diff --git a/.new-additions b/.new-additions
index e2628fdf3a..e9511b791d 100644
--- a/.new-additions
+++ b/.new-additions
@@ -1,4 +1,8 @@
+http/cves/2008/CVE-2008-1547.yaml
+http/cves/2010/CVE-2010-1586.yaml
+http/cves/2012/CVE-2012-4982.yaml
 http/cves/2019/CVE-2019-1943.yaml
+http/cves/2021/CVE-2021-44138.yaml
 http/cves/2023/CVE-2023-25157.yaml
 http/miscellaneous/crypto-mining-malware.yaml
 http/misconfiguration/symfony-fragment.yaml
diff --git a/helpers/wordpress/plugins/so-widgets-bundle.txt b/helpers/wordpress/plugins/so-widgets-bundle.txt
index ce92a2d3c1..daf515c92d 100644
--- a/helpers/wordpress/plugins/so-widgets-bundle.txt
+++ b/helpers/wordpress/plugins/so-widgets-bundle.txt
@@ -1 +1 @@
-1.50.0
\ No newline at end of file
+1.50.1
\ No newline at end of file
diff --git a/helpers/wordpress/plugins/ultimate-addons-for-gutenberg.txt b/helpers/wordpress/plugins/ultimate-addons-for-gutenberg.txt
index 68167133b9..952f449f1f 100644
--- a/helpers/wordpress/plugins/ultimate-addons-for-gutenberg.txt
+++ b/helpers/wordpress/plugins/ultimate-addons-for-gutenberg.txt
@@ -1 +1 @@
-2.6.5
\ No newline at end of file
+2.6.6
\ No newline at end of file
diff --git a/http/cves/2008/CVE-2008-1547.yaml b/http/cves/2008/CVE-2008-1547.yaml
new file mode 100644
index 0000000000..bc9e0ebac4
--- /dev/null
+++ b/http/cves/2008/CVE-2008-1547.yaml
@@ -0,0 +1,35 @@
+id: CVE-2008-1547
+
+info:
+ name: Microsoft OWA Exchange Server 2003 - 'redir.asp' Open Redirection
+ author: ctflearner
+ severity: medium
+ description: |
+ Open redirect vulnerability in exchweb/bin/redir.asp in Microsoft Outlook Web Access (OWA) for Exchange Server 2003 SP2 (aka build 6.5.7638) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the URL parameter.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2008-1547
+ - https://www.exploit-db.com/exploits/32489
+ - https://www.securityfocus.com/bid/31765/info
+ classification:
+ cvss-metrics: AV:N/AC:M/Au:N/C:N/I:P/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2008-1547
+ cwe-id: CWE-601
+ cpe: cpe:2.3:a:microsoft:exchange_server:2003:sp2:*:*:*:*:*:*
+ metadata:
+ max-request: 2
+ shodan-query: http.title:"Outlook"
+ tags: cve,cve2008,redirect,owa,exchange,microsoft
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/exchweb/bin/redir.asp?URL=https://interact.sh"
+ - "{{BaseURL}}/CookieAuth.dll?GetLogon?url=%2Fexchweb%2Fbin%2Fredir.asp%3FURL%3Dhttps%3A%2F%2Finteract.sh&reason=0"
+
+ stop-at-first-match: true
+ matchers:
+ - type: regex
+ part: header
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
diff --git a/http/cves/2010/CVE-2010-1586.yaml b/http/cves/2010/CVE-2010-1586.yaml
new file mode 100644
index 0000000000..be1672ce8f
--- /dev/null
+++ b/http/cves/2010/CVE-2010-1586.yaml
@@ -0,0 +1,31 @@
+id: CVE-2010-1586
+
+info:
+ name: HP System Management Homepage (SMH) v2.x.x.x - Open Redirect
+ author: ctflearner
+ severity: medium
+ description: |
+ Open redirect vulnerability in red2301.html in HP System Management Homepage (SMH) 2.x.x.x allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the RedirectUrl parameter.
+ reference:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1586
+ - https://yehg.net/lab/pr0js/advisories/hp_system_management_homepage_url_redirection_abuse
+ classification:
+ cvss-metrics: AV:N/AC:M/Au:N/C:N/I:P/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2010-1586
+ cwe-id: CWE-20
+ cpe: cpe:2.3:a:hp:system_management_homepage:2.0.0:*:*:*:*:*:*:*
+ metadata:
+ max-request: 1
+ tags: cve,cve2010,redirect,smh,hp
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/red2301.html?RedirectUrl=http://interact.sh"
+
+ matchers:
+ - type: regex
+ part: header
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:http?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
diff --git a/http/cves/2012/CVE-2012-4982.yaml b/http/cves/2012/CVE-2012-4982.yaml
new file mode 100644
index 0000000000..0352e782ec
--- /dev/null
+++ b/http/cves/2012/CVE-2012-4982.yaml
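Review bot: The matcher regex on the last line uses `(?:http?://|//)`, which matches `http://` (and the typo `htt://`) but never `https://`, so a host that answers the redirect with an HTTPS Location header is silently missed; the CVE-2008-1547 and CVE-2012-4982 templates in the same commit use `(?:https?://|//)`, and this one should too: `- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'`. The classification also gives `cwe-id: CWE-20` for what the description calls an open redirect, while the 2008 template classifies the same weakness as CWE-601; unless the NVD record itself lists CWE-20, CWE-601 is the more precise choice.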
@@ -0,0 +1,31 @@
+id: CVE-2012-4982
+info:
+ name: Forescout CounterACT 6.3.4.1 - Open Redirect
+ author: ctflearner
+ severity: medium
+ description: |
+ Open redirect vulnerability in assets/login on the Forescout CounterACT NAC device before 7.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the 'a' parameter.
+ reference:
+ - https://www.exploit-db.com/exploits/38062
+ - https://www.reactionpenetrationtesting.co.uk/forescout-cross-site-redirection.html
+ - https://nvd.nist.gov/vuln/detail/CVE-2012-4982
+ classification:
+ cvss-metrics: AV:N/AC:M/Au:N/C:P/I:P/A:N
+ cvss-score: 5.8
+ cve-id: CVE-2012-4982
+ cwe-id: CWE-20
+ cpe: cpe:2.3:a:forescout:counteract:6.3.4.10:*:*:*:*:*:*:*
+ metadata:
+ max-request: 1
+ tags: cve,cve2012,redirect,forescout,counteract
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/assets/login?a=https://interact.sh"
+
+ matchers:
+ - type: regex
+ part: header
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
diff --git a/http/cves/2015/CVE-2015-1880.yaml b/http/cves/2015/CVE-2015-1880.yaml
index cf6b417de1..fe1b6beb96 100644
--- a/http/cves/2015/CVE-2015-1880.yaml
+++ b/http/cves/2015/CVE-2015-1880.yaml
@@ -15,7 +15,7 @@ info:
 cvss-score: 4.3
 cve-id: CVE-2015-1880
 cwe-id: CWE-79
- tags: cve,cve2015,xss,fortigates,ssl
+ tags: cve,cve2015,xss,fortigates
 metadata:
 max-request: 1
 
diff --git a/http/cves/2021/CVE-2021-44138.yaml b/http/cves/2021/CVE-2021-44138.yaml
new file mode 100644
index 0000000000..2b8b435522
--- /dev/null
+++ b/http/cves/2021/CVE-2021-44138.yaml
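Review bot: The version in `name: Forescout CounterACT 6.3.4.1 - Open Redirect` does not agree with the `cpe:` line in the same file, which says `6.3.4.10`, nor with the description's "before 7.0"; one of the two version strings is a typo, and the name should state the same affected range as the description, e.g. `name: Forescout CounterACT <7.0 - Open Redirect`. This template also uses `cwe-id: CWE-20` for a redirect issue, as does the CVE-2010-1586 template in this commit, whereas CVE-2008-1547 uses CWE-601; keep CWE-20 only if that is what the NVD record lists. The file also omits the blank line between `id:` and `info:` that the other three new templates have, which is worth aligning for diffability.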
@@ -0,0 +1,47 @@
+id: CVE-2021-44138
+
+info:
+ name: Caucho Resin >=4.0.52 <=4.0.56 - Directory traversal
+ author: carrot2
+ severity: high
+ description: |
+ There is a Directory traversal vulnerability in Caucho Resin, as distributed in Resin 4.0.52 - 4.0.56, which allows remote attackers to read files in arbitrary directories via a ; in a pathname within an HTTP request.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/cve-2021-44138
+ - https://github.com/maybe-why-not/reponame/issues/2
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2021-44138
+ cwe-id: CWE-22
+ metadata:
+ verified: "true"
+ shodan-query: html:"Resin"
+ tags: cve,cve2021,resin,caucho,lfi
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/;/WEB-INF/web.xml"
+ - "{{BaseURL}}/resin-doc/;/WEB-INF/resin-web.xml"
+
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - "text/xml"
+ - "application/xml"
+ condition: or
+
+ - type: status
+ status:
+ - 200
diff --git a/http/cves/2023/CVE-2023-1434.yaml b/http/cves/2023/CVE-2023-1434.yaml
index 51334610af..aa7ecc08df 100644
--- a/http/cves/2023/CVE-2023-1434.yaml
+++ b/http/cves/2023/CVE-2023-1434.yaml
@@ -4,6 +4,8 @@ info:
 name: Odoo - Cross-Site Scripting
 author: DhiyaneshDK
 severity: medium
+ description: |
+ Odoo is a business suite that has features for many business-critical areas, such as e-commerce, billing, or CRM. Versions before the 16.0 release are vulnerable to CVE-2023-1434 and is caused by an incorrect content type being set on an API endpoint.
 reference:
 - https://www.sonarsource.com/blog/odoo-get-your-content-type-right-or-else
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1434
diff --git a/http/osint/dotcards.yaml b/http/osint/dotcards.yaml
index 803cb78a3a..45195864ad 100644
--- a/http/osint/dotcards.yaml
+++ b/http/osint/dotcards.yaml
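Review bot: The first word matcher, `words: - ""`, has an empty string as its only entry, which matches every body, so the body check contributes nothing and a finding is raised for any XML content type returned with status 200 — an XML-formatted error page would then be reported as a successful traversal. If that empty string is really what the file contains rather than an artifact of how this page was rendered, it should be a token that only the targeted files contain, such as the `web.xml` root element (`- "<web-app"`); the `condition: and` on a single word also suggests a second token was intended. The hunk's line count (47) is one more than the lines visible here, which supports the rendering-artifact reading, but the committed file should be checked. Separately, the `metadata:` block lacks `max-request` although two paths are requested; add `max-request: 2` next to `verified`, as the other new templates in this commit do.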
@@ -30,4 +30,10 @@ http:
 words:
 - "'s dot.Profile"
 
+ - type: word
+ part: body
+ words:
+ - '"message":"The username does not exist"'
+ negative: true
+
 # Enhanced by cs 03/17/2023
diff --git a/http/vulnerabilities/jenkins/jenkins-script.yaml b/http/vulnerabilities/jenkins/jenkins-script.yaml
index e4b0909e37..502b43fb6c 100644
--- a/http/vulnerabilities/jenkins/jenkins-script.yaml
+++ b/http/vulnerabilities/jenkins/jenkins-script.yaml
@@ -2,12 +2,13 @@ id: jenkins-script
 
 info:
 name: Jenkins - Remote Code Execution
-author: philippedelteil
+author: philippedelteil,DhiyaneshDK
 severity: critical
 description: |
 Jenkins is susceptible to a remote code execution vulnerability due to accessible script functionality.
 reference:
 - https://hackerone.com/reports/403402
+ - https://medium.com/@gokulsspace/the-30000-bounty-affair-3f025ee6b834
 classification:
 cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
 cvss-score: 10.0
@@ -20,7 +21,9 @@ http:
 - method: GET
 path:
 - "{{BaseURL}}/script/"
+ - "{{BaseURL}}/jenkins/script"
 
+ stop-at-first-match: true
 matchers-condition: and
 matchers:
 - type: word
@@ -38,5 +41,3 @@ http:
 - type: status
 status:
 - 200
-
-# Enhanced by mp on 2022/05/26
diff --git a/http/exposed-panels/c2/cobalt-strike-c2.yaml b/ssl/c2/cobalt-strike-c2.yaml
similarity index 96%
rename from http/exposed-panels/c2/cobalt-strike-c2.yaml
rename to ssl/c2/cobalt-strike-c2.yaml
index 0ce1273491..5e76bfea79 100644
--- a/http/exposed-panels/c2/cobalt-strike-c2.yaml
+++ b/ssl/c2/cobalt-strike-c2.yaml
@@ -10,6 +10,7 @@ info:
 - https://blog.sekoia.io/hunting-and-detecting-cobalt-strike/
 metadata:
 max-request: 1
+ verified: "true"
 shodan-query: ssl.cert.serial:146473198
 tags: ssl,c2,ir,osint
 
diff --git a/http/exposed-panels/c2/metasploit-c2.yaml b/ssl/c2/metasploit-c2.yaml
similarity index 97%
rename from http/exposed-panels/c2/metasploit-c2.yaml
rename to ssl/c2/metasploit-c2.yaml
index ae5f9a5723..c5385d75e7 100644
--- a/http/exposed-panels/c2/metasploit-c2.yaml
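Review bot: The added `negative: true` matcher only narrows results when the matcher list is combined with `matchers-condition: and`; that key, if present, sits above this hunk in the `http:` block, which starts outside the hunk, so confirm it is set. Under the default `or` condition a negated matcher is satisfied by every response that lacks the "username does not exist" message, which would make the template match almost any page the endpoint returns. A one-line comment above the new matcher would also record why it exists: `# a missing profile still returns 200 with this JSON error, so exclude it`.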
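Review bot: The second request path added at `+ - "{{BaseURL}}/jenkins/script"` is not accompanied by a change to the `max-request` metadata; that key is outside this hunk, but if the template declares it (as the other templates in this commit do) it should now read `max-request: 2`, since both requests may be sent before `stop-at-first-match` takes effect. The new path also drops the trailing slash that the existing `"{{BaseURL}}/script/"` carries; if the un-slashed form is answered with a redirect rather than the console page, the body matcher below never sees the page, so either verify it or use `"{{BaseURL}}/jenkins/script/"` for consistency. The `http:` block these lines belong to starts and ends outside the hunk.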
+++ b/ssl/c2/metasploit-c2.yaml
@@ -10,7 +10,7 @@ info:
 https://www.socinvestigation.com/shodan-filters-to-hunt-adversaries-infrastructure-and-c2/
 metadata:
 max-request: 1
- verified: true
+ verified: "true"
 shodan-query: ssl:"MetasploitSelfSignedCA"
 tags: c2,ir,osint,metasploit
 