Merge pull request #44 from projectdiscovery/master

Updation
patch-1
Dhiyaneshwaran 2021-04-23 12:53:02 +05:30 committed by GitHub
commit 63b01dcaaa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
24 changed files with 106 additions and 80 deletions

@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
| Templates | Counts | Templates | Counts | Templates | Counts |
| ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
| cves | 291 | vulnerabilities | 133 | exposed-panels | 120 |
| takeovers | 67 | exposures | 78 | technologies | 63 |
| misconfiguration | 55 | workflows | 30 | miscellaneous | 20 |
| cves | 290 | vulnerabilities | 133 | exposed-panels | 121 |
| takeovers | 67 | exposures | 79 | technologies | 64 |
| misconfiguration | 56 | workflows | 30 | miscellaneous | 20 |
| default-logins | 24 | exposed-tokens | 0 | dns | 8 |
| fuzzing | 8 | helpers | 7 | iot | 11 |
**101 directories, 991 files**.
**101 directories, 994 files**.
</td>
</tr>
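
Review bot: the counts in this table are maintained by hand, so check them against the tree before merging: the cves row going from 291 to 290 does match this PR (one template added under cves/2021, two deleted), but the row `| default-logins | 24 | exposed-tokens | 0 | dns | 8 |` still carries an empty exposed-tokens category, and the 994-file total cannot be reconciled from the per-category counts shown here. Generating this table from a directory listing in CI would stop it drifting.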

@ -4,6 +4,10 @@ info:
author: CasperGN
severity: medium
tags: cve,cve2005
description: Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled, stores sensitive data from names.nsf in hidden form fields, which allows remote attackers to read the HTML source to obtain sensitive information such as (1) the password hash in the HTTPPassword field, (2) the password change date in the HTTPPasswordChangeDate field, (3) the client platform in the ClntPltfrm field, (4) the client machine name in the ClntMachine field, and (5) the client Lotus Domino release in the ClntBld field, a different vulnerability than CVE-2005-2696.
reference: |
- http://www.cybsec.com/vuln/default_configuration_information_disclosure_lotus_domino.pdf
- https://www.exploit-db.com/exploits/39495
requests:
- method: GET
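
Review bot: `reference: |` is a YAML literal block scalar, so the two `- http...` lines under it are stored as one multi-line string that includes the leading dashes, not as a list of URLs; if a list is intended, drop the `|` and put the items directly under `reference:`. The same pattern is used for every multi-reference template in this PR, so whichever form the nuclei template schema expects should be applied consistently across the diff.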

@ -4,6 +4,7 @@ info:
name: Apache Struts2 S2-001 RCE
author: pikpikcu
severity: critical
description: Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression when altSyntax is enabled, which allows remote attackers to cause a denial of service (infinite loop) or execute arbitrary code via form input beginning with a "%{" sequence and ending with a "}" character.
reference: https://www.guildhab.top/?p=2326
tags: cve,cve2007,apache,rce,struts
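
Review bot: the only reference for S2-001 is a third-party blog (`reference: https://www.guildhab.top/?p=2326`); add the vendor advisory from the Apache Struts security bulletins alongside it, as the S2-032 template in this PR already does, so the affected-version range in the new description can be verified against an authoritative source.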

@ -4,6 +4,8 @@ info:
name: AppServ Open Project 2.5.10 and earlier XSS
author: unstabl3
severity: medium
description: Cross-site scripting (XSS) vulnerability in index.php in AppServ Open Project 2.5.10 and earlier allows remote attackers to inject arbitrary web script or HTML via the appservlang parameter.
reference: https://exchange.xforce.ibmcloud.com/vulnerabilities/42546
tags: cve,cve2008,xss
requests:
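
Review bot: `tags: cve,cve2008,xss` carries no product tag, unlike the other templates in this PR (`struts`, `drupal`, `elastic`, `coldfusion`); adding an `appserv` tag would let users select or exclude this check by product.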

@ -3,6 +3,8 @@ info:
name: CMSimple 3.1 - Local File Inclusion
author: pussycat0x
severity: high
description: |
Directory traversal vulnerability in cmsimple/cms.php in CMSimple 3.1, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the sl parameter to index.php. NOTE: this can be leveraged for remote file execution by including adm.php and then invoking the upload action. NOTE: on 20080601, the vendor patched 3.1 without changing the version number.
reference: https://www.exploit-db.com/exploits/5700
tags: cve,cve2008,lfi
requests:
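
Review bot: the description itself notes that the vendor patched 3.1 without changing the version number, so any version string is not a reliable indicator here; the matchers should key on the traversal response (content of the included file) rather than on anything version-related. The `register_globals` precondition is also worth surfacing in the name or tags, since a negative result on a host with it disabled says nothing about the patch level.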

@ -4,7 +4,10 @@ info:
name: Adobe ColdFusion 8.0/8.0.1/9.0/9.0.1 LFI
author: pikpikcu
severity: high
reference: https://github.com/vulhub/vulhub/tree/master/coldfusion/CVE-2010-2861
description: Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm, (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm in CFIDE/administrator/.
reference: |
- https://github.com/vulhub/vulhub/tree/master/coldfusion/CVE-2010-2861
- http://www.adobe.com/support/security/bulletins/apsb10-18.html
tags: cve,cve2010,coldfusion,lfi
requests:
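
Review bot: the new description lists five affected administrator endpoints (mappings.cfm, logging/settings.cfm, datasources/index.cfm, editarchive.cfm, enter.cfm); confirm the request section covers the ones the matchers depend on, or state which one is probed, so a partially patched host is not reported as clean. The Adobe bulletin link is also plain http; prefer the https form if it resolves.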

@ -4,10 +4,11 @@ info:
name: Majordomo2 - SMTP/HTTP Directory Traversal
author: pikpikcu
severity: high
description: Directory traversal vulnerability in the _list_file_get function in lib/Majordomo.pm in Majordomo 2 before 20110131 allows remote attackers to read arbitrary files via .. (dot dot) sequences in the help command, as demonstrated using (1) a crafted email and (2) cgi-bin/mj_wwwusr in the web interface.
reference: |
- https://www.exploit-db.com/exploits/16103
- https://nvd.nist.gov/vuln/detail/CVE-2011-0063
- https://nvd.nist.gov/vuln/detail/CVE-2011-0049
- http://www.kb.cert.org/vuls/id/363726
tags: cve,cve2011,majordomo2,lfi
requests:
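
Review bot: the reference block lists two distinct NVD entries (CVE-2011-0063 and CVE-2011-0049) while the tags only say `cve2011`; make clear in the description which identifier this template covers, since only the `cgi-bin/mj_wwwusr` vector from the description can be exercised over HTTP and the crafted-email vector cannot.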

@ -4,6 +4,7 @@ info:
name: Apache Struts2 S2-008 RCE
author: pikpikcu
severity: critical
description: The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.
reference: https://blog.csdn.net/weixin_43416469/article/details/113850545
tags: cve,cve2012,apache,rce,struts
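
Review bot: the sole reference is a blog post (`reference: https://blog.csdn.net/weixin_43416469/article/details/113850545`); add the Apache S2-008 advisory so the `before 2.3.1.1` range in the description has an authoritative source, matching the two-advisory pattern the S2-032 template in this PR uses.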

@ -4,7 +4,8 @@ info:
name: Apache Struts2 S2-012 RCE
author: pikpikcu
severity: critical
reference: https://nvd.nist.gov/vuln/detail/CVE-2013-1965
description: Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.
reference: http://struts.apache.org/development/2.x/docs/s2-012.html
tags: cve,cve2013,apache,rce,struts
requests:
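
Review bot: `reference: https://nvd.nist.gov/vuln/detail/CVE-2013-1965` is replaced rather than supplemented by the struts.apache.org advisory; keep both, since the NVD entry is what ties the template to its CVE id and the advisory carries the fixed version (2.3.14.3 per the description).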

@ -5,6 +5,7 @@ info:
author: exploitation & @dwisiswant0
severity: critical
description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
reference: http://struts.apache.org/release/2.3.x/docs/s2-016.html
tags: cve,cve2013,rce,struts,apache
requests:

@ -4,7 +4,11 @@ info:
name: ElasticSearch v1.1.1/1.2 RCE
author: pikpikcu
severity: critical
reference: https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2014-3120
description: |
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.
reference: |
- https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2014-3120
- https://www.elastic.co/blog/logstash-1-4-3-released
tags: cve,cve2014,elastic,rce
requests:
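
Review bot: the second reference `https://www.elastic.co/blog/logstash-1-4-3-released` is a Logstash release note, while the description concerns Elasticsearch dynamic scripting before 1.2; check this is the intended link before merging. The description's NOTE about the vendor's intended security policy is worth keeping, as it explains why the matcher should require actual expression evaluation and not merely the presence of a `_search` endpoint.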

@ -4,7 +4,12 @@ info:
author: princechaddha
severity: high
description: The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.
reference: https://www.cvedetails.com/cve/CVE-2014-3704/
reference: |
- https://www.drupal.org/SA-CORE-2014-005
- http://www.exploit-db.com/exploits/34984
- http://www.exploit-db.com/exploits/34992
- http://www.exploit-db.com/exploits/34993
- http://www.exploit-db.com/exploits/35150
tags: cve,cve2014,drupal,sqli
requests:
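
Review bot: swapping the cvedetails link for `https://www.drupal.org/SA-CORE-2014-005` is the right call, and the four exploit-db entries are fine as supporting material; the one request is to confirm the template's check of `expandArguments` is read-only (an error- or condition-based probe with no data modification), since the description's vector (an array with crafted keys) can be exercised with a harmless condition.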

@ -5,6 +5,9 @@ info:
author: pentest_swissky
severity: high
description: Attempts to exploit the "shellshock" vulnerability (CVE-2014-6271 and CVE-2014-7169) in web applications
reference: |
- http://www.kb.cert.org/vuls/id/252743
- http://www.us-cert.gov/ncas/alerts/TA14-268A
tags: cve,cve2014,rce
requests:
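
Review bot: `description: Attempts to exploit the "shellshock" vulnerability ...` describes what the scanner does rather than the flaw; the other descriptions in this PR follow the CVE text, so this one should state the issue (Bash executing trailing commands appended to a function definition in an environment variable) and name both ids in the tags or references, since the description covers CVE-2014-6271 and CVE-2014-7169 but the tags say only `cve2014`.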

@ -4,7 +4,10 @@ info:
name: ElasticSearch 1.4.0/1.4.2 RCE
author: pikpikcu
severity: critical
reference: https://blog.csdn.net/JiangBuLiu/article/details/94457980
description: The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
reference: |
- https://blog.csdn.net/JiangBuLiu/article/details/94457980
- http://www.elasticsearch.com/blog/elasticsearch-1-4-3-1-3-8-released/
tags: cve,cve2015,elastic,rce
requests:
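
Review bot: the template name `ElasticSearch 1.4.0/1.4.2 RCE` is narrower than the affected range in the new description (before 1.3.8 and 1.4.x before 1.4.3); either widen the name or note that the check was validated only on those two versions, so users do not assume 1.3.x hosts are out of scope. Adding the vendor release note beside the csdn blog is a good improvement.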

@ -4,7 +4,10 @@ info:
name: Eclipse Jetty Remote Leakage
author: pikpikcu
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2015-2080
reference: |
- https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md
- https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
- http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html
description: |
The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak
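
Review bot: the NVD link for CVE-2015-2080 is dropped in favour of the three technical write-ups; keep it as well so the id stays resolvable from the template. The block-scalar description also lost its trailing period, and a word on what is leaked (the advisory URL itself says shared buffers) would help operators understand why one illegal-header probe can return data from other clients' requests.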

@ -5,7 +5,7 @@ info:
author: pdteam
severity: high
description: Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.
reference: https://nvd.nist.gov/vuln/detail/CVE-2015-3337
reference: https://www.exploit-db.com/exploits/37054/
tags: cve,cve2015,elastic,lfi
requests:
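
Review bot: replacing `reference: https://nvd.nist.gov/vuln/detail/CVE-2015-3337` with an exploit-db link loses the authoritative entry; keep both. The precondition in the description (`when a site plugin is enabled`) means a clean result on a host without site plugins says nothing about its patch level, which is worth stating so negative results are not over-interpreted.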

@ -3,6 +3,7 @@ info:
name: Wordpress 4.6 Remote Code Execution
author: princechaddha
severity: high
description: The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
reference: https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
tags: wordpress,cve,cve2016,rce
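
Review bot: the `\"` in the new description is safe only because the value is an unquoted plain scalar, where a backslash has no escape meaning; if anyone later wraps the description in double quotes the YAML will fail to parse, so consider moving it to a `|` block like the other long descriptions in this PR. The description also covers PHPMailer before 5.2.18 generally, so a note on how the WordPress 4.6 check reaches the `Sender` property would help readers judge coverage.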

@ -4,7 +4,11 @@ info:
name: Apache S2-032 Struts RCE
author: dhiyaneshDK
severity: high
reference: https://cwiki.apache.org/confluence/display/WW/S2-032
description: |
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.
reference: |
- https://cwiki.apache.org/confluence/display/WW/S2-032
- https://struts.apache.org/docs/s2-032.html
tags: cve,cve2016,struts,rce,apache
requests:
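
Review bot: using a `|` block for the description is required here, since the text contains `method: prefix`, which a plain scalar would parse as a nested mapping key; good. Listing both the cwiki and struts.apache.org advisories is the pattern the S2-001 and S2-008 templates elsewhere in this diff should follow.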

@ -4,6 +4,7 @@ info:
name: Trend Micro Threat Discovery Appliance Auth Bypass via Directory Traversal
author: dwisiswant0
severity: critical
description: On the Trend Micro Threat Discovery Appliance 2.6.1062r1, directory traversal when processing a session_id cookie allows a remote, unauthenticated attacker to delete arbitrary files as root. This can be used to bypass authentication or cause a DoS.
reference: https://gist.github.com/malerisch/5de8b408443ee9253b3954a62a8d97b4
tags: cve,cve2016,lfi
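
Review bot: the description states the traversal lets an unauthenticated attacker delete arbitrary files as root, so confirm the request only demonstrates the traversal in the `session_id` cookie against a non-existent or harmless path and never touches a real file; a detection template must not cause the DoS it describes. The gist is the only reference; add the vendor advisory if one exists.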

@ -1,36 +0,0 @@
id: CVE-2020-1147
info:
name: RCE at SharePoint Server (.NET Framework & Visual Studio) detection
author: dwisiswant0
description: A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input, aka '.NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability'.
severity: critical
tags: cve,cve2020,sharepoint,iis,rce
reference: |
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147
- https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html
requests:
- method: GET
path:
- "{{BaseURL}}/_layouts/15/listform.aspx?PageType=1&ListId=%7B13371337-1337-1337-1337-133713371337%7D"
matchers-condition: and
matchers:
- type: word
words:
- "List does not exist"
- "It may have been deleted by another user"
part: body
condition: and
- type: word
words:
- "Microsoft-IIS"
- "X-SharePointHealthScore"
- "SharePointError"
- "SPRequestGuid"
- "MicrosoftSharePointTeamServices"
condition: or
part: header
- type: status
status:
- 200
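
Review bot: the commit message (`Updation`) should say why this template is removed. The deleted matchers (`List does not exist` plus any one of the IIS/SharePoint response headers and status 200) identify a SharePoint server answering listform.aspx for an unknown ListId, not the unpatched DataSet markup handling described under `description:`, so this was effectively a SharePoint fingerprint filed under a CVE id; if that is the reason, the header checks would make a useful tech-detection template instead of disappearing entirely.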

@ -0,0 +1,25 @@
id: CVE-2021-24146
info:
name: Modern Events Calendar Lite < 5.16.5 - Unauthenticated Events Export
description: Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenticated users to exports all events data in CSV or XML format for example.
author: random_robbie
severity: high
reference: https://wpscan.com/vulnerability/c7b1ebd6-3050-4725-9c87-0ea525f8fecc
tags: wordpress,wp-plugin,cve,cve2021
requests:
- method: GET
path:
- "{{BaseURL}}/wp-admin/admin.php?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=csv"
matchers-condition: and
matchers:
- type: word
words:
- "mec-events"
part: header
- type: status
status:
- 200
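
Review bot: the request performs a real export (`mec-ix-action=export-events&format=csv`), so on a vulnerable site the scanner downloads the full events dataset even though the matchers only inspect the header for `mec-events` and a 200; if the template engine allows it, a HEAD request or a matcher on the Content-Disposition header alone would prove the missing authorisation check without retaining other people's event data in scan output. The `mec-events` word should also be tied to the Content-Disposition header specifically, since a bare word in `part: header` can also match a redirect Location.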

@ -1,31 +0,0 @@
id: CVE-2021-28480
info:
name: Microsoft Exchange Server Remote Code Execution detection
author: madrobot
severity: critical
description: CVE-2021-28480 & CVE-2021-28481 received a CVSS score of 9.8 which is remarkably high. Both of these have 'Network' as attack vector, which means the attack can be executed remotely and the exploit might potentially be wormable.
tags: cve,cve2021,rce,exchange
reference: |
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-28480
- https://khonggianmang.vn/check-proxynotfound/en
requests:
- raw:
- |
GET /ews/exchange.asmx HTTP/1.1
Host: {{Hostname}}
Authorization: NTLM TlRMTVNTUAABAAAABoIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAAAAMAA=
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
matchers-condition: and
matchers:
- type: regex
regex:
- "NTLM .+"
part: header
- type: dsl
dsl:
- "contains(tolower(all_headers), 'www-authenticate') && status_code == 401"
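
Review bot: the deleted matchers (a `NTLM .+` header regex plus `www-authenticate` and status 401) confirm only that EWS answers an NTLM type-1 message with a challenge, which any Exchange server with NTLM enabled does regardless of patch level, and the description is CVSS commentary rather than a statement of the flaw; the removal is justified, but the commit message should say so, and the workflows in this PR should be checked for a dangling reference to cves/2021/CVE-2021-28480.yaml.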

@ -0,0 +1,27 @@
id: grav-cms-detect
info:
name: Grav CMS Detect
author: cyllective
severity: info
description: Detects Grav CMS
tags: tech,grav,cms
references: https://github.com/getgrav/grav
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: or
matchers:
- type: word
part: header
words:
- 'Set-Cookie: grav-site-'
- type: word
part: body
words:
- '<meta name="generator" content="GravCMS" />'
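
Review bot: this template uses `references:` (plural) while every other template in the diff uses `reference:`; an unrecognised key is likely to be ignored by the loader, so the GitHub link would be silently dropped. Rename it to `reference:`. The `Set-Cookie: grav-site-` header matcher is a reasonable fingerprint, and pairing it with the generator meta tag under `matchers-condition: or` keeps the detect working when no cookie is set on the first response.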

@ -30,6 +30,7 @@ workflows:
- template: cves/2020/CVE-2020-14092.yaml
- template: cves/2020/CVE-2020-35951.yaml
- template: cves/2020/CVE-2020-35489.yaml
- template: cves/2021/CVE-2021-24146.yaml
- template: vulnerabilities/wordpress/wordpress-auth-bypass-wptimecapsule.yaml
- template: vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml
- template: vulnerabilities/wordpress/wordpress-total-upkeep-backup-download.yaml
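
Review bot: no workflow hunk removes references to the two templates this PR deletes (cves/2020/CVE-2020-1147.yaml and cves/2021/CVE-2021-28480.yaml); grep the workflows directory for both paths so no workflow points at a missing template after merge. The new `cves/2021/CVE-2021-24146.yaml` entry is correctly placed beside the other cves entries in the WordPress workflow.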