From 809e87987cc3658362f12b49dfa3decddd1c17bf Mon Sep 17 00:00:00 2001 From: MostInterestingBotInTheWorld <98333686+MostInterestingBotInTheWorld@users.noreply.github.com> Date: Fri, 20 May 2022 17:38:52 -0400 Subject: [PATCH] Dashboard Content Enhancements (#4456) Dashboard Content Enhancements --- cves/2022/CVE-2022-0346.yaml | 2 ++ cves/2022/CVE-2022-1040.yaml | 10 ++++---- cves/2022/CVE-2022-1388.yaml | 8 +++---- cves/2022/CVE-2022-22954.yaml | 11 ++++++--- cves/2022/CVE-2022-22963.yaml | 7 ++++-- cves/2022/CVE-2022-22965.yaml | 22 +++++------------- cves/2022/CVE-2022-26148.yaml | 13 +++++++---- cves/2022/CVE-2022-26352.yaml | 7 ++++-- cves/2022/CVE-2022-29303.yaml | 4 +++- cves/2022/CVE-2022-29464.yaml | 11 +++++---- cves/2022/CVE-2022-30525.yaml | 8 ++++--- exposures/configs/laravel-env.yaml | 16 ++++++++++--- exposures/configs/phpinfo.yaml | 5 ++++ file/electron/node-integration-enabled.yaml | 7 ++++-- fuzzing/wordpress-weak-credentials.yaml | 23 +++++++++++++++---- iot/qvisdvr-deserialization-rce.yaml | 18 +++++++++++---- .../http-missing-security-headers.yaml | 3 ++- misconfiguration/jupyter-ipython-unauth.yaml | 14 +++++++---- .../kubernetes/kubernetes-pods.yaml | 7 ++++-- misconfiguration/laravel-debug-enabled.yaml | 6 ++++- misconfiguration/misconfigured-docker.yaml | 5 +++- .../springboot/springboot-heapdump.yaml | 8 +++++-- .../unauthenticated-nacos-access.yaml | 6 ++++- ssl/deprecated-tls.yaml | 6 ++++- .../laravel/laravel-ignition-xss.yaml | 12 ++++++---- 25 files changed, 164 insertions(+), 75 deletions(-) diff --git a/cves/2022/CVE-2022-0346.yaml b/cves/2022/CVE-2022-0346.yaml index 229672a9a3..5671d6650d 100644 --- a/cves/2022/CVE-2022-0346.yaml +++ b/cves/2022/CVE-2022-0346.yaml 
@@ -6,6 +6,8 @@ info: severity: high description: | The plugin does not validate a parameter which can be set to an arbitrary value, thus causing XSS via error message or RCE if allow_url_include is turned on. + classification: + cve-id: CVE-2022-0346 reference: - https://wpscan.com/vulnerability/4b339390-d71a-44e0-8682-51a12bd2bfe6 - https://wordpress.org/plugins/www-xml-sitemap-generator-org/ diff --git a/cves/2022/CVE-2022-1040.yaml b/cves/2022/CVE-2022-1040.yaml index d5be897feb..9f349f9959 100644 --- a/cves/2022/CVE-2022-1040.yaml +++ b/cves/2022/CVE-2022-1040.yaml @@ -1,11 +1,11 @@ id: CVE-2022-1040 info: - name: Sophos Firewall - RCE + name: Sophos Firewall <=18.5 MR3 - Remote Code Execution author: For3stCo1d severity: critical description: | - An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older. + Sophos Firewall version v18.5 MR3 and older contains an authentication bypass vulnerability in the User Portal and Webadmin which could allow a remote attacker to execute code. reference: - https://github.com/killvxk/CVE-2022-1040 - https://github.com/CronUp/Vulnerabilidades/blob/main/CVE-2022-1040_checker @@ -17,9 +17,9 @@ info: cve-id: CVE-2022-1040 cwe-id: CWE-287 metadata: - shodan-query: http.title:"Sophos" verified: true - tags: cve,cve2022,sophos,firewall,auth-bypass + shodan-query: http.title:"Sophos" + tags: cve,cve2022,sophos,firewall,auth-bypass,rce requests: - method: POST @@ -44,3 +44,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/05/19 diff --git a/cves/2022/CVE-2022-1388.yaml b/cves/2022/CVE-2022-1388.yaml index 3df38adf13..050f0960be 100644 --- a/cves/2022/CVE-2022-1388.yaml +++ b/cves/2022/CVE-2022-1388.yaml 
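Review bot: The trailing line `# Enhanced by mp on 2022/05/19` appended to CVE-2022-1040.yaml in the last hunk is a YAML comment, so every loader discards it and nothing downstream (including the dashboard this PR is for) can query who reviewed the template or when. If that provenance is meant to be machine-readable, put it under the existing `metadata:` map instead (constructed example: `reviewed-by: mp` and `reviewed-on: "2022/05/19"`, the date quoted so it stays a string); if it is only a human marker, say so in the contributing guide so the two uses are not confused. The same comment is appended in this commit to CVE-2022-1388, CVE-2022-22954, CVE-2022-22963, CVE-2022-22965, CVE-2022-26148, CVE-2022-26352, CVE-2022-29464, CVE-2022-30525, laravel-env, node-integration-enabled, wordpress-weak-credentials, qvisdvr-deserialization-rce, jupyter-ipython-unauth, kubernetes-pods, misconfigured-docker, springboot-heapdump and unauthenticated-nacos-access.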
@@ -5,9 +5,7 @@ info: author: dwisiswant0,Ph33r severity: critical description: | - This F5 BIG-IP vulnerability can allow an unauthenticated attacker - with network access to the BIG-IP system through the management - port and/or self IP addresses to execute arbitrary system commands. + F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, may allow undisclosed requests to bypass iControl REST authentication. reference: - https://twitter.com/GossiTheDog/status/1523566937414193153 - https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/ @@ -19,8 +17,8 @@ info: cve-id: CVE-2022-1388 cwe-id: CWE-306 metadata: + verified: true shodan-query: http.title:"BIG-IP®-+Redirect" +"Server" - verified: "true" tags: f5,bigip,cve,cve2022,rce,mirai variables: @@ -64,3 +62,5 @@ requests: - "commandResult" - "8831-2202-EVC" condition: and + +# Enhanced by mp on 2022/05/19 diff --git a/cves/2022/CVE-2022-22954.yaml b/cves/2022/CVE-2022-22954.yaml index 0e994f63a0..066b1ec510 100644 --- a/cves/2022/CVE-2022-22954.yaml +++ b/cves/2022/CVE-2022-22954.yaml 
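Review bot: The rewritten `description` stops at "bypass iControl REST authentication" and no longer states the consequence, while the `rce` tag kept in the second hunk and the `commandResult` matcher in the last hunk are built around command execution; the removed text had that ("execute arbitrary system commands"). Suggest appending one sentence: `Successful exploitation allows an unauthenticated attacker to execute arbitrary system commands on the appliance.` The change of `verified: "true"` to the boolean `verified: true` is correct and should be kept.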
@@ -1,14 +1,16 @@ id: CVE-2022-22954 info: - name: VMware Workspace ONE Access - Freemarker SSTI + name: VMware Workspace ONE Access - Server-Side Template Injection author: sherlocksecurity severity: critical - description: An unauthenticated attacker with network access could exploit this vulnerability by sending a specially crafted request to a vulnerable VMware Workspace ONE or Identity Manager. Successful exploitation could result in remote code execution by exploiting a server-side template injection flaw. + description: | + VMware Workspace ONE Access is susceptible to a remote code execution vulnerability due to a server-side template injection flaw. An unauthenticated attacker with network access could exploit this vulnerability by sending a specially crafted request to a vulnerable VMware Workspace ONE or Identity Manager. reference: - https://www.tenable.com/blog/vmware-patches-multiple-vulnerabilities-in-workspace-one-vmsa-2022-0011 - https://www.vmware.com/security/advisories/VMSA-2022-0011.html - http://packetstormsecurity.com/files/166935/VMware-Workspace-ONE-Access-Template-Injection-Command-Execution.html + - https://nvd.nist.gov/vuln/detail/CVE-2022-22954 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -26,9 +28,12 @@ requests: matchers-condition: and matchers: - type: word + part: body words: - "Authorization context is not valid" - type: status status: - - 400 \ No newline at end of file + - 400 + +# Enhanced by mp on 2022/05/19 diff --git a/cves/2022/CVE-2022-22963.yaml b/cves/2022/CVE-2022-22963.yaml index 2ae6d138f3..d04177443d 100644 --- a/cves/2022/CVE-2022-22963.yaml +++ b/cves/2022/CVE-2022-22963.yaml 
@@ -1,17 +1,18 @@ id: CVE-2022-22963 info: - name: Spring Cloud Function SPEL RCE + name: Spring Cloud - Remote Code Execution author: Mr-xn,Adam Crosser severity: critical description: | - In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. + Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions are susceptible to remote code execution vulnerabilities. When using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. reference: - https://github.com/spring-cloud/spring-cloud-function/commit/0e89ee27b2e76138c16bcba6f4bca906c4f3744f - https://github.com/cckuailong/spring-cloud-function-SpEL-RCE - https://tanzu.vmware.com/security/cve-2022-22963 - https://nsfocusglobal.com/spring-cloud-function-spel-expression-injection-vulnerability-alert/ - https://github.com/vulhub/vulhub/tree/scf-spel/spring/spring-cloud-function-spel-injection + - https://nvd.nist.gov/vuln/detail/CVE-2022-22963 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -41,3 +42,5 @@ requests: - type: status status: - 500 + +# Enhanced by mp on 2022/05/19 diff --git a/cves/2022/CVE-2022-22965.yaml b/cves/2022/CVE-2022-22965.yaml index 7118050fe3..ff7b24531d 100644 --- a/cves/2022/CVE-2022-22965.yaml +++ b/cves/2022/CVE-2022-22965.yaml 
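Review bot: `name: Spring Cloud - Remote Code Execution` drops the component name, but the description on the next lines says the affected product is Spring Cloud Function 3.1.6/3.2.2 and older; "Spring Cloud" is the umbrella project and would also cover modules that CVE-2022-22963 does not affect. Suggest `name: Spring Cloud Function - Remote Code Execution` so the dashboard title matches the description and the id.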
@@ -1,7 +1,7 @@ id: CVE-2022-22965 info: - name: Spring Framework RCE via Data Binding on JDK 9+ (Spring4Shell) + name: Spring Framework - Remote Code Execution author: justmumu,arall,dhiyaneshDK,akincibor severity: critical description: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. @@ -11,12 +11,13 @@ info: - https://twitter.com/RandoriAttack/status/1509298490106593283 - https://mp.weixin.qq.com/s/kgw-O4Hsd9r2vfme3Y2Ynw - https://twitter.com/_0xf4n9x_/status/1509935429365100546 - remediation: 5.3.x users should upgrade to 5.3.18+, 5.2.x users should upgrade to 5.2.20+. + - https://nvd.nist.gov/vuln/detail/cve-2022-22965 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-22965 cwe-id: CWE-94 + remediation: 5.3.x users should upgrade to 5.3.18+, 5.2.x users should upgrade to 5.2.20+. tags: cve,cve2022,rce,spring,injection,oast,intrusive requests: @@ -24,19 +25,6 @@ requests: path: - "{{BaseURL}}/?class.module.classLoader.resources.context.configFile=https://{{interactsh-url}}&class.module.classLoader.resources.context.configFile.content.aaa=xxx" - matchers-condition: and - matchers: - - type: word - part: interactsh_protocol # Confirms the HTTP Interaction - words: - - "http" - - - type: word - part: interactsh_request - words: - - "User-Agent: Java" - case-insensitive: true - - method: POST path: - "{{BaseURL}}" @@ -58,4 +46,6 @@ requests: part: interactsh_request words: - "User-Agent: Java" - case-insensitive: true \ No newline at end of file + case-insensitive: true + +# Enhanced by mp on 2022/05/19 
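Review bot: After the third hunk the first request (the GET to `{{BaseURL}}/?class.module.classLoader.resources.context.configFile=https://{{interactsh-url}}…`) is still sent but has no `matchers` block left, so the out-of-band interaction it provokes is never evaluated and the template's verdict now rests only on the POST request that follows. If the GET probe was found unreliable, remove that request entry as well; if it is still meant to detect, restore a `matchers` section on it rather than leaving a matcher-less request that only generates traffic. In the second hunk `remediation:` is re-added directly after `cwe-id: CWE-94`; the collapsed diff does not show its indentation, and it has to stay at the `info` level as a sibling of `classification:` (where the removed line lived), not nested inside `classification`, since `remediation` is an `info` key. The added reference `https://nvd.nist.gov/vuln/detail/cve-2022-22965` is also the only lower-case CVE id among the references in this commit; use `CVE-2022-22965` for consistency.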
diff --git a/cves/2022/CVE-2022-26148.yaml b/cves/2022/CVE-2022-26148.yaml index e8cc13ed70..315b0b25a8 100644 --- a/cves/2022/CVE-2022-26148.yaml +++ b/cves/2022/CVE-2022-26148.yaml @@ -1,14 +1,15 @@ id: CVE-2022-26148 info: - name: Grafana Zabbix Integration - Credential Disclosure + name: Grafana & Zabbix Integration - Credential Disclosure author: Geekby severity: critical - description: An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address. + description: | + Grafana through 7.3.4, when integrated with Zabbix, contains a credential disclosure vulnerability. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address. reference: - - https://nvd.nist.gov/vuln/detail/CVE-2022-26148 - https://2k8.org/post-319.html - https://security.netapp.com/advisory/ntap-20220425-0005/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-26148 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -16,7 +17,7 @@ info: metadata: fofa-query: app="Grafana" shodan-query: title:"Grafana" - tags: cve,cve2022,grafana,zabbix + tags: cve,cve2022,grafana,zabbix,exposure requests: - method: GET @@ -50,4 +51,6 @@ requests: regex: - '"password":"(.*?)"' - '"username":"(.*?)"' - - '"url":"([a-z:/0-9.]+)\/api_jsonrpc\.php' \ No newline at end of file + - '"url":"([a-z:/0-9.]+)\/api_jsonrpc\.php' + +# Enhanced by mp on 2022/05/19 
diff --git a/cves/2022/CVE-2022-26352.yaml b/cves/2022/CVE-2022-26352.yaml index 711cc65c7a..b73a664312 100644 --- a/cves/2022/CVE-2022-26352.yaml +++ b/cves/2022/CVE-2022-26352.yaml @@ -1,13 +1,14 @@ id: CVE-2022-26352 info: - name: DotCMS Arbitrary File Upload + name: DotCMS - Arbitrary File Upload author: h1ei1 severity: critical - description: There is an arbitrary file upload vulnerability in the /api/content/ path of the DotCMS management system, and attackers can upload malicious Trojans to obtain server permissions. + description: DotCMS management system contains an arbitrary file upload vulnerability via the /api/content/ path which can allow attackers to upload malicious Trojans to obtain server permissions. reference: - https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/ - https://github.com/h1ei1/POC/tree/main/CVE-2022-26352 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26352 classification: cve-id: CVE-2022-26352 tags: cve,cve2022,rce,dotcms @@ -39,3 +40,5 @@ requests: - 'contains(body_2, "CVE-2022-26352")' - 'status_code_2 == 200' condition: and + +# Enhanced by mp on 2022/05/19 diff --git a/cves/2022/CVE-2022-29303.yaml b/cves/2022/CVE-2022-29303.yaml index f79aeb9a98..af28609590 100644 --- a/cves/2022/CVE-2022-29303.yaml +++ b/cves/2022/CVE-2022-29303.yaml @@ -10,9 +10,11 @@ info: - https://www.exploit-db.com/exploits/50940 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29303 - https://drive.google.com/drive/folders/1tGr-WExbpfvhRg31XCoaZOFLWyt3r60g?usp=sharing + classification: + cve-id: CVE-2022-29303 metadata: + verified: true shodan-query: http.html:"SolarView Compact" - verified: "true" tags: cve,cve2022,rce,injection variables: diff --git a/cves/2022/CVE-2022-29464.yaml b/cves/2022/CVE-2022-29464.yaml index 1fe6b91fec..ad4db0c895 100644 --- a/cves/2022/CVE-2022-29464.yaml +++ b/cves/2022/CVE-2022-29464.yaml 
@@ -1,15 +1,16 @@ id: CVE-2022-29464 info: - name: WSO2 Management - Unrestricted Arbitrary File Upload & Remote Code Execution + name: WSO2 Management - Arbitrary File Upload & Remote Code Execution author: luci,dhiyaneshDk severity: critical - description: Certain WSO2 products allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0. + description: | + Certain WSO2 products allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0. reference: - https://shanesec.github.io/2022/04/21/Wso2-Vul-Analysis-cve-2022-29464/ - https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738 - - https://nvd.nist.gov/vuln/detail/CVE-2022-29464 - https://github.com/hakivvi/CVE-2022-29464 + - https://nvd.nist.gov/vuln/detail/CVE-2022-29464 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -42,4 +43,6 @@ requests: matchers: - type: dsl dsl: - - "contains(body_2, 'WSO2-RCE-CVE-2022-29464')" \ No newline at end of file + - "contains(body_2, 'WSO2-RCE-CVE-2022-29464')" + +# Enhanced by mp on 2022/05/19 diff --git a/cves/2022/CVE-2022-30525.yaml b/cves/2022/CVE-2022-30525.yaml index 0b7408fff2..2f46378e32 100644 --- a/cves/2022/CVE-2022-30525.yaml +++ b/cves/2022/CVE-2022-30525.yaml 
@@ -1,16 +1,16 @@ id: CVE-2022-30525 info: - name: Zyxel Firewall - Unauthenticated RCE + name: Zyxel Firewall - OS Command Injection author: h1ei1,prajiteshsingh severity: critical description: | - The vulnerability affects Zyxel firewalls that support Zero Touch Provisioning (ZTP), including the ATP Series, VPN Series, and USG FLEX Series (including USG20-VPN and USG20W-VPN), allowing an unauthenticated remote attacker to target the affected device as nobody Execute arbitrary code as a user on. + An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, are susceptible to a command injection vulnerability which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device. reference: - https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/ - https://github.com/rapid7/metasploit-framework/pull/16563 - - https://nvd.nist.gov/vuln/detail/CVE-2022-30525 - https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml + - https://nvd.nist.gov/vuln/detail/CVE-2022-30525 classification: cve-id: CVE-2022-30525 metadata: @@ -36,3 +36,5 @@ requests: - type: status status: - 500 + +# Enhanced by mp on 2022/05/19 diff --git a/exposures/configs/laravel-env.yaml b/exposures/configs/laravel-env.yaml index a81e9775ca..0cbea65fd3 100644 --- a/exposures/configs/laravel-env.yaml +++ b/exposures/configs/laravel-env.yaml 
@@ -1,12 +1,19 @@ id: laravel-env info: - name: Laravel .env file accessible + name: Laravel - Sensitive Information Disclosure author: pxmme1337,dwisiswant0,geeknik,emenalf,adrianmf - severity: critical - description: Laravel uses the .env file to store sensitive information like database credentials and tokens. It should not be publicly accessible. + severity: high + description: | + A Laravel .env file was discovered, which stores sensitive information like database credentials and tokens. It should not be publicly accessible. reference: - https://laravel.com/docs/master/configuration#environment-configuration + - https://stackoverflow.com/questions/38331397/how-to-protect-env-file-in-laravel + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cve-id: + cwe-id: CWE-522 tags: config,exposure,laravel requests: @@ -37,6 +44,7 @@ requests: matchers-condition: and matchers: - type: regex + part: body regex: - "(?mi)^APP_(NAME|ENV|KEY|DEBUG|URL|PASSWORD)=" - "(?mi)^DB_(HOST|PASSWORD|DATABASE)=" @@ -45,3 +53,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/05/19 diff --git a/exposures/configs/phpinfo.yaml b/exposures/configs/phpinfo.yaml index de732be701..05322a12c7 100644 --- a/exposures/configs/phpinfo.yaml +++ b/exposures/configs/phpinfo.yaml @@ -3,6 +3,10 @@ id: phpinfo-files info: name: phpinfo Disclosure author: pdteam,daffainfo,meme-lord,dhiyaneshDK + description: | + A "PHP Info" page was found. The output of the phpinfo() command can reveal detailed PHP environment information. + remediation: | + Remove PHP Info pages from publicly accessible sites, or restrict access to authorized users only. severity: low tags: config,exposure,phpinfo @@ -32,6 +36,7 @@ requests: matchers-condition: and matchers: - type: word + part: body words: - "PHP Extension" - "PHP Version" 
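Review bot: `cve-id:` in the new `classification` block has no value, which YAML loads as null rather than an empty string or an absent key, and yamllint reports it under `empty-values`. This template has no CVE, so drop the line and keep `cvss-metrics`, `cvss-score` and `cwe-id`; the same bare `cve-id:` is added in the new classification blocks of wordpress-weak-credentials.yaml and qvisdvr-deserialization-rce.yaml. The severity change from critical to high agrees with the 8.3 score given here, so that pairing is consistent.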
diff --git a/file/electron/node-integration-enabled.yaml b/file/electron/node-integration-enabled.yaml index a2c58017d2..d0e3061b56 100644 --- a/file/electron/node-integration-enabled.yaml +++ b/file/electron/node-integration-enabled.yaml @@ -1,14 +1,15 @@ id: node-integration-enabled info: - name: Node Integration Enabled + name: Electron Applications - Cross-Site Scripting & Remote Code Execution author: me9187 severity: critical + description: | + Electron Applications is susceptible to remote code execution by way of cross-site scripting via nodeIntegration by calling require('child_process').exec('COMMAND');. reference: - https://blog.yeswehack.com/yeswerhackers/exploitation/pentesting-electron-applications/ - https://book.hacktricks.xyz/pentesting/pentesting-web/xss-to-rce-electron-desktop-apps tags: electron,file,nodejs - # nodeIntegration in Electron Applications means you can turn XSS into RCE by calling require('child_process').exec('COMMAND'); file: - extensions: @@ -19,3 +20,5 @@ file: - type: word words: - "nodeIntegration: true" + +# Enhanced by mp on 2022/05/19 diff --git a/fuzzing/wordpress-weak-credentials.yaml b/fuzzing/wordpress-weak-credentials.yaml index 0bec5f6f85..7c0be01ac7 100644 --- a/fuzzing/wordpress-weak-credentials.yaml +++ b/fuzzing/wordpress-weak-credentials.yaml @@ -1,9 +1,18 @@ id: wordpress-weak-credentials info: - name: WordPress Weak Credentials + name: WordPress - Weak Credentials author: evolutionsec severity: critical + description: | + Weak WordPress Credentials were discovered. + reference: + - https://www.wpwhitesecurity.com/strong-wordpress-passwords-wpscan/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N + cvss-score: 5.8 + cve-id: + cwe-id: CWE-522 tags: wordpress,default-login,fuzz requests: 
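Review bot: The new `description` in node-integration-enabled.yaml, `Electron Applications is susceptible to remote code execution by way of cross-site scripting via nodeIntegration …`, has a number-agreement error and buries the condition the matcher actually checks (`nodeIntegration: true`). Suggest `Electron applications that enable nodeIntegration allow a cross-site scripting bug to be escalated to remote code execution, because page scripts can reach Node.js APIs.` The `file:` block that holds the matcher continues outside the hunk.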
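Review bot: In wordpress-weak-credentials.yaml `severity: critical` is kept while the new `classification` gives `cvss-score: 5.8` with vector `CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N`, which is a medium rating, so the two fields now contradict each other. Either the vector under-states the impact (a valid login for a privileged WordPress account would typically be rated with high confidentiality and integrity impact) or the severity should be lowered to match; make vector, score and severity agree. The description `Weak WordPress Credentials were discovered.` could also say what the template does, e.g. `A WordPress login accepted a password from a list of weak credentials.`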
@@ -22,16 +31,20 @@ requests: passwords: helpers/wordlists/wp-passwords.txt threads: 50 attack: clusterbomb + stop-at-first-match: true matchers-condition: and matchers: - - type: status - status: - - 302 - type: word + part: header words: - '/wp-admin' - 'wordpress_logged_in' condition: and - part: header \ No newline at end of file + + - type: status + status: + - 302 + +# Enhanced by mp on 2022/05/19 diff --git a/iot/qvisdvr-deserialization-rce.yaml b/iot/qvisdvr-deserialization-rce.yaml index 23e643a70e..d4683196d1 100644 --- a/iot/qvisdvr-deserialization-rce.yaml +++ b/iot/qvisdvr-deserialization-rce.yaml @@ -4,8 +4,15 @@ info: name: QVISDVR JSF Deserialization - Remote Code Execution author: me9187 severity: critical + description: | + QVISDVR Java-Deserialization was discovered, which could allow remote code execution. reference: - https://twitter.com/Me9187/status/1414606876575162373 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cve-id: + cwe-id: CWE-77 tags: qvisdvr,rce,deserialization,jsf,iot requests: @@ -33,11 +40,14 @@ requests: matchers-condition: and matchers: - - type: status - status: - - 500 - type: word part: interactsh_protocol words: - - http \ No newline at end of file + - http + + - type: status + status: + - 500 + +# Enhanced by mp on 2022/05/19 diff --git a/misconfiguration/http-missing-security-headers.yaml b/misconfiguration/http-missing-security-headers.yaml index 62c50779b6..ec6e6003ca 100644 --- a/misconfiguration/http-missing-security-headers.yaml +++ b/misconfiguration/http-missing-security-headers.yaml 
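Review bot: In qvisdvr-deserialization-rce.yaml the new `cwe-id: CWE-77` (Command Injection) does not match the weakness the template describes; `name`, `description` and `tags` all say Java deserialization, for which CWE-502 (Deserialization of Untrusted Data) is the matching entry. Suggest `cwe-id: CWE-502`. The 10.0 score is consistent with the CVSS:3.0 vector given (scope changed, C:H/I:H/A:H), so only the CWE needs changing.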
@@ -4,7 +4,8 @@ info: name: HTTP Missing Security Headers author: socketz,geeknik,G4L1T0,convisoappsec,kurohost,dawid-czarnecki,forgedhallpass severity: info - description: It searches for missing security headers, but obviously, could be so less generic and could be useless for Bug Bounty. + description: | + This template searches for missing HTTP security headers. The impact of these missing headers can vary. tags: misconfig,generic requests: diff --git a/misconfiguration/jupyter-ipython-unauth.yaml b/misconfiguration/jupyter-ipython-unauth.yaml index c2b980f407..7ea15f99a0 100644 --- a/misconfiguration/jupyter-ipython-unauth.yaml +++ b/misconfiguration/jupyter-ipython-unauth.yaml @@ -1,11 +1,15 @@ id: jupyter-ipython-unauth info: - name: Jupyter ipython Unauth + name: Jupyter ipython - Authorization Bypass author: pentest_swissky severity: critical - description: Unauthenticated access to Jupyter instance - tags: unauth + description: Jupyter was able to be accessed without authentication. + classification: + cvss-score: 10.0 + cvss-metrics: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cwe-id: CWE-288 + tags: unauth,jupyter requests: - method: GET @@ -21,4 +25,6 @@ requests: words: - ipython/static/components - ipython/kernelspecs - part: body \ No newline at end of file + part: body + +# Enhanced by mp on 2022/05/20 diff --git a/misconfiguration/kubernetes/kubernetes-pods.yaml b/misconfiguration/kubernetes/kubernetes-pods.yaml index 310bec3667..3041df2584 100644 --- a/misconfiguration/kubernetes/kubernetes-pods.yaml +++ b/misconfiguration/kubernetes/kubernetes-pods.yaml 
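Review bot: In jupyter-ipython-unauth.yaml the new `cvss-metrics: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H` lacks the `CVSS:3.x/` version prefix that every other classification block in this commit carries, so tooling that parses the vector cannot tell which CVSS version it is. Suggest `cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H` and list `cvss-metrics` before `cvss-score` as the other templates do. The new `name: Jupyter ipython - Authorization Bypass` also disagrees with the description (`accessed without authentication`) and with `cwe-id: CWE-288`, both of which are about missing authentication; `Jupyter ipython - Authentication Bypass` would be consistent.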
@@ -1,11 +1,12 @@ id: kubernetes-pods-api info: - name: Kubernetes Pods API + name: Kubernetes Pods - API Discovery & Remote Code Execution author: ilovebinbash,geeknik,0xtavian severity: critical - description: When the service port is available, anyone can execute commands inside the container. See https://github.com/officialhocc/Kubernetes-Kubelet-RCE for inspiration. + description: A Kubernetes Pods API was discovered. When the service port is available, unauthenticated users can execute commands inside the container. reference: + - https://github.com/officialhocc/Kubernetes-Kubelet-RCE - https://blog.binaryedge.io/2018/12/06/kubernetes-being-hijacked-worldwide/ tags: k8,unauth,kubernetes,devops @@ -29,3 +30,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/05/20 diff --git a/misconfiguration/laravel-debug-enabled.yaml b/misconfiguration/laravel-debug-enabled.yaml index 6ccbc892bb..6b550771cc 100644 --- a/misconfiguration/laravel-debug-enabled.yaml +++ b/misconfiguration/laravel-debug-enabled.yaml @@ -4,7 +4,10 @@ info: name: Laravel Debug Enabled author: notsoevilweasel severity: medium - description: Laravel with APP_DEBUG set to true is prone to show verbose errors. + description: | + Laravel with APP_DEBUG set to true is prone to show verbose errors. + remediation: | + Disable Laravel's debug mode by setting APP_DEBUG to false. tags: debug,laravel,misconfig requests: @@ -15,6 +18,7 @@ requests: matchers-condition: and matchers: - type: word + part: body words: - can_execute_commands diff --git a/misconfiguration/misconfigured-docker.yaml b/misconfiguration/misconfigured-docker.yaml index f8654a5d7e..79d1061031 100644 --- a/misconfiguration/misconfigured-docker.yaml +++ b/misconfiguration/misconfigured-docker.yaml 
@@ -1,9 +1,10 @@ id: misconfigured-docker info: - name: Misconfigured Docker on Default Port + name: Docker Container - Misconfiguration Exposure author: dhiyaneshDK severity: critical + description: A Docker container misconfiguration was discovered. The Docker daemon can listen for Docker Engine API requests via three different types of Socket - unix, tcp, and fd. With tcp enabled, the default setup provides un-encrypted and un-authenticated direct access to the Docker daemon. It is conventional to use port 2375 for un-encrypted, and port 2376 for encrypted communication with the daemon. reference: - https://madhuakula.com/content/attacking-and-auditing-docker-containers-using-opensource/attacking-docker-containers/misconfiguration.html tags: docker,unauth,devops @@ -25,3 +26,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/05/20 diff --git a/misconfiguration/springboot/springboot-heapdump.yaml b/misconfiguration/springboot/springboot-heapdump.yaml index 51a66859dc..5e1e407c32 100644 --- a/misconfiguration/springboot/springboot-heapdump.yaml +++ b/misconfiguration/springboot/springboot-heapdump.yaml @@ -1,10 +1,12 @@ id: springboot-heapdump info: - name: Detect Springboot Heapdump Actuator + name: Spring Boot Actuator - Heap Dump Detection author: that_juan_,dwisiswant0,wdahlenb severity: critical - description: Environment variables and HTTP requests can be found in the HPROF + description: A Spring Boot Actuator heap dump was detected. A heap dump is a snapshot of JVM memory, which could expose environment variables and HTTP requests. + reference: + - https://github.com/pyn3rd/Spring-Boot-Vulnerability tags: springboot,exposure requests: @@ -28,3 +30,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/05/20 diff --git a/misconfiguration/unauthenticated-nacos-access.yaml b/misconfiguration/unauthenticated-nacos-access.yaml index 1c69ac5852..38b6ac2224 100644 --- a/misconfiguration/unauthenticated-nacos-access.yaml 
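Review bot: `name: Docker Container - Misconfiguration Exposure` misstates what the template finds: the new description (and the id `misconfigured-docker`) describe a Docker daemon whose Engine API listens on tcp without encryption or authentication, not a container, so something like `Docker Daemon - Unauthenticated API Exposure` would match both the description and the `unauth` tag. The description itself is one very long plain scalar; the other templates in this commit use `description: |` with the text on the following lines, which keeps lines within yamllint's length limit and is easier to read and diff.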
+++ b/misconfiguration/unauthenticated-nacos-access.yaml @@ -1,11 +1,13 @@ id: unauthenticated-nacos-access info: - name: Unauthenticated Nacos access v1.x + name: Nacos 1.x - Authentication Bypass author: taielab,pikpikcu severity: critical + description: "Nacos 1.x was discovered. A default Nacos instance needs to modify the application.properties configuration file or add the JVM startup variable Dnacos.core.auth.enabled=true to enable the authentication function (reference: https://nacos.io/en-us/docs/auth.html). But authentication can still be bypassed under certain circumstances and any interface can be called as in the following example that can add a new user (POST https://127.0.0.1:8848/nacos/v1/auth/users?username=test&password=test). That user can then log in to the console to access, modify, and add data." reference: - https://github.com/alibaba/nacos/issues/4593 + - https://nacos.io/en-us/docs/auth.html tags: nacos,unauth requests: @@ -34,3 +36,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/05/20 diff --git a/ssl/deprecated-tls.yaml b/ssl/deprecated-tls.yaml index c13005d1ed..f2d4a388e6 100644 --- a/ssl/deprecated-tls.yaml +++ b/ssl/deprecated-tls.yaml @@ -1,11 +1,15 @@ id: deprecated-tls info: - name: Deprecated TLS Detection (inferior to TLS 1.2) + name: Deprecated TLS Detection (TLS 1.1 or SSLv3) author: righettod severity: info reference: - https://ssl-config.mozilla.org/#config=intermediate + description: | + Both TLS 1.1 and SSLv3 are deprecated in favor of stronger encryption. + remediation: | + Update the web server's TLS configuration to disable TLS 1.1 and SSLv3. metadata: shodan-query: ssl.version:sslv2 ssl.version:sslv3 ssl.version:tlsv1 ssl.version:tlsv1.1 tags: ssl diff --git a/vulnerabilities/laravel/laravel-ignition-xss.yaml b/vulnerabilities/laravel/laravel-ignition-xss.yaml index e813a2d5cc..62ea4ee259 100644 --- a/vulnerabilities/laravel/laravel-ignition-xss.yaml 
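Review bot: The new `description` in unauthenticated-nacos-access.yaml is a single double-quoted scalar several hundred characters long that embeds a URL, a parenthetical and a sample request; it is hard to read and fragile, since any `"` added later must be escaped. Write it as `description: |` with one sentence per line, as the other templates in this commit do, and drop the `(reference: https://nacos.io/en-us/docs/auth.html)` parenthetical because the same link is added under `reference:` in this hunk. The fragment `JVM startup variable Dnacos.core.auth.enabled=true` is also missing the `-D` prefix of a JVM system property; write `-Dnacos.core.auth.enabled=true`.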
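Review bot: In deprecated-tls.yaml the new name `Deprecated TLS Detection (TLS 1.1 or SSLv3)` and the description `Both TLS 1.1 and SSLv3 are deprecated …` narrow the stated scope, while the `shodan-query` kept in the same hunk still lists `ssl.version:sslv2`, `ssl.version:sslv3`, `ssl.version:tlsv1` and `ssl.version:tlsv1.1`, and the removed name `(inferior to TLS 1.2)` covered all four. Unless the matcher (outside this hunk) was narrowed as well, keep SSLv2 and TLS 1.0 in the wording, e.g. `name: Deprecated TLS Detection (SSLv2, SSLv3, TLS 1.0 or TLS 1.1)` and `SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are deprecated in favour of TLS 1.2 or later.` with the remediation naming the same four. `description:` and `remediation:` are also inserted after `reference:` here, whereas every other template in this commit places them before it.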
+++ b/vulnerabilities/laravel/laravel-ignition-xss.yaml @@ -4,6 +4,10 @@ info: name: Laravel Ignition XSS author: 0x_Akoko severity: medium + description: | + Laravel's Ignition contains a cross-site scripting vulnerability when debug mode is enabled. + remediation: | + Disable Laravel's debug mode by setting APP_DEBUG to false. reference: - https://www.acunetix.com/vulnerabilities/web/laravel-ignition-reflected-cross-site-scripting/ - https://github.com/facade/ignition/issues/273 @@ -21,11 +25,11 @@ requests: words: - "Undefined index: --> in file" - - type: status - status: - - 500 - - type: word part: header words: - "text/html" + + - type: status + status: + - 500