parent
386b86878c
commit
809e87987c
|
@ -6,6 +6,8 @@ info:
|
|||
severity: high
|
||||
description: |
|
||||
The plugin does not validate a parameter which can be set to an arbitrary value, thus causing XSS via error message or RCE if allow_url_include is turned on.
|
||||
classification:
|
||||
cve-id: CVE-2022-0346
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/4b339390-d71a-44e0-8682-51a12bd2bfe6
|
||||
- https://wordpress.org/plugins/www-xml-sitemap-generator-org/
|
||||
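Review bot: the new `classification:` block carries only `cve-id: CVE-2022-0346`; the other CVE templates in this commit also record a `cwe-id` (e.g. `cwe-id: CWE-287`, `cwe-id: CWE-306`), so add the matching CWE here as well for consistency. The description already names two distinct outcomes ("XSS via error message or RCE if allow_url_include is turned on"), so the weakness class is clear enough to classify.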
|
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-1040
|
||||
|
||||
info:
|
||||
name: Sophos Firewall - RCE
|
||||
name: Sophos Firewall <=18.5 MR3 - Remote Code Execution
|
||||
author: For3stCo1d
|
||||
severity: critical
|
||||
description: |
|
||||
An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older.
|
||||
Sophos Firewall version v18.5 MR3 and older contains an authentication bypass vulnerability in the User Portal and Webadmin which could allow a remote attacker to execute code.
|
||||
reference:
|
||||
- https://github.com/killvxk/CVE-2022-1040
|
||||
- https://github.com/CronUp/Vulnerabilidades/blob/main/CVE-2022-1040_checker
|
||||
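Review bot: the `reference:` list for CVE-2022-1040 contains only third-party PoC/checker repositories (`- https://github.com/killvxk/CVE-2022-1040`, `- https://github.com/CronUp/Vulnerabilidades/...`); the other templates touched by this commit add an `nvd.nist.gov` entry, and the vendor advisory is the authoritative source for the "<=18.5 MR3" bound now stated in the name, so add at least one of those. The rewritten description itself reads well.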
|
@ -17,9 +17,9 @@ info:
|
|||
cve-id: CVE-2022-1040
|
||||
cwe-id: CWE-287
|
||||
metadata:
|
||||
shodan-query: http.title:"Sophos"
|
||||
verified: true
|
||||
tags: cve,cve2022,sophos,firewall,auth-bypass
|
||||
shodan-query: http.title:"Sophos"
|
||||
tags: cve,cve2022,sophos,firewall,auth-bypass,rce
|
||||
|
||||
requests:
|
||||
- method: POST
|
||||
|
@ -44,3 +44,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/19
|
||||
|
|
|
@ -5,9 +5,7 @@ info:
|
|||
author: dwisiswant0,Ph33r
|
||||
severity: critical
|
||||
description: |
|
||||
This F5 BIG-IP vulnerability can allow an unauthenticated attacker
|
||||
with network access to the BIG-IP system through the management
|
||||
port and/or self IP addresses to execute arbitrary system commands.
|
||||
F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, may allow undisclosed requests to bypass iControl REST authentication.
|
||||
reference:
|
||||
- https://twitter.com/GossiTheDog/status/1523566937414193153
|
||||
- https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/
|
||||
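Review bot: the replacement description drops the impact statement that the removed three lines carried ("execute arbitrary system commands") and now ends at "bypass iControl REST authentication", while the template keeps `tags: f5,bigip,cve,cve2022,rce,mirai`. Keep the detailed version list, but append a sentence stating that the bypass leads to unauthenticated command execution so the description matches the `rce` tag and the `critical` severity.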
|
@ -19,8 +17,8 @@ info:
|
|||
cve-id: CVE-2022-1388
|
||||
cwe-id: CWE-306
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: http.title:"BIG-IP®-+Redirect" +"Server"
|
||||
verified: "true"
|
||||
tags: f5,bigip,cve,cve2022,rce,mirai
|
||||
|
||||
variables:
|
||||
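Review bot: `verified: true` becomes `verified: "true"` in this hunk, changing the value from a YAML boolean to a string, while the Sophos hunk in the same commit leaves `verified: true` unquoted. Pick one form for the whole commit; if the metadata map is meant to hold strings, quote it everywhere, otherwise revert this line.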
|
@ -64,3 +62,5 @@ requests:
|
|||
- "commandResult"
|
||||
- "8831-2202-EVC"
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/05/19
|
||||
|
|
|
@ -1,14 +1,16 @@
|
|||
id: CVE-2022-22954
|
||||
|
||||
info:
|
||||
name: VMware Workspace ONE Access - Freemarker SSTI
|
||||
name: VMware Workspace ONE Access - Server-Side Template Injection
|
||||
author: sherlocksecurity
|
||||
severity: critical
|
||||
description: An unauthenticated attacker with network access could exploit this vulnerability by sending a specially crafted request to a vulnerable VMware Workspace ONE or Identity Manager. Successful exploitation could result in remote code execution by exploiting a server-side template injection flaw.
|
||||
description: |
|
||||
VMware Workspace ONE Access is susceptible to a remote code execution vulnerability due to a server-side template injection flaw. An unauthenticated attacker with network access could exploit this vulnerability by sending a specially crafted request to a vulnerable VMware Workspace ONE or Identity Manager.
|
||||
reference:
|
||||
- https://www.tenable.com/blog/vmware-patches-multiple-vulnerabilities-in-workspace-one-vmsa-2022-0011
|
||||
- https://www.vmware.com/security/advisories/VMSA-2022-0011.html
|
||||
- http://packetstormsecurity.com/files/166935/VMware-Workspace-ONE-Access-Template-Injection-Command-Execution.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-22954
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
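Review bot: the new name drops "Freemarker", the template engine the old name identified, and the rewritten description only says "a server-side template injection flaw" without naming it. Mention Freemarker in the description so the specific injection point is not lost in the generalised title.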
|
@ -26,9 +28,12 @@ requests:
|
|||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "Authorization context is not valid"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 400
|
||||
|
||||
# Enhanced by mp on 2022/05/19
|
||||
|
|
|
@ -1,17 +1,18 @@
|
|||
id: CVE-2022-22963
|
||||
|
||||
info:
|
||||
name: Spring Cloud Function SPEL RCE
|
||||
name: Spring Cloud - Remote Code Execution
|
||||
author: Mr-xn,Adam Crosser
|
||||
severity: critical
|
||||
description: |
|
||||
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
|
||||
Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions are susceptible to remote code execution vulnerabilities. When using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
|
||||
reference:
|
||||
- https://github.com/spring-cloud/spring-cloud-function/commit/0e89ee27b2e76138c16bcba6f4bca906c4f3744f
|
||||
- https://github.com/cckuailong/spring-cloud-function-SpEL-RCE
|
||||
- https://tanzu.vmware.com/security/cve-2022-22963
|
||||
- https://nsfocusglobal.com/spring-cloud-function-spel-expression-injection-vulnerability-alert/
|
||||
- https://github.com/vulhub/vulhub/tree/scf-spel/spring/spring-cloud-function-spel-injection
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-22963
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
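Review bot: the new `name: Spring Cloud - Remote Code Execution` drops "Function", yet the description and every reference are about Spring Cloud Function specifically ("Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions"). "Spring Cloud" alone covers many projects; use `Spring Cloud Function - Remote Code Execution`. Also, the description now says "remote code execution vulnerabilities" (plural) for what is a single SpEL routing-expression issue.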
|
@ -41,3 +42,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 500
|
||||
|
||||
# Enhanced by mp on 2022/05/19
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2022-22965
|
||||
|
||||
info:
|
||||
name: Spring Framework RCE via Data Binding on JDK 9+ (Spring4Shell)
|
||||
name: Spring Framework - Remote Code Execution
|
||||
author: justmumu,arall,dhiyaneshDK,akincibor
|
||||
severity: critical
|
||||
description: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
|
||||
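Review bot: renaming to `Spring Framework - Remote Code Execution` loses both the widely used alias "Spring4Shell" and the "via Data Binding on JDK 9+" condition that the old name carried, and neither survives anywhere else in the visible info block. Keep the alias in the name or add it to metadata so the template stays searchable, and keep the JDK 9+ qualifier since the description depends on it.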
|
@ -11,12 +11,13 @@ info:
|
|||
- https://twitter.com/RandoriAttack/status/1509298490106593283
|
||||
- https://mp.weixin.qq.com/s/kgw-O4Hsd9r2vfme3Y2Ynw
|
||||
- https://twitter.com/_0xf4n9x_/status/1509935429365100546
|
||||
remediation: 5.3.x users should upgrade to 5.3.18+, 5.2.x users should upgrade to 5.2.20+.
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2022-22965
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2022-22965
|
||||
cwe-id: CWE-94
|
||||
remediation: 5.3.x users should upgrade to 5.3.18+, 5.2.x users should upgrade to 5.2.20+.
|
||||
tags: cve,cve2022,rce,spring,injection,oast,intrusive
|
||||
|
||||
requests:
|
||||
|
@ -24,19 +25,6 @@ requests:
|
|||
path:
|
||||
- "{{BaseURL}}/?class.module.classLoader.resources.context.configFile=https://{{interactsh-url}}&class.module.classLoader.resources.context.configFile.content.aaa=xxx"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
words:
|
||||
- "http"
|
||||
|
||||
- type: word
|
||||
part: interactsh_request
|
||||
words:
|
||||
- "User-Agent: Java"
|
||||
case-insensitive: true
|
||||
|
||||
- method: POST
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
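Review bot: this hunk deletes an entire GET request (the `path:` with `class.module.classLoader.resources.context.configFile=https://{{interactsh-url}}...` and its two interactsh matchers), which is a change to what the template detects, bundled into a commit whose other hunks only touch descriptions and metadata. The commit page shows no rationale; either split it out or explain in the commit message why the GET probe is removed and why the remaining POST request is sufficient for the `oast` tag.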
|
@ -59,3 +47,5 @@ requests:
|
|||
words:
|
||||
- "User-Agent: Java"
|
||||
case-insensitive: true
|
||||
|
||||
# Enhanced by mp on 2022/05/19
|
||||
|
|
|
@ -1,14 +1,15 @@
|
|||
id: CVE-2022-26148
|
||||
|
||||
info:
|
||||
name: Grafana Zabbix Integration - Credential Disclosure
|
||||
name: Grafana & Zabbix Integration - Credential Disclosure
|
||||
author: Geekby
|
||||
severity: critical
|
||||
description: An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address.
|
||||
description: |
|
||||
Grafana through 7.3.4, when integrated with Zabbix, contains a credential disclosure vulnerability. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-26148
|
||||
- https://2k8.org/post-319.html
|
||||
- https://security.netapp.com/advisory/ntap-20220425-0005/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-26148
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
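Review bot: the sentence carried over into the new block scalar, "When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php", is hard to parse (who allows whom to register?) and reads as browser instructions rather than a vulnerability statement. Since the description is being rewritten anyway, reduce it to the fact: the Zabbix credentials and URL are embedded in the HTML source served at api_jsonrpc.php.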
|
@ -16,7 +17,7 @@ info:
|
|||
metadata:
|
||||
fofa-query: app="Grafana"
|
||||
shodan-query: title:"Grafana"
|
||||
tags: cve,cve2022,grafana,zabbix
|
||||
tags: cve,cve2022,grafana,zabbix,exposure
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
@ -51,3 +52,5 @@ requests:
|
|||
- '"password":"(.*?)"'
|
||||
- '"username":"(.*?)"'
|
||||
- '"url":"([a-z:/0-9.]+)\/api_jsonrpc\.php'
|
||||
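Review bot: the extractor `- '"url":"([a-z:/0-9.]+)\/api_jsonrpc\.php'` uses a character class that excludes `-`, `_` and uppercase letters, so a Zabbix URL with a hyphenated hostname (or a path segment containing an underscore) will not be captured even though the password and username extractors above it match. Widen the class to something like `[A-Za-z0-9._:/-]+` while this file is being touched.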
|
||||
# Enhanced by mp on 2022/05/19
|
||||
|
|
|
@ -1,13 +1,14 @@
|
|||
id: CVE-2022-26352
|
||||
|
||||
info:
|
||||
name: DotCMS Arbitrary File Upload
|
||||
name: DotCMS - Arbitrary File Upload
|
||||
author: h1ei1
|
||||
severity: critical
|
||||
description: There is an arbitrary file upload vulnerability in the /api/content/ path of the DotCMS management system, and attackers can upload malicious Trojans to obtain server permissions.
|
||||
description: DotCMS management system contains an arbitrary file upload vulnerability via the /api/content/ path which can allow attackers to upload malicious Trojans to obtain server permissions.
|
||||
reference:
|
||||
- https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/
|
||||
- https://github.com/h1ei1/POC/tree/main/CVE-2022-26352
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26352
|
||||
classification:
|
||||
cve-id: CVE-2022-26352
|
||||
tags: cve,cve2022,rce,dotcms
|
||||
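Review bot: the rewritten description still says attackers "upload malicious Trojans to obtain server permissions"; "Trojans" is the wrong term for an uploaded web shell or arbitrary file, and "server permissions" is vague. Also, unlike the other CVE templates in this commit, the description gives no affected version range and the classification has only `cve-id`; the references (assetnote write-up, MITRE) should allow adding the affected versions and a `cwe-id`.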
|
@ -39,3 +40,5 @@ requests:
|
|||
- 'contains(body_2, "CVE-2022-26352")'
|
||||
- 'status_code_2 == 200'
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/05/19
|
||||
|
|
|
@ -10,9 +10,11 @@ info:
|
|||
- https://www.exploit-db.com/exploits/50940
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29303
|
||||
- https://drive.google.com/drive/folders/1tGr-WExbpfvhRg31XCoaZOFLWyt3r60g?usp=sharing
|
||||
classification:
|
||||
cve-id: CVE-2022-29303
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: http.html:"SolarView Compact"
|
||||
verified: "true"
|
||||
tags: cve,cve2022,rce,injection
|
||||
|
||||
variables:
|
||||
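Review bot: `- https://drive.google.com/drive/folders/1tGr-WExbpfvhRg31XCoaZOFLWyt3r60g?usp=sharing` is a shared-drive folder, not a stable reference; it can be removed or made private by its owner at any time. Replace it with the advisory or write-up it contains, or drop it and keep the exploit-db and MITRE links. Same remark as for the F5 hunk on `verified: true` becoming `verified: "true"` here.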
|
|
|
@ -1,15 +1,16 @@
|
|||
id: CVE-2022-29464
|
||||
|
||||
info:
|
||||
name: WSO2 Management - Unrestricted Arbitrary File Upload & Remote Code Execution
|
||||
name: WSO2 Management - Arbitrary File Upload & Remote Code Execution
|
||||
author: luci,dhiyaneshDk
|
||||
severity: critical
|
||||
description: Certain WSO2 products allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0.
|
||||
description: |
|
||||
Certain WSO2 products allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0.
|
||||
reference:
|
||||
- https://shanesec.github.io/2022/04/21/Wso2-Vul-Analysis-cve-2022-29464/
|
||||
- https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-29464
|
||||
- https://github.com/hakivvi/CVE-2022-29464
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-29464
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
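Review bot: the description text is unchanged in this hunk and is only moved into a `description: |` block, which is fine, but the name change from "Unrestricted Arbitrary File Upload" to "Arbitrary File Upload" is not reflected anywhere else; keep "unrestricted" in the description (it already says "allow unrestricted file upload") so the two stay aligned. Moving the NVD link to the end of `reference:` is consistent with the other templates in this commit.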
|
@ -43,3 +44,5 @@ requests:
|
|||
- type: dsl
|
||||
dsl:
|
||||
- "contains(body_2, 'WSO2-RCE-CVE-2022-29464')"
|
||||
|
||||
# Enhanced by mp on 2022/05/19
|
||||
|
|
|
@ -1,16 +1,16 @@
|
|||
id: CVE-2022-30525
|
||||
|
||||
info:
|
||||
name: Zyxel Firewall - Unauthenticated RCE
|
||||
name: Zyxel Firewall - OS Command Injection
|
||||
author: h1ei1,prajiteshsingh
|
||||
severity: critical
|
||||
description: |
|
||||
The vulnerability affects Zyxel firewalls that support Zero Touch Provisioning (ZTP), including the ATP Series, VPN Series, and USG FLEX Series (including USG20-VPN and USG20W-VPN), allowing an unauthenticated remote attacker to target the affected device as nobody Execute arbitrary code as a user on.
|
||||
An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, are susceptible to a command injection vulnerability which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
|
||||
reference:
|
||||
- https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/
|
||||
- https://github.com/rapid7/metasploit-framework/pull/16563
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-30525
|
||||
- https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-30525
|
||||
classification:
|
||||
cve-id: CVE-2022-30525
|
||||
metadata:
|
||||
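Review bot: the new description no longer says the command injection is reachable without authentication, whereas the old name ("Unauthenticated RCE"), the old description ("allowing an unauthenticated remote attacker") and the Rapid7 reference title ("unauthenticated-remote-command-injection") all do, and the `critical` severity depends on it. Keep the firmware-version list from the new text but add "unauthenticated" to the attacker description. The new name `Zyxel Firewall - OS Command Injection` is otherwise the right fix for the garbled old description.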
|
@ -36,3 +36,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 500
|
||||
|
||||
# Enhanced by mp on 2022/05/19
|
||||
|
|
|
@ -1,12 +1,19 @@
|
|||
id: laravel-env
|
||||
|
||||
info:
|
||||
name: Laravel .env file accessible
|
||||
name: Laravel - Sensitive Information Disclosure
|
||||
author: pxmme1337,dwisiswant0,geeknik,emenalf,adrianmf
|
||||
severity: critical
|
||||
description: Laravel uses the .env file to store sensitive information like database credentials and tokens. It should not be publicly accessible.
|
||||
severity: high
|
||||
description: |
|
||||
A Laravel .env file was discovered, which stores sensitive information like database credentials and tokens. It should not be publicly accessible.
|
||||
reference:
|
||||
- https://laravel.com/docs/master/configuration#environment-configuration
|
||||
- https://stackoverflow.com/questions/38331397/how-to-protect-env-file-in-laravel
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
|
||||
cvss-score: 8.3
|
||||
cve-id:
|
||||
cwe-id: CWE-522
|
||||
tags: config,exposure,laravel
|
||||
|
||||
requests:
|
||||
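Review bot: the new `classification:` block contains an empty `cve-id:` key; this is not a CVE template (`id: laravel-env`), so drop the key rather than leave a null value that consumers have to special-case. Lowering `severity: critical` to `severity: high` is consistent with the stated `cvss-score: 8.3`.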
|
@ -37,6 +44,7 @@ requests:
|
|||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
part: body
|
||||
regex:
|
||||
- "(?mi)^APP_(NAME|ENV|KEY|DEBUG|URL|PASSWORD)="
|
||||
- "(?mi)^DB_(HOST|PASSWORD|DATABASE)="
|
||||
|
@ -45,3 +53,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/19
|
||||
|
|
|
@ -3,6 +3,10 @@ id: phpinfo-files
|
|||
info:
|
||||
name: phpinfo Disclosure
|
||||
author: pdteam,daffainfo,meme-lord,dhiyaneshDK
|
||||
description: |
|
||||
A "PHP Info" page was found. The output of the phpinfo() command can reveal detailed PHP environment information.
|
||||
remediation: |
|
||||
Remove PHP Info pages from publicly accessible sites, or restrict access to authorized users only.
|
||||
severity: low
|
||||
tags: config,exposure,phpinfo
|
||||
|
||||
|
@ -32,6 +36,7 @@ requests:
|
|||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "PHP Extension"
|
||||
- "PHP Version"
|
||||
|
|
|
@ -1,14 +1,15 @@
|
|||
id: node-integration-enabled
|
||||
|
||||
info:
|
||||
name: Node Integration Enabled
|
||||
name: Electron Applications - Cross-Site Scripting & Remote Code Execution
|
||||
author: me9187
|
||||
severity: critical
|
||||
description: |
|
||||
Electron Applications is susceptible to remote code execution by way of cross-site scripting via nodeIntegration by calling require('child_process').exec('COMMAND');.
|
||||
reference:
|
||||
- https://blog.yeswehack.com/yeswerhackers/exploitation/pentesting-electron-applications/
|
||||
- https://book.hacktricks.xyz/pentesting/pentesting-web/xss-to-rce-electron-desktop-apps
|
||||
tags: electron,file,nodejs
|
||||
# nodeIntegration in Electron Applications means you can turn XSS into RCE by calling require('child_process').exec('COMMAND');
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
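Review bot: the new description and the retained comment `# nodeIntegration in Electron Applications means you can turn XSS into RCE by calling require('child_process').exec('COMMAND');` say the same thing twice; drop the comment now that the description carries the explanation. The description also has a grammar error ("Electron Applications is susceptible"); write "Electron applications are susceptible" or name the flag: "An Electron application with nodeIntegration enabled is susceptible ...".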
|
@ -19,3 +20,5 @@ file:
|
|||
- type: word
|
||||
words:
|
||||
- "nodeIntegration: true"
|
||||
|
||||
# Enhanced by mp on 2022/05/19
|
||||
|
|
|
@ -1,9 +1,18 @@
|
|||
id: wordpress-weak-credentials
|
||||
|
||||
info:
|
||||
name: WordPress Weak Credentials
|
||||
name: WordPress - Weak Credentials
|
||||
author: evolutionsec
|
||||
severity: critical
|
||||
description: |
|
||||
Weak WordPress Credentials were discovered.
|
||||
reference:
|
||||
- https://www.wpwhitesecurity.com/strong-wordpress-passwords-wpscan/
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
|
||||
cvss-score: 5.8
|
||||
cve-id:
|
||||
cwe-id: CWE-522
|
||||
tags: wordpress,default-login,fuzz
|
||||
|
||||
requests:
|
||||
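Review bot: `severity: critical` is inconsistent with the classification added in this hunk, where `cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N` and `cvss-score: 5.8` sit in the Medium band; either the vector undersells a successful admin login (weak credentials that grant the WordPress dashboard would be C:H/I:H) or the severity should come down to match. The empty `cve-id:` key should also be removed, as in the laravel-env hunk.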
|
@ -22,16 +31,20 @@ requests:
|
|||
passwords: helpers/wordlists/wp-passwords.txt
|
||||
threads: 50
|
||||
attack: clusterbomb
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 302
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- '/wp-admin'
|
||||
- 'wordpress_logged_in'
|
||||
condition: and
|
||||
part: header
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 302
|
||||
|
||||
# Enhanced by mp on 2022/05/19
|
||||
|
|
|
@ -4,8 +4,15 @@ info:
|
|||
name: QVISDVR JSF Deserialization - Remote Code Execution
|
||||
author: me9187
|
||||
severity: critical
|
||||
description: |
|
||||
QVISDVR Java-Deserialization was discovered, which could allow remote code execution.
|
||||
reference:
|
||||
- https://twitter.com/Me9187/status/1414606876575162373
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||
cvss-score: 10.0
|
||||
cve-id:
|
||||
cwe-id: CWE-77
|
||||
tags: qvisdvr,rce,deserialization,jsf,iot
|
||||
|
||||
requests:
|
||||
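Review bot: `cwe-id: CWE-77` (Command Injection) does not match the weakness the name and description state ("JSF Deserialization", "Java-Deserialization was discovered"); CWE-502 (Deserialization of Untrusted Data) is the fitting class. The empty `cve-id:` key should be dropped as in the other non-CVE templates.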
|
@ -33,11 +40,14 @@ requests:
|
|||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 500
|
||||
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
words:
|
||||
- http
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 500
|
||||
|
||||
# Enhanced by mp on 2022/05/19
|
||||
|
|
|
@ -4,7 +4,8 @@ info:
|
|||
name: HTTP Missing Security Headers
|
||||
author: socketz,geeknik,G4L1T0,convisoappsec,kurohost,dawid-czarnecki,forgedhallpass
|
||||
severity: info
|
||||
description: It searches for missing security headers, but obviously, could be so less generic and could be useless for Bug Bounty.
|
||||
description: |
|
||||
This template searches for missing HTTP security headers. The impact of these missing headers can vary.
|
||||
tags: misconfig,generic
|
||||
|
||||
requests:
|
||||
|
|
|
@ -1,11 +1,15 @@
|
|||
id: jupyter-ipython-unauth
|
||||
|
||||
info:
|
||||
name: Jupyter ipython Unauth
|
||||
name: Jupyter ipython - Authorization Bypass
|
||||
author: pentest_swissky
|
||||
severity: critical
|
||||
description: Unauthenticated access to Jupyter instance
|
||||
tags: unauth
|
||||
description: Jupyter was able to be accessed without authentication.
|
||||
classification:
|
||||
cvss-score: 10.0
|
||||
cvss-metrics: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||
cwe-id: CWE-288
|
||||
tags: unauth,jupyter
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
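Review bot: `cvss-metrics: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H` lacks the `CVSS:3.0/` or `CVSS:3.1/` version prefix that every other vector in this commit carries, so add it. Separately, the new name says "Authorization Bypass" while the description says "accessed without authentication" and the old name said "Unauth"; this is an authentication issue, so name it "Unauthenticated Access" or "Authentication Bypass".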
|
@ -22,3 +26,5 @@ requests:
|
|||
- ipython/static/components
|
||||
- ipython/kernelspecs
|
||||
part: body
|
||||
|
||||
# Enhanced by mp on 2022/05/20
|
||||
|
|
|
@ -1,11 +1,12 @@
|
|||
id: kubernetes-pods-api
|
||||
|
||||
info:
|
||||
name: Kubernetes Pods API
|
||||
name: Kubernetes Pods - API Discovery & Remote Code Execution
|
||||
author: ilovebinbash,geeknik,0xtavian
|
||||
severity: critical
|
||||
description: When the service port is available, anyone can execute commands inside the container. See https://github.com/officialhocc/Kubernetes-Kubelet-RCE for inspiration.
|
||||
description: A Kubernetes Pods API was discovered. When the service port is available, unauthenticated users can execute commands inside the container.
|
||||
reference:
|
||||
- https://github.com/officialhocc/Kubernetes-Kubelet-RCE
|
||||
- https://blog.binaryedge.io/2018/12/06/kubernetes-being-hijacked-worldwide/
|
||||
tags: k8,unauth,kubernetes,devops
|
||||
|
||||
|
@ -29,3 +30,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/20
|
||||
|
|
|
@ -4,7 +4,10 @@ info:
|
|||
name: Laravel Debug Enabled
|
||||
author: notsoevilweasel
|
||||
severity: medium
|
||||
description: Laravel with APP_DEBUG set to true is prone to show verbose errors.
|
||||
description: |
|
||||
Laravel with APP_DEBUG set to true is prone to show verbose errors.
|
||||
remediation: |
|
||||
Disable Laravel's debug mode by setting APP_DEBUG to false.
|
||||
tags: debug,laravel,misconfig
|
||||
|
||||
requests:
|
||||
|
@ -15,6 +18,7 @@ requests:
|
|||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- can_execute_commands
|
||||
|
||||
|
|
|
@ -1,9 +1,10 @@
|
|||
id: misconfigured-docker
|
||||
|
||||
info:
|
||||
name: Misconfigured Docker on Default Port
|
||||
name: Docker Container - Misconfiguration Exposure
|
||||
author: dhiyaneshDK
|
||||
severity: critical
|
||||
description: A Docker container misconfiguration was discovered. The Docker daemon can listen for Docker Engine API requests via three different types of Socket - unix, tcp, and fd. With tcp enabled, the default setup provides un-encrypted and un-authenticated direct access to the Docker daemon. It is conventional to use port 2375 for un-encrypted, and port 2376 for encrypted communication with the daemon.
|
||||
reference:
|
||||
- https://madhuakula.com/content/attacking-and-auditing-docker-containers-using-opensource/attacking-docker-containers/misconfiguration.html
|
||||
tags: docker,unauth,devops
|
||||
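Review bot: the new `name: Docker Container - Misconfiguration Exposure` misnames the component; the description is about the Docker daemon listening on an unauthenticated tcp socket ("direct access to the Docker daemon", "port 2375 for un-encrypted"), not about a container. Use "Docker Daemon API - Unauthenticated Access" or similar so the name matches what the template detects.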
|
@ -25,3 +26,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/20
|
||||
|
|
|
@ -1,10 +1,12 @@
|
|||
id: springboot-heapdump
|
||||
|
||||
info:
|
||||
name: Detect Springboot Heapdump Actuator
|
||||
name: Spring Boot Actuator - Heap Dump Detection
|
||||
author: that_juan_,dwisiswant0,wdahlenb
|
||||
severity: critical
|
||||
description: Environment variables and HTTP requests can be found in the HPROF
|
||||
description: A Spring Boot Actuator heap dump was detected. A heap dump is a snapshot of JVM memory, which could expose environment variables and HTTP requests.
|
||||
reference:
|
||||
- https://github.com/pyn3rd/Spring-Boot-Vulnerability
|
||||
tags: springboot,exposure
|
||||
|
||||
requests:
|
||||
|
@ -28,3 +30,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/20
|
||||
|
|
|
@ -1,11 +1,13 @@
|
|||
id: unauthenticated-nacos-access
|
||||
|
||||
info:
|
||||
name: Unauthenticated Nacos access v1.x
|
||||
name: Nacos 1.x - Authentication Bypass
|
||||
author: taielab,pikpikcu
|
||||
severity: critical
|
||||
description: "Nacos 1.x was discovered. A default Nacos instance needs to modify the application.properties configuration file or add the JVM startup variable Dnacos.core.auth.enabled=true to enable the authentication function (reference: https://nacos.io/en-us/docs/auth.html). But authentication can still be bypassed under certain circumstances and any interface can be called as in the following example that can add a new user (POST https://127.0.0.1:8848/nacos/v1/auth/users?username=test&password=test). That user can then log in to the console to access, modify, and add data."
|
||||
reference:
|
||||
- https://github.com/alibaba/nacos/issues/4593
|
||||
- https://nacos.io/en-us/docs/auth.html
|
||||
tags: nacos,unauth
|
||||
|
||||
requests:
|
||||
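Review bot: the description's "add the JVM startup variable Dnacos.core.auth.enabled=true" is missing the leading dash; a JVM system property is passed as `-Dnacos.core.auth.enabled=true`, and as written the instruction would not work for someone following it. The description also embeds a step-by-step example request with a `127.0.0.1:8848` URL in a single very long double-quoted scalar; move it to a `description: |` block and keep the example out of the summary (the linked GitHub issue already documents it).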
|
@ -34,3 +36,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/20
|
||||
|
|
|
@ -1,11 +1,15 @@
|
|||
id: deprecated-tls
|
||||
|
||||
info:
|
||||
name: Deprecated TLS Detection (inferior to TLS 1.2)
|
||||
name: Deprecated TLS Detection (TLS 1.1 or SSLv3)
|
||||
author: righettod
|
||||
severity: info
|
||||
reference:
|
||||
- https://ssl-config.mozilla.org/#config=intermediate
|
||||
description: |
|
||||
Both TLS 1.1 and SSLv3 are deprecated in favor of stronger encryption.
|
||||
remediation: |
|
||||
Update the web server's TLS configuration to disable TLS 1.1 and SSLv3.
|
||||
metadata:
|
||||
shodan-query: ssl.version:sslv2 ssl.version:sslv3 ssl.version:tlsv1 ssl.version:tlsv1.1
|
||||
tags: ssl
|
||||
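Review bot: the new name "(TLS 1.1 or SSLv3)" and the description "Both TLS 1.1 and SSLv3 are deprecated" are narrower than what the template covers: the `shodan-query` added in the same hunk lists `sslv2`, `sslv3`, `tlsv1` and `tlsv1.1`, and the old name said "inferior to TLS 1.2". TLS 1.0 and SSLv2 are deprecated as well, so the name, description and remediation should list all four, or say "anything below TLS 1.2" as before.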
|
|
|
@ -4,6 +4,10 @@ info:
|
|||
name: Laravel Ignition XSS
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: |
|
||||
Laravel's Ignition contains a cross-site scripting vulnerability when debug mode is enabled.
|
||||
remediation: |
|
||||
Disable Laravel's debug mode by setting APP_DEBUG to false.
|
||||
reference:
|
||||
- https://www.acunetix.com/vulnerabilities/web/laravel-ignition-reflected-cross-site-scripting/
|
||||
- https://github.com/facade/ignition/issues/273
|
||||
|
@ -21,11 +25,11 @@ requests:
|
|||
words:
|
||||
- "Undefined index: --><svg onload=alert(document.domain)> in file"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 500
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 500
|
||||
|
|