Merge branch 'projectdiscovery:master' into dashboard

2022-05-23 17:24:43 -04:00 · 2022-05-23 17:24:43 -04:00 · bd5823ea54
parent 49b7f1f77d 52b8d0183f
commit bd5823ea54
5 changed files with 67 additions and 16 deletions
--- a/.new-additions
+++ b/.new-additions
@ -12,6 +12,7 @@ exposed-panels/jupyter-notebook.yaml
 exposed-panels/looker-panel.yaml
 exposures/files/xampp-environment-variables.yaml
 miscellaneous/robots-txt-endpoint.yaml
+misconfiguration/selenium-exposure.yaml
 ssl/self-signed-ssl.yaml
 token-spray/api-binaryedge.yaml
 token-spray/api-c99.yaml
--- a/cves/2019/CVE-2019-16932.yaml
+++ b/cves/2019/CVE-2019-16932.yaml
@ -3,7 +3,7 @@ id: CVE-2019-16932
 info:
  name: Visualizer < 3.3.1 - Blind Server-Side Request Forgery (SSRF)
  author: akincibor
-  severity: high
+  severity: critical
  description: |
    This plugin suffers from a blind SSRF vulnerability in the /wp-json/visualizer/v1/upload-data endpoint.
  classification:
@ -12,6 +12,12 @@ info:
    - https://wpscan.com/vulnerability/9892
    - https://nathandavison.com/blog/wordpress-visualizer-plugin-xss-and-ssrf
    - https://nvd.nist.gov/vuln/detail/CVE-2019-16932
+    - https://wordpress.org/plugins/visualizer/#developers
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
+    cvss-score: 10
+    cve-id: CVE-2019-16932
+    cwe-id: CWE-918
  tags: cve,cve2019,wp-plugin,ssrf,wordpress,xss,unauth

 requests:
--- a/misconfiguration/selenium-exposure.yaml
+++ b/misconfiguration/selenium-exposure.yaml
@ -0,0 +1,34 @@
+id: selenium-exposure
+
+info:
+  name: Selenium Node exposure
+  author: w0Tx
+  severity: high
+  description: |
+    If a Selenium Node is exposed without any form of authentication, RCE could be possible if chromium is configured. By default the port is 4444, still, most of the internet facing are done through reverse proxies.
+  reference:
+    - https://nutcrackerssecurity.github.io/selenium.html
+    - https://labs.detectify.com/2017/10/06/guest-blog-dont-leave-your-grid-wide-open/
+  metadata:
+    verified: true
+    shodan-query: "/wd/hub"
+  tags: selenium,misconfiguration,rce,chromium
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wd/hub"
+
+    redirects: true
+    max-redirects: 2
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'WebDriverRequest'
+          - '<title>WebDriver Hub</title>'
+        condition: or
+
+      - type: status
+        status:
+          - 200
--- a/vulnerabilities/sangfor/sangfor-edr-auth-bypass.yaml
+++ b/vulnerabilities/sangfor/sangfor-edr-auth-bypass.yaml
@ -4,29 +4,36 @@ info:
  name: Sangfor EDR Authentication Bypass
  author: princechaddha
  severity: high
-  description: A vulnerability in Sangfor EDR allows remote attackers to access the system with 'admin' privileges by accessing the login page directly using a provided username rather than going through the login
+  description: |
+    A vulnerability in Sangfor EDR allows remote attackers to access the system with 'admin' privileges by accessing the login page directly using a provided username rather than going through the login
    screen without providing a username.
+  metadata:
+    fofa-query: app="sangfor"
  tags: sangfor,auth-bypass,login

 requests:
  - method: GET
    path:
      - "{{BaseURL}}/ui/login.php?user=admin"
+
    matchers-condition: and
    matchers:
+      - type: word
+        part: body
+        words:
+          - "/download/edr_installer_"
+
+      - type: word
+        part: header
+        words:
+          - 'Set-Cookie=""'
+        negative: true
+
+      - type: word
+        part: header
+        words:
+          - 'Set-Cookie='
+
      - type: status
        status:
          - 302
-      - type: word
-        words:
-          - "/download/edr_installer_"
-        part: body
-      - type: word
-        words:
-          - 'Set-Cookie=""'
-        part: header
-        negative: true
-      - type: word
-        words:
-          - 'Set-Cookie='
-        part: header
--- a/vulnerabilities/sangfor/sangfor-edr-rce.yaml
+++ b/vulnerabilities/sangfor/sangfor-edr-rce.yaml
@ -7,6 +7,8 @@ info:
  description: A vulnerability in Sangfor EDR product allows remote unauthenticated users to cause the product to execute arbitrary commands.
  reference:
    - https://www.cnblogs.com/0day-li/p/13650452.html
+  metadata:
+    fofa-query: app="sangfor"
  tags: rce,sangfor

 requests:
@ -21,9 +23,10 @@ requests:
    matchers-condition: and
    matchers:
      - type: regex
+        part: body
        regex:
          - "root:.*:0:0:"
-        part: body
+
      - type: status
        status:
          - 200