Merge branch 'main' into updated-tags

patch-1
Ritik Chaddha 2024-01-26 13:48:21 +05:30
commit f9322db69d
2696 changed files with 19945 additions and 13833 deletions


@ -7,6 +7,8 @@ on:
paths:
- '**.yaml'
workflow_dispatch:
release:
types: [published]
jobs:
templates:


@ -3,51 +3,103 @@ on:
push:
paths:
- '.new-additions'
- 'http/cves/2015/CVE-2015-2794.yaml'
- 'http/cves/2023/CVE-2023-42343.yaml'
- 'http/cves/2023/CVE-2023-46574.yaml'
- 'http/exposures/docker-daemon-exposed.yaml'
- 'http/token-spray/api-openai.yaml'
- 'http/vulnerabilities/ruijie/ruijie-nmc-sync-rce.yaml'
- 'http/vulnerabilities/ruijie/ruijie-rg-eg-web-mis-rce.yaml'
- 'http/vulnerabilities/yonyou/yonyou-ksoa-dept-sqli.yaml'
- 'cloud/enum/aws-app-enum.yaml'
- 'cloud/enum/aws-s3-bucket-enum.yaml'
- 'cloud/enum/azure-db-enum.yaml'
- 'cloud/enum/azure-vm-cloud-enum.yaml'
- 'cloud/enum/azure-website-enum.yaml'
- 'cloud/enum/gcp-app-engine-enum.yaml'
- 'cloud/enum/gcp-bucket-enum.yaml'
- 'cloud/enum/gcp-firebase-app-enum.yaml'
- 'cloud/enum/gcp-firebase-rtdb-enum.yaml'
- 'http/cves/2023/CVE-2023-41109.yaml'
- 'network/misconfig/erlang-daemon.yaml'
- 'code/cves/2019/CVE-2019-14287.yaml'
- 'code/cves/2021/CVE-2021-3156.yaml'
- 'http/cves/2020/CVE-2020-12124.yaml'
- 'http/cves/2023/CVE-2023-50968.yaml'
- 'http/cves/2023/CVE-2023-51467.yaml'
- 'http/misconfiguration/cookies-without-httponly.yaml'
- 'http/misconfiguration/php/php-composer-binary.yaml'
- 'http/vulnerabilities/dahua/dahua-icc-backdoor-user.yaml'
- 'http/cves/2023/CVE-2023-44353.yaml'
- 'http/technologies/cisco-asa-detect.yaml'
- 'http/vulnerabilities/dlink/dlink-netgear-xss.yaml'
- 'http/exposed-panels/goodjob-dashboard.yaml'
- 'http/exposed-panels/onlyoffice-login-panel.yaml'
- 'http/cves/2023/CVE-2023-6379.yaml'
- 'http/misconfiguration/apache/apache-server-status.yaml'
- 'http/osint/piratebay.yaml'
- 'javascript/network/smb/smb-anonymous-access.yaml'
- 'javascript/network/smb/smb-shares.yaml'
- 'javascript/network/smb/smb-signing-not-required.yaml'
- 'javascript/network/smb/smb2-capabilities.yaml'
- 'http/cves/2023/CVE-2023-6623.yaml'
- 'http/cves/2024/CVE-2024-0352.yaml'
- 'http/default-logins/camunda/camunda-default-login.yaml'
- 'http/cves/2023/CVE-2023-50917.yaml'
- 'http/misconfiguration/cookies-without-httponly-secure.yaml'
- 'http/vulnerabilities/wanhu/wanhuoa-downloadservlet-lfi.yaml'
- 'code/privilege-escalation/linux/binary/privesc-aa-exec.yaml'
- 'code/privilege-escalation/linux/binary/privesc-ash.yaml'
- 'code/privilege-escalation/linux/binary/privesc-awk.yaml'
- 'code/privilege-escalation/linux/binary/privesc-bash.yaml'
- 'code/privilege-escalation/linux/binary/privesc-cdist.yaml'
- 'code/privilege-escalation/linux/binary/privesc-choom.yaml'
- 'code/privilege-escalation/linux/binary/privesc-cpulimit.yaml'
- 'code/privilege-escalation/linux/binary/privesc-csh.yaml'
- 'code/privilege-escalation/linux/binary/privesc-csvtool.yaml'
- 'code/privilege-escalation/linux/binary/privesc-dash.yaml'
- 'code/privilege-escalation/linux/binary/privesc-dc.yaml'
- 'code/privilege-escalation/linux/binary/privesc-distcc.yaml'
- 'code/privilege-escalation/linux/binary/privesc-elvish.yaml'
- 'code/privilege-escalation/linux/binary/privesc-enscript.yaml'
- 'code/privilege-escalation/linux/binary/privesc-env.yaml'
- 'code/privilege-escalation/linux/binary/privesc-expect.yaml'
- 'code/privilege-escalation/linux/binary/privesc-find.yaml'
- 'code/privilege-escalation/linux/binary/privesc-fish.yaml'
- 'code/privilege-escalation/linux/binary/privesc-flock.yaml'
- 'code/privilege-escalation/linux/binary/privesc-gawk.yaml'
- 'code/privilege-escalation/linux/binary/privesc-grc.yaml'
- 'code/privilege-escalation/linux/binary/privesc-ionice.yaml'
- 'code/privilege-escalation/linux/binary/privesc-julia.yaml'
- 'code/privilege-escalation/linux/binary/privesc-lftp.yaml'
- 'code/privilege-escalation/linux/binary/privesc-ltrace.yaml'
- 'code/privilege-escalation/linux/binary/privesc-lua.yaml'
- 'code/privilege-escalation/linux/binary/privesc-mawk.yaml'
- 'code/privilege-escalation/linux/binary/privesc-multitime.yaml'
- 'code/privilege-escalation/linux/binary/privesc-mysql.yaml'
- 'code/privilege-escalation/linux/binary/privesc-nawk.yaml'
- 'code/privilege-escalation/linux/binary/privesc-nice.yaml'
- 'code/privilege-escalation/linux/binary/privesc-node.yaml'
- 'code/privilege-escalation/linux/binary/privesc-nsenter.yaml'
- 'code/privilege-escalation/linux/binary/privesc-perl.yaml'
- 'code/privilege-escalation/linux/binary/privesc-pexec.yaml'
- 'code/privilege-escalation/linux/binary/privesc-php.yaml'
- 'code/privilege-escalation/linux/binary/privesc-posh.yaml'
- 'code/privilege-escalation/linux/binary/privesc-python.yaml'
- 'code/privilege-escalation/linux/binary/privesc-rake.yaml'
- 'code/privilege-escalation/linux/binary/privesc-rc.yaml'
- 'code/privilege-escalation/linux/binary/privesc-rlwrap.yaml'
- 'code/privilege-escalation/linux/binary/privesc-rpm.yaml'
- 'code/privilege-escalation/linux/binary/privesc-rpmdb.yaml'
- 'code/privilege-escalation/linux/binary/privesc-rpmverify.yaml'
- 'code/privilege-escalation/linux/binary/privesc-ruby.yaml'
- 'code/privilege-escalation/linux/binary/privesc-run-parts.yaml'
- 'code/privilege-escalation/linux/binary/privesc-sash.yaml'
- 'code/privilege-escalation/linux/binary/privesc-slsh.yaml'
- 'code/privilege-escalation/linux/binary/privesc-socat.yaml'
- 'code/privilege-escalation/linux/binary/privesc-softlimit.yaml'
- 'code/privilege-escalation/linux/binary/privesc-sqlite3.yaml'
- 'code/privilege-escalation/linux/binary/privesc-ssh-agent.yaml'
- 'code/privilege-escalation/linux/binary/privesc-sshpass.yaml'
- 'code/privilege-escalation/linux/binary/privesc-stdbuf.yaml'
- 'code/privilege-escalation/linux/binary/privesc-strace.yaml'
- 'code/privilege-escalation/linux/binary/privesc-tar.yaml'
- 'code/privilege-escalation/linux/binary/privesc-tcsh.yaml'
- 'code/privilege-escalation/linux/binary/privesc-time.yaml'
- 'code/privilege-escalation/linux/binary/privesc-timeout.yaml'
- 'code/privilege-escalation/linux/binary/privesc-tmate.yaml'
- 'code/privilege-escalation/linux/binary/privesc-torify.yaml'
- 'code/privilege-escalation/linux/binary/privesc-torsocks.yaml'
- 'code/privilege-escalation/linux/binary/privesc-unshare.yaml'
- 'code/privilege-escalation/linux/binary/privesc-vi.yaml'
- 'code/privilege-escalation/linux/binary/privesc-view.yaml'
- 'code/privilege-escalation/linux/binary/privesc-vim.yaml'
- 'code/privilege-escalation/linux/binary/privesc-xargs.yaml'
- 'code/privilege-escalation/linux/binary/privesc-xdg-user-dir.yaml'
- 'code/privilege-escalation/linux/binary/privesc-yash.yaml'
- 'code/privilege-escalation/linux/binary/privesc-zsh.yaml'
- 'code/privilege-escalation/linux/rw-shadow.yaml'
- 'code/privilege-escalation/linux/rw-sudoers.yaml'
- 'code/privilege-escalation/linux/sudo-nopasswd.yaml'
- 'code/privilege-escalation/linux/writable-etc-passwd.yaml'
- 'dns/dns-rebinding.yaml'
- 'http/cves/2018/CVE-2018-10942.yaml'
- 'http/cves/2023/CVE-2023-22527.yaml'
- 'http/cves/2023/CVE-2023-27639.yaml'
- 'http/cves/2023/CVE-2023-27640.yaml'
- 'http/cves/2023/CVE-2023-47211.yaml'
- 'http/cves/2023/CVE-2023-48023.yaml'
- 'http/cves/2023/CVE-2023-6023.yaml'
- 'http/cves/2023/CVE-2023-6875.yaml'
- 'http/cves/2024/CVE-2024-0204.yaml'
- 'http/default-logins/node-red/nodered-default-login.yaml'
- 'http/default-logins/powershell/powershell-default-login.yaml'
- 'http/exposed-panels/autoset-detect.yaml'
- 'http/exposed-panels/compalex-detect.yaml'
- 'http/exposed-panels/doris-panel.yaml'
- 'http/exposures/configs/vbulletin-path-disclosure.yaml'
- 'http/exposures/logs/go-pprof-debug.yaml'
- 'http/miscellaneous/defacement-detect.yaml'
- 'http/misconfiguration/doris-dashboard.yaml'
- 'http/vulnerabilities/apache/apache-nifi-rce.yaml'
- 'http/vulnerabilities/juniper/junos-xss.yaml'
- 'http/vulnerabilities/prestashop/prestashop-blocktestimonial-file-upload.yaml'
- 'http/vulnerabilities/vbulletin/vbulletin-backdoor.yaml'
workflow_dispatch:
jobs:
triggerRemoteWorkflow:


@ -1,44 +1,97 @@
cloud/enum/aws-app-enum.yaml
cloud/enum/aws-s3-bucket-enum.yaml
cloud/enum/azure-db-enum.yaml
cloud/enum/azure-vm-cloud-enum.yaml
cloud/enum/azure-website-enum.yaml
cloud/enum/gcp-app-engine-enum.yaml
cloud/enum/gcp-bucket-enum.yaml
cloud/enum/gcp-firebase-app-enum.yaml
cloud/enum/gcp-firebase-rtdb-enum.yaml
code/cves/2019/CVE-2019-14287.yaml
code/cves/2021/CVE-2021-3156.yaml
http/cves/2015/CVE-2015-2794.yaml
http/cves/2020/CVE-2020-12124.yaml
http/cves/2023/CVE-2023-41109.yaml
http/cves/2023/CVE-2023-42343.yaml
http/cves/2023/CVE-2023-44353.yaml
http/cves/2023/CVE-2023-46574.yaml
http/cves/2023/CVE-2023-50917.yaml
http/cves/2023/CVE-2023-50968.yaml
http/cves/2023/CVE-2023-51467.yaml
http/cves/2023/CVE-2023-6379.yaml
http/cves/2023/CVE-2023-6623.yaml
http/cves/2024/CVE-2024-0352.yaml
http/default-logins/camunda/camunda-default-login.yaml
http/exposed-panels/goodjob-dashboard.yaml
http/exposed-panels/onlyoffice-login-panel.yaml
http/exposures/docker-daemon-exposed.yaml
http/misconfiguration/apache/apache-server-status.yaml
http/misconfiguration/cookies-without-httponly-secure.yaml
http/misconfiguration/php/php-composer-binary.yaml
http/osint/piratebay.yaml
http/technologies/cisco-asa-detect.yaml
http/token-spray/api-openai.yaml
http/vulnerabilities/dahua/dahua-icc-backdoor-user.yaml
http/vulnerabilities/dlink/dlink-netgear-xss.yaml
http/vulnerabilities/ruijie/ruijie-nmc-sync-rce.yaml
http/vulnerabilities/ruijie/ruijie-rg-eg-web-mis-rce.yaml
http/vulnerabilities/wanhu/wanhuoa-downloadservlet-lfi.yaml
http/vulnerabilities/yonyou/yonyou-ksoa-dept-sqli.yaml
javascript/network/smb/smb-anonymous-access.yaml
javascript/network/smb/smb-shares.yaml
javascript/network/smb/smb-signing-not-required.yaml
javascript/network/smb/smb2-capabilities.yaml
network/misconfig/erlang-daemon.yaml
code/privilege-escalation/linux/binary/privesc-aa-exec.yaml
code/privilege-escalation/linux/binary/privesc-ash.yaml
code/privilege-escalation/linux/binary/privesc-awk.yaml
code/privilege-escalation/linux/binary/privesc-bash.yaml
code/privilege-escalation/linux/binary/privesc-cdist.yaml
code/privilege-escalation/linux/binary/privesc-choom.yaml
code/privilege-escalation/linux/binary/privesc-cpulimit.yaml
code/privilege-escalation/linux/binary/privesc-csh.yaml
code/privilege-escalation/linux/binary/privesc-csvtool.yaml
code/privilege-escalation/linux/binary/privesc-dash.yaml
code/privilege-escalation/linux/binary/privesc-dc.yaml
code/privilege-escalation/linux/binary/privesc-distcc.yaml
code/privilege-escalation/linux/binary/privesc-elvish.yaml
code/privilege-escalation/linux/binary/privesc-enscript.yaml
code/privilege-escalation/linux/binary/privesc-env.yaml
code/privilege-escalation/linux/binary/privesc-expect.yaml
code/privilege-escalation/linux/binary/privesc-find.yaml
code/privilege-escalation/linux/binary/privesc-fish.yaml
code/privilege-escalation/linux/binary/privesc-flock.yaml
code/privilege-escalation/linux/binary/privesc-gawk.yaml
code/privilege-escalation/linux/binary/privesc-grc.yaml
code/privilege-escalation/linux/binary/privesc-ionice.yaml
code/privilege-escalation/linux/binary/privesc-julia.yaml
code/privilege-escalation/linux/binary/privesc-lftp.yaml
code/privilege-escalation/linux/binary/privesc-ltrace.yaml
code/privilege-escalation/linux/binary/privesc-lua.yaml
code/privilege-escalation/linux/binary/privesc-mawk.yaml
code/privilege-escalation/linux/binary/privesc-multitime.yaml
code/privilege-escalation/linux/binary/privesc-mysql.yaml
code/privilege-escalation/linux/binary/privesc-nawk.yaml
code/privilege-escalation/linux/binary/privesc-nice.yaml
code/privilege-escalation/linux/binary/privesc-node.yaml
code/privilege-escalation/linux/binary/privesc-nsenter.yaml
code/privilege-escalation/linux/binary/privesc-perl.yaml
code/privilege-escalation/linux/binary/privesc-pexec.yaml
code/privilege-escalation/linux/binary/privesc-php.yaml
code/privilege-escalation/linux/binary/privesc-posh.yaml
code/privilege-escalation/linux/binary/privesc-python.yaml
code/privilege-escalation/linux/binary/privesc-rake.yaml
code/privilege-escalation/linux/binary/privesc-rc.yaml
code/privilege-escalation/linux/binary/privesc-rlwrap.yaml
code/privilege-escalation/linux/binary/privesc-rpm.yaml
code/privilege-escalation/linux/binary/privesc-rpmdb.yaml
code/privilege-escalation/linux/binary/privesc-rpmverify.yaml
code/privilege-escalation/linux/binary/privesc-ruby.yaml
code/privilege-escalation/linux/binary/privesc-run-parts.yaml
code/privilege-escalation/linux/binary/privesc-sash.yaml
code/privilege-escalation/linux/binary/privesc-slsh.yaml
code/privilege-escalation/linux/binary/privesc-socat.yaml
code/privilege-escalation/linux/binary/privesc-softlimit.yaml
code/privilege-escalation/linux/binary/privesc-sqlite3.yaml
code/privilege-escalation/linux/binary/privesc-ssh-agent.yaml
code/privilege-escalation/linux/binary/privesc-sshpass.yaml
code/privilege-escalation/linux/binary/privesc-stdbuf.yaml
code/privilege-escalation/linux/binary/privesc-strace.yaml
code/privilege-escalation/linux/binary/privesc-tar.yaml
code/privilege-escalation/linux/binary/privesc-tcsh.yaml
code/privilege-escalation/linux/binary/privesc-time.yaml
code/privilege-escalation/linux/binary/privesc-timeout.yaml
code/privilege-escalation/linux/binary/privesc-tmate.yaml
code/privilege-escalation/linux/binary/privesc-torify.yaml
code/privilege-escalation/linux/binary/privesc-torsocks.yaml
code/privilege-escalation/linux/binary/privesc-unshare.yaml
code/privilege-escalation/linux/binary/privesc-vi.yaml
code/privilege-escalation/linux/binary/privesc-view.yaml
code/privilege-escalation/linux/binary/privesc-vim.yaml
code/privilege-escalation/linux/binary/privesc-xargs.yaml
code/privilege-escalation/linux/binary/privesc-xdg-user-dir.yaml
code/privilege-escalation/linux/binary/privesc-yash.yaml
code/privilege-escalation/linux/binary/privesc-zsh.yaml
code/privilege-escalation/linux/rw-shadow.yaml
code/privilege-escalation/linux/rw-sudoers.yaml
code/privilege-escalation/linux/sudo-nopasswd.yaml
code/privilege-escalation/linux/writable-etc-passwd.yaml
dns/dns-rebinding.yaml
http/cves/2018/CVE-2018-10942.yaml
http/cves/2023/CVE-2023-22527.yaml
http/cves/2023/CVE-2023-27639.yaml
http/cves/2023/CVE-2023-27640.yaml
http/cves/2023/CVE-2023-47211.yaml
http/cves/2023/CVE-2023-48023.yaml
http/cves/2023/CVE-2023-6023.yaml
http/cves/2023/CVE-2023-6875.yaml
http/cves/2024/CVE-2024-0204.yaml
http/default-logins/node-red/nodered-default-login.yaml
http/default-logins/powershell/powershell-default-login.yaml
http/exposed-panels/autoset-detect.yaml
http/exposed-panels/compalex-detect.yaml
http/exposed-panels/doris-panel.yaml
http/exposures/configs/vbulletin-path-disclosure.yaml
http/exposures/logs/go-pprof-debug.yaml
http/miscellaneous/defacement-detect.yaml
http/misconfiguration/doris-dashboard.yaml
http/vulnerabilities/apache/apache-nifi-rce.yaml
http/vulnerabilities/juniper/junos-xss.yaml
http/vulnerabilities/prestashop/prestashop-blocktestimonial-file-upload.yaml
http/vulnerabilities/vbulletin/vbulletin-backdoor.yaml


@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|--------------|-------|------------|-------|----------|-------|------|-------|
| cve | 2296 | dhiyaneshdk | 1123 | http | 6913 | info | 3337 | file | 312 |
| panel | 1038 | dwisiswant0 | 801 | file | 312 | high | 1458 | dns | 18 |
| wordpress | 938 | daffainfo | 788 | workflows | 191 | medium | 1439 | | |
| xss | 848 | pikpikcu | 353 | network | 131 | critical | 919 | | |
| exposure | 844 | pussycat0x | 307 | ssl | 27 | low | 248 | | |
| wp-plugin | 812 | ritikchaddha | 298 | javascript | 21 | unknown | 34 | | |
| osint | 677 | pdteam | 286 | dns | 17 | | | | |
| tech | 649 | ricardomaia | 229 | headless | 11 | | | | |
| lfi | 619 | geeknik | 224 | code | 3 | | | | |
| edb | 598 | theamanrawat | 221 | cves.json | 1 | | | | |
| cve | 2318 | dhiyaneshdk | 1135 | http | 6947 | info | 3351 | file | 312 |
| panel | 1040 | dwisiswant0 | 801 | file | 312 | high | 1471 | dns | 20 |
| wordpress | 941 | daffainfo | 789 | workflows | 191 | medium | 1445 | | |
| xss | 851 | pikpikcu | 353 | network | 132 | critical | 933 | | |
| exposure | 850 | pussycat0x | 313 | ssl | 27 | low | 251 | | |
| wp-plugin | 815 | ritikchaddha | 298 | javascript | 25 | unknown | 34 | | |
| osint | 678 | pdteam | 286 | dns | 17 | | | | |
| tech | 650 | ricardomaia | 229 | headless | 11 | | | | |
| lfi | 622 | geeknik | 225 | cloud | 9 | | | | |
| edb | 598 | theamanrawat | 221 | code | 5 | | | | |
**534 directories, 7902 files**.
**545 directories, 7957 files**.
</td>
</tr>




@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|--------------|-------|------------|-------|----------|-------|------|-------|
| cve | 2296 | dhiyaneshdk | 1123 | http | 6913 | info | 3337 | file | 312 |
| panel | 1038 | dwisiswant0 | 801 | file | 312 | high | 1458 | dns | 18 |
| wordpress | 938 | daffainfo | 788 | workflows | 191 | medium | 1439 | | |
| xss | 848 | pikpikcu | 353 | network | 131 | critical | 919 | | |
| exposure | 844 | pussycat0x | 307 | ssl | 27 | low | 248 | | |
| wp-plugin | 812 | ritikchaddha | 298 | javascript | 21 | unknown | 34 | | |
| osint | 677 | pdteam | 286 | dns | 17 | | | | |
| tech | 649 | ricardomaia | 229 | headless | 11 | | | | |
| lfi | 619 | geeknik | 224 | code | 3 | | | | |
| edb | 598 | theamanrawat | 221 | cves.json | 1 | | | | |
| cve | 2318 | dhiyaneshdk | 1135 | http | 6947 | info | 3351 | file | 312 |
| panel | 1040 | dwisiswant0 | 801 | file | 312 | high | 1471 | dns | 20 |
| wordpress | 941 | daffainfo | 789 | workflows | 191 | medium | 1445 | | |
| xss | 851 | pikpikcu | 353 | network | 132 | critical | 933 | | |
| exposure | 850 | pussycat0x | 313 | ssl | 27 | low | 251 | | |
| wp-plugin | 815 | ritikchaddha | 298 | javascript | 25 | unknown | 34 | | |
| osint | 678 | pdteam | 286 | dns | 17 | | | | |
| tech | 650 | ricardomaia | 229 | headless | 11 | | | | |
| lfi | 622 | geeknik | 225 | cloud | 9 | | | | |
| edb | 598 | theamanrawat | 221 | code | 5 | | | | |


@ -8,7 +8,7 @@ info:
Searches for Azure virtual machines via their registered DNS names.
metadata:
verified: true
tags: cloud,enum,cloud-enum,azure
tags: cloud,cloud-enum,azure,fuzz,enum
self-contained: true
@ -62,4 +62,4 @@ dns:
part: answer
words:
- "IN\tA"
# digest: 4b0a004830460221008d223bfdb3585e335e8282ca206945a6f7704dab4a2899d3410229bf0db7132d022100b9de9af2b393a559575b67a5b25b6334fe8cddd1ceed5059ee634dc3b0292d50:922c64590222798bb761d5b6d8e72950
# digest: 4b0a00483046022100f91b6621181f8a7317c1ffc179ec2b81e33c8dd0dd28cc4871b13ffbb794ce84022100e7424a97fab1f6b745d735e7dad8f13b08ad36732b24216ae2826611af634318:922c64590222798bb761d5b6d8e72950


@ -33,4 +33,4 @@ http:
- 200
- 302
condition: or
# digest: 490a00463044022001ff1a4cff9e33f3817df1e824a00e35f76c6f8e22cd34e3616e452978dc46f702200913c7710eba2b3df98325a1bb7da86b55cde6d4a3d7199a7d952f1f7988a3fa:922c64590222798bb761d5b6d8e72950
# digest: 4a0a0047304502204e87fb6ea9b294616dce1e74e429d8a83672921a242d1b3421a0c553eba83894022100bf53c3468808e2316f9194022db3618093873de428109de1984d0664f6bc89ee:922c64590222798bb761d5b6d8e72950


@ -39,4 +39,4 @@ http:
- "status_code==302"
- contains(location, "login")
condition: and
# digest: 490a0046304402204edc5a3fc90ff80b8397219e37a716d5b582c9821dbb0edda2c52c585aa241ca022067b0c7178f7f345975f765bdd56afc967505028e459ed113c8fbd450a1dcb76a:922c64590222798bb761d5b6d8e72950
# digest: 490a00463044022017250b6b9f7ccf30e614e7bfb992e2e9ec13fd27556137cf4b13dc2f2a8c70b602200e352bbaebbd9dfbced84b3f9dff65c9d1b3dac47a0eec812b738a987931a14c:922c64590222798bb761d5b6d8e72950


@ -36,4 +36,4 @@ http:
name: "Protected GCP Bucket"
status:
- 403
# digest: 490a004630440220549241cfe0dbdadf24bcbdabd6cbf8e82a45bea577710e8409da53f3bdef37d202203bab8b09dea7b68aafc32f8214b331ee6dc4dbe85c0e7a34693b8062dec6fb6a:922c64590222798bb761d5b6d8e72950
# digest: 4b0a00483046022100baff7bb9e12a115a59a755c8188c3544cc8497dc3a17860023486de9f4992def02210096b193c8507208f3d30cd9fc716d4be46cd9acb83418f2fa62f0d10ce305d026:922c64590222798bb761d5b6d8e72950


@ -31,4 +31,4 @@ http:
name: "Open GCP Firebase App"
status:
- 200
# digest: 490a004630440220721a516d58d71b3c20990c97c22986fd212caafa366f2641bdb4fe9df0a53f9802205ecd4bfcda0808d5002e9d1194e0ec0f4d2b2f2140170c0df4ffb11372a6470f:922c64590222798bb761d5b6d8e72950
# digest: 4a0a00473045022065f44c35d042a0e98f90303a7f4181c0644c2e2fb8c7344c42d13104f89a454a022100cf17441e1fdb9ae05d7bdfca68f98abf3a4794b4d24e8ec69083e6323e96c39f:922c64590222798bb761d5b6d8e72950


@ -47,4 +47,4 @@ http:
name: "Deactivated GCP Firebase RTDB"
status:
- 423
# digest: 490a0046304402200dcb47ae02c77c619eea0d95a6ab7dc9f2be071cea09abee3a7ab748b11e561c022034956ced05346f9cfcc9d425d92fa1242c979572e8ae02030496597f64ccfe82:922c64590222798bb761d5b6d8e72950
# digest: 490a0046304402207b555ae31d639c4a2fa71c2988103f8eb74cd24ca8b3304e33059facb0c9275f02203b74c0ab6645d3c30970046284fffbea86b75f0bcf40192f6021b2297b616b7d:922c64590222798bb761d5b6d8e72950


@ -15,13 +15,11 @@ info:
cvss-score: 9.8
cve-id: CVE-2023-49105
cwe-id: CWE-287
cpe: cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*
epss-score: 0.00091
epss-percentile: 0.38353
cpe: cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: owncloud
max-request: 2
product: owncloud
shodan-query: title:"owncloud"
tags: cve,cve2023,code,owncloud,auth-bypass
@ -86,4 +84,4 @@ http:
- type: dsl
dsl:
- '"Username => "+ username'
# digest: 4a0a00473045022100f17bb3bb403b74c4e84e6190df79bf767df834017742b4b95607de42a3d948bb02205f2f1de3f09d31920d6bf102ba93c1ad271809327b5997d8d58e9f97f2886c11:922c64590222798bb761d5b6d8e72950
# digest: 4a0a00473045022100f1395fdef2764cce1bd751a6a94c3f89afc0fb10d9437288388d31d6460a983002203d431b3492fa8d2501b3387ae3cf0f975385c21f7ac74d2deafcf878645c6f45:922c64590222798bb761d5b6d8e72950
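Review bot: The `code` entry in `tags: cve,cve2023,code,owncloud,auth-bypass` now collides with the `code` tag that this same commit introduces for code-protocol templates (every new `privesc-*` template is tagged `code,linux,...`), yet this template is an `http:` template as the second hunk header shows. Anyone running `nuclei -tags code` to select local-execution checks will also fire this remote ownCloud probe, and the TEMPLATES-STATS `code` count becomes meaningless. If `code` here is meant to denote something product-specific it should be renamed; otherwise drop it, e.g. `tags: cve,cve2023,owncloud,auth-bypass`. The `info` block starts above this hunk, so I cannot see whether another field already carries that meaning.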


@ -0,0 +1,48 @@
id: privesc-aa-exec
info:
name: aa-exec - Privilege Escalation
author: daffainfo
severity: high
description: |
aa-exec is used to launch a program confined by the specified profile and or namespace.
reference:
- https://gtfobins.github.io/gtfobins/aa-exec/
metadata:
verified: true
tags: code,linux,aa-exec,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
aa-exec whoami
- engine:
- sh
- bash
source: |
sudo aa-exec whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a00463044022052655e82a2302e3930061a3e1ca4ea0c65ab553c1a688654c29f9f50eecb29690220468307131c8570d5c7c58b629e5cb7c069c1078dea98d211b619b0a9de1f6f69:922c64590222798bb761d5b6d8e72950
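Review bot: `sudo aa-exec whoami` in the third code block runs sudo without `-n`, so on a host where sudo requires a password and the scan has a tty attached it will sit on the password prompt until sudo's own timeout (minutes by default) instead of failing at once; `sudo -n aa-exec whoami` makes the probe non-interactive and still prints `root` when a NOPASSWD rule exists. Without a tty sudo already aborts with "a terminal is required", which is presumably why this did not show up in testing. Every `privesc-*` template added in this commit repeats the same `sudo <bin>` line, so the `-n` belongs in all of them.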


@ -0,0 +1,48 @@
id: privesc-ash
info:
name: Ash - Privilege Escalation
author: daffainfo
severity: high
description: |
Ash allows the value of a variable to be set at the same time it is marked read only by writing readonly name=value With no arguments
reference:
- https://gtfobins.github.io/gtfobins/ash/
metadata:
verified: true
tags: code,linux,ash,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
ash -c 'whoami'
- engine:
- sh
- bash
source: |
sudo ash -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100d25c9dd1ce2eab3a962a4071a9f7500f59466848425225cd4047cc3115acbe37022061461b964e2bc7a9985a89d47c03136a8cb815900a1ba2038fbb8d073b88737b:922c64590222798bb761d5b6d8e72950
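Review bot: The `description` in the `info` block ("Ash allows the value of a variable to be set at the same time it is marked read only by writing readonly name=value With no arguments") appears to be a fragment of the `readonly` builtin's man-page text and says nothing about what the template checks or what a hit means. Replace it with wording in line with the sibling templates, e.g. `ash is a lightweight POSIX shell (the Almquist shell, e.g. BusyBox ash); when it can be run through sudo or carries the SUID bit it can execute commands as root.` The code blocks and matchers mirror the other privesc-* templates, so only the text needs to change.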


@ -0,0 +1,48 @@
id: privesc-awk
info:
name: awk - Privilege Escalation
author: daffainfo
severity: high
description: |
AWK is a domain-specific language designed for text processing and typically used as a data extraction and reporting tool. Like sed and grep, it is a filter, and is a standard feature of most Unix-like operating systems.
reference:
- https://gtfobins.github.io/gtfobins/awk/
metadata:
verified: true
tags: code,linux,awk,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
awk 'BEGIN {system("whoami")}'
- engine:
- sh
- bash
source: |
sudo awk 'BEGIN {system("whoami")}'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a0047304502207cfdd41f99f02f347c5b0128ff351ced0e1c8e89e428d60a150c3c0c4f4074a70221008929ee587f0b3ab78860124591c0b22afad37bb9de4f3220dadc7a4fe8865717:922c64590222798bb761d5b6d8e72950
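Review bot: The two `contains(code_N_response, "root")` expressions in the dsl matcher are substring checks, so any stray `root` token in whatever the command prints (error text included) counts as a privilege-escalation hit, and conversely the negative `root` word matcher on `code_1_response` makes the template silently blind for any account whose name merely contains `root` (e.g. `nonroot`). `whoami` prints exactly one line, so compare it exactly: `- 'trim_space(code_2_response) == "root"'` and `- 'trim_space(code_3_response) == "root"'`, with `'trim_space(code_1_response) != "root"'` as the guard. The same matcher block is copied into every privesc-* template in this commit.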


@ -0,0 +1,48 @@
id: privesc-bash
info:
name: Bash - Privilege Escalation
author: daffainfo
severity: high
description: |
Bash is a Unix shell and command language written by Brian Fox for the GNU Project as a free software replacement for the Bourne shell. The shell's name is an acronym for Bourne Again Shell, a pun on the name of the Bourne shell that it replaces and the notion of being born again.
reference:
- https://gtfobins.github.io/gtfobins/bash/
metadata:
verified: true
tags: code,linux,bash,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
bash -c 'whoami'
- engine:
- sh
- bash
source: |
sudo bash -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100b7f18627e0f3bbce9603130789596a844773fb76cdf73efdd2aa6073f8dad7eb02200510ef23d0f787a00e1701e1ad09999cf61f7bfcd43981de1be530439984302d:922c64590222798bb761d5b6d8e72950
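Review bot: `bash -c 'whoami'` in the second code block cannot detect a SUID bash: when bash starts with an effective uid that differs from the real uid and `-p` is not given, it resets the effective uid to the real one, so `whoami` reports the unprivileged user even though the binary is exploitable (the referenced GTFOBins SUID entry is `./bash -p` for exactly this reason). Use `bash -p -c 'whoami'` there; `-p` is harmless under sudo, so the third block can carry it too for symmetry. Note also that `bash` is resolved via PATH, so this only ever catches a SUID system bash, not a SUID copy dropped elsewhere on disk.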


@ -0,0 +1,48 @@
id: privesc-cdist
info:
name: Cdist - Privilege Escalation
author: daffainfo
severity: high
description: |
cdist is a free software configuration management tool for Unix-like systems. It manages nodes over SSH using the Bourne Shell, and does not require any additional software to be installed on target nodes.
reference:
- https://gtfobins.github.io/gtfobins/cdist/
metadata:
verified: true
tags: code,linux,cdist,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
cdist shell -s whoami
- engine:
- sh
- bash
source: |
sudo cdist shell -s whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4b0a00483046022100afe727ba45ca0c542cf2d85169a2be57d6e94550933ab38dcea2dc7a3bd9eb32022100e6d9677f8dc6af52f782bf0411ad39256b42baeae17ad41d2cb78f617de9a96c:922c64590222798bb761d5b6d8e72950
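Review bot: The unprivileged `cdist shell -s whoami` in the second code block is unlikely to ever yield `root` on a stock install: as far as I know cdist ships as a Python entry-point script, and Linux ignores the setuid bit on interpreted (`#!`) scripts, so only the sudo path in the third block is a realistic vector here. Either drop the second block together with the `code_2_response` term of the `or`, or keep it only if a native SUID wrapper is expected; as written it costs an extra shell spawn per host for no signal. The sudo probe should also use `sudo -n cdist shell -s whoami` so it fails instead of prompting when a password is required.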


@ -0,0 +1,48 @@
id: privesc-choom
info:
name: choom - Privilege Escalation
author: daffainfo
severity: high
description: |
choom is a command-line utility in Linux that allows users to change the memory limits of a process. It can be used for privilege escalation by manipulating the memory limits of a process to gain elevated privileges.
reference:
- https://gtfobins.github.io/gtfobins/choom/
metadata:
verified: true
tags: code,linux,choom,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
choom -n 0 whoami
- engine:
- sh
- bash
source: |
sudo choom -n 0 whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100fc1a34cafa1e9c85f010f1aa08836c998e0f4e513055f17bfb43da6db708baa202200ec15a67896e438ec1b28022758c36b7989839fa08ede457ff86aa9c0d8c03f8:922c64590222798bb761d5b6d8e72950
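Review bot: The `description` is inaccurate: choom (util-linux) displays and adjusts the OOM-killer score (`oom_score_adj`) of a process, not its memory limits, and the escalation vector is not "manipulating the memory limits" but the fact that `choom -n <adj> <command>` — exactly what the two probes run — executes an arbitrary command, which runs as root when choom is invoked via sudo or is SUID. Suggested wording: `choom (util-linux) displays and adjusts the OOM-killer score of a process. Because it can also launch a command with an adjusted score (choom -n <adj> <command>), running it through sudo or as a SUID binary executes that command with root privileges.` A wrong root-cause description sends whoever remediates the finding after the wrong control.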


@ -0,0 +1,48 @@
id: privesc-cpulimit
info:
name: CPUlimit - Privilege Escalation
author: daffainfo
severity: high
description: |
cpulimit is a command-line utility in Linux that allows users to limit the CPU usage of a process. It can be used to control and limit the CPU usage of a specific process, which can be helpful in various scenarios such as preventing a process from consuming excessive CPU resources.
reference:
- https://gtfobins.github.io/gtfobins/cpulimit/
metadata:
verified: true
tags: code,linux,cpulimit,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
cpulimit -l 100 -f whoami
- engine:
- sh
- bash
source: |
sudo cpulimit -l 100 -f whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a0046304402207e255b9140d3cd0efd52da82f2f4afeb244db042c2f993abb08f8859759f18030220164d73b076aabb9806d19260cc6b408cc718d4417c1cae85d5e6cc7928cb3348:922c64590222798bb761d5b6d8e72950
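Review bot: The dsl matcher folds two different findings — a SUID `cpulimit` binary (`code_2_response`) and a sudo rule permitting cpulimit (`code_3_response`) — into one anonymous hit, so the report never says which control to fix (strip the SUID bit versus edit sudoers). Nuclei prints a matcher's `name` alongside the template id, so restructuring as two named dsl matchers under `matchers-condition: or`, each carrying the not-already-root guard, keeps the detection logic identical while labelling the vector. The negative word matcher then becomes redundant because its guard moves into each expression. The same restructuring would help every privesc-* template in this series.
```yaml
    # … unchanged: the three code blocks (whoami / cpulimit -l 100 -f whoami / sudo cpulimit -l 100 -f whoami) …
    matchers-condition: or
    matchers:
      - type: dsl
        name: suid
        dsl:
          - '!contains(code_1_response, "root") && contains(code_2_response, "root")'
      - type: dsl
        name: sudo
        dsl:
          - '!contains(code_1_response, "root") && contains(code_3_response, "root")'
```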


@ -0,0 +1,48 @@
id: privesc-csh
info:
name: csh - Privilege Escalation
author: daffainfo
severity: high
description: |
csh stands for C Shell, which is a Unix shell with C-like syntax. It is a command-line interpreter that provides a command-line interface for Unix-like operating systems. It has features similar to other Unix shells such as bash and sh, but with a different syntax and set of features.
reference:
- https://gtfobins.github.io/gtfobins/csh/
metadata:
verified: true
tags: code,linux,csh,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
csh -c 'whoami'
- engine:
- sh
- bash
source: |
sudo csh -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a00463044022073087d98db072057b1d437680410e93f4001fafa2b317ee2b2222b096888298402205cf5ea8bf97355a4045d3ad9e358df8cdf008972984d331749da3b24cdd81112:922c64590222798bb761d5b6d8e72950
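Review bot: The guard matcher (`type: word`, `part: code_1_response`, `words: ["root"]`, `negative: true`) is a substring test, so it fails — and the whole template stays silent because of `matchers-condition: and` — whenever the scanning account's name contains `root` (`nonroot`, `groot`, `root-svc`), which are common service-account names precisely on hardened hosts. Since `whoami` emits a single token, express the guard as an exact comparison instead, `- type: dsl` with `- 'trim_space(code_1_response) != "root"'`, and the positive checks the same way. This blind spot is shared by all the privesc-* templates in this commit.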


@ -0,0 +1,48 @@
id: privesc-csvtool
info:
name: csvtool - Privilege Escalation
author: daffainfo
severity: high
description: |
csvtool is a command-line utility in Unix-like operating systems that provides various tools for working with CSV (Comma-Separated Values) files. It can be used to manipulate, process, and analyze CSV data from the command line, making it a useful tool for tasks such as data extraction, transformation, and loading.
reference:
- https://gtfobins.github.io/gtfobins/csvtool/
metadata:
verified: true
tags: code,linux,csvtool,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
csvtool call 'whoami;false' /etc/passwd
- engine:
- sh
- bash
source: |
sudo csvtool call 'whoami;false' /etc/passwd
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a004730450221008f61aeee9c793f162145ff039cb690183408260ff73c1fa21d70cb446f268e0c022019369ba062fbcd462b62d4f372eb206a9f971cc2c9e892cbeaf8db6657748214:922c64590222798bb761d5b6d8e72950
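Review bot: `csvtool call 'whoami;false' /etc/passwd` uses the real `/etc/passwd` purely as a row source, and its first row on practically every Linux host begins with `root:x:0:0:root:/root:`; if csvtool or the shell it hands the command to echoes the failing row or its arguments in an error message once `false` returns non-zero, that `root` string lands in the response and the `contains(..., "root")` matchers fire regardless of who ran the command. I cannot confirm csvtool's error output from the template alone, but the exposure is avoidable: feed a one-row input that cannot contain `root` (e.g. `echo x | csvtool call 'whoami;false' -`, if csvtool accepts `-` for stdin as I recall), or make the matchers compare the trimmed first line exactly rather than substring-match. The sudo variant on the next block has the same exposure.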


@ -0,0 +1,48 @@
id: privesc-dash
info:
name: Dash - Privilege Escalation
author: daffainfo
severity: high
description: |
dash is a POSIX-compliant shell that is commonly used as the default system shell on Debian-based systems. It is designed to be a lightweight and fast shell, suitable for scripting and system administration tasks. It aims to be compatible with the POSIX standard for shells, providing a minimalistic and efficient environment for running shell scripts.
reference:
- https://gtfobins.github.io/gtfobins/dash/
metadata:
verified: true
tags: code,linux,dash,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
dash -c 'whoami'
- engine:
- sh
- bash
source: |
sudo dash -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a0047304502206693d6df56591ca0de940a5ff0c655c2e36744fd82fb12906d55eaab0705cb5802210099aa3cc19e3d2124e7e010ba08e62fd0fb803c2cbdaa933835208f2c46a4168e:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,48 @@
id: privesc-dc
info:
name: dc - Privilege Escalation
author: daffainfo
severity: high
description: |
dc is a command-line calculator in Unix and Unix-like operating systems. It uses reverse Polish notation (RPN) and provides a simple and efficient way to perform arithmetic operations from the command line. It can be used for basic and advanced mathematical calculations, making it a handy tool for scripting and quick calculations in the terminal.
reference:
- https://gtfobins.github.io/gtfobins/dc/
metadata:
verified: true
tags: code,linux,dc,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
dc -e '!whoami'
- engine:
- sh
- bash
source: |
sudo dc -e '!whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a0046304402205ac8f96adceec1df1bfc74a6cee80bb9be8da55b59bd0d39a2962903d92744e602204525b6c022a9b041ab95f3cc04c0d94db22968d66e1977221c13f4923e20cccd:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,48 @@
id: privesc-distcc
info:
name: distcc - Privilege Escalation
author: daffainfo
severity: high
description: |
distcc is a distributed compilation tool for C, C++, and Objective-C. It allows a user to distribute compilation of these languages across several machines on a network, which can significantly speed up the compilation process for large projects.
reference:
- https://gtfobins.github.io/gtfobins/distcc/
metadata:
verified: true
tags: code,linux,distcc,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
distcc whoami
- engine:
- sh
- bash
source: |
sudo distcc whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a0046304402205ba3e54f4b95e19c1661de38e4b1fc44d192293ddfc358839ce83bb50f2f310b02201c16dafa2e5fbab09c2d6cb3fd330dbe9c2f815ed63bb432a4314a1c8d66acaa:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,48 @@
id: privesc-elvish
info:
name: elvish - Privilege Escalation
author: daffainfo
severity: high
description: |
elvish is a Unix shell that emphasizes expressiveness and extensibility. It aims to provide a more user-friendly and programmable shell experience, with features such as a powerful scripting language, a rich set of data types, and a clean and consistent syntax.
reference:
- https://gtfobins.github.io/gtfobins/elvish/
metadata:
verified: true
tags: code,linux,elvish,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
elvish -c 'whoami'
- engine:
- sh
- bash
source: |
sudo elvish -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022006ef5df54c4af5c94d5a8116e6729d5f02092d18272e0679ab271be1237406ae022100dede2ce3e800f4da16d6b7495bc2ce6f6b1aaf30870ec0900b1c4f0fcff8e3e2:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,48 @@
id: privesc-enscript
info:
name: enscript - Privilege Escalation
author: daffainfo
severity: high
description: |
enscript is a command-line tool used for converting text files to PostScript format for printing. It provides various options for formatting and manipulating the output, making it a useful tool for generating high-quality printed documents from text files.
reference:
- https://gtfobins.github.io/gtfobins/enscript/
metadata:
verified: true
tags: code,linux,enscript,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
enscript /dev/null -qo /dev/null -I 'whoami >&2'
- engine:
- sh
- bash
source: |
sudo enscript /dev/null -qo /dev/null -I 'whoami >&2'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100cd92c4051987599289f054963d4a8bef07e76dde6a71fc5369dfb8d7bd7d6de502203d17432adfb10310d44a7665cd1039f3ed412c9724b10499074976a8abe39a41:922c64590222798bb761d5b6d8e72950
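Review bot: The code_2 and code_3 sources deliberately send the `whoami` output to stderr (`-I 'whoami >&2'`) because enscript consumes the input filter's stdout, so the `contains(code_2_response, "root")` matcher can only fire if the code protocol folds stderr into the response; if it captures stdout alone this template can never match. A one-line comment above the source, `# output goes to stderr: enscript swallows the filter's stdout`, would document the dependency for the next maintainer. Worth confirming against the engine's response capture before trusting the `verified: true` flag here.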


@ -0,0 +1,48 @@
id: privesc-env
info:
name: env - Privilege Escalation
author: daffainfo
severity: high
description: |
In Linux, the env command is used to display or modify the environment variables for a command. It can be used to set environment variables for a specific command or to print the current environment variables.
reference:
- https://gtfobins.github.io/gtfobins/env/
metadata:
verified: true
tags: code,linux,env,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
expect -c 'spawn whoami;interact'
- engine:
- sh
- bash
source: |
sudo expect -c 'spawn whoami;interact'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022060c647f36eb03856e0eaf016f8c04e4bf4100be1884abc528dbadb7d377272500221008e50317abae9efa259ad2a682bc304062fccb32782430543cb1aa2a6c34b32b4:922c64590222798bb761d5b6d8e72950
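Review bot: The template is named, tagged and referenced as `env` (id `privesc-env`, tag `env`, gtfobins/env) but the code_2 and code_3 sources run `expect -c 'spawn whoami;interact'`, a copy of the expect template, so it never exercises `env` and merely duplicates privesc-expect. The sources should be `env whoami` and `sudo env whoami` to match the id; as written, a host with a permissive `env` sudo rule but no `expect` binary is reported clean. `verified: true` should be re-checked after the fix, since it currently attests to the wrong command.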


@ -0,0 +1,48 @@
id: privesc-expect
info:
name: expect - Privilege Escalation
author: daffainfo
severity: high
description: |
expect is a Unix scripting and testing utility that automates interactive applications such as telnet, ftp, passwd, fsck, rlogin, tip, and more. It uses scripts to control interactive applications, making it useful for automating tasks that involve user input.
reference:
- https://gtfobins.github.io/gtfobins/expect/
metadata:
verified: true
tags: code,linux,expect,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
expect -c 'spawn whoami;interact'
- engine:
- sh
- bash
source: |
sudo expect -c 'spawn whoami;interact'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100a073cb82c1a879f2dcb9365115bf48040e82ca681024d4ffc00c3fe1069eadea02207a1d5377c689cba96b0c4af6d23866def098d684efedee083f2443b480ac11d4:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,48 @@
id: privesc-find
info:
name: find - Privilege Escalation
author: daffainfo
severity: high
description: |
The find command in Linux is used to search for files and directories in a directory hierarchy based on various criteria such as name, type, size, and permissions. It is a powerful tool for locating files and performing operations on them, such as executing commands or applying changes.
reference:
- https://gtfobins.github.io/gtfobins/find/
metadata:
verified: true
tags: code,linux,find,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
find . -exec whoami \; -quit
- engine:
- sh
- bash
source: |
sudo find . -exec whoami \; -quit
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4b0a0048304602210088a9e54d22ecaf73f27add5afc616c28d2bae731b36d30b54c1b22a8336842f4022100d0d9b84c518dad57a1d1d9e47f4fb936b0432d75bab077f44feeb0af407cdac5:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,48 @@
id: privesc-fish
info:
name: fish - Privilege Escalation
author: daffainfo
severity: high
description: |
fish is a user-friendly command-line shell for Unix-like operating systems. It provides features such as syntax highlighting, autosuggestions, and a built-in scripting language. Fish aims to be easy to use and learn, making it a popular choice for both interactive shell usage and scripting.
reference:
- https://gtfobins.github.io/gtfobins/fish/
metadata:
verified: true
tags: code,linux,fish,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
fish -c 'whoami'
- engine:
- sh
- bash
source: |
sudo fish -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100b8c37d7d92e15ddf46da724d5b6fc80370b17ad700869f5db2d2773c92fc971c02207927e8db3a6c8d4f5c7ae5d350feee388a6966bfa029f15fdde4a71b1be75bf0:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,48 @@
id: privesc-flock
info:
name: Flock - Privilege Escalation
author: daffainfo
severity: high
description: |
flock is a command-line utility in Unix-like operating systems that is used to manage file locks. It can be used to synchronize access to a file among multiple processes, preventing conflicts and ensuring data integrity. Additionally, flock can be used in shell scripts to control access to critical sections of code.
reference:
- https://gtfobins.github.io/gtfobins/flock/
metadata:
verified: true
tags: code,linux,flock,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
flock -u / whoami
- engine:
- sh
- bash
source: |
sudo flock -u / whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4b0a00483046022100eaf218a03c71c87c400be7cf0c1a081838f0f82fb83278cd47bb1d442dc806f7022100a9c552cfce0ef36e1b5667fbe535aaf721f8bccb6b7128b9bf15ae5aadfb36f2:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,48 @@
id: privesc-gawk
info:
name: gawk - Privilege Escalation
author: daffainfo
severity: high
description: |
gawk is the GNU implementation of the AWK programming language. It is a powerful text processing tool that allows for pattern scanning and processing of text files. gawk is commonly used for data extraction, reporting, and manipulation tasks in shell scripts and command-line environments.
reference:
- https://gtfobins.github.io/gtfobins/gawk/
metadata:
verified: true
tags: code,linux,gawk,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
gawk 'BEGIN {system("whoami")}'
- engine:
- sh
- bash
source: |
sudo gawk 'BEGIN {system("whoami")}'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022020f4d974f3c1c91fc22770c9ddc902e1730f238b504ebe4841afce2655b8787e0221008b88f06c877c3cd9a6f631fb933703d0e8cc518cd43814b1d3c4c38cd2e72c3b:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,48 @@
id: privesc-grc
info:
name: grc - Privilege Escalation
author: daffainfo
severity: high
description: |
grc is a command-line utility that enhances the output of other commands with color and style. It is commonly used to improve the readability of command output by adding color highlighting and formatting. grc can be configured to work with various commands and is often used to make log files and command output easier to interpret.
reference:
- https://gtfobins.github.io/gtfobins/grc/
metadata:
verified: true
tags: code,linux,grc,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
grc --pty whoami
- engine:
- sh
- bash
source: |
sudo grc --pty whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a0047304502203f113d23698935598ff0d77fdf51bf1ca11d3a69f5dc82268a9529bc4da4e3340221008386bd8523a073f3ecf134d4cb0034246089b5f32e4eda4f2fb7e7c847c63978:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,48 @@
id: privesc-ionice
info:
name: ionice - Privilege Escalation
author: daffainfo
severity: high
description: |
ionice is a command-line utility in Linux that is used to set or get the I/O scheduling class and priority for a program. It allows users to control the I/O priority of a process, which can be useful for managing system resources and improving overall system performance.
reference:
- https://gtfobins.github.io/gtfobins/ionice/
metadata:
verified: true
tags: code,linux,ionice,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
ionice whoami
- engine:
- sh
- bash
source: |
sudo ionice whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a0046304402200dc051f60cfa8b06d03cf29eb136b6d42a7ba17cc2e495bd74567b4d43085d1c0220092a4e9e5c1be7c995fa058be2330cede3897eac1aa048b8a16150dc601dfdfa:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,48 @@
id: privesc-julia
info:
name: Julia - Privilege Escalation
author: daffainfo
severity: high
description: |
Julia is a high-level, high-performance programming language for technical computing. It is designed for numerical and scientific computing, but it is also used for general-purpose programming. Julia is known for its speed and ease of use, and it has a growing community of users and developers.
reference:
- https://gtfobins.github.io/gtfobins/julia/
metadata:
verified: true
tags: code,linux,julia,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
julia -e 'run(`whoami`)'
- engine:
- sh
- bash
source: |
sudo julia -e 'run(`whoami`)'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a00463044022008cde511c19f2e81af9ea724afbfb70af2b46b90969efa5dd93fc95214e0fe5602200da4093ad99901bf9d7c8d6dc7c222dce24b38ec0de355c37560a48fc5d87e91:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,48 @@
id: privesc-lftp
info:
name: lftp - Privilege Escalation
author: daffainfo
severity: high
description: |
lftp is a command-line file transfer program for Unix-like systems. It supports various protocols such as FTP, HTTP, SFTP, and FISH, and provides a range of features for file transfer and mirroring. lftp is known for its reliability and scriptability, making it a popular choice for automated file transfer tasks.
reference:
- https://gtfobins.github.io/gtfobins/lftp/
metadata:
verified: true
tags: code,linux,lftp,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
lftp -c '!whoami'
- engine:
- sh
- bash
source: |
sudo lftp -c '!whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4b0a004830460221009a7ba137fdf1380d4bc9afe57a3ffa1ecee7a9bbcfb87d7ad307800668bfe4d5022100ed4696a4fea878b8f4cf733026f909ba49c989c54800817c36e8f32e7815c821:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,48 @@
id: privesc-ltrace
info:
name: ltrace - Privilege Escalation
author: daffainfo
severity: high
description: |
ltrace is a debugging utility in Linux that is used to intercept and record dynamic library calls made by a process. It can be used to trace the library calls made by a program, which is helpful for debugging and understanding its behavior.
reference:
- https://gtfobins.github.io/gtfobins/ltrace/
metadata:
verified: true
tags: code,linux,ltrace,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
ltrace -b -L whoami
- engine:
- sh
- bash
source: |
sudo ltrace -b -L whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4b0a00483046022100a452f6736abe6bbadb861e870601d904d7439ccddb99b99c9813c60890cf6454022100ce8f36f3a3960ccacd29196c18c151075811bca88c4609b018d44611e7da91f4:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,48 @@
id: privesc-lua
info:
name: lua - Privilege Escalation
author: daffainfo
severity: high
description: |
Lua is a powerful, efficient, lightweight, embeddable scripting language. It is often used as a scripting language for game development and other applications that require a customizable and extensible scripting interface. Lua is known for its simplicity, speed, and ease of integration with other languages and systems.
reference:
- https://gtfobins.github.io/gtfobins/lua/
metadata:
verified: true
tags: code,linux,lua,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
lua -e 'os.execute("whoami")'
- engine:
- sh
- bash
source: |
sudo lua -e 'os.execute("whoami")'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100fe88d4daba0948f777be6dfe5e85dc1896f8b55009e3cac210034ad321c3e82d02203840fbc951223967db8270b7c5337cb8c464b58b62a5f8563d3d9e48c4804ead:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,48 @@
id: privesc-mawk
info:
name: mawk - Privilege Escalation
author: daffainfo
severity: high
description: |
mawk is an efficient and fast implementation of the AWK programming language. It is designed to be smaller and faster than the original AWK implementation, making it suitable for large data processing tasks. mawk is commonly used for text processing and pattern scanning in shell scripts and command-line environments.
reference:
- https://gtfobins.github.io/gtfobins/mawk/
metadata:
verified: true
tags: code,linux,mawk,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
mawk 'BEGIN {system("whoami")}'
- engine:
- sh
- bash
source: |
sudo mawk 'BEGIN {system("whoami")}'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a0046304402200f2fc2cb7ee4195d6ba84734e5816cd6344c1027d789617f593fd573a882798d0220456bbb1bff1ee4887264d39670a7bafd2d3e6e5714ac616b65454e26490b1c50:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,48 @@
id: privesc-multitime
info:
name: Multitime - Privilege Escalation
author: daffainfo
severity: high
description: |
multitime is a command-line utility that allows for the timing and execution of commands multiple times. It is often used for benchmarking and performance testing of commands and scripts, providing a convenient way to measure the execution time of a given task.
reference:
- https://gtfobins.github.io/gtfobins/multitime/
metadata:
verified: true
tags: code,linux,multitime,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
multitime whoami
- engine:
- sh
- bash
source: |
sudo multitime whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100d690fd1752fe80fe6c5d74dd217f1faa159c22b9a1139640caef077da0ca162802201b52fef3e20b018125ed2898a41ee118a709b666e1be56843798f64ad03c4d01:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,48 @@
id: privesc-mysql
info:
name: MySQL - Privilege Escalation
author: daffainfo
severity: high
description: |
MySQL is an open-source relational database management system (RDBMS) that uses structured query language (SQL) for managing and manipulating data. It is widely used for web applications and is known for its reliability, ease of use, and performance. MySQL is a popular choice for database-driven applications and is supported on various platforms.
reference:
- https://gtfobins.github.io/gtfobins/mysql/
metadata:
verified: true
tags: code,linux,mysql,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
mysql -e '\! whoami'
- engine:
- sh
- bash
source: |
sudo mysql -e '\! whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4b0a00483046022100ab3c58233daf1cde6a71b666f1ad59b29abb8f36ac9d2caf325d3ef30dbb7d63022100ee4ec42f3059b0d1e07f5e7b6132d20f247b66f95e28d4cf74587040d390df0b:922c64590222798bb761d5b6d8e72950
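Review bot: The code_2 and code_3 sources rely on the mysql client's `\!` shell escape, but the client appears to connect to a server before processing `-e`; on a host with no reachable MySQL server it exits with a connection error and the `contains(code_2_response, "root")` matcher never fires, so a permissive sudo rule for `mysql` goes unreported. A comment above the source, `# requires a reachable MySQL server: the client connects before running -e`, would record this limitation. Worth confirming the client's behaviour before keeping `verified: true`.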


@ -0,0 +1,48 @@
id: privesc-nawk
info:
name: nawk - Privilege Escalation
author: daffainfo
severity: high
description: |
nawk is an implementation of the AWK programming language. It is a text-processing language that is commonly used for pattern scanning and processing of text files. nawk provides powerful features for data extraction, reporting, and manipulation, making it a valuable tool for text processing tasks in shell scripts and command-line environments.
reference:
- https://gtfobins.github.io/gtfobins/nawk/
metadata:
verified: true
tags: code,linux,nawk,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
nawk 'BEGIN {system("whoami")}'
- engine:
- sh
- bash
source: |
sudo nawk 'BEGIN {system("whoami")}'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100c455bfbade2717cae09e5e1ad5d3f3f32f100dabe62e9ed83960ea513ec0c9190220455786daaf6e8b9213b6921268602b555e67d35000aa1bd4bca08006d233f58e:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,48 @@
id: privesc-nice
info:
name: Nice - Privilege Escalation
author: daffainfo
severity: high
description: |
In Unix-like operating systems, the nice command is used to execute a program with a modified scheduling priority. It allows users to start a process with a specified priority level, which can influence the allocation of CPU resources. This can be useful for managing system resources and controlling the impact of a process on system performance.
reference:
- https://gtfobins.github.io/gtfobins/nice/
metadata:
verified: true
tags: code,linux,nice,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
nice whoami
- engine:
- sh
- bash
source: |
sudo nice whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a0047304502206658814909d649229bdbe08eca7e6695d1fb07bf9cc2b42e87052ada4c56e87b02210098cecf5578ad70645f6f11e5cabe566e9d602b2f528f764bab48200bd9fc32af:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,55 @@
id: privesc-node
info:
name: Node - Privilege Escalation
author: daffainfo
severity: high
description: |
Node.js is a popular open-source, cross-platform JavaScript runtime environment that executes JavaScript code outside of a web browser. It is commonly used for building scalable network applications and is known for its event-driven, non-blocking I/O model. Node.js is widely used for server-side scripting and has a large ecosystem of libraries and frameworks.
reference:
- https://gtfobins.github.io/gtfobins/node/
metadata:
verified: true
tags: code,linux,node,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
node -e 'require("child_process").spawn("whoami", {stdio: [0, 1, 2]})'
- engine:
- sh
- bash
source: |
sudo node -e 'require("child_process").spawn("whoami", {stdio: [0, 1, 2]})'
- engine:
- sh
- bash
source: |
node -e 'process.setuid(0); require("child_process").spawn("whoami", {stdio: [0, 1, 2]})'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
- 'contains(code_4_response, "root")'
condition: or
# digest: 4a0a00473045022100dcb589afe5b82d4c95a8a103942bdfa4ffdeca24be83816bda1013e2efdb0648022067f67aba51dd433b67493daa6970d379d08bf8c91351375fac26c6c2a54f0999:922c64590222798bb761d5b6d8e72950
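Review bot: The code_4 source `node -e 'process.setuid(0); ...'` runs without sudo and typically only yields `root` when the node binary itself carries the setuid bit (or an equivalent capability), which is a different misconfiguration from the sudo rule tested by code_3; nothing in the template says so. A comment above it, `# SUID variant: succeeds only when the interpreter has the setuid bit`, would make the intent clear and explain why this step is deliberately not prefixed with sudo. The same undocumented fourth step appears in the perl, php and python templates of this commit.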


@ -0,0 +1,48 @@
id: privesc-nsenter
info:
name: Nsenter - Privilege Escalation
author: daffainfo
severity: high
description: |
nsenter is a command-line utility in Linux that allows a user to enter into an existing namespace. It is commonly used for troubleshooting and managing namespaces in containerized environments. By using nsenter, users can enter into a specific namespace and execute commands within that namespace, which can be helpful for various system administration tasks.
reference:
- https://gtfobins.github.io/gtfobins/nsenter/
metadata:
verified: true
tags: code,linux,nsenter,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
nsenter whoami
- engine:
- sh
- bash
source: |
sudo nsenter whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100bcc2702e046210af31cecc2bc6d6f6f17d55deba9283429ecbaa37b2da7ad3d6022076555f0b6ddfef5630de6165278458fec5a6dfd9dbe33a25ccac7d35827df83f:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,55 @@
id: privesc-perl
info:
name: Perl - Privilege Escalation
author: daffainfo
severity: high
description: |
Perl is a high-level, general-purpose programming language known for its powerful text processing capabilities. It is often used for system administration, web development, and network programming. Perl's syntax and features make it well-suited for tasks such as parsing and manipulating text, making it a popular choice for various scripting and automation tasks.
reference:
- https://gtfobins.github.io/gtfobins/perl/
metadata:
verified: true
tags: code,linux,perl,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
perl -e 'exec "whoami";'
- engine:
- sh
- bash
source: |
sudo perl -e 'exec "whoami";'
- engine:
- sh
- bash
source: |
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "whoami";'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
- 'contains(code_4_response, "root")'
condition: or
# digest: 490a0046304402200a093cb0aa2ec75dfb33f02dc087b501b5f6187d60468a6c67db3cddffc095d30220078ba7495f4c1a33103ce617214ba05d89845fd6941672e576ab45a8a1cb89d8:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,48 @@
id: privesc-pexec
info:
name: pexec - Privilege Escalation
author: daffainfo
severity: high
description: |
The term "pexec" typically refers to the "privileged execution" of a command or program.
reference: |
https://gtfobins.github.io/gtfobins/pexec/
metadata:
verified: true
tags: code,linux,pexec,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
pexec whoami
- engine:
- sh
- bash
source: |
sudo pexec whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100c000c6aff21897526283edb9a61a091f4bf4f35f40ba88d17a5be43abca4078802200947b42987bab5740cbae7af869fa6f069e877273bd74f31eb6fc52700de08c0:922c64590222798bb761d5b6d8e72950
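Review bot: `reference: |` here is a literal block scalar holding the URL as a string, while every sibling template in this commit writes it as a list (`reference:` followed by `- https://...`); the engine may accept both, but the inconsistency trips tooling that expects a sequence and should read `reference:` / `  - https://gtfobins.github.io/gtfobins/pexec/`. The description's gloss of pexec as "privileged execution" also looks like a guess: the tool on the referenced GTFOBins page appears to be GNU pexec, a utility for running commands in parallel, so the text should describe that instead.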


@ -0,0 +1,55 @@
id: privesc-php
info:
name: PHP - Privilege Escalation
author: daffainfo
severity: high
description: |
PHP is a popular server-side scripting language that is widely used for web development. It is known for its ease of use, flexibility, and broad support for web frameworks and content management systems. PHP is commonly used to create dynamic web pages, process form data, manage sessions, and interact with databases.
reference:
- https://gtfobins.github.io/gtfobins/php/
metadata:
verified: true
tags: code,linux,php,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
php -r 'system("whoami");'
- engine:
- sh
- bash
source: |
sudo php -r 'system("whoami");'
- engine:
- sh
- bash
source: |
php -r "posix_setuid(0); system("whoami");"
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
- 'contains(code_4_response, "root")'
condition: or
# digest: 4b0a00483046022100a2811ec94d726526a0710b6e046ee5f70bc02c6157d3f5e8d01149b0355c021d022100c4be4f37e14acf2f6798474a6e96d2d4c9179e1bf72dddeb6def304c006d2839:922c64590222798bb761d5b6d8e72950
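Review bot: The code_4 source `php -r "posix_setuid(0); system("whoami");"` nests double quotes inside a double-quoted shell string, so the shell hands PHP `posix_setuid(0); system(whoami);` and `whoami` becomes a bare constant — a fatal `Undefined constant` error on PHP 8, and only working by accident on PHP 7 where the bare word is coerced to a string with a warning. Use single quotes for the shell layer as the sibling steps do: `php -r 'posix_setuid(0); system("whoami");'`. The quoting in code_2 and code_3 above is already correct.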


@ -0,0 +1,48 @@
id: privesc-posh
info:
name: posh - Privilege Escalation
author: daffainfo
severity: high
description: |
"posh" typically refers to the "Policy-compliant Ordinary SHell," which is a restricted shell designed to provide a limited set of commands and features for users with restricted access. It is often used in environments where users require limited functionality and access to system resources.
reference:
- https://gtfobins.github.io/gtfobins/posh/
metadata:
verified: true
tags: code,linux,posh,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
posh -c 'whoami'
- engine:
- sh
- bash
source: |
sudo posh -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a0046304402202ccc69f1fcf287f4fec214024209ac72716454f2cf716fdc0793cbca8c0d3929022078a753c35cd96d3bec81ce9d3701450bb0d3e91edc06bbb531b961e240965014:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,55 @@
id: privesc-python
info:
name: PHP - Privilege Escalation
author: daffainfo
severity: high
description: |
Python is a high-level, general-purpose programming language known for its readability and simplicity. It is widely used for web development, scientific computing, artificial intelligence, and system automation. Python's versatility, extensive standard library, and large community make it a popular choice for a wide range of applications.
reference:
- https://gtfobins.github.io/gtfobins/python/
metadata:
verified: true
tags: code,linux,php,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
python -c 'import os; os.system("whoami")'
- engine:
- sh
- bash
source: |
sudo python -c 'import os; os.system("whoami")'
- engine:
- sh
- bash
source: |
python -c 'import os; os.setuid(0); os.system("whoami")'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
- 'contains(code_4_response, "root")'
condition: or
# digest: 4b0a00483046022100dd52f3cccbdc07d60cadac29decf11d1227996a161f41918275422c8076e5398022100bb97bda70a37f3f30a579fa0cc157826af2f11edd9bd7aab0da65e3dabfbba6c:922c64590222798bb761d5b6d8e72950
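Review bot: `info.name` reads `PHP - Privilege Escalation` and the tags list `php`, although the id is `privesc-python` and every command invokes `python`; this looks like a copy-paste leftover from the PHP template and should be `name: Python - Privilege Escalation` and `tags: code,linux,python,privesc`. On distributions that ship only `python3`, the bare `python` interpreter used in blocks two to four is absent and the template silently reports nothing, so a `python3` variant (or a note in the description) would help. The fourth block's `os.setuid(0)` raises `PermissionError` unless the interpreter is setuid, which is the intended signal but is worth stating in a comment so the traceback is not mistaken for a template error.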


@ -0,0 +1,48 @@
id: privesc-rake
info:
name: Rake - Privilege Escalation
author: daffainfo
severity: high
description: |
Rake is a build automation tool written in Ruby. It is similar to Make, Ant, or MSBuild, but uses a Ruby syntax. Rake is often used for automating tasks in software development, such as building, testing, and deploying applications.
reference:
- https://gtfobins.github.io/gtfobins/rake/
metadata:
verified: true
tags: code,linux,rake,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
rake -p '`whoami 1>&0`'
- engine:
- sh
- bash
source: |
sudo rake -p '`whoami 1>&0`'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a0046304402200749958e9afd9829c1f67a0ccc3dc94d28bc49715a8335644e76b91eab470a0f02205f3c3d21b41c81dd7e52a8716b05f8e688af8afd0b203aff9e0d89850fe800e8:922c64590222798bb761d5b6d8e72950
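Review bot: The `-p` expression in the second and third blocks redirects whoami's output with `1>&0`, i.e. onto the process's stdin descriptor, which is a GTFObins trick for an interactive terminal; under a scanner whose child stdin is not a writable terminal the output is likely discarded and the `contains(code_2_response, "root")` matchers never see it. Since `rake -p` already prints the value of the evaluated expression, dropping the redirection so the expression is just the backtick-quoted `whoami` puts the result on stdout directly. Adding `-n` to the third block (`sudo -n rake -p ...`) also stops it from stalling on a password prompt where the sudo rule is not NOPASSWD.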


@ -0,0 +1,48 @@
id: privesc-rc
info:
name: RC - Privilege Escalation
author: daffainfo
severity: high
description: |
the rc command is a shell command interpreter that is used to execute commands and scripts. It is commonly used for scripting and automation tasks, and it provides a set of built-in commands and features for interacting with the system.
reference:
- https://gtfobins.github.io/gtfobins/rc/
metadata:
verified: true
tags: code,linux,rc,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
rc -c 'whoami'
- engine:
- sh
- bash
source: |
sudo rc -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100ddc05de2641a181def4a9885d521a3060f68cbffdd0bac50e77315bd7e454bdd022025d8281ce109511fd7daa67dc3d51337c4dc4086cf0e084656e9143fb87170e0:922c64590222798bb761d5b6d8e72950
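Review bot: The description opens with a lowercase `the rc command` and never says which `rc` is meant, so it is easy to confuse with `/etc/rc` init scripts; it should start `The rc command ...` and, if that is the tool GTFObins documents, identify it as the Plan 9-style shell. The third block's `sudo rc -c 'whoami'` should be `sudo -n rc -c 'whoami'` so it fails cleanly instead of waiting for a password when the sudo rule is not NOPASSWD. The two `contains(..., "root")` DSL checks are substring matches; `regex("(?m)^root$", code_2_response)` would match only an exact `root` line.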


@ -0,0 +1,48 @@
id: privesc-rlwrap
info:
name: rlwrap - Privilege Escalation
author: daffainfo
severity: high
description: |
rlwrap is a utility that provides readline functionality to commands that lack it, allowing for command-line editing and history capabilities. It is commonly used to enhance the user experience when working with command-line tools that do not have built-in readline support.
reference:
- https://gtfobins.github.io/gtfobins/rlwrap/
metadata:
verified: true
tags: code,linux,rlwrap,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
rlwrap whoami
- engine:
- sh
- bash
source: |
sudo rlwrap whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a0047304502200ca88583b60e012b980e0043f04126ac3b05a5583b20efda37538715a768ecb7022100f29a6760712b6791f1bb45ce5e7d6b1b5fc92f267e3ffc99497fb0eaa7dca258:922c64590222798bb761d5b6d8e72950
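Review bot: `rlwrap whoami` in the second block is only a privilege signal if `rlwrap` itself is setuid, and since rlwrap is a readline wrapper it presumably just passes the command through when its stdin is not a terminal — the template gives no hint of either, so a comment above the block stating what a `root` result here implies would help the reader. The third block should use `sudo -n rlwrap whoami` so a password-protected sudo rule produces an immediate failure rather than a prompt. The matcher `contains(code_3_response, "root")` accepts any output containing `root`; an anchored `regex("(?m)^root$", code_3_response)` is stricter.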


@ -0,0 +1,48 @@
id: privesc-rpm
info:
name: rpm - Privilege Escalation
author: daffainfo
severity: high
description: |
rpm stands for "Red Hat Package Manager." It is a command-line package management utility used in Red Hat-based Linux distributions to install, update, and manage software packages. rpm is also used to query package information, verify package integrity, and perform various administrative tasks related to software packages.
reference:
- https://gtfobins.github.io/gtfobins/rpm/
metadata:
verified: true
tags: code,linux,rpm,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
rpm --pipe 'whoami 0<&1'
- engine:
- sh
- bash
source: |
sudo rpm --pipe 'whoami 0<&1'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a004730450220528464c28b189da3511e6757b61dcb7f6fba8a90515f2b337edcdb7aee9f5d7d022100b4c40f9809265bb79ffc65b504aa4074521a1b1e5a50f3d7a1dd91530b8dfed7:922c64590222798bb761d5b6d8e72950
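Review bot: The `--pipe` payload `whoami 0<&1` in blocks two and three duplicates stdout onto stdin, a GTFObins idiom meant for spawning an interactive shell; for a non-interactive `whoami` it is unnecessary, and `rpm --pipe 'whoami'` is easier to read and equally effective. The sudo variant should be `sudo -n rpm --pipe 'whoami'` so it does not block on a password prompt. A comment noting that the non-sudo block only yields `root` when `rpm` is setuid would explain why two near-identical blocks are present.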


@ -0,0 +1,48 @@
id: privesc-rpmdb
info:
name: rpmdb - Privilege Escalation
author: daffainfo
severity: high
description: |
The rpmdb is the database used by the RPM Package Manager to store metadata about installed packages on a Linux system. It is used to track information about installed packages, including their files, dependencies, and other attributes. The rpmdb is a critical component of package management on RPM-based Linux distributions.
reference:
- https://gtfobins.github.io/gtfobins/rpmdb/
metadata:
verified: true
tags: code,linux,rpmdb,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
rpmdb --eval '%(whoami 1>&2)'
- engine:
- sh
- bash
source: |
sudo rpmdb --eval '%(whoami 1>&2)'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a0046304402205c6ed2d663dbda0003dc3b0315103fb62ce649fc9771b88d15e9003c0093f6c402207181b174440db32afaaecb0c106c6ecafcb7605d20272b86c7055b7c96988b08:922c64590222798bb761d5b6d8e72950
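Review bot: The `%(whoami 1>&2)` macro in the second and third blocks sends whoami's output to stderr; whether `code_2_response` includes stderr is not visible from this template, and if only stdout is captured the `contains(code_2_response, "root")` matchers can never fire. Dropping the redirection — `rpmdb --eval '%(whoami)'` — lets `--eval` print the expanded macro on stdout, where the matcher certainly sees it. The sudo block should also become `sudo -n rpmdb --eval '%(whoami)'` so it fails fast when a password is required.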


@ -0,0 +1,48 @@
id: privesc-rpmverify
info:
name: rpmverify - Privilege Escalation
author: daffainfo
severity: high
description: |
The rpmverify command is used to verify the integrity and authenticity of installed RPM packages on a Linux system. It checks the files in the installed packages against the information stored in the RPM database to detect any modifications or discrepancies. This helps ensure the security and stability of the system by identifying any unauthorized changes to the installed packages.
reference:
- https://gtfobins.github.io/gtfobins/rpmverify/
metadata:
verified: true
tags: code,linux,rpmverify,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
rpmverify --eval '%(whoami 1>&2)'
- engine:
- sh
- bash
source: |
sudo rpmverify --eval '%(whoami 1>&2)'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a004730450220749059b8ec0e7d457d03ced81b4b48b3d69580b77a6e0c1198dcd2534727d4ed022100eb51a489cfa87f8689a639d6b921964d9e4a0b2b8e6aee5869361c52f4c71796:922c64590222798bb761d5b6d8e72950
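Review bot: Both `rpmverify --eval '%(whoami 1>&2)'` blocks push the command's output to stderr, so the template's success depends on the code protocol capturing stderr into `code_N_response`, which nothing here confirms; `rpmverify --eval '%(whoami)'` keeps the result on stdout and removes that dependency. The third block should additionally be `sudo -n rpmverify --eval '%(whoami)'` so a password-requiring sudo rule produces an immediate error rather than a prompt. The `contains(..., "root")` matchers are substring checks; `regex("(?m)^root$", code_3_response)` would avoid matching unrelated output that happens to contain `root`.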


@ -0,0 +1,55 @@
id: privesc-ruby
info:
name: Ruby - Privilege Escalation
author: daffainfo
severity: high
description: |
Ruby is a dynamic, open-source programming language known for its simplicity and productivity. It is often used for web development, scripting, and software development. Ruby's elegant syntax and focus on developer happiness have made it a popular choice for building web applications and other software projects.
reference:
- https://gtfobins.github.io/gtfobins/ruby/
metadata:
verified: true
tags: code,linux,ruby,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
ruby -e 'exec "whoami"'
- engine:
- sh
- bash
source: |
sudo ruby -e 'exec "whoami"'
- engine:
- sh
- bash
source: |
ruby -e 'Process::Sys.setuid(0); exec "whoami"'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
- 'contains(code_4_response, "root")'
condition: or
# digest: 4a0a0047304502200d04ad6da824e3e4f8d827df453f11e89847545580da1379ad50187f92ce04fd022100889cc924bcb70907e887d989a704b2619b0fe0c144d7977a67fa607bcaf34645:922c64590222798bb761d5b6d8e72950
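Review bot: The fourth block's `Process::Sys.setuid(0)` raises `Errno::EPERM` unless the ruby binary is setuid, so in the common case this block contributes only an exception trace; a comment such as `# only succeeds when ruby carries the setuid bit` above it would stop readers from treating the error as a template bug. The third block should read `sudo -n ruby -e 'exec "whoami"'` so it does not wait on a password prompt. Because the DSL matchers use `contains(..., "root")`, any stray `root` substring in an error message would also count as a hit; `regex("(?m)^root$", code_4_response)` is safer.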


@ -0,0 +1,47 @@
id: privesc-run-parts
info:
name: run-parts - Privilege Escalation
author: daffainfo
severity: high
description: |
The run-parts command in Linux is used to run all the executable files in a directory. It is commonly used for running scripts or commands located in a specific directory, such as system maintenance scripts in /etc/cron.daily. The run-parts command provides a convenient way to execute multiple scripts or commands in a batch manner.
reference: https://gtfobins.github.io/gtfobins/run-parts/
metadata:
verified: true
tags: code,linux,run-parts,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
run-parts --new-session --regex 'whoami' /bin
- engine:
- sh
- bash
source: |
sudo run-parts --new-session --regex 'whoami' /bin
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a0047304502205d85cde00b6bfc479c2841da6603a84f6f418b3ef381bdc29990827138c2908c022100a9c341fc7f3a062b19e258bb7e86b1450073d7c9a907a50ef8794594c1af4374:922c64590222798bb761d5b6d8e72950
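Review bot: `reference:` is written as a bare scalar here (`reference: https://gtfobins.github.io/gtfobins/run-parts/`) while every sibling template in this commit uses a list item; for consistency and for tooling that expects a sequence it should be `reference:` followed by `  - https://gtfobins.github.io/gtfobins/run-parts/`. The `--regex 'whoami'` pattern in blocks two and three is unanchored, so any executable in `/bin` whose name contains `whoami` would also run; `--regex '^whoami$'` limits it to the intended binary. The sudo block should be `sudo -n run-parts --new-session --regex '^whoami$' /bin` so it fails cleanly without a NOPASSWD rule.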


@ -0,0 +1,48 @@
id: privesc-sash
info:
name: sash - Privilege Escalation
author: daffainfo
severity: high
description: |
sash is a stand-alone shell that is commonly used for system recovery and maintenance. It provides a minimal set of commands and features, making it useful in situations where the regular shell environment may not be available or functional. sash is often used in emergency situations to troubleshoot and repair systems.
reference:
- https://gtfobins.github.io/gtfobins/sash/
metadata:
verified: true
tags: code,linux,sash,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
sash -c 'whoami'
- engine:
- sh
- bash
source: |
sudo sash -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100d8d67e00bbc52458f01744e11b2b5259a352359c9c1e81f4774860dd02b27e1802201268d3e689f33254cd462e50b301420c5b2836ac0046a941fa0c5c5b84ded4d6:922c64590222798bb761d5b6d8e72950
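Review bot: The baseline matcher on `code_1_response` is a substring `word` match on `root` with `negative: true`, so a scanning account whose name merely contains `root` (for example `groot`) suppresses the whole template even though it is not privileged; a `dsl` matcher such as `trim_space(code_1_response) != "root"` avoids that. The same substring looseness applies to the positive `contains(code_N_response, "root")` checks, where `regex("(?m)^root$", code_3_response)` is exact. The third block should be `sudo -n sash -c 'whoami'` so a password-protected sudo rule fails immediately rather than prompting.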


@ -0,0 +1,48 @@
id: privesc-slsh
info:
name: slsh - Privilege Escalation
author: daffainfo
severity: high
description: |
slsh is a command-line shell that is designed to provide a secure environment for executing shell commands. It is often used in scenarios where security and privilege separation are important, such as in web hosting environments or when running untrusted code. slsh aims to provide a secure and restricted shell environment for executing commands.
reference:
- https://gtfobins.github.io/gtfobins/slsh/
metadata:
verified: true
tags: code,linux,slsh,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
slsh -e 'system("whoami")'
- engine:
- sh
- bash
source: |
sudo slsh -e 'system("whoami")'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100a3195731e14a3f5c9462def2093d7906d9f7083b9cb504a7381d70a9a0252e5502207cd3087a296269c5b88025db54aae77f60bf0d64f18614db8f5582e5a20076e6:922c64590222798bb761d5b6d8e72950
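Review bot: The description characterises `slsh` as a security-focused restricted shell, but that does not match the tool exercised here: `slsh -e 'system("whoami")'` is the S-Lang interpreter's `-e` evaluate flag, and `slsh` is the S-Lang shell shipped with the slang package, not a sandboxing shell. The paragraph should be rewritten to say that slsh is the S-Lang script interpreter and that `-e` evaluates S-Lang code, since calling it "secure" could mislead whoever triages the finding. The sudo block should also use `sudo -n slsh -e 'system("whoami")'` to avoid blocking on a password prompt.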


@ -0,0 +1,48 @@
id: privesc-socat
info:
name: Socat - Privilege Escalation
author: daffainfo
severity: high
description: |
Socat is a command-line utility that establishes two bidirectional byte streams and transfers data between them. It can be used for a wide range of networking tasks, such as file transfer, port forwarding, and network testing. Socat is known for its versatility and is often used for creating complex network connections and proxies.
reference:
- https://gtfobins.github.io/gtfobins/socat/
metadata:
verified: true
tags: code,linux,socat,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
socat stdin exec:whoami
- engine:
- sh
- bash
source: |
sudo socat stdin exec:whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a004730450220755e5136cf6b0ec3b416358ecc2a90892c26dab2f7a3fbb6ef098cdfe1ac68d8022100f798e038d59ab5edcbefa1ed088bd0d541ef503ae79805012bebf24995cac979:922c64590222798bb761d5b6d8e72950
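Review bot: The third block's `sudo socat stdin exec:whoami` lacks `-n`, so where the sudo rule is not NOPASSWD the command can stall on a password prompt instead of failing; `sudo -n socat stdin exec:whoami` is the non-interactive form. The `exec:whoami` address runs whoami and relays its output through the `stdin` address, so the matchers rely on that relay completing before socat exits — a short comment explaining why `stdin` is paired with `exec:` would help maintainers. `contains(code_3_response, "root")` is a substring check; `regex("(?m)^root$", code_3_response)` pins the exact value.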


@ -0,0 +1,48 @@
id: privesc-softlimit
info:
name: softlimit - Privilege Escalation
author: daffainfo
severity: high
description: |
The softlimit command is used in conjunction with the daemontools software to set resource limits for a process. It is commonly used to control the resource usage of a process, such as limiting its memory or CPU usage. The softlimit command helps in managing and controlling the resource consumption of a process, which can be useful for ensuring system stability and preventing resource exhaustion.
reference:
- https://gtfobins.github.io/gtfobins/softlimit/
metadata:
verified: true
tags: code,linux,softlimit,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
softlimit whoami
- engine:
- sh
- bash
source: |
sudo softlimit whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a004630440220787613f207549b1c982719be3a49e956deaab5b6906ffbcd219dcd836cd2ff3d022075d2f5c3c83f8f35f91032d617e137d4e43b6bde96989e49c21d639cb60aef81:922c64590222798bb761d5b6d8e72950
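Review bot: `softlimit whoami` with no limit options is a plain pass-through to `whoami`, so the second block only differs from the baseline if `softlimit` is setuid; a comment above it saying so would make the intent clear to readers unfamiliar with daemontools. The third block should be `sudo -n softlimit whoami` to fail immediately when sudo needs a password. The `contains(..., "root")` matchers accept any output containing `root`; an anchored `regex("(?m)^root$", code_3_response)` would be stricter.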


@ -0,0 +1,48 @@
id: privesc-sqlite3
info:
name: sqlite3 - Privilege Escalation
author: daffainfo
severity: high
description: |
sqlite3 is a lightweight, self-contained, and serverless SQL database engine. It is widely used in embedded systems, mobile devices, and small to medium-sized applications.
reference:
- https://gtfobins.github.io/gtfobins/sqlite3/
metadata:
verified: true
tags: code,linux,sqlite3,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
sqlite3 /dev/null '.shell whoami'
- engine:
- sh
- bash
source: |
sudo sqlite3 /dev/null '.shell whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4b0a00483046022100b4867d1b9d79db5d65c779b564460f5ed40d23a044551e3f8c6aa4ef3227a09d022100a51e2e31cc8ad753a5a8a48ce0eba09730d0eea67d7b1a247f64df771e2a7542:922c64590222798bb761d5b6d8e72950
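Review bot: The sudo block `sudo sqlite3 /dev/null '.shell whoami'` should be `sudo -n sqlite3 /dev/null '.shell whoami'` so a password-protected sudo rule yields an immediate error instead of a prompt the scanner cannot answer. The non-sudo block only reports `root` if the sqlite3 binary is setuid — worth a one-line comment so the two blocks' roles are explicit. The positive matchers are substring `contains(..., "root")` checks; `regex("(?m)^root$", code_2_response)` would avoid matching unrelated output that happens to contain `root`.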


@ -0,0 +1,48 @@
id: privesc-ssh-agent
info:
name: ssh-agent - Privilege Escalation
author: daffainfo
severity: high
description: |
ssh-agent is a program that helps manage and store private keys used for SSH authentication. It is often used to hold the decrypted private keys in memory, allowing for seamless authentication to remote servers without the need to re-enter passphrases for the keys.
reference:
- https://gtfobins.github.io/gtfobins/ssh-agent/
metadata:
verified: true
tags: code,linux,ssh-agent,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
ssh-agent whoami
- engine:
- sh
- bash
source: |
sudo ssh-agent whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100b753c3b219a51512f664bffcb2260ee8818cb2dedc7ad56dd2abfbc9c3098c9d02203c904efa51d90d9e74cf3fc931c0746d801e5359cd7c2c302de15089e6000896:922c64590222798bb761d5b6d8e72950
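Review bot: `ssh-agent whoami` starts an agent and runs `whoami` as its child, and the agent should exit with it, but the block only indicates escalation if `ssh-agent` is setuid, which the template should say in a comment above the second block. The sudo variant should be `sudo -n ssh-agent whoami` to avoid hanging on a password prompt. The DSL matchers' `contains(..., "root")` substring checks could be tightened to `regex("(?m)^root$", code_3_response)`.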


@ -0,0 +1,48 @@
id: privesc-sshpass
info:
name: sshpass - Privilege Escalation
author: daffainfo
severity: high
description: |
sshpass is a command-line tool that provides a way to automatically input SSH passwords for password authentication. It is commonly used in scripts and automated processes where interactive password entry is not feasible.
reference:
- https://gtfobins.github.io/gtfobins/sshpass/
metadata:
verified: true
tags: code,linux,sshpass,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
sshpass whoami
- engine:
- sh
- bash
source: |
sudo sshpass whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a004730450220094f30de7f11cc2db0a7e20e174f0d4ec8090c5b6ca57e047d081e2f7c6f38f1022100ec82a1aa799635b21303c12945cdce10a5aba671ae2cfa3fde58cd333c15e252:922c64590222798bb761d5b6d8e72950
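Review bot: `sshpass whoami` in the second block invokes sshpass with no `-p`/`-f`/`-e` option; as far as sshpass's documented behaviour goes it only feeds a password when the child prompts for one, and `whoami` never does, so the block is effectively a pass-through that reports `root` only if sshpass is setuid — a comment noting that would help. The third block should be `sudo -n sshpass whoami` so it cannot stall on a sudo password prompt. `contains(code_3_response, "root")` is a substring check; `regex("(?m)^root$", code_3_response)` is exact.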


@ -0,0 +1,48 @@
id: privesc-stdbuf
info:
name: stdbuf - Privilege Escalation
author: daffainfo
severity: high
description: |
The stdbuf command is used to modify the buffering operations of another command. It can be used to adjust the input/output buffering of a command, which can be useful for controlling the flow of data and improving the performance of certain operations.
reference:
- https://gtfobins.github.io/gtfobins/stdbuf/
metadata:
verified: true
tags: code,linux,stdbuf,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
stdbuf -i0 whoami
- engine:
- sh
- bash
source: |
sudo stdbuf -i0 whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4b0a004830460221009591ab6b38c91a906c3798218c576a7f436505855af6613249f6492274f30342022100e14a43caf3b2f7d9db3858ad0f0ce0c3cb2333ac56f5c3642c326db04dfc6bf4:922c64590222798bb761d5b6d8e72950
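Review bot: The third block's `sudo stdbuf -i0 whoami` has no `-n`, so it waits on a password prompt wherever the sudo rule is not NOPASSWD; `sudo -n stdbuf -i0 whoami` fails fast instead. The non-sudo `stdbuf -i0 whoami` is a pass-through that only returns `root` when stdbuf is setuid; a comment above it would make that explicit. The `contains(..., "root")` DSL matchers are substring tests and could be tightened to `regex("(?m)^root$", code_2_response)`.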


@ -0,0 +1,48 @@
id: privesc-strace
info:
name: strace - Privilege Escalation
author: daffainfo
severity: high
description: |
strace is a diagnostic, debugging, and instructional utility for Linux. It is used to monitor the system calls and signals that a program receives, allowing users to trace and analyze its interactions with the kernel.
reference:
- https://gtfobins.github.io/gtfobins/strace/
metadata:
verified: true
tags: code,linux,strace,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
strace -o /dev/null whoami
- engine:
- sh
- bash
source: |
sudo strace -o /dev/null whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a00463044022004a60c344e7b5d1878acb82b78027520e0402053ce9b080ee9eb807f0f3d9fc202203695fa9cde0c6d2321fe3b994b6a5905cf6d1a7a8b369ff9dde21dca0b6324e9:922c64590222798bb761d5b6d8e72950
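Review bot: `sudo strace -o /dev/null whoami` (third block) should be `sudo -n strace -o /dev/null whoami` so that a password-requiring sudo rule produces an immediate failure rather than a prompt. The second block traces `whoami` as a child of the scanning user and, absent a setuid strace, prints the scanning user; a comment stating that `root` here implies a setuid strace would clarify why both blocks exist. The matchers use substring `contains(..., "root")`; `regex("(?m)^root$", code_3_response)` avoids accidental hits.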


@ -0,0 +1,48 @@
id: privesc-tar
info:
name: tar - Privilege Escalation
author: daffainfo
severity: high
description: |
tar is a command-line utility used to create and manipulate archive files. It is commonly used for bundling multiple files and directories into a single archive, often used in conjunction with compression tools like gzip or bzip2.
reference:
- https://gtfobins.github.io/gtfobins/tar/
metadata:
verified: true
tags: code,linux,tar,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=whoami
- engine:
- sh
- bash
source: |
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a004630440220087093983b273eed4e1cd049ea189259644b82fa05d847a9ea5759d5cac748210220734da5a1acead8c4850dd1914e28f1789fcb6a8c15f401a025a85ad61c869e81:922c64590222798bb761d5b6d8e72950
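Review bot: The checkpoint payload `--checkpoint-action=exec=whoami` is what actually runs the command, while `-cf /dev/null /dev/null` exists only to give tar something to archive so that a checkpoint is reached; that is not obvious from the command and a one-line comment above the second block would save the next reader a trip to GTFObins. The sudo block should be `sudo -n tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=whoami` so it does not stall on a password prompt. `contains(code_3_response, "root")` is a substring test; an anchored `regex("(?m)^root$", code_3_response)` is stricter.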


@ -0,0 +1,48 @@
id: privesc-tcsh
info:
name: tcsh - Privilege Escalation
author: daffainfo
severity: high
description: |
tcsh is a Unix shell based on and compatible with the C shell (csh). It provides a command-line interface for interacting with the operating system and executing commands.
reference:
- https://gtfobins.github.io/gtfobins/tcsh/
metadata:
verified: true
tags: code,linux,tcsh,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
tcsh -c 'whoami'
- engine:
- sh
- bash
source: |
sudo tcsh -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a0047304502206b01d2dba89b176065d1cda636fef106909c915bd5b1c3f2a78fe684210a06cc022100cc011ce84840a655454a0e77710665e50152dbacfcd4d3ef0aa99dd8c644033b:922c64590222798bb761d5b6d8e72950
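Review bot: `sudo tcsh -c 'whoami'` in the third block lacks `-n`; `sudo -n tcsh -c 'whoami'` makes the step fail immediately instead of prompting when sudo needs a password. The second block reports `root` only if tcsh is setuid, which is unusual for a login shell, so a comment above it would make the intent clear. The DSL `contains(..., "root")` matchers are substring checks that `regex("(?m)^root$", code_3_response)` would tighten.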


@ -0,0 +1,48 @@
id: privesc-time
info:
name: Time - Privilege Escalation
author: daffainfo
severity: high
description: |
The time command is used to determine the amount of time taken by a command to execute.
reference:
- https://gtfobins.github.io/gtfobins/time/
metadata:
verified: true
tags: code,linux,time,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
time whoami
- engine:
- sh
- bash
source: |
sudo time whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4b0a00483046022100cc8e3fbc97d7198e7c975f6afe20638e1e0cc9a39a4102125433074ce70972f8022100a4d8e3b805817711f7cdcd8e67d24ef7a9193a74e31104e2e721b49b14d5c6ac:922c64590222798bb761d5b6d8e72950
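Review bot: In `bash`, one of the two engines declared for the second block, `time` is a shell reserved word, so `time whoami` never executes the `time` binary and the block exercises the shell keyword rather than the GTFObins program; `command time whoami` or `/usr/bin/time whoami` makes both engines invoke the external binary. The third block `sudo time whoami` does reach the binary (sudo does not know shell keywords) but should be `sudo -n time whoami` to avoid a password prompt, and the description could note that `/usr/bin/time` is frequently not installed by default. The `contains(..., "root")` matchers are substring checks; `regex("(?m)^root$", code_3_response)` is exact.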


@ -0,0 +1,48 @@
id: privesc-timeout
info:
name: Timeout - Privilege Escalation
author: daffainfo
severity: high
description: |
The timeout command is used to run a command with a specified time limit. It is commonly used to prevent a command from running indefinitely and to enforce a time restriction on its execution.
reference:
- https://gtfobins.github.io/gtfobins/timeout/
metadata:
verified: true
tags: code,linux,timeout,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
timeout 7d whoami
- engine:
- sh
- bash
source: |
sudo timeout 7d whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100b14feb5994b6568d189c65f7fdd09262cc98fde6dbbe1a3491faff155657ed4a022047bcbb8428be076b89868f132185df823b7f06b3b1dffca9602aa7f1c09e4e5b:922c64590222798bb761d5b6d8e72950
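Review bot: `sudo timeout 7d whoami` in the third block should be `sudo -n timeout 7d whoami` so the step fails at once when the sudo rule requires a password rather than waiting on a prompt. The `7d` limit is irrelevant for `whoami` and reads as if a long-running command were intended; a short value such as `timeout 5 whoami` with a comment that the duration is arbitrary would be clearer. The substring `contains(..., "root")` checks could be tightened to `regex("(?m)^root$", code_3_response)`.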


@ -0,0 +1,48 @@
id: privesc-tmate
info:
name: tmate - Privilege Escalation
author: daffainfo
severity: high
description: |
tmate is a terminal multiplexer that allows multiple users to access and collaborate in the same terminal session.
reference:
- https://gtfobins.github.io/gtfobins/tmate/
metadata:
verified: true
tags: code,linux,tmate,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
tmate -c whoami
- engine:
- sh
- bash
source: |
sudo tmate -c whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4b0a00483046022100bad54c8fab4967e3192ee32f2260b8b1d97bc01803218c272a3b5cc0ec265ddc02210095e387ac431a8608cb08182955781602ec196b639dcdf3b67ba2b1aa935d7481:922c64590222798bb761d5b6d8e72950
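Review bot: `tmate -c whoami` and `sudo tmate -c whoami` start a tmate session, and tmate's default configuration, as far as I know, connects outbound to its hosted relay at startup; running this during a local privilege-escalation check therefore makes an external network connection from the target, which the template should warn about in a comment (or point at a local relay if the environment permits). The sudo block should also be `sudo -n tmate -c whoami` to avoid a password prompt. It is also not clear from the template that the session terminates once `whoami` exits; if it does not, the block could leave a detached tmate process behind on the host.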


@ -0,0 +1,48 @@
id: privesc-torify
info:
name: Torify - Privilege Escalation
author: daffainfo
severity: high
description: |
torify is a command-line utility that is used to transparently route network traffic through the Tor network. It is commonly used to anonymize the network connections of other command-line programs, allowing them to communicate over the Tor network for enhanced privacy and security.
reference:
- https://gtfobins.github.io/gtfobins/torify/
metadata:
verified: true
tags: code,linux,torify,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
torify whoami
- engine:
- sh
- bash
source: |
sudo torify whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a004730450220154ec04f332ea7e202cbcfeafd63857b85e9bed7e847c9bd5676dd4c887b8f0d022100f2d7f29b486c60956522e7f60b7705f93fca788825aaa855f24b65d0e9eb38a1:922c64590222798bb761d5b6d8e72950
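Review bot: `torify whoami` wraps the process in a SOCKS shim (torify is, to my knowledge, a wrapper around torsocks' LD_PRELOAD library), and `whoami` opens no network connection, so the second block is a pass-through that reports `root` only if the wrapper is setuid; a comment above it should say so. The third block should be `sudo -n torify whoami` so it does not hang on a sudo password prompt. The `contains(..., "root")` matchers are substring checks; `regex("(?m)^root$", code_3_response)` is exact.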


@ -0,0 +1,48 @@
id: privesc-torsocks
info:
name: Torsocks - Privilege Escalation
author: daffainfo
severity: high
description: |
torsocks is a wrapper that enables the use of the Tor network for any program, including those that do not natively support proxy settings. It intercepts and redirects network calls from the target program through the Tor network, providing a way to anonymize the network traffic of various applications.
reference:
- https://gtfobins.github.io/gtfobins/torsocks/
metadata:
verified: true
tags: code,linux,torsocks,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
torsocks whoami
- engine:
- sh
- bash
source: |
sudo torsocks whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4b0a004830460221009ccfb6a8d991e200d8f5780d56ba3db6d46cdc82fa3e7d9c57d6ac5605db4844022100c99b0af514c9a8414f12c721bcde734f01c1e2ac279ae97ee9a5ec4acd7254e2:922c64590222798bb761d5b6d8e72950
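Review bot: The third block's `sudo torsocks whoami` should be `sudo -n torsocks whoami` so it fails immediately when sudo needs a password instead of prompting. Since `whoami` makes no network calls, torsocks has nothing to redirect here and the second block can only show `root` if torsocks is setuid; it may also emit a warning on stderr when no Tor daemon is listening, which is harmless for the substring matcher but worth a comment. `regex("(?m)^root$", code_3_response)` would replace the substring `contains(..., "root")` check with an exact one.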


@ -0,0 +1,48 @@
id: privesc-unshare
info:
name: Unshare - Privilege Escalation
author: daffainfo
severity: high
description: |
The unshare command is used to run a command in a new namespace, which can isolate various aspects of the system, such as the mount namespace, network namespace, user namespace, and more.
reference:
- https://gtfobins.github.io/gtfobins/unshare/
metadata:
verified: true
tags: code,linux,unshare,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
unshare whoami
- engine:
- sh
- bash
source: |
sudo unshare whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022051813a52f05fe4e85c256e0fb2b37db4c2ca3ad0761c191bcfc84b832a3376fe022100b548ea734cc498a18fb003c25273e18a27c6e3b264f0092a0559822203bc056f:922c64590222798bb761d5b6d8e72950
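Review bot: A caveat worth recording above the second block: `unshare -r whoami` (a user namespace with the caller mapped to uid 0) prints `root` with no real privilege, so anyone extending this template must not add `-r` or the `contains(code_2_response, "root")` matcher becomes a guaranteed false positive; the current `unshare whoami` does not have that problem and only shows `root` if unshare is setuid. The sudo block should be `sudo -n unshare whoami` so it fails fast when a password is required. An anchored `regex("(?m)^root$", code_3_response)` is a stricter replacement for the substring check.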


@ -0,0 +1,48 @@
id: privesc-vi
info:
name: Vi - Privilege Escalation
author: daffainfo
severity: high
description: |
vi is a classic text editor in Unix and Unix-like operating systems. It is known for its modal editing capabilities and is often used for editing configuration files, scripts, and other text-based content in a terminal environment.
reference:
- https://gtfobins.github.io/gtfobins/vi/
metadata:
verified: true
tags: code,linux,vi,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
vi -c '!whoami'
- engine:
- sh
- bash
source: |
sudo vi -c '!whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a00463044022061470482019e232b8dd4e74311f7a7d063964948171f608f888c369ffe4627d302201561f18adcd1531372b9a71ea697d2aa879ffaa1ed68173923715c313846c99c:922c64590222798bb761d5b6d8e72950
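Review bot: `vi -c '!whoami'` runs the command but then leaves the editor open waiting for input; under a scanner with no terminal attached this is likely to block or abort with a not-a-terminal warning, so each block should end with an explicit quit: `vi -c '!whoami' -c ':q!'` and `sudo -n vi -c '!whoami' -c ':q!'`. The `-n` also prevents the sudo block from stalling on a password prompt. The sibling `view` template spells the command `:!whoami` while this one uses `!whoami`; both work, but one form should be used across the vi/view/vim trio.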


@ -0,0 +1,48 @@
id: privesc-view
info:
name: View - Privilege Escalation
author: daffainfo
severity: high
description: |
view is a command that is often associated with the vi text editor. When invoked as "view," vi starts in read-only mode, allowing users to view files without the ability to modify them.
reference:
- https://gtfobins.github.io/gtfobins/view/
metadata:
verified: true
tags: code,linux,view,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
view -c ':!whoami'
- engine:
- sh
- bash
source: |
sudo view -c ':!whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a004630440220745d93f1bcfb94d74dcf88e19f6183ad4bd975d158e3f1144b9ef1bea5bdf16602204eb58016fc57746a533d29204d6866b5c970ec1618fc0f5c18ba192b9fa8be1b:922c64590222798bb761d5b6d8e72950
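Review bot: After `view -c ':!whoami'` executes the shell command the editor remains open, so without a controlling terminal the scanner's child process is likely to hang or exit on a not-a-terminal warning before the output is collected; append a quit command, `view -c ':!whoami' -c ':q!'`, and likewise `sudo -n view -c ':!whoami' -c ':q!'` for the third block. `-n` keeps the sudo step from waiting on a password prompt. The description says `view` is vi in read-only mode, so a comment that `:!` still spawns a shell regardless of read-only mode would explain why the template works.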


@ -0,0 +1,48 @@
id: privesc-vim
info:
name: Vim - Privilege Escalation
author: daffainfo
severity: high
description: |
Vim is a highly configurable, modal text editor based on the vi editor.
reference:
- https://gtfobins.github.io/gtfobins/vim/
metadata:
verified: true
tags: code,linux,vim,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
vim -c '!whoami'
- engine:
- sh
- bash
source: |
sudo vim -c '!whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a0047304502210097753cfbafc37950b15b53deff6dc81db080103b5a42de2269bc478a47084b0f0220610b9984a25a0ee19724242e8d9f893eda02eaaeb115c3960c89962a46643b8f:922c64590222798bb761d5b6d8e72950
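Review bot: `vim -c '!whoami'` executes the command and then stays in the editor; when stdin/stdout are not a terminal vim is likely to block on the post-command prompt or bail out with a warning, so the blocks should quit explicitly, `vim -c '!whoami' -c ':q!'` and `sudo -n vim -c '!whoami' -c ':q!'`. The `-n` flag additionally stops the sudo block from hanging on a password prompt. The one-line description could also mention that `:!` runs a shell even in restricted contexts, which is the property this template depends on.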


@ -0,0 +1,48 @@
id: privesc-xargs
info:
name: Xargs - Privilege Escalation
author: daffainfo
severity: high
description: |
xargs is a command in Unix and Unix-like operating systems used to build and execute command lines from standard input.
reference:
- https://gtfobins.github.io/gtfobins/xargs/
metadata:
verified: true
tags: code,linux,xargs,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
xargs -a /dev/null whoami
- engine:
- sh
- bash
source: |
sudo xargs -a /dev/null whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4b0a00483046022100e502140967a7fd972baa3f8ddd98adbe4c99b0d34191364ec9a3ed55f9e3caa0022100ac2ab00f625df439fa051705ce700f21aee98f9218db1f2ae9ec6315b54195ad:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,48 @@
id: privesc-xdg-user-dir
info:
name: xdg-user-dir - Privilege Escalation
author: daffainfo
severity: high
description: |
The xdg-user-dir command is used to retrieve the path of a user's special directories, such as the user's home directory, desktop directory, download directory, and others, based on the XDG Base Directory Specification.
reference:
- https://gtfobins.github.io/gtfobins/xdg-user-dir/
metadata:
verified: true
tags: code,linux,xdg-user-dir,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
xdg-user-dir '}; whoami #'
- engine:
- sh
- bash
source: |
sudo xdg-user-dir '}; whoami #'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a004730450220701c2a9df9952e6bfd696274f6ba54fd1e8d5679da4e278fb3dab833fb1779a8022100cff3379e79aff775160c435df5a290c70f9b8d263bfd877a3a3c4fd63e896ca6:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,48 @@
id: privesc-yash
info:
name: Yash - Privilege Escalation
author: daffainfo
severity: high
description: |
yash is a POSIX-compliant command shell that aims to be a lightweight and efficient alternative to other shells such as Bash or Zsh.
reference:
- https://gtfobins.github.io/gtfobins/yash/
metadata:
verified: true
tags: code,linux,yash,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
yash -c 'whoami'
- engine:
- sh
- bash
source: |
sudo yash -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4b0a00483046022100c6894473ffd208e9539bbaa707a70e0eaecda95fdb3e204ac6e3317f3953b787022100c830b24cadbbe5d400ad4123673b1a146d12d5dd9faa9b5750251af6d6e37cea:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,48 @@
id: privesc-zsh
info:
name: Zsh - Privilege Escalation
author: daffainfo
severity: high
description: |
zsh is a powerful and feature-rich shell for Unix-like operating systems. It offers advanced interactive features, extensive customization options, and robust scripting capabilities
reference:
- https://gtfobins.github.io/gtfobins/zsh/
metadata:
verified: true
tags: code,linux,zsh,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
zsh -c 'whoami'
- engine:
- sh
- bash
source: |
sudo zsh -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a0046304402200fe72b359a88bdfd94240a5d26c83549a114ef09577f197b3dbf43d9555f7a330220170fd068c5f2adf8493b8eee427287a7b29c3e0fffc88d9d4a9a527eca31e0e4:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,44 @@
id: rw-shadow
info:
name: /etc/shadow writable or readabel - Privilege Escalation
author: daffainfo
severity: high
reference:
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-etc-shadow
metadata:
verified: true
tags: code,linux,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
[ -r "/etc/shadow" ] || [ -w "/etc/shadow" ] && echo "Either readable or writable" || echo "Not readable and not writable"
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: word
part: code_2_response
words:
- "Either readable or writable"
- type: word
part: code_2_response
words:
- "Not readable and not writable"
negative: true
# digest: 4b0a00483046022100c78963808dac941393a893b98ff00ee7009bd9228193e55ecbb9640e944f7789022100fca86fbd6ee146369c1bdfe59c87b532d1117bca280dba5ef319e71f0102fde1:922c64590222798bb761d5b6d8e72950
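Review bot: This file sets no `matchers-condition`, unlike the privesc-* templates above which all carry `matchers-condition: and`; if the engine's default is `or` (which those explicit `and` lines suggest), the `negative: true` word matcher on `code_1_response` alone satisfies the template for every non-root user and the `/etc/shadow` result is never consulted. Adding `matchers-condition: and` on the line before `matchers:` makes the three checks conjunctive. The same omission is in rw-sudoers, and both files are listed twice in this commit with identical digests (rw-shadow again directly below), which looks like a duplicated listing worth confirming. The name also misspells "readable": `name: /etc/shadow writable or readable - Privilege Escalation`.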


@ -0,0 +1,44 @@
id: rw-shadow
info:
name: /etc/shadow writable or readabel - Privilege Escalation
author: daffainfo
severity: high
reference:
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-etc-shadow
metadata:
verified: true
tags: code,linux,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
[ -r "/etc/shadow" ] || [ -w "/etc/shadow" ] && echo "Either readable or writable" || echo "Not readable and not writable"
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: word
part: code_2_response
words:
- "Either readable or writable"
- type: word
part: code_2_response
words:
- "Not readable and not writable"
negative: true
# digest: 4b0a00483046022100c78963808dac941393a893b98ff00ee7009bd9228193e55ecbb9640e944f7789022100fca86fbd6ee146369c1bdfe59c87b532d1117bca280dba5ef319e71f0102fde1:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,44 @@
id: rw-sudoers
info:
name: /etc/sudoers writable or readable - Privilege Escalation
author: daffainfo
severity: high
reference:
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation#etc-sudoers-etc-sudoers.d
metadata:
verified: true
tags: code,linux,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
[ -r "/etc/sudoers" ] || [ -w "/etc/sudoers" ] && echo "Either readable or writable" || echo "Not readable and not writable"
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: word
part: code_2_response
words:
- "Either readable or writable"
- type: word
part: code_2_response
words:
- "Not readable and not writable"
negative: true
# digest: 4a0a00473045022100d543bff4619a3dee763c3cf291100761f724c8b2481d689fd4d9115992bd90470220558daf66ad9cbfb3c1e70caf73285980c389bd4d87aa9a5fda473b303d099847:922c64590222798bb761d5b6d8e72950
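Review bot: The check `[ -r "/etc/sudoers" ] || [ -w "/etc/sudoers" ]` tests only the main file, while the reference anchor a few lines above (`#etc-sudoers-etc-sudoers.d`) covers the drop-in directory as well; a writable `/etc/sudoers.d/` or a writable file inside it grants the same escalation and is not detected here. Extending the test, e.g. `[ -r /etc/sudoers ] || [ -w /etc/sudoers ] || [ -w /etc/sudoers.d ] || [ -n "$(find /etc/sudoers.d -writable 2>/dev/null)" ]` (the `-writable` predicate is GNU find; confirm for the target platforms), would cover it with the `echo` branches unchanged. The `||`/`&&` chain also relies on left-to-right precedence to produce the right message; an `if`/`else` statement would read more safely.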


@ -0,0 +1,44 @@
id: rw-sudoers
info:
name: /etc/sudoers writable or readable - Privilege Escalation
author: daffainfo
severity: high
reference:
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation#etc-sudoers-etc-sudoers.d
metadata:
verified: true
tags: code,linux,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
[ -r "/etc/sudoers" ] || [ -w "/etc/sudoers" ] && echo "Either readable or writable" || echo "Not readable and not writable"
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: word
part: code_2_response
words:
- "Either readable or writable"
- type: word
part: code_2_response
words:
- "Not readable and not writable"
negative: true
# digest: 4a0a00473045022100d543bff4619a3dee763c3cf291100761f724c8b2481d689fd4d9115992bd90470220558daf66ad9cbfb3c1e70caf73285980c389bd4d87aa9a5fda473b303d099847:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,27 @@
id: sudo-nopasswd
info:
name: Sudo NOPASSWD - Privilege Escalation
author: daffainfo
severity: high
description: Sudo configuration might allow a user to execute some command with another user's privileges without knowing the password.
reference:
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation#nopasswd
metadata:
verified: true
tags: code,linux,sudo,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
sudo -l
matchers:
- type: word
part: code_1_response
words:
- "(root) NOPASSWD:"
# digest: 4a0a00473045022100e62bc1a0b1a457ab643a4ee150cfc38becf287d629ee5200603723849691bc2602204b8aea2931fe9c3486dd06edf9325e8d2b406be20cc5fbcef197ff152119ddef:922c64590222798bb761d5b6d8e72950
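Review bot: The word matcher `"(root) NOPASSWD:"` only matches rules written with an explicit `(root)` runas field; the common `(ALL) NOPASSWD: ALL` and `(ALL : ALL) NOPASSWD:` forms produce no match, so a large share of passwordless sudo configurations are missed. Matching on the keyword alone, `words: - "NOPASSWD:"`, covers every runas spelling, and a regex matcher could then narrow it to entries naming root or ALL if precision matters. `sudo -l` may itself require a password on some configurations; `sudo -n -l` fails fast rather than waiting for input when no terminal is attached (worth confirming against the engine's behaviour). The same file is listed a second time directly below with an identical digest.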


@ -0,0 +1,27 @@
id: sudo-nopasswd
info:
name: Sudo NOPASSWD - Privilege Escalation
author: daffainfo
severity: high
description: Sudo configuration might allow a user to execute some command with another user's privileges without knowing the password.
reference:
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation#nopasswd
metadata:
verified: true
tags: code,linux,sudo,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
sudo -l
matchers:
- type: word
part: code_1_response
words:
- "(root) NOPASSWD:"
# digest: 4a0a00473045022100e62bc1a0b1a457ab643a4ee150cfc38becf287d629ee5200603723849691bc2602204b8aea2931fe9c3486dd06edf9325e8d2b406be20cc5fbcef197ff152119ddef:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,32 @@
id: writable-etc-passwd
info:
name: /etc/passwd writable - Privilege Escalation
author: daffainfo
severity: high
reference:
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-etc-passwd
metadata:
verified: true
tags: code,linux,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
[ -w "/etc/passwd" ] && echo "Writable" || echo "Not writable"
matchers:
- type: word
part: code_1_response
words:
- "Writable"
- type: word
part: code_1_response
words:
- "Not writable"
negative: true
# digest: 4a0a004730450220688d5a0b52ecf69ea46224b683a6ee0c757513641d59b72abb034cc31af73f11022100987335f5bd847f8c382c487b8af7a71c9b156c1e578436f6b0e01f791f229130:922c64590222798bb761d5b6d8e72950
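Review bot: Unlike rw-shadow and rw-sudoers, this template has no `whoami` step excluding root, so a scan executed as root reports `/etc/passwd writable` as a privilege escalation even though root already owns the file. Adding the same first code step (`whoami`) with a `negative: true` word matcher for `root` on `code_1_response`, together with `matchers-condition: and`, keeps the result meaningful. Without an explicit `matchers-condition`, the positive `"Writable"` matcher only avoids firing on `"Not writable"` because word matching is case-sensitive, which is fragile. The file is also missing a `description:` that the other new templates carry, and it appears again directly below with an identical digest.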


@ -0,0 +1,32 @@
id: writable-etc-passwd
info:
name: /etc/passwd writable - Privilege Escalation
author: daffainfo
severity: high
reference:
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-etc-passwd
metadata:
verified: true
tags: code,linux,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
[ -w "/etc/passwd" ] && echo "Writable" || echo "Not writable"
matchers:
- type: word
part: code_1_response
words:
- "Writable"
- type: word
part: code_1_response
words:
- "Not writable"
negative: true
# digest: 4a0a004730450220688d5a0b52ecf69ea46224b683a6ee0c757513641d59b72abb034cc31af73f11022100987335f5bd847f8c382c487b8af7a71c9b156c1e578436f6b0e01f791f229130:922c64590222798bb761d5b6d8e72950


@ -13,7 +13,7 @@ severity:
- unknown
type:
- dns
- http
- tcp
- javascript


@ -492,6 +492,7 @@
{"ID":"CVE-2018-10818","Info":{"Name":"LG NAS Devices - Remote Code Execution","Severity":"critical","Description":"LG NAS devices contain a pre-auth remote command injection via the \"password\" parameter.","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2018/CVE-2018-10818.yaml"}
{"ID":"CVE-2018-10822","Info":{"Name":"D-Link Routers - Local File Inclusion","Severity":"high","Description":"D-Link routers DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02,DWR-512 through 2.02,DWR-712 through 2.02,DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01, and probably others with the same type of firmware allows remote attackers to read arbitrary files via a /.. or // after \"GET /uir\" in an HTTP request to the web interface.","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2018/CVE-2018-10822.yaml"}
{"ID":"CVE-2018-10823","Info":{"Name":"D-Link Routers - Remote Command Injection","Severity":"high","Description":"D-Link DWR-116 through 1.06, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 device may allow an authenticated attacker to execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. This allows for full control over the device internals.\n","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2018/CVE-2018-10823.yaml"}
{"ID":"CVE-2018-10942","Info":{"Name":"Prestashop AttributeWizardPro Module - Arbitrary File Upload","Severity":"critical","Description":"In the Attribute Wizard addon 1.6.9 for PrestaShop allows remote attackers to execute arbitrary code by uploading a php file.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2018/CVE-2018-10942.yaml"}
{"ID":"CVE-2018-10956","Info":{"Name":"IPConfigure Orchid Core VMS 2.0.5 - Local File Inclusion","Severity":"high","Description":"IPConfigure Orchid Core VMS 2.0.5 is susceptible to local file inclusion.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2018/CVE-2018-10956.yaml"}
{"ID":"CVE-2018-11227","Info":{"Name":"Monstra CMS \u003c=3.0.4 - Cross-Site Scripting","Severity":"medium","Description":"Monstra CMS 3.0.4 and earlier contains a cross-site scripting vulnerability via index.php. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2018/CVE-2018-11227.yaml"}
{"ID":"CVE-2018-11231","Info":{"Name":"Opencart Divido - Sql Injection","Severity":"high","Description":"OpenCart Divido plugin is susceptible to SQL injection\n","Classification":{"CVSSScore":"8.1"}},"file_path":"http/cves/2018/CVE-2018-11231.yaml"}
@ -760,7 +761,6 @@
{"ID":"CVE-2019-6112","Info":{"Name":"WordPress Sell Media 2.4.1 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Plugin Sell Media v2.4.1 contains a cross-site scripting vulnerability in /inc/class-search.php that allows remote attackers to inject arbitrary web script or HTML via the keyword parameter (aka $search_term or the Search field).","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2019/CVE-2019-6112.yaml"}
{"ID":"CVE-2019-6340","Info":{"Name":"Drupal - Remote Code Execution","Severity":"high","Description":"Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10 V contain certain field types that do not properly sanitize data from non-form sources, which can lead to arbitrary PHP code execution in some cases.","Classification":{"CVSSScore":"8.1"}},"file_path":"http/cves/2019/CVE-2019-6340.yaml"}
{"ID":"CVE-2019-6715","Info":{"Name":"W3 Total Cache 0.9.2.6-0.9.3 - Unauthenticated File Read / Directory Traversal","Severity":"high","Description":"WordPress plugin W3 Total Cache before version 0.9.4 allows remote attackers to read arbitrary files via the SubscribeURL field in SubscriptionConfirmation JSON data via pub/sns.php.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2019/CVE-2019-6715.yaml"}
{"ID":"CVE-2019-6799","Info":{"Name":"phpMyAdmin \u003c4.8.5 - Local File Inclusion","Severity":"medium","Description":"phpMyAdmin before 4.8.5 is susceptible to local file inclusion. When the AllowArbitraryServer configuration setting is set to true, an attacker can read, with the use of a rogue MySQL server, any file on the server that the web server's user can access. This is related to the mysql.allow_local_infile PHP configuration, and the inadvertent ignoring of options(MYSQLI_OPT_LOCAL_INFIL calls.\n","Classification":{"CVSSScore":"5.9"}},"file_path":"http/cves/2019/CVE-2019-6799.yaml"}
{"ID":"CVE-2019-6802","Info":{"Name":"Pypiserver \u003c1.2.5 - Carriage Return Line Feed Injection","Severity":"medium","Description":"Pypiserver through 1.2.5 and below is susceptible to carriage return line feed injection. An attacker can set arbitrary HTTP headers and possibly conduct cross-site scripting attacks via a %0d%0a in a URI.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2019/CVE-2019-6802.yaml"}
{"ID":"CVE-2019-7192","Info":{"Name":"QNAP QTS and Photo Station 6.0.3 - Remote Command Execution","Severity":"critical","Description":"This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2019/CVE-2019-7192.yaml"}
{"ID":"CVE-2019-7219","Info":{"Name":"Zarafa WebApp \u003c=2.0.1.47791 - Cross-Site Scripting","Severity":"medium","Description":"Zarafa WebApp 2.0.1.47791 and earlier contains an unauthenticated reflected cross-site scripting vulnerability. An attacker can execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2019/CVE-2019-7219.yaml"}
@ -865,7 +865,7 @@
{"ID":"CVE-2020-15920","Info":{"Name":"Mida eFramework \u003c=2.9.0 - Remote Command Execution","Severity":"critical","Description":"Mida eFramework through 2.9.0 allows an attacker to achieve remote code execution with administrative (root) privileges. No authentication is required.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2020/CVE-2020-15920.yaml"}
{"ID":"CVE-2020-16139","Info":{"Name":"Cisco Unified IP Conference Station 7937G - Denial-of-Service","Severity":"high","Description":"Cisco Unified IP Conference Station 7937G 1-4-4-0 through 1-4-5-7 allows attackers to restart the device remotely via specially crafted packets that can cause a denial-of-service condition. Note: We cannot prove this vulnerability exists. Out of an abundance of caution, this CVE is being assigned to better serve our customers and ensure all who are still running this product understand that the product is end of life and should be removed or upgraded.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2020/CVE-2020-16139.yaml"}
{"ID":"CVE-2020-16846","Info":{"Name":"SaltStack \u003c=3002 - Shell Injection","Severity":"critical","Description":"SaltStack Salt through 3002 allows an unauthenticated user with network access to the Salt API to use shell injections to run code on the Salt-API using the SSH client.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2020/CVE-2020-16846.yaml"}
{"ID":"CVE-2020-16952","Info":{"Name":"Microsoft SharePoint - Remote Code Execution","Severity":"high","Description":"Microsoft SharePoint is vulnerable to a remote code execution when the software fails to check the source markup of an application package.","Classification":{"CVSSScore":"7.8"}},"file_path":"http/cves/2020/CVE-2020-16952.yaml"}
{"ID":"CVE-2020-16952","Info":{"Name":"Microsoft SharePoint - Remote Code Execution","Severity":"high","Description":"Microsoft SharePoint is vulnerable to a remote code execution when the software fails to check the source markup of an application package.","Classification":{"CVSSScore":"8.6"}},"file_path":"http/cves/2020/CVE-2020-16952.yaml"}
{"ID":"CVE-2020-17362","Info":{"Name":"Nova Lite \u003c 1.3.9 - Cross-Site Scripting","Severity":"medium","Description":"Nova Lite before 1.3.9 for WordPress is susceptible to reflected cross-site scripting via search.php.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2020/CVE-2020-17362.yaml"}
{"ID":"CVE-2020-17453","Info":{"Name":"WSO2 Carbon Management Console \u003c=5.10 - Cross-Site Scripting","Severity":"medium","Description":"WSO2 Management Console through 5.10 is susceptible to reflected cross-site scripting which can be exploited by tampering a request parameter in Management Console. This can be performed in both authenticated and unauthenticated requests.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2020/CVE-2020-17453.yaml"}
{"ID":"CVE-2020-17456","Info":{"Name":"SEOWON INTECH SLC-130 \u0026 SLR-120S - Unauthenticated Remote Code Execution","Severity":"critical","Description":"SEOWON INTECH SLC-130 and SLR-120S devices allow remote code execution via the ipAddr parameter to the system_log.cgi page.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2020/CVE-2020-17456.yaml"}
@ -945,6 +945,7 @@
{"ID":"CVE-2020-27467","Info":{"Name":"Processwire CMS \u003c2.7.1 - Local File Inclusion","Severity":"high","Description":"Processwire CMS prior to 2.7.1 is vulnerable to local file inclusion because it allows a remote attacker to retrieve sensitive files via the download parameter to index.php.","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2020/CVE-2020-27467.yaml"}
{"ID":"CVE-2020-27481","Info":{"Name":"Good Layers LMS Plugin \u003c= 2.1.4 - SQL Injection","Severity":"critical","Description":"An unauthenticated SQL Injection vulnerability in Good Layers LMS Plugin \u003c= 2.1.4 exists due to the usage of \"wp_ajax_nopriv\" call in WordPress, which allows any unauthenticated user to get access to the function \"gdlr_lms_cancel_booking\" where POST Parameter \"id\" was sent straight into SQL query without sanitization.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2020/CVE-2020-27481.yaml"}
{"ID":"CVE-2020-27735","Info":{"Name":"Wing FTP 6.4.4 - Cross-Site Scripting","Severity":"medium","Description":"Wing FTP 6.4.4 is vulnerable to cross-site scripting via its web interface because an arbitrary IFRAME element can be included in the help pages via a crafted link, leading to the execution of (sandboxed) arbitrary HTML and JavaScript in the user's browser.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2020/CVE-2020-27735.yaml"}
{"ID":"CVE-2020-27838","Info":{"Name":"KeyCloak - Information Exposure","Severity":"medium","Description":"A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality.\n","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2020/CVE-2020-27838.yaml"}
{"ID":"CVE-2020-27866","Info":{"Name":"NETGEAR - Authentication Bypass","Severity":"high","Description":"NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, R7450, JNR3210, WNR2020, Nighthawk AC2100, and Nighthawk AC2400 routers are vulnerable to authentication bypass vulnerabilities which could allow network-adjacent attackers to bypass authentication on affected installations.","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2020/CVE-2020-27866.yaml"}
{"ID":"CVE-2020-27982","Info":{"Name":"IceWarp WebMail 11.4.5.0 - Cross-Site Scripting","Severity":"medium","Description":"IceWarp WebMail 11.4.5.0 is vulnerable to cross-site scripting via the language parameter.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2020/CVE-2020-27982.yaml"}
{"ID":"CVE-2020-27986","Info":{"Name":"SonarQube - Authentication Bypass","Severity":"high","Description":"SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP,\nSVN, and GitLab credentials via the api/settings/values URI.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2020/CVE-2020-27986.yaml"}
@ -1225,7 +1226,7 @@
{"ID":"CVE-2021-26710","Info":{"Name":"Redwood Report2Web 4.3.4.5 \u0026 4.5.3 - Cross-Site Scripting","Severity":"medium","Description":"Redwood Report2Web 4.3.4.5 and 4.5.3 contains a cross-site scripting vulnerability in the login panel which allows remote attackers to inject JavaScript via the signIn.do urll parameter.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-26710.yaml"}
{"ID":"CVE-2021-26723","Info":{"Name":"Jenzabar 9.2x-9.2.2 - Cross-Site Scripting","Severity":"medium","Description":"Jenzabar 9.2.x through 9.2.2 contains a cross-site scripting vulnerability. It allows /ics?tool=search\u0026query.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-26723.yaml"}
{"ID":"CVE-2021-26812","Info":{"Name":"Moodle Jitsi Meet 2.7-2.8.3 - Cross-Site Scripting","Severity":"medium","Description":"Moodle Jitsi Meet 2.7 through 2.8.3 plugin contains a cross-site scripting vulnerability via the \"sessionpriv.php\" module. This allows attackers to craft a malicious URL, which when clicked on by users, can inject JavaScript code to be run by the application.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-26812.yaml"}
{"ID":"CVE-2021-26855","Info":{"Name":"Microsoft Exchange Server SSRF Vulnerability","Severity":"critical","Description":"This vulnerability is part of an attack chain that could allow remote code execution on Microsoft Exchange Server. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. Other portions of the chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file. Be aware his CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-26855.yaml"}
{"ID":"CVE-2021-26855","Info":{"Name":"Microsoft Exchange Server SSRF Vulnerability","Severity":"critical","Description":"This vulnerability is part of an attack chain that could allow remote code execution on Microsoft Exchange Server. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. Other portions of the chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file. Be aware his CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078.","Classification":{"CVSSScore":"9.1"}},"file_path":"http/cves/2021/CVE-2021-26855.yaml"}
{"ID":"CVE-2021-27124","Info":{"Name":"Doctor Appointment System 1.0 - SQL Injection","Severity":"medium","Description":"SQL injection in the expertise parameter in search_result.php in Doctor Appointment System v1.0.\n","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2021/CVE-2021-27124.yaml"}
{"ID":"CVE-2021-27132","Info":{"Name":"Sercomm VD625 Smart Modems - CRLF Injection","Severity":"critical","Description":"Sercomm AGCOMBO VD625 Smart Modems with firmware version AGSOT_2.1.0 are vulnerable to Carriage Return Line Feed (CRLF) injection via the Content-Disposition header.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-27132.yaml"}
{"ID":"CVE-2021-27309","Info":{"Name":"Clansphere CMS 2011.4 - Cross-Site Scripting","Severity":"medium","Description":"Clansphere CMS 2011.4 contains an unauthenticated reflected cross-site scripting vulnerability via the \"module\" parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-27309.yaml"}
@ -1320,7 +1321,7 @@
{"ID":"CVE-2021-33904","Info":{"Name":"Accela Civic Platform \u003c=21.1 - Cross-Site Scripting","Severity":"medium","Description":"Accela Civic Platform through 21.1 contains a cross-site scripting vulnerability via the security/hostSignon.do parameter servProvCode.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-33904.yaml"}
{"ID":"CVE-2021-34370","Info":{"Name":"Accela Civic Platform \u003c=21.1 - Cross-Site Scripting","Severity":"medium","Description":"Accela Civic Platform through 21.1 contains a cross-site scripting vulnerability via ssoAdapter/logoutAction.do successURL.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-34370.yaml"}
{"ID":"CVE-2021-34429","Info":{"Name":"Eclipse Jetty - Information Disclosure","Severity":"medium","Description":"Eclipse Jetty 9.4.37-9.4.42, 10.0.1-10.0.5 and 11.0.1-11.0.5 are susceptible to improper authorization. URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2021/CVE-2021-34429.yaml"}
{"ID":"CVE-2021-34473","Info":{"Name":"Exchange Server - Remote Code Execution","Severity":"critical","Description":"Microsoft Exchange Server is vulnerable to a remote code execution vulnerability. This CVE ID is unique from CVE-2021-31196, CVE-2021-31206.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-34473.yaml"}
{"ID":"CVE-2021-34473","Info":{"Name":"Exchange Server - Remote Code Execution","Severity":"critical","Description":"Microsoft Exchange Server is vulnerable to a remote code execution vulnerability. This CVE ID is unique from CVE-2021-31196, CVE-2021-31206.\n","Classification":{"CVSSScore":"9.1"}},"file_path":"http/cves/2021/CVE-2021-34473.yaml"}
{"ID":"CVE-2021-34621","Info":{"Name":"WordPress ProfilePress 3.0.0-3.1.3 - Admin User Creation Weakness","Severity":"critical","Description":"ProfilePress WordPress plugin is susceptible to a vulnerability in the user registration component in the ~/src/Classes/RegistrationAuth.php file that makes it possible for users to register on sites as an administrator.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-34621.yaml"}
{"ID":"CVE-2021-34640","Info":{"Name":"WordPress Securimage-WP-Fixed \u003c=3.5.4 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Securimage-WP-Fixed plugin 3.5.4 and prior contains a cross-site scripting vulnerability due to the use of $_SERVER['PHP_SELF'] in the ~/securimage-wp.php file, which allows attackers to inject arbitrary web scripts.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-34640.yaml"}
{"ID":"CVE-2021-34643","Info":{"Name":"WordPress Skaut Bazar \u003c1.3.3 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Skaut Bazar plugin before 1.3.3 contains a reflected cross-site scripting vulnerability due to the use of $_SERVER['PHP_SELF'] in the ~/skaut-bazar.php file, which allows attackers to inject arbitrary web scripts.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-34643.yaml"}
@ -1482,7 +1483,7 @@
{"ID":"CVE-2021-46422","Info":{"Name":"SDT-CW3B1 1.1.0 - OS Command Injection","Severity":"critical","Description":"Telesquare SDT-CW3B1 1.1.0 is affected by an OS command injection vulnerability that allows a remote attacker to execute OS commands without any authentication.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-46422.yaml"}
{"ID":"CVE-2021-46424","Info":{"Name":"Telesquare TLR-2005KSH 1.0.0 - Arbitrary File Delete","Severity":"critical","Description":"Telesquare TLR-2005KSH 1.0.0 is affected by an arbitrary file deletion vulnerability that allows a remote attacker to delete any file, even system internal files, via a DELETE request.","Classification":{"CVSSScore":"9.1"}},"file_path":"http/cves/2021/CVE-2021-46424.yaml"}
{"ID":"CVE-2021-46704","Info":{"Name":"GenieACS =\u003e 1.2.8 - OS Command Injection","Severity":"critical","Description":"In GenieACS 1.2.x before 1.2.8, the UI interface API is vulnerable to unauthenticated OS command injection via the ping host argument (lib/ui/api.ts and lib/ping.ts). The vulnerability arises from insufficient input validation combined with a missing authorization check.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-46704.yaml"}
{"ID":"CVE-2022-0087","Info":{"Name":"Keystone 6 Login Page - Open Redirect and Cross-Site Scripting","Severity":"medium","Description":"On the login page, there is a \"from=\" parameter in URL which is vulnerable to open redirect and can be escalated to reflected XSS.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2022/CVE-2022-0087.yaml"}
{"ID":"CVE-2022-0087","Info":{"Name":"Keystone 6 Login Page - Open Redirect and Cross-Site Scripting","Severity":"medium","Description":"On the login page, there is a \"from=\" parameter in URL which is vulnerable to open redirect and can be escalated to reflected XSS.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2022/CVE-2022-0087.yaml"}
{"ID":"CVE-2022-0140","Info":{"Name":"WordPress Visual Form Builder \u003c3.0.8 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Visual Form Builder plugin before 3.0.8 contains a cross-site scripting vulnerability. The plugin does not perform access control on entry form export, allowing an unauthenticated user to export the form entries as CSV files using the vfb-export endpoint.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2022/CVE-2022-0140.yaml"}
{"ID":"CVE-2022-0147","Info":{"Name":"WordPress Cookie Information/Free GDPR Consent Solution \u003c2.0.8 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Cookie Information/Free GDPR Consent Solution plugin prior to 2.0.8 contains a cross-site scripting vulnerability via the admin dashboard. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2022/CVE-2022-0147.yaml"}
{"ID":"CVE-2022-0148","Info":{"Name":"WordPress All-in-one Floating Contact Form \u003c2.0.4 - Cross-Site Scripting","Severity":"medium","Description":"WordPress All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs plugin before 2.0.4 contains a reflected cross-site scripting vulnerability on the my-sticky-elements-leads admin page.","Classification":{"CVSSScore":"5.4"}},"file_path":"http/cves/2022/CVE-2022-0148.yaml"}
@ -1918,8 +1919,8 @@
{"ID":"CVE-2022-44957","Info":{"Name":"WebTareas 2.4p5 - Cross-Site Scripting","Severity":"medium","Description":"webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /clients/listclients.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.\n","Classification":{"CVSSScore":"5.4"}},"file_path":"http/cves/2022/CVE-2022-44957.yaml"}
{"ID":"CVE-2022-45037","Info":{"Name":"WBCE CMS v1.5.4 - Cross Site Scripting (Stored)","Severity":"medium","Description":"A cross-site scripting (XSS) vulnerability in /admin/users/index.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Display Name field.\n","Classification":{"CVSSScore":"5.4"}},"file_path":"http/cves/2022/CVE-2022-45037.yaml"}
{"ID":"CVE-2022-45038","Info":{"Name":"WBCE CMS v1.5.4 - Cross Site Scripting (Stored)","Severity":"medium","Description":"A cross-site scripting (XSS) vulnerability in /admin/settings/save.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Footer field.\n","Classification":{"CVSSScore":"5.4"}},"file_path":"http/cves/2022/CVE-2022-45038.yaml"}
{"ID":"CVE-2022-45354","Info":{"Name":"Download Monitor \u003c= 4.7.60 - Sensitive Information Exposure","Severity":"medium","Description":"The Download Monitor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.7.60 via REST API. This can allow unauthenticated attackers to extract sensitive data including user reports, download reports, and user data including email, role, id and other info (not passwords)\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2022/CVE-2022-45354.yaml"}
{"ID":"CVE-2022-45362","Info":{"Name":"WordPress Paytm Payment Gateway \u003c=2.7.0 - Server-Side Request Forgery","Severity":"high","Description":"WordPress Paytm Payment Gateway plugin through 2.7.0 contains a server-side request forgery vulnerability. An attacker can cause a website to execute website requests to an arbitrary domain, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.","Classification":{"CVSSScore":"7.2"}},"file_path":"http/cves/2022/CVE-2022-45362.yaml"}
{"ID":"CVE-2022-45354","Info":{"Name":"Download Monitor \u003c= 4.7.60 - Sensitive Information Exposure","Severity":"high","Description":"The Download Monitor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.7.60 via REST API. This can allow unauthenticated attackers to extract sensitive data including user reports, download reports, and user data including email, role, id and other info (not passwords)\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2022/CVE-2022-45354.yaml"}
{"ID":"CVE-2022-45362","Info":{"Name":"WordPress Paytm Payment Gateway \u003c=2.7.0 - Server-Side Request Forgery","Severity":"medium","Description":"WordPress Paytm Payment Gateway plugin through 2.7.0 contains a server-side request forgery vulnerability. An attacker can cause a website to execute website requests to an arbitrary domain, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2022/CVE-2022-45362.yaml"}
{"ID":"CVE-2022-45365","Info":{"Name":"Stock Ticker \u003c= 3.23.2 - Cross-Site-Scripting","Severity":"medium","Description":"The Stock Ticker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in the ajax_stockticker_symbol_search_test function in versions up to, and including, 3.23.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2022/CVE-2022-45365.yaml"}
{"ID":"CVE-2022-45805","Info":{"Name":"WordPress Paytm Payment Gateway \u003c=2.7.3 - SQL Injection","Severity":"critical","Description":"WordPress Paytm Payment Gateway plugin through 2.7.3 contains a SQL injection vulnerability. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2022/CVE-2022-45805.yaml"}
{"ID":"CVE-2022-45835","Info":{"Name":"WordPress PhonePe Payment Solutions \u003c=1.0.15 - Server-Side Request Forgery","Severity":"high","Description":"WordPress PhonePe Payment Solutions plugin through 1.0.15 is susceptible to server-side request forgery. An attacker can cause a website to execute website requests to an arbitrary domain, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2022/CVE-2022-45835.yaml"}
@ -1937,6 +1938,7 @@
{"ID":"CVE-2022-47002","Info":{"Name":"Masa CMS - Authentication Bypass","Severity":"critical","Description":"Masa CMS 7.2, 7.3, and 7.4-beta are susceptible to authentication bypass in the Remember Me function. An attacker can bypass authentication via a crafted web request and thereby obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2022/CVE-2022-47002.yaml"}
{"ID":"CVE-2022-47003","Info":{"Name":"Mura CMS \u003c10.0.580 - Authentication Bypass","Severity":"critical","Description":"Mura CMS before 10.0.580 is susceptible to authentication bypass in the Remember Me function. An attacker can bypass authentication via a crafted web request and thereby obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2022/CVE-2022-47003.yaml"}
{"ID":"CVE-2022-47075","Info":{"Name":"Smart Office Web 20.28 - Information Disclosure","Severity":"high","Description":"An issue was discovered in Smart Office Web 20.28 and earlier allows attackers to download sensitive information via the action name parameter to ExportEmployeeDetails.aspx, and to ExportReportingManager.aspx.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2022/CVE-2022-47075.yaml"}
{"ID":"CVE-2022-47501","Info":{"Name":"Apache OFBiz \u003c 18.12.07 - Local File Inclusion","Severity":"high","Description":"Arbitrary file reading vulnerability in Apache Software Foundation Apache OFBiz when using the Solr plugin. This is a pre-authentication attack. This issue affects Apache OFBiz: before 18.12.07.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2022/CVE-2022-47501.yaml"}
{"ID":"CVE-2022-47615","Info":{"Name":"LearnPress Plugin \u003c 4.2.0 - Local File Inclusion","Severity":"critical","Description":"Local File Inclusion vulnerability in LearnPress WordPress LMS Plugin \u003c= 4.1.7.3.2 versions.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2022/CVE-2022-47615.yaml"}
{"ID":"CVE-2022-47945","Info":{"Name":"Thinkphp Lang - Local File Inclusion","Severity":"critical","Description":"ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2022/CVE-2022-47945.yaml"}
{"ID":"CVE-2022-47966","Info":{"Name":"ManageEngine - Remote Command Execution","Severity":"critical","Description":"Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2022/CVE-2022-47966.yaml"}
@ -2005,6 +2007,7 @@
{"ID":"CVE-2023-22515","Info":{"Name":"Atlassian Confluence - Privilege Escalation","Severity":"critical","Description":"Atlassian Confluence Data Center and Server contains a broken access control vulnerability that allows an attacker to create unauthorized Confluence administrator accounts and access Confluence.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-22515.yaml"}
{"ID":"CVE-2023-22518","Info":{"Name":"Atlassian Confluence Server - Improper Authorization","Severity":"critical","Description":"All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. There is no impact to confidentiality as an attacker cannot exfiltrate any instance data.\nAtlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-22518.yaml"}
{"ID":"CVE-2023-2252","Info":{"Name":"Directorist \u003c 7.5.4 - Local File Inclusion","Severity":"medium","Description":"Directorist before 7.5.4 is susceptible to Local File Inclusion as it does not validate the file parameter when importing CSV files.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-2252.yaml"}
{"ID":"CVE-2023-22527","Info":{"Name":"Atlassian Confluence - Remote Code Execution","Severity":"critical","Description":"A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action.\nMost recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassians January Security Bulletin.\n","Classification":{"CVSSScore":"10"}},"file_path":"http/cves/2023/CVE-2023-22527.yaml"}
{"ID":"CVE-2023-22620","Info":{"Name":"SecurePoint UTM 12.x Session ID Leak","Severity":"high","Description":"An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows sessionid information disclosure via an invalid authentication attempt. This can afterwards be used to bypass the device's authentication and get access to the administrative interface.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-22620.yaml"}
{"ID":"CVE-2023-2272","Info":{"Name":"Tiempo.com \u003c= 0.1.2 - Cross-Site Scripting","Severity":"medium","Description":"Tiempo.com before 0.1.2 is susceptible to cross-site scripting via the page parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-2272.yaml"}
{"ID":"CVE-2023-22897","Info":{"Name":"Securepoint UTM - Leaking Remote Memory Contents","Severity":"medium","Description":"An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows information disclosure of memory contents to be achieved by an authenticated user. Essentially, uninitialized data can be retrieved via an approach in which a sessionid is obtained but not used.\n","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2023/CVE-2023-22897.yaml"}
@ -2054,6 +2057,8 @@
{"ID":"CVE-2023-27482","Info":{"Name":"Home Assistant Supervisor - Authentication Bypass","Severity":"critical","Description":"Home Assistant Supervisor is an open source home automation tool. A remotely exploitable vulnerability bypassing authentication for accessing the Supervisor API through Home Assistant has been discovered.This impacts all Home Assistant installation types that use the Supervisor 2023.01.1 or older. Installation types, like Home Assistant Container (for example Docker), or Home Assistant Core manually in a Python environment, are not affected.\n","Classification":{"CVSSScore":"10"}},"file_path":"http/cves/2023/CVE-2023-27482.yaml"}
{"ID":"CVE-2023-27524","Info":{"Name":"Apache Superset - Authentication Bypass","Severity":"critical","Description":"Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-27524.yaml"}
{"ID":"CVE-2023-27587","Info":{"Name":"ReadToMyShoe - Generation of Error Message Containing Sensitive Information","Severity":"medium","Description":"ReadToMyShoe generates an error message containing sensitive information prior to commit 8533b01. If an error occurs when adding an article, the website shows the user an error message. If the error originates from the Google Cloud TTS request, it will include the full URL of the request, which contains the Google Cloud API key.\n","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2023/CVE-2023-27587.yaml"}
{"ID":"CVE-2023-27639","Info":{"Name":"PrestaShop TshirteCommerce - Directory Traversal","Severity":"high","Description":"The Custom Product Designer (tshirtecommerce) module for PrestaShop allows HTTP requests to be forged using POST and GET parameters, enabling a remote attacker to perform directory traversal on the system and view the contents of code files.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-27639.yaml"}
{"ID":"CVE-2023-27640","Info":{"Name":"PrestaShop tshirtecommerce - Directory Traversal","Severity":"high","Description":"The Custom Product Designer (tshirtecommerce) module for PrestaShop allows HTTP requests to be forged using POST and GET parameters, enabling a remote attacker to perform directory traversal on the system and view the contents of code files.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-27640.yaml"}
{"ID":"CVE-2023-2766","Info":{"Name":"Weaver OA 9.5 - Information Disclosure","Severity":"high","Description":"A vulnerability was found in Weaver OA 9.5 and classified as problematic. This issue affects some unknown processing of the file /building/backmgr/urlpage/mobileurl/configfile/jx2_config.ini. The manipulation leads to files or directories accessible. The attack may be initiated remotely.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-2766.yaml"}
{"ID":"CVE-2023-2779","Info":{"Name":"Super Socializer \u003c 7.13.52 - Cross-Site Scripting","Severity":"medium","Description":"The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-2779.yaml"}
{"ID":"CVE-2023-2780","Info":{"Name":"Mlflow \u003c2.3.1 - Local File Inclusion Bypass","Severity":"critical","Description":"Path Traversal: '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.3.1.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-2780.yaml"}
@ -2203,7 +2208,7 @@
{"ID":"CVE-2023-4169","Info":{"Name":"Ruijie RG-EW1200G Router - Password Reset","Severity":"high","Description":"A vulnerability was found in Ruijie RG-EW1200G 1.0(1)B1P5. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /api/sys/set_passwd of the component Administrator Password Handler. The manipulation leads to improper access controls. The attack can be launched remotely.\n","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2023/CVE-2023-4169.yaml"}
{"ID":"CVE-2023-4173","Info":{"Name":"mooSocial 3.1.8 - Reflected XSS","Severity":"medium","Description":"A vulnerability, which was classified as problematic, was found in mooSocial mooStore 3.1.6. Affected is an unknown function of the file /search/index.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-4173.yaml"}
{"ID":"CVE-2023-4174","Info":{"Name":"mooSocial 3.1.6 - Reflected Cross Site Scripting","Severity":"medium","Description":"A vulnerability has been found in mooSocial mooStore 3.1.6 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. The attack can be launched remotely.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-4174.yaml"}
{"ID":"CVE-2023-41763","Info":{"Name":"Skype for Business 2019 (SfB) - Blind Server-side Request Forgery","Severity":"medium","Description":"Skype Pre-Auth Server-side Request Forgery (SSRF) vulnerability\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-41763.yaml"}
{"ID":"CVE-2023-41763","Info":{"Name":"Skype for Business 2019 (SfB) - Blind Server-side Request Forgery","Severity":"medium","Description":"Skype Pre-Auth Server-side Request Forgery (SSRF) vulnerability\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-41763.yaml"}
{"ID":"CVE-2023-41892","Info":{"Name":"CraftCMS \u003c 4.4.15 - Unauthenticated Remote Code Execution","Severity":"critical","Description":"Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector leading to Remote Code Execution (RCE). Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-41892.yaml"}
{"ID":"CVE-2023-42343","Info":{"Name":"OpenCMS - Cross-Site Scripting","Severity":"medium","Description":"OpenCMS below 10.5.1 is vulnerable to Cross-Site Scripting vulnerability.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-42343.yaml"}
{"ID":"CVE-2023-42442","Info":{"Name":"JumpServer \u003e 3.6.4 - Information Disclosure","Severity":"medium","Description":"JumpServer is an open source bastion host and a professional operation and maintenance security audit system. Starting in version 3.0.0 and prior to versions 3.5.5 and 3.6.4, session replays can download without authentication. Session replays stored in S3, OSS, or other cloud storage are not affected. The api `/api/v1/terminal/sessions/` permission control is broken and can be accessed anonymously. SessionViewSet permission classes set to `[RBACPermission | IsSessionAssignee]`, relation is or, so any permission matched will be allowed. Versions 3.5.5 and 3.6.4 have a fix. After upgrading, visit the api `$HOST/api/v1/terminal/sessions/?limit=1`. The expected http response code is 401 (`not_authenticated`).\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-42442.yaml"}
@ -2225,15 +2230,20 @@
{"ID":"CVE-2023-46359","Info":{"Name":"cPH2 Charging Station v1.87.0 - OS Command Injection","Severity":"critical","Description":"An OS command injection vulnerability in Hardy Barth cPH2 Ladestation v1.87.0 and earlier, may allow an unauthenticated remote attacker to execute arbitrary commands on the system via a specifically crafted arguments passed to the connectivity check feature.\n","Classification":{"CVSSScore":"9.6"}},"file_path":"http/cves/2023/CVE-2023-46359.yaml"}
{"ID":"CVE-2023-46574","Info":{"Name":"TOTOLINK A3700R - Command Injection","Severity":"critical","Description":"An issue in TOTOLINK A3700R v.9.1.2u.6165_20211012 allows a remote attacker to execute arbitrary code via the FileName parameter of the UploadFirmwareFile function.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-46574.yaml"}
{"ID":"CVE-2023-46747","Info":{"Name":"F5 BIG-IP - Unauthenticated RCE via AJP Smuggling","Severity":"critical","Description":"CVE-2023-46747 is a critical severity authentication bypass vulnerability in F5 BIG-IP that could allow an unauthenticated attacker to achieve remote code execution (RCE). The vulnerability impacts the BIG-IP Configuration utility, also known as the TMUI, wherein arbitrary requests can bypass authentication. The vulnerability received a CVSSv3 score of 9.8.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-46747.yaml"}
{"ID":"CVE-2023-46805","Info":{"Name":"Ivanti ICS - Authentication Bypass","Severity":"high","Description":"An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.","Classification":{"CVSSScore":"8.2"}},"file_path":"http/cves/2023/CVE-2023-46805.yaml"}
{"ID":"CVE-2023-4714","Info":{"Name":"PlayTube 3.0.1 - Information Disclosure","Severity":"high","Description":"A vulnerability was found in PlayTube 3.0.1 and classified as problematic. This issue affects some unknown processing of the component Redirect Handler. The manipulation leads to information disclosure. The attack may be initiated remotely.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-4714.yaml"}
{"ID":"CVE-2023-47211","Info":{"Name":"ManageEngine OpManager - Directory Traversal","Severity":"high","Description":"A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability.\n","Classification":{"CVSSScore":"8.6"}},"file_path":"http/cves/2023/CVE-2023-47211.yaml"}
{"ID":"CVE-2023-47246","Info":{"Name":"SysAid Server - Remote Code Execution","Severity":"critical","Description":"In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-47246.yaml"}
{"ID":"CVE-2023-48023","Info":{"Name":"Anyscale Ray 2.6.3 and 2.8.0 - Server-Side Request Forgery","Severity":"high","Description":"The Ray Dashboard API is affected by a Server-Side Request Forgery (SSRF) vulnerability in the url parameter of the /log_proxy API endpoint. The API does not perform sufficient input validation within the affected parameter and any HTTP or HTTPS URLs are accepted as valid.\n","Classification":{"CVSSScore":"9.1"}},"file_path":"http/cves/2023/CVE-2023-48023.yaml"}
{"ID":"CVE-2023-49070","Info":{"Name":"Apache OFBiz \u003c 18.12.10 - Arbitrary Code Execution","Severity":"critical","Description":"Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-49070.yaml"}
{"ID":"CVE-2023-49103","Info":{"Name":"OwnCloud - Phpinfo Configuration","Severity":"high","Description":"An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-49103.yaml"}
{"ID":"CVE-2023-4966","Info":{"Name":"Citrix Bleed - Leaking Session Tokens","Severity":"high","Description":"Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA ?virtual?server.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-4966.yaml"}
{"ID":"CVE-2023-4974","Info":{"Name":"Academy LMS 6.2 - SQL Injection","Severity":"critical","Description":"A vulnerability was found in Academy LMS 6.2. It has been rated as critical. Affected by this issue is some unknown functionality of the file /academy/tutor/filter of the component GET Parameter Handler. The manipulation of the argument price_min/price_max leads to sql injection. The attack may be launched remotely. VDB-239750 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-4974.yaml"}
{"ID":"CVE-2023-50290","Info":{"Name":"Apache Solr - Host Environment Variables Leak via Metrics API","Severity":"high","Description":"Exposure of Sensitive Information to an Unauthorized Actor Vulnerability in Apache Solr.\nThe Solr Metrics API publishes all unprotected environment variables available to each Apache Solr instance. Users can specify which environment variables to hide, however, the default list is designed to work for known secret Java system properties. Environment variables cannot be strictly defined in Solr, like Java system properties can be, and may be set for the entire host,unlike Java system properties which are set per-Java-proccess.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-50290.yaml"}
{"ID":"CVE-2023-5074","Info":{"Name":"D-Link D-View 8 v2.0.1.28 - Authentication Bypass","Severity":"critical","Description":"Use of a static key to protect a JWT token used in user authentication can allow an for an authentication bypass in D-Link D-View 8 v2.0.1.28\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-5074.yaml"}
{"ID":"CVE-2023-50968","Info":{"Name":"Apache OFBiz \u003c 18.12.11 - Server Side Request Forgery","Severity":"high","Description":"Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version 18.12.11, which fixes this issue.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-50968.yaml"}
{"ID":"CVE-2023-51467","Info":{"Name":"Apache OFBiz \u003c 18.12.11 - Remote Code Execution","Severity":"critical","Description":"The vulnerability allows attackers to bypass authentication to achieve a simple Server-Side Request Forgery (SSRF)\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-51467.yaml"}
{"ID":"CVE-2023-50917","Info":{"Name":"MajorDoMo thumb.php - OS Command Injection","Severity":"critical","Description":"MajorDoMo (aka Major Domestic Module) before 0662e5e allows command execution via thumb.php shell metacharacters. NOTE: this is unrelated to the Majordomo mailing-list manager.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-50917.yaml"}
{"ID":"CVE-2023-50968","Info":{"Name":"Apache OFBiz \u003c 18.12.11 - Server Side Request Forgery","Severity":"high","Description":"Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version 18.12.11, which fixes this issue.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-50968.yaml"}
{"ID":"CVE-2023-51467","Info":{"Name":"Apache OFBiz \u003c 18.12.11 - Remote Code Execution","Severity":"critical","Description":"The vulnerability allows attackers to bypass authentication to achieve a simple Server-Side Request Forgery (SSRF)\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-51467.yaml"}
{"ID":"CVE-2023-5244","Info":{"Name":"Microweber \u003c V.2.0 - Cross-Site Scripting","Severity":"medium","Description":"Reflected Cross-Site Scripting Vulnerability in types GET parameter on the /editor_tools/rte_image_editor endpoint.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-5244.yaml"}
{"ID":"CVE-2023-5360","Info":{"Name":"WordPress Royal Elementor Addons Plugin \u003c= 1.3.78 - Arbitrary File Upload","Severity":"critical","Description":"Arbitrary File Upload vulnerability in WordPress Royal Elementor Addons Plugin. This could allow a malicious actor to upload any type of file to your website. This can include backdoors which are then executed to gain further access to your website. This vulnerability has been fixed in version 1.3.79\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-5360.yaml"}
{"ID":"CVE-2023-5375","Info":{"Name":"Mosparo \u003c 1.0.2 - Open Redirect","Severity":"medium","Description":"Open Redirect in GitHub repository mosparo/mosparo prior to 1.0.2.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-5375.yaml"}
@ -2241,12 +2251,19 @@
{"ID":"CVE-2023-6018","Info":{"Name":"Mlflow - Arbitrary File Write","Severity":"critical","Description":"An attacker can overwrite any file on the server hosting MLflow without any authentication.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6018.yaml"}
{"ID":"CVE-2023-6020","Info":{"Name":"Ray Static File - Local File Inclusion","Severity":"high","Description":"LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-6020.yaml"}
{"ID":"CVE-2023-6021","Info":{"Name":"Ray API - Local File Inclusion","Severity":"high","Description":"LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-6021.yaml"}
{"ID":"CVE-2023-6023","Info":{"Name":"VertaAI ModelDB - Path Traversal","Severity":"high","Description":"The endpoint \"/api/v1/artifact/getArtifact?artifact_path=\" is vulnerable to path traversal. The main cause of this vulnerability is due to the lack of validation and sanitization of the artifact_path parameter.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-6023.yaml"}
{"ID":"CVE-2023-6038","Info":{"Name":"H2O ImportFiles - Local File Inclusion","Severity":"high","Description":"An attacker is able to read any file on the server hosting the H2O dashboard without any authentication.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-6038.yaml"}
{"ID":"CVE-2023-6063","Info":{"Name":"WP Fastest Cache 1.2.2 - Unauthenticated SQL Injection","Severity":"high","Description":"The WP Fastest Cache WordPress plugin before 1.2.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-6063.yaml"}
{"ID":"CVE-2023-6379","Info":{"Name":"OpenCMS 14 \u0026 15 - Cross Site Scripting","Severity":"medium","Description":"Cross-site scripting (XSS) vulnerability in Alkacon Software Open CMS, affecting versions 14 and 15 of the 'Mercury' template.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-6379.yaml"}
{"ID":"CVE-2023-6380","Info":{"Name":"OpenCms 14 \u0026 15 - Open Redirect","Severity":"medium","Description":"Open redirect vulnerability has been found in the Open CMS product affecting versions 14 and 15 of the 'Mercury' template\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-6380.yaml"}
{"ID":"CVE-2023-6553","Info":{"Name":"Worpress Backup Migration \u003c= 1.3.7 - Unauthenticated Remote Code Execution","Severity":"critical","Description":"The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated threat actors to easily execute code on the server.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6553.yaml"}
{"ID":"CVE-2023-6623","Info":{"Name":"Essential Blocks \u003c 4.4.3 - Local File Inclusion","Severity":"critical","Description":"Wordpress Essential Blocks plugin prior to 4.4.3 was discovered to be vulnerable to a significant Local File Inclusion vulnerability that may be exploited by any attacker, regardless of whether they have an account on the site.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-6623.yaml"}
{"ID":"CVE-2023-6634","Info":{"Name":"LearnPress \u003c 4.2.5.8 - Remote Code Execution","Severity":"high","Description":"The LearnPress plugin for WordPress is vulnerable to Command Injection in all versions up to, and including, 4.2.5.7 via the get_content function. This is due to the plugin making use of the call_user_func function with user input. This makes it possible for unauthenticated attackers to execute any public function with one parameter, which could result in remote code execution.\n","Classification":{"CVSSScore":"8.1"}},"file_path":"http/cves/2023/CVE-2023-6634.yaml"}
{"ID":"CVE-2023-6875","Info":{"Name":"WordPress POST SMTP Mailer \u003c= 2.8.7 - Authorization Bypass","Severity":"critical","Description":"The POST SMTP Mailer Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-6875.yaml"}
{"ID":"CVE-2023-7028","Info":{"Name":"GitLab - Account Takeover via Password Reset","Severity":"critical","Description":"An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.\n","Classification":{"CVSSScore":"10"}},"file_path":"http/cves/2023/CVE-2023-7028.yaml"}
{"ID":"CVE-2024-0204","Info":{"Name":"Fortra GoAnywhere MFT - Authentication Bypass","Severity":"critical","Description":"Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-0204.yaml"}
{"ID":"CVE-2024-0352","Info":{"Name":"Likeshop \u003c 2.5.7.20210311 - Arbitrary File Upload","Severity":"high","Description":"A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler. The manipulation of the argument file with an unknown input leads to a unrestricted upload vulnerability. The CWE definition for the vulnerability is CWE-434\n","Classification":{"CVSSScore":"7.3"}},"file_path":"http/cves/2024/CVE-2024-0352.yaml"}
{"ID":"CVE-2024-21887","Info":{"Name":"Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) - Command Injection","Severity":"critical","Description":"A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.","Classification":{"CVSSScore":"9.1"}},"file_path":"http/cves/2024/CVE-2024-21887.yaml"}
{"ID":"CVE-2001-1473","Info":{"Name":"Deprecated SSHv1 Protocol Detection","Severity":"high","Description":"SSHv1 is deprecated and has known cryptographic issues.","Classification":{"CVSSScore":"7.5"}},"file_path":"network/cves/2001/CVE-2001-1473.yaml"}
{"ID":"CVE-2011-2523","Info":{"Name":"VSFTPD 2.3.4 - Backdoor Command Execution","Severity":"critical","Description":"VSFTPD v2.3.4 had a serious backdoor vulnerability allowing attackers to execute arbitrary commands on the server with root-level access. The backdoor was triggered by a specific string of characters in a user login request, which allowed attackers to execute any command they wanted.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"network/cves/2011/CVE-2011-2523.yaml"}
{"ID":"CVE-2015-3306","Info":{"Name":"ProFTPd - Remote Code Execution","Severity":"critical","Description":"ProFTPD 1.3.5 contains a remote code execution vulnerability via the mod_copy module which allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.","Classification":{"CVSSScore":"10"}},"file_path":"network/cves/2015/CVE-2015-3306.yaml"}


@ -1 +1 @@
a998cd2b3adce2edceb6de0fdac96f95
c95ebe1b9b7034e3fe834994f5aaf6ba

68
dns/dns-rebinding.yaml Normal file

@ -0,0 +1,68 @@
id: dns-rebinding
info:
name: DNS Rebinding Attack
author: ricardomaia
severity: high
description: |
Detects DNS Rebinding attacks by checking if the DNS response contains a private IPv4 or IPv6 address.
reference:
- https://capec.mitre.org/data/definitions/275.html
- https://payatu.com/blog/dns-rebinding/
- https://heimdalsecurity.com/blog/dns-rebinding/
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 8.6
cwe-id: CWE-350
metadata:
verified: true
tags: redirect,dns,network
dns:
- name: "{{FQDN}}"
type: A
matchers:
# IPv4
- type: regex
part: answer
regex:
- 'IN.*A.*(127\.0\.0\.1|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})$'
extractors:
- type: regex
part: answer
name: IPv4
group: 1
regex:
- 'IN.*A.*(127\.0\.0\.1|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})'
- name: "{{FQDN}}"
type: AAAA
matchers:
# IPv6 Compressed
- type: regex
part: answer
regex:
- "IN.+A.+(fd([0-9a-fA-F]{2}):([0-9a-fA-F]{0,4}:){0,5}(:[0-9a-fA-F]{0,4}){1,2}(:)?)$"
# IPv6
- type: regex
part: answer
regex:
- "IN.+A.+(fd([0-9a-fA-F]{2}):([0-9a-fA-F]{1,4}:){0,5}([0-9a-fA-F]{1,4}:){1,2}[0-9a-fA-F]{1,4})$"
extractors:
- type: regex
part: answer
name: IPv6_Compressed
group: 1
regex:
- "IN.+A.+(fd([0-9a-fA-F]{2}):([0-9a-fA-F]{0,4}:){0,5}(:[0-9a-fA-F]{0,4}){1,2}(:)?)$"
- type: regex
part: answer
name: IPv6
group: 1
regex:
- "IN.+A.+(fd([0-9a-fA-F]{2}):([0-9a-fA-F]{1,4}:){0,5}([0-9a-fA-F]{1,4}:){1,2}[0-9a-fA-F]{1,4})$"
# digest: 4b0a00483046022100f0a55cef522de3cb3a67f445e11a1b53bc3996d393ae8dca6c8a294d3ef4ee7d022100fd80879dba0c5289969d7e5d21abfbc3af1783c77a6d8e3dd23ce740c69bc309:922c64590222798bb761d5b6d8e72950
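Review bot: The IPv4 matcher regex on the A-record entry has no boundary before the capture group, so the greedy `.*` lets a public address such as 210.45.1.2 or 110.8.8.8 satisfy the `10\.` alternative and raise a false positive; the IPv4 extractor a few lines below has the same gap and additionally lacks the `$` anchor the matcher uses, so the two can disagree on the same answer. Anchoring on whitespace fixes both, e.g. `- 'IN\s+A\s+(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})$'`, which also widens loopback from the single 127.0.0.1 to 127.0.0.0/8. Link-local 169.254.0.0/16 and 0.0.0.0 are not covered on the A side, and the AAAA matchers only cover fd00::/8 rather than the whole fc00::/7 ULA range, fe80::/10 or ::1, so rebinding to those ranges goes undetected. Depending on how the `answer` part is rendered, the trailing `$` may also mean a private address in any record other than the last one is missed, which is worth confirming against a multi-record response. Since the matcher and extractor regexes are meant to be identical, a one-line comment above the extractors saying `# keep in sync with the matcher regex above` would help prevent them drifting apart.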


@ -20,7 +20,7 @@ info:
cve-id: CVE-2018-25031
cwe-id: CWE-20
epss-score: 0.00265
epss-percentile: 0.63947
epss-percentile: 0.64105
cpe: cpe:2.3:a:smartbear:swagger_ui:*:*:*:*:*:*:*:*
metadata:
verified: true
@ -71,4 +71,4 @@ headless:
words:
- "swagger"
case-insensitive: true
# digest: 4b0a00483046022100d805a655b1da7c4ffb5a6cf0d1ff3a10547b6e0a4e755f0a6cb104d48ee11057022100a2b518e4335e2691b470df2630c3a2fb69f0f6b5de042d71b0783a51206b4382:922c64590222798bb761d5b6d8e72950
# digest: 4a0a0047304502201d2c4f6c99e19c9617e208cc65e4ae8878b1e0f78ce754fde797ab2423024ecd0221008225ba508361199dec70fec6b61799973fd1fc7ba83eaab4f46e4893b3de62a9:922c64590222798bb761d5b6d8e72950


@ -1 +1 @@
2.7.32
2.7.33


@ -1 +1 @@
1.11.9
1.11.10


@ -1 +1 @@
6.2.3
6.2.4
