From 3869bbc4325bbe3bfebb722d5b8e38faed15c156 Mon Sep 17 00:00:00 2001
From: Mehran Seifalinia <70560051+Mehran-Seifalinia@users.noreply.github.com>
Date: Tue, 1 Aug 2023 21:07:59 +0330
Subject: [PATCH 1/5] CVE-2023-37979.yaml
This template is designed to validate the version of Ninja Forms in WordPress plugins. If the version is 3.6.25 or lower, it becomes vulnerable to this specific CVE (Common Vulnerabilities and Exposures).
---
http/cves/2023/CVE-2023-37979.yaml | 48 ++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 http/cves/2023/CVE-2023-37979.yaml
diff --git a/http/cves/2023/CVE-2023-37979.yaml b/http/cves/2023/CVE-2023-37979.yaml
new file mode 100644
index 0000000000..5883e6c1aa
--- /dev/null
+++ b/http/cves/2023/CVE-2023-37979.yaml
@@ -0,0 +1,48 @@
+id: CVE-2023-37979
+
+info:
+ name: Ninja Forms <= 3.6.25 - Reflected XSS (Authenticated)
+ author: Mehran Seifalinia
+ severity: medium
+ description: |
+ The Ninja Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in versions up to, and including, 3.6.25. This vulnerability requires an authenticated user to exploit. Attackers can abuse the 'data' parameter with insufficient input sanitization and output escaping, allowing them to inject arbitrary web scripts that execute when an authenticated user, logged in to WordPress, performs certain actions, such as clicking on a link. Successful exploitation could lead to session hijacking, phishing attacks, or other malicious activities.
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2023-37979
+ metadata:
+ fofa-query: "wp-content/plugins/ninja-forms/"
+ google-query: inurl:"/wp-content/plugins/ninja-forms/"
+ shodan-query: 'vuln:CVE-2023-37979'
+ tags: cve, wordpress, wp-plugin, ninja-forms, medium, xss
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 2
+ path:
+ - "{{BaseURL}}/wp-content/plugins/ninja-forms/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?m)Stable tag:\\s*([\\d.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "ninja-forms"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.6.25')
\ No newline at end of file
From 0cc5a83e13a8daf68e9af67c344714fb6b858ca7 Mon Sep 17 00:00:00 2001
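Review bot: The `info` block carries no `reference:` list and `classification` has no `cwe-id`, while the other template touched in this series (python-scanner.yaml) does keep a `reference:` list; a detection that fires on a readme version number alone should point the reader at the advisory it encodes. Add `cwe-id: CWE-79` under `classification:` and a `reference:` list under `info:` (advisory URL: placeholder, to be taken from the source the author used). The `words` matcher on `"ninja-forms"` is case-sensitive, so confirm that slug appears verbatim in readme.txt rather than only as `Ninja Forms`; if it does not, the `and` chain never fires, and `case-insensitive: true` on that matcher avoids the silent miss. Because the DSL check is `compare_versions(version, '<= 3.6.25')` with nothing else, a positive result means only "installed version is at or below 3.6.25", not that the reflected parameter is reachable without credentials — the description says authentication is required, and the `name` should keep saying so. The file also ends without a trailing newline (`\ No newline at end of file`).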
From: Mehran Seifalinia <70560051+Mehran-Seifalinia@users.noreply.github.com> Date: Fri, 4 Aug 2023 12:57:44 +0330 Subject: [PATCH 2/5] Update python-scanner.yaml - Added new regex for code injection: 'execfile'. - Added new regex for command injection: 'subprocess.run', 'commands.getoutput'. Modified 'os.popen' regex for better detection. - Added new regex for untrusted source: 'marshal.loads', 'pickle.Unpickler'. - Modified 'dangerous-yaml' regex to include 'yaml.safe_load'. - Added new regex in 'sqli' for various database execute functions. --- file/python/python-scanner.yaml | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/file/python/python-scanner.yaml b/file/python/python-scanner.yaml index 8efec98d89..4debdc68b3 100644 --- a/file/python/python-scanner.yaml +++ b/file/python/python-scanner.yaml @@ -4,7 +4,7 @@ info: name: Python Scanner author: majidmc2 severity: info - description: Indicators for dangerous Python functions + description: Nuclei template to detect potentially dangerous Python functions in Python files. The template checks for functions that could lead to code injection, command injection, loading untrusted data, and SQL injection vulnerabilities. reference: - https://www.kevinlondon.com/2015/07/26/dangerous-python-functions.html - https://www.kevinlondon.com/2015/08/15/dangerous-python-functions-pt2.html 
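Review bot: The new `description:` is one plain scalar well past 120 characters, which the file's other `info` values avoid; a folded block keeps it readable and diffable, e.g. `description: >-` followed by the same text wrapped on indented lines. "Nuclei template to detect" is redundant inside a nuclei template — starting with `Detects potentially dangerous Python functions in Python files.` and keeping the second sentence as-is says the same with less noise.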
@@ -21,26 +21,38 @@ file: - 'exec' - 'eval' - '__import__' - + - 'execfile' + - type: regex name: command-injection regex: - 'subprocess.call\(.*shell=True.*\)' - 'os.system' - - 'os.popen' + - 'os.popen\d?' + - 'subprocess.run' + - 'commands.getoutput' - type: regex name: untrusted-source regex: - - 'pickle.loads' - - 'cPickle.loads' + - 'pickle\.loads' + - 'c?Pickle\.loads?' + - 'marshal\.loads' + - 'pickle\.Unpickler - type: regex name: dangerous-yaml regex: - - 'yaml.load' + regex: + - 'yaml\.load' + - 'yaml\.safe_load' - type: regex name: sqli regex: - - 'cursor.execute' \ No newline at end of file + regex: + - 'cursor\.execute' + - 'sqlite3\.execute' + - 'MySQLdb\.execute' + - 'psycopg2\.execute' + - 'cx_Oracle\.execute' From 97baa89b58ecbd0710e94223b66c6d7f1685c401 Mon Sep 17 00:00:00 2001 From: Mehran Seifalinia <70560051+Mehran-Seifalinia@users.noreply.github.com> Date: Fri, 4 Aug 2023 12:59:31 +0330 Subject: [PATCH 3/5] Update python-scanner.yaml - Fix minor syntax in last update --- file/python/python-scanner.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/file/python/python-scanner.yaml b/file/python/python-scanner.yaml index 4debdc68b3..db43d2e081 100644 --- a/file/python/python-scanner.yaml +++ b/file/python/python-scanner.yaml @@ -38,19 +38,17 @@ file: - 'pickle\.loads' - 'c?Pickle\.loads?' - 'marshal\.loads' - - 'pickle\.Unpickler + - 'pickle\.Unpickler' - type: regex name: dangerous-yaml regex: - regex: - 'yaml\.load' - 'yaml\.safe_load' - type: regex name: sqli regex: - regex: - 'cursor\.execute' - 'sqlite3\.execute' - 'MySQLdb\.execute' From a4c00b41307242f91f10d8959581177c94022237 Mon Sep 17 00:00:00 2001 
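Review bot: `yaml\.safe_load` does not belong under the `dangerous-yaml` name: `yaml.safe_load` is the loader that rejects the language-specific tags that make `yaml.load` unsafe, so listing it turns every correctly written call into a finding and buries the real `yaml.load` hits; patch 3 of this series fixes the duplicated `regex:` keys but keeps this line. The four new `sqli` entries (`sqlite3\.execute`, `MySQLdb\.execute`, `psycopg2\.execute`, `cx_Oracle\.execute`) match a call shape those libraries do not expose — in all of them `execute` is a method on a connection or cursor object, not a module-level function — so they never fire, and one pattern on the method call, `'\.execute(many)?\('`, covers every driver. Dot-escaping is also inconsistent inside the hunk: `untrusted-source` escapes `\.` while `command-injection` adds `subprocess.run` and `commands.getoutput` unescaped and keeps `os.system`, and `c?Pickle\.loads?` accepts `Pickle.load`, which no module provides. The rewritten lists below make the escaping uniform, drop the entries that cannot match, and widen the pickle/marshal patterns to the equally unsafe `load`.

```yaml
      - type: regex
        name: command-injection
        regex:
          - 'subprocess\.call\(.*shell=True.*\)'
          - 'os\.system'
          - 'os\.popen\d?'
          - 'subprocess\.run'
          - 'commands\.getoutput'

      - type: regex
        name: untrusted-source
        regex:
          - 'pickle\.loads?'
          - 'cPickle\.loads?'
          - 'marshal\.loads?'
          - 'pickle\.Unpickler'

      - type: regex
        name: dangerous-yaml
        regex:
          - 'yaml\.load'

      - type: regex
        name: sqli
        regex:
          - '\.execute(many)?\('
```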
From: Mehran Seifalinia <70560051+Mehran-Seifalinia@users.noreply.github.com>
Date: Fri, 4 Aug 2023 13:12:15 +0330
Subject: [PATCH 4/5] Delete CVE-2023-37979.yaml
Is not accepted.
---
http/cves/2023/CVE-2023-37979.yaml | 48 ------------------------------
1 file changed, 48 deletions(-)
delete mode 100644 http/cves/2023/CVE-2023-37979.yaml
diff --git a/http/cves/2023/CVE-2023-37979.yaml b/http/cves/2023/CVE-2023-37979.yaml
deleted file mode 100644
index 5883e6c1aa..0000000000
--- a/http/cves/2023/CVE-2023-37979.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-id: CVE-2023-37979
-
-info:
- name: Ninja Forms <= 3.6.25 - Reflected XSS (Authenticated)
- author: Mehran Seifalinia
- severity: medium
- description: |
- The Ninja Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in versions up to, and including, 3.6.25. This vulnerability requires an authenticated user to exploit. Attackers can abuse the 'data' parameter with insufficient input sanitization and output escaping, allowing them to inject arbitrary web scripts that execute when an authenticated user, logged in to WordPress, performs certain actions, such as clicking on a link. Successful exploitation could lead to session hijacking, phishing attacks, or other malicious activities.
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.1
- cve-id: CVE-2023-37979
- metadata:
- fofa-query: "wp-content/plugins/ninja-forms/"
- google-query: inurl:"/wp-content/plugins/ninja-forms/"
- shodan-query: 'vuln:CVE-2023-37979'
- tags: cve, wordpress, wp-plugin, ninja-forms, medium, xss
-
-http:
- - method: GET
- redirects: true
- max-redirects: 2
- path:
- - "{{BaseURL}}/wp-content/plugins/ninja-forms/readme.txt"
-
- extractors:
- - type: regex
- name: version
- part: body
- group: 1
- internal: true
- regex:
- - "(?m)Stable tag:\\s*([\\d.]+)"
-
- matchers-condition: and
- matchers:
- - type: status
- status:
- - 200
-
- - type: word
- words:
- - "ninja-forms"
- part: body
-
- - type: dsl
- dsl:
- - compare_versions(version, '<= 3.6.25')
\ No newline at end of file
From 36be5350b96dd2dd6dce15fd1a96d86784e9f556 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Fri, 4 Aug 2023 16:50:30 +0530
Subject: [PATCH 5/5] fix-template
---
file/python/python-scanner.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/file/python/python-scanner.yaml b/file/python/python-scanner.yaml
index db43d2e081..75665a1e64 100644
--- a/file/python/python-scanner.yaml
+++ b/file/python/python-scanner.yaml @@ -22,7 +22,7 @@ file: - 'eval' - '__import__' - 'execfile' - + - type: regex name: command-injection regex: