Commit

20240914
actions-user committed Sep 14, 2024
1 parent afda931 commit 3254da2
Showing 247 changed files with 8,635 additions and 586 deletions.
2 changes: 1 addition & 1 deletion date.txt
Original file line number Diff line number Diff line change
@@ -1 +1 @@
20240913
20240914
199 changes: 199 additions & 0 deletions poc.txt

Large diffs are not rendered by default.

42 changes: 21 additions & 21 deletions poc/adobe/servudaemon-ini.yaml
@@ -1,21 +1,21 @@
id: servudaemon-ini

info:
name: servudaemon-ini
author: NoRed0x
severity: high
description: This Nuclei template checks for sensitive data disclosure vulnerabilities at the servudaemon.ini file
tags: config, secrets, leaks

requests:
- method: GET
path:
- '{{BaseURL}}/servudaemon.ini'
stop-at-first-match: true
matchers:
- type: word
part: body
words:
- 'LocalSetupPassword'
- '[GLOBAL]'
- 'LogFileSystemMes'
id: servudaemon-ini

info:
name: servudaemon-ini
author: NoRed0x
severity: high
description: This Nuclei template checks for sensitive data disclosure vulnerabilities at the servudaemon.ini file
tags: config, secrets, leaks

requests:
- method: GET
path:
- '{{BaseURL}}/servudaemon.ini'
stop-at-first-match: true
matchers:
- type: word
part: body
words:
- 'LocalSetupPassword'
- '[GLOBAL]'
- 'LogFileSystemMes'
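Review bot: The `words` list under the `word` matcher has no `condition: and`, so a body containing any one of `LocalSetupPassword`, `[GLOBAL]` or `LogFileSystemMes` is a hit, and there is no status matcher. `[GLOBAL]` on its own is a generic INI section header, so any response containing that string is reported as a high-severity disclosure. Suggest `condition: and` on the words plus a `status: 200` matcher. `stop-at-first-match: true` has no effect with a single path. The old and new sides of this hunk also read identically as rendered here, so the 21/21 change looks like whitespace or line endings only; worth confirming that is intended.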
50 changes: 25 additions & 25 deletions poc/auth/Devias-kit-register.yaml
@@ -1,25 +1,25 @@
id: Devias-kit-register

info:
name: Devias-kit-register
author: 111xnagashy
description: registeration is opened for admin dashboard for Devias Kit PRO v6.1.0
severity: critical
tags: register ,critical ,admin ,dashboard

requests:
- method: GET
path:
- "{{BaseURL}}/auth/jwt/register"
- "{{BaseURL}}/auth-demo/register/classic"
- "{{BaseURL}}/auth-demo/register/modern"
redirects: false
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Terms and Conditions"
- type: status
status:
- 200
id: Devias-kit-register

info:
name: Devias-kit-register
author: 111xnagashy
description: registeration is opened for admin dashboard for Devias Kit PRO v6.1.0
severity: critical
tags: register ,critical ,admin ,dashboard

requests:
- method: GET
path:
- "{{BaseURL}}/auth/jwt/register"
- "{{BaseURL}}/auth-demo/register/classic"
- "{{BaseURL}}/auth-demo/register/modern"
redirects: false
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Terms and Conditions"
- type: status
status:
- 200
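Review bot: The body matcher `"Terms and Conditions"` together with status 200 is all that backs `severity: critical`. That phrase is common on sign-up pages in general, so any application answering 200 on one of the three register paths with that text is reported as an open Devias Kit admin registration. Suggest adding a product-specific string under the existing `matchers-condition: and`, or lowering the severity. Minor: `registeration` in the description is a typo, and the tags are written with a space before each comma (`register ,critical ,admin ,dashboard`). Both sides of the hunk read identically as rendered here.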
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
id: login-with-phone-number-aea0c3c842fc83ee23cca8b6e9587f2e

info:
name: >
Login with phone number <= 1.7.49 - Authenticated (Subscriber+) Authorization Bypass to Privilege Escalation
author: topscoder
severity: low
description: >
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/de7cde2c-142c-4004-9302-be335265d87d?source=api-scan
classification:
cvss-metrics:
cvss-score:
cve-id:
metadata:
fofa-query: "wp-content/plugins/login-with-phone-number/"
google-query: inurl:"/wp-content/plugins/login-with-phone-number/"
shodan-query: 'vuln:'
tags: cve,wordpress,wp-plugin,login-with-phone-number,low

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/login-with-phone-number/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "login-with-phone-number"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 1.7.49')
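Review bot: In `info`, `description: >` is empty, `cvss-metrics`, `cvss-score` and `cve-id` are blank, and `shodan-query: 'vuln:'` has nothing after the colon, yet the tags include `cve`. Either fill these from the referenced Wordfence entry or drop the `cve` tag and the shodan query until an identifier exists. `severity: low` also deserves a second look, given that the name describes an authorization bypass leading to privilege escalation from Subscriber level.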
59 changes: 59 additions & 0 deletions poc/backup/backuply-253411f9e6deece69610e01c03a5fe30.yaml
@@ -0,0 +1,59 @@
id: backuply-253411f9e6deece69610e01c03a5fe30

info:
name: >
Backuply – Backup, Restore, Migrate and Clone <= 1.3.4 - Authenticated (Admin+) SQL Injection
author: topscoder
severity: low
description: >
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6a061553-c988-4a31-a0a2-7a2608faa33f?source=api-scan
classification:
cvss-metrics:
cvss-score:
cve-id:
metadata:
fofa-query: "wp-content/plugins/backuply/"
google-query: inurl:"/wp-content/plugins/backuply/"
shodan-query: 'vuln:'
tags: cve,wordpress,wp-plugin,backuply,low

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/backuply/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "backuply"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 1.3.4')
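Review bot: The only evidence this template collects is `Stable tag` in readme.txt. The regex `(?mi)Stable tag: ([0-9.]+)` extracts nothing when a readme declares `Stable tag: trunk`, so `compare_versions(version, '<= 1.3.4')` has no `version` to compare and such installs are silently missed; when it does match, it shows the advertised version, not that the Admin+ SQL injection is reachable. The empty `description: >` is the place to state that this is a version-based check. The `classification` fields and `shodan-query: 'vuln:'` are also blank while the tags include `cve`.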
59 changes: 59 additions & 0 deletions poc/cve/CVE-2022-2446.yaml
@@ -0,0 +1,59 @@
id: CVE-2022-2446

info:
name: >
WP Editor <= 1.2.9 - Authenticated (Admin+) PHAR Deserialization
author: topscoder
severity: low
description: >
The WP Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'current_theme_root' parameter in versions up to, and including 1.2.9. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f3555702-4427-4569-8fd6-f84113593e9d?source=api-prod
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
cve-id: CVE-2022-2446
metadata:
fofa-query: "wp-content/plugins/wp-editor/"
google-query: inurl:"/wp-content/plugins/wp-editor/"
shodan-query: 'vuln:CVE-2022-2446'
tags: cve,wordpress,wp-plugin,wp-editor,low

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/wp-editor/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "wp-editor"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 1.2.9')
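Review bot: `severity: low` and the `low` tag disagree with the classification in the same `info` block, `cvss-score: 7.2` with `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H`; CVSS 3.1 rates 7.2 as High. If the downgrade is deliberate because of `PR:H`, say so in the description; otherwise set `severity: high` and update the tag so severity-based filtering does not hide this result.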
59 changes: 59 additions & 0 deletions poc/cve/CVE-2022-3459-f874164b02061f0298b7dc031fdb9eac.yaml
@@ -0,0 +1,59 @@
id: CVE-2022-3459-f874164b02061f0298b7dc031fdb9eac

info:
name: >
WooCommerce Multiple Free Gift <= 1.2.3 - Insufficient Server-Side Validation to Arbitrary Gift Adding
author: topscoder
severity: medium
description: >
The WooCommerce Multiple Free Gift plugin for WordPress is vulnerable to gift manipulation in all versions up to, and including, 1.2.3. This is due to plugin not enforcing server-side checks on the products that can be added as a gift. This makes it possible for unauthenticated attackers to add non-gift items to their cart as a gift.
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/cdb9c321-1a2c-4593-9947-2071a908ee1c?source=api-prod
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
cvss-score: 5.3
cve-id: CVE-2022-3459
metadata:
fofa-query: "wp-content/plugins/woocommerce-multiple-free-gift/"
google-query: inurl:"/wp-content/plugins/woocommerce-multiple-free-gift/"
shodan-query: 'vuln:CVE-2022-3459'
tags: cve,wordpress,wp-plugin,woocommerce-multiple-free-gift,medium

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/woocommerce-multiple-free-gift/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "woocommerce-multiple-free-gift"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 1.2.3')
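Review bot: The `word` matcher requires the slug `woocommerce-multiple-free-gift` in the body of readme.txt, but a plugin readme may carry only the display name, in which case the `and` condition fails even when `Stable tag` is `<= 1.2.3`. Since the request path already pins the plugin directory, consider matching on `Stable tag:` or the display name instead. The `id` and file name also carry a hash suffix (`CVE-2022-3459-f874164b02061f0298b7dc031fdb9eac`), unlike `CVE-2022-2446` added in the same directory; pick one naming scheme so the same CVE cannot end up with two templates.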