Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
1 parent afda931, commit 3254da2
Showing 247 changed files with 8,635 additions and 586 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1 @@ | ||
20240913 | ||
20240914 |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,21 +1,21 @@ | ||
id: servudaemon-ini | ||
|
||
info: | ||
name: servudaemon-ini | ||
author: NoRed0x | ||
severity: high | ||
description: This Nuclei template checks for sensitive data disclosure vulnerabilities at the servudaemon.ini file | ||
tags: config, secrets, leaks | ||
|
||
requests: | ||
- method: GET | ||
path: | ||
- '{{BaseURL}}/servudaemon.ini' | ||
stop-at-first-match: true | ||
matchers: | ||
- type: word | ||
part: body | ||
words: | ||
- 'LocalSetupPassword' | ||
- '[GLOBAL]' | ||
- 'LogFileSystemMes' | ||
id: servudaemon-ini | ||
|
||
info: | ||
name: servudaemon-ini | ||
author: NoRed0x | ||
severity: high | ||
description: This Nuclei template checks for sensitive data disclosure vulnerabilities at the servudaemon.ini file | ||
tags: config, secrets, leaks | ||
|
||
requests: | ||
- method: GET | ||
path: | ||
- '{{BaseURL}}/servudaemon.ini' | ||
stop-at-first-match: true | ||
matchers: | ||
- type: word | ||
part: body | ||
words: | ||
- 'LocalSetupPassword' | ||
- '[GLOBAL]' | ||
- 'LogFileSystemMes' |
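Review bot: the `words` list under `matchers` has no `condition: and`, so Nuclei's default OR applies and a response body that contains only `[GLOBAL]` is reported as a `severity: high` leak. Require all three markers with `condition: and` and add a `status` matcher for 200 so that a generic page cannot satisfy the template. The removed and added sides of this hunk are identical as rendered, which suggests whitespace or line-ending churn; worth confirming that was the intent.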
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,25 +1,25 @@ | ||
id: Devias-kit-register | ||
|
||
info: | ||
name: Devias-kit-register | ||
author: 111xnagashy | ||
description: registeration is opened for admin dashboard for Devias Kit PRO v6.1.0 | ||
severity: critical | ||
tags: register ,critical ,admin ,dashboard | ||
|
||
requests: | ||
- method: GET | ||
path: | ||
- "{{BaseURL}}/auth/jwt/register" | ||
- "{{BaseURL}}/auth-demo/register/classic" | ||
- "{{BaseURL}}/auth-demo/register/modern" | ||
redirects: false | ||
matchers-condition: and | ||
matchers: | ||
- type: word | ||
part: body | ||
words: | ||
- "Terms and Conditions" | ||
- type: status | ||
status: | ||
- 200 | ||
id: Devias-kit-register | ||
|
||
info: | ||
name: Devias-kit-register | ||
author: 111xnagashy | ||
description: registeration is opened for admin dashboard for Devias Kit PRO v6.1.0 | ||
severity: critical | ||
tags: register ,critical ,admin ,dashboard | ||
|
||
requests: | ||
- method: GET | ||
path: | ||
- "{{BaseURL}}/auth/jwt/register" | ||
- "{{BaseURL}}/auth-demo/register/classic" | ||
- "{{BaseURL}}/auth-demo/register/modern" | ||
redirects: false | ||
matchers-condition: and | ||
matchers: | ||
- type: word | ||
part: body | ||
words: | ||
- "Terms and Conditions" | ||
- type: status | ||
status: | ||
- 200 |
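Review bot: the word matcher `- "Terms and Conditions"` is the only content check, and together with `status: 200` it fires on any page at these three paths that carries that phrase, which is thin evidence for `severity: critical`. A reachable register form, including the kit's own `auth-demo` pages, does not show that an admin account can be created; match on markup specific to the registration form and set the severity to what the check actually proves. The line `tags: register ,critical ,admin ,dashboard` has stray spaces before the commas, and the removed and added sides of the hunk are identical as rendered.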
59 changes: 59 additions & 0 deletions
poc/auth/login-with-phone-number-aea0c3c842fc83ee23cca8b6e9587f2e.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
id: login-with-phone-number-aea0c3c842fc83ee23cca8b6e9587f2e | ||
|
||
info: | ||
name: > | ||
Login with phone number <= 1.7.49 - Authenticated (Subscriber+) Authorization Bypass to Privilege Escalation | ||
author: topscoder | ||
severity: low | ||
description: > | ||
reference: | ||
- https://github.com/topscoder/nuclei-wordfence-cve | ||
- https://www.wordfence.com/threat-intel/vulnerabilities/id/de7cde2c-142c-4004-9302-be335265d87d?source=api-scan | ||
classification: | ||
cvss-metrics: | ||
cvss-score: | ||
cve-id: | ||
metadata: | ||
fofa-query: "wp-content/plugins/login-with-phone-number/" | ||
google-query: inurl:"/wp-content/plugins/login-with-phone-number/" | ||
shodan-query: 'vuln:' | ||
tags: cve,wordpress,wp-plugin,login-with-phone-number,low | ||
|
||
http: | ||
- method: GET | ||
redirects: true | ||
max-redirects: 3 | ||
path: | ||
- "{{BaseURL}}/wp-content/plugins/login-with-phone-number/readme.txt" | ||
|
||
extractors: | ||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
internal: true | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: status | ||
status: | ||
- 200 | ||
|
||
- type: word | ||
words: | ||
- "login-with-phone-number" | ||
part: body | ||
|
||
- type: dsl | ||
dsl: | ||
- compare_versions(version, '<= 1.7.49') |
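Review bot: in `info`, `description: >` is empty, `cvss-metrics`, `cvss-score` and `cve-id` carry no values, and `shodan-query: 'vuln:'` has nothing after the colon, yet the tags line starts with `cve`. Fill these from the Wordfence advisory listed under `reference`, or drop the empty keys and the `cve` tag so the template does not appear in CVE-filtered runs without an identifier. `severity: low` next to a title that reads "Authorization Bypass to Privilege Escalation" also needs a stated reason.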
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
id: backuply-253411f9e6deece69610e01c03a5fe30 | ||
|
||
info: | ||
name: > | ||
Backuply – Backup, Restore, Migrate and Clone <= 1.3.4 - Authenticated (Admin+) SQL Injection | ||
author: topscoder | ||
severity: low | ||
description: > | ||
reference: | ||
- https://github.com/topscoder/nuclei-wordfence-cve | ||
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6a061553-c988-4a31-a0a2-7a2608faa33f?source=api-scan | ||
classification: | ||
cvss-metrics: | ||
cvss-score: | ||
cve-id: | ||
metadata: | ||
fofa-query: "wp-content/plugins/backuply/" | ||
google-query: inurl:"/wp-content/plugins/backuply/" | ||
shodan-query: 'vuln:' | ||
tags: cve,wordpress,wp-plugin,backuply,low | ||
|
||
http: | ||
- method: GET | ||
redirects: true | ||
max-redirects: 3 | ||
path: | ||
- "{{BaseURL}}/wp-content/plugins/backuply/readme.txt" | ||
|
||
extractors: | ||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
internal: true | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: status | ||
status: | ||
- 200 | ||
|
||
- type: word | ||
words: | ||
- "backuply" | ||
part: body | ||
|
||
- type: dsl | ||
dsl: | ||
- compare_versions(version, '<= 1.3.4') |
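Review bot: the only evidence collected is `Stable tag: ([0-9.]+)` from `readme.txt`, so `compare_versions(version, '<= 1.3.4')` reports the version the readme declares, not that the Admin+ SQL injection named in the title is reachable. A readme whose stable tag is non-numeric (for example `trunk`) yields no `version` and the template stays silent, and a readme left behind by an update reports a patched install. Say in `description` (currently empty) that this is a version-based check, and consider dropping one of the two extractors, which share the name `version` and the same regex and differ only in `internal: true`.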
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
id: CVE-2022-2446 | ||
|
||
info: | ||
name: > | ||
WP Editor <= 1.2.9 - Authenticated (Admin+) PHAR Deserialization | ||
author: topscoder | ||
severity: low | ||
description: > | ||
The WP Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'current_theme_root' parameter in versions up to, and including 1.2.9. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload. | ||
reference: | ||
- https://github.com/topscoder/nuclei-wordfence-cve | ||
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f3555702-4427-4569-8fd6-f84113593e9d?source=api-prod | ||
classification: | ||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | ||
cvss-score: 7.2 | ||
cve-id: CVE-2022-2446 | ||
metadata: | ||
fofa-query: "wp-content/plugins/wp-editor/" | ||
google-query: inurl:"/wp-content/plugins/wp-editor/" | ||
shodan-query: 'vuln:CVE-2022-2446' | ||
tags: cve,wordpress,wp-plugin,wp-editor,low | ||
|
||
http: | ||
- method: GET | ||
redirects: true | ||
max-redirects: 3 | ||
path: | ||
- "{{BaseURL}}/wp-content/plugins/wp-editor/readme.txt" | ||
|
||
extractors: | ||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
internal: true | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: status | ||
status: | ||
- 200 | ||
|
||
- type: word | ||
words: | ||
- "wp-editor" | ||
part: body | ||
|
||
- type: dsl | ||
dsl: | ||
- compare_versions(version, '<= 1.2.9') |
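Review bot: `severity: low` and the trailing `low` tag contradict the classification a few lines below, `cvss-score: 7.2` with `C:H/I:H/A:H`, which is High on the CVSS v3.1 scale. Set the severity and the tag to `high`, or record in the description why it is downgraded (for instance because of `PR:H`); as written, a scan filtered to high severity skips this template.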
59 changes: 59 additions & 0 deletions
poc/cve/CVE-2022-3459-f874164b02061f0298b7dc031fdb9eac.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
id: CVE-2022-3459-f874164b02061f0298b7dc031fdb9eac | ||
|
||
info: | ||
name: > | ||
WooCommerce Multiple Free Gift <= 1.2.3 - Insufficient Server-Side Validation to Arbitrary Gift Adding | ||
author: topscoder | ||
severity: medium | ||
description: > | ||
The WooCommerce Multiple Free Gift plugin for WordPress is vulnerable to gift manipulation in all versions up to, and including, 1.2.3. This is due to plugin not enforcing server-side checks on the products that can be added as a gift. This makes it possible for unauthenticated attackers to add non-gift items to their cart as a gift. | ||
reference: | ||
- https://github.com/topscoder/nuclei-wordfence-cve | ||
- https://www.wordfence.com/threat-intel/vulnerabilities/id/cdb9c321-1a2c-4593-9947-2071a908ee1c?source=api-prod | ||
classification: | ||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | ||
cvss-score: 5.3 | ||
cve-id: CVE-2022-3459 | ||
metadata: | ||
fofa-query: "wp-content/plugins/woocommerce-multiple-free-gift/" | ||
google-query: inurl:"/wp-content/plugins/woocommerce-multiple-free-gift/" | ||
shodan-query: 'vuln:CVE-2022-3459' | ||
tags: cve,wordpress,wp-plugin,woocommerce-multiple-free-gift,medium | ||
|
||
http: | ||
- method: GET | ||
redirects: true | ||
max-redirects: 3 | ||
path: | ||
- "{{BaseURL}}/wp-content/plugins/woocommerce-multiple-free-gift/readme.txt" | ||
|
||
extractors: | ||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
internal: true | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: status | ||
status: | ||
- 200 | ||
|
||
- type: word | ||
words: | ||
- "woocommerce-multiple-free-gift" | ||
part: body | ||
|
||
- type: dsl | ||
dsl: | ||
- compare_versions(version, '<= 1.2.3') |
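Review bot: the `id` here is `CVE-2022-3459-f874164b02061f0298b7dc031fdb9eac`, with a 32-character hex suffix, while the CVE-2022-2446 template added in this same commit uses the bare CVE number as its id. Pick one convention so that selecting or de-duplicating templates by id behaves the same across the set. The description speaks of unauthenticated attackers, but the request only reads `readme.txt` and compares `Stable tag`, so the description should state that a match is a version finding rather than a confirmed gift-manipulation check.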