Commit
1 parent
1c786a8
commit 55f83c9
Showing
118 changed files
with
6,176 additions
and
284 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1 @@ | ||
20240820 | ||
20240821 |
59 changes: 59 additions & 0 deletions
poc/auth/event-espresso-decaf-22176fe8722d0971848f71b56590811f.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
id: event-espresso-decaf-22176fe8722d0971848f71b56590811f | ||
|
||
info: | ||
name: > | ||
Event Espresso 4 Decaf – Event Registration Event Ticketing <= 5.0.22.decaf - Authenticated (Subscriber+) Missing Authorization to Limited Plugin Settings Modification | ||
author: topscoder | ||
severity: low | ||
description: > | ||
reference: | ||
- https://github.com/topscoder/nuclei-wordfence-cve | ||
- https://www.wordfence.com/threat-intel/vulnerabilities/id/689abb68-0c19-4f89-91db-fd15ab8bca8e?source=api-scan | ||
classification: | ||
cvss-metrics: | ||
cvss-score: | ||
cve-id: | ||
metadata: | ||
fofa-query: "wp-content/plugins/event-espresso-decaf/" | ||
google-query: inurl:"/wp-content/plugins/event-espresso-decaf/" | ||
shodan-query: 'vuln:' | ||
tags: cve,wordpress,wp-plugin,event-espresso-decaf,low | ||
|
||
http: | ||
- method: GET | ||
redirects: true | ||
max-redirects: 3 | ||
path: | ||
- "{{BaseURL}}/wp-content/plugins/event-espresso-decaf/readme.txt" | ||
|
||
extractors: | ||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
internal: true | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: status | ||
status: | ||
- 200 | ||
|
||
- type: word | ||
words: | ||
- "event-espresso-decaf" | ||
part: body | ||
|
||
- type: dsl | ||
dsl: | ||
- compare_versions(version, '* - 5.0.22.decaf') |
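Review bot: the `compare_versions(version, '* - 5.0.22.decaf')` check at the end of this hunk does not fit the extractor above it. `(?mi)Stable tag: ([0-9.]+)` captures only digits and dots, so a stable tag of the form `5.0.22.decaf` is extracted as `5.0.22.` (trailing dot, suffix lost), and the range string itself carries the non-numeric `.decaf` segment, which a semver-style comparison will most likely refuse to parse; the matcher then fails silently and the template never fires. Capture a plain numeric version, e.g. `Stable tag: ([0-9]+(?:\.[0-9]+)*)`, and compare with `'<= 5.0.22'`, the form the other templates in this commit use. Separately: `description` is empty, `cvss-metrics`, `cvss-score` and `cve-id` are empty keys, `shodan-query: 'vuln:'` has no identifier, and `tags` carries `cve` although no CVE is assigned; fill these or drop them rather than shipping empty fields. The two `version` extractors differ only by `internal: true`; a single non-internal extractor both prints the version and is available to the DSL matcher. Finally, this is a readme.txt version fingerprint, the settings endpoint is never requested, so a hit means "version in range", not a confirmed missing-authorization issue; the name should not read as if the check were exercised.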
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
id: snapshot-backup | ||
|
||
info: | ||
name: > | ||
Snapshot Backup <= 2.1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting | ||
author: topscoder | ||
severity: medium | ||
description: > | ||
reference: | ||
- https://github.com/topscoder/nuclei-wordfence-cve | ||
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b467fc26-242f-47c4-bcfd-38980489a0c3?source=api-scan | ||
classification: | ||
cvss-metrics: | ||
cvss-score: | ||
cve-id: | ||
metadata: | ||
fofa-query: "wp-content/plugins/snapshot-backup/" | ||
google-query: inurl:"/wp-content/plugins/snapshot-backup/" | ||
shodan-query: 'vuln:' | ||
tags: cve,wordpress,wp-plugin,snapshot-backup,medium | ||
|
||
http: | ||
- method: GET | ||
redirects: true | ||
max-redirects: 3 | ||
path: | ||
- "{{BaseURL}}/wp-content/plugins/snapshot-backup/readme.txt" | ||
|
||
extractors: | ||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
internal: true | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: status | ||
status: | ||
- 200 | ||
|
||
- type: word | ||
words: | ||
- "snapshot-backup" | ||
part: body | ||
|
||
- type: dsl | ||
dsl: | ||
- compare_versions(version, '<= 2.1.1') |
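Review bot: `id: snapshot-backup` at the top of this hunk is a bare plugin slug, unlike the hashed ids used for the other templates in this commit (`event-espresso-decaf-22176fe…`, `CVE-2022-1206-72f3efe…`); it will collide with any other template for the same plugin and should follow the same id scheme. As in the previous file, `description` is empty, the three `classification` keys are empty, `shodan-query: 'vuln:'` carries no identifier and the `cve` tag is present with no `cve-id`. The check itself is only `Stable tag` from readme.txt compared with `'<= 2.1.1'`; the CSRF-to-stored-XSS path is never requested, so the template detects an installed version, not the weakness, and the duplicated `version` extractor can be reduced to the single non-internal one.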
17 changes: 8 additions & 9 deletions
poc/cross_site_request_forgery/django-debug-exposure-csrf.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,25 +1,24 @@ | ||
id: django-debug-exposure | ||
|
||
info: | ||
name: Django Debug Exposure | ||
author: shelled | ||
severity: medium | ||
author: geeknik | ||
reference: https://twitter.com/Alra3ees/status/1397660633928286208 | ||
severity: high | ||
tags: django,exposure | ||
|
||
requests: | ||
- method: POST | ||
path: | ||
- "{{BaseURL}}/admin/login/?next=/admin/" | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: status | ||
status: | ||
- 403 | ||
|
||
- 500 | ||
- type: word | ||
part: body | ||
words: | ||
- 'seeing the help section of this page because you have <code>DEBUG =' | ||
- 'True</code>' | ||
- "DB_HOST" | ||
- "DB_NAME" | ||
- "DJANGO" | ||
- "ADMIN_PASSWORD" | ||
condition: and |
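Review bot: the word matcher at the end of this hunk is deployment-specific, not Django-specific. `DB_HOST`, `DB_NAME`, `DJANGO` and `ADMIN_PASSWORD` are names from one site's settings or environment, and with `condition: and` all four must appear in the body, so most instances that do serve a debug page will not match. The pair `seeing the help section of this page because you have <code>DEBUG =` / `True</code>` is Django's own boilerplate: it is the text of the CSRF-failure page that a bodiless `POST` to `/admin/login/` triggers, which is why that side of the change pairs it with status `403` and why this file sits under `poc/cross_site_request_forgery/`. Whichever side is kept, the status code, the word list, `severity` (`medium` versus `high`) and the directory should describe the same page; `500` plus the env-var names describes something other than what the template name and path claim. Minor: `requests:` is the legacy protocol key, while every other template in this commit uses `http:`.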
59 changes: 59 additions & 0 deletions
poc/cve/CVE-2022-1206-72f3efe3c37f1b1e3da1c1576bb63644.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
id: CVE-2022-1206-72f3efe3c37f1b1e3da1c1576bb63644 | ||
|
||
info: | ||
name: > | ||
AdRotate – Ad manager & AdSense Ads <= 5.13.2 - Authenticated (Admin+) Double Extension Arbitrary File Upload | ||
author: topscoder | ||
severity: low | ||
description: > | ||
The AdRotate Banner Manager – The only ad manager you'll need plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension sanitization in the adrotate_insert_media() function in all versions up to, and including, 5.13.2. This makes it possible for authenticated attackers, with administrator-level access and above, to upload arbitrary files with double extensions on the affected site's server which may make remote code execution possible. This is only exploitable on select instances where the configuration will execute the first extension present. | ||
reference: | ||
- https://github.com/topscoder/nuclei-wordfence-cve | ||
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9f92219a-e07e-422d-a9f2-dbe4fbcd5f55?source=api-prod | ||
classification: | ||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | ||
cvss-score: 7.2 | ||
cve-id: CVE-2022-1206 | ||
metadata: | ||
fofa-query: "wp-content/plugins/adrotate/" | ||
google-query: inurl:"/wp-content/plugins/adrotate/" | ||
shodan-query: 'vuln:CVE-2022-1206' | ||
tags: cve,wordpress,wp-plugin,adrotate,low | ||
|
||
http: | ||
- method: GET | ||
redirects: true | ||
max-redirects: 3 | ||
path: | ||
- "{{BaseURL}}/wp-content/plugins/adrotate/readme.txt" | ||
|
||
extractors: | ||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
internal: true | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: status | ||
status: | ||
- 200 | ||
|
||
- type: word | ||
words: | ||
- "adrotate" | ||
part: body | ||
|
||
- type: dsl | ||
dsl: | ||
- compare_versions(version, '<= 5.13.2') |
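Review bot: `severity: low` and the `low` tag in this hunk contradict the `classification` block directly beneath them, where `cvss-score: 7.2` with vector `AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H` is High on the CVSS 3.1 scale. If the low rating is deliberate because the issue needs an existing administrator (as the name says, `Authenticated (Admin+)`), say so in `description`; otherwise align `severity` and the tag with the score. This file is also, apart from `id`, byte-for-byte the same template as the `CVE-2022-1206` file added in the next hunk: both request `/wp-content/plugins/adrotate/readme.txt` and compare `Stable tag` with `'<= 5.13.2'`, so every target will be reported twice. Keep one. Note also that the description itself says the upload is only exploitable "on select instances where the configuration will execute the first extension present", so a version match here is a candidate, not a confirmed RCE path.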
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
id: CVE-2022-1206 | ||
|
||
info: | ||
name: > | ||
AdRotate – Ad manager & AdSense Ads <= 5.13.2 - Authenticated (Admin+) Double Extension Arbitrary File Upload | ||
author: topscoder | ||
severity: low | ||
description: > | ||
The AdRotate Banner Manager – The only ad manager you'll need plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension sanitization in the adrotate_insert_media() function in all versions up to, and including, 5.13.2. This makes it possible for authenticated attackers, with administrator-level access and above, to upload arbitrary files with double extensions on the affected site's server which may make remote code execution possible. This is only exploitable on select instances where the configuration will execute the first extension present. | ||
reference: | ||
- https://github.com/topscoder/nuclei-wordfence-cve | ||
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9f92219a-e07e-422d-a9f2-dbe4fbcd5f55?source=api-prod | ||
classification: | ||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | ||
cvss-score: 7.2 | ||
cve-id: CVE-2022-1206 | ||
metadata: | ||
fofa-query: "wp-content/plugins/adrotate/" | ||
google-query: inurl:"/wp-content/plugins/adrotate/" | ||
shodan-query: 'vuln:CVE-2022-1206' | ||
tags: cve,wordpress,wp-plugin,adrotate,low | ||
|
||
http: | ||
- method: GET | ||
redirects: true | ||
max-redirects: 3 | ||
path: | ||
- "{{BaseURL}}/wp-content/plugins/adrotate/readme.txt" | ||
|
||
extractors: | ||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
internal: true | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: status | ||
status: | ||
- 200 | ||
|
||
- type: word | ||
words: | ||
- "adrotate" | ||
part: body | ||
|
||
- type: dsl | ||
dsl: | ||
- compare_versions(version, '<= 5.13.2') |
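Review bot: this hunk duplicates the hashed `CVE-2022-1206-72f3efe3c37f1b1e3da1c1576bb63644` template from the previous hunk line for line except for `id`; the same request, extractors and `compare_versions(version, '<= 5.13.2')` matcher will fire twice per host. Drop one of the two (the hashed variant if the plain CVE id is the intended canonical name), and carry over the same `severity`/`cvss-score: 7.2` fix so the survivor is consistent.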
59 changes: 59 additions & 0 deletions
poc/cve/CVE-2023-2987-0525060cce1946c27a3697cc1520f683.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
id: CVE-2023-2987-0525060cce1946c27a3697cc1520f683 | ||
|
||
info: | ||
name: > | ||
Wordapp <= 1.6.0 - Authorization Bypass through Use of Insufficiently Unique Cryptographic Signature | ||
author: topscoder | ||
severity: high | ||
description: > | ||
The Wordapp plugin for WordPress is vulnerable to authorization bypass due to an use of insufficiently unique cryptographic signature on the 'wa_pdx_op_config_set' function in versions up to, and including, 1.6.0. This makes it possible for unauthenticated attackers to the plugin to change the 'validation_token' in the plugin config, providing access to the plugin's remote control functionalities, such as creating an admin access URL, which can be used for privilege escalation. | ||
reference: | ||
- https://github.com/topscoder/nuclei-wordfence-cve | ||
- https://www.wordfence.com/threat-intel/vulnerabilities/id/80440bfa-4a02-4441-bbdb-52d7dd065a9d?source=api-prod | ||
classification: | ||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | ||
cvss-score: 9.8 | ||
cve-id: CVE-2023-2987 | ||
metadata: | ||
fofa-query: "wp-content/plugins/wordapp/" | ||
google-query: inurl:"/wp-content/plugins/wordapp/" | ||
shodan-query: 'vuln:CVE-2023-2987' | ||
tags: cve,wordpress,wp-plugin,wordapp,high | ||
|
||
http: | ||
- method: GET | ||
redirects: true | ||
max-redirects: 3 | ||
path: | ||
- "{{BaseURL}}/wp-content/plugins/wordapp/readme.txt" | ||
|
||
extractors: | ||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
internal: true | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: status | ||
status: | ||
- 200 | ||
|
||
- type: word | ||
words: | ||
- "wordapp" | ||
part: body | ||
|
||
- type: dsl | ||
dsl: | ||
- compare_versions(version, '<= 1.6.0') |
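Review bot: `severity: high` and the `high` tag in this hunk disagree with the classification below them: `cvss-score: 9.8` with `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` is Critical on the CVSS 3.1 scale, and the description (unauthenticated, leads to admin access) supports that; set `severity: critical` and the matching tag. The description also needs a grammar pass: "due to an use of" should be "due to the use of", and "unauthenticated attackers to the plugin to change the 'validation_token'" should be "unauthenticated attackers to change the 'validation_token'". As with the other templates in this commit, the check is only `Stable tag` from readme.txt against `'<= 1.6.0'`; the `wa_pdx_op_config_set` handler named in the description is never requested, so a match is a version in range, not a demonstrated authorization bypass, and the duplicated `version` extractor can be collapsed to the single non-internal one.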