updated templates with multiple payloads / request with flow

Author: princechaddha

http/cves/2014/CVE-2014-2383.yaml

@@ -26,12 +26,28 @@ info:
     cpe: cpe:2.3:a:dompdf:dompdf:*:beta3:*:*:*:*:*:*
   metadata:
     verified: true
-    max-request: 11
+    max-request: 13
     vendor: dompdf
     product: dompdf
   tags: cve2014,cve,lfi,wp-plugin,wpscan,dompdf,wordpress,wp,edb,seclists
 
+flow: http(1) && http(2)
+
 http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/dompdf.php"
+      - "{{BaseURL}}/wp-content/plugins/"
+
+    stop-at-first-match: true
+    matchers:
+      - type: word
+        words:
+          - "dompdf"
+          - "WordPress"
+        condition: or
+        internal: true
+
   - method: GET
     path:
       - "{{BaseURL}}{{paths}}"

http/cves/2017/CVE-2017-17562.yaml

@@ -25,13 +25,28 @@ info:
     epss-percentile: 0.99889
     cpe: cpe:2.3:a:embedthis:goahead:*:*:*:*:*:*:*:*
   metadata:
-    max-request: 65
+    max-request: 66
     vendor: embedthis
     product: goahead
     shodan-query: cpe:"cpe:2.3:a:embedthis:goahead"
   tags: cve,cve2017,rce,goahead,fuzz,kev,vulhub,embedthis
 
+flow: http(1) && http(2)
+
 http:
+  - raw:
+      - |
+        GET /cgi-bin/ HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: word
+        words:
+          - "GoAhead"
+          - "cgi-bin"
+        condition: or
+        internal: true
+
   - raw:
       - |
         GET /cgi-bin/{{endpoint}}?LD_DEBUG=help HTTP/1.1

http/cves/2021/CVE-2021-26084.yaml

@@ -24,7 +24,7 @@ info:
     epss-percentile: 0.99978
     cpe: cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
   metadata:
-    max-request: 13
+    max-request: 14
     vendor: atlassian
     product: confluence_data_center
     shodan-query:
@@ -33,7 +33,23 @@ info:
     fofa-query: app="atlassian-confluence"
   tags: cve2021,cve,rce,confluence,injection,ognl,kev,atlassian
 
+flow: http(1) && http(2)
+
 http:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: word
+        words:
+          - "confluence"
+          - "atlassian"
+        condition: or
+        internal: true
+
+  - raw:
   - raw:
       - |
         POST /{{path}} HTTP/1.1

http/cves/2022/CVE-2022-2034.yaml

@@ -24,13 +24,28 @@ info:
     cpe: cpe:2.3:a:automattic:sensei_lms:*:*:*:*:*:wordpress:*:*
   metadata:
     verified: true
-    max-request: 100
+    max-request: 101
     vendor: automattic
     product: sensei_lms
     framework: wordpress
   tags: cve,cve2022,wp,disclosure,wpscan,sensei-lms,fuzz,hackerone,wordpress,wp-plugin,automattic
 
+flow: http(1) && http(2)
+
 http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-json/wp/v2/"
+
+    matchers:
+      - type: word
+        words:
+          - "sensei"
+          - "wp-json"
+        condition: or
+        internal: true
+
+  - method: GET
   - method: GET
     path:
       - "{{BaseURL}}/wp-json/wp/v2/sensei-messages/{{num}}"

http/cves/2023/CVE-2023-24489.yaml

@@ -26,7 +26,7 @@ info:
     cpe: cpe:2.3:a:citrix:sharefile_storage_zones_controller:*:*:*:*:*:*:*:*
   metadata:
     verified: true
-    max-request: 256
+    max-request: 257
     vendor: citrix
     product: sharefile_storage_zones_controller
     shodan-query:
@@ -38,7 +38,24 @@ info:
 variables:
   fileName: '{{rand_base(8)}}'
 
+flow: http(1) && http(2)
+
 http:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: word
+        words:
+          - "ShareFile Storage Server"
+          - "ShareFile"
+          - "documentum"
+        condition: or
+        internal: true
+
+  - raw:
   - raw:
       - |
         POST /documentum/upload.aspx?parentid={{url_encode(padding)}}&raw=1&unzip=on&uploadid={{fileName}}\..\..\..\cifs&filename={{fileName}}.aspx HTTP/1.1

http/cves/2023/CVE-2023-27524.yaml

@@ -25,7 +25,7 @@ info:
     cpe: cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*
   metadata:
     verified: true
-    max-request: 45
+    max-request: 46
     vendor: apache
     product: superset
     shodan-query:
@@ -37,7 +37,23 @@ info:
       - icon_hash=1582430156
   tags: packetstorm,cve,cve2023,apache,superset,auth-bypass,kev
 
+flow: http(1) && http(2)
+
 http:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: word
+        words:
+          - "Apache Superset"
+          - "superset"
+        condition: or
+        internal: true
+
+  - raw:
   - raw:
       - |
         GET /api/v1/database/{{path}} HTTP/1.1

http/cves/2023/CVE-2023-2825.yaml

@@ -24,7 +24,7 @@ info:
     cpe: cpe:2.3:a:gitlab:gitlab:16.0.0:*:*:*:community:*:*:*
   metadata:
     verified: true
-    max-request: 16
+    max-request: 17
     vendor: gitlab
     product: gitlab
     shodan-query:
@@ -37,7 +37,23 @@ info:
 variables:
   data: "{{rand_base(5)}}"
 
+flow: http(1) && http(2)
+
 http:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: word
+        words:
+          - "GitLab"
+          - "gitlab"
+        condition: or
+        internal: true
+
+  - raw:
   - raw:
       - |
         GET /users/sign_in HTTP/1.1

http/cves/2023/CVE-2023-6379.yaml

@@ -24,7 +24,7 @@ info:
     cpe: cpe:2.3:a:alkacon:opencms:*:*:*:*:*:*:*:*
   metadata:
     verified: true
-    max-request: 11
+    max-request: 12
     vendor: alkacon
     product: opencms
     shodan-query:
@@ -36,7 +36,22 @@ info:
     google-query: intitle:"opencms"
   tags: cve2023,cve,opencms,xss,alkacon
 
+flow: http(1) && http(2)
+
 http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/"
+
+    matchers:
+      - type: word
+        words:
+          - "OpenCms"
+          - "opencms"
+        condition: or
+        internal: true
+
+  - method: GET
   - method: GET
     path:
       - "{{BaseURL}}{{paths}}"

http/default-logins/apache/tomcat-default-login.yaml

@@ -11,13 +11,28 @@ info:
   classification:
     cpe: cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
   metadata:
-    max-request: 405
+    max-request: 406
     vendor: apache
     product: tomcat
     shodan-query: title:"Apache Tomcat"
   tags: tomcat,apache,default-login
 
+flow: http(1) && http(2)
+
 http:
+  - raw:
+      - |
+        GET /manager/html HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: word
+        words:
+          - "Apache Tomcat"
+          - "401 Unauthorized"
+        condition: or
+        internal: true
+
   - raw:
       - |
         GET /manager/html HTTP/1.1

http/default-logins/couchdb/couchdb-default-login.yaml

@@ -13,13 +13,29 @@ info:
     cpe: cpe:2.3:a:apache:couchdb:*:*:*:*:*:*:*:*
   metadata:
     verified: true
-    max-request: 16
+    max-request: 17
     fofa-query: app="APACHE-CouchDB"
     product: couchdb
     vendor: apache
   tags: default-login,couchdb,misconfig
 
+flow: http(1) && http(2)
+
 http:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: word
+        words:
+          - "CouchDB"
+          - "couchdb"
+        condition: or
+        internal: true
+
+  - raw:
   - raw:
       - |
         POST /_session HTTP/1.1