Merge branch 'master' into master

Author: securestep9

lib/payloads/wordlists/wp_plugin_small.txt

@@ -145,6 +145,7 @@ placester
 plugin-dir
 plugin-newsletter
 post-highlights
+post-smtp
 premium_gallery_manager
 pretty-link
 profiles

modules/scan/citrix_lastpatcheddate.yaml

@@ -0,0 +1,45 @@
+info:
+  name:  citrix_lastpatcheeddate_scan
+  author: OWASP Nettacker Team
+  severity: 3
+  description: Citrix Netscaler Gateway Last Patched Date Scan
+  reference:
+  profiles:
+    - scan
+    - http
+    - citrix
+    - low_severity
+
+payloads:
+  - library: http
+    steps:
+      - method: head
+        timeout: 3
+        headers:
+          User-Agent: "{user_agent}"
+        allow_redirects: false
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/epa/scripts/win/nsepa_setup.exe"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              schema:
+                - "http"
+                - "https"
+              ports:
+                - 80
+                - 443
+        response:
+          condition_type: and
+          log: "response_dependent['headers']['Last-Modified']"
+          conditions:
+            status_code:
+              regex: "200"
+              reverse: false
+            headers:
+              Last-Modified:
+                regex: .*  
+                reverse: false

modules/scan/http_html_title.yaml

@@ -0,0 +1,43 @@
+info:
+  name: http_html_title_scan
+  author: OWASP Nettacker Team
+  severity: 3
+  description: HTTP HTML Title scan - extracts the TITLE tag which can help identify the application running on the server
+  reference:
+  profiles:
+    - scan
+    - http
+    - low_severity
+
+payloads:
+  - library: http
+    steps:
+      - method: get
+        timeout: 3
+        headers:
+          User-Agent: "{user_agent}"
+        allow_redirects: true
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              schema:
+                - "http"
+                - "https"
+              ports:
+                - 80
+                - 443
+        response:
+          condition_type: or
+          log: "response_dependent['status_code'] response_dependent['content']"
+          conditions:
+            status_code:
+                regex: \d\d\d
+                reverse: false
+            content:
+                regex: <title>(.+?)</title> 
+                reverse: false

modules/scan/ivanti_epmm_lastpatcheddate.yaml

@@ -0,0 +1,48 @@
+info:
+  name: ivanti_epmm_lastpatcheddate_scan
+  author: OWASP Nettacker Team
+  severity: 3
+  description: Ivanti EPMM Last Patched Date Scan
+  reference:
+  profiles:
+    - scan
+    - http
+    - ivanti
+    - low_severity
+
+payloads:
+  - library: http
+    steps:
+      - method: head
+        timeout: 3
+        headers:
+          User-Agent: "{user_agent}"
+        allow_redirects: false
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/mifs/css/pages/userlogin.css"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              schema:
+                - "http"
+                - "https"
+              ports:
+                - 80
+                - 443
+        response:
+          condition_type: and
+          log: "response_dependent['headers']['Last-Modified']"
+          conditions:
+            status_code:
+              regex: "200"
+              reverse: false
+            headers:
+              Last-Modified:
+                regex: .*  
+                reverse: false
+              Content-Type:
+                regex: "css"
+                reverse: false  

modules/scan/ivanti_ics_lastpatcheddate.yaml

@@ -0,0 +1,48 @@
+info:
+  name: ivanti_ics_lastpatcheddate_scan
+  author: OWASP Nettacker Team
+  severity: 3
+  description: Ivanti ICS Last Patched Date Scan
+  reference:
+  profiles:
+    - scan
+    - http
+    - ivanti
+    - low_severity
+
+payloads:
+  - library: http
+    steps:
+      - method: head
+        timeout: 3
+        headers:
+          User-Agent: "{user_agent}"
+        allow_redirects: false
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/dana-na/css/ds.js"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              schema:
+                - "http"
+                - "https"
+              ports:
+                - 80
+                - 443
+        response:
+          condition_type: and
+          log: "response_dependent['headers']['Last-Modified']"
+          conditions:
+            status_code:
+              regex: "200"
+              reverse: false
+            headers:
+              Last-Modified:
+                regex: .*  
+                reverse: false
+            Content-Type: 
+              regex: "javascript"
+              reverse: false

modules/vuln/ivanti_epmm_cve_2023_35082.yaml

@@ -0,0 +1,53 @@
+info:
+  name: ivanti_epmm_cve_2023_35082_vuln
+  author: OWASP Nettacker team 
+  severity: 9.8
+  description: CVE-2023-35082 is an authentication bypass in Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core
+  reference: 
+    - https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older
+    - https://www.cisa.gov/news-events/alerts/2024/01/18/cisa-adds-one-known-exploited-vulnerability-catalog
+    - https://www.helpnetsecurity.com/2024/01/19/exploited-cve-2023-35082/
+    - https://www.rapid7.com/blog/post/2023/08/02/cve-2023-35082-mobileiron-core-unauthenticated-api-access-vulnerability/
+  profiles:
+    - vuln
+    - vulnerability
+    - http
+    - high_severity
+    - cve
+    - ivanti
+    - ivanti_epmm
+    - cisa_kev
+
+payloads:
+  - library: http
+    steps:
+      - method: get
+        timeout: 3
+        headers:
+          User-Agent: "{user_agent}"
+        allow_redirects: false
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/{{paths}}"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              paths:  
+                - "mifs/asfV3/api/v2/ping"
+              schema:
+                - "http"
+                - "https"
+              ports:
+                - 80
+                - 443
+        response:
+          condition_type: and
+          conditions:
+            status_code:
+              regex: "200"
+              reverse: false
+            content:
+              regex: "vspVersion"
+              reverse: false

modules/vuln/ivanti_ics_cve_2023_46805.yaml

@@ -22,7 +22,7 @@ payloads:
       - method: get
         timeout: 3
         headers:
-          User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36"
+          User-Agent: "{user_agent}"
         allow_redirects: false
         ssl: false
         url:
@@ -44,8 +44,8 @@ payloads:
           condition_type: and
           conditions:
             status_code:
-              regex: '403'
+              regex: "403"
               reverse: false
             content:
-              regex: '<html>'
+              regex: "<html>"
               reverse: true

modules/vuln/wp_plugin_cve_2023_6875.yaml

@@ -0,0 +1,51 @@
+info:
+  name: wp_plugin_cve_2023_6875_vuln
+  author: Captain-T2004
+  severity: 9
+  description: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Unauthenticated Stored Cross-Site Scripting via device
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-6875
+    - https://www.wordfence.com/blog/2024/01/type-juggling-leads-to-two-vulnerabilities-in-post-smtp-mailer-wordpress-plugin/
+    - https://www.cve.org/CVERecord?id=CVE-2023-6875
+  profiles:
+    - vuln
+    - vulnerability
+    - http
+    - critical_severity
+    - cve2023
+    - cve
+    - wordpress
+    - wp_plugin
+
+payloads:
+  - library: http
+    steps:
+      - method: post
+        timeout: 3
+        headers:
+          User-Agent: "{user_agent}"
+        allow_redirects: false
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/wp-json/post-smtp/v1/connect-app"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              schema:
+                - "http"
+                - "https"
+              ports:
+                - 80
+                - 443
+        response:
+          success_conditions: content
+          condition_type: and
+          conditions:
+            content:
+              regex: "fcm_token"
+              reverse: false
+            status_code:
+              regex: "200"
+              reverse: false

requirements.txt

@@ -4,11 +4,11 @@ ipaddr==2.2.0
 requests==2.31.0
 aiohttp==3.9.1
 asyncio==3.4.3
-paramiko==3.3.1
+paramiko==3.4.0
 texttable==1.6.7
 PySocks==1.7.1 # library_name=socks # module name is not equal to socks name; this is required to be checked on startup
 pyOpenSSL==23.2.0 # library_name=OpenSSL
-flask==3.0.0
+flask==3.0.1
 SQLAlchemy>=1.4.43 # library_name=sqlalchemy
 py3DNS==4.0.0 # library_name=DNS
 numpy==1.26.2

version.txt

@@ -1 +1 @@
-0.3.2 TRENT
+0.3.3 TRENT