Added comments with URLs under the "references" field

Related nuclei tickets:
* #259 - dynamic key-value field support for template information
* #940 - new infos in template
* #834
* RES-84
patch-1
forgedhallpass 2021-08-19 16:15:35 +03:00
parent e68d15ab63
commit 0b432b341b
30 changed files with 70 additions and 110 deletions


@ -5,11 +5,11 @@ info:
author: dr_set
severity: high
description: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent - WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
reference: https://github.com/vulhub/vulhub/tree/fda47b97c7d2809660a4471539cd0e6dbf8fac8c/weblogic/CVE-2017-10271
reference:
- https://github.com/vulhub/vulhub/tree/fda47b97c7d2809660a4471539cd0e6dbf8fac8c/weblogic/CVE-2017-10271
- https://github.com/SuperHacker-liuan/cve-2017-10271-poc
tags: cve,cve2017,rce,oracle,weblogic
# Source:- https://github.com/SuperHacker-liuan/cve-2017-10271-poc
requests:
- raw:
- |
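Review bot: the new `reference` list loses the role annotation that the removed `# Source:-` comment gave the SuperHacker-liuan PoC link; elsewhere in this commit the role of a URL is kept as a trailing YAML comment (`# vendor homepage`, `# software link`), so for consistency write `- https://github.com/SuperHacker-liuan/cve-2017-10271-poc # PoC source`.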


@ -5,12 +5,11 @@ info:
author: dwisiswant0
severity: high
description: Subrion CMS before 4.1.5.10 has a SQL injection vulnerability in /front/search.php via the $_GET array.
reference: https://github.com/intelliants/subrion/issues/479
reference:
- https://github.com/intelliants/subrion/issues/479
- https://mp.weixin.qq.com/s/89mCnjUCvmptLsKaeVlC9Q
tags: cve,cve2017,sqli,subrion
# Source:
# - https://mp.weixin.qq.com/s/89mCnjUCvmptLsKaeVlC9Q
requests:
- method: GET
path:


@ -9,7 +9,7 @@ info:
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2017-14537
- https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/
- Product vendor:-https://sourceforge.net/projects/asteriskathome/
- https://sourceforge.net/projects/asteriskathome/ # vendor homepage
requests:
- raw:


@ -5,10 +5,10 @@ info:
author: pikpikcu
severity: critical
tags: cve,cve2018,fuelcms,rce
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# reference: https://www.exploit-db.com/exploits/47138
reference:
- https://www.exploit-db.com/exploits/47138
- https://www.getfuelcms.com/ # Vendor Homepage
- https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1 # Software Link
requests:
- raw:
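Review bot: this `info` block still has no `description` field, and the removed comments carried only links, so the template remains undocumented after the change; add a one-line `description` next to the new `reference` list. Also, `reference` is placed after `tags` here while the other templates touched in this commit put it before `tags`; settle on one ordering.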


@ -6,10 +6,9 @@ info:
severity: critical
description: Comodo Firewall & Central Manager (UTM) All Release before 2.7.0 & 1.5.0 Remote Code Execution (Web Shell based)
tags: cve,cve2018,comodo,rce
# References:
# - https://www.exploit-db.com/exploits/48825
# - https://secure.comodo.com/home/purchase.php?pid=106&license=try&track=9276&af=9276
reference:
- https://www.exploit-db.com/exploits/48825
- https://secure.comodo.com/home/purchase.php?pid=106&license=try&track=9276&af=9276
requests:
- raw:


@ -5,12 +5,11 @@ info:
author: pikpikcu
severity: critical
description: Linear eMerge E3-Series devices allow Command Injections.
reference: https://www.exploit-db.com/exploits/47619
reference:
- https://www.exploit-db.com/exploits/47619
- http://linear-solutions.com/nsc_family/e3-series/ # vendor homepage
tags: cve,cve2019,emerge,rce
# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
# Software Link: http://linear-solutions.com/nsc_family/e3-series/
requests:
- raw: # Default Port
- |


@ -5,15 +5,14 @@ info:
author: joeldeleep
description: A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests, aka 'Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability'.
severity: high
# THIS TEMPLATE IS ONLY FOR DETECTING
# To carry out further attacks, please see reference[1] below.
# This template works by guessing user ID.
reference:
- https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/
- https://github.com/euphrat1ca/CVE-2020-0618
tags: cve,cve2020,rce
# THIS TEMPLATE IS ONLY FOR DETECTING
# To carry out further attacks, please see reference[1] below.
# This template works by guessing user ID.
requests:
- method: GET
path:


@ -7,14 +7,13 @@ info:
description: |
This template could allow to bypass authentication and execute API
commands which may result in a compromise of the SolarWinds instance.
reference: https://kb.cert.org/vuls/id/843464
reference:
- https://kb.cert.org/vuls/id/843464
- https://github.com/jaeles-project/jaeles-signatures/blob/master/cves/solarwinds-lfi-cve-2020-10148.yaml
- https://gist.github.com/0xsha/75616ef6f24067c4fb5b320c5dfa4965
- https://twitter.com/0xsha/status/1343800953946787847
tags: cve,cve2020,solarwinds,rce
# References:
# - https://github.com/jaeles-project/jaeles-signatures/blob/master/cves/solarwinds-lfi-cve-2020-10148.yaml
# - https://gist.github.com/0xsha/75616ef6f24067c4fb5b320c5dfa4965
# - https://twitter.com/0xsha/status/1343800953946787847
requests:
- method: GET
path:
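Review bot: the `description` context lines read "This template could allow to bypass authentication and execute API commands", which describes the template as if it performed the bypass; since the file is being edited anyway, reword the field to describe the flaw ("This vulnerability could allow an attacker to bypass authentication and execute API commands ..."). The consolidation of the four URLs into `reference` is fine.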


@ -8,11 +8,6 @@ info:
reference: https://github.com/rekter0/exploits/tree/master/CVE-2020-12720
tags: cve,cve2020,vbulletin,sqli
# Source https://github.com/rekter0/exploits/tree/master/CVE-2020-12720
# This template supports the detection part only.
# Do not test any website without permission
# https://github.com/swisskyrepo/nuclei-templates/blob/20179794c2030144ec85f0231a8d455b5d7e35c5/cves/CVE-2020-12720.yaml
requests:
- raw:
- |
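Review bot: the removed comment block held a second source URL (the swisskyrepo nuclei-templates link for CVE-2020-12720) and the note that the template covers detection only, and neither reappears in the visible `reference` line, which still holds the single rekter0 URL. Other files in this commit keep such notes (the CVE-2020-0618 template retains its "THIS TEMPLATE IS ONLY FOR DETECTING" comment), so turn `reference` into a list with both URLs and keep the detection-only note.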


@ -6,23 +6,17 @@ info:
severity: critical
description: |
A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier that allows remote attackers to execute arbitrary code via unspecified vectors.
reference: |
# THIS TEMPLATE IS ONLY FOR DETECTING
# To carry out further attacks, please see reference[2] below.
# This template works by passing a Hessian header, otherwise;
# it will return a 403 or 500 internal server error. Reference[3].
reference:
- https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html
- https://github.com/iamnoooob/CVE-Reverse/tree/master/CVE-2020-15505
- https://github.com/iamnoooob/CVE-Reverse/blob/master/CVE-2020-15505/hessian.py#L10
- https://github.com/orangetw/JNDI-Injection-Bypass
tags: cve,cve2020,mobileiron,rce
# THIS TEMPLATE IS ONLY FOR DETECTING
# To carry out further attacks, please see references[2] below.
# This template works by passing a Hessian header, otherwise;
# it will return a 403 or 500 internal server error. References[3].
# References:
# - [1] https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html
# - [2] https://github.com/iamnoooob/CVE-Reverse/tree/master/CVE-2020-15505
# - [3] https://github.com/iamnoooob/CVE-Reverse/blob/master/CVE-2020-15505/hessian.py#L10
# - [4] https://github.com/orangetw/JNDI-Injection-Bypass
requests:
- raw:
- |
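Review bot: the removed `# - [1]` to `# - [4]` comments gave the references explicit indices, but the kept comments still say `see reference[2] below` and `Reference[3]`, so those numbers now depend silently on list order. Either add the index as a trailing comment on each entry (`- https://github.com/iamnoooob/CVE-Reverse/tree/master/CVE-2020-15505 # [2]`) or cite the target by name. Replacing the old `reference: |` block scalar with a real list is the right fix; `reference[2]` and `Reference[3]` in the same comment block should also agree on capitalisation.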


@ -5,13 +5,12 @@ info:
author: pikpikcu
severity: medium
description: Mara CMS 7.5 allows cross-site scripting (XSS) in contact.php via the theme or pagetheme parameters.
reference: https://www.exploit-db.com/exploits/48777
reference:
- https://www.exploit-db.com/exploits/48777
- https://sourceforge.net/projects/maracms/ # vendor homepage
- https://sourceforge.net/projects/maracms/files/MaraCMS75.zip/download # software link
tags: cve,cve2020,mara,xss
# Vendor Homepage: https://sourceforge.net/projects/maracms/
# Software Link: https://sourceforge.net/projects/maracms/files/MaraCMS75.zip/download
# Source: https://www.exploit-db.com/exploits/48777
requests:
- method: GET
path:


@ -6,11 +6,11 @@ info:
severity: high
description: |
mndpsingh287 WP File Manager v6.4 and lower fails to restrict external access to the fm_backups directory with a .htaccess file. This results in the ability for unauthenticated users to browse and download any site backups, which sometimes include full database backups, that the plugin has taken.
reference: https://zeroaptitude.com/zerodetail/wordpress-plugin-bug-hunting-part-1/
reference:
- https://zeroaptitude.com/zerodetail/wordpress-plugin-bug-hunting-part-1/
- https://nvd.nist.gov/vuln/detail/CVE-2020-24312
tags: cve,cve2020,wordpress,backups
# NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-24312
# Source: https://zeroaptitude.com/zerodetail/wordpress-plugin-bug-hunting-part-1/
# Note: Manually check content
requests:


@ -12,7 +12,6 @@ info:
# in the event that a CSRF is leveraged against an existing admin session for MAGMI.
# At the time of this advisory, no patch exists for this issue.
requests:
- raw:
- |


@ -12,8 +12,6 @@ info:
# While the Db connection is down, you can access http://[TARGET]/magmi/web/magmi.php
# whith default credential "magmi:magmi" (Authorization: Basic bWFnbWk6bWFnbWk=)
# Tested on a AWS t2.medium with max_connection = 75 and PHP-FPM pm-max_children = 100
# Ref:
# - https://github.com/dweeves/magmi-git/blob/18bd9ec905c90bfc9eaed0c2bf2d3525002e33b9/magmi/inc/magmi_auth.php#L35
requests:
- raw:
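Review bot: the deleted `# Ref:` lines held the commit-pinned magmi_auth.php URL, and no `reference` entry for it is visible in this hunk; please confirm it was moved into the `reference` list above rather than dropped. While touching the file, the context line `whith default credential` has a typo (`with`).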


@ -7,17 +7,15 @@ info:
tags: cve,cve2020,rce
description: LinuxKI v6.0-1 and earlier is vulnerable to an remote code execution which is resolved in release 6.0-2.
reference:
http://packetstormsecurity.com/files/157739/HP-LinuxKI-6.01-Remote-Command-Injection.html
http://packetstormsecurity.com/files/158025/LinuxKI-Toolset-6.01-Remote-Command-Execution.html
https://github.com/HewlettPackard/LinuxKI/releases/tag/v6.0-2
- http://packetstormsecurity.com/files/157739/HP-LinuxKI-6.01-Remote-Command-Injection.html
- http://packetstormsecurity.com/files/158025/LinuxKI-Toolset-6.01-Remote-Command-Execution.html
- https://github.com/HewlettPackard/LinuxKI/releases/tag/v6.0-2
- https://github.com/HewlettPackard/LinuxKI/commit/10bef483d92a85a13a59ca65a288818e92f80d78
- https://www.hpe.com/us/en/home.html # vendor homepage
# This template exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution.
# The kivis.php pid parameter received from the user is sent to the shell_exec function, resulting in security vulnerability.
# https://github.com/HewlettPackard/LinuxKI/commit/10bef483d92a85a13a59ca65a288818e92f80d78
# vendor: https://www.hpe.com/us/en/home.html
# software: https://github.com/HewlettPackard/LinuxKI
requests:
- method: GET
path:
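Review bot: the deleted comments `# This template exploits a vulnerability in LinuxKI Toolset <= 6.01 ...` and `# The kivis.php pid parameter received from the user is sent to the shell_exec function ...` were the only statement of the root cause, and the `# software: https://github.com/HewlettPackard/LinuxKI` link does not reappear in the new list. Rebuilding `reference` as a list is correct (the old three bare URLs under `reference:` parsed as one space-joined plain scalar, not a list), but the root-cause sentence belongs in `description` and the software link should be kept as `- https://github.com/HewlettPackard/LinuxKI # software link`. The description's `an remote code execution` should read `a remote code execution`.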


@ -9,14 +9,7 @@ info:
reference:
- http://packetstormsecurity.com/files/158887/Apache-OFBiz-XML-RPC-Java-Deserialization.html
- http://packetstormsecurity.com/files/161769/Apache-OFBiz-XML-RPC-Java-Deserialization.html
# This template detects a Java deserialization vulnerability in Apache
# OFBiz's unauthenticated XML-RPC endpoint /webtools/control/xmlrpc for
# versions prior to 17.12.04.
# --
# References:
# - https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz
- https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz
requests:
- raw:
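Review bot: the removed comment `This template detects a Java deserialization vulnerability in Apache OFBiz's unauthenticated XML-RPC endpoint /webtools/control/xmlrpc for versions prior to 17.12.04` is description content, not a reference, and it is deleted rather than relocated; move it into the `description` field. Moving the GHSL advisory URL into `reference` is fine.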


@ -12,14 +12,6 @@ info:
- https://twitter.com/ptswarm/status/1357316793753362433
tags: cve,cve2021,fortiweb,xss
# FortiWeb GUI interface may allow an unauthenticated, remote attacker
# to perform a reflected cross site scripting attack (XSS) by injecting
# malicious payload in different vulnerable API end-points.
# -
# References:
# - https://www.fortiguard.com/psirt/FG-IR-20-122
# - https://twitter.com/ptswarm/status/1357316793753362433
requests:
- method: GET
path:
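Review bot: the deleted `FortiWeb GUI interface may allow an unauthenticated, remote attacker to perform a reflected cross site scripting attack ...` comment is this template's only summary of the flaw and should land in `description` rather than disappear; the two URLs already sit in `reference` (the ptswarm tweet is visible as context), so only the comment copies of the links needed removing.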


@ -13,7 +13,6 @@ info:
# Note:- This is detection template, To perform deserializes do as below
# java.exe -jar .\ysoserial-master-d367e379d9-1.jar URLDNS http://t53lq9.dnslog.cn/ > mad.ot
# `cat mad.ot | hex` and replace in <cus-obj> along with the url in std-String value
# Exploit: https://github.com/yumusb/CVE-2021-26295-POC
requests:
- raw:
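Review bot: the deleted `# Exploit: https://github.com/yumusb/CVE-2021-26295-POC` line is the only removal in this hunk and no `reference` entry for that URL is visible, so confirm it was added to `reference` higher in the file. The remaining comment block is a step-by-step ysoserial walkthrough rather than template documentation; a `description` stating that this is a detection-only check for the OFBiz deserialization issue plus the reference link would document the template better than keeping the walkthrough inline.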


@ -4,9 +4,11 @@ info:
author: pdteam
severity: high
tags: grafana,default-login
reference:
- https://grafana.com/docs/grafana/latest/administration/configuration/#disable_brute_force_login_protection
- https://stackoverflow.com/questions/54039604/what-is-the-default-username-and-password-for-grafana-login-page
- https://github.com/grafana/grafana/issues/14755
# https://grafana.com/docs/grafana/latest/administration/configuration/#disable_brute_force_login_protection
# https://github.com/grafana/grafana/issues/14755
# Grafana blocks for 5 minutes after 5 "Invalid" attempts for valid user.
# So make sure, not to attempt more than 4 password for same valid user.
@ -22,7 +24,7 @@ requests:
- admin
# Added default grafana and prometheus user.
# Source:- https://stackoverflow.com/questions/54039604/what-is-the-default-username-and-password-for-grafana-login-page
# Source: https://stackoverflow.com/questions/54039604/what-is-the-default-username-and-password-for-grafana-login-page
attack: sniper
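Review bot: with the stackoverflow URL now in the `reference` list (first hunk of this file), the rewritten `# Source: https://stackoverflow.com/...` comment under the payload section duplicates it; a short pointer such as `# default users, see reference[2]`, or dropping the comment, avoids maintaining the same URL in two places.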


@ -11,9 +11,6 @@ info:
# POST /SolarWinds/InformationService/v3/Json/Create/Orion.Pollers HTTP/1.1
# {"PollerType":"Hello, world! from nuclei :-P", "NetObject":"N:1337", "NetObjectType":"N", "NetObjectID":1337}
# References:
# - https://github.com/solarwinds/OrionSDK/wiki/REST
requests:
- method: GET
path:
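Review bot: the deleted `# References:` / `# - https://github.com/solarwinds/OrionSDK/wiki/REST` comment is the only link in this hunk and the `reference` field lies outside the shown range, so verify the OrionSDK wiki URL was added there. The hunk header (`-11,9 +11,6`) counts three removed lines while only two are visible, so also check that nothing else from the comment block was dropped.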


@ -5,13 +5,13 @@ info:
author: pdteam
severity: high
tags: dns,takeover
reference:
- https://godiego.tech/posts/STO/ # kudos to @secfaults for sharing process details.
# Update the list with more CNAMEs related to azure
# Update the list with more CNAMEs related to Azure
# You need to claim the CNAME in Azure portal (https://portal.azure.com) to confirm the takeover.
# Reference:- https://godiego.tech/posts/STO/, kudos to @secfaults for sharing process details.
# Do not report this without claiming the CNAME.
dns:
- name: "{{FQDN}}"
type: A


@ -5,10 +5,10 @@ info:
author: pikpikcu
severity: info
tags: config,exposure
# https://github.com/alibaba/canal/issues/632
# https://netty.io/wiki/reference-counted-objects.html
# https://my.oschina.net/u/4581879/blog/4753320
reference:
- https://github.com/alibaba/canal/issues/632
- https://netty.io/wiki/reference-counted-objects.html
- https://my.oschina.net/u/4581879/blog/4753320
requests:
- method: GET


@ -3,7 +3,8 @@ info:
name: Clockwork PHP page exposure
author: organiccrap
severity: high
# https://twitter.com/damian_89_/status/1250721398747791360
reference: https://twitter.com/damian_89_/status/1250721398747791360
requests:
- method: GET
path:


@ -4,7 +4,7 @@ info:
name: firebase detect
author: organiccrap
severity: low
# http://ghostlulz.com/google-exposed-firebase-database/
reference: http://ghostlulz.com/google-exposed-firebase-database/
requests:
- method: GET


@ -3,8 +3,8 @@ info:
name: Liferay Portal Detection
author: organiccrap,dwisiswant0
severity: info
# CVE-2020-7961: Liferay Portal Unauthenticated RCE
# https://github.com/mzer0one/CVE-2020-7961-POC
reference: https://github.com/mzer0one/CVE-2020-7961-POC # CVE-2020-7961: Liferay Portal Unauthenticated RCE
requests:
- method: GET
path:


@ -1,7 +1,7 @@
id: jira-unauthenticated-dashboards
# If public sharing is ON it allows users to share dashboards and filters with all users including
# those that are not logged in. Those dashboard and filters could reveal potentially sensitive information.
# those that are not logged in. Those dashboards and filters could reveal potentially sensitive information.
info:
name: Jira Unauthenticated Dashboards


@ -7,10 +7,10 @@ info:
tags: rconfig,rce
# This template supports the user creation part only.
# To triggering an RCE, see references[2].
# References:
# - [1] https://www.rconfig.com/downloads/rconfig-3.9.5.zip
# - [2] https://www.exploit-db.com/exploits/48878
# To triggering an RCE, see reference[2].
reference:
- https://www.rconfig.com/downloads/rconfig-3.9.5.zip
- https://www.exploit-db.com/exploits/48878
requests:
- raw:
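Review bot: the rewritten comment `# To triggering an RCE, see reference[2].` carries over the grammatical slip from the old line; make it `# To trigger an RCE, see reference[2].` since the line is being replaced anyway. Dropping the `[1]`/`[2]` markers from the list while the comment still cites `reference[2]` leaves the index implicit, so a trailing `# [2]` on the exploit-db entry keeps it unambiguous.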


@ -5,10 +5,11 @@ info:
author: pikpikcu
severity: medium
tags: xss
# Vendor Homepage: https://sickbeard.com/
# Software Link: https://github.com/midgetspy/Sick-Beard
# shodan dork: sickbeard
reference:
- https://sickbeard.com/ # vendor homepage
- https://github.com/midgetspy/Sick-Beard # software link
customAttributes:
shodan-dork: sickbeard
requests:
- method: GET
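Review bot: `customAttributes:` with `shodan-dork: sickbeard` introduces an `info` key that no other template in this commit uses; the commit message ties this to ticket #259 (dynamic key-value field support for template information), so if the template loader rejects unknown `info` fields this file will fail to load until that support ships. Either hold this file back until #259 lands or keep the dork as a `# shodan dork: sickbeard` comment for now, as it was before.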


@ -7,7 +7,6 @@ info:
tags: springboot,rce
# Payload taken from @pyn3rd (Twitter), see reference[2].
reference:
- https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database
- https://twitter.com/pyn3rd/status/1305151887964946432


@ -5,8 +5,6 @@ info:
author: dwisiswant0
severity: info
tags: wordpress
# Ref:-
reference: https://wordpress.org/support/article/resetting-your-password/#using-the-emergency-password-reset-script
requests: